
Hardening Small Business Server 2003

Published: July 2005

Dana Epp
Computer Security Software Architect
Scorpion Software Corp.

SBS Security HOWTO

Agenda

Understanding the SBS architecture from a security perspective
Network Security Management
Patch Management
Hardening the core OS
Hardening the Services
Audit and Logging
Other considerations

Risks of SBS from an information security perspective

To effectively secure something, you must mitigate the risks associated with it by removing the threats around it.

Isolating critical business resources and services on their own machines, then strengthening what each of them offers under the rule of least privilege, will significantly reduce the attack surface of the object you are trying to secure.

SBS ignores both of these points by having everything on a single machine.

Reducing the Attack Surface of SBS

Network Security Management
Patch Management
Hardening

Mitigating Risks on SBS

Thorough network security management
  Layered defenses
  Least privilege packet control
Extreme vigilance in patch management
  NOT just the core OS
  Consider tools like WSUS and HFNetChkPro
Hardening of all critical components on the server
  Use Microsoft Security Guidelines and Best Practices
  Use the built-in SBS wizards when possible

MINIMUM SBS Network Ports to Allow Through Firewall

25 – SMTP (Exchange mail)
443 – HTTPS (Secure IIS web)
444 – SharePoint (ONLY if you want Company web/SharePoint externally available)
4125 – Remote Web access (RDP via web)

Secondary SBS Network Ports to Allow Through Firewall

20/21 – FTP
80 – HTTP (Unencrypted IIS web)
139 – SMB over NetBIOS (for file and print)
445 – License logging service
1723 – VPN
3389 – RDP (Terminal Services)

Why Patch Management is Important

Patch management mitigates and lessens the impact from threats in the Window of Exposure.

Understanding the Window of Exposure

(Timeline figure; only the slide labels are recoverable. Day axis: 0 to 360.)

Vulnerability identified
  30 – 90 days
Vulnerability verified by vendor
  30 – 90 days
Patch developed and released
  30 – 180 days
Patch deployed on update servers
Information protected

WINDOW OF EXPOSURE: on average, businesses can be exposed from 90 to 360 days.

Real WOE Example - Blaster

(Timeline figure; only the slide labels are recoverable. Day axis: 0 to 360.)

Vulnerability identified: February 2003
Vulnerability verified by Microsoft
Patch developed and released: July 16, 2003 (210 days)
Blaster launched: August 11, 2003 (16 days)
Patch deployed: 30 – 180 days
Information protected

WINDOW OF EXPOSURE: most businesses were exposed to the RPC vulnerability (Blaster) for 180 – 360 days.

Real WOE Example - Sasser

(Timeline figure; only the slide labels are recoverable. Day axis: 0 to 360.)

Vulnerability identified: October 2003
Vulnerability verified by Microsoft
Patch developed and released: April 13, 2004 (188 days)
Sasser launched: May 1, 2004 (18 days)
Patch deployed: 30 – 180 days
Information protected

WINDOW OF EXPOSURE: most businesses were exposed to the LSASS vulnerability (Sasser) for 190 – 260 days.

What about Antivirus and Antispyware?

Very important as another layer of defense.

You SHOULDN'T be running ANY applications, browsing the web or checking mail etc. ON the SBS server, limiting your exposure to malware in the first place.

AV is reactive… making it a secondary line of defense, not as critical as the proactive measures discussed here.

SBS "Onion" Approach to Hardening

(Layered diagram, outermost to innermost:)

ISA Firewall Policies
Web Server Hardening
Mail Server Hardening
Database Server Hardening
OS Hardening
Patch Management

Microsoft's Hardening Guidelines and Security Best Practices

Doesn't EXIST for Small Business Server
Has POTENTIALLY conflicting information between guides (ie: Srv03 vs Exchange 03)
Should be FULLY understood before used
IS well documented if you take the time to read it (you are looking at over 600 pages of information)
Includes helpful templates to import via GPO

Hardening Guides

Operating System Hardening
  Windows Server 2003 Security Guide
  Includes info for web server hardening
Mail Server Hardening
  Microsoft Exchange Server 2003 Security Hardening Guide
Database Hardening
  SQL Server 2000 Security Features and Best Practices

* Links to Hardening Guides at end of presentation

Using Microsoft's Hardening security GPO templates

Pros include:
  Easy installation
  Well tested
  Well documented

Cons include:
  All or nothing approach
  Blindly makes security decisions for you without knowing your network configuration
  Not easy to ensure settings will stay configured over time

Password Policy Considerations

Enforce password history = 24 remembered
Maximum password age = 42 days
Minimum password age = 2 days
Minimum password length = 8 characters
Password must meet complexity requirements = Enabled
Store password using reversible encryption = Disabled

Account Lockout Policy Considerations

Account lockout duration = 15 minutes
Account lockout threshold = 20 attempts
Reset account lockout counter after = 15 minutes

Hardening the Network Stack (tcp)

EnableICMPRedirect = 0
SynAttackProtect = 1
EnableDeadGWDetect = 0
EnablePMTUDiscovery = 0
KeepAliveTime = 300,000
DisableIPSourceRouting = 2
TcpMaxConnectResponseRetransmissions = 2
TcpMaxDataRetransmissions = 3
PerformRouterDiscovery = 0
TCPMaxPortsExhausted = 5

* Found in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\

Hardening the Network Stack (afd.sys)

DynamicBacklogGrowthDelta = 10
EnableDynamicBacklog = 1
MinimumDynamicBacklog = 20
MaximumDynamicBacklog = 20000

* Found in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AFD\Parameters\
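The registry values on the two network-stack slides drift easily (a hotfix or a new NIC driver can reset them), so a read-only audit of the live keys against the slide baseline is worth keeping. The script below is an added example, not part of the presentation; it assumes it runs elevated on the SBS host and changes nothing.

```powershell
# Added example (not from the presentation): compare the TCP/IP and AFD registry
# values on the host against the baseline listed on the slides and report drift.
# Read-only: it changes nothing. Run elevated so both keys are readable.
$Baselines = @{
    'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' = @{
        EnableICMPRedirect                   = 0
        SynAttackProtect                     = 1
        EnableDeadGWDetect                   = 0
        EnablePMTUDiscovery                  = 0
        KeepAliveTime                        = 300000   # milliseconds (slide: 300,000)
        DisableIPSourceRouting               = 2
        TcpMaxConnectResponseRetransmissions = 2
        TcpMaxDataRetransmissions            = 3
        PerformRouterDiscovery               = 0
        TCPMaxPortsExhausted                 = 5
    }
    'HKLM:\SYSTEM\CurrentControlSet\Services\AFD\Parameters' = @{
        DynamicBacklogGrowthDelta = 10
        EnableDynamicBacklog      = 1
        MinimumDynamicBacklog     = 20
        MaximumDynamicBacklog     = 20000
    }
}

function Test-StackHardening {
    param([hashtable]$Baseline = $Baselines)
    foreach ($path in $Baseline.Keys) {
        # A missing key or value means the OS default applies, not the hardened setting.
        $props = if (Test-Path $path) { Get-ItemProperty -Path $path } else { $null }
        foreach ($name in $Baseline[$path].Keys) {
            $expected = $Baseline[$path][$name]
            $actual   = if ($props) { $props.$name } else { $null }
            if ($null -eq $actual) {
                $state = 'MISSING'
            } elseif ([int64]$actual -eq $expected) {
                $state = 'OK'
            } else {
                $state = 'DRIFT'
            }
            [pscustomobject]@{ Key = $path; Value = $name; Expected = $expected; Actual = $actual; State = $state }
        }
    }
}

# Show only what needs attention; drop the filter to see the full baseline comparison.
Test-StackHardening | Where-Object State -ne 'OK' | Format-Table -AutoSize
```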

Event Log Policy Considerations

Maximum security log size – increase to 81,920 KB to allow for more in-depth auditing
Retention method for security log – set to "As needed" to ensure wrapping is FIFO in the removal cycle (removes oldest items)
Shut down system immediately if unable to log – set to "Disabled" to prevent shutdown

Audit Policy Considerations

Audit account logon events – Success, Failure
Audit account management – Success, Failure
Audit directory service access – No Auditing
Audit logon events – Success
Audit object access – No Auditing
Audit policy change – Success
Audit privilege use – No Auditing
Audit process tracking – No Auditing
Audit system events – Success
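The password, lockout and audit values on the preceding slides are what the GPO templates push, and the "not easy to ensure settings will stay configured over time" con above is exactly what a periodic check answers. The script below is an added example, not part of the presentation: it parses a security-template INF of the kind `secedit /export /cfg <file>` produces and compares it with the slide values. The INF text is constructed for the example (two values deliberately off the baseline); the key names are the standard `[System Access]` and `[Event Audit]` INF keys.

```powershell
# Added example (not from the presentation): check an exported security INF
# against the password, lockout and audit settings on the slides.
# Constructed INF so the check runs offline; on a live host export the real one with
#   secedit /export /cfg C:\Temp\current.inf   and pass its content instead.
$SampleInf = @'
[System Access]
PasswordHistorySize = 24
MaximumPasswordAge = 42
MinimumPasswordAge = 2
MinimumPasswordLength = 7
PasswordComplexity = 1
ClearTextPassword = 0
LockoutDuration = 15
LockoutBadCount = 0
ResetLockoutCount = 15
[Event Audit]
AuditAccountLogon = 3
AuditAccountManage = 3
AuditDSAccess = 0
AuditLogonEvents = 1
AuditObjectAccess = 0
AuditPolicyChange = 1
AuditPrivilegeUse = 0
AuditProcessTracking = 0
AuditSystemEvents = 1
'@
# Slide baseline. Audit values: 0 = no auditing, 1 = success, 2 = failure, 3 = both.
$Expected = @{
    PasswordHistorySize = 24; MaximumPasswordAge = 42; MinimumPasswordAge = 2
    MinimumPasswordLength = 8; PasswordComplexity = 1; ClearTextPassword = 0
    LockoutDuration = 15; LockoutBadCount = 20; ResetLockoutCount = 15
    AuditAccountLogon = 3; AuditAccountManage = 3; AuditDSAccess = 0; AuditLogonEvents = 1
    AuditObjectAccess = 0; AuditPolicyChange = 1; AuditPrivilegeUse = 0
    AuditProcessTracking = 0; AuditSystemEvents = 1
}
function Compare-SecurityInf {
    param([string]$InfText, [hashtable]$Baseline = $Expected)
    $current = @{}
    foreach ($line in $InfText -split "`r?`n") {
        # Only "Name = integer" lines matter here; section headers and string values are skipped.
        if ($line -match '^\s*([A-Za-z]+)\s*=\s*(-?\d+)\s*$') { $current[$Matches[1]] = [int]$Matches[2] }
    }
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $actual = $current[$name]
        if ($null -eq $actual) { $state = 'MISSING' }
        elseif ($actual -eq $Baseline[$name]) { $state = 'OK' }
        else { $state = 'DRIFT' }
        [pscustomobject]@{ Setting = $name; Expected = $Baseline[$name]; Actual = $actual; State = $state }
    }
}
# With the constructed INF this reports MinimumPasswordLength (7) and LockoutBadCount (0) as DRIFT.
Compare-SecurityInf -InfText $SampleInf | Where-Object State -ne 'OK' | Format-Table -AutoSize
```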

A Simpler way to do Hardening…

Resources

Windows Server 2003 Security Guide
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/W2003HG/SGCH00.mspx

Microsoft Exchange Server 2003 Security Hardening Guide
http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/exsecure.mspx

SQL Server 2000 Security Features and Best Practices
http://www.microsoft.com/technet/prodtechnol/sql/2000/maintain/sp3sec00.mspx

How To Harden the TCP Stack
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod109.asp

Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP
http://go.microsoft.com/fwlink/?linkid=15160

Dana Epp's personal blog
http://silverstr.ufies.org/blog/

This document is provided for informational purposes only. SCORPION SOFTWARE MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

© 2003-2005 Scorpion Software Corp. All rights reserved. This presentation is for informational purposes only. SCORPION SOFTWARE MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Scorpion Software, Carina, SES, and IPLinks are either registered trademarks or trademarks of Scorpion Software Corp in Canada and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.