
Windows Security Hardening

• Unified CCE Security Hardening for Windows Server

Unified CCE Security Hardening for Windows Server

This topic contains the security baseline for hardening Windows Servers running Unified CCE.

This baseline is essentially a collection of Microsoft Group Policy settings, determined with the Microsoft Security Compliance Manager 4.0 tool. For each setting, the table below lists the Windows default value and the value required for compliance.

In addition to the GPO settings provided in the table, disable the following protocols:

• NetBIOS

• SMBv1

For more details about these configurations, see the Microsoft Windows Server documentation.

Note: The baseline includes only those settings whose severity qualifies as Critical or Important. Settings with Optional or None severity are not included in the baseline.
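As an added example (not from the Cisco guide), the following PowerShell disables SMBv1 and NetBIOS over TCP/IP on a server and then verifies the result. It assumes Windows Server 2012 R2 or later (for the SMB cmdlets and the FS-SMB1 feature) and an elevated session; the NetBT change needs a reboot before port 139 stops listening.

```powershell
# Added example, not part of the Cisco baseline. Run elevated.
# Assumes Windows Server 2012 R2+ (Set-SmbServerConfiguration, FS-SMB1 feature).

# --- SMBv1 ---
# Server side: stop the LanmanServer service from speaking SMB1.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# Remove the SMB1 feature so the mrxsmb10 client driver is gone as well.
$smb1 = Get-WindowsFeature -Name FS-SMB1
if ($smb1 -and $smb1.Installed) {
    Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null
}

# --- NetBIOS over TCP/IP ---
# Each IP-enabled adapter carries TcpipNetbiosOptions:
#   0 = use the DHCP-supplied setting, 1 = enable, 2 = disable.
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        $r = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                              -Arguments @{ TcpipNetbiosOptions = 2 }
        # ReturnValue 0 = success, 1 = success but a reboot is required.
        '{0}: SetTcpipNetbios -> {1}' -f $_.Description, $r.ReturnValue
    }

# Also pin the per-interface registry value, so a DHCP-driven reset of the
# adapter does not silently turn NetBT back on.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
    ForEach-Object { Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord }

# --- Verification ---
# Port139Listening stays $true until the reboot that unloads NetBT.
[pscustomobject]@{
    SMB1ServerEnabled    = (Get-SmbServerConfiguration).EnableSMB1Protocol
    SMB1FeatureInstalled = (Get-WindowsFeature -Name FS-SMB1).Installed
    AdaptersWithNetBIOS  = @(Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
                             Where-Object { $_.TcpipNetbiosOptions -ne 2 }).Count
    Port139Listening     = [bool](Get-NetTCPConnection -LocalPort 139 -State Listen -ErrorAction SilentlyContinue)
}
```

Unified CCE components that still rely on NetBIOS name resolution must be reachable by DNS before this is applied, so confirm name resolution of every peer server first.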

Setting Name | Default Value | Compliance
Network security: LAN Manager authentication level | Send NTLMv2 response only | Send NTLMv2 response only. Refuse LM & NTLM
Network Security: Restrict NTLM: Audit NTLM authentication in this domain | Not defined | Not Defined
Network Security: Restrict NTLM: Incoming NTLM traffic | Not defined | Not Defined
Interactive logon: Require smart card | Disabled | Not Defined


Network Security: Restrict NTLM: Add remote server exceptions for NTLM authentication | Not defined | Not Defined
Network security: Allow LocalSystem NULL session fallback | Not defined | Disabled
Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled | Disabled
Network security: Allow Local System to use computer identity for NTLM | Not defined | Enabled
Network security: Do not store LAN Manager hash value on next password change | Enabled | Enabled
Network Security: Allow PKU2U authentication requests to this computer to use online identities | Not defined | Not Defined
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | No minimum | Require NTLMv2 session security, Require 128-bit encryption
Microsoft network server: Server SPN target name validation level | Off | Not Defined
Interactive logon: Smart card removal behavior | No Action | Lock Workstation
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | No minimum | Require NTLMv2 session security, Require 128-bit encryption
Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 10 logons | 4 logon(s)


Network Security: Restrict NTLM: NTLM authentication in this domain | Not defined | Not Defined
Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers | Not defined | Not Defined
Network access: Let Everyone permissions apply to anonymous users | Disabled | Disabled
Network Security: Restrict NTLM: Add server exceptions in this domain | Not defined | Not Defined
Network Security: Restrict NTLM: Audit Incoming NTLM Traffic | Not defined | Not Defined
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Disabled | Enabled
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled | Enabled
Shutdown: Clear virtual memory pagefile | Disabled | Disabled
Network access: Remotely accessible registry paths | System\CurrentControlSet\Control\ProductOptions; System\CurrentControlSet\Control\Server Applications; Software\Microsoft\Windows NT\CurrentVersion | System\CurrentControlSet\Control\ProductOptions; System\CurrentControlSet\Control\Server Applications; Software\Microsoft\Windows NT\CurrentVersion
Network access: Shares that can be accessed anonymously | Not defined | Not Defined
Turn off the "Publish to Web" task for files and folders | Not configured | Not Configured
Shutdown: Allow system to be shut down without having to log on | Enabled | Disabled
System objects: Require case insensitivity for non-Windows subsystems | Enabled | Enabled


Network access: Sharing and security model for local accounts | Classic - local users authenticate as themselves | Classic - local users authenticate as themselves
Interactive logon: Do not require CTRL+ALT+DEL | Disabled | Disabled
Devices: Allowed to format and eject removable media | Administrators | Administrators
Turn off the Windows Messenger Customer Experience Improvement Program | Not configured | Not Configured
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies | Disabled | Enabled
Turn off Search Companion content file updates | Not configured | Not Configured
Network access: Allow anonymous SID/Name translation | Disabled | Disabled
Network access: Remotely accessible registry paths and sub-paths | System\CurrentControlSet\Control\Print\Printers; System\CurrentControlSet\Services\Eventlog; Software\Microsoft\OLAP Server; Software\Microsoft\Windows NT\CurrentVersion\Print; Software\Microsoft\Windows NT\CurrentVersion\Windows; System\CurrentControlSet\Control\ContentIndex; System\CurrentControlSet\Control\Terminal Server; System\CurrentControlSet\Control\Terminal Server\UserConfig; System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration; Software\Microsoft\Windows NT\CurrentVersion\Perflib; System\CurrentControlSet\Services\SysmonLog | System\CurrentControlSet\Control\Print\Printers; System\CurrentControlSet\Services\Eventlog; Software\Microsoft\OLAP Server; Software\Microsoft\Windows NT\CurrentVersion\Print; Software\Microsoft\Windows NT\CurrentVersion\Windows; System\CurrentControlSet\Control\ContentIndex; System\CurrentControlSet\Control\Terminal Server; System\CurrentControlSet\Control\Terminal Server\UserConfig; System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration; Software\Microsoft\Windows NT\CurrentVersion\Perflib; System\CurrentControlSet\Services\SysmonLog
Recovery console: Allow automatic administrative logon | Disabled | Disabled


Turn off Autoplay | Not configured | Enabled
Turn off Windows Update device driver searching | Disabled | Not Configured
Network access: Restrict anonymous access to Named Pipes and Shares | Enabled | Enabled
Recovery console: Allow floppy copy and access to all drives and all folders | Disabled | Disabled
Network access: Named Pipes that can be accessed anonymously | None | Not Defined
Audit Policy: System: IPsec Driver | No auditing | Success and Failure
Audit Policy: System: Security System Extension | No auditing | Success and Failure
Audit Policy: Account Management: Security Group Management | Success | Success and Failure
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | Not defined | Enabled
Audit Policy: Account Management: Other Account Management Events | No auditing | Success and Failure
Audit Policy: System: Security State Change | Success | Success and Failure
Audit Policy: Detailed Tracking: Process Creation | No auditing | Success
Audit Policy: System: Other System Events | Success and Failure | Success and Failure
Audit Policy: Logon-Logoff: Account Lockout | Success | Success
Audit Policy: Policy Change: Audit Policy Change | Success | Success and Failure


Audit: Audit the access of global system objects | Disabled | Not Defined
Audit Policy: Logon-Logoff: Special Logon | Success | Success
Audit Policy: Account Management: User Account Management | Success | Success and Failure
Audit Policy: Account Logon: Credential Validation | No auditing | Success and Failure
Audit Policy: Logon-Logoff: Logon | Success | Success and Failure
Audit Policy: Account Management: Computer Account Management | No auditing | Success
Audit Policy: Privilege Use: Sensitive Privilege Use | No auditing | Success and Failure
Audit Policy: Logon-Logoff: Logoff | Success | Success
Audit Policy: Policy Change: Authentication Policy Change | Success | Success
Audit: Audit the use of Backup and Restore privilege | Disabled | Not Defined
Audit Policy: System: System Integrity | Success and Failure | Success and Failure
Turn off toast notifications on the lock screen | None | Enabled
Microsoft network server: Amount of idle time required before suspending session | 15 minutes | 15 minute(s)
Interactive logon: Message text for users attempting to log on | Not defined | Not Defined
Interactive logon: Machine inactivity limit | Not defined | 900 seconds
Microsoft network server: Disconnect clients when logon hours expire | Enabled | Enabled


Interactive logon: Message title for users attempting to log on | Not defined | Not Defined
Network security: Force logoff when logon hours expire | Disabled | Enabled
Sign-in last interactive user automatically after a system-initiated restart | None | Disabled
Interactive logon: Display user information when the session is locked | Not defined | Not Defined
Interactive logon: Do not display last user name | Disabled | Enabled
Interactive logon: Machine account lockout threshold | Not defined | 10 invalid logon attempts
Allow Remote Shell Access | Not configured | Not Configured
Devices: Prevent users from installing printer drivers | Disabled | Enabled
Create global objects | Administrators, Service, Local Service, Network Service | Administrators, Service, Local Service, Network Service
Access this computer from the network | Everyone, Administrators, Users, Backup Operators | Administrators, Authenticated Users
Domain controller: Allow server operators to schedule tasks | Not defined | Not Defined
Modify an object label | None | No One
Generate security audits | Local Service, Network Service | Local Service, Network Service
Increase scheduling priority | Administrators | Administrators
Force shutdown from a remote system | Administrators | Administrators
Allow log on through Remote Desktop Services | Administrators, Remote Desktop Users | Administrators
Change the system time | Local Service, Administrators | Local Service, Administrators
Add workstations to domain | Not defined (Authenticated Users for domain controllers) | Not Defined


Create a pagefile | Administrators | Administrators
Profile single process | Administrators | Administrators
Deny log on as a batch job | No one | Guests
Act as part of the operating system | No one | No One
Change the time zone | Local Service, Administrators | Local Service, Administrators
Synchronize directory service data | Not defined | Not Defined
Lock pages in memory | No one | No One
Access Credential Manager as a trusted caller | No one | No One
Create a token object | No one | No One
Debug programs | Administrators | Administrators
Deny log on as a service | No one | Guests
Deny access to this computer from the network | Guests | Guests, NT AUTHORITY\Local account and member of Administrators group
Back up files and directories | Administrators, Backup Operators | Administrators
Shut down the system | Administrators, Backup Operators, Users | Administrators
Deny log on locally | Guests | Guests
Replace a process level token | Local Service, Network Service | Local Service, Network Service
Modify firmware environment values | Administrators | Administrators
Allow log on locally | Guest, Administrators, Users, Backup Operators | Administrators
Restore files and directories | Administrators, Backup Operators | Administrators
Profile system performance | Administrators, NT Service\WdiServiceHost | Administrators, NT Service\WdiServiceHost
Log on as a batch job | Administrators, Backup Operators | Not Defined
Perform volume maintenance tasks | Administrators | Administrators


Manage auditing and security log | Administrators | Administrators
Enable computer and user accounts to be trusted for delegation | No one | No One
Impersonate a client after authentication | Administrators, Service, Local Service, Network Service | Administrators, Service, Local Service, Network Service
Load and unload device drivers | Administrators | Administrators
Take ownership of files or other objects | Administrators | Administrators
Adjust memory quotas for a process | Local Service, Network Service, Administrators | Administrators, Local Service, Network Service
Log on as a service | No one | Not Defined
Create symbolic links | Administrators | Administrators
Create permanent shared objects | No one | No One
System cryptography: Force strong key protection for user keys stored on the computer | Disabled | Not Defined
Domain member: Require strong (Windows 2000 or later) session key | Disabled | Enabled
Windows Firewall: Domain: Allow unicast response | Yes | No
Windows Firewall: Domain: Apply local firewall rules | Yes | Yes (default)
Windows Firewall: Domain: Inbound connections | Block | Enabled
Windows Firewall: Private: Firewall state | On | On
Windows Firewall: Private: Apply local connection security rules | Yes | Yes (default)
Windows Firewall: Private: Allow unicast response | Yes | No


Windows Firewall: Public: Apply local firewall rules | Yes | Yes (default)
Windows Firewall: Public: Apply local connection security rules | Yes | Yes
Windows Firewall: Public: Firewall state | On | On
Windows Firewall: Private: Outbound connections | Allow | Allow (default)
Windows Firewall: Domain: Outbound connections | Allow | Allow (default)
Windows Firewall: Domain: Firewall state | On | On
Windows Firewall: Public: Allow unicast response | Yes | No
Windows Firewall: Public: Inbound connections | Block | Enabled
Windows Firewall: Domain: Apply local connection security rules | Yes | Yes (default)
Windows Firewall: Private: Display a notification | Yes | Yes (default)
Windows Firewall: Domain: Display a notification | Yes | Yes (default)
Windows Firewall: Public: Display a notification | Yes | Yes
Windows Firewall: Public: Outbound connections | Allow | Allow (default)
Windows Firewall: Private: Inbound connections | Block | Enabled
Windows Firewall: Private: Apply local firewall rules | Yes | Yes (default)
Default Protections for Internet Explorer | None | Enabled
Password protect the screen saver | Not Configured | Enabled


User Account Control: Admin Approval Mode for the Built-in Administrator account (Local Policy) | Disabled | Enabled
Default Protections for Software | None | Enabled
User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled | Enabled
Default Protections for Popular Software | None | Enabled
Apply UAC restrictions to local accounts on network logons | None | Enabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent for non-Windows binaries | Prompt for consent on the secure desktop
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | Disabled | Disabled
User Account Control: Virtualize file and registry write failures to per-user locations (Local Policy) | Enabled | Enabled
User Account Control: Switch to the secure desktop when prompting for elevation | Enabled | Enabled
User Account Control: Run all administrators in Admin Approval Mode | Enabled | Enabled
WDigest Authentication | None | Disabled


User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials | Automatically deny elevation requests
System ASLR | None | Enabled
System DEP | Enabled: Application Opt-Out | Enabled
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled | Enabled
Enable screen saver | Not Configured | Enabled
Force specific screen saver | Not Configured | Enabled
Increase a process working set | Users | Not Defined
User Account Control: Detect application installations and prompt for elevation | Enabled | Enabled
System SEHOP | Enabled: Application Opt-Out | Enabled
Network Security: Configure encryption types allowed for Kerberos | Not defined | Not Defined
Set client connection encryption level | Not configured | Not Configured
Microsoft network client: Digitally sign communications (if server agrees) | Enabled | Enabled
Domain controller: LDAP server signing requirements | Not defined | Not Defined
Network security: LDAP client signing requirements | Negotiate signing | Negotiate signing
Microsoft network client: Digitally sign communications (always) | Disabled | Enabled
Microsoft network server: Digitally sign communications (always) | Disabled | Enabled


Domain member: Digitally sign secure channel data (when possible) | Enabled | Enabled
Domain member: Digitally encrypt or sign secure channel data (always) | Enabled | Enabled
Microsoft network server: Digitally sign communications (if client agrees) | Disabled | Enabled
Domain member: Digitally encrypt secure channel data (when possible) | Enabled | Enabled
Specify the maximum log file size (KB) | 20480 KB | Enabled
Specify the maximum log file size (KB) | 20480 KB | Enabled
Specify the maximum log file size (KB) | 20480 KB | Enabled
Audit: Shut down system immediately if unable to log security audits | Disabled | Disabled
Accounts: Limit local account use of blank passwords to console logon only | Enabled | Enabled
Domain controller: Refuse machine account password changes | Not defined | Not Defined
Domain member: Disable machine account password changes | Disabled | Disabled
Domain member: Maximum machine account password age | 30 days | 30 day(s)
Network access: Do not allow storage of passwords and credentials for network authentication | Disabled | Not Defined


Interactive logon: Prompt user to change password before expiration | 14 days | 14 day(s)
Allow indexing of encrypted files | None | Disabled
Accounts: Rename administrator account | Administrator | Not Defined
Do not display network selection UI | None | Enabled
Allow Microsoft accounts to be optional | None | Enabled
Accounts: Administrator account status | Enabled | Not Defined
Accounts: Guest account status | Disabled | Disabled
Accounts: Rename guest account | Guest | Not Defined
Prevent enabling lock screen slide show | None | Enabled
Prevent enabling lock screen camera | None | Enabled
IRC Ports | Not Defined | Disabled
Outgoing Email Port 25 | Not Defined | Disabled
Advanced Audit Policy Configuration: Audit Directory Service Access | Success | Success and Failure
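The following PowerShell script is added here as an example and is not part of the Cisco guide. It compares a server's effective configuration with those rows of the baseline above that map to a well-known registry value or audit subcategory. The registry locations are the standard ones behind each Group Policy setting; the choice of rows, the short labels, and the treatment of absent values are mine. It only reads, reports mismatches, and assumes an elevated session on an English-locale system (auditpol subcategory names are localized).

```powershell
# Added example, not part of the Cisco baseline. Read-only; run elevated.
$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$pol  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$wks  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$srv  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$nlog = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Baseline row -> registry value and the compliance value. AbsentMeans gives the
# effective value when the value is missing (only where that default is known).
$registryChecks = @(
    @{ Name='LAN Manager authentication level (NTLMv2 only, refuse LM & NTLM)'; Path=$lsa; Value='LmCompatibilityLevel'; Expected=5 }
    @{ Name='Do not store LAN Manager hash on next password change'; Path=$lsa; Value='NoLMHash'; Expected=1 }
    @{ Name='Min session security, NTLM SSP servers (NTLMv2 + 128-bit)'; Path="$lsa\MSV1_0"; Value='NTLMMinServerSec'; Expected=0x20080000 }
    @{ Name='Min session security, NTLM SSP clients (NTLMv2 + 128-bit)'; Path="$lsa\MSV1_0"; Value='NTLMMinClientSec'; Expected=0x20080000 }
    @{ Name='Do not allow anonymous enumeration of SAM accounts'; Path=$lsa; Value='RestrictAnonymousSAM'; Expected=1 }
    @{ Name='Do not allow anonymous enumeration of SAM accounts and shares'; Path=$lsa; Value='RestrictAnonymous'; Expected=1 }
    @{ Name='Let Everyone permissions apply to anonymous users (Disabled)'; Path=$lsa; Value='EveryoneIncludesAnonymous'; Expected=0 }
    @{ Name='Limit local account use of blank passwords to console logon'; Path=$lsa; Value='LimitBlankPasswordUse'; Expected=1 }
    @{ Name='Force audit policy subcategory settings to override'; Path=$lsa; Value='SCENoApplyLegacyAuditPolicy'; Expected=1 }
    @{ Name='SMB client: digitally sign communications (always)'; Path=$wks; Value='RequireSecuritySignature'; Expected=1 }
    @{ Name='SMB client: send unencrypted password to 3rd-party SMB (Disabled)'; Path=$wks; Value='EnablePlainTextPassword'; Expected=0 }
    @{ Name='SMB server: digitally sign communications (always)'; Path=$srv; Value='RequireSecuritySignature'; Expected=1 }
    @{ Name='Domain member: require strong session key'; Path=$nlog; Value='RequireStrongKey'; Expected=1 }
    @{ Name='Domain member: encrypt or sign secure channel (always)'; Path=$nlog; Value='RequireSignOrSeal'; Expected=1 }
    @{ Name='UAC: Admin Approval Mode for built-in Administrator'; Path=$pol; Value='FilterAdministratorToken'; Expected=1 }
    @{ Name='UAC: run all administrators in Admin Approval Mode'; Path=$pol; Value='EnableLUA'; Expected=1 }
    @{ Name='UAC: admin elevation prompt = consent on secure desktop'; Path=$pol; Value='ConsentPromptBehaviorAdmin'; Expected=2 }
    @{ Name='UAC: standard user elevation prompt = auto deny'; Path=$pol; Value='ConsentPromptBehaviorUser'; Expected=0 }
    @{ Name='Apply UAC restrictions to local accounts on network logons'; Path=$pol; Value='LocalAccountTokenFilterPolicy'; Expected=0; AbsentMeans=0 }
    @{ Name='Interactive logon: do not display last user name'; Path=$pol; Value='DontDisplayLastUserName'; Expected=1 }
    @{ Name='Interactive logon: machine inactivity limit (900 s)'; Path=$pol; Value='InactivityTimeoutSecs'; Expected=900 }
    @{ Name='Shutdown without logon (Disabled)'; Path=$pol; Value='ShutdownWithoutLogon'; Expected=0 }
    @{ Name='WDigest authentication (Disabled)'; Path='HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'; Value='UseLogonCredential'; Expected=0; AbsentMeans=0 }  # absent = off on 2012 R2+ only
    @{ Name='Cached logons (4)'; Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Value='CachedLogonsCount'; Expected='4' }
)

# Audit subcategories the baseline raises above the default. auditpol /r emits CSV.
$auditChecks = @(
    @{ Subcategory='Credential Validation';           Expected='Success and Failure' }
    @{ Subcategory='Security Group Management';       Expected='Success and Failure' }
    @{ Subcategory='User Account Management';         Expected='Success and Failure' }
    @{ Subcategory='Computer Account Management';     Expected='Success' }
    @{ Subcategory='Other Account Management Events'; Expected='Success and Failure' }
    @{ Subcategory='Process Creation';                Expected='Success' }
    @{ Subcategory='Logon';                           Expected='Success and Failure' }
    @{ Subcategory='Logoff';                          Expected='Success' }
    @{ Subcategory='Account Lockout';                 Expected='Success' }
    @{ Subcategory='Special Logon';                   Expected='Success' }
    @{ Subcategory='Sensitive Privilege Use';         Expected='Success and Failure' }
    @{ Subcategory='Audit Policy Change';             Expected='Success and Failure' }
    @{ Subcategory='Authentication Policy Change';    Expected='Success' }
    @{ Subcategory='Security State Change';           Expected='Success and Failure' }
    @{ Subcategory='Security System Extension';       Expected='Success and Failure' }
    @{ Subcategory='System Integrity';                Expected='Success and Failure' }
    @{ Subcategory='IPsec Driver';                    Expected='Success and Failure' }
    @{ Subcategory='Other System Events';             Expected='Success and Failure' }
)

function Test-BaselineRow {
    param($Name, $Actual, $Expected)
    [pscustomobject]@{
        Setting   = $Name
        Expected  = $Expected
        Actual    = $(if ($null -eq $Actual) { '(absent)' } else { $Actual })
        Compliant = ($null -ne $Actual) -and ("$Actual" -eq "$Expected")
    }
}

$results = @(
    foreach ($c in $registryChecks) {
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        if ($null -eq $actual -and $c.ContainsKey('AbsentMeans')) { $actual = $c.AbsentMeans }
        Test-BaselineRow -Name $c.Name -Actual $actual -Expected $c.Expected
    }
    foreach ($a in $auditChecks) {
        $row = (auditpol /get "/subcategory:$($a.Subcategory)" /r | Where-Object { $_ -match '\S' }) | ConvertFrom-Csv
        Test-BaselineRow -Name "Audit: $($a.Subcategory)" -Actual $row.'Inclusion Setting' -Expected $a.Expected
    }
)

$results | Sort-Object Compliant | Format-Table -AutoSize
'{0} of {1} checked rows compliant' -f @($results | Where-Object Compliant).Count, $results.Count
```

Rows that are "Not Defined" in the Compliance column are deliberately not checked, and the user-rights assignments (Deny log on locally, Allow log on through Remote Desktop Services, and so on) live in the local security database rather than the registry; export those with secedit /export /cfg <file> and compare the [Privilege Rights] section by hand.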

Other Windows Hardening Considerations

The following table lists the IIS settings with their corresponding default and possible values.


Setting Name: ASP.NET Application CustomError
Default Value: RemoteOnly
Supported Values:
• On: The system displays custom errors to both remote systems and the local host.
• Off: The system displays ASP.NET errors to both remote systems and the local host.
• RemoteOnly: The system displays custom errors to remote systems and ASP.NET errors to the local host.
Note: You can use any of these options without impacting system functionality.

Setting Name: HTTPOnlyCookie
Default Value: Off
Supported Values: Off

Setting Name: AllowUnlisted
Default Value: true
Supported Values: true

Setting Name: requestFiltering (file extensions blocked by setting the allowed attribute to false)
Default Value: .asax, .ascx, .master, .skin, .browser, .sitemap, .config, .cs, .csproj, .vb, .vbproj, .webinfo, .licx, .resx, .resources, .mdb, .vjsproj, .java, .jsl, .ldb, .dsdgm, .ssdgm, .lsad, .ssmap, .cd, .dsprototype, .lsaprototype, .sdm, .sdmDocument, .mdf, .ldf, .ad, .dd, .ldd, .sd, .adprototype, .lddprototype, .exclude, .refresh, .compiled, .msgx, .vsdisco, .rules
Supported Values: .asax, .ascx, .master, .skin, .browser, .sitemap, .config, .cs, .csproj, .vb, .vbproj, .webinfo, .licx, .resx, .resources, .mdb, .vjsproj, .java, .jsl, .ldb, .dsdgm, .ssdgm, .lsad, .ssmap, .cd, .dsprototype, .lsaprototype, .sdm, .sdmDocument, .mdf, .ldf, .ad, .dd, .ldd, .sd, .adprototype, .lddprototype, .exclude, .refresh, .compiled, .msgx, .vsdisco, .rules, .com, .doc, .docx, .docm, .jar, .hta, .vbs, .pdf, .sfx, .bat, .dll, .tmp, .py, .msi, .msp, .gadget, .cmd, .vbe, .jse, .ps1, .ps1xml, .ps2, .ps2xml, .psc1, .psc2, .lnk, .inf, .scf, .ws, .wsf, .scr, .pif
Note: Certain extensions, such as .exe, .htm and .dll, cannot be filtered in IIS.
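As an added example (not from the Cisco guide), the following PowerShell applies the IIS rows above to one site with the WebAdministration module: it sets the customErrors mode, keeps allowUnlisted at true, and adds the extensions the table blocks beyond the ASP.NET defaults as denied fileExtensions entries. The site name is an assumption; substitute the site that hosts the Unified CCE web components. The .asax/.ascx/... group is already denied in the machine-level IIS configuration (it is the table's Default Value) and is therefore not repeated.

```powershell
# Added example, not part of the Cisco baseline. Run elevated on the IIS host.
Import-Module WebAdministration
$site = 'IIS:\Sites\Default Web Site'   # assumption: use the real site name
$rf   = 'system.webServer/security/requestFiltering/fileExtensions'

# customErrors: On, Off and RemoteOnly are all supported; RemoteOnly keeps ASP.NET
# stack traces away from remote clients while still showing them on the host.
Set-WebConfigurationProperty -PSPath $site -Filter 'system.web/customErrors' -Name mode -Value 'RemoteOnly'

# allowUnlisted=true means the list below is a deny list: anything not listed is served.
Set-WebConfigurationProperty -PSPath $site -Filter $rf -Name allowUnlisted -Value $true

# Extensions the table blocks beyond the IIS/ASP.NET defaults. The guide notes that
# some extensions (.exe, .htm, .dll) cannot be filtered in this deployment; .dll is
# kept because the table lists it, so drop it if a component stops working.
$deny = '.com','.doc','.docx','.docm','.jar','.hta','.vbs','.pdf','.sfx',
        '.bat','.dll','.tmp','.py','.msi','.msp','.gadget','.cmd','.vbe',
        '.jse','.ps1','.ps1xml','.ps2','.ps2xml','.psc1','.psc2','.lnk',
        '.inf','.scf','.ws','.wsf','.scr','.pif'

$current = (Get-WebConfigurationProperty -PSPath $site -Filter $rf -Name Collection).fileExtension
foreach ($ext in $deny) {
    if ($current -contains $ext) {
        # Already listed: make sure it is denied rather than explicitly allowed.
        Set-WebConfigurationProperty -PSPath $site -Filter "$rf/add[@fileExtension='$ext']" -Name allowed -Value $false
    } else {
        Add-WebConfigurationProperty -PSPath $site -Filter $rf -Name '.' -Value @{ fileExtension = $ext; allowed = $false }
    }
}

# Verify: list the extensions now denied for the site and warn about any still missing.
$denied = (Get-WebConfigurationProperty -PSPath $site -Filter $rf -Name Collection) |
          Where-Object { -not $_.allowed } | Select-Object -ExpandProperty fileExtension
$deny | Where-Object { $denied -notcontains $_ } | ForEach-Object { Write-Warning "still not denied: $_" }
"Denied extensions on ${site}: $(@($denied).Count)"
```

A request for a denied extension is answered with HTTP 404.7 by the request-filtering module, so test each blocked extension against the site after applying the list and confirm that no Unified CCE page depends on one of them.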
