Copyright 2001 Marchany. Slide 1: Auditing Networks, Perimeters and Systems. Audit Checklists, Unit 6: Windows. The SANS Institute
Slide 2: W2K CIS Rulers
CIS Rulers are being developed for Windows 2000 and NT systems.
Format is similar to the Unix rulers (levels 1-3).
Work has just started on it.
You're getting a very ROUGH preview of the rulers.
Slide 3: Sample W2K Level 1 Ruler – Physical Data Security
Enable the end user to protect laptops.
Physically secure servers.
Protect the server from unattended reboot.
  – Protect the SAM with SYSKEY.
Protect the backup tapes.
Use NTFS disk partitions.
Use Encrypting File System.
Slide 4: Sample W2K Level 1 Ruler – Security Policy Configuration
Configure the Local Security Policy.
Configure the Account Policy.
Secure Administrator/Guest accounts.
Configure Local Policies.
Enable Audit Policies.
Customize User Rights.
Slide 7: Sample W2K Level 1 Ruler – Security Policy Configuration
Customize Security Options:
  – Restrict Anonymous Connections
  – Allow server operators to schedule tasks (DC only).
  – Clear virtual memory pagefile on shutdown.
  – Audit access of Global System Objects.
  – Do not display last username in login screen.
Configure Public Key Policy.
Configure IP Security Policy.
Slide 8: File System Configuration
(__) Define system configuration and Service Pack level.
(__) During audit, set browser to see all files.
(__) System is configured as NTFS file system?
(__) System Administrator has a current Emergency Recovery Disk in a locked storage area.
(__) Wiping of system page file occurs at system shutdown.
Slide 9: Sample W2K Level 1 Ruler
Group Policy MMC Snap-In
System Tools
  – Configure Event Log Settings
  – System Information
  – Performance Logs & Alerts
  – Local Users & Groups
Lock out unauthorized floppy disk use
Slide 11: Sample W2K Level 1 Ruler
Freeware, Shareware and Commercial Tools
  – Use Access Control List auditing tools
  – Audit SP and HotFix levels
  – Consider installing nmap, WinDump, PGP, Anti-Trojan, L0phtCrack 3, snort
Slide 12: Sample W2K Level 1 Ruler – The Registry
Disable auto-run on CD-ROM drives.
Control remote Registry access.
Restrict Null User access to named pipes and shares.
Disable router discovery.
Disable ICMP redirects.
Remove administrative shares.
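The Security Options items on slide 7, the Registry items on slide 12 and the event log size on slide 34 are all backed by registry values. The following read-only PowerShell audit is an added example, not part of the original slides; it assumes the NT 4.0 / Windows 2000 key locations (later Windows versions moved some of them, e.g. DontDisplayLastUserName) and reports PASS/FAIL per item without changing anything.

```powershell
# Added example (not from the slides): read-only audit of the NT 4.0 / Windows 2000
# registry settings named on the Security Options and Registry slides, plus the
# Security event log size from the Services/System slide. Paths are the NT/2000-era
# locations; later Windows versions moved some of them (e.g. DontDisplayLastUserName).
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$tcp = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$checks = @(
    @{ Name='Restrict anonymous connections';        Key=$lsa; Value='RestrictAnonymous'; Op='-ge'; Expect=1 }
    @{ Name='Audit access of global system objects'; Key=$lsa; Value='AuditBaseObjects';  Op='-eq'; Expect=1 }
    @{ Name='Server operators cannot schedule tasks'; Key=$lsa; Value='SubmitControl';    Op='-eq'; Expect=0 }
    @{ Name='Clear pagefile at shutdown'; Key='HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'; Value='ClearPageFileAtShutdown'; Op='-eq'; Expect=1 }
    @{ Name='Do not display last user name'; Key='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Value='DontDisplayLastUserName'; Op='-eq'; Expect=1 }
    @{ Name='CD-ROM AutoRun disabled'; Key='HKLM:\SYSTEM\CurrentControlSet\Services\Cdrom'; Value='Autorun'; Op='-eq'; Expect=0 }
    @{ Name='Null sessions restricted';           Key=$srv; Value='RestrictNullSessAccess'; Op='-eq'; Expect=1 }
    @{ Name='Admin shares removed (server)';      Key=$srv; Value='AutoShareServer';        Op='-eq'; Expect=0 }
    @{ Name='Admin shares removed (workstation)'; Key=$srv; Value='AutoShareWks';           Op='-eq'; Expect=0 }
    @{ Name='ICMP redirects disabled';            Key=$tcp; Value='EnableICMPRedirect';     Op='-eq'; Expect=0 }
    @{ Name='Security log max size >= 2048K'; Key='HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'; Value='MaxSize'; Op='-ge'; Expect=2097152 }
)
function Get-RegValue([string]$Key, [string]$Name) {
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name } catch { $null }
}
function Test-Setting($Check) {
    $actual = Get-RegValue $Check.Key $Check.Value
    if ($null -eq $actual) {                      # absent value: the insecure default applies
        return [pscustomobject]@{ Check=$Check.Name; Actual='(not set)'; Result='FAIL' }
    }
    $ok = if ($Check.Op -eq '-ge') { [int]$actual -ge $Check.Expect } else { [int]$actual -eq $Check.Expect }
    [pscustomobject]@{ Check=$Check.Name; Actual=$actual; Result=$(if ($ok) { 'PASS' } else { 'FAIL' }) }
}
$results = @($checks | ForEach-Object { Test-Setting $_ })
# Remote registry access is governed by the ACL on the winreg key; report whether it exists.
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$results += [pscustomobject]@{ Check='Remote registry access controlled (winreg key)'; Actual=(Test-Path $winreg); Result=$(if (Test-Path $winreg) { 'PASS' } else { 'FAIL' }) }
# Router discovery is configured per interface on Windows 2000, so check every interface key.
foreach ($iface in Get-ChildItem "$tcp\Interfaces") {
    $v = Get-RegValue $iface.PSPath 'PerformRouterDiscovery'
    $results += [pscustomobject]@{ Check="Router discovery disabled ($($iface.PSChildName))"; Actual=$v; Result=$(if ($v -eq 0) { 'PASS' } else { 'FAIL' }) }
}
$results | Format-Table -AutoSize
```

The winreg check only confirms the key exists; the actual restriction is its ACL, which should be reviewed in regedt32 or with Get-Acl on the same path.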
Slide 13: Sample W2K Level 1 Ruler
File, Folder and Registry Permissions
Security Analysis and Configuration Tool
  – Apply standard incremental security templates
  – Create custom policies
  – Perform analysis of computer
Recovery Options
  – Baseline system backup
  – Regular system backup
  – Remote system backup
  – NTBackup.exe
Slide 14: Sample W2K Level 1 Ruler
Recovery Options (continued)
  – Emergency Repair Disks
  – Safe Mode with or without networking
  – Safe Mode with command prompt
  – Recovery Console
Active Directory Services
  – Domain Controllers and Trust
  – The Trees vs. the Forest
  – Enterprise Admins and Schema Admins
Slide 15: Sample W2K Level 1 Ruler
Application Security
  – IIS v5 – CRITICAL!
  – Telnet Server
  – File and Printer Sharing
  – Windows Services for Unix 2.0
  – Exchange, Outlook, Outlook Express
  – SQL
These may be more suited to Level 2.
Slide 16: A Sample NT Level 1 Ruler
Installation
Networking
User Accounts
Services/System
Files/Directories
Registry
Applications
Developed by Marc Debonis, VA Tech
Slide 17: Sample VT Level 1 NT Ruler
Installation
  – Physically secure machine
  – Enable BIOS boot password, user/admin levels
  – Install NT on C:, no dual boot, use NTFS
  – Put bogus name for install
  – Select only TCP/IP to install
  – Do NOT install IIS
  – Do NOT use DHCP
  – Do NOT use WINS server entries
Slide 18: Sample VT Level 1 NT Ruler
Installation
  – Disable LMHOSTS lookup
  – Login as Administrator; delete the My Briefcase, Install IIS, IE and Inbox icons
  – Install post-SP5/SP6 hotfixes, in this order: Winhlp-I, Nddefixi, Lsareqi, Q234351I, Csrssfxi, Loctlfxi, Ntfsfix1, Igmpfix1, Ipsrfixi
Slide 19: (__) Define Service Pack level: Start -> Run -> WINVER (works the same for NT 4.0)
Slide 20: Checking for Service Packs
Slide 22: (__) System does not have unnecessary devices: Start -> Settings -> Control Panel -> Devices.
Slide 23: Sample VT Level 1 Ruler
Networking
  – Use the Network control panel to remove RPC Configuration, NetBIOS Interface, Workstation, Server.
  – Set service TCP/IP NetBIOS Helper to disabled
  – Disable Windows NT Networking
  – Disable WINS Client (TCP/IP) binding
  – Disable WINS Client (TCP/IP) device
Slide 24: Sample VT Level 1 Ruler
Accounts
  – Set minimum password length to 8
  – Lockout after 3 bad attempts
  – Under Policies -> User Rights:
    Select Right: Access this computer from Network, and remove ALL groups listed in the Grant To box
    Under Show Advanced Rights, select Bypass Traverse Checking, remove Everyone
    Select Log on Locally and disable Guest
Slide 25: Sample VT NT Level 1 Ruler
Accounts
  – Select Policies -> Audit; enable audit events: logon/logoff, user/group mgt, security policy changed, restart, shutdown and system
  – Open User Manager for Domains:
    Rename Administrator account to Master
    Remove Description for Master account
    Set Master account password to something VERY strong
    Rename Guest account to DEFUNCT
  – Allow remote lockout of administrator account only
Slide 26: (__) Auditing is enabled: User Manager, Policies, Audit
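Slides 24 to 26 (password length, lockout count, renamed Administrator/Guest, audit categories) can be checked against a secedit export instead of by clicking through User Manager. The PowerShell below is an added example, not from the slides; it assumes Windows 2000 or later (secedit is not on NT 4.0), parses the INF-style export, and runs on a constructed sample so it works without a real host.

```powershell
# Added example (not from the slides): check the Accounts / Audit slide items against
# the local policy as exported by secedit. Uses a constructed sample export so it
# runs anywhere; replace $inf with a real export (see the usage lines at the bottom).
function ConvertFrom-SecEditInf([string]$Text) {
    $policy = @{}; $section = ''
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') { $policy["$section/$($Matches[1])"] = $Matches[2].Trim('"') }
    }
    $policy
}
function Test-AccountPolicy($p) {
    # Audit settings in the export: 0 = none, 1 = success, 2 = failure, 3 = both
    $rules = @(
        @{ Name='Minimum password length >= 8'; Actual=[int]$p['System Access/MinimumPasswordLength']; Pass={ param($v) $v -ge 8 } }
        @{ Name='Lockout after 3 bad attempts';  Actual=[int]$p['System Access/LockoutBadCount'];       Pass={ param($v) $v -ge 1 -and $v -le 3 } }
        @{ Name='Administrator account renamed'; Actual=$p['System Access/NewAdministratorName'];       Pass={ param($v) $v -and $v -ne 'Administrator' } }
        @{ Name='Guest account renamed';         Actual=$p['System Access/NewGuestName'];               Pass={ param($v) $v -and $v -ne 'Guest' } }
    )
    foreach ($cat in 'AuditLogonEvents','AuditAccountManage','AuditPolicyChange','AuditSystemEvents') {
        $rules += @{ Name="$cat success+failure"; Actual=[int]$p["Event Audit/$cat"]; Pass={ param($v) $v -eq 3 } }
    }
    foreach ($r in $rules) {
        [pscustomobject]@{ Check=$r.Name; Actual=$r.Actual; Result=$(if (& $r.Pass $r.Actual) { 'PASS' } else { 'FAIL' }) }
    }
}
# Constructed sample export (not from a real host): only some items meet the ruler.
$inf = @"
[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 5
NewAdministratorName = "Master"
NewGuestName = "Guest"
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditPolicyChange = 1
AuditAccountManage = 0
"@
Test-AccountPolicy (ConvertFrom-SecEditInf $inf) | Format-Table -AutoSize
# On a real host: secedit /export /cfg $env:TEMP\sec.inf
# then $inf = Get-Content $env:TEMP\sec.inf -Raw and rerun the Test-AccountPolicy line.
```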
Slide 27: Audit Best Practice
Slide 28: Audit Best Practice (2)
Slide 29: Passwords
(__) NT password policies comply with Best Practices for NT Passwords.
(__) User passwords are known only by the user.
(__) Users are required to maintain unique passwords for each AIS.
(__) Passcrack for Windows NT or other password tester is run at least yearly.
(__) Password database (SAM) is encrypted.
(__) Administrator password is protected to the same level as the data contained on the computer.
(__) Password is enabled for screen saver. (Control Panel, Desktop)
Slide 30: Passfilt
Slide 31: NT 4.0: Start -> Programs -> Administrative Programs -> User Manager
Slide 32: Win2k: My Computer -> Control Panel -> Administrative Tools -> Local Security Policy -> Password Policy
Slide 33: Sample VT NT Level 1 Ruler
Services/System
  – Disable unnecessary system services: Network DDE, Network DDE DDSM, Schedule, Spooler, Telephony service, distributed DCOM
  – From the System Control Panel, click the Startup/Shutdown tab:
    Uncheck "Overwrite any Existing File?"
    Uncheck "Write debugging info to:"
    Uncheck "Automatically Reboot?"
Slide 34: Sample VT NT Level 1 Ruler
Services/System
  – Open the Display Control Panel, click the Screen Saver tab, enable the Blank Screen screen saver, set the wait to 5 minutes, and check the Password Protected box.
  – Event Logs: open Log -> Log Settings and increase the maximum size of the logs to more than 2048K
Slide 35: Log -> Log Settings
Slide 36: Event Viewer (Windows 2000): My Computer -> Control Panel -> Administrative Tools -> Event Viewer
Slide 37: Using dumpel for audit logs
Slide 38: Sample VT NT Level 1 Ruler
For the rest of the ruler, go to and look in the Checklists section for Marc's document. Some may consider his requirements to be really strict, but some may like them.
Slide 39: Sample Windows 2000 Level 2 Ruler
Rules of Engagement for Active Directory
Developed at VA Tech for our AD structure
  – Marc Debonis,
Allows lower-level admins to control their own domains
Not for everyone
Somewhat draconian
Slide 40: Sample VT Level 2 Ruler: Active Directory ROE
The child domain must have at least 1 full-time peer BDC for the child domain.
The child domain controllers must meet Microsoft's minimum computer hardware requirements.
No 3rd-party or Microsoft add-on software is allowed on child domain controllers:
  – IIS, Certificate Services, Indexing Service, Windows Media Services, DNS, DHCP, WINS, printer/file services
Slide 41: Sample VT Level 2 Ruler: Active Directory ROE
The child domain controllers must be in a backup program and have full recoverability tested.
The child domain controllers must allow and not block global policy objects replicated from the root.
All W2K hosts must follow prescribed DNS naming conventions (xxx.yyy.vt.edu).
Slide 42: Sample VT Level 2 Ruler: Active Directory ROE
All W2K hosts within the child domain will use root AD DDNS server settings.
Child DCs will use static IP and not run DHCP servers.
Child domains will not attempt to create child domains "below" theirs. They will use OUs to do this.
Slide 43: Sample VT Level 2 Ruler: Active Directory ROE
No non-administrative local logins will be allowed to the child domain controllers.
The CDC will be housed in secure areas with controlled access.
2-week backups of event/audit logs will be kept, and access to them will be given to the AD enterprise admins for security/debugging purposes.
Slide 44: Sample VT Level 2 Ruler: Active Directory ROE
All service packs will be installed in a timely manner, coordinated with root AD controller upgrades.
Will people buy into this?
  – Some will, some won't, but those that do are more secure.
Slide 45: Whew!
You've got a basic strategy for building security checklist/audit plans for:
  – Perimeter
  – Unix
  – NT
  – Windows 2000
Please fill out your comment sheets!
Slide 46: Today's Course Goals
Construct a high-level Security Checklist from the CIS rulers for your site.
  – Unix, NT, Windows 2000
Use TBS to provide a response to your internal auditors and secure your systems.
Use STAR to define the $$$ cost of implementing security features at your site.
  – This method can be used over time to show trends
Develop a set of reports/matrices that can be used to quickly identify the security status of a host at your site.
Slide 47: URLs referred to in this course
STAR Matrices: http://courseware.vt.edu/marchany/STAR
Sample R/A Documents: http://security.vt.edu
Top Ten Vulnerabilities: http://www.sans.org/topten.htm
Top Ten Blocking: http://www.sans.org/giactc/gcfw.htm
Egress Filtering: http://www.sans.org/y2k/egress.htm
CVE: http://cve.mitre.org
GIAC Practicals: http://www.sans.org/giactc/cert.htm
RFC 2196: http://www.ietf.org/rfc/rfc2196.txt
Center for Internet Security: http://www.cisecurity.org
Slide 48: Course Revision History