System Hardening Recommendations For Verisk Health

Jordan Davis | McKell Gomm | Martin Evans

Posted 16-Jul-2015


Table of Contents

I. Windows 7 Workstation Hardening Recommendations

a. Account Policies

b. Local Policies

c. Windows Firewall

d. Network List Manager Policies

e. Public Key Policies

f. Software Restriction Policies

g. Application Control Policies

h. Advanced Audit Policy Configuration

II. Windows Server 2012 Hardening Recommendations

a. Additional Server Settings

b. Group Policy Object (GPO) Recommendations

III. Additional Hardening Recommendations

IV. Summary and Potential Impact

I. Windows 7 Workstation Recommendations – Many of these changes are minor, but some have a noticeable impact on users and applications. Some areas give specific values while others give only a brief explanation; each setting should be tested and carefully considered before it is implemented.

a. Account Policies

i. Password Policy

Policy Security Setting (Recommended)

Enforce password history 24 passwords remembered

Maximum password age 60 days or less (not 0, which means passwords never expire)

Minimum password age 1 day or more (prevents a user from cycling through 24 passwords in one sitting to get back to the old one)

Minimum password length 8 characters

Passwords must meet complexity requirements Enabled

Store passwords using reversible encryption Disabled

ii. Account Lockout Policy

Policy Security Setting (Recommended)

Account lockout duration 1440 minutes

Account lockout threshold Fewer than 10 invalid logon attempts (not 0, which disables lockout altogether)

Reset account lockout counter after 1440 minutes (must not exceed the lockout duration)
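The following is an added example, not part of the original document: it exports the effective local security policy with secedit.exe and compares the [System Access] values against the Password Policy and Account Lockout Policy tables above. It assumes an elevated PowerShell 3.0 or later session on the workstation being checked (Windows 7 needs the Windows Management Framework update for 3.0); the function names and the temporary file path are this example's own.

```powershell
# Export the local security policy with secedit.exe and check the account
# policy keys against the recommendations in section I.a. Run elevated.

function Get-LocalSecurityPolicy {
    # secedit writes an INI-style file; the keys we need live in [System Access].
    $inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    & secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    $policy = @{}
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$') {
            $policy[$matches[1]] = $matches[2]
        }
    }
    Remove-Item -Path $inf -Force
    return $policy
}

function Test-AccountPolicy {
    param([hashtable]$Policy = (Get-LocalSecurityPolicy))

    # Each entry maps a recommendation to the secedit key that stores it and a
    # test on the exported value. Ages are in days, lockout values in minutes;
    # -1 means "never" (password age) or "until an administrator unlocks"
    # (lockout duration), which is stricter than 1440 and therefore accepted.
    $checks = @(
        @{ Name = 'Enforce password history';    Key = 'PasswordHistorySize';   Want = '24';           Test = { param($v) $v -ge 24 } },
        @{ Name = 'Maximum password age';        Key = 'MaximumPasswordAge';    Want = '1-60 days';    Test = { param($v) $v -ge 1 -and $v -le 60 } },
        @{ Name = 'Minimum password age';        Key = 'MinimumPasswordAge';    Want = '>= 1 day';     Test = { param($v) $v -ge 1 } },
        @{ Name = 'Minimum password length';     Key = 'MinimumPasswordLength'; Want = '>= 8';         Test = { param($v) $v -ge 8 } },
        @{ Name = 'Password complexity';         Key = 'PasswordComplexity';    Want = '1 (Enabled)';  Test = { param($v) $v -eq 1 } },
        @{ Name = 'Reversible encryption';       Key = 'ClearTextPassword';     Want = '0 (Disabled)'; Test = { param($v) $v -eq 0 } },
        @{ Name = 'Account lockout duration';    Key = 'LockoutDuration';       Want = '1440 or -1';   Test = { param($v) $v -eq -1 -or $v -ge 1440 } },
        @{ Name = 'Account lockout threshold';   Key = 'LockoutBadCount';       Want = '1-9';          Test = { param($v) $v -ge 1 -and $v -le 9 } },
        @{ Name = 'Reset lockout counter after'; Key = 'ResetLockoutCount';     Want = '1440';         Test = { param($v) $v -ge 1440 } }
    )

    foreach ($c in $checks) {
        $raw = $Policy[$c.Key]
        # Keys absent from the export (the lockout duration and reset keys are
        # omitted when the threshold is 0) are reported, not silently passed.
        $value = if ($null -ne $raw) { [int]$raw } else { $null }
        $pass  = if ($null -ne $value) { & $c.Test $value } else { $false }
        [pscustomobject]@{
            Setting     = $c.Name
            Current     = if ($null -ne $value) { $value } else { '(not set)' }
            Recommended = $c.Want
            Compliant   = [bool]$pass
        }
    }
}

Test-AccountPolicy | Format-Table -AutoSize
```

On a domain-joined workstation the exported values are the ones the domain has applied; the domain-wide policy itself lives in the Default Domain Policy and can be listed with `net accounts /domain`.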

b. Local Policies

i. Audit Policy – these are the basic, category-level settings; the per-subcategory settings in section I.h refine them.

Setting Recommendation

Audit account logon events Success, Failure

Audit account management Success, Failure

Audit directory service access Failure

Audit logon events Success, Failure

Audit object access Failure

Audit policy change Success, Failure

Audit privilege use Success, Failure

Audit process tracking Success, Failure (process creation, event 4688, is only ever recorded as a success audit; a Failure-only setting records nothing)

Audit system events Success, Failure

ii. User Rights Assignment – these rights should be assigned by GPO to users or administrators as applicable, granting each group only the rights its role requires.

iii. Security Options

1. Accounts

Setting Recommendations

Accounts: Administrator account status Disabled

Accounts: Guest account status Disabled

Accounts: Limit local account use of blank passwords to console logon only Enabled

Accounts: Rename administrator account Recommended

Accounts: Rename guest account Recommended

2. Audit

Setting Recommendation

Audit: Audit the access of global system objects Disabled

Audit: Audit the use of Backup and Restore privilege Disabled

Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings Enabled (without this, the category settings in I.b.i can override the subcategory settings in I.h)

Audit: Shut down system immediately if unable to log security audits Disabled

3. Devices

Setting Recommendation

Devices: Allow undock without having to log on Enabled

Devices: Allowed to format and eject removable media Administrator, Interactive Users

Devices: Prevent users from installing printer drivers Enabled (Disabled for laptops/mobile devices)

Devices: Restrict CD-ROM access to locally logged on user only Not Defined

Devices: Restrict floppy access to locally logged on user only Not Defined

4. Domain Member

Setting Recommendation

Domain member: Digitally encrypt or sign secure channel data (always) Enabled

Domain member: Digitally encrypt secure channel data (when possible) Enabled

Domain member: Digitally sign secure channel data (when possible) Enabled

Domain member: Disable machine account password changes Disabled

Domain member: Maximum machine account password age 30 days

Domain member: Require strong (Windows 2000 or later) session key Enabled

5. Interactive Logon

Setting Recommendation

Interactive Logon: Do not display last user name Disabled

Interactive Logon: Display user information when the session is locked Display Name Only

Interactive Logon: Do not require CTRL+ALT+DEL Disabled

Interactive Logon: Message text for users attempting to log on Undefined (if a title is set, the message text should be set as well; a title with no text displays an empty banner)

Interactive Logon: Message title for users attempting to log on Legal Notice

Interactive Logon: Number of previous logons to cache (in case domain controller is not available) 10 or less

Interactive Logon: Prompt user to change password before expiration 5 or less days

Interactive Logon: Require Domain Controller authentication to unlock workstation Enabled (Disabled for laptops/mobile devices)

Interactive Logon: Smart card removal behavior Lock Workstation

6. Microsoft Network Client

Setting Recommendation

Microsoft network client: Digitally sign communications (always) Disabled (Enabled is the stricter value: unsigned SMB sessions can be relayed or tampered with, so Disabled should only be kept where a server is known not to support signing)

Microsoft network client: Digitally sign communications (if server agrees) Disabled (Enabled is preferable; it costs nothing when the server does not sign)

Microsoft network client: Send unencrypted password to third-party SMB servers Disabled

7. Network Access

Setting Recommendation

Network access: Allow anonymous SID/Name translation Disabled

Network access: Do not allow anonymous enumeration of SAM accounts Enabled

Network access: Do not allow anonymous enumeration of SAM accounts and shares Enabled

Network access: Do not allow storage of passwords and credentials for network authentication Enabled

Network access: Let Everyone permissions apply to anonymous users Disabled

Network access: Named Pipes that can be accessed anonymously Not Defined

Network access: Remotely accessible registry paths Not Defined

Network access: Restrict anonymous access to Named Pipes and Shares Enabled

Network access: Shares that can be accessed anonymously Not Defined

Network access: Sharing and security model for local accounts Classic – local users authenticate as themselves

8. Network Security

Setting Recommendation

Network security: Allow PKU2U authentication requests to this computer to use online identities Disabled

Network security: Configure encryption types allowed for Kerberos AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types (DES and RC4 left unchecked)

Network security: Do not store LAN Manager hash value on next password change Enabled

Network security: LAN Manager authentication level Send NTLMv2 response only. Refuse LM (section II.b.iii goes one level further, Refuse LM & NTLM, which is preferable once no NTLMv1-only devices remain)

Network security: LDAP client signing requirements Negotiate signing

Network security: Minimum session security for NTLM SSP based (including secure RPC) clients Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128-bit encryption

Network security: Minimum session security for NTLM SSP based (including secure RPC) servers Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128-bit encryption

9. Recovery Console

Setting Recommendation

Recovery console: Allow automatic administrative logon Disabled

Recovery console: Allow floppy copy and access to all drives and all folders Disabled

10. Shutdown

Setting Recommendation

Shutdown: Allow system to be shut down without having to log on Enabled

Shutdown: Clear virtual memory pagefile Disabled

11. System Cryptography, System Objects, and User Account Control

Setting Recommendation

System cryptography: Force strong key protection for user keys stored on the computer User must enter a password each time they use a key

System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Enabled (test first: applications that call non-FIPS-approved algorithms such as MD5 will fail once this is on)

System objects: Require case insensitivity for non-Windows subsystems Enabled

System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) Enabled

User Account Control: keep UAC enabled on workstations as well as servers (see section II.b.x)
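Most of the Security Options above are stored as registry values, so a workstation can be checked against the tables without opening the policy editor. The following is an added example, not part of the original document; the registry paths and value names are the ones Windows uses for these policies, the expected values encode the recommendations above, and the function name is this example's own. It assumes an elevated PowerShell 3.0 or later session. A value that is absent is reported as "(not set)", which on a machine that has never had the policy applied means the operating-system default is in force.

```powershell
# Check the Security Options from section I.b.iii against their registry values.

$Lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$WkSta    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$PolSys   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$SecurityOptionChecks = @(
    # Accounts
    @{ Setting = 'Limit local account use of blank passwords to console logon only'; Path = $Lsa; Name = 'LimitBlankPasswordUse'; Expect = { param($v) $v -eq 1 } },
    # Domain member
    @{ Setting = 'Digitally encrypt or sign secure channel data (always)'; Path = $Netlogon; Name = 'RequireSignOrSeal';     Expect = { param($v) $v -eq 1 } },
    @{ Setting = 'Disable machine account password changes';              Path = $Netlogon; Name = 'DisablePasswordChange'; Expect = { param($v) $v -eq 0 } },
    @{ Setting = 'Maximum machine account password age (days)';           Path = $Netlogon; Name = 'MaximumPasswordAge';    Expect = { param($v) $v -ge 1 -and $v -le 30 } },
    @{ Setting = 'Require strong (Windows 2000 or later) session key';    Path = $Netlogon; Name = 'RequireStrongKey';      Expect = { param($v) $v -eq 1 } },
    # Interactive logon
    @{ Setting = 'Do not require CTRL+ALT+DEL (0 = Disabled)';            Path = $PolSys;   Name = 'DisableCAD';            Expect = { param($v) $v -eq 0 } },
    @{ Setting = 'Number of previous logons to cache';                    Path = $Winlogon; Name = 'CachedLogonsCount';     Expect = { param($v) [int]$v -le 10 } },
    @{ Setting = 'Prompt user to change password before expiration (days)'; Path = $Winlogon; Name = 'PasswordExpiryWarning'; Expect = { param($v) $v -le 5 } },
    @{ Setting = 'Smart card removal behavior (1 = Lock Workstation)';    Path = $Winlogon; Name = 'ScRemoveOption';        Expect = { param($v) [int]$v -eq 1 } },
    # Microsoft network client
    @{ Setting = 'Send unencrypted password to third-party SMB servers';  Path = $WkSta;    Name = 'EnablePlainTextPassword'; Expect = { param($v) $v -eq 0 } },
    # Network access
    @{ Setting = 'Do not allow anonymous enumeration of SAM accounts';    Path = $Lsa; Name = 'RestrictAnonymousSAM';      Expect = { param($v) $v -eq 1 } },
    @{ Setting = 'Do not allow anonymous enumeration of SAM accounts and shares'; Path = $Lsa; Name = 'RestrictAnonymous'; Expect = { param($v) $v -eq 1 } },
    @{ Setting = 'Do not allow storage of credentials for network authentication'; Path = $Lsa; Name = 'DisableDomainCreds'; Expect = { param($v) $v -eq 1 } },
    @{ Setting = 'Let Everyone permissions apply to anonymous users';     Path = $Lsa; Name = 'EveryoneIncludesAnonymous'; Expect = { param($v) $v -eq 0 } },
    @{ Setting = 'Sharing and security model for local accounts (0 = Classic)'; Path = $Lsa; Name = 'ForceGuest';        Expect = { param($v) $v -eq 0 } },
    # Network security
    @{ Setting = 'Allow PKU2U authentication requests to use online identities'; Path = "$Lsa\pku2u"; Name = 'AllowOnlineID'; Expect = { param($v) $v -eq 0 } },
    @{ Setting = 'Do not store LAN Manager hash value on next password change'; Path = $Lsa; Name = 'NoLMHash';          Expect = { param($v) $v -eq 1 } },
    @{ Setting = 'LAN Manager authentication level (4 = NTLMv2/refuse LM, 5 = also refuse NTLM)'; Path = $Lsa; Name = 'LmCompatibilityLevel'; Expect = { param($v) $v -ge 4 } },
    @{ Setting = 'LDAP client signing requirements (1 = Negotiate signing)'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'; Name = 'LDAPClientIntegrity'; Expect = { param($v) $v -ge 1 } },
    # 0x20080000 = Require NTLMv2 session security (0x80000) + Require 128-bit encryption (0x20000000)
    @{ Setting = 'Minimum session security for NTLM SSP clients';         Path = "$Lsa\MSV1_0"; Name = 'NTLMMinClientSec'; Expect = { param($v) ($v -band 0x20080000) -eq 0x20080000 } },
    @{ Setting = 'Minimum session security for NTLM SSP servers';         Path = "$Lsa\MSV1_0"; Name = 'NTLMMinServerSec'; Expect = { param($v) ($v -band 0x20080000) -eq 0x20080000 } },
    # 0x7FFFFFF8 = AES128 (0x8) + AES256 (0x10) + Future encryption types (0x7FFFFFE0); DES and RC4 bits clear
    @{ Setting = 'Encryption types allowed for Kerberos';                 Path = "$PolSys\Kerberos\Parameters"; Name = 'SupportedEncryptionTypes'; Expect = { param($v) $v -eq 0x7FFFFFF8 } },
    # System cryptography and UAC
    @{ Setting = 'Use FIPS compliant algorithms';                         Path = "$Lsa\FipsAlgorithmPolicy"; Name = 'Enabled';   Expect = { param($v) $v -eq 1 } },
    @{ Setting = 'User Account Control enabled';                          Path = $PolSys; Name = 'EnableLUA';                  Expect = { param($v) $v -eq 1 } }
)

function Test-SecurityOption {
    param([array]$Checks = $SecurityOptionChecks)
    foreach ($c in $Checks) {
        # Missing keys and missing values both come back as $null here.
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.($c.Name) } else { $null }
        [pscustomobject]@{
            Setting   = $c.Setting
            Value     = if ($null -ne $value) { $value } else { '(not set)' }
            Compliant = if ($null -ne $value) { [bool](& $c.Expect $value) } else { $false }
        }
    }
}

Test-SecurityOption | Sort-Object Compliant | Format-Table -AutoSize -Wrap
```

The two NTLM session-security checks test only the NTLMv2 and 128-bit bits, which are the ones that matter on Windows 7; the message integrity and confidentiality flags in the table set additional low bits (0x10 and 0x20) that this check tolerates either way.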

c. Windows Firewall

i. Windows Firewall – Local GPO

Profile / Setting Recommendation

Domain Profile Firewall State: ON; Inbound Connections: BLOCK; Outbound Connections: ALLOW

Private Profile Firewall State: ON; Inbound Connections: BLOCK; Outbound Connections: ALLOW

Public Profile Firewall State: ON; Inbound Connections: BLOCK; Outbound Connections: ALLOW

IPsec Settings IPsec Defaults: CUSTOMIZE; Key Exchange (Main Mode): DEFAULT; Data Protection (Quick Mode): DEFAULT; Authentication Method: Computer and User (Kerberos V5)

IPsec Exemptions Exempt ICMP from IPsec: NO

IPsec Tunnel Authorization NONE

Blocking inbound connections by default means that any service that must be reachable (remote management, a monitoring agent, a server role) needs an explicit allow rule, scoped to the profile and, where possible, to the source subnet that needs it.
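The following is an added example, not part of the original document: it applies the three-profile recommendation above with netsh.exe, which is available on both Windows 7 and Server 2012 (the Set-NetFirewallProfile cmdlet exists only from Windows 8/Server 2012 on), then reads the configuration back and checks it. It assumes an elevated PowerShell 3.0 or later session and the English-language output of netsh; the function names are this example's own, and the dropped-connection logging line is an addition beyond the table.

```powershell
# Apply and verify the Windows Firewall profile settings from section I.c.

function Set-RecommendedFirewallPolicy {
    # State ON, block unsolicited inbound, allow outbound, for Domain, Private and Public.
    & netsh.exe advfirewall set allprofiles state on | Out-Null
    & netsh.exe advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null
    # Not in the table above: write dropped inbound packets to the firewall log so
    # blocked traffic can be reviewed without the Security event log.
    & netsh.exe advfirewall set allprofiles logging droppedconnections enable | Out-Null
}

function Get-FirewallProfileState {
    # Parses "netsh advfirewall show allprofiles": three blocks headed
    # "<Profile> Profile Settings:", each containing a "State  ON|OFF" line and a
    # "Firewall Policy  BlockInbound,AllowOutbound" line.
    $current = $null
    foreach ($line in (& netsh.exe advfirewall show allprofiles)) {
        if ($line -match '^(\w+) Profile Settings:') {
            $current = [ordered]@{ Profile = $matches[1]; State = $null; Inbound = $null; Outbound = $null }
        } elseif ($current -and $line -match '^State\s+(\w+)') {
            $current.State = $matches[1]
        } elseif ($current -and $line -match '^Firewall Policy\s+(\w+),(\w+)') {
            $current.Inbound  = $matches[1]
            $current.Outbound = $matches[2]
            [pscustomobject]$current
            $current = $null
        }
    }
}

function Test-FirewallProfileState {
    foreach ($p in Get-FirewallProfileState) {
        [pscustomobject]@{
            Profile   = $p.Profile
            State     = $p.State
            Inbound   = $p.Inbound
            Outbound  = $p.Outbound
            Compliant = ($p.State -eq 'ON' -and $p.Inbound -eq 'BlockInbound' -and $p.Outbound -eq 'AllowOutbound')
        }
    }
}

Set-RecommendedFirewallPolicy
Test-FirewallProfileState | Format-Table -AutoSize
```

When the profiles are managed by a domain GPO, the local setting is overridden and `netsh advfirewall show allprofiles` reports the effective (GPO) values, so the check still reflects what the workstation enforces.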

d. Network List Manager Policies

These policies control how Windows names and classifies each network and whether users may change that classification; the location type selects which firewall profile from section I.c is applied.

Network Properties / Setting Recommendation

Network Name: identifies a network. Name: N/A; User Permissions: User cannot change name

Network Icon: provides a graphic or logo that represents the company or network. Icon: company icon; User Permissions: User cannot change icon

Network Location: identifies the type of network the computer is connected to and automatically applies the firewall profile for that location. Location Type: Private or Public as appropriate for the network; User Permissions: User cannot change location

Unidentified Networks: networks that cannot be identified because of a network issue or a lack of identifiable characteristics. Location Type: Public (the more restrictive profile, since the network is unknown); User Permissions: User cannot change location

Identifying Networks: the temporary state of a network that is in the process of being identified. Location Type: Public (so the restrictive profile is in force until identification completes)

All Networks: every network the user connects to. Network Name: User cannot change name; Network Location: User cannot change location; Network Icon: User cannot change icon

e. Public Key Policies

i. Encrypting File System: specific files or folders should be encrypted where necessary to protect sensitive data (e.g. PHI, intellectual property). We recommend configuring this if sensitive data will be saved in specific directories on the machine. A Data Recovery Agent should be set – preferably to a local admin account – and the DRA certificate's private key should be exported and kept offline, so that loss of the machine does not also lose the only means of recovery.

ii. BitLocker Drive Encryption: as Verisk Health deals with sensitive data (PHI/PII) on a daily basis, we recommend that some form of whole-disk encryption be used. BitLocker needs a recovery method before it is turned on: a recovery password or recovery key, preferably escrowed to Active Directory through the "Store BitLocker recovery information in Active Directory Domain Services" policy. A Data Recovery Agent is an optional addition, not a requirement. Without an escrowed recovery method, a firmware update, a failed TPM or a changed boot configuration can leave the disk unrecoverable.
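The following is an added example, not part of the original document: it turns on BitLocker for the operating-system volume with the TPM as the unlock protector and a recovery password as the recovery method, escrows that password to Active Directory and prints the encryption status. manage-bde.exe exists on Windows 7 (Enterprise/Ultimate) and Server 2012 alike, whereas the Enable-BitLocker cmdlet only exists from Windows 8/Server 2012 on. It assumes an elevated session, a TPM enabled in the BIOS and a domain-joined machine; the drive letter and the function names are this example's own.

```powershell
# Enable BitLocker with TPM + recovery password and escrow the password to AD DS.

function Get-BitLockerRecoveryProtectorId {
    param([string]$Drive = 'C:')
    # "manage-bde -protectors -get" prints each protector; the recovery password
    # appears under a "Numerical Password:" heading followed by "ID: {GUID}".
    $inRecoveryBlock = $false
    foreach ($line in (& manage-bde.exe -protectors -get $Drive)) {
        if ($line -match '^\s*Numerical Password:') { $inRecoveryBlock = $true; continue }
        if ($inRecoveryBlock -and $line -match 'ID:\s*(\{[0-9A-Fa-f-]+\})') { return $matches[1] }
    }
    return $null
}

function Enable-RecommendedBitLocker {
    param([string]$Drive = 'C:')
    # Protectors can be added while the volume is still in the clear; "-on" then
    # starts encryption. The TPM unlocks the disk at boot and the recovery
    # password is the fallback (a Data Recovery Agent is optional on top of this).
    & manage-bde.exe -protectors -add $Drive -TPM | Out-Null
    & manage-bde.exe -protectors -add $Drive -RecoveryPassword | Out-Null
    $id = Get-BitLockerRecoveryProtectorId -Drive $Drive
    if (-not $id) { throw "No recovery password protector was created for $Drive" }
    # Escrow to AD DS; requires the "Store BitLocker recovery information in AD DS"
    # policy and a domain-joined machine. Do not start encrypting until the
    # recovery password is stored somewhere other than the disk being encrypted.
    & manage-bde.exe -protectors -adbackup $Drive -id $id | Out-Null
    & manage-bde.exe -on $Drive | Out-Null
    return $id
}

$recoveryId = Enable-RecommendedBitLocker -Drive 'C:'
"Recovery password protector escrowed to AD DS: $recoveryId"
& manage-bde.exe -status 'C:'
```

For a laptop that is not domain-joined, replace the `-adbackup` step with `manage-bde -protectors -get C:` and record the 48-digit password in the password safe before running `-on`.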

f. Software Restriction Policies: where needed and feasible, strict controls can be put in place to restrict which programs and file types are allowed to run. Because this is an advanced set of policies, it may be skipped as long as mitigating controls are in place, such as restricting the downloading and execution of software to local administrators only. On Windows 7 and Server 2012, AppLocker (section I.g) is the successor to Software Restriction Policies and is easier to roll out because it can be deployed in audit mode first.

g. Application Control Policies

i. AppLocker:

AppLocker lets administrators control which files users can run: executables, scripts, Windows Installer files, DLLs and (on Windows 8/Server 2012) packaged apps.

RECOMMENDATION: define allow rules from the attributes of the digital signature (publisher, product name, file name and file version) wherever files are signed, and fall back to hash rules for unsigned files; avoid path rules for locations that users can write to. Scope rules to security groups rather than individual users, and add an exception to a rule rather than widening it. Deploy the policy in audit-only mode first and review the AppLocker event log to understand its impact before switching to enforcement. Export and import the rules so they are kept under version control, and use the AppLocker PowerShell cmdlets to generate and maintain them.

ii. IP Security Policies: these require advanced configuration but should be used where a system needs to communicate securely with another computer or group of computers (a subnet).
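The following is an added example, not part of the original document, for the AppLocker recommendation in I.g.i: it builds a policy from the software already installed under Program Files, switches every rule collection to audit-only mode, applies it locally and reads back what would have been blocked. It assumes an elevated PowerShell 3.0 or later session on Windows 7 Enterprise/Ultimate or Server 2012 and that the Application Identity service can be started; the directory list, the rule name prefix and the function names are this example's own.

```powershell
# Build an audit-only AppLocker policy from installed software and review its hits.

Import-Module AppLocker
# AppLocker does nothing unless the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

function New-AuditOnlyAppLockerPolicy {
    param(
        [string[]]$Directory = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}"),
        [string]$OutFile = (Join-Path $env:TEMP 'applocker-audit.xml')
    )
    # Publisher rules for signed files, hash rules for the rest. Path rules are
    # avoided: a path rule is defeated by dropping a file into the allowed folder.
    # DLL rules are left out here; they need the DLL collection enabled and
    # produce a very large policy.
    $files = foreach ($d in ($Directory | Where-Object { $_ -and (Test-Path $_) })) {
        Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe, Script, WindowsInstaller
    }
    [xml]$xml = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -RuleNamePrefix 'Baseline' -Optimize -Xml

    # New-AppLockerPolicy leaves EnforcementMode="NotConfigured"; AuditOnly makes
    # violations log event 8003 without blocking anything.
    foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
        $collection.EnforcementMode = 'AuditOnly'
    }
    $xml.Save($OutFile)
    return $OutFile
}

function Get-AppLockerAuditHits {
    # Event 8003 = would have been blocked (audit mode), 8004 = blocked (enforced).
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                User    = $_.UserId
                Message = ($_.Message -split "`n")[0].Trim()
            }
        }
}

$policyFile = New-AuditOnlyAppLockerPolicy
# Apply to the local machine; for a domain, use Set-AppLockerPolicy -Ldap with the GPO path instead.
Set-AppLockerPolicy -XmlPolicy $policyFile

# Dry-run files from a user-writable location against the policy before relying on the log.
$candidates = Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter *.exe -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName
if ($candidates) {
    Test-AppLockerPolicy -XmlPolicy $policyFile -Path $candidates -User Everyone |
        Where-Object { $_.PolicyDecision -ne 'Allowed' } | Format-Table -AutoSize
}

Get-AppLockerAuditHits | Format-Table -AutoSize
```

Before changing EnforcementMode to Enabled, make sure the policy also contains the default rules that allow the Windows and Program Files folders for Everyone and everything for Administrators (the "Create Default Rules" action in the AppLocker console); a policy built only from the files found above will otherwise block Windows components that live outside those directories.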

h. Advanced Audit Policy Configuration

i. System Audit Policies – Local GPO

Category / Subcategory (what it audits) Recommendation

Account Logon

Audit Credential Validation: allows you to audit events generated by validation tests on user account logon credentials.

Success, Failure

Audit Kerberos Authentication Service: allows you to audit events generated by Kerberos ticket-granting ticket (TGT) requests. These events are recorded on domain controllers, not on the workstation.

Failure

Audit Kerberos Service Ticket Operations: allows you to audit events generated by Kerberos service ticket requests (ticket-granting service exchanges) made for user accounts. Also recorded on domain controllers only.

Failure

Audit Other Account Logon Events: allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets.

Failure

Account Management

Audit Application Group Management: allows you to audit events generated by changes to application groups such as the following: Application group created, changed, or deleted. Member is added or removed from an application group

Success, Failure

Audit Computer Account Management: allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted.

Success, Failure

Audit Distribution Group Management: allows you to audit events generated by changes to distribution groups.

Failure

Audit Other Account Management Events: allows you to audit events generated by other user account changes not covered in this category, such as: the password hash of a user account was accessed; the Password Policy Checking API was called; changes to the Default Domain Group Policy were made.

Success, Failure

Audit Security Group Management: allows you to audit events generated by changes to security groups such as the following: Security group is created, changed, or deleted. Member is added or removed from a security group. Group type is changed

Success, Failure

Audit User Account Management: allows you to audit changes to user accounts, such as a user account being created, changed, deleted, renamed, disabled, enabled, locked out or unlocked, or its password being set or changed.

Success, Failure

Detailed Tracking

Audit DPAPI Activity: allows you to audit events generated when encryption or decryption requests are made to the Data Protection application programming interface (DPAPI). DPAPI is used to protect secret information such as stored passwords and key material.

Success, Failure

Audit Process Creation: allows you to audit events generated when a process is created or starts. The name of the application or user that created the process is also audited.

Success (event 4688 is recorded only as a success audit, so a Failure-only setting records nothing; where available, Windows 8.1/Server 2012 R2 or Windows 7/Server 2012 with update KB3004375, also enable "Include command line in process creation events")

Audit Process Termination: allows you to audit events generated when a process ends.

Success, if process lifetimes are needed for correlation (event 4689 is likewise a success audit); otherwise No Auditing

Audit RPC Events: allows you to audit inbound remote procedure call (RPC) connections.

Success, Failure

DS Access

Audit Detailed Directory Service Replication: allows you to audit events generated by detailed Active Directory Domain Services (AD DS) replication between domain controllers.

Workstation: No Auditing Server: Failure

Audit Directory Service Access: allows you to audit events generated when an Active Directory Domain Services (AD DS) object is accessed.

Workstation: No Auditing Server: Failure

Audit Directory Service Changes: allows you to audit events generated by changes to objects in Active Directory Domain Services (AD DS). Events are logged when an object is created, deleted, modified, moved, or undeleted.

Workstation: No Auditing Server: Success, Failure

Audit Directory Service Replication: allows you to audit replication between two Active Directory Domain Services (AD DS) domain controllers.

Workstation: No Auditing Server: Failure

Logon/Logoff

Audit Account Lockout: allows you to audit events generated by a failed attempt to log on to an account that is locked out.

Success

Audit User / Device Claims: allows you to audit user and device claims information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. This subcategory exists on Windows 8/Server 2012 and later, not on Windows 7.

Workstation: Failure Server: Failure

Audit IPsec Extended Mode: allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations.

No Auditing

Audit IPsec Main Mode: allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations.

No Auditing

Audit IPsec Quick Mode: allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations.

No Auditing

Audit Logoff: allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged on to.

Success

Audit Logon: allows you to audit events generated by user account logon attempts on the computer.

Workstation: Success Server: Success, Failure


Audit Network Policy Server: allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock.

Success, Failure

Audit Other Logon/Logoff Events: allows you to audit other logon/logoff-related events that are not covered in the “Logon/Logoff” policy setting such as the following: Terminal Services session disconnections. New Terminal Services sessions. Locking and unlocking a workstation. Invoking a screen saver. Dismissal of a screen saver.

Success, Failure

Audit Special Logon: allows you to audit events generated by special logons such as the following: The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level.

Success, Failure

Object Access

Audit Application Generated: allows you to audit applications that generate events using the Windows Auditing application programming interfaces (APIs). Applications designed to use the Windows Auditing API use this subcategory to log auditing events related to their function.

No Auditing

Audit Certification Services: allows you to audit Active Directory Certificate Services (AD CS) operations.

No Auditing

Audit Detailed File Share: allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting records only one event for any connection established between a client and a file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access.

Success, Failure (very high volume on file servers; consider Failure only there)

Audit File Share: allows you to audit attempts to access a shared folder. If you configure this policy setting, an audit event is generated when an attempt is made to access a shared folder. If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, or both successes and failures.

Success, Failure

Audit File System: allows you to audit user attempts to access file system objects. A security audit event is generated only for objects that have system access control lists (SACL) specified, and only if the type of access requested, such as Write, Read, or Modify and the account making the request match the settings in the SACL.

Success, Failure

Audit Filtering Platform Connection: allows you to audit connections that are allowed or blocked by the Windows Filtering Platform (WFP).

Success, Failure

Audit Filtering Platform Packet Drop: allows you to audit packets that are dropped by Windows Filtering Platform (WFP).

Failure

Audit Handle Manipulation: allows you to audit events generated when a handle to an object is opened or closed. Only objects with a matching system access control list (SACL) generate security audit events.

Success, Failure

Audit Kernel Object: allows you to audit attempts to access the kernel, which include mutexes and semaphores. Only kernel objects with a matching system access control list (SACL) generate security audit events.

Failure

Audit Other Object Access Event: allows you to audit events generated by the management of task scheduler jobs or COM+ objects.

Failure


Audit Registry: allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists (SACLs) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL.

Success, Failure

Audit Removable Storage: allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested.

Success, Failure

Audit SAM: allows you to audit events generated by attempts to access to Security Accounts Manager (SAM) objects.

Success, Failure

Policy Change

Audit Audit Policy Change: allows you to audit changes in the security audit policy settings.

Success

Audit Authentication Policy Change: allows you to audit events generated by changes to the authentication policy.

Success

Audit Authorization Policy Change: allows you to audit events generated by changes to the authorization policy.

No Auditing

Audit Filtering Platform Policy Change: allows you to audit events generated by changes to the Windows Filtering Platform (WFP).

Success

Audit MPSSVC Rule-Level Policy Change: allows you to audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall.

No Auditing

Audit Other Policy Change Events: allows you to audit events generated by other security policy changes that are not audited in the policy change category.

Success

Privilege Use

Audit Non Sensitive Privilege Use: allows you to audit events generated by the use of non-sensitive privileges (user rights).

No Auditing

Audit Other Privilege Use Events: not used by Windows; no events are generated.

No Auditing

Audit Sensitive Privilege Use: allows you to audit events generated when sensitive privileges (user rights) are used.

Success, Failure

System

Audit IPsec Driver: allows you to audit events generated by the IPsec filter driver.

Success

Audit Other System Events: allows you to audit any of the following events: Startup and shutdown of the Windows Firewall service and driver. Security policy processing by the Windows Firewall Service. Cryptography key file and migration operations.

Success, Failure

Audit Security State Change: allows you to audit events generated by changes in the security state of the computer such as the following events: Startup and shutdown of the computer. Change of system time. Recovering the system from CrashOnAuditFail, which is logged after a system restarts when the security event log is full and the CrashOnAuditFail registry entry is configured.

Success

Audit Security System Change: allows you to audit events related to security system extensions or services.

Workstation: No Auditing. Server: Success, Failure

Audit System Integrity: allows you to audit events that violate the integrity of the security subsystem

Success, Failure

* For more details on how these policies may affect end users, see:

http://technet.microsoft.com/en-us/library/cc875814.aspx

Global Object Access Auditing

File System: allows you to apply a comprehensive object access audit policy to every file and folder on the file system for a computer. Configuring this setting also allows you to demonstrate that every file and folder on the computer is monitored by an audit policy that is managed from a central location. This setting applies a global system access control list (SACL) to every file and folder. If either a file or folder SACL and a global SACL are configured on a computer, the effective SACL is derived by combining the file or folder SACL and the global SACL. This means that an audit event is generated when an activity matches either the file or folder SACL or the global SACL.

Depends on the effective SACL and the level of user activity

Registry: allows you to apply a global object access audit policy to the registry for an entire computer. This policy setting allows you to demonstrate that every registry object on the computer is protected by an audit policy that is managed from a central location. This setting applies a global system access control list (SACL) to every registry object. If both a registry SACL and a global SACL are configured on a computer, the effective SACL is derived by combining the registry SACL and the global SACL. This means that an audit event is generated when an activity matches either the registry key SACL or the global SACL.

Depends on the effective SACL and the level of user activity.
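The following is an added example, not part of the original document, covering both the System Audit Policies table and the Global Object Access Auditing settings above: it applies the workstation column for a representative subset of subcategories with auditpol.exe, reads the effective policy back as CSV and reports mismatches, and sets a global SACL for file and registry writes. It assumes an elevated PowerShell 3.0 or later session with English subcategory names; the subset chosen, the Process Creation correction noted in the comment, and the function names are this example's own.

```powershell
# Apply, verify and extend the Advanced Audit Policy from section I.h.

# Recommended subcategory settings (workstation column) as Success/Failure flags.
# Subcategories that exist only on Windows 8/2012 (e.g. Removable Storage) and
# the DS Access category (domain controllers only) are deliberately omitted.
$AuditRecommendations = @(
    @{ Subcategory = 'Credential Validation';          Success = $true;  Failure = $true  },
    @{ Subcategory = 'Kerberos Authentication Service'; Success = $false; Failure = $true  },
    @{ Subcategory = 'User Account Management';        Success = $true;  Failure = $true  },
    @{ Subcategory = 'Security Group Management';      Success = $true;  Failure = $true  },
    # Event 4688 is only ever a success audit; Failure alone records nothing.
    @{ Subcategory = 'Process Creation';               Success = $true;  Failure = $false },
    @{ Subcategory = 'Logon';                          Success = $true;  Failure = $true  },
    @{ Subcategory = 'Logoff';                         Success = $true;  Failure = $false },
    @{ Subcategory = 'Account Lockout';                Success = $true;  Failure = $false },
    @{ Subcategory = 'Special Logon';                  Success = $true;  Failure = $true  },
    @{ Subcategory = 'Other Logon/Logoff Events';      Success = $true;  Failure = $true  },
    @{ Subcategory = 'File Share';                     Success = $true;  Failure = $true  },
    @{ Subcategory = 'File System';                    Success = $true;  Failure = $true  },
    @{ Subcategory = 'Registry';                       Success = $true;  Failure = $true  },
    @{ Subcategory = 'Filtering Platform Connection';  Success = $true;  Failure = $true  },
    @{ Subcategory = 'Audit Policy Change';            Success = $true;  Failure = $false },
    @{ Subcategory = 'Authentication Policy Change';   Success = $true;  Failure = $false },
    @{ Subcategory = 'Sensitive Privilege Use';        Success = $true;  Failure = $true  },
    @{ Subcategory = 'Security State Change';          Success = $true;  Failure = $false },
    @{ Subcategory = 'System Integrity';               Success = $true;  Failure = $true  }
)

function Set-AuditSubcategory {
    param([hashtable]$Rec)
    $s = if ($Rec.Success) { 'enable' } else { 'disable' }
    $f = if ($Rec.Failure) { 'enable' } else { 'disable' }
    & auditpol.exe /set /subcategory:"$($Rec.Subcategory)" /success:$s /failure:$f | Out-Null
}

function Get-EffectiveAuditPolicy {
    # "/r" makes auditpol emit CSV; the "Inclusion Setting" column holds
    # "No Auditing", "Success", "Failure" or "Success and Failure".
    & auditpol.exe /get /category:* /r | ConvertFrom-Csv
}

function Test-AuditPolicy {
    $effective = @{}
    foreach ($row in Get-EffectiveAuditPolicy) { $effective[$row.Subcategory] = $row.'Inclusion Setting' }
    foreach ($r in $AuditRecommendations) {
        $want = switch ("$($r.Success)$($r.Failure)") {
            'TrueTrue'  { 'Success and Failure' }
            'TrueFalse' { 'Success' }
            'FalseTrue' { 'Failure' }
            default     { 'No Auditing' }
        }
        $have = $effective[$r.Subcategory]
        [pscustomobject]@{ Subcategory = $r.Subcategory; Recommended = $want; Effective = $have; Compliant = ($have -eq $want) }
    }
}

# Subcategory settings only take precedence over the legacy category settings
# when this value is set ("Audit: Force audit policy subcategory settings").
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

$AuditRecommendations | ForEach-Object { Set-AuditSubcategory -Rec $_ }

# Global Object Access Auditing: a global SACL auditing write access (FW) by
# anyone on every file and registry key, merged with any per-object SACL.
& auditpol.exe /resourceSACL /set /type:File /user:Everyone /success /failure /access:FW | Out-Null
& auditpol.exe /resourceSACL /set /type:Key  /user:Everyone /success /failure /access:FW | Out-Null

Test-AuditPolicy | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

The global file and registry SACLs generate a large number of events on a busy machine; size the Security log (or forward it to a collector) before enabling them, otherwise the "Shut down system immediately if unable to log security audits" setting in I.b.iii.2, if it is ever turned on, becomes a self-inflicted denial of service.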

II. Windows Server 2012 Hardening Recommendations

a. Additional Server Settings – in addition to the standard system build guidelines above, servers should use the following:

i. Firewall configuration – host-based software firewalls such as Windows Firewall will have to be configured based on the purpose of the server. There should be a standard rule set / Access Control List (ACL) for each type of server (e.g. database, web server), allowing only the ports that the role requires.

ii. Services – depending on the purpose of the server, unneeded services should be disabled. This reduces the attack surface (defense in depth) and lessens the computing load.

iii. Add/Remove Roles & Features – install only the roles and features the server's function requires, and remove any that are no longer used.
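The three items above start from knowing what a server actually runs. The following is an added example, not part of the original document: it inventories a Server 2012 build (installed roles and features, automatically started services, and every listening TCP port mapped to the process that owns it) so that the firewall rule set, the service list and the feature list can be written from evidence and diffed on later reviews. It assumes an elevated PowerShell 3.0 or later session on Server 2012, where the ServerManager and NetTCPIP modules are present; the function names and the output file name are this example's own.

```powershell
# Inventory a Server 2012 build before writing its firewall rules and trimming services.

Import-Module ServerManager

function Get-InstalledFeatureList {
    Get-WindowsFeature | Where-Object { $_.Installed } |
        Select-Object Name, DisplayName, FeatureType
}

function Get-AutoStartServiceList {
    # Automatically started services are the ones to review role by role;
    # StartName shows which run under an account other than a built-in identity.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' } |
        Select-Object Name, DisplayName, State, StartName, PathName
}

function Get-ListeningPortList {
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_.ProcessName }
    Get-NetTCPConnection -State Listen |
        Sort-Object LocalPort, LocalAddress -Unique |
        ForEach-Object {
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                Pid          = $_.OwningProcess
                Process      = $procs[[int]$_.OwningProcess]
            }
        }
}

function Get-ServerBaseline {
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Collected    = (Get-Date).ToString('s')
        Features     = @(Get-InstalledFeatureList)
        Services     = @(Get-AutoStartServiceList)
        Listening    = @(Get-ListeningPortList)
    }
}

$baseline = Get-ServerBaseline
# Keep the JSON with the server list entry (III.b.ii) and compare it at each review.
$baseline | ConvertTo-Json -Depth 3 | Set-Content -Path "$env:COMPUTERNAME-baseline.json"
$baseline.Listening | Format-Table -AutoSize
```

Every listening port that is not explained by the server's role is either a service to disable, a feature to remove, or a firewall rule that must not exist; a port that is explained by the role is the allow rule to write.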

b. Group Policy Object (GPO) Recommendations

i. Rename the Local Administrator Account

ii. Disable the Guest Account

iii. Disable LM and NTLMv1 (LAN Manager authentication level: Send NTLMv2 response only. Refuse LM & NTLM)

iv. Disable LM hash storage (Do not store LAN Manager hash value on next password change: Enabled)

v. Set minimum password length

vi. Set maximum password age

vii. Enable event logs

viii. Disable anonymous SID enumeration

ix. Disallow the anonymous account from residing in the Everyone group

x. Enable User Account Control

III. Additional Recommendations – in addition to the specific configurations mentioned above, we would recommend considering the following:

a. Workstations:

i. Use GPOs – to simplify implementing security policies, use Group Policy Objects, particularly for settings like password complexity, so that the workstation settings above are applied and enforced centrally rather than machine by machine.

ii. Maintain a workstation list – include assigned user, service tag, etc.

iii. Force encryption – particularly for mobile devices (tablets/laptops), this is a must.

iv. Configure BIOS/UEFI – set the system to boot from the local hard drive only, set a BIOS password, and enable the TPM where the hardware has one so that BitLocker can use it.

v. Disable USB ports, or at least USB mass storage, on any systems that will access sensitive data.

vi. Install and use maintenance tools:

1. Stand-alone clean-up tool (e.g. CCleaner)

a. Registry cleaning

b. Malware scanning

c. Cleans up temporary files

2. Disk defragmentation

a. Consolidates fragmented files, improving overall performance and system function

b. Servers:

i. Use static IP addresses – this makes terminal/remote services, web/application servers, etc. much easier to access, manage and write firewall rules for.

ii. Create a detailed server list – this should include server name, IP, purpose, service tag, OS and responsible party.

iii. Centralize security – before a server is fully deployed, verify that it has been appropriately patched and added to the centralized anti-malware and vulnerability scanning consoles.

iv. UPS and power-saving – critical servers should have battery back-up to ensure availability immediately after an outage, until the generator restores long-term power.

v. Reset defaults – rename the default local admin accounts and reset their passwords, using a different password on each server so that one compromised local password does not open every server.

vi. Backups/restores – no production data should ever be placed on a server without being backed up. Data restoration, not just the backup job, should be tested regularly.

IV. Summary and Potential Impact

Each of these points and its potential impact should be carefully considered for implementation on some or all of Verisk Health's workstation and server builds, to eliminate or mitigate attacks and other security risks and to keep Verisk Health in compliance with security standards. If Verisk Health were to implement all of the changes above, it would bring workstations to 86% and servers to 93% compliance with the corresponding CIS-CAT benchmarks.