Thursday, 18 October 2012

Windows 2008 R2 server hardening v1


Time to stop thinking about Linux hardening (at least for a while) and take a quick look at Windows 2008 R2. One would be crazy to have an infrastructure with just Windows or just Linux, so both need to be brought up to an acceptable level (out of the box never works; I am not going to debate that).

I found the following resources quite useful:

Link 1
Link 2 (pdf)
Link 3 (MS technet)
Link 4 (blog)
Link 5 (blog)

The last link (Tao Yang) is a brilliant collection of PowerShell scripts which do many wonderful things.

Unfortunately nothing works out of the box so...

You can create a 0_Mine.PS1 which you can include in Start.PS1 (around line 230) before Tao starts his own scripts.

Add this to 0_Mine.PS1:

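# Start = 4 sets the service start type to Disabled. The change applies at the next boot;
# a service that is already running is not stopped by this.
# Note: with Dhcp, LanmanServer, LanmanWorkstation and WinRM disabled, the server needs a
# static IP address and loses SMB file sharing (server and client) and PowerShell remoting.
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\iphlpsvc -Name "Start" -Value 4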
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\Dhcp -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\Spooler -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\RemoteRegistry -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\WinRM -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\UxSms -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\LanmanServer -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\LanmanWorkstation -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\lmhosts -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\CertPropSvc -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\SCPolicySvc -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\ScardSvr -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\RasMan -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\Tapisrv -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\RasAuto -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\RemoteAccess -Name "Start" -Value 4
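
To confirm the settings actually stuck after a reboot, the registry values can be read back and compared with the live service state. This is an added example, not part of the original post or of Tao Yang's scripts; the service names are the ones from the list above, and the variable names and the report layout are assumptions made for illustration.

```powershell
# Added example: audit the services that 0_Mine.PS1 sets to Start = 4.
# Written for PowerShell 2.0 (the version shipped with Windows 2008 R2).
$services = 'iphlpsvc','Dhcp','Spooler','RemoteRegistry','WinRM','UxSms',
            'LanmanServer','LanmanWorkstation','lmhosts','CertPropSvc',
            'SCPolicySvc','ScardSvr','RasMan','Tapisrv','RasAuto','RemoteAccess'

# Meaning of the Start value under HKLM:\System\CurrentControlSet\services\<name>
$startTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

$report = foreach ($name in $services) {
    $key = "HKLM:\System\CurrentControlSet\services\$name"

    if (-not (Test-Path $key)) {
        # Service key absent: the service is not installed on this server.
        New-Object PSObject -Property @{
            Service = $name; StartType = 'NotInstalled'; Status = 'n/a'; Compliant = $true
        }
        continue
    }

    # Configured start type (what the hardening script wrote)
    $start = (Get-ItemProperty -Path $key -Name Start).Start

    # Current state: a disabled service can still be running until the next reboot
    $svc    = Get-Service -Name $name -ErrorAction SilentlyContinue
    $status = if ($svc) { $svc.Status.ToString() } else { 'Unknown' }

    New-Object PSObject -Property @{
        Service   = $name
        StartType = $startTypes[[int]$start]
        Status    = $status
        Compliant = ($start -eq 4 -and $status -ne 'Running')
    }
}

# Non-compliant entries sort first ($false before $true)
$report | Sort-Object Compliant, Service |
    Format-Table Service, StartType, Status, Compliant -AutoSize

$failed = @($report | Where-Object { -not $_.Compliant })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} service(s) are not disabled or are still running." -f $failed.Count)
}
```

Run it from an elevated PowerShell prompt once before the reboot and once after; entries that show Disabled but Running before the reboot should show Stopped afterwards.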


Another thing that did not work was the IPv6 disabling bit... so Bhargav Shukla (ex-Microsoft dude) to the rescue..

technet bshukla

You can pick that up and add it to the same area in Start.PS1 but make sure it looks like this:

.\0_Mine.PS1
.\1_OSConfig.PS1
.\2_network.PS1
.\Disable-IPv6Components.ps1 -All
.\3_security.PS1
.\4_Mine2.PS1



More to come.. stay tuned (I am far from saying done on this one!)
 
