Isn’t business continuity part of security?
Andrea Covello
I have to admit, I’m not in love with the new Windows 8 user interface. The design formerly known as Metro is just not right for everyday work on a desktop workstation, there are plenty of other glitches, but I’m going not going to get into those right now. Because everybody is painfully aware of them and rumour has it that Microsoft has finally gotten the message.
However, under the hood, Windows 8 is not so bad and has added more security features to enforce the desktop security.
Going back to our scope here; in this article we’ll create a skeleton for a security baseline to be applied to Windows 8 desktops. Unfortunately, this can only be a generic approach, as the effective implementation in your environment needs fine tuning. Prior to this task, you should conduct a security vulnerability, risk and exposure analysis that will lead you to the requirements to be fulfilled by the Security Baseline. Basically the strategy should target following areas:
Let’s start with some generic desktop security advices:
Here we define our skeleton for the Windows 8 Security Baseline, please note that I’ve omitted all settings already secured by default.
Setting | Value | Description |
---|---|---|
Network Protocols, Services & Client | ||
Turn off downloading of print drivers over HTTP | Enabled | |
Turn off Internet download for Web publishing and online ordering wizards | Enabled | This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards. |
Turn off the “Publish to Web” task for files and folders | Enabled | |
Turn off the Windows Messenger Customer Experience Improvement Program | Enabled | This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. |
User Rights Assignments | ||
Access this computer from the network | Users, Administrators | This policy setting allows other users on the network to connect to the computer and is required by various network protocols that include Server SMB–based protocols, NetBIOS, CIFS, and COM+. |
Act as part of the operating system | No One | This policy setting allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access. |
Deny access to this computer from the network | Guests | This policy setting prohibits users from connecting to a computer from across the network, which would allow users to access and potentially modify data remotely. |
Deny log on as a batch job | Guests | This policy setting determines which accounts will not be able to log on to the computer as a batch job. |
Deny log on locally | Guests | This security setting determines which users are prevented from logging on at the computer. |
Turn off Autoplay | Enabled | |
Security Options | ||
Administrator account status | Disabled | This policy setting enables or disables the Administrator account during normal operation. |
Guest account status | Disabled | This policy setting determines whether the Guest account is enabled or disabled. |
Limit local account use of blank passwords to console logon only | Enabled | Local accounts that have blank passwords will not be able to log on to the network from remote client computers. |
Block Microsoft accounts | Users can’t add or log on with Microsoft accounts | This policy setting prevents users from adding new Microsoft accounts on this computer. |
Allow log on locally | Administrators, Users | This policy setting determines which users can interactively log on to computers. |
Allow Remote Shell Access | Enabled | This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands. |
Boot-Start Driver Initialization Policy | Enabled | This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. |
Do not allow drive redirection | Enabled | This policy setting prevents users from sharing the local drives on their client computers to Terminal Servers that they access. |
Recovery console: Allow automatic administrative logon | Disabled | Admin login is required to access the recovery console. |
Require a Password When a Computer Wakes (On Battery) | Enabled | Specifies whether or not the user is prompted for a password when the system resumes from sleep. |
Require a Password When a Computer Wakes (Plugged In) | Enabled | Specifies whether or not the user is prompted for a password when the system resumes from sleep. |
Reschedule Automatic Updates scheduled installations | Enabled | “Previously scheduled installation will begin after a specified number of minutes when you next start the computer.” |
Turn off Data Execution Prevention for Explorer | Disabled | Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer. |
Shutdown: Clear virtual memory pagefile | Disabled | This policy setting determines whether the virtual memory pagefile is cleared when the system is shut down. |
Interactive Logon | ||
Do not require CTRL+ALT+DEL | Disabled | Users must press CTRL+ALT+DEL before they log on to Windows unless they use a smart card for Windows logon. |
Machine account lockout threshold | 10 invalid logon attempts | |
Machine inactivity limit | 900 seconds | |
Number of previous logons to cache (in case domain controller is not available) | 4 logon(s) | |
Manage auditing and security log | Administrators | This policy setting determines which users can change the auditing options for files and directories and clear the Security log. |
System Service Settings | ||
Configure Automatic Updates | Enabled | This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. |
Configure Offer Remote Assistance | Disabled | This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. |
Configure Solicited Remote Assistance | Disabled | This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. |
Configure registry policy processing | Enabled | This policy setting determines when registry policies are updated. |
Configure Windows SmartScreen | Enabled | Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. |
Domain Member | ||
Digitally encrypt or sign secure channel data (always) | Enabled | This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. |
Digitally encrypt secure channel data (when possible) | Enabled | This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. |
Digitally sign secure channel data (when possible) | Enabled | This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. |
Disable machine account password changes | Disabled | Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system’s domain account. |
Maximum machine account password age | 30 day(s) | This policy setting determines the maximum allowable age for a computer account password. |
Require strong (Windows 2000 or later) session key | Enabled | When this policy setting is enabled, a secure channel can only be established with domain controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. |
Enable computer and user accounts to be trusted for delegation | No One | This policy setting allows users to change the Trusted for Delegation setting on a computer object in Active Directory. |
