Hardening Windows
Introduction
In the previous two labs, you should have learned how to penetrate your vulnerable Windows 2003 server using a variety of vulnerability testing strategies. In this lab, students will learn how to make their Windows servers less vulnerable to these types of attacks (i.e. hardening the Windows 2003 server):
- Students will learn to set up Account & Auditing Policies (including the shutting down of unnecessary services). This is performed with an application called the Security Configuration Wizard (SCW).
- Students will then learn to limit the roles and privileges of regular and administrative accounts, and set up a method of logging to help monitor any suspicious activity.
- Students will learn to set up and use NTFS permissions to provide additional security for files (similar to using ACLs when you hardened your Linux system).
- Finally, students will learn to apply software upgrades (patches) to make their Windows server less vulnerable, and to automate the process of software updates.
Objectives
- Set up and maintain User Account and Auditing (logging) Policies (including shutting down any unnecessary services).
- Implement NTFS to provide additional security access to files
- Monitor system logs for any suspicious activity (intrusion)
- Apply and automate software updates (patches)
Required Materials (Bring to All Labs)
- SATA Hard Disk (in removable disk tray).
- Lab Logbook (Lab4 Reference Sheet) (to make notes and observations).
Prerequisites
Online Tools and References
- Security Configuration Wizard (Service Pack 1 - Windows 2003 Server)
- NTFS (Setting up Share Permissions)
- Automating Updates - Windows 2003 Server
- Intrusion Discovery (Windows)
Course Notes
- odp | pdf | ppt (Slides: Hardening Windows 2003 Server)
- Hardening Windows Second Edition (E-book) (Chapter 5)
- YouTube Video: Security Configuration Wizard 2003
Performing Lab 5
Task #1: Setting Account & Auditing Policies (Security Configuration Wizard)
- Which services can be turned on and off
- Which users have access to running services
- Service policies
In this section, you will learn to install, configure and implement security policies using SCW.
INSTRUCTIONS:
- Boot up your Kali Linux (host), and boot up your Windows 2003 server.
- Log in as administrator.
- Make certain that you installed Service Pack 1 before proceeding (refer to "Service Pack 1 Required" above).
- In order to install SCW, select Control Panel, double-click Add/Remove Programs, select the Security Configuration Wizard checkbox, click Next, and click Finish.
- Launch the SCW application, click Next.
- At the Configuration Action dialog box, select Create a new security policy and then click Next.
- The Select Server dialog box should appear. Select the current server and click Next.
- It may take a few minutes for SCW to process the default settings. Click View Configuration and then click Next in order to view the various roles, running applications and open ports on your current server.
- Click Next to go to the Select Client Features dialog box. This allows the administrator to run various client services on the server.
- Click Next to go to the Select Administration and Other Options dialog box. This section allows the administrator to enable special (usually remote) services (ports).
- Click Next to access the Select Additional Services dialog box. This allows the administrator to detect running services and display other services that are not enabled, but are available.
- Click Next to proceed to the last (verification) dialog box, and click Next to proceed with setting the various parts of your current server's security policy.
- In the Network Security section, make selections to tighten up your system to expose the smallest possible number of services running on your Windows Server (as you did in lab 4: System Hardening Linux - Part 1).
- In the Registry Settings section, make selections for the encryption type relating to what was taught in class (slides). You can also set up LDAP to require users on remote machines to provide authentication when logging in.
- In the Audit Policy section, set the policy to complete auditing.
- Proceed to the summary dialog box to confirm your settings, and save your security policy using the name lab8_security_policy.
- Proceed to Task #2
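The check a practitioner wants after SCW is a before/after picture of what the server exposes. The following is an added example, not code from the lab page: it snapshots running services and listening TCP ports so you can take one snapshot before the wizard and one after the policy is applied, then diff them. It assumes PowerShell is installed on the Windows 2003 server and that netstat.exe is on the PATH; the snapshot file names are arbitrary choices.

```powershell
# Added example (not part of the lab page): snapshot running services and
# listening TCP ports before and after the SCW policy, then diff the two.
# Assumes PowerShell on the Windows 2003 server and netstat.exe on the PATH.

function Get-ExposureSnapshot {
    # Running services with the binary they start (Win32_Service.PathName)
    $services = Get-WmiObject Win32_Service |
        Where-Object { $_.State -eq 'Running' } |
        ForEach-Object { 'SERVICE ' + $_.Name + ' (' + $_.PathName + ')' }

    # Listening TCP sockets, parsed from 'netstat -an' lines such as
    #   TCP    0.0.0.0:23    0.0.0.0:0    LISTENING
    $ports = netstat -an | ForEach-Object {
        if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING') {
            'LISTEN  port ' + $matches[2] + ' on ' + $matches[1]
        }
    }

    @($services) + @($ports) | Sort-Object -Unique
}

function Compare-ExposureSnapshots {
    param([string]$BeforeFile, [string]$AfterFile)
    $before = @(Get-Content $BeforeFile)
    $after  = @(Get-Content $AfterFile)
    # '<=' = present only before SCW (now closed); '=>' = newly exposed after.
    Compare-Object $before $after | ForEach-Object {
        if ($_.SideIndicator -eq '<=') { 'CLOSED  ' + $_.InputObject }
        else                            { 'OPENED  ' + $_.InputObject }
    }
}

# Usage: first line before running SCW, second after the policy is applied
# (and the server rebooted if SCW asks), third to see what changed.
#   Get-ExposureSnapshot | Out-File C:\before_scw.txt
#   Get-ExposureSnapshot | Out-File C:\after_scw.txt
#   Compare-ExposureSnapshots C:\before_scw.txt C:\after_scw.txt
```

Anything that shows up as OPENED after the policy, or a LISTEN line that survives for a service you meant to disable, is worth noting in your log book.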
Answer the Task #1 observations / questions in your lab log book.
Task #2: Implementing New Technology File System (NTFS)
NTFS is a newer file system developed for Windows operating systems that provides improved disk space utilization, file system journaling and security. This newer file system technology incorporates Access Control Lists (ACLs), which you learned about and configured in lab #5: Linux Hardening - Part 2.
In this section, we will learn how to use ACLs to "finely-tune" group access to directories and files, and differentiate between setting permissions via ACL and setting permissions .
INSTRUCTIONS:
- Read the tutorial on how to use ACLs with Windows NTFS Permissions at the following link: Understanding Windows NTFS Permissions
- Perform the following steps (as in Lab #5, but using Windows NTFS Permissions):
- Create the following directory: c:\share
- Set passthrough permissions, and set permissions for the share directory to allow students to access and list contents for this directory.
- Create a new group called project (the Windows counterpart of the groupadd step in Lab #5).
- Create a file in the share directory called project.txt
- Set permissions so that members of the project group can view and modify the contents of the file C:\share\project.txt.
- Create two user accounts called user1 and user2, each with a home directory and belonging to the group project (the Windows counterpart of the useradd step in Lab #5).
- Switch to user1, and confirm that they can access and modify the file: C:\share\project.txt
- Repeat the above step for user2.
- Why can't you allow user1 to read and modify the project.txt file, but allow user2 only to read the project.txt file? Answer in your lab log-book.
- Proceed to Task #3.
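The steps above as a script, added here as an example rather than taken from the lab page or the linked tutorial: net localgroup and net user stand in for groupadd and useradd, and the NTFS ACLs are set with Get-Acl / Set-Acl. It assumes PowerShell is installed on the 2003 server, an administrator prompt, that the local Users group represents "students", and that the password is a constructed placeholder you replace.

```powershell
# Added example (not the lab's own code): Task #2 from the command line.
# Assumes PowerShell, an administrator prompt, and a placeholder password.

$share    = 'C:\share'
$file     = Join-Path $share 'project.txt'
$group    = 'project'
$password = 'ChangeMe-Lab5!'   # constructed placeholder, pick your own

# Group 'project' and two members of it (the profile directory is created on
# each user's first logon)
net localgroup $group /add | Out-Null
foreach ($u in 'user1', 'user2') {
    net user $u $password /add | Out-Null
    net localgroup $group $u /add | Out-Null
}

New-Item -ItemType Directory -Path $share -Force | Out-Null
Set-Content -Path $file -Value 'shared project notes'

function New-Rule($Identity, $Rights, $Inherit) {
    # $Inherit = 'None' means this object only; otherwise NTFS inheritance flags
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, 'None', 'Allow')
}

# Folder: cut inheritance from C:\, keep SYSTEM/Administrators in control, and
# give students (Users) list/traverse on the folder itself so they can reach
# files inside it without the folder ACL leaking onto those files
$dirAcl = Get-Acl $share
$dirAcl.SetAccessRuleProtection($true, $false)
$dirAcl.AddAccessRule((New-Rule 'SYSTEM'         'FullControl'    'ContainerInherit, ObjectInherit'))
$dirAcl.AddAccessRule((New-Rule 'Administrators' 'FullControl'    'ContainerInherit, ObjectInherit'))
$dirAcl.AddAccessRule((New-Rule 'Users'          'ReadAndExecute' 'None'))
Set-Acl -Path $share -AclObject $dirAcl

# File: explicit ACL only; members of 'project' may read and modify it
$fileAcl = Get-Acl $file
$fileAcl.SetAccessRuleProtection($true, $false)
$fileAcl.AddAccessRule((New-Rule 'Administrators' 'FullControl' 'None'))
$fileAcl.AddAccessRule((New-Rule $group            'Modify'      'None'))
Set-Acl -Path $file -AclObject $fileAcl

# Check who can do what on the file, then test as a member with:
#   runas /user:user1 "notepad C:\share\project.txt"
(Get-Acl $file).Access | Format-Table IdentityReference, FileSystemRights -AutoSize
```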
Answer Task #2 observations / questions in your lab log book.
Task #3: Monitoring Logs & Activity / Tripwire for Windows
In this section, you will use techniques similar to those from lab 7 (for your Linux server) to monitor suspicious activity on your Windows 2003 server. The Windows tools are a combination of graphical and command-line tools.
INSTRUCTIONS:
- In your hardened Windows server, open the command prompt.
- Run the Event Viewer graphical tool by issuing the following MS command:
eventvwr.msc
Check the logs for the following activity:
- Event logging stopped
- Windows File Permission not active
- Telnet Service started successfully (this service is vulnerable)
- Significant number of unsuccessful login attempts
- Run the following graphical and command-line tools, in order to view and identify all of the services running on your Windows 2003 server (both normal and suspicious):
taskmgr.exe
services.msc
tasklist /svc
As with the previous Linux hardening lab, determine which services are vulnerable, and shut down vulnerable or unnecessary services. Which services did you shut down? Record your answer in your lab log-book.
- Perform a Search for Files or Folders that are over 10000KB in size (i.e. use the search options before starting the search). Did you locate any files of this size? What do you think files greater than 10000KB would indicate? Record your answers in your lab log-book.
- View your Windows registry file to detect any suspicious or strange programs by issuing the following command:
regedit
For interest, search the web for a listing of common programs (recorded in the registry) that could pose a hazard to your Windows system.
- Next, issue the following MS commands in order to detect unusual network activity:
net view
net session
net user
netstat -na
- Run the following Windows commands to observe any unusual scheduled tasks:
schtasks
msconfig.exe
- Finally, run the following Windows command to detect any unusual (recently added) user accounts on the Windows system:
lusrmgr.msc
- Take a moment to note general similarities and differences between hardening your Windows server and hardening your Linux server. Record your observations in your lab log-book.
- Proceed to Task #4.
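The log checks at the start of this task can be scripted so that the same triage runs every time. The following is an added example (not from the lab page) that scans the Security and System logs for three of the listed conditions: logging stopped (or the audit trail cleared), the Telnet service starting, and a burst of failed logons for one account. It assumes PowerShell is installed, the prompt runs as administrator (needed to read the Security log), and uses the Windows 2003-era event IDs: 6006 event log service stopped, 517 audit log cleared, 7036 a service changed state, 529-539 failed logon audits.

```powershell
# Added example (not part of the lab page): event log triage for Task #3.
# Assumes PowerShell on the 2003 server and an administrator prompt.

function Find-SuspiciousEvents {
    param([int]$FailedLogonThreshold = 10, [int]$Newest = 5000)
    $findings = @()
    $security = Get-EventLog -LogName Security -Newest $Newest
    $system   = Get-EventLog -LogName System   -Newest $Newest

    # 1. Event logging stopped (System 6006) or audit trail cleared (Security 517)
    foreach ($e in $system) {
        if ($e.EventID -eq 6006) { $findings += "LOGGING STOPPED   $($e.TimeGenerated)" }
    }
    foreach ($e in $security) {
        if ($e.EventID -eq 517) { $findings += "AUDIT LOG CLEARED $($e.TimeGenerated)" }
    }

    # 2. Telnet service entered the running state (Service Control Manager 7036)
    foreach ($e in $system) {
        if ($e.EventID -eq 7036 -and $e.Message -match 'Telnet.*running') {
            $findings += "TELNET STARTED    $($e.TimeGenerated)"
        }
    }

    # 3. Many failed logons for one account: failure audits 529-539 carry the
    #    account name as the first insertion string
    $failed = @()
    foreach ($e in $security) {
        if ($e.EntryType -eq 'FailureAudit' -and $e.EventID -ge 529 -and $e.EventID -le 539) {
            $failed += $e.ReplacementStrings[0]
        }
    }
    foreach ($g in ($failed | Group-Object)) {
        if ($g.Count -ge $FailedLogonThreshold) {
            $findings += "FAILED LOGONS     $($g.Count) for account '$($g.Name)'"
        }
    }
    $findings
}

# Usage: list the findings, then open eventvwr.msc to read the matching entries
Find-SuspiciousEvents -FailedLogonThreshold 5
```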
Answer Task #3 observations / questions in your lab log book.
Task #4: Apply / Automate Software Updates
INSTRUCTIONS:
- Read the tutorial on how to set up automatic updates in Windows 2003 server at the following link: How to Schedule Automatic Updates in Windows Server 2003
- Using the above tutorial, set up your Windows 2003 server to automatically update itself.
- Repeat the process from Lab 3 to try to penetrate your Windows 2003 server. Were you successful? Record your findings in your lab log-book.
- Besides making system updates automatic, what other steps could a system administrator take in order to protect their system from newer network attacks? Record your answer in your lab log-book.
- Proceed to "Completing The Lab".
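Before asking for sign-off on "Automatic Updates enabled", it is worth reading the setting back rather than trusting the dialog. The following is an added example (not from the lab page or the linked tutorial) that reports the Automatic Updates mode and schedule from the registry. It assumes PowerShell is installed on the 2003 server; the two registry paths are the documented Windows Update agent locations, and a value under the Policies key overrides the local-settings key.

```powershell
# Added example (not from the lab page): read back the Automatic Updates
# configuration. Assumes PowerShell on the Windows 2003 server.

function Get-AutoUpdateStatus {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $localKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    if (Test-Path $policyKey) { $key = $policyKey } else { $key = $localKey }
    $au = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($au -eq $null) { return 'Automatic Updates: no configuration found' }

    # AUOptions: 2 notify before download, 3 download then notify before install,
    # 4 download and install on schedule, 5 let the local administrator choose.
    # NoAutoUpdate=1 (policy key) or AUOptions=1 (local key) turns the feature off.
    $options = [int]$au.AUOptions
    if ($au.NoAutoUpdate -eq 1 -or $options -eq 1) {
        return 'Automatic Updates: DISABLED [' + $key + ']'
    }
    $modes = @{ 2 = 'notify before download'; 3 = 'download, notify before install';
                4 = 'download and install on schedule'; 5 = 'administrator chooses' }
    # ScheduledInstallDay: 0 = every day, 1 = Sunday ... 7 = Saturday
    $days = 'every day', 'Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday'
    $line = 'Automatic Updates: ON, mode ' + $options + ' (' + $modes[$options] + ')'
    if ($options -eq 4) {
        $line += ', install ' + $days[[int]$au.ScheduledInstallDay] +
                 ' at ' + ('{0:00}:00' -f [int]$au.ScheduledInstallTime)
    }
    return $line + ' [' + $key + ']'
}

Get-AutoUpdateStatus
```

A result of mode 4 with a day and hour is what the tutorial's scheduled setup should produce; anything else means the schedule has not taken effect.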
Answer Task #4 observations / questions in your lab log book.
Completing the Lab
Arrange evidence for each of these items on your screen, then ask your instructor to review them and sign off on the lab's completion:
- Contents of security policy file called: lab8_security_policy.
- Compare ACLs by demonstrating running services via user1 and user2.
- Automatic Updates enabled.
- Results of hardened Windows 2003 second attempt at penetration testing.
- Completed Lab 5 notes.
Preparing for Quizzes
- What is the purpose of a security policy as it relates to a Windows server?
- What is required from a new Windows 2003 Server install in order to install and configure SCW?
- List and briefly explain the elements of a security policy using the SCW.
- List 4 features of NTFS.
- Why is it advantageous to set automatic updates for your Windows 2003 server as it relates to network security?