SlideShare a Scribd company logo

System Hardening Recommendations_FINAL

M
Martin Evans

The document provides system hardening recommendations for Windows 7 workstations and Windows Server 2012 at Verisk Health. It includes recommendations for account policies, local policies, Windows Firewall settings, network list manager policies, and public key policies. The recommendations aim to enhance security by restricting user permissions, enabling encryption, and locking down network access and system objects. Implementing the changes would help protect sensitive data like PHI and PII but also require carefully considering each setting's potential impact.

1 of 22
Download to read offline
System Hardening Recommendations For Verisk Health Jordan Davis | McKell Gomm | Martin Evans
Table of Contents I. Windows 7 Workstation Hardening Recommendations a. Account Policies b. Local Policies c. Windows Firewall d. Network List Manager Policies e. Public Key Policies f. Software Restriction Policies g. Application Control Policies h. Advanced Audit Policy Configuration II. Windows Server 2012 Hardening Recommendations a. Additional Server Settings b. Group Policy Object (GPO) Recommendations III. Additional Hardening Recommendations IV. Summary and Potential Impact
I. Windows 7 Workstation Recommendations – While many of these changes are minor, some recommendations are more impactful. Although some specifics are given, some areas include brief explanations and each setting should be carefully considered before implementing. a. Account Policies i. Password Policy Policy Security Settings (Recommended) Enforce password history 24 passwords remembered Maximum password age ≤ 60 (days) Minimum password age ≥ 1 days Minimum password length 8 characters Passwords must meet complexity requirements Enabled Store passwords using reversible encryption Disabled ii. Account Lockout Policy Policy Security Settings (Recommended) Account lockout duration 1440 minutes Account lockout threshold <10 Invalid login attempts Reset account lockout counter after 1440 minutes b. Local Policies i. Audit Policy Setting Recommendation Audit account logon events Success, Failure Audit account management Success, Failure Audit directory service access Failure Audit logon events Success, Failure Audit object access Failure Audit policy change Success, Failure Audit privilege use Success, Failure
Audit process tracking Failure Audit system events Success, Failure ii. User Rights Assignment – These rights should be assigned by GPO to include users or administrators as applicable. iii. Security Options 1. Accounts Setting Recommendations Accounts: Administrator account status Disabled Accounts: Guest account status Disabled Accounts: Limit local account use of blank passwords to console logon only Enabled Accounts: Rename administrator account Recommended Accounts: Rename guest account Recommended 2. Audit Setting Recommendation Audit: Audit the access of global system objects Disabled Audit: Audit the use of Backup and Restore privilege Disabled Audit: Force audit policy subcategory settings Not Defined Audit: Shut down system immediately if unable to log security audits Disabled 3. Devices Setting Recommendation Devices: Allow undock without having to log on Enabled Devices: Allowed to format and eject removable media Administrator, Interactive Users Devices: Prevent users from installing printer drivers Enabled (*Disabled for laptops/mobile devices) Devices: Restrict CD-ROM access to locally logged on user only Not Defined Devices: Restrict floppy access to locally logged on user only Not Defined
4. Domain Member Setting Recommendation Domain member: Digitally encrypt or sign secure channel data (always) Enabled Domain member: Digitally encrypt secure channel data (when possible) Enabled Domain member: Digitally sign secure channel data (when possible) Enabled Domain member: Disable machine account password changes Disabled Domain member: Maximum machine account password age 30 days Domain member: Require strong (Windows 2000 or later) session key Enabled 5. Interactive Logon Setting Recommendation Interactive Logon: Do not display last user name Disabled Interactive Logon: Display user information when the session is locked Display Name Only Interactive Logon: Do not require CTRL+ALT+DEL Disabled Interactive Logon: Message text for users attempting to log on Undefined Interactive Logon: Message title for users attempting to log on Legal Notice Interactive Logon: Number of previous logons to cache (in case domain controller is not available) 10 or less
Interactive Logon: Prompt user to change password before expiration 5 or less days Interactive Logon: Require Domain Controller authentication to unlock workstation Enabled (*Disabled for laptops/mobile devices) Interactive Logon: Smart card removal behavior Lock Workstation 6. Microsoft Network Client Setting Recommendation Microsoft network client: Digitally sign communications (always) Disabled Microsoft network client: Digitally sign communications (if server agrees) Disabled Microsoft network client: Send unencrypted password to third-party SMB servers Disabled 7. Network Access Setting Recommendation Network access: Allow anonymous SID/Name translation Disabled Network access: Do not allow anonymous enumeration of SAM accounts Enabled Network access: Do not allow anonymous enumeration of SAM accounts and shares Enabled Network access: Do not allow storage of credentials or .NET Passports for network authentication Enabled Network access: Let Everyone permissions apply to anonymous users Disabled Network access: Named Pipes that can be accessed anonymously Not Defined Network access: Remotely accessible registry paths Not Defined
Network access: Restrict anonymous access to named Pipes and Shares Enabled Network access: Shares that can be accessed anonymously Not Defined Network access: Sharing and security model for local accounts Classic – local users authenticate as themselves 8. Network Security Setting Recommendation Network security: Allow PKU2U authentication requests to this computer to use online identities Disabled Network security: Configure encryption types allowed for Kerberos AES128 or 256 future encryption types Network security: Do not store LAN Manager hash value on next password change Enabled Network security: LAN Manager authentication level Send NTLMv2 responses onlyrefuse LM Network security: LDAP client signing requirements Negotiate signing Network security: Minimum session security for NTLM SSP based (including secure RPC) clients Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128 bit encryption Network security: Minimum session security for NTLM SSP based (including secure RPC) servers Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128 bit encryption
9. Recovery Console Setting Recommendation Recovery console: Allow automatic administrative logon Disabled Recovery console: Allow floppy copy and access to all drives and all folders Disabled 10. Shutdown Setting Recommendation Shutdown: Allow system to be shut down without having to log on Enabled Shutdown: Clear virtual memory pagefile Disabled 11. System Cryptography, System Objects, and User Account Control Setting Recommendation System cryptography: Force strong key protection for user keys stored on the computer User must enter a password each time they use a key System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Enabled System objects: Require case insensitivity for non-Windows subsystems Enabled System objects: Strengthen default permissions of internal system objects Enabled c. Windows Firewall i. Windows Firewall – Local GPO Profile: Setting Recommendation Domain Profile Firewall State: ON Inbound Connections: BLOCK Outbound Connections: ALLOW Private Profile: Firewall State: ON Inbound Connections: BLOCK Outbound Connections: ALLOW
Public Profile: Firewall State: ON Inbound Connections: BLOCK Outbound Connections: ALLOW IPsec Settings: IPsec Defaults: CUSTOMIZE Key Exchange (Main Mode): DEFAULT Data Protection (Quick Mode): DEFAULT Authentication Mode: Computer and User (Kerberos V5) IPsec Exemption: Exempt ICMP IPsec: NO IPsec Tunnel Authorization: NONE d. Network List Manager Policies Network Name: Setting Recommendation Network Properties Network Name: Identifies a network Name: N/A User Permissions: User Cannot Change Name Network Icon: Provides a graphic or logo that represents the company or network Icon: ICON User Permissions: User Cannot Change Icon Network Location: Identifies the type of network that a computer is connected to and automatically sets the appropriate firewall setting for that location. Location Type: Private/Public User Permissions: User Cannot Change Location Unidentified Networks: Networks that cannot be identified due to a network issue or lack of identifiable characteristics Network Location: Identifies the type of network that a computer is connected to and automatically sets the appropriate firewall setting for that location. Location Type: Private/Public User Permissions: User Cannot Change Location
Identifiable Networks: Temporary state of networks that are in the process of being identified. Network Location: Identifies the type of network that a computer is connected to and automatically sets the firewall settings for that location. Location Type: Private/Public All Networks: All networks the user connects to. User Permissions: These permissions control if users can change the network name, location, or icon. Network Name: User Cannot Change Name Network Location: User Cannot Change Location Network Icon: User Cannot Change Icon e. Public Key Policies i. Encrypting File System: Specific files/folders should be encrypted if necessary to protect sensitive data (i.e. PHI, IP). We recommend this setting be configured if sensitive/encrypted data will be saved in specific directories/folders on the machine. A Data Recovery Agent should be set – preferably to a local admin account. ii. BitLocker Drive Encryption: As Verisk Health deals with sensitive data on a daily basis (i.e. PHI/PII), we recommend that some form of whole-disk encryption be used. In order to use BitLocker, a Data Recovery Agent must be set – preferably to a local admin account. f. Software Restriction Policies: If it is needed and feasible, strict controls can be put in place to restrict the execution of specific file types. Since this is an advanced set of policies, it may be avoided as long as mitigating controls are in place. These would include restricting downloading and executing software to local administrators only.
g. Application Control Policies i. AppLocker: AppLocker helps administrators control how users can access and use files, such as executable files, packaged apps, scripts, Windows Installer files, and DLLs. RECOMMENDATION: Define rules based on file attributes derived from the digital signature, including the publisher, product name, file name, and file version. Assign a rule to a security group or an individual user. Create exceptions to rules. Use audit-only mode to deploy the policy and understand its impact before enforcing it. Import and export rules. Simplify creating and managing AppLocker rules by using AppLocker PowerShell cmdlets. ii. IP Security Policies: These required advanced configuration but should be used in cases where a system needs to communicate securely with either another computer or group of computers (subnet). h. Advanced Audit Policy i. System Audit Policies – Local GPO System Audit Policy: Setting Recommendation Account Logon Audit Credential Validation: allows you to audit events generated by validation tests on user account logon credentials. Success, Failure Audit Kerberos Authentication Services: allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests. Failure Audit Kerberos Service Ticket Operations: allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests submitted for user accounts. Failure
Account Logon (continued): Audit Other Account Logon Events: allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets. Failure Account Management Audit Application Group Management: allows you to audit events generated by changes to application groups such as the following: Application group created, changed, or deleted. Member is added or removed from an application group Success, Failure Audit Computer Account Management: allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted. Success, Failure Audit Distribution Group Management: allows you to audit events generated by changes to distribution groups. Failure Audit Other Account Management Events: allows you to audit events generates by other user account changes that are not covered in this category. The password hash of a user account was accessed. The Password Policy Checking API was called. Changes to the Default Domain Group Policy were made. Success, Failure Audit Security Group Management: allows you to audit events generated by changes to security groups such as the following: Security group is created, changed, or deleted. Member is added or removed from a security group. Group type is changed Success, Failure Audit user Account Management: allows you to audit changes to user accounts. Events. Success, Failure
