The title to this week’s blog sounds like nirvana, but like anything else the devil is in the details. Most companies who deliver an application in a hardware appliance form factor “harden” the operating system (OS). This means they disable certain functions in the OS and create configuration settings which allow the OS to only function for the desired needs of the application. Therefore an end user cannot run other applications on the appliance. It also means certain access points exploited by hackers and criminals are no longer available.
While there are several benefits for those who desire to “lock” down Windows and create a more secure environment for their applications, hardening should only be done by those with experience. For example, you can:
- Harden your server’s TCP and IP stack (Netbios, ICMP, SYN, SYN-ACK). By hardening the IP stack your network can sustain or completely thwart various sophisticated network attacks
- Protect your servers from Denial-of-Service and other network-based attacks
- Enable SYN flood protection when an attack is detected
- Set the threshold values that are used to determine what constitutes an attack
- Reduce potential intrusion vectors by disabling non-used services
- Proactively disable scripting or Active-X controls which proofed potential propagation vectors in the past and continue to be exploited
So how do you harden Windows? For Windows XP, NT, 2000 and 2003 some of the methods involve:
- Adjusting retransmission of SYN-ACKS. This makes connection responses time out more quickly during a SYN flood.
- Determining how many times TCP retransmits an unacknowledged data segment on an existing connection. TCP retransmits data segments until they are acknowledged or until this value expires.
- Disabling ICMP Router Discovery Protocol (IRDP) where an attacker may remotely add default route entries on a remote system.
- Disabling these services:
- Universal Plug and Play Device Host
- IIS (not installed by default)
- Netmeeting Remote Desktop Sharing
- Remote Desktop Help Session Manager
- Remote Registry
- Routing & Remote Access
- SSDP Discovery Service
- Disable any non-active accounts and delete any accounts which are no longer required
- Disable Guest accounts
- Use the Local Security Policy snap-in to strengthen the system policies for password acceptance. Microsoft suggests that you make the following changes:
- Set the minimum password length to at least 8 characters
- Set a minimum password age appropriate to your network (typically between 1 and 7 days)
- Set a maximum password age appropriate to your network (typically no more than 42 days)
- Set a password history maintenance (using the “Remember passwords” radio button) of at least 6
- Disable Enumeration of SIDS. Even after renaming Guest and Administrator accounts, an intruder armed with the right software can still find the real account by enumerating the account SIDs (Security Identifiers) because renaming an account does not change its SID. Once an account name has been identified (an attacker is looking for an Administrator account here) a brute force attack on the password is usually the next step. This can be avoided by not allowing the enumeration of Account SIDs.
- Disable File and Print Sharing. If you use an always-on high-speed Internet connection, leaving these services turned on is like leaving your doors open when you are not at home. Unless it is absolutely necessary, turn these services off.
- Disable Remote Assistance and Remote Desktop. This applies to Windows XP machines only. Remote assistance allows you to invite another person to logon to your machine for remote troubleshooting. Leave it disabled. You can always re-enable it later if the service is ever needed. Remote desktop is available on XP Professional and allows you access to a Windows session on one computer while you are at another computer in another location, not only over a LAN, but over the Internet as well.
- Disable any unnecessary and potentially dangerous service. The three most common services to turn off are Windows Plug and Play, DCOM, and Windows Messenger.
- Encrypt the My Documents and Temp folders. Both Windows XP and Windows 2000 allow you to encrypt selected data files and folders in your computer. By doing this, even if your computer is compromised by an attacker, you have an extra layer of security for your most used files by denying access to anyone except the user that encrypted the files to begin with.
- Set account lockout policy.Windows XP includes an account lockout feature that will disable an account after an administrator-specified number of logon failures.
- Use a BIOS and Bootlevel Password. Once you set a Boot level BIOS password, it will be required every time the system is started. The system is completely disabled until the password is entered. This is normally accomplished by selecting the password option in the BIOS setup. You may also want to consider an additional password for accessing the BIOS settings in order to prevent unauthorized changes in the BIOS settings.
- Use NTFS File system. When Windows XP or Windows 2000 is installed, it should be installed on a separate partition formatted with the NTFS File system rather than the older FAT File system. The NTFS system allows you to configure which users have access to which data, who can perform what kinds of operations, and allows you to encrypt files and data.
- Disable auto-logins. Do not use any automated logins and be sure all users are password protected.
These are some of the most common methods used to harden Windows. If you’d prefer to turn this task over to professionals, visit our hardware and software solutions page to learn what we can do for you.