Hardening Windows Registry


Will

Does Microsoft publish any documents that give an alternative for hardening
of the Windows 2000 or Windows 2003 registries? There are a lot of
default permissions with "Everyone" and I would like to tighten that up.

Adam Joseph Cook

Does Microsoft publish any documents that give an alternative for hardening
of the Windows 2000 or Windows 2003 registries? There are a lot of
default permissions with "Everyone" and I would like to tighten that up.


Hey Will,

Whenever I fresh install a copy of Windows 2000/XP or Windows 2003
Server I always take a look at the NSA security guides. These are US
government approved policy settings for permissions regarding the
Windows registry and other security (logon, network, etc.) policies.
I have always been very happy with these security templates, but
always ALWAYS go over the documents and templates very carefully
before applying any of the security templates to your system. I usually
have to modify some of the settings to match my network setup. The
documents on the following link are worth a read to any security bound
user anyways.

Windows 2000 Professional:

http://www.nsa.gov/snac/downloads_win2000.cfm?MenuID=scg10.3.1.1

Windows 2003 Professional:

http://www.nsa.gov/snac/downloads_win2003.cfm?MenuID=scg10.3.1.1


I hope this helps.


--Adam Joseph Cook, Mechanical Engineer

karl levinson, mvp

Whenever I fresh install a copy of Windows 2000/XP or Windows 2003
Server I always take a look at the NSA security guides.

I think you mean "Windows Server 2003."

Actually, starting with Windows XP and 2003, NSA no longer publishes their
own hardening guidance. What they've posted there is just the Microsoft
Windows 2003 Security Guide, and I'd recommend getting the latest version
directly from Microsoft instead of NSA: www.microsoft.com/technet/security
Also, when you download it from Microsoft, I think you get other stuff like
tools.

For Windows 2000, I absolutely agree that the NSA document is a good one.
I'd also consider downloading the Windows 2000 Security Guide at the above
link as well.

karl levinson, mvp

Will said:
Does Microsoft publish any documents that give an alternative for hardening
of the Windows 2000 or Windows 2003 registries? There are a lot of
default permissions with "Everyone" and I would like to tighten that up.

I think you're trying to do something that most people do not do. The NSA
hardening guide for Windows 2000 suggests changing permissions on a few
registry values only, and I would agree with their recommendation. The
Windows 2003 defaults are very secure for most purposes. I'm not sure the
Microsoft Windows 2003 Security Guide recommends changing any of the default
registry permissions, and it was vetted by the NSA. Changing lots of
permissions increases your chance of problems, without necessarily
increasing security very much.

You might also want to look at these articles by Jesper Johansson and Steve
Riley, where they argue against the need to make a lot of registry tweaks:

www.microsoft.com/technet/community/columns/secmgmt/sm0305_2.mspx
www.microsoft.com/technet/community/columns/secmgmt/sm0405.mspx

I would assert that removing the "Everyone" group from registry primarily
affects locally logged in users, not remote attackers. On most servers like
Windows 2003 [that are not offering Terminal Services], the only people
logging in locally and/or have any access to the registry are going to be
Administrators already anyways. If you're trying to harden a system against
local privilege escalation by your authenticated users, there are guides out
there to direct you on that. I think it's pretty challenging to
successfully harden Windows 2000 against local privilege escalation,
especially where there are multiple users logging in.

Even though your normal users may be in the "everyone" group, I believe they
will not have remote access to the registry on your servers by default.

Roger Abell [MVP]

Say Will, are there any specific reg keys set this way that
particularly raise your eyebrows?
Everyone does not differ from Authenticated Users if you
have Guest disabled and you have not gone out of your way
to permit anonymous access to the system.
On a server one usually will take control over the logon rights,
which means you limit what subset of Authenticated Users can
possibly function on the server in any way whatever.
So, substituting Everyone with something such as the machine-local Users
or a custom group might make sense, but it is much effort if
there is actually no net gain.

Roger
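To answer Roger's question of which keys actually give Everyone anything beyond read access, and to check Karl's point that remote registry access is gated separately from the per-key ACLs, here is an added PowerShell audit script (my own example, not code from anyone in this thread). It assumes an elevated session on the host being audited; the starting key list in `$Roots` is a constructed placeholder to narrow or widen as needed.

```powershell
# Added example: list registry ACEs granted to Everyone (well-known SID S-1-1-0)
# and show the ACL that decides who may open the registry over the network.
# Assumption: run elevated on the machine being audited; $Roots is a constructed
# starting list, not a recommendation of which hives to touch.

$Everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$Roots    = @('HKLM:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet\Services')

function Get-EveryoneRegistryAces {
    param([string[]]$Paths)
    foreach ($root in $Paths) {
        # Keys the caller cannot read are skipped rather than aborting the audit.
        $keys = @(Get-Item -LiteralPath $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            try { $acl = $key.GetAccessControl('Access') } catch { continue }
            foreach ($ace in $acl.Access) {
                # Compare by SID so a localized display name for Everyone still matches.
                try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
                catch { continue }
                if ($sid -ne $Everyone) { continue }
                [pscustomobject]@{
                    Key       = $key.Name
                    Rights    = $ace.RegistryRights
                    Type      = $ace.AccessControlType
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Only ACEs that let Everyone write are worth a second look; an inherited ACE
# points back to a parent key, which is where any change would belong.
$WriteMask = [int]([System.Security.AccessControl.RegistryRights]::SetValue -bor
                   [System.Security.AccessControl.RegistryRights]::CreateSubKey)
Get-EveryoneRegistryAces -Paths $Roots |
    Where-Object { ([int]$_.Rights -band $WriteMask) -ne 0 } |
    Sort-Object Key | Format-Table -AutoSize

# Remote registry access is controlled by the ACL on this key, not by the ACLs
# on the data keys: a user with no entry here cannot open the registry remotely
# even though they are a member of Everyone.
$WinReg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
Get-Acl -LiteralPath $WinReg | Select-Object -ExpandProperty Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType
```

A recursive walk of HKLM:\SOFTWARE can take a few minutes on a large system; the first table is the list to discuss before changing any permission, and the second shows whether the "locally logged-in users only" argument holds for this host.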

Will

karl levinson said:
If you're trying to harden a system against
local privilege escalation by your authenticated users, there are guides out
there to direct you on that.

I'm very interested in seeing any guidelines on this issue for Windows 2000
and Windows 2003.

We have a fair number of Windows 2000 and Windows 2003 machines where domain
users are logging in both on the console and via Remote Desktop.

For future desktops, it will surprise you to hear we are planning on paying
the extra for Windows 2003 Web Edition for end users, for the simple reason
that we can have an administrator and the odd end user log in to the machine
remotely while the box is in use. We also really like to be able to mirror
boot devices using the built-in software RAID 1.

So how to secure servers for us has particular importance.

karl levinson, mvp

We have a fair number of Windows 2000 and Windows 2003 machines where domain
users are logging in both on the console and via Remote Desktop.

For future desktops, it will surprise you to hear we are planning on paying
the extra for Windows 2003 Web Edition for end users, for the simple reason
that we can have an administrator and the odd end user log in to the machine
remotely while the box is in use. We also really like to be able to mirror
boot devices using the built-in software RAID 1.

Ah, I see now. Interesting!

I would start with the usual guides at the links posted before... and I
think there may also be Microsoft guidance in there or in other documents
about how to secure Terminal Services, which should I think be similar. I
believe there are other documents and solutions discussing hardening Windows
systems into kiosks, either at Microsoft or elsewhere, which I would think
might resemble the level of security that you are looking for, but I'd have
to google it.