Learn how to implement the top 10 best practices for Windows security, including keeping systems up-to-date, following Microsoft advice, using native security tools, and designing a baseline policy.
HCWT: 10 Best Practices for Windows Security
How many of them are you doing?
Roberta Bragg
1. Keep Systems Up to Date
• CERT and others: 90 – 95% of successful attacks could be prevented with up-to-date systems
• Every single attack in Hacking Exposed is balanced by a configuration change or patch that already exists
• Many worldwide security attacks would not have succeeded if systems had been updated
How to Keep Systems Up to Date
• Apply Service Packs
• Apply Hotfixes
• Use automated patch distribution
  • 0 – 50 users: use Windows Update
    • Apply Service Pack 3 to Windows 2000 and configure
    • Configure XP
  • 50 – 500 users: use Software Update Services
    • Download free from Microsoft, install and configure
    • Configure clients
  • 500+ users: use the Software Update Services Feature Pack and SMS
    • Download the Feature Pack (free to licensed SMS users)
    • Configure for automated update and auditing
2. Follow Microsoft Advice for Hardening Systems
• Checklists, security templates, instructions abound!
• Use them!
• Many successful attacks could have been prevented by following these instructions.
What Microsoft Advice?
• Windows Security Checklists: www.microsoft.com/security
• Windows Server 2003 Security Guide: http://go.microsoft.com/fwlink/?LinkId=14845
• Windows 2000 Security Operations Guide (and other prescriptive guidance documents): http://msdn.microsoft.com/practices/
3. Use Native Security Tools
• For deploying security settings
  • Security Templates
  • secedit
  • Security Configuration and Analysis
  • Group Policy
• To secure systems
  • Software Restriction Policies
  • Password reset disks
  • Authorization Manager
4. Design a Baseline Policy
• Auditing
• Services
• Accounts
• Security Options
• User Rights
• Then design incremental policies for the computer and user roles in your network
Strengthen Passwords
• Teach users how to make strong passwords
• Write your own passfilt.dll
  • KB article 151082, “Password Change Filtering & Notification in Windows NT”
• Enforce stronger restrictions
• Audit password strength periodically
  • Use LC4
Turn on Auditing – Review Logs
• Monitor for attack indicators
  • 643 domain policy changed
  • 644 user account locked out
  • 675 pre-authentication failed
  • 681 domain logon failure
  • 529, 530, 531, 532, 533, 534, 535, 539, 548, 549 logon failure
• Monitor for attack patterns
  • Large number of failed logons, then success
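The review step on this slide, as an added example that is not part of the original deck: it counts the single-event indicators listed above and flags accounts whose successful logon follows a run of failures. The success IDs 528 and 540 are an assumption (the slide does not name them), and the log records are constructed.

```python
"""Added example (not from the original slides): scan Windows 2000/2003
Security log events for the indicators on the slide and for the pattern
'many failed logons, then a success'. The log records are constructed."""
from collections import Counter, defaultdict

# Logon-failure IDs listed on the slide, plus 675 (Kerberos pre-auth failed)
# and 681 (NTLM domain logon failure), which are also failed logon attempts.
FAILURE_IDS = {529, 530, 531, 532, 533, 534, 535, 539, 548, 549, 675, 681}
# Successful-logon IDs of that era (assumption: 528 interactive, 540 network).
SUCCESS_IDS = {528, 540}
# Single-event indicators the slide says to watch for.
INDICATOR_IDS = {643, 644, 675, 681}

# Constructed sample log: (record number, event ID, target account, workstation)
SAMPLE_LOG = [
    (1, 643, "SYSTEM", "DC01"),           # domain policy changed
    (2, 529, "jsmith", "WKS07"), (3, 529, "jsmith", "WKS07"),
    (4, 529, "jsmith", "WKS07"), (5, 529, "jsmith", "WKS07"),
    (6, 529, "jsmith", "WKS07"),
    (7, 528, "jsmith", "WKS07"),          # success after five failures
    (8, 529, "bob", "WKS02"), (9, 529, "bob", "WKS02"),
    (10, 528, "bob", "WKS02"),            # an ordinary typo, then success
    (11, 681, "svc_backup", "SRV03"), (12, 681, "svc_backup", "SRV03"),
    (13, 681, "svc_backup", "SRV03"), (14, 681, "svc_backup", "SRV03"),
    (15, 681, "svc_backup", "SRV03"),     # failures with no success (yet)
    (16, 644, "mallory", "DC01"),         # account locked out
    (17, 675, "alice", "DC01"),           # Kerberos pre-authentication failed
]


def count_indicators(events):
    """Count occurrences of each single-event indicator ID."""
    return Counter(eid for _, eid, _, _ in events if eid in INDICATOR_IDS)


def failures_then_success(events, threshold=5):
    """Return {account: failure_count} for accounts whose successful logon
    was preceded by at least `threshold` consecutive failed logons."""
    streak = defaultdict(int)
    hits = {}
    for _, eid, account, _ in events:
        if eid in FAILURE_IDS:
            streak[account] += 1
        elif eid in SUCCESS_IDS:
            if streak[account] >= threshold:
                hits[account] = streak[account]
            streak[account] = 0          # a success ends the run either way
    return hits


if __name__ == "__main__":
    print("indicators:", dict(count_indicators(SAMPLE_LOG)))
    print("failures then success:", failures_then_success(SAMPLE_LOG))
```

On a real system the tuples would come from an export of the Security log; the threshold should sit below the domain's lockout count so the pattern is seen before an attacker stops just short of a lockout.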
Adjust User Rights
• Adjust memory quotas for a process: restrict to Administrators, NETWORK SERVICE, LOCAL SERVICE
Use Deny Rights to Restrict Access
• Deny logon rights
  • Deny access to this computer from the network
  • Deny logon locally
  • Deny logon as a batch job
  • Deny logon through Terminal Services
Do Not Grant to Anyone
• Act as part of the operating system
• Debug programs
Restrict to Administrators
• Restore files and folders
• Change the system time
• Allow logon through Terminal Services (on non-Terminal Services boxes)
Deny Access
• To the SUPPORT_388945a0 account
  • Access this computer from the network
  • Log on as a batch job
  • Log on through Terminal Services
• To non-operating-system service accounts
  • Log on through Terminal Services
  • Access this computer from the network
Adjust Security Options
• Rename the Administrator and Guest accounts
• Restrict CD-ROM and floppy access to the locally logged-on user
• Digitally sign network communications
• Restrict anonymous connections
• Tighten the accessible named pipes and shares
• Do not store the LAN Manager hash of the password
• Use NTLMv2 session security
• Use NTLMv2 only; refuse LM and NTLM
• Do not authorize optional subsystems (POSIX)
• Clear the virtual memory page file at shutdown
Manage Event Logs
• Enlarge all logs, especially the Security log
• Archive and clear frequently
• Monitor for sudden increases in size
• Examine contents looking for attack patterns
Manage Services
• Set permissions: who can start, stop, disable?
• Don’t use domain accounts for services
• Disable unnecessary services
  • Will vary for each computer role
  • Create a baseline which disables most; enable those needed only as necessary
Baseline: Unnecessary Services?
Application Layer Gateway Service, Application Management, ASP.NET State Service, Automatic Updates, Background Intelligent Transfer Service, Certificate Services, Client Service for NetWare, Clustering Service*, COM+ System Application, DHCP Server, Distributed Link Tracking Client, Distributed Link Tracking Server, Distributed Transaction Coordinator, DNS Server, Error Reporting Service, Fax Service, File Replication, File Server for Macintosh, FTP Publishing Service

More Services You Don’t Need
Help and Support, HTTP SSL, Human Interface Device Access, IIS Admin Service, IMAPI CD, Infrared, Internet Authentication Service, Internet Connection Firewall, Intersite Messaging, IP Version 6 Helper Service, Kerberos Key Distribution Center, License Logging Service, Message Queuing, Message Queuing Down Level Clients, Message Queuing Triggers, Messenger, Microsoft POP3 Service, MSSQL$UDDI

And More…
MSSQLServerADHelper, .NET Framework Support Service, NetMeeting Remote Desktop Sharing, Network DDE, Network DDE DSDM, NNTP, Portable Media Serial Number, Print Server for Macintosh, Print Spooler, Remote Access Auto Connection Manager, Remote Access Connection Manager, Remote Desktop Help Session Manager, Remote Installation, Remote Procedure Call Locator, Remote Server Manager, Remote Server Monitor, Remote Storage Notification, Remote Storage Manager, Removable Storage, Resultant Set of Policy Provider, Routing and Remote Access, SAP Agent, Secondary Logon

And More…
Shell Hardware Detection, SMTP, Simple TCP/IP Services, Single Instance Storage Groveler, Smart Card, SNMP Service, SNMP Trap Service, Special Administration Console Helper, SQLAgent$, Task Scheduler, TCP/IP Print Server, Telephony, Telnet, Terminal Services Licensing, Terminal Services Session Directory, Themes, Trivial FTP Daemon, UPS, Upload Manager, Virtual Disk Service, Web Client, Web Element Manager, Windows Audio, Windows Image Acquisition (WIA)

And More…
WINS, Windows Media Services, Windows System Resource Manager, WinHTTP Web Proxy Auto-Discovery Service, Wireless Configuration, World Wide Web Publishing Service
Set Restricted Groups
• Add the group
• Enter the authorized members
• Users added in the normal GUI will be removed if not also added here
Set Object ACLs and SACLs
• Use NTFS
• Set common settings in templates and policies
5. Use IPSec Policies
• File Server Example
  • Block access from all to any port
  • Allow access from any source address to the file server for ports 445, 137, 138 and 139
  • Restrict access to Terminal Services (port 3389) by allowing access only from specific computers (this helps to compensate for the blocking of RPC traffic used by many management services)
  • Allow all traffic to and from the file server and domain controllers
  • Allow traffic between the file server and Microsoft Operations Manager (MOM)
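The file-server policy above, as an added example that is not part of the original deck: it models the five filter rules and resolves a packet the way Windows IPsec does, with the most specific matching filter winning over the general block. The addresses, the admin station list and the specificity weights are assumptions.

```python
"""Added example (not from the original slides): resolve the file-server
IPsec policy from the slide for a given packet. Windows IPsec applies the
most specific matching filter; a simple specificity score models that here.
All addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

FILE_SERVER = "10.0.0.10"                        # constructed
DOMAIN_CONTROLLERS = ["10.0.0.1", "10.0.0.2"]    # constructed
MOM_SERVER = "10.0.0.50"                         # constructed
ADMIN_STATIONS = ["10.0.1.15"]                   # constructed: may reach 3389


def _addr_match(pattern: str, addr: str) -> bool:
    return pattern == "any" or ip_address(addr) in ip_network(pattern)


@dataclass(frozen=True)
class Filter:
    name: str
    src: str               # "any" or an address/network
    dst: str
    dport: Optional[int]   # None = any port
    action: str            # "block" or "permit"

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (_addr_match(self.src, src) and _addr_match(self.dst, dst)
                and (self.dport is None or self.dport == dport))

    def specificity(self) -> int:
        # Assumption: a narrowed address outweighs a port restriction.
        return 2 * (self.src != "any") + 2 * (self.dst != "any") + (self.dport is not None)


POLICY = [Filter("block all", "any", "any", None, "block")]
POLICY += [Filter(f"SMB/NetBIOS {p}", "any", FILE_SERVER, p, "permit")
           for p in (445, 137, 138, 139)]
POLICY += [Filter("RDP from admin", a, FILE_SERVER, 3389, "permit") for a in ADMIN_STATIONS]
for dc in DOMAIN_CONTROLLERS:       # both directions, any port
    POLICY += [Filter("to DC", FILE_SERVER, dc, None, "permit"),
               Filter("from DC", dc, FILE_SERVER, None, "permit")]
POLICY += [Filter("to MOM", FILE_SERVER, MOM_SERVER, None, "permit"),
           Filter("from MOM", MOM_SERVER, FILE_SERVER, None, "permit")]


def decide(src: str, dst: str, dport: int) -> str:
    """Return the action of the most specific filter that matches the packet."""
    candidates = [f for f in POLICY if f.matches(src, dst, dport)]
    return max(candidates, key=Filter.specificity).action


if __name__ == "__main__":
    for pkt in [("10.0.2.5", FILE_SERVER, 445), ("10.0.2.5", FILE_SERVER, 135),
                ("10.0.2.5", FILE_SERVER, 3389), ("10.0.1.15", FILE_SERVER, 3389)]:
        print(pkt, "->", decide(*pkt))
```

The 135/tcp case shows the side effect the slide mentions: RPC endpoint mapping from ordinary hosts is blocked, which is why management access has to come in over 3389 from the listed stations or from the DC and MOM addresses.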
6. Use Constrained Delegation
• Only where delegation is required
• No blanket rights
• Only for specific services
• Not for administrator accounts
7. Ensure Correct Time
• NTLMv2 authentication requires client and server clocks to be within 30 minutes of each other
• Kerberos only allows a 5 minute difference
• Event correlation between computers will not be possible if there are time differences
• Evidence must be correctly identified or it is not valid evidence

  w32tm /config /syncfromflags:manual /manualpeerlist:Peerlist
  w32tm /config /update
8. Set Account Restrictions
• Logon hours
• Log on to (workstation restrictions)
• Restrict delegation
• Others
Accounts have unique SIDs; policy that might impact these accounts cannot be centrally set:
• Guest
• the group Guests
• SUPPORT_388945a0
10. Use Certificate Services
• Key archival for EFS
• Certificates for smart cards, authentication, IPSec, email, etc.
• SSL
Bonus: Don’t Use EFS
• Unless properly managed
  • Archived keys
  • Recovery policy in place