Enterprise Windows Decisions 2003

Transcript: Enterprise Windows Decisions 2003

Hosted by

10 Best Practices for Windows Security
How many of them are you doing?
Roberta Bragg
HCWT
1. Keep Systems Up to Date
• CERT and others: 90 – 95% of successful attacks could be prevented with up-to-date systems
• Every single attack in Hacking Exposed is balanced with a configuration or patch already in existence
• Many world-wide security attacks would not have been successful if systems had been updated

How to Keep Systems Up to Date
• Apply Service Packs
• Apply Hotfixes
• Use automated patch distribution
  • 0 – 50 users: use Windows Update
    • Apply Service Pack 3 to Windows 2000 and configure
    • Configure XP
  • 50 – 500 users: use Software Update Services
    • Download free from Microsoft, install and configure
    • Configure clients
  • 500+ users: use the Software Update Services Feature Pack and SMS
    • Download the Feature Pack (free to licensed SMS users)
    • Configure for automated update and auditing
2. Follow Microsoft Advice for Hardening Systems
• Checklists, security templates, instructions abound!
• Use them!
• Many successful attacks could have been prevented by using these instructions.

What Microsoft Advice?
• Windows Security Checklists: www.microsoft.com/security
• Windows Server 2003 Security Guide: http://go.microsoft.com/fwlink/?LinkId=14845
• Windows 2000 Security Operations Guide (and other prescriptive guidance documents): http://msdn.microsoft.com/practices/
3. Use Native Security Tools
• For deploying security settings
  • Security Templates
  • secedit
  • Security Configuration and Analysis
  • Group Policy
• To secure systems
  • Software Restriction Policies
  • Password reset disks
  • Authorization Manager
4. Design a Baseline Policy
• Auditing
• Services
• Accounts
• Security Options
• User Rights
• Then design incremental policies for computer and user roles in your network
Strengthen Passwords
• Teach users how to make strong passwords
• Write your own passfilt.dll
  • KB article 151082, “Password Change Filtering & Notification in Windows NT”
  • Enforce stronger restrictions
• Audit password strength periodically
  • Use LC4

Hosted by
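The decision logic a custom passfilt.dll would implement, modelled in Python as an added example (not the deck's code and not Microsoft's filter). The length, denylist and distinct-character thresholds are assumptions chosen to illustrate "enforce stronger restrictions" on top of the built-in complexity rules.

```python
"""Decision logic of a custom password filter, modelled in Python.

A real filter is a DLL exporting PasswordFilter(AccountName, FullName,
Password, SetOperation) and returning TRUE to accept the password. This
keeps the built-in rules (3 of 4 character classes, no fragments of the
account or full name) and adds stricter site rules whose values are assumptions.
"""
import re

MIN_LENGTH = 14          # assumption: stricter than the built-in minimum of 6
MIN_CLASSES = 3          # built-in passfilt rule: 3 of the 4 classes below
DENYLIST = ("password", "qwerty", "letmein", "welcome")   # assumed site list
_CLASSES = (re.compile(r"[A-Z]"), re.compile(r"[a-z]"),
            re.compile(r"[0-9]"), re.compile(r"[^A-Za-z0-9]"))


def _name_tokens(account_name, full_name):
    """Name fragments of 3+ characters that the password must not contain."""
    parts = re.split(r"[\s,.\-_]+", f"{account_name} {full_name}")
    return {p.lower() for p in parts if len(p) >= 3}


def password_filter(account_name, full_name, password):
    """Return (accepted, reason), mirroring PasswordFilter's TRUE/FALSE result."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if sum(1 for c in _CLASSES if c.search(password)) < MIN_CLASSES:
        return False, f"fewer than {MIN_CLASSES} character classes"
    lowered = password.lower()
    for token in _name_tokens(account_name, full_name):
        if token in lowered:
            return False, f"contains name fragment '{token}'"
    for word in DENYLIST:
        if word in lowered:
            return False, f"contains denylisted word '{word}'"
    if len(set(lowered)) < 4:        # assumption: reject near-repeats such as "aaaa..."
        return False, "too few distinct characters"
    return True, "ok"
```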
Turn on Auditing – Review Logs
• Monitor for attack indicators
  • 643 domain policy changed
  • 644 user account locked
  • 675 pre-authentication failed
  • 681 domain logon failure
  • 529, 530, 531, 532, 533, 534, 535, 539, 548, 549 logon failure
• Monitor for attack patterns
  • Large number of failed logons, then success

Hosted by
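Detection logic for the indicators and the "many failures, then success" pattern above, run over constructed Security-log records; this is an added example, not the deck's material, and the sample lines, the simplified "timestamp,event id,account,source" record shape and the threshold/window values are assumptions.

```python
"""Scan Security-log records for the slide's attack indicators and for the
pattern "many failed logons, then a success". The records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

INDICATOR_IDS = {643: "domain policy changed", 644: "user account locked",
                 675: "pre-authentication failed", 681: "domain logon failure"}
FAILURE_IDS = {529, 530, 531, 532, 533, 534, 535, 539, 548, 549, 675, 681}
SUCCESS_IDS = {528, 540}   # successful logon / successful network logon

SAMPLE = [  # constructed: a guessing run against Administrator, then a hit
    "2003-06-10 02:00:01,529,Administrator,WKS17",
    "2003-06-10 02:00:05,529,Administrator,WKS17",
    "2003-06-10 02:00:09,529,Administrator,WKS17",
    "2003-06-10 02:00:14,529,Administrator,WKS17",
    "2003-06-10 02:00:20,529,Administrator,WKS17",
    "2003-06-10 02:00:40,529,Administrator,WKS17",
    "2003-06-10 02:01:05,528,Administrator,WKS17",
    "2003-06-10 08:15:00,529,asmith,WKS03",      # one typo, then success
    "2003-06-10 08:15:30,528,asmith,WKS03",
    "2003-06-10 09:02:11,644,jdoe,WKS09",
    "2003-06-10 11:30:00,643,SYSTEM,DC1",
]


def parse(line):
    """Split one constructed record into (timestamp, event id, account, source)."""
    ts, eid, account, source = line.split(",")
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), account.lower(), source


def find_indicators(lines):
    """(event id, description, account) for each single-event indicator."""
    return [(eid, INDICATOR_IDS[eid], acct)
            for _, eid, acct, _ in map(parse, lines) if eid in INDICATOR_IDS]


def find_failure_then_success(lines, threshold=5, window=timedelta(minutes=10)):
    """Accounts with >= threshold failures inside `window` followed by a success."""
    recent = defaultdict(list)        # account -> timestamps of recent failures
    alerts = []
    for ts, eid, account, source in sorted(map(parse, lines)):
        if eid in FAILURE_IDS:
            recent[account] = [t for t in recent[account] if ts - t <= window] + [ts]
        elif eid in SUCCESS_IDS:
            fails = [t for t in recent[account] if ts - t <= window]
            if len(fails) >= threshold:
                alerts.append((account, source, len(fails), ts))
            recent[account].clear()
    return alerts
```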
Adjust User Rights
• Restrict to Administrators, NETWORK SERVICE, LOCAL SERVICE
  • Adjust memory quotas

Use Deny Rights to Restrict Access
• Deny logon rights
  • Deny access to this computer from the network
  • Deny logon locally
  • Deny logon as a batch job
  • Deny logon through Terminal Services

Do not grant to anyone:
• Act as part of the operating system
• Debug programs

Restrict to Administrators
• Restore files and folders
• Change the system time
• Allow logon to Terminal Services (on non-Terminal Services boxes)

Deny access
• To the SUPPORT_388945a0 account
  • Access this computer from the network
  • Logon as a batch job
  • Logon through Terminal Services
• To non-operating-system service accounts
  • Logon through Terminal Services
  • Access this computer from the network
Adjust Security Options
• Rename the Administrator and Guest accounts
• Restrict CD-ROM and floppy access to the locally logged-on user
• Digitally sign network communications
• Restrict anonymous connections
• Tighten accessible named pipes and shares
• Do not store the LAN Manager password hash
• Use NTLMv2 session security
• Use NTLMv2 only; refuse LM and NTLM
• Do not authorize subsystems (POSIX)
• Clear the virtual memory page file at shutdown
Manage Event Logs
• Enlarge all logs
  • Especially the security log
• Archive and clear frequently
• Monitor for a sudden increase in size
• Examine contents looking for attack patterns

Manage Services
• Set permissions: who can start, stop, disable?
• Don’t use domain accounts for services
• Disable unnecessary services
  • Will vary for each computer role
  • Create a baseline which disables most; enable those needed only as necessary

Unnecessary services? Baseline:
• Application Layer Gateway Service
• Application Management
• ASP .NET State Service
• Automatic Updates
• Background Intelligent Transfer Service
• Certificate Services
• Client Service for NetWare
• Clustering Service*
• COM+ System Application
• DHCP Server
• Distributed Link Tracking Client
• Distributed Link Tracking Server
• Distributed Transaction Coordinator
• DNS Server
• Error Reporting Service
• Fax Service
• File Replication
• File Server for Macintosh
• FTP Publishing Service
• Help and Support
• HTTP SSL
• Human Interface Device Access
• IIS Admin Service
• IMAPI CD
• Infrared
• Internet Authentication Service
• Internet Connection Firewall
• Intersite Messaging
• IP Version 6 Helper Service
• Kerberos Key Distribution Center
• License Logging Service
• Message Queuing
• Message Queuing Down Level Clients
• Message Queuing Triggers
• Messenger
• Microsoft POP3 Service
• MSSQL$UDDI
• MSSQLServerADHelper
• .NET Framework Support Service
• NetMeeting Remote Desktop Sharing
• Network DDE
• Network DDE DSDM
• NNTP
• Portable Media Serial Number
• Print Server for Macintosh
• Print Spooler
• Remote Access Auto Connection Manager
• Remote Access Connection Manager
• Remote Desktop Help Session Manager
• Remote Installation
• Remote Procedure Call Locator
• Remote Server Manager
• Remote Server Monitor
• Remote Storage Manager
• Remote Storage Notification
• Removable Storage
• Resultant Set of Policy Provider
• Routing and Remote Access
• SAP Agent
• Secondary Logon
• Shell Hardware Detection
• Simple TCP/IP Services
• Single Instance Storage Groveler
• Smart Card
• SMTP
• SNMP Service
• SNMP Trap Service
• Special Administration Console Helper
• SQLAgent$
• Task Scheduler
• TCP/IP Print Server
• Telephony
• Telnet
• Terminal Services Licensing
• Terminal Services Session Directory
• Themes
• Trivial FTP Daemon
• Upload Manager
• UPS
• Virtual Disk Service
• Web Client
• Web Element Manager
• Windows Audio
• Windows Image Acquisition (WIA)
• Windows Media Services
• Windows System Resource Manager
• WinHTTP Web Proxy Auto-Discovery Service
• WINS
• Wireless Configuration
• World Wide Web Publishing Service
Set Restricted Groups
• Add the group
• Enter authorized members
• Users added in the normal GUI will be removed if not also added here

Set Object ACLs, SACLs
• Use NTFS
• Set common settings in templates and policies
5. Use IPSec Policies
• File Server Example
  • Block access from all to any port
  • Allow access from any source address to the file server for ports 445, 137, 138 and 139
  • Restrict access to Terminal Services (port 3389) by allowing access only from specific computers (this helps to compensate for the blocking of RPC traffic used by many management services)
  • Allow all traffic to and from the file server and domain controllers
  • Allow traffic between the file server and Microsoft Operations Manager (MOM)

Hosted by
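A model of the file-server policy above that shows why the blanket block and the narrower permits can coexist: Windows IPSec applies the most specific matching filter rather than the first one listed. This is an added example, not the deck's material and not a real IPSec tool; the addresses, the DC subnet, the MOM server and the admin stations are constructed placeholders.

```python
"""Model of the slide's file-server IPSec policy (added example, not a
real IPSec tool). Windows IPSec applies the most specific matching filter,
not the first one listed; the score in _match reproduces that. Addresses
are constructed placeholders."""
from ipaddress import IPv4Address, IPv4Network

FILE_SERVER = IPv4Address("192.0.2.10")
DOMAIN_CONTROLLERS = IPv4Network("192.0.2.32/28")  # assumed DC subnet
MOM_SERVER = IPv4Address("192.0.2.50")             # assumed MOM server
ADMIN_STATIONS = {IPv4Address("192.0.2.100"), IPv4Address("192.0.2.101")}
SMB_PORTS = {445, 137, 138, 139}

# Filter list from the slide: "any" matches everything; a set, network or
# single address narrows the match and raises the specificity score.
POLICY = [
    {"name": "block all", "src": "any", "dst": "any", "port": "any", "action": "block"},
    {"name": "smb", "src": "any", "dst": FILE_SERVER, "port": SMB_PORTS, "action": "permit"},
    {"name": "rdp admins", "src": ADMIN_STATIONS, "dst": FILE_SERVER, "port": {3389}, "action": "permit"},
    {"name": "dc traffic", "src": DOMAIN_CONTROLLERS, "dst": FILE_SERVER, "port": "any", "action": "permit"},
    {"name": "mom", "src": MOM_SERVER, "dst": FILE_SERVER, "port": "any", "action": "permit"},
]


def _field_matches(want, have):
    """One filter field: wildcard, membership in a set/network, or equality."""
    if want == "any":
        return True
    if isinstance(want, (set, IPv4Network)):
        return have in want
    return have == want


def _match(filt, src, dst, port):
    """Return a specificity score (0-3) if the filter matches, else None."""
    score = 0
    for want, have in ((filt["src"], src), (filt["dst"], dst), (filt["port"], port)):
        if not _field_matches(want, have):
            return None
        if want != "any":
            score += 1
    return score


def decide(src, dst, port):
    """Action and name of the most specific filter matching an inbound packet."""
    best_score, best = -1, None
    for filt in POLICY:
        score = _match(filt, src, dst, port)
        if score is not None and score > best_score:
            best_score, best = score, filt
    return best["action"], best["name"]
```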
6. Use Constrained Delegation
• Only where delegation is required
• No blanket rights
• Only for specific services
• Not for administrator accounts

7. Ensure Correct Time
• NTLMv2 authentication requires client and server clocks to be within 30 minutes of each other.
• Kerberos only allows a 5-minute difference.
• Event correlation between computers will not be possible if there are time differences.
• Evidence must be correctly identified or it is not valid evidence.

w32tm /config /syncfromflags:manual /manualpeerlist:Peerlist
w32tm /config /update
8. Set Account Restrictions
• Logon hours
• Logon To
• Restrict delegation
• Others

• These accounts have unique SIDs; policy that might impact them cannot be centrally set
  • Guest
  • the group Guests
  • SUPPORT_388945a0

9. Use Administrative Templates

10. Use Certificate Services
• Key archival for EFS
• Certificates for smart cards, authentication, IPSec, email etc.
• SSL

Bonus – Don’t Use EFS
• Unless properly managed
  • Archived keys
  • Recovery policy in place