Difference between revisions of "SEC520/labs/Lab 5"

From CDOT Wiki
(Created page with "<h1> <span class="mw-headline">Hardening Windows</span></h1> <a name="Introduction" id="Introduction"></a><h2> <span class="mw-headline">Introduction</span></h2> <br /> In the...")
 
m (Protected "SEC520/labs/Lab 5": OER transfer ([Edit=Allow only administrators] (indefinite) [Move=Allow only administrators] (indefinite)))
 
(4 intermediate revisions by one other user not shown)

Latest revision as of 15:00, 21 July 2023

Hardening Windows

Introduction


In the previous two labs, you should have learned how to penetrate your vulnerable Windows 2003 server using a variety of vulnerability testing strategies. In this lab, students will learn how to make their Windows servers less vulnerable to these types of attacks (i.e. hardening the Windows 2003 server):

  • Students will learn to set up Account & Auditing Policies (including the shutting-down of unnecessary services). This is performed using an application called the Security Configuration Wizard (SCW).
  • Students will then learn to limit the roles and privileges of regular and administrative accounts, and set up a method of logging to help monitor any suspicious activity.
  • Students will learn to set up and implement NTFS to provide additional security for files (similar to using ACLs when you hardened your Linux system).
  • Finally, students will learn to apply software upgrades (patches) to make their Windows server less vulnerable, and to automate the process of software updates.



Objectives

  1. Set up and maintain User Account and Auditing (logging) Policies (including shutting down any unnecessary services).
  2. Implement NTFS to provide additional security access to files
  3. Monitor system logs for any suspicious activity (intrusion)
  4. Apply and automate software updates (patches)


Required Materials (Bring to All Labs)

  • SATA Hard Disk (in removable disk tray).
  • Lab Logbook (Lab4 Reference Sheet) (to make notes and observations).


Prerequisites


Online Tools and References


Course Notes


Performing Lab 5

Task #1: Setting Account & Auditing Policies (Security Configuration Wizard)


The Security Configuration Wizard (SCW) is a tool that allows the administrator to control or "lock down" your Windows 2003 server in terms of:
  • Which services can be turned on and off
  • Which users have access to running services
  • Service policies


In this section, you will learn to install, configure and implement security policies using SCW.

Locking Down the Server's BIOS
The system administrator should prevent the server's BIOS from booting from removable drives, and set up a BIOS password to limit access to editing the server's BIOS. Since you are using the college's computers, you are not able to lock down the BIOS, but it is worth mentioning when you are securing computers in the future.


INSTRUCTIONS:

Service Pack 1 Required
In order to install, set up and configure the Security Configuration Wizard, you need to install Service Pack 1 on your Windows 2003 server before proceeding with this section.

In order to install Service Pack 1, you need to download and install it. Here is a link to obtain Service Pack 1:
http://technet.microsoft.com/en-us/windowsserver/bb463273.aspx


  1. Boot up your Kali Linux (host), and boot up your Windows 2003 server.
  2. Log in as administrator.
  3. Make certain that you installed Service Pack 1 before proceeding (refer to "Service Pack 1 Required" above).
  4. In order to install SCW, select Control Panel, double click Add/Remove Programs, select the Security Configuration Wizard checkbox, click Next, and click Finish.
  5. Launch the SCW application, click Next.
  6. At the Configuration Action dialog box, select Create a new security policy and then click Next.
  7. The Select Server dialog box should appear. Select the current server and click Next.
  8. It may take a few minutes for SCW to process the default settings.
    Click View Configuration and then click Next in order to view the various roles, running applications and open ports on your current server.
Security Policy Template
SCW allows security settings to be saved in a file that can be imported into other newly-installed or existing Windows 2003 servers in order to save time.


  1. Click Next to go to the Select Client Features dialog box. This allows the administrator to run various client services on the server.
  2. Click Next to go to the Select Administration and Other Options dialog box. This section allows the administrator to enable special (usually remote) services (ports).
  3. Click Next to access the Select Additional Services dialog box. This allows the administrator to detect running services and display other services that are not enabled, but are available.
  4. Click Next to proceed to the last (verification) dialog box, and click Next to proceed with setting the various parts of your current server's security policy.
Security Policy Elements
Security policies in SCW consist of several categories:
  • Network Security (port and application settings)
  • Registry (communication protocols between machines)
  • Audit Policy (logging user and system events)


  1. In the Network Security section, make selections to tighten up your system to expose the smallest possible number of services running on your Windows Server (as you did in lab 4: System Hardening Linux - Part 1).
  2. In the Registry Settings section, make selections for the encryption type relating to what was taught in class (slides). You can also set up LDAP to require users on remote machines to provide authentication when logging in.
  3. In the Audit Policy section, set the policy to complete auditing.
  4. Proceed to the summary dialog box to confirm settings, and also save your security policy using the name lab8_security_policy.
  5. Proceed to Task #2

Answer the Task #1 observations / questions in your lab log book.


Task #2: Implementing New Technology File System (NTFS)


NTFS is a newer file system developed for Windows operating systems that provides improved disk space utilization, file system journaling, as well as security. This newer file system technology incorporates Access Control Lists (ACLs), which you have learned about and configured in lab #5: Linux Hardening - Part 2.

In this section, we will learn how to use ACLs to "finely-tune" group access to directories and files, and differentiate between setting permissions via ACL and setting permissions.



INSTRUCTIONS:

  1. Read the tutorial on how to use ACLs with Windows NTFS Permissions at the following link:
    Understanding Windows NTFS Permissions
  2. Perform the following steps (as in Lab #5, but using Windows NTFS Permissions):
    1. Create the following directory: c:\share
    2. Set passthrough permissions, and set permissions for the share directory to allow students to access and list contents for this directory.
    3. Use the groupadd command to create a new group called project.
    4. Create a file in the share directory called project.txt.
    5. Set permissions for the same group members to view and modify the contents of the file C:\share\project.txt.
    6. Create two user accounts called user1 and user2 (use the useradd command with an option to create a home directory and to belong to group: project).
    7. Switch to user1, and confirm that they can access and modify the file: C:\share\project.txt
    8. Repeat the above step for user2.
    9. Why can't you allow user1 to read and modify the project.txt file, but only allow user2 to only read the project.txt file? Answer in your lab log-book.
  3. Proceed to Task #3.

Answer Task #2 observations / questions in your lab log book.


Task #3: Monitoring Logs & Activity / Tripwire for Windows


In this section, we will be using similar techniques to monitor suspicious activity in your Windows 2003 server as you did in lab7 (for your Linux server). The tools in Windows will be a combination of Graphical and command-line.

INSTRUCTIONS:

  1. In your hardened Windows server, open the command prompt.
  2. Run the Event Viewer graphical tool by issuing the following MS command:
       eventvwr.msc

    Check the logs for the following activity:

    • Event logging stopped
    • Windows File Permission not active
    • Telnet Service started successfully (this service is vulnerable)
    • Significant number of unsuccessful login attempts

  3. Run the following graphical and command-line tools, in order to view and identify all of the services running on your Windows 2003 server (both normal and suspicious):
       taskmgr.exe
       services.msc
       tasklist /svc

    As with the previous Linux hardening lab, determine which services are vulnerable, and shut down vulnerable or unnecessary services. Which services did you shut down? Record your answer in your lab log-book.

  4. Perform a Search for Files or Folders that are over 10000KB in size (i.e. use the search options before starting the search). Did you locate any files of this size? What do you think files greater than 10000KB would indicate? Record your answers in your lab log-book.
  5. View your Windows registry to detect any suspicious or strange programs by issuing the following command:
       regedit

    For interest, perform a web search for a listing of common programs (contained in the registry) that could pose a hazard to your Windows system.

  6. Next, issue the following MS commands in order to detect unusual network activity:
       net view
       net session
       net user
       netstat -na

  7. Run the following Windows commands to observe any unusual scheduled tasks:
       schtasks
       msconfig.exe

  8. Finally, run the following Windows command to detect any unusual (recently added) user accounts on the Windows system:
       lusrmgr.msc
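Added example (not part of the lab page): a Python script that applies the Event Viewer checklist from step 2 to a constructed, simplified CSV export of Windows 2003 event records, so the four conditions can be checked automatically instead of by scrolling. It assumes the pre-Vista event IDs 6006 (event log service stopped), 7036 (service entered the running state), 64004 (Windows File Protection not active, which is how the "Windows File Permission not active" item is interpreted here) and 529 (logon failure); the CSV layout and every record in SAMPLE_EXPORT are constructed for the example.

```python
import csv
import io
from datetime import datetime, timedelta

# Event IDs (assumed Windows 2003 / pre-Vista values for this example)
EVENTLOG_STOPPED = 6006   # System log: "The Event log service was stopped."
SERVICE_STARTED = 7036    # Service Control Manager: a service entered the running state
WFP_NOT_ACTIVE = 64004    # Windows File Protection is not active on this system
FAILED_LOGON = 529        # Security log: logon failure (unknown user name or bad password)

# Services the lab treats as vulnerable when found running (lower-case substrings)
WATCHED_SERVICES = ("telnet",)

# Constructed sample export (not real logs); columns are a simplification of
# what Event Viewer's "Save Log File As" CSV export contains.
SAMPLE_EXPORT = """\
time,log,source,event_id,user,description
2023-07-21 08:00:00,System,eventlog,6005,N/A,The Event log service was started.
2023-07-21 08:02:10,System,Service Control Manager,7036,N/A,The Print Spooler service entered the running state.
2023-07-21 08:03:45,System,Service Control Manager,7036,N/A,The Telnet service entered the running state.
2023-07-21 08:05:00,System,Windows File Protection,64004,N/A,Windows File Protection is not active on this system.
2023-07-21 08:10:01,Security,Security,529,bob,Logon Failure: Unknown user name or bad password
2023-07-21 08:10:08,Security,Security,529,bob,Logon Failure: Unknown user name or bad password
2023-07-21 08:10:15,Security,Security,529,bob,Logon Failure: Unknown user name or bad password
2023-07-21 08:10:22,Security,Security,529,bob,Logon Failure: Unknown user name or bad password
2023-07-21 08:10:30,Security,Security,529,bob,Logon Failure: Unknown user name or bad password
2023-07-21 08:10:37,Security,Security,529,bob,Logon Failure: Unknown user name or bad password
2023-07-21 08:45:00,Security,Security,529,alice,Logon Failure: Unknown user name or bad password
2023-07-21 09:15:30,Security,Security,529,alice,Logon Failure: Unknown user name or bad password
2023-07-21 09:30:00,System,eventlog,6006,N/A,The Event log service was stopped.
"""


def parse_export(text):
    """Parse the simplified CSV export into a list of event dicts (time as datetime)."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "time": datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S"),
            "log": row["log"],
            "source": row["source"],
            "event_id": int(row["event_id"]),
            "user": row["user"],
            "description": row["description"],
        })
    return records


def failed_logon_bursts(records, threshold, window):
    """Return (user, count) for each account whose peak number of failed logons
    inside any sliding window of the given length reaches the threshold."""
    by_user = {}
    for r in records:
        if r["event_id"] == FAILED_LOGON:
            by_user.setdefault(r["user"], []).append(r["time"])
    bursts = []
    for user, times in by_user.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts.append((user, best))
    return sorted(bursts)


def triage(records, threshold=5, window=timedelta(minutes=10)):
    """Apply the lab's four checks; returns a list of (rule, detail) findings."""
    findings = []
    for r in records:
        if r["event_id"] == EVENTLOG_STOPPED:
            findings.append(("event-logging-stopped", r["time"].isoformat(" ")))
        elif r["event_id"] == WFP_NOT_ACTIVE:
            findings.append(("wfp-not-active", r["time"].isoformat(" ")))
        elif r["event_id"] == SERVICE_STARTED and any(
                s in r["description"].lower() for s in WATCHED_SERVICES):
            findings.append(("watched-service-started", r["description"]))
    for user, count in failed_logon_bursts(records, threshold, window):
        findings.append(("failed-logon-burst", f"{user}: {count} failures within {window}"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(parse_export(SAMPLE_EXPORT)):
        print(f"{rule:24} {detail}")
```

Point the script at a real export by replacing SAMPLE_EXPORT with the file contents, after adjusting the column names to match the export's header row.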

Tripwire Alternative for Windows?

As a matter of interest, there is an alternative IDS for MS Windows (among other platforms). The application is called OSSEC, which is scalable, multi-platform and open source (free).

Here is a link to this application:
https://ossec.github.io/


  1. Take a moment to note general similarities and differences between hardening your Windows server and hardening your Linux server. Record your observations in your lab log-book.
  2. Proceed to Task #4.

Answer Task #3 observations / questions in your lab log book.


Task #4: Apply / Automate Software Updates



INSTRUCTIONS:

  1. Read the tutorial on how to setup automatic updates in Windows 2003 server at the following link:
    How to Schedule Automatic Updates in Windows Server 2003
  2. Using the above tutorial, set up your Windows 2003 server to update itself automatically.
  3. Try the same process as in Lab 3 to try to penetrate your Windows 2003 server. Were you successful? Record your findings in your lab log-book.
  4. Besides making system updates automatic, what other steps could a system administrator take in order to protect their system from newer network attacks? Record your answer in your lab log-book.
  5. Proceed to "Completing The Lab".

Answer Task #4 observations / questions in your lab log book.



Completing the Lab

Arrange evidence for each of these items on your screen, then ask your instructor to review them and sign off on the lab's completion:

  1. Contents of security policy file called: lab8_security_policy.
  2. Compare ACLs by demonstrating running services via user1 and user2.
  3. Automatic Updates enabled.
  4. Results of hardened Windows 2003 second attempt at penetration testing.
  5. Completed Lab 5 notes.


Preparing for Quizzes

  1. What is the purpose of a security policy as it relates to a Windows server?
  2. What is required from a new Windows 2003 Server install in order to install and configure SCW?
  3. List and briefly explain the elements of a security policy using the SCW.
  4. List 4 features of NTFS.
  5. Why is it advantageous to set automatic updates for your Windows 2003 server as it relates to network security?