NIST Recommendations for System Administrators for Securing Windows 2000 Professional Tony Harris, Booz Allen Murugiah Souppaya, NIST

NIST Recommendations for System Administrators for Securing Windows 2000 Professional

Tony Harris, Booz Allen
Murugiah Souppaya, NIST

Outline
- Introduction
- Why we did it
- General hardening principles
- Securing Windows 2000 Professional
- Securing popular applications
- NIST Template
- Contact information

NIST Assets Include:
- 3,000 employees
- 1,600 guest researchers
- $760 million annual budget
- NIST Laboratories -- National measurement standards
- Advanced Technology Program -- $570 million current R&D partnerships with industry
- Manufacturing Extension Partnership -- 400 centers nationwide to help small manufacturers
- Baldrige National Quality Award

NIST’s mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life.

National Institute of Standards and Technology

NIST Measurement and Standards Laboratories

NIST Mandate for Computer Security

Develop standards and guidelines for the Federal government

Contribute to improving the security of commercial IT products and strengthening the security of users’ systems and infrastructures

Computer Security Division Mission

To improve information systems security by:
- raising awareness of IT risks, vulnerabilities and protection requirements, particularly for new and emerging technologies;
- researching, studying, and advising agencies of IT vulnerabilities and devising techniques for the cost-effective security and privacy of sensitive Federal systems;
- developing standards, metrics, tests and validation programs:
  - to promote, measure, and validate security in systems and services
  - to educate consumers
  - to establish minimum security requirements for Federal systems
- developing guidance to increase secure IT planning, implementation, management and operation.

Recent Documents
- Securing Wireless Networks: A Manager’s Guide
- Designing Secure Wireless Networks
- Network Testing Guide
- Applying Security Patches
- Securing Your Public Webserver
- Security Issues and Solutions for E-mail
- Telecommuting Security Cookbook
- System Administrator Guidance for Securing MS Windows 2000 Professional System

Why did we do it?
- NIST recognized a need for a guide to consolidate various best practices
- Very little federal guidance exists for securing popular applications
- Guide designed for educated users and administrators

Goals
- Secure Windows 2000 Professional and the suite of applications found on a desktop system
- Built on the existing resources, i.e. guides, documents, and recommendations produced by NSA, Microsoft, and the security community
- A complete, unified how-to document covering installation and configuration of the OS and common applications, with references and pointers to specialized resources

Document Structure
- High level overview of Windows 2000 built-in security features
- Windows 2000 Professional installation recommendations
- Patching and Updating
- Securing the OS
- Application security
- Description of modified registry keys
- Various references for further research

General OS Hardening Principles
- Perform a clean installation
- Install OS updates and patches
- Remove and disable unnecessary services, utilities, and applications
- Restrict access to the OS critical binaries and system configuration files and utilities
- Least privilege – administrator and user role
- Protection of user data through discretionary access control
- Auditing critical files

General Principles for protecting applications against active content
- Install virus scanners
  - Keep updated
  - Enable e-mail attachment scanning
- Keep applications updated
- Remove VBS and VBE file-type associations
- Set Outlook attachment security to high
- Set macro security to High
- Enable digital signatures for safe Macros
- Set Internet Zone security to high
- Utilize Trusted Site Zone

System Administrator Guidance for Securing Microsoft Windows 2000 Professional System - Overview

- Install OS and default applications
- Fully patch the OS and applications
- Configure applications
- Review the template settings and customize for your environment
- Apply the security template
- Test the settings
- Deploy within your environment

Windows 2000 Professional Installation
- Perform the installation on a secure network segment or off the network
- Partition the Hard Drive using NTFS for system and data files
- Install OS with minimum required services
- Install Internet Protocol (TCP/IP) networking and Client for Microsoft Networks only

Application Installation
- Install an anti-virus scanner, e.g. Norton Antivirus, McAfee, or F-Secure
- Install an e-mail client, e.g. Eudora or MS Outlook 2000
- Install the browser, e.g. Internet Explorer 6 or Netscape 4.79
- Install MS Office 2000, i.e. select only the required components
- Run and test each application

Updates and Patches
- Apply the latest service pack, i.e. SP2
- Download and install the required hotfixes from the Microsoft security site, http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/current.asp
- Windows Update can be used to download and install the patches; use caution for initial updates, since this method requires a connection to the Internet.
- Download and install all other application patches and updates as required
- Periodically scan the system to determine patch status for the OS and all applications.

Microsoft Hotfix Service

Hfnetchk.exe
- Tool used to check the hotfix status of
  - Single computer
  - IP range
  - Entire domain
- Can be downloaded from http://www.microsoft.com/downloads/release.asp?releaseid=31154
- Latest configuration file can be manually downloaded from http://msvaus.www.conxion.com/download/xml/security/1.0/NT5/EN-US/mssecure.cab

Qchain.exe
- Allows installation of multiple hotfixes without rebooting between each
- Install hotfixes with the -z switch to disable reboot after install
- Run qchain.exe after hotfixes have been installed
- Run Qfecheck.exe /v to verify the hotfix installation
- http://support.microsoft.com/default.aspx?scid=kb;en-us;Q282784

Anti-Virus Configuration
- Ensure signatures are up to date
- Enable automatic protection
- Enable email scanning
- Enable Internet filtering
- Enable periodic scanning
- Enable heuristics, if available
- Enable automatic updating

Outlook Client Configuration
- Disable auto opening of messages
- Disable preview pane and auto preview
- Set attachment security to high
- Set security zone to Restricted
- Set macro security level to high
  - Macros will be silently disabled unless they are signed

Eudora Client Configuration
- Ensure that all executable content extension types are registered in the WarnLaunchExtensions list within the Eudora.ini file.
- Redirect the Eudora data files into the user's application directory
- Ensure that executables in HTML content are not allowed
- Do not use Microsoft's viewer
- Enable executable warnings

IE Zone Security
- Local intranet zone
  - Content located on internal network
- Trusted site zone
  - Websites entered into zone are considered reputable and/or trustworthy
- Internet zone
  - Untrusted content
- Restricted sites zone
  - Highest security level for untrusted sites and applications
- Local machine zone
  - Files on local computer

IE Configuration
- Set the Internet Zone to high
- Set the Trusted Site Zone security to Medium
- Add trusted sites that will not function with a high security setting to this zone
- Set the intranet setting to the maximum setting your environment can tolerate

Netscape Configuration
- Enable the minimum utilities required during the install
- Disable Java and JavaScript if not required
- Review plug-ins and remove undesired .dll files for the plug-ins

Office Configuration
- Enable digital signatures for trusted macros
- Ensure macro security is set to high
- Clear the “Trust all installed add-ins and templates” checkbox to apply the macro security settings to preinstalled macros
- If required within your environment, all macros can be disabled regardless of their signature status through registry settings

NIST Template Settings
- Created by combining recommendations from Microsoft, NSA, and the Security Community
- Few modifications were made to NSA’s recommendations
- Added several keys and modifications to services
- Tested all of the settings using combinations of the applications discussed within the guide

Services
- NIST Template Disabled
  - Internet Connection Sharing
  - Routing and Remote Access
  - Task Scheduler
  - Telnet
- Guidance given to administrators for disabling of additional services

Password Policy Differences
- Maximum Password Age: NSA = 42; Microsoft = 42; SANS = 45 to 90; NIST = 90
  - System Administration cost and time considerations
- Minimum Password Age: NSA = 2; Microsoft = 2; SANS = 1 to 5; NIST = 1
  - Acceptable length of time to prevent users from changing passwords to circumvent the history table
- Minimum Password Length: NSA = 12; Microsoft = 8; SANS = 8; NIST = 8
  - System Administration cost and time considerations

Account Lockout Policy
- Account Lockout duration (minutes): NSA = 15; Microsoft = 0; SANS = 240; NIST = 15
  - System Administration cost and time considerations
- Account Lockout Threshold: NSA = 3; Microsoft = 5; SANS = 5; NIST = 3
  - Shorter account lockout duration allows us the ability to decrease the lockout threshold
- Reset Account Lockout Counter After (minutes): NSA = 15; Microsoft = 30; SANS = 240; NIST = 15
  - System Administration cost and time considerations
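
As an added example (not part of the NIST slides or template), the following Python code reads the [System Access] section of an exported security template and reports, for each of the four guides compared on the password and account lockout slides above, which settings fall outside that guide's value or range. The mapping from slide labels to secedit key names, the function names and the sample template are assumptions of this example.

```python
import configparser

# Inclusive (low, high) bounds copied from the password and lockout slides.
# The secedit [System Access] key names used for each slide label are an
# assumption of this example; the slides do not name the template keys.
KEYS = ("MaximumPasswordAge", "MinimumPasswordAge", "MinimumPasswordLength",
        "LockoutDuration", "LockoutBadCount", "ResetLockoutCount")
GUIDES = {
    "NSA":       ((42, 42), (2, 2), (12, 12), (15, 15), (3, 3), (15, 15)),
    "Microsoft": ((42, 42), (2, 2), (8, 8), (0, 0), (5, 5), (30, 30)),
    "SANS":      ((45, 90), (1, 5), (8, 8), (240, 240), (5, 5), (240, 240)),
    "NIST":      ((90, 90), (1, 1), (8, 8), (15, 15), (3, 3), (15, 15)),
}


def read_system_access(inf_text):
    """Return the [System Access] section of a security template as {key: int}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the template's key capitalisation
    parser.read_string(inf_text)
    if not parser.has_section("System Access"):
        return {}
    values = {}
    for key, raw in parser.items("System Access"):
        try:
            values[key] = int(raw)
        except ValueError:
            pass  # non-numeric entries are not compared
    return values


def deviations(inf_text):
    """Map each guide to the settings that are missing or outside its bounds."""
    actual = read_system_access(inf_text)
    report = {}
    for guide, bounds in GUIDES.items():
        report[guide] = [
            key for key, (low, high) in zip(KEYS, bounds)
            if key not in actual or not low <= actual[key] <= high
        ]
    return report


# Constructed sample template carrying the NIST column's values.
SAMPLE_TEMPLATE = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 8
LockoutBadCount = 3
ResetLockoutCount = 15
LockoutDuration = 15
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for guide, keys in deviations(SAMPLE_TEMPLATE).items():
        print(guide, "differs on:", ", ".join(keys) or "nothing")
```

A setting is reported when it differs from the numbers on the slides; the comparison makes no judgement about which value is stricter.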

Audit Policy
- Audit Directory Service Access: NSA = None; Microsoft = Not Defined; SANS = Success, Failure; NIST = None
- Audit Object Access: NSA = Failure; Microsoft = Success, Failure; SANS = Success, Failure; NIST = Failure
- Audit Privilege Use: NSA = Failure; Microsoft = Success, Failure; SANS = Success, Failure; NIST = Failure
- Changes made for reduction of log entries

User Rights Assignment
- Access this computer from the network: NSA = Users, Administrators; Microsoft = Not Defined; SANS = None; NIST = Users, Administrators
- Bypass traverse checking: NSA = Users; Microsoft = Not Defined; SANS = Administrators; NIST = Users
  - Some directory permissions require this privilege
- Change system time: NSA = Administrators; Microsoft = Not Defined; SANS = Admin, Auth Users; NIST = Administrators
  - Restricted for Audit purposes

User Rights Assignment
- Force shutdown from a remote location: NSA = Administrators; Microsoft = Not Defined; SANS = None; NIST = Administrators
  - System Administration cost and time considerations

Security Options
- Lan Manager Authentication Level: NSA, Microsoft & NIST = NTLMv2/Refuse NTLM&LM; SANS = NTLMv2 or NTLM
  - For use in Windows 2000 only environment
- Shutdown immediately if unable to log security audits: NSA = Enabled; Microsoft = Disabled; SANS = Enabled if 9 to 18 Gb; NIST = Disabled/Enable if site policy requires it

SynAttackProtect
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect = 2
- Hardens TCP stack against SYN attacks
- Adjusts the retransmission delays for SYN-ACKs
- TCP connection requests time out quickly when a SYN attack is in progress.

TcpMaxHalfOpen
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen = 100
- This key controls the number of connections in the SYN-RCVD state allowed before SYN-ATTACK protection begins to operate.

TcpMaxHalfOpenRetried
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried = 80
- The TcpMaxHalfOpenRetried parameter controls the number of connections in the SYN-RCVD state for which there has been at least one retransmission of the SYN sent, before SYN-ATTACK protection begins to operate.

EnablePMTUDiscovery
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery = 1
- Limits TCP segments to the largest packet size allowed to a remote host to eliminate packet fragmentation.

EnableICMPRedirects
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirects = 0
- This parameter controls whether Windows 2000 will alter its route table in response to ICMP redirect messages that are sent to it by network devices such as routers.

AeDebug\Auto
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Auto = 0
- This setting disables auto start of the Dr. Watson program debugger on Windows 2000 Professional. To re-enable the debugger, type the following at the command line: drwtsn32 -i
- The debugger dump files can contain sensitive information.

CreateCrashDump
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DrWatson\CreateCrashDump = 0
- If Dr. Watson is enabled this setting prevents sensitive information from being dumped from memory.
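
As an added example (not part of the NIST slides or template), the following Python code audits the text of a regedit export against the seven registry values listed on the slides above and reports every value that is missing or different. The function names and the sample export are constructed for illustration; regedit version 5.00 exports are normally UTF-16 and must be decoded before being passed in.

```python
import re

TCPIP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
AEDEBUG = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug"
DRWATSON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DrWatson"
# Expected values exactly as listed on the registry slides above.
BASELINE = {
    (TCPIP, "SynAttackProtect"): 2,
    (TCPIP, "TcpMaxHalfOpen"): 100,
    (TCPIP, "TcpMaxHalfOpenRetried"): 80,
    (TCPIP, "EnablePMTUDiscovery"): 1,
    (TCPIP, "EnableICMPRedirects"): 0,
    (AEDEBUG, "Auto"): 0,
    (DRWATSON, "CreateCrashDump"): 0,
}
KEY_LINE = re.compile(r"^\[([^\]]+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')

def parse_reg_export(text):
    """Return {(key, value_name): int_or_str}; only dword and string data."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1).lower()  # registry paths are case-insensitive
            continue
        m = VALUE_LINE.match(line)
        if key is None or not m:
            continue
        name, raw = m.group(1).lower(), m.group(2).strip()
        if raw.lower().startswith("dword:"):
            values[(key, name)] = int(raw[6:], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            data = raw[1:-1]  # string data; numeric strings compare as ints
            values[(key, name)] = int(data) if data.isdigit() else data
    return values

def audit(text):
    """Return (value_name, expected, found) per deviation; found is None if absent."""
    actual = parse_reg_export(text)
    return [(name, want, actual.get((key.lower(), name.lower())))
            for (key, name), want in BASELINE.items()
            if actual.get((key.lower(), name.lower())) != want]

# Constructed sample export, not taken from a real machine.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000000
"TcpMaxHalfOpen"=dword:00000064
"EnablePMTUDiscovery"=dword:00000001
"EnableICMPRedirects"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
"Auto"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DrWatson]
"CreateCrashDump"=dword:00000000
"""

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT))
```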

Future
- Welcome inputs and suggestions from the Security Community
- Areas
  - Windows 2000 Server and active directory
  - Windows XP Professional and Home
  - Microsoft .NET
- Suggestions: [email protected]

Conclusion
- Document: http://csrc.nist.gov/itsec/download_W2Kpro.html
- Comments, suggestions, and questions: [email protected]

Disclaimer

Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.

The following information is provided for Civil and Government agencies requiring security configuration guidelines.

Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment.

This document is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment. Furthermore this guide does not address site-specific configuration issues. Care must be taken when implementing this guide to address local operational and policy concerns.

This document and templates were developed at the National Institute of Standards and Technology by employees of the Federal Government in the course of their official duties. Pursuant to title 17 Section 105 of the United States Code this document and templates are not subject to copyright protection and are in the public domain. NIST assumes no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic. We would appreciate acknowledgement if the documents and templates are used.