Top 10 Windows Security Configurations: Where and How! (Part 1)

If you would like to read the other parts in this article series please go to

Introduction

There are always top 10 lists that grab your attention, and this one should be no different. Windows provides many settings, options, and areas of configuration. In reality, this might be a Top 100 list, but there is only room for 10. This list comes from years of educating and asking myself questions like, “What do administrators do and not do when it comes to security?” It covers the places where administrators tend not to look when they set up security. It also includes a few settings that are not all that well known, but certainly have huge rewards for securing your Windows environment. I have tried to include references to other articles that go deeper into the topic, in case you want to read more about the security setting being suggested.

1. Service Account Restricting Workstation Logon

Since service accounts are designed to support services running on only a limited number of computers, it makes sense to limit where the service account can log on. This reduces the overall attack surface and, if the service account itself is used in an attack, confines that attack to the computers where the account is allowed to log on.

The setting that restricts the workstations where the service account can log on is located where the user is configured, which is Active Directory Users and Computers. When you find the service account, right-click on it and select Properties. Then go to the Account tab. From there, select the Log On To button, which will display the Logon Workstations dialog box, shown in Figure 1.


Figure 1: This configuration allows the administrator to restrict where the service account can log on

For more info on service accounts, follow this link.
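The Log On To list is stored on the account as the `userWorkstations` attribute, which the ActiveDirectory PowerShell module exposes as `LogonWorkstations`. The following is an added example, not part of the original article, that audits service accounts against an expected host list and flags accounts that can still log on anywhere; the `svc-` naming convention, account names, host names and baseline map are constructed assumptions.

```powershell
# Added example: audit the "Log On To" restriction on service accounts.
# Input objects need SamAccountName and LogonWorkstations, the shape returned by
#   Get-ADUser -Filter "SamAccountName -like 'svc-*'" -Properties LogonWorkstations
# The "svc-" naming convention and every name below are constructed assumptions.

function Test-ServiceAccountLogonScope {
    param(
        [Parameter(Mandatory)] [object[]]  $Account,
        [Parameter(Mandatory)] [hashtable] $Expected   # account name -> allowed hosts
    )
    foreach ($a in $Account) {
        # LogonWorkstations is a comma-separated string; empty means "all computers".
        $actual = @()
        if ($a.LogonWorkstations) {
            $actual = @($a.LogonWorkstations -split ',' |
                ForEach-Object { $_.Trim().ToUpper() } | Where-Object { $_ })
        }
        $want = @()
        if ($Expected.ContainsKey($a.SamAccountName)) {
            $want = @(@($Expected[$a.SamAccountName]) | ForEach-Object { $_.ToUpper() })
        }
        if     ($actual.Count -eq 0)          { $status = 'Unrestricted' }
        elseif ($want.Count -eq 0)            { $status = 'NoBaseline' }
        elseif (Compare-Object $want $actual) { $status = 'Drift' }
        else                                  { $status = 'OK' }

        [pscustomobject]@{
            Account = $a.SamAccountName
            Status  = $status
            LogOnTo = $actual -join ','
        }
    }
}

# Constructed sample data standing in for Get-ADUser output.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc-sql';    LogonWorkstations = 'SQL01,SQL02' }
    [pscustomobject]@{ SamAccountName = 'svc-backup'; LogonWorkstations = $null }
    [pscustomobject]@{ SamAccountName = 'svc-web';    LogonWorkstations = 'WEB01,FILE07' }
)
$expected = @{ 'svc-sql' = 'SQL01', 'SQL02'; 'svc-backup' = 'BKP01'; 'svc-web' = 'WEB01' }
Test-ServiceAccountLogonScope -Account $sample -Expected $expected | Format-Table -AutoSize

# To apply the baseline to a live account (ActiveDirectory module):
#   Set-ADUser -Identity 'svc-backup' -LogonWorkstations 'BKP01'
```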

2. Administrator Can Not Access Computer from Network

This depends on the way you have been taught to use the Administrator account. If you were taught by me or another security professional, you should know not to use this account unless you are performing a disaster recovery. In that instance, you will be logging on at the box itself to perform the recovery, not over the network. If you can log on over the network, you should be using your own admin account. One security option is to limit the Administrator account so that it can log on only locally, not over the network.

This setting is in a GPO, and of course, all GPO linking and application rules apply. Edit the GPO linked to the appropriate organizational unit, then open the GPO to the following path: Computer Configuration|Windows Settings|Security Settings|Local Policies|User Rights Assignment|Deny access to this computer from the network, which can be seen in Figure 2.


Figure 2: You can limit the Administrator account to only have the ability to log on locally to your servers

For more information on this topic take a look at this article on www.WindowSecurity.com.
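Internally this user right is named `SeDenyNetworkLogonRight`, and `secedit /export` writes it to the `[Privilege Rights]` section of an INF file. The following is an added example, not part of the original article, that parses such an export and reports whether the built-in Administrator is covered; the INF text and SID are constructed, and the `Administrator` default name assumes the account has not been renamed.

```powershell
# Added example: check a `secedit /export /cfg rights.inf /areas USER_RIGHTS`
# export for "Deny access to this computer from the network"
# (SeDenyNetworkLogonRight). The INF text and SID below are constructed.

function Get-UserRightAssignment {
    param([string[]] $InfLine, [string] $Right)
    $inSection = $false
    foreach ($line in $InfLine) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $t -match '^(\w+)\s*=\s*(.*)$' -and $Matches[1] -eq $Right) {
            return @($Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    return @()
}

function Test-AdminDeniedNetworkLogon {
    param([string[]] $InfLine, [string] $AdminName = 'Administrator')
    $denied = @(Get-UserRightAssignment -InfLine $InfLine -Right 'SeDenyNetworkLogonRight')
    # RID 500 is the built-in Administrator. S-1-5-113 and S-1-5-114 are the
    # well-known "Local account" and "Local account and member of Administrators
    # group" SIDs, which also cover it. Unresolved SIDs are exported with a "*".
    $pattern = '^(\*S-1-5-21-[\d-]+-500|\*S-1-5-11[34]|' + [regex]::Escape($AdminName) + ')$'
    return [bool]($denied -match $pattern)
}

$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyNetworkLogonRight = *S-1-5-32-546,*S-1-5-21-1111111111-2222222222-3333333333-500
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

# Same export with the Administrator entry removed, to show the failing case.
$weakInf = $sampleInf -replace ',\*S-1-5-21-[\d-]+-500$', ''

Test-AdminDeniedNetworkLogon -InfLine $sampleInf
Test-AdminDeniedNetworkLogon -InfLine $weakInf

# Live use:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   Test-AdminDeniedNetworkLogon -InfLine (Get-Content "$env:TEMP\rights.inf")
```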

3. Ensure Membership in Local Administrators Group

When you provide a user the ability to have administrative control over a server or their desktop, strange things might happen. For the most part, these are usually internet security risks. The solution? Remove the Domain Admins and local Administrator from the local Administrators group.

To ensure that both of the accounts have membership in the local Administrators group, on every server and desktop, you can use Group Policy. You will need to access the Group Policy Preferences and open the Group Policy Object to the following node: Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups\New\Local Group, which is shown in Figure 3.


Figure 3: Ensure membership in the local Administrators group is secure

For more info on this topic, check the following link out.

4. Reset Local Administrator Password

For a while now my favorite question has been: “When was the last time you reset the local Administrator password on every desktop?” Every time, I seem to get the same answers: “during installation”, “three years ago”, “never”, which are all unacceptable! This is a key configuration and one that should be addressed on a monthly to quarterly basis. If you never reset the local Administrator password, you give worms, viruses, and attackers that much time against your local computers. With Group Policy Preferences this has become increasingly easy!

To configure this setting you will need to expand a Group Policy Object that understands Group Policy Preferences.

Note:
Like the previous setting, this must be done on a computer running Windows Server 2008 or Vista SP1, but is backwards compatible to Windows XP SP2 and Windows Server 2003 SP1. Follow this link for more info on this topic.

Open the GPO in the editor to Configuration\Preferences\Control Panel Settings\Local Users and Groups\New\Local User, as seen in Figure 4.


Figure 4: You can reset the local Administrator password on each desktop from a single GPO

For more information on this topic, click here.
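To confirm on a given computer that the two Group Policy Preferences items from sections 3 and 4 took effect, you can check the group membership and the password age directly. The following is an added example, not part of the original article; its input mirrors the output of `Get-LocalGroupMember` and `Get-LocalUser`, the 90-day limit is an assumption taken from the "monthly to quarterly" advice, and all names, SIDs and dates are constructed.

```powershell
# Added example: per-computer check for the Local Group and Local User
# preference items. All names, SIDs and dates below are constructed.

function Test-LocalAdminBaseline {
    param(
        [object[]] $GroupMember,              # members of the local Administrators group
        [object[]] $LocalUser,                # local accounts on the computer
        [int]      $MaxPasswordAgeDays = 90,  # assumption: "quarterly" upper bound
        [datetime] $Now = (Get-Date)
    )
    $sids = @($GroupMember | ForEach-Object { "$($_.SID)" })
    # RID 500 = built-in Administrator, RID 512 = Domain Admins.
    $builtin = $LocalUser |
        Where-Object { "$($_.SID)" -match '^S-1-5-21-[\d-]+-500$' } |
        Select-Object -First 1
    $age = $null
    if ($builtin -and $builtin.PasswordLastSet) {
        $age = [int][math]::Floor(($Now - $builtin.PasswordLastSet).TotalDays)
    }
    [pscustomobject]@{
        DomainAdminsIsMember = [bool]($sids -match '^S-1-5-21-[\d-]+-512$')
        BuiltinAdminIsMember = [bool]($sids -match '^S-1-5-21-[\d-]+-500$')
        AdminPasswordAgeDays = $age
        PasswordWithinLimit  = ($null -ne $age -and $age -le $MaxPasswordAgeDays)
    }
}

# Constructed sample: Domain Admins is missing from the group, password is stale.
$members = @(
    [pscustomobject]@{ Name = 'PC042\Administrator'
                       SID  = 'S-1-5-21-1111111111-2222222222-3333333333-500' }
    [pscustomobject]@{ Name = 'EXAMPLE\jsmith'
                       SID  = 'S-1-5-21-4444444444-5555555555-6666666666-1104' }
)
$users = @(
    [pscustomobject]@{ SID             = 'S-1-5-21-1111111111-2222222222-3333333333-500'
                       PasswordLastSet = [datetime]'2009-01-15' }
)
Test-LocalAdminBaseline -GroupMember $members -LocalUser $users -Now ([datetime]'2010-03-01')

# Live use on one computer (Windows PowerShell 5.1 or later):
#   Test-LocalAdminBaseline -GroupMember (Get-LocalGroupMember -Group Administrators) `
#                           -LocalUser (Get-LocalUser)
```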

5. Enable UAC for Administrators

I know, I know… you do not like UAC. However, you owe it to your company to not only install Vista/7, but to enable UAC at the most secure level. There is of course no time to go into the nitty gritty details here, but trust me, UAC is awesome for administrators.

To configure this setting you will need to get into a Group Policy Object in edit mode. From there, you will open up the following node: Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options. The two settings are User Account Control: Admin Approval Mode for the Built-in Administrator account AND User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode, shown in Figure 5.


Figure 5: UAC has two settings that control how administrators will use the feature

If you would like more information on the topic, take a look at this article.
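On the client, these two policies are stored as the `FilterAdministratorToken` and `ConsentPromptBehaviorAdmin` registry values under `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`. The following is an added example, not part of the original article, that evaluates them; the pass criteria (built-in Administrator in Admin Approval Mode, prompt on the secure desktop) are this example's assumed baseline, and the sample values are constructed.

```powershell
# Added example: evaluate the two UAC policies from their registry values.
# Pass criteria are an assumed baseline; sample values are constructed.

function Test-UacAdminPolicy {
    param([Parameter(Mandatory)] $Value)   # hashtable or Get-ItemProperty output
    $meaning = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries'
    }
    $filter = $Value.FilterAdministratorToken
    $prompt = $Value.ConsentPromptBehaviorAdmin

    if     ($null -eq $filter) { $filterText = 'Not configured' }
    elseif ($filter -eq 1)     { $filterText = 'Enabled' }
    else                       { $filterText = 'Disabled' }

    if     ($null -eq $prompt)                   { $promptText = 'Not configured' }
    elseif ($meaning.ContainsKey([int]$prompt))  { $promptText = $meaning[[int]$prompt] }
    else                                         { $promptText = "Unknown value $prompt" }

    [pscustomobject]@{
        Policy    = 'Admin Approval Mode for the Built-in Administrator account'
        Setting   = $filterText
        Compliant = ($filter -eq 1)
    }
    [pscustomobject]@{
        Policy    = 'Behavior of the elevation prompt for administrators'
        Setting   = $promptText
        Compliant = ($prompt -in 1, 2)   # only the secure-desktop prompts pass
    }
}

$hardened = @{ FilterAdministratorToken = 1; ConsentPromptBehaviorAdmin = 2 }
$weak     = @{ FilterAdministratorToken = 0; ConsentPromptBehaviorAdmin = 0 }
Test-UacAdminPolicy -Value $hardened | Format-Table -AutoSize
Test-UacAdminPolicy -Value $weak     | Format-Table -AutoSize

# Live use:
#   $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
#   Test-UacAdminPolicy -Value (Get-ItemProperty $key)
```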

Summary

Even though many in the IT industry like to slam Microsoft for not being secure, it can be secured if the administrators take the time to do so. This article tackles some of the most under-configured and hard to reach (and understand) security settings within Windows. Each security setting adds that much more security to your Windows environment. Here, we tackled settings related to the service accounts running on key servers, as well as the local Administrators group and local Administrator account on every desktop and server in the organization. That is powerful configuration! In the next installment, we will tackle more security settings that are a must for configuration to help protect your Windows environment to the level that it deserves and you owe to your company!

 
