Windows hardening recommendations
Project: Securing a Microsoft Windows Environment
Chapter 11 Hardening the Microsoft Windows Operating System
Book Solomon, Michael G. (October 2019)
Strategies in Window Platforms and Applications, Edition 3rd, Jones & Bartlett Learning
IN THIS CHAPTER, you’ll learn how to apply what you’ve studied to make a computer running a Microsoft Windows operating system more secure. You’ll find out where you should focus your efforts for the most effective use of resources. You’ll also learn how to ensure each computer is as secure as possible. You’ll read as well how important a documented and repeatable process is when making computers more secure.
Chapter 11 Topics
This chapter covers the following topics and concepts:
· What the hardening process and mindset are
· How to harden Microsoft Windows operating system authentication
· How to harden the network infrastructure
· How to secure directory information and operations
· How to harden Microsoft Windows operating system administration
· How to harden Microsoft servers and client computers
· How to harden data access and controls
· How to harden communications and remote access
· How to harden public key infrastructure (PKI)
· What user security training and awareness is
· What the best practices are for hardening Microsoft Windows operating system and applications
Chapter 11 Goals
When you complete this chapter, you will be able to:
· Describe the Windows operating system hardening process
· Harden all aspects of Windows computers and network environments
· Provide security training and awareness
Understanding the Hardening Process and Mind-set
Software vendors of all types, including operating system vendors, encounter a basic dilemma when deciding on default installation options. One school of thought is to install the most features possible to showcase what the product can do. This approach is the one that vendors generally select because it promotes the richness of their product’s features. The other approach is to only install the bare minimum of features to avoid increasing the product’s vulnerability to attack. Many vendors, however, end up showcasing more features. This raises the risk of making their product more vulnerable. The software a computer runs that is vulnerable to attack is called the attack surface. The primary goal in securing Windows computers is to reduce the attack surface. While you can’t ever reduce the risk of attack to zero, you can employ controls to make your computers more secure.
Strategies to Secure Windows Computers
You have two main strategies to choose from to reduce a computer’s attack surface. First, disable or remove programs that contain vulnerabilities. This strategy is the most secure method. For example, suppose you are concerned about vulnerabilities in the Microsoft Internet Information Services (IIS) web server. This web server is running on your computer and is named WebServ01. You could disable IIS on WebServ01, or remove it entirely. An attacker can’t compromise a program that isn’t present or running on a computer. Unfortunately, WebServ01 is an important service for your organization. It is a web server for your e-commerce application. Since you can’t disable or remove IIS, you’ll have to use another strategy.
The second main strategy to reduce the attack surface is to establish controls on running programs to mitigate any known vulnerabilities. This method is always more difficult and less complete. It is also more time consuming than just disabling unneeded programs or services. Despite this, it is necessary when running a program that contains vulnerabilities.
In this chapter, you’ll learn the steps to reduce the operating system attack surface of your computers. The process of making configuration changes and deploying controls to reduce the attack surface is called hardening .
Hardening Windows computers is not a single activity—it is an ongoing process. When installing Windows, choose the installation options for programs and services you absolutely need. Then, harden each computer as soon as you complete the installation process.
Always consider disabling or removing programs or services that you don’t really need. You shouldn’t install programs if you don’t need them. You’ll find that if you disable or remove unneeded components, the hardening process is easier. You end up with a more secure computer. Always explore which programs or services you actually need before researching controls.
nstall Only What You Need
The workstation versions of the Windows operating system installation procedures follow a standard process. You can’t easily change which programs the process installs. If you are installing Windows 7, Windows 8, or Windows 10, you’ll have to complete the install process and then remove any unwanted components. When you install a Windows Server operating system, you have the ability to select which programs to install. The easiest way to customize a server is to define one or more roles for the computer. A role is a predefined set of services, programs, and configuration settings that enables a computer to fulfill specific requirements. The available roles depend on the edition of Windows you are installing. Microsoft offers multiple editions of each of its server operating systems. Each edition can support different types of roles.