Detailed Tracking Audit DPAPI Activity: allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. Success, Failure Audit Process Creation: allows you to audit events generated when a process is created or starts. The name of the application or user that created the process is also audited. Failure Audit Process Termination: allows you to audit events generated when a process ends. Failure Audit RPC Events: allows you to audit inbound remote procedure call (RPC) connections. Success, Failure DS Access Audit Detailed Directory Service Replication: allows you to audit events generated by detailed Active Directory Domain Services (AD DS) replication between domain controllers. Workstation: No Auditing Server: Failure Audit Directory Service Access: allows you to audit events generated when an Active Directory Domain Services (AD DS) object is accessed. Workstation: No Auditing Server: Failure Audit Directory Service Changes: allows you to audit events generated by changes to objects in Active Directory Domain Services (AD DS). Events are logged when an object is created, deleted, modified, moved, or undeleted. Workstation: No Auditing Server: Success, Failure Audit Directory Service Replication: allows you to audit replication between two Active Directory Domain Services (AD DS) domain controllers. Workstation: No Auditing Server: Failure Logon/Logoff Audit Account Lockout: allows you to audit events generated by a failed attempt to log on to an account that is locked out. Success.
Logon/Logoff (continued): Audit User / Device Claims: allows you to audit user and device claims information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. Workstation: Failure Server: Failure Audit IPsec Extended Mode: allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. No Auditing Audit IPsec Main Mode: allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. No Auditing Audit IPsec Quick Mode: allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. No Auditing Audit Logoff: allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged on to. Success. Audit Logon: allows you to audit events generated by user account logon attempts on the computer. Workstation: Success Server: Success, Failure
Logon/Logoff (continued): Audit Network Policy Server: allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock. Success, Failure Audit Other Logon/Logoff Events: allows you to audit other logon/logoff- related events that are not covered in the “Logon/Logoff” policy setting such as the following: Terminal Services session disconnections. New Terminal Services sessions. Locking and unlocking a workstation. Invoking a screen saver. Dismissal of a screen saver. Success, Failure Audit Special Logon: allows you to audit events generated by special logons such as the following: The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. Success, Failure Object Access Audit Application Generated: allows you to audit applications that generate events using the Windows Auditing application programming interfaces (APIs). Applications designed to use the Windows Auditing API use this subcategory to log auditing events related to their function. No Auditing Audit Certification Services: allows you to audit Active Directory Certificate Services (AD CS) operations. No Auditing Audit Detailed File Share: allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the Success, Failure
permissions or other criteria used to grant or deny access. Object Access (continued): Audit File Share: allows you to audit attempts to access a shared folder. If you configure this policy setting, an audit event is generated when an attempt is made to access a shared folder. If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, or both successes and failures. Success, Failure Audit File System: allows you to audit user attempts to access file system objects. A security audit event is generated only for objects that have system access control lists (SACL) specified, and only if the type of access requested, such as Write, Read, or Modify and the account making the request match the settings in the SACL. Success, Failure Audit Filtering Platform Connection: allows you to audit connections that are allowed or blocked by the Windows Filtering Platform (WFP). Success, Failure Audit Filtering Platform Packet Drop: allows you to audit packets that are dropped by Windows Filtering Platform (WFP). Failure Audit Handle Manipulation: allows you to audit events generated when a handle to an object is opened or closed. Only objects with a matching system access control list (SACL) generate security audit events. Success, Failure Audit Kernel Object: allows you to audit attempts to access the kernel, which include mutexes and semaphores. Only kernel objects with a matching system access control list (SACL) generate security audit events. Failure Audit Other Object Access Event: allows you to audit events generated by the management of task scheduler jobs or COM+ objects. Failure
Object Access (continued): Audit Registry: allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists (SACLs) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL. Success, Failure Audit Removable Storage: allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. Success, Failure Audit SAM: allows you to audit events generated by attempts to access to Security Accounts Manager (SAM) objects. Success, Failure Policy Change Audit Audit Policy Change: allows you to audit changes in the security audit policy settings. Success Audit Authentication Policy Change: allows you to audit events generated by changes to the authentication policy. Success Audit Authorization Policy Change: allows you to audit events generated by changes to the authorization policy. No Auditing Audit Filtering Platform Policy Change: allows you to audit events generated by changes to the Windows Filtering Platform (WFP). Success Audit MPSSVC Rule-Level Policy Change: allows you to audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall. No Auditing Audit Other Policy Change Events: allows you to audit events generated by other security policy changes that are not audited in the policy change category. Success
Privilege Use Audit Non Sensitive Privilege Use: allows you to audit events generated by the use of non-sensitive privileges (user rights). No Auditing Audit Other Privilege Use Events: No Auditing Audit Sensitive Privilege Use: allows you to audit events generated when sensitive privileges (user rights) are used. Success, Failure System Audit IPsec Driver: allows you to audit events generated by the IPsec filter driver. Success Audit Other System Events: allows you to audit any of the following events: Startup and shutdown of the Windows Firewall service and driver. Security policy processing by the Windows Firewall Service. Cryptography key file and migration operations. Success, Failure Audit Security State Change: allows you to audit events generated by changes in the security state of the computer such as the following events: Startup and shutdown of the computer. Change of system time. Recovering the system from CrashOnAuditFail, which is logged after a system restarts when the security event log is full and the CrashOnAuditFail registry entry is configured. Success Audit Security System Change: allows you to audit events related to security system extensions or services. Workstation: No Auditing. Server: Success, Failure Audit System Integrity: allows you to audit events that violate the integrity of the security subsystem Success, Failure
* For more details on how these policies may effect end users visit: http://technet.microsoft.com/en-us/library/cc875814.aspx Global Object Access Auditing File System: allows you to apply a comprehensive object access audit policy to every file and folder on the file system for a computer. Configuring this setting also allows you to demonstrate that every file and folder on the computer is monitored by an audit policy that is managed from a central location. This setting applies a global system access control list (SACL) to every file and folder. If either a file or folder SACL and a global SACL are configured on a computer, the effective SACL is derived by combining the file or folder SACL and the global SACL. This means that an audit event is generated when an activity matches either the file or folder SACL or the global SACL. Depends on the effective SACL and the level of user activity Registry: allows you to apply a global object access audit policy to the registry for an entire computer. This policy setting allows you to demonstrate that every registry object on the computer is protected by an audit policy that is managed from a central location. This setting applies a global system access control list (SACL) to every registry object. If both a registry SACL and a global SACL are configured on a computer, the effective SACL is derived by combining the registry SACL and the global SACL. This means that an audit event is generated when an activity matches either the registry key SACL or the global SACL. Depends on the effective SACL and the level of user activity.
II. Windows Server 2012 Hardening Recommendations a. Additional Server Settings – In addition to the standard system build guidelines above, servers should use the following: i. Firewall configuration – host-based software firewalls such as Windows Firewall will have to be configured based on the purpose of the server. There should be standard rules/Access Control Listings (ACL’s) for each type of server (i.e. database, web server) ii. Services – depending on the purpose/use of the server, specific services should be disabled. This will provide defense-in-depth and lessen the computing load. iii. Add/Remove Role s & Features – only enable the relevant features: b. Group Policy Object (GPO) Recommendations i. Rename the Local Administrator Account ii. Disable the Guest Account iii. Disable LM and NTLM v1 iv. Disable LM hash storage
v. Set minimum password length vi. Set maximum password age vii. Enable event logs viii. Disable anonymous SID enumeration ix. Disallow the anonymous account from residing in the everyone group x. Enable User Account Control III. Additional Recommendations – In addition to the specific configurations mentioned above, we would recommend considering the following: a. Workstations: i. Use GPO’s – to simplify implementing security policies, use Group Policy Objects, particularly for settings like password complexity. ii. Have a workstation list – include assigned user, service tag, etc. iii. Force encryption – particularly for mobile devices (i.e. tablets/laptops), this is a must. iv. Configure BIOS – set to boot from local hard drive only and set a BIOS password. v. Disable USB ports on any systems that will access sensitive data. vi. Install and utilize performance tools: 1. Stand-alone optimization tool (CCleaner, Registry Editor, etc.) a. Registry cleaning b. Malware scanning c. Cleans up temp files 2. Disc Defragmentation a. Consolidates fragmented files improving overall performance and system function b. Servers: i. Use Static IP addresses – this makes terminal/remote services, web/application servers, etc. much easier to access and manage ii. Create a detailed server list – this should include server name, IP, purpose, service tag, OS and responsible party.
iii. Centralize security – before being fully deployed, verify that servers have been appropriately patched and have been added to centralized anti-malware and vulnerability scanning consoles. iv. UPS and power-saving – critical servers should have power back-ups to ensure availability directly after an outage until the generator restores long-term power. v. Reset defaults – rename the default local admin accounts and reset the passwords vi. Backups/Restores – no production data should ever get onto a server without being backed up. Data restoration should be tested. IV. Summary and Potential Impact Each of these points and their potential impact should be carefully considered for implementation on some or all of Verisk Health’s workstation builds to eliminate or mitigate attacks or other security risks and keep Verisk Health in compliance with security standards. If Verisk Health were to implement all changes, it would be able to bring workstations to 86% and servers to 93% compliance with the corresponding CIS-CAT benchmarks.

