Windows Server 2003 Security Donald E. Hester CISSP, CISA, MCT, MCSE, MCSA, MCDST, Security+, CTT+, MV Maze & Associates San Diego City College Los Medanos College

Page 1: Windows Server 2003 Security

Donald E. Hester, CISSP, CISA, MCT, MCSE, MCSA, MCDST, Security+, CTT+, MV

Maze & Associates

San Diego City College

Los Medanos College

Page 2: What we are looking at today

Page 3: Priority Shift

- Access was a top priority
  - Open-by-default
  - Start with everything open and then start locking down as needed
- Control is now a top priority
  - Closed-by-default
  - Start with everything closed and open only what is needed

Page 4: Security Enhancements

Page 5: Server 2003 Defaults

- IIS – Internet Information Services
  - IIS is not installed by default
  - When you install IIS 6 it is locked down
- More startup services are disabled in 2003
- Everyone Group
  - No longer has Full Control; it has Read and Execute
  - No longer includes anonymous users

Page 6: Server 2003 Defaults

- Accounts with null passwords are console-bound
- Software restriction policies
  - Hash rule
  - Path rule
  - Certificate rule
  - Internet Zone rule
- Protected EAP (PEAP)
- Detailed security auditing

Page 7: File System

- NTFS
  - Permissions & auditing
  - EFS - Encrypted File System (multiple users)
  - VSS - Volume Shadow Copy (Server 2003)
  - Quotas
  - ABE (Server 2003 SP1)
- Future developments
  - WinFS
  - Won’t be in Longhorn

Page 8: ABE (Access-Based Enumeration)

Page 9: Internet Connection Firewall

Windows Firewall

Page 10: ICF vs. Windows Firewall

- Boot-time Security
- Global configuration
- Audit logging
- Scope restrictions
- Command-line support
- Program-based exceptions
- Multiple Profiles
- Unattended setup support
- Enhanced multicast and broadcast support
- IPv6 support
- New Group Policy Support

Page 11: PSSU (Post-Setup Security Updates)

- Service Pack 1 enhancement
- Protects the computer until it can update
- Uses Windows Firewall

Page 12: DEP (Data Execution Prevention)

- Prevent malicious software rather than error out and potentially crash the system
- Hardware-enforced DEP
  - Protects memory locations
  - The no-execute page-protection (NX) processor feature as defined by AMD
  - The Execute Disable Bit (XD) feature as defined by Intel
- Software-enforced DEP
  - Protects system binaries and exception handling
  - Software built with SafeSEH

Page 13: TCP/IP protection

- Enhancements:
  - Smart TCP port allocation
  - SYN attack protection is enabled by default
  - New SYN attack notification IP Helper APIs
  - Winsock self-healing

Page 14: What Is Network Access Quarantine?

Diagram labels:

- Remote access client authenticates
- RAS client placed in Quarantine
- RAS client meets Quarantine policies
  - RAS client gets full access to network
- RAS client disconnected
  1. RAS client fails policy check
  2. Quarantine timeout reached

Page 15: Trusts in Windows Server 2003

[Diagram: Forest 1 and Forest 2, each with a forest root, Domains A through F, P and Q, and a Kerberos realm. Trust types labelled: Tree/Root Trust, Parent/Child Trust, Shortcut Trust, Forest Trust, External Trust, Realm Trust.]

Page 16: Coming Soon: IE 7

- Information Security Magazine (Jan 2006)

Page 17: Server Hardening

Page 18: Server Hardening

- Appropriate settings for a secure baseline
  - Settings for applications and services
  - Operating system components
  - Permissions and rights
  - Administrative procedures
  - Physical access

Page 19: Server Hardening - Templates

- Predefined Security Templates
- Security Guide Templates
- Industrial Templates
  - SANS
  - CIAC
  - NSA
  - DoD
- Custom Templates

Page 20: Template Deployment

- Test before deployment
- Periodic analysis
  - Security Configuration and Analysis snap-in
  - Scripting (Secedit.exe)
- Deployment Methods
  - Group Policy (Active Directory)
  - Security Configuration and Analysis snap-in
  - Scripting (Secedit.exe)
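
An added example (not from the original slides) of the periodic-analysis step: it compares a baseline security template with a template exported from a server and lists every baseline setting that has drifted. Both templates are constructed samples and the function names are this example's own; a file written by `secedit /export` is normally UTF-16 and has to be decoded before it is parsed.

```python
import configparser

# Constructed sample data: the baseline template and a template exported from a server.
BASELINE_INF = """\
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
"""
EXPORTED_INF = """\
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 3
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544,*S-1-1-0
"""

def parse_template(text):
    """Return {(section, key): value} for one security template (.inf)."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # setting names are kept exactly as written
    cp.read_string(text)
    settings = {}
    for section in cp.sections():
        if section in ("Unicode", "Version"):  # file metadata, not settings
            continue
        for key, value in cp.items(section):
            if section == "Privilege Rights":  # SID order is not significant
                value = ",".join(sorted(v.strip() for v in value.split(",")))
            settings[(section, key)] = value.strip()
    return settings

def find_drift(baseline_text, current_text):
    """List (section, key, expected, actual) for every baseline setting that differs."""
    baseline, current = parse_template(baseline_text), parse_template(current_text)
    drift = [(s, k, want, current.get((s, k)))
             for (s, k), want in baseline.items() if current.get((s, k)) != want]
    return sorted(drift, key=lambda d: d[:2])

if __name__ == "__main__":
    for section, key, want, got in find_drift(BASELINE_INF, EXPORTED_INF):
        print(f"[{section}] {key}: expected {want!r}, found {got!r}")
```

In the sample, the exported template shows a zero minimum password length, a missing lockout threshold, and the Everyone SID (S-1-1-0) added to the network logon right.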

Page 21: Server Hardening

- Security Configuration Wizard (SCW)
  - Comes with Service Pack 1 (Server 2003)
  - Disables unneeded services
  - Blocks unused ports
  - Allows further address or security restrictions for ports that are left open
  - Prohibits unnecessary Internet Information Services (IIS) Web extensions, if applicable
  - Reduces protocol exposure to server message block (SMB), NTLM, LanMan, and Lightweight Directory Access Protocol (LDAP)
  - Defines a high signal-to-noise audit policy
  - Best for servers with multiple roles

Page 22: Security Configuration Wizard

- Supports
  - Rollback
  - Analysis
  - Remote configuration
  - Command-line support
  - Active Directory integration
  - Policy editing
  - Export to Group Policy

Page 23: Security Tools

Page 24: Updates

- Manual
  - Requires user intervention – labor intensive
- Windows Updates
  - Automatic process fine for small deployments
- SUS
  - Updates approved critical patches for multiple machines at an administrator appointed time (replaced with WSUS)
- WSUS
  - Same as SUS but includes support for other patches such as Office and critical drivers

Page 25: PKI

- Some uses
  - EFS, Authentication, Smart Card, IPSec, Servers
- Auto enrollment
- Command line tools (Certreq.exe, Certutil.exe)
- Key recovery (DRA or KRA)
- Delta CRL

Page 26: Available Tools - GPMC

- New User Interface
- Backup and restore
- Import and export
- Group Policy Modeling
- Resultant Set of Policy (RSoP)

Page 27: Available Tools - MBSA

- Microsoft Baseline Security Analyzer (v2)

Page 28: Available Tools - MSAT

- Microsoft Security Assessment Tool

Page 29: Available Tools – Windows Defender

- Microsoft Anti-Spyware – Windows Defender
  - Spyware detection
  - Scheduled scanning and removal
  - Straightforward operation and thorough removal technology

Page 30: Available Tools

- Security Resource Kit
  - Various tools to enumerate access control lists, list drivers, list services, dump event logs, parse logs, determine authentication method, and much more
- Security Guide
  - Templates
  - Various test scripts

Page 31: 3rd Party Tools

- Winternals http://www.winternals.com/
- Sysinternals http://www.systernals.com/
- CERT http://www.cert.org/
- SANS http://www.sans.org/

Page 32: Resources

- Windows Server 2003 Security Guide
  - http://go.microsoft.com/fwlink/?LinkId=14846
- WindowSecurity.com [email protected] (Feedback email)
- Microsoft Windows Security Resource Kit (2nd Ed.)
  - ISBN 0-7356-2174-8
- Service Pack 1 Overview
  - http://www.microsoft.com/technet/prodtechnol/windowsserver2003/servicepack/overview.mspx

Page 33: Resources

- Microsoft Security Assessment Tool (MSAT) https://www.securityguidance.com/
- Microsoft Security http://www.microsoft.com/security/default.mspx
- Microsoft Baseline Security Analyzer (MBSA) http://www.microsoft.com/technet/security/tools/mbsahome.mspx
- Microsoft Anti-Spyware (beta) Defender http://www.microsoft.com/athome/security/spyware/software/default.mspx

Page 34: Resources

- RootKit Revealer http://www.sysinternals.com/Utilities/RootkitRevealer.html
- Strider GhostBuster Project (Rootkit detector) http://research.microsoft.com/rootkit/
- Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP http://go.microsoft.com/fwlink/?LinkId=15160

Page 35: Contact Info

- Donald E. Hester
- [email protected]
- https://www.linkedin.com/in/donaldehester