Client Login International Blog Contact

HomeCompliance Services

PCI DSSISO 27000 ComplianceHIPAA CompliancePA-DSS ValidationCompliance Framework DevelopmentRisk AssessmentsPenetration TestingSource Code Security AuditPolicies & Procedures Development

Technology SolutionsGRC SolutionsIdentity and Access ManagementFederated IdentityUser ProvisioningStrong AuthenticationSingle Sign-OnData Loss PreventionEncryptionLog ManagementMobile Data Protection

Identity SolutionsIndustries

Financial ServicesHealthcareGovernmentRetailBioTech/PharmaceuticalsEnergy/UtilitiesManufacturing

ClientsAbout

10 steps to harden Windows Server 2008Tuesday, 2 December 2008 by Daniel De Carvalho

Eversince it’s debut, Microsoft Windows 2008 Server hasawed security and systems administrators with its complex and innovative features.With threats becoming each day more immanent and efficient, security system administrators

face the tedious task of protecting Microsoft’s new giant. In this article we compiledsome of the industries best practices such as NIST toshow you some of the features and ways to reduce your windows 2008 servers’ exposure.

1.Configure a security policy

Thefirst step in securing the 2008 server is to configure a security policy. In orderto configure a security policy, you will need to use the SCW (SecurityConfiguration Wizard),which can be installed through “add and remove windows components”. TheSCW detects ports and services, and configures registry and audit settings accordingto the servers “role” or installed applications. The SCW uses a set of XML templateswhich can easily be deployed and managed. Theversion of SCW in Windows Server2008 includes over 200server role configurationsand security settings than the version of SCW in Windows Server2003. Also, byusing the version of SCW in Windows Server2008, you can:

* Disable unneeded services based on the server role.

* Remove unused firewall rules and constrain existing firewall rules.

* Define restricted audit policies.

>>

The

server’s operating system will be changed according to the profile or templateselected.Administratorscan create custom profiles and deploy them using a set o XML files.

2.Disable or delete unnecessary accounts, ports and services

Attackersoften gain access to servers through unused or not configured ports and services.To limit entry points, server hardening includes blocking unused ports and protocolsas well as disabling services that are not required. Although this can be done asseen above using the SCW, the server administrator would need to double check to seeif all the services are configured properly and that only the necessary ports areopen.Duringthe installation of the 2008 server, by default, three local user accounts are automaticallycreated: the Administrator, Guest and Help Assistant. The Administrator account bearshigh privileges, and requires special diligence. As a security best practice the administratoraccount should be disabled or renamed to make it more difficult for an attacker togain access. BothGuest and Help Assistant accounts provide an easy target for attackers which exploitedthis vulnerability before on the earlier Windows Server 2003. Theseaccounts should be disabled at all times.

3.Uninstall Unnecessary Applications

Remember,your server is a vital part of your network and services that you provide. The numberof applications installed on these servers should be role related and set to a minimum.It is a good idea to test these applications out in a separate environment beforedeploying them on the production network. Some applications make use of service backdoors,which can sometimes compromise the overall security of the server. After installingeach application, make sure that you double check to see if the application createdany firewall exception or created a service user account.

* BelarcAdvisor :The Belarc Advisor “builds a detailed profile of your installed software andhardware,missing Microsoft hot fixes, anti-virus status, and displays the results in your Webbrowser.” This tool is free for personal use. Commercial, government, and non-profitorganizations should look at their other products which include many more featuresfor managing security on multiple computers.

*Microsoft SysInternal Tools:Microsoft provides a set of tools which can be used to monitor the server’s activity.These tools include: REGMON, FILEMON,Process Explorer, Root Kit Revealer. These tools are great for understanding whata certain application or software does “under the sheets”.

4.Configure the windows 2008 Firewall

Windows2008 server comes with a phenomenal built in firewall called the Windows Firewallwith Advanced Security. As a security best practice, all servers should have its ownhost based firewall. This firewall needs to be double checked to see if there areno unnecessary rules or exceptions. I have outlined some of the new features thatthe Windows Server 2008 provides.

* GUIinterface:a MMC snap-in available for the Advanced Firewall Configuration.

* Bi-directionalfiltering:the firewall now filters outbound traffic as well as inbound traffic.

* IPSECoperability:now the firewall rules and IPSEC encryption configurations are integrated into oneinterface.

