Windows 2012 R2 - SecureAuth IdP appliance baseline security hardening settings
Introduction
SecureAuth IdP appliances running on Windows Server 2012 R2 apply the Microsoft-recommended baseline security hardening settings. However, some of those settings must be changed to allow the IIS role and the SecureAuth IdP appliance to function; these modifications are explained in this document.
The contents of this guide are based on the Microsoft Security Baselines, as maintained and published by Microsoft.
Microsoft's default permissions and user rights for IIS 7.x and 8.x servers, maintained and published by Microsoft, are documented in KB 981949.
Prerequisites
Windows Local Security policy and / or Active Directory Group policy tools are required to modify policies described in this document.
IMPORTANT: If you join the SecureAuth IdP appliance to an Active Directory domain, any Group Policy Objects (GPOs) applied to the appliance can override the pre-configured security settings.
We recommend that you do not join the appliance to an existing domain. If you do, check how the existing GPOs will interact with the pre-configured security settings and adjust the GPOs as required.
We recommend that you put the SecureAuth IdP appliance computer account in a separate Organizational Unit (OU), block inheritance of other GPOs to that OU, and then create a custom GPO that applies only the minimum settings your corporate Active Directory policies require. Note that GPOs linked with the Enforced option still apply through an OU with blocked inheritance, so review those links separately.
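The OU, blocked inheritance and custom GPO described above, as an added PowerShell example that is not part of the SecureAuth documentation. It assumes the ActiveDirectory and GroupPolicy RSAT modules are available on a management host, and the OU name, GPO name and computer name are placeholders to replace with your own.

```powershell
# Added example (not SecureAuth's code). Assumes the ActiveDirectory and GroupPolicy
# modules are installed; $OuName, $GpoName and $Appliance are assumed placeholder names.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Domain    = Get-ADDomain
$OuName    = 'SecureAuth IdP Appliances'                        # assumed OU name
$OuPath    = "OU=$OuName,$($Domain.DistinguishedName)"
$GpoName   = 'SecureAuth IdP - Minimum Corporate Settings'      # assumed GPO name
$Appliance = 'IDP01'                                            # assumed computer name

# 1. Dedicated OU for the appliance computer accounts.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$OuName)" -SearchBase $Domain.DistinguishedName)) {
    New-ADOrganizationalUnit -Name $OuName -Path $Domain.DistinguishedName `
        -ProtectedFromAccidentalDeletion $true
}

# 2. Block inheritance so domain-level GPOs cannot override the appliance's
#    pre-configured settings. Enforced links still apply; step 5 reports them.
Set-GPInheritance -Target $OuPath -IsBlocked Yes | Out-Null

# 3. Custom GPO that carries only the minimum required corporate settings, linked to the OU.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Minimum settings for SecureAuth IdP appliances'
}
$linked = (Get-GPInheritance -Target $OuPath).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $OuPath -LinkEnabled Yes | Out-Null
}

# 4. Move the appliance computer account into the OU.
$computer = Get-ADComputer -Identity $Appliance
if ($computer.DistinguishedName -notlike "*,$OuPath") {
    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $OuPath
}

# 5. Report what will still apply. Anything other than the custom GPO reaching
#    the OU is an Enforced link from above and must be reviewed against the
#    pre-configured baseline deltas.
$inh = Get-GPInheritance -Target $OuPath
"Inheritance blocked on $OuPath : $($inh.GpoInheritanceBlocked)"
$inh.InheritedGpoLinks | Where-Object { $_.DisplayName -ne $GpoName } | ForEach-Object {
    "WARNING: '$($_.DisplayName)' still applies to the OU (Enforced=$($_.Enforced))"
}
```

After the computer account has been moved and the appliance has refreshed policy (gpupdate /force), run gpresult /h on the appliance itself to confirm that only the custom GPO and the local policy are contributing settings.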
Default security policy configuration
All settings from the Microsoft security baseline for Windows Server 2012 R2 have been applied except those listed below.
IMPORTANT: If you make changes to these policies after deployment of the SecureAuth IdP appliance, it is important to track these changes in case support issues arise in the future.
Setting Name | Microsoft Baseline Setting | SecureAuth Setting | Reason for change | Path |
---|---|---|---|---|
Access this computer from the network | AuthenticatedUsers, Administrators | Everyone, Administrators, Users | Everyone group is required for anonymous/unauthenticated client connections to IIS | Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access this computer from the network |
Adjust memory quotas for a process | LocalService, NetworkService, Administrators | LocalService, NetworkService, Administrators, *S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415 | Adds the SID of the IIS AppPool\DefaultAppPool application pool identity (the .NET 4 default application pool) | Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Adjust memory quotas for a process |
Audit account logon events | No Auditing | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account logon events |
Audit account management | No Auditing | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account management |
Audit directory service access | No Auditing | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit directory service access |
Audit logon events | No Auditing | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit logon events |
Audit object access | No Auditing | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit object access |
Audit policy change | No Auditing | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit policy change |
Audit Policy: Account Logon: Kerberos Authentication Service | No Auditing | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Logon\Audit Policy: Account Logon: Kerberos Authentication Service |
Audit Policy: Account Logon: Kerberos Service Ticket Operations | No Auditing | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Logon\Audit Policy: Account Logon: Kerberos Service Ticket Operations |
Audit Policy: Account Logon: Other Account Logon Events | No Auditing | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Logon\Audit Policy: Account Logon: Other Account Logon Events |
Audit Policy: Account Management: Application Group Management | No Auditing | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit Policy: Account Management: Application Group Management |
Audit Policy: Account Management: Computer Account Management | Success | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit Policy: Account Management: Computer Account Management |
Audit Policy: Account Management: Distribution Group Management | No Auditing | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit Policy: Account Management: Distribution Group Management |
Audit Policy: DS Access: Detailed Directory Service Replication | No Auditing | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Policy: DS Access: Detailed Directory Service Replication |
Audit Policy: DS Access: Directory Service Access | No Auditing | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Policy: DS Access: Directory Service Access |
Audit Policy: DS Access: Directory Service Changes | No Auditing | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Policy: DS Access: Directory Service Changes |
Audit Policy: DS Access: Directory Service Replication | No Auditing | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Policy: DS Access: Directory Service Replication |
Audit Policy: Logon-Logoff: Account Lockout | Success | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Policy: Logon-Logoff: Account Lockout |
Audit Policy: Logon-Logoff: IPsec Extended Mode | No Auditing | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Policy: Logon-Logoff: IPsec Extended Mode |
Audit Policy: Logon-Logoff: IPsec Main Mode | No Auditing | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Policy: Logon-Logoff: IPsec Main Mode |
Audit Policy: Logon-Logoff: IPsec Quick Mode | No Auditing | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Policy: Logon-Logoff: IPsec Quick Mode |
Audit Policy: Logon-Logoff: Logoff | Success | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Policy: Logon-Logoff: Logoff |
Audit Policy: Logon-Logoff: Network Policy Server | No Auditing | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Policy: Logon-Logoff: Network Policy Server |
Audit Policy: Logon-Logoff: Other Logon/Logoff Events | No Auditing | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Policy: Logon-Logoff: Other Logon/Logoff Events |
Audit Policy: Logon-Logoff: Special Logon | Success | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Policy: Logon-Logoff: Special Logon |
Audit Policy: Object Access: Application Generated | No Auditing | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Policy: Object Access: Application Generated |
Audit Policy: Object Access: Certification Services | No Auditing | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Policy: Object Access: Certification Services |
Audit Policy: Object Access: Detailed File Share | No Auditing | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Policy: Object Access: Detailed File Share |
Audit Policy: Object Access: File Share | No Auditing | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Policy: Object Access: File Share |
Audit Policy: Object Access: File System | No Auditing | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Policy: Object Access: File System |
Audit Policy: Object Access: Filtering Platform Connection | No Auditing | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Policy: Object Access: Filtering Platform Connection |
Audit Policy: Object Access: Filtering Platform Packet Drop | No Auditing | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Policy: Object Access: Filtering Platform Packet Drop |
Audit Policy: Object Access: Handle Manipulation | No Auditing | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Policy: Object Access: Handle Manipulation |
Audit Policy: Object Access: Kernel Object | No Auditing | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Policy: Object Access: Kernel Object |
Audit Policy: Object Access: Other Object Access Events | No Auditing | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Policy: Object Access: Other Object Access Events |
Audit Policy: Object Access: Registry | No Auditing | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Policy: Object Access: Registry |
Audit Policy: Object Access: Removable Storage | No Auditing | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Policy: Object Access: Removable Storage |
Audit Policy: Object Access: SAM | No Auditing | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Policy: Object Access: SAM |
Audit Policy: Policy Change: Authentication Policy Change | Success | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Policy: Policy Change: Authentication Policy Change |
Audit Policy: Policy Change: Authorization Policy Change | No Auditing | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Policy: Policy Change: Authorization Policy Change |
Audit Policy: Policy Change: Filtering Platform Policy Change | No Auditing | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Policy: Policy Change: Filtering Platform Policy Change |
Audit Policy: Policy Change: MPSSVC Rule-Level Policy Change | No Auditing | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Policy: Policy Change: MPSSVC Rule-Level Policy Change |
Audit Policy: Policy Change: Other Policy Change Events | No Auditing | Success and Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Policy: Policy Change: Other Policy Change Events |
Audit Policy: Privilege Use: Non Sensitive Privilege Use | No Auditing | Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Privilege Use\Audit Policy: Privilege Use: Non Sensitive Privilege Use |
Audit Policy: Privilege Use: Other Privilege Use Events | No Auditing | Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Privilege Use\Audit Policy: Privilege Use: Other Privilege Use Events |
Audit privilege use | No Auditing | Failure | Recommended auditing level | Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit privilege use |
Deny access to this computer from the network | *S-1-5-113, Guests | Guests | S-1-5-113 (NT AUTHORITY\Local account) is removed so that local accounts can connect over the network. The baseline includes it to block network logon with local accounts (a lateral-movement mitigation); re-add it if no local account on the appliance needs network logon | Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny access to this computer from the network |
Generate security audits | LocalService, NetworkService | LocalService, NetworkService, *S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415 | Adds the SID of the IIS AppPool\DefaultAppPool application pool identity (the .NET 4 default application pool) | Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Generate security audits |
Replace a process level token | LocalService, NetworkService | LocalService, NetworkService, *S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415 | Adds the SID of the IIS AppPool\DefaultAppPool application pool identity (the .NET 4 default application pool) | Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Replace a process level token |
Installing the IIS role adds the user rights listed in KB 981949. Those that modify the Microsoft Security Baseline settings, or that SecureAuth has modified further, are detailed below:
Setting Name | Microsoft Baseline Setting | Microsoft IIS Setting | SecureAuth Setting (If different) | Reason for change | Path |
---|---|---|---|---|---|
Bypass traverse checking | *S-1-5-90-0, Network Service, Local Service, Backup Operators, Authenticated Users, Administrators | Everyone, LOCAL SERVICE, NETWORK SERVICE, Administrators, Users, Backup operators | *S-1-5-113, Everyone, LOCAL SERVICE, NETWORK SERVICE, Administrators, Users | Backup Operators is removed by default; re-add it if required | Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
Impersonate a client after authentication | Administrators, Service, Local Service, Network Service | LOCAL SERVICE, NETWORK SERVICE, Administrators, IIS_IUSRS, SERVICE | | Default setting from the IIS role (IIS_IUSRS added) | Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
Log on as a batch job | Not defined | Administrators, Backup operators, Performance log users, IIS_IUSRS | Administrators, Performance log users, IIS_IUSRS | Backup Operators is removed by default; re-add it if required | Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
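A check for the user rights in both tables above and for a sample of the audit subcategories, as an added PowerShell example that is not part of the SecureAuth documentation. Run it as an administrator on the appliance after deployment or after any GPO change. The expected values are taken from the SecureAuth Setting columns; the application pool name is assumed to be DefaultAppPool, and the S-1-5-82 derivation used to cross-check the table's SID is the standard virtual-account scheme, not something the page states. The auditpol subcategory names assume an English system locale.

```powershell
# Added example (not SecureAuth's code). Run elevated on the appliance.
# Assumption: the pool behind the S-1-5-82 SID in the tables is DefaultAppPool.
$AppPoolName = 'DefaultAppPool'

# An application pool SID is S-1-5-82 followed by the SHA-1 of the upper-case
# UTF-16LE pool name split into five little-endian 32-bit sub-authorities (the
# same scheme as S-1-5-80 service SIDs). Recomputing it confirms that the SID in
# the tables really is IIS AppPool\DefaultAppPool and not another principal.
function Get-AppPoolSid([string]$Name) {
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $hash  = $sha1.ComputeHash([System.Text.Encoding]::Unicode.GetBytes($Name.ToUpperInvariant()))
    $subs  = 0..4 | ForEach-Object { [BitConverter]::ToUInt32($hash, $_ * 4) }
    'S-1-5-82-' + ($subs -join '-')
}
$appPoolSid = Get-AppPoolSid $AppPoolName
"Computed SID for IIS AppPool\$AppPoolName : $appPoolSid"
try {   # LSA cross-check; only resolves on a host where IIS has created the pool
    $lsa = (New-Object System.Security.Principal.NTAccount("IIS AppPool\$AppPoolName")).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    "LSA resolves the pool to       : $lsa  (match: $($lsa -eq $appPoolSid))"
} catch { 'LSA could not resolve the pool name (IIS not installed or pool missing)' }

# Export the local security policy; [Privilege Rights] lists each right as *SID entries.
$cfg = Join-Path $env:TEMP 'secpol-check.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item $cfg

# Expected deltas from the tables: which SID must be present in, or absent from, each right.
$expect = @(
    @{ Right='SeNetworkLogonRight';           Sid='S-1-1-0';      Present=$true;  Who='Everyone' }
    @{ Right='SeIncreaseQuotaPrivilege';      Sid=$appPoolSid;    Present=$true;  Who='DefaultAppPool' }
    @{ Right='SeAuditPrivilege';              Sid=$appPoolSid;    Present=$true;  Who='DefaultAppPool' }
    @{ Right='SeAssignPrimaryTokenPrivilege'; Sid=$appPoolSid;    Present=$true;  Who='DefaultAppPool' }
    @{ Right='SeDenyNetworkLogonRight';       Sid='S-1-5-113';    Present=$false; Who='Local account' }
    @{ Right='SeChangeNotifyPrivilege';       Sid='S-1-5-32-551'; Present=$false; Who='Backup Operators' }
    @{ Right='SeBatchLogonRight';             Sid='S-1-5-32-551'; Present=$false; Who='Backup Operators' }
    @{ Right='SeImpersonatePrivilege';        Sid='S-1-5-32-568'; Present=$true;  Who='IIS_IUSRS' }
)
foreach ($e in $expect) {
    $has   = $rights[$e.Right] -contains $e.Sid
    $state = if ($has -eq $e.Present) { 'OK  ' } else { 'DIFF' }
    $want  = if ($e.Present) { 'expected' } else { 'must be absent' }
    '{0} {1,-32} {2,-18} {3}' -f $state, $e.Right, $e.Who, $want
}

# Audit policy: auditpol's CSV output gives the effective per-subcategory setting.
$audit = auditpol /get /category:* /r | ConvertFrom-Csv
$auditExpect = @{
    'Kerberos Authentication Service' = 'Success and Failure'
    'Computer Account Management'     = 'Success and Failure'
    'Non Sensitive Privilege Use'     = 'Failure'
    'Other Privilege Use Events'      = 'Failure'
}
foreach ($sub in $auditExpect.Keys) {
    $row   = $audit | Where-Object { $_.Subcategory -eq $sub }
    $state = if ($row -and $row.'Inclusion Setting' -eq $auditExpect[$sub]) { 'OK  ' } else { 'DIFF' }
    '{0} {1,-32} {2}' -f $state, $sub, $(if ($row) { $row.'Inclusion Setting' } else { 'not found' })
}
```

A DIFF line means a GPO or a later local change has moved the appliance away from the documented setting; record the deviation, as the note above asks, before deciding whether to revert it. The S-1-5-113 row is intentionally a must-be-absent check because the table removes it; flip that entry if you chose to keep the baseline's block on local-account network logon.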
All Microsoft security baseline settings for Internet Explorer 11 have been applied except the following:
Setting Name | Microsoft Baseline Setting | SecureAuth Setting (If different) | Reason for change | Path |
---|---|---|---|---|
PreventIgnoreCertErrors | 1 | 0 | Allows access to SSL sites via the https://localhost path, which is required for SecureAuth IdP administration. Note: this can be re-enabled if desired, as long as you have installed a valid SSL certificate and changed your shortcuts to use the host name on the certificate instead of "localhost". | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings |
DisableDeleteBrowsingHistory | 1 | 0 | Allows deletion of browsing history if required for support purposes. | Software\Policies\Microsoft\Internet Explorer\Control Panel |
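The re-enabling condition stated for PreventIgnoreCertErrors above, turned into a check, as an added PowerShell example that is not part of the SecureAuth documentation. It assumes the IIS site is named Default Web Site, that the policy value lives under the machine hive (HKLM) as a Computer Configuration setting, and that idp.example.com is a placeholder for the host name your administration shortcuts will use.

```powershell
# Added example (not SecureAuth's code). Run elevated on the appliance.
# Assumptions: site name 'Default Web Site'; policy applied under HKLM;
# $AdminHost is a placeholder for the name in your admin shortcuts.
Import-Module WebAdministration
$AdminHost = 'idp.example.com'

# Certificate bound to HTTPS on the site (Get-WebBinding exposes the thumbprint as certificateHash).
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https | Select-Object -First 1
if (-not $binding) { throw 'No HTTPS binding found; install a certificate before re-enabling the policy.' }
$cert = Get-Item "Cert:\LocalMachine\My\$($binding.certificateHash)"

# Re-enable only if the admin host name is on the certificate (SAN, or CN as a
# fallback), the chain validates on this machine, and the certificate is in date.
$names   = @($cert.DnsNameList | ForEach-Object { $_.Unicode }) + @($cert.GetNameInfo('SimpleName', $false))
$nameOk  = $names -contains $AdminHost
$chainOk = $cert.Verify()
$now     = Get-Date
$dateOk  = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)

"Bound certificate : $($cert.Subject) [$($cert.Thumbprint)]"
"Name match ($AdminHost): $nameOk   Chain valid: $chainOk   In validity period: $dateOk"

$policyKey = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($nameOk -and $chainOk -and $dateOk) {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name PreventIgnoreCertErrors -Value 1 -Type DWord
    "PreventIgnoreCertErrors set to 1. Update admin shortcuts to https://$AdminHost/ ; https://localhost/ will now be blocked."
} else {
    'Left PreventIgnoreCertErrors at 0: re-enabling now would block the https://localhost/ admin path.'
}
```

If the appliance is domain-joined, set the value through your custom GPO instead of the registry directly, otherwise the next policy refresh will reset it to whatever the GPO (or its absence) dictates.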