Windows Server SP1: Best Windows Server SP1: Best Practises for Hardening and Practises for Hardening and Lessons LearnedLessons Learned

Michael KleefMichael KleefIT Pro EvangelistIT Pro EvangelistMicrosoft CorporationMicrosoft Corporation

SEC315

AgendaAgendaBest PractisesBest PractisesTerminal ServicesTerminal ServicesWhat breaks with Windows Server 2003 What breaks with Windows Server 2003 SP1?SP1?What tools are available to harden?What tools are available to harden?What breaks when you do What breaks when you do ☺☺What's not covered by the tools?What's not covered by the tools?

WhatWhat’’s still manual?s still manual?Application level securityApplication level security

SQL, Exchange, SMS etcSQL, Exchange, SMS etcEach has its own security guideEach has its own security guide

Terminal ServicesTerminal Serviceshttp://www.nsa.gov/snac/os/win2k/w2k_terhttp://www.nsa.gov/snac/os/win2k/w2k_terminal_serv.pdfminal_serv.pdf

Host isolation (IPSEC)Host isolation (IPSEC)See Steve Riley See Steve Riley ☺☺

Some IIS applicationsSome IIS applicationsParts of host hardening itselfParts of host hardening itselfTCP/IP Protocol hardeningTCP/IP Protocol hardening

WhatsWhats best practise?best practise?AdministrationAdministration

Use organisational unit controlsUse organisational unit controlsGroup Policy Group Policy ““likelike”” machinesmachinesUse tools to create policy (SCW, SCE)Use tools to create policy (SCW, SCE)

Understand the purpose of system servicesUnderstand the purpose of system servicesThreats and Countermeasures GuideThreats and Countermeasures GuideWindows Server 2003 Security GuideWindows Server 2003 Security GuideBe aware of app dependenciesBe aware of app dependenciesThreat ModellingThreat Modelling

Use smartcards for administrative tasksUse smartcards for administrative tasksInteractive logonInteractive logonTerminal Services works! (with WS2003)Terminal Services works! (with WS2003)

Use Process and Change Control!!Use Process and Change Control!!Audit!!Audit!!

WhatWhat’’s best practise?s best practise?Application ConfigurationApplication Configuration

Always opt for higher securityAlways opt for higher securityTerminal Services Terminal Services CompatCompatRRAS RRAS CompatCompatNTLMv2 over NTLMv2 over LANManLANManOther appsOther appsAlways choose stronger protocolsAlways choose stronger protocols

If possible run a single app on a single serverIf possible run a single app on a single serverDonDon’’t install stuff that you dont install stuff that you don’’t needt need

QtnQtn: Is a virus/: Is a virus/spywarespyware scanner needed on a SQL Server?scanner needed on a SQL Server?Extra agents/services/tools Extra agents/services/tools Think of extra patching workThink of extra patching work

Watch out for apps that Watch out for apps that requirerequire high privilegehigh privilegeEvaluate thoroughly security requirementsEvaluate thoroughly security requirements

Only enable services and permissions that you needOnly enable services and permissions that you needBe aware of service dependency issuesBe aware of service dependency issuesEnable least privilegeEnable least privilege

WhatWhat’’s best practise?s best practise?Limit AccessLimit Access

Isolate hosts using Isolate hosts using IPsecIPsecRoles: Limit access to the box Roles: Limit access to the box

Service AdminsService AdminsData AdminsData Admins

Physically limit access to the roomPhysically limit access to the room

TCP/IPTCP/IPDenial of Service MitigationDenial of Service Mitigation

SynAttackProtectSynAttackProtect (def=0)(def=0)TcpMaxHalfOpenTcpMaxHalfOpenTcpMaxHalfRetriedTcpMaxHalfRetriedTcpMaxPortsExhaustedTcpMaxPortsExhausted

NoNameReleaseOnDemandNoNameReleaseOnDemandDefault=0, Recommended=1Default=0, Recommended=1

KeepAliveTimeKeepAliveTimeDefault = 2 hoursDefault = 2 hoursRecommended = 5 minutesRecommended = 5 minutes

