Friday, 19 October 2012

Windows 2008 R2 server hardening v3

In the first blogpost you might have noticed .\4_Mine2.PS1's existence in Start.PS1 . Today we will look at its content and what we are doing with that file.

One of the most important issues with any windows system is keeping it up to date. Lets assume that you have a WSUS in your network... so you need to register this new box to that WSUS.  Following the scripts from another lovely bloger (Athif)  we put in out 0_Mine.PS1 file:

##**Enable Automatic Updates**
Write-Host ""
Write-Host "Configuring Automatic Updates through the WUPPS..." -ForegroundColor $Global:OnScreenMsgColor
net stop wuauserv
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
net start wuauserv
wuauclt /resetauthorization /detectnow
reg import wupps-download-only.reg
Write-Host ""
Write-Host "Forcing Update through the WUPPS..." -ForegroundColor $Global:OnScreenMsgColor
net stop wuauserv
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v LastWaitTimeout /f
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v DetectionStartTime /f
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v NextDetectionTime /f
net start wuauserv
Write-Host "Update Configuration Completed..." -ForegroundColor $Global:OnScreenMsgColor
Write-Host ""

The wupps-download-only.reg file contains:
Windows Registry Editor Version 5.00




Tao's script assumes you want to disable the default windows firewall most likely because you will install a firewall afterwards or an anti-virus with that functionality as well. Well lets say we are poor and we need that firewall to work!!

###**Firewall Configuration**
Write-Host "Configuring Firewall..." -ForegroundColor $Global:OnScreenMsgColor
Write-Host "Enabling RDP to this host..." -ForegroundColor $Global:OnScreenMsgColor
netsh advfirewall firewall set rule group="remote desktop" new enable=yes
Write-Host "Allowing RDP access to our admin VLAN and another IP..." -ForegroundColor $Global:OnScreenMsgColor
netsh advfirewall firewall set rule name="remote desktop (TCP-In)" new remoteip="," enable=yes
Write-Host "Disabling DFS Management to this host..." -ForegroundColor $Global:OnScreenMsgColor
netsh advfirewall firewall set rule group="dfs management" new enable=no
Write-Host "Enabling SNMP access to this host..." -ForegroundColor $Global:OnScreenMsgColor
netsh advfirewall firewall set rule group="SNMP Service" new enable=yes
netsh advfirewall firewall set rule group="SNMP Trap" new enable=yes
Write-Host "Firewall Configuration Complete..." -ForegroundColor $Global:OnScreenMsgColor

Lastly that server manager pop-up and the notification taskbar auto-hide annoys me a bit so...

## Disable Server Manager Login screen
Write-Host "Disabling Server Manager Pop-up..." -ForegroundColor $Global:OnScreenMsgColor
reg add HKCU\Software\Microsoft\ServerManager /v DoNotOpenServerManagerAtLogon /t REG_DWORD /d 1 /f

Write-Host "Show all icons on notification bar..." -ForegroundColor $Global:OnScreenMsgColor
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer /v EnableAutoTray /t REG_DWORD /d 0 /f

and all is well with the world again :)

NOTE! As Tao mentions on the readme.doc "By default, Execution policy is “Restricted” which means powershell scripts are not allowed to run.". When you fix that by running

Set-ExecutionPolicy Unrestricted

keep in mind that when you are done and rebooted the system you have to set it back

Set-ExecutionPolicy Restricted

That's all for now, stay tuned..

Thursday, 18 October 2012

Microsoft Security Compliance Manager (Intro)

The product looked very interesting so decided to give it a go.. (its free no objections!!)


- Windows 2008 R2 SP1 box
- Microsoft .NET Framework 4
- Security Compliance Manager

Play time:

Go ahead and install the above in the order mentioned. When you reach the SCM point it will need to install SQL Server Xpress as well so go ahead and do that as well.

When the install finished the SCM will pop-up and all the basic Baselines will be imported (woohoo we are on our way!)

As you can see there is a considerable amount of work that has been done here.. you have templates for pretty much all the supported versions of windows (you must be crazy running anything outside of that matrix in your production environment!).

