
Defense Security Service Windows Configuration Workshop

Collier Spencer, Information Systems Security Professional, San Antonio

JSAC April 18, 2006

Introduction

• Purpose

– Provide descriptions of how to implement security features within the Windows Platforms

– Cover Protection Level 1 Configurations

2 System Certification

1st Step • Lock down your BIOS* – Set the boot order so the system boots only from the appropriate (hard) drive – Protect the BIOS settings with a Supervisor password

* System Assurance 1 Requirement

* Vulnerabilities: clearing the CMOS by moving the reset jumper or removing the battery, manufacturer backdoor passwords, and similar attacks. A BIOS password raises the bar only if the case itself is protected.

3 System Certification

8-613, NISPOM. System Assurance (SysAssur) – System assurance includes those components of a system (hardware, software, firmware, and communications) that are essential to maintaining the security policy(ies) of the system, (e.g. Security Support Structure).

– SysAssur 1 Requirements. – Access to Protection Functions. • Access to hardware/software/firmware that perform systems or security functions shall be limited to authorized personnel.

• The BIOS indirectly provides security functions in its boot sequence (Controlled Sequence Initiation): if the system can be booted from the A: (floppy) drive instead of C:, the operating system's access controls are bypassed entirely. • The BIOS Date and Time affect the date and time recorded on security objects, i.e., the Audit Trails (turning the clock back from December 30 to December 29 changes what the audit trail records).

4 System Certification NTFS

To check that the system partition has been converted to NTFS, perform the following steps:

•Right-click the My Computer icon on the desktop and select “Open”.

•Right-click the C:\ drive and select “Properties”.

•On the General tab, check that the File system field states “NTFS”.

•Repeat this procedure for each drive. If a drive shows NTFS, it can be set up for security and auditing; if not, proceed to converting it to NTFS.


6 System Certification NTFS, cont

Converting the System Partition to NTFS

• In order to set up any security or perform any auditing, the system partition must be converted to NTFS. (FAT and FAT32 have no permissions or audit settings.)

• To convert the file system to NTFS:

• Select the “Start” button and then select “Run”.

• In the Open box type convert c: /fs:ntfs and press Enter.

• When executed on the system disk, the volume is in use and cannot be dismounted, so convert schedules the conversion and performs it during the next boot.
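The check and the conversion above, as an added PowerShell example (not part of the DSS workshop material). It assumes an elevated prompt and the convert.exe that ships with Windows; the function names are my own.

```powershell
# Added example, not part of the DSS workshop material: report the file system
# of every fixed disk and provide a helper to convert the ones that are not NTFS.
function Get-FixedDiskFileSystems {
    # DriveType 3 = local fixed disk (floppies, CD-ROMs and network drives are skipped)
    Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 3' |
        Select-Object @{n='Drive';      e={$_.DeviceID}},
                      @{n='FileSystem'; e={$_.FileSystem}},
                      @{n='IsNtfs';     e={$_.FileSystem -eq 'NTFS'}}
}

function Convert-DriveToNtfs {
    param([Parameter(Mandatory=$true)][string]$Drive)   # e.g. 'D:'
    # NTFS is the only target convert.exe supports; existing data is preserved.
    # On the system partition (or any volume in use) convert.exe cannot dismount
    # the volume and asks whether to schedule the conversion for the next boot.
    & "$env:SystemRoot\System32\convert.exe" $Drive /fs:ntfs
    if ($Drive -eq $env:SystemDrive) {
        Write-Warning "$Drive is the system partition: reboot to complete the conversion, then re-run Get-FixedDiskFileSystems."
    }
}

# Report first; convert only what is not already NTFS
$disks = Get-FixedDiskFileSystems
$disks | Format-Table -AutoSize
```

To convert everything that is still FAT/FAT32: `$disks | Where-Object { -not $_.IsNtfs } | ForEach-Object { Convert-DriveToNtfs $_.Drive }`. Two caveats: a volume converted by convert.exe does not necessarily receive the restrictive default permissions that a freshly formatted NTFS volume gets (on some Windows versions the result is Everyone: Full Control), so the directory-permission steps later in this deck are required rather than optional, and the Win32_LogicalDisk query only reports what is mounted, so check removable drives separately if they hold classified data.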


8 System Certification Local Security Policy

Setting up Windows Security

To get to the Local Security Policy

• Click the “Start” button

• Select “

• Select “

• Select “Administrative tools”

• Select “Local Security Policy”


10 System Certification Password Policy

To change the password policy, double click on each policy and a dialog box will appear

•Enforce password history: 8 remembered

•Maximum password age: 365 days

•Minimum password age: DSS recommends at least 1 day (so a user cannot cycle through the history in one sitting to get back to an old password)

•Password must meet complexity requirements: Enabled

•Store password using reversible encryption: Disabled


12 System Certification Account Lockout Policy

To change the account lockout policies, double click on each policy and a dialog box will appear

•Account lockout duration: 15 minutes. (If you want to lock the account and require an administrator to do the reset, set this at "0" minutes.)

•Account lockout threshold: 5 invalid logon attempts.

•Reset account lockout counter after: 15 minutes (must not exceed the lockout duration)


14 System Certification Audit Policy

To change the audit policies, double click on each policy and select Success and/or Failure as appropriate

•Audit Account Logon Events: Success, Failure

•Audit Account Management: Success, Failure.

•Audit Directory Service Access: No auditing.

•Audit Logon Events: Success, Failure.

•Audit Object Access: Failure.

•Audit Policy Change: Success, Failure.

•Audit Privilege Use: Failure.

•Audit Process Tracking: No auditing.

•Audit System Events: Success, Failure


16 System Certification Rights Assignment Policy

•Restrict the “Change the system time” right to Administrators only

•If the administrator is not performing the security audits and a custodian has been delegated that responsibility:

•Double click on “Manage auditing and security log”

•Add in the user name of the custodian. This will give the custodian rights to the audit events.


20 System Certification Security Options Policy

• Shutting down the system when security auditing stops

• The following illustration shows how to set the security option “Audit: Shut down system immediately if unable to log security audits”. When it is enabled, the system halts if security audit events can no longer be recorded (for example, because the security log is full). At that point the system is accessible only to a privileged user, who must archive the security log and clear the active log to restore normal system operation.
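The password, lockout, audit, user-rights and shutdown-on-audit-failure settings from the preceding slides, applied as one secedit template. This is an added example, not part of the DSS workshop material; it assumes an elevated prompt, and `$Custodian` is a hypothetical local account name standing in for whoever is delegated the “Manage auditing and security log” right.

```powershell
# Added example, not part of the DSS workshop material. Run from an elevated prompt.
function Set-DssLocalPolicy {
    param(
        # Hypothetical local account delegated "Manage auditing and security log";
        # leave empty to keep that right with Administrators only.
        [string]$Custodian = '',
        # Without -Apply the template is only written to $env:TEMP for review.
        [switch]$Apply
    )
    $admins = '*S-1-5-32-544'                       # BUILTIN\Administrators (well-known SID)
    $seSecurity = $admins
    if ($Custodian) { $seSecurity = "$admins,$Custodian" }

    # Audit values: 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
    # CrashOnAuditFail=1 is "Audit: Shut down system immediately if unable to log
    # security audits" (the leading 4 means REG_DWORD in secedit templates).
    $template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[System Access]
PasswordHistorySize = 8
MaximumPasswordAge = 365
MinimumPasswordAge = 1
PasswordComplexity = 1
ClearTextPassword = 0
LockoutBadCount = 5
LockoutDuration = 15
ResetLockoutCount = 15
[Event Audit]
AuditAccountLogon = 3
AuditAccountManage = 3
AuditDSAccess = 0
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPolicyChange = 3
AuditPrivilegeUse = 2
AuditProcessTracking = 0
AuditSystemEvents = 3
[Privilege Rights]
SeSystemtimePrivilege = $admins
SeSecurityPrivilege = $seSecurity
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,1
"@
    $inf = Join-Path $env:TEMP 'dss-pl1.inf'
    Set-Content -Path $inf -Value $template -Encoding Unicode   # secedit expects UTF-16
    if (-not $Apply) {
        Write-Host "Template written to $inf (review it, then re-run with -Apply)"
        return $inf
    }

    $db  = Join-Path $env:TEMP 'dss-pl1.sdb'
    $log = Join-Path $env:TEMP 'dss-pl1.log'
    if (Test-Path $db) { Remove-Item $db }             # fresh database: nothing stale is merged in
    secedit /configure /db $db /cfg $inf /areas SECURITYPOLICY USER_RIGHTS /log $log /quiet
    Get-Content $log | Select-String -Pattern 'error|warning' | ForEach-Object { Write-Warning $_ }

    # Read the effective policy back and show the settings that matter most
    $export = Join-Path $env:TEMP 'dss-pl1-export.inf'
    secedit /export /cfg $export /areas SECURITYPOLICY USER_RIGHTS /log $log
    Get-Content $export |
        Select-String -Pattern 'LockoutBadCount|MaximumPasswordAge|AuditObjectAccess|CrashOnAuditFail|SeSecurityPrivilege'
}

Set-DssLocalPolicy                                      # dry run: writes and names the template
# Set-DssLocalPolicy -Custodian 'custodian' -Apply      # apply, delegating the audit-log right
```

Two things to know before applying this. With CrashOnAuditFail set, a full security log bugchecks the machine (STOP 0xC0000244) and Windows then flips the value to 2, which allows only administrators to log on until the log is cleared and the value reset, so size the security log generously, set its retention to “Do not overwrite events”, and keep a usable administrator account available. The audit policy above also matters for every later slide that adds auditing entries to folders: those SACL entries generate events only for the outcomes enabled under Audit Object Access, which this deck sets to Failure only.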


22 System Certification User Account Checklist

•Disable Guest Account

•Create accounts only for users who have been briefed and have signed a briefing statement

•If possible try to use the same naming convention as used on the unclassified systems

•For users who need an administrator account use the same naming convention, but add zz in front of the name, for example: zzjohnsna

•Use the administrator named account only in case of an emergency

•Revalidate all user accounts at the interval prescribed in your SSP
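A check of the local accounts against the checklist above, as an added example that is not part of the DSS workshop material. The 90-day interval stands in for whatever the SSP prescribes, the “zz” prefix is the convention from the slide, and the function name is my own.

```powershell
# Added example, not part of the DSS workshop material: report local accounts that
# violate the user account checklist. Run as an administrator.
function Test-LocalAccountChecklist {
    param([int]$MaxDaysSinceLogon = 90, [string]$AdminPrefix = 'zz')
    $findings = @()

    # Names of the members of the local Administrators group (ADSI WinNT provider)
    $group = [ADSI]'WinNT://./Administrators,group'
    $adminNames = @($group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })

    foreach ($u in (Get-WmiObject -Class Win32_UserAccount -Filter 'LocalAccount = True')) {
        $name = $u.Name
        # The built-in Guest is RID 501 whatever it has been renamed to
        if ($u.SID -like '*-501' -and -not $u.Disabled) {
            $findings += "Guest account '$name' is enabled (fix: net user $name /active:no)"
        }
        # Admin-level accounts follow the zz<user> convention; the built-in
        # Administrator (RID 500) is exempt but is reserved for emergencies
        if (($adminNames -contains $name) -and ($u.SID -notlike '*-500') -and ($name -notlike "$AdminPrefix*")) {
            $findings += "Administrators member '$name' does not use the '$AdminPrefix' prefix"
        }
        # Revalidation: enabled accounts that have not logged on within the interval
        if (-not $u.Disabled) {
            $last = $null
            try { $last = ([ADSI]"WinNT://./$name,user").Properties['LastLogin'].Value } catch { }
            if ($last -eq $null) {
                $findings += "Enabled account '$name' has never logged on; confirm it is still needed"
            } elseif (((Get-Date) - [datetime]$last) -gt (New-TimeSpan -Days $MaxDaysSinceLogon)) {
                $findings += "Enabled account '$name' last logged on $last; revalidate"
            }
        }
    }
    $findings
}

Test-LocalAccountChecklist | ForEach-Object { Write-Warning $_ }
```

The revalidation check uses the last local logon recorded by the SAM, so an account that only ever authenticates over the network to this machine can show as never having logged on; reconcile those against the briefing records rather than deleting them on the strength of this report alone.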

23 System Certification Secure \Windows or \WinNT Directory

•Right click on the Windows or WINNT directory and select “Properties”, then select the “Security” tab

•Make sure that Administrators group, Administrator, Authenticated users and SYSTEM are added to the “Permissions”

•Administrators group, Administrator and SYSTEM get “Full Control”

•Authenticated users get only “Read & Execute”

•Select the “Advanced…” button and select “Auditing”

•Add in “Everyone”.


28 System Certification Secure the SAM database

The other concern is the SAM database; it holds the password hashes for the local accounts on the system.

The SAM is located in the \system32\config directory AND a backup copy is kept in the \repair directory (both under the Windows or WinNT directory).

Right click on the \system32\config directory. Select the “Security” tab.

•Add in the “Authenticated users”, “Administrators”, “Administrator” and “SYSTEM”.

•The “Authenticated users” will have "List Folder Contents" rights only. All others will have Full Control.

•Repeat this for \repair directory.


30 System Certification Secure the Registry

Limit the number of users who have access to the registry.

For example, because members of the Administrators group have full access to the registry, add only users who need such access to the Administrators group. Also, you can use Group Policy to restrict the use of Registry Editor (both Regedt32.exe and Regedit.exe) for users who do not need access to the registry, or you can simply not make Registry Editor available to those users.

Disable registry editing tools through a GPO: enable the policy under User Configuration\Administrative Templates\System (“Prevent access to registry editing tools”) and apply it to a group containing everyone but administrators. This disables the use of regedit.exe and regedt32.exe by setting the DisableRegistryTools value for those users. Remote access to the registry is controlled separately by the permissions on HKLM\System\CurrentControlSet\Control\SecurePipeServers\winreg: open that key in Regedt32, select Security\Permissions on the menu bar, and make sure that non-privileged users do not have permission to access the registry.
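A check of the two registry controls just described, as an added example that is not part of the DSS workshop material. The list of principals treated as trusted on the winreg key is my assumption (the OS default ACL also grants Read to LOCAL SERVICE and Backup Operators on some Windows versions); adjust it to the baseline you certify against.

```powershell
# Added example, not part of the DSS workshop material: verify the registry
# restrictions from the slide above. Run as an administrator.
function Test-RegistryRestrictions {
    $findings = @()

    # 1. "Prevent access to registry editing tools" writes this per-user value
    $policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $value = $null
    if (Test-Path $policyKey) { $value = (Get-ItemProperty -Path $policyKey).DisableRegistryTools }
    if ($value -ne 1) { $findings += "DisableRegistryTools is not set for $env:USERNAME (value: '$value')" }

    # 2. Remote registry access: who holds Allow ACEs on the winreg key
    $winreg  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
    $trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',          # assumption: baseline
                 'NT AUTHORITY\LOCAL SERVICE', 'BUILTIN\Backup Operators')  # OS default Read ACEs
    foreach ($ace in (Get-Acl -Path $winreg).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and ($trusted -notcontains $ace.IdentityReference.Value)) {
            $findings += "winreg grants $($ace.RegistryRights) to $($ace.IdentityReference.Value)"
        }
    }
    $findings
}

# Per-user remediation for finding 1: what the GPO does for the *current* user.
# A GPO applied to everyone but administrators is still the way to push it out.
function Set-DisableRegistryTools {
    $policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name DisableRegistryTools -PropertyType DWord -Value 1 -Force | Out-Null
}

Test-RegistryRestrictions | ForEach-Object { Write-Warning $_ }
```

DisableRegistryTools only blocks the two Registry Editor executables; reg.exe, scripts and the PowerShell registry provider still work for any user who holds the underlying key permissions. That is why the key ACLs (and the winreg ACL for remote access), not the editor restriction, are the actual control.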

31 System Certification Secure Anti-Virus Software

Users must not be able to modify or turn off the Auto-Protect shield in the anti-virus software. The C:\Program Files directory will have the same security and auditing as the Windows or WinNT directory.

•Go to the C:\Program Files directory and right click on the folder. Select the “Security” tab.

•Make sure that Administrators group, Administrator, Authenticated users and SYSTEM are added to the “Permissions”.

•Administrators group, Administrator and SYSTEM get “Full Control”.

•Authenticated users get only “Read & Execute”, List Folder contents, and Read.

•Apply the auditing as previously directed for the \Windows or \WinNT folder.
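The permission and auditing settings applied by hand above to \Windows (or \WinNT), \system32\config, \repair and C:\Program Files, as one reusable function. This is an added example, not part of the DSS workshop material; it assumes an elevated prompt (writing a SACL needs the “Manage auditing and security log” right), and because the slides say only “add Everyone” to auditing without naming the operations, auditing write-class operations is my assumption.

```powershell
# Added example, not part of the DSS workshop material: apply the deck's folder
# DACL (Administrators/SYSTEM/Administrator: Full Control; Authenticated Users:
# Read & Execute or List Folder Contents) and a SACL entry for Everyone.
function Set-DssFolderSecurity {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        # 'ReadAndExecute' for \Windows and \Program Files; 'ListFolderContents'
        # for \system32\config and \repair
        [ValidateSet('ReadAndExecute', 'ListFolderContents')][string]$UserAccess = 'ReadAndExecute',
        # Extra full-control principals (the slides add the Administrator account by name)
        [string[]]$FullControl = @('Administrator')
    )
    $both   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $noProp = [System.Security.AccessControl.PropagationFlags]::None

    $sec = New-Object System.Security.AccessControl.DirectorySecurity
    $sec.SetAccessRuleProtection($true, $false)   # stop inheriting; start from an empty DACL

    foreach ($id in (@('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') + $FullControl)) {
        $sec.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', $both, $noProp, 'Allow')))
    }
    # "List Folder Contents" is Read & Execute inherited by subfolders only (no ObjectInherit)
    $userInherit = if ($UserAccess -eq 'ListFolderContents') {
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit } else { $both }
    $sec.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\Authenticated Users', 'ReadAndExecute', $userInherit, $noProp, 'Allow')))

    # SACL for Everyone. Auditing write-class operations (assumption) keeps the log
    # usable; events fire only for outcomes enabled under Audit Object Access.
    $sec.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', 'Write, Delete, ChangePermissions, TakeOwnership', $both, $noProp, 'Success, Failure')))

    Set-Acl -Path $Path -AclObject $sec
}

# Read back both the DACL and the SACL so the result can be recorded for certification
function Get-DssFolderSecurity {
    param([Parameter(Mandatory=$true)][string]$Path)
    $acl = Get-Acl -Path $Path -Audit
    $acl.Access | ForEach-Object { 'ACCESS {0,-5} {1,-40} {2}' -f $_.AccessControlType, $_.IdentityReference, $_.FileSystemRights }
    $acl.Audit  | ForEach-Object { 'AUDIT  {0,-16} {1,-40} {2}' -f $_.AuditFlags, $_.IdentityReference, $_.FileSystemRights }
}

# Usage (try on a scratch folder first):
#   Set-DssFolderSecurity -Path "$env:SystemRoot\system32\config" -UserAccess ListFolderContents
#   Get-DssFolderSecurity -Path "$env:SystemRoot\system32\config"
```

Run it on a scratch folder before touching the system directories. The ACL in the slides reflects Windows 2000/XP; on Windows Vista and later the default ACL on %SystemRoot% and \Program Files includes the TrustedInstaller service, and replacing it wholesale as this function does will break servicing and updates, so on those versions add the Authenticated Users and auditing entries instead of resetting the DACL. If the local Administrator account has been renamed, pass its current name (or an empty array) in `-FullControl`, otherwise Set-Acl fails when it cannot resolve the name.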
