Windows Server SP1: Best Practises for Hardening and Lessons Learned
Michael Kleef, IT Pro Evangelist, Microsoft Corporation
SEC315

Agenda
- Best practises
- Terminal Services
- What breaks with Windows Server 2003 SP1?
- What tools are available to harden?
- What breaks when you do ☺
- What's not covered by the tools?
What's still manual?
- Application-level security
  - SQL, Exchange, SMS etc.: each has its own security guide
- Terminal Services
  - http://www.nsa.gov/snac/os/win2k/w2k_terminal_serv.pdf
- Host isolation (IPsec): see Steve Riley ☺
- Some IIS applications
- Parts of host hardening itself: TCP/IP protocol hardening
What's best practise? Administration
- Use organisational unit controls
  - Group Policy applied to "like" machines (same role, same policy)
  - Use tools to create policy (SCW, SCE)
- Understand the purpose of system services
  - Threats and Countermeasures Guide
  - Windows Server 2003 Security Guide
  - Be aware of application dependencies
  - Threat modelling
- Use smartcards for administrative tasks
  - Interactive logon
  - Smartcard logon through Terminal Services works (with WS2003)
- Use process and change control!!
- Audit!!
What's best practise? Application Configuration
- Always opt for higher security
  - Terminal Services compat mode, RRAS compat mode: turn them off unless something needs them
  - NTLMv2 over LANMan
  - Other apps: always choose the stronger protocol
- If possible run a single app on a single server
  - Don't install stuff that you don't need
  - Question: is a virus/spyware scanner needed on a SQL Server? Extra agents, services and tools mean extra patching work and extra attack surface
- Watch out for apps that require high privilege
  - Evaluate their security requirements thoroughly before deployment
- Only enable the services and permissions that you need
  - Be aware of service dependency issues
  - Enable least privilege
What's best practise? Limit Access
- Isolate hosts using IPsec
- Roles: limit access to the box
  - Service admins
  - Data admins
- Physically limit access to the room
TCP/IP: Denial of Service Mitigation
- SynAttackProtect (default = 0); thresholds that tune it:
  - TcpMaxHalfOpen
  - TcpMaxHalfOpenRetried
  - TcpMaxPortsExhausted
- NoNameReleaseOnDemand (NetBT): default = 0, recommended = 1
- KeepAliveTime: default = 2 hours, recommended = 5 minutes
- EnableICMPRedirect (the registry value name is singular): recommended = 0
- Note: mitigation doesn't mean no attack; it limits what an attacker can exhaust
- DNS TTL
- http://support.microsoft.com/default.aspx?scid=kb;en-us;324270
TCP/IP: Denial of Service Mitigation (continued)
- The two to ignore are:
  - EnablePMTUDiscovery: leaving it on is the right choice; disabling it forces a 576-byte MTU for every destination outside the local subnet and costs throughput for no security gain
  - EnableDeadGWDetect: disabling it only removes failover to a backup gateway
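The slide lists the registry values but not where they live or how to check them. The script below is an added example, not from the SEC315 deck: it audits the TCP/IP and NetBT values under HKLM\SYSTEM\CurrentControlSet\Services and, with -Apply, sets the four the slides give a recommended value for. The three SYN-flood thresholds are reported only, because the right numbers depend on the server role and should be taken from KB 324270. It assumes PowerShell is installed on the Windows Server 2003 SP1 box and runs as a local administrator.

```powershell
# Added example: audit (and optionally enforce) the DoS-hardening registry values
# from the SEC315 slides. Not the deck's own code. Assumes an elevated PowerShell
# session on Windows Server 2003 SP1.
param([switch]$Apply)

$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$netbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'

# Want = recommended value from the slides; $null = report the current value only
$settings = @(
    @{ Name='SynAttackProtect';      Key=$tcpip; Want=1;      Why='SYN flood: drop half-open connections early' },
    @{ Name='TcpMaxHalfOpen';        Key=$tcpip; Want=$null;  Why='half-open connections before SynAttackProtect engages (KB 324270)' },
    @{ Name='TcpMaxHalfOpenRetried'; Key=$tcpip; Want=$null;  Why='retried half-open connections before SynAttackProtect engages (KB 324270)' },
    @{ Name='TcpMaxPortsExhausted';  Key=$tcpip; Want=$null;  Why='refused connect requests before SynAttackProtect engages (KB 324270)' },
    @{ Name='KeepAliveTime';         Key=$tcpip; Want=300000; Why='idle-connection probe interval in ms; default 7200000 (2 hours)' },
    @{ Name='EnableICMPRedirect';    Key=$tcpip; Want=0;      Why='ignore ICMP redirects that could re-route traffic' },
    @{ Name='NoNameReleaseOnDemand'; Key=$netbt; Want=1;      Why='ignore NetBIOS name-release requests (name hijack)' }
)

foreach ($s in $settings) {
    $current = (Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    if ($current -eq $null) { $shown = '<not set: stack default>' } else { $shown = $current }

    if ($s.Want -eq $null) {
        Write-Host ("{0,-24} current={1,-24} (report only) {2}" -f $s.Name, $shown, $s.Why)
        continue
    }
    if ($current -eq $s.Want) {
        Write-Host ("{0,-24} current={1,-24} OK" -f $s.Name, $shown)
    } else {
        Write-Host ("{0,-24} current={1,-24} want={2}  {3}" -f $s.Name, $shown, $s.Want, $s.Why)
        if ($Apply) {
            # Every value above is a REG_DWORD; -Force creates or overwrites it
            New-ItemProperty -Path $s.Key -Name $s.Name -PropertyType DWord -Value $s.Want -Force | Out-Null
            Write-Host ("    set {0}={1}; the stack reads it at the next reboot" -f $s.Name, $s.Want)
        }
    }
}
```

Run it without -Apply first and keep the output as the "before" record for change control; then apply, reboot, and re-run to confirm. The script deliberately does not touch EnablePMTUDiscovery or EnableDeadGWDetect.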
Authentication Methods: Why choose the strongest?
- Choosing MS-CHAP?
  - CHAP and MS-CHAP (v1) are NOT secure
  - CHAP and MS-CHAP rely on a shared secret and authenticate only the client; MS-CHAPv1 can also fall back to a response derived from the weak LM hash
  - MS-CHAPv2 uses mutual authentication. It is still only as strong as the password, and has since been shown to reduce to a single DES key search, so wrap it in PEAP or use EAP-TLS where you can
- Choosing LANMan over NTLMv2 or Kerberos?
  - LANMan is NOT secure
  - LANMan relies on a shared secret, and its hash (password upper-cased, padded to 14 characters, split into two 7-character DES keys) is trivial to crack
- Reasons why you may opt otherwise
  - Compatibility etc.
  - Old clients, old implementations etc.
- Implications of bad choices
  - http://crimemachine.com/Tuts/Flash/pptp-vpn.html
Authentication Lockdown
Terminal Services

Terminal Services: Top Security Tips
- Never ever install Application Server mode on a DC
- Remove legacy NT 4.0 compat
  - Nottsid.inf (W2K)
  - NT 4.0 compat weakens security: it grants registry and system file access that ordinary users should not have
- Set RDP encryption to "High"
  - High forces 128-bit RC4 in both directions; the Windows Server 2003 default is "Client Compatible", which negotiates down to whatever the client supports
  - With High set, IPsec is unnecessary for confidentiality of the session. Note that RDP's own encryption does not let the client verify which server it is talking to; that is what the SP1 TLS option (next slide) adds
- Set a disconnected session timeout
- Disable wallpapers, clock, cursor flashing, virus animations... any other icon flashing etc.
  - Screen redraws take extra bandwidth
Terminal Services: Top Security Tips (continued)
- Windows Server 2003 SP1 makes TLS configurable on the RDP listener; require it for any Terminal Server reachable over the Internet!!
- If one app only, then deliver one app only!
- Environment settings
  - AppSec (W2K)
  - Software Restriction Policies
- Remote Control should include notification to the user
- Disable redirections you don't need
  - LPT, COM, drive, printer, clipboard etc.
- Use/Delete Temporary Folders: On!
- Active Desktop: Off!
- Watch file permissions on app installs
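Most of the tips on the two slides above map to values under the Terminal Server registry key, so they can be checked in one pass. The script below is an added example, not from the SEC315 deck: it reads the RDP-Tcp listener and server-wide settings and prints a finding for each tip that is still open. It is read-only, assumes PowerShell on a Windows Server 2003 SP1 box with local admin rights, and uses the documented value meanings noted in the comments (SecurityLayer only exists from SP1 onward).

```powershell
# Added example: check a Windows Server 2003 SP1 Terminal Server against the
# SEC315 "Top Security Tips". Not the deck's own code; read-only.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = "$ts\WinStations\RDP-Tcp"

function Get-RegValue($path, $name, $default) {
    # Return the value, or the documented default when it is not set
    $v = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    if ($v -eq $null) { return $default } else { return $v }
}

$findings = @()

# "Never ever install App Mode on a DC": TSAppCompat=1 is Application Server mode;
# Win32_ComputerSystem.DomainRole 4/5 is a backup/primary domain controller.
$role = (Get-WmiObject Win32_ComputerSystem).DomainRole
if ((Get-RegValue $ts 'TSAppCompat' 0) -eq 1 -and $role -ge 4) {
    $findings += 'Terminal Server is in Application Server mode on a domain controller'
}

# Encryption: 1=Low, 2=Client Compatible (2003 default), 3=High (128-bit RC4), 4=FIPS
if ((Get-RegValue $rdp 'MinEncryptionLevel' 2) -lt 3) {
    $findings += 'RDP-Tcp encryption level is below High; set High or FIPS'
}

# SP1 only. SecurityLayer: 0=RDP security, 1=negotiate, 2=TLS. Only TLS lets the
# client verify the server identity, which RDP encryption alone does not.
if ((Get-RegValue $rdp 'SecurityLayer' 0) -ne 2) {
    $findings += 'SecurityLayer is not TLS; required for a server reachable from the Internet'
}

# Disconnected-session timeout, milliseconds; 0 means never
if ((Get-RegValue $rdp 'MaxDisconnectionTime' 0) -eq 0) {
    $findings += 'no disconnected-session timeout (MaxDisconnectionTime=0)'
}

# Redirections the deck says to turn off unless needed (1 = disabled)
$redirs = @{ fDisableCdm='drive'; fDisableClip='clipboard'; fDisableLPT='LPT'; fDisableCcm='COM'; fDisableCpm='printer' }
foreach ($name in $redirs.Keys) {
    if ((Get-RegValue $rdp $name 0) -ne 1) { $findings += "$($redirs[$name]) redirection is still enabled ($name)" }
}

# Remote control: Shadow 1=input with notification, 2=input without, 3=view with, 4=view without
$shadow = Get-RegValue $rdp 'Shadow' 1
if ($shadow -eq 2 -or $shadow -eq 4) { $findings += "remote control works without user notification (Shadow=$shadow)" }

# Temporary folders: per-session and deleted on exit are server-wide settings (default on)
if ((Get-RegValue $ts 'fPerSessionTempDir' 1) -ne 1)    { $findings += 'per-session temporary folders are off' }
if ((Get-RegValue $ts 'fDeleteTempDirsOnExit' 1) -ne 1) { $findings += 'temporary folders are not deleted on exit' }

if ($findings.Count -eq 0) { 'No findings' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Settings pushed by Group Policy land under the Policies hive rather than the keys read here, so on a policy-managed server compare the output with the applied GPO as well; the RDP-Tcp values still show what the listener is actually doing when no policy overrides them.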
Service Pack 1 Issues

What breaks with SP1?
- Includes all the Windows XP SP2 lockdown
  - DCOM lockdown present
  - Windows Firewall
- Lots of apps are known to work: see the KB article below
- A few break, including Microsoft ones! Fixes exist for many:
  - NetIQ AppManager 5.0.1
  - Microsoft Exchange Server 2003
  - Microsoft Internet Security and Acceleration (ISA) Server 2004 Standard Edition
- Known app compatibility list: http://support.microsoft.com/kb/896367
- Terminal Server / DC replication: http://support.microsoft.com/?id=898060
- RPC-based issues: http://support.microsoft.com/kb/899148/
- Other known ones: http://blogs.technet.com/mkleef/archive/2005/05/10/404699.aspx
- Up-to-date information: http://support.microsoft.com/ph/3198
Tools available
- Policy tools
  - Security Configuration Wizard (SCW)
  - Security Configuration Editor (SCE)
  - Security Configuration and Analysis snap-in
- Guides
  - Windows Server 2003 Security Guide templates and scripts
  - Threats and Countermeasures Guide
- Scan tools
  - MBSA 2.0
  - SuperScan
  - GFI LANguard Network Security Scanner
Security Configuration Wizard

What does SCW lock down?
- Services (database defined)
- Ports
  - Restrictions on the ports exposed
- IIS
- Protocol restrictions
- Auditing and registry settings

SCW lockdown
- Create a policy file for later use
Likely issues: SCW known issues
- GPOs overriding SCW settings
- Firewall issues
- Service configuration
- DCOM
- IIS
- Results missing from remote analysis
- Policy rollbacks
  - Rollback only works for a policy that SCW applied successfully
Likely issues: SCW troubleshooting
- Policy/registry overrides
- Analyze a machine for compliance:
  scwcmd analyze /p:c:\windows\security\msscw\policies\MyPolicy.xml /e
- View a created template:
  scwcmd view /x:<hostname>.xml
- Demo!
Likely issues: SCW troubleshooting
- Firewall
  - netstat -ano
  - Task Manager to show PIDs
  - netsh firewall show allowedprogram
  - Watch for security event log errors!
- Notes:
  - SCW will override existing Windows Firewall settings
  - RRAS can break if a WF policy is applied
  - Apps must be installed exactly the same on all machines
- Demo!
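The slide's manual routine (netstat -ano, Task Manager, netsh) is the right one; the script below is an added example, not from the SEC315 deck, that does the correlation in one pass: every listening socket, the process that owns it, and whether Windows Firewall allows it either by program or by port. It assumes PowerShell on a Windows Server 2003 SP1 box and that the text layout of `netsh firewall show allowedprogram` and `netsh firewall show portopening` matches the regexes in the comments (check one line of each by eye on the target build before trusting the result).

```powershell
# Added example: list listeners and whether Windows Firewall lets them through.
# Not the deck's own code. Assumes PowerShell on Windows Server 2003 SP1.

# PID -> image path (null for kernel-owned listeners such as PID 4)
$pidToPath = @{}
Get-WmiObject Win32_Process | ForEach-Object { $pidToPath[[int]$_.ProcessId] = $_.ExecutablePath }

# Listening TCP sockets and all bound UDP sockets from netstat -ano:
#   TCP  0.0.0.0:135  0.0.0.0:0  LISTENING  812
#   UDP  0.0.0.0:445  *:*        4
$listeners = @()
netstat -ano | ForEach-Object {
    $f = $_.Trim() -split '\s+'
    if ($f[0] -eq 'TCP' -and $f[3] -eq 'LISTENING') {
        $listeners += @{ Proto='TCP'; Port=[int]($f[1].Split(':')[-1]); ProcId=[int]$f[4] }
    } elseif ($f[0] -eq 'UDP') {
        $listeners += @{ Proto='UDP'; Port=[int]($f[1].Split(':')[-1]); ProcId=[int]$f[3] }
    }
}

# Enabled program exceptions: lines starting "Enable" that carry a .exe path
$allowedPaths = @()
netsh firewall show allowedprogram | ForEach-Object {
    if ($_ -match '^\s*Enable' -and $_ -match '([A-Za-z]:\\[^\r\n]*?\.exe)') { $allowedPaths += $matches[1].ToLower() }
}
# Enabled port exceptions: "<port> <TCP|UDP> Enable <name>"
$allowedPorts = @()
netsh firewall show portopening | ForEach-Object {
    if ($_ -match '\bEnable\b' -and $_ -match '\b(\d+)\s+(TCP|UDP)\b') { $allowedPorts += "$($matches[2])/$($matches[1])" }
}

# A listener that is neither an allowed program nor an opened port is dropped
# silently by the firewall: the usual "it worked before SCW" symptom.
foreach ($l in $listeners) {
    $path = $pidToPath[$l.ProcId]
    $byProgram = ($path -ne $null) -and ($allowedPaths -contains $path.ToLower())
    $byPort    = $allowedPorts -contains "$($l.Proto)/$($l.Port)"
    if ($byProgram -or $byPort) { $state = 'allowed' } else { $state = 'BLOCKED' }
    "{0,-4} {1,-6} pid {2,-6} {3,-8} {4}" -f $l.Proto, $l.Port, $l.ProcId, $state, $path
}
```

Run it once on a reference build before applying the SCW policy and once after; the lines that flip to BLOCKED are the exceptions the policy needs, and each one is a decision to make consciously rather than an excuse to switch the firewall off.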
Likely issues: SCW troubleshooting
- Default service states
  - SCW "knows" the best practise for a service
  - Some apps may need a different behaviour
  - Result: a service may be changed unexpectedly
Likely issues: SCW troubleshooting
- IPsec
  - SCW will not define a reciprocal rule
- Service configuration
  - Explicit disables
  - Third-party apps not in the configuration database
- DCOM calls/callbacks
  - Anonymous COM is disabled
  - Need to explicitly allow it if needed
  - Set appropriate firewall exceptions for the app
  - Before you do it: realise the risk
Likely issues: SCW troubleshooting
- IIS 6.0
  - SCW-created GPOs cannot manage IIS
  - No role for FrontPage Server Extensions (FPSE)
  - SCW disables the Indexing Service
  - SCW will disable a site whose content is on a UNC path
  - SCW can block anonymous writes to web content, which can break apps!
    - If an app needs anonymous writes, configure that manually
  - Project Server: must tell SCW to leave the MSADC directory alone
Where does SCE fit?
- SCW works with SCE... with caveats!
- SCE templates had a higher tendency to break stuff (often custom apps)
- SCW has inbuilt knowledge to prevent potential problems
- Windows Server 2003 Security Guide had good templates
- Troubleshooting:
  - Rollbacks must be generated beforehand: secedit /generaterollback
  - The rollback will not contain file system or registry permissions, or audit settings
  - Apply a bit at a time and re-test
  - Use Virtual PC with Undo Disks
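The slide's sequence (rollback first, apply, test, undo) is easy to get out of order under pressure, and the caveat about what the rollback misses is easy to forget. The script below is an added example, not from the SEC315 deck: it generates the rollback, compares the [Section] names in the rollback template with those in the source template so the uncovered areas are visible before anything is applied, applies the template through a fresh database, and prints the undo command. It assumes PowerShell, an elevated session, the Windows Server 2003 secedit syntax (later versions also take a /db parameter on /generaterollback), and a template path you supply; the paths under C:\Hardening are placeholders.

```powershell
# Added example: apply an SCE template with a rollback prepared first and a
# report of what the rollback cannot undo. Not the deck's own code.
param([string]$Template = 'C:\Hardening\MemberServer.inf',   # placeholder path
      [string]$WorkDir  = 'C:\Hardening\work')               # placeholder path

function Get-InfSections($file) {
    # [Section] names in a security template, e.g. Registry Values, File Security
    Get-Content $file | ForEach-Object { if ($_ -match '^\s*\[(.+?)\]') { $matches[1] } }
}

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$rollback    = Join-Path $WorkDir 'rollback.inf'
$rollbackLog = Join-Path $WorkDir 'rollback.log'
$applyDb     = Join-Path $WorkDir 'apply.sdb'
$applyLog    = Join-Path $WorkDir 'apply.log'
$undoDb      = Join-Path $WorkDir 'rollback.sdb'
$undoLog     = Join-Path $WorkDir 'undo.log'

# 1. Rollback template BEFORE configuring: secedit records the current value of
#    every setting the template touches, so it must run while they are still current.
secedit /generaterollback /cfg $Template /rbk $rollback /log $rollbackLog /quiet
if (-not (Test-Path $rollback)) { throw "rollback generation failed, see $rollbackLog" }

# 2. Sections in the template with no counterpart in the rollback. ACLs ([File Security],
#    [Registry Keys]) and audit policy ([Event Audit]) are never captured; an undo disk
#    or a manual snapshot is the only way back for those.
$want = @(Get-InfSections $Template)
$have = @(Get-InfSections $rollback)
foreach ($s in $want) {
    if ($have -notcontains $s) { Write-Warning "rollback.inf does not cover [$s]; snapshot it by other means" }
}

# 3. Apply through a fresh database (/overwrite) so nothing merges with stale settings
secedit /configure /db $applyDb /cfg $Template /overwrite /log $applyLog /quiet

# 4. The command to run if testing shows a breakage
"To undo: secedit /configure /db $undoDb /cfg $rollback /overwrite /log $undoLog"
```

Apply one area at a time (secedit's /areas switch) when hunting for which part of a template breaks an app; the warnings from step 2 tell you which areas the undo command will not reverse, so those are the ones to test on a Virtual PC undo disk first.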
SCW: Other issues
- Some services appear as "Additional"
- Legacy services aren't covered
  - Upload Manager Service: now not used
- Exchange isn't detected? SCW only finds it in the default install location
- GPO conversion
  - Per-interface settings don't convert
Third-Party Known Issues

Application: CommVault Galaxy
Issue: A security policy created with SCW default settings prevents communication with the client agents and prevents backup jobs from processing on client systems. It also prevents new clients from connecting during installation, so they cannot validate licensing and complete configuration.
Workaround: Add the CommVault services to the allow list in the Windows Firewall policy.

Application: Domino Server 6.5
Issue: Lotus Notes clients are unable to connect to the Domino mail server.
Workaround: Add nlnotes.exe to the Windows Firewall allow list on the client and nserver.exe to the allow list on the server.

Application: Citrix MetaFrame XPe FR3
Issue: The ICA client is unable to connect to the MetaFrame server.
Workaround: Allow port TCP 1494 in the Windows Firewall allow list.
Resources
IPSEC Troubleshooting Guide (W2k3): http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_ipsectrouble.asp
IPSEC Troubleshooting Guide (W2k): http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/cnet/cndb_ips_wnkk.asp
SCW Website: http://www.microsoft.com/windowsserver2003/technologies/security/configwiz/default.mspx
SCW Troubleshooting Guide: http://go.microsoft.com/fwlink/?LinkId=43853
Threats and Countermeasures Guide: http://www.microsoft.com/technet/security/topics/serversecurity/tcg/tcgch00.mspx
© 2005 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.