
Windows Server 2012 Hardening (Part II)

Using the Security Configuration and Analysis

Microsoft provides security templates for Windows Server and client operating systems, containing security configuration designed for different scenarios and server roles. There are some security templates that are part of the operating system and get applied during different operations, such as when promoting a server to a domain controller.

In Windows Server 2008 and later versions, security templates are located in %systemroot%\inf and are more limited than in Windows Server 2003. Templates include:

  • Defltbase.inf (baseline)
  • Defltsv.inf (web/file/print servers)
  • DCfirst.inf (for the first domain controller in a domain)
  • Defltdc.inf (other domain controllers)

Basically, repeat the procedures already explained for Windows 7 with the same two tools, but instead of loading the .inf from the STIG, load one of the security templates shipped with Windows Server 2012.

Analyze the baseline template with the Policy Analyzer

Add the baseline template

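As an added example (not from the original post), the same analysis the Security Configuration and Analysis snap-in performs can be driven from PowerShell with secedit.exe against one of the built-in templates. The script assumes an elevated prompt and that secedit reports differences as log lines beginning with "Mismatch - " or "Not Configured - "; treat that log pattern as an assumption.

```powershell
# Added example, not from the original post: analyze the local machine against one
# of the templates in %systemroot%\inf with secedit.exe (the command-line engine
# behind the Security Configuration and Analysis snap-in) and summarize the log.
# Assumptions: elevated prompt; secedit lists differences as log lines that start
# with "Mismatch - " or "Not Configured - " under "----Analyze <area>..." headers
# (the two regexes below encode that assumption).
param(
    [ValidateSet('Defltbase.inf', 'Defltsv.inf', 'DCfirst.inf', 'Defltdc.inf')]
    [string]$Template = 'Defltbase.inf'
)

$inf  = Join-Path $env:SystemRoot "inf\$Template"
$work = Join-Path $env:TEMP 'sca-analysis'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$db   = Join-Path $work 'analysis.sdb'
$log  = Join-Path $work 'analysis.log'

if (-not (Test-Path $inf)) { throw "Template not found: $inf" }
# secedit appends to an existing log, so start from a clean one
Remove-Item -Path $log -ErrorAction SilentlyContinue

# Equivalent of "Analyze Computer Now": load the template into a fresh database,
# compare it with the live settings and write the differences to the log.
& secedit.exe /analyze /db $db /cfg $inf /overwrite /log $log /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /analyze failed (exit code $LASTEXITCODE)" }

# Walk the log: "----Analyze <area>..." headers name the area being checked,
# and each differing setting is listed under it.
$area = 'unknown'
$findings = foreach ($line in (Get-Content -Path $log)) {
    if ($line -match '^----Analyze (.+?)\.+\s*$') { $area = $Matches[1]; continue }
    if ($line -match '^\s*(Mismatch|Not Configured)\s*-\s*(.+?)\.?\s*$') {
        [pscustomobject]@{ Area = $area; Status = $Matches[1]; Setting = $Matches[2] }
    }
}

$findings | Sort-Object Area, Setting | Format-Table -AutoSize
'{0} setting(s) differ from {1}; open {2} in the snap-in to see the details' -f @($findings).Count, $Template, $db
```
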

Windows Server 2012 Hardening (Part I)

Servers are the penultimate layer of security between potential threats and your organization’s data. Therefore, applying proper security policies specifically for each server profile is both important and necessary.

Common sense recommendations are to "stop all unnecessary services" or "turn off unused features". Fortunately, every new version of Windows Server is built to be more secure by default. That said, it is common to have several different roles assigned to a single server, as well as multiple sets of file servers, web servers, database servers, etc. So, how can we guarantee that each of these servers, with their different characteristics, is configured in compliance with the best security practices?

Using the Security Compliance Manager

Using SCM in Windows Server is basically the same as using it on a workstation. The major difference is related to what you can do with your GPOs once you are done.

You cannot install SCM 4 on Windows Server 2012 just like that; you’ll probably get a warning from the Program Compatibility Assistant. This is a known issue when installing SQL Server 2008 Express, even on supported OSes.

Besides, Windows Server is not on the list of SCM 4 supported OSes…

To overcome this, install a newer version of SQL Server, like SQL Server 2014 Express, before installing SCM and everything will go smoothly.

The procedure will be exactly the same as what we did for Windows 10, but now we are going to take some extra steps.

GPEdit vs SecPol

Many users have questions regarding the difference between the Local Group Policy Editor (gpedit.msc) and the Local Security Policy (secpol.msc), but there is nothing mysterious about these two tools.

Both are used for administering system and security policies on your computer. The difference between the two is most visible in the scope of policies which those tools can edit.

To start explaining the difference, we can say that the secpol.msc is a subcategory of gpedit.msc.

  • Gpedit.msc is the file name of the Group Policy Editor console, mostly a graphical user interface for editing registry entries. Editing those entries by hand is not easy because they are located in many places throughout the registry, but this tool makes their administration easier.
  • Secpol.msc is another Windows module that is also used for administration of system settings. The Local Security Policy is the little brother of the Group Policy Editor, used to administer a subgroup of what you can administer using gpedit.msc.

While group policies apply to your computer and users in your domain universally and are often set by your domain administrator from a central location, local security policies, as the name suggests, are relevant to your particular local machine only.

You can see that when opening the Group Policy Editor (gpedit.msc), you get to see more than when opening the Local Security Policy Editor (secpol.msc), and that is the major difference.

  • The gpedit.msc is broader.
  • The secpol.msc is narrower and focuses more on security related registry entries.

Windows 10 Hardening (Part II)

Using the Security Compliance Manager

SCM 4.0 provides ready-to-deploy policies based on Microsoft Security Guide recommendations and industry best practices, allowing you to easily manage configuration drift, and address compliance requirements for Windows operating systems and Microsoft applications.

Update baselines

Windows 10 Hardening (Part I)

Using the STIG templates

Just like in previous versions of Windows, some of the requirements in the Windows 10 STIG depend on the use of additional group policy administrative templates that are not included with Windows by default. The new administrative template files (.admx and .adml file types) must be copied to the appropriate location in the Windows directory to make the settings they provide visible in group policy tools.

This includes settings under MS Security Guide, MSS (Legacy), and the Enhanced Mitigation Experience Toolkit (EMET) tool. The MSS settings have previously been made available through an update of the Windows security options file (sceregvl.inf). This required a change in permissions to that file, which is typically controlled by the system. A custom template was developed to avoid this.

The custom template files (MSS-Legacy and SecGuide) are provided in the Templates directory of the STIG package. The EMET administrative template files are located in the tool’s installation directory, typically “\Program Files (x86)\EMET x.x\Deployment\Group Policy Files\”.

The .admx files must be copied to the \Windows\PolicyDefinitions\ directory. The .adml files must be copied to the \Windows\PolicyDefinitions\en-US\ directory.
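To make the copy step repeatable, here is an added example (not part of the STIG package or the original post) that deploys the .admx/.adml files and then checks that every .admx in PolicyDefinitions has a matching en-US .adml. $StigTemplates and $EmetTemplates are assumed parameter names pointing at the directories described above.

```powershell
# Added example, not from the STIG package or the original post: copy the custom
# administrative templates into the central PolicyDefinitions folder and verify
# that every .admx has its en-US .adml.
# Assumptions: elevated prompt; $StigTemplates is the "Templates" directory of the
# unpacked STIG package; $EmetTemplates (optional) is EMET's "Group Policy Files"
# directory quoted above, which only exists where EMET is installed.
param(
    [Parameter(Mandatory)] [string]$StigTemplates,
    [string]$EmetTemplates
)

$policyDefs = Join-Path $env:SystemRoot 'PolicyDefinitions'
$langDir    = Join-Path $policyDefs 'en-US'

function Install-AdminTemplates {
    param([string]$Source, [string]$Label)
    if (-not (Test-Path $Source)) { Write-Warning "$Label templates not found at $Source"; return }
    # .admx files define the settings, .adml files carry their display strings
    Get-ChildItem -Path $Source -Recurse -Filter *.admx |
        Copy-Item -Destination $policyDefs -Force -Verbose
    Get-ChildItem -Path $Source -Recurse -Filter *.adml |
        Copy-Item -Destination $langDir -Force -Verbose
}

Install-AdminTemplates -Source $StigTemplates -Label 'STIG (MSS-Legacy, SecGuide)'
if ($EmetTemplates) { Install-AdminTemplates -Source $EmetTemplates -Label 'EMET' }

# gpedit.msc reports a missing-resource error for an .admx whose .adml is absent,
# so check the pairing after copying.
$missing = Get-ChildItem -Path $policyDefs -Filter *.admx | Where-Object {
    -not (Test-Path (Join-Path $langDir ($_.BaseName + '.adml')))
}
if ($missing) {
    Write-Warning ('ADMX files without an en-US ADML: ' + ($missing.Name -join ', '))
} else {
    "All .admx files in $policyDefs have a matching en-US .adml"
}
```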

NOTE: EMET’s end of life date is being extended until July 31, 2018, and at this time there are no plans to offer support or security patching for EMET after that date. For improved security, everyone should migrate to the latest version of Windows 10. EMET 5.5 is compatible with current versions of Windows 10 but, according to this article, it won’t be compatible with future versions of the latest Microsoft OS.

Before the installation of the STIG templates, Windows 10 Enterprise has:

  • 2283 Computer configuration settings
  • 1731 User configuration settings

Linux Hardening with OpenSCAP

The OpenSCAP project is a collection of open source tools for implementing and enforcing the SCAP standard, and was awarded the SCAP 1.2 certification by NIST in 2014. The project provides tools that are free to use anywhere you like, for any purpose.

The OpenSCAP basic tools are:

  • OpenSCAP Base
    • Provides a command line tool which enables various SCAP capabilities such as displaying the information about specific security content, vulnerability and configuration scanning, or converting between different SCAP formats.
  • SCAP Workbench
    • User friendly graphical utility offering an easy way to tailor SCAP content to your needs, perform local or remote scans, and export results.

Linux Hardening with OpenVAS

The Open Vulnerability Assessment System (OpenVAS) is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and management solution.

The security scanner is accompanied by a regularly updated feed of Network Vulnerability Tests (NVTs), over 51,000 in total (as of February 2017).

OpenVAS Features

The OpenVAS security suite consists of three parts:

  • OpenVAS Scanner
    • The actual scanner that executes the real-time vulnerability tests;
    • It can handle more than one target host at a time;
    • Uses the OpenVAS Transfer Protocol (OTP);
    • OTP supports SSL.
  • OpenVAS Manager
    • Handles the SQL database where all scanning results and configurations are stored;
    • Controls the scanner via OTP and offers the XML-based OpenVAS Management Protocol (OMP);
    • It can stop, pause or resume scanning operations;
    • Makes user management possible, including group-level management and access control management.
  • OpenVAS CLI
    • Command line tool acting as a client for OMP.

Linux Hardening with Lynis

Lynis is a powerful open source auditing tool for Unix/Linux-like operating systems. It scans the system for security information, general system information, installed software information, configuration mistakes, security issues, user accounts without a password, wrong file permissions, firewall auditing, etc.

Lynis is also one of the most trusted automated auditing tools for software patch management, malware scanning and vulnerability detection in Unix/Linux based systems. This tool is useful for auditors, network and system administrators, security specialists and penetration testers.

Installing Lynis in Ubuntu

This application doesn’t require any installation; it can be used directly from any directory. So, it’s a good idea to create a custom directory for Lynis:

sudo mkdir /usr/local/lynis

Download the stable version of Lynis from the website and unpack it:

cd /usr/local/lynis

sudo wget https://cisofy.com/files/lynis-2.4.0.tar.gz

sudo tar xzf lynis-2.4.0.tar.gz

Linux Hardening with Tiger

Tiger is a security tool that can be used both as a security audit and as an IDS. It supports multiple UNIX platforms and it is free and provided under a GPL license.

Check all the details on the official website.

Installing Tiger in Ubuntu

Install the application by running the command:

sudo apt-get install tiger

Windows 7 Hardening (Part II)

Enhanced Mitigation Experience Toolkit

EMET is a free tool built to offer additional security defenses against vulnerable third party applications and assorted vulnerabilities. EMET helps prevent vulnerabilities in software from being successfully exploited by using security mitigation technologies. These technologies function as special protections and obstacles that an exploit author must defeat to exploit software vulnerabilities. These security mitigation technologies work to make exploitation as difficult as possible to perform but do not guarantee that vulnerabilities cannot be exploited.

Download the tool here and the User’s guide here.

Windows 7 Hardening (Part I)

Using Microsoft Baseline Security Analyzer

Download MBSA 2.3. Install it and start a default scan on your Windows machine:

Typical results:

  • Analyze the report and the proposed solutions.
  • Enable the IIS Windows feature.
  • Repeat the MBSA scan.
  • Analyze the new report and compare it with the previous one.

System Hardening

System hardening refers to providing various means of protection in a computer system, eliminating as many security risks as possible. This is usually done by removing all non-essential software programs and utilities from the computer. While these programs may offer useful features to the user, they might provide "back-door" access to the system and thus must be removed to improve system security.

Extended system protection should be provided at various levels and is often referred to as defense in depth. Protecting in levels means to protect at the host layer, the application layer, the operating system layer, the data layer, the physical layer and all the sub layers in between. Each one of these layers requires a unique method of security.

Security Content Automation Protocol

SCAP is a method for using commonly accepted standards to enable automated vulnerability management and security policy compliance metrics. It started as a collection of specifications originally created by the US government which are now an industry standard.

It was developed through the cooperation and collaboration of public and private sector organizations, including government, industry and academia, but the standard is still maintained by the US National Institute of Standards and Technology.

Benefits of SCAP

Automated tools that use SCAP specifications make it easier to continuously verify the security compliance status of a wide variety of IT systems. The use of standardized, automated methods for system security management can help organizations operate more effectively in complex, interconnected environments and realize cost savings.

SCAP Components

  • CVE - Common Vulnerabilities and Exposures
    • Catalog of known security threats
  • CCE - Common Configuration Enumeration
    • List of “identifiers” and entries relating to security system configuration issues
    • Common identification enables correlation
  • CPE - Common Platform Enumeration
    • Structured naming scheme to describe systems, platforms, software
  • CVSS - Common Vulnerability Scoring System
    • Framework to describe the characteristics and impacts of IT vulnerabilities.
  • XCCDF - eXtensible Configuration Checklist Description Format
    • Security checklists, benchmarks and configuration documentation in XML format.
  • OVAL - Open Vulnerability and Assessment Language
    • Common language for assessing the status of a vulnerability
  • OCIL - Open Checklist Interactive Language
    • Common language to express questions to be presented to a user and interpret responses
  • Asset Identification
    • This specification describes the purpose of asset identification, a data model and methods for identifying assets, and guidance on how to use asset identification.
  • ARF - Asset Reporting Format
    • Data model to express the transport format of information about assets, and the relationships between assets and reports.
  • CCSS - Common Configuration Scoring System
    • Set of measures of the severity of software security configuration issues
  • TMSAD - Trust Model for Security Automation Data
    • Common trust model that can be applied to specifications within the security automation domain.

Security Baselines

US Government Configuration Baseline

The purpose of the USGCB initiative is to create security configuration baselines for Information Technology products widely deployed across the federal agencies.

The USGCB is a Federal government-wide initiative that provides guidance to agencies on what should be done to improve and maintain effective configuration settings, focusing primarily on security.

IT-Grundschutz

The aim of IT-Grundschutz is to achieve an appropriate security level for all types of information of an organization. IT-Grundschutz uses a holistic approach to this process.

Through proper application of well-proven technical, organizational, personnel, and infrastructural safeguards, a security level is reached that is suitable and adequate to protect business-related information having normal protection requirements. In many areas, IT-Grundschutz even provides advice for IT systems and applications requiring a high level of protection.

There are also the IT-Grundschutz Catalogues where you will find modules, threats and safeguards.

CERN Mandatory Security Baselines

The Security Baselines define a set of basic security objectives which must be met by any given service or system.

The objectives are chosen to be pragmatic and complete, and do not impose technical means.

Therefore, details on how these security objectives are fulfilled by a particular service/system must be documented in a separate "Security Implementation Document".

Microsoft Security Baselines

A security baseline is a collection of settings that have a security impact and include Microsoft’s recommended value for configuring those settings along with guidance on the security impact of those settings.

These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.

Cisco Network Security Baseline

Developing and deploying a security baseline can be challenging due to the vast range of features available.

The Network Security Baseline is designed to assist in this endeavor by outlining those key security elements that should be addressed in the first phase of implementing defense-in-depth.

The main focus of the Network Security Baseline is to secure the network infrastructure itself: the control and management planes.

Security Standards

These are common industry-accepted standards that include specific weakness-correcting guidelines. The main ones are published by the following organizations:

Center for Internet Security

CIS Benchmarks are recommended technical settings for operating systems, middleware and software applications, and network devices. They are developed in a unique consensus-based process comprising hundreds of security professionals worldwide and serve as de facto, best-practice configuration standards.

International Organization for Standardization

ISO/IEC 27002:2013 gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization's information security risk environment(s).

National Institute of Standards and Technology

The National Checklist Program (NCP), defined by NIST SP 800-70 Rev. 3, is the U.S. government repository of publicly available security checklists (or benchmarks) that provide detailed low level guidance on setting the security configuration of operating systems and applications. NCP is migrating its repository of checklists to conform to SCAP, thus allowing standards-based security tools to automatically perform configuration checking using NCP checklists.

Defense Information Systems Agency

The Security Technical Implementation Guides (STIGs) and the NSA Guides are the configuration standards for DoD Information Assurance (IA) and IA-enabled devices/systems. The STIGs contain technical guidance to "lock down" information systems/software that might otherwise be vulnerable to a malicious computer attack.

Bundesamt für Sicherheit in der Informationstechnik

The BSI Standards contain recommendations on methods, processes, procedures, approaches and measures relating to information security.

Compliance Requirements

Any organization managing payments, handling private customer data, or operating in markets controlled by security regulations needs to demonstrate security compliance to avoid penalties and meet customer expectations. These are some of the major compliance requirements:

Payment Card Industry Data Security Standard

The PCI DSS is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. It was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with a focus on improving payment account security throughout the transaction process.

Health Insurance Portability and Accountability Act

The HIPAA Privacy Rule, also called the Standards for Privacy of Individually Identifiable Health Information, essentially defines how healthcare provider entities use individually-identifiable health information or the PHI (Personal Health Information).

Information Technology Infrastructure Library

ITIL compliance guidelines include categories such as change management, security architecture and help desk systems. Companies can then find ways to accomplish ITIL compliance by using the appropriate systems and strategies.

Control Objectives for Information and Related Technology

COBIT is a framework created for IT governance and management. It is meant to be a supportive tool for managers and allows bridging the crucial gap between technical issues, business risks and control requirements.

National Institute of Standards and Technology

NIST is responsible for developing cybersecurity standards, guidelines, tests, and metrics for the protection of federal information systems. While developed for federal agency use, these resources are voluntarily adopted by other organizations because they are effective and accepted globally.