Windows 7 / Server 2008 R2 Configuration Overview. By: Robert Huth Dated: March 2014




Expectations

This Windows 7 / Server 2008 R2 (Win7-2K8) presentation is a general overview of the technical security settings that must be addressed when configuring a Win7-2K8 Information System (IS) for Defense Security Service (DSS) Office of the Designated Approving Authority (ODAA) accreditation.

The information in this presentation was derived from the ODAA Baseline Technical Security Configuration for Microsoft Windows 7 and Windows Server 2008 R2, dated July 2013. A copy of the baseline standard can be requested by sending email to odaa@dss.mil.

Note: There are some inconsistencies in the Win7-2K8 baseline standard. For example, there is no mention of the requirement that an IS must have anti-virus software. This requirement is outlined in the National Industrial Security Program Operating Manual (NISPOM) and is identified in the Known Issues published by DSS.

If you have questions about the settings defined in the Win7-2K8 baseline standard, contact your local DSS Information System Security Professional (ISSP) for clarification.

Overview
- Many companies use Microsoft operating systems (OS)
- Windows XP Service Pack (SP) 3 will reach end of life (EOL) on April 8, 2014
- Windows 7 SP1 EOL: January 2015* / January 2020**
- Windows Server 2008 R2 SP1 EOL: January 2015* / January 2020**

* Mainstream Support End Date
** Extended Support End Date
*** Support ends 24 months after the next service pack release or at the end of the product's support lifecycle, whichever comes first

New Win7-2K8 Baseline Standard
- DSS released the baseline standard for Windows 7 and Windows Server 2008 R2 (Version 1, dated July 2013)
- The baseline standard provides technical configuration settings for securing Win7-2K8
- The configuration settings are based on NISPOM standards and settings recommended by the following organizations:

Baseline Highlights
- There are 9 sections in the Win7-2K8 baseline standard
- Each section covers a range of topics, from general information to the required settings for securing the OS
- Sections 1, 2 and 3 describe general information and guidelines that should be considered
- Sections 4, 5 and 6 define Group Policy settings; settings are defined by system type:
  MUSA (Multi-user Standalone)
  P2P (Peer-to-Peer)
  Client/Server
- Section 7 defines file permission and audit requirements for Security Relevant Objects (SROs) and lists the SROs for Windows 7
- Section 8 defines additional requirements for autorun, programs and features, and services
- Section 9 explains vulnerabilities

Security Settings
- Use the Group Policy Editor to manage local computer policy
- Group Policy (Local): click Start, click Run, type gpedit.msc in the Open box
- Computer Configuration and User Configuration (tree structure)
- Left pane: lists the group policy items/sub-items
- Right pane: double-click an item to configure its setting

Group Policy Editor (Local)

Password and Account Lockout Policies
Path: Computer Configuration > Windows Settings > Security Settings > Account Policies

Password Policy
- Enforce password history: 24 passwords remembered
- Maximum password age: 60 days
- Minimum password age: 1 day
- Minimum password length: 14 characters
- Password must meet complexity requirements: Enabled
- Store passwords using reversible encryption: Disabled

Account Lockout Policy
- Account lockout duration: 0 (the account stays locked until an administrator unlocks it)
- Account lockout threshold: 3 invalid logon attempts
- Reset account lockout counter after: 60 minutes
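A check of the Account Policies values above against a running system, written for this page as an added example (it is not part of the ODAA baseline or the presentation). It assumes an elevated PowerShell prompt and that secedit exports a lockout duration of 0 as -1 in its INF file; that mapping is an assumption and is normalised in the code.

```powershell
# Added example, not part of the ODAA baseline or this presentation: exports the
# local security policy with secedit and compares the Account Policies section
# against the Win7-2K8 baseline values. Run from an elevated PowerShell prompt
# (PowerShell 2.0 syntax, so it runs on an unpatched Windows 7 / 2008 R2 build).

# Baseline values from the Password and Account Lockout slide, keyed by the names
# secedit uses in the [System Access] section of its exported INF file.
$Baseline = @{
    PasswordHistorySize   = 24   # Enforce password history (passwords remembered)
    MaximumPasswordAge    = 60   # days
    MinimumPasswordAge    = 1    # days
    MinimumPasswordLength = 14   # characters
    PasswordComplexity    = 1    # 1 = Enabled
    ClearTextPassword     = 0    # reversible encryption: 0 = Disabled
    LockoutBadCount       = 3    # Account lockout threshold (invalid attempts)
    ResetLockoutCount     = 60   # minutes
    LockoutDuration       = 0    # 0 = locked until an administrator unlocks
}

function Get-LocalAccountPolicy {
    # Export only the SECURITYPOLICY area and parse the "key = value" lines of [System Access].
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    if (-not (Test-Path $inf)) { throw 'secedit export failed; run from an elevated prompt' }
    $policy = @{}
    $inSection = $false
    foreach ($line in (Get-Content $inf)) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)') {
            $policy[$Matches[1]] = [int]$Matches[2]
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $policy
}

function Test-AccountPolicyBaseline {
    param([hashtable]$Actual, [hashtable]$Expected = $Baseline)
    foreach ($key in ($Expected.Keys | Sort-Object)) {
        $have = $Actual[$key]
        # Assumption about the export format: secedit writes -1 when the lockout
        # duration is "0 = until an administrator unlocks"; normalise it for comparison.
        if ($key -eq 'LockoutDuration' -and $have -eq -1) { $have = 0 }
        New-Object PSObject -Property @{
            Setting  = $key
            Expected = $Expected[$key]
            Actual   = $have
            Pass     = ($have -eq $Expected[$key])
        } | Select-Object Setting, Expected, Actual, Pass
    }
}

$report = Test-AccountPolicyBaseline -Actual (Get-LocalAccountPolicy)
$report | Format-Table -AutoSize
# A non-zero exit code makes the script usable as a scheduled compliance check.
if ($report | Where-Object { -not $_.Pass }) { exit 1 }
```

On a domain member the exported values reflect the effective policy, so a domain-level Default Domain Policy that differs from the baseline will show up here as a failure.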

Kerberos Policy

The Kerberos authentication protocol provides the default mechanism for domain authentication services and the authorization data that is necessary for a user to access a resource and perform a task on that resource. In most environments, the Kerberos policy settings should not need to be changed. These policy settings are applied at the domain level, and the default values are configured in the Default Domain Policy in a default installation of a Windows Server Active Directory (AD) domain.

Advanced Audit Policies
Path: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies
- Advanced auditing replaces the standard audit policies
- There are 54 audit settings to review

Advanced Audit Policies (Continued)

Account Logon
- Audit Credential Validation: Success and Failure
- Audit Kerberos Authentication Service: No Auditing
- Audit Kerberos Service Ticket Operations: No Auditing
- Audit Other Account Logon Events: No Auditing

Account Management
- Audit Application Group Management: No Auditing
- Audit Computer Account Management: Success and Failure
- Audit Distribution Group Management: No Auditing
- Audit Other Account Management Events: Success and Failure
- Audit Security Group Management: Success and Failure
- Audit User Account Management: Success and Failure

Advanced Audit Policies (Continued)

Detailed Tracking
- DPAPI Activity
- Process Creation
- Process Termination
- RPC Events
Values (transcription order; the per-subcategory assignment was not preserved): Success

DS Access
- Detailed Directory Service Replication: No Auditing
- Directory Service Access: Failure
- Directory Service Changes: No Auditing
- Directory Service Replication: No Auditing

Advanced Audit Policies (Continued)

Logon/Logoff
- Account Lockout
- IPsec Extended Mode
- IPsec Main Mode
- IPsec Quick Mode
- Logoff
- Logon
- Network Policy Server
- Other Logon/Logoff Events
- Special Logon
Values (transcription order; the per-subcategory assignment was not preserved): Success; Success and Failure; Success

Advanced Audit Policies (Continued)

Object Access
- Application Generated
- Certification Services
- Detailed File Share
- File Share
- File System
- Filtering Platform Connection
- Filtering Platform Packet Drop
- Handle Manipulation
- Kernel Object
- Other Object Access Events
- Registry
- SAM
Values (transcription order; the per-subcategory assignment was not preserved): Failure; Failure; Success and Failure

Advanced Audit Policies (Continued)

Policy Change
- Audit Policy Change
- Authentication Policy Change
- Authorization Policy Change
- Filtering Platform Policy Change
- MPSSVC Rule-Level Policy Change
- Other Policy Change Events
Values (transcription order; the per-subcategory assignment was not preserved): Success and Failure; Success

Privilege Use
- Non Sensitive Privilege Use
- Other Privilege Use Events
- Sensitive Privilege Use
Values (transcription order; the per-subcategory assignment was not preserved): Success and Failure

Advanced Audit (Continued) / Log Policies

System
- IPsec Driver
- Other System Events
- Security State Change
- Security System Extension
- System Integrity
Values (transcription order; the per-subcategory assignment was not preserved): Success and Failure; Success and Failure; Success and Failure; Success and Failure

Log Policies (Application, Security and System logs)
- Log File Path: Not Configured
- Maximum Log Size (KB): 81920 KB*
- Backup log automatically when full
- Log Access
- Retain old events
Remaining value (transcription order): Disable
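A check of the effective advanced audit policy against the subcategories whose baseline value is unambiguous in the tables above (Account Logon, Account Management and DS Access), written for this page as an added example rather than taken from the baseline or the presentation; it assumes an elevated prompt and the CSV layout that auditpol's /r switch produces.

```powershell
# Added example, not part of the ODAA baseline or this presentation: reads the
# effective advanced audit policy with "auditpol /get /category:* /r" (CSV output)
# and compares the subcategories whose baseline values the tables above state
# unambiguously. Run elevated; auditpol needs the "Manage auditing and security log" right.

# Expected "Inclusion Setting" values from the Account Logon, Account Management and
# DS Access tables. The DS Access subcategories only produce events on a domain controller.
$ExpectedAudit = @{
    'Credential Validation'                  = 'Success and Failure'
    'Kerberos Authentication Service'        = 'No Auditing'
    'Kerberos Service Ticket Operations'     = 'No Auditing'
    'Other Account Logon Events'             = 'No Auditing'
    'Application Group Management'           = 'No Auditing'
    'Computer Account Management'            = 'Success and Failure'
    'Distribution Group Management'          = 'No Auditing'
    'Other Account Management Events'        = 'Success and Failure'
    'Security Group Management'              = 'Success and Failure'
    'User Account Management'                = 'Success and Failure'
    'Detailed Directory Service Replication' = 'No Auditing'
    'Directory Service Access'               = 'Failure'
    'Directory Service Changes'              = 'No Auditing'
    'Directory Service Replication'          = 'No Auditing'
}

function Get-EffectiveAuditPolicy {
    # /r emits CSV with "Subcategory" and "Inclusion Setting" columns; drop blank lines first.
    $csv = auditpol /get /category:* /r
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed with exit code $LASTEXITCODE; run elevated" }
    $table = @{}
    foreach ($row in ($csv | Where-Object { $_ -match '\S' } | ConvertFrom-Csv)) {
        if ($row.Subcategory) { $table[$row.Subcategory.Trim()] = $row.'Inclusion Setting'.Trim() }
    }
    return $table
}

function Test-AuditPolicyBaseline {
    param([hashtable]$Actual, [hashtable]$Expected = $ExpectedAudit)
    foreach ($sub in ($Expected.Keys | Sort-Object)) {
        if ($Actual.ContainsKey($sub)) { $have = $Actual[$sub] } else { $have = '<not reported>' }
        New-Object PSObject -Property @{
            Subcategory = $sub
            Expected    = $Expected[$sub]
            Actual      = $have
            Pass        = ($have -eq $Expected[$sub])
        } | Select-Object Subcategory, Expected, Actual, Pass
    }
}

$report = Test-AuditPolicyBaseline -Actual (Get-EffectiveAuditPolicy)
$report | Format-Table -AutoSize
# Non-zero exit code so the script can run as a scheduled compliance check.
if ($report | Where-Object { -not $_.Pass }) { exit 1 }
```

Once the remaining tables are confirmed against the baseline document, their subcategories can be added to $ExpectedAudit without changing the rest of the script.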

Log Policies (Continued)

User Rights Assignments
Path: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
- Most items are configured the same for MUSA, P2P and Client/Server
- No surprises in the configuration settings
- An estimated 42 settings to review/configure
- Refer to the baseline standard for the complete list of settings

Security Options
Path: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
- 3 types of IS: MUSA, P2P, Client/Server
- An estimated 87 security settings
- Configurable options include: digital data signatures, Administrator and Guest account names, access to floppy disk, CD-ROM and USB drives, driver installation behavior, and logon prompts
- Refer to the baseline standard for the complete list of settings

Windows Firewall
Path: Computer Configuration > Windows Settings > Windows Firewall with Advanced Security - Local Group Policy Object
- Software controlled: enable/disable communication traffic
- Protect the IS from unwanted attacks: Denial of Service (DoS); malware, spyware and other viruses; printing; downloading
- Right-click to access/configure communication traffic
- 3 firewall profiles (Domain, Private, Public)
- Firewall Properties
- Connection Security Rules
- Inbound/Outbound Rules
- Firewall settings should be left Not Configured for MUSA

Windows Firewall (Continued)

Windows Firewall (Continued)
- Firewall State: On, Off, Not Configured
- Configure inbound/outbound connections
- Additional settings to consider include Notifications, Unicast, and Rule Merging (Group Policies); each item has Yes / No / Not Configured
- Logging events: identifying a log name, dropped packets, successful connections, log size
- Consider the firewall log an SRO

Windows Firewall (Continued) Create and configure custom security rules

Windows Firewall (Continued) Create and configure Inbound/Outbound rules for a Program, Port, or Predefined connections

Group Policy Processing
Path: Computer Configuration > Administrative Templates > System > Group Policy
- Registry policy processing: Not Defined
- Client/Server:
  Do not apply during periodic background processing: False
  Process even if the Group Policy objects have not changed: True

Internet Communication Policies
Path: Computer Configuration > Administrative Templates > System > Internet Communication Settings
- Turn off downloading of print drivers over HTTP
- Turn off Internet download for Web publishing and online ordering wizards
- Turn off printing over HTTP
- Turn off Search Companion content file updates
- Turn off the "Publish to Web" task for files and folders
- Turn off the Windows Messenger Customer Experience Improvement Program
- Turn off Windows Update device driver searching

Additional Settings

Run at Login
Path: Computer Configuration > Administrative Templates > System > Logon
- Do not process the legacy run list: Not Defined
- Do not process the run once list: Not Defined

Power Management
Path: Computer Configuration > Administrative Templates > System > Power Management > Sleep Settings
- Require a Password When a Computer Wakes (On Battery)
- Require a Password When a Computer Wakes (Plugged In)

Remote Assistance
Path: Computer Configuration > Administrative Templates > System > Remote Assistance
- Offer Remote Assistance: Disabled
- Solicited Remote Assistance: Disabled
- Not Defined

Additional Settings (Continued)

Remote Procedure Call
Path: Computer Configuration > Administrative Templates > System > Remote Procedure Call
- Restrictions for Unauthenticated RPC clients: Not Defined
- RPC Runtime Unauthenticated Client Restriction to Apply (applies to the setting above): Authenticated
- RPC Endpoint Mapper Client Authentication

AutoPlay Policies
Path: Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies
- Turn off Autoplay: All drives
- Default behavior for AutoRun
- Turn off Autoplay for non-volume devices

Additional Settings (Continued)

Credential User Interface
Path: Computer Configuration > Administrative Templates > Windows Components > Credential User Interface
- Enumerate administrator accounts on elevation: Disabled
- Require trusted path for credential entry

RSS Feeds
Path: Computer Configuration > Administrative Templates > Windows Components > RSS Feeds
- Turn off downloading of enclosures

HomeGroup
Path: Computer Configuration > Administrative Templates > Windows Components > HomeGroup
- Prevent the computer from joining a homegroup

Additional Settings (Continued)

Windows Explorer
Path: Computer Configuration > Administrative Templates > Windows Components > Windows Explorer
- Turn off Data Execution Prevention for Explorer: Disabled

Windows Remote Shell
Path: Computer Configuration > Administrative Templates > Windows Components > Windows Remote Shell
- Allow Remote Shell Access: Disabled

Windows Update
Path: Computer Configuration > Administrative Templates > Windows Components > Windows Update
- Configure Automatic Updates: Disabled
- Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box: Disabled

Additional Settings (Continued)

Windows Update (Continued)
- Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box: Disabled
- No auto-restart with logged on users for scheduled automatic updates installations: Disabled
- Reschedule Automatic Updates scheduled installations, Startup (minutes): 1 minute
- Specify intranet Microsoft update service location: Not Configured

Additional Settings (Continued)

Personalization
Path: User Configuration > Administrative Templates > Control Panel > Personalization
- Enable screen saver
- Force specific screen saver
- Screen saver executable name: scrnsave.scr
- Password protect the screen saver
- Screen saver timeout (seconds): 900 (= 15 minutes)

Additional Settings (Continued)

System
Path: User Configuration > Administrative Templates > System
- Prevent access to registry editing tools
  Disable regedit from running silently? Yes

Additional Settings (Continued)

Attachment Manager
Path: User Configuration > Administrative Templates > Windows Components > Attachment Manager
- Do not preserve zone information in file attachments
- Hide mechanisms to remove zone information
- Notify antivirus programs when opening attachments
Value (transcription order): Disabled

Additional Settings (Continued)

Section 6 defines additional configurations; some of the items have already been covered in the previous sections. Examples of the additional controls:
- Networking
- Printer driver installation
- Internet Communication
- Logon
- Sleep Settings
- Troubleshooting and Diagnostics
- Remote Assistance
- Windows Time Server
- Application Compatibility
- Desktop Gadgets
- Event Log Service
- Game Explorer (updating or downloading)
- HomeGroup
- Remote Desktop Services
- Etc.

File Permissions and File Auditing for SROs

Section 7 identifies Security Relevant Objects (SROs) and defines file auditing requirements. Monitor access to sensitive files, including SROs.

SRO examples:
- Audit records (local and backup copies)
- Windows\System32
- Windows\SysWOW64
- Anti-virus program folder / updates
- System recovery files
- Program or financial data
- Additional SRO files/folders (device drivers)

To access the appropriate file or folder, open Windows Explorer and follow the steps outlined below.
1. Right-click on the file/folder, then select Properties
2. Select the Security tab and click on Advanced
3. Select the Auditing tab and click on Add, then specify a user or group (e.g., Everyone)
4. Configurations: for PL1 systems, configure the file permission access attributes as shown on the next slide.

Special note: for PL2 systems, configure the following file permission access attributes: select Full Control under Failed, which checks all of the Failed check boxes.
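The PL2 audit entry from the steps above (Everyone, Full Control, Failed), checked and optionally applied on the SRO folders named on the slide, written for this page as an added example and not taken from the baseline or the presentation; it also serves as the file-auditing part of the Validation slide. The folder list is constructed from the slide and the anti-virus path is a placeholder; an elevated prompt is assumed.

```powershell
# Added example, not part of the ODAA baseline or this presentation: inspects the
# SACL of the SRO folders named on the slide and reports whether each carries the
# PL2 audit entry described there (Everyone, Full Control, Failed), optionally adding
# it. Requires an elevated prompt: reading or writing a SACL needs SeSecurityPrivilege.
param([switch]$Apply)   # -Apply adds the missing entries instead of only reporting

# Folder list constructed from the SRO examples on the slide; the anti-virus path is
# a placeholder to replace with the product's actual install folder.
$SroFolders = @(
    "$env:SystemRoot\System32",
    "$env:SystemRoot\SysWOW64",
    "$env:SystemRoot\System32\winevt\Logs",     # local audit records
    "$env:ProgramFiles\{AV-Software Folder}"    # placeholder
)
$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-SroAuditEntry {
    param([string]$Path)
    $acl = Get-Acl -Path $Path -Audit
    # Match an entry auditing failed Full Control for Everyone that propagates to
    # subfolders and files; an entry scoped to "this folder only" would miss the files inside.
    $hit = $acl.Audit | Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -and
        (($_.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Failure) -ne 0) -and
        (($_.FileSystemRights -band $FullControl) -eq $FullControl) -and
        $_.InheritanceFlags -match 'ContainerInherit' -and $_.InheritanceFlags -match 'ObjectInherit'
    }
    return [bool]$hit
}

function Add-SroAuditEntry {
    param([string]$Path)
    $acl = Get-Acl -Path $Path -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', $FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Failure)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

foreach ($folder in $SroFolders) {
    if (-not (Test-Path $folder)) { Write-Warning "missing: $folder"; continue }
    $ok = Test-SroAuditEntry -Path $folder
    if (-not $ok -and $Apply) {
        Add-SroAuditEntry -Path $folder
        $ok = Test-SroAuditEntry -Path $folder   # re-read to confirm the SACL was written
    }
    New-Object PSObject -Property @{ Path = $folder; PL2AuditEntry = $ok } |
        Select-Object Path, PL2AuditEntry
}
```

Failed-access events only appear in the Security log if the Object Access > File System subcategory is also enabled for Failure in the advanced audit policy; the SACL alone produces nothing.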

File Permission Access Attributes for PL1 SROs (Folder / File)

Vulnerabilities

Defined as any object or resource that may cause a possible threat to the operation of the accredited IS. A vulnerability may be caused by an outsider or insider threat. Vulnerabilities should be identified and a risk assessment performed to determine the overall health of the IS.

Examples:
- Accounts
- Passwords
- User rights
- Services
- Files and permissions
- Software / hardware
- Networking
- User and group accounts
- Source code

Known Issues
- Section 5.4, Windows Explorer Settings: Remove Security Tab is set to . Recommendation: apply the policy to Users and not Administrators until this is resolved.
- Section 5.2, Registry Editing Options: Prevent access to registry editing tools is set to Enabled. Recommendation: apply the policy to Users and not Administrators until this is resolved.
- Section 4.9, Windows Firewall (starting on page 22): this section has you completely configure the Windows Firewall. Recommendations: you cannot turn on Windows Firewall on the domain controller; if you do, you will stop domain-controlled activity communications. There is no baseline for configuring the DC for the ports that need to be active on the DC firewall.
- Section 8.3, Services: the standard says to disable "Windows Firewall/Internet Connection Sharing" (which is the Windows XP service name for the firewall). The Windows 7 / 2008 name for the firewall service is "Windows Firewall".

Known Issues
- Page 21 of the baseline settings: User Account Control: Admin Approval Mode for the Built-in Administrator account, and Behavior of the elevation prompt for administrators in Admin Approval Mode, is set to for MUSA / P2P / Client/Server. The behavior after this setting is implemented is that you must enter your user ID and password for every security-relevant action. Recommendation: this should remain Disabled or , and you can disable this setting while performing security activity.
- Page 10: Object Access, SAM: No Auditing. Recommend setting to Success and Failure. Redundant for the local audit setting if tampered with.
- Page 12: Application log, Backup log automatically when full is Enabled. This inherits the requirement to audit the backup log also as an SRO.
- Page 24: the log file for Windows Firewall is set to a file path that is not the standard Windows events path. This inherits the requirement to audit that log also as an SRO.

Known Issues
- Anti-virus software: not addressed in this manual. Anti-virus software is security relevant and is required to be audited as an SRO. Common file locations:
  C:\Program Files\{AV-Software Folder}
  C:\Program Files\Common Files\{AV-Software Folder}
  C:\ProgramData\{AV-Software Folder}
  C:\Program Files(x86)\{AV-Software Folder}
  C:\Program Files(x86)\Common Files\{AV-Software Folder}
  Note: the ProgramData folder is hidden; unhide it in the Explorer view options to see it.
- Event Log Reader: the Event Log Reader and DOMAIN\Event Log Reader accounts have default permissions on the %WINDOWS%\System32\Winevt\Logs folder. If you have not added the "EVENT LOG READER" account with Full Control to the permissions, you will not be able to start the Event Log service, or if it does start there will be total chaos trying to read logs and save them. The error will be ACCESS DENIED. Finally, the service will stop with the error "Windows could not start the Windows Event Log Service on Local Computer. Error 5: Access is Denied."

Validation
- Verify the system security settings
- Have others review the settings
- Validate the configuration:
  Windows\System32\ (~150 file permissions, 32-bit OS)
  Windows\SysWOW64\ (~132 file permissions, 64-bit OS)
  Windows\WinSxS\ (~ file permissions, 64-bit OS)
  File and folder permissions
  Event logs
  User accounts
  Local and domain policies
- Use software tools:
  SRO NISP tool (works on older Windows OS; retired)
  Gold Disk (retired)
  Retina scan
  GPResult tool
  Security Content Automation Protocol (SCAP)
- Northrop Grumman (NG) developed a PL-1 content benchmark; DSS has not approved the PL-1 content from NG

Wrap Up
- Software: know what is and is not an SRO
- Hardware: know what it does
- Patches: know what software updates are done and why
- Software activation: do you have a way to activate software (activation code) once the system is installed with no internet connection?
- IS support: do you have support when you need it for the accredited IS?
- Verify technical and non-technical controls: do the configurations match?
- Know the program requirements: work with the program before you start purchasing equipment
- Set up / test / validate the IS: verify the equipment, software and security measures are in place and working as defined

References
- DSS ODAA Windows 7 / Server 2008 R2 baseline standard: http://www.dss.mil/odaa
- DSS ISSPs and RDAAs throughout the United States
- Dayton ISSM Working Group (DISSMWG): https://infocenter.caci.com/sites/dissmwg
- Microsoft: http://www.microsoft.com
- Lockheed Martin Aero (Fort Worth, TX; Palmdale, CA; Marietta, GA)
- National Information System Security Committee (ISSC)
- Local NCMS Dallas / Fort Worth Chapter and ISSIG

Questions?

Robert Huth, ISSM
Elbit Systems of America
817-231-4475 (office)
Email: robert.huth.elbitsystems-us.com