lab 3033
Windows Server LOCKDOWN
Background:
Windows OS Family Tree
Image from: https://en.wikipedia.org/wiki/List_of_Microsoft_Windows_versions#/media/File:Windows_Version_History.svg
Windows Server Architecture
Central to the operating system is the kernel, which is crucial for any system operation. The kernel is housed in the system32 directory (c:/Windows/system32) and comprises files like .dll, .exe, and .com.
Kernel Protection
The executive layer protects the kernel by serving as an interface between applications and the kernel itself, adding a layer of security by preventing direct access to the kernel.
Images taken from: Team LiB: http://www.icodeguru.com/dotnet/Designing-Scalable-Dot-NET-Applications/8220final/LiB0027.html
Threads and Processes
Threads are single paths of execution within a process, sharing the process's resources. Process priority can be adjusted in Task Manager to influence performance.
Executive Service
Most of the Windows executive resides in ntoskrnl.exe, which includes both executive and kernel components. This file is critical for system performance and varies depending on the system's CPU configuration.
Software and Hardware Security
Security encompasses software-based measures controlled by the OS and hardware-based measures controlled by the processor. Intel's architecture, for example, employs four rings of protection, with the most secure environment (ring 0) reserved for the operating system.
User Mode vs. Kernel Mode
User mode (ring 3) is less protected and restricts access to system data and interfaces, while kernel mode (ring 0) allows full access to system memory and processor instructions, highlighting the need for robust security measures in kernel mode components.
Kernel-Mode and User-Mode Components
Key components include the executive, kernel, device drivers, HAL, and various user-mode components like system processes, service processes, and user applications.
Executive Functions and Managers
The executive provides API functions, manages drivers, and includes various internal and external managers for tasks like I/O management, local procedure calls, object management, virtual memory management, and synchronization.
Hardware Abstraction Layer (HAL)
HAL enables Windows to function across different hardware platforms by abstracting hardware specifics, ensuring compatibility and security across diverse systems.
Windows Subsystems Windows includes subsystems for different environment supports, such as Win32 and Linux, with subsystems acting as translators between applications and the executive.
Understanding these components and their interplay is crucial for securing Windows Server environments. By focusing on the executive's protection of the kernel, the distinction between user and kernel modes, and the role of hardware abstraction in security, you can grasp the foundational elements necessary for safeguarding Windows Server systems.
Reference:
Team LiB, Windows Server Architecture
http://www.icodeguru.com/dotnet/Designing-Scalable-Dot-NET-Applications/8220final/LiB0027.html
Windows Server Security Components
Security Reference Monitor (SRM)
- Core Function: Enforces access control policies and audits system activities.
- Example: In a high-security network, SRM cross-checks every file access request against ACLs, ensuring only users with explicit permissions can access sensitive data, thus preventing data breaches.
Local Security Authority Subsystem (LSASS)
- Role: Handles the authentication of users within a network, managing passwords and logon process
- Example: When a user attempts to access a network resource, LSASS authenticates the request against domain controllers, using protocols like Kerberos, to grant or deny access based on credentials.
Security Account Manager (SAM)
- Functionality: Manages local user and group accounts, storing credentials securely.
- Example: SAM encrypts user password hashes using a system-specific key, adding a layer of security against offline password cracking attempts from stolen SAM databases.
Windows Logon (WinLogon)
- Purpose: Manages user sessions, including logons, logoffs, and locking/unlocking of workstations.
- Example: WinLogon ensures a secure logon process through Secure Attention Sequence (Ctrl+Alt+Del), preventing malware like keyloggers from intercepting user credentials during the logon process.
Network Logon Service (NetLogon)
- Key Role: Supports pass-through authentication and logon requests within a domain environment.
- Example: In a domain environment, NetLogon facilitates the use of secure channels between clients and domain controllers for authentication, leveraging session keys for encrypted communication, vital for protecting credentials over the network.
Active Directory (AD)
- Main Function: Provides a centralized directory service for network administration and security.
- Example: AD uses Group Policy Objects (GPOs) to enforce security policies across the network, such as password complexity requirements and software restriction policies, ensuring a uniform security posture across all domain-joined devices
Remember that locking down a host system is only part of the Network Security system. Defense in Depth holds Host security configurations as only part of a seven-layer system of security.
