HP C2 Security Compliancy, Technical Manual

Page 1: ...ucture Kerberos Policy 15 2 7 Domain Level Hardening the Domain Infrastructure Security Options 15 2 8 Baseline Level 17 2 8 1 Audit Policy 17 2 8 2 User Rights Assignments 27 2 8 3 Security Options 37 2 8 4 Event Log 55 2 8 5 System Services 58 2 8 6 Additional Security Settings 91 2 8 7 Additional Security Settings Manual Hardening Procedures 107 2 9 Hardening File Servers 111 2 9 1 Audit Policy...

Page 2: ...User Rights Assignments 135 2 11 3 Security Options 136 2 11 4 Event Log Settings 136 2 11 5 System Services 136 2 11 6 Additional Security Settings 139 2 11 7 HP NAS Specific Security Settings 148 3 C2 CC Security Compliancy 148 3 1 Security Policy Modifications 149 3 2 Registry Modifications 153 4 E3 F C2 Security Compliancy 156 5 For more information 156 ...

Page 3: ...y Evaluation Criteria ITSEC security requirements within the United Kingdom Germany France and the Netherlands 1 1 NSA Security Compliancy Overview This document mainly focuses on NAS system modifications needed to meet NSA security compliancy To meet NSA security requirements the NAS system s network infrastructure must be NSA security compliant as well As such the following modifications are req...

Page 4: ...ecurity Evaluation Criteria ITSEC security requirements within the United Kingdom Germany France and the Netherlands 2 NSA Security Compliancy This section provides detail steps in modifying the NAS system and other systems within the network to meet NSA security compliancy based on Microsoft s Windows Server 2003 Security Guide Patterns and Practices Not all network environments are the same As s...

Page 5: ...one must understand the domain model differences between Windows NT 4 0 Windows 2000 Active Directory and Windows 2003 Active Directory The Windows NT 4 0 domain was a very good organizational and hierarchical model However it had poor communication feature sets with other domains This issue prevented NT 4 0 to scale well within larger enterprise environments As such Windows 2000 Active Directory ...

Page 6: ...dows Server family components rely on accurate and synchronized time If the clocks are not synchronized on the clients the Kerberos v5 authentication protocol might falsely interpret logon requests as intrusion attempts and deny access to users To ensure that the time is accurate the PDC emulator in the forest root domain can be synchronized to an external NTP time server However doing so may resu...

Page 7: ... applied in the order shown in the illustration below As seen above policies are applied first from the local machine policy level of the computer After that any GPOs are applied at the site level and then at the domain level If the server is nested in several OUs GPOs existing at the highest level OU are applied first The process of applying GPOs continues down the OU hierarchy The final GPO to b...

Page 8: ... Enterprise Client Domain Policy or High Security Client Domain Policy and then press Enter 4 Right click on the new domain policy and then select No Override 5 Select on the new domain policy and then click Edit 6 In the Group Policy window click Computer Configuration Windows Settings Right click Security Settings and then select Import Policy 7 In the Import Policy From dialog box navigate to S...

Page 9: ...omain controller For Windows 2000 Active Directory domains Administrators should use the secedit exe refreshpolicy command line from the DOS prompt instead to force domain policy replication Group Policy security settings are applied at several different levels within the network organizational hierarchy which have been broken down to the following three levels in the domain infrastructure Domain ...

Page 10: ...es associated with reusing passwords and specifying a low number for this setting will allow users to continually recycle a small number of passwords repeatedly this setting recommendation is consistent across all environments defined within this guide Also there are no known issues related to setting this value at the maximum number for environments containing legacy clients Maximum Password Usag...

Page 11: ...8 characters 8 characters 12 characters The Minimum password length setting ensures passwords have at least a specified number of characters Long passwords which are eight or more characters are usually stronger than short ones With this policy setting users cannot use blank passwords and they must create passwords that are a certain number of characters long The default value for this setting is ...

Page 12: ...rd Must Meet Complexity Requirements Domain Member Default Legacy Client Enterprise Client High Security Client Enabled Enabled Enabled Enabled The Password must meet complexity requirements policy option checks all new passwords to ensure that they meet basic requirements for strong passwords Complexity requirements are enforced when passwords are created The Windows Server 2003 policy rules cann...

Page 13: ...asswords and they decrease the likelihood of successful attacks on the network The values in the following sections can be configured in the Domain Group Policy at the following location Computer Configuration Windows Settings Security Settings Account Policies Account Lockout Policy Account Lockout Duration Domain Member Default Legacy Client Enterprise Client High Security Client Not defined 30 ...

Page 14: ...revent a DoS attack aimed at intentionally locking out accounts within the company Because it will not prevent a brute force attack choose this setting only if both of the following criteria are explicitly met o The password policy forces all users to have complex passwords made up of eight or more characters o A robust auditing mechanism is in place to alert administrators when a series of accoun...

Page 15: ...ser accounts These policies determine Kerberosv5 protocol related settings such as ticket lifetimes and enforcement Kerberos policies do not exist in the local computer policy Reducing the lifetime of Kerberos tickets decreases the risk of an attacker stealing passwords and then impersonating legitimate user accounts However maintaining these policies increases the authorization overhead In most e...

Page 16: ...have no impact on them However the default setting for domain controllers is Enabled Warning Disabling this setting may cause legacy systems to be unable to communicate with Windows Server 2003 based domains such as Windows NT 4 0 based Remote Access Service servers When a Web application on IIS is configured to allow basic authentication and at the same time has Anonymous access disabled the buil...

Page 17: ...ity such as who accesses an object if a user logs on to or off from a computer or if changes are made to an auditing policy setting Before implementing audit policies one must decide which event categories need to be audited for the corporate environment The auditing settings that an administrator chooses for the event categories define the corporate auditing policy By defining audit settings for ...

Page 18: ... members of the Windows Server family 682 A user has reconnected to a disconnected terminal server session 683 A user disconnected a terminal server session without logging off The event IDs above can be useful when creating custom alerts to monitor any software suite for example Microsoft Operations Manager MOM Audit Account Management Member Server Default Legacy Client Enterprise Client High Se...

Page 19: ... 646 A computer account was changed 647 A computer account was deleted 648 A local security group with security disabled was created Note SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks 649 A local security group with security disabled was changed 650 A member was added to a security disabled local security group 651 A member was remo...

