Planning Secure Baseline Installations


Plan a secure baseline installation.

  • Plan a strategy to enforce system default security settings on new systems.

Security just doesn't happen; it requires careful planning, meticulous attention to detail, and persistence. We've already talked a bit about the inherent security of Windows Server 2003 right out of the box, but what about client operating systems? Are they to be thought of as less secure? The answer: yes and no. Ultimately, the security of your servers and clients is what you make of it. To make them secure, you need a baseline: a starting point. Once you know where you are starting from, you can better see where you are going. To that end, we examine the default security settings of Windows Server 2003 after a clean installation of a member server and the default security settings of Windows XP Professional after a clean installation. By default, these security settings are applied to every clean installation that is performed. By ensuring that only authorized personnel perform operating system installations, and perform them in a prescribed and consistent manner, you can ensure that these settings are applied uniformly across all new installations.

Identifying Windows Server 2003 Default Security Settings

Plan a secure baseline installation.

  • Identify all server operating system default security settings.

The security you get out of Windows Server 2003 depends in part on how it is installed. Clean installations of Windows Server 2003 automatically receive the complete set of default configuration settings and thus are more secure (by default) than an upgrade installation. A computer that is upgraded to Windows Server 2003 is likely to inherit security settings that were present in the previous installation. This problem becomes even more acute when Windows NT 4.0 is upgraded to Windows Server 2003 due to the differences in the way Windows NT 4.0 handles the Registry and file system Discretionary Access Control Lists (DACLs).

You might be tempted to assume that by applying the Default security template, Setup security.inf, to a computer, you can easily reset it to the security settings that it would have after a clean installation. This assumption is not always correct. The default security template is automatically created during the installation of Windows Server 2003 on a computer. It represents the current security configuration at that time: either the new settings of a clean installation or the resulting settings after an upgrade installation. This security template cannot accurately be used to ensure that security settings are uniform unless the same type of installation is being performed on the same type of hardware. This security template, as discussed in more detail in the next section of this chapter, can however be used to reset the computer back to a known state. This capability becomes important over time as you have the need to enforce security settings on computers that may have experienced some changes.

EXAM TIP

For a complete rundown on the security settings you can expect to find in Windows Server 2003 and Windows XP Professional in several different configurations, download "Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP" from http://go.microsoft.com/fwlink/?LinkId=15160.


You can identify the default security settings on a newly installed Windows Server 2003 member server through a variety of different means, such as the Local Group Policy console, the Local Security Policy console, or the Resultant Set of Policy (RSoP) snap-in. Although the default security settings can be identified easily enough, they are presented in Table 1.1 for your reference.

Table 1.1. Windows Server 2003 Member Server Default Security Settings

Group Policy Node/Policy Item | Default Member Server Setting

Windows Settings\Security Settings\Account Policies
Enforce password history | 24 passwords remembered
Maximum password age | 42 days
Minimum password age | 1 day
Minimum password length | 7 characters
Passwords must meet complexity requirements | Enabled
Store password using reversible encryption for all users in the domain | Disabled

Windows Settings\Security Settings\Account Lockout Policy
Account lockout duration | Not defined
Account lockout threshold | 0 invalid logon attempts
Reset account lockout counter after | Not defined

Windows Settings\Security Settings\Kerberos Policy
Enforce user logon restrictions | Not applicable
Maximum lifetime for service ticket | Not applicable
Maximum lifetime for user ticket | Not applicable
Maximum lifetime for user ticket renewal | Not applicable
Maximum tolerance for computer clock synchronization | Not applicable

Windows Settings\Local Policies\Audit Policy
Audit account logon events | Success
Audit account management | No auditing
Audit directory service access | No auditing
Audit logon events | Success
Audit object access | No auditing
Audit policy change | No auditing
Audit privilege use | No auditing
Audit process tracking | No auditing
Audit system events | No auditing

Windows Settings\Local Policies\User Rights Assignment
Access this computer from the network | Backup Operators, Power Users, Users, Administrators, Everyone
Act as part of the operating system | Not defined
Add workstations to domain | Not defined
Adjust memory quotas for a process | Administrators, NETWORK SERVICE, LOCAL SERVICE
Allow logon locally | Backup Operators, Power Users, Users, Administrators
Allow logon through Terminal Services | Remote Desktop Users, Administrators
Back up files and directories | Backup Operators, Administrators
Bypass traverse checking | Backup Operators, Power Users, Users, Administrators, Everyone
Change the system time | Power Users, Administrators
Create a pagefile | Administrators
Create a token object | Not defined
Create global objects | SERVICE, Administrators
Create permanent shared objects | Not defined
Debug programs (SeDebugPrivilege) | Administrators
Deny access to this computer from the network | SUPPORT_388945a0
Deny logon as a batch job | Not defined
Deny logon as a service | Not defined
Deny logon locally | SUPPORT_388945a0
Deny logon through Terminal Services | Not defined
Enable computer and user accounts to be trusted for delegation | Not defined
Force shutdown from a remote system | Administrators
Generate security audits | NETWORK SERVICE, LOCAL SERVICE
Impersonate a client after authentication | SERVICE, Administrators
Increase scheduling priority | Administrators
Load and unload device drivers | Administrators
Lock pages in memory | Not defined
Log on as a batch job | SUPPORT_388945a0, LOCAL SERVICE
Log on as a service | NETWORK SERVICE
Manage auditing and security log | Administrators
Modify firmware environment values | Administrators
Perform Volume Maintenance Tasks | Administrators
Profile single process | Power Users, Administrators
Profile system performance | Administrators
Remove computer from docking station | Power Users, Administrators
Replace a process level token | NETWORK SERVICE, LOCAL SERVICE
Restore files and directories | Backup Operators, Administrators
Shut down the system | Backup Operators, Power Users, Administrators
Synchronize directory service data | Not defined
Take ownership of files or other objects | Administrators

Windows Settings\Local Policies\Security Options
Accounts: Administrator account status | Enabled
Accounts: Guest account status | Disabled
Accounts: Limit local account use of blank passwords to console logon only | Enabled
Accounts: Rename administrator account | Administrator
Accounts: Rename guest account | Guest
Audit: Audit the access of global system objects | Disabled
Audit: Audit the use of Backup and Restore privilege | Disabled
Audit: Shut down system immediately if unable to log security audits | Disabled
Devices: Allow undock without having to log on | Enabled
Devices: Allowed to format and eject removable media | Administrators
Devices: Prevent users from installing printer drivers | Enabled
Devices: Restrict CD-ROM access to locally logged-on user only | Disabled
Devices: Restrict floppy access to locally logged-on user only | Disabled
Devices: Unsigned driver installation behavior | Warn but allow installation
Domain controller: Allow server operators to schedule tasks | Not defined
Domain controller: LDAP server signing requirements | Not defined
Domain controller: Refuse machine account password changes | Not defined
Domain member: Digitally encrypt or sign secure channel data (always) | Enabled
Domain member: Digitally encrypt secure channel data (when possible) | Enabled
Domain member: Digitally sign secure channel data (when possible) | Enabled
Domain member: Disable machine account password changes | Disabled
Domain member: Maximum machine account password age | 30 days
Domain member: Require strong (Windows 2000 or later) session key | Disabled
Interactive logon: Do not display last user name | Disabled
Interactive logon: Do not require CTRL+ALT+DEL | Disabled
Interactive logon: Message text for users attempting to log on | Not defined
Interactive logon: Message title for users attempting to log on | Not defined
Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 10 logons
Interactive logon: Prompt user to change password before expiration | 14 days
Interactive logon: Require Domain Controller authentication to unlock workstation | Disabled
Interactive logon: Require smart card | Disabled
Interactive logon: Smart card removal behavior | No Action
Microsoft network client: Digitally sign communications (always) | Disabled
Microsoft network client: Digitally sign communications (if server agrees) | Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled
Microsoft network server: Amount of idle time required before suspending session | 15 minutes
Microsoft network server: Digitally sign communications (always) | Disabled
Microsoft network server: Digitally sign communications (if client agrees) | Disabled
Microsoft network server: Disconnect clients when logon hours expire | Enabled
MSS: Number of connections to create when additional connections are necessary for Winsock applications |
MSS: Enable dynamic backlog for Winsock applications | Disabled
MSS: Maximum number of 'quasi-free' connections for Winsock applications |
MSS: Minimum number of free connections for Winsock applications |
MSS: Allow automatic detection of dead network gateways | Disabled
MSS: Allow automatic detection of MTU size | Enabled
MSS: Allow ICMP redirects to override OSPF generated routes | Enabled
MSS: Allow IRDP to detect and configure Default Gateway addresses | Disabled
MSS: Allow the computer to ignore NetBIOS name release requests except from WINS servers | Enabled
MSS: Disable Autorun for all drives | Disabled
MSS: Enable the computer to stop generating 8.3 style filenames | Disabled
MSS: How many dropped connect requests to initiate SYN attack protection | 5
MSS: How many times unacknowledged data is retransmitted | 5
MSS: How often keep-alive packets are sent in milliseconds | 7,200,000
MSS: IP source routing protection level | No additional protection, source routed packets are allowed
MSS: Percentage threshold for the security event log at which the system will generate a warning | 0 (not configured)
MSS: Syn attack protection level | No additional protection, use default settings
MSS: SYN-ACK retransmissions when a connection request is not acknowledged | 3 and 6 seconds, half-open connections dropped after 21 seconds
MSS: The time in seconds before the screen saver grace period expires | 5
MSS: Enable Safe DLL search mode | Disabled
Network access: Allow anonymous SID/Name translation | Disabled
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Disabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication | Disabled
Network access: Let Everyone permissions apply to anonymous users | Disabled
Network access: Named Pipes that can be accessed anonymously | Too numerous to list
Network access: Remotely accessible registry paths | Too numerous to list
Network access: Remotely accessible registry paths and subpaths | Too numerous to list
Network access: Restrict anonymous access to Named Pipes and Shares | Enabled
Network access: Shares that can be accessed anonymously | COMCFG, DFS$
Network access: Sharing and security model for local accounts | Classic: local users authenticate as themselves
Network security: Do not store LAN Manager hash value on next password change | Disabled
Network security: Force logoff when logon hours expire | Disabled
Network security: LAN Manager authentication level | Send NTLM response only
Network security: LDAP client signing requirements | Negotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | No minimum
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | No minimum
Recovery console: Allow automatic administrative logon | Disabled
Recovery console: Allow floppy copy and access to all drives and all folders | Disabled
Shutdown: Allow system to be shut down without having to log on | Disabled
Shutdown: Clear virtual memory pagefile | Disabled
System cryptography: Force strong key protection for user keys stored on the computer | Not defined
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Disabled
System objects: Default owner for objects created by members of the Administrators group | Administrators group
System objects: Require case insensitivity for non-Windows subsystems | Enabled
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled
System settings: Optional subsystems | Posix
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies | Disabled

Windows Settings\Event Log\Settings for Event Logs
Maximum application log size | 16,384 KB
Maximum security log size | 16,384 KB
Maximum system log size | 16,384 KB
Restrict guest access to application log | Enabled
Restrict guest access to security log | Enabled
Restrict guest access to system log | Enabled
Retain application log | Not defined
Retain security log | Not defined
Retain system log | Not defined
Retention method for application log | As needed
Retention method for security log | As needed
Retention method for system log | As needed

NOTE

File System, Registry, and Services

Information about the default settings of the file system, Registry, and services is not provided due to the large number of possible configurations of the hardware and operating system.
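Two points made earlier in this section meet in day-to-day practice: Setup security.inf only records the state the machine had at install time, and the live settings can be read back with the Local Security Policy console or secedit. A practical baseline check is therefore to export the current policy (secedit /export /cfg current.inf) and compare it with the Table 1.1 values. The script below is an added example, not code from the book; it assumes the section and key names that secedit writes into an exported .inf ([System Access], [Event Audit], [Registry Values], [Privilege Rights]), transcribes a subset of Table 1.1 into that form, and the embedded "export" is a constructed sample of a drifted server, not a real capture.

```python
"""Check a secedit-exported security policy against the Table 1.1 baseline (added example)."""
from typing import Dict, List, Tuple

Key = Tuple[str, str]  # (inf section, setting name)

# Subset of Table 1.1 (member server defaults), written the way secedit stores
# them: plain numbers for policy values, "type,value" for registry values
# (4 = REG_DWORD). LmCompatibilityLevel 2 is "Send NTLM response only".
BASELINE: Dict[Key, str] = {
    ("System Access", "PasswordHistorySize"): "24",
    ("System Access", "MaximumPasswordAge"): "42",
    ("System Access", "MinimumPasswordAge"): "1",
    ("System Access", "MinimumPasswordLength"): "7",
    ("System Access", "PasswordComplexity"): "1",
    ("System Access", "ClearTextPassword"): "0",
    ("System Access", "LockoutBadCount"): "0",
    ("Event Audit", "AuditAccountLogon"): "1",   # 1 = Success only
    ("Event Audit", "AuditLogonEvents"): "1",
    ("Event Audit", "AuditAccountManage"): "0",  # 0 = No auditing
    ("Event Audit", "AuditPolicyChange"): "0",
    ("Registry Values", r"MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel"): "4,2",
    ("Registry Values", r"MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash"): "4,0",
    ("Registry Values", r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM"): "4,1",
}

# Constructed sample of a "secedit /export" on a server that has drifted
# (password length lowered, logon auditing switched off, LM level lowered,
# NoLMHash value absent). Not a real capture.
SAMPLE_EXPORT = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
ClearTextPassword = 0
[Event Audit]
AuditAccountLogon = 1
AuditLogonEvents = 0
AuditAccountManage = 0
AuditPolicyChange = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-547,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_inf(text: str) -> Dict[Key, str]:
    """Parse the INI-style .inf that secedit exports into {(section, key): value}."""
    settings: Dict[Key, str] = {}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                          # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if not section or "=" not in line:
            continue
        key, value = line.split("=", 1)       # registry paths contain '\' but never '='
        settings[(section, key.strip())] = value.strip()
    return settings


def load_inf(path: str) -> Dict[Key, str]:
    """secedit writes its export as UTF-16, which is what the [Unicode] header announces."""
    with open(path, encoding="utf-16") as fh:
        return parse_inf(fh.read())


def find_drift(current: Dict[Key, str],
               baseline: Dict[Key, str] = BASELINE) -> List[Tuple[str, str, str, str]]:
    """Return (section, key, expected, actual) for each baseline item that differs or is missing."""
    drift = []
    for (section, key), expected in baseline.items():
        actual = current.get((section, key), "<missing>")
        if actual != expected:
            drift.append((section, key, expected, actual))
    return drift


if __name__ == "__main__":
    for section, key, expected, actual in find_drift(parse_inf(SAMPLE_EXPORT)):
        print(f"[{section}] {key}: expected {expected}, found {actual}")
```

A missing key is reported as drift rather than ignored, because a setting that secedit did not write (NoLMHash here) means the value is not defined on that machine, which is exactly the kind of silent divergence from the install-time state that the template paragraph above warns about. Extending BASELINE to the rest of Table 1.1 is a matter of adding the remaining keys in the same form.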


Of course, the defaults listed in Table 1.1 can and will change depending on the final role of the server. The Default Domain Policy will be applied to all member servers in the domain, modifying the defaults previously listed. Servers that are promoted to domain controller status will also be subjected to the additional configuration contained in the Default Domain Controller Policy. The installation and configuration of various network services and applications may also lead to additional security configuration modifications. Recall, as you saw in Figure 1.1, that the final configuration of a computer is the cumulative total of all policies applied to it at all levels, unless they have been blocked.

Identifying Windows XP Professional Default Security Settings

Plan a secure baseline installation.

  • Identify client operating system default security settings.

You can identify the default security settings on a newly installed Windows XP Professional workstation through a variety of different means, such as the Local Group Policy console, the Local Security Policy console, or the Resultant Set of Policy (RSoP) snap-in. Although the default security settings can be identified easily enough, they are presented in Table 1.2 for your reference.

Table 1.2. Windows XP Professional Default Security Settings

Group Policy Node/Policy Item | Default Domain Member Client Setting

Windows Settings\Security Settings\Account Policies
Enforce password history | 0 passwords remembered
Maximum password age | 42 days
Minimum password age | 0 days
Minimum password length | 0 characters
Passwords must meet complexity requirements | Disabled
Store password using reversible encryption for all users in the domain | Disabled

Windows Settings\Security Settings\Account Lockout Policy
Account lockout duration | Not applicable
Account lockout threshold | 0 invalid logon attempts
Reset account lockout counter after | Not applicable

Windows Settings\Security Settings\Kerberos Policy
Enforce user logon restrictions | Not applicable
Maximum lifetime for service ticket | Not applicable
Maximum lifetime for user ticket | Not applicable
Maximum lifetime for user ticket renewal | Not applicable
Maximum tolerance for computer clock synchronization | Not applicable

Windows Settings\Local Policies\Audit Policy
Audit account logon events | No auditing
Audit account management | No auditing
Audit directory service access | No auditing
Audit logon events | No auditing
Audit object access | No auditing
Audit policy change | No auditing
Audit privilege use | No auditing
Audit process tracking | No auditing
Audit system events | No auditing

Windows Settings\Local Policies\User Rights Assignment
Access this computer from the network | Everyone, Administrators, Users, Power Users, Backup Operators
Act as part of the operating system | Not defined
Add workstations to domain | Not defined
Adjust memory quotas for a process | LOCAL SERVICE, NETWORK SERVICE, Administrators
Allow logon through Terminal Services | Administrators, Remote Desktop Users
Back up files and directories | Administrators, Backup Operators
Bypass traverse checking | Everyone, Administrators, Users, Power Users, Backup Operators
Change the system time | Administrators, Power Users
Create a pagefile | Administrators
Create a token object | Not defined
Create global objects | Not applicable
Create permanent shared objects | Not defined
Debug programs | Administrators
Deny access to this computer from the network | Support_xxxxxxxx, Guest
Deny logon as a batch job | Not defined
Deny logon as a service | Not defined
Deny logon locally | Support_xxxxxxxx, Guest
Deny logon through Terminal Services | Not defined
Enable computer and user accounts to be trusted for delegation | Not defined
Force shutdown from a remote system | Administrators
Generate security audits | LOCAL SERVICE, NETWORK SERVICE
Increase scheduling priority | Administrators
Load and unload device drivers | Administrators
Lock pages in memory | Not defined
Log on as a batch job | Support_xxxxxxxx
Log on as a service | NETWORK SERVICE
Log on locally | Administrators, Users, Power Users, Backup Operators
Manage auditing and security log | Administrators
Modify firmware environment values | Administrators
Perform Volume Maintenance Tasks | Administrators
Profile single process | Administrators, Power Users
Profile system performance | Administrators
Remove computer from docking station | Administrators, Power Users
Replace a process level token | LOCAL SERVICE, NETWORK SERVICE
Restore files and directories | Administrators, Backup Operators
Shut down the system | Administrators, Power Users, Backup Operators, Users
Synchronize directory service data | Not defined
Take ownership of files or other objects | Administrators

Windows Settings\Local Policies\Security Options
Accounts: Administrator account status | Enabled
Accounts: Guest account status | Disabled
Accounts: Limit local account use of blank passwords to console logon only | Enabled
Accounts: Rename administrator account | Administrator
Accounts: Rename guest account | Guest
Audit: Audit the access of global system objects | Disabled
Audit: Audit the use of Backup and Restore privilege | Disabled
Audit: Shut down system immediately if unable to log security audits | Disabled
Devices: Allow undock without having to log on | Enabled
Devices: Allowed to format and eject removable media | Administrators
Devices: Prevent users from installing printer drivers | Disabled
Devices: Restrict CD-ROM access to locally logged-on user only | Disabled
Devices: Restrict floppy access to locally logged-on user only | Disabled
Devices: Unsigned driver installation behavior | Warn but allow installation
Domain controller: Allow server operators to schedule tasks | Not defined
Domain controller: LDAP server signing requirements | Not defined
Domain controller: Refuse machine account password changes | Not defined
Domain member: Digitally encrypt or sign secure channel data (always) | Enabled
Domain member: Digitally encrypt secure channel data (when possible) | Enabled
Domain member: Digitally sign secure channel data (when possible) | Enabled
Domain member: Disable machine account password changes | Disabled
Domain member: Maximum machine account password age | 30 days
Domain member: Require strong (Windows 2000 or later) session key | Disabled
Interactive logon: Do not display last user name | Disabled
Interactive logon: Do not require CTRL+ALT+DEL | Not defined
Interactive logon: Message text for users attempting to log on | Not defined
Interactive logon: Message title for users attempting to log on | Not defined
Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 10 logons
Interactive logon: Prompt user to change password before expiration | 14 days
Interactive logon: Require Domain Controller authentication to unlock workstation | Disabled
Interactive logon: Smart card removal behavior | No Action
Microsoft network client: Digitally sign communications (always) | Disabled
Microsoft network client: Digitally sign communications (if server agrees) | Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled
Microsoft network server: Amount of idle time required before suspending session | 15 minutes
Microsoft network server: Digitally sign communications (always) | Disabled
Microsoft network server: Digitally sign communications (if client agrees) | Disabled
Microsoft network server: Disconnect clients when logon hours expire | Enabled
MSS: Number of connections to create when additional connections are necessary for Winsock applications |
MSS: Enable dynamic backlog for Winsock applications | Disabled
MSS: Maximum number of 'quasi-free' connections for Winsock applications |
MSS: Minimum number of free connections for Winsock applications |
MSS: Allow automatic detection of dead network gateways | Disabled
MSS: Allow automatic detection of MTU size (possible DoS by an attacker using a small MTU) | Enabled
MSS: Allow ICMP redirects to override OSPF generated routes | Enabled
MSS: Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) | Disabled
MSS: Allow the computer to ignore NetBIOS name release requests except from WINS servers | Enabled
MSS: Disable Autorun for all drives | Disabled
MSS: Enable the computer to stop generating 8.3 style filenames | Disabled
MSS: How many dropped connect requests to initiate SYN attack protection | 5
MSS: How many times unacknowledged data is retransmitted | 5
MSS: How often keep-alive packets are sent in milliseconds | 7,200,000
MSS: IP source routing protection level | No additional protection, source routed packets are allowed
MSS: Percentage threshold for the security event log at which the system will generate a warning | 0 (not configured)
MSS: Syn attack protection level | No additional protection, use default settings
MSS: SYN-ACK retransmissions when a connection request is not acknowledged | 3 and 6 seconds, half-open connections dropped after 21 seconds
MSS: The time in seconds before the screen saver grace period expires | 5
MSS: Enable Safe DLL search mode | Disabled
Network access: Allow anonymous SID/Name translation | Disabled
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Disabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication | Disabled
Network access: Let Everyone permissions apply to anonymous users | Disabled
Network access: Named Pipes that can be accessed anonymously | COMNAP, COMNODE, SQL\QUERY, SPOOLSS, EPMAPPER, LOCATOR, TrkWks, TrkSvr
Network access: Remotely accessible registry paths | Too numerous to list
Network access: Shares that can be accessed anonymously | COMCFG, DFS$
Network access: Sharing and security model for local accounts | Classic: local users authenticate as themselves
Network security: Do not store LAN Manager hash value on next password change | Disabled
Network security: Force logoff when logon hours expire | Disabled
Network security: LAN Manager authentication level | Send LM and NTLM responses
Network security: LDAP client signing requirements | Negotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | No minimum
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | No minimum
Recovery console: Allow automatic administrative logon | Disabled
Recovery console: Allow floppy copy and access to all drives and all folders | Disabled
Shutdown: Allow system to be shut down without having to log on | Enabled
Shutdown: Clear virtual memory pagefile | Disabled
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Disabled
System objects: Default owner for objects created by members of the Administrators group | Object creator
System objects: Require case insensitivity for non-Windows subsystems | Enabled
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled

Windows Settings\Event Log\Settings for Event Logs
Maximum application log size | 512 KB
Maximum security log size | 512 KB
Maximum system log size | 512 KB
Restrict guest access to application log | Enabled
Restrict guest access to security log | Enabled
Restrict guest access to system log | Enabled
Retain application log | 7 days
Retain security log | 7 days
Retain system log | 7 days
Retention method for application log | Overwrite events older than
Retention method for security log | Overwrite events older than
Retention method for system log | Overwrite events older than

Of course, the defaults listed in Table 1.2 can and will change depending on the final role of the workstation. The Default Domain Policy will be applied to all workstations in the domain, modifying the defaults previously listed. The installation and configuration of various network services and applications may also lead to additional security configuration modifications. Recall, as you saw in Figure 1.1, that the final configuration of a computer is the cumulative total of all policies applied to it at all levels, unless they have been blocked.
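The rule stated after both tables, that the resultant configuration is the cumulative total of the policies applied at every level unless blocked, is easier to reason about with a small resolver. The code below is an added illustration, not the book's material or any Microsoft tool: the Gpo and Container types, the policy names and the setting values are constructed, and it deliberately reduces Group Policy processing to the rules this section gives (local policy first, then site, domain and OU with the later level winning; a setting left "Not defined" keeps the earlier value; Block Policy Inheritance discards parent-level GPOs unless their link is marked No Override; No Override GPOs are applied last, with the highest level winning).

```python
"""Resultant-setting model for Group Policy layering (added example, simplified)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

NOT_DEFINED = None  # a setting the GPO leaves "Not defined" inherits what was applied before it


@dataclass
class Gpo:
    name: str
    settings: Dict[str, Optional[str]]
    no_override: bool = False        # "No Override" on the link: lower levels cannot change it


@dataclass
class Container:
    name: str                        # site, domain or OU, listed in processing order
    gpos: List[Gpo] = field(default_factory=list)
    block_inheritance: bool = False  # "Block Policy Inheritance" set on this container


def _apply(result: Dict[str, str], gpo: Gpo) -> None:
    """Overlay one GPO: defined values replace, Not defined leaves the current value."""
    for key, value in gpo.settings.items():
        if value is not NOT_DEFINED:
            result[key] = value


def resolve(local: Gpo, chain: List[Container]) -> Dict[str, str]:
    """Resultant settings: local policy, then each container in order, later wins."""
    result: Dict[str, str] = {}
    _apply(result, local)            # the clean-install defaults of Table 1.1/1.2 start here
    # Only the deepest block matters: every GPO linked above it is discarded
    # unless its link is marked No Override.
    block_at = max((i for i, c in enumerate(chain) if c.block_inheritance), default=-1)
    enforced: List[Gpo] = []
    for level, container in enumerate(chain):
        for gpo in container.gpos:
            if gpo.no_override:
                enforced.append(gpo)   # deferred: applied after everything else
            elif level >= block_at:
                _apply(result, gpo)    # normal precedence, a deeper level overrides
    # No Override GPOs go last, and the highest level last of all, so a domain
    # setting marked No Override beats a conflicting OU setting.
    for gpo in reversed(enforced):
        _apply(result, gpo)
    return result


def example() -> Dict[str, str]:
    """Constructed scenario: a member server in an OU that blocks inheritance."""
    local = Gpo("Local Computer Policy", {
        "Minimum password length": "7 characters",       # Table 1.1 default
        "Audit logon events": "Success",                  # Table 1.1 default
        "Rename administrator account": "Administrator",  # Table 1.1 default
    })
    site = Container("Site", [Gpo("Site Policy", {"Rename administrator account": "siteadm"})])
    domain = Container("Domain", [Gpo("Default Domain Policy", {
        "Minimum password length": "8 characters",
        "Passwords must meet complexity requirements": "Enabled",
        "Audit logon events": NOT_DEFINED,
    }, no_override=True)])
    servers_ou = Container("Servers OU", [Gpo("Servers Audit Policy", {
        "Audit logon events": "Success, Failure",
        "Minimum password length": "14 characters",
    })], block_inheritance=True)
    return resolve(local, [site, domain, servers_ou])


if __name__ == "__main__":
    for setting, value in example().items():
        print(f"{setting}: {value}")
```

In the scenario the OU's block removes the site GPO (the administrator account keeps its Table 1.1 name), the OU's own audit setting replaces the local default, and the domain's No Override link still wins the password-length conflict against the OU. One thing the model does not capture: account policies (password, lockout, Kerberos) for domain accounts are taken only from GPOs linked at the domain level, so an OU-linked password length such as the one above would affect only local accounts on the machines in that OU.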

Selecting Secure Operating Systems

Evaluate and select the operating system to install on computers in an enterprise.

  • Identify the minimum configuration to satisfy security requirements.

The enterprise operating systems of choice these days are Windows 2000, Windows XP Professional, and Windows Server 2003. Your choice depends on several factors, including budgetary issues, licensing, and specific role requirements.

You should be aware of potential problems with legacy clients, such as Windows 95 and Windows NT 4.0, in newer Windows Active Directory domains. These legacy clients cannot participate fully in the Active Directory domain environment because they cannot utilize Group Policy Objects; you need to implement security settings on these computers through System Policies or direct editing of the Registry. Also, these legacy computers may not be able to communicate with Windows Server 2003 domain controllers due to the increased level of security of domain controller communications through server message block (SMB) signing.

If your budget allows it, you will be best served by installing all Windows Server 2003 servers and all Windows XP Professional workstations. This combination provides the greatest amount of security configuration capability, including newer items such as wireless networking security, 802.1x configuration, and Software Restriction Policies. Also, the newly improved Certificate Services in Windows Server 2003 were designed to be used with Windows XP Professional clients.



MCSE Windows Server 2003 Network Infrastructure (Exam 70-293)
MCSE 70-293 Exam Prep: Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (2nd Edition)
ISBN: 0789736500
Year: 2003
Pages: 151
Authors: Will Schmied