Enumerate administrator accounts on elevation | Disabled | By default, all administrator accounts are displayed when you attempt to elevate a running application. |
Do not display ‘Install Updates and Shut Down’ option in Shut Down Windows dialog box | Disabled | This policy setting allows you to manage whether the Install Updates and Shut Down option is displayed in the Shut Down Windows dialog box. |
No auto-restart with logged on users for scheduled automatic updates installations | Disabled | Automatic Updates will force a system restart even if a user is logged into the workstation. |
Force shutdown from a remote system | Administrators | This policy setting allows users to shut down Windows Vista–based computers from remote locations on the network. |
Audit Policy | ||
Account Lockout | No Auditing | |
Logoff | Success | |
Logon | Success and Failure | |
Network Policy Server | No Auditing | |
Other Logon/Logoff Events | No Auditing | |
Special Logon | Success | |
Audit Policy Change | Success and Failure | |
Security State Change | Success and Failure | |
Security System Extension | Success and Failure | |
System Integrity | Success and Failure | |
Microsoft Network Client | ||
Digitally sign communications (always) | Enabled | This policy setting determines whether packet signing is required by the SMB client component. |
Digitally sign communications (if server agrees) | Enabled | This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. |
Send unencrypted password to third-party SMB servers | Disabled | To prevent the SMB redirector from sending plaintext passwords during authentication. |
Microsoft Network Server | ||
Amount of idle time required before suspending session | 15 minute(s) | SMB session timeout before the session is suspended because of inactivity. |
Digitally sign communications (always) | Enabled | This policy setting determines if the server side SMB service is required to perform SMB packet signing. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. |
Disconnect clients when logon hours expire | Enabled | Disconnect users who are connected to the local computer outside their user account’s valid logon hours. |
Network Access | ||
Allow anonymous SID/Name translation | Disabled | This policy setting to prevent unauthenticated users from obtaining user names that are associated with their respective SIDs. |
Apply Everyone permissions to anonymous users | Disabled | This policy setting determines which additional permissions are assigned to anonymous connections to the computer. |
Do not allow anonymous enumeration of SAM accounts | Enabled | Anonymous connections cannot enumerate domain account user names on the workstations in your environment. |
Do not allow anonymous enumeration of SAM accounts and shares | Enabled | Anonymous users will not be able to enumerate domain account user names and network share names on the workstations in your environment. |
Network Security | ||
Do not store LAN Manager hash value on next password change | Enabled | This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. |
LAN Manager Authentication level | Send NTLMv2 response only. Refuse LM & NTLM | In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. |
LDAP client signing requirements | Negotiate signing | |
Minimum session security for NTLM SSP based (including secure RPC) clients | Require NTLMv2 session security, Require 128-bit encryption | This policy setting determines which behaviours are allowed for applications using the NTLM Security Support Provider (SSP). |
Minimum session security for NTLM SSP based (including secure RPC) servers | Require NTLMv2 session security, Require 128-bit encryption | This policy setting determines which behaviours are allowed for applications using the NTLM Security Support Provider (SSP). |
Set client connection encryption level | Enabled | This policy setting specifies whether the computer that is about to host the remote connection will enforce an encryption level for all data sent between it and the client computer for the remote session. |
User Account Control | ||
Admin Approval Mode for the Built-in Administrator account | Enabled | The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will require the user to approve of the operation. |
Behaviour of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent on the secure desktop | This policy setting controls the behaviour of the elevation prompt for administrators. |
Behaviour of the elevation prompt for standard users | Automatically deny elevation requests | This policy setting controls the behaviour of the elevation prompt for standard users. |
Detect application installations and prompt for elevation | Enabled | This policy setting controls the behaviour of application installation detection for the computer. |
Windows Firewall | ||
Domain: Firewall state | On (recommended) | |
Domain: Inbound connections | Enabled | The default behaviour is to block connections unless there are firewall rules to allow the connection. |
Private: Firewall state | On | |
Private: Inbound connections | Enabled | The default behaviour is to block connections unless there are firewall rules to allow the connection. |
Public: Apply local connection security rules | No | This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. |
Public: Display a notification | No | |
Public: Firewall state | On | |
Public: Inbound connections | Enabled | This setting determines the behaviour for inbound connections that do not match an inbound firewall rule. The default behaviour is to block connections unless there are firewall rules to allow the connection. |
All credits for the settings names and descriptions goes to Microsoft Security Compliance Manager – SCM
Here are some advanced recommendations that you may add in consideration when handling with very exposed devices (notebooks) or with access to Confidential Data:
If one or more of these recommendations are not sustainable for your environment, consider a segregation/virtualization approach. This could be implementing Micro Virtualization technologies like in Bromium vSentry or a remote execution environment in a dedicated VDI infrastructure for a specific purpose (like internet browsing). Other technology that may help in these regards could be:
The idea behind all this is to limit the privileges needed by applications and to segregate operations as much as possible, reflecting the security approach of the Principles of Least Privileges.
No. This is not the end… but just the beginning; because, like an old friend of mine likes to say, “The fine tuning is going to kill us all!”
Have fun and don’t get bored ;)
Our experts will get in contact with you!
Andrea Covello
Our experts will get in contact with you!