In addition to that each version has been categorized according to server functions (roles to use the MS language...) so its very easy to select the one you want and Duplicate (link on the column) so you can edit it further to your liking!

Moving from the customization subject which I will be coming back to later on, in the Start menu of the SCM you will see that LocalGPO is included. Go ahead and install it to the targeted systems so it can be used later on to deploy the custom Local Policy configs we will build.

When its done you can open your Powershell and go to Program Files (x86)\LocalGPO where you can find LocalGPO.wsf (simple run will give you a pop-up menu with the instructions).

The main reason behind LocalGPO is that its the only free way of distributing what we will do on SCM. The other ways all include System center which is not for everybody :P

That's all for now.. will come back to that later on.

Windows 2008 R2 server hardening v2

Continuing on the previous blogpost, Tao's script is not just things that don't work.
Because it is coded so nicely you can edit SecPolicy.inf to do more things, for example:

Under [System Access] you can add

PasswordHistorySize = 13
PasswordComplexity = 1
MaximumPasswordAge = 42
MinimumPasswordAge = 2
MinimumPasswordLength = 8
ResetLockoutCount = 2880
LockoutBadCount = 2
LockoutDuration = -1

which will enable you to define Account Policies better
(more details at technet)

and under [Registry Values] add

MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,1

Which will force users to press CTRL+ALT+DEL to log on to the system
Clear the PageFile (swap) at shutdown (usually that can be an Audit requirement for some environments)
and finally get rid of the Initial Configuration screen

Because the script changes the system names and makes all those changes if we need to install SNMP/WMI we need to do it early so 0_Mine.PS1 comes in handy once again.

Add to 0_Mine.PS1 (Replacing the <> entries of course)

## Install SNMP
Write-Host "Installing and configuring SNMP..." -ForegroundColor $Global:OnScreenMsgColor
dism /online /enable-feature:SNMP
dism /online /enable-feature:WMISnmpProvider
reg add "HKLM\SYSTEM\CurrentControlSet\services\SNMP\Parameters\ValidCommunities" /v <RO_COMMUNITY_NAME> /t REG_DWORD /d 4 /f
reg add "HKLM\SYSTEM\CurrentControlSet\services\SNMP\Parameters\PermittedManagers" /v 2 /t REG_SZ /d <IP_OF_UR_NAGIOS_BOX> /f
reg add "HKLM\SYSTEM\CurrentControlSet\services\SNMP\Parameters\RFC1156Agent" /v sysServices /t REG_DWORD /d 79 /f

That's all for now.. more to come :)

Windows 2008 R2 server hardening v1

Time to stop thinking about Linux hardening (at least for a while) and take a quick look at Windows 2008R2.. One would be crazy to have an infrastructure with just with windows OR linux so both need to be brought up to an acceptable level (out of the box never works I am not going to debate that).

The following I found to be quite useful resourses:

Link 1
Link 2 (pdf)
Link 3 (MS technet)
Link 4 (blog)
Link 5 (blog)

The last link (Tao Yang) is a brilliant collection of Powershell scripts which many wonderfull things.

Unfortunately nothing works out of the box so...

You can create a 0_Mine.PS1 which you can include in Start.PS1 (around line 230) before Tao starts his own scripts.

Add this to 0_Mine.PS1:

Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\iphlpsvc -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\Dhcp -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\Spooler -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\RemoteRegistry -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\WinRM -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\UxSms -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\LanmanServer -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\LanmanWorkstation -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\lmhosts -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\CertPropSvc -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\SCPolicySvc -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\ScardSvr -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\RasMan -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\Tapisrv -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\RasAuto -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\RemoteAccess -Name "Start" -Value 4

Another thing that did not work was the IPv6 disabling bit... so Bhargav Shukla (ex-Microsoft dude) to the rescue..

technet bshukla

You can pick that up and add it to the same area in Start.PS1 but make sure it looks like this:

.\Disable-IPv6Components.ps1 -All

more to come.. stay tunned (I am far from saying done on this one!)