Windows Security Scoring Tool v2.0.1
By Kerry Steele
Win2K-Feedback@cisecurity.org
Terms of Use Agreement

1. Grant of Permission to use the Windows 2000 Download Package consisting of the Windows 2000 Benchmark, software tools for scoring and monitoring the status of Benchmark settings at the network and system level, plus associated documentation. Subject to the terms and provisions listed below, CIS grants to you the nonexclusive and limited right to use the Windows 2000 Download Package components. You are not receiving any ownership or proprietary right, title or interest in or to the Windows 2000 Download Package components or the copyrights, trademarks, or other rights related thereto.

2. Limitations on Use. Receipt of the Windows 2000 Download Package components does not permit you to:
a. Sell the Windows 2000 Download Package components;
b. Lease or lend the Windows 2000 Download Package components;
c. Distribute the Windows 2000 Download Package components by any means, including, but not limited to, through the Internet or other electronic distribution, direct mail, retail, or mail order (Certain internal distribution rights are specifically granted to CIS Consulting and User Members as noted in (2.e.) below);
d. In any other manner and through any medium commercially exploit or use the Windows 2000 Download Package components for any commercial purpose;
e. Post the Benchmark, software tools, or associated documentation on any internal or external web site. (Consulting and User Members of CIS may distribute the Windows 2000 Download Package components within their own organization);
f. Represent or claim a particular level of compliance with the Windows 2000 Benchmark unless the system is operated by a Consulting or User Member of CIS and has been scored against the Benchmark criteria by a monitoring tool obtained directly from CIS or a commercial monitoring tool certified by CIS.

Page 2 of 34
Table of Contents

Terms of Use Agreement ... 2
Table of Contents ... 3
Introduction ... 4
  Security Template Implementation for your Organization ... 4
CIS Windows Security Tool Installation ... 5
Tool Operation: Scoring a Windows machine ... 8
Security Template Implementation ... 12
  Windows 2000 Group Policy: The Best Method ... 12
  Windows 2000 Local Computer Policy ... 13
  Windows 2000 Security Configuration and Analysis Toolset ... 14
    Creating the Toolset Snap-in ... 14
    Creating and Opening a SECEDIT Database ... 20
    Analyzing your Computer ... 21
    Configuring your Computer ... 23
    Customization of the Security Templates ... 25
  Windows NT 4.0 Security Configuration Editor ... 29
    SCE Download and Installation ... 29
Appendix A: Additional Resources on the Security Configuration and Analysis Toolset ... 32
Appendix B: Security Templates Included with the Tool ... 33
Appendix C: Applying Service Permissions ... 34
Introduction

FACT: A default installation of Windows will yield an Overall Score of zero using the CIS Windows Security Scoring Tool.

The CIS Windows Security Benchmarks specify the baseline minimum level of prudent due care which should be given when securing a Windows computer. By following the steps outlined in this document, you can fully comply with the CIS Windows Security requirements and achieve an Overall Score of ten.

So why bother scoring? Security is difficult to quantify. Do you know how secure your systems are? The CIS Windows Security Scoring Tool provides a mechanism to assign a score to a previously immeasurable factor: READINESS. Let's walk through scoring and securing a computer step-by-step.

Security Template Implementation for your Organization

Depending on your environment, there are several methods available to apply a security template:

- Domain Security Policy (Group Policy): allows you to set security options at the Domain level, for all systems and users in the domain.
- Domain Controller Security Policy (Group Policy): allows application of group policy to only the Domain Controllers within the domain.
- Local Security Policy (Group Policy): applied to an individual machine, and typically overwritten by the Domain Security Policy if the machine is joined to a Windows 2000 domain.
- Security Configuration and Analysis Toolset: provides a tool to create security templates and a method of analyzing and applying security on an individual machine based upon the configuration defined in a security template.

For an individual machine that is not a member of a Windows 2000 domain, Local Security Policy or the Security Configuration and Analysis Toolset are the only available methods of implementing a security template. For a machine that is a member of a Windows 2000 domain, the Domain Security Policy is the easiest (and best) method of applying domain-wide baseline security settings.
CIS Windows Security Tool Installation

Double-click on the CIS.msi Windows Installer Package to begin installation of the scoring tool (CIS.exe if you are running Windows NT 4.0 and have not installed the Windows Installer service).

NOTE: you must be logged in using an account with Administrative Privileges.

Follow the directions of the installation wizard. For example, the wizard prompts you to exit all other Windows applications. Click on Next.

The Readme.txt file is displayed. Take a moment to read through the installation procedures and security scoring tool operation. Click Next.

Select whether the Tool will be installed for all users or just you (the installer).

Select the installation directory; this will default to C:\Program Files\CIS. Click Next.

Installation will now begin; this should take approximately 15 seconds. You will NOT need to reboot your computer after installation. Click Next.

Installation has completed. Click Finish.

Tool Operation: Scoring a Windows machine

Now that installation is complete, we are ready to run the Security Scoring tool. Navigate to Start -> Programs -> Center for Internet Security, and you should see shortcuts for the Security Benchmark documents, one for the Readme.txt file, one for the Security Scoring Tool, and one for the.
To generate your computer's score, select Start -> Programs -> Center for Internet Security -> Windows Security Scoring Tool. In the Scoring Section, select a security template (the Level I template for your operating system will be selected by default) and click on Generate Score.

Using the Microsoft Network Security Hotfix Checker (HFNetChk) from Shavlik Technologies, the scoring tool obtains the latest database of available hotfixes. Security hotfixes are released on a regular basis, so the scoring tool must ensure that accurate, real-time data is used for needed hotfixes. More information about the Microsoft Network Security Hotfix Checker can be found at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/hfnetchk.asp

After completion of the Benchmark document security requirements, you will receive an Overall Score of 10.

The Summary Report generated by the scoring tool.
Security Template Implementation

Windows 2000 Group Policy: The Best Method

To implement a security template domain-wide, navigate to Start -> Programs -> Administrative Tools -> Domain Security Policy.

Right-click on the Security Settings node and select Import Policy... (The same can be done with the Domain Controller Security Policy.)

Navigate to the directory that contains the security template you want to apply domain-wide (C:\Program Files\CIS\Templates contains the security templates included with the tool). Select the desired template and select Open to import the template into Group Policy.
Windows 2000 Local Computer Policy

To implement a security template on an individual machine, navigate to Start -> Programs -> Administrative Tools -> Local Security Policy.

Right-click on the Security Settings node and select Import Policy...

Navigate to the directory that contains the security template you want to apply to this machine (C:\Program Files\CIS\Templates contains the security templates included with the tool). Select the desired template and select Open to import the template into the Domain Security Policy.
Windows 2000 Security Configuration and Analysis Toolset

Creating the Toolset Snap-in

Select Start -> Run -> MMC. Select Console -> Add/Remove Snap-In.

Click on Add.

Select Security Configuration and Analysis -> click on Add. Select Security Templates -> click on Add. Click Close.

NOTE: If this seems somewhat hidden, it is.

Click on OK.

Now both the Security Configuration and Analysis and Security Templates Snap-Ins are visible within the MMC.

Select Console -> Save As. Name the MMC "Security Tools", or any other name you feel is appropriate.
Creating and Opening a SECEDIT Database

Right-click on the Security Configuration and Analysis snap-in -> select Open Database.

Select the name of the database used in the previous example, or type a new name if preferred. Click Open.
Analyzing your Computer

Right-click the Security Configuration and Analysis node and select Import Policy. Select a security template from the C:\Program Files\CIS\templates directory. Check the Clear this database before importing option. Click Open.

Right-click on the Security Configuration and Analysis toolset and select Analyze Computer Now.

The default location is usually fine for the log files. Click OK.

Expand the Account Policies, Local Policies, and System Services nodes to view the elements that are defined in the security template. Any items that are red do not comply with the configuration defined in the security template. Follow the steps in the next section to configure a computer using this Security Template.
Configuring your Computer

Right-click the Security Configuration and Analysis node and select Import Policy. Select a security template from the C:\Program Files\CIS\templates directory. Check the Clear this database before importing option. Click Open.

Right-click on the Security Configuration and Analysis toolset -> select Configure Computer Now.

When prompted, select the default location for the security scan log file. When the progress window disappears, your computer will be configured according to the configuration defined in the security template.
Customization of the Security Templates

Right-click on the Security Templates node and select New Template Search Path... Navigate to the template installation directory (C:\Program Files\CIS\Templates). Click OK.

The security templates are now available for customization within the Security Toolset snap-in. Select a security template and expand the Local Policies -> Security Options node.

Some of the items in the security template should be customized. For example, the Message text for users attempting to logon, Message title for users attempting to logon, Rename administrator account, and Rename guest account values will vary for each end user. Refer to the Benchmark document for more information on each setting of the security template/local policy.

To save changes to a security template, right-click the security template -> select Save. Run the Windows Security Scoring Tool again to reflect your new score.
Windows NT 4.0 Security Configuration Editor

As of Service Pack 4, Microsoft has provided support for the Security Configuration Editor, a Windows NT 4.0 port of the Windows 2000 Security Configuration and Analysis Toolset. See the Windows 2000 sections on Creating the Toolset Snap-in, Creating and Opening a SECEDIT Database, Analyzing your Computer, Configuring your Computer, and Customization of the Security Templates.

SCE Download and Installation

Download the Security Configuration Editor from:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/tools/scm

Once the files have been downloaded and extracted, run mssce.exe. Click Yes.

When asked to install Microsoft Management Console, click Yes. (The first of two reboots.)

Click Yes to install the MMC. Installation of the SCE is now complete. Reboot.

Download and install MMC v1.2 to correct known bugs from MMC v1.0 included with the SCE:
http://support.microsoft.com/default.aspx?pr=mmc

Click Next. Click Yes to accept the EULA. Click Next. Click Finish to restart the computer.
Appendix A: Additional Resources on the Security Configuration and Analysis Toolset

The NSA provides an extensive amount of information in their Windows 2000 Security Recommendation Guides:
http://nsa2.www.conxion.com/win2k/download.htm

Guide to Securing Microsoft Windows 2000 Group Policy: Security Configuration Tool Set
http://nsa2.www.conxion.com/win2k/guides/w2k-3.pdf

Security Configuration Tool and Template Settings
http://www.sans.org/infosecfaq/win/settings.htm

An excerpt from the SANS Securing Windows 2000 Step-By-Step Guide:
http://www.sansstore.org/merchant/windows2000-sbys-chapter6.pdf

Microsoft Security Configuration Tool Set White Paper:
http://www.microsoft.com/windows2000/techinfo/howitworks/security/sctoolset.asp

Microsoft Step-by-Step Guide to Using the Security Configuration Tool Set White Paper:
http://www.microsoft.com/windows2000/techinfo/planning/security/secconfsteps.asp

Methods Used to Apply Security Settings Throughout an Enterprise:
http://support.microsoft.com/support/kb/articles/q216/7/35.asp
Appendix B: Security Templates Included with the Tool

Center for Internet Security (http://www.cisecurity.org)

  Security Template                   Description
  CIS-Win2K-Level-I-v1.1.7.inf        Windows 2000 Level I Current Release
  CIS-Win2K-Pro-Level-II-v1.0.4.inf   Windows 2000 Professional Level II Current Release
  CIS-WinNT4-Level-I-v1.0.3.inf       Windows NT Level I Current Release

National Security Agency (http://nsa1.www.conxion.com/)

  Security Template                   Description
  NSA_isa.inf                         Microsoft ISA Server 2000
  NSA_nt4_BDC.inf                     Windows NT 4.0 Backup Domain Controller
  NSA_nt4_Exchange.inf                Windows NT 4.0 with Exchange Server
  NSA_nt4_MemberServer.inf            Windows NT 4.0 Member Server
  NSA_nt4_PDC.inf                     Windows NT 4.0 Primary Domain Controller
  NSA_nt4_Workstation.inf             Windows NT 4.0 Workstation
  NSA_w2k_dc.inf                      Windows 2000 Domain Controller
  NSA_w2k_domain_policy.inf           Windows 2000 Domain Policy
  NSA_w2k_server.inf                  Windows 2000 Server
  NSA_w2k_workstation.inf             Windows 2000 Workstation

National Institute of Standards and Technology (http://csrc.nist.gov/itsec/guidance_w2kpro.html)

  Security Template                   Description
  NIST-2kdm.inf                       Windows 2000 Professional Domain Member
  NIST-2kws.inf                       Windows 2000 Professional Standalone

Microsoft (http://www.microsoft.com/downloads/release.asp?releaseid=36834)

  Security Template                   Description
  MS-Baseline.inf                     Microsoft Baseline
  MS-BaselineDC.inf                   Microsoft Baseline Domain Controller
Appendix C: Applying Service Permissions

Service permissions are applied to Windows NT 4.0 and Windows 2000 using the Security Configuration and Analysis toolset. Permissions can be viewed in the Security Templates node of the MMC Snap-in for the SCE Toolset. To configure permissions using the MMC Snap-In, see the Configuring your Computer section on page 23 of this document.

As an alternative to using the MMC Snap-in for configuring Services, this can also be scripted using a batch script or run manually using the secedit.exe utility. This method allows configuring only specific sections of a Security Template. The following example configures Windows 2000 Services using the CIS Level I Security Template. (A batch file, services.bat, is included.) (This entire statement should be executed as one command.)

    %WINDIR%\System32\secedit.exe /CONFIGURE /OVERWRITE /DB %TEMP%\secedit.sdb /CFG "C:\Program Files\CIS\Templates\CIS-Win2K-Level-I-v1.1.7.inf" /VERBOSE /AREAS SERVICES /LOG %TEMP%\secedit.log

NOTE: To accomplish this on Windows NT 4.0, the Security Configuration and Analysis Toolset should be installed as described in the Windows NT 4.0 Security Configuration Editor section of this document.
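As an added example (not the services.bat shipped with the CIS tool), the following batch script wraps the secedit command above so that a read-only analysis is logged before only the SERVICES area is applied, and the log is checked afterwards. The template path is the one used in this document; the database and log file names, and matching the log on the word "error", are assumptions.

```batch
@echo off
REM Added example, not the CIS services.bat: analyze first, then configure only the
REM SERVICES area of the CIS Level I template, and report errors found in the log.
REM Template path is the one used in this document; DB and LOG names are arbitrary.
setlocal
set TEMPLATE=C:\Program Files\CIS\Templates\CIS-Win2K-Level-I-v1.1.7.inf
set DB=%TEMP%\cis-services.sdb
set LOG=%TEMP%\cis-services.log

if not exist "%TEMPLATE%" goto notemplate

REM Start from an empty database so the template alone defines the desired state.
if exist "%DB%" del "%DB%"
if exist "%LOG%" del "%LOG%"

REM Pass 1: analysis only. Nothing on the machine is changed; the template is imported
REM into the database and every setting that differs from it is written to the log.
REM (Run without /areas, so the whole template is compared, not just services.)
%WINDIR%\System32\secedit.exe /analyze /DB "%DB%" /CFG "%TEMPLATE%" /log "%LOG%" /verbose

REM Pass 2: apply the Service General Setting section only. The database already holds
REM the template from pass 1, so /CFG is not repeated here.
%WINDIR%\System32\secedit.exe /configure /DB "%DB%" /areas SERVICES /log "%LOG%" /verbose

REM secedit does not reliably signal failures through the exit code, so inspect the log.
REM Assumption: failed settings are logged with the word "error"; review the log if unsure.
findstr /I "error" "%LOG%" >nul
if errorlevel 1 goto ok
echo One or more errors were logged. Review "%LOG%" before re-running the scoring tool.
goto end

:ok
echo Services configured from "%TEMPLATE%". Details are in "%LOG%".
goto end

:notemplate
echo Template not found: "%TEMPLATE%"

:end
endlocal
```

Re-run the Windows Security Scoring Tool afterwards to confirm the System Services items of the Benchmark now score.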