This article can also be found in the Premium Editorial Download "Information Security magazine: Negative exposure: Web scanners reveal unknown holes."
Q: What are the pros and cons of Windows hardening? I want to make my boxes more secure without breaking any apps. -M.N.
A: First of all, let's define "hardening." When you harden a box, you're attempting to make it bulletproof. Ideally, you want to be able to leave it exposed to the general public on the Internet without any other form of protection. This isn't a box you'll use for a wide variety of services. A hardened box should serve only one purpose--it's a Web server or DNS or Exchange server, and nothing else. You don't typically harden a file and print server, or a domain controller, or a workstation. These boxes need too many functions to be properly hardened.
In general, if you need a hardened box, you shouldn't be looking to Microsoft. It's far easier to harden a Red Hat or FreeBSD box, among others. Not only is there less work, but there's better documentation on how to do it.
I've stripped down every Microsoft OS ever produced, and believe me, you'll never get the level of satisfaction you'll get with a hardened Linux box in the same amount of time.
That said, I should point out that there are notable exceptions. If you're running a Check Point firewall on NT, there's no reason not to feel the box is as secure as its Unix counterpart. Vendors of these products generally catch things a user might otherwise miss when hardening the system on their own.
To harden a Windows box, you'll need to do the following three steps, at a bare minimum:
- Disable all unnecessary services. To do this, you first need to determine which services can be disabled. Sounds simple enough, but it's not. For example, it's impossible to disable the Remote Procedure Call (RPC) service. Also, little documentation exists to identify what services a given purpose will require. Even if we had such a list, it would likely change depending on a vendor's specific implementation (say, of a DNS or mail server). In the end, knowing which services are required and which can be disabled is largely a matter of trial and error.
- Remove all unnecessary executables and registry entries. Forgetting to remove unneeded executables and registry entries might allow an attacker to invoke something that had previously been disabled.
- Apply appropriately restrictive permissions to files, services, end points and registry entries. Inappropriate permissions could give an attacker an opening. The ability to launch CMD.EXE as "LocalSystem," for example, is a classic backdoor.
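The three steps above as a reporting audit script for a single-purpose box (an added example, not the column's own code; the DNS-role service allowlist, the list of broad principals and the -Enforce switch are assumptions, and the allowlist for your own box still has to be built by trial and error):

```powershell
# Added example, not the column's own code: audit a single-purpose Windows box
# against the three hardening steps. The allowlist below is an ASSUMPTION for a
# DNS server role (RpcSs stays, since the column notes RPC cannot be disabled).
param(
    [string[]]$RequiredServices = @('Dns','RpcSs','RpcEptMapper','DcomLaunch','EventLog'),
    [switch]$Enforce   # without -Enforce the script only reports
)

function Get-ServiceBinaryPath([string]$PathName) {
    # Win32_Service.PathName may be quoted and may carry arguments; keep the .exe only.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(\S+\.exe)') { return $Matches[1] }
    return $null
}

# Principals that should never hold write rights on a service binary: a member of
# any of them could replace the executable and have it run as the service account.
$weakIds = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

foreach ($svc in Get-CimInstance Win32_Service) {
    $exe = Get-ServiceBinaryPath $svc.PathName

    # Step 1: anything running that is not on the role allowlist is a candidate to disable.
    if ($svc.State -eq 'Running' -and $RequiredServices -notcontains $svc.Name) {
        Write-Output ("NOT ON ALLOWLIST: {0} ({1}) start={2}" -f $svc.Name, $svc.DisplayName, $svc.StartMode)
        if ($Enforce) {
            # Disable rather than delete first, so the change is reversible if an app breaks.
            Set-Service -Name $svc.Name -StartupType Disabled
            Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
        }
    }
    # Step 2: a disabled service whose binary is still on disk can be re-invoked;
    # the column's advice is to remove the executable and registry entry as well.
    if ($svc.StartMode -eq 'Disabled' -and $exe -and (Test-Path -LiteralPath $exe)) {
        Write-Output ("DISABLED BUT BINARY PRESENT: {0} -> {1}" -f $svc.Name, $exe)
    }
    # Step 3: report service binaries writable by broad groups (the LocalSystem backdoor).
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        foreach ($ace in (Get-Acl -LiteralPath $exe).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $weakIds -contains $ace.IdentityReference.Value -and
                "$($ace.FileSystemRights)" -match 'Write|Modify|FullControl') {
                Write-Output ("WEAK ACL: {0} grants {1} {2}" -f $exe, $ace.IdentityReference, $ace.FileSystemRights)
            }
        }
    }
}
```

Run it without -Enforce first and compare the report against what the box actually needs; generic-rights ACEs that show up as raw numbers are not matched by the rights regex and should be reviewed by hand.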
Now to the specific question on the pros and cons of hardening. The benefits of hardening a Windows box are that you will have fewer patches to apply, you'll be less likely to be vulnerable to the average exploit, and you'll have fewer records to review in the logs. You can focus your attention on what the box is doing, not on services it may have running that you don't need.
On the other hand, it's very difficult to properly harden/configure a box so that it keeps running effectively. Documentation is scarce, and permissions are required to make it effective--and in the Windows world, permissioning remains one of those mystic arts. Finally, even a hardened Windows box will probably have far too many resident files and registry entries to effectively monitor and maintain.
An alternative to this type of hardening is what TruSecure calls essential configurations, or ECs. ECs are like best practices for server security, a set of tasks that can be completed in an hour or so on any existing or new box. ECs don't harden the box, per se, but they make it resistant to all known mass exploits and the most common vulnerabilities for the box's primary task. Therefore, ECs can be applied to any box, regardless of its role, but aren't designed to equal the security of a hardened box.
About the author:
Russ Cooper is surgeon general of TruSecure Corp. and editor of the NTBugtraq mailing list.
This was first published in April 2011