Posted: 14-Dec-2015
Implementing Server Security on Windows 2000 and Windows Server 2003
Jurgen Van Duvel, Systems [email protected]
What’s This?
445/tcp, adserver.exe, Avserve.exe / avserve2.exe, FTP server on 5554/tcp, command shell on 9996/tcp.
W32.Sasser (A, B, C or D)
Agenda
- Introduction
- Implementing Advanced Server Security
- Methods for Securing IIS Server
- Protecting Exchange Server
- Protecting SQL Server
- Providing Data Security
Defense in Depth
Using a layered approach:
- Increases an attacker’s risk of detection
- Reduces an attacker’s chance of success

Layer | Controls
Policies, Procedures, & Awareness | User education
Physical Security | Guards, locks, tracking devices
Perimeter | Firewalls, VPN quarantine
Internal Network | Network segments, IPSec, NIDS
Host | OS hardening, update management, authentication, HIDS
Application | Application hardening, antivirus
Data | ACL, encryption
Why Application Security Matters
- Perimeter defenses provide limited protection
- Many host-based defenses are not application specific
- Most modern attacks occur at the application layer
Why Data Security Matters
- Secure your data as the last line of defense
- Configure file permissions
- Configure data encryption: protects the confidentiality of information when physical security is compromised
Core Active Directory Security Practices
- Establish secure Active Directory boundaries
- Strengthen domain policy settings
- Use a role-based OU hierarchy
- Establish secure administrative practices
- Harden DNS
Core Server Security Practices
- Apply the latest Service Pack and all available security patches
- Use Group Policy to harden servers:
  - Disable services that are not required
  - Implement strict password policies
  - Disable LAN Manager and NTLMv1 authentication
- Restrict physical and network access to servers
Services You Might Want to Disable
- ClipBook
- Error Reporting Service
- HTTP SSL
- IMAPI CD-Burning COM Service
- Indexing Service
- Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
- Messenger
- Microsoft POP3 Service
- NetMeeting® Remote Desktop Sharing
- Remote Access Auto Connection Manager
- Remote Access Connection Manager
- World Wide Web Publishing Service
Services You Should Not Disable
- Cryptographic Services
- DHCP Client
- DNS Client
- Event Log
- IPSec Services
- Netlogon
- NTLM Security Support Provider
- Plug and Play
- Protected Storage
- Remote Procedure Call (RPC)
- Remote Registry Service
- Security Accounts Manager
- Server
- System Event Notification
- TCP/IP NetBIOS Helper
- Windows Installer
- Windows Management Instrumentation
- Windows Time
- Workstation
Determining Service Dependencies
- Determine service dependencies before disabling a service
- Use the Services snap-in in Computer Management to view service dependencies
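As an added example, not from the deck, here is the same dependency check done in PowerShell before a service from the "Services You Might Want to Disable" slide is switched off: it enumerates the services that depend on the candidate and refuses when any of them appears on the "Services You Should Not Disable" slide. It assumes PowerShell is installed on the server; the names are the display names as the slides spell them, so adjust them to the exact display names on your build.

```powershell
# Display names from the "Services You Should Not Disable" slide. Adjust the
# spelling to the display names your build uses (e.g. "Net Logon", "Remote Registry").
$DoNotDisable = @(
    'Cryptographic Services', 'DHCP Client', 'DNS Client', 'Event Log',
    'IPSec Services', 'Netlogon', 'NTLM Security Support Provider',
    'Plug and Play', 'Protected Storage', 'Remote Procedure Call (RPC)',
    'Remote Registry Service', 'Security Accounts Manager', 'Server',
    'System Event Notification', 'TCP/IP NetBIOS Helper', 'Windows Installer',
    'Windows Management Instrumentation', 'Windows Time', 'Workstation'
)

function Test-SafeToDisable {
    # Reports whether disabling the named service would break a protected service.
    param([Parameter(Mandatory = $true)][string]$DisplayName)

    $svc = Get-Service -DisplayName $DisplayName -ErrorAction Stop

    # DependentServices are the services that stop working if this one is
    # disabled; that is the direction that matters here. (ServicesDependedOn
    # lists what this service itself needs.)
    $dependents = @($svc.DependentServices | ForEach-Object { $_.DisplayName })
    $blocking   = @($dependents | Where-Object { $DoNotDisable -contains $_ })

    New-Object PSObject -Property @{
        Service       = $svc.DisplayName
        Name          = $svc.Name
        Status        = $svc.Status
        Dependents    = $dependents
        BlockedBy     = $blocking
        SafeToDisable = ($blocking.Count -eq 0)
    }
}

# Candidates taken from the "Services You Might Want to Disable" slide.
$Candidates = 'ClipBook', 'Error Reporting Service', 'Messenger', 'Indexing Service'

foreach ($candidate in $Candidates) {
    try {
        $r = Test-SafeToDisable -DisplayName $candidate
    } catch {
        Write-Host "$candidate : not installed on this server"; continue
    }
    if ($r.SafeToDisable) {
        Write-Host "$($r.Service): dependents [$($r.Dependents -join ', ')], safe to disable"
        # Set-Service -Name $r.Name -StartupType Disabled   # uncomment after review
    } else {
        Write-Host "$($r.Service): keep running, required by $($r.BlockedBy -join ', ')"
    }
}
```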
Configuring Services on Servers That Perform Multiple Roles
- Security templates contain settings that control service behavior
- Use Group Policy to apply a modified, role-specific security template to servers that perform multiple roles
Securing Servers by Using IPSec Filtering
- In general, block all traffic to and from the server except that which is required by the server to fulfill its role
- Test the IP Security Policy before deploying
- Use the IP Security Policy Management snap-in, Group Policy, or scripting to configure IPSec filtering
- Use specific IPSec filters for servers based on their server role
IPSec Filters for Domain Controllers

Service | Protocol | Source Port | Destination Port | Source Address | Destination Address | Action | Mirror
CIFS/SMB Server | TCP | Any | 445 | Any | Me | Allow | Yes
CIFS/SMB Server | UDP | Any | 445 | Any | Me | Allow | Yes
RPC Server | TCP | Any | 135 | Any | Me | Allow | Yes
RPC Server | UDP | Any | 135 | Any | Me | Allow | Yes
NetBIOS Server | TCP | Any | 137 | Any | Me | Allow | Yes
NetBIOS Server | UDP | Any | 137 | Any | Me | Allow | Yes
NetBIOS Server | UDP | Any | 138 | Any | Me | Allow | Yes
NetBIOS Server | TCP | Any | 139 | Any | Me | Allow | Yes
Monitoring Client | Any | Any | Any | Me | MOM Server | Allow | Yes
Terminal Services Server | TCP | Any | 3389 | Any | Me | Allow | Yes
Global Catalog Server | TCP | Any | 3268 | Any | Me | Allow | Yes
Global Catalog Server | TCP | Any | 3269 | Any | Me | Allow | Yes
DNS Server | TCP | Any | 53 | Any | Me | Allow | Yes
DNS Server | UDP | Any | 53 | Any | Me | Allow | Yes
Kerberos Server | TCP | Any | 88 | Any | Me | Allow | Yes
Kerberos Server | UDP | Any | 88 | Any | Me | Allow | Yes
LDAP Server | TCP | Any | 389 | Any | Me | Allow | Yes
LDAP Server | UDP | Any | 389 | Any | Me | Allow | Yes
LDAP Server | TCP | Any | 636 | Any | Me | Allow | Yes
LDAP Server | UDP | Any | 636 | Any | Me | Allow | Yes
NTP Server | TCP | Any | 123 | Me | Me | Allow | Yes
NTP Server | UDP | Any | 123 | Me | Me | Allow | Yes
Predefined RPC Range | TCP | Any | 57901-57950 | Any | Me | Allow | Yes
DC Comms | Any | Any | Any | Me | Domain Controller 1 | Allow | Yes
DC Comms | Any | Any | Any | Me | Domain Controller 2 | Allow | Yes
ICMP | ICMP | Any | Any | Me | Any | Allow | Yes
All Inbound Traffic | Any | Any | Any | Any | Me | Block | Yes
Registry Entries for Securing Domain Controllers
When using IPSec filtering on a domain controller:
- Use a small range of dynamic RPC ports to support the client logon process
- Include ports over 50,000
- Limit the range of dynamic RPC ports by configuring registry settings on all domain controllers
- 50 ports should be enough (*)
(*) Depends on the number of clients to support
How to Create an IP Security Policy
1. Open GPMC
2. Edit the GPO in which you want to assign the IP Security Policy
3. Create one or more IPSec filter lists
4. Create one or more filter actions
5. Create an IP Security Policy
6. Within the IP Security Policy, create an IP Security Rule for each filter list you created
7. Assign the IP Security Policy
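As an added example, not from the deck, the same domain-controller policy built by script with netsh ipsec static (the "scripting" route the IPSec slide mentions, and the command-line counterpart of the seven GPMC steps), together with the registry entries that pin dynamic RPC to the table’s 57901-57950 range. Assumptions: Windows Server 2003 with PowerShell, run locally on each DC as an administrator; the peer DC and MOM server addresses are placeholders; the HKLM\SOFTWARE\Microsoft\Rpc\Internet key is the standard location for restricting dynamic RPC ports and is not named on the slides.

```powershell
# Added example (not from the deck): generate the domain-controller IPSec policy
# from the filter table with "netsh ipsec static" and pin the dynamic RPC range
# to 57901-57950 as the registry slide recommends. Policy is left unassigned.
$Policy    = 'DC_Inbound_Filtering'
$AllowList = 'DC_Allowed_Services'
$BlockList = 'All_Inbound_Traffic'
$PeerDCs   = @('192.0.2.10', '192.0.2.11')   # "Domain Controller 1/2" (placeholders)
$MomServer = '192.0.2.50'                    # "MOM Server" (placeholder)
$RpcRange  = 57901..57950                    # "Predefined RPC Range" from the table

# Protocol / destination-port rows of the table (source port "Any" is 0 in netsh).
$AllowedPorts = @(
    @('tcp',445),@('udp',445),                               # CIFS/SMB
    @('tcp',135),@('udp',135),                               # RPC endpoint mapper
    @('tcp',137),@('udp',137),@('udp',138),@('tcp',139),     # NetBIOS
    @('tcp',3389),                                           # Terminal Services
    @('tcp',3268),@('tcp',3269),                             # Global Catalog
    @('tcp',53),@('udp',53),                                 # DNS
    @('tcp',88),@('udp',88),                                 # Kerberos
    @('tcp',389),@('udp',389),@('tcp',636),@('udp',636),     # LDAP / LDAPS
    @('tcp',123),@('udp',123)                                # NTP
)
# netsh filters take a single port, so the 50-port RPC range becomes 50 filters.
foreach ($p in $RpcRange) { $AllowedPorts += ,@('tcp', $p) }

netsh ipsec static add filterlist name=$AllowList
netsh ipsec static add filterlist name=$BlockList
netsh ipsec static add filteraction name=Permit action=permit
netsh ipsec static add filteraction name=Block  action=block

# Inbound service filters: any source -> this host ("Me"), mirrored so replies pass.
foreach ($row in $AllowedPorts) {
    $proto, $port = $row
    netsh ipsec static add filter filterlist=$AllowList srcaddr=any dstaddr=me `
        protocol=$proto srcport=0 dstport=$port mirrored=yes
}
# "DC Comms": all traffic between this DC and each replication partner.
foreach ($dc in $PeerDCs) {
    netsh ipsec static add filter filterlist=$AllowList srcaddr=me dstaddr=$dc protocol=any mirrored=yes
}
# "Monitoring Client": any traffic from this host to the MOM server; ICMP to anywhere.
netsh ipsec static add filter filterlist=$AllowList srcaddr=me dstaddr=$MomServer protocol=any mirrored=yes
netsh ipsec static add filter filterlist=$AllowList srcaddr=me dstaddr=any protocol=icmp mirrored=yes
# "All Inbound Traffic": the catch-all. IPSec applies the most specific matching
# filter, so the explicit permits above take precedence over this block.
netsh ipsec static add filter filterlist=$BlockList srcaddr=any dstaddr=me protocol=any mirrored=yes

netsh ipsec static add policy name=$Policy assign=no
netsh ipsec static add rule name=Allow_DC_Services    policy=$Policy filterlist=$AllowList filteraction=Permit
netsh ipsec static add rule name=Block_Everything_Else policy=$Policy filterlist=$BlockList filteraction=Block

# Registry entries: confine dynamic RPC to the same 50 ports so client logon
# works through the filters. Takes effect after a reboot; repeat on every DC.
$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
New-ItemProperty -Path $rpcKey -Name Ports -PropertyType MultiString -Value @('57901-57950') -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name PortsInternetAvailable -PropertyType String -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name UseInternetPorts -PropertyType String -Value 'Y' -Force | Out-Null

# Only after testing (the slides: "Test the IP Security Policy before deploying"):
# netsh ipsec static set policy name=$Policy assign=yes
```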
Security Auditing
- Administrators should establish an audit policy
- When establishing an audit policy: analyze the threat model; consider system and user capabilities; test and refine the policy
- Consider centralized log monitoring
Microsoft Audit Collection Services (MACS)
Diagram components: Monitored Clients and Monitored Servers (event logs; events subject to tampering), WMI, Collector, SQL (events under control of auditors), Real-Time Intrusion Detection Applications, Forensic Analysis, Management System.
Recommended Audit Policy Settings for Member Servers

Audit Policy | Recommended Setting for an Enterprise Client Environment
Audit account logon events | Success
Audit account management | Success
Audit directory service access | Only if required by threat model
Audit logon events | Success
Audit object access | Only if required by threat model
Audit policy change | Success
Audit privilege use | No auditing
Audit process tracking | Only if required by threat model
Audit system events | Success
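As an added example, not from the deck, the table above expressed as a security template and applied with secedit, the Windows Server 2003 mechanism for setting audit policy outside the GUI. The three "only if required by threat model" rows are left at 0 (no auditing); assumptions: run as an administrator, template and database paths are arbitrary.

```powershell
# Added example (not from the deck): apply the member-server audit policy table
# through a security template with secedit. [Event Audit] values:
# 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
$Template = "$env:TEMP\member-server-audit.inf"
$Database = "$env:TEMP\member-server-audit.sdb"

$AuditInf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditAccountLogon=1
AuditAccountManage=1
AuditDSAccess=0
AuditLogonEvents=1
AuditObjectAccess=0
AuditPolicyChange=1
AuditPrivilegeUse=0
AuditProcessTracking=0
AuditSystemEvents=1
'@
# Row mapping: AuditAccountLogon = account logon events, AuditAccountManage =
# account management, AuditDSAccess = directory service access, AuditLogonEvents =
# logon events, AuditObjectAccess = object access, AuditPolicyChange = policy
# change, AuditPrivilegeUse = privilege use, AuditProcessTracking = process
# tracking, AuditSystemEvents = system events. The three "only if required by
# threat model" rows are 0 here; set them to 1 or 3 if your model needs them.

# secedit expects Unicode templates.
Set-Content -Path $Template -Value $AuditInf -Encoding Unicode

# Configure only the local security policy area, from a fresh database.
secedit /configure /db $Database /cfg $Template /overwrite /areas SECURITYPOLICY /quiet

# Verify: export the effective policy and show the audit lines.
$Effective = "$env:TEMP\effective-policy.inf"
secedit /export /cfg $Effective /areas SECURITYPOLICY /quiet
Get-Content $Effective | Select-String '^Audit'
```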
IIS Lockdown Tool
- The IIS Lockdown Tool turns off unnecessary features to reduce the attack surface of IIS 4.0, IIS 5.0, and IIS 5.1
- To provide defense in depth, the Lockdown Tool integrates URLScan, which includes customized templates for each supported server role
IIS Lockdown Results (X denotes enabled)
Columns: Services (WWW, FTP, SMTP, NNTP); Script Mappings (ASP, Index, SSINC, IDC, .printer, HTR, WebDAV); Advanced Security (Deny Execute, Deny Write, IIS Samples, Scripts, MSADC, IIS Admin, IIS Help, URLScan).
Template rows: Win2k, sbs2000, exchange5.5, exchange2k, sharepoint_portal, frontpage, biztalk, commerce, proxy, staticweb, dynamicweb, other, iis_uninstalled (per-template X marks not reproduced).
URLScan
- URLScan helps prevent potentially harmful requests from reaching the server
- URLScan restricts the types of HTTP requests that IIS will process:
  - Requests for long URLs
  - Requests using alternate character sets
  - Requests containing disallowed methods
  - Requests matching any pattern
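As an added example, not from the deck, a urlscan.ini that implements each of the four restrictions listed above, written in place from PowerShell. Assumptions: URLScan 2.5 as installed by the IIS Lockdown Tool in its default directory under inetsrv; the allowed verbs and denied extensions are a conservative starting set to be tuned to the site before deployment.

```powershell
# Added example (not from the deck): a urlscan.ini implementing the four
# restrictions the slide lists. Assumes URLScan 2.5 installed by the IIS Lockdown
# Tool in the default directory; URLScan comment lines start with ';' on their own line.
$UrlScanDir = "$env:SystemRoot\system32\inetsrv\urlscan"

$UrlScanIni = @'
[options]
; Only verbs listed under [AllowVerbs] are processed ("disallowed methods").
UseAllowVerbs=1
; Deny-list mode for extensions: see [DenyExtensions].
UseAllowExtensions=0
; Canonicalize once, then reject anything that would normalize again
; (catches double encoding) and any non-ASCII bytes ("alternate character sets").
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=0
AllowDotInPath=0
RemoveServerHeader=1
EnableLogging=1
LogLongUrls=0

; "Requests for long URLs": hard limits on URL, query string and body size.
[RequestLimits]
MaxAllowedContentLength=30000000
MaxUrl=260
MaxQueryString=2048

[AllowVerbs]
GET
HEAD
POST

; Headers used by WebDAV and chunked transfer are refused.
[DenyHeaders]
Translate:
If:
Lock-Token:
Transfer-Encoding:

; Script mappings the Lockdown Tool removes should never be reachable anyway.
[DenyExtensions]
.exe
.bat
.cmd
.com
.htr
.idc
.ida
.idq
.printer

; "Requests matching any pattern": substrings rejected anywhere in the URL.
[DenyUrlSequences]
..
./
\
:
%
&
'@

Set-Content -Path (Join-Path $UrlScanDir 'urlscan.ini') -Value $UrlScanIni -Encoding Ascii
# URLScan reads its configuration when IIS starts; restart IIS to load it.
iisreset /restart
```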
Top 10 Things to Secure IIS 5.x
1. Harden the operating system and apply all relevant security patches
2. Remove unnecessary components
3. Run the IIS Lockdown Tool
4. Configure URLScan
5. Place content on a separate NTFS partition
6. Protect files by using minimal permissions
7. Require encryption for sensitive Web traffic
8. If possible, do not enable both the Execute and Write permissions on the same website
9. Run applications using Medium or High Application Protection
10. Use IPSec filtering to only allow required traffic (HTTP and HTTPS) to the Web server
Security Enhancements in IIS 6.0
IIS 6.0 is “locked down” out of the box with the strongest time-outs and content limits set by default.

Feature | Description
Locked-down server | IIS 6.0 is not installed by default. A clean install only provides static file support.
Web service extensions list | The default installation does not compile, execute, or serve files with dynamic content.
Default low-privilege account | IIS processes run with significantly lowered privileges by logging on using the NETWORK SERVICE account.
Authorization | URL authorization with Authorization Manager. Constrained, delegated authentication.
URL checking | Configure time-outs and URL length limits. Checks whether a file exists before attempting to run it. No executable virtual directories.
Process isolation | Improved sandboxing of applications. Third-party code runs only in worker processes; resource recycling.
IIS 6.0 Application Pools
- Application pools are isolated sets of applications and the worker processes that service them
- If an application fails, it does not affect the availability of applications that are running in other application pools
- Create separate application pools for applications that do not depend on each other
Exchange Security Dependencies
Exchange security is dependent on:
- Operating system security
- Network security
- IIS security (if you use OWA)
- Client security (Outlook)
- Active Directory security
Remember: Defense in Depth
Securing Exchange Servers
- Exchange 2000 back-end servers: apply the baseline security template and the Exchange back-end incremental template
- Exchange 2000 front-end servers: apply the baseline security template and the Exchange front-end incremental template; dismount private and public stores
- Exchange 2000 OWA server: apply IIS Lockdown, including URLScan
- Exchange 2003 back-end server: apply protocol security templates
- Exchange 2003 front-end and OWA server: IIS Lockdown and URLScan are integrated with IIS 6.0; use application isolation mode
Aspects of Exchange Server Security
- Securing access to Exchange Server: blocking unauthorized access
- Securing communications: blocking and encrypting communications
- Blocking spam: filtering incoming mail; relay restrictions (don’t aid spammers!)
- Blocking insecure e-mail messages: virus scanning, attachment blocking
Configuring Authentication, Part 1
- Secure Outlook client authentication
- Configure Exchange & Outlook 2003 to use RPC over HTTPS
- Configure SPA to encrypt authentication for Internet protocol clients
Remember: Secure authentication does not equal encryption of data
Configuring Authentication, Part 2
OWA supports several authentication methods:

Authentication Method | Considerations
Basic authentication | Insecure, unless you require SSL
Integrated authentication | Limited client support, issues across firewalls
Digest authentication | Limited client support
Forms-based authentication | Ability to customize authentication; wide client support; available with Exchange Server 2003
Securing Communications
- Configure RPC encryption: client-side setting; enforcement with ISA Server FP1
- Firewall blocking: mail server publishing with ISA Server
- Configure HTTPS for OWA
- Use S/MIME for message encryption
- Outlook 2003 enhancements: Kerberos authentication, RPC over HTTPS
Encrypting a Message
Diagram components: Client 1, Client 2, Active Directory domain controller, SMTP VS1 and SMTP VS2.
1. New message
2. Locate Client 2’s public key (Active Directory)
3. Message encrypted with a shared key
4. Message sent using S/MIME (SMTP VS1 to SMTP VS2)
5. Message arrives encrypted
6. Client 2’s private key is used to decrypt the shared key, and the shared key is used to decrypt the message
Blocking Spam – Exchange 2000
- Close open relays!
- Protect against address spoofing
- Prevent Exchange from resolving recipient names to GAL accounts
- Configure reverse DNS lookups

Blocking Spam – Exchange 2003
Use additional features in Exchange Server 2003:
- Support for real-time block lists
- Global deny and accept lists
- Sender and inbound recipient filtering
- Improved anti-relaying protection
- Integration with Outlook 2003 and third-party junk mail filtering
Blocking Insecure Messages
- Implement antivirus gateways: monitor incoming and outgoing messages; update signatures often
- Configure Outlook attachment security: Web browser security determines whether attachments can be opened in OWA
- Implement ISA Server: Message Screener can block incoming messages
Using Permissions to Secure Exchange
- Administration models: centralized, decentralized
- Delegating permissions: creating administrative groups, using administrative roles, delegating administrative control
Enhancements in Exchange Server 2003
- Many secure-by-default settings
- More restrictive permissions
- New mail transport features
- New Internet Connection Wizard
- Cross-forest authentication support
Defense in Depth
Diagram: Exchange operational areas grouped under Efficiency, Continuity and Security: performance tuning, Exchange system policies, capacity management, storage management, hardware upgrades, performance monitoring, disaster recovery, support, antivirus, event monitoring, change management, security policies, firewall issues, AD group membership, UPS, recovery testing, availability monitoring, availability management, group policies, backup.
Top Ten Things to Secure Exchange
1. Install the latest service pack
2. Install all applicable security patches
3. Run MBSA
4. Check relay settings
5. Disable or secure well-known accounts
6. Use a layered antivirus approach
7. Use a firewall
8. Evaluate ISA Server
9. Secure OWA
10. Implement a backup strategy
Basic Security Configuration
- Apply service packs and patches; use MBSA to detect missing SQL updates
- Disable unused services: MSSQLSERVER (required), SQLSERVERAGENT, MSSQLServerADHelper, Microsoft Search, Microsoft DTC
Common Database Server Threats and Countermeasures
Diagram components: browser, Web app, SQL Server, perimeter firewall, internal firewall.
- Threats: unauthorized external access, SQL injection, password cracking, network eavesdropping
- Network vulnerabilities: failure to block SQL ports
- Configuration vulnerabilities: over-privileged service account, weak permissions, no certificate
- Web app vulnerabilities: over-privileged accounts, weak input validation
Database Server Security Categories
- Network: protocols, ports
- Operating System: patches and updates, shares, services, accounts, auditing and logging, files and directories, registry
- SQL Server: SQL Server security; logins, users, and roles; database objects
Operating System Security
- Configure the SQL Server service account with the lowest possible permissions
- Delete or disable unused accounts
- Secure authentication traffic
Logins, Users, and Roles
- Use a strong system administrator (sa) password
- Remove the SQL guest user account
- Remove the BUILTIN\Administrators server login
- Do not grant permissions for the public role
Files, Directories, and Shares
- Verify permissions on SQL Server installation directories
- Verify that the Everyone group does not have permissions to SQL Server files
- Secure setup log files
- Secure or remove tools, utilities, and SDKs
- Remove unnecessary shares
- Restrict access to required shares
- Secure registry keys with ACLs
SQL Security
- Set authentication to Windows only
- If you must use SQL Server authentication, ensure that authentication traffic is encrypted
SQL Auditing
- Log all failed Windows login attempts
- Log successful and failed actions across the file system
- Enable SQL Server login auditing
- Enable SQL Server general auditing
Securing Database Objects
- Remove the sample databases
- Secure stored procedures
- Secure extended stored procedures
- Restrict cmdExec access to the sysadmin role
Using Views and Stored Procedures
- SQL queries may contain confidential information
- Use stored procedures whenever possible
- Use views instead of direct table access
- Implement security best practices for Web-based applications
Securing Web Applications
- Validate all data input
- Secure authentication and authorization
- Secure sensitive data
- Use least-privileged process and service accounts
- Configure auditing and logging
- Use structured exception handling
Top Ten Things to Protect SQL Server
1. Install the most recent service pack
2. Run MBSA
3. Configure Windows authentication
4. Isolate the server and back it up
5. Check the sa password
6. Limit privileges of SQL services
7. Block ports at your firewall
8. Use NTFS
9. Remove setup files and sample databases
10. Audit connections
Role and Limitations of File Permissions
- Prevent unauthorized access
- Limit administrators
- Do not protect against intruders with physical access
- Encryption provides additional security
Role and Limitations of EFS
- Benefit of EFS encryption: ensures privacy of information; uses robust public key technology
- Danger of encryption: all access to data is lost if the private key is lost
- Private keys on client computers: keys are encrypted with a derivative of the user’s password; private keys are only as secure as the password; private keys are lost when the user profile is lost
EFS Architecture
Diagram: user mode (Applications, Win32 APIs, Crypto API, EFS Service); kernel mode (I/O Manager, NTFS, EFS.sys); encrypted on-disk data storage.
EFS Differences Between Windows Versions
- Windows 2000 and newer Windows versions support EFS on NTFS partitions
- Windows XP and Windows Server 2003 include new features:
  - Additional users can be authorized
  - Offline files can be encrypted
  - The triple-DES (3DES) encryption algorithm can replace DESX
  - A password reset disk can be used
  - EFS preserves encryption over WebDAV
  - Data recovery agents are recommended
  - Usability is enhanced
Implementing EFS: How to Do It Right
- Use Group Policy to disable EFS until ready for central implementation
- Plan and design policies
- Designate recovery agents
- Assign certificates
- Implement via Group Policy
Server Security Features
- Service Pack 1: boot-time network protection with Windows Firewall; relevant XP SP2 security features (RPC, DCOM lockdown)
- Feature packs
- Security Configuration Wizard (SCW)
- Network quarantine
Network Quarantine
- Health checkup: IT checks the “health” of the client
- Network access control: clients who pass get network access; clients who do not pass are blocked
- Health maintenance: quarantined clients can be given access to resources to get healthy
Clients shown in the diagram: from home (VPN, dial-up), returning laptops, consultants and guests, unhealthy desktops.
Windows Server 2003 SP1
In SP1:
- Fixes, updates, removal of unused techs (EDlin, TFTP)
- Basis for 64-bit Extensions release
- Boot-time network protection
- Relevant XP SP2 enhancements
- Security Configuration Wizard
Post-SP1:
- Network client inspection Feature Pack
Next Steps
1. Stay informed about security
   - Sign up for security bulletins: http://www.microsoft.com/security/security_bulletins/alerts2.asp
   - Get the latest Microsoft security guidance: http://www.microsoft.com/security/guidance/
2. Get additional security training
   - Find online and in-person training seminars: http://www.microsoft.com/seminar/events/security.mspx
   - Find a local CTEC for hands-on training: http://www.microsoft.com/learning/
For More Information
- Microsoft Security Site (all audiences): http://www.microsoft.com/security
- TechNet Security Site (IT professionals): http://www.microsoft.com/technet/security
- MSDN Security Site (developers): http://msdn.microsoft.com/security