Image from: https://www.techtarget.com/searchsecurity/answer/Whats-the-difference-between-zero-trust-vs-defense-in-depth
- this lab we will explore the Windows Server Security features and learn some recommended techniques and procedures to secure a system. This lab will introduce you to how to configure a Windows System for security. For more ideas outside the classroom, use these recommended settings:
- Microsoft Security Compliance Toolkit (SCT)
- National Institute for Standards and Technology (NIST): National Checklist Program (NCP)
- Defense Information Systems Agency (DISA): Security Technical Implementation Guide (STIG)
- Center for Internet Security (CIS) - Configuration Assessment Tool (CAT) – CIS-CAT Pro
PART 1: SPIN UP A WINDOWS SERVER
Note: If you have access to a Windows Server 2016, 2019 or 2022 you can skip this step
Step 1: SPIN up a Windows Server
- Create a free tier account on Amazon AWS Cloud Services - https://portal.aws.amazon.com/billing/signup?p=free&c=hp&z=1#/start/email
- Create an EC2 instance of Windows Server 2022 using this Compute Service
https://aws.amazon.com/ec2/?did=ft_card&trk=ft_card
Note: This free tier service will test your card with $1 but should not charge you as long as you do not use more than 750 hours a month. Please keep your computer usage low so you don't get charged.
Don’t know where to go from here? If you have any issues spinning up your server, please watch my demo video and explanation of a basic remote Windows server on the associated pdf. To remote into your server using Remote Desktop Protocol (RDP), you will have to allow it through the firewall using the port number. It is a process 😊 Patience is a virtue when it comes to using these cloud platforms.
- Name your server with your lastname and the name of the class. For example, my last name is Paul so I would make mine: paul_IS3033
- Use the ipconfig /all command to note the IP address, Gateway IP and DNS Server IP addresses.
Once you have your server spun up and ready to go, you can go to the next step.
Part 2: Windows Server Hardening
Choose one of the options for this lab
Option 1: You can follow one of the recommended baselines listed at the end of the Background section (SCT, NCP, STIG or CIS-CAT Pro). Indicate which secure baseline you chose and provide screenshots of all of your settings with a description of the setting and what this setting does for security.
Option 2: Follow this guide for some recommended settings that I have found helpful for Windows Administration.
Note: This guide is for academic use for Lab03 only. Do not use this as a guide for the professional world because this is not a complete set of guidelines required to reliably lock down a system.
Option 2 Guidelines
Provide a screenshot of each security configuration with a short description under each screenshot.
- Open Windows Server Manager and go to Manage -> Add Roles and Features
Click Next until you come to this screen.
Preparation:
Choose Active Directory Domain Services, DNS Server and Internet Information Services (IIS) Server. Note what these services do. Restart your server and make sure all services are running. You can check by opening Server Manager back up after the restart.
Disclaimer: These instructions are suggestions that can change with any upgrade. If you find other avenues of adding these features you are using the curiousity and inguinity it takes in the professional world.
Note that these instructions can be fulfilled with either GUI or Powershell commands. You can use either mode to fulfill an action on objectives.
1. Create an Account and Set Permissions
- Open "Computer Management" > "Local Users and Groups" > "Users".
- Right-click and choose "New User" to create a new account.
- Set a strong password and appropriate permissions.
- Action: Take a screenshot of the new account with its permissions.
2. Note SID and Check Integrity Level
- Open Command Prompt and type whoami /user to view the Security Identifier (SID).
- To check integrity level, type whoami /all.
- Action: Capture a screenshot showing the SID and integrity level.
3. Check Integrity Level in PowerShell
- Open PowerShell and enter Get-Process | Select-Object -Property ProcessName, IntegrityLevel.
- Action: Take a screenshot displaying the integrity levels of processes.
4. Disable Guest Account
- Navigate to "Local Users and Groups" > "Users".
- Right-click on the "Guest" account and select "Properties".
- Check "Account is disabled" and apply changes.
- Action: Capture a screenshot showing the disabled Guest account.
5. Open Group Policy Editor and Set Password Policies
- Run gpedit.msc to open the Group Policy Editor.
- Navigate to "Computer Configuration" > "Windows Settings" > "Security Settings" > "Account Policies" > "Password Policy".
- Configure password policies as per requirements.
- Action: Take a screenshot of your configured password policies.
6. Enable Audit for Success and Failures
- In Group Policy Editor, go to "Security Settings" > "Advanced Audit Policy Configuration".
- Configure "Audit Policies" for both success and failure events.
