Most administrators and security officers are well aware of the necessity of system hardening for corporate systems. Hardening is the process of securing a system by reducing its surface of vulnerability. By the nature of operation, the more functions a system performs, the larger the vulnerability surface.
System hardening is a step-by-step process of securely configuring a system to protect it against unauthorized access while also making it more reliable. Generally, anything done in the name of system hardening should leave the system both more secure and more reliable. Since most systems are dedicated to one or two functions, the possible vectors of attack are reduced by removing any software, user accounts or services that are not required by the planned system functions. System hardening is a vendor-specific process, since different vendors install different elements in their default installation.
System hardening is necessary since "out of the box", some operating systems tend to be designed and installed primarily to be easy to use rather than secure. Most but not all systems can have security measures enabled that will make them suitable for high security and high reliability environments.
Desktop Hardening Checklist – Windows 7
Windows 7 comes with a tighter security model than previous versions of Microsoft’s client operating systems, but there are a few things you can do to tighten the security of your Windows computer even further.
1. First of all, make sure that the user account you use for day-to-day work is not a member of the local Administrators group. An administrative user account is a security vulnerability in itself, because administrators on the local machine have permission to change system settings.
In Windows 7, the old RunAs command, which could be quite annoying to use in earlier versions of Windows because not all applications supported it, has been integrated more tightly.
Now, whenever you perform an administrative Windows task, Windows prompts you for the credentials of an account with administrative permissions, which eliminates the need to right-click and choose RunAs. The fewer privileges you have as a user, the less damage you can do to the system by mistake, so running most tasks as a standard user improves the overall security of your system.
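To check item 1 on a machine, the following PowerShell script (an added example, not part of the original checklist) lists the members of the local Administrators group through the WinNT ADSI provider, reports whether the logged-on account is among them, and shows whether the current session actually carries the administrator token. It is read-only and assumes Windows 7 with PowerShell 2.0.

```powershell
# Added example (not from the checklist): list the members of the local Administrators group
# and report whether the account you are logged on with is one of them. Read-only; works on
# Windows 7 with PowerShell 2.0 via the WinNT ADSI provider.
$group = [ADSI]"WinNT://./Administrators,group"
$members = @($group.psbase.Invoke("Members") | ForEach-Object {
    # Each member is a COM object; pull its Name and the ADsPath that tells local from domain accounts
    $name = $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null)
    $path = $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
    New-Object PSObject -Property @{ Name = $name; Path = $path }
})
Write-Host "Members of local Administrators:"
$members | ForEach-Object { Write-Host ("  {0}  ({1})" -f $_.Name, $_.Path) }

$current = $env:USERNAME
if (@($members | Where-Object { $_.Name -eq $current }).Count -gt 0) {
    Write-Warning "$current is a local administrator; use a standard account for day-to-day work"
} else {
    Write-Host "$current is not a direct member of Administrators (good)"
}

# Whether this particular session carries the administrator token. With UAC on, even an
# administrator's normal session reports False here; only an elevated prompt reports True.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
$elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "This session is elevated: $elevated"
```

The membership list shows only direct members; a domain group nested in Administrators appears as one entry and is not expanded, so on a domain-joined machine check those groups separately.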
2. Change your network type to ‘Public’.
When setting up a new network connection, for instance to your newly created wireless network, Windows 7 prompts you to choose a network type for the connection. The options are:
a. Home Network
b. Office Network
c. Public Network
Home Network is more ‘open’ than Office Network: Windows treats all computers on the network as ‘good’, and this network type allows sharing of personal folders and files with all other computers on the network.
Windows will create a HomeGroup for all computers on the network and will enable Network Discovery and File and Printer Sharing on the computer. Office Network is a little stricter, while the Public network type is the strictest. The Public network type disables Network Discovery, which hides your computer on the network, and File and Printer Sharing is disabled by default. If you want a more secure computer, do not need to share your files and do not wish to be part of a HomeGroup, simply choose the Public network type. Go to Control Panel\Network and Internet\Network and Sharing Center and change the network type to 'Public'.
3. Enable Windows Updates.
Windows Updates are enabled by default. Make sure the ‘Recommended settings’ option is chosen, or set it to download updates and notify you before installing them.
Keeping up with the latest updates significantly helps protect your Windows installation.
4. Enable Windows Firewall and make sure all inbound connections are automatically dropped.
The firewall is enabled by default. If you do not need to share anything with other people and computers, you can safely choose to drop all inbound connections so that no one can access anything on your computer from the network. It is also possible to filter outgoing traffic in the Windows firewall. If you are serious about protecting your personal files, it is a good idea to filter outgoing traffic and application access as well.
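Items 2 and 4 can be applied without the GUI. The script below is an added example, not part of the original checklist: it marks every saved non-domain network profile as Public by editing the NetworkList registry key (values assumed from Windows 7 behaviour: 0 = Public, 1 = Private, 2 = Domain) and then uses netsh to switch the firewall on in all profiles with inbound traffic blocked. It must run from an elevated PowerShell prompt.

```powershell
# Added example (not from the checklist): mark every saved non-domain network profile as Public
# and make the Windows Firewall drop all inbound connections in every profile. Elevated
# PowerShell on Windows 7. Profile categories in this key: 0 = Public, 1 = Private (Home/Work),
# 2 = Domain; the new category is picked up the next time the network is detected (reconnect).
$profilesKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles"
Get-ChildItem -Path $profilesKey | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    if ($p.Category -eq 1) {
        Write-Host ("Profile '{0}': Private -> Public" -f $p.ProfileName)
        Set-ItemProperty -Path $_.PSPath -Name Category -Value 0 -Type DWord
    } else {
        Write-Host ("Profile '{0}': category {1} left unchanged" -f $p.ProfileName, $p.Category)
    }
}

# Firewall on in all profiles; inbound blocked even where an allow rule exists; outbound allowed.
# For the stricter stance mentioned in the text (filter outgoing traffic too), use
# blockinboundalways,blockoutbound and then add explicit outbound allow rules per application.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinboundalways,allowoutbound

# Verify what is now in force
netsh advfirewall show allprofiles | Select-String -Pattern "Profile Settings|^State|Firewall Policy"
```

The "blockinboundalways" policy is the netsh equivalent of the "Block all connections" check box in the firewall GUI: existing inbound allow rules stay defined but are ignored, which is exactly the state the checklist asks for.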
5. Data Execution Prevention (DEP)
Data Execution Prevention (DEP) is a security feature that helps prevent damage to your computer from viruses and other security threats. Harmful programs can try to attack Windows by attempting to run (execute) code from areas of your computer's memory reserved for Windows and other authorized programs. These types of attacks can harm your programs and files. DEP helps protect your computer by monitoring your programs to make sure that they use memory safely. If DEP notices a program on your computer using memory incorrectly, it closes the program and notifies you. Go to System\Advanced System Settings\Performance\Settings\Data Execution Prevention and select ‘Turn on DEP for all programs and services except those I select’.
6. Disable remote assistance and remote desktop connections
If you do not want people tampering with your system remotely, that is, if you do not want to give other people the option of connecting to your precious Windows 7 box and playing around with it, you can turn that option off. Go to Control Panel\System and Security\System\Advanced System Settings\Remote, uncheck ‘Allow Remote Assistance connections to this computer’ and select ‘Don’t allow connections to this computer’.
7. Change User Account Control Settings to highest level
You might get prompted a bit more, but overall security is raised, as you get prompts for more common administrative tasks and can decide whether you actually want to allow each task to run. Go to Control Panel\User Accounts and Family Safety\User Accounts\Change User Account Control Settings and set the slider to the highest level.
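Items 5 to 7 each correspond to a boot setting or a registry value, so they can be applied and verified from one script. The following is an added example, not code from the original checklist; the bcdedit "nx" setting and the registry value names are the documented Windows 7 locations for these settings, and the script assumes an elevated PowerShell prompt. DEP and UAC changes take effect after a reboot.

```powershell
# Added example (not from the checklist): apply items 5-7 (DEP in opt-out mode, Remote
# Assistance and Remote Desktop off, UAC at its highest level) from an elevated PowerShell.
function Set-RegDword($Path, $Name, $Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
    Write-Host ("{0}\{1} = {2}" -f $Path, $Name, $Value)
}

# 5. DEP: OptOut = on for all programs and services except those explicitly excluded
bcdedit /set "{current}" nx OptOut

# 6. Remote Assistance off; Remote Desktop connections denied
Set-RegDword "HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance" fAllowToGetHelp 0
Set-RegDword "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" fDenyTSConnections 1

# 7. UAC at the top of the slider: UAC enabled, always notify, prompt on the secure desktop
$pol = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
Set-RegDword $pol EnableLUA 1
Set-RegDword $pol ConsentPromptBehaviorAdmin 2   # 2 = prompt for consent on the secure desktop
Set-RegDword $pol PromptOnSecureDesktop 1

# Verify
bcdedit /enum "{current}" | Select-String -Pattern "nx"
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance" -Name fAllowToGetHelp
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name fDenyTSConnections
Get-ItemProperty $pol -Name EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop
```

"OptOut" is the mode the checklist describes; "AlwaysOn" is stricter (no exclusions possible) but can break older programs that rely on executing from data pages, which is why the checklist stops at OptOut.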
8. Disable sharing and the NetBios protocol
If you are pretty sure you will not need to share your files over the network, you can go further and completely remove the option to share files.
Disable NetBIOS over TCP/IP on the computer’s network adapters, and clear the check box for ‘File and Printer Sharing for Microsoft Networks’ in the adapter properties so that the machine no longer uses that protocol. Go to Control Panel\Network and Internet\Network Connections.
Right-click the adapter of your choice (if you have more than one) and choose Properties.
Double-click ‘Internet Protocol Version 4 (TCP/IPv4)’, click ‘Advanced’ and open the ‘WINS’ tab.
Check ‘Disable NetBIOS over TCP/IP’. This blocks connections to some of the most insecure, and most exploited, ports on a Windows operating system.
9. Disable unnecessary services
You can stop here, but if you know exactly what your computer will be used for, you can go further and disable some of the many services that Windows 7 runs but that you probably will not need.
Examples of those services are:
a. TCP/IP Netbios helper
b. Server Service
c. Computer Browser
d. Remote Registry
e. HomeGroup Listener (if you are not intending to use the HomeGroup features)
f. HomeGroup Provider (if you are not intending to use the HomeGroup features)
There might be many more, but I have chosen some of the services used for sharing files. If you do not want your Windows computer to be every man’s property, you can safely disable these services to secure your box even more.
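Items 8 and 9 together, as an added example that is not part of the original checklist: the script disables NetBIOS over TCP/IP on every IP-enabled adapter through the WMI SetTcpipNetbios method (2 = disabled) and then stops and disables the six services listed above by their service names. It assumes an elevated PowerShell prompt on Windows 7; the display-name to service-name mapping is the standard one.

```powershell
# Added example (not from the checklist): disable NetBIOS over TCP/IP on every IP-enabled
# adapter and disable the sharing-related services listed above. Elevated PowerShell on Windows 7.
# SetTcpipNetbios values: 0 = use DHCP setting, 1 = enabled, 2 = disabled.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True" | ForEach-Object {
    $result = $_.SetTcpipNetbios(2)
    # ReturnValue 0 = applied, 1 = applied but a reboot is required
    Write-Host ("{0}: SetTcpipNetbios -> {1}" -f $_.Description, $result.ReturnValue)
}

# Service names behind the display names in the list
$services = @{
    "lmhosts"           = "TCP/IP NetBIOS Helper"
    "LanmanServer"      = "Server"
    "Browser"           = "Computer Browser"
    "RemoteRegistry"    = "Remote Registry"
    "HomeGroupListener" = "HomeGroup Listener"
    "HomeGroupProvider" = "HomeGroup Provider"
}
foreach ($name in $services.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -eq $null) { Write-Host "$name not present, skipping"; continue }
    if ($svc.Status -eq "Running") {
        Stop-Service -Name $name -Force -ErrorAction SilentlyContinue   # -Force also stops dependents
    }
    Set-Service -Name $name -StartupType Disabled
    Write-Host ("{0} ({1}): stopped and disabled" -f $services[$name], $name)
}

# Verify: state and start mode of the services we touched
$filter = ($services.Keys | ForEach-Object { "Name='$_'" }) -join " OR "
Get-WmiObject Win32_Service -Filter $filter | Select-Object Name, State, StartMode | Format-Table -AutoSize
```

Disabling the Server service (LanmanServer) also removes the administrative shares (C$, ADMIN$) and anything else that depends on SMB serving, so on a managed machine confirm that remote administration tooling does not rely on it before running this.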
Desktop Hardening Checklist – Windows
Desktop computer security is very important to ITS. To better protect our systems and information, we are asking all ITS employees to run through a short checklist of items based on the Information Security Office Desktop and Laptop Computer Standard.
1. Computer Name
Please list all desktop or laptop machines for which you are the primary user, or for which you have assumed primary responsibility. (List the Computer Name of each machine. If you have more than one machine, please list them on an additional attached page.) To find the computer name for your computer:
For Windows XP:
- Click on the Start menu, choose Control Panel (or Start > Settings > Control Panel)
- Open the System control panel, click on the Computer Name tab
- The “Full Computer Name” is listed in the middle of the window
2. Use Antivirus Software
Most viruses will be caught by antivirus software as long as it is kept up to date. It is absolutely crucial that users run antivirus software on their computers. It is mandatory to have antivirus installed on every system in the network.
3. Install and Run an Anti-Spyware Program
The ISO Desktop Standard requires that all desktop users run an anti-spyware program to search for and clean unwanted spyware programs from your system. Spyware is software that collects information about your system without your knowledge. Anti-spyware software is only recommended if the system is:
a) Used to browse the internet, and
b) There is the potential for a user of the system to use the internet for other than business purposes, and
c) The system will be used to access, store, or process protected information.
4. Make sure your operating system is patched
Many of the exploits circulating through the Internet take advantage of unpatched systems. Keeping your system fully patched is one of the most important security steps you can take, and it is easy to do. The easiest way to keep your system patched is to set it to automatically download and install critical patches. To do this:
For Windows XP:
- Click on the Start menu, choose Control Panel (or Start > Settings > Control Panel)
- Open the Automatic Updates control panel
- Click the Automatic radio button
As an additional measure to ensure that all critical patches have been applied, you should also run a check of your operating system. To do this:
For all Windows systems:
New security bugs are discovered almost every day. In order to keep your system secure it is critical that it be kept up to date with recent patches and software upgrades. Microsoft provides patches to fix these security bugs, but expects you to download and install them. By applying these patches regularly you have a much lower chance of getting a virus, trojan, or worm, as most of these exploit commonly known security holes in unpatched systems. Microsoft releases patches on a regular schedule on the 2nd Tuesday of every month. Other critical patches may be released at any time during the month due to their severity and importance. Be aware that Service Packs and Security Updates are not just applicable to operating systems. Individual applications have their own Service Pack and Security Update requirements. The total security of the system requires attention at both the operating system and the application level. Use the Synechron Patch Management Procedure to push patches to the systems through the WSUS server on a regular basis.
5. Set Strong Passwords
Many systems are compromised as a result of weak or non-existent passwords on accounts. Setting strong passwords that are difficult to guess is important for the security of your system. A strong password is one that:
- Is at least 8 characters long,
- Contains upper and lower case letters,
- Contains at least one number,
- Is changed every 120 days,
- Does not contain your username.
Most RIT users log onto their computer system with a username that matches their RIT computer account. To change the password on this account, please visit http://start.rit.edu and click on “Change your password.” This password will be synchronized across your RIT computer account, the Exchange mail system, and your computer. In addition to the account that matches your RIT computer account, your computer system may have additional accounts. Most systems have a default “Administrator” account. These should have strong passwords as well. To check for additional local accounts and change passwords:
For Windows XP:
- Click on the Start menu, choose Control Panel (or Start > User Accounts)
- Check the accounts that are listed and change the passwords as necessary.
- Click on the account, and click the “Reset Password” button
Password Policy Settings: The following table shows password policy settings to enable and enforce through your server group policy settings.
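Item 4 (and the Windows 7 item "Enable Windows Updates" earlier on this page) can be audited rather than trusted. The script below is an added example, not part of the checklist: it reads the Automatic Updates configuration, preferring the Group Policy keys that a WSUS deployment writes over the local setting, decodes the AUOptions value, reports the WSUS server if one is configured, and warns when the level is below "download and notify". It is read-only and assumes Windows XP or 7.

```powershell
# Added example (not part of the checklist): report how Automatic Updates is configured,
# honouring the Group Policy keys that a WSUS deployment writes. Read-only; Windows XP/7.
$auMeaning = @{
    1 = "Automatic Updates disabled"
    2 = "Notify before download"
    3 = "Auto download, notify before install"
    4 = "Auto download and schedule install"
    5 = "Local administrator chooses"
}
$policyAU = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
$policyWU = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$localAU  = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update"

function Get-RegValue($Path, $Name) {
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    $item.$Name
}

$source = "Group Policy"
$opt = Get-RegValue $policyAU "AUOptions"
if ($opt -eq $null) { $source = "local setting"; $opt = Get-RegValue $localAU "AUOptions" }
$desc = "unknown"
if ($opt -ne $null -and $auMeaning.ContainsKey([int]$opt)) { $desc = $auMeaning[[int]$opt] }
Write-Host ("AUOptions = {0} ({1}) from {2}" -f $opt, $desc, $source)

if ((Get-RegValue $policyAU "NoAutoUpdate") -eq 1) {
    Write-Warning "NoAutoUpdate=1: automatic updating is switched off by policy"
}
if ((Get-RegValue $policyAU "UseWUServer") -eq 1) {
    Write-Host ("Update source: WSUS server {0}" -f (Get-RegValue $policyWU "WUServer"))
} else {
    Write-Host "Update source: Microsoft Update directly"
}
$svc = Get-WmiObject Win32_Service -Filter "Name='wuauserv'"
Write-Host ("Windows Update service: {0}, start mode {1}" -f $svc.State, $svc.StartMode)

# The checklist's minimum is 'download and notify' (3); 4 is the fully automatic setting it prefers
if ($opt -eq $null -or [int]$opt -lt 3) {
    Write-Warning "Automatic Updates is below the required level; set AUOptions to 3 or 4"
}
```

A WSUS deployment that has silently stopped applying (for example a decommissioned server still named in WUServer) shows up here as a healthy-looking policy with no patches arriving, so pair this check with the last-installed date from the Windows Update history when auditing a fleet.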
Account Lockout Policy Settings:
6. Make sure you are running an up to date anti-virus program
For Windows systems:
- Right-click the VirusScan icon in your system tray in the bottom right-hand corner of your screen, and click on “VirusScan Console”. Make sure the following options are set:
  - Buffer Overflow Protection should be “enabled”
  - On-Delivery Email Scanner should be “enabled”
  - On-Access Scanner should be “enabled”
  - AutoUpdate should occur daily, and the Last Result should indicate that “The Update Succeeded”.
7. Run a Desktop Firewall
The desktop standard requires you to run a firewall on your desktop computer.
[Figure 9-1]
Remove any other groups that should not have permissions. There is no need to add the Everyone group (or any other group) and then remove its permissions if the group does not already have permissions: when Windows finds that a listed security principal has no permissions set on a protected resource, it removes it from the access control list completely. Be careful: do not set Read & Execute Deny permissions for the Everyone or Authenticated Users group unless that is your true intent. Administrators and other privileged accounts belong to these larger groups as well, and any permissions you set on them also apply to the more privileged user accounts; a Deny could unintentionally take Read & Execute away from the more specific groups. The key here is to remove Read & Execute permissions from groups that do not need access.
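The "remove, do not deny" rule above, as an added example that is not from the book or the checklist. The folder and group are assumptions; the script disables inheritance while keeping copies of the inherited entries, removes the group's granted rights with icacls instead of adding a Deny, and then scans the resulting ACL for Deny entries on the broad groups that would also block administrators.

```powershell
# Added example (not from the page): take a group's access away from a folder by removing
# its Allow entries, not by adding a Deny. Folder and group are assumed values.
$folder = "C:\Apps\SensitiveTool"    # assumed path
$group  = "Users"                    # assumed group that should no longer read/execute here

# Step 1: stop inheriting from the parent folder. /inheritance:d converts the inherited
# entries into explicit copies first, so nothing disappears silently.
icacls $folder /inheritance:d

# Step 2: remove the group's granted rights. A Deny for Everyone or Authenticated Users
# would also hit Administrators, who are members of both groups.
icacls $folder /remove:g "$group"

# What NOT to do (shown for contrast, not run):
#   icacls $folder /deny "Everyone:(RX)"

# Step 3: review the result and flag any Deny entry on the broad groups
$lines = icacls $folder
$lines
$bad = $lines | Select-String -Pattern "(Everyone|Authenticated Users):.*\(DENY\)"
if ($bad) {
    Write-Warning ("Deny entries on broad groups will also block administrators:`n" + ($bad -join "`n"))
} else {
    Write-Host "No Deny entries on Everyone or Authenticated Users"
}
```

Because the removal is of an Allow entry, administrators keep whatever access their own group entries grant; the only accounts that lose access are those whose sole path to the folder was membership in the removed group, which is the intended outcome.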
16. Use Windows software restriction policy through Group Policy
Use Group Policy to block all extensions related to scripts and to disallow execution of programs like cmd.exe and Regedit.exe.
17. Create regular backups
Files may be lost or corrupted due to hardware and/or software failures, and/or human error (e.g., unintentionally deleting a file); having another copy of critical data taken before such a catastrophe relieves the burden of recreating the lost or corrupted files in their original form. Perform regularly scheduled (e.g., daily and/or weekly) backups of servers according to the Synechron Data Backup Procedure. The backup frequency should be based on the importance of the data and how often it changes.
18. Sanitize your computer before donating and/or disposal
Before selling, donating, or discarding old computers, make sure that sensitive data is removed. Files that are simply deleted can be easily recovered. To sanitize your hard drives, use a program designed to overwrite the drive in a secure manner; formatting your drive does not remove the data effectively.
19. Attack surface must be reduced
Reason: In order to mitigate the risk of compromise, you should only install the components explicitly requested by the customer. Services that should not be used by default:
Find this key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDRom\AutoRun
Change the value to 0 (REG_DWORD).
Secure the registry keys for the SNMP service. Only allow these accounts to access the keys:
Administrators – Full Control
System – Full Control
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities
Secure the registry keys below with this access:
Administrators and System – Full Control
Authenticated Users – Read
Also set auditing for Everyone on these keys; check all checkboxes under Failed and the “Set Value” checkbox under Successful.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_LOCAL_MACHINE\Software\Microsoft\DrWatson (leave the permissions for Terminal Server User, if it exists)
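The registry items of this section (AutoRun off, SNMP keys restricted, the autostart and Uninstall keys restricted and audited), together with the winreg check, the LM-hash setting and the event-log and audit-policy values described in the rest of the section, applied from one script. This is an added example, not the document's own procedure: it assumes an elevated PowerShell on an English-language Windows 7 or Server 2003/2008 system (the account names are the English well-known names), skips DrWatson because its Terminal Server User entry must be reviewed by hand, and leaves keys that do not exist (for example when SNMP is not installed) untouched.

```powershell
# Added example (not from the page): registry permissions, registry auditing, NoLMHash,
# event log sizing and audit policy from this section, applied from an elevated PowerShell.
# Writing a SACL needs SeSecurityPrivilege, which an elevated administrator holds.
$FullControl = [System.Security.AccessControl.RegistryRights]::FullControl
$ReadKey     = [System.Security.AccessControl.RegistryRights]::ReadKey
$SetValue    = [System.Security.AccessControl.RegistryRights]::SetValue
$Inherit     = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$NoProp      = [System.Security.AccessControl.PropagationFlags]::None

function New-Rule($Identity, $Rights) {
    New-Object System.Security.AccessControl.RegistryAccessRule($Identity, $Rights, $Inherit, $NoProp, "Allow")
}
function Set-KeyAcl($Path, $Rules, $Audit) {
    $acl = Get-Acl -Path $Path -Audit
    $acl.SetAccessRuleProtection($true, $false)                  # stop inheriting, drop inherited entries
    foreach ($r in @($acl.Access)) { $acl.RemoveAccessRule($r) | Out-Null }
    foreach ($r in $Rules) { $acl.AddAccessRule($r) }
    if ($Audit) {
        $acl.SetAuditRuleProtection($true, $false)
        foreach ($a in @($acl.Audit)) { $acl.RemoveAuditRule($a) | Out-Null }
        # Everyone: every failed access, plus successful Set Value
        $acl.AddAuditRule((New-Object System.Security.AccessControl.RegistryAuditRule("Everyone", $FullControl, $Inherit, $NoProp, "Failure")))
        $acl.AddAuditRule((New-Object System.Security.AccessControl.RegistryAuditRule("Everyone", $SetValue, $Inherit, $NoProp, "Success")))
    }
    Set-Acl -Path $Path -AclObject $acl
    Write-Host "ACL set on $Path"
}

$adminSys = @((New-Rule "BUILTIN\Administrators" $FullControl), (New-Rule "NT AUTHORITY\SYSTEM" $FullControl))

# CD-ROM AutoRun off
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\CDRom" -Name AutoRun -Value 0 -Type DWord

# SNMP parameter keys: Administrators and SYSTEM only (only if SNMP is installed)
foreach ($k in "PermittedManagers", "ValidCommunities") {
    $p = "HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\$k"
    if (Test-Path $p) { Set-KeyAcl $p $adminSys $false } else { Write-Host "$p absent, skipped" }
}

# Autostart and Uninstall keys: Admins/SYSTEM full control, Authenticated Users read, audited
$readRules = $adminSys + @(New-Rule "NT AUTHORITY\Authenticated Users" $ReadKey)
foreach ($k in "Run", "RunOnce", "RunOnceEx", "Uninstall") {
    $p = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\$k"
    if (Test-Path $p) { Set-KeyAcl $p $readRules $true } else { Write-Host "$p absent, skipped" }
}

# Do not store the LM hash on the next password change
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name NoLMHash -Value 1 -Type DWord

# Report who may use the remote registry pipe (expected: SYSTEM, Administrators, Backup Operators)
(Get-Acl "HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg").Access |
    Select-Object IdentityReference, RegistryRights | Format-Table -AutoSize

# Event logs: 16384 KB each, overwrite as needed (retention off)
foreach ($log in "Application", "Security", "System") { wevtutil sl $log /ms:16777216 /rt:false }

# Audit policy as listed in this section
auditpol /set /category:"Account Logon"      /success:enable  /failure:enable
auditpol /set /category:"Account Management" /success:enable  /failure:enable
auditpol /set /category:"Logon/Logoff"       /success:enable  /failure:enable
auditpol /set /category:"Object Access"      /success:disable /failure:enable
auditpol /set /category:"Policy Change"      /success:enable  /failure:enable
auditpol /set /category:"Privilege Use"      /success:disable /failure:enable
auditpol /set /category:"System"             /success:enable  /failure:enable
auditpol /get /category:*
```

The registry SACLs only produce events once the Object Access category is being audited, which is why the audit-policy lines belong in the same script: without "Audit Object Access: Failure", the Everyone audit entries on the Run keys are inert.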
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
Select "winreg", click Security and then click Permissions. Only System, Administrators and Backup Operators should have permissions. This is the default on a Windows 2003 Server, but it is worth checking anyway.
Navigate to Start / Control Panel / Administrative Tools / Local Security Policy. Expand “Security Settings” and “Local Policies”. Choose “Security Options” and set “Network security: Do not store LAN Manager hash value on next password change” to Enabled.
24. Other settings that must be checked
Reason: Load “Event Viewer” into the MMC. Right-click on each log and choose “Properties”. Set the following values:
Application Log: 16384 kb / Overwrite events as needed
Security Log: 16384 kb / Overwrite events as needed
System Log: 16384 kb / Overwrite events as needed
Navigate to Start / Control Panel / Administrative Tools / Local Security Policy. Expand “Security Settings” and “Local Policies”, then choose “Audit Policy”. Set it up as follows:
Audit Account Logon Events Success, Failure
Audit Account Management Success, Failure
Audit Logon Events Success, Failure
Audit Object Access Failure
Audit Policy Change Success, Failure
Audit Privilege Use Failure
Audit System Events Success, Failure
Remove unnecessary software - all systems come with a predefined set of software packages that are assumed to be useful to most users. Depending on your target use of the system, remove all software that will not be used, such as graphics and office packages on a web server.
Disable or remove unnecessary usernames and passwords - most systems come with many predefined user accounts for all kinds of purposes, from remote support to dedicated accounts for specific services. Remove all remote and support accounts, and all accounts related to services which will not be used. For all accounts that remain in use, ALWAYS change the default passwords.
Disable or remove unnecessary services - as with the two previous points, remove all services which will not be used in production. You can always just disable them, but if you have the choice, remove them altogether. This prevents someone from activating a disabled service further down the line.
Apply patches - after clearing the 'mess' of the default install, apply security and functionality patches for everything that is left on the system, especially the target services.
Run a Nessus scan - update your Nessus scanner and run it. Perform a full scan including the dangerous checks. Do the scan without any firewalls in the path of the scan. Read through the results; there will always be some findings, so you need to analyse them.
Use the system if no vulnerabilities are discovered - after analysing the results, if nothing significant was found, congratulations! You have a hardened system ready for use.
Professional Windows Desktop and Server Hardening
Password policy:

Setting | Domain controller default |
Enforce password history | 10 passwords |
Maximum password age | 40 days |
Minimum password age | 1 day |
Minimum password length | 8 characters |
Password must meet complexity requirements | Enabled |
Store password using reversible encryption for all users in the domain | Disabled |

Account lockout policy:

Setting | Domain controller default |
Account Lockout Duration | 60 minutes (minimum) |
Account Lockout Threshold | 5 attempts |
Reset Account Lockout After | 30 minutes (minimum) |
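To verify that a machine actually carries the values in the two tables above, the effective local policy can be exported with secedit.exe and compared line by line. The block below is an added example, not part of the original checklist: the [System Access] key names are the ones secedit writes in its INF export, the baseline values are copied from the tables, and the sample INF text is constructed to show a non-compliant host.

```powershell
# Added example: compare a host's effective password and lockout policy with
# the tables above. secedit.exe exports local policy as an INF file; the
# [System Access] keys below are the ones secedit itself writes.
# Not part of the original checklist.

function ConvertFrom-SecurityInf {
    # Parses the [System Access] section of a secedit INF export into a hashtable.
    param([Parameter(Mandatory)][string[]]$Lines)
    $settings = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
            $settings[$Matches[1]] = [int]$Matches[2]
        }
    }
    return $settings
}

# Baseline taken from the tables above (ages in days, lockout times in minutes).
# 'min': observed value must be at least Want; 'max': at most Want; 'eq': exact.
$Baseline = @(
    @{ Key = 'PasswordHistorySize';   Want = 10; Rule = 'min'; Name = 'Enforce password history' },
    @{ Key = 'MaximumPasswordAge';    Want = 40; Rule = 'max'; Name = 'Maximum password age (days)' },
    @{ Key = 'MinimumPasswordAge';    Want = 1;  Rule = 'min'; Name = 'Minimum password age (days)' },
    @{ Key = 'MinimumPasswordLength'; Want = 8;  Rule = 'min'; Name = 'Minimum password length' },
    @{ Key = 'PasswordComplexity';    Want = 1;  Rule = 'eq';  Name = 'Complexity requirements' },
    @{ Key = 'ClearTextPassword';     Want = 0;  Rule = 'eq';  Name = 'Reversible encryption' },
    @{ Key = 'LockoutDuration';       Want = 60; Rule = 'min'; Name = 'Account lockout duration (min)' },
    @{ Key = 'LockoutBadCount';       Want = 5;  Rule = 'max'; Name = 'Account lockout threshold' },
    @{ Key = 'ResetLockoutCount';     Want = 30; Rule = 'min'; Name = 'Reset lockout counter after (min)' }
)

function Test-SecurityPolicy {
    param([Parameter(Mandatory)][hashtable]$Settings, [object[]]$Rows = $Baseline)
    foreach ($row in $Rows) {
        $have = $Settings[$row.Key]
        $ok = $false
        if ($null -ne $have) {
            switch ($row.Rule) {
                'eq'  { $ok = ($have -eq $row.Want) }
                'min' { $ok = ($have -ge $row.Want) }
                # -1 means "never" for ages and 0 means "no lockout" for the
                # threshold; both are weaker than any finite limit, so they fail.
                'max' { $ok = ($have -gt 0 -and $have -le $row.Want) }
            }
        }
        # A key secedit did not export (e.g. LockoutDuration when lockout is off) fails too.
        [pscustomobject]@{ Setting = $row.Name; Have = $have; Want = $row.Want
                           Result = $(if ($ok) { 'PASS' } else { 'FAIL' }) }
    }
}

# Constructed sample export (not from a real host): complexity off, 42-day
# maximum age, minimum age 0 and lockout disabled.
$sampleInf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 0
PasswordHistorySize = 10
LockoutBadCount = 0
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"
Test-SecurityPolicy -Settings (ConvertFrom-SecurityInf -Lines $sampleInf) | Format-Table -AutoSize

# Live check (elevated prompt): export, parse, compare, remove the export.
$export = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $export /quiet | Out-Null
if (Test-Path $export) {
    Test-SecurityPolicy -Settings (ConvertFrom-SecurityInf -Lines (Get-Content $export)) | Format-Table -AutoSize
    Remove-Item $export -Force
}
```

On a domain member the exported values are the effective ones after Group Policy, so the same script serves to confirm that the GPO actually reached the workstation. The sample fails six of the nine rows, which is what a default-configured workgroup machine typically looks like.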
7. Run a Desktop Firewall

The desktop standard requires you to run a firewall on your desktop computer.
8. Remove or Delete Software
If existing software isn't needed by any user, uninstall it, delete it, or rename it. As discussed earlier in this book, even when software isn't used, it can make a computer vulnerable. If possible, uninstall or delete the software or service. Using the program's official uninstall program is preferred, as it should remove associated files, folders, and registry entries. Unfortunately, many uninstall routines still leave unneeded files and registry entries even when they claim to be removing them. If the software being removed is high-risk, be sure to manually inspect the related files, folders, and registry keys, and delete them if needed.

Renaming the software executable or folder to something Windows or the end user doesn't expect can be useful when the software is difficult to remove. It's security-by-obscurity, but it can work in preventing easy execution. Be aware that Windows will sometimes track name changes and update the pointers, icons, and shortcuts to the new name. Unfortunately, this method doesn't prevent re-installation. For example, if a network administrator removes America Online's Instant Messaging (AIM) client, there is little to prevent an end user from re-installing it if they have the appropriate admin permissions. Also, you cannot remove, delete, or rename Windows File Protection (WFP)-protected files. If you do any of the preceding, Windows just replaces them in a few seconds. Still, if you can successfully remove unneeded software, it is one of the best ways to strengthen the security of any computer system.

9. All partitions use NTFS

Reason: NTFS supports security properties and auditing. FAT16/32 does not.

Use NTFS Permissions
You can use NTFS permissions to prevent the execution of existing installed software, and in some limited cases, prevent the installation of new software. NTFS permissions are the number one most secure way to prevent the unauthorized execution of existing software. If appropriately used, NTFS is hard to get around or trick. Determine what software most normal users should be able to execute, and if the software cannot be removed completely (e.g., needed for admin purposes or other users on a shared computer), then use appropriately set NTFS permissions to secure it. In most cases, an administrator wants to take away a normal user's Read & Execute permission. As Figure 9-1 shows, a common decision would be to set permissions at the application's folder level and let the resulting permissions be inherited downward. In this case, Figure 9-1 shows the Everyone group's permissions being set to none (as if it had previously had permissions set). Administrators, System, and Service have the expected default Read & Execute permissions.

Figure 9-1

Remove any other groups that should not have permissions. There is no need to add the Everyone group (or any other group) and then remove the permissions if the group does not already have permissions. When Windows realizes that a listed security principal has no permissions set on a protected resource, it will remove it from the access control list completely.

Be careful. Do not set Read & Execute-Deny permissions for the Everyone or Authenticated Users group unless that is your true intent. Administrators and other privileged accounts belong to the larger groups as well, and any permissions you set will also apply to the more privileged user accounts. Doing so could result in Read & Execute permissions unintentionally being taken away from the more specific groups. The key here is to remove Read & Execute permissions from groups that do not need access.
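The folder-level model described above (cut inheritance at the application folder, keep Administrators and SYSTEM, leave ordinary users with no entry at all, and never use a Deny) can be applied with Get-Acl/Set-Acl. This is an added example rather than code from the book: the demo folder under %TEMP% is constructed so the script can be run and reverted safely; point -Path at a real application folder to use it for real, from an administrative prompt.

```powershell
# Added example: apply the folder-level permission model from the text to a
# demo folder, then read back who can still read/execute. Not part of the
# original text; the folder name is constructed for the demo.

function Set-RestrictedAppFolderAcl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Principals that keep access. Everything else is simply absent from the
        # ACL (no Deny entries), which is what the text recommends.
        [string[]]$KeepFullControl = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent and drop the inherited entries, so Users
    # and Everyone do not flow back in through the parent folder's ACL.
    $acl.SetAccessRuleProtection($true, $false)
    # Remove every explicit entry that is already there (copy first: we mutate).
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    # Inherit downward to subfolders and files, as Figure 9-1 describes.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    foreach ($who in $KeepFullControl) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $who, 'FullControl', $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    if ($PSCmdlet.ShouldProcess($Path, 'Replace ACL')) { Set-Acl -Path $Path -AclObject $acl }
}

function Get-ReadExecutePrincipals {
    # Lists principals whose Allow entry grants the full ReadAndExecute set.
    param([Parameter(Mandatory)][string]$Path)
    $rx = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $rx) -eq $rx) } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

$demo = Join-Path $env:TEMP 'hardening-demo-app'   # constructed demo folder
New-Item -ItemType Directory -Path $demo -Force | Out-Null
'Before: ' + ((Get-ReadExecutePrincipals -Path $demo) -join ', ')
Set-RestrictedAppFolderAcl -Path $demo              # add -WhatIf to preview only
'After:  ' + ((Get-ReadExecutePrincipals -Path $demo) -join ', ')
Remove-Item $demo -Recurse -Force
```

On a default installation the "Before" line lists BUILTIN\Users alongside Administrators and SYSTEM (inherited from the parent); after the change only the two kept principals remain. Because no Deny entry is written, an administrator who is also a member of Users is unaffected, which is the pitfall the last paragraph above warns about.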
Preventing New Installs Using NTFS Permissions
The easiest way to prevent new installs using NTFS permissions is to not allow non-admin users to be logged in with admin credentials. Outside of that effort, another way to prevent new installs using NTFS permissions is to remove all permissions on the folders where the software is likely to be installed. Essentially, you want to take away the Read permissions from even the Administrators group, if end users are normally logged on with admin credentials. The true administrator can always take ownership and add back permissions if they are really needed.

10. Use Microsoft Baseline Security Analyzer

This is a free host-based application that is available to download from Microsoft. In addition to detailing missing patches, this tool also performs checks on basic security settings and provides information on remediating any issues found. It is mandatory to scan each server through MBSA and take appropriate action on all the reported issues before putting it into production.

11. Restricting physical and network access to critical or highly sensitive systems

Allow only trusted personnel to have access to critical systems. Establish security practices for users to ensure that only authorized personnel have access to systems that access protected information. If RDP is used, set the encryption level to High.

12. Enable Internet Connection Firewall (ICF) or any Third Party Firewall

Windows Firewall is a software-based, stateful filtering firewall for Windows PCs. It should be enabled on every system, or the system should run another third-party firewall program.

13. Windows Explorer

Configure Windows to always show file extensions. In Windows, this is done through Explorer via the Tools menu: Tools / Folder Options / View, then uncheck "Hide file extensions for known file types". This makes it more difficult for a harmful file (such as an EXE or VBS) to masquerade as a harmless file (such as a TXT or JPG).

14. Configure the Device Boot Order

Configure the device boot order to prevent unauthorized booting from alternate media. It is recommended that the boot order of the system be set to boot from the Hard Disk first, followed by other media such as the CD Drive. This will prevent an unauthorized user from inserting bootable media into the available drives or ports and taking control of the system.

15. Configure services on all the desktops as follows:

Service | Startup Type |
Alerter | Automatic |
Automatic Update | Automatic |
BITS | Automatic |
Messenger | Automatic |
Windows Firewall | Automatic |
Windows Event Log | Automatic |
Remote Registry | Disabled |
SMTP | Disabled |
Server | Disabled |
Secondary Logon | Disabled |
Windows Installer | Disabled |
Computer Browser | Disabled |
Routing and Remote Access | Disabled |
Encrypting File System | Disabled |
SNMP Service | Disabled |
Telnet(Server) | Disabled |
- Help and Support
- IPSEC Services
- Print Spooler
- Windows Firewall/Internet Connection Sharing (ICS)
- Wireless Configuration
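The service table above can be turned into a drift check that is safe to run repeatedly. The block below is an added example, not part of the original checklist: it maps each display name in the table to its short service name (the mapping is mine; the Windows Firewall entry uses the Vista/7 service name MpsSvc, with the XP name noted in a comment), compares against Get-Service, and only changes anything when Repair-ServiceStartup is called explicitly. The items listed above without a startup type are deliberately left out. Get-Service's StartType property requires PowerShell 5.0 or later.

```powershell
# Added example: audit and optionally enforce the startup types in the table.
# Short service names are mapped here by hand from the table's display names.
# Not part of the original checklist.

$DesiredStartup = @{
    'Alerter'        = 'Automatic'   # Alerter
    'wuauserv'       = 'Automatic'   # Automatic Updates
    'BITS'           = 'Automatic'   # Background Intelligent Transfer Service
    'Messenger'      = 'Automatic'   # Messenger
    'MpsSvc'         = 'Automatic'   # Windows Firewall (Vista/7); on XP the service is SharedAccess
    'EventLog'       = 'Automatic'   # Windows Event Log
    'RemoteRegistry' = 'Disabled'    # Remote Registry
    'SMTPSVC'        = 'Disabled'    # SMTP
    'LanmanServer'   = 'Disabled'    # Server
    'seclogon'       = 'Disabled'    # Secondary Logon
    'msiserver'      = 'Disabled'    # Windows Installer
    'Browser'        = 'Disabled'    # Computer Browser
    'RemoteAccess'   = 'Disabled'    # Routing and Remote Access
    'EFS'            = 'Disabled'    # Encrypting File System
    'SNMP'           = 'Disabled'    # SNMP Service
    'TlntSvr'        = 'Disabled'    # Telnet (server)
}

function Get-ServiceDrift {
    # Compares observed services (objects with Name and StartType) with the
    # desired map. A service that is not installed is reported as ABSENT and
    # not counted as drift; an absent Telnet server is the goal, not a finding.
    param(
        [Parameter(Mandatory)][hashtable]$Desired,
        [Parameter(Mandatory)][object[]]$Observed
    )
    $byName = @{}
    foreach ($svc in $Observed) { $byName[$svc.Name.ToLower()] = $svc }
    foreach ($name in ($Desired.Keys | Sort-Object)) {
        $svc  = $byName[$name.ToLower()]
        $have = if ($svc) { [string]$svc.StartType } else { 'ABSENT' }
        [pscustomobject]@{
            Service = $name
            Want    = $Desired[$name]
            Have    = $have
            Drift   = [bool]($svc -and $have -ne $Desired[$name])
        }
    }
}

function Repair-ServiceStartup {
    # Enforces the desired startup type for drifted rows; supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][object[]]$Drift)
    foreach ($row in ($Drift | Where-Object Drift)) {
        if ($PSCmdlet.ShouldProcess($row.Service, "Set startup type to $($row.Want)")) {
            Set-Service -Name $row.Service -StartupType $row.Want
            # Disabling only affects the next start; stop a running service explicitly.
            if ($row.Want -eq 'Disabled') {
                Stop-Service -Name $row.Service -Force -ErrorAction SilentlyContinue
            }
        }
    }
}

# Constructed sample (not a real host): Remote Registry left on, BITS manual,
# everything else from the table absent.
$sample = @(
    [pscustomobject]@{ Name = 'RemoteRegistry'; StartType = 'Automatic' },
    [pscustomobject]@{ Name = 'BITS';           StartType = 'Manual' },
    [pscustomobject]@{ Name = 'wuauserv';       StartType = 'Automatic' }
)
Get-ServiceDrift -Desired $DesiredStartup -Observed $sample |
    Where-Object { $_.Drift } | Format-Table -AutoSize

# Live audit of this machine; uncomment the last line to enforce (elevated).
$drift = Get-ServiceDrift -Desired $DesiredStartup -Observed (Get-Service)
$drift | Where-Object Drift | Format-Table -AutoSize
# Repair-ServiceStartup -Drift $drift -WhatIf
```

The sample run reports exactly two drifted rows (RemoteRegistry and BITS). Keeping the report and the repair as separate functions means the audit can run under a non-admin account on a schedule, and the repair can be reviewed before it is applied.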
21. Don't Let End Users Be Logged In As Admin
One of the single best things you can do to prevent unauthorized software installation is to prevent non-admin users from being logged in as administrators. Non-admin users cannot install most software, modify the HKLM registry key, or add programs to most Windows auto-start areas. Non-admin users normally cannot install programs from the Internet or modify existing program configuration information. Unfortunately, this recommendation doesn't prevent normal users from running already installed software. Unless the user is restricted from running a program using permissions or some other method, Windows allows users to run most programs without administrative access.

22. Lock down the filesystem

Note: %SystemRoot% is the directory that holds the currently running installation of Windows. Normally it is c:\windows.

- Remove "Everyone" and "All Users" from the root of the System disk.
- Change the permissions on %SystemRoot%\repair so that only Administrators and System have access (full access).
- Create a new directory called %SystemRoot%\dump that only Administrators and SYSTEM have full access to. Enable auditing for Everyone on this folder and check all checkboxes under Failed and the "Change Permissions" checkbox under Successful.
- Then go to Control Panel - System - Advanced - Startup and Recovery settings. Change the path at "Dump File" to %SystemRoot%\dump\MEMORY.DMP. (It must end with a filename.)
- Then run drwtsn32.exe and change the "Crash Dump" path to %SystemRoot%\dump\user.dmp.

23. Lock down the registry

Disable AutoRun for CD-ROM drives. Find this key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDRom\AutoRun
Change the value to 0 (REG_DWORD).

Secure the registry keys for the SNMP service. Only allow these accounts to access the keys:
- Administrators – Full Control
- System – Full Control

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities

Secure the registry keys below with this access:
- Administrators and System – Full Control
- Authenticated Users – Read

Also set auditing for Everyone on these keys; check all checkboxes under Failed and the "Set Value" checkbox under Successful.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_LOCAL_MACHINE\Software\Microsoft\DrWatson (Leave the permissions for Terminal Server User, if exists)
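The AutoRun value and the permission and audit settings for the keys listed above can be expressed as PowerShell. The following is an added example and not part of the original checklist: by default the functions only report what they would do, and -Apply writes the change; AutoRun is a REG_DWORD value under the CDRom service key rather than a key of its own, which is how the code addresses it. The DrWatson key is left out because of the Terminal Server User caveat above, and the HKCU demo key is constructed so the ACL logic can be exercised without touching HKLM. Run from an elevated prompt; writing audit entries (the SACL) needs SeSecurityPrivilege, which elevated administrators hold.

```powershell
# Added example: the registry steps above as PowerShell. Report-only unless
# -Apply is given. Not part of the original checklist.

function Set-RegistryAutoRunOff {
    param([switch]$Apply)
    # 'AutoRun' is a REG_DWORD value under the CDRom service key.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\CDRom'
    $cur = (Get-ItemProperty -Path $key -Name AutoRun -ErrorAction SilentlyContinue).AutoRun
    "CDRom AutoRun: current=$cur wanted=0"
    if ($Apply -and $cur -ne 0) { Set-ItemProperty -Path $key -Name AutoRun -Value 0 -Type DWord }
}

function Set-HardenedKeyAcl {
    # Access: Administrators and SYSTEM Full Control, Authenticated Users Read,
    # inheritance from the parent key cut. Audit: Everyone, all rights on
    # Failure, Set Value on Success (the checkbox pattern described above).
    param(
        [Parameter(Mandatory)][string]$KeyPath,
        [switch]$Apply
    )
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit'
    $acl = Get-Acl -Path $KeyPath -Audit
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    foreach ($pair in @(
            @('BUILTIN\Administrators',          'FullControl'),
            @('NT AUTHORITY\SYSTEM',             'FullControl'),
            @('NT AUTHORITY\Authenticated Users', 'ReadKey'))) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
            $pair[0], $pair[1], $inherit, 'None', 'Allow')))
    }
    foreach ($rule in @($acl.Audit)) { [void]$acl.RemoveAuditRule($rule) }
    $acl.AddAuditRule((New-Object System.Security.AccessControl.RegistryAuditRule(
        'Everyone', 'FullControl', $inherit, 'None', 'Failure')))
    $acl.AddAuditRule((New-Object System.Security.AccessControl.RegistryAuditRule(
        'Everyone', 'SetValue', $inherit, 'None', 'Success')))
    $summary = ($acl.Access | ForEach-Object { "$($_.IdentityReference):$($_.RegistryRights)" }) -join '; '
    "$KeyPath -> $summary"
    if ($Apply) { Set-Acl -Path $KeyPath -AclObject $acl }
}

# Keys from the list above that get the Admins/System/Authenticated Users ACL.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Exercise the ACL logic on a constructed demo key, writing for real there only.
$demoKey = 'HKCU:\Software\HardeningDemo'
New-Item -Path $demoKey -Force | Out-Null
Set-HardenedKeyAcl -KeyPath $demoKey -Apply
(Get-Acl -Path $demoKey -Audit).Audit | Format-Table IdentityReference, RegistryRights, AuditFlags -AutoSize
Remove-Item -Path $demoKey -Recurse -Force

# Real targets, report-only; add -Apply after reviewing the printed ACLs.
Set-RegistryAutoRunOff
foreach ($k in $RunKeys) { if (Test-Path $k) { Set-HardenedKeyAcl -KeyPath $k } }
```

Audit entries only produce events once the "Audit Object Access" policy (item 24 below) is enabled for Failure, so the two settings belong together. RunOnceEx does not exist on every build, hence the Test-Path guard.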
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg

Select "winreg". Click Security and then click Permissions. Only System, Administrators and Backup Operators should have permissions. This is set up like this by default on a Windows 2003 Server, but it's worth checking anyway.

Navigate to Start / Control Panel / Administrative Tools / Local Security Policy. Expand "Security Settings" and "Local Policies". Choose "Security Options" and set "Network security: Do not store LAN Manager hash value on next password change" to Enabled.

24. Other settings that must be checked

Load "Event Viewer" into the MMC. Right click on each log and choose "Properties". Set the following values:
- Application Log: 16384 kb / Overwrite events as needed
- Security Log: 16384 kb / Overwrite events as needed
- System Log: 16384 kb / Overwrite events as needed

Navigate to Start / Control Panel / Administrative Tools / Local Security Policy. Expand "Security Settings" and "Local Policies". Choose "Security Options", "Local Policy" and "Auditing Policy". Set it up as follows:
- Audit Account Logon events: Success, Failure
- Audit Account Management: Success, Failure
- Audit Logon Events: Success, Failure
- Audit Object Access: Failure
- Audit Policy Change: Success, Failure
- Audit Privilege Use: Failure
- Audit System Events: Success, Failure

Remove unnecessary software - all systems come with a predefined set of software packages that are assumed to be useful to most users. Depending on your target use of the system, you should remove all software that is not to be used, like graphics and office packages on a web server.

Disable or remove unnecessary usernames and passwords - most systems come with a lot of predefined user accounts for all kinds of purposes, from remote support to dedicated user accounts for specific services. Remove all remote and support accounts, and all accounts related to services which are not to be used. For all used accounts, ALWAYS change the default passwords.

Disable or remove unnecessary services - just as with the two previous points, remove all services which are not to be used in production. You can always just disable them, but if you have the choice, remove them altogether. This will prevent the possible error of someone activating the disabled service further down the line.

Apply patches - after clearing the 'mess' of the default install, apply security and functionality patches for everything that is left in the system, especially the target services.

Run Nessus scan - update your Nessus scanner and let her rip. Perform a full scan including dangerous scans. Do the scan without any firewalls on the path of the scan. Read through the results; there will always be some discoveries, so you need to analyse them.

If no vulnerabilities are discovered, use the system - after the analysis of the results, if there is nothing significant discovered, congratulations! You have a hardened system ready for use.

Professional Windows Desktop and Server Hardening
Hardening Recommendation | Description | Criticality |
Don’t give non-admin users administrator privileges | Will prevent 70-90% of malware today | High |
Keep patches updated | Will prevent many attacks | High |
Use a host-based firewall | | High |
Use antivirus software with an updated signature file | | High |
Use anti-spam software | | Medium |
Use anti-spyware software | | High |
Enable boot-up passwords on portable computers | | Medium |
Enable booting from primary boot drive only | To prevent bypassing of Windows security, password cracking, and boot viruses | Medium on workstations, High on servers |
Password protect the BIOS | To prevent resetting of boot drive | Medium on workstations, High on servers |
Harden TCP/IP stack | To prevent DoS attacks | Low on most computers, high on Internet servers |
Rename Administrator and other highly privileged accounts; create bogus accounts | | Medium/High |
Highly privileged account names should not reflect their roles in the organization | For example, an Exchange Administrator account should not be called ExchAdmin. Better calling it something like PTravers, or some other less notable name | Medium |
Run services on non-default TCP/IP ports | | High |
Install high-risk software to non-default folders | May defeat scripted attacks | Low |
Institute Logon and Account Logon auditing for highly-privileged accounts; consider Per-User Auditing as well. | | Medium |
All highly privileged accounts should have long (15 characters or longer), complex passwords. | To defeat password cracking | High |
Security must be automated | Or it won’t be consistently applied | High |
Disable delegation on highly-privileged users (and any computers) not needing delegation | Can prevent malicious programs from impersonating users to remote services and computers | Low |
On Windows Server 2003 servers required to use delegation, enable constrained delegation. | Minimizes a hacker’s attack space on a server enabled with delegation | Medium |
Make sure SID History filtering is enabled in your environment, which it is by default | Or else, hackers might be able to elevate their privileges | Low |
Use the AGULP method to assign security permissions | Not using it means you don’t really understand what security is set in your environment. | High |
Always assign permissions to groups and never to individual users | Or else control becomes problematic and unmanageable | Medium/High |
Use Advanced Security Settings dialog box when setting NTFS permissions | It will display “true” permissions. Sometimes Windows doesn’t display correct permissions on permissions summary screen. | Medium |
Set Share and NTFS permissions as tight as you can to meet least-privilege principle. | Don’t make Share permissions Everyone Full Control as recommended by many documents. | Medium |
Use Share Change permissions instead of Full Control. | That’s all people need most of the time anyway | Medium |
Use NTFS Modify permission instead of Full Control unless user really needs Full Control | Most non-admin users never need Full Control to a file or folder. | High |
Decrease Number of previous logons to cache to 0-3 versus the default of 10. | By default Windows stores 10 user profiles worth of previous logon names and passwords that may be extracted with admin access and the right tools (e.g. Cachedump.exe) | Low/Medium |
Do not save passwords with your RDP connection objects | They can easily be revealed using Cain & Abel and a locally logged on admin | Medium |
Disable the storage of LM password hashes and force users to change their passwords after LM hash storage is disabled. | Most password cracking programs rely on the existence of LM password hashes | High |
Minimum password size should be 15 characters long. | Disables LM hash storage and presents complexity to password crackers | High/Medium |
Minimum password age should be set to any value above 0. | Prevents password re-use or circumventing Enforce Password history rules. | Medium |
Require long, complex passwords | Prevents password crackers from being successful | High |
Enable Account Lockouts. Set the Account lockout threshold to a certain number of acceptable bad password attempts, say 3 to 5. Set the Reset account lockout counter after to 1 minute (the smallest it can be). Set Account lockout duration to 1 minute. | Stops password guessers | High |
Force password changes every 90 days or less | Stops password guessers, crackers, and rainbow table programs | High/Medium |
Periodically re-create Windows trusts and put in new trust passwords | Needed only in high-security environments | Low |
Consider requiring smart cards or biometrics for highly-privileged accounts | To add extra security | Medium |
Consider only using your most highly-privileged accounts on trusted computers. | You want to ensure that a hardware keyboard logger or trojan isn’t intercepting the password. | Low |
Separate domain admin and enterprise and schema admin roles (don’t give both to same user account). | To prevent island hopping | Medium |
Use different passwords for your different administrative accounts. | To prevent island hopping | High/Medium |
Don’t forget to change passwords on Directory Services Restore Mode admin account occasionally. | To prevent local admin account cracking | Low |
Do periodic password audits using password crackers | To audit the strength of user passwords and monitor compliance. | High |
Enable logon screen warning messages | To defeat many brute force tools | High/Medium |
Consider randomly generating passwords | Would defeat many password cracking tools. This is a good idea, but users are highly resistant to it. | Low (ranking offset by other non-technical issues) |
Disable Autorun.inf feature using registry edit or SRP | To prevent autorun programs from removable media from running malicious commands or programs | Low |
Prevent users from running high-risk files and programs | To prevent malicious use | Medium |
Turn off file extension hiding in Windows Explorer | Malware can use double-naming tricks to confuse users into executing malware. | High |
Disable “Super Hidden” file extensions for high-risk file associations | Else malware can trick users into executing malware by accident | High |
Uninstall, disable, remove, delete, and rename unneeded high-risk files and programs | To prevent malicious exploitation using those same files. | High |
Use NTFS permissions to prevent non-admin users from running high-risk files and folders. | To prevent malicious use | High |
Use GPOs when possible to push NTFS security on high-risk files, folders, and registry keys. | Security permissions will re-apply even if file gets replaced. Make sure to also enable Security policy processing and Process even if Group Policy objects have not changed for the GPO carrying the NTFS permission settings. | High |
Create a LeastPrivilegedUsers_Grp and highly restrict its members | To give them access to only the exact resources they need access to. | High |
Enable Object Access auditing for high-risk critical files. | To monitor unauthorized requests | Medium |
Use Software Restriction Policies to deny all software except that which is specifically allowed. | To prevent unauthorized software execution. One of the single best things you can do to your system. | High |
Block non-admin access to high-risk registry keys | Block non-admin write access to registry "run" keys, and block all non-admin access to high-risk file associations. | High |
Block non-admin access to high-risk URI handlers | To prevent malware execution that depends on rarely used URI handlers. Examples include telnet://, rlogin://, news://, tn3270://, and aim:// if you don't allow AIM. | Medium |
Enable the Confirm open after download file type option for potentially dangerous file types | To prevent automatic malware execution | High |
Make lesser-privileged custom service account for non-default services | Reduce attack surface if service account is compromised | High |
Make custom service account passwords long and complex, and change more frequently than normal accounts | Service account passwords can be extracted in plaintext by an admin user | High |
Use lesser privileged service accounts (LocalService, NetworkService, and custom) when possible instead of LocalSystem or admin-level accounts. | To decrease risk of successful exploit from direct use or buffer overflows | Medium/High |
Prevent unneeded services from executing | Use ACLs, SRP, etc. | High |
Disable services in hardware profiles not needing them | Reduces attack surface area | Medium |
Lock custom service account to the local PC | Prevents island hopping attacks. | Medium |
Consider configuring high-risk services to alert users/administrators when they have stopped (e.g. from a buffer overflow attack), instead of automatically restarting. | Can be configured on the services’ Recovery tab on the Services console. | Medium |
Environments with high-security requirements or expecting attacks against their IPSec infrastructure should enable Perfect Forward Secrecy. | Prevents an attacker who cracks one IPSec secret key from easily brute forcing the others | Low |
Use IPSec to create network security domains, VPNs, and to filter host connections. | Prevents many types of attacks. | Medium/High |
Use latest versions of IE and keep patched | Most resistant version of IE | High |
Use Killbit to stop risky ActiveX controls without easier alternate defenses | Stop malicious ActiveX use | Medium |
Don’t surf untrusted web sites | Avoid malicious code | Medium/High |
Customize and tighten IE’s Internet security zone | Minimize malicious browser attacks | Medium/High |
Use 3rd party tool to protect IE | If additional protection is needed | Medium/High |
Block High-Risk File Attachments | As recommended | High |
Disable HTML Content in e-mail clients | One of the single best things you can do to protect users | High |
Use software that authenticates e-mail links | Hopefully your e-mail or browser client does this | Medium |
Run Anti-virus software that scans e-mail | Run on client and email gateway | High |
Block Unmanaged E-mail Connections (over SMTP, HTTP, etc.) | Unmanaged email provides high-risk opportunities for internal network compromises | High |
Block Spam | Implement at least one non-client-side solution (i.e. on gateway or prior to network perimeter) | High |
Block e-mail clients from using port 25 | Outlook/Exchange clients on the internal LAN use RPC, not SMTP to communicate. By only allowing email servers to use port 25, you will catch SMTP worms and bots with their own email engines | High |
Implement authenticated e-mail protocols | Consider implementing a PKI hierarchy on the LAN, Sender ID (or other anti-spam protocol) to fight spam, and use S/MIME or PGP to authenticate sensitive emails | Medium |
Securely configure email client | To minimize the chances of exploitation | High |
Secure DNS services | To prevent DNS poisoning that can redirect users to bogus web sites | High |
IIS: Only allow the bare minimum of TCP/IP ports to and from the web server | Usually the only ingress filters that should be allowed are 80, maybe 443, and whatever the remote management port requirement is. There should be no egress filters allowed, unless external communications are an authorized component of the server. Do not allow ports 80 and 53 outbound all the time. | High |
IIS: Unless otherwise contraindicated IIS should always be installed on a dedicated computer | To prevent exploitation from other services. | High |
IIS: Check for and install updated hardware drivers | To prevent hardware exploitation. | Medium |
IIS: IIS should be installed on a system with two separate, clean hard drives, each formatted with NTFS | To prevent directory traversal attacks. | Medium/High |
IIS: Install in stand-alone, workgroup mode unless domain authentication is needed. | Less information to be protected if Active Directory is not needed | High |
IIS: Specifically deny access to the IIS anonymous user and anonymous null session | Add the accounts to \Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny logon through Terminal Services | Medium |
IIS: Enable high-level encryption on any Terminal Services connections. | Set under \Computer Configuration\Administrative Templates\Terminal Services\Encryption and Security\Set client connection encryption level | Medium |
IIS: If you use Remote Desktop to administer web server, change RDP port to something random and high | To prevent easy RDP port enumeration and remote password guessing attacks | High |
IIS: Structure web site content directories to maximize security. | | High |
Disable EFS until an EFS recovery policy is defined | Otherwise encrypted files could be lost | High |
Encrypt confidential and sensitive files | To prevent information theft | Medium |
Encrypt sensitive information stored on laptops and other computer assets subject to high-risk of theft | To prevent information theft | Medium/High |
Ensure that a data recovery agent (DRA) is defined on stand-alone XP Pro machines | To prevent EFS-encrypted data from becoming unrecoverable | Medium/High |
Create a custom DRA account to replace the default DRA selection of Administrator | To give added protection to EFS-protected files. Disable the custom DRA account until needed. | Medium/High |
After using or creating a DRA account, export and remove the DRA’s recovery certificate from the system | You can import when needed. Gives added protection to the DRA account and EFS. | Medium/High |
Consider implementing Syskey protection (mode 2 or 3) on computers using EFS | To protect local credentials against password attacks trying to recover EFS keys | Low |
Use GPO software publishing to install and update software | If no other automated software install tool is in use, especially for common Internet Explorer browser add-on programs, like Sun's Java VM, Adobe's Acrobat Reader, RealPlayer, etc. | High/Medium |
Modify the Access this computer from the network right. | Should be set to Authenticated Users and Administrators, not Everyone, in most environments. Must allow the Enterprise Domain Controllers group on Domain Controllers; and add Backup Operators, Everyone, and Pre-Win 2K Compatible groups if they are used. Early versions of OWA required that remote users have this right. | Low/Medium |
Modify the Add workstations to the domain right. | By default all Authenticated Users have this right, consider only granting this right to the Administrators group. | Low/Medium |
Enable the Require Domain Controller authentication to unlock workstation security option | Determines whether or not a domain controller is required to unlock a locked workstation, or whether cached credentials will work. Default is disabled. Should be enabled to prevent timing issues and other types of hacks involving locked screen savers. | Medium |
Use the Restricted Group GPO feature to control the membership of highly-privileged groups | Prevents unauthorized users from remaining in highly-privileged groups for long | High |
Use role-based security in designing your AD structure | Make role-based security templates, role-based OUs, role-based GPOs, etc. | High |
Create and use Local Computer Policy | To prevent users from circumventing GPOs | Medium |
Create and apply a one-time uber-security template to each new or existing PC that fully reflects (as best as possible) your company’s security policy | To make sure all computers meet the defined security policy. | High |
If a cross-forest trust is used, enable selective authentication. | To prevent remote forest users from automatically being added to local forest’s Authenticated Users group upon connection. | High |
Trust passwords should be long and complex | To prevent unauthorized recovery during initial setup. Overall risk is low because attackers haven’t attacked trust passwords much and after the initial setup, Windows frequently changes the password and makes it long and complex. | Low/Medium |
Use Gpresult.exe /V to report effective GPO policy settings instead of RSoP | Gpresult.exe /v can report the effects of Local Computer Policy, while RSoP cannot. | Medium if Local Computer Policy is used, otherwise Low |
Ensure that GPOs get applied during the refresh interval even if the GPO settings did not change | Each GPO category can be disabled or enforced under \Computer Configuration\Administrative Templates\System\GroupPolicy. | Medium/High |
Other than domain-level policies, each GPO should be applied to a computer or user object, but not both at the same time. Disable the Computer Configuration or User Configuration option when not used | This will speed up GPO application significantly | Medium |
Make sure administrators are not exempt from GPO settings | Some sources tell you to remove all GPOs from applying to Admin accounts, which is the wrong advice. | Medium |
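Several rows of the table above map directly onto registry values or audit subcategories, so they can be spot-checked on a host. The block below is an added example and not part of the book's table: the value names (CachedLogonsCount, NoLMHash, HideFileExt, NoDriveTypeAutoRun) are the documented Windows ones, the target values follow the table's rows (cached logons 0-3, LM hashes off, extensions shown, autorun off on every drive type, Logon and Account Logon auditing on), and the snapshot used for the offline run is constructed. auditpol needs an elevated prompt.

```powershell
# Added example: spot-check registry- and auditpol-backed rows of the table.
# Not part of the original book table; the snapshot is constructed.

$Checks = @(
    @{ Row  = 'Number of previous logons to cache (0-3)'
       Key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'CachedLogonsCount'
       Test = { param($v) $null -ne $v -and [int]$v -le 3 } },       # stored as REG_SZ
    @{ Row  = 'LM hash storage disabled'
       Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'NoLMHash'
       Test = { param($v) $v -eq 1 } },
    @{ Row  = 'File extension hiding off (current user)'
       Key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt'
       Test = { param($v) $v -eq 0 } },
    @{ Row  = 'Autorun disabled for all drive types'
       Key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun'
       Test = { param($v) $v -eq 255 } }                              # 0xFF = every drive type
)

function Get-RegistryValueSafe {
    # Returns the value or $null when the key or value does not exist.
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-HardeningRows {
    # Evaluates every check. -Values takes a "key\name" -> value hashtable so a
    # constructed snapshot can be tested without reading the live registry.
    param([object[]]$Rows = $Checks, [hashtable]$Values)
    foreach ($c in $Rows) {
        $v = if ($Values) { $Values["$($c.Key)\$($c.Name)"] } else { Get-RegistryValueSafe -Key $c.Key -Name $c.Name }
        [pscustomobject]@{ Row = $c.Row; Value = $v
                           Result = $(if (& $c.Test $v) { 'PASS' } else { 'FAIL' }) }
    }
}

function Get-AuditSubcategory {
    # Reads one audit subcategory from auditpol's CSV output and returns its
    # inclusion setting, e.g. "Success and Failure"; $null if unavailable.
    param([Parameter(Mandatory)][string]$Subcategory)
    $csv = auditpol /get /subcategory:"$Subcategory" /r 2>$null | ConvertFrom-Csv
    if ($csv) { return $csv[0].'Inclusion Setting' }
    return $null
}

# Constructed snapshot (not a real host): defaults that fail three of four rows.
$snapshot = @{
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount' = '10'
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash'                           = 1
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt' = 1
}
Test-HardeningRows -Values $snapshot | Format-Table -AutoSize

# Live run on this machine, plus the Logon / Account Logon auditing rows.
Test-HardeningRows | Format-Table -AutoSize
foreach ($sub in 'Logon', 'Credential Validation') {
    "Audit '$sub': $(Get-AuditSubcategory -Subcategory $sub)"
}
```

In the snapshot only the NoLMHash row passes: CachedLogonsCount is the Windows default of 10, HideFileExt is on, and NoDriveTypeAutoRun is absent, which the check treats as a failure rather than a pass. "Credential Validation" is the subcategory that the table's "Account Logon" category maps to on Vista and later.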