5 Common Windows Hardening Misconfigurations

Thursday, October 31, 2013

Rohit Sethi


My colleague, Stephen Hall, a consultant at Security Compass, put together an overview of Windows hardening misconfigurations that might be helpful for developers and security teams. Here are his thoughts:

Over numerous Windows configuration review engagements that we have performed for our clients, we observed a common pattern in the configuration weaknesses that is worth highlighting here.

The five common misconfigurations we observed are as follows:  

  1. Insufficient Log Sizes
  2. Unnecessary Services
  3. Weak Communication Settings (LANMAN)
  4. Weak Password Protection
  5. Weak TCP/IP Configuration

In the remainder of this post, we further discuss each of the observed weaknesses.  

Insufficient Log Sizes:

Log sizes are normally left at the default. Though this does not by itself pose a security risk to the server, the risk of this misconfiguration becomes apparent when a compromise occurs and incident response and forensics begin.

With default log sizes and logging configurations, potentially useful information could be missed or overwritten due to insufficient space, making it harder to determine the scale of compromise.  
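The following PowerShell audit is an added example, not part of the original post: it compares each event log's configured maximum size against a baseline, flags logs in circular mode (where the oldest events are overwritten once the log fills), and can raise the size with `wevtutil`. The baseline sizes and the log list are assumptions for illustration.

```powershell
# Added example (not from the original post): report event logs whose maximum size is
# below a chosen baseline and optionally raise it. The baseline sizes and log names
# below are assumptions for illustration; pick values that meet your retention needs.
# Run in an elevated PowerShell session.
function Test-EventLogSize {
    param(
        # Minimum acceptable size in MB per log (assumed values, not from the post).
        [hashtable]$Baseline = @{ 'Security' = 192; 'System' = 32; 'Application' = 32;
                                  'Microsoft-Windows-PowerShell/Operational' = 32 },
        [switch]$Apply
    )
    foreach ($logName in $Baseline.Keys) {
        $log = Get-WinEvent -ListLog $logName -ErrorAction SilentlyContinue
        if (-not $log) { Write-Warning "Log '$logName' not found"; continue }

        $currentMB = [math]::Round($log.MaximumSizeInBytes / 1MB)
        $tooSmall  = $currentMB -lt $Baseline[$logName]

        # Circular mode overwrites the oldest events once the log is full, which is the
        # failure mode described in the post; flag it so retention is a conscious choice.
        $note = if ($log.LogMode -eq 'Circular') { 'oldest events will be overwritten' } else { '' }

        if ($tooSmall -and $Apply) {
            $newBytes = $Baseline[$logName] * 1MB
            # wevtutil sl = set-log configuration; /ms: = maximum size in bytes
            wevtutil sl $logName /ms:$newBytes
            $currentMB = $Baseline[$logName]; $tooSmall = $false
        }
        [pscustomobject]@{
            Log        = $logName
            Enabled    = $log.IsEnabled
            Mode       = $log.LogMode
            CurrentMB  = $currentMB
            BaselineMB = $Baseline[$logName]
            Compliant  = -not $tooSmall
            Note       = $note
        }
    }
}

Test-EventLogSize | Format-Table -AutoSize   # add -Apply to enforce the baseline
```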

Unnecessary Services:

Windows by default has services running that are not needed or relevant to the type of server being configured. A good example is the Telephony or Smart Card services, which most servers will not need. Enabled but unnecessary services increase the attack surface of the server: even if there is no known vulnerability in a service at the time of deployment, that does not mean one cannot be found later. Attackers can also use a running service for identification purposes; for example, the Shylock malware installed itself if it found that the Smart Card service was running.
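As an added example (not from the original post), the PowerShell function below lists services a given server role does not need, shows how each is configured (state, start mode, account, binary) and can disable them. The service list is an assumption for illustration; `TapiSrv` (Telephony) and `SCardSvr` (Smart Card) are the two services named in the post, the rest are placeholders to be replaced with your own role baseline.

```powershell
# Added example (not from the original post): report and optionally disable services
# that a server role does not need. The list is an assumption for illustration:
# TapiSrv = Telephony and SCardSvr = Smart Card are the services named in the post;
# derive the rest from the role of the server. Run in an elevated PowerShell session.
function Get-UnneededService {
    param(
        [string[]]$NotNeeded = @('TapiSrv', 'SCardSvr', 'Fax', 'Spooler', 'WSearch'),
        [switch]$Disable
    )
    foreach ($name in $NotNeeded) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        if (-not $svc) { continue }   # not installed on this build or role

        if ($Disable -and $svc.StartMode -ne 'Disabled') {
            # Stop it now, then make sure it does not come back at the next boot.
            if ($svc.State -eq 'Running') { Stop-Service -Name $name -Force -ErrorAction Continue }
            Set-Service -Name $name -StartupType Disabled
            $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        }
        [pscustomobject]@{
            Name      = $svc.Name
            Display   = $svc.DisplayName
            State     = $svc.State          # Running / Stopped
            StartMode = $svc.StartMode      # Auto / Manual / Disabled
            RunsAs    = $svc.StartName      # account the service runs under
            Binary    = $svc.PathName       # executable backing the service
        }
    }
}

Get-UnneededService | Format-Table -AutoSize   # add -Disable to enforce
```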

Weak Communication Settings (LANMAN):

The settings in this category can lead to compromise through man-in-the-middle attacks or loose permissions. They typically include: whether servers and clients digitally sign their communications, whether anonymous users may enumerate SAM accounts and shares, and whether anonymous access to shares and named pipes is allowed. If anyone can access the shares or named pipes, there is typically information stored there that can be used to gain access to that system or to another system. These settings can be found in the Group Policy Object (GPO) under the following tree:

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

An example is administrative scripts run on machines that include passwords for other machines or for services on those machines.

Weak Password Protection:

Settings such as “require domain controller to login” or “unlock workstations and cache passwords”, when left at their insecure defaults, open the server or workstation to additional avenues of attack. With the defaults in place, a server that cannot contact the domain controller to verify the user’s password falls back to its local cache. If the hash of the supplied password matches the cached hash, the user is allowed onto the server with the permissions they held at the time the entry was cached. These settings can be found in the Group Policy Object (GPO) under the following tree:

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Weak TCP/IP Configuration:

One setting commonly left enabled is “MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes”. When enabled, it allows a remote device to update the default gateway of the host by sending an ICMP redirect message. Such a message can easily be forged with Scapy to trick the server into using a malicious IP address as its gateway, enabling man-in-the-middle attacks on traffic to IP addresses outside that subnet. This setting can be found in the Group Policy Object (GPO) under the following tree:

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
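Each Security Option in the LANMAN, password protection and TCP/IP sections above is backed by a registry value, so compliance can be checked and enforced directly. The PowerShell audit below is an added example (not from the original post); the hardened values it expects are assumptions for illustration and should be aligned with your own baseline.

```powershell
# Added example (not from the original post): audit the registry values behind the
# Security Options discussed above and optionally apply hardened values. The hardened
# values are assumptions for illustration; align them with your own baseline.
# Run in an elevated PowerShell session.
function Test-SecurityOption {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Apply)
    $lansrv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $lanwks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $logon  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    # Path, value name, hardened value, registry type, comparison (eq = equal, le = at most).
    $settings = @(
        # Weak Communication Settings (LANMAN)
        @{ Path=$lansrv; Name='RequireSecuritySignature'; Want=1;   Type='DWord';  Op='eq'; Desc='Server: digitally sign communications (always)' }
        @{ Path=$lanwks; Name='RequireSecuritySignature'; Want=1;   Type='DWord';  Op='eq'; Desc='Client: digitally sign communications (always)' }
        @{ Path=$lsa;    Name='RestrictAnonymousSAM';     Want=1;   Type='DWord';  Op='eq'; Desc='No anonymous enumeration of SAM accounts' }
        @{ Path=$lsa;    Name='RestrictAnonymous';        Want=1;   Type='DWord';  Op='eq'; Desc='No anonymous enumeration of SAM accounts and shares' }
        @{ Path=$lansrv; Name='RestrictNullSessAccess';   Want=1;   Type='DWord';  Op='eq'; Desc='Restrict anonymous access to named pipes and shares' }
        # Weak Password Protection
        @{ Path=$logon;  Name='CachedLogonsCount';        Want='4'; Type='String'; Op='le'; Desc='Cached logons allowed (REG_SZ; 0 = always require a DC)' }
        @{ Path=$logon;  Name='ForceUnlockLogon';         Want=1;   Type='DWord';  Op='eq'; Desc='Require DC authentication to unlock workstation' }
        # Weak TCP/IP Configuration
        @{ Path=$tcpip;  Name='EnableICMPRedirect';       Want=0;   Type='DWord';  Op='eq'; Desc='Ignore ICMP redirects (MSS: EnableICMPRedirect)' }
    )
    foreach ($s in $settings) {
        # A missing value means Windows is using its built-in default; treat that as
        # non-compliant so the hardened value gets set explicitly.
        $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        $ok = if ($null -eq $current) { $false }
              elseif ($s.Op -eq 'le') { [int]$current -le [int]$s.Want }
              else                    { [int]$current -eq [int]$s.Want }
        if (-not $ok -and $Apply -and $PSCmdlet.ShouldProcess("$($s.Path)\$($s.Name)", "set to $($s.Want)")) {
            if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
            Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Want -Type $s.Type
            $ok = $true
        }
        [pscustomobject]@{
            Setting = $s.Desc; Wanted = $s.Want; Compliant = $ok
            Current = $(if ($null -eq $current) { '<not set>' } else { $current })
        }
    }
}

Test-SecurityOption | Format-Table -AutoSize   # add -Apply -WhatIf to preview changes
```

Settings applied through Group Policy will reassert themselves at the next policy refresh, so changes made here directly in the registry should be mirrored in the GPO rather than left as a local override.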

The policy settings identified in this post represent areas that are commonly missed when hardening Windows servers, based on trends seen by Security Compass consultants. These settings may seem less important than others such as SeDebugPrivilege or AutoPlay, but they strengthen the system and help protect it from certain targeted attack vectors.

Cross-posted from the SC Labs blog 
