-
September 9th, 2002, 11:41 PM
#1
Hardening Win2k
Ok guys and gals, this is my first attempt at a tutorial. Most of this I have slapped together just through experience; however, the services came mostly from an external source (and are referenced). I have not touched on a few topics and have mentioned these in errata at the end of the article (and I do plan on touching on these in a later tut). This is a work in progress, so if you have suggestions or inputs or just disagree entirely, please pass them on so that we can all learn. Also note, the original document used tables, which don't translate well. The attached file is a zip containing a purely html file with a formatted version of this doc without some corrections that are contained here.
Hardening Windows 2000
By Nebulus, September 10, 2002
Introduction
This checklist is geared around hardening a machine outside of a firewall or any
other protective filtering device. There are many services and features that are
disabled in this configuration that a normal user may or may not want to do,
depending on their setup; however, I have tried to indicate these where applicable.
A very good example of something this setup does that a user may not want to do is
to entirely disable netbios. As with any normal tweaking of your system, it would
be wise to make backups before you proceed, it would be wise to only attempt a
few things at once and then verify that your system still functions normally, and it
would be wise to think about the explanations before proceeding. These changes
are largely my opinions that are a reflection of experience and patience playing
around with these settings and I therefore make no guarantees that your system will
function normally after making the changes. I also make no guarantees that
performing these system tweaks will make your system invulnerable to compromise,
only that it will make it significantly harder (after all, we are talking about windows
here...).
Patches, patches, patches, and more patches
At the time this article has been prepared, windows averages at least one new
vulnerability a week. Even a well configured box will still have problems if known
bugs and issues are not corrected, so with that in mind, remember,
http://windowsupdate.microsoft.com/ is your friend. Everything from the latest
security patches to service packs are available (assuming you don't mind M$
checking for you). It is essential that you stay on top of the latest available patches
and antivirus signatures.
* Install/Upgrade to IE6 **Note
* Apply Latest Service Pack (SP3)
* Check for latest hot fixes
* Check Windows Update often
* Install a personal firewall
* Install a modern AV package with heuristic scanning capability and
up-to-date signatures
**: At this time, IE6 is the latest Microsoft browser. Please keep in mind that there are several
things you can do to secure your web browser and make surfing the web a little less
dangerous; however, this is a topic not covered by this tutorial. Yes, I know there are other
browsers out there (Netscape and Opera come to mind), but IE is required by Microsoft sites (how
clever...)
Can't overflow services that aren't running...
The most common type of attack at the time of this writing right now revolves around
buffer overflows. The attack usually works by targeting a specific program on the
victim machine that doesn't do proper bounds checking on the variable inputs it
accepts (thus leading to an overflow of the buffer storing the variable). A buffer
overflow can either be run locally (think a logged on user trying to escalate privilege)
or remotely (think of a hacker trying to attack say telnet through the Internet). Before
a remote attacker can successfully break into a system, they must first find a service
that is vulnerable. While there is nothing the common user can really do to fight
poorly written code (think M$ and IIS), a remote attacker cannot take advantage of a
service if it is not running.
In that light, we are going to focus on disabling as many services as possible and still
have a functioning box. The list of services here is split into two categories, one of
which is for the hardened setup needed for a machine outside of a firewall, the other is
for what might be considered a normal use box. I am going to be very brief in the
descriptions here, mainly because blkviper has done such a good job with his page (see
references). I recommend only disabling one service at a time if you are not sure, so
that if something breaks you will know which service caused the problem. Also note that
your list of services may differ from what you see here somewhat, depending on what
software you have installed, what version of Windows 2000 you are running, what vendor
supplied your computer, and what service packs have been installed.
Control Panel -> Administrative Tools -> Services
<EDITORIAL NOTE> Please see attached file, the cut and paste butchered this... /nebulus
Local Security Policies
Remember, if you log onto a domain, all bets are off because domain policies have precedence.
Also, these recommendations are my personal opinions, your employer, ISP, university, or
whomever, may require different settings, please see your Terms and Conditions of Use Policy.
Please note that most of this stuff is self-explanatory and is not commented; however, there
are a few spots that may have an effect on your ability to use netbios, that unlike other
sections, I have not noted (be careful and thoughtful).
Control Panel -> Administrative Tools -> Local Security Policy ->
Account Policies -> Password Policies
* Enforce Password History (at least 3)
Prevents users from using same password when prompted to change
* Maximum Password Age (180 days)
Sets the number of days until a password must change
* Minimum Password Age (0 days)
Sets the number of days after changing a password that must pass before it can be
changed again
* Minimum Password Length (7)
* Passwords must meet complexity requirements (Enabled)
Has to do with your password complexity (mix of uppercase/lowercase/numeric/symbols)
* Store Password using reversible encryption for all users on domain (Disabled)
Not sure of the implications...
Account Lockout Policy
* Account Lockout Duration (30 min)
How long the account remains locked after x failed logon attempts
* Account Lockout Threshold (3)
Number of failed logon attempts before a user is locked out
* Reset Account Lockout... (at least 30 min)
Allows the account lock to reset after an elapsed time period
Local Policies -> Audit Policy
* Audit Account Logon Events (success, failure)
* Audit Account Management (success, failure)
* Audit Directory Service Access (failure)
* Audit Logon Events (failure)
* Audit Object Access (failure)
* Audit Policy Change (success, failure)
* Audit Privilege Use (failure)
* Audit Process Tracking (failure)
* Audit System Events (failure)
User Rights Assignment
* Access this computer from network (none)
* Act as part of the OS (none)
* Add workstations to domain (none)
* Backup files and directories (Admin)
* Bypass traverse checking??? (everyone)
* Change the system time (admin)
* Create a pagefile (admin)
* Create a token object (none)
* Create permanent shared objects (none)
* Debug Programs (admin)
* Deny access to this computer over network (guest, guests)
* Deny logon as batch job (none)
* Deny logon as service (none)
* Deny logon locally (guest, guests)
* Enable computer and user accounts...(none)
* Force shutdown from remote system (none)
* Generate Security Audits (none)
* Increase quotas (admin)
* Increase scheduling Priority (admin)
* Load and Unload Device Drivers (admin)
* Lock pages in memory (none)
* Logon as batch job (none)
* Logon as service (none)
* Logon locally (Administrators, users)
* Manage Auditing and Security Log (admin)
* Modify firmware environment values (admin)
* Profile Single Process (admin)
* Profile System Performance (admin)
* Remove computer from docking station (users,admin)
* Replace process level token (none)
* Restore files and directories (admin)
* Shutdown the system (admin)
* Synchronize directory service data (none)
* Take Ownership of other Objects (none)
Security Options
* Additional restrictions for anonymous (no access without explicit permission)
* Allow server operators to schedule tasks (disabled)
* Allow system to be shutdown without having to logon (disabled)
* Allowed to eject removable NTFS media (admin)
* Amount of idle time required before ... (15 min)
* Audit the access of global system objects (disabled)
* Audit use of Backup and Restore Privileges (enabled)
* Automatically log off users when logon time expires (enabled)
* Clear virtual memory pagefile when system...(disabled)
* Digitally sign client communication (always)...(disabled)
* Digitally sign client communication (when possible)...(enabled)
* Digitally sign server communication (always)...(disabled)
* Digitally sign server communication (when possible)...(enabled)
* Disable CTRL+ALT+DEL requirement for logon (disabled)
* Do not display last user name in logon (disabled)
* LAN Manager Authentication Level (Send LM & NTLM)
* Message Text for Users Attempting to Logon (A legal use message would be good here)
* Message title for Users Attempting to Logon (Logon Banner)
* Number of Previous Logons to cache (0)
* Prevent system maintenance of computer...(disabled)
* Prevent users from installing printer drivers (enabled)
* Prompt user to change password before ... (14 days)
* Recovery Console: Allow automatic adm...(disabled)
* Recovery Console: Allow floppy copy and...(disabled)
* Rename administrator account (new admin name)
* Rename guest account (new guest name)
* Restrict CD-ROM access to locally logged...(enabled)
* Restrict floppy access to locally logged...(enabled)
* Secure Channel: Digitally encrypt or sign...(disabled)
* Secure Channel: Digitally encrypt or secure...(enabled)
* Secure Channel: Digitally encrypt or secure channel...(enabled)
* Secure Channel: Require strong (windows ... (enabled)
* Smart card removal behaviour (no action)
* Strengthen default permissions of global...(enabled)
* Unsigned driver installation behaviour (not defined)
* Unsigned non-driver installation behaviour (not defined)
Miscellaneous Settings
Note: You must have Netbios on to use the baseline security analyzer...
* Use NTFS file system (TODO: File PERMS)
* Download and install MBSA from Microsoft (Microsoft Baseline Security Analyzer)
Network Settings
* Disable all protocols EXCEPT TCP/IP
* Disable Netbios over TCP/IP
* Uncheck Register this connection's address in DNS
* Enter DNS Suffix for connection (not if you are using dialup)
* Ensure IP Forwarding is off
References/Sources:
* BLK Viper Win2k Services Page
Provides a complete list of services, what the services are, what they do, and
whether or not it is safe to turn off (my list differs somewhat due to experience,
differences in setup, and programs we use)
Errata:
* Still need a section on File Permissions (I have been hesitant to mess
with this other than restricting down IIS directories)
* Still need a section on Internet Explorer Security (Many vulnerabilities
are possible through this)
* Still need to research registry hacks (have avoided so far)
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
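As an added example (not code from the original post), here is a Python script that reads a secedit-style INF export and reports every password, lockout and audit setting that falls short of the baseline in the tutorial above. The INF text is constructed inline; on a real Windows 2000 box it would come from `secedit /export /cfg policy.inf`, which writes UTF-16.

```python
import configparser
# Constructed secedit-style export (a real one is UTF-16: open with encoding="utf-16").
# Two values are deliberately below the baseline: history size and system-event auditing.
SAMPLE_INF = """\
[System Access]
PasswordHistorySize = 1
MaximumPasswordAge = 180
MinimumPasswordLength = 7
PasswordComplexity = 1
ClearTextPassword = 0
LockoutBadCount = 3
LockoutDuration = 30
ResetLockoutCount = 30
[Event Audit]
AuditAccountLogon = 3
AuditAccountManage = 3
AuditDSAccess = 2
AuditLogonEvents = 2
AuditObjectAccess = 2
AuditPolicyChange = 3
AuditPrivilegeUse = 2
AuditProcessTracking = 2
AuditSystemEvents = 0
"""
# Tutorial baseline for [System Access]: key -> (minimum, maximum), None = no bound.
PASSWORD_LOCKOUT = {
    "PasswordHistorySize": (3, None), "MaximumPasswordAge": (1, 180),  # -1 = never expires
    "MinimumPasswordLength": (7, None), "PasswordComplexity": (1, 1),
    "ClearTextPassword": (0, 0), "LockoutBadCount": (1, 3),  # 0 would disable lockout
    "LockoutDuration": (30, None), "ResetLockoutCount": (30, None),
}
# [Event Audit] values are bit masks: 1 = success, 2 = failure, 3 = both.
AUDIT_BITS = {
    "AuditAccountLogon": 3, "AuditAccountManage": 3, "AuditDSAccess": 2,
    "AuditLogonEvents": 2, "AuditObjectAccess": 2, "AuditPolicyChange": 3,
    "AuditPrivilegeUse": 2, "AuditProcessTracking": 2, "AuditSystemEvents": 2,
}

def audit(inf_text):
    """Return (section, key, actual, expected) for every setting below baseline."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep INF key names case-sensitive
    cp.read_string(inf_text)
    findings = []
    for key, (lo, hi) in PASSWORD_LOCKOUT.items():
        val = cp.getint("System Access", key, fallback=None)
        if val is None or val < lo or (hi is not None and val > hi):
            findings.append(("System Access", key, val, (lo, hi)))
    for key, need in AUDIT_BITS.items():
        val = cp.getint("Event Audit", key, fallback=0)
        if (val & need) != need:  # every required bit must be set
            findings.append(("Event Audit", key, val, need))
    return findings

if __name__ == "__main__":
    for section, key, actual, expected in audit(SAMPLE_INF):
        print(f"FAIL [{section}] {key} = {actual}, baseline {expected}")
```

Swap the two dictionaries for AJ's numbers from post #4 to audit against that stricter baseline instead.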
-
September 9th, 2002, 11:48 PM
#2
Fairly good tutorial. I personally use many different settings for the Local Policy Editor, but that's because I have to harden it based upon my network configuration, and most things are strictly regulated while some others had to be slackened to accommodate certain network features.
Just so you know, Microsoft released IE 6.0 SP1 today which patches up all of the previously discovered problems with Internet Explorer
Official Microsoft Internet Explorer 6.0 SP1 Site
http://www.microsoft.com/windows/ie...sp1/default.asp
AJ
-
September 9th, 2002, 11:57 PM
#3
If you don't mind sharing the differences in your settings, I would be really curious to know what you do different and why...(If you do mind, I would certainly understand)...
One of the things that I was torn between in putting this together was to try to strike a balance between securing a box and keeping it functional, and at the same time to keep the tasks easy to do. Of course whenever I finish it, some of it will be not as easy (registry edits), but the goal is to make it as simple and quick to do as possible, without running too much of a risk of breaking another person's computer...
Thanks for the info on the service pack, I will incorporate that into the document.
Nebulus
-
September 10th, 2002, 01:13 AM
#4
Here are some of the policies instituted (many are left as they were originally set, though I know there are more that are changed each time, I just don't remember what they are since I have a script which does it all for me so I never really have to worry about it anymore... I'll try to find the rest of the settings for you):
Account Policies -> Password Policies
(NOTE: Basically, I require that users change their password once a month and are not allowed to use the same password for the following year)
* Enforce Password History: 12 passwords remembered
* Maximum Password Age: 35 days
* Minimum Password Age: 7 days
* Minimum Password Length: 12 characters
* Passwords must meet complexity requirements: Enabled
Account Policies -> Account Lockout Policy
* Account Lockout Duration: 120 minutes
* Account Lockout Threshold: 2 invalid logon attempts
* Reset Account Lockout: 60 minutes
Local Policies -> Audit Policy
(NOTE: Most auditing is skipped due to the fact that I don't need it... I just need to know when someone or something logs on, when it logs off, and whether everything was successful).
* Audit Logon Events: Success, Failure
Local Policies -> Security Options
* Additional restrictions for anonymous connections: No access without explicit permission
* Amount of idle time required before disconnecting session: 10 minutes
* Automatically log off users when logon time expires: Enabled
* Disable CTRL+ALT+DEL requirement for logon: Disabled
* Do not display last user name in logon: Enabled
* Number of Previous Logons to cache: 0
* Prompt user to change password before expiration: 7 days
* Rename guest account: <domain guest name, withheld for security reasons>
AJ
-
August 16th, 2004, 01:03 AM
#5
Great tutorial. There's one single point I'd like to make:
The tutorial says:
* Store Password using reversible encryption for all users on domain (Disabled)
Not sure of the implications...
Well, this is a setting to disable whenever possible, since if enabled it'll store passwords in a way in which they can be decrypted (typical trade-off for keeping legacy systems, I believe it's related to NTLM authentication and NT systems).
-
August 16th, 2004, 01:34 AM
#6
Seckool, notice the flashing date of this tut? It says it was posted over 2 years ago. There usually isn't much of a reason to reply to posts this old.
[H]ard|OCP <--Best hardware/gaming news out there--|
pwned.nl <--Gamers will love this one --|
Light a man a fire and you'll keep him warm for a day, Light a man ON fire and you'll keep him warm the rest of his life.
-
August 16th, 2004, 01:42 AM
#7
Originally posted here by The Grunt
Seckool, notice the flashing date of this tut? It says it was posted over 2 years ago. There usually isn't much of a reason to reply to posts this old.
Sure there is. He tried to elaborate on something the original poster was unsure about.
If it simply just said: "Good tutorial!"... then there would be no need to post... but since he added something it is OK IMO. If I posted a tut and I was wrong/unsure... I'd like for someone to mention/elaborate on it no matter the date.
But... that's just my opinion... there have been so many "community changes" that I haven't kept up on... I might be wrong myself.
Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
-
August 16th, 2004, 01:54 AM
#8
I guess that makes sense... Whatever, I guess it doesn't really matter... Changes changes all the time.
I guess elaborating on the original poster's unsureities <-- is that a word?--| is an ok reason to start back up a 2 year old thread!