Windows Server 2016 and Windows 2019 Editions and Roles
Recall that Microsoft offers the following editions of Windows Server 2008 R2:
· Essentials—Cost-effective, entry-level server for small businesses
· Standard—Supports more features than Essentials edition for medium-sized businesses
· Datacenter—Optimized for large-scale deployment using virtualization on small and large servers
Before installing Windows Server, ensure you have the correct edition to support the roles you’ll need. For more information on the limitations on role support for each edition, go to https://docs.microsoft.com/en-us/windows-server/get-started/2016-edition-comparison for Windows Server 2016, or https://docs.microsoft.com/en-us/windows-server/get-started-19/editions-comparison-19 for Windows Server 2019.
TABLE 11-1 lists the 17 Windows Server 2016 roles and which editions support each role.
Microsoft also provides another installation option making it easier to exclude programs you don’t need. The server core installation option provides a minimal Windows Server environment that includes only programs necessary for the roles you select. A server core installation doesn’t even include a Windows graphical user interface (GUI). You use a command-line interface to interact with the operating system. Since Microsoft limits the programs a server core installation installs, your choice of roles is limited. TABLE 11-2 lists the roles from which you can choose for a server core installation of Windows Server 2016
|
TABLE 11-2 Windows Server 2016 Core Installation Roles and Editions |
|
|
ROLE (CORE INSTALL) |
INSTALLED BY DEFAULT? |
|
Active Directory Certificate Services |
No |
|
Active Directory Domain Services |
No |
|
Active Directory Federation Services |
No |
|
Active Directory Lightweight Directory Services |
No |
|
Active Directory Rights Management Services |
No |
|
Device Health Attestation |
No |
|
DHCP Server |
No |
|
DNS Server |
No |
|
File and Storage Services |
Yes |
|
Host Guardian Service |
No |
|
Hyper-V |
No |
|
Print and Document Services |
No |
|
Remote Access |
No |
|
Remote Desktop Services |
No |
|
Volume Activation Services |
No |
|
Web Server (IIS) |
No |
|
Windows Server Essentials Experience |
No |
|
Windows Server Update Services |
No |
|
© Jones & Bartlett Learning. |
Taking the time to select the right role for each Windows Server installation is the first step in hardening your Windows servers.
Windows Server 2019 Editions and Roles
Recall that Microsoft offers the following editions of Windows Server 2019:
· Essentials—Cost-effective, entry-level server for small businesses
· Standard—Supports more features than Essentials edition for medium-sized businesses
· Datacenter—Designed for large-scale deployment on servers that support extensive virtualization
TABLE 11-3 lists the Windows Server 2019 roles and which editions support each role.
|
TABLE 11-3 Windows Server 2019 Standard Installation Roles and Editions |
|
|
|
© Jones & Bartlett Learning. |
Windows Server 2019 supports server core installations as well. The Windows Server core installation is essentially a Windows Server installation without any GUI components. Due to the lack of GUI, it has a smaller footprint and offers a smaller attack surface. Windows Server core installations work well in datacenters where command-line interaction or remote web-based administration are sufficient. In fact, in every Windows Server release since Windows Server 2012, you can switch between a full server and server core installation without having to reinstall the entire operating system. Windows Server 2019 offers server core installation options for the Standard and Datacenter editions.
Security Compliance Toolkit
Microsoft provides a set of tools to help manage Windows security baselines. According to Microsoft, the Security Compliance Toolkit (SCT) “… allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products.” The SCT provides guidance to administrators that makes it easier to ensure policies adhere to policy best practices.
SCT is not installed with the operating system, but must be downloaded from Microsoft’s website. You can get the SCT at https://www.microsoft.com/en-us/download/details.aspx?id=55319 . Once you navigate to the download website, click the Download button. The action will display a list of files that you can download. You can choose from the following files:
· LGPO.zip—The Local Group Policy Object tool
· Office-2016-baseline.zip—Baseline recommended policy settings for Office 2016
· PolicyAnalyzer.zip—The policy analyzer tool to compare sets of GPOs and analyze their differences.
· Windows 10 Version xxxx (multiple available versions) Security Baseline.zip—Separate baseline recommended policy settings for Windows 10 versions 1507, 1511, 1607, 1703, 1709, and 1803
· Windows 10 Version 1809 and Windows Server 2019 Security Baseline.zip—Baseline recommended policy settings for Windows 10 Version 1809 and Windows Server 2019
· Windows Server 2012 R2 Security Baseline.zip—Baseline recommended policy settings for Windows Server 2012 R2 (and Windows Server 2016)
After you download the files that match the versions for Windows you have installed, extract each of the zip files into a folder of your choice. The baseline zip files contain Microsoft recommended configuration settings for specific versions of Windows. You’ll find documentation, policy examples, and Microsoft Excel spreadsheets that list all of the group policy settings, along with Microsoft’s recommendations.
