Monday, 21 May 2012

Windows Hardening

Today I would like to spend some time on release to production (or move to production); it doesn't matter what you call it, the result is the same: you want, or need, servers to be in a secure state before you can use them. Today we'll walk through the basics. In this example I'll create a .bat or .cmd file that you can run directly or, as some of you might know from an earlier post, run by script using PSEXEC on many servers. In fact, you might use this as a post-patching script in the server build.

So let's start at the beginning with services. Remember this is intended for a server, not a workstation, so some services might change. It also depends on the services you need: for example, if you are using ISA on a server then you will need RasMan running, so check carefully what you need, and remember you can always enable the services later when the application is installed on the server.

I assume that you will add what you need to this list. Maybe you've solved this with a GPO as well and you're thinking, why would I need this? Well, here is one example: servers in the DMZ are sometimes in workgroups for security reasons, and then this kind of scripting will save you hours of clicking.

First we'll disable the top 6 services we never use. There are a lot more, but again this depends on your environment.

Echo off
Echo Disabling not needed services
sc config alerter start= disabled
sc config CiSvc start= disabled
sc config helpsvc start= disabled
sc config RasMan start= disabled
sc config TapiSrv start= disabled
sc config WZCSVC start= disabled

Next up on the list is local account settings: minimum password length 12 characters, lockout duration 45 minutes, unique passwords 24. Yes, that means you can't reuse any of your last 24 passwords, and shame on you for trying to use the same one!!!
Lastly, maximum password age 42 days. Remember you can review the existing settings using NET ACCOUNTS from the command prompt.

Echo Setting local account policy
net accounts /minpwlen:12
net accounts /lockoutduration:45
net accounts /UNIQUEPW:24
net accounts /MAXPWAGE:42

Next let's get rid of that account we all know we should never use, the guest account.
We'll start with the basics: add a password (use your own rather than the sample one below), then disable the account, and finally rename the account. To be honest, if I were you I'd add the local administrator account to this list as well.

Echo Disabling local Guest account
Net user guest C0mp!exPa55w0rd
net user guest /active:no

Echo Renaming local Guest account
wmic UserAccount where Name="Guest" call Rename Name="Local_Guest"

Next up on the list is local security policy. Frankly, local security policy by default will tell you almost nothing about what is going on on the server, and that means you have the hard job of turning it on. To save hours of clicking, and the chance that you might miss one tick box, there is a command-line tool called auditpol that you can use to set the options. Here is another sample list below.

Echo hardening auditing
auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable 
auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable 
auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable 
auditpol /set /subcategory:"IPsec Driver" /success:disable /failure:disable 
auditpol /set /subcategory:"Other System Events" /success:disable /failure:enable 
auditpol /set /subcategory:"Logon" /success:enable /failure:enable 
auditpol /set /subcategory:"Logoff" /success:enable /failure:enable 
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable 
auditpol /set /subcategory:"IPsec Main Mode" /success:disable /failure:disable 
auditpol /set /subcategory:"IPsec Quick Mode" /success:disable /failure:disable 
auditpol /set /subcategory:"IPsec Extended Mode" /success:disable /failure:disable 
auditpol /set /subcategory:"Special Logon" /success:enable /failure:enable 
auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable 
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable 
auditpol /set /subcategory:"File System" /success:enable /failure:enable 
auditpol /set /subcategory:"Registry" /success:enable /failure:enable 
auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable 
auditpol /set /subcategory:"SAM" /success:disable /failure:disable
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable 
auditpol /set /subcategory:"Application Generated" /success:enable /failure:enable 
auditpol /set /subcategory:"Handle Manipulation" /success:disable /failure:disable 
auditpol /set /subcategory:"File Share" /success:enable /failure:enable 
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable 
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable 
auditpol /set /subcategory:"Other Object Access Events" /success:disable /failure:disable 
auditpol /set /subcategory:"Sensitive Privilege Use" /success:disable /failure:disable
auditpol /set /subcategory:"Non Sensitive Privilege Use" /success:disable /failure:disable 
auditpol /set /subcategory:"Other Privilege Use Events" /success:disable /failure:disable 
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable 
auditpol /set /subcategory:"Process Termination" /success:enable /failure:enable 
auditpol /set /subcategory:"DPAPI Activity" /success:disable /failure:disable 
auditpol /set /subcategory:"RPC Events" /success:enable /failure:enable 
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable 
auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable 
auditpol /set /subcategory:"Authorization Policy Change" /success:enable /failure:enable 
auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Policy Change" /success:disable /failure:disable 
auditpol /set /subcategory:"Other Policy Change Events" /success:disable /failure:enable 
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable 
auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable 
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable 
auditpol /set /subcategory:"Distribution Group Management" /success:enable /failure:enable 
auditpol /set /subcategory:"Application Group Management" /success:enable /failure:enable 
auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable 
auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable 
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable 
auditpol /set /subcategory:"Directory Service Replication" /success:disable /failure:disable 
auditpol /set /subcategory:"Detailed Directory Service Replication" /success:disable /failure:disable 
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable 
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable 
auditpol /set /subcategory:"Other Account Logon Events" /success:enable /failure:enable 
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable

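Now, having changed all of those local auditing settings, you're going to need a bigger event log to hold all that info, so here is my solution, using my old echo y command to make it say yes on a yes/no question... still love that command, so dangerous in the wrong hands. The last line is not about log size: it sets DontDisplayLastUserName so the logon screen does not show the last user name.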

Echo Setting Auditing  Log size
Echo y |reg add HKLM\Software\Policies\Microsoft\Windows\EventLog\Application /v MaxSize /t REG_DWORD /d 0x19000
Echo y |reg add HKLM\Software\Policies\Microsoft\Windows\EventLog\Security /v MaxSize /t REG_DWORD /d 0x64000
Echo y |reg add HKLM\Software\Policies\Microsoft\Windows\EventLog\System /v MaxSize /t REG_DWORD /d 0x19000
Echo y |reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DontDisplayLastUserName /t REG_DWORD /d 0x1

So there you have it, a hardening script... have fun and be safe...
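
When the script is pushed to many servers with PSEXEC, a command that fails (for instance `sc config` on a service that is not installed on that build) scrolls past unnoticed. The block below is an added example, not part of the original post: it wraps a few of the post's commands so failures are logged and counted, and returns the count as the exit code, which PSEXEC passes back. The log path and the `:run` helper are assumptions.

```bat
@echo off
rem Added example: failure-aware wrapper around the post's hardening commands.
rem LOG path and the :run helper are assumptions, not from the original post.
setlocal
set "LOG=%TEMP%\hardening_%COMPUTERNAME%.log"
set /a FAILED=0
>"%LOG%" echo %DATE% %TIME% hardening run on %COMPUTERNAME%

echo Disabling not needed services
for %%S in (alerter CiSvc helpsvc RasMan TapiSrv WZCSVC) do (
    rem sc query returns a non-zero exit code when the service does not exist
    sc query "%%S" >nul 2>&1
    if errorlevel 1 (
        >>"%LOG%" echo SKIP service %%S is not installed
    ) else (
        call :run sc config "%%S" start= disabled
    )
)

echo Setting local account policy
call :run net accounts /minpwlen:12
call :run net accounts /lockoutduration:45
call :run net accounts /UNIQUEPW:24
call :run net accounts /MAXPWAGE:42

echo Hardening auditing, first lines of the list only, add the rest the same way
call :run auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable
call :run auditpol /set /subcategory:"Logon" /success:enable /failure:enable
call :run auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable

rem Keep a copy of the resulting policy next to the failures for later review
>>"%LOG%" net accounts
>>"%LOG%" auditpol /get /category:*

echo Finished with %FAILED% failed commands, see "%LOG%"
exit /b %FAILED%

:run
rem Run the command passed as arguments; count and log it if it fails
%* >nul 2>&1
if not errorlevel 1 goto :eof
set /a FAILED+=1
>>"%LOG%" echo FAIL %*
goto :eof
```

An exit code of 0 means every wrapped command succeeded; anything else is the number of `FAIL` lines to look up in that server's log.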