Recommended

System hardening - OS and Application
System hardening - OS and ApplicationSystem hardening - OS and Application
System hardening - OS and Application
edavid2685
 
Session1-Introduce Http-HTTP Security headers
Session1-Introduce Http-HTTP Security headers Session1-Introduce Http-HTTP Security headers
Session1-Introduce Http-HTTP Security headers
zakieh alizadeh
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
Sergey Soldatov
 
CISSP - Chapter 3 - Cryptography
CISSP - Chapter 3 - CryptographyCISSP - Chapter 3 - Cryptography
CISSP - Chapter 3 - Cryptography
Karthikeyan Dhayalan
 
03 keamanan password
03 keamanan password03 keamanan password
03 keamanan password
Setia Juli Irzal Ismail
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
Teymur Kheirkhabarov
 
CISSP - Chapter 4 - Network Fundamental
CISSP - Chapter 4 - Network FundamentalCISSP - Chapter 4 - Network Fundamental
CISSP - Chapter 4 - Network Fundamental
Karthikeyan Dhayalan
 
Keamanan Informasi dan Perlindungan Data Pribadi
Keamanan Informasi dan Perlindungan Data PribadiKeamanan Informasi dan Perlindungan Data Pribadi
Keamanan Informasi dan Perlindungan Data Pribadi
Widy Widyawan
 

Recommended

System hardening - OS and Application
System hardening - OS and ApplicationSystem hardening - OS and Application
System hardening - OS and Application
edavid2685
 
Session1-Introduce Http-HTTP Security headers
Session1-Introduce Http-HTTP Security headers Session1-Introduce Http-HTTP Security headers
Session1-Introduce Http-HTTP Security headers
zakieh alizadeh
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
Sergey Soldatov
 
CISSP - Chapter 3 - Cryptography
CISSP - Chapter 3 - CryptographyCISSP - Chapter 3 - Cryptography
CISSP - Chapter 3 - Cryptography
Karthikeyan Dhayalan
 