Page 20: ... scripts in order to capture or flag events based on the event IDs above Audit Directory Service Access Member Server Default Legacy Client Enterprise Client High Security Client No auditing Success Failure Success Failure Success Failure The Audit directory service access setting determines whether to audit the event of a user accessing a Microsoft Active Directory directory service object that h...

Page 21: ...29 Logon failure A logon attempt was made with an unknown user name or a known user name with a bad password 530 Logon failure A logon attempt was made outside the allowed time 531 Logon failure A logon attempt was made using a disabled account 532 Logon failure A logon attempt was made using an expired account 533 Logon failure A logon attempt was made by a user who is not allowed to log on at th...

Page 22: ...ss Failure By itself this setting will not cause any events to be audited The Audit object access setting determines whether to audit the event of a user accessing an object for example a file folder registry key printer and so forth that has a specified SACL A SACL is comprised of access control entries ACEs Each ACE contains three pieces of information The security principal user computer or gro...

Page 23: ...anager application 572 The Administrator Manager initialized the application 772 The Certificate Manager denied a pending certificate request 773 Certificate Services received a resubmitted certificate request 774 Certificate Services revoked a certificate 775 Certificate Services received a request to publish the certificate revocation list CRL 776 Certificate Services published the CRL 777 A cer...

Page 24: ...nment policies audit policies or trust policies Configuring this setting to Failure generates an audit entry for each failed change to user rights assignment policies audit policies or trust policies The recommended settings would let administrators see any account privileges that an attacker attempts to Policy change auditing also includes making changes to the audit policy itself as well as to t...

Page 25: ... all parameters are valid for each entry type For example parameters such as DNS name NetBIOS name and SID are not valid for an entry of type TopLevelName 770 Trusted forest information was deleted Note See event description for event 769 771 Trusted forest information was modified Note See event description for event 769 805 The event log service read the security log configuration for a session ...

Page 26: ...m activation process exit handle duplication and indirect object access Configuring this setting to Success generates an audit entry each time the process being tracked succeeds Configuring this setting to Failure generates an audit entry each time the process being tracked fails Enabling Audit process tracking will generate a large number of events so typically it is set to No Auditing However th...

Page 27: ...the Security Accounts Manager 519 A process is using an invalid local procedure call LPC port in an attempt to impersonate a client and reply or read from or write to a client address space 520 The system time was changed Note This audit normally appears twice 2 8 2 User Rights Assignments User Rights Assignments determine which users or groups have logon rights or privileges on the computers on t...

Page 28: ...user right assignments may need to be modified on a system where only the specific target group exists Alternatively the policy templates can be edited individually to include the appropriate groups within the inf files This section provides details on the prescribed user rights assignments for the three environments defined in this guide for the MSBP For a summary of the prescribed settings in th...

Page 29: ...Operating System Member Server Default Legacy Client Enterprise Client High Security Client Not Defined Not Defined Not Defined Revoke all security groups and accounts Important Since various 3rd party applications require and impersonate user and group accounts administrators should verify that these applications within their NAS system are still functioning properly once this policy is set The A...

Page 30: ...e to legitimate users who need to be able to log on to the system prevents unauthorized users from elevating their privileges or from introducing viruses into the computing environment Allow Log On Through Terminal Services Member Server Default Legacy Client Enterprise Client High Security Client Administrators and Remote Desktop Users Administrators and Remote Desktop Users Administrators and Re...

Page 31: ...uilt in Administrator Guests Support_388945a0 Guest all NONOperating System service accounts ANONOYMOUS LOGON Built in Administrator Guests Support_388945a0 Guest all NONOperating System service accounts ANONOYMOUS LOGON Built in Administrator Guests Support_388945a0 Guest all NONOperating System service accounts Important For all HP NAS server systems administrators should only deny the Support_3...

Page 32: ...ces Member Server Default Legacy Client Enterprise Client High Security Client Not Defined Built in Administrator Guests Support_388945a0 Guest all NON operating system service accounts Built in Administrator Guests Support_388945a0 Guest all NON operating system service accounts Built in Administrator Guests Support_388945a0 Guest all NON operating system service accounts Important For all HP NAS...

Page 33: ...r privilege allows a process to generate audit records in the security log The security log can be used to trace unauthorized system access Accounts that are able to write to the security log could be used by an attacker to fill that log with meaningless events If the computer is configured to overwrite events as needed the attacker could use this method to remove evidence of his or her unauthoriz...

Page 34: ...care and install only drivers with verified digital signatures The default user groups for this right are sufficient for the Legacy Client and Enterprise Client environments However this right is configured to enforce the default Administrators group in the High Security environment Lock pages in memory Member Server Default Legacy Client Enterprise Client High Security Client Not Defined Not Defi...

Page 35: ...ise Client environments However this user right is configured to enforce the default Administrators group in the High Security environment Perform volume maintenance tasks Member Server Default Legacy Client Enterprise Client High Security Client Administrators Not Defined Not Defined Administrators The Perform volume maintenance tasks user right allows a non administrative or remote user to manag...

Page 36: ...NETWORK SERVICE groups in the High Security environment Restore files and directories Member Server Default Legacy Client Enterprise Client High Security Client Administrators and Backup Operators Not Defined Administrators Administrators The Restore files and directories user right determines which users can bypass file directory registry and other persistent objects permissions when restoring ba...

Page 37: ... processes and threads Ensure that only the local Administrators group has the Take ownership of files or other objects user right 2 8 3 Security Options The Security Options section of Group Policy is used to configure security settings for computers such as digital signing of data administrator and guest account names floppy disk drive and CD ROM drive access driver installation behavior and log...

Page 38: ... able to log on physically via the keyboard of the computer Therefore enforce the default value for this countermeasure across all three environments Audit Audit the access of global system objects Member Server Default Legacy Client Enterprise Client High Security Client Disabled Disabled Disabled Disabled The Audit Audit the access of global system objects security option setting audits the acce...

Page 39: ...setting is the default for all three of the environments defined in this guide Devices Prevent users from installing printer drivers Member Server Default Legacy Client Enterprise Client High Security Client Enabled Enabled Enabled Enabled For a computer to print to a network printer it must have the driver for that network printer installed Enabling the Devices Prevent users from installing print...

