Collier Spencer Information Systems Security Professional San Antonio JSAC April 18, 2006

Presentation Transcript


  1. Collier Spencer, Information Systems Security Professional. San Antonio JSAC, April 18, 2006. Defense Security Service Windows Configuration Workshop

  2. Introduction
     • Purpose
     • Provide descriptions of how to implement security features within the Windows platforms
     • Cover Protection Level 1 configurations

  3. System Certification: 1st Step
     • Lock down your BIOS*
     • Boot to the appropriate drive
     • Password-protect it (Supervisor password)
     * System Assurance 1 requirement
     * Vulnerabilities: rearranging the jumper switch, removing the battery, the manufacturer's backdoor password, software attacks.

  4. System Certification: 8-613, NISPOM. System Assurance (SysAssur)
     • System assurance includes those components of a system (hardware, software, firmware, and communications) that are essential to maintaining the security policy(ies) of the system (e.g., the Security Support Structure).
     • SysAssur 1 Requirements.
     • Access to Protection Functions.
     • Access to hardware/software/firmware that perform system or security functions shall be limited to authorized personnel.
     • The BIOS indirectly provides security functions in its booting sequence (Controlled Sequence Initiation), i.e., booting to the A drive, not C.
     • The date and time will affect the date and time on security objects, i.e., audit trails (changing the date from December 30 to December 29).

  5. System Certification: NTFS
     To check that the system partition has been converted to NTFS, perform the following checks:
     • On the My Computer icon on the desktop, right-click and select "Open".
     • Select the C:\ drive, right-click and select "Properties".
     • Check the file system on the General tab to ensure that it states "NTFS".
     • This procedure has to be completed for each drive. If it shows NTFS, the drive can be set up for security and auditing; if not, proceed to converting to NTFS.

  6. System Certification: NTFS

  7. System Certification: NTFS, cont.
     Converting the System Partition to NTFS
     • In order to set up any security or perform any auditing, the system partition must be converted to NTFS.
     • To convert the file system to NTFS:
       • Select the "Start" button and then select "Run".
       • In the Open box type convert c: /fs:ntfs and press Enter.
       • When executed on the system disk, it will perform the conversion during the next boot.

  8. System Certification: NTFS, cont.

  9. System Certification: Local Security Policy
     Setting up Windows Security. To get to the Local Security Policy:
     • Click the "Start" bar
     • Select "Settings"
     • Select "Control Panel"
     • Select "Administrative Tools"
     • Select "Local Security Policy"

  10. System Certification: Local Security Policy

  11. System Certification: Password Policy
     To change the password policy, double-click on each policy and a dialog box will appear:
     • Enforce password history: 8 passwords remembered
     • Maximum password age: 365 days
     • Minimum password age: DSS recommends at least 1 day
     • Password must meet complexity requirements: Enabled
     • Store password using reversible encryption: Disabled

  12. System Certification: Password Policy

  13. System Certification: Account Lockout Policy
     To change the account lockout policies, double-click on each policy and a dialog box will appear:
     • Account lockout duration: 15 minutes. (If you want to lock the account and require an administrator to do the reset, set this to "0" minutes.)
     • Account lockout threshold: 5 invalid logon attempts.
     • Reset account lockout counter after: 15 minutes

  14. System Certification: Account Lockout Policy

  15. System Certification: Audit Policy
     To change the audit policies, double-click on each policy and select Success and/or Failure as appropriate:
     • Audit Account Logon Events: Success, Failure
     • Audit Account Management: Success, Failure
     • Audit Directory Service Access: No auditing
     • Audit Logon Events: Success, Failure
     • Audit Object Access: Failure
     • Audit Policy Change: Success, Failure
     • Audit Privilege Use: Failure
     • Audit Process Tracking: No auditing
     • Audit System Events: Success, Failure
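An added compliance check, not part of the workshop: it reads the text of a secedit /export dump and reports every password, lockout and audit setting that differs from the values given on slides 11, 13 and 15. The INF key names are the ones secedit writes; the baseline dictionary is my mapping of the slide values onto those keys, and the sample export is constructed.

```python
import configparser

# Baseline from the workshop slides. secedit stores the audit settings as
# 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
EXPECTED = {
    "System Access": {"PasswordHistorySize": 8, "MaximumPasswordAge": 365,
                      "MinimumPasswordAge": 1, "PasswordComplexity": 1,
                      "ClearTextPassword": 0, "LockoutBadCount": 5,
                      "LockoutDuration": 15, "ResetLockoutCount": 15},
    "Event Audit": {"AuditAccountLogon": 3, "AuditAccountManage": 3,
                    "AuditDSAccess": 0, "AuditLogonEvents": 3,
                    "AuditObjectAccess": 2, "AuditPolicyChange": 3,
                    "AuditPrivilegeUse": 2, "AuditProcessTracking": 0,
                    "AuditSystemEvents": 3},
}

def parse_secedit_inf(text):
    """Parse the text of a 'secedit /export /cfg <file>' dump (INI syntax;
    the real file is UTF-16, so decode it before passing it in)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case, e.g. LockoutBadCount
    cp.read_string(text)
    return cp

def check_policy(cfg, expected=EXPECTED):
    """Return (section, key, expected, actual) for each deviating setting;
    a key missing from the export is reported with actual=None."""
    findings = []
    for section, wanted in expected.items():
        for key, want in wanted.items():
            actual = cfg.getint(section, key, fallback=None)
            if actual != want:
                findings.append((section, key, want, actual))
    return findings

def render_inf(sections):
    """Write {section: {key: value}} in the 'Key = Value' layout secedit uses."""
    out = []
    for name, kv in sections.items():
        out.append(f"[{name}]")
        out.extend(f"{k} = {v}" for k, v in kv.items())
    return "\n".join(out) + "\n"

# Constructed sample export (not from a real system): the baseline with the
# default 42-day maximum age, a 30-minute lockout and no object-access auditing.
SAMPLE = {s: dict(kv) for s, kv in EXPECTED.items()}
SAMPLE["System Access"].update(MaximumPasswordAge=42, LockoutDuration=30)
SAMPLE["Event Audit"]["AuditObjectAccess"] = 0
SAMPLE_INF = render_inf(SAMPLE)
```

Run check_policy(parse_secedit_inf(open(path, encoding="utf-16").read())) against a real export to list the settings a certifier would send back for correction.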

  16. System Certification: Audit Policy

  17. System Certification: User Rights Assignment Policy
     • Restrict the right to change the system time to Administrators only
     • If the administrator is not performing the security audits and a custodian has been delegated that responsibility:
       • Double-click on "Manage auditing and security log"
       • Add the user name of the custodian. This will give the custodian rights to the audit events.

  18. System Certification: User Rights Assignment Policy

  19. System Certification: User Rights Assignment Policy
     If the administrator is not performing the security audits and a custodian has been delegated that responsibility, go to the Local Security Settings and double-click on "Manage auditing and security log". Add the user name of the custodian. This will give the custodian rights to the audit events.

  20. System Certification: User Rights Assignment Policy

  21. System Certification: Security Options Policy
     Shutting down the system when security auditing stops. The following illustration shows how to set up the system to shut down in the event that security audit events stop recording. At that point, the system would be accessible only to a privileged user, who would be able to archive the security log and clear the active log to restore normal system operation.

  22. System Certification: Security Options Policy

  23. System Certification: User Account Checklist
     • Disable the Guest account
     • Create accounts only for users who have been briefed and have signed a briefing statement
     • If possible, use the same naming convention as used on the unclassified systems
     • For users who need an administrator account, use the same naming convention but add zz in front of the name, for example: zzjohnsna
     • Use the Administrator named account only in case of an emergency
     • Re-validate all user accounts at the interval prescribed in your SSP

  24. System Certification: Secure the \Windows or \WinNT Directory
     • Right-click on the Windows or WINNT directory and select "Properties", then select the "Security" tab
     • Make sure that the Administrators group, Administrator, Authenticated Users and SYSTEM are added to the "Permissions"
     • Administrators group, Administrator and SYSTEM get "Full Control"
     • Authenticated Users get only "Read & Execute"
     • Select the "Advanced..." button and select "Auditing"
     • Add in "Everyone".

  25. System Certification: Secure the \Windows or \WinNT Directory

  26. System Certification: Secure the \Windows or \WinNT Directory

  27. System Certification: Secure the \Windows or \WinNT Directory

  28. System Certification: Secure the \Windows or \WinNT Directory

  29. System Certification: Secure the SAM Database
     The other concern is the SAM database; the database contains the passwords for the system. The SAM is located in the \system32\config directory AND in the \repair directory.
     • Right-click on the \system32\config directory. Select the "Security" tab.
     • Add in "Authenticated Users", "Administrators", "Administrator" and "SYSTEM".
     • "Authenticated Users" will have "List Folder Contents" rights only. All others will have Full Control.
     • Repeat this for the \repair directory.

  30. System Certification: Secure the SAM Database

  31. System Certification: Secure the Registry
     Limit the number of people who have access to the registry. For example, because members of the Administrators group have full access to the registry, add only users who need such access to the Administrators group. Also, you can use Group Policy to restrict the use of Registry Editor (both Regedt32.exe and Regedit.exe) for users who do not need access to the registry, or you can simply remove Registry Editor from the computers of these users.
     • Disable registry editing tools (through GPO): set the GPO and create a user group to assign the GPO to (everyone but administrators). This will disable the use of regedit.exe and regedt32.exe (User Configuration\Administrative Templates\System; the DisableRegistryTools setting).
     • HKLM\System\CurrentControlSet\Control\SecurePipeServers\winreg: on the menu bar, select Security\Permissions and make sure that non-privileged users do not have permissions to access the registry.

  32. System Certification: Secure Anti-Virus Software
     The users will not be able to modify or turn off the Auto-Protect shield in the anti-virus software. The C:\Program Files directory will have the same security and auditing as the Windows or WinNT directory.
     • Go to the C:\Program Files directory and right-click on the folder. Select the "Security" tab.
     • Make sure that the Administrators group, Administrator, Authenticated Users and SYSTEM are added to the "Permissions".
     • Administrators group, Administrator and SYSTEM get "Full Control".
     • Authenticated Users get only "Read & Execute", "List Folder Contents", and "Read".
     • Apply the auditing as previously directed for the \Windows or \WinNT folder.

  33. System Certification: Secure Anti-Virus Software