* AdvancedRules configuration:you can create firewall rules using Windows Active Directory objects, source amp;destination IP addresses and protocols.

5.

Configure Auditing

Oneof the most significant changes on WindowsServer 2008 auditing is that now you can not only audit who and what attributewas changed but also what the new and old value was.

Thisis significant because you can now tell why it was changed and if something doesn’tlook right you’re able to easily find what it should be restored to.

Anothersignificant change is that in the past Server versions you were only able to turnauditing policy on or off for the entire Active Directory structure. In Windows Server2008 the auditing policy is more granular.

Asa security best practice, the following events should be logged and audited on theWindows Server 2008.

*Audit account logon events

*Audit account management

*Audit directory service access

*Audit logon events

*Audit object access

*Audit policy change

*Audit privilege use

*Audit process tracking

*Audit system events

Most

log events on the event viewer have registered incident ID numbers; these numberscan be used to troubleshoot the server. http://www.eventid.net/ isa good site which aids security and system administrators in finding out what actuallyhappened with their servers. A best practice would also be to forward these auditlogs to a centralized server as required by PCIDSS 10.5.3 and other industry standards. WindowsServer 2008 offers a native log subscription feature which forwards all systemand security audit logs to a centralized server.

6.Disable unnecessary shares

Unnecessaryshares pose a great threat to vital servers. After a server or application deployment,system and security administrators should check to see if the server has any unnecessaryshares. This can be done using the followingcommand:

· NetShare

Thiswill display a list of all shares on the server. If there is a need to use a share,system and security administrators should configure the share as a hidden share andharden all NTFS and Share permissions.

C:\Documentsand Settingsgt;net share

Sharename Resource Remark

——————————————————————————-ADMIN$ C:\WINDOWS RemoteAdmin

C$ C:\ Default

share

IPC$ RemoteIPC

Inorder to create a hidden share, put a $ signafter the share name. The share will still be accessible; however it will not be easilylisted through the network. Example:

· Accounting$

7.Configure Encryption on 2008 server

Accordingto industry best practices, such as HIPAA and GLBA requirethat certain servers which host sensitive information should make use of encryption. WindowsServer 2008 provides a built in whole disk encryption feature called BitLockerDrive Encryption (BitLocker). BitLocker protects the operating system and datastored on the disk. In Windows Server 2008, BitLocker is an optional component thatmust be installed before it can be used. To install BitLocker, select it in ServerManager or type the following at a command prompt:

· ServerManagerCmd-install BitLocker –restart

8.Updates amp; Hot fixes

Updatesand hot fixes are key elements when hardening a server. System and security administratorsshould be constantly updating and patching their servers against zero day vulnerabilities.These patches are not limited to the operating system, but also any application whichis hosted on them. Administrators should periodically check the vendor’s websitesfor updates. Windows Server 2008 offers a set of tools which helps administrator updateand patch their servers.

·* WSUS: WindowsServer Update Services (WSUS) provides a softwareupdate service for MicrosoftWindows operatingsystems and other Microsoft software. By using Windows Server Update Services,administrators can manage the distribution of Microsoft hotfixes and updates released through AutomaticUpdates to computers in a corporate environment. WSUS helps administratorstrack the “update health” of each individual server.

·* MBSA: MicrosoftBaseline Security Analyzer (MBSA) is an easy-to-use tool designed for the ITprofessionalthat helps small- and medium-sized businesses determine their security state inaccordancewith Microsoft security recommendations and offers specific remediation guidance.Improve your security management process by using MBSA to detect common securitymisconfigurationsand missing security updates on your computer systems.

9.

Anti Virus amp; NAP

AntiVirus software is also a crucial step for hardening a server. Windows Server 2008offers a set of tools which can help combat unauthorized network access and maliciouscode execution.

WindowsServer 2008 offers a Network Access Protection (NAP), which helps administrators toisolate viruses from spreading out into the network. Windows server 2008 NAP usesa set of policies which cleans the affected machines and when they are healthy, permitsthem access to parts of your production network.

NAPconsists of client server technology which scans and identifies machines that don’thave the latest virus signatures, service packs or security patches.Some ofthe key functions of a Windows Server 2008 NAP server includes:

* ValidatingMachines:The mission of NAP is to preserve the integrity of the network by allowingonly healthymachines to have IP addresses.

