Security Self-Help Tool Program Summary
This document is also available for download as a Microsoft Word file.
Purpose
To provide a way to automate the “hardening” of computer systems by applying security settings and configuration changes.
Intended Uses
- By end users who want to make sure that their computers are configured properly for Stanford’s infrastructure.
- By schools and departments that want to use the tool to configure new computers before they connect to Stanford’s infrastructure.
- By students who bring laptops that will connect to Stanford’s network.
- By other universities that want to establish their own set of security standards.
- By ITSS consultants to quickly apply security settings to their clients’ computers to ensure consistency of configuration settings.
Requirements
Windows 2000 or Windows XP (Pro or Home).
Where We Are
Final Release 2.0 is available for download on the Essential Stanford Software web site.
Features
Self-updating
The core application (program logic, user authentication, report generation, local site selection, configuration and support file maintenance, and screen rendering) will auto update if a newer version is available on the network.
“RunAs” built in
Since the change functions require administrator access, the program will allow the user to authenticate as an administrator if the program is started by a user who is not in the Administrators group. If the user provides a valid administrator ID and password, the program will re-launch itself in the security context of that administrator account.
All functionality is provided by external DLLs
All tests and settings changes are performed by external DLLs that the core program loads. This allows the list of tests and changes to be updated without requiring a core program upgrade.
Support files are updated at program load time
If a network connection exists, the program will update all support files at load time. Those support files are:
- Program bitmaps
- Configuration files (site-wide and local group)
- HTML report template
- Registry settings files (site-wide and local group)
- Support DLLs (site-wide and local group)
Local group configuration
Groups within Stanford can define and implement their own settings that the program will apply for their users. Settings are applied in the following order:
- Site-wide settings
- Local settings
Undo wizard
Settings that have been changed by the program can be undone by running the program’s Undo Wizard. This helps with troubleshooting problems that may have resulted from a settings change.
Password strength check
The program will allow users to test the strength of the passwords that they have assigned to user accounts by running the Secure Password Test. The test will attempt to log on as the selected account or accounts by trying:
- A list of either 900 or 3,000 commonly used passwords
- The user’s SUNet ID (uppercase, lowercase, mixed case, forward and backward)
- The user’s Windows short name (uppercase, lowercase, mixed case, forward and backward)
- The user’s Windows long name (uppercase, lowercase, mixed case, forward and backward)
- The PC NetBIOS name (uppercase, lowercase, mixed case, forward and backward)
- The PC DNS host name (uppercase, lowercase, mixed case, forward and backward)
- The PC workgroup name (uppercase, lowercase, mixed case, forward and backward)
- The names of any shares that are found (uppercase, lowercase, mixed case, forward and backward)
High-risk services
The program displays a list of active (non-disabled) high risk and medium risk services, and allows the user to selectively disable those high risk services.
Blank admin password
If the program discovers any administrator accounts that have not been assigned a password, it will allow the user to assign a password to those accounts. This can be used to assign a password to administrator accounts on XP Home Edition computers without requiring a reboot into Safe Mode.
The password that is entered will be checked against all of the passwords that are used in the password strength test and the dictionary (if Word is installed). If a match is found, the user is asked to try another password.
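As an added example (not code from the Stanford tool), the following Python builds the guess list the Secure Password Test works through and reuses it for the blank-admin-password check just described: the common-password list is taken verbatim, and each user or machine name is tried in upper, lower and mixed case, forward and backward. The sample names, the short common-password list, the `try_logon` stand-in and the reading of “mixed case” as an initial capital on each word are all constructed assumptions; the real tool attempts an actual Windows logon for each guess.

```python
"""Guess-list generation for the Secure Password Test (added example, not the
tool's own code).  Name-derived guesses follow the page: upper, lower and
mixed case, forward and backward.  "Mixed case" is read here as an initial
capital on each word (assumption; the page does not define it)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Set

# Constructed stand-in for the tool's 900- or 3,000-entry common-password list.
COMMON_PASSWORDS = ["password", "123456", "letmein", "stanford", "admin", "qwerty"]


@dataclass
class Target:
    """The names the page says are tried, for one PC and one user."""
    sunet_id: str
    windows_short_name: str
    windows_long_name: str
    netbios_name: str
    dns_host_name: str
    workgroup: str
    shares: List[str] = field(default_factory=list)

    def names(self) -> List[str]:
        return [self.sunet_id, self.windows_short_name, self.windows_long_name,
                self.netbios_name, self.dns_host_name, self.workgroup, *self.shares]


def _mixed_case(s: str) -> str:
    return " ".join(w[:1].upper() + w[1:].lower() for w in s.split(" "))


def name_variants(name: str) -> Set[str]:
    """Upper, lower and mixed case of the name, forward and backward."""
    if not name:
        return set()
    out: Set[str] = set()
    for s in (name, name[::-1]):
        out.update((s.upper(), s.lower(), _mixed_case(s)))
    return out


def candidate_passwords(target: Target, common: Iterable[str] = COMMON_PASSWORDS,
                        dictionary: Iterable[str] = ()) -> Set[str]:
    """Common list and optional dictionary words are used verbatim; only the
    names get case/reversal variants.  Windows passwords are case-sensitive,
    so no case folding is applied when comparing."""
    cands = set(common) | set(dictionary)
    for n in target.names():
        cands |= name_variants(n)
    return cands


def is_weak(password: str, target: Target, **kw) -> bool:
    """The blank-admin-password check: reject a new password the test would guess."""
    return password in candidate_passwords(target, **kw)


def secure_password_test(target: Target, accounts: Iterable[str],
                         try_logon: Callable[[str, str], bool]) -> Dict[str, str]:
    """Try every guess against every selected account; return the guess that
    worked for each account that fell.  try_logon stands in for a real logon
    attempt (LogonUser on Windows); a constructed one is used below."""
    guesses = sorted(candidate_passwords(target))
    cracked: Dict[str, str] = {}
    for acct in accounts:
        for g in guesses:
            if try_logon(acct, g):
                cracked[acct] = g
                break
    return cracked


# Constructed sample PC/user and a fake credential store behind try_logon.
SAMPLE_TARGET = Target("jsmith", "jsmith", "Jane Smith", "JSMITH-PC",
                       "jsmith-pc.stanford.edu", "WORKGROUP", ["Public"])
SAMPLE_ACCOUNTS = {"Administrator": "htimsj",      # SUNet ID, lowercase, backward
                   "jsmith": "JSMITH-PC",           # NetBIOS name, uppercase
                   "backup": "Tr0ub4dor&3"}        # not derivable from any name


def sample_try_logon(account: str, password: str) -> bool:
    return SAMPLE_ACCOUNTS.get(account) == password


if __name__ == "__main__":
    for acct, guess in secure_password_test(SAMPLE_TARGET, SAMPLE_ACCOUNTS, sample_try_logon).items():
        print(f"{acct}: guessed with {guess!r}")
```

Note that only the names are expanded into variants; a capitalised common password such as “Password” is not in the guess list unless it appears in the list itself, which matches the page’s description of the test.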
Batch mode
The program can be run in batch mode which will not display the UI to the user. Batch mode will run all of the tests, and apply all settings changes that have been defined as “Just Do It” items. This mode could be useful to maintain and/or apply changes in a domain by way of a logon script, or by a program like BigFix.
Does not require Stanford’s infrastructure
By changing configuration files and bitmaps, the program can be altered to be used at other universities.
Current List of Tests
| Test | View | Allow Change | Serious | “Just Do It” | Undo |
|---|---|---|---|---|---|
| No Administrator passwords are blank | Normal | X | X | ||
| Logged-in user is not an administrator | Normal | ||||
| The Guest account is disabled | Normal | ||||
| The Guest account name is not “Guest” | Normal | X | X | X | |
| DCOM is disabled | Normal | X | X | X | X |
| Symantec AntiVirus (SAV) is installed | Normal | X | |||
| SAV LiveUpdate is enabled | Normal | X | X | X | X |
| Internet Explorer is at version 6.0 or higher | Normal | ||||
| PC-Leland is installed and at the current version | Normal | ||||
| BigFix is Installed | Normal | X | X | X | |

| Test | View | Allow Change | Serious | “Just Do It” | Undo |
|---|---|---|---|---|---|
| Restrict Anonymous (set to at least 1) | Advanced | X | X | X | |
| XP Fast User Switching is disabled | Advanced | X | |||
| Simple File Sharing is disabled | Advanced | X | |||
| All local drives are NTFS | Advanced | ||||
| Computer is joined to a domain | Advanced | ||||
| There are no active High Risk Services (see list of services below) | Advanced | X | X | X | X |
| Auto Logon is disabled | Advanced | X | |||
| Windows Automatic Update is enabled | Advanced | X | X | X | X |
| IIS Admin is not running | Advanced | ||||
| Outlook is in the Restricted Zone | Advanced | X | X | ||
| XP Firewall is enabled * | Advanced | ||||
| Registry Settings are enforced (see below) | Advanced | X | X | X | |
* This item does contain a change function that will enable the firewall and open any ports that need to be opened (BigFix, S/Ident, etc.), but that functionality is not being implemented in the site-wide file. Since there may be many applications that require that certain ports be opened, it made more sense to allow this to be a locally controlled item.
| Item | View | Allow Change | Serious | “Just Do It” | Undo |
|---|---|---|---|---|---|
| No local File Shares | Local | X | X | ||
| No Persistent Drives Mapped to Network Resources | Local | X | X | | |
High Risk Services
Windows 2000
- Alerter
- ClipBook
- Internet Connection Sharing
- Messenger
- NetMeeting Remote Desktop Sharing
- Network DDE
- Network DDE DSDM
- Remote Registry Service
- Routing and Remote Access
- Telnet
- HP Web Jetadmin
Windows XP
- Alerter
- ClipBook
- Messenger
- NetMeeting Remote Desktop Sharing
- Network DDE
- Network DDE DSDM
- Remote Registry
- Routing and Remote Access
- SSDP Discovery Service
- Telnet
- Universal Plug and Play Device Host
- HP Web Jetadmin
Registry Settings:
The following registry settings will be enforced by the Registry Settings security item. Each entry in the settings file is a Key=, Item=, Value_Change= triple:

| Key | Item | Value_Change |
|---|---|---|
| HKLM\Software\Microsoft\DrWatson | CreateCrashDump | 0 |
| HKLM\Software\Microsoft\Windows NT\CurrentVersion\AEDebug | Auto | 0 |
| HKLM\System\CurrentControlSet\Services\Tcpip\Parameters | DisableIPSourceRouting | 2 |
| HKLM\System\CurrentControlSet\Services\Tcpip\Parameters | EnableDeadGWDetect | 0 |
| HKLM\System\CurrentControlSet\Services\Tcpip\Parameters | EnablePMTUDiscovery | 1 |
| HKLM\System\CurrentControlSet\Services\Netbt\Parameters | NoNameReleaseOnDemand | 1 |
| HKLM\System\CurrentControlSet\Services\Tcpip\Parameters | SynAttackProtect | 2 |
| HKLM\System\CurrentControlSet\Services\Tcpip\Parameters | TcpMaxHalfOpen | 100 |
| HKLM\System\CurrentControlSet\Services\Tcpip\Parameters | TcpMaxHalfOpenRetired | 80 |
| HKLM\SYSTEM\CurrentControlSet\Control | SafeDllSearchMode | 1 |
| HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4} | Compatibility Flags | 1024 |
| HKLM\SYSTEM\CurrentControlSet\Control\Lsa | limitblankpassworduse | 1 |

The Compatibility Flags value 1024 (0x400) is the ActiveX kill bit, which prevents Internet Explorer from instantiating the control with that CLSID.
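The following Python is an added example, not the Stanford tool’s code. It ties together the local group configuration order (site-wide settings first, then local settings), the Undo Wizard and the registry settings list above: it parses the page’s Key=/Item=/Value_Change= format, merges a site-wide and a local-group file so that the later file overrides the same key/item, applies the result while journaling each previous value, and replays the journal to undo. The registry is simulated by a dict so the example runs anywhere; on Windows the writes would go through `winreg`. The local-group override, the initial registry state and the export of every value as a DWORD are constructed assumptions (the settings file carries no value type, and a real implementation must honor each value’s actual type).

```python
"""Registry-settings enforcement with site-wide/local ordering and undo
(added example, not the Stanford tool's code).  The Key=/Item=/Value_Change=
triples are the page's own format; the registry is a dict so the example
runs offline (on Windows the writes would go through winreg)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RegKey = Tuple[str, str]          # (key path, value name), lower-cased


@dataclass(frozen=True)
class Setting:
    key: str
    item: str
    value: int


def parse_settings(text: str) -> List[Setting]:
    """Each entry is a Key= line followed by its Item= and Value_Change= lines."""
    entries: List[dict] = []
    cur: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if "=" not in line:
            continue
        name, _, val = line.partition("=")       # first '=' only; keys may not contain one
        name, val = name.strip().lower(), val.strip()
        if name == "key":
            if cur:
                entries.append(cur)
            cur = {"key": val}
        elif name == "item":
            cur["item"] = val
        elif name == "value_change":
            cur["value"] = int(val, 0)           # accepts "1024" or "0x400"
    if cur:
        entries.append(cur)
    return [Setting(e["key"], e["item"], e["value"]) for e in entries]


def norm(key: str, item: str) -> RegKey:
    """Registry paths and value names are case-insensitive (the page itself
    mixes HKLM\\System and HKLM\\SYSTEM), so compare them lower-cased."""
    return (key.lower(), item.lower())


def merge(*files: List[Setting]) -> List[Setting]:
    """Apply files in order: a later file (local group) overrides the same
    key/item from an earlier one (site-wide)."""
    merged: Dict[RegKey, Setting] = {}
    for settings in files:
        for s in settings:
            merged[norm(s.key, s.item)] = s
    return list(merged.values())


def enforce(registry: Dict[RegKey, int], settings: List[Setting]) -> List[Tuple[Setting, Optional[int]]]:
    """Write each value that differs and journal (setting, previous value);
    a previous value of None means it did not exist.  The journal is what
    the undo step replays."""
    journal: List[Tuple[Setting, Optional[int]]] = []
    for s in settings:
        k = norm(s.key, s.item)
        prev = registry.get(k)
        if prev != s.value:
            journal.append((s, prev))
            registry[k] = s.value
    return journal


def undo(registry: Dict[RegKey, int], journal: List[Tuple[Setting, Optional[int]]]) -> None:
    """Replay the journal backwards, deleting values that did not exist before."""
    for s, prev in reversed(journal):
        k = norm(s.key, s.item)
        if prev is None:
            registry.pop(k, None)
        else:
            registry[k] = prev


def to_reg(settings: List[Setting]) -> str:
    """Export as .reg text.  The settings file carries no type, so values are
    written as DWORDs here (assumption; e.g. AEDebug\\Auto is really a string)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for s in settings:
        path = s.key.replace("HKLM", "HKEY_LOCAL_MACHINE", 1)
        lines += [f"[{path}]", f'"{s.item}"=dword:{s.value:08x}', ""]
    return "\n".join(lines)


# Four of the page's site-wide entries, in the page's format.
SITE_WIDE = r"""
Key=HKLM\Software\Microsoft\DrWatson
Item=CreateCrashDump
Value_Change=0
Key=HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
Item=SynAttackProtect
Value_Change=2
Key=HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}
Item=Compatibility Flags
Value_Change=1024
Key=HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Item=limitblankpassworduse
Value_Change=1
"""

# Constructed local-group file: a department relaxing SynAttackProtect to 1.
LOCAL_GROUP = r"""
Key=HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Item=SynAttackProtect
Value_Change=1
"""

# Constructed "before" state: crash dumps on, LimitBlankPasswordUse already 1.
INITIAL_REGISTRY: Dict[RegKey, int] = {
    norm(r"HKLM\Software\Microsoft\DrWatson", "CreateCrashDump"): 1,
    norm(r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa", "LimitBlankPasswordUse"): 1,
}


if __name__ == "__main__":
    merged = merge(parse_settings(SITE_WIDE), parse_settings(LOCAL_GROUP))
    reg = dict(INITIAL_REGISTRY)
    journal = enforce(reg, merged)
    print(f"{len(journal)} value(s) changed")
    print(to_reg(merged))
    undo(reg, journal)
    print("restored:", reg == INITIAL_REGISTRY)
```

Values that already hold the enforced setting (LimitBlankPasswordUse in the sample) produce no journal entry, so undoing only touches what the tool actually changed; values that did not exist before are deleted rather than reset to zero.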

