Security Strategies in Windows Platforms and Applications
Chapter 11. Hardening the Microsoft Windows Operating System
IN PREVIOUS CHAPTERS, you learned about the Microsoft Windows
Operating System and its many security features. You discovered how you
can use different security controls in Windows to secure various aspects of
computers and networks in a Windows environment. In this chapter,
you'll learn how to apply what you've studied to make a computer running
a Microsoft Windows Operating System more secure. You'll find out
where you should focus your efforts for the most effective use of
resources. You'll also learn how to ensure each computer is as secure as
possible. You'll read as well how important a documented and repeatable
process is when making computers more secure.
Chapter 11 Topics
This chapter covers the following topics and concepts:
What the hardening process and mindset are
How to harden Microsoft Windows Operating System authentication
How to harden the network infrastructure
How to secure directory information and operations
How to harden Microsoft Windows Operating System administration
How to harden Microsoft servers and client computers
How to harden data access and controls
How to harden communications and remote access
How to harden public key infrastructure (PKI)
What user security training and awareness is
What the best practices are for hardening Microsoft Windows Operating System and applications
Chapter 11 Goals
When you complete this chapter, you will be able to:
Describe the Windows Operating System hardening process
Harden all aspects of Windows computers and network environments
Provide security training and awareness
Understanding the Hardening Process and Mindset
Software vendors of all types, including operating system vendors, encounter a basic dilemma when deciding on default installation options. One school of thought is to install the most features possible to showcase what the product can do. This approach is the one that vendors generally select because it promotes the richness of their product's features. The other approach is to only install the bare minimum of features to avoid increasing the product's vulnerability to attack. Many vendors, however, end up showcasing more features. This raises the risk of making their product more vulnerable. The software a computer runs that is vulnerable to attack is called the attack surface. The primary goal in securing Windows computers is to reduce the attack surface. While you can't ever reduce the risk of attack to zero, you can employ controls to make your computers more secure.
Strategies to Secure Windows Computers
You have two main strategies to choose from to reduce a computer's
attack surface. First, disable or remove programs that contain
vulnerabilities. This strategy is the most secure method. For example,
suppose you are concerned about vulnerabilities in the Microsoft Internet
Information Services (IIS) Web server. This Web server is running on
your computer and is named WebServ01. You could disable IIS on
WebServ01, or remove it entirely. An attacker can't compromise a
program that isn't present or running on a computer. Unfortunately,
WebServ01 is an important service for your organization. It is a Web
server for your e-commerce application. Since you can't disable or remove
IIS, you'll have to use another strategy.
The second main strategy to reduce the attack surface is to establish
controls on running programs to mitigate any known vulnerabilities. This
method is always more difficult and less complete. It is also more time
consuming than just disabling unneeded programs or services. Despite
this, it is necessary when running a program that contains vulnerabilities.
In this chapter, you'll learn the steps to reduce the operating system
attack surface of your computers. In the next chapter, you'll read about
reducing the attack surface of your applications. The process of making
configuration changes and deploying controls to reduce the attack surface
is called hardening.
TECHNICAL TIP
Always consider disabling or removing programs or services
that you don't really need. You shouldn't install programs if
you don't need them. You'll find that if you disable or remove
unneeded components the hardening process is easier. You
end up with a more secure computer. Always explore which
programs or services you actually need before researching
controls.
Hardening Windows computers is not a single activity—it is an ongoing
process. When installing Windows, choose the installation options for
programs and services you absolutely need. Then, harden each computer
as soon as you complete the installation process.
Install Only What You Need
The Windows 7 installation procedure follows a standard process. You
can't easily change which programs the process installs. If you are
installing Windows 7 you'll have to complete the install process and then
remove any unwanted components. When you install a Windows Server
2008 R2 operating system, you have the ability to select which programs
to install. The easiest way to customize a server is to define one or more
roles for the computer. A role is a predefined set of services, programs,
and configuration settings that enables a computer to fulfill specific
requirements. The available roles depend on the edition of Windows you
are installing. Recall that Microsoft offers the following editions of
Windows Server 2008 R2:
Foundation—Cost-effective, entry-level server for small businesses
Standard—Supports more features than Foundation edition for medium-sized businesses
Enterprise—Advanced server for more performance and reliability than Standard edition
Datacenter—Optimized for large-scale deployment using virtualization on small and large servers
Web—Optimized Web application and services platform
HPC—Windows High Performance Computing server for extensive scalability and interoperability between servers
Itanium—Windows server specifically designed for the Intel Itanium high performance processor
WARNING
Before installing Windows Server 2008 R2 ensure you have the correct edition to support the roles you'll need. For more information on the limitations on role support for each edition, go to http://www.microsoft.com/windowsserver2008/en/us/r2compare-roles.aspx.
Table 11-1 lists the 17 Windows Server 2008 R2 roles and which editions
support each role.
Table 11-1. Windows Server 2008 R2 standard installation roles and editions.

                                                  WINDOWS SERVER 2008 R2 EDITIONS
ROLE                                              FOUNDATION  STANDARD  ENTERPRISE
Active Directory Certificate Services             Partial     Partial   Yes
Active Directory Domain Services                  Yes         Yes       Yes
Active Directory Federation Services              No          No        Yes
Active Directory Lightweight Directory Services   Yes         Yes       Yes
Active Directory Rights Management Services       Yes         Yes       Yes
Application Server                                Yes         Yes       Yes
DHCP Server                                       Yes         Yes       Yes
DNS Server                                        Yes         Yes       Yes
Fax Server                                        Yes         Yes       Yes
File Services                                     Partial     Partial   Yes
Hyper-V                                           No          Yes       Yes
Network Policy and Access Services                Partial     Partial   Yes
Print and Document Services                       Yes         Yes       Yes
Remote Desktop Services                           Partial     Partial   Yes
Web Services (IIS)                                Yes         Yes       Yes
Windows Deployment Services                       Yes         Yes       Yes
Windows Server Update Services (WSUS)             Yes         Yes       Yes
Table 11-2. Windows Server 2008 R2 core installation roles and editions.

                                                  WINDOWS SERVER 2008 R2 EDITIONS (CORE INSTALL)
ROLE                                              FOUNDATION  STANDARD  ENTERPRISE
Active Directory Certificate Services             No          Yes       Yes
Active Directory Domain Services                  No          Yes       Yes
Active Directory Lightweight Directory Services   No          Yes       Yes
BranchCache Hosted Cache                          No          No        Yes
DHCP Server                                       No          Yes       Yes
DNS Server                                        No          Yes       Yes
File Services                                     No          Partial   Yes
Hyper-V                                           No          Yes       Yes
Media Services                                    No          Yes       Yes
Print Services                                    No          Yes       Yes
Web Services (IIS)                                No          Yes       Yes
Microsoft provides a new installation option making it easier to exclude
programs you don't need. The server core installation option provides
a minimal Windows Server 2008 R2 environment that includes only
programs necessary for the roles you select. A server core installation
doesn't even include a Windows graphical user interface (GUI). You use a
command line interface to interact with the operating system. Since
Microsoft limits the programs a server core installation installs, your
choice of roles is limited. Table 11-2 lists the roles from which you can
choose for a server core installation of Windows Server 2008 R2.
Taking the time to select the right role for each Windows Server 2008 R2
installation is the first step in hardening your Windows servers.
TECHNICAL TIP
You can open the SCW on a computer running Windows
Server 2008 R2 using these steps:
1. Choose the Windows Start button > Administrative Tools.
2. Select Security Configuration Wizard.
Security Configuration Wizard
Microsoft provides a tool with Windows Server 2008 R2 that helps
further reduce the attack surface of servers. The Security
Configuration Wizard (SCW) provides guidance to administrators. It
also creates policies based on the least privilege principle for the server
roles you've selected. The policies the SCW creates help control services
that run, authentication methods between computers, registry settings,
audit policy settings, and firewall settings for your server computers.
Figure 11-1 shows the Security Configuration Wizard's Configuration
Action window.
The SCW allows you to create, edit, apply, or roll back policies. It provides
you with one place to manage many security settings. This utility helps
you harden several servers without manually modifying many security
settings. If you have several servers that you want to configure to operate
the same as one or more other servers, use the SCW to create a baseline
policy and then apply that policy to the other servers. Once you select the
server on which this policy is based, you can either view the current
configuration or continue to the next Wizard windows to enter policy
information.
Figure 11-1. Windows Security Configuration Wizard—Configuration Action.
Figure 11-2. Windows Security Configuration Wizard—Select Server Roles.
In each configuration, the Wizard window displays the current computer
configuration for new policies or the current policy setting for existing
policies. Here's a list of the SCW configuration settings windows and the
information you can enter in each one:
Select Server Roles—Select or deselect the roles you want to define for this policy.
Select Client Features—Since servers may also serve as clients for some services, you can select the specific client services for the policy.
Select Administration and Other Options—Select the additional options that apply to this policy.
Select Additional Services—Select the additional services defined in the policy or on the computer that you want to keep.
Handling Unspecified Services—Keep or disable any services not specified in the previous four windows.
Confirm Service Changes—Review changes that SCW will make to the policy.
Network Security Rules—Define, edit, or remove firewall rules for this policy.
Require SMB Security Signatures—Set minimum requirements for access to computers using shared resources.
Require LDAP Signing—Set minimum requirements for computers sending LDAP queries.
Outbound Authentication Methods—Set the mode for outbound computer authentication.
Outbound Authentication Using Domain Accounts—Set minimum requirements for outbound authentication using Domain accounts.
Registry Settings Summary—Review registry settings changes that SCW will make to the policy.
System Audit Policy—Set the global audit level for activities.
Audit Policy Summary—Review audit policy changes that SCW will make.
Save Security Policy—Save the policy under a specified name and optionally apply the security policy.
Figure 11-2 shows the Security Configuration Wizard's Select Server Roles
window.
Use the SCW after installing each Windows server to harden it for use in
your secure environment.
Manually Disabling and Removing Programs and Services
Before proceeding, back up the Windows registry. It is a good idea to back
up the Windows registry before making any changes. Some of the changes
you make to Windows can cause unexpected results. A Windows registry
backup may help you research problems and restore settings. In addition,
make changes on a test computer whenever possible. Making changes on
test computers gives you the ability to test the results of those changes
before they impact your production environment.
The next step is to evaluate each computer. Identify remaining programs
and services that you don't need. If you carefully selected the roles for
each server computer and then run the SCW, you shouldn't have to
remove or disable many programs. Since Windows 7 doesn't provide the
option to install the operating system based on roles or a tool like the
SCW you'll likely find several programs and services you don't need. For
example, it is a good idea to disable the Remote Registry service. This
service allows remote users to modify the Windows registry on the computer. Once you
identify any unneeded programs or services, either disable or remove
them.
The most permanent and secure option is to remove unneeded programs.
Make sure you know what a program is before you remove it. Don't just
remove a program because you don't know what it is. If you don't
recognize a program, try searching for the program name using an
Internet search. You'll likely find information that will help you decide
whether or not to remove the program. You can remove unneeded
programs in the Control Panel. Removing a program makes it impossible
for an attacker to use that program to compromise a computer.
TECHNICAL TIP
You can create a Windows registry backup by following these
steps:
1. Choose the Windows Start button > Run.
2. Type regedit.exe in the fill-in.
3. Select File > Export from the menu.
4. Enter the desired file name for the registry backup and choose Save.
TECHNICAL TIP
Open the Add/Remove Programs utility on a computer
running Windows 7 or Windows Server 2008 R2 using these
steps:
1. Choose the Windows Start button > Control Panel.
2. Select Uninstall a Program under the Programs link.
Figure 11-3 shows the uninstall utility for Windows 7.
Many programs in the Windows operating system run as services. You'll
find many services running on servers as well as workstations. The
Windows Services maintenance utility allows you to start, stop, and
change the settings for services defined for a computer. An alternative to
removing or uninstalling a program that runs as a service is to disable it.
When a Windows computer boots, the operating system reads the list of
services and starts the services with a Startup type value of Automatic.
Windows will also start services with a Startup type value of Automatic
(delayed start) as well once all of the Automatic services have started. You
can change the Startup type to Disabled for any services you want to
prevent Windows from starting. Although it is possible to manually start a service by running the program, disabling a service reduces the probability an attacker can use it to compromise a computer.
Figure 11-3. Uninstalling a program in Windows.
Figure 11-4. Windows Services.
TECHNICAL TIP
Launch and use the Windows Service Maintenance utility on
a computer running Windows 7 or Windows Server 2008 R2
using these steps:
1. Choose the Windows Start button > Administrative Tools.
   If the Administrative Tools option does not appear on the menu, select Control Panel > Administrative Tools.
2. Select Services.
3. To edit the properties of any service, select the service, open the context menu by right mouse clicking on the service, then select Properties.
Figure 11-4 shows the Windows Services Maintenance utility.
Figure 11-5 shows the Windows Services Properties dialog.
After you've identified unneeded programs and services and have either
removed or disabled them, you can address remaining vulnerabilities. To
continue the hardening process, learn about common vulnerabilities in
running programs and deploy controls to secure your computers from
those vulnerabilities.
Figure 11-5. Windows Services Properties.
Hardening Microsoft Windows Operating System Authentication
The next step in hardening your Windows operating systems is to address
authentication weaknesses. If you ran the SCW on each server, you have
already hardened the computer to computer authentication. The SCW
allows you to require higher minimum operating system levels for
inbound and outbound authentication. Later operating system versions
are more secure and provide more features. If all of the computers in your
environment are running the latest version of Windows, then disallow
older authentication methods. For example, computers that run Windows
2000 or later support NTLMv2 authentication. Earlier versions of
Windows only support the older NTLM protocol. If all your computers are
running Windows 2000 or later you can disable support for NTLM. The
SCW allows you to change these security settings.
Remove or disable any unused or inactive user accounts defined for each
computer, both locally and in Active Directory (AD). Unused user
accounts provide additional targets for attackers. The most dangerous
user for any Windows computer is Administrator. This user has elevated
permissions and exists on every Windows computer. Attackers know that
accessing the Administrator account allows them many ways to
compromise a computer. Unfortunately, you can't delete the
Administrator account. But you can disable it. The best way to protect
your administrative rights from attackers is to follow these steps:
1. Create new accounts that will become the new Administrator users.
2. Assign the necessary Administrator rights to the new users, or to a group object.
   Test each of the new Administrator accounts to ensure they possess the necessary rights and permissions.
3. Disable the default Administrator account.
Following these steps will make it more difficult for attackers to escalate
their privileges to include administrative rights. They have to guess which
users now have administrative rights. Many automated attacks target the
default Administrator user, so if you have disabled that user such attacks
will fail. Once you have disabled the Administrator user, remove other
users, such as Guest, that you do not need. As with the Administrator
user, attackers know that many Windows operating systems have default
users no one took the time to remove. They'll try to use these accounts to
compromise your computers.
The next step in hardening Windows authentication is to establish and
enforce strong account policies. Create or edit Group Policy to modify
settings for the following policies:
Password policy—Settings for password age, length, complexity, storage, and history. The goal for passwords is to require users to change passwords frequently, but not too frequently. If you force users to change passwords too often and make them too complex, users will likely just write down passwords and keep them close to their workstations. A good rule of thumb is to set maximum password age to 60 days, enable password complexity, and require that passwords be at least eight characters in length. Users will have to change their passwords every 60 days and create passwords that contain upper and lower case characters as well as digits or special symbols.
Account policy—Settings for account lockout duration, threshold,
and reset count. Use these settings to make it more difficult for
automated tools to use brute force attacks to guess passwords. A
good rule of thumb is to use an account lockout threshold of five to
lock a user account after five failed logon attempts. You could set
the duration and reset count to 15 to force a user to wait 15 minutes
after five failed logons. After 15 minutes the user could try to log on
and have five more attempts before either successfully logging on or
being locked out again.
Kerberos policy—Settings for logon restrictions and ticket
lifetimes. These settings tell Windows how long Kerberos tickets
should be allowed to live and whether the Kerberos servers should
authenticate users on every request. The default ticket lifetime is 10
hours. This default works well unless your environment routinely
supports users who work for more than 10 hours at a time. The
Kerberos lifetime should be a little longer than a user's workday.
Ensuring you only have the accounts you need, both at the local computer
level and in Active Directory, can reduce your exposure to attack.
Reviewing, and if needed, strengthening the password policies will harden
your Windows authentication and make it harder for attackers to
compromise your Windows computers.
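The account policy rules of thumb and the Administrator and Guest steps above can be checked with a script. The following PowerShell script is an added example, not code from the book: it exports the policy in effect with secedit, compares it with the values given in this section, and reports whether the built-in Administrator (RID 500) and Guest (RID 501) accounts are disabled. It assumes PowerShell 2.0 or later on Windows 7 or Windows Server 2008 R2 and an elevated prompt.

```powershell
# Added example, not from the book: audit a computer's account policy and
# built-in accounts against the chapter's rules of thumb.
# Assumes PowerShell 2.0 or later on Windows 7 / Windows Server 2008 R2 and an
# elevated prompt (secedit needs administrator rights).

function Get-LocalSecurityPolicy {
    # Export the policy in effect on this computer to an INF file and return
    # its key = value pairs ([System Access] holds the account policy) as a hashtable.
    $inf = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    $policy = @{}
    foreach ($line in (Get-Content $inf)) {
        if ($line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $policy[$matches[1]] = $matches[2] }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $policy
}

function Test-AccountPolicy {
    param([hashtable]$Policy)
    # Rules of thumb from the chapter: maximum password age 60 days, complexity
    # on, at least 8 characters; lockout after 5 failed logons, with a 15 minute
    # lockout duration and reset counter. Columns: INF key, target, comparison, label.
    $checks = @(
        @('MaximumPasswordAge',    60, 'le', 'Maximum password age (days)'),
        @('PasswordComplexity',     1, 'eq', 'Password complexity enabled (1)'),
        @('MinimumPasswordLength',  8, 'ge', 'Minimum password length'),
        @('LockoutBadCount',        5, 'le', 'Lockout threshold (failed logons)'),
        @('LockoutDuration',       15, 'ge', 'Lockout duration (minutes)'),
        @('ResetLockoutCount',     15, 'ge', 'Reset lockout counter after (minutes)')
    )
    foreach ($c in $checks) {
        $key = $c[0]; $want = $c[1]; $op = $c[2]; $label = $c[3]
        if (-not $Policy.ContainsKey($key)) {
            # secedit omits the lockout keys entirely when lockout is disabled.
            "FAIL  $label : not set"
            continue
        }
        $have = [int]$Policy[$key]
        # A MaximumPasswordAge of -1 means passwords never expire, so the 'le'
        # comparison also insists on a positive value.
        $ok = $false
        switch ($op) {
            'le' { $ok = ($have -gt 0) -and ($have -le $want) }
            'ge' { $ok = ($have -ge $want) }
            'eq' { $ok = ($have -eq $want) }
        }
        $status = 'FAIL'; if ($ok) { $status = 'PASS' }
        "$status  $label : $have (want $op $want)"
    }
}

function Test-BuiltInAccounts {
    # The built-in Administrator account always has RID 500 and Guest RID 501,
    # whatever they have been renamed to, so match on the SID suffix rather
    # than on the account name.
    $accounts = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True"
    foreach ($acct in $accounts) {
        if ($acct.SID -match '-(500|501)$') {
            $rid = $matches[1]
            $status = 'FAIL'; if ($acct.Disabled) { $status = 'PASS' }
            "$status  Built-in account '$($acct.Name)' (RID $rid) disabled : $($acct.Disabled)"
        }
    }
}

Test-AccountPolicy -Policy (Get-LocalSecurityPolicy)
Test-BuiltInAccounts
```

On a domain member the script reports the policy applied to that computer's local accounts; run it on a domain controller to check the domain account policy.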
Hardening the Network Infrastructure
Once you've reduced the ability for unauthorized users to log onto your
Windows computers, the next step is to harden other access methods.
Computers communicate with other devices and computers on a network
by sending messages to a destination port address. The combination of a
protocol, a host name or address, and a port number identifies the
intended target location for a message. For example, assume a Transmission
Control Protocol (TCP) message travels to www.myserver.com at port
80. Port 80 is the commonly used port for Web traffic. It is likely that
there is a Web server on the server at the address www.myserver.com. If
this server is a Web server, then you would want to accept TCP traffic on
port 80. If you didn't accept the traffic, your Web server would never
receive any Web requests and essentially wouldn't be able to do its job.
Identify all of the network server and client services that require access to
ports. In the previous example, you know that the Web server needs port
80 to be open. If other services are running on the same computer,
investigate which ports each service needs.
Figure 11-6. Windows Firewall with Advanced Security.
Figure 11-7. Group Policy Management Editor—Windows Firewall with Advanced Security.
Once you know what your computer needs to operate, modify your
firewall settings to open those ports. Depending on which ports you need
you may find that they're already open. Close all other ports. If a specific
server computer does not run a Web server, it generally doesn't need port
80 open. The SCW utility helps you define firewall rules that correspond
to server roles and services required to support those roles. You can
customize your firewall rules to fine-tune your network infrastructure
security for Windows server computers. You'll have to manually change
firewall settings for Windows 7 workstations.
In previous versions of Windows, you would make firewall changes
directly in the Windows Firewall maintenance utility. In Windows 7 and
Windows Server 2008 R2, you can maintain firewall rules in two different
ways. One way is to use the Windows Firewall with the Advanced Security
maintenance utility. Alternatively, you can use the Group Policy
Management Editor to manage firewall settings. Using Group Policy to
manage your firewall makes maintenance easier. Create one or more
Group Policy Objects (GPO) for firewall settings in Active Directory and
apply them to groups of computers without having to edit each one.
Figures 11-6 and 11-7 show the Windows Firewall with Advanced Security
and editing firewall settings in the Group Policy Management Editor.
Regardless of the method you use to edit firewall settings, close all ports
and disallow all connections except for those ports and applications you
need. Fewer entry points to your computers make them more secure.
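As an added example (not from the book), the following netsh advfirewall commands, run from an elevated PowerShell prompt on a Windows 7 or Windows Server 2008 R2 web server, apply this close-everything-then-open-only-what-you-need posture and then verify it. The rule names and the management subnet 192.168.1.0/24 are assumed values; the same rules can be defined in a GPO as described above.

```powershell
# Added example, not from the book: default-deny inbound firewall posture for a
# web server, applied with netsh advfirewall (present on Windows 7 and Windows
# Server 2008 R2). Assumes an elevated prompt; rule names and the management
# subnet are constructed values.

# 1. Turn the firewall on for every profile and block inbound connections that
#    no rule allows; outbound stays allowed. The policy value is quoted because
#    PowerShell would otherwise split it at the comma into two arguments.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy "blockinbound,allowoutbound"

# 2. Open only the ports this role needs. HTTP.sys listens in kernel mode, so
#    the IIS rule is scoped by port rather than by program.
netsh advfirewall firewall add rule name="WebServ01 HTTP in" dir=in action=allow protocol=TCP localport=80
# Remote Desktop for administrators, reachable only from the management subnet.
netsh advfirewall firewall add rule name="WebServ01 RDP from mgmt" dir=in action=allow protocol=TCP localport=3389 remoteip=192.168.1.0/24

# 3. Log dropped packets so unexpected connection attempts are visible in the
#    firewall log (pfirewall.log under %SystemRoot%\system32\LogFiles\Firewall).
netsh advfirewall set allprofiles logging droppedconnections enable

# 4. Verify: every profile must be on and default to BlockInbound, and every
#    enabled inbound allow rule should be justified by a role the server provides.
function Test-FirewallPosture {
    $prof = ''
    foreach ($line in (netsh advfirewall show allprofiles)) {
        if ($line -match '^(\w+) Profile Settings') { $prof = $matches[1] }
        elseif ($line -match '^State\s+(\w+)' -and $matches[1] -ne 'ON') { "WARN: $prof profile firewall is $($matches[1])" }
        elseif ($line -match '^Firewall Policy\s+(\S+)' -and $matches[1] -notlike 'BlockInbound*') { "WARN: $prof profile policy is $($matches[1])" }
    }
    netsh advfirewall firewall show rule name=all | Select-String '^Rule Name|^Enabled|^Direction|^LocalPort|^Action'
}
Test-FirewallPosture
```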
Securing Directory Information and Operations
Active Directory (AD) is a valuable feature of Microsoft Windows for IT
operations. AD centralizes many maintenance tasks and makes it easy to
standardize security settings. It also is a valuable target for attackers,
since it stores so much useful information. Since AD is a target for
attackers it should also be a target for your hardening efforts.
Begin by recognizing the value of compromising AD. Limit the number of
administrators with access to AD. Ensure that administrators managing
AD do so using separate Administrator user accounts. Administrators
should have one account for AD administration and at least one other
account for other administration tasks. Isolating privileged user accounts
makes the accounts harder to compromise. You can create an AD security
group with necessary privileges for this purpose. To add additional AD
administration restrictions, require that AD administrators do their AD
work only from dedicated terminal servers instead of their workstations.
This requirement reduces the potential of malware infections on
workstation computers to infect AD or allow AD compromise.
Periodically change the Directory Service Restore Mode (DSRM)
password. And immediately change it from the default password after
installation. This password is what you use to log on to a Domain
Controller (DC) that has been booted into DSRM mode to create an offline
copy of AD. This capability would allow an attacker to copy all your AD
information. Protect the DSRM password for each DC and change it at
least every six months.
Other steps you can take to harden AD include ensuring all DCs are
physically secure. Locate your DCs in a data center or other location with
limited access. Configure your DCs to audit important activities and use
Internet Protocol Security (IPSec) between all servers. IPSec may be a
little difficult to use for client connections, but setting it up for use
between servers doesn't take a lot of effort. IPSec will help ensure that
your AD remains secure.
Hardening Microsoft Windows OS Administration
Hardening the Windows operating system administration involves
protecting the Administrator user accounts and ensuring computers are
up to date. You've already learned that disabling the built-in Windows
Administrator account is a recommended step. After you create other user
accounts with Administrator privileges, disable the default Administrator
account and use the new accounts for all administrative tasks. Enable
strong passwords and set Administrator passwords to expire on a regular
basis. These settings will help keep your Administrator user accounts
secure.
Since a common administrative activity is to evaluate and change security
settings, it is very helpful to create and maintain baselines. Baselines are
copies of files and settings you can use for comparison or to restore if
necessary. Create a full backup of each system both before and after
hardening. The post-hardening backup will be your initial secure baseline.
You can use that backup to compare with future backups to identify
changes.
Figure 11-8. Group Policy Management Console—Backup GPO.
Although full backups contain all files and folders, it may be beneficial to
create individual backups of policies each time you change them. The
Group Policy Management Console (GPMC) gives you the ability to back
up and restore GPOs. The GPMC also allows you to manage backups of all
GPOs. Figure 11-8 shows the Backup GPO option in the GPMC.
Another critical component of hardening operating system administration
is ensuring all Windows systems are updated to the latest patch. Ensure
that Windows Update is configured to automatically download and install
the latest updates from Microsoft.
Figure 11-9 shows the Windows Update window.
Figure 11-10 shows the Windows Update Settings.
TECHNICAL TIP
Change the Windows Updates settings using these steps:
1. Choose the Windows Start button > Control Panel.
2. Select System and Security.
3. Select Windows Update. From this window you can
change Windows Update settings, manually check for
available updates, or view update history.
Figure 11-9. Windows Update.
Figure 11-10. Windows Update Settings.
Hardening Microsoft Servers and Client Computers
Don't neglect any computer that is attached to your network. You should
harden both servers and workstation computers. Any compromised
computer that is connected to your network is a threat to the entire
network. Microsoft makes the process of hardening server computers
easier with the SCW utility. You can implement many of the hardening
recommendations just by answering questions in the SCW. Workstation
computers are another matter. You will have to manually harden your
workstations. However, the news isn't all bad. Windows 7 is fairly secure
when it is installed and you won't have to start from scratch. You'll need
to take extra steps, but Windows 7 doesn't require substantial effort to
harden.
Hardening Server Computers
Server computers exist on your network to provide one or more specific
services. You have two main areas to address when hardening servers.
First, ensure that your server computers don't do anything they're not
supposed to do, such as run extra services that aren't needed. If a server
should provide database services only, then it probably shouldn't have IIS
installed as well. Second, harden the services they are supposed to
provide. Start off by installing only the roles you need for any particular
server to fulfill its purpose. One of the first steps to take after installing
any new server is to run the SCW utility. The SCW utility helps identify
many of the unneeded services and open ports. Run SCW to disable any
roles or services you don't need and then review the remaining services in
the Windows Services window. Disable any services that are still running
but you don't need.
After running SCW and disabling additional services, it is a good idea to
scan each server using a port scanner to identify any open ports you may
have missed. Use the nmap utility or any other port scanning software to
identify open ports. Your open port scan shouldn't find any unexpected
open ports. If it does locate any ports that are open, find out what service
is using them and decide whether to close the ports or add them to your
approved open ports list. You should know how every open port is being
used.
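To complement the external port scan, the following PowerShell script, added here and not part of the book, lists the TCP ports a server is listening on, maps each one to its process and Windows service, and flags any port that is not on an approved list. It assumes PowerShell 2.0 or later on Windows 7 or Windows Server 2008 R2; the approved-port list is a constructed example for a web server.

```powershell
# Added example, not from the book: list every listening TCP port on this
# computer with the owning process and Windows service, and flag ports that are
# not on an approved list. Assumes PowerShell 2.0 or later on Windows 7 /
# Windows Server 2008 R2; run it on the server itself and compare the result
# with the nmap scan taken from another host.

function Get-ServiceByPid {
    # Map process IDs to service names (several services can share one svchost).
    $map = @{}
    foreach ($svc in (Get-WmiObject Win32_Service -Filter "State='Running'")) {
        $id = [int]$svc.ProcessId
        if ($id -eq 0) { continue }
        if ($map.ContainsKey($id)) { $map[$id] += ',' + $svc.Name } else { $map[$id] = $svc.Name }
    }
    return $map
}

function Get-ListeningPorts {
    param([hashtable]$Approved)
    $serviceByPid = Get-ServiceByPid
    $result = @()
    # netstat -ano lines look like (IPv6 listeners appear as [::]:80):
    #   TCP    0.0.0.0:80    0.0.0.0:0    LISTENING    4
    foreach ($line in (netstat -ano)) {
        if (-not ($line -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$')) { continue }
        $addr = $matches[1]; $port = [int]$matches[2]; $owner = [int]$matches[3]
        $proc = Get-Process -Id $owner -ErrorAction SilentlyContinue
        $procName = '?'; if ($proc) { $procName = $proc.ProcessName }
        $svcName = '-'; if ($serviceByPid.ContainsKey($owner)) { $svcName = $serviceByPid[$owner] }
        $status = 'UNEXPECTED'; if ($Approved.ContainsKey($port)) { $status = 'approved: ' + $Approved[$port] }
        $row = New-Object PSObject
        $row | Add-Member NoteProperty Status    $status
        $row | Add-Member NoteProperty Port      $port
        $row | Add-Member NoteProperty Address   $addr
        $row | Add-Member NoteProperty ProcessId $owner
        $row | Add-Member NoteProperty Process   $procName
        $row | Add-Member NoteProperty Service   $svcName
        $result += $row
    }
    return $result
}

# Approved ports for a web server such as WebServ01 (constructed list; edit it
# to match the roles each server is supposed to provide).
$approved = @{ 80 = 'IIS http'; 443 = 'IIS https'; 3389 = 'Remote Desktop' }

Get-ListeningPorts -Approved $approved |
    Sort-Object Status, Port |
    Format-Table Status, Port, Address, ProcessId, Process, Service -AutoSize
```

Every UNEXPECTED row is a port to trace back to its service and either close or add to the approved list, which matches what an nmap scan from another host should report.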
To make it harder for unauthorized users to connect to your server
computers, enable IPSec for all server-to-server connections. IPSec will
require that any computer that attempts to connect to your server be
authorized to connect. Using IPSec and removing or disabling
unnecessary user accounts will make it more difficult for attackers to
compromise your server computers.
Once you've taken these steps to harden your servers, focus on the
services that are still running. Every server will have some services
running and some ports open. The second main phase of hardening
servers is to focus on these components. You'll learn in the next chapter
about how to harden specific services and applications.
technical TIP
Get more information on the free nmap utility at
http://nmap.org/. The utility can be downloaded from
this site and installed on any computer. Before you use nmap
to scan any computer, ensure you have permission in writing
from the computer and network owner to perform the scan.
Port scanning can cause substantial network activity and
even trigger intrusion alarms. You don't want to cause
someone to treat your scan as a hostile attack. Make sure all
stakeholders know what you're planning to do, when you're
planning to do it, and that you have permission to do it.
Nmap offers many command options, but here are a few
simple ones that will provide a list of open ports:
nmap -vA 192.168.1.128
The previous command scans for any open ports on
192.168.1.128 and also attempts to detect the operating
system running on the computer at that Internet Protocol (IP)
address.
nmap -vsT 192.168.1.128
The previous command scans and attempts to connect to
any open ports on the computer at 192.168.1.128. Using the
"-vsT" option is slower than the "-vA" scan but also
provides more complete information on services that are
running and monitoring open ports.
For even more command options, go to the nmap Web site
for additional details and complete documentation. Nmap can
help you identify any vulnerability on your computers.
Hardening Workstation Computers
While many of the strategies for hardening computers apply to all
computers, some are especially important for workstations. In general,
workstation computers act as clients, not servers. When hardening
workstation computers, one of the main goals is to ensure the computer
maintains a clean identity and doesn't attempt to violate your security
policy.
One of the more common issues with workstation computers is malware.
Since workstations tend to connect to many Internet resources and run
many software programs, they run into malware frequently. Removing
malware is often far more difficult than preventing it. Ensure that every
workstation computer has up-to-date anti-malware software installed and
that its database of known malware is up to date as well. Microsoft
provides two products for this purpose. Each includes anti-malware
protection:
Microsoft Security Essentials
(http://www.microsoft.com/Security_Essentials/)—A
free collection of security products intended to protect home
computer users from various types of malware
Microsoft Forefront
(http://www.microsoft.com/forefront)—A commercial
product that is a complete security management solution for
enterprise users
Other anti-malware products are available for workstations. Refer to
Chapter 5 for more information on protecting Windows computers from
malware.
WARNING
Securing workstations requires control. You can exert control
over workstations your organization owns or directly
manages. Group Policy makes it possible to effectively
manage and enforce nearly all security settings for your
organization's workstations. Remote users pose a more
difficult challenge. It is very difficult to exert any control over
workstations your organization doesn't own or manage. You
should provide a separate access path for internal versus
external workstations. Isolate external workstations and
restrict what resources they can access.
In addition to ensuring workstations are protected from malware, it is
important to mitigate as many other vulnerabilities as possible. Most
workstation installations add many unneeded programs and services. And
no single program effectively analyzes a workstation's role and
recommends changes to make it more secure. Review all running services
and programs and disable the ones you don't need. Likewise, review the
Windows firewall settings to only allow network traffic for the services
and applications your workstations really need.
Hardening Data Access and Controls
You learned about Windows access controls in Chapter 3. The key to
deploying the best controls is to first develop a clear idea of what you are
attempting to control. In general, minimize the number of user accounts
on all computers and carefully control access to accounts with
Administrator rights. Access to data and resources is based on identity.
You have to implement secure identity management before you can trust
your access controls. As you've already learned, having fewer user
accounts and using strong passwords make your systems more secure.
But just limiting user account access is only part of the solution.
Once you identify the data and resources you need to control, use
Windows Group Policy to establish access control lists (ACLs) that limit
access to specifically defined users and groups. The easiest way to
implement access control in a large environment is to use AD and global
groups for as many ACLs as possible. Avoid allowing anonymous or guest
user accounts to access any sensitive data.
To protect data at rest, either use Windows Encrypting File System (EFS)
for folders that contain sensitive data or Windows BitLocker to encrypt
entire volumes. Regardless of the option you choose, ensure any backups
encrypt your data as well.
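The "avoid allowing anonymous or guest user accounts to access any sensitive data" rule above, turned into an auditable check, as an added PowerShell example that is not from the textbook. The folder path and the list of catch-all identities are assumptions chosen for the illustration.

```powershell
# Added example (not from the textbook): audit the NTFS ACLs of a folder tree
# that holds sensitive data and report every Allow entry granted to anonymous,
# guest, or catch-all identities, with an opt-in remediation step. The folder
# path and the identity list are assumptions made for the illustration.

$SensitiveRoot   = 'D:\Data\Finance'        # hypothetical folder with sensitive data
$BroadIdentities = @(
    'Everyone',
    'NT AUTHORITY\ANONYMOUS LOGON',
    'BUILTIN\Guests',
    'NT AUTHORITY\Authenticated Users',      # every domain account, not a defined group
    'BUILTIN\Users'
)

function Find-BroadAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Identities = $BroadIdentities
    )
    # Examine the root and every subfolder; files normally inherit from their folder.
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($folder in $folders) {
        $acl = Get-Acl -LiteralPath $folder.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and $Identities -contains $ace.IdentityReference.Value) {
                [pscustomobject]@{
                    Path        = $folder.FullName
                    Identity    = $ace.IdentityReference.Value
                    Rights      = $ace.FileSystemRights
                    IsInherited = $ace.IsInherited   # inherited entries must be fixed at the parent
                }
            }
        }
    }
}

function Remove-BroadAccess {
    # Remove the explicit (non-inherited) entries found above. Use -WhatIf to preview.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Path, [string[]]$Identities = $BroadIdentities)
    $explicit = Find-BroadAccess -Path $Path -Identities $Identities | Where-Object { -not $_.IsInherited }
    foreach ($group in ($explicit | Group-Object Path)) {
        $acl = Get-Acl -LiteralPath $group.Name
        # Snapshot the rules first; removing while enumerating $acl.Access is unsafe.
        $toRemove = @($acl.Access | Where-Object {
            -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' -and
            $Identities -contains $_.IdentityReference.Value })
        foreach ($ace in $toRemove) {
            if ($PSCmdlet.ShouldProcess($group.Name, "Remove '$($ace.IdentityReference.Value)' access")) {
                $null = $acl.RemoveAccessRule($ace)
            }
        }
        if ($PSCmdlet.ShouldProcess($group.Name, 'Write updated ACL')) {
            Set-Acl -LiteralPath $group.Name -AclObject $acl
        }
    }
}

Find-BroadAccess -Path $SensitiveRoot | Format-Table -AutoSize
# After reviewing the report:  Remove-BroadAccess -Path $SensitiveRoot -WhatIf
```

Entries reported with IsInherited set to True come from a parent folder (often the volume root), which is where the fix belongs; replacing them with AD global groups keeps the ACLs manageable as the text recommends.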
Hardening Communications and Remote Access
Remote connections can present additional security challenges. You need
the ability to evaluate several attributes of a connection request's source
before granting access to your network. Define different access profiles
based on your policies to meet the needs of different types of network
users. Network access control (NAC) is a solution that defines and
implements a policy that describes the requirements to access your
network.
Table 11-3. NAC software products.
PRODUCT                            WEB SITE
PacketFence (open source)          http://www.packetfence.org/en/home.
Sophos NAC Advanced                http://www.sophos.com/products/ente
Symantec Network Access Control    http://www.symantec.com/business/ne
Cisco Network Admission Control    https://www.cisco.com/en/US/netsol/
StillSecure Safe Access            http://www.stillsecure.com/safeacce
McAfee Network Access Control      http://www.mcafee.com/us/enterprise
NAC defines the rules a connecting node must meet to establish a secure
connection with your network. It also allows you to proactively
interrogate nodes that request a connection to your network to ensure
they don't pose a risk. Use NAC to classify connecting nodes based on the
level of compliance with your access rules. NAC allows you to evaluate
node attributes that include:
Anti-malware protection
Firewall status and configuration
Operating system version and patch level
Node role and identity
Custom attributes for enterprise configuration
NAC solutions enable you to exert control over which nodes can connect
to your networks and what rights you'll grant to them once they connect.
NAC provides a formal method to establish relationships with several
types of security controls and helps you minimize threats from malware,
increase LAN-to-WAN availability, and provide proof of compliance
through NAC-related auditing data. NAC is a method of controlling
network access that several vendor products support. Table 11-3 lists
some vendors that provide NAC software.
You can choose from many products to implement NAC. NAC software
alone won't secure your networks but it gives you the ability to define and
enforce policies that can get you closer to your security goals.
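A local version of the posture check a NAC product performs against the node attributes listed above (anti-malware, firewall, OS version and patch level, node identity), ending in a compliance classification, as an added PowerShell example that is not from the textbook or any of the listed products. It assumes Windows 8 / Server 2012 or later with Windows Defender present (Get-MpComputerStatus, Get-NetFirewallProfile); the thresholds in the policy are assumptions for the illustration.

```powershell
# Added example (not from the textbook): evaluate the NAC attributes named in the
# text on the local node and classify it the way a NAC policy would. Assumes
# Windows 8 / Server 2012 or later with Windows Defender. The thresholds below are
# assumptions chosen for the illustration.

$Policy = @{
    MaxSignatureAgeDays = 3      # anti-malware definitions must be this fresh
    MaxPatchAgeDays     = 45     # an update must have been installed this recently
    MinimumBuild        = 9600   # Windows 8.1 / Server 2012 R2 build number
    RequiredFirewall    = @('Domain', 'Private', 'Public')
}

function Get-NodePosture {
    param([hashtable]$Rules = $Policy)
    $findings = New-Object System.Collections.Generic.List[string]

    # Anti-malware protection: real-time protection on and definitions current.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $mp) {
        $findings.Add('Anti-malware status unavailable')
    } else {
        if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Real-time protection disabled') }
        if ($mp.AntivirusSignatureAge -gt $Rules.MaxSignatureAgeDays) {
            $findings.Add("Definitions are $($mp.AntivirusSignatureAge) days old")
        }
    }

    # Firewall status and configuration: every required profile must be enabled.
    foreach ($fw in Get-NetFirewallProfile) {
        if ($Rules.RequiredFirewall -contains $fw.Name -and "$($fw.Enabled)" -ne 'True') {
            $findings.Add("Firewall profile '$($fw.Name)' is disabled")
        }
    }

    # Operating system version and patch level.
    $build = [System.Environment]::OSVersion.Version.Build
    if ($build -lt $Rules.MinimumBuild) { $findings.Add("OS build $build is below the minimum") }
    $lastPatch = Get-HotFix | Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $lastPatch -or $lastPatch.InstalledOn -lt (Get-Date).AddDays(-$Rules.MaxPatchAgeDays)) {
        $findings.Add('No update installed within the allowed window')
    }

    # Node role and identity: a domain-joined node is a managed one.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) { $findings.Add('Node is not domain-joined') }

    # Classify: full access, restricted access, or quarantine for remediation.
    $class = if ($findings.Count -eq 0) { 'Compliant' }
             elseif ($findings.Count -le 2) { 'Restricted' }
             else { 'Quarantine' }
    [pscustomobject]@{
        Node           = $env:COMPUTERNAME
        Classification = $class
        Findings       = $findings.ToArray()
    }
}

Get-NodePosture | Format-List
```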
Authentication Servers
Once remote computers are authorized to connect you'll need to
authenticate the remote user as well. You have many ways to authenticate
remote users, but three main approaches are common. The first two,
RADIUS and TACACS+, rely on centralized authentication databases and
servers to handle all remote users. Either of these approaches works well
when there are a large number of remote users or you need to manage
remote users from a central location. The third option is to use a virtual
private network (VPN).
RADIUS
Remote Authentication Dial In User Service (RADIUS) is a network
protocol that supports remote connections by centralizing the
management tasks for authentication, authorization, and accounting for
computers to connect and access a network. RADIUS is a popular protocol
that many network software and devices support and is often used by
Internet Service Providers (ISPs) and large enterprises to manage access
to their networks.
RADIUS is a client/server protocol that runs in the application layer
(layer seven in the Open Systems Interconnection, or OSI, reference
model, or layer four in the TCP/IP reference model) and uses the User
Datagram Protocol (UDP) to transport authentication and control
information. Network devices that support RADIUS and control access for
remote users and devices (the RADIUS clients) communicate with the
RADIUS server to authenticate devices and users before granting access.
In addition to granting access and authorizing actions, RADIUS records
network services used for accounting.
TACACS+
Terminal Access Controller Access-Control System Plus (TACACS+) is
another network protocol. TACACS+ was developed by Cisco. TACACS+
has roots back to an earlier protocol, TACACS, but is an entirely different
protocol. TACACS+ provides access control for remote networked
computing devices using one or more centralized servers. TACACS+ is
similar to RADIUS in that it provides authentication, authorization, and
accounting services, but TACACS+ separates the authentication and
authorization information. TACACS+ also uses the TCP protocol for more
reliability.
One difference between RADIUS and TACACS+ is important to security.
RADIUS only encrypts the password when sending an access request
packet to the server. TACACS+ encrypts the entire packet. That makes it a
little harder to sniff data from a TACACS+ packet.
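What the RADIUS side of that difference looks like on the wire, as an added PowerShell example that is not from the textbook: RFC 2865 hides only the User-Password attribute (MD5 of the shared secret and the request authenticator, XORed with the padded password, chained block by block), while User-Name and every other attribute of the Access-Request travel in the clear. All names, secrets, and the identifier byte are constructed test values.

```powershell
# Added example (not from the textbook): build a minimal RADIUS Access-Request
# (RFC 2865) and show which bytes are protected. Only User-Password is hidden;
# User-Name is readable in the packet. All values are constructed test data.

function Protect-RadiusPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$SharedSecret,
        [Parameter(Mandatory)][byte[]]$RequestAuthenticator   # 16 random bytes from the header
    )
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $secret = [System.Text.Encoding]::UTF8.GetBytes($SharedSecret)
    $plain  = [System.Text.Encoding]::UTF8.GetBytes($Password)
    # Pad the password with NUL bytes to a multiple of 16 (RFC 2865 section 5.2).
    $blocks = [int][math]::Max(1, [math]::Ceiling($plain.Length / 16))
    $padded = New-Object byte[] ($blocks * 16)
    [Array]::Copy($plain, $padded, $plain.Length)
    $hidden = New-Object byte[] $padded.Length
    $chain  = $RequestAuthenticator
    for ($i = 0; $i -lt $padded.Length; $i += 16) {
        # b(n) = MD5(secret + previous ciphertext block); block 1 uses the authenticator.
        $b = $md5.ComputeHash([byte[]]($secret + $chain))
        for ($j = 0; $j -lt 16; $j++) { $hidden[$i + $j] = $padded[$i + $j] -bxor $b[$j] }
        $chain = [byte[]]$hidden[$i..($i + 15)]
    }
    return ,$hidden
}

function New-RadiusAttribute {
    param([byte]$Type, [byte[]]$Value)
    # Attribute wire format: Type (1 byte), Length (1 byte, header included), Value.
    return [byte[]](@($Type, [byte]($Value.Length + 2)) + $Value)
}

function New-RadiusAccessRequest {
    param([string]$UserName, [string]$Password, [string]$SharedSecret)
    $authenticator = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($authenticator)
    $attrs  = New-RadiusAttribute -Type 1 -Value ([System.Text.Encoding]::UTF8.GetBytes($UserName))
    $attrs += New-RadiusAttribute -Type 2 -Value (Protect-RadiusPassword $Password $SharedSecret $authenticator)
    $length = 20 + $attrs.Length
    # Header: Code 1 = Access-Request, Identifier (constructed), Length (big-endian), Authenticator.
    $header = [byte[]](@(1, 42, [byte]($length -shr 8), [byte]($length -band 0xFF)) + $authenticator)
    return [byte[]]($header + $attrs)
}

function ConvertTo-PrintableText {
    param([byte[]]$Bytes)
    # Render printable ASCII as characters and everything else as a dot.
    -join ($Bytes | ForEach-Object { if ($_ -ge 32 -and $_ -le 126) { [char]$_ } else { '.' } })
}

$packet = New-RadiusAccessRequest -UserName 'jdoe' -Password 'S3cret!' -SharedSecret 'constructed-secret'
'Access-Request as text : ' + (ConvertTo-PrintableText -Bytes $packet)
'Hex                    : ' + (($packet | ForEach-Object { $_.ToString('x2') }) -join '')
# 'jdoe' is readable in the text rendering; the password bytes are not.
```

Because everything but the password is visible, the usual mitigation is to carry RADIUS over IPSec (or use TACACS+, which hides the whole body), which is why the text prefers IPSec for server-to-server traffic.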
VPNs and Encryption
Virtual private networks (VPNs) are one of the most popular methods to
establish remote connections. A VPN appears to your software as a
regular network connection. It is actually a virtual connection, also called
a tunnel, which uses a regular WAN connection of many hops but looks
like a direct connection to your software. Most VPNs offer the option to
encrypt traffic using different modes to meet different needs.
technical TIP
Most people associate VPNs with encrypted traffic. Although
most VPN uses include encrypting all of the traffic
transported through the VPN tunnel, encryption is an option
and not a part of the VPN itself. The private part of VPN
really refers to private addressing, not data privacy.
The concept of tunneling is central to most VPNs. Tunneling allows
applications to use any protocol to communicate with servers and services
without having to worry about addressing privacy concerns. Applications
can even use protocols that aren't compatible with your WAN. Here's how
tunneling works:
1. Your application sends a message to a remote address using its
application layer protocol.
2. The target address your application used directs the message to the
tunnel interface. The tunnel interface places each of the packets
from the application layer inside another packet using an
encapsulating protocol. This encapsulating protocol handles
tunnel addressing and encryption issues.
3. The tunnel interface then passes the encapsulated packets to the
layers that handle the WAN interface for physical transfer.
4. On the receiving end, the packets go from the WAN to the remote
tunnel interface where the packets are decrypted and assembled
back into application layer packets and then passed up to the
remote application layer.
This arrangement provides excellent flexibility and security. Depending
on your VPN solution, you can choose from several encapsulating
protocols, including:
Generic Routing Encapsulation (GRE)—A tunneling protocol
developed by Cisco Systems as an encapsulating protocol that can
transport a variety of other protocols inside IP tunnels
IPSec—A protocol suite designed to secure IP traffic using
authentication and encryption for each packet
Layer 2 Forwarding (L2F)—A tunneling protocol developed by
Cisco Systems to establish VPNs over the Internet. L2F does not
provide encryption—it relies on other protocols for encryption
Point-to-Point Tunneling Protocol (PPTP)—A protocol used
to implement VPNs using a control channel over TCP and a GRE
tunnel for data. PPTP does not provide encryption.
Layer 2 Tunneling Protocol (L2TP)—A tunneling protocol
used to implement a VPN. L2TP is a newer protocol that traces its
ancestry to L2F and PPTP. Like its predecessors, L2TP does not
provide encryption itself.
The VPN you select depends on several factors. Some VPN solutions are
vendor specific and rely on one type of hardware. Other types of VPNs are
operating system specific. For example, the new Secure Socket Tunneling
Protocol (SSTP) is only available for the Windows operating system. SSTP
is Microsoft's attempt to provide a solution that works on any networking
hardware. SSTP uses a Secure Sockets Layer (SSL) to transport Point-to-Point
Protocol (PPP) or Layer 2 Tunneling Protocol (L2TP) traffic. Using
SSL removes many of the firewall and network address translation (NAT)
issues some other protocols encounter.
Regardless of the remote authentication method you choose to use,
ensure that you configure each server and client to establish connections
only using your preferred method.
Hardening PKI
One method of hardening authentication is by using digital certificates.
Certificates can increase the security of IPSec, SSL connections, and Web
server authentication. Implementing such an approach requires a method
of creating, distributing, and maintaining certificates. A common
approach is to implement a public key infrastructure (PKI). PKI is a
term that refers to the hardware, software, policies, and procedures to
manage all aspects of digital certificates. PKI has the reputation of making
environments more secure, but this is only true if your PKI components
are secure.
The most important component of securing PKI is to ensure all computers
that participate are hardened. This is especially true for the Certificate
Authority (CA) servers. In addition to hardening CAs like other servers,
ensure your CAs are physically secure and only accessible by authorized
administrators. Ensure that you back up the CA keys and store them in a
safe location. You'll need these to recover certificate access after restoring
from some types of disasters.
Use GPOs to distribute root CA certificates. Using GPOs gives you the
ability to control and automate the certificate distribution. To ensure you
can track down unauthorized certificate actions, enable auditing for all CA
and certificate events. You will probably need to increase the maximum
audit log file to store log entries for more than a few days for heavily
utilized servers.
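The two CA settings in the paragraph above, enabling auditing for all CA events and enlarging the audit log, as an added PowerShell example that is not from the textbook. It is meant to run in an elevated session on an Active Directory Certificate Services CA; the 1 GB log size and the single-CA-per-host assumption are choices made for the illustration.

```powershell
# Added example (not from the textbook): turn on full auditing for an Active
# Directory Certificate Services CA, enable the matching Windows audit
# subcategory, enlarge the Security log, and read the result back. Run in an
# elevated session on the CA. The 1 GB size is an assumption for the example.

function Enable-CaAuditing {
    param([long]$SecurityLogBytes = 1GB)

    # AuditFilter is a 7-bit mask of CA event groups (start/stop service,
    # backup/restore, issue/manage requests, revoke, change security,
    # store/retrieve archived keys, change configuration). 127 selects all.
    certutil -setreg CA\AuditFilter 127 | Out-Null

    # CA audit records reach the Security log only when the
    # "Certification Services" object-access subcategory is enabled.
    auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable | Out-Null

    # A busy CA fills the default Security log within days; raise the cap.
    Limit-EventLog -LogName Security -MaximumSize $SecurityLogBytes

    # The new filter takes effect when the CA service restarts.
    Restart-Service -Name CertSvc
}

function Test-CaAuditing {
    # Read AuditFilter back from the CA's configuration key (assumes one CA per host).
    $cfg = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' |
        Select-Object -First 1
    $filter = (Get-ItemProperty -Path $cfg.PSPath -Name AuditFilter).AuditFilter
    $logMax = (Get-EventLog -List | Where-Object { $_.Log -eq 'Security' }).MaximumKilobytes
    [pscustomobject]@{
        CA               = $cfg.PSChildName
        AuditFilter      = $filter
        AllEventsAudited = ($filter -eq 127)
        SecurityLogMaxKB = $logMax
    }
}

Enable-CaAuditing
Test-CaAuditing
```

Applying the same audit policy and log size through a GPO linked to the OU that holds the CA servers keeps the setting from drifting, in line with the text's advice to distribute configuration through Group Policy.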
User Security Training and Awareness
One of the most important aspects of hardening any computer is how the
computers are used. Although malicious attackers are a threat to
computer security, so are authorized users. Many security incidents result
from poorly trained, forgetful, or stubborn authorized users. In some
environments users view security as a barrier and stubbornly refuse to
abide by the security policy. Security awareness training is crucial from a
person's first exposure to your environment.
Each new employee, contractor, or visitor should go through security
awareness training that corresponds to his or her level of system access.
Employees generally have the greatest privileges in any organization's
information systems and should be required to undergo the most
comprehensive security training. Contractors or other temporary
personnel have less access than employees. Visitors often have less access.
You should design security training for each group of users, based on their
access and responsibilities. Part of internal personnel training should
include procedures for granting access to visitors. Security awareness
programs are always good ideas and they also may be mandatory. If your
organization must comply with Sarbanes-Oxley, Gramm-Leach-Bliley,
HIPAA, or the Federal Information Security Management Act (FISMA),
you must implement a security awareness program. Table 11-4 lists
different groups of users and suggested security training requirements.
Table 11-4. User types and suggested security training.

USER TYPE: Employee
DESCRIPTION: Person employed by an organization with permanent responsibilities and access to certain information system resources
SECURITY TRAINING: Employees receive mandatory security policy training with signed acceptance of Acceptable Use Policies (AUPs), completion of information system access security training prior to issuing access credentials, and mandatory recurrent security awareness and policy update training. Properly trained employees should be able to recognize security breaches and know what to do about them.

USER TYPE: Contractor
DESCRIPTION: Temporary worker with limited temporary access to information resources related to assigned responsibilities
SECURITY TRAINING: Contractors receive mandatory pre-engagement security policy training with signed acceptance of AUPs, completion of information system access security training that relates to assigned responsibilities prior to issuing access credentials, and mandatory recurrent security awareness and policy update training. Properly trained contractors should be able to recognize security breaches and know whom to notify if a breach occurs.

USER TYPE: Visitor/guest
DESCRIPTION: Transient user with very limited access to information system resources
SECURITY TRAINING: Visitors/guests agree to comply with AUPs.
Regardless of the type of user, anyone who connects to your computer
systems should encounter frequent reminders of the importance of
security. Use any of these formats to remind users of the importance of
security:
Physical posters and banners in conspicuous locations, such as in
break rooms, cafeterias, and around printers, fax machines, or
shredders
E-mail newsletters and security policy updates
Periodic Web site reminders
Social media messages
Daily or weekly tip programs
Contests with security themes
Security events on specific dates, such as November 30,
International Computer Security Awareness Day
Lunch-and-learn meetings about topics of interest to employees
personally (e.g., identity theft, cyberbullying) as well as topics of
interest to your organization
Visible actions of good security behaviors by your organization's
leaders
Best Practices for Hardening Microsoft Windows OS and Applications
Many resources are available to you for hardening Windows computers.
Some resources focus on a few high-level suggestions while others go into
very detailed lists of suggestions. To make your job of securing Windows
computers easier, here is a list of best practices for securing different
types of computers. These best practices may not all apply to every one of
your computers. They do provide a solid starting point that will result in a
far higher level of security than taking no action at all. The key to
hardening your Windows computers is to reduce each computer's attack
surface to the absolute minimum while still allowing the computer to
fulfill its purpose.
Here are the best practices for hardening Windows operating systems:
Install only the Server Core option when you don't need extra
functionality.
Select the minimum number of roles when installing Windows
Server 2008 R2.
For Windows Server 2008 R2, run SCW immediately after
installing the operating system.
Update each computer with the latest operating system patches.
Configure each computer for automatic Windows updates.
Install and run Microsoft Baseline Security Analyzer (MBSA) and at
least one other Windows security vulnerability scanner.
Create one or more user accounts with Administrator rights.
Disable the Administrator and Guest user accounts.
Disable all unneeded services.
Close all ports not required by services or applications.
Create GPOs for all security settings, including firewall rules.
Use AD to distribute all configuration changes using GPOs.
Create a backup of each GPO.
Scan all computers for open ports.
Limit physical access to all critical servers.
Create an initial baseline backup.
Change AD DSRM password periodically, at least every six months.
Install anti-malware software on each computer.
Ensure all anti-malware software and data is current.
Use NAC software or devices to control remote computer
connections.
Use remote authentication methods to authorize remote computers
and users.
Require secure VPNs to access internal network resources.
Use IPSec with digital certificates to authenticate computer-to-computer
connections in the data center.
Require security awareness training prior to issuing access
credentials.
Require periodic recurrent security awareness training to retain
access credentials.
Provide continuing security awareness through different means.
CHAPTER SUMMARY
Hardening is the process of making computers more secure. The process
involves identifying vulnerabilities and implementing compensating
controls. In short, hardening Windows computers involves putting what
you've learned in the previous chapters into practice. In this chapter you
read about some of the most important steps to make your Windows
computers more secure. You learned how to install servers to be more
secure and how to make both servers and workstations more secure after
installation. Following the best practices at the end of this chapter will
help you keep your Windows environment secure and difficult for
attackers to compromise.
KEY CONCEPTS AND TERMS
Directory Service Restore Mode (DSRM)
Encapsulating protocol
Hardening
Network access control (NAC)
Nmap
Public key infrastructure (PKI)
Roles
Security Configuration Wizard (SCW)
Server core installation
Tunneling
CHAPTER 11 ASSESSMENT
1. The term attack surface refers to all of the software a computer
runs that is vulnerable to attack.
1. True
2. False
2. The best way to secure a service is to disable it.
1. True
2. False
3. The process of making configuration changes and deploying
controls to reduce the attack surface is called _______.
4. Which Windows Server 2008 R2 feature allows you to specify which
services you want to include during the operating system
installation?
1. Edition
2. Role
3. GPO
4. Configuration
5. Which Windows Server 2008 R2 installation option only includes a
minimal environment to just run selected services?
1. Server core
2. Foundation
3. Standard
4. Runtime
6. Which Microsoft tool guides administrators and creates policies
based on least privilege to reduce the attack surface of a Windows
server after installation?
1. GPO
2. MBSA
3. SCW
4. NMAP
7. You can use GPOs to deploy Windows firewall rules.
1. True
2. False
8. Which of the following actions is the best action to take to secure an
unneeded service?
1. Close the port
2. Disable the service
3. Delete the service from Services
4. Create a GPO restriction for the service
9. You should disable the _______ user account to make it harder for
attackers to access the default escalated-privilege account.
10. AD makes securing many computers in a network more complex.
1. True
2. False
11. The _______ tool is a handy open source tool to scan computers
for open ports.
12. Which term describes software that defines and implements a
policy that describes the requirements to access your network?
1. SCW
2. VPN
3. GPO
4. NAC
13. VPNs increase security of remote connection by guaranteeing all
traffic is encrypted.
1. True
2. False
14. Which new Microsoft VPN protocol makes it easy to use VPNs even
through firewalls?
1. L2TP
2. SSTP
3. TLS
4. TCP
15. _______ refers to the hardware, software, policies, and procedures
to manage all aspects of digital certificates.