Microsoft Vista - Mini Hardening Guide (Manchester - 01.03.2009)
Author: Rafal Rajs (ElessaR) (email: elessar1@poczta.wp.pl)
Introduction
Hello all,
Windows Vista is becoming a more and more popular operating system. It contains many new security features, and its default installation is fairly secure. So why bother writing such an article?
Firstly, some security options can be hardened and tweaked, some services can be disabled, and the audit policy can be improved. Secondly, many security improvements are not properly understood and are switched off because of that. User Account Control (UAC) is a good example.
This guide can help you automate part of the hardening process for a standalone Vista machine and help you decide which changes you need.
Most of this article is based on the Vista Security Guide by Microsoft.
You should definitely read it in order to understand the Vista security options. This guide will help you implement the settings presented in that Security Guide easily, and it will also point out some functional and interoperability issues involved.
The article content is as follows:
1. System hardening using SSLF Security Templates plus customizing applied security settings
2. Setting and customizing Audit Policy using Auditpol tool
3. Services worth disabling plus scripting
4. Some firewall usage tips
5. Some Group Policy options worth setting
6. Network hardening
7. Some network and usage tips
Backup
Before introducing any changes to your system, back up your old configuration so you can revert easily if problems occur.
1. Back up the current security policy
Local Security Policy -> Security Settings -> Export Policy
2. Back up the current audit policy
auditpol /backup /file:Backup-Default-AuditPolicy.txt
Preparation
The Vista Security Guide by Microsoft contains not only the document but also Security Templates and security tools, which help you implement the guidelines in your environment.
They are prepared mainly for a domain environment. I hope this guide will help you implement these settings simply on a stand-alone machine.
You will need the following files from the above package:
GPOAccelerator Tool\Security Templates\VSG SSLF Domain.inf
GPOAccelerator Tool\Security Templates\VSG SSLF Desktop.inf
GPOAccelerator Tool\Security Group Policy Objects\GPMCFiles\SSLF-VSGAuditPolicy.txt
GPOAccelerator Tool\Security Group Policy Objects\GPOAccelerator.wsf
Procedure
Extending Security Options
The hardened Security Policy contains options which are not available in the standard configuration. You need to extend the policy to include these options.
You can do that by running the following command as Administrator in the "GPOAccelerator Tool\Security Group Policy Objects" folder:
cscript GPOAccelerator.wsf /ConfigSCE
Importing new Security Policy
You will use the "Specialized Security Limited Functionality" Security Template (SSLF) as your hardened Security Policy. In order to import the new settings, open:
Local Security Policy -> Import Policy
and import the "VSG SSLF Domain.inf" and "VSG SSLF Desktop.inf" templates.
Security Settings to consider
The hardened Security Policy in its default form will probably limit your network connectivity and interoperability. Review the settings below and decide whether you can use the hardened values or need to revert to the defaults to maintain the required functionality.
Security Settings -> Local Policies -> User rights assignment -> Allow log on through Terminal Services
Default: Administrators, Remote Desktop Users
SSLF: None
Security Settings -> Local Policies -> User rights assignment -> Deny log on through Terminal Services
Default: None
SSLF: Everyone
If you are going to use Remote Desktop, revert the two settings above to their default values.
Security Settings -> Local Policies -> User rights assignment -> Access this computer from the network
Default: Administrators,Backup Operators,Users,Everyone
SSLF: Administrators
You probably want to add the Users group to the SSLF setting if you want to access your computer from the network.
Security Settings -> Local Policies -> User rights assignment -> Debug programs
Default: Administrators
SSLF: None
If you want to be able to debug programs on your system, consider reverting this setting to the default value.
Security Settings -> Local Policies -> User rights assignment -> Increase a process working set
Default: Users
SSLF: Administrators
Changing to the default value should be fine for a standard workstation (http://technet.microsoft.com/en-us/library/cc766301.aspx).
Security Settings -> Local Policies -> Security Options -> Network security: LAN Manager authentication level
Default: Send NTLMv2 response only
SSLF: Send NTLMv2 response only\refuse LM & NTLM
The SSLF setting works fine with Linux Samba. However, in certain cases a connection to Windows XP can be limited by this setting. If you have problems connecting to Windows XP, try setting this parameter to any value which allows NTLM authentication. Also remember that in order to connect to a Windows XP share successfully, Windows XP has to have "SIMPLE SHARING" disabled.
Security Settings -> Local Policies -> Security Options -> Microsoft network client: Digitally sign communications (always)
Default: Disabled
SSLF: Enabled
Security Settings -> Local Policies -> Security Options -> Microsoft network server: Digitally sign communications (always)
Default: Disabled
SSLF: Enabled
Consider reverting the two settings above to their default values if you want to access Linux Samba shares or want your computer to be accessed by Samba.
Security Settings -> Local Policies -> Security Options -> User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
Default: Prompt for consent
SSLF: Prompt for credentials
You should consider changing this option back to the default value. Prompting for consent should be secure enough for most environments.
Security Settings -> Local Policies -> Security Options -> Interactive logon: Don't display last user name
Default: Disabled
SSLF: Enabled
Security Settings -> Local Policies -> Security Options -> Interactive logon: Do not require CTRL-ALT-DELETE
Default: Enabled
SSLF: Disabled
If you want to retain the default logon screen, consider changing the above two settings to the default values.
Security Settings -> Local Policies -> Security Options -> Microsoft network client: Digitally sign communications (if server agrees)
Default: Enabled
SSLF: Enabled
Security Settings -> Local Policies -> Security Options -> Microsoft network server: Digitally sign communications (if client agrees)
Default: Disabled
SSLF: Enabled
If the performance of Windows file sharing is below expectations, consider disabling the above options.
For most security settings, the way to apply them is to run "gpupdate /force". However, certain settings require a system restart.
Audit Policy
Windows Vista includes the same nine audit policy categories present in previous versions of Windows, which can be managed using
Local Security Policy -> Local Policies -> Audit Policy
The Vista audit policy can be managed in a more specific way by using 50 audit policy subcategories. They are managed with the command-line tool "AuditPol.exe".
You will use the "Specialized Security Limited Functionality" audit policy, which is contained in the file "SSLF-VSGAuditPolicy.txt".
In the SSLF configuration you can find the following two subcategories, which can log lots of events:
- Sensitive Privilege Use (Success and Failure)
- Process Creation (Success)
If you don't need to log the above information, modify the following two lines in "SSLF-VSGAuditPolicy.txt":
VSG,System,Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030},Success,,1
VSG,System,Sensitive Privilege Use,{0CCE9228-69AE-11D9-BED3-505054503030},Success and Failure,,3
to this form:
VSG,System,Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030},No Auditing,,0
VSG,System,Sensitive Privilege Use,{0CCE9228-69AE-11D9-BED3-505054503030},No Auditing,,0
In order to apply the new policy, perform the following two steps as Administrator:
- clear the current policy: auditpol /clear
- apply the new policy: auditpol.exe /restore /file:SSLF-VSGAuditPolicy.txt
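The backup step from the "Backup" section and the two apply steps above, chained into one script. This is an added example, not a script from the guide or from Microsoft's Vista Security Guide; it switches the two noisy subcategories off through auditpol after the restore instead of hand-editing the template, which gives the same end state as the "No Auditing,,0" lines. It assumes SSLF-VSGAuditPolicy.txt is in the current folder and must be run as Administrator.

```batch
@echo off
rem Added example: back up the current audit policy, load the SSLF baseline,
rem then disable the two high-volume subcategories. Not part of the guide.
rem Assumes SSLF-VSGAuditPolicy.txt sits in the current folder.
setlocal
set "SSLF=SSLF-VSGAuditPolicy.txt"
set "BACKUP=Backup-Default-AuditPolicy.txt"

if not exist "%SSLF%" (
    echo %SSLF% not found in %CD%
    exit /b 1
)

rem Keep the current policy so it can be put back later with
rem   auditpol /restore /file:%BACKUP%
if exist "%BACKUP%" (
    echo %BACKUP% already exists, keeping the old backup
) else (
    auditpol /backup /file:%BACKUP% || exit /b 1
)

rem Step 1: clear the current policy (/y skips the confirmation prompt)
auditpol /clear /y || exit /b 1

rem Step 2: load the SSLF baseline as shipped
auditpol /restore /file:%SSLF% || exit /b 1

rem Same result as editing the two template lines to "No Auditing,,0":
rem Process Creation (Success) and Sensitive Privilege Use (Success and
rem Failure) are switched off after the restore, so the file stays untouched.
auditpol /set /subcategory:"Process Creation" /success:disable /failure:disable
auditpol /set /subcategory:"Sensitive Privilege Use" /success:disable /failure:disable

rem Show the effective policy so the result can be checked by eye
auditpol /get /category:*
endlocal
```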
Services worth disabling
If you don't use any UPnP devices on your network or don't want to use the UPnP protocol, disable the following services:
Windows Media Player Network Sharing Service
UPnP Device Host
SSDP Discovery
The following services seem safe to disable on a standalone machine without IPv6 and Tablet input which doesn't use Offline Files:
Distributed Link Tracking Client
IP Helper
Offline Files
Tablet PC Input Service
Webclient
For performance reasons, you can consider disabling the following services:
Superfetch
Windows Search
The following two scripts can be used to disable and enable the above services. The scripts have to be run as Administrator.
services_disable.bat
services_enable.bat
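One way to write such a script, as an added example that is not the guide's own services_disable.bat or services_enable.bat: a single batch file that takes "disable" or "enable" as its argument and records each service's original start type before disabling it, so that "enable" restores the real value instead of guessing. The short service names are assumed to match the display names listed above (for example SysMain for Superfetch and CscService for Offline Files); run it from an Administrator prompt.

```batch
@echo off
rem Added example, not the guide's scripts. Usage (Administrator prompt):
rem   services.bat disable    or    services.bat enable
rem Short names assumed for the display names in the guide, e.g. SysMain = Superfetch.
setlocal enabledelayedexpansion
set "STATE=%~dp0services_state.txt"
set "UPNP=WMPNetworkSvc upnphost SSDPSRV"
set "MISC=TrkWks iphlpsvc CscService TabletInputService WebClient"
set "PERF=SysMain WSearch"

if /i "%~1"=="disable" goto :disable
if /i "%~1"=="enable"  goto :enable
echo usage: %~nx0 disable ^| enable
exit /b 1

:disable
rem Record each service's START_TYPE (2=auto, 2d=delayed auto, 3=manual,
rem 4=disabled) before touching it. Stop errors are ignored: the new start
rem type takes effect at the next reboot anyway.
if exist "%STATE%" del "%STATE%"
for %%S in (%UPNP% %MISC% %PERF%) do (
    set "TYPE="
    for /f "tokens=3,5" %%T in ('sc qc %%S ^| findstr /c:"START_TYPE"') do (
        set "TYPE=%%T"
        if "%%U"=="(DELAYED)" set "TYPE=2d"
    )
    if defined TYPE (
        >>"%STATE%" echo %%S=!TYPE!
        sc stop %%S >nul 2>&1
        sc config %%S start= disabled >nul && echo disabled %%S
    ) else (
        echo skipped %%S: not installed
    )
)
exit /b 0

:enable
if not exist "%STATE%" (
    echo %STATE% not found, run "%~nx0 disable" first
    exit /b 1
)
for /f "usebackq tokens=1,2 delims==" %%S in ("%STATE%") do (
    set "START="
    if "%%T"=="2"  set "START=auto"
    if "%%T"=="2d" set "START=delayed-auto"
    if "%%T"=="3"  set "START=demand"
    if "%%T"=="4"  set "START=disabled"
    if defined START sc config %%S start= !START! >nul && echo restored %%S to !START!
)
exit /b 0
```

The services are listed with dependents first (WMPNetworkSvc before upnphost, upnphost before SSDPSRV) so that the stop requests succeed in order.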
Vista built-in firewall
Vista offers an improved version of the built-in firewall found in Windows XP. This version allows you to filter not only inbound traffic but also outbound traffic. However, the interface for managing outbound traffic is far from perfect. Therefore, if you want to filter outbound traffic in daily use, you will need a commercial personal firewall. However, if you mainly need to filter inbound traffic, the built-in firewall is perfect for this.
You can review the following points when using the built-in firewall:
1. Verify the general policy (inbound and outbound filtering): Windows Firewall with Advanced Security -> Properties
Firewall state: On
Inbound connections: Block(default)
2. Verify the inbound rules. Use FILTER BY STATE: ENABLED to quickly check which rules are enabled and which profiles they apply to.
By default the CORE NETWORKING rules are enabled for all profiles. If you don't use IPv6, all rules regarding IPv6 (plus the TEREDO rule) can be disabled.
On an IPv4-only machine, it is enough to keep the following three CORE NETWORKING rules enabled:
DHCP-IN
Destination Unreachable, Fragmentation needed ICMP4-IN
IGMP-IN
If you enable FILE SHARING, 8 rules will be activated. However, if you don't need any local name resolution and want to use IP addresses for file sharing, a single firewall rule is enough for this purpose:
File and Printer Sharing (SMB-In)
You can apply this rule only to the PRIVATE profile, which should mark only 'trusted' networks. Remember that access to the port allowed by this rule (TCP 445) lets an unauthenticated user enumerate your OS version and its service pack level.
You can disable the REMOTE ASSISTANCE rules if you are not going to use them. Consider enabling the REMOTE DESKTOP rule (limited to the PRIVATE profile) if you are going to use this feature.
Group Policy options worth setting
Run Gpedit.msc to open the Local Machine GPO.
Computer Configuration\Administrative Templates\System\Remote Procedure Call
Restrictions for Unauthenticated RPC clients - Change to "Enabled & Authenticated"
RPC Endpoint Mapper Client Authentication - Change to "Enabled"
Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies
Turn off Autoplay - Change to "Enabled & All Drives"
Review system FEATURES
Under "Control Panel -> Programs and Features -> Turn Windows features on or off" verify which features are enabled. Disable the features you don't use.
Network hardening
In order to decrease the attack surface, review and disable unneeded network services and interfaces.
1. Disable NETBIOS
Control Panel -> Network and Sharing Center -> Manage network connections -> Properties of Network Interface
-> Properties of Internet Protocol Version 4 -> Advanced -> WINS tab -> Disable NETBIOS over TCP/IP
2. Disable IPv6 and LINK-LAYER Topology Discovery
Control Panel -> Network and Sharing Center -> Manage network connections -> Properties of Network Interface
Uncheck -> Internet Protocol Version 6
Uncheck -> Link Layer Topology Discovery Mapper I/O Driver
Uncheck -> Link Layer Topology Discovery Responder
3. Network Discovery
Disable Network Discovery for all profiles in
Control Panel -> Network and Sharing Center -> Network Discovery -> OFF
However, note the following from the article below:
http://blogs.technet.com/networking/archive/2008/04/01/how-to-benefit-from-link-local-multicast-name-resolution.aspx
"If Network Discovery is not enabled on a client, it will still send out an LLMNR request unless it has been disabled via group policy. To disable LLMNR via group policy, set the following group policy value: Group Policy = "Computer Configuration\Administrative Templates\Network\DNS Client\Turn off Multicast Name Resolution". (Enabled = Don't use LLMNR, Disabled = Use LLMNR)"
4. Disable Teredo and Isatap interfaces
In an Administrator command prompt, execute the following two commands:
netsh interface teredo set state disabled
netsh interface isatap set state disabled
If the above commands don't work (the interfaces are still visible in the output of "ipconfig /all"), use the following procedure:
- Click Start, then Control Panel
- Click on "System and Maintenance" link
- Click on "Device Manager"
- Click Continue on UAC prompt
- In device manager, click the "View" menu and select (tick) "Show hidden devices"
- Expand the "Network Adapters" tree
- Right click on "Teredo Tunneling Pseudo-Interface" and ISATAP interfaces, then select "Disable".
References:
http://technet.microsoft.com/en-us/library/cc722030.aspx
Some network and usage tips
1. If you are going to use Vista sharing to send a lot of big files (backups etc.), you will probably notice that the Vista share disappears while being heavily used. You can then find the following error message in the Event Log:
"The server was unable to allocate from the system nonpaged pool because the server reached the configured limit for nonpaged pool allocations"
In order to eliminate this behaviour, you need to create or change some keys in the Windows Registry.
Run REGEDIT.exe and create or change the following entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters
NEW DWORD (DECIMAL)
MaxWorkItems = 1024
MaxMpxCt = 255
Size = 3
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanworkstation\Parameters
MaxCmds = 255
References:
http://support.microsoft.com/kb/937082
2. "Run as different user"
If you used the above command on Windows XP, you will be pretty disappointed not to find it in the Vista context menu. However, you can easily add this functionality by installing the Sysinternals ShellRunas tool.
References:
http://technet.microsoft.com/en-us/sysinternals/cc300361.aspx
3. Internet Explorer 7 DEP protection
Consider enabling DEP protection for IE7.
References:
Update on Internet Explorer 7, DEP and Adobe Software
End
Alright. This is everything I wanted to write in this short article.
I've almost forgotten about UAC. I hope the following program can convince you how helpful this mechanism is:
UAC-What-How-Why
Additionally, if you want to listen to one of the best Microsoft experts, you should definitely watch the next two programs:
- Mark-Russinovich-From-Winternals-to-Microsoft-On-Windows-Security-Windows-CoreArch
- Mark-Russinovich-On-Working-at-Microsoft-Windows-Server-2008-Kernel-MinWin-vs-ServerCore-HyperV
I hope you enjoyed the article. If you have any comments, let me know please.
Best regards
Rafal Rajs