malakai1911 Posted May 5, 2009

Okay folks, here's a release candidate of a Windows Security Policy Template that I have been working with. It acts to 'harden' some Windows settings. As time passes, I will include more modifications to it. Please test it out and comment on it. It'll go into my security guide (as a download, not as a codebox) once I am satisfied with it.

Note: This template is for Windows 2000, XP, Vista, and Windows 7.

```ini
; Comprehensive Security Guide
; Security Configuration Template
; for Windows 2000 / XP / Vista / 7
; by malakai1911
;
; Template Name: security.inf
; Template Version: 0.9.100 - RC (05 MAY 2009)
; Template Description: This is a release candidate of my local security policy, which includes modified services and integrated registry tweaks.
;
; Known Issues: On some systems, non-critical errors will be logged in %windir%\security\logs\scesrv.log, due to services tweaks
; covering all systems.
;
[Profile Description]
%SCESecureWSProfileDescription%

[version]
signature="$CHICAGO$"
revision=1

[System Access]
;----------------------------------------------------------------
; Account Policies - Password Policy
;----------------------------------------------------------------
MinimumPasswordAge = 2
MaximumPasswordAge = 45
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
ClearTextPassword = 0
LSAAnonymousNameLookup = 0
EnableGuestAccount = 0
;----------------------------------------------------------------
; Account Policies - Lockout Policy
;----------------------------------------------------------------
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30

;----------------------------------------------------------------
; Event Log - Log Settings
;----------------------------------------------------------------
; Audit Log Retention Period:
; 0 = Overwrite Events As Needed
; 1 = Overwrite Events As Specified by Retention Days Entry
; 2 = Never Overwrite Events (Clear Log Manually)
[System Log]
MaximumLogSize=16384
AuditLogRetentionPeriod=0
RestrictGuestAccess=1

[Security Log]
MaximumLogSize=65536
AuditLogRetentionPeriod=0
RestrictGuestAccess=1

[Application Log]
MaximumLogSize=16384
AuditLogRetentionPeriod=0
RestrictGuestAccess=1

;----------------------------------------------------------------
; Local Policies\Audit Policy
;----------------------------------------------------------------
[Event Audit]
AuditSystemEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 2
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 3
AuditLogonEvents = 3

;----------------------------------------------------------------
; Privilege Rights
;----------------------------------------------------------------
[Privilege Rights]
SeNetworkLogonRight=*S-1-5-32-545,*S-1-5-32-544
SeTcbPrivilege=
SeInteractiveLogonRight=*S-1-5-32-544,*S-1-5-32-545
SeSystemTimePrivilege=*S-1-5-32-544
SeCreatePagefilePrivilege=*S-1-5-32-544
SeDebugPrivilege=*S-1-5-32-544
SeDenyNetworkLogonRight=*S-1-5-32-546
SeRemoteShutdownPrivilege=*S-1-5-32-544
SeAuditPrivilege=*S-1-5-19,*S-1-5-20
SeIncreaseBasePriorityPrivilege=*S-1-5-32-544
SeLoadDriverPrivilege=*S-1-5-32-544
SeLockMemoryPrivilege=
SeSecurityPrivilege=*S-1-5-32-544
SeSystemEnvironmentPrivilege=*S-1-5-32-544
SeManageVolumePrivilege=*S-1-5-32-544
SeSystemProfilePrivilege=*S-1-5-32-544
SeUndockPrivilege=*S-1-5-32-544,*S-1-5-32-545
SeAssignPrimaryTokenPrivilege=*S-1-5-19,*S-1-5-20
SeShutdownPrivilege=*S-1-5-32-544,*S-1-5-32-545
SeTakeOwnershipPrivilege=*S-1-5-32-544

;----------------------------------------------------------------
; Services
;----------------------------------------------------------------
; 2 = Automatic, 3 = Manual, 4 = Disabled
[Service General Setting]
"Alerter",4,"" ; Alerter (Disabled)
"PeerDistSvc",4,"" ; BranchCache (Disabled)
"ClipSrv",4,"" ; ClipBook (Disabled)
"TrkWks",4,"" ; Distributed Link Tracking Client (Disabled)
"Dnscache",4,"" ; DNS Client (Disabled)
"CiSvc",4,"" ; Indexing Service (Disabled)
"Messenger",4,"" ; Messenger (Disabled)
"NetDDE",4,"" ; Network DDE (Disabled)
"NetDDEdsdm",4,"" ; Network DDE DSDM (Disabled)
"CscService",4,"" ; Offline Files (Disabled)
"RemoteRegistry",4,"" ; Remote Registry (Disabled)
"seclogon",3,"" ; Secondary Logon (Manual)
"SSDPSRV",4,"" ; SSDP Discovery Service (Disabled)
"LmHosts",4,"" ; TCP/IP NetBIOS Helper (Disabled)
"TlntSvr",4,"" ; Telnet (Disabled)
"upnphost",4,"" ; Universal Plug and Play Device Host (Disabled)
"WebClient",4,"" ; WebClient (Disabled)
"WinRM",4,"" ; Windows Remote Management (WS-Management) (Disabled)

;----------------------------------------------------------------
; Registry Values
;----------------------------------------------------------------
[Registry Values]
; Registry value name in full path = Type, Value
; REG_SZ ( 1 )
; REG_EXPAND_SZ ( 2 ) // with environment variables to expand
; REG_BINARY ( 3 )
; REG_DWORD ( 4 )
; REG_MULTI_SZ ( 7 )

;----------------------------------------------------------------
; Account and Password Related
;----------------------------------------------------------------
; Account Policies - Password Policy
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\disablepasswordchange=4,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\maximumpasswordage=4,30
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\requirestrongkey=4,1
; Password Security and Related
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\requiresignorseal=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\sealsecurechannel=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\signsecurechannel=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"2"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,14
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,"1"
; Other
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD=1,"2"
MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers=4,0
MACHINE\Software\Microsoft\Driver Signing\Policy=3,1

;----------------------------------------------------------------
; Network Policies - TCP/IP Stack Hardening ( http://msdn.microsoft.com/en-us/library/aa302363.aspx )
;----------------------------------------------------------------
; SYN Attack Protection & Protection Thresholds
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect=4,1
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxPortsExhausted=4,5
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen=4,500
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried=4,400
; Additional Protections
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions=4,2
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions=4,2
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery=4,1
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime=4,300000
MACHINE\System\CurrentControlSet\Services\IPSEC\NoDefaultExempt=4,1
; NetBIOS Protections
MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand=4,1
; Protection Against ICMP, SNMP Attacks
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect=4,0
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect=4,0
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery=4,0
; Protection against External Attacks
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting=4,1
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableMulticastForwarding=4,0
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableAddrMaskReply=4,0

;----------------------------------------------------------------
; Security Options
;----------------------------------------------------------------
; Disable Default ("Administrative") Shares
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\AutoShareServer=4,0
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\AutoShareWks=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoShareServer=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoShareWks=4,0
; NetBIOS Security (Disable LM Password Hashing, Require NTLMv2)
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\NoDefaultAdminOwner=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,524288
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,524288
; Restrict Anonymous / Null Sessions
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares=7,
; Enable Signing
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\enablesecuritysignature=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\requiresecuritysignature=4,0
MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1
; Other Network Related Options
MACHINE\Software\Microsoft\OLE\EnableDCOM=1,"N"
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\autodisconnect=4,15
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\securitylevel=4,0
; ForceGuest=0 turns Simple File Sharing off for Guest
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0

;----------------------------------------------------------------
; Other
;----------------------------------------------------------------
; Disable OS/2 and POSIX subsystems
MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional=7,
MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\Posix=2,
; UAC (Vista/7)
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle=4,0
; Other
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod=4,0
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,0
MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1
MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode=4,1

[Strings]
SceInfAdministrator = "Administrator"
SceInfAdmins = "Administrators"
SceInfAcountOp = "Account Operators"
SceInfAuthUsers = "Authenticated Users"
SceInfBackupOp = "Backup Operators"
SceInfDomainAdmins = "Domain Admins"
SceInfDomainGuests = "Domain Guests"
SceInfDomainUsers = "Domain Users"
SceInfEveryone = "Everyone"
SceInfGuests = "Guests"
SceInfGuest = "Guest"
SceInfPowerUsers = "Power Users"
SceInfPrintOp = "Print Operators"
SceInfReplicator = "Replicator"
SceInfServerOp = "Server Operators"
SceInfUsers = "Users"
SceSecureWSProfileDescription = "Provides enhanced local account policies, limits the use of LanMan authentication, enables server-side SMB signing, and provides further restrictions on anonymous users. To apply to a domain member, all DC's that contain accounts of all users that logon to that member must be running NT4 SP4 or higher. See online help for further info."
```

Step 1: Save the text in the codebox as "security.inf".

Step 2: Use the following command to apply the security template: [ secedit /configure /db secedit.sdb /cfg "C:\<Path To Security.inf File>\security.inf" ]

Step 3: Reload your policy using the following command: [ secedit /refreshpolicy machine_policy ] (Windows 2000) or [ gpupdate ] (Windows XP / Vista / 7)

That's it.
malakai1911 Posted May 7, 2009

Just a few questions to whomever might have read this thread.

1. Are the instructions to use the template clear enough? If not, how can it be worded better, or what should be changed?
2. Have you used the template? If so, have you noted any negative effects from any settings or policies used?
3. (If applicable) Are there any other security-related registry tweaks that are overlooked and worth including? (I'm picky, so not just anything will get into the template.)

Thank you
Atasas Posted May 7, 2009

1 - Fairly clear to me (not to the average Joe - should be: run CMD; run regedit, then copy/paste in that window, etc...)
2 - Have started, but my registry had different/missing components already; stopped applying anything further. + There are registry tools that do optimization without manual input (no offense intended).
3 - I believe you are doing an excellent job - not many (certainly not me!) users are capable of or interested in investigating/optimising everything manually.
malakai1911 Posted May 7, 2009

1. This isn't a registry file, it's a security template. I have no idea what behavior will happen if it is imported into regedit; that's why secedit must be used.
+ Optionally, the MMC can be used: Start -> Run -> "secpol.msc". Then the "Local Security Settings" window will appear. Action -> Import Policy.
2. This can be integrated into a Windows install CD by overwriting the "defltwk.inf" file on a Windows setup disc (2000/XP). Plus I'm not entirely sure there is a single tool that performs even half of the tweaks in this template (nLite's tweaks section contains a few, hardenit.exe does some too).
3. Thanks :clap:
Lite Posted May 8, 2009

Not tried it - but I like the idea. Might be an idea to make a .bat file or something that runs it automatically though :P
malakai1911 Posted May 9, 2009

I think a batch file is a good idea and I'm playing around with a batch file.
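The three apply steps from the first post, and the "run it automatically" idea raised just above, as an added example that is not malakai1911's code or the batch file he mentions. It is a PowerShell script rather than a .bat, so it assumes PowerShell 2.0 or later (Vista/7, or XP with PowerShell installed; Windows 2000 still needs the secedit /refreshpolicy step from the first post), an elevated prompt, and security.inf saved next to the script. The working-folder path under %SystemRoot%\security\templates and the short list of read-back checks at the end are this example's own choices, not part of the template. It adds two things a plain "secedit /configure" line skips: an export of the current policy before anything changes, and a secedit /analyze pass whose log shows every setting that would change, so the template can be reviewed (and rolled back) rather than applied blind.

```powershell
# Added example, not from the thread: back up, analyze, then apply security.inf.
# Assumes PowerShell 2.0+, an elevated prompt, and security.inf beside this script.
param(
    [string]$Template,   # path to security.inf; defaults to the script folder
    [switch]$Apply       # without -Apply the script only backs up and analyzes
)
$ErrorActionPreference = 'Stop'

$scriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
if (-not $Template) { $Template = Join-Path $scriptDir 'security.inf' }
if (-not (Test-Path $Template)) { throw "Template not found: $Template" }

# secedit needs administrative rights; fail early instead of half-applying.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) prompt.'
}

# Hypothetical working folder, one per run, so databases and logs never collide.
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$workDir = Join-Path $env:SystemRoot "security\templates\hardening-$stamp"
New-Item -ItemType Directory -Path $workDir | Out-Null
$backup  = Join-Path $workDir 'before.inf'
$db      = Join-Path $workDir 'secedit.sdb'
$log     = Join-Path $workDir 'secedit.log'

# 1. Export the current effective policy. To roll back later:
#    secedit /configure /db rollback.sdb /cfg before.inf
secedit /export /cfg $backup /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed (exit $LASTEXITCODE)" }

# 2. Compare the template with the live system before touching it. The log
#    records each setting that differs ("Mismatch" lines), which is the review
#    step a bare /configure never gives you.
secedit /analyze /db $db /cfg $Template /log $log /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /analyze failed (exit $LASTEXITCODE); see $log" }
Write-Host "Analysis written to $log. First mismatches:"
Select-String -Path $log -Pattern 'Mismatch' |
    Select-Object -First 20 |
    ForEach-Object { Write-Host ('  ' + $_.Line.Trim()) }

if (-not $Apply) {
    Write-Host 'Dry run only. Re-run with -Apply to configure the system.'
    return
}

# 3. Apply. /overwrite empties the database first so only this template's
#    settings end up in it; /quiet suppresses the confirmation prompt.
secedit /configure /db $db /cfg $Template /overwrite /log $log /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed (exit $LASTEXITCODE); see $log" }

# 4. Reload policy. This is the XP/Vista/7 path; Windows 2000 uses
#    "secedit /refreshpolicy machine_policy" instead.
gpupdate /force | Out-Null

# 5. Read back a few values the template sets, so the operator sees the result
#    rather than trusting an exit code. Note that the template leaves
#    RequireSecuritySignature at 0: SMB signing is enabled, not required.
$checks = @(
    @{ Path = 'HKLM:\System\CurrentControlSet\Control\Lsa';
       Name = 'LmCompatibilityLevel';     Expect = 5 },
    @{ Path = 'HKLM:\System\CurrentControlSet\Control\Lsa';
       Name = 'NoLMHash';                 Expect = 1 },
    @{ Path = 'HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters';
       Name = 'EnableSecuritySignature';  Expect = 1 },
    @{ Path = 'HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters';
       Name = 'RequireSecuritySignature'; Expect = 0 }
)
foreach ($c in $checks) {
    $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($c.Name) } else { '<missing>' }
    $state  = if ($actual -eq $c.Expect) { 'OK  ' } else { 'DIFF' }
    Write-Host ('{0} {1}\{2} = {3} (template: {4})' -f $state, $c.Path, $c.Name, $actual, $c.Expect)
}
Write-Host "Previous policy saved to: $backup"
```

Run it once without -Apply, read the mismatch lines in the log, then run it again with -Apply. Keeping before.inf makes the rollback a second secedit /configure with that file as /cfg, which is the part a one-line batch file usually forgets.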