IT Pro Evangelist, Microsoft India (MCSE, MCT, RHCE, CISSP, CIW Security Analyst)
Agenda
• Windows Server 2003 Security
• Windows Server 2003 Security Guide
• Security Threats and Countermeasures
• Windows Server 2008 Security
• Conclusion
Secure by Design
• Code reviews
• IIS re-architecture
• Threat models
• $200M investment
Secure by Default
• 60% less attack surface area by default compared to Windows NT 4.0 SP3
• Services off by default
• Services run at lower privilege
Secure in Deployment
• Windows Server 2003 Security Guide
• Configuration automation
• Monitoring infrastructure
• Prescriptive guidance
Communications
• Communities
• Architecture webcasts
• Conferences
• TechNet
Why Is the Default Not Hardened?
• Hardening must be a response to the environment
• One size does not fit all
• Hardening breaks existing applications
 – Bad user experience
• The default configuration is generally appropriate for trusted networks
Windows Server 2003 Security Guide: Design Goals
• Provide actionable, authoritative guidelines for
 – End users
 – System administrators
 – Security administrators
• Guidelines are
 – Proven in real-world testing
 – Relevant: they accomplish real security
 – Accurate
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/W2003HG/SGCH00.mspx
Server Hardening
• Apply to the relevant servers in your organization
• Securing the domain infrastructure comes first; the Member Server Baseline Policy is then applied to every member server, and role-specific hardening procedures are layered on top through incremental Group Policy for:
 – Domain Controllers
 – Infrastructure Servers
 – File & Print Servers
 – Internet Information Servers
 – RADIUS Servers
 – PKI Servers
 – Bastion Servers (rarely domain members, so the same settings are applied as local policy)
Domain Infrastructure
• Establishing security boundaries
 – Security starts at the domain infrastructure
• Forest versus domain
 – The true security boundary is the forest
 – A domain is a management boundary of well-meaning administrators
• Administrative distinctions
 – Enterprise Administrators are just that
 – Delegate administration
• Structuring support for administration and Group Policy
 – Organizational Unit structure
Baseline Policy
• Core security template
 – Group Policy for all member servers
 – Audit policies
  • Monitor object access, logon and logoff, policy changes
Member Server Baseline Policy
 – User rights assignment
  • Controlling server logons and user functionality
  • Tip: use "Deny logon from the network" to prevent service accounts from logging on remotely
 – Security options
  • Increase the LM compatibility level, restrict anonymous access, …
 – Event logs
  • Setting log sizes and access permissions
 – System services
  • Disabling or removing irrelevant services
Hardening DCs
• Most important server role; physical isolation needed
• DC baseline policy (GP template)
 – Duplicates most member server policies
 – Further lockdown on user rights assignments
 – Configure DC-specific system services to ensure consistency
• Additional security settings
 – Relocating the DC database and logs
 – Increasing event log sizes
 – Protecting DNS
  • Secure dynamic updates
  • Limiting zone transfers
 – Blocking ports with IPsec filters
  • Tip: don't forget to configure NoDefaultExempt
Hardening Infrastructure Servers
• Providing DNS and WINS services
• Foundation: Member Server Baseline Policy
• Incremental Infrastructure Group Policy
 – Adjusting infrastructure system services
• Additional security settings
 – Configure DHCP logging
  • Limit log sizes (registry DWORD addition)
  • Limit access permissions to Administrators
 – Port blocking with IPsec filters: infrastructure servers
  • Does not fully secure the system during startup
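The port-filter tables in the Windows Server 2003 Security Guide are applied as IPsec policy. The following PowerShell is an added example, not the deck's or the guide's own script: it builds a permit-listed-ports, block-everything-else policy for an infrastructure server through the netsh ipsec static context that ships with Windows Server 2003, sets the NoDefaultExempt value from the domain controller slide, and uses the dynamic context's bootmode setting to cover the startup gap noted above. The policy, filter list and action names, the inbound port table and the two domain controller addresses are assumptions; PowerShell itself is a separate install on Windows Server 2003, and every netsh call works unchanged from cmd.exe.

```powershell
# Added example (not from the deck or the Security Guide). Builds the
# "permit listed services, block everything else" IPsec packet filter the
# infrastructure-server slide describes, using the netsh ipsec static context
# of Windows Server 2003. Run elevated, from the console: a mistake here cuts
# off remote access. All names, ports and addresses below are assumed.

$Policy       = 'InfraPacketFilter'
$AllowInList  = 'InfraAllowInbound'
$AllowOutList = 'InfraAllowToDC'
$BlockList    = 'InfraBlockAll'

# Inbound services an infrastructure (DNS/DHCP/WINS) server must answer.
$Allowed = @(
    @{ Proto = 'UDP'; Port = 53;   Note = 'DNS queries' }
    @{ Proto = 'TCP'; Port = 53;   Note = 'DNS zone transfers and large responses' }
    @{ Proto = 'UDP'; Port = 67;   Note = 'DHCP server' }
    @{ Proto = 'TCP'; Port = 42;   Note = 'WINS replication' }
    @{ Proto = 'UDP'; Port = 137;  Note = 'WINS name registration and queries' }
    @{ Proto = 'TCP'; Port = 3389; Note = 'Terminal Services for remote administration' }
)
# Domain controllers this member server must reach (placeholder addresses).
$DomainControllers = @('10.0.0.10', '10.0.0.11')

function Invoke-IpsecStatic {
    # Runs one 'netsh ipsec static' command and fails loudly, so a typo does
    # not leave a half-built policy behind.
    param([string[]]$Arguments)
    & netsh ipsec static $Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh ipsec static $Arguments failed (exit $LASTEXITCODE)" }
}

# 1. Create the policy unassigned; nothing changes until the final step.
Invoke-IpsecStatic @('add', 'policy', "name=$Policy", 'assign=no')

# 2. One mirrored permit filter per inbound service. 'mirrored=yes' also
#    matches the server's replies, so one filter covers the whole exchange.
Invoke-IpsecStatic @('add', 'filterlist', "name=$AllowInList")
foreach ($svc in $Allowed) {
    Invoke-IpsecStatic @('add', 'filter', "filterlist=$AllowInList",
        'srcaddr=any', 'dstaddr=me', "protocol=$($svc.Proto)",
        'srcport=0', "dstport=$($svc.Port)", 'mirrored=yes')
}

# 3. Outbound: everything from this host to its domain controllers
#    (Kerberos, LDAP, RPC, SMB for Group Policy), mirrored for the replies.
Invoke-IpsecStatic @('add', 'filterlist', "name=$AllowOutList")
foreach ($dc in $DomainControllers) {
    Invoke-IpsecStatic @('add', 'filter', "filterlist=$AllowOutList",
        'srcaddr=me', "dstaddr=$dc", 'protocol=any', 'mirrored=yes')
}

# 4. Catch-all: any protocol, any peer, both directions. IPsec applies the
#    most specific matching filter, so the permits above win over this one.
Invoke-IpsecStatic @('add', 'filterlist', "name=$BlockList")
Invoke-IpsecStatic @('add', 'filter', "filterlist=$BlockList",
    'srcaddr=any', 'dstaddr=me', 'protocol=any', 'mirrored=yes')

# 5. Actions and rules.
Invoke-IpsecStatic @('add', 'filteraction', 'name=InfraPermit', 'action=permit')
Invoke-IpsecStatic @('add', 'filteraction', 'name=InfraBlock',  'action=block')
Invoke-IpsecStatic @('add', 'rule', 'name=PermitInbound', "policy=$Policy", "filterlist=$AllowInList",  'filteraction=InfraPermit')
Invoke-IpsecStatic @('add', 'rule', 'name=PermitToDC',    "policy=$Policy", "filterlist=$AllowOutList", 'filteraction=InfraPermit')
Invoke-IpsecStatic @('add', 'rule', 'name=BlockRest',     "policy=$Policy", "filterlist=$BlockList",    'filteraction=InfraBlock')

# 6. The DC-slide tip. With the Windows 2000 default (0) the IPsec driver
#    silently passes Kerberos (port 88) and RSVP regardless of the filters,
#    so an attacker bypasses them by sourcing traffic from port 88.
#    Windows Server 2003 defaults to 3 (exempt IKE only); Windows 2000 does
#    not accept 3, so use 1 there. Value meanings per Microsoft KB 811832.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSEC' `
    -Name NoDefaultExempt -Value 3 -Type DWord

# 7. The startup gap from the slide: static policy is enforced only once the
#    IPSEC Services service has loaded it. Windows Server 2003 can keep the
#    stack stateful until then (replies to outbound traffic only).
& netsh ipsec dynamic set config property=bootmode value=stateful | Out-Null

# 8. Assign. Everything not permitted above is now dropped in both directions.
Invoke-IpsecStatic @('set', 'policy', "name=$Policy", 'assign=y')
```

Review the result with `netsh ipsec static show all` and `netsh ipsec dynamic show config`; `netsh ipsec static delete policy name=InfraPacketFilter` removes it. Because the block filter is mirrored, the server can no longer initiate anything except to its domain controllers, so add outbound permits for DNS forwarders, WINS replication partners and the monitoring server before assigning.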
Hardening File & Print Servers
• File and Print Group Policy
 – Foundation: Member Server Baseline Policy
 – Incremental GP
  • Modifying security options
   – Print server: disable "Digitally sign communications (always)"
  • System service adjustments
   – File server: enable DFS and File Replication
   – Print server: enable Print Spooler
• Additional security settings
 – Port blocking with IPsec filters
  • Utilize Terminal Services for remote management
  • Management tools may have specific port needs
   – Example: Microsoft Operations Manager
Hardening IIS Servers
• Secure by default
 – IIS is no longer a default installation
 – The initial installation is a highly secure, "locked down" configuration
• Web server Group Policy
 – Foundation: Member Server Baseline Policy
 – Modifying system services
• Additional security settings
 – IIS
  • Installation of required IIS components only
  • Enabling essential web service extensions
  • Granting web site permissions
  • Configuring IIS logging
 – Dedicating a disk for content
 – Setting file-level permissions
 – IPsec port filtering
  • Tip: configure outbound filtering for IIS servers on the external interface
Hardening Certificate Services
• An air gap to the root CA is paramount to security
• PKI Group Policy
 – Foundation: Member Server Baseline Policy
 – Security options
 – System service adjustments
• Certificate server
 – Use FIPS-compliant algorithms for encryption, hashing and signing
 – HSM: Luna, nCipher
• Additional security settings
 – Setting file system ACLs on certificate server folders
  • Establish file-level auditing
 – Separating the certificate database and logs
Hardening Bastion Hosts
• Servers accessible publicly
• Bastion host Group Policy
 – Rarely domain members: local policy required
 – Foundation: Member Server Baseline Policy
 – Tip: deny the network logon right to sensitive accounts
 – System service adjustments; disabled:
  • Automatic Updates and Background Intelligent Transfer Service
  • DHCP Client and Net Logon
  • Plug and Play
  • Remote administration and Remote Registry
  • Server and Terminal Services
• Additional security settings
 – Essential network protocols only
  • Disable SMB
  • Disable NetBIOS over TCP/IP
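The bastion host slide lists the services to switch off and the two protocols to remove from the stack. The following PowerShell is an added example, not the deck's or the guide's: it applies that list to a stand-alone Windows Server 2003 host, turns off NetBIOS over TCP/IP through WMI, unbinds direct-hosted SMB (TCP 445) and provides a post-reboot check. The Windows service short names are real; mapping the slide's "Remote administration" bullet to Remote Registry alone is my assumption, as is PowerShell 2.0 being installed.

```powershell
# Added example (not from the deck). Implements the bastion-host service
# lockdown the slide lists on a stand-alone Windows Server 2003 host and
# removes NetBIOS over TCP/IP and direct-hosted SMB from the listening stack.
# Run elevated from the console: this removes every remote-management path.

$DisableServices = @(
    'wuauserv',        # Automatic Updates
    'BITS',            # Background Intelligent Transfer Service
    'Dhcp',            # DHCP Client (a bastion host has a static address)
    'Netlogon',        # Net Logon (not a domain member)
    'PlugPlay',        # Plug and Play: no new hardware until re-enabled
    'RemoteRegistry',  # Remote Registry (assumed mapping of "remote administration")
    'LanmanServer',    # Server (SMB file and print sharing)
    'TermService'      # Terminal Services
)

function Disable-BastionServices {
    # Stops and disables each listed service. Services that are not installed
    # are reported rather than skipped silently, so the list stays auditable.
    foreach ($name in $DisableServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Warning "$name is not installed on this host"; continue }
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force }
        Set-Service -Name $name -StartupType Disabled
    }
}

function Disable-NetbiosOverTcp {
    # Win32_NetworkAdapterConfiguration.SetTcpipNetbios: 0 = from DHCP,
    # 1 = enabled, 2 = disabled. Return 0 = done, 1 = done after reboot.
    # Returns the adapters that refused the change (empty = success).
    $failed = @()
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($nic in $nics) {
        $rc = $nic.SetTcpipNetbios(2).ReturnValue
        if ($rc -gt 1) { $failed += "$($nic.Description): rc=$rc" }
    }
    return $failed
}

function Disable-DirectHostedSmb {
    # Disabling the Server service stops sharing, but TCP 445 stays bound by
    # the SMB device. SMBDeviceEnabled=0 unbinds it after a reboot.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' `
        -Name SMBDeviceEnabled -Value 0 -Type DWord
}

function Get-SmbListeners {
    # Post-reboot check: returns any remaining TCP listener on 139 or 445.
    netstat -an | Where-Object { $_ -match '^\s*TCP\s+\S+:(139|445)\s+\S+\s+LISTENING' }
}

# Usage:
#   Disable-BastionServices
#   Disable-NetbiosOverTcp
#   Disable-DirectHostedSmb
#   shutdown /r /t 0          # then confirm Get-SmbListeners returns nothing
```

Disabling Terminal Services and the Server service together means the box is administered at the console (or through an out-of-band path) from then on, which is the point of a bastion host; decide that before running the script, not after.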
Guide to Threat Mitigation
• Using this guide
 – The majority of security-related settings are applied through Group Policy
  • Not all countermeasures are available through GPOs: understand registry editing
 – Increasing security typically means a decrease in functionality
• Mitigating top vulnerabilities
 – Denial of service: securing the stack
 – Password policies: providing high security
 – Logging: tracking successful or failed attacks
 – Decrease the attack surface!
Default Install: Mitigate DoS Attacks
• Mitigating DoS risks
 – Registry: SYN flood attack protection
  • Vulnerability: simple SYN flood attack
  • Countermeasure: accelerate connection timeout when SYN flood attacks are detected
 – Registry: keep-alive time
  • Vulnerability: numerous connections exhaust resources
  • Countermeasure: establish a maximum keep-alive time for inactive connections
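Both countermeasures on this slide are values under the Tcpip\Parameters registry key. The following PowerShell is an added example, not the deck's or the guide's own script: it applies SynAttackProtect and KeepAliveTime together with the related stack settings the Threats and Countermeasures guide covers, and reads them back so drift shows up. The numeric choices are one defensible profile for a server on a hostile network, not the only correct ones; PowerShell 2.0 is assumed.

```powershell
# Added example (not from the deck). Applies the TCP/IP stack denial-of-service
# countermeasures the slide refers to (SynAttackProtect, KeepAliveTime) with the
# related values the Threats and Countermeasures guide covers, and reads them
# back. Run elevated; Tcpip\Parameters changes take effect after a reboot.

$Tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$NetBT = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'

$Desired = @(
    # SYN flood: once half-open connections pass the two thresholds, the stack
    # retransmits SYN-ACK less often and times half-open entries out quickly.
    # Windows Server 2003 SP1 turns SynAttackProtect on by default; earlier
    # builds and Windows 2000 leave it off.
    @{ Path = $Tcpip; Name = 'SynAttackProtect';                     Value = 1 }
    @{ Path = $Tcpip; Name = 'TcpMaxHalfOpen';                       Value = 500 }
    @{ Path = $Tcpip; Name = 'TcpMaxHalfOpenRetried';                Value = 400 }
    @{ Path = $Tcpip; Name = 'TcpMaxConnectResponseRetransmissions'; Value = 2 }
    # Idle-connection exhaustion: probe idle peers after 5 minutes (value in
    # milliseconds) instead of the 2-hour default, so dead peers are reaped.
    @{ Path = $Tcpip; Name = 'KeepAliveTime';                        Value = 300000 }
    # Fewer retries before a stalled send is abandoned (default 5).
    @{ Path = $Tcpip; Name = 'TcpMaxDataRetransmissions';            Value = 3 }
    # Network-layer nuisances a LAN attacker can use to reroute or black-hole
    # the server: ICMP redirects, source routing, router discovery and
    # dead-gateway detection.
    @{ Path = $Tcpip; Name = 'EnableICMPRedirect';                   Value = 0 }
    @{ Path = $Tcpip; Name = 'DisableIPSourceRouting';               Value = 2 }
    @{ Path = $Tcpip; Name = 'PerformRouterDiscovery';               Value = 0 }
    @{ Path = $Tcpip; Name = 'EnableDeadGWDetect';                   Value = 0 }
    # Refuse NetBIOS name-release datagrams, which otherwise let any host on
    # the segment knock the server's name offline.
    @{ Path = $NetBT; Name = 'NoNameReleaseOnDemand';                Value = 1 }
)

function Set-StackHardening {
    # Writes every value as REG_DWORD; creates the key if a test image lacks it.
    foreach ($s in $Desired) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type DWord
    }
}

function Test-StackHardening {
    # Returns one record per setting. An absent value reads as $null, which
    # means the stack is running on its built-in default for that parameter.
    foreach ($s in $Desired) {
        $item = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        $actual = $null
        if ($item) { $actual = $item.($s.Name) }
        New-Object PSObject -Property @{
            Name      = $s.Name
            Expected  = $s.Value
            Actual    = $actual
            Compliant = ($actual -eq $s.Value)
        }
    }
}

# Usage (then reboot):
#   Set-StackHardening
#   Test-StackHardening | Where-Object { -not $_.Compliant } | Format-Table Name, Expected, Actual
```

Run Test-StackHardening on every server in the role before and after the change; a host where SynAttackProtect reads $null is one where nobody has touched the stack, and a host where it reads 0 is one where somebody turned the protection off on purpose.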
Secure Password Policies
• Establishing high security for passwords
 – Group Policy: enforce password history
  • Vulnerability: frequent password reuse reduces the effectiveness of enterprise password policies
  • Countermeasure: set a password history value of 24
 – Group Policy: maximum password age
  • Vulnerability: brute-force password attacks and misuse of a wrongfully obtained password
  • Countermeasure: establish a maximum password age of between 30 and 60 days
 – Group Policy: password complexity requirements
  • Vulnerability: alphanumeric passwords are easily cracked
  • Countermeasure: longer is better; use at least 3 of the 5 character classes; think passphrase
Comprehensive Logging
• Establishing audit policies
 – Logging features
  • Vulnerability: it is generally preferable to know when attacks happen
  • Countermeasure: set all logging features active
 – Group Policy: retention methods for event logs
  • Vulnerability: a delicate balance exists between log size and maintaining relevant log history
  • Countermeasure: set logs to overwrite as necessary; use a log collection system
 – Registry: delegating access to event logs
  • Vulnerability: unintentional deletion or malicious cover-up of security log data
  • Countermeasure: grant read-only access to certain IT members, full access to trusted security operators
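The Member Server Baseline Policy, the password policy and the logging settings on the last three slides are all expressible as one security template. The following PowerShell is an added example, not the guide's own template: it writes such a template (password history and age, audit policy, security log size and retention, the "deny logon from the network" right for service accounts, and the LM compatibility, NoLMHash, RestrictAnonymous and SafeDllSearchMode security options), applies it with secedit, and reads the live policy back to confirm. The CONTOSO account names and the numeric values are assumptions; PowerShell 2.0 is assumed.

```powershell
# Added example (not from the deck or the guide). Encodes the Member Server
# Baseline settings from the slides as a security template, applies it with
# secedit and reads the effective policy back. Run elevated.

$TemplatePath = Join-Path $env:TEMP 'MemberServerBaseline.inf'
$DatabasePath = Join-Path $env:TEMP 'MemberServerBaseline.sdb'

$Template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
; 24 remembered passwords; 42-day maximum age; 1-day minimum age so a user
; cannot cycle through 24 changes in a minute to get the old password back.
PasswordHistorySize = 24
MaximumPasswordAge = 42
MinimumPasswordAge = 1
MinimumPasswordLength = 14
PasswordComplexity = 1
ClearTextPassword = 0
LockoutBadCount = 50
ResetLockoutCount = 30
LockoutDuration = 30
[Event Audit]
; 0 = none, 1 = success, 2 = failure, 3 = success and failure
AuditAccountLogon = 3
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPolicyChange = 3
AuditAccountManage = 3
AuditPrivilegeUse = 2
AuditSystemEvents = 3
AuditProcessTracking = 0
AuditDSAccess = 0
[Security Log]
; Size in KB. AuditLogRetentionPeriod 0 = overwrite as needed (the slide's
; choice, paired with a log collector); 2 = never overwrite. Repeat the
; section for [Application Log] and [System Log] with smaller sizes.
MaximumLogSize = 81920
AuditLogRetentionPeriod = 0
RestrictGuestAccess = 1
[Privilege Rights]
; Placeholder service accounts; names are resolved to SIDs at import.
SeDenyNetworkLogonRight = CONTOSO\svc_backup,CONTOSO\svc_monitor
[Registry Values]
; Syntax is path=type,value with 4 = REG_DWORD.
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode=4,1
'@

function Install-Baseline {
    # secedit reads a UTF-16 template; -Encoding Unicode writes one.
    Set-Content -Path $TemplatePath -Value $Template -Encoding Unicode
    & secedit /configure /db $DatabasePath /cfg $TemplatePath /overwrite /quiet
    if ($LASTEXITCODE -ne 0) {
        throw "secedit /configure failed ($LASTEXITCODE); see $env:windir\security\logs\scesrv.log"
    }
}

function Get-LivePolicy {
    # Exports the effective local policy and parses 'name = value' lines.
    $export = Join-Path $env:TEMP 'LivePolicy.inf'
    & secedit /export /cfg $export /areas SECURITYPOLICY /quiet | Out-Null
    $live = @{}
    foreach ($line in Get-Content -Path $export -Encoding Unicode) {
        if ($line -match '^\s*([^;\[][^=]*?)\s*=\s*(.*?)\s*$') { $live[$matches[1]] = $matches[2] }
    }
    return $live
}

function Test-Baseline {
    # Compares the template's password and registry lines with the live export.
    # Returns the lines that differ; an empty result means the host complies.
    $live  = Get-LivePolicy
    $drift = @()
    foreach ($line in $Template -split "`n") {
        if ($line -match '^(Password|MaximumPasswordAge|MinimumPassword|ClearTextPassword|MACHINE\\)') {
            $name, $want = ($line -split '=', 2) | ForEach-Object { $_.Trim() }
            if ($live[$name] -ne $want) { $drift += "$name expected '$want', got '$($live[$name])'" }
        }
    }
    return $drift
}

# Usage:
#   Install-Baseline
#   Test-Baseline        # returns nothing when every checked setting matches
```

Two caveats worth knowing before relying on this. The [System Access] values govern local accounts on a member server; domain accounts take their password and lockout policy from the domain's Default Domain Policy, so the same settings must be set there as well. And NoLMHash only stops new LM hashes from being stored; hashes already in the SAM or the directory remain until each user next changes a password, which the 42-day maximum age forces within one cycle.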
Summary
• The default configuration is appropriate for a trusted environment
• The Windows Server 2003 Security Guide documents hardening
• Key point: optimal security requires a thorough understanding of the environment
Windows Server 2008 Security Guide
• The default installation of Windows Server 2008 does not provide any services to the network.
• Server Manager provides a single source for managing a server's identity and system information, displaying server status, identifying problems with server role configuration, and managing all roles installed on the server.
• You can use the Security Configuration Wizard (SCW) to help ensure that the servers remain configured as intended.
Server Manager
• Replaces several features included with Windows Server 2003, including Manage Your Server, Configure Your Server, and Add or Remove Windows Components.
• Roles are configured with Microsoft-recommended security settings by default.
• Server Manager also automatically configures any firewall rules that are required to support the new role.
Server Core
• Helps reduce the attack surface of the supported server roles by installing only a subset of the binary files that a server requires to operate
• The Explorer shell and Microsoft Internet Explorer® cannot be installed
• Requires only about 1 GB of space on the server's hard disk drive to install, and an additional 2 GB for normal operations
Reference: Server Core Installation Option of Windows Server 2008 Step-By-Step Guide
Tips
• "Deny logon from the network" protects sensitive accounts: a service account's password can leak without giving the attacker a remote logon
• NoDefaultExempt ensures IPsec policies are effective: without it, Kerberos and RSVP traffic passes regardless of the filters
• SafeDllSearchMode closes the DLL-planting vector Nimda used, by searching the system directories before the current directory
• RestrictAnonymous protects sensitive information: no anonymous enumeration of accounts and shares
• Outbound IPsec filters make additional compromise very hard: a compromised server cannot reach out to the rest of the network
• NoLMHash stops storing the weak LAN Manager hash, so an attacker is left cracking the far stronger NT hash
Resources from Microsoft
To locate a partner who can help with Microsoft security:
• Microsoft Certified Providers Directory: http://mcspreferral.microsoft.com/
• Microsoft Consulting Services: http://www.microsoft.com/BUSINESS/services/mcs.asp
For training and certification questions:
• Microsoft Training and Certification: http://www.microsoft.com/training
For technical information:
• Security information on Microsoft products: http://www.microsoft.com/technet/security
• Windows Server 2003: http://www.microsoft.com/windowsserver2003/
• Threats and Countermeasures in Windows Server 2003 and Windows XP: http://go.microsoft.com/fwlink/?LinkId=15160
• MBSA: http://www.microsoft.com/technet/security/tools/Tools/mbsahome.asp
• Windows Server 2003 Security Guide: http://go.microsoft.com/fwlink/?LinkId=14846
• Windows XP Security Guide: http://go.microsoft.com/fwlink/?LinkId=14840
• Windows Server 2008 Security Guide
For security guidance and training:
• Securing Windows 2000 Server Security Solution: http://www.microsoft.com/technet/security/prodtech/Windows/SecWin2k/Default.asp
• Windows 2000 Security Hardening Guide: http://www.microsoft.com/technet/security/prodtech/Windows/Win2kHG.asp
Attend a free chat or webcast:
• http://www.microsoft.com/communities/chats/default.mspx
• http://www.microsoft.com/usa/webcasts/default.aspx
List of newsgroups: http://communities2.microsoft.com/communities/newsgroups/en-us/default.mspx
Locate local user groups: http://www.microsoft.com/communities/usergroups/default.mspx
MS community sites: http://www.microsoft.com/communities/default.mspx
Delhi IT Pro Community: http://groups.msn.com/ITDelhiUG
© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.