• Part 1: OS Tools
• Part 2: Hardening Procedures
• Part 3: Keep it Safe

Hardening procedures are the most interesting and scaring thing to do in ICT security. Interesting because it requires not only deep knowledge of the system and/or application architecture, but also a deep knowledge of security related concepts.

On the other side it might be scary because you are going to touch deep into the system configuration and every single mistake could lead to a complete system or application failure. System administrators who just managed to make a system work as required would say: “Don’t touch a running system!” And guess what? They are right!

Because hardening should be a procedure that is implemented during the system engineering and not after everything is up and running. Anyway, most of the time the ideal way is not the one we may find and have to deal with it. In this case, before any attempt to harden is made, a system replica (virtual or physical) must be created and used as playground. Ideally you’ll test on virtual machines that allow you to take several snapshots of the data environment allowing to step back easily in case to total failure.

Now talking about Windows 7, Microsoft did a great job in making documents and tools to address security in general and hardening in particular. Microsoft has developed a framework to help business companies to be compliant to legal regulation (like SOX, HIPAA, PCI-DSS, …) and those regulations also requires baselines for operating system and application. The name of this framework is SCM (Security Compliance Manager) – On the other side we can also do hardening the old style: making everything by hand.

Hardening Procedure using SCM

The SCM toolset has following features:

• It is available free of charge
• Can create a GOLD/MASTER image for mass distribution (domain deployment)
• Can create a baseline for stand-alone machine (local hardening)
• Has several security guides for configuring registry and file system settings
• Can compare baselines with industry security standards (SOX, PCI-DSS, …)
• Can export settings for usage in other environment
• Can generate configuration check for technical compliance

At the end you’ll get computer policies that can be used locally or imported to the Active Directory allowing to enforce Registry and File system settings. This helps in avoiding making all the changes by hand; it also permits to quickly revert any parameter to its original value (and this is very nice).

Once SCM is downloaded and installed, you’ll get access to several Security Guides like:

• Windows 7 Computer Security
• Windows 7 Domain Security
• Windows 7 BitLocker Security
• Windows 7 User Security
• Internet Explorer Security

plus documentation on Windows Server, Exchange and Office security. Those guides are not only for technical settings but also handles security design issues allowing a good foundation for security plan and deployment.

The SCE tool itself has a central management console and has a windows 7 MMC like GUI.

If you would like to see how it works I suggest you check this well made video that gives you a good introduction on how the toolset works.

Hardening Procedure on Windows 7

I’ll highlight the main settings areas of the hardening procedures in Windows 7:

Summary

In this article we covered Hardening Procedures for Windows 7 using SCM, next month we’ll focus on other hardening methods, stay tuned!

About the Author

Andrea Covello has been working in information security since the 1990s. His strengths are in engineering, specializing in Windows security, firewalling and advanced virtualization.

Links

• http://social.technet.microsoft.com/wiki/contents/articles/774.microsoft-security-compliance-manager-scm-en-us.aspx
• http://www.microsoft.com/resources/technet/en-us/solutionaccelerators/SCM_Demo_Windows_Server_ITPro.wvx