Blog: How Tos
Windows Server settings. Administrative Templates – Network Items. A security how-to
This is the first part of a multi part series looking at the settings within Windows Server that are looked at as part of a standard build review.
Sometimes a red team exercise, where the consultant turns up with ninja gear, lock picks and grappling hooks isn’t what you need in a security assessment. If you are setting up a new environment or have a very large install base it is often a more cost effective solution to give your security consultant a full administrative account and just ask them to take a look at things like your standard server and workstation builds and see if they can spot any obvious problems.
If you’ve never had a penetration test before this is a really good place to start, and if you’ve been tested before it’s a good sanity check that what you thought you’d deployed is reflected in what’s actually on the network.
Not sexy, but essential
Build reviews are not the super sexy hacking that people think of when ordering a security assessment. There are no reverse shells flying around, and the consultant doesn’t get to say “I’m in” when they compromise your domain controller, but the amount of data you can get out of a good build review is invaluable.
There are a number of standards you can use to base your operating system hardening, from the Microsoft Security Baselines and the Centre for Internet Security Benchmarks to the US Government NIST hardening guidelines. In this series of posts I am going to focus on the CIS benchmarks as they are the most common hardening guidelines that I have seen in use.
I have been doing a lot of work here at PTP to make sure that we extract the most data possible for our customers, but also to present it in a way that means it is immediately useful to them, without having to have an in depth understanding of every facet of Windows Server configuration options. I am going to pick a section of CIS for each post, go through the setting that they recommend, explain why the recommendation is what it is, and highlight the settings that we feel are actually really important.
TL;DR the whole benchmark?
When your standard has 280+ options it can be easy to overlook the settings that have a big impact on security in the sea of logging levels and IPSec requirement. I hope that these posts will serve as an in depth reference for each section that means you can dive in where you want and you don’t have to read the entire 816 page benchmark PDF.
In the tradition of good multi part guides I am going to start in the middle, with the Administrative Templates – Network Items section of the Windows Server 2016 RTM V1.0.0 benchmark. It’s actually a good place to dive in as it has some settings with multiple options which are described with quite technical language, some settings that have a fairly low impact on the security of the network and some that have quite a large impact on security.
It’s also a section where I found an error, so getting this information out there seems like a good idea. I reported the error to CIS and they have acknowledged it and indicated that it will be updated in the next version of the benchmark. I get the impression that not a lot of people read these benchmarks in depth though, as this error has been present 14 months without being picked up. So let’s begin.
- Set ‘NetBIOS node type’ to ‘P-node’ (Ensure NetBT Parameter ‘NodeType’ is set to ‘0x2 (2)’) [IMPORTANT]
- Ensure ‘Turn off multicast name resolution’ is set to ‘Enabled’ (MS Only) [IMPORTANT]
- Ensure ‘Enable Font Providers’ is set to ‘Disabled’
- Ensure ‘Enable insecure guest logons’ is set to ‘Disabled’ [IMPORTANT]
- Ensure ‘Turn on Mapper I/O (LLTDIO) driver’ is set to ‘Disabled’ (Scored)
- Ensure ‘Turn on Responder (RSPNDR) driver’ is set to ‘Disabled’ (Scored)
- Ensure ‘Turn off Microsoft Peer-to-Peer Networking Services’ is set to ‘Enabled’ (Scored)
- Ensure ‘Prohibit installation and configuration of Network Bridge on your DNS domain network’ is set to ‘Enabled’ [IMPORTANT]
- Ensure ‘Prohibit use of Internet Connection Sharing on your DNS domain network’ is set to ‘Enabled’
- Ensure ‘Require domain users to elevate when setting a network’s location’ is set to ‘Enabled’
- Ensure ‘Hardened UNC Paths’ is set to ‘Enabled, with “Require Mutual Authentication” and “Require Integrity” set for all NETLOGON and SYSVOL shares’ [IMPORTANT]
- Disable IPv6 (Ensure TCPIP6 Parameter ‘DisabledComponents’ is set to ‘0xff (255)’)
- Ensure ‘Configuration of wireless settings using Windows Connect Now’ is set to ‘Disabled’
- Ensure ‘Prohibit access of the Windows Connect Now wizards’ is set to ‘Enabled’
- Ensure ‘Minimize the number of simultaneous connections to the Internet or a Windows Domain’ is set to ‘Enabled’
- Ensure ‘Prohibit connection to non-domain networks when connected to domain authenticated network’ is set to ‘Enabled’ (MS only)
Set ‘NetBIOS node type’ to ‘P-node’ (Ensure NetBT Parameter ‘NodeType’ is set to ‘0x2 (2)’) [IMPORTANT]>
The first one up, and it’s one of those technical ones which will probably make someone not familiar with 20 year old network protocols raise an eyebrow.
