How to get to Windows 7 USGCB compliance a few CCEs at a time
Purpose of this page –
This is the starting point for my own USGCB notes. If I get a different job, I’ll have this to build my GPO faster next time. If it helps someone else I am more than happy to share. A few weeks ago I went to a Toshiba security-focused conference at the Pepsi Center in Denver. I was amazed at the ability of most of the attendees to earn a paycheck. They have no security plans, read no logs, just fly by the seat of their pants all day every day. If my notes can help one person like that, I am happy. USGCB is a good starting point for secure Windows computing, not the best solution overall. You have to add that custom tuning for your environment.
USGCB compliance paths-
InstaGPO- You can download a group policy and blindly install it on all your machines. Hopefully on a test group first. If this works, great. In my experience there are a few items that will cause problems with an app you run that is critical to business.
Manual- I prefer to go through all the failed items in a SCAP scan and apply a GPO with 10 changes at a time, then let it sit for a few days waiting for trouble tickets. This takes a long time, but troubleshooting times decrease significantly and you will understand more about how Windows, networking and general security work. I use this methodology for most testing tools: MBSA, OVAL, old Nessus etc.
As part of my deployment strategy, I create a GPO named USGCB win7 8xxx, another named USGCB win7 9xxx etc. When problems pop up, disable one of the GPOs, run gpupdate.exe on the machine you have the problem on and test. If it doesn’t work, move on to the next GPO. Within an 8xxx GPO you can then go study the list to see which one is causing the problem. Check your log for when you added new features etc.
Scanning for compliance-
I get notices of noncompliance from an SCAP scanner sitting on a Dell Kbox. You can use any scanner you like, but you have to do it on a regular scheduled basis and then read the logs on a regular scheduled basis. Like it or not, if you do compliance work, a large portion of your job is reading logs and taking action based on those logs. SCAP scanners will require you to download a file once in a while to keep up on your compliance list.
First – you need to download this Excel file for Windows 7 firewall and client config – USGCB Settings Major Version 1.1.x.0 or above. This is the best place to start in order to understand all of the CCEs. It is a list of all of them. The first paragraph on these CCEs is directly from the spreadsheet. I’ll list 4 to get started on this page, then child pages from here with the rest that I’m working on defining. I’m leaving out the ones that I’m pretty sure are set up by default in a Windows 2008 R2 domain. If you have any questions, leave comments here and I’ll try to help out. If there are any you found difficult to understand I’ll build diagrams etc. if you think it will help others.
To clean up your CCE list, you need to know how to use a group policy editor and/or registry editor. I recommend creating a group policy per OS or smaller group of systems. Do not add this to your default domain policy. If you do, you are going to regret it about 6 months from now.
Additional security- I like to add my own more secure options to the default GPO in order to be more secure than the NIST baseline. The NIST baseline is just that, a list of minimums that you need.
Links to the other CCEs are at the bottom of this page. (Will be as I document them.) Other helpful links:
Known Issues – Please help me with comments to document known issues with individual CCEs. For example, enabling FIPS-140 approved cryptography has caused problems for us with Salesforce.
Resources – Links to the MS USGCB page, NIST etc.
Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Setting: Bypass traverse checking
Value: Administrators, Users, Local Service, Network Service
To ensure that Windows and applications function as expected. Removing this user right from the Users group will cause serious problems. The Everyone and Backup Operators groups will not have this privilege, the impact should be minimal since Users do have the privilege.
Controls: AC-3
Registry: User Rights security settings are not registry keys
This setting affects the ability of a user to jump from, say, z:\server to z:\server\folder1\folder2 without permissions to folder1. If you need the functionality of jumping from A to C, your file server has probably grown a little too organically and needs to be rebuilt. Your folder structure is not compliant. Microsoft link: look at 3a for traverse checking.
The NIST doc says to set this to Administrators, Users, Local Service and Network Service. So far I haven’t found any problems with this.
Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Accounts: Rename administrator account
Value: Renamed_Admin
Renaming this account makes it slightly more difficult for a malicious user to attempt a brute force password guessing attack, the value of this setting is diminished by the fact that the account has a well known security identifier (SID) and attackers can use the SID rather than the account name when attempting to log on via the network. The account will be renamed.
Controls: AC-7 CM-6
Registry: Not a registry key
The administrator account should always be renamed on any system as one of the first actions you take. This is really easy to do in AD, and then all administrator accounts will be renamed. And just a hint, if you are going to name it something, naming it supergodacccount is probably a bad idea. Maybe you should choose something less obvious. If you don’t allow account enumeration, cached last user, and that sort of thing, it is less of a problem.
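Because the two settings above are not registry keys, checking them on a machine means reading the security policy itself. The script below is an added example, not part of the original notes or the USGCB content: it exports the local policy with secedit and compares it to the values quoted above. The scratch file name and the helper function Get-PolicyValue are made up for the illustration, and it assumes the export lists the right's holders as well-known SIDs.

```powershell
# Added example. Run from an elevated prompt: secedit needs admin rights to export.
$cfg = Join-Path $env:TEMP 'usgcb-secpol.inf'   # hypothetical scratch file name
secedit /export /cfg $cfg /areas USER_RIGHTS SECURITYPOLICY /quiet | Out-Null
$lines = Get-Content $cfg
Remove-Item $cfg

# Hypothetical helper: return the right-hand side of "Key = value" from the export.
function Get-PolicyValue($Lines, $Key) {
    foreach ($line in $Lines) {
        if ($line -match "^\s*$Key\s*=\s*(.*)$") { return $matches[1].Trim() }
    }
    return $null
}

# Bypass traverse checking is exported as SeChangeNotifyPrivilege, one *SID per holder.
$expected = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-545' = 'Users'
    'S-1-5-19'     = 'Local Service'
    'S-1-5-20'     = 'Network Service'
}
$raw = Get-PolicyValue $lines 'SeChangeNotifyPrivilege'
$actual = @()
if ($raw) { $actual = @($raw.Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }) }

$missing = @($expected.Keys | Where-Object { $actual -notcontains $_ })
$extra   = @($actual | Where-Object { -not $expected.ContainsKey($_) })

if ($missing.Count -eq 0 -and $extra.Count -eq 0) {
    'PASS  Bypass traverse checking matches the USGCB list'
} else {
    foreach ($sid in $missing) { "FAIL  missing: $($expected[$sid]) ($sid)" }
    foreach ($id in $extra)    { "FAIL  not in USGCB list: $id" }
}

# Accounts: Rename administrator account is exported as NewAdministratorName = "name".
$adminName = Get-PolicyValue $lines 'NewAdministratorName'
if ($adminName) { $adminName = $adminName.Trim('"') }
if (-not $adminName) {
    'FAIL  NewAdministratorName not found in export'
} elseif ($adminName -eq 'Administrator') {
    'FAIL  built-in administrator account still has its default name'
} else {
    'PASS  built-in administrator account has been renamed'
}
```

An entry that secedit writes as an account name instead of a SID shows up under "not in USGCB list", which is the prompt to look at it by hand.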
Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Value: 2
Configuring this policy setting to two ensures that the primary user of the computer can logon even if no domain controller is available. Two is specified so that even if an administrator logs on to the computer to perform maintenance the primary user’s credentials will still be cached. Users who logon with a domain account will have their credentials cached, the computer will allow users with cached credentials to logon if it is unable to communicate with a domain controller.
Controls: AC-3 CM-6 CM-7 SC-5
Registry: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount
Dangers with this one – User with a laptop travels far far away and can’t get on the network. User 2 and 3 who are employees want to get on and do some Excel work. Now user1 has no cached credentials. A policy and education fix this one. But I have seen it happen and giggled.
Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Microsoft network server: Server SPN target name validation level
Value: Accept if provided by client
To lower the risk of a computer name being spoofed on the network. This setting affects the SMB server component, so it will only affect attempts to access shared resources on the computer, not when the computer attempts to connect to other servers.
Controls: SC-9
Registry: HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\SMBServerNameHardeningLevel
SPN authentication is supported by all versions of Windows. I have a feeling this one is going to break some Macs and Linux boxes. I’ll let you know. You can set SPN validation to none, to check it only when a client supplies one (failing if it is invalid), or to require it. I would suggest require, because saying “you can use it, but if you don’t use it right it breaks” is a little silly.
NIST might be wrong on this one. But I don’t know how much things break if you force SPN auth. Saying do it optionally is a lot like leaving the garage door wide open but putting 3 factor authentication and a laser on the back door. I’ll go through the gaping hole a truck fits through thanks very much.
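The cached-logon and SPN validation settings above are backed by the registry values the spreadsheet names, so they can be spot-checked on a single machine without waiting for the next SCAP scan. This is an added example, not code from the original notes: the expected values are the USGCB values quoted on this page, with "Accept if provided by client" stored as 1 in SMBServerNameHardeningLevel.

```powershell
# Added example. Expected values are the USGCB values quoted on this page.
# SMBServerNameHardeningLevel: 0 = Off, 1 = Accept if provided by client,
# 2 = Required from client. CachedLogonsCount is stored as a string.
$baseline = @(
    @{ Setting  = 'Interactive logon: Number of previous logons to cache'
       Path     = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name     = 'CachedLogonsCount'
       Expected = '2' },
    @{ Setting  = 'Microsoft network server: Server SPN target name validation level'
       Path     = 'HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters'
       Name     = 'SMBServerNameHardeningLevel'
       Expected = '1' }
)

$report = foreach ($item in $baseline) {
    # A missing key or value leaves $actual as $null instead of raising an error.
    $actual = $null
    $props = Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue
    if ($props) { $actual = $props.($item.Name) }

    # Compare as strings so REG_SZ and REG_DWORD values are handled the same way.
    if ($null -eq $actual) {
        $status = 'NOT SET'
    } elseif ("$actual" -eq $item.Expected) {
        $status = 'PASS'
    } else {
        $status = 'FAIL'
    }

    New-Object PSObject -Property @{
        Status   = $status
        Setting  = $item.Setting
        Expected = $item.Expected
        Actual   = $actual
    }
}

# Select-Object fixes the column order, which a plain hashtable does not guarantee.
$report | Select-Object Status, Setting, Expected, Actual | Format-Table -AutoSize
```

NOT SET means the value is absent and the machine is running on the Windows default, so the GPO carrying that CCE has not applied there.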
Added but not checked for which CCE: Interactive logon. I added forced Ctrl+Alt+Del by selecting Disable, and also added a company policy message and title bar to the password screen.