Hardening Windows Operating System

Configuring Windows

Configuring Windows properly (Windows 7, 8, 10 and Server Editions) involves many facets. First, disable unnecessary services, configure the registry correctly, enable firewall, configure the browser correctly, and many more. 

Accounts, Users, Groups and Passwords

Windows system comes with many default user accounts and groups. Attackers when launching initial attacks rely on this as starting point i.e. crack passwords for those accounts and gain easy access to a server/network. To improve security posture, simply rename or disable (if not required) these default accounts.

Administrator Accounts

• The default administrator account has administrative privileges. Administrators should disable this account.
• Administrative privilege account is needed to maintain server. So, add a new account and give that account administrative privileges.
• Do not create an account with self explanatory admin names. The whole point of creating a new admin account is that a hacker should not be able to identify which username has administrative privileges.

Other Default Accounts

Identify default accounts and change/alter such accounts.

• IUSR_{{Machine name}}: A default user account created for IIS i.e. IUSR_ and machine name.
• ASP.NET: Machine running ASP.NET has a default account created for web application.
• Database accounts: Many relational database management systems, such as SQL Server, create default user accounts.

When a new account is created, always follow the principal of least privilege. Assign only privileges needed to perform the job

Setting Security Policies

Setting appropriate security policies is the next step in hardening.

Password Security Policies

First, setting secure password policies. The default settings are not secure (see the table below).

Policy	Recommendation
Enforce password history	1 password remembered
Maximum password age	42 days
Minimum password age	0 days
Minimum password length	0 characters
Passwords must meet complexity requirements	Disabled
Store password using reversible encryption for all users in the domain	Disabled

The table below shows the recommendations of Microsoft and the National Security Agency.

Policy	Microsoft	NSA
Enforce password history	3 passwords	5 passwords
Maximum password age	42 days	42 days
Minimum password age	2 days	2 days
Minimum password length	8 characters	12 characters
Passwords must meet complexity requirements	No recommendation	Yes
Store password using reversible encryption for all users in the domain	No recommendation	No recommendation

An appropriate password policy depends greatly on your requirements. If you are protecting high value assets, you must target towards greater security.

Account Lockout Policies

These policies determine number of failed login attempts, and duration of account lockout. The default Windows settings are

Policy	Default Settings
Account lockout duration	Not defined
Account lockout threshold	0 invalid logon attempts
Reset account lockout counter after	Not defined

These default policies are not secure. The recommendations from Microsoft and National Security Agency

Policy	Microsoft	NSA
Account lockout duration	0, indefinite	15 hours
Account lockout threshold	5 attempts	3 attempts
Reset account after	15 minutes	30 minutes

Registry Settings

The Windows Registry is a database used to store settings and options for Microsoft Windows operating systems. This database contains critical information and settings for all the hardware, software, users, and preferences on a particular computer. Whenever users are added, software is installed or any other change is made to the system (including security policies), that information is stored in the registry.

Registry Basics

Since XP, the physical files that make up the registry are stored in %SystemRoot%\System32\Config. Since Windows 8, the file has been named ntuser.dat. Anyway, registry cannot be directly edited. A tool regedit.ext (regedit32) must be used for editing purpose.

A system might have additions, but five are the primary folders containing information necessary for your system to run. These are the core registry folders

• HKEY_CLASSES_ROOT: This branch contains all of your file association types, OLE information, and shortcut data.
• HKEY_CURRENT_USER: This branch links to the section of HKEY_USERS appropriate for the user currently logged on to the PC.
• HKEY_LOCAL_MACHINE: This branch contains computer-specific information about the type of hardware, software, and other preferences on a given PC.
• HKEY_USERS: This branch contains individual preferences for each user of the computer.
• HKEY_CURRENT_CONFIG: This branch links to the section of HKEY_LOCAL_MACHINE appropriate for the current hardware configuration.

Restrict Null Session Access

A null session is Windows’ way of designating anonymous connections. Null sessions are a significant weakness that can be exploited through the various shares that are on the computer. This should be handled properly.

Modify null session access to shares on the computer by adding RestrictNullSessAccess, a registry value that toggles null session shares on or off to determine whether the Server service restricts access to clients logged on to the system account without username and password authentication. Setting the value to “1” restricts null session access for unauthenticated users to all server pipes and shares except those listed in the NullSessionPipes and NullSessionShares entries.

Key Path: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer

Action: Ensure that it is set to: Value = 1

Restrict Null Session Access Over Named Pipes

The null session access over named pipes registry setting should be changed. This helps to prevent unauthorized access over the network. To restrict null session access over named pipes and shared directories, edit the registry and delete the values, as shown below.

Key Path: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer

Action: Delete all values

Restrict Anonymous Access

The anonymous access registry setting allows anonymous users to list domain user names and enumerate share names. It should be shut off. The possible settings for this key are:

• 0—Allow anonymous users
• 1—Restrict anonymous users
• 2—Allow users with explicit anonymous permissions

Key Path: HKLM\SYSTEM\CurrentControlSet\Control\Lsa

Action: Set Value = 2

Remote Access to the Registry

Remote access to the registry is another potential opening for hackers. Only administrators should have remote access to the registry. In latest version of windows this is off by default but still make sure it is. If possible, disallow remote access to the registry for any person. Completely blocking remote access to the registry is certainly more secure. To restrict network access to the registry:

1.    Add the following key to the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg.

2.    Select winreg, click the Security menu, and then click Permissions.

3.    Set the Administrator’s permission to Full Control, make sure no other users or groups are listed, and then click OK.

4.    Recommended Value = 0

Services

A service (daemons in linux/unix) is a program that runs without direct intervention by the computer user. E.g. Internet Information Services, FTP Service, and many system services. If you are not using a service, disable/shut-down.

Encrypting File System

Windows has offered the Encrypting File System (EFS), which is based on public key encryption and takes advantage of the CryptoAPI architecture in Windows 2000. With this system, each file is encrypted using a randomly generated file encryption key. Make use of this.

Security Templates

To make all these steps easy, use security templates. A security template contains hundreds of possible settings that can control a single or multiple computers. Security templates can control areas such as user rights, permissions, and password policies, and they enable administrators to deploy these settings centrally by means of Group Policy Objects (GPOs).

The following is a partial list of the security templates that you will find in this folder:

• Hisecdc.inf: This template is designed to increase the security and communications with domain controllers.
• Hisecws.inf: This template is designed to increase security and communications for client computers and member servers.
• Securedc.inf: This template is designed to increase the security and communications with domain controllers, but not to the level of the High Security DC security template.
• Securews.inf: This template is designed to increase security and communications for client computers and member servers.
• Setup security.inf: This template is designed to reapply the default security settings of a freshly installed computer. It can also be used to return a system that has been misconfigured to the default configuration.