Summary: this page describes the recommended configuration settings for deploying the CAST AIP Back Office components (see Deployment - sizing and security for more information about which components are deemed "Back Office" components and who uses them) in a Virtual Machine environment. These settings are not limited to a secured deployment: they can be used even if you do not intend to deploy the CAST AIP Back Office components via Citrix XenApp.

Users/Groups configuration

The following basic users/groups configuration should be set up in a distinct OU (Organizational Unit) using the Active Directory Users and Groups snap-in:

 

Groups

  • CAST (members: CASTADMINS, CASTUSERS): used to deploy the delivery group.
  • CASTADMINS (members: USER1, USER2): used for CAST admin users. This group has access to the CAST AIP admin tools such as:
    • CAST Server Manager
    • CAST Update Tool
    • CAST Extension Downloader
  • CASTUSERS (members: USER3, USER4, USER5, USER6): used for CAST users, who need access to:
    • CAST Management Studio
    • CAST Transaction Configuration Center
    • CAST Architecture Checker

This is just a recommendation and you are free to add more users/groups as required.
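As an added example (not part of the CAST documentation), the following PowerShell script creates the OU and the three nested security groups from the table above with the ActiveDirectory module. The OU name "CAST AIP" and the member names USER1 to USER6 are assumptions taken from the table; run it on a machine with RSAT and an account allowed to create objects in the domain.

```powershell
# Added example: creates the OU and the CAST / CASTADMINS / CASTUSERS groups from the table.
# Assumptions: OU name "CAST AIP" directly under the domain root; USER1..USER6 are the
# placeholder sAMAccountNames from the table and must exist before they can be added.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$ouName   = 'CAST AIP'                          # assumed OU name
$ouDn     = "OU=$ouName,$domainDn"

if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# Group -> members, in the order of the table. CAST contains the two other groups, so the
# ordered dictionary guarantees CASTADMINS and CASTUSERS exist before CAST is populated.
$groups = [ordered]@{
    'CASTADMINS' = @('USER1', 'USER2')
    'CASTUSERS'  = @('USER3', 'USER4', 'USER5', 'USER6')
    'CAST'       = @('CASTADMINS', 'CASTUSERS')
}

foreach ($name in $groups.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $ouDn)) {
        New-ADGroup -Name $name -SamAccountName $name -GroupScope Global -GroupCategory Security `
            -Path $ouDn -Description "CAST AIP Back Office: $name"
    }
    # Add-ADGroupMember accepts users and groups alike; members that do not exist yet are skipped
    $members = $groups[$name] | Where-Object { Get-ADObject -Filter "SamAccountName -eq '$_'" }
    if ($members) { Add-ADGroupMember -Identity $name -Members $members }
}

# Verification: recursive membership of CAST should resolve to USER1..USER6
Get-ADGroupMember -Identity 'CAST' -Recursive | Select-Object SamAccountName
```

The groups are created as Global security groups so that they can be nested and used directly in the share and NTFS permissions described further down.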

Folder/Share configuration

The following folder/share hierarchy should be set up on a networked Windows File Server. This is also available as a downloadable PDF.

There are various "root" folders located in C:\shares:

  • castconfig: path C:\shares\castconfig, share name castconfig$. Used to store the CAST AIP configuration files (connection profiles etc.).
  • castusers: path C:\shares\castusers, share name castusers$. Used to store files created during a user session when using CAST AIP.
  • castltsa: path C:\shares\castltsa, share name castltsa$. Used to store the CAST AIP LTSA files (Large Temporary Storage Area). These are temporary files generated during a CAST AIP analysis.
  • castlisa: path C:\shares\castlisa, share name castlisa$. Used to store the CAST AIP LISA files (Large Intermediate Storage Area). These are miscellaneous files generated during a CAST AIP analysis.
  • castlogs: path C:\shares\castlogs, share name castlogs$. Used to store CAST AIP log files generated when using CAST AIP.
  • SCDF: path C:\shares\SCDF, share name SCDF$. Source Code Delivery Folder: used to store files related to the delivery of source code (see Source code delivery - an introduction).

Note that the share name includes a $ sign to prevent the shares from being seen when browsing the Windows file server.

Creating the folders/shares

castusers

The share has been set as indicated below:

The permissions for the share have been set as follows:


NTFS permissions

Inheritance has been disabled for the castusers folder:

 

and we have added the CAST security group:

with the following Advanced permissions on "This folder only":

castconfig

The share has been set as indicated below:

The permissions for the share have been set as follows:

NTFS permissions

Inheritance has been disabled for the castconfig folder:

and we have added the CAST security group:

with the following Basic permissions on "This folder, subfolders and files":
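The screenshots referred to above are not reproduced here, so the following PowerShell script is an added example (not the CAST documentation's own procedure) of creating the six root folders, publishing them as hidden shares and setting the NTFS permissions for the castusers and castconfig folders. The exact rights are assumptions: the CAST group gets Read & Execute on castconfig (this folder, subfolders and files) and may only list and create subfolders in castusers (this folder only), with CREATOR OWNER receiving full control of whatever is created underneath so that each user owns the %username% folder the GPO creates later. The domain\group name CORP\CAST is also assumed.

```powershell
# Added example: folders, hidden SMB shares and NTFS permissions for the C:\shares hierarchy.
# Assumed values: group name CORP\CAST, share permission "Change" for that group, and the
# NTFS rights set in the two calls at the bottom.
$root  = 'C:\shares'
$group = 'CORP\CAST'

$shares = @(
    @{ Name = 'castconfig'; Desc = 'CAST AIP configuration files' }
    @{ Name = 'castusers';  Desc = 'Per-user session files' }
    @{ Name = 'castltsa';   Desc = 'Large Temporary Storage Area' }
    @{ Name = 'castlisa';   Desc = 'Large Intermediate Storage Area' }
    @{ Name = 'castlogs';   Desc = 'CAST AIP log files' }
    @{ Name = 'SCDF';       Desc = 'Source Code Delivery Folder' }
)

foreach ($s in $shares) {
    $path = Join-Path $root $s.Name
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    # The trailing $ hides the share from browse lists; it is not an access control on its own.
    # Share permissions stay coarse (Change for the group); NTFS carries the real restriction.
    if (-not (Get-SmbShare -Name "$($s.Name)$" -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name "$($s.Name)$" -Path $path -Description $s.Desc -ChangeAccess $group | Out-Null
    }
}

function Set-CastFolderAcl {
    param(
        [string]$Path,
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate = 'None',
        [switch]$CreatorOwnerFullControlBelow
    )
    $acl = Get-Acl -Path $Path
    # Disable inheritance and drop the inherited ACEs (isProtected = $true, preserveInheritance = $false)
    $acl.SetAccessRuleProtection($true, $false)
    # Administrators and SYSTEM keep full control so the server stays manageable
    foreach ($admin in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $admin, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'))
    }
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, $Inherit, $Propagate, 'Allow'))
    if ($CreatorOwnerFullControlBelow) {
        # Applies only to subfolders and files (InheritOnly), never to the root folder itself
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            'CREATOR OWNER', 'FullControl', 'ContainerInherit, ObjectInherit', 'InheritOnly', 'Allow'))
    }
    Set-Acl -Path $Path -AclObject $acl
}

# castconfig: "This folder, subfolders and files" = ContainerInherit + ObjectInherit
Set-CastFolderAcl -Path "$root\castconfig" -Identity $group -Rights 'ReadAndExecute' `
    -Inherit 'ContainerInherit, ObjectInherit'

# castusers: "This folder only" = no inheritance flags; the group may list and create subfolders,
# and the user who creates a subfolder (the %username% folder from the GPO) owns it outright
Set-CastFolderAcl -Path "$root\castusers" -Identity $group -Rights 'ListDirectory, CreateDirectories, ReadAttributes' `
    -Inherit 'None' -CreatorOwnerFullControlBelow

# Review the result
Get-Acl "$root\castusers" | Format-List Owner, AccessToString
```

Without the CREATOR OWNER entry, a "This folder only" ACE on castusers leaves a freshly created %username% folder with nothing but the Administrators and SYSTEM entries, and the user's own session would be unable to write into it.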

Mapping the shares with a GPO

Once the shares have been created on the File Server, the next step is to create two GPOs:

  • CAST - Folders
  • CAST - Mapped Drives

CAST - Folders

This GPO will create a folder called %username% (i.e. named for the current user) in the castusers$ (C:\shares\castusers) share when a user logs in. The GPO uses User Configuration settings:

CAST - Mapped Drives

This GPO will create the following mapped drives when a user logs in:

  • U: = \\SERVER\castusers$\%username%
  • S: = \\SERVER\castconfig$
  • T: = \\SERVER\castltsa$
  • L: = \\SERVER\castlisa$
  • I: = \\SERVER\castlogs$
  • Z: = \\SERVER\SCDF$

The GPO uses User Configuration settings (example showing only the S: and U: drives):

Applying the GPOs

When you have created the two GPOs you must apply them to the appropriate Organizational Unit so that they are valid for the users you need.

Please also take note of the "Link Order" as highlighted below: the CAST - Folders GPO MUST be ordered before the CAST - Mapped Drives GPO.

Setting the CAST AIP file storage locations

Once the GPOs are in place and functioning, the next step is to use the mapped drives to set the various CAST AIP file storage locations:

Using the CastGlobalSettings.ini

As shown in the folders and shares diagram, the CastGlobalSettings.ini file (located at the root of the CAST AIP installation folder) must always be used to define the various file storage locations required by CAST AIP:

A suggested configuration for the CastGlobalSettings.ini, based on the above folder/share structure, is as follows (the drives are mapped on the machine on which CAST AIP has been installed):

; ******************************
; *** CastGlobalSettings.ini ***
; ******************************
; Set All users' path
CAST_ALL_USERS_PATH=S:\CAST\CAST\$CAST_MAJOR_VERSION$.$CAST_MINOR_VERSION$\
; Set folder containing plugins
CAST_PLUGINS_ROOT_PATH=S:\CAST\CAST\Extensions\
; Set program files common files' path
CAST_PROGRAM_FILES_COMMON_PATH=S:\Common\CAST\$CAST_MAJOR_VERSION$.$CAST_MINOR_VERSION$\
; Set unversioned program files common files' path
CAST_PROGRAM_FILES_COMMON_UNVERSIONED_PATH=S:\Common\CAST\
; Set current user's path
CAST_CURRENT_USER_WORK_PATH=U:\CAST\CAST\$CAST_MAJOR_VERSION$.$CAST_MINOR_VERSION$\
; Set current user's temporary path
CAST_CURRENT_USER_TEMP_PATH=U:\Temp\CAST\CAST\$CAST_MAJOR_VERSION$.$CAST_MINOR_VERSION$\ 
Note that you can find out more information about the CastGlobalSettings.ini file in Appendix - Modifying default CAST data storage locations.
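As an added example (not part of the CAST documentation), the PowerShell script below checks, on a machine where both GPOs have applied, that each drive letter maps to the UNC target in the mapped-drives table and that every CAST_* path in CastGlobalSettings.ini sits on one of those drives and already exists. "SERVER" is the placeholder file server name from the table, the ini location C:\Program Files\CAST\CastGlobalSettings.ini is assumed, and the $CAST_MAJOR_VERSION$ / $CAST_MINOR_VERSION$ tokens are replaced with assumed values (8 and 3) purely so the paths can be tested; run it as a CAST user, not as an administrator, since the drives are per-user mappings.

```powershell
# Added example: verifies the GPO drive mappings and the CastGlobalSettings.ini locations.
# Assumptions: file server "SERVER", ini under C:\Program Files\CAST, version tokens 8 and 3.
$server   = 'SERVER'
$user     = $env:USERNAME
$expected = @{
    'U:' = "\\$server\castusers$\$user"
    'S:' = "\\$server\castconfig$"
    'T:' = "\\$server\castltsa$"
    'L:' = "\\$server\castlisa$"
    'I:' = "\\$server\castlogs$"
    'Z:' = "\\$server\SCDF$"
}
$ini     = 'C:\Program Files\CAST\CastGlobalSettings.ini'
$version = @{ CAST_MAJOR_VERSION = '8'; CAST_MINOR_VERSION = '3' }

function Test-CastDriveMappings {
    # Get-SmbMapping reports LocalPath (e.g. "U:") and RemotePath (the UNC target)
    $mapped = @{}
    Get-SmbMapping | ForEach-Object { $mapped[$_.LocalPath] = $_.RemotePath }
    foreach ($drive in $expected.Keys) {
        if (-not $mapped.ContainsKey($drive)) {
            "$drive is not mapped (check the CAST - Mapped Drives GPO and its link order)"
        } elseif ($mapped[$drive] -ne $expected[$drive]) {
            "$drive maps to $($mapped[$drive]) instead of $($expected[$drive])"
        }
    }
}

function Test-CastGlobalSettings {
    foreach ($line in Get-Content -LiteralPath $ini) {
        # Only KEY=value lines; ';' comments and blank lines are skipped
        if ($line -notmatch '^\s*(CAST_\w+)\s*=\s*(.+?)\s*$') { continue }
        $key, $value = $Matches[1], $Matches[2]
        foreach ($token in $version.Keys) { $value = $value.Replace("`$$token`$", $version[$token]) }
        $drive = if ($value.Length -ge 2) { $value.Substring(0, 2) } else { '' }
        if (-not $expected.ContainsKey($drive)) {
            "$key = $value is not on a GPO-mapped drive"
        } elseif (-not (Test-Path -LiteralPath $value)) {
            "$key = $value does not exist yet on $($expected[$drive])"
        }
    }
}

$problems = @(Test-CastDriveMappings) + @(Test-CastGlobalSettings)
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { 'All mapped drives and CastGlobalSettings.ini locations check out.' }
```

A path that lands on an unexpected drive letter is the symptom to look for when the CAST - Folders and CAST - Mapped Drives GPOs are linked in the wrong order.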

Using CAST Management Studio preferences

As shown in the folders and shares diagram, various preferences for storing CAST Management Studio generated files must be defined:

  • workingPath: corresponds to the LISA folder (drive required: L:\)
  • temporaryPath: corresponds to the LTSA folder (drive required: T:\)
  • logRootPath: corresponds to the CMS log root folder (drive required: I:\)

To set these preferences, there are two choices:

cast-ms.preferences.pmx

Edit this file (located by default in the castusers share mapped as the U:\ drive), as instructed in the comment surrounded by <!-- and -->:

<?xml version="1.0" encoding="UTF-8"?>
<document version="1.1">
 <lot symbol="Preferences" label="Cast General" requires="pmcgeneral:3.1;preferences:2.3;system:1.0">

<!-- modify the logRootPath, workingPath and temporaryPath as shown below -->

  <preferences.Preferences logRootPath="I:\" logIncludeDate="true" workingPath="L:\" temporaryPath="T:\" audience="preferences.Regular"/>

  <preferences.Preferences2 protocol="preferences.SmtpMailProtocol" port="25"/>
 </lot>
</document>

CAST Management Studio GUI

This screen can be accessed in the CAST Management Studio: Window > Preferences:

General Windows security configuration

In order to limit the ability of a potential attacker to A) execute code on the operating system of the host server from the remote session and B) grant themselves additional privileges to circumvent the protection and security that has been put in place, the following general Windows configuration settings should be applied.

Operating System updates

  • The Operating System of any Virtual Machine hosting CAST AIP related components should be updated on a monthly basis with official security updates from Microsoft
  • Updates should be tested in a "development" environment before they are applied to production servers. This is to check that the Operating System is not negatively impacted by the updates.

Use of Anti-Virus

On each Virtual Machine:

  • anti-virus software should be installed
  • all files related to the anti-virus software should be read only to end-users
  • any services installed by the anti-virus software must be configured to start when the host Operating System is started and it should not be possible for end-users to manually stop them
  • a password should be implemented in the anti-virus administration console to prevent unauthorised modification of any of the anti-virus settings by the end-user
  • the anti-virus software should be scheduled to receive new virus definition updates at least once a day
  • the "local" anti-virus administration console should be connected to a "centralized" anti-virus administration console so that any incident (for example prevention of anti-virus updates from being downloaded, unexpected stopping of the anti-virus service, virus detection, uninstallation etc.) will be flagged

Network

The Virtual Machines should be isolated from other company servers using a firewall and should only be accessible from client workstations in the Back Office zone.

Internet

  • The Virtual Machines should not have internet access using TCP or UDP protocols on any of the available 65535 ports, nor via ICMP. This will prevent ping requests or DNS lookups reaching the outside world, which are often methods used to tunnel connections.
  • If internet access is required to apply specific updates, then this access should be limited to the IP address or fully qualified domain name of the target server.

Software

  • The installation of software other than CAST AIP applications should be prevented.
  • The server does not require any text editor software such as Microsoft Office, Wordpad or Notepad, and does not require an additional browser (Chrome, Firefox etc.): Internet Explorer is sufficient.

Accounts

  • No service or scheduled task that uses a domain user account should be enabled or created on these servers. This prevents the domain password from being stored in memory.

Event Viewer

  • Events must be regularly exported from the servers on to a secure server so that access records/events can be traced even if local events have been deleted.

DLL hijacking

  • Do not add any folder path to the user's PATH environment variable that the user has write access to.
  • In the Windows Registry under HKLM\System\CurrentControlSet\Control\Session Manager, create a new DWORD entry called "CWDIllegalInDLLSearch" with a value of 2. See https://support.microsoft.com/en-us/kb/2264107.
  • Disable the service "IKE and AuthIP IPsec Keying Modules" (i.e. prevent it from being started):
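The following PowerShell script is an added example (not from the CAST documentation) that applies the three DLL-hijacking mitigations above and audits the result. IKEEXT is the Windows service name behind "IKE and AuthIP IPsec Keying Modules"; disabling it also removes IPsec/VPN client support on the VM, which is acceptable on an isolated Back Office server. Run the registry and service steps elevated; run the PATH audit as a CAST user, because an administrator can write almost anywhere and the answer would be meaningless.

```powershell
# Added example: CWDIllegalInDLLSearch, IKEEXT and a user-writable PATH audit.
$sessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

# 1. CWDIllegalInDLLSearch = 2 (KB2264107): DLLs are not loaded from the current working
#    directory when that directory is a remote location (UNC or WebDAV)
Set-ItemProperty -Path $sessionMgr -Name 'CWDIllegalInDLLSearch' -Value 2 -Type DWord

# 2. Stop the IKE and AuthIP IPsec Keying Modules service and prevent it from starting again
Stop-Service -Name IKEEXT -Force -ErrorAction SilentlyContinue
Set-Service  -Name IKEEXT -StartupType Disabled

# 3. Audit the PATH of the account this runs as: a writable PATH entry is a DLL search-order
#    risk, so each entry is probed with a throw-away file and reported
function Get-PathEntryWriteAccess {
    $dirs = $env:PATH -split ';' | Where-Object { $_ } |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim()) } | Select-Object -Unique
    foreach ($dir in $dirs) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
        $probe = Join-Path $dir ('~' + [guid]::NewGuid().ToString('N') + '.tmp')
        $writable = $true
        try   { [IO.File]::WriteAllText($probe, ''); Remove-Item -LiteralPath $probe -Force }
        catch { $writable = $false }
        [pscustomobject]@{ Path = $dir; Writable = $writable }
    }
}

Get-PathEntryWriteAccess | Where-Object Writable |
    ForEach-Object { Write-Warning "Writable PATH entry, remove it from the user's PATH: $($_.Path)" }

# 4. Read back the hardening state
[pscustomobject]@{
    CWDIllegalInDLLSearch = (Get-ItemProperty -Path $sessionMgr -Name 'CWDIllegalInDLLSearch').CWDIllegalInDLLSearch
    IKEEXTStartType       = (Get-Service -Name IKEEXT).StartType
}
```

The probe approach reports effective write access (share and NTFS permissions combined), which a static ACL listing does not always make obvious.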

Command execution

GPO

Modify the options in User Configuration > Policies > Administrative Templates:

System

  • Prevent access to registry editing tools = Enabled
    • Disable regedit from running silently = Yes
  • Prevent access to the command prompt = Enabled
    • Disable the command prompt script processing = Yes

Windows Components / File explorer

  • Do not request alternate credentials = Enabled
  • Prevent access to drives from My Computer = Enabled
    • Pick one of the following combinations = Restrict A, B and C drives only
  • Remove File Explorer's default context menu = Enabled
  • Remove File menu from File Explorer = Enabled

AppLocker

In Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Executable Rules create the following rules:

  • Allow Everyone All files located in Program Files by Path
  • Allow Everyone All files located in Windows by Path
  • Allow BUILTIN\Administrators All files by Path
  • Deny Everyone %WINDIR%\WinSxS\* by Path
  • Deny Everyone Wordpad.exe by File Hash
  • Deny Everyone Powershell.exe by File Hash

For the folder used by the CAST applications, an analysis of the CAST executables should be performed with the AppLocker assistant so that a digital signature of the applications can be established for each of the following rules:
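As an added example (not the CAST documentation's own procedure), the PowerShell script below performs that analysis with the AppLocker cmdlets: it produces publisher rules for the signed CAST executables (hash rules for any unsigned one), adds the "Deny Everyone Powershell.exe by File Hash" rule from the base list, dry-runs the policy against the CAST folder and only then merges it into the local policy. The installation folder C:\Program Files\CAST and the output path C:\Temp\cast-applocker.xml are assumptions; in a domain, import the generated XML into the GPO instead of calling Set-AppLockerPolicy locally.

```powershell
# Added example: generate, test and merge AppLocker executable rules for the CAST folder.
# Assumptions: CAST AIP under C:\Program Files\CAST; XML written to C:\Temp.
$castDir = 'C:\Program Files\CAST'
$outXml  = 'C:\Temp\cast-applocker.xml'
New-Item -ItemType Directory -Path (Split-Path $outXml) -Force | Out-Null

# 1. Analyse the CAST executables; signed files become publisher rules, unsigned files hash rules
[xml]$policy = Get-AppLockerFileInformation -Directory $castDir -Recurse -FileType Exe |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -RuleNamePrefix 'CAST' -Xml

# 2. "Deny Everyone Powershell.exe by File Hash": generate the hash rule, then flip Allow to Deny
[xml]$deny = Get-AppLockerFileInformation -Path "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" |
    New-AppLockerPolicy -RuleType Hash -User Everyone -RuleNamePrefix 'Deny' -Xml
$denyRule = $deny.AppLockerPolicy.RuleCollection.FileHashRule
$denyRule.Action = 'Deny'
$exeCollection = $policy.AppLockerPolicy.RuleCollection | Where-Object Type -eq 'Exe'
$exeCollection.AppendChild($policy.ImportNode($denyRule, $true)) | Out-Null
$policy.Save($outXml)

# 3. Report which CAST binaries ended up as hash rules: those must be regenerated on every CAST update
$exeCollection.FilePublisherRule | ForEach-Object { "Publisher rule: $($_.Name)" }
$exeCollection.FileHashRule | Where-Object Action -eq 'Allow' | ForEach-Object { "Hash rule:      $($_.Name)" }

# 4. Dry run before enforcing: every CAST executable should come back as Allowed
Get-ChildItem -Path $castDir -Recurse -Filter *.exe | Convert-Path |
    Test-AppLockerPolicy -XmlPolicy $outXml -User Everyone |
    Where-Object PolicyDecision -ne 'Allowed' | Format-Table FilePath, PolicyDecision -AutoSize

# 5. Merge into the local policy and make sure the Application Identity service is running
#    (its startup type is set through the GPO's System Services node)
Set-AppLockerPolicy -XmlPolicy $outXml -Merge
Start-Service -Name AppIDSvc
```

Two caveats follow from the rule types: a hash rule, whether the CAST hash rules or the powershell.exe deny rule, stops matching as soon as the file is replaced by an update and has to be regenerated, and the powershell.exe hash does not cover other PowerShell hosts, so the Deny rule should be paired with the "Allow Everyone All files located in Windows by Path" rule being reviewed rather than relied on alone.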

Security Policy

The security policy implemented for the servers should be configured as follows:

Account policies

Password policy

  • Enforce password history = 24
  • Maximum password age = 60
  • Minimum password age = 1
  • Minimum password length = 15
  • Password must meet complexity requirements = Enabled
  • Store passwords using reversible encryption = Disabled

Account lockout policy

  • Account lockout duration = 15
  • Account lockout threshold = 6
  • Reset account lockout counter after = 15
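As an added example (not part of the CAST documentation), the PowerShell script below exports the effective local security policy with secedit and compares the password and lockout settings against the values listed above, so drift can be caught after GPO changes. The INF keys are secedit's standard [System Access] names; the export path C:\Temp\secpol.inf is an assumption and the file is deleted afterwards because it contains the full policy.

```powershell
# Added example: compare the exported security policy with the password/lockout values above.
# Run elevated. Assumed export path: C:\Temp\secpol.inf.
$inf = 'C:\Temp\secpol.inf'
New-Item -ItemType Directory -Path (Split-Path $inf) -Force | Out-Null
secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null

function Get-SystemAccessSettings([string]$Path) {
    # Parse the [System Access] section of a secedit INF export into a hashtable
    $settings  = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $settings[$Matches[1]] = $Matches[2] }
    }
    return $settings
}

# Expected values from the Password policy and Account lockout policy lists above
$expected = [ordered]@{
    PasswordHistorySize   = '24'   # Enforce password history
    MaximumPasswordAge    = '60'   # Maximum password age (days)
    MinimumPasswordAge    = '1'    # Minimum password age (days)
    MinimumPasswordLength = '15'   # Minimum password length
    PasswordComplexity    = '1'    # Password must meet complexity requirements = Enabled
    ClearTextPassword     = '0'    # Store passwords using reversible encryption = Disabled
    LockoutDuration       = '15'   # Account lockout duration (minutes)
    LockoutBadCount       = '6'    # Account lockout threshold
    ResetLockoutCount     = '15'   # Reset account lockout counter after (minutes)
}

$actual = Get-SystemAccessSettings -Path $inf
foreach ($key in $expected.Keys) {
    $state = if (-not $actual.ContainsKey($key)) { 'MISSING' }
             elseif ($actual[$key] -eq $expected[$key]) { 'OK' }
             else { 'DRIFT' }
    [pscustomobject]@{ Setting = $key; Expected = $expected[$key]; Actual = $actual[$key]; State = $state }
}

Remove-Item -LiteralPath $inf -Force   # the export holds the complete policy; do not leave it behind
```

LockoutDuration and ResetLockoutCount only appear in the export once LockoutBadCount is non-zero, so a MISSING result for those two usually means the lockout threshold itself has not been applied.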

Local policies

User Rights Assignment

  • Access Credential Manager as a trusted caller = No One
  • Access this computer from the network = Administrators, Authenticated Users
  • Access this computer from the network = Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS
  • Act as part of the operating system = No One
  • Add workstations to domain = Administrators
  • Adjust memory quotas for a process = Administrators, Local Service, Network Service
  • Allow log on locally = Administrators
  • Allow log on through Remote Desktop Services = Administrators
  • Back up files and directories = Administrators
  • Bypass traverse checking = Administrators, Authenticated Users, Backup Operators, Local Service, Network Service
  • Bypass traverse checking = Administrators, Authenticated Users, Local Service, Network Service
  • Change the system time = LOCAL SERVICE, Administrators
  • Change the time zone = LOCAL SERVICE, Administrators
  • Create a pagefile = Administrators
  • Create a token object = No One
  • Create global objects = Administrators, SERVICE, LOCAL SERVICE, NETWORK SERVICE

Security Options

Accounts

  • Guest account status = Disabled
  • Limit local account use of blank passwords to console logon only = Enabled

Audit

  • Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings = Enabled
  • Shut down system immediately if unable to log security audits = Disabled

Devices

  • Allowed to format and eject removable media = Administrators
  • Allowed to format and eject removable media = Administrators and Interactive Users
  • Allow undock without having to log on = Disabled
  • Prevent users from installing printer drivers = Enabled

Domain controller

  • Allow server operators to schedule tasks = Disabled
  • LDAP server signing requirements = Require signing
  • Refuse machine account password changes = Disabled

Domain member

  • Digitally encrypt or sign secure channel data (always) = Enabled
  • Digitally encrypt secure channel data (when possible) = Enabled
  • Digitally sign secure channel data (when possible) = Enabled
  • Disable machine account password changes = Disabled
  • Maximum machine account password age = 30
  • Require strong (Windows 2000 or later) session key = Enabled

Interactive logon

  • Do not display last user name = Enabled
  • Do not require CTRL+ALT+DEL = Disabled
  • Number of previous logons to cache (in case domain controller is not available) = 0
  • Prompt user to change password before expiration = 14
  • Require Domain Controller authentication to unlock workstation = Enabled
  • Smart card removal behavior = Lock Workstation

Microsoft network client

  • Digitally sign communications (always) = Enabled
  • Digitally sign communications (if server agrees) = Enabled
  • Send unencrypted password to third-party SMB servers = Disabled

Microsoft network server

  • Amount of idle time required before suspending session = 15
  • Digitally sign communications (always) = Enabled
  • Digitally sign communications (if client agrees) = Enabled
  • Disconnect clients when logon hours expire = Enabled

Network access

  • Allow anonymous SID/Name translation = Disabled
  • Do not allow anonymous enumeration of SAM accounts and shares = Enabled
  • Do not allow anonymous enumeration of SAM accounts = Enabled
  • Let Everyone permissions apply to anonymous users = Disabled
  • Remotely accessible registry paths and sub-paths = System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, Software\Microsoft\Windows NT\CurrentVersion\Print, Sof
  • Remotely accessible registry paths = System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\CurrentVersion
  • Restrict anonymous access to Named Pipes and Shares = Enabled
  • Network access: Shares that can be accessed anonymously =
  • Network access: Sharing and security model for local accounts = Classic - local users authenticate as themselves
  • Allow LocalSystem NULL session fallback = Disabled
  • Allow Local System to use computer identity for NTLM = Enabled
  • Allow PKU2U authentication requests to this computer to use online identities = Disabled
  • Do not store LAN Manager hash value on next password change = Enabled
  • Force logoff when logon hours expire = Enabled
  • LAN Manager authentication level = Send NTLMv2 response only. Refuse LM & NTLM
  • LDAP client signing requirements = Negotiate signing
  • Minimum session security for NTLM SSP based (including secure RPC) clients = Require NTLMv2 session security, Require 128-bit encryption
  • Minimum session security for NTLM SSP based (including secure RPC) servers = Require NTLMv2 session security, Require 128-bit encryption

Recovery console

  • Allow automatic administrative logon = Disabled
  • Allow floppy copy and access to all drives and all folders = Disabled

Shutdown

  • Allow system to be shut down without having to log on = Disabled
  • Clear virtual memory pagefile = Disabled

System cryptography

  • Use FIPS compliant algorithms for encryption, hashing, and signing = Enabled

System objects

  • Require case insensitivity for non-Windows subsystems = Enabled
  • Strengthen default permissions of internal system objects (e.g. Symbolic Links) = Enabled

System settings

  • Use Certificate Rules on Windows Executables for Software Restriction Policies = Enabled

User Account Control

  • Admin Approval Mode for the Built-in Administrator account = Enabled
  • Allow UIAccess applications to prompt for elevation without using the secure desktop = Disabled
  • Behavior of the elevation prompt for administrators in Admin Approval Mode = Prompt for consent for non-Windows binaries
  • Behavior of the elevation prompt for standard users = Prompt for credentials
  • Detect application installations and prompt for elevation = Enabled
  • Only elevate executables that are signed and validated = Disabled
  • Only elevate UIAccess applications that are installed in secure locations = Enabled
  • Run all administrators in Admin Approval Mode = Enabled
  • Switch to the secure desktop when prompting for elevation = Enabled
  • Virtualize file and registry write failures to per-user locations = Enabled

User Rights Assignment (continued)

  • Create permanent shared objects = No One
  • Debug programs = Administrators
  • Deny access to this computer from the network = Guests
  • Deny log on as a batch job = Guests
  • Deny log on as a service = No one
  • Deny log on locally = Guests
  • Enable computer and user accounts to be trusted for delegation = No
  • Force shutdown from a remote system = Administrators
  • Generate security audits = Local Service, Network Service
  • Impersonate a client after authentication = Administrators, SERVICE, Local Service, Network Service
  • Increase a process working set = Administrators, Local Service
  • Increase scheduling priority = Administrators
  • Load and unload device drivers = Administrators
  • Lock pages in memory = No One
  • Log on as a batch job = Administrators
  • Manage auditing and security log = Administrators
  • Modify an object label = No One
  • Modify firmware environment values = Administrators
  • Perform volume maintenance tasks = Administrators
  • Profile single process = Administrators
  • Profile system performance = Administrators, NT SERVICE\WdiServiceHost
  • Remove computer from docking station = Administrators
  • Replace a process level token = Local Service, Network Service
  • Restore files and directories = Administrators
  • Shut down the system = Administrators
  • Synchronize directory service data = No one
  • Take ownership of files or other objects = Administrators

Application control policies

See the AppLocker section above for more information.

Advanced audit policy configuration

Account logon

  • Credential Validation = Success and Failure
  • Kerberos Authentication Service = No Auditing
  • Kerberos Service Ticket Operations = No Auditing
  • Other Account Logon Events = No Auditing

Account Management

  • Application Group Management = No Auditing
  • Computer Account Management = Success
  • Computer Account Management = Success and Failure
  • Distribution Group Management = No Auditing
  • Other Account Management Events = Success and Failure
  • Security Group Management = Success and Failure
  • User Account Management = Success and Failure

Detailed tracking

  • DPAPI Activity = No Auditing
  • Process Creation = Success
  • Process Termination = No Auditing
  • RPC Events = No Auditing

DS Access

  • Detailed Directory Service Replication = No Auditing
  • Directory Service Access = No Auditing
  • Directory Service Access = Success and Failure
  • Directory Service Changes = No Auditing
  • Directory Service Changes = Success and Failure
  • Directory Service Replication = No Auditing

Logon-Logoff

  • Account Lockout = No Auditing
  • IPsec Extended Mode = No Auditing
  • IPsec Main Mode = No Auditing
  • IPsec Quick Mode = No Auditing
  • Logoff = Success
  • Logon = Success and Failure
  • Network Policy Server = No Auditing
  • Other Logon/Logoff Events = No Auditing
  • Special Logon = Success

Object access

  • Application Generated = No Auditing
  • Certification Services = No Auditing
  • Detailed File Share = No Auditing
  • File Share = No Auditing
  • File System = No Auditing
  • Filtering Platform Connection = No
  • Filtering Platform Packet Drop = No
  • Handle Manipulation = No Auditing
  • Kernel Object = No Auditing
  • Other Object Access Events = No Auditing
  • Registry = No Auditing
  • SAM = No Auditing

Policy change

  • Audit Policy Change = Success and Failure
  • Authentication Policy Change = Success
  • Authorization Policy Change = No Auditing
  • Filtering Platform Policy Change = No Auditing
  • MPSSVC Rule-Level Policy Change = No Auditing
  • Other Policy Change Events = No Auditing

Privilege use

  • Non Sensitive Privilege Use = No Auditing
  • Other Privilege Use Events = No Auditing
  • Sensitive Privilege Use = Success and Failure

System

  • IPsec Driver = Success and Failure
  • Other System Events = No Auditing
  • Security State Change = Success and Failure
  • Security System Extension = Success and Failure
  • System Integrity = Success and Failure
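As an added example (not part of the CAST documentation), the PowerShell script below reads the effective advanced audit policy with auditpol and compares a representative subset of the subcategories listed above with their expected values. The subcategory names are auditpol's English names; it also checks the SCENoApplyLegacyAuditPolicy registry value that backs the "Force audit policy subcategory settings ... to override audit policy category settings" option, since subcategory settings only take effect when that option is enabled.

```powershell
# Added example: compare the effective advanced audit policy with the values listed above.
# Run elevated; auditpol requires it.
$expected = [ordered]@{
    'Credential Validation'           = 'Success and Failure'
    'Kerberos Authentication Service' = 'No Auditing'
    'Security Group Management'       = 'Success and Failure'
    'User Account Management'         = 'Success and Failure'
    'Process Creation'                = 'Success'
    'Logon'                           = 'Success and Failure'
    'Logoff'                          = 'Success'
    'Special Logon'                   = 'Success'
    'Audit Policy Change'             = 'Success and Failure'
    'Sensitive Privilege Use'         = 'Success and Failure'
    'Security State Change'           = 'Success and Failure'
    'Security System Extension'       = 'Success and Failure'
    'System Integrity'                = 'Success and Failure'
}

function Get-EffectiveAuditPolicy {
    # "/r" outputs CSV: Machine Name, Policy Target, Subcategory, Subcategory GUID,
    # Inclusion Setting, Exclusion Setting
    $rows = auditpol /get /category:* /r | Where-Object { $_ -and $_.Trim() } | ConvertFrom-Csv
    $map = @{}
    foreach ($row in $rows) { $map[$row.Subcategory] = $row.'Inclusion Setting' }
    return $map
}

function Compare-AuditPolicy([hashtable]$Actual, $Expected) {
    foreach ($sub in $Expected.Keys) {
        $got = if ($Actual.ContainsKey($sub)) { $Actual[$sub] } else { 'MISSING' }
        [pscustomobject]@{
            Subcategory = $sub
            Expected    = $Expected[$sub]
            Actual      = $got
            State       = if ($got -eq $Expected[$sub]) { 'OK' } else { 'DRIFT' }
        }
    }
}

# Subcategory settings are only honoured when the legacy category policy is overridden
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'SCENoApplyLegacyAuditPolicy' -ErrorAction SilentlyContinue
if (-not $lsa -or $lsa.SCENoApplyLegacyAuditPolicy -ne 1) {
    Write-Warning 'Subcategory override is not enabled; category-level audit settings may still win.'
}

Compare-AuditPolicy -Actual (Get-EffectiveAuditPolicy) -Expected $expected | Format-Table -AutoSize
```

Because the Event Viewer section above requires events to be exported to a secure server, a DRIFT result on Logon, Process Creation or Audit Policy Change is worth treating as an incident indicator rather than a configuration nuisance: those are the subcategories that record the access trail the export is meant to preserve.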

 