EnableICMPRedirectsEnableICMPRedirectsNote: Mitigation doesnNote: Mitigation doesn’’t mean no attackt mean no attack

DNS TTLDNS TTL

http://http://support.microsoft.com/default.aspx?scidsupport.microsoft.com/default.aspx?scid=kb;en=kb;en--us;324270us;324270

TCP/IPTCP/IPDenial of Service MitigationDenial of Service Mitigation

The two to ignore are:The two to ignore are:EnablePMTUDiscoveryEnablePMTUDiscoveryEnableDeadGWDetectEnableDeadGWDetect

Authentication MethodsAuthentication MethodsWhy choose strongest?Why choose strongest?

Choosing MSChoosing MS--CHAP?CHAP?CHAP and MSCHAP and MS--CHAP are NOT secureCHAP are NOT secureMSMS--CHAPv2 uses mutual authCHAPv2 uses mutual authCHAP and MSCHAP and MS--CHAP use a shared secretCHAP use a shared secret

Choosing Choosing LANManLANMan over NTLMv2 or over NTLMv2 or Kerberos?Kerberos?

LANManLANMan is NOT secureis NOT secureLANManLANMan uses a shared secretuses a shared secret

Reasons why you may opt otherwiseReasons why you may opt otherwiseCompatibility etcCompatibility etcOld clients, old implementations etcOld clients, old implementations etc

Implications of bad choicesImplications of bad choiceshttp://crimemachine.com/Tuts/Flash/pptphttp://crimemachine.com/Tuts/Flash/pptp--vpn.htmlvpn.html

Authentication Authentication LockdownLockdown

Terminal ServicesTerminal Services

Terminal ServicesTerminal ServicesTop SecurityTop Security TipsTips

Never ever install App Mode on a DCNever ever install App Mode on a DCRemove legacy NT 4.0 Remove legacy NT 4.0 CompatCompat

Nottsid.infNottsid.inf (W2K)(W2K)NT 4.0 NT 4.0 compatcompat weakens security and allows weakens security and allows reg/system file accessreg/system file access

Default RDP encryption is Default RDP encryption is ““HighHigh””Its sets 128bit RC4 encryption onIts sets 128bit RC4 encryption onIPSEC is unnecessary tooIPSEC is unnecessary too

Set a disconnected session timeoutSet a disconnected session timeoutDisable wallpapers, clock, cursor flashing, Disable wallpapers, clock, cursor flashing, virus animationsvirus animations……any other icon flashing etcany other icon flashing etc

Screen redraws take extra bandwidthScreen redraws take extra bandwidth

Terminal ServicesTerminal ServicesTop SecurityTop Security TipsTips

In Server 2003 SP1 TLS is configurable and In Server 2003 SP1 TLS is configurable and required for TS over Internet!!required for TS over Internet!!If one app only then deliver one app only!If one app only then deliver one app only!

Environment SettingsEnvironment SettingsAppSecAppSec (W2K)(W2K)Software Restriction PoliciesSoftware Restriction Policies

Remote Control should include notificationRemote Control should include notificationDisable redirections not neededDisable redirections not needed

LPT, COM, Drive, Printer, Clipboard etcLPT, COM, Drive, Printer, Clipboard etcUse/Delete Temporary Folders Use/Delete Temporary Folders –– On!On!Active Desktop Active Desktop –– Off!Off!Watch file permissions on app installsWatch file permissions on app installs

Service Pack 1 IssuesService Pack 1 Issues

What breaks with SP1?What breaks with SP1?Includes all the Windows XP SP2 lockdownIncludes all the Windows XP SP2 lockdown

DCOM lockdown present DCOM lockdown present Windows FirewallWindows Firewall

Lots of apps are known to work Lots of apps are known to work –– see Q article belowsee Q article belowA few break A few break –– inclincl MSFT ones! MSFT ones! –– fixes for manyfixes for many

NetIQNetIQ AppManagerAppManager 5.0.15.0.1Microsoft Exchange Server 2003Microsoft Exchange Server 2003Microsoft Internet Security and Acceleration (ISA) Server 2004 SMicrosoft Internet Security and Acceleration (ISA) Server 2004 Standard tandard EditionEdition