03 keamanan password
03 keamanan password03 keamanan password
03 keamanan password
Setia Juli Irzal Ismail
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
Teymur Kheirkhabarov
 
CISSP - Chapter 4 - Network Fundamental
CISSP - Chapter 4 - Network FundamentalCISSP - Chapter 4 - Network Fundamental
CISSP - Chapter 4 - Network Fundamental
Karthikeyan Dhayalan
 
Keamanan Informasi dan Perlindungan Data Pribadi
Keamanan Informasi dan Perlindungan Data PribadiKeamanan Informasi dan Perlindungan Data Pribadi
Keamanan Informasi dan Perlindungan Data Pribadi
Widy Widyawan
 
CISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security OperationsCISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security Operations
Sam Bowne
 
Materi Pelatihan analisa malware
Materi Pelatihan analisa malwareMateri Pelatihan analisa malware
Materi Pelatihan analisa malware
Setia Juli Irzal Ismail
 
CNIT 129S: 9: Attacking Data Stores (Part 1 of 2)
CNIT 129S: 9: Attacking Data Stores (Part 1 of 2)CNIT 129S: 9: Attacking Data Stores (Part 1 of 2)
CNIT 129S: 9: Attacking Data Stores (Part 1 of 2)
Sam Bowne
 
CISSP - Security Assessment
CISSP - Security AssessmentCISSP - Security Assessment
CISSP - Security Assessment
Karthikeyan Dhayalan
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
n|u - The Open Security Community
 
Active Directory 2019 v2.pptx
Active Directory 2019 v2.pptxActive Directory 2019 v2.pptx
Active Directory 2019 v2.pptx
Pradeep Kapkoti
 
AWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDuty
AWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDutyAWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDuty
AWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDuty
Chris Farris
 
01a pengenalan keamanan jaringan upload
01a pengenalan keamanan jaringan upload01a pengenalan keamanan jaringan upload
01a pengenalan keamanan jaringan upload
Setia Juli Irzal Ismail
 
02 teknik penyerangan
02 teknik penyerangan02 teknik penyerangan
02 teknik penyerangan
Setia Juli Irzal Ismail
 
Windows Event Analysis - Correlation for Investigation
Windows Event Analysis - Correlation for InvestigationWindows Event Analysis - Correlation for Investigation
Windows Event Analysis - Correlation for Investigation
Mahendra Pratap Singh
 
Ch 6: Attacking Authentication
Ch 6: Attacking AuthenticationCh 6: Attacking Authentication
Ch 6: Attacking Authentication
Sam Bowne
 
Attacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chainAttacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chain
SecuRing
 
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Florian Roth
 
Zero Trust and Data Security
Zero Trust and Data SecurityZero Trust and Data Security
Zero Trust and Data Security
Career Communications Group
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your Network
Sqrrl
 
05 wireless
05 wireless05 wireless
05 wireless
Setia Juli Irzal Ismail
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
Sunny Neo
 
Workshop 101 - Penetration testing & Vulnerability assessment system
Workshop 101 - Penetration testing & Vulnerability assessment systemWorkshop 101 - Penetration testing & Vulnerability assessment system
Workshop 101 - Penetration testing & Vulnerability assessment system
Dan H
 
Introduction to Active Directory
Introduction to Active DirectoryIntroduction to Active Directory
Introduction to Active Directory
thoms1i
 
DMARC Overview
DMARC OverviewDMARC Overview
DMARC Overview
OWASP Delhi
 
Windows 7 Seminar - Acend Corporate Learning
Windows 7 Seminar - Acend Corporate LearningWindows 7 Seminar - Acend Corporate Learning
Windows 7 Seminar - Acend Corporate Learning
Acend Corporate Learning
 
What's New in Windows 7
What's New in Windows 7What's New in Windows 7
What's New in Windows 7
Acend Corporate Learning
 

More Related Content

What's hot

CISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security OperationsCISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security Operations
Sam Bowne
 
Materi Pelatihan analisa malware
Materi Pelatihan analisa malwareMateri Pelatihan analisa malware
Materi Pelatihan analisa malware
Setia Juli Irzal Ismail
 
CNIT 129S: 9: Attacking Data Stores (Part 1 of 2)
CNIT 129S: 9: Attacking Data Stores (Part 1 of 2)CNIT 129S: 9: Attacking Data Stores (Part 1 of 2)
CNIT 129S: 9: Attacking Data Stores (Part 1 of 2)
Sam Bowne
 
CISSP - Security Assessment
CISSP - Security AssessmentCISSP - Security Assessment
CISSP - Security Assessment
Karthikeyan Dhayalan
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
n|u - The Open Security Community
 
Active Directory 2019 v2.pptx
Active Directory 2019 v2.pptxActive Directory 2019 v2.pptx
Active Directory 2019 v2.pptx
Pradeep Kapkoti
 
AWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDuty
AWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDutyAWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDuty
AWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDuty
Chris Farris
 
01a pengenalan keamanan jaringan upload
01a pengenalan keamanan jaringan upload01a pengenalan keamanan jaringan upload
01a pengenalan keamanan jaringan upload
Setia Juli Irzal Ismail
 
02 teknik penyerangan
02 teknik penyerangan02 teknik penyerangan
02 teknik penyerangan
Setia Juli Irzal Ismail
 
Windows Event Analysis - Correlation for Investigation
Windows Event Analysis - Correlation for InvestigationWindows Event Analysis - Correlation for Investigation
Windows Event Analysis - Correlation for Investigation
Mahendra Pratap Singh
 
Ch 6: Attacking Authentication
Ch 6: Attacking AuthenticationCh 6: Attacking Authentication
Ch 6: Attacking Authentication
Sam Bowne
 
Attacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chainAttacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chain
SecuRing
 
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Florian Roth
 
Zero Trust and Data Security
Zero Trust and Data SecurityZero Trust and Data Security
Zero Trust and Data Security
Career Communications Group
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your Network
Sqrrl
 
05 wireless
05 wireless05 wireless
05 wireless
Setia Juli Irzal Ismail
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
Sunny Neo
 
Workshop 101 - Penetration testing & Vulnerability assessment system
Workshop 101 - Penetration testing & Vulnerability assessment systemWorkshop 101 - Penetration testing & Vulnerability assessment system
Workshop 101 - Penetration testing & Vulnerability assessment system
Dan H
 
Introduction to Active Directory
Introduction to Active DirectoryIntroduction to Active Directory
Introduction to Active Directory
thoms1i
 
DMARC Overview
DMARC OverviewDMARC Overview
DMARC Overview
OWASP Delhi
 

What's hot (20)

CISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security OperationsCISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security Operations
 
Materi Pelatihan analisa malware
Materi Pelatihan analisa malwareMateri Pelatihan analisa malware
Materi Pelatihan analisa malware
 
CNIT 129S: 9: Attacking Data Stores (Part 1 of 2)
CNIT 129S: 9: Attacking Data Stores (Part 1 of 2)CNIT 129S: 9: Attacking Data Stores (Part 1 of 2)
CNIT 129S: 9: Attacking Data Stores (Part 1 of 2)
 
