Copyright 2001 Marchany1 Auditing Networks, Perimeters and Systems Audit Checklists, Unit 6 Windows The SANS Institute.

2 W2K CIS Rulers
- CIS Rulers are being developed for Windows 2000 and NT systems
- Format is similar to the Unix rulers (levels 1-3)
- Work has just started on it
- You’re getting a very ROUGH preview of the rulers.

3 Sample W2K Level 1 Ruler – Physical Data Security
- Enable the end user to protect laptops.
- Physically secure servers.
- Protect the server from unattended reboot.
  - Protect the SAM with SYSKEY
- Protect the backup tapes.
- Use NTFS disk partitions.
- Use Encrypting File System

4 Sample W2K Level 1 Ruler – Security Policy Configuration
- Configure the Local Security Policy.
- Configure the Account Policy.
- Secure Administrator/Guest accounts.
- Configure Local Policies.
- Enable Audit Policies.
- Customize User Rights.

5 Win2K Audit (run MMC -> Ctrl+M -> Security Templates -> Setup Security)

6 User Rights

7 Sample W2K Level 1 Ruler – Security Policy Configuration
- Customize Security Options
  - Restrict anonymous connections
  - Allow server operators to schedule tasks (DC only).
  - Clear virtual memory pagefile on shutdown.
  - Audit access of global system objects.
  - Do not display last username in login screen.
- Configure Public Key Policy.
- Configure IP Security Policy.

8 File System Configuration
(__) Define system configuration and service pack level
(__) During audit, set browser to see all files
(__) System is configured with the NTFS file system?
(__) System administrator has a current Emergency Recovery Disk in a locked storage area.
(__) Wiping of system page file occurs at system shutdown.

9 Sample W2K Level 1 Ruler
- Group Policy
- MMC Snap-In
- System Tools
  - Configure Event Log settings
  - System Information
  - Performance Logs & Alerts
  - Local Users & Groups
- Lock out unauthorized floppy disk use

10 Sample W2K Level 1 Ruler
- Disable unused services
  - Remove OS/2 and POSIX subsystems
- Secure remote control programs (PC Anywhere)
- Disable Microsoft Network Client
- Additional utilities
  - W2K Support Tools
  - Resource Kit tools

11 Sample W2K Level 1 Ruler
- Freeware, shareware and commercial tools
  - Use access control list auditing tools
  - Audit SP and hotfix levels
  - Consider installing nmap, WinDump, PGP, Anti-Trojan, L0phtCrack 3, snort

12 Sample W2K Level 1 Ruler – The Registry
- Disable auto-run on CD-ROM drives.
- Control remote registry access.
- Restrict null user access to named pipes and shares.
- Disable router discovery.
- Disable ICMP redirects.
- Remove administrative shares.
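The registry items on slides 7, 8 and 12 can be audited rather than eyeballed. The script below is an added example, not part of the SANS/VT slides: it reads the NT/W2K registry values behind each item and reports PASS/FAIL. The expected values are assumptions taken from the checklist, and the paths are the documented locations for that era (they still exist on current Windows).

```powershell
# Added audit helper (not from the slides): check the registry values behind the
# Level 1 ruler items on slides 7, 8 and 12. Expected values are assumptions taken
# from the checklist. Run in an elevated PowerShell on the host being audited.

$checks = @(
    @{ Item = 'Restrict anonymous connections';        Name = 'RestrictAnonymous';        Expect = @(1, 2)
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' }
    @{ Item = 'Audit access of global system objects';  Name = 'AuditBaseObjects';         Expect = @(1)
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' }
    @{ Item = 'Clear pagefile on shutdown';             Name = 'ClearPageFileAtShutdown';  Expect = @(1)
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management' }
    @{ Item = 'Do not display last username';           Name = 'DontDisplayLastUserName';  Expect = @(1)
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' }
    @{ Item = 'Disable auto-run on CD-ROM drives';      Name = 'Autorun';                  Expect = @(0)
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Cdrom' }
    @{ Item = 'Restrict null session access';           Name = 'RestrictNullSessAccess';   Expect = @(1)
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' }
    @{ Item = 'Remove administrative shares (server)';  Name = 'AutoShareServer';          Expect = @(0)
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' }
    @{ Item = 'Disable router discovery';               Name = 'PerformRouterDiscovery';   Expect = @(0)
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' }
    @{ Item = 'Disable ICMP redirects';                 Name = 'EnableICMPRedirect';       Expect = @(0)
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' }
)

function Test-RulerRegistryItem {
    param([hashtable]$Check)
    # Get-ItemProperty returns nothing when the key or value is absent. An absent
    # value means the OS default applies, which is never the hardened setting, so FAIL.
    $prop   = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    $actual = if ($prop) { $prop.($Check.Name) } else { $null }
    $ok     = ($null -ne $actual) -and ($Check.Expect -contains [int]$actual)
    $shown  = if ($null -eq $actual) { '<not set>' } else { $actual }
    $status = if ($ok) { 'PASS' } else { 'FAIL' }
    [pscustomobject]@{ Item = $Check.Item; Value = $shown; Expected = ($Check.Expect -join '/'); Status = $status }
}

# Slides 8 and 19: service pack level. CSDVersion holds the string WINVER displays.
$ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$sp  = if ($ver.CSDVersion) { $ver.CSDVersion } else { '<none>' }
"Windows $($ver.CurrentVersion) build $($ver.CurrentBuildNumber), service pack: $sp"
$checks | ForEach-Object { Test-RulerRegistryItem $_ } | Format-Table -AutoSize
```

Remote registry access is controlled by the ACL on the SecurePipeServers\winreg key rather than a value, so it is not covered here; check it with Get-Acl separately.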

13 Sample W2K Level 1 Ruler
- File, folder and registry permissions
- Security Analysis and Configuration Tool
  - Apply standard incremental security templates
  - Create custom policies
  - Perform analysis of computer
- Recovery options
  - Baseline system backup
  - Regular system backup
  - Remote system backup
  - NTBackup.exe

14 Sample W2K Level 1 Ruler
- Recovery options (continued)
  - Emergency Repair Disks
  - Safe Mode with or without networking
  - Safe Mode with command prompt
  - Recovery Console
- Active Directory Services
  - Domain controllers and trust
  - The trees vs. the forest
  - Enterprise Admins and Schema Admins

15 Sample W2K Level 1 Ruler
- Application security
  - IIS v5 – CRITICAL!
  - Telnet Server
  - File and Printer Sharing
  - Windows Services for Unix 2.0
  - Exchange, Outlook, Outlook Express
  - SQL
- These may be more suited to Level 2

16 A Sample NT Level 1 Ruler
- Installation
- Networking
- User Accounts
- Services/System
- Files/Directories
- Registry
- Applications
- Developed by Marc Debonis, VA Tech

17 Sample VT Level 1 NT Ruler
- Installation
  - Physically secure machine
  - Enable BIOS boot password, user/admin levels
  - Install NT on C:, no dual boot, use NTFS
  - Put bogus name for install
  - Select only TCP/IP to install
  - Do NOT install IIS
  - Do NOT use DHCP
  - Do NOT use WINS server entries

18 Sample VT Level 1 NT Ruler
- Installation
  - Disable LMHOSTS lookup
  - Log in as Administrator; delete the My Briefcase, Install IIS, IE and Inbox icons
  - Install post-SP5/SP6 hotfixes in this order: Winhlp-I, Nddefixi, Lsareqi, Q234351I, Csrssfxi, Loctlfxi, Ntfsfix1, Igmpfix1, Ipsrfixi

19 (__) Define service pack level: Start -> Run -> WINVER (works the same for NT 4.0)

20 Checking for Service Packs

22 (__) System does not have unnecessary devices: Start -> Settings -> Control Panel -> Devices

23 Sample VT Level 1 Ruler
- Networking
  - Use the Network control panel to remove RPC Configuration, NetBIOS Interface, Workstation, Server.
  - Set the TCP/IP NetBIOS Helper service to disabled
  - Disable Windows NT Networking
  - Disable WINS Client (TCP/IP) binding
  - Disable WINS Client (TCP/IP) device

24 Sample VT Level 1 Ruler
- Accounts
  - Set minimum password length to 8
  - Lockout after 3 bad attempts
  - Under Policies -> User Rights:
    - Select the right "Access this computer from Network" and remove ALL groups listed in the Grant To box
    - Under Show Advanced Rights, select Bypass Traverse Checking and remove Everyone
    - Select Log on Locally and disable Guest

25 Sample VT NT Level 1 Ruler
- Accounts
  - Select Policies -> Audit
    - Enable audit events: logon/logoff, user/group management, security policy changed, restart, shutdown and system
  - Open User Manager for Domains
    - Rename the Administrator account to Master
    - Remove the Description for the Master account
    - Set the Master account password to something VERY strong
    - Rename the Guest account to DEFUNCT
  - Allow remote lockout of the administrator account only

26 (__) Auditing is enabled: User Manager -> Policies -> Audit

27 Audit Best Practice

28 Audit Best Practice (2)

29 Passwords
(__) NT password policies comply with best practices for NT passwords.
(__) User passwords are known only by the user.
(__) Users are required to maintain unique passwords for each AIS.
(__) Passcrack for Windows NT or another password tester is run at least yearly.
(__) Password database (SAM) is encrypted.
(__) Administrator password is protected to the same level as the data contained on the computer.
(__) Password is enabled for the screen saver. (Control Panel, Desktop)

30 Passfilt

31 NT 4.0: Start -> Programs -> Administrative Programs -> User Manager

32 Win2K: My Computer -> Control Panel -> Administrative Tools -> Local Security Policy -> Password Policy

33 Sample VT NT Level 1 Ruler
- Services/System
  - Disable unnecessary system services: Network DDE, Network DDE DSDM, Schedule, Spooler, Telephony Service, distributed DCOM
  - From the System control panel, click the Startup/Shutdown tab:
    - Uncheck "Overwrite any existing file?"
    - Uncheck "Write debugging info to:"
    - Uncheck "Automatically reboot?"

34 Sample VT NT Level 1 Ruler
- Services/System
  - Open the Display control panel, click the Screen Saver tab, enable the Blank Screen screen saver, set the wait to 5 minutes, and check the Password Protected box.
  - Event Logs: open Log -> Log Settings and increase the maximum size of the logs to more than 2048K
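The account-policy and audit items on slides 24-26 and 29, and the event log size on slide 34, can be checked from one exported policy. The script below is an added example, not code from the SANS/VT slides: it exports the effective local security policy with secedit, parses the .inf it writes, and compares the values against thresholds taken from the ruler (those thresholds are assumptions; the .inf section and key names are the documented security-template format).

```powershell
# Added audit helper (not from the slides): verify the VT Level 1 account policy,
# audit policy and event log size settings. Thresholds are assumptions taken from
# slides 24, 25, 29 and 34. Run in an elevated PowerShell on the host being audited.

$inf = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $inf /quiet | Out-Null

function Read-SecurityInf {
    param([string]$Path)
    # secedit writes a UTF-16 .inf; collect "Key = Value" lines under each "[Section]".
    $data = @{}; $section = $null
    foreach ($line in Get-Content -Path $Path -Encoding Unicode) {
        if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; $data[$section] = @{} }
        elseif ($section -and $line -match '^\s*([^=\s]+)\s*=\s*(.*?)\s*$') { $data[$section][$Matches[1]] = $Matches[2] }
    }
    return $data
}

$pol = Read-SecurityInf $inf
# [Event Audit] values: 0 = none, 1 = success, 2 = failure, 3 = success and failure.
$rules = @(
    @{ Item = 'Minimum password length 8';     Sec = 'System Access'; Key = 'MinimumPasswordLength'; Ok = { param($v) [int]$v -ge 8 } }
    @{ Item = 'Lockout after 3 bad attempts';  Sec = 'System Access'; Key = 'LockoutBadCount';       Ok = { param($v) [int]$v -ge 1 -and [int]$v -le 3 } }
    @{ Item = 'Audit logon/logoff';            Sec = 'Event Audit';   Key = 'AuditLogonEvents';      Ok = { param($v) [int]$v -eq 3 } }
    @{ Item = 'Audit user/group management';   Sec = 'Event Audit';   Key = 'AuditAccountManage';    Ok = { param($v) [int]$v -eq 3 } }
    @{ Item = 'Audit security policy changes'; Sec = 'Event Audit';   Key = 'AuditPolicyChange';     Ok = { param($v) [int]$v -eq 3 } }
    @{ Item = 'Audit restart/shutdown/system'; Sec = 'Event Audit';   Key = 'AuditSystemEvents';     Ok = { param($v) [int]$v -eq 3 } }
)
foreach ($r in $rules) {
    $sec    = $pol[$r.Sec]
    $v      = if ($sec) { $sec[$r.Key] } else { $null }   # missing key means the setting was never defined
    $status = if ($null -ne $v -and (& $r.Ok $v)) { 'PASS' } else { 'FAIL' }
    '{0,-34} {1,-10} {2}' -f $r.Item, $(if ($null -eq $v) { '<not set>' } else { $v }), $status
}

# Slide 34: each event log larger than 2048K. MaxSize is stored in bytes.
foreach ($log in 'Application', 'Security', 'System') {
    $max    = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$log" -ErrorAction SilentlyContinue).MaxSize
    $status = if ($max -gt 2048KB) { 'PASS' } else { 'FAIL' }
    '{0,-34} {1,-10} {2}' -f "$log log max size", $(if ($max) { "$($max / 1KB)K" } else { '<not set>' }), $status
}
Remove-Item $inf -ErrorAction SilentlyContinue
```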

35 Log -> Log Settings

36 Event Viewer (Windows 2000): My Computer -> Control Panel -> Administrative Tools -> Event Viewer

37 Using dumpel for audit logs

38 Sample VT NT Level 1 Ruler
- For the rest of the ruler, go to and look in the Checklists section for Marc’s document
- Some may consider his requirements to be really strict, but some may like them.

39 Sample Windows 2000 Level 2 Ruler
- Rules of Engagement for Active Directory
- Developed at VA Tech for our AD structure
  - Marc Debonis
- Allows lower-level admins to control their own domains
- Not for everyone
- Somewhat draconian

40 Sample VT Level 2 Ruler: Active Directory ROE
- The child domain must have at least 1 full-time peer BDC for the child domain
- The child domain controllers must meet Microsoft’s minimum computer hardware requirements
- No 3rd-party or Microsoft add-on software is allowed on child domain controllers
  - IIS, Certificate Services, Indexing Service, Windows Media Services, DNS, DHCP, WINS, printer/file services

41 Sample VT Level 2 Ruler: Active Directory ROE
- The child domain controllers must be in a backup program and have full recoverability tested
- The child domain controllers must allow and not block group policy objects replicated from the root
- All W2K hosts must follow prescribed DNS naming conventions (

42 Sample VT Level 2 Ruler: Active Directory ROE
- All W2K hosts within the child domain will use the root AD DDNS server settings. Child DCs will use static IP addresses and will not run DHCP servers
- Child domains will not attempt to create child domains “below” theirs. They will use OUs to do this.

43 Sample VT Level 2 Ruler: Active Directory ROE
- No non-administrative local logins will be allowed to the child domain controllers. The CDCs will be housed in secure areas with controlled access
- 2 weeks of event/audit log backups will be kept, and access to them will be given to the AD enterprise admins for security/debugging purposes.

44 Sample VT Level 2 Ruler: Active Directory ROE
- All service packs will be installed in a timely manner, coordinated with root AD controller upgrades
- Will people buy into this?
  - Some will, some won’t, but those that do are more secure.

45 Whew!
- You’ve got a basic strategy for building security checklist/audit plans for
  - Perimeter
  - Unix
  - NT
  - Windows 2000
Please fill out your comment sheets!

46 Today’s Course Goals
- Construct a high-level security checklist from the CIS rulers for your site.
  - Unix, NT, Windows 2000
- Use TBS to provide a response to your internal auditors and secure your systems.
- Use STAR to define the $$$ cost of implementing security features at your site.
  - This method can be used over time to show trends
- Develop a set of reports/matrices that can be used to quickly identify the security status of a host at your site.

47 URLs referred to in this course
- STAR Matrices
- Sample R/A Documents
- Top Ten Vulnerabilities
- Top Ten Blocking
- Egress Filtering
- CVE
- GIAC Practicals
- RFC 2196
- Center for Internet Security

48 Course Revision History
