System hardening

The following details the process of hardening servers that are hosting the service to reduce their attack surface and is done by performing the following:

• Things to know before you begin
• Windows operating system hardening
• Applying Windows operating system updates
• Using anti-virus software
• Disabling network protocols
• Configuring Windows logging and auditing
• Verifying firewall configuration
• Disabling default accounts
• Disabling unnecessary default shares in Windows
• Windows Internet Information Server (IIS) hardening
• Securing Hyper-scalable PAS
• Windows Server Update Services (WSUS)

Things to know before you begin

The following is intended for Windows Server 2016 systems only. It assumes you have completed the installation steps as detailed in:

• installed Centrify Scalable Privilege Access Service successfully.
• the operating system has been hardened in accordance with either:
  • the Microsoft’s Windows Server Security Guide.
  • the Center for Internet Security Windows Server (Level 1 benchmarks).

The following should be used in conjunction with any applicable organizational security policies and hardening guidelines. General hardening of the Windows Server 2016 instances should be performed before applying the more detailed steps below. If there are conflicts between the following and organizational policy documents, they should be raised with the internal security team for assessment and resolution.

Note:   As a general rule, the most restrictive policy that allows for the desired operation of Hyper-scalable PAS without adversely effecting it or any other required element of Windows functionality should be implemented.

All Hyper-scalable PAS components, with the exception of the management node, should be installed on dedicated servers. The servers should not serve any other purpose than that required by the Hyper-scalable PAS solution. The systems considered to be direct components of the Hyper-scalable PAS solution are as follows:

• Centrify Centrify PAS
• Connectors

Windows operating system hardening

For Microsoft Windows Server Operating Systems hardening, refer to the Center for Internet Security Level 1 Benchmarks for Windows Server at https://www.cisecurity.org/benchmark/microsoft_windows_server/.

Applying Windows operating system updates

Windows updates should be applied in a timely fashion in accordance with the organizational security policy. These may be applied manually or automatically using the Windows Server Update Service (WSUS). Configuration of WSUS is beyond the scope of this document and will also depend on the organization’s update strategy. Microsoft provides comprehensive documentation for WSUS and should be consulted as needed.

Using anti-virus software

It is recommended consult with your company IT and/or compliance departments to discuss anti-virus needs.

Disabling network protocols

The following networking components are not required by Hyper-scalable PAS or the supporting Windows infrastructure and can therefore be safely disabled on all network adapters:

• File and Printer Sharing for Microsoft Networks.
• QoS Packer Scheduler.
• Microsoft LLDP Protocol Driver.
• Internet Protocol Version 6 (TCP/IPv6).
• Link-Layer Topology Discovery Responder.
• Link-Layer-Topology Discovery Mapper I/O Driver.

This should leave only the following networking components enabled:

• Internet Protocol Version 4 (TCP/IPv4).
• Client for Microsoft Networks.

The following image illustrates how the network adapter properties should look following these changes:

Configuring Windows logging and auditing

By default, Windows Server 2016 does not log all events of potential interest. Unless organizational policies mandate them and they have previously been enabled, perform the following steps:

1. Go to Start Menu → Administrative Tools → Group Policy Management. In the left pane, navigate to Forest → Domains → Domain Name. Expand it.
2. If it does not already exist, create a new Group Policy Object called “Centrify” by right-clicking on Domain Name and selecting Create a GPO in this domain and link it here….
3. Right-click on the “Centrify” policy object.
4. Click Edit in the context menu. It shows Group Policy Management Editor. Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies. It lists all audit policies in the right pane. Here, enable the following policies for both “Successful” and “Failed” events:
5. Configure the following keys as follows:

Key	Value
Logon/Logoff → Audit Logoff	Success & Failure
Logon/Logoff → Audit Logon	Success & Failure
Object Access → Audit Detailed File Share	Success & Failure
Object Access → Audit File Share	Success & Failure
Object Access → Audit File System	Success & Failure
Object Access → Audit Registry	Success & Failure
Object Access → Audit Handle Manipulation	Success & Failure

Following making the above changes open an Administrative command prompt and enter gpupdate/force.

Verifying firewall configuration

During the installation process, the Windows Firewall is correctly configured to allow Hyper-scalable PAS components to operate correctly. No further steps should be required. If a firewall other than the Windows Firewall is in use, it must be configured according to the following values:

Disabling default accounts

The local administrator account should be disabled to prevent its use. Before you do this, ensure you have another administrative account configured.

To disable local administrator account, enter the following command into an administrative command prompt:

net user administrator /active:no

The same steps should be taken for the "Guest" and "DefaultAccount" accounts.

To list the accounts present on a server, enter the following command into an administrative command prompt:

net users

To learn if a given account is active or not, enter the following command into an administrative command prompt:

net user <account name>

For instance, net user guest should return output of the following form:

Note:    Note the line "Account active No."

