Securing Windows web servers


Transcript of Securing Windows web servers

Page 1: Securing Windows web servers

Hardening Windows 2003 Web Servers

Page 2

2 © Ezenta A/S 2005

Agenda

Physical Security
OS Installation
Account Policies
Local Policies
Services
User Accounts
IP Policies
Permissions
Hardening IIS
Additional Hardening

Page 3

General

Page 4

General: Who should take this course

System Consultants
Security Consultants
System Architects
Anyone who is responsible for the configuration and/or the administration of a Windows 2003 environment

Page 5

General: Strategy: creating a secure environment

Secure current and/or new implementations of the Windows 2003 operating system

Page 6

General: Strategy: maintaining a secure environment

Maintain a secure environment by staying on top of security issues that are relevant to your installation

This is a proactive process!!

Page 7

General: Scope of this course

This course will focus on the secure configuration of a Windows 2003 server hosting Internet Information Services (IIS) version 6.0

Page 8

General: Prerequisites

Experience with IT security
Experience with MMC
Experience deploying web applications in enterprise environments
Some web application development knowledge will be useful but is not mandatory

Page 9

General: What happens if I don't harden my web server?

Most systems can be compromised within 72 hours
Corporate humiliation
You won't know whether your system has been, or is being, attacked
Money wasted on repairs and downtime
Company data/secrets could be stolen

Some web sites are fed with data that comes from the same database as other internal systems

Page 10

Hardening one step at a time

[Chart: number of weaknesses plotted against each hardening step, in this order]
Physical Security
OS Installation
Account Policies
Local Policies
Services
User Accounts
IP Policies
Permissions
Hardening IIS
Additional Hardening

Vertical axis: Number of Weaknesses

Page 11

Prerequisites: What should

Install ALL necessary software/services before you begin. Make sure that they ALL work. Why?

If a piece of software or a service doesn't work: Is it because of the hardening? Did it work before we started?

These are time-wasting situations.

Let's begin.

Page 12

Physical Security

Page 13

Physical Security

We assume that physical security is in place.

Page 14

OS Installation

Page 15

OS Installation

No system upgrades. Why? Too many grey areas. ONLY clean installations.

Two partitions (we shall be using one):
01 system files
02 web applications

Strong administrative passwords: rainbow-table attacks make 8-character passwords trivial to break.

Only install necessary components.

Page 16

OS Installation

Use a static IP instead of DHCP if possible (one less service)

If there are multiple servers in the DMZ, consider making a DMZ domain from which critical servers will inherit their baseline GPOs.

Page 17

Proof of concept scan

Page 18

Proof of concept scan: Windows 2003 v. Windows 2000

Why bother using Windows 2003? More secure by default.

Can Windows 2000 be as secure? Yes. It requires work.

Page 19

Proof of concept scan: Windows 2003 v. Windows 2000

We will use standard tools to inspect a default Windows 2003 installation.

Tools to use: Nmap. Scans to perform:

nmap -sS -P0 -O -p 1-65535
nmap -sS -P0 -O -g 53 -p 1-65535
nmap -sT -P0 -O -p 1-65535

(-P0 skips host discovery and scans the target even if it does not answer pings; current Nmap releases spell the same option -Pn.)

NStealth

Windows 2003: xx.xx.xx.xx

Page 20

Local Security Settings

Page 21

Policies: Local Security Settings

Page 22

Policies: Account Policies

Never use dictionary words.
Never reuse old passwords by altering only one digit.
Never choose passwords based on pets, habits, likes or dislikes.
One must never be able to identify a password by looking at the things on your desk.

Use upper- and lowercase with symbols and numbers.
Choose passwords based on phrases:

Th15 comput€r i5 prot€cted by a str0ng p@ssword

Page 23

Policies: Account Policies: Password Policy

Enforce Password History: 24
Maximum Password Age: 42 days
Minimum Password Age: 2 days
Minimum Password Length: 14
Complexity requirements: Enabled
Use Reversible Encryption: Disabled

Page 24

Policies: Account Policies: Account Lockout Policy

Account Lockout Duration: 15 minutes
Account Lockout Threshold: 10 invalid attempts
Reset Lockout Counter: 15 minutes

Page 25

Services

Page 26

Services

What services does a web server need? Are you sure they are needed?

YES: secure them
NO: remove them

This is the hardest step to get right.

Page 27

Or…

Page 28

System Settings: Isn't there a quicker way to change system settings?

Yes. Meet the “Security Configuration and Analysis” snap-in.

Page 29

System Settings: Security Configuration and Analysis

Run mmc.
File, Add/Remove Snap-in, Add, Security Configuration and Analysis, Add.
Right-click on Security Configuration and Analysis, Open Database.
Choose a file name, Open.
Navigate to “High Security Baseline.inf”, Open.
Right-click on Security Configuration and Analysis, Analyze Computer Now…
Save the log to your desktop.
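The comparison the snap-in performs can also be scripted against the template file itself, which is useful for checking many servers or for re-checking after a change. The Python below is an added example and not part of the Ezenta course material: it reads the [System Access] section of a security template (the .inf format that secedit /export writes and the snap-in imports) and reports every setting that is weaker than the Password Policy and Account Lockout Policy values on the earlier slides. SAMPLE_INF is constructed for this example, and the rule that a stricter value than the baseline is acceptable is this example's choice, not something the deck states.

```python
import configparser
from typing import Dict, List, Union

# Target values from the Password Policy and Account Lockout Policy slides,
# keyed by the names used in the [System Access] section of a security
# template (the .inf format that secedit and the snap-in read and write).
BASELINE: Dict[str, int] = {
    "PasswordHistorySize": 24,
    "MaximumPasswordAge": 42,     # days
    "MinimumPasswordAge": 2,      # days
    "MinimumPasswordLength": 14,
    "PasswordComplexity": 1,      # 1 = complexity requirements enabled
    "ClearTextPassword": 0,       # 0 = reversible encryption disabled
    "LockoutDuration": 15,        # minutes
    "LockoutBadCount": 10,        # invalid attempts
    "ResetLockoutCount": 15,      # minutes
}

# Comparison rules (this example's choice): a stricter value than the
# baseline is acceptable, a weaker one is a finding. For the two keys below,
# 0 (lockout off) and -1 (passwords never expire) disable the control.
AT_LEAST = {"PasswordHistorySize", "MinimumPasswordAge",
            "MinimumPasswordLength", "LockoutDuration", "ResetLockoutCount"}
AT_MOST_IF_ENABLED = {"MaximumPasswordAge", "LockoutBadCount"}

# Constructed sample of what "secedit /export /cfg current.inf" writes for an
# unhardened server; the values are illustrative, not from any real host.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 1
PasswordHistorySize = 0
LockoutBadCount = 0
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_system_access(text: str) -> Dict[str, Union[int, str]]:
    """Return the [System Access] settings of a security template."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the template's case-sensitive key names
    cp.read_string(text)
    settings: Dict[str, Union[int, str]] = {}
    if cp.has_section("System Access"):
        for key, value in cp.items("System Access"):
            try:
                settings[key] = int(value)
            except ValueError:
                settings[key] = value  # e.g. NewAdministratorName = "..."
    return settings


def audit_template(text: str, baseline: Dict[str, int] = BASELINE) -> List[str]:
    """Compare a template with the baseline; one string per weak setting."""
    current = parse_system_access(text)
    findings: List[str] = []
    for key, want in baseline.items():
        have = current.get(key)
        if not isinstance(have, int):
            # secedit omits LockoutDuration and ResetLockoutCount while
            # LockoutBadCount is 0, so "not set" is itself a finding.
            findings.append(f"{key}: not set (baseline {want})")
        elif key in AT_LEAST:
            if have < want:
                findings.append(f"{key}: {have} is weaker than baseline {want}")
        elif key in AT_MOST_IF_ENABLED:
            if have <= 0 or have > want:
                findings.append(f"{key}: {have} disables or weakens the control (baseline {want})")
        elif have != want:
            findings.append(f"{key}: {have} (baseline {want})")
    return findings


def render_template(values: Dict[str, int] = BASELINE) -> str:
    """Write a minimal template that "secedit /configure" can import."""
    lines = ["[Unicode]", "Unicode=yes", "[System Access]"]
    lines += [f"{key} = {value}" for key, value in values.items()]
    lines += ["[Version]", 'signature="$CHICAGO$"', "Revision=1"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for finding in audit_template(SAMPLE_INF):
        print(finding)
```

A real secedit export is UTF-16 with a byte-order mark, so read the file with encoding="utf-16" before passing its text to audit_template(). render_template() writes the minimal template needed to push the baseline back onto a server with secedit /configure, which is the scripted equivalent of the snap-in's Configure Computer Now.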

Page 30

User Accounts

Page 31

User Accounts: Securing well-known user accounts

Rename all built-in accounts: Administrator, Guest.

Why? Everyone knows the names of these two Windows accounts, so half of what a brute-force attack needs (the user name) is already common knowledge.

The descriptions should also be altered.

Page 32

User Accounts: Securing well-known user accounts

Assign strong passwords to these accounts:
Th15 1s @ v€ry st0ng p@s5word don't y0u th1nk?

Disable default guest accounts (if not already done by default).

Page 33

IP Policies

Page 34

IP Policies: Structure

IP filter advice: give your rules good names. Examples might look like this:

<POLICY> <DIRECTION> <SERVICE>
Permit INBOUND HTTP(S)
Permit OUTBOUND SSH
Permit OUTBOUND DNS
Permit OUTBOUND HTTP(S)
Deny BIDIRECTIONAL ALL

Page 35

IP Policies: Example scenario

A web server might look similar to this:

Permit INBOUND:
HTTP
HTTPS?
TS?

Permit OUTBOUND:
HTTP
HTTPS
DNS

Page 36

IP Policies: Local Security Settings

Page 37

IP Policies: Let's get started

Create IP Security Policy…
Name: Secure Web
Uncheck “Activate the default response rule”
Check “Edit Properties”
Uncheck “Use Add Wizard”

Page 38

IP Policies: Basic rules

Create 4 rules:
Deny BIDIRECTIONAL ALL
Permit INBOUND HTTP(S)
Permit OUTBOUND HTTP(S)
Permit OUTBOUND DNS

When you're done, assign your new policy.
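How the four rules of the Structure and Basic rules slides interact is easier to see in a small model. The Python below is an added example, not code from the course: it models how Windows IPsec selects a filter (the most specific matching filter wins, regardless of list order, and traffic that matches no filter at all is passed, which is why the Deny BIDIRECTIONAL ALL rule is needed). Filters are mirrored, as Windows creates them by default, so they are matched on local and remote port without regard to packet direction. The Packet and Filter classes, the expansion of HTTP(S) and DNS into separate filters, and the tie-break in favour of Deny are this example's assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """A packet as the web server sees it."""
    direction: str        # "INBOUND" or "OUTBOUND"
    proto: str            # "TCP" or "UDP"
    local_port: int
    remote_port: int


@dataclass(frozen=True)
class Filter:
    """One IPsec filter, named as the course suggests: <POLICY> <DIRECTION> <SERVICE>.

    Fields left as None are wildcards. Windows creates IPsec filters as
    "mirrored" by default, so a filter also matches the reply traffic in the
    opposite direction; that is modelled here by matching on local and
    remote port only and ignoring the packet direction. The direction word
    in the name documents the intent for humans, it is not enforced.
    """
    name: str
    action: str           # "Permit" or "Deny"
    proto: Optional[str] = None
    local_port: Optional[int] = None
    remote_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.local_port is None or self.local_port == pkt.local_port)
                and (self.remote_port is None or self.remote_port == pkt.remote_port))

    def specificity(self) -> int:
        # Windows applies the most specific matching filter, not the first
        # one in the list, so the order of the four rules does not matter.
        return sum(v is not None for v in (self.proto, self.local_port, self.remote_port))


# The four "Basic rules", expanded: HTTP(S) becomes two filters and DNS
# covers both UDP and TCP. Constructed for this example.
SECURE_WEB: List[Filter] = [
    Filter("Deny BIDIRECTIONAL ALL", "Deny"),
    Filter("Permit INBOUND HTTP", "Permit", proto="TCP", local_port=80),
    Filter("Permit INBOUND HTTPS", "Permit", proto="TCP", local_port=443),
    Filter("Permit OUTBOUND HTTP", "Permit", proto="TCP", remote_port=80),
    Filter("Permit OUTBOUND HTTPS", "Permit", proto="TCP", remote_port=443),
    Filter("Permit OUTBOUND DNS (UDP)", "Permit", proto="UDP", remote_port=53),
    Filter("Permit OUTBOUND DNS (TCP)", "Permit", proto="TCP", remote_port=53),
]


def evaluate(filters: List[Filter], pkt: Packet) -> Tuple[str, str]:
    """Return (action, filter name) for the most specific matching filter.

    Traffic that matches no filter at all is passed by IPsec, which is why
    the policy needs the Deny BIDIRECTIONAL ALL filter. Equal specificity is
    resolved in favour of Deny; that tie-break is this example's assumption.
    """
    candidates = [f for f in filters if f.matches(pkt)]
    if not candidates:
        return ("Permit", "<no filter matched: IPsec passes unfiltered traffic>")
    best = max(candidates, key=lambda f: (f.specificity(), f.action == "Deny"))
    return (best.action, best.name)


if __name__ == "__main__":
    samples = [
        Packet("INBOUND", "TCP", 80, 51234),     # client fetching a page
        Packet("OUTBOUND", "TCP", 80, 51234),    # the reply, via the mirrored filter
        Packet("INBOUND", "TCP", 3389, 51000),   # Terminal Services from the Internet
        Packet("OUTBOUND", "UDP", 49152, 53),    # DNS lookup
        Packet("INBOUND", "TCP", 135, 53),       # what the deck's "nmap -g 53" scan sends
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(SECURE_WEB, pkt))
```

The last sample packet is the point of the deck's nmap -g 53 scan: IPsec filters are stateless and mirrored, so the outbound DNS filter also admits an inbound packet whose source port is 53, to any local port. The model reproduces that, which is what the scan on the next slide is meant to reveal; the usual answer is a stateful firewall in front of the server rather than more IPsec filters.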

Page 39

IP Policies: Let's look at the results

Tools needed: Nmap

Exercise:
Groups of two or three
Choose which computer will perform the scan
Un-assign IP policies, as they also block outbound traffic
Perform the following port scans:

nmap -sS -P0 -O -p 1-65535
nmap -sS -P0 -O -g 53 -p 1-65535
nmap -sT -P0 -O -p 1-65535

Page 40

File Permissions

Page 41

Permissions: Assigning correct NTFS permissions

CGI files: .EXE, .DLL, .CMD, .PL
Administrators: Full Control
System: Full Control
IUSR_SERVER: Read & Execute, Read

Script files: .ASPX, .ASP, .PHP
Administrators: Full Control
System: Full Control
IUSR_SERVER: Read & Execute, Read

Include files: .INC, .SHTML, .SHTM
Administrators: Full Control
System: Full Control
IUSR_SERVER: Read & Execute, Read

Page 42

Permissions: Assigning correct NTFS permissions

Static files: .HTML, .HTM, .TXT, .GIF, .JPG
Administrators: Full Control
System: Full Control
IUSR_SERVER: Read

Data files: .MDB
Administrators: Full Control
System: Full Control
IUSR_SERVER: Read, Write, Read & Execute, Modify
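Once the per-class rights are set, the useful ongoing check is whether the files under the web root still match them. The Python below is an added example and not part of the course: it encodes the expected rights from the two permissions slides and compares a listing of files and their ACLs against them, reporting extra rights held by IUSR_SERVER, rights that are missing, principals the baseline does not mention, and extensions the baseline does not cover. SAMPLE_LISTING is constructed for the example; on a real server the listing would be assembled from cacls or icacls output, which this example does not parse.

```python
import os
from typing import Dict, List, Optional, Set, Tuple

ACL = Dict[str, Set[str]]  # principal -> set of NTFS permission names

FULL = {"Full Control"}
READ_EXECUTE = {"Read & Execute", "Read"}

# Expected permissions per file class, as given on the two permissions
# slides. IUSR_SERVER stands for the anonymous IIS account (IUSR_<machine>).
CLASSES: Dict[str, Tuple[Set[str], ACL]] = {
    "CGI":     ({".EXE", ".DLL", ".CMD", ".PL"},
                {"Administrators": FULL, "System": FULL, "IUSR_SERVER": READ_EXECUTE}),
    "Script":  ({".ASPX", ".ASP", ".PHP"},
                {"Administrators": FULL, "System": FULL, "IUSR_SERVER": READ_EXECUTE}),
    "Include": ({".INC", ".SHTML", ".SHTM"},
                {"Administrators": FULL, "System": FULL, "IUSR_SERVER": READ_EXECUTE}),
    "Static":  ({".HTML", ".HTM", ".TXT", ".GIF", ".JPG"},
                {"Administrators": FULL, "System": FULL, "IUSR_SERVER": {"Read"}}),
    "Data":    ({".MDB"},
                {"Administrators": FULL, "System": FULL,
                 "IUSR_SERVER": {"Read", "Write", "Read & Execute", "Modify"}}),
}

# Constructed listing: file name -> ACL, as one might assemble from cacls
# output. Nothing here comes from a real server.
SAMPLE_LISTING: Dict[str, ACL] = {
    "default.asp": {"Administrators": FULL, "System": FULL, "IUSR_SERVER": {"Read & Execute", "Read"}},
    "upload.asp":  {"Administrators": FULL, "System": FULL, "IUSR_SERVER": {"Read & Execute", "Read", "Write"}},
    "logo.gif":    {"Administrators": FULL, "System": FULL, "IUSR_SERVER": {"Read & Execute", "Read"}},
    "data.mdb":    {"Administrators": FULL, "System": FULL, "IUSR_SERVER": {"Read"}},
    "index.htm":   {"Administrators": FULL, "System": FULL, "IUSR_SERVER": {"Read"}, "Everyone": {"Read"}},
    "old.bak":     {"Administrators": FULL, "System": FULL, "IUSR_SERVER": {"Read"}},
}


def classify(filename: str) -> Optional[str]:
    """Map a file to one of the slide's classes by extension (case-insensitive)."""
    ext = os.path.splitext(filename)[1].upper()
    for cls, (extensions, _) in CLASSES.items():
        if ext in extensions:
            return cls
    return None


def audit_file(filename: str, acl: ACL) -> List[str]:
    """Return one finding per deviation from the expected ACL for this file."""
    cls = classify(filename)
    if cls is None:
        return [f"{filename}: extension not covered by the baseline, review manually"]
    expected = CLASSES[cls][1]
    findings: List[str] = []
    for principal, rights in acl.items():
        if principal not in expected:
            findings.append(f"{filename}: unexpected principal {principal} with {sorted(rights)}")
            continue
        extra = rights - expected[principal]
        if extra:
            findings.append(f"{filename}: {principal} has extra rights {sorted(extra)}")
    for principal, rights in expected.items():
        missing = rights - acl.get(principal, set())
        if missing:
            findings.append(f"{filename}: {principal} is missing {sorted(missing)}")
    return findings


def audit(listing: Dict[str, ACL]) -> List[str]:
    """Audit a whole listing; each finding is prefixed with the file name."""
    return [f for name, acl in listing.items() for f in audit_file(name, acl)]


if __name__ == "__main__":
    for finding in audit(SAMPLE_LISTING):
        print(finding)
```

The two deviations worth watching most are the ones the sample shows on upload.asp and logo.gif: write access for the anonymous account on a script, and execute rights on static content that never needs them.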

Page 43

Hardening IIS

Page 44

Hardening IIS

Web server extensions
Application debugging
Custom errors
HTTP verbs
URL Scan
Logging

Page 45

Web Server Extensions: Predefined Web Service Extensions

Everything is turned off by default.
A default IIS 6.0 installation will only run sites with static pages (.HTML, .HTM).

Page 46

Web Server Extensions: Predefined Web Service Extensions (cont.)

Active Server Pages
ASP.NET version 1.1.4322
FrontPage Server Extensions 2002
Internet Data Connector
Server-Side Includes
WebDAV

Page 47

Application Debugging: Stop IIS from sending error messages to clients

Stop applications from sending debugging details to clients:
Right-click on your web site in the IIS manager, Home Directory, Configuration, App Debugging.
Check “Send text error to client” and leave the text box blank.

Page 48

Custom Errors: Redirect to a custom error page when an error occurs

Send custom error pages to clients for HTTP 500s and 404s:
Right-click on your web site in the IIS manager, Custom Errors, double-click on 500.
Message Type: URL
URL: /<LOCATION OF CUSTOM PAGE>

Make certain that error 500 messages don't get sent to the browser!

Page 49

HTTP Verbs: Limit access to HTTP verbs

Remove all un-needed HTTP verbs from each application.
Generally required: GET, HEAD, POST

Page 50

URL Scan: URL filtering

What is URL Scan? What can it do?

Enable/disable HTTP verbs
Disable HTTP headers
Enable/disable specific file extensions
Disable character sequences
Remove/alter the server header
Restrict header lengths

Questions concerning URL Scan?

Page 51

URL Scan: URL filtering

How does it work:
Configuration file
Installation
Fine tuning
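The configuration file is where every capability listed on the two URL Scan slides and the HTTP verb slide is expressed, so it helps to see the allow-list logic run against real-looking requests. The Python below is an added example, not code from the course or from Microsoft's UrlScan: it parses a constructed urlscan.ini excerpt (the section and option names are UrlScan 2.5's; the entries are chosen for this example) and applies the same checks to sample requests: the verb allow-list, the extension allow-list, denied URL sequences after normalisation, denied headers, and the Server header rewrite. It also shows a limitation worth knowing when fine tuning: UrlScan 2.5 did not screen the query string (that arrived with UrlScan 3.0's DenyQueryStringSequences), so this model leaves it unscreened too.

```python
from typing import Any, Dict, Optional, Tuple
from urllib.parse import unquote

# Constructed urlscan.ini excerpt. The section and option names are the ones
# UrlScan 2.5 uses; the entries are this example's choices, not a shipped default.
SAMPLE_INI = r"""
[Options]
UseAllowVerbs=1
UseAllowExtensions=1
NormalizeUrlBeforeScan=1
RemoveServerHeader=1
AlternateServerName=
MaxUrl=260

[AllowVerbs]
GET
HEAD
POST

[AllowExtensions]
; a lone "." allows URLs with no extension, such as "/"
.asp
.htm
.html
.gif
.jpg
.

[DenyUrlSequences]
..
./
\
%
&

[DenyHeaders]
Translate:
If:
Lock-Token:
"""


def parse_ini(text: str) -> Dict[str, Any]:
    """Parse the urlscan.ini layout: key=value under [Options], one entry per line elsewhere."""
    cfg: Dict[str, Any] = {"Options": {}}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            cfg.setdefault(section, {} if section == "Options" else [])
        elif section == "Options":
            key, _, value = line.partition("=")
            cfg["Options"][key.strip()] = value.strip()
        elif section is not None:
            cfg[section].append(line)
    return cfg


CONFIG = parse_ini(SAMPLE_INI)


def url_extension(path: str) -> str:
    """Extension of the last path segment, or "." when it has none."""
    last = path.rsplit("/", 1)[-1]
    return last[last.rfind("."):].lower() if "." in last else "."


def screen(cfg: Dict[str, Any], verb: str, url: str, headers: Dict[str, str]) -> Tuple[bool, str]:
    """Apply the allow-list checks; returns (accepted, reason)."""
    opt = cfg["Options"]
    if opt.get("UseAllowVerbs") == "1":
        if verb.upper() not in {v.upper() for v in cfg.get("AllowVerbs", [])}:
            return False, f"verb {verb} not in [AllowVerbs]"
    if len(url) > int(opt.get("MaxUrl", "260")):
        return False, "URL longer than MaxUrl"
    # UrlScan 2.5 screens the path only; query-string screening arrived with
    # UrlScan 3.0 (DenyQueryStringSequences), so the query is left alone here.
    path = url.split("?", 1)[0]
    if opt.get("NormalizeUrlBeforeScan") == "1":
        # Decode once, then scan: a "%" that survives decoding means the
        # request was double-encoded, which is why "%" is a denied sequence.
        path = unquote(path)
    for seq in cfg.get("DenyUrlSequences", []):
        if seq in path:
            return False, f"URL contains denied sequence {seq!r}"
    if opt.get("UseAllowExtensions") == "1":
        ext = url_extension(path)
        if ext not in {e.lower() for e in cfg.get("AllowExtensions", [])}:
            return False, f"extension {ext} not in [AllowExtensions]"
    denied = {h.lower() for h in cfg.get("DenyHeaders", [])}
    for name in headers:
        if name.lower() + ":" in denied:
            return False, f"header {name} is in [DenyHeaders]"
    return True, "accepted"


def server_header(cfg: Dict[str, Any], original: str = "Microsoft-IIS/6.0") -> Optional[str]:
    """What the Server response header becomes: dropped, replaced, or left alone."""
    opt = cfg["Options"]
    if opt.get("RemoveServerHeader") == "1":
        return None
    return opt.get("AlternateServerName") or original
```

Fine tuning is mostly a matter of editing the allow-lists: every extension an application actually serves has to appear under [AllowExtensions], and the "." entry is what keeps requests for "/" working. Because UrlScan logs each rejection, its log is also the place to look after a change to see which legitimate requests the new lists broke.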

Page 52

Logging: Configuring logging

Create separate logs for each site.

Log folder permissions:
Administrators: Full Control
System: Full Control
IUSR_SERVER: Read, Write, Modify, List Folder Contents, Read & Execute

Page 53

Additional Hardening

Page 54

Additional Hardening

Uninstallable components
Special binaries

Page 55

Uninstallable Components

1. Load “%systemroot%\inf\sysoc.inf” into Notepad
2. Replace ”hide” with ””
3. Run Add/Remove Applications
4. Remove any unwanted/unneeded components (be careful!)

Page 56

Special Binaries

Several executables exist on a standard Windows 2000 installation that could become rather useful to an attacker

Special access rights need to be set on all of these executables

Page 57

Special Binaries (cont.)

Uncheck “Allow inheritable permissions from parent to propagate to this object”.

Remove all users from the name list, including SYSTEM.

Assign “Full Control” to a user that is to be used to access these files, i.e. an administrator.

Page 58

Special Binaries (cont.)

rsh.exe, secfixup.exe, telnet.exe, tftp.exe, ipconfig.exe, nbtstat.exe, netstat.exe, ping.exe, qbasic.exe, rdisk.exe, regedt32.exe, net.exe, nslookup.exe, posix.exe, rcp.exe, regedit.exe, rexec.exe, tracert.exe, command.com, os2.exe, os2ss.exe, arp.exe, at.exe, atsvc.exe, cacls.exe, cmd.exe, debug.exe, edit.com, edlin.exe, finger.exe, ftp.exe, xcopy.exe, os2srv.exe, cscript.exe, wscript.exe, iisreset.exe, route.exe, runonce.exe, syskey.exe

Page 59

What have we learned today?

Physical Security
OS Installation
Account Policies
Local Policies
Services
User Accounts
IP Policies
Permissions
Hardening IIS
Additional Hardening

Page 60

?