What does it do? It tells the server if it should shout computer name requests to every system on its local network, or just ask a named server instead.
Is it an important setting? Yes. A favourite trick of testers like me is to set up a system listening out for servers broadcasting requests for system names. We then reply to all these requests with our own address, which usually leads to the broadcasting system attempting to connect to us. We then either capture the password hash of the user account on the broadcasting system and crack it offline, or we replay that hash against another system and pretend to be that user. If that user is a domain admin, it’s an instant win for us.
Is it safe by default? No. By default Windows will query a WINS server if it’s configured, which it’s probably not going to be in a modern network, and then broadcast it’s request to the network if that doesn’t get it the address it’s after.
Should I set this as recommended? If you do not have to interact with very old systems that do not use DNS for name resolution then you should absolutely set this. You could even disable NetBIOS on the network interfaces entirely, but this setting in your GPO will mean that any system that enables it isn’t going to be broadcasting all over the local network. If you can set this then you will upset your pen testers, and that’s got to be good.
Where can I find this setting in Windows? The registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters:NodeType. Not very helpfully this isn’t a standard GPO setting in Windows, so you’ll have to use a third party template or find a way of setting this directly.
Ensure ‘Turn off multicast name resolution’ is set to ‘Enabled’ (MS Only) [IMPORTANT]
This is the modern version of the NetBT config above, although in this case it’s a simple enabled/disabled setting.
What does it do? It prevents the system from broadcasting a Link Local request to systems on its local network when it can’t resolve a system name from DNS.
Is it an important setting? Yes, for the same reason as NetBT resolution above.
Is it safe by default? No. Windows wants to “Just Work” and that means that it will do its best to find that system you asked for. On a modern Active Directory domain everything should be in DNS, and this being available will only help if you want to talk to something not in DNS and in your broadcast domain. You do segment your network, right 😊
Should I set this as recommended? As above, if everything is discoverable through DNS then you should configure this. Not very intuitively enabling this setting disables this function, which is what we want. You’ll see a few settings like this, where the setting is a negative that to use you must enable. Thanks Microsoft.
Where can I find this setting in Windows? There is a GPO you can set at Computer Configuration\Policies\Administrative Templates\Network\DNS Client\Turn off multicast name resolution
Ensure ‘Enable Font Providers’ is set to ‘Disabled’
Fonts? In the network section? Yep. It does make sense though
What does it do? It tells the system if it is allowed to download fonts from the internet if they are required.
Is it an important setting? No, not really. It is a low impact setting but on the other hand it is unlikely to have a big impact if it’s disabled. Note that CIS class this as a Level 2 item, meaning it’s Defence in Depth.
Is it safe by default? No. By default Windows will attempt to retrieve fonts from an online repository if they are required but not available locally. But you don’t let your servers talk to the internet, right?
Should I set this as recommended? Yes. But as we recommend with all these settings, make sure you test it first. Note that CIS class this as a Level 2 item, meaning its recommended for High Security environments and can probably be passed over on a regular Windows domain.