The supplied baseline information contains so many recommendations. The SCT include two tools to help manage the baseline input, along with managing your own GPOs. The LGPO tool helps to automate managing your local GPOs. The LGPO tool is a command-line utility that you can run from a Windows PowerShell. For example, suppose you want to view the contents of a local computer’s Registry.pol file. This file is a binary file that contains a registry-defined policy. By default, you can find this file at C:\Windows\System32\GroupPolicy\Machine\Registry.pol (assuming that Windows is installed in C:\Windows). You can’t view this file directly since it is a binary file, but you can use LGPO to see what it contains. The command .\lgpo/parse/m C:\Windows\System32\GroupPolicy\Machine\Registry.pol will show what the Registry.pol file contains. (This command assumes that the directory where you extracted LGPO.exe is your current directory.)
The other utility available in SCT is the policy analyzer tool. The policy analyzer tool displays GPOs and compares selected GPO values. This makes it easy to compare the Microsoft supplied baseline GPOs with your own. You can even use the policy analyzer to create your own baseline GPOs and use those to quickly see if any computers in your organization have changed their settings to violate your security policy.
After you extract the policy analyzer zip archive you downloaded, change your working directory to the location where you extracted PolicyAnalyzer.exe. Then, you can launch the policy analyzer by running PolicyAnalyzer.exe. The first time you run the policy analyzer, the window is blank. Try loading the Registry.pol file. Click Add, then File -> Add Computer Configuration (registry.pol). Navigate to C:\Windows\System32\GroupPolicy\Machine and select Registry.pol. Click Import, then close the Policy File Importer window. Select Local policy (at the top of the window) and the registry entry you just imported, then click View/ Compare. The policy analyzer shows all of the settings in selected GPOs and will highlight any differences. FIGURE 11-1 shows the Policy Analyzer selection window, and FIGURE 11-2 shows the Policy Viewer (the result of the policy comparison.).
Manually Disabling and Removing Programs and Services
Before proceeding, back up the Windows Registry. It is a good idea to back up the Windows Registry before making any changes. Some of the changes you make to Windows can cause unexpected results. A Windows Registry backup may help you research problems and restore settings. In addition, make changes on a test computer whenever possible. Making changes on test computers gives you the ability to test the results of those changes before they impact your production environment.
you can create a Windows Registry backup by following these steps:
1. Choose the Windows Start button > Run.
2. Type regedit.exe in the text box.
3. Select File > Export from the menu.
4. Enter the desired filename for the Registry backup and choose Save.
The next step is to evaluate each computer. Identify remaining programs and services that you don’t need. If you carefully select the roles for each server computer, you shouldn’t have to remove or disable many programs. Since workstation versions of Windows do not provide the option to install the operating system based on roles, you’ll likely find several programs and services installed you don’t need. For example, it is a good idea to disable the Remote Registry service. This service allows remote users to modify their Windows Registry. Once you identify any unneeded programs or services, either disable or remove them.
The most permanent and secure option is to remove unneeded programs. Make sure you know what a program is before you remove it. Don’t just remove a program because you don’t know what it is. If you don’t recognize a program, try searching for the program name using an Internet search. You’ll likely find information that will help you decide whether or not to remove the program. You can remove unneeded programs using the Control Panel -> Programs and Features utility. You can also use the Add or Remove Programs app to manage applications. Removing a program makes it impossible for an attacker to use that program to compromise a computer. FIGURE 11-3 shows the Programs and Features utility for Windows 10.
FIGURE 11-3 Uninstalling a program in Windows using the Programs and Features utility.
Courtesy of Microsoft Corporation.
Many programs in the Windows operating system run as services. Services are programs that run in the background and help other programs to run. For example, the DHCP Client service is a program that you don’t see on your display, but it provides the important service of requesting an IP address for your computer. You’ll find many services running on servers as well as workstations. The Windows Services maintenance utility allows you to start, stop, and change the settings for services defined for a computer. An alternative to removing or uninstalling a program that runs as a service is to disable it. When a Windows computer boots, the operating system reads the list of services and starts the services with a Startup type value of Automatic. Windows will also start services with a Startup type value of Automatic (delayed start) as well once all of the Automatic services have started. You can change the Startup type to Disabled for any services you want to prevent Windows from starting. Although it is possible to manually start a service by running the program, disabling a service reduces the probability an attacker can use it to compromise a computer.
