10 Best Practices for Windows Security


Transcript of 10 Best Practices for Windows Security

Page 1: 10 Best Practices for Windows Security

Hosted by

10 Best Practices for Windows Security

How many of them are you doing?

Roberta Bragg

HCWT

Page 2: 10 Best Practices for Windows Security

1. Keep Systems up to date

CERT, and others: 90 – 95% of successful attacks could be prevented with up-to-date systems

Every single attack in Hacking Exposed is balanced with a configuration or patch already in existence

Many world-wide security attacks would not have been successful if systems were updated

Page 3: 10 Best Practices for Windows Security

How to Keep Systems Up-to-Date

Apply Service Packs

Apply Hotfixes

Use automated patch distribution
• 0 – 50 users: use Windows Update. Apply Service Pack 3 to Windows 2000 and configure it; configure XP
• 50 – 500 users: use Software Update Services. Download free from Microsoft, install and configure it; configure clients
• 500+ users: use the Software Update Services Feature Pack and SMS. Download the Feature Pack (free to licensed SMS users); configure for automated update and auditing

Page 4: 10 Best Practices for Windows Security

2. Follow Microsoft advice for hardening systems

Checklists, security templates, instructions abound!

Use them!

Many successful attacks could have been prevented by using these instructions.

Page 5: 10 Best Practices for Windows Security

What Microsoft Advice?

Windows Security Checklists:
• www.microsoft.com/security

Windows Server 2003 Security Guide
• http://go.microsoft.com/fwlink/?LinkId=14845

Windows 2000 Security Operations Guide (and other prescriptive guidance documents)
• http://msdn.microsoft.com/practices/

Page 6: 10 Best Practices for Windows Security

3. Use Native Security Tools

For deploying security settings
• Security Templates
• secedit
• Security Configuration and Analysis
• Group Policy

To secure systems
• Software Restriction policies
• Password reset disks
• Authorization manager

Page 7: 10 Best Practices for Windows Security

4. Design a Baseline Policy

• Auditing
• Services
• Accounts
• Security Options
• User Rights

Then design incremental policies for computer and user roles in your network

Page 8: 10 Best Practices for Windows Security

Strengthen passwords

Teach users how to make strong passwords

Write own passfilt.dll
• KB article 151082 “Password Change Filtering & Notification in Windows NT.”
• Enforce stronger restrictions

Audit password strength periodically
• Use LC4


Page 10: 10 Best Practices for Windows Security

Turn on Auditing – Review Logs

Monitor for attack indicators
• 643 domain policy changed
• 644 user account locked
• 675 pre-authentication failed
• 681 domain logon failure
• 529, 530, 531, 532, 533, 534, 535, 539, 548, 549 logon failure

Monitor for attack patterns
• Large number of failed logons, then success
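The "large number of failed logons, then success" pattern from this slide, as an added example (not code from the presentation): a small Python detector run over constructed Security-log records using the event IDs listed above. Event IDs 528 and 540 (successful logon / successful network logon) are assumed here for the "success" side; the slide does not list them.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Event IDs from the slide (Windows 2000/2003 Security log); 528/540 (successful
# logon / network logon) are assumed here, the slide does not list them.
LOGON_FAILURE_IDS = {529, 530, 531, 532, 533, 534, 535, 539, 548, 549, 675, 681}
LOGON_SUCCESS_IDS = {528, 540}
SINGLE_INDICATOR_IDS = {643, 644} | LOGON_FAILURE_IDS
# CONSTRUCTED sample records: (event id, time, account, workstation).
SAMPLE_EVENTS = [
    (529, "2003-06-12 08:00:01", "jdoe", "WS-17"),
    (529, "2003-06-12 08:00:02", "jdoe", "WS-17"),
    (529, "2003-06-12 08:00:03", "jdoe", "WS-17"),
    (529, "2003-06-12 08:00:04", "jdoe", "WS-17"),
    (529, "2003-06-12 08:00:05", "jdoe", "WS-17"),
    (644, "2003-06-12 08:00:05", "jdoe", "DC1"),     # account locked out
    (529, "2003-06-12 08:00:06", "jdoe", "WS-17"),
    (528, "2003-06-12 08:00:30", "JDoe", "WS-17"),   # ...then a success
    (529, "2003-06-12 09:10:00", "asmith", "WS-03"), # one typo, then success: normal
    (528, "2003-06-12 09:10:20", "asmith", "WS-03"),
]

def parse_event(rec):
    """Turn a raw record into a dict with a real timestamp and a normalised account."""
    event_id, stamp, account, host = rec
    return {"id": event_id, "time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
            "user": account.lower(), "host": host}

def indicator_counts(events):
    """Count the single-event indicators the slide lists, keyed by event ID."""
    counts = defaultdict(int)
    for ev in map(parse_event, events):
        if ev["id"] in SINGLE_INDICATOR_IDS:
            counts[ev["id"]] += 1
    return dict(counts)

def failures_then_success(events, min_failures=5, window=timedelta(minutes=10)):
    """Return (account, failure_count, success_time) for each account whose successful
    logon came within `window` of at least `min_failures` failed logons."""
    pending = defaultdict(list)   # account -> timestamps of failures not yet "closed"
    hits = []
    for ev in sorted(map(parse_event, events), key=lambda e: e["time"]):
        if ev["id"] in LOGON_FAILURE_IDS:
            pending[ev["user"]].append(ev["time"])
        elif ev["id"] in LOGON_SUCCESS_IDS:
            recent = [t for t in pending[ev["user"]] if ev["time"] - t <= window]
            if len(recent) >= min_failures:
                hits.append((ev["user"], len(recent), ev["time"]))
            pending[ev["user"]].clear()   # a success resets the run for that account
    return hits
```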

Page 11: 10 Best Practices for Windows Security

Adjust User Rights

Restrict to Administrators, NETWORK SERVICE, LOCAL SERVICE
• Adjust memory quotas

Page 12: 10 Best Practices for Windows Security

Use deny rights to restrict access

Deny logon rights
• Deny access from network
• Deny local logon
• Logon as a batch job
• Logon using terminal services

Page 13: 10 Best Practices for Windows Security


Do not grant to anyone:

Act as part of the operating system

Debug

Page 14: 10 Best Practices for Windows Security

Restrict to Administrators

Right to Restore files and folders

Change System Time

Allow logon to Terminal Services (on non-terminal-services boxes)

Page 15: 10 Best Practices for Windows Security

Deny access

To SUPPORT_388945a0 account
• To computer from network
• Logon as a batch job
• Logon through terminal services

To non-operating-system service accounts
• Logons from terminal services
• To computer from network

Page 16: 10 Best Practices for Windows Security


Adjust Security Options

Rename administrator, guest account

Restrict CD-ROM, floppy to local user

Digitally sign network communications

Restrict anonymous connections

Tighten accessible named pipes/shares

Do not store LAN Manager password

Use NTLMv2 session security

Use NTLMv2 only, refuse LM and NTLM

Do not authorize subsystems (POSIX)

Shutdown: clear memory page file

Page 17: 10 Best Practices for Windows Security

Manage Event Logs

Enlarge all

Especially security log

Archive and clear frequently

Monitor for sudden increase in size

Examine contents looking for attack patterns

Page 18: 10 Best Practices for Windows Security

Manage Services

Set permissions: who can start, stop, disable?

Don’t use domain accounts for services

Disable unnecessary services
• Will vary for each computer role
• Create a baseline which disables most; enable those needed only as necessary

Page 19: 10 Best Practices for Windows Security

Unnecessary services? Baseline:

Application Layer Gateway Service

Application Management

ASP .NET State Service

Automatic Updates

Background Intelligent Transfer Service

Certificate Services

Client Service for Netware

Clustering Service

COM+ System Application

DHCP Server

Distributed Link Tracking Client

Distributed Link Tracking Server

Distributed Transaction Coordinator

DNS Server

Error Reporting Service

Fax Service

File Replication

File Server for Macintosh

FTP Publishing Service

Page 20: 10 Best Practices for Windows Security

More services you don’t need

Help and Support

HTTP SSL

Human Interface Device Access

IIS Admin Service

IMAPI CD

Infrared

Internet Authentication Service

Internet Connection Firewall

Intersite Messaging

IP Version 6 Helper Service

Kerberos Key Distribution Center

License Logging Service

Message Queuing

Message Queuing Down Level Clients

Message Queuing Triggers

Messenger

Microsoft POP3 Service

MSSQL$UDDI

Page 21: 10 Best Practices for Windows Security


And More…

MSSQLServerADHelper

.NET Framework Support Service

NetMeeting Remote Desktop Sharing

Network DDE

Network DDE DSDM

NNTP

Portable Media Serial Number

Print Server for Macintosh

Print Spooler

Remote Access Auto Connection Manager

Remote Access Connection Manager

Remote Desktop Help Session Manager

Remote Installation

Remote Procedure Call Locator

Remote Server Manager

Remote Server Monitor

Remote Storage Notification

Remote Storage Manager

Removable Storage

Resultant Set of Policy Provider

Routing and Remote Access

SAP Agent

Secondary Logon

Page 22: 10 Best Practices for Windows Security


And More

Shell Hardware Detection

SMTP

Simple TCP/IP Services

Single Instance Storage Groveler

Smart Card

SNMP Service

SNMP Trap Service

Special Administration Console Helper

SQLAgent$

Task Scheduler

TCP/IP Print Server

Telephony

Telnet

Terminal Services Licensing

Terminal Services Session Directory

Themes

Trivial FTP Daemon

UPS

Upload manager

Virtual Disk Service

Web Client

Web Element Manager

Windows Audio

Windows Image Acquisition (WIA)

Page 23: 10 Best Practices for Windows Security

And more…

WINS

Windows Media Services

Windows System Resource Manager

WinHTTP Web Proxy Auto-Discovery Service

Wireless Configuration

World Wide Web Publishing Service

Page 24: 10 Best Practices for Windows Security

Set Restricted Groups

Add group

Enter authorized members

Users added in normal GUI will be removed if not also added here

Page 25: 10 Best Practices for Windows Security

Set Object ACLs, SACLs

Use NTFS

Set common settings in templates, policies

Page 26: 10 Best Practices for Windows Security

5. Use IPSec Policies

File Server Example
• Block access from all to any port
• Allow access from any source address to the file server for ports 445, 137, 138 and 139
• Restrict access to terminal services (port 3389) by allowing access from specific computers (this helps to compensate for the blocking of RPC traffic used by many management services)
• Allow all traffic to and from the file server and domain controllers
• Allow traffic between the file server and Microsoft Operations Manager (MOM)

Page 27: 10 Best Practices for Windows Security


6. Use Constrained Delegation

Only where delegation is required

No blanket rights

Only for specific services

Not for administrator accounts

Page 28: 10 Best Practices for Windows Security

7. Ensure Correct Time

• NTLMv2 authentication requires client and server clocks to be within 30 minutes of each other.
• Kerberos only allows a 5 minute difference.
• Event correlations between computers will not be possible if there are time differences.
• Evidence must be correctly identified or it is not valid evidence.

w32tm /config /syncfromflags:manual /manualpeerlist:Peerlist
w32tm /config /update

(Peerlist stands for your own list of time servers.)

Page 29: 10 Best Practices for Windows Security


8. Set account restrictions

• Logon hours

• Logon to

• Restrict delegation

• others

Page 30: 10 Best Practices for Windows Security

Accounts have unique SIDs; policy that might impact these accounts cannot be centrally set
• Guest
• the group Guests
• SUPPORT_388945a0

Page 31: 10 Best Practices for Windows Security


9. Use Administrative Templates

Page 32: 10 Best Practices for Windows Security

10. Use Certificate Services

Key archival for EFS

Certificates for smart cards, authentication, IPSec, email etc.

SSL

Page 33: 10 Best Practices for Windows Security

Bonus - Don’t use EFS

Unless properly managed
• Archived keys
• Recovery policy in place