Security Testing
Tomaso Vasella
Windows 8 Baseline Skeleton
time to read: 16 minutes
Introduction
I have to admit, I’m not in love with the new Windows 8 user interface. The design formerly known as Metro is just not right for everyday work on a desktop workstation, there are plenty of other glitches, but I’m going not going to get into those right now. Because everybody is painfully aware of them and rumour has it that Microsoft has finally gotten the message.
However, under the hood, Windows 8 is not so bad and has added more security features to enforce the desktop security.
Defence Strategy
Going back to our scope here; in this article we’ll create a skeleton for a security baseline to be applied to Windows 8 desktops. Unfortunately, this can only be a generic approach, as the effective implementation in your environment needs fine tuning. Prior to this task, you should conduct a security vulnerability, risk and exposure analysis that will lead you to the requirements to be fulfilled by the Security Baseline. Basically the strategy should target following areas:
- Implementation of a Security Baseline (hardening)
- Defence against Malware
- Protection against Sensitive Data
Let’s start with some generic desktop security advices:
- Deny unauthorized device boot
- Don’t use privileged user accounts for day-to-day work
- Use a different browser to access the internet
- Use a browser with granular control on plug-ins (like Chrome or Firefox)
- Remove the windows APPs and disable the Windows APP store
- Use an alternative Adobe reader (without scripting or “active contents” support)
- Avoid local storage for important data
- Use encrypted storage to back up your files (Yes, especially on USB-sticks or external HDD)
- Activate the local firewall service and configure its policy to your needs
- Implement AppLocker as Malware prevention tool
- Disable 16-Bit and Posix subsystems (where applicable)
- Check your security settings on a regular basis (Microsoft Security Baseline Analyzer – MBSA is a good starting point)
- Last but not least: patch operating system and applications ASAP!
Baseline Settings
Here we define our skeleton for the Windows 8 Security Baseline, please note that I’ve omitted all settings already secured by default.
| Setting | Value | Description |
|---|---|---|
| Network Protocols, Services & Client | ||
| Turn off downloading of print drivers over HTTP | Enabled | |
| Turn off Internet download for Web publishing and online ordering wizards | Enabled | This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards. |
| Turn off the “Publish to Web” task for files and folders | Enabled | |
| Turn off the Windows Messenger Customer Experience Improvement Program | Enabled | This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. |
| User Rights Assignments | ||
| Access this computer from the network | Users, Administrators | This policy setting allows other users on the network to connect to the computer and is required by various network protocols that include Server SMB–based protocols, NetBIOS, CIFS, and COM+. |
| Act as part of the operating system | No One | This policy setting allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access. |
| Deny access to this computer from the network | Guests | This policy setting prohibits users from connecting to a computer from across the network, which would allow users to access and potentially modify data remotely. |
| Deny log on as a batch job | Guests | This policy setting determines which accounts will not be able to log on to the computer as a batch job. |
| Deny log on locally | Guests | This security setting determines which users are prevented from logging on at the computer. |
| Turn off Autoplay | Enabled | |
| Security Options | ||
| Administrator account status | Disabled | This policy setting enables or disables the Administrator account during normal operation. |
| Guest account status | Disabled | This policy setting determines whether the Guest account is enabled or disabled. |
| Limit local account use of blank passwords to console logon only | Enabled | Local accounts that have blank passwords will not be able to log on to the network from remote client computers. |
| Block Microsoft accounts | Users can’t add or log on with Microsoft accounts | This policy setting prevents users from adding new Microsoft accounts on this computer. |
| Allow log on locally | Administrators, Users | This policy setting determines which users can interactively log on to computers. |
| Allow Remote Shell Access | Enabled | This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands. |
| Boot-Start Driver Initialization Policy | Enabled | This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. |
| Do not allow drive redirection | Enabled | This policy setting prevents users from sharing the local drives on their client computers to Terminal Servers that they access. |
| Recovery console: Allow automatic administrative logon | Disabled | Admin login is required to access the recovery console. |
| Require a Password When a Computer Wakes (On Battery) | Enabled | Specifies whether or not the user is prompted for a password when the system resumes from sleep. |
| Require a Password When a Computer Wakes (Plugged In) | Enabled | Specifies whether or not the user is prompted for a password when the system resumes from sleep. |
| Reschedule Automatic Updates scheduled installations | Enabled | “Previously scheduled installation will begin after a specified number of minutes when you next start the computer.” |
