In a recent Windows security tip, I talked about Ten attacks you can easily avoid with Group Policy. It highlights the fact that you can keep malicious attackers like "Eddie" out of your systems. In this tip, I've outlined how you can change what I believe are the most critical Group Policy security settings I covered previously -- along with a few more tips tossed in for good measure.
You can implement many of these at the local computer level in Windows XP, 2000 and Server 2003, as well as at the domain OU level in Server 2003 and 2000. For the sake of simplicity and staying current, I'm going to outline these settings on a Windows Server 2003-based domain. Keep in mind that these are only the tip of the iceberg for GPOs you can set up in your domain, but they are the ones that can make or break Windows security in my opinion. Also, your mileage may vary with these settings, so I encourage you to research thoroughly each of these options before enabling them to make sure they're compatible with your network. If at all possible, experiment with them in a non-production fashion (if you're lucky enough to have a test environment).
If you haven't already, I recommend downloading and installing Microsoft's Group Policy Management Console (GPMC) to make these changes. This program gives you a more global view on your domain(s) by centralizing Group Policy Object (GPO) management tasks into a single interface. To start the editing process, you simply load up GPMC, expand your domain, right-click "Default Domain Policy," and select "Edit." This loads up the Group Policy Object Editor. If you want a quicker and "less enterprise" way of editing your domain GPOs, you can run gpedit.msc from the "Start" menu.
1. Ensure a default password policy that makes sense for your organization is set under "Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy."
2. Set the following under "Computer Configuration/Windows Settings/Security Settings/Account Policies/Account Lockout Policy" in order to thwart automated password cracking attacks:
- Account lockout duration (define at least 5-10 minutes)
 |
|
|
|
|
Give attackers more hoops to jump through in order to minimize Windows attacks
Kevin Beaver
CISSP
|
|
|
|
|
|
|
|
|
|
- Account lockout threshold (define at most 5-10 invalid logon attempts)
- Reset account lockout counter after (define at least 10-15 minutes)
3. Enable the following under "Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy:"
- Audit account management
- Audit logon events
- Audit policy change
- Audit privilege use
- Audit system events
Ideally, you'll want to enable logging for successes and failures, but it depends on what types of records you want to keep and whether you'll actually be able to manage it all. Roberta Bragg has outlined some common audit logging settings here. Just remember that each type of logging you enable requires more resources on the part of your systems processor and hard drive.
4. Set the following under "Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options" for general Windows hardening best practice, and give attackers more hoops to jump through in order to minimize Windows attacks:
- Accounts: Rename administrator account -- not highly effective but another security layer nonetheless (define a new name)
- Accounts: Rename guest account (define a new name)
- Interactive logon: Do not display last user name (set to "Enabled")
- Interactive logon: Do not require last user name (set to "Disabled")
- Interactive logon: Message text for users attempting to log on (define banner text for users to see – something along the lines of This is a private and monitored system…you abuse this system, you're toast -- just run it by your lawyer first)
- Interactive logon: Message title for users attempting to log on -- something along the lines of WARNING!!!
- Network access: Do not allow enumeration of SAM accounts and shares (set to "Enabled")
- Network access: Let "Everyone" permissions apply to anonymous users (set to "Disabled")
- Network security: Do no store LAN Manager hash value on next password change (set to "Enabled")
- Shutdown: Allow system to be shut down without having to log on (set to "Disabled")
- Shutdown: Clear virtual memory pagefile (set to "Enabled")
If you don't have a Windows Server 2003 domain controller, you can find details on which local security policy settings are available for Windows XP here, and which Group Policy settings are available for Windows 2000 Server here. For more information on Windows Server 2003 group policies, check out Microsoft's dedicated page.
About the author: Kevin Beaver is founder and information security advisor with Atlanta-based Principle Logic, LLC. He has more than 17 years of experience in IT and specializes in performing information security assessments. Kevin has authored five information security-related books including Hacking For Dummies (Wiley), the brand new Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver@principlelogic.com.
More information from SearchWindowsSecurity.com
Learning Center: Group Policy Q&As
Tip: XP SP2 helps control malware -- but watch out for that firewall
Checklist: Secure Group Policy design
