4.2 Windows System Hardening


As you study this section, answer the following questions:

> What is hardening?
> How does it benefit security?
> How do you reduce the attack surface of a device?
> Why should you install only software that you need?
> What is a security baseline?
> What is the difference between a hotfix and a patch? Why would you use one instead of the other?

In this section, you will learn to:

> Harden an operating system.
> Manage automatic updates.
> Configure automatic updates.
> Configure Microsoft Defender Firewall.
> Configure Windows Defender Firewall with Advanced Security.

Use a Trusted Operating System (TOS)

A TOS is an operating system that comes hardened and validated to a specific security level as defined in the Common Criteria for Information Technology Security Evaluation (CC). Many TOSs provide sufficient support for multilevel security, a system in which multiple levels of classified data reside within the same system, but users are not permitted to access data at classification levels other than their own. Additionally, all personnel must have access approval on a need-to-know basis.

Service Pack

A collection of patches, hotfixes, and system enhancements that have been tested by the manufacturer for wide deployment.

Use Configuration Baselines

A configuration baseline is a set of consistent requirements for a workstation or server. A security baseline is the component of the configuration baseline that ensures all workstations and servers comply with the security goals of the organization. Use configuration baselines as follows:

> Identify common configuration baselines that should be applied to all systems or to a group of systems.
> Use security templates to quickly apply security baseline settings.

A security template is a saved set of configuration values that produces the system configuration specified in the configuration baseline. When you apply a security template to a system, the settings within the template are applied to that system. Use security templates to:

> Quickly apply settings to one or more computers.
> Configure consistent security settings between devices.
> Quickly restore security settings to the baseline.
> Compare the actual settings on a device to the settings required by the configuration baseline.

Microsoft operating systems include the following tools for managing security templates:

> The Security Templates snap-in, which creates and edits templates. You can obtain security templates from various sources, including the NSA, which has predefined settings it believes are appropriate for Windows operating systems.
> The Security Configuration and Analysis snap-in, which compares the existing settings with a template or applies a template to a single device.
> The Group Policy Editor, which imports a template into a Group Policy and applies the template to multiple computers.

Patch

A fix that is more thoroughly tested than a hotfix and designed for a wider deployment.

Hotfix

A quick fix for a problem. Normally, you install a hotfix only if you have the specific problem it is intended to fix. Hotfixes are:

> Typically made to address a specific customer situation and may not be distributed outside that customer's organization.
> Commonly used to address freshly discovered security holes.

Hotfix

A quick fix for a specific software problem.

Service Pack (SP)

A service pack (SP) is a collection of patches, hotfixes, and other system enhancements that have been tested by the manufacturer for wide deployment. A service pack includes all previously released bug fixes. If you install the service pack, you do not need to install the individual patches. Installing a service pack also includes all previous service packs.

* You do not necessarily need to install every hotfix, patch, or service pack that is released. For example, if a hotfix applies to a service that you have disabled on your servers, applying that hotfix is not required. Or, if a patch applies to browser security and the browser on the server is not used, you do not need to install the patch.

Patch

Also a quick fix, but generally more thoroughly tested than a hotfix and designed for a wider deployment. Patches:

> Include previous hotfixes that the manufacturer has thoroughly tested for mass deployment.
> Include fixes that should be applied to wider audiences, such as patches for security holes.

* The best place to obtain updates is from the manufacturer's website.

Test Patches

Be sure to test patches before applying them within your organization. A common strategy is to:

1. Apply and test patches in a lab environment.
2. Deploy patches to a set of systems, such as a single department.
3. Deploy patches system-wide.

Harden the System

Hardening is the process of increasing the security of devices and software. You can harden a network and reduce your security exposure by tightening security controls. Improved performance may result from the hardening process, but it is not the primary goal. The first step should always be to improve the security of the most foundational elements. You can harden specific hardware devices as well as the software running on them. The following table describes recommendations for hardening systems.

Managing Updates

Keep the OS and applications at the most current levels by applying updates. The following table describes three types of updates.

Use a Standard Operating Environment (SOE)

Most organizations maintain a Standard Operating Environment, which is implemented as a standard disk image or master image. The disk image is used when deploying new computers to the network. Automation is used to deploy the master image and to run configuration scripts that name the computer, join it to a domain, and perform any other customizations. Using a master image together with automation can reduce security risk by ensuring that security standards are consistent throughout the network. Master images should be based on a TOS and be fully patched.

Use Patch Management Activities

Patch management activities include:

> Determining the patches that are needed on the system.
> Testing patches in a lab environment to identify the effects of applying the fixes.
> Applying the patches.
> Auditing for successful application of patches.

