10 Best Practices for Windows Security - PowerPoint PPT Presentation

Slides: 34
Provided by: searchwini
Transcript and Presenter's Notes

1
10 Best Practices for Windows Security
  • How many of them are you doing?
  • Roberta Bragg

2
1. Keep Systems Up to Date
  • CERT and others: 90-95% of successful
    attacks could be prevented with up-to-date
    systems
  • Every single attack in Hacking Exposed is
    balanced with a configuration or patch already in
    existence
  • Many world-wide security attacks would not have
    been successful if systems were updated

3
How to Keep Systems Up-to-Date
  • Apply Service Packs
  • Apply Hotfixes
  • Use automated patch distribution
      • 0-50 users: use Windows Update
          • Apply Service Pack 3 (Windows 2000) and
            configure
          • Configure XP
      • 50-500 users: use Software Update Services
          • Download free from Microsoft, install and
            configure
          • Configure clients
      • 500 or more users: use the Software Update
        Services Feature Pack and SMS
          • Download Feature Pack (free to licensed SMS
            users)
          • Configure for automated update and auditing

4
2. Follow Microsoft advice for hardening systems
  • Checklists, security templates, instructions
    abound!
  • Use them!
  • Many successful attacks could have been prevented
    by using these instructions.

5
What Microsoft Advice?
  • Windows Security Checklists
    www.microsoft.com/security
  • Windows Server 2003 Security Guide
    http://go.microsoft.com/fwlink/?LinkId=14845
  • Windows 2000 Security Operations Guide (and other
    prescriptive guidance documents)
    http://msdn.microsoft.com/practices/

6
3. Use Native Security Tools
  • For deploying security settings
      • Security Templates
      • secedit
      • Security Configuration and Analysis
      • Group Policy
  • To secure systems
      • Software Restriction Policies
      • Password reset disks
      • Authorization Manager

7
4. Design a Baseline Policy
  • Auditing
  • Services
  • Accounts
  • Security Options
  • User Rights
  • Then design incremental policies for computer and
    user roles in your network

8
Strengthen Passwords
  • Teach users how to make strong passwords
  • Write your own passfilt.dll
      • KB article 151082, "Password Change Filtering &
        Notification in Windows NT"
  • Enforce stronger restrictions
  • Audit password strength periodically
      • Use LC4

9
10
Turn on Auditing, Review Logs
  • Monitor for attack indicators
      • 643 domain policy changed
      • 644 user account locked
      • 675 pre-authentication failed
      • 681 domain logon failure
      • 529, 530, 531, 532, 533, 534, 535, 539, 548, 549
        logon failure
  • Monitor for attack patterns
      • Large number of failed logons, then success
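The "many failures, then success" pattern from this slide, as an added detection example (not part of the presentation). It runs over constructed records in a made-up whitespace format rather than real event-log export; the failure and indicator IDs are the ones listed above, while 528 and 540 as the "successful logon" IDs are an assumption the slide does not state.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs listed on the slide (classic Windows 2000/2003 Security log).
INDICATOR_IDS = {643: "domain policy changed", 644: "user account locked"}
FAILURE_IDS = {529, 530, 531, 532, 533, 534, 535, 539, 548, 549, 675, 681}
# Assumption (not on the slide): 528 = successful logon, 540 = successful
# network logon, used here as the "then success" half of the pattern.
SUCCESS_IDS = {528, 540}

def parse(line):
    """Constructed record format: '<ISO time> <event id> <account> <source>'."""
    ts, eid, account, source = line.split()
    return datetime.fromisoformat(ts), int(eid), account, source

def find_attack_patterns(lines, threshold=5, window_minutes=10):
    """Alert on the slide's direct indicators, and on `threshold` or more
    failed logons for one account within the window followed by a success."""
    window = timedelta(minutes=window_minutes)
    alerts, failures = [], defaultdict(list)
    for ts, eid, account, source in sorted(map(parse, lines)):
        if eid in INDICATOR_IDS:
            alerts.append(f"{ts:%H:%M} {INDICATOR_IDS[eid]} ({eid}) on {source}")
        elif eid in FAILURE_IDS:
            failures[account].append(ts)
        elif eid in SUCCESS_IDS:
            recent = [t for t in failures[account] if ts - t <= window]
            if len(recent) >= threshold:
                alerts.append(f"{ts:%H:%M} {account}: {len(recent)} failed "
                              f"logons then success from {source}")
            failures[account].clear()  # a success ends the current run
    return alerts

# Constructed sample log: one stale failure, a burst of six failures then a
# success (jdoe), two stale failures then a success (asmith), and a lockout.
SAMPLE_LOG = [
    "2003-05-01T09:00:00 529 jdoe WS12",
    "2003-05-01T09:58:00 529 jdoe WS12",
    "2003-05-01T09:58:20 529 jdoe WS12",
    "2003-05-01T09:58:40 531 jdoe WS12",
    "2003-05-01T09:59:00 529 jdoe WS12",
    "2003-05-01T09:59:20 529 jdoe WS12",
    "2003-05-01T09:59:40 529 jdoe WS12",
    "2003-05-01T10:00:10 528 jdoe WS12",
    "2003-05-01T09:30:00 529 asmith WS07",
    "2003-05-01T09:31:00 681 asmith WS07",
    "2003-05-01T10:06:00 540 asmith WS07",
    "2003-05-01T10:05:00 644 bsmith DC1",
]
if __name__ == "__main__":
    print("\n".join(find_attack_patterns(SAMPLE_LOG)))
```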

11
Adjust User Rights
  • Restrict to Administrators, NETWORK SERVICE,
    LOCAL SERVICE
      • Adjust memory quotas

12
Use Deny Rights to Restrict Access
  • Deny logon rights
      • Deny access from network
      • Deny local logon
      • Deny logon as a batch job
      • Deny logon using Terminal Services

13
Do not grant to anyone
  • Act as part of the operating system
  • Debug

14
Restrict to Administrators
  • Right to Restore files and folders
  • Change System Time
  • Allow logon through Terminal Services (on non-Terminal
    Services boxes)

15
Deny Access
  • To the SUPPORT_388945a0 account
      • Access to this computer from the network
      • Logon as a batch job
      • Logon through Terminal Services
  • To non-operating-system service accounts
      • Logon through Terminal Services
      • Access to this computer from the network

16
Adjust Security Options
  • Rename the Administrator and Guest accounts
  • Restrict CD-ROM and floppy access to the locally
    logged-on user
  • Digitally sign network communications
  • Restrict anonymous connections
  • Tighten accessible named pipes/shares
  • Do not store the LAN Manager password hash
  • Use NTLMv2 session security
  • Use NTLMv2 only; refuse LM and NTLM
  • Do not authorize optional subsystems (POSIX)
  • Shutdown: clear the virtual memory page file

17
Manage Event Logs
  • Enlarge all
      • Especially the security log
  • Archive and clear frequently
  • Monitor for sudden increase in size
  • Examine contents looking for attack patterns

18
Manage Services
  • Set permissions: who can start, stop, disable?
  • Don't use domain accounts for services
  • Disable unnecessary services
      • Will vary for each computer role
      • Create a baseline which disables most; enable
        those needed only as necessary

19
Unnecessary services?
  • Baseline
  • Application Layer Gateway Service
  • Application Management
  • ASP .NET State Service
  • Automatic Updates
  • Background Intelligent Transfer Service.
  • Certificate Services
  • Client Service for Netware
  • Clustering Service-
  • COM_System Application
  • DHCP Server
  • Distributed Link Tracking Client.
  • Distributed Link Tracking Server.
  • Distributed Transaction Coordinator
  • DNS Server
  • Error Reporting Service
  • Fax Service
  • File Replication
  • File Server for Macintosh
  • FTP Publishing Service

20
More services you don't need
  • IP Version 6 Helper Service
  • Kerberos Key Distribution Center
  • License Logging Service
  • Message Queuing
  • Message Queuing Down Level Clients
  • Message Queuing Triggers
  • Messenger
  • Microsoft POP3 Service
  • MSSQLUDDI
  • Help and Support
  • HTTP SSL
  • Human Interface Device Access
  • IIS Admin Service
  • IMAPI CD
  • Infrared
  • Internet Authentication Service
  • Internet Connection Firewall
  • Intersite Messaging

21
And More
  • MSSQLServerADHelper
  • .NET Framework Support Service
  • NetMeeting Remote Desktop Sharing
  • Network DDE
  • Network DDE DSDM
  • NNTP
  • Portable Media Serial Number
  • Print Server for Macintosh
  • Print Spooler
  • Remote Access Auto Connection Manager
  • Remote Access Connection Manager
  • Remote Desktop Help Session Manager
  • Remote Installation
  • Remote Procedure Call Locator
  • Remote Server Manager
  • Remote Server Monitor
  • Remote Storage Notification
  • Remote Storage Manager
  • Removable Storage
  • Resultant Set of Policy Provider
  • Routing and Remote Access
  • SAP Agent
  • Secondary Logon

22
And More
  • Shell Hardware Detection
  • SMTP
  • Simple TCP/IP Services
  • Single Instance Storage Groveler
  • Smart Card
  • SNMP Service
  • SNMP Trap Service
  • Special Administration Console Helper
  • SQLAgent
  • Task Scheduler
  • TCP/IP Print Server
  • Telephony
  • Telnet
  • Terminal Services Licensing
  • Terminal Services Session Directory
  • Themes
  • Trivial FTP Daemon
  • UPS
  • Upload manager
  • Virtual Disk Service
  • Web Client
  • Web Element Manager
  • Windows Audio
  • Windows Image Acquisition (WIA)

23
And more
  • WINS
  • Windows Media Services
  • Windows System Resource Manager
  • WinHTTP Web Proxy Auto Discovery service
  • Wireless Configuration
  • World Wide Web Publishing Service

24
Set Restricted Groups
  • Add group
  • Enter authorized members
      • Users added in the normal GUI will be removed if
        not also added here

25
Set Object ACLs, SACLs
  • Use NTFS
  • Set common settings in templates, policies

26
5. Use IPSec Policies
  • File Server Example
      • Block access from all to any port
      • Allow access from any source address to the file
        server for ports 445, 137, 138 and 139
      • Restrict access to Terminal Services (port 3389)
        by allowing access from specific computers (this
        helps to compensate for the blocking of RPC
        traffic used by many management services)
      • Allow all traffic to and from the file server and
        domain controllers
      • Allow traffic between the file server and
        Microsoft Operations Manager (MOM)

27
6. Use Constrained Delegation
  • Only where delegation is required
  • No blanket rights
  • Only for specific services
  • Not for administrator accounts

28
7. Ensure Correct Time
  • NTLMv2 authentication requires client and server
    clocks to be within 30 minutes of each other.
  • Kerberos only allows a 5-minute difference.
  • Event correlation between computers will not be
    possible if there are time differences.
  • Evidence must be correctly identified or it is
    not valid evidence.
  • w32tm /config /syncfromflags:manual
    /manualpeerlist:Peerlist
  • w32tm /config /update

29
8. Set account restrictions
  • Logon hours
  • Logon to
  • Restrict delegation
  • Others

30
  • These accounts have unique SIDs; policy that might
    impact them cannot be centrally set
      • Guest
      • The group Guests
      • SUPPORT_388945a0

31
9. Use Administrative Templates
32
10. Use Certificate Services
  • Key archival for EFS
  • Certificates for smart cards, authentication,
    IPSec, email etc.
  • SSL

33
Bonus - Don't use EFS
  • Unless properly managed
      • Archived keys
      • Recovery policy in place