FIGURE 11-4 shows the Windows Services Maintenance utility.
Open the Programs and Features utility on a computer running Windows 10 or Windows Server 2019 using these steps:
1. Choose the Windows Start button > Control Panel.
2. Select Programs and Features.
After you’ve identified unneeded programs and services and have either removed or disabled them, you can address remaining vulnerabilities. To continue the hardening process, learn about common vulnerabilities in running programs and deploy controls to secure your computers from those vulnerabilities.
Hardening Microsoft Windows Operating System Authentication
The next step in hardening your Windows operating systems is to address authentication weaknesses. Current operating system versions, regardless of vendor, tend to be more secure and provide more features. If all of the computers in your environment are running the latest version of Windows, then you should disallow older authentication methods. For example, computers that run Windows 2000 or later support NTLMv2 authentication. Earlier versions of Windows only support the older NTLM protocol. If all your computers are running Windows 2000 or later, you can disable support for NTLM.
Technical TIP
Launch and use the Windows Services Maintenance utility on a computer running Windows 10 or Windows Server 2019 using these steps:
1. Choose the Windows Start button > Windows Administrative Tools.
a. If the Administrative Tools option does not appear on the menu, select Control Panel > Administrative Tools.
2. Select Services.
3. To edit the properties of any service, select the service, open the context menu by right-clicking on the service, then select Properties.
Remove or disable any unused or inactive user accounts defined for each computer, both locally and in Active Directory (AD). Unused user accounts provide additional targets for attackers. The most dangerous user for any Windows computer is Administrator. This user has elevated permissions and exists on every Windows computer. Attackers know that accessing the Administrator account allows them many ways to compromise a computer. Unfortunately, you can’t delete the Administrator account. But you can disable it. The best way to protect your administrative rights from attackers is to follow these steps:
1. Create new accounts that will become the new Administrator users.
2. Assign the necessary Administrator rights to the new users, or to a group object.
Test each of the new Administrator accounts to ensure they possess the necessary rights and permissions.
3. Disable the default Administrator account.
Following these steps will make it more difficult for attackers to escalate their privileges to include administrative rights. They have to guess which users now have administrative rights. Many automated attacks target the default Administrator user; so, if you have disabled that user, such attacks will fail. Once you have disabled the Administrator user, remove other users, such as Guest, that you do not need. As with the Administrator user, attackers know that many Windows operating systems have default users no one took the time to remove. They’ll try to use these accounts to compromise your computers.
The next step in hardening Windows authentication is to establish and enforce strong account policies. The Microsoft Security Compliance Toolkit provides many policy recommendations and makes it easy to compare recommendations with the setting you have in place. Create or edit Group Policy to modify settings for the following policies:
· Password policy—Settings for password age, length, complexity, storage, and history. The goal for passwords is to require users to change passwords frequently, but not too frequently. If you force users to change passwords too often and make them too complex, users will likely just write down passwords and keep them close to their workstations. A good rule of thumb is to set the maximum password age to 60 days, enable password complexity, and require that passwords be at least eight characters in length. Users will have to change their passwords every 60 days and create passwords that contain upper and lowercase characters as well as digits or special symbols.
· Account policy—Settings for account lockout duration, threshold, and reset count. Use these settings to make it more difficult for automated tools to use brute-force attacks to guess passwords. A good rule of thumb is to use an account lockout threshold of five to lock a user account after five failed logon attempts. You could set the duration and reset count to 15 to force a user to wait 15 minutes after five failed logons. After 15 minutes, the user could try to log on and have five more attempts before either successfully logging on or being locked out again.
· Kerberos policy—Settings for logon restrictions and ticket lifetimes. These settings tell Windows how long Kerberos tickets should be allowed to live and whether the Kerberos servers should authenticate users on every request. The default ticket lifetime is 10 hours. This default works well unless your environment routinely supports users who work for more than 10 hours at a time. The Kerberos lifetime should be a little longer than a user’s workday.
