Windows Security Tips - PowerPoint PPT Presentation

Provided by: mark561

Transcript and Presenter's Notes
1
Windows Security Tips
Adapted from presentation given by Mark Minasi at
GAETC
Ernest Staats erstaats@gcasda.org, MS Information
Assurance, CISSP, MCSE, CNA, CWNA, CCNA,
Security+, I-Net+, Network+, Server+, A+
Resources available at http://www.es-es.net
2
Win Security Tips
  • Security versus Usability
  • Must have Written Security Policy
  • Passwords
  • Limit the Administrator
  • Auditing and Logs
  • Turn off unneeded Services
  • Lock down IIS
  • Simplify hardening by using security templates
  • eXPloit XP, 2003, SP1/2
  • Physical Security
  • Have A DR Plan
  • Upgrade the Carbon Units
  • Stay Informed
  • Patch!

3
Security versus Usability
  • We accept risks all the time
  • Microsoft security versus Novell security, and
    what about Linux?
  • Many hardening techniques will cause software
    to break

4
Security Policies
  • Policies will only work if:
    • Administration is on board
    • You have a written security policy
    • It has some real teeth and real consequences
  • If not, then relax! You're going to get hacked,
    but there's nothing you can do about it, so don't
    work late

5
Passwords: the stakes
  • Bad guys just need ONE account, not all of them
  • Passwords are a CARBON-based issue, not a
    SILICON-based issue
  • Get the users on board, or NO technology will work

6
Passwords: the modern facts
  • Passwords are attacked in several ways:
    • Shoulder surfing
    • Post-Its
    • They're yelled across a room
    • They are shared <Big issue for schools>
    • Someone steals your password hashes and cracks
      them
    • Someone tries repeatedly to log on with different
      passwords

7
How Technical Attacks Work
  • Passwords are never stored on your computer;
    instead, password hashes are stored
  • As the crackers are guessing against your hashes
    offline, they're not subject to account lockout
    <USB HackSaw>
  • And someone needs either an admin password or
    physical access to your DCs to get these hashes!

8
Bad Passwords
  • These kinds of passwords can almost always be
    cracked in minutes:
    • A name associated with you or your organization
    • A date associated with you or your organization
    • A dictionary word
    • Just adding a number or a capital adds no more
      than a few minutes to the time
    • Passwords under 8 characters
  • Disable LM hashes; Google "RainbowCrack" if you
    do not know anything about how passwords are stored

9
Make Passwords Secure
  • One of the top Windows authorities, Mark Minasi,
    advocates a 15-character minimum password length
    with no complexity requirement
  • A passphrase
  • 15 lowercase letters: 26^15 =
    1,677,259,342,285,725,925,376 possibilities
  • Try a million a second and it'll take 531,855
    centuries
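
The arithmetic behind slide 9 and the setting behind slide 8's "disable LM hashes", as an added PowerShell example that is not part of the original presentation. The registry key and value are the real LSA setting; the guess rates and the 365-day year are the slide's assumptions, and the billion-guesses-a-second rate is an assumption added here for contrast.

```powershell
# Added example, not from the slides. Sizes a keyspace the way slide 9 does and checks
# the LSA setting behind slide 8's "disable LM hashes". The registry key and value are
# the real ones; guess rates and the 365-day year are the slide's assumptions.

function Get-CrackTime {
    param(
        [Parameter(Mandatory)][int]$AlphabetSize,      # 26 = lowercase, 95 = printable ASCII
        [Parameter(Mandatory)][int]$Length,
        [bigint]$GuessesPerSecond = 1000000             # the slide's "a million a second"
    )
    $keyspace = [bigint]::Pow($AlphabetSize, $Length)
    # Time to exhaust the whole keyspace; an attacker expects to need about half of it.
    $seconds  = [bigint]::Divide($keyspace, $GuessesPerSecond)
    $years    = [bigint]::Divide($seconds, 365 * 24 * 3600)
    [pscustomobject]@{
        Alphabet  = $AlphabetSize
        Length    = $Length
        Keyspace  = $keyspace
        Years     = $years
        Centuries = [bigint]::Divide($years, 100)
        # LM hashing only covers the first 14 characters, so a 15+ character password
        # stores a dummy LM hash: Minasi's reason for "15 characters, no complexity".
        LMHashStored = ($Length -le 14)
    }
}

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Test-LMHashDisabled {
    # NoLMHash = 1 (REG_DWORD) tells LSA not to store LM hashes at the next password change.
    $v = (Get-ItemProperty -Path $LsaKey -Name NoLMHash -ErrorAction SilentlyContinue).NoLMHash
    return ($v -eq 1)
}

function Disable-LMHash {
    # Needs an elevated shell. Hashes already in the SAM/AD stay until each password changes.
    Set-ItemProperty -Path $LsaKey -Name NoLMHash -Value 1 -Type DWord
}

# The slide's figure: 26^15 at a million guesses a second is 531,855 centuries.
Get-CrackTime -AlphabetSize 26 -Length 15
# An 8-character "complex" password is exhausted in about two centuries at the same rate,
# and in under three months at a billion guesses a second (an assumed rate).
Get-CrackTime -AlphabetSize 95 -Length 8
Get-CrackTime -AlphabetSize 95 -Length 8 -GuessesPerSecond 1000000000
if (-not (Test-LMHashDisabled)) { Disable-LMHash }
```

The LMHashStored column is the point the slide leaves implicit: the LM hash is computed from at most 14 characters, so a 15-character minimum removes the weak hash even on systems where NoLMHash was never set. Setting NoLMHash only affects future password changes; force a change (or check that the policy already exceeds 14 characters) before assuming the old hashes are gone.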

10
Limit the Administrator
  • The local Administrator account is unaccountable
    • Rename it
    • Prohibit insiders from using it also
    • (Otherwise, auditing is pointless)
  • Give people's accounts the admin privileges that
    they need, no more
  • Then assume that people using Administrator have
    no good in mind: make using it a firing offense!

11
Limit the Administrator
  • Lock out the Administrator account by
    deliberately trying to log in with the wrong
    password (need to download passprop from the
    Resource Kit and run passprop /adminlockout to
    make this possible)
  • Effect: now Admin only works locally, at the
    console; network logons with it are locked out
  • Change the Admin password and then don't spread
    the new password around
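
Slides 10 and 11 in working form, as an added example that is not part of the original presentation: locate the built-in Administrator by its well-known RID 500 rather than by name, rename it, and list the logons that still used it. The cmdlets assume PowerShell 5.1 or later with the LocalAccounts module (Windows 10 / Server 2016+); event ID 4624 is the Vista-and-later logon event (2000/2003 logged 528/540 instead); the new account name is an assumed value.

```powershell
# Added example, not from the slides. Requires an elevated PowerShell 5.1+ session.

function Get-BuiltinAdministrator {
    # The name can be anything after a rename; the SID always ends in -500.
    Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
}

function Rename-BuiltinAdministrator {
    param([Parameter(Mandatory)][string]$NewName)    # e.g. 'LocalBox01' (assumed)
    $admin = Get-BuiltinAdministrator
    if ($admin.Name -ne $NewName) {
        Rename-LocalUser -Name $admin.Name -NewName $NewName
    }
    Get-BuiltinAdministrator
}

function Get-BuiltinAdministratorLogons {
    # Slide 10: if insiders are prohibited from using the account, every hit here is a policy violation.
    param([int]$Days = 30)
    $adminSid = (Get-BuiltinAdministrator).SID.Value
    $filter   = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[4].Value.ToString() -eq $adminSid } |   # TargetUserSid
        ForEach-Object {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Account   = $_.Properties[5].Value    # TargetUserName (the current name)
                LogonType = $_.Properties[8].Value    # 2 = console, 3 = network, 10 = RDP
                Process   = $_.Properties[17].Value   # ProcessName
                From      = $_.Properties[18].Value   # IpAddress ('-' for local logons)
            }
        }
}

Rename-BuiltinAdministrator -NewName 'LocalBox01'
Get-BuiltinAdministratorLogons -Days 30 | Format-Table -AutoSize
```

Renaming is for accountability, not secrecy: the script itself finds the account by SID, and so will an attacker, which is why the slide pairs the rename with a lockout, a changed password and auditing.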

12
Don't Spend All Day As Admin
  • Tempting to be logged in all day as an
    administrator
  • But it's easier to make mistakes, and anything you
    run (malware included) runs with your rights
  • Workaround: the runas command
  • Works best when shift-right-clicking a menu item
    (Run as...)

13
Auditing And Logs
  • Audit important functions
  • You first enable audits/logging one machine at a
    time or with system/group policies
  • You've then got to decide how much auditing is
    right for you
  • Remember, though, that 2000/2003 don't centralize
    Security logs; they live separately on each
    workstation and server
  • Essential tool: EventCombMT; search for
    "eventcombmt" at microsoft.com
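
Both halves of slide 13, as an added PowerShell example that is not part of the original presentation: turn on logon auditing on one machine, then pull the Security logs of several machines into one file, which is the job EventCombMT did on 2000/2003. The computer names, output path, event IDs (Vista-and-later numbering) and 30-day window are assumptions; auditpol needs an elevated shell, and the remote pull needs admin rights on the targets plus the Remote Event Log Management firewall rule.

```powershell
# Added example, not from the slides. Run elevated.

function Enable-LogonAuditing {
    # Vista+ subcategories. Group Policy (Computer Configuration > Audit Policy) sets the same thing centrally.
    auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
    auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable | Out-Null
    auditpol /set /subcategory:"Special Logon" /success:enable | Out-Null
    auditpol /get /category:"Logon/Logoff"
}

function Get-CentralSecurityEvents {
    param(
        [string[]]$ComputerName = @('FS01', 'DC01'),     # assumed names
        [int[]]$EventId = @(4624, 4625, 4740),           # logon ok / logon failed / account locked out
        [int]$Days = 30,
        [string]$OutFile = "$env:TEMP\security-events.csv"
    )
    $since = (Get-Date).AddDays(-$Days)
    $rows = foreach ($c in $ComputerName) {
        try {
            Get-WinEvent -ComputerName $c -ErrorAction Stop `
                -FilterHashtable @{ LogName = 'Security'; Id = $EventId; StartTime = $since } |
                ForEach-Object {
                    [pscustomobject]@{
                        Computer = $c
                        Time     = $_.TimeCreated
                        Id       = $_.Id
                        # TargetUserName is field 0 for 4740 and field 5 for 4624/4625.
                        Account  = if ($_.Id -eq 4740) { $_.Properties[0].Value } else { $_.Properties[5].Value }
                        Summary  = ($_.Message -split "`r?`n")[0]
                    }
                }
        } catch {
            # Unreachable host or no rights: report it rather than silently losing that machine's log.
            Write-Warning "$c : $($_.Exception.Message)"
        }
    }
    $rows | Export-Csv -Path $OutFile -NoTypeInformation
    $rows | Group-Object Computer, Id | Select-Object Count, Name | Sort-Object Count -Descending
}

Enable-LogonAuditing
Get-CentralSecurityEvents -ComputerName 'FS01', 'DC01' -Days 7
```

The warning path matters: the slide's point is that each machine keeps its own log, so a collector that skips an unreachable host without saying so leaves exactly the gap an attacker would want.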

14
Turn off unneeded Services
  • File server Server / Computer Browser
  • Messenger / Alerter
  • Clipbook service
  • XP Web Client
  • Wireless Zero Configuration
  • Web Server, SMTP server
  • Fax
  • Net Meeting Remote Desktop Sharing
  • RRAS
  • Error Reporting Service / Upload Manager
  • Internet Connection Firewall
  • Automatic Updates / Background Intelligent
    Transfer Service (if not using SUS/Windows
  • Infrared Monitor
  • SSDP Discovery Service
  • Universal PnP Host
  • Index Service
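
Slide 14 as a repeatable procedure, an added PowerShell example that is not part of the original presentation: stop and disable the listed services, skip any that are not installed on this build, and record each service's previous start type so the change can be undone when hardening breaks something (slide 3). The short service names are the XP/2003-era names for the display names on the slide; the rollback file path is an assumption. Run elevated.

```powershell
# Added example, not from the slides. Run elevated.

$UnneededServices = @(
    'Messenger', 'Alerter', 'ClipSrv',       # Messenger, Alerter, ClipBook
    'WebClient', 'WZCSVC',                   # XP Web Client, Wireless Zero Configuration
    'Fax', 'mnmsrvc',                        # Fax, NetMeeting Remote Desktop Sharing
    'RemoteAccess', 'ERSvc', 'uploadmgr',    # RRAS, Error Reporting, Upload Manager
    'Irmon', 'SSDPSRV', 'upnphost', 'CiSvc'  # Infrared Monitor, SSDP Discovery, UPnP Host, Indexing
)

function Disable-UnneededServices {
    param(
        [string[]]$Name = $UnneededServices,
        [string]$RollbackFile = "$env:TEMP\service-rollback.csv"   # assumed path
    )
    $report = foreach ($n in $Name) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        if (-not $svc) { continue }    # not installed on this build: nothing to do
        # Win32_Service knows the start mode (Auto/Manual/Disabled); keep it for the rollback.
        $before = (Get-CimInstance Win32_Service -Filter "Name='$n'").StartMode
        if ($svc.Status -ne 'Stopped') {
            # -Force stops dependent services too; without it Stop-Service refuses.
            Stop-Service -Name $n -Force -ErrorAction SilentlyContinue
        }
        Set-Service -Name $n -StartupType Disabled
        [pscustomobject]@{ Name = $n; DisplayName = $svc.DisplayName; WasStartMode = $before; Now = 'Disabled' }
    }
    $report | Export-Csv -Path $RollbackFile -NoTypeInformation
    $report
}

function Restore-Services {
    param([string]$RollbackFile = "$env:TEMP\service-rollback.csv")
    foreach ($row in Import-Csv $RollbackFile) {
        # Win32_Service says 'Auto'; Set-Service wants 'Automatic'.
        $mode = if ($row.WasStartMode -eq 'Auto') { 'Automatic' } else { $row.WasStartMode }
        Set-Service -Name $row.Name -StartupType $mode
    }
}

Disable-UnneededServices | Format-Table -AutoSize
# Restore-Services    # when a disabled service turns out to be needed
```

Disabling, rather than just stopping, is what keeps the service from coming back at the next boot; the rollback CSV is the "before" state that a template's /generaterollback gives you for policy settings (slide 18), here for services.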

15
IIS Services
  • Permissions are important: users visit your home
    page as IUSR (IUSR_<machine> on IIS 5/6)
  • But by default IUSR has full control of most of
    your disk (it is a member of Everyone, which has
    Full Control of the drive root on Windows 2000);
    change the default permissions
  • (2003 fixes this)
  • There's an IIS Lockdown tool from MS; try it
    carefully (IIS 6 doesn't need it)
  • Get rid of the stuff you don't use (FrontPage
    extensions, WebDAV, sample code, etc.)
  • Stay on top of IIS patches
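
A way to find the permission problem slide 15 describes before changing anything, as an added PowerShell example that is not part of the original presentation: walk the disk and report every directory where the anonymous web account, or a group it belongs to, is allowed to write, then tighten the web root. IIS 7+ uses the built-in IUSR account; IIS 5/6 used IUSR_<machine>, hence the wildcard match. The scan root and web root paths are assumptions; run as an administrator so every ACL is readable.

```powershell
# Added example, not from the slides. Run as an administrator.

function Find-WritableByIUSR {
    param([string]$Root = 'C:\')   # assumed scan root
    $writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $dirs = @(Get-Item $Root) + (Get-ChildItem -Path $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($d in $dirs) {
        $acl = Get-Acl -LiteralPath $d.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            # Everyone, Users and Authenticated Users include the anonymous account, so they count too.
            $id = $ace.IdentityReference.Value
            if ($id -notmatch 'IUSR|Everyone|^BUILTIN\\Users$|Authenticated Users') { continue }
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.FileSystemRights -band [int]$writeRights) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $d.FullName
                Identity  = $id
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited    # inherited from the root is the Windows 2000 case
            }
        }
    }
}

function Set-WebRootReadOnlyForIUSR {
    # Break inheritance from the volume root, drop Everyone, and leave IUSR read/execute only.
    param([string]$WebRoot = 'C:\inetpub\wwwroot')   # assumed path
    icacls $WebRoot /inheritance:d /remove:g Everyone /grant:r 'IUSR:(OI)(CI)RX'
}

Find-WritableByIUSR -Root 'C:\' | Format-Table -AutoSize
Set-WebRootReadOnlyForIUSR
```

Read the report before running the fix: an application that writes uploads or logs under the web root needs a specific writable subdirectory granted back, with script execution disabled there, rather than Everyone:Full Control on the whole tree.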

16
Simplify Hardening: Security Templates
  • To secure a system, you:
    • Install patches
    • Adjust local policies and security settings
    • Adjust event log settings
    • Modify NTFS permissions
    • Set local groups accordingly
    • Shut off local services
  • But who wants to do all that by hand?

17
Local Policies
  • Create ASCII templates to set:
    • Account Policies, Local Policies, Event Log
      policies and event log settings (registry stuff)
    • Restricted Groups: control and reset group
      members
    • System services: turn 'em on or off, control who
      can
    • Registry: set permissions on Registry keys
    • NTFS: preconfigure NTFS permissions on
      particular directories or files

18
Local Policies
  • You can apply templates with secedit.exe, machine
    by machine (although you can use a remote tool
    like telnet); domain GPs make it easier
  • Neat 2003 feature: /generaterollback creates a
    template that will undo what you did; good for
    testing
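
Slides 16 to 18 end to end, as an added example that is not part of the original presentation: a security template covering account policy, the renamed Administrator, auditing, a registry value, a disabled service and an NTFS ACL (the template sections slide 17 lists), then the secedit workflow from slide 18 with the rollback generated first. The template is written from PowerShell but is the plain .inf secedit consumes. The policy values, the new Administrator name, the file paths and the choice of SSDPSRV and wwwroot as the service and directory examples are assumptions; S-1-5-17 is the IIS 7+ IUSR, so for IUSR_<machine> substitute that account's SID. Run from an elevated shell.

```powershell
# Added example, not from the slides. Run elevated.

$TemplatePath = "$env:TEMP\hardening.inf"
$Template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
; slide 9: 15-character minimum, no complexity (no LM hash can be stored either)
MinimumPasswordLength = 15
PasswordComplexity = 0
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
; slide 10: rename the built-in account (assumed name)
NewAdministratorName = "LocalBox01"
[Event Audit]
; 0 = none, 1 = success, 2 = failure, 3 = both
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 3
AuditPolicyChange = 3
[Registry Values]
; slide 8: stop storing LM hashes; 4 = REG_DWORD
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
[Service General Setting]
; slide 14: start type 2 = automatic, 3 = manual, 4 = disabled, then the service's DACL
"SSDPSRV",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
[File Security]
; slide 17: NTFS ACL; mode 0 = configure, then propagate inheritable permissions downward
; BA/SY full control, S-1-5-17 (IUSR) read and execute (0x1200a9)
"%SystemDrive%\inetpub\wwwroot",0,"D:AR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;S-1-5-17)"
'@

function New-HardeningTemplate {
    Set-Content -Path $TemplatePath -Value $Template -Encoding Unicode
    $TemplatePath
}

function Invoke-HardeningTemplate {
    param([string]$Work = $env:TEMP)
    # 1. Slide 18: generate the rollback BEFORE applying (Windows Server 2003 and later).
    secedit /generaterollback /db "$Work\hardening.sdb" /cfg $TemplatePath /rbk "$Work\rollback.inf" /log "$Work\rollback.log" /quiet
    # 2. Apply the template.
    secedit /configure /db "$Work\hardening.sdb" /cfg $TemplatePath /overwrite /log "$Work\configure.log" /quiet
    # 3. Compare the live machine with the template; drift shows up as Mismatch lines.
    secedit /analyze /db "$Work\hardening.sdb" /log "$Work\analyze.log" /quiet
    Get-Content "$Work\analyze.log" | Select-String -Pattern 'Mismatch|Not Configured|Error'
}

function Undo-HardeningTemplate {
    param([string]$Work = $env:TEMP)
    secedit /configure /db "$Work\rollback.sdb" /cfg "$Work\rollback.inf" /overwrite /log "$Work\undo.log" /quiet
}

New-HardeningTemplate
Invoke-HardeningTemplate
# Undo-HardeningTemplate    # if something breaks; then re-test the template
```

Step 3 is the part people skip: /analyze against the same database turns the template into a compliance check you can re-run later, and the same .inf imports unchanged into a GPO's Security Settings once the OU structure from slide 19 exists. Try the rollback in a test VM first and confirm it restores everything you changed.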

19
Beyond Templates
  • Anything in a template can go into a domain-based
    group policy object
  • 2003's Security Configuration Wizard will create
    GPOs
  • Create OU structures that reflect different kinds
    of servers, and you can then attach different GPOs
    to those OUs

20
eXPloit XP and 2003
  • netstat -ano shows each connection's owning
    process ID (PID), so you can see which program
    created a session
  • XP SP2 and 2003 SP1 include per-user auditing,
    selective control of ActiveX controls,
    IPsec-based firewalls, and the Security Config Wizard
  • To learn more, read Mark Minasi Newsletters 41,
    42, 49
  • Group Policy Management Console lets you easily
    create templates from a machine, and make
    templates into group policy objects

21
Physical Security
  • Examples of things that are only possible, or far
    easier, locally than over the net:
    • Downing your server
    • Cracking a SAM or an AD
    • Stealing server hardware
    • Rebooting under DOS/Linux and reading NTFS files
    • Physically destroying the server

22
Have A Disaster Plan
  • Think about and write these down:
    • What do we do when we detect that we're under
      attack from an internal source?
    • What do we do when we detect that we're under
      attack from an external source?
    • What do we do in the event of a disaster?

23
Have A Plan
  • KISS
  • After the attack/disaster, the question's the
    same: where are the backups? How do I restore
    them?
  • These should be step-by-step plans
  • These must be tested beforehand
  • This is not a small job, but it's necessary and
    even constitutes training materials for new hires

24
Upgrade the Carbon Units
  • While there is no patch for human stupidity,
    training can lower your risk level greatly
  • The bad guys win when users invite them in
  • Don't yell, but user training is the answer
  • Just 15 minutes of basics about mail and
    attachments goes a long way

25
Stay Informed and Stay Paranoid
  • Keeping your servers secure protects you and
    limits your liability if your systems are used to
    attack others.
  • www.microsoft.com/security for patches etc.
  • Don't assume that because you have a firewall
    you are secure. You are probably worse off
    because of the false idea that you are secure.

26
Practice Patch Control
  • Use Microsoft's WSUS patch server
  • WSUS patches Windows, Office, Exchange (but NOT
    SQL 2000, so be careful)
  • You can slipstream service packs onto your
    Windows setup disk; we have done that and added
    driver packs to make setting up new PCs faster