This chapter lists possible adjustments to Windows settings that raise the level of security. For the most part they are settings that are not directly related to D2000.

We recommend running the commands from a command prompt started with administrator rights; otherwise some of them may not execute correctly (e.g. renaming the account).


Preventing client drives from being mapped in RDP sessions (this setting also blocks copying files over RDP through drive redirection; copying through the clipboard is controlled separately by the fDisableClip value in the same key)

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fDisableCdm /t REG_DWORD /d 1 /f

Requiring digital signing of SMB packets on the server side (clients that cannot sign will no longer be able to connect to shares on this machine)

REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v requiresecuritysignature /t REG_DWORD /d 1 /f

Preventing anonymous enumeration of accounts and shares from the SAM (Security Accounts Manager)

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v restrictanonymous /t REG_DWORD /d 1 /f

Renaming the local administrator account (wmic is deprecated in current Windows releases; the Rename-LocalUser cmdlet is the supported replacement). The renamed account keeps its well-known RID 500, so the rename only hinders naive guessing of the account name, it does not hide the account from anyone who can enumerate SIDs.

wmic useraccount where name='Administrator' rename some_unknown_name
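The same rename done with the LocalAccounts module (PowerShell 5.1 and later), as an added example that is not part of the original D2000 documentation. It locates the built-in administrator by its RID rather than by name, and then shows that the account is still trivially found by SID after the rename. The new name 'Operator-Svc' is a placeholder chosen for this example.

```powershell
# Added example: rename the built-in Administrator without wmic and show
# that the rename does not hide the account from SID-based lookup.
$newName = 'Operator-Svc'   # placeholder name for this example

# Find the built-in administrator by its well-known RID 500, not by name:
# the name may already have been changed by an earlier hardening pass.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $builtinAdmin) { throw 'Built-in administrator (RID 500) not found' }

if ($builtinAdmin.Name -ne $newName) {
    Rename-LocalUser -Name $builtinAdmin.Name -NewName $newName
    Write-Host "Renamed '$($builtinAdmin.Name)' to '$newName'"
}

# Verify: the same SID now resolves to the new name. Anyone allowed to
# enumerate local accounts can do this lookup too, which is why the
# restrictanonymous setting above matters more than the name itself.
$check = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
[PSCustomObject]@{
    Name    = $check.Name
    SID     = $check.SID.Value
    Enabled = $check.Enabled
}
```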

Disabling the DHCP Client service (not needed if fixed IP addresses are used; note that this service also performs dynamic DNS registration of the host, so the host's DNS records must be static as well)

sc config "Dhcp" start= disabled

Disabling the autostart of the "IKE and AuthIP IPsec Keying Modules" service (not needed if the computer does not establish VPN connections and does not use IPsec connection security rules of the Windows Firewall).

sc config "IKEEXT" start= disabled

Disabling the autostart of the "IPsec Policy Agent" service (not needed if the computer does not establish VPN connections and does not use IPsec connection security rules of the Windows Firewall).

sc config "PolicyAgent" start= disabled
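The three service changes above carry out as one script, as an added example that is not part of the original documentation. Before disabling anything it checks the two things that silently break when these services stop: an interface that still obtains its address by DHCP, and enabled IPsec rules in the Windows Firewall (those are enforced through IKEEXT and PolicyAgent).

```powershell
# Added example: disable the DHCP Client and IPsec services only after
# checking what on this host still depends on them.
$servicesToDisable = @('Dhcp', 'IKEEXT', 'PolicyAgent')

# An interface with a DHCP-assigned address would lose connectivity at the
# next lease renewal once the DHCP Client service is gone.
$dhcpAddrs = Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.PrefixOrigin -eq 'Dhcp' }
if ($dhcpAddrs) {
    throw ("Interfaces still configured by DHCP: " + (($dhcpAddrs.InterfaceAlias | Sort-Object -Unique) -join ', '))
}

# Connection security rules are implemented with IPsec; if any are enabled,
# keep the IPsec services and disable only the DHCP client.
$ipsecRules = Get-NetIPsecRule -ErrorAction SilentlyContinue | Where-Object { $_.Enabled -eq 'True' }
if ($ipsecRules) {
    Write-Warning ("Enabled IPsec rules found, keeping IKEEXT/PolicyAgent: " + ($ipsecRules.DisplayName -join ', '))
    $servicesToDisable = @('Dhcp')
}

foreach ($name in $servicesToDisable) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "Service $name is not present"; continue }

    # Running services that depend on this one would stop together with it.
    $dependents = $svc.DependentServices | Where-Object { $_.Status -eq 'Running' }
    if ($dependents) {
        Write-Warning ("{0} has running dependents: {1}" -f $name, ($dependents.Name -join ', '))
    }

    Set-Service -Name $name -StartupType Disabled      # same as: sc config <name> start= disabled
    if ($svc.Status -eq 'Running') { Stop-Service -Name $name -Force }
}

# Verify the end state.
Get-Service -Name 'Dhcp', 'IKEEXT', 'PolicyAgent' | Select-Object Name, Status, StartType
```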

Enforcing a higher encryption level (High, at least 128-bit) for RDP connections. This value governs RDP's own encryption layer; for the session to be protected by TLS with Network Level Authentication, also set SecurityLayer=2 and UserAuthentication=1 in the same key.

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t REG_DWORD /d 3 /f
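The registry values from the RDP drive-redirection, SMB signing, anonymous enumeration and RDP encryption sections above, written as one desired state that is applied idempotently and then read back. This is an added example, not code from the original documentation. It also includes three RDP values that the sections above do not list: fDisableClip (closes the clipboard file-copy path that fDisableCdm leaves open), SecurityLayer=2 (TLS) and UserAuthentication=1 (NLA required).

```powershell
# Added example: hardening registry values as a desired state, applied only
# where the current value differs, then verified.
$tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$rdpTcp   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

$desired = @(
    @{ Path = $tsPolicy; Name = 'fDisableCdm';        Value = 1 }   # no drive redirection
    @{ Path = $tsPolicy; Name = 'fDisableClip';       Value = 1 }   # no clipboard redirection
    @{ Path = $rdpTcp;   Name = 'MinEncryptionLevel'; Value = 3 }   # High (128-bit)
    @{ Path = $rdpTcp;   Name = 'SecurityLayer';      Value = 2 }   # TLS
    @{ Path = $rdpTcp;   Name = 'UserAuthentication'; Value = 1 }   # NLA required
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'RequireSecuritySignature'; Value = 1 }               # SMB signing required
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RestrictAnonymous'; Value = 1 }                      # no anonymous SAM/share enumeration
)

function Set-DesiredDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($current -ne $Value) {
        Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
        return 'changed'
    }
    return 'ok'
}

$report = foreach ($d in $desired) {
    $result = Set-DesiredDword @d
    [PSCustomObject]@{
        Name   = $d.Name
        Wanted = $d.Value
        Result = $result
        Actual = (Get-ItemProperty -Path $d.Path -Name $d.Name).$($d.Name)
    }
}
$report | Format-Table -AutoSize

# Anything that still differs after the apply step (for example a domain
# GPO re-imposing a different value) is reported here.
$drift = $report | Where-Object { $_.Actual -ne $_.Wanted }
if ($drift) { Write-Warning ("Values not applied: " + ($drift.Name -join ', ')) }
```

RDP values under WinStations\RDP-Tcp apply to new connections; the SMB signing value is read by the Server service, so restart it (or the host) after the change.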

Raising the level of auditing

auditpol /set /subcategory:"Sensitive Privilege Use" /failure:enable /success:enable
auditpol /set /subcategory:"Security System Extension" /failure:enable /success:enable
auditpol /set /subcategory:"IPsec Driver" /failure:enable /success:enable
auditpol /set /subcategory:"Credential Validation" /failure:enable /success:enable
auditpol /set /subcategory:"Application Group Management" /failure:enable /success:enable
auditpol /set /subcategory:"Computer Account Management" /failure:enable /success:enable
auditpol /set /subcategory:"Other Account Management Events" /failure:enable /success:enable
auditpol /set /subcategory:"Security Group Management" /failure:enable /success:enable
auditpol /set /subcategory:"User Account Management" /failure:enable /success:enable
auditpol /set /subcategory:"Process Creation" /success:enable
auditpol /set /subcategory:"Account Lockout" /failure:enable /success:enable
auditpol /set /subcategory:"Other Logon/Logoff Events" /failure:enable /success:enable
auditpol /set /subcategory:"Other Object Access Events" /failure:enable /success:enable
auditpol /set /subcategory:"Removable storage" /failure:enable /success:enable
auditpol /set /subcategory:"Audit Policy Change" /failure:enable /success:enable
auditpol /set /subcategory:"Authorization Policy Change" /success:enable
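The audit policy above applied from one table, plus two things a practitioner wants with it: command-line capture for Process Creation events (without it, event 4688 records only the image path) and a read-back of the effective policy and of the resulting events. This is an added example, not code from the original documentation.

```powershell
# Added example: apply the audit subcategories listed above, enable command
# line logging for 4688 events and verify the effective policy.
$policy = @(
    'Sensitive Privilege Use', 'Security System Extension', 'IPsec Driver',
    'Credential Validation', 'Application Group Management',
    'Computer Account Management', 'Other Account Management Events',
    'Security Group Management', 'User Account Management', 'Account Lockout',
    'Other Logon/Logoff Events', 'Other Object Access Events',
    'Removable Storage', 'Audit Policy Change'
) | ForEach-Object { @{ Name = $_; Success = $true; Failure = $true } }
# These two only get success auditing, as in the list above.
$policy += @{ Name = 'Process Creation';            Success = $true; Failure = $false }
$policy += @{ Name = 'Authorization Policy Change'; Success = $true; Failure = $false }

foreach ($p in $policy) {
    $flags = @()
    if ($p.Success) { $flags += '/success:enable' }
    if ($p.Failure) { $flags += '/failure:enable' }
    & auditpol.exe /set "/subcategory:$($p.Name)" @flags | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol failed for '$($p.Name)'" }
}

# Include the command line in Process Creation (4688) events.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
if (-not (Test-Path $auditKey)) { New-Item -Path $auditKey -Force | Out-Null }
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# Effective policy: auditpol /get ... /r prints CSV, so it can be filtered
# to the subcategories that were just set.
$effective = auditpol /get /category:* /r | ConvertFrom-Csv
$effective | Where-Object { $_.Subcategory -in $policy.Name } |
    Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize

# The most recent process creations with parent and command line; a process
# started by an unexpected parent is one of the simplest detections.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [PSCustomObject]@{
            Time    = $_.TimeCreated
            Parent  = $d['ParentProcessName']
            Process = $d['NewProcessName']
            CmdLine = $d['CommandLine']
        }
    }
```

On a domain member, a GPO with the "Force audit policy subcategory settings" option can override what auditpol sets locally; the read-back shows the value that is actually in force.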

Disabling the older and vulnerable TLS 1.0 and 1.1 and enabling TLS 1.2. The Schannel settings below are system-wide: they apply to Terminal Services and to every other client or server on the host that uses Schannel (HTTPS services included), and a restart is required for them to take effect.

powershell -command "New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force | Out-Null"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null"
powershell -command "New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Force | Out-Null"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null"
powershell -command "New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force | Out-Null"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null"
powershell -command "New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force | Out-Null"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null"

powershell -command "New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null"
powershell -command "New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null"

Disabling the DES-CBC3-SHA, RC4-SHA and RC4-MD5 ciphers. The keys below disable DES, all RC4 variants and Triple DES for every Schannel consumer, Terminal Services included. The .NET registry API is used to create the keys because their names contain "/", which the PowerShell registry provider would treat as a path separator.

powershell -command "([Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine,$env:COMPUTERNAME)).CreateSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56')"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null"
powershell -command "([Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine,$env:COMPUTERNAME)).CreateSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128')"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null"
powershell -command "([Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine,$env:COMPUTERNAME)).CreateSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128')"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null"
powershell -command "([Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine,$env:COMPUTERNAME)).CreateSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128')"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null"
powershell -command "([Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine,$env:COMPUTERNAME)).CreateSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128')"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null"
powershell -command "([Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine,$env:COMPUTERNAME)).CreateSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168')"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null"
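The TLS protocol and cipher settings from the two sections above as one script, followed by a handshake probe that shows whether a disabled protocol version is really refused after the restart. This is an added example, not code from the original documentation. The probe target (localhost, port 443) is an assumption: pick any Schannel-backed TLS service on the host. RDP on port 3389 cannot be probed this way, because the client must send the RDP X.224 connection request before TLS starts.

```powershell
# Added example: Schannel protocol and cipher settings via the .NET registry
# API (key names such as 'RC4 128/128' contain '/', which the HKLM: provider
# would read as a path separator), plus a per-version handshake probe.
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-SchannelValue {
    param([string]$SubKey, [string]$Name, [int]$Value)
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$base\$SubKey")
    try   { $key.SetValue($Name, $Value, [Microsoft.Win32.RegistryValueKind]::DWord) }
    finally { $key.Close() }
}

# Disabled protocols get Enabled=0 and DisabledByDefault=1, the allowed one
# the reverse, on both the Client and the Server side.
$protocols = @{ 'TLS 1.0' = $false; 'TLS 1.1' = $false; 'TLS 1.2' = $true }
foreach ($proto in $protocols.Keys) {
    foreach ($side in 'Client', 'Server') {
        $enabled = $protocols[$proto]
        Set-SchannelValue "Protocols\$proto\$side" 'Enabled'           ([int]$enabled)
        Set-SchannelValue "Protocols\$proto\$side" 'DisabledByDefault' ([int](-not $enabled))
    }
}

# Ciphers: DES, every RC4 key length and Triple DES.
foreach ($cipher in 'DES 56/56', 'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128', 'Triple DES 168') {
    Set-SchannelValue "Ciphers\$cipher" 'Enabled' 0
}
Write-Host 'Schannel settings written; they take effect after a restart.'

# Verification after the restart: attempt a handshake restricted to a single
# protocol version. The certificate is not validated here on purpose, the
# probe is only about which versions the server still accepts.
function Test-TlsVersion {
    param(
        [string]$ProbeHost,
        [int]$ProbePort,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($ProbeHost, $ProbePort)
    $trustAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $trustAll)
    try {
        $ssl.AuthenticateAsClient($ProbeHost, $null, $Protocol, $false)
        return "$Protocol accepted ($($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit)"
    } catch {
        return "$Protocol rejected"
    } finally {
        $ssl.Dispose(); $tcp.Close()
    }
}

# 'localhost' and 443 are assumptions for this example.
foreach ($version in 'Tls', 'Tls11', 'Tls12') {
    Test-TlsVersion -ProbeHost 'localhost' -ProbePort 443 -Protocol $version
}
```

Expected after the restart: Tls and Tls11 report "rejected", Tls12 reports "accepted" with an AES cipher. If Tls12 is also rejected, check the Ciphers and cipher-suite settings from the following sections before touching the protocol keys again.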

Removing weak cipher suites and suites without forward secrecy (plain RSA key exchange, NULL ciphers, 3DES and PSK). The Disable-TlsCipherSuite cmdlet is available on Windows 8.1 / Server 2012 R2 and later; the change is system-wide, not limited to Terminal Services.

powershell -command "Disable-TlsCipherSuite -Name 'TLS_RSA_WITH_AES_256_GCM_SHA384'"
powershell -command "Disable-TlsCipherSuite -Name 'TLS_RSA_WITH_AES_128_GCM_SHA256'"
powershell -command "Disable-TlsCipherSuite -Name 'TLS_RSA_WITH_3DES_EDE_CBC_SHA'"
powershell -command "Disable-TlsCipherSuite -Name 'TLS_RSA_WITH_NULL_SHA256'"
powershell -command "Disable-TlsCipherSuite -Name 'TLS_RSA_WITH_NULL_SHA'"
powershell -command "Disable-TlsCipherSuite -Name 'TLS_PSK_WITH_AES_256_GCM_SHA384'"
powershell -command "Disable-TlsCipherSuite -Name 'TLS_PSK_WITH_AES_128_GCM_SHA256'"
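The same removal with a safety check in front of it, as an added example that is not part of the original documentation: the script refuses to proceed if no ECDHE (forward-secret, non-NULL) suite would remain, because a host with only disabled suites cannot negotiate TLS with any client at all, and afterwards it reports suites that are still enabled but weak.

```powershell
# Added example: disable the listed suites, but only if at least one ECDHE
# suite stays available, then report weak suites that are still enabled.
$toDisable = @(
    'TLS_RSA_WITH_AES_256_GCM_SHA384', 'TLS_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA',   'TLS_RSA_WITH_NULL_SHA256',
    'TLS_RSA_WITH_NULL_SHA',           'TLS_PSK_WITH_AES_256_GCM_SHA384',
    'TLS_PSK_WITH_AES_128_GCM_SHA256'
)

$before    = (Get-TlsCipherSuite).Name
$remaining = $before | Where-Object { $_ -notin $toDisable }
$pfs       = $remaining | Where-Object { $_ -like 'TLS_ECDHE_*' -and $_ -notlike '*_NULL_*' }
if (-not $pfs) { throw 'No ECDHE suite would remain enabled; aborting' }

foreach ($suite in $toDisable) {
    if ($suite -in $before) { Disable-TlsCipherSuite -Name $suite }
}

# Suites still enabled that use RC4, NULL, 3DES or plain RSA key exchange.
# Which ones exist depends on the Windows version and on whether a cipher
# suite order policy is applied by GPO (GPO wins over Disable-TlsCipherSuite).
$after = (Get-TlsCipherSuite).Name
$after | Where-Object { $_ -match 'RC4|NULL|3DES|^TLS_RSA_' } |
    ForEach-Object { Write-Warning "Still enabled: $_" }

# What a client can negotiate now, in the server's order of preference.
[PSCustomObject]@{
    Disabled  = ($before | Where-Object { $_ -notin $after }) -join ', '
    Remaining = $after.Count
    ECDHE     = ($after | Where-Object { $_ -like 'TLS_ECDHE_*' }).Count
}
```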

Disabling the SMBv1 protocol and enabling SMBv2 (Set-SmbServerConfiguration asks for confirmation; -Force is needed so that the command does not block on the prompt when run non-interactively)

powershell -command "Get-SmbServerConfiguration | Select EnableSMB1Protocol"
powershell -command "Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force"
powershell -command "Get-SmbServerConfiguration | Select EnableSMB2Protocol"
powershell -command "Set-SmbServerConfiguration -EnableSMB2Protocol $true -Force"
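The SMB side of the hardening as one script, as an added example that is not part of the original documentation. It first looks for clients that still speak SMB1 to this server (disabling the protocol would cut them off), turns on SMB1 access auditing, disables SMB1 and requires signing through the SMB cmdlets (the same effect as the RequireSecuritySignature registry value above), removes the SMB1 component so the driver is not loaded at all, and reads the configuration back.

```powershell
# Added example: SMB1 removal and SMB signing with the SMB cmdlets.
# -Force suppresses the confirmation prompt of Set-SmbServerConfiguration.

# 1) Inbound sessions carry the negotiated dialect; anything below 2.0 is SMB1.
$smb1Clients = Get-SmbSession -ErrorAction SilentlyContinue |
    Where-Object { $_.Dialect -and ([version]"$($_.Dialect)" -lt [version]'2.0') }
if ($smb1Clients) {
    Write-Warning ("SMB1 clients still connected: " +
        (($smb1Clients.ClientComputerName | Sort-Object -Unique) -join ', '))
}

# 2) Record SMB1 access attempts (event 3000 in Microsoft-Windows-SMBServer/Audit)
#    so that legacy clients can be identified before and after the cut-off.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# 3) Disable SMB1, keep SMB2/3, require signing on the server side.
Set-SmbServerConfiguration -EnableSMB1Protocol $false `
                           -EnableSMB2Protocol $true `
                           -RequireSecuritySignature $true -Force

# 4) Remove the SMB1 component itself: Remove-WindowsFeature exists on
#    Server editions, Disable-WindowsOptionalFeature on client editions.
if (Get-Command Remove-WindowsFeature -ErrorAction SilentlyContinue) {
    Remove-WindowsFeature -Name FS-SMB1 | Out-Null
} else {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# 5) Read the configuration back.
Get-SmbServerConfiguration |
    Select-Object EnableSMB1Protocol, EnableSMB2Protocol, RequireSecuritySignature, AuditSmb1Access

# Recent SMB1 access attempts recorded by the audit log (empty until a
# legacy client tries to connect).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Removing the SMB1 feature requires a restart to complete; the Set-SmbServerConfiguration changes apply immediately to new sessions.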

Further recommendations:

  • We recommend enabling encryption of D2000 communication between processes.
  • We recommend using D2000 Security Access Server for client access from external networks.
  • We recommend using SFTP instead of FTP in the update mechanism of D2000 client installations (D2u_*).
  • If some system processes (e.g. OPC UA Server, KOM process, Event Handler) are located in a separate network with a lower security level, a reverse connection can be configured (the D2000 Server connects to the respective process).
  • For encrypted communication we recommend using certificates issued by a known certification authority (internal or external), whose authenticity can be unambiguously verified and which provide a sufficient guarantee of their origin. The recommendation applies to services such as Terminal Services, HTTPS and others.

