Threats and Countermeasures Guide: Security Settings in Windows 7 and Windows Server 2008 R2

If you are looking to understand what the security policies in Windows 7 and 2008 R2 mean and how they can impact your environment, then this guide is a must read.

The document covers the following categories in some depth:

Account Policies

This section discusses the Group Policy settings that are applied at the domain level: password policies, account lockout policies, and Kerberos protocol authentication policies.

Advanced Security Audit Policy

This section discusses the use of advanced audit policy settings, which are now integrated with Group Policy to monitor and enforce your security measures. It describes the various settings, and it provides examples of how audit information is modified when the settings are changed.

User Rights

This section discusses the various logon rights and privileges that are provided by the Windows 7 and Windows Server 2008 R2 operating systems, and it provides guidance about which accounts should be assigned these rights.

Security Options

This section provides guidance about security settings for digital data signatures, Administrator and Guest account names, drive access, driver installation behaviour, and logon prompts.

Event Log

This section provides guidance about how to configure the settings that relate to the various event logs on computers running Windows Server 2008 R2 or Windows 7.

System Services

Windows Server 2008 R2 and Windows 7 include a variety of system services. Many of these services are configured to run by default, but others are not present unless you install specific components. This section describes the various services included with the operating systems so that you can best decide which ones to leave enabled and which ones can be safely disabled.

Software Restriction Policies

This section provides a brief overview of the Software Restriction Policy feature that is available in Windows Server 2008 R2 and Windows 7. It provides links to additional resources about how to design and use policy settings to control which applications can be used in your organization.

Application Control Policies

This section provides a brief overview of the AppLocker™ feature that is available in Windows Server 2008 R2 and Windows 7. It provides links to additional resources about how to design and use policy settings to control which applications can be used in your organization.

External Storage Devices

This section describes Group Policy settings that can be used to limit, prevent, or allow the use of external storage devices in networked computers.

Additional Resources

This section provides links to additional information sources about Windows security topics from Microsoft that you may find useful.

Slipping in under the Office 2010 Radar – System Center Essentials 2010 and Data Protection Manager 2010 – RTM

Slipping in under the Office 2010 RTM radar, Microsoft released to manufacturing (RTM’d) Microsoft System Center Essentials 2010 and System Center Data Protection Manager (DPM) 2010 yesterday (19/4/10).

Microsoft System Center Essentials 2010

System Center Essentials 2010 (SCE 2010) provides IT professionals in mid-sized organizations with a unified physical and virtual management experience. It enables you to better secure, update, monitor, and troubleshoot from a single console, so you can efficiently and proactively manage your IT environment. The main addition to this second System Center Essentials release is the seamless integration of Virtual Machine Manager 2008 R2 technology, making it quick and easy for midsize businesses to begin realizing the cost-cutting benefits of server consolidation using virtualization. SCE 2010 will enable you to rapidly move from a physical to a virtual server environment while maintaining the control and simple management you have come to expect from the product.

System Center Data Protection Manager (DPM) 2010

Data Protection Manager (DPM) 2010 is part of the System Center family of management products from Microsoft. It delivers unified data protection for Windows servers such as SQL Server, Exchange, SharePoint, Virtualization and file servers — as well as Windows desktops and laptops.

DPM seamlessly uses disk, tape, and cloud-based repositories to deliver an easy-to-use and best-of-breed backup and recovery solution for Windows environments from Microsoft. Windows customers of all sizes can rely on Microsoft to provide a scalable and manageable protection solution that is cost-effective, secure, and reliable.

Security Compliance Manager (Guidance on how to harden your Windows environments).

The Security Compliance Manager is a free Solution Accelerator from Microsoft which has been designed to enable organisations to take advantage of the experience of Microsoft security professionals and reduce the time and cost required to harden Windows infrastructure.

The Security Compliance Manager provides access to the complete database of Microsoft recommended security settings; using this information you can configure and customise security baselines, which can then be exported to multiple formats, including Excel, Group Policy objects (GPOs), Desired Configuration Management (DCM) packs or the Security Content Automation Protocol (SCAP), for analysis or implementation.

Download the Security Compliance Manager

Learn more about the Security Compliance Manager

Solution Accelerators are tools and guidance that help you solve your deployment, planning and operational IT problems. Solution Accelerators are free and fully supported. Want to learn more about Microsoft Solution Accelerators? Click here.

Windows XP SP2 – The end is nigh.

This year there are a few versions of Windows which will go out of support. If you continue to use these versions of Windows, beware: it is effectively the same as driving a Ford Capri around town; it works, everyone of a certain age knows what it is, but good luck if it goes wrong.

Windows 2000 Professional and Windows 2000 Server were both launched over 10 years ago and both products regardless of service pack will go out of support on July 13th, 2010.

Windows XP with Service Pack 2 will go out of support on July 13th, 2010, but support for Windows XP with Service Pack 3 will continue. This means that from July 13th onwards, Microsoft will no longer support or provide free security updates for Windows XP with Service Pack 2.

To ensure you still receive security updates, Windows XP should be upgraded to Windows XP Service Pack 3; this is available for free via the Windows Update website or from

Windows Vista with no Service Packs installed will go out of support on April 13th 2010.
To ensure you still receive security updates, Windows Vista should be upgraded to Windows Vista Service Pack 2; this is available for free via the Windows Update website or from:

For more information and for further clarity, I recommend checking out:

Microsoft Security Compliance Manager (BETA)

This week sees the beta of “Microsoft Security Compliance Manager (SCM)” released. The tool will enable you to view, update, and export security baselines for the following Microsoft products:

Internet Explorer 8
Microsoft Office 2007 SP2
Windows 7
Windows Server 2003 SP2
Windows Server 2008 SP2
Windows Vista SP2
Windows XP SP3

I have not had a chance to experiment with the product too much yet, but it looks as if it may add some value. If you are interested in joining the beta, the URL to sign up is:

PCI-DSS – It’s not rocket science.

For nearly two years, I worked on a PCI-DSS project for one of the world’s most recognisable brands.

What is PCI-DSS?

PCI-DSS is a mandatory compliance standard for all companies that process, store or transmit payment card information.

There is a sliding scale of compliance, and the level of compliance reporting required is based primarily on the number of credit card transactions completed in a year.

See for further details.

My Experience

Within days of starting the PCI-DSS project it became apparent to me and the rest of the project team that what the standard was asking for was indeed not rocket science, but a series of best practices that, in reality, you should be doing anyway.

Before you go off and spend thousands of pounds, dollars or euros to become compliant, take a step back and look at your scope of compliance. What do I mean by that?

If you have 10000 PCs in your environment but only 500 process credit card information, then those 500 PCs are your target for compliance, not all 10000, as the latter would potentially have huge cost implications and huge management overheads.

The rule that our QSA gave us to work with for our audit was:

Any PC or server that processes cardholder data, stores cardholder data, or can access (or influence access to) cardholder data is in scope.

If the network is encrypted then the network is out of scope; if no encryption is present then the network is in scope.

Once you have the scope, speak to your QSA and have the scope ratified, agreed and signed off.

It is worth noting that at this stage you should be totally honest with your QSA and not try to hide anything under the carpet: if there is a payment card security breach within your organisation, the kept secret may just be the cause of the breach, and the ultimate punishment for a breach is that the ability to process payment cards of any type is withdrawn.

Translating the rules into plain English from an infrastructure perspective (summarised and not exhaustive)

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Document all firewall rules
Diagram all network flows
Remove any legacy rules
Justify all rules in the firewall
Review all firewall rules every six months
Segment the network (if possible)
Secure all router configuration files
All firewalls must be stateful packet inspection firewalls
Implement or confirm a rigid change control process for any new rules or when modifying existing rules

There are other considerations but it depends where your cardholder data is located.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Reset all vendor-supplied defaults, including passwords, on all servers, applications, operating systems, networking equipment (SNMP community strings) etc.
Implement configuration hardening standards (such as CIS – Center for Internet Security)
Implement only one primary function per server (excludes virtualisation and Active Directory integrated DNS)

Requirement 3: Protect stored cardholder data

Encrypt all stored cardholder data
Set permissions on the data so that access is only given to people or applications that need it
Develop data retention standards
Do NOT store sensitive authentication data after authorisation (even if encrypted)
Mask PAN when the number is displayed

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Encrypt the network or encrypt the data as it ‘travels’ over the network
Wireless networks have been banned from transmitting credit card data over WEP-encrypted networks since 31st March 2009

Requirement 5: Use and regularly update anti-virus software

Have a valid anti-virus application installed on all systems in scope
Ensure the anti-virus can be updated on demand
Ensure the anti-virus can provide audit logs
Ensure your anti-virus also includes a HIPS firewall

Requirement 6: Develop and maintain secure systems and applications

Apply all security patches regularly and within 3 months of release (on a priority basis)
Establish a process to identify all new vulnerabilities
Test all vulnerability patches before applying them

Requirement 7: Restrict access to cardholder data by business need-to-know

Ensure only personnel who need to access the data can, for example through file permissions or two-factor authentication
Ensure the default access to credit card holder data is set to “deny all”

Requirement 8: Assign a unique ID to each person with computer access

Remove all generic logons, ensuring all personnel use named or personally identifiable accounts
Ensure that two-factor authentication is used for remote access
Ensure you have a compliant password policy
Ensure you have a compliant leavers and joiners policy
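The Account Policies settings summarised in the Threats and Countermeasures section above (password and account lockout policy) are the same ones Requirement 8 asks you to have a compliant policy for. The PowerShell script below is an added example, not part of the original post and not a Microsoft tool: it exports the effective local policy with secedit and compares the [System Access] values against a baseline. The threshold values, the temporary file name and the list of settings checked are assumptions for illustration; replace them with the baseline your QSA has signed off. It needs an elevated prompt and PowerShell 3.0 or later.

```powershell
# Added example (not from the original post, not a Microsoft tool): export the local
# Account Policies with secedit and compare them with a baseline. Thresholds below are
# constructed for illustration; use the baseline agreed with your QSA.
$cfgPath = Join-Path $env:TEMP 'secpol-export.inf'

# secedit writes the effective local policy as a Unicode INI file; needs an elevated prompt.
secedit /export /cfg $cfgPath /quiet | Out-Null

# Parse only the [System Access] section (password and lockout settings) into a hashtable.
$settings = @{}
$inSection = $false
foreach ($line in Get-Content -Path $cfgPath) {
    if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $settings[$Matches[1]] = $Matches[2] }
}

# Baseline: each entry names a setting, states the rule for the report, and tests a value.
# Special values: MaximumPasswordAge -1 = never expires; LockoutBadCount 0 = lockout disabled;
# LockoutDuration -1 = locked until an administrator unlocks the account.
$baseline = @(
    @{ Name = 'MinimumPasswordLength'; Rule = '>= 7';        Test = { param($v) $v -ge 7 } }
    @{ Name = 'PasswordComplexity';    Rule = '= 1';         Test = { param($v) $v -eq 1 } }
    @{ Name = 'PasswordHistorySize';   Rule = '>= 4';        Test = { param($v) $v -ge 4 } }
    @{ Name = 'MaximumPasswordAge';    Rule = '1..90 days';  Test = { param($v) $v -ge 1 -and $v -le 90 } }
    @{ Name = 'LockoutBadCount';       Rule = '1..6';        Test = { param($v) $v -ge 1 -and $v -le 6 } }
    @{ Name = 'LockoutDuration';       Rule = '>= 30 or -1'; Test = { param($v) $v -ge 30 -or $v -eq -1 } }
    @{ Name = 'ResetLockoutCount';     Rule = '>= 30 min';   Test = { param($v) $v -ge 30 } }
)

$results = foreach ($item in $baseline) {
    $raw = $settings[$item.Name]
    $value = $null
    if ($null -ne $raw -and $raw -match '^-?\d+$') { $value = [int]$raw }
    # A setting missing from the export (e.g. lockout values when lockout is off) fails the check.
    $shown = '(not set)'
    if ($null -ne $value) { $shown = $value }
    [pscustomobject]@{
        Setting  = $item.Name
        Current  = $shown
        Required = $item.Rule
        Pass     = ($null -ne $value) -and (& $item.Test $value)
    }
}

$results | Format-Table -AutoSize
Remove-Item -Path $cfgPath -ErrorAction SilentlyContinue
```

On a domain-joined machine the exported values are the effective ones after Group Policy is applied, so this doubles as a check that the domain Account Policies actually reached the in-scope hosts. The export file is deleted at the end because it also contains account names and other policy details you do not want left in a temp folder.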

Requirement 9: Restrict physical access to cardholder data

Implement or validate security cameras covering all servers in scope
Implement a visitor register in the equipment rooms in scope
Ensure no PCs in scope are in an area accessible to the general public
Restrict access to publicly accessible network points
Ensure all visitors to locations with equipment in scope are easily identifiable from employees
Securely store all backups, offsite if possible
Classify all backup media so that cardholder data can be identified as confidential

Requirement 10: Track and monitor all access to network resources and cardholder data

Implement audit logging to a secured and centralised log server so that all systems can be analysed in the event of a security breach
Ensure the required minimum is actually logged
Synchronise time across all systems
Use file integrity monitoring or change detection software on all systems in scope
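"Ensure the required minimum is actually logged" is where the advanced audit policy settings described in the Threats and Countermeasures summary above come in. The script below is an added example (not from the original post): it reads the effective advanced audit policy through auditpol's CSV output and flags any subcategory that audits less than a required minimum. The list of subcategories and the required settings are constructed for this example, not the PCI-DSS or Microsoft list; the subcategory names are the English auditpol names, so adjust them on localised systems.

```powershell
# Added example (not from the original post): verify the effective advanced audit
# policy against a required minimum. Subcategory names and required settings below
# are constructed for this example and use the English auditpol names.
$required = @{
    'Security State Change'     = 'Success'
    'Logon'                     = 'Success and Failure'
    'Logoff'                    = 'Success'
    'Account Lockout'           = 'Success and Failure'
    'Special Logon'             = 'Success'
    'User Account Management'   = 'Success and Failure'
    'Security Group Management' = 'Success and Failure'
    'Audit Policy Change'       = 'Success and Failure'
    'Sensitive Privilege Use'   = 'Success and Failure'
    'Credential Validation'     = 'Success and Failure'
}

# Encode a setting as flags so "Success and Failure" satisfies either half alone.
function Get-AuditFlags([string]$setting) {
    $flags = 0
    if ($setting -match 'Success') { $flags = $flags -bor 1 }
    if ($setting -match 'Failure') { $flags = $flags -bor 2 }
    return $flags
}

# auditpol /r returns CSV (header: Machine Name,Policy Target,Subcategory,
# Subcategory GUID,Inclusion Setting,Exclusion Setting). Needs an elevated prompt.
$rows = auditpol /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv

$report = foreach ($name in $required.Keys) {
    $row  = $rows | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
    $have = if ($row) { $row.'Inclusion Setting'.Trim() } else { '(not reported)' }
    $need = $required[$name]
    $needFlags = Get-AuditFlags $need
    [pscustomobject]@{
        Subcategory = $name
        Required    = $need
        Effective   = $have
        # Pass only when every required flag is present in the effective setting.
        Pass        = (((Get-AuditFlags $have) -band $needFlags) -eq $needFlags)
    }
}

$report | Sort-Object Pass, Subcategory | Format-Table -AutoSize
# Non-zero exit so a scheduled run can raise an alert on the log server.
if ($report | Where-Object { -not $_.Pass }) { exit 1 }
```

Run it on a representative in-scope host after the audit policy GPO has applied; a failing row means the events your centralised log server expects for that subcategory will never be generated, which is the gap an auditor (or an incident investigation) will find.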

Requirement 11: Regularly test security systems and processes

Scan for wireless networks regularly
Run internal and external vulnerability scans at least quarterly and after significant network changes or application modifications
Run internal and external penetration tests at least once a year and after significant network changes or application modifications
Use IPS or IDS to monitor all traffic in the cardholder data environment
Use file integrity monitoring or change detection software on all systems in scope
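Requirements 10 and 11 both call for file integrity monitoring or change detection on all systems in scope. As an added example (not from the original post and not a product recommendation), the PowerShell script below records SHA-256 hashes of every file under a set of paths and, on later runs, reports files that were added, removed or modified against that baseline. The example paths, the baseline file location and the script name (save it as Invoke-FimCheck.ps1) are assumptions; Get-FileHash requires PowerShell 4.0 or later.

```powershell
# Added example (not from the original post): minimal file integrity check.
# First run (or -Baseline) records SHA-256 hashes of the in-scope paths; later runs
# report added, removed and modified files. Paths below are constructed examples.
param(
    [string[]]$Paths = @('C:\inetpub\wwwroot', 'C:\Windows\System32\drivers\etc'),
    [string]$BaselineFile = (Join-Path $env:ProgramData 'fim-baseline.csv'),
    [switch]$Baseline
)

# Walk each root and hash every file; unreadable files are skipped silently.
function Get-FileInventory([string[]]$roots) {
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Path = $_.FullName
                Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

$current = @(Get-FileInventory $Paths)

if ($Baseline -or -not (Test-Path $BaselineFile)) {
    $current | Export-Csv -Path $BaselineFile -NoTypeInformation
    Write-Output "Baseline written: $($current.Count) files -> $BaselineFile"
    return
}

# Load both snapshots as path -> hash maps and diff them.
$old = @{}
Import-Csv -Path $BaselineFile | ForEach-Object { $old[$_.Path] = $_.Hash }
$new = @{}
$current | ForEach-Object { $new[$_.Path] = $_.Hash }

$changes = @()
foreach ($p in $new.Keys) {
    if (-not $old.ContainsKey($p))  { $changes += [pscustomobject]@{ Change = 'Added';    Path = $p } }
    elseif ($old[$p] -ne $new[$p])  { $changes += [pscustomobject]@{ Change = 'Modified'; Path = $p } }
}
foreach ($p in $old.Keys) {
    if (-not $new.ContainsKey($p))  { $changes += [pscustomobject]@{ Change = 'Removed';  Path = $p } }
}

if ($changes.Count -eq 0) {
    Write-Output 'No changes against baseline.'
} else {
    $changes | Sort-Object Change, Path | Format-Table -AutoSize
    exit 1   # non-zero exit so a scheduled task can alert on any change
}
```

Two operational points the script does not solve for you: keep the baseline file (and a copy of the script) on the centralised log server rather than on the monitored host, so whoever changes a monitored file cannot also rewrite the baseline; and feed the change list into the daily log review procedure Requirement 12 asks for, otherwise the monitoring exists on paper only.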

Requirement 12: Maintain a policy that addresses information security

Maintain and publish an Information Security policy for your organisation; review it at least annually or after significant network changes or application modifications
Maintain and publish an acceptable use policy and ensure all personnel are aware of the policy and have signed up to it
Develop daily operational procedures to review log files and IDS/IPS output
Label all equipment
Develop a software catalogue of approved applications
Develop an incident response team to respond to a system breach and test annually
Develop a program to monitor your service providers’ PCI-DSS status (if they are not compliant, you are not compliant)

In a nutshell, that’s it. If you complete or have completed these tasks, you will be well on the road to PCI-DSS compliance. Of course, this is only the beginning: once you are compliant you have to stay compliant, and that’s when the fun really starts.