Hardening XP (yes...XP)/ping EncryptedBytes

Discussion in 'privacy problems' started by bolts, Apr 4, 2013.

Thread Status:
Not open for further replies.
  1. bolts

    bolts Registered Member

    Joined:
    Apr 3, 2013
    Posts:
    7
    Location:
    USA
    @EncryptedBytes...if you're reading this and have a good "short list" for hardening XP (not to NSA requirements, but enough to stop malware from spreading, and bots from using it), that would be appreciated. I saw your posts in the "Security Hardening Windows 7 64 bit install" thread, but I couldn't post to that one because of the age, and PM isn't working for me now/yet.

    I'm the lone IT guy at a medium sized business, and I'd like to tighten up security a bit.
    I'm not familiar with hardening systems, but I'm trying to learn. I've also become very interested in network monitoring, after years of our network getting slower and slower...I'm convinced we're compromised/infected to the eyeballs, but I don't have the skills to prove it to the owners, so they won't spend the money to have somebody come in for remediation. I installed Security Onion, but since I don't know what I'm looking at...it all looks like threats. I took Richard Bejtlich's "TCP/IP Weapons School" class, only to come away from it realizing that I knew even less than I thought I did. I'm trying to get some books read on "Windows Desktop and Server Hardening", "Hacking Exposed" and "Practical Packet Analysis", but that will take some time to sink in.

    We're forced to stay with XP for now, because the ERP we currently run won't do Windows 7, but we did just upgrade all of our servers to MS Server 2012 AND virtualized them all. However, our ERP server is a direct P2V of MS Server 2003 running MS SQL Server 2000. Nothing is hardened, and all we have is a Cisco firewall and a Barracuda spam filter.

    I've downloaded every free tool that Mandiant and HBGary have to offer, but again...I don't have the skills to decipher what "Redline" or anything else displays on the screen for me.

    I'd like to start chipping away at this problem, but I'm not sure where to start. If we're really infected with malware that is using our network, will hardening workstations one at a time help, or do I need to get a hardened image ready for all workstations and roll it out all at once? And the servers, I guess they will all need to be remediated and hardened at the same time? I've been looking at different imaging deployment software (FOG Server, Microsoft's WDS, etc.); any preferences?

    Are there any Network Security related groups in the MD/PA/WV (more towards Western MD)? I see ISSA.org has a Baltimore and Blue Ridge chapter, but are there any other organizations? Are there any former "NSA" types or similar individuals in my area that would offer some sort of private training/mentoring for network monitoring, or is SANS the best way to go?
     
  2. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    Hello Bolts, I appear to have missed this post. Let me address where I can to offer advice.

    I have a comprehensive list of controls to implement on Windows XP which I can send you; however, it is ~130 pages (not really lite =/). Let me know. I would advise that any experimentation is performed on development equipment. Hardening lowers the attack surface, though it can at times interfere with resources that key business software needs to run. My advice: clone the environment you wish to harden and experiment on that equipment. This way you can identify what needs to be available in the environment so as not to cause downtime and service disruption. If you have a dev environment already established, great!

    *Hardening should happen at all levels, from the network switches, routers, to the IDS solutions, to the systems and applications ideally.

    Network Security is an art in and of itself. Unfortunately I can only offer high level advice here due to limited knowledge of the topography of your network (Don’t post it here!). Most tools out there provide logs and alerts which would need to be tailored to each site's unique needs. In terms of network monitoring as a start, I would attempt to establish a baseline of what constitutes normal traffic during operational hours and create and modify rulesets to catch any deviations from that baseline. Are you just monitoring inbound/outbound, or are you also attempting to monitor employee web traffic as well? The largest threat to the network, other than misconfiguration, is your employees.

    Hardening would be a good start, also establishing a patch process to make sure your organization is keeping up with vendor and system patches in a reasonable time frame. I would create a clean image if possible and work off that and deploy. Now refer to my first paragraph and make sure to test, test again, and then test some more before rolling out.

    ISSA is good, InfraGard also has local chapters in the area. I would look at sites similar to here https://www.novainfosec.com/events/nova-meetups/ to help keep track of cons and meetups (Shmoocon was a good event that occurred back in February around DC).
     
    Last edited: Apr 28, 2013
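The "establish a baseline, then catch deviations" approach described in the reply above, worked through as an added example that is not part of the thread or of any Security Onion tooling. It assumes a simplified, constructed Bro-style conn.log layout (tab-separated: timestamp, originating host and port, responding host and port, protocol); the hosts, addresses, windows and thresholds are all made up for the demonstration, and the two windows are assumed to cover equal lengths of business-hours time so that connection counts are comparable.

```python
"""Baseline outbound connections per internal host, then flag deviations.

Added example (not from the thread). Input is a simplified, constructed
conn.log-like layout:  ts \t orig_h \t orig_p \t resp_h \t resp_p \t proto
"""
from collections import defaultdict

# Constructed "learning" window: one normal business hour, two workstations
# talking to the ERP database, the internal DNS server and a web site.
BASELINE_LOG = "\n".join([
    "1364990400\t10.0.1.15\t49152\t10.0.0.5\t1433\ttcp",
    "1364990460\t10.0.1.15\t49153\t10.0.0.5\t1433\ttcp",
    "1364990520\t10.0.1.15\t49154\t10.0.0.2\t53\tudp",
    "1364990580\t10.0.1.15\t49155\t203.0.113.10\t443\ttcp",
    "1364990640\t10.0.1.16\t49152\t10.0.0.5\t1433\ttcp",
    "1364990700\t10.0.1.16\t49153\t10.0.0.2\t53\tudp",
    "1364990760\t10.0.1.16\t49154\t203.0.113.10\t80\ttcp",
])

# Constructed window from the next day, same length, with three deviations.
OBSERVED_LOG = "\n".join([
    "1365076800\t10.0.1.15\t49152\t10.0.0.5\t1433\ttcp",
    "1365076801\t10.0.1.15\t49153\t10.0.0.2\t53\tudp",
    "1365076802\t10.0.1.15\t49154\t198.51.100.7\t6667\ttcp",  # port never seen for this host
    "1365076803\t10.0.1.16\t49152\t10.0.0.5\t1433\ttcp",
    "1365076804\t10.0.1.16\t49153\t10.0.0.2\t53\tudp",
    "1365076805\t10.0.1.77\t49152\t203.0.113.10\t443\ttcp",  # host absent from the baseline
] + [
    # sudden fan-out from 10.0.1.16 to twenty neighbours on 445/tcp
    f"{1365076810 + i}\t10.0.1.16\t{50000 + i}\t10.0.1.{100 + i}\t445\ttcp"
    for i in range(20)
])


def parse_conn_log(text):
    """Parse the tab-separated lines into dicts; blank and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto = line.split("\t")
        records.append({"ts": int(ts), "src": src, "sport": int(sport),
                        "dst": dst, "dport": int(dport), "proto": proto})
    return records


def build_baseline(records):
    """Per internal host: the (dport, proto) pairs seen and the connection count."""
    baseline = {}
    for r in records:
        entry = baseline.setdefault(r["src"], {"services": set(), "count": 0})
        entry["services"].add((r["dport"], r["proto"]))
        entry["count"] += 1
    return baseline


def detect_deviations(baseline, records, volume_factor=3, min_volume=10):
    """Compare a new window of the same length against the baseline.

    Flags: a host never seen before, a destination port/protocol a known host
    never used, and a host whose connection count jumps well above its norm.
    """
    counts = defaultdict(int)
    findings = set()
    for r in records:
        counts[r["src"]] += 1
        entry = baseline.get(r["src"])
        if entry is None:
            findings.add((r["src"], "host not in baseline"))
            continue
        svc = (r["dport"], r["proto"])
        if svc not in entry["services"]:
            findings.add((r["src"], f"new destination port {svc[0]}/{svc[1]}"))
    for host, n in counts.items():
        entry = baseline.get(host)
        if entry and n >= min_volume and n > volume_factor * entry["count"]:
            findings.add((host, f"connection volume {n} vs baseline {entry['count']}"))
    return sorted(findings)


def run_example():
    """Build the baseline from the first window and audit the second."""
    baseline = build_baseline(parse_conn_log(BASELINE_LOG))
    return detect_deviations(baseline, parse_conn_log(OBSERVED_LOG))


if __name__ == "__main__":
    for host, reason in run_example():
        print(f"{host}: {reason}")
```

The point of the design is that every finding names the specific expectation that was violated, so the person reviewing it can decide whether the baseline was incomplete (a legitimate new service) or the host really changed behaviour. On a real network the baseline would be built from days of traffic, not one hour, and re-learned as the environment changes.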
  3. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    Bolts, I decided to brew a pot of coffee and trim the guide down. Though you may need a pot of coffee when going through this.:D

    The following is from the public unclassified Mar 2013 Windows XP Security Guide. The requirements in scope were developed from United States Federal and DoD consensus, as well as the Windows XP Security Guide and security templates published by Microsoft Corporation.

    As with my other thread, my little disclaimer "I will be throwing a lot at you, you do not have to enable all these recommendations, and you can also opt to enable none as they are to give you general guidance and disabling some options could hinder your day to day use. "

    Control Title: Systems must be at supported service pack (SP) or release levels.

    Systems at unsupported service packs or releases will not receive security updates for new vulnerabilities, which leaves them subject to exploitation. Systems must be maintained at a service pack level supported by the vendor with new security updates.

    Solution: Update the system to a supported service pack.

    Application of new service packs should be thoroughly tested before deploying in a production environment.

    Control Title: ACLs for system files and directories do not conform to minimum requirements.

    Failure to properly configure ACL file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and installed applications.

    Solution: Maintain the default file ACLs, configure the Security Option: “Network access: Let everyone permissions apply to anonymous users” to “Disabled” and restrict the Power Users group to include no members. Configure permissions on the following so that only Administrators and System have Full (no other permissions assigned to other accounts or groups).

    \regedit.exe
    \System32\arp.exe
    \System32\at.exe
    \System32\attrib.exe
    \System32\cacls.exe
    \System32\debug.exe
    \System32\edlin.exe
    \System32\eventcreate.exe
    \System32\eventtriggers.exe
    \System32\ftp.exe
    \System32\nbtstat.exe
    \System32\net.exe
    \System32\net1.exe
    \System32\netsh.exe
    \System32\netstat.exe
    \System32\nslookup.exe
    \System32\ntbackup.exe
    \System32\rcp.exe
    \System32\reg.exe
    \System32\regedt32.exe
    \System32\regini.exe
    \System32\regsvr32.exe
    \System32\rexec.exe
    \System32\route.exe
    \System32\rsh.exe
    \System32\sc.exe
    \System32\secedit.exe
    \System32\subst.exe
    \System32\Systeminfo.exe
    \System32\telnet.exe
    \System32\tftp.exe
    \System32\tlntsvr.exe

    \System32\mshta.exe will have Users – Read and Execute in addition to the permissions above.

    Control Title: File-auditing configuration does not meet minimum requirements.

    Improper modification of the core system files can render a system inoperable. Further, modifications to these system files can have a significant impact on the security configuration of the system. Auditing of significant modifications made to the system files provides a method of determining the responsible party.

    Solution: Configure auditing on each partition/drive to audit all "Failures" for the "Everyone" group.

    Control Title: The system is not configured to make the object creator the owner of objects created by administrators.

    Either the object creator or the Administrators group owns objects created by members of the Administrators group. In order to ensure accurate auditing and proper accountability, the default owner should be the object creator.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “System objects: Default owner for object created by members of the Administrators group” to “Object creator”.

    Control Title: Remove Software Certificate Installation Files

    This check verifies that software certificate installation files have been removed from a system.

    Solution: Remove any certificate installation files found on a system.

    Note: This does not apply to server-based applications that have a requirement for .p12 certificate files (e.g., Oracle Wallet Manager).

    Control Title: Disallow AutoPlay/Autorun from Autorun.inf

    This registry key will prevent the autorun.inf from executing commands.

    Solution: The guide omitted this part. I am instead posting this to help viewers http://support.microsoft.com/kb/967715

    Control Title: POSIX subsystem registry key exists.

    For the system to comply with Security requirements, the POSIX subsystem must be disabled.

    Solution: Remove the following Registry value from the Windows Registry:

    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Subsystems\Posix

    Control Title: System pagefile is cleared upon shutdown.

    This check verifies that Windows is not configured to wipe clean the system page file during a controlled system shutdown.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Shutdown: Clear virtual memory pagefile” to “Disabled”.

    Control Title: Secure Removable Media CD-ROM

    This check verifies that Windows is configured to not limit access to CD drives when a user is logged on locally per the FDCC.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Devices: Restrict CD-ROM access to locally logged-on user only” to “Disabled”.

    Control Title: Floppy media devices are not allocated upon user logon.

    This check verifies that Windows is configured to not limit access to floppy drives when a user is logged on locally per the FDCC.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Devices: Restrict floppy access to locally logged-on user only” to “Disabled”.

    Control Title: The system allows shutdown from the logon dialog box.

    Preventing display of the shutdown button in the logon dialog box may encourage a hard shut down with the power button. (However, displaying the shutdown button may allow individuals to shut down a system anonymously.)

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Shutdown: Allow system to be shutdown without having to log on” to “Enabled”.

    Control Title: The required legal notice must be configured to display before console logon.

    Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources.

    Solution: Consult with your organization's lawyers to determine whether or not this control applies to your environment and policy -EB

    Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Interactive Logon: Message text for users attempting to log on” as outlined in the check.

    Control Title: Caching of logon credentials is not limited.

    The default Windows configuration caches the last logon credentials for users who log on interactively to a system. This feature is provided for system availability reasons, such as when the user’s machine is disconnected from the network or domain controllers are not available. Even though the credential cache is well-protected, storing encrypted copies of users' passwords on systems that do not always have the same physical protection required for domain controllers is a risk. If a system is attacked, the unauthorized individual may isolate the password to a domain user account using a password-cracking program, and gain access to the domain.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Interactive Logon: Number of previous logons to cache (in case Domain Controller is not available)” to “2” logons or less.

    Control Title: Anonymous shares are not restricted.

    This is a Category 1 finding because it allows anonymous logon users (null session connections) to list all account names and enumerate all shared resources, thus providing a map of potential points to attack the system.

    By default, Windows allows anonymous users to list account names and enumerate share names. In a mixed Windows environment this setting may cause systems with down-level operating systems to fail to authenticate, may prevent their users from changing their passwords, and may cause problems with managing printers and spools.

    Solution: Configure the policy values for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Network access: Do not allow anonymous enumeration of SAM accounts” and “Network access: Do not allow anonymous enumeration of SAM accounts and shares” to “Enabled".

    Control Title: The option to prevent the password in dial-up networking from being saved is not enabled.

    The default Windows configuration enables the option to save the password used to gain access to a remote server using the dial-up networking feature. With this option enabled, an unauthorized user who gains access to a Windows machine would also have access to remote servers with which the machine uses dial-up networking to communicate. Disabling this option will introduce another layer of security and help limit the scope of any security compromise to the local machine.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “MSS: (DisableSavePassword) Prevent the dial-up password from being saved (recommended)” to “Enabled”.

    Control Title: The built-in Microsoft password filter is not enabled.

    The use of complex passwords increases their strength against guessing. This policy setting configures the system to verify that newly-created passwords conform to the Windows password complexity policy.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy -> “Password must meet complexity requirements” to "Enabled".

    Control Title: Print driver installation privilege is not restricted to administrators.

    By default, the print spooler allows any user to add and to delete printer drivers on the local system. This capability should be restricted to authorized personnel.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Devices: Prevent users from installing printer drivers” to “Enabled”.

    Control Title: The Send download LanMan compatible password option is not set to Send NTLMv2 response only\refuse LM.

    The Kerberos v5 authentication protocol is the default for authentication of users who are logging on to domain accounts. NTLM is retained in later Windows versions for compatibility with clients and servers that are running earlier versions of Windows. It is also used to authenticate logons to stand-alone computers that are running later versions. Setting this to the required setting may prevent authentication with older Operating Systems and break some applications.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Network security: LAN Manager authentication level” to at least “Send NTLMv2 response only\refuse LM”.

    Control Title: Ctrl+Alt+Del security attention sequence is Disabled.

    Disabling the Ctrl+Alt+Del security attention sequence can compromise system security. Because only Windows responds to the Ctrl+Alt+Del security sequence, you can be assured that any passwords you enter following that sequence are sent only to Windows. If you eliminate the sequence requirement, malicious programs can request and receive your Windows password. Disabling this sequence also suppresses a custom logon banner.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Interactive Logon: Do not require CTRL ALT DEL” to “Disabled”.

    Control Title: Unencrypted password is sent to 3rd party SMB Server.

    Some non-Microsoft SMB servers only support unencrypted (plain text) password authentication. Sending plain text passwords across the network, when authenticating to an SMB server, reduces the overall security of the environment. Check with the Vendor of the SMB server to see if there is a way to support encrypted password authentication.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Microsoft Network Client: Send unencrypted password to connect to third-party SMB servers” to “Disabled”.

    Control Title: Administrator automatic logon is enabled.

    This is a category 1 finding because it will directly log on to the system with administrator privileges when the machine is rebooted. This would give full access to any unauthorized individual who reboots the computer.

    By default this setting is not enabled. If this setting exists, it should be disabled. If this capability exists, the password may also be present in the registry, and must be removed.


    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)” to “Disabled”.

    Control Title: Outgoing secure channel traffic is not signed when possible.

    Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity checked. If this policy is enabled, all outgoing secure channel traffic should be signed. If the value for “Domain Member: Digitally encrypt or sign secure channel data (always)” is set to “Enabled”, then this would not be a finding.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Domain Member: Digitally sign secure channel data (when possible)” to “Enabled”.

    Control Title: The computer account password is prevented from being reset.

    As a part of Windows security, computer account passwords are changed automatically. Enabling this policy to disable automatic password changes can make the system more vulnerable to malicious access. Frequent password changes can be a significant safeguard for your system. If this policy is disabled, a new password for the computer account will be generated every week.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Domain Member: Disable Machine Account Password Changes” to “Disabled”.
     
    Last edited: Apr 28, 2013
  4. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    Control Title: The Recovery Console SET command is enabled.

    Enabling this option enables the Recovery Console SET command, which allows you to set Recovery Console environment variables. This permits floppy copy and access to all drives and folders.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Recovery Console: Allow floppy copy and access to all drives and folders” to “Disabled”.

    Control Title: The Recovery Console option is set to permit automatic logon to the system.

    This is a Category 1 finding because if this option is set, the Recovery Console does not require you to provide a password and will automatically log on to the system, giving Administrator access to system files.

    By default, the Recovery Console requires you to provide the password for the Administrator account before accessing the system.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Recovery Console: Allow automatic administrative logon” to “Disabled”.

    Control Title: The unsigned driver installation behavior is improperly set.

    Determines what should happen when an attempt is made to install a device driver (by means of the Windows device installer) that has not been certified by the Windows Hardware Quality Lab (WHQL).

    The options are:
    - Silently succeed
    - Warn but allow installation
    - Do not allow installation

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Devices: Unsigned driver installation behavior” to “Warn but allow installation” or “Do not allow installation”. (EB chiming in, I would start with the first suggestion and once a baseline is set, use the more restrictive)

    Control Title: Ejection of removable NTFS media is not restricted to Administrators.

    Removable hard drives can be formatted and ejected by others who are not members of the Administrators Group, if they are not properly configured. Formatting and ejecting removable NTFS media should only be done by administrators.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Devices: Allowed to Format and Eject Removable Media” to “Administrators”.

    Control Title: The default permissions of Global system objects are not increased.

    The Windows system maintains a global list of shared system resources such as DOS device names, mutexes, and semaphores. Each type of object is created with a default DACL that specifies who can access the objects with what permissions. If this policy is enabled, the default DACL is stronger, allowing non-admin users to read shared objects, but not modify shared objects that they did not create.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “System Objects: Strengthen default permissions of internal system objects (e.g. Symbolic links)” to “Enabled”.

    Control Title: Reversible password encryption is not disabled.

    Storing passwords using reversible encryption is essentially the same as storing clear-text versions of the passwords. For this reason, this policy should never be enabled.

    Solution: Configure the system to prevent passwords from being saved using reverse encryption. By default this is disabled.

    Control Title: The system is configured to autoplay removable media.

    Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs and the music on audio media starts immediately. By default, Autoplay is disabled on removable drives, such as the floppy disk drive (but not the CD-ROM drive), and on network drives. If you enable this policy, you can also disable Autoplay on all drives.

    Solution: Configure the policy value for Computer Configuration -> Administrative Templates -> System -> “Turn off AutoPlay” to “Enabled:All Drives”.

    In addition to the above, Microsoft has released patches to correct issues with this setting. The patches from either Microsoft’s KB953252 (patch KB950582) or KB967715 must be installed. This will add the HonorAutorunSetting registry value and update the file referenced in the Check section.

    Control Title: Unauthorized named pipes are accessible with anonymous credentials.

    This is a Category 1 finding because of the potential for gaining unauthorized system access. Pipes are internal system communications processes. They are identified internally by ID numbers that vary between systems. To make access to these processes easier, these pipes are given names that do not vary between systems. This setting controls which of these pipes anonymous users may access.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Network access: Named pipes that can be accessed anonymously” as defined in the Check section.

    Control Title: Unauthorized registry paths are remotely accessible.

    This is a Category 1 finding because it could give unauthorized individuals access to the Registry.
    It controls which registry paths are accessible from a remote computer.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Network access: Remotely accessible registry paths” as defined in the Check section.

    Control Title: Unauthorized shares can be accessed anonymously.

    This is a Category 1 finding because of the potential for gaining unauthorized system access. Any shares listed can be accessed by any network user. This could lead to the exposure or corruption of sensitive data. Enabling this setting is very dangerous.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Network access: Shares that can be accessed anonymously” as defined in the Check section.

    Control Title: Remote control of a Terminal Service session is allowed.

    This setting is used to control the rules for remote control of Terminal Services user sessions. This is a Category 1 finding because remote control of sessions could permit an unauthorized user to access sensitive information on the controlled system.

    Solution: Configure the system to prevent remote control of the computer by setting the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Terminal Services, “Sets rules for remote control of Terminal Services user settings” to “Enabled” and the “Options” will be set to “No remote control allowed”.

    Control Title: Solicited Remote Assistance is allowed.

    This setting controls whether or not solicited remote assistance is allowed from this computer. Solicited assistance is help that is specifically requested by the user. This is a Category 1 finding because it may allow unauthorized parties access to the resources on the computer.

    Solution: Configure the system to disable Remote Assistance by setting the policy value for Computer Configuration -> Administrative Templates -> System -> Remote Assistance “Solicited Remote Assistance” to “Disabled”.

    Control Title: The system is configured to permit storage of credentials or .NET Passports.

    This setting controls the storage of authentication credentials or .NET passports on the local system. Such credentials should never be stored on the local machine as that may lead to account compromise.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Network access: Do not allow storage of credentials or .NET passports for network authentication” to “Enabled”.

    Control Title: The system is configured to give anonymous users Everyone rights.

    This setting helps define the permissions that anonymous users have. If this setting is enabled then anonymous users have the same rights and permissions as the built-in Everyone group. Anonymous users should not have these permissions or rights.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Network access: Let everyone permissions apply to anonymous users” to “Disabled”.

    Control Title: The system is not configured to use the Classic security model.

    Windows includes two network-sharing security models - Classic and Guest only. With the classic model, local accounts must be password protected; otherwise, anyone can use guest user accounts to access shared system resources.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Network access: Sharing and security model for local accounts” to “Classic - local users authenticate as themselves”.

    Control Title: The system is configured to store the LAN Manager hash of the password in the SAM.

    This setting controls whether or not a LAN Manager hash of the password is stored in the SAM the next time the password is changed. The LAN Manager hash is a weak encryption algorithm and there are several tools available that use this hash to retrieve account passwords.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Network security: Do not store LAN Manager hash value on next password change” to “Enabled”.

    Control Title: The system is not configured to force users to log off when their allowed logon hours expire.

    This setting controls whether or not users are forced to log off when their allowed logon hours expire. If logon hours are set for users, then this should be enforced.

    Solution: Configure the system to log off users when their allowed logon hours expire.

    Control Title: The system is not configured to the recommended LDAP client signing requirements.

    This setting controls the signing requirements for LDAP clients. This setting should be set to Negotiate signing or Require signing depending on the environment and type of LDAP server in use.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Network security: LDAP client signing requirements” to “Negotiate signing” at a minimum.

    Control Title: The system is not configured to meet the minimum requirement for session security for NTLM SSP based Clients.

    Microsoft has implemented a variety of security support providers for use with RPC sessions. In a homogenous Windows environment, all of the options should be enabled and testing should be performed in a heterogeneous environment to determine the maximum-security level that provides reliable functionality. Microsoft warns that setting these may prevent the client from communicating with legacy servers that do not support them. “Require NTLMv2 session security” will prevent authentication, if the “Network security: LAN Manager authentication level” is set to permit NTLM or LM authentication.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Network security: Minimum session security for NTLM SSP based (including secure RPC) clients” to “Require NTLMv2 session security”, ”Require 128-bit encryption”, ”Require Message Integrity”, and ”Require Message Confidentiality” (all options selected).

    Control Title: The system is not configured to use FIPS compliant Algorithms for Encryption, Hashing, and Signing.

    This setting ensures that the system uses algorithms that are FIPS compliant for encryption, hashing, and signing. FIPS compliant algorithms meet specific standards established by the U.S. Government and should be the algorithms used for all OS encryption functions.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing” to “Enabled”.

    Control Title: The system is configured to allow case insensitivity.

    This setting controls the behavior of non-Windows subsystems when dealing with the case of arguments or commands. Case sensitivity could lead to the access of files or commands that should be restricted. To prevent this from happening, case insensitivity restrictions should be required.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “System Object: Require Case Insensitivity for Non-Windows Subsystems” to “Enabled”.

    Control Title: The system is configured to prevent background refresh of Group Policy.

    If this setting is enabled, then Group Policy settings are not refreshed while a user is currently logged on. This could lead to instances when a user does not have the latest changes to a policy applied and is therefore operating in an insecure context.

    Solution: Configure the system to require Group Policy background refresh by setting the policy value for Computer Configuration -> Administrative Templates -> System -> Group Policy “Turn Off Background Refresh of Group Policy” to “Disabled”.

    Control Title: The system is configured to allow installation of printers using kernel-mode drivers.

    Kernel-mode drivers are drivers that operate in kernel mode. Kernel mode allows virtually unlimited access to hardware and memory. A poorly written kernel driver may cause system instability and data corruption. Malicious code inserted in a kernel-mode driver has almost no limit on what it may do. Most modern printers do not require kernel-mode drivers. This setting will prevent some applications from installing PDF print drivers. If necessary, temporarily disable this setting while installing a legitimate kernel-mode driver.

    Solution: Configure the system to prevent it from allowing the installation of kernel-mode drivers by setting the policy value for Computer Configuration -> Administrative Templates -> Printers “Disallow Installation of Printers Using Kernel-mode Drivers” to “Enabled”.

    Control Title: The system is not configured to use Safe DLL Search Mode.

    The default search behavior, when an application calls a function in a Dynamic Link Library (DLL), is to search the current directory followed by the directories contained in the system's path environment variable. An unauthorized DLL inserted into an application's working directory could allow malicious code to be run on the system. Creating the following registry key and setting the appropriate value forces the system to search the %Systemroot% for the DLL before searching the current directory or the rest of the path.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)” to “Enabled”.

    Control Title: The system does not generate an audit event when the audit log reaches a percent full threshold.

    When the audit log reaches a given percent full, an audit event is written to the security log. The event ID is 523 and is recorded as a success audit under the category of System. This option may be especially useful if the audit logs are set to be cleared manually. A recommended setting would be 90 percent.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning” to “90” or less.

    Control Title: The system is configured to allow dead gateway detection.

    Allows TCP to perform dead-gateway detection, switching to a backup gateway if a number of connections to a gateway are experiencing difficulty. If enabled, an attacker could force internal traffic to be directed to a gateway outside the network. This setting applies to all network adapters, regardless of their individual settings.

    Solution: http://technet.microsoft.com/en-us/library/cc960464.aspx (EB: this was not provided in the original document)

    Control Title: The system is configured to allow IP source routing.

    Protects against IP source routing spoofing.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)” to “Highest protection, source routing is completely disabled”.

    Control Title: The system is configured to redirect ICMP.

    When disabled, forces ICMP to be routed via shortest path first.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes” to “Disabled”.
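    Added example (editor's code, not EncryptedBytes' post and not part of the DISA/NSA checklists he quotes): once the Security Options and MSS values above have been pushed out, the practical question is how to prove a given XP box actually has them. The script below audits a `secedit /export /cfg` file (its `[Registry Values]` section) together with a `reg export` of the Tcpip parameters, since the MSS values are plain registry entries. The registry paths and encoded values in `BASELINE` are assumptions taken from the XP security templates, not something the post states, so confirm each against your own export; the sample exports are constructed for the example and contain deliberate gaps.

```python
# Registry paths and encoded values are my assumptions taken from the XP security
# templates, not the post's text; confirm each against your own export first.
# Rule forms: ("eq", n)  ("range", lo, hi)  ("mask", bits: all must be set)
BASELINE = {
    r"MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash": ("eq", 1),
    r"MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity": ("range", 1, 2),
    r"MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec": ("mask", 0x20080030),
    r"MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy": ("eq", 1),
    r"MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive": ("eq", 1),
    r"MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode": ("eq", 1),
    r"MACHINE\System\CurrentControlSet\Services\Eventlog\Security\WarningLevel": ("range", 1, 90),
    r"MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting": ("eq", 2),
    r"MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect": ("eq", 0),
    r"MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect": ("eq", 0),
}

def parse_secedit_inf(text):
    """{path.lower(): int} for REG_DWORD (type 4) entries in [Registry Values]."""
    values, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[registry values]"
        elif in_section and "=" in line:
            path, _, rhs = line.partition("=")
            rtype, _, raw = rhs.partition(",")
            if rtype.strip() == "4":
                values[path.strip().lower()] = int(raw)
    return values

def parse_reg_export(text):
    """{path.lower(): int} for dword values in a `reg export` file, with HKLM
    spelled MACHINE so the keys line up with secedit's naming."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].replace("HKEY_LOCAL_MACHINE\\", "MACHINE\\", 1)
        elif key and line.startswith('"') and '"=dword:' in line:
            name, _, hexval = line[1:].partition('"=dword:')
            values[(key + "\\" + name).lower()] = int(hexval, 16)
    return values

def _passes(rule, actual):
    kind = rule[0]
    if kind == "range":
        return rule[1] <= actual <= rule[2]
    if kind == "mask":
        return actual & rule[1] == rule[1]
    return actual == rule[1]                      # "eq"

def audit(*sources):
    """Merge the parsed sources and return [(path, rule, actual, status)].
    MISSING means no source had the value: the policy was probably never applied."""
    observed = {}
    for src in sources:
        observed.update(src)
    findings = []
    for path, rule in BASELINE.items():
        actual = observed.get(path.lower())
        status = "MISSING" if actual is None else ("OK" if _passes(rule, actual) else "FAIL")
        findings.append((path, rule, actual, status))
    return findings

# Constructed sample exports (not from a real machine) with a few deliberate gaps.
SAMPLE_INF = r"""[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,537395200
MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy=4,1
MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive=4,1
MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode=4,1
MACHINE\System\CurrentControlSet\Services\Eventlog\Security\WarningLevel=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"
[Version]
signature="$CHICAGO$"
"""
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DataBasePath"="%SystemRoot%\\System32\\drivers\\etc"
"DisableIPSourceRouting"=dword:00000002
"EnableICMPRedirect"=dword:00000001
"""

if __name__ == "__main__":
    for path, rule, actual, status in audit(parse_secedit_inf(SAMPLE_INF), parse_reg_export(SAMPLE_REG)):
        print("%-7s %-24s actual=%-10s rule=%s" % (status, path.rsplit("\\", 1)[1], actual, rule))
```

    On the XP host the inputs come from `secedit /export /cfg C:\secpol.inf` and `reg export HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters C:\tcpip.reg` (run `gpupdate /force` first on a domain member); both tools write UTF-16 text, so read them with `open(path, encoding="utf-16")`. In the sample, `NTLMMinClientSec` fails because the integrity and confidentiality bits are absent, `WarningLevel` of 0 means no warning at all, and `EnableDeadGWDetect` is reported MISSING rather than OK, because a value that was never written is exactly the case where the policy did not land.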
     
  5. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    Control Title: The system is configured for a greater keep-alive time than recommended.

    Controls how often TCP sends a keep-alive packet in attempting to verify that an idle connection is still intact.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds” to “300000 or 5 minutes (recommended)” or less.

    Control Title: The system is configured to allow name-release attacks.

    Prevents a denial-of-service (DoS) attack against a WINS server. The DoS consists of sending a NetBIOS Name Release Request to the server for each entry in the server's cache, causing a response delay in the normal operation of the server's WINS resolution capability.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “MSS: (NoNameReleaseOnDemand) Allow computer to ignore NetBIOS name release requests except from WINS servers” to “Enabled”.

    Control Title: The system is configured to allow SYN attacks.

    Adjusts retransmission of TCP SYN-ACKs. When enabled, connection responses time out more quickly in the event of a SYN DoS attack.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)” to “Connections time out sooner if a SYN attack is detected”.

    Control Title: The system is configured to detect and configure default gateway addresses.

    Enables or disables the Internet Router Discovery Protocol (IRDP) used to detect and configure Default Gateway addresses on the computer.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)” to “Disabled”.

    Control Title: Group Policy objects are not reprocessed if they have not changed.

    Enabling this setting and then selecting the "Process even if the Group Policy objects have not changed" option ensures that the policies will be reprocessed even if none have been changed. This way, any unauthorized changes are forced to match the domain-based group policy settings again.

    Solution: Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Group Policy “Registry Policy Processing” to “Enabled” and select the option “Process even if the Group Policy objects have not changed”.

    Control Title: Outgoing secure channel traffic is not encrypted or signed.

    Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. If this policy is enabled, outgoing secure channel traffic will be encrypted and signed.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Domain Member: Digitally encrypt or sign secure channel data (always)” to “Enabled”.

    Control Title: The system is configured to allow the display of the last user name on the logon screen.

    The user name of the last user to log onto a system will not be displayed. This eliminates half of the Userid/Password equation that an unauthorized person would need to log on.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Interactive logon: Do not display last user name” to “Enabled”.

    Control Title: Audit Access to Global System Objects is not turned off.

    This policy setting stops the system from setting up a default system access control list for certain system objects which could create a very large number of security events filling the Security log in Windows.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Audit: Audit the access to global system objects” to “Disabled”.

    Control Title: Audit of Backup and Restore Privileges is not turned off.

    This policy setting stops the system from generating audit events for every file backed up or restored which could fill the Security log in Windows.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Audit: Audit the use of Backup and Restore privilege” to “Disabled”.

    Control Title: 8dot3 Name Creation Prevented

    This check verifies Windows is configured to allow the generation of 8.3 style file names per the FDCC.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended)” to “Disabled”.

    Control Title: Number of allowed bad-logon attempts does not meet minimum requirements.

    The account lockout feature, when enabled, prevents brute-force password attacks on the system. The higher this value is, the less effective the account lockout feature will be in protecting the local system. The number of bad logon attempts should be reasonably small to minimize the possibility of a successful password attack, while allowing for honest errors made during a normal user logon.

    Solution: Configure the system to lock out an account after three invalid logon attempts.

    Control Title: Time before bad-logon counter is reset does not meet minimum requirements.

    This parameter specifies the amount of time that must pass between two successive login attempts to ensure that a lockout will occur. The smaller this value is, the less effective the account lockout feature will be in protecting the local system.

    Solution: Configure the system to have the lockout counter reset itself after a minimum of 60 minutes.

    Control Title: Users are not forcibly disconnected when logon hours expire.

    Users should not be permitted to remain logged on to the network after they have exceeded their permitted logon hours. In many cases, this indicates that a user forgot to log off before leaving for the day. However, it may also indicate that a user is attempting unauthorized access at a time when the system may be less closely monitored. This protects critical and sensitive network data from exposure to unauthorized personnel with physical access to the computer.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Microsoft Network Server: Disconnect Clients When Logon Hours Expire” to “Enabled”.

    Control Title: User rights and advanced user rights settings do not meet minimum requirements.

    Inappropriate granting of user and advanced user rights can provide system, administrative, and other high level capabilities not required by the normal user.

    Solution: Configure the system to prevent accounts from having unauthorized User Rights.

    Control Title: Maximum password age does not meet minimum requirements.

    The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the passwords. Further, scheduled changing of passwords hinders the ability of unauthorized system users to crack passwords and gain access to a system.

    Solution: Configure the Maximum Password Age so that it is not "0" and doesn't exceed 60 days. (EB here: also set up two-factor if possible)

    Control Title: Minimum password age does not meet minimum requirements.

    Permitting passwords to be changed in immediate succession within the same day, allows users to cycle passwords through their history database. This enables users to effectively negate the purpose of mandating periodic password changes.

    Solution: Configure the Minimum Password Age so that it is a minimum of "1".

    Control Title: For systems utilizing a logon ID as the individual identifier, passwords are not at a minimum of 14-characters.

    Information systems not protected with strong password schemes including passwords of minimum length provide the opportunity for anyone to crack the password thus gaining access to the system and causing the device, information, or the local network to be compromised or a denial of service. Strong passwords may invite users to write down the passwords. Ensure that all users store passwords in a secured location.

    Solution: Configure all information systems to require passwords of the minimum length specified in the check.

    Control Title: Password uniqueness does not meet minimum requirements.

    A system is more vulnerable to unauthorized access when system users recycle the same password several times without being required to change a password to a unique password on a regularly scheduled basis. This enables users to effectively negate the purpose of mandating periodic password changes.

    Solution: Configure the system to remember a minimum of "24" or greater used passwords.

    Control Title: The built-in guest account is not disabled

    A system faces an increased vulnerability threat if the built-in guest account is not disabled. This account is a known account that exists on all Windows systems and cannot be deleted. This account is initialized during the installation of the operating system with no password assigned. This account is a member of the Everyone user group and has all the rights and permissions associated with that group, which could subsequently provide access to system resources to anonymous users.

    Solution: Configure the system to rename or disable the built-in guest Account.

    Control Title: The use of local accounts with blank passwords is not restricted to console logons only.

    This is a Category 1 finding because no accounts with blank passwords should exist on a system. The password policy should prevent this from occurring. However, if a local account with a blank password does exist, enabling this setting will limit the account to local console logon only.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Accounts: Limit local account use of blank passwords to console logon only” to “Enabled”.

    Control Title: Built-in Admin Account Status

    This check verifies that Windows XP is configured to ensure the built-in administrator account is enabled.

    Solution: Configure the system to enable the built-in admin account.

    Control Title: The maximum age for machine account passwords is not set to requirements.

    This setting controls the maximum password age that a machine account may have. This setting should be set to no more than 30 days, ensuring the machine changes its password monthly.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Domain Member: Maximum Machine Account Password Age” to 30 or less, but not 0.

    Control Title: The system is not configured to require a strong session key.

    This setting controls the required strength of a session key.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Domain Member: Require Strong (Windows 2000 or Later) Session Key” to “Enabled”.

    Control Title: Domain Controller authentication is not required to unlock the workstation.

    This setting controls the behavior of the system when you attempt to unlock the workstation. If this setting is enabled, the system will pass the credentials to the domain controller (if in a domain) for authentication before allowing the system to be unlocked. This will be set to disabled per the FDCC.

    Solution: Workstations - Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Interactive logon: Require domain controller authentication to unlock workstation” to “Disabled”.

    Control Title: Restricted accounts are not disabled.

    Several new accounts are created as part of the default installation. As these accounts are well known they may represent prime attack targets. To help prevent attacks using the well-known accounts the following accounts should be disabled: HelpAssistant and Support_388945a0.

    Solution: Configure the system to disable restricted accounts such as HelpAssistant or Support_388945a0.

    Control Title: The system is configured to allow remote desktop sharing through NetMeeting.

    Remote desktop sharing enables several users to interact and control one desktop. This could allow unauthorized users to control the system. Remote desktop sharing should be disabled.

    Solution: Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> NetMeeting “Disable remote Desktop Sharing” to “Enabled”.

    Control Title: Terminal Services is not configured to always prompt a client for passwords upon connection.

    This setting, which is located under the Encryption and Security section of the Terminal Services configuration option, controls the ability of users to supply passwords automatically as part of their Remote Desktop Connection. Disabling this setting would allow anyone to use the stored credentials in a connection item to connect to the terminal server.

    Solution: Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Terminal Services -> Encryption and Security “Always Prompt Client for Password upon Connection” to “Enabled”.

    Control Title: IPv6 will be disabled until a deliberate transition strategy has been implemented.

    Any node’s interface with IPv6 enabled by default presents a potential risk of traffic being transmitted or received without a proper risk mitigation strategy and is therefore a serious security concern.

    Solution: Uninstall the IPv6 protocol until a deliberate transition strategy has been implemented.

    Control Title: Media Player is configured to allow automatic checking for updates.

    The automatic check for updates performed by the Windows Media Player must be disabled to ensure a constant platform and to prevent the introduction of unknown/untested software on the network.

    Solution: Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Media Player “Prevent Automatic Updates” to “Enabled”.

    Control Title: TCP connection response retransmissions are not controlled.

    In a SYN flood attack, the attacker sends a continuous stream of SYN packets to a server, and the server leaves the half-open connections open until it is overwhelmed and no longer is able to respond to legitimate requests. Microsoft cautions that setting this to “No retransmission, half-open connections dropped after 3 seconds” may cause legitimate connection attempts from distant clients to fail due to time-out.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “MSS: (TcpMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection is not acknowledged” to “3 & 6 seconds, half-open connections dropped after 21 seconds”, “3 seconds, half-open connections dropped after 9 seconds” or “No retransmission, half-open connections dropped after 3 seconds”.

    Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is the default)” to “3” or less.

    Control Title: This check verifies that Windows is configured to have password protection take effect within a limited time frame when the screen saver becomes active.

    Allowing more than several seconds makes the computer vulnerable to a potential attack from someone walking up to the console to attempt to log onto the system before the lock takes effect.

    Solution: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)” to “5” or less.

    Control Title: Restrict unauthenticated RPC clients.

    This check verifies that the system is configured to restrict unauthenticated RPC clients from connecting to the RPC server.

    Solution: Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Remote Procedure Call “Restrictions for Unauthenticated RPC clients” to “Enabled” and “Authenticated”.

    Control Title: File and Folder Publish to Web option unavailable.

    This check verifies that the system is configured to make the options to publish to the web unavailable from File and Folder Tasks in Windows folders.

    Solution: Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication setting ‘Turn off the "Publish to Web" task for files and folders’ to “Enabled”.

    Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication setting ‘Turn off Internet download for Web publishing and online ordering wizards’ to “Enabled”.

    Control Title: Prevent printing over HTTP.

    This check verifies that the system is configured to prevent the client computer’s ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet.

    Solution: Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication setting ‘Turn off printing over HTTP’ to “Enabled”.

    Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication setting ‘Turn off downloading of print drivers over HTTP’ to “Enabled”.

    Control Title: Windows Peer to Peer Networking

    This check verifies Microsoft Peer-to-Peer Networking Service is turned off.

    Solution: Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Microsoft Peer-to-Peer Networking Services “Turn Off Microsoft Peer-to-Peer Networking Services” to “Enabled”.

    Control Title: Prohibit Network Bridge in Windows

    This check verifies the Network Bridge cannot be installed and configured.

    Solution: Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Network Connections “Prohibit installation and configuration of Network Bridge on your DNS domain network” to “Enabled”.

    Control Title: Prohibit Internet Connection Sharing

    This check verifies Internet Connection Sharing cannot be installed and configured.

    Solution: Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Network Connections “Prohibit use of Internet Connection Sharing on your DNS domain network” to “Enabled”.

    Control Title: RSS Attachment Downloads

    This check verifies that attachments are prevented from being downloaded from RSS feeds.

    Solution: Note: For Windows XP, this only applies if Internet Explorer 7 or later is installed.

    Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> RSS Feeds “Turn off downloading of enclosures” to “Enabled”.

    Control Title: Windows Explorer Shell Protocol Protected Mode

    This check verifies that the shell protocol is run in protected mode. (This allows applications to only open limited folders.)

    Solution: Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Explorer “Turn off shell protocol protected mode” to “Disabled”.

    Control Title: Windows Installer IE Security Prompt

    This check verifies that users are notified if a web-based program attempts to install software.

    Solution: Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Installer “Disable IE security prompt for Windows Installer scripts” to “Disabled”.

    Control Title: Windows Installer User control

    This check verifies that users are prevented from changing installation options.

    Solution: Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Installer “Enable user control over installs” to “Disabled”.

    Control Title: Windows Installer Vendor signed updates

    This check verifies that users are prevented from applying vendor signed updates.

    Solution: Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Installer “Prohibit non-administrators from applying vendor signed updates” to “Enabled”.
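    Added example (editor's code, not from EncryptedBytes' post or the checklists it quotes): the account-policy items above (lockout threshold, counter reset, password ages, length, history, forced logoff when hours expire) are the ones an XP admin can verify from a command prompt with `net accounts`. The script parses that command's output, scores it against the post's numbers, and adds two consistency rules Windows itself enforces in the policy editor: the lockout counter reset window must not exceed the lockout duration (unless the duration is 0, meaning locked until an administrator unlocks), and the minimum password age must be below the maximum (unless the maximum is 0). The sample output is constructed for the example; the label strings are what `net accounts` prints on XP, but check them against your own box.

```python
# Constructed sample of `net accounts` output on an XP SP3 workstation; the labels
# follow the command's output, the values are invented for this example.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          60
Minimum password length:                              14
Length of password history maintained:                24
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

# Output labels -> short names used by the checks.
FIELDS = {
    "Force user logoff how long after time expires?": "force_logoff",
    "Minimum password age (days)": "min_age",
    "Maximum password age (days)": "max_age",
    "Minimum password length": "min_length",
    "Length of password history maintained": "history",
    "Lockout threshold": "lockout_threshold",
    "Lockout duration (minutes)": "lockout_duration",
    "Lockout observation window (minutes)": "lockout_window",
}

def parse_net_accounts(text):
    """Return {short_name: int or str}. Numbers become ints; the words the tool
    prints for a disabled or unlimited setting (Never, None, Unlimited) are kept
    as strings so each check can decide what "off" means for that setting."""
    policy = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, raw = line.rsplit(":", 1)
        name = FIELDS.get(label.strip())
        if name is None:
            continue                     # "Computer role" and similar
        raw = raw.strip()
        policy[name] = int(raw) if raw.isdigit() else raw
    return policy

def _num(v):
    # Never / None / Unlimited are all stored as 0 in the underlying policy
    return v if isinstance(v, int) else 0

def audit_account_policy(p):
    """Return {check: "OK" | "FAIL"} for the post's baseline plus the two
    consistency rules Windows enforces when you edit the policy in the GUI."""
    dur, win = _num(p["lockout_duration"]), _num(p["lockout_window"])
    lo, hi = _num(p["min_age"]), _num(p["max_age"])
    checks = {
        "force_logoff_when_hours_expire": p["force_logoff"] != "Never",
        "min_password_age_ge_1": lo >= 1,
        "max_password_age_1_to_60": 1 <= hi <= 60,
        "min_password_length_ge_14": _num(p["min_length"]) >= 14,
        "password_history_ge_24": _num(p["history"]) >= 24,
        "lockout_threshold_1_to_3": 1 <= _num(p["lockout_threshold"]) <= 3,
        "lockout_window_ge_60": win >= 60,
        "lockout_window_le_duration": dur == 0 or win <= dur,
        "min_age_lt_max_age": hi == 0 or lo < hi,
    }
    return {k: ("OK" if ok else "FAIL") for k, ok in checks.items()}

if __name__ == "__main__":
    for check, result in audit_account_policy(parse_net_accounts(SAMPLE_NET_ACCOUNTS)).items():
        print("%-5s %s" % (result, check))
```

    On a real host pipe the command through: `net accounts > C:\accounts.txt`, then feed the file to `parse_net_accounts`. For a domain member `net accounts` shows the policy in effect, which is what you want to check; for the lockout numbers remember that a threshold of 3 with a 60-minute window also makes it cheap for an attacker to lock users out on purpose, so watch the Security log for bursts of lockouts after tightening.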
     
  6. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    Control Title: XP Firewall Standard Profile – Enable Firewall

    This setting enables the Windows Firewall when not connected to the domain.

    The standard profile settings are used when the system is connected to a network that does not contain domain controllers for the domain of which the computer is a member.

    Solution: Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Network Connections -> Windows Firewall -> Standard Profile "Windows Firewall: Protect all network connections" to "Enabled".

    Control Title: XP Firewall Domain Profile File and Printer Sharing

    Shared files and printers will not be available to other computers when connected to the domain.

    Solution: Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Network Connections -> Windows Firewall -> Domain Profile "Windows Firewall: Allow file and printer sharing exception" to "Disabled".

    Control Title: XP Firewall Domain Profile ICMP Exceptions

    Only Inbound ICMP echo requests will be allowed when connected to the domain.

    Solution: Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Network Connections -> Windows Firewall -> Domain Profile "Windows Firewall: Allow ICMP exceptions" to "Enabled" with the following parameter checked "Allow inbound echo request".

    Control Title: XP Firewall Domain Profile Local Port Exceptions

    Local port exceptions can not be defined when connected to the domain.

    Solution: Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Network Connections -> Windows Firewall -> Domain Profile "Windows Firewall: Allow local port exceptions" to "Disabled".

    Control Title: XP Firewall Domain Profile Logging

    Firewall logging will be enabled and configured as defined when connected to the domain.

    Solution: Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Network Connections -> Windows Firewall -> Domain Profile "Windows Firewall: Allow logging" to "Enabled" with the following parameters checked
    "Log dropped packets"
    "Log successful connections"
    "Log file path and name" set to "%systemroot%\domainfw.log"
    "Size limit (KB)" set to "16384" (or greater)

    Control Title: XP Firewall Domain Profile Plug and Play

    Unsolicited Plug and Play messages will be blocked when connected to the domain.

    Solution: Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Network Connections -> Windows Firewall -> Domain Profile "Windows Firewall: Allow UPnP framework exception" to "Disabled".

    Control Title: XP Firewall Domain Profile Unicast Response

    The receipt of unicast responses to outgoing multicast or broadcast messages will be blocked when connected to the domain.

    Solution: Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Network Connections -> Windows Firewall -> Domain Profile "Windows Firewall: Prohibit unicast response to multicast or broadcast requests" to "Enabled".

    Control Title: XP Firewall Standard Profile ICMP Requests

    ICMP requests will be blocked when not connected to the domain.

    Solution: Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Network Connections -> Windows Firewall -> Standard Profile "Windows Firewall: Allow ICMP exceptions" to "Disabled".

    Control Title: XP Firewall Standard Profile No Exceptions

    All unsolicited incoming messages will be blocked when not connected to the domain.

    Solution: Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Network Connections -> Windows Firewall -> Standard Profile "Windows Firewall: Do not allow exceptions" to "Enabled".

    -Fin :cool:
     
    Last edited: Apr 28, 2013
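The domain-profile log enabled above (dropped packets plus successful connections, written to domainfw.log) is what you would actually read to spot a host probing the workstations. As an added example, not part of EncryptedBytes' post or the DISA/NSA checklists it draws on, this Python script parses that log using the `#Fields:` header the file itself carries and tallies inbound DROP events by source and destination port; the log lines are constructed.

```python
from collections import Counter

# Constructed sample in the Windows Firewall log format (W3C-style header).
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2013-04-28 09:01:10 DROP TCP 10.0.0.77 10.0.0.15 3441 445 48 S 77120 0 65535 - - - RECEIVE
2013-04-28 09:01:11 DROP TCP 10.0.0.77 10.0.0.15 3442 135 48 S 77121 0 65535 - - - RECEIVE
2013-04-28 09:01:12 DROP TCP 10.0.0.77 10.0.0.15 3443 445 48 S 77122 0 65535 - - - RECEIVE
2013-04-28 09:02:00 DROP UDP 10.0.0.99 10.0.0.255 137 137 78 - - - - - - - RECEIVE
2013-04-28 09:03:05 OPEN TCP 10.0.0.15 10.0.0.5 1054 80 0 - 0 0 0 - - - SEND
2013-04-28 09:03:07 CLOSE TCP 10.0.0.15 10.0.0.5 1054 80 0 - 0 0 0 - - - SEND
"""


def parse_firewall_log(text):
    """Yield one dict per event line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column layout comes from the log itself
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("event line appears before the #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue                        # truncated line (e.g. cut at rotation): skip it
        yield dict(zip(fields, values))


def summarise_drops(text, top=5):
    """Count inbound DROP events per (src-ip, protocol, dst-port).

    These are the probes the domain profile refused, for instance a host
    sweeping the LAN for SMB (445) or the RPC endpoint mapper (135)."""
    counts = Counter()
    for ev in parse_firewall_log(text):
        if ev["action"] == "DROP" and ev.get("path", "RECEIVE") == "RECEIVE":
            counts[(ev["src-ip"], ev["protocol"], ev["dst-port"])] += 1
    return counts.most_common(top)


if __name__ == "__main__":
    for (src, proto, port), n in summarise_drops(SAMPLE_LOG):
        print(f"{n:4d} drops  {src:<15} -> {proto}/{port}")
```

Because the parser reads the column layout from the header, the same function works on a log whose field order differs from the constructed sample.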
  7. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    X-What?

    Just kidding.

    EB, you should put that stuff in an ebook and sell it on iTunes or Amazon.
    Seriously! Good stuff.

     
  8. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    I may customize/omit certain parts not relevant to posters here, however these are pulled from much larger checklists provided by NIST/NSA/DISA for the information security community at the unclassified level. Offered as general guidance to private sectors, but mandated fun for public. At the very least it can offer a good starting baseline to harden systems within scope of an organization.

    I pull from:

    http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml
    http://iase.disa.mil/stigs/a-z.html
    http://csrc.nist.gov/publications/PubsSPs.html
     
  9. bolts

    bolts Registered Member

    Joined:
    Apr 3, 2013
    Posts:
    7
    Location:
    USA
    @EB...Thank you for replying, and for the information. That looks like it will keep me busy for quite a while.
    Can you recommend some books or websites for "know-nothing" network monitoring noobs like me? I've pre-ordered Richard Bejtlich's new book coming out in late July, and I'm currently reading "Hacking Exposed 7".

    @LockBox...LOL! A few months ago, I replaced some old workstations that were still running Windows 2000, and we also had a CNC machine that had a program that could only run in DOS...so that one had Windows 95 on it! And it had to be run on older hardware because the interface card for the motion controller was for an ISA slot. I found a lot of 5 HP E60 Netservers new in the box for dirt cheap. They came with a 256 meg RAM chip, and wouldn't you know it...Windows 95 would not load on that. I needed to find a 128 meg chip.
    Then I had to load a program called Mo' Slo to slow the processing speed of the PIII down to something like 33 MHz or whatever so the timing ran right for the DOS program.
    Fortunately, a month ago, we got a new laser cutter and press brake to retire that machine. Both new machines have embedded Windows software on them...I just found out that the press brake uses Windows CE. :ouch:

    Did I mention that I love my job? o_O
     
    Last edited: May 3, 2013
  10. bolts

    bolts Registered Member

    Joined:
    Apr 3, 2013
    Posts:
    7
    Location:
    USA
    I still can't send PMs, but if you could email the 130 page version...I'd like to look through that as well.

    Thanks,
    boltsinneck +at+ hotmail +dot+ com

    Yeah, I know...Hot-what?
    But hey, it works great with Netscape!
    <kidding>
     
    Last edited: May 4, 2013
  11. teched21

    teched21 Registered Member

    Joined:
    Oct 9, 2013
    Posts:
    1
    Location:
    United Kingdom
    Hi,

    To disable anonymous logon via Group Policy,

    I am going to ComputerConfiguration ->Policies ->WindowsSettings
    ->SecuritySettings ->LocalPolicies ->UserRightsAssignment
    -Deny Logon Locally

    Is this the correct place to set it?
     
  12. hogndog

    hogndog Registered Member

    Joined:
    Jun 9, 2007
    Posts:
    628
    Location:
    In His Service
    @EncryptedBytes: Maybe Mr. Wilder would consider making this a sticky, in my opinion this is some very beneficial material for all XP users..:thumb:

    I'm sure everyone here feels the same..;)
     
  13. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    687
    Thank you for this thread. XP here too, but it will take more than a cursory glance to get through this.
     
  14. SnowFall

    SnowFall Registered Member

    Joined:
    Oct 26, 2013
    Posts:
    16
    Location:
    space
    Even after you disable local file and print sharing, Windows XP still leaves port 445 open and listening for incoming connections. If you are not using local networking, this can pose a security risk. To close this port you need to make a quick change to an entry in the Windows registry.

    NOTE: It is very important that if you do not feel comfortable editing the registry or have never done it before that you avoid doing this right away and learn more about the Windows registry. Changing the wrong setting or changing a setting incorrectly can cause Windows to not function correctly.

    Please be advised that Vectro Security takes no responsibility for any damage caused to the operating system.

    Here are the step-by-step instructions to close port 445 in Windows XP:

    1. Click "Start"
    2. Click "Run..."
    3. Where it says "Open:" type "regedit"
    4. Navigate to HKLM\System\CurrentControlSet\Services\NetBT\Parameters
    5. Find the value "TransportBindName" and right-click it to open up a menu of options.
    6. Click "Modify" (it is in bold text)
    7. Where it says "Value data:" delete whatever is in the box so the box is blank. The blank entry is what closes the port.
    8. Click "OK"
    9. Close the registry and reboot.
    ----------------------------------------------
    That takes care of it, now you are much safer from other machines on your local network, or if you are plugged into a cable modem without a router.
    To disable Port 445:

    Add the following registry key:

    Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
    Name: SMBDeviceEnabled
    Type: DWORD (REG_DWORD)
    Data: 0

    Don’t forget to restart your computer after disabling the above ports for effect. Also, to check that those ports are disabled, you can open a command prompt and type netstat -an to confirm that your computer is no longer listening to those ports.

    ----------------------------------------

    To disable Port 135 (step 4 is not necessary):

    [1] Start by launching the registry editor.
    Start » Run » regedit.

    [2] Navigate over to key: HKEY_LOCAL_MACHINE\Software\Microsoft\OLE

    At the right column, locate the value "EnableDCOM" and modify the value to "N"

    [3] Navigate to this registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RPC

    Right-click on and Modify the value named "DCOM Protocols". Under the key "Value Data", you will see values. These values keep port 135 open. Highlight everything listed and delete all existing data. Doing so gives "DCOM Protocols" blank data, which will in turn close down port 135.

    ncacn_ip_tcp
    ncacn_spx
    ncacn_nb_nb
    ncacn_nb_ipx

    Disable IPsec to close ports 500~4500 (WinXP SP3).

    And if you're really pro you'll find out how to close alg.exe from camping the network stack. Sadly I forgot like a bonehead how to do it; all I remember is it has something to do with ICS "windows firewall".

    WinXP SP2 = security placebo
     
    Last edited: Oct 26, 2013
  15. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    Ahh... this thread brings a tear to my eye. I have most of those tweaks applied myself, and many more. A few seem counter-productive though. Like restricting CD Rom & Floppy control to locally logged on users only should be Enabled IMO, not disabled. And clearing the virtual memory pagefile on Shutdown is good practice too IMO. Also cached logons should be 0/disabled, me thinks, not even 2.

    As far as disabling auto-run, which is a biggie: Turn it off in Group Policy, for all drives, under both Computer Configuration & User. Disable the Shell Hardware Detection "service". And you'll want to check out this page here and apply the registry tweak to shut it down for good:

    http://windowssecrets.com/top-story/one-quick-trick-prevents-autorun-attacks/

    Great stuff there by SnowFall too to shut down ports 135 & 445 for good. If they didn't post it, I would've.
     
  16. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    Actually the methods I learned to close ports 135 & 445 are a bit different from what SnowFall posted. Here are mine... you can try both/either.

    For 135:

    Disable DCOM first

    Then do all the steps SnowFall provided. Afterward make sure these services are stopped/disabled, in addition to DCOM: COM+ Event System, COM+ System Application, System Event Notification.

    You will need to Start/Auto DCOM to update Windows, along with Automatic Updates (Start/Auto), Background Intelligent Transfer Service (Manual/will start itself), Cryptographic Services (Manual/will start itself). DCOM is also needed for Windows Defragmentation. It will function fine after those tweaks.

    For 445:

    In regedit locate: HKLM\System\CurrentControlSet\Services\NetBT

    Locate the "Start" entry (DWORD value). Modify value from 1 to 4.

    Then look just below at: HKLM\System\CurrentControlSet\Services\NetBT\Parameters

    > look at "TransportBindName", and delete the \DEVICE\ value, leaving it blank.

    Close regedit. Reboot computer.

    To check that both ports are closed go to "Run", and type in netstat -an (notice the space between t & -). See that ports 135 & 445 are no longer "Listening". In fact the list should be clear if you have everything locked down.
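Both SnowFall's steps and luciddream's variant above end with the same verification: netstat -an showing no LISTENING entry for 135 or 445. As an added example, not from either post, this Python script parses captured netstat -an text (copy it off the XP box and run the script anywhere), treats UDP sockets as open since that table has no state column, and reports which of the ports the posts target are still bound; the before/after samples are constructed and WATCH_TCP/WATCH_UDP are names chosen here.

```python
import re

# Ports the posts above close: TCP 135 (RPC/DCOM) and 445 (SMB), plus the UDP
# sockets SMB and the IPsec service (IKE 500 / NAT-T 4500) keep bound.
WATCH_TCP = {135, 445}
WATCH_UDP = {445, 500, 4500}

# Constructed samples of "netstat -an" output, before and after the changes.
BEFORE = """  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1044      192.168.1.5:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:4500           *:*
  UDP    192.168.1.20:137       *:*
"""
AFTER = """  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.20:1044      192.168.1.5:80         ESTABLISHED
"""

# proto, local addr:port, foreign addr, optional state (UDP lines have none)
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")

def bound_ports(netstat_text):
    """Return {'TCP': ports in LISTENING state, 'UDP': every bound UDP port}."""
    found = {"TCP": set(), "UDP": set()}
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                   # banner, column header or blank line
        proto, port, state = m.group(1), int(m.group(3)), m.group(4)
        if proto == "TCP" and state != "LISTENING":
            continue                   # client-side connection, not a service
        found[proto].add(port)
    return found

def still_open(netstat_text):
    """Watched ports the host is still serving, as sorted (proto, port) pairs."""
    f = bound_ports(netstat_text)
    return (sorted(("TCP", p) for p in f["TCP"] & WATCH_TCP)
            + sorted(("UDP", p) for p in f["UDP"] & WATCH_UDP))

if __name__ == "__main__":
    print("before:", still_open(BEFORE))   # the watched ports are all there
    print("after: ", still_open(AFTER))    # expect an empty list
```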
     
  17. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    If you do this tweak make sure you use REGEDT32 instead of Regedit to go into your registry and make the change, or you can really hose your box. Refer to this guide here for how to safely apply this tweak:

    http://www.pctools.com/guides/registry/detail/1202/
     
  18. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    This is one I have to strongly disagree with. In fact the first thing I do after a fresh install of XP is create another Admin account and then disable the built-in one, along with the Guest account. Even as the system administrator, you should be able to do anything that needs done from the secondary Admin account, with lower privileges... the built-in account gives you enough of them to hang yourself with.
     
  19. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
  20. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    ^ No doubt ^ Clean images IMO are a must have in this day & age, on a dying OS or a thriving one. Or at least something like Shadow Defender. Or both.
     
  21. bolts

    bolts Registered Member

    Joined:
    Apr 3, 2013
    Posts:
    7
    Location:
    USA
    Wow...eight months later, and there's still some interest in this thread.
    So now that I have all of this great information, and thank you all for your contributions; I have another question...Since the DISA Windows Gold Disk Program was phased out nearly a year ago, is it possible for regular John Q. Public types like myself to get one of these disks from somebody with the right connections, or is that illegal?

    http://www.disa.mil/News/Stories/2012/gold-disk
     