
Office of Information Technology

Faculty and Staff Windows XP System Hardening Policy June 6, 2003 Version 1.0

Qui non est hodie cras minus aptus erit. (He who is not prepared today will be less so tomorrow.) - Ovid

Introduction

System security is a cyclical process. Steps have to be taken daily to ensure the integrity of data and the security of a system. The process of system hardening is not a one-time event; it is a dynamic and reiterative process. Security holes are discovered daily in operating systems and programs. A secure system today may not be secure tomorrow.

System security cannot be considered inconsequential. Who would want to break into this system, and why would they want to? The how and where of this line of questioning can fill volumes. The who could be anyone, whether they have legitimate access or not. The why is simple: free computing resources to be used by an intruder in any way they see fit. A compromised system can quickly become a liability as the compromised machine begins to affect the network or operations on other machines locally and remotely.

A system can be compromised via non-patched or insecure network applications. However, there are many more ways that a system can be compromised via a local account. Because of this fact, every aspect of the system and its maintenance must be considered when securing it.

Because there is no magic bullet for securing a system, securing in layers while adding granularity at each level is the best approach. For example, physical security is one layer. An example of adding granularity to physical security is to use badge access to the area where a machine is located. Host security could be considered the top layer. An example of granularity at this layer is securing the kernel.

Security in Layers

Mus uni non fidit antro. (A mouse does not rely on just one hole.) - Plautus

Security in layers is the preferred approach to securing a system. The template below offers a basic level of granularity. It should not be taken as an absolute; rather, it is a base that should be extended upon by each system administrator:

Host
    Application: Web, Mail, File sharing, shared programs (e.g. word processing)
    OS: Kernel, system binaries, system network parameters, file system, file and directory security
    User: Passwords, Permissions, Accounting, User programs
Physical
    Console access, System in protected area (locked and/or badge access)

One single mechanism cannot be relied upon for the security of a system. It should be looked at from every angle, with all the pieces and parts taken into consideration.

Physical Security

All systems analysts, support personnel, and system users need to be aware that physical security plays an equally important role in the overall protection of each system attached to the University's networks. Restrict access to each machine, with the minimum requirement being the establishment of a hardened screen saver password. BIOS passwords should be used for systems that handle sensitive and/or business critical information. Use of these passwords (screensaver and BIOS) by all Windows XP users on the campus is an excellent protection mechanism against unauthorized physical access. It should also be noted that a system that is allowed unrestricted and unmonitored access by the University population is vulnerable to break-in even if these passwords (screensaver or BIOS) are set.

To that end, this document contains specific guidelines for establishing a secure Windows XP computing environment. The document is meant to provide The University of Tennessee, Knoxville support personnel and all interested system users with a systematic approach to establishing and maintaining secure systems. This Policy will be maintained and kept current according to accepted industry standards by the Information Technology Security Group (ITSG) with the approval of the Security Advisory Council (SAC). Please note that all exceptions to this guide shall be submitted in writing to security@utk.edu.

The OIT Password Policy can be found at http://oit.utk.edu/infosec/ under the Policies and Procedures section and is recommended for all systems at the University. In addition, this policy does not specifically identify or comment on anti-virus or personal firewall software. Anti-virus software is required according to the University's Acceptable Use Policy (AUP), and firewall software is highly recommended for all systems, especially those with sensitive information. For additional information contact the LAN and Desktop Support (LADS) group at (865) 974-9800.
A simple but invaluable rule of thumb in the reiterative process of system security is to know your machine: be familiar with its users, processes, and files.

Ora et labora. (Pray and labor.) - St. Benedict

Step 1 - Hardening the Operating System and Application Code

The first thing you need to do is make sure that the Operating System and Applications are up-to-date with service packs and hotfixes.

Microsoft periodically distributes large updates to its operating systems in the form of Service Packs. Service Packs include all the major and minor fixes up to the date of the service pack, and are extensively tested by Microsoft prior to release. Service Packs should be used in a test environment before being pushed into production due to the possibility of undetected bugs. If a test system is not available, wait a week or two after the release of a Service Pack, and pay attention to the Microsoft web site for potential bug reports.

Microsoft also distributes intermediate updates to their operating systems in the form of a Hotfix. These updates are usually small and address a single problem. Hotfixes can be released within hours of discovering a particular bug or vulnerability. Since they are normally released so quickly, they should be used with caution. Each Hotfix includes a description of the issue it resolves. These should be weighed to determine if the risk of installing the Hotfix is worth the risk of not installing it.

It is important to be aware that Service Packs and Hotfixes are not just applicable to operating systems. Individual applications have their own Service Pack and Hotfix requirements. The total security of the system requires attention to both Operating System and application levels.

The process of discovering which Service Pack and hotfixes are needed has been automated since the release of Windows XP. The following steps outline the automated process of discovering and installing Service Packs and hotfixes on a Windows XP system.

1. Open Internet Explorer, go to Tools -> Windows Update
2. Click on the link to Scan for Updates
3. When asked if you trust Microsoft, say yes to proceed.

Windows Update will take a few moments to analyze your system. You will then be prompted with a listing of Service Packs or Hotfixes available for your system.

Additionally, the following websites provide the necessary information to perform the updates manually.

Microsoft Windows Security: http://www.microsoft.com/security
Service Pack Information: http://www.microsoft.com/windowsxp/pro/downloads/default.asp
Current Critical Hotfixes: http://www.microsoft.com/windowsxp/pro/downloads/servicepacks/sp1/hfdeploy.asp
Security Bulletins: http://www.microsoft.com/technet/security/

Microsoft also provides a Product Security Notification email service. The goal of this service is to provide accurate information to inform and protect their customers from malicious attacks. To subscribe to the Product Security Notification service, visit the Microsoft Profile Center at http://register.microsoft.com/regsys/pic.asp

It is recommended that the Windows Time service be enabled for file date/time stamp accuracy and event log precision. Windows XP has a built-in NTP client that can be enabled as follows:

1. In a command prompt window, type: net time /setsntp:ntp.utk.edu (where ntp.utk.edu is a preferred NTP server)
2. Right-click on My Computer and select Manage
3. In the left-hand window, expand Services and Applications and select Services
4. In the right-hand window, scroll down and double-click on Windows Time.
5. In the Startup type drop-down, select Automatic
6. Click the Start button (unless the service is already started) and click on OK

Step 2 - Hardening File System Security

The second thing you need to do is make sure that your hard drive partitions are formatted with NTFS (NT File System). This file system is more secure than the FAT or FAT32 partition schemes. Allowed exceptions to this requirement are centrally managed servers and dual boot systems.

To check your hard drive partitions:
1. Log in as Administrator.
2. Double-click on My Computer
3. Right-click on each hard drive letter and choose Properties.
4. The General tab will identify the file system type.
5. Click Cancel to close the Properties window.
6. Follow steps 1-5 for each drive letter, noting which ones are labeled FAT or FAT32.

Converting FAT or FAT32 partitions to NTFS:
1. Go to Start -> Run
2. Type cmd and click OK.
3. At the command prompt type:
4. convert drive /FS:NTFS /V (where drive = one of the drive letters you noted above, e.g. D:)
5. Hit return to run the command
6. Follow steps 1-4 for each FAT or FAT32 partition.
7. Reboot the system for the changes to take effect

Disable Automated Logins:
1. Start -> Control Panel -> User Accounts (for Classic View: Start -> Settings -> Control Panel -> User Accounts)
2. Select a Username
3. Make sure there is a password set for each user account that is enabled.

Step 3 - Hardening Local Security Policies

The third thing you need to do is modify the default local security policy. Windows XP allows you easy access to the basic security functionality of your system. While many system attacks take advantage of software inadequacies, many also make use of user accounts on a Windows computer. In order to prevent this sort of vulnerability, "policies" or rules define what sort of account/password "behavior" is appropriate, and what auditing behavior is required. The configuration of user account policies is inadequate or disabled in a default installation.

Account Policies answer questions like "How often do I need to change my password?" or "How long or how complex does my password need to be?" These policies are often left disabled or weak, leaving many machines vulnerable to attack with little or no effort. Please review the OIT Password Policy located at
http://oit.utk.edu/infosec/Password_Recommendations.htm for information concerning passwords.

Auditing Policies determine what sorts of security transactions are recorded in the Security Event Log. By default, nothing is retained in the Security Event Log, so any attempts to compromise a system go completely unrecorded. Logging events is crucial for analysis in the aftermath of an intrusion incident.

The options discussed in this section can be set using the Local Security Policy editor on each individual system. Nevertheless, Group Policy configurations may override any changes made at the local level. Thus, ensure that Group Policy meets the same guidelines. The following suggested changes will make your system much more secure.

To access the Local Security Policy Editor tool:
1. Go to Start -> Control Panel -> Administrative Tools -> Local Security Policy (for Classic View: Start -> Settings -> Control Panel -> Administrative Tools -> Local Security Policy)
2. Expand Account Policies by clicking the + box
3. Select the appropriate category
4. Double-click the individual policy settings to make the following changes:
5. When all settings have been configured, close the policy editor

Password Policy
    Enforce password history                                                 12 passwords remembered
    Maximum password age                                                     180 days
    Minimum password age                                                     0 days
    Minimum password length                                                  8 characters
    Passwords must meet complexity requirements                              Enabled
    Store password using reversible encryption for all users in the domain   Disabled

Account Lockout Policy
    Account lockout threshold                                                7 invalid logon attempts
    Account lockout duration                                                 30 minutes
    Reset account lockout counter after                                      30 minutes

Please refer to the OIT Password Policy for recommendations on making strong passwords. This can be found under the Policies and Procedures section of the ITSG web site (http://oit.utk.edu/infosec/Password_Recommendations.htm).

Audit Policy
    Audit account logon events                                               Success, Failure
    Audit account management                                                 Success, Failure
    Audit directory service access                                           No Auditing
    Audit logon events                                                       Success, Failure
    Audit object access                                                      Failure
    Audit policy change                                                      Success, Failure
    Audit privilege use                                                      Failure
    Audit process tracking                                                   No Auditing
    Audit system events                                                      Success, Failure
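As an added illustration (not part of the original policy), the following Python script compares a secedit export of the local policy against the Password, Account Lockout and Audit Policy values in the tables above and reports every deviation. The embedded export is a constructed sample of a mostly default install; the key names are the ones secedit writes in its INF templates.

```python
"""Check an exported Local Security Policy against the Step 3 tables.

Added example, not part of the original policy document. On Windows XP the
local policy can be exported with "secedit /export /cfg policy.inf"; the
[System Access] and [Event Audit] key names below are the ones secedit
writes. The sample export embedded here is constructed for illustration.
"""
import re

# Step 3 recommended values keyed by their secedit INF names.
# Audit codes: 0 = No Auditing, 1 = Success, 2 = Failure, 3 = Success, Failure.
RECOMMENDED = {
    "System Access": {
        "PasswordHistorySize": 12,   # passwords remembered
        "MaximumPasswordAge": 180,   # days
        "MinimumPasswordAge": 0,     # days
        "MinimumPasswordLength": 8,  # characters
        "PasswordComplexity": 1,     # Enabled
        "ClearTextPassword": 0,      # reversible encryption: Disabled
        "LockoutBadCount": 7,        # invalid logon attempts
        "LockoutDuration": 30,       # minutes
        "ResetLockoutCount": 30,     # minutes
    },
    "Event Audit": {
        "AuditAccountLogon": 3, "AuditAccountManage": 3, "AuditDSAccess": 0,
        "AuditLogonEvents": 3, "AuditObjectAccess": 2, "AuditPolicyChange": 3,
        "AuditPrivilegeUse": 2, "AuditProcessTracking": 0, "AuditSystemEvents": 3,
    },
}
AUDIT_NAMES = {0: "No Auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}

# Constructed sample export from a mostly default XP Professional install;
# secedit omits LockoutDuration/ResetLockoutCount when the threshold is 0.
SAMPLE_INF = """\
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
"""


def parse_inf(text):
    """Parse the INI-style secedit export into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def check_policy(inf_text):
    """Return (section, key, expected, actual) for each setting that deviates.

    A key missing from the export (e.g. LockoutDuration when the lockout
    threshold is 0) is reported with actual=None.
    """
    exported = parse_inf(inf_text)
    findings = []
    for section, expected in RECOMMENDED.items():
        actual = exported.get(section, {})
        for key, want in expected.items():
            raw = actual.get(key)
            have = int(raw) if raw is not None and re.fullmatch(r"-?\d+", raw) else raw
            if have != want:
                findings.append((section, key, want, have))
    return findings


def describe(finding):
    """Render one finding with audit codes spelled out as in the table."""
    section, key, want, have = finding
    if section == "Event Audit":
        want, have = AUDIT_NAMES.get(want, want), AUDIT_NAMES.get(have, have)
    return f"{key}: expected {want}, found {have}"


if __name__ == "__main__":
    for finding in check_policy(SAMPLE_INF):
        print(describe(finding))
```

Run against a real export, the script lists each setting to correct in the Local Security Policy editor; an empty result means the machine matches the tables.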

* It is important to frequently check the Event Viewer to review log files for possible security concerns. It is optimal to log a minimum of seven days of activity in the application, system, and security logs. In order to maintain the information for seven days, users need to increase the size of the log files. You can access the Event Viewer by going to Start -> Control Panel -> Administrative Tools -> Event Viewer (for Classic View: Start -> Settings -> Control Panel -> Administrative Tools -> Event Viewer).

User Rights Assignment

User Right | Domain Controller | Standalone/Professional | Member Server
Access this computer from the network | Domain Users | Domain Users | Remove Everyone
Act as part of the operating system | None | None | None
Add workstations to domain | Administrators | None | None
Adjust memory quotas for a process | Administrators | Administrators | Administrators
Allow logon through Terminal Services | None | None | None
Back up files and directories | Backup Operators, Administrators | Backup Operators, Administrators | Backup Operators, Administrators
Bypass traverse checking | Administrators, Server Operators, and Backup Operators | Administrators, Server Operators, and Backup Operators | Administrators
Change the system time | Administrators | Administrators | Administrators and Power Users
Create a pagefile | Domain Admins | Administrators | Administrators
Create a token object | None | None | None
Create permanent shared objects | None | None | None
Debug programs | None (except in off-internet development) | None (except in off-internet development) | None (except in off-internet development)
Deny access to this computer from the network | None | None | None
Deny logon as a batch job | None | None | None
Deny logon as a service | None | None | None
Deny logon locally | None | None | None
Deny logon through Terminal Services | None | None | None
Enable computer and user accounts to be trusted for delegation | Use this right only if testing reveals it is necessary. | Use this right only if testing reveals it is necessary. | Use this right only if testing reveals it is necessary.
Force shutdown from a remote system | Administrators | Administrators | None
Generate security audits | None | None | None
Increase scheduling priority | Administrators | Administrators | Administrators
Load and unload device drivers | Administrators | Administrators | Administrators
Lock pages in memory | None | None | None
Log on as a batch job | None | None | None
Log on as a service | Replicators | None | None
Log on locally | Administrators, Server Operators, and Backup Operators | Administrators, Server Operators, and Backup Operators | Administrators and Authenticated Users
Manage auditing and security log *** | Administrators | Administrators | Administrators
Modify firmware environment values | Administrators, Server Operators, and Backup Operators | Administrators | Administrators
Perform volume maintenance tasks | Administrators | Administrators | Administrators
Profile single process *** | None | None | None
Profile system performance *** | None | None | None
Remove computer from docking station | None | None | None
Replace a process level token | None | None | None
Restore files and directories | Backup Operators, Administrators | Backup Operators, Administrators | Backup Operators, Administrators
Shut down the system | Administrators and Server Operators | Administrators and Server Operators | Administrators and Authenticated Users
Synchronize directory service data | None | None | None
Take ownership of files or other objects | Administrators | Administrators | Administrators

*** Note: Service-specific accounts can be granted User Rights that are necessary to perform specific user functions.

Security Options

Local Security Policy | Recommended Settings
Accounts: Administrator account status | Enabled
Accounts: Guest account status | Enabled
Accounts: Limit local account use of blank passwords to console logon only | Enabled
Accounts: Rename administrator account | <configure locally>
Accounts: Rename guest account | <configure locally>
Audit: Audit the access of global system objects | Disabled
Audit: Audit the use of Backup and Restore privileges | Disabled
Audit: Shut down system immediately if unable to log security audits | Disabled
Devices: Allow undock without having to log on | Enabled
Devices: Allowed to format and eject removable media | Administrators
Devices: Prevent users from installing printer drivers | Disabled
Devices: Restrict CD-ROM access to locally logged-on user only | Disabled
Devices: Restrict floppy access to locally logged-on user only | Disabled
Devices: Unsigned driver installation behavior | Warn but allow installation
Domain controller: Allow server operators to schedule tasks | Not defined
Domain controller: LDAP server signing requirements | Not defined
Domain controller: Refuse machine account password changes | Not defined
Domain member: Digitally encrypt or sign secure channel data (always) | Enabled
Domain member: Digitally encrypt secure channel data (when possible) | Enabled
Domain member: Digitally sign secure channel data (when possible) | Enabled
Domain member: Disable machine account password changes | Disabled
Domain member: Maximum machine account password age | 30 days
Domain member: Require strong (Windows 2000 or later) session key | Disabled
Interactive logon: Do not display last user name | Disabled
Interactive logon: Do not require CTRL+ALT+DEL | Not defined
Interactive logon: Message text for users attempting to log on | (banner text below)

    * * * * * * * W A R N I N G * * * * * * * **
    This computer system is the property of the University of Tennessee. It is for authorized use only. Users have no expectation of privacy in any materials they place or view on this system. The University complies with state and federal law regarding certain legally protected confidential information, but makes no representation that any other uses of this system will be private or confidential. Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to authorized University and law enforcement personnel, as well as authorized individuals of other organizations. By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection and disclosure at the discretion of authorized University of Tennessee personnel. Unauthorized or improper use of this system may result in administrative disciplinary action and/or civil charges/criminal penalties. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.
    * * * * * University of Tennessee * * * * * *

Interactive logon: Message title for users attempting to log on | Warning: This is a monitored computer system!
Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 0 logons
Interactive logon: Prompt user to change password before expiration | 14 days
Interactive logon: Require Domain Controller authentication to unlock workstation | Disabled
Interactive logon: Smart card removal behavior | No Action
Microsoft network client: Digitally sign communications (always) | Disabled
Microsoft network client: Digitally sign communications (if server agrees) | Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled
Microsoft network server: Amount of idle time required before suspending session | 15 minutes
Microsoft network server: Digitally sign communications (always) | Disabled
Microsoft network server: Digitally sign communications (if client agrees) | Disabled
Microsoft network server: Disconnect clients when logon hours expire | Enabled
Network access: Allow anonymous SID/Name translation | Disabled
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Disabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication | Disabled
Network access: Let Everyone permissions apply to anonymous users | Disabled
Network access: Named pipes that can be accessed anonymously | COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC, EPMAPPER, LOCATOR, TrkWks, TrkSvr
Network access: Remotely accessible registry paths | System\CurrentControlSet\Control\ProductOptions; System\CurrentControlSet\Control\Print\Printers; System\CurrentControlSet\Control\Server Applicati; System\CurrentControlSet\Services\Eventlog; Software\Microsoft\OLAP Server; Software\Microsoft\Windows NT\CurrentVersion; System\CurrentControlSet\Control\ContentIndex; System\CurrentControlSet\Control\Terminal Server; System\CurrentControlSet\Control\Terminal Server\UserConfig; System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Network access: Shares that can be accessed anonymously | COMCFG, DFS$
Network access: Sharing and security model for local accounts | Guest only - local users authenticate as Guest
Network security: Do not store LAN Manager hash values on next password change | Disabled
Network security: Force logoff when logon hours expire | Disabled
Network security: LAN Manager authentication level | Send LM & NTLM responses
Network security: LDAP client signing requirements | Negotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | No minimum
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | No minimum
Recovery console: Allow automatic administrative logon | Disabled
Recovery console: Allow floppy copy and access to all drives and all folders | Disabled
Shutdown: Allow system to be shut down without having to log on | Enabled
Shutdown: Clear virtual memory pagefile | Disabled
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Disabled
System objects: Default owner for objects created by members of the Administrators group | Object Creator
System objects: Require case insensitivity for non-Windows subsystems | Enabled
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled

### Note: An exception to enabling "Do not display last user name" in the logon screen is allowed for specific applications.

Step 4 - Hardening Default Accounts

The fourth thing you need to do is change the default configuration of the Administrator and Guest accounts. In general, a prospective user must have a username and password to access a Windows XP system. The default installation of Windows XP creates an Administrator and a Guest account. By changing these account names, system security is greatly enhanced. The following actions should be taken:

Configuring the Administrator Account:
1. Log in as Administrator.
2. Go to Start -> Control Panel -> Administrative Tools -> Computer Management
3. Open Local Users and Groups (for Classic View: Start -> Settings -> Control Panel -> Administrative Tools -> Computer Management)
4. Open Local Users and Groups
5. Click on the Users folder
6. Right-click the Administrator account, and choose to rename it. Make it a non-obvious name.
7. Right-click this renamed Administrator account and select Set Password.

The Guest account is disabled in Windows XP by default. Enabling the Guest account allows anonymous users to access the system. If you share a folder, the default permission is that Everyone has full control. Since the Guest account is included in Everyone, system security is dramatically weakened. A standard practice is to always remove the share permissions from Everyone and add them to Authenticated Users. This is a much safer configuration.

Configuring the Guest Account:
1. Right-click the Guest account, and choose to rename it. Make it a non-obvious name.
2. Right-click this renamed Guest account, then select Set Password.

Step 5 - Hardening Services

The fifth thing you should do is remove programs and services that are not needed. The more applications that are installed on your system, the greater the risk of one of them containing a bug or security flaw. Thus, you should remove all unnecessary programs and services.

WARNING: Disabling services without understanding what each does can make a system react adversely. Not all services are optional, thus be careful which services are changed. The following table outlines a few examples of services that can possibly be disabled. It is very important to understand that an improperly configured service can present a vulnerability that can bypass security measures. Thus, it is critical to understand the function of each active service. There are numerous vulnerabilities in the Microsoft BackOffice product and other 3rd party applications. You should contact the appropriate software vendors for additional security information on the services installed on your system.

SERVICE | DESCRIPTION | ACTION
Alerter | The Alerter service makes it possible for Windows XP computers to alert each other of problems. This feature is generally unused. | Disable if Unneeded
Clipbook | The Clipbook service is used to transfer clipboard information from one computer to another. This is generally only used in Terminal Services. | Disable if Unneeded
Messenger | The Messenger service works in conjunction with the Alerter service. | Disable if Unneeded
NetMeeting Remote Desktop Sharing | NetMeeting users have the option to share their desktops, and allow other NetMeeting users to control their workstation. | Disable if Unneeded @@@
Telnet | The Telnet service allows a remote user to connect to a machine using a command prompt. Use SSH if this functionality is needed. | Reference Telnet Policy: http://oit.utk.edu/infosec/

@@@ - Please be aware that video conferencing capabilities are directly affected by this setting. If you plan to participate in any video conference activities, contact a technical representative for the required settings.

Step 6 - Prepare System for an Incident

The sixth and final thing you should do is to prepare the system for an incident. The information outlined in this step is for trained System Administrators only. It is sufficient for the general user to be aware of potential threats, to monitor the performance and functionality of their system, and to notify the ITSG if they see any unusual activities. It is recommended that all general system users contact a qualified System Administrator or the ITSG prior to attempting any of the activities listed in this section of the Hardening Guide.

While the actions outlined in this guide will dramatically increase system security, system vulnerabilities may still exist. New security holes are discovered regularly; thus, preparing for the worst is critical. These steps should help to facilitate identifying a system compromise, allow for forensic analysis, and enable a timely recovery.

Identifying a System Compromise

Aside from consistently watching for common indications of a system compromise (listed below), you should consider recording cryptographic checksums. By doing so you can establish a baseline of system binaries, application code, and data. This allows you to compare the current file system against a known reliable version.

1. A system alarm or similar indication from an intrusion detection tool
2. Suspicious entries in system or network accounting (e.g., a UNIX user obtains privileged access without using authorized methods)
3. Accounting discrepancies (e.g., someone notices an 18-minute gap in the accounting log for which there is no correlation)
4. Unsuccessful logon attempts
5. New user accounts of unknown origin
6. New files of unknown origin and function
7. Unexplained changes or attempts to change file sizes, checksums, or date/time stamps, especially those related to system binaries or configuration files
8. Unexplained addition, deletion, or modification of data
9. Denial of service activity or inability of one or more users to log in to an account, including admin/root logins to the console
10. System crashes
11. Poor system performance
12. Unauthorized operation of a program or the addition of a sniffer application to capture network traffic or usernames/passwords
13. Port scanning (use of exploit and vulnerability scanners, remote requests for information about systems and/or users, or social engineering attempts)
14. Unusual usage times (statistically, more security incidents occur during non-working hours than at any other time)
15. An indicated last time of usage of an account that does not correspond to the actual last time of usage for that account
16. Unusual usage patterns (e.g., programs are being compiled in the account of a user who does not know how to program)

The most commonly accepted cryptographic checksum used today is the MD5 algorithm, created by Ron Rivest of MIT and published in April 1992 as RFC 1321. To learn more about the MD5 algorithm or to download the source code, visit one of the following websites:

RFC 1321: http://www.landfield.com/rfcs/rfc1321.html
MD5 Algorithm (available in the Cygwin distribution): ftp://mirrors.rcn.net/mirrors/sources.redhat.com/cygwin/setup.exe

Additionally, commercial products such as Tripwire automate the process and provide a management interface for easy administration.
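The checksum baseline described above, as an added example that is not part of the original policy: a small Python script that records a digest for every file under a directory, stores the baseline, and later reports files added, removed or modified, which is the manual form of what Tripwire automates. It defaults to SHA-256 rather than the MD5 the text names (MD5 is accepted via the algorithm parameter); the sample tree and the changes made to it are constructed in a temporary directory and the file names are illustrative only.

```python
"""Baseline-and-compare file checksums to spot changed system files.

Added example, not part of the original policy document. It records a digest
per file (SHA-256 by default; pass algorithm="md5" for the MD5 the text refers
to, though SHA-256 is the stronger choice today) and reports files added,
removed or modified since the baseline was taken. The demo tree is constructed
in a temporary folder; its file names are illustrative only.
"""
import hashlib
import json
import os
import tempfile


def file_digest(path, algorithm="sha256", chunk=65536):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, algorithm="sha256"):
    """Return {relative_path: digest} for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_digest(full, algorithm)
    return baseline


def save_baseline(baseline, path):
    # Keep the baseline on write-once or remote media, as the text advises:
    # an intruder who can rewrite the baseline can hide any change.
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Classify differences between a stored baseline and a fresh scan."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def write(path, data):
    """Create parent folders and write bytes (helper for the constructed tree)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Baseline a constructed tree, alter it, and return the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "tree")
        write(os.path.join(root, "system32", "cmd.exe"), b"original binary contents")
        write(os.path.join(root, "boot.ini"), b"[boot loader]\n")
        baseline_file = os.path.join(tmp, "baseline.json")  # outside the scanned tree
        save_baseline(build_baseline(root), baseline_file)

        # Changes of the kind items 6 and 7 in the list above describe:
        # a replaced binary, a deleted configuration file and a new unknown file.
        write(os.path.join(root, "system32", "cmd.exe"), b"replaced binary contents")
        os.remove(os.path.join(root, "boot.ini"))
        write(os.path.join(root, "system32", "unknown.dll"), b"unknown contents")

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline is taken right after Steps 1 to 5 are complete, from a system known to be clean, and the comparison is re-run on a schedule and whenever one of the indicators above is observed.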
Tripwire is available at http://www.tripwire.com.

Forensic Analysis

Forensic Analysis is the process of unearthing data of probative value from computer and information systems. The University of Tennessee, Knoxville Computer Incident Response Team (CIRT) is responsible for gathering data and identifying security improvements for all security issues. Thus, it is imperative to maintain the integrity of possible evidence. This includes log files, trusted cryptographic checksums, and information pertaining to system users/groups.

Hackers are ever increasing their ability to cover their trails. Log files are often deleted or modified to protect the identity of the intruder. Thus, measures to preserve the integrity of log files should be taken. Perhaps the best method is to use a remote logging software application that allows system logs to be stored on a remote system. The following list of actions will greatly increase the ability of investigators to pursue an intruder:

- Set proper permissions on log files
- Use a separate server to gather log files
- Make regular backups of log files
- Use write-once media for log files
- Encrypt the log files
- Review log files on a frequent basis

Additionally, there are a few 3rd party tools that enable Windows XP to send log files to a remote server. They are:

SL4NT at http://www.netal.com/sl4nt.htm
Kiwi Syslog at http://www.kiwisyslog.com

Timely Recovery

Regular complete system backups can be a useful resource during the recovery process. Using commercial software such as Ghost allows you to create a production image of the system after service packs, hotfixes, and security settings have been applied. This allows you to rebuild the system to a trusted version of the system configuration quickly. Traditional backup methods are also useful for protecting applications and data.

Additional Resources

No one document can provide a complete guide to securing a Windows XP system. Thus, the following resources are available for additional information regarding the theory and concepts behind this document.

The Center for Internet Security: http://www.cisecurity.org
The SANS Institute: http://www.sans.org
National Security Agency Security Recommendation Guides: http://nsa1.www.conxion.com
Microsoft Windows Security: http://www.microsoft.com/security

