Published on June 2016

Securing Microsoft Windows 2003 Server
Matthew Cook http://escarpment.net/

Agenda
• Background
• Why Bother?
• Pre-Installation
• Vendor Specifics
• Installation of Windows Server 2003
• Post-Installation Configuration
• Firewall Software
• Patching the System
• Day to Day Administration
• Further Advice and Guidance

Background
• The Security Service is running a number of similar courses in conjunction with Professional Development.
• Details are available at: http://www.lboro.ac.uk/computing/security/
• By increasing the security of networked machines on campus, we hope to reduce the number of compromised machines and IT Support Staff workload.

Why bother?
• Keeping control and service availability
• Spreading infection
• Data Integrity (DPA)
• Legal Liability
• Reactive Work Loads
• Bad Public Relations
• Personal Responsibility

Pre-Installation
• Disconnect the machine from the network.
– Essential with some vendor installs.

• Ensure you have the appropriate network details at hand.
• Ensure you have the latest Microsoft patches on removable media.
• Don’t forget physical security.

Pre-Installation
• Consider partitioning structure
– System
– User Storage
– Services
– Logs

• Consider which features to install
– Do you really need IIS on each server?
– More things to patch, to secure, to configure and to slow the server down

Vendor Specifics
• Always re-install!
• When using a vendor specific install CD, make sure you are aware of any security issues.
• DELL’s Open Manage Server assistant has security issues with the SNMP server and the Open Manage package.

Installation of Windows Server 2003
• Limit the system partition to 10-20 GB
• Ensure you set a secure password
• Ensure you only select the services you require.

Post-Installation Configuration
• Network Configuration
– Add all DNS Servers
– Add both WINS Servers
– Remove LMHosts Lookup
– Remove ‘Register this connection’s address in the DNS’
– Enable NetBIOS over IP
– Remove any unnecessary network clients and services

Post-Installation Configuration…
• Disable Null Authentication
– HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous - REG_DWORD=2
– HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\RestrictAnonymous - REG_DWORD=1

• There has been an addition in Windows Server 2003: RestrictAnonymousSAM!

Post-Installation Configuration…
• Configure Logging
– Create a separate partition to ‘sandbox’ the logs. L: is a good idea, between 1-10 GB.
– Eventlog locations set at: HKLM\System\CurrentControlSet\Services\EventLog\Application, Security and System
– Change the file key to point at L:\eventlogs\*
– Move IIS, Exchange logs et al to the new locations

Post-Installation Configuration…
• Windows Patches and Service Packs
– Install in a secure fashion
– From removable media
– From slipstreamed media
– Via a SOHO firewall
– NOT via an unprotected network connection

Post-Installation Configuration…
• Install McAfee Virus Scan Enterprise
– Running Anti-Virus software is essential
– Requires Auto-Update twice for the Engine and DAT file initially
– Ensure the software is configured for auto-update

• Available from: \\adadmin2\software\mcafee\vse7svrs\

Post-Installation Configuration…
• Automatic Updates
– My Computer > Select Properties > Select Automatic Updates tab.
– We do NOT recommend Automatic, or turning Automatic Updates off.
– Either: ‘Download updates for me, but let me choose when to install them.’
– Or: ‘Notify me but don’t automatically download or install them.’

Post-Installation Configuration…
• Terminal Services
– My Computer > Select Properties > Remote tab.
– Select ‘Allow users to connect remotely to this computer’
– Ensure only the users you want to connect are configured.

Post-Installation Configuration…
• Microsoft Baseline Security Analyzer
• Freely available from Microsoft
• Provides advice on
– Security best practices
– Strong passwords
– Security mis-configurations
– Application configurations

Post-Installation Configuration…
• NTFS ACL defaults are more secure than in Windows 2000 Server
• The Everyone group has only read & execute on the root of each drive.
• The permissions are not inherited.
• The Everyone group has no permissions to a new folder or file.
• The Everyone group has only read permissions on a new share.

Post-Installation Configuration…
• Configure the NTFS ACLs for the machine to provide more security.
• Note: Anonymous users are no longer part of the Everyone group!

Post-Installation Configuration…
• Security Templates
– Legacy Client
– Enterprise Client
– High Security

• Not straightforward, very easy to cripple a machine.
• Further advice in the security guides.

Post-Installation Configuration…
• Create and document a machine baseline
– Use Performance Monitor
– Save the output of a ‘Netstat -A’
– Save the output of a ‘fport /p’
– Save the output of a ‘net user’

Firewall Software
• Why bother?
– Computing Services already runs one
– Open ports are needed for service
– False sense of security
– Too many false positives
– Machine should be secure

• There are exceptions
– Insecure services for limited machines
– Provide protection for services only needed locally

Patching the System
• Essential!
• Operating Systems do contain bugs, and patches are a common method of distributing these fixes.
• A patch or hot fix usually contains a fix for one discovered bug.
• Service Packs contain multiple patches or hotfixes. There are well over 200 hotfixes in most Service Packs.

Patching the System
• Only install patches after you have tested them in a development environment.
• Only install patches obtained direct from the vendor.
• Install security patches as soon as possible after release.
• Install feature patches as and when needed.
• Subscribe to the security lists.

Day to Day Administration
• Well not every day, but at least weekly!
• Check logs
– Get them emailed to you
– Investigate rogue activity

• Compare against the baseline saved
• Check listening ports
• Check for required patches
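
Added example (not part of the original slides): one way to do the weekly "compare against the baseline" and "check listening ports" steps is to diff a fresh saved netstat listing against the one stored with the machine baseline. The sample listings, addresses and function names below are constructed for illustration, and the parser assumes the usual Windows netstat column layout.

```python
# Added example: diff two saved netstat listings (baseline vs. this week).
# BASELINE and CURRENT are constructed sample data, not real captures.

BASELINE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:3389        192.0.2.50:1045        ESTABLISHED
  UDP    0.0.0.0:123            *:*
  UDP    0.0.0.0:445            *:*
"""

CURRENT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
"""

def listeners(netstat_text):
    """Return the set of (proto, local_address, port) sockets open for service."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto, local = fields[0], fields[1]
        # TCP rows carry a state column; keep only listeners, not live sessions.
        # UDP rows have no state and are always treated as open.
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        addr, _, port = local.rpartition(":")  # last colon separates the port
        found.add((proto, addr, port))
    return found

def compare(baseline_text, current_text):
    """Report listeners that appeared or disappeared since the baseline."""
    base, now = listeners(baseline_text), listeners(current_text)
    return {"new": sorted(now - base), "missing": sorted(base - now)}

if __name__ == "__main__":
    for change, entries in compare(BASELINE, CURRENT).items():
        for proto, addr, port in entries:
            print(f"{change:8} {proto} {addr}:{port}")
```

A new listener is the entry to investigate first; a missing one usually means a service has stopped or been removed and the baseline document needs updating.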

Further Advice and Guidance
• http://www.lboro.ac.uk/computing/security/
• http://www.microsoft.com/security/
• http://www.windowsecurity.com/
• Mailing lists:
– [email protected]
– [email protected]

Further Advice and Guidance
• Introduction to I.T. Security
• Securing Microsoft Windows 2000 Server
• Securing Microsoft Windows 2003 Server
• Securing Microsoft Internet Information Server (I.I.S.) 5 and 6
• Securing Fedora Linux
• Securing RedHat Enterprise Server
• Securing The Apache Web Server

Questions and Answers
http://escarpment.net/
