NIST Recommendations for System Administrators for Securing Windows 2000 Professional
Tony Harris, Booz Allen
Murugiah Souppaya, NIST

Outline
- Introduction
- Why we did it
- General hardening principles
- Securing Windows 2000 Professional
- Securing popular applications
- NIST Template
- Contact information

National Institute of Standards and Technology
NIST’s mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life.

NIST assets include:
- 3,000 employees
- 1,600 guest researchers
- $760 million annual budget
- NIST Laboratories: national measurement standards
- Advanced Technology Program: $570 million current R&D partnerships with industry
- Manufacturing Extension Partnership: 400 centers nationwide to help small manufacturers
- Baldrige National Quality Award
- NIST Measurement and Standards Laboratories

NIST Mandate for Computer Security
- Develop standards and guidelines for the Federal government
- Contribute to improving the security of commercial IT products and strengthening the security of users’ systems and infrastructures

Computer Security Division Mission
To improve information systems security by:
- raising awareness of IT risks, vulnerabilities and protection requirements, particularly for new and emerging technologies;
- researching, studying, and advising agencies of IT vulnerabilities and devising techniques for the cost-effective security and privacy of sensitive Federal systems;
- developing standards, metrics, tests and validation programs to promote, measure, and validate security in systems and services, to educate consumers, and to establish minimum security requirements for Federal systems;
- developing guidance to increase secure IT planning, implementation, management and operation.
Recent Documents
- Securing Wireless Networks: A Manager’s Guide
- Designing Secure Wireless Networks
- Network Testing Guide
- Applying Security Patches
- Securing Your Public Webserver
- Security Issues and Solutions for E-mail
- Telecommuting Security Cookbook
- System Administrator Guidance for Securing MS Windows 2000 Professional System

Why did we do it?
- NIST recognized a need for a guide to consolidate various best practices
- Very little federal guidance exists for securing popular applications
- Guide designed for educated users and administrators

Goals
- Secure Windows 2000 Professional and the suite of applications found on a desktop system
- Build on the existing resources, i.e. guides, documents, and recommendations produced by NSA, Microsoft, and the security community
- A complete, unified how-to document covering OS and common application installation and configuration, with references and pointers to specialized resources

Document Structure
- High level overview of Windows 2000 built-in security features
- Windows 2000 Professional installation recommendations
- Patching and updating
- Securing the OS
- Application security
- Description of modified registry keys
- Various references for further research

General OS Hardening Principles
- Perform a clean installation
- Install OS updates and patches
- Remove and disable unnecessary services, utilities, and applications
- Restrict access to the OS critical binaries and system configuration files and utilities
- Least privilege: separate administrator and user roles
- Protection of user data through discretionary access control
- Auditing of critical files

General Principles for Protecting Applications Against Active Content
- Install virus scanners, keep them updated, and enable e-mail attachment scanning
- Keep applications updated
- Remove VBS and VBE file-type associations
- Set Outlook attachment security to High
- Set macro security to High
- Enable digital signatures for safe macros
- Set Internet Zone security to High
- Utilize the Trusted Sites Zone

System Administrator Guidance for Securing Microsoft Windows 2000 Professional System

Overview
- Install OS and default applications
- Fully patch the OS and applications
- Configure applications
- Review the template settings and customize for your environment
- Apply the security template
- Test the settings
- Deploy within your environment

Windows 2000 Professional Installation
- Perform the installation on a secure network segment or off the network
- Partition the hard drive using NTFS for system and data files
- Install the OS with the minimum required services
- Install Internet Protocol (TCP/IP) networking and Client for Microsoft Networks only

Application Installation
- Install an anti-virus scanner, e.g. Norton Antivirus, McAfee, or F-Secure
- Install an e-mail client, e.g. Eudora or MS Outlook 2000
- Install the browser, e.g. Internet Explorer 6 or Netscape 4.79
- Install MS Office 2000, selecting only the required components
- Run and test each application

Updates and Patches
- Apply the latest service pack, i.e. SP2
- Download and install the required hotfixes from the Microsoft security site, http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/current.asp
- Windows Update can be used to download and install the patches; use caution for initial updates since this method requires a connection to the Internet
- Download and install all other application patches and updates as required
- Periodically scan the system to determine the patch status of the OS and all applications
Microsoft Hotfix Service

Hfnetchk.exe
- Tool used to check the hotfix status of a single computer, an IP range, or an entire domain
- Can be downloaded from http://www.microsoft.com/downloads/release.asp?releaseid=31154
- Latest configuration file can be manually downloaded from http://msvaus.www.conxion.com/download/xml/security/1.0/NT5/EN-US/mssecure.cab

Qchain.exe
- Allows installation of multiple hotfixes without rebooting between each
- Install hotfixes with the -z switch to disable the reboot after install
- Run qchain.exe after the hotfixes have been installed
- Run Qfecheck.exe /v to verify the hotfix installation
- http://support.microsoft.com/default.aspx?scid=kb;en-us;Q282784

Anti-Virus Configuration
- Ensure signatures are up to date
- Enable automatic protection
- Enable e-mail scanning
- Enable Internet filtering
- Enable periodic scanning
- Enable heuristics, if available
- Enable automatic updating

Outlook Client Configuration
- Disable auto opening of messages
- Disable the preview pane and AutoPreview
- Set attachment security to High
- Set security zone to Restricted sites
- Set macro security level to High; macros will be silently disabled unless they are signed

Eudora Client Configuration
- Ensure that all executable content extension types are registered in the WarnLaunchExtensions list within the Eudora.ini file
- Redirect the Eudora data files into the user’s application directory
- Ensure that executables in HTML content are not allowed
- Do not use Microsoft’s viewer
- Enable executable warnings

IE Zone Security
- Local intranet zone: content located on the internal network
- Trusted sites zone: websites entered into this zone are considered reputable and/or trustworthy
- Internet zone: untrusted content
- Restricted sites zone: highest security level for untrusted sites and applications
- Local machine zone: files on the local computer

IE Configuration
- Set the Internet Zone to High
- Set the Trusted Sites Zone security to Medium
- Add trusted sites that will not function with a High security setting to this zone
- Set the intranet setting to the maximum setting your environment can tolerate

Netscape Configuration
- Enable only the minimum utilities required during the install
- Disable Java and JavaScript if not required
- Review plug-ins and remove the .dll files of undesired plug-ins

Office Configuration
- Enable digital signatures for trusted macros
- Ensure macro security is set to High
- Clear the “Trust all installed add-ins and templates” checkbox to apply the macro security settings to preinstalled macros
- If required within your environment, all macros can be disabled regardless of their signature status through registry settings

NIST Template Settings
- Created by combining recommendations from Microsoft, NSA, and the security community
- Few modifications were made to NSA’s recommendations
- Added several keys and modifications to services
- Tested all of the settings using combinations of the applications discussed within the guide

Services
- Disabled by the NIST template: Internet Connection Sharing, Routing and Remote Access, Task Scheduler, Telnet
- Guidance given to administrators for disabling additional services

Password Policy Differences
Maximum Password Age: NSA = 42; Microsoft = 42; SANS = 45 to 90; NIST = 90
  (System administration cost and time considerations)
Minimum Password Age: NSA = 2; Microsoft = 2; SANS = 1 to 5; NIST = 1
  (Acceptable length of time to prevent users from changing passwords to circumvent the history table)
Minimum Password Length: NSA = 12; Microsoft = 8; SANS = 8; NIST = 8
  (System administration cost and time considerations)

Account Lockout Policy
Account Lockout Duration (minutes): NSA = 15; Microsoft = 0; NIST = 15
  (System administration cost and time considerations)
Account Lockout Threshold: NSA = 3; SANS = 240; Microsoft = 5; SANS = 5; NIST = 3
  (A shorter account lockout duration allows us to decrease the lockout threshold)
Reset Account Lockout Counter After (minutes): NSA = 15; Microsoft = 30; SANS = 240; NIST = 15
  (System administration cost and time considerations)

Audit Policy
Audit Directory Service Access: NSA = None; SANS = Success,Failure; Microsoft = Not Defined; NIST = None
Audit Object Access: NSA = Failure; SANS = Success,Failure; Microsoft = Success,Failure; NIST = Failure
Audit Privilege Use: NSA = Failure; SANS = Success,Failure; Microsoft = Success,Failure; NIST = Failure
  (Changes made for reduction of log entries)

User Rights Assignment
Access this computer from the network: NSA = Users,Administrators; Microsoft = Not Defined; SANS = None; NIST = Users,Administrators
Bypass traverse checking: NSA = Users; SANS = Administrators; Microsoft = Not Defined; NIST = Users
  (Some directory permissions require this privilege)
Change system time: NSA = Administrators; SANS = Admin,Auth Users; Microsoft = Not Defined; NIST = Administrators
  (Restricted for audit purposes)
Force shutdown from a remote location: NSA = Administrators; SANS = None; Microsoft = Not Defined; NIST = Administrators
  (System administration cost and time considerations)

Security Options
Lan Manager Authentication Level: NSA, Microsoft & NIST = NTLMv2/Refuse NTLM&LM; SANS = NTLMv2 or NTLM
  (For use in a Windows 2000-only environment)
Shutdown immediately if unable to log security audits: NSA = Enabled; Microsoft = Disabled; SANS = Enabled if 9 to 18 Gb; NIST = Disabled/Enable if site policy requires it

SynAttackProtect
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect = 2
- Hardens the TCP stack against SYN attacks
- Adjusts the retransmission delays for SYN-ACKs
- TCP connection requests quickly time out when a SYN attack is in progress

TcpMaxHalfOpen
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen = 100
- Controls the number of connections in the SYN-RCVD state allowed before SynAttackProtect begins to operate

TcpMaxHalfOpenRetried
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried = 80
- Controls the number of connections in the SYN-RCVD state for which there has been at least one retransmission of the SYN sent, before SynAttackProtect begins to operate

EnablePMTUDiscovery
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery = 1
- Limits TCP segments to the largest packet size allowed to a remote host, to eliminate packet fragmentation

EnableICMPRedirects
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirects = 0
- Controls whether Windows 2000 will alter its route table in response to ICMP redirect messages sent to it by network devices such as routers

AeDebug\Auto
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Auto = 0
- Disables auto start of the Dr. Watson program debugger on Windows 2000 Professional
- To re-enable the debugger, type the following at the command line: drwtsn32 -i
- The debugger dump files can contain sensitive information

CreateCrashDump
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DrWatson\CreateCrashDump = 0
- If Dr. Watson is enabled, this setting prevents sensitive information from being dumped from memory
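The NIST template is distributed as a security template, the INI-style .inf file that secedit and the Security Configuration Editor consume, and secedit's /export switch writes a workstation's current settings in the same format. That makes it straightforward to check a machine against the password and lockout policy values, the disabled services, and the registry keys on the slides above. The Python script below is an added example, not code from NIST or from the guide: it parses a constructed template (not a real system's export) and reports every checked setting that departs from the NIST values. The registry value types (REG_SZ for AeDebug\Auto in particular), the short service names (SharedAccess, RemoteAccess, Schedule, TlntSvr) and the sample template itself are assumptions made here; the expected values are the ones on the slides.

```python
"""Audit a Windows 2000 security template (.inf as exported by secedit)
against the NIST template values quoted on the slides. Constructed example:
the sample template is made up, not a real system's export."""

# [System Access] values from the password and account lockout policy slides.
NIST_SYSTEM_ACCESS = {
    "MaximumPasswordAge": 90, "MinimumPasswordAge": 1, "MinimumPasswordLength": 8,
    "LockoutDuration": 15, "LockoutBadCount": 3, "ResetLockoutCount": 15,
}
# [Registry Values] lines are path=type,value (4 = REG_DWORD, 1 = REG_SZ) and
# MACHINE\ stands for HKEY_LOCAL_MACHINE. Treating AeDebug\Auto as REG_SZ is an
# assumption made here; the slides give only the values.
TCPIP = r"MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters"
NIST_REGISTRY = {
    TCPIP + r"\SynAttackProtect": (4, "2"),
    TCPIP + r"\TcpMaxHalfOpen": (4, "100"),
    TCPIP + r"\TcpMaxHalfOpenRetried": (4, "80"),
    TCPIP + r"\EnablePMTUDiscovery": (4, "1"),
    TCPIP + r"\EnableICMPRedirects": (4, "0"),
    r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\Auto": (1, "0"),
    r"MACHINE\Software\Microsoft\DrWatson\CreateCrashDump": (4, "0"),
}
# Services the NIST template disables (ICS, Routing and Remote Access, Task
# Scheduler, Telnet); the short service names are assumed here. In a
# [Service General Setting] line "name,startup,sddl", startup 4 = Disabled.
NIST_DISABLED_SERVICES = {"SharedAccess", "RemoteAccess", "Schedule", "TlntSvr"}

SAMPLE_TEMPLATE = r"""
; constructed sample, deliberately off the NIST values in a few places
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 6
LockoutBadCount = 5
ResetLockoutCount = 15
LockoutDuration = 15
[Registry Values]
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect=4,2
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen=4,100
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried=4,80
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery=4,1
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirects=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\Auto=1,"0"
MACHINE\Software\Microsoft\DrWatson\CreateCrashDump=4,0
[Service General Setting]
Schedule,4,"D:AR(A;;CCLCSWLOCRRC;;;AU)"
TlntSvr,3,"D:AR(A;;CCLCSWLOCRRC;;;AU)"
RemoteAccess,4,"D:AR(A;;CCLCSWLOCRRC;;;AU)"
"""


def parse_template(text):
    """Parse the INI-like template into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        # service lines are comma separated; everything else is key=value
        sep = "," if current == "Service General Setting" else "="
        if current is None or sep not in line:
            continue
        key, value = line.split(sep, 1)
        sections[current][key.strip()] = value.strip()
    return sections


def audit_template(text):
    """Return (section, item, finding) tuples where the template departs from
    the NIST values; an empty list means every checked setting matches."""
    tpl = parse_template(text)
    findings = []
    access = tpl.get("System Access", {})
    for key, want in NIST_SYSTEM_ACCESS.items():
        if key not in access:
            findings.append(("System Access", key, "not set"))
        elif int(access[key]) != want:
            findings.append(("System Access", key, f"is {access[key]}, NIST uses {want}"))
    reg = tpl.get("Registry Values", {})
    for path, (rtype, want) in NIST_REGISTRY.items():
        if path not in reg:
            findings.append(("Registry Values", path, "not set"))
            continue
        have_type, have = reg[path].split(",", 1)
        if int(have_type) != rtype or have.strip('"') != want:
            findings.append(("Registry Values", path, f"is {reg[path]}, NIST uses {rtype},{want}"))
    services = tpl.get("Service General Setting", {})
    for name in sorted(NIST_DISABLED_SERVICES):
        if name not in services:
            findings.append(("Service General Setting", name, "startup not configured"))
        elif services[name].split(",", 1)[0] != "4":
            findings.append(("Service General Setting", name, "not disabled (startup != 4)"))
    return findings


if __name__ == "__main__":
    for section, item, finding in audit_template(SAMPLE_TEMPLATE):
        print(f"[{section}] {item}: {finding}")
```

Run against the constructed sample, the audit flags the short minimum password length, the lockout threshold of 5, ICMP redirects left enabled, the Telnet service set to Manual rather than Disabled, and Internet Connection Sharing with no startup setting at all. A setting that is simply absent is reported as well, since a template that does not mention a key leaves the machine's current value in place, which is exactly the gap that customizing a template for a site tends to open.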
Future
- Welcome inputs and suggestions from the security community
- Areas: Windows 2000 Server and Active Directory; Windows XP Professional and Home; Microsoft .NET
- Suggestions: itsec@nist.gov

Conclusion
- Document: http://csrc.nist.gov/itsec/download_W2Kpro.html
- Comments, suggestions, and questions: itsec@nist.gov

Disclaimer
Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST, nor does it imply that the products mentioned are necessarily the best available for the purpose. The following information is provided for civil and government agencies requiring security configuration guidelines. Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. This document is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment. Furthermore, this guide does not address site-specific configuration issues. Care must be taken when implementing this guide to address local operational and policy concerns. This document and templates were developed at the National Institute of Standards and Technology by employees of the Federal Government in the course of their official duties. Pursuant to Title 17 Section 105 of the United States Code, this document and templates are not subject to copyright protection and are in the public domain. NIST assumes no responsibility whatsoever for their use by other parties, and makes no guarantees, expressed or implied, about their quality, reliability, or any other characteristic. We would appreciate acknowledgement if the documents and templates are used.