Táto kapitola udáva možné prispôsobenia nastavení Windows slúžiace na zvýšenie úrovne zabezpečenia. Z veľkej časti sa jedná o nastavenia, ktoré priamo nesúvisia s D2000
Príkazy odporúčame spúšťať z príkazového riadku spusteného s administrátorskými právami, inak sa niektoré nemusia vykonať korektne (napr. premenovanie účtu).
Zabránenie pripojeniu klientských diskov pri pripojení cez RDP (nastavenie zároveň znemožňuje kopírovanie súborov cez RDP)
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fDisableCdm /t REG_DWORD /d 1 /f
Elektronické podpisovanie paketov SMB komunikácie servera
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v requiresecuritysignature /t REG_DWORD /d 1 /f
Zabránenie anonymnému listovaniu údajov o účtoch zo SAM (Security Accounts Manager)
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v restrictanonymous /t REG_DWORD /d 1 /f
Premenovanie účtu lokálneho administrátora
wmic useraccount where name='Administrator' rename some_unknown_name
Zakázanie služby DHCP Client (nepotrebné, ak sa používajú fixné IP adresy)
sc config "Dhcp" start= disabled
Zrušenie autoštartu služby "IKE and AuthIP IPsec Keying Modules" (nepotrebné, ak sa z počítača nevytvárajú VPN spojenia).
sc config "IKEEXT" start= disabled
Zrušenie autoštartu služby "IPsec Policy Agent" (nepotrebné, ak sa z počítača nevytvárajú VPN spojenia).
sc config "PolicyAgent" start= disabled
Vynútenie vyššej úrovne šifrovania (High - aspoň 128 bitov) pri pripojení cez RDP
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t REG_DWORD /d 3 /f
Zvýšenie úrovne auditovania
auditpol /set /subcategory:"Sensitive Privilege Use" /failure:enable /success:enable
auditpol /set /subcategory:"Security System Extension" /failure:enable /success:enable
auditpol /set /subcategory:"IPsec Driver" /failure:enable /success:enable
auditpol /set /subcategory:"Credential Validation" /failure:enable /success:enable
auditpol /set /subcategory:"Application Group Management" /failure:enable /success:enable
auditpol /set /subcategory:"Computer Account Management" /failure:enable /success:enable
auditpol /set /subcategory:"Other Account Management Events" /failure:enable /success:enable
auditpol /set /subcategory:"Security Group Management" /failure:enable /success:enable
auditpol /set /subcategory:"User Account Management" /failure:enable /success:enable
auditpol /set /subcategory:"Process Creation" /success:enable
auditpol /set /subcategory:"Account Lockout" /failure:enable /success:enable
auditpol /set /subcategory:"Other Logon/Logoff Events" /failure:enable /success:enable
auditpol /set /subcategory:"Other Object Access Events" /failure:enable /success:enable
auditpol /set /subcategory:"Removable storage" /failure:enable /success:enable
auditpol /set /subcategory:"Audit Policy Change" /failure:enable /success:enable
auditpol /set /subcategory:"Authorization Policy Change" /success:enable
Zablokovanie použitia starších a zraniteľných TLS 1.0 a 1.1 a povolenie TLS 1.2 v rámci Terminal Services
powershell -command "New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force | Out-Null"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null"
powershell -command "New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Force | Out-Null"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null"
powershell -command "New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force | Out-Null"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null"
powershell -command "New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force | Out-Null"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null"
powershell -command "New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null"
powershell -command "New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null"
Zablokovanie použitia sifrovania DES-CBC3-SHA, RC4-SHA a RC4-MD5 v rámci Terminal Services
powershell -command "([Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine,$env:COMPUTERNAME)).CreateSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56')"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null"
powershell -command "([Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine,$env:COMPUTERNAME)).CreateSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128')"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null"
powershell -command "([Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine,$env:COMPUTERNAME)).CreateSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128')"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null"
powershell -command "([Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine,$env:COMPUTERNAME)).CreateSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128')"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null"
powershell -command "([Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine,$env:COMPUTERNAME)).CreateSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128')"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null"
powershell -command "([Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine,$env:COMPUTERNAME)).CreateSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168')"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null"
Zrušenie zraniteľných šifrovacích sád
powershell -command "Disable-TlsCipherSuite -Name "TLS_RSA_WITH_AES_256_GCM_SHA384""
powershell -command "Disable-TlsCipherSuite -Name "TLS_RSA_WITH_AES_128_GCM_SHA256""
powershell -command "Disable-TlsCipherSuite -Name "TLS_RSA_WITH_3DES_EDE_CBC_SHA""
powershell -command "Disable-TlsCipherSuite -Name "TLS_RSA_WITH_NULL_SHA256""
powershell -command "Disable-TlsCipherSuite -Name "TLS_RSA_WITH_NULL_SHA""
powershell -command "Disable-TlsCipherSuite -Name "TLS_PSK_WITH_AES_256_GCM_SHA384""
powershell -command "Disable-TlsCipherSuite -Name "TLS_PSK_WITH_AES_128_GCM_SHA256""
Zablokovanie použitia komunikačného protokolu SMBv1 a zapnutie SMBv2
powershell -command "Get-SmbServerConfiguration | Select EnableSMB1Protocol"
powershell -command "Set-SmbServerConfiguration -EnableSMB1Protocol $false"
powershell -command "Get-SmbServerConfiguration | Select EnableSMB2Protocol"
powershell -command "Set-SmbServerConfiguration -EnableSMB2Protocol $true"
Ďalšie odporúčania:
- Odporúčame zapnúť šifrovanie D2000 komunikácie medzi procesmi.
- Odporúčame použiť D2000 Security Access Server na prístup klientov z vonkajších sietí.
- Odporúčame použiť SFTP namiesto FTP v mechanizme aktualizácie klientských inštalácií D2000 (D2u_*).
- Pokiaľ sú niektoré systémové procesy (napr. OPC UA Server, KOM proces, Event Handler) v oddelenej sieti s nižšou úrovňou bezpečnosti, je možné nakonfigurovať reverzné pripojenie (D2000 Server sa pripája na príslušný proces).
- Odporúčame pre šifrovanú komunikáciu používať certifikáty vydané známou certifikačnou autoritou (internou alebo externou), ktorých pravosť je možné jednoznačne overiť a ktoré poskytujú dostatočnú záruku svojho pôvodu. Odporúčanie sa týka služieb ako Terminal Services, HTTPS a iné.
Pridať komentár