Post on 11-May-2015
1
Hardening Windows 2003 Web Servers
2 © Ezenta A/S 2005
Agenda
Physical Security OS Installation Account Policies Local Policies Services User Accounts IP Policies Permissions Hardening IIS Additional Hardening
3
General
4 © Ezenta A/S 2005
GeneralWho should take this course
System Consultants Security Consultants System Architects Anyone who is responsible for the configuration and/or the
administration of a Windows 2003 environment
5 © Ezenta A/S 2005
GeneralStrategy: Creating a secure environment
Secure current and/or new implementations of the Windows 2003 operating system
6 © Ezenta A/S 2005
GeneralStrategy: Maintaining a secure environment
Maintain a secure environment by staying on top of security issues that are relevant to your installation
This is a proactive process!!
7 © Ezenta A/S 2005
GeneralScope of this course
This course will focus on the secure configuration of a Windows 2003 server hosting Internet Information Services (IIS) version 6.0
8 © Ezenta A/S 2005
GeneralPrerequisites
Experience with IT security Experience with MMC Experience deploying web applications in enterprise
environments Some web application development knowledge will be useful
but is not mandatory
9 © Ezenta A/S 2005
GeneralWhat happens if I don’t harden my web server?
Most systems can be compromised within 72 hours Corporate humilliation Won’t know if your system is has been/is being attacked Money wasted on reparation and down time Company data/ secrets could be stolen
Some web sites are fed with data that comes from the same database as other internal systems
10 © Ezenta A/S 2005
Hardening one step at a time
Physical Security --------------------------------------- OS Installation ----------------------------------------- Account Policies ---------------------------------------- Local Policies ------------------------------------------- Services ------------------------------------------------ User Accounts ----------------------------------------- IP Policies------------- --------------------------------- Permissions -------------------------------------------- Hardening IIS ------------------------------------------ Additional Hardening ----------------------------------
Numberof
Weaknesses
11 © Ezenta A/S 2005
PrerequisitesWhat should
Install ALL necessary software/ services before you begin. Make sure that they ALL work. Why?
If software/ service dosn’t work: Because of the hardening? Did it work before we started?
These are time wasting situations
Let’s begin.
12
Physical Security
13 © Ezenta A/S 2005
Physical Security
We assume that physical security is in place.
14
OS Installation
15 © Ezenta A/S 2005
OS Installation
No system upgrades Why? Too many grey areas ONLY clean installations
Two partitions (we shall be using one) 01 system files 02 web applications
Strong administrative passwords Rainbow attacks make 8 character passwords trivial to break
Only install necessary components
16 © Ezenta A/S 2005
OS Installation
Use a static IP instead of DHCP if possible (one less service)
If there are multiple servers in the DMZ, consider making a DMZ domain from which critical servers will inherit their baseline GPOs.
17
Proof of concept scan
18 © Ezenta A/S 2005
Proof of concept scanWindows 2003 v. Windows 2000
Why bother using windows 2003? More secure by default.
Can Windows 2000 be as secure? Yes. It requires work.
19 © Ezenta A/S 2005
Proof of concept scanWindows 2003 v. Windows 2000
We will use standard tools to inspect a default Windows 2003 installation.
Tools to use: Nmap. Scans to perform:
Nmap –sS –P0 –O –p1-65535 Nmap –sS –P0 –O –g 53 –p 1-65535 Nmap –sT –P0 –O –p1-65535
NStealth
Windows 2003: xx.xx.xx.xx
20
Local Security Settings
21 © Ezenta A/S 2005
PoliciesLocal Security Settings
22 © Ezenta A/S 2005
PoliciesAccount Policies
Never use dictionary words. Never reuse old passwords by altering only one digit. Never choose passwords based on pets, habits, likes or
dislikes. One must never be able to identify a password by looking at the things on your desk.