4.2.7 Configure Microsoft Defender Firewall Lab

Required Actions

> Turn Windows Firewall on
> Allow Key Management Service through the Public firewall only
  - Public: Allowed
  - Domain: Denied
  - Private: Denied
> Allow the Arch98 program through the Public firewall only
  - Public: Allowed
  - Domain: Denied
  - Private: Denied
> Allow the Apconf program through the Public firewall only
  - Public: Allowed
  - Domain: Denied
  - Private: Denied

Explanation

To complete this lab, you need to allow the following service and programs through the firewall for the Public network profile only:

> A service named Key Management Service
> An application named Arch98
> An application named Apconf

Leave all other existing apps and features as they are. Complete this lab as follows:

1. Access the Windows Firewall settings.
   a. Right-click Start and then select Settings.
   b. Select Network & Internet.
   c. From the right pane, scroll down and select Windows Firewall.
2. From the Firewall & network protection dialog, under Public network, select Turn on.
3. Allow applications to communicate through the firewall for the Public network only.
   a. Select Allow an app through firewall.
   b. Select Change settings.
   c. For Key Management Service, clear Domain and Private, and then select Public.
   d. Select Allow another app to configure an exception for an application that is not currently allowed through the firewall.
   e. Select the application from the list and then select Add.
   f. For the newly added application, clear Domain and Private, and then select Public.
   g. Repeat steps 3d through 3f for the remaining application.
4. Select OK.

4.2.5 Configure Automatic Update Lab

Task Summary

Required Actions

> Receive updates for other Microsoft products when Windows is updated
> Choose when updates are installed
  - Feature update deferral: 60 days
  - Quality update deferral: 30 days
> Configure Windows to automatically download the manufacturer's apps and custom icons

Complete this lab as follows:

1. Configure the Windows Update settings.
   a. Right-click Start and then select Settings.
   b. Select Update & Security.
   c. From the right pane, select Advanced options.
   d. Under Update Options, turn on Receive updates for other Microsoft products when you update Windows by sliding the switch to On.
   e. Under Choose when updates are installed, configure each option as follows:
      > A feature update includes new capabilities and improvements. It can be deferred for 60 days.
      > A quality update includes security improvements. It can be deferred for this many days: 30
   f. Close the Settings window.
2. Configure Windows to automatically download the manufacturer's apps and custom icons.
   a. In the search field on the Windows taskbar, type Control.
   b. From Best match, select Control Panel.
   c. Select System and Security.
   d. Select System.
   e. From the left pane, select Advanced system settings.
   f. Select the Hardware tab.
   g. Select Device Installation Settings.
   h. Select Yes and then select Save Changes.
   i. Select OK.

Hardening

The process of securing devices and software by reducing the security exposure and tightening security controls.

4.2.2 Hardening Facts

This lesson covers the following topics:

> Harden the system
> Manage updates

Manage Software

Tips for managing software include:

> Check that all software has up-to-date licenses. A license compliance violation may open your organization to legal action and may cause a vital application to cease functioning.
> Install security software such as anti-virus, anti-spyware, anti-rootkit, and firewall software.
> Install only needed software.
> Avoid installing freeware or software from untrusted publishers.
> Reduce the attack surface of the device by limiting the applications and services running on it and removing unnecessary software, features, and non-essential services.
> Use role separation by installing services on separate physical systems. If a single system is compromised, only the few services on that system are affected.
> Remove unnecessary services, protocols, and applications following installation. Unnecessary services are often installed on new systems by default.
> Determine the dependencies of the services you are using before removing existing services. Examples of non-essential services are TFTP, Telnet, and SNMP. DNS, ICMP, and NNTP are generally considered essential protocols and services; however, consider the function of your system before leaving them on it.

Control Login

To control login and access to a system, you can:

> Limit privileges, especially administrative privileges.
> Change default passwords.
> Require complex passwords.
> Require multi-factor authentication.
> Use smart cards, fingerprint readers, text services, or other apps that send verification codes.

Use Patch Management Software

Use patch management software to simplify the patch distribution and management process. Windows Software Update Service (WSUS) is a patch management tool that allows clients on a network to download software updates from a WSUS server internal to their organization.

> The WSUS server receives a list of available updates from Microsoft.
> On the WSUS server, you identify the allowed or required patches for your organization.
> Clients download only approved patches, either from an internal WSUS server or directly from Microsoft.

You can also use Group Policy to distribute and automatically install patches. You must use Group Policy to install updates to non-Microsoft software that is not supported by WSUS.

