Security Hardening
Security hardening aims to enhance the defense capabilities of the operating system.
Overview
Security hardening aims to enhance the defense capabilities of operating systems and databases.
Security hardening has the following functions on the eSight server:
- Disable unnecessary system services on eSight to reduce the possibility of malicious attacks.
- Strictly restrict the file permissions and environment variables of the system to reduce the possibility of unauthorized operations.
Security Hardening Objects
The objects of security hardening include the operating system and database.
Object | Method |
---|---|
Windows operating system | Use the SetWin tool. |
SQL Server database | Use the hardening script. |
Security Hardening Scenarios
Security hardening needs to be performed after service installation and commissioning, or backup-based restoration. If security hardening has been performed on the operating system, roll back the security hardening before the uninstallation.
Operation | Scenario | Description |
---|---|---|
Security hardening | After installation and commissioning | After each component is installed and commissioned, security hardening should be performed for the system where the component runs to enhance system security. |
Rollback | Before uninstallation | Before uninstallation, if the operating system has been hardened, roll back the security hardening. Otherwise, the uninstallation may fail. |
Security Hardening Impacts
- Impacts on the operating system
- Some services of the Windows operating system may be restricted by the hardening policy. Therefore, the services are unavailable after the hardening.
For details, see descriptions in the hardening policy package.
- After the Windows operating system is hardened, the Administrator account is renamed SWMaster.
For details, see descriptions in the hardening policy package.
- After the security hardening, some hardening items of the Windows operating system cannot be rolled back. Table 10-3 describes these items.
Table 10-3 Windows hardening items that cannot be rolled back
Hardening Item | Obtaining Path |
---|---|
Store Password Using Reversible Encryption | SetWin Policies > Auditing and Account policies > Account Policy |
Allow Anonymous SID/Name Translation | SetWin Policies > Security Settings > Security Options > Network Access |
Kerberos Policy | SetWin Policies > Auditing and Account policies > Kerberos Policy |
Patch Scripts | SetWin Policies > Patch Scripts |
- Impacts on the database
After the security of a database is hardened, certain parameters and user permissions are changed.
- Impacts on the service
The system is stopped during security hardening and rollback. As a result, the eSight services cannot be used.
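Because the first three items in Table 10-3 cannot be rolled back by SetWin, their pre-hardening values are worth recording before the policy is executed. The following is an added example, not part of SetWin or the eSight package; it uses the standard Windows `secedit` tool, and the output directory `C:\HardeningBaseline` is a hypothetical path. The Patch Scripts item is not covered.

```powershell
# Added example: snapshot settings that cannot be rolled back after hardening.
# Run from an elevated PowerShell prompt BEFORE executing the SetWin policy.
# Assumption: C:\HardeningBaseline is a hypothetical output directory.
$outDir = 'C:\HardeningBaseline'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$cfg = Join-Path $outDir ("secpol-before-{0:yyyyMMdd-HHmmss}.inf" -f (Get-Date))

# Export the local security policy as an INF security template.
secedit /export /cfg $cfg /areas SECURITYPOLICY /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed (exit code $LASTEXITCODE)" }

# Template keys that hold two of the Table 10-3 items.
$items = @{
    'ClearTextPassword'      = 'Store Password Using Reversible Encryption'
    'LSAAnonymousNameLookup' = 'Allow Anonymous SID/Name Translation'
}

$section = ''
foreach ($line in Get-Content -Path $cfg) {
    # Track which [Section] of the template the current line belongs to.
    if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; continue }
    if ($line -notmatch '^\s*([^=]+?)\s*=\s*(.*)$') { continue }
    $key = $Matches[1]; $value = $Matches[2]

    if ($section -eq 'System Access' -and $items.ContainsKey($key)) {
        "{0} = {1}  ({2})" -f $key, $value, $items[$key]
    }
    elseif ($section -eq 'Kerberos Policy') {
        # This section is only exported where a Kerberos policy is defined
        # (typically domain controllers).
        "Kerberos Policy: {0} = {1}" -f $key, $value
    }
}
"Baseline saved to $cfg"
```

Keep the exported file with the SetWin backup point so the original values can be compared or restored manually if needed.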
Duration
Table 10-4 describes the time required for security hardening.
Object | Operation | Time Required (Minutes) |
---|---|---|
Windows operating system | Hardening | 10 |
Windows operating system | Hardening rollback | 10 |
SQL Server database | Hardening | 5 |
Security hardening duration is an approximate duration of security hardening in a laboratory, and it is for reference only. Time required for security hardening is subject to the environment, network, and security hardening items.
Hardening the Windows Operating System
This section describes how to harden the Windows operating system.
Installing SetWin
The SetWin tool is used to harden the Windows operating system. This section describes how to install the SetWin tool.
Prerequisites
You have obtained the SetWin installation package. For details, see Stopping the eSight Service.
Context
SetWin is an independent tool used to protect the operating system from attacks and vulnerabilities. SetWin offers preconfigurations recommended by industry-accepted benchmarks (such as CIS).
Procedure
- Log in to the operating system to be hardened as the Administrator user.
- Double-click the SetWin installation file. Select a required language, and click OK.
- Click Next.
- Select I accept the terms of the License Agreement and click Next.
- Select the installation directory (C:\Program Files (x86)\Huawei\SetWin by default) and click Next.
- Select No configuration, and click Install.
For details about importing the security hardening configuration file to the security hardening tool, see Hardening the Windows Operating System Using SetWin.
- The system displays the message "Installation will proceed without any configuration file. Would you like to proceed". Click Yes.
The system starts to install the SetWin tool and displays the installation progress and details.
- After the installation is complete, deselect Run SecureCAT SetWin 3.0.0.1, and click Finish.
- Delete the installation package and temporary files from the server after the installation is complete.
Hardening the Windows Operating System Using SetWin
You can use the SetWin tool to harden the Windows operating system. You must comply with the procedure when executing a hardening policy.
Prerequisites
- The security hardening policy file has been obtained. For details, see Obtaining the Installation Software.
- The eSight service has been stopped. For details, see Stopping the eSight Service.
Procedure
- Log in to the server as the Administrator user.
- On the Windows Logs page, view the Application, Security, Setup, and System Log size.
The sizes of Application, Security, and System Logs should not exceed 20 MB, and the Setup Log should not exceed 1 MB.
If the Windows logs are too large, clear the logs. For details, see What Can I Do If Windows Logs Occupy Too Many Memory Resources on the Windows Server OS.
Table 10-5 Windows log entrance
Windows | Log Entrance |
---|---|
Windows Server 2012 R2 System | Right-click Start and choose Computer Management. On the Computer Management page, choose Computer Management > System Tools > Event Viewer > Windows Logs. |
Windows Server 2008 R2 System | Click Start, right-click Computer, and choose Manage. On the Server Manager page, choose Diagnostics > Event Viewer > Windows Logs. |
- Right-click SetWin and choose Run as administrator. The Initial Backup dialog box is displayed.
- Select the backup path and click OK.
After the file is backed up, the system displays the message "Backup completed".
- Click OK.
The message "Configuration file not present or corrupted. Please import a valid configuration file" is displayed. Click OK.
- Choose Configuration > Import Configuration File on the SetWin (Online Mode) page.
- Select the security hardening configuration file of the operating system eSight_Win2012R2_SetWin.zip, and click Open.
- The system displays the message "Import successful". Click OK.
Imported policies are displayed on the SetWin home page.
To view details about a hardening item, perform the following steps:
- Choose Help > SetWin Help Contents on SetWin.
- Click the Search tab on the help and enter a hardening item name.
- Click topic.
- Find the topic for the hardening item based on the hardening item path and view details about the hardening item.
- Choose Policy > Execute.
- In the dialog box that is displayed, click Yes.
- When the system displays the message "Do you want to create a backup point?", click Yes and select the backup path.
Save the security hardening policy and create a file to store the security hardening policy that will be used in rollback. Otherwise, the operating system cannot be rolled back to the pre-hardened state.
- When the system displays the message "Backup completed", click OK.
- In the Policy(s) Configured dialog box that is displayed, click Yes to harden the security of the operating system.
- After the hardening is complete, the system displays the message "Execution completed". Click OK.
- The system displays the message "Please restart system to affect all policies. Do you want to restart now?". Click Yes to restart the system.
- After the security hardening policy takes effect, the administrator account changes from Administrator to SWMaster, the guest account changes from guest to SWVisitor, but the password remains unchanged.
- After security hardening, you can log in to the operating system only as the SWMaster user.
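The log-size check at the start of this procedure and the account rename at the end can both be verified from PowerShell. The following is an added example, not part of SetWin or eSight; the function names `Test-LogSizes` and `Test-RenamedAccounts` are hypothetical, and the limits and account names are the ones stated in the procedure above.

```powershell
# Added example: pre-hardening log-size check and post-hardening account check.
# Run from an elevated PowerShell prompt (reading the Security log needs it).

# Limits from the procedure: 20 MB for Application/Security/System, 1 MB for Setup.
$limitsMB = @{ Application = 20; Security = 20; System = 20; Setup = 1 }

function Test-LogSizes {
    # Run BEFORE hardening: report each log's current size against its limit.
    foreach ($name in $limitsMB.Keys) {
        $log    = Get-WinEvent -ListLog $name -ErrorAction Stop
        $sizeMB = [math]::Round($log.FileSize / 1MB, 2)
        New-Object PSObject -Property @{
            Log         = $name
            SizeMB      = $sizeMB
            LimitMB     = $limitsMB[$name]
            WithinLimit = ($sizeMB -le $limitsMB[$name])
        } | Select-Object Log, SizeMB, LimitMB, WithinLimit
    }
}

function Test-RenamedAccounts {
    # Run AFTER hardening and restart. Built-in accounts keep their well-known
    # RIDs when renamed: 500 = administrator, 501 = guest.
    $expected = @{ '500' = 'SWMaster'; '501' = 'SWVisitor' }
    Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $expected.ContainsKey($_.SID.Split('-')[-1]) } |
        ForEach-Object {
            $rid = $_.SID.Split('-')[-1]
            New-Object PSObject -Property @{
                RID      = $rid
                Name     = $_.Name
                Expected = $expected[$rid]
                Renamed  = ($_.Name -eq $expected[$rid])
                Disabled = $_.Disabled
            } | Select-Object RID, Name, Expected, Renamed, Disabled
        }
}

Test-LogSizes | Format-Table -AutoSize
Test-RenamedAccounts | Format-Table -AutoSize
```

Before hardening, any row with `WithinLimit` set to `False` means the log should be cleared first; after hardening, both accounts should show `Renamed` as `True`.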
Hardening the SQL Server Database
This section describes how to harden the SQL Server database.
Procedure
- Log in to the SQL Server as the administrator user.
- In the eSight installation directory, open eSight\mttools\tools\securityharden\SQLServer.
- Execute the SQLServer.bat file to start security hardening.
Please input the host IP:
- Enter the IP address of the eSight database to be hardened, which is 127.0.0.1, and press Enter.
Please input the Dbuser:
- Enter the user name (which is sa by default) of the database administrator and press Enter.
Please input the DbPassword:
- Enter the password of the database administrator and press Enter. For the initial password, see the eSight User List released with the version (Support: https://support.huawei.com/carrier/docview!docview?nid=DOC1100897230; Support-E: https://support.huawei.com/enterprise/en/doc/EDOC1100230257).
- Enter the port number 1433 of the eSight database, and press Enter.
The system starts to harden the SQL Server database.
When the security hardening is complete, information similar to the following is displayed:
harden SQLServer Success