C:\Windows\system32>net user guest

User name                    	Guest

Full Name

Comment                      	Built-in account for guest access to the computer/domain

User's comment

Country code                 	000 (System Default)

Account active               	No

Account expires              	Never

Password last set            	14/09/2018 15:41:54

Password expires             	Never

Password changeable          	14/09/2018 15:41:54

Password required            	No

User may change password     	No

Workstations allowed         	All

Logon script

User profile

Home directory

Last logon                   	Never

Logon hours allowed          	All

Local Group Memberships      	*Guests

Global Group memberships     	*None

The command completed successfully.

Disabling unnecessary default shares in Windows

To disable the share, perform the following steps:

Disable default shares on all Hyper-scalable PAS servers by running regedit (Windows key + R → regedit) and setting the value of the following registry key to (REG_DWORD) 0:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters AutoShareServer

Create the AutoShareServer key if it does not already exist .

Restart the server.

To confirm the change run the following in a command prompt: net share

The result should be as follows:

C:\>net share

Share name   Resource                        Remark

-------------------------------------------------------------------------------

IPC$                                         Remote IPC

The command completed successfully.

Windows Internet Information Server (IIS) hardening

Perform the following steps:

1. Remove all unnecessary IIS Application Pools on all Hyper-scalable PAS servers.
2. Start Internet Information Services (IIS) Manager (Windows Key + R → inetmgr).
3. Open the Application Pools leaf under the server being managed and remove all application pools apart from the DefaultAppPool and the Centrify entry. The results should appear as follows:

4. Restart the server.

Securing Hyper-scalable PAS

Understanding Hyper-scalable PAS user password policy

Due to the sensitivity of the information and functionality handled by a Hyper-scalable PAS implementation, the standard organizational password policies might not provide adequate protection. The following settings are recommended for Hyper-scalable PAS users.

1. To apply these polices, log into the Admin Portal and navigate to Core Services → Policies → Add Policy Set.
2. Under User Security Policies → Password Settings set the values above as follows:

Setting	Recommendation
Minimum password length	16 characters
Maximum password age	31 days
Password history	20
Require at least one digit	yes
Require at least one upper case and one lower case letter	yes
Require at least one symbol	yes
Maximum consecutive bad password attempts allowed within window	3
Capture window for consecutive bad password attempts	10
Lockout duration before password re-attempt allowed	30
Password expiration notification	7
Escalated password expiration notification	24
Enable password expiration notification on enrolled devices	yes
Show password complexity requirements when entering a new password	yes

Alternatively, if there is an available OAUTH or RADIUS solution in place, with appropriate password policies, these may be configured in the same place.

Endpoint and infrastructure password profiles

The following settings password policy settings are recommended to enforce a strong level of protection for endpoints and infrastructure using Hyper-scalable PAS.

1. To apply these policies, log into the Admin Portal and navigate to Settings → Users > Password Profiles → Add.

2. Create new profiles with the following values:

Setting	Recommendation
Minimum password length	12
Maximum password length	32 (or greater)
At least one lower-case alpha character	Checked
At least one upper-case alpha character	Checked
At least one digit	Checked
No consecutive repeated characters	Checked
At least one special character	Checked
Restrict number of character occurrences	Checked (3)
Special characters	!#$%&()*+,-./:;<=>?@[\]^_{|}~
A leading alpha or alphanumeric character	Unchecked
A trailing alpha or alphanumeric character	Unchecked
Min number of alpha characters	3
Min number of non-alpha characters	3

Setting idle user timeout

Users should be timed out and required to re-authenticate after a period of inactivity exceeding five minutes. This setting can be configured through the Admin portal by:

1. Navigating to Settings → Users → Idle User Session Timeout.
2. Automatically Logout Idle Users should be checked and a value of 5 entered for the Minutes of inactivity before idle users are logged out setting.

Reviewing infrastructure security settings

To enforce a strong level of protection for endpoints and infrastructure using Hyper-scalable PAS the following settings password policy settings are recommended:

Setting	Recommendation
Allow multiple password checkouts	Unchecked
Enable periodic password history clean-up at specified interval	Check and set to 90
Enable periodic password rotation at specified interval	Check and set to 90
Default account password checkout lifetime	60
Minimum password age	0
SSH Custom Banner	Checked and set according to organizational security policy

To apply these policies, log into the Admin Portal and navigate to Settings → Authentication → SecuritySettings.

Windows Server Update Services (WSUS)

Microsoft pushes updates and reboots to your systems. For this reason, it is strongly recommended you follow the best practice of running a Windows Server Update Services (WSUS) for your installation cluster. This allows you control of the updates. Configure as follows:

• Configure WSUS to only install upon administrator approval.
• Automatic updates must be disabled.
• Deploy new nodes with the latest operating system patches and with the current deployment package. Then, decommission the nodes in need of an operating system update.

For more information on WSUS, see Windows Server Update Services (WSUS).