January 1, 2010

Windows Security Check/Auditing

To secure the Windows servers, please take the following actions on our servers.

1) Go through the Event Viewer logs of the server to check for any hack incidents. From the Event Viewer you can obtain information about hack attempts from various IPs. If any such incidents are noted, you can block access from those IPs by writing the required firewall rule in

Start >> Programs >> Administrative Tools >> Local Security Policy >> IP Security Policies on Local Computer.

You can ban or accept an IP/host by writing the required rule.
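The following script is an added example and is not part of the original post. It does the Event Viewer review from step 1 in bulk: it counts failed logons per source address in the Security log and prints (or, with -Block, adds) a block rule for any address over a threshold. It assumes Windows Server 2008 or later, where failed logons are Event ID 4625 and netsh advfirewall is available; on Windows 2003 the equivalent event is ID 529 and the IP Security Policies console named above is the GUI route to the same kind of rule. The parameter names and the default threshold are choices made for this example.

```powershell
# Added example, not part of the original post: count failed logons per source IP
# in the Security log and print the block rule for the worst offenders.
# Assumptions: Windows Server 2008 or later (failed logons are Event ID 4625;
# on Windows 2003 the equivalent is ID 529 in the classic log format) and
# netsh advfirewall for the block rule.
param(
    [int]$Hours = 24,       # how far back in the log to look
    [int]$Threshold = 20,   # failures from one address before it is reported
    [switch]$Block          # actually add the firewall rule instead of printing it
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
            -ErrorAction SilentlyContinue

# The source address is only present in the message text, so extract it with a regex.
$counts = @{}
foreach ($e in $events) {
    if ($e.Message -match 'Source Network Address:\s+(\S+)') {
        $ip = $matches[1]
        # '-' means no network address was recorded (local or service logon); skip it.
        if ($ip -eq '-' -or $ip -eq '127.0.0.1' -or $ip -eq '::1') { continue }
        if ($counts.ContainsKey($ip)) { $counts[$ip]++ } else { $counts[$ip] = 1 }
    }
}

$flagged = $counts.GetEnumerator() |
    Where-Object { $_.Value -ge $Threshold } |
    Sort-Object Value -Descending

if (-not $flagged) {
    "No address reached $Threshold failed logons in the last $Hours hours."
    return
}

foreach ($f in $flagged) {
    "{0,-40} {1,6} failed logons" -f $f.Key, $f.Value
    if ($Block) {
        # One inbound block rule per address; review the list before using -Block.
        & netsh advfirewall firewall add rule name="Block $($f.Key)" dir=in action=block remoteip=$($f.Key) | Out-Null
    } else {
        "  to block: netsh advfirewall firewall add rule name=`"Block $($f.Key)`" dir=in action=block remoteip=$($f.Key)"
    }
}
```

Run it as, for example, `.\failed-logons.ps1 -Hours 48 -Threshold 50` from an elevated prompt; the default only reports, so the list can be checked against known sources (monitoring hosts, the customer's own office) before anything is blocked.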

2) Install anti-rootkit software on our Windows servers. You can install anti-rootkit software such as:

a) RootkitRevealer - provided by Microsoft. It has to be installed by the DC end itself, since the installation can only be done from the physical location of the server. Installation cannot be done via Terminal Services.

b) Malicious Software Removal Tool - provided by Microsoft. It is available with all Microsoft OSes. To use it, type the command mrt in Run.

Start >> Run >> mrt

c) Install a good anti-rootkit software.

Free Software:
-----------------
Sophos Anti-Rootkit


Paid Software
----------------

RootKit Buster - Trend Micro


Refer to: http://www.antirootkit.com/software/index.htm


3) Install the Nessus network security scanner. Use version 3: it is free, while Nessus 4 is paid software. You can download it from the following link.

http://www.nessus.org/download/nessus_download.php

Select Nessus-3.2.1.1.exe

http://downloads.nessus.org/nessus3dl.php?file=Nessus-3.2.1.1.exe&licence_accept=yes&t=00e6d5dee038bea390ddcc3f5fdf197f


After the install, create a user named 'localuser'. To create the localuser:

Start >> Programs >> Tenable >> Nessus >> Manage Users

Once the user is created, open the Nessus client.

In the Nessus client, add a new network by clicking the '+' button. Name the network 'localhost'.

Then click the 'Connect' button. You will get a pop-up window. Click Edit in the pop-up window, add the user 'localuser' and its password, then proceed.

Select the 'default policy' in the next window, then select 'Scan now'. You will get a detailed report about the various vulnerabilities, if any are present.


4) The next aspect of security auditing on the Windows server is to find anonymous/hacker users etc. and remove them from the registry. Be careful when you edit the Windows registry keys: careless editing may damage/corrupt the Windows OS, so make sure to take a copy/backup of the Windows registry before touching it.

To access the Windows registry:

Start >> run >> regedit

In regedit, go to

My Computer >> HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> Windows NT >> CurrentVersion >> ProfileList

At this location you can see the various profiles. Check for the hacker profile here. If you find a hacker profile, say 'support', remove that key from the registry. Note down the image path BEFORE making ANY CHANGE to the keys.

Before deleting the user from the registry profile list, have a look at Computer Management.

Start >> Programs >> Administrative Tools >> Local Users and Groups >> Users.

Here you should double-check whether the hacker profile exists. If it exists, check the permissions assigned to it and remove the Administrator/full privileges, if any. The image path you noted down will also tell you which directories the hacker user has access to, so check the permissions assigned to those folders as well; if you find the hacker user has access to a folder, remove that user from its permission list. Then remove the hacker user from Start >> Programs >> Administrative Tools >> Local Users and Groups >> Users.

Also make sure to remove the profile from the registry. Keep an eye on the server and keep checking the logs for any other hack attempts.
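The script below is an added example, not code from the original post. It automates the ProfileList review in step 4: it exports the key as a backup first (the post's own advice), then lists every profile with its SID, the account name the SID resolves to, the profile image path, and whether that account is in the local Administrators group, so a 'support'-style entry or an unresolved SID stands out before anything is removed. It assumes PowerShell 2.0 or later running elevated, and that the "image path" the post refers to is the ProfileImagePath value Windows stores under each profile's subkey.

```powershell
# Added example, not part of the original post: audit the ProfileList key.
# Assumptions: PowerShell 2.0+, elevated; ProfileImagePath is the value that
# holds the profile's image path.
$keyPs  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$keyReg = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# 1. Back up the key before anything is touched.
$backup = Join-Path $env:TEMP ('ProfileList-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& reg.exe export $keyReg $backup /y | Out-Null
"ProfileList backed up to $backup"

# 2. Members of the local Administrators group, read through ADSI (no AD module needed).
$group  = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$admins = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})

# 3. One row per profile. An unresolved SID means the account no longer exists
#    (or the subkey is a stale ".bak" entry); both deserve a closer look.
$rows = Get-ChildItem $keyPs | ForEach-Object {
    $sid  = $_.PSChildName
    $path = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
    try {
        $acct = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                    [System.Security.Principal.NTAccount]).Value
    } catch {
        $acct = '<unresolved>'
    }
    $short = ($acct -split '\\')[-1]
    New-Object PSObject -Property @{
        Account       = $acct
        IsAdmin       = ($admins -contains $short)
        ProfileExists = [bool]($path -and (Test-Path $path))
        ProfilePath   = $path
        SID           = $sid
    }
}
$rows | Sort-Object IsAdmin -Descending |
    Format-Table Account, IsAdmin, ProfileExists, ProfilePath, SID -AutoSize

# Only after the review in Computer Management described above, remove the
# profile key of an account you have confirmed is rogue, for example:
#   Remove-Item -Path "$keyPs\<SID of the rogue account>" -Recurse
```

The report is read-only; the removal line is left as a comment so that the backup and the Computer Management check always happen before a key is deleted.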

5) Install a good antivirus software on the server. Always prefer the paid ones like Kaspersky, Trend Micro, Avira etc. If the customer asks for a free one, you can go for free antivirus software like AVG Free Edition or Panda Free Edition. Be cautious about the firewall software bundled with the antivirus product, since it may block web users' access to the server.

6) Make sure to give users only the permissions they require. Only the Administrator user should be given full privileges. Other users should not be given full/write/execute privileges.
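As an added example (not from the original post), the script below checks a folder against step 6: it reports every Allow rule that grants write or execute rights to an identity other than SYSTEM and the Administrators group, and can optionally strip all explicit rules for one account, which is the folder clean-up step 4 asks for once a rogue user's directories are known. It assumes PowerShell 2.0 or later; $Folder and $RemoveAccount are parameters you supply (for instance 'D:\www' and 'SERVER\support'), and the list of trusted identities is a choice made for this example.

```powershell
# Added example, not part of the original post: find broad permissions on a folder
# and optionally remove one account's explicit rules.
# Assumptions: PowerShell 2.0+; run elevated so Set-Acl can write the DACL.
param(
    [Parameter(Mandatory = $true)][string]$Folder,
    [string]$RemoveAccount = ''   # e.g. 'SERVER\support'; empty means report only
)

# Identities that are expected to hold full rights on server folders.
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')

# Rights that let a principal change or run things. Generic bits are included
# because some rules are stored as GENERIC_ALL/WRITE/EXECUTE rather than specific rights.
$mask = [int][System.Security.AccessControl.FileSystemRights]'Write, ExecuteFile, FullControl'
$mask = $mask -bor 0x10000000 -bor 0x40000000 -bor 0x20000000   # GENERIC_ALL, GENERIC_WRITE, GENERIC_EXECUTE

$acl = Get-Acl -Path $Folder
"Broad Allow rules on $Folder held by non-administrative identities:"
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $trusted -notcontains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band $mask) -ne 0
    } |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

if ($RemoveAccount) {
    # PurgeAccessRules drops every explicit rule for that identity on this folder.
    # Inherited rules (IsInherited = True above) come from the parent and must be
    # removed there, or inheritance must be broken first.
    $id = New-Object System.Security.Principal.NTAccount($RemoveAccount)
    $acl.PurgeAccessRules($id)
    Set-Acl -Path $Folder -AclObject $acl
    "Explicit rules for $RemoveAccount removed from $Folder"
}
```

Run it first without -RemoveAccount to see who holds write or execute rights on a web root or data folder, then a second time with the account to strip once the entry has been confirmed as unwanted.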

7) If you find any server software in a degraded status, please make sure to upgrade it to the latest version. Apply Windows updates regularly to ensure maximum security. You can obtain Windows updates/patches from the TechNet and Microsoft sites. Make sure the server has the latest available service pack applied.

8) Reset the server/software/account passwords regularly (once a week/month). Use only complex passwords with a mix of letters, symbols and other characters. Do not use easy-to-remember passwords like "password", "123" etc.
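The following is an added example, not part of the original post. Rather than relying on someone remembering to reset passwords, it enforces step 8 through the local account policy: a maximum password age, a minimum length, a password history, and the "must meet complexity requirements" setting. It assumes a standalone server (on a domain member the domain GPO overrides the local policy) and an elevated prompt; the specific values (30 days, 12 characters, 5 remembered passwords) are choices for this example, not from the post.

```powershell
# Added example, not part of the original post: enforce password age, length,
# history and complexity through the local account policy.
# Assumptions: standalone server (not overridden by domain GPO), elevated prompt.
& net accounts /maxpwage:30 /minpwlen:12 /uniquepw:5

# Complexity has no "net accounts" switch; it is applied from a security
# template with secedit. The single-quoted here-string keeps $CHICAGO$ literal.
$inf = Join-Path $env:TEMP 'pwpolicy.inf'
$db  = Join-Path $env:TEMP 'pwpolicy.sdb'
@'
[Unicode]
Unicode=yes
[System Access]
PasswordComplexity = 1
[Version]
signature="$CHICAGO$"
Revision=1
'@ | Set-Content -Path $inf -Encoding Unicode

& secedit /configure /db $db /cfg $inf /areas SECURITYPOLICY /quiet

# Show the resulting policy so the change can be verified.
& net accounts
```

The final `net accounts` output should show the new maximum age, minimum length and history values; complexity can be confirmed in Local Security Policy >> Account Policies >> Password Policy.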