Ensuring you only have the accounts you need, both at the local computer level and in AD, can reduce your exposure to attack. Reviewing, and if needed, strengthening the password policies will harden your Windows authentication and make it harder for attackers to compromise your Windows computers.
Hardening the Network Infrastructure
Once you’ve reduced the ability for unauthorized users to log on to your Windows computers, the next step is to harden other access methods. Computers communicate with other devices and computers on a network by sending messages to a destination port address. The combination of a protocol, a host name or address, and a port number identifies the intended target location for a message. For example, assume a Transport Control Protocol (TCP) message travels to www.myserver.com at port 80. Port 80 is the commonly used port for web traffic. It is likely that there is a web server on the server at the address www.myserver.com . If this server is a web server, then you would want to accept TCP traffic on port 80. If you didn’t accept the traffic, your web server would never receive any web requests and essentially wouldn’t be able to do its job.
Identify all of the network server and client services that require access to ports. In the previous example, you know that the web server needs port 80 to be open. If other services are running on the same computer, investigate which ports each service needs. Once you know what your computer needs to operate, modify your firewall settings to open those ports. Depending on which ports you need, you may find that they’re already open. Close all other ports. If a specific server computer does not run a web server, it generally doesn’t need port 80 open. The SCT tools and baselines help you define firewall rules that correspond to server roles and services required to support those roles. You can customize your firewall rules to fine-tune your network infrastructure security for Windows server computers.
In legacy versions of Windows, you would make firewall changes directly in the Windows Firewall maintenance utility. Starting with Windows 7 and Windows Server 2008, you now can maintain firewall rules in two different ways. One way is to use the Windows Firewall with the Advanced Security maintenance utility. Alternatively, you can use the Local Group Policy Editor to manage firewall settings. Using Group Policy to manage your firewall makes maintenance easier. Create one or more Group Policy Objects (GPOs) for firewall settings in AD and apply them to groups of computers without having to edit each one. FIGURES 11-6 and 11-7 show the Windows Firewall with Advanced Security and editing firewall settings in the Group Policy Management Editor.
FIGURE 11-6 Windows Firewall with Advanced Security.
Courtesy of Microsoft Corporation
FIGURE 11-7 Group Policy Management Editor—Windows Firewall with Advanced Security.
Courtesy of Microsoft Corporation.
Regardless of the method you use to edit firewall settings, close all ports and disallow all connections except for those ports and applications you need. Fewer entry points to your computers make them more secure.
Securing Directory Information and Operations
AD is a valuable feature of Microsoft Windows for IT operations. AD centralizes many maintenance tasks and makes it easy to standardize security settings. It also is a valuable target for attackers, because it stores so much useful information. Since AD is a target for attackers, it should also be a target for your hardening efforts.
Begin by recognizing the value of compromising AD. Limit the number of administrators with access to AD. Ensure that administrators managing AD do so using separate Administrator user accounts. Administrators should have one account for AD administration and at least one other account for other administration tasks. Isolating privileged user accounts makes the accounts harder to compromise. You can create an AD security group with necessary privileges for this purpose. To add additional AD administration restrictions, require that AD administrators do their AD work only from dedicated terminal servers instead of their workstations. This requirement reduces the potential of malware infections on workstation computers to infect AD or allow AD compromise.
Periodically change the Directory Service Restore Mode (DSRM) password. And immediately change it from the default password after installation. This password is what you use to log on to a domain controller (DC) that has been booted into DSRM mode to create an offline copy of AD. This capability would allow an attacker to copy all your AD information. Protect the DSRM password for each DC and change it at least every 6 months.
Other steps you can take to harden AD include ensuring all DCs are physically secure. Locate your DCs in a datacenter or other location with limited access. Configure your DCs to audit important activities and use Internet Protocol Security (IPSec) between all servers. IPSec may be a little difficult to use for client connections, but setting it up for use between servers doesn’t take a lot of effort. IPSec will help ensure that your AD remains secure.
Hardening Microsoft Windows OS Administration
Hardening the Windows operating system administration involves protecting the Administrator user accounts and ensuring computers are up to date. You’ve already learned that disabling the built-in Windows Administrator account is a recommended step. After you create other user accounts with Administrator privileges, disable the default Administrator account and use the new accounts for all administrative tasks. Enable strong passwords and set Administrator passwords to expire on a regular basis. These settings will help keep your Administrator user accounts secure.