Where can I find this setting in Windows? There is a GPO at Computer Configuration\Policies\Administrative Templates\Network\Fonts\Enable Font Providers
Ensure ‘Enable insecure guest logons’ is set to ‘Disabled’ [IMPORTANT]
Insecure Guest logons sound bad. This is because they are.
What does it do? It tells Windows that if anyone wants to access any SMB functionality that they must authenticate.
Is it an important setting? Yes. There are very few reasons that you want to give unauthenticated access to a system resource that don’t involve interacting with legacy systems. If you leave stuff configured that allows Guest, and the Guest account is enabled then your pen testers will find it.
Is it safe by default? No, by default Windows will allow you to assign unauthenticated access to a resource.
Should I set this as recommended? Yes, although if you have an already established network then look out for this setting breaking stuff when you apply it. If someone on the network is relying on a Guest share for their system to work, then disabling this will break it. As always, test before rolling out across the network.
Where can I find this setting in Windows? There is a handy GPO at Computer Configuration\Policies\Administrative Templates\Network\Lanman Workstation\Enable insecure guest logons
Ensure ‘Turn on Mapper I/O (LLTDIO) driver’ is set to ‘Disabled’ (Scored)
I’m addressing these setting as a single entry as they are two sides of the same coin.
What does it do? These settings control the modern equivalent of the old Windows Network Browser service that is used to map out the “Network” tab you can see in explorer.
They are both the query and responder for this service and control whether the system asks for information about what is on the network, or responds with information about its services when queried.
Is it an important setting? This is in the same arena as NetBT when you look at the functionality, but I have not seen many testers actively exploiting it to entice network connections from users. The techniques to exploit this are more complex than NetBT and LLMNR poisoning and from my research look to require specific user interaction to exploit, therefore my current thinking on this one is no.
Is it safe by default? Yes, Windows Server disables these services by default.
Where can I find this setting in Windows? GPOs can be found at Computer Configuration\Policies\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Mapper I/O (LLTDIO) driver and Computer Configuration\Policies\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Responder (RSPNDR) driver
Ensure ‘Turn off Microsoft Peer-to-Peer Networking Services’ is set to ‘Enabled’ (Scored)
The cloud? On my network? It’s more likely than you think.
What does it do? Where IPV6 is in use, and I realise I’ve just lost most readers after saying that, it allows IPV6 peers to share knowledge of systems within the peer to allow for collaboration.
Is it an important setting? No, not really. Uptake of IPV6 is very low and this setting only governs IPV6 connectivity. I have yet to come across any system requiring this.
Is it safe by default? No, in the sense that it allows IPV6 peers to collaborate by default.
Should I set this as recommended? I class this as an unnecessary service, and use the maxim that if you’re not using it then you should switch it off. This is another Level 2 setting though, so is recommended only for High Security environments. Leaving it enabled should not do any harm though on a normal Windows domain.
Where can I find this setting in Windows? GPO can be found at Computer Configuration\Policies\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services\Turn off Microsoft Peer-to-Peer Networking Services
Ensure ‘Prohibit installation and configuration of Network Bridge on your DNS domain network’ is set to ‘Enabled’ [IMPORTANT]
Another pair of settings that control a similar function.
What does it do? This setting controls whether a user can connect 2 network adapters together on their system and route traffic between those networks. It allows you to turn a multi-homed system into a router. The Internet Connection Sharing is specific to Mobile Hotspots so requires WiFi to be present. Not likely on a server, but if you are looking at this for a Windows 10 laptop you don’t want to bridge your wireless adapter to your wired network.
Is it an important setting? Yes. If you want to route traffic between network segments then use a router. Also use a firewall, but you should not be using a Windows system to do this. In a situation where a system is multi-homed this is usually because one of the networks is considered sensitive, such as a Management VLAN that should not be accessible to the production network.
Is it safe by default? No, by default an administrator can bridge two network interfaces together.
Should I set this as recommended? Yes, there is no good reason I can see for an administrator to do this. Setting this will prevent someone from doing this accidently, and creating a serious breach of your carefully planned network segmentation.
