Thursday, 18 October 2012

Windows 2008 R2 server hardening v2

Continuing from the previous blog post: Tao's script is not only things that don't work.
Because it is coded so nicely, you can edit SecPolicy.inf to make it do more, for example:

Under [System Access] you can add

PasswordHistorySize = 13
PasswordComplexity = 1
MaximumPasswordAge = 42
MinimumPasswordAge = 2
MinimumPasswordLength = 8
ResetLockoutCount = 2880
LockoutBadCount = 2
LockoutDuration = -1


which lets you define the Account Policies more precisely
(more details at TechNet)

and under [Registry Values] add

MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,1
MACHINE\Software\Microsoft\ServerManager\Oobe\DoNotOpenInitialConfigurationTasksAtLogon=4,1

These will force users to press CTRL+ALT+DEL to log on to the system,
clear the page file (swap) at shutdown (this can be an audit requirement in some environments),
and finally get rid of the Initial Configuration Tasks screen.
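
To confirm the values above actually took effect once the script has run, here is a PowerShell check that exports the effective policy with secedit and compares it, together with the three registry values, against what is listed in this post. It is an added example, not part of Tao's script or the original post; the scratch file name is an assumption.

```powershell
# Added example: audit the settings this post adds to SecPolicy.inf. Run elevated.
# Expected values are the ones listed in the post; $cfg is a scratch path chosen here.
$expected = @{
    PasswordHistorySize   = '13';  PasswordComplexity = '1'
    MaximumPasswordAge    = '42';  MinimumPasswordAge = '2'
    MinimumPasswordLength = '8';   ResetLockoutCount  = '2880'
    LockoutBadCount       = '2';   LockoutDuration    = '-1'
}
$cfg = Join-Path $env:TEMP 'effective-secpol.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null

# Parse only the [System Access] section of the exported INF.
$actual = @{}
$inSection = $false
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]\s*$') { $inSection = ($matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $actual[$matches[1]] = $matches[2] }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

$failed = 0
foreach ($name in $expected.Keys) {
    if ($actual[$name] -ne $expected[$name]) {
        Write-Host ("MISMATCH {0}: expected {1}, found {2}" -f $name, $expected[$name], $actual[$name])
        $failed++
    }
}

# Registry values from [Registry Values]; the leading "4," in the INF means REG_DWORD.
$regChecks = @(
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableCAD'; Value = 0 },
    @{ Path = 'HKLM:\System\CurrentControlSet\Control\Session Manager\Memory Management'; Name = 'ClearPageFileAtShutdown'; Value = 1 },
    @{ Path = 'HKLM:\Software\Microsoft\ServerManager\Oobe'; Name = 'DoNotOpenInitialConfigurationTasksAtLogon'; Value = 1 }
)
foreach ($c in $regChecks) {
    $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $found = if ($item) { $item.($c.Name) } else { $null }
    if ($found -ne $c.Value) {
        Write-Host ("MISMATCH {0}: expected {1}, found {2}" -f $c.Name, $c.Value, $found)
        $failed++
    }
}
if ($failed) { Write-Host "$failed setting(s) differ" } else { Write-Host 'All settings match' }
```

On a domain-joined server the account policy reported here is whatever the domain GPO enforces, so a mismatch in the first section may come from the domain rather than from SecPolicy.inf.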

Because the script changes the system names and makes all those other changes, SNMP/WMI has to be installed early if we need it, so 0_Mine.PS1 comes in handy once again.

Add to 0_Mine.PS1 (replacing the <> entries, of course):

## Install SNMP
Write-Host "Installing and configuring SNMP..." -ForegroundColor $Global:OnScreenMsgColor
dism /online /enable-feature /featurename:SNMP
dism /online /enable-feature /featurename:WMISnmpProvider
# Community right 4 = READ ONLY
reg add "HKLM\SYSTEM\CurrentControlSet\services\SNMP\Parameters\ValidCommunities" /v <RO_COMMUNITY_NAME> /t REG_DWORD /d 4 /f
# Only accept SNMP packets from the monitoring host
reg add "HKLM\SYSTEM\CurrentControlSet\services\SNMP\Parameters\PermittedManagers" /v 2 /t REG_SZ /d <IP_OF_UR_NAGIOS_BOX> /f
reg add "HKLM\SYSTEM\CurrentControlSet\services\SNMP\Parameters\RFC1156Agent" /v sysServices /t REG_DWORD /d 79 /f


That's all for now.. more to come :)