- Action: Capture a screenshot showing the audit settings.
7. Turn on Credential Guard and ATP
- Open "Windows Defender Security Center".
- Navigate to "Device Security" and enable "Credential Guard".
- For ATP, ensure Windows Defender ATP is set up and running from the "Windows Security" app.
- Action: Take a screenshot showing both Credential Guard and ATP enabled.
8. Group Policy for Automated Patches
- In Group Policy Editor, go to "Administrative Templates" > "Windows Components" > "Windows Update".
- Configure "Configure Automatic Updates" to your preference.
- Action: Capture a screenshot of the automatic updates configuration.
9. Create a Folder and Restrict Permissions
- Right-click in the desired directory, select "New" > "Folder", and name it.
- Right-click on the folder, select "Properties" > "Security" tab > "Edit" to modify permissions.
- Action: Take a screenshot showing the folder with restricted permissions.
10. Create a Local User Account
- Repeat the process from step 1 to create an additional local user account.
- Action: Capture a screenshot of the newly created user account.
11. Change UAC Settings
- Open "Control Panel" > "User Accounts" > "Change User Account Control settings".
- Adjust the slider to your preferred level of notifications.
- Action: Take a screenshot showing the adjusted UAC settings.
12. Moderate Access to Control Panel and Command Prompt, Restrict Software Installations
- In Group Policy Editor, navigate to "User Configuration" > "Administrative Templates" to configure restrictions on Control Panel, Command Prompt, and software installations.
- Action: Capture a screenshot of the configurations.
13. Prevent Storing NetLM Hash
- In Group Policy Editor, go to "Security Settings" > "Local Policies" > "Security Options".
- Find and configure "Network security: Do not store LAN Manager hash value on next password change".
- Action: Take a screenshot of the policy setting.
14. Disable FTP, Proxy Services, Telnet, and Universal Plug and Play
- Use "Windows Features" or "Services.msc" to disable FTP, Telnet, and UPnP services.
- For Proxy, go to "Internet Options" > "Connections" > "LAN settings" and ensure the proxy is disabled.
- Action: Take a screenshot showing these services disabled.
15. Windows Defender and Firewall
- Open "Windows Defender Security Center".
- Ensure "Virus & threat protection" and "Firewall & network protection" are active and configured properly.
- Action: Capture a screenshot displaying active Defender and Firewall settings.
16. Disable NTLM, PS 2.0, SMB 1.0
- For NTLM and SMB 1.0, use Group Policy Editor under "Security Options" and "Network Security" to disable.
- For PowerShell 2.0, use "Windows Features" to turn it off.
- Action: Take a screenshot showing these features disabled.
17. Enable SMB Encryption
- Open PowerShell and use the command Set-SmbServerConfiguration -EncryptData $true to enable SMB encryption.
- Action: Capture a screenshot of the PowerShell window showing successful execution.
18. Enable PS Logging and Disable PS 2.0
- To enable logging, use Group Policy Editor to navigate to "Administrative Templates" > "Windows Components" > "Windows PowerShell" and configure "Turn on PowerShell Script Block Logging".
- Ensure PowerShell 2.0 is disabled from step 16.
- Action: Take a screenshot of the PS logging configuration.
19. Monitor DNS Logs
- Open "DNS Manager", right-click on your server > "Properties" > "Debug Logging" tab to enable logging.
- Configure as per your requirements.
- Action: Capture a screenshot showing DNS logging enabled.
Answer these reflection questions with 1-2 comprehensive sentences showing your understanding of each feature.
Note: You can just provide the answer after the number. There is no need to have the original question before your answer.
1. Create an Account and Set Permissions
- Instruction: Open "Computer Management" > "Local Users and Groups" > "Users". Right-click and choose "New User" to create a new account. Set a strong password and appropriate permissions.
- Reflection: How did creating a specific account and setting permissions help secure your Windows Server?
2. Note SID and Check Integrity Level
- Instruction: Open Command Prompt, type whoami /user to view the SID, and whoami /all to check the integrity level.
- Reflection: How does understanding the SID and integrity level contribute to the security of your Windows Server?
3. Check Integrity Level in PowerShell
- Instruction: Open PowerShell, enter Get-Process | Select-Object -Property ProcessName, IntegrityLevel.
- Reflection: How does checking the integrity level in PowerShell enhance the security measures on your Windows Server?
