OS Hardening guides

In the bad old days Windows would install in user-friendly, super-accessible mode. You'd then run scripts to lock it down, tightening security permissions on registry keys, files and folders, applying registry tweaks, and potentially breaking stuff too. There were lots of security guides around. I'd use the NSA guides and tips from McGraw Hill's Hacking Exposed. Nowadays Windows comes secure out of the box and you install roles before it'll do anything. This is a much better place to be. Here are some current OS hardening guides:

Documented in XML with accompanying XSLT to transform to HTML on the fly. Sexy!  They mostly say no file system or registry permission changes are required for the current Microsoft operating systems. Coolio! So what’s left to do after deployment?

Don’t be swayed by security vendors’ flashy products. Start with the basics (which are not easy) and you’ll go a long way towards improving your chances.

  1. Antivirus software. Always on, always up to date. A procedure to deal with virus detections.
  2. Manage the local administrator account password. Consider disabling remote access using the administrator account (console access only).
  3. Manage membership of the local administrators group via group policy restricted groups. Automatically remove domain user accounts from the local administrators group. (Users and sysadmins do dumb things when troubleshooting; the first thing they do is add themselves or the app service account to local administrators.)
  4. Patch everything monthly. Windows Software Update Services (WSUS) is free and scriptable so use it.
  5. Scan everything regularly for vulnerabilities (e.g. with Nessus) and fix what you find.
  6. Learn the difference between the SYSTEM, Local Service and Network Service built-in accounts for running services. Use the Principle of Least Privilege and run services with low-privilege (service) accounts instead of SYSTEM or local admin accounts. Check out Managed Service Accounts in Windows 2012 and Global Managed Service Accounts once your Active Directory domain level is upgraded to 2012R
  7. BIOS passwords to block booting from CD/USB (offline attacks).
  8. Disk encryption to guard against offline attacks (BitLocker).
  9. Do security awareness training. Teach staff to spot phishing attacks.
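Items 2, 3 and 6 above are the ones you can check on a box in a minute, so here is a read-only audit script for them. It is an added example, not a script from the original post: it assumes the LocalAccounts module (Windows 10 / Server 2016 and later), an elevated prompt, and that `$AllowedAdmins` is the set of principals your restricted-groups policy is supposed to leave in place. The `EXAMPLE` domain and the group names in the allow-list are placeholders to replace with your own.

```powershell
# Added example (not from the original post): audit one server against
# items 2, 3 and 6 of the list. Read-only by default; with -Remediate it
# removes domain *user* accounts (not groups) from local Administrators.
# Assumes the Microsoft.PowerShell.LocalAccounts module is available.
[CmdletBinding()]
param(
    # Principals that are allowed to stay in the local Administrators group.
    # 'EXAMPLE\...' entries are placeholders for your own domain groups.
    [string[]]$AllowedAdmins = @(
        "$env:COMPUTERNAME\Administrator",
        'EXAMPLE\Domain Admins',
        'EXAMPLE\Server Admins'
    ),
    [switch]$Remediate
)

$findings = New-Object System.Collections.Generic.List[string]

# Item 2: the built-in Administrator is always RID 500, whatever it was renamed to.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin -and $builtin.Enabled) {
    $findings.Add("Built-in Administrator '$($builtin.Name)' is enabled; " +
                  "password last set $($builtin.PasswordLastSet)")
}

# Item 3: anything in local Administrators that the policy did not put there.
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    if ($AllowedAdmins -notcontains $m.Name) {
        $findings.Add("Unexpected Administrators member: $($m.Name) " +
                      "($($m.ObjectClass), source $($m.PrincipalSource))")
        # Domain user accounts added ad hoc during troubleshooting are the usual
        # culprits; only those are removed, and only when -Remediate is given.
        if ($m.PrincipalSource -eq 'ActiveDirectory' -and $m.ObjectClass -eq 'User') {
            Remove-LocalGroupMember -Group 'Administrators' -Member $m -WhatIf:(-not $Remediate)
        }
    }
}

# Item 6: services running as SYSTEM. Windows' own services legitimately run as
# LocalSystem, so only binaries outside the Windows directory are reported;
# those are the third-party and in-house services to move to a service account.
$winDir = $env:SystemRoot
Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $_.StartName -eq 'LocalSystem' -and
        $_.PathName -and
        $_.PathName.Trim('"') -notlike "$winDir*"
    } |
    ForEach-Object {
        $findings.Add("Service '$($_.Name)' runs as LocalSystem: $($_.PathName)")
    }

if ($findings.Count -eq 0) {
    Write-Output 'No findings.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it as `.\Audit-LocalHardening.ps1` to report, and `.\Audit-LocalHardening.ps1 -Remediate` to actually remove stray domain user accounts; without the switch the removal is only simulated via `-WhatIf`. The service check deliberately reports rather than changes anything, since moving a service to a low-privilege account needs the file, registry and logon-right permissions that account will need sorted out first.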

That’s just a few things to get you started. “Security is not a destination, it’s a journey.” That is to say, in this crazy IT world where things change all the time, you’ll never get to 100% secure.

Try to maintain a sensible balance between “secure enough” and “everything is so locked down I can’t get anything done”.

And try not to do anything dumb along the way (like having the same Administrator password on all your systems, so one cracked password gains remote admin access to every other system). Happy hacking!

Find more IT Infrastructure tips at blog.alexmags.com