OTPs as Second Factor
Hardening procedures are the most interesting and scaring thing to do in ICT security. Interesting because it requires not only deep knowledge of the system and/or application architecture, but also a deep knowledge of security related concepts.
On the other side it might be scary because you are going to touch deep into the system configuration and every single mistake could lead to a complete system or application failure. System administrators who just managed to make a system work as required would say: “Don’t touch a running system!” And guess what? They are right!
Because hardening should be a procedure that is implemented during the system engineering and not after everything is up and running. Anyway, most of the time the ideal way is not the one we may find and have to deal with it. In this case, before any attempt to harden is made, a system replica (virtual or physical) must be created and used as playground. Ideally you’ll test on virtual machines that allow you to take several snapshots of the data environment allowing to step back easily in case to total failure.
Now talking about Windows 7, Microsoft did a great job in making documents and tools to address security in general and hardening in particular. Microsoft has developed a framework to help business companies to be compliant to legal regulation (like SOX, HIPAA, PCI-DSS, …) and those regulations also requires baselines for operating system and application. The name of this framework is SCM (Security Compliance Manager) – On the other side we can also do hardening the old style: making everything by hand.
The SCM toolset has following features:
At the end you’ll get computer policies that can be used locally or imported to the Active Directory allowing to enforce Registry and File system settings. This helps in avoiding making all the changes by hand; it also permits to quickly revert any parameter to its original value (and this is very nice).
Once SCM is downloaded and installed, you’ll get access to several Security Guides like:
plus documentation on Windows Server, Exchange and Office security. Those guides are not only for technical settings but also handles security design issues allowing a good foundation for security plan and deployment.
The SCE tool itself has a central management console and has a windows 7 MMC like GUI.
If you would like to see how it works I suggest you check this well made video that gives you a good introduction on how the toolset works.
I’ll highlight the main settings areas of the hardening procedures in Windows 7:
|Audit Policy||Before we can secure we need to see what is happening or has happened, therefore we need to activate security event recording|
|User Rights||User rights should be assessed and use minimum privileged user for daily tasks|
|Security Options||These are the configurations that we can deploy best via baselines tools like SCM (services to run, network parameters, …)|
|Authentication||Reducing the NTLM authentication and setting an adequate password policy is one of the most tangible effects for workstation security|
|Event Logging||After we make sure the system is reporting security events we need to make sure that those logs are available and tamper proof|
|Firewall||The new firewall is capable of filtering IN/OUT packets making a prerequisite for strong security policy on application access, therefore every application should be monitored and be allowed to access only what it really needs to|
|Update||Windows automated update policy is a must|
|File Sharing||A workstation should not share any file and configuration setting to assure the confidentiality of accessed files must be in place (SMB security)|
|Malware detection||Windows offers a basic malware detection tool, and at least this should be used although better solutions are available by security vendors|
In this article we covered Hardening Procedures for Windows 7 using SCM, next month we’ll focus on other hardening methods, stay tuned!
Our experts will get in contact with you!
Our experts will get in contact with you!
Further articles available here