Windows 2012 R2 - SecureAuth IdP Appliance Baseline Security Hardening Settings

Introduction

SecureAuth IdP appliances running on Windows Server 2012 R2 use the Microsoft-recommended best practices for baseline security hardening settings. However, there are some configuration changes that must be made to these settings to allow the IIS role and the SecureAuth IdP appliance to function; these modifications are explained in this document.

The contents of this guide are based on the Microsoft Security Baselines, as maintained and published by Microsoft.

The Microsoft default permissions and user rights for IIS 7.x and 8.x servers, maintained and published by Microsoft, are documented in KB 981949.

Prerequisites

Windows Local Security Policy and/or Active Directory Group Policy tools are required to modify the policies described in this document.

IMPORTANT: If you join the SecureAuth IdP appliance to an Active Directory domain, any Group Policy Objects (GPOs) applied to the appliance can override the pre-configured security settings.

We recommend you do not join your appliance to an existing domain, but if you do, you should check to see how the existing GPOs will interact with the pre-configured security settings and adjust the GPOs as required.

We recommend you put the SecureAuth IdP appliance computer account in a separate Organizational Unit (OU), block inheritance of other GPOs to this OU, and then create a custom GPO that applies only the minimum settings required by your corporate Active Directory policies.

Default security policy configuration

All settings from the Microsoft security baseline for Windows Server 2012 R2 have been applied except those listed below.

IMPORTANT: If you make changes to these policies after deployment of the SecureAuth IdP appliance, it is important to track these changes in case support issues arise in the future.

Each entry below gives the setting name, the Microsoft baseline setting, the SecureAuth setting, the reason for the change, and the policy path.

User rights assignments

Access this computer from the network
  Microsoft baseline setting: Authenticated Users, Administrators
  SecureAuth setting: Everyone, Administrators, Users
  Reason for change: Everyone group is required for anonymous/unauthenticated client connections to IIS
  Path: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access this computer from the network

Adjust memory quotas for a process
  Microsoft baseline setting: LocalService, NetworkService, Administrators
  SecureAuth setting: LocalService, NetworkService, Administrators, *S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
  Reason for change: Adds the GUID of the IIS AppPool\DefaultAppPool created by .NET 4
  Path: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Adjust memory quotas for a process

Deny access to this computer from the network
  Microsoft baseline setting: *S-1-5-113, Guests
  SecureAuth setting: Guests
  Reason for change: Allows local users to connect
  Path: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny access to this computer from the network

Generate security audits
  Microsoft baseline setting: LocalService, NetworkService
  SecureAuth setting: LocalService, NetworkService, *S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
  Reason for change: Adds the GUID of the IIS AppPool\DefaultAppPool created by .NET 4
  Path: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Generate security audits

Replace a process level token
  Microsoft baseline setting: LocalService, NetworkService
  SecureAuth setting: LocalService, NetworkService, *S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
  Reason for change: Adds the GUID of the IIS AppPool\DefaultAppPool created by .NET 4
  Path: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Replace a process level token

Audit policy

The reason for every change in this group is the recommended auditing level. The path for each setting is Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\<setting name>. Values are listed as Microsoft baseline setting -> SecureAuth setting.

  Audit account logon events (No Auditing -> Success and Failure)
  Audit account management (No Auditing -> Success and Failure)
  Audit directory service access (No Auditing -> Success and Failure)
  Audit logon events (No Auditing -> Success and Failure)
  Audit object access (No Auditing -> Success and Failure)
  Audit policy change (No Auditing -> Success and Failure)
  Audit privilege use (No Auditing -> Failure)

Advanced audit policy configuration

The reason for every change in this group is the recommended auditing level. The path for each setting is Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\<category>\<setting name>, where <category> is the category named in the middle of the setting name (the Logon-Logoff settings are under the Logon/Logoff folder). Values are listed as Microsoft baseline setting -> SecureAuth setting.

  Audit Policy: Account Logon: Kerberos Authentication Service (No Auditing -> Success and Failure)
  Audit Policy: Account Logon: Kerberos Service Ticket Operations (No Auditing -> Success and Failure)
  Audit Policy: Account Logon: Other Account Logon Events (No Auditing -> Success and Failure)
  Audit Policy: Account Management: Application Group Management (No Auditing -> Success and Failure)
  Audit Policy: Account Management: Computer Account Management (Success -> Success and Failure)
  Audit Policy: Account Management: Distribution Group Management (No Auditing -> Success and Failure)
  Audit Policy: DS Access: Detailed Directory Service Replication (No Auditing -> Success and Failure)
  Audit Policy: DS Access: Directory Service Access (No Auditing -> Success and Failure)
  Audit Policy: DS Access: Directory Service Changes (No Auditing -> Success and Failure)
  Audit Policy: DS Access: Directory Service Replication (No Auditing -> Success and Failure)
  Audit Policy: Logon-Logoff: Account Lockout (Success -> Success and Failure)
  Audit Policy: Logon-Logoff: IPsec Extended Mode (No Auditing -> Success and Failure)
  Audit Policy: Logon-Logoff: IPsec Main Mode (No Auditing -> Success and Failure)
  Audit Policy: Logon-Logoff: IPsec Quick Mode (No Auditing -> Success and Failure)
  Audit Policy: Logon-Logoff: Logoff (Success -> Success and Failure)
  Audit Policy: Logon-Logoff: Network Policy Server (No Auditing -> Success and Failure)
  Audit Policy: Logon-Logoff: Other Logon/Logoff Events (No Auditing -> Success and Failure)
  Audit Policy: Logon-Logoff: Special Logon (Success -> Success and Failure)
  Audit Policy: Object Access: Application Generated (No Auditing -> Success and Failure)
  Audit Policy: Object Access: Certification Services (No Auditing -> Success and Failure)
  Audit Policy: Object Access: Detailed File Share (No Auditing -> Success and Failure)
  Audit Policy: Object Access: File Share (No Auditing -> Success and Failure)
  Audit Policy: Object Access: File System (No Auditing -> Success and Failure)
  Audit Policy: Object Access: Filtering Platform Connection (No Auditing -> Success and Failure)
  Audit Policy: Object Access: Filtering Platform Packet Drop (No Auditing -> Success and Failure)
  Audit Policy: Object Access: Handle Manipulation (No Auditing -> Success and Failure)
  Audit Policy: Object Access: Kernel Object (No Auditing -> Success and Failure)
  Audit Policy: Object Access: Other Object Access Events (No Auditing -> Success and Failure)
  Audit Policy: Object Access: Registry (No Auditing -> Success and Failure)
  Audit Policy: Object Access: Removable Storage (No Auditing -> Success and Failure)
  Audit Policy: Object Access: SAM (No Auditing -> Success and Failure)
  Audit Policy: Policy Change: Authentication Policy Change (Success -> Success and Failure)
  Audit Policy: Policy Change: Authorization Policy Change (No Auditing -> Success and Failure)
  Audit Policy: Policy Change: Filtering Platform Policy Change (No Auditing -> Success and Failure)
  Audit Policy: Policy Change: MPSSVC Rule-Level Policy Change (No Auditing -> Success and Failure)
  Audit Policy: Policy Change: Other Policy Change Events (No Auditing -> Success and Failure)
  Audit Policy: Privilege Use: Non Sensitive Privilege Use (No Auditing -> Failure)
  Audit Policy: Privilege Use: Other Privilege Use Events (No Auditing -> Failure)

The settings listed in KB 981949 are added when the IIS role is installed. Where they modify the Security Baseline settings, or have themselves been modified by SecureAuth, they are detailed below:

Each entry below gives the setting name, the Microsoft baseline setting, the Microsoft IIS setting, the SecureAuth setting (if different), the reason for the change, and the policy path.

Bypass traverse checking
  Microsoft baseline setting: *S-1-5-90-0, Network Service, Local Service, Backup Operators, Authenticated Users, Administrators
  Microsoft IIS setting: Everyone, LOCAL SERVICE, NETWORK SERVICE, Administrators, Users, Backup Operators
  SecureAuth setting: *S-1-5-113, Everyone, LOCAL SERVICE, NETWORK SERVICE, Administrators, Users
  Reason for change: We remove Backup Operators by default; re-add the group if required
  Path: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Impersonate a client after authentication
  Microsoft baseline setting: Administrators, Service, Local Service, Network Service
  Microsoft IIS setting: LOCAL SERVICE, NETWORK SERVICE, Administrators, IIS_IUSRS, SERVICE
  SecureAuth setting: unchanged from the IIS setting
  Reason for change: Default setting from IIS role
  Path: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Log on as a batch job
  Microsoft baseline setting: Not defined
  Microsoft IIS setting: Administrators, Backup Operators, Performance Log Users, IIS_IUSRS
  SecureAuth setting: Administrators, Performance Log Users, IIS_IUSRS
  Reason for change: We remove Backup Operators by default; re-add the group if required
  Path: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
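As an added check (not SecureAuth's own code), the following Python script reads an INF exported from the appliance with secedit /export /cfg and reports where the user rights and legacy audit categories from the two tables above have drifted from the SecureAuth values, which is what a domain GPO overriding the pre-configured settings looks like in practice. The privilege constant names, the well-known SIDs and the constructed sample export are assumptions, and only a subset of the rows is encoded.

```python
# Added drift check (not SecureAuth code): compares an INF produced on the appliance by
# "secedit /export /cfg policy.inf" against the SecureAuth columns of the tables above.
# Assumes secedit's usual *SID notation for accounts under [Privilege Rights].
APPPOOL = "S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415"  # IIS AppPool\DefaultAppPool
# Well-known SIDs: S-1-1-0 Everyone, S-1-5-19 LOCAL SERVICE, S-1-5-20 NETWORK SERVICE,
# S-1-5-113 Local account, S-1-5-32-544 Administrators, -545 Users, -546 Guests.
EXPECTED_RIGHTS = {
    "SeNetworkLogonRight": {"S-1-1-0", "S-1-5-32-544", "S-1-5-32-545"},  # Access this computer from the network
    "SeDenyNetworkLogonRight": {"S-1-5-32-546"},  # Deny access to this computer from the network
    "SeAuditPrivilege": {"S-1-5-19", "S-1-5-20", APPPOOL},  # Generate security audits
    "SeChangeNotifyPrivilege": {"S-1-5-113", "S-1-1-0", "S-1-5-19", "S-1-5-20",  # Bypass traverse checking
                                "S-1-5-32-544", "S-1-5-32-545"},
}
# Legacy [Event Audit] encoding: 0 none, 1 success, 2 failure, 3 success and failure.
EXPECTED_AUDIT = {"AuditAccountLogon": 3, "AuditLogonEvents": 3, "AuditPrivilegeUse": 2}

def parse_inf(text):
    """Return {section: {key: value}} from a secedit INF (a leading BOM is tolerated)."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.lstrip("\ufeff").splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections

def check_drift(inf_text):
    """Return findings as (setting, expected, actual); an empty list means no drift."""
    inf = parse_inf(inf_text)
    rights, audit, findings = inf.get("Privilege Rights", {}), inf.get("Event Audit", {}), []
    for priv, want in EXPECTED_RIGHTS.items():
        have = {s.strip().lstrip("*") for s in rights.get(priv, "").split(",") if s.strip()}
        if have != want:
            findings.append((priv, sorted(want), sorted(have)))
    for category, want in EXPECTED_AUDIT.items():
        have = int(audit.get(category, "0"))  # absent key means No Auditing
        if have != want:
            findings.append((category, want, have))
    return findings

# Constructed sample export showing the drift a domain GPO could introduce: the baseline's
# S-1-5-113 deny entry is back, Backup Operators (S-1-5-32-551) was re-added, logon auditing is off.
SAMPLE_INF = """\ufeff[Event Audit]
AuditAccountLogon = 3
AuditLogonEvents = 0
AuditPrivilegeUse = 2
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeDenyNetworkLogonRight = *S-1-5-113,*S-1-5-32-546
SeAuditPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
SeChangeNotifyPrivilege = *S-1-5-113,*S-1-1-0,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
"""
```

Running check_drift(SAMPLE_INF) returns three findings (the deny right, bypass traverse checking, and logon auditing); on a real export, extend the two EXPECTED tables with the remaining rows before relying on the result.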

All security hardening settings for Internet Explorer 11 have been applied except the following:

Each entry below gives the setting name, the Microsoft baseline setting, the SecureAuth setting (if different), the reason for the change, and the registry policy path.

PreventIgnoreCertErrors
  Microsoft baseline setting: 1
  SecureAuth setting: 0
  Reason for change: Allows access to SSL sites via the https://localhost path, which is required for SecureAuth IdP administration. Note: if desired, this can be re-enabled as long as you have installed a valid SSL certificate and changed your shortcuts to use the host name on the certificate instead of "Localhost".
  Path: Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

DisableDeleteBrowsingHistory
  Microsoft baseline setting: 1
  SecureAuth setting: 0
  Reason for change: Allows deletion of browsing history if required for support purposes.
  Path: Software\Policies\Microsoft\Internet Explorer\Control Panel