| Turn off Data Execution Prevention for Explorer | Disabled | Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer. |
| Shutdown: Clear virtual memory pagefile | Disabled | This policy setting determines whether the virtual memory pagefile is cleared when the system is shut down. |
| Interactive Logon | ||
| Do not require CTRL+ALT+DEL | Disabled | Users must press CTRL+ALT+DEL before they log on to Windows unless they use a smart card for Windows logon. |
| Machine account lockout threshold | 10 invalid logon attempts | |
| Machine inactivity limit | 900 seconds | |
| Number of previous logons to cache (in case domain controller is not available) | 4 logon(s) | |
| Manage auditing and security log | Administrators | This policy setting determines which users can change the auditing options for files and directories and clear the Security log. |
| System Service Settings | ||
| Configure Automatic Updates | Enabled | This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. |
| Configure Offer Remote Assistance | Disabled | This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. |
| Configure Solicited Remote Assistance | Disabled | This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. |
| Configure registry policy processing | Enabled | This policy setting determines when registry policies are updated. |
| Configure Windows SmartScreen | Enabled | Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. |
| Domain Member | ||
| Digitally encrypt or sign secure channel data (always) | Enabled | This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. |
| Digitally encrypt secure channel data (when possible) | Enabled | This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. |
| Digitally sign secure channel data (when possible) | Enabled | This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. |
| Disable machine account password changes | Disabled | Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system’s domain account. |
| Maximum machine account password age | 30 day(s) | This policy setting determines the maximum allowable age for a computer account password. |
| Require strong (Windows 2000 or later) session key | Enabled | When this policy setting is enabled, a secure channel can only be established with domain controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. |
| Enable computer and user accounts to be trusted for delegation | No One | This policy setting allows users to change the Trusted for Delegation setting on a computer object in Active Directory. |
| Enumerate administrator accounts on elevation | Disabled | By default, all administrator accounts are displayed when you attempt to elevate a running application. |
| Do not display ‘Install Updates and Shut Down’ option in Shut Down Windows dialog box | Disabled | This policy setting allows you to manage whether the Install Updates and Shut Down option is displayed in the Shut Down Windows dialog box. |
| No auto-restart with logged on users for scheduled automatic updates installations | Disabled | Automatic Updates will force a system restart even if a user is logged into the workstation. |
| Force shutdown from a remote system | Administrators | This policy setting allows users to shut down Windows Vista–based computers from remote locations on the network. |
| Audit Policy | ||
| Account Lockout | No Auditing | |
| Logoff | Success | |
| Logon | Success and Failure | |
| Network Policy Server | No Auditing | |
| Other Logon/Logoff Events | No Auditing | |
| Special Logon | Success | |
| Audit Policy Change | Success and Failure | |
| Security State Change | Success and Failure | |
| Security System Extension | Success and Failure | |
| System Integrity | Success and Failure | |
| Microsoft Network Client | ||
| Digitally sign communications (always) | Enabled | This policy setting determines whether packet signing is required by the SMB client component. |
| Digitally sign communications (if server agrees) | Enabled | This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. |
| Send unencrypted password to third-party SMB servers | Disabled | To prevent the SMB redirector from sending plaintext passwords during authentication. |
| Microsoft Network Server | ||
| Amount of idle time required before suspending session | 15 minute(s) | SMB session timeout before the session is suspended because of inactivity. |
| Digitally sign communications (always) | Enabled | This policy setting determines if the server side SMB service is required to perform SMB packet signing. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. |
| Disconnect clients when logon hours expire | Enabled | Disconnect users who are connected to the local computer outside their user account’s valid logon hours. |
| Network Access | ||
| Allow anonymous SID/Name translation | Disabled | This policy setting to prevent unauthenticated users from obtaining user names that are associated with their respective SIDs. |
| Apply Everyone permissions to anonymous users | Disabled | This policy setting determines which additional permissions are assigned to anonymous connections to the computer. |
| Do not allow anonymous enumeration of SAM accounts | Enabled | Anonymous connections cannot enumerate domain account user names on the workstations in your environment. |