Since a common administrative activity is to evaluate and change security settings, it is very helpful to create and maintain baselines. Baselines are copies of files and settings you can use for comparison or to restore if necessary. Create a full backup of each system both before and after hardening. The post-hardening backup will be your initial secure baseline. You can use that backup to compare with future backups to identify changes. Although full backups contain all files and folders, it may be beneficial to create individual backups of policies each time you change them. The Group Policy Management Console (GPMC) gives you the ability to back up and restore GPOs. The GPMC also allows you to manage backups of all GPOs. FIGURE 11-8 shows the Backup GPO option in the GPMC.
Change the Windows Updates settings in Windows 10 and Windows Server 2019 using these steps:
1. Choose the Windows Start button > Settings.
2. Select Update & Security.
3. Select Windows Update. From this window, you can change Windows Update settings, manually check for available updates, or view update history.
Another critical component of hardening operating system administration is ensuring all Windows systems are updated to the latest patch. Ensure that Windows Update is configured to automatically download and install the latest updates from Microsoft.
FIGURE 11-9 shows the Windows Update window.
Hardening Microsoft Servers and Client Computers
Don’t neglect any computer that is attached to your network. You should harden both servers and workstation computers. Any compromised computer that is connected to your network is a threat to the entire network. Microsoft makes the process of hardening server computers easier with the SCT. You can implement many of the hardening recommendations just by implementing recommendations in the SCT. Unlike earlier versions of Windows, workstation computers are integrated into the SCT recommendations. This means you don’t need to manually harden your workstations. Although Windows workstation installations are more secure by default than in the past, you’ll need to take extra steps to ensure that they are as secure as possible.
Hardening Server Computers
Server computers exist on your network to provide one or more specific services. You have two main areas to address when hardening servers. First, ensure that your server computers don’t do anything they’re not supposed to do, such as run extra services that aren’t needed. If a server should provide database services only, then it probably shouldn’t have IIS installed as well. Second, harden the services they are supposed to provide. Start off by installing only the roles you need for any particular server to fulfill its purpose. One of the first steps to take after installing any new server is to use the SCT tools. The SCT tools help identify many of the unneeded services and open ports. Run SCT to disable any roles or services you don’t need and then review the remaining services in the Windows Services window. Disable any services that are still running but you don’t need.
After running SCT and disabling additional services, it is a good idea to scan each server using a port scanner to identify any open ports you may have missed. Use the nmap utility or any other port-scanning software to identify open ports. Your open port scan shouldn’t find any unexpected open ports. If it does locate any ports that are open, find out what service is using them and decide whether to close the ports or add them to your approved open ports list. You should know how every open port is being used.
To make it harder for unauthorized users to connect to your server computers, enable IPSec for all server-to-server connections. IPSec will require that any computer that attempts to connect to your server be authorized to connect. Using IPSec and removing or disabling unnecessary user accounts will make it more difficult for attackers to compromise your server computers.
Once you’ve taken these steps to harden your servers, focus on the services that are still running. Every server will have some services running and some ports open. The second main phase of hardening servers is to focus on these components.
Get more information on the free nmap utility at http://nmap.org/ . The utility can be downloaded from this site and installed on any computer. Before you use nmap to scan any computer, ensure you have permission in writing from the computer and network owner to perform the scan. Port scanning can cause substantial network activity and even trigger intrusion alarms. You don’t want to cause someone to treat your scan as a hostile attack. Make sure all stakeholders know what you’re planning to do, when you’re planning to do it, and that you have permission to do it.
Nmap offers many command options, but here are a few simple ones that will provide a list of open ports:
nmap -vA 192.168.1.128
The previous command scans for any open ports on 192.168.1.128 and also attempts to detect the operating system running on the computer at that Internet Protocol (IP) address.
nmap -vsT 192.168.1.128
The previous command scans and attempts to connect to any open ports on the computer at 192.168.1.128. Using the “-vsT” option is slower than the “-vA” scan but also provides more complete information on services that are running and monitoring open ports.
For even more command options, go to the nmap website for additional details and complete documentation. Nmap can help you identify any vulnerability on your computers.