Page 40: ...r warns the administrator that an unsigned driver is about to be installed This can prevent installing drivers that have not been certified to run on Windows Server 2003 One potential problem with configuring this setting to the Warn but allow installation value is that unattended installation scripts will fail when installing unsigned drivers Domain controller Allow server operators to schedule M...

Page 41: ...ber computers to change computer account passwords Enabling this setting on all domain controllers in a domain prevents computer account passwords on domain members from changing leaving them susceptible to attack Therefore the value for this security option is set to Disabled in the three environments defined in this guide Domain member Digitally encrypt or sign secure channel data always Member ...

Page 42: ...Domain member Disable machine account password changes security option setting determines whether a domain member may periodically change its computer account password Enabling this setting prevents the domain member from changing its computer account password Disabling this setting allows the domain member to change its computer account password as specified by the Domain Member Maximum age for m...

Page 43: ... Log On to Windows dialog box The Interactive logon Do not display last user name setting is enabled in the baseline server policy in the three environments defined in this guide Interactive logon Do not require CTRL ALT DEL Member Server Default Legacy Client Enterprise Client High Security Client Disabled Disabled Disabled Disabled The Interactive logon Do not require CTRL ALT DEL security optio...

Page 44: ...rs see when they log on to the system The reasoning behind this setting is the same as that for the Message text for user attempting to log on setting Organizations that do not utilize this setting are more legally vulnerable to trespassers who attack the network surface Therefore this setting is enabled in the three environments defined in this guide Note Any warning that gets displayed should fi...

Page 45: ...troller must be contacted to unlock a computer This setting addresses a vulnerability similar to the Interactive logon Number of previous logons to cache in case domain controller is not available setting A user could disconnect the network cable of the server and unlock the server using an old password without authenticating to unlock the server To prevent this this setting is configured to Enabl...

Page 46: ...k server Amount of idle time required before suspending session security option setting determines the amount of continuous idle time that must pass in an SMB session before the session is suspended due to inactivity Administrators can use this policy to control when a computer suspends an inactive SMB session If client activity resumes the session is automatically reestablished This setting is co...

Page 47: ...e company has configured logon hours for users then it makes sense to enable this setting otherwise users should not be able to access network resources outside of their logon hours or they may be able to continue to use those resources with sessions established during allowed hours Therefore this setting is configured to Enabled in the three environments defined in this guide Network access Do no...

Page 48: ...ymous Windows users to perform certain activities such as enumerating the names of domain accounts and network shares An unauthorized user could anonymously list account names and shared resources and use the information to guess passwords or perform social engineering attacks Therefore this setting is configured to Disabled in the three environments defined in this guide Network access Named Pipe...

Page 49: ...to access the registry over the network Network access Remotely accessible registry paths and sub Member Server Default Legacy Client Enterprise Client High Security Client System CurrentControl Set Control Print System CurrentControl Set Services Eventlog Software Microsoft OL AP Server Software Microsoft W indows NT CurrentVersion Pri nt Software Microsoft W indows NT CurrentVersion Wi ndows Sys...

Page 50: ... registry paths and sub paths security option setting determines which registry paths and sub paths can be accessed over the network It is recommended to enforce the default setting in the baseline security templates for all three security environments defined in this guide Network access Restrict anonymous access to Named Pipes and Shares Member Server Default Legacy Client Enterprise Client High...

Page 51: ...urity Client Disabled Enabled Enabled Enabled Important Very old legacy operating systems and some third party applications may fail when this setting is enabled Also administrators will need to change the password on all accounts after enabling this setting Administrators within multi protocol heterogeneous environments may want to verify all applications and protocol communications are working p...

Page 52: ...NT Windows 2000 and Windows XP Professional Otherwise administrators must leave this setting configured at no higher than Send NTLMv2 responses only on computers not running Windows 9x Network security LDAP client signing requirements Member Server Default Legacy Client Enterprise Client High Security Client Negotiate signing Negotiate signing Negotiate signing Negotiate signing The Network securi...

Page 53: ...ting and repairing systems that cannot be restarted normally However enabling this setting can be detrimental because anyone can then walk up to the server shut it down by disconnecting the power restart it select Recover Console from the Restart menu and then assume full control of the server Therefore this setting is configured to the default for the three environments defined in this guide To u...

Page 54: ... protection for user keys stored on the computer security option setting determines whether users private keys such as their SMIME keys require a password to be used If this policy is configured so that users must provide a password distinct from their domain password every time that they use a key then even if an attacker takes control of their computer and determines what their logon password is...

Page 55: ...Strengthen default permissions of internal system objects e g Symbolic Links Member Server Default Legacy Client Enterprise Client High Security Client Enabled Enabled Enabled Enabled The System objects Strengthen default permissions of internal system objects e g Symbolic Links security option setting determines the strength of the default discretionary access control list DACL for objects The se...

Page 56: ...rvers should adequately store enough information to conduct audits Configuring this log for other systems to an adequate size is based on factors that include how frequently the log will be reviewed available disk space and so on Maximum system log size Member Server Default Legacy Client Enterprise Client High Security Client 16 384 KB 16 384 KB 16 384 KB 16 384 KB The Maximum system log size sec...

Page 57: ...ts Note This setting does not appear in the Local Computer Policy object Prevent local guests group from accessing system log Member Server Default Legacy Client Enterprise Client High Security Client Enabled Enabled Enabled Enabled The Prevent local guests group from accessing system log security setting determines whether guests are prevented from accessing the system event log By default in Win...

Page 58: ...d to run when the system starts Many of these system services do not need to run in the three environments defined in this guide There are additional optional services available with Windows 2003 such as Certificate Services that are not installed during the default installation of Windows Server 2003 The optional services can be added to an existing system by using Add Remove Programs or the Wind...

Page 59: ...y in uninterruptible power supply UPS alert messages systems Application Layer Gateway Service Service Name Member Server Default Legacy Client Enterprise Client High Security Client ALG Manual Disabled Disabled Disabled The Application Layer Gateway Service system service is a subcomponent of the Internet Connection Sharing ICS Internet Connection Firewall ICF service that provides support for in...

Page 60: ...e Name Member Server Default Legacy Client Enterprise Client High Security Client BITS Manual Automatic if BITS jobs are pending Manual Manual Manual The Background Intelligent Transfer Service BITS system service is a background file transfer mechanism and queue manager BITS is used to transfer files asynchronously between a client and an HTTP server Requests to the BITS service are submitted and...

