10 steps to harden Windows Server 2008
Tuesday, 2 December 2008 by Daniel De Carvalho
Ever since its debut, Microsoft Windows 2008 Server has awed security and systems administrators with its complex and innovative features. With threats becoming more imminent and efficient each day, security and system administrators face the tedious task of protecting Microsoft's new giant. In this article we compiled some of the industry's best practices, such as NIST, to show you some of the features and ways to reduce your Windows 2008 servers' exposure. Also, I have outlined some of the new features that Windows Server 2008 provides.

1. Configure a security policy

The first step in securing the 2008 server is to configure a security policy. In order to configure a security policy, you will need to use the SCW (Security Configuration Wizard), which can be installed through "Add and Remove Windows Components". The SCW detects ports and services, and configures registry and audit settings according to the server's "role" or installed applications. The SCW uses a set of XML templates which can easily be deployed and managed. Administrators can create custom profiles and deploy them using a set of XML files; the server's operating system will be changed according to the profile or template selected.

By using the version of SCW in Windows Server 2008, you can:
* Disable unneeded services based on the server role.
* Remove unused firewall rules and constrain existing firewall rules.
* Define restricted audit policies.

The version of SCW in Windows Server 2008 includes over 200 server role configurations and security settings, more than the version of SCW in Windows Server 2003.

2. Disable or delete unnecessary accounts, ports and services

Attackers often gain access to servers through unused or unconfigured ports and services. To limit entry points, server hardening includes blocking unused ports and protocols as well as disabling services that are not required. Although this can be done as seen above using the SCW, the server administrator would need to double check that all the services are configured properly and that only the necessary ports are open.

During the installation of the 2008 server, three local user accounts are automatically created by default: the Administrator, Guest and Help Assistant. The Administrator account bears high privileges and requires special diligence. As a security best practice the Administrator account should be disabled or renamed to make it more difficult for an attacker to gain access. Both the Guest and Help Assistant accounts provide an easy target for attackers, who exploited this vulnerability before on the earlier Windows Server 2003. These accounts should be disabled at all times.
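As an added example (not from the original post), the following PowerShell script applies the account part of this step and produces the service and listening-port inventory that the administrator still has to review by hand. It assumes PowerShell 2.0 or later run with local administrator rights, and the new Administrator name is a placeholder to replace.

```powershell
# Added example, not from the original post. Assumes PowerShell 2.0+ run elevated.
$NewAdminName = 'SrvAdm-Placeholder'   # placeholder: choose your own non-obvious name

# Built-in accounts are identified by the RID at the end of their SID, so the
# check still works after a rename: -500 = Administrator, -501 = Guest.
$local = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True"
foreach ($acct in $local) {
    if ($acct.SID -match '-500$' -and $acct.Name -eq 'Administrator') {
        $acct.Rename($NewAdminName) | Out-Null
        Write-Output "Renamed built-in Administrator to $NewAdminName"
    }
    elseif ($acct.SID -match '-501$' -or $acct.Name -eq 'HelpAssistant') {
        if (-not $acct.Disabled) {
            $acct.Disabled = $true
            $acct.Put() | Out-Null
            Write-Output "Disabled account $($acct.Name)"
        }
    }
}

# Services that start automatically: each one should map to the server's role.
Write-Output "`nAuto-start services (review against the server role):"
Get-WmiObject -Class Win32_Service -Filter "StartMode='Auto'" |
    Sort-Object Name |
    ForEach-Object { Write-Output ("  {0,-35} {1,-8} {2}" -f $_.Name, $_.State, $_.StartName) }

# Listening TCP ports from netstat: fields are Proto, Local, Foreign, State, PID.
Write-Output "`nListening TCP ports (only the necessary ones should be open):"
netstat -ano -p tcp | Select-String 'LISTENING' | ForEach-Object {
    $f = ($_.Line -split '\s+') | Where-Object { $_ -ne '' }
    Write-Output ("  {0,-25} PID={1}" -f $f[1], $f[4])
}
```

Every auto-start service and listening port that does not belong to the server's role is a candidate for the SCW policy or for manual disabling.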
3. Uninstall Unnecessary Applications

Remember, your server is a vital part of your network and of the services that you provide. The number of applications installed on these servers should be role related and kept to a minimum. Some applications make use of service backdoors, which can sometimes compromise the overall security of the server. It is a good idea to test these applications out in a separate environment before deploying them on the production network. After installing each application, make sure that you double check whether the application created any firewall exception or created a service user account.

* Microsoft SysInternals Tools: Microsoft provides a set of tools which can be used to monitor the server's activity. These tools include REGMON, FILEMON, Process Explorer and Root Kit Revealer. These tools are great for understanding what a certain application or software does "under the sheets".
* Belarc Advisor: The Belarc Advisor "builds a detailed profile of your installed software and hardware, missing Microsoft hot fixes, anti-virus status, and displays the results in your Web browser." This tool is free for personal use. Commercial, government, and non-profit organizations should look at their other products, which include many more features for managing security on multiple computers.

4. Configure the Windows 2008 Firewall

Windows 2008 server comes with a phenomenal built-in firewall called the Windows Firewall with Advanced Security. As a security best practice, all servers should have their own host based firewall. This firewall needs to be double checked to see that there are no unnecessary rules or exceptions.

* GUI interface: an MMC snap-in available for the Advanced Firewall Configuration.
* Bi-directional filtering: the firewall now filters outbound traffic as well as inbound traffic.
* IPSEC operability: now the firewall rules and IPSEC encryption configurations are integrated into one interface.
* Advanced Rules configuration: you can create firewall rules using Windows Active Directory objects, destination IP addresses and protocols.
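The "double check for unnecessary rules" above can be scripted. This added PowerShell example (not from the original post) reads the Windows Firewall with Advanced Security through its COM interface, HNetCfg.FwPolicy2, which exists on Vista and Server 2008 and later, and prints the per-profile defaults plus every enabled rule that allows inbound traffic. It assumes PowerShell 2.0 or later and makes no changes.

```powershell
# Added example, not from the original post. Read-only review of the firewall
# via the HNetCfg.FwPolicy2 COM object. Assumes PowerShell 2.0+.
$fw = New-Object -ComObject HNetCfg.FwPolicy2

# Profile ids used by the COM API: 1 = Domain, 2 = Private, 4 = Public.
$profiles = @{ 1 = 'Domain'; 2 = 'Private'; 4 = 'Public' }
foreach ($id in 1, 2, 4) {
    $enabled = $fw.FirewallEnabled($id)
    # DefaultInboundAction: 0 = Block, 1 = Allow. Unsolicited inbound should be blocked.
    $inbound = if ($fw.DefaultInboundAction($id) -eq 0) { 'Block' } else { 'ALLOW (weak)' }
    Write-Output ("{0,-8} enabled={1,-5} default inbound={2}" -f $profiles[$id], $enabled, $inbound)
}

# Every enabled rule that lets traffic in (Direction 1 = inbound, Action 1 = allow)
# is an exception that must be justified by the server's role.
Write-Output "`nEnabled inbound allow rules:"
$fw.Rules |
    Where-Object { $_.Enabled -and $_.Direction -eq 1 -and $_.Action -eq 1 } |
    Sort-Object Name |
    ForEach-Object {
        # Protocol is numeric: 6 = TCP, 17 = UDP, 256 = any
        Write-Output ("  {0,-45} proto={1,-3} ports={2,-12} remote={3}" -f `
            $_.Name, $_.Protocol, $_.LocalPorts, $_.RemoteAddresses)
    }
```

A rule whose remote address is "*" and whose ports are "*" deserves particular scrutiny; the recommended profile defaults can be restored with the built-in command netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound.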
5. Configure Auditing

In Windows Server 2008 the auditing policy is more granular. One of the most significant changes in Windows Server 2008 auditing is that now you can not only audit who and what attribute was changed but also what the new and old value was. This is significant because you can now tell why it was changed and, if something doesn't look right, you're able to easily find what it should be restored to. Another significant change is that in past Server versions you were only able to turn the auditing policy on or off for the entire Active Directory structure.

As a security best practice, the following events should be logged and audited on the Windows Server 2008:
* Audit account logon events
* Audit account management
* Audit directory service access
* Audit logon events
* Audit object access
* Audit policy change
* Audit privilege use
* Audit process tracking
* Audit system events

Log events in the Event Viewer have registered event ID numbers. After a server or application deployment, these numbers can be used to troubleshoot the server. http://www.eventid.net/ is a good site which aids security and system administrators in finding out what actually happened with their servers. A best practice would also be to forward these audit logs to a centralized server as required by PCI DSS 10.3 and other industry standards. Windows Server 2008 offers a native log subscription feature which forwards all system and security audit logs to a centralized server.
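The nine policy categories listed above map one-to-one onto the categories that auditpol.exe (built into Windows Server 2008) manages. This added PowerShell example (not from the original post) enables success and failure auditing for each of them and then verifies that no subcategory is left at "No Auditing"; it assumes PowerShell 2.0 or later run elevated.

```powershell
# Added example, not from the original post. Assumes PowerShell 2.0+ run elevated.
# auditpol category names on Windows Server 2008, with the legacy policy name
# from the list above shown in the comment.
$categories = @(
    'Account Logon',       # Audit account logon events
    'Account Management',  # Audit account management
    'DS Access',           # Audit directory service access
    'Logon/Logoff',        # Audit logon events
    'Object Access',       # Audit object access
    'Policy Change',       # Audit policy change
    'Privilege Use',       # Audit privilege use
    'Detailed Tracking',   # Audit process tracking
    'System'               # Audit system events
)

foreach ($cat in $categories) {
    # Enable both success and failure auditing for every subcategory in the category.
    & auditpol.exe /set /category:"$cat" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol failed for category '$cat'" }
}

# Verify: dump the effective policy and list any subcategory still not audited.
$gaps = & auditpol.exe /get /category:* | Select-String 'No Auditing'
if ($gaps) {
    $gaps | ForEach-Object { Write-Output "Not audited: $($_.Line.Trim())" }
} else {
    Write-Output 'All subcategories in the nine categories are audited.'
}
```

Success auditing across all of Object Access (the Filtering Platform subcategories in particular) generates a very large event volume, so tune individual subcategories afterwards, for example auditpol /set /subcategory:"Filtering Platform Connection" /success:disable, and size the Security log accordingly before forwarding it.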
6. Disable unnecessary shares

Unnecessary shares pose a great threat to vital servers. System and security administrators should check to see if the server has any unnecessary shares. This can be done using the following command:
· net share
This will display a list of all shares on the server:

C:\Documents and Settings>net share

Share name   Resource                        Remark
-------------------------------------------------------------------------------
ADMIN$       C:\WINDOWS                      Remote Admin
C$           C:\                             Default share
IPC$                                         Remote IPC

If there is a need to use a share, system and security administrators should configure the share as a hidden share and harden all NTFS and Share permissions. In order to create a hidden share, put a $ sign after the share name. Example:
· Accounting$
The share will still be accessible, however it will not be easily listed through the network.
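The share review in this step can be automated. This added PowerShell example (not from the original post) reads the same information as "net share" from WMI, skips the built-in administrative shares, flags every remaining share that is not hidden, and prints each share's share-level ACL so the permissions can be hardened. It assumes PowerShell 2.0 or later.

```powershell
# Added example, not from the original post. Assumes PowerShell 2.0+.
# Win32_Share.Type: 0 = disk, 1 = print, 3 = IPC; the high bit (0x80000000)
# marks the built-in administrative shares such as ADMIN$, C$ and IPC$.
$ADMIN_FLAG = 2147483648

$shares = Get-WmiObject -Class Win32_Share
foreach ($s in $shares) {
    $isAdmin = ([long]$s.Type -band $ADMIN_FLAG) -ne 0
    if ($isAdmin) { continue }   # built-in administrative shares are handled by policy

    # A trailing $ hides the share from browse lists, as described above.
    $tag = if ($s.Name.EndsWith('$')) { 'hidden' } else { 'VISIBLE' }
    Write-Output ("{0,-8} {1,-20} {2}" -f $tag, $s.Name, $s.Path)

    # Share-level DACL: each ACE is a trustee, an allow/deny type and an access mask.
    $sec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$($s.Name)'"
    if ($sec) {
        $sd = $sec.GetSecurityDescriptor().Descriptor
        foreach ($ace in $sd.DACL) {
            $kind = if ($ace.AceType -eq 0) { 'allow' } else { 'deny ' }
            Write-Output ("    {0} {1}\{2}  mask=0x{3:X}" -f $kind, $ace.Trustee.Domain, $ace.Trustee.Name, $ace.AccessMask)
        }
    }
}
```

A share whose DACL grants Everyone full control (mask 0x1F01FF) is the usual finding; a hidden share with restricted share permissions can be created with net share Accounting$=D:\Accounting /GRANT:"CORP\Accounting",CHANGE, where the path and group are placeholders.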
7. Configure Encryption on 2008 server

Industry best practices and regulations such as HIPAA and GLBA require that certain servers which host sensitive information make use of encryption. Windows Server 2008 provides a built-in whole disk encryption feature called BitLocker Drive Encryption (BitLocker). In Windows Server 2008, BitLocker protects the operating system and data stored on the disk. BitLocker is an optional component that must be installed before it can be used. To install BitLocker, select it in Server Manager or type the following at a command prompt:
· ServerManagerCmd -install BitLocker -restart
8. Updates & Hot fixes

Updates and hot fixes are key elements when hardening a server. System and security administrators should be constantly updating and patching their servers against zero day vulnerabilities. These patches are not limited to the operating system, but also cover any application which is hosted on them. Administrators should periodically check the vendors' websites for updates. Windows Server 2008 offers a set of tools which help administrators update and patch their servers.

* WSUS: Windows Server Update Services (WSUS) provides a software update service for Microsoft Windows operating systems and other Microsoft software. By using Windows Server Update Services, administrators can manage the distribution of Microsoft hot fixes and updates released through Automatic Updates to computers in a corporate environment. WSUS helps administrators track the "update health" of each individual server.
* MBSA: Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool designed for the IT professional that helps small- and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Improve your security management process by using MBSA to detect common security misconfigurations and missing security updates on your computer systems.
9. Anti Virus & NAP

Anti Virus software is also a crucial step for hardening a server. Windows Server 2008 offers a set of tools which can help combat unauthorized network access and malicious code execution. Windows Server 2008 offers Network Access Protection (NAP). NAP consists of client-server technology which scans and identifies machines that don't have the latest virus signatures, service packs or security patches. Some of the key functions of a Windows Server 2008 NAP server include:

* Validating Machines: The mission of NAP is to preserve the integrity of the network by allowing only healthy machines to have IP addresses, which helps administrators to stop viruses from spreading out into the network.
* Restricting Network Access: Computers or servers which don't meet the established policy standards can be restricted to a "quarantine" subnet where their security issues are later remediated.
* Fixing Unhealthy Machines: Windows Server 2008 NAP has the ability to direct hosts to a remediation server, where the latest antivirus signatures and patches are deployed through SMS packages. Windows Server 2008 NAP uses a set of policies which clean the affected machines and, when they are healthy, permit them access to parts of your production network.
10. Least privilege

The concept of least privilege has been adopted by many of today's industry standards. Most of the known security breaches are often caused by elevated privileges borne by accounts. A hardened server needs to have all its access reduced to a bare operational minimum. Server services should not be configured using enterprise wide administrator accounts. Windows Server 2008 has a couple of tools which can aid administrators to grant or revoke access to specific sections of the server.

* Script Logic's Cloak: Script Logic Cloak is a product which enhances the Windows NT File System (NTFS) by providing increased security, more accurate audits and a vastly streamlined experience for users of the network.
* Application Security: PolicyMaker is an add-on for the Group Policy Management Console (GPMC). This tool allows administrators to adjust application privilege levels to the lowest possible point in order to limit damages stemming from network attacks or user error. The ability to control security at such a granular level also helps organizations comply with regulatory mandates such as the Sarbanes-Oxley, HIPAA and Gramm-Leach-Bliley acts.

On the next post I will go over each feature described here, creating a step by step guideline on how to configure and install the following features:
* SCW
* BitLocker
* NAP
* Windows Firewall with Advanced Security

Stay Tuned.

Daniel de Carvalho: MCSA, MCSE, MCTS, MCITP: Windows 2008 Enterprise Administrator