Known App Compatibility listKnown App Compatibility listhttp://support.microsoft.com/kb/896367http://support.microsoft.com/kb/896367

Terminal Server/DC Terminal Server/DC ReplReplhttp://http://support.microsoft.comsupport.microsoft.com/?id=898060/?id=898060

RPC Based IssuesRPC Based Issueshttp://support.microsoft.com/kb/899148/http://support.microsoft.com/kb/899148/

Other Known OnesOther Known Oneshttp://blogs.technet.com/mkleef/archive/2005/05/10/404699.aspxhttp://blogs.technet.com/mkleef/archive/2005/05/10/404699.aspx

Up to Date InformationUp to Date Informationhttp://support.microsoft.com/ph/3198http://support.microsoft.com/ph/3198

Tools availableTools availablePolicy ToolsPolicy Tools

Security Configuration WizardSecurity Configuration WizardSecurity Configuration EditorSecurity Configuration Editor

Security Configuration and Analysis SnapSecurity Configuration and Analysis Snap--inin

GuidesGuidesWindows Server 2003 Security Guide Templates Windows Server 2003 Security Guide Templates and Scriptsand ScriptsThreats and Countermeasures GuideThreats and Countermeasures Guide

Scan ToolsScan ToolsMBSA 2.0MBSA 2.0SuperscanSuperscanGFI GFI LANGuardLANGuard Network Security ScannerNetwork Security Scanner

Security Configuration Security Configuration WizardWizard

What does SCW lockdown?What does SCW lockdown?Services (database defined)Services (database defined)PortsPortsRestrictions to ports exposedRestrictions to ports exposedIISIISProtocol restrictionsProtocol restrictionsAuditing and Registry SettingsAuditing and Registry Settings

SCW LockdownSCW LockdownCreate Policy File for later useCreate Policy File for later use

Likely issues: SCWLikely issues: SCWKnown IssuesKnown Issues

GPOGPO’’s overriding SCW settingss overriding SCW settingsFirewall IssuesFirewall IssuesService ConfigurationService ConfigurationDCOMDCOMIISIISResults missing from remote analysisResults missing from remote analysisPolicy RollbacksPolicy Rollbacks

Only SCW applied successfully worksOnly SCW applied successfully works

Likely Issues: SCWLikely Issues: SCWTroubleshootingTroubleshooting

Policy/Registry overridesPolicy/Registry overridesAnalyze a machine for complianceAnalyze a machine for compliance

ScwcmdScwcmd analyze analyze //p:c:p:c:\\windowswindows\\securitysecurity\\msscwmsscw\\policiespolicies\\MyPolicMyPolicy.xmly.xml /e/e

View a created templateView a created templateScwcmdScwcmd view /x:<hostname>.xmlview /x:<hostname>.xml

Demo!Demo!

Likely Issues: SCWLikely Issues: SCWTroubleshootingTroubleshooting

FirewallFirewallnetstatnetstat ––anoanoTask Manager to show Task Manager to show PIDPID’’ssNetshNetsh firewall show firewall show allowedprogramallowedprogramWatch for security event log errors!Watch for security event log errors!Notes:Notes:

SCW will override existing WF settingsSCW will override existing WF settingsRRAS can break if WF policy appliedRRAS can break if WF policy appliedApps must be installed exactly the same on all Apps must be installed exactly the same on all machinesmachines

Demo!Demo!

