Configuring Windows
Configuring Windows properly (Windows 7, 8, 10 and the Server editions) has many facets: disable unnecessary services, set the registry correctly, enable the firewall, configure the browser, and more. This page covers accounts, security policies, registry settings, services, the Encrypting File System and security templates.
Accounts, Users, Groups and Passwords
A Windows system ships with many default user accounts and groups. Attackers rely on these as a starting point for an initial attack: the account names are known in advance, so they can go straight to guessing or cracking those accounts' passwords and gain easy access to a server or network. To improve the security posture, rename these default accounts and disable the ones that are not required.
Administrator Accounts
- The built-in Administrator account has full administrative privileges. Disable it (on client editions of Windows it is already disabled by default; on servers it is enabled).
- An account with administrative privileges is still needed to maintain the server, so create a new account and add it to the Administrators group.
- Do not give the new account a self-explanatory name such as "admin". The whole point of creating a new admin account is that an attacker should not be able to tell from the name which username holds administrative privileges. Note that renaming the built-in Administrator does not hide it: its relative identifier (RID 500) is fixed, so an attacker who can enumerate accounts or look up SIDs will still find it. Renaming is a speed bump, not a control; disabling it and using a separate, unobviously named administrative account is what matters.
Other Default Accounts
Identify the other default accounts and rename, disable or lock them down.
- IUSR_<MachineName>: the anonymous web user account created by older IIS versions (IIS 6 and earlier), named IUSR_ followed by the machine name. IIS 7 and later use the built-in IUSR account instead.
- ASPNET: older ASP.NET installations create a default ASPNET worker account that runs web applications; newer application pools run under NETWORK SERVICE or a per-pool ApplicationPoolIdentity.
- Database accounts: many relational database management systems, such as SQL Server with its sa login, create default accounts.
When a new account is created, always follow the principle of least privilege: assign only the privileges needed to perform the job.
Setting Security Policies
Setting appropriate security policies is the next step in hardening.
Password Security Policies
First, set a secure password policy. The default settings on a stand-alone (non-domain) machine are not secure (see the table below). A domain-joined machine gets the Default Domain Policy instead, which is stricter (for example a 7-character minimum length with complexity enabled) but still weaker than the recommendations that follow.

| Policy | Default setting |
| --- | --- |
| Enforce password history | 1 password remembered |
| Maximum password age | 42 days |
| Minimum password age | 0 days |
| Minimum password length | 0 characters |
| Passwords must meet complexity requirements | Disabled |
| Store password using reversible encryption for all users in the domain | Disabled |
The table below shows the recommendations of Microsoft and the National Security Agency.

| Policy | Microsoft | NSA |
| --- | --- | --- |
| Enforce password history | 3 passwords | 5 passwords |
| Maximum password age | 42 days | 42 days |
| Minimum password age | 2 days | 2 days |
| Minimum password length | 8 characters | 12 characters |
| Passwords must meet complexity requirements | No recommendation | Yes |
| Store password using reversible encryption for all users in the domain | No recommendation | No recommendation |
An appropriate password policy depends greatly on your requirements; if you are protecting high-value assets, aim for the stricter end. Note that Microsoft's guidance has moved since these tables were compiled: the Windows security baselines from Windows 10 version 1903 onward set a 14-character minimum and no longer recommend periodic password expiration, favouring long passwords, banned-password lists and multi-factor authentication instead. "Store password using reversible encryption" should stay disabled in every case; enabling it is equivalent to storing plaintext passwords.
Account Lockout Policies
These policies determine how many failed logon attempts are allowed before an account is locked, and for how long. The default Windows settings are:

| Policy | Default setting |
| --- | --- |
| Account lockout duration | Not defined |
| Account lockout threshold | 0 invalid logon attempts (never lock out) |
| Reset account lockout counter after | Not defined |
These default policies are not secure: with a threshold of 0, an attacker can guess passwords online indefinitely. The recommendations from Microsoft and the National Security Agency are:

| Policy | Microsoft | NSA |
| --- | --- | --- |
| Account lockout duration | 0 (locked until an administrator unlocks) | 15 hours |
| Account lockout threshold | 5 attempts | 3 attempts |
| Reset account lockout counter after | 15 minutes | 30 minutes |

Bear in mind that any lockout policy hands an attacker who knows usernames a denial-of-service lever: a low threshold combined with an indefinite duration lets them lock out every account, including administrative ones, with a handful of bad logons each. Pair the policy with monitoring of account lockout events (event ID 4740) and a documented unlock procedure.
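The following script is an added example (not part of the original article) that audits the password and lockout settings above on the local machine. It exports the effective local security policy with secedit.exe, parses the [System Access] section, and reports each setting against a target range; the target ranges are taken from the NSA column of the two tables and are assumptions you should adjust to your own requirements. Run it from an elevated PowerShell prompt.

```powershell
# Added example: audit local password and lockout policy with secedit.exe.
# Requires an elevated prompt. Target ranges below follow the NSA column
# of the tables above (an assumption; change them to suit your environment).

$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null

# Parse "Name = value" lines; the export is UTF-16 with a BOM, which Get-Content handles.
$current = @{}
Get-Content -Path $cfg | ForEach-Object {
    if ($_ -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') { $current[$matches[1]] = [int]$matches[2] }
}
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

# Key names are the ones secedit uses in [System Access]. Ages/durations are
# in days for password settings and minutes for lockout settings.
# MaximumPasswordAge = -1 means "never expires", so it is checked as a range.
# LockoutDuration/ResetLockoutCount are only exported when LockoutBadCount > 0.
$checks = @(
    @{ Name = 'PasswordHistorySize';   Want = '>= 5';    Test = { param($v) $v -ge 5 } }
    @{ Name = 'MaximumPasswordAge';    Want = '1..42';   Test = { param($v) $v -ge 1 -and $v -le 42 } }
    @{ Name = 'MinimumPasswordAge';    Want = '>= 2';    Test = { param($v) $v -ge 2 } }
    @{ Name = 'MinimumPasswordLength'; Want = '>= 12';   Test = { param($v) $v -ge 12 } }
    @{ Name = 'PasswordComplexity';    Want = '1';       Test = { param($v) $v -eq 1 } }
    @{ Name = 'ClearTextPassword';     Want = '0';       Test = { param($v) $v -eq 0 } }
    @{ Name = 'LockoutBadCount';       Want = '1..3';    Test = { param($v) $v -ge 1 -and $v -le 3 } }
    @{ Name = 'LockoutDuration';       Want = '0 or >= 30'; Test = { param($v) $v -eq 0 -or $v -ge 30 } }
    @{ Name = 'ResetLockoutCount';     Want = '>= 30';   Test = { param($v) $v -ge 30 } }
)

function Get-PolicyFinding {
    foreach ($c in $checks) {
        $v = $current[$c.Name]
        [pscustomobject]@{
            Setting = $c.Name
            Current = if ($null -eq $v) { '(not set)' } else { $v }
            Target  = $c.Want
            Status  = if ($null -ne $v -and (& $c.Test $v)) { 'OK' } else { 'FAIL' }
        }
    }
}

Get-PolicyFinding | Format-Table -AutoSize
```

On a stand-alone machine the numeric settings can be corrected with `net accounts` (for example `net accounts /minpwlen:12 /maxpwage:42 /minpwage:2 /uniquepw:5 /lockoutthreshold:3 /lockoutwindow:30 /lockoutduration:30`); PasswordComplexity has no `net accounts` switch and must be set through Local Security Policy, a secedit template or Group Policy. On a domain-joined machine the domain policy overrides whatever you set locally, so audit and fix it in the Default Domain Policy or a fine-grained password policy instead.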
Registry Settings
The Windows Registry is a hierarchical database that stores settings and options for Microsoft Windows. It contains critical information and settings for the hardware, software, users and preferences on a particular computer. Whenever users are added, software is installed or any other change is made to the system (including security policies), that change is recorded in the registry, which is why so many hardening settings are expressed as registry values.
Registry Basics
Since Windows XP the physical files that make up the registry (the hives SAM, SECURITY, SOFTWARE, SYSTEM and DEFAULT) are stored in %SystemRoot%\System32\Config; each user's own hive is the NTUSER.DAT file in that user's profile directory. These files are locked while Windows is running and are not edited directly. Use regedit.exe (the separate regedt32.exe was merged into it in XP), reg.exe, or the PowerShell registry provider instead.
A system might have additions, but five primary root keys (shown as folders in the editor) contain the information necessary for your system to run. These are the core registry keys:
- HKEY_CLASSES_ROOT: This branch contains all of your file association types, OLE information, and shortcut data.
- HKEY_CURRENT_USER: This branch links to the section of HKEY_USERS appropriate for the user currently logged on to the PC.
- HKEY_LOCAL_MACHINE: This branch contains computer-specific information about the type of hardware, software, and other preferences on a given PC.
- HKEY_USERS: This branch contains individual preferences for each user of the computer.
- HKEY_CURRENT_CONFIG: This branch links to the section of HKEY_LOCAL_MACHINE appropriate for the current hardware configuration.
Restrict Null Session Access
A null session is an anonymous SMB connection to the IPC$ share, established without a username or password. Null sessions have long been a significant weakness: they let an attacker enumerate users, groups, shares and policy information over the network, and they can be used to reach any share or named pipe that the server exposes to anonymous clients. They should be restricted.
Restrict null session access to shares by setting RestrictNullSessAccess, a REG_DWORD value that determines whether the Server service refuses clients connected anonymously (that is, without username and password authentication). Setting the value to 1 denies null sessions access to all server pipes and shares except those listed in the NullSessionPipes and NullSessionShares values under the same key.
Key Path: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Action: Ensure that RestrictNullSessAccess is set to: Value = 1 (REG_DWORD)
Restrict Null Session Access Over Named Pipes
The named pipes and shares that remain reachable by null sessions are listed in two REG_MULTI_SZ values, NullSessionPipes and NullSessionShares, under the same LanmanServer\Parameters key (the corresponding Group Policy settings are "Network access: Named Pipes that can be accessed anonymously" and "Network access: Shares that can be accessed anonymously"). Clear both lists so that no pipe or share is exempt from RestrictNullSessAccess. Do not delete the other values under the key, which the Server service needs. On a domain controller, leave the pipes that the Default Domain Controllers Policy adds (netlogon, samr, lsarpc) in place, or domain logons and trust operations will break.
Key Path: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Action: Set NullSessionPipes and NullSessionShares to empty lists
Restrict Anonymous Access
The RestrictAnonymous value controls whether anonymous users may list domain user names and enumerate share names. Leaving it at 0 hands an attacker a user list to attack. The possible settings are:
- 0: allow anonymous users (default)
- 1: do not allow anonymous enumeration of SAM accounts and shares
- 2: no access without explicit anonymous permissions (Windows 2000 only; on XP, Server 2003 and later this level is not honoured and anonymous restrictions are split across RestrictAnonymous, RestrictAnonymousSAM and EveryoneIncludesAnonymous)
Key Path: HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Action: Set RestrictAnonymous = 1 and RestrictAnonymousSAM = 1, and ensure EveryoneIncludesAnonymous = 0 so that permissions granted to Everyone do not apply to anonymous logons (all REG_DWORD). Use 2 only on Windows 2000, and test first, since it breaks some legacy clients and trust relationships.
Remote Access to the Registry
Remote access to the registry is another potential opening for attackers. Only administrators should be able to reach the registry over the network. In current versions of Windows the Remote Registry service is stopped and set to manual or disabled by default, but verify it. If possible, disallow remote access to the registry for everyone; completely blocking it is certainly more secure. The permissions on the winreg key determine who may connect remotely when the service is running. To restrict network access to the registry:
1. Open regedit.exe and locate (or create, if absent) the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg.
2. Select winreg, open the Edit menu, and click Permissions.
3. Give the Administrators group Full Control, make sure no other users or groups are listed, and click OK.
4. Unless remote administration requires it, also set the Remote Registry service startup type to Disabled and stop it, so that the permissions are never exercised at all.
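The script below is an added example, not code from the original article. It audits the null session, anonymous access and Remote Registry settings from the preceding sections against the recommended values and, when run without -WhatIf, applies them; the function and variable names are my own. The desired values for NullSessionPipes and NullSessionShares are empty lists, which is right for member servers and workstations but not for domain controllers (see the note on netlogon, samr and lsarpc above). Run it from an elevated prompt; LanmanServer changes take effect after the Server service restarts or the machine reboots.

```powershell
# Added example: audit and apply anonymous-access and Remote Registry hardening.
# Run elevated. Use -WhatIf first to see what would change.

$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Desired state (member server / workstation). On a domain controller, keep
# the pipes the Default Domain Controllers Policy lists in NullSessionPipes.
$desired = @(
    @{ Path = $srv; Name = 'RestrictNullSessAccess';    Type = 'DWord';       Value = 1 }
    @{ Path = $srv; Name = 'NullSessionPipes';          Type = 'MultiString'; Value = [string[]]@() }
    @{ Path = $srv; Name = 'NullSessionShares';         Type = 'MultiString'; Value = [string[]]@() }
    @{ Path = $lsa; Name = 'RestrictAnonymous';         Type = 'DWord';       Value = 1 }
    @{ Path = $lsa; Name = 'RestrictAnonymousSAM';      Type = 'DWord';       Value = 1 }
    @{ Path = $lsa; Name = 'EveryoneIncludesAnonymous'; Type = 'DWord';       Value = 0 }
)

function Get-CurrentValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: Windows default applies
    return $item.$Name
}

function Test-Desired($Current, $Wanted) {
    if ($Wanted -is [array]) {
        # An empty REG_MULTI_SZ is compliant; an absent value is reported as non-compliant
        # so that it gets written explicitly.
        return (@($Current) | Where-Object { $_ -ne '' }).Count -eq 0
    }
    return ($null -ne $Current) -and ([int]$Current -eq [int]$Wanted)
}

function Invoke-AnonymousAccessHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    foreach ($d in $desired) {
        $cur = Get-CurrentValue $d.Path $d.Name
        $ok  = Test-Desired $cur $d.Value
        [pscustomobject]@{
            Key = $d.Path; Name = $d.Name
            Current = if ($null -eq $cur) { '(absent)' } else { @($cur) -join ',' }
            Compliant = $ok
        }
        if (-not $ok -and $PSCmdlet.ShouldProcess("$($d.Path)\$($d.Name)", "Set to '$($d.Value -join ',')'")) {
            # -Force overwrites an existing value of the same name.
            New-ItemProperty -Path $d.Path -Name $d.Name -PropertyType $d.Type -Value $d.Value -Force | Out-Null
        }
    }

    # Remote Registry: stop and disable unless remote administration needs it.
    $svc = Get-Service -Name RemoteRegistry
    if ($svc.StartType -ne 'Disabled' -and $PSCmdlet.ShouldProcess('RemoteRegistry', 'Stop and disable service')) {
        if ($svc.Status -eq 'Running') { Stop-Service -Name RemoteRegistry -Force }
        Set-Service -Name RemoteRegistry -StartupType Disabled
    }

    # If the service must stay enabled, only Administrators should appear here.
    Write-Verbose 'ACL on winreg (who may connect to the registry remotely):'
    Get-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg' |
        Select-Object -ExpandProperty Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType
}

Invoke-AnonymousAccessHardening -WhatIf | Format-Table -AutoSize
# Invoke-AnonymousAccessHardening | Format-Table -AutoSize   # apply for real
```

The same settings are exposed under Local Security Policy > Security Options ("Network access: Restrict anonymous access to Named Pipes and Shares", "Network access: Do not allow anonymous enumeration of SAM accounts and shares", and so on); on a domain-joined machine set them there or in Group Policy, because a GPO will overwrite direct registry edits on the next refresh.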
Services
A service (the equivalent of a daemon on Linux/Unix) is a program that runs without direct intervention by the user: Internet Information Services, the FTP service and many system services, for example. Every service that listens on the network is attack surface that must be patched and monitored, so if you are not using a service, stop it and set its startup type to Disabled rather than merely stopping it.
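Deciding which services to disable starts with knowing which of them are actually exposed on the network. The script below is an added example (not from the original article) that maps every listening TCP port to its owning process and, where that process hosts Windows services, to the service names, and then provides a function that stops and disables a chosen list of services with -WhatIf support. The service names passed at the end are illustrative; pick your own after reviewing the listing. Get-NetTCPConnection requires Windows 8 / Server 2012 or later.

```powershell
# Added example: list listening TCP ports with their owning service(s), then
# stop and disable services you have decided are not needed. Run elevated.

function Get-ListeningService {
    # Build a PID -> service names map (one svchost.exe can host several services).
    $byPid = @{}
    foreach ($s in Get-CimInstance -ClassName Win32_Service | Where-Object { $_.ProcessId -gt 0 }) {
        $k = [int]$s.ProcessId
        if (-not $byPid.ContainsKey($k)) { $byPid[$k] = [System.Collections.Generic.List[string]]::new() }
        $byPid[$k].Add($s.Name)
    }

    Get-NetTCPConnection -State Listen | ForEach-Object {
        $k = [int]$_.OwningProcess
        $p = Get-Process -Id $k -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            Port         = $_.LocalPort
            Pid          = $k
            Process      = if ($p) { $p.ProcessName } else { '?' }
            Services     = if ($byPid.ContainsKey($k)) { $byPid[$k] -join ',' } else { '' }
        }
    } | Sort-Object Port, LocalAddress
}

function Disable-UnneededService {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Name)

    foreach ($n in $Name) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Warning "Service '$n' is not installed"; continue }
        if ($PSCmdlet.ShouldProcess($n, 'Stop and set startup type to Disabled')) {
            if ($svc.Status -eq 'Running') { Stop-Service -Name $n -Force }
            Set-Service -Name $n -StartupType Disabled
        }
    }
}

Get-ListeningService | Format-Table -AutoSize

# Illustrative names only (Remote Registry, SSDP Discovery, UPnP Device Host);
# choose your own list based on the listing above, then drop -WhatIf.
Disable-UnneededService -Name 'RemoteRegistry', 'SSDPSRV', 'upnphost' -WhatIf
```

Review the Services column before disabling anything hosted in a shared svchost.exe process: disabling one service does not close a port that another service in the same process still uses, and some services have dependents that will fail to start.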
Encrypting File System
Windows has offered the Encrypting File System (EFS) since Windows 2000. It is based on public-key cryptography and builds on the Windows CryptoAPI. Each file is encrypted with a randomly generated symmetric file encryption key (FEK); the FEK is in turn encrypted with the user's EFS public key (and with the public key of any designated data recovery agent) and stored alongside the file. Use it for sensitive files, but understand its limits: EFS protects data at rest against other users and offline readers, not against malware running as the user; it depends entirely on the user's EFS certificate and private key, so back them up (or designate a recovery agent) or the data is unrecoverable after a profile loss or password reset by an administrator; and it encrypts individual files and folders only, so use BitLocker when the whole volume needs protection.
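The following is an added example (not from the original article) of putting EFS to use from PowerShell: it encrypts a directory with cipher.exe, verifies that the Encrypted attribute was set, finds the EFS certificate that Windows generates on first use, and exports it with its private key to a password-protected PFX so the data stays recoverable. The directory C:\Secret, the sample file and the backup path are constructed for the example.

```powershell
# Added example: encrypt a folder with EFS, verify, and back up the EFS certificate.
# $dir, the sample file and $backup are assumptions for the example.

$dir    = 'C:\Secret'
$backup = Join-Path $env:USERPROFILE 'efs-backup.pfx'   # move this off the machine afterwards

New-Item -ItemType Directory -Path $dir -Force | Out-Null
'constructed sample content' | Set-Content -Path (Join-Path $dir 'note.txt')

# /E encrypts, /S: recurses into the folder; new files created inside inherit encryption.
cipher.exe /E "/S:$dir" | Out-Null

function Test-EfsEncrypted([string]$Path) {
    # FILE_ATTRIBUTE_ENCRYPTED is 0x4000.
    return (([int](Get-Item -Path $Path).Attributes -band 0x4000) -ne 0)
}

if (-not (Test-EfsEncrypted (Join-Path $dir 'note.txt'))) {
    throw "EFS encryption of $dir did not take effect"
}

# Locate the user's EFS certificate (EKU 1.3.6.1.4.1.311.10.3.4 = Encrypting File System).
$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No EFS certificate found in the current user store' }

# Export certificate plus private key. Without this backup, losing the profile
# (or an administrator resetting the password) makes the files unrecoverable.
$pw = Read-Host -AsSecureString -Prompt 'Password for the PFX backup'
Export-PfxCertificate -Cert $cert -FilePath $backup -Password $pw | Out-Null

cipher.exe /C "$dir"   # shows which users and recovery agents can decrypt each file
```

`cipher.exe /X` is the built-in alternative for exporting the EFS certificate. In a domain, prefer an enterprise CA-issued EFS certificate and a data recovery agent configured through Group Policy over self-signed certificates backed up by hand.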
Security Templates
To make all these steps easier to apply consistently, use security templates. A security template is a text (.inf) file containing hundreds of possible settings that can be applied to a single computer or many. Security templates can control areas such as user rights, permissions, registry values and password policies, and they let administrators deploy these settings centrally by means of Group Policy Objects (GPOs) or locally with secedit.exe.
The following is a partial list of the predefined templates shipped in %SystemRoot%\Security\Templates on Windows 2000, XP and Server 2003:
- Hisecdc.inf: the high-security template for domain controllers; it raises security settings and the requirements placed on network communications with domain controllers.
- Hisecws.inf: the high-security template for client computers and member servers.
- Securedc.inf: raises security settings and communication requirements for domain controllers, but not to the level of Hisecdc.inf.
- Securews.inf: raises security settings and communication requirements for client computers and member servers, but not to the level of Hisecws.inf.
- Setup security.inf: reapplies the default security settings of a freshly installed computer. It can also be used to return a misconfigured system to its default configuration.
These predefined templates were removed in Windows Vista and later. On current systems, use the baselines published in the Microsoft Security Compliance Toolkit, or write a template of your own and apply it with secedit.exe.
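The script below is an added example, not from the original article, of writing a small custom security template that bundles the password, lockout and anonymous-access settings from this page and applying it with secedit.exe, then re-analysing to confirm nothing was rejected. The concrete values are example choices (they follow the NSA column of the tables, except for a 30-minute lockout duration); the file names are assumptions. The [Registry Values] syntax is path=type,data, where 4 is REG_DWORD and 7 is REG_MULTI_SZ (an empty REG_MULTI_SZ is written as "7,"). Run it from an elevated prompt.

```powershell
# Added example: build a custom security template and apply it with secedit.exe.
# Run elevated. Values are example choices; adjust before use.

$inf = Join-Path $env:TEMP 'hardening.inf'
$db  = Join-Path $env:TEMP 'hardening.sdb'
$log = Join-Path $env:TEMP 'hardening.log'

# Single-quoted here-string: nothing is expanded, so $CHICAGO$ is written literally.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
PasswordHistorySize = 5
MaximumPasswordAge = 42
MinimumPasswordAge = 2
MinimumPasswordLength = 12
PasswordComplexity = 1
ClearTextPassword = 0
LockoutBadCount = 3
ResetLockoutCount = 30
LockoutDuration = 30
[Registry Values]
MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\RestrictNullSessAccess=4,1
MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes=7,
MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionShares=7,
MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
'@ | Set-Content -Path $inf -Encoding Unicode   # Unicode=yes requires a UTF-16 file

# Import the template into a fresh database and apply the security-policy area.
Remove-Item -Path $db -ErrorAction SilentlyContinue
secedit.exe /configure /db $db /cfg $inf /areas SECURITYPOLICY /overwrite /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE" }

# Re-analyse the machine against the same template; the log lists any mismatch.
secedit.exe /analyze /db $db /cfg $inf /log $log /quiet
$mismatches = Select-String -Path $log -Pattern 'Mismatch' -SimpleMatch
if ($mismatches) {
    Write-Warning 'Settings still differing from the template:'
    $mismatches | ForEach-Object { $_.Line }
} else {
    Write-Host 'All template settings are in effect.'
}
```

On a domain-joined machine, import the same .inf into a Group Policy Object (Computer Configuration > Windows Settings > Security Settings, right-click and Import Policy) instead of applying it locally, since Group Policy will otherwise overwrite the local settings at the next refresh.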