HP StorageWorks X5000 NAS Security: Technical Guide to NSA, C2, E3-FC2, and CC
HP StorageWorks X5000 manual content summary:
Page 1: technical guide to Manual Hardening Procedures 107 2.9 Hardening File Servers...111 2.9.1 Audit Policy Settings ...112 2.9.2 User Rights Assignments 112 2.9.3 Security Options...113 2.9.4 Event Log Settings...117 2.9.5 System Services...117 2.9.6 Additional Security Settings 125 2.9.7 HP
Page 2: 2.11.2 User Rights Assignments 135 2.11.3 Security Options...136 2.11.4 Event Log Settings...136 2.11.5 System Services...136 2.11.6 Additional Security Settings 139 2.11.7 HP NAS Specific Security Settings 148 3 C2 / CC Security Compliancy 148 3.1 Security Policy Modifications 149 3.2 Registry
Page 3: compliant environments. HP Windows Storage Server 2003 NAS NSA security compliancy is based on Microsoft's "Windows Server 2003 Security Guide: Patterns and .html. All E3/F-C2 system modifications within this document are based upon the Information Technology Security Evaluation Manual (ITSEM) at http://www
Page 4: requirements. All E3/F-C2 system modifications within this document are based upon the Information Technology Security Evaluation Manual (ITSEM) at http the NAS system and other systems within the network to meet NSA security compliancy based on Microsoft's "Windows Server 2003 Security Guide: Patterns and
Page 5: acceptable tradeoff in order to achieve the highest level of security. Figure 1. This figure shows the three layers of security and the clients supported in each. Organizations that want to provide a phased approach to securing their environments may choose to start at the Legacy Client environment
Page 6: Active Directory domain. The W32Time service synchronizes the client clocks of Windows the desired time sources: w32tm /config /syncfromflags:manual /manualpeerlist:PeerList 3. To update type: w32tm an entry is written to the Event Log. Computer systems running Windows 98, Windows NT 4.0, or Windows
Page 7: by applying specific settings, rights, and behaviors to all servers, devices, users, and groups within an OU. By using Group Policy rather than manual steps, it is simple to update a number of servers with any additional changes required in the future. Figure 2. Group policies are accumulated and
Page 8: Console (MMC). All computers running Windows Server 2003 and Windows Storage Server 2003 store their security templates in the %SystemRoot%\ the guide. Warning: Although the security templates within the Microsoft guide do increase network security, some application and operating system functionality
Page 9: policy objects has been applied successfully. For more information, see Help and Support Center at . If the above requirements for infrastructure servers differ from those for servers running HP NAS. 2.4 Domain Level: Hardening the Domain Infrastructure
Page 10: guidelines should also be used for all service account passwords in the organization. The following consistent across all environments defined within this guide. Also, there are no known issues the potential for an increase in calls to help desk support. In order to balance the needs of security and
Page 11: depends on the length of the password, the size of the potential character set, and the computational power available to the attacker. This guide recommends setting the value for password length in the High Security environment to 12 characters. Passwords are stored in the Security Accounts Manager
Page 12: rules. For the source code for passfilt.dll, see Microsoft Knowledge Base article 151082 at http://support.microsoft.com/default.aspx?kbid=151082, labelled "HOW TO: Password Change Filtering & Notification in Windows NT", this is the recommendation the three environments defined in this guide.
Page 13: system stores passwords using reversible encryption or not. This policy supports level decreases the amount of operation overhead during a denial of service (DoS) attack. In a DoS attack, the attacker maliciously guide recommends setting the value to 15 minutes in the High Security environment.
Page 14: acceptable usability. This setting value will prevent accidental account lockouts and reduce help desk calls, but will not prevent a DoS attack as mentioned above. This guide recommends setting the value to 10 invalid login attempts in the High Security environment.
Page 15: other values configured as part of this guide, leaving this setting at its default value, the account lockout, administrators would have to manually unlock all accounts. Conversely, if there , it causes client sessions with the SMB service to be forcibly disconnected when the client's
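Pages 13 to 15 set the three lockout values but only describe their interaction in prose. The Python below is an added example, not code from the HP guide or from Microsoft: it models the threshold, the reset window and the lockout duration the way Windows applies them, and runs a constructed scenario in which an attacker deliberately burns the threshold on another user's account. The threshold of 10 and the duration of 15 minutes are the guide's High Security values; the 15-minute reset window, the account name and the timestamps are assumptions.

```python
"""Windows account lockout policy simulator (added example, not from the HP/Microsoft guide)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    """The three Group Policy lockout settings with their Windows meaning."""
    threshold: int                  # Account lockout threshold; 0 disables lockout entirely
    reset_after: timedelta          # Reset account lockout counter after
    duration: Optional[timedelta]   # Account lockout duration; None models "0 = until an administrator unlocks"

    def __post_init__(self) -> None:
        # Windows refuses a timed duration shorter than the reset window.
        if self.duration is not None and self.duration < self.reset_after:
            raise ValueError("Account lockout duration must be >= the reset window")


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[datetime] = None
    locked: bool = False
    locked_until: Optional[datetime] = None   # None while locked = waiting for admin_unlock()


class LockoutSimulator:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _expire(self, st: AccountState, now: datetime) -> None:
        # A timed lockout that has elapsed clears both the lock and the counter.
        if st.locked and st.locked_until is not None and now >= st.locked_until:
            st.locked, st.locked_until, st.bad_count, st.last_bad = False, None, 0, None
        # Once the reset window has passed since the last bad password, the count starts over.
        if (not st.locked and st.last_bad is not None
                and now - st.last_bad >= self.policy.reset_after):
            st.bad_count, st.last_bad = 0, None

    def attempt(self, account: str, password_ok: bool, now: datetime) -> str:
        """Returns 'success', 'failure', 'locked_out' (this attempt tripped the lock) or 'locked'."""
        st = self.accounts.setdefault(account, AccountState())
        self._expire(st, now)
        if st.locked:
            # Even the correct password is rejected: this is the DoS the guide warns about.
            return "locked"
        if password_ok:
            st.bad_count, st.last_bad = 0, None
            return "success"
        st.bad_count += 1
        st.last_bad = now
        if self.policy.threshold and st.bad_count >= self.policy.threshold:
            st.locked = True
            st.locked_until = (now + self.policy.duration) if self.policy.duration else None
            return "locked_out"
        return "failure"

    def admin_unlock(self, account: str) -> None:
        self.accounts[account] = AccountState()


def run_scenario(policy: LockoutPolicy) -> List[str]:
    """Constructed scenario: an attacker sends ten wrong passwords for 'alice' within ten seconds,
    then the real user tries her correct password one minute later and again sixteen minutes later."""
    sim = LockoutSimulator(policy)
    t0 = datetime(2004, 1, 1, 9, 0, 0)
    results = [sim.attempt("alice", False, t0 + timedelta(seconds=i)) for i in range(10)]
    results.append(sim.attempt("alice", True, t0 + timedelta(minutes=1)))
    results.append(sim.attempt("alice", True, t0 + timedelta(minutes=16)))
    return results


# High Security values from the guide: threshold 10, duration 15 minutes.
# The 15-minute reset window is an assumption.
HIGH_SECURITY = LockoutPolicy(threshold=10, reset_after=timedelta(minutes=15),
                              duration=timedelta(minutes=15))
# Same threshold, but duration "0": locked accounts stay locked until an administrator acts.
ADMIN_UNLOCK_ONLY = LockoutPolicy(threshold=10, reset_after=timedelta(minutes=15), duration=None)

if __name__ == "__main__":
    print("15-minute lockout:", run_scenario(HIGH_SECURITY))
    print("admin unlock only:", run_scenario(ADMIN_UNLOCK_ONLY))
```

The second policy is the case page 15 describes: with a duration of 0 the account stays locked until admin_unlock() is called, which is the help-desk load the guide trades against the 15-minute value. In both runs the attacker needed nothing but the user name, so the threshold is a usability knob, not a defence; the audit settings that follow are what turn the same failures into something an administrator sees.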
Page 16: anonymous multi-protocol communications to cross platform systems, this guide recommends setting this security option to Enabled. the new name cannot be used to access the Web application. • Remote Access Service servers running on Windows 2000-based computers that are located in Windows NT 3.x
Page 17: supplied within the Microsoft "Windows Server 2003 Security Guide" that is most appropriate to their corresponding network the security events to report to the network administrators so that user or system activity in specified event categories is recorded. The administrator can monitor security-
Page 18: (TGS) ticket was granted. A TGS is a ticket issued by the Kerberos v5 ticket-granting service (TGS) that allows a user to authenticate to a specific service in the domain. A security principal renewed an AS ticket or TGS ticket. Pre-authentication failed. This event is generated on a Key Distribution
Page 19: Event ID and Event Description: 624 A user account was created. 627 A user password was changed. 628 A user password was set. 630 A user account was deleted. 631 A global group was created. 632 633 634 635 636 637 638 639 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 A
Page 20: determines whether to audit the event of a user accessing a Microsoft Active Directory® directory service object that has its own system access control list (SACL) specified. Setting Audit directory service access to No Auditing makes it difficult or impossible to determine what Active Directory
Page 21: logs on to the system regardless of where the accounts reside on the system. If the user logs for all three security environments defined in this guide. Event ID 528 529 530 531 532 account has expired. Logon failure. The Net Logon service is not active. Logon failure. The logon attempt failed
Page 22: forests. 550 Notification message that could indicate a possible denial-of-service (DoS) attack. 551 A user initiated the logoff process. 552 changes to or even the reading of sensitive documents. Therefore, this guide recommends enabling both the Success and Failure auditing values for this
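The logon and account-management events on pages 19 to 22 are only useful if something reads them. As an added example (not the guide's and not Microsoft's code), the Python below parses constructed log lines in a simplified format, flags any source that accumulates ten failures within fifteen minutes (which also catches a spray spread across many accounts), flags a success that directly follows a run of failures, and lists the account-management events an administrator should review. The event IDs are the Windows 2000/2003 Security log IDs; the line format, the thresholds and the sample data are assumptions.

```python
"""Triage of Windows 2000/2003-style Security log events (added example, not from the guide)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Pre-Vista Security log event IDs as documented by Microsoft for Windows 2000/2003.
EVENT_NAMES = {
    528: "Successful logon", 529: "Logon failure: unknown user name or bad password",
    530: "Logon failure: logon time restriction", 531: "Logon failure: account disabled",
    532: "Logon failure: account expired", 539: "Logon failure: account locked out",
    540: "Successful network logon", 551: "User initiated logoff",
    624: "User account created", 628: "User account password set",
    630: "User account deleted", 632: "Security-enabled global group member added",
    644: "User account locked out",
}
LOGON_FAILURES = {529, 530, 531, 532, 539}
LOGON_SUCCESSES = {528, 540}
REVIEW_EVENTS = {624, 628, 630, 632, 644}   # account management and lockouts: always read these


@dataclass
class Event:
    time: datetime
    event_id: int
    user: str   # target user name from the event
    src: str    # workstation name reported in the event


def parse(line: str) -> Event:
    """Parse the constructed format '<iso-time> <event-id> user=<name> src=<workstation>'
    (a stand-in for the much wider tab-separated Event Viewer export)."""
    ts, eid, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(datetime.fromisoformat(ts), int(eid), kv["user"], kv["src"])


def find_guessing(events: List[Event], threshold: int = 10,
                  window: timedelta = timedelta(minutes=15)) -> Dict[str, List[str]]:
    """Sources producing >= threshold logon failures inside a sliding window, with the users they
    targeted. The defaults mirror the guide's lockout threshold and a 15-minute window, so this
    fires no later than a lockout would and also catches a spray spread over many accounts."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.time):
        if e.event_id in LOGON_FAILURES:
            by_src[e.src].append(e)
    hits: Dict[str, List[str]] = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].time - evs[start].time > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[src] = sorted({e.user for e in evs[start:end + 1]})
                break
    return hits


def find_success_after_failures(events: List[Event], min_failures: int = 3) -> List[Tuple[str, str, int]]:
    """(user, src, failures) for every successful logon immediately preceded by >= min_failures
    failures for the same user from the same source: the signature of a guess that worked."""
    streak: Dict[Tuple[str, str], int] = defaultdict(int)
    found: List[Tuple[str, str, int]] = []
    for e in sorted(events, key=lambda e: e.time):
        key = (e.user, e.src)
        if e.event_id in LOGON_FAILURES:
            streak[key] += 1
        elif e.event_id in LOGON_SUCCESSES:
            if streak[key] >= min_failures:
                found.append((e.user, e.src, streak[key]))
            streak[key] = 0
    return found


def review_items(events: List[Event]) -> List[Tuple[str, int, str, str]]:
    return [(e.time.isoformat(), e.event_id, e.user, EVENT_NAMES[e.event_id])
            for e in sorted(events, key=lambda e: e.time) if e.event_id in REVIEW_EVENTS]


def analyze(lines: List[str]) -> dict:
    events = [parse(line) for line in lines if line.strip()]
    return {"guessing": find_guessing(events),
            "success_after_failures": find_success_after_failures(events),
            "review": review_items(events)}


# Constructed sample (not a real log): routine logons from WS02, a password spray plus one
# successful guess from WKS17, and a service account created on the NAS.
SAMPLE_LOG = """\
2004-01-01T09:00:00 528 user=erin src=WS02
2004-01-01T09:01:00 529 user=alice src=WKS17
2004-01-01T09:01:01 529 user=alice src=WKS17
2004-01-01T09:01:02 529 user=alice src=WKS17
2004-01-01T09:01:03 529 user=alice src=WKS17
2004-01-01T09:01:04 529 user=alice src=WKS17
2004-01-01T09:01:05 529 user=alice src=WKS17
2004-01-01T09:01:06 528 user=alice src=WKS17
2004-01-01T09:01:10 529 user=bob src=WKS17
2004-01-01T09:01:11 529 user=carol src=WKS17
2004-01-01T09:01:12 529 user=dave src=WKS17
2004-01-01T09:01:13 529 user=bob src=WKS17
2004-01-01T09:01:14 529 user=carol src=WKS17
2004-01-01T09:01:15 529 user=dave src=WKS17
2004-01-01T09:30:00 624 user=svc_backup src=NAS01
2004-01-01T09:30:01 628 user=svc_backup src=NAS01
2004-01-01T10:00:00 529 user=erin src=WS02
2004-01-01T10:05:00 528 user=erin src=WS02
"""

if __name__ == "__main__":
    for name, value in analyze(SAMPLE_LOG.splitlines()).items():
        print(name, value)
```

Against a real export the parser would have to read the tab-separated columns Event Viewer writes; the three detection functions only need the time, event ID, target user and workstation, which every one of these events carries. Note that the spray from WKS17 never locks any one account out (two failures per user), so it is the per-source count, not the lockout, that surfaces it.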
Page 23: used by file systems when the FILE_DELETE_ON_CLOSE Services received a request to shut down. Certificate Services backup started. Certificate Services backup completed. Certificate Services restore started. Certificate Services restore completed. Certificate Services started. Certificate Services
Page 24: Services changed. 795 A configuration entry changed in Certificate Services. 796 A property of Certificate Services changed. 797 Certificate Services archived a key. 798 Certificate Services well as to trust relationships. Note: This guide recommends configuring the value for this setting to
Page 25: : See event description for event 769. 805 The event log service read the security log configuration for a session. Member Server Default log, which may constrain the performance of the NAS and other server systems. To audit the following excluded rights, administrators must enable the Audit:
Page 26: in this guide has unique recommendations for these settings. Failed use of a user right is an indicator of a general network problem and often can when the user logs on. A user attempted to perform a privileged system service operation. Privileges were used on an already open handle to a protected
Page 27: groups have logon rights or privileges on the computers on the network. Logon rights and privileges govern the rights that users have on the target system. They are used to grant the right to perform certain actions, such as logging on from the network or locally, as well as administrative tasks
Page 28: Support Center. Support_388945a0 is a member of this group by default. • Telnet Clients Members of this group have access to Telnet Server on the system. Domain Controllers • Server Operators Members of this group can administer domain servers. • Terminal Server License Services Security Guide
Page 29: security group. For this reason, this guide recommends removing the Everyone security group from the system user right allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access. Typically, only low-level authentication services
Page 30: SERVICE, LOCAL SERVICE system Services Services user right determines which users or groups have permission to log on as a Terminal Services client. Member Server Default Administrators and Power Users Change the system time ... occurred. Limit the Change the system time privilege to users with
Page 31: ; Support_388945a0; Guest; all non-operating system service accounts (the same value in the Legacy Client, Enterprise Client and High Security Client columns) Important: For all HP NAS server systems, administrators should only deny the Support_388945a0 account. Note: ANONYMOUS
Page 32: system service accounts Important: For all HP NAS server systems, administrators should only deny Guests, Support_388945a0, Guest, and all non-operating system service manually. For further information, see the Manual Hardening Procedures in section 2.8.7. The Deny log on through Terminal Services
Page 33: Client Not Defined Not Defined High Security Client NETWORK SERVICE, LOCAL SERVICE The Generate security audits user privilege allows a process to generate audit records in the security log. The security log can be used to trace unauthorized system access. Accounts that are able to write to the
Page 34: is not required by administrative tools supplied with the operating system but might be required by software development tools. A user to log on by using a batch-queue facility such as the Task Scheduler service. This is a low-risk vulnerability so the default settings for this user right
Page 35: The Profile single process user right determines which users can use performance monitoring tools to monitor the performance of non-system processes. This is a moderate vulnerability; an attacker with this privilege could monitor a computer's performance to help identify critical processes that
Page 36: controller. In the High Security environment, only Administrators should be granted the Shut down the system user right. Member Server Default Not Defined Synchronize directory service data Legacy Client Enterprise Client Not Defined Not Defined High Security Client Revoke all security groups
Page 37: LDAP directory synchronization (Dirsync) services. The default setting specifies no system, including Active Directory objects, NTFS files and folders, printers, registry keys, services all types of systems. Also, many need to be manually modified on a system where the target
Page 38: the Audit: Audit the access of global system objects and the Audit object access audit policy settings are enabled, a large number of audit events will be generated. This setting is configured to the default in all three environments defined in this guide. Note: Changes to the configuration of this
Page 39: to be too high; therefore, Group Policy configures the Shut down system immediately if unable to log security audits setting to Disabled. However, setting is the default for all three of the environments defined in this guide. Devices: Restrict CD-ROM access to locally logged-on user only Member
Page 40: Server 2003. One potential problem with configuring this setting to in all three environments defined in this guide. The impact of disabling this setting Service Account can be modified in order to select a different account rather than the LOCAL SYSTEM account. To change the account, open System
Page 41: Disabled in the three environments defined in this guide. Domain member: Digitally encrypt or sign secure Service Pack 6a or later; this is not supported in Windows 98 Second Edition clients (unless they have the dsclient installed). This setting must be set to Disabled for HP NAS server systems
Page 42: their account passwords are at risk of an attacker determining the password for the system's domain account. Therefore, set this countermeasure to Disabled across the three environments defined in this guide. Domain member: Maximum machine account password age Member Server Default Legacy Client
Page 43: controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Therefore, since the three security environments described in this guide contain Windows 2000 domain controllers or later, this setting is configured to Enabled in all three
Page 44: window that contains the Interactive logon users see when they log on to the system. The reasoning behind this setting is the same as that for the Message text , this setting is enabled in the three environments defined in this guide. Note: Any warning that gets displayed should first be approved by
Page 45: The Enterprise Client and High Security environments defined in this guide only contain systems running Windows 2000 or later, which support signing digital communications. Therefore, to increase communications security between systems in this environment, this setting is configured to Enabled in
Page 46: the three environments defined in this guide. Microsoft network client: Send unencrypted NFS, Services for UNIX, Services for Netware, etc...) have packet signing support. The unsigned SMB communications, legacy applications and operating systems will be unable to connect. Completely disabling
Page 47: that support mutual authentication, which closes session hijacking attacks and supports message SMB communications, legacy applications and operating systems will be unable to connect. Completely three environments defined in this guide. Network access: Do not allow storage of credentials or .NET
Page 48: This setting should be set to Enabled for all HP NAS server systems requiring anonymous user access within multi-protocol network environments. that are needed to support the applications within the company's network environment. As with all recommended settings in this guide, this setting should
Page 49: setting in the baseline security templates for all three security environments defined in this guide. Note: Even if this security option is set, administrators should also start the Remote Registry system service if authorized users are going to be able to access the registry over the network
Page 50: System\CurrentControlSet\Services\SysmonLog (listed identically in each of the three environment columns) templates for all three security environments defined in this guide. Network access: Restrict anonymous access to Named
Page 51: default setting option is used for the three environments defined in this guide. Network security: Do not store LAN Manager hash value on next setting is set. This setting must be set to Disabled for HP NAS server systems within multi-protocol network environments involving NFS, AFTP, or NCP.
Page 52: the LDAP client. Therefore, the value for this setting is configured to Negotiate signing in the three environments defined in this guide. Network security: Minimum session security for NTLM SSP based (including secure RPC) clients Member Server Default Legacy Client Enterprise Client High
Page 53: system. The Recovery Console can be very useful when troubleshooting and repairing systems that the default for the three environments defined in this guide. To use the Recovery Console when this setting is disabled variables: • AllowWildCards: Enables wildcard support for some commands (such as the
Page 54: shut the system down. An attacker or misguided user could connect to the server via Terminal Services and shut TLS/SSL Security Provider supports only the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite. the three environments defined in this guide. System objects: Default owner for objects created
Page 55: to support applications within the network. The default value for this setting in Windows Server 2003 is POSIX. In order to disable the POSIX subsystem, this setting is configured to None in the three environments defined in this guide. 2.8.4 Event Log The event logs record events on the system
Page 56: prescribed security options for the three environments defined in this guide for the MSBP. Member Server Default 16,384 KB should adequately store enough information to conduct audits. Configuring this log for other systems to an adequate size is based on factors that include how frequently the
Page 57: the security log. Therefore, this setting has no real effect on default systems. However, this setting is considered a defense-in-depth setting with no Computer Policy object. Prevent local guests group from accessing system log Member Server Default Legacy Client Enterprise Client Enabled
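Everything from the security options on pages 40 to 54 to the event log sizes on pages 56 and 57 ends up as lines in a secedit security template of the kind page 8 mentions, and the HP-specific exceptions (the LAN Manager hash setting on page 51) are the lines that differ between a generic file server and a multi-protocol NAS. As an added example, not HP's or Microsoft's code, the Python below reads that template format, builds a High Security baseline that includes the multi-protocol exception, and audits a constructed export against it. Values the guide states are noted in the code; the remaining baseline entries and the export contents are assumptions.

```python
"""Parse secedit-style security templates and audit a NAS export against a baseline
(added example, not HP's or Microsoft's code)."""
from typing import Dict, List, Tuple

# High Security member-server baseline. Values the guide states: password length 12, lockout
# 10 / 15 min, Security log 16,384 KB, LDAP client Negotiate signing (1), optional subsystems
# None, guests kept out of the System log, Recovery Console defaults. The rest is an assumption.
BASELINE_INF = r"""
[System Access]
MinimumPasswordLength = 12
LockoutBadCount = 10
LockoutDuration = 15
ResetLockoutCount = 15
[Security Log]
MaximumLogSize = 16384
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1
MACHINE\System\CurrentControlSet\Services\Eventlog\System\RestrictGuestAccess=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0
MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional=7,
"""

# The guide requires "Do not store LAN Manager hash value" to be Disabled on a multi-protocol NAS.
NAS_MULTIPROTOCOL_OVERRIDES = {
    r"MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash": "4,0",
}

# Constructed export (not from a real system) of a NAS hardened with the generic template:
# the LM hash is suppressed (wrong for this NAS), lockout is off, Recovery Console auto-logon
# is on, and the optional-subsystems entry was never applied.
NAS_EXPORT_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 12
LockoutBadCount = 0
LockoutDuration = 15
ResetLockoutCount = 15
[Security Log]
MaximumLogSize = 16384
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1
MACHINE\System\CurrentControlSet\Services\Eventlog\System\RestrictGuestAccess=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0
"""


def parse_inf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal reader for the INI-like template format: [Section] headers, 'key = value'
    lines and ';' comments. Registry paths keep their case and backslashes."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line:
            key, value = line.split("=", 1)   # registry values contain commas, never '='
            current[key.strip()] = value.strip()
    return sections


def expected_settings(multiprotocol: bool) -> Dict[str, Dict[str, str]]:
    want = parse_inf(BASELINE_INF)
    if multiprotocol:
        want["Registry Values"].update(NAS_MULTIPROTOCOL_OVERRIDES)
    return want


def audit(export_text: str, multiprotocol: bool) -> List[Tuple[str, str, str, str]]:
    """(section, key, expected, actual) for each baseline entry the export lacks or sets
    differently; actual is '<missing>' when the key is absent from the export."""
    have = parse_inf(export_text)
    findings: List[Tuple[str, str, str, str]] = []
    for section, entries in expected_settings(multiprotocol).items():
        for key, expected in entries.items():
            actual = have.get(section, {}).get(key, "<missing>")
            if actual != expected:
                findings.append((section, key, expected, actual))
    return findings


if __name__ == "__main__":
    for finding in audit(NAS_EXPORT_INF, multiprotocol=True):
        print("%s | %s: expected %s, found %s" % finding)
```

On a real server the input comes from secedit /export /cfg <file>; the export is written in Unicode, so read it with encoding="utf-16" before passing it to audit(). The multiprotocol flag is the point of the example: the same template that is correct for a pure-Windows file server produces a finding on a NAS that also serves NFS or NCP clients, which is exactly the class of exception the HP notes throughout this section describe.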
for either forensics or troubleshooting purposes. Overwriting events as needed ensures that the log always stores the most recent events, although this could result in a loss of historical data. 2.8.5 System Services When Windows Server 2003 and Windows Storage Server 2003 are first installed - HP StorageWorks X5000 | NAS Security: Technical Guide to NSA, C2, E3-FC2, and CC - Page 59
greater security in the three environments defined in this guide and to prevent unauthorized computers from acting as Internet gateways, disable this system service. Service Name AppMgmt Member Server Default Manual Application Management Legacy Client Enterprise Client Disabled Disabled - HP StorageWorks X5000 | NAS Security: Technical Guide to NSA, C2, E3-FC2, and CC - Page 60
. This service is configured to Manual in the three environments defined in this guide. Service Name CertSvc Member Server Default Not installed Certificate Services Legacy Client Enterprise Client Disabled Disabled High Security Client Disabled The Certificate Services system service is - HP StorageWorks X5000 | NAS Security: Technical Guide to NSA, C2, E3-FC2, and CC - Page 61
security in the three environments defined in this guide, disable this service. Any services that explicitly depend on this service will fail to start. Clipbrd.exe can Service must be set to Automatic for all HP NAS server systems running Microsoft Clustering. The Cluster Service system service - HP StorageWorks X5000 | NAS Security: Technical Guide to NSA, C2, E3-FC2, and CC - Page 62
defined in this guide, this service is set to Manual. COM+ System Application Service Name Member Server Legacy Client Enterprise Client High Security Client Default EventSystem Manual Disabled Disabled Disabled Important: COM+ System Application should be set to Manual for HP NAS server - HP StorageWorks X5000 | NAS Security: Technical Guide to NSA, C2, E3-FC2, and CC - Page 63
greater security in the three environments defined in this guide, configure this setting to Automatic. If this service is stopped, the computer will not receive dynamic to Automatic for all HP NAS server systems. The Distributed Link Tracking Client system service maintains links between the NTFS - HP StorageWorks X5000 | NAS Security: Technical Guide to NSA, C2, E3-FC2, and CC - Page 64
Client Default Manual Disabled Disabled High Security Client Disabled The Distributed Link Tracking Server system service stores information for the three environments defined in this guide. This value for this system service is set to Automatic only on DNS servers in the three environments - HP StorageWorks X5000 | NAS Security: Technical Guide to NSA, C2, E3-FC2, and CC - Page 65
significantly reduce the ability to successfully diagnose system problems. Therefore, this service sets the value of Automatic in the three environments defined in this guide. Service Name Fax Member Server Default Not installed Fax Service Legacy Client Disabled Enterprise Client Disabled High - HP StorageWorks X5000 | NAS Security: Technical Guide to NSA, C2, E3-FC2, and CC - Page 66
environments defined in this guide. HTTP SSL Service Name Member Server Legacy Client Enterprise Client High Security Client Default HTTPFilter Manual Disabled Disabled Disabled Important: HTTP SSL must be set to Automatic for HP NAS server systems in which the HP NAS WEB GUI interface - HP StorageWorks X5000 | NAS Security: Technical Guide to NSA, C2, E3-FC2, and CC - Page 67
Client Default IISADMIN Not installed Disabled Disabled Disabled Important: IIS Admin Service must be set to Automatic for HP NAS server systems in which the HP NAS WEB GUI interface is used, HP Insight Manager is used, HP's Array Configuration Utility (ACU) is used, HTTP file shares are - HP StorageWorks X5000 | NAS Security: Technical Guide to NSA, C2, E3-FC2, and CC - Page 68
Default cisvc Disabled Disabled Disabled Disabled Important: Although not required, Indexing Service can be set to Automatic within HP NAS server systems depending upon company requirements. The Indexing Service indexes contents and properties of files on local and remote computers and - HP StorageWorks X5000 | NAS Security: Technical Guide to NSA, C2, E3-FC2, and CC - Page 69
this guide. IP Version 6 Helper Service Service Name Member Server Legacy Client Enterprise Client High Security Client Default 6to4 Not installed Disabled Disabled Disabled Important: IP Version 6 Helper Service must be set to Automatic for HP NAS server systems requiring IPv6 support - HP StorageWorks X5000 | NAS Security: Technical Guide to NSA, C2, E3-FC2, and CC - Page 70
in the three environments defined in this guide. Service Name dmserver Member Server Default Automatic Logical Disk Manager Legacy Client Enterprise Client Manual Manual High Security Client Manual The Logical Disk Manager system service detects and monitors new hard disk drives and - HP StorageWorks X5000 | NAS Security: Technical Guide to NSA, C2, E3-FC2, and CC - Page 71
be set to Manual or Automatic within an HP NAS server environment depending upon whether there are any 3rd party applications, especially server monitoring applications, that require the messenger service. The Messenger system service transmits and sends Alerter service messages between clients - HP StorageWorks X5000 | NAS Security: Technical Guide to NSA, C2, E3-FC2, and CC - Page 72
: The .NET Framework Support Service may need to be set to Manual or Automatic within an HP NAS server environment depending upon whether there are any 3rd party applications that require the .NET Framework support. The .NET Framework Support Service system service notifies a subscribing client - HP StorageWorks X5000 | NAS Security: Technical Guide to NSA, C2, E3-FC2, and CC - Page 73
three environments defined in this guide. Service Name NLA Network Location Awareness (NLA) Member Server Legacy Client Enterprise Client Default Manual Manual Manual High Security Client Manual The Network Location Awareness (NLA) system service collects and stores network configuration - HP StorageWorks X5000 | NAS Security: Technical Guide to NSA, C2, E3-FC2, and CC - Page 74
in the three environments defined in this guide. Service Name SysmonLog Member Server Default Manual Performance Logs and Alerts Legacy Client Enterprise Client Manual Manual High Security Client Manual The Performance Logs and Alerts system service collects performance data from local or - HP StorageWorks X5000 | NAS Security: Technical Guide to NSA, C2, E3-FC2, and CC - Page 75
guide. Print Spooler Service Name Member Server Legacy Client Enterprise Client High Security Client Default Spooler Automatic Disabled Disabled Disabled Important: The Print Spooler system service must be set to Automatic for HP NAS server systems requiring print server support. The - HP StorageWorks X5000 | NAS Security: Technical Guide to NSA, C2, E3-FC2, and CC - Page 76
in the three environments defined in this guide. Service Name SrvcSurg Member Server Default Not installed Remote Administration Service Legacy Client Enterprise Client Manual Manual High Security Client Manual The Remote Administration Service system service is responsible for running the - HP StorageWorks X5000 | NAS Security: Technical Guide to NSA, C2, E3-FC2, and CC - Page 77
operating system not loading numerous services that are dependent on it. Therefore, this service is configured to Automatic in the three environments defined in this guide. Service Name RpcLocator Remote Procedure Call (RPC) Locator Member Server Legacy Client Enterprise Client Default Manual - HP StorageWorks X5000 | NAS Security: Technical Guide to NSA, C2, E3-FC2, and CC - Page 78
defined in this guide. Remote Storage Server Service Name Member Server Legacy Client Enterprise Client High Security Client Default Remote_Storage Not installed Disabled Disabled Disabled _Server Important: The Remote Storage Server system service must be set to Manual on HP NAS server - HP StorageWorks X5000 | NAS Security: Technical Guide to NSA, C2, E3-FC2, and CC - Page 79
this guide. SAP Agent Service Member Server Legacy Client Enterprise Client High Security Client Name Default nwsapagent Not installed Disabled Disabled Disabled Important: The SAP Agent service must be set to Manual on HP NAS server systems using multi- protocol communication support - HP StorageWorks X5000 | NAS Security: Technical Guide to NSA, C2, E3-FC2, and CC - Page 80
Secondary Logon system service should be set to Automatic on HP NAS server systems having 3rd service is configured to Disabled in the three environments defined in this guide. Service Security Client Automatic Automatic The Server system service provides RPC support, file, print, and named pipe - HP StorageWorks X5000 | NAS Security: Technical Guide to NSA, C2, E3-FC2, and CC - Page 81
Not installed Disabled Disabled Disabled Important: The Simple TCP/IP Services may be set to Automatic on HP NAS server systems requiring the following TCP/IP feature sets. The Simple TCP/IP Services system service supports the following TCP/IP protocols: ● Echo (port 7, RFC 862) ● Discard - HP StorageWorks X5000 | NAS Security: Technical Guide to NSA, C2, E3-FC2, and CC - Page 82
set to Manual. SNMP Service Service Name Member Server Legacy Client Enterprise Client High Security Client Default SNMP Not installed Disabled Disabled Disabled Important: The SNMP Service must be set to Automatic on HP NAS server systems requiring SNMP support. For example, HP Insight - HP StorageWorks X5000 | NAS Security: Technical Guide to NSA, C2, E3-FC2, and CC - Page 83
environments defined in this guide. Service Name LMHosts Member Server Default Automatic TCP/IP NetBIOS Helper Service Legacy Client Enterprise Client Automatic Automatic High Security Client Automatic The TCP/IP NetBIOS Helper Service system service provides support for NetBIOS over the - Page 84
Disabled Disabled Disabled Disabled Important: This service must be set to Manual or Automatic on HP NAS server systems using telnet. The Telnet system service for Windows provides ASCII terminal sessions to Telnet clients. This service supports two types of authentication and four types - Page 85
defined in this guide. Trivial FTP Daemon Service Name Member Server Legacy Client Enterprise Client High Security Client Default tftpd Not installed Disabled Disabled Disabled Important: This service must be set to Automatic on HP NAS server systems requiring TFTP support. The Trivial - Page 86
High Security Client Default VDS Manual Disabled Disabled Disabled Important: This service must be set to Manual on HP NAS server systems requiring VDS support. The Virtual Disk Service (VDS) system service provides a single interface for managing block storage virtualization whether done in - Page 87
in the three environments defined in this guide. Service Name AudioSrv Member Server Default Disabled Windows Audio Legacy Client Enterprise Client High Security Client Disabled Disabled Disabled The Windows Audio system service provides support for sound and related Windows Audio event - Page 88
defined in this guide. Service Name Wmi Windows Management Instrumentation Driver Extensions Member Server Legacy Client Enterprise Client Default Manual Manual Manual High Security Client Manual The Windows Management Instrumentation Driver Extensions system service monitors all drivers - Page 89
Windows Media Services system service must be set to Automatic for HP NAS server systems requiring Windows streaming media services. The Windows Media Services system service provides streaming media services over IP-based networks. This service replaces the four separate services that comprised - Page 90
Disabled Important: The WinHTTP Web Proxy Auto-Discovery Service system service must be set to Manual for HP NAS server systems using and requiring WinHTTP or HTTP WebProxy support. The WinHTTP Web Proxy Auto-Discovery Service system service implements the Web Proxy AutoDiscovery (WPAD) protocol - Page 91
installed Disabled Disabled Disabled Important: The World Wide Web Publishing Service system service must be set to Automatic for HP NAS server systems in which the HP NAS WEB GUI interface is used, HP Insight Manager is used, HP's Array Configuration Utility (ACU) is used, HTTP file shares - Page 92
\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun,4,%NoDriveTypeAutoRun%,3,0|%NoDriveTypeAutoRun0%,255|%NoDriveTypeAutoRun1% MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\WarningLevel,4,%WarningLevel%,3,50|%WarningLevel0%,60|%WarningLevel1%,70|%WarningLevel2%,80 - Page 93
defined within this guide for MSBP. 2.8.6.1 Security Consideration for Network Attacks To help prevent denial of service (DoS) attacks, tend to be of two classes: attacks that use an excessive number of system resources, for example, by opening numerous TCP connections; or attacks that send - Page 94
First (OSPF)-generated routes. Vulnerability: This behavior is expected; the problem is that the 10 minute time-out period for the ICMP redirect- Defined Potential Impact: When Routing and Remote Access Service (RRAS) is configured as an autonomous system boundary router (ASBR), it does not correctly - Page 95
Countermeasure: Configure MSS: Syn attack protection level (protects against DoS) to a value of Connections time out sooner if a SYN attack is detected. The possible values for this Registry value are: • 1 or 0; default is 0 (disabled) In the SCE UI, these options appear as: • Connections time-out - Page 96
• 1 or 0; default is 1 (enabled) In the SCE UI, these options appear as: • Enabled • Disabled • Not Defined Potential Impact: Setting EnablePMTUDiscovery to 1 causes TCP to attempt to discover either the MTU or the largest packet size over the path to a remote host. TCP can eliminate fragmentation - Page 97
DisableIPSourceRouting: IP source routing protection level (protects against packet spoofing) This entry appears as MSS: IP source routing protection level (protects against packet spoofing) in the SCE. IP source routing is a mechanism allowing the sender to determine the IP route that a datagram - Page 98
on the network to impersonate a router. Other computers with IRDP enabled would then attempt to route their traffic through the already compromised system. Countermeasure: Configure MSS: Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) to a value of Disabled. The - Page 99
2003, which supports the IRDP been refused by the system because the available backlog by the system because the available impact on the server or systems attempting to use it sys has been modified to support large numbers of connections in with Windows Server 2003 supports four registry parameters that - Page 100
as a text entry box: • A user defined number • Not Defined Potential Impact: Setting this value to too large a number could cause a large amount of system resources to be assigned to allocating additional free connections that may not actually be needed. This could lead to poor performance or a DoS - Page 101
as a text entry box: • A user defined number • Not Defined Potential Impact: Setting this value to too large a number could cause a large amount of system resources to be assigned to allocating additional free connections that may not actually be needed. This could lead to poor performance or a DoS - Page 102
. The following registry value entry was added to the template file to the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\ Subkey Registry Value Entry NoNameReleaseOnDemand Format DWORD Recommended Value (Decimal) 1 Vulnerability: The NetBIOS over - Page 103
ensure that all applications rely upon Domain Name System (DNS) for name resolution services. While this is a recommended long-term strategy stop generating 8.3 style filenames in the SCE. Windows Server 2003 supports 8.3 file name formats for backward compatibility with 16-bit applications. The - Page 104
normally be difficult to locate. An attacker who has gained access to the file system could access data or execute applications. Countermeasure: Configure MSS: Enable the computer template in the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\ registry key. - Page 105
period in the default setting makes the computer vulnerable to a potential attack from someone walking up to the console to attempt to log onto the system before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period. Countermeasure: Configure MSS: The - Page 106
will generate a warning This entry appears as MSS: Percentage threshold for the security event log at which the system will generate a warning in the SCE. Windows Server 2003 and Service Pack 3 for Windows 2000 include a new feature for generating a security audit in the security event log when the - Page 107
DLLs in the system path first. problems. 2.8.7 Additional Security Settings (Manual guide were applied through Group Policy, there are additional settings that are difficult or impossible to apply with Group Policy. This section describes how some additional countermeasures were implemented manually - Page 108
accounts for specific applications in the enterprise network. This does not include LOCAL SYSTEM, LOCAL SERVICE, or the NETWORK SERVICE accounts that are built-in accounts for the operating system. To manually add the above security groups to the Member Server Baseline Policy, follow the steps - Page 109
configured to rename administrator accounts in the three environments defined in this guide. This setting is a part of the Security Options settings of a GPO. 2.8.7.3 Securing Service Accounts Never configure a service to run under the security context of a domain account unless absolutely necessary - Page 110
For Windows 2003 Server-based systems, apply the following security templates locally to configure the default file system ACLs for workstations, servers, on Terminal Services sessions using a packet analyzer. Some older versions of the Terminal Services client do not support this high - Page 111
maximum key strength supported by the guide recommends disabling Report Errors. 2.9 Hardening File Servers There are some challenges to further hardening file servers, since the most essential services they provide are the ones that require the Microsoft® Windows® Network Basic Input/Output System - Page 112
System Non-Operating System Non-Operating System service accounts service accounts service accounts Important: For all HP NAS server systems access to IIS is by default a member of the Guests group. This guide recommends removing the Guests group from the Incremental IIS Group Policy to ensure - Page 113
servers in the three environments defined in this guide are configured via the MSBP. For more information Service Pack 6a or later; this is not supported in Windows 98 Second Edition clients (unless they have the dsclient installed). This setting must be set to Disabled for HP NAS server systems - Page 114
guide only contain systems running Windows 2000 or later, which support signing digital communications. Therefore, to increase communications security between systems (i.e. Server for NFS, Services for UNIX, Services for NetWare, etc.) have packet signing support. The Microsoft network server: - Page 115
setting is configured to None in the three environments defined in this guide. Network security: Do not store LAN Manager hash value on next this setting is set. This setting must be set to Disabled for HP NAS server systems within multi-protocol network environments involving NFS, AFTP, or NCP. - Page 116
Microsoft Win32® subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Since Windows is case insensitive this setting is set to Enabled in the three environments defined in this guide. - Page 117
support applications within the network. The default value for this setting in Windows Server 2003 is POSIX. In order to disable the POSIX subsystem, this setting is configured to None in the three environments defined in this guide HP NAS server systems. The Automatic Updates system service - Page 118
in this guide, disable this service. COM+ System Application Service Name Member Server Legacy Client Enterprise Client High Security Client Default EventSystem Manual Disabled Disabled Disabled Important: COM+ System Application should be set to Manual for HP NAS server systems that have - Page 119
defined in this guide. Help and Support Service Name Member Server Legacy Client Enterprise Client High Security Client Default helpsvc Automatic Disabled Disabled Disabled Important: Help and Support should be set to Automatic within HP NAS server systems only if Administrators - Page 120
Server Monitor may be set to Manual or Automatic on HP NAS server systems that have 3rd party applications requiring watchdog timer hardware management support. The Remote Server Monitor system service provides monitoring of critical system resources and manages optional watchdog timer hardware - Page 121
in this guide. SAP Agent Service Name Member Server Legacy Client Enterprise Client High Security Client Default nwsapagent Not installed Disabled Disabled Disabled Important: The SAP Agent service must be set to Manual on HP NAS server systems using multi-protocol communication support - Page 122
in this guide. SNMP Service Service Name Member Server Legacy Client Enterprise Client High Security Client Default SNMP Not installed Disabled Disabled Disabled Important: The SNMP Service must be set to Automatic on HP NAS server systems requiring SNMP support. For example, HP Insight - Page 123
Disabled Disabled Disabled Disabled Important: This service must be set to Manual or Automatic on HP NAS server systems using telnet. The Telnet system service for Windows provides ASCII terminal sessions to Telnet clients. This service supports two types of authentication and four types - Page 124
High Security Client Default VDS Manual Disabled Disabled Disabled Important: This service must be set to Manual on HP NAS server systems requiring VDS support. The Virtual Disk Service (VDS) system service provides a single interface for managing block storage virtualization whether done in - Page 125
System Resource Manager (WSRM) system service must be set to Automatic for HP NAS server systems that are used to deploy applications. The Windows System Resource Manager (WSRM) system service should be performed manually on all file servers SCE. Windows Server 2003 supports 8.3 file name formats - Page 126
defined in this guide. This setting is a part of the Security Options settings in Group Policy. Never configure a service to run under the environment defined in this guide. Important: For Legacy Client and Enterprise Client environments, HP does not recommend blocking ports with IPSec filters - Page 127
All of the rules listed in the table above should be mirrored when they are implemented. This ensures that any network traffic coming into the server will also be allowed to return to the originating server. The table above represents the base ports that should be opened for the server to perform - Page 128
need to go to their specific HP NAS Windows Storage Server 2003 model for the latest software and drivers for their NAS server system. 2.9.7.2 HP Integrated Lights-Out (iLO) Accounts HP Integrated Lights-Out (iLO) is integrated into every HP NAS server system. iLO consists of an intelligent - Page 129
HP StorageWorks Secure Path Account HP StorageWorks Secure Path is a high availability multi-pathing software product providing continuous data access from HP's RAID Array to host servers running the Windows Server 2003, Windows StorageServer 2003, Windows 2000, Windows Powered Operating System - Page 130
problems before those problems result in costly downtime. HP Insight Manager also introduces powerful new functionality for system services they provide are the ones that require the Microsoft® Windows® Network Basic Input/Output System environments defined in this guide are configured via the MSBP - Page 131
this guide. Print Spooler Service Name Member Server Legacy Client Enterprise Client High Security Client Default Spooler Automatic Automatic Automatic Automatic Important: The Print Spooler system service must be set to Automatic for HP NAS server systems requiring print server support - Page 132
guide. TCP/IP Print Server Service Name Member Server Legacy Client Enterprise Client High Security Client Default LPDSVC Not installed Disabled Disabled Disabled Important: This service must be set to Automatic on HP NAS server systems and should be performed manually on all print servers - Page 133
in this guide. This setting is a part of the Security Options settings in Group Policy. Never configure a service to run the High Security environment defined in this guide. Important: For Legacy Client and Enterprise Client environments, HP does not recommend blocking ports with IPSec filters - Page 134
have been effectively closed, Terminal Services has been enabled. This will support other applications. Included with Microsoft's "Windows Server 2003 Security Guide: Patterns and Practices" security guide HP NAS Specific Security Settings The hardening of specific HP NAS accounts and applications - Page 135
HP NAS Windows Storage Server 2003 model for the latest software and drivers for their NAS server system services can be enabled through the Web Service Extensions node in Internet Information Services servers in the three environments defined in this guide are configured via the MSBP. For more - Page 136
System Non-Operating System Non-Operating System service accounts service accounts service accounts Important: For all HP NAS server systems access to IIS is by default a member of the Guests group. This guide recommends removing the Guests group from the Incremental IIS Group Policy to ensure - Page 137
: The .NET Framework Support Service may need to be set to Manual or Automatic within an HP NAS server environment depending upon whether there are any 3rd party applications that require the .NET Framework support. The .NET Framework Support Service system service notifies a subscribing client - Page 138
Disabled Important: The WinHTTP Web Proxy Auto-Discovery Service system service must be set to Manual for HP NAS server systems using and requiring WinHTTP or HTTP WebProxy support. The WinHTTP Web Proxy Auto-Discovery Service system service implements the Web Proxy AutoDiscovery (WPAD) protocol - Page 139
disabling the service. For these reasons, the World Wide Web Publishing Service setting is configured to Automatic for IIS servers in all three environments defined in this guide. 2.11.6 account. These steps cannot be completed via Group Policy and should be performed manually on all IIS servers. - Page 140
the Control Panel. After installing IIS, all necessary IIS components and services required by Web sites and applications must be enabled. Important: Various IIS components are already installed and configured within the HP NAS server systems. Removal of the default IIS components in the NAS server - Page 141
to reduce the attack surface of IIS servers as much as possible, only necessary Web service extensions should be enabled on IIS servers in the three environments defined in this guide. Enabling only the Web Service Extensions required by the Web sites and applications running on IIS servers on the - Page 142
, where is the drive on which the Windows Server 2003 operating system is installed. Place all files and folders that make up Web sites and applications defined in this guide. Placing these files and folders on a dedicated disk volume that does not contain the operating system on an IIS - Page 143
user who has no authenticated credentials accesses system resources. Anonymous accounts include the built-in IIS servers in the three environments defined in this guide. Web site permissions can be used in conjunction Web site permissions supported by IIS 6.0, and provides a brief description explaining when to - Page 144
environments defined in this guide. Separate logs can be To improve server performance, logs should be stored on a non-system striped or striped/mirrored disk volume. Furthermore, logs can be for administrators to set up centralized log file storage and backup. However, writing the log file over - Page 145
or log file is deleted. 2.11.6.7 Manually Adding Unique Security Groups to User Rights the security templates that accompany this guide. However, there are a few System Operating System Operating System service accounts service accounts service accounts Important: For all HP NAS server systems - Page 146
defined in this guide. This setting is a part of the Security Options settings in Group Policy. Never configure a service to run under the environment defined in this guide. Important: For Legacy Client and Enterprise Client environments, HP does not recommend blocking ports with IPSec filters - Page 147
ports, therefore disallowing remote procedure call (RPC) traffic. This can make management of the server difficult. Because so many ports have been effectively closed, Terminal Services has been enabled. This will allow administrators to perform remote administration. - Page 148
to be added to support other applications. Included with Microsoft's "Windows Server 2003 Security Guide: Patterns and Practices" security guide is a .cmd file go to their specific HP NAS Windows Storage Server 2003 model for the latest software and drivers for their NAS server system. 3 C2 / - Page 149
Security Client Remove Floppy and DVD-ROM It is recommended that the floppy and DVD-ROM drives remain installed within all HP NAS server systems in Legacy Client and Enterprise Client environments. However, both devices should be removed within High Security Client environments to prevent rogue - Page 150
may constrain the performance of the NAS and other server systems. However, CC security recommends modifying this setting to Success Failure defined in this guide has unique recommendations for these settings. Failed use of a user right is an indicator of a general network problem and often can - Page 151
this guide. Note: Changes to the configuration of this security option setting will not take effect until Windows Storage Server access to domain controllers. This setting must be set to Disabled for HP NAS server systems within multi-protocol network environments involving NFS, AFTP, or NCP. - Page 152
to ignore all unsigned SMB communications, legacy applications and operating systems will be unable to connect. Completely disabling all SMB the following Recovery Console environment variables: • AllowWildCards: Enables wildcard support for some commands (such as the DEL command) • AllowAllPaths - Page 153
compliancy, this value is set to Enabled. Audit: Shut down system immediately if unable to log security audits Member Server Default Legacy Client have not been certified to run on Windows Server 2003. One potential problem with configuring this setting to the Warn but allow installation value is - Page 154
support for OS/2 and POSIX subsystem support. For CC compliancy, all subsystem support should be removed. Disable Devices Key Path: HKLM\SYSTEM\CurrentControlSet\Services halt if the aforementioned devices are disabled. HP does not recommend Administrators disable any devices listed above. - Page 155
This key prevents unauthorized access to the HP NAS server system by disabling all null session access over mouse input messages from interfering with the session lock. Generate An Audit Event When The Audit Log Reaches a Percent Full Threshold Key Path: HKLM\SYSTEM\CurrentControlSet\Services - Page 156
defined: The AD's LDAP agent always supports LDAP client requests for LDAP traffic signing when HP NAS server systems. All E3/F-C2 system modifications within this document are based upon the Information Technology Evaluation Manual instructions listed within Chapter 3, "C2/CC Security Compliancy".
HP NAS Security: A technical guide to NSA, C2, E3-FC2, and CC Security Compliancy
1 Introduction ..... 3
  1.1 NSA Security Compliancy Overview ..... 3
  1.2 C2/CC Security Compliancy Overview ..... 4
  1.3 E3/F-C2 Security Compliancy Overview ..... 4
2 NSA Security Compliancy ..... 4
  2.1 Domain Model Design: Windows NT 4.0, Windows 2000, and Windows 2003 ..... 5
  2.2 Time Synchronization ..... 6
  2.3 Organizational Unit (OU) and Group Policy Objects (GPOs) Design ..... 7
  2.4 Domain Level: Hardening the Domain Infrastructure Password Policy ..... 9
  2.5 Domain Level: Hardening the Domain Infrastructure Account Lockout Policy ..... 13
  2.6 Domain Level: Hardening the Domain Infrastructure Kerberos Policy ..... 15
  2.7 Domain Level: Hardening the Domain Infrastructure Security Options ..... 15
  2.8 Baseline Level ..... 17
    2.8.1 Audit Policy ..... 17
    2.8.2 User Rights Assignments ..... 27
    2.8.3 Security Options ..... 37
    2.8.4 Event Log ..... 55
    2.8.5 System Services ..... 58
    2.8.6 Additional Security Settings ..... 91
    2.8.7 Additional Security Settings (Manual Hardening Procedures) ..... 107
  2.9 Hardening File Servers ..... 111
    2.9.1 Audit Policy Settings ..... 112
    2.9.2 User Rights Assignments ..... 112
    2.9.3 Security Options ..... 113
    2.9.4 Event Log Settings ..... 117
    2.9.5 System Services ..... 117
    2.9.6 Additional Security Settings ..... 125
    2.9.7 HP NAS Specific Security Settings ..... 128
  2.10 Hardening Print Servers ..... 130
    2.10.1 Audit Policy Settings ..... 130
    2.10.2 User Rights Assignments ..... 130
    2.10.3 Security Options ..... 131
    2.10.4 Event Log Settings ..... 131
    2.10.5 System Services ..... 131