10 Best Practices for Windows Security
Transcript of 10 Best Practices for Windows Security
Hosted by
10 Best Practices for Windows Security
How many of them are you doing?
Roberta Bragg
HCWT
1. Keep Systems up to date
CERT, and others: 90 – 95% of successful attacks could be prevented with up-to-date systems
Every single attack in Hacking Exposed is balanced with a configuration or patch already in existence
Many world-wide security attacks would not have been successful if systems were updated
How to Keep Systems Up-to-Date
Apply Service Packs
Apply Hotfixes
Use automated patch distribution
• 0 – 50 users: use Windows Update. Apply Service Pack 3 to Windows 2000 and configure it; configure XP
• 50 – 500 users: use Software Update Services. Download free from Microsoft, install and configure; configure clients
• 500+ users: use the Software Update Services Feature Pack and SMS. Download the Feature Pack (free to licensed SMS users); configure for automated update and auditing
2. Follow Microsoft advice for hardening systems
Checklists, security templates, instructions abound!
Use them!
Many successful attacks could have been prevented by using these instructions.
What Microsoft Advice?
Windows Security Checklists: www.microsoft.com/security
Windows Server 2003 Security Guide: http://go.microsoft.com/fwlink/?LinkId=14845
Windows 2000 Security Operations Guide (and other prescriptive guidance documents)
• http://msdn.microsoft.com/practices/
3. Use Native Security Tools
For deploying security settings
• Security Templates
• secedit
• Security Configuration and Analysis
• Group Policy
To secure systems
• Software Restriction Policies
• Password reset disks
• Authorization Manager
4. Design a Baseline Policy
Auditing
Services
Accounts
Security Options
User Rights
Then design incremental policies for computer and user roles in your network
Strengthen passwords
Teach users how to make strong passwords
Write own passfilt.dll
• KB article 151082 “Password Change Filtering & Notification in Windows NT.”
• Enforce stronger restrictions
Audit password strength periodically
• Use LC4
Turn on Auditing – Review Logs
Monitor for attack indicators
• 643 domain policy changed
• 644 user account locked
• 675 pre-authentication failed
• 681 domain logon failure
• 529, 530, 531, 532, 533, 534, 535, 539, 548, 549 logon failure
Monitor for attack patterns
• Large number of failed logons, then success
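A detection pass over the event IDs on this slide, added here as an example and not part of the original presentation: it reports the single-event indicators (643, 644, 675, 681) and the pattern of many failed logons followed by a success for the same account. The log records are constructed, and 528/540 are assumed as the Windows 2000/2003 successful-logon IDs, which the slide does not list.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Single-event indicators named on the slide (Windows 2000/2003 security log IDs).
INDICATORS = {643: "domain policy changed", 644: "user account locked out",
              675: "pre-authentication failed", 681: "domain logon failure"}
# Logon-failure IDs from the slide; 528/540 are assumed successful-logon IDs.
LOGON_FAILURE = {529, 530, 531, 532, 533, 534, 535, 539, 548, 549, 675, 681}
LOGON_SUCCESS = {528, 540}

def parse(line):
    """Parse one constructed 'ISO-timestamp,event_id,account' record."""
    ts, eid, acct = line.split(",")
    return datetime.fromisoformat(ts), int(eid), acct

def find_indicators(lines):
    """Every single-event indicator as (event_id, account, description)."""
    return [(eid, acct, INDICATORS[eid])
            for _, eid, acct in map(parse, lines) if eid in INDICATORS]

def find_brute_force(lines, threshold=5, window=timedelta(minutes=10)):
    """Accounts with >= threshold failures inside `window` followed by a success."""
    recent = defaultdict(list)   # account -> timestamps of its recent failures
    hits = []
    for ts, eid, acct in sorted(map(parse, lines)):
        if eid in LOGON_FAILURE:
            recent[acct] = [t for t in recent[acct] if ts - t <= window] + [ts]
        elif eid in LOGON_SUCCESS:
            if len(recent[acct]) >= threshold:
                hits.append((acct, len(recent[acct]), ts))
            recent[acct].clear()
    return hits

SAMPLE = [  # constructed log records, not real data
    "2024-01-15T09:00:00,529,bob", "2024-01-15T09:00:20,529,bob",
    "2024-01-15T09:00:40,529,bob", "2024-01-15T09:01:00,529,bob",
    "2024-01-15T09:01:20,539,bob", "2024-01-15T09:01:40,529,bob",
    "2024-01-15T09:02:00,644,bob", "2024-01-15T09:05:00,528,bob",
    "2024-01-15T09:03:00,529,alice", "2024-01-15T09:03:30,528,alice",
    "2024-01-15T10:00:00,643,DOMAIN",
]

if __name__ == "__main__":
    for eid, acct, what in find_indicators(SAMPLE):
        print(f"indicator {eid} ({what}) for {acct}")
    for acct, n, ts in find_brute_force(SAMPLE):
        print(f"{acct}: {n} failures then success at {ts}")
```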
Adjust User Rights
Restrict to Administrators, NETWORK SERVICE, LOCAL SERVICE
• Adjust memory quotas
Use deny rights to restrict access
Deny logon rights
• Deny access from network
• Deny local logon
• Logon as a batch job
• Logon using terminal services
Do not grant to anyone:
Act as part of the operating system
Debug
Restrict to Administrators
Right to Restore files and folders
Change System Time
Allow logon to Terminal Services (on non-terminal-services boxes)
Deny access
To SUPPORT_388945a0 account
• To this computer from the network
• Logon as a batch job
• Logon through terminal services
To non-operating-system service accounts
• Logon through terminal services
• To this computer from the network
Adjust Security Options
Rename administrator, guest account
Restrict CD-ROM, floppy to locally logged-on user
Digitally sign network communications
Restrict anonymous connections
Tighten accessible named pipes/shares
Do not store LAN Manager password hash
Use NTLMv2 session security
Use NTLMv2 only, refuse LM and NTLM
Do not authorize subsystems (POSIX)
Clear virtual memory page file at shutdown
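An audit of a secedit security template (.inf) against four of the options above and the two "grant to nobody" rights (Act as part of the operating system, Debug), added here as an example rather than code from the presentation: it parses the [Registry Values] and [Privilege Rights] sections and reports deviations. The template text is constructed; the registry value names, DWORD values (LmCompatibilityLevel 5, NoLMHash 1, NTLMMinClientSec 0x20080000, ClearPageFileAtShutdown 1) and privilege names are the standard Windows ones, while the reader is a hand-rolled stand-in for secedit /analyze.

```python
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
MEMMGMT = r"MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management"
# Registry values for four of the slide's options, as .inf writes them: "type,data", type 4 = REG_DWORD.
REQUIRED_REGISTRY = {
    LSA + r"\LmCompatibilityLevel": "4,5",             # send NTLMv2 only, refuse LM and NTLM
    LSA + r"\NoLMHash": "4,1",                         # do not store the LAN Manager hash
    LSA + r"\MSV1_0\NTLMMinClientSec": "4,537395200",  # NTLMv2 session security + 128-bit (0x20080000)
    MEMMGMT + r"\ClearPageFileAtShutdown": "4,1",      # clear page file at shutdown
}
MUST_BE_EMPTY = {"SeTcbPrivilege": "Act as part of the operating system", "SeDebugPrivilege": "Debug programs"}  # grant to nobody

def parse_template(text):
    """Hand-rolled reader for secedit .inf text -> {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections

def audit(template_text):
    """Return a list of findings; an empty list means the template meets every check."""
    tmpl = parse_template(template_text)
    findings, reg = [], tmpl.get("Registry Values", {})
    for key, want in REQUIRED_REGISTRY.items():
        got = reg.get(key)
        if got != want:
            findings.append(f"{key.rsplit(chr(92), 1)[-1]}: expected {want}, found {got}")
    for priv, name in MUST_BE_EMPTY.items():
        holders = tmpl.get("Privilege Rights", {}).get(priv, "")
        if holders:
            findings.append(f"{name} ({priv}) granted to {holders}")
    return findings

SAMPLE_TEMPLATE = r"""
; constructed fragment for this example, not a Microsoft-supplied template
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,537395200
[Privilege Rights]
SeTcbPrivilege =
SeDebugPrivilege = *S-1-5-32-544
"""
```

Running audit(SAMPLE_TEMPLATE) reports the weak LmCompatibilityLevel, the missing ClearPageFileAtShutdown value and the Debug right held by Administrators.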
Manage Event Logs
Enlarge all, especially the security log
Archive and clear frequently
Monitor for sudden increase in size
Examine contents looking for attack patterns
Manage Services
Set permissions: who can start, stop, disable?
Don’t use domain accounts for services
Disable unnecessary services
• Will vary for each computer role
• Create a baseline which disables most; enable those needed only as necessary
Unnecessary services? Baseline:
Application Layer Gateway Service
Application Management
ASP.NET State Service
Automatic Updates
Background Intelligent Transfer Service
Certificate Services
Client Service for NetWare
Clustering Service*
COM+ System Application
DHCP Server
Distributed Link Tracking Client
Distributed Link Tracking Server
Distributed Transaction Coordinator
DNS Server
Error Reporting Service
Fax Service
File Replication
File Server for Macintosh
FTP Publishing Service
More services you don’t need
Help and Support
HTTP SSL
Human Interface Device Access
IIS Admin Service
IMAPI CD
Infrared
Internet Authentication Service
Internet Connection Firewall
Intersite Messaging
IP Version 6 Helper Service
Kerberos Key Distribution Center
License Logging Service
Message Queuing
Message Queuing Down Level Clients
Message Queuing Triggers
Messenger
Microsoft POP3 Service
MSSQL$UDDI
And More…
MSSQLServerADHelper
.NET Framework Support Service
NetMeeting Remote Desktop Sharing
Network DDE
Network DDE DSDM
NNTP
Portable Media Serial Number
Print Server for Macintosh
Print Spooler
Remote Access Auto Connection Manager
Remote Access Connection Manager
Remote Desktop Help Session Manager
Remote Installation
Remote Procedure Call Locator
Remote Server Manager
Remote Server Monitor
Remote Storage Notification
Remote Storage Manager
Removable Storage
Resultant Set of Policy Provider
Routing and Remote Access
SAP Agent
Secondary Logon
And More
Shell Hardware Detection
SMTP
Simple TCP/IP Services
Single Instance Storage Groveler
Smart Card
SNMP Service
SNMP Trap Service
Special Administration Console Helper
SQLAgent$
Task Scheduler
TCP/IP Print Server
Telephony
Telnet
Terminal Services Licensing
Terminal Services Session Directory
Themes
Trivial FTP Daemon
UPS
Upload Manager
Virtual Disk Service
Web Client
Web Element Manager
Windows Audio
Windows Image Acquisition (WIA)
And more…
WINS
Windows Media Services
Windows System Resource Manager
WinHTTP Web Proxy Auto-Discovery Service
Wireless Configuration
World Wide Web Publishing Service
Set Restricted Groups
Add group
Enter authorized members
Users added in normal GUI will be removed if not also added here
Set Object ACLs, SACLs
Use NTFS
Set common settings in templates, policies
5. Use IPSec Policies
File Server Example
Block access from all to any port
Allow access from any source address to the file server for ports 445, 137, 138 and 139
Restrict access to terminal services (port 3389) by allowing access from specific computers (this helps to compensate for the blocking of RPC traffic used by many management services)
Allow all traffic to and from the file server and domain controllers
Allow traffic between the file server and Microsoft Operations Manager (MOM)
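A model of the file server policy above, added as an example and not code from the presentation: it assumes the Windows IPsec rule that the most specific matching filter takes precedence, which is what lets a "block all" filter coexist with narrower allow filters. Addresses are constructed, the protocol is ignored (137/138 are UDP, 139/445 TCP), and only the filter-action decision is modelled, not IPsec negotiation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

FILE_SERVER, MOM = "10.0.0.10", "10.0.0.50"          # constructed addresses
DCS, ADMIN_WORKSTATIONS = ["10.0.0.1", "10.0.0.2"], ["10.0.1.5"]

@dataclass
class Filter:
    src: str               # IP, CIDR network, or "any"
    dst: str
    dport: Optional[int]   # destination port, None = any (protocol ignored here)
    action: str            # "allow" or "block"

    def matches(self, src, dst, dport):
        def addr_ok(pattern, addr):
            return pattern == "any" or ip_address(addr) in ip_network(pattern, strict=False)
        return addr_ok(self.src, src) and addr_ok(self.dst, dst) and self.dport in (None, dport)

    def specificity(self):
        """Stand-in for Windows IPsec ordering: the most specific filter takes precedence."""
        score = 0 if self.dport is None else 1
        for pattern in (self.src, self.dst):
            score += 0 if pattern == "any" else ip_network(pattern, strict=False).prefixlen
        return score

def file_server_policy():
    """The slide's five rules, in the order listed."""
    rules = [Filter("any", FILE_SERVER, None, "block")]
    rules += [Filter("any", FILE_SERVER, port, "allow") for port in (445, 137, 138, 139)]
    rules += [Filter(ws, FILE_SERVER, 3389, "allow") for ws in ADMIN_WORKSTATIONS]
    for peer in DCS + [MOM]:   # all traffic to and from DCs; MOM traffic both ways
        rules += [Filter(peer, FILE_SERVER, None, "allow"), Filter(FILE_SERVER, peer, None, "allow")]
    return rules

def decide(rules, src, dst, dport):
    """Action of the most specific matching filter; traffic no filter covers is left alone."""
    hits = [f for f in rules if f.matches(src, dst, dport)]
    return max(hits, key=Filter.specificity).action if hits else "allow"

if __name__ == "__main__":
    policy = file_server_policy()
    for src, port in [("10.0.2.7", 445), ("10.0.2.7", 3389), ("10.0.1.5", 3389), ("10.0.0.1", 135)]:
        print(f"{src} -> {FILE_SERVER}:{port}: {decide(policy, src, FILE_SERVER, port)}")
```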
6. Use Constrained Delegation
Only where delegation is required
No blanket rights
Only for specific services
Not for administrator accounts
7. Ensure Correct Time
• NTLMv2 authentication requires client and server clocks to be within 30 minutes of each other.
• Kerberos only allows a 5 minute difference.
• Event correlation between computers will not be possible if there are time differences.
• Evidence must be correctly identified or it is not valid evidence.
w32tm /config /syncfromflags:manual /manualpeerlist:Peerlist
w32tm /config /update
8. Set account restrictions
• Logon hours
• Logon to
• Restrict delegation
• Others
Accounts have unique SIDs; policy that might impact these accounts cannot be centrally set
• Guest
• the group Guests
• SUPPORT_388945a0
9. Use Administrative Templates
10. Use Certificate Services
Key archival for EFS
Certificates for smart cards, authentication, IPSec, email etc.
SSL
Bonus - Don’t use EFS
Unless properly managed
Archived keys
Recovery policy in place