Page 61: ...nect to while the Clipbook application and service allow administrators to create the pages of data to share To ensure greater security in the three environments defined in this guide disable this service Any services that explicitly depend on this service will fail to start Clipbrd exe can still be used to view the local Clipboard where data is stored when a user selects text and then clicks Copy...

Page 62: ...onfiguration and tracking of components based on COM This service is not a requirement for the baseline server policy Therefore this service is configured to Disabled in the three environments defined in this guide Computer Browser Service Name Member Server Default Legacy Client Enterprise Client High Security Client Browser Automatic Automatic Automatic Automatic The Computer Browser system serv...

Page 63: ...However this setting is required and is set to Automatic for the DHCP servers in all three environments Distributed File System Service Name Member Server Default Legacy Client Enterprise Client High Security Client Dfs Automatic Disabled Disabled Disabled Important Distributed File System DFS must be set to Automatic for all HP NAS server systems running DFS The Distributed File System DFS servic...

Page 64: ... Client Enterprise Client High Security Client Dnscache Automatic Automatic Automatic Automatic The DNS Client system service resolves and caches DNS names for the computer The DNS client service must be running on every computer that performs DNS name resolution Resolving DNS names is essential for locating domain controllers in ActiveDirectory domains Running the DNS client service is also criti...

Page 65: ...ility to successfully diagnose system problems Therefore this service sets the value of Automatic in the three environments defined in this guide Fax Service Service Name Member Server Default Legacy Client Enterprise Client High Security Client Fax Not installed Disabled Disabled Disabled The Fax Service system service a Telephony API TAPI compliant service provides fax capabilities from the comp...

Page 66: ...Member Server Default Legacy Client Enterprise Client High Security Client helpsvc Automatic Disabled Disabled Disabled Important Help and Support should be set to Automatic within HP NAS server systems only if Administrators require the Help and Support Center service The Help and Support system service enables the Help and Support Center to run on the computer The service supports the Help and S...

Page 67: ...e set to Automatic for HP NAS server systems in which the HP NAS WEB GUI interface is used HP Insight Manager is used HP s Array Configuration Utility ACU is used HTTP file shares are created FTP file shares are created or SMTP mail notification are used The IIS Admin Service allows administration of IIS components such as FTP Applications Pools Web sites Web service extensions and both Network Ne...

Page 68: ... Server If this service is disabled files and images cannot be shared using infrared These features are not needed in the baseline server environment Therefore this service is configured to Disabled Internet Authentication Service Service Name Member Server Default Legacy Client Enterprise Client High Security Client IAS Not installed Disabled Disabled Disabled The Internet Authentication Service ...

Page 69: ...st be set to Automatic for HP NAS server systems requiring IPv6 support The IP Version 6 Helper Service system service offers IPv6 connectivity over an existing IPv4 network These features are not required in the baseline server environment Therefore this service is configured to Disabled IPSEC Policy Agent IPSec Service Service Name Member Server Default Legacy Client Enterprise Client High Secur...

Page 70: ...ient High Security Client dmadmin Manual Manual Manual Manual The Logical Disk Manager Administrative Service performs administrative service for disk management requests and configures hard disk drives and volumes The Logical Disk Manager Administrative Service is started only when a drive or partition is configured or when a new drive is detected Therefore this service is configured to Manual in...

Page 71: ...nger This service is not a requirement for the baseline server policy Therefore this service is configured to Disabled in the three environments defined in this guide Microsoft POP3 Service Service Name Member Server Default Legacy Client Enterprise Client High Security Client POP3SVC Not installed Disabled Disabled Disabled The Microsoft POP3 Service provides e mail transfer and retrieval service...

Page 72: ...Client High Security Client CORRTSvc Not installed Disabled Disabled Disabled Important The NET Framework Support Service may need to be set to Manual or Automatic within an HP NAS server environment depending upon whether there are any 3rd party applications that require the NET Framework support The NET Framework Support Service system service notifies a subscribing client when a specified proce...

Page 73: ...e Network DDE system service provides network transport and security for Dynamic Data Exchange DDE for programs running on the same computer or on different computers This service is not a requirement for the baseline server policy Therefore this service is configured to Disabled in the three environments defined in this guide Network DDE DSDM Service Name Member Server Default Legacy Client Enter...

Page 74: ...e NTLM authentication protocol or access network resources Therefore this service is configured to Automatic in the three environments defined in this guide Performance Logs and Alerts Service Name Member Server Default Legacy Client Enterprise Client High Security Client SysmonLog Manual Manual Manual Manual The Performance Logs and Alerts system service collects performance data from local or re...

Page 75: ...in the baseline server environment Therefore this service is configured to Disabled in the three environments defined in this guide Print Spooler Service Name Member Server Default Legacy Client Enterprise Client High Security Client Spooler Automatic Disabled Disabled Disabled Important The Print Spooler system service must be set to Automatic for HP NAS server systems requiring print server supp...

Page 76: ...emote networks These features are not required in the baseline server environment Therefore this service is configured to Disabled in the three environments defined in this guide Remote Administration Service Service Name Member Server Default Legacy Client Enterprise Client High Security Client SrvcSurg Not installed Manual Manual Manual The Remote Administration Service system service is respons...

Page 77: ...red to Automatic in the three environments defined in this guide Remote Procedure Call RPC Locator Service Name Member Server Default Legacy Client Enterprise Client High Security Client RpcLocator Manual Automatic on a domain controller Disabled Disabled Disabled The Remote Procedure Call RPC Locator system service enables RPC clients using the RpcNs family of APIs to locate RPC servers and manag...

Page 78: ...vers These features are not required in the baseline server environment Therefore this service is configured to Disabled in the three environments defined in this guide Remote Storage Notification Service Name Member Server Default Legacy Client Enterprise Client High Security Client Remote_Storage _User_Link Not installed Disabled Disabled Disabled The Remote Storage Notification system service n...

Page 79: ...y referred to as planning mode These features are not required in the baseline server environment Therefore this service is configured to Disabled in the three environments defined in this guide Routing and Remote Access Service Name Member Server Default Legacy Client Enterprise Client High Security Client RemoteAccess Disabled Disabled Disabled Disabled Important The Routing and Remote Access sy...

