harris-winsec02.ppt

8/12/2019 harris-winsec02.ppt http://slidepdf.com/reader/full/harris-winsec02ppt 1/44 NIST Recommendations for System Administrators for Securing Windows 2000 Professional Tony Harris, Booz Allen Murugiah Souppaya, NIST

Uploaded by paolo-caputo, posted 03-Jun-2018

Page 1: NIST Recommendations for System Administrators for Securing Windows 2000 Professional

Tony Harris, Booz Allen

Murugiah Souppaya, NIST

Page 2: Outline

Introduction

Why we did it

General hardening principles

Securing Windows 2000 Professional

Securing popular applications

NIST Template

Contact information

Page 3: NIST Assets Include:

3,000 employees

1,600 guest researchers

$760 million annual budget

NIST Laboratories -- National measurement standards

Advanced Technology Program -- $570 million current R&D partnerships with industry

Manufacturing Extension Partnership -- 400 centers nationwide to help small manufacturers

Baldrige National Quality Award

NIST’s mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life.

National Institute of Standards and Technology

Page 4: NIST Measurement and Standards Laboratories

Page 5: NIST Mandate for Computer Security

Develop standards and guidelines for the Federal government

Contribute to improving the security of commercial IT products and strengthening the security of users’ systems and infrastructures

Page 6: Computer Security Division Mission

To improve information systems security by:

raising awareness of IT risks, vulnerabilities and protection requirements, particularly for new and emerging technologies;

researching, studying, and advising agencies of IT vulnerabilities and devising techniques for the cost-effective security and privacy of sensitive Federal systems;

developing standards, metrics, tests and validation programs:
    to promote, measure, and validate security in systems and services
    to educate consumers
    to establish minimum security requirements for Federal systems

developing guidance to increase secure IT planning, implementation, management and operation.

Page 7: Recent Documents

Securing Wireless Networks: A Manager’s Guide

Designing Secure Wireless Networks

Network Testing Guide

Applying Security Patches

Securing Your Public Webserver

Security Issues and Solutions for E-mail

Telecommuting Security Cookbook

System Administrator Guidance for Securing MS Windows 2000 Professional System

Page 8: Why did we do it?

NIST recognized a need for a guide to consolidate various best practices

Very little federal guidance exists for securing popular applications

Guide designed for educated users and administrators

Page 9: Goals

Secure the Windows 2000 Professional OS and the suite of applications found on a desktop system

Built on the existing resources, i.e. guides, documents, and recommendations produced by NSA, Microsoft, and the security community

A complete unified how-to document covering the OS and common applications installation and configuration, with references and pointers to specialized resources

Page 10: Document Structure

High level overview of Windows 2000 built-in security features

Windows 2000 Professional installation recommendations

Patching and Updating

Securing the OS

Application security

Description of modified registry keys

Various references for further research

Page 11: General OS Hardening Principles

Perform a clean installation

Install OS updates and patches

Remove and disable unnecessary services, utilities, and applications

Restrict access to the OS critical binaries and system configuration files and utilities

Least privilege – administrator and user role

Protection of user data through discretionary access control

Auditing critical files

Page 12: General Principles for protecting applications against active content

Install virus scanners
    Keep updated
    Enable e-mail attachment scanning

Keep applications updated

Remove VBS and VBE file-type associations

Set Outlook attachment security to high

Set macro security to High

Enable digital signatures for safe Macros

Set Internet Zone security to high

Utilize Trusted Site Zone

Page 13: System Administrator Guidance for Securing Microsoft Windows 2000 Professional System - Overview

Install OS and default applications

Fully patch the OS and applications

Configure applications

Review the template settings and customize for your environment

Apply the security template

Test the settings

Deploy within your environment

Page 14: Windows 2000 Professional Installation

Perform the installation on a secure network segment or off the network

Partition the Hard Drive using NTFS for system and data files

Install OS with minimum required services

Install Internet Protocol (TCP/IP) networking and Client for Microsoft Networks only

Page 15: Application Installation

Install an anti-virus scanner, e.g. Norton Antivirus, McAfee, or F-Secure

Install an E-mail client, e.g. Eudora or MS Outlook 2000

Install the browser, e.g. Internet Explorer 6 or Netscape 4.79

Install MS Office 2000, selecting only the required components

Run and test each application

Page 16: Updates and Patches

Apply the latest service pack, i.e. SP2

Download and install the required hotfixes from the Microsoft security site, http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/current.asp

Windows Update can be used to download and install the patches; use caution for initial updates, since this method requires a connection to the Internet.

Download and install all other application patches and updates as required

Periodically scan the system to determine patch status for the OS and all applications.

Page 17: Microsoft Hotfix Service

Page 19: Qchain.exe

Allows installation of multiple hotfixes without rebooting between each

Install hotfixes with the -z switch to disable reboot after install

Run qchain.exe after hotfixes have been installed

Run Qfecheck.exe /v to verify the hotfix installation

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q282784

Page 20: Anti-Virus Configuration

Ensure signatures are up to date

Enable automatic protection

Enable email scanning

Enable Internet filtering

Enable periodic scanning

Enable heuristics, if available

Enable automatic updating

Page 21: Outlook Client Configuration

Disable auto opening of messages

Disable preview pane and auto preview

Set attachment security to high

Set security zone to Restricted

Set macro security level to high
    Macros will be silently disabled unless they are signed

Page 22: Eudora Client Configuration

Ensure that all executable content extension types are registered in the WarnLaunchExtensions list within the Eudora.ini file.

Redirect the Eudora data files into the user's application directory

Ensure that executables in HTML content are not allowed

Do not use Microsoft's viewer

Enable executable warnings

Page 23: IE Zone Security

Local intranet zone
    Content located on internal network

Trusted site zone
    Websites entered into zone are considered reputable and/or trustworthy

Internet zone
    Untrusted content

Restricted sites zone
    Highest security level for untrusted sites and applications

Local machine zone
    Files on local computer

Page 24: IE Configuration

Set the Internet Zone to high

Set the Trusted Site Zone security to Medium
    Add trusted sites that will not function with a high security setting to this zone

Set the intranet setting to the maximum setting your environment can tolerate

Page 25: Netscape Configuration

Enable the minimum utilities required during the install

Disable Java and JavaScript if not required

Review plug-ins and remove undesired .dll files for the plug-ins

Page 26: Office Configuration

Enable digital signatures for trusted macros

Ensure macro security is set to high

Clear the “Trust all installed add-ins and templates” checkbox to apply the macro security settings to preinstalled macros

If required within your environment, all macros can be disabled regardless of their signature status through registry settings

Page 27: NIST Template Settings

Created by combining recommendations from Microsoft, NSA, and the Security Community

Few modifications were made to NSA’s recommendations

Added several keys and modifications to services

Tested all of the settings using combinations of the applications discussed within the guide

Page 28: Services

NIST Template Disabled:
    Internet Connection Sharing
    Routing and Remote Access
    Task Scheduler
    Telnet

Guidance given to administrators for disabling of additional services

Page 29: Password Policy Differences

Maximum Password Age (days)
    NSA = 42; Microsoft = 42; SANS = 45 to 90; NIST = 90
    System Administration cost and time considerations

Minimum Password Age (days)
    NSA = 2; Microsoft = 2; SANS = 1 to 5; NIST = 1
    Acceptable length of time to prevent users from changing passwords to circumvent the history table

Minimum Password Length
    NSA = 12; Microsoft = 8; SANS = 8; NIST = 8
    System Administration cost and time considerations

Page 30: Account Lockout Policy

Account Lockout Duration (minutes)
    NSA = 15; Microsoft = 0; SANS = 240; NIST = 15
    System Administration cost and time considerations

Account Lockout Threshold (invalid logon attempts)
    NSA = 3; Microsoft = 5; SANS = 5; NIST = 3
    A shorter account lockout duration allows us to decrease the lockout threshold

Reset Account Lockout Counter After (minutes)
    NSA = 15; Microsoft = 30; SANS = 240; NIST = 15
    System Administration cost and time considerations

Page 31: Audit Policy

Audit Directory Service Access
    NSA = None; Microsoft = Not Defined; SANS = Success, Failure; NIST = None

Audit Object Access
    NSA = Failure; Microsoft = Success, Failure; SANS = Success, Failure; NIST = Failure

Audit Privilege Use
    NSA = Failure; Microsoft = Success, Failure; SANS = Success, Failure; NIST = Failure

Changes made for reduction of log entries
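The password, lockout and audit values on the three preceding slides are the kind of settings that drift when a template is customized, so it is worth checking a template mechanically before it is applied. The script below is an added example, not code from the NIST guide or its template: it parses the [System Access] and [Event Audit] sections of a secedit-style .inf security template and lists every setting that differs from the NIST values on the slides. The section and key names are the standard secedit template names; the audit flag encoding (0 = none, 1 = success, 2 = failure, 3 = both) is the one secedit uses. The sample template text is constructed for the demonstration.

```python
"""Audit a Windows 2000 security template (.inf) against the NIST values.

Added example, not part of the NIST guide or its template.  Parses the
[System Access] and [Event Audit] sections of a secedit-style template and
reports each setting that deviates from the values given on slides 29-31.
"""
import configparser

# NIST template values from the slides (ages in days, lockout times in
# minutes, threshold in invalid logon attempts).
NIST_SYSTEM_ACCESS = {
    "MaximumPasswordAge": 90,
    "MinimumPasswordAge": 1,
    "MinimumPasswordLength": 8,
    "LockoutDuration": 15,
    "LockoutBadCount": 3,
    "ResetLockoutCount": 15,
}

# secedit audit flags: 0 = none, 1 = success, 2 = failure, 3 = success and failure.
AUDIT_NONE, AUDIT_SUCCESS, AUDIT_FAILURE, AUDIT_BOTH = 0, 1, 2, 3
NIST_EVENT_AUDIT = {
    "AuditDSAccess": AUDIT_NONE,
    "AuditObjectAccess": AUDIT_FAILURE,
    "AuditPrivilegeUse": AUDIT_FAILURE,
}

# Constructed sample: a template carrying vendor-style defaults, several of
# which differ from the NIST values.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 2
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
[Event Audit]
AuditSystemEvents = 3
AuditObjectAccess = 3
AuditPrivilegeUse = 2
AuditDSAccess = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_template(text):
    """Parse template text; '=' is the only delimiter and ';' starts a comment."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case as written in the template
    cp.read_string(text)
    return cp


def audit_template(text):
    """Return [(section, key, found, expected)] for every deviating or missing setting."""
    cp = parse_template(text)
    findings = []
    for section, expected_map in (("System Access", NIST_SYSTEM_ACCESS),
                                  ("Event Audit", NIST_EVENT_AUDIT)):
        for key, expected in expected_map.items():
            raw = cp.get(section, key, fallback=None)
            found = int(raw) if raw is not None and raw.strip().lstrip("-").isdigit() else None
            if found != expected:
                findings.append((section, key, found, expected))
    return findings


def nist_template_text():
    """Render the checked settings as a template fragment carrying the NIST values."""
    lines = ["[Unicode]", "Unicode=yes", "[System Access]"]
    lines += [f"{k} = {v}" for k, v in NIST_SYSTEM_ACCESS.items()]
    lines.append("[Event Audit]")
    lines += [f"{k} = {v}" for k, v in NIST_EVENT_AUDIT.items()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for section, key, found, expected in audit_template(SAMPLE_TEMPLATE):
        print(f"[{section}] {key}: found {found}, NIST template uses {expected}")
```

Real templates exported by secedit or the Security Templates snap-in are UTF-16 text, so read them with open(path, encoding="utf-16") before passing the text to audit_template. A setting reported as found None is absent from the template and will be left at whatever the machine already has when the template is applied.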

Page 32: User Rights Assignment

Access this computer from the network
    NSA = Users, Administrators; Microsoft = Not Defined; SANS = None; NIST = Users, Administrators

Bypass traverse checking
    NSA = Users; Microsoft = Not Defined; SANS = Administrators; NIST = Users
    Some directory permissions require this privilege

Change system time
    NSA = Administrators; Microsoft = Not Defined; SANS = Admin, Auth Users; NIST = Administrators
    Restricted for Audit purposes

Page 33: User Rights Assignment

Force shutdown from a remote location
    NSA = Administrators; Microsoft = Not Defined; SANS = None; NIST = Administrators
    System Administration cost and time considerations

Page 34: Security Options

LAN Manager Authentication Level
    NSA, Microsoft & NIST = NTLMv2 / Refuse NTLM & LM; SANS = NTLMv2 or NTLM
    For use in a Windows 2000-only environment

Shutdown immediately if unable to log security audits
    NSA = Enabled; Microsoft = Disabled; SANS = Enabled if 9 to 18 Gb; NIST = Disabled / Enable if site policy requires it

Page 35: SynAttackProtect

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect = 2

Hardens the TCP stack against SYN attacks

Adjusts the retransmission delays for SYN-ACKs

TCP connection requests quickly time out when a SYN attack is in progress.

Page 36: TcpMaxHalfOpen

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen = 100

This key controls the number of connections in the SYN-RCVD state allowed before SYN-attack protection begins to operate.

Page 37: TcpMaxHalfOpenRetried

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried = 80

The TcpMaxHalfOpenRetried parameter controls the number of connections in the SYN-RCVD state for which there has been at least one retransmission of the SYN sent, before SYN-attack protection begins to operate.

Page 38: EnablePMTUDiscovery

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery = 1

Limits TCP segments to the largest packet size allowed to a remote host to eliminate packet fragmentation.

Page 39: EnableICMPRedirects

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirects = 0

This parameter controls whether Windows 2000 will alter its route table in response to ICMP redirect messages that are sent to it by network devices such as routers.

Page 40: AeDebug\Auto

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Auto = 0

This setting disables auto start of the Dr. Watson program debugger on Windows 2000 Professional. To re-enable the debugger, type the following at the command line: drwtsn32 -i

The debugger dump files can contain sensitive information.

Page 41: CreateCrashDump

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DrWatson\CreateCrashDump = 0

If Dr. Watson is enabled, this setting prevents sensitive information from being dumped from memory.
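The seven registry values on slides 35 through 41 can be verified from a Regedit export instead of by hand, which also gives a record of what a machine looked like before the template was applied. The script below is an added example, not code from the NIST guide or its template: it parses the text of a .reg file (the sample export is constructed), compares each value with the one the slides give, and can render a .reg file carrying the expected values. It assumes Regedit's text export format with dword: or quoted-string data, and treats AeDebug\Auto as the string value Windows stores it as, so both "0" and dword:00000000 count as 0.

```python
"""Compare a Regedit (.reg) export against the TCP/IP and Dr. Watson values
from the NIST template (slides 35-41).

Added example, not code from the NIST guide or its template.  Input is the
text of a Regedit / 'reg export' file; the sample export below is constructed.
"""
import re

TCPIP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
AEDEBUG = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug"
DRWATSON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DrWatson"

# (key path, value name) -> expected value, as given on the slides.
EXPECTED = {
    (TCPIP, "SynAttackProtect"): 2,
    (TCPIP, "TcpMaxHalfOpen"): 100,
    (TCPIP, "TcpMaxHalfOpenRetried"): 80,
    (TCPIP, "EnablePMTUDiscovery"): 1,
    (TCPIP, "EnableICMPRedirects"): 0,
    (AEDEBUG, "Auto"): 0,
    (DRWATSON, "CreateCrashDump"): 0,
}
# Values stored as REG_SZ rather than REG_DWORD (assumption: Auto is a string).
STRING_VALUES = {(AEDEBUG, "Auto")}

# Constructed sample export with two values that differ and one missing.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000001
"TcpMaxHalfOpen"=dword:00000064
"TcpMaxHalfOpenRetried"=dword:00000050
"EnablePMTUDiscovery"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
"Auto"="1"
"Debugger"="drwtsn32 -p %ld -e %ld -g"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DrWatson]
"CreateCrashDump"=dword:00000001
"""

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def parse_reg(text):
    """Return {(key, name): int} for every dword or numeric-string value.

    Keys and names are lower-cased because the registry is case-insensitive;
    binary/hex data and non-numeric strings are skipped.
    """
    values = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = _VALUE_RE.match(line)
        if key is None or m is None:
            continue
        data = m.group("data")
        if data.lower().startswith("dword:"):
            values[(key, m.group("name").lower())] = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            s = data[1:-1]
            if s.lstrip("-").isdigit():
                values[(key, m.group("name").lower())] = int(s)
    return values


def audit_reg(text):
    """List (key, name, found, expected) for each missing or non-conforming value."""
    found = parse_reg(text)
    findings = []
    for (key, name), expected in EXPECTED.items():
        actual = found.get((key.lower(), name.lower()))
        if actual != expected:
            findings.append((key, name, actual, expected))
    return findings


def render_reg():
    """Render a .reg file that sets every expected value."""
    by_key = {}
    for (key, name), value in EXPECTED.items():
        by_key.setdefault(key, []).append((name, value))
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, items in by_key.items():
        out.append(f"[{key}]")
        for name, value in items:
            if (key, name) in STRING_VALUES:
                out.append(f'"{name}"="{value}"')
            else:
                out.append(f'"{name}"=dword:{value:08x}')
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    for key, name, actual, expected in audit_reg(SAMPLE_EXPORT):
        print(f"{key}\\{name}: found {actual}, NIST template uses {expected}")
```

A value reported as found None is not present in the export at all; for the Tcpip parameters that means the stack is running on its built-in default rather than the hardened value, which is worth distinguishing from a value someone set deliberately. Changes to the Tcpip parameters take effect after a reboot.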

Page 42: Future

Welcome inputs and suggestions from the Security Community

Areas:
    Windows 2000 Server and Active Directory
    Windows XP Professional and Home
    Microsoft .NET

Suggestions: [email protected]

Page 43: Conclusion

Document: http://csrc.nist.gov/itsec/download_W2Kpro.html

Comments, suggestions, and questions: [email protected]

Page 44: Disclaimer

Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.

The following information is provided for Civil and Government agencies requiring security configuration guidelines.

Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment.

This document is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment. Furthermore this guide does not address site-specific configuration issues. Care must be taken when implementing this guide to address local operational and policy concerns.

This document and templates were developed at the National Institute of Standards and Technology by employees of the Federal Government in the course of their official duties. Pursuant to title 17 Section 105 of the United States Code this document and templates are not subject to copyright protection and are in the public domain. NIST assumes no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic. We would appreciate acknowledgement if the documents and templates are used.