HARDENING SERVERS

Chapter 7

Chapter 7: Hardening Servers 2

DEFAULT SECURITY TEMPLATES

Setup Security.inf and DC Security.inf

Compatws.inf

Securews.inf and Securedc.inf

Hisecws.inf and Hisecdc.inf

Rootsec.inf

Iesacls.inf

DESIGNING SECURITY TEMPLATES

Create a custom security template for each role, not each computer

Base custom templates on a default template

Never modify default security templates

Apply multiple security templates to computers with multiple roles

SECURITY TEMPLATE SETTINGS

Account policies

Local policies

Event logs

Group memberships

Services

Registry permissions

File and folder permissions

SETTINGS NOT AVAILABLE IN SECURITY TEMPLATES

Configuration of Automatic Updates

Which Microsoft Windows components and applications are installed

IPSec policies

Software restrictions

Wireless network policies

EFS settings

Certification Authority (CA) settings

CONFIGURING EARLIER VERSIONS OF WINDOWS

Support Group Policy: Windows Server 2003, Windows 2000 Server, Windows 2000 Professional, Windows XP Professional

Support System Policy: Windows NT 4.0, Windows 95, Windows 98, Windows Me

SYSTEM POLICY EDITOR

DEPLOYING SECURITY CONFIGURATION WITH GROUP POLICY

Import templates into Group Policy

Leverage inheritance

Filter Group Policy objects (GPOs) with security groups

Use Windows Management Instrumentation (WMI) filtering only where necessary

SERVER HARDENING BEST PRACTICES

Use the Configure Your Server Wizard

Disable unnecessary services

Develop a process for updating all software

Change default port numbers

Use network and host-based firewalls

SERVER HARDENING BEST PRACTICES (CONT.)

Require IPSec

Place Internet servers in perimeter networks

Use physical security

Restrict removable media

Back up application-specific information

SERVER HARDENING BEST PRACTICES (CONT.)

Audit backups and restores

Rename default user accounts

Develop security requirements for application-specific user databases

Monitor each server role for failures

Read security guides at http://www.microsoft.com

HARDENING DOMAIN CONTROLLERS

A compromised domain controller can lead to compromises of domain members

Domain controllers can be identified with a DNS query

Avoid storing application data in Active Directory

Create a separate security group for users with privileges to back up domain controllers

Use source-IP filtering to block domain requests from external networks

REQUIRED DOMAIN CONTROLLER SERVICES

File Replication Service

Intersite Messaging

Kerberos Key Distribution Center

Netlogon

Remote Procedure Call (RPC) Locator

Windows Management Instrumentation

Windows Time

HARDENING DNS SERVERS

When DNS servers are compromised, attackers can use them to:

Identify internal network resources

Launch man-in-the-middle attacks

Perform a denial-of-service (DoS) attack

BEST PRACTICES FOR HARDENING DNS SERVERS

Use Active Directory–integrated zones. If not Active Directory integrated:

Restrict permissions on zone files

Use IPSec to protect zone transfers

Disable recursion where possible

Use separate internal and Internet servers

Remove root hints on internal servers

Allow only secure DNS updates if possible

HARDENING DHCP SERVERS

Dynamic Host Configuration Protocol (DHCP) servers running Windows 2000 and later must be authorized in a domain

DHCP servers can automatically update DNS

Protect DHCP servers with 802.1X authentication

HARDENING FILE SERVERS

Carefully audit share permissions and NTFS file system permissions

Use source-IP filtering to block requests from external networks

Audit access to critical and confidential files

HARDENING IAS SERVERS

Enable Remote Authentication Dial-In User Service (RADIUS) message authenticators

Use quarantine control

Enable logging

Audit logs frequently

HARDENING EXCHANGE SERVER COMPUTERS

Encrypt mail traffic with Transport Layer Security (TLS)

Use Secure Sockets Layer (SSL) to protect Outlook Web Access (OWA)

Enable Security events logging

Audit for open relays to protect against spam

HARDENING EXCHANGE SERVER COMPUTERS (CONT.)

Use antispam software

Use antivirus software

Require strong passwords

Audit with MBSA

HARDENING SQL SERVER COMPUTERS

Use Windows authentication when possible

Use delegated authentication

Configure granular authentication in SQL Server databases

Audit SQL authentication requests

Disable SQL communication protocols except TCP/IP, and require encryption

Change the default port number

HARDENING SQL SERVER COMPUTERS (CONT.)

Audit custom applications for vulnerability to SQL injection attacks

Audit databases for unencrypted confidential contents:

User names and passwords

Credit-card numbers

Social Security numbers

SUMMARY

Create security templates for every server role in your organization

Apply security templates by using GPOs

Techniques such as disabling unnecessary services and enabling host-based firewalls can be used to harden any type of server

Server roles each have role-specific considerations, including:

Services that should be enabled

Ports that must be allowed

Logging that should be enabled