Securing Your Servers Paula Kiernan Senior Consultant Ward Solutions.


Securing Your Servers

Paula Kiernan

Senior Consultant

Ward Solutions

Session Overview

Defense in Depth

Malware Defense for Servers

Malware Outbreak Control and Recovery

Hardening Servers

Defense-in-Depth

Using a layered approach:
Increases an attacker’s risk of detection
Reduces an attacker’s chance of success

Layers of the defense-in-depth model, from outermost to innermost, with the controls at each layer:
Policies, procedures, and awareness: security policies, procedures, and education
Physical security: guards, locks, tracking devices
Perimeter: firewalls, border routers, VPNs with quarantine procedures
Internal network: network segments, IPSec, NIDS
Host: OS hardening, authentication, update management, antivirus updates, auditing
Application: application hardening
Data: strong passwords, ACLs, encryption, EFS, backup and restore strategy

Server Security Best Practices

Apply the latest Service Pack and all available security patches

Use Group Policy to harden servers

Restrict physical and network access to servers

Keep anti-virus software up-to-date

Protecting Servers: What Are the Challenges?

Challenges to protecting servers include:

Maintaining reliability and performance

Maintaining security updates

Maintaining antivirus updates

Applying specialized defense solutions based upon server role

Securing servers with multiple roles

Session Overview

Defense in Depth

Malware Defense for Servers

Malware Outbreak Control and Recovery

Hardening Servers

What Is Server-Based Malware Defense?

Basic steps to defend servers against malware include:

Reduce the attack surface

Analyze using configuration scanners

Enable a host-based firewall

Apply security updates

Analyze port information

Implementing Server-Based Host Protection Software

Considerations when implementing server-based antivirus software include:

CPU utilization during scanning

Application reliability

Management overhead

Application interoperability

Implementing Security Patch Management

Use the appropriate patch management tools for your environment:

Windows Update

Office Update

WSUS / SUS

SMS

MBSA

Protecting Servers: Best Practices

Consider each server role implemented in your organization to implement specific host protection solutions

Stage all updates through a test environment before releasing into production

Deploy regular security and antivirus updates as required

Implement a self-managed host protection solution to decrease management costs

Session Overview

Defense in Depth

Malware Defense for Servers

Malware Outbreak Control and Recovery

Hardening Servers

How to Confirm the Malware Outbreak

The process for infection confirmation includes:

Reporting unusual activity

Gathering the basic information

Evaluating the data

Gathering the details

Responding to unusual activity

Possible outcomes of the evaluation:

False alarm?

Hoax?

Known infection?

New infection?

How to Respond to a Malware Outbreak

Outbreak control mechanism tasks include:

Disconnect the compromised systems from the network

Isolate the network(s) containing the infected hosts

Disconnect the network from all external networks

Research outbreak control and cleanup techniques

Examples of recovery goals include:

Minimal disruption to the organization’s business

Fastest possible recovery time

The capture of information to support prosecution

The capture of information to allow for additional security measures to be developed

Prevention of further attacks of this type

How to Analyze the Malware Outbreak

The following analysis tasks help you to understand the nature of the outbreak:

Checking for active processes and services

Checking the startup folders

Checking for scheduled applications

Analyzing the local registry

Checking for corrupted files

Checking users and groups

Checking for shared folders

Checking for open network ports

Checking and exporting system event logs

Running MSCONFIG
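The analysis checklist above, gathered into a single read-only triage snapshot so the evidence can be reviewed offline and compared across hosts. This is an added example, not material from the deck; it assumes Windows PowerShell 5.1 on a current Windows Server, an elevated session, and an output directory under the system drive (a path chosen here, not one the deck specifies).

```powershell
# Added example (not from the deck): collect the items in the outbreak analysis
# checklist into one folder without changing anything on the host.
# Assumes Windows PowerShell 5.1, elevated, on a supported Windows Server.
param([string]$OutDir = "$env:SystemDrive\Triage\$($env:COMPUTERNAME)_$(Get-Date -Format yyyyMMdd_HHmmss)")
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Save($Name, $Data) { $Data | Out-File -FilePath (Join-Path $OutDir "$Name.txt") -Width 300 }

# Active processes (with image path and command line) and services with their binaries
Save 'processes' (Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine | Format-Table -AutoSize)
Save 'services'  (Get-CimInstance Win32_Service |
    Select-Object Name, State, StartMode, StartName, PathName | Format-Table -AutoSize)

# Startup folders and the Run/RunOnce registry keys (the startup and registry checks)
$startup = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
             "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup")
Save 'startup_folders' (Get-ChildItem -Path $startup -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime)
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
Save 'run_keys' ($runKeys | ForEach-Object { Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue } | Format-List)

# Scheduled applications
Save 'scheduled_tasks' (schtasks.exe /query /fo LIST /v)

# Local users and the members of every local group
Save 'users'  (Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet)
Save 'groups' (Get-LocalGroup | ForEach-Object { "[$($_.Name)]"
    Get-LocalGroupMember -Name $_.Name -ErrorAction SilentlyContinue | ForEach-Object { "  $($_.Name)" } })

# Shared folders and open network ports with the owning process id
Save 'shares'  (Get-CimInstance Win32_Share | Select-Object Name, Path, Description)
Save 'netstat' (netstat.exe -ano)

# Export the event logs in native .evtx form, then write a hash manifest of everything collected
foreach ($log in 'System', 'Security', 'Application') {
    wevtutil.exe epl $log (Join-Path $OutDir "$log.evtx")
}
Get-ChildItem -Path $OutDir -File | Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path | Export-Csv -Path (Join-Path $OutDir 'manifest.csv') -NoTypeInformation
Write-Host "Triage snapshot written to $OutDir"
```

Copy the folder off the host before cleanup begins; the manifest lets you show later that the exported logs were not altered.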

How to Recover from a Malware Outbreak

Use the following process to recover from a virus outbreak:

Restore missing or corrupt data

Remove or clean infected files

Reconnect your computer systems to the network

Confirm that your computer systems are free of malware

How to Perform a Postrecovery Analysis

Postrecovery analysis steps include the following:

Postattack review meeting

Postattack updates

Session Overview

Defense in Depth

Malware Defense for Servers

Malware Outbreak Control and Recovery

Hardening Servers

Hardening Servers

Core Server Hardening Tasks

Active Directory Security

Hardening Servers with Specific Roles

Hardening Application Servers

Core Server Hardening Tasks

Apply the latest Service Pack and all available security patches

Use Group Policy to harden servers:
Disable services that are not required
Implement secure password policies
Disable LAN Manager and NTLMv1 authentication

Restrict physical and network access to servers

Keep anti-virus software up-to-date

Additional Recommendations for Securing Servers

Rename the built-in Administrator and Guest accounts

Restrict access for built-in and non-operating system service accounts

Do not configure a service to log on using a domain account

Use NTFS to secure files and folders

Educate IT staff on secure password practices

Active Directory Security

Identify the Active Directory security boundary:
Forest
Site
Domain
Organizational Unit

Base the Active Directory design on Group Policy and delegation requirements

Using Group Policy

Strengthen the settings in the Default Domain Policy

Review audit settings on important Active Directory objects

Ensure that password and account policies meet your organization’s security requirements

Security Templates

Security Templates can be used to harden servers

Security Templates are implemented using

Security Configuration and Analysis Tool

secedit

Group Policy

Windows Server 2003 Security Guide supplies default templates

http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx

Security Template Best Practices

Review and modify security templates before using them

Use security configuration and analysis tools to review template settings before applying them

Test templates thoroughly before deploying them

Store security templates in a secure location

Demonstration: Using Security Templates

Implementing Security Templates

[Diagram: demonstration lab network. The internal network 10.10.0.0/16 connects to the Internet through Vancouver.nwtraders.msft (ISA Server 2004, 10.10.0.1 and 131.107.0.1). Other hosts: London.nwtraders.msft (Domain Controller, Exchange Server 2003, IIS 6.0 Server, Software Update Services, DNS Server, Enterprise CA Server, 10.10.0.2); Denver.nwtraders.msft (Windows XP SP2, Office 2003, 10.10.0.10); Glasgow.nwtraders.msft (MIIS Server, ADAM Server, 10.10.0.3); Brisbane.northwindtraders.msft (Domain Controller, IIS 6.0 Server, 10.10.0.20).]

Hardening Servers with Specific Roles

Apply baseline security settings to all member servers

Apply additional settings for specific server roles

Use GPResult to ensure that settings are applied correctly

[Diagram: hardening procedures. Apply the Member Server Baseline Policy, then apply incremental role-based security settings for Infrastructure Servers, File & Print Servers, IIS Servers, Certificate Services Servers, Bastion Hosts, and RADIUS (IAS) Servers; Securing Active Directory is shown alongside.]

Best Practices for Hardening Servers for Specific Roles

Secure well-known user accounts

Enable only services required by role

Enable service logging to capture relevant information

Use IPSec filtering to block specific ports based on server role

Modify templates as needed for servers with multiple roles

Hardening Application Servers

Application servers that typically have specialized protection requirements include:

Application: Example
Web servers: Internet Information Services (IIS)
Messaging servers: Microsoft Exchange 2003
Database servers: Microsoft SQL Server 2000

Application Server Best Practices

Configure security on the base operating system

Apply operating system and application service packs and patches

Install or enable only those services that are required

Application accounts should be assigned minimal permissions

Apply defense-in-depth principles to increase protection

Assign only those permissions needed to perform required tasks

Securing IIS Servers

Apply the security settings in the IIS Server Security Template

Install the IIS Lockdown tool and configure URLScan on all IIS 5.0 installations

Enable only essential IIS components

Configure NTFS permissions for all folders that contain Web content

Install IIS and store Web content on a dedicated disk volume

If possible, do not enable both the Execute and Write permissions on the same Web site

On IIS 5.0 servers, run applications using Medium or High Application Protection

Use IPSec filters to allow only ports 80 and 443

Hardening the Messaging Environment

To harden your Exchange messaging environment, deploy the following:

Environment: Configuration
Server environment: Domain, Domain Controller, and Member Server Baseline Policy templates (Windows Server 2003 Security Guide at http://go.microsoft.com/fwlink/?LinkId=21638)
Messaging environment: Exchange Domain Controller Baseline Policy template (Exchange Server 2003 Security Hardening Guide at http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/exsecure.mspx)

Securing Exchange Servers

Limit Exchange Server functionality to clients that are strictly required

Remain current with the latest updates for both Exchange Server 2003 and the operating system

Use SSL/TLS and forms-based authentication for Outlook Web Access

Use ISA Server 2004 to regulate access for HTTP, RPC over HTTPS, POP3, and IMAP4 traffic

Validating Exchange Server Configuration Settings

ExBPA can examine your Exchange servers to:

Generate a list of issues, such as misconfigurations or unsupported or non-recommended options

Judge the general health of a system

Help troubleshoot specific problems

Demonstration: Analyzing Configuration Settings on Exchange Server 2003

Analyze Exchange Server using MBSA and the ExBPA Tool

Basic SQL Server Security Configuration

Apply service packs and patches

Use MBSA to detect missing SQL updates

Disable unused services

MSSQLSERVER (required)

SQLSERVERAGENT

MSSQLServerADHelper

Microsoft Search

Microsoft DTC
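An audit script for the Group Policy hardening items under Core Server Hardening Tasks (LAN Manager and NTLMv1 disabled, secure password policy, unneeded services disabled), run here against the SQL Server services listed above. This is an added example, not from the deck; it assumes Windows PowerShell 5.1 in an elevated session, the thresholds are assumptions to adjust to your own policy, and the service names MSSearch and MSDTC are assumed to be the ones behind the slide's "Microsoft Search" and "Microsoft DTC".

```powershell
# Added example (not from the deck): report deviations from the Group Policy
# hardening items. Assumes Windows PowerShell 5.1, elevated; thresholds are assumed.
function Test-ServerHardening {
    param(
        [int]$RequiredLmLevel = 5,        # 5 = send NTLMv2 only; refuse LM and NTLM (NTLMv1)
        [int]$MinPasswordLength = 12,     # assumed organizational minimum
        [string[]]$ServicesToDisable = @()
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # LAN Manager / NTLMv1 settings live under the Lsa key.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lmLevel = if ($null -ne $lsa.LmCompatibilityLevel) { [int]$lsa.LmCompatibilityLevel } else { -1 }
    if ($lmLevel -lt $RequiredLmLevel) {
        $findings.Add("LmCompatibilityLevel is $lmLevel (-1 = not set); expected $RequiredLmLevel so LM and NTLMv1 are refused")
    }
    if ([int]$lsa.NoLMHash -ne 1) {
        $findings.Add('NoLMHash is not 1; LM hashes of new passwords would still be stored')
    }

    # Effective password and lockout policy, exported by secedit (read-only).
    $cfg = Join-Path $env:TEMP 'hardening-audit.inf'
    secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
    $policy = @{}
    foreach ($line in Get-Content -Path $cfg -Encoding Unicode) {
        if ($line -match '^\s*(\w+)\s*=\s*(\S+)') { $policy[$matches[1]] = $matches[2] }
    }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    if ([int]$policy['MinimumPasswordLength'] -lt $MinPasswordLength) {
        $findings.Add("MinimumPasswordLength is $($policy['MinimumPasswordLength']); expected at least $MinPasswordLength")
    }
    if ($policy['PasswordComplexity'] -ne '1') { $findings.Add('PasswordComplexity is not enabled') }
    if ([int]$policy['LockoutBadCount'] -eq 0) { $findings.Add('LockoutBadCount is 0: no account lockout threshold') }

    # Services the role does not need should be stopped and set to Disabled.
    foreach ($svc in $ServicesToDisable) {
        $s = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svc'"
        if ($s -and ($s.State -ne 'Stopped' -or $s.StartMode -ne 'Disabled')) {
            $findings.Add("Service $svc is $($s.State), start mode $($s.StartMode); expected Stopped/Disabled")
        }
    }
    return $findings
}

# Run for a SQL Server host. Service names assumed to match the slide's list:
# SQLSERVERAGENT, MSSQLServerADHelper, Microsoft Search (MSSearch), Microsoft DTC (MSDTC).
$results = @(Test-ServerHardening -ServicesToDisable 'SQLSERVERAGENT', 'MSSQLServerADHelper', 'MSSearch', 'MSDTC')
if ($results.Count -eq 0) { 'No findings' } else { $results }
```

Run it before and after applying a security template to confirm the template actually changed the effective settings on the server.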

Database Server Security Considerations

[Diagram: database server security layers. Network: Protocols, Ports. Operating System: Patches and Updates, Shares, Services, Accounts, Auditing and Logging, Files and Directories, Registry. SQL Server: SQL Server Security, Logins, Users, and Roles, Database Objects.]

Session Summary

Understanding malware will help you to implement an effective defense against malware attacks

Use a defense-in-depth approach to defend against malware

Harden operating systems and applications by applying security updates, installing and maintaining an antivirus software strategy, and restricting computers using Group Policy

Stage all updates through a test server before implementing into production, in order to minimize disruption

An efficient response and recovery plan will ensure that if a malware attack occurs, your organization can quickly recover with minimal disruption

Next Steps

Find additional security training events:

http://www.microsoft.com/seminar/events/security.mspx

Sign up for security communications:

http://www.microsoft.com/technet/security/signup/default.mspx

Order the Security Guidance Kit:

http://www.microsoft.com/security/guidance/order/default.mspx

Get additional security tools and content:

http://www.microsoft.com/security/guidance

Questions and Answers