Use upper- and lowercase with symbols and numbers. Choose passwords based on phrases:
Th15 comput€r i5 prot€cted by a str0ng p@ssword
23 © Ezenta A/S 2005
PoliciesAccount Policies: password Policy
Enforce Password History: 24 Maximum Password Age: 42 days Minimum Password Age: 2 days Minimum Password Length: 14 Complexity requirements: Enabled Use Reversible Encryption: Disabled
24 © Ezenta A/S 2005
PoliciesAccount Policies: Account Lockout Policy
Account Lockout Duration: 15 Minutes Account Lockout Threshold: 10 invalid attempts Reset Lockout Counter: 15 Minutes
25
Services
26 © Ezenta A/S 2005
Services
What services does a web-server need? Are you sure they are needed?
YES: secure them NO: remove them
This is the hardest to get right
27
Or…
28 © Ezenta A/S 2005
System SettingsIsn’t there a quicker way to change system settings?
Yes. Meet the ”Security Analysis and Configuration” snap-in
29 © Ezenta A/S 2005
System SettingsSecurity Analysis and Configuration
Run mmc File Add/Remove Snap-in Add Security Configuration and Analysis Add Right Click on Security Analysis and Configuration Open
Database Choose a File Name Open Navigate to ”High Security Baseline.inf” Open Right Click on Security Analysis and Configuration Analyse
Computer Now… Save the log to your desktop
30
User Accounts
31 © Ezenta A/S 2005
User AccountsSecuring Well known User Accounts
Rename all built-in accounts: Administrator Guest
Why? Everyone knows the names of these two Windows accounts. 50% of a brute force attack is already common knowledge.
The descriptions should also be altered.
32 © Ezenta A/S 2005
User AccountsSecuring Well known User Accounts
Assign strong passwords to these accounts Th15 1s @ v€ry st0ng p@s5word don’t y0u th1nk?
Disable default guest accounts (if not already done by default)
33
IP Policies
34 © Ezenta A/S 2005
IP PoliciesStructure
IP Filter advice: give your rules good names. Examples might look like this: <POLICY> <DIRECTION> <SERVICE> Permit INBOUND HTTP(S) Permit OUTBOUND SSH Permit OUTBOUND DNS Permit OUTBOUND HTTP(S) Deny BIDIRECTIONAL ALL
35 © Ezenta A/S 2005
IP PoliciesExample scenario
A web server might look similar to this: Permit INBOUND:
HTTP HTTPS? TS?
Permit OUTBOUND: HTTP HTTPS DNS
36 © Ezenta A/S 2005
IP PoliciesLocal Security Settings
37 © Ezenta A/S 2005
IP PoliciesLets get started
Create IP Security Policy… Name: Secure Web Uncheck “Activate the default response rule” Check “Edit Properties” Uncheck “Use Add Wizard”
38 © Ezenta A/S 2005
IP PoliciesBasic rules
Create 4 rules Deny BIDIRECTIONAL ALL Permit INBOUND HTTP(S) Permit OUTBOUND HTTP(S) Permit OUTBOUND DNS
When you’re done, assign your new policy
39 © Ezenta A/S 2005
IP PoliciesLets look at the results
Tools needed: NMap
Exercise Groups of two or three Choose which computer will perform the scan Un-assign IP Policies as they also block outboud traffic Perform the following port scans:
Nmap –sS –P0 –O –p1-65535 Nmap –sS –P0 –O –g 53 –p 1-65535 Nmap –sT –P0 –O –p1-65535
40
File Permissions
41 © Ezenta A/S 2005
PermissionsAssigning correct NTFS permissions
CGI files: .EXE, .DLL, .CMD, .PL Administrators: Full Control System: Full Control IUSR_SERVER: Read & Execute, Read
Script Files: .ASPX, .ASP, .PHP Administrators: Full Control System: Full Control IUSR_SERVER: Read & Execute, Read
Include Files: .INC, .SHTML, .SHTM Administrators: Full Control System: Full Control IUSR_SERVER: Read & Execute, Read
42 © Ezenta A/S 2005
PermissionsAssigning correct NTFS permissions
Static Files: .HTML, .HTM, .TXT, .GIF, .JPG Administrators: Full Control System: Full Control IUSR_SERVER: Read
Data Files: .MDB Administrators: Full Control System: Full Control IUSR_SERVER: Read, Write, Read & Execute, Modify
43
Hardening IIS
44 © Ezenta A/S 2005
Hardening IIS
Web server extensions Application Debugging Custom Errors HTTP Verbs URL Scan Logging
45 © Ezenta A/S 2005
Web server ExtensionsPredefined Web Service Extensions
Everything is turned off by default A default IIS 6.0 installation will only run sites with static
pages, .HTML, .HTM.