4. Disable Guest Account
- Instruction: Navigate to "Local Users and Groups" > "Users", right-click the "Guest" account, select "Properties", and check "Account is disabled".
- Reflection: How does disabling the Guest account improve the overall security of your Windows Server?
5. Open Group Policy Editor and Set Password Policies
- Instruction: Run gpedit.msc, navigate to "Computer Configuration" > "Windows Settings" > "Security Settings" > "Account Policies" > "Password Policy" and configure password policies.
- Reflection: How do stringent password policies set through the Group Policy Editor strengthen the security of your Windows Server?
6. Enable Audit for Success and Failures
- Instruction: In Group Policy Editor, go to "Security Settings" > "Advanced Audit Policy Configuration" and configure "Audit Policies" for both success and failure events.
- Reflection: How does enabling audit success and failure notifications contribute to a more secure Windows Server environment?
7. Turn on Credential Guard and ATP
- Instruction: Open "Windows Defender Security Center", navigate to "Device Security" and enable "Credential Guard". For ATP, ensure it's set up from the "Windows Security" app.
- Reflection: How do Credential Guard and ATP enhance the security posture of your Windows Server?
8. Group Policy for Automated Patches
- Instruction: In Group Policy Editor, navigate to "Administrative Templates" > "Windows Components" > "Windows Update" and configure "Configure Automatic Updates".
- Reflection: How does setting a group policy for automated patches contribute to maintaining a secure Windows Server?
9. Create a Folder and Restrict Permissions
- Instruction: Right-click in the directory, select "New" > "Folder", name it, right-click on the folder, select "Properties" > "Security" tab > "Edit" to modify permissions.
- Reflection: How does creating a folder and restricting its permissions help in securing sensitive data on your Windows Server?
10. Create a Local User Account
- Instruction: Repeat the process from step 1 to create an additional local user account.
- Reflection: How does the addition of a local user account, with specific permissions, enhance the security framework of your Windows Server?
11. Change UAC Settings
- Instruction: Open "Control Panel" > "User Accounts" > "Change User Account Control settings" and adjust the slider to your preferred notification level.
- Reflection: How does adjusting UAC settings contribute to a more secure user environment on your Windows Server?
12. Moderate Access to Control Panel and Command Prompt, Restrict Software Installations
- Instruction: In Group Policy Editor, navigate to "User Configuration" > "Administrative Templates" to configure restrictions.
- Reflection: How does moderating access to critical system utilities like the Control Panel and Command Prompt reinforce the security of your Windows Server?
13. Prevent Storing NetLM Hash
- Instruction: In Group Policy Editor, navigate to "Security Settings" > "Local Policies" > "Security Options" and configure the relevant policy.
- Reflection: How does preventing the storage of NetLM hash values mitigate potential security vulnerabilities in your Windows Server?
14. Disable FTP, Proxy Services, Telnet, and Universal Plug and Play
- Instruction: Use "Windows Features" or "Services.msc" to disable these services. For Proxy, disable it from "Internet Options".
- Reflection: How does disabling these services reduce the attack surface on your Windows Server?
15. Windows Defender and Firewall
- Instruction: Ensure "Virus & threat protection" and "Firewall & network protection" are active in the "Windows Defender Security Center".
- Reflection: How do Windows Defender and Firewall serve as critical components in safeguarding your Windows Server against threats?
16. Disable NTLM, PS 2.0, SMB 1.0
- Instruction: Use Group Policy Editor and "Windows Features" to disable these features.
- Reflection: How does disabling outdated and potentially insecure protocols like NTLM, PS 2.0, and SMB 1.0 contribute to the security of your Windows Server?
17. Enable SMB Encryption
- Instruction: Use PowerShell with Set-SmbServerConfiguration -EncryptData $true to enable SMB encryption.
- Reflection: How does enabling SMB encryption enhance the confidentiality and integrity of data in transit on your Windows Server?
18. Enable PS Logging and Disable PS 2.0
- Instruction: Configure "Turn on PowerShell Script Block Logging" in Group Policy Editor and ensure PowerShell 2.0 is disabled.
- Reflection: How does enabling PowerShell logging and disabling outdated versions improve the audit and security posture of your Windows Server?
19. Monitor DNS Logs
- Instruction: In "DNS Manager", right-click your server > "Properties" > "Debug Logging" tab to enable logging.
- Reflection: How does actively monitoring DNS logs contribute to identifying and mitigating potential security threats on your Windows Server?