Page 80: ...ounts Manager Service Name Member Server Default Legacy Client Enterprise Client High Security Client SamSs Automatic Automatic Automatic Automatic The Security Accounts Manager SAM system service is a protected subsystem that manages user and group account information In Windows 2000 and the Windows Server 2003 family the SAM in the local computer registry stores workstation security accounts and...

Page 81: ...e Instance Storage Groveler Service Name Member Server Default Legacy Client Enterprise Client High Security Client Groveler Not installed Disabled Disabled Disabled The Single Instance Storage Groveler SIS system service is an integral component of the Remote Installation Service RIS that reduces the overall storage required on the RIS volume This service is not a requirement for the baseline ser...

Page 82: ...refore this service is configured to Disabled in the three environments defined in this guide SNMP Trap Service Service Name Member Server Default Legacy Client Enterprise Client High Security Client SNMPTRAP Not installed Disabled Disabled Disabled Important The SNMP Trap Service must be set to Automatic on HP NAS server systems requiring SNMP trap support For example HP Insight Manager software ...

Page 83: ...ervice Name Member Server Default Legacy Client Enterprise Client High Security Client Schedule Automatic Disabled Disabled Disabled Important This service must be set to Automatic if administrators are using Ntbackup exe for scheduled backups This service must be set to Automatic on HP NAS server systems using applications or services requiring task scheduler functionality For example various sna...

Page 84: ...m service for Windows provides ASCII terminal sessions to Telnet clients This service supports two types of authentication and four types of terminals ANSI VT 100 VT 52 and VTNT This service is not a requirement for the baseline server policy Therefore this service is configured to Disabled in the three environments defined in this guide Terminal Services Service Name Member Server Default Legacy ...

Page 85: ... Client Enterprise Client High Security Client Themes Disabled Disabled Disabled Disabled The Themes system service provides user experience theme management services The Themes service provides rendering support for the new Windows XP Professional graphic user interface GUI This service is not a requirement for the baseline server policy Therefore this service is configured to Disabled in the thr...

Page 86: ... for the baseline server policy Therefore this service is configured to Disabled in the three environments defined in this guide Virtual Disk Service Service Name Member Server Default Legacy Client Enterprise Client High Security Client VDS Manual Disabled Disabled Disabled Important This service must be set to Manual on HP NAS server systems requiring VDS support The Virtual Disk Service VDS sys...

Page 87: ... GUI interface The Web Element Manager system service is responsible for serving Web user interface elements for the Administration Web site at port 8098 This feature is not needed in the baseline server environment Therefore this service is configured to Disabled in the three environments defined in this guide Windows Audio Service Name Member Server Default Legacy Client Enterprise Client High S...

Page 88: ...r this service to Disabled This service also is set to Automatic in the Infrastructure Server role policy Windows Management Instrumentation Service Name Member Server Default Legacy Client Enterprise Client High Security Client winmgmt Automatic Automatic Automatic Automatic The Windows Management Instrumentation system service provides a common interface and object model to access management inf...

Page 89: ...sourceManager Not installed Disabled Disabled Disabled Important The Windows System Resource Manager WSRM system service must be set to Automatic for HP NAS server systems that are used to deploy applications The Windows System Resource Manager WSRM system service is a tool to help customers deploy applications into consolidation scenarios This feature is not required in the baseline server enviro...

Page 90: ... This service is not a requirement for the baseline server policy Therefore this service is configured to Disabled in the three environments defined in this guide WMI Performance Adapter Service Name Member Server Default Legacy Client Enterprise Client High Security Client WmiApSrv Manual Manual Manual Manual The WMI Performance Adapter system service provides performance library information from...

Page 91: ...the windir inf folder and re registering scecli dll The original security settings as well as the additional ones appear under Local Policies Security in the snap ins and tools listed previously in this section The customization to sceregvl inf provided below uses features only available on Microsoft Windows XP Professional with Service Pack 1 and Windows Server 2003 Administrators should not try ...

Page 92: ...acklog3 80000 MaximumDynamicBacklog4 160000 MaximumDynamicBacklog5 MACHINE SYSTEM CurrentControlSet Control SessionManager SafeDllSearchMode 4 SafeDllSearchMode 0 3 Navigate to the bottom of the Strings section and copy the following text into the file MSS Settings EnableICMPRedirect MSS EnableICMPRedirect Allow ICMP redirects to override OSPF generated routes SynAttackProtect MSS SynAttackProtect...

Page 93: ...mpt window and type the command regsvr32 scecli dll to re register the SCE DLL 6 Subsequent launches of the SCE will display these custom registry values Important All modifications within this section apply to all three environments defined within this guide for MSBP 2 8 6 1 Security Consideration for Network Attacks To help prevent denial of service DoS attacks administrators should keep their c...

Page 94: ...ride OSPF generated routes to a value of Disabled The possible values for this Registry value are 1 or 0 default is 1 enabled In the SCE UI these options appear as Enabled Disabled Not Defined Potential Impact When Routing and Remote Access Service RRAS is configured as an autonomous system boundary router ASBR it does not correctly import connected interface subnet routes Instead this router inje...

Page 95: ...An attacker could force the server to switch gateways potentially to an unintended one Countermeasure Configure MSS Allow automatic detection of dead network gateways could lead to DoS to a value of Disabled The possible values for this Registry value are 1 or 0 default is 0 disabled In the SCE UI these options appear as Enabled Disabled Not Defined Potential Impact Configuring this setting to 0 p...

Page 96: ...o verify that an idle connection is still intact by sending a keep alive packet If the remote computer is still reachable it acknowledges the keep alive packet Vulnerability An attacker who is able to connect to network applications could cause a DoS condition by establishing numerous connections Countermeasure Configure MSS How often keep alive packets are sent in milliseconds 300 000 is recommen...

Page 97: ...s to be dropped TcpMaxConnectResponseRetransmissions SYN ACK retransmissions when a connection request is not acknowledged This entry appears as MSS SYN ACK retransmissions when a connection request is not acknowledged in the SCE This parameter determines the number of times that TCP retransmits a SYN before aborting the attempt The retransmission time out is doubled with each successive retransmi...