Where can I find this setting in Windows? Here is another negative setting that you have to enable to disable. GPO is at Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Prohibit installation and configuration of Network Bridge on your DNS domain network and Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Sharing on your DNS domain network
Ensure ‘Require domain users to elevate when setting a network’s location’ is set to ‘Enabled’
What does it do? It controls whether or not a user has to be an Administrator to set the “location” of a network connection. In this context the location is the prompt asking you if a connection is “public” or “home/office”.
Is it an important setting? No. On a laptop it would have greater impact as a user may set their network to “home/office” on a public WiFi, and potentially expose some extra ports to other users on that network. You are not going to have non-administrative users logging into server though, the services exposed should be controlled via the Windows Firewall policies, and an extra UI popup isn’t going to stop an administrator from changing it if they want to. It would have no practical impact to an attacker.
Is it safe by default? No, but regular users should not be signed onto servers anyway.
Where can I find this setting in Windows? The GPO can be found at Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Require domain users to elevate when setting a network’s location
Ensure ‘Hardened UNC Paths’ is set to ‘Enabled, with “Require Mutual Authentication” and “Require Integrity” set for all NETLOGON and SYSVOL shares’ [IMPORTANT]
What does it do? This setting is present due to a vulnerability discovered in 2015 (MS15-011) and is something testers see all the time on assessments. It requires that before a system is allowed to connect to the NETLOGON or SYSVOL shares that it check to see if the system it is connecting with is the system it expects. This is enforced though integrity checking.
Is it an important setting? Yes. Without this integrity checking an attacker positioned on the network between a system and the domain controller it is logging on to can modify the connection to the NETLOGON and SYSVOL shares to allow them to inject their own data. This can lead to complete takeover of the system logging on.
Is it safe by default? No, and that’s why we see it everywhere. In order to work with systems that don’t support UNC hardening this is disabled by default. This is one you should test before rolling out, but if you are working with a modern network (Server 2008 or higher) then you should be able to enable this without any issues. Also ensure that systems that require it (Server 2008R2 and Server 2012) have the patch MS15-011 installed.
Should I set this as recommended? If you’re happy that you don’t have to interact with any legacy systems that don’t support UNC hardening then you should enable this setting.
Where can I find this setting in Windows? Set the following GPO with these options Computer Configuration\Policies\Administrative Templates\Network\Network Provider\Hardened UNC Paths
\\*\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1 \\*\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1
Disable IPv6 (Ensure TCPIP6 Parameter ‘DisabledComponents’ is set to ‘0xff (255)’)
Do you use IPV6? No, you probably don’t
What does it do? Controls whether IPV6 is enabled.
Is it an important setting? Not really, but if you are not using IPV6 then there is no reason to leave it enabled. The last thing you want is a network admin adding support for IPV6 on a switch and all of a sudden your systems can bypass firewall rules because no one set any up for this protocol.
Is it safe by default? No. Your system will assign a Link Local IPV6 address when it boots.
Should I set this as recommended? Probably. There is no reason to leave unused protocols enabled. This is rated as a Level 2 High Security configuration option though, so take a look at your risk profile when deciding if this should be disabled.
Where can I find this setting in Windows? There is not a handy GPO to disable IPV6, so you will need to set the following key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters:DisabledComponents to 0xff (255) (DWORD)
Ensure ‘Configuration of wireless settings using Windows Connect Now’ is set to ‘Disabled’
What does it do? Windows Connect Now is where UPnP and similar protocols now live. These are helper protocols that allow devices to reconfigure each other in order for them to work without user intervention. An example of this is a firewall opening a port required by some new hardware or software.
Is it an important setting? No. Exploitation of UPnP is not something that I have seen as something that gets me further into a network during testing. The rest of the supported protocols require physical access or WiFi, something not usually possible on servers.
Is it safe by default? No, these services are enabled by default.
Should I set this as recommended? This is another Level 2 setting for High Security environments. On one hand you should not be relying on these protocols for the day to day operation of your network, but on the other hand things may break if they are in fact used. My advice is disable them if you can, but test carefully first, and roll it out slowly.
