Windows Security Hardening
• Unified CCE Security Hardening for Windows Server
Unified CCE Security Hardening for Windows Server

This topic contains the security baseline for hardening Windows Servers running Unified CCE.
This baseline is essentially a collection of Microsoft group policy settings, determined by using the Microsoft Security Compliance Manager 4.0 tool.
In addition to the GPO settings provided in the table, disable the following settings:
• NetBIOS
• SMBv1
For more details about these configurations, see the Microsoft Windows Server documentation.

Note: The baseline includes only those settings whose severity qualifies as Critical or Important. Settings with a severity of Optional or None are not included in the baseline.
| Setting Name | Default Value | Compliance |
| --- | --- | --- |
| Network security: LAN Manager authentication level | Send NTLMv2 response only | Send NTLMv2 response only. Refuse LM & NTLM |
| Network Security: Restrict NTLM: Audit NTLM authentication in this domain | Not defined | Not Defined |
| Network Security: Restrict NTLM: Incoming NTLM traffic | Not defined | Not Defined |
| Interactive logon: Require smart card | Disabled | Not Defined |
| Network Security: Restrict NTLM: Add remote server exceptions for NTLM authentication | Not defined | Not Defined |
| Network security: Allow LocalSystem NULL session fallback | Not defined | Disabled |
| Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled | Disabled |
| Network security: Allow Local System to use computer identity for NTLM | Not defined | Enabled |
| Network security: Do not store LAN Manager hash value on next password change | Enabled | Enabled |
| Network Security: Allow PKU2U authentication requests to this computer to use online identities | Not defined | Not Defined |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | No minimum | Require NTLMv2 session security, Require 128-bit encryption |
| Microsoft network server: Server SPN target name validation level | Off | Not Defined |
| Interactive logon: Smart card removal behavior | No Action | Lock Workstation |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | No minimum | Require NTLMv2 session security, Require 128-bit encryption |
| Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 10 logons | 4 logon(s) |
| Network Security: Restrict NTLM: NTLM authentication in this domain | Not defined | Not Defined |
| Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers | Not defined | Not Defined |
| Network access: Let Everyone permissions apply to anonymous users | Disabled | Disabled |
| Network Security: Restrict NTLM: Add server exceptions in this domain | Not defined | Not Defined |
| Network Security: Restrict NTLM: Audit Incoming NTLM Traffic | Not defined | Not Defined |
| Network access: Do not allow anonymous enumeration of SAM accounts and shares | Disabled | Enabled |
| Network access: Do not allow anonymous enumeration of SAM accounts | Enabled | Enabled |
| Shutdown: Clear virtual memory pagefile | Disabled | Disabled |
| Network access: Remotely accessible registry paths | System\CurrentControlSet\Control\ProductOptions; System\CurrentControlSet\Control\Server Applications; Software\Microsoft\Windows NT\CurrentVersion | System\CurrentControlSet\Control\ProductOptions; System\CurrentControlSet\Control\Server Applications; Software\Microsoft\Windows NT\CurrentVersion |
| Network access: Shares that can be accessed anonymously | Not defined | Not Defined |
| Turn off the "Publish to Web" task for files and folders | Not configured | Not Configured |
| Shutdown: Allow system to be shut down without having to log on | Enabled | Disabled |
| System objects: Require case insensitivity for non-Windows subsystems | Enabled | Enabled |
| Network access: Sharing and security model for local accounts | Classic - local users authenticate as themselves | Classic - local users authenticate as themselves |
| Interactive logon: Do not require CTRL+ALT+DEL | Disabled | Disabled |
| Devices: Allowed to format and eject removable media | Administrators | Administrators |
| Turn off the Windows Messenger Customer Experience Improvement Program | Not configured | Not Configured |
| System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies | Disabled | Enabled |
| Turn off Search Companion content file updates | Not configured | Not Configured |
| Network access: Allow anonymous SID/Name translation | Disabled | Disabled |
| Network access: Remotely accessible registry paths and sub-paths | System\CurrentControlSet\Control\Print\Printers; System\CurrentControlSet\Services\Eventlog; Software\Microsoft\OLAP Server; Software\Microsoft\Windows NT\CurrentVersion\Print; Software\Microsoft\Windows NT\CurrentVersion\Windows; System\CurrentControlSet\Control\ContentIndex; System\CurrentControlSet\Control\Terminal Server; System\CurrentControlSet\Control\Terminal Server\UserConfig; System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration; Software\Microsoft\Windows NT\CurrentVersion\Perflib; System\CurrentControlSet\Services\SysmonLog | System\CurrentControlSet\Control\Print\Printers; System\CurrentControlSet\Services\Eventlog; Software\Microsoft\OLAP Server; Software\Microsoft\Windows NT\CurrentVersion\Print; Software\Microsoft\Windows NT\CurrentVersion\Windows; System\CurrentControlSet\Control\ContentIndex; System\CurrentControlSet\Control\Terminal Server; System\CurrentControlSet\Control\Terminal Server\UserConfig; System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration; Software\Microsoft\Windows NT\CurrentVersion\Perflib; System\CurrentControlSet\Services\SysmonLog |
| Recovery console: Allow automatic administrative logon | Disabled | Disabled |
| Turn off Autoplay | Not configured | Enabled |
| Turn off Windows Update device driver searching | Disabled | Not Configured |
| Network access: Restrict anonymous access to Named Pipes and Shares | Enabled | Enabled |
| Recovery console: Allow floppy copy and access to all drives and all folders | Disabled | Disabled |
| Network access: Named Pipes that can be accessed anonymously | None | Not Defined |
| Audit Policy: System: IPsec Driver | No auditing | Success and Failure |
| Audit Policy: System: Security System Extension | No auditing | Success and Failure |
| Audit Policy: Account Management: Security Group Management | Success | Success and Failure |
| Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | Not defined | Enabled |
| Audit Policy: Account Management: Other Account Management Events | No auditing | Success and Failure |
| Audit Policy: System: Security State Change | Success | Success and Failure |
| Audit Policy: Detailed Tracking: Process Creation | No auditing | Success |
| Audit Policy: System: Other System Events | Success and Failure | Success and Failure |
| Audit Policy: Logon-Logoff: Account Lockout | Success | Success |
| Audit Policy: Policy Change: Audit Policy Change | Success | Success and Failure |
| Audit: Audit the access of global system objects | Disabled | Not Defined |
| Audit Policy: Logon-Logoff: Special Logon | Success | Success |
| Audit Policy: Account Management: User Account Management | Success | Success and Failure |
| Audit Policy: Account Logon: Credential Validation | No auditing | Success and Failure |
| Audit Policy: Logon-Logoff: Logon | Success | Success and Failure |
| Audit Policy: Account Management: Computer Account Management | No auditing | Success |
| Audit Policy: Privilege Use: Sensitive Privilege Use | No auditing | Success and Failure |
| Audit Policy: Logon-Logoff: Logoff | Success | Success |
| Audit Policy: Policy Change: Authentication Policy Change | Success | Success |
| Audit: Audit the use of Backup and Restore privilege | Disabled | Not Defined |
| Audit Policy: System: System Integrity | Success and Failure | Success and Failure |
| Turn off toast notifications on the lock screen | None | Enabled |
| Microsoft network server: Amount of idle time required before suspending session | 15 minutes | 15 minute(s) |
| Interactive logon: Message text for users attempting to log on | Not defined | Not Defined |
| Interactive logon: Machine inactivity limit | Not defined | 900 seconds |
| Microsoft network server: Disconnect clients when logon hours expire | Enabled | Enabled |
| Interactive logon: Message title for users attempting to log on | Not defined | Not Defined |
| Network security: Force logoff when logon hours expire | Disabled | Enabled |
| Sign-in last interactive user automatically after a system-initiated restart | None | Disabled |
| Interactive logon: Display user information when the session is locked | Not defined | Not Defined |
| Interactive logon: Do not display last user name | Disabled | Enabled |
| Interactive logon: Machine account lockout threshold | Not defined | 10 invalid logon attempts |
| Allow Remote Shell Access | Not configured | Not Configured |
| Devices: Prevent users from installing printer drivers | Disabled | Enabled |
| Create global objects | Administrators, Service, Local Service, Network Service | Administrators, Service, Local Service, Network Service |
| Access this computer from the network | Everyone, Administrators, Users, Backup Operators | Administrators, Authenticated Users |
| Domain controller: Allow server operators to schedule tasks | Not defined | Not Defined |
| Modify an object label | None | No One |
| Generate security audits | Local Service, Network Service | Local Service, Network Service |
| Increase scheduling priority | Administrators | Administrators |
| Force shutdown from a remote system | Administrators | Administrators |
| Allow log on through Remote Desktop Services | Administrators, Remote Desktop Users | Administrators |
| Change the system time | Local Service, Administrators | Local Service, Administrators |
| Add workstations to domain | Not defined (Authenticated Users for domain controllers) | Not Defined |
| Create a pagefile | Administrators | Administrators |
| Profile single process | Administrators | Administrators |
| Deny log on as a batch job | No one | Guests |
| Act as part of the operating system | No one | No One |
| Change the time zone | Local Service, Administrators | Local Service, Administrators |
| Synchronize directory service data | Not defined | Not Defined |
| Lock pages in memory | No one | No One |
| Access Credential Manager as a trusted caller | No one | No One |
| Create a token object | No one | No One |
| Debug programs | Administrators | Administrators |
| Deny log on as a service | No one | Guests |
| Deny access to this computer from the network | Guests | Guests, NT AUTHORITY\Local account and member of Administrators group |
| Back up files and directories | Administrators, Backup Operators | Administrators |
| Shut down the system | Administrators, Backup Operators, Users | Administrators |
| Deny log on locally | Guests | Guests |
| Replace a process level token | Local Service, Network Service | Local Service, Network Service |
| Modify firmware environment values | Administrators | Administrators |
| Allow log on locally | Guest, Administrators, Users, Backup Operators | Administrators |
| Restore files and directories | Administrators, Backup Operators | Administrators |
| Profile system performance | Administrators, NT Service\WdiServiceHost | Administrators, NT Service\WdiServiceHost |
| Log on as a batch job | Administrators, Backup Operators | Not Defined |
| Perform volume maintenance tasks | Administrators | Administrators |
| Manage auditing and security log | Administrators | Administrators |
| Enable computer and user accounts to be trusted for delegation | No one | No One |
| Impersonate a client after authentication | Administrators, Service, Local Service, Network Service | Administrators, Service, Local Service, Network Service |
| Load and unload device drivers | Administrators | Administrators |
| Take ownership of files or other objects | Administrators | Administrators |
| Adjust memory quotas for a process | Local Service, Network Service, Administrators | Administrators, Local Service, Network Service |
| Log on as a service | No one | Not Defined |
| Create symbolic links | Administrators | Administrators |
| Create permanent shared objects | No one | No One |
| System cryptography: Force strong key protection for user keys stored on the computer | Disabled | Not Defined |
| Domain member: Require strong (Windows 2000 or later) session key | Disabled | Enabled |
| Windows Firewall: Domain: Allow unicast response | Yes | No |
| Windows Firewall: Domain: Apply local firewall rules | Yes | Yes (default) |
| Windows Firewall: Domain: Inbound connections | Block | Enabled |
| Windows Firewall: Private: Firewall state | On | On |
| Windows Firewall: Private: Apply local connection security rules | Yes | Yes (default) |
| Windows Firewall: Private: Allow unicast response | Yes | No |
| Windows Firewall: Public: Apply local firewall rules | Yes | Yes (default) |
| Windows Firewall: Public: Apply local connection security rules | Yes | Yes |
| Windows Firewall: Public: Firewall state | On | On |
| Windows Firewall: Private: Outbound connections | Allow | Allow (default) |
| Windows Firewall: Domain: Outbound connections | Allow | Allow (default) |
| Windows Firewall: Domain: Firewall state | On | On |
| Windows Firewall: Public: Allow unicast response | Yes | No |
| Windows Firewall: Public: Inbound connections | Block | Enabled |
| Windows Firewall: Domain: Apply local connection security rules | Yes | Yes (default) |
| Windows Firewall: Private: Display a notification | Yes | Yes (default) |
| Windows Firewall: Domain: Display a notification | Yes | Yes (default) |
| Windows Firewall: Public: Display a notification | Yes | Yes |
| Windows Firewall: Public: Outbound connections | Allow | Allow (default) |
| Windows Firewall: Private: Inbound connections | Block | Enabled |
| Windows Firewall: Private: Apply local firewall rules | Yes | Yes (default) |
| Default Protections for Internet Explorer | None | Enabled |
| Password protect the screen saver | Not Configured | Enabled |
| User Account Control: Admin Approval Mode for the Built-in Administrator account (Local Policy) | Disabled | Enabled |
| Default Protections for Software | None | Enabled |
| User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled | Enabled |
| Default Protections for Popular Software | None | Enabled |
| Apply UAC restrictions to local accounts on network logons | None | Enabled |
| User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent for non-Windows binaries | Prompt for consent on the secure desktop |
| User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | Disabled | Disabled |
| User Account Control: Virtualize file and registry write failures to per-user locations (Local Policy) | Enabled | Enabled |
| User Account Control: Switch to the secure desktop when prompting for elevation | Enabled | Enabled |
| User Account Control: Run all administrators in Admin Approval Mode | Enabled | Enabled |
| WDigest Authentication | None | Disabled |
| User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials | Automatically deny elevation requests |
| System ASLR | None | Enabled |
| System DEP | Enabled: Application Opt-Out | Enabled |
| System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled | Enabled |
| Enable screen saver | Not Configured | Enabled |
| Force specific screen saver | Not Configured | Enabled |
| Increase a process working set | Users | Not Defined |
| User Account Control: Detect application installations and prompt for elevation | Enabled | Enabled |
| System SEHOP | Enabled: Application Opt-Out | Enabled |
| Network Security: Configure encryption types allowed for Kerberos | Not defined | Not Defined |
| Set client connection encryption level | Not configured | Not Configured |
| Microsoft network client: Digitally sign communications (if server agrees) | Enabled | Enabled |
| Domain controller: LDAP server signing requirements | Not defined | Not Defined |
| Network security: LDAP client signing requirements | Negotiate signing | Negotiate signing |
| Microsoft network client: Digitally sign communications (always) | Disabled | Enabled |
| Microsoft network server: Digitally sign communications (always) | Disabled | Enabled |
| Domain member: Digitally sign secure channel data (when possible) | Enabled | Enabled |
| Domain member: Digitally encrypt or sign secure channel data (always) | Enabled | Enabled |
| Microsoft network server: Digitally sign communications (if client agrees) | Disabled | Enabled |
| Domain member: Digitally encrypt secure channel data (when possible) | Enabled | Enabled |
| Specify the maximum log file size (KB) | 20480 KB | Enabled |
|| Specify the maximum log file size (KB) | 20480 KB | Enabled |
| Specify the maximum log file size (KB) | 20480 KB | Enabled |
| Audit: Shut down system immediately if unable to log security audits | Disabled | Disabled |
| Accounts: Limit local account use of blank passwords to console logon only | Enabled | Enabled |
| Domain controller: Refuse machine account password changes | Not defined | Not Defined |
| Domain member: Disable machine account password changes | Disabled | Disabled |
| Domain member: Maximum machine account password age | 30 days | 30 day(s) |
| Network access: Do not allow storage of passwords and credentials for network authentication | Disabled | Not Defined |
| Interactive logon: Prompt user to change password before expiration | 14 days | 14 day(s) |
| Allow indexing of encrypted files | None | Disabled |
| Accounts: Rename administrator account | Administrator | Not Defined |
| Do not display network selection UI | None | Enabled |
| Allow Microsoft accounts to be optional | None | Enabled |
| Accounts: Administrator account status | Enabled | Not Defined |
| Accounts: Guest account status | Disabled | Disabled |
| Accounts: Rename guest account | Guest | Not Defined |
| Prevent enabling lock screen slide show | None | Enabled |
| Prevent enabling lock screen camera | None | Enabled |
| IRC Ports | Not Defined | Disabled |
| Outgoing Email Port 25 | Not Defined | Disabled |
| Advanced Audit Policy Configuration: Audit Directory Service Access | Success | Success and Failure |
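A baseline table is only useful if you can check a server against it. The following Python script is an added example, not part of this Cisco document and not Cisco or Microsoft tooling: it parses the INF file that `secedit /export` writes and reports each deviation from a subset of the rows above. The registry value names (LmCompatibilityLevel, NTLMMinClientSec, RequireSecuritySignature and so on), the SIDs and the user-right names are Microsoft's documented backing values for those policies; the mapping of table rows onto them, the subset chosen and the `SAMPLE_INF` text are this example's own and the sample is constructed, not taken from a real server.

```python
"""Audit a ``secedit /export`` INF against part of the Unified CCE baseline table.
Added example, not Cisco tooling.  On the server: ``secedit /export /cfg secpol.inf
/areas SECURITYPOLICY USER_RIGHTS`` (UTF-16 output), then run this script on that file.
"""
from __future__ import annotations

import sys

CCS = r"MACHINE\System\CurrentControlSet"
POLICY = r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"
# Registry-backed rows of the table, keyed the way secedit writes them.  Values are the
# compliant data; secedit's type prefix ("4," REG_DWORD, "1," REG_SZ) is stripped below.
BASELINE_REGISTRY = {
    CCS + r"\Control\Lsa\LmCompatibilityLevel": "5",             # NTLMv2 only, refuse LM & NTLM
    CCS + r"\Control\Lsa\MSV1_0\NTLMMinClientSec": "537395200",  # 0x20080000: NTLMv2 + 128-bit
    CCS + r"\Services\LanmanServer\Parameters\RequireSecuritySignature": "1",  # SMB sign always
    CCS + r"\Services\Netlogon\Parameters\RequireStrongKey": "1",  # strong (Windows 2000 or later) key
    r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount": "4",
    POLICY + r"\InactivityTimeoutSecs": "900",       # machine inactivity limit
    POLICY + r"\ConsentPromptBehaviorAdmin": "2",    # prompt for consent on the secure desktop
}
# Well-known SIDs as secedit writes them (leading '*').
ADMINS, AUTH_USERS, GUESTS = "*S-1-5-32-544", "*S-1-5-11", "*S-1-5-32-546"
LOCAL_ADMINS = "*S-1-5-114"  # NT AUTHORITY\Local account and member of Administrators group
# User rights that must match exactly; a right absent from the export is held by no one.
BASELINE_RIGHTS_EXACT = {
    "SeNetworkLogonRight": {ADMINS, AUTH_USERS},  # Access this computer from the network
    "SeRemoteInteractiveLogonRight": {ADMINS},    # Allow log on through Remote Desktop Services
    "SeDebugPrivilege": {ADMINS},                 # Debug programs
}
# Deny rights only have to contain the baseline principals.
BASELINE_RIGHTS_INCLUDE = {
    "SeDenyNetworkLogonRight": {GUESTS, LOCAL_ADMINS},  # Deny access to this computer from the network
    "SeDenyInteractiveLogonRight": {GUESTS},            # Deny log on locally
}
# Constructed sample export with deliberate deviations; not taken from a real server.
SAMPLE_INF = r"""
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDebugPrivilege = *S-1-5-32-544
SeDenyNetworkLogonRight = *S-1-5-32-546
SeDenyInteractiveLogonRight = *S-1-5-32-546
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,537395200
MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\RequireSecuritySignature=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs=4,900
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin=4,2
"""


def parse_inf(text: str) -> dict[str, dict[str, str]]:
    """Minimal parser for secedit's INI-style output: [sections], key=value, ';' comments."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections


def decode_registry_value(raw: str) -> str:
    """'4,5' -> '5' and '1,"4"' -> '4': drop the type code and unquote REG_SZ data."""
    return raw.partition(",")[2].strip().strip('"')


def principals(raw: str | None) -> set[str]:
    """'*S-1-5-32-544,*S-1-5-11' -> set of SIDs; an empty or absent value means no one."""
    return {p.strip() for p in raw.split(",") if p.strip()} if raw else set()


def fmt(sids: set[str]) -> str:
    return ",".join(sorted(sids)) or "No One"


def audit(inf_text: str) -> list[tuple[str, str, str]]:
    """Return (setting, expected, actual) for every deviation from the baseline."""
    sections = parse_inf(inf_text)
    registry = sections.get("Registry Values", {})
    rights = sections.get("Privilege Rights", {})
    findings = []
    for key, expected in BASELINE_REGISTRY.items():
        actual = decode_registry_value(registry[key]) if key in registry else "(not set)"
        if actual != expected:
            findings.append((key, expected, actual))
    for right, expected_set in BASELINE_RIGHTS_EXACT.items():
        actual_set = principals(rights.get(right))
        if actual_set != expected_set:
            findings.append((right, fmt(expected_set), fmt(actual_set)))
    for right, required in BASELINE_RIGHTS_INCLUDE.items():
        missing = required - principals(rights.get(right))
        if missing:
            findings.append((right, "must include " + fmt(required), "missing " + fmt(missing)))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_INF
    for setting, expected, actual in audit(text):
        print(f"NON-COMPLIANT {setting}: expected {expected}, actual {actual}")
```

Run against the constructed sample, the script reports six deviations: the LAN Manager authentication level (3 instead of 5), SMB server signing not required, the missing strong-session-key value, ten cached logons instead of four, Remote Desktop Users still allowed to log on through Remote Desktop Services, and the missing "Local account and member of Administrators group" entry in the network-logon deny right. The export does not carry the NetBIOS and SMBv1 state that the topic asks you to disable; check those separately (for SMBv1, the EnableSMB1Protocol value shown by Get-SmbServerConfiguration).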
Other Windows Hardening Considerations
The following table lists the IIS settings with their corresponding default and possible values.
| Setting Name | Default Value | Supported Values |
| --- | --- | --- |
| ASP.NET Application CustomError | RemoteOnly | On: The system displays custom errors to both remote systems and the local host. Off: The system displays ASP.NET errors to both remote systems and the local host. RemoteOnly: The system displays custom errors to the remote systems and ASP.NET errors to the local host. |
| HTTPOnlyCookie | Off | Off |
| AllowUnlisted | true | true |
| requestFiltering (file extensions blocked using false as the value for the allowed attribute) | .asax, .ascx, .master, .skin, .browser, .sitemap, .config, .cs, .csproj, .vb, .vbproj, .webinfo, .licx, .resx, .resources, .mdb, .vjsproj, .java, .jsl, .ldb, .dsdgm, .ssdgm, .lsad, .ssmap, .cd, .dsprototype, .lsaprototype, .sdm, .sdmDocument, .mdf, .ldf, .ad, .dd, .ldd, .sd, .adprototype, .lddprototype, .exclude, .refresh, .compiled, .msgx, .vsdisco, .rules | .asax, .ascx, .master, .skin, .browser, .sitemap, .config, .cs, .csproj, .vb, .vbproj, .webinfo, .licx, .resx, .resources, .mdb, .vjsproj, .java, .jsl, .ldb, .dsdgm, .ssdgm, .lsad, .ssmap, .cd, .dsprototype, .lsaprototype, .sdm, .sdmDocument, .mdf, .ldf, .ad, .dd, .ldd, .sd, .adprototype, .lddprototype, .exclude, .refresh, .compiled, .msgx, .vsdisco, .rules, .com, .doc, .docx, .docm, .jar, .hta, .vbs, .pdf, .sfx, .bat, .dll, .tmp, .py, .msi, .msp, .gadget, .cmd, .vbe, .jse, .ps1, .ps1xml, .ps2, .ps2xml, .psc1, .psc2, .lnk, .inf, .scf, .ws, .wsf, .scr, .pif |

Note: You can use any of the CustomError options without impacting system functionality.

Note: Certain extensions, such as .exe, .htm and .dll, cannot be filtered in IIS.
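The request-filtering row is a long list that is easy to apply incompletely. The following Python script is an added example, not part of this Cisco document and not Cisco or Microsoft tooling: it reads the `<requestFiltering>`, `<customErrors>` and `<httpCookies>` elements of one configuration file, lists which of the table's extensions are not yet blocked (or have been explicitly re-allowed), and emits the `<add>` entries needed to close the gap. It assumes the settings are declared in the file it is given and does not model inheritance from applicationHost.config; `SAMPLE_WEB_CONFIG` is constructed for the example.

```python
"""Check one web.config against the IIS request-filtering rows of the table above.

Added example, not Cisco tooling.  It inspects a single config file; settings
inherited from applicationHost.config are not modelled, so run it where the
<requestFiltering> section is actually declared.
"""
import xml.etree.ElementTree as ET

# Default IIS fileExtensions list (the table's Default Value column).
DEFAULT_BLOCKED = set("""
.asax .ascx .master .skin .browser .sitemap .config .cs .csproj .vb .vbproj .webinfo
.licx .resx .resources .mdb .vjsproj .java .jsl .ldb .dsdgm .ssdgm .lsad .ssmap .cd
.dsprototype .lsaprototype .sdm .sdmDocument .mdf .ldf .ad .dd .ldd .sd .adprototype
.lddprototype .exclude .refresh .compiled .msgx .vsdisco .rules
""".split())
# Extensions the table adds on top of the defaults.  The page's note says .exe, .htm
# and .dll cannot be filtered in IIS; .dll is nevertheless in its list, so it stays here.
ADDITIONAL_BLOCKED = set("""
.com .doc .docx .docm .jar .hta .vbs .pdf .sfx .bat .dll .tmp .py .msi .msp .gadget .cmd
.vbe .jse .ps1 .ps1xml .ps2 .ps2xml .psc1 .psc2 .lnk .inf .scf .ws .wsf .scr .pif
""".split())
BASELINE_BLOCKED = {e.lower() for e in DEFAULT_BLOCKED | ADDITIONAL_BLOCKED}
CUSTOM_ERROR_MODES = {"On", "Off", "RemoteOnly"}  # the table's supported values

# Constructed sample web.config: three baseline extensions blocked, one wrongly
# re-allowed, everything else left at the defaults.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" />
    <httpCookies httpOnlyCookies="true" />
  </system.web>
  <system.webServer>
    <security>
      <requestFiltering>
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".config" allowed="false" />
          <add fileExtension=".bat" allowed="false" />
          <add fileExtension=".ps1" allowed="false" />
          <add fileExtension=".vbs" allowed="true" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""


def audit_web_config(xml_text: str) -> dict:
    """Summarise request filtering, customErrors and httpOnlyCookies for one config file."""
    root = ET.fromstring(xml_text)
    ext = root.find("system.webServer/security/requestFiltering/fileExtensions")
    blocked, re_allowed = set(), set()
    allow_unlisted = True  # IIS default when the attribute is absent
    if ext is not None:
        allow_unlisted = ext.get("allowUnlisted", "true").lower() == "true"
        for add in ext.findall("add"):
            name = add.get("fileExtension", "").lower()
            (blocked if add.get("allowed", "true").lower() == "false" else re_allowed).add(name)
    errors = root.find("system.web/customErrors")
    cookies = root.find("system.web/httpCookies")
    mode = errors.get("mode", "RemoteOnly") if errors is not None else "RemoteOnly"  # ASP.NET default
    return {
        "allowUnlisted": allow_unlisted,
        "missing_blocked": sorted(BASELINE_BLOCKED - blocked),
        "explicitly_allowed": sorted(re_allowed & BASELINE_BLOCKED),
        "customErrors_mode": mode,
        "customErrors_valid": mode in CUSTOM_ERROR_MODES,
        "httpOnlyCookies": cookies.get("httpOnlyCookies") if cookies is not None else None,
    }


def render_blocked_entries(extensions) -> str:
    """Emit the <add> lines to paste into <fileExtensions> for extensions still missing."""
    return "\n".join(f'<add fileExtension="{e}" allowed="false" />' for e in sorted(extensions))


if __name__ == "__main__":
    report = audit_web_config(SAMPLE_WEB_CONFIG)
    print(f"allowUnlisted={report['allowUnlisted']}  customErrors={report['customErrors_mode']}")
    print(f"{len(report['missing_blocked'])} baseline extensions not blocked, "
          f"re-allowed: {report['explicitly_allowed']}")
    print(render_blocked_entries(report["missing_blocked"]))
```

On the sample, `.vbs` shows up both as missing and as explicitly re-allowed: an `<add ... allowed="true" />` entry for an extension the table blocks is the case worth catching, because it overrides a block inherited from a parent configuration. Extensions are compared case-insensitively, as IIS matches them.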