Wednesday, July 31, 2013

7:27 AM

Appendix A: Windows Security Questionnaire

Section 3

The Windows XP Professional Security Benchmarks represent a general
consensus of steps that can be taken to allow most of the normal functionality of a
Windows XP Professional computer, while mitigating many common Internet risks.
These settings have been presented in Section 1, and then described in greater detail in
Section 2. These two sections together constitute the CIS Windows XP Professional
Security Benchmark.
In addition to the configurations described above, there is a great deal more that
can be done, depending on what role your computer fulfills and what type of computing
environment you are in. Well-managed environments with full-time computer
security professionals may have little need for this appendix, but
there are a great many businesses, with or without dedicated personnel, who may be able
to protect themselves better with help from this question-and-answer session.
1. Does anyone on another computer use shared files or printers from your
computer?
Yes: Your Windows XP Professional computer is already capable of sharing files
and printers with other computers on your network.
Do This: Go on to the next question.
No: In addition to the steps already taken, you can DISABLE file and printer
sharing and deny remote access to your computer entirely!
Do This: Disable File and Printer Sharing:
• Click Start -> Settings -> Network and Dial-Up Connections.
• Right-click each active connection, and click Properties.
• Un-check the box for “File and Printer Sharing for Microsoft
Networks”.
• Click OK.
Do This: Deny all access from Network users:
• Click Start -> Settings -> Control Panel.
• Double-click Administrative Tools.
• Double-click Local Security Policy.
• Navigate to Local Policies -> User Rights Assignment.
• Double-click “Deny Access to this computer from the network”.
• Click Add.
• Double-click “Everyone” and click OK.
• Click OK again, and close all open windows.
2. Does your computer use resources (files or printers) stored on any other
computers on your network, other than Internet mail or Internet Browsing?
Yes: Your Windows XP Professional computer is already capable of sharing files
and printers with other computers on your network.
No: In addition to the steps already taken, you can DISABLE all Microsoft
networking and deny remote access to your computer entirely!
Do This: Disable Microsoft Networking
• Click Start -> Settings -> Network and Dial-Up Connections.
• Right-click each active connection, and click Properties.
• Un-check the box for “Client for Microsoft Networks”.
• Click OK.
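As an added verification step that is not part of the benchmark text, the PowerShell 2.0 script below (run from an elevated prompt on the workstation) checks the "No" outcome of question 1: it exports the local user-rights policy with secedit and confirms that Everyone holds the "Deny access to this computer from the network" right, then lists any non-administrative shares still published. The secedit switches, the SeDenyNetworkLogonRight policy name, the well-known SID S-1-1-0 and the Win32_Share type codes are standard Windows values, not taken from this page.

```powershell
# Added example: verify the "No" path of questionnaire item 1 (PowerShell 2.0, run elevated).
# Assumes secedit.exe and WMI are available, which they are on Windows XP Professional.

function Test-DenyNetworkLogonForEveryone {
    # secedit exports the effective local policy as a Unicode INF file.
    $inf = Join-Path $env:TEMP 'userrights.inf'
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    if (-not (Test-Path $inf)) { throw 'secedit export failed; run from an elevated prompt.' }

    # The right appears under [Privilege Rights] as, for example: SeDenyNetworkLogonRight = *S-1-1-0
    $line = Get-Content $inf -Encoding Unicode | Where-Object { $_ -match '^SeDenyNetworkLogonRight\s*=' }
    Remove-Item $inf -ErrorAction SilentlyContinue

    # Everyone is exported as its well-known SID S-1-1-0 (some exports use the account name instead).
    return [bool]($line -and ($line -match '\*S-1-1-0|Everyone'))
}

function Get-NonAdminShares {
    # Win32_Share.Type: 0 = disk, 1 = print queue; the 0x80000000 bit marks administrative shares (C$, ADMIN$, IPC$).
    Get-WmiObject Win32_Share |
        Where-Object { ($_.Type -band 0x80000000) -eq 0 } |
        Select-Object Name, Path, Type
}

if (Test-DenyNetworkLogonForEveryone) {
    Write-Host 'OK: Everyone is denied network access to this computer.'
} else {
    Write-Host 'WARNING: network access is not denied to Everyone (Appendix A, question 1).'
}

$shares = @(Get-NonAdminShares)
if ($shares.Count -eq 0) {
    Write-Host 'OK: no user-created shares are published.'
} else {
    Write-Host 'Shares still reachable from the network:'
    $shares | Format-Table -AutoSize
}
```

Administrative shares (C$, ADMIN$, IPC$) are deliberately excluded from the listing because they are governed by the separate AutoShareWks setting covered in Appendix C.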

Appendix C: Problematic Settings

In the course of developing any type of security standard, there is one perpetual
constant: Something will be broken. When you change something in favor of increasing
security, you are “breaking” a potentially vulnerable or exploitable program.
An unfortunate side effect of disabling unwanted services is that a hazardous program
or function has often also been put to legitimate use. When you disable the risky code,
a perfectly viable operation is disabled along with it.
In an effort to disclose likely sources of problems, this appendix lists some of the
settings that are known to cause problems, and what types of problems may arise. This is
not an all-inclusive list. It is provided in good faith to help you diagnose problems when
securing systems. It is subject to change as information becomes available.
3.1.1: Additional Restrictions for Anonymous connections “No Access Without
Explicit Anonymous Permissions”. Many older applications (and some new ones)
actually use Null Sessions to communicate between computers, or between processes on
the same computer. If an application fails to work once a computer is “locked down” this
should be the first setting to “undo” while troubleshooting.
3.2.1.47: LAN Manager Authentication Level set to “Send NTLMv2 response only”.
This setting will make a Windows XP computer unable to share resources with other
computers that are not set to use NTLMv2. It will make the computer unable to share
resources with Windows 95/98/Me computers unless they install the DSCLIENT.EXE
application from the Windows 2000 installation CD.
3.2.1.12: Restrict CD-ROM Access to Locally Logged-On User Only. One problem
has been identified when this setting is enabled. When users install software from
a CD-ROM drive using Microsoft Installer (.MSI) packages, the software is actually installed
by the Windows Installer service, NOT the local user. If this setting is enabled, such a
software installation cannot proceed, because of this restriction. The setting must be
changed long enough to install the software, or the package must be copied to a local or
network drive for the installation procedure to succeed.
3.2.2.9: Remove administrative shares on workstation (Professional):
HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareWks (REG_DWORD) 0.
Removing administrative shares on Windows computers is entirely
desirable if they are not going to be used. This is likely to break some applications that
use administrative shares – the most notable of which are backup and restore utilities.
4.4: File and Registry Permissions. It should go without saying that if a user or
application is attempting to access an object, and receiving an “Access Denied” error,
that some attention should be paid to the permissions applied to that object.
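To make this appendix usable as a troubleshooting aid, the following added PowerShell 2.0 script (not part of the benchmark) reads the four settings it lists and reports which of them are currently in the state that is known to break applications, together with the symptom described above. The AutoShareWks path is the one given in item 3.2.2.9; the registry locations for RestrictAnonymous, LmCompatibilityLevel and AllocateCDRoms are the standard Windows keys behind items 3.1.1, 3.2.1.47 and 3.2.1.12 and are supplied here from Windows documentation, not from this page.

```powershell
# Added example: report which Appendix C "problematic settings" are currently in effect,
# so a failing application can be matched against a likely cause (PowerShell 2.0).
# Registry locations for items 3.1.1, 3.2.1.47 and 3.2.1.12 are standard Windows keys
# supplied from Windows documentation; only the AutoShareWks path appears in the appendix.

function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

# Each entry: benchmark item, registry value, the value Appendix C warns about, and the symptom it describes.
# LmCompatibilityLevel 3 is "Send NTLMv2 response only"; levels 4 and 5 carry the same client-side restriction.
$checks = @(
    @{ Item = '3.1.1';    Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';
       Name = 'RestrictAnonymous'; Bad = 2;
       Symptom = 'Null sessions blocked; older applications that use them between hosts or processes fail' },
    @{ Item = '3.2.1.47'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';
       Name = 'LmCompatibilityLevel'; Bad = 3;
       Symptom = 'NTLMv2 only; cannot share with hosts not using NTLMv2 (Win95/98/Me without DSCLIENT)' },
    @{ Item = '3.2.1.12'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';
       Name = 'AllocateCDRoms'; Bad = '1';
       Symptom = '.MSI installs from CD-ROM fail (Windows Installer service is not the logged-on user)' },
    @{ Item = '3.2.2.9';  Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';
       Name = 'AutoShareWks'; Bad = 0;
       Symptom = 'Administrative shares removed; backup/restore utilities that rely on them break' }
)

function Get-ProblematicSettings {
    foreach ($c in $checks) {
        $current = Get-RegValue $c.Path $c.Name
        New-Object PSObject -Property @{
            Item     = $c.Item
            Setting  = $c.Name
            Current  = $(if ($current -eq $null) { '(not set)' } else { $current })
            # Compare as strings so the REG_SZ "1" of AllocateCDRoms and DWORD values are handled alike.
            InEffect = ($current -ne $null) -and ("$current" -eq "$($c.Bad)")
            Symptom  = $c.Symptom
        }
    }
}

# Print only the settings that are currently in their "problematic" state.
Get-ProblematicSettings | Where-Object { $_.InEffect } |
    Format-Table Item, Setting, Current, Symptom -AutoSize -Wrap
```

Item 4.4 (file and registry permissions) is not covered, since an "Access Denied" has to be traced to the specific object rather than to a single registry value.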

Appendix D: Windows XP Service Pack 2

Windows XP Service Pack 2 introduced a number of significant security enhancements. Most of
them break down into these ten general categories:

1. Bluetooth.
Windows XP now provides out-of-the-box support for Bluetooth connections.
Bluetooth is most commonly used for short distance communications, and makes its mark
as a replacement for infrared connections. Although Bluetooth operates in the same
frequency range as 802.11 wireless networks, it serves a very different purpose. Once
Bluetooth is configured for use on a workstation, you can access configuration options
through the control panel.
Some examples of Bluetooth connections include the following:
• Dial-up networking to connect your PC to a Bluetooth-enabled mobile phone
• Printing to a Bluetooth-enabled printer
• Host interface wireless devices such as a mouse or keyboard
• Personal networking, which creates an IP connection between two Bluetooth-enabled devices
Bluetooth obviously presents some security concerns. However, at this time, there
are no native configuration options to manage these connections. Therefore, this guide
does not currently provide any Bluetooth recommendations.
2. DCOM Permissions.
Windows machines typically host a number of DCOM services. These services can
be accessed locally by the workstation itself, or remotely from another machine.
Although local and remote calls are handled somewhat differently, they both end up
passing through the same COM engine.
Service Pack 2 adds group policy settings which control permissions for managing
DCOM components. Permissions are separated into two distinct categories: users that
can access existing DCOM services, and users that can launch or activate services.
Rights are typically assigned depending on whether the DCOM request came from the
machine itself (local), or from another machine (remote).
These settings are discussed in sections 3.2.1.9 and 3.2.1.10.
3. RPC Permissions.
RPC services behave similarly to DCOM services. They allow a remote computer to
access a service on the workstation. Each separate service requires a TCP port to be
opened on the workstation. Rather than assigning specific ports to each service, the
operating system provides a generic “portmapper.” The portmapper serves as an address
book, allowing clients to determine which port is assigned to a specific DCOM service.
With Service Pack 2, Microsoft by default requires all clients to authenticate before
being allowed to connect to a service on the workstation. In addition, clients must
authenticate before being allowed to query the portmapper to locate a specific DCOM
service.
Section 5.1.1 describes administrative template settings used to control DCOM
access permissions.
4. WebDAV Permissions.
Web (HTTP) based file management is becoming increasingly popular. Using the
standard HTTP protocol, clients can access, modify and delete files on a remote server.
As the protocol developed, Microsoft embedded the technology more deeply into the
operating system. Within XP, you are able to access files using WebDAV through the
same interface used to access network shares with NetBIOS or SMB.
The HTTP protocol uses different authentication methods from traditional Windows
networking protocols. Many systems support some robust authentication models through
HTTP, such as Kerberos or NTLM. However, clients and servers can also negotiate
“Basic” HTTP authentication, which essentially passes credentials across the network in
clear text.
Service Pack 2 introduced two new settings to protect credentials sent over HTTP
sessions. These settings are discussed in sections 3.2.2.24 and 3.2.2.25.
5. Windows Firewall.
The most significant security improvement with Windows XP Service Pack 2 is the
Windows Firewall. By default, the firewall service is enabled, and monitoring inbound
traffic on all interfaces. The service provides many very specific settings for controlling
published network ports. In addition, the service works in combination with the RPC
interface to effectively control remote access to specific RPC services, which may be
dynamically assigned listening ports.
All settings for the firewall can be managed through group policy, as described in
5.1.2.2.1.
6. Wireless Provisioning Services.
The WiFi industry has been working rapidly to recover from significant security
vulnerabilities identified in the initial implementation of 802.11 wireless networks.
Service Pack 2 provides access to the improved security options through a new feature
called “Wireless Provisioning Services.”
Wireless provisioning services provide additional controls for three specific
scenarios: the public Hotspot provider, a generic wireless Internet Service Provider, and
the corporate network. By using a Wireless Network Registration Wizard and Setup
Wizard, the client can safely connect to a service provider on an encrypted channel
without having to exchange cumbersome passwords.
At this point, no native configuration options exist to control these new wireless
configuration settings. Therefore, this guide does not provide any recommended settings
for Wireless Provisioning Services.
7. Data Execution Protection.
The most significant class of vulnerabilities remains the Buffer Overflow. With a
properly crafted exploit, an attacker can easily shut down specific services, and sometimes
even gain full control over a computer. The root problem seems extremely simple: the
attacker stuffed too much data into memory. The extra data flowed over into an area of
memory designated for something else—such as executable code—and compromised the
machine.
Windows XP Service Pack 2 provides additional protection against buffer overflows
in two ways. First, the operating system can work with the hardware to identify specific
parts of memory as “Non Executable”—NX regions. However, this requires hardware
which supports such protection. Alternatively, the operating system can perform similar
protection in code. It is not necessary to upgrade to new hardware to benefit from
Windows Data Execution Protection.
Since buffer overflows have played such a significant role in past security
vulnerabilities, this protection is considered critical in protecting the machine. Data
Execution Protection is discussed in section 3.1.3.
8. The Security Center.
The Security Center continually monitors the three cornerstones of security on the
workstation: anti-virus software, the firewall and the security updates service. When an
issue arises with any of these three items, the security center notifies the user. Individual
items can be disabled through registry keys.
The security center is discussed in section 5.3.
9. DTC Control.
Transactions can be coordinated across multiple processes using the Distributed
Transaction Coordinator (DTC). The processes could all be local to a single machine, or
they could be spread across a number of devices—file systems, message queues and
databases, for example.
Workstations rarely need to be involved in network-based distributed transactions. In
order to reduce the attack surface of the workstation, this service has been disabled by
default. The registry setting used to manage DTC settings is discussed in section
3.2.2.27.
10. Outbound Connection Throttling.
Service Pack 2 limits the number of incomplete outbound TCP connection attempts.
If an application (such as a port scanner) generates a large number of outbound
connection requests, the requests are throttled, since this activity is not normal. When
throttling occurs, event 4226, source “Tcpip” is written to the system event log.
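As an added example that is not part of the benchmark, the PowerShell 2.0 script below (run as an administrator on an SP2 workstation) checks three of the protections described in this appendix: whether the Windows Firewall is on for the standard profile, what Data Execution Protection policy and hardware support are in effect, and how often event 4226 from source "Tcpip" has been logged per day over the last week. The event ID and source are the ones cited above; the firewall registry path and the Win32_OperatingSystem DEP properties are standard Windows locations supplied from Windows documentation, not from this page.

```powershell
# Added example: check three Service Pack 2 protections (PowerShell 2.0, run elevated).
# The StandardProfile registry path and the Win32_OperatingSystem DEP properties are
# standard Windows locations, not taken from this appendix; event 4226 / source "Tcpip" is.

function Get-FirewallStandardProfileState {
    # EnableFirewall is 1 when the SP2 firewall is on for the normal (non-domain) profile.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    $p = Get-ItemProperty -Path $key -Name EnableFirewall -ErrorAction SilentlyContinue
    if ($p -eq $null) { return 'unknown (key not present; pre-SP2 system?)' }
    if ($p.EnableFirewall -eq 1) { 'enabled' } else { 'DISABLED' }
}

function Get-DepStatus {
    # SupportPolicy: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (XP SP2 default), 3 = OptOut.
    $os = Get-WmiObject Win32_OperatingSystem
    $policy = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    New-Object PSObject -Property @{
        HardwareNX = $os.DataExecutionPrevention_Available   # $true when the CPU and OS expose NX
        Policy     = $policy[[int]$os.DataExecutionPrevention_SupportPolicy]
    }
}

function Get-ConnectionThrottlingEvents([int]$Days = 7) {
    # Event 4226 from source Tcpip means the half-open outbound connection limit was hit.
    # A burst of these on a workstation is worth a look: the appendix notes that port
    # scanners trigger it, and so does some self-propagating malware.
    Get-EventLog -LogName System -Source Tcpip -After (Get-Date).AddDays(-$Days) -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 4226 } |
        Group-Object { $_.TimeGenerated.ToString('yyyy-MM-dd') } |
        Select-Object @{ n = 'Day'; e = { $_.Name } }, Count
}

"Windows Firewall (standard profile): $(Get-FirewallStandardProfileState)"
Get-DepStatus | Format-List
"Event 4226 (Tcpip) occurrences per day, last 7 days:"
Get-ConnectionThrottlingEvents | Format-Table -AutoSize
```

An empty event table is the expected result on a normally used workstation; a day with dozens of 4226 entries points at a process opening many connections at once and is a reasonable trigger for an anti-virus scan.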


Appendix E: Change History

November 6, 2003 – Version 1.0 released to public.
March 13, 2004 – Version 1.1.2 released.
Updated changes to “Debug Programs” User Right.
September 3, 2004 – Version 1.2 released.
Added section on “Security Levels”
Updated “High Security” template to comment out the SystemDrive, HKLM\Software,
and HKLM\System permissions. Administrators must manually edit the template to
enable these settings.
October 3, 2004 – Version 1.2.1 released.
Fixed references in Appendix C.
Resolved typographical errors in HiSec Template.
October 20, 2004 – Version 1.3 released.
Renamed “High Security” to “Specialized Security – Limited Functionality”.
August 22, 2005 – Version 2.0 released.
• Renumbering to accommodate added SP2 items.
• Item 2.2.4.1.2: Changed to “As Needed”
• Item 2.2.4.2.3: Changed to “As Needed”
• Item 2.2.4.3.3: Changed to “As Needed”
• Item 3.1.4 added.
• Item 3.2.1.6: Specialized level changed to “Disabled”
• Item 3.2.1.7: Specialized level changed to “Disabled”
• Item 3.2.1.8: Specialized level changed to “Not Defined”
• Item 3.2.1.9: added; previous item moved to 3.2.1.11
• Item 3.2.1.10: added; previous item moved to 3.2.1.12
• Item 3.2.1.13: Enterprise settings changed to “Enabled” and “Not Defined”
• Item 3.2.1.14: Specialized level changed to “Disabled”
• Item 3.2.1.15: Specialized level changed to “Disabled”
• Item 3.2.1.44: Added list of registry paths to Specialized level
• Item 3.2.1.45: Legacy and Enterprise levels change to “Not Defined”.
Specialized level changed to “COMCFG, DFS$”
• Item 3.2.1.50: “Require” changed to “Negotiate”
• Item 3.2.1.53: Specialized level changed to “Disabled”
• Item 3.2.1.56: Specialized level changed to “Disabled”
• Item 3.2.1.57: Enterprise and Specialized levels changed to “Not Defined”
• Item 3.2.1.58: Changed to “CREATOR OWNER”
• Item 3.2.2.1: Legacy and Enterprise changed to “Not Defined”
• Item 3.2.2.2: Changed to “Not Defined”
• Item 3.2.2.6: Changed to “Not Defined”
• Item 3.2.2.7: Legacy and Enterprise changed to “Not Defined”
• Item 3.2.2.10: Changed to “Not Defined”
• Item 3.2.2.12: Legacy and Enterprise changed to “Not Defined”
• Item 3.2.2.13: Legacy and Enterprise changed to “Not Defined”
• Item 3.2.2.14: Changed to “Not Defined”
• Item 3.2.2.15: Legacy and Enterprise changed to “Not Defined”
• Item 3.2.2.16: Legacy and Enterprise changed to “Not Defined”
• Item 3.2.2.17: Legacy and Enterprise changed to “Not Defined”
• Item 3.2.2.18: Legacy and Enterprise changed to “Not Defined”
• Item 3.2.2.19: Changed to “Not Defined”
• Item 3.2.2.20: Changed to “Not Defined”
• Item 3.2.2.22: Legacy and Enterprise changed to “Not Defined”
• Item 3.2.2.25: Legacy and Enterprise changed to “Not Defined”
• Item 3.2.2.26: Legacy and Enterprise changed to “Not Defined”
• Item 3.2.2.27: Legacy and Enterprise changed to “Not Defined”
• Item 4.1.11: Changed to “Not Defined”
• Item 4.1.14: Changed to “Not Defined”
• Item 4.2.1: Changed to “Not Defined”
• Item 4.2.5: Legacy and Enterprise changed to “Not Defined”
• Item 4.2.6: Changed to “Not Defined”
• Item 4.2.7: Changed to “Not Defined”
• Item 4.2.12: Legacy changed to “Administrators”
• Item 4.2.13: Added “Support_388945a0”
• Item 4.3.2: Changed to “Not Defined”
• Added Section 5: Administrative Templates for SP2 items
August 30, 2005 – Version 2.01
• Removed Appendix C because it was out of date
• Typo and other text corrections.
• Item 3.2.1.56: Specialized level changed to Enabled.

Thanks for reading!