Where can I find this setting in Windows? There is a GPO at Computer Configuration\Policies\Administrative Templates\Network\Windows Connect Now\Configuration of wireless settings using Windows Connect Now That should be set to disabled and a GPO at Computer Configuration\Policies\Administrative Templates\Network\Network\Windows Connect Now\Prohibit access of the Windows Connect Now wizards Which should be enabled.
Ensure ‘Minimize the number of simultaneous connections to the Internet or a Windows Domain’ is set to ‘Enabled’
And here we finally come to the benchmark item which was found to contain an error.
What does it do? This setting controls what happens when Windows sees that you have two network connections to the same network. The CIS description is as follows:
This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time.
The recommended state for this setting is: Enabled.
Blocking simultaneous connections can help prevent a user unknowingly allowing network traffic to flow between the Internet and the corporate network.”
This is incorrect. This is the functionality that the next benchmark item governs. This gives the impression that if you enable this setting, that you will prevent your system from being connected to a domain and non-domain network at the same time. In fact, this setting has a different impact, essentially disabling one interface if it detects that it is connected to the same network as another.
Is it an important setting? If you were to read the above from CIS then yes, this is an important setting as you do not want your roving laptops users to be able to connect to your LAN and a Wireless access point at the same time. If a user’s laptop is compromised this would grant whoever has compromised this system the ability to bridge through it onto your network. The actual impact of this setting is much lower though, it is basically a housekeeping function that offers little to no impact on security.
Is it safe by default? Yes, this setting is safe be default as it will make sure that paired connections are rationalised down to a single connection. But reading this might make you think that domain and non-domain connections are not possible, where they actually would be.
Should I set this as recommended? Yes, but as it’s set as default you should just leave it alone.
Where can I find this setting in Windows? There is a GPO at Computer Configuration\Policies\Administrative Templates\Network\Windows Connection Manager\Minimize the number of simultaneous connections to the Internet or a Windows Domain which should be left to Enabled.
Ensure ‘Prohibit connection to non-domain networks when connected to domain authenticated network’ is set to ‘Enabled’ (MS only)
Here is the setting that controls the behaviour described by the previous audit item.
What does it do? This prevents a system from maintaining a network connection to a domain and non-domain network at the same time. You generally do not want to bridge networks between domain attached and non-domain attached segments. Unlike network connection sharing this does not enable routing from one interface to the other, however a user on the system could see both networks and send data to either one.
Is it an important setting? It is more important to mobile devices that servers, as they are the ones most easily bridged onto insecure networks, so I would say yes for a mobile system, and probably no for a server. You may find that if you enable this on server that some systems that access a second network, such as a DMZ, may have issues, and may have to be excluded from this policy.
Is it safe by default? No, the default behaviour is for you to be allowed to connect to any networks you wish at the same time, and is done to ensure that Windows “just works”.
Should I set this as recommended? On mobile systems I would say that this should be enabled, on Windows Servers, who generally don’t migrate between networks, this needs more thought. Enabling it can prevent a misconfiguration giving a system more access than it should, but may also interfere with ongoing operations if it is not kept in mind when provisioning servers. If possible, this should be enabled, but be prepared to add exclusions in group policy where required. As befits a setting with such nuance, this is classed as a Level 2 High Security option.
Where can I find this setting in Windows? The GPO can be found at Computer Configuration\Policies\Administrative Templates\Network\Windows Connection Manager\Prohibit connection to non-domain networks when connected to domain authenticated network And should be set to Enabled.
And so ends our deep dive into Administrative Templates – Network Setting. I hope that this is useful to someone who has just had the results of a build review dropped on their desk and wants to know what’s really important and what can be sent to the architects for some thoughtful consideration. If you have any comments about any of the conclusions I’ve reached then I’d be happy to hear them, you can either contact me via the office number or find me on Twitter @fishermansenemy.