Page 98: ... server leaves the half open connections open until it is overwhelmed and no longer is able to respond to legitimate requests Countermeasure Configure MSS How many times unacknowledged data is retransmitted 3 recommended 5 is default to a value of 3 The possible values for this Registry value are 0 to 0xFFFFFFFF default is 5 In the SCE UI this appears as a text entry box A user defined number Not ...

Page 99: ...tion 5 is recommended to a value of 5 The possible values for this Registry value are 0 to 0xFFFF default is 5 In the SCE UI this appears as a text entry box A user defined number Not Defined Potential Impact This parameter controls the point at which SYN ATTACK protection starts to operate SYN ATTACK protection begins to operate when TCPMaxPortsExhausted connect requests have been refused by the ...

Page 100: ...FD DynamicBacklogGrowthDelta Number of connections to create when additional connections are necessary for Winsock applications 10 recommended to a value of 10 The possible values for this Registry value are 0 to 0xFFFFFFFF default is 0 In the SCE UI this appears as a text entry box A user defined number Not Defined Potential Impact Setting this value to too large a number could cause a large amou...

Page 101: ...nerability Socket applications may be susceptible to DoS attacks Countermeasure Configure MSS AFD MinimumDynamicBacklog Minimum number of free connections for Winsock applications 20 recommended for systems under attack 10 otherwise to a value of 10 The possible values for this Registry value are 1 to 0xFFFFFFFF default is 0 In the SCE UI this appears as a text entry box A user defined number Not ...

Page 102: ...ut output system NetBIOS over TCP IP is a networking protocol that among other things provides a means of easily resolving NetBIOS names registered on Windows based systems to the IP addresses configured on those systems This value determines whether the computer releases its NetBIOS name when it receives a name release request The following registry value entry was added to the template file to t...

Page 103: ...see Knowledge Base article Q269239 Note There is a high maintenance factor required to update the LMHOSTS files in most environments Microsoft encourages the use of WINS over LMHOSTS Potential Impact An attacker could send a request over the network asking a computer to release its NetBIOS name As with any changes that could affect applications Microsoft recommends testing this change in a non pro...

Page 104: ...er than the 8 3 format allows Note If administrators apply this setting to an existing server that already has files with auto generated 8 3 file names it does not remove them To remove existing 8 3 file names administrators will need to copy those files off the server delete the files from the original location and then copy the files back to their original locations 2 8 6 5 Drive AutoRun Setting...

Page 105: ...ord Protection Immediate The time in seconds before the screen saver grace period expires 0 recommended This entry appears as MSS The time in seconds before the screen saver grace period expires 0 recommended in the SCE Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically if screen saver locking is enabled The following reg...

Page 106: ... is configured to overwrite events as needed The following registry value entries have been added to the template file to the following registry key HKEY_LOCAL_MACHINE SYSTEM CurrentControlSet Services Eventlog Security Subkey Registry Value Entry Format Recommended Value Decimal WarningLevel DWORD 90 Vulnerability If the security log fills up and the computer has not been configured to overwrite ...

Page 107: ...l SafeDllSearchMode DWORD 1 Vulnerability If a user unknowingly executes hostile code and that hostile code has been packaged with additional files including modified versions of system DLLs the hostile code could load its own versions of those DLLs potentially increasing the type and degree of damage the code can render Countermeasure Configure MSS Enable Safe DLL search mode recommended to a val...

Page 108: ...est all NONOperating System service accounts Built in Administrator Support_388945a0 Guest all NONOperating System service accounts Built in Administrator Support_388945a0 Guest all NONOperating System service accounts Deny log on as a batch Job Support_388945a0 and Guest Support_388945a0 and Guest Support_388945a0 and Guest Deny log on through Terminal Services Built in Administrator Support_3889...

Page 109: ...in Administrator account to determine its true name A SID is the value that uniquely identifies each user group computer account and logon session on a network It is not possible to change the SID of this built in account Renaming the local administrator account to a unique name can make it easy for the domain operations groups to monitor attempted attacks against this account Complete the followi...

Page 110: ...oller security settings are applied during the promotion of a server to a domain controller All partitions on servers in all three environments defined in this guide are formatted with NTFS partitions in order to provide the means for file and directory security management via ACLs 2 8 7 5 Terminal Services Settings Setting Name in UI Legacy Client Enterprise Client High Security Set client connec...

Page 111: ...nternal corporate file share This setting is only available on Windows XP Professional and Windows Server 2003 This is the path for configuring this setting in the Group Policy editor Computer Configuration Administrative Templates System Error Reporting Error reports can potentially contain sensitive or even confidential corporate data Microsoft s privacy policy regarding error reporting ensures ...

Page 112: ...tem service accounts are not included in the security template These accounts and groups have unique security identifiers SIDs for each domain on the network Therefore they must be added manually The Deny access to this computer from the network setting determines which users are prevented from accessing a computer over the network This setting will deny a number of network protocols including ser...

Page 113: ...trator accounts is prohibited 2 9 3 Security Options Most Security Options for file servers in the three environments defined in this guide are configured via the MSBP For more information on the MSBP see section 2 8 Differences between the MSBP and the Incremental file server Group Policy are described in the following section Accounts Guest account status Member Server Default Legacy Client Ente...

Page 114: ... prevents the Microsoft network client from communicating with a Microsoft network server unless that server agrees to perform SMB packet signing Microsoft network server Digitally sign communications always Member Server Default Legacy Client Enterprise Client High Security Client Disabled Disabled Enabled Enabled Important Administrators within multi protocol heterogeneous environments should se...

Page 115: ...ult Legacy Client Enterprise Client High Security Client Disabled Enabled Enabled Enabled Important Very old legacy operating systems and some third party applications may fail when this setting is enabled Also administrators will need to change the password on all accounts after enabling this setting Administrators within multi protocol heterogeneous environments may want to verify all applicatio...

Page 116: ... all settings Enabled all settings Important Administrators within multi protocol heterogeneous environments may want to verify all applications and protocol communications are working properly within their NAS box and other servers within the network once this setting is set The Network security Minimum session security for NTLM SSP based including secure RPC servers security option setting allow...

Page 117: ...to company network environment Adjust the File Server Group Policy recommendations as needed to meet company requirements Automatic Updates Service Name Member Server Default Legacy Client Enterprise Client High Security Client wuauserv Automatic Automatic Automatic Automatic Important Automatic Updates must be set to Disabled for all HP NAS server systems The Automatic Updates system service enab...

