Windows 8 Baseline Skeleton

Windows 8 Baseline Skeleton

Andrea Covello
by Andrea Covello
time to read: 16 minutes

Introduction

I have to admit, I’m not in love with the new Windows 8 user interface. The design formerly known as Metro is just not right for everyday work on a desktop workstation, there are plenty of other glitches, but I’m going not going to get into those right now. Because everybody is painfully aware of them and rumour has it that Microsoft has finally gotten the message.

Welcome back, old friend.

However, under the hood, Windows 8 is not so bad and has added more security features to enforce the desktop security.

Defence Strategy

Going back to our scope here; in this article we’ll create a skeleton for a security baseline to be applied to Windows 8 desktops. Unfortunately, this can only be a generic approach, as the effective implementation in your environment needs fine tuning. Prior to this task, you should conduct a security vulnerability, risk and exposure analysis that will lead you to the requirements to be fulfilled by the Security Baseline. Basically the strategy should target following areas:

Let’s start with some generic desktop security advices:

Baseline Settings

Here we define our skeleton for the Windows 8 Security Baseline, please note that I’ve omitted all settings already secured by default.

Setting Value Description
Network Protocols, Services & Client
Turn off downloading of print drivers over HTTP Enabled
Turn off Internet download for Web publishing and online ordering wizards Enabled This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards.
Turn off the “Publish to Web” task for files and folders Enabled
Turn off the Windows Messenger Customer Experience Improvement Program Enabled This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used.
User Rights Assignments
Access this computer from the network Users, Administrators This policy setting allows other users on the network to connect to the computer and is required by various network protocols that include Server SMB–based protocols, NetBIOS, CIFS, and COM+.
Act as part of the operating system No One This policy setting allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access.
Deny access to this computer from the network Guests This policy setting prohibits users from connecting to a computer from across the network, which would allow users to access and potentially modify data remotely.
Deny log on as a batch job Guests This policy setting determines which accounts will not be able to log on to the computer as a batch job.
Deny log on locally Guests This security setting determines which users are prevented from logging on at the computer.
Turn off Autoplay Enabled
Security Options
Administrator account status Disabled This policy setting enables or disables the Administrator account during normal operation.
Guest account status Disabled This policy setting determines whether the Guest account is enabled or disabled.
Limit local account use of blank passwords to console logon only Enabled Local accounts that have blank passwords will not be able to log on to the network from remote client computers.
Block Microsoft accounts Users can’t add or log on with Microsoft accounts This policy setting prevents users from adding new Microsoft accounts on this computer.
Allow log on locally Administrators, Users This policy setting determines which users can interactively log on to computers.
Allow Remote Shell Access Enabled This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands.
Boot-Start Driver Initialization Policy Enabled This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver.
Do not allow drive redirection Enabled This policy setting prevents users from sharing the local drives on their client computers to Terminal Servers that they access.
Recovery console: Allow automatic administrative logon Disabled Admin login is required to access the recovery console.
Require a Password When a Computer Wakes (On Battery) Enabled Specifies whether or not the user is prompted for a password when the system resumes from sleep.
Require a Password When a Computer Wakes (Plugged In) Enabled Specifies whether or not the user is prompted for a password when the system resumes from sleep.
Reschedule Automatic Updates scheduled installations Enabled “Previously scheduled installation will begin after a specified number of minutes when you next start the computer.”
Turn off Data Execution Prevention for Explorer Disabled Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer.
Shutdown: Clear virtual memory pagefile Disabled This policy setting determines whether the virtual memory pagefile is cleared when the system is shut down.
Interactive Logon
Do not require CTRL+ALT+DEL Disabled Users must press CTRL+ALT+DEL before they log on to Windows unless they use a smart card for Windows logon.
Machine account lockout threshold 10 invalid logon attempts
Machine inactivity limit 900 seconds
Number of previous logons to cache (in case domain controller is not available) 4 logon(s)
Manage auditing and security log Administrators This policy setting determines which users can change the auditing options for files and directories and clear the Security log.
System Service Settings
Configure Automatic Updates Enabled This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS.
Configure Offer Remote Assistance Disabled This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer.
Configure Solicited Remote Assistance Disabled This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer.
Configure registry policy processing Enabled This policy setting determines when registry policies are updated.
Configure Windows SmartScreen Enabled Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet.
Domain Member
Digitally encrypt or sign secure channel data (always) Enabled This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted.
Digitally encrypt secure channel data (when possible) Enabled This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates.
Digitally sign secure channel data (when possible) Enabled This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed.
Disable machine account password changes Disabled Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system’s domain account.
Maximum machine account password age 30 day(s) This policy setting determines the maximum allowable age for a computer account password.
Require strong (Windows 2000 or later) session key Enabled When this policy setting is enabled, a secure channel can only be established with domain controllers that are capable of encrypting secure channel data with a strong (128-bit) session key.
Enable computer and user accounts to be trusted for delegation No One This policy setting allows users to change the Trusted for Delegation setting on a computer object in Active Directory.
Enumerate administrator accounts on elevation Disabled By default, all administrator accounts are displayed when you attempt to elevate a running application.