CISSP - Security Assessment
CISSP - Security AssessmentCISSP - Security Assessment
CISSP - Security Assessment
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Active Directory 2019 v2.pptx
Active Directory 2019 v2.pptxActive Directory 2019 v2.pptx
Active Directory 2019 v2.pptx
 
AWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDuty
AWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDutyAWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDuty
AWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDuty
 
01a pengenalan keamanan jaringan upload
01a pengenalan keamanan jaringan upload01a pengenalan keamanan jaringan upload
01a pengenalan keamanan jaringan upload
 
02 teknik penyerangan
02 teknik penyerangan02 teknik penyerangan
02 teknik penyerangan
 
Windows Event Analysis - Correlation for Investigation
Windows Event Analysis - Correlation for InvestigationWindows Event Analysis - Correlation for Investigation
Windows Event Analysis - Correlation for Investigation
 
Ch 6: Attacking Authentication
Ch 6: Attacking AuthenticationCh 6: Attacking Authentication
Ch 6: Attacking Authentication
 
Attacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chainAttacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chain
 
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
 
Zero Trust and Data Security
Zero Trust and Data SecurityZero Trust and Data Security
Zero Trust and Data Security
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your Network
 
05 wireless
05 wireless05 wireless
05 wireless
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
Workshop 101 - Penetration testing & Vulnerability assessment system
Workshop 101 - Penetration testing & Vulnerability assessment systemWorkshop 101 - Penetration testing & Vulnerability assessment system
Workshop 101 - Penetration testing & Vulnerability assessment system
 
Introduction to Active Directory
Introduction to Active DirectoryIntroduction to Active Directory
Introduction to Active Directory
 
DMARC Overview
DMARC OverviewDMARC Overview
DMARC Overview
 

Similar to System Hardening Recommendations_FINAL

Windows 7 Seminar - Acend Corporate Learning
Windows 7 Seminar - Acend Corporate LearningWindows 7 Seminar - Acend Corporate Learning
Windows 7 Seminar - Acend Corporate Learning
Acend Corporate Learning
 
What's New in Windows 7
What's New in Windows 7What's New in Windows 7
What's New in Windows 7
Acend Corporate Learning
 
UNIT 6-EXPLAINING THE ROLE OF THE NETWORK ADMINISTRATOR AND SUPPORT.pptx
UNIT 6-EXPLAINING THE ROLE OF THE NETWORK ADMINISTRATOR AND SUPPORT.pptxUNIT 6-EXPLAINING THE ROLE OF THE NETWORK ADMINISTRATOR AND SUPPORT.pptx
UNIT 6-EXPLAINING THE ROLE OF THE NETWORK ADMINISTRATOR AND SUPPORT.pptx
LeahRachael
 
Prévention et détection des mouvements latéraux
Prévention et détection des mouvements latérauxPrévention et détection des mouvements latéraux
Prévention et détection des mouvements latéraux
ColloqueRISQ
 
0828 Windows Server 2008 新安全功能探討
0828 Windows Server 2008 新安全功能探討0828 Windows Server 2008 新安全功能探討
0828 Windows Server 2008 新安全功能探討
Timothy Chen
 
Sanctuary Device Control
Sanctuary Device ControlSanctuary Device Control
Sanctuary Device Control
HassaanSahloul
 
Securing Windows web servers
Securing Windows web serversSecuring Windows web servers
Securing Windows web servers
Information Technology
 
James Jara Portfolio 2014 - InfoSec White Paper- Part 5
James Jara Portfolio 2014 - InfoSec White Paper- Part 5James Jara Portfolio 2014 - InfoSec White Paper- Part 5
James Jara Portfolio 2014 - InfoSec White Paper- Part 5
James Jara
 
Windows 2008 R2 Security
Windows 2008 R2 SecurityWindows 2008 R2 Security
Windows 2008 R2 Security
Amit Gatenyo
 
Microsoft Windows 7 Enhanced Security And Control
Microsoft Windows 7 Enhanced Security And ControlMicrosoft Windows 7 Enhanced Security And Control
Microsoft Windows 7 Enhanced Security And Control
Microsoft TechNet
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management Program
BeyondTrust
 
Chapter 2 overview
Chapter 2 overviewChapter 2 overview
Chapter 2 overview
ali raza
 
Copy of learn_the_art_of_firewall_security(1)
Copy of learn_the_art_of_firewall_security(1)Copy of learn_the_art_of_firewall_security(1)
Copy of learn_the_art_of_firewall_security(1)
ManageEngine, Zoho Corporation
 
New Features Lotus Domino Administration 8.5
New Features Lotus Domino Administration 8.5New Features Lotus Domino Administration 8.5
New Features Lotus Domino Administration 8.5
Rolf Kremer
 
Introduccion a la seguridad Windows 7
Introduccion a la seguridad Windows 7Introduccion a la seguridad Windows 7
Introduccion a la seguridad Windows 7
EAE
 
A Critical Analysis of Microsoft Data Protection Solutions
A Critical Analysis of Microsoft Data Protection SolutionsA Critical Analysis of Microsoft Data Protection Solutions
A Critical Analysis of Microsoft Data Protection Solutions
John Rhoton
 
Security features In MySQL 8.0
Security features In MySQL 8.0Security features In MySQL 8.0
Security features In MySQL 8.0
Mydbops
 
SkypeShield - Securing Skype for Business
SkypeShield - Securing Skype for BusinessSkypeShield - Securing Skype for Business
SkypeShield - Securing Skype for Business
Yoav Crombie
 
Windows Server 2008 Active Directory
Windows Server 2008 Active DirectoryWindows Server 2008 Active Directory
Windows Server 2008 Active Directory
anilinvns
 
Chromium OS - User Accounts and Management
Chromium OS - User Accounts and ManagementChromium OS - User Accounts and Management
Chromium OS - User Accounts and Management
Picker Weng
 

Similar to System Hardening Recommendations_FINAL (20)

Windows 7 Seminar - Acend Corporate Learning
Windows 7 Seminar - Acend Corporate LearningWindows 7 Seminar - Acend Corporate Learning
Windows 7 Seminar - Acend Corporate Learning
 
What's New in Windows 7
What's New in Windows 7What's New in Windows 7
What's New in Windows 7
 
UNIT 6-EXPLAINING THE ROLE OF THE NETWORK ADMINISTRATOR AND SUPPORT.pptx
UNIT 6-EXPLAINING THE ROLE OF THE NETWORK ADMINISTRATOR AND SUPPORT.pptxUNIT 6-EXPLAINING THE ROLE OF THE NETWORK ADMINISTRATOR AND SUPPORT.pptx
UNIT 6-EXPLAINING THE ROLE OF THE NETWORK ADMINISTRATOR AND SUPPORT.pptx
 
Prévention et détection des mouvements latéraux
Prévention et détection des mouvements latérauxPrévention et détection des mouvements latéraux
Prévention et détection des mouvements latéraux
 
0828 Windows Server 2008 新安全功能探討
0828 Windows Server 2008 新安全功能探討0828 Windows Server 2008 新安全功能探討
0828 Windows Server 2008 新安全功能探討
 
Sanctuary Device Control
Sanctuary Device ControlSanctuary Device Control
Sanctuary Device Control
 
Securing Windows web servers
Securing Windows web serversSecuring Windows web servers
Securing Windows web servers
 
