    https://www.corelan.be - Page 1 / 17

    Corelan Team:: Knowledge is not an object, it's a flow ::

    Securing Windows Server 2008 and Active Directory

    Corelan Team (corelanc0d3r) Friday, April 18th, 2008

    According to Microsoft, Windows Server 2008 is the most secure Windows server version ever.

    Windows 2008 does include many features that will help increase the overall security of the OS, or assist you with securing AD, the network, etc. Most of the features/roles available in Windows 2008 are not installed in a default installation of Windows 2008, leaving the OS in a more or less secure state right after installation. The attack surface of a default Windows 2008 server may be smaller than it was under NT4, 2000 and 2003, but concluding that Windows Server 2008 is secure may be one bridge too far.

    Microsoft has published a paper on the differences between 2003 and 2008, which includes some security related information. The document can be downloaded from Changes in Functionality from Windows Server 2003 with SP1 to Windows Server 2008.

    I'll use this post to explain some of the recommended hardening techniques, and list some additional tweaks/settings that can (and imho should) be applied to a Windows 2008 server in an attempt to further harden the OS.

    This document consists of the following parts

    For Windows 2008/AD servers :
    - Using GPOAccelerator to create GPOs that can be applied to AD and to regular servers
    - Provide some recommended settings that should be configured to a Domain GPO, including Domain Password Policies and Fine Grained Password Policies
    - Provide some recommended settings that should be configured to the Domain Controllers GPO
    - Provide some recommended settings that should be configured to regular server GPOs
    - Using GPOAccelerator SCE Extensions to further secure AD and servers using GPOs
    - Create your own extensions and create custom Security Templates
    - Use the custom Templates to actually set out the various GPOs (based on the recommendations that are given in this document). You don't want to go in and change all the GPOs manually. It is better to create your own templates and then apply these templates to the corresponding GPOs.
    - Using Security Configuration Wizard to secure servers that have a specific role

    For standalone/high security servers :
    - Using GPOAccelerator and Security Templates to secure standalone servers

    For all servers :
    - Additional (Custom) settings that should be applied to any server, and general security recommendations to secure AD

    Download section : I have made my customized Security Templates for AD Domains, for AD DCs, for member servers and for high security hosts available for download. You can find the link at the bottom of this post.

    Note : this document is not the ultimate complete security guide for 2008. It just provides some tips & tricks to increase the overall security level.

    General

    Before going into the various procedures of securing AD and servers, I'll briefly discuss some of Microsoft's recommendations on tackling the attack surface that is still present in Windows 2008. The Windows Server 2008 Security Guide document (content also available on Technet at http://technet.microsoft.com/en-us/library/cc264463.aspx) makes a clear distinction between (EC) Enterprise Security (I'll interpret this as being servers that need to be part of the Enterprise, the Domain, or have roles/features that require integration and/or interaction with AD DS and/or other services within the Enterprise for whatever reason) and servers that require specialized security (SSLF). I'll interpret the latter as servers that don't need to be part of the domain, or that can have an elevated security level applied. Some of the settings in this blog post will apply to both environments, others will only apply to the servers with a higher security level requirement. If a setting only needs to be applied to these servers, I'll mention this (so you don't break stuff). After all, the SSLF model focuses primarily on security, and this will result in limited functionality.

    In both scenarios, a Tool / Windows Shell script called GPOAccelerator can be used to set up a security baseline, either using EC Settings or SSLF Settings (SSLF is not a supplement on top of EC, it's just a different set of rules). GPOAccelerator can be downloaded from http://www.microsoft.com/downloads/info.aspx?na=47&p=2&SrcDisplayLang=en&SrcCategoryId=&SrcFamilyId=12ac9780-17b5-480c-aef7-5c0bde9060b0&u=details.aspx%3ffamilyid%3dA46F1DBE-760C-4807-A82F-4F02AE3C97B0%26displaylang%3den

    First things first

    Right after installing the Windows 2008 OS, you should consider running the following steps :

    - Secure the filesystems. Change the NTFS Security on all non-System partitions to :

    Corelan Team - Copyright - All rights reserved. Terms Of Use are applicable to this pdf file and its contents. See https://www.corelan.be/index.php/terms-of-use 20/04/2013 - 1 / 17


    (Basically, remove Everyone and SERVER\Users)

    - Change NTFS Security on the following executables, and change the ACL to BUILTIN\Administrators and System (Full Control) only :

    arp.exe
    at.exe
    cacls.exe
    cmd.exe
    rexec.com
    command.com
    debug.exe
    edit.com
    edlin.exe
    finger.exe
    ftp.exe
    tracert.exe
    ipconfig.exe
    nbtstat.exe
    net.exe
    netsh.exe
    cscript.exe
    wscript.exe
    nslookup.exe
    netstat.exe
    regedit.exe
    regedt32.exe
    route.exe
    rsh.exe
    runonce.exe
    syskey.exe
    telnet.exe
    rcp.exe
    xcopy.exe

    Note : some of these files may be missing on a Windows 2008 machine, other Windows 2008 files may be missing from this list, but I'm still reviewing the list of files. In the meantime, you can use the same list for hardening a Windows 2000/2003 server as well.

    - Do NOT run services as NetworkService or LocalService, but use regular accounts instead. On IIS7 servers, do not run ASP.NET in Full trust or don't run websites with NetworkService or LocalService accounts.

    This setting will prevent Token Kidnapping (http://www.argeniss.com/research/TokenKidnapping.pdf)
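
    To verify the executable ACL change described above, the following added example (not part of the original post) reports, for each listed file, any identity other than BUILTIN\Administrators and SYSTEM that holds an Allow entry, and whether those two hold Full Control. It only reads ACLs; the function names are hypothetical, and it assumes PowerShell 3.0 or later and that the binaries live in %SystemRoot% or %SystemRoot%\System32.

```powershell
# Added example: read-only audit of the ACLs on the executables listed in the post.
# Assumes PowerShell 3.0+ and that the binaries live in %SystemRoot% or System32.

$Executables = @(
    'arp.exe', 'at.exe', 'cacls.exe', 'cmd.exe', 'rexec.com', 'command.com',
    'debug.exe', 'edit.com', 'edlin.exe', 'finger.exe', 'ftp.exe', 'tracert.exe',
    'ipconfig.exe', 'nbtstat.exe', 'net.exe', 'netsh.exe', 'cscript.exe',
    'wscript.exe', 'nslookup.exe', 'netstat.exe', 'regedit.exe', 'regedt32.exe',
    'route.exe', 'rsh.exe', 'runonce.exe', 'syskey.exe', 'telnet.exe', 'rcp.exe',
    'xcopy.exe'
)

# Well-known SIDs rather than names, so the check also works on localized systems.
$AllowedSids = @{
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-18'     = 'NT AUTHORITY\SYSTEM'
}

function Resolve-SidName {                      # hypothetical helper
    param($Sid)
    try   { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid.Value }                        # orphaned SID: show it raw
}

function Get-ExecutableAclFinding {             # hypothetical helper
    param(
        [string[]]$Name      = $Executables,
        [string[]]$Directory = @($env:SystemRoot, (Join-Path $env:SystemRoot 'System32'))
    )
    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl
    $sidType = [System.Security.Principal.SecurityIdentifier]

    foreach ($file in $Name) {
        $paths = @($Directory | ForEach-Object { Join-Path $_ $file } |
            Where-Object { Test-Path -Path $_ -PathType Leaf })
        if ($paths.Count -eq 0) {
            # The post notes that some of these files do not exist on Windows 2008.
            [pscustomobject]@{ Path = $file; Status = 'Missing'; Extra = ''; LacksFullControl = '' }
            continue
        }
        foreach ($path in $paths) {
            # Explicit and inherited Allow entries, with identities returned as SIDs.
            $rules = @((Get-Acl -Path $path).GetAccessRules($true, $true, $sidType) |
                Where-Object { $_.AccessControlType -eq 'Allow' })

            # Identities the post says should not appear on these files at all.
            $extra = @($rules |
                Where-Object { $AllowedSids.Keys -notcontains $_.IdentityReference.Value } |
                ForEach-Object { Resolve-SidName $_.IdentityReference } |
                Select-Object -Unique)

            # Administrators / SYSTEM entries that are absent or below Full Control.
            $lacking = @($AllowedSids.Keys | Where-Object {
                $sid = $_
                -not ($rules | Where-Object {
                    $_.IdentityReference.Value -eq $sid -and
                    ($_.FileSystemRights -band $full) -eq $full
                })
            } | ForEach-Object { $AllowedSids[$_] })

            if ($extra.Count -eq 0 -and $lacking.Count -eq 0) { $status = 'Compliant' }
            else { $status = 'NonCompliant' }

            [pscustomobject]@{
                Path             = $path
                Status           = $status
                Extra            = $extra -join ', '
                LacksFullControl = $lacking -join ', '
            }
        }
    }
}

# Show everything that still needs attention.
Get-ExecutableAclFinding | Where-Object { $_.Status -ne 'Compliant' } | Format-Table -AutoSize
```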

    For Active Directory, take the following steps as well (in fact, you need to think about these things when you design your AD)

    - Keep your DCs dedicated to the DC role.

    - Delegate access, don't use the admin accounts. Create the toplevel OU structure, create admin user accounts and an Admin Group. Change the security on this group so only a limited set of admins can change membership of this admin group. Delegate Full Control to the toplevel OU structure, but NOT to the domain. This will help you ensure the integrity, availability and security of your AD.

    Don't forget to set strong passwords for your admin accounts.

    - DON'T use the Domain Admins group. Don't make anyone a member of this group, and keep the password secret. There's nothing really that cannot be delegated. For more information about delegating access to your custom admin groups in order to be able to perform certain admin tasks, see near the bottom of this post.

    - Rename the administrator account, create a fake administrator. Don't forget to copy the contents of the personal/account information fields, so the fake administrator really looks like the administrator :) Of course, keep this fake administrator disabled.

    GPOAccelerator - Creating a baseline

    GPOAccelerator will allow you to create, test and deploy security settings. The tool creates OUs / GPOs, so you can link them in your production AD environment, or you can use the .inf files that come with GPOAccelerator to apply settings to standalone servers. It is advised to test GPOAccelerator before using it in production AD.

    When you unzip GPOAccelerator, you will find these files :

    Start by installing GPOAccelerator.msi


    Roughly, this is what gets installed :


    C:\Program Files\GPOAccelerator>dir
     Volume in drive C has no label.
     Volume Serial Number is ACFE-FB99

     Directory of C:\Program Files\GPOAccelerator

    17/04/2008  23:52    <DIR>          .
    17/04/2008  23:52    <DIR>          ..
    15/11/2007  21:10               617 Accelerator.xml
    17/12/2007  03:10               237 command-line here.cmd
    17/04/2008  23:52    <DIR>          GPMCFiles
    20/02/2008  20:09           389.120 GPOAccelerator.exe
    18/02/2008  00:31            44.570 GPOAccelerator.wsf
    18/02/2008  23:47           141.648 License Terms.rtf
    14/02/2008  02:49             5.424 Localization.ini
    17/12/2007  03:10             3.189 Path.xml
    17/04/2008  23:52    <DIR>          SCE Update
    17/04/2008  23:52    <DIR>          Security Templates
                   7 File(s)        584.805 bytes
                   5 Dir(s)  10.402.938.880 bytes free

    C:\Program Files\GPOAccelerator>dir GPMCFiles
     Volume in drive C has no label.
     Volume Serial Number is ACFE-FB99

     Directory of C:\Program Files\GPOAccelerator\GPMCFiles

    17/04/2008  23:52    <DIR>          .
    17/04/2008  23:52    <DIR>          ..
    17/12/2007  03:10            39.886 CreateEnvironmentFromXML.wsf
    17/04/2008  23:52    <DIR>          OSG
    17/04/2008  23:52    <DIR>          VSG
    17/04/2008  23:52    <DIR>          WSSG
    17/04/2008  23:52    <DIR>          XPG
                   1 File(s)         39.886 bytes
                   6 Dir(s)  10.402.938.880 bytes free

    C:\Program Files\GPOAccelerator>dir "SCE Update"
     Volume in drive C has no label.
     Volume Serial Number is ACFE-FB99

     Directory of C:\Program Files\GPOAccelerator\SCE Update

    17/04/2008  23:52    <DIR>          .
    17/04/2008  23:52    <DIR>          ..
    17/12/2007  03:10            21.160 Restore_SCE_to_Default.vbs
    17/12/2007  03:10            48.214 sce.reg
    17/12/2007  03:10            14.961 sceregvl_Vista.inf.txt
    17/12/2007  03:10            19.391 sceregvl_W2K3_SP1.inf.txt
    17/12/2007  03:10            14.961 sceregvl_W2K8_SP1.inf.txt
    17/12/2007  03:10            17.278 sceregvl_XPSP2.inf.txt
    17/12/2007  03:10             4.188 Strings-sceregvl.txt
    17/12/2007  03:10            16.775 Update_SCE_with_MSS_Regkeys.vbs
    05/02/2008  00:49             2.905 Values-sceregvl.txt
                   9 File(s)        159.833 bytes
                   2 Dir(s)  10.402.938.880 bytes free

    C:\Program Files\GPOAccelerator>dir "Security Templates"
     Volume in drive C has no label.
     Volume Serial Number is ACFE-FB99

     Directory of C:\Program Files\GPOAccelerator\Security Templates

    17/04/2008  23:52    <DIR>          .
    17/04/2008  23:52    <DIR>          ..
    17/04/2008  23:52    <DIR>          VSG
    17/04/2008  23:52    <DIR>          WSSG
    17/04/2008  23:52    <DIR>          XPG
                   0 File(s)              0 bytes
                   5 Dir(s)  10.402.938.880 bytes free

    C:\Program Files\GPOAccelerator>

    As you can see, a Windows Shell Script file (Command Line, gpoaccelerator.wsf) and an executable (GUI, gpoaccelerator.exe) were placed in the installation folder, along with some other files and folders.

    For example, the folder GPMCFiles contains 4 folders.

    OSG = Office Security Guide
    VSG = Vista Security Guide
    WSSG = Windows Server Security Guide
    XPG = XP Security Guide

    The WSSG folder contains the following files and folders :

     Directory of C:\Program Files\GPOAccelerator\GPMCFiles\WSSG

    17/04/2008  23:52    <DIR>          .
    17/04/2008  23:52    <DIR>          ..
    21/02/2008  22:54            31.186 EC-WSSG-GPOs-LAB.xml
    21/02/2008  22:51            12.646 EC-WSSG-GPOs.xml
    24/02/2008  21:21             3.727 EC-WSSGApplyAuditPolicy-DC.CMD
    24/02/2008  21:21             3.727 EC-WSSGApplyAuditPolicy-MS.CMD
    24/02/2008  21:21             3.845 EC-WSSGAuditPolicy-DC.CMD
    21/02/2008  11:38             4.729 EC-WSSGAuditPolicy-DC.txt
    24/02/2008  21:22             3.845 EC-WSSGAuditPolicy-MS.CMD
    27/12/2007  04:20             4.737 EC-WSSGAuditPolicy-MS.txt
    21/02/2008  23:03            14.011 manifest.xml
    21/02/2008  22:59            31.266 SSLF-WSSG-GPOs-LAB.xml
    21/02/2008  22:59            12.688 SSLF-WSSG-GPOs.xml
    24/02/2008  21:22             3.728 SSLF-WSSGApplyAuditPolicy-DC.CMD
    24/02/2008  21:22             3.728 SSLF-WSSGApplyAuditPolicy-MS.CMD
    24/02/2008  21:22             3.852 SSLF-WSSGAuditPolicy-DC.CMD
    21/02/2008  11:40             4.825 SSLF-WSSGAuditPolicy-DC.txt
    24/02/2008  21:22             3.852 SSLF-WSSGAuditPolicy-MS.CMD
    27/12/2007  04:37             4.809 SSLF-WSSGAuditPolicy-MS.txt
    17/04/2008  23:52    <DIR>          {05BBE0FC-5EB9-42FB-B446-90BE4BD2399A}
    17/04/2008  23:52    <DIR>          {086C17BC-F733-4DC2-A47B-78A31F14E4EA}
    17/04/2008  23:52    <DIR>          {0A78C5FB-E931-4D5A-83E2-78293109928F}
    17/04/2008  23:52    <DIR>          {1F620490-1BFE-4C30-AF06-299584460C80}
    17/04/2008  23:52    <DIR>          {2F1705AF-65DD-4A94-8EE6-ADDB849EBD6A}
    17/04/2008  23:52    <DIR>          {31714DC9-8666-4BAA-8E54-CC4947882E9F}
    17/04/2008  23:52    <DIR>          {3F4C29A4-0D71-405B-874F-14B0C08C99FD}
    17/04/2008  23:52    <DIR>          {4F86A66E-A827-422C-B42C-03FCA32B77CE}
    17/04/2008  23:52    <DIR>          {5A57478B-56B7-4AE6-A3B6-950B228BE45A}
    17/04/2008  23:52    <DIR>          {69D76DED-9157-458D-AACC-50BEB12428B2}
    17/04/2008  23:52    <DIR>          {6D3D68A1-6ED4-4E0D-A7BF-4D7603AB0BF9}
    17/04/2008  23:52    <DIR>          {72D0C62E-6645-43AF-B374-D4A2192533D3}
    17/04/2008  23:52    <DIR>          {98550823-6F63-447B-AF25-5E6FE5697DF3}
    17/04/2008  23:52    <DIR>          {B5E5C2BD-6A23-4284-9306-AD41068D34DB}
    17/04/2008  23:52    <DIR>          {BBC153BA-8DDD-4829-A7C6-185148F7F7E5}
    17/04/2008  23:52    <DIR>          {BD1CAB21-1AE0-4786-ACC2-0D93DFF66EE6}
    17/04/2008  23:52    <DIR>          {BD61819B-3414-4C25-B6D0-11275D44A235}
    17/04/2008  23:52    <DIR>          {C23B1C0B-0C81-46B9-B2EE-83386BB5391A}
    17/04/2008  23:52    <DIR>          {D09EE5EA-1565-455C-BF62-1BAACB445AAC}
    17/04/2008  23:52    <DIR>          {E4977B95-BD5E-40C9-8EF7-D016832235F7}
    17/04/2008  23:52    <DIR>          {F3C3960B-93C2-4C02-BD4A-A1F26A21B182}
    17/04/2008  23:52    <DIR>          {F3DE561D-93FE-4FD9-99B2-2F85E2792956}
                  17 File(s)        151.201 bytes
                  24 Dir(s)  10.403.004.416 bytes free


    These files will be used by the GPOAccelerator tool to create GPO objects, in this case for Windows Servers.

    If you are only interested in creating the GPOs with the EC settings, run GPOAccelerator.wsf /WSSG /Enterprise

    If you want to create special OUs, then use the /LAB option (so GPOs are linked to these OUs, and not to OUs in your production environment)

    (Review the How To Use the GPOAccelerator.doc document for more command-line options.)

    We'll come back to the command line features; let's have a look at the GUI component first, which is in fact nothing more than a wizard that will create the exact syntax/parameters to run the Script.

    Log on as Domain Admin and launch the GUI by running GPOAccelerator.exe

    You can either create GPO objects in the domain, or create a Security Policy that can be applied to standalone systems. Finally, the GUI allows you to update the SCE to display MSS security settings. You'll need this last option (so you need to run this at least once) in order to be able to display/edit the settings that were written by the Microsoft Solutions for Security group. Don't run this yet, I'll show you how this works later on.

    Click Domain and select the desired Security Baseline from the dropdown list. In our example, this is Windows Server 2008

    Select either the Enterprise Client (EC) or SSLF environment.


    We'll start with the EC first

    The next page will ask you whether you want to implement the baseline in lab or production environment. Normally, if you have a clean LAB environment, you could choose LAB, but since I don't want the tool to start messing up my own OU structure, I just want the GPOs to be created, and I'll link them to whatever OU I want later on. So I'll choose Production for now.

    The last page shows the command that will be run as a result of our selections. As stated before, this tool is nothing more than a GUI wizard on top of the script.

    So basically, if you would run GPOAccelerator.wsf /WSSG /Enterprise from command line, then you would get the same results.

    Just keep in mind, if you want to use the command line in production environment :

    - Log on with Domain Admin rights
    - Launch Command-line here.cmd with administrator privileges (Run as administrator)
    - type cscript GPOAccelerator.wsf /WSSG /Enterprise

    Anyways, we'll let the GUI run the scripts for now; the result should be exactly the same.

    If you press Continue, you'll get the following warning


    Click YES to continue (at your own risk, of course :-) )

    Click OK when asked

    Wait until the process has completed

    and accept the fact that you will have to link the GPOs to the appropriate OUs yourself.

    Open Group Policy Management console and verify that the objects have been created

    You can use these GPOs in conjunction with the corresponding roles and features to secure these installed roles/features.

    Let's have a look at some common GPOs and what we can do to further secure these GPOs before you apply them

    Modifying the WSSG EC Domain Policy

    While this GPO does not really apply directly to one particular server, it is still good practise to set/review these settings as your overall security plan for your servers.


    Default Domain Password Policy

    The Domain (Password) Policy that is created by GPOAccelerator states

    Password history : 24 passwords
    Max password age : 90 days
    Min password age : 1 days
    Min password length : 8 characters
    Password complexity : enabled
    Store passwords using reversible encryption : disabled
    Account lockout : 15 minutes
    Account lockout threshold : 50 invalid attempts
    Reset lockout counter after : 15 minutes

    I would strongly recommend

    - change the Account lockout duration to forever (until admin unlocks) : change value to 0
    - change the lockout threshold to 3 or 5 attempts
    - change the lockout counter to 30 minutes or more

    Additionally, I would recommend configuring the following settings for the Domain Policy :

    Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy

    Enforce user logon restrictions : Enabled
    Max lifetime for service ticket : 600 minutes
    Max lifetime for user ticket : 10 hours
    Max lifetime for user ticket renewal : 7 days
    Max tolerance for computer clock synchronization : 5 minutes

    Note : Depending on how you want to keep the clients' clock up to date, you may have to allow your users to change the system time (For example : if you are running some command to sync the clock from a loginscript, then the user account needs to have permissions to change the system time). You can define this setting under Local Policies > User Rights Assignments. If you are using NTP, then this setting is irrelevant and can be limited to your IT Admin group.

    Fine Grained Password Policies

    Windows 2008 introduces the concept of Fine Grained Password Policies. This feature allows you to specify multiple password policies in a domain, by basically linking a password policy to a set of users (inetOrgPerson objects, or Global Groups). Unfortunately you cannot assign a Fine Grained Password Policy to members of an OU. In order to be able to define a Policy, the domain needs to be in 2008 functional mode. By default, only Domain Admins can set Fine Grained Password Policies, but you can delegate these rights.

    One of the possible implementations of multiple password policies is setting a different password policy for administrative accounts (IT Staff who are managing AD, or have other elevated permissions, including the Domain administrator account (SID 500)), with more restrictive policy settings, and setting another password policy for system accounts (used for example to run services).

    This is how it works: http://technet2.microsoft.com/windowsserver2008/en/library/056a73ef-5c9e-44d7-acc1-4f0bade6cd751033.mspx?mfr=true

    Configuring a PSO is easy : Open the Fine Grained Password Policy MMC GUI. Just kidding :-) Microsoft has not built a nice wizard or GUI around this, so you'll have to do this the hard way. Luckily, Microsoft has done an excellent job in documenting most of the Windows configuration steps over the last couple of years, so Technet contains detailed information on how to set this up. You can visit http://technet2.microsoft.com/windowsserver2008/en/library/1e1c9618-cda9-489b-a1cb-bbc182216aee1033.mspx?mfr=true or http://blogs.dirteam.com/blogs/jorge/archive/2007/08/09/windows-server-2008-fine-grained-password-policies.aspx for more information on how to set up the PSO. Furthermore, some clever individuals decided to wrap a GUI around the process. One of the really excellent (and free) tools that can be used to manage the PSOs (using Powershell components) can be found at http://dmitrysotnikov.wordpress.com/2007/06/19/free-ui-console-for-fine-grained-password-policies/

    Password policy settings :

    For administrators, a min. password length of 12 characters should not be a big problem, or if you want to keep the passwords shorter, then at least consider setting the password expiry to 2 weeks.

    For service accounts it may be hard to change passwords all the time, so setting no password expiration may be acceptable in certain scenarios, but the password length should be something like 30 or 40 characters.
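
    The two PSOs suggested above, sketched with the ActiveDirectory PowerShell module (an added example, not part of the original post). It assumes that module is available (it ships with Windows Server 2008 R2 and later, so it postdates the post), a domain in 2008 functional mode, and two hypothetical global groups, GG-AD-Admins and GG-Service-Accounts; the PSO names, precedence values and helper name are illustrative, and the history and 90 day values are borrowed from the domain policy listed earlier.

```powershell
# Added example: creates the admin and service-account PSOs and reports coverage.
Import-Module ActiveDirectory

# Hypothetical global security groups. A PSO links to users or global groups, never to an OU.
$AdminGroup   = 'GG-AD-Admins'
$ServiceGroup = 'GG-Service-Accounts'

# Settings shared by both PSOs. Lockout parameters are not passed, so the cmdlet
# defaults apply; set them explicitly if they should differ.
$common = @{
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    PasswordHistoryCount        = 24
}

# Administrative accounts: at least 12 characters, 90 day expiry as in the domain policy.
# A lower Precedence value wins when several PSOs reach the same user.
New-ADFineGrainedPasswordPolicy @common -Name 'PSO-Admins' -Precedence 10 `
    -MinPasswordLength 12 -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00'

# Service accounts: no expiry (MaxPasswordAge 0), offset by a 30 character minimum.
New-ADFineGrainedPasswordPolicy @common -Name 'PSO-ServiceAccounts' -Precedence 20 `
    -MinPasswordLength 30 -MinPasswordAge '0.00:00:00' -MaxPasswordAge '0.00:00:00'

Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Admins' -Subjects $AdminGroup
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceAccounts' -Subjects $ServiceGroup

# Report which policy each direct member really ends up with. Length rules are only
# enforced when a password is changed, so a PasswordLastSet date older than the PSO
# means the current password was never checked against it.
function Get-PsoCoverage {                      # hypothetical helper
    param([string[]]$Group)
    foreach ($g in $Group) {
        Get-ADGroupMember -Identity $g |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                $user = Get-ADUser -Identity $_.SamAccountName -Properties PasswordLastSet
                $pso  = Get-ADUserResultantPasswordPolicy -Identity $user
                [pscustomobject]@{
                    Group           = $g
                    User            = $user.SamAccountName
                    ResultantPSO    = $(if ($pso) { $pso.Name } else { '(domain policy)' })
                    MinLength       = $(if ($pso) { $pso.MinPasswordLength } else { $null })
                    PasswordLastSet = $user.PasswordLastSet
                }
            }
    }
}

Get-PsoCoverage -Group $AdminGroup, $ServiceGroup | Format-Table -AutoSize
```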

    Modifying the WSSG EC Domain Controller Baseline Policy

    The second GPOAccelerator-created GPO I am going to review is the one that can be applied to Domain Controllers. This GPO is quite detailed and configures a lot of settings compared to the Default DC policy in Windows.

    However, the following settings should be changed (these could be settings that are already configured to something else, or could be settings that have not been configured yet, and should be set in addition to the already existing settings) :

    Policies > Windows Settings > Security Settings > Local Policies

    Audit Policy

    The WSSG EC Policy will only log the success events. In certain cases, logging the failure events as well can help you troubleshoot, as well as trace back attempts to access data/objects by unauthorized users.

    I would at least consider auditing success AND failure events for

    Audit account logon events
    Audit account management
    Audit directory service access
    Audit logon events
    Audit object access

    These settings can be found under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy
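
    One way to check a server against both the audit recommendations above and the lockout and Kerberos recommendations from the Domain Policy section is to export the effective policy with secedit and compare it offline. The following is an added example, not part of the original post: the function names are hypothetical, the sample template is constructed to mirror the EC baseline values quoted in this post, and the key names are the ones secedit writes to an exported template (where "until an administrator unlocks" is stored as -1 rather than the 0 shown in the GUI).

```powershell
# Added example. Sample text is constructed; for a real server export it first:
#   secedit /export /cfg <path>\policy.inf /areas SECURITYPOLICY
# and pass ((Get-Content <path>\policy.inf) -join "`n") to Test-SecurityTemplate.
$SampleInf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 50
ResetLockoutCount = 15
LockoutDuration = 15
ClearTextPassword = 0
[Event Audit]
AuditAccountLogon = 1
AuditAccountManage = 1
AuditDSAccess = 1
AuditLogonEvents = 1
AuditObjectAccess = 1
[Version]
signature="$CHICAGO$"
Revision=1
'@

# Parse template text into @{ Section = @{ Key = Value } }.
function ConvertFrom-SecurityTemplate {
    param([string]$Text)
    $result  = @{}
    $section = $null
    foreach ($line in ($Text -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1]
            $result[$section] = @{}
        }
        elseif ($section -and $line -match '^([^=]+?)\s*=\s*(.*)$') {
            $result[$section][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    $result
}

# Recommendations from this post as inclusive numeric ranges.
# [Event Audit] values: 0 none, 1 success, 2 failure, 3 success and failure.
$Rules = @(
    @{ Section = 'System Access';   Key = 'LockoutBadCount';      Min = 1;   Max = 5;   Want = 'at most 5 attempts (post: 3 or 5)' }
    @{ Section = 'System Access';   Key = 'ResetLockoutCount';    Min = 30;  Max = [int]::MaxValue; Want = '30 minutes or more' }
    @{ Section = 'System Access';   Key = 'LockoutDuration';      Min = -1;  Max = -1;  Want = 'forever (-1)' }
    @{ Section = 'Kerberos Policy'; Key = 'TicketValidateClient'; Min = 1;   Max = 1;   Want = 'enabled' }
    @{ Section = 'Kerberos Policy'; Key = 'MaxServiceAge';        Min = 600; Max = 600; Want = '600 minutes' }
    @{ Section = 'Kerberos Policy'; Key = 'MaxTicketAge';         Min = 10;  Max = 10;  Want = '10 hours' }
    @{ Section = 'Kerberos Policy'; Key = 'MaxRenewAge';          Min = 7;   Max = 7;   Want = '7 days' }
    @{ Section = 'Kerberos Policy'; Key = 'MaxClockSkew';         Min = 5;   Max = 5;   Want = '5 minutes' }
    @{ Section = 'Event Audit';     Key = 'AuditAccountLogon';    Min = 3;   Max = 3;   Want = 'success and failure' }
    @{ Section = 'Event Audit';     Key = 'AuditAccountManage';   Min = 3;   Max = 3;   Want = 'success and failure' }
    @{ Section = 'Event Audit';     Key = 'AuditDSAccess';        Min = 3;   Max = 3;   Want = 'success and failure' }
    @{ Section = 'Event Audit';     Key = 'AuditLogonEvents';     Min = 3;   Max = 3;   Want = 'success and failure' }
    @{ Section = 'Event Audit';     Key = 'AuditObjectAccess';    Min = 3;   Max = 3;   Want = 'success and failure' }
)

function Test-SecurityTemplate {
    param([string]$Text)
    $inf = ConvertFrom-SecurityTemplate $Text
    foreach ($rule in $Rules) {
        $value = $null
        if ($inf.ContainsKey($rule.Section)) { $value = $inf[$rule.Section][$rule.Key] }

        $n = 0
        if ($null -eq $value)                          { $status = 'NotConfigured' }
        elseif (-not [int]::TryParse($value, [ref]$n)) { $status = 'Unparsed' }
        elseif ($n -ge $rule.Min -and $n -le $rule.Max) { $status = 'OK' }
        else                                           { $status = 'Review' }

        [pscustomobject]@{
            Section     = $rule.Section
            Setting     = $rule.Key
            Found       = $value
            Recommended = $rule.Want
            Status      = $status
        }
    }
}

Test-SecurityTemplate $SampleInf | Format-Table -AutoSize
```

    The Kerberos Policy section only appears in exports where that policy is defined, so on other machines those rows are reported as NotConfigured rather than as failures.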

    User Rights Assignments

    Access this computer from the network

    The WSSG EC Policy changes the default settings (which are indeed way too broad) to BUILTIN\Administrators, NT AUTHORITY\Authenticated Users, NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS

    This is a lot better already, however I don't like Authenticated Users. It would be better to create a Group in AD, add all of your known users into that group, and replace Authenticated Users with your own group. That way, you are sure that someone who is able to create a user account (in any way) cannot necessarily access your DCs from the network.

    Add workstations to the domain

    Typically, you'd only want your IT staff to be able to add computers to the domain. In order to really be able to delegate and secure this kind of activity, there are 2 places that need some configuration :

    1. Edit the GPO that is applied to your DCs. Go to Computer Configuration > Policies > Windows Settings > Security Settings > User Rights Assignments

    Edit Add workstations to the domain, remove Authenticated Users (Default Policy) or BUILTIN\Administrators (WSSG EC Policy) and add your IT Staff users. (If changing this setting breaks your attempt to add a new DC to the Domain, you may have to add your Domain Admins/Enterprise Admins group as well)

    2. Open Active Directory Users & Computers. Go to View and enable Advanced Features. Right-click Computers and go to the Security tab. Make sure regular users (Authenticated Users, etc) have read-only rights. You don't need to add your IT Staff to the ACL. After all, it would be much better to create a separate OU structure, grant access to that OU, and set the necessary permissions on the OU for the IT Staff. This way they can pre-create the computer objects before adding a computer to the domain. That is, imho, the best way to manage your computer objects (or at least the addition of computer objects in your environment)

    Log on locally

    Change this setting from Not defined to your local admin group, Domain Admins, BUILTIN\Administrators, whatever, as long as you don't allow regular users to log on locally on a DC. In most cases, BUILTIN\Administrators will do just fine. If you're not an admin, there's nothing you should do on a DC.

    Backup files & directories, Restore files & directories

    By default, this setting is set to not defined. I would suggest changing this to your admin groups, BUILTIN\Administrators and BUILTIN\Backup Operators

    Change the system time

    Set this parameter to your admin group, BUILTIN\Administrators and LOCAL SERVICE

    Security Options


    If you now open for example Security Options under Computer Configuration Policies Windows Settings Security Settings Local Policies, youllsee the MSS: specific settings.

    Further hardening regular (EC) servers using MSS extensions

    I would recommend using the following MSS specific settings in a GPO that applies to all of your servers (including Domain Controllers):

    AutoAdminLogon : disabledDisableIPSourceRouting : enabledNoDriveTypeAutoRun : disabledNoNameReleaseOnDemand : enabled

    Further hardening some (EC) servers using MSS extensions

    The following settings should be applied to all servers whenever possible (Test these settings because they might impact the operation of your server):

    AutoShareWks : disabledHidden : enabled

    Security Configuration Wizard : role based Firewall rulesets, Services modifications, Registry Security and Auditing

    Windows 2008 is very much role based. The Security Configuration Wizard will attempt to identify the roles that are installed on a server, and change Firewall rules according to the roles that it has found on the system. The built-in roles can be hardened using built-in SCW templates (xml files), but you can add other templates as well (e.g. for MS Exchange 2007 roles : http://technet.microsoft.com/en-us/library/aa998208(EXCHG.80).aspx and http://technet.microsoft.com/en-us/library/bb124977(EXCHG.80).aspx)

    Basically, these templates link the roles & features to network ports, so the firewall ruleset can be adjusted accordingly, based on the roles that are installed on a given 2008 Server.

    The SCW wizard is pretty much self-explanatory; however, the key step is verifying that the correct roles have been identified. Otherwise, you'll end up with a broken system.

    Launch the SCW Wizard from Start > Programs > Administrative Tools


    Accept the welcome text

    Select Create a new security policy

    You can create a new policy for this server, or get the running configuration from another (similar) server. So if you get the config right for, for example, a DC, you can use this config for the other DCs as well. This copy is one time, so if you change the config on the source DC, it will not be changed on the current machine, unless you run SCW again.

    After the security database has been processed, click the view configuration database button

    This option will show you the roles/features/apps that have been discovered and enumerated on the system.

    Close this screen and click next to continue

    First, you'll enter the Role-Based Service Configuration

    Set the scope to Installed roles and review whether the roles that were discovered match with what is installed on the system

    Do the same for Features (Installed Features) and Options (Installed Options)

    Next, review the page that lists the additional applications

    Next, choose what you want the wizard to do with unexpected services :


    Review the changes that will be applied to services

    The next section Network Security will change the Firewall rulesets. Review the list of rules and click next

    The next section will change Registry settings :

    (note that this last option impacts the max clock skew; it is set to 5 minutes using the DC GPO, so I'd suggest thinking about keeping all clocks in sync, no matter what)

    Change the inbound authentication methods if your environment supports this


    Review the registry changes summary

    Make changes for the audit policy. You can set these settings via a GPO as well, so you can skip this setting and configure auditing elsewhere

    Save the policy

    Pick a name (so you can find the policy back later on) and save the policy. The result is an xml file that can be modified manually if you want to.

    You now have the option to apply the policy now or later. If you apply the policy, you'll need to reboot the server

    You can apply a saved policy by running the SCW wizard again and select to apply an existing policy

    It is highly recommended to run this SCW on every server: DCs, member servers, bastion hosts.

    More information about the Security Configuration Wizard can be found at http://www.microsoft.com/downloads/details.aspx?FamilyID=903fd496-9eb9-4a45-aa00-3f2f20fd6171&displaylang=en

    SSLF High Security Servers (Standalone servers with specific roles and an elevated security exposure level)

    I'm not going to discuss the settings for the SSLF GPO right now: this GPO/Security Template requires extensive testing. It is easy to break stuff with this set of configuration parameters, so you'll have to tweak them a bit.

    Working with custom Security Templates

    Definitions

    A GPO consists of a set of registry settings. The GPO editor (SCE) is in fact nothing more than a GUI wrapped around these settings, allowing you to change the values of these registry settings before deploying them to one or more systems/users

    A Security Template (.inf) is a set of pre-defined settings and values that can be applied to a server, via a GPO. The combination of a GPO and a Security Template allows you to quickly create GPOs including the necessary customizations.

    If you open a Security Template file, you'll see something like this (I've taken the WSSG EC Domain.inf file from GPOAccelerator as an example) :


    ; (c) Microsoft Corporation 2008
    ;
    ; Security Configuration Template for Security Configuration Editor
    ;
    ; Template Name: WSSG EC Domain.inf
    ; Template Version: 1.0
    ;
    ;This Security Configuration Template provides settings to support the
    ;EC Domain settings for the Windows Server 2008 Security Guide.
    ;Please read the entire guide before using this template.
    ;
    ; Release History
    ; 0001 - Original February 27, 2008
    [Unicode]
    Unicode=yes
    [Version]
    signature=$CHICAGO$
    Revision=1
    [System Access]
    MinimumPasswordAge = 1
    MaximumPasswordAge = 90
    MinimumPasswordLength = 8
    PasswordComplexity = 1
    PasswordHistorySize = 24
    LockoutBadCount = 50
    ResetLockoutCount = 15
    LockoutDuration = 15
    ClearTextPassword = 0
    [Registry Values]
    [Profile Description]
    Description=This Security Configuration Template provides settings to support the Enterprise settings for the Windows Server 2008 Vista Security Guide. Please read the entire guide before using this template.

    You can find more ready-made Security Templates on each Windows server, or on specific servers serving specific purposes, such as securing Exchange server etc. Just search for *.inf files (which may not all be Security Templates, but you'll recognize a Security Template when you see one :) )

    Custom Security Templates

    As you can see, these templates are just plain text files, but it might not be a good idea to edit these files using notepad. Furthermore, you may want to leave the default templates untouched, and create your own templates based upon a copy of the original files.

    First, create a folder where you want to store your own templates. Make sure to change the NTFS permissions on this folder so only your admins can access this folder. Next, create a Security Templates MMC. Open the MMC, right click Security Templates and choose New Template Search Path.

    Add your custom folder to the list.

    If you want to see the original/default templates, then add C:\Windows\Security\Templates to the list as well. You can create a copy of a Template by right-clicking on the Template and choosing Save As

    As you can see, you can further refine the Security Templates before applying them to all of the relevant GPOs in your environment.
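
    Before a customized copy is applied to a GPO, it helps to see where it has drifted from the baseline it was copied from. The following is an added example (not part of the original post, and not GPOAccelerator code) that parses two templates and compares their [System Access] values. It assumes PowerShell 2.0 or later; the function names and the "custom" template are constructed for illustration, and the baseline values are the ones shown in the WSSG EC Domain.inf listing above.

```powershell
# Added example: compare [System Access] in a custom template against a baseline.
function ConvertFrom-SecurityTemplate([string[]]$Lines) {
    $sections = @{}; $current = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }   # blank line or comment
        if ($line -match '^\[(.+)\]$') {                            # [Section] header
            $current = $Matches[1]; $sections[$current] = @{}
        } elseif ($current -and $line -match '^([^=]+)=(.*)$') {    # Key = Value
            $sections[$current][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    $sections
}

# Which direction is "stronger" per key; Off is the value that disables the control.
$rules = @{
    MaximumPasswordAge    = @{ Stronger = 'Lower'; Off = -1 }   # -1 = password never expires
    MinimumPasswordLength = @{ Stronger = 'Higher' }
    PasswordComplexity    = @{ Stronger = 'Higher' }
    PasswordHistorySize   = @{ Stronger = 'Higher' }
    LockoutBadCount       = @{ Stronger = 'Lower'; Off = 0 }    # 0 = accounts never lock out
}

function Compare-SystemAccess($Baseline, $Candidate) {
    foreach ($key in ($rules.Keys | Sort-Object)) {
        if (-not $Baseline.ContainsKey($key)) { continue }
        $rule = $rules[$key]; $base = [int]($Baseline[$key]); $cand = $null
        $verdict = 'MISSING'
        if ($Candidate.ContainsKey($key)) {
            $cand = [int]($Candidate[$key])
            $better = ($rule.Stronger -eq 'Higher') -eq ($cand -gt $base)
            if ($better) { $verdict = 'stronger' } else { $verdict = 'WEAKER' }
            if ($cand -eq $base) { $verdict = 'same' }
            # A "lower" value that switches the control off is not an improvement.
            if ($rule.ContainsKey('Off') -and $cand -eq $rule.Off) { $verdict = 'WEAKER (control disabled)' }
        }
        New-Object PSObject -Property @{
            Setting = $key; Baseline = $base; Candidate = $cand; Verdict = $verdict }
    }
}

# Baseline: values from the WSSG EC Domain.inf listing in this article.
$baselineText = @'
[System Access]
MaximumPasswordAge = 90
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 50
'@
# Constructed sample of a locally edited copy (illustration only).
$customText = @'
[System Access]
MaximumPasswordAge = 60
MinimumPasswordLength = 6
PasswordComplexity = 1
LockoutBadCount = 0
'@
$baseline = (ConvertFrom-SecurityTemplate ($baselineText -split "`r?`n"))['System Access']
$custom   = (ConvertFrom-SecurityTemplate ($customText -split "`r?`n"))['System Access']
Compare-SystemAccess $baseline $custom | Format-Table Setting, Baseline, Candidate, Verdict -AutoSize
```

    To compare real files, pass the output of Get-Content for each .inf file to ConvertFrom-SecurityTemplate instead of the embedded samples.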


    Custom Settings

    The following settings can be applied to any server. You can either change these parameters manually, use a script to deploy and apply a .reg file, or create a custom GPO (.adm(x)) and optionally a Security Template (.inf) and apply these custom registry settings using a GPO. Alternatively, extend the SCE database and add your own registry keys :

    http://support.microsoft.com/kb/214752
    http://www.windowsdevcenter.com/pub/a/windows/2005/03/15/local_security_policies.html

    Custom TCP/IP Settings

    General settings

    Disable IP Source Routing : This feature is now turned off by default for IPv4 connections, but it is still active for IPv6 connections. Even if you are not planning on using IPv6 right now, it might still be a good idea to disable it, just in case you decide to start using it. You can disable IP Source Routing for IPv6 by changing the following registry key :

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
    DisableIPSourceRouting (Value Type : REG_DWORD)
    Set to 1 or 2
    Possible values : 0 = forward all packets, 1 = don't forward source routed packets, 2 = drop all incoming source routed packets
    Default values : 1 for IPv4, 0 for IPv6

    If you want to verify the settings for IPv4, then check the value of DisableIPSourceRouting under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

    Note : this setting can be set using a SCE Extended GPO (look for one of the MSS: specific settings under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options)

    Disable IP Routing : make sure IP routing is disabled, unless you want your server to act as a router. This setting is disabled by default under Windows 2008. Make sure IPEnableRouter is set to 0 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters (Default value is 0. Possible values : 0 = disable IP routing, 1 = enable IP routing)

    Disable ICMP Redirects : unless you have a very good reason to leave this functionality turned on, you should consider disabling this by changing the value of HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirects (reg_dword) to 0

    Per interface settings

    Assuming that you know how to match a network interface with a GUID, you should consider setting the following options for each of the interfaces

    Disable Perform Router Discovery : Set PerformRouterDiscovery (REG_DWORD) under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{interfaceGUID} to 0 (disabled). Possible values are 0 = disabled, 1 = enabled, 2 = enabled only when DHCP Perform Router Discovery option is set. Default value is 2

    Disable APIPA : For each adapter under HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{xxxxxxxxx} (replace {xxxxxxxxx} with the GUID of the adapter), create a REG_DWORD called IPAutoconfigurationEnabled and set it to 0

    More information about these (and other registry settings for TCP/IP) can be found at http://www.microsoft.com/downloads/details.aspx?FamilyID=12ac9780-17b5-480c-aef7-5c0bde9060b0&DisplayLang=en

    If you want more information about the netsh.exe command, visit http://go.microsoft.com/fwlink/?LinkId=49654
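
    Because these TCP/IP values are applied by hand and are not part of the templates, it is worth checking them on each server after deployment. The following is an added example (not part of the original post) of a read-only audit of the global and per-interface values listed above. It assumes PowerShell 2.0 or later; the function names are made up for this example, and the defaults used for missing values are the ones stated in this article.

```powershell
# Added example: read-only audit of the TCP/IP registry values discussed above.
$tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$tcpip6 = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null
}

function Test-Setting($Path, $Name, $Ok, $Default) {
    $value = Get-RegValue $Path $Name
    $source = 'registry'
    # Fall back to the default stated in the article when the value is absent.
    if ($null -eq $value) { $value = $Default; $source = 'default' }
    $status = 'FAIL'
    if ($null -eq $value) { $status = 'NOT SET'; $source = 'n/a' }
    if ($Ok -contains $value) { $status = 'OK' }
    New-Object PSObject -Property @{
        Status = $status; Value = $value; Source = $source; Key = "$Path\$Name" }
}

$results = @(
    # Global values: accepted values, then the default given in the article (if any).
    Test-Setting $tcpip6 'DisableIPSourceRouting' @(1, 2) 0
    Test-Setting $tcpip  'DisableIPSourceRouting' @(1, 2) 1
    Test-Setting $tcpip  'IPEnableRouter'         @(0)    0
    Test-Setting $tcpip  'EnableICMPRedirects'    @(0)    $null
    # Per-interface values: one subkey per interface GUID.
    Get-ChildItem "$tcpip\Interfaces" | ForEach-Object {
        $ifKey = "$tcpip\Interfaces\$($_.PSChildName)"
        Test-Setting $ifKey 'PerformRouterDiscovery'     @(0) 2
        Test-Setting $ifKey 'IPAutoconfigurationEnabled' @(0) $null
    }
)
$results | Sort-Object Status | Format-Table Status, Value, Source, Key -AutoSize
```

    A NOT SET row means the value is absent from the registry and this article gives no default for it, so the setting still has to be created explicitly.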

    Custom Other settings

    Restrict access to Null sessions : Set HKLM\System\CurrentControlSet\Control\LSA\RestrictAnonymous to 1 on DCs, and to 2 on other servers.

    Disable Dial-Up Networking : Set (or create) HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Network\NoDialin (reg_dword) to 1

    Disable File&Print sharing & close the associated open ports.

    You can use firewall rules to do this, but in general, this may help as well :

    - Disable file & print sharing
    - Disable Netbios TCP/IP Helper Service
    - Disable Netbios over TCP/IP
    - Disable LMHOSTS Lookup
    - Disable the Computer Browser Service
    - Disable the Server service
    - Set SMBDeviceEnabled under HKLM\System\Controlset001\Services\NetBT\Parameters (Reg_Dword) to 0 to close SMB Port 445

    Of course, don't do this on DCs or on File & Print Servers.

    Delegation

    DHCP

    By default, only Enterprise admins have the ability to authorize DHCP servers.


    You can change who can authorize a DHCP server by editing the ACL on the following service :

    - Go to the first DC in the forest, open Active Directory Sites and Services, and make sure advanced features is turned on (on Windows 2003) or enable Show Services Node on Windows 2008
    - Edit the properties of NetServices and go to Security
    - Add the group of admins you want to allow to authorize DHCP servers
    - Give the group full control

    Wait until replication has completed to all DCs, and you should be fine.

    GPO

    After creating an admin group for AD administrators, you will need to grant access to this admin group so they can add GPOs to the domain. Open the AD Users and Computers mmc, go to the Users folder, open the Group Policy Creator Owners group and add the AD Administrators group.

    Additionally, make sure the AD Administrators group has RW access to the SYSVOL//Policies folder on the DCs (which should be the case, because of the Group Policy Creator Owners membership)

    Additionally, open the GPMC, go to Forest: , Domains, . Selec and in the right pane, go to the Delegation Tabsheet

    Add rights to the Admin group to link GPOs, do GPO modelling and analyse results

    Next, select Sites, show sites, and add Link GPOs Access to the sites that will be managed by this Admin group

    Audit

    Download MBSA (at time of writing, latest version is 2.1 beta 2) from http://www.microsoft.com/technet/security/tools/mbsa2_1/default.mspx#ETB and run scans against your systems. You should do this on a continuous basis and implement a process to review the deltas between 2 scans.

    Additionally, implementing tools that will go through event logs (or even better, tools that will capture events before they are entered in the event log, such as OpsMgr) and look for specific codes will help you get (and keep) a grip on your environment.

    If I have some spare time, I might write some details on performing Security monitoring with OpsMgr 2007.

    Downloads

    I have modified the following Security Templates with most of the GPO settings that were discussed in this post.

    After applying the template to your GPOs, make sure to review the settings and to add any Domain Specific groups to these settings. (I had to leave them out as these groups are specific to my environment)

    These templates do not contain the custom TCP/IP settings that are listed above; you'll have to apply those settings manually.

    You can download the modified Security Templates from the links below :

    EC Domain Baseline modified template (1.3 KiB, 47 hits)

    EC Domain Controller Baseline modified template (14.7 KiB, 62 hits)

    Don't forget to extend the SCE using GPOAccelerator before you use these Templates !

    This entry was posted on Friday, April 18th, 2008 at 12:54 pm and is filed under 001_Security, Active Directory, Windows Server
