Securing Win03 08
8/6/2019 Securing Win03 08
1/26
Securing Windows Server 2003 and Windows Server 2008
Ranjana Jain
IT Pro Evangelist
Microsoft India
MCSE, MCT, RHCE, CISSP, CIW Security Analyst
-
Agenda
Windows Server 2003 Security
Windows Server 2003 Security Guide
Security Threats And Countermeasures
Windows Server 2008 Security
Conclusion
-
Secure in Deployment
Windows Server 2003 Security Guide
Configuration automation
Monitoring infrastructure
Prescriptive guidance
Secure by Design
Code reviews
IIS re-architecture
Threat models
$200M investment
Secure by Default
60% less attack surface area by default compared to Windows NT 4.0 SP3
Services off by default
Services run at lower privilege
Communications
Communities
Architecture webcasts
Conferences
TechNet
-
Why Is The Default Not Hardened
Hardening must be in response to the environment
One-size does not fit all
Breaks existing applications
Bad user experience
Default configuration generally appropriate for trusted networks
-
Windows Server 2003 Security Guide: Design Goals
Provide actionable, authoritative guidelines for
End users
System Administrators
Security Administrators
Guidelines are
Proven in real world testing
Relevant and accomplish real security
Accurate
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/W2003HG/SGCH00.mspx
-
Server Hardening
Securing Domain Infrastructure
Member Server Baseline Policy
Domain Controllers
Infrastructure Servers
File & Print Servers
Internet Information Servers
PKI Servers
RADIUS Servers
Bastion Servers
Applied through Incremental Group Policy
Hardening Procedures
Apply to Relevant Servers in your Organization
-
Domain Infrastructure
Establishing Security Boundaries
Security starts at the domain infrastructure
Forest versus Domain
True Security Boundary = Forest
Domain is a Management Boundary of Well-Meaning Administrators
Administrative distinctions
Enterprise Administrators are just that
Delegate administration
Organizational Unit Structure
Structuring Support for Administration & Group Policy
-
Baseline Policy
Member Server Baseline Policy
Core Security Template: Group Policy for all Member Servers
Audit Policies
Monitor Object Access, Logon & Logoff, Policy Changes
User Rights Assignment
Controlling Server Logons & User Functionality
Tip: Use Deny logon from the network to prevent service accounts from logging on remotely
Security Options
Increase LM Compatibility Level, Restrict Anonymous
Event Logs
Setting Log Sizes & Access Permissions
System Services
Disabling or Removing Irrelevant Services
-
Hardening DCs
Most important server role, physical isolation needed
DC baseline policy GP template
Duplicates most member server policies
Further lockdown on user rights assignments
Configure DC specific system services: ensure consistency
Additional security settings
Relocating DC database and logs
Increasing event log sizes
Protecting DNS
Secure dynamic updates
Limiting zone transfers
Blocking ports with IPSec filters
Tip: Don't forget to configure NoDefaultExempt
-
Hardening Infrastructure
Providing DNS and WINS Services
Foundation: Member Server Baseline Policy
Incremental Infrastructure Group Policy
Adjusting Infrastructure System Services
Additional Security Settings
Configure DHCP Logging
Limit Log Sizes (Registry DWORD Addition)
Limit Access Permissions to Administrators
Port Blocking with IPSec Filters: Infrastructure Servers
Does not Fully Secure System During Startup
-
Hardening File & Print Servers
File and Print Group Policy
Foundation: Member Server Baseline Policy
Incremental GP
Modifying Security Options
Print Server: Disable Digital Signing of Communications
System Service Adjustments
File Server: Enable DFS & File Replication
Print Server: Enable Print Spooler
Additional Security Settings
Port Blocking with IPSec Filters
Utilize Terminal Services for Remote Management
Management Tools May Have Specific Port Needs
Example: Microsoft Operations Manager
-
Hardening IIS Servers
Secure by default
IIS is NO LONGER a default installation
Initial installation is a highly secure locked down configuration
Web server group policy
Foundation: member server baseline policy
Modifying system services
Additional security settings
IIS
Installation of required IIS components only
Enabling essential web service extensions
Granting web site permissions
Configuring IIS logging
Dedicating a disk for content
Setting file level permissions
IPSec port filtering
Tip: Configure outbound filtering for IIS servers on external interface
-
Hardening Certificate Services
Air gap to root CA paramount to security
PKI group policy
Foundation: Member server baseline policy
Security options
Certificate server
Use FIPS compliant algorithm for encryption, hashing, & signing
HSM: Luna, nCipher
System service adjustments
Additional security settings
Setting file system ACLs on certificate server folders
Establish file level auditing
Separating certificate database and logs
-
Hardening Bastion Hosts
Servers accessible publicly
Bastion Host group policy
Rarely domain members: local policy required
Foundation: member server baseline policy
Tip: Deny network logon right to sensitive accounts
System service adjustments
Disabled
Automatic updates & backup intelligent transfer agent
DHCP client & netlogon
Plug & play
Remote administration & registry
Server & terminal services
Additional security settings
Essential network protocols only
Disable SMB
Disable NetBIOS over TCP/IP
-
Guide To Threat Mitigation
Using this guide
Majority of security related settings occur through group policy
Not all countermeasures are available through GPOs: understand registry editing
Increasing security typically means a decrease in functionality
Mitigating top vulnerabilities
Denial of service: securing the stack
Password policies: providing high security
Logging: tracking successful or failed attacks
Decrease the attack surface!
-
Default Install: Mitigate DoS Attacks
Mitigating DoS risks
Registry: Synflood attack protection
Vulnerability: Simple synflood attack
Countermeasure: Accelerate connection timeout when synflood attacks are detected
Registry: Keep alive time
Vulnerability: Numerous connections exhaust resources
Countermeasure: Establish maximum keep alive for inactive connections
-
Secure Password Policies
Establishing high security for passwords
Group policy: Enforcing password history
Vulnerability: frequent password reuse reduces effectiveness of enterprise password policies
Countermeasure: setting a password history value of 24
Group policy: Maximum password age
Vulnerability: brute force password attacks & misuse of wrongfully obtained password
Countermeasure: establish a maximum password age of between 30 and 60 days
Group policy: Password complexity requirements
Vulnerability: alphanumeric passwords easily cracked
Countermeasure: Longer = better
Use at least 3 of the 5 complexities
Think pass phrase
-
Comprehensive Logging
Establishing audit policies
Logging features
Vulnerability: It is generally preferable to know when attacks happen
Countermeasure: Set all logging features active
Group policy: retention methods for event logs
Vulnerability: A delicate balance exists between log size and maintaining relevant log history
Countermeasure: Set to overwrite logs as necessary, use a log collection system
Registry: delegating access to event logs
Vulnerability: Unintentional deletion or malicious cover-up of security log data
Countermeasure: Grant read-only access to certain IT members, full access to trusted security operators
-
Summary
Default configuration appropriate for trusted environment
Windows Server 2003 Security Guide documents hardening
Key point: Optimal security requires a thorough understanding of the environment
-
Windows Server 2008 Security Guide
Default installation of Windows Server 2008 does not provide any services to the network.
Server Manager provides a single source for managing a server's identity and system information, displaying server status, identifying problems with server role configuration, and managing all roles installed on the server.
You can use the SCW to help ensure that the servers remain configured as intended.
-
Server Manager
Replaces several features included with Windows Server 2003, including Manage Your Server, Configure Your Server, and Add or Remove Windows Components.
Roles are configured with Microsoft-recommended security settings by default.
Server Manager also automatically configures any firewall rules that are required to support the new role.
-
Server Core
Helps reduce the attack surface of the supported server roles by installing only a subset of the binary files that a server requires to operate
Explorer shell and Microsoft Internet Explorer cannot be installed
Requires only about 1 GB of space on the server's hard disk drive to install, and an additional 2 GB for normal operations
Server Core Installation Option of Windows Server 2008 Step-By-Step Guide
-
Tips
Deny logon from the network protects sensitive accounts
NoDefaultExempt ensures IPSec policies are effective
SafeDllSearchMode prevents Nimda
RestrictAnonymous protects sensitive information
Outbound IPSec filters make additional compromise very hard
NoLMHash exponentially increases password cracking time
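Added example, not part of the original deck or of Microsoft's guide: a Python audit of a security template (the INF format written by secedit /export) against the password values on the Secure Password Policies slide and the registry settings named on the DoS and Tips slides. The registry paths are the standard Windows locations; the pass thresholds for the registry values, the names audit_template and SAMPLE, and the sample template itself are assumptions constructed for illustration.

```python
import configparser

BASE = r"MACHINE\System\CurrentControlSet"
SYSTEM_ACCESS = {  # targets are the values stated on the password slide
    "PasswordHistorySize": lambda v: v == 24,
    "MaximumPasswordAge": lambda v: 30 <= v <= 60,
    "PasswordComplexity": lambda v: v == 1,
}
REGISTRY = {  # standard Windows registry paths; thresholds are assumptions
    BASE + r"\Control\Lsa\NoLMHash": lambda v: v == 1,
    BASE + r"\Control\Lsa\RestrictAnonymous": lambda v: v >= 1,
    BASE + r"\Control\Session Manager\SafeDllSearchMode": lambda v: v == 1,
    BASE + r"\Services\IPSEC\NoDefaultExempt": lambda v: v >= 1,
    BASE + r"\Services\Tcpip\Parameters\SynAttackProtect": lambda v: v >= 1,
    BASE + r"\Services\Tcpip\Parameters\KeepAliveTime": lambda v: v <= 300000,  # ms
}
# Constructed sample template, not taken from a real server.
SAMPLE = r"""[System Access]
PasswordHistorySize = 24
MaximumPasswordAge = 90
PasswordComplexity = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode=4,1
MACHINE\System\CurrentControlSet\Services\IPSEC\NoDefaultExempt=4,1
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect=4,1
"""

def audit_template(inf_text):
    """Return sorted (setting, problem) pairs for every baseline check that fails."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(inf_text)  # option names are lower-cased, so lookups ignore case
    findings = []
    checks = [("System Access", k, ok, False) for k, ok in SYSTEM_ACCESS.items()]
    checks += [("Registry Values", k, ok, True) for k, ok in REGISTRY.items()]
    for section, name, ok, is_reg in checks:
        raw = cp.get(section, name, fallback=None)
        if raw is None:
            findings.append((name, "not defined"))
            continue
        try:  # registry entries are "type,value" (type 4 = REG_DWORD)
            value = int(raw.split(",", 1)[1] if is_reg else raw)
        except (ValueError, IndexError):
            findings.append((name, "unparseable"))
            continue
        if not ok(value):
            findings.append((name, "value %d outside baseline" % value))
    return sorted(findings)
```

Files written by secedit /export are normally saved as UTF-16, so decode them before passing the text to audit_template.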
-
Resources From Microsoft
To locate a partner who can help with Microsoft security:
Microsoft Certified Providers Directory
http://mcspreferral.microsoft.com/
Microsoft Consulting Services
http://www.microsoft.com/BUSINESS/services/mcs.asp
For technical information:
Security information on Microsoft Products
http://www.microsoft.com/technet/security
Windows Server 2003
http://www.microsoft.com/windowsserver2003/
Threats and Countermeasures in Windows Server 2003 and Windows XP
http://go.microsoft.com/fwlink/?LinkId=15160
MBSA
http://www.microsoft.com/technet/security/tools/Tools/mbsahome.asp
For training and certification questions:
Microsoft Training and Certification
http://www.microsoft.com/training
For Security Guidance And Training
Securing Windows 2000 Server Security Solution
http://www.microsoft.com/technet/security/prodtech/Windows/SecWin2k/Default.asp
Windows 2000 Security Hardening Guide
http://www.microsoft.com/technet/security/prodtech/Windows/Win2kHG.asp
Windows Server 2003 Security Guide
http://go.microsoft.com/fwlink/?LinkId=14846
Windows XP Security Guide
http://go.microsoft.com/fwlink/?Linkid=14840
Windows Server 2008 Security Guide
-
Attend a free chat or web cast
http://www.microsoft.com/communities/chats/default.mspx
http://www.microsoft.com/usa/webcasts/default.asp
List of newsgroups
http://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx
MS Community Sites
http://www.microsoft.com/communities/default.mspx
Locate Local User Groups
http://www.microsoft.com/communities/usergroups/default.mspx
Delhi IT Pro Community
http://groups.msn.com/ITDelhiUG
-
© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.