Windows Hardening


Transcript of Windows Hardening

  • Windows Hardening

  • http://technet.microsoft.com/security/bb977553(en-us).aspx
    Windows XP Security Guide
    Windows Vista Security Guide
    Windows Server 2003 Security Guide
    Windows Server 2008 Security Guide

  • The Center for Internet Security (CIS)
    The National Security Agency (NSA)
    The Defense Information Systems Agency (DISA)
    The National Institute of Standards and Technology (NIST)

  • Microsoft provides guidance for how to help secure our own operating systems. We have developed three levels of security settings:
    Legacy
    Enterprise
    Specialized Security, Limited Functionality

  • As part of an overall defense in depth approach, including multiple layers of security, Microsoft recommends that you implement server security measures tailored to the role or purpose of each server in your organization. Vulnerability, risk, and exposure analysis with regard to security informs you of the tradeoffs between security and usability that all computer systems are subject to in a networked environment.

    Hardening server systems in three common enterprise environments should be considered:
    one in which older operating systems such as Windows 98 must be supported: the Legacy Client scenario
    one consisting of only Windows 2000 and later operating systems: the Enterprise Client scenario
    one in which concern about security is so high that significant loss of functionality and manageability is considered an acceptable tradeoff to achieve the highest level of security: the High Security scenario

  • Apply to Relevant Servers in your Organization

    [Diagram: Securing Domain Infrastructure. The Member Server Baseline Policy is applied through Incremental Group Policy to each server role, each with its own Hardening Procedures]
    Domain Controllers
    Infrastructure Servers
    File & Print Servers
    Internet Information Servers
    PKI Servers
    RADIUS Servers
    Bastion Servers

  • Establishing Security Boundaries
    Security starts at the domain infrastructure
    Forest vs. Domain
    True Security Boundary = Forest
    Domain is a Management Boundary of Well-Meaning Administrators
    Administrative distinctions
    Enterprise Administrators are just that
    Delegate administration
    Organizational Unit Structure
    Structuring Support for Administration & Group Policy

  • Core Security Template Group Policy for all Member Servers
    Audit Policies: Monitor Object Access, Logon & Logoff, Policy Changes
    User Rights Assignment: Controlling Server Logons & User Functionality
    Tip: Use "Deny logon from the network" to prevent service accounts from logging on remotely
    Security Options: Increase LM Compatibility Level, Restrict Anonymous
    Event Logs: Setting Log Sizes & Access Permissions
    System Services: Disabling or Removing Irrelevant Services

  • Most important server role, physical isolation needed
    DC baseline policy GP template
    Duplicates most member server policies
    Further lockdown on user rights assignments
    Configure DC specific system services to ensure consistency
    Additional security settings
    Relocating DC database and logs
    Increasing event log sizes
    Protecting DNS:
    Secure dynamic updates
    Limiting zone transfers
    Blocking ports with IPsec filters
    Tip: don't forget to configure NoDefaultExempt

  • Providing DNS & WINS Services
    Foundation: Member Server Baseline Policy
    Incremental Infrastructure Group Policy
    Adjusting Infrastructure System Services
    Additional Security Settings
    Configure DHCP Logging
    Limit Log Sizes (Registry DWORD Addition)
    Limit Access Permissions to Administrators
    Port Blocking with IPSec Filters: Infrastructure Servers
    Does not Fully Secure System During Startup

  • File & Print Servers
    File & Print Group Policy
    Foundation: Member Server Baseline Policy
    Incremental GP Modifying Security Options
    Print Server: Disable Digital Signing of Communications
    System Service Adjustments
    File Server: Enable DFS & File Replication
    Print Server: Enable Print Spooler
    Additional Security Settings
    Port Blocking with IPSec Filters
    Utilize Terminal Services for Remote Management
    Management Tools May Have Specific Port Needs
    Example: Microsoft Operations Manager

    © 2004 Microsoft Corporation. All rights reserved.

  • Internet Information Servers
    Secure by default: IIS is NO LONGER a default installation
    Initial installation is a highly secure locked down configuration
    Web server group policy
    Foundation: member server baseline policy
    Modifying system services
    Additional security settings
    IIS:
    Installation of required IIS components only
    Enabling essential web service extensions
    Granting web site permissions
    Configuring IIS logging
    Dedicating a disk for content
    Setting file level permissions
    IPSec port filtering
    Tip: configure outbound filtering for IIS servers on external interface

  • PKI Servers
    Air gap to root CA paramount to security
    PKI group policy
    Foundation: member server baseline policy
    Security options
    Certificate server
    Use FIPS compliant algorithm for encryption, hashing, & signing
    HSM: Luna, nCipher
    System service adjustments
    Additional security settings
    Setting file system ACLs on certificate server folders
    Establish file level auditing
    Separating certificate database and logs

  • Bastion Servers
    Servers accessible publicly
    Bastion Host group policy
    Rarely domain members: local policy required
    Foundation: member server baseline policy
    Tip: Deny network logon right to sensitive accounts
    System service adjustments
    Disabled:
    Automatic Updates & Background Intelligent Transfer Service
    DHCP client & Netlogon
    Plug & Play
    Remote administration & remote registry
    Server & terminal services
    Additional security settings
    Essential network protocols only
    Disable SMB
    Disable NetBIOS over TCP/IP

  • Visit the following Microsoft Web sites to download guides:

    Windows XP Security Guide
    Windows Server 2003 Security Guide
    Windows 2000 Security Hardening Guide

  • DCOM Vulnerabilities IPSec Mitigation Tools: This free tool kit contains two IPSec tools to help prevent exploitation of vulnerabilities in DCOM.
    Group Policy Management Console (GPMC) with Service Pack 1: GPMC is a free tool that lets administrators manage Group Policy for multiple domains and sites within one or more forests, all in a simplified user interface (UI) with drag-and-drop support.
    IIS Lockdown Wizard 2.1: IIS Lockdown Wizard is a free tool that works by turning off unnecessary IIS features, thereby reducing the attack surface available to attackers.
    ISA Server 2000 Feature Pack 1: ISA Server 2000 Feature Pack 1 delivers enhanced security and ease of use beyond that of traditional firewalls for email server, Web server and Exchange Outlook Web Access (OWA) deployments.
    Microsoft Baseline Security Analyzer (MBSA): MBSA is a free tool that aids in identifying the status of your operating system and application security configuration, including the presence or absence of security updates.
    Microsoft Software Update Services Solution Accelerator: This solution accelerator provides guidance for deploying critical updates and security updates to Microsoft Windows XP, Windows 2000, and Windows Server 2003 operating systems using Microsoft Software Update Services. It describes how Microsoft Software Update Services should be designed and configured to support patch management and provides details of the operational processes and procedures that need to be followed for patch management to be successful.

  • MyDoom Worm Cleaner: This free tool removes variants of the MyDoom worm from infected computers. Additionally, it removes associated backdoor components from infected computers.
    Outlook Administrator Pack: You can use the Outlook Administrator Pack to control the types of attached files blocked by Outlook, and to modify and specify user- or group-security levels. Outlook Administrator Pack is a free tool.
    Security Risk Self-Assessment for Midsize Organizations: This free application is designed to help organizations with fewer than 1,000 employees assess weaknesses in their current IT security environment.
    SQL Critical Update Kit: The SQL Critical Update Kit is a free tool that helps update editions of SQL Server 2000 and MSDE 2000 that are vulnerable to the 'Slammer' worm.
    Systems Management Server 2.0 Software Update Services Feature Pack: The SMS 2.0 Software Update Services Feature Pack contains the following tools: the Security Update Inventory Tool, the Microsoft Office Inventory Tool for Updates, the Distribute Software Updates Wizard, and the SMS Web Reporting Tool with Web Reports Add-in for Software Updates.
    UrlScan 2.5: UrlScan version 2.5 is a free security tool that restricts the types of HTTP requests that Internet Information Services (IIS) will process.
    IIS Lockdown Tool: IIS Lockdown Tool functions by turning off unnecessary features, thereby reducing the attack surface available to attackers. To provide in-depth defense or multiple layers of protection against attackers, UrlScan, with customized templates for each supported server role, has been integrated into the IIS Lockdown Tool.

  • Patch management mitigates and lessens the impact from threats in the Window of Exposure

  • [Timeline chart, day 0 to 360: Vulnerability identified; Vulnerability verified by vendor (30 - 90 days); Patch developed and released (30 - 90 days); Patch deployed on update servers (30 - 180 days); Information protected]
    WINDOW OF EXPOSURE
    ON AVERAGE, BUSINESSES CAN BE EXPOSED FROM 90 TO 360 DAYS

  • [Timeline chart, day 0 to 360: Vulnerability identified; Vulnerability verified by Microsoft, February 2003; Patch developed and released July 16, 2003 (210 days); Blaster launched August 11, 2003 (16 days); Patch deployed (30 - 180 days); Information protected]
    WINDOW OF EXPOSURE
    MOST BUSINESSES WERE EXPOSED TO RPC VULNERABILITY (BLASTER) FOR 180 - 360 DAYS

  • [Timeline chart, day 0 to 360: Vulnerability identified; Vulnerability verified by Microsoft, October 2003; Patch developed and released April 13, 2004 (188 days); Sasser launched May 1, 2004 (18 days); Patch deployed (30 - 180 days); Information protected]
    WINDOW OF EXPOSURE
    MOST BUSINESSES WERE EXPOSED TO LSASS VULNERABILITY (SASSER) FOR 190 - 260 DAYS

  • Microsoft recommends you implement a process for managing and distributing security updates within your organization.

    Patch Management:
    Assess
    Inventory existing computing assets.
    Assess security threats and vulnerabilities.
    Determine the best source for information about new software updates.
    Assess the existing software distribution infrastructure.
    Assess operational effectiveness.
    Identify
    The goal for the Identify phase is to:
    Discover new software updates in a reliable way.
    Determine whether software updates are relevant to your production environment.
    Obtain software update source files and confirm that they are safe and will install successfully.
    Determine whether the software update should be considered a normal change or an emergency, and submit a request for change (RFC) to deploy it. Submitting an RFC is the trigger for the next patch management phase, which is Evaluate and Plan.
    Evaluate and Plan
    Deploy
    WSUS
    SMS
    (see http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod108.asp for full guidance on Patch Management)

  • Helps assess the vulnerability of Windows systems
    Scans for missing security patches / updates and common security misconfigurations
    Scans local or multiple remote systems via GUI or command line invocation
    Scans various versions of Windows, IIS, IE, SQL, Exchange, and other Microsoft applications
    Generates XML scan reports on each scanned system
    Runs on Windows Server 2003, Windows 2000 and Windows XP
    Works with SUS and SMS

  • Scanning a local machine
    Windows Server 2003, Windows 2000, or Windows XP
    IE v5.01 or greater / XML parser
    Workstation service and Server service
    Machine running MBSA that performs remote scans
    Windows Server 2003, Windows 2000, or Windows XP
    IE v5.01 or greater / XML parser
    Workstation service and client for MS networks
    IIS common files if remotely scanning IIS computers

  • Machine being remotely scanned
    Windows NT 4.0 SP4 and above, Windows 2000, Windows XP, or Windows Server 2003
    IE v5.01 or greater
    IIS v4.0, 5.0 (required for IIS vulnerability checks)
    SQL 7.0, 2000, MSDE (required for SQL vulnerability checks)
    Microsoft Office 2000, XP, Office 2003 (required for desktop application vulnerability checks)
    Server service, Remote registry service, File & Print Sharing
    User must have local admin rights on computer being scanned
    If a firewall is protecting remote computers, ports 137 (UDP), 138 (UDP), 139 (TCP) and 445 (TCP) must be opened for MBSA to work

  • Reports vulnerabilities on:
    Password weaknesses
    Guest account not disabled
    Auditing not configured
    Unnecessary services installed
    IIS vulnerabilities
    IE zone settings
    Automatic Updates configuration
    Internet Connection Firewall configuration

  • MSSECURE.XML
    An XML file containing the latest security update information, constantly updated by Microsoft
    Contains data about each hotfix, including:
    Operating system and service pack (SP) applicability.
    Details about all files in the patch: file version, file checksum, file location
    Registry key applied by the patch.
    Patch superseding information

  • 1. Run MBSA on Admin system, specify targets
    2. Downloads CAB file with MSSecure.xml and verifies digital signature
    3. Scans target systems for OS, OS components, and applications
    4. Parses MSSecure to see if updates are available
    5. Checks if required updates are missing
    6. Generates time-stamped report of missing updates
    [Diagram: Windows Download Center, MSSecure.xml, MBSA Computer]

  • MBSA and SUS
    Performs security update scan against specified SUS server
    Reads registry for SUS server info or user specifies this info
    Reads approveditems.txt file on SUS server via HTTP
    Looks up approved items in mssecure.xml file
    Performs scan against appropriate patches in mssecure.xml
    CMD LINE execution:
    mbsacli.exe /sus http://mysusserver
    mbsacli.exe /hf /sus http://mysusserver

  • MBSA v1.2
    Additional Language Support
    Additional Product Support: Exchange Server 2003, Microsoft Office (local scans only), MDAC v2.5-2.8, MVM, MSXML, BizTalk Server, Commerce Server, Content Management Server, SNA Server, HIS
    Alternate File Support:
    QFE vs GDR release of a security update
    Multi-processor vs uni-processor release of a security update
    Non-security bulletin updates to security bulletin updates
    Revised (updated) security bulletins
    Previous versions of MBSA reported these updates with a yellow X, with a warning message "file version greater than expected"
    Check for New Version of MBSA
    Additional Windows Vulnerabilities Checks
    Custom IE Zones Interpretation
    New Command Line Switches
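The MBSA/SUS decision logic described above (approved items only, supersedence from mssecure.xml, file-version comparison, and the MBSA 1.2 alternate-file rule that stops a QFE/GDR variant from being flagged as "file version greater than expected") can be modelled as follows. This is an added example, not Microsoft's code; the Hotfix records, bulletin names, file versions and the approved list are all constructed and do not follow the real mssecure.xml schema.

```python
# Added example, not Microsoft's code: a simplified model of how MBSA decides
# which approved updates are missing. The Hotfix records imitate the kind of
# data mssecure.xml carries (files, versions, supersedence), NOT its real schema.
from dataclasses import dataclass, field


def parse_version(text):
    """'5.0.2195.6720' -> (5, 0, 2195, 6720) so tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Hotfix:
    bulletin: str                       # constructed id, not a real MS bulletin
    files: dict                         # file name -> expected version string
    alternates: dict = field(default_factory=dict)  # file -> accepted QFE/GDR versions
    supersedes: tuple = ()              # bulletins this one replaces


# Constructed catalogue standing in for mssecure.xml
CATALOGUE = [
    Hotfix("BULLETIN-A", {"ntdll.dll": "5.0.2195.6685"}),
    Hotfix("BULLETIN-B", {"ntdll.dll": "5.0.2195.6720"},
           alternates={"ntdll.dll": {"5.0.2195.6722"}},   # QFE build of the same fix
           supersedes=("BULLETIN-A",)),
    Hotfix("BULLETIN-C", {"rpcrt4.dll": "5.0.2195.6106"}),
]

# Constructed approved-items list, as a SUS server would publish it
APPROVED = {"BULLETIN-A", "BULLETIN-B", "BULLETIN-C"}


def required_bulletins(catalogue, approved):
    """Approved bulletins minus those superseded by another approved bulletin."""
    superseded = set()
    for hotfix in catalogue:
        if hotfix.bulletin in approved:
            superseded.update(hotfix.supersedes)
    return [h for h in catalogue if h.bulletin in approved and h.bulletin not in superseded]


def check_hotfix(hotfix, installed, alternate_file_support=True):
    """Classify one bulletin against the files found on the scanned machine.

    Returns 'missing', 'installed' or 'warning'. A newer-than-expected file is
    only a warning (pre-1.2 behaviour) unless alternate-file support is on and
    the version is a listed QFE/GDR alternate, in which case it is installed.
    """
    for name, expected in hotfix.files.items():
        found = installed.get(name)
        if found is None or parse_version(found) < parse_version(expected):
            return "missing"
        if parse_version(found) > parse_version(expected):
            if alternate_file_support and found in hotfix.alternates.get(name, ()):
                continue
            return "warning"          # "file version greater than expected"
    return "installed"


def scan(installed, catalogue=CATALOGUE, approved=APPROVED, alternate_file_support=True):
    """Return {bulletin: status} for every bulletin the SUS server requires."""
    return {h.bulletin: check_hotfix(h, installed, alternate_file_support)
            for h in required_bulletins(catalogue, approved)}


if __name__ == "__main__":
    # Constructed file inventory of one scanned host
    host = {"ntdll.dll": "5.0.2195.6722", "rpcrt4.dll": "5.0.2195.6000"}
    print(scan(host))                                 # BULLETIN-B installed, BULLETIN-C missing
    print(scan(host, alternate_file_support=False))   # BULLETIN-B becomes a warning
```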

  • Microsoft security risk self assessment tool

    Free Microsoft risk-assessment tool designed to provide information and recommendations about best practices for security within an IT infrastructure
    The application is designed for organizations with 50 to 500 desktops and/or 100 to 1,000 employees
    The risk assessment is based on accepted standards and best practices for helping reduce risk in IT environments. It uses the "Defense-in-Depth" concept
    Available for download at http://www.securityguidance.com
    Works with Windows 2000 and XP

  • Microsoft security risk self assessment tool

    Interviews user about security policy and operations
    Compares scores obtained in assessment to industry averages
    Creates two assessment reports:
    Business Risk Profile: assesses risks a company in your industry faces
    Risk Assessment: rates your company's risk and security practices as compared to industry averages
    Uploads results to common database for industry comparison

  • Microsoft Security Risk Self Assessment Tool

  • Always get approval of management before running assessment
    Consider potential side effects of running assessment tool, which may cause computer lockouts and network bandwidth problems, on production computers during business hours
    Run on regularly scheduled basis. Use comparative results between assessments as an empirical measurement of improving security policies and procedures
    Never run without first alerting end-users

    Notes: New version, 1.2, came out in January 2004. New versions must be installed just like it was never installed: there is no auto-update feature. Also shows drive shares and file subsystem types, so it can be used as a mini-inventorying tool.

    Local Account Passwords Check Description
    This check identifies any blank or simple passwords for each local user account on the computer. This check is not performed on domain controllers. Windows XP, Windows 2000, and Windows NT operating systems all require user authentication through passwords. In general users are permitted to choose their own passwords. The security of their account depends on the choice of the password. This check enumerates all user accounts and checks for the following password conditions:
    Password is blank
    Password is the same as the user account name
    Password is the same as the machine name
    Password uses the word "password"
    Password uses the word "admin" or "administrator"

    Windows Auditing Check Description
    This check determines whether auditing is enabled on the scanned computer. Microsoft Windows has an auditing feature that tracks and logs specific events on your system, such as successful and failed logon attempts. By monitoring your system's event log, you can help identify potential security issues and malicious activity.

    Full incorporation of HFNetChk engine
    Support for HFNetChk v3.81 in MBSA command line interface
    New /hf flag supported by mbsacli.exe
    HFNetChk no longer offered as standalone tool from MS
    Users can choose between MBSA-style scan or HFNetChk-style scan
    MBSA scan: mbsa.exe, mbsacli.exe
    HFNetChk scan: mbsacli.exe /hf (followed by any valid HFNetChk parameter)
    mbsacli.exe /hf -v -nosum
    Note: Shavlik is offering HFNetChk v3.86 for free

    The MSSecure.XML file contains information about which hotfixes are available for each platform. The XML file contains security bulletin name and title, and detailed data about platform-specific security hotfixes, including:
    files in each hotfix package and their file versions and checksums
    registry keys that were applied by the hotfix installation package
    information about which patches supersede which other patches
    related Microsoft Knowledge Base article numbers, and much more.

    The XML file is available on the Microsoft Download Center Web site in compressed form. The file is a digitally signed .cab file.

    In HFNetChk mode, if one PC in the instructed IP range or domain cannot be contacted (using the ports listed), the whole scan fails. In regular MBSA mode, MBSA notes failures but continues to scan.

    Additional Language Support
    MBSA V1.2 is now localized for English, German, French, and Japanese versions of Windows. Users can download builds of MBSA in each language. These builds will download the mssecure.xml file containing localized security update information for that language when available from the Microsoft Download Center. All localized builds will fall back to using the English mssecure.xml file (with checksum checks disabled when scanning a non-English machine) if the matching localized xml file is not available.

    Additional Product Support
    MBSA V1.2 has added security update checks for the following products:
    Exchange Server 2003
    Microsoft Office (local scans only; see list of products)
    Microsoft Data Access Components (MDAC) 2.5, 2.6, 2.7, and 2.8
    Microsoft Virtual Machine
    MSXML 2.5, 2.6, 3.0, and 4.0
    BizTalk Server 2000, 2002, and 2004
    Commerce Server 2000 and 2002
    Content Management Server (CMS) 2001 and 2002
    SNA Server 4.0, Host Integration Server (HIS) 2000 and 2004
    Note: the Microsoft Office support was added via integration of the Office Update Inventory Tool.

    Alternate File Support
    MBSA V1.2 has added the capability to support alternate versions of a file. Files may have different version numbers and/or checksums due to:
    QFE (Quick Fix Engineering)/LDR (Limited Distributed Release) vs. GDR (General Distributed Release) of a security update
    Multi processor vs. uni processor releases of a security update
    Non-security bulletin updates to security bulletin updates
    Revised (updated) security bulletins
    Previous versions of MBSA reported such updates with a yellow X, with a warning message that a "file version greater than expected" was found. MBSA V1.2, with its new alternate file version support, will have the ability to suppress this warning and verify the above cases if any of the files listed in the mssecure.xml match those found on the scanned machine.

    Check for New Version
    MBSA V1.2 can check if new versions of MBSA have been released by Microsoft. If a new version of MBSA is released, the user will be notified of the update in both the GUI and CLI.

    Additional Windows Vulnerabilities Checks
    MBSA V1.2 added a check for Automatic Updates feature settings, as well as a check for Internet Connection Firewall (ICF). For Automatic Updates, MBSA will report if this feature is enabled and whether it is configured to automatically download and automatically install updates, or whether it is enabled and controlled by Group Policy. For ICF, MBSA will scan against all network connections on the machine that support ICF, and report whether the firewall is enabled and whether any ports are open to external traffic.

    Custom Internet Explorer Zones Interpretation
    MBSA 1.2 now interprets custom IE zone settings and compares them to recommended default zone level settings. The scan reports will identify any individual zone settings that have custom settings below the recommended defaults for the overall zone.

    New MBSA Command Line Switches
    MBSA 1.2 adds the following new command line switches, which can be used with mbsacli.exe or mbsacli.exe /hf:
    -unicode (generates Unicode output for users running Japanese MBSA or scanning Japanese Windows machines)
    -nvc (prevents MBSA from checking if a newer tool version is available)