OS Hardening Windows

OS Hardening for Windows 2000 & 2003

Last Updated by asmith 2006.12.04

This document is intended as a starting checklist to harden Windows 2003 Server and IIS for security vulnerabilities.
This checklist is designed for those that are extremely familiar with Windows and IIS, as explanations for the checklist actions are not included.
It is strongly recommended that you visit the Microsoft Security and Privacy page, at http://www.microsoft.com/security/default.asp, for specific information about each step and the reason behind each action.
If you are unfamiliar with any portion of the hardening procedure, PLEASE ASK!


WARNING FOR PLESK INSTALLS

If Plesk is installed, BE SURE NOT TO IMPAIR ANY NEEDED SERVICES.
Do not delete Plesk User Accounts or change any Permissions.



Services

You can refer to the following link if you’d like to know what you are disabling or setting to manual: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/svrxpser_7.mspx


Configure the following Windows Services to start manually

  • Application Management
  • COM+ Event System
  • Distributed Link Tracking Client
  • Distributed Link Tracking Server
  • File Replication
  • Indexing Service
  • Logical Disk Manager Administrative Service
  • Net Logon
  • Remote Desktop Help Manager
  • Routing and Remote Access
  • Windows Installer
  • Windows Management Instrumentation Driver Extensions
  • Windows Time


Set the following Windows Services to Disabled unless specified as required:

  • Alerter
  • ClipBook
  • Computer Browser (Except Domain Controllers)
  • Intersite Messaging
  • Kerberos Key Distribution Center
  • License Logging
  • Messenger
  • Netmeeting Remote Desktop
  • Network DDE
  • Network DDE DSDM
  • Portable Media Serial Number Service
  • Print Spooler
  • Remote Procedure Call (RPC) Locator
  • Smart Card
  • Simple Mail Transfer Protocol (SMTP)
  • Telephony
  • Telnet
  • Uninterruptible Power Supply
  • Windows Audio
  • Windows Image Acquisition (WIA)
  • Wireless Configuration
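The two service lists above can be checked, and with -Apply enforced, with the following script. It is an added example, not part of the original checklist, and it assumes PowerShell 2.0 on Windows Server 2003; the display names are assumed to match that release exactly (for instance "Remote Desktop Help Session Manager" for the "Remote Desktop Help Manager" entry) and anything not found is reported rather than guessed. Without -Apply it only reports drift, which is the safer first run on a Plesk host.

```powershell
# Added example (not part of the original checklist): audit the start modes of the
# services listed above and, with -Apply, change them. Assumes PowerShell 2.0 and
# Windows Server 2003 display names; missing services are reported, not guessed.
param([switch]$Apply)

$manual = @(
    'Application Management', 'COM+ Event System', 'Distributed Link Tracking Client',
    'Distributed Link Tracking Server', 'File Replication', 'Indexing Service',
    'Logical Disk Manager Administrative Service', 'Net Logon',
    'Remote Desktop Help Session Manager', 'Routing and Remote Access',
    'Windows Installer', 'Windows Management Instrumentation Driver Extensions',
    'Windows Time'
)
$disabled = @(
    'Alerter', 'ClipBook', 'Computer Browser', 'Intersite Messaging',
    'Kerberos Key Distribution Center', 'License Logging', 'Messenger',
    'NetMeeting Remote Desktop Sharing', 'Network DDE', 'Network DDE DSDM',
    'Portable Media Serial Number Service', 'Print Spooler',
    'Remote Procedure Call (RPC) Locator', 'Smart Card',
    'Simple Mail Transfer Protocol (SMTP)', 'Telephony', 'Telnet',
    'Uninterruptible Power Supply', 'Windows Audio',
    'Windows Image Acquisition (WIA)', 'Wireless Configuration'
)

# Domain controllers keep Computer Browser, as the list says (DomainRole 4/5 = backup/primary DC).
if ((Get-WmiObject Win32_ComputerSystem).DomainRole -ge 4) {
    $disabled = @($disabled | Where-Object { $_ -ne 'Computer Browser' })
}

function Enforce-StartMode([string[]]$displayNames, [string]$wanted) {
    foreach ($name in $displayNames) {
        # Win32_Service exposes StartMode (Auto/Manual/Disabled) and ChangeStartMode(),
        # which is all this check needs; Get-Service does not report the start mode.
        $svc = Get-WmiObject Win32_Service -Filter "DisplayName='$name'"
        if ($svc -eq $null) { Write-Host ("MISSING  {0}" -f $name); continue }
        if ($svc.StartMode -eq $wanted) { Write-Host ("OK       {0} ({1})" -f $name, $wanted); continue }
        if (-not $Apply) {
            Write-Host ("DRIFT    {0}: {1}, expected {2}" -f $name, $svc.StartMode, $wanted); continue
        }
        $rc = $svc.ChangeStartMode($wanted).ReturnValue      # 0 = success
        if ($rc -ne 0) { Write-Host ("FAILED   {0}: ChangeStartMode returned {1}" -f $name, $rc); continue }
        # A disabled service that is still running keeps its ports open until stopped.
        if ($wanted -eq 'Disabled' -and $svc.State -eq 'Running') { $svc.StopService() | Out-Null }
        Write-Host ("CHANGED  {0}: {1} -> {2}" -f $name, $svc.StartMode, $wanted)
    }
}

Enforce-StartMode $manual   'Manual'
Enforce-StartMode $disabled 'Disabled'
```

Run it once without -Apply and reconcile the DRIFT lines against the Plesk warning at the top of this document before running it with -Apply; re-run afterwards and expect only OK and MISSING lines.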


Windows Firewall

  • If the customer does not currently have a hardware firewall and is not interested in purchasing one, convince them to use the built-in Windows Firewall. Make sure to tell the customer that we will do the initial firewall configuration, but that they must administer the firewall after that point.
  • Do NOT use the Windows Security Configuration Wizard as OS Hardening is a CUSTOM procedure.


Administrator Account

  • Rename the Administrator account to cxxxxx_admin (where cxxxxx is the customer number – ENSURE YOU HAVE THE RIGHT CUSTOMER ID) and change the password to a more complex one.

  • Create a user named Administrator, remove all groups from this user and disable the account. This account will be used as a decoy. Put "decoy" in the description of this account to eliminate confusion for the customer.
  • Run drwtsn32 and uncheck all options except "Append to Existing Log File".
  • Verify that anonymous FTP is disabled.


IIS Privileges


WWWROOT FOLDER PERMISSIONS: (c:\inetpub\wwwroot)

NOTE: You may see some Plesk accounts listed here, such as psaadm and/or psacln; leave them intact.

Administrators: Full Control

System: Full Control

IUSR_Machinename: Read

IWAM_Machinename: Read


W3C LOGGING TAB:

Check for the following under Advanced Logging: Website > Properties > W3C > Properties

  • Client IP address
  • User Name
  • Service Name
  • Server IP address
  • Server Port
  • Method
  • URI Stem
  • URI query
  • Protocol Status
  • Protocol Substatus
  • Win32 Status
  • User Agent
  • Host


FTPROOT FOLDER PERMISSIONS: (c:\inetpub\ftproot)

NOTE: You may see some Plesk accounts listed here, such as psaadm and/or psacln; leave them intact.

Administrators: Full Control

System: Full Control

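The wwwroot and ftproot permission lists above can be verified with the following audit script. It is an added example, not part of the original checklist; it assumes PowerShell 2.0, the default C:\inetpub paths, and a stand-alone server (IUSR_/IWAM_ accounts named after the local machine). Plesk's psaadm/psacln entries are reported but never touched, and entries inherited from C:\inetpub (for example BUILTIN\Users) show up as EXTRA, which is exactly what the check is for.

```powershell
# Added example (not from the original checklist): list every ACE on wwwroot and
# ftproot that is not in the expected set above. Assumes PowerShell 2.0 and the
# default C:\inetpub paths; IUSR_/IWAM_ names are derived from the local computer name.
$me = $env:COMPUTERNAME
$expected = @{
    'C:\inetpub\wwwroot' = @{
        'BUILTIN\Administrators' = 'FullControl'
        'NT AUTHORITY\SYSTEM'    = 'FullControl'
        "$me\IUSR_$me"           = 'Read'
        "$me\IWAM_$me"           = 'Read'
    }
    'C:\inetpub\ftproot' = @{
        'BUILTIN\Administrators' = 'FullControl'
        'NT AUTHORITY\SYSTEM'    = 'FullControl'
    }
}
$pleskAccounts = @('psaadm', 'psacln')     # left intact, per the note above
# Synchronize is granted implicitly with any read/write right; ignore it when comparing.
$sync = [int][System.Security.AccessControl.FileSystemRights]::Synchronize

foreach ($path in $expected.Keys) {
    if (-not (Test-Path $path)) { Write-Host "SKIP    $path (not present)"; continue }
    foreach ($ace in (Get-Acl $path).Access) {
        $who     = $ace.IdentityReference.Value
        $granted = [int]$ace.FileSystemRights
        $line    = "{0}  {1,-32} {2}" -f $path, $who, $ace.FileSystemRights
        if ($pleskAccounts -contains $who.Split('\')[-1]) { Write-Host "PLESK   $line (leave intact)"; continue }
        if ($ace.AccessControlType -ne 'Allow')            { Write-Host "DENY    $line"; continue }
        if (-not $expected[$path].ContainsKey($who))       { Write-Host "EXTRA   $line"; continue }
        # Flag any right granted beyond what the checklist allows for this identity.
        $wanted = [int][System.Security.AccessControl.FileSystemRights]$expected[$path][$who]
        $excess = $granted -band (-bnot $wanted) -band (-bnot $sync)
        if ($excess -ne 0) { Write-Host "EXCESS  $line (beyond $($expected[$path][$who]))" }
        else               { Write-Host "OK      $line" }
    }
}
```

EXTRA and EXCESS lines are the ones to act on in the folder's Security tab; DENY entries are listed so that an unexpected deny rule is not overlooked.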

FTP - W3C LOGGING TAB:

Check for the following under Advanced Logging: Website > Properties > W3C > Properties

  • Client IP address
  • User Name
  • Service Name
  • Server IP address
  • Server Port
  • Method
  • URI Stem
  • URI query
  • Protocol Status
  • Protocol Substatus
  • Win32 Status
  • User Agent
  • Host
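The two W3C logging checklists above (web sites and FTP sites) can be verified in one pass against the IIS 6 metabase. The following script is an added example, not part of the original checklist; it assumes PowerShell 2.0 and a local IIS 6 installation reachable through the ADSI provider. The bit values are the MD_LOGEXT_* flags that make up the LogExtFileFlags metabase property; the W3C module's CLSID is read from the metabase rather than hard-coded.

```powershell
# Added example (not part of the original checklist): report which of the required
# W3C extended logging fields are not enabled on each web and FTP site. Assumes
# PowerShell 2.0 and local IIS 6 (ADSI provider). Bit values are the MD_LOGEXT_* flags.
$required = @{
    'Client IP address'  = 0x4;       'User Name'    = 0x8;      'Service Name'    = 0x10
    'Server IP address'  = 0x40;      'Server Port'  = 0x8000;   'Method'          = 0x80
    'URI Stem'           = 0x100;     'URI query'    = 0x200;    'Protocol Status' = 0x400
    'Protocol Substatus' = 0x200000;  'Win32 Status' = 0x800;    'User Agent'      = 0x10000
    'Host'               = 0x100000
}

function Get-MissingLogFields($site) {
    $flags = [int]$site.LogExtFileFlags.Value
    return @($required.Keys | Where-Object { ($flags -band $required[$_]) -eq 0 } | Sort-Object)
}

# Resolve the W3C Extended module's CLSID from the metabase instead of hard-coding it.
$w3cClsid = ([ADSI]'IIS://localhost/Logging/W3C Extended Log File Format').LogModuleId.Value

foreach ($service in 'W3SVC', 'MSFTPSVC') {
    $root = [ADSI]"IIS://localhost/$service"
    foreach ($site in $root.psbase.Children) {
        # Only site nodes (IIsWebServer / IIsFtpServer); skip the Info, Filters and AppPools containers.
        if ($site.psbase.SchemaClassName -notmatch 'Server$') { continue }
        $label = "{0}/{1} ({2})" -f $service, $site.psbase.Name, $site.ServerComment.Value
        if ($site.LogPluginClsid.Value -ne $w3cClsid) {
            Write-Host "$label : not using W3C Extended log format"; continue
        }
        $missing = Get-MissingLogFields $site
        if ($missing.Count -eq 0) { Write-Host "$label : OK" }
        else { Write-Host ("{0} : missing {1}" -f $label, [string]::Join(', ', $missing)) }
    }
}
```

A site reported as "not using W3C Extended log format" needs the format changed first; the field list is only meaningful for that format.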


DNS

Disable zone transfers, or lock them down to the slave (secondary) servers only.

Event Viewer (Administrative Tools > Event Viewer)

  • Increase Maximum Log Size to 16384 KB
  • Clear each event log (NOTE: you may save the event logs you are clearing to the win2k3setupfiles folder. If you do, name them according to the log type and date: Sysevent00-00-00, Appevent00-00-00, Secevent00-00-00, etc.)
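The Event Viewer steps above (save each log under the type-and-date naming scheme, raise the maximum size, clear it) can be done in one pass with the Win32_NTEventlogFile WMI class, which exists on both Windows 2000 and 2003. This is an added example, not part of the original checklist; it assumes PowerShell 2.0 and the C:\windows2k3setupfiles folder named in the registry section, and it refuses to clear a log whose backup failed.

```powershell
# Added example (not from the original checklist): back up, resize and clear each
# event log. Assumes PowerShell 2.0 and the C:\windows2k3setupfiles folder.
$backupDir = 'C:\windows2k3setupfiles'
$date      = Get-Date -Format 'MM-dd-yy'                       # mo-day-yr, as used elsewhere in this checklist
$prefix    = @{ 'System' = 'Sysevent'; 'Application' = 'Appevent'; 'Security' = 'Secevent' }
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

foreach ($log in Get-WmiObject Win32_NTEventlogFile) {
    $name = $log.LogfileName
    $stem = $prefix[$name]
    if (-not $stem) { $stem = $name }                           # other logs (DNS Server, etc.) keep their own name
    $file = Join-Path $backupDir "$stem$date.evt"

    # BackupEventlog needs the Backup privilege; 0 = success. Never clear a log that was not saved.
    $rc = $log.BackupEventlog($file).ReturnValue
    if ($rc -ne 0) { Write-Host ("{0,-12} backup failed (return {1}); NOT cleared" -f $name, $rc); continue }

    $log.MaxFileSize = 16384 * 1024                              # 16384 KB, as the checklist requires
    $log.Put() | Out-Null
    $log.ClearEventlog() | Out-Null
    Write-Host ("{0,-12} saved to {1}; max size now {2} KB; cleared" -f $name, $file, ($log.MaxFileSize / 1KB))
}
```

Run it from an elevated (Administrators) session; a non-zero return from BackupEventlog on the Security log almost always means the Backup privilege is missing.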



Registry Changes

VERY IMPORTANT!!! Create a full backup of the registry.
If you do not know the procedure to do this, please ask. Place the backup on the customer's server under c:\windows2k3setupfiles\registry backup\xx-xx-xx (where xx-xx-xx is the date in mo-day-yr format).

You may apply some of these changes by importing the registry key files from the OS Hardening directory: S:\Security\documentation\OSHARDENINGDOCS\Windows Reg Keys – the changes highlighted in red are the ones with importable registry key files; if you import those registry keys you do not have to make the changes manually.

The only keys not located on \\fs2 in the reg key directory are the last two: using a key file to delete keys can cause problems.

Clear Paging file:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management: ClearPageFileAtShutdown = 1

Restrict anonymous logon:

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA: RestrictAnonymous = 1

Delete the following values:

  • HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems: Posix
  • HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems: Optional

Registry Enumeration Countermeasure: (Prevent non-administrators from connecting to sections of the Registry via remote Win32 programming interfaces)

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedExactPaths: Machine (click on Machine and delete the paths in the textbox)
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths: Machine (click on Machine and delete the paths in the textbox)

Restrict null session access:

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters: RestrictNullSessAccess = 1

Remove administrative shares:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters: AutoShareServer = 0

TCP/IP Stack Hardening (only do this when specifically required)

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters:
      SynAttackProtect = 2
      TcpMaxPortsExhausted = 5
      TcpMaxHalfOpen = 350
      TcpMaxHalfOpenRetried = 200
      EnableDynamicBacklog = 1
      MinimumDynamicBacklog = 20
      MaximumDynamicBacklog = 20000

Delete the following values:

  • HKLM\Software\Microsoft\RPC\ClientProtocols: ncacn_ip_tcp
  • HKLM\Software\Microsoft\RPC\ClientProtocols: ncadg_ip_udp

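The registry section above, from the mandatory backup through the value changes and deletions, can be scripted as follows. This is an added example, not part of the original checklist or the key files on \\fs2; it assumes PowerShell 2.0 and the backup path given above. Two points a practitioner should know: the "Delete" items are values, not keys, so they are removed with Remove-ItemProperty; and the three *DynamicBacklog values are read by AFD from HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters (Microsoft KB 142641), so the script writes them there rather than under Tcpip. The TCP and RPC changes sit behind switches because the first is for special cases only and the second breaks any local RPC client that needs the TCP or UDP transport.

```powershell
# Added example (not part of the original checklist): back up the registry, then apply
# the value changes above. Assumes PowerShell 2.0. -Tcp adds the stack hardening
# values; -Rpc removes the two RPC client protocols (off by default, see lead-in).
param([switch]$Tcp, [switch]$Rpc)

$stamp  = Get-Date -Format 'MM-dd-yy'
$backup = "C:\windows2k3setupfiles\registry backup\$stamp"
New-Item -ItemType Directory -Path $backup -Force | Out-Null
foreach ($hive in 'SYSTEM', 'SOFTWARE') {
    $file = Join-Path $backup "HKLM_$hive.reg"
    if (Test-Path $file) { Remove-Item $file }          # reg.exe would otherwise prompt to overwrite
    & reg.exe export "HKLM\$hive" $file | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of HKLM\$hive failed; no changes made." }
}

$dword = @{
    'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management' = @{ ClearPageFileAtShutdown = 1 }
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'                               = @{ RestrictAnonymous = 1 }
    'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'          = @{ RestrictNullSessAccess = 1; AutoShareServer = 0 }
}
if ($Tcp) {
    $dword['HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'] =
        @{ SynAttackProtect = 2; TcpMaxPortsExhausted = 5; TcpMaxHalfOpen = 350; TcpMaxHalfOpenRetried = 200 }
    # AFD, not Tcpip, reads the dynamic backlog values (KB 142641).
    $dword['HKLM:\SYSTEM\CurrentControlSet\Services\AFD\Parameters'] =
        @{ EnableDynamicBacklog = 1; MinimumDynamicBacklog = 20; MaximumDynamicBacklog = 20000 }
}
foreach ($key in $dword.Keys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in $dword[$key].Keys) {
        New-ItemProperty -Path $key -Name $name -Value $dword[$key][$name] -PropertyType DWord -Force | Out-Null
        Write-Host ("SET     {0}\{1} = {2}" -f $key, $name, (Get-ItemProperty $key).$name)
    }
}

# Registry enumeration countermeasure: empty the REG_MULTI_SZ Machine lists under winreg.
foreach ($sub in 'AllowedExactPaths', 'AllowedPaths') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\$sub"
    if (Test-Path $key) {
        New-ItemProperty -Path $key -Name Machine -Value ([string[]]@()) -PropertyType MultiString -Force | Out-Null
        Write-Host "CLEARED $key\Machine"
    }
}

# Values to delete: the Posix/Optional subsystem entries, and optionally the RPC client protocols.
$remove = @{ 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems' = @('Posix', 'Optional') }
if ($Rpc) { $remove['HKLM:\SOFTWARE\Microsoft\Rpc\ClientProtocols'] = @('ncacn_ip_tcp', 'ncadg_ip_udp') }
foreach ($key in $remove.Keys) {
    foreach ($name in $remove[$key]) {
        if ((Get-ItemProperty $key -ErrorAction SilentlyContinue).$name -eq $null) { Write-Host "ABSENT  $key\$name"; continue }
        Remove-ItemProperty -Path $key -Name $name
        Write-Host "REMOVED $key\$name"
    }
}
Write-Host "Backup in $backup. ClearPageFileAtShutdown and the TCP values take effect after a reboot."
```

To roll back, double-click the exported .reg files in the backup folder (or use reg.exe import); the SET lines print the value read back from the registry so a failed write is visible immediately.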

Control Panel Changes


Control Panel\System\Advanced\Startup and Recovery

  • Set display list to 10 seconds.
  • Check "Automatically Restart"
  • Set Write Debugging Information to "none"


Control Panel\ Administrative Tools\Local Security Policy\Account Policies\Password Policy\

  • Enforce password history to 8
  • Minimum password length to 8
  • Maximum password age to 42
  • Minimum Password Age to 5 days
  • Password must meet complexity requirements - Enabled


Control Panel\ Administrative Tools\Local Security Policy\Account Policies\Account Lockout Policy

  • Account lockout duration to 20 minutes
  • Account lockout threshold to 10
  • Reset account lockout counter to 20 minutes


Control Panel\ Administrative Tools\Local Security Policy\Local Policies\Audit Policy

  • Audit account logon events to Success, Failure
  • Audit account management to Success, Failure
  • Audit directory service access to Failure
  • Audit logon events to Success, Failure
  • Audit object access to Failure
  • Audit policy change to Success, Failure
  • Audit privilege use to Failure
  • Audit process tracking to Failure
  • Audit system events to Failure


Control Panel\ Administrative Tools\Local Security Policy\Local Policies\User Rights

  • Log on as a batch job - (Ensure no user accounts are in this list).
  • Log on as a service - (Ensure no user accounts are in this list).
  • Change System Time – Remove Power users
  • Debug Programs – Remove Administrator Group
  • Force Shutdown – Remove Operators Group
  • Load Device Drivers – Remove Print Operators group


Control Panel\ Administrative Tools\Local Security Policy\Local Policies\Security Options

  • Shutdown: Allow system to be shut down without having to log on to Disabled
  • Audit: Audit use of Backup and Restore privilege to Enabled
  • Interactive Logon: Do not require CTRL-ALT-DEL for logon to Disabled
  • Interactive Logon: Do not display last user name in logon screen to Enabled
  • Interactive Logon: Message text for users attempting to log on to

This commercial computer system is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy. Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to authorized site, ISP, and law enforcement personnel, as well as authorized officials of other agencies, both domestic and foreign, and The Planet Information Security team. By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of authorized site or The Planet Information Security team. Unauthorized or improper use of this system may result in civil and criminal penalties. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning by US CODE: Title 18, U.S.C.

  • Interactive Logon: Message title for users attempting to log on: WARNING!
  • Devices: Prevent users from installing printer drivers to Enabled
  • Recovery Console: Allow automatic administrative logon to Disabled
  • Devices: Restrict CD-ROM access to locally logged-on user only to Enabled
  • Devices: Restrict floppy access to locally logged-on user only to Enabled
  • Devices: Unsigned driver installation behavior to Do not allow installation

(NOTE: May prevent software installs)

  • Network access: Allow anonymous SID/Name translation to Disabled
  • Network access: Do not allow anonymous enumeration of SAM accounts to Enabled
  • Network access: Do not allow anonymous enumeration of SAM accounts and shares to Enabled
  • Reload the policies: Security Settings > Reload
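The password, lockout, audit and security-option settings in the Local Security Policy sections above can be applied as a security template with secedit.exe, after exporting the current policy for rollback. The following is an added example, not part of the original checklist; it assumes PowerShell 2.0 and that the logon banner text from this checklist has been saved to C:\windows2k3setupfiles\secpol\banner.txt. The [Registry Values] lines use the template's type codes (1 = REG_SZ, 3 = REG_BINARY, 4 = REG_DWORD); the banner itself contains commas, which the template format treats as line separators, so it is written straight to the registry instead. The User Rights items above are remove-from-list edits and are left to the GUI, since a template replaces each right's whole list; gpupdate at the end replaces the "Reload" step.

```powershell
# Added example (not from the original checklist): apply the Local Security Policy
# settings above as a secedit template. Assumes PowerShell 2.0 and banner.txt in $dir.
$dir = 'C:\windows2k3setupfiles\secpol'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
& secedit.exe /export /cfg "$dir\before.inf"            # rollback copy of the current policy

# Single-quoted here-string so "$CHICAGO$" and the backslashes are written literally.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
PasswordHistorySize = 8
MinimumPasswordLength = 8
MaximumPasswordAge = 42
MinimumPasswordAge = 5
PasswordComplexity = 1
LockoutDuration = 20
LockoutBadCount = 10
ResetLockoutCount = 20
LSAAnonymousNameLookup = 0
[Event Audit]
AuditAccountLogon = 3
AuditAccountManage = 3
AuditDSAccess = 2
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPolicyChange = 3
AuditPrivilegeUse = 2
AuditProcessTracking = 2
AuditSystemEvents = 2
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,"WARNING!"
MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms=1,"1"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies=1,"1"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers=4,1
MACHINE\Software\Microsoft\Driver Signing\Policy=3,2
'@ | Out-File "$dir\hardening.inf" -Encoding Unicode

# Audit values: 1 = Success, 2 = Failure, 3 = Success and Failure.
& secedit.exe /configure /db "$dir\hardening.sdb" /cfg "$dir\hardening.inf" /overwrite /log "$dir\hardening.log" /quiet

# Logon banner: written directly because the template format cannot carry the commas.
$policies = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$banner   = [IO.File]::ReadAllText((Join-Path $dir 'banner.txt'))
Set-ItemProperty -Path $policies -Name LegalNoticeText    -Value $banner
Set-ItemProperty -Path $policies -Name LegalNoticeCaption -Value 'WARNING!'

# Compare the live machine against the template and refresh policy (the "Reload" step).
& secedit.exe /analyze /db "$dir\hardening.sdb" /log "$dir\analyze.log"
& gpupdate.exe /force
Write-Host "Rollback: secedit /configure /db $dir\rollback.sdb /cfg $dir\before.inf /overwrite"
```

Check hardening.log for "Task is completed" and analyze.log for any "Mismatch" lines before moving on; a mismatch usually means a Plesk or domain policy is overriding a local setting.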


Control Panel\ Administrative Tools\Computer Management\Local Users and Groups\Users

  • Guest account\General Tab\User cannot change password
  • Guest account\General Tab\Password never expires
  • Guest account\General Tab\Account is disabled
  • Guest account\Dial-in Tab\Remote Access Permission\Deny access

Do the same for the DECOY Administrator account.
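The account steps from the Administrator Account section (rename the real administrator, create the disabled decoy with no group memberships) and the Guest/decoy flags just above can be done with the WinNT ADSI provider. The following is an added example, not part of the original checklist; it assumes PowerShell 2.0, and CustomerId is a placeholder for the verified customer number. The Dial-in "Deny access" setting is not exposed by this provider and remains a GUI step.

```powershell
# Added example (not from the original checklist): rename Administrator, create the
# decoy, and apply the Guest/decoy account flags via the WinNT ADSI provider.
# Assumes PowerShell 2.0. CustomerId is a placeholder (cxxxxx in the checklist).
param([string]$CustomerId = $(throw 'CustomerId (cxxxxx) is required; verify it first'))

$ADS_UF_ACCOUNTDISABLE     = 0x2
$ADS_UF_PASSWD_CANT_CHANGE = 0x40
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
$pc       = $env:COMPUTERNAME
$computer = [ADSI]"WinNT://$pc"

function Add-UserFlags($user, [int]$mask) {
    $user.psbase.RefreshCache()                       # make sure the current flags are loaded first
    $user.UserFlags = ($user.UserFlags.Value -bor $mask)
    $user.SetInfo()
}

# 1. Rename the built-in Administrator (its RID 500 SID is unchanged) and reset the password.
$admin    = [ADSI]"WinNT://$pc/Administrator,user"
$newAdmin = "${CustomerId}_admin"
$admin.SetPassword((Read-Host "New complex password for $newAdmin"))
$admin.SetInfo()
$admin.psbase.Rename($newAdmin)

# 2. Decoy 'Administrator': random throw-away password, described as decoy, no group memberships.
$decoy = $computer.Create('user', 'Administrator')
$decoy.SetPassword([Guid]::NewGuid().ToString())
$decoy.SetInfo()
$decoy.Description = 'decoy'
$decoy.SetInfo()
$users = [ADSI]"WinNT://$pc/Users,group"            # new local users land in Users automatically
$users.Remove("WinNT://$pc/Administrator,user")

# 3. Guest and decoy: cannot change password, password never expires, account disabled.
$lock = $ADS_UF_ACCOUNTDISABLE -bor $ADS_UF_PASSWD_CANT_CHANGE -bor $ADS_UF_DONT_EXPIRE_PASSWD
Add-UserFlags $decoy $lock
Add-UserFlags ([ADSI]"WinNT://$pc/Guest,user") $lock

# 4. Verify the result for each account touched.
foreach ($name in $newAdmin, 'Administrator', 'Guest') {
    $u = [ADSI]"WinNT://$pc/$name,user"
    $f = $u.UserFlags.Value
    Write-Host ("{0,-18} disabled={1} cannotChange={2} neverExpires={3}" -f $name,
        (($f -band $ADS_UF_ACCOUNTDISABLE) -ne 0),
        (($f -band $ADS_UF_PASSWD_CANT_CHANGE) -ne 0),
        (($f -band $ADS_UF_DONT_EXPIRE_PASSWD) -ne 0))
}
```

Run it from a session logged on as a different administrator than the one being renamed, and confirm in Local Users and Groups that the decoy's "Member Of" tab is empty before handing the server over.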


General Changes (Windows 2000 only)

Windows 2003 also has an Everyone group, but it is not listed anywhere except on C:\ with special permissions only.

Remove all rights for the Everyone group (which was renamed) from the following c:\windows\system32 files:

  • arp.exe
  • at.exe
  • cacls.exe
  • cmd.exe
  • command.com
  • debug.exe
  • edit.com
  • edlin.exe
  • finger.exe
  • ftp.exe
  • ipconfig.exe
  • nbtstat.exe
  • net.exe
  • netstat.exe
  • nslookup.exe
  • ping.exe
  • posix.exe
  • rdisk.exe
  • rcp.exe
  • rexec.exe
  • regedit.exe
  • regedt32.exe
  • route.exe
  • rsh.exe
  • runonce.exe
  • syskey.exe
  • tracert.exe
  • telnet.exe
  • xcopy.exe
  • (And any others not needed)
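The Everyone removal above can be done per file with cacls while keeping a record of each file's original security descriptor. The following is an added example, not part of the original checklist; it assumes PowerShell 2.0 and the C:\windows2k3setupfiles folder used elsewhere in this document. cacls cannot revoke an ACE that is inherited from the directory, so the script re-reads the ACL afterwards and reports FAILED where Everyone is still present.

```powershell
# Added example (not from the original checklist): revoke Everyone's rights on the
# listed tools, saving each file's SDDL first. Assumes PowerShell 2.0.
$tools = @(
    'arp.exe','at.exe','cacls.exe','cmd.exe','command.com','debug.exe','edit.com','edlin.exe',
    'finger.exe','ftp.exe','ipconfig.exe','nbtstat.exe','net.exe','netstat.exe','nslookup.exe',
    'ping.exe','posix.exe','rdisk.exe','rcp.exe','rexec.exe','regedit.exe','regedt32.exe',
    'route.exe','rsh.exe','runonce.exe','syskey.exe','tracert.exe','telnet.exe','xcopy.exe'
)
$sys32 = Join-Path $env:SystemRoot 'system32'
$saved = 'C:\windows2k3setupfiles\system32-acls-' + (Get-Date -Format 'MM-dd-yy') + '.txt'
New-Item -ItemType Directory -Path (Split-Path $saved) -Force | Out-Null

foreach ($tool in $tools) {
    $file = Join-Path $sys32 $tool
    if (-not (Test-Path $file)) { Write-Host "ABSENT  $tool"; continue }     # not every tool exists on every build
    $acl = Get-Acl $file
    # Record "<path>|<SDDL>" so the original descriptor can be restored with Set-Acl.
    "$file|$($acl.GetSecurityDescriptorSddlForm('All'))" | Out-File $saved -Append -Encoding ASCII
    $everyone = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq 'Everyone' })
    if ($everyone.Count -eq 0) { Write-Host "OK      $tool (no Everyone ACE)"; continue }
    & cacls.exe $file /E /R Everyone | Out-Null        # /E edit in place, /R revoke the group's rights
    $left = @((Get-Acl $file).Access | Where-Object { $_.IdentityReference.Value -eq 'Everyone' }).Count
    if ($left -eq 0) { Write-Host "FIXED   $tool" } else { Write-Host "FAILED  $tool (inherited Everyone ACE still present)" }
}
Write-Host "Original descriptors saved to $saved"
```

To restore a file, read its line from the saved file, call SetSecurityDescriptorSddlForm on a fresh Get-Acl object with the recorded SDDL, and pass it to Set-Acl.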


IIS

(Windows 2000 generally) Stop the default web site, the FTP service and the SMTP service if the customer is not using them. (You can also disable IIS, the FTP service and SMTP if the customer is running Serv-U or some other FTP server, MailEnable or Merak as the mail server, and Apache for websites.)

(Windows 2000 generally, for the following)

  • Delete the "iisstart.asp" in the WWWRoot directory
  • Delete the "iissamples" folder under the "inetpub" directory
  • Delete the "iisadmin" folder under the "inetpub" directory
  • Delete the "iishelp", "iisadmin" and "iissamples" virtual directories for all current webs.

NOTE: These directories should be deleted on any future webs also.


Display Properties

  • Set screen saver to "Logon Screen Saver"
  • Set screen saver to 5 minutes
  • Check password protect


Vulnerability Scan

For the customer:

  • Use a vulnerability scanner or scanning service to verify that the site is secure and no vulnerabilities exist. The Planet offers vulnerability scanning for free under Security in your Orbit interface.

Run through the Microsoft Baseline Security Analyzer again to see if you’ve missed anything.