ITS 3250 - Securing Systems

Security Strategies in Windows...
Chapter 11

This lesson presents a measure of closure for the Windows text for this course. Objectives important to this lesson:

  1. Hardening process
  2. Hardening authentication
  3. Directory information
  4. Administration
  5. Servers and workstations
  6. Data access controls
  7. Remote access

Concepts:
Chapter 11

Chapter 11 is about hardening Windows servers, workstations, and networks. It begins with some ideas about the hardening process.

  • disable or remove vulnerable programs - The text points out that this is the easy choice for services and programs that are not needed: what is not installed or not running cannot be attacked. It does nothing for the programs we do need, other than closing off other avenues of attack around them.
  • use controls to reduce vulnerabilities - This is harder than just turning something off, but it is the only practical option for the services a server exists to provide.

The text uses this as an introduction to hardening methods. On page 250, it presents a list of roles available in Server 2008. Each role includes several programs and services that run to enable the functions the server must perform, which is why an unneeded role is an unneeded attack surface. In the section that follows, the text lists seven roles included in Server 2008 R2. In case you are not familiar with roles and features, or the process to install and remove them, here are two videos that discuss that. I recommend that you set the playback speed a bit faster than normal if you already know a good bit about this.


The text suggests that installing Windows Server with the Server Core option gives you a minimal installation with a smaller attack surface. As discussed in this Microsoft article about Server 2016, it has only the File and Storage role installed by default. Many administrators will not care for this option because it has no GUI; it is meant to be managed remotely, with PowerShell, Server Manager, or remote management tools. This second article from Microsoft introduces you to more aspects of Server Core and links to other articles about managing and patching it. The video below, also from Will, the presenter in the two videos above, presents a short lecture and some advice about Server Core.

The text offers a confusing section about the available editions of Server 2008 and 2012. In the context of this chapter, what you need to know is how to use the roles and features wizard, which will show you what is installed on a server that you are configuring or maintaining. In that same vein, the text presents a short section on page 254 about the Security Configuration Wizard. This feature can be used to create and manage policies that relate to security and to server roles. It allows you to examine a server in your network that is running well, to create a policy based on its settings, and to push that policy to other servers you choose. Be aware that the Security Configuration Wizard exists in Server 2008 through 2012 R2 only; Microsoft removed it from Windows Server 2016 and later, where you would use security baselines and Group Policy instead. Assuming you are tired of Will, I have provided a demo of the Security Configuration Wizard from another YouTube poster.

The text recognizes that you don't have to use a utility program to remove services, but I hope you see the benefit in discovering a service running on a server where you did not expect to find it. The text recommends that you make a backup of the Windows registry before changing services manually. As the text explains on page 257, this can be done from the regedit.exe program by choosing File, Export, and saving to a new file. Exporting only the HKLM\SYSTEM\CurrentControlSet\Services key, or the single subkey for the service you are about to change, keeps the backup small and quick to re-import if the change breaks something.

The text suggests that manual changes will be needed more on workstations than on servers if you are using the utilities described above, which are only good for your servers. The text does not offer much advice about what to turn off in Windows 10. This link will take you to a nice article about shutting off unnecessary services in Windows 10. It also includes links to earlier articles about earlier versions of Windows.
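The procedure the two paragraphs above describe (find a service you did not expect, back up its registry key, then disable it) can be scripted so that the backup is never skipped. The PowerShell below is an added example for this lesson, not code from the textbook or the linked article, and it works the same way on a server or a Windows 10 workstation. The baseline list of expected service names is a constructed assumption; build yours from a machine you know to be clean.

```powershell
# Added example, not from the textbook or the linked article: find running services that
# are not in an expected baseline, show where each one's binary lives, back up the service's
# registry key, and then disable it. Run in an elevated PowerShell 5.1 or later session.
# The $Baseline list is a constructed assumption; build yours from a known-good machine.

$Baseline = @(
    'Dhcp', 'Dnscache', 'EventLog', 'LanmanServer', 'LanmanWorkstation',
    'MpsSvc', 'RpcSs', 'Schedule', 'W32Time', 'WinDefend', 'wuauserv'
)
$BackupDir = Join-Path $env:SystemDrive 'ServiceBackups'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

function Get-UnexpectedService {
    # Running services whose short name is not in the baseline, with the account they run
    # as and their binary path, so you can judge whether the service belongs on this machine.
    Get-Service | Where-Object { $_.Status -eq 'Running' -and $Baseline -notcontains $_.Name } |
        ForEach-Object {
            $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($_.Name)'"
            [pscustomobject]@{
                Name      = $_.Name
                StartType = $_.StartType
                Account   = $cim.StartName
                Path      = $cim.PathName
            }
        }
}

function Backup-ServiceKey {
    # Equivalent of regedit File > Export, limited to the one service's key.
    param([Parameter(Mandatory)][string]$Name)
    $key  = "HKLM\SYSTEM\CurrentControlSet\Services\$Name"
    $file = Join-Path $BackupDir ("{0}-{1:yyyyMMdd-HHmmss}.reg" -f $Name, (Get-Date))
    reg.exe export $key $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry export failed for $Name" }
    return $file
}

function Disable-UnexpectedService {
    # Stops the service and sets it to Disabled, but only after its key is backed up.
    # The backup is taken even on a -WhatIf dry run; that is deliberate and harmless.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)
    $backup = Backup-ServiceKey -Name $Name
    if ($PSCmdlet.ShouldProcess($Name, "Stop and disable (backup: $backup)")) {
        Stop-Service -Name $Name -Force -ErrorAction Stop
        Set-Service -Name $Name -StartupType Disabled
    }
}

# Review the list first, then act only on the services you decide are unnecessary.
$Unexpected = Get-UnexpectedService
$Unexpected | Format-Table -AutoSize
foreach ($svc in $Unexpected) { Disable-UnexpectedService -Name $svc.Name -WhatIf }
```

Remove -WhatIf from the last line to apply the change. To undo it, run `reg.exe import` on the saved .reg file (which restores the service's Start value) and then `Start-Service` for that service. Look hard at the Path and Account columns: a service running from a user-writable folder, or as LocalSystem when it has no reason to, is exactly the kind of thing the text wants you to notice.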

Obviously, you can remove installed programs and Windows features on a workstation or on a server through the Programs section in Control Panel, which takes their services with them. The text mentions this and offers suggestions on starting the utilities to do so.

On page 260, the text begins a section on authentication. The advice at the top of the next page is useful when you take over a server from a previous administrator, whether that person left under good or bad circumstances.

  • Create new accounts that you will use to administer the server or network.
  • Assign necessary rights to the new accounts. Alternatively, you may make the new accounts members of an administrator group.
  • Test the rights you think you have given to the new accounts, correcting any errors that may have been made.
  • Disable the administrator account you inherited and have been using, and any others that are suspect. You should do this right away in competitions, and you should do it to all existing accounts that have administrative rights, including the built-in Administrator account.
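The four steps above, carried out on a standalone server with PowerShell, as an added example for this lesson (not the textbook's own procedure). The account name ops-admin is an assumption; on a domain member or domain controller you would do the same thing with the ActiveDirectory module (New-ADUser, Add-ADGroupMember, Disable-ADAccount) rather than the Microsoft.PowerShell.LocalAccounts cmdlets used here.

```powershell
# Added example, not from the textbook: take over a standalone (non-domain) server inherited
# from a previous administrator, following the four steps in the lesson. Run elevated in
# PowerShell 5.1 or later. The account name 'ops-admin' is an assumption.

$NewAdmin = 'ops-admin'
$Me       = "$env:COMPUTERNAME\$NewAdmin"

# Step 1: create the new account. The password is prompted for, never stored in the script.
$Password = Read-Host -AsSecureString -Prompt "Password for $NewAdmin"
New-LocalUser -Name $NewAdmin -Password $Password -FullName 'Operations admin' `
    -Description 'Created during server handover' | Out-Null

# Step 2: grant rights through group membership rather than per-account rights.
Add-LocalGroupMember -Group 'Administrators' -Member $NewAdmin

# Step 3: test before you lock anything out. First confirm the membership resolved.
$members = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($members -notcontains $Me) { throw "$Me is not in Administrators; fix this before continuing" }

function Test-ElevatedAdmin {
    # Run this in a second, elevated session started as the new account
    # (runas /user:COMPUTERNAME\ops-admin powershell.exe). It must return True.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

$answer = Read-Host "Did Test-ElevatedAdmin return True in a session logged on as $Me? (yes/no)"
if ($answer -ne 'yes') { throw 'Stopping before any account is disabled' }

# Step 4: disable every other local account that holds administrative rights, including the
# built-in Administrator and whatever the previous administrator used. Domain principals in
# the group are reported, not disabled, since they must be handled in Active Directory.
$Others = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.Name -ne $Me }

foreach ($m in $Others) {
    if ($m.PrincipalSource -ne 'Local') {
        Write-Warning "Domain account $($m.Name) has local admin rights; review it in AD"
        continue
    }
    $user = $m.Name.Split('\')[-1]
    $u = Get-LocalUser -Name $user
    Write-Host ("Disabling {0} (last logon {1})" -f $user, $u.LastLogon)
    Disable-LocalUser -Name $user
}

# Record what is left enabled so the change is auditable.
Get-LocalUser | Where-Object Enabled | Format-Table Name, LastLogon, PasswordLastSet -AutoSize
```

The yes/no prompt is the whole point of step 3: disabling the only working administrator account because a group membership did not take is a mistake you get to make once. Keep the console session you ran this from open until you have logged on as the new account at least once.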

You should review the suggestions for changes in the Password, Account, and Kerberos policies that apply to your system. When defending your system, the Account lockout settings in Account policy directly control how many wrong guesses an attacker gets before an account locks, and for how long, so they are your main defense against online password guessing. Note that locking out on too few attempts also hands an attacker an easy denial of service against your users, so the threshold is a balance, not a race to zero.
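A quick way to see whether the lockout and password settings on a standalone machine are worth anything is to read what `net accounts` reports and compare it with a baseline. The PowerShell below is an added example for this lesson, not code from the textbook; the thresholds it checks against are assumptions chosen for the example, not values from Microsoft or the book. On a domain controller, Get-ADDefaultDomainPasswordPolicy gives you the equivalent information.

```powershell
# Added example, not from the textbook: read the local password and lockout policy that
# `net accounts` prints, parse it, and flag the settings that leave an attacker free to guess
# passwords. The thresholds below are assumptions chosen for this example, not Microsoft or
# textbook values. On a domain controller use Get-ADDefaultDomainPasswordPolicy instead.

function Get-AccountPolicy {
    # Turns lines such as "Lockout threshold:    Never" into a hashtable of setting -> value.
    $policy = @{}
    foreach ($line in (net.exe accounts)) {
        if ($line -match '^(.+?):\s+(.+)$') { $policy[$matches[1].Trim()] = $matches[2].Trim() }
    }
    return $policy
}

function ConvertTo-PolicyNumber {
    # net accounts prints 'Never', 'None' or 'Unlimited' for "no limit"; treat those as $null.
    param([string]$Value)
    if ($Value -match '^\d+$') { return [int]$Value }
    return $null
}

function Test-AccountPolicy {
    param([hashtable]$Policy = (Get-AccountPolicy))
    $findings = @()

    $threshold = ConvertTo-PolicyNumber $Policy['Lockout threshold']
    if ($null -eq $threshold) {
        $findings += 'Lockout threshold is Never: online password guessing is unlimited'
    } elseif ($threshold -gt 10) {
        $findings += "Lockout threshold $threshold is high; 5 to 10 bad attempts is typical"
    } else {
        # Only meaningful when lockout is on: a short duration or window weakens it.
        # A duration of 0 means an administrator must unlock the account, which is stricter.
        $duration = ConvertTo-PolicyNumber $Policy['Lockout duration (minutes)']
        $window   = ConvertTo-PolicyNumber $Policy['Lockout observation window (minutes)']
        if ($null -ne $duration -and $duration -gt 0 -and $duration -lt 15) {
            $findings += "Lockout duration $duration min is short"
        }
        if ($null -ne $window -and $window -lt 15) {
            $findings += "Lockout observation window $window min is short"
        }
    }

    $minlen = ConvertTo-PolicyNumber $Policy['Minimum password length']
    if ($null -eq $minlen -or $minlen -lt 12) {
        $findings += "Minimum password length is $($Policy['Minimum password length'])"
    }

    $history = ConvertTo-PolicyNumber $Policy['Length of password history maintained']
    if ($null -eq $history -or $history -lt 24) {
        $findings += "Password history is $($Policy['Length of password history maintained'])"
    }

    return $findings
}

$findings = Test-AccountPolicy
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'Account policy meets the example baseline' }

# Remediation for the lockout settings (elevated). The same values can be set in Local Security
# Policy under Account Policies > Account Lockout Policy, or pushed by Group Policy:
#   net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30
```

Run it on a freshly installed machine and you will see why the text bothers to mention this: the default lockout threshold is Never, which is the setting an attacker with a password list hopes for.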

The text warns us that Active Directory is vulnerable to your own administrators, who should be using separate, dedicated administrative accounts when they work with it, not the everyday accounts they use for email and browsing. The text is a little dry and indirect about its advice, as are most of the Microsoft documents I have found on the Internet. This article is written in a more readable way, and it offers good advice on several of the topics mentioned in the text. It also addresses the issues the text discusses under the OS Administration section.

The remaining sections of the chapter are not of much interest. We will conclude our study of this book with Lab 10 in the Jones and Bartlett labs.


Assignments

Assignments for this chapter will be found in Canvas. We will explore that in class.