
BBVA Standard Build Win2003


Windows 2003 Server Standard Build, Page 1

Definition of a Secure Initial Configuration for Windows 2003 Server

This document defines a Windows 2003 baseline. This configuration must be applied to every server, whether it is a member of a Domain or stand-alone. The document also serves as the starting point for any hardening procedure applied according to the server's role.

Version 1.0 (June 2004)

Operating System Installation

1.- Enable physical security controls for the machine. It must be located in a Data Center with restricted access, preferably with a lock on the CPU cabinet.

2.- Update the firmware to its most recent version. Obtain the latest version from the manufacturer's web site. For new machines.

3.- Create three disk partitions, all formatted with NTFS: one for the operating system (C:), one for applications (D:) and one for data (web pages, for example) (E:). For new machines.

4.- Enable the machine's boot password.

5.- Disable unnecessary devices in the CMOS setup, such as the infrared port or additional serial ports.

6.- Disable booting from diskette and CD-ROM.

7.- Install Windows 2003 Server.

8.- Apply the latest Service Pack and HotFixes:

http://windowsupdate.microsoft.com

9.- Set the date and time, and verify that the time zone is configured correctly.

NOTE: Bear in mind, for analysis purposes, that IIS log records use GMT, not the machine's local time.

10.- Create an Emergency Repair Disk, now and every time the system configuration changes, and store it in a protected location.

CONFIDENTIAL


Operating System Configuration

11.- Rename the local “Administrador” account, assign it a strong password and store the password in a safe place. The proposed name for the administrator account is admin.

12.- Create a second administrative account with the same characteristics. Use this account for administration tasks.

13.- Create two local accounts named “Administrador” and “Administrator”, defined without any privileges.

14.- Assign a strong password to the Guest account, then disable it.

15.- Review and remove unnecessary accounts.

16.- Configure the screen saver with a strong unlock password; the timeout must be no more than 15 minutes.

17.- When Windows 2003 is installed, the default services are configured to start automatically, and many of them are not needed for the system to operate. Remember that any service or application is a potential point of attack. The following services are not needed for the server to operate in a Windows 2003 Domain, so the recommended configuration is as follows.

Service | State
Alerter | Disabled
Application Layer Gateway Service | Disabled
Application Management | Disabled
ASP .NET State Service | Disabled
Automatic Updates | Automatic
Background Intelligent Transfer Service | Manual
Certificate Services | Disabled
MS Software Shadow Copy Provider | Manual
Client Service for NetWare | Manual
ClipBook | Disabled
Cluster Service | Disabled
COM+ Event System | Manual
COM+ System Application | Disabled
Computer Browser | Automatic
Cryptographic Services | Automatic
DHCP Client | Automatic
DHCP Server | Disabled
Distributed File System | Disabled
Distributed Link Tracking Client | Disabled
Distributed Link Tracking Server | Disabled
Distributed Transaction Coordinator | Disabled
DNS Client | Automatic
DNS Server | Disabled
Error Reporting Service | Disabled
Event Log | Automatic
Fax Service | Disabled
File Replication | Disabled
File Server for Macintosh | Disabled
FTP Publishing Service | Disabled
Help and Support | Disabled


HTTP SSL | Disabled
Human Interface Device Access | Disabled
IAS Jet Database Access | Disabled
IIS Admin Service | Disabled
IMAPI CD-Burning COM Service | Disabled
Indexing Service | Disabled
Infrared Monitor | Disabled
Internet Authentication Service | Disabled
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) | Disabled
Intersite Messaging | Disabled
IP Version 6 Helper Service | Disabled
IPSEC Policy Agent (IPSec Service) | Automatic
Kerberos Key Distribution Center | Disabled
License Logging Service | Disabled
Logical Disk Manager | Manual
Logical Disk Manager Administrative Service | Manual
Message Queuing | Disabled
Message Queuing Down Level Clients | Disabled
Message Queuing Triggers | Disabled
Messenger | Disabled
Microsoft POP3 Service | Disabled
MSSQL$UDDI | Disabled
MSSQLServerADHelper | Disabled
.NET Framework Support Service | Disabled
Netlogon | Automatic
NetMeeting Remote Desktop Sharing | Disabled
Network Connections | Manual
Network DDE | Disabled
Network DDE DSDM | Disabled
Network Location Awareness (NLA) | Manual
Network News Transfer Protocol (NNTP) | Disabled
NTLM Security Support Provider | Automatic
Performance Logs and Alerts | Manual
Plug and Play | Automatic
Portable Media Serial Number | Disabled
Print Server for Macintosh | Disabled
Print Spooler (unless the server is a print server) | Disabled
Protected Storage | Automatic
Remote Access Auto Connection Manager | Disabled
Remote Access Connection Manager | Disabled
Remote Administrator Service | Manual
Remote Desktop Help Session Manager | Disabled
Remote Installation | Disabled
Remote Procedure Call (RPC) | Automatic
Remote Procedure Call (RPC) Locator | Disabled
Remote Registry Service | Automatic
Remote Server Manager | Disabled
Remote Server Monitor | Disabled
Remote Storage Notification | Disabled
Remote Storage Server | Disabled
Removable Storage | Manual
Resultant Set of Policy Provider | Disabled
Routing and Remote Access | Disabled
SAP Agent | Disabled


Secondary Logon | Disabled
Security Accounts Manager | Automatic
Server | Automatic
Shell Hardware Detection | Disabled
Simple Mail Transport Protocol (SMTP) | Disabled
Simple TCP/IP Services | Disabled
Single Instance Storage Groveler | Disabled
Smart Card | Disabled
SNMP Service | Disabled
SNMP Trap Service | Disabled
Special Administrator Console Helper | Disabled
SQLAgent$ (*UDDI or WEBDB) | Disabled
System Event Notification | Automatic
Task Scheduler | Disabled
TCP/IP NetBIOS Helper Service | Automatic
TCP/IP Print Server | Disabled
Telephony | Disabled
Telnet | Disabled
Terminal Services | Automatic
Terminal Services Licensing | Disabled
Terminal Services Session Directory | Disabled
Themes | Disabled
Trivial FTP Daemon | Disabled
Uninterruptible Power Supply | Disabled
Upload Manager | Disabled
Virtual Disk Service | Disabled
Volume Shadow Copy | Manual
WebClient | Disabled
Web Element Manager | Disabled
Windows Audio | Disabled
Windows Image Acquisition (WIA) | Disabled
Windows Installer | Automatic
Windows Internet Name Service (WINS) | Disabled
Windows Management Instrumentation | Automatic
Windows Management Instrumentation Driver Extensions | Manual
Windows Media Services | Disabled
Windows System Resource Manager | Disabled
Windows Time | Automatic
WinHTTP Web Proxy Auto-Discovery Service | Disabled
Wireless Configuration | Disabled
WMI Performance Adapter | Manual
Workstation | Automatic
World Wide Web Publishing Service | Disabled

NOTE: Disabling the services listed above does not take into account the needs of other software packages (such as antivirus or remote control). Check with the vendor which services that software requires so that they are not disabled.
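As an added example, not part of the BBVA document, the following Windows PowerShell script audits the start type of a subset of the services in item 17 against the baseline and, when $Apply is set, enforces it. It assumes the legacy Win32_Service WMI class (Windows PowerShell, not PowerShell 7); the short service names are the standard ones for the rows chosen here, and the hashtable can be extended with the remaining rows.

```powershell
# Added example, not part of the BBVA document: audit (and optionally enforce)
# the start type of services named in item 17. Uses the Win32_Service WMI
# class, whose StartMode property reports Auto, Manual or Disabled.

$Apply = $false   # $true = change start modes and stop services the baseline disables

$baseline = @{
    'Alerter'        = 'Disabled'   # Alerter
    'ALG'            = 'Disabled'   # Application Layer Gateway Service
    'wuauserv'       = 'Auto'       # Automatic Updates
    'BITS'           = 'Manual'     # Background Intelligent Transfer Service
    'Browser'        = 'Auto'       # Computer Browser
    'Messenger'      = 'Disabled'   # Messenger
    'Netlogon'       = 'Auto'       # Netlogon
    'RemoteRegistry' = 'Auto'       # Remote Registry Service
    'Schedule'       = 'Disabled'   # Task Scheduler
    'TlntSvr'        = 'Disabled'   # Telnet
    'SNMP'           = 'Disabled'   # SNMP Service
    'Spooler'        = 'Disabled'   # Print Spooler (unless print server)
    'WebClient'      = 'Disabled'   # WebClient
    'W3SVC'          = 'Disabled'   # World Wide Web Publishing Service
}

$report = @()
foreach ($name in $baseline.Keys) {
    $expected = $baseline[$name]
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($svc -eq $null) {
        # Not installed: nothing to harden, but record it so the audit is complete.
        $report += "$name : not installed"
        continue
    }
    if ($svc.StartMode -ne $expected) {
        $report += "$name : StartMode is $($svc.StartMode), baseline requires $expected"
        if ($Apply) {
            # ChangeStartMode wants the long form "Automatic" where StartMode reports "Auto".
            $mode = $expected
            if ($mode -eq 'Auto') { $mode = 'Automatic' }
            $rc = $svc.ChangeStartMode($mode).ReturnValue   # 0 = success
            if ($rc -ne 0) { $report += "$name : ChangeStartMode failed with code $rc" }
        }
    }
    # A service the baseline disables should not be left running either.
    if ($expected -eq 'Disabled' -and $svc.State -eq 'Running') {
        $report += "$name : running although the baseline disables it"
        if ($Apply) { $null = $svc.StopService() }
    }
}

if ($report.Count -eq 0) { 'All checked services match the baseline.' } else { $report }
```

Run it with $Apply left at $false first so the report can be reviewed against the vendor requirements mentioned in the note above before anything is changed.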

18.- Next, run the “Local Security Policy” tool and make the following changes:

Start -> Administrative Tools -> Local Security Policy


Account Policies: Password Policy

Setting | Value
Enforce password history | 24 passwords remembered
Maximum password age | 42 days
Minimum password age | 2 days
Minimum password length | 8 characters
Passwords must meet complexity requirements | Enabled
Store password using reversible encryption for all users in the domain | Disabled

Account Policies: Account Lockout Policy

Setting | Value
Account lockout duration | 30 minutes
Account lockout threshold | 5 invalid logon attempts
Reset account lockout counter after | 30 minutes

Account Policies: Kerberos Policy

Setting | Value
Enforce user logon restrictions | Not Defined
Maximum lifetime for service ticket | Not Defined
Maximum lifetime for user ticket | Not Defined
Maximum lifetime for user ticket renewal | Not Defined
Maximum tolerance for computer clock synchronization | Not Defined

Local Policies: Audit Policy

Setting | Value
Audit account logon events | Success, Failure
Audit account management | Success, Failure
Audit directory service access | Success, Failure
Audit logon events | Success, Failure
Audit object access | Success, Failure
Audit policy change | Success
Audit privilege use | Failure
Audit process tracking | No auditing
Audit system events | Success

Local Policies: User Rights Assignment

Setting | Value
Allow log on locally (SeInteractiveLogonRight) | Power Users, Backup Operators, Administrators
Allow log on through Terminal Services (SeRemoteInteractiveLogonRight) | Administrators, Remote Desktop Users
Deny access to this computer from the network (SeDenyNetworkLogonRight) | ANONYMOUS LOGON; Built-in Administrator; Guests; Support_388945a0; Guest; all non-operating-system service accounts
Deny log on as a batch job (SeDenyBatchLogonRight) | Guests; Support_388945a0; Guest
Deny log on through Terminal Services (SeDenyRemoteInteractiveLogonRight) | Built-in Administrator; Guests; Support_388945a0; Guest; all non-operating-system service accounts


Restore files and directories (SeRestorePrivilege) | Administrators

Local Policies: Security Options

Setting | Value
Accounts: Guest account status | Disabled
Accounts: Limit local account use of blank passwords to console logon only | Enabled
Audit: Audit the access of global system objects | Disabled
Audit: Audit the use of Backup and Restore privilege | Disabled
Audit: Shut down system immediately if unable to log security audits | Disabled
Devices: Allow undock without having to log on | Disabled
Devices: Allowed to format and eject removable media | Administrators
Devices: Prevent users from installing printer drivers | Enabled
Devices: Unsigned driver installation behavior | Warn but allow installation
Domain controller: Allow server operators to schedule tasks | Disabled
Domain controller: Refuse machine account password changes | Disabled
Domain member: Digitally encrypt or sign secure channel data (always) | Enabled
Domain member: Digitally encrypt secure channel data (when possible) | Enabled
Domain member: Digitally sign secure channel data (when possible) | Enabled
Domain member: Disable machine account password changes | Disabled
Domain member: Maximum machine account password age | 30 days
Domain member: Require strong (Windows 2000 or later) session key | Enabled
Interactive logon: Do not display last user name | Enabled
Interactive logon: Do not require CTRL+ALT+DEL | Disabled


Interactive logon: Message text for users attempting to log on | This system is restricted to authorized users. Individuals attempting unauthorized access will be prosecuted. If unauthorized, terminate access now! Clicking on OK indicates your acceptance of the information in the background.
Interactive logon: Message title for users attempting to log on | This system is restricted to authorized users. Individuals attempting unauthorized access will be prosecuted. If unauthorized, terminate access now! Clicking on OK indicates your acceptance of the information in the background.
Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 0 logons
Interactive logon: Prompt user to change password before expiration | 14 days
Interactive logon: Require Domain Controller authentication to unlock workstation | Enabled
Interactive logon: Smart card removal behavior | Lock Workstation
Microsoft network client: Digitally sign communications (always) | Enabled
Microsoft network client: Digitally sign communications (if server agrees) | Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled
Microsoft network server: Amount of idle time required before suspending session | 15 minutes
Microsoft network server: Digitally sign communications (always) | Enabled
Microsoft network server: Digitally sign communications (if client agrees) | Enabled
Microsoft network server: Disconnect clients when logon hours expire | Enabled
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled


Network access: Do not allow storage of credentials or .NET Passports for network authentication | Enabled
Network access: Let Everyone permissions apply to anonymous users | Disabled
Network access: Remotely accessible registry paths | System\CurrentControlSet\Control\ProductOptions; System\CurrentControlSet\Control\Server Applications; Software\Microsoft\Windows NT\CurrentVersion
Network access: Remotely accessible registry paths and subpaths | Software\Microsoft\Windows NT\CurrentVersion\Print; Software\Microsoft\Windows NT\CurrentVersion\Windows; System\CurrentControlSet\Control\Print\Printers; System\CurrentControlSet\Services\Eventlog; Software\Microsoft\OLAP Server; System\CurrentControlSet\Control\ContentIndex; System\CurrentControlSet\Control\Terminal Server; System\CurrentControlSet\Control\Terminal Server\UserConfig; System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration; Software\Microsoft\Windows NT\CurrentVersion\Perflib; System\CurrentControlSet\Services\SysmonLog
Network access: Restrict anonymous access to Named Pipes and Shares | Enabled
Network access: Sharing and security model for local accounts | Classic - Local users authenticate as themselves
Network security: Do not store LAN Manager hash value on next password change | Enabled
Network security: LAN Manager authentication level | Send NTLMv2 response only, refuse LM
Network security: LDAP client signing requirements | Negotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Require message integrity; Require message confidentiality; Require NTLMv2 session security; Require 128-bit encryption


Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Require message integrity; Require message confidentiality; Require NTLMv2 session security; Require 128-bit encryption
Recovery console: Allow automatic administrative logon | Disabled
Recovery console: Allow floppy copy and access to all drives and all folders | Enabled
Shutdown: Allow system to be shut down without having to log on | Disabled
Shutdown: Clear virtual memory pagefile | Disabled
System cryptography: Force strong key protection for user keys stored on the computer | User is prompted when the key is first used
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Disabled
System objects: Default owner for objects created by members of the Administrators group | Object creator
System objects: Require case insensitivity for non-Windows subsystems | Enabled
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies | Not Defined

Event Log: Settings for Event Logs

Setting | Value
Maximum application log size | 16384 kilobytes
Maximum security log size | 81920 kilobytes
Maximum system log size | 16384 kilobytes
Retention method for application log | As Needed
Retention method for security log | As Needed
Retention method for system log | As Needed
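As an added example, not part of the BBVA document, this Windows PowerShell script exports the effective local security policy with secedit.exe and compares the password, lockout, Guest-account and audit values of item 18 against the baseline. It assumes an administrative prompt and the standard secedit INF key names; the remaining Security Options rows live under other INF sections and are not covered here.

```powershell
# Added example, not part of the BBVA document: export the local security
# policy with secedit.exe and compare the item 18 account and audit values.
# secedit INF audit values encode 0 = no auditing, 1 = Success, 2 = Failure,
# 3 = Success and Failure. Run from an administrative prompt.

$inf = Join-Path $env:TEMP 'policy-export.inf'
& secedit.exe /export /cfg $inf /quiet | Out-Null
if (-not (Test-Path $inf)) { throw 'secedit export failed' }

# Collect every "Name = Value" line; section headers and path-style keys are skipped.
$policy = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $policy[$matches[1]] = $matches[2] }
}
Remove-Item $inf -Force

$baseline = @{
    'PasswordHistorySize'   = '24'   # Enforce password history
    'MaximumPasswordAge'    = '42'   # days
    'MinimumPasswordAge'    = '2'    # days
    'MinimumPasswordLength' = '8'    # characters
    'PasswordComplexity'    = '1'    # complexity requirements Enabled
    'ClearTextPassword'     = '0'    # reversible encryption Disabled
    'LockoutBadCount'       = '5'    # invalid logon attempts
    'LockoutDuration'       = '30'   # minutes
    'ResetLockoutCount'     = '30'   # minutes
    'EnableGuestAccount'    = '0'    # Accounts: Guest account status Disabled
    'AuditAccountLogon'     = '3'    # Success, Failure
    'AuditAccountManage'    = '3'
    'AuditDSAccess'         = '3'
    'AuditLogonEvents'      = '3'
    'AuditObjectAccess'     = '3'
    'AuditPolicyChange'     = '1'    # Success
    'AuditPrivilegeUse'     = '2'    # Failure
    'AuditProcessTracking'  = '0'    # No auditing
    'AuditSystemEvents'     = '1'    # Success
}

$findings = @()
foreach ($key in $baseline.Keys) {
    if (-not $policy.ContainsKey($key)) {
        # Lockout keys are only exported when LockoutBadCount is non-zero.
        $findings += "$key : not present in export"
        continue
    }
    if ($policy[$key] -ne $baseline[$key]) {
        $findings += "$key : is $($policy[$key]), baseline requires $($baseline[$key])"
    }
}
if ($findings.Count -eq 0) { 'Local security policy matches the baseline.' } else { $findings }
```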

19.- If the SNMP service is needed, configure a complex (password-style) community name; do not use “Public”.

20.- Configure the following parameters for the TCP/IP stack:

1. Run the regedt32.exe tool.
2. Open the following key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\
3. Add or modify the following parameters:


Registry value entry | Format | Value
EnableICMPRedirect | DWORD | 0
SynAttackProtect | DWORD | 1
EnableDeadGWDetect | DWORD | 0
EnablePMTUDiscovery | DWORD | 0
KeepAliveTime | DWORD | 300000
DisableIPSourceRouting | DWORD | 2
TcpMaxConnectResponseRetransmissions | DWORD | 2
TcpMaxDataRetransmissions | DWORD | 3
PerformRouterDiscovery | DWORD | 0
TcpMaxPortsExhausted | DWORD | 5
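As an added example, not part of the BBVA document, this Windows PowerShell script checks the item 20 TCP/IP parameters against the table and, when $Apply is set, writes any value that is missing or differs. It assumes the key path and values given above; the table's "PerfmRouterDiscovery" is written here under the name Windows documents, PerformRouterDiscovery.

```powershell
# Added example, not part of the BBVA document: audit (and optionally apply)
# the item 20 TCP/IP stack hardening values. A value that is absent means the
# stack default is in effect, which is reported separately from a wrong value.
# Most of these take effect only after a reboot.

$Apply = $false   # $true = write missing or differing values
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

$baseline = @{
    'EnableICMPRedirect'                   = 0
    'SynAttackProtect'                     = 1
    'EnableDeadGWDetect'                   = 0
    'EnablePMTUDiscovery'                  = 0
    'KeepAliveTime'                        = 300000   # milliseconds
    'DisableIPSourceRouting'               = 2
    'TcpMaxConnectResponseRetransmissions' = 2
    'TcpMaxDataRetransmissions'            = 3
    'PerformRouterDiscovery'               = 0        # "PerfmRouterDiscovery" in the table
    'TcpMaxPortsExhausted'                 = 5
}

$current = Get-ItemProperty -Path $key
$findings = @()
foreach ($name in $baseline.Keys) {
    $want = $baseline[$name]
    $value = $current.$name            # $null when the value does not exist
    if ($value -eq $null) {
        $findings += "$name : not set (stack default in effect), baseline requires $want"
    } elseif ($value -ne $want) {
        $findings += "$name : is $value, baseline requires $want"
    } else {
        continue                        # already compliant
    }
    if ($Apply) {
        # Set-ItemProperty creates the value if it does not exist yet.
        Set-ItemProperty -Path $key -Name $name -Value $want -Type DWord
    }
}
if ($findings.Count -eq 0) { 'TCP/IP parameters match the baseline.' } else { $findings }
```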

21.- Review and clean the local hosts table. The path is: /winnt/system32/drivers/etc/hosts

22.- Create an Emergency Repair Disk, now and every time the system configuration changes, and store it in a protected location.
