Hardening Win2k
  1. #1
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356

    Hardening Win2k

    Ok guys and gals, this is my first attempt at a tutorial. Most of this I have slapped together just through experience; however, the services came mostly from an external source (and are referenced). I have not touched on a few topics and have mentioned these in errata at the end of the article (and I do plan on touching on these in a later tut). This is a work in progress, so if you have suggestions or inputs or just disagree entirely, please pass them on so that we can all learn. Also note, the original document used tables, which don't translate well. The attached file is a zip containing a purely html file with a formatted version of this doc without some corrections that are contained here.


    Hardening Windows 2000
    By Nebulus, September 10, 2002


    Introduction

    This checklist is geared around hardening a machine outside of a firewall or any
    other protective filtering device. There are many services and features that are
    disabled in this configuration that a normal user may or may not want to do,
    depending on their setup; however, I have tried to indicate these where applicable.
    A very good example of something this setup does that a user may not want to do is
    to entirely disable netbios. As with any normal tweaking of your system, it would
    be wise to make backups before you proceed, it would be wise to only attempt a
    few things at once and then verify that your system still functions normally, and it
    would be wise to think about the explanations before proceeding. These changes
    are largely my opinions that are a reflection of experience and patience playing
    around with these settings and I therefore make no guarantees that your system will
    function normally after making the changes. I also make no guarantees that
    performing these system tweaks will make your system invulnerable to compromise,
    only that it will make it significantly harder (after all, we are talking about windows
    here...).

    Patches, patches, patches, and more patches


    At the time this article was prepared, windows averages at least one new
    vulnerability a week. Even a well configured box will still have problems if known
    bugs and issues are not corrected, so with that in mind, remember,
    http://windowsupdate.microsoft.com/ is your friend. Everything from the latest
    security patches to service packs are available (assuming you don't mind M$
    checking for you). It is essential that you stay on top of the latest available patches
    and antivirus signatures.

    * Install/Upgrade to IE6 **Note
    * Apply Latest Service Pack (SP3)
    * Check for latest hot fixes
    * Check Windows Update often
    * Install a personal firewall
    * Install a modern AV package with heuristic scanning capability and up-to-date signatures

    **: At this time, IE6 is the latest Microsoft browser. Please keep in mind that there are several
    things you can do to secure your web browser and make surfing the web a little less
    dangerous; however, this is a topic not covered by this tutorial. Yes, I know there are other
    browsers out there (Netscape and Opera come to mind), but IE is required by Microsoft sites (how
    clever...)

    Can't overflow services that aren't running...


    The most common type of attack at the time of this writing right now revolves around
    buffer overflows. The attack usually works by targeting a specific program on the
    victim machine that doesn't do proper bounds checking on the variable inputs it
    accepts (thus leading to an overflow of the buffer storing the variable). A buffer
    overflow can either be run locally (think a logged on user trying to escalate privilege)
    or remotely (think of a hacker trying to attack say telnet through the Internet). Before
    a remote attacker can successfully break into a system, they must first find a service
    that is vulnerable. While there is nothing the common user can really do to fight
    poorly written code (think M$ and IIS), a remote attacker cannot take advantage of a
    service if it is not running.

    In that light, we are going to focus on disabling as many services as possible and still
    have a functioning box. The list of services here are split into two categories, one of
    which is for the hardened setup needed for a machine outside of a firewall, the other is
    for what might be considered a normal use box. I am going to be very brief in the
    descriptions here, mainly because blkviper has done such a good job with his page (see
    references). I recommend only disabling one service at a time if you are not sure, so
    that if something breaks you will know which service caused the problem. Also note that
    your list of services may differ from what you see here somewhat, depending on what
    software you have installed, what version of Windows 2000 you are running, what vendor
    supplied your computer, and what service packs have been installed.


    Control Panel -> Administrative Tools -> Services

    <EDITORIAL NOTE> Please see attached file, the cut and paste butchered this... /nebulus


    Local Security Policies

    Remember, if you log onto a domain, all bets are off because domain policies have precedence.
    Also, these recommendations are my personal opinions, your employer, ISP, university, or
    whomever, may require different settings, please see your Terms and Conditions of Use Policy.
    Please note that most of this stuff is self-explanatory and is not commented; however, there
    are a few spots that may have an effect on your ability to use netbios, that unlike other
    sections, I have not noted (be careful and thoughtful).

    Control Panel -> Administrative Tools -> Local Security Policy ->

    Account Policies -> Password Policies

    * Enforce Password History (at least 3)
    Prevents users from using same password when prompted to change
    * Maximum Password Age (180 days)
    Sets the number of days until a password must change
    * Minimum Password Age (0 days)
    Sets the number of days after changing a password that must pass before it can be
    changed again
    * Minimum Password Length (7)
    * Passwords must meet complexity requirements (Enabled)
    Has to do with your password complexity (mix of uppercase/lowercase/numeric/symbols)
    * Store Password using reversible encryption for all users on domain (Disabled)
    Not sure of the implications...

    Account Lockout Policy

    * Account Lockout Duration (30 min)
    How long the account remains locked after x failed logon attempts
    * Account Lockout Threshold (3)
    Number of failed logon attempts before a user is locked out
    * Reset Account Lockout... (at least 30 min)
    Allows the account lock to reset after an elapsed time period

    Local Policies -> Audit Policy


    * Audit Account Logon Events (success, failure)
    * Audit Account Management (success, failure)
    * Audit Directory Service Access (failure)
    * Audit Logon Events (failure)
    * Audit Object Access (failure)
    * Audit Policy Change (success, failure)
    * Audit Privilege Use (failure)
    * Audit Process Tracking (failure)
    * Audit System Events (failure)

    User Rights Assignment

    * Access this computer from network (none)
    * Act as part of the OS (none)
    * Add workstations to domain (none)
    * Backup files and directories (Admin)
    * Bypass traverse checking??? (everyone)
    * Change the system time (admin)
    * Create a pagefile (admin)
    * Create a token object (none)
    * Create permanent shared objects (none)
    * Debug Programs (admin)
    * Deny access to this computer over network (guest, guests)
    * Deny logon as batch job (none)
    * Deny logon as service (none)
    * Deny logon locally (guest, guests)
    * Enable computer and user accounts...(none)
    * Force shutdown from remote system (none)
    * Generate Security Audits (none)
    * Increase quotas (admin)
    * Increase scheduling Priority (admin)
    * Load and Unload Device Drivers (admin)
    * Lock pages in memory (none)
    * Logon as batch job (none)
    * Logon as service (none)
    * Logon locally (Administrators, users)
    * Manage Auditing and Security Log (admin)
    * Modify firmware environment values (admin)
    * Profile Single Process (admin)
    * Profile System Performance (admin)
    * Remove computer from docking station (users,admin)
    * Replace process level token (none)
    * Restore files and directories (admin)
    * Shutdown the system (admin)
    * Synchronize directory service data (none)
    * Take Ownership of other Objects (none)

    Security Options

    * Additional restrictions for anonymous (no access without explicit permission)
    * Allow server operators to schedule tasks (disabled)
    * Allow system to be shutdown without having to logon (disabled)
    * Allowed to eject removable NTFS media (admin)
    * Amount of idle time required before ... (15 min)
    * Audit the access of global system objects (disabled)
    * Audit use of Backup and Restore Privileges (enabled)
    * Automatically log off users when logon time expires (enabled)
    * Clear virtual memory pagefile when system...(disabled)
    * Digitally sign client communication (always)...(disabled)
    * Digitally sign client communication (when possible)...(enabled)
    * Digitally sign server communication (always)...(disabled)
    * Digitally sign server communication (when possible)...(enabled)
    * Disable CTRL+ALT+DEL requirement for logon (disabled)
    * Do not display last user name in logon (disabled)
    * LAN Manager Authentication Level (Send LM &NTLM)
    * Message Text for Users Attempting to Logon ( A legal use message would be good here)
    * Message title for Users Attempting to Logon (Logon Banner)
    * Number of Previous Logons to cache (0)
    * Prevent system maintenance of computer...(disabled)
    * Prevent users from installing printer drivers (enabled)
    * Prompt user to change password before ... (14 days)
    * Recovery Console: Allow automatic adm...(disabled)
    * Recovery Console: Allow floppy copy and...(disabled)
    * Rename administrator account (new admin name)
    * Rename guest account (new guest name)
    * Restrict CD-ROM access to locally logged...(enabled)
    * Restrict floppy access to locally logged...(enabled)
    * Secure Channel: Digitally encrypt or sign...(disabled)
    * Secure Channel: Digitally encrypt or secure...(enabled)
    * Secure Channel: Digitally encrypt or secure channel...(enabled)
    * Secure Channel: Require strong (windows ... (enabled)
    * Smart card removal behaviour (no action)
    * Strengthen default permissions of global...(enabled)
    * Unsigned driver installation behaviour (not defined)
    * Unsigned non-driver installation behaviour (not defined)

    Miscellaneous Settings

    Note: You must have Netbios on to use the baseline security analyzer...

    * Use NTFS file system (TODO: File PERMS)
    * Download and install Mibsa from Microsoft (Microsoft Baseline Security Analyzer)

    Network Settings

    * Disable all protocols EXCEPT TCP/IP
    * Disable Netbios over TCP/IP
    * Uncheck Register this connection's address in DNS
    * Enter DNS Suffix for connection (not if you are using dialup)
    * Ensure IP Forwarding is off

    References/Sources:

    * BLK Viper Win2k Services Page

    Provides a complete list of services, what the services are, what they do, and
    whether or not it is safe to turn off (my list differs somewhat due to experience,
    differences in setup, and programs we use)


    Errata:

    * Still need a section on File Permissions (I have been hesitant to mess
    with this other than restricting down IIS directories)
    * Still need a section on Internet Explorer Security (Many vulnerabilities
    are possible through this)
    * Still need to research registry hacks (have avoided so far)

    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)
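One way to verify that the password, lockout and audit settings above actually took effect is to export the local policy with `secedit /export /cfg policy.inf` and compare the `[System Access]` and `[Event Audit]` values against the tutorial's numbers. The checker below is an added example, not part of nebulus200's post; the INF sample is constructed (a real export is UTF-16, so decode it before passing it in), and the key names are the ones secedit writes, with audit values 0 = none, 1 = success, 2 = failure, 3 = both.

```python
"""Compare a secedit export against the Win2k hardening values recommended above."""
import configparser

# Constructed sample of a box that has not been hardened yet.
SAMPLE_INF = """
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
ClearTextPassword = 0
[Event Audit]
AuditLogonEvents = 0
AuditAccountLogon = 0
AuditPolicyChange = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# (section, key, predicate, description) taken from the tutorial's policy lists.
CHECKS = [
    ("System Access", "PasswordHistorySize", lambda v: v >= 3, "Enforce password history (at least 3)"),
    ("System Access", "MaximumPasswordAge", lambda v: 1 <= v <= 180, "Maximum password age <= 180 days (-1 = never expires)"),
    ("System Access", "MinimumPasswordLength", lambda v: v >= 7, "Minimum password length (7)"),
    ("System Access", "PasswordComplexity", lambda v: v == 1, "Passwords must meet complexity requirements"),
    ("System Access", "ClearTextPassword", lambda v: v == 0, "Reversible encryption disabled"),
    ("System Access", "LockoutBadCount", lambda v: 1 <= v <= 3, "Account lockout threshold (3); 0 = never lock"),
    ("System Access", "LockoutDuration", lambda v: v >= 30, "Account lockout duration (30 min)"),
    ("System Access", "ResetLockoutCount", lambda v: v >= 30, "Reset account lockout counter (at least 30 min)"),
    ("Event Audit", "AuditAccountLogon", lambda v: v == 3, "Audit account logon events (success, failure)"),
    ("Event Audit", "AuditLogonEvents", lambda v: v & 2 == 2, "Audit logon events (failure)"),
    ("Event Audit", "AuditPolicyChange", lambda v: v == 3, "Audit policy change (success, failure)"),
]


def parse_inf(text):
    # secedit writes an INI-style file; keep key case exactly as written.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_policy(text):
    """Return [(description, status)] with status 'ok', 'FAIL' or 'missing'.
    LockoutDuration/ResetLockoutCount are only exported once a threshold is set,
    so a missing key is reported rather than silently skipped."""
    cp = parse_inf(text)
    results = []
    for section, key, ok, desc in CHECKS:
        if not cp.has_option(section, key):
            results.append((desc, "missing"))
            continue
        value = int(cp.get(section, key).strip().strip('"'))
        results.append((desc, "ok" if ok(value) else "FAIL"))
    return results


def failing(text):
    """Descriptions of every check that is not 'ok'."""
    return [desc for desc, status in check_policy(text) if status != "ok"]


if __name__ == "__main__":
    for desc, status in check_policy(SAMPLE_INF):
        print(f"{status:8} {desc}")
```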

  2. #2
    The Iceman Cometh
    Join Date
    Aug 2001
    Posts
    1,210
    Fairly good tutorial. I personally use many different settings for the Local Policy Editor, but that's because I have to harden it based upon my network configuration, and most things are strictly regulated while some others had to be slackened to accommodate certain network features.

    Just so you know, Microsoft released IE 6.0 SP1 today which patches up all of the previously discovered problems with Internet Explorer

    Official Microsoft Internet Explorer 6.0 SP1 Site
    http://www.microsoft.com/windows/ie...sp1/default.asp

    AJ

  3. #3
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    If you don't mind sharing the differences in your settings, I would be really curious to know what you do different and why...(If you do mind, I would certainly understand)...

    One of the things that I was torn between in putting this together was to try to strike a balance between securing a box and keeping it functional, and at the same time to keep the tasks easy to do. Of course whenever I finish it, some of it will be not as easy (registry edits), but the goal is to make it as simple and quick to do as possible, without running too much of a risk of breaking another person's computer...

    Thanks for the info on the service pack, I will incorporate that into the document.

    Nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  4. #4
    The Iceman Cometh
    Join Date
    Aug 2001
    Posts
    1,210
    Here are some of the policies instituted (many are left as they were originally set, though I know there are more that are changed each time, I just don't remember what they are since I have a script which does it all for me so I never really have to worry about it anymore... I'll try to find the rest of the settings for you):

    Account Policies -> Password Policies


    (NOTE: Basically, I require that users change their password once a month and are not allowed to use the same password for the following year)

    * Enforce Password History: 12 passwords remembered
    * Maximum Password Age: 35 days
    * Minimum Password Age: 7 days
    * Minimum Password Length: 12 characters
    * Passwords must meet complexity requirements: Enabled

    Account Policies -> Account Lockout Policy

    * Account Lockout Duration: 120 minutes
    * Account Lockout Threshold: 2 invalid logon attempts
    * Reset Account Lockout: 60 minutes

    Local Policies -> Audit Policy

    (NOTE: Most auditing is skipped due to the fact that I don't need it... I just need to know when someone or something logs on, when it logs off, and whether everything was successful).

    * Audit Logon Events: Success, Failure

    Local Policies -> Security Options

    * Additional restrictions for anonymous connections: No access without explicit permission
    * Amount of idle time required before disconnecting session: 10 minutes
    * Automatically log off users when logon time expires: Enabled
    * Disable CTRL+ALT+DEL requirement for logon: Disabled
    * Do not display last user name in logon: Enabled
    * Number of Previous Logons to cache: 0
    * Prompt user to change password before expiration: 7 days
    * Rename guest account: <domain guest name, withheld for security reasons>

    AJ

  5. #5
    Junior Member
    Join Date
    Aug 2004
    Posts
    1

    Great tutorial. There's one single point I'd like to make:

    The tutorial says:

    * Store Password using reversible encryption for all users on domain (Disabled)
    Not sure of the implications...


    Well, this is a setting to disable whenever possible, since if enabled it'll store passwords in a way in which they can be decrypted (typical trade-off for keeping legacy systems, I believe it's related to NTLM authentication and NT systems).

  6. #6
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,024
    Seckool, notice the flashing date of this tut? It says it was posted over 2 years ago. There usually isn't much of a reason to reply to posts this old.
    [H]ard|OCP <--Best hardware/gaming news out there--|
    pwned.nl <--Gamers will love this one --|
    Light a man a fire and you'll keep him warm for a day, Light a man ON fire and you'll keep him warm the rest of his life.

  7. #7
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    Originally posted here by The Grunt
    Seckool, notice the flashing date of this tut? It says it was posted over 2 years ago. There usually isn't much of a reason to reply to posts this old.
    Sure there is. He tried to elaborate on something the original poster was unsure about.

    If it simply just said: "Good tutorial!"... then there would be no need to post... but since he added something it is OK IMO. If I posted a tut and I was wrong/unsure... I'd like for someone to mention/elaborate on it no matter the date.

    But... that's just my opinion... there have been so many "community changes" that I haven't kept up on... I might be wrong myself.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  8. #8
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,024
    I guess that makes sense... Whatever, I guess it doesn't really matter... Changes changes all the time.

    I guess elaborating on the original poster's unsureities <-- is that a word?--| is an ok reason to start back up a 2 year old thread!
    [H]ard|OCP <--Best hardware/gaming news out there--|
    pwned.nl <--Gamers will love this one --|
    Light a man a fire and you'll keep him warm for a day, Light a man ON fire and you'll keep him warm the rest of his life.
