Security in Server 2003 and 2008
Securing Windows Server 2003 and Windows Server 2008
Ranjana Jain, IT Pro Evangelist, Microsoft India
MCSE, MCT, RHCE, CISSP, CIW Security Analyst

Agenda
• Windows Server 2003 Security
• Windows Server 2003 Security Guide
• Security Threats And Countermeasures
• Windows Server 2008 Security
• Conclusion

Secure by Design, Secure by Default, Secure in Deployment, Communications
• Secure by Design
  – Code reviews
  – IIS re-architecture
  – Threat models
  – $200M investment
• Secure by Default
  – 60% less attack surface area by default compared to Windows NT 4.0 SP3
  – Services off by default
  – Services run at lower privilege
• Secure in Deployment
  – Windows Server 2003 Security Guide
  – Configuration automation
  – Monitoring infrastructure
  – Prescriptive guidance
• Communications
  – Communities
  – Architecture webcasts
  – Conferences
  – TechNet

Why Is The Default Not Hardened
• Hardening must be in response to the environment
• One size does not fit all
• Breaks existing applications
  – Bad user experience
• Default configuration generally appropriate for trusted networks

Windows Server 2003 Security Guide: Design Goals
• Provide actionable, authoritative guidelines for
  – End users
  – System Administrators
  – Security Administrators
• Guidelines are
  – Proven in real world testing
  – Relevant and accomplish real security
  – Accurate
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/W2003HG/SGCH00.mspx

Server Hardening
• Securing Domain Infrastructure
• Member Server Baseline Policy
• Server roles, applied through Incremental Group Policy
  – Domain Controllers
  – Infrastructure Servers
  – File & Print Servers
  – Internet Information Servers
  – PKI Servers
  – RADIUS Servers
  – Bastion Servers
• Hardening Procedures
  – Apply to Relevant Servers in your Organization

Domain Infrastructure
• Establishing Security Boundaries
  – Security starts at the domain infrastructure
• Forest versus Domain
  – True Security Boundary = Forest
  – Domain is a Management Boundary of Well-Meaning Administrators
  – Administrative distinctions
    • Enterprise Administrators are just that
    • Delegate administration
  – Organizational Unit Structure
    • Structuring Support for Administration & Group Policy

Baseline Policy: Member Server Baseline Policy
• Core Security Template
  – Group Policy for all Member Servers
  – Audit Policies
    • Monitor Object Access, Logon & Logoff, Policy Changes
  – User Rights Assignment
    • Controlling Server Logons & User Functionality
    • Tip: Use "Deny logon from the network" to prevent service accounts from logging on remotely
  – Security Options
    • Increase LM Compatibility Level, Restrict Anonymous…
  – Event Logs
    • Setting Log Sizes & Access Permissions
  – System Services
    • Disabling or Removing Irrelevant Services

Hardening DCs
• Most important server role, physical isolation needed
• DC baseline policy
  – GP template
  – Duplicates most member server policies
  – Further lockdown on user rights assignments
  – Configure DC specific system services – ensure consistency
• Additional security settings
  – Relocating DC database and logs
  – Increasing event log sizes
  – Protecting DNS
    • Secure dynamic updates
    • Limiting zone transfers
  – Blocking ports with IPSec filters
    • Tip: Don't forget to configure NoDefaultExempt

Hardening Infrastructure
• Providing DNS and WINS Services
• Foundation: Member Server Baseline Policy
• Incremental Infrastructure Group Policy
  – Adjusting Infrastructure System Services
• Additional Security Settings
  – Configure DHCP Logging
    • Limit Log Sizes (Registry DWORD Addition)
    • Limit Access Permissions to Administrators
  – Port Blocking with IPSec Filters: Infrastructure Servers
    • Does not Fully Secure System During Startup

Hardening File & Print Servers
• File and Print Group Policy
  – Foundation: Member Server Baseline Policy
  – Incremental GP
    • Modifying Security Options
      – Print Server: Disable Digital Signing of Communications
    • System Service Adjustments
      – File Server: Enable DFS & File Replication
      – Print Server: Enable Print Spooler
• Additional Security Settings
  – Port Blocking with IPSec Filters
    • Utilize Terminal Services for Remote Management
    • Management Tools May Have Specific Port Needs
      – Example: Microsoft Operations Manager

Hardening IIS Servers
• Secure by default
  – IIS is NO LONGER a default installation
  – Initial installation is a highly secure "locked down" configuration
• Web server group policy
  – Foundation: member server baseline policy
  – Modifying system services
• Additional security settings
  – IIS
    • Installation of required IIS components only
    • Enabling essential web service extensions
    • Granting web site permissions
    • Configuring IIS logging
  – Dedicating a disk for content
  – Setting file level permissions
  – IPSec port filtering
    • Tip: Configure outbound filtering for IIS servers on external interface

Hardening Certificate Services
• Air gap to root CA paramount to security
• PKI group policy
  – Foundation: Member server baseline policy
  – Security options
    • Certificate server
      – Use FIPS compliant algorithm for encryption, hashing, & signing
      – HSM – Luna, nCipher
  – System service adjustments
• Additional security settings
  – Setting file system ACLs on certificate server folders
    • Establish file level auditing
  – Separating certificate database and logs

Hardening Bastion Hosts
• Servers accessible publicly
• Bastion Host group policy
  – Rarely domain members: local policy required
  – Foundation: member server baseline policy
    • Tip: Deny network logon right to sensitive accounts
  – System service adjustments
    • Disabled
      – Automatic updates & background intelligent transfer agent
      – DHCP client & netlogon
      – Plug & play
      – Remote administration & registry
      – Server & terminal services
• Additional security settings
  – Essential network protocols only
    • Disable SMB
    • Disable NetBIOS over TCP/IP

Guide To Threat Mitigation
• Using this guide
  – Majority of security related settings occur through group policy
    • Not all countermeasures are available through GPOs: understand registry editing
  – Increasing security typically means a decrease in functionality
• Mitigating top vulnerabilities
  – Denial of service – securing the stack
  – Password policies – providing high security
  – Logging – tracking successful or failed attacks
  – Decrease the attack surface!

Default Install: Mitigate DoS Attacks
• Mitigating DoS risks
  – Registry: SYN flood attack protection
    • Vulnerability – Simple SYN flood attack
    • Countermeasure – Accelerate connection timeout when SYN flood attacks are detected
  – Registry: Keep alive time
    • Vulnerability – Numerous connections exhaust resources
    • Countermeasure – Establish maximum keep alive for inactive connections

Secure Password Policies
• Establishing high security for passwords
  – Group policy: Enforcing password history
    • Vulnerability – frequent password reuse reduces effectiveness of enterprise password policies
    • Countermeasure – setting a password history value of 24
  – Group policy: Maximum password age
    • Vulnerability – brute force password attacks & misuse of wrongfully obtained password
    • Countermeasure – establish a maximum password age of between 30 and 60 days
  – Group policy: Password complexity requirements
    • Vulnerability – alphanumeric passwords easily cracked
    • Countermeasure – Longer = better
      – Use at least 3 of the 5 complexities
      – Think pass phrase

Comprehensive Logging
• Establishing audit policies
  – Logging features
    • Vulnerability – It is generally preferable to know when attacks happen
    • Countermeasure – Set all logging features active
  – Group policy: retention methods for event logs
    • Vulnerability – A delicate balance exists between log size and maintaining relevant log history
    • Countermeasure – Set to overwrite logs as necessary, use a log collection system
  – Registry: delegating access to event logs
    • Vulnerability – Unintentional deletion or malicious cover-up of security log data
    • Countermeasure – Grant read-only access to certain IT members, full access to trusted security operators

Summary
• Default configuration appropriate for trusted environment
• Windows Server 2003 Security Guide documents hardening
• Key point: Optimal security requires a thorough understanding of the environment

Windows Server 2008 Security Guide
• Default installation of Windows Server 2008 does not provide any services to the network.
• Server Manager provides a single source for managing a server's identity and system information, displaying server status, identifying problems with server role configuration, and managing all roles installed on the server.
• You can use the SCW to help ensure that the servers remain configured as intended.

Server Manager
• Replaces several features included with Windows Server 2003, including Manage Your Server, Configure Your Server, and Add or Remove Windows Components.
• Roles are configured with Microsoft-recommended security settings by default.
• Server Manager also automatically configures any firewall rules that are required to support the new role.

Server Core
• Helps reduce the attack surface of the supported server roles by installing only a subset of the binary files that a server requires to operate
• Explorer shell and Microsoft Internet Explorer® cannot be installed
• Requires only about 1 GB of space on the server's hard disk drive to install, and an additional 2 GB for normal operations
• Server Core Installation Option of Windows Server 2008 Step-By-Step Guide

Tips
• Deny logon from the network protects sensitive accounts
• NoDefaultExempt ensures IPSec policies are effective
• SafeDllSearchMode prevents Nimda
• RestrictAnonymous protects sensitive information
• Outbound IPSec filters make additional compromise very hard
• NoLMHash exponentially increases password cracking time

Resources From Microsoft
• To locate a partner who can help with Microsoft security:
  – Microsoft Certified Providers Directory http://mcspreferral.microsoft.com/
  – Microsoft Consulting Services http://www.microsoft.com/BUSINESS/services/mcs.asp
• For technical information:
  – Security information on Microsoft Products http://www.microsoft.com/technet/security
  – Windows Server 2003 http://www.microsoft.com/windowsserver2003/
  – Threats and Countermeasures in Windows Server 2003 and Windows XP http://go.microsoft.com/fwlink/?LinkId=15160
  – MBSA http://www.microsoft.com/technet/security/tools/Tools/mbsahome.asp
• For training and certification questions:
  – Microsoft Training and Certification http://www.microsoft.com/training
• For Security Guidance And Training:
  – Securing Windows 2000 Server Security Solution http://www.microsoft.com/technet/security/prodtech/Windows/SecWin2k/Default.asp
  – Windows 2000 Security Hardening Guide http://www.microsoft.com/technet/security/prodtech/Windows/Win2kHG.asp
  – Windows Server 2003 Security Guide http://go.microsoft.com/fwlink/?LinkId=14846
  – Windows XP Security Guide http://go.microsoft.com/fwlink/?Linkid=14840
  – Windows Server 2008 Security Guide

Attend a free chat or web cast
• http://www.microsoft.com/communities/chats/default.mspx
• http://www.microsoft.com/usa/webcasts/default.asp
• List of newsgroups http://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx
• MS Community Sites http://www.microsoft.com/communities/default.mspx
• Locate Local User Groups http://www.microsoft.com/communities/usergroups/default.mspx
• Delhi IT Pro Community http://groups.msn.com/ITDelhiUG

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
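As an added example (not code from the presentation or from Microsoft's Security Guide), the following PowerShell turns the Member Server Baseline choices, the password and logging countermeasures, and the registry settings named in the DoS and Tips slides into a security template, then checks a server against it with secedit.exe before applying it. The temp paths, the svc_backup account name, and the numeric values chosen where the slides only give a range or a direction are assumptions.

```powershell
# Added example, not from the Security Guide: capture the baseline choices from
# the slides (password policy, audit policy, security log, deny-network-logon,
# and the registry countermeasures) as a security template, then analyze and
# apply it with secedit.exe. Run in an elevated shell on the target server.
# "svc_backup" is a constructed service-account name; replace it with your own.
$dir = Join-Path $env:TEMP 'baseline'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$inf = Join-Path $dir 'MemberServerBaseline.inf'
$db  = Join-Path $dir 'MemberServerBaseline.sdb'
$log = Join-Path $dir 'MemberServerBaseline.log'

@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
PasswordHistorySize = 24
MaximumPasswordAge = 42
MinimumPasswordLength = 12
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 3
AuditObjectAccess = 3
AuditPolicyChange = 3
[Security Log]
MaximumLogSize = 81920
AuditLogRetentionPeriod = 0
RestrictGuestAccess = 1
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-32-546,svc_backup
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode=4,1
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect=4,1
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime=4,300000
'@ | Set-Content -Path $inf -Encoding Unicode   # security templates are UTF-16

# Analyze first: settings that differ from the template are written to the
# log as "Mismatch" lines, and nothing on the server changes yet.
secedit.exe /analyze /db $db /cfg $inf /overwrite /log $log /quiet
Select-String -Path $log -Pattern 'Mismatch'

# Apply only once the reported mismatches are the intended ones.
secedit.exe /configure /db $db /cfg $inf /overwrite /log $log /quiet
```

In the [Event Audit] section 3 means success and failure, in [Registry Values] the 4 before each value is REG_DWORD, and *S-1-5-32-546 is the built-in Guests group.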