James Jara Portfolio 2014 - InfoSec White Paper- Part 5
James Jara Portfolio 2014 - InfoSec White Paper- Part 5James Jara Portfolio 2014 - InfoSec White Paper- Part 5
James Jara Portfolio 2014 - InfoSec White Paper- Part 5
 
Windows 2008 R2 Security
Windows 2008 R2 SecurityWindows 2008 R2 Security
Windows 2008 R2 Security
 
Microsoft Windows 7 Enhanced Security And Control
Microsoft Windows 7 Enhanced Security And ControlMicrosoft Windows 7 Enhanced Security And Control
Microsoft Windows 7 Enhanced Security And Control
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management Program
 
Chapter 2 overview
Chapter 2 overviewChapter 2 overview
Chapter 2 overview
 
Copy of learn_the_art_of_firewall_security(1)
Copy of learn_the_art_of_firewall_security(1)Copy of learn_the_art_of_firewall_security(1)
Copy of learn_the_art_of_firewall_security(1)
 
New Features Lotus Domino Administration 8.5
New Features Lotus Domino Administration 8.5New Features Lotus Domino Administration 8.5
New Features Lotus Domino Administration 8.5
 
Introduccion a la seguridad Windows 7
Introduccion a la seguridad Windows 7Introduccion a la seguridad Windows 7
Introduccion a la seguridad Windows 7
 
A Critical Analysis of Microsoft Data Protection Solutions
A Critical Analysis of Microsoft Data Protection SolutionsA Critical Analysis of Microsoft Data Protection Solutions
A Critical Analysis of Microsoft Data Protection Solutions
 
Security features In MySQL 8.0
Security features In MySQL 8.0Security features In MySQL 8.0
Security features In MySQL 8.0
 
SkypeShield - Securing Skype for Business
SkypeShield - Securing Skype for BusinessSkypeShield - Securing Skype for Business
SkypeShield - Securing Skype for Business
 
Windows Server 2008 Active Directory
Windows Server 2008 Active DirectoryWindows Server 2008 Active Directory
Windows Server 2008 Active Directory
 
Chromium OS - User Accounts and Management
Chromium OS - User Accounts and ManagementChromium OS - User Accounts and Management
Chromium OS - User Accounts and Management
 