| Do not allow anonymous enumeration of SAM accounts and shares | Enabled | Anonymous users will not be able to enumerate domain account user names and network share names on the workstations in your environment. |
| Network Security | ||
| Do not store LAN Manager hash value on next password change | Enabled | This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. |
| LAN Manager Authentication level | Send NTLMv2 response only. Refuse LM & NTLM | In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. |
| LDAP client signing requirements | Negotiate signing | |
| Minimum session security for NTLM SSP based (including secure RPC) clients | Require NTLMv2 session security, Require 128-bit encryption | This policy setting determines which behaviours are allowed for applications using the NTLM Security Support Provider (SSP). |
| Minimum session security for NTLM SSP based (including secure RPC) servers | Require NTLMv2 session security, Require 128-bit encryption | This policy setting determines which behaviours are allowed for applications using the NTLM Security Support Provider (SSP). |
| Set client connection encryption level | Enabled | This policy setting specifies whether the computer that is about to host the remote connection will enforce an encryption level for all data sent between it and the client computer for the remote session. |
| User Account Control | ||
| Admin Approval Mode for the Built-in Administrator account | Enabled | The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will require the user to approve of the operation. |
| Behaviour of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent on the secure desktop | This policy setting controls the behaviour of the elevation prompt for administrators. |
| Behaviour of the elevation prompt for standard users | Automatically deny elevation requests | This policy setting controls the behaviour of the elevation prompt for standard users. |
| Detect application installations and prompt for elevation | Enabled | This policy setting controls the behaviour of application installation detection for the computer. |
| Windows Firewall | ||
| Domain: Firewall state | On (recommended) | |
| Domain: Inbound connections | Enabled | The default behaviour is to block connections unless there are firewall rules to allow the connection. |
| Private: Firewall state | On | |
| Private: Inbound connections | Enabled | The default behaviour is to block connections unless there are firewall rules to allow the connection. |
| Public: Apply local connection security rules | No | This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. |
| Public: Display a notification | No | |
| Public: Firewall state | On | |
| Public: Inbound connections | Enabled | This setting determines the behaviour for inbound connections that do not match an inbound firewall rule. The default behaviour is to block connections unless there are firewall rules to allow the connection. |
All credits for the settings names and descriptions goes to Microsoft Security Compliance Manager – SCM
Going Further
Here are some advanced recommendations that you may add in consideration when handling with very exposed devices (notebooks) or with access to Confidential Data:
- Secure and encrypt local boot and storage devices (with tools like BitLocker or TrueCrypt
- Use Dual-Factor user Authentication (with OTP, PKI or Challenge-Response enabled devices)
- Avoid the use of JAVA
- Avoid the use of Adobe FLASH
- Implement an Application Whitelist enforcement, leveraging features available in AppLocker / SRP
- Implement Sandboxing/Virtualization in the Operating System and/or Applications (more information below)
- Implement central Log Management to get the information and get reports out of it before it disappears
If one or more of these recommendations are not sustainable for your environment, consider a segregation/virtualization approach. This could be implementing Micro Virtualization technologies like in Bromium vSentry or a remote execution environment in a dedicated VDI infrastructure for a specific purpose (like internet browsing). Other technology that may help in these regards could be:
- “OS Enhancement” sandboxing like Sandboxie or
- Trustware’s BufferZone
The idea behind all this is to limit the privileges needed by applications and to segregate operations as much as possible, reflecting the security approach of the Principles of Least Privileges.
Conclusion
No. This is not the end… but just the beginning; because, like an old friend of mine likes to say, “The fine tuning is going to kill us all!”
Have fun and don’t get bored ;)
About the Author
Links
- http://en.wikipedia.org/wiki/Principle_of_least_privilege
- http://technet.microsoft.com/en-us/library/cc734043.aspx
- http://technet.microsoft.com/en-us/library/hh831409.aspx
- http://technet.microsoft.com/en-us/library/hh831713.aspx
- http://winsupersite.com/windows-8/threshold-be-called-windows-9-ship-april-2015
- http://www.bromium.com/innovations/micro-virtualization.html
- http://www.bromium.com/products.html
- http://www.microsoft.com/en-us/download/details.aspx?id=16776
- http://www.sandboxie.com/
- http://www.truecrypt.org/
- http://www.trustware.com/index.php?id=products_home
You want to test the security of your firewall?
Our experts will get in contact with you!
×
Active Directory certificate services
Eric Maurer
Foreign Entra Workload Identities
Marius Elmiger
Active Directory certificate services
Eric Maurer
You need support in such a project?
Our experts will get in contact with you!