Computer Defense Recommendation Summary


Professional Windows Desktop and Server Hardening, by Roger A. Grimes

Computer Defense Recommendation Summary (3/4/06)

Hardening Recommendation | Description | Criticality | Chapter Ref
--- | --- | --- | ---
Don’t give non-admin users administrator privileges | Will prevent 70-90% of malware today | High | 2/9
Keep patches updated | Will prevent many attacks | High | 2
Use a host-based firewall | | High | 2
Use antivirus software with an updated signature file | | High | 2
Use anti-spam software | | Medium | 2
Use anti-spyware software | | High | 2
Enable boot-up passwords on portable computers | | Medium | 2
Enable booting from primary boot drive only | To prevent bypassing of Windows security, password cracking, and boot viruses | Medium on workstations, High on servers | 2, 4
Password protect the BIOS | To prevent resetting of the boot drive | Medium on workstations, High on servers | 2
Harden TCP/IP stack | To prevent DoS attacks | Low on most computers, High on Internet servers | 2
Rename Administrator and other highly privileged accounts; create bogus accounts | | Medium/High | 2, 4
Highly privileged account names should not reflect their roles in the organization | For example, an Exchange Administrator account should not be called ExchAdmin. Better to call it something like PTravers, or some other less notable name | Medium | 2, 3
Run services on non-default TCP/IP ports | | High | 2
Install high-risk software to non-default folders | May defeat scripted attacks | Low | 2
Institute Logon and Account Logon auditing for highly-privileged accounts; consider Per-User Auditing as well. | | Medium | 2
All highly privileged accounts should have long (15 characters or longer), complex passwords. | To defeat password cracking | High | 2, 4
Security must be automated | Or it won’t be consistently applied | High | 2, 14, 15
Disable delegation on highly-privileged users (and any computers) not needing delegation | Can prevent malicious programs from impersonating users to remote services and computers | Low | 3
On Windows Server 2003 servers required to use delegation, enable constrained delegation. | Minimizes a hacker’s attack space on a server enabled with delegation | Medium | 3
Make sure SID History filtering is enabled in your environment, which it is by default | Or else hackers might be able to elevate their privileges | Low | 3
Use the AGULP method to assign security permissions | Not using it means you don’t really understand what security is set in your environment. | High | 3/9
Always assign permissions to groups and never to individual users | Or else control becomes problematic and unmanageable | Medium/High | 3/9
Use the Advanced Security Settings dialog box when setting NTFS permissions | It will display “true” permissions. Sometimes Windows doesn’t display correct permissions on the permissions summary screen. | Medium | 3/9
Set Share and NTFS permissions as tight as you can to meet the least-privilege principle. | Don’t make Share permissions Everyone Full Control, as recommended by many documents. | Medium | 3/9
Use Share Change permissions instead of Full Control. | That’s all people need most of the time anyway | Medium | 3
Use NTFS Modify permission instead of Full Control unless the user really needs Full Control | Most non-admin users never need Full Control to a file or folder. | High | 3
Decrease Number of previous logons to cache to 0-3 versus the default of 10. | By default Windows stores 10 user profiles’ worth of previous logon names and passwords that may be extracted with admin access and the right tools (e.g. Cachedump.exe) | Low/Medium | 4
Do not save passwords with your RDP connection objects | They can easily be revealed using Cain & Abel and a locally logged on admin | Medium | 4
Disable the storage of LM password hashes and force users to change their passwords after LM hash storage is disabled. | Most password cracking programs rely on the existence of LM password hashes | High | 4
Minimum password size should be 15 characters long. | Disables LM hash storage and presents complexity to password crackers | High/Medium | 4
Minimum password age should be set to any value above 0. | Prevents password re-use or circumventing Enforce Password History rules. | Medium | 4/14
Require long, complex passwords | Prevents password crackers from being successful | High | 4
Enable Account Lockouts. Set the Account lockout threshold to a certain number of acceptable bad password attempts, say 3 to 5. Set the Reset account lockout counter after to 1 minute (the smallest it can be). Set Account lockout duration to 1 minute. | Stops password guessers | High | 4
Force password changes every 90 days or less | Stops password guessers, crackers, and rainbow table programs | High/Medium | 4
Periodically re-create Windows trusts and put in new trust passwords | Needed only in high-security environments | Low | 4
Consider requiring smart cards or biometrics for highly-privileged accounts | To add extra security | Medium | 4
Consider only using your most highly-privileged accounts on trusted computers. | You want to ensure that a hardware keyboard logger or trojan isn’t intercepting the password. | Low | 4
Separate domain admin and enterprise and schema admin roles (don’t give both to the same user account). | To prevent island hopping | Medium | 4
Use different passwords for your different administrative accounts. | To prevent island hopping | High/Medium | 4
Don’t forget to change the password on the Directory Services Restore Mode admin account occasionally. | To prevent local admin account cracking | Low | 4
Do periodic password audits using password crackers | To audit the strength of user passwords and monitor compliance. | High | 4
Enable logon screen warning messages | To defeat many brute force tools | High/Medium | 4
Consider randomly generating passwords | Would defeat many password cracking tools. This is a good idea, but users are highly resistant to it. | Low (ranking offset by other non-technical issues) | 4
Disable the Autorun.inf feature using a registry edit or SRP | To prevent autorun programs from removable media from running malicious commands or programs | Low | 5/9
Prevent users from running high-risk files and programs | To prevent malicious use | Medium | 5/9
Turn off file extension hiding in Windows Explorer | Malware can use double-naming tricks to confuse users into executing malware. | High | 5
Disable “Super Hidden” file extensions for high-risk file associations | Else malware can trick users into executing malware by accident | High | 5
Uninstall, disable, remove, delete, and rename unneeded high-risk files and programs | To prevent malicious exploitation using those same files. | High | 5/9
Use NTFS permissions to prevent non-admin users from running high-risk files and folders. | To prevent malicious use | High | 5/9
Use GPOs when possible to push NTFS security on high-risk files, folders, and registry keys. | Security permissions will re-apply even if the file gets replaced. Make sure to also enable Security policy processing and Process even if Group Policy objects have not changed for the GPO carrying the NTFS permission settings. | High | 5/9/14
Create a LeastPrivilegedUsers_Grp and highly restrict its members | To give them access to only the exact resources they need access to. | High | 5
Enable Object Access auditing for high-risk critical files. | To monitor unauthorized requests | Medium | 5
Use Software Restriction Policies to deny all software except that which is specifically allowed. | To prevent unauthorized software execution. One of the single best things you can do to your system. | High | 9/5
Block non-admin access to high-risk registry keys | Block non-admin write access to registry “run” keys, and block all non-admin access to high-risk file associations. | High | 6
Block non-admin access to high-risk URI handlers | To prevent malware execution that depends on rarely used URI handlers. Examples include telnet://, rlogin://, news://, tn3270://, and aim:// if you don’t allow AIM. | Medium | 6
Enable the Confirm open after download file type option for potentially dangerous file types | To prevent automatic malware execution | High | 6/10
Make lesser-privileged custom service accounts for non-default services | Reduces the attack surface if a service account is compromised | High | 7
Make custom service account passwords long and complex, and change them more frequently than normal accounts | Service account passwords can be extracted in plaintext by an admin user | High | 7
Use lesser privileged service accounts (LocalService, NetworkService, and custom) when possible instead of LocalSystem or admin-level accounts. | To decrease the risk of a successful exploit from direct use or buffer overflows | Medium/High | 7
Prevent unneeded services from executing | Use ACLs, SRP, etc. | High | 7/9
Disable services in hardware profiles not needing them | Reduces attack surface area | Medium | 7/9
Lock custom service accounts to the local PC | Prevents island hopping attacks. | Medium | 7
Consider configuring high-risk services to alert users/administrators when they have stopped (e.g. from a buffer overflow attack), instead of automatically restarting. | Can be configured on the service’s Recovery tab in the Services console. | Medium | 7
Environments with high-security requirements or expecting attacks against their IPSec infrastructure should enable Perfect Forward Secrecy. | Prevents an attacker who cracks one IPSec secret key from easily brute forcing the others | Low | 8
Use IPSec to create network security domains and VPNs, and to filter host connections. | Prevents many types of attacks. | Medium/High | 8
Use the latest version of IE and keep it patched | Most resistant version of IE | High | 10
Use the Killbit to stop risky ActiveX controls that have no easier alternate defenses | Stops malicious ActiveX use | Medium | 9
Don’t surf untrusted web sites | Avoid malicious code | Medium/High | 10
Customize and tighten IE’s Internet security zone | Minimize malicious browser attacks | Medium/High | 10
Use a 3rd party tool to protect IE | If additional protection is needed | Medium/High | 10
Block High-Risk File Attachments | As recommended in other chapters | High | 11
Disable HTML Content in e-mail clients | One of the single best things you can do to protect users | High | 11
Use Software That Authenticates E-mail Links | Hopefully your email or browser client does this | Medium | 11
Run Anti-virus software that scans e-mail | Run on client and email gateway | High | 11
Block Unmanaged E-mail Connections (over SMTP, HTTP, etc.) | Unmanaged email provides high-risk opportunities for internal network compromises | High | 11
Block Spam | Implement at least one non-client-side solution (i.e. on the gateway or prior to the network perimeter) | High | 11
Block e-mail clients from using port 25 | Outlook/Exchange clients on the internal LAN use RPC, not SMTP, to communicate. By only allowing email servers to use port 25, you will catch SMTP worms and bots with their own email engines | High | 11
Implement authenticated e-mail protocols | Consider implementing a PKI hierarchy on the LAN, Sender ID (or another anti-spam protocol) to fight spam, and use S/MIME or PGP to authenticate sensitive emails | Medium | 11
Securely configure the email client | To minimize the chances of exploitation | High | 11
Secure DNS services | To prevent DNS poisoning that can redirect users to bogus web sites | High | 11
IIS: Only allow the bare minimum of TCP/IP ports to and from the web server | Usually the only ingress filters that should be allowed are 80, maybe 443, and whatever the remote management port requirement is. No egress should be allowed, unless external communication is an authorized component of the server. Do not allow ports 80 and 53 outbound all the time. | High | 12
IIS: Unless otherwise contraindicated, IIS should always be installed on a dedicated computer | To prevent exploitation from other services. | High | 12
IIS: Check for and install updated hardware drivers | To prevent hardware exploitation. | Medium | 12
IIS: IIS should be installed on a system with two separate, clean hard drives, each formatted with NTFS | To prevent directory traversal attacks. | Medium/High | 12
IIS: Install in stand-alone, workgroup mode unless domain authentication is needed. | Less information to be protected if Active Directory is not needed | High | 12
IIS: Specifically deny access to the IIS anonymous user and anonymous null session | Add the accounts to \Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny logon through Terminal Services | Medium | 12
IIS: Enable High level encryption on any Terminal Services connections. | Set under \Computer Configuration\Administrative Templates\Terminal Services\Encryption and Security\Set client connection encryption level | Medium | 12
IIS: If you use Remote Desktop to administer the web server, change the RDP port to something random and high | To prevent easy RDP port enumeration and remote password guessing attacks | High | 12
IIS: Structure web site content directories to maximize security. | See Chapter 12. | High | 12
Disable EFS until an EFS recovery policy is defined | Otherwise encrypted files could be lost | High | 13
Encrypt confidential and sensitive files | To prevent information theft | Medium | 13
Encrypt sensitive information stored on laptops and other computer assets subject to a high risk of theft | To prevent information theft | Medium/High | 13
Ensure that a data recovery agent (DRA) is defined on stand-alone XP Pro machines | To prevent EFS-encrypted data from becoming unrecoverable | Medium/High | 13
Create a custom DRA account to replace the default DRA selection of Administrator | To give added protection to EFS-protected files. Disable the custom DRA account until needed. | Medium/High | 13
After using or creating a DRA account, export and remove the DRA’s recovery certificate from the system | You can import it when needed. Gives added protection to the DRA account and EFS. | Medium/High | 13
Consider implementing Syskey protection (mode 2 or 3) on computers using EFS | To protect local credentials against password attacks trying to recover EFS keys | Low | 13
Use GPO software publishing to install and update software | If no other automated software install tool is in use, especially for common Internet Explorer browser add-on programs, like Sun’s Java VM, Adobe’s Acrobat Reader, RealPlayer, etc. | High/Medium | 14
Modify the Access this computer from the network right. | Should be set to Authenticated Users and Administrators, not Everyone, in most environments. Must allow the Enterprise Domain Controllers group on Domain Controllers; and add the Backup Operators, Everyone, and Pre-Win 2K Compatible groups if they are used. Early versions of OWA required remote users to have this right | Low/Medium | 14
Modify the Add workstations to the domain right. | By default all Authenticated Users have this right; consider only granting this right to the Administrators group. | Low/Medium | 14
Enable the Require Domain Controller authentication to unlock workstation security option | Determines whether or not a domain controller is required to unlock a locked workstation, or whether cached credentials will work. Default is disabled. Should be enabled to prevent timing issues and other types of hacks involving locked screen savers. | Medium | 14
Use the Restricted Groups GPO feature to control the membership of highly-privileged groups | Prevents unauthorized users from remaining in highly-privileged groups for long | High | 14
Use role-based security in designing your AD structure | Make role-based security templates, role-based OUs, role-based GPOs, etc. | High | 15
Create and use Local Computer Policy | To prevent users from circumventing GPOs | Medium | 15
Create and apply a one-time uber-security template to each new or existing PC that fully reflects (as best as possible) your company’s security policy | To make sure all computers meet the defined security policy. | High | 15
If a cross-forest trust is used, enable selective authentication. | To prevent remote forest users from automatically being added to the local forest’s Authenticated Users group upon connection. | High | 15
Trust passwords should be long and complex | To prevent unauthorized recovery during initial setup. Overall risk is low because attackers haven’t attacked trust passwords much, and after the initial setup Windows frequently changes the password and makes it long and complex. | Low/Medium | 15
Use Gpresult.exe /V to report effective GPO policy settings instead of RSoP | Gpresult.exe /v can report the effects of Local Computer Policy, while RSoP cannot. | Medium if Local Computer Policy is used, otherwise Low | 15
Ensure that GPOs get applied during the refresh interval even if the GPO settings did not change | Each GPO category can be disabled or enforced under \Computer Configuration\Administrative Templates\System\Group Policy. | Medium/High | 15
Other than domain-level policies, each GPO should be applied to a computer or user object, but not both at the same time. Disable the Computer Configuration or User Configuration option when not used | This will speed up GPO application significantly | Medium | 15
Make sure administrators are not exempt from GPO settings | Some sources tell you to remove all GPOs from applying to Admin accounts, which is the wrong advice. | Medium | 15

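Several Chapter 4 rows above give concrete thresholds (a 15-character minimum, a minimum age above 0, a 90-day maximum, 3 to 5 lockout attempts, 1-minute reset and lockout duration, no LM hashes, 0-3 cached logons), and the Chapter 14 row names the unlock option. The following PowerShell audit is added here and is not from the book or its author: it exports the effective local policy with secedit, reads the standard LSA and Winlogon registry values, and reports each setting against the table's values. It assumes an elevated session on the machine being checked; the Get-Int helper and the check list are this example's own.

```powershell
# Added example (not from the book or its author): audit the local account and
# credential-storage policy against the table's Chapter 4 and 14 recommendations.
# Assumes an elevated PowerShell session on the machine being checked.

$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /quiet | Out-Null          # dump effective local policy (INI format)
$policy = @{}
foreach ($line in Get-Content $cfg) {                 # parse "Name = Value" lines
    if ($line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $policy[$Matches[1]] = $Matches[2] }
}
Remove-Item $cfg -Force

$lsa      = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Helper (this example's own): a missing value reads as 0, i.e. "not configured"
function Get-Int($value) { if ($null -eq $value) { 0 } else { [int]$value } }

$checks = @(
    @{ Setting = 'Minimum password length';     Actual = Get-Int $policy['MinimumPasswordLength'];
       Expected = '>= 15 (also disables LM hash storage)'; Pass = { param($v) $v -ge 15 } }
    @{ Setting = 'Minimum password age (days)'; Actual = Get-Int $policy['MinimumPasswordAge'];
       Expected = '> 0';                          Pass = { param($v) $v -gt 0 } }
    @{ Setting = 'Maximum password age (days)'; Actual = Get-Int $policy['MaximumPasswordAge'];
       Expected = '1-90 (-1 = never expires)';   Pass = { param($v) $v -ge 1 -and $v -le 90 } }
    @{ Setting = 'Password complexity';         Actual = Get-Int $policy['PasswordComplexity'];
       Expected = '1 (enabled)';                  Pass = { param($v) $v -eq 1 } }
    @{ Setting = 'Account lockout threshold';   Actual = Get-Int $policy['LockoutBadCount'];
       Expected = '3-5 attempts (0 = disabled)'; Pass = { param($v) $v -ge 3 -and $v -le 5 } }
    @{ Setting = 'Reset lockout counter (min)'; Actual = Get-Int $policy['ResetLockoutCount'];
       Expected = '1';                            Pass = { param($v) $v -eq 1 } }
    @{ Setting = 'Lockout duration (min)';      Actual = Get-Int $policy['LockoutDuration'];
       Expected = '1';                            Pass = { param($v) $v -eq 1 } }
    @{ Setting = 'NoLMHash (LSA)';              Actual = Get-Int $lsa.NoLMHash;
       Expected = '1 (LM hashes not stored)';     Pass = { param($v) $v -eq 1 } }
    @{ Setting = 'CachedLogonsCount';           Actual = Get-Int $winlogon.CachedLogonsCount;
       Expected = '0-3 (default 10)';             Pass = { param($v) $v -le 3 } }
    @{ Setting = 'ForceUnlockLogon';            Actual = Get-Int $winlogon.ForceUnlockLogon;
       Expected = '1 (DC required to unlock)';    Pass = { param($v) $v -eq 1 } }
)

$results = foreach ($c in $checks) {
    [pscustomobject]@{
        Setting  = $c.Setting
        Actual   = $c.Actual
        Expected = $c.Expected
        Pass     = & $c.Pass $c.Actual
    }
}
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }   # non-zero exit code for automation
```

Run it from a scheduled task or login script and alert on the non-zero exit code, which is the "security must be automated" row applied to these settings.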
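For the Chapter 5, 6 and 12 rows on Autorun, file-extension hiding, "super hidden" extensions and the RDP port, this added PowerShell script (not from the book or its author) reads the corresponding registry values and then enumerates every extension whose ProgID carries NeverShowExt, so the high-risk associations that hide their extension can be reviewed. It assumes an elevated session and that the HKCU check applies to the current user; the Get-RegValue helper is this example's own.

```powershell
# Added example (not from the book or its author): check the Autorun, extension-hiding
# and RDP-port settings from the table, then list every file extension whose ProgID
# carries NeverShowExt ("super hidden"). Assumes an elevated session.

$policies = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$rdpTcp   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Helper (this example's own): read one registry value, $null if the key or value is absent
function Get-RegValue($Path, $Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$autorun = Get-RegValue $policies 'NoDriveTypeAutoRun'   # 0xFF = Autorun disabled on all drive types
$hideExt = Get-RegValue $advanced 'HideFileExt'          # 1 = hide known extensions (the default)
$rdpPort = Get-RegValue $rdpTcp   'PortNumber'           # 3389 = the default RDP port

$settings = @(
    [pscustomobject]@{ Setting = 'NoDriveTypeAutoRun'; Actual = $autorun; Pass = ($autorun -eq 0xFF) }
    [pscustomobject]@{ Setting = 'HideFileExt';        Actual = $hideExt; Pass = ($hideExt -eq 0) }
    [pscustomobject]@{ Setting = 'RDP PortNumber';     Actual = $rdpPort; Pass = ($rdpPort -and $rdpPort -ne 3389) }
)
$settings | Format-Table -AutoSize | Out-Host

# Walk HKCR: each ".ext" key's default value names its ProgID; if that ProgID has a
# NeverShowExt value, Explorer hides the extension even when HideFileExt is 0.
$hkcr = 'Registry::HKEY_CLASSES_ROOT'
$extKeys = Get-ChildItem $hkcr -ErrorAction SilentlyContinue | Where-Object { $_.PSChildName -like '.*' }
$superHidden = foreach ($extKey in $extKeys) {
    $progId = (Get-ItemProperty $extKey.PSPath -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) { continue }
    if (Get-ItemProperty "$hkcr\$progId" -Name NeverShowExt -ErrorAction SilentlyContinue) {
        [pscustomobject]@{ Extension = $extKey.PSChildName; ProgID = $progId }
    }
}
"Extensions hidden via NeverShowExt: {0}" -f @($superHidden).Count
$superHidden | Sort-Object Extension | Format-Table -AutoSize
```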
Notes:

1. This table summarizes the computer defense advice made in Professional Windows Desktop and Server Hardening.
2. The author of this table has made it as accurate as possible, but it may contain inaccuracies, and he accepts no risk or liability from its use.
3. Send any corrections, additions, and suggestions to the author at [email protected]. The document may be freely distributed as long as it is unmodified, the author attribution is maintained, and it is not used for profit.

Free Supplement to Professional Windows Desktop and Server Hardening (Grimes, Wrox)