
Hardening Windows PDF

191 Pages·2004·5.763 MB·English

Preview Hardening Windows

Hardening Windows

JONATHAN HASSELL

APress Media, LLC

Hardening Windows
Copyright © Apress 2004
Originally published by Jonathan Hassell in 2004

All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.

ISBN 978-1-59059-266-3
ISBN 978-1-4302-0681-1 (eBook)
DOI 10.1007/978-1-4302-0681-1

Trademarked names may appear in this book. Rather than use a trademark symbol with every occurrence of a trademarked name, we use the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

Lead Editor: Jim Sumser
Technical Reviewer: Oris Orlando
Editorial Board: Steve Anglin, Dan Appleman, Gary Cornell, James Cox, Tony Davis, John Franklin, Chris Mills, Steve Rycroft, Dominic Shakeshaft, Julian Skinner, Jim Sumser, Karen Watterson, Gavin Wray, John Zukowski
Project Manager: Tracy Brown Collins
Copy Manager: Nicole LeClerc
Copy Editor: Mark Nigara
Production Manager: Kari Brooks
Production Editor: Janet Vail
Compositor: Dina Quan
Proofreader: Liz Welch
Indexer: Carol Burbo
Artist: April Milne
Cover Designer: Kurt Krames
Manufacturing Manager: Tom Debolski

Distributed to the book trade in the United States by Springer-Verlag New York, Inc., 175 Fifth Avenue, New York, NY 10010 and outside the United States by Springer-Verlag GmbH & Co. KG, Tiergartenstr. 17, 69112 Heidelberg, Germany.

In the United States: phone 1-800-SPRINGER, e-mail [email protected], or visit http://www.springer-ny.com. Outside the United States: fax +49 6221345229, e-mail [email protected], or visit http://www.springer.de.

For information on translations, please contact Apress directly at 2560 Ninth Street, Suite 219, Berkeley, CA 94710. Phone 510-549-5930, fax 510-549-5939, e-mail [email protected], or visit http://www.apress.com.

The information in this book is distributed on an "as is" basis, without warranty. Although every precaution has been taken in the preparation of this work, neither the author(s) nor Apress shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in this work.

The source code for this book is available to readers at http://www.apress.com in the Downloads section.

Contents at a Glance

About the Author
About the Technical Reviewer
Acknowledgments
Introduction
Chapter 1 Hardening: Theory and General Practice
Chapter 2 Windows NT Security
Chapter 3 Windows 2000 Security
Chapter 4 Windows XP Security
Chapter 5 Defining Enterprise Security Policies with Windows 2000 and Later
Chapter 6 Patch Management
Chapter 7 Network Access Quarantine Control
Chapter 8 Internet Information Services Security
Chapter 9 Exchange 2000 Server Security
Chapter 10 Security Auditing and Event Logs
Appendix Quick-Reference Checklists
Index

Contents

About the Author
About the Technical Reviewer
Acknowledgments
Introduction

Chapter 1 Hardening: Theory and General Practice
    What Is Security?
    The Security Dilemma
    Enemies of Security
    Some General Hardening Suggestions
    Software Considerations
    Hardware and Network Considerations
    Checkpoints

Chapter 2 Windows NT Security
    Windows NT System Policy Editor
    Customizing and Applying Group Policies
    Resolving Conflicts Between Multiple Policies
    Recommended User Policy Settings
    Passwords
    Password Policies
    Password Cracking
    Protecting User Accounts
    Registry Procedures
    Protecting the File System
    Locking Down Local Directories
    Search Paths
    Guarding Against Internet Threats
    Windows NT Port Filtering
    Protecting Against Viruses
    Assigning Rights to Users
    Granting and Revoking User Rights
    Checkpoints

Chapter 3 Windows 2000 Security
    System Updates
    The "Slipstreaming" Process
    Critical Updates and Security Hotfixes
    Managing Critical Updates Across Multiple Computers
    Security Templates
    Creating a Custom Security Template
    Recommended Security Policy Settings
    User Accounts
    Local Options
    Other Security Considerations
    Windows Component Selection and Installation
    Tightening Running Services
    Checkpoints

