securing win03 08

Upload: david-parkinson

Post on 07-Apr-2018


  • 8/6/2019 Securing Win03 08

    1/26

    Securing Windows Server 2003 and Windows Server 2008

    Ranjana Jain, IT Pro Evangelist

    Microsoft India

    MCSE, MCT, RHCE, CISSP, CIW Security Analyst

  • Agenda
      Windows Server 2003 Security
      Windows Server 2003 Security Guide
      Security Threats and Countermeasures
      Windows Server 2008 Security
      Conclusion

  • Secure in Deployment
      Windows Server 2003 Security Guide
      Configuration automation
      Monitoring infrastructure
      Prescriptive guidance
    Secure by Design
      Code reviews
      IIS re-architecture
      Threat models
      $200M investment
    Secure by Default
      60% less attack surface area by default compared to Windows NT 4.0 SP3
      Services off by default
      Services run at lower privilege
    Communications
      Communities
      Architecture webcasts
      Conferences
      TechNet

  • Why Is the Default Not Hardened
      Hardening must be in response to the environment
      One size does not fit all
      Breaks existing applications
      Bad user experience
      Default configuration generally appropriate for trusted networks

  • Windows Server 2003 Security Guide: Design Goals
      Provide actionable, authoritative guidelines for
        End users
        System Administrators
        Security Administrators
      Guidelines are
        Proven in real world testing
        Relevant and accomplish real security
        Accurate
      http://www.microsoft.com/technet/security/prodtech/windowsserver2003/W2003HG/SGCH00.mspx

  • Server Hardening
      Securing Domain Infrastructure
      Member Server Baseline Policy
      Domain Controllers
      Infrastructure Servers
      File & Print Servers
      Internet Information Servers
      PKI Servers
      RADIUS Servers
      Bastion Servers
      Applied through Incremental Group Policy
      Hardening Procedures
      Apply to Relevant Servers in your Organization

  • Domain Infrastructure
      Establishing Security Boundaries
      Security starts at the domain infrastructure
      Forest versus Domain
        True Security Boundary = Forest
        Domain is a Management Boundary of Well-Meaning Administrators
      Administrative distinctions
        Enterprise Administrators are just that
        Delegate administration
      Organizational Unit Structure
        Structuring Support for Administration & Group Policy

  • Member Server Baseline Policy
      Core Security Template Group Policy for all Member Servers
      Audit Policies
        Monitor Object Access, Logon & Logoff, Policy Changes
      User Rights Assignment
        Controlling Server Logons & User Functionality
        Tip: Use Deny logon from the network to prevent service accounts from logging on remotely
      Security Options
        Increase LM Compatibility Level, Restrict Anonymous
      Event Logs
        Setting Log Sizes & Access Permissions
      System Services
        Disabling or Removing Irrelevant Services

  • Hardening DCs
      Most important server role, physical isolation needed
      DC baseline policy GP template
        Duplicates most member server policies
        Further lockdown on user rights assignments
        Configure DC specific system services: ensure consistency
      Additional security settings
        Relocating DC database and logs
        Increasing event log sizes
        Protecting DNS
          Secure dynamic updates
          Limiting zone transfers
        Blocking ports with IPSec filters
        Tip: Don't forget to configure NoDefaultExempt

  • Hardening Infrastructure
      Providing DNS and WINS Services
      Foundation: Member Server Baseline Policy
      Incremental Infrastructure Group Policy
        Adjusting Infrastructure System Services
      Additional Security Settings
        Configure DHCP Logging
          Limit Log Sizes (Registry DWORD Addition)
          Limit Access Permissions to Administrators
        Port Blocking with IPSec Filters: Infrastructure Servers
          Does not Fully Secure System During Startup

  • Hardening File & Print Servers
      File and Print Group Policy
        Foundation: Member Server Baseline Policy
        Incremental GP
        Modifying Security Options
          Print Server: Disable Digital Signing of Communications
        System Service Adjustments
          File Server: Enable DFS & File Replication
          Print Server: Enable Print Spooler
      Additional Security Settings
        Port Blocking with IPSec Filters
        Utilize Terminal Services for Remote Management
        Management Tools May Have Specific Port Needs
          Example: Microsoft Operations Manager

  • Hardening IIS Servers
      Secure by default
        IIS is NO LONGER a default installation
        Initial installation is a highly secure locked down configuration
      Web server group policy
        Foundation: member server baseline policy
        Modifying system services
      Additional security settings
        IIS
          Installation of required IIS components only
          Enabling essential web service extensions
          Granting web site permissions
          Configuring IIS logging
        Dedicating a disk for content
        Setting file level permissions
        IPSec port filtering
        Tip: Configure outbound filtering for IIS servers on external interface

  • Hardening Certificate Services
      Air gap to root CA paramount to security
      PKI group policy
        Foundation: Member server baseline policy
        Security options
          Certificate server
          Use FIPS compliant algorithm for encryption, hashing, & signing
          HSM: Luna, nCipher
        System service adjustments
      Additional security settings
        Setting file system ACLs on certificate server folders
        Establish file level auditing
        Separating certificate database and logs

  • Hardening Bastion Hosts
      Servers accessible publicly
      Bastion Host group policy
        Rarely domain members: local policy required
        Foundation: member server baseline policy
        Tip: Deny network logon right to sensitive accounts
      System service adjustments
        Disabled
          Automatic updates & backup intelligent transfer agent
          DHCP client & netlogon
          Plug & play
          Remote administration & registry
          Server & terminal services
      Additional security settings
        Essential network protocols only
        Disable SMB
        Disable NetBIOS over TCP/IP

  • Guide To Threat Mitigation
      Using this guide
        Majority of security related settings occur through group policy
        Not all countermeasures are available through GPOs: understand registry editing
        Increasing security typically means a decrease in functionality
      Mitigating top vulnerabilities
        Denial of service: securing the stack
        Password policies: providing high security
        Logging: tracking successful or failed attacks
      Decrease the attack surface!

  • Default Install: Mitigate DoS Attacks
      Mitigating DoS risks
      Registry: Synflood attack protection
        Vulnerability: Simple synflood attack
        Countermeasure: Accelerate connection timeout when synflood attacks are detected
      Registry: Keep alive time
        Vulnerability: Numerous connections exhaust resources
        Countermeasure: Establish maximum keep alive for inactive connections

  • Secure Password Policies
      Establishing high security for passwords
      Group policy: Enforcing password history
        Vulnerability: frequent password reuse reduces effectiveness of enterprise password policies
        Countermeasure: setting a password history value of 24
      Group policy: Maximum password age
        Vulnerability: brute force password attacks & misuse of wrongfully obtained password
        Countermeasure: establish a maximum password age of between 30 and 60 days
      Group policy: Password complexity requirements
        Vulnerability: alphanumeric passwords easily cracked
        Countermeasure: Longer = better
          Use at least 3 of the 5 complexities
          Think pass phrase

  • Comprehensive Logging
      Establishing audit policies
      Logging features
        Vulnerability: It is generally preferable to know when attacks happen
        Countermeasure: Set all logging features active
      Group policy: retention methods for event logs
        Vulnerability: A delicate balance exists between log size and maintaining relevant log history
        Countermeasure: Set to overwrite logs as necessary, use a log collection system
      Registry: delegating access to event logs
        Vulnerability: Unintentional deletion or malicious cover-up of security log data
        Countermeasure: Grant read-only access to certain IT members, full access to trusted security operators

  • Summary
      Default configuration appropriate for trusted environment
      Windows Server 2003 Security Guide documents hardening
      Key point: Optimal security requires a thorough understanding of the environment

  • Windows Server 2008 Security Guide
      Default installation of Windows Server 2008 does not provide any services to the network.
      Server Manager provides a single source for managing a server's identity and system information, displaying server status, identifying problems with server role configuration, and managing all roles installed on the server.
      You can use the SCW to help ensure that the servers remain configured as intended.

  • Server Manager
      Replaces several features included with Windows Server 2003, including Manage Your Server, Configure Your Server, and Add or Remove Windows Components.
      Roles are configured with Microsoft-recommended security settings by default.
      Server Manager also automatically configures any firewall rules that are required to support the new role.

  • Server Core
      Helps reduce the attack surface of the supported server roles by installing only a subset of the binary files that a server requires to operate
      Explorer shell and Microsoft Internet Explorer cannot be installed
      Requires only about 1 GB of space on the server's hard disk drive to install, and an additional 2 GB for normal operations
      Server Core Installation Option of Windows Server 2008 Step-By-Step Guide

  • Tips
      Deny logon from the network protects sensitive accounts
      NoDefaultExempt ensures IPSec policies are effective
      SafeDllSearchMode prevents Nimda
      RestrictAnonymous protects sensitive information
      Outbound IPSec filters make additional compromise very hard
      NoLMHash exponentially increases password cracking time
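
Added example, not part of the original deck: a Python check of an exported security template against the values on the Secure Password Policies slide and the registry settings named on this Tips slide. The sample template is constructed, the registry paths are the usual Windows Server 2003 locations rather than values from the slides, and treating any nonzero DWORD as enabled is an assumption.

```python
# SAMPLE_INF is constructed; it is laid out like a `secedit /export` security template.
SAMPLE_INF = r"""
[System Access]
MaximumPasswordAge = 42
PasswordComplexity = 0
PasswordHistorySize = 24
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode=4,1
"""
CCS = r"MACHINE\System\CurrentControlSet"
CHECKS = [  # (section, setting, predicate); registry checks assume nonzero = enabled
    ("system access", "PasswordHistorySize", lambda v: v >= 24),
    ("system access", "MaximumPasswordAge", lambda v: 30 <= v <= 60),
    ("system access", "PasswordComplexity", lambda v: v == 1),
    ("registry values", CCS + r"\Control\Lsa\NoLMHash", bool),
    ("registry values", CCS + r"\Control\Lsa\RestrictAnonymous", bool),
    ("registry values", CCS + r"\Control\Session Manager\SafeDllSearchMode", bool),
    ("registry values", CCS + r"\Services\IPSEC\NoDefaultExempt", bool),
]

def parse_template(text):
    """Return {section: {key: value}} with lower-cased section and key names."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def number(section, key):      # registry entries are stored as 'type,data'
    try:
        return int(section[key.lower()].split(",")[-1])
    except (KeyError, ValueError):
        return None            # setting not defined in the template

def audit(text):
    """Return {setting: found value} for each check that fails or is undefined."""
    sections, failed = parse_template(text), {}
    for section, key, ok in CHECKS:
        value = number(sections.get(section, {}), key)
        if value is None or not ok(value):
            failed[key.rsplit("\\", 1)[-1]] = value
    return failed

if __name__ == "__main__":
    print(audit(SAMPLE_INF))
```

A setting reported with the value `None` is absent from the template, which is worth distinguishing from one that is present but set too weakly.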

  • Resources From Microsoft
      To locate a partner who can help with Microsoft security:
        Microsoft Certified Providers Directory: http://mcspreferral.microsoft.com/
        Microsoft Consulting Services: http://www.microsoft.com/BUSINESS/services/mcs.asp
      For technical information:
        Security information on Microsoft Products: http://www.microsoft.com/technet/security
        Windows Server 2003: http://www.microsoft.com/windowsserver2003/
        Threats and Countermeasures in Windows Server 2003 and Windows XP: http://go.microsoft.com/fwlink/?LinkId=15160
        MBSA: http://www.microsoft.com/technet/security/tools/Tools/mbsahome.asp
      For training and certification questions:
        Microsoft Training and Certification: http://www.microsoft.com/training
      For Security Guidance And Training
        Securing Windows 2000 Server Security Solution: http://www.microsoft.com/technet/security/prodtech/Windows/SecWin2k/Default.asp
        Windows 2000 Security Hardening Guide: http://www.microsoft.com/technet/security/prodtech/Windows/Win2kHG.asp
        Windows Server 2003 Security Guide: http://go.microsoft.com/fwlink/?LinkId=14846
        Windows XP Security Guide: http://go.microsoft.com/fwlink/?Linkid=14840
        Windows Server 2008 Security Guide

  • Attend a free chat or web cast
      http://www.microsoft.com/communities/chats/default.mspx
      http://www.microsoft.com/usa/webcasts/default.asp
    List of newsgroups
      http://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx
    MS Community Sites
      http://www.microsoft.com/communities/default.mspx
    Locate Local User Groups
      http://www.microsoft.com/communities/usergroups/default.mspx
    Delhi IT Pro Community
      http://groups.msn.com/ITDelhiUG

  • © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.