harris-winsec02.ppt
8/12/2019 harris-winsec02.ppt
http://slidepdf.com/reader/full/harris-winsec02ppt 1/44
NIST Recommendations for System Administrators for Securing Windows 2000 Professional
Tony Harris, Booz Allen
Murugiah Souppaya, NIST
Outline
- Introduction
- Why we did it
- General hardening principles
- Securing Windows 2000 Professional
- Securing popular applications
- NIST Template
- Contact information
NIST Assets Include:
- 3,000 employees
- 1,600 guest researchers
- $760 million annual budget
- NIST Laboratories -- national measurement standards
- Advanced Technology Program -- $570 million current R&D partnerships with industry
- Manufacturing Extension Partnership -- 400 centers nationwide to help small manufacturers
- Baldrige National Quality Award
NIST’s mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life.
National Institute of Standards and Technology
NIST Measurement and Standards Laboratories
NIST Mandate for Computer Security
- Develop standards and guidelines for the Federal government
- Contribute to improving the security of commercial IT products and strengthening the security of users’ systems and infrastructures
Computer Security Division Mission
To improve information systems security by:
- raising awareness of IT risks, vulnerabilities and protection requirements, particularly for new and emerging technologies;
- researching, studying, and advising agencies of IT vulnerabilities and devising techniques for the cost-effective security and privacy of sensitive Federal systems;
- developing standards, metrics, tests and validation programs:
  - to promote, measure, and validate security in systems and services
  - to educate consumers
  - to establish minimum security requirements for Federal systems
- developing guidance to increase secure IT planning, implementation, management and operation.
Recent Documents
- Securing Wireless Networks: A Manager’s Guide
- Designing Secure Wireless Networks
- Network Testing Guide
- Applying Security Patches
- Securing Your Public Webserver
- Security Issues and Solutions for E-mail
- Telecommuting Security Cookbook
- System Administrator Guidance for Securing MS Windows 2000 Professional System
Why did we do it?
- NIST recognized a need for a guide to consolidate various best practices
- Very little federal guidance exists for securing popular applications
- Guide designed for educated users and administrators
Goals
- Secure Windows 2000 Professional and the suite of applications found on a desktop system
- Built on the existing resources, i.e. guides, documents, and recommendations produced by NSA, Microsoft, and the security community
- A complete, unified how-to document covering the OS and common application installation and configuration, with references and pointers to specialized resources
Document Structure
- High level overview of Windows 2000 built-in security features
- Windows 2000 Professional installation recommendations
- Patching and updating
- Securing the OS
- Application security
- Description of modified registry keys
- Various references for further research
General OS Hardening Principles
- Perform a clean installation
- Install OS updates and patches
- Remove and disable unnecessary services, utilities, and applications
- Restrict access to the OS critical binaries and system configuration files and utilities
- Least privilege – administrator and user role
- Protection of user data through discretionary access control
- Auditing critical files
General Principles for Protecting Applications Against Active Content
- Install virus scanners
  - Keep updated
  - Enable e-mail attachment scanning
- Keep applications updated
- Remove VBS and VBE file-type associations
- Set Outlook attachment security to High
- Set macro security to High
- Enable digital signatures for safe macros
- Set Internet Zone security to High
- Utilize Trusted Site Zone
System Administrator Guidance for Securing Microsoft Windows 2000 Professional System - Overview
- Install OS and default applications
- Fully patch the OS and applications
- Configure applications
- Review the template settings and customize for your environment
- Apply the security template
- Test the settings
- Deploy within your environment
Windows 2000 Professional Installation
- Perform the installation on a secure network segment or off the network
- Partition the hard drive using NTFS for system and data files
- Install OS with minimum required services
- Install Internet Protocol (TCP/IP) networking and Client for Microsoft Networks only
Application Installation
- Install an anti-virus scanner, e.g. Norton Antivirus, McAfee, or F-Secure
- Install an e-mail client, e.g. Eudora or MS Outlook 2000
- Install the browser, e.g. Internet Explorer 6 or Netscape 4.79
- Install MS Office 2000, selecting only the required components
- Run and test each application
Updates and Patches
- Apply the latest service pack, i.e. SP2
- Download and install the required hotfixes from the Microsoft security site, http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/current.asp
- Windows Update can be used to download and install the patches; use caution for initial updates, since this method requires a connection to the Internet.
- Download and install all other application patches and updates as required
- Periodically scan the system to determine patch status for the OS and all applications.
Microsoft Hotfix Service
Hfnetchk.exe
- Tool used to check the hotfix status of
  - Single computer
  - IP range
  - Entire domain
- Can be downloaded from http://www.microsoft.com/downloads/release.asp?releaseid=31154
- Latest configuration file can be manually downloaded from http://msvaus.www.conxion.com/download/xml/security/1.0/NT5/EN-US/mssecure.cab
Qchain.exe
- Allows installation of multiple hotfixes without rebooting between each
- Install hotfixes with the -z switch to disable the reboot after install
- Run qchain.exe after the hotfixes have been installed
- Run Qfecheck.exe /v to verify the hotfix installation
- http://support.microsoft.com/default.aspx?scid=kb;en-us;Q282784
Anti-Virus Configuration
- Ensure signatures are up to date
- Enable automatic protection
- Enable email scanning
- Enable Internet filtering
- Enable periodic scanning
- Enable heuristics, if available
- Enable automatic updating
Outlook Client Configuration
- Disable auto opening of messages
- Disable preview pane and auto preview
- Set attachment security to High
- Set security zone to Restricted
- Set macro security level to High
  - Macros will be silently disabled unless they are signed
Eudora Client Configuration
- Ensure that all executable content extension types are registered in the WarnLaunchExtensions list within the Eudora.ini file.
- Redirect the Eudora data files into the user’s application directory
- Ensure that executables in HTML content are not allowed
- Do not use Microsoft's viewer
- Enable executable warnings
IE Zone Security
- Local intranet zone: content located on the internal network
- Trusted sites zone: websites entered into the zone are considered reputable and/or trustworthy
- Internet zone: untrusted content
- Restricted sites zone: highest security level, for untrusted sites and applications
- Local machine zone: files on the local computer
IE Configuration
- Set the Internet Zone to High
- Set the Trusted Site Zone security to Medium
- Add trusted sites that will not function with a High security setting to this zone
- Set the intranet setting to the maximum setting your environment can tolerate
Netscape Configuration
- Enable the minimum utilities required during the install
- Disable Java and JavaScript if not required
- Review plug-ins and remove the .dll files for undesired plug-ins
Office Configuration
- Enable digital signatures for trusted macros
- Ensure macro security is set to High
- Clear the “Trust all installed add-ins and templates” checkbox to apply the macro security settings to preinstalled macros
- If required within your environment, all macros can be disabled regardless of their signature status through registry settings
NIST Template Settings
- Created by combining recommendations from Microsoft, NSA, and the security community
- Few modifications were made to NSA’s recommendations
- Added several keys and modifications to services
- Tested all of the settings using combinations of the applications discussed within the guide
Services Disabled by the NIST Template
- Internet Connection Sharing
- Routing and Remote Access
- Task Scheduler
- Telnet
- Guidance given to administrators for disabling additional services
Password Policy Differences
Setting                          NSA   Microsoft   SANS       NIST
Maximum Password Age (days)      42    42          45 to 90   90
Minimum Password Age (days)      2     2           1 to 5     1
Minimum Password Length          12    8           8          8
- Maximum Password Age: system administration cost and time considerations
- Minimum Password Age: acceptable length of time to prevent users from changing passwords to circumvent the history table
- Minimum Password Length: system administration cost and time considerations
Account Lockout Policy
Setting                                         NSA   Microsoft   SANS   NIST
Account Lockout Duration (minutes)              15    0           240    15
Account Lockout Threshold                       3     5           5      3
Reset Account Lockout Counter After (minutes)   15    30          240    15
- Account Lockout Duration: system administration cost and time considerations
- Account Lockout Threshold: a shorter account lockout duration allows us to decrease the lockout threshold
- Reset Account Lockout Counter After: system administration cost and time considerations
Audit Policy
Setting                          NSA       Microsoft          SANS               NIST
Audit Directory Service Access   None      Not Defined        Success, Failure   None
Audit Object Access              Failure   Success, Failure   Success, Failure   Failure
Audit Privilege Use              Failure   Success, Failure   Success, Failure   Failure
Changes made for reduction of log entries
User Rights Assignment
Right                                   NSA                     Microsoft     SANS                NIST
Access this computer from the network   Users, Administrators   Not Defined   None                Users, Administrators
Bypass traverse checking                Users                   Not Defined   Administrators      Users
Change system time                      Administrators          Not Defined   Admin, Auth Users   Administrators
Force shutdown from a remote location   Administrators          Not Defined   None                Administrators
- Bypass traverse checking: some directory permissions require this privilege
- Change system time: restricted for audit purposes
- Force shutdown from a remote location: system administration cost and time considerations
Security Options
- LAN Manager Authentication Level
  - NSA, Microsoft & NIST = NTLMv2 / refuse NTLM & LM
  - SANS = NTLMv2 or NTLM
  - For use in a Windows 2000-only environment
- Shutdown immediately if unable to log security audits
  - NSA = Enabled; Microsoft = Disabled
  - SANS = Enabled if 9 to 18 Gb
  - NIST = Disabled; enable if site policy requires it
SynAttackProtect
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect = 2
- Hardens the TCP stack against SYN attacks
- Adjusts the retransmission delays for SYN-ACKs
- TCP connection requests quickly time out when a SYN attack is in progress.
TcpMaxHalfOpen
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen = 100
- This key controls the number of connections in the SYN-RCVD state allowed before SYN attack protection begins to operate.
TcpMaxHalfOpenRetried
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried = 80
- The TcpMaxHalfOpenRetried parameter controls the number of connections in the SYN-RCVD state for which there has been at least one retransmission of the SYN sent, before SYN attack protection begins to operate.
EnablePMTUDiscovery
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery = 1
- Limits TCP segments to the largest packet size allowed to a remote host, to eliminate packet fragmentation.
EnableICMPRedirects
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirects = 0
- This parameter controls whether Windows 2000 will alter its route table in response to ICMP redirect messages that are sent to it by network devices such as routers.
AeDebug\Auto
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Auto = 0
- This setting disables auto start of the Dr. Watson program debugger on Windows 2000 Professional.
- To re-enable the debugger, type the following at the command line: drwtsn32 -i
- The debugger dump files can contain sensitive information.
CreateCrashDump
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DrWatson\CreateCrashDump = 0
- If Dr. Watson is enabled, this setting prevents sensitive information from being dumped from memory.
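The NIST column of the password, lockout, audit, user rights and security options slides, the four disabled services, and the registry keys from SynAttackProtect through CreateCrashDump, written as an added example in the security template (.inf) format that the Security Configuration Tool Set applies. This is not the NIST template itself: the file name, the service security descriptor (SDDL) and the value types chosen for the two Dr. Watson entries are assumptions.

```ini
; nist_w2kpro_example.inf (assumed name) -- illustrative template, not the NIST release
; [Registry Values] entries are "path=type,data": 4 = REG_DWORD, 1 = REG_SZ
; [Event Audit] values: 0 = none, 1 = success, 2 = failure, 3 = success and failure
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
; Password policy, NIST column (ages in days)
MaximumPasswordAge = 90
MinimumPasswordAge = 1
MinimumPasswordLength = 8
; Account lockout policy, NIST column (durations in minutes)
LockoutBadCount = 3
LockoutDuration = 15
ResetLockoutCount = 15
[Event Audit]
; NIST column: failures only, to reduce log volume
AuditDSAccess = 0
AuditObjectAccess = 2
AuditPrivilegeUse = 2
[Privilege Rights]
; Well-known SIDs: S-1-5-32-544 = Administrators, S-1-5-32-545 = Users
SeNetworkLogonRight = *S-1-5-32-545,*S-1-5-32-544
SeChangeNotifyPrivilege = *S-1-5-32-545
SeSystemtimePrivilege = *S-1-5-32-544
SeRemoteShutdownPrivilege = *S-1-5-32-544
[Registry Values]
; LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLM
; CrashOnAuditFail 0 = do not halt when security audits cannot be logged
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0
; TCP/IP stack hardening keys from the slides
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect=4,2
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen=4,100
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried=4,80
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery=4,1
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirects=4,0
; Dr. Watson: Auto written as REG_SZ "0", CreateCrashDump as REG_DWORD 0 (assumed types)
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\Auto=1,"0"
MACHINE\Software\Microsoft\DrWatson\CreateCrashDump=4,0
[Service General Setting]
; name,startup type (4 = disabled),security descriptor; the SDDL below is an assumed default ACL
SharedAccess,4,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
RemoteAccess,4,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
Schedule,4,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
TlntSvr,4,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
```

Load the file into the Security Configuration and Analysis snap-in and run an analysis first, which lists every setting that differs from the current machine, before applying it with secedit /configure /db nist.sdb /cfg nist_w2kpro_example.inf on a test system.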
Future
- Welcome inputs and suggestions from the security community
- Areas:
  - Windows 2000 Server and Active Directory
  - Windows XP Professional and Home
  - Microsoft .NET
- Suggestions: [email protected]
Conclusion
- Document: http://csrc.nist.gov/itsec/download_W2Kpro.html
- Comments, suggestions, and questions: [email protected]
Disclaimer
Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST, nor does it imply that the products mentioned are necessarily the best available for the purpose.
The following information is provided for civil and government agencies requiring security configuration guidelines.
Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment.
This document is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment. Furthermore, this guide does not address site-specific configuration issues. Care must be taken when implementing this guide to address local operational and policy concerns.
This document and templates were developed at the National Institute of Standards and Technology by employees of the Federal Government in the course of their official duties. Pursuant to title 17 Section 105 of the United States Code, this document and templates are not subject to copyright protection and are in the public domain. NIST assumes no responsibility whatsoever for their use by other parties, and makes no guarantees, expressed or implied, about their quality, reliability, or any other characteristic. We would appreciate acknowledgement if the documents and templates are used.