* RestrictingNetwork Access:Computers or servers which don’t meet the established policy standards can berestrictedto a “quarantine” subnet where they would later be remediate the securityissues.

* FixingUnhealthy Machines:Windows Server 2008 NAP has the ability to direct hosts to a remediationserver, wherethe latest antivirus signatures and patches are deployed through SMS packages.

10.Least Privilege

Theconcept of least privilege has been adopted by many of today’s industry standards.A hardened server needs to have all its access reduced to a bare operational minimum.Most of the known security breaches are often caused by elevated privileges baredby accounts. Server services should not be configured using enterprise wide administratoraccounts. Windows Server 2008 has a couple of tools which can aid administrator togrant or revoke access to specific sections of the server.

* ScriptLogic’s Cloak: ScriptLogic Cloak is a product which enhances the Windows NT File System (NTFS) by providingincreased security,more accurate audits and a vastly streamlined experience for users of the network.

* PolicyMaker

Application Security: PolicyMakeris an add-onfor the Group Policy Management Console (GPMC). This tool allows administrators toadjust application privilege levels to the lowest possible point in order to limitdamages stemming from network attacks or user error. The ability to control securityat such a granular level also helps organizations comply with regulatory mandatessuch as the Sarbanes-Oxley, HIPAA and Gramm-Leach-Bliley acts.

Onthe next Post I will go over each feature here described, creating a setp by stepguideline on how to configure and install the following features:

*SCW

*Bitlocker

*NAP

*Windows Firewall with Advanced Security

Stay Tuned.

Daniel de Carvalho : MCSA, MCSE, MCTS, MCITP: Windows 2008 Enterprise Administrator

Share and Enjoy:

Leave a Reply

Name (required)

Mail (will not be published) (required)

Website

Submit Comment

Blog Search Go

Tevora Blog

CategoriesAuthentication (6)Calendar Events (29)Enterprise Applications (8)File Integrity (3)General Security (30)IAM (4)Incident Reponse (3)Info (14)Intrusion Detection (1)News and Events (44)

Events (19)News (26)Webinars (6)

PABP (1)PCI (16)Penetration Testing (8)Physical Security (2)Security Rants (6)Splunk Configuration (3)Tevora Labs (1)Webinar Archive (1)

AuthorsAdam Brand (6)Brennen Reynolds (10)Daniel De Carvalho (7)Jason Pieters (8)Jason Pittman (12)Jesse Salmon (8)Justin Hohner (1)Londyn van Zyl (2)Londyn Van Zyl (11)Nazy Fouladirad (62)Ray Zadjmool (14)Shawn Kelly (1)

ArchivesSelect Month

Let's Talk

If you have any questions about our services, please contact us.

(888) 4-TEVORA Contact Us Now!

Tevora has offices at the following locations:Southern California: (Headquarters)

One Spectrum Pointe Drive, Suite 200Lake Forest, California 92630.Tel: 949.250.3290Fax: 949.250.9993Email: info@tevora.com

Driving directions

Northern California

7485 Rush River Drive, Suite 710Sacramento, CA. 95831Tel: (888) 4-TEVORAFax: 925.369.0307Email: norcal@tevora.com

Driving directions

International Locations:

Tevora South AmericaAlameda Jaú1742 / 8 AndarCJ 81 - São Paulo - BrasilTel:+55 11 3063-1853www.tevora.com.br

COMPLIANCE:

PCI DSSISO 27000 ComplianceHIPAA CompliancePA-DSS ValidationCompliance Framework DevelopmentRisk AssessmentsPenetration TestingSource Code Security Audit

Policies & Procedures Development

TECHNOLOGY:

GRC SolutionsIdentity and Access ManagementFederated IdentityUser ProvisioningStrong AuthenticationSingle Sign-OnData Loss PreventionEncryptionLog ManagementMobile Data Protection

IDENTITY SOLUTIONS:

Identity & Access ManagementUser Provisioning & Lifecycle ManagementEnterprise Single Sign-OnFederated IdentityIAM Strategy ConsultingVirtual Directory

Tevora is the nation's premier provider of end-to-end security solutions designed to create the secureenterprise.

CONTACT FORM | CALL US: (888) 4 – TEVORA

Copyright © 2010 Tevora