Baseline Security Paper
  CIS – 230: Network Security

STUDENT NAME/STUDENT ID:       CONTRIBUTION:

Ben Leak                       Hypothesis (1.3)
(need number)                  Procedure (3.1)
                               Data Analysis (3.2)
                               Design (3.3)
                               Results (3.4)
                               Impacts on Study (4.1)
                               Final Conclusion (4.2)
                               Test Cases
                               SPSS Analysis

Jose Madhavasseril             Templates (2.1)
150-82-4164                    Personalized Security Templates (2.1.1)
                               Implementing Templates (2.1.2)
                               Template Breakdown (2.1.3)
                               Out of Box Security (2.1.4)
                               Secure Template Structure (2.1.5)
                               High Secure Template Structure (2.1.6)
                               Template Usage Precautions (2.1.7)
                               Why is patching necessary (2.2)

Amy Farina                     Abstract (1.1)
213-94-657                     Purpose of Study (1.2)
                               What is a service? (2.3)
                               Services and service states (2.4)
                               Editing Services and… (2.5)
                               Historical evolution… (2.6)
                               Basic configuration… (2.7)
                               Service evolution… (2.8)
                               Impacts on Study (4.1)




Professor:           Dr. Catherine Campbell
Due Date:            May 2006

Total Pages: 60
                         TABLE OF CONTENTS
                                                                                    Page(s)
1. SECTION ONE - INTRODUCTION

   1.1       Abstract                                                                 3-4
   1.2       Purpose of Study                                                         5
   1.3       Hypothesis                                                               5


2. SECTION TWO - BACKGROUND

   2.1       Templates                                                                6
         2.1.1 Personalized Security Templates                                        6-7
         2.1.2 Implementing Templates                                                 7-9
         2.1.3 Template Breakdown                                                     9-12
         2.1.4 Out of Box Security                                                    12
         2.1.5 Secure Template Structure                                              12-14
         2.1.6 High Secure Template Structure                                         14-17
         2.1.7 Template Usage Precautions                                             18
   2.2       Why is patching necessary                                                19-23
   2.3       What is a service?                                                       24
   2.4       Services and service states                                              24-25
   2.5       Editing services and determining dependencies                            26-28
   2.6       Historical evolution of Microsoft operating system services              29
   2.7       Basic configuration details                                              30
   2.8       Service evolution breakdown                                              31-40


3. SECTION THREE - TESTING

   3.1       Procedure                                                                41-47
   3.2       Data Analysis                                                            48-51
   3.3       Design                                                                   52
   3.4       Results                                                                  52


4. SECTION FOUR - CONCLUSION

   4.1       Impacts on Study                                                         53
   4.2       Final Conclusion                                                         53-56


5. BIBLIOGRAPHY                                                                       54


6. APPENDICES
       APPENDIX A - GROUP POLICY OBJECTS APPLIED FOR TESTING                          60




Page 2 of 60                                                               Security Baselines
IT – 230 Network Security
SECTION ONE - INTRODUCTION

1.1    Abstract

       There is an ever-growing concern in the IT industry about workstation and network security. It has become an inevitable and necessary business practice today to harden (secure) any system that has access to, or has been accessed by, the Internet. With this focus in mind, industry security standards have been developed in the form of templates that are applied to a workstation or networked environment.

       In many operating systems, the underlying complexity of services and access rights has been hidden from the average user. This simplification and abstraction has inexorably also yielded security risks and vulnerabilities in the operating system itself. This report was developed to address some of the security concerns as well as examine the current template standards. It is not the purpose of this report to define the reasons why security risks and vulnerabilities exist, but to outline and identify those security vulnerabilities.

       The intention of this study is to provide a statistical representation of vulnerabilities in stock OOB (out-of-the-box) operating systems (unpatched and non-updated), compared to upgraded operating systems (latest patches and updates applied) and then lastly compared to "hardened" operating systems (hardened by applying the Microsoft suggested standard security template). The categories were further broken down by our assessment of their risk: "unsafe", "risky", "moderate", "secure" and "nearly impenetrable".

       Each operating system tested was unique in its various service offerings. Therefore, in an attempt not to add further complexity to our investigation, we did not apply anything to the systems that would not be part of the standard operating system. The only exception to this principle was the turning off of the Windows Firewall (which was enabled in some stock operating systems). In order to conduct a fair and impartial analysis, it was necessary to turn off the Windows Firewall so as not to impede the results of the tests. Obviously, enabling the Windows Firewall establishes a basic security measure that would cause our scans to be unsuccessful.





1.2    Purpose of Study

       This report represents the statistical evaluation of our study. It is not presented to suggest desired or undesired services in these environments. It should be noted that certain services are required to be enabled for other services or software to function properly. It was our intent to keep all environments equal and unbiased. The study was conducted to see the relevant differences among operating systems in relation to implementation of varying service states and default Microsoft templates.

1.3    Hypothesis

       It is hypothesized that Updated: Patched/Unpatched will have a direct impact on the security of the machines. A machine that is patched is less likely to become compromised due to holes in the system code. Furthermore, ServiceSt: Enabled/Disabled is also expected to have a direct impact on the overall security of the machines. The reasoning behind this is that any unnecessary service enabled is potentially a way for a hacker to gain access to a system.




SECTION TWO - BACKGROUND

2.1    Templates

       Consumers may purchase a new workstation and not think of protecting their security, their family's security, or that of their privacy-sensitive materials. The standard user may be under the misguided perception that Microsoft or the Windows operating system somehow protects them. Directly out of the box, the system may have some security, but not a whole lot. It all depends on variables ranging from what operating system you install, the applications or software that you install, to the devices that you attach to it. Security of the user also relies on whether or not the machine is connected to a domain or part of a workgroup. Even with all these erratic variables, we can use one method to alleviate our worries about security. This process is the use of security templates, which are configured either through the Microsoft Management Console (MMC) or Group Policy. A security template is a text file that details security settings using a syntax that can be loaded by various tools and used to apply security settings.



2.1.1 Personalized Security Templates

       By default, a machine has no strong security template enabled. Nonetheless, Microsoft makes it a good policy to bundle their various operating systems with a choice of security templates for use. Microsoft bundles these templates in their Windows 2000, XP, as well as their 2000 & 2003 Server packages. A large cluster of security organizations have derived their own security templates. These templates are readily available on each organization's website. If a process was needed that would edit the registry of a machine, it could easily be done by creating a security template.

       Security templates can either be edited directly with a text editor or, more easily, by use of the Security Templates Console. This makes our lives a lot easier in that it is a GUI interface allowing us to navigate through the actual template itself more quickly. The safest method, however, would be through the MMC, in that we can see the settings that we alter before they are applied or are being audited. By using the Security Configuration and Analysis tool, the settings may be indirectly carried out or applied without our knowledge or desire.



2.1.2 Implementing Templates

       As we enter the MMC, by typing "mmc" at the "RUN" command window, we can see a blank window stating Console 1. We need to add the security templates in order to edit them. This is done by adding what is known as a "Snap-In", which can be compared to a module for Linux. The "Snap-In" components range from hard disk manipulation to the current security settings management. In the image below we can see that very list of tools and how the "Snap-In" is actually implemented.



Figure 2.1




       As you can see (Figure 2.1), the list of options available shows a wide array of tools that we can use to tighten our Windows environment by applying security, customization, and overall fluidity.




       Microsoft provides us with a few templates, and we must decide which to make use of. We need to sit down and decide what our needs are and then move ahead from there. The default templates that Microsoft does provide range from high security to low security. Specific names of these templates are "hisecuredc, hisecurews, securedc, and securews." There are a few more that they do offer, but these are the main four that we will be dealing with. The naming scheme is exactly as it may seem. In the naming convention, "dc" stands for domain controller and "ws" stands for workstation. This is where the choice begins as to what type of box you are trying to put together. Once you have determined that a security template is appropriate for the operating system and the computer's role on your network, it can be used to apply security in a consistent manner. It can also be used to monitor a specific computer that resides on your network.



2.1.3 Template Breakdown

       As we start going through each template we must be assured that we understand all the changes that each will make to our systems. These changes may give us a more secure environment, but then again may cause us a small case of havoc if we are not careful. The security areas that may be defined in security templates are similar to those defined in the Local Security Policy. These security areas do not, however, provide a way to specify IPSec policies.

       Each template is broken down into seven different groups that are viewable through a tree structure. Each section has its own role, group of settings, and descriptive process. They may include separate variables directly under their main heading, but in most cases they break down much further in order to fine tune the areas of security we wish to look into. The specific areas of interest in a security template are listed as "Account Policies", "Local Policies", "Event Log", "Restricted Groups", "System Services", "Registry", and "File System." Each section holds its own duties and regulations that can be enabled, edited, or disabled. It is simply up to the users themselves to decide whether or not they actually deem it necessary to make changes. Account Policies deal with things such as password security. In this section, a good password strength regimen can be set. It also covers Kerberos policies, which are only applicable on domain controllers. Local Policies hold the keys to the castle for us in some methodology. Here we can find audit policies, user rights, and numerous security options. Administrators can set regulations for all of their workstations and then push out the updated policy through a GPO (Group Policy Object). Security options include erasing the page file after shutdown or forcing a user to use "CTRL+ALT+DEL" when logging onto a machine.

       The Event Log portion has minimal functionality but some usefulness nonetheless. It allows us to regulate the log's actual size and full functionality. We can set variables we want highlighted and variables that we don't care for to be ousted from that log. In Restricted Groups, we can decide what a user group really is. This portion essentially will allow you to separate what makes an Administrator more powerful than a Power User. Resource access can be set for each group and defined through use of template exceptions. System Services allow an Administrator to predefine who can start, stop, and adjust boot services for a machine. This in turn ties into group restriction. The smallest of options lie in the Registry and File System directories. Here we can set permissions as well as change audit settings for the registry, folders, and files themselves. Even with all of these options changed, we must be fully aware of one thing. Since all security settings defined in a template can be applied, you may inadvertently apply some settings. Any incorrect movements or changes to its environment can either be helpful or hazardous.

       All of these options can be broken down into each of their subcategories as seen below in Figure 2.2.





Figure 2.2




2.1.4 Out of Box Security

       Each security template can be used in whichever fashion we choose. We must measure what we are looking for in security and then move ahead from there. The templates that were involved in our study structure themselves around the security of workstations and domain controllers. The first template we will take a look at is the default security template, "setup security.inf." This security is only the safety that the Windows operating system offers directly after installation. This is the typical setting found in the common home. Users purchase a new computer and do not think anything of security, out of incompetence or laziness. This template is really only good for disaster recovery in the event of a severe crisis. However, it is not recommended that it be pushed out to many machines through Group Policy.





2.1.5 Secure Template Structure

       The next templates, "securews.inf" and "securedc.inf", are able to create a semi-secure workstation or domain controller environment. The enhanced security settings provide more secure possibilities of audit, password and lockout settings. A big hole within Windows operating systems is the use of LanManager for a data connection protocol. This component can be exploited through use of a combination of scanners and cracking programs such as "LOFT" and "John The Ripper." Windows hashes its passwords for all its users on that box and entrusts LM to do the whole job of securing it. With this in mind, Microsoft has pushed out the NT LanManager, or NTLM for short. The protocol keeps a tighter lock on the password hash and works hand in hand with an NTFS file structure. The secure setups allow computers to communicate through NTLM, but specifically NTLMv2, for authentication purposes. This template also restricts anonymous user activity within a domain. It will stop them from scanning a machine to find computer shares and/or user accounts. There will be a strict hold against enumeration specifically. Another asset of this tool is that it prevents a cracker from deciphering your machine's SID to discover its real name and vice versa. A spectacular feature of the secure security template is its hold on SMB. With this template in place, a rule is created to ensure that server-side SMB packet signing is performed. This typically does not exist on workstations and servers out of the box, but we can make use of it to ensure our logons aren't being exploited. The secure template does not, however, affect permissions, but sets a tighter grip for account, password, and audit policies. A neat feature of this template involves the migration of "Power Users" to the group "Users." This is done because the template assumes that Windows security settings are already in effect. The secure template will move all "Power Users" out of their own group simply as an initial security measure.

2.1.6 High Secure Template Structure

       The next template that we will be looking into is that of high security. This template is enforced by the workstation template, "hisecws.inf", and the domain controller template, "hisecdc.inf." Each has its own role in guiding a user down the correct path without being exploited on the way. This is the highest level of security that the predefined Windows templates offer. They are designed to work in environments where lower level clients are not supported. An example of this would be a Windows 2000 Server neglecting a Windows 3.1 client. A strict rule set can be seen in the enforcement of this component. This setup requires all network communications to be digitally signed as well as requiring them to be encrypted. Not only are SMB packets now digitally signed, the structure forces everything coming down the pipe to be of that high quality. This ensures that the sterility of the media found on that server will be somewhat intact and unharmed. As we saw in the previous template, "Power Users" were somewhat demoted into a "Users" category; however, they still retained some of their high horse rights. In this setup, "Power Users" are completely stripped of their rights and dropped into the same class as a normal user when dealing with the file system and registry keys. They are granted that same access only if an exception is made by an Administrator. The good thing about this template set is that it removes the Terminal Server user from all file system and registry ACLs, which ensures that users logging on to a Terminal Server environment are subjected to the same restrictions that plague normal users of that machine. Users are kept the same across the board as a measure to ensure rights management between resources on a distinctive machine.

       Each security template can be unique depending on how the network or system Administrator configures the device or devices. There are differences, however, between a secure and high secure environment. An example may be between banks that want you to open a checking account. One bank will allow you to spend your money as you see fit and not have a minimum balance, while the other has major requirements such as a minimum balance, at least twenty five dollars being transferred to another account, etc. Some of these differences exist between a secure template and a high secure template, including the use of NTLM. A secure template will not accept LM requests and responses but will accept ones from NTLM. A highly secure environment will, however, reject both LM and NTLM requests and force the machine to provide NTLMv2 authentication. Another example of a highly secure template and its robustness is in dealing with our old friend SMB. The secure template will allow SMB packets only if they are digitally signed. The "hisecdc" template, however, requires that random packets not only be signed but are in fact true SMB packets with their own digital signature. It is in cases like these that we as security professionals make changes to our templates in order to adjust the security level.





SecureDC vs. HisecureDC LAN Manager Restrictions

      SecureDC: Will accept anything above NTLM authentication.

      HisecureDC: Will accept ONLY NTLMv2 authentication.
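The template syntax of Section 2.1 and the secure-versus-high-secure differences just compared can be checked mechanically. The following Python is an added example, not code from the paper or from Microsoft, that parses the INF-style security template format and reports what a template enforces: which LAN Manager protocols are still accepted, whether server-side SMB signing is required, and the startup type each listed service is set to (the Disabled/Manual/Automatic states of Section 2.4). Assumptions: the two template fragments are constructed for this example rather than copied from securedc.inf/hisecdc.inf, the LmCompatibilityLevel 0-5 mapping follows that registry value's documented meaning, and the "secure"/"high secure" labels follow the paper's description of the two templates.

```python
from typing import Dict, List, Tuple

# Registry paths as written in a template's [Registry Values] section
# (matched case-insensitively); these decide the behaviour compared above.
LSA_LM_LEVEL = r"machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel"
SMB_REQUIRE_SIGN = (r"machine\system\currentcontrolset\services\lanmanserver"
                    r"\parameters\requiresecuritysignature")

# Startup-type codes used in the [Service General Setting] section.
STARTUP = {2: "Automatic", 3: "Manual", 4: "Disabled"}

# Constructed fragments in secedit's template syntax (not the shipped
# securedc.inf / hisecdc.inf). Registry entries are path=type,value; type 4 = REG_DWORD.
SECURE_TEMPLATE = r"""[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
; level 4: refuse LM, still accept NTLM and NTLMv2; SMB signing not required
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,4
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
[Service General Setting]
Messenger,4,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
Spooler,3,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
"""

HISEC_TEMPLATE = r"""[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
; level 5: refuse LM and NTLM, accept only NTLMv2; require server-side SMB signing
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
[Service General Setting]
Messenger,4,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
Spooler,4,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
"""

def parse_template(text: str) -> Dict[str, List[str]]:
    """Split an INF security template into {section name: [entry lines]},
    skipping blank lines and ';' comments as secedit does."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def registry_values(sections: Dict[str, List[str]]) -> Dict[str, Tuple[int, str]]:
    """Map lower-cased registry path -> (value type, value) from [Registry Values]."""
    values: Dict[str, Tuple[int, str]] = {}
    for entry in sections.get("Registry Values", []):
        path, _, rest = entry.partition("=")
        vtype, _, value = rest.partition(",")
        values[path.strip().lower()] = (int(vtype), value.strip())
    return values

def accepted_auth(level: int) -> set:
    """Challenge/response protocols a machine at this LmCompatibilityLevel still
    accepts: 0-3 accept LM, NTLM and NTLMv2; 4 refuses LM; 5 refuses LM and NTLM."""
    if level <= 3:
        return {"LM", "NTLM", "NTLMv2"}
    if level == 4:
        return {"NTLM", "NTLMv2"}
    return {"NTLMv2"}

def assess(text: str) -> dict:
    """Summarise what a template enforces for the settings the paper compares."""
    sections = parse_template(text)
    regs = registry_values(sections)
    # A path absent from the template leaves the machine's current value alone;
    # level 0 and signing-not-required are assumed here as the out-of-box defaults.
    level = int(regs.get(LSA_LM_LEVEL, (4, "0"))[1])
    signing_required = regs.get(SMB_REQUIRE_SIGN, (4, "0"))[1] == "1"
    services = {}
    for entry in sections.get("Service General Setting", []):
        name, start, _sddl = entry.split(",", 2)   # name,startup code,security descriptor
        services[name] = STARTUP.get(int(start), "Unknown")
    accepts = accepted_auth(level)
    if accepts == {"NTLMv2"} and signing_required:
        label = "high secure"   # hisecws/hisecdc behaviour as the paper describes it
    elif "LM" not in accepts:
        label = "secure"        # securews/securedc behaviour as the paper describes it
    else:
        label = "out of box"
    return {"lm_level": level, "accepts": accepts, "smb_signing_required": signing_required,
            "services": services, "label": label}

if __name__ == "__main__":
    for name, template in (("secure", SECURE_TEMPLATE), ("high secure", HISEC_TEMPLATE)):
        print(name, assess(template))
```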





2.1.7 Template Usage Precautions

       In using anything dealing with the altering of a computer's frame or daily work, one must take a great deal of precaution. Spreading these modified templates throughout a network using an automated process can prove to cripple your organization. Group Policy is spectacular for creating exceptions and policies for each user group. It provides a state of sanity amongst computing officials. It is great to make hundreds of computers secure, but not to the point that no one can actually use one. This will not work at all. The best practice for implementing such templates would be to gather a small group of computers and set them up on a private LAN. After this is done, the templates should go out through Group Policy. Now that you have your machines set to your required settings, begin acquiring guinea pigs. You can simply have them sit down and work on the machine to discover what they like and dislike. A more detailed task would be to create usability studies for this testing phase. This way you can hear the woes of users and bend whatever rules you can in order to achieve your security requirements. In addition to having these tests run, it is useful to have a simple backup plan in case of a disaster. Nothing too fancy is required, just a simple routine your IT team would follow in order to get your systems back up.





2.2    Why is Patching necessary?

       The solution to creating and implementing strong security baselines on computers that lie within your network is to simply perform the task and get over it. These baselines support a network and typically lay a foundation for what is to come in later years. With all this in mind, it is rather important to start your baselining operation by patching what you can. Security holes are present just about everywhere on your network. Windows boxes specifically are in need of patches for a number of reasons. Microsoft is rather known for leaving their install of the OS rather insecure.

       In order to understand the need to patch we must see that this is an epidemic to anyone who uses a computer and isn't limited to one operating system or group of software. Although you primarily hear about how many patches are needed to keep Windows running safely, this isn't a strictly Windows problem. The only reason you hear about Windows patches more is because Windows runs literally 95% of the world's computers and that makes them an easy target. That being said, keep in mind that whatever operating system you have should be updated often. Windows has a great utility called Windows Update which monitors updates for you. This is available on Windows 2000 and Windows XP. This is a must in today's day and age of cyber crime and cyber security. Users who regularly patch their setups will encounter few or none of the issues that may affect a large section of the world's populace.

       Patches for known vulnerabilities are available on software manufacturers' websites, but they are often ignored or unnoticed. The primary dilemma is that the task of applying patches is often perceived as too time-consuming, too complex, or as a low priority for system administrators. However, if you incorporate review and application of patches into your daily routine it will not only ensure it gets done, but it could ultimately take up less time. The practice will become second nature and easily flow through.

       Vulnerabilities can occur when a particular combination of your technologies does not work properly when used together. Vulnerabilities can also be the result of an oversight in software production by the manufacturer. Each vulnerability is a potential target for intrusion or other malicious activity. The key is to patch, and to patch early, before intruders use details of the exploit to gain access to your system. When one is identifying vulnerabilities, it is not wise to overlook any devices, whether they are connected to the machine or not. If that device is on a network and is talking to another device, it needs to be patched.





       This process can be incorporated into a daily routine in order to ensure what our machines will actually be able to do.

       Without patching, your computers become vulnerable to any new worms or viruses that are developed. Every cracker designs his or her virus around an open hole in the Windows environment. It will see this hole, get in, and then exploit it. An example of this may be the Welchia or Sasser worms. Each would make use of the Windows RPC features. The ability for these worms to attack your open ports, use your bandwidth, or retrieve your sensitive data is amazing. However, what may hurt your organization in the long run will be the ability of most of these worms to replicate themselves. They may do so by simply copying themselves to other directories or even renaming themselves as various files. In the case of the Blaster worm, a process could be noticed that was running. This could be ended, and then stopped from running. It then went on a free-for-all and began attacking Windows system processes such as "RUNDLL.exe." The worm can mask itself as something else, hibernate, and then you will be waiting for any new activity.

       If your enterprise is running a wide variety of software programs, it is important to stay up-to-date with the patches for each program, and apply them to each server as needed. It is important that patching is recognized as a crucial part of doing business, and it should be included in your overall security policy. Sometimes advisories are released that detail vulnerabilities for which there is no patch available. If that is the case, your only option may be to restrict access to the server containing the vulnerability.

       These patches that we see in the diagram above suggest that hot fixes are the only means to end our mayhem. Patches can be labeled by their importance:

       • Workarounds: A quick fix for an open vulnerability that simply involves turning that resource itself off (e.g., Microsoft Security Bulletin MS04-009 - Vulnerability in Microsoft Outlook Could Allow Code Execution (828040)).

       • Patch: A fix for a specific hole in the Windows environment (e.g., Microsoft Security Bulletin MS04-011 - Security Update for Microsoft Windows (835732)).

       • Hot fix: A small fix that is generally geared towards a specific user (e.g., a Compaq restore CD digitally signed with a specific service code).

       • Service Pack: A group of fixes, patches, and workarounds. It provides a huge chunk of security updates and overall system updates (e.g., Windows XP SP2 patched the Sasser worm).

       • Update: Fixes for non-security problems (e.g., Microsoft Office upgrade from XP to 2003).

       • Critical Update: These are updates that are deemed critical because they address various security vulnerabilities in Windows (e.g., MS06-013 - addresses several vulnerabilities in Internet Explorer, a component of Windows).





2.3    What is a Service?

       "A service is a process or set of processes that adds functionality to Windows by providing support to other programs." (2000 Services)

       Services are similar to programs that run in the background; however, services load and start running at boot time (unlike an application program that is launched). The default installation of each version of Windows provides a core set of services and configurations (see Figure 2.4).


2.4    Services and service states

       Baseline security measures may be implemented by addressing services that are not necessary for software or operating system operation. In an attempt to effectively measure security, we tried to identify and isolate those services that we felt were not necessary. These are outlined with a history of why the service should be disabled rather than automatically started. However, each service would have to be addressed by the specific user as to whether or not it was needed or necessary to their environment.

       Each operating system not only has certain services with the states of either disabled, automatic or manual by default, but each system has some unique services that are specific to its application, such as a domain controller.





       In summary, due consideration must be given to the ramifications that
will result from disabling certain services in your environment.

       Every service in Windows has one of three startup types, listed below.
The startup type (set in the Services console) is distinct from the service's
current status (Started or Stopped): a Manual service may be running because
something started it, and an Automatic service may be stopped because it failed
or was stopped by hand.

Figure 2.4

      • Disabled.
        These services are installed; however, until they are moved to the
        Manual or Automatic startup type, they cannot be started by the system
        or by an application.

      • Manual.
        These services are installed. They only start up when another service
        or application requests their functionality (or an administrator starts
        them by hand).

      • Automatic.
        At boot time, these services are started and run by the operating system
        after device drivers are loaded, before any user logs on.
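The startup type tells you what the system will do at boot; the status tells you what is actually running now, and the two disagree more often than people expect. The PowerShell script below is an added example, not part of the original paper, that inventories every service's startup type, status and logon account through the Win32_Service WMI class (present on XP/2003 and later, where StartMode is the startup type and State the status) and flags the two mismatches. It also previews the Log On tab point from section 2.5 by listing services that run as LocalSystem from a binary outside the Windows directory, which are the usual candidates for a restricted service account; the %SystemRoot% heuristic is an assumption of this example, not a rule from the paper.

```powershell
# Added example (not part of the original paper): inventory startup type vs.
# current status for every service. Requires Windows PowerShell 2.0 or later.

$services = Get-WmiObject Win32_Service |
    Select-Object Name, DisplayName, StartMode, State, StartName, PathName

# Count services per startup type (Auto / Manual / Disabled)
"Services by startup type:"
$services | Group-Object StartMode | ForEach-Object {
    "  {0,-10} {1,4}" -f $_.Name, $_.Count
}

# Automatic services that are not running: a failed start or a manual stop
"`nAutomatic but stopped:"
$services | Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' } |
    ForEach-Object { "  {0,-25} {1}" -f $_.Name, $_.State }

# Manual services that are running: another service or program started them
"`nManual but running (started on demand):"
$services | Where-Object { $_.StartMode -eq 'Manual' -and $_.State -eq 'Running' } |
    ForEach-Object { "  {0,-25} runs as {1}" -f $_.Name, $_.StartName }

# Services running as LocalSystem whose binary lives outside %SystemRoot%:
# typically third-party services, candidates for a restricted service account.
# (Heuristic assumed by this example; PathName may be quoted, hence two tests.)
"`nLocalSystem services outside ${env:SystemRoot}:"
$services | Where-Object {
        $_.StartName -eq 'LocalSystem' -and
        $_.PathName -notlike "$env:SystemRoot*" -and
        $_.PathName -notlike "`"$env:SystemRoot*"
    } | ForEach-Object { "  {0,-25} {1}" -f $_.Name, $_.PathName }
```

The "Manual but running" list is worth reading before any hardening pass: every entry is a service that something on the machine actually needed, even though nothing in the startup configuration says so.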





2.5   Editing Services and Determining Dependencies

      The “Services” window (services.msc) lists each service in the columns
“Name”, “Description”, “Status”, “Startup Type” and “Log On As”. This provides
an overview of all the services installed. Each operating system can have many
different services available. You can obtain detailed information on each
service by double-clicking any of the entries.

      Below (Figure 2.5) is the “Services” property window for the service
“Alerter”. The property sheet has 4 tabs: “General”, “Log On”, “Recovery” and
“Dependencies”.

      Figure 2.5






General Tab:
The “General” tab of the property sheet provides general information about the
service. Included are the service name and display name, a description (the same
as the description in the “Services” window), the fully qualified path to the
executable that the service is associated with, the startup type of the service
(Disabled, Automatic or Manual), the service status (if running, you have the
option to stop, pause and resume the service) and the start parameters that may
be passed to the service when it is started from this tab.

Log On Tab:
“Assigns a log on account to a service. Although most services log on to the
system account, some services can be configured to log on to special user
accounts, so that the user can have access to resources such as files and
folders that are protected.” (taken from the Microsoft Windows Help File)

For security reasons, third-party services should be run under a dedicated
service account that has only the rights the service needs, rather than under
the LocalSystem account, so that a compromise of the service does not hand the
attacker full system privileges.





Recovery Tab:
This tab determines what course of action should be taken if the service fails.
A separate action can be chosen for the first failure, the second failure and
all subsequent failures. The four choices are “Take No Action”, “Restart the
Service”, “Run a Program”, and “Restart the Computer”. Two additional settings
control the behaviour: “Reset fail count after” (days) and “Restart service
after” (minutes). The “Run a Program” option enables the ‘Run Program’ selection
box, which allows you to browse to the program you wish to launch upon failure
and to supply parameters to pass to this program. Because the recovery program
is launched by the Service Control Manager with system privileges, it must be
stored where ordinary users cannot modify or replace it.

Dependencies Tab:
Some services have interdependencies with other services, meaning that stopping
one service can affect others. This tab shows which services this service
depends on and which system components depend on this particular service. In
this example, Alerter depends on the ‘Workstation’ service, but no system
components depend on the ‘Alerter’ service. A service with running dependents
should not be disabled until those dependents have been dealt with, or they will
fail to start at the next boot.





2.6    Historical evolution of operating system services

       As Windows has evolved into a more secure operating system, services that
had once been configured ‘Automatic’ now come out-of-the-box ‘Disabled’ on
specific operating systems. Certain editions of Windows are inherently more
secure than their predecessors. The following is a breakdown of services that
are suggested to be ‘Disabled’ or ‘Manual’ rather than ‘Automatic’. Note that
some of these configuration settings do not apply to the services that are
running on a standard out-of-the-box installation (for example, a new XP
installation will at least come with Service Pack 1, and an installation that
already includes SP2 ships with several of the services below disabled).

       The services listed in Section 2.8 are a small sample of the services
available under most Windows operating systems. The list is representative of
how these services have evolved from version to version, with an opinion on what
the suggested setting for each service should be. Along with this information
is a brief summary or description of the service.





2.7    Basic configuration details
Some of the more obvious basic configuration details are listed:

      Simple File Sharing. Turn off file sharing if you are not using it. On
       XP Professional, Simple File Sharing also maps every network logon to
       the Guest account, so turn it off even where sharing is needed and rely
       on per-user permissions instead.

      ICS - Internet Connection Sharing. A machine acts as a NAT gateway to the
       internet to share a connection with other machines. Leave it off unless
       the machine is intentionally the shared gateway.

      Enable ICF - Internet Connection Firewall. Renamed Windows Firewall and
       turned on by default in XP SP2; on earlier XP releases it must be
       enabled on each connection by hand.

      Use account passwords and password expiration and lockout policies.
       Disable the guest account.

      Install an antivirus software program and keep its definitions current.

      Keep up-to-date with patches and updates. Turn on automatic updates.

      Disable unnecessary services. Disabling unneeded services provides an
       extra layer in that you are not opening ports or running programs that
       you do not use. These same ports and programs can fall prey to
       vulnerabilities.
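The items above can be checked and applied with the stock tools of an XP SP2 or Server 2003 host. The PowerShell script below is an added example, not part of the original paper; it audits the host against the list and, with -Fix, applies each missing setting. It uses net.exe, netsh.exe and registry values that exist on these versions (ForceGuest under Lsa controls Simple File Sharing on XP Professional; AUOptions under WindowsUpdate\Auto Update controls Automatic Updates). Assumptions of this example: it runs as a local administrator; the 90-day maximum password age, 8-character minimum length and 5-attempt lockout are illustrative values, not the paper's; and the /lockoutthreshold, /lockoutduration and /lockoutwindow switches of net accounts, which net's help text does not list, are accepted on XP/2003. Antivirus installation is not checked because there is no vendor-neutral way to do so.

```powershell
# Added example (not part of the original paper): audit a Windows XP SP2 /
# Server 2003 host against the basic configuration list in section 2.7 and,
# with -Fix, apply the items found missing. Requires PowerShell 2.0 or later
# and a local administrator account.
param([switch]$Fix)

$results = @()
function Check($Name, $Ok, $Remedy) {
    $script:results += New-Object PSObject -Property @{ Item = $Name; Ok = $Ok }
    if (-not $Ok -and $Fix) { & $Remedy }
}

# 1. Guest account disabled ("Account active  No" in net user output)
$guestActive = (net user guest) -match '^Account active\s+Yes'
Check 'Guest account disabled' (-not $guestActive) { net user guest /active:no | Out-Null }

# 2. Simple File Sharing off: Lsa\ForceGuest = 0 (XP Professional)
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$forceGuest = (Get-ItemProperty $lsa -ErrorAction SilentlyContinue).ForceGuest
Check 'Simple File Sharing off' ($forceGuest -eq 0) {
    Set-ItemProperty $lsa -Name ForceGuest -Value 0 -Type DWord }

# 3. Windows Firewall (ICF) operational mode enabled
$fwOn = (netsh firewall show opmode) -match 'Operational mode\s+=\s+Enable'
Check 'Windows Firewall enabled' ([bool]$fwOn) { netsh firewall set opmode mode=enable | Out-Null }

# 4. Automatic Updates on: AUOptions 4 = download and install on a schedule
$au = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$auOpt = (Get-ItemProperty $au -ErrorAction SilentlyContinue).AUOptions
Check 'Automatic Updates on' ($auOpt -eq 4) {
    if (-not (Test-Path $au)) { New-Item $au -Force | Out-Null }
    Set-ItemProperty $au -Name AUOptions -Value 4 -Type DWord
    Set-ItemProperty $au -Name NoAutoUpdate -Value 0 -Type DWord }

# 5. Password expiration, minimum length and lockout (local policy via net accounts).
#    "Unlimited" / "Never" leave no digits, so the parsed value becomes 0 or ''.
$acct = net accounts
$maxAge  = [int](($acct | Select-String 'Maximum password age')    -replace '\D', '')
$minLen  = [int](($acct | Select-String 'Minimum password length') -replace '\D', '')
$lockout =       ($acct | Select-String 'Lockout threshold')       -replace '\D', ''
Check 'Password expires within 90 days' ($maxAge -gt 0 -and $maxAge -le 90) {
    net accounts /maxpwage:90 | Out-Null }
Check 'Minimum password length >= 8' ($minLen -ge 8) { net accounts /minpwlen:8 | Out-Null }
Check 'Account lockout threshold <= 5' ($lockout -ne '' -and [int]$lockout -le 5) {
    net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null }

$results | Format-Table Item, Ok -AutoSize
```

Run it once without -Fix to see the drift, then with -Fix; on a domain member the password and lockout items come from domain policy and the local net accounts changes will be overridden.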





2.8      Service Evolution Breakdown


                                      Alerter Service

   Service Name              Alerter
   Process Name              svchost.exe -k LocalService
   Default Settings          XP Home/Pro: Manual            2000 Server DC: Automatic
                             Win2000 Pro (all SP): Manual   2003 Server DC: Disabled
                             XP w/SP2: Disabled
   Microsoft Service         Notifies selected users and computers of administrative alerts. If the
   Description               service is stopped, programs that use administrative alerts will not
                             receive them. If this service is disabled, any services that explicitly
                             depend on it will fail to start.
   Dependencies              Workstation
   Suggestion                Needed only if the machine is part of a network that sends and
                             receives administrative alerts; otherwise it is an idle listener.
   Ramification              Programs that use administrative alerts will not receive them.
   Is this service needed?   Possibly              Recommended Setting:   Disabled



                              Application Layer Gateway Service

   Service Name              ALG
   Process Name              alg.exe
   Default Settings          XP Home/Pro: Manual            2000 Server DC: N/A
                             Win2000 Pro (all SP): N/A      2003 Server DC: Manual
                             XP w/SP2: Manual
   Microsoft Service         Provides support for 3rd party protocol plug-ins for Internet Connection
   Description               Sharing and the Windows Firewall.
   Dependencies              None
   Suggestion                One of the pieces you need if you connect to the internet through ICS
                             or the Windows Firewall (ICF). It loads application-level protocol
                             plug-ins (for example FTP) so that those protocols work through the
                             NAT or firewall.
   Ramification              Programs that rely on ALG plug-ins (for example file transfer in MSN
                             Messenger / Windows Messenger through ICS or the Windows Firewall)
                             will not work. Leave it Manual wherever ICS or the Windows Firewall
                             is used so the plug-ins can be started on demand.
   Is this service needed?   Probably              Recommended Setting:   Manual





                              Application Management Service

   Service Name              AppMgmt
   Process Name              svchost.exe -k netsvcs
   Default Settings          XP Home/Pro: Manual            2000 Server DC: Manual
                             Win2000 Pro (all SP): Manual   2003 Server DC: Manual
                             XP w/SP2: Manual
   Microsoft Service         Provides software installation services such as Assign, Publish, and
   Description               Remove.
   Dependencies              None
   Suggestion                Processes installation and removal of programs that are assigned or
                             published through Active Directory Group Policy, and supplies the
                             list of published programs to Add/Remove Programs.
   Ramification              Software assigned or published through Group Policy cannot be
                             installed or removed; locally run installers and Add/Remove Programs
                             for locally installed software are unaffected.
   Is this service needed?   On domain members     Recommended Setting:   Manual
                             using Group Policy
                             software installation



                           Background Intelligent Transfer Service

   Service Name              BITS
   Process Name              svchost.exe -k netsvcs
   Default Settings          XP Home/Pro: Automatic         2000 Server DC: Manual
                             Win2000 Pro (all SP): Manual   2003 Server DC: Manual
                             XP w/SP2: Manual
   Microsoft Service         Transfers files in the background using idle network bandwidth. If the
   Description               service is stopped, features such as Windows Update, and MSN
                             Explorer will be unable to automatically download programs and other
                             information. If this service is disabled, any services that explicitly
                             depend on it may fail to transfer files if they do not have a fail safe
                             mechanism to transfer files directly through IE in case BITS has been
                             disabled.
   Dependencies              Remote Procedure Call (RPC)
   Suggestion                Transfers data between clients and servers in the background.
                             Automatic Updates starts it on demand, so leave it Manual (not
                             Disabled) if you enable automatic updates.
   Ramification              Features that update automatically, such as Windows Update /
                             Automatic Updates and some virus-definition updaters, will not work.
   Is this service needed?   Probably              Recommended Setting:   Manual





                                      ClipBook Service

   Service Name              ClipSrv
   Process Name              clipsrv.exe
   Default Settings          XP Home/Pro: Manual            2000 Server DC: Manual
                             Win2000 Pro (all SP): Manual   2003 Server DC: Disabled
                             XP w/SP2: Disabled
   Microsoft Service         Enables ClipBook Viewer to store information and share it with remote
   Description               computers. If the service is stopped, ClipBook Viewer will not be able
                             to share information with remote computers. If this service is disabled,
                             any services that explicitly depend on it will fail to start.
   Dependencies              Network DDE, Network DDE DSDM
   Suggestion                Enables ClipBook Viewer to store and share information with remote
                             computers. If you often cut and paste from other machines over the
                             LAN, keep it; if not, disable it and start it on the rare occasion you
                             need it.
   Ramification              You will not be able to cut/paste information with remote computers.
   Is this service needed?   NO                    Recommended Setting:   Disabled




                           Distributed Link Tracking Client Service

   Service Name              TrkWks
   Process Name              svchost.exe -k netsvcs
   Default Settings          XP Home/Pro: Automatic            2000 Server DC: Automatic
                             Win2000 Pro (all SP): Automatic   2003 Server DC: Manual
                             XP w/SP2: Automatic
   Microsoft Service         Maintains links between NTFS files within a computer or across
   Description               computers in a network domain.
   Dependencies              Remote Procedure Call (RPC)
   Suggestion                Ensures that links and shortcuts continue to work even after the target
                             file is renamed or moved (maintains links in the file system).
   Ramification              Link tracking unavailable. If the machine is part of a domain and you
                             rely on NTFS link tracking across the network (e.g., databases that
                             follow moved files), keep it enabled.
   Is this service needed?   Possibly              Recommended Setting:   Manual





                                          HTTP SSL

   Service Name              HTTPFilter
   Process Name              svchost.exe -k HTTPFilter
   Default Settings          XP Home/Pro: N/A               2000 Server DC: N/A
                             Win2000 Pro (all SP): N/A      2003 Server DC: Manual
                             XP w/SP2: Manual**             ** this service was added in XP SP2
   Microsoft Service         This service implements the secure hypertext transfer protocol
   Description               (HTTPS) for the HTTP service, using the Secure Sockets Layer (SSL).
                             If this service is disabled, any services that explicitly depend on it
                             will fail to start.
   Dependencies              HTTP (the http.sys kernel-mode driver)
   Suggestion                Provides SSL for the server-side HTTP service (http.sys), i.e. for a
                             web site hosted on this machine with IIS. It is not used when a
                             browser on this machine connects to an HTTPS site; that goes through
                             the browser's own SSL support. Manual lets it start when IIS needs it;
                             set it to Automatic only on a machine that serves HTTPS.
   Ramification              Sites hosted on this machine cannot be served over HTTPS. Browsing to
                             HTTPS sites from this machine is unaffected.
   Is this service needed?   Only if hosting HTTPS  Recommended Setting:  Manual (Automatic on
                                                                          an HTTPS server)




                               IMAPI CD-Burning COM Service

   Service Name              ImapiService
   Process Name              imapi.exe
   Default Settings          XP Home/Pro: Manual            2000 Server DC: N/A
                             Win2000 Pro (all SP): N/A      2003 Server DC: Automatic
                             XP w/SP2: Manual
   Microsoft Service         Manages CD recording using Image Mastering Applications
   Description               Programming Interface (IMAPI). If this service is stopped, this
                             computer will be unable to record CDs. If this service is disabled, any
                             services that explicitly depend on it will fail to start.
   Dependencies              None listed
   Suggestion                This is the Windows built-in CD burning support, which manages CD
                             recording through IMAPI (Image Mastering API). If you want to use
                             Windows CD burning, leave it Manual. If the machine has no CD-RW
                             drive, disable it.
   Ramification              Unable to burn CDs using Windows.
   Is this service needed?   Possibly              Recommended Setting:   Manual





                                      Indexing Service

   Service Name              cisvc
   Process Name              cisvc.exe
   Default Settings          XP Home/Pro: Manual            2000 Server DC: Manual
                             Win2000 Pro (all SP): Disabled 2003 Server DC: Disabled
                             XP w/SP2: Manual
   Microsoft Service         Indexes contents and properties of files on local and remote
   Description               computers; provides rapid access to files through flexible querying
                             language.
   Dependencies              Remote Procedure Call (RPC)
   Suggestion                Indexes the contents and properties of files on local and remote
                             machines so that searches return quickly. In practice its CPU and disk
                             usage outweighs the modest speed-up in searching. Rather than only
                             disabling the service, remove the Indexing Service component through
                             Add/Remove Programs (Windows Components).
   Ramification              Files will not be indexed; searches that would have used the index
                             may be slower.
   Is this service needed?   NO                    Recommended Setting:   Disabled




                                     Messenger Service

   Service Name              Messenger
   Process Name              svchost.exe -k netsvcs
   Default Settings          XP Home/Pro: Automatic            2000 Server DC: Automatic
                             Win2000 Pro (all SP): Automatic   2003 Server DC: Disabled
                             XP w/SP2: Disabled
   Microsoft Service         Transmits net send and Alerter service messages between clients and
   Description               servers. This service is not related to Windows Messenger. If this
                             service is stopped, Alerter messages will not be transmitted. If this
                             service is disabled, any services that explicitly depend on it will fail
                             to start.
   Dependencies              NetBIOS Interface, Plug and Play, Remote Procedure Call (RPC),
                             Workstation
   Suggestion                Transmits net send and Alerter service messages between clients and
                             servers. This is not related to the Windows Messenger instant
                             messaging client. Because it accepts unsolicited net send messages
                             from the network, it was widely abused for pop-up spam, which is why
                             XP SP2 and Server 2003 ship it Disabled.
   Ramification              Alerter and net send messages will not be transmitted or received.
   Is this service needed?   NO                    Recommended Setting:   Disabled





                         MS Software Shadow Copy Provider Service

   Service Name              SwPrv
   Process Name              dllhost.exe
   Default Settings          XP Home/Pro: Manual            2000 Server DC: N/A
                             Win2000 Pro (all SP): N/A      2003 Server DC: Manual
                             XP w/SP2: Manual
   Microsoft Service         Manages software-based volume shadow copies taken by the Volume
   Description               Shadow Copy service. If this service is stopped, software-based
                             volume shadow copies cannot be managed. If this service is disabled,
                             any services that explicitly depend on it will fail to start.
   Dependencies              Remote Procedure Call (RPC)
   Suggestion                Manages the software-based volume shadow copies created by the
                             Volume Shadow Copy service. Windows Backup (NTBackup) uses it;
                             if you use that backup utility leave it Manual, otherwise disable it.
   Ramification              Software shadow copies cannot be created, so Windows Backup cannot
                             back up open files.
   Is this service needed?   NO (unless Windows     Recommended Setting:  Disabled (Manual if
                             Backup is used)                               Windows Backup is used)




                                     Net Logon Service

   Service Name              Netlogon
   Process Name              lsass.exe
   Default Settings          XP Home/Pro: Manual            2000 Server DC: Automatic
                             Win2000 Pro (all SP): Manual   2003 Server DC: Manual
                             XP w/SP2: Manual
   Microsoft Service         Supports pass-through authentication of account logon events for
   Description               computers in a domain.
   Dependencies              Workstation
   Suggestion                Used for domain authentication when you log on to a domain. A
                             standalone or workgroup machine does not need it; a domain member
                             must keep it enabled or domain logons and Group Policy will fail.
   Ramification              No domain, then you do not need Net Logon. On a domain member,
                             disabling it breaks domain logon.
   Is this service needed?   Possibly              Recommended Setting:   Disabled (workgroup
                                                                          machines only)





                        NetMeeting Remote Desktop Sharing Service

   Service Name              mnmsrvc
   Process Name              mnmsrvc.exe
   Default Settings          XP Home/Pro: Manual            2000 Server DC: Manual
                             Win2000 Pro (all SP): Manual   2003 Server DC: Disabled
                             XP w/SP2: Manual
   Microsoft Service         Enables an authorized user to access this computer remotely by using
   Description               NetMeeting over a corporate intranet. If this service is stopped, remote
                             desktop sharing will be unavailable. If this service is disabled, any
                             services that explicitly depend on it will fail to start.
   Dependencies              None listed
   Suggestion                Lets a remote user take control of this machine through NetMeeting
                             over the corporate network. Keep it Disabled and enable it only for the
                             duration of a session in which you actually want to share the desktop.
   Ramification              NetMeeting remote desktop sharing will be unavailable. Leave it Manual
                             only if you use NetMeeting sharing frequently.
   Is this service needed?   NO                    Recommended Setting:   Disabled




                                    Network DDE Service

   Service Name              NetDDE
   Process Name              netdde.exe
   Default Settings          XP Home/Pro: Manual            2000 Server DC: Manual
                             Win2000 Pro (all SP): Manual   2003 Server DC: Disabled
                             XP w/SP2: Disabled
   Microsoft Service         Provides network transport and security for Dynamic Data Exchange
   Description               (DDE) for programs running on the same computer or on different
                             computers. If this service is stopped, DDE transport and security will be
                             unavailable. If this service is disabled, any services that explicitly
                             depend on it will fail to start.
   Dependencies              Network DDE DSDM
   Suggestion                Provides network transport and security for DDE between applications
                             running on the same machine or on different machines. This service is
                             used by ClipBook (above); few modern applications need network DDE.
   Ramification              Network DDE (and therefore ClipBook sharing) will be unavailable.
   Is this service needed?   NO                    Recommended Setting:   Disabled

NOTE: The Network DDE DSDM service manages the network shares for the Network DDE
service above; it should be set the same way.






                      Remote Desktop Help Session Manager Service

   Service Name              RDSessMgr
   Process Name              sessmgr.exe
   Default Settings          XP Home/Pro: Manual            2000 Server DC: N/A
                             Win2000 Pro (all SP): N/A      2003 Server DC: Manual
                             XP w/SP2: Manual
   Microsoft Service         Manages and controls Remote Assistance. If this service is stopped,
   Description               Remote Assistance will be unavailable. Before stopping this service,
                             see the Dependencies tab of the Properties dialog box.
   Dependencies              Remote Procedure Call (RPC)
   Suggestion                Manages and controls Remote Assistance (the feature that lets a helper
                             view or share your session by invitation). It is not required for
                             Remote Desktop connections, which use the Terminal Services service.
                             Keep it only if you use Remote Assistance.
   Ramification              Remote Assistance will not be available.
   Is this service needed?   NO                    Recommended Setting:   Disabled




                                  Remote Registry Service

   Service Name              RemoteRegistry
   Process Name              svchost.exe -k LocalService
   Default Settings          XP Home: N/A; XP Pro: Automatic     2000 Server DC: Automatic
                             Win2000 Pro (all SP): Automatic     2003 Server DC: Automatic
                             XP w/SP2: Automatic
   Microsoft Service         Enables remote users to modify registry settings on this computer. If
   Description               this service is stopped, the registry can be modified only by users on
                             this computer. If this service is disabled, any services that explicitly
                             depend on it will fail to start.
   Dependencies              Remote Procedure Call (RPC)
   Suggestion                Provides remote read and write access to the registry for authorized
                             users. Some remote management and patch-scanning tools (for example
                             MBSA) require it; on a standalone machine nothing does.
   Ramification              Remote systems will not be able to connect to the registry, so remote
                             patch-compliance scans and remote management tools that read the
                             registry will fail.
   Is this service needed?   Possibly              Recommended Setting:   Disabled





                             Routing and Remote Access Service

   Service Name              RemoteAccess
   Process Name              svchost.exe -k netsvcs
   Default Settings          XP Home/Pro: Disabled/Manual   2000 Server DC: Disabled
                             Win2000 Pro (all SP): Disabled 2003 Server DC: Disabled
                             XP w/SP2: Disabled
   Microsoft Service         Offers routing services to businesses in local area and wide area
   Description               network environments.
   Dependencies              NetBIOSGroup, Remote Procedure Call (RPC)
   Suggestion                Allows LAN and WAN dial-in access to the computer by enabling
                             LAN-to-LAN (LAN-to-WAN), VPN and NAT routing services for clients
                             and servers on the network. A workstation should never act as a router
                             or dial-in server, so leave it Disabled.
   Ramification              Routing and remote access services will be unavailable.
   Is this service needed?   NO                    Recommended Setting:   Disabled




                                            Telnet Service

    Service Name              TlntSvr            Process Name               tlntsvr.exe
    Default Settings          XP Home/Pro: N/A - Manual            2000 Server DC : Manual
                              Win2000 Pro (all SP): Manual         2003 Server DC: N/A
                              XP w/SP2 : Disabled
                              Enables a remote user to log on to this computer and run programs,
                              and supports various TCP/IP Telnet clients, including UNIX-based and
    Microsoft Service
                              Windows-based computers. If this service is stopped, remote user
    Description
                              access to programs might be unavailable. If this service is disabled,
                              any services that explicitly depend on it will fail to start.
    Dependencies              NT LM Security Support Provider
                              Remote Procedure Call
    Dependencies                                               TCP/IP Protocol Driver
                              (RPC)
                              Enables a remote user to log to this machine and run programs.
    Suggestion                TCP/IP clients supported. Unless you have specific reason to use this
                              disable and use SSH. (sygwin or unix services for windows 3.5)
    Ramification              Remote access via Telnet unavailable
    Is this service needed?     NO      Recommended Setting:                   Disabled

NOTE: Smart Card Service and Smart Card Helper Service (eliminated in XP SP2): enable only if you
are using smart cards.



Page 39 of 60                                                                     Security Baselines
IT – 230 Network Security
SECTION TWO - BACKGROUND

                                            WebClient Service

    Service Name              WebClient              Process Name           svchost.exe -k LocalService
    Default Settings          XP Home/Pro: Automatic               2000 Server DC: N/A
                              Win2000 Pro (all SP): N/A            2003 Server DC: Disabled
                              XP w/SP2: Automatic
    Microsoft Service         Enables Windows-based programs to create, access, and modify
    Description               Internet-based files. If this service is stopped, these functions will not
                              be available. If this service is disabled, any services that explicitly
                              depend on it will fail to start.
    Dependencies              WebDAV Client Redirector
    Suggestion                Enables Windows applications to create, access and modify Internet-
                              based files. The service makes it possible to use "web folders" and to
                              browse the file systems of web servers (adding secure password
                              authentication and file locking) within an Explorer window.
    Ramification              Functions tied to the service may not be available, although Internet
                              Explorer can be used for this functionality (File --> Open --> enter URL
                              and check the "Open as Web Folder" checkbox).
    Is this service needed?   Possibly      Recommended Setting:   Disabled




                              Windows Image Acquisition (WIA) Service

    Service Name              stisvc                 Process Name           svchost.exe -k imgsvc
    Default Settings          XP Home/Pro: Manual                  2000 Server DC: N/A
                              Win2000 Pro (all SP): N/A            2003 Server DC: Disabled
                              XP w/SP2: Manual
    Microsoft Service         Provides image acquisition services for scanners and cameras.
    Description
    Dependencies              Remote Procedure Call (RPC)
    Suggestion                This service handles image acquisition for cameras and scanners. If you
                              don't have a scanner or camera you can disable this service.
    Ramification              Programs that require images, like Windows Movie Maker, won't function
                              properly. If you are using a scanner or camera, enable it.
    Is this service needed?   Possibly      Recommended Setting:   Manual

Note: Volume Shadow Copy Service is related to the Microsoft Backup Utility; disable it if you are
not using it.



 SECTION THREE - TESTING

3.1   Procedure

      Machines were first categorized as Workstation, Server, Domain Controller, and Out of
Box. The last group was created because its testing could not correspond with the initial
three groups: the original three were tested on four variables, while the Out of Box
operating systems were only tested on three, since Template was not a factor for those
operating systems. VMware Server Beta and Microsoft Virtual Machine 2005 RC2 were utilized
to allow easier operation of a multi-tasking environment. While the different products used
have no effect on the actual testing that was performed, they allow the easiest means of
ensuring a reliable test bed.

      This reliability stems from the products' architecture of saving their partition tables
and data into two files. VMware uses <filename>.vmdk for the partition table and data and a
<filename>.vmx file for configuration data. Virtual Machine uses <filename>.vhd for the
partition table and data and <filename>.vmc for the configuration. These two files can then
be copied elsewhere on the physical machine hosting the virtual machines to replicate, back
up, or archive the virtual machine.

      The joining of machines (minus DCs) to a Microsoft Active Directory Domain was needed
to allow consistent policy and service manipulation amongst all machines via Group Policy
Objects (GPOs).




      The first actual step consisted of allocating virtual machine (VM) resources to each
base operating system. A VM was created for Windows 2000 Pro, Windows 2000 Server, Windows
2003 Ent Server, Windows XP, Linux Enterprise ES, Fedora FC4, Windows 2000 Server DC, Windows
2003 Server DC, and NT 4.0 Server. This was followed by the actual installation of the above
operating systems in the virtual machines.

      In an attempt to keep out of box (OOB) testing somewhat on the same playing field, as
well as to test environments that may truly exist, the operating systems were installed from
the following media: Release to Manufacturing (RTM) builds for Windows Server 2003 and
slipstreamed SP6a media for Windows NT. This media was used in an attempt to bring most of
the operating systems to the patch levels of 2002-2003. Following the installation of the
operating systems, servers and workstations were set up to auto logon and then shut down to
be replicated.

      It was necessary to manually copy the *.vmx/*.vmdk or *.vmc/*.vhd files to another
folder named "<operating system version> patched". The virtual machine was opened and the
host's friendly name was changed to reflect Patched. The unpatched virtual machine was then
booted and the computer was renamed to reflect the naming scheme set out,
<OSVersionServicePack#PatchStatus>. For example, Windows 2000 Pro running SP4 and patched
would be named "Win2kpSP4p". The patched virtual machine was then booted, all of the needed
patches were applied, and it was then renamed.


       Nessus was installed in order to run penetration testing. The machines were scanned
with Nessus using NMAP and security plug-ins current to the beginning of April 2006. Each
test case assessed the security of the system against over 10,000 vulnerability plug-ins.
Above and beyond the vulnerability plug-ins, ports 1-2000 were scanned for open ports and
accessibility. Each test took an estimated 1-2 hours to complete a full assessment.

       Throughout each test, group policy objects (GPOs) were applied to each machine to test
the security level. The different GPOs applied were Secure WKs, High Secure WKs, Secure DC,
High Secure DC, Services Enabled, and Services Disabled. Organizational Units (OUs) were
created for Secure WKs, High Secure WKs, Secure DC, and High Secure DC. The GPOs were linked
to their appropriate Organizational Units, and Services Enabled was linked by default to each
OU as stated for the conditions of the initial test.

       A different criterion, such as Services Disabled, was also applied to the default
computer OU depending on the criteria of that test. The machines were rebooted twice to
ensure services were disabled. The machines were once again scanned with the Nessus Scan
Policy Out of Box.

       Following the last Nessus scan, all machines were moved into the Secure WK
Organizational Unit. The machines were rebooted twice to allow the GPOs to install, and it
was verified that they had been installed by checking each machine manually to determine that
"Effective Policy" had been changed. Another Nessus Scan Policy named Secure WK was created
and all the machines were scanned.

      The Services Disabled GPO and Secure WK Organizational Unit were linked and the
Services Enabled Group Policy Object was deleted. The machines were rebooted twice to ensure
services were disabled. The machines were scanned using the Nessus Scan Policy Secure WK.

      The machines were moved from the Secure WK Organizational Unit into the High Secure WK
Organizational Unit. The machines again were rebooted twice and checked for "Effective
Policy" to determine that services were enabled. A new Nessus Scan Policy was created and
named High Secure WK Organizational Unit, which was followed by the initial scan. The
Services Disabled GPO was linked to High Secure WK and the Services Enabled GPO was deleted.
The machines were rebooted twice to ensure services were disabled and were scanned by the
Nessus Scan Policy High Secure WK.

      The Domain Controllers were booted and a new Active Directory Domain for them to join
was also created. "Win2k3ssp1dcp" was made the primary Domain Controller. All of the other
machines were joined to its domain. The patched Windows 2003 Server Domain Controller was
made a Global Catalog and DNS Server.





      A new Nessus Scan Policy was created and called Domain Controller Out of Box. The
machines began their initial scan. On the Windows 2003 Server Patched box, the services were
disabled in the Default Domain Controller Policy object. All boxes were rebooted twice and
checked to ensure that the changes were replicated. The machines were then scanned with the
Nessus Scan Policy Domain Controller Out of Box.

      On the Windows 2003 Server Patched box, the Secure DC policy was imported and the
services were enabled in the Default Domain Controller Policy object. All machines were
rebooted twice to ensure the changes were replicated. A new Nessus scan was created and
called DC Secure DC. Then the initial scan of the machines was done. On the Windows 2003
Server Patched box, services in the Default Domain Controller Policy object were disabled.
The machine was rebooted in order to ensure the changes were replicated. The machines were
scanned with the Nessus Scan Policy DC Secure DC.

      On one of the Windows 2003 Server Patched boxes, the High Security DC policy was
imported and the services in the Default Domain Controller Policy object were enabled. All
machines were rebooted twice to ensure that the changes were replicated. A new Nessus Scan
Policy called DC High Security DC was created and the initial scan of the machines was done.
On one of the Windows 2003 Server Patched boxes, services that were unnecessary in the
Default Domain Controller Policy object were disabled. The machine was rebooted twice to
ensure the changes were replicated and the machines were again scanned using the Nessus Scan
Policy DC High Secure DC.

      After all of the data testing was complete, the results were put in four SPSS files for
statistical analysis. It was necessary to go into variable view on the spreadsheets to
determine the dependent variables and the independent variables. The four independent
variables were ServiceST (Enabled or Disabled), Updated (Patched or Unpatched), Template (Out
of Box, Secure Workstation, or High Secure Workstation), and Operating System (Windows 2000
Pro, Windows 2000 Server, Windows 2000 Server DC, Windows 2003 Server, Windows 2003 Server
DC, Windows NT4 PDC, Windows XP, Redhat Enterprise ES3, or Fedora FC4). The variables
ServiceST, Updated, Template and OS were determined to be independent based on the fact that
none of them is impacted by the results. Each one will, however, have an impact on the
dependent variable, the overall security of the system.

      The dependent variable was determined to be the overall security of the machines being
tested and was given five possible levels of security: One (Unsafe), Two (Risky), Three
(Moderate), Four (Secure), or Five (Nearly Impenetrable). The decision on the security level
of a machine was based on these criteria, listed respectively as: One - any number of high
risk vulnerabilities found; Two - any more than two or greater; Three - greater than five
lows and one medium; Four - two to five lows; and Five - one to two lows. All of the
independent variables and the dependent variable were coded and migrated into the SPSS
spreadsheets.
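The rubric above, implemented as a scoring function. This is an added example and not code from the paper; the band texts are the paper's, but the paper leaves band Two garbled, lists two lows under both Four and Five, and says nothing about a host with no findings, so the resolutions of those cases (marked ASSUMPTION in the code) are this example's own. SAMPLE_HOSTS is constructed input with placeholder plugin labels, not lab data. The literal_bands helper encodes the rubric exactly as written so the overlaps and gaps show up before anyone codes a spreadsheet.

```python
"""Rate a host on the paper's five-level security scale from Nessus finding counts.

Added example, not code from the paper. Band texts are the paper's; the
resolutions of its ambiguous or overlapping bands (marked ASSUMPTION) are this
example's own. SAMPLE_HOSTS is constructed input, not lab data.
"""
from collections import Counter

LEVEL_NAMES = {1: "Unsafe", 2: "Risky", 3: "Moderate", 4: "Secure", 5: "Nearly Impenetrable"}

# Constructed findings: (plugin label, Nessus severity). Plugin labels are placeholders.
SAMPLE_HOSTS = {
    "Win2kpSP4u": [("plugin-A", "High"), ("plugin-B", "Low"), ("plugin-C", "Low"), ("plugin-D", "Medium")],
    "Win2kpSP4p": [("plugin-B", "Low"), ("plugin-E", "Low"), ("plugin-F", "Low")],
    "clean-host": [],
}


def count_by_severity(findings):
    """Return (high, medium, low) counts; severity strings are compared case-insensitively."""
    counts = Counter(severity.lower() for _, severity in findings)
    return counts["high"], counts["medium"], counts["low"]


def security_level(high, medium, low):
    """Bands are checked from worst to best; the first match wins."""
    if high >= 1:                 # One: any number of high risk vulnerabilities
        return 1
    if medium >= 2:               # Two: ASSUMPTION - "more than two or greater" read as 2+ mediums
        return 2
    if medium == 1 or low > 5:    # Three: "more than five lows and one medium"; ASSUMPTION: either alone
        return 3
    if 2 <= low <= 5:             # Four: two to five lows; ASSUMPTION: two lows take the more cautious band
        return 4
    return 5                      # Five: one to two lows; ASSUMPTION: zero findings also lands here


def literal_bands(high, medium, low):
    """Bands whose text, taken literally, matches the counts (band Two omitted: its
    text is too garbled to encode). More than one band means an overlap in the
    rubric; an empty set means a gap."""
    bands = set()
    if high >= 1:
        bands.add(1)
    if low > 5 and medium == 1:
        bands.add(3)
    if 2 <= low <= 5:
        bands.add(4)
    if 1 <= low <= 2:
        bands.add(5)
    return bands


def rate_host(findings):
    level = security_level(*count_by_severity(findings))
    return level, LEVEL_NAMES[level]


def rate_all(hosts):
    return {name: rate_host(findings) for name, findings in hosts.items()}


if __name__ == "__main__":
    for name, (level, label) in rate_all(SAMPLE_HOSTS).items():
        print(f"{name:12s} level {level} ({label})")
    # Two lows match both band Four and band Five as written:
    print("two lows ->", sorted(literal_bands(0, 0, 2)))
    # No findings, or one medium with few lows, matches no band at all:
    print("no findings ->", sorted(literal_bands(0, 0, 0)), "one medium ->", sorted(literal_bands(0, 1, 0)))
```

Whatever resolution a team picks for the overlapping and missing bands, it should be written down next to the rubric before coding the SPSS column, because the ordering of the checks (worst band first) is what makes one high finding outrank any number of lows.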

       In order to determine if there were any common factors or significant data throughout
the testing, multiple one-way analyses of variance (ANOVA) were run. The dependent factor
always remained security; however, the independent variable was switched in and out among
the four different possibilities. This was necessary in order to see whether, under the
different scenarios, there was an impact on the security of the given machine. If the
significance level was shown to be less than .03, the result was considered significant.
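The computation behind each of the ANOVA tables in section 3.2, written out so the printed columns can be recomputed and checked. This is an added example, not code from the paper or from SPSS. SAMPLE_GROUPS is constructed: 24 cases in four groups of six with a 0/1 outcome, chosen only so that the degrees of freedom (3 between, 20 within) match the workstation tables; the values are not the paper's data. The "Sig." column is the upper tail of the F distribution, computed here from the regularized incomplete beta function so the block needs nothing beyond the standard library. The from_table helper takes the sums of squares and degrees of freedom exactly as a table prints them and recomputes Mean Square, F and Sig., which is enough to verify any of the tables above line by line (for instance, degrees of freedom between groups equal the number of factor levels minus one, so a df of 3 means the factor had four levels).

```python
"""One-way ANOVA computed by hand: the quantities behind each SPSS table.

Added example, not code from the paper. SAMPLE_GROUPS is constructed (24 cases,
four groups of six, 0/1 outcome) so that df = 3 / 20 as in the workstation
tables; it is not the paper's data. Sig. is P(F >= f), computed from the
regularized incomplete beta function (no SciPy needed).
"""
import math

ALPHA = 0.03  # the paper's threshold for calling a result significant

SAMPLE_GROUPS = [
    [1, 1, 1, 1, 1, 0],
    [1, 1, 1, 1, 0, 0],
    [1, 1, 0, 0, 0, 0],
    [1, 0, 0, 0, 0, 0],
]


def _betacf(a, b, x, max_iter=200, eps=3e-12):
    """Continued fraction for the incomplete beta function (modified Lentz method)."""
    tiny = 1e-300
    qab, qap, qam = a + b, a + 1.0, a - 1.0
    c, d = 1.0, 1.0 - qab * x / qap
    d = 1.0 / (d if abs(d) > tiny else tiny)
    h = d
    for m in range(1, max_iter + 1):
        m2 = 2 * m
        aa = m * (b - m) * x / ((qam + m2) * (a + m2))
        d = 1.0 + aa * d
        d = 1.0 / (d if abs(d) > tiny else tiny)
        c = 1.0 + aa / c
        c = c if abs(c) > tiny else tiny
        h *= d * c
        aa = -(a + m) * (qab + m) * x / ((a + m2) * (qap + m2))
        d = 1.0 + aa * d
        d = 1.0 / (d if abs(d) > tiny else tiny)
        c = 1.0 + aa / c
        c = c if abs(c) > tiny else tiny
        delta = d * c
        h *= delta
        if abs(delta - 1.0) < eps:
            break
    return h


def reg_inc_beta(a, b, x):
    """Regularized incomplete beta function I_x(a, b)."""
    if x <= 0.0:
        return 0.0
    if x >= 1.0:
        return 1.0
    front = math.exp(math.lgamma(a + b) - math.lgamma(a) - math.lgamma(b)
                     + a * math.log(x) + b * math.log(1.0 - x))
    if x < (a + 1.0) / (a + b + 2.0):
        return front * _betacf(a, b, x) / a
    return 1.0 - front * _betacf(b, a, 1.0 - x) / b


def f_sf(f, df1, df2):
    """P(F >= f) for an F(df1, df2) variable: the 'Sig.' column of an ANOVA table."""
    if f <= 0.0:
        return 1.0
    x = df2 / (df2 + df1 * f)
    return reg_inc_beta(df2 / 2.0, df1 / 2.0, x)


def one_way_anova(groups):
    """Return the SPSS table fields for a one-way ANOVA over a list of groups."""
    values = [v for g in groups for v in g]
    n, k = len(values), len(groups)
    grand_mean = sum(values) / n
    ss_between = sum(len(g) * (sum(g) / len(g) - grand_mean) ** 2 for g in groups)
    ss_within = sum((v - sum(g) / len(g)) ** 2 for g in groups for v in g)
    df_between, df_within = k - 1, n - k
    ms_between, ms_within = ss_between / df_between, ss_within / df_within
    f = ms_between / ms_within if ms_within > 0 else math.inf  # identical groups: F is unbounded
    return {
        "ss_between": ss_between, "ss_within": ss_within, "ss_total": ss_between + ss_within,
        "df_between": df_between, "df_within": df_within,
        "ms_between": ms_between, "ms_within": ms_within,
        "f": f, "sig": f_sf(f, df_between, df_within),
    }


def from_table(ss_between, df_between, ss_within, df_within):
    """Recompute Mean Square, F and Sig. from the sums of squares a printed table shows."""
    ms_between, ms_within = ss_between / df_between, ss_within / df_within
    f = ms_between / ms_within
    return ms_between, ms_within, f, f_sf(f, df_between, df_within)


if __name__ == "__main__":
    r = one_way_anova(SAMPLE_GROUPS)
    verdict = "significant" if r["sig"] < ALPHA else "not significant"
    print(f"Between {r['ss_between']:.3f} df {r['df_between']} MS {r['ms_between']:.3f} "
          f"F {r['f']:.3f} Sig {r['sig']:.3f} -> {verdict}")
    # The workstation 'Updated' table above: SS 4.091 / 1.909 on df 3 / 20.
    print("Updated table: MS %.3f / %.3f, F %.3f, Sig %.6f" % from_table(4.091, 3, 1.909, 20))
```

A ".000" in the Sig. column is SPSS rounding a very small tail probability to three decimals, which from_table reproduces for the Updated table; the same helper applied to a table whose sums of squares between groups are .000 returns F = .000 and Sig. = 1.000, exactly as the server and domain controller tables show.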

       Additionally, the raw data was run through descriptive testing, which made it
possible to determine the mean and mode of the security levels among all of the test cases.
This determined the range of security levels given to an individual test based on the four
independent variables. Furthermore, it showed how many times each test was given and the
different variables as they were enabled and disabled.

       When the final data analysis was complete, the four spreadsheets were compared to each
other in order to determine if there was a significant difference among the groups that the
machines were divided into at the beginning of the testing. This was based on which ones
showed the most significance among their four independent variables.





3.2       Data Analysis

(Workstations)

ANOVA: OS
                     Sum of Squares    df    Mean Square        F     Sig.
  Between Groups              .398      3          .133     .473     .704
  Within Groups              5.602     20          .280
  Total                      6.000     23

ANOVA: Updated
                     Sum of Squares    df    Mean Square        F     Sig.
  Between Groups             4.091      3         1.364   14.286     .000
  Within Groups              1.909     20          .095
  Total                      6.000     23

ANOVA: Template
                     Sum of Squares    df    Mean Square        F     Sig.
  Between Groups             1.614      3          .538     .748     .536
  Within Groups             14.386     20          .719
  Total                     16.000     23

ANOVA: ServiceST
                     Sum of Squares    df    Mean Square        F     Sig.
  Between Groups             1.023      3          .341    1.370     .281
  Within Groups              4.977     20          .249
  Total                      6.000     23





(Servers)

ANOVA: OS
                     Sum of Squares    df    Mean Square        F     Sig.
  Between Groups              .333      2          .167     .618     .549
  Within Groups              5.667     21          .270
  Total                      6.000     23

ANOVA: Template
                     Sum of Squares    df    Mean Square        F     Sig.
  Between Groups              .000      2          .000     .000    1.000
  Within Groups             16.000     21          .762
  Total                     16.000     23

ANOVA: ServiceST
                     Sum of Squares    df    Mean Square        F     Sig.
  Between Groups              .000      2          .000     .000    1.000
  Within Groups              6.000     21          .286
  Total                      6.000     23





(Out of Box)

ANOVA: OS
                     Sum of Squares    df    Mean Square        F     Sig.
  Between Groups             6.667      2         3.333   22.500     .000
  Within Groups              1.333      9          .148
  Total                      8.000     11

ANOVA: Updated
                     Sum of Squares    df    Mean Square        F     Sig.
  Between Groups              .667      2          .333    1.286     .323
  Within Groups              2.333      9          .259
  Total                      3.000     11

ANOVA: ServiceST
                     Sum of Squares    df    Mean Square        F     Sig.
  Between Groups              .000      2          .000     .000    1.000
  Within Groups              3.000      9          .333
  Total                      3.000     11





(Domain Controllers)

ANOVA: OS
                     Sum of Squares    df    Mean Square        F     Sig.
  Between Groups              .000      1          .000     .000    1.000
  Within Groups              6.000     22          .273
  Total                      6.000     23

ANOVA: Template
                     Sum of Squares    df    Mean Square        F     Sig.
  Between Groups              .000      1          .000     .000    1.000
  Within Groups             16.000     22          .727
  Total                     16.000     23

ANOVA: ServiceST
                     Sum of Squares    df    Mean Square        F     Sig.
  Between Groups              .000      1          .000     .000    1.000
  Within Groups              6.000     22          .273
  Total                      6.000     23





3.3   Design

      Each study has a 2 x 2 x 3 x 2 between-subjects factorial design, except for Out of
Box, which has a 3 x 2 x 2 between-subjects factorial design. There was only one dependent
variable in this study: security. It consisted of five levels: one being unsafe, two being
risky, three being moderate, four being secure, and five being nearly impenetrable. The
independent variables for the Servers, Domain Controllers, and Workstations tests were the
operating systems, updates, templates, and secure states. The Out of Box tests only had
operating systems, updates, and secure states as independent variables.



3.4   Results

      For Domain Controllers, Servers, and Workstations, a 2 x 2 x 3 x 2 between-subjects
one-way ANOVA was computed to find the interaction effect between operating systems,
templates, secure states, and updates on overall security. With the aid of the ANOVA, a
significant effect was found for updates impacting security: F(3) = 14.286, MS error = 1.364,
p = .000. This was true for all groups except for Out of Box, which showed a significant
effect of operating systems impacting security: F(2) = 22.500, MS error = 3.333, p = .000.




SECTION FOUR - CONCLUSION

4.1    Impacts on Study

       Microsoft offers standard templates that are applied and used in determining a
baseline. These templates are part of the Microsoft Baseline Security Analyzer (MBSA). The
MBSA is designed for businesses to determine their security state in accordance with
Microsoft security recommendations. It offers specific remediation guidance via templates.
In our study we used these templates as a guide to ascertain which services are primarily
used in what is considered the standard environment.



4.2    Final Conclusion

       Though there were multiple independent variables during the data testing, the one-way
analysis of variance showed only one as significant. Patched/Unpatched is the only
independent variable that produced a significance of less than .03. This indicates that
whether a computer is updated has a direct correlation with the security level of the
machine.

       The dependent variable was categorized by the number of vulnerabilities discovered
during the Nessus penetration testing. A number between 1 and 5 was given to the machine
depending on how many low, medium, or high vulnerability risks were discovered. One was
considered unsafe, two was considered risky, three was considered moderate, four was
considered secure, and five was considered nearly impenetrable.

       The four groups that were tested each received a significant effect within their
independent variable "updated", except for Out of Box, which received a significant effect
within the operating system. This, however, was concluded to be false data because of the
operating systems chosen to be in this group. SPSS requires that each spreadsheet have the
same number of variables to be tested for each case. All of the operating systems within
this group were not capable of being tested for the template independent variable. This is
why the fourth group had to be created. The lack of association amongst these groups is what
caused the significance to occur.

       Workstations showed a significance level of .000 in the testing of
Patched/Unpatched. Domain Controllers and Servers both had mostly ones for unpatched and
mostly fours for patched. This caused a completely opposite interaction amongst these
groups. Though they are still significant, SPSS showed it as fallible.

       The hypothesis stated that security was the independent variable expected to show
significant results. ServiceST was also expected to create a significant effect. The results
showed otherwise. Many services open up unnecessary ports that, if unused, can be safely
closed; however, if they are unused and not secured properly you can find that
vulnerabilities exist. Machines Out of Box include most services enabled. In conjunction
with these default services being enabled, security was expected to decline. For example,
the file and print service is enabled by default, which could potentially allow an attacker
to compromise data on a machine.

       In accordance with the results, patching machines is extremely important to the
security of a machine. Patching is the process of repairing pieces of code that have been
found to have memory leaks or other adverse effects. Without patching the machine, anyone
could easily exploit the bug to allow remote execution, denial of service, or loss of data.
Simply stated, patching is a necessary step in aiding the security of a machine.

       Outside effects were also present within the study that must be stated in order to
ensure the results were reliable. It was already stated that the Out of Box group was
created in order to allow SPSS to analyze all of the necessary data. Furthermore, the initial
testing was meant to compare all raw data in a single file. When SPSS encountered a
9 x 3 x 2 x 3 factorial design, it was unable to account for all of the variables and
contingencies. As a result, the data was split among the four groups that are referred to
throughout the testing.

       Initially, to complement the Nessus tool, machines were also scanned with the
Microsoft Baseline Security Analyzer (MBSA) tool; however, after two scans of all Windows
machines it was determined that the data was not changing between the different independent
variables. The reason for the inconclusive data was that the MBSA tool searched primarily
for patches and gave other non-trivial suggestions.

       Suggestions for future research may include running the Ethereal network sniffer
between two Windows hosts to determine if the security templates increase the security of
the network packets being transmitted between both hosts. It may be beneficial to expand
testing to other third-party templates or create templates for specific needs.




                                APPENDIX A:
                GROUP POLICY OBJECTS APPLIED FOR TESTING

Service Name                                          EnableGPO      DisableGPO

.NET Runtime Optimization Service v2.0.50727_X86      Automatic      Not Defined
Alerter                                               Automatic      Disabled
Application Experience Lookup Service                 Manual         Disabled
Application Layer Gateway Service                     Automatic      Disabled
Application Management                                Automatic      Disabled
ASP.NET State Service                                 Automatic      Disabled
Automatic Updates                                     Automatic      Not Defined
Background Intelligent Transfer Service               Manual         Not Defined
Certificate Services                                  Automatic      Not Defined
ClipBook                                              Automatic      Disabled
COM+ Event System                                     Manual         Not Defined
COM+ System Application                               Automatic      Not Defined
Computer Browser                                      Automatic      Disabled
Cryptographic Services                                Automatic      Not Defined
DCOM Server Process Launcher                          Automatic      Not Defined
DHCP Client                                           Automatic      Not Defined
Diskeeper                                             Not Defined    Not Defined
Distributed File System                               Manual         Disabled
Distributed Link Tracking Client                      Manual         Disabled
Distributed Link Tracking Server                      Manual         Disabled
Distributed Transaction Coordinator                   Manual         Disabled
DNS Client                                            Automatic      Not Defined
DNS Server                                            Not Defined    Not Defined
Error Reporting Service                               Automatic      Disabled
Event Log                                             Automatic      Not Defined
File Replication Service                              Not Defined    Disabled
Help and Support                                      Automatic      Not Defined
HID Input Service                                     Automatic      Not Defined
HTTP SSL                                              Automatic      Not Defined
IIS Admin Service                                     Automatic      Disabled
IMAPI CD-Burning COM Service                          Automatic      Not Defined
Indexing Service                                      Automatic      Disabled
Intersite Messaging                                   Not Defined    Disabled
IPSEC Services                                        Manual         Disabled
Kerberos Key Distribution Center                      Not Defined    Not Defined
License Logging                                       Not Defined    Not Defined
Logical Disk Manager                                  Automatic      Not Defined
Logical Disk Manager Administrative Service           Manual         Not Defined
McAfee Framework Service                              Not Defined    Not Defined
Messenger                                             Automatic      Disabled
Net Logon                                             Not Defined    Not Defined
NetMeeting Remote Desktop Sharing                     Manual         Disabled
Network Associates McShield                           Not Defined    Not Defined
Network Associates Task Manager                       Not Defined    Not Defined
Network Connections                                   Not Defined    Not Defined
Network DDE                                           Manual         Disabled
Network DDE DSDM                                      Manual         Disabled
Network Location Awareness (NLA)                      Not Defined    Not Defined
Network News Transfer Protocol (NNTP)                 Not Defined    Not Defined
Network Provisioning Service                          Not Defined    Not Defined
NT LM Security Support Provider                       Automatic      Disabled
Office Source Engine                                  Not Defined    Not Defined
Performance Logs and Alerts                           Manual         Not Defined
Plug and Play                                         Automatic      Not Defined
Portable Media Serial Number Service                  Automatic      Disabled
Print Spooler                                         Automatic      Not Defined
Protected Storage                                     Automatic      Not Defined
Remote Access Auto Connection Manager                 Manual         Not Defined
Remote Access Connection Manager                      Manual         Not Defined
Remote Desktop Help Session Manager                   Automatic      Disabled
Remote Procedure Call (RPC)                           Automatic      Not Defined
Remote Procedure Call (RPC) Locator                   Manual         Not Defined
Remote Registry                                       Automatic      Disabled
Removable Storage                                     Automatic      Not Defined
Resultant Set of Policy Provider                      Automatic      Not Defined
Routing and Remote Access                             Automatic      Disabled
Secondary Logon                                       Automatic      Not Defined
Security Accounts Manager                             Automatic      Not Defined
Server                                                Automatic      Not Defined
Shell Hardware Detection                              Automatic      Disabled
Simple Mail Transfer Protocol (SMTP)                  Not Defined    Not Defined
Smart Card                                            Manual         Disabled
Special Administration Console Helper                 Not Defined    Not Defined
System Event Notification                             Automatic      Not Defined
Task Scheduler                                        Automatic      Not Defined
TCP/IP NetBIOS Helper                                 Automatic      Not Defined
Telephony                                             Automatic      Not Defined
Terminal Services                                     Manual         Not Defined
Terminal Services Session Directory                   Not Defined    Not Defined
Themes                                                Automatic      Not Defined
Uninterruptible Power Supply                          Manual         Not Defined
Upload Manager                                        Automatic      Disabled
Virtual Disk Service                                  Not Defined    Not Defined
VNC Server Version 4                                  Not Defined    Not Defined
Volume Shadow Copy                                    Manual         Disabled
WebClient                                             Automatic      Disabled
Windows Audio                                         Automatic      Not Defined
Windows Firewall/Internet Connection Sharing (ICS)    Manual         Disabled
Windows Image Acquisition (WIA)                        Manual           Not Defined
Windows Installer                                      Manual           Not Defined
Windows Management Instrumentation                     Automatic        Not Defined
Windows Management Instrumentation Driver Extensions   Manual           Not Defined
Windows Time                                           Automatic        Manual
Windows User Mode Driver Framework                     Manual           Not Defined
WinHTTP Web Proxy Auto-Discovery Service               Manual           Not Defined
Wireless Configuration                                 Manual           Not Defined
WMI Performance Adapter                                Manual           Not Defined
Workstation                                            Automatic        Not Defined
World Wide Web Publishing Service                      Automatic        Disabled
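The DisableGPO column above can be checked against a live host with the following PowerShell audit script, added here as an example rather than taken from the paper. It assumes the table's names are service display names that match the host's Win32_Service.DisplayName exactly; rows the template leaves Not Defined are omitted because the template does not change them.

```powershell
# Added example, not part of the paper: read-only audit of a host's service
# startup types against the "DisableGPO" column of the table above.
# Only rows the template actually sets are listed; "Not Defined" rows are
# omitted because the template leaves them unchanged. Nothing is reconfigured.
$disableGpoBaseline = @{
    'Messenger'                                          = 'Disabled'
    'NetMeeting Remote Desktop Sharing'                  = 'Disabled'
    'Network DDE'                                        = 'Disabled'
    'Network DDE DSDM'                                   = 'Disabled'
    'NT LM Security Support Provider'                    = 'Disabled'
    'Portable Media Serial Number Service'               = 'Disabled'
    'Remote Desktop Help Session Manager'                = 'Disabled'
    'Remote Registry'                                    = 'Disabled'
    'Routing and Remote Access'                          = 'Disabled'
    'Shell Hardware Detection'                           = 'Disabled'
    'Smart Card'                                         = 'Disabled'
    'Upload Manager'                                     = 'Disabled'
    'Volume Shadow Copy'                                 = 'Disabled'
    'WebClient'                                          = 'Disabled'
    'Windows Firewall/Internet Connection Sharing (ICS)' = 'Disabled'
    'Windows Time'                                       = 'Manual'
    'World Wide Web Publishing Service'                  = 'Disabled'
}

# Win32_Service.StartMode uses its own vocabulary (Boot/System/Auto/Manual/
# Disabled); map it onto the template's Automatic/Manual/Disabled.
$startModeToTemplate = @{
    'Boot' = 'Automatic'; 'System' = 'Automatic'; 'Auto' = 'Automatic'
    'Manual' = 'Manual';  'Disabled' = 'Disabled'
}

# Assumption: the table's names are display names and match the host's
# Win32_Service.DisplayName exactly. Names changed in later Windows releases,
# so an unmatched row is reported as MISSING rather than silently skipped.
$installed = Get-CimInstance -ClassName Win32_Service

$report = foreach ($row in $disableGpoBaseline.GetEnumerator()) {
    $svc    = $installed | Where-Object DisplayName -eq $row.Key
    $actual = if ($svc) { $startModeToTemplate[$svc.StartMode] } else { 'not installed' }
    [pscustomobject]@{
        Service  = $row.Key
        Expected = $row.Value
        Actual   = $actual
        Status   = if (-not $svc) { 'MISSING' }
                   elseif ($actual -eq $row.Value) { 'OK' } else { 'DRIFT' }
    }
}

# DRIFT sorts before MISSING and OK, so deviations from the baseline appear first.
$report | Sort-Object Status, Service | Format-Table -AutoSize
```

Swap in the EnableGPO column's values to audit against the other template; a DRIFT row means the host's current startup type differs from what the template would apply.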