Hardening Workstation Computers
While many of the strategies for hardening computers apply to all computers, some are especially important for workstations. In general, workstation computers act as clients, and not servers. When hardening workstation computers, one of the main goals is to ensure the computer maintains a clean identity and doesn’t attempt to violate your security policy.
One of the more common issues with workstation computers is malware. Since workstations tend to connect to many Internet resources and run many software programs, they run into malware frequently. Removing malware is often far more difficult than preventing it. Ensure that every workstation computer has up-to-date anti-malware software installed and that its database of known malware is up to date as well.
In addition to ensuring workstations are protected from malware, it is important to mitigate as many other vulnerabilities as possible. Most workstation installations add many unneeded programs and services. And no single program effectively analyzes a workstation’s role and recommends changes to make it more secure. Review all running services and programs and disable the ones you don’t need. Likewise, review the Windows Firewall settings to only allow network traffic for the services and applications your workstations really need.
Securing workstations requires control. You can exert control over workstations your organization owns or directly manages. Group Policy makes it possible to effectively manage and enforce nearly all security settings for your organization’s workstations. Remote users pose a more difficult challenge. It is very difficult to exert any control over workstations your organization doesn’t own or manage. You should provide a separate access path for internal versus external workstations. Isolate external workstations and restrict what resources they can access.
Hardening Data Access and Controls
The key to deploying the best Windows access controls is to first develop a clear idea of what you are attempting to control. In general, minimize the number of user accounts on all computers and carefully control access to accounts with Administrator rights. Access to data and resources is based on identity. You have to implement secure identity management before you can trust your access controls. As you’ve already learned, having fewer user accounts and using strong passwords make your systems more secure. But just limiting user account access is only part of the solution.
Once you identify the data and resources you need to control, use Windows Group Policy to establish access control lists (ACLs) that limit access to specifically defined users and groups. The easiest way to implement access control in a large environment is to use AD and global groups for as many ACLs as possible. Avoid allowing anonymous or guest user accounts to access any sensitive data.
To protect data at rest, either use Windows Encrypting File System (EFS) for folders that contain sensitive data or Windows BitLocker to encrypt entire volumes. Regardless of the option you choose, ensure any backups encrypt your data as well.
Hardening PKI
One method of hardening authentication is by using digital certificates. Certificates can increase the security of IPSec, SSL connections, and web server authentication. Implementing such an approach requires a method of creating, distributing, and maintaining certificates. A common approach is to implement a PKI. PKI is a term that refers to the hardware, software, policies, and procedures to manage all aspects of digital certificates. PKI has the reputation of making environments more secure, but this is only true if your PKI components are secure.
The most important component of securing PKI is to ensure all computers that participate are hardened. This is especially true for the Certificate Authority (CA) servers. In addition to hardening CAs like other servers, ensure your CAs are physically secure and only accessible by authorized administrators. Ensure that you back up the CA keys and store them in a safe location. You’ll need these to recover certificate access after restoring from some types of disasters.
Use GPOs to distribute root CA certificates. Using GPOs gives you the ability to control and automate the certificate distribution. To ensure you can track down unauthorized certificate actions, enable auditing for all CA and certificate events. You will probably need to increase the maximum audit log file to store log entries for more than a few days for heavily utilized servers.
User Security Training and Awareness
One of the most important aspects of hardening any computer is how the computers are used. Although malicious attackers are a threat to computer security, so are authorized users. Many security incidents result from poorly trained, forgetful, or stubborn authorized users. In some environments, users view security as a barrier and stubbornly refuse to abide by the security policy. Security awareness training is crucial from a person’s first exposure to your environment.
Each new employee, contractor, or visitor should go through security awareness training that corresponds to his or her level of system access. Employees generally have the greatest privileges in any organization’s information systems and should be required to undergo the most comprehensive security training. Contractors or other temporary personnel have less access than employees. Visitors often have less access. You should design security training for each group of users, based on their access and responsibilities. Part of internal personnel training should include procedures for granting access to visitors. Security awareness programs are always good ideas and they also may be mandatory. If your organization must comply with The European Union General Data Protection Regulation (GDPR), Sarbanes-Oxley, Payment Card Industry-Digital Signature Standard, Health Insurance Portability and Accountability Act (PCI-DSS, HIPAA), or the Federal Information Security Management Act (FISMA), you must implement a security awareness program. TABLE 11-5 lists different groups of users and suggested security training requirements.
