Hardening Windows

Alhaji265

Hey,

I need to know what is the term "hardening" when creating windows imaging/deployment?

FloOz

To my knowledge "hardening" and OS includes configuring policies/firewall/applications/updates. Like tightening up the security of the OS to correspond to how the company wants each OS "build" to turn out on a machine. Someone please correct me if I am wrong with my definition.

boredgamelad

The simplest definition of hardening an OS is "making it more secure". In the context of a server, it can generally mean any of the following (and a lot more) depending on how secure your organization wants things:

Installing the system to its own partition separate from data
Disabling/uninstalling any extra components that are not in use
Disabling/not installing any services which are not needed (if it's not a print server, no reason to run the print service)
Locking down the registry
Disable autorun on removable media drives
Remove root access to the system for non-administrators

There's more to it and it can range from extreme to light depending on the policies where you're at. But essentially your role in hardening an OS is to reduce the size of the attack surface.

RobertKaucher

When I was studying for the MCSE Security I used this book as a resource. It was pretty good:
Professional Windows Desktop and Server Hardening (Programmer to Programmer): Roger A. Grimes: 9780764599903: Amazon.com: Books

Of course it is a bit out of date. But combined with the security resource kit you should find a ton of useful information.

Amazon.com: Windows Server 2008 Security Resource Kit (PRO - Resource Kit) 1st edition by Johansson, Jesper M. published by Microsoft Press [ Paperback ]: --N/A--: Books

For Linux there is this book, but I have not read it.

JDMurray

You should also have a look at NIST's Security Configuration Checklists Program:

NIST.gov - Computer Security Division - Computer Security Resource Center
National Vulnerability Database (NVD) National Checklist Program Repository

SephStorm

It annoys me how many "hardened" systems are not. How many systems have XPS Viewer or Tablet PC services running, numerous other services. If I ever start doing some sort of (Legit) Malware, i'd like to see if I can create something that exploits some completely unneeded service.

RobertKaucher

SephStorm wrote: »

If I ever start doing some sort of (Legit) Malware, i'd like to see if I can create something that exploits some completely unneeded service.

You mean like Code Red back in the day? That's really the way most malware work these days: exploits at the application level and applications that should never be running on a hardened system.

JDMurray wrote: »

You should also have a look at NIST's Security Configuration Checklists Program:

NIST.gov - Computer Security Division - Computer Security Resource Center
National Vulnerability Database (NVD) National Checklist Program Repository

Thanks for these. I had not seen these before.

it_consultant

Don't forget about the NSA.

Operating Systems - NSA/CSS

JDMurray

RobertKaucher wrote: »

You mean like Code Red back in the day? That's really the way most malware work these days: exploits at the application level and applications that should never be running on a hardened system.

Now you're looking at the dividing line between an OS with its native services and the 3rd-patry apps and services that run on top of the OS. Just "hardening the OS" is not the same thing as hardening the apps it runs. A hardened Windows OS would still have been infected by Code Red if it were running IIS without a host header. And using a host header with IIS is generally not consider to be a security measure, but it is an effective defense against most worms and automated scanners.

RobertKaucher

JDMurray wrote: »

Now you're looking at the dividing line between an OS with its native services and the 3rd-patry apps and services that run on top of the OS. Just "hardening the OS" is not the same thing as hardening the apps it runs. A hardened Windows OS would still have been infected by Code Red if it were running IIS without a host header. And using a host header with IIS is generally not consider to be a security measure, but it is an effective defense against most worms and automated scanners.

Well, my point on Code Red was that IIS was installed by default; needed or not. So many servers were infected that would not have been had that not been the case. The infection could never have spread as quickly if it had not been or if the servers that did not need it had been properly hardened.

the_Grinch

Amazon.com: Thor's Microsoft Security Bible: A Collection of Practical Security Techniques (9781597495721): Timothy "Thor" Mullen: Books <---This is for Server 2008, but still a great read. I have a review posted on ethicalhacker.net. It was a really enjoyable read and he definitely showed things I felt could be applied to just about any environment. I really liked that he discusses a method for accessing network drives in a secure manner without the need of a vpn!

DevilWAH

As my security tutor would say, a hardened Computer is one encases in concrete at the bottom of an ocean. This is both hardened and secured