46 © Ezenta A/S 2005
Web server ExtensionsPredefined Web Service Extensions (cont.)
Active Server Pages ASP.NET version 1.1.4322 FrontPage Server Extensions 2002 Internet Data Connector Server-Side Includes WebDAV
47 © Ezenta A/S 2005
Application DebuggingStop IIS from sending error messages to clients
Stop applications from sending debugging details to clients: Right click on your web site in the IIS manager Home Directory Configuration App Debugging Check ”Send text error to client” and leave the box blank
48 © Ezenta A/S 2005
Custom ErrorsRedirect to a custom error page when error occur
Send custom error pages to clients for HTTP 500’s, 404’s: Right click on your web site in the IIS manager Custom Errors double click on 500 Message Type: URL URL: /<LOCATION OF CUSTOM PAGE>
Make certain that error 500 messages don’t get sent to the browser!
49 © Ezenta A/S 2005
HTTP VerbsLimit access to HTTP Verbs
Remove all un-needed HTTP verbs from each application: Generally required: GET, HEAD, POST
50 © Ezenta A/S 2005
URL ScanUrl filtering
What is URL Scan? What can it do?
Enable/disable HTTP verbs Disable HTTP headers Enable/disable specific file extensions Disable character sequences Remove/alter the server header Restrict header lengths
Questions concerning URL Scan?
51 © Ezenta A/S 2005
URL ScanUrl filtering
How does it work: Configuration File Installation Fine tuning
52 © Ezenta A/S 2005
LoggingConfiguring Logging
Create seperate logs for each site Log Folder Permissions
Administrators: Full Control System: Full Control IUSR_SERVER: Read, Write, Modify, List Folder Contents, Read & Execute
53
Additional Hardening
54 © Ezenta A/S 2005
Additional Hardening
Uninstallable Components Special Binaries
55 © Ezenta A/S 2005
Uninstallable Components
1. Load “%systemroot%\inf\sysoc.inf” into notepad2. Replace ”hide” with ””3. Run Add/Remove Applications4. Remove any unwanted/ unneeded components (be careful!)
56 © Ezenta A/S 2005
Special Binaries
Several executables exist on a standard Windows 2000 installation that could become rather useful to an attacker
Special access rights need to be set on all of these executables
57 © Ezenta A/S 2005
Special Binaries (cont.)
Uncheck ”Allow inheritable permissions from parent to propagate this object”.
Remove all users from the name list, including SYSTEM.
Assign ”Full Control” to a user that is to be used to access these files – an administrator.
58 © Ezenta A/S 2005
Special Binaries (cont.)
rsh.exe, secfixup.exe, telnet.exe, tftp.exe, ipconfig.exe, nbtstat.exe, netstat.exe, ping.exe, qbasic.exe, rdisk.exe, regdit32.exe, net.exe, nslookup.exe, posix.exe, rcp.exe, regedit.exe, rexec.exe, tracert.exe, command.com, regedit.exe, os2.exe, os2ss.exe, arp.exe, at.exe, atsvc.exe, cacls.exe, cmd.exe, debug.exe, edit.com, edlin.exe, finger.exe, ftp.exe, xcopy.exe, os2srv.exe, cscript.exe, wscript.exe, iisreset.exe, route.exe, runonce.exe, syskey.exe
59 © Ezenta A/S 2005
What have we learned today?
Physical Security OS Installation Account Policies Local Policies Services User Accounts IP Policies- Permissions Hardening IIS Additional Hardening
60 © Ezenta A/S 2005
?