Monday, 21 May 2012

Windows Hardening

Today I would like to spend some time on release to production (or move to production; whatever you call it, the result is the same): you want, or rather need, servers to be in a secure state before you put them into use. We'll walk through the basics, and in this example I'll create a .bat or .cmd file that you can run by hand or, as some of you may know from an earlier post, push to many servers with PSEXEC; in fact you might use it as a post-patching step in the server build.

Let's start at the beginning with services. Remember this is intended for a server, not a workstation, so some of the services will differ, and it also depends on what the server has to do: if you are running ISA on it, for example, you will need RasMan running. So check carefully what you need, and remember you can always re-enable a service later when the application is installed on the server.

I assume you will add what you need to this list. Maybe you've already solved this with a GPO and you're thinking, why would I need this? Here is one example: servers in a DMZ are sometimes left in workgroups for security reasons, and there a script like this will save you hours of clicking.

First we'll disable the top six services we never use; there are a lot more, but again that depends on your environment. Note that sc config only changes the start type: a service that is already running keeps running until you stop it or the server reboots.
@echo off
echo Disabling not needed services
rem Alerter: administrative alert messages
sc config alerter start= disabled
rem CiSvc: Indexing Service
sc config CiSvc start= disabled
rem helpsvc: Help and Support
sc config helpsvc start= disabled
rem RasMan: Remote Access Connection Manager (needed by ISA, see above)
sc config RasMan start= disabled
rem TapiSrv: Telephony
sc config TapiSrv start= disabled
rem WZCSVC: Wireless Zero Configuration
sc config WZCSVC start= disabled
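Here is the same step in PowerShell, as an added example and not part of the original script. It checks that each service actually exists before touching it (Alerter, CiSvc, helpsvc and WZCSVC are Windows Server 2003 names and are simply not there on 2008 and later, where sc config would just print an error), stops it if it is running, sets it to disabled and then reads the state back from the service control manager so you can confirm the change. It assumes PowerShell 2.0 or later run as a local administrator; the service list is the one above.

```powershell
# Added example, not part of the original batch script.
# Assumes PowerShell 2.0 or later, run as a local administrator.
# The names are the six from the script above; absent ones are reported, not failed.
$servicesToDisable = @('Alerter', 'CiSvc', 'helpsvc', 'RasMan', 'TapiSrv', 'WZCSVC')

function Disable-ListedService {
    param([string[]]$Names)

    $results = @()
    foreach ($name in $Names) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc -eq $null) {
            $results += New-Object PSObject -Property @{ Name = $name; State = 'not present'; StartMode = 'n/a' }
            continue
        }

        # sc config only changes the start type; a running service keeps running
        # until it is stopped or the server reboots, so stop it as well.
        if ($svc.Status -eq 'Running') {
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
        }
        Set-Service -Name $name -StartupType Disabled

        # Read the state back from the SCM instead of trusting that the calls worked.
        $after = Get-WmiObject Win32_Service -Filter "Name='$name'"
        $results += New-Object PSObject -Property @{ Name = $name; State = $after.State; StartMode = $after.StartMode }
    }
    return $results
}

$report = Disable-ListedService -Names $servicesToDisable
$report | Format-Table Name, State, StartMode -AutoSize

# Anything present but still not disabled is worth a look (for example a dependency that refused to stop).
$report | Where-Object { $_.State -ne 'not present' -and $_.StartMode -ne 'Disabled' }
```

The last line is the check that the batch version lacks: an empty result means every service that exists on this box is now disabled, and anything listed is the exception you need to investigate before the server goes live.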

Next up on the list are the local account settings: minimum password length 12 characters, lockout duration 45 minutes, password history 24 (yes, that means you can't reuse any of your last 24 passwords, and shame on you for trying), and lastly a maximum password age of 42 days. One caveat: the lockout duration only matters once a lockout threshold is set, and the Windows default threshold of 0 means accounts never lock out, so set a threshold as well.
Remember you can review the existing settings with NET ACCOUNTS from a command prompt.

echo Setting local account policy
rem minimum password length, lockout duration in minutes, password history, maximum age in days
net accounts /minpwlen:12
net accounts /lockoutduration:45
net accounts /uniquepw:24
net accounts /maxpwage:42

Next let's deal with the account we all know we should never use: the Guest account.
We'll start with the basics: set a password, then disable the account, and finally rename it. To be honest, if I were you I'd treat the built-in local Administrator account the same way. Two caveats: the password sits in clear text in the script, so treat the script as sensitive and don't leave it lying around on the server, and renaming only hides the name, not the account's well-known SID (it always ends in -501), so disabling is the part that actually matters. Also note that once Guest has been renamed, the net user guest lines below will fail on a second run.

echo Disabling local Guest account
rem set a password first, then disable the account
net user guest C0mp!exPa55w0rd
net user guest /active:no

echo Renaming local Guest account
wmic UserAccount where Name="Guest" call Rename Name="Local_Guest"
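The same three steps in PowerShell, as an added example rather than the post's own code, written so the script survives being run twice: it looks the Guest account up by its well-known RID (501) instead of by name, so it still finds the account after the rename, sets a random password that never has to be written into the script, and adds the lockout threshold that net accounts needs before the lockout duration does anything. The threshold of 10 attempts, the name Local_Guest and the helper function names are my choices; it assumes PowerShell 2.0 or later on Windows Server 2008 or later, run as Administrator.

```powershell
# Added example, not part of the original batch script.
# Assumes PowerShell 2.0 or later on Windows Server 2008 or later, run as Administrator.

# Same values as the batch script, plus a lockout threshold: Windows defaults to 0
# (never lock out), so without it the 45-minute lockout duration is never used.
# 10 attempts is my choice; /lockoutwindow is the reset window in minutes.
net accounts /minpwlen:12 /maxpwage:42 /uniquepw:24 | Out-Null
net accounts /lockoutthreshold:10 /lockoutduration:45 /lockoutwindow:45 | Out-Null

function Get-LocalAccountByRid {
    param([int]$Rid)
    # Built-in accounts keep their well-known RID (500 = Administrator, 501 = Guest)
    # whatever they are renamed to, so look them up by SID rather than by name.
    Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE '%-$Rid'"
}

function New-RandomPassword {
    param([int]$Bytes = 24)
    $buffer = New-Object byte[] $Bytes
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($buffer)
    # 24 random bytes as base64: 32 characters of mixed case, digits and symbols.
    return [Convert]::ToBase64String($buffer)
}

function Protect-GuestAccount {
    param([string]$NewName = 'Local_Guest')
    $guest = Get-LocalAccountByRid -Rid 501
    if ($guest -eq $null) { throw 'Local Guest account (RID 501) not found' }

    # Random password, never stored anywhere: the account is about to be disabled anyway.
    $adsi = [ADSI]"WinNT://$env:COMPUTERNAME/$($guest.Name),user"
    $adsi.SetPassword((New-RandomPassword))

    if (-not $guest.Disabled) {
        $guest.Disabled = $true
        $guest.Put() | Out-Null
    }
    if ($guest.Name -ne $NewName) {
        $result = $guest.Rename($NewName)
        if ($result.ReturnValue -ne 0) { throw "Rename failed, return code $($result.ReturnValue)" }
    }

    # Re-read and return the final state so the caller can check it.
    Get-LocalAccountByRid -Rid 501 | Select-Object Name, SID, Disabled
}

Protect-GuestAccount -NewName 'Local_Guest'
```

The returned object should show Disabled set to True and the SID still ending in -501 whatever the name now is, which is the whole point: an attacker enumerating by SID sees through the rename, so the disable and the password are what count. The same lookup by RID 500 finds the Administrator account for renaming, but do not give that one a random password you haven't recorded unless you have another way in.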

Next up is the local audit policy. Frankly, the default audit settings will tell you almost nothing about what is going on on the server, which means you have the hard job of turning auditing on. To save hours of clicking, and the chance that you miss a tick box, there is a command-line tool called auditpol that sets the subcategories directly; another sample list is below. Two caveats: on a domain-joined server, a GPO that sets the old category-level audit policy can overwrite these subcategory settings unless the policy "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled, and a few of these subcategories (File System, Registry and Kernel Object with success auditing) only produce events for objects that have a SACL and can be very noisy when they do, so check the event volume before you roll the list out widely.

echo Hardening auditing
rem subcategory names are localized; these are the English names shown by auditpol /get /category:*
auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable
auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable
auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Driver" /success:disable /failure:disable
auditpol /set /subcategory:"Other System Events" /success:disable /failure:enable
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable /failure:enable
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Main Mode" /success:disable /failure:disable
auditpol /set /subcategory:"IPsec Quick Mode" /success:disable /failure:disable
auditpol /set /subcategory:"IPsec Extended Mode" /success:disable /failure:disable
auditpol /set /subcategory:"Special Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Registry" /success:enable /failure:enable
auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable
auditpol /set /subcategory:"SAM" /success:disable /failure:disable
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
auditpol /set /subcategory:"Application Generated" /success:enable /failure:enable
auditpol /set /subcategory:"Handle Manipulation" /success:disable /failure:disable
auditpol /set /subcategory:"File Share" /success:enable /failure:enable
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
auditpol /set /subcategory:"Other Object Access Events" /success:disable /failure:disable
auditpol /set /subcategory:"Sensitive Privilege Use" /success:disable /failure:disable
auditpol /set /subcategory:"Non Sensitive Privilege Use" /success:disable /failure:disable
auditpol /set /subcategory:"Other Privilege Use Events" /success:disable /failure:disable
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
auditpol /set /subcategory:"Process Termination" /success:enable /failure:enable
auditpol /set /subcategory:"DPAPI Activity" /success:disable /failure:disable
auditpol /set /subcategory:"RPC Events" /success:enable /failure:enable
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Authorization Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Policy Change" /success:disable /failure:disable
auditpol /set /subcategory:"Other Policy Change Events" /success:disable /failure:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Distribution Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Application Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Replication" /success:disable /failure:disable
auditpol /set /subcategory:"Detailed Directory Service Replication" /success:disable /failure:disable
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
auditpol /set /subcategory:"Other Account Logon Events" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable

Now that you've turned on all of that auditing you're going to need a bigger event log to hold the events, so here is my solution. I used to pipe echo y into reg add to answer its overwrite prompt (still love that trick, so dangerous in the wrong hands), but reg add has a /f switch that forces the overwrite without asking, which is the cleaner way in a script. The values under the Policies key are in KB, so 0x19000 is 100 MB for the Application and System logs and 0x64000 is 400 MB for Security. A bigger log only buys you time before it wraps, so ship the events to a central collector as well. The last line is unrelated to log size: it hides the last logged-on user name on the logon screen.

echo Setting event log sizes
rem values are in KB: 0x19000 = 100 MB, 0x64000 = 400 MB; /f overwrites without the Yes/No prompt
reg add HKLM\Software\Policies\Microsoft\Windows\EventLog\Application /v MaxSize /t REG_DWORD /d 0x19000 /f
reg add HKLM\Software\Policies\Microsoft\Windows\EventLog\Security /v MaxSize /t REG_DWORD /d 0x64000 /f
reg add HKLM\Software\Policies\Microsoft\Windows\EventLog\System /v MaxSize /t REG_DWORD /d 0x19000 /f
echo Hiding last logged-on user name
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DontDisplayLastUserName /t REG_DWORD /d 0x1 /f
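To make those audit settings stick and to prove they took, here is an added PowerShell example that is not part of the original script. It enables the override that stops the old category-level policy from undoing subcategory settings, applies a representative subset of the subcategories from the list above with the same values (the rest of the list goes into the same hashtable), reads them back with auditpol /get /r and reports any that differ, and then sets the same 100 MB / 400 MB log sizes with Limit-EventLog, which changes the logs immediately rather than through the policy key, and reads the effective size back. It assumes Windows Server 2008 or later with PowerShell 2.0 or later, run as Administrator, and English subcategory names. On a domain-joined server a GPO that sets the log size wins over Limit-EventLog at the next policy refresh, so keep the reg add version above for that case.

```powershell
# Added example, not part of the original batch script.
# Assumes Windows Server 2008 or later with PowerShell 2.0+, run as Administrator,
# and the English subcategory names (auditpol names are localized).

# 1. Make subcategory settings authoritative. Otherwise the old nine-category policy,
#    if one is applied locally or by GPO, can overwrite the auditpol settings below.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord

# 2. Desired state, a subset of the list above. Values use auditpol's own wording so the
#    read-back can be compared directly. Add the rest of the list here.
$desiredAudit = @{
    'Logon'                   = 'Success and Failure'
    'Logoff'                  = 'Success and Failure'
    'Account Lockout'         = 'Success and Failure'
    'Process Creation'        = 'Success and Failure'
    'Audit Policy Change'     = 'Success and Failure'
    'User Account Management' = 'Success and Failure'
    'Credential Validation'   = 'Success and Failure'
    'Other System Events'     = 'Failure'
    'IPsec Driver'            = 'No Auditing'
}

function Set-AuditSubcategory {
    param([string]$Name, [string]$Setting)
    $success = if ($Setting -match 'Success') { 'enable' } else { 'disable' }
    $failure = if ($Setting -match 'Failure') { 'enable' } else { 'disable' }
    auditpol /set /subcategory:"$Name" /success:$success /failure:$failure | Out-Null
}

function Get-AuditSubcategory {
    param([string]$Name)
    # /r gives CSV; the column we want is "Inclusion Setting".
    $rows = auditpol /get /subcategory:"$Name" /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
    return ($rows | Select-Object -First 1).'Inclusion Setting'
}

function Test-AuditPolicy {
    param([hashtable]$Desired)
    $mismatches = @()
    foreach ($name in $Desired.Keys) {
        $actual = Get-AuditSubcategory -Name $name
        if ($actual -ne $Desired[$name]) {
            $mismatches += New-Object PSObject -Property @{
                Subcategory = $name; Expected = $Desired[$name]; Actual = $actual
            }
        }
    }
    return $mismatches
}

foreach ($name in $desiredAudit.Keys) { Set-AuditSubcategory -Name $name -Setting $desiredAudit[$name] }
$bad = @(Test-AuditPolicy -Desired $desiredAudit)
if ($bad.Count -eq 0) { 'Audit policy verified' } else { $bad | Format-Table Subcategory, Expected, Actual -AutoSize }

# 3. Log sizes: same 100 MB / 400 MB as the batch script, applied directly to the logs
#    (takes effect now, no policy refresh needed) and read back.
Limit-EventLog -LogName Application -MaximumSize 100MB -OverflowAction OverwriteAsNeeded
Limit-EventLog -LogName Security    -MaximumSize 400MB -OverflowAction OverwriteAsNeeded
Limit-EventLog -LogName System      -MaximumSize 100MB -OverflowAction OverwriteAsNeeded
Get-WinEvent -ListLog Application, Security, System | Select-Object LogName, MaximumSizeInBytes, LogMode
```

Run it again after the first group policy refresh on a domain-joined box: if Test-AuditPolicy then reports mismatches, a GPO is fighting your local settings and the fix belongs in the GPO, not in the script.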
So there you have it, a hardening script. Have fun and be safe.

Sunday, 26 February 2012

Seven Cloud Computing Rules

Today I'd like to cover cloud computing: the design in a nutshell.
I'm going to try to condense a lot of detailed practice into seven rules.

One: no hard coding. This is the rule you must never break, because you can't work in a cloud where instance and server names are fixed. So the first thing to get used to is working with aliases and CNAMEs, because you have to be able to move seamlessly from one server or instance to another, and without them you can't.

Two: avoid every single point of failure (SPOF). This is often overlooked for the small components such as switches, routers and firewalls, and without redundancy there your instances and servers can't fail over either.

Three: pick a load-balancing design. Failover times are often slow in an active/passive setup, so I highly recommend active/active. Also take into account failover for reasons other than unplanned outages, such as maintenance: it is very useful to be able to do upgrades and work on problem hardware or software without taking the service down.

Four: the solution you use must be able to scale. Most likely you will not have the dream budget on day one to build a cloud 100 times bigger than you need, and even if you did, chances are that demand will grow beyond your first scope.

Five: be careful of issues with scaling the network. Some protocols don't scale well to thousands of nodes and can cause timeouts while the network recalculates its paths. This also comes back to point three: a hot standby isn't as good as active/active.

Six: just because it's a cloud doesn't mean it's one big box you throw everything into. When you have web servers, database servers, mail servers and so on, don't put them all in one big LAN, because that becomes unmanageable; create a VLAN per service stream instead, for example:

1) Service VLAN: this zone holds the things all the others need, such as DNS servers, the certificate server and maybe a proxy, depending on your setup.
2) Web VLAN: this one is straightforward; it needs lookups to the service VLAN for DNS and the like, most likely a few ports to the DB VLAN and the SMTP VLAN (only those ports), and ports 80/443 open to the outside world.
3) DB VLAN: most likely needs no external access at all, but needs access to the service VLAN for authentication and maybe to the SMTP VLAN to send messages.
4) SMTP VLAN: needs access to the service VLAN for DNS lookups and authentication, perhaps accepts connections from outside clients, but has no access to the DB or web VLAN.

Overall you end up with around eight VLANs in most designs once each stream is split off. One big advantage is that you can see where traffic is going (and should be going) without hundreds of firewall rules, which makes the network layer easier to manage as you scale.
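As an added example (not from the original post), here is that VLAN design written down as a default-deny flow matrix in PowerShell, so that a proposed firewall rule can be checked against the design rather than against memory, and the whole matrix can be printed for a design review. The zone names follow the list above; the "Outside" zone and every port other than 80/443 (1433 for SQL, 25 for SMTP, 53/88/389 for DNS, Kerberos and LDAP in the service VLAN) are my assumptions for the sake of the example.

```powershell
# Added example, not part of the original post. Zone names follow the list above;
# the 'Outside' zone and every port other than 80/443 are my assumptions.
$allowedFlows = @(
    @{ From = 'Outside'; To = 'Web';     Ports = @(80, 443);     Why = 'public web' },
    @{ From = 'Outside'; To = 'SMTP';    Ports = @(25);          Why = 'inbound mail' },
    @{ From = 'Web';     To = 'Service'; Ports = @(53);          Why = 'DNS' },
    @{ From = 'Web';     To = 'DB';      Ports = @(1433);        Why = 'SQL' },
    @{ From = 'Web';     To = 'SMTP';    Ports = @(25);          Why = 'outbound mail' },
    @{ From = 'DB';      To = 'Service'; Ports = @(53, 88, 389); Why = 'DNS, Kerberos, LDAP' },
    @{ From = 'DB';      To = 'SMTP';    Ports = @(25);          Why = 'alerts' },
    @{ From = 'SMTP';    To = 'Service'; Ports = @(53, 88, 389); Why = 'DNS and authentication' }
)

function Test-Flow {
    param([string]$From, [string]$To, [int]$Port)
    # Default deny: a flow is allowed only if a rule lists exactly that zone pair and port.
    foreach ($rule in $allowedFlows) {
        if ($rule.From -eq $From -and $rule.To -eq $To -and $rule.Ports -contains $Port) {
            return $true
        }
    }
    return $false
}

function Get-FlowMatrix {
    # One row per source zone, one column per destination zone, cell = allowed ports or '-'.
    $zones = @('Outside', 'Web', 'DB', 'SMTP', 'Service')
    foreach ($src in $zones) {
        $row = New-Object PSObject
        $row | Add-Member NoteProperty 'From' $src
        foreach ($dst in $zones) {
            $ports = @($allowedFlows | Where-Object { $_.From -eq $src -and $_.To -eq $dst } |
                       ForEach-Object { $_.Ports }) -join ','
            $row | Add-Member NoteProperty $dst $(if ($ports) { $ports } else { '-' })
        }
        $row
    }
}

# A web server talking to the database on the SQL port is in the design...
Test-Flow -From 'Web' -To 'DB' -Port 1433
# ...a mail server reaching the database is not, and neither is the database reaching the web tier.
Test-Flow -From 'SMTP' -To 'DB' -Port 1433
Test-Flow -From 'DB' -To 'Web' -Port 443
Get-FlowMatrix | Format-Table -AutoSize
```

The point of keeping the matrix small is the one made above: with one VLAN per stream, the allowed flows fit on a screen, so any rule request that is not in the table is either a design change to discuss or a mistake to refuse.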

Seven: don't forget the goals. You want redundancy at all times, even while you are working on something; that doesn't always mean clusters, it could be mirrors or synced content. You should be able to do your work on the cloud during the day without anyone noticing it was done.
Service announcements are also key: with large stakeholder and user bases you don't want a one-to-one conversation about everything, so make sure you have a fast and effective communication channel.
Document the ways of working, not just to pass ISO audits but because you might be on sick leave or hit by a passing comet (stranger things have happened, trust me). Whatever the reason, pretend someone else has to work on it: documents should be many and simple, because nobody reads anything over three pages. Also try to design out human error (the more things a person has to do, the greater the chance of a mistake), so script as many commands as you can down to "press this button", and follow up on this in your problem management so that workarounds for the problems you can't fix outright are also quick.

So now you're at the end of the seven rules and can start building your clouds; it doesn't matter whether they are private, public or hybrid, the same rules apply.