Monday, March 14, 2011

Seven Hardening Steps For Your Windows Machines That You Wish You Knew About

By now, security idioms such as “Use a strong administrative password” or “Install anti-virus software” are firmly ingrained in the minds of most system administrators.
These steps make up the regular hardening procedure for most production systems.
In this article, we describe seven hardening steps that you don’t commonly hear about, yet which are a crucial linchpin in securing your Windows servers.
They should be considered complementary to the regular hardening steps and are not meant to replace them.

1. Stop sharing all your files with the world.

By default, Windows creates an administrative share for each logical disk on your system. The intent of this feature is to let the administrator access the machine remotely over the network. For example, by typing “cd ADMIN$” the administrator gains access to %systemroot% on that machine, and by typing “cd C$” to the root directory of drive C:\. Of course, an attacker who cracks the administrator’s password can do the same, so it is recommended to disable this functionality on critical servers.

  • To disable these shares, find the HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters registry key and add the DWORD values AutoShareWks = 0 and AutoShareServer = 0 (AutoShareWks applies to workstation editions, AutoShareServer to server editions; setting both is harmless). The setting is read when the Server service starts, so restart that service or reboot for it to take effect. Verify that the default shares no longer exist by running net share: C$ and ADMIN$ should no longer be listed (IPC$ is not controlled by this setting and will remain). Check first that no backup or management tool in your environment depends on the administrative shares.
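The following PowerShell script is an added example, not code from the original article. It audits the administrative disk shares on the local host and, when run with -Apply, writes the two registry values from this step and restarts the Server service. It assumes an elevated session on Windows Server 2008 or later; the registry path and value names are the ones given above, and the function names are this example's own.

```powershell
# Added example: audit and (with -Apply) disable the automatic administrative
# shares. Assumes an elevated PowerShell session, Windows Server 2008 or later.
param([switch]$Apply)

$ParamKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'

function Get-AutoShare {
    # WMI share type 2147483648 = "disk drive admin" (C$, D$, ADMIN$).
    # IPC$ has type 2147483651 and is not controlled by AutoShare*; it stays.
    Get-WmiObject -Class Win32_Share |
        Where-Object { $_.Type -eq 2147483648 } |
        Select-Object Name, Path
}

function Get-AutoShareSetting {
    # Report the current values; an absent value means the default (shares enabled).
    $p = Get-ItemProperty -Path $ParamKey -ErrorAction SilentlyContinue
    foreach ($name in 'AutoShareWks', 'AutoShareServer') {
        if ($p -and $p.PSObject.Properties[$name]) { $value = $p.$name }
        else                                      { $value = '(not set)' }
        New-Object PSObject -Property @{ Name = $name; Value = $value }
    }
}

function Disable-AutoShare {
    foreach ($name in 'AutoShareWks', 'AutoShareServer') {
        # -Force overwrites an existing value of the same name.
        New-ItemProperty -Path $ParamKey -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
    }
    # The setting is read when the Server service starts. -Force also restarts
    # dependent services, which briefly interrupts every SMB session on the host.
    Restart-Service -Name LanmanServer -Force
}

Write-Host 'Registry settings:'
Get-AutoShareSetting | Format-Table Name, Value -AutoSize
Write-Host 'Administrative disk shares currently present:'
Get-AutoShare | Format-Table -AutoSize

if ($Apply) {
    Disable-AutoShare
    Write-Host 'Administrative disk shares after the change (expect none):'
    Get-AutoShare | Format-Table -AutoSize
}
```

Run it once without -Apply on each server to see what would change; the "after" listing is the same check as the net share verification described above.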

2. Secure your temporary folders.

Many applications create temporary files while you do your work. Most of the time these files are readable and writeable by any process. In theory, they should be cleaned up when the program exits, but in practice that doesn’t always happen, and leaving them in the folder presents a bounty to an attacker. To protect your Windows servers, we recommend doing two things: encrypting the contents of their temporary folders and regularly searching for sensitive data using a Spider tool.

  • Open an Explorer window and go to C:\Documents and Settings\<username>\Local Settings\Temp (on Windows Vista, Server 2008 and later the equivalent folder is C:\Users\<username>\AppData\Local\Temp). Right-click the folder and choose Properties > Advanced Attributes, then select “Encrypt contents to secure data.” This uses EFS, whose keys are per user, so repeat it for every account that logs on to the server, including service accounts with their own profiles.
  • Sensitive data can lurk in many places outside of temporary folders. You can check for the presence of sensitive information (such as credit card data, passwords, and personally-identifiable information) using the Spider tool.
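As an added example of the two actions in this step (not code from the original article, and not the Spider tool itself), the script below scans a Temp folder for data that looks sensitive and, with -Encrypt, turns on EFS for the folder using cipher.exe, which is the command-line equivalent of the “Encrypt contents” checkbox. The regular expressions, the Luhn filter and the 20 MB file-size cut-off are this example's own choices; the paths come from $env:TEMP unless you pass one.

```powershell
# Added example: look for sensitive-looking data under a Temp folder and,
# optionally, EFS-encrypt the folder. Assumes Windows Server 2008 or later.
# The patterns are illustrative; tune them for your environment.
param(
    [string]$Path = $env:TEMP,
    [switch]$Encrypt
)

function Test-Luhn {
    # Mod-10 checksum used by payment card numbers; filters out most random digit runs.
    param([string]$Digits)
    $sum = 0; $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]          # [string] first, or we get the character code
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return ($sum % 10) -eq 0
}

# Kind -> regex. Card candidates are 13-16 digits with optional space/dash separators.
$Patterns = @{
    'Card number' = '\b(?:\d[ -]?){12,15}\d\b'
    'SSN'         = '\b\d{3}-\d{2}-\d{4}\b'
    'Password'    = '(?i)\b(password|passwd|pwd)\s*[=:]\s*\S+'
}

function Find-SensitiveData {
    param([string]$Folder)
    Get-ChildItem -Path $Folder -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Length -lt 20MB } |
        ForEach-Object {
            $file = $_
            try { $text = [System.IO.File]::ReadAllText($file.FullName) } catch { return }
            foreach ($kind in $Patterns.Keys) {
                foreach ($m in [regex]::Matches($text, $Patterns[$kind])) {
                    # Card candidates must also pass the Luhn check
                    if ($kind -eq 'Card number' -and -not (Test-Luhn ($m.Value -replace '[ -]', ''))) { continue }
                    # Report only a prefix: the scan report must not itself become a leak
                    $sample = $m.Value.Substring(0, [Math]::Min(4, $m.Value.Length)) + '...'
                    New-Object PSObject -Property @{ File = $file.FullName; Kind = $kind; Sample = $sample }
                }
            }
        }
}

$hits = Find-SensitiveData -Folder $Path
if ($hits) { $hits | Format-Table Kind, File, Sample -AutoSize }
else       { Write-Host "No sensitive-looking data found under $Path" }

if ($Encrypt) {
    # /e = encrypt, /s = apply to the whole directory tree. New files created in
    # the folder are encrypted with the key of the account that creates them.
    cipher.exe /e "/s:$Path" | Out-Null
}
```

Binary files in Temp will produce some false positives for the digit patterns; the Luhn check removes most of them for card numbers, and the truncated Sample column lets you triage without re-exposing the data.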

3. Enable outbound filtering on the firewalls

Most organizations enable inbound filtering on their firewalls to keep the bad guys out, but they forget about outbound filtering. Outbound filtering aims to stop sensitive data from leaving the corporate network even if an attacker has managed to penetrate the defenses.
It makes sense to block traffic on the following ports from exiting the network: 25 (SMTP), 139 (NetBIOS), 143 (IMAP), 445 (SMB), 3389 (RDP), 5900 (VNC), and the various ports used by well-known Trojans. You can see a good list of dangerous ports at the following link: here. The ports can be blocked at the network firewall, on the firewalls of individual servers, or both. Scope the rules so that hosts with a legitimate need keep working, for example SMTP from your mail relay and SMB from domain members to their domain controllers and file servers.
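The script below is an added example, not code from the original article, showing the host-level half of this step with the built-in Windows Firewall (netsh advfirewall, available on Windows Vista/Server 2008 and later). It creates one outbound block rule per port from the list above, can remove them again, and verifies that each rule is present. The rule names, the -RemoteIp parameter and the $Ports table are this example's own; it assumes an elevated session.

```powershell
# Added example: outbound block rules on the host firewall for the ports named
# in step 3. Assumes an elevated session, Windows Vista/Server 2008 or later.
param(
    [string]$RemoteIp = 'any',   # narrow this (e.g. to Internet ranges) if the host needs SMB/SMTP internally
    [switch]$Remove
)

# Port -> service, from the article's list; add the Trojan ports you want covered.
$Ports = @{
    25   = 'SMTP'
    139  = 'NetBIOS'
    143  = 'IMAP'
    445  = 'SMB'
    3389 = 'RDP'
    5900 = 'VNC'
}

function Get-RuleName { param([int]$Port) "Hardening - block outbound $($Ports[$Port]) TCP $Port" }

function Add-OutboundBlock {
    foreach ($port in $Ports.Keys) {
        $name = Get-RuleName $port
        # Windows Firewall evaluates block rules before allow rules, so scope the
        # block with remoteip= instead of relying on a later allow rule to override it.
        netsh advfirewall firewall add rule "name=$name" dir=out action=block protocol=TCP `
            "remoteport=$port" "remoteip=$RemoteIp" profile=any `
            "description=Outbound filtering, hardening step 3" | Out-Null
    }
}

function Remove-OutboundBlock {
    foreach ($port in $Ports.Keys) {
        netsh advfirewall firewall delete rule "name=$(Get-RuleName $port)" | Out-Null
    }
}

function Test-OutboundBlock {
    # One object per port saying whether a block rule with our name exists.
    foreach ($port in $Ports.Keys) {
        $text = (netsh advfirewall firewall show rule "name=$(Get-RuleName $port)") -join "`n"
        New-Object PSObject -Property @{
            Port    = $port
            Service = $Ports[$port]
            Present = [bool]($text -match 'Action:\s+Block')
        }
    }
}

if ($Remove) { Remove-OutboundBlock } else { Add-OutboundBlock }
Test-OutboundBlock | Sort-Object Port | Format-Table Port, Service, Present -AutoSize

# A stricter variant is default-deny outbound with explicit allow rules:
#   netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
# Only do that after inventorying the traffic the server legitimately needs.
```

On a domain member, blocking TCP 445 and 139 to any address will break Group Policy and logon scripts, which is why the -RemoteIp scope exists: pass the address ranges you actually want to cut off rather than 'any'.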

4. Log suspicious activity to help spot intrusions.

To enable auditing in Windows, go to Control Panel > Administrative Tools > Local Security Policy. In the Local Security Settings window, click Local Policies, then Audit Policy. At the bare minimum, you should enable auditing for logon events, privilege escalation (privilege use), and bad user names or passwords (logon failures).

Logs contain a treasure trove of data, but they are useless if you don’t log the proper events or don’t actively monitor them.
  • Aggregate your server logs into a SIEM (security information and event management) system. This ensures that an attacker can’t hide his traces by removing logs on individual servers, and it facilitates log review and correlation.

There are a multitude of SIEM solutions out there; some prominent ones include Splunk, Tripwire Log Center, and RSA enVision. If you are on a budget, you could write a script which copies all the Windows security/audit logs onto a central Windows server.
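The following script is an added example (not the article's own) that covers both parts of this step: it enables the minimum audit subcategories with auditpol.exe, summarizes failed logons (event ID 4625) by account and source address so that password guessing is visible, and copies the Security log to a central share with wevtutil.exe, the “budget” collection the paragraph above suggests. It assumes Windows Server 2008 or later and an elevated session; the \\LOGSERVER\SecurityLogs path is a placeholder and the function names are this example's own.

```powershell
# Added example: minimum audit policy, failed-logon summary, central log copy.
# Assumes Windows Server 2008 or later (auditpol, wevtutil, event ID 4625)
# and an elevated session. The share path is a placeholder.
param(
    [string]$CentralShare = '\\LOGSERVER\SecurityLogs',   # placeholder: your collection share
    [int]$Hours = 24
)

function Enable-MinimumAudit {
    # Logon events, bad user names/passwords and privilege use, success and failure
    foreach ($sub in 'Logon', 'Account Lockout', 'Credential Validation', 'Sensitive Privilege Use') {
        auditpol /set "/subcategory:$sub" /success:enable /failure:enable | Out-Null
    }
}

function Get-FailedLogonSummary {
    # Groups event 4625 (logon failure) by account and source address, so that
    # guessing shows up as one account/source pair with a high count.
    param([int]$Hours)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
        New-Object PSObject -Property @{
            Account = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            Source  = $data['IpAddress']
            Status  = $data['Status']      # 0xC000006D = bad user name or password
        }
    }
    $rows | Group-Object Account, Source |
        Sort-Object Count -Descending |
        Select-Object Count, @{ Name = 'Account, Source'; Expression = { $_.Name } }
}

function Export-SecurityLog {
    # Copies the whole Security log to the central share as an .evtx file.
    # Give servers write-but-not-delete rights on the share so that a
    # compromised host cannot remove its earlier exports.
    param([string]$Destination)
    $name = '{0}-Security-{1:yyyyMMdd-HHmm}.evtx' -f $env:COMPUTERNAME, (Get-Date)
    $file = Join-Path $Destination $name
    wevtutil epl Security $file
    return $file
}

Enable-MinimumAudit
Get-FailedLogonSummary -Hours $Hours | Format-Table -AutoSize
$exported = Export-SecurityLog -Destination $CentralShare
Write-Host "Security log exported to $exported"
```

Schedule the export part as a task on every server; the summary is the kind of query a SIEM would run across all of them, and running it per host is the minimum until you have one.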

5. Set up intrusion detection software on your servers.

Installing anti-virus on your servers is no longer sufficient. Zero-day malware exploits vulnerabilities that are not yet publicly known, and its signatures are usually not in the anti-virus database. According to AusCERT (the Australian Computer Emergency Response Team), top-selling anti-virus solutions let in nearly 80% of new malware.
There are two emerging approaches to combat this.

  • First, whitelist the software that is considered safe to run while blocking everything else (for example, Bit9).
  • Second, install a host intrusion detection system (HIDS), which uses machine-learning algorithms to differentiate good software from bad.

6. Disable any unnecessary remotely accessible services.

In a typical network layout, DMZ servers are hardened and have few ports open to the outside world; yet internal servers may have a multitude of open ports, ranging from VNC and Bonjour to unauthenticated MySQL. The flawed thinking is that an attacker won’t get through the gateway firewalls, so there’s nothing to worry about. In reality, it’s a strategy which can fall apart like a house of cards.

  • Just as in the DMZ, minimize the number of services running on any one internal server, on a need-to-have basis. Furthermore, isolate the sensitive servers into a completely separate VLAN not shared with any others.
On individual servers, you can use the Foundstone Fport program to see which remotely accessible services are open.
You should be able to explain every service that’s open. If you are in doubt, then close it.
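The script below is an added example, not part of the original article and not Fport itself: it produces the same kind of inventory (listening port to owning process and executable path) from netstat -ano, which exists on every Windows version, and marks any port not on a list you maintain of ports you can explain. The $ExplainedPorts default is an illustrative placeholder; run it in an elevated session so that process paths are readable.

```powershell
# Added example: Fport-style listing of listening ports with owning processes,
# flagging ports that are not in your inventory. Assumes an elevated session.
param(
    [int[]]$ExplainedPorts = @(135, 445, 3389)   # example only: ports you can justify on this host
)

function Get-ListeningPort {
    # Parse netstat -ano. TCP rows: Proto Local Foreign State PID
    # UDP rows: Proto Local Foreign PID (UDP has no state; every socket is reachable).
    $lines = netstat -ano | Where-Object { $_ -match '^\s*(TCP|UDP)\s' }
    foreach ($line in $lines) {
        $parts = $line.Trim() -split '\s+'
        $proto = $parts[0]
        if ($proto -eq 'TCP') {
            if ($parts[3] -ne 'LISTENING') { continue }
            $ownerPid = [int]$parts[4]
        } else {
            $ownerPid = [int]$parts[3]
        }
        $local = $parts[1]
        $sep   = $local.LastIndexOf(':')          # handles IPv6 forms such as [::]:135
        $proc  = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        if ($proc)               { $procName = $proc.Name } else { $procName = '(unknown)' }
        if ($proc -and $proc.Path) { $procPath = $proc.Path } else { $procPath = '' }
        New-Object PSObject -Property @{
            Proto     = $proto
            Address   = $local.Substring(0, $sep)
            Port      = [int]$local.Substring($sep + 1)
            PID       = $ownerPid
            Process   = $procName
            Path      = $procPath
            Explained = $false
        }
    }
}

function Get-PortInventory {
    # Marks each listening port as explained or not against the list you maintain.
    param([int[]]$Known)
    Get-ListeningPort | ForEach-Object {
        $_.Explained = $Known -contains $_.Port
        $_
    }
}

Get-PortInventory -Known $ExplainedPorts |
    Sort-Object Explained, Proto, Port |
    Format-Table Proto, Address, Port, PID, Process, Path, Explained -AutoSize

# Every row with Explained = False is a service you should be able to justify;
# if you cannot, stop and disable it.
```

Keep the explained-ports list per server role in version control; a diff of this inventory over time is a cheap way to notice a service that appeared without a change request.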

7. Patch your servers correctly

Many companies manually patch their servers when critical patches come out, but they don’t have a sound strategy which articulates the patch lifecycle or sets the SLAs for fixing vulnerabilities.

  • Make sure to develop such a strategy. Instead of applying patches manually, use Group Policy to configure Automatic Updates in an Active Directory environment so that all critical patches are applied automatically. Also prevent non-administrative users from manually applying updates: go to User Configuration > Administrative Templates > Windows Components > Windows Update and select “Remove access to use all Windows Update features.”
  • To find out which patches are missing, use Microsoft Baseline Security Analyzer (MBSA) to assess the security of the host.
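As an added example for this step (not the article's own code), the script below lists the updates the host is missing through the Windows Update Agent COM API, which is the same source Automatic Updates and MBSA consult, marks each one against an SLA table keyed by Microsoft severity, and reads back the Automatic Updates policy values that Group Policy writes. The SLA day counts are illustrative placeholders for the SLAs your strategy should define; the function names are this example's own. It works on Windows Server 2003 SP2 and later.

```powershell
# Added example: missing updates via the Windows Update Agent, an SLA check,
# and the applied Automatic Updates policy. The SLA table is illustrative.
param(
    [hashtable]$SlaDays = @{ Critical = 7; Important = 30; Moderate = 90; Low = 180 }
)

function Get-MissingUpdate {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # Queries the configured source: WSUS if Group Policy points there, otherwise Microsoft Update.
    $result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($u in $result.Updates) {
        $kb = @($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ', '
        if ($u.MsrcSeverity) { $severity = $u.MsrcSeverity } else { $severity = 'Unrated' }
        New-Object PSObject -Property @{
            Title    = $u.Title
            KB       = $kb
            Severity = $severity
            Released = $u.LastDeploymentChangeTime
        }
    }
}

function Get-OverdueUpdate {
    # Adds the age of each missing update and whether it is past the SLA for its severity.
    param([hashtable]$Sla)
    Get-MissingUpdate | ForEach-Object {
        if ($Sla.ContainsKey($_.Severity)) { $limit = $Sla[$_.Severity] } else { $limit = $Sla['Low'] }
        $age = ((Get-Date) - $_.Released).Days
        $_ | Add-Member -MemberType NoteProperty -Name DaysAvailable -Value $age -PassThru |
             Add-Member -MemberType NoteProperty -Name Overdue -Value ($age -gt $limit) -PassThru
    }
}

function Get-AutoUpdatePolicy {
    # Values written by the "Configure Automatic Updates" Group Policy setting.
    # AUOptions: 2 = notify, 3 = download and notify, 4 = download and install on
    # schedule, 5 = let the local administrator choose.
    $au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    if (-not $au) { return 'No Automatic Updates policy applied (local settings in effect)' }
    'NoAutoUpdate={0} AUOptions={1}' -f $au.NoAutoUpdate, $au.AUOptions
}

Get-AutoUpdatePolicy
Get-OverdueUpdate -Sla $SlaDays |
    Sort-Object Overdue, Severity -Descending |
    Format-Table Overdue, DaysAvailable, Severity, KB, Title -AutoSize
```

An empty AUOptions result on a server that is supposed to be managed is itself a finding: the policy is not reaching the host, so the automatic patching the strategy relies on is not happening there.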

Dr. Aleksandr Yampolskiy heads the Security and Compliance team at a well-known e-commerce company. Prior to that, he was a lead technologist developing SSO, authentication and authorization solutions at several Fortune 100 companies. Aleksandr has advised various businesses on best practices for integrating security into their products while complying with external policies and regulations. He has been cited in the New York Times and Yale Scientific, and has published half a dozen articles at top cryptography conferences. In 2006, he was awarded the Best Paper Award at the Public Key Cryptography conference for discovering the most efficient verifiable random function to date. He has a B.A. in Mathematics from New York University and a Ph.D. in Cryptography from Yale University. He maintains his website at You can also follow him on Twitter at



    Really a nice and useful post for me, I found it on google..

    Thank You Very Much CtoThoushts team and Admin
