Thursday, May 14, 2020

Hardening Windows Operating System

Configuring Windows

Configuring Windows properly (Windows 7, 8, 10 and the Server editions) involves many facets: disabling unnecessary services, configuring the registry correctly, enabling the firewall, configuring the browser correctly, and more.

Accounts, Users, Groups and Passwords

A Windows system comes with many default user accounts and groups. Attackers rely on these as a starting point when launching initial attacks, i.e. they crack the passwords of those accounts and gain easy access to a server or network. To improve the security posture, simply rename or disable (if not required) these default accounts.

Administrator Accounts

  • The default Administrator account has administrative privileges. Administrators should disable this account.
  • An account with administrative privileges is still needed to maintain the server, so add a new account and give that account administrative privileges.
  • Do not give the new account a self-explanatory admin name. The whole point of creating a new admin account is that a hacker should not be able to identify which username has administrative privileges.

Other Default Accounts

Identify the default accounts and change or alter them:
  • IUSR_{{Machine name}}: A default user account created for IIS, i.e. IUSR_ followed by the machine name.
  • ASP.NET: A machine running ASP.NET has a default account created for web applications.
  • Database accounts: Many relational database management systems, such as SQL Server, create default user accounts.
When a new account is created, always follow the principle of least privilege: assign only the privileges needed to perform the job.

Setting Security Policies

Setting appropriate security policies is the next step in hardening.

Password Security Policies
Start by setting secure password policies. The default settings are not secure (see the table below).

| Policy | Default setting |
|---|---|
| Enforce password history | 1 password remembered |
| Maximum password age | 42 days |
| Minimum password age | 0 days |
| Minimum password length | 0 characters |
| Passwords must meet complexity requirements | Disabled |
| Store password using reversible encryption for all users in the domain | Disabled |

The table below shows the recommendations of Microsoft and the National Security Agency.

| Policy | Microsoft | NSA |
|---|---|---|
| Enforce password history | 3 passwords | 5 passwords |
| Maximum password age | 42 days | 42 days |
| Minimum password age | 2 days | 2 days |
| Minimum password length | 8 characters | 12 characters |
| Passwords must meet complexity requirements | No recommendation | Yes |
| Store password using reversible encryption for all users in the domain | No recommendation | No recommendation |

An appropriate password policy depends greatly on your requirements. If you are protecting high-value assets, you must aim for greater security.

Account Lockout Policies

These policies determine the number of failed login attempts allowed and the duration of the account lockout. The default Windows settings are:

| Policy | Default setting |
|---|---|
| Account lockout duration | Not defined |
| Account lockout threshold | 0 invalid logon attempts |
| Reset account lockout counter after | Not defined |

These default policies are not secure. The recommendations from Microsoft and the National Security Agency are:

| Policy | Microsoft | NSA |
|---|---|---|
| Account lockout duration | 0, indefinite | 15 hours |
| Account lockout threshold | 5 attempts | 3 attempts |
| Reset account lockout counter after | 15 minutes | 30 minutes |
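A way to check a machine against the password and lockout tables above, as an added example that is not part of the original post. It exports the local policy with secedit (which ships with Windows), parses the [System Access] section of the INF it writes, and reports each setting against the NSA column. Assumptions: an elevated PowerShell session; the INF key names (PasswordHistorySize, LockoutBadCount, and so on) are the ones secedit uses; lockout durations are stored in minutes, so 15 hours becomes 900, and -1 means "indefinite". The sample INF at the bottom is constructed to mirror the default-settings tables so the parser can be exercised offline.

```powershell
# Added example, not part of the original post. Audits the local password and
# account-lockout policy against the NSA column of the tables above.
# Assumptions: secedit.exe (ships with Windows), an elevated session, and the
# key names secedit writes under [System Access] in its INF export.

# Expected values from the NSA column. secedit stores LockoutDuration and
# ResetLockoutCount in minutes, so 15 hours = 900; -1 means "indefinite".
$Recommended = @(
    @{ Key = 'PasswordHistorySize';   Rule = { param($v) $v -ge 5 };                 Want = '>= 5 passwords' }
    @{ Key = 'MaximumPasswordAge';    Rule = { param($v) $v -ge 1 -and $v -le 42 };  Want = '1..42 days' }
    @{ Key = 'MinimumPasswordAge';    Rule = { param($v) $v -ge 2 };                 Want = '>= 2 days' }
    @{ Key = 'MinimumPasswordLength'; Rule = { param($v) $v -ge 12 };                Want = '>= 12 characters' }
    @{ Key = 'PasswordComplexity';    Rule = { param($v) $v -eq 1 };                 Want = 'enabled (1)' }
    @{ Key = 'ClearTextPassword';     Rule = { param($v) $v -eq 0 };                 Want = 'disabled (0)' }
    @{ Key = 'LockoutBadCount';       Rule = { param($v) $v -ge 1 -and $v -le 3 };   Want = '1..3 attempts' }
    @{ Key = 'LockoutDuration';       Rule = { param($v) $v -eq -1 -or $v -ge 900 }; Want = '>= 900 minutes or -1' }
    @{ Key = 'ResetLockoutCount';     Rule = { param($v) $v -ge 30 };                Want = '>= 30 minutes' }
)

function Get-SystemAccessSettings {
    # Parse the [System Access] section of a secedit INF export into a hashtable.
    param([string[]]$InfLines)
    $settings = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
            $settings[$Matches[1]] = [int]$Matches[2]
        }
    }
    return $settings
}

function Test-AccountPolicy {
    # Compare parsed settings with the recommendations; a missing key counts
    # as "not defined", which is a finding in its own right.
    param([hashtable]$Settings)
    foreach ($r in $Recommended) {
        $present = $Settings.ContainsKey($r.Key)
        $current = 'not defined'
        $pass    = $false
        if ($present) {
            $current = $Settings[$r.Key]
            $pass    = [bool](& $r.Rule $current)
        }
        [pscustomobject]@{ Setting = $r.Key; Current = $current; Expected = $r.Want; Pass = $pass }
    }
}

# Constructed sample mirroring the default-settings tables above (runs offline).
$SampleInf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 1
ClearTextPassword = 0
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
Revision=1
'@
Test-AccountPolicy (Get-SystemAccessSettings ($SampleInf -split "`r?`n")) | Format-Table -AutoSize

# Live audit of this machine: export, parse, then remove the temporary file.
$inf = Join-Path $env:TEMP 'account-policy-audit.inf'
secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
Test-AccountPolicy (Get-SystemAccessSettings (Get-Content $inf)) | Format-Table -AutoSize
Remove-Item $inf -ErrorAction SilentlyContinue
```

On the constructed sample every row except MaximumPasswordAge and ClearTextPassword fails, which is exactly the gap between the default and recommended tables; LockoutDuration and ResetLockoutCount show as "not defined" because a default export omits them.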

Registry Settings

The Windows Registry is a database used to store settings and options for Microsoft Windows operating systems. This database contains critical information and settings for all the hardware, software, users, and preferences on a particular computer. Whenever users are added, software is installed or any other change is made to the system (including security policies), that information is stored in the registry.

Registry Basics

Since XP, the physical files that make up the registry are stored in %SystemRoot%\System32\Config. Since Windows 8, the file has been named ntuser.dat. The registry cannot be edited directly; a tool, regedit.exe (regedt32), must be used for editing.

A system might have additional hives, but five primary folders contain the information necessary for your system to run. These are the core registry folders:
  • HKEY_CLASSES_ROOT: This branch contains all of your file association types, OLE information, and shortcut data.
  • HKEY_CURRENT_USER: This branch links to the section of HKEY_USERS appropriate for the user currently logged on to the PC.
  • HKEY_LOCAL_MACHINE: This branch contains computer-specific information about the type of hardware, software, and other preferences on a given PC.
  • HKEY_USERS: This branch contains individual preferences for each user of the computer.
  • HKEY_CURRENT_CONFIG: This branch links to the section of HKEY_LOCAL_MACHINE appropriate for the current hardware configuration.

Restrict Null Session Access

A null session is Windows' way of designating an anonymous connection. Null sessions are a significant weakness that can be exploited through the various shares on the computer, so they should be handled properly.

Modify null session access to shares on the computer by adding RestrictNullSessAccess, a registry value that toggles null session shares on or off, i.e. determines whether the Server service restricts access to clients logged on to the system account without username and password authentication. Setting the value to "1" restricts null session access for unauthenticated users to all server pipes and shares except those listed in the NullSessionPipes and NullSessionShares entries.

Key Path: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer
Action: Ensure that it is set to: Value = 1

Restrict Null Session Access Over Named Pipes

The null session access over named pipes registry setting should also be changed; this helps prevent unauthorized access over the network. To restrict null session access over named pipes and shared directories, edit the registry and delete the values, as shown below.

Key Path: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer
Action: Delete all values

Restrict Anonymous Access

The anonymous access registry setting allows anonymous users to list domain user names and enumerate share names. It should be shut off. The possible settings for this key are:
  • 0—Allow anonymous users
  • 1—Restrict anonymous users
  • 2—Allow users with explicit anonymous permissions
Key Path: HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Action: Set Value = 2

Remote Access to the Registry

Remote access to the registry is another potential opening for hackers. Only administrators should have remote access to the registry. In the latest versions of Windows this is off by default, but still make sure it is. If possible, disallow remote access to the registry for everyone; completely blocking remote access to the registry is certainly more secure. To restrict network access to the registry:
1.    Add the following key to the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg.
2.    Select winreg, click the Security menu, and then click Permissions.
3.    Set the Administrators group's permission to Full Control, make sure no other users or groups are listed, and then click OK.
4.    Recommended Value = 0
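The four registry hardening steps above (null session shares, null session pipes, anonymous enumeration, and the winreg ACL) can be checked in one pass; the script below is an added example and not part of the original post. Two things in it come from my own knowledge of Windows rather than from the post and are therefore assumptions to confirm on your build: the Server service reads RestrictNullSessAccess, NullSessionPipes and NullSessionShares from the Parameters subkey of LanmanServer, and the anonymous-access setting under Control\Lsa is the value named RestrictAnonymous. The script only reports by default; -Fix writes the recommended values, and clears the pipe and share exemption lists rather than deleting anything else under the key.

```powershell
# Added example, not part of the original post: audit (and, with -Fix, apply)
# the null-session and anonymous-access registry settings described above.
# Assumption (my knowledge, not the post's): the Server service keeps these
# three values under LanmanServer\Parameters, and the Lsa setting is named
# RestrictAnonymous. Run in an elevated session.

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Checks = @(
    @{ Path = $LanmanParams; Name = 'RestrictNullSessAccess'; Want = 1;   Kind = 'DWord' }
    @{ Path = $LanmanParams; Name = 'NullSessionPipes';       Want = @(); Kind = 'MultiString' }  # no exempt pipes
    @{ Path = $LanmanParams; Name = 'NullSessionShares';      Want = @(); Kind = 'MultiString' }  # no exempt shares
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RestrictAnonymous'; Want = 2; Kind = 'DWord' }
)

function Get-RegValueOrNull {
    # Read one registry value; $null when the key or the value is absent.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-NullSessionHardening {
    param([switch]$Fix)
    foreach ($c in $Checks) {
        $current = Get-RegValueOrNull -Path $c.Path -Name $c.Name
        if ($c.Kind -eq 'MultiString') {
            # Pass when the exemption list is absent or holds no non-empty entry.
            $ok = ($null -eq $current) -or (@($current | Where-Object { $_ -ne '' }).Count -eq 0)
        } else {
            $ok = ($current -eq $c.Want)
        }
        if (-not $ok -and $Fix) {
            if ($c.Kind -eq 'MultiString') {
                # Clear the list instead of deleting the key: other Server settings live beside it.
                Set-ItemProperty -Path $c.Path -Name $c.Name -Value ([string[]]@()) -Type MultiString
            } else {
                New-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Want -PropertyType DWord -Force | Out-Null
            }
            $current = Get-RegValueOrNull -Path $c.Path -Name $c.Name
            $ok = $true
        }
        [pscustomobject]@{ Value = $c.Name; Current = ($current -join ','); Pass = $ok }
    }
}

function Get-WinregAccess {
    # Who may reach the registry remotely is governed by the ACL on the winreg key;
    # the steps above want only Administrators listed, with Full Control.
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
    if (-not (Test-Path $path)) {
        return 'winreg key absent: remote registry access is not restricted by an ACL'
    }
    (Get-Acl $path).Access | Select-Object IdentityReference, RegistryRights, AccessControlType
}

Test-NullSessionHardening | Format-Table -AutoSize    # add -Fix to remediate
Get-WinregAccess | Format-Table -AutoSize
```

Run the report once before and once after remediation, and keep the "before" output: RestrictAnonymous = 2 in particular changes what domain members and older clients can enumerate, so a record of the prior state makes a rollback straightforward.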

Services

A service (a daemon in Linux/Unix) is a program that runs without direct intervention by the computer user, e.g. Internet Information Services, the FTP Service, and many system services. If you are not using a service, disable or shut it down.
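To make "disable what you do not use" repeatable and reversible, here is an added example (not from the original post) that lists the automatically started services to review, disables the ones you name after recording their previous state, and can restore them from that record. The service names in the commented usage line (the IIS FTP service and Remote Registry) are illustrations; which services are unused is a decision for your own inventory.

```powershell
# Added example, not part of the original post: disable services you do not
# use, recording their previous startup type and state first so the change
# can be reversed. Service names in the usage line are illustrative only.

function Get-EnabledServiceInventory {
    # Services configured to start automatically: the list to review.
    Get-CimInstance Win32_Service -Filter "StartMode = 'Auto'" |
        Select-Object Name, DisplayName, State, StartMode, PathName
}

function Disable-UnusedService {
    param(
        [Parameter(Mandatory)][string[]]$Name,
        [string]$RollbackCsv = (Join-Path $env:TEMP 'service-rollback.csv')
    )
    foreach ($n in $Name) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        if ($null -eq $svc) { Write-Warning "service '$n' not found"; continue }
        # Record the current startup type and state before touching the service.
        [pscustomobject]@{ Name = $n; StartType = $svc.StartType; Status = $svc.Status } |
            Export-Csv -Path $RollbackCsv -Append -NoTypeInformation
        Stop-Service -Name $n -Force -ErrorAction SilentlyContinue
        Set-Service -Name $n -StartupType Disabled
    }
}

function Restore-Service {
    # Reverse Disable-UnusedService using the rollback file it wrote.
    param([string]$RollbackCsv = (Join-Path $env:TEMP 'service-rollback.csv'))
    Import-Csv $RollbackCsv | ForEach-Object {
        Set-Service -Name $_.Name -StartupType $_.StartType
        if ($_.Status -eq 'Running') { Start-Service -Name $_.Name }
    }
}

Get-EnabledServiceInventory | Format-Table -AutoSize
# Disable-UnusedService -Name 'ftpsvc', 'RemoteRegistry'   # illustrative names; adjust to your inventory
# Restore-Service                                          # undo, using the rollback file
```

Disabling the startup type (rather than only stopping the service) is what keeps it off across reboots; the rollback file is what lets you undo it when a dependency turns out to need the service after all.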

Encrypting File System

Windows offers the Encrypting File System (EFS), which is based on public key encryption and takes advantage of the CryptoAPI architecture introduced in Windows 2000. With this system, each file is encrypted using a randomly generated file encryption key. Make use of it.

Security Templates

To make all these steps easier, use security templates. A security template contains hundreds of possible settings that can control a single computer or many computers. Security templates can control areas such as user rights, permissions, and password policies, and they enable administrators to deploy these settings centrally by means of Group Policy Objects (GPOs).
The following is a partial list of the security templates you will find in this folder:
  • Hisecdc.inf: This template is designed to increase the security and communications with domain controllers.
  • Hisecws.inf: This template is designed to increase security and communications for client computers and member servers.
  • Securedc.inf: This template is designed to increase the security and communications with domain controllers, but not to the level of the High Security DC security template.
  • Securews.inf: This template is designed to increase security and communications for client computers and member servers.
  • Setup security.inf: This template is designed to reapply the default security settings of a freshly installed computer. It can also be used to return a system that has been misconfigured to the default configuration.
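Applying one of the templates listed above with secedit, as an added example that is not part of the original post. The template path is an assumption (on older Windows versions the bundled templates were under %SystemRoot%\Security\Templates; confirm where yours are). The first function only analyzes, writing the settings that differ from the template to a log, so you can read what a template such as Securews.inf would change before the second function applies it; the apply step exports the current policy first so there is something to go back to.

```powershell
# Added example, not part of the original post: analyze a machine against a
# security template, then (separately, and only after review) apply it.
# Assumption: the template location; adjust $tpl to where yours are stored.

function Invoke-TemplateAnalysis {
    param(
        [Parameter(Mandatory)][string]$Template,   # e.g. securews.inf
        [string]$WorkDir = (Join-Path $env:TEMP 'sectpl')
    )
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $db  = Join-Path $WorkDir 'analysis.sdb'
    $log = Join-Path $WorkDir 'analysis.log'
    # /analyze compares the current configuration with the template and logs
    # the differences without changing anything.
    secedit /analyze /db $db /cfg $Template /log $log | Out-Null
    # Lines flagged "Mismatch" are the settings the template would change.
    Select-String -Path $log -Pattern 'Mismatch' | ForEach-Object { $_.Line.Trim() }
}

function Invoke-TemplateApply {
    param(
        [Parameter(Mandatory)][string]$Template,
        [string]$WorkDir = (Join-Path $env:TEMP 'sectpl')
    )
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    # Export the current policy first so the change can be reversed.
    $backup = Join-Path $WorkDir 'before.inf'
    secedit /export /cfg $backup | Out-Null
    $db  = Join-Path $WorkDir 'apply.sdb'
    $log = Join-Path $WorkDir 'apply.log'
    # /overwrite replaces whatever is in the database with this template alone.
    secedit /configure /db $db /cfg $Template /overwrite /log $log | Out-Null
    "applied $Template; previous settings saved to $backup, log in $log"
}

$tpl = Join-Path $env:SystemRoot 'Security\Templates\securews.inf'   # assumed location
Invoke-TemplateAnalysis -Template $tpl
# Invoke-TemplateApply -Template $tpl    # only after reviewing the mismatches
```

Analyze on a representative machine before rolling a template out by GPO: the Hisec* templates in particular tighten communication settings, and the mismatch list tells you in advance which hosts or protocols would be affected.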
