Standard Build: Windows 2003 Server
Definition of a Secure Initial Configuration for Windows 2003 Server

This document defines a Windows 2003 baseline. This configuration must be applied to every server, whether it is a member of a domain or stand-alone. The document also serves as the starting point for any role-specific hardening procedure applied on top of it.

Version 1.0 (June 2004)
Operating System Installation

1. Enable physical security controls for the machine. It must be housed in a data center with restricted access, preferably with a lock on the chassis.
2. Update the firmware to its latest version (new machines). Obtain it from the manufacturer's web site.
3. Create three disk partitions, all formatted with NTFS: one for the operating system (C:), one for applications (D:) and one for data (web pages, for example) (E:). New machines.
4. Enable the machine's boot password in the firmware setup.
5. Disable unnecessary devices in the CMOS setup, such as the infrared port or additional serial ports.
6. Disable booting from floppy and CD-ROM.
7. Install Windows 2003 Server.
8. Apply the latest Service Pack and hotfixes: http://windowsupdate.microsoft.com
9. Configure the date and time and verify that the time zone is correct.
NOTE: For analysis purposes, keep in mind that IIS log records use GMT (UTC), not the machine's local time.
10. Create an Emergency Repair Disk now and every time the system configuration changes, and store it in a protected place. (On Windows 2003 the ERD of earlier versions is replaced by an Automated System Recovery (ASR) set created with NTBackup.)
CONFIDENTIAL
Operating System Configuration

11. Rename the local "Administrator" account, assign it a strong password and store that password in a secure place. The proposed name for the administrator account is "admin". Note that renaming does not change the account's well-known relative identifier (RID 500), so it can still be identified through SID lookups; the rename raises the bar but is no substitute for a strong password and the logon restrictions in step 18.
12. Create a second administrative account with the same characteristics and use it for day-to-day administration.
13. Create two local accounts named "Administrador" and "Administrator" with no privileges of any kind. These are decoys: no legitimate user has any reason to log on with them, so every logon attempt against them is suspicious and should be reviewed in the Security log (the audit policy in step 18 records failed logons).
14. Assign a strong password to the Guest account and disable it.
15. Review and remove unnecessary accounts.
16. Configure the screen saver to lock the session (the account's strong password is required to unlock it); the wait time must be no more than 15 minutes.
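The decoy accounts of step 13 only pay off if somebody watches for attempts against them. The script below is an added example, not part of the original baseline: it scans failed-logon records in the shape Windows 2003 writes for Security event 529 ("Logon Failure: Unknown user name or bad password", which the "Audit logon events: Success, Failure" setting of step 18 produces; 539 is the locked-out variant) and reports every attempt naming a decoy, plus any source address whose failures reach the lockout threshold of step 18. The event records are constructed for the example; the decoy names and threshold are the ones this document prescribes, and "CORP", "ATTACKER01" and the addresses are invented.

```python
"""Flag logon attempts against the decoy accounts of step 13.

Added example, not part of the original baseline. Windows 2003 records a failed
logon as Security event 529 ("Logon Failure: Unknown user name or bad password")
and an attempt against a locked account as 539; the audit policy in step 18
makes sure they are written. The events below are constructed in the shape of
that message text.
"""
import re
from collections import Counter

DECOY_ACCOUNTS = {"administrator", "administrador", "guest"}  # steps 13 and 14
LOCKOUT_THRESHOLD = 5                                          # step 18, account lockout threshold

def fake_529(user, workstation, addr):
    """Build the message body of an event 529 the way Windows 2003 formats it (constructed)."""
    return ("Logon Failure:\n\tReason:\t\tUnknown user name or bad password\n"
            f"\tUser Name:\t{user}\n\tDomain:\t\tCORP\n\tLogon Type:\t3\n"
            f"\tWorkstation Name:\t{workstation}\n"
            f"\tSource Network Address:\t{addr}\n\tSource Port:\t1091")

# Constructed sample: (time, event id, message). One host walks the decoys, then a real user mistypes.
SAMPLE_EVENTS = [
    ("02:11:05", 529, fake_529("Administrator", "ATTACKER01", "10.1.4.77")),
    ("02:11:06", 529, fake_529("Administrador", "ATTACKER01", "10.1.4.77")),
    ("02:11:07", 529, fake_529("Guest", "ATTACKER01", "10.1.4.77")),
    ("02:11:08", 529, fake_529("sa", "ATTACKER01", "10.1.4.77")),
    ("02:11:09", 529, fake_529("backup", "ATTACKER01", "10.1.4.77")),
    ("09:30:12", 529, fake_529("jperez", "WKS-0042", "10.1.7.21")),
    ("09:31:40", 528, "Successful Logon:\n\tUser Name:\tjperez\n\tDomain:\t\tCORP"),
]

# One "Name:<tab(s)>value" line of the event message
FIELD = re.compile(r"^\s*([A-Za-z ]+):\t+(.*?)\s*$", re.M)

def parse_fields(message):
    """Turn the tab-separated field lines of an event message into a dict."""
    return {name.strip(): value for name, value in FIELD.findall(message)}

def analyze(events, threshold=LOCKOUT_THRESHOLD):
    """Return (decoy_hits, spraying_sources).

    decoy_hits: (time, account, source address) for every failure naming a decoy.
    spraying_sources: {source address: failures} for sources that reached the lockout threshold.
    """
    decoy_hits, failures = [], Counter()
    for when, event_id, message in events:
        if event_id not in (529, 539):
            continue
        fields = parse_fields(message)
        user = fields.get("User Name", "")
        addr = fields.get("Source Network Address", "-")   # "-" for console logons
        failures[addr] += 1
        if user.lower() in DECOY_ACCOUNTS:
            decoy_hits.append((when, user, addr))
    spraying = {addr: n for addr, n in failures.items() if n >= threshold}
    return decoy_hits, spraying

if __name__ == "__main__":
    hits, spraying = analyze(SAMPLE_EVENTS)
    for when, user, addr in hits:
        print(f"{when} decoy account '{user}' tried from {addr}")
    for addr, n in spraying.items():
        print(f"{addr}: {n} failed logons, at or above the lockout threshold")
```

A real deployment feeds analyze() with records exported from the Security log; the threshold check matters because, with the renamed administrator excluded from network logon in step 18, the same burst that trips the decoys is also what locks out legitimate accounts.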
17. When Windows 2003 is installed, the default services are configured to start automatically, and many of them are not needed for the system to operate. Remember that every service or application is a potential point of attack. The following services are not required for the server to operate in a Windows 2003 domain, so the recommended configuration is as follows.
Service | Startup type
Alerter | Disabled
Application Layer Gateway Service | Disabled
Application Management | Disabled
ASP.NET State Service | Disabled
Automatic Updates | Automatic
Background Intelligent Transfer Service | Manual
Certificate Services | Disabled
MS Software Shadow Copy Provider | Manual
Client Service for NetWare | Manual
ClipBook | Disabled
Cluster Service | Disabled
COM+ Event System | Manual
COM+ System Application | Disabled
Computer Browser | Automatic
Cryptographic Services | Automatic
DHCP Client | Automatic
DHCP Server | Disabled
Distributed File System | Disabled
Distributed Link Tracking Client | Disabled
Distributed Link Tracking Server | Disabled
Distributed Transaction Coordinator | Disabled
DNS Client | Automatic
DNS Server | Disabled
Error Reporting Service | Disabled
Event Log | Automatic
Fax Service | Disabled
File Replication | Disabled
File Server for Macintosh | Disabled
FTP Publishing Service | Disabled
Help and Support | Disabled
HTTP SSL | Disabled
Human Interface Device Access | Disabled
IAS Jet Database Access | Disabled
IIS Admin Service | Disabled
IMAPI CD-Burning COM Service | Disabled
Indexing Service | Disabled
Infrared Monitor | Disabled
Internet Authentication Service | Disabled
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) | Disabled
Intersite Messaging | Disabled
IP Version 6 Helper Service | Disabled
IPSEC Services (IPSec Policy Agent) | Automatic
Kerberos Key Distribution Center | Disabled
License Logging Service | Disabled
Logical Disk Manager | Manual
Logical Disk Manager Administrative Service | Manual
Message Queuing | Disabled
Message Queuing Down Level Clients | Disabled
Message Queuing Triggers | Disabled
Messenger | Disabled
Microsoft POP3 Service | Disabled
MSSQL$UDDI | Disabled
MSSQLServerADHelper | Disabled
.NET Framework Support Service | Disabled
Net Logon | Automatic
NetMeeting Remote Desktop Sharing | Disabled
Network Connections | Manual
Network DDE | Disabled
Network DDE DSDM | Disabled
Network Location Awareness (NLA) | Manual
Network News Transfer Protocol (NNTP) | Disabled
NT LM Security Support Provider | Automatic
Performance Logs and Alerts | Manual
Plug and Play | Automatic
Portable Media Serial Number Service | Disabled
Print Server for Macintosh | Disabled
Print Spooler | Disabled (unless the server is a print server)
Protected Storage | Automatic
Remote Access Auto Connection Manager | Disabled
Remote Access Connection Manager | Disabled
Remote Administration Service | Manual
Remote Desktop Help Session Manager | Disabled
Remote Installation | Disabled
Remote Procedure Call (RPC) | Automatic
Remote Procedure Call (RPC) Locator | Disabled
Remote Registry Service | Automatic
Remote Server Manager | Disabled
Remote Server Monitor | Disabled
Remote Storage Notification | Disabled
Remote Storage Server | Disabled
Removable Storage | Manual
Resultant Set of Policy Provider | Disabled
Routing and Remote Access | Disabled
SAP Agent | Disabled
Secondary Logon | Disabled
Security Accounts Manager | Automatic
Server | Automatic
Shell Hardware Detection | Disabled
Simple Mail Transfer Protocol (SMTP) | Disabled
Simple TCP/IP Services | Disabled
Single Instance Storage Groveler | Disabled
Smart Card | Disabled
SNMP Service | Disabled
SNMP Trap Service | Disabled
Special Administration Console Helper | Disabled
SQLAgent$ (UDDI or WEBDB) | Disabled
System Event Notification | Automatic
Task Scheduler | Disabled
TCP/IP NetBIOS Helper | Automatic
TCP/IP Print Server | Disabled
Telephony | Disabled
Telnet | Disabled
Terminal Services | Automatic
Terminal Services Licensing | Disabled
Terminal Services Session Directory | Disabled
Themes | Disabled
Trivial FTP Daemon | Disabled
Uninterruptible Power Supply | Disabled
Upload Manager | Disabled
Virtual Disk Service | Disabled
Volume Shadow Copy | Manual
WebClient | Disabled
Web Element Manager | Disabled
Windows Audio | Disabled
Windows Image Acquisition (WIA) | Disabled
Windows Installer | Automatic
Windows Internet Name Service (WINS) | Disabled
Windows Management Instrumentation | Automatic
Windows Management Instrumentation Driver Extensions | Manual
Windows Media Services | Disabled
Windows System Resource Manager | Disabled
Windows Time | Automatic
WinHTTP Web Proxy Auto-Discovery Service | Disabled
Wireless Configuration | Disabled
WMI Performance Adapter | Manual
Workstation | Automatic
World Wide Web Publishing Service | Disabled
NOTE: Disabling the services listed above does not take into account the needs of other software packages (such as antivirus or remote-control tools). Check with each vendor which services its product requires so that those are not disabled.

18. Next, run "Local Security Policy" and make the following changes:
Start -> Administrative Tools -> Local Security Policy
Account Policies - Password Policy
Enforce password history | 24 passwords remembered
Maximum password age | 42 days
Minimum password age | 2 days
Minimum password length | 8 characters
Password must meet complexity requirements | Enabled
Store passwords using reversible encryption for all users in the domain | Disabled

Account Policies - Account Lockout Policy
Account lockout duration | 30 minutes
Account lockout threshold | 5 invalid logon attempts
Reset account lockout counter after | 30 minutes

Account Policies - Kerberos Policy (only meaningful in the domain's Default Domain Policy; leave it undefined locally)
Enforce user logon restrictions | Not Defined
Maximum lifetime for service ticket | Not Defined
Maximum lifetime for user ticket | Not Defined
Maximum lifetime for user ticket renewal | Not Defined
Maximum tolerance for computer clock synchronization | Not Defined

Local Policies - Audit Policy
Audit account logon events | Success, Failure
Audit account management | Success, Failure
Audit directory service access | Success, Failure
Audit logon events | Success, Failure
Audit object access | Success, Failure
Audit policy change | Success
Audit privilege use | Failure
Audit process tracking | No auditing
Audit system events | Success

Local Policies - User Rights Assignment
Allow log on locally (SeInteractiveLogonRight) | Power Users, Backup Operators, Administrators
Allow log on through Terminal Services (SeRemoteInteractiveLogonRight) | Administrators, Remote Desktop Users
Deny access to this computer from the network (SeDenyNetworkLogonRight) | ANONYMOUS LOGON; Built-in Administrator; Guests; Support_388945a0; Guest; all non-operating-system service accounts
Deny log on as a batch job (SeDenyBatchLogonRight) | Guests; Support_388945a0; Guest
Deny log on through Terminal Services (SeDenyRemoteInteractiveLogonRight) | Built-in Administrator; Guests; Support_388945a0; Guest; all non-operating-system service accounts
Restore files and directories (SeRestorePrivilege) | Administrators
Local Policies - Security Options
Accounts: Guest account status | Disabled
Accounts: Limit local account use of blank passwords to console logon only | Enabled
Audit: Audit the access of global system objects | Disabled
Audit: Audit the use of Backup and Restore privilege | Disabled
Audit: Shut down system immediately if unable to log security audits | Disabled
Devices: Allow undock without having to log on | Disabled
Devices: Allowed to format and eject removable media | Administrators
Devices: Prevent users from installing printer drivers | Enabled
Devices: Unsigned driver installation behavior | Warn but allow installation
Domain controller: Allow server operators to schedule tasks | Disabled
Domain controller: Refuse machine account password changes | Disabled
Domain member: Digitally encrypt or sign secure channel data (always) | Enabled
Domain member: Digitally encrypt secure channel data (when possible) | Enabled
Domain member: Digitally sign secure channel data (when possible) | Enabled
Domain member: Disable machine account password changes | Disabled
Domain member: Maximum machine account password age | 30 days
Domain member: Require strong (Windows 2000 or later) session key | Enabled
Interactive logon: Do not display last user name | Enabled
Interactive logon: Do not require CTRL+ALT+DEL | Disabled
Interactive logon: Message text for users attempting to log on | This system is restricted to authorized users. Individuals attempting unauthorized access will be prosecuted. If unauthorized, terminate access now! Clicking on OK indicates your acceptance of the information in the background.
Interactive logon: Message title for users attempting to log on | (not recoverable from the source: the extraction repeated the message text in place of the title)
Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 0 logons
Interactive logon: Prompt user to change password before expiration | 14 days
Interactive logon: Require Domain Controller authentication to unlock workstation | Enabled
Interactive logon: Smart card removal behavior | Lock Workstation
Microsoft network client: Digitally sign communications (always) | Enabled
Microsoft network client: Digitally sign communications (if server agrees) | Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled
Microsoft network server: Amount of idle time required before suspending session | 15 minutes
Microsoft network server: Digitally sign communications (always) | Enabled (every SMB client must then support signing; clients that cannot sign are refused)
Microsoft network server: Digitally sign communications (if client agrees) | Enabled
Microsoft network server: Disconnect clients when logon hours expire | Enabled
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication | Enabled
Network access: Let Everyone permissions apply to anonymous users | Disabled
Network access: Remotely accessible registry paths |
    System\CurrentControlSet\Control\ProductOptions
    System\CurrentControlSet\Control\Server Applications
    Software\Microsoft\Windows NT\CurrentVersion
Network access: Remotely accessible registry paths and subpaths |
    Software\Microsoft\Windows NT\CurrentVersion\Print
    Software\Microsoft\Windows NT\CurrentVersion\Windows
    System\CurrentControlSet\Control\Print\Printers
    System\CurrentControlSet\Services\Eventlog
    Software\Microsoft\OLAP Server
    System\CurrentControlSet\Control\ContentIndex
    System\CurrentControlSet\Control\Terminal Server
    System\CurrentControlSet\Control\Terminal Server\UserConfig
    System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
    Software\Microsoft\Windows NT\CurrentVersion\Perflib
    System\CurrentControlSet\Services\SysmonLog
Network access: Restrict anonymous access to Named Pipes and Shares | Enabled
Network access: Sharing and security model for local accounts | Classic - local users authenticate as themselves
Network security: Do not store LAN Manager hash value on next password change | Enabled (LM hashes already in the SAM remain until each password is changed, so force a password change after enabling this)
Network security: LAN Manager authentication level | Send NTLMv2 response only, refuse LM
Network security: LDAP client signing requirements | Negotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Require message integrity; Require message confidentiality; Require NTLMv2 session security; Require 128-bit encryption
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Require message integrity; Require message confidentiality; Require NTLMv2 session security; Require 128-bit encryption
Recovery console: Allow automatic administrative logon | Disabled
Recovery console: Allow floppy copy and access to all drives and all folders | Enabled (with this enabled, whoever authenticates to the Recovery Console can copy files from any volume to removable media; Disabled is the more restrictive choice)
Shutdown: Allow system to be shut down without having to log on | Disabled
Shutdown: Clear virtual memory pagefile | Disabled
System cryptography: Force strong key protection for user keys stored on the computer | User is prompted when the key is first used
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Disabled
System objects: Default owner for objects created by members of the Administrators group | Object creator
System objects: Require case insensitivity for non-Windows subsystems | Enabled
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies | Not Defined

Event Log - Settings for Event Logs
Maximum application log size | 16384 kilobytes
Maximum security log size | 81920 kilobytes
Maximum system log size | 16384 kilobytes
Retention method for application log | As needed
Retention method for security log | As needed
Retention method for system log | As needed
Because events are overwritten as needed and the system is not configured to halt when it cannot log audits, archive the Security log regularly if it is needed for investigations.
19. If the SNMP service is required, configure a complex (password-style) community name; never use "public". Keep in mind that SNMP v1/v2c community names travel over the network in cleartext, so also restrict the hosts from which the service accepts packets.

20. Configure the following parameters of the TCP/IP stack:
1. Run regedt32.exe.
2. Open the following key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
3. Add or modify the following values:
Value name | Type | Value (decimal)
EnableICMPRedirect | DWORD | 0
SynAttackProtect | DWORD | 1
EnableDeadGWDetect | DWORD | 0
EnablePMTUDiscovery | DWORD | 0
KeepAliveTime | DWORD | 300000
DisableIPSourceRouting | DWORD | 2
TcpMaxConnectResponseRetransmissions | DWORD | 2
TcpMaxDataRetransmissions | DWORD | 3
PerformRouterDiscovery | DWORD | 0
TcpMaxPortsExhausted | DWORD | 5
Notes: DisableIPSourceRouting 2 drops all source-routed packets; EnablePMTUDiscovery 0 stops an attacker from forcing a tiny MTU but makes TCP use a 576-byte MTU for non-local destinations; KeepAliveTime is in milliseconds (300000 = 5 minutes). Changes take effect after a reboot.
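Steps 17, 18 and 20 prescribe several dozen values, and drift is easy to miss in the Local Security Policy GUI. The script below is an added example, not part of the original document: it parses the template that `secedit /export /cfg <file>` writes on the server and lists every setting that differs from this baseline. The section and key names ([System Access], [Event Audit], [Security Log], [Registry Values], [Service General Setting], the `4,` REG_DWORD prefix, the 2/3/4 startup codes) are secedit's own; the embedded export is constructed and deliberately non-compliant, the SDDL strings are shortened, and only a representative subset of the baseline is encoded in BASELINE.

```python
"""Audit a secedit-exported security template against steps 17, 18 and 20 of this baseline.

Added example, not part of the original document. On the server run
    secedit /export /cfg C:\\audit.inf
and pass the file's text to audit(). A constructed, deliberately non-compliant
export is embedded below so the script runs offline.
"""
import re

# Constructed sample export (abbreviated; service SDDL strings shortened).
SAMPLE_INF = """\
[System Access]
MinimumPasswordAge = 2
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 1
AuditLogonEvents = 3
AuditObjectAccess = 3
AuditPrivilegeUse = 2
AuditPolicyChange = 1
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 3
AuditAccountLogon = 3
[Security Log]
MaximumLogSize = 81920
AuditLogRetentionPeriod = 0
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel=4,2
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\NoLMHash=4,1
MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\SynAttackProtect=4,1
MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\DisableIPSourceRouting=4,2
[Service General Setting]
"Messenger",4,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
"TlntSvr",2,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
"RemoteRegistry",2,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
"""

LSA = "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\"
TCPIP = "MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\"

# What this document prescribes, in secedit's own encoding (representative subset).
BASELINE = {
    "System Access": {"PasswordHistorySize": "24", "MaximumPasswordAge": "42",
                      "MinimumPasswordAge": "2", "MinimumPasswordLength": "8",
                      "PasswordComplexity": "1", "ClearTextPassword": "0",
                      "LockoutBadCount": "5", "LockoutDuration": "30", "ResetLockoutCount": "30"},
    # audit values: 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure
    "Event Audit": {"AuditAccountLogon": "3", "AuditAccountManage": "3", "AuditDSAccess": "3",
                    "AuditLogonEvents": "3", "AuditObjectAccess": "3", "AuditPolicyChange": "1",
                    "AuditPrivilegeUse": "2", "AuditProcessTracking": "0", "AuditSystemEvents": "1"},
    # retention 0 = overwrite events as needed
    "Security Log": {"MaximumLogSize": "81920", "AuditLogRetentionPeriod": "0"},
    # "4," = REG_DWORD; LmCompatibilityLevel 4 = send NTLMv2 response only, refuse LM
    "Registry Values": {LSA + "LmCompatibilityLevel": "4,4", LSA + "NoLMHash": "4,1",
                        TCPIP + "SynAttackProtect": "4,1", TCPIP + "DisableIPSourceRouting": "4,2",
                        TCPIP + "EnableICMPRedirect": "4,0"},
    # startup type: 2 = Automatic, 3 = Manual, 4 = Disabled
    "Service General Setting": {"Messenger": "4", "TlntSvr": "4", "RemoteRegistry": "2"},
}

def parse_inf(text):
    """Parse the INI-like template into {section: {name: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current == "Service General Setting":
            m = re.match(r'"([^"]+)",(\d)', line)      # "Name",startup,"SDDL"
            if m:
                sections[current][m.group(1)] = m.group(2)
        elif current and "=" in line:
            name, value = line.split("=", 1)
            sections[current][name.strip()] = value.strip()
    return sections

def audit(text, baseline=BASELINE):
    """Return (section, name, expected, actual) per deviation; actual is None when the value is unset."""
    have = parse_inf(text)
    return [(section, name, want, have.get(section, {}).get(name))
            for section, wanted in baseline.items()
            for name, want in wanted.items()
            if have.get(section, {}).get(name) != want]
```

Against a real export, open the file with encoding="utf-16" (secedit writes UTF-16) before calling audit(). A value missing from the export is reported with actual None rather than ignored, because for the Tcpip parameters "absent" means the insecure default. Those parameters only appear in a secedit export when the Security Options list (sceregvl.inf) has been extended with them, as the templates in Microsoft's Windows Server 2003 Security Guide do; otherwise compare them against the output of reg query.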
21. Review and clean the local hosts table: %SystemRoot%\system32\drivers\etc\hosts (on a default Windows 2003 installation %SystemRoot% is C:\Windows; \winnt was the Windows NT 4.0/2000 default).
22. Create an Emergency Repair Disk (an ASR set on Windows 2003) now and every time the system configuration changes, and store it in a protected place.