Page 118: ...his service is configured to Disabled in the three environments defined in this guide Distributed File System Service Name Member Server Default Legacy Client Enterprise Client High Security Client Dfs Automatic Disabled Disabled Disabled Important This setting must be set to Automatic for all HP NAS server systems using DFS The Distributed File System DFS service manages logical volumes distribut...

Page 119: ...d access files on a local Windows server computer This is not a requirement for a standard server environment Therefore this service is configured to Disabled in the three environments defined in this guide Help and Support Service Name Member Server Default Legacy Client Enterprise Client High Security Client helpsvc Automatic Disabled Disabled Disabled Important Help and Support should be set to...

Page 120: ...in the three environments defined in this guide Remote Server Manager Service Name Member Server Default Legacy Client Enterprise Client High Security Client AppMgr Not installed Disabled Disabled Disabled Important The Remote Server Manager may be set to Manual or Automatic on HP NAS server systems that require remote administration The Remote Server Manager acts as a Windows Management Instrumen...

Page 121: ...Ds These features are not required in the baseline server environment Therefore this service is configured to Disabled in the three environments defined in this guide Routing and Remote Access Service Name Member Server Default Legacy Client Enterprise Client High Security Client RemoteAccess Disabled Disabled Disabled Disabled Important The Routing and Remote Access system service must be set to ...

Page 122: ... Transport Protocol SMTP system service must be set to Automatic on HP NAS server systems requiring mail notifications of NAS system failures The Simple Mail Transport Protocol SMTP system service transports electronic mail across the network This service is not a requirement for the baseline server policy Therefore this service is configured to Disabled in the three environments defined in this g...

Page 123: ...h Security Client TlntSvr Disabled Disabled Disabled Disabled Important This service must be set to Manual or Automatic on HP NAS server systems using telnet The Telnet system service for Windows provides ASCII terminal sessions to Telnet clients This service supports two types of authentication and four types of terminals ANSI VT 100 VT 52 and VTNT This service is not a requirement for the baseli...

Page 124: ...is configured to Disabled in the three environments defined in this guide WebClient Service Name Member Server Default Legacy Client Enterprise Client High Security Client WebClient Disabled Disabled Disabled Disabled Important The WebClient system service must be set to Automatic for HP NAS server systems requiring access to the Internet The WebClient system service allows Win32 applications to a...

Page 125: ... characters in length The following registry value entry has been added to the template in the registry key HKEY_LOCAL_MACHINE System CurrentControlSet Control FileSystem Subkey Registry Value Entry Format Recommended Value Decimal NtfsDisable8dot3NameCreation DWORD 1 Important Various 3rd party applications may not install nor function correctly if this registry setting is set to 1 It is recommen...

Page 126: ...g can be configured to rename administrator accounts in the three environments defined in this guide This setting is a part of the Security Options settings in Group Policy Never configure a service to run under the security context of a domain account unless absolutely necessary If a server is physically compromised domain account passwords can be easily obtained by dumping Local Security Authori...

Page 127: ...n particular RPC and authentication traffic all communications are permitted between a file server and all domain controllers Traffic could be further limited but most environments would require the creation of dozens of additional filters in order for the filters to effectively protect the server This would make it very difficult to implement and manage IPSec policies Similar rules should be crea...

Page 128: ...the server will be unprotected until the IPSec Policy Agent starts For more information on building persistent filters or creating more advanced IPSec filter scripts see Chapter 11 Additional Member Server Hardening Procedures in Microsoft s Windows Solution for Security Threats and Countermeasures Security Settings in Windows Server 2003 and Windows XP Finally this script is configured to not ass...

Page 129: ...Novell NetWare IBM AIX and HP UX operating systems Redundant hardware advanced RAID technology and Secure Path s automated failover capability are used to enhance fault tolerance and availability Secure Path effectively eliminates controllers disk drives interconnect hardware and host bus adapters as single points of failure in the storage subsystem The SecurePath account must meet NSA password gu...

Page 130: ...ing server information on the HP Insight Manager web home page and modifying its settings 2 10 Hardening Print Servers This section focuses on the challenges of further hardening print servers since the most essential services they provide are the ones that require the Microsoft Windows Network Basic Input Output System NetBIOS related protocols The protocols for Server Message Block SMB and Commo...

Page 131: ...s defined in this guide 2 10 4 Event Log Settings The Event Log settings for print servers in the three environments defined in this guide are configured via the MSBP For more information on the MSBP see section 2 8 2 10 5 System Services Any service or application is a potential point of attack and therefore any unneeded services or executable files should be disabled or removed In the MSBP these...

Page 132: ...e Guest and Administrator The Guest account is disabled by default on member servers and domain controllers This setting should not be changed The built in Administrator account should be renamed and the description altered to help prevent attackers from compromising a remote server using a well known account Many variations of malicious code use the built in administrator account in an initial at...

Page 133: ...olution for Security Threats and Countermeasures Security Settings in Windows Server 2003 and Windows XP The following table lists all of the IPSec filters that can be created on print servers in the High Security environment defined in this guide Important For Legacy Client and Enterprise Client environments HP does not recommend blocking ports with IPSec filters All of the rules listed in the ta...

Page 134: ... This will allow administrators to perform remote administration The network traffic map above assumes that the environment contains Active Directory enabled DNS servers If stand alone DNS servers are used additional rules may be required The implementation of IPSec policies should not have a noticeable impact on the performance of the server However testing should be performed before implementing...

Page 135: ...itially installs in a highly secure locked mode For example IIS will by default initially only serve static content Features such as Active Server Pages ASP ASP NET Server Side Includes SSI Web Distributed Authoring and Versioning WebDAV publishing and Microsoft FrontPage Server Extensions will not work until an administrator enables them These features and services can be enabled through the Web ...

Page 136: ...users and groups assigned this right to provide the highest level of security possible Nevertheless the IUSR account used for anonymous access to IIS is by default a member of the Guests group This guide recommends removing the Guests group from the Incremental IIS Group Policy to ensure anonymous access to IIS servers can be configured when necessary For these reasons the Deny access to this comp...

Page 137: ...ADMIN Not installed Automatic Automatic Automatic The IIS Admin Service allows administration of IIS components such as File Transfer Protocol FTP Application Pools Web sites Web service extensions and both Network News Transfer Protocol NNTP and Simple Mail Transfer Protocol SMTP virtual servers The IIS Admin Service must be running for an IIS server to provide Web FTP NNTP and SMTP services If t...

