Enterprise Windows Decisions 2003
Transcript Enterprise Windows Decisions 2003
Hosted by
10 Best Practices for Windows Security
How many of them are you doing?
Roberta Bragg
HCWT
1. Keep Systems up to date
CERT and others: 90 – 95% of successful attacks could be prevented with up-to-date systems
Every single attack in Hacking Exposed is balanced with a configuration or patch already in existence
Many world-wide security attacks would not have been successful if systems were updated
How to Keep Systems Up-to-Date
Apply service packs
Apply hotfixes
Use automated patch distribution
• 0 – 50 users: use Windows Update. Apply Service Pack 3 to Windows 2000 and configure it; configure XP
• 50 – 500 users: use Software Update Services. Download free from Microsoft, install and configure; configure clients
• 500+ users: use the Software Update Services Feature Pack and SMS. Download the Feature Pack (free to licensed SMS users); configure for automated update and auditing
2. Follow Microsoft advice for hardening systems
Checklists, security templates, instructions abound! Use them!
Many successful attacks could have been prevented by using these instructions.
What Microsoft Advice?
Windows Security Checklists: www.microsoft.com/security
Windows Server 2003 Security Guide: http://go.microsoft.com/fwlink/?LinkId=14845
Windows 2000 Security Operations Guide (and other prescriptive guidance documents): http://msdn.microsoft.com/practices/
3. Use Native Security Tools
For deploying security settings
• Security Templates
• secedit
• Security Configuration and Analysis
• Group Policy
To secure systems
• Software Restriction Policies
• Password reset disks
• Authorization Manager
4. Design a Baseline Policy
Auditing
Services
Accounts
Security Options
User Rights
Then design incremental policies for computer and user roles in your network
Strengthen passwords
Teach users how to make strong passwords
Write your own passfilt.dll
• KB article 151082, “Password Change Filtering & Notification in Windows NT”
Enforce stronger restrictions
Audit password strength periodically
• Use LC4
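A custom passfilt.dll is a native DLL that exports PasswordFilter() and returns TRUE or FALSE for each proposed password. The Python below is an added example, not code from the deck or from Microsoft: it models the policy decision such a filter would make (minimum length, three of four character classes, no account-name or full-name fragment in the password) so the rules can be tested on sample input before being compiled into a filter. The thresholds MIN_LENGTH and MIN_CLASSES and the sample accounts are assumptions, not values from the slide.

```python
"""Model of the accept/reject rule a custom passfilt.dll might enforce.

Added example; not the deck's or Microsoft's code. A real filter is a
native DLL exporting PasswordFilter(); this reproduces only the policy
decision. MIN_LENGTH and MIN_CLASSES are assumed values.
"""
import string

MIN_LENGTH = 8    # assumption: minimum length the filter demands
MIN_CLASSES = 3   # assumption: at least 3 of the 4 character classes

CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def classes_present(password):
    """Names of the character classes that occur in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def contains_token(password, account_name, full_name):
    """True if the password contains the account name or any word of the
    full name that is 3+ characters long, compared case-insensitively."""
    pw = password.lower()
    tokens = [account_name.lower()]
    tokens += [t.lower() for t in full_name.replace(",", " ").split()]
    return any(len(t) >= 3 and t in pw for t in tokens)


def password_filter(account_name, full_name, password):
    """Return (accepted, reasons). Mirrors the shape of PasswordFilter():
    an empty reasons list means the password is accepted."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(classes_present(password)) < MIN_CLASSES:
        reasons.append(f"fewer than {MIN_CLASSES} character classes")
    if contains_token(password, account_name, full_name):
        reasons.append("contains account name or part of full name")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample accounts and candidate passwords.
    for account, full, pw in [("jsmith", "John Smith", "Tr0ub4dor&3"),
                              ("jsmith", "John Smith", "smith1234!"),
                              ("bjones", "Bob Jones", "password")]:
        print(account, repr(pw), password_filter(account, full, pw))
```

Run the checks against a list of candidate passwords before deploying a compiled filter; a rejection reason list makes it easy to explain to users why a password was refused, which supports the "teach users" point above.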
Turn on Auditing – Review Logs
Monitor for attack indicators
• 643 domain policy changed
• 644 user account locked out
• 675 pre-authentication failed
• 681 domain logon failure
• 529, 530, 531, 532, 533, 534, 535, 539, 548, 549 logon failure
Monitor for attack patterns
• Large number of failed logons, then success
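The pattern named on the slide, a run of failed logons for one account followed by a success, is the one most worth automating. The following is an added example, not from the deck: it walks constructed Security-log records carrying the pre-Vista event IDs listed above, keeps a sliding window of failures per account, and raises an alert when a successful logon (528 or 540) arrives after at least FAIL_THRESHOLD failures inside WINDOW. The threshold, the window, and the sample records are assumptions.

```python
"""Detect 'many failed logons, then success' in Security log records.

Added example, not from the original deck. SAMPLE_EVENTS are constructed
records shaped like Windows 2000/2003 Security log entries; the 4-failure
threshold and 10-minute window are assumed values.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON_IDS = {529, 530, 531, 532, 533, 534, 535, 539, 548, 549, 675, 681}
SUCCESS_LOGON_IDS = {528, 540}   # 528 successful logon, 540 successful network logon
LOCKOUT_ID = 644                 # user account locked out
POLICY_CHANGE_ID = 643           # domain policy changed

FAIL_THRESHOLD = 4               # assumption
WINDOW = timedelta(minutes=10)   # assumption

# Constructed sample: (timestamp, event id, account, source workstation)
SAMPLE_EVENTS = [
    ("2003-06-10 02:01:00", 529, "jsmith", "WKS17"),
    ("2003-06-10 02:01:05", 529, "jsmith", "WKS17"),
    ("2003-06-10 02:01:10", 529, "jsmith", "WKS17"),
    ("2003-06-10 02:01:15", 529, "jsmith", "WKS17"),
    ("2003-06-10 02:01:20", 528, "jsmith", "WKS17"),
    ("2003-06-10 09:15:00", 529, "bjones", "WKS22"),   # one typo, then success: benign
    ("2003-06-10 09:20:00", 528, "bjones", "WKS22"),
    ("2003-06-10 11:00:00", 643, "SYSTEM", "DC1"),
]


def parse(record):
    ts, event_id, account, source = record
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event_id, account, source


def find_attack_patterns(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of alert dicts.

    brute_force_success: >= threshold failures for an account within `window`,
    then a successful logon for that account.
    lockout: any 644.  policy_change: any 643.
    """
    alerts = []
    recent_failures = defaultdict(deque)   # account -> failure timestamps in window
    for ts, event_id, account, source in sorted(map(parse, events)):
        q = recent_failures[account]
        while q and ts - q[0] > window:    # drop failures that fell out of the window
            q.popleft()
        if event_id in FAILED_LOGON_IDS:
            q.append(ts)
        elif event_id in SUCCESS_LOGON_IDS:
            if len(q) >= threshold:
                alerts.append({"type": "brute_force_success", "account": account,
                               "source": source, "failures": len(q), "at": ts})
            q.clear()                      # a success ends the current run
        elif event_id == LOCKOUT_ID:
            alerts.append({"type": "lockout", "account": account, "at": ts})
        elif event_id == POLICY_CHANGE_ID:
            alerts.append({"type": "policy_change", "source": source, "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in find_attack_patterns(SAMPLE_EVENTS):
        print(alert)
```

The records are sorted before scanning so logs exported from several machines can be merged; that only works when their clocks agree, which is the reason practice 7 below matters for log review.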
Adjust User Rights
Restrict to Administrators, NETWORK SERVICE, LOCAL SERVICE:
• Adjust memory quotas
Use deny rights to restrict access
Deny logon rights:
• Deny access from network
• Deny local logon
• Deny logon as a batch job
• Deny logon using Terminal Services
Do not grant to anyone:
• Act as part of the operating system
• Debug programs
Restrict to Administrators:
• Right to restore files and folders
• Change system time
• Allow logon to Terminal Services (on non-Terminal Services boxes)
Deny access
To the SUPPORT_388945a0 account:
• To computer from network
• Logon as a batch job
• Logon through Terminal Services
To non-operating-system service accounts:
• Logon through Terminal Services
• To computer from network
Adjust Security Options
Rename the Administrator and Guest accounts
Restrict CD-ROM and floppy access to the locally logged-on user
Digitally sign network communications
Restrict anonymous connections
Tighten accessible named pipes and shares
Do not store the LAN Manager password hash
Use NTLMv2 session security
Use NTLMv2 only; refuse LM and NTLM
Do not authorize subsystems (POSIX)
Shutdown: clear the memory page file
Manage Event Logs
Enlarge all, especially the security log
Archive and clear frequently
Monitor for sudden increase in size
Examine contents looking for attack patterns
Manage Services
Set permissions: who can start, stop, disable?
Don’t use domain accounts for services
Disable unnecessary services
• Will vary for each computer role
• Create a baseline which disables most; enable those needed only as necessary
Unnecessary services?
Baseline:
Application Layer Gateway Service
Application Management
ASP.NET State Service
Automatic Updates
Background Intelligent Transfer Service
Certificate Services
Client Service for NetWare
Clustering Service*
COM+ System Application
DHCP Server
Distributed Link Tracking Client
Distributed Link Tracking Server
Distributed Transaction Coordinator
DNS Server
Error Reporting Service
Fax Service
File Replication
File Server for Macintosh
FTP Publishing Service
More services you don’t need
Help and Support
HTTP SSL
Human Interface Device Access
IIS Admin Service
IMAPI CD
Infrared
Internet Authentication Service
Internet Connection Firewall
Intersite Messaging
IP Version 6 Helper Service
Kerberos Key Distribution Center
License Logging Service
Message Queuing
Message Queuing Down Level Clients
Message Queuing Triggers
Messenger
Microsoft POP3 Service
MSSQL$UDDI
And More…
MSSQLServerADHelper
.NET Framework Support Service
NetMeeting Remote Desktop Sharing
Network DDE
Network DDE DSDM
NNTP
Portable Media Serial Number
Print Server for Macintosh
Print Spooler
Remote Access Auto Connection Manager
Remote Access Connection Manager
Remote Desktop Help Session Manager
Remote Installation
Remote Procedure Call Locator
Remote Server Manager
Remote Server Monitor
Remote Storage Manager
Remote Storage Notification
Removable Storage
Resultant Set of Policy Provider
Routing and Remote Access
SAP Agent
Secondary Logon
And More
Shell Hardware Detection
Simple TCP/IP Services
Single Instance Storage Groveler
Smart Card
SMTP
SNMP Service
SNMP Trap Service
Special Administration Console Helper
SQLAgent$
Task Scheduler
TCP/IP Print Server
Telephony
Telnet
Terminal Services Licensing
Terminal Services Session Directory
Themes
Trivial FTP Daemon
Upload Manager
UPS
Virtual Disk Service
Web Client
Web Element Manager
Windows Audio
Windows Image Acquisition (WIA)
And more…
Windows Media Services
Windows System Resource Manager
WinHTTP Web Proxy Auto-Discovery Service
WINS
Wireless Configuration
World Wide Web Publishing Service
Set Restricted Groups
Add group
Enter authorized members
Users added in the normal GUI will be removed if not also added here
Set Object ACLs, SACLs
Use NTFS
Set common settings in templates, policies
5. Use IPSec Policies
File Server Example
Block access from all to any port
Allow access from any source address to the file server for ports 445, 137, 138 and 139
Restrict access to Terminal Services (port 3389) by allowing access from specific computers (this helps to compensate for the blocking of RPC traffic used by many management services)
Allow all traffic to and from the file server and domain controllers
Allow traffic between the file server and Microsoft Operations Manager (MOM)
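The file server example only works because Windows IPSec gives a filter that names a specific address or port precedence over a more general one, so the "block all" filter acts as the fallback rather than swallowing the permits. The following is an added example, not from the deck or from Microsoft: it encodes the five filters from the slide and applies that most-specific-match rule to sample inbound traffic, so the policy can be checked before it is assigned. The addresses for the file server, domain controllers, MOM server and the administrator workstations allowed to reach port 3389 are constructed placeholders.

```python
"""Model of the file-server IPSec policy described on the slide.

Added example, not the deck's or Microsoft's code. It reproduces the
Windows IPSec precedence rule that a more specific filter wins over a
general one. All addresses are constructed placeholders.
"""
from typing import FrozenSet, NamedTuple, Optional

FILE_SERVER = "10.0.0.10"                     # placeholder
DOMAIN_CONTROLLERS = {"10.0.0.1", "10.0.0.2"}  # placeholders
MOM_SERVER = "10.0.0.50"                      # placeholder
ADMIN_WORKSTATIONS = {"10.0.1.5", "10.0.1.6"}  # placeholders: allowed to use RDP


class Filter(NamedTuple):
    name: str
    action: str                        # "permit" or "block"
    src: Optional[FrozenSet[str]]      # None = any source address
    ports: Optional[FrozenSet[int]]    # None = any destination port

    def matches(self, src, port):
        return ((self.src is None or src in self.src)
                and (self.ports is None or port in self.ports))

    def specificity(self):
        # A filter naming a specific address and/or port outranks a general one.
        return int(self.src is not None) + int(self.ports is not None)


# The five filters from the slide, in the order the slide lists them.
FILE_SERVER_POLICY = [
    Filter("block all", "block", None, None),
    Filter("SMB/NetBIOS from any", "permit", None, frozenset({445, 137, 138, 139})),
    Filter("RDP from admin workstations", "permit",
           frozenset(ADMIN_WORKSTATIONS), frozenset({3389})),
    Filter("all traffic with domain controllers", "permit",
           frozenset(DOMAIN_CONTROLLERS), None),
    Filter("all traffic with MOM", "permit", frozenset({MOM_SERVER}), None),
]


def decide(policy, src, port):
    """Return (action, filter name) for inbound traffic to the file server.
    Among matching filters the most specific one is applied; with this
    policy every tie is between permits, so ties never change the outcome."""
    candidates = [f for f in policy if f.matches(src, port)]
    best = max(candidates, key=lambda f: f.specificity())
    return best.action, best.name


if __name__ == "__main__":
    # Constructed sample traffic: (source address, destination port)
    for src, port in [("192.168.5.5", 445), ("192.168.5.5", 3389),
                      ("10.0.1.5", 3389), ("10.0.0.1", 135), ("192.168.5.5", 135)]:
        print(src, port, decide(FILE_SERVER_POLICY, src, port))
```

Checking the unexpected cases is the point: RPC (port 135) from a domain controller is permitted by the domain-controller filter, while the same port from an arbitrary host falls through to "block all", which is exactly the management-traffic gap the slide's Terminal Services filter compensates for.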
6. Use Constrained Delegation
Only where delegation is required
No blanket rights
Only for specific services
Not for administrator accounts
7. Ensure Correct Time
• NTLMv2 authentication requires client and server clocks to be within 30 minutes of each other.
• Kerberos only allows a 5 minute difference.
• Event correlation between computers will not be possible if there are time differences.
• Evidence must be correctly identified or it is not valid evidence.
w32tm /config /syncfromflags:manual /manualpeerlist:Peerlist
w32tm /config /update
(Peerlist stands for your list of time sources.)
8. Set account restrictions
• Logon hours
• Logon to
• Restrict delegation
• others
Accounts have unique SIDs; policy that might impact these accounts cannot be centrally set:
• Guest
• the group Guests
• SUPPORT_388945a0
9. Use Administrative Templates
10. Use Certificate Services
Key archival for EFS
Certificates for smart cards, authentication, IPSec, email etc.
SSL
Bonus - Don’t use EFS
Unless properly managed:
Archived keys
Recovery policy in place