Chapter 4 Windows XP Security
    Implementing a Firewall
    Changes to Services
    Microsoft Baseline Security Analyzer Patch Check and Security Tests
    Installing Microsoft Baseline Security Analyzer
    Penetration Tests
    File System Security
    Disable Automated Logins
    Hardening Default Accounts
    Using Forensic Analysis Techniques
    Checkpoints

Chapter 5 Defining Enterprise Security Policies with Windows 2000 and Later
    System Policies, Group Policies, and Interaction
    Mixing Policies and Operating Systems
    Security and the Group Policy Framework
    Organized Layout of Policies
    Policy Application Precedence
    Creating Security Configuration Files
    Default Domain Policy
    Default Domain Controller Security Policies
    Troubleshooting Group Policy
    Checkpoints

Chapter 6 Patch Management
    About Software Update Services
    Comparing Software Update Services to Systems Management Server
    Using Software Update Services: On the Server Side
    Using SUS: On the Client Side
    Checkpoints

Chapter 7 Network Access Quarantine Control
    How Network Access Quarantine Works
    A Step-by-Step Overview of Network Access Quarantine Control
    Deploying NAQC
    Creating Quarantined Resources
    Writing the Baseline Script
    Installing the Listening Components
    Creating a Quarantined Connection Profile
    Distributing the Profile to Remote Users
    Configuring the Quarantine Policy
    Checkpoints

Chapter 8 Internet Information Services Security
    Completely Disable IIS
    Checking for Updates on Machines
    Keeping IIS Updated
    Securing Files, Folders, and Scripts
    The Microsoft Indexing Service
    TCP/IP Port Evaluation
    Administrative and Default Pages
    The Ins and Outs of Internet Services Application Programming Interface
    Looking at Apache as an Alternative
    Checkpoints

Chapter 9 Exchange 2000 Server Security
    Installation Security
    Security Policy Modifications
    For Exchange Server Machines
    For Domain Controller Machines
    Service Security
    Patch Management
    Protecting Against Address Spoofing
    Protecting Against Denial-of-Service Attacks
    Restricting SMTP Access
    Controlling Access
    Checkpoints

Chapter 10 Security Auditing and Event Logs
    For Windows 2000, XP, and Server 2003
    Recommended Items to Audit
    Event Logs
    For Windows NT 4.0
    Recommended Items to Audit
    The Event Log
    Filtering Events
    What Might Be Missing
    Checkpoints

Appendix Quick-Reference Checklists

Index

About the Author

Jonathan Hassell is a systems administrator and IT consultant residing in Raleigh, NC. He is currently employed by one of the largest departments on campus at North Carolina State University, where he supports a computing environment that consists of Windows NT, 2000, XP, Server 2003, Sun Solaris, and HP-UX machines.

Hassell has extensive experience in networking technologies and Internet connectivity. He currently runs his own web-hosting business, Enable Hosting, which is based out of both Raleigh and Charlotte, NC. He is involved in all facets of the business, including finances, marketing, operating decisions, and customer relations.

Jonathan's previous published work includes RADIUS, published by O'Reilly & Associates, which serves as a detailed guide to the RADIUS authentication protocol and offers suggestions for implementing RADIUS and overall network security. He has also written monthly columns for the Windows 2000 Magazine Network and WindowsITSecurity.com. His work has also been published in CMP's Publish magazine and Pinnacle's Lima AppDev newsletter. Hassell's latest book, Managing Windows Server 2003, will be published by O'Reilly & Associates in early 2004.

About the Technical Reviewer

Oris Orlando, born in Naples, Italy, in 1971, has been interested in computer science since the eighties. His first computer was an Intellivision Computer Module, which allowed him to develop programs in the limited edition BASIC language only. At the end of the eighties, he began to use 8086 machines, and in 1989 he enrolled in the computer science department at the University of Salerno (Italy), from which he graduated in 1997. During his university career, he developed many applications for small businesses and often used a bulletin board system (BBS), before the Internet grew in popularity.

In December 1997 he worked at Siemens Nixdorf for two years as an analyst and programmer (Java, C, PL/SQL, CGI, HTML) in a web environment. In 1999 he took a position at Bull HN, where, for the first two years he belonged to a technical team. By the third year he became the project leader in the security department, before eventually becoming project manager. He is experienced in UNIX, Windows, Linux, DOS, computer programming, the Internet, security, and databases (Oracle, LDAP).