Page 138: ...uters requesting RIS from this server will fail to install if this service is disabled However this feature is not required in the baseline server environment Therefore this service is configured to Disabled in the three environments defined in this guide WinHTTP Web Proxy Auto Service Name Member Server Default Legacy Client Enterprise Client High Security Client WinHttpAutoProxySvc Manual Disabl...

Page 139: ...tional Security Settings After installing Windows Server 2003 and IIS IIS by default transmits only static Web content When Web sites and applications contain dynamic content or require one or more additional IIS components each additional IIS feature must be individually enabled However care should be taken during this process to ensure that the attack surface of each IIS server on the network is...

Page 140: ... of the default IIS components in the NAS server systems is not recommended Administrators should only install and remove IIS components that are not a part of the NAS default IIS component list Only essential IIS components and services required by Web sites and applications should be enabled Enabling unnecessary components and services increases the attack surface of an IIS server Complete the f...

Page 141: ...ion IIS servers will transmit only static content Dynamic content capabilities can be enabled through the Web Service Extensions node in IIS Manager These extensions include ASP NET SSI WebDAV and FrontPage Server Extensions Enabling all Web service extensions ensures the highest possible compatibility with existing applications however this also creates a security risk because when all extensions...

Page 142: ...ccess to a much more limited group of users Second after making this change cmd exe does not exist on the same disk volume as the Web root and there are currently no known methods to access commands on a different drive using such an attack In addition to security concerns placing Web site and application files and folders on a dedicated disk volume makes administration tasks such as backup and re...

Page 143: ...to simplify the process of applying NTFS permissions 2 11 6 5 Setting IIS Web Site Permissions IIS examines Web site permissions to determine the types of action that can occur within a Web site such as allowing script source access or directory browsing Web site permissions should be assigned to further secure Web sites on IIS servers in the three environments defined in this guide Web site permi...

Page 144: ...the selection of the fields that will be logged When IIS logging is enabled IIS uses the W3C Extended Log File Format to create daily activity logs which are stored in the directory specified for the Web site in IIS Manager To improve server performance logs should be stored on a non system striped or striped mirrored disk volume Furthermore logs can be written to a remote share over a network usi...

Page 145: ...ful not to confuse Administrator account with the built in Administrators security group If the Administrators security group is added to any of the deny access user rights below administrators will need to log on locally to correct the mistake In addition the built in Administrator account may have been renamed based in some of the recommendations described in section 2 8 When adding the Administ...

Page 146: ... can be renamed via Group Policy This setting was not configured in any of the security templates provided with this guide because administrators should choose a unique name for their environment The Accounts Rename administrator account setting can be configured to rename administrator accounts in the three environments defined in this guide This setting is a part of the Security Options settings...

Page 147: ...d be further limited but most environments would require the creation of dozens of additional filters in order for the filters to effectively protect the server This would make it very difficult to implement and manage IPSec policies Similar rules should be created for each of the domain controllers an IIS server will interact with To increase the reliability and availability of IIS servers this w...

Page 148: ... Windows Server 2003 and Windows XP Finally this script is configured to not assign the IPSec policy it creates The IP Security Policy Management snap in can be used to examine the IPSec filters created and to assign the IPSec policy in order for it to take effect 2 11 7 HP NAS Specific Security Settings The hardening of specific HP NAS accounts and applications are required to meet NSA security c...

Page 149: ...BIOS setup password to prevent rogue administrators and users from accessing the system BIOS and changing its settings for all three environment configurations Physical Removal of Floppy and DVD ROM drive Member Server Default Legacy Client Enterprise Client High Security Client Floppy and DVD ROM installed Floppy and DVD ROM installed Floppy and DVD ROM installed Remove Floppy and DVD ROM It is r...

Page 150: ...section of Windows Server 2003 at the following location Computer Configuration Windows Settings Security Settings Local Policies Audit Policy The Audit process tracking setting determines whether to audit detailed tracking information for events such as program activation process exit handle duplication and indirect object access Configuring this setting to Success generates an audit entry each t...

Page 151: ...nts with legacy clients set this option to Disabled as these clients will not be able to authenticate or gain access to domain controllers This setting must be set to Disabled for HP NAS server systems within multi protocol network environments involving NFS AFTP or NCP This Security Option setting can be configured in Windows Server 2003 at the following location within the Group Policy Object Ed...

Page 152: ...Enables wildcard support for some commands such as the DEL command AllowAllPaths Allows access to all files and folders on the computer AllowRemovableMedia Allows files to be copied to removable media such as a floppy disk NoCopyPrompt Does not prompt when overwriting an existing file For CC security compliancy however this setting should be set to Disabled Devices Restrict CD ROM access to locall...

Page 153: ...ned to be too high within NSA security requirements However this setting must be set to Enabled for CC security compliancy Devices Unsigned non driver installation behavior Member Server Default Legacy Client Enterprise Client High Security Client Warn but allow installation Warn but allow installation Warn but allow installation Warn but allow installation This Security Option setting can be conf...

Page 154: ... key enables support for OS 2 and POSIX subsystem support For CC compliancy all subsystem support should be removed Disable Devices Key Path HKLM SYSTEM CurrentControlSet Services Format Value Key audstub Value Name Start REG_DWORD 4 Key mnmdd Value Name Start REG_DWORD 4 Key ndistapi Value Name Start REG_DWORD 4 Key ndiswan Value Name Start REG_DWORD 4 Key ndproxy Value Name Start REG_DWORD 4 Key...

Page 155: ...AS server system by disabling all null session access over named pipes and shares Prevent Applications From Interfering With the Session Lock Key Path HKCU Software Policies Microsoft Windows Control Panel Format Value Key Desktop Value Name BlockSendInputResets REG_SZ 1 Important The aforementioned key path registry key registry value name and registry value all need to be created This key preven...

Page 156: ...eet E3 F C2 security requirements within their network and HP NAS server systems All E3 F C2 system modifications within this document are based upon the Information Technology Evaluation Manual ITSEM at http www boran com security itsem html to meet Information Technology Security Evaluation Criteria ITSEC security requirements within the United Kingdom Germany France and the Netherlands To meet ...