Hardened Windows OS compatibility

Post by Nayab » 07.06.2017, 00:54

Hi

I had been using this tool earlier to download and install updates on standalone systems, but those systems had standard Windows local group policy settings. This tool worked as it has been designed to and I was very happy with it.

But now I have hardened images of Windows 7 and Windows 10, based on industry standard CIS Benchmarks. These benchmarks essentially give recommendations for changing default settings in the local group policy to recommended "more secure" settings. This tool now does not work as intended on the secure image. Reference: https://www.cisecurity.org/cis-benchmarks/

The behavior of the tool with secure configurations is as follows:

- As I run the update installer on my target system, it starts the command prompt for installing updates, installs 1/2 updates and then heads for a reboot
- upon reboot, it logs into the WOUTemp account and just stays there. No scripts run, nothing happens, it's just idle
- I then have to log out of the WOUTemp account, do the CleanupRecall and start the whole process again
- even upon doing so, it takes multiple passes before I can get the tool to install the entire update package

Can someone please help me identify what could possibly be causing this issue?

Thanks!
Nayab

Re: Hardened Windows OS compatibility

Post by aker » 07.06.2017, 19:16

Could you tell what's actually changed in the hardened image?
Any modifications in WSH, WMI, the login policies, task scheduler or something similar?

Could you post the content of C:\Windows\wsusofflineupdate.log?
Everybody finding a misspelling is allowed to keep or sell it.

WSUS Offline Update „Community Edition“
https://gitlab.com/wsusoffline/wsusoffline/-/releases
aker

Re: Hardened Windows OS compatibility

Post by Nayab » 08.06.2017, 16:23

I have attached the GP settings that were changed. I will be sending out the log file momentarily.

Code:
1.1 - Password Policy
   Set 'Enforce password history' to '10'
   Set 'Maximum password age' to '60 or less' (age will be set to 90 days according to industry best practice)
   Set 'Minimum password age' to '7 days'
   Set 'Minimum password length' to '14 or more' (length will be 8 according to industry best practice)
   Set 'Account lockout threshold' to '10'
   Set 'Access this computer from the network' to 'Administrators'
   Set 'Adjust memory quotas for a process' to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'
   Set 'Allow log on locally' to 'Administrators, Users'
   Set 'Back up files and directories' to 'Administrators'
   Set 'Deny access to this computer from the network' to include 'Guests, Local account'
   Set 'Deny log on as a batch job' to include 'Guests'
   Set 'Deny log on as a service' to include 'Guests'
   Set 'Deny log on locally' to include 'Guests'
   Set 'Deny log on through Remote Desktop Services' to include 'Guests, Local account'
   Set 'Impersonate a client after authentication' to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'
   Set 'Replace a process level token' to 'LOCAL SERVICE, NETWORK SERVICE'
   Set 'Restore files and directories' to 'Administrators'
   Set 'Shut down the system' to 'Administrators, Users'
   Set 'Accounts: Block Microsoft accounts' to 'Users can't add or log on with Microsoft accounts'
   Configure 'Accounts: Rename administrator account'
   Configure 'Accounts: Rename guest account'
2.3.2 - Audit
   Set 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' to 'Enabled'
2.3.4 - Devices
   Set 'Devices: Allowed to format and eject removable media' to 'Administrators and Interactive Users'
2.3.7 - Interactive Logon
   Set 'Interactive logon: Do not display last user name' to 'Enabled'
   Set 'Interactive logon: Do not require CTRL+ALT+DEL' to 'Disabled'
   Set 'Require trusted path for credential entry' to 'Enabled'
   Set 'Interactive logon: Machine account lockout threshold' to '10'
   Set 'Interactive logon: Machine inactivity limit' to '900'
   Configure 'Interactive logon:
   Configure 'Interactive logon: Message title for users attempting to log on' to 'Important Notice'
   Set 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' to '4'
   Set 'Interactive logon: Prompt user to change password before expiration' to '5 days'
2.3.8 - Microsoft Network Client
   Set 'Microsoft network client: Digitally sign communications (always)' to 'Enabled'
   Set 'Microsoft network server: Digitally sign communications (always)' to 'Enabled'
   Set 'Microsoft network server: Server SPN target name validation level' to 'Accept if provided by client' or higher
2.3.10 - Network Access
   Set 'Network access: Allow anonymous SID/Name translation' to 'Disabled'
   Set 'Network access: Do not allow anonymous enumeration of SAM accounts' to 'Enabled'
   Set 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' to 'Enabled'
   Set 'Network access: Do not allow storage of passwords and credentials for network authentication' to 'Enabled'
2.3.11 - Network Security
   Set 'Network security: Allow Local System to use computer identity for NTLM' to 'Enabled'
   Set 'Network security: Allow LocalSystem NULL session fallback' to 'Disabled'
   Set 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' to 'Disabled'
   Set 'Network Security: Configure encryption types allowed for Kerberos' to 'AES128_HMAC_SHA1 / AES256_HMAC_SHA1 / Future encryption types'
   Set 'User Account Control: Behavior of the elevation prompt for standard users' to 'Automatically deny elevation requests'
   Set 'User Account Control: Admin Approval Mode for the Built-in Administrator account' to 'Enabled'
   Set 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' to 'Prompt for consent on the secure desktop'
9.1 - Domain Profile
   Set 'Windows Firewall: Domain: Firewall state' to 'On (recommended)'
   Set 'Windows Firewall: Domain: Inbound connections' to 'Block (default)'
   Set 'Windows Firewall: Domain: Outbound connections' to 'Allow (default)'
   Set 'Windows Firewall: Domain: Settings: Display a notification' to 'No'
   Set 'Windows Firewall: Domain: Settings: Allow unicast response' to 'No'
   Set 'Windows Firewall: Domain: Settings: Apply local firewall rules' to 'Yes (default)'
   Set 'Windows Firewall: Domain: Settings: Apply local connection security rules' to 'Yes (default)'
   Set 'Windows Firewall: Domain: Logging: Name' to '%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log'
   Set 'Windows Firewall: Domain: Logging: Size limit (KB)' to '16,384 KB or greater'
   Set 'Windows Firewall: Domain: Logging: Log dropped packets' to 'Yes'
   Set 'Windows Firewall: Domain: Logging: Log successful connections' to 'Yes'
9.2 - Private Profile
   Set 'Windows Firewall: Private: Firewall state' to 'On (recommended)'
   Set 'Windows Firewall: Private: Inbound connections' to 'Block (default)'
   Set 'Windows Firewall: Private: Outbound connections' to 'Allow (default)'
   Set 'Windows Firewall: Private: Settings: Display a notification' to 'No'
   Set 'Windows Firewall: Private: Settings: Allow unicast response' to 'No'
   Set 'Windows Firewall: Private: Settings: Apply local firewall rules' to 'Yes (default)'
   Set 'Windows Firewall: Private: Settings: Apply local connection security rules' to 'Yes (default)'
   Set 'Windows Firewall: Private: Logging: Name' to '%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log'
   Set 'Windows Firewall: Private: Logging: Size limit (KB)' to '16,384 KB or greater'
   Set 'Windows Firewall: Private: Logging: Log dropped packets' to 'Yes'
   Set 'Windows Firewall: Private: Logging: Log successful connections' to 'Yes'
9.3 - Public Profile
   Set 'Windows Firewall: Public: Firewall state' to 'On (recommended)'
   Set 'Windows Firewall: Public: Inbound connections' to 'Block (default)'
   Set 'Windows Firewall: Public: Outbound connections' to 'Allow (default)'
   Set 'Windows Firewall: Public: Display a notification' to 'Yes'
   Set 'Windows Firewall: Public: Allow unicast response' to 'No' (Scored)
   Set 'Windows Firewall: Public: Apply local firewall rules' to 'No'
   Set 'Windows Firewall: Public: Apply local connection security rules' to 'No'
   Set 'Windows Firewall: Public: Logging: Name' to '%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log'
   Set 'Windows Firewall: Public: Logging: Size limit (KB)' to '16,384 KB or greater'
   Set 'Windows Firewall: Public: Logging: Log dropped packets' to 'Yes'
   Set 'Windows Firewall: Public: Logging: Log successful connections' to 'Yes'
   Set 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' to 'Enabled'
Group Policy Object
   Set 'Configure registry policy processing: Do not apply during periodic background processing' to 'Enabled: FALSE'
   Set 'Configure registry policy processing: Process even if the Group Policy objects have not changed' to 'Enabled: TRUE'
   Set 'Turn off background refresh of Group Policy' to 'Disabled'
   Set 'Download Mode' to 'Enabled: None or LAN or Group' or 'Disabled'
WinRM Client
   Set 'Allow Basic authentication' to 'Disabled'
   Set 'Allow unencrypted traffic' to 'Disabled'
   Set 'Disallow Digest authentication' to 'Enabled'
WinRM Service
   Set 'Allow Basic authentication' to 'Disabled'
   Set 'Allow unencrypted traffic' to 'Disabled'
   Set 'Disallow WinRM from storing RunAs credentials' to 'Enabled'
   Set 'Network security: LAN Manager authentication level' to 'Send NTLMv2 response only. Refuse LM & NTLM'
   Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' to 'Require NTLMv2 session security, Require 128-bit encryption'
   Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' to 'Require NTLMv2 session security, Require 128-bit encryption'
18.1 - Control Panel / 18.1.1 - Personalization
   Set 'Prevent enabling lock screen camera' to 'Enabled'
   Set 'Prevent enabling lock screen slide show' to 'Enabled'
   Set 'Allow Input Personalization' to 'Disabled'
   Set 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires' to 'Enabled: 5 seconds'
Sleep Settings
   Set 'Allow standby states (S1-S3) when sleeping (on battery)' to 'Disabled'
   Set 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' to 'Enabled: Highest protection, source routing is completely disabled'
   Set 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' to 'Disabled'
   Set 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' to 'Enabled'
   Set 'Allow standby states (S1-S3) when sleeping (plugged in)' to 'Disabled'
18.4.10 - Network Connections / 18.4.10.1 - Windows Firewall
   Set 'Prohibit installation and configuration of Network Bridge on your DNS domain network' to 'Enabled'
   Set 'Require domain users to elevate when setting a network's location' to 'Enabled'
10.4.13 - Network Provider
   Set 'Hardened UNC Paths' to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares'
18.4.20 - Windows Connection Manager
   Set 'Prohibit connection to non-domain networks when connected to domain authenticated network' to 'Enabled'
18.4.22.2 - WLAN Settings
   Set 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' to 'Disabled'
18.6 - Pass the Hash Mitigations
   Set 'Apply UAC restrictions to local accounts on network logons' to 'Enabled'
   Set 'WDigest Authentication' to 'Disabled'
Audit Process Creation
   Set 'Include command line in process creation events' to 'Disabled'
Logon
   Set 'Do not display network selection UI' to 'Enabled'
   Set 'Do not enumerate connected users on domain-joined computers' to 'Enabled'
   Set 'Enumerate local users on domain-joined computers' to 'Disabled'
   Set 'Turn off app notifications on the lock screen' to 'Enabled'
   Set 'Turn on PIN sign-in' to 'Disabled'
Mitigation Options
   Set 'Untrusted Font Blocking' to 'Enabled: Block untrusted fonts and log events'
Remote Assistance
   Set 'Configure Offer Remote Assistance' to 'Disabled'
   Set 'Configure Solicited Remote Assistance' to 'Disabled'
Remote Procedure Call
   Set 'Enable RPC Endpoint Mapper Client Authentication' to 'Enabled'
   Set 'Restrict Unauthenticated RPC clients' to 'Enabled: Authenticated'
AutoPlay Policies
   Set 'Disallow Autoplay for non-volume devices' to 'Enabled' (Scored)
   Set 'Set the default behavior for AutoRun' to 'Enabled: Do not execute any autorun commands'
   Set 'Turn off Autoplay' to 'Enabled: All drives'
   Set 'Do not display the password reveal button' to 'Enabled'
   Set 'Enumerate administrator accounts on elevation' to 'Disabled'
   Set 'Allow Telemetry' to 'Enabled: 0 - Security [Enterprise Only]'
   Set 'Disable pre-release features or settings' to 'Disabled'
   Set 'Toggle user control over Insider builds' to 'Disabled'
   Set 'Application: Control Event Log behavior when the log file reaches its maximum size' to 'Disabled'
   Set 'Application: Specify the maximum log file size (KB)' to 'Enabled: 32,768 KB'
   Set 'Security: Control Event Log behavior when the log file reaches its maximum size' to 'Disabled'
   Set 'Security: Specify the maximum log file size (KB)' to 'Enabled: 196,608 KB'
   Set 'Setup: Control Event Log behavior when the log file reaches its maximum size' to 'Disabled'
   Set 'Setup: Specify the maximum log file size (KB)' to 'Enabled: 32,768 KB'
   Set 'System: Control Event Log behavior when the log file reaches its maximum size' to 'Disabled'
   Set 'System: Specify the maximum log file size (KB)' to 'Enabled: 32,768 KB'
   Set 'Configure Windows SmartScreen' to 'Enabled: Require approval from an administrator before running downloaded unknown software'
   Set 'Turn off Data Execution Prevention for Explorer' to 'Disabled'
   Set 'Turn off heap termination on corruption' to 'Disabled'
   Set 'Turn off shell protocol protected mode' to 'Disabled'
   Set 'Prevent the computer from joining a homegroup' to 'Enabled'
   Set 'Prevent the usage of OneDrive for file storage' to 'Enabled'
   Set 'Do not allow passwords to be saved' to 'Enabled'
   Set 'Do not allow drive redirection' to 'Enabled'
   Set 'Always prompt for password upon connection' to 'Enabled'
   Set 'Require secure RPC communication' to 'Enabled'
   Set 'Set client connection encryption level' to 'Enabled: High Level'
   Set 'Do not use temporary folders per session' to 'Disabled'
   Set 'Allow Cortana' to 'Disabled'
   Set 'Allow indexing of encrypted files' to 'Disabled' (Scored)
   Set 'Allow search and Cortana to use location' to 'Disabled'
   Set 'Enables or disables Windows Game Recording and Broadcasting' to 'Disabled'
   Set 'Allow user control over installs' to 'Disabled'
   Set 'Always install with elevated privileges' to 'Disabled'
   Set 'Sign-in last interactive user automatically after a system-initiated restart' to 'Disabled'
   Set 'Turn on PowerShell Script Block Logging' to 'Disabled'
   Set 'Turn on PowerShell Transcription' to 'Disabled'
   Set 'Password protect the screen saver' to 'Enabled'
   Set 'Screen saver timeout' to 'Enabled: 900 seconds or fewer, but not 0'
   Set 'Network security: LDAP client signing requirements' to 'Negotiate signing or higher'
   Set 'Turn off toast notifications on the lock screen' to 'Enabled'
   Set 'Notify antivirus programs when opening attachments' to 'Enabled'
   Set 'Prevent users from sharing files within their profile.' to 'Enabled'
   Set 'Always install with elevated privileges' to 'Disabled'
17.1 - Account Logon
   Set 'Audit Credential Validation' to 'Success and Failure'
17.2 - Account Management
   Set 'Audit Application Group Management' to 'Success and Failure'
   Set 'Audit Computer Account Management' to 'Success and Failure'
   Set 'Audit Other Account Management Events' to 'Success and Failure'
   Set 'Audit Security Group Management' to 'Success and Failure'
   Set 'Audit User Account Management' to 'Success and Failure'
17.3 - Detailed Tracking
   Set 'Audit PNP Activity' to 'Success'
   Set 'Audit Process Creation' to 'Success'
17.5 - Logon/Logoff
   Set 'Audit Account Lockout' to 'Success'
   Set 'Audit Group Membership' to 'Success'
   Set 'Audit Logoff' to 'Success'
   Set 'Audit Logon' to 'Success and Failure'
   Set 'Audit Other Logon/Logoff Events' to 'Success and Failure'
   Set 'Audit Special Logon' to 'Success'
17.6 - Object Access
   Set 'Audit Removable Storage' to 'Success and Failure'
17.7 - Policy Change
   Set 'Audit Audit Policy Change' to 'Success and Failure'
   Set 'Audit Authentication Policy Change' to 'Success'
17.8 - Privilege Use
   Set 'Audit Sensitive Privilege Use' to 'Success and Failure'
17.9 - System
   Set 'Audit IPsec Driver' to 'Success and Failure'
   Set 'Audit Other System Events' to 'Success and Failure'
   Set 'Audit Security State Change' to 'Success'
   Set 'Audit Security System Extension' to 'Success and Failure'
   Set 'Audit System Integrity' to 'Success and Failure'
   Set 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' to 'Enabled: 90% or less'

Thanks
Last edited by Dalai on 08.06.2017, 21:47, edited 1 time in total.
Reason: Inserted CODE tags for better readability
Nayab

Re: Hardened Windows OS compatibility

Post by Dalai » 08.06.2017, 22:14

Check C:\Windows\wsusofflineupdate.log for any errors. Check msconfig or any other autorun management tool to see if there's a WSUSOfflineUpdate entry (you can also do this manually by looking in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run in regedit). And, if you can disable half/part of the hardening things you can greatly increase the chance to find out which policy is the culprit.

My guess is that the temporary user doesn't have admin rights, the script is executed from the autorun, but terminates itself due to missing rights.

Regards
Dalai
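The checks Dalai lists (the log, the autostart entry, and whether the temporary account actually has the rights the script needs), as an added PowerShell script. This is example code written for this page; it is not part of WSUS Offline Update and not from anyone's post in the thread. It assumes the account name WOUTemp and the log path C:\Windows\wsusofflineupdate.log from the thread, that the automatic logon into WOUTemp goes through the standard Winlogon registry values, and that it is run from an elevated prompt. The last step exports the user-rights assignments with secedit so that the 'Allow log on locally', 'Deny log on as a batch job' and related values from the hardening list can be read off directly rather than bisected blindly.

```powershell
# Added diagnostic script for the thread's problem (example code, not part of
# WSUS Offline Update). Run it elevated on the hardened target after a failed pass.
# Assumptions: the temporary account is called WOUTemp and the log lives at
# C:\Windows\wsusofflineupdate.log (both from the thread), and the autologon
# into WOUTemp uses the standard Winlogon registry values.

$LogPath     = 'C:\Windows\wsusofflineupdate.log'
$TempAccount = 'WOUTemp'
$RunKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# 1. The log: last lines, plus anything that reads like an error or a rights problem.
if (Test-Path -Path $LogPath) {
    Write-Host "== Last 20 lines of $LogPath =="
    Get-Content -Path $LogPath | Select-Object -Last 20
    Write-Host "== Log lines matching error/fail/denied/access =="
    Select-String -Path $LogPath -Pattern 'error|fail|denied|access' |
        Select-Object -Last 10 | ForEach-Object { $_.Line }
} else {
    Write-Warning "$LogPath not found"
}

# 2. Autostart: what is registered under the Run key (Dalai's msconfig / regedit
#    check, scripted). A WSUSOfflineUpdate entry should show up here between passes.
Write-Host "== Run-key entries =="
$run = Get-ItemProperty -Path $RunKey
foreach ($p in $run.PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }          # skip PowerShell's own PSPath etc.
    Write-Host ("{0,-30} {1}" -f $p.Name, $p.Value)
}

# 3. Autologon state: who Winlogon will sign in automatically after the reboot.
Write-Host "== Winlogon autologon values =="
Get-ItemProperty -Path $WinlogonKey |
    Select-Object -Property AutoAdminLogon, DefaultUserName, DefaultDomainName, ForceAutoLogon |
    Format-List

# 4. Does the temporary account exist, is it enabled, and is it a local admin?
#    'net' is used instead of Get-LocalUser / Get-LocalGroupMember so the same
#    script also runs on Windows 7, where those cmdlets do not exist.
Write-Host "== $TempAccount account and group membership =="
$userInfo = net user $TempAccount 2>$null
if ($LASTEXITCODE -ne 0) {
    Write-Warning "$TempAccount does not exist on this machine"
} else {
    $userInfo | Where-Object { $_ -match '^(Account active|Password expires|Account expires)' }
    $admins  = net localgroup Administrators 2>$null
    $pattern = '^\s*' + [regex]::Escape($TempAccount) + '\s*$'
    if ($admins -match $pattern) {
        Write-Host "$TempAccount is a member of Administrators"
    } else {
        Write-Warning "$TempAccount is NOT a member of Administrators (the cause Dalai suspects)"
    }
}

# 5. The user-rights assignments from the hardening list that govern the temporary
#    account's logon: interactive, batch and service logon plus their Deny
#    counterparts. secedit writes a Unicode .inf; SIDs appear with a leading '*'.
$inf = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
Write-Host "== Logon-related user rights (S-1-5-32-544 = Administrators, S-1-5-32-545 = Users) =="
Get-Content -Path $inf |
    Where-Object { $_ -match '^Se(Interactive|Batch|Service|DenyInteractive|DenyBatch|DenyService)LogonRight' }
Remove-Item -Path $inf -ErrorAction SilentlyContinue
```

Save it as a .ps1 and run it from an elevated PowerShell on the target right after the reboot leaves WOUTemp idle; the output of steps 2, 4 and 5 together shows whether the autostart entry survived, whether the account is an administrator, and which of the 'Allow'/'Deny log on' rights in the hardening list apply to it, which narrows the bisection Dalai suggests to a handful of policies.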