Likely Issues: SCWLikely Issues: SCWTroubleshootingTroubleshooting

Default Service StatesDefault Service StatesSCW SCW ““knowsknows”” the best the best practisepractise for a for a serviceserviceSome apps may need a different Some apps may need a different behaviourbehaviourResult: a service may be changed Result: a service may be changed unexpectedlyunexpectedly

Likely Issues: SCWLikely Issues: SCWTroubleshootingTroubleshooting

IPSECIPSECWill not define a reciprocal ruleWill not define a reciprocal rule

Service ConfigurationService ConfigurationExplicit DisablesExplicit DisablesThirdThird--party apps not in party apps not in configconfig databasedatabase

DCOM Calls/CallbacksDCOM Calls/CallbacksAnonymous COM disabledAnonymous COM disabledNeed to explicitly allow if neededNeed to explicitly allow if neededSet appropriate Firewall exceptions for the Set appropriate Firewall exceptions for the appappBeforeBefore you do it: Realize the riskyou do it: Realize the risk

Likely Issues: SCWLikely Issues: SCWTroubleshootingTroubleshooting

IIS 6.0IIS 6.0SCW created GPO Objects cannot manage SCW created GPO Objects cannot manage IISIISNo role for FPSENo role for FPSE

SCW disables indexing serviceSCW disables indexing serviceSCW will disable a site based on a UNC pathSCW will disable a site based on a UNC path

Can enforce anonymous writes Can enforce anonymous writes –– can can break apps!break apps!

If you need anonymous writes If you need anonymous writes –– do it manuallydo it manuallyProject ServerProject Server

Must tell SCW to leave MSADC directory aloneMust tell SCW to leave MSADC directory alone

Where does SCE fit?Where does SCE fit?SCW works with SCESCW works with SCE……with caveats!with caveats!

SCE templates had a higher tendency to SCE templates had a higher tendency to break stuff (often custom)break stuff (often custom)SCW has inbuilt knowledge to prevent SCW has inbuilt knowledge to prevent potential problemspotential problemsWindows Server 2003 Security Guide had Windows Server 2003 Security Guide had good onesgood onesTroubleshooting:Troubleshooting:

Rollbacks must be generated beforehandRollbacks must be generated beforehandSeceditSecedit //generaterollbackgeneraterollbackWill not contain file system, registry Will not contain file system, registry permissions or audit settingspermissions or audit settingsApply a bit at a time and reApply a bit at a time and re--testtestUse Virtual PC with Undo DisksUse Virtual PC with Undo Disks

SCW: Other IssuesSCW: Other IssuesSome Services appear as Some Services appear as ““AdditionalAdditional””

Legacy services Legacy services arentarent coveredcoveredUpload Manager Service: Now not usedUpload Manager Service: Now not used

Exchange isn't included?Exchange isn't included?Only if not in default locationOnly if not in default location

GPO ConversionGPO ConversionPer interface settings donPer interface settings don’’t convertt convert

ThirdThird--Party Known IssuesParty Known IssuesApplication

Issue Workaround (if any)

CommVault Galaxy Security policy created with SCW default settings prevents communication with the client agents and prevents backup jobs from processing on client systems. It will also prevent any new clients from connecting during installation, thus preventing them from validating licensing and completing configuration.

The CommVault services must be included in the allow-list in the WF policy.

Domino Server 6.5 Lotus Notes Clients are unable to connect to the Domino mail server.

You must include nlnotes.exe in the allow list for WF on the client and nserver.exe in the allow list for WF on the server.

Citrix MetaFrame XPe FR3 Citrix MetaFrame XPe FR3 ICA client is unable to connect to Metaframe Server.

You must specify port TCP 1494 in the allow list on WF.

ResourcesResourcesIPSEC Troubleshooting Guide (W2k3): http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_ipsectrouble.asp

IPSEC Troubleshooting Guide (W2k): http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/cnet/cndb_ips_wnkk.asp

SCW Website: http://www.microsoft.com/windowsserver2003/technologies/security/configwiz/default.mspx

SCW Troubleshooting Guide: http://go.microsoft.com/fwlink/?LinkId=43853

Threats and Countermeasures Guide: http://www.microsoft.com/technet/security/topics/serversecurity/tcg/tcgch00.mspx

We invite you to participate in ourWe invite you to participate in ouronline evaluationonline evaluation on CommNet,on CommNet,

accessible Friday onlyaccessible Friday onlyIf you choose to complete the evaluation online, If you choose to complete the evaluation online,

there isthere is no need to complete the paper evaluationno need to complete the paper evaluation

© 2005 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.