Friday, 19 October 2012

Windows 2008 R2 server hardening v3


In the first blog post you might have noticed that Start.PS1 calls .\4_Mine2.PS1. Today we will look at its content and what we are doing with that file.

One of the most important issues with any Windows system is keeping it up to date. Let's assume that you have a WSUS server in your network, so you need to register this new box with that WSUS. Following the scripts from another lovely blogger (Athif), we put this in our 0_Mine.PS1 file:

##**Enable Automatic Updates**
Write-Host ""
Write-Host "Configuring Automatic Updates through the WUPPS..." -ForegroundColor $Global:OnScreenMsgColor
# Stop the Windows Update agent so the client identity can be regenerated.
# A box built from a cloned image shares its SusClientId with the template,
# and WSUS then only ever shows one of the clones; deleting these values
# forces the agent to create a fresh ID on the next start.
net stop wuauserv
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
net start wuauserv
# Drop the cached authorization cookie and trigger a detection cycle.
wuauclt /resetauthorization /detectnow
# Point the client at our WSUS server (policy keys, see the .reg file below).
reg import wupps-download-only.reg
Write-Host ""
Write-Host "Forcing Update through the WUPPS..." -ForegroundColor $Global:OnScreenMsgColor
# Clear the scheduler timestamps so the agent does not wait for the next
# scheduled detection window before contacting the new server.
net stop wuauserv
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v LastWaitTimeout /f
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v DetectionStartTime /f
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v NextDetectionTime /f
net start wuauserv
Write-Host "Update Configuration Completed..." -ForegroundColor $Global:OnScreenMsgColor
Write-Host ""


The wupps-download-only.reg file contains:
-----------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate]
"WUServer"="http://wupps.localdomain.local"
"WUStatusServer"="http://wupps.localdomain.local"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate\AU]
"AutoInstallMinorUpdates"=dword:00000001
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000003
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000012
"UseWUServer"=dword:00000001

-----------------------------------------------------------

Tao's script assumes you want to disable the default Windows firewall, most likely because you will install a third-party firewall afterwards, or an anti-virus product with that functionality. Well, let's say we are poor and we need the built-in firewall to work!

###**Firewall Configuration**
Write-Host "Configuring Firewall..." -ForegroundColor $Global:OnScreenMsgColor
Write-Host "Enabling RDP to this host..." -ForegroundColor $Global:OnScreenMsgColor
netsh advfirewall firewall set rule group="remote desktop" new enable=yes
Write-Host "Allowing RDP access to our admin VLAN and another IP..." -ForegroundColor $Global:OnScreenMsgColor
netsh advfirewall firewall set rule name="remote desktop (TCP-In)" new remoteip="192.168.1.100,192.168.5.0/24" enable=yes
Write-Host "Disabling DFS Management to this host..." -ForegroundColor $Global:OnScreenMsgColor
netsh advfirewall firewall set rule group="dfs management" new enable=no
Write-Host "Enabling SNMP access to this host..." -ForegroundColor $Global:OnScreenMsgColor
netsh advfirewall firewall set rule group="SNMP Service" new enable=yes
netsh advfirewall firewall set rule group="SNMP Trap" new enable=yes
Write-Host "Firewall Configuration Complete..." -ForegroundColor $Global:OnScreenMsgColor


Lastly, the Server Manager pop-up at logon and the notification area auto-hide annoy me a bit, so...

## Disable Server Manager Login screen
Write-Host "Disabling Server Manager Pop-up..." -ForegroundColor $Global:OnScreenMsgColor
reg add HKCU\Software\Microsoft\ServerManager /v DoNotOpenServerManagerAtLogon /t REG_DWORD /d 1 /f

Write-Host "Show all icons on notification bar..." -ForegroundColor $Global:OnScreenMsgColor
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer /v EnableAutoTray /t REG_DWORD /d 0 /f

and all is well with the world again :)

NOTE! As Tao mentions in the readme.doc, "By default, Execution policy is 'Restricted' which means powershell scripts are not allowed to run." When you fix that by running

Set-ExecutionPolicy Unrestricted

keep in mind that once you are done and have rebooted the system you have to set it back:

Set-ExecutionPolicy Restricted
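An added audit script (mine, not part of the original post or Tao's scripts) that verifies the end state the commands above are supposed to produce: the WSUS policy keys from the .reg file, the RDP rule scoped to the admin addresses, DFS Management closed, the firewall on per profile, and the execution policy restored. It reads firewall rules through the HNetCfg.FwPolicy2 COM object because Windows 2008 R2 ships PowerShell 2.0 without Get-NetFirewallRule; the WSUS URL and RDP addresses are assumed to be the ones used in this post.

```powershell
# Added example: audit the hardening state described above (PowerShell 2.0 compatible).
$ExpectedWsus   = "http://wupps.localdomain.local"   # value from wupps-download-only.reg
$results = @()

function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Name; Pass = $Ok; Detail = $Detail }
}

# 1. WSUS policy keys written by the .reg import
$wu = Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -ErrorAction SilentlyContinue
$au = Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -ErrorAction SilentlyContinue
Add-Check "WSUS server set"  ($wu.WUServer -eq $ExpectedWsus) "WUServer=$($wu.WUServer)"
Add-Check "Client uses WSUS" ($au.UseWUServer -eq 1)          "UseWUServer=$($au.UseWUServer)"
Add-Check "AU on, download-only (AUOptions=3)" ($au.NoAutoUpdate -eq 0 -and $au.AUOptions -eq 3) `
          "NoAutoUpdate=$($au.NoAutoUpdate) AUOptions=$($au.AUOptions)"

# 2. Firewall: RDP reachable only from the admin scope, DFS Management closed, firewall on
$fw  = New-Object -ComObject HNetCfg.FwPolicy2
$rdp = $fw.Rules | Where-Object { $_.Name -eq "Remote Desktop (TCP-In)" } | Select-Object -First 1
Add-Check "RDP rule present and enabled" ($rdp -ne $null -and $rdp.Enabled) "Enabled=$($rdp.Enabled)"
# RemoteAddresses is returned as "ip/mask,ip/mask"; "*" means the rule is open to any source
$scoped = ($rdp -ne $null) -and ($rdp.RemoteAddresses -ne "*") -and ($rdp.RemoteAddresses -ne "")
Add-Check "RDP scoped to admin addresses" $scoped "RemoteAddresses=$($rdp.RemoteAddresses)"
# Direction 1 = inbound; any enabled inbound DFS Management rule means the group was not disabled
$dfsOpen = @($fw.Rules | Where-Object { $_.Name -like "DFS Management*" -and $_.Enabled -and $_.Direction -eq 1 })
Add-Check "DFS Management inbound rules disabled" ($dfsOpen.Count -eq 0) "$($dfsOpen.Count) enabled inbound rules"
# Profile ids: 1 = Domain, 2 = Private, 4 = Public; each should have the firewall enabled
foreach ($p in 1, 2, 4) { Add-Check "Firewall enabled for profile $p" ($fw.FirewallEnabled($p)) "" }

# 3. Housekeeping from the end of the post
$sm = Get-ItemProperty "HKCU:\Software\Microsoft\ServerManager" -ErrorAction SilentlyContinue
Add-Check "Server Manager pop-up disabled" ($sm.DoNotOpenServerManagerAtLogon -eq 1) ""
Add-Check "Execution policy restored" ((Get-ExecutionPolicy) -ne "Unrestricted") "Policy=$(Get-ExecutionPolicy)"

$results | Format-Table Check, Pass, Detail -AutoSize
```

Run it in an elevated PowerShell after the reboot; any row with Pass = False points at the step that did not take.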


That's all for now, stay tuned...

2 comments:

  1. Why disable group="dfs management"?

    1. Hey Paul,

      The principle here is to minimize the server's footprint. I do not use the DFS service, therefore I disable it; if you need it, by all means have it running.

      Cheers,

      Nik
