System Lockdown Policy
Version: 1.00 | Issue Date: 12/16/2014
This System Lockdown Policy is intended to ensure that computer systems are properly locked down and secure as is reasonably possible.
This System Lockdown Policy is an internal IT policy which defines a general process that should be used to lock down servers and workstations.
This System Lockdown Policy is required to establish a minimum lockdown process for protecting the organizational computers on the network. This System Lockdown Policy is designed to minimize risk to organizational resources and data by establishing a process for increasing the security of servers and workstations by stopping unneeded services and testing for vulnerabilities.
This System Lockdown Policy applies to all computer equipment operated by the organization or functioning on the organizational network. Although mainly intended for securing and locking down servers, this System Lockdown Policy also applies to workstations, since all non-essential services should be shut off on them as well to reduce vulnerabilities. This policy is effective as of the issue date and does not expire unless superseded by another policy.
4.0 Server Lockdown and Hardening
The server hardening process should be a key part of the System Development Life Cycle (SDLC).
This section describes a general process used to lock down servers when they are initially installed and configured. Types of servers or equipment that need hardening include, but are not limited to: file sharing servers, email servers, Web servers, FTP servers, DNS servers, DHCP servers, database servers, domain controllers, directory servers, and network devices such as firewalls, routers, and switches.
List services that will be required to run on the server. Examples include:
List services that are running on the server and turn off any that the administrator is sure are not needed.
Do a port scan on the server - Use a security tool to test and determine any ports that the server is responding to.
Shut down any services that are not on the required list of services for the server. Especially remember to shut down services listed in Appendix A - Services Recommended for Shutdown. If any services are required for the business process that are not services normally permitted to operate due to security concerns, the security officer or Head of computer security must approve the additional service after a security assessment is done.
Remove any unnecessary programs, services, and drivers from the server especially those not loaded by default on the server.
Patch the server with the latest patches and patch all services running on the server.
Disable or change the password of any default accounts on the server or related to any operating services.
Be sure all passwords used to access the system or used by services on the system meet minimum requirements including length and complexity parameters.
Be sure all users and services have minimum required rights and do not have rights to items not needed.
Be sure file share and file permissions are as tight as possible.
Perform a vulnerability assessment scan of the server.
Patch or fix any vulnerabilities found.
Where appropriate, install and run additional security programs such as:
Anti-virus - Install and perform latest update of software and virus definitions.
Intrusion detection software - Some approved host based intrusion detection software is recommended to be run on all servers.
Change of system and system files detection
All this software should have the latest updates installed.
Set security parameters on all such software, for example where anti-virus programs will scan, how often they will scan, and how often they will get virus definition updates.
Enable audit logging to log any unauthorized access.
Perform another vulnerability assessment scan of the server, and fix any discrepancies.
Take additional account management security measures including:
Disable the guest account
Rename default administrator accounts
Set accounts for minimum possible access
Be sure all accounts have passwords meeting minimum complexity and length rules.
Test the server to be sure all desired services are operating properly.
5.0 User Responsibilities
Users and administrators must not start unneeded services without approval. Any deviation from standard practices must be approved by the security officer.
Since locking down servers is critical to the security of the organization and everyone in it, this policy must be enforced by management through review and auditing. Employees who purposely violate this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.
7.0 Other Requirements
Procedures for hardening servers and shutting down unnecessary services should be written in compliance with the Change Management Policy.
Auditors should periodically audit servers to be sure servers are properly hardened according to policy.
A listing of standard allowed services must be created and published for IT department use and possible business use for some services.
Minimum security requirements on all servers and services must be created and published. This document must include:
What architectural configurations are normal or allowed for the placement of various server types, both physically and by network zone, taking into account the data stored on them.
What firewall rules are allowed across various network zones and what is not allowed.
Types of configuration that are required or not allowed on various servers such as not allowing open relaying on a mail server.
Requirements or restrictions for accounts on servers.
Appendix A - Services Recommended for Shutdown
Alerter service - The alerter service allows system administrators to send messages to selected users. This service should be disabled unless specifically needed. (Disable)
Application Management - Provides software installation services for Active Directory IntelliMirror group policy programs. IntelliMirror allows users' data to follow them.
Clip Book - Allows remote computers to share the clip book. (Disable)
Computer Browser - For home users and most organizational users, this service can be disabled. Running this service is a moderate security risk. It is required if your computer needs to find other Windows computers or Windows resources on the network without using DNS.
Distributed Link Tracking Client - Maintains links between NTFS files across computers or on a single computer. It allows shortcuts and links that are moved to be tracked, even when on other computers.
Distributed Transaction Coordinator - Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems.
Error Reporting - Reports serious errors to Microsoft.
Fast User Switching Capability - Provides management for applications that require assistance in a multiple user environment.
Help and Support - I turn this on only when I use the Windows help information, which is rare.
File and Printer Sharing for Microsoft Networks - Uninstallation of this service is recommended. This service is not needed unless you want to share a printer on your local computer or share folders on your local computer with other computers. This is disabled in the "network connections" applet and not in the "Services" applet.
Human Interface Device Access (HID) - Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function.
Indexing Service - If this service is disabled, fast file search through indexing will not be available.
Logical Disk Manager Administrative Service (Don't disable Logical Disk Manager) - Configures hard disk drives and volumes. The service only runs for configuration processes and then stops. This service will be required if you add or change a hard disk.
Machine Debug Manager - Supports local and remote debugging for Visual Studio and script debuggers.
Messenger - Disable this service in the Services applet of Administrative Tools. This service has some serious security bugs and problems. It has very little use for managing the network and is used by network administrators to send messages to users. Spammers may use this service to send annoying spam to users. (Disable)
MS Software Shadow Copy Provider - Needed by Windows Backup, so it can be left on Manual if Windows Backup is used.
NetMeeting Remote Desktop Sharing - A person on a remote computer can access your desktop to help you. This service may be used by network administrators to help users with tasks. Normally this service should be disabled unless needed. Running this service is a moderate security risk.
Network DDE Service - Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers. It allows two running programs to share the same data on the same computer or on different computers. Running this service is a moderate security risk. Normally this service should be disabled unless needed. (Disable)
Network DDE DSDM Service - Manages DDE network shares. Running this service is a moderate security risk. Normally this service should be disabled unless needed. (Disable)
Network Location Awareness (NLA) - Collects and stores network configuration and location information, and notifies applications when this information changes. Required for Internet Connection Sharing or for the Internet Connection Firewall.
Network Provisioning Service - Manages XML configuration files on a domain basis for automatic network provisioning.
NT LM Security Support Provider - Used for backward compatibility with older Microsoft operating systems. Running this service is a moderate security risk. Normally this service should be disabled unless needed, or set to manual.
Office Source Engine - Saves installation files used for updates and repairs and is required for the downloading of Setup updates and Watson error reports.
Performance Logs and Alerts - Collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert.
Portable Media Serial Number Service - Retrieves the serial number of any portable media player connected to this computer.
QOS RSVP - Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets.
Remote Access Auto Connection Manager (Don't confuse with Remote Access Connection Manager, which should be left alone) - Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address. Detects unsuccessful connection attempts and offers an alternate connection method such as a different protocol. (May want to leave enabled, at least on Manual)
Remote Desktop Help Session Manager service - A person on a remote computer can access your desktop to help you. This service may be used by network administrators to help users with tasks. Normally this service should be disabled unless needed. Running this service is a moderate security risk.
Remote registry service - This service should be set to manual or disabled since it allows people from remote locations to modify your registry. It is a serious security risk and should only be run if required by network administrators. Set this service to manual or disabled in the Services applet of Administrative Tools.
Removable Storage - Allows removable storage media to be managed and cataloged. (Can set to manual, but is worth enabling)
Routing and Remote Access - Offers routing services to businesses in local area and wide area network environments. (Recommend to disable or not install)
Secondary Logon service - If it is not necessary for lower privileged users to use the "Run As" command to run commands that only administrators or power users can run, this service should be disabled.
Server - Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. Allows resources on the local computer to be shared.
Smart Card - Manages access to smart cards read by this computer.
SSDP Discovery service - Allows the computer to connect with networked plug and play devices on the network. This service does not support internal PnP devices. This service should be disabled unless the computer needs to connect to external networked plug and play devices.
System Event Notification - Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.
Task Scheduler - Enables a user to configure and schedule automated tasks on this computer.
Telephony - Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service. Required to use a modem or FAX.
Telnet service - The telnet service allows a terminal connection to or from a remote computer but sends passwords in the clear. Running this service is a moderate security risk. Normally this service should be disabled unless needed or set to manual.
Terminal services - Allows a remote connection from a remote computer, usually used by network administrators to help users. Running this service is a moderate security risk. Normally this service should be disabled unless needed, or set to manual. This service is commonly used by system administrators to administer servers remotely.
Themes - Provides user experience theme management.
Uninterruptable Power Supply - Manages an uninterruptible power supply (UPS) connected to the computer.
Universal Plug and Play Device Host service - It broadcasts unnecessary information about the computer running the service. It may be used by MSN messenger. This service is a high security risk and should be disabled unless dependent services are required. (Disable)
Volume Shadow Copy - Manages and implements Volume Shadow Copies used for backup and other purposes. Needed for Windows Backup.
WebClient - Enables Windows-based programs to create, access, and modify Internet-based files.
Wireless Zero Configuration service - Used to support wireless connections. If you are not using wireless, this should be disabled. This service is a high security risk and should be disabled unless needed. (Disable)
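An added example of how the service review in Section 4.0 and the Appendix A list can be checked on a Windows host (this script is not part of the policy): it compares running services against an assumed required-services allowlist and the Appendix A display names, lists TCP listeners as the host-side counterpart of the port-scan step, and writes CSV evidence for the Section 7.0 audit. The allowlist is a constructed sample, and Appendix A display names differ across Windows versions, so both must be adjusted to the organization's published standard and the build in use.

```powershell
# Added example, not part of the policy: report-only audit of a host against the
# Section 4.0 steps and Appendix A. Nothing on the host is changed.

# Constructed sample allowlist (short service names); replace with the published standard.
$RequiredServices = @('Dnscache', 'EventLog', 'W32Time', 'WinDefend')

# Appendix A display names as written in the policy; adjust to the Windows build in use.
$AppendixA = @(
    'Alerter', 'ClipBook', 'Messenger', 'Network DDE', 'Network DDE DSDM',
    'Remote Registry', 'Routing and Remote Access', 'SSDP Discovery Service',
    'Telnet', 'Terminal Services', 'Universal Plug and Play Device Host',
    'Wireless Zero Configuration'
)

# Steps "list running services" and "shut down services not on the required list":
# emit one finding per service that deviates from the required list or Appendix A.
function Get-LockdownFindings {
    param([string[]]$Required, [string[]]$Shutdown)
    foreach ($svc in Get-Service) {
        $running = $svc.Status -eq 'Running'
        if ($running -and $Shutdown -contains $svc.DisplayName) {
            $issue = 'Running but listed in Appendix A; disable after confirming no dependency'
        } elseif ($running -and $Required -notcontains $svc.Name) {
            $issue = 'Running but not on the required-services list; review and stop if unneeded'
        } elseif (-not $running -and $Required -contains $svc.Name) {
            $issue = 'Required service is not running'
        } else { continue }
        [pscustomobject]@{ Service = $svc.Name; DisplayName = $svc.DisplayName
                           Status = $svc.Status; StartType = $svc.StartType; Issue = $issue }
    }
}

# Host-side view of the "port scan" step: every TCP listener and its owning process,
# to compare against the required list before the external scan is run.
function Get-ListeningPorts {
    Get-NetTCPConnection -State Listen | Sort-Object LocalPort -Unique | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Port = $_.LocalPort; Address = $_.LocalAddress
                           Process = $proc.ProcessName }
    }
}

# Audit evidence for the Section 7.0 review, one CSV per check, stamped per host and time.
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
Get-LockdownFindings -Required $RequiredServices -Shutdown $AppendixA |
    Export-Csv -NoTypeInformation -Path "$env:COMPUTERNAME-services-$stamp.csv"
Get-ListeningPorts | Export-Csv -NoTypeInformation -Path "$env:COMPUTERNAME-ports-$stamp.csv"
```

Run it before and after the hardening steps so the two CSV pairs document what changed; the second run doubles as the check that all desired services are still operating.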
Types of servers that need hardening (This list is not inclusive of all devices that should be hardened):
Network devices such as firewalls, routers, and switches
Approved by:__________________________ Signature:_____________________ Date:_______________