System Hardening Recommendations_FINAL

  • 1. System Hardening Recommendations For Verisk Health Jordan Davis | McKell Gomm | Martin Evans
  • 2. Table of Contents I. Windows 7 Workstation Hardening Recommendations a. Account Policies b. Local Policies c. Windows Firewall d. Network List Manager Policies e. Public Key Policies f. Software Restriction Policies g. Application Control Policies h. Advanced Audit Policy Configuration II. Windows Server 2012 Hardening Recommendations a. Additional Server Settings b. Group Policy Object (GPO) Recommendations III. Additional Hardening Recommendations IV. Summary and Potential Impact
  • 3. I. Windows 7 Workstation Recommendations – While many of these changes are minor, some recommendations are more impactful. Although some specifics are given, some areas include brief explanations and each setting should be carefully considered before implementing. a. Account Policies i. Password Policy Policy Security Settings (Recommended) Enforce password history 24 passwords remembered Maximum password age ≤ 60 (days) Minimum password age ≥ 1 days Minimum password length 8 characters Passwords must meet complexity requirements Enabled Store passwords using reversible encryption Disabled ii. Account Lockout Policy Policy Security Settings (Recommended) Account lockout duration 1440 minutes Account lockout threshold <10 Invalid login attempts Reset account lockout counter after 1440 minutes b. Local Policies i. Audit Policy Setting Recommendation Audit account logon events Success, Failure Audit account management Success, Failure Audit directory service access Failure Audit logon events Success, Failure Audit object access Failure Audit policy change Success, Failure Audit privilege use Success, Failure
  • 4. Audit process tracking Failure Audit system events Success, Failure ii. User Rights Assignment – These rights should be assigned by GPO to include users or administrators as applicable. iii. Security Options 1. Accounts Setting Recommendations Accounts: Administrator account status Disabled Accounts: Guest account status Disabled Accounts: Limit local account use of blank passwords to console logon only Enabled Accounts: Rename administrator account Recommended Accounts: Rename guest account Recommended 2. Audit Setting Recommendation Audit: Audit the access of global system objects Disabled Audit: Audit the use of Backup and Restore privilege Disabled Audit: Force audit policy subcategory settings Not Defined Audit: Shut down system immediately if unable to log security audits Disabled 3. Devices Setting Recommendation Devices: Allow undock without having to log on Enabled Devices: Allowed to format and eject removable media Administrator, Interactive Users Devices: Prevent users from installing printer drivers Enabled (*Disabled for laptops/mobile devices) Devices: Restrict CD-ROM access to locally logged on user only Not Defined Devices: Restrict floppy access to locally logged on user only Not Defined
  • 5. 4. Domain Member Setting Recommendation Domain member: Digitally encrypt or sign secure channel data (always) Enabled Domain member: Digitally encrypt secure channel data (when possible) Enabled Domain member: Digitally sign secure channel data (when possible) Enabled Domain member: Disable machine account password changes Disabled Domain member: Maximum machine account password age 30 days Domain member: Require strong (Windows 2000 or later) session key Enabled 5. Interactive Logon Setting Recommendation Interactive Logon: Do not display last user name Disabled Interactive Logon: Display user information when the session is locked Display Name Only Interactive Logon: Do not require CTRL+ALT+DEL Disabled Interactive Logon: Message text for users attempting to log on Undefined Interactive Logon: Message title for users attempting to log on Legal Notice Interactive Logon: Number of previous logons to cache (in case domain controller is not available) 10 or less
  • 6. Interactive Logon: Prompt user to change password before expiration 5 or less days Interactive Logon: Require Domain Controller authentication to unlock workstation Enabled (*Disabled for laptops/mobile devices) Interactive Logon: Smart card removal behavior Lock Workstation 6. Microsoft Network Client Setting Recommendation Microsoft network client: Digitally sign communications (always) Disabled Microsoft network client: Digitally sign communications (if server agrees) Disabled Microsoft network client: Send unencrypted password to third-party SMB servers Disabled 7. Network Access Setting Recommendation Network access: Allow anonymous SID/Name translation Disabled Network access: Do not allow anonymous enumeration of SAM accounts Enabled Network access: Do not allow anonymous enumeration of SAM accounts and shares Enabled Network access: Do not allow storage of credentials or .NET Passports for network authentication Enabled Network access: Let Everyone permissions apply to anonymous users Disabled Network access: Named Pipes that can be accessed anonymously Not Defined Network access: Remotely accessible registry paths Not Defined
  • 7. Network access: Restrict anonymous access to named Pipes and Shares Enabled Network access: Shares that can be accessed anonymously Not Defined Network access: Sharing and security model for local accounts Classic – local users authenticate as themselves 8. Network Security Setting Recommendation Network security: Allow PKU2U authentication requests to this computer to use online identities Disabled Network security: Configure encryption types allowed for Kerberos AES128 or 256 future encryption types Network security: Do not store LAN Manager hash value on next password change Enabled Network security: LAN Manager authentication level Send NTLMv2 responses onlyrefuse LM Network security: LDAP client signing requirements Negotiate signing Network security: Minimum session security for NTLM SSP based (including secure RPC) clients Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128 bit encryption Network security: Minimum session security for NTLM SSP based (including secure RPC) servers Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128 bit encryption
  • 8. 9. Recovery Console Setting Recommendation Recovery console: Allow automatic administrative logon Disabled Recovery console: Allow floppy copy and access to all drives and all folders Disabled 10. Shutdown Setting Recommendation Shutdown: Allow system to be shut down without having to log on Enabled Shutdown: Clear virtual memory pagefile Disabled 11. System Cryptography, System Objects, and User Account Control Setting Recommendation System cryptography: Force strong key protection for user keys stored on the computer User must enter a password each time they use a key System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Enabled System objects: Require case insensitivity for non-Windows subsystems Enabled System objects: Strengthen default permissions of internal system objects Enabled c. Windows Firewall i. Windows Firewall – Local GPO Profile: Setting Recommendation Domain Profile Firewall State: ON Inbound Connections: BLOCK Outbound Connections: ALLOW Private Profile: Firewall State: ON Inbound Connections: BLOCK Outbound Connections: ALLOW
  • 9. Public Profile: Firewall State: ON Inbound Connections: BLOCK Outbound Connections: ALLOW IPsec Settings: IPsec Defaults: CUSTOMIZE Key Exchange (Main Mode): DEFAULT Data Protection (Quick Mode): DEFAULT Authentication Mode: Computer and User (Kerberos V5) IPsec Exemption: Exempt ICMP IPsec: NO IPsec Tunnel Authorization: NONE d. Network List Manager Policies Network Name: Setting Recommendation Network Properties Network Name: Identifies a network Name: N/A User Permissions: User Cannot Change Name Network Icon: Provides a graphic or logo that represents the company or network Icon: ICON User Permissions: User Cannot Change Icon Network Location: Identifies the type of network that a computer is connected to and automatically sets the appropriate firewall setting for that location. Location Type: Private/Public User Permissions: User Cannot Change Location Unidentified Networks: Networks that cannot be identified due to a network issue or lack of identifiable characteristics Network Location: Identifies the type of network that a computer is connected to and automatically sets the appropriate firewall setting for that location. Location Type: Private/Public User Permissions: User Cannot Change Location
  • 10. Identifiable Networks: Temporary state of networks that are in the process of being identified. Network Location: Identifies the type of network that a computer is connected to and automatically sets the firewall settings for that location. Location Type: Private/Public All Networks: All networks the user connects to. User Permissions: These permissions control if users can change the network name, location, or icon. Network Name: User Cannot Change Name Network Location: User Cannot Change Location Network Icon: User Cannot Change Icon e. Public Key Policies i. Encrypting File System: Specific files/folders should be encrypted if necessary to protect sensitive data (i.e. PHI, IP). We recommend this setting be configured if sensitive/encrypted data will be saved in specific directories/folders on the machine. A Data Recovery Agent should be set – preferably to a local admin account. ii. BitLocker Drive Encryption: As Verisk Health deals with sensitive data on a daily basis (i.e. PHI/PII), we recommend that some form of whole-disk encryption be used. In order to use BitLocker, a Data Recovery Agent must be set – preferably to a local admin account. f. Software Restriction Policies: If it is needed and feasible, strict controls can be put in place to restrict the execution of specific file types. Since this is an advanced set of policies, it may be avoided as long as mitigating controls are in place. These would include restricting downloading and executing software to local administrators only.
  • 11. g. Application Control Policies i. AppLocker: AppLocker helps administrators control how users can access and use files, such as executable files, packaged apps, scripts, Windows Installer files, and DLLs. RECOMMENDATION: Define rules based on file attributes derived from the digital signature, including the publisher, product name, file name, and file version. Assign a rule to a security group or an individual user. Create exceptions to rules. Use audit-only mode to deploy the policy and understand its impact before enforcing it. Import and export rules. Simplify creating and managing AppLocker rules by using AppLocker PowerShell cmdlets. ii. IP Security Policies: These required advanced configuration but should be used in cases where a system needs to communicate securely with either another computer or group of computers (subnet). h. Advanced Audit Policy i. System Audit Policies – Local GPO System Audit Policy: Setting Recommendation Account Logon Audit Credential Validation: allows you to audit events generated by validation tests on user account logon credentials. Success, Failure Audit Kerberos Authentication Services: allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests. Failure Audit Kerberos Service Ticket Operations: allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests submitted for user accounts. Failure
  • 12. Account Logon (continued): Audit Other Account Logon Events: allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets. Failure Account Management Audit Application Group Management: allows you to audit events generated by changes to application groups such as the following: Application group created, changed, or deleted. Member is added or removed from an application group Success, Failure Audit Computer Account Management: allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted. Success, Failure Audit Distribution Group Management: allows you to audit events generated by changes to distribution groups. Failure Audit Other Account Management Events: allows you to audit events generates by other user account changes that are not covered in this category. The password hash of a user account was accessed. The Password Policy Checking API was called. Changes to the Default Domain Group Policy were made. Success, Failure Audit Security Group Management: allows you to audit events generated by changes to security groups such as the following: Security group is created, changed, or deleted. Member is added or removed from a security group. Group type is changed Success, Failure Audit user Account Management: allows you to audit changes to user accounts. Events. Success, Failure