Do not display ‘Install Updates and Shut Down’ option in Shut Down Windows dialog box Disabled This policy setting allows you to manage whether the Install Updates and Shut Down option is displayed in the Shut Down Windows dialog box.
No auto-restart with logged on users for scheduled automatic updates installations Disabled Automatic Updates will force a system restart even if a user is logged into the workstation.
Force shutdown from a remote system Administrators This policy setting allows users to shut down Windows Vista–based computers from remote locations on the network.
Audit Policy
Account Lockout No Auditing
Logoff Success
Logon Success and Failure
Network Policy Server No Auditing
Other Logon/Logoff Events No Auditing
Special Logon Success
Audit Policy Change Success and Failure
Security State Change Success and Failure
Security System Extension Success and Failure
System Integrity Success and Failure
Microsoft Network Client
Digitally sign communications (always) Enabled This policy setting determines whether packet signing is required by the SMB client component.
Digitally sign communications (if server agrees) Enabled This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing.
Send unencrypted password to third-party SMB servers Disabled To prevent the SMB redirector from sending plaintext passwords during authentication.
Microsoft Network Server
Amount of idle time required before suspending session 15 minute(s) SMB session timeout before the session is suspended because of inactivity.
Digitally sign communications (always) Enabled This policy setting determines if the server side SMB service is required to perform SMB packet signing. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server.
Disconnect clients when logon hours expire Enabled Disconnect users who are connected to the local computer outside their user account’s valid logon hours.
Network Access
Allow anonymous SID/Name translation Disabled This policy setting to prevent unauthenticated users from obtaining user names that are associated with their respective SIDs.
Apply Everyone permissions to anonymous users Disabled This policy setting determines which additional permissions are assigned to anonymous connections to the computer.
Do not allow anonymous enumeration of SAM accounts Enabled Anonymous connections cannot enumerate domain account user names on the workstations in your environment.
Do not allow anonymous enumeration of SAM accounts and shares Enabled Anonymous users will not be able to enumerate domain account user names and network share names on the workstations in your environment.
Network Security
Do not store LAN Manager hash value on next password change Enabled This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed.
LAN Manager Authentication level Send NTLMv2 response only. Refuse LM & NTLM In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2.
LDAP client signing requirements Negotiate signing
Minimum session security for NTLM SSP based (including secure RPC) clients Require NTLMv2 session security, Require 128-bit encryption This policy setting determines which behaviours are allowed for applications using the NTLM Security Support Provider (SSP).
Minimum session security for NTLM SSP based (including secure RPC) servers Require NTLMv2 session security, Require 128-bit encryption This policy setting determines which behaviours are allowed for applications using the NTLM Security Support Provider (SSP).
Set client connection encryption level Enabled This policy setting specifies whether the computer that is about to host the remote connection will enforce an encryption level for all data sent between it and the client computer for the remote session.
User Account Control
Admin Approval Mode for the Built-in Administrator account Enabled The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will require the user to approve of the operation.
Behaviour of the elevation prompt for administrators in Admin Approval Mode Prompt for consent on the secure desktop This policy setting controls the behaviour of the elevation prompt for administrators.
Behaviour of the elevation prompt for standard users Automatically deny elevation requests This policy setting controls the behaviour of the elevation prompt for standard users.
Detect application installations and prompt for elevation Enabled This policy setting controls the behaviour of application installation detection for the computer.
Windows Firewall
Domain: Firewall state On (recommended)
Domain: Inbound connections Enabled The default behaviour is to block connections unless there are firewall rules to allow the connection.
Private: Firewall state On
Private: Inbound connections Enabled The default behaviour is to block connections unless there are firewall rules to allow the connection.
Public: Apply local connection security rules No This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy.
Public: Display a notification No
Public: Firewall state On
Public: Inbound connections Enabled This setting determines the behaviour for inbound connections that do not match an inbound firewall rule. The default behaviour is to block connections unless there are firewall rules to allow the connection.

All credits for the settings names and descriptions goes to Microsoft Security Compliance Manager – SCM

Going Further

Here are some advanced recommendations that you may add in consideration when handling with very exposed devices (notebooks) or with access to Confidential Data:

If one or more of these recommendations are not sustainable for your environment, consider a segregation/virtualization approach. This could be implementing Micro Virtualization technologies like in Bromium vSentry or a remote execution environment in a dedicated VDI infrastructure for a specific purpose (like internet browsing). Other technology that may help in these regards could be:

The idea behind all this is to limit the privileges needed by applications and to segregate operations as much as possible, reflecting the security approach of the Principles of Least Privileges.

Conclusion

No. This is not the end… but just the beginning; because, like an old friend of mine likes to say, “The fine tuning is going to kill us all!”

Have fun and don’t get bored ;)

About the Author

Andrea Covello

Andrea Covello has been working in information security since the 1990s. His strengths are in engineering, specializing in Windows security, firewalling and advanced virtualization.

Links

You want to test the security of your firewall?

Our experts will get in contact with you!

×
Isn’t business continuity part of security?

Isn’t business continuity part of security?

Andrea Covello

You want more?

Further articles available here

You need support in such a project?

Our experts will get in contact with you!

You want more?

Further articles available here