NIST Recommendations for
System Administrators for
Securing Windows 2000
Professional
Tony Harris, Booz Allen
Murugiah Souppaya, NIST
Outline
Introduction
Why we did it
General hardening principles
Securing Windows 2000 Professional
Securing popular applications
NIST Template
Contact information
National Institute of Standards and Technology
NIST’s mission is to develop and promote
measurement, standards, and technology
to enhance productivity, facilitate trade,
and improve the quality of life.
NIST Assets Include:
3,000 employees
1,600 guest researchers
$760 million annual budget
NIST Laboratories -- National
measurement standards
Advanced Technology Program -- $570 million current R&D
partnerships with industry
Manufacturing Extension Partnership -- 400 centers nationwide to
help small manufacturers
Baldrige National Quality Award
NIST Measurement and Standards Laboratories
NIST Mandate for Computer Security
Develop standards and guidelines for the
Federal government
Contribute to improving the security of
commercial IT products and strengthening
the security of users’ systems and
infrastructures
Computer Security Division Mission
To improve information systems security by:
raising awareness of IT risks, vulnerabilities and protection
requirements, particularly for new and emerging technologies;
researching, studying, and advising agencies of IT vulnerabilities
and devising techniques for the cost-effective security and privacy of
sensitive Federal systems;
developing standards, metrics, tests and validation programs:
to promote, measure, and validate security in systems and services
to educate consumers
to establish minimum security requirements for Federal systems
developing guidance to increase secure IT planning, implementation,
management and operation.
Recent Documents
Securing Wireless Networks: A Manager’s Guide
Designing Secure Wireless Networks
Network Testing Guide
Applying Security Patches
Securing Your Public Webserver
Security Issues and Solutions for E-mail
Telecommuting Security Cookbook
System Administrator Guidance for Securing
MS Windows 2000 Professional System
Why did we do it?
NIST recognized a need for a guide to
consolidate various best practices
Very little federal guidance exists for
securing popular applications
Guide designed for educated users and
administrators
Goals
Secure the Windows 2000 Professional and
suite of applications found on desktop system
Built on the existing resources, i.e. guides,
documents, and recommendations produced
by NSA, Microsoft, and the security
community
A complete unified how-to document covering
the OS and common applications installation
and configuration with references and
pointers to specialized resources
Document Structure
High level overview of Windows 2000 built-in
security features
Windows 2000 Professional installation
recommendations
Patching and Updating
Securing the OS
Application security
Description of modified registry keys
Various references for further research
General OS Hardening Principles
Perform a clean installation
Install OS updates and patches
Remove and disable unnecessary services, utilities,
and applications
Restrict access to the OS critical binaries and system
configuration files and utilities
Least privilege – administrator and user role
Protection of user data through discretionary access
control
Auditing critical files
General Principles for protecting
applications against active content
Install virus scanners
Keep updated
Enable e-mail attachment scanning
Keep applications updated
Remove VBS and VBE file-type associations
Set Outlook attachment security to high
Set macro security to High
Enable digital signatures for safe Macros
Set Internet Zone security to high
Utilize Trusted Site Zone
System Administrator Guidance for Securing
Microsoft Windows 2000 Professional System Overview
Install OS and default applications
Fully patch the OS and applications
Configure applications
Review the template settings and customize
for your environment
Apply the security template
Test the settings
Deploy within your environment
Windows 2000 Professional
Installation
Perform the installation on a secure network
segment or off the network
Partition the Hard Drive using NTFS for
system and data files
Install OS with minimum required services
Install Internet Protocol (TCP/IP) networking
and Client for Microsoft Networks only
Application Installation
Install an anti-virus scanner, e.g. Norton
Antivirus, McAfee, or F-Secure
Install an e-mail client, e.g. Eudora or MS
Outlook 2000
Install the browser, e.g. Internet Explorer 6 or
Netscape 4.79
Install MS Office 2000, i.e. select only the
required components
Run and test each application
Updates and Patches
Apply the latest service pack, i.e. SP2
Download and install the required hotfixes from the Microsoft
security site,
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/current.asp
Windows Update can be used to download and install the
patches; use caution for initial updates, since this method
requires a connection to the Internet.
Download and install all other applications patches and updates
as required
Periodically scan the system to determine patch status for the
OS and all applications.
Microsoft Hotfix Service
Hfnetchk.exe
Tool used to check the hotfix status of
Single computer
IP range
Entire domain
Can be downloaded from
http://www.microsoft.com/downloads/release.asp?releaseid=31154
Latest configuration file can be manually
downloaded from
http://msvaus.www.conxion.com/download/xml/security/1.0/NT5/EN-US/mssecure.cab
Qchain.exe
Allows installation of multiple hotfixes without
rebooting between each
Install hotfixes with the -z switch to disable
reboot after install
Run qchain.exe after hotfixes have been
installed
Run Qfecheck.exe /v to verify the hotfix
installation
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q282784
Anti-Virus Configuration
Ensure signatures are up to date
Enable automatic protection
Enable email scanning
Enable Internet filtering
Enable periodic scanning
Enable heuristics, if available
Enable automatic updating
Outlook Client Configuration
Disable auto opening of messages
Disable preview pane and auto preview
Set attachment security to high
Set security zone to Restricted
Set macro security level to high
Macros will be silently disabled unless they
are signed
Eudora Client Configuration
Ensure that all executable content extension types
are registered in the WarnLaunchExtensions list
within the Eudora.ini file.
Redirect the Eudora data files into the users
application directory
Ensure that executables in HTML content are not
allowed
Do not use Microsoft's viewer
Enable executable warnings
IE Zone Security
Local intranet zone: Content located on internal network
Trusted site zone: Websites entered into zone are considered reputable and/or trustworthy
Restricted sites zone: Highest security level for untrusted sites and applications
Internet zone: Untrusted content
Local machine zone: Files on local computer
IE Configuration
Set the Internet Zone to high
Set the Trusted Site Zone security to
Medium
Add trusted sites that will not function with
a high security setting to this zone
Set the intranet setting to the maximum
setting your environment can tolerate
Netscape Configuration
Enable the minimum utilities required
during the install
Disable Java and JavaScript if not
required
Review plug-ins and remove undesired
.dll files for the plug-ins
Office Configuration
Enable digital signatures for trusted macros
Ensure macro security is set to high
Clear the “Trust all installed add-ins and
templates” checkbox to apply the macro
security settings to preinstalled macros
If required within your environment, all
macros can be disabled regardless of their
signature status through registry settings
NIST Template Settings
Created by combining recommendations from
Microsoft, NSA, and the Security Community
Few modifications were made to NSA’s
recommendations
Added several keys and modifications to
services
Tested all of the settings using combinations
of the applications discussed within the guide
Services
NIST Template Disabled
Internet Connection Sharing
Routing and Remote Access
Task Scheduler
Telnet
Guidance given to administrators for
disabling of additional services
Password Policy Differences
Maximum Password Age
NSA = 42
Microsoft = 42
SANS = 45 to 90
NIST = 90
System Administration cost and time considerations
Minimum Password Age
NSA = 2
Microsoft = 2
SANS = 1 to 5
NIST = 1
Acceptable length of time to prevent users from changing
passwords to circumvent the history table
Minimum Password Length
NSA = 12
Microsoft = 8
SANS = 8
NIST = 8
System Administration cost and time considerations
Account Lockout Policy
Account Lockout duration (minutes)
NSA = 15
Microsoft = 0
SANS = 240
NIST = 15
System Administration cost and time considerations
Account Lockout Threshold
NSA = 3
Microsoft = 5
SANS = 5
NIST = 3
Shorter account lockout duration allows us the ability to
decrease the lockout threshold
Reset Account Lockout Counter After (minutes)
NSA = 15
Microsoft = 30
SANS = 240
NIST = 15
System Administration cost and time considerations
Audit Policy
Audit Directory Service Access
NSA = None
SANS = Success,Failure
Microsoft = Not Defined
NIST = None
Audit Object Access
NSA = Failure
SANS = Success,Failure
Microsoft = Success,Failure
NIST = Failure
Audit Privilege Use
NSA = Failure
SANS = Success,Failure
Microsoft = Success,Failure
NIST = Failure
Changes made for reduction of log entries
User Rights Assignment
Access this computer from the network
NSA = Users,Administrators
SANS = None
Microsoft = Not Defined
NIST = Users,Administrators
Bypass traverse checking
NSA = Users
SANS = Administrators
Microsoft = Not Defined
NIST = Users
Some directory permissions require this privilege
Change system time
NSA = Administrators
SANS = Admin,Auth Users
Microsoft = Not Defined
NIST = Administrators
Restricted for Audit purposes
User Rights Assignment
Force shutdown from a remote location
NSA = Administrators
SANS = None
Microsoft = Not Defined
NIST = Administrators
System Administration cost and time considerations
Security Options
Lan Manager Authentication Level
NSA, Microsoft & NIST = NTLMv2/Refuse NTLM&LM
SANS = NTLMv2 or NTLM
For use in Windows 2000 only environment
Shutdown immediately if unable to log security audits
NSA = Enabled
Microsoft = Disabled
SANS = Enabled if 9 to 18 Gb
NIST = Disabled/Enable if site policy requires it
SynAttackProtect
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect = 2
Hardens TCP stack against SYN attacks
Adjusts the retransmission delays for SYN-ACKs
TCP connection requests time out quickly when
a SYN attack is in progress.
TcpMaxHalfOpen
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen = 100
This key controls the number of connections in
the SYN-RCVD state allowed before SYNATTACK protection begins to operate.
TcpMaxHalfOpenRetried
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried = 80
The TcpMaxHalfOpenRetried parameter controls
the number of connections in the SYN-RCVD
state for which there has been at least one
retransmission of the SYN sent before SYNATTACK protection begins to operate.
EnablePMTUDiscovery
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery = 1
Limits TCP segments to the largest packet
size allowed to a remote host to eliminate
packet fragmentation.
EnableICMPRedirects
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirects = 0
This parameter controls whether Windows
2000 will alter its route table in response to
ICMP redirect messages that are sent to it by
network devices such as routers.
AeDebug\Auto
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Auto = 0
This setting disables automatic start of the Dr.
Watson program debugger on Windows 2000
Professional. To re-enable the debugger, type
the following at the command line: drwtsn32 -i
The debugger dump files can contain sensitive
information.
CreateCrashDump
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DrWatson\CreateCrashDump = 0
If Dr. Watson is enabled this setting prevents
sensitive information from being dumped from
memory.
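Added example (not part of the NIST guide or its template): a Python check that parses the text of a registry export (.reg) and reports which of the seven registry values recommended on the preceding slides are missing or different. The sample export is constructed, and reading AeDebug\Auto as a string value holding "0" or "1" is an assumption of the example.

```python
import re

TCPIP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
EXPECTED = {  # (key, value name) -> value recommended on the slides above
    (TCPIP, "SynAttackProtect"): 2,
    (TCPIP, "TcpMaxHalfOpen"): 100,
    (TCPIP, "TcpMaxHalfOpenRetried"): 80,
    (TCPIP, "EnablePMTUDiscovery"): 1,
    (TCPIP, "EnableICMPRedirects"): 0,
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug", "Auto"): 0,
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DrWatson", "CreateCrashDump"): 0,
}
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"([^"]*)")$')

def parse_reg(text):
    """Map (key, name), lower-cased, to each DWORD or string value in a .reg export."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := VALUE_RE.match(line)):
            name, dword, string = m.groups()
            if dword or string.isdigit():  # assumed: string flags such as AeDebug\Auto hold "0"/"1"
                string = int(dword, 16) if dword else int(string)
            values[(key, name.lower())] = string
    return values

def audit(text):
    """Return (name, expected, actual) for each recommended value that is missing or differs."""
    actual = parse_reg(text)
    return [(name, want, actual.get((key.lower(), name.lower())))
            for (key, name), want in EXPECTED.items()
            if actual.get((key.lower(), name.lower())) != want]

# Constructed sample: ICMP redirects left on, Dr. Watson auto-start on, no DrWatson key.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000002
"TcpMaxHalfOpen"=dword:00000064
"TcpMaxHalfOpenRetried"=dword:00000050
"EnablePMTUDiscovery"=dword:00000001
"EnableICMPRedirects"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
"Auto"="1"
'''

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT))
```

A value that is absent from the export is reported with an actual value of None, so an unset key is not mistaken for a compliant one.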
Future
Welcome inputs and suggestions from
the Security Community
Areas
Windows 2000 Server and active directory
Windows XP Professional and Home
Microsoft .NET
Suggestions: [email protected]
Conclusion
Document:
http://csrc.nist.gov/itsec/download_W2Kpro.html
Comments, suggestions, and questions:
[email protected]
Disclaimer
Any mention of commercial products or reference to commercial organizations is
for information only; it does not imply recommendation or endorsement by NIST
nor does it imply that the products mentioned are necessarily the best available
for the purpose.
The following information is provided for Civil and Government agencies
requiring security configuration guidelines.
Do not attempt to implement any of the settings in this guide without first
testing them in a non-operational environment.
This document is only a guide containing recommended security settings. It is
not meant to replace well-structured policy or sound judgment. Furthermore
this guide does not address site-specific configuration issues. Care must be
taken when implementing this guide to address local operational and policy
concerns.
This document and templates were developed at the National Institute of
Standards and Technology by employees of the Federal Government in the
course of their official duties. Pursuant to title 17 Section 105 of the United
States Code this document and templates are not subject to copyright
protection and is in the public domain. NIST assumes no responsibility
whatsoever for its use by other parties, and makes no guarantees, expressed or
implied, about its quality, reliability, or any other characteristic. We would
appreciate acknowledgement if the documents and templates are used.