  • 13. Detailed Tracking Audit DPAPI Activity: allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. Success, Failure Audit Process Creation: allows you to audit events generated when a process is created or starts. The name of the application or user that created the process is also audited. Failure Audit Process Termination: allows you to audit events generated when a process ends. Failure Audit RPC Events: allows you to audit inbound remote procedure call (RPC) connections. Success, Failure DS Access Audit Detailed Directory Service Replication: allows you to audit events generated by detailed Active Directory Domain Services (AD DS) replication between domain controllers. Workstation: No Auditing Server: Failure Audit Directory Service Access: allows you to audit events generated when an Active Directory Domain Services (AD DS) object is accessed. Workstation: No Auditing Server: Failure Audit Directory Service Changes: allows you to audit events generated by changes to objects in Active Directory Domain Services (AD DS). Events are logged when an object is created, deleted, modified, moved, or undeleted. Workstation: No Auditing Server: Success, Failure Audit Directory Service Replication: allows you to audit replication between two Active Directory Domain Services (AD DS) domain controllers. Workstation: No Auditing Server: Failure Logon/Logoff Audit Account Lockout: allows you to audit events generated by a failed attempt to log on to an account that is locked out. Success.
  • 14. Logon/Logoff (continued): Audit User / Device Claims: allows you to audit user and device claims information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. Workstation: Failure Server: Failure Audit IPsec Extended Mode: allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. No Auditing Audit IPsec Main Mode: allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. No Auditing Audit IPsec Quick Mode: allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. No Auditing Audit Logoff: allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged on to. Success. Audit Logon: allows you to audit events generated by user account logon attempts on the computer. Workstation: Success Server: Success, Failure
  • 15. Logon/Logoff (continued): Audit Network Policy Server: allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock. Success, Failure Audit Other Logon/Logoff Events: allows you to audit other logon/logoff- related events that are not covered in the “Logon/Logoff” policy setting such as the following: Terminal Services session disconnections. New Terminal Services sessions. Locking and unlocking a workstation. Invoking a screen saver. Dismissal of a screen saver. Success, Failure Audit Special Logon: allows you to audit events generated by special logons such as the following: The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. Success, Failure Object Access Audit Application Generated: allows you to audit applications that generate events using the Windows Auditing application programming interfaces (APIs). Applications designed to use the Windows Auditing API use this subcategory to log auditing events related to their function. No Auditing Audit Certification Services: allows you to audit Active Directory Certificate Services (AD CS) operations. No Auditing Audit Detailed File Share: allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the Success, Failure
  • 16. permissions or other criteria used to grant or deny access. Object Access (continued): Audit File Share: allows you to audit attempts to access a shared folder. If you configure this policy setting, an audit event is generated when an attempt is made to access a shared folder. If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, or both successes and failures. Success, Failure Audit File System: allows you to audit user attempts to access file system objects. A security audit event is generated only for objects that have system access control lists (SACL) specified, and only if the type of access requested, such as Write, Read, or Modify and the account making the request match the settings in the SACL. Success, Failure Audit Filtering Platform Connection: allows you to audit connections that are allowed or blocked by the Windows Filtering Platform (WFP). Success, Failure Audit Filtering Platform Packet Drop: allows you to audit packets that are dropped by Windows Filtering Platform (WFP). Failure Audit Handle Manipulation: allows you to audit events generated when a handle to an object is opened or closed. Only objects with a matching system access control list (SACL) generate security audit events. Success, Failure Audit Kernel Object: allows you to audit attempts to access the kernel, which include mutexes and semaphores. Only kernel objects with a matching system access control list (SACL) generate security audit events. Failure Audit Other Object Access Event: allows you to audit events generated by the management of task scheduler jobs or COM+ objects. Failure
  • 17. Object Access (continued): Audit Registry: allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists (SACLs) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL. Success, Failure Audit Removable Storage: allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. Success, Failure Audit SAM: allows you to audit events generated by attempts to access to Security Accounts Manager (SAM) objects. Success, Failure Policy Change Audit Audit Policy Change: allows you to audit changes in the security audit policy settings. Success Audit Authentication Policy Change: allows you to audit events generated by changes to the authentication policy. Success Audit Authorization Policy Change: allows you to audit events generated by changes to the authorization policy. No Auditing Audit Filtering Platform Policy Change: allows you to audit events generated by changes to the Windows Filtering Platform (WFP). Success Audit MPSSVC Rule-Level Policy Change: allows you to audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall. No Auditing Audit Other Policy Change Events: allows you to audit events generated by other security policy changes that are not audited in the policy change category. Success
  • 18. Privilege Use Audit Non Sensitive Privilege Use: allows you to audit events generated by the use of non-sensitive privileges (user rights). No Auditing Audit Other Privilege Use Events: No Auditing Audit Sensitive Privilege Use: allows you to audit events generated when sensitive privileges (user rights) are used. Success, Failure System Audit IPsec Driver: allows you to audit events generated by the IPsec filter driver. Success Audit Other System Events: allows you to audit any of the following events: Startup and shutdown of the Windows Firewall service and driver. Security policy processing by the Windows Firewall Service. Cryptography key file and migration operations. Success, Failure Audit Security State Change: allows you to audit events generated by changes in the security state of the computer such as the following events: Startup and shutdown of the computer. Change of system time. Recovering the system from CrashOnAuditFail, which is logged after a system restarts when the security event log is full and the CrashOnAuditFail registry entry is configured. Success Audit Security System Change: allows you to audit events related to security system extensions or services. Workstation: No Auditing. Server: Success, Failure Audit System Integrity: allows you to audit events that violate the integrity of the security subsystem Success, Failure
  • 19. * For more details on how these policies may effect end users visit: http://technet.microsoft.com/en-us/library/cc875814.aspx Global Object Access Auditing File System: allows you to apply a comprehensive object access audit policy to every file and folder on the file system for a computer. Configuring this setting also allows you to demonstrate that every file and folder on the computer is monitored by an audit policy that is managed from a central location. This setting applies a global system access control list (SACL) to every file and folder. If either a file or folder SACL and a global SACL are configured on a computer, the effective SACL is derived by combining the file or folder SACL and the global SACL. This means that an audit event is generated when an activity matches either the file or folder SACL or the global SACL. Depends on the effective SACL and the level of user activity Registry: allows you to apply a global object access audit policy to the registry for an entire computer. This policy setting allows you to demonstrate that every registry object on the computer is protected by an audit policy that is managed from a central location. This setting applies a global system access control list (SACL) to every registry object. If both a registry SACL and a global SACL are configured on a computer, the effective SACL is derived by combining the registry SACL and the global SACL. This means that an audit event is generated when an activity matches either the registry key SACL or the global SACL. Depends on the effective SACL and the level of user activity.
  • 20. II. Windows Server 2012 Hardening Recommendations a. Additional Server Settings – In addition to the standard system build guidelines above, servers should use the following: i. Firewall configuration – host-based software firewalls such as Windows Firewall will have to be configured based on the purpose of the server. There should be standard rules/Access Control Listings (ACL’s) for each type of server (i.e. database, web server) ii. Services – depending on the purpose/use of the server, specific services should be disabled. This will provide defense-in-depth and lessen the computing load. iii. Add/Remove Role s & Features – only enable the relevant features: b. Group Policy Object (GPO) Recommendations i. Rename the Local Administrator Account ii. Disable the Guest Account iii. Disable LM and NTLM v1 iv. Disable LM hash storage
  • 21. v. Set minimum password length vi. Set maximum password age vii. Enable event logs viii. Disable anonymous SID enumeration ix. Disallow the anonymous account from residing in the everyone group x. Enable User Account Control III. Additional Recommendations – In addition to the specific configurations mentioned above, we would recommend considering the following: a. Workstations: i. Use GPO’s – to simplify implementing security policies, use Group Policy Objects, particularly for settings like password complexity. ii. Have a workstation list – include assigned user, service tag, etc. iii. Force encryption – particularly for mobile devices (i.e. tablets/laptops), this is a must. iv. Configure BIOS – set to boot from local hard drive only and set a BIOS password. v. Disable USB ports on any systems that will access sensitive data. vi. Install and utilize performance tools: 1. Stand-alone optimization tool (CCleaner, Registry Editor, etc.) a. Registry cleaning b. Malware scanning c. Cleans up temp files 2. Disc Defragmentation a. Consolidates fragmented files improving overall performance and system function b. Servers: i. Use Static IP addresses – this makes terminal/remote services, web/application servers, etc. much easier to access and manage ii. Create a detailed server list – this should include server name, IP, purpose, service tag, OS and responsible party.
  • 22. iii. Centralize security – before being fully deployed, verify that servers have been appropriately patched and have been added to centralized anti-malware and vulnerability scanning consoles. iv. UPS and power-saving – critical servers should have power back-ups to ensure availability directly after an outage until the generator restores long-term power. v. Reset defaults – rename the default local admin accounts and reset the passwords vi. Backups/Restores – no production data should ever get onto a server without being backed up. Data restoration should be tested. IV. Summary and Potential Impact Each of these points and their potential impact should be carefully considered for implementation on some or all of Verisk Health’s workstation builds to eliminate or mitigate attacks or other security risks and keep Verisk Health in compliance with security standards. If Verisk Health were to implement all changes, it would be able to bring workstations to 86% and servers to 93% compliance with the corresponding CIS-CAT benchmarks.