Applying Security Standards (CIS) to NS and DS
This document provides guidance on applying CIS Security Benchmarks to systems running Altiris Notification Server and Altiris Deployment Server without disabling or limiting the management functionality. Additionally, an explanation of CIS benchmarks is presented, as well as how to obtain and follow those standards.
As more and more emphasis is placed on protecting information system operations and safeguarding information assets, implementing and maintaining security standards becomes paramount. Altiris products are designed to allow maximum functionality when managing the life cycle of information system assets while giving administrators the ability to secure the environment and still perform to required specifications. Altiris products are continually improved so that they can be configured to adhere to secure environments such as the standards and benchmarks developed and maintained by the Center for Internet Security (CIS).
Any recommendation for enhancement to security of production systems should always be prefaced with the need for appropriate planning and complete testing prior to full production usage. The security configurations discussed in this document could potentially have significant effects on system processing as well as communication between systems within the target environment.
Table of Contents
- The Center for Internet Security (CIS) Benchmarks
- Altiris Notification Server with CIS
- Altiris Deployment Server with CIS
- Altiris NS and DS SQL Server with CIS
- Conclusion
The Center for Internet Security (CIS) Benchmarks
The Center for Internet Security (CIS) is a non-profit organization that was formed to provide more detailed standards for system security controls. Security benchmarks from CIS are derived from configuration guides developed by various private and government organizations. These benchmarks have become more and more widely accepted by IT organizations, since they allow administrators to present security improvements to management as a necessary industry standard rather than as nice-to-have security measures.
Obtaining the CIS Benchmarks
The benchmark standards for the Center for Internet Security can be found at http://www.cisecurity.org. There are three methods for obtaining the standards. The first method is to use the Scoring Tool that can be downloaded from the CIS web site. This Scoring Tool allows administrators to evaluate the settings of a targeted system and then provides details on the configurations necessary to adhere to the standard. Secondly, as a member of the CIS web site, Security Templates (INF files) can be downloaded that can be applied directly to the security policy of a single machine or through Group Policy on an Active Directory domain.
Lastly, the CIS security standards can be implemented via Altiris Security Expressions Solution. This solution has been designed and developed as a comprehensive tool for evaluating, auditing and implementing systems settings and configurations.
CIS Security Configurations
The security settings defined in the CIS standard are meant for stand-alone servers but can be implemented via Active Directory; however, no domain-specific settings are included in the security templates. The following areas are defined in the CIS benchmark standards:
- Security settings for passwords
- Auditing
- File and registry permissions
- Service Settings
Installing CIS Security Benchmarks
The simplest method for applying CIS Security Benchmarks to a system is to import the Windows Security Template. The Security Template can be imported into the Local Security Policy via the management console that is opened by running secpol.msc from the Run prompt.
Alternatively, the security settings can be applied manually one at a time as defined by the CIS Scoring Tool.
It is important to note that once security templates are imported into the Local Security Policy there is no easy way to roll back those changes. Therefore, it is important that appropriate testing is conducted to confirm the necessary functionality before implementing these standards on production machines.
Altiris Notification Server with CIS
Altiris Notification Server is at the heart of managing the information flow between the Altiris Solutions and the managed client machines in the environment. Since communication between the Altiris NS server and clients is handled via web-based functionality, the CIS benchmark standard must be implemented in a way that allows this communication to continue.
The following configurations for applying CIS to Altiris Notification Server assume using Windows 2003 Server and the Enterprise level of CIS.
CIS Benchmark Alterations
There are two areas where CIS benchmarks need to be altered to allow continued communication between Altiris Notification Server and managed clients. Both of these areas are part of necessary functionality with Microsoft Internet Information Services (IIS). The first area is allowing the IIS server services to run on the CIS secured machine and the second deals with anonymous requests to Altiris Notification Server web pages.
System Services
By default, the general standard for CIS benchmarks is to disable various system services necessary to the NS web management console. The following system services must be enabled and started for both Internet Information Services (IIS) and Altiris Notification Server to function properly:
- IISAdmin service
- World Wide Publishing service
- Event Log service
- Protected Storage service
Disabling unneeded system services is a focus of the CIS security benchmarks, since unneeded services provide targets for unauthorized access to the system. The services defined above are not generally a security issue when enabled on a fully patched operating system. Both the IISAdmin and World Wide Publishing services are disabled by the general CIS benchmarks and therefore need to be enabled so that Altiris Notification Server functions.
Guests Group Access from Network
By default, the general standard for CIS disables Guests Group access to the machine from the network. The reasoning for restricting Guests access from the network is accountability: every communication and request can then be linked to a specific resource or location. Guests access does not allow auditing and confirmation of the specific users and resources making requests to the system.
Currently, the use of the IIS anonymous user account (ex. IUSR_...), which is by default part of the Guests Group, is necessary for provisioning new managed resources using the Altiris Agent. When a new machine is being added to the managed resources of the Altiris Notification Server a request is sent by the client Altiris Agent via the IIS anonymous user account to the NS to request a computer GUID. This GUID is necessary for all future communications between the client and the server. Additionally, the first inventory upload by the client also uses the IIS anonymous user account. After the initial communication between the client and server using the anonymous access, the clients will use the application credentials defined in the "Global Altiris Agent Settings" configuration page of the NS.
The following steps ensure that the Guests Group access from the network exists:
- Open Security Policy console. If security settings are managed by the domain, access the Security Policy via "Active Directory Users and Computers" Group Policy for the domain. If managed locally, use the Local Security Policy. To open the Local Security Policy click on "Start", "Run", enter secpol.msc and click "OK".
- Select "Local Policies", "User Rights Assignment", and then double click on "Deny access to this computer from the network".
- The "Deny access to this computer from the network Properties" dialog box will allow you to remove the Guests account from this configuration, thereby allowing Guest Group access to the system.
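Because imported templates cannot easily be rolled back, it is worth checking a CIS INF template before importing it. The following added example (not Altiris or CIS code) parses the template's Service General Setting and Privilege Rights sections and reports the two conflicts this article describes: required services set to Disabled, and the Guests group (SID S-1-5-32-546) listed in "Deny access to this computer from the network". The short service names are assumed mappings of the display names above; HTTPFilter is the HTTP SSL service mentioned in the comment at the end of this page, and the INF content is a constructed sample, not a real CIS file.

```python
import re

# Short service names for the services the article says NS/IIS need
# (assumed mapping from the display names in the article).
REQUIRED_SERVICES = {"iisadmin", "w3svc", "eventlog", "protectedstorage", "httpfilter"}
GUESTS_SID = "S-1-5-32-546"   # well-known SID of the Guests group
DISABLED = "4"                 # INF service start types: 2=Automatic, 3=Manual, 4=Disabled

# Constructed sample of a CIS-style security template; not a real CIS file.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-32-546,*S-1-5-7
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
[Service General Setting]
IISADMIN,4,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
W3SVC,4,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
Eventlog,2,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
ProtectedStorage,2,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
HTTPFilter,4,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
Messenger,4,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
"""

def parse_inf(text):
    """Return {section name: [non-empty, non-comment lines]} for an INF template."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def audit_template(text):
    """Return the findings that would break NS if this template were imported as-is."""
    sections = parse_inf(text)
    findings = []
    for entry in sections.get("Service General Setting", []):
        name, start = entry.split(",")[:2]          # ServiceName,StartType,SDDL
        if name.lower() in REQUIRED_SERVICES and start == DISABLED:
            findings.append(f"service {name} is disabled by the template")
    for entry in sections.get("Privilege Rights", []):
        right, _, value = entry.partition("=")
        if right.strip() == "SeDenyNetworkLogonRight":
            members = [v.strip().lstrip("*") for v in value.split(",")]
            if GUESTS_SID in members or "Guests" in members:
                findings.append("Guests are denied network access (breaks IUSR provisioning)")
    return findings
```

Each finding corresponds to a service that must be re-enabled after import, or to the Guests entry that must be removed from the user right as described in the steps above.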
Note
The changes defined for Guest Group access for Altiris Notification Server are the same changes required to enable Microsoft Outlook Web Access to function. See "How to Enable the Guests Group in the Windows Server 2003 Baseline Security Policy"
Altiris Deployment Server with CIS
Assuming that Altiris Deployment Server is installed on Windows 2003 Server and that the Enterprise level of the CIS benchmarks is being implemented, Altiris Deployment Server functions as designed in conjunction with the default CIS security settings and configurations. No additional changes to the CIS benchmarks are required to allow DS functionality, including the use of a PXE server installed on the same machine.
However, if the Deployment Solution Web console is required to run on the same machine as the DS server, the changes to allow the web services listed under Altiris Notification Server System Services above will be necessary.
Altiris NS and DS SQL Server with CIS
The SQL server used for both Altiris Notification Server and Altiris Deployment Server functions appropriately in conjunction with the default Enterprise CIS security settings and configurations on Windows 2003 Servers. No additional changes to the CIS benchmarks are required to allow the SQL required functionality.
Conclusion
Secure environments are not obtained with a single strategy but require multiple techniques, tools and standards. Altiris Notification Server and Altiris Deployment Server can be configured to function in an operating system environment secured with the benchmarks provided by the Center for Internet Security (CIS), adding a layer of protection at the operating system level.
Additional Information
Thanks to the original author for supplying this information.
Additionally, according to Microsoft: http://www.microsoft.com/technet/prodtechnol/Windo...
The HTTP SSL service must also be enabled. The default CIS Benchmark disables this service.
Please make note of this for future security templates.
Sincerely,
Jason Hurst