Windows XP Security II Laurie Walters firstname.lastname@example.org
XP Security II Seminar Objectives • System Security II • Software Update Services (SUS) & Patching • Automatic Updates on Standalone Machines • Installing SUSAdmin • Configuring SUSAdmin • Approving Updates • Installing SUSClient • Configuring SUSClient to update from server via AD OU Group Policy • Simple File Sharing • Simple File Sharing Overview • Setting Up SFS Shares • SFS Is Not Secure • Disabling SFS
XP Security II Seminar Objectives • System Security II (Continued) • NTFS Permissions • Definitions • Changing Default Permissions • NTFS Rules: Additive Permissions and Deny Permissions • Removing Access to Common Executables • Windows Security Templates & Policies • Creating a New Security Template • Defining Your Security Settings • Using the Security Configuration and Analysis Tool • Applying Security Templates • Security Policies
XP Security II Seminar Objectives • Network Security • IPSEC filtering • IP Security Overview • Starting IPSec Service • Installing an IPSec Policy • Creating a Custom IPSec Policy • Application Security • Services to Shut Off • Disabling Un-necessary Services • Use Secure Services • Specific XP Services to Disable
XP Security II Seminar Objectives • Application Security • Remote Desktop / Remote Assistance • Remote Assistance Overview • Disabling Remote Assistance • Setting Up Remote Desktop • Changing Default Remote Desktop Port • Disabling Remote Desktop • Using HFNetChk and Baseline Security Analyzer • HFNetChk Overview • Microsoft Baseline Security Analyzer Overview • Reading Logs • System LogFile Locations • IIS LogFile Locations • Conclusion
XP Security II Seminar Objectives • System Security II • Software Update Services (SUS) & Patching • Simple File Sharing • NTFS Permissions • Windows Security Templates & Policies • IPSEC filtering • Application Security • Services to Shut Off • Remote Desktop / Remote Assistance • Using HFNetChk and Baseline Security Analyzer • Reading Logs
Windows XP Security II • System Security II • Software Update Services (SUS) & Patching • Automatic Updates on Standalone workstations • Installing SUSAdmin • Configuring SUSAdmin • Synchronizing SUS • Approving Updates • Installing SUSClient • Configuring SUSClient to update from server via AD OU Group Policy • Simple File Sharing • NTFS Permissions • Windows Security Policies • Network Security • Application Security
Installing SUSAdmin • SUS has two portions: • Server (SUSAdmin) • Client (Automatic Updates Client) • SUSAdmin can only be installed on Windows 2000 or 2003 Server • It is recommended that SUSAdmin be installed on Standalone Server (Not domain controller or application server) • Install Server Software from: http://download.microsoft.com/download/0/b/9/0b97f864-2408-4748-ad96-3691e2451006/SUS10SP1.exe • Read SUS Deployment Whitepaper: http://www.microsoft.com/windowsserversystem/sus/susdeployment.mspx
Configuring SUSAdmin • On SUSAdmin Server, open following URL: • http://localhost/SUSAdmin • Welcome screen will appear. Click on “Set Options” in left frame. • Choose whether to maintain the updates on a MS Windows Update Server or save the updates to a local folder. • If updates saved to local folder, choose “Locales” (Languages) for install packages. Only use minimum necessary languages to reduce download time of updates • It is recommended that you use SSL for SUS. Instructions on enabling SSL for SUS can be found in the MS SUS Whitepaper on page 25.
Synchronizing SUS • Click on Synchronize Server on left frame. • On right side of page, click on “Synchronization Schedule” • Choose when synchronization should occur (weekly, daily, etc). • Recommended setting = daily • Click on Synchronize now • Catalog Download Progress will appear. It will appear to “hang” on 100% with a cancel button below. Do not cancel! • Next, it will start downloading the actual updates
Approving Updates • Click on “Approve Updates” in left hand pane. • All available updates that have been downloaded will be listed with one of the following status: • New (recently downloaded and not approved) • Approved (approved and available for download by client computers) • Not Approved (Declined by SUS administrator and will not be made available for client computers) • Updated (A change has been made to an update) • Temporarily Unavailable (Update package or a dependency is not available) • Check the box next to the updates you have previously examined in a test environment and want to approve for distribution to your client computers.
Installing SUSClient • Client can be downloaded from: http://www.microsoft.com/windows2000/downloads/recommended/susclient/default.asp • Client can be installed on: • Windows 2000 Professional with Service Pack (SP) 2 (already included with W2K SP3) • Windows 2000 Server with SP2 • Windows 2000 Advanced Server with SP2 • Windows XP Professional (already included with XP SP1) • Windows XP Home Edition
Configuring SUSClient to update via AD OU Group Policy • Run dsa.msc (Active Directory Users and Computers) on an Active Directory Domain Controller. • Right click the OU or domain where you want to create the policy • Choose Properties • Click the Group Policy tab and click New • Type a name for the policy and click Edit. • Double click either Computer or User Configuration (Settings) and right-click on Administrative Templates • Choose Add/Remove Templates, and then click Add • If you don’t already see wuau in the list of current policy templates, click the Add button at the bottom of the screen. • Navigate to %SystemRoot%\inf\WUAU.adm • Click Open
Configuring SUSClient to update via AD OU Group Policy (Cont.) • In Group Policy Editor, Click on Computer Configuration in left hand pane. • Click + next to Administrative Templates to expand it. • Click + Next to Windows Components • Click on Windows Update • Configure options in right hand pane: • Configure Automatic Updates • Specify intranet Microsoft update service location • Reschedule Automatic Updates scheduled installations • No auto-restart for scheduled Automatic Updates installations • SUS can be set up via Registry entries if you aren’t using Active Directory. Please see page 61 of the SUS Whitepaper for installation instructions.
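The four Windows Update policy items listed above are stored as registry values under the WindowsUpdate policy key, which is what the slides mean by setting SUS up "via Registry entries" on a machine that is not in Active Directory. The batch script below is an added example (not from the seminar slides or the SUS whitepaper) that writes those values with reg.exe, which ships with XP; the server name http://sus-server is a placeholder, and the schedule (every day at 03:00) is a chosen value, not a slide recommendation.

```batch
@echo off
rem Added example: point the Automatic Updates client at an intranet SUS server
rem without Group Policy (standalone / workgroup XP). Run as a local administrator.
rem ASSUMPTION: the SUS server is reachable as http://sus-server (placeholder name).
setlocal
set SUS_URL=http://sus-server
set WU=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

rem "Specify intranet Microsoft update service location": the server clients
rem download from and the server that receives their status reports (same box here).
reg add %WU% /v WUServer /t REG_SZ /d %SUS_URL% /f
reg add %WU% /v WUStatusServer /t REG_SZ /d %SUS_URL% /f

rem "Configure Automatic Updates": AUOptions 4 = auto download and schedule install
rem (2 = notify before download, 3 = auto download, notify before install).
reg add %WU%\AU /v NoAutoUpdate /t REG_DWORD /d 0 /f
reg add %WU%\AU /v AUOptions /t REG_DWORD /d 4 /f
rem UseWUServer=1 makes the client use WUServer instead of the public Windows Update.
reg add %WU%\AU /v UseWUServer /t REG_DWORD /d 1 /f
rem Scheduled install: day 0 = every day, hour 3 = 03:00 local time (chosen values).
reg add %WU%\AU /v ScheduledInstallDay /t REG_DWORD /d 0 /f
reg add %WU%\AU /v ScheduledInstallTime /t REG_DWORD /d 3 /f

rem "Reschedule Automatic Updates scheduled installations": if the machine was off
rem at the scheduled time, run the missed install this many minutes after startup.
reg add %WU%\AU /v RescheduleWaitTime /t REG_DWORD /d 10 /f

rem "No auto-restart for scheduled Automatic Updates installations": never reboot
rem while a user is logged on; the user is prompted instead.
reg add %WU%\AU /v NoAutoRebootWithLoggedOnUsers /t REG_DWORD /d 1 /f

rem Show the result so it can be checked before the service reads it.
reg query %WU% /s

rem The Automatic Updates service reads policy at start; restart it to apply now.
net stop wuauserv
net start wuauserv
endlocal
```

The same values are what the Group Policy template writes for domain members, so `reg query` on a domain-joined client is also a quick way to confirm that the OU policy actually reached the machine.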
Windows XP Security II • System Security II • Software Update Services (SUS) & Patching • Simple File Sharing • Simple File Sharing Overview • Setting Up SFS Shares • SFS Is Not Secure • Disabling SFS • NTFS Permissions • Windows Security Templates and Policies • Network Security • Application Security
XP Simple File Sharing • With Windows XP, Microsoft introduced a new feature called “Simple File Sharing” • By default with Simple File Sharing, no files or folders on the hard drive are shared with other network users. • Simple File Sharing enabled by default in: • XP Home: This feature cannot be disabled in XP Home Edition. • XP Pro: Only enabled in workstation / standalone mode. It may be disabled in this mode. When an XP Pro machine is joined to a domain, this feature is automatically disabled, and uses standard NTFS permissions instead.
Setting Up Shares Using Simple File Sharing • To share a folder with simple file sharing enabled, right click on folder and choose properties and select the sharing tab. • To share files/folders with other users on the same machine, drag the desired items to the “Shared Documents” folder • To share file(s) or folder(s) with other network users, (use the network setup wizard) and then give share a name. There is a check box to “Allow network users to change my files” – This is not recommended!!!
XP Simple File Sharing Is Not Very Secure! • Simple File Sharing does not use passwords or access restrictions. • Everything that is shared is accessible by everyone on the network. • If “Allow network users to change my files” is checked, others have write privileges to the folder without any access controls. • This is a good way for viruses to spread! • If any folders or files are shared, it is recommended that you do not use simple file sharing.
Disabling XP Simple File Sharing • To disable simple file sharing, open up Windows Explorer or My Computer folder. Under the Tools Menu, Select Folder Options. Choose the View Tab. Scroll down to “Use Simple File Sharing” and uncheck the box.
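The Folder Options checkbox above corresponds to a single registry value on XP Professional (ForceGuest under the Lsa key: 1 means every network logon is mapped to Guest, which is Simple File Sharing; 0 restores per-user share and NTFS permissions). The batch script below is an added example, not from the seminar slides, that first lists what the machine is currently exposing and then makes the same change from the command line; it assumes a local administrator on XP Professional, and the share name SharedDocs in the commented line is only an illustration.

```batch
@echo off
rem Added example: audit current shares and disable Simple File Sharing on XP Pro.
rem ASSUMPTION: run as a local administrator; XP Home cannot change this setting.
set LSA=HKLM\SYSTEM\CurrentControlSet\Control\Lsa

rem 1. What is shared right now? While Simple File Sharing is on, every non-admin
rem    share listed here is readable by anyone on the network, and writable if
rem    "Allow network users to change my files" was ticked.
net share

rem 2. Current state of the setting: 1 = Simple File Sharing, 0 = classic permissions.
reg query %LSA% /v ForceGuest

rem 3. Disable Simple File Sharing (same effect as unchecking the Folder Options box).
reg add %LSA% /v ForceGuest /t REG_DWORD /d 0 /f

rem 4. Remove any share that should not exist (illustrative name; check step 1).
rem    Leave the administrative shares (C$, ADMIN$, IPC$) alone; they are recreated at boot.
rem net share SharedDocs /delete

rem 5. Confirm the change; existing shares now enforce NTFS and share permissions
rem    for the connecting user instead of mapping everyone to Guest.
reg query %LSA% /v ForceGuest
```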
Windows XP Security II • System Security II • Software Update Services (SUS) & Patching • Simple File Sharing • NTFS Permissions • Definitions • Changing Default Permissions • NTFS Rules: Additive Permissions and Deny Permissions • Removing Access to common executables • Windows Security Templates & Policies • Network Security • Application Security
NT File ACLs (Permissions) For Shared Files • NTFS uses DACLs (Discretionary Access Control Lists) to determine authorization • An individual entry in an Access Control List is known as an Access Control Entry (ACE). • Generically, a collection of ACEs (an ACL) can be referred to as permissions • Microsoft’s default for permissions has been: usability over security • For security purposes it is prudent to restrict access for Everyone and anonymous users where possible.
Changing Default NTFS Permissions • After applying the service pack, replace “Everyone” with Full Control by Administrators with Full Control on pertinent files/folders • Folders created by the OS generally have correct permissions. Any folders created by you will inherit the root folder permissions by default, which are Everyone = Full Control • Note: Always add administrator(s) with full control before taking away full control from Everyone. • Add Authenticated Users; give them the desired permissions • E.g. RWXD or RX
NTFS ACL Rule 1: ACL Permissions Are Additive • Example: Your account is a member of two groups: Backup Operators and Users. • The Users group is not listed in the group of people allowed access to the folder. However, the Backup Operators group has permissions listed as RWXD. • Result: You have RWXD permissions for this folder.
NTFS ACL Rule 2: “Deny” Explicitly Overwrites Any “Allow” Permissions • Example: Your account is again a member of two groups: Backup Operators and Users • The Users group has an explicit deny flag set for the folder. The Backup Operators Group is set to RWXD. • Result: You will not be able to access this folder!
Remove Access to Known Command Line Executables From “Everyone” • Grant ACEs for Authenticated Users only (and remove Everyone) for the following C:\Winnt\System32 executables: • Cmd.exe • Command.com • Ftp.exe • Regedit.exe • Regedt32.exe • Telnet.exe • Tftp.exe
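The two slides above (changing the default permissions, and restricting the listed executables) can be done with cacls.exe, which is built into XP. The batch script below is an added example, not from the seminar slides: it follows the slides' ordering rule (add Administrators with Full Control first, then remove Everyone) for each listed executable. It assumes a local administrator, uses %SystemRoot%\system32 as the XP equivalent of the C:\Winnt\System32 path on the slide, and treats the slide's RX as the cacls "R" right (read, which covers execute for .exe files). On XP regedit.exe lives in %SystemRoot% itself rather than system32, so the script checks both locations.

```batch
@echo off
rem Added example: restrict the slide's list of command-line tools to Administrators
rem (Full Control) and Authenticated Users (Read), and remove Everyone.
rem ASSUMPTION: run as a local administrator on XP; cacls /E edits the existing ACL
rem instead of replacing it (/G = grant, /R = revoke).
setlocal
set SYS32=%SystemRoot%\system32

for %%F in (cmd.exe command.com ftp.exe regedit.exe regedt32.exe telnet.exe tftp.exe) do (
    if exist "%SYS32%\%%F" (
        call :fix "%SYS32%\%%F"
    ) else if exist "%SystemRoot%\%%F" (
        call :fix "%SystemRoot%\%%F"
    ) else (
        echo === %%F not present, skipped
    )
)
endlocal
goto :eof

:fix
echo === %~1
rem Slide rule: add administrators with Full Control BEFORE taking Everyone away,
rem otherwise the file can become unmanageable.
cacls "%~1" /E /G Administrators:F
cacls "%~1" /E /G "Authenticated Users":R
cacls "%~1" /E /R Everyone
rem Print the resulting ACL so the change can be verified. cacls only edits the file's
rem own entries; if Everyone is still shown because it is inherited from the folder,
rem break inheritance on the file's Security tab and repeat.
cacls "%~1"
goto :eof
```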
Windows XP Security II • System Security II • Simple File Sharing • NTFS Permissions • Windows Security Templates & Policies • Security Policies Overview • Account / Password Policies • Auditing Policies • User Rights Assignment • Security Policies • Network Security • Application Security
Security Policies • Control Panel → Classic View → Administrative Tools → Local Security Policy • Policies Include: • Account Policies, Local Policies, Security Options, Public Key Policies, Software Restriction, IPSEC
Security Templates • Template: A predefined “stencil” of computer settings which can be quickly and/or automatically applied. • Microsoft has predefined some computer security templates • Designed to lock down settings and make the computers more secure. • They are located at: %SystemRoot%\Security\Templates and are kept as .ini files. • You can directly edit the .ini files in notepad if you wish • You can use the MS templates, but it is suggested that you create a new template and define the security settings • Then use the Security Configuration and Analysis tool to compare your settings to MS recommended settings.
Creating a New Security Template • Go to the Start Menu and choose Run. Type “mmc” in the box and press enter. • Under the file menu, select “Add/Remove Snap-in” and select the add button when it appears • Click the Security Templates from the Add Standalone Snap-in Window • Click ok and the close button • The Security Templates button will now appear in the left pane of the MMC console window. • Right click on the location of the templates and select “New Template” Next, type in the name of your template and a description.
Defining your Security Settings • Click on the + Sign next to the name of your newly created security template and navigate through the entries. • Change the security settings you see fit. • Once you have done so, right click on the name of your security template and choose “Save As” to save your settings to a file. • Extensive information about security settings will be discussed in following section of seminar.
Opening the Security Configuration and Analysis Tool • Open the MMC and add the Security Configuration and Analysis Snap-In exactly as you added the Security Templates Snap-In. • Right Click on the Security Configuration and Analysis in the left pane. Choose “Open Database” and type in a filename for a new database you will be creating to compare your security settings in. • Next, you will see an “import template” dialog box. Choose the name of the template you want to compare your settings to (e.g. HISECWS). Click on Open.
Using the Security Configuration and Analysis Tool • Right-click on the tool and choose “Analyze Computer Now” It will put a check mark next to any of your settings that it deems sufficiently match the MS predefined template and an X next to those that do not. • To apply all settings from a MS template to your computer, right-click on the Tool and Click “Configure Computer Now”. Warning, this applies MS settings over yours, which is Non-reversible! Use Caution!
Applying Security Templates • Security templates should be applied both for domain settings and local settings (in case the domain is not available). • You can apply the templates manually to the local system or through the “secedit” command (you can use a batch file at logon to automatically apply the desired template). • You can also import the template into a domain Group Policy so that the security settings are applied automatically to all computers in the domain.
Importing a template into Active Directory • You can set templates for Organizational Units in the following manner on an AD Domain Controller: • Open Administrative Tools in the Control Panel and select Active Directory Users and Computers • Right-click on the Organizational Unit that requires the security policy. Select properties • Click on the Group Policy Tab. Select New and type in the name of the new policy you will be adding • Click on the Edit button and the Group Policy Object Editor will appear • Click the + next to Computer Configuration. Then, Click the + to expand the Windows Settings • Right click on Security Settings and choose “Import Policy” • Select the template that you wish to be applied to the OU and click on Open to import the policy.
Account / Password Policies • Password History (X passwords remembered) • Default = 0, Recommended = 5 • Maximum Password Age (X days) • Default = 42 days, Recommended = ? • Minimum Password Age • Default = 0 days, Recommended = ? • Password Length • Default = 0, Recommended = 7
Password Policies (cont.) • Password Must Meet Complexity Requirements • Three of the four following character classes: lower case, upper case, numbers, symbols, AND passwords cannot contain the user name or any part of the full name. • Default = Disabled, Recommended = Enabled • Store passwords using reversible encryption for all users in the domain • Default = Disabled
Account Lockout Policy • Account Lockout Duration • Recommended: 15 minutes or longer • Account Lockout Threshold • Recommended: 5 attempts or lower • Reset Account After • Recommended: 15 minutes or longer
Auditing Policies • By default, nothing is audited in XP! • Audit Account Logon Events – Records response of a domain controller to authenticate a network user. • Recommended: Success / Failure • Audit Account Management – Audits account changes such as renaming, enabling/disabling, password changes, creation, deletion, etc. • Recommended: Success / Failure
Auditing Policies (Cont.) • Audit directory service access – logs events of standard active directory objects • Recommended = Failure • Audit Logon Events – Records user authentication for local machine or domain controllers • Recommended = Success / Failure • Audit Object Access – Allows setting of auditing on files or directories (you must set each directory/file separately). • Recommended = Varies
Auditing Policies (Cont.) • Audit Policy Change – Audits additions, deletions, and changes made to local and domain security policies • Recommended = Success / Failure • Audit Privilege Use – Audits special privileges assigned to a user, privileged services that are called, and privileged object operation • Recommended = Failure (Auditing success will fill up logs very quickly!)
Auditing Policies (Cont.) • Audit Process Tracking – Audits processes (creation, exits, and resources) • Recommended = Failure or None • Audit System Events – Audits events going on within the physical system that can affect security or logging (shutdowns, reboots, clearing of logs) • Recommended = Failure (can fill up logs VERY quickly)