HP StorageWorks X5000 Technical Manual

NAS Security:
A technical guide to NSA, C2, E3-FC2, and CC Security
Compliancy
1 Introduction ..... 3
1.1 NSA Security Compliancy Overview ..... 3
1.2 C2/CC Security Compliancy Overview ..... 4
1.3 E3/F-C2 Security Compliancy Overview ..... 4
2 NSA Security Compliancy ..... 4
2.1 Domain Model Design: Windows NT 4.0, Windows 2000, and Windows 2003 ..... 5
2.2 Time Synchronization ..... 6
2.3 Organizational Unit (OU) and Group Policy Objects (GPOs) Design ..... 7
2.4 Domain Level: Hardening the Domain Infrastructure Password Policy ..... 9
2.5 Domain Level: Hardening the Domain Infrastructure Account Lockout Policy ..... 13
2.6 Domain Level: Hardening the Domain Infrastructure Kerberos Policy ..... 15
2.7
2.8 Baseline Level ..... 17
2.8.1 Audit Policy ..... 17
2.8.2 User Rights Assignments ..... 27
2.8.3 Security Options ..... 37
2.8.4 Event Log ..... 55
2.8.5 System Services ..... 58
2.8.6 Additional Security Settings ..... 91
2.8.7 Additional Security Settings (Manual Hardening Procedures) ..... 107
2.9 Hardening File Servers ..... 111
2.9.1 Audit Policy Settings ..... 112
2.9.2 User Rights Assignments ..... 112
2.9.3 Security Options ..... 113
2.9.4 Event Log Settings ..... 117
2.9.5 System Services ..... 117
2.9.6 Additional Security Settings ..... 125
2.9.7 HP NAS Specific Security Settings ..... 128
2.10 Hardening Print Servers ..... 130
2.10.1 Audit Policy Settings ..... 130
2.10.2 User Rights Assignments ..... 130
2.10.3 Security Options ..... 131
2.10.4 Event Log Settings ..... 131
2.10.5 System Services ..... 131


Summary of Contents for HP StorageWorks X5000

  • Page 1: Table Of Contents

    NAS Security: A technical guide to NSA, C2, E3-FC2, and CC Security Compliancy. Introduction ..... 3; NSA Security Compliancy Overview ..... 3; C2/CC Security Compliancy Overview ..... 4; E3/F-C2 Security Compliancy Overview ..... 4; NSA Security Compliancy ..... 4; Domain Model Design: Windows NT 4.0, Windows 2000, and Windows 2003 ..... 5; Time Synchronization ......
  • Page 2 2.10.6 Additional Security Settings ..... 132; 2.10.7 HP NAS Specific Security Settings ..... 134; 2.11 Hardening IIS Servers ..... 135; 2.11.1 Audit Policy Settings ..... 135; 2.11.2 User Rights Assignments ..... 135; 2.11.3 Security Options ..... 136; 2.11.4 Event Log Settings ..... 136; 2.11.5 System Services ......
  • Page 3: Introduction

    1 Introduction This document provides detailed steps and information on how customers can modify and integrate their HP Windows StorageServer 2003 NAS products into their existing NSA or C2 / CC v2.1 security compliant environments. HP Windows StorageServer 2003 NAS NSA security compliancy is based on Microsoft's "Windows Server 2003 Security Guide: Patterns and Practices"...
  • Page 4: C2/CC Security Compliancy Overview

    1.2 C2/CC Security Compliancy Overview This document also describes network and server system modification steps required for Administrators to meet C2 / CC v2.1 (ISO/IEC 15408) security requirements. C2 security requirements are based upon the US Department of Defense (DoD) "Trusted Computer System Evaluation Criteria"...
  • Page 5: Domain Model Design: Windows NT 4.0, Windows 2000, and Windows 2003

    High Security Moving from the Enterprise Client level to the High Security level requires conforming to stringent security policies for both clients and servers. This environment contains clients running Windows 2000 Professional and Windows XP Professional. Domain controllers and member servers are running Windows 2000 Server or later.
  • Page 6: Time Synchronization

    authorization feature sets. Companies implementing Windows 2003 AD must determine whether to create a single forest or multiple forest domain infrastructures depending upon manageability, security requirements between domains and forests, and administrative costs. A single forest is easier to manage and is ideal for workgroup and departmental environments. However, enterprise environments may require more administrative control between domains and forests and may need a multiple forest domain model even though such a model may increase administrative costs within each domain.
  • Page 7: Organizational Unit (OU) and Group Policy Objects (GPOs) Design

    2.3 Organizational Unit (OU) and Group Policy Objects (GPOs) Design An organizational unit (OU) is a container within a domain that holds specific access control list (ACL) permissions for the devices and items it can access and/or control. OUs give administrators an easy way to group users and other security principals together while effectively creating segmented administrative boundaries within their domains and forests.
  • Page 8 Group Policies are implemented using security templates. These text-based *.inf files can be accessed and applied using the Security Templates snap-in found within Microsoft Management Console (MMC). All computers running Windows 2003 and Windows Storage Server 2003 store their security templates in the %SystemRoot%\security\template folder. Administrators can implement NSA compliant security templates by downloading the Microsoft Windows Server 2003 Security Guide from http://www.microsoft.com/downloads/details.aspx?FamilyId=8A2643C1-0685-4D89-B655-...
  • Page 9: Domain Level: Hardening The Domain Infrastructure Password Policy

    Important: This policy should be imported into any additional domains in the organization. However, it is not uncommon to find environments where the root domain password policy is much stricter than any of the other domains. Care should also be taken to ensure that any other domains that will use this same policy have the same business requirements.
  • Page 10 Enforce using passwords that require users to type with both hands on the keyboard; enforce using uppercase and lowercase letters, numbers, and symbols in all passwords; enforce using space characters and characters that can be produced only by pressing the Alt key.
  • Page 11 Minimum password age (Domain Member Default / Legacy Client / Enterprise Client / High Security Client): 1 day / 2 days / 2 days / 2 days. The Minimum password age setting determines the number of days that a password must be used before a user changes it. The range of values for this setting is between 0 and 999 days. Setting this to 0 allows users to change the password immediately.
  • Page 12 the LM hash in parallel, the second half of the LM hash is only 1 character long; it will succumb to a brute-force attack in milliseconds. Also, each additional character in a password increases its complexity exponentially. For instance: a seven-digit password would have 26^7, or 1 x 10^7, possible combinations.
  • Page 13: Domain Level: Hardening The Domain Infrastructure Account Lockout Policy

    Store password using reversible encryption (Domain Member Default / Legacy Client / Enterprise Client / High Security Client): Disabled / Disabled / Disabled / Disabled. The security setting for Store password using reversible encryption determines whether the operating system stores passwords using reversible encryption or not. This policy supports applications using protocols that require the user's password for authentication purposes.
  • Page 14 Account lockout threshold (Domain Member Default / Legacy Client / Enterprise Client / High Security Client): 0 invalid login attempts / 50 invalid login attempts / 50 invalid login attempts / 10 invalid login attempts. The Account lockout threshold setting determines the number of attempts that a user can make to log on to an account before it is locked.
  • Page 15: Domain Level: Hardening The Domain Infrastructure Kerberos Policy

    Reset account lockout counter after (Domain Member Default / Legacy Client / Enterprise Client / High Security Client): Not Defined / 30 minutes / 30 minutes / 15 minutes. The Reset account lockout counter after setting determines the length of time before the Account lockout threshold resets to 0 and the account is unlocked. If the Account lockout threshold setting is defined, then the reset time must be less than or equal to the value for the Account lockout duration setting.
  • Page 16 after the client’s logon hours have expired. When enabling this setting, the Network security: Force logoff when logon hours expire setting should be enabled. If the company has configured logon hours for users, then it makes sense to enable this policy. Otherwise, users who are assumed to be unable to access network resources outside of their logon hours may actually be able to continue to use those resources with sessions that were established during allowed hours.
  • Page 17: Baseline Level

    2.8 Baseline Level The settings at the Member Server OU level define the common settings for all member servers in the domain. This is done by creating a GPO that is linked to the Member Server OU, known as a baseline policy.
  • Page 18 Event ID / Event Description (excerpt): An authentication service (AS) ticket was successfully issued and validated. A ticket granting service (TGS) ticket was granted. A TGS is a ticket issued by the Kerberos v5 ticket-granting service (TGS) that allows a user to authenticate to a specific service in the domain.
  • Page 19 Event ID / Event Description (excerpt): A user account was created. A user password was changed. A user password was set. A user account was deleted. A global group was created. A member was added to a global group. A member was removed from a global group. A global group was deleted.
  • Page 20 A member was added to a security-enabled universal group. A member was removed from a security-enabled universal group. A security-enabled universal group was deleted. A security-disabled universal group was created. A security-disabled universal group was changed. A member was added to a security-disabled universal group. A member was removed from a security-disabled universal group.
  • Page 21 Audit logon events (Member Server Default / Legacy Client / Enterprise Client / High Security Client): Success / Success, Failure / Success, Failure / Success, Failure. The Audit logon events setting determines whether to audit each instance of a user logging on to or off of a computer. Records are generated from the Account logon events setting on domain controllers to monitor domain account activity and on local computers to monitor local account activity.
  • Page 22 Main mode authentication failed because of a Kerberos failure or a password that is not valid. IKE security association establishment failed because the peer sent a proposal that is not valid. A packet was received that contained data that is not valid. A failure occurred during an IKE handshake.
  • Page 23 Event ID / Event Description (excerpt): Access was granted to an already existing object. A handle to an object was closed. An attempt was made to open an object with the intent to delete it. Note: This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in CreateFile(). A protected object was deleted.
  • Page 24 Certificate Services denied a certificate request. Certificate Services set the status of a certificate request to pending. The certificate manager settings for Certificate Services changed. A configuration entry changed in Certificate Services. A property of Certificate Services changed. Certificate Services archived a key. Certificate Services imported and archived a key.
  • Page 25 System access was granted to an account. System access was removed from an account. Auditing policy was set on a per-user basis Auditing policy was refreshed on a per-user basis. A collision was detected between a namespace element in one forest and a namespace element in another forest.
  • Page 26 Generate security audits; Back up files and directories; Restore files and directories. Warning: Enabling privilege auditing generates a very large number of event records. For this reason, each security environment defined in this guide has unique recommendations for these settings.
  • Page 27: User Rights Assignments

    Audit system events (Member Server Default / Legacy Client / Enterprise Client / High Security Client): No Auditing / Success / Success / Success. The Audit system events setting determines whether to audit when a user restarts or shuts down a computer or when an event occurs that affects either the system security or the security log. Configuring this setting to Success generates an audit entry when a system event is executed successfully.
  • Page 28 Member Servers: Power Users possess most administrative powers with some restrictions; thus, Power Users can run legacy applications in addition to certified applications. Help Services Group is the group for the Help and Support Center; Support_388945a0 is a member of this group by default.
  • Page 29 Access this computer from the network (Default / Legacy Client / Enterprise Client / High Security Client): Administrators, Backup Operators, Everyone, Power Users, and Users / Not Defined / Not Defined / Administrators, Authenticated Users. Important: Although in Windows Server 2003 permissions granted to the Everyone security group no longer grant access to anonymous users, guest groups and accounts can still be granted access through the Everyone security group.
  • Page 30 Adjust memory quotas for a process (Default / Legacy Client / Enterprise Client / High Security Client): Administrators, NETWORK SERVICE, LOCAL SERVICE / Not Defined / Not Defined / Administrators, NETWORK SERVICE, LOCAL SERVICE. The Adjust memory quotas for a process user right allows a user to adjust the maximum memory that is available to a process.
  • Page 31 could make it impossible for users to log on to the domain or to get authorization for accessing domain resources after logging on. Debug programs (Default / Legacy Client / Enterprise Client / High Security Client): Administrators / Revoke all security groups and accounts / Revoke all security groups and accounts / Revoke all security groups and accounts...
  • Page 32 Deny log on as a batch job (Default / Legacy Client / Enterprise Client / High Security Client): Not Defined / Guests; Support_388945a0; Guest / Guests; Support_388945a0; Guest / Guests; Support_388945a0; Guest. Note: ANONYMOUS LOGON, Built-in Administrator, Support_388945a0, Guest, and all non-operating-system service accounts are not included in the .inf security template. These accounts and groups have unique SIDs for each domain in the network.
  • Page 33 Enable computer and user accounts to be trusted for delegation (Default / Legacy Client / Enterprise Client / High Security Client): Not Defined / Not Defined / Not Defined / Revoke all security groups and accounts. The Enable computer and user accounts to be trusted for delegation privilege allows the user to change the Trusted for Delegation setting on a user or computer object in Active Directory.
  • Page 34 Increase scheduling priority (Default / Legacy Client / Enterprise Client / High Security Client): Administrators / Not Defined / Not Defined / Administrators. The Increase scheduling priority privilege allows a user to increase the base priority class of a process. Increasing relative priority within a priority class is not a privileged operation. This privilege is not required by administrative tools supplied with the operating system but might be required by software development tools.
  • Page 35 Manage auditing and security log (Default / Legacy Client / Enterprise Client / High Security Client): Administrators / Not Defined / Not Defined / Administrators. The Manage auditing and security log privilege allows a user to specify object access auditing options for individual resources such as files, Active Directory objects, and registry keys. The right to manage the security event log is a powerful user privilege that should be closely guarded.
  • Page 36 Profile system performance (Default / Legacy Client / Enterprise Client / High Security Client): Administrators / Not Defined / Not Defined / Administrators. The Profile system performance user right allows a user to monitor the performance of system processes. Not restricting this user right presents a moderate vulnerability; an attacker with this privilege could monitor a computer's performance to help identify critical processes that he or she might want to attack directly.
  • Page 37: Security Options

    The Synchronize directory service data user right allows a process to read all objects and properties in the directory, regardless of the protection on the objects and properties. This privilege is required in order to use LDAP directory synchronization (Dirsync) services. The default setting specifies no accounts;...
  • Page 38 Accounts: Guest account status (Default / Legacy Client / Enterprise Client / High Security Client): Disabled / Disabled / Disabled / Disabled. Important: Administrators need to check whether any of their third-party applications use and require the Guest account for communication or functionality. If so, administrators may need to set this security policy to Enabled.
  • Page 39 Note: Changes to the configuration of this security option setting will not take effect until Windows Server 2003 is restarted. Audit: Shut down system immediately if unable to log security audits (Default / Legacy Client / Enterprise Client / High Security Client): Disabled / Disabled / Disabled...
  • Page 40 Devices: Restrict floppy access to locally logged-on user only (Default / Legacy Client / Enterprise Client / High Security Client): Disabled / Not Defined / Not Defined / Enabled. The Devices: Restrict floppy access to locally logged-on user only security option setting determines whether removable floppy media are accessible to both local and remote users simultaneously. Enabling this setting allows only the interactively logged-on user to access removable floppy media. If this policy is enabled, and no one is logged on interactively, the floppy media is accessible over the network.
  • Page 41 Domain controller: LDAP server signing requirements (Default / Legacy Client / Enterprise Client / High Security Client): Not Defined / Not Defined / Not Defined / Require Signing. Important: If all domain controllers are running Windows 2000 or later, set this security option to Require signing.
  • Page 42 Domain member: Digitally encrypt secure channel data (when possible) (Default / Legacy Client / Enterprise Client / High Security Client): Enabled / Enabled / Enabled / Enabled. The Domain member: Digitally encrypt secure channel data (when possible) security option setting determines whether a domain member may attempt to negotiate encryption for all secure channel traffic that it initiates.
  • Page 43 Domain member: Require strong (Windows 2000 or later) session key (Default / Legacy Client / Enterprise Client / High Security Client): Disabled / Enabled / Enabled / Enabled. Important: With this setting enabled, administrators will be unable to join computers running Windows 2000 to Windows NT 4.0 domains. The Domain member: Require strong (Windows 2000 or later) session key security option setting determines whether 128-bit key strength is required for encrypted secure channel data.
  • Page 44 The Interactive logon: Message text for users attempting to log on security option setting specifies a text message that is displayed to users when they log on. This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited.
  • Page 45 Interactive logon: Prompt user to change password before expiration (Default / Legacy Client / Enterprise Client / High Security Client): 14 days / 14 days / 14 days / 14 days. The Interactive logon: Prompt user to change password before expiration security option setting determines how many days in advance users are warned that their passwords are about to expire.
  • Page 46 Microsoft network client: Digitally sign communications (if server agrees) (Default / Legacy Client / Enterprise Client / High Security Client): Enabled / Enabled / Enabled / Enabled. The Microsoft network client: Digitally sign communications (if server agrees) security option setting determines whether the SMB client will attempt to negotiate SMB packet signing. Implementing digital signing in Windows networks helps to prevent session hijacking.
  • Page 47 Microsoft network server: Digitally sign communications (if client agrees) (Default / Legacy Client / Enterprise Client / High Security Client): Disabled / Enabled / Enabled / Enabled. The Microsoft network server: Digitally sign communications (if client agrees) security option setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. Windows 2000 Server, Windows 2000 Professional, Windows Server 2003, and Windows XP Professional include versions of SMB that support mutual authentication, which closes session hijacking attacks and supports message authentication (thus preventing man-in-the-middle attacks).
  • Page 48 passwords, credentials, or Microsoft .NET Passports for later use after gaining domain authentication. This setting is configured to Enabled in the three security environments defined in this guide. Note: When configuring this security setting, changes will not take effect until Windows is restarted. Network access: Let Everyone permissions apply to anonymous users (Default / Legacy Client...
  • Page 49 Network access: Remotely accessible registry paths (same value in all four columns): System\CurrentControlSet\Control\ProductOptions; System\CurrentControlSet\Control\Server...
  • Page 50 (continued, same value in all four columns) ...Control\Terminal Server; System\CurrentControlSet\Control\Terminal Server\UserConfig; System\CurrentControlSet\Control\Terminal Server\...
  • Page 51 their third-party applications within their NAS box, as well as other server systems within the network, and verify that they are still functioning properly. The Network access: Shares that can be accessed anonymously security option setting determines which network shares can be accessed by anonymous users. The default for this setting has little impact as all users have to be authenticated before they can access shared resources on the server.
  • Page 52 environment. The Network security: LAN Manager Authentication level security option setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of security negotiated, and the level of authentication accepted by servers as follows.
  • Page 53 Network security: Minimum session security for NTLM SSP based (including secure RPC) servers (Default / Legacy Client / Enterprise Client / High Security Client): No minimum / No minimum / Enabled all settings / Enabled all settings. Important: Administrators within multi-protocol heterogeneous environments may want to verify that all applications and protocol communications are working properly within their NAS box, and other servers within the network, once this setting is set.
  • Page 54 system. Users who can access the console could shut the system down. An attacker or misguided user could connect to the server via Terminal Services and shut it down or restart it without having to identify him or herself. Therefore, this countermeasure should be set to the default across all three environments.
  • Page 55: Event Log

    The System objects: Default owner for objects created by members of the Administrators group security option setting determines whether the Administrators group or an object creator is the default owner of any system objects that are created. When system objects are created, the ownership will reflect which account created the object rather than the more generic Administrators group.
  • Page 56 applied to all member servers in the domain. The Event Log settings can be configured in Windows Server 2003 at the following location within the Group Policy Object Editor: Computer Configuration\Windows Settings\Security Settings\Event Log This section provides details on the prescribed security options for the three environments defined in this guide for the MSBP.
  • Page 57 Prevent local guests group from accessing security log (Default / Legacy Client / Enterprise Client / High Security Client): Enabled / Enabled / Enabled / Enabled. The Prevent local guests group from accessing security log security setting determines whether guests are prevented from accessing the security event log. A user must possess the Manage auditing and security log user right that is not defined in this guidance to access the security log. Therefore, this setting has no real effect on default systems.
  • Page 58: System Services

    Retention method for application log (Default / Legacy Client / Enterprise Client / High Security Client): As needed / As needed / As needed / As needed. The Retention method for application log security setting determines the "wrapping" method for the application log. It is imperative that the application log is archived regularly if historical events are desirable for either forensics or troubleshooting purposes.
  • Page 59 Group Policy that applies to that new server role in this case would also need to be created that sets the SQL Services service to Automatic. Note: If additional services are enabled, they may in turn have dependencies that require further services.
  • Page 60 ASP.NET State Service, service name aspnet_state (Default / Legacy Client / Enterprise Client / High Security Client): Not installed / Disabled / Disabled / Disabled. The ASP.NET State Service system service provides support for out-of-process session states for ASP.NET. This service is set to Disabled in the baseline policy. Automatic Updates Service...
  • Page 61 Client Service for NetWare, service name NWCWorkstation (Default / Legacy Client / Enterprise Client / High Security Client): Not installed / Disabled / Disabled / Disabled. Important: Client Service for NetWare must be set to Automatic for all HP NAS server systems that use Services For NetWare (SFN). The Client Service for NetWare system service provides access to file and print resources on NetWare networks to users interactively logged on to servers on which the service is installed.
  • Page 62 COM+ Event System, service name COMSysApp (Default / Legacy Client / Enterprise Client / High Security Client): Manual / Manual / Manual / Manual. The COM+ Event System service provides automatic distribution of events to subscribing COM components. The COM+ Events service extends the COM+ programming model to support late-bound events or method calls between the publisher or subscriber and the event system.
  • Page 63 DHCP Client, service name Dhcp (Default / Legacy Client / Enterprise Client / High Security Client): Automatic / Automatic / Automatic / Automatic. The DHCP Client system service manages network configuration by registering and updating IP addresses and updating Dynamic Domain Naming Service (DDNS) entries for the computer with DNS servers.
  • Page 64 Distributed Link Tracking Server, service name TrkSvr (Default / Legacy Client / Enterprise Client / High Security Client): Manual / Disabled / Disabled / Disabled. The Distributed Link Tracking Server system service stores information so that files moved between volumes can be tracked for each volume in the domain. When enabled, the Distributed Link Tracking Server service runs on domain controllers.
  • Page 65 Error Reporting Service, service name ERSvc (Default / Legacy Client / Enterprise Client / High Security Client): Automatic / Disabled / Disabled / Disabled. The Error Reporting Service system service collects, stores, and reports unexpected application closures to Microsoft and authorizes error reporting for services and applications running in non-standard environments.
  • Page 66 File Server for Macintosh, service name MacFile (Default / Legacy Client / Enterprise Client / High Security Client): Not installed / Disabled / Disabled / Disabled. Important: File Server for Macintosh must be set to Automatic for HP NAS server systems using multi-protocol communication support, such as AppleTalk (AFTP), for Apple systems. The File Server for Macintosh system service enables Macintosh users to store and access files on a local Windows server computer.
  • Page 67 Human Interface Device Access, service name HidServ (Default / Legacy Client / Enterprise Client / High Security Client): Disabled / Disabled / Disabled / Disabled. The Human Interface Device Access system service enables generic input access to Human Interface Devices (HID), which activate and maintain the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices.
  • Page 68 Indexing Service, service name cisvc (Default / Legacy Client / Enterprise Client / High Security Client): Disabled / Disabled / Disabled / Disabled. Important: Although not required, Indexing Service can be set to Automatic within HP NAS server systems depending upon company requirements. The Indexing Service indexes contents and properties of files on local and remote computers and provides rapid access to files through a flexible querying language.
  • Page 69 Intersite Messaging, service name IsmServ (Default / Legacy Client / Enterprise Client / High Security Client): Disabled (Started for a domain controller) / Disabled / Disabled / Disabled. The Intersite Messaging system service enables messages to be exchanged between computers running Windows Server sites. This service is used for mail-based replication between sites. Active Directory includes support for replication between sites by using SMTP over IP transport.
  • Page 70 License Logging Service, service name LicenseService (Default / Legacy Client / Enterprise Client / High Security Client): Disabled / Disabled / Disabled / Disabled. The License Logging Service monitors and records client access licensing for portions of the operating system. These include IIS, Terminal Server, and File/Print, as well as products that are not a part of the operating system, such as SQL Server and Microsoft Exchange Server.
  • Page 71 Message Queuing Triggers, service name Mqtgsvc (Default / Legacy Client / Enterprise Client / High Security Client): Not installed / Disabled / Disabled / Disabled. The Message Queuing Triggers system service provides rule-based monitoring of messages arriving in a Message Queuing queue and, when the conditions of a rule are satisfied, invokes a COM component or a stand-alone executable program to process the message.
  • Page 72 MSSQLServerADHelper, service name MSSQLServerADHelper (Default / Legacy Client / Enterprise Client / High Security Client): Not installed / Disabled / Disabled / Disabled. The MSSQLServerADHelper system service enables SQL Server and SQL Server Analysis Services to publish information in Active Directory when the services are not running under the LocalSystem account.
  • Page 73 NetMeeting Remote Desktop Sharing Service Member Server Legacy Client Enterprise Client High Security Client Name Default mnmsrvc Disabled Disabled Disabled Disabled The NetMeeting Remote Desktop Sharing system service enables an authorized user to access this computer remotely by using Microsoft NetMeeting® over a corporate intranet. The service must be explicitly enabled by NetMeeting and can be disabled in NetMeeting or shut down via a Windows tray icon.
  • Page 74 Network News Transport Protocol (NNTP) Service Member Server Legacy Client Enterprise Client High Security Client Name Default NntpSvc Not installed Disabled Disabled Disabled The Network News Transport Protocol (NNTP) system service allows computers running Windows Server 2003 to act as a news server. This service is not a requirement for the baseline server policy. Therefore, this service is configured to Disabled in the three environments defined in this guide.
  • Page 75 Portable Media Serial Number Service Member Server Legacy Client Enterprise Client High Security Client Name Default WmdmPmSN Manual Disabled Disabled Disabled The Portable Media Serial Number system service retrieves the serial number of any portable music player connected to the computer. These features are not required in the baseline server environment. Therefore, this service is configured to Disabled in the three environments defined in this guide.
  • Page 76 Remote Access Auto Connection Manager Service Member Server Legacy Client Enterprise Client High Security Client Name Default RasAuto Manual Disabled Disabled Disabled The Remote Access Auto Connection Manager system service detects unsuccessful attempts to connect to a remote network or computer and then provides alternative methods for connection. The Remote Access Auto Connection Manager service offers to establish a dial-up or virtual private network (VPN) connection to a remote network whenever a program fails in an attempt to reference a remote DNS or NetBIOS name or address.
  • Page 77 Remote Installation Service Member Server Legacy Client Enterprise Client High Security Client Name Default BINLSVC Not installed Disabled Disabled Disabled The Remote Installation Services (RIS) system service is a Windows deployment feature included in members of the Windows Server family. This service is not a requirement for the baseline server policy.
  • Page 78 Remote Server Manager Service Name Member Server Legacy Client Enterprise Client High Security Client Default AppMgr Not installed Disabled Disabled Disabled Important: The Remote Server Manager may be set to Manual or Automatic on HP NAS server systems that require remote administration. The Remote Server Manager acts as a Windows Management Instrumentation (WMI) instance provider for Remote Administration Alert Objects and a WMI method provider for Remote Administration Tasks.
  • Page 79 Removable Storage Service Name Member Server Legacy Client Enterprise Client High Security Client Default NtmsSvc Manual Disabled Disabled Disabled Important: This service is required for system backups using Ntbackup.exe. If Ntbackup.exe is used, set this service to Manual. This service should also be set to Manual on HP NAS server systems using removable storage.
  • Page 80 Secondary Logon Service Name Member Server Legacy Client Enterprise Client High Security Client Default seclogon Automatic Disabled Disabled Disabled Important: The Secondary Logon system service should be set to Automatic on HP NAS server systems having 3 party applications that execute functions using a secondary user or group account. The Secondary Logon system service allows the user to create processes in the context of different security principals.
  • Page 81 Simple Mail Transport Protocol (SMTP) Service Name Member Server Legacy Client Enterprise Client High Security Client Default SMTPSVC Not installed Disabled Disabled Disabled Important: The Simple Mail Transport Protocol (SMTP) system service must be set to Automatic on HP NAS server systems requiring mail notifications of NAS system failures. The Simple Mail Transport Protocol (SMTP) system service transports electronic mail across the network.
  • Page 82 is by providing specific administrator information; an example of two-factor authentication including this type would be requiring users to submit to a retina scan and then enter their passwords before being granted access to restricted resources. Using smart cards to implement multifactor authentication is a best practice and is employed for all administrator accounts.
  • Page 83 SQLAgent$* (* is UDDI or WebDB) (service name SQLAgent$WEB). Member Server default: Not installed; Legacy, Enterprise and High Security Client: Disabled. SQLAgent$* (* UDDI or WebDB) is a job scheduler and monitoring service. It also moves information between computers running SQL Server and is used heavily for backups and replication. If the SQLAgent$* (* UDDI or WebDB) service is stopped, SQL replication will not occur.
  • Page 84 TCP/IP Print Server (service name LPDSVC). Member Server default: Not installed; Legacy, Enterprise and High Security Client: Disabled. Important: This service must be set to Automatic on HP NAS server systems using the Line Printer Daemon protocol. The TCP/IP Print Server system service enables TCP/IP-based printing using the Line Printer Daemon protocol.
  • Page 85 Terminal Services Licensing (service name TermServLicensing). Member Server default: Not installed; Legacy, Enterprise and High Security Client: Disabled. The Terminal Services Licensing system service installs a licensed server and provides registered client licenses when connecting to a Terminal Server. This service is not a requirement for the baseline server policy.
  • Page 86 Uninterruptible Power Supply. Member Server default: Manual; Legacy, Enterprise and High Security Client: Disabled. Important: This service must be set to Manual on HP NAS server systems requiring UPS support. The Uninterruptible Power Supply system service manages an uninterruptible power supply (UPS) connected to the computer by a serial port.
  • Page 87 WebClient (service name WebClient). Member Server default: Disabled; Legacy, Enterprise and High Security Client: Disabled. Important: The WebClient system service must be set to Automatic for HP NAS server systems requiring access to the Internet. The WebClient system service allows Win32 applications to access documents on the Internet. This service is not a requirement for the baseline server policy.
  • Page 88 Windows Installer (service name MSIServer). Member Server default: Manual; Legacy, Enterprise and High Security Client: Automatic. The Windows Installer system service manages the installation and removal of applications by applying a set of centrally-defined setup rules during the installation process. This service is required in the baseline server environment;...
  • Page 89 Windows Media Services (service name WMServer). Member Server default: Not installed; Legacy, Enterprise and High Security Client: Disabled. Important: The Windows Media Services system service must be set to Automatic for HP NAS server systems requiring Windows streaming media services. The Windows Media Services system service provides streaming media services over IP-based networks.
  • Page 90 WinHTTP Web Proxy Auto-Discovery Service (service name WinHttpAutoProxySvc). Member Server default: Manual; Legacy, Enterprise and High Security Client: Disabled. Important: The WinHTTP Web Proxy Auto-Discovery Service system service must be set to Manual for HP NAS server systems using and requiring WinHTTP or HTTP WebProxy support. The WinHTTP Web Proxy Auto-Discovery Service system service implements the Web Proxy Auto-Discovery (WPAD) protocol for Windows HTTP Services (WinHTTP).
  • Page 91: Additional Security Settings

    World Wide Web Publishing Service (service name W3SVC). Member Server default: Not installed; Legacy, Enterprise and High Security Client: Disabled. Important: The World Wide Web Publishing Service system service must be set to Automatic for HP NAS server systems in which the HP NAS WEB GUI interface is used, HP Insight Manager is used, HP's Array Configuration Utility (ACU) is used, HTTP file shares are created, or FTP file shares are created.
  • Page 92 (one sceregvl.inf entry per line)
    MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime,4,%KeepAliveTime%,3,150000|%KeepAliveTime0%,300000|%KeepAliveTime1%,600000|%KeepAliveTime2%,1200000|%KeepAliveTime3%,2400000|%KeepAliveTime4%,3600000|%KeepAliveTime5%,7200000|%KeepAliveTime6%
    MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting,4,%DisableIPSourceRouting%,3,0|%DisableIPSourceRouting0%,1|%DisableIPSourceRouting1%,2|%DisableIPSourceRouting2%
    MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions,4,%TcpMaxConnectResponseRetransmissions%,3,0|%TcpMaxConnectResponseRetransmissions0%,1|%TcpMaxConnectResponseRetransmissions1%,2|%TcpMaxConnectResponseRetransmissions2%,3|%TcpMaxConnectResponseRetransmissions3%
    MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions,4,%TcpMaxDataRetransmissions%,1
    MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery,4,%PerformRouterDiscovery%,0
    MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TCPMaxPortsExhausted,4,%TCPMaxPortsExhausted%,1
    MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand,4,%NoNameReleaseOnDemand%,0
    MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation,4,%NtfsDisable8dot3NameCreation%,0
    MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun,4,%NoDriveTypeAutoRun%,3,0|%NoDriveTypeAutoRun0%,255|%NoDriveTypeAutoRun1%
    MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\WarningLevel,4,%WarningLevel%,3,50|%WarningLevel0%,60|%WarningLevel1%,70|%WarningLevel2%,80|%WarningLevel3%,90|%WarningLevel4%
    MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod,4,%ScreenSaverGracePeriod%,1
    MACHINE\System\CurrentControlSet\Services\AFD\Parameters\DynamicBacklogGrowthDelta,4,%DynamicBacklogGrowthDelta%,1
    MACHINE\System\CurrentControlSet\Services\AFD\Parameters\EnableDynamicBacklog,4,%EnableDynamicBacklog%,0
    MACHINE\System\CurrentControlSet\Services\AFD\Parameters\MinimumDynamicBacklog,4,%MinimumDynamicBacklog%,1
    MACHINE\System\CurrentControlSet\Services\AFD\Parameters\MaximumDynamicBacklog,4,%MaximumDynamicBacklog%,3,10000|%MaximumDynamicBacklog0%,15000|%MaximumDynamicBacklog1%,20000|%MaximumDynamicBacklog2%,40000|%MaximumDynamicBacklog3%,80000|%MaximumDynamicBacklog4%,160000|%MaximumDynamicBacklog5%
    MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode,4,%SafeDllSearchMode%,0
    3. Navigate to the bottom of the [Strings] section and copy the following text into the file:
    ;================================ MSS Settings================================
    EnableICMPRedirect = "MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes"...
  • Page 93 (continuation of the [Strings] entries)
    NoNameReleaseOnDemand = "MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers"
    NtfsDisable8dot3NameCreation = "MSS: Enable the computer to stop generating 8.3 style filenames"
    NoDriveTypeAutoRun = "MSS: Disable Autorun for all drives"
    NoDriveTypeAutoRun0 = "Null, allow Autorun"
    NoDriveTypeAutoRun1 = "255, disable Autorun for all drives"...
  • Page 94 Subkey registry value entries, all of DWORD format: EnableICMPRedirect, SynAttackProtect, EnableDeadGWDetect, EnablePMTUDiscovery, KeepAliveTime (recommended value 300,000 decimal), DisableIPSourceRouting, TcpMaxConnectResponseRetransmissions, TcpMaxDataRetransmissions, PerformRouterDiscovery, TCPMaxPortsExhausted. EnableICMPRedirect: Allow ICMP redirects to override OSPF generated routes. This entry appears as MSS: Allow ICMP redirects to override OSPF generated routes in the SCE. Internet Control Message Protocol (ICMP) redirects cause the stack to plumb host routes.
  • Page 95 Countermeasure: Configure MSS: Syn attack protection level (protects against DoS) to a value of Connections time out sooner if a SYN attack is detected. The possible values for this Registry value are 1 or 0; default is 0 (disabled). In the SCE UI, these options appear as: ...
  • Page 96 1 or 0; default is 1 (enabled). In the SCE UI, these options appear as: Enabled, Disabled, Not Defined. Potential Impact: Setting EnablePMTUDiscovery to 1 causes TCP to attempt to discover either the MTU or the largest packet size over the path to a remote host. TCP can eliminate fragmentation at routers along the path that connect networks with different MTUs by discovering the path MTU and limiting TCP segments to this size.
  • Page 97 DisableIPSourceRouting: IP source routing protection level (protects against packet spoofing) This entry appears as MSS: IP source routing protection level (protects against packet spoofing) in the SCE. IP source routing is a mechanism allowing the sender to determine the IP route that a datagram should take through the network.
  • Page 98 Potential Impact: Setting this value (TcpMaxConnectResponseRetransmissions) to 2 or greater causes the stack to employ SYN-ATTACK protection internally. Setting it to less than 2 prevents the stack from reading the registry values at all for SYN-ATTACK protection. This parameter shortens the default time that it takes to clean up a half-open TCP connection.
  • Page 99 In the SCE UI, these options appear as: Enabled, Disabled, Not Defined. Potential Impact: Disabling this setting prevents Windows Server 2003, which supports the IRDP, from automatically detecting and configuring Default Gateway addresses on the computer. TCPMaxPortsExhausted: How many dropped connect requests to initiate SYN attack protection (5 is recommended). This entry appears as MSS: How many dropped connect requests to initiate SYN attack protection (5 is recommended) in the SCE.
  • Page 100 Subkey registry value entries, all of DWORD format: DynamicBacklogGrowthDelta, EnableDynamicBacklog, MinimumDynamicBacklog, MaximumDynamicBacklog (recommended value 20000 decimal). DynamicBacklogGrowthDelta: (AFD DynamicBacklogGrowthDelta) Number of connections to create when additional connections are necessary for Winsock applications (10 recommended). This entry appears as MSS: (AFD DynamicBacklogGrowthDelta) Number of connections to create when additional connections are necessary for Winsock applications (10 recommended) in the SCE.
  • Page 101 In the SCE UI, these options appear as: Enabled, Disabled, Not Defined. Potential Impact: The impact should be small if administrators implement the other settings as suggested in this section, but as stated in the previous item, DynamicBacklogGrowthDelta, setting the values improperly could lead to diminished responsiveness or a DoS condition.
  • Page 102 Countermeasure: The suggested value for a system under heavy attack is memory dependent. This value should not exceed 5000 for each 32 MB of RAM installed in the server, in order to prevent exhaustion of non-paged pool when under attack. As a starting point, evaluate system performance after configuring MSS: (AFD MaximumDynamicBacklog) Maximum number of ’quasi-free’...
  • Page 103 Countermeasure: Configure MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers to a value of Enabled. The possible values for this Registry value are 1 or 0; default is 1 (enabled). In the SCE UI, these options appear as: Enabled...
  • Page 104 Vulnerability: This means that an attacker only needs eight characters to refer to a file that may be 20 characters long. For example, a file named Thisisalongfilename.doc, could be referenced by its 8.3 filename Thisis~1.doc. If administrators avoid using 16-bit applications, they can turn this feature off.
  • Page 105 Subkey Registry Value Entry Format Recommended Value (Decimal) AutoRun DWORD Vulnerability: To prevent a possible malicious program from starting when media is inserted, the Group Policy disables Autorun on all drives. An attacker with physical access to the system could insert an Autorun enabled DVD or CD into the computer that will then automatically launch malicious code.
  • Page 106 0 to 255; default value is 5 seconds. In the SCE UI, this appears as a text entry box: a user-defined number, or Not Defined. Potential Impact: Users will have to enter their passwords to resume their console sessions as soon as the screen saver activates.
  • Page 107: Additional Security Settings (Manual Hardening Procedures)

    2.8.6.8 DLL Search Settings Enable Safe DLL Search Order: Enable Safe DLL search mode (recommended) This entry appears as MSS: Enable Safe DLL search mode (recommended) in the SCE. The dynamic-link library (DLL) search order can be configured to search for DLLs requested by running processes in one of two ways: Search folders specified in the system path first, and then search the current working folder.
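    The sceregvl.inf entries on Page 92 follow the format RegistryPath,RegType,%DisplayName%,DisplayType[,value|%Label%...]: RegType 4 is REG_DWORD; DisplayType 0 is an Enabled/Disabled switch, 1 a number, and 3 a list of value|label choices, with every %Name% looked up in [Strings]. The Python script below is an added example, not code from the HP guide or from Microsoft. It parses a fragment in that format, resolves the labels, and reports where a registry snapshot departs from the MSS values the guide recommends for five of the entries (KeepAliveTime 300,000; TCPMaxPortsExhausted 5; NoNameReleaseOnDemand Enabled; NoDriveTypeAutoRun 255; SafeDllSearchMode Enabled). The template lines are copied from Page 92; the [Strings] labels other than those quoted on Page 93, the registry snapshot and its value-name keyed layout are constructed for the example.

```python
"""Check MSS registry values against a sceregvl.inf-style template.

Added example, not HP's or Microsoft's code. Template lines are copied from
Page 92; the labels not quoted on Page 93 and the registry snapshot are
constructed so the script runs offline.
"""
import re
from dataclasses import dataclass, field

TEMPLATE = r"""
[Register Registry Values]
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime,4,%KeepAliveTime%,3,150000|%KeepAliveTime0%,300000|%KeepAliveTime1%,600000|%KeepAliveTime2%,1200000|%KeepAliveTime3%,2400000|%KeepAliveTime4%,3600000|%KeepAliveTime5%,7200000|%KeepAliveTime6%
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TCPMaxPortsExhausted,4,%TCPMaxPortsExhausted%,1
MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand,4,%NoNameReleaseOnDemand%,0
MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun,4,%NoDriveTypeAutoRun%,3,0|%NoDriveTypeAutoRun0%,255|%NoDriveTypeAutoRun1%
MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode,4,%SafeDllSearchMode%,0
[Strings]
KeepAliveTime = "MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds"
KeepAliveTime0 = "150000 or 2.5 minutes"
KeepAliveTime1 = "300000 or 5 minutes (recommended)"
KeepAliveTime2 = "600000 or 10 minutes"
KeepAliveTime6 = "7200000 or 2 hours (default)"
TCPMaxPortsExhausted = "MSS: How many dropped connect requests to initiate SYN attack protection (5 is recommended)"
NoNameReleaseOnDemand = "MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers"
NoDriveTypeAutoRun = "MSS: Disable Autorun for all drives"
NoDriveTypeAutoRun0 = "Null, allow Autorun"
NoDriveTypeAutoRun1 = "255, disable Autorun for all drives"
SafeDllSearchMode = "MSS: Enable Safe DLL search mode (recommended)"
"""


@dataclass
class MssEntry:
    path: str          # MACHINE\...\ValueName
    reg_type: int      # 4 = REG_DWORD
    display: str       # label shown in the SCE UI
    display_type: int  # 0 Enabled/Disabled, 1 number, 3 choice list
    choices: dict = field(default_factory=dict)  # registry data -> label

    @property
    def value_name(self):
        return self.path.rsplit("\\", 1)[1]

    def describe(self, data):
        """Render registry data the way the SCE UI would show it."""
        if data is None:
            return "not set"
        if self.display_type == 0:
            return "Enabled" if data else "Disabled"
        return self.choices.get(data, str(data))


def parse_template(text):
    """Return MssEntry objects with %labels% resolved from [Strings]."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), [])
        elif current is not None:
            current.append(line)
    strings = {}
    for line in sections.get("Strings", []):
        name, _, value = line.partition("=")
        strings[name.strip()] = value.strip().strip('"')

    def resolve(token):  # %Name% -> its [Strings] text; unknown names stay as-is
        m = re.fullmatch(r"%(.+)%", token)
        return strings.get(m.group(1), token) if m else token

    entries = []
    for line in sections.get("Register Registry Values", []):
        parts = line.split(",")
        e = MssEntry(parts[0], int(parts[1]), resolve(parts[2]), int(parts[3]))
        if e.display_type == 3:  # choice list: value|%label% pairs follow
            for pair in parts[4:]:
                data, _, label = pair.partition("|")
                e.choices[int(data)] = resolve(label)
        entries.append(e)
    return entries


# Recommended decimal data the guide states for these five values.
RECOMMENDED = {"KeepAliveTime": 300000, "TCPMaxPortsExhausted": 5,
               "NoNameReleaseOnDemand": 1, "NoDriveTypeAutoRun": 255,
               "SafeDllSearchMode": 1}

# Constructed snapshot keyed by value name; a key that is absent (KeepAliveTime
# here) means the value is not in the registry and the stack default applies.
SNAPSHOT = {"TCPMaxPortsExhausted": 5, "NoNameReleaseOnDemand": 0,
            "NoDriveTypeAutoRun": 0, "SafeDllSearchMode": 1}


def check(entries, snapshot, recommended):
    """Return (value name, current as the SCE shows it, recommended as shown)."""
    findings = []
    for e in entries:
        want, have = recommended.get(e.value_name), snapshot.get(e.value_name)
        if want is not None and have != want:
            findings.append((e.value_name, e.describe(have), e.describe(want)))
    return findings


if __name__ == "__main__":
    for name, have, want in check(parse_template(TEMPLATE), SNAPSHOT, RECOMMENDED):
        print(f"{name}: {have} -> set to {want}")
```

    Run against the constructed snapshot, the script reports KeepAliveTime as not set, NoNameReleaseOnDemand as Disabled and NoDriveTypeAutoRun as "Null, allow Autorun", each with the recommended label beside it; on a real host the snapshot would be read from the listed keys (for instance with reg query) rather than typed in. Keying the snapshot by value name rather than full path is a convenience for the offline run; the keys differ per entry, so a production check should compare on the full MACHINE\... path.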
  • Page 108 place by using shell scripts, such as the IPSec filters, to secure the MSBP for each of the security environments defined in this guide. 2.8.7.1 Manually Adding Unique Security Groups to User Rights Assignments Most of the recommended security groups for User Rights Assignments have been configured within the security templates that accompany this guide.
  • Page 109 7. Force replication between the domain controllers so that all have the policy applied to them by doing the following: a. Open a command prompt, and use the gpupdate.exe command line tool to force the server to refresh the policy with the command: gpupdate /Force.
  • Page 110 2.8.7.4 NTFS NTFS partitions support ACLs at the file and folder levels. This support is not available with the file allocation table (FAT) or FAT32 file systems. FAT32 is a version of the FAT file system that has been updated to permit significantly smaller default cluster sizes and to support hard disks up to two terabytes in size.
  • Page 111: Hardening File Servers

    There are three levels of encryption available, as the table below describes. Encryption Level Description High level This level encrypts data sent from client to server and from server to client by using strong 128-bit encryption. Use this level when the terminal server is running in an environment containing 128-bit clients only (such as Remote Desktop Connection clients).
  • Page 112: Audit Policy Settings

    2.9.1 Audit Policy Settings The Audit Policy settings for file servers in the three environments defined in this guide are configured via the MSBP. For more information on the MSBP, see section 2.8. The MSBP settings ensure that all the relevant security audit information is logged on all file servers. 2.9.2 User Rights Assignments Most User Rights Assignments for file servers in the three environments defined in this guide are...
  • Page 113: Security Options

    Deny log on through Terminal Services. Member Server default: Not Defined. Legacy, Enterprise and High Security Client: Built-in Administrator; Guests; Support_388945a0; Guest; all non-operating-system service accounts...
  • Page 114 The Domain member: Digitally encrypt or sign secure channel data (always) security option setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If a system is set to always encrypt or sign secure channel data, then it cannot establish a secure channel with a domain controller that is not capable of signing or encrypting all secure channel traffic, because all secure channel data is signed and encrypted.
  • Page 115 The Network access: Let Everyone permissions apply to anonymous users security option setting determines what additional permissions are granted for anonymous connections to the computer. Enabling this setting allows anonymous Windows users to perform certain activities, such as enumerating the names of domain accounts and network shares. An unauthorized user could anonymously list account names and shared resources and use the information to guess passwords or perform social engineering attacks.
  • Page 116 The Network security: LAN Manager authentication level security option setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of security negotiated, and the level of authentication accepted by servers as follows.
  • Page 117: Event Log Settings

    System settings: Optional subsystems. Member Server default: POSIX; Legacy, Enterprise and High Security Client: None. Important: Administrators within multi-protocol heterogeneous environments, especially ones including Unix and Linux, may want to set this setting back to POSIX for the NAS and server systems. The System settings: Optional subsystems security option setting determines which subsystems are used to support applications within the network.
  • Page 118 Cluster Service (service name ClusSvc). Member Server default: Not installed; Legacy, Enterprise and High Security Client: Disabled. Important: Cluster Service must be set to Automatic for all HP NAS server systems running Microsoft Clustering. The Cluster Service system service controls server cluster operations and manages the cluster database.
  • Page 119 The File Replication Service (FRS) enables files to be automatically copied and maintained simultaneously on multiple servers. FRS is the automatic file replication service in Windows® 2000 and the Windows Server 2003 family. The service replicates the system volume (Sysvol) on all domain controllers.
  • Page 120 IP Version 6 Helper Service (service name 6to4). Member Server default: Not installed; Legacy, Enterprise and High Security Client: Disabled. Important: IP Version 6 Helper Service must be set to Automatic for HP NAS server systems requiring IPv6 support.
  • Page 121 Remote Storage Server (service name Remote_Storage_Server). Member Server default: Not installed; Legacy, Enterprise and High Security Client: Disabled. Important: The Remote Storage Server system service must be set to Manual on HP NAS server systems using remote storage. The Remote Storage Server system service stores infrequently used files in secondary storage media.
  • Page 122 Secondary Logon (service name seclogon). Member Server default: Automatic; Legacy, Enterprise and High Security Client: Disabled. Important: The Secondary Logon system service should be set to Automatic on HP NAS server systems running third-party applications that execute functions using a secondary user or group account. The Secondary Logon system service allows the user to create processes in the context of different security principals.
  • Page 123 The SNMP Service allows incoming SNMP requests to be serviced by the local computer. The SNMP Service includes agents that monitor activity in network devices and report to the network console workstation. There are no requirements or dependencies in the three environments for the SNMP Service.
  • Page 124 Uninterruptible Power Supply. Member Server default: Manual; Legacy, Enterprise and High Security Client: Disabled. Important: This service must be set to Manual on HP NAS server systems requiring UPS support. The Uninterruptible Power Supply system service manages an uninterruptible power supply (UPS) connected to the computer by a serial port.
  • Page 125: Additional Security Settings

    Windows System Resource Manager (service name WindowsSystemResourceManager). Member Server default: Not installed; Legacy, Enterprise and High Security Client: Disabled. Important: The Windows System Resource Manager (WSRM) system service must be set to Automatic for HP NAS server systems that are used to deploy applications. The Windows System Resource Manager (WSRM) system service is a tool to help customers deploy applications into consolidation scenarios.
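    The service tables on Pages 63 through 91 define the Member Server Baseline Policy (MSBP) startup mode for each service and environment, the tables on Pages 118 through 125 add the incremental File Server policy on top of it, and the "Important" notes list the HP NAS features that require a service to be re-enabled. The Python script below is an added example, not code from the HP guide: it encodes a subset of those rows, layers the incremental policy over the baseline the way a linked GPO would, applies the NAS feature exceptions, and reports which services on a host have drifted from the resulting expectation. The observed snapshot is constructed; on a real server it would come from sc query or the Win32_Service WMI class, and a service that is not installed is treated as satisfying Disabled because it cannot start.

```python
"""Check service startup modes against the MSBP plus the file-server overlay.

Added example, not HP's code. The policy rows are a subset of those the guide
lists; NAS_FEATURES encodes its "Important" notes; the observed snapshot is
constructed (on a host it would come from sc query or Win32_Service).
"""
ENVIRONMENTS = ("Legacy Client", "Enterprise Client", "High Security Client")

# Member Server Baseline Policy: service -> (Member Server default, Legacy,
# Enterprise, High Security). "Not installed" means the binary is absent.
MSBP = {
    "Dhcp":      ("Automatic", "Automatic", "Automatic", "Automatic"),
    "TrkSvr":    ("Manual", "Disabled", "Disabled", "Disabled"),
    "ERSvc":     ("Automatic", "Disabled", "Disabled", "Disabled"),
    "MacFile":   ("Not installed", "Disabled", "Disabled", "Disabled"),
    "seclogon":  ("Automatic", "Disabled", "Disabled", "Disabled"),
    "SMTPSVC":   ("Not installed", "Disabled", "Disabled", "Disabled"),
    "W3SVC":     ("Not installed", "Disabled", "Disabled", "Disabled"),
    "MSIServer": ("Manual", "Automatic", "Automatic", "Automatic"),
}

# Incremental File Server policy, applied on top of the MSBP.
FILE_SERVER = {
    "ClusSvc":               ("Not installed", "Disabled", "Disabled", "Disabled"),
    "6to4":                  ("Not installed", "Disabled", "Disabled", "Disabled"),
    "Remote_Storage_Server": ("Not installed", "Disabled", "Disabled", "Disabled"),
}

# HP NAS exceptions from the guide's "Important" notes: feature -> overrides.
NAS_FEATURES = {
    "appletalk":       {"MacFile": "Automatic"},
    "mail_alerts":     {"SMTPSVC": "Automatic"},
    "web_gui":         {"W3SVC": "Automatic"},
    "clustering":      {"ClusSvc": "Automatic"},
    "ipv6":            {"6to4": "Automatic"},
    "remote_storage":  {"Remote_Storage_Server": "Manual"},
    "secondary_logon": {"seclogon": "Automatic"},
}


def expected_modes(environment, features, *policies):
    """Resolve the startup mode each service should have.

    Later policies override earlier ones (the incremental policy wins over the
    MSBP, as with GPO link order) and enabled NAS features override both.
    """
    column = 1 + ENVIRONMENTS.index(environment)
    expected = {}
    for policy in policies:
        expected.update({svc: row[column] for svc, row in policy.items()})
    for feature in features:
        expected.update(NAS_FEATURES[feature])
    return expected


def satisfies(observed, expected):
    """A service that is not installed cannot start, so it meets Disabled."""
    return observed == expected or (expected == "Disabled"
                                    and observed == "Not installed")


def drift(snapshot, expected):
    """Sorted (service, observed, expected) for every service out of policy.

    Services absent from the snapshot are reported as Not installed.
    """
    return sorted(
        (svc, snapshot.get(svc, "Not installed"), mode)
        for svc, mode in expected.items()
        if not satisfies(snapshot.get(svc, "Not installed"), mode)
    )


# Constructed snapshot: an Enterprise Client NAS using the web GUI and clustering.
SNAPSHOT = {
    "Dhcp": "Automatic", "TrkSvr": "Manual", "ERSvc": "Automatic",
    "seclogon": "Automatic", "SMTPSVC": "Automatic", "W3SVC": "Automatic",
    "MSIServer": "Automatic", "ClusSvc": "Automatic",
}

if __name__ == "__main__":
    want = expected_modes("Enterprise Client", ("web_gui", "clustering"),
                          MSBP, FILE_SERVER)
    for svc, have, mode in drift(SNAPSHOT, want):
        print(f"{svc}: {have} -> {mode}")
```

    For the constructed snapshot the report lists ERSvc, SMTPSVC, TrkSvr and seclogon: each is running or startable although neither the policy for the Enterprise Client environment nor an enabled NAS feature calls for it. Declaring the feature ("mail_alerts", "secondary_logon") is the way to make an exception explicit rather than leaving a stray Automatic service unexplained.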
  • Page 126 unique name can make it easy for the domain operations groups to monitor attempted attacks against this account. Complete the following steps to secure well known accounts on the file servers: 1. Rename the Administrator and Guest accounts, and then change their passwords to a long and complex value on every domain and server.
  • Page 127 All of the rules listed in the table above should be mirrored when they are implemented. This ensures that any network traffic coming into the server will also be allowed to return to the originating server. The table above represents the base ports that should be opened for the server to perform its role- specific functions.
  • Page 128: Hp Nas Specific Security Settings

    procedure call (RPC) traffic. This can make management of the server difficult. Because so many ports have been effectively closed, Terminal Services has been enabled. This will allow administrators to perform remote administration. The network traffic map above assumes that the environment contains Active Directory enabled DNS servers.
  • Page 129 sites. Using iLO Advanced features, an administrator can install, configure, monitor, update, and troubleshoot remote ProLiant servers anywhere, anytime from a standard Web browser. All user accounts within the Integrated Lights-Out (iLO) board must meet NSA password guidelines. Administrators must apply the following password guidelines: Avoid using words from a dictionary, common or clever misspellings of words, and foreign...
  • Page 130: Hardening Print Servers

    Insight Lights-Out Edition board, and the HP Version Control Agents. HP Insight Manager provides rapid access to detailed fault and performance information gathered by the HP Management Agents. HP Insight Manager helps maximize system uptime and performance and reduces the cost of maintaining the IT infrastructure by providing proactive notification of problems before those problems result in costly downtime.
  • Page 131: Security Options

    2.10.3 Security Options Most Security Options settings for print servers in the three environments defined in this guide are configured via the MSBP. For more information about the MSBP, see section 2.8. Differences between the MSBP and the Incremental Print Server Group Policy are described in the following section. Microsoft network server: Digitally sign communications (always) Print Server Default Legacy Client...
  • Page 132: Additional Security Settings

    drivers and input/output (I/O) components. Print servers rely on the proper operation of the Print Spooler service. This service must be configured to run in order for a print server to process print jobs for clients. Using Group Policy to secure and set the startup mode of the Print Spooler service grants access solely to server administrators, and prevents the service from being configured or operated by unauthorized or malicious users.
  • Page 133 be configured to rename administrator accounts in the three environments defined in this guide. This setting is a part of the Security Options settings in Group Policy. Never configure a service to run under the security context of a domain account unless absolutely necessary.
  • Page 134: Hp Nas Specific Security Settings

    Important: These changes could affect performance and should be tested prior to implementing in production. The exact number of ports that will be opened will depend on the environment as well as the use and functionality of the server. If print server performance or responsiveness degrades, additional ports may need to be opened.
  • Page 135: Hardening Iis Servers

    2.10.7.1 Service Packs, Security Patches, and Hotfixes Installation Administrators must update all HP NAS server systems to the latest HP NAS revision for their product. All Microsoft service packs, security patches, and hotfixes that have been certified by HP NAS can be found at: http://h20015.www2.hp.com/hub_search/document.jhtml?lc=en&docName=c00056831 All HP NAS specific software and drivers can be downloaded at:...
  • Page 136: Security Options

    Deny access to this computer from the network. Member Server default: SUPPORT_388945a0. Legacy, Enterprise and High Security Client: ANONYMOUS LOGON; Built-in Administrator; Guest; Support_388945a0; all non-operating-system...
  • Page 137 FTP Publishing Service (service name MSFtpsvc). Member Server default: Not installed; Legacy, Enterprise and High Security Client: Automatic. The FTP Publishing Service provides connectivity and administration through the IIS snap-in. The FTP Publishing Service is a requirement for IIS server environments running FTP. HTTP SSL Service...
  • Page 138 baseline server policy. Therefore, this service is configured to Disabled in the three environments defined in this guide. Simple Mail Transport Protocol (SMTP) (service name SMTPSVC). Member Server default: Not installed; Legacy, Enterprise and High Security Client: Automatic. Important: The Simple Mail Transport Protocol (SMTP) system service must be set to Automatic on HP NAS server systems requiring mail notifications of NAS system failures.
  • Page 139: Additional Security Settings

    The World Wide Web Publishing Service provides Web connectivity and administration of Web sites through the IIS snap-in. The World Wide Web Publishing Service must be running for an IIS server to provide Web connectivity and administration through the IIS Manager. Using Group Policy to secure and set the startup mode of a service grants access solely to server administrators, thus preventing the service from being configured or operated by unauthorized or malicious users.
  • Page 140 2.11.6.1 Installing Only Necessary IIS Components IIS 6.0 includes other components and services in addition to the World Wide Web Publishing Service, such as the services for FTP and SMTP. IIS components and services are installed and enabled using the Windows Components Wizard (Application Server), which can be launched by double-clicking Add or Remove Programs in the Control Panel.
  • Page 141 5. In the Internet Information Services (IIS) dialog box, in the Subcomponents of Internet Information Services (IIS) list, do either of the following: • To add optional components, select the check box next to the desired components. • To remove optional components, clear the check box next to the undesired...
  • Page 142 2.11.6.3 Placing Content on a Dedicated Disk Volume IIS stores files for its default Web site in the <systemroot>\inetpub\wwwroot, where <systemroot> is the drive on which the Windows Server 2003 operating system is installed. Place all files and folders that make up Web sites and applications on dedicated disk volumes on IIS servers in the three environments defined in this guide.
  • Page 143 restrictive settings are applied. Access to anonymous accounts should be explicitly denied on Web sites and applications in which anonymous access is not desired. Anonymous access occurs when a user who has no authenticated credentials accesses system resources. Anonymous accounts include the built-in Guest account, the Guests group, and IIS Anonymous accounts.
  • Page 144 2.11.6.6 Configuring IIS Logging This guide recommends enabling IIS logging on IIS servers in the three environments defined in this guide. Separate logs can be created for each Web site or application. IIS logs information beyond the scope of the event logging or performance monitoring features provided by Microsoft Windows. The IIS logs can include information such as who has visited a site, what the visitor viewed, and when the information was last viewed.
  • Page 145 IIS servers that host hundreds of sites can improve logging performance by enabling centralized binary logging. Centralized binary logging enables all Web sites on an IIS server to write activity information to a single log file. This can greatly increase the manageability and scalability of the IIS logging process by reducing the number of logs that need to be individually stored and analyzed.
  • Page 146 to compromise a server. The value of this configuration change has diminished over the past few years since the release of attack tools that attempt to break into the server by specifying the security identifier (SID) of the built-in Administrator account to determine its true name. A SID is the value that uniquely identifies each user, group, computer account, and logon session on a network.
  • Page 147 All of the rules listed in the table above should be mirrored when they are implemented. This ensures that any network traffic coming into the server will also be allowed to return to the originating server. The table above represents the base ports that should be opened for the server to perform its role-specific functions.
  • Page 148: HP NAS Specific Security Settings

    The network traffic map above assumes that the environment contains Active Directory enabled DNS servers. If stand-alone DNS servers are used, additional rules may be required. The implementation of IPSec policies should not have a noticeable impact on the performance of the server. However, testing should be performed before implementing these filters to verify that the necessary functionality and performance of the server is maintained.
  • Page 149: Security Policy Modifications

    described below within this chapter should achieve an NIAP Evaluation Assurance Level (EAL) 4 augmented with ALC_FLR.3 and a TOE minimum function strength of SOF-medium. 3.1 Security Policy Modifications Administrators can configure their network and HP NAS server systems to meet the US Government's C2 security requirements or the National Information Trusted Computer Security Evaluation Criteria (TCSEC)
  • Page 150 exercised successfully. Configuring this value to Failure generates an audit entry each time that a user right is exercised unsuccessfully. Audits are not generated when the following user rights are exercised, even if the Audit privilege use setting is configured to Success or Failure. This is because auditing these user rights generates many events in the security log, which may constrain the performance of the NAS and other server systems.
  • Page 151 Note: Changes to the configuration of this security option setting will not take effect until Windows Storage Server 2003 is restarted. Audit: Audit the use of Backup and Restore privilege. Member Server Default: Disabled. Legacy Client: Enabled. Enterprise Client: Enabled...
  • Page 152 Windows Server 2003, and Windows XP Professional include versions of SMB that support mutual authentication, which closes session hijacking attacks and supports message authentication (thus preventing man-in-the-middle attacks). SMB signing provides this authentication by placing a digital signature into each SMB packet, which is then verified by both the client and the server. When computers are configured to ignore all unsigned SMB communications, legacy applications and operating systems will be unable to connect.
  • Page 153: Registry Modifications

    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options The Devices: Restrict floppy access to locally logged-on user only security option setting determines whether removable floppy media are accessible to both local and remote users simultaneously. Enabling this setting allows only the interactively logged-on user to access removable floppy media. If this policy is enabled, and no one is logged on interactively, the floppy media is accessible over the network.
  • Page 154 The DirectDraw feature exists to enable high-performance multimedia applications by providing applications with the most direct path possible to the 2-D graphics hardware on a system. For CC compliancy, the DirectDraw feature set is disabled by setting the DCI registry key to 0. Remove OS/2 and POSIX subsystems. Key Path: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. Format...
  • Page 155 The following devices have been recommended to be Disabled for CC compliancy. Protect Kernel Object Attributes. Key Path: HKLM\SYSTEM\CurrentControlSet\Control. Key: Session Manager. Value Name: EnhancedSecurityLevel. Format: REG_DWORD. Important: The aforementioned key path, registry key, registry value name, and registry value all need to be created.
  • Page 156: E3/F-C2 Security Compliancy

    5 For more information www.hp.com/go/nas © 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.