Implementing Server Security on Windows 2000 and Windows Server 2003
Jurgen Van Duvel, Systems Engineer, [email protected]

What’s This?

445/tcp, adserver.exe, avserve.exe / avserve2.exe, FTP server on 5554/tcp, command shell on 9996/tcp.

W32.Sasser (A, B, C or D)

Agenda

- Introduction
- Implementing Advanced Server Security
- Methods for Securing IIS Server
- Protecting Exchange Server
- Protecting SQL Server
- Providing Data Security

Defense in Depth

Using a layered approach:
- Increases an attacker’s risk of detection
- Reduces an attacker’s chance of success

Layer                              Controls
Policies, Procedures, & Awareness  User education
Physical Security                  Guards, locks, tracking devices
Perimeter                          Firewalls, VPN quarantine
Internal Network                   Network segments, IPSec, NIDS
Host                               OS hardening, update management, authentication, HIDS
Application                        Application hardening, antivirus
Data                               ACL, encryption

Why Application Security Matters

- Perimeter defenses provide limited protection
- Many host-based defenses are not application specific
- Most modern attacks occur at the application layer

Why Data Security Matters

Secure your data as the last line of defense:
- Configure file permissions
- Configure data encryption: protects the confidentiality of information when physical security is compromised

Core Active Directory Security Practices

Establish secure Active Directory boundaries

Strengthen domain policy settings

Use a role-based OU hierarchy

Establish secure administrative practices

Harden DNS

Core Server Security Practices

Apply the latest Service Pack and all available security patches

Use Group Policy to harden servers
- Disable services that are not required
- Implement strict password policies
- Disable LAN Manager and NTLMv1 authentication

Restrict physical and network access to servers

Services You Might Want to Disable

ClipBook

Error Reporting Service

HTTP SSL

IMAPI CD-Burning COM Service

Indexing Service

Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)

Messenger

Microsoft POP3 Service

NetMeeting® Remote Desktop Sharing

Remote Access Auto Connection Manager

Remote Access Connection Manager

World Wide Web Publishing Service

Services You Should Not Disable

Cryptographic Services

DHCP Client

DNS Client

Event Log

IPSec Services

Netlogon

NTLM Security Support Provider

Plug and Play

Protected Storage

Remote Procedure Call (RPC)

Remote Registry Service

Security Accounts Manager

Server

System Event Notification

TCP/IP NetBIOS Helper

Windows Installer

Windows Management Instrumentation

Windows Time

Workstation

Determining Service Dependencies

Determine service dependencies before disabling a service

Use the Services snap-in in Computer Management to view service dependencies
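The dependency check above can be scripted instead of walked through in the Services snap-in. This is an added example, not code from the presentation: for each service on the "might want to disable" list it lists the services that depend on it and flags any that the "should not disable" list names or that are currently running. It only reads from the service control manager; the display names are taken from the two slides (the SP1 name of the ICF/ICS service is added as an assumption).

```powershell
# Added example (not from the presentation): before disabling a service from the
# "Services You Might Want to Disable" list, show which other services depend on it
# and flag any that are on the "Services You Should Not Disable" list or are running.
# Read-only: it only queries the service control manager. Display names are copied
# from the two slides; on SP1 and later the ICF/ICS service is named
# "Windows Firewall/Internet Connection Sharing (ICS)", so both names are tried.

$Candidates = @(
    'ClipBook', 'Error Reporting Service', 'HTTP SSL', 'IMAPI CD-Burning COM Service',
    'Indexing Service', 'Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)',
    'Windows Firewall/Internet Connection Sharing (ICS)', 'Messenger',
    'Microsoft POP3 Service', 'NetMeeting Remote Desktop Sharing',
    'Remote Access Auto Connection Manager', 'Remote Access Connection Manager',
    'World Wide Web Publishing Service'
)
$MustKeep = @(
    'Cryptographic Services', 'DHCP Client', 'DNS Client', 'Event Log', 'IPSec Services',
    'Netlogon', 'NTLM Security Support Provider', 'Plug and Play', 'Protected Storage',
    'Remote Procedure Call (RPC)', 'Remote Registry Service', 'Security Accounts Manager',
    'Server', 'System Event Notification', 'TCP/IP NetBIOS Helper', 'Windows Installer',
    'Windows Management Instrumentation', 'Windows Time', 'Workstation'
)

# Display names vary slightly between Windows versions ("Net Logon" vs "Netlogon",
# "Remote Registry" vs "Remote Registry Service"), so compare on letters and digits only.
function ConvertTo-Key([string]$Name) { ($Name -replace '[^a-z0-9]', '').ToLowerInvariant() }
$KeepKeys = $MustKeep | ForEach-Object { ConvertTo-Key $_ }

function Test-MustKeep([string]$DisplayName) {
    $k = ConvertTo-Key $DisplayName
    foreach ($keep in $KeepKeys) { if ($k.StartsWith($keep) -or $keep.StartsWith($k)) { return $true } }
    return $false
}

function Get-DisableVerdict {
    foreach ($name in $Candidates) {
        $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue | Select-Object -First 1
        if (-not $svc) { continue }                      # not installed on this build or role
        $dependents = @($svc.DependentServices)          # services that need this one running
        $blockers   = @($dependents | Where-Object { (Test-MustKeep $_.DisplayName) -or $_.Status -eq 'Running' })
        New-Object PSObject -Property @{
            Service    = $svc.DisplayName
            Status     = $svc.Status
            Dependents = ($dependents | ForEach-Object { $_.DisplayName }) -join '; '
            Verdict    = $(if ($blockers.Count -gt 0) { 'REVIEW: needed by ' + (($blockers | ForEach-Object { $_.DisplayName }) -join '; ') } else { 'OK to disable' })
        }
    }
}

Get-DisableVerdict | Format-Table Service, Status, Verdict, Dependents -AutoSize -Wrap
```

Run it on the server itself, since the dependency graph differs between roles and between Windows 2000 and Windows Server 2003.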

Configuring Services on Servers That Perform Multiple Roles

Security templates contain settings that control service behavior

Use Group Policy to apply a modified, role-specific security template to servers that perform multiple roles

Securing Servers by Using IPSec Filtering

In general, block all traffic to and from the server except that which is required by the server to fulfill its role

Test the IP Security Policy before deploying

Use the IP Security Policy Management snap-in, Group Policy, or scripting to configure IPSec filtering

Use specific IPSec filters for servers based on their server role

IPSec Filters for Domain Controllers

Service                   Protocol  Source Port  Destination Port  Source Address  Destination Address  Action  Mirror
CIFS/SMB Server           TCP       Any          445               Any             Me                   Allow   Yes
CIFS/SMB Server           UDP       Any          445               Any             Me                   Allow   Yes
RPC Server                TCP       Any          135               Any             Me                   Allow   Yes
RPC Server                UDP       Any          135               Any             Me                   Allow   Yes
NetBIOS Server            TCP       Any          137               Any             Me                   Allow   Yes
NetBIOS Server            UDP       Any          137               Any             Me                   Allow   Yes
NetBIOS Server            UDP       Any          138               Any             Me                   Allow   Yes
NetBIOS Server            TCP       Any          139               Any             Me                   Allow   Yes
Monitoring Client         Any       Any          Any               Me              MOM Server           Allow   Yes
Terminal Services Server  TCP       Any          3389              Any             Me                   Allow   Yes
Global Catalog Server     TCP       Any          3268              Any             Me                   Allow   Yes
Global Catalog Server     TCP       Any          3269              Any             Me                   Allow   Yes
DNS Server                TCP       Any          53                Any             Me                   Allow   Yes
DNS Server                UDP       Any          53                Any             Me                   Allow   Yes
Kerberos Server           TCP       Any          88                Any             Me                   Allow   Yes
Kerberos Server           UDP       Any          88                Any             Me                   Allow   Yes
LDAP Server               TCP       Any          389               Any             Me                   Allow   Yes
LDAP Server               UDP       Any          389               Any             Me                   Allow   Yes
LDAP Server               TCP       Any          636               Any             Me                   Allow   Yes
LDAP Server               UDP       Any          636               Any             Me                   Allow   Yes
NTP Server                TCP       Any          123               Me              Me                   Allow   Yes
NTP Server                UDP       Any          123               Me              Me                   Allow   Yes
Predefined RPC Range      TCP       Any          57901-57950       Any             Me                   Allow   Yes
DC Comms                  Any       Any          Any               Me              Domain Controller 1  Allow   Yes
DC Comms                  Any       Any          Any               Me              Domain Controller 2  Allow   Yes
ICMP                      ICMP      Any          Any               Me              Any                  Allow   Yes
All Inbound Traffic       Any       Any          Any               Any             Me                   Block   Yes

Registry Entries for Securing Domain Controllers

When using IPSec filtering on a domain controller:
- Use a small range of dynamic RPC ports to support the client logon process
- Include ports over 50,000
- Limit the range of dynamic RPC ports by configuring registry settings on all domain controllers
- 50 ports should be enough(*)

(*) Depends on the number of clients to support

How to Create an IP Security Policy

1. Open GPMC
2. Edit the GPO in which you want to assign the IP Security Policy
3. Create one or more IPSec filter lists
4. Create one or more filter actions
5. Create an IP Security Policy
6. Within the IP Security Policy, create an IP Security Rule for each filter list you created
7. Assign the IP Security Policy
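Steps 3 to 6 of this procedure, the domain-controller filter table and the RPC registry change can be driven from a script, as the IPSec filtering slide notes. The following is an added example, not from the presentation: it builds the filter lists, filter actions, policy and rules with netsh ipsec static (Windows Server 2003; Windows 2000 needs ipsecpol.exe instead) and pins the dynamic RPC endpoints to the 57901-57950 range the table filters. The policy, list and rule names, the MOM server address and the partner DC addresses are placeholders of mine; the policy is left unassigned so it can be tested first.

```powershell
# Added example (not part of the presentation): builds the domain-controller IPSec
# policy from the filter table with "netsh ipsec static" (Windows Server 2003;
# Windows 2000 needs ipsecpol.exe instead) and limits dynamic RPC ports to the
# 57901-57950 range the table filters. Run elevated on the DC. The policy is created
# unassigned so it can be tested first; names, the MOM server and partner DC
# addresses are placeholders of mine, not values from the slides.

$Policy    = 'DC_Lockdown'
$AllowList = 'DC_Required_Inbound'
$BlockList = 'DC_All_Other_Inbound'
$MomServer = '192.0.2.10'                      # placeholder: MOM server address
$PartnerDC = @('192.0.2.11', '192.0.2.12')      # placeholders: Domain Controller 1 and 2
$RpcFirst  = 57901; $RpcLast = 57950           # "Predefined RPC Range" row

# Rows with Source=Any, Destination=Me, Source Port=Any, written as protocol:port.
$Inbound = @(
    'TCP:445', 'UDP:445',                          # CIFS/SMB Server
    'TCP:135', 'UDP:135',                          # RPC Server (endpoint mapper)
    'TCP:137', 'UDP:137', 'UDP:138', 'TCP:139',    # NetBIOS Server
    'TCP:3389',                                    # Terminal Services Server
    'TCP:3268', 'TCP:3269',                        # Global Catalog Server
    'TCP:53',  'UDP:53',                           # DNS Server
    'TCP:88',  'UDP:88',                           # Kerberos Server
    'TCP:389', 'UDP:389', 'TCP:636', 'UDP:636',    # LDAP Server
    'TCP:123', 'UDP:123'                           # NTP Server
)
foreach ($p in $RpcFirst..$RpcLast) { $Inbound += "TCP:$p" }   # static filters take one port each

netsh ipsec static add filterlist name=$AllowList description=Traffic_the_DC_role_needs | Out-Null
foreach ($entry in $Inbound) {
    $proto, $port = $entry -split ':'
    # srcport=0 means "Any"; mirrored=yes also matches the reply traffic (Mirror column)
    netsh ipsec static add filter filterlist=$AllowList srcaddr=any dstaddr=me `
        protocol=$proto srcport=0 dstport=$port mirrored=yes description=$entry | Out-Null
}
# Rows whose source address is Me: Monitoring Client, DC Comms and ICMP
netsh ipsec static add filter filterlist=$AllowList srcaddr=me dstaddr=$MomServer protocol=any mirrored=yes description=MOM_client | Out-Null
foreach ($dc in $PartnerDC) {
    netsh ipsec static add filter filterlist=$AllowList srcaddr=me dstaddr=$dc protocol=any mirrored=yes description=DC_comms | Out-Null
}
netsh ipsec static add filter filterlist=$AllowList srcaddr=me dstaddr=any protocol=icmp mirrored=yes description=ICMP | Out-Null

# Last row: block all other inbound traffic. More specific filters win over this one.
netsh ipsec static add filterlist name=$BlockList | Out-Null
netsh ipsec static add filter filterlist=$BlockList srcaddr=any dstaddr=me protocol=any mirrored=yes description=Block_all_other | Out-Null

netsh ipsec static add filteraction name=DC_Permit action=permit | Out-Null
netsh ipsec static add filteraction name=DC_Block  action=block  | Out-Null
netsh ipsec static add policy name=$Policy description=Role_based_DC_filtering | Out-Null
netsh ipsec static add rule name=Allow_required policy=$Policy filterlist=$AllowList filteraction=DC_Permit | Out-Null
netsh ipsec static add rule name=Block_rest     policy=$Policy filterlist=$BlockList filteraction=DC_Block  | Out-Null

# Registry side: confine dynamic RPC endpoints to the filtered range
# (HKLM\SOFTWARE\Microsoft\Rpc\Internet). Takes effect after a reboot; apply to every DC.
$Rpc = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $Rpc)) { New-Item -Path $Rpc -Force | Out-Null }
New-ItemProperty -Path $Rpc -Name Ports -PropertyType MultiString -Value @("$RpcFirst-$RpcLast") -Force | Out-Null
New-ItemProperty -Path $Rpc -Name PortsInternetAvailable -PropertyType String -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $Rpc -Name UseInternetPorts       -PropertyType String -Value 'Y' -Force | Out-Null

# Review with:        netsh ipsec static show policy name=$Policy level=verbose
# Assign after testing: netsh ipsec static set policy name=$Policy assign=y
```

For the GPO-based deployment in steps 1 and 2, export the tested local policy with netsh ipsec static exportpolicy and import it through the IP Security Policy Management snap-in inside the GPO.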

Security Auditing

Administrators should establish an audit policy

When establishing an audit policy:
- Analyze the threat model
- Consider system and user capabilities
- Test and refine the policy

Consider centralized log monitoring

Microsoft Audit Collection Services (MACS)

[Diagram: monitored clients and monitored servers, whose local event logs are subject to tampering, forward events via WMI to the SQL Collector, where the event logs are under the control of auditors and feed real-time intrusion detection applications, forensic analysis and the management system]

Recommended Audit Policy Settings for Member Servers

Audit Policy                      Recommended Setting for an Enterprise Client Environment
Audit account logon events        Success
Audit account management          Success
Audit directory service access    Only if required by threat model
Audit logon events                Success
Audit object access               Only if required by threat model
Audit policy change               Success
Audit privilege use               No auditing
Audit process tracking            Only if required by threat model
Audit system events               Success

Auditing: Using EventCombMT to View Event Logs
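The table can be turned into a check that runs on each member server. The script below is an added example, not from the presentation: it exports the effective security policy with secedit, parses the [Event Audit] section of the resulting .inf and compares each setting with the recommendation above. The recommendation table is transcribed from the slide; the value decoding follows the secedit .inf format (0 none, 1 success, 2 failure, 3 both).

```powershell
# Added example (not from the presentation): export the effective audit policy with
# secedit and compare it with the recommended settings in the slide's table.
# Read-only apart from a temporary export file; run as an administrator on the server.

$Recommended = @{
    AuditAccountLogon    = 'Success'                            # Audit account logon events
    AuditAccountManage   = 'Success'                            # Audit account management
    AuditDSAccess        = 'Only if required by threat model'   # Audit directory service access
    AuditLogonEvents     = 'Success'                            # Audit logon events
    AuditObjectAccess    = 'Only if required by threat model'   # Audit object access
    AuditPolicyChange    = 'Success'                            # Audit policy change
    AuditPrivilegeUse    = 'No auditing'                        # Audit privilege use
    AuditProcessTracking = 'Only if required by threat model'   # Audit process tracking
    AuditSystemEvents    = 'Success'                            # Audit system events
}

function Get-LocalAuditPolicy {
    $inf = Join-Path $env:TEMP ('audit-{0}.inf' -f [guid]::NewGuid())
    # /mergedpolicy folds in domain Group Policy, which overrides the local setting
    secedit /export /mergedpolicy /cfg $inf /areas SECURITYPOLICY | Out-Null
    $policy = @{}
    $inSection = $false
    # secedit writes a Unicode (UTF-16) .inf; only the [Event Audit] section matters here
    foreach ($line in Get-Content -Path $inf -Encoding Unicode) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($matches[1] -eq 'Event Audit'); continue }
        if ($inSection -and $line -match '^\s*(Audit\w+)\s*=\s*(\d)') { $policy[$matches[1]] = [int]$matches[2] }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $policy
}

function ConvertFrom-AuditValue([int]$Value) {
    switch ($Value) { 0 {'No auditing'} 1 {'Success'} 2 {'Failure'} 3 {'Success, Failure'} default {"Unknown ($Value)"} }
}

function Compare-AuditPolicy {
    $current = Get-LocalAuditPolicy
    foreach ($key in ($Recommended.Keys | Sort-Object)) {
        $value = if ($current.ContainsKey($key)) { $current[$key] } else { -1 }
        $want  = $Recommended[$key]
        $verdict = switch ($want) {
            'Success'     { if ($value -band 1) { 'OK' } else { 'FINDING: success auditing not enabled' } }
            'No auditing' { if ($value -eq 0)   { 'OK' } else { 'FINDING: auditing enabled' } }
            default       { 'REVIEW against threat model' }
        }
        New-Object PSObject -Property @{
            Setting     = $key
            Current     = ConvertFrom-AuditValue $value
            Recommended = $want
            Verdict     = $verdict
        }
    }
}

Compare-AuditPolicy | Format-Table Setting, Current, Recommended, Verdict -AutoSize
```

"Success, Failure" passes the Success check because it is stricter than the recommendation; only settings with success auditing off are reported as findings.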

IIS Lockdown Tool

The IIS Lockdown Tool turns off unnecessary features to reduce the attack surface of IIS 4.0, IIS 5.0, and IIS 5.1

To provide defense in depth, the Lockdown Tool integrates URLScan, which includes customized templates for each supported server role

IIS Lockdown Results (X denotes enabled)

[Table: one row per IIS Lockdown template (Win2k: sbs2000, exchange5.5, exchange2k, sharepoint_portal, frontpage, biztalk, commerce, proxy, staticweb, dynamicweb, other, iis_uninstalled) with an X for each item the template leaves enabled. Columns are grouped as Services: WWW, FTP, SMTP, NNTP; Script Mappings: ASP, Index, SSINC, IDC, .printer, HTR, WebDAV; Advanced Security: Deny Execute, Deny Write, IIS Samples, Scripts, MSADC, IIS Admin, IIS Help, URLScan. The per-template X marks did not survive extraction and are not reproduced here.]

URLScan

URLScan helps prevent potentially harmful requests from reaching the server

URLScan restricts the types of HTTP requests that IIS will process:
- Requests for long URLs
- Requests using alternate character sets
- Requests containing disallowed methods
- Requests matching any pattern

Top 10 Things to Secure IIS 5.x

1. Harden the operating system and apply all relevant security patches
2. Remove unnecessary components
3. Run the IIS Lockdown Tool
4. Configure URLScan
5. Place content on a separate NTFS partition
6. Protect files by using minimal permissions
7. Require encryption for sensitive Web traffic
8. If possible, do not enable both the Execute and Write permissions on the same website
9. Run applications using Medium or High Application Protection
10. Use IPSec filtering to only allow required traffic (HTTP and HTTPS) to the Web server

Security Enhancements in IIS 6.0

IIS 6.0 is “locked down” out of the box with the strongest time-outs and content limits set by default.

Feature                        Description
Locked-down server             IIS 6.0 is not installed by default. A clean install only provides static file support.
Web service extensions list    The default installation does not compile, execute, or serve files with dynamic content.
Default low-privilege account  IIS processes run with significantly lowered privileges by logging on using the NETWORK SERVICE account.
Authorization                  URL authentication with Authorization Manager. Constrained, delegated authentication.
URL checking                   Configure time-outs and URL length limits. Checks whether a file exists before attempting to run it. No executable virtual directories.
Process isolation              Improved sandboxing of applications. Third-party code runs only in worker processes; resource recycling.

IIS 6.0 Application Pools

Application pools are isolated sets of applications and the worker processes that service them

If an application fails, it does not affect the availability of applications that are running in other application pools

Create separate application pools for applications that do not depend on each other

Exchange Security Dependencies

Exchange security is dependent on:
- Operating system security
- Network security
- IIS security (if you use OWA)
- Client security (Outlook)
- Active Directory security

Remember: Defense in Depth

Securing Exchange Servers

Exchange 2000 Back-End Servers
- Apply baseline security template and the Exchange back-end incremental template

Exchange 2000 Front-End Servers
- Apply baseline security template and the Exchange front-end incremental template
- Dismount private and public stores

Exchange 2000 OWA Server
- Apply IIS Lockdown, including URLScan

Exchange 2003 Back-End Server
- Apply protocol security templates

Exchange 2003 Front-End and OWA Server
- IIS Lockdown and URLScan integrated with IIS 6.0
- Use application isolation mode

Aspects of Exchange Server Security

Securing Access to Exchange Server
- Blocking unauthorized access

Securing Communications
- Blocking and encrypting communications

Blocking Spam
- Filtering incoming mail
- Relay restrictions: Don’t aid spammers!

Blocking Insecure E-Mail Messages
- Virus scanning
- Attachment blocking

Configuring Authentication, Part 1

Secure Outlook client authentication
- Configure Exchange & Outlook 2003 to use RPC over HTTPS
- Configure SPA to encrypt authentication for Internet protocol clients

Remember: Secure authentication does not equal encryption of data

Configuring Authentication, Part 2

OWA supports several authentication methods:

Authentication Method       Considerations
Basic authentication        Insecure, unless you require SSL
Integrated authentication   Limited client support, issues across firewalls
Digest authentication       Limited client support
Forms-based authentication  Ability to customize authentication; wide client support; available with Exchange Server 2003

Securing Communications

Configure RPC encryption
- Client side setting
- Enforcement with ISA Server FP1

Firewall blocking
- Mail server publishing with ISA Server

Configure HTTPS for OWA

Use S/MIME for message encryption

Outlook 2003 enhancements
- Kerberos authentication
- RPC over HTTPS

Encrypting a Message

[Diagram: Client 1 and Client 2, an Active Directory domain controller, SMTP VS1 and SMTP VS2]

1. New message
2. Locate Client 2’s public key
3. Message encrypted with a shared key
4. Message sent using S/MIME
5. Message arrives encrypted
6. Client 2’s private key is used to decrypt the shared key, and the shared key is used to decrypt the message
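Steps 2 to 6 can be reproduced with the .NET CMS/PKCS#7 classes that S/MIME enveloped messages are built on. This is an added example, not code from the presentation: EnvelopedCms generates the shared content-encryption key, encrypts the message with it and wraps that key with the recipient's RSA public key; only the holder of the private key can unwrap it. It assumes a certificate with an RSA private key in the current user's Personal store, which stands in for Client 2 (Outlook would look the public key up in Active Directory); the message text is constructed.

```powershell
# Added example (not from the presentation): the slide's message-encryption flow
# with System.Security.Cryptography.Pkcs (the CMS format S/MIME carries).
# Assumption: Cert:\CurrentUser\My holds an RSA certificate with its private key,
# standing in for "Client 2". The message text is constructed for the example.

Add-Type -AssemblyName System.Security

function Get-RecipientCertificate {
    # Step 2: locate the recipient's certificate (Outlook reads it from Active Directory;
    # here the local store stands in, and the same cert later supplies the private key)
    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and $_.PublicKey.Oid.FriendlyName -eq 'RSA' } |
        Select-Object -First 1
    if (-not $cert) { throw 'No RSA certificate with a private key in Cert:\CurrentUser\My' }
    return $cert
}

function Protect-Message([string]$Text, [System.Security.Cryptography.X509Certificates.X509Certificate2]$Recipient) {
    # Steps 3-4: Encrypt() generates the shared content-encryption key, encrypts the
    # message with it and wraps that key with the recipient's public key.
    $content  = New-Object System.Security.Cryptography.Pkcs.ContentInfo (,[Text.Encoding]::UTF8.GetBytes($Text))
    $envelope = New-Object System.Security.Cryptography.Pkcs.EnvelopedCms $content
    $envelope.Encrypt((New-Object System.Security.Cryptography.Pkcs.CmsRecipient $Recipient))
    return $envelope.Encode()      # DER bytes; S/MIME base64-encodes these as application/pkcs7-mime
}

function Unprotect-Message([byte[]]$Blob) {
    # Steps 5-6: the blob arrives encrypted; Decrypt() finds the matching private key in
    # the user's store, recovers the shared key and then decrypts the content with it.
    $envelope = New-Object System.Security.Cryptography.Pkcs.EnvelopedCms
    $envelope.Decode($Blob)
    $envelope.Decrypt()
    return [Text.Encoding]::UTF8.GetString($envelope.ContentInfo.Content)
}

$client2 = Get-RecipientCertificate
$blob    = Protect-Message 'Constructed test message: quarterly figures attached' $client2

# What travels over SMTP: algorithm identifiers and wrapped key are visible, the content is not
$view = New-Object System.Security.Cryptography.Pkcs.EnvelopedCms
$view.Decode($blob)
"Shared-key algorithm : " + $view.ContentEncryptionAlgorithm.Oid.FriendlyName
"Key wrapped for      : " + $view.RecipientInfos[0].RecipientIdentifier.Type
"Key-wrap algorithm   : " + $view.RecipientInfos[0].KeyEncryptionAlgorithm.Oid.FriendlyName
"Ciphertext bytes     : " + $blob.Length

"Decrypted            : " + (Unprotect-Message $blob)
```

Running Unprotect-Message on a machine without the private key fails at Decrypt(), which is the property the slide's step 6 relies on.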

Blocking Spam – Exchange 2000

- Close open relays!
- Protect against address spoofing
- Prevent Exchange from resolving recipient names to GAL accounts
- Configure reverse DNS lookups

Blocking Spam – Exchange 2003

Use additional features in Exchange Server 2003:
- Support for real-time block lists
- Global deny and accept lists
- Sender and inbound recipient filtering
- Improved anti-relaying protection
- Integration with Outlook 2003 and third-party junk mail filtering

Blocking Insecure Messages

Implement antivirus gateways
- Monitor incoming and outgoing messages
- Update signatures often

Configure Outlook attachment security
- Web browser security determines whether attachments can be opened in OWA

Implement ISA Server
- Message Screener can block incoming messages

Using Permissions to Secure Exchange

Administration models
- Centralized
- Decentralized

Delegating permissions
- Creating administrative groups
- Using administrative roles
- Delegating administrative control

Enhancements in Exchange Server 2003

- Many secure-by-default settings
- More restrictive permissions
- New mail transport features
- New Internet Connection Wizard
- Cross-forest authentication support

Defense in Depth (Exchange operations)

[Diagram with three areas, Efficiency, Continuity and Security, containing: performance tuning, Exchange system policies, capacity management, storage management, hardware upgrades, performance monitoring, disaster recovery, support, antivirus, event monitoring, change management, security policies, firewall issues, AD group membership, UPS, recovery testing, availability monitoring, availability management, group policies, backup]

Top Ten Things to Secure Exchange

1. Install the latest service pack
2. Install all applicable security patches
3. Run MBSA
4. Check relay settings
5. Disable or secure well-known accounts
6. Use a layered antivirus approach
7. Use a firewall
8. Evaluate ISA Server
9. Secure OWA
10. Implement a backup strategy

Basic Security Configuration

Apply service packs and patches
- Use MBSA to detect missing SQL updates

Disable unused services
- MSSQLSERVER (required)
- SQLSERVERAGENT
- MSSQLServerADHelper
- Microsoft Search
- Microsoft DTC

Common Database Server Threats and Countermeasures

[Diagram: browser -> perimeter firewall -> Web app -> internal firewall -> SQL Server]

Threats: unauthorized external access, SQL injection, password cracking, network eavesdropping

Network vulnerabilities
- Failure to block SQL ports

Configuration vulnerabilities
- Over-privileged service account
- Weak permissions
- No certificate

Web app vulnerabilities
- Over-privileged accounts
- Weak input validation

Database Server Security Categories

Network
- Protocols
- Ports

Operating System
- Patches and updates
- Shares
- Services
- Accounts
- Auditing and logging
- Files and directories
- Registry

SQL Server
- SQL Server security
- Database objects
- Logins, users, and roles

Network Security

- Restrict SQL to TCP/IP
- Harden the TCP/IP stack
- Restrict ports

Operating System Security

- Configure the SQL Server service account with the lowest possible permissions
- Delete or disable unused accounts
- Secure authentication traffic

Logins, Users, and Roles

Use a strong system administrator (sa) password

Remove the SQL guest user account

Remove the BUILTIN\Administrators server login

Do not grant permissions for the public role

Files, Directories, and Shares

- Verify permissions on SQL Server installation directories
- Verify that the Everyone group does not have permissions to SQL Server files
- Secure setup log files
- Secure or remove tools, utilities, and SDKs
- Remove unnecessary shares
- Restrict access to required shares
- Secure registry keys with ACLs

SQL Security

Set authentication to Windows only

If you must use SQL Server authentication, ensure that authentication traffic is encrypted

SQL Auditing

- Log all failed Windows login attempts
- Log successful and failed actions across the file system
- Enable SQL Server login auditing
- Enable SQL Server general auditing

Securing Database Objects

- Remove the sample databases
- Secure stored procedures
- Secure extended stored procedures
- Restrict cmdExec access to the sysadmin role
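The login, authentication and extended-stored-procedure items from the Logins, Users, and Roles, SQL Security and Securing Database Objects slides can be verified with a few queries against the system tables. The script below is an added example, not from the presentation: it reads the authentication mode, the BUILTIN\Administrators login, guest access and public-role grants in each user database, and who may execute xp_cmdshell, over an ADO.NET connection. It changes nothing; the instance name is a placeholder and the queries use the SQL Server 2000 system tables (which later versions keep as compatibility views).

```powershell
# Added example (not from the presentation): read-only checks for the SQL Server
# login, authentication and extended-stored-procedure recommendations above.
# Assumes the placeholder instance in $Instance and that the caller's Windows
# account can connect to master with Integrated Security.

$Instance = 'SQLSRV01'   # placeholder instance name

function Invoke-Query([string]$Sql, [string]$Database = 'master') {
    $conn  = New-Object System.Data.SqlClient.SqlConnection ("Server=$Instance;Database=$Database;Integrated Security=SSPI")
    $table = New-Object System.Data.DataTable
    try {
        $conn.Open()
        $adapter = New-Object System.Data.SqlClient.SqlDataAdapter ($Sql, $conn)
        [void]$adapter.Fill($table)
    } finally { $conn.Close() }
    return ,$table
}

function Get-SqlSecurityFindings {
    $findings = @()

    # "Set authentication to Windows only": 1 = Windows Authentication mode, 0 = Mixed mode
    $mode = (Invoke-Query "SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) AS m").Rows[0].m
    if ($mode -ne 1) { $findings += 'Mixed-mode authentication is enabled; SQL logins such as sa are usable' }

    # "Remove the BUILTIN\Administrators server login"
    $admins = Invoke-Query "SELECT name FROM master..syslogins WHERE name = 'BUILTIN\Administrators'"
    if ($admins.Rows.Count -gt 0) { $findings += 'BUILTIN\Administrators still has a server login' }

    # "Remove the SQL guest user account" in user databases (master, tempdb and msdb need guest)
    $dbs = Invoke-Query "SELECT name FROM master..sysdatabases WHERE name NOT IN ('master','tempdb','msdb')"
    foreach ($row in $dbs.Rows) {
        $guest = Invoke-Query "SELECT name FROM sysusers WHERE name = 'guest' AND hasdbaccess = 1" $row.name
        if ($guest.Rows.Count -gt 0) { $findings += "guest user has access in database [$($row.name)]" }

        # "Do not grant permissions for the public role": explicit GRANTs (protecttype 204/205)
        # on objects that Microsoft did not ship with the database
        $grants = Invoke-Query ("SELECT COUNT(*) AS n FROM sysprotects p JOIN sysusers u ON p.uid = u.uid " +
                                "JOIN sysobjects o ON p.id = o.id WHERE u.name = 'public' " +
                                "AND p.protecttype IN (204, 205) AND OBJECTPROPERTY(o.id, 'IsMSShipped') = 0") $row.name
        if ($grants.Rows[0].n -gt 0) { $findings += "public role holds $($grants.Rows[0].n) explicit grant(s) in [$($row.name)]" }
    }

    # "Secure extended stored procedures": who, besides sysadmin, may execute xp_cmdshell
    $xp = Invoke-Query ("SELECT u.name FROM master..sysprotects p JOIN master..sysusers u ON p.uid = u.uid " +
                        "JOIN master..sysobjects o ON p.id = o.id WHERE o.name = 'xp_cmdshell' AND p.protecttype IN (204, 205)")
    foreach ($row in $xp.Rows) { $findings += "xp_cmdshell execute permission granted to $($row.name)" }

    return ,$findings
}

$result = Get-SqlSecurityFindings
if ($result.Count -eq 0) { 'No findings' } else { $result | ForEach-Object { "FINDING: $_" } }
```

The sa password itself cannot be read back; check it by policy (length, age, who knows it) rather than by query.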

Using Views and Stored Procedures

- SQL queries may contain confidential information
- Use stored procedures whenever possible
- Use views instead of direct table access
- Implement security best practices for Web-based applications

Securing Web Applications

- Validate all data input
- Secure authentication and authorization
- Secure sensitive data
- Use least-privileged process and service accounts
- Configure auditing and logging
- Use structured exception handling

Top Ten Things to Protect SQL Server

1. Install the most recent service pack
2. Run MBSA
3. Configure Windows authentication
4. Isolate the server and back it up
5. Check the sa password
6. Limit privileges of SQL services
7. Block ports at your firewall
8. Use NTFS
9. Remove setup files and sample databases
10. Audit connections

Role and Limitations of File Permissions

- Prevent unauthorized access
- Limit administrators
- Do not protect against intruders with physical access
- Encryption provides additional security

Role and Limitations of EFS

Benefit of EFS encryption
- Ensures privacy of information
- Uses robust public key technology

Danger of encryption
- All access to data is lost if the private key is lost

Private keys on client computers
- Keys are encrypted with a derivative of the user’s password
- Private keys are only as secure as the password
- Private keys are lost when the user profile is lost

EFS Architecture

[Diagram: in user mode, applications call the Win32 APIs and the EFS Service uses the Crypto API; in kernel mode, the I/O Manager passes requests to NTFS and EFS.sys, which produce the encrypted on-disk data storage]

EFS Differences Between Windows Versions

Windows 2000 and newer Windows versions support EFS on NTFS partitions

Windows XP and Windows Server 2003 include new features:
- Additional users can be authorized
- Offline files can be encrypted
- The triple-DES (3DES) encryption algorithm can replace DESX
- A password reset disk can be used
- EFS preserves encryption over WebDAV
- Data recovery agents are recommended
- Usability is enhanced

Implementing EFS: How to Do It Right

- Use Group Policy to disable EFS until ready for central implementation
- Plan and design policies
- Designate recovery agents
- Assign certificates
- Implement via Group Policy

Windows Server 2003 SP1 Server Security Features

Service Pack 1
- Boot-time network protection with Windows Firewall
- Relevant XP SP2 security features (RPC, DCOM lockdown)
- Feature packs
- Security Configuration Wizard (SCW)
- Network quarantine

Network Quarantine

Health checkup
- IT checks the “health” of the client

Network access control
- Clients who pass get network access
- Clients who do not pass are blocked

Health maintenance
- Quarantined clients can be given access to resources to get healthy

[Diagram: clients connecting from home (VPN, dial up), returning laptops, consultants and guests, unhealthy desktops]

Windows Server 2003 SP1

In SP1
- Fixes, updates, removal of unused techs (EDlin, TFTP)
- Basis for 64-bit Extensions release
- Boot-time network protection
- Relevant XP SP2 enhancements
- Security Configuration Wizard

Post-SP1
- Network client inspection
- Feature Pack

Next Steps

1. Stay informed about security
   - Sign up for security bulletins: http://www.microsoft.com/security/security_bulletins/alerts2.asp
   - Get the latest Microsoft security guidance: http://www.microsoft.com/security/guidance/

2. Get additional security training
   - Find online and in-person training seminars: http://www.microsoft.com/seminar/events/security.mspx
   - Find a local CTEC for hands-on training: http://www.microsoft.com/learning/

For More Information

Microsoft Security Site (all audiences) http://www.microsoft.com/security

TechNet Security Site (IT professionals) http://www.microsoft.com/technet/security

MSDN Security Site (developers) http://msdn.microsoft.com/security

© 2003-2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.