|
TABLE 11-5 User Types and Suggested Security Training |
||
|
USER TYPE |
DESCRIPTION |
SECURITY TRAINING |
|
Employee |
Person employed by an organization with permanent responsibilities and access to certain information system resources |
Employees receive mandatory security policy training with signed acceptance of acceptable use policies (AUPs), completion of information system access security training prior to receipt of access credentials, and mandatory recurrent security awareness and policy update training. Properly trained employees should be able to recognize security breaches and know what to do about them. |
|
Contractor |
Temporary worker with limited temporary access to information resources related to assigned responsibilities |
Contractors receive mandatory pre-engagement security policy training with signed acceptance of AUPs, completion of information system access security training that relates to assigned responsibilities prior to receipt of access credentials, and mandatory recurrent security awareness and policy update training. Properly trained contractors should be able to recognize security breaches and know whom to notify if a breach occurs. |
|
Visitor/guest |
Transient user with very limited access to information system resources |
Visitors/guests agree to comply with AUPs. |
|
© Jones & Bartlett Learning. |
Regardless of the type of user, anyone who connects to your computer systems should encounter frequent reminders of the importance of security. Use any of these formats to remind users of the importance of security:
· Physical posters and banners in conspicuous locations, such as in break rooms and cafeterias, and around printers, fax machines, or shredders
· Email newsletters, social media contact, and security policy updates
· Periodic website reminders
· Social media messages
· Daily or weekly tip programs
· Contests with security themes
· Security events on specific dates, such as November 30, International Computer Security Awareness Day
· Lunch-and-learn meetings about topics of interest to employees personally—such as identity theft or cyberbullying—as well as topics of interest to your organization
· Visible modeling of good security behaviors by your organization’s leaders
Best Practices for Hardening Microsoft Windows OS and Applications
Many resources are available to you for hardening Windows computers. Some resources focus on a few high-level suggestions while others go into very detailed lists of suggestions. To make your job of securing Windows computers easier, here is a list of best practices for securing different types of computers. These best practices may not all apply to every one of your computers. They do provide a solid starting point that will result in a far higher level of security than taking no action at all. The key to hardening your Windows computers is to reduce each computer’s attack surface to the absolute minimum while still allowing the computer to fulfill its purpose.
Here are the best practices for hardening Windows operating systems:
· Install only the Server Core option when you don’t need extra functionality (i.e., GUI).
· Select the minimum number of roles when installing Windows Server.
· Use SCT immediately after installing the operating system for any Windows computer, specifically for computers that participate in an organization’s network.
· Update each computer with the latest operating system patches.
· Configure each computer for automatic Windows updates.
· Install and run Microsoft Baseline Security Analyzer (MBSA) and at least one other Windows security vulnerability scanner.
· Create one or more user accounts with Administrator rights.
· Disable the Administrator and Guest user accounts.
· Determine which services are needed and disable all unneeded services.
· Close all ports not required by services or applications.
· Create GPOs for all security settings, including firewall rules.
· Use AD to distribute all configuration changes using GPOs.
· Create a backup of each GPO.
· Scan all computers for open ports and known vulnerabilities.
· Limit physical access to all critical servers.
· Create an initial baseline backup.
· Change the AD DSRM password periodically, at least every 6 months.
· Install anti-malware software on each computer.
· Ensure all anti-malware software and data are current.
· Use NAC software or devices to control remote computer connections.
· Use remote authentication methods to authorize remote computers and users.
· Require secure VPNs to access internal network resources.
· Use IPSec with digital certificates to authenticate computer-to-computer connections in the datacenter.
· Require security awareness training prior to issuing access credentials.
· Require periodic recurrent security awareness training to retain access credentials.
· Provide continuing security awareness through different means.
CHAPTER SUMMARY
Hardening is the process of making computers more secure. The process involves identifying vulnerabilities and implementing compensating controls. In this chapter, you read about some of the most important steps to make your Windows computers more secure. You learned how to install servers to be more secure and how to make both servers and workstations more secure after installation. Following the best practices at the end of this chapter will help you keep your Windows environment secure and difficult for attackers to compromise.
KEY CONCEPTS AND TERMS
· Directory Service Restore Mode (DSRM)
· Network access control (NAC)
· nmap
· Role
· Security Compliance Toolkit (SCT)