windows server hardening procedure


Upload: omarelmoktar19869795

Post on 19-Oct-2015


Procedure Template

1. Review OS Patch Security
   1. Critical Patches
      1. Install critical patches listed in the current Critical Security Patches document.

2. Review Physical Access Security
   1. Location Security
      1. Place the server in a physically secure area that complies with the Physical Security for Infrastructure Technology section of the Watson Security Policy.
   2. BIOS Security
      1. Set a BIOS password to prevent the boot sequence from being changed. Note: Many new servers have an Administrator BIOS password versus a generic BIOS password that may prevent a server from rebooting. This may occur if the BIOS password is prompted for at each reboot.
      2. Configure the BIOS so the system must boot from the hard drive first, then from the floppy or CD-ROM. Note: This boot sequence is configured in the system's BIOS, which is typically accessed by hitting a special key (such as DEL or Ctrl-S) during early boot-up. Watch for an on-screen message and refer to the owner's manual to discover this key sequence and to learn how to modify BIOS settings. An additional step is to set a BIOS setup password that prevents a person from changing the boot sequence to floppy or CD first.
   3. Console Security
      1. Configure the automatic password-protected screen saver so it will activate after five minutes of inactivity at the console.
   4. Recovery Console
      1. Disable the automatic administrative logon feature.

3. Review User and Group Security
   The consistent and proper application of user and group security is essential to maintaining a secure environment. As with all security policies, the least privilege approach should be used when assigning rights and access. The following is to be followed when reviewing server security:
   1. Users and Groups
      1. Remove general user IDs from the local SAM. Process IDs are permitted, but must be documented. Note: "General user IDs" refers to user IDs created for specific people and associated with a specific person.
      2. Review and confirm that only Local groups are being used to apply security.
      3. Review and confirm that only Global groups are added to Local groups. The general user is to be added to the Global groups for share access and file permissions. Note: Local Groups must not contain individual users. If a single individual requires access to a single server, a new Global Group must be created, that individual must be added to the new Global Group, and that Global Group must be added to the appropriate Local Group. In addition, the description must be updated to provide details of that group's particular function.
   2. Administrator Account
      1. Rename the Administrator account.
      2. Rename the account to a non-obvious name (e.g., not "admin", "root", etc.).
      3. Delete the default account description for the renamed account.
      4. Change the renamed administrator account password and ensure it complies with the more restrictive administrator-level settings of the Watson Password Standard.
      5. Enable account lockout on the real (renamed) Administrator account by using the admnlock utility and running the admnlock /e command. Note: This enables the temporary lockout only for connections from the network. It does not affect administrator logons that occur interactively from the console or via Terminal Services.
      6. Create a decoy account named "Administrator" with no privileges.
      7. Disable the decoy Administrator account.
      8. Add the following account description for the decoy Administrator account: Built-in account for administering the computer/domain
      9. Change the decoy administrator account password and ensure it complies with the restrictive administrator-level settings of the Watson Password Standard.
   3. Guest Account
      1. Rename the Guest account.
      2. Delete the default account description for the renamed account.
      3. Ensure the Guest account remains disabled.
      4. Change the Guest account password. By default it does not have a password assigned. It must be set using the admin-level settings of the Watson Password Standard.
      5. Create a decoy account named "Guest" with no privileges.
      6. Disable the decoy Guest account.
      7. Ensure the decoy Guest account has the following account description: Built-in account for guest access to the computer/domain
      8. Change the decoy Guest account password and ensure it complies with the admin-level settings of the Watson Password Standard.

4. Review Share Security
   The definition of file shares must incorporate two levels of access permissions: share-level permissions and file-level permissions.
   1. Review and confirm that only the default admin shares exist on the system and boot partitions, typically the C: drive that contains the Windows OS installation.
   2. Review and confirm that Full Control for the Everyone group has been removed from all shared files and directories. The Authenticated Users group may be used in its place if wide access is required.
   3. Review files and directories to ensure that only required and approved permissions are applied.
   4. Review shares to ensure that only required and approved shares are implemented.
   5. When file access to the data drive (such as D:) is needed by SQL Administrators or other applicable groups, create the share as required:
   6. Apply Read/Write to all groups given access and Full Control to the Local Administrators group;
   7. Apply NTFS file permissions to the directory: Full Control for Local Administrators and as appropriate for all others;
   8. Apply the appropriate group permissions to any additional directories, except for Full Control.

5. Review Account Policies
   Account policies can be configured by accessing the Local Security Policy through Control Panel > Administrative Tools. There are two sections in Account Policies: Password Policy and Account Lockout Policy. Apply the following configuration settings:
   1. All passwords are at least 8 characters long (minimum);
   2. Minimum Password Age: 1 day;
   3. Maximum Password Age: 90 days;
   4. Password Uniqueness: 13 Passwords Remembered;
   5. Password Complexity: Enabled. Passwords are made up of various characters, which can be broken down into four character groups: uppercase alphabetic, lowercase alphabetic, numeric, and special characters. Requiring complex passwords will require new passwords to use characters from three of those four groups.
   6. Account Lockout Duration: 60 Minutes (minimum)
   7. Account Lockout After: 5 Bad Login Attempts (maximum)
   8. Reset Account Lockout After: 15 Minutes (minimum)

6. Review Object Security
   1. Protected Store Security
      1. Enable 168-bit Protected Store key length by using the Keymigrt.exe utility at least once, regardless of what patches or service packs are installed. Note: To obtain the Keymigrt tool, run the Microsoft Windows Security Update Q23332 Patch using the x
   2. File System Security
      1. Verify all partitions are NTFS.
      2. Convert all File Allocation Table (FAT16/FAT32) partitions to NTFS. Warning: The convert utility will set the ACLs for the converted drive to Everyone: Full Control. Use the fixacls.exe utility from the Windows NT Server Resource Kit to reset them to approved values.
      3. Verify applications reside on a different logical partition than the operating system where technically possible.
   3. Critical File Security
      1. Verify permissions for the critical system administration files listed below are modified so that only Administrators and SYSTEM have Full Access.
      2. Verify permissions for all other users have been removed.
      3. Relocate critical %SYSTEMROOT% and %SYSTEMDIRECTORY% administration files where technically possible.
      4. Verify relocated system administration files reside in a newly created %SYSTEMROOT%\TLS directory so that only Administrators and SYSTEM have Full Access.

      FILES
      %SYSTEMDIRECTORY%\ARP.EXE
      %SYSTEMDIRECTORY%\AT.EXE
      %SYSTEMDIRECTORY%\BOOTCFG.EXE
      %SYSTEMDIRECTORY%\CACLS.EXE
      %SYSTEMDIRECTORY%\CIPHER.EXE
      %SYSTEMDIRECTORY%\CMD.EXE
      %SYSTEMDIRECTORY%\COMMAND.COM
      %SYSTEMDIRECTORY%\CSCRIPT.EXE
      %SYSTEMDIRECTORY%\DEBUG.EXE
      %SYSTEMDIRECTORY%\EDLIN.EXE
      %SYSTEMDIRECTORY%\EVENTVWR.EXE
      %SYSTEMDIRECTORY%\EVENTVWR.MSC
      %SYSTEMDIRECTORY%\FIND.EXE
      %SYSTEMDIRECTORY%\FINDSTR.EXE
      %SYSTEMDIRECTORY%\FINGER.EXE
      %SYSTEMDIRECTORY%\FTP.EXE
      %SYSTEMDIRECTORY%\GETMAC.EXE
      %SYSTEMDIRECTORY%\GPEDIT.MSC
      %SYSTEMDIRECTORY%\IPCONFIG.EXE
      %SYSTEMDIRECTORY%\IPSECCMD.EXE
      %SYSTEMDIRECTORY%\ISSYNC.EXE
      %SYSTEMDIRECTORY%\MOUNTVOL.EXE
      %SYSTEMDIRECTORY%\NBTSTAT.EXE
      %SYSTEMDIRECTORY%\NET.EXE
      %SYSTEMDIRECTORY%\NET1.EXE
      %SYSTEMDIRECTORY%\NETSH.EXE
      %SYSTEMDIRECTORY%\NETSTAT.EXE
      %SYSTEMDIRECTORY%\NSLOOKUP.EXE
      %SYSTEMDIRECTORY%\NTBACKUP.EXE
      %SYSTEMDIRECTORY%\PATHPING.EXE
      %SYSTEMDIRECTORY%\PING.EXE
      %SYSTEMDIRECTORY%\POLEDIT.EXE
      %SYSTEMDIRECTORY%\RCP.EXE
      %SYSTEMDIRECTORY%\REG.EXE
      %SYSTEMDIRECTORY%\REGEDIT.EXE
      %SYSTEMDIRECTORY%\REGEDT32.EXE
      %SYSTEMDIRECTORY%\REGINI.EXE
      %SYSTEMDIRECTORY%\REGSVR32.EXE
      %SYSTEMDIRECTORY%\REXEC.EXE
      %SYSTEMDIRECTORY%\RSH.EXE
      %SYSTEMDIRECTORY%\ROUTE.EXE
      %SYSTEMDIRECTORY%\RUNAS.EXE
      %SYSTEMDIRECTORY%\RUNONCE.EXE
      %SYSTEMDIRECTORY%\SC.EXE
      %SYSTEMDIRECTORY%\SECEDIT.EXE
      %SYSTEMDIRECTORY%\SECPOL.MSC
      %SYSTEMDIRECTORY%\SYSKEY.EXE
      %SYSTEMDIRECTORY%\TELNET.EXE
      %SYSTEMDIRECTORY%\TFTP.EXE
      %SYSTEMDIRECTORY%\TRACERT.EXE
      %SYSTEMDIRECTORY%\TSKILL.EXE
      %SYSTEMDIRECTORY%\WSCRIPT.EXE
      %SYSTEMDIRECTORY%\XCOPY.EXE
      %SYSTEMDRIVE%\AUTOEXEC.BAT
      %SYSTEMDRIVE%\BOOT.INI
      %SYSTEMDRIVE%\CONFIG.SYS
      %SYSTEMDRIVE%\IO.SYS
      %SYSTEMDRIVE%\MSDOS.SYS
      %SYSTEMDRIVE%\NTBOOTDD.SYS
      %SYSTEMDRIVE%\NTDETECT.COM
      %SYSTEMDRIVE%\NTLDR
      %SYSTEMROOT%\REGEDIT.EXE

      Note: Upon completing the installation of service packs and hot-fixes, which can contain copies of the files listed above, you must verify that additional instances of the critical files have been deleted from temporary directories.
   4. Critical Directory Security
      1. Verify permissions for the critical system administration directories listed below are modified so that only Administrators and SYSTEM have Full Access.
      2. Verify permissions for all other users have been removed.

      DIRECTORIES
      %PROGRAMFILES%\RESOURCE KIT
      %PROGRAMFILES%\RESOURCE PRO KIT
      %SYSTEMDIRECTORY%\DLLCACHE
      %SYSTEMDIRECTORY%\IAS
      %SYSTEMDIRECTORY%\NTMSDATA
      %SYSTEMROOT%\REPAIR
      %SYSTEMROOT%\$NTSERVICEPACKUNINSTALL$
      %SYSTEMROOT%\CONFIG
      %SYSTEMROOT%\CSC
   5. Critical Registry Keys Security
      1. Verify permissions on the critical registry keys listed below have been modified so that only Administrators and SYSTEM have Full Access.
      2. Verify read and write permissions for all other users have been removed.

      REGISTRY KEYS
      HKEY_LOCAL_MACHINE\software\microsoft\netdde
      HKEY_LOCAL_MACHINE\software\microsoft\OS/2 Subsystem for NT
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
      HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\control\securepipeservers\winreg
      HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\control\wmi\security
      HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\services\SNMP\Parameters\PermittedManagers
      HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\services\SNMP\Parameters\ValidCommunities
      HKEY_USERS\.Default\software\microsoft\netdde

      3. Verify permissions on the critical registry keys listed below have been modified so that only Administrators, SYSTEM, and CREATOR OWNER have Full Control permissions.
      4. Verify Everyone has only Read permissions.
      5. Verify permissions for all other users have been removed.

      REGISTRY KEYS
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
   6. Subsystems Security
      1. Verify the OS/2 and POSIX subsystems have been removed.
   7. Device Security
      1. Verify CD-ROM access is restricted to locally logged-on users only.
      2. Verify floppy access is restricted to locally logged-on users only.
      3. Verify printer driver installation is restricted to administrators only.

7. Review Network Security
   1. Anonymous Access
      1. Disable the enumeration of SAM accounts and shares via the anonymous user account with the settings below.

         Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\
         Entry   Type    Value
         LSA     DWORD   1
   2. Null Session Access
      1. Restrict null session share access with the settings below.

         Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\
         Entry                   Type    Value
         RestrictNullSessAccess  DWORD
   3. Telnet Access
      1. Restrict telnet access by creating an empty TelnetClients Local Group on standalone servers and an empty TelnetClients Global Group on domain controllers. Note: Members of the Administrators group are provided access via Telnet regardless of their membership, or lack thereof, in the TelnetClients group. The telnet service must also be disabled unless approved by the Information Security Department.
   4. Remote Console Access
      1. Restrict Remote Console access by creating an empty Rconsole Users Local Group on standalone servers and an empty Rconsole Users Global Group on domain controllers.

8. Review Interactive Logon
   1. Add the following legal notice: Warning: These facilities are solely for the use of authorized employees or agents of the Company, its subsidiaries and affiliates. Unauthorized use is prohibited and subject to criminal and civil penalties. Individuals using this computer system are subject to having all of their activities on this system monitored and recorded by systems personnel.
   2. Disable the display of the last logged-on user name.
   3. Disable the Shutdown button in the Logon dialog box.
   4. Disable automatic administrator logon.
   5. Require use of CTRL+ALT+DEL for interactive logon.

9. Review Audit Policies
   Enable auditing by accessing the Local Security Policy through Control Panel > Administrative Tools. Audit Policies is located under Local Policies. Enable the following settings:
   1. Audit Account Logon Events: Success, Failure;
   2. Audit Account Management: Success, Failure;
   3. Audit Directory Service Access: Failure;
   4. Audit Logon Events: Success, Failure;
   5. Audit Policy Change: Success, Failure;
   6. Audit Privilege Use: Failure;
   7. Audit Process Tracking: None;
   8. Audit System Events: Success, Failure;
   9. Audit Object Access: Success, Failure.
   2. Critical Directory Access Auditing
      1. Enable directory-level audit tracking on the critical system and security directories listed below for the group Everyone.

      DIRECTORIES                                   Audit flags (RWXDPO)
      %SYSTEMDRIVE%\PROGRAM FILES\RESOURCE KIT      XXXXX
      %SYSTEMDRIVE%\PROGRAM FILES\RESOURCE PRO KIT  XXXXX
      %SYSTEMROOT%                                  XXX
      %SYSTEMROOT%\CONFIG                           XXXXX
      %SYSTEMROOT%\CSC                              XXXXX
      %SYSTEMROOT%\REPAIR                           XXXXX
      %SYSTEMROOT%\SECURITY                         XXXXX
      %SYSTEMROOT%\SYSTEM                           XXXX
      %SYSTEMROOT%\SYSTEM32                         XXXX
      %SYSTEMDIRECTORY%\DLLCACHE                    XXXXX
      %SYSTEMDIRECTORY%\IAS                         XXXXX
      %SYSTEMDIRECTORY%\NTMSDATA                    XXXXX
      %SYSTEMDIRECTORY%\WBEM                        XXXXX
   3. Critical File Auditing
      1. Enable file-level audit tracking on the critical system and security files listed below for the group Everyone.

      FILES                              Audit flags (RWXDPO)
      %SYSTEMDIRECTORY%\ARP.EXE          XXXXX
      %SYSTEMDIRECTORY%\AT.EXE           XXXXX
      %SYSTEMDIRECTORY%\BOOTCFG.EXE      XXXXX
      %SYSTEMDIRECTORY%\CACLS.EXE        XXXXX
      %SYSTEMDIRECTORY%\CIPHER.EXE       XXXXX
      %SYSTEMDIRECTORY%\CMD.EXE          XXXXX
      %SYSTEMDIRECTORY%\COMMAND.COM      XXXXX
      %SYSTEMDIRECTORY%\CSCRIPT.EXE      XXXXX
      %SYSTEMDIRECTORY%\DEBUG.EXE        XXXXX
      %SYSTEMDIRECTORY%\EDLIN.EXE        XXXXX
      %SYSTEMDIRECTORY%\EVENTVWR.EXE     XXXXX
      %SYSTEMDIRECTORY%\EVENTVWR.MSC     XXXXX
      %SYSTEMDIRECTORY%\FIND.EXE         XXXXX
      %SYSTEMDIRECTORY%\FINDSTR.EXE      XXXXX
      %SYSTEMDIRECTORY%\FINGER.EXE       XXXXX
      %SYSTEMDIRECTORY%\FTP.EXE          XXXXX
      %SYSTEMDIRECTORY%\GETMAC.EXE       XXXXX
      %SYSTEMDIRECTORY%\GPEDIT.MSC       XXXXX
      %SYSTEMDIRECTORY%\IPCONFIG.EXE     XXXXX
      %SYSTEMDIRECTORY%\IPSECCMD.EXE     XXXXX
      %SYSTEMDIRECTORY%\ISSYNC.EXE       XXXXX
      %SYSTEMDIRECTORY%\NBTSTAT.EXE      XXXXX
      %SYSTEMDIRECTORY%\NET.EXE          XXXXX
      %SYSTEMDIRECTORY%\NET1.EXE         XXXXX
      %SYSTEMDIRECTORY%\NETSH.EXE        XXXXX
      %SYSTEMDIRECTORY%\NETSTAT.EXE      XXXXX
      %SYSTEMDIRECTORY%\NTBACKUP.EXE     XXXXX
      %SYSTEMDIRECTORY%\PATHPING.EXE     XXXXX
      %SYSTEMDIRECTORY%\PING.EXE         XXXXX
      %SYSTEMDIRECTORY%\POLEDIT.EXE      XXXXX
      %SYSTEMDIRECTORY%\RCP.EXE          XXXXX
      %SYSTEMDIRECTORY%\REG.EXE          XXXXX
      %SYSTEMDIRECTORY%\REGEDIT.EXE      XXXXX
      %SYSTEMDIRECTORY%\REGEDT32.EXE     XXXXX
      %SYSTEMDIRECTORY%\REGINI.EXE       XXXXX
      %SYSTEMDIRECTORY%\REGSVR32.EXE     XXXXX
      %SYSTEMDIRECTORY%\REXEC.EXE        XXXXX
      %SYSTEMDIRECTORY%\RSH.EXE          XXXXX
      %SYSTEMDIRECTORY%\ROUTE.EXE        XXXXX
      %SYSTEMDIRECTORY%\RUNAS.EXE        XXXXX
      %SYSTEMDIRECTORY%\RUNONCE.EXE      XXXXX
      %SYSTEMDIRECTORY%\SC.EXE           XXXXX
      %SYSTEMDIRECTORY%\SECEDIT.EXE      XXXXX
      %SYSTEMDIRECTORY%\SECPOL.MSC       XXXXX
      %SYSTEMDIRECTORY%\SYSKEY.EXE       XXXXX
      %SYSTEMDIRECTORY%\TELNET.EXE       XXXXX
      %SYSTEMDIRECTORY%\TFTP.EXE         XXXXX
      %SYSTEMDIRECTORY%\TRACERT.EXE      XXXXX
      %SYSTEMDIRECTORY%\TSKILL.EXE       XXXXX
      %SYSTEMDIRECTORY%\WSCRIPT.EXE      XXXXX
      %SYSTEMDIRECTORY%\XCOPY.EXE        XXXXX
      %SYSTEMDIRECTORY%\WBEM\WMIC.EXE    XXXXX
      %SYSTEMDRIVE%\AUTOEXEC.BAT         XXXXX
      %SYSTEMDRIVE%\BOOT.INI             XXXXX
      %SYSTEMDRIVE%\CONFIG.SYS           XXXXX
      %SYSTEMDRIVE%\IO.SYS               XXXXX
      %SYSTEMDRIVE%\MSDOS.SYS            XXXXX
      %SYSTEMDRIVE%\NTBOOTDD.SYS         XXXXX
      %SYSTEMDRIVE%\NTDETECT.COM         XXXXX
      %SYSTEMDRIVE%\NTLDR                XXXXX
      %SYSTEMROOT%\REGEDIT.EXE           XXXXX
   4. Critical Registry Key Auditing
      1. Enable registry-level tracking for the critical registry keys listed below.

      REGISTRY KEYS
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\netdde
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OS/2 Subsystem for NT
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
      HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\control\securepipeservers\winreg
      HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\control\wmi\security
      HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\services\SNMP\Parameters\PermittedManagers
      HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\services\SNMP\Parameters\ValidCommunities
      HKEY_USERS\.Default\SOFTWARE\Microsoft\netdde

10. Verify User Rights
   Modify User Rights through the Local Security Policy via Control Panel > Administrative Tools. User Rights Assignment is located under Local Policies. The following settings are to be applied:
   1. Access this computer from the network: Authenticated Users, Administrators (or none);
   2. Act as part of the operating system: None;
   3. Add workstations to domain: Administrators, Desktop Support Group (applies to Domain Controllers of resource domains only); Note: An authorized Desktop Support administrators group.
   4. Back up files and directories: Administrators, Backup Operators;
   5. Bypass traverse checking: Administrators, Server Operators, and Backup Operators;
   6. Change the system time: Administrators;
   7. Create a pagefile: Administrators;
   8. Create a token object: None; Note: As a general rule no user IDs are allowed to create process tokens, but there are some service IDs that will need to have this user right granted on a case-by-case basis.
   9. Create permanent shared objects: None;
   10. Debug Programs: None;
   11. Force shutdown from a remote system: Administrators;
   12. Generate security audits: None;
   13. Increase quotas: Administrators;
   14. Increase scheduling priority: Administrators;
   15. Load and unload device drivers: Administrators;
   16. Lock pages in memory: None;
   17. Log on as a batch job: None; Note: Some service accounts will need to have this right granted. No user accounts should have this right.
   18. Log on as a service: Replicators (Domain Controller only, all others set to None). Service accounts will be granted this right as required by the service;
   19. Log on locally: Administrators;
   20. Manage auditing and security log: Administrators;
   21. Modify firmware environment values: Administrators;
   22. Replace a process level token: None;
   23. Restore files and directories: Administrators, Backup Operators;
   24. Shut down the system: Administrators;
   25. Take ownership of files or other objects: Administrators;
   26. Deny access to this computer from the network: Guests (add Administrators if Domain Controller). (Note: This setting is the default. There are sites where this setting interferes with system administration. Each site must configure based upon the approved methodology at their location.);
   27. Deny logon as a batch job: None by default (others allowable as approved and documented);
   28. Deny logon as a service: None by default (others allowable as approved and documented);
   29. Deny logon locally: None by default (others allowable as approved and documented);
   30. Enable computer and user accounts to be trusted for delegation: None;
   31. Profile single process: Administrators;
   32. Profile system performance: Administrators.

11. Verify Event Log Settings
   1. Application, System, and Security
      1. Minimum Event Log Size: 20,032 KB for Security, 5,120 KB for the System and Application logs. Log files should maintain a minimum of 60 days of events.
      2. Log Retention Method: Overwrite Events As Needed
      3. Log Retention: Not Defined
      4. Restrict Guest access to logs: Enabled. (SCE configuration item)
      5. Enable Security Log Warning Level.
      6. A security audit event must be created in the security event log when the security log reaches 90 percent of capacity, using the settings below.
      7. An email alert must be sent to the Information Security Department for each security-log 90% capacity event, using a Watson-approved host-based intrusion detection product.

         Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security
         Entry         Type    Value
         WarningLevel  DWORD   90

         Note: The WarningLevel setting requires Windows 2000 Service Pack 3 (SP3).

12. Verify Security Policy Settings and Options
   1. Additional Restrictions for Anonymous Connections: No Access Without Explicit Anonymous Permissions
   2. Allow Server Operators to Schedule Tasks: Not Applicable
   3. Allow System to be Shut Down Without Having to Log On: Disabled
   4. Amount of Idle Time Required Before Disconnecting Session: 20 Minutes (maximum)
   5. Audit the Access of Global System Objects: Disabled
   6. Audit Use of Backup and Restore Privilege: Disabled
   7. Automatically Log Off Users When Logon Time Expires: Enabled
   8. Automatically Log Off Users When Logon Time Expires (local): Enabled
   9. Clear Virtual Memory Pagefile When System Shuts Down: Enabled
   10. Digitally Sign Client Communications (when possible): Enabled
   11. Digitally Sign Server Communications (when possible): Enabled
   12. Disable CTRL+ALT+Delete Requirement for Logon: Disabled
   13. Do Not Display Last User Name in Logon Screen: Enabled
   14. Guest Account Status: Disabled
   15. LAN Manager Authentication Level: Refuse LM & NTLM, Use NTLMv2 session security (others allowable as approved and documented) [NOTE: This would allow Win95/98 systems, which utilize weak encryption hashing.]
   16. Message Text for Users Attempting to Log On: Warning: These facilities are solely for the use of authorized employees or agents of the Company, its subsidiaries and affiliates. Unauthorized use is prohibited and subject to criminal and civil penalties. Individuals using this computer system are subject to having all of their activities on this system monitored and recorded by systems personnel.
   17. Message Title for Users Attempting to Log On: Legal Warning
   18. Number of Previous Logons to Cache: 1 Logon
   19. Prevent System Maintenance of Computer Account Password: Disabled
   20. Prevent Users from Installing Printer Drivers: Enabled
   21. Prompt User to Change Password Before Expiration: 14 Days (minimum)
   22. Recovery Console: Allow Automatic Administrative Logon: Disabled
   23. Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders: Disabled
   24. Rename Administrator Account: Watsonadmin (or Line of Business standard)
   25. Rename Guest Account: xGuest (or Line of Business standard)
   26. Restrict CD-ROM Access to Locally Logged-On User Only: Enabled
   27. Restrict Floppy Access to Locally Logged-On User Only: Enabled
   28. Secure Channel: Digitally Encrypt Secure Channel Data (when possible): Enabled
   29. Secure Channel: Digitally Sign Secure Channel Data (when possible): Enabled
   30. Send Unencrypted Password to Connect to Third-Party SMB Servers: Disabled
   31. Strengthen Default Permissions of Global System Objects (e.g. Symbolic Links): Enabled
   32. Unsigned Driver Installation Behavior: Warn but allow installation (minimum) or Do Not Allow Installation
   33. Unsigned Non-Driver Installation Behavior: Warn but allow installation (minimum) or Do Not Allow Installation

13. Verify Services Security
   1. Registry Run Keys
      Programs listed in Run keys execute automatically at startup.
      1. Verify that Systray.exe is the only program.
   2. Required Services
      1. Verify the required services listed below are enabled and running.

      Service                        Setting
      Enterprise Security Agent      Enabled
      Eventlog                       Enabled
      Intruder Alert Agent           Enabled
      Network Associates McShield    Enabled
      Protected Storage              Enabled
      Security Accounts Manager      Enabled
      System Event Notification      Enabled
      Windows Time                   Enabled

      Note: Enterprise Security Agent (ESM) must be installed on all servers where technically possible. Intruder Alert Agent (ITA) must be installed on all critical servers where technically possible. Critical servers include all DMZ servers, Domain Controllers, Web Servers, Exchange/Mail Servers, FTP Servers, Telnet Servers, DNS Servers, Database Servers, and Financial/Customer Data File Servers.
   3. Disallowed Services
      1. Verify the following disallowed services are disabled.

      Service                                  Setting
      Alerter                                  Disabled
      Automatic Update                         Disabled
      Clipbook                                 Disabled
      Fax Service                              Disabled
      FTP Publishing Service                   Disabled
      Gopher Publishing Service                Disabled
      IIS Admin Service                        Disabled
      Indexing Service                         Disabled
      Internet Connection Sharing              Disabled
      Messenger                                Disabled
      NetMeeting Remote Desktop Sharing        Disabled
      Network DDE                              Disabled
      Network DDE DSDM                         Disabled
      Network Monitor                          Disabled
      Network News Transfer Protocol           Disabled
      Remote Access Auto Connection Manager    Disabled
      Remote Procedure Call (RPC)              Disabled
      Remote Registry Service                  Disabled
      Routing and Remote Access                Disabled
      RunAs Service                            Disabled
      Simple TCP/IP Services                   Disabled
      Simple Mail Transfer Protocol (SMTP)     Disabled
      SNMP Service                             Disabled
      SNMP Trap Service                        Disabled
      Telephony                                Disabled
      Telnet                                   Disabled
      Terminal Services                        Disabled
      Trivial FTP Daemon                       Disabled
      World Wide Web Publishing Service        Disabled
   4. Windows Time Service
      1. Configure and enable the Windows Time Service. System time must be synchronized with all servers, within 5 minutes. The authoritative Simple Network Time Protocol (SNTP) time server must be the default router at each location. This must be set using the net time utility and by running the net time /setsntp:server_list command. Note: For additional information, see the Microsoft white paper "The Windows Time Service": http://www.microsoft.com/windows2000/docs/wintimeserv.doc The network routers are set with an approved centralized time synchronization source.
   5. DNS Server Service
      1. DNS Server services must be disabled unless approved by the Information Security Department.
      2. Zone transfers must be restricted to Watson-approved servers.
   6. SNMP Service
      1. Verify SNMP services are disabled unless approved by the Information Security Department.
      2. Verify the SNMP default community strings have been changed and are not Public or Private.
      3. Verify SNMP traffic is restricted to authorized IP addresses only.

14. Verify Registry Settings
   1. Enable Dr. Watson Crash Dumps: HKLM\Software\Microsoft\DrWatson\CreateCrashDump (REG_DWORD) 1
   2. Disable Automatic Execution of the System Debugger: HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\Auto (REG_DWORD) 0
   3. Disable autoplay from any disk type, regardless of application: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun (REG_DWORD) 255
   4. Disable Automatic Logon: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon (REG_DWORD) 0
   5. Don't display the username of the last successful logon at the logon screen: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName (REG_SZ) 1
   6. Enable the System File Checker and disable popups: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable (REG_DWORD) 4
   7. Enable the System File Checker to verify all operating system files at boot time: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan (REG_DWORD) 1
   8. Do not show the System File Checker progress meter: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCShowProgress (REG_DWORD) 0
   9. Disable automatic reboots after a Blue Screen of Death: HKLM\System\CurrentControlSet\Control\CrashControl\AutoReboot (REG_DWORD) 0
   10. Disable CD Autorun: HKLM\System\CurrentControlSet\Services\CDrom\Autorun (REG_DWORD) 0
   11. Protect against Computer Browser spoofing attacks: HKLM\System\CurrentControlSet\Services\MrxSmb\Parameters\RefuseReset (REG_DWORD) 1
   12. Protect against source-routing spoofing: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting (REG_DWORD) 2
   13. Protect the Default Gateway network setting: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect (REG_DWORD) 0
   14. Ensure ICMP routing via shortest path first: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect (REG_DWORD) 0
   15. Help protect against packet fragmentation: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery (REG_DWORD) 1
   16. Manage keep-alive times: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime (REG_DWORD) 300000
   17. Protect against malicious name-release attacks: HKLM\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand (REG_DWORD) 1
   18. Ensure Router Discovery is disabled: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery (REG_DWORD) 0
   19. Protect against SYN flood attacks: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect (REG_DWORD) 2
   20. SYN attack protection, manage TCP maximum half-open sockets: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen (REG_DWORD) 100
   21. SYN attack protection, manage TCP maximum half-open retired sockets: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetired (REG_DWORD) 80
   22. Enable IPSec to protect Kerberos RSVP traffic: HKLM\System\CurrentControlSet\Services\IPSEC\NoDefaultExempt (REG_DWORD) 1
   23. Do not announce this computer to domain master browsers: HKLM\System\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden (REG_DWORD) 1 [Note: the exception to this setting is file and print servers that employees would be expected to browse to.]

15. File Permissions
   Unless stated otherwise, Administrators or System is granted Full Control for the designated folder and all contents. Creator Owner Full Control is for subfolders and files only. User permissions are for the current folder, subfolders, and files.
   1. %SystemDrive%\ - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List
   2. %SystemDrive%\autoexec.bat - Administrators: Full; System: Full
   3. %SystemDrive%\boot.ini - Administrators: Full; System: Full
   4. %SystemDrive%\config.sys - Administrators: Full; System: Full
   5. %SystemDrive%\io.sys - Administrators: Full; System: Full
   6. %SystemDrive%\msdos.sys - Administrators: Full; System: Full
   7. %SystemDrive%\ntbootdd.sys - Administrators: Full; System: Full
   8. %SystemDrive%\ntdetect.com - Administrators: Full; System: Full
   9. %SystemDrive%\ntldr - Administrators: Full; System: Full
   10. %SystemDrive%\Documents and Settings - Administrators: Full; System: Full; Users: Read and Execute, List
   11. %SystemDrive%\Documents and Settings\Administrator - Administrators: Full; System: Full
   12. %SystemDrive%\Documents and Settings\All Users - Administrators: Full; System: Full; Users: Read and Execute, List
   13. %SystemDrive%\Documents and Settings\All Users\Documents\DrWatson - Administrators: Full; System: Full; Creator Owner: Full; Users: Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions (this folder, subfolders, and files); Users: Traverse Folder/Execute File, Create Files/Write Data, Create Folders/Append Data (subfolders and files only)
   14. %SystemDrive%\Documents and Settings\Default User - Administrators: Full; System: Full; Users: Read and Execute, List
   15. %ProgramFiles% - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List
   16. %ProgramFiles%\Resource Kit - Administrators: Full; System: Full
   17. %ProgramFiles%\Resource Pro Kit - Administrators: Full; System: Full
   18. %SystemRoot% - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List
   19. %SystemRoot%\$NtServicePackUninstall$ - Administrators: Full; System: Full
   20. %SystemRoot%\CSC - Administrators: Full; System: Full
   21. %SystemRoot%\Debug - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List
   22. %SystemRoot%\Debug\UserMode - Administrators: Full; System: Full; Users: Traverse Folder/Execute File, List Folder/Read Data, Create Files/Write Data (this folder only); Create Files/Write Data, Create Folders/Append Data (files only)
   23. %SystemRoot%\Offline Web Pages - Everyone: Full
   24. %SystemRoot%\Registration - Administrators: Full; System: Full; Users: Read
   25. %SystemRoot%\repair - Administrators: Full; System: Full
   26. %SystemRoot%\security - Administrators: Full; System: Full; Creator Owner: Full
   27. %SystemRoot%\system32 - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List
   28. %SystemRoot%\system32\at.exe - Administrators: Full; System: Full
   29. %SystemRoot%\system32\Ntbackup.exe - Administrators: Full; System: Full
   30. %SystemRoot%\system32\rcp.exe - Administrators: Full; System: Full
   31. %SystemRoot%\system32\regedit.exe - Administrators: Full; System: Full
   32. %SystemRoot%\system32\regedt32.exe - Administrators: Full; System: Full
   33. %SystemRoot%\system32\rexec.exe - Administrators: Full; System: Full
   34. %SystemRoot%\system32\rsh.exe - Administrators: Full; System: Full
   35. %SystemRoot%\system32\secedit.exe - Administrators: Full; System: Full
   36. %SystemRoot%\system32\appmgmt - Administrators: Full; System: Full; Users: Read and Execute, List
   37. %SystemRoot%\system32\config - Administrators: Full; System: Full
   38. %SystemRoot%\system32\dllcache - Administrators: Full; System: Full; Creator Owner: Full
   39. %SystemRoot%\system32\DTCLog - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List
   40. %SystemRoot%\system32\Group Policy - Administrators: Full; System: Full; Authenticated Users: Read and Execute, List
   41. %SystemRoot%\system32\ias - Administrators: Full; System: Full; Creator Owner: Full
   42. %SystemRoot%\system32\NTMS Data - Administrators: Full; System: Full
   43. %SystemRoot%\system32\reinstallbackups - Administrators: Full; System: Full; Creator Owner: Full; Power Users: Read and Execute, List
   44. %SystemRoot%\system32\Setup - Administrators: Full; System: Full; Users: Read and Execute, List
   45. %SystemRoot%\system32\spool\printers - Administrators: Full; System: Full; Creator Owner: Full; Users: Traverse Folder, Execute File, Read, Read Extended Attributes, Create Folders, Append Data
   46. %SystemRoot%\Tasks - Administrators: Full; System: Full; Creator Owner: Full

16. Verify Registry Permissions
   Unless stated otherwise, Administrators or System Full Control is full control for the designated key and all subkeys. Creator Owner Full Control is for subkeys only. User permissions are for the current key, subkeys, and values.
   1. HKCR - Administrators: Full; System: Full; Creator Owner: Full; Users: Read
   2. HKLM\Software - Administrators: Full; System: Full; Creator Owner: Full; Users: Read
   3. HKLM\Software\Microsoft\Net DDE - Administrators: Full; System: Full
   4. HKLM\Software\Microsoft\OS/2 Subsystem for NT - Administrators: Full; System: Full; Creator Owner: Full
   5. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Asr\Commands - Administrators: Full; System: Full; Creator Owner: Full; Users: Read; Backup Operators: Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify, Delete, Read (this key and subkeys)
   6. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Perflib - Administrators: Full; System: Full; Creator Owner: Full; Interactive: Read (this key and subkeys)
   7.
HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy - Administrators: Full; System: Full; Authenticated Users: Read8. HKLM\Software\Microsoft\Windows\CurrentVersion\Installer - Administrators Full; System: Full; Users: Read9. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies - Administrators: Full; System: Full; Authenticated Users: Read10. HKLM\System - Administrators Full; System: Full; Creator Owner: Full; Users: Read11. HKLM\System\Clone Allow inheritable permissions to propagate to this object12. HKLM\System\ControlSet001 - Administrators Full; System: Full; Creator Owner: Full; Users: Read13. HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read14. Apply these permissions to all control sets other than CurrentControlSet.15. HKLM\System\CurrentControlSet\Control\SecurePipeServers\WinReg Administrators: Full16. HKLM\System\CurrentControlSet\Control\WMI\Security - Administrators Read; System: Full; Creator Owner: Full (this key and subkeys)17. HKLM\System\CurrentControlSet\Enum - Administrators Read; System: Full; Authenticated Users: Read18. HKLM\System\CurrentControlSet\Hardware Profiles - Administrators Full; System: Full; Creator Owner: Full; Users: Read19. HKLM\System\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers - Administrators Full; System: Full; Creator Owner: Full20. HKLM\System\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities - Administrators Full; System: Full; Creator Owner: Full21. HKU\.Default - Administrators Full; System: Full; Creator Owner: Full; Users: Read22. HKU\.Default\Software\Microsoft\NetDDE - Administrators Full; System: Full23. HKU\.Default\Software\Microsoft\Protected Storage System Provider No entries
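The script below is an added audit example and is not part of this procedure. In one pass it compares a server against the registry hardening values listed above (items 9 to 23) and against a sample of the file permissions of section 15 and the registry permissions of section 16, printing PASS, FAIL or SKIP per check. It assumes Windows PowerShell 2.0 or later running on the server from an elevated prompt, the English names of the built-in principals (BUILTIN\Administrators, NT AUTHORITY\SYSTEM, CREATOR OWNER, BUILTIN\Users), and %SystemRoot% being available as $env:SystemRoot; the sample paths in $AclChecks are taken from the lists above. The script only reads the system; deviations are corrected by hand after review.

```powershell
# Added audit example for the registry values (items 9-23), the NTFS ACLs of
# section 15 and the registry ACLs of section 16. Not part of the original
# procedure. READ-ONLY: it reports, it does not change anything.
# Assumes Windows PowerShell 2.0 or later, run from an elevated prompt.
Set-StrictMode -Version 2

# Expected registry values, relative to HKLM. All are REG_DWORD.
$RegistryValues = @(
    @{ Key = 'SYSTEM\CurrentControlSet\Control\CrashControl';             Name = 'AutoReboot';             Expected = 0 },
    @{ Key = 'SYSTEM\CurrentControlSet\Services\CDrom';                   Name = 'Autorun';                Expected = 0 },
    @{ Key = 'SYSTEM\CurrentControlSet\Services\MrxSmb\Parameters';       Name = 'RefuseReset';            Expected = 1 },
    @{ Key = 'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';        Name = 'DisableIPSourceRouting'; Expected = 2 },
    @{ Key = 'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';        Name = 'EnableDeadGWDetect';     Expected = 0 },
    @{ Key = 'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';        Name = 'EnableICMPRedirect';     Expected = 0 },
    @{ Key = 'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';        Name = 'EnablePMTUDiscovery';    Expected = 1 },
    @{ Key = 'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';        Name = 'KeepAliveTime';          Expected = 300000 },
    @{ Key = 'SYSTEM\CurrentControlSet\Services\Netbt\Parameters';        Name = 'NoNameReleaseOnDemand';  Expected = 1 },
    @{ Key = 'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';        Name = 'PerformRouterDiscovery'; Expected = 0 },
    @{ Key = 'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';        Name = 'SynAttackProtect';       Expected = 2 },
    @{ Key = 'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';        Name = 'TcpMaxHalfOpen';         Expected = 100 },
    @{ Key = 'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';        Name = 'TcpMaxHalfOpenRetired';  Expected = 80 },
    @{ Key = 'SYSTEM\CurrentControlSet\Services\IPSEC';                   Name = 'NoDefaultExempt';        Expected = 1 },
    @{ Key = 'SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters'; Name = 'Hidden';                 Expected = 1 }
)

function Test-RegistryValue([hashtable]$Item) {
    $path   = "HKLM:\$($Item.Key)"
    $actual = $null
    $props  = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties[$Item.Name]) { $actual = $props.$($Item.Name) }
    # An absent value is a FAIL, not "default": the checklist wants it set explicitly,
    # and the built-in default differs between Windows releases.
    $result = 'FAIL'
    if ($null -ne $actual -and [int]$actual -eq $Item.Expected) { $result = 'PASS' }
    $shown = if ($null -eq $actual) { '<absent>' } else { $actual }
    "{0,-5} HKLM\{1}\{2} expected {3}, found {4}" -f $result, $Item.Key, $Item.Name, $Item.Expected, $shown
}

# Sample of expected Allow ACEs from sections 15 and 16 (extend as needed). Rights are
# FileSystemRights / RegistryRights names: "Full" is FullControl, "Read and Execute,
# List" is ReadAndExecute (ListDirectory is included in it).
$AclChecks = @(
    @{ Path = "$env:SystemRoot\system32\config"
       Allowed = @{ 'BUILTIN\Administrators' = 'FullControl'; 'NT AUTHORITY\SYSTEM' = 'FullControl' } },
    @{ Path = "$env:SystemRoot\Tasks"
       Allowed = @{ 'BUILTIN\Administrators' = 'FullControl'; 'NT AUTHORITY\SYSTEM' = 'FullControl'; 'CREATOR OWNER' = 'FullControl' } },
    @{ Path = "$env:SystemRoot\system32\Setup"
       Allowed = @{ 'BUILTIN\Administrators' = 'FullControl'; 'NT AUTHORITY\SYSTEM' = 'FullControl'; 'BUILTIN\Users' = 'ReadAndExecute' } },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
       Allowed = @{ 'BUILTIN\Administrators' = 'FullControl' } },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities'
       Allowed = @{ 'BUILTIN\Administrators' = 'FullControl'; 'NT AUTHORITY\SYSTEM' = 'FullControl'; 'CREATOR OWNER' = 'FullControl' } }
)

function Test-AclEntry([hashtable]$Item) {
    if (-not (Test-Path -LiteralPath $Item.Path)) { return "SKIP  $($Item.Path) (not present)" }
    $acl        = Get-Acl -LiteralPath $Item.Path
    $isRegistry = $Item.Path -like 'HK*:*'
    $rightsType = if ($isRegistry) { [System.Security.AccessControl.RegistryRights] } else { [System.Security.AccessControl.FileSystemRights] }
    $rightsProp = if ($isRegistry) { 'RegistryRights' } else { 'FileSystemRights' }
    $findings   = @()
    $seen       = @{}
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny ACEs never widen access
        $who = $ace.IdentityReference.Value
        $seen[$who] = $true
        $granted = [int]$ace.$rightsProp
        # Inherit-only ACEs often carry generic access bits instead of specific rights:
        # GENERIC_ALL (0x10000000) is FullControl; GENERIC_READ|GENERIC_EXECUTE
        # (0xA0000000) is ReadAndExecute on files. Other generic combinations are reported raw.
        if ($granted -eq 0x10000000) { $granted = [int]($rightsType::FullControl) }
        if (-not $isRegistry -and $granted -eq -1610612736) { $granted = [int]([System.Security.AccessControl.FileSystemRights]::ReadAndExecute) }
        if (-not $Item.Allowed.ContainsKey($who)) {
            $findings += "unexpected principal $who ($($ace.$rightsProp))"
            continue
        }
        # Any bit granted beyond the listed rights is a finding (more access than the checklist allows).
        $expected = [int]($Item.Allowed[$who] -as $rightsType)
        if (($granted -band -bnot $expected) -ne 0) {
            $findings += "$who granted $($ace.$rightsProp), expected at most $($Item.Allowed[$who])"
        }
    }
    foreach ($who in $Item.Allowed.Keys) {
        if (-not $seen.ContainsKey($who)) { $findings += "no ACE for $who" }
    }
    if ($findings.Count -eq 0) { "PASS  $($Item.Path)" } else { "FAIL  $($Item.Path): " + ($findings -join '; ') }
}

# Report: one line per check; anything other than PASS needs a human decision.
$RegistryValues | ForEach-Object { Test-RegistryValue $_ }
$AclChecks      | ForEach-Object { Test-AclEntry $_ }
```

The ACL comparison flags any principal that is not in the expected set and any ACE that grants more than the listed rights, which is the direction that matters for hardening; it does not verify inheritance scope ("this folder only", "subfolders and files only"), so those qualifiers still have to be confirmed in the Advanced Security Settings dialog or with icacls. Once the sample reports cleanly, add the remaining entries of sections 15 and 16 to $AclChecks. Two results need judgement rather than a registry edit: the SYN-attack settings (items 19 to 21) are honored only by the Windows 2000 and Server 2003 TCP/IP stack, so an <absent> result for them on a later release is not a finding, and an unexpected-principal finding on the winreg key may be a service account that the server's role legitimately requires.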