Post on 26-Dec-2015
NIST Recommendations for System Administrators for Securing Windows 2000 Professional
Tony Harris, Booz Allen; Murugiah Souppaya, NIST

Outline
Introduction
Why we did it
General hardening principles
Securing Windows 2000 Professional
Securing popular applications
NIST Template
Contact information

NIST Assets Include:
3,000 employees
1,600 guest researchers
$760 million annual budget
NIST Laboratories -- national measurement standards
Advanced Technology Program -- $570 million current R&D partnerships with industry
Manufacturing Extension Partnership -- 400 centers nationwide to help small manufacturers
Baldrige National Quality Award
NIST’s mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life.
National Institute of Standards and Technology
NIST Measurement and Standards Laboratories

NIST Mandate for Computer Security
Develop standards and guidelines for the Federal government
Contribute to improving the security of commercial IT products and strengthening the security of users’ systems and infrastructures

Computer Security Division Mission
To improve information systems security by:
raising awareness of IT risks, vulnerabilities and protection requirements, particularly for new and emerging technologies;
researching, studying, and advising agencies of IT vulnerabilities and devising techniques for the cost-effective security and privacy of sensitive Federal systems;
developing standards, metrics, tests and validation programs to promote, measure, and validate security in systems and services, to educate consumers, and to establish minimum security requirements for Federal systems;
developing guidance to increase secure IT planning, implementation, management and operation.

Recent Documents
Securing Wireless Networks: A Manager's Guide
Designing Secure Wireless Networks
Network Testing Guide
Applying Security Patches
Securing Your Public Webserver
Security Issues and Solutions for E-mail
Telecommuting Security Cookbook
System Administrator Guidance for Securing MS Windows 2000 Professional System

Why did we do it?
NIST recognized a need for a guide to consolidate various best practices
Very little federal guidance exists for securing popular applications
Guide designed for educated users and administrators

Goals
Secure Windows 2000 Professional and the suite of applications found on a desktop system
Built on existing resources, i.e. guides, documents, and recommendations produced by NSA, Microsoft, and the security community
A complete, unified how-to document covering OS and common application installation and configuration, with references and pointers to specialized resources

Document Structure
High-level overview of Windows 2000 built-in security features
Windows 2000 Professional installation recommendations
Patching and updating
Securing the OS
Application security
Description of modified registry keys
Various references for further research

General OS Hardening Principles
Perform a clean installation
Install OS updates and patches
Remove and disable unnecessary services, utilities, and applications
Restrict access to OS critical binaries and to system configuration files and utilities
Least privilege: separate administrator and user roles
Protection of user data through discretionary access control
Auditing of critical files

General Principles for Protecting Applications Against Active Content
Install virus scanners; keep them updated; enable e-mail attachment scanning
Keep applications updated
Remove VBS and VBE file-type associations
Set Outlook attachment security to High
Set macro security to High
Enable digital signatures for safe macros
Set Internet Zone security to High
Utilize the Trusted Sites Zone

System Administrator Guidance for Securing Microsoft Windows 2000 Professional System - Overview
Install OS and default applications
Fully patch the OS and applications
Configure applications
Review the template settings and customize them for your environment
Apply the security template
Test the settings
Deploy within your environment

Windows 2000 Professional Installation
Perform the installation on a secure network segment or off the network
Partition the hard drive using NTFS for system and data files
Install the OS with the minimum required services
Install Internet Protocol (TCP/IP) networking and Client for Microsoft Networks only

Application Installation
Install an anti-virus scanner, e.g. Norton AntiVirus, McAfee, or F-Secure
Install an e-mail client, e.g. Eudora or MS Outlook 2000
Install the browser, e.g. Internet Explorer 6 or Netscape 4.79
Install MS Office 2000, selecting only the required components
Run and test each application

Updates and Patches
Apply the latest service pack, i.e. SP2
Download and install the required hotfixes from the Microsoft security site, http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/current.asp
Windows Update can be used to download and install the patches; use caution for initial updates, since this method requires a connection to the Internet before the system is fully patched.
Download and install all other application patches and updates as required
Periodically scan the system to determine patch status for the OS and all applications.

Microsoft Hotfix Service
Hfnetchk.exe
Tool used to check the hotfix status of a single computer, an IP range, or an entire domain
Can be downloaded from http://www.microsoft.com/downloads/release.asp?releaseid=31154
Latest configuration file can be manually downloaded from http://msvaus.www.conxion.com/download/xml/security/1.0/NT5/EN-US/mssecure.cab
Qchain.exe
Allows installation of multiple hotfixes without rebooting between each
Install hotfixes with the -z switch to disable the reboot after install
Run qchain.exe after the hotfixes have been installed
Run Qfecheck.exe /v to verify the hotfix installation
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q282784

Anti-Virus Configuration
Ensure signatures are up to date
Enable automatic protection
Enable e-mail scanning
Enable Internet filtering
Enable periodic scanning
Enable heuristics, if available
Enable automatic updating

Outlook Client Configuration
Disable auto opening of messages
Disable the preview pane and AutoPreview
Set attachment security to High
Set the security zone to Restricted Sites
Set the macro security level to High
Macros will be silently disabled unless they are signed

Eudora Client Configuration
Ensure that all executable content extension types are registered in the WarnLaunchExtensions list within the Eudora.ini file.
Redirect the Eudora data files into the user's application directory
Ensure that executables in HTML content are not allowed
Do not use Microsoft's viewer
Enable executable warnings

IE Zone Security
Local intranet zone: content located on the internal network
Trusted sites zone: websites entered into the zone are considered reputable and/or trustworthy
Internet zone: untrusted content
Restricted sites zone: highest security level, for untrusted sites and applications
Local machine zone: files on the local computer

IE Configuration
Set the Internet Zone to High
Set the Trusted Sites Zone security to Medium
Add trusted sites that will not function with a High security setting to this zone
Set the intranet setting to the maximum setting your environment can tolerate

Netscape Configuration
Enable the minimum utilities required during the install
Disable Java and JavaScript if not required
Review plug-ins and remove the undesired .dll files for the plug-ins

Office Configuration
Enable digital signatures for trusted macros
Ensure macro security is set to High
Clear the "Trust all installed add-ins and templates" checkbox to apply the macro security settings to preinstalled macros
If required within your environment, all macros can be disabled regardless of their signature status through registry settings

NIST Template Settings
Created by combining recommendations from Microsoft, NSA, and the security community
Few modifications were made to NSA's recommendations
Added several keys and modifications to services
Tested all of the settings using combinations of the applications discussed within the guide

Services Disabled by the NIST Template
Internet Connection Sharing
Routing and Remote Access
Task Scheduler
Telnet
Guidance is given to administrators for disabling additional services

Password Policy Differences
Maximum Password Age (days): NSA = 42; Microsoft = 42; SANS = 45 to 90; NIST = 90
Rationale: system administration cost and time considerations
Minimum Password Age (days): NSA = 2; Microsoft = 2; SANS = 1 to 5; NIST = 1
Rationale: an acceptable length of time to prevent users from changing passwords repeatedly to circumvent the history table
Minimum Password Length (characters): NSA = 12; Microsoft = 8; SANS = 8; NIST = 8
Rationale: system administration cost and time considerations

Account Lockout Policy
Account Lockout Duration (minutes): NSA = 15; Microsoft = 0; SANS = 240; NIST = 15
Rationale: system administration cost and time considerations
Account Lockout Threshold (invalid logon attempts): NSA = 3; Microsoft = 5; SANS = 5; NIST = 3
Rationale: a shorter account lockout duration allows the lockout threshold to be decreased
Reset Account Lockout Counter After (minutes): NSA = 15; Microsoft = 30; SANS = 240; NIST = 15
Rationale: system administration cost and time considerations

Audit Policy
Audit Directory Service Access: NSA = None; Microsoft = Not Defined; SANS = Success, Failure; NIST = None
Audit Object Access: NSA = Failure; Microsoft = Success, Failure; SANS = Success, Failure; NIST = Failure
Audit Privilege Use: NSA = Failure; Microsoft = Success, Failure; SANS = Success, Failure; NIST = Failure
Rationale: changes made to reduce the number of log entries

User Rights Assignment
Access this computer from the network: NSA = Users, Administrators; Microsoft = Not Defined; SANS = None; NIST = Users, Administrators
Bypass traverse checking: NSA = Users; Microsoft = Not Defined; SANS = Administrators; NIST = Users
Rationale: some directory permissions require this privilege
Change system time: NSA = Administrators; Microsoft = Not Defined; SANS = Administrators, Authenticated Users; NIST = Administrators
Rationale: restricted for audit purposes
Force shutdown from a remote location: NSA = Administrators; Microsoft = Not Defined; SANS = None; NIST = Administrators
Rationale: system administration cost and time considerations

Security Options
LAN Manager Authentication Level: NSA, Microsoft & NIST = NTLMv2 / refuse NTLM & LM; SANS = NTLMv2 or NTLM
Rationale: for use in a Windows 2000-only environment
Shutdown immediately if unable to log security audits: NSA = Enabled; Microsoft = Disabled; SANS = Enabled if 9 to 18 GB; NIST = Disabled (enable if site policy requires it)

SynAttackProtect
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect = 2
Hardens the TCP stack against SYN attacks: adjusts the retransmission delays for SYN-ACKs, so TCP connection requests time out quickly when a SYN attack is in progress.

TcpMaxHalfOpen
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen = 100
This key controls the number of connections in the SYN-RCVD state allowed before SYN-attack protection begins to operate.

TcpMaxHalfOpenRetried
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried = 80
This key controls the number of connections in the SYN-RCVD state for which there has been at least one retransmission of the SYN-ACK sent, before SYN-attack protection begins to operate.

EnablePMTUDiscovery
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery = 1
Limits TCP segments to the largest packet size allowed on the path to a remote host, to eliminate packet fragmentation.

EnableICMPRedirects
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirects = 0
This parameter controls whether Windows 2000 will alter its route table in response to ICMP redirect messages sent to it by network devices such as routers; set to 0, the route table is not changed by such messages.

AeDebug\Auto
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Auto = 0
This setting disables auto start of the Dr. Watson program debugger on Windows 2000 Professional. To re-enable the debugger, type the following at the command line: drwtsn -I
The debugger dump files can contain sensitive information.

CreateCrashDump
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DrWatson\CreateCrashDump = 0
If Dr. Watson is enabled, this setting prevents sensitive information from being dumped from memory.
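
The password and lockout policy values and the Tcpip and Dr. Watson registry keys listed above are the kind of settings carried in a secedit-style security template (.inf), with policy values under [System Access] and registry values under [Registry Values] as "type,value" pairs (4 = REG_DWORD, 1 = REG_SZ). The checker below is an added example, not code from the NIST guide or its template: it parses such a template and reports every setting that deviates from the NIST values quoted on these slides. The template text is constructed for the example (with a SANS-style lockout duration, a missing TcpMaxHalfOpenRetried entry, and Dr. Watson left enabled); a template exported by secedit on a real system is UTF-16 encoded and must be opened with that encoding before being passed to check_template.

```python
"""Compare a secedit-style security template (.inf) with the NIST template
values quoted on the slides.  Added example; not the NIST template itself."""

import re

# Expected [System Access] values, taken from the password/lockout slides.
NIST_SYSTEM_ACCESS = {
    "MaximumPasswordAge": "90",
    "MinimumPasswordAge": "1",
    "MinimumPasswordLength": "8",
    "LockoutDuration": "15",
    "LockoutBadCount": "3",
    "ResetLockoutCount": "15",
}

# Expected [Registry Values] entries, taken from the registry-key slides.
# In a .inf template HKEY_LOCAL_MACHINE paths are written with a MACHINE\ prefix.
NIST_REGISTRY = {
    r"MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect": "2",
    r"MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen": "100",
    r"MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried": "80",
    r"MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery": "1",
    r"MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirects": "0",
    r"MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Auto": "0",
    r"MACHINE\SOFTWARE\Microsoft\DrWatson\CreateCrashDump": "0",
}


def parse_template(text):
    """Parse INI-style '[Section]' / 'key=value' text into {section: {key: value}}.
    Keys are lower-cased because registry paths and policy names are not
    case-sensitive on Windows; ';' lines are comments."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def registry_value(entry):
    """Split a 'type,value' registry entry into (type_code, value).
    REG_SZ (type 1) values are usually written in double quotes."""
    type_code, _, value = entry.partition(",")
    return type_code.strip(), value.strip().strip('"')


def check_template(text):
    """Return [(setting, expected, actual), ...] for every deviation from the
    NIST values; actual is None when the template does not set the value."""
    sections = parse_template(text)
    findings = []
    access = sections.get("System Access", {})
    for name, expected in NIST_SYSTEM_ACCESS.items():
        actual = access.get(name.lower())
        if actual != expected:
            findings.append((name, expected, actual))
    registry = sections.get("Registry Values", {})
    for path, expected in NIST_REGISTRY.items():
        entry = registry.get(path.lower())
        actual = registry_value(entry)[1] if entry is not None else None
        if actual != expected:
            findings.append((path, expected, actual))
    return findings


# Constructed sample template (not a real export): lockout duration set to the
# SANS value, TcpMaxHalfOpenRetried absent, Dr. Watson auto-start left enabled.
SAMPLE_TEMPLATE = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 8
LockoutBadCount = 3
ResetLockoutCount = 15
LockoutDuration = 240
[Registry Values]
MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect=4,2
MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen=4,100
MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery=4,1
MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirects=4,0
MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Auto=1,"1"
MACHINE\SOFTWARE\Microsoft\DrWatson\CreateCrashDump=4,0
"""

if __name__ == "__main__":
    for setting, expected, actual in check_template(SAMPLE_TEMPLATE):
        print(f"{setting}: expected {expected}, template has {actual}")
```

Run against the constructed sample, the checker reports three deviations: LockoutDuration (240 instead of 15), TcpMaxHalfOpenRetried (not set), and AeDebug\Auto (1 instead of 0). A value that the template does not set at all is reported separately from a wrong value, because an absent entry leaves whatever the system currently has, which is the case the "review and customize the template" step above is meant to catch.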

Future
Welcome inputs and suggestions from the security community
Areas:
Windows 2000 Server and Active Directory
Windows XP Professional and Home
Microsoft .NET
Suggestions: itsec@nist.gov

Conclusion
Document: http://csrc.nist.gov/itsec/download_W2Kpro.html
Comments, suggestions, and questions: itsec@nist.gov

Disclaimer
Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST, nor does it imply that the products mentioned are necessarily the best available for the purpose.
The following information is provided for Civil and Government agencies requiring security configuration guidelines.
Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment.
This document is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment. Furthermore this guide does not address site-specific configuration issues. Care must be taken when implementing this guide to address local operational and policy concerns.
This document and templates were developed at the National Institute of Standards and Technology by employees of the Federal Government in the course of their official duties. Pursuant to title 17 Section 105 of the United States Code, this document and templates are not subject to copyright protection and are in the public domain. NIST assumes no responsibility whatsoever for their use by other parties, and makes no guarantees, expressed or implied, about their quality, reliability, or any other characteristic. We would appreciate acknowledgement if the documents and templates are used.