
Windows Hardening

http://technet.microsoft.com/security/bb977553(en-us).aspx
- Windows XP Security Guide
- Windows Vista Security Guide
- Windows Server 2003 Security Guide
- Windows Server 2008 Security Guide

- The Center for Internet Security (CIS)
- The National Security Agency (NSA)
- The Defense Information Systems Agency (DISA)
- The National Institute of Standards and Technology (NIST)

Microsoft provides guidance for how to help secure our own operating systems. We have developed three levels of security settings:
- Legacy
- Enterprise
- Specialized Security, Limited Functionality

As part of an overall defense in depth approach, including multiple layers of security, Microsoft recommends that you implement server security measures tailored to the role or purpose of each server in your organization.
Vulnerability, risk, and exposure analysis with regard to security informs you of the tradeoffs between security and usability that all computer systems are subject to in a networked environment.

Hardening server systems in three common enterprise environments should be considered:


- one in which older operating systems such as Windows 98 must be supported; the Legacy Client scenario
- one consisting of only Windows 2000 and later operating systems; the Enterprise Client scenario
- one in which concern about security is so high that significant loss of functionality and manageability is considered an acceptable tradeoff to achieve the highest level of security; the High Security scenario

Hardening Procedures

[Diagram labels: Securing Domain Infrastructure; Member Server Baseline Policy; Applied through Incremental Group Policy; Apply to Relevant Servers in your Organization. Server roles shown: Domain Controllers, Infrastructure Servers, File & Print Servers, Internet Information Servers, RADIUS Servers, PKI Servers, Bastion Servers]

Establishing Security Boundaries


Security starts at the domain infrastructure
- Forest vs. Domain
  - True Security Boundary = Forest
  - Domain is a Management Boundary of Well-Meaning Administrators
- Administrative distinctions
  - Enterprise Administrators are just that
  - Delegate administration
- Organizational Unit Structure
  - Structuring Support for Administration & Group Policy

Core Security Template Group Policy for all Member Servers


- Audit Policies
  - Monitor Object Access, Logon & Logoff, Policy Changes
- User Rights Assignment
  - Controlling Server Logons & User Functionality
  - Tip: Use Deny logon from the network to prevent service accounts from logging on remotely
- Security Options
  - Increase LM Compatibility Level, Restrict Anonymous
- Event Logs
  - Setting Log Sizes & Access Permissions
- System Services
  - Disabling or Removing Irrelevant Services
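
An added example, not part of the original slides or of Microsoft's guides: a Python check of an exported security template against the baseline items listed above (audit policy, Deny network logon for service accounts, LM Compatibility Level, Restrict Anonymous). The sample template, the `svc_backup` account name and the minimum registry values are assumptions made for illustration.

```python
import configparser

# Constructed sample in the INF layout that `secedit /export` writes.
SAMPLE_INF = r"""
[Event Audit]
AuditObjectAccess = 3
AuditLogonEvents = 3
AuditPolicyChange = 0
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-32-546
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
"""

LSA = "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\"
# Assumed minimums for illustration; take the real values from your baseline.
MIN_REG = {LSA + "LmCompatibilityLevel": 4, LSA + "RestrictAnonymous": 1}
AUDIT_KEYS = ("AuditObjectAccess", "AuditLogonEvents", "AuditPolicyChange")

def audit_template(inf_text, service_accounts=()):
    """Return findings for the baseline settings named on the slide."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str                  # keep registry paths case-intact
    cp.read_string(inf_text)

    def section(name):
        return cp[name] if cp.has_section(name) else {}

    findings = []
    for key in AUDIT_KEYS:                # 0 = no auditing, 1/2/3 = success/failure/both
        if int(section("Event Audit").get(key, "0")) == 0:
            findings.append(f"{key}: not audited")
    for path, minimum in MIN_REG.items():
        raw = section("Registry Values").get(path)    # "<type>,<value>"
        value = int(raw.split(",", 1)[1]) if raw else None
        if value is None or value < minimum:
            name = path.rsplit("\\", 1)[1]
            findings.append(f"{name}: {value} below {minimum}")
    denied = section("Privilege Rights").get("SeDenyNetworkLogonRight", "")
    denied = {entry.strip().lstrip("*") for entry in denied.split(",")}
    for account in service_accounts:      # hypothetical service account names
        if account not in denied:
            findings.append(f"{account}: not denied network logon")
    return findings
```
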

Most important server role, physical isolation needed
DC baseline policy GP template
- Duplicates most member server policies
- Further lockdown on user rights assignments
- Configure DC specific system services, ensure consistency

Additional security settings
- Relocating DC database and logs
- Increasing event log sizes
- Protecting DNS:
  - Secure dynamic updates
  - Limiting zone transfers
- Blocking ports with IPSec filters
  - Tip: don't forget to configure NoDefaultExempt


- Providing DNS & WINS Services
- Foundation: Member Server Baseline Policy
- Incremental Infrastructure Group Policy
  - Adjusting Infrastructure System Services
- Additional Security Settings
  - Configure DHCP Logging
    - Limit Log Sizes (Registry DWORD Addition)
    - Limit Access Permissions to Administrators
  - Port Blocking with IPSec Filters: Infrastructure Servers
    - Does not Fully Secure System During Startup

File & Print Servers

File & Print Group Policy
- Foundation: Member Server Baseline Policy
- Incremental GP
- Modifying Security Options
  - Print Server: Disable Digital Signing of Communications
- System Service Adjustments
  - File Server: Enable DFS & File Replication
  - Print Server: Enable Print Spooler

Additional Security Settings
- Port Blocking with IPSec Filters
  - Utilize Terminal Services for Remote Management
  - Management Tools May Have Specific Port Needs
    - Example: Microsoft Operations Manager

2004 Microsoft Corporation. All rights reserved.


Internet Information Servers

Secure by default
- IIS is NO LONGER a default installation
- Initial installation is a highly secure locked down configuration

Web server group policy
- Foundation: member server baseline policy
- Modifying system services

IIS
- Installation of required IIS components only
- Enabling essential web service extensions
- Granting web site permissions
- Configuring IIS logging

Additional security settings
- Dedicating a disk for content
- Setting file level permissions
- IPSec port filtering
  - Tip: configure outbound filtering for IIS servers on external interface


PKI Servers

Air gap to root CA paramount to security

PKI group policy
- Foundation: member server baseline policy
- Security options
- Certificate server
- Use FIPS compliant algorithm for encryption, hashing, & signing
- HSM Luna, nCipher
- System service adjustments

Additional security settings
- Setting file system ACLs on certificate server folders
  - Establish file level auditing
- Separating certificate database and logs



Bastion Servers

Servers accessible publicly

Bastion Host group policy
- Rarely domain members: local policy required
- Foundation: member server baseline policy
  - Tip: Deny network logon right to sensitive accounts
- System service adjustments
  - Disabled:
    - Automatic updates & backup intelligent transfer agent
    - DHCP client & netlogon
    - Plug & play
    - Remote administration & registry
    - Server & terminal services

Additional security settings
- Essential network protocols only
  - Disable SMB
  - Disable NetBIOS over TCP/IP


Visit the following Microsoft Web sites to download guides:
- Windows XP Security Guide
- Windows Server 2003 Security Guide
- Windows 2000 Security Hardening Guide

- DCOM Vulnerabilities IPSec Mitigation Tools: This free tool kit contains two IPSec tools to help prevent exploitation of vulnerabilities in DCOM.
- Group Policy Management Console (GPMC) with Service Pack 1: GPMC is a free tool that lets administrators manage Group Policy for multiple domains and sites within one or more forests, all in a simplified user interface (UI) with drag-and-drop support.
- IIS Lockdown Wizard 2.1: IIS Lockdown Wizard is a free tool that works by turning off unnecessary IIS features, thereby reducing attack surface available to attackers.
- ISA Server 2000 Feature Pack 1: ISA Server 2000 Feature Pack 1 delivers enhanced security and ease of use beyond that of traditional firewalls for email server, Web server and Exchange Outlook Web Access (OWA) deployments.
- Microsoft Baseline Security Analyzer (MBSA): MBSA is a free tool that aids in identifying the status of your operating system and application security configuration, including the presence or absence of security updates.
- Microsoft Software Update Services Solution Accelerator: This solution accelerator provides guidance for deploying critical updates and security updates to Microsoft Windows XP, Windows 2000, and Windows Server 2003 operating systems using Microsoft Software Update Services. It describes how Microsoft Software Update Services should be designed and configured to support patch management and provides details of the operational processes and procedures that need to be followed for patch management to be successful.


- MyDoom Worm Cleaner: This free tool removes variants of the MyDoom worm from infected computers. Additionally, it removes associated backdoor components from infected computers.
- Outlook Administrator Pack: You can use the Outlook Administrator Pack to control the types of attached files blocked by Outlook, modify and specify user- or group-security levels. Outlook Administrator Pack is a free tool.
- Security Risk Self-Assessment for Midsize Organizations: This free application is designed to help organizations with fewer than 1,000 employees assess weaknesses in their current IT security environment.
- SQL Critical Update Kit: The SQL Critical Update Kit is a free tool that helps update editions of SQL Server 2000 and MSDE 2000 that are vulnerable to the 'Slammer' worm.
- Systems Management Server 2.0 Software Update Services Feature Pack: The SMS 2.0 Software Update Services Feature Pack contains the following tools: the Security Update Inventory Tool, the Microsoft Office Inventory Tool for Updates, the Distribute Software Updates Wizard, and the SMS Web Reporting Tool with Web Reports Add-in for Software Updates.
- UrlScan 2.5: UrlScan version 2.5 is a free security tool that restricts the types of HTTP requests that Internet Information Services (IIS) will process.
- IIS Lockdown Tool: IIS Lockdown Tool functions by turning off unnecessary features, thereby reducing attack surface available to attackers. To provide in-depth defense or multiple layers of protection against attackers, URLscan, with customized templates for each supported server role, has been integrated into the IIS Lockdown Tool.


Patch management mitigates and lessens the impact from threats in the Window of Exposure

[Figure: timeline, day 0 to day 360. Vulnerability identified; vulnerability verified by vendor (30-90 days); patch developed and released (30-90 days); patch deployed on update servers (30-180 days); information protected. Window of exposure: on average, businesses can be exposed from 90 to 360 days.]


[Figure: timeline, day 0 to day 360. Vulnerability identified; vulnerability verified by Microsoft, February 2003; patch developed and released July 16, 2003 (210 days); Blaster launched August 11, 2003 (16 days); patch deployed (30-180 days); information protected. Window of exposure: most businesses were exposed to the RPC vulnerability (Blaster) for 180-360 days.]


[Figure: timeline, day 0 to day 360. Vulnerability identified; vulnerability verified by Microsoft, October 2003; patch developed and released April 13, 2004 (188 days); Sasser launched May 1, 2004 (18 days); patch deployed (30-180 days); information protected. Window of exposure: most businesses were exposed to the LSASS vulnerability (Sasser) for 190-260 days.]


Microsoft recommends you implement a process for managing and distributing security updates within your organization.

Patch Management:
- Assess
  - Inventory existing computing assets.
  - Assess security threats and vulnerabilities.
  - Determine the best source for information about new software updates.
  - Assess the existing software distribution infrastructure.
  - Assess operational effectiveness.
- Identify
  - The goal for the Identify phase is to:
    - Discover new software updates in a reliable way.
    - Determine whether software updates are relevant to your production environment.
    - Obtain software update source files and confirm that they are safe and will install successfully.
    - Determine whether the software update should be considered a normal change or an emergency, and submit a request for change (RFC) to deploy it. Submitting an RFC is the trigger for the next patch management phase, which is Evaluate and Plan.
- Evaluate and Plan
- Deploy
  - WSUS
  - SMS

(see http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod108.asp for full guidance on Patch Management)


- Helps assess the vulnerability of Windows systems
- Scans for missing security patches / updates and common security misconfigurations
- Scans local or multiple remote systems via GUI or command line invocation
- Scans various versions of Windows, IIS, IE, SQL, Exchange, and other Microsoft applications
- Generates XML scan reports on each scanned system
- Runs on Windows Server 2003, Windows 2000 and Windows XP
- Works with SUS and SMS


Scanning a local machine
- Windows Server 2003, Windows 2000, or Windows XP
- IE v5.01 or greater / XML parser
- Workstation service and Server service

Machine running MBSA that performs remote scans
- Windows Server 2003, Windows 2000, or Windows XP
- IE v5.01 or greater / XML parser
- Workstation service and client for MS networks
- IIS common files if remotely scanning IIS computers

Machine being remotely scanned
- Windows 2000, Windows XP, or Windows Server 2003
- IE v5.01 or greater
- IIS v4.0, 5.0 (required for IIS vulnerability checks)
- SQL 7.0, 2000, MSDE (required for SQL vulnerability checks)
- Microsoft Office 2000, XP, Office 2003 (required for desktop application vulnerability checks)
- Server service, Remote registry service, File & Print Sharing
- User must have local admin rights on computer being scanned


Reports vulnerabilities on:
- Password weaknesses
- Guest account not disabled
- Auditing not configured
- Unnecessary services installed
- IIS vulnerabilities
- IE zone settings
- Automatic Updates configuration
- Internet Connection Firewall configuration

MSSECURE.XML
- An XML file containing the latest security update information, constantly updated by Microsoft
- Contains data about each hotfix, including:
  - Operating system and service pack (SP) applicability.
  - Details about all files in the patch
    - File version
    - File checksum
    - File location
  - Registry key applied by the patch.
  - Patch Superseding information

1. Run MBSA on Admin system, specify targets
2. Downloads CAB file with MSSecure.xml and verifies digital signature
3. Scans target systems for OS, OS components, and applications
4. Parses MSSecure to see if updates are available
5. Checks if required updates are missing
6. Generates time-stamped report of missing updates

[Diagram labels: Download Center, MSSecure.xml, Windows, MBSA Computer]

MBSA and SUS


- Performs security update scan against specified SUS server
  - Reads registry for SUS server info or user specifies this info
  - Reads approveditems.txt file on SUS server via HTTP
  - Looks up approved items in mssecure.xml file
  - Performs scan against appropriate patches in mssecure.xml
- CMD LINE execution:
    mbsacli.exe /sus http://mysusserver
    mbsacli.exe /hf /sus http://mysusserver

MBSA v1.2
- Additional Language Support
- Additional Product Support
  - Exchange Server 2003, Microsoft Office (local scans only), MDAC v2.5-2.8, MVM, MSXML, BizTalk Server, Commerce Server, Content Management Server, SNA Server, HIS
- Alternate File Support
  - QFE vs GDR release of a security update
  - Multi-processor vs uni-processor release of a security update
  - Non-security bulletin updates to security bulletin updates
  - Revised (updated) security bulletins
  - Previous versions of MBSA reported these updates with a yellow X, with a warning message "file version greater than expected"
- Check for New Version of MBSA
- Additional Windows Vulnerabilities Checks
- Custom IE Zones Interpretation
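
An added example, not MBSA's own code: a Python sketch of the scan logic described in the MSSECURE.XML, scan-flow and Alternate File Support slides above (applicability by OS and service pack, file version comparison, supersedence, and the "file version greater than expected" case). The catalogue is a constructed, simplified stand-in and not the real MSSecure.xml schema; the update ids, file names and versions are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed catalogue: a simplified stand-in, not the real MSSecure.xml schema.
CATALOG = """<updates>
 <update id="EX-001" os="Windows 2000" sp="4" supersededBy="EX-003">
  <file path="system32/legacy.dll" version="5.0.2195.6601"/></update>
 <update id="EX-002" os="Windows 2000" sp="4">
  <file path="system32/other.dll" version="5.0.2195.6700"/></update>
 <update id="EX-003" os="Windows 2000" sp="4">
  <file path="system32/example.dll" version="5.0.2195.6824"/></update>
 <update id="EX-004" os="Windows XP" sp="1">
  <file path="system32/example.dll" version="5.1.2600.1106"/></update>
</updates>"""

# Constructed inventory of one scanned host (file path -> installed version).
HOST = {"os": "Windows 2000", "sp": "4", "files": {
    "system32/legacy.dll": "5.0.2195.6000",
    "system32/other.dll": "5.0.2195.6500",
    "system32/example.dll": "5.0.2195.6900"}}

def vtuple(version):
    return tuple(int(part) for part in version.split("."))

def scan(catalog_xml, host):
    """Return {update id: status} for the updates applicable to this host."""
    updates = {u.get("id"): u for u in ET.fromstring(catalog_xml).iter("update")}
    status = {}
    for uid, upd in updates.items():
        if (upd.get("os"), upd.get("sp")) != (host["os"], host["sp"]):
            continue                      # OS / service pack applicability
        state = "installed"
        for f in upd.iter("file"):
            have = vtuple(host["files"].get(f.get("path"), "0"))
            want = vtuple(f.get("version"))
            if have < want:
                state = "missing"         # absent or older than the patched file
                break
            if have > want:               # e.g. a QFE build of the same fix
                state = "installed (file version greater than expected)"
        status[uid] = state
    for uid in status:                    # follow supersededBy chains
        nxt, seen = updates[uid].get("supersededBy"), set()
        while status[uid] == "missing" and nxt in status and nxt not in seen:
            seen.add(nxt)
            if status[nxt] != "missing":
                status[uid] = "superseded"
            nxt = updates[nxt].get("supersededBy")
    return status
```
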

Microsoft security risk self assessment tool


- Free Microsoft risk-assessment tool designed to provide information and recommendations about best practices for security within an IT infrastructure
- The application is designed for organizations with 50 to 500 desktops and/or 100 to 1,000 employees
- The risk assessment is based on accepted standards and best practices for helping reduce risk in IT environments. It uses the "Defense-in-Depth" concept
- Available for download at http://www.securityguidance.com
- Works with Windows 2000 and XP


Microsoft security risk self assessment tool


- Interviews user about security policy and operations
- Compares scores obtained in assessment to industry averages
- Creates two assessment reports:
  - Business Risk Profile: assesses risks a company in your industry faces
  - Risk Assessment: rates your company's risk and security practices as compared to industry averages
- Uploads results to common database for industry comparison

Microsoft Security Risk Self Assessment Tool


- Always get approval of management before running assessment
- Consider potential side effects of running assessment tool, which may cause computer lockouts and network bandwidth problems, on production computers during business hours
- Run on regularly scheduled basis.
- Use comparative results between assessments as an empirical measurement of improving security policies and procedures
- Never run without first alerting end-users