Windows Server SP1: Best Practises for Hardening and Lessons Learned
Michael Kleef, IT Pro Evangelist, Microsoft Corporation
SEC315
Agenda
- Best practises
- Terminal Services
- What breaks with Windows Server 2003 SP1?
- What tools are available to harden?
- What breaks when you do
- What's not covered by the tools?
What's still manual?
- Application level security: SQL, Exchange, SMS etc. Each has its own security guide
- Terminal Services: http://www.nsa.gov/snac/os/win2k/w2k_terminal_serv.pdf
- Host isolation (IPSEC): see Steve Riley
- Some IIS applications
- Parts of host hardening itself: TCP/IP protocol hardening
What's best practise? Administration
- Use organisational unit controls; Group Policy "like" machines
- Use tools to create policy (SCW, SCE)
- Understand the purpose of system services: Threats and Countermeasures Guide, Windows Server 2003 Security Guide
- Be aware of app dependencies: threat modelling
- Use smartcards for administrative tasks: interactive logon; Terminal Services works! (with WS2003)
- Use process and change control!!
- Audit!!
What's best practise? Application Configuration
- Always opt for higher security: Terminal Services compat, RRAS compat, NTLMv2 over LANMan, other apps
- Always choose stronger protocols
- If possible run a single app on a single server
- Don't install stuff that you don't need
  - Qtn: Is a virus/spyware scanner needed on a SQL Server?
  - Extra agents/services/tools: think of the extra patching work
- Watch out for apps that require high privilege
- Evaluate security requirements thoroughly
- Only enable services and permissions that you need
- Be aware of service dependency issues
- Enable least privilege
What's best practise? Limit Access
- Isolate hosts using IPsec
- Roles: limit access to the box (Service Admins, Data Admins)
- Physically limit access to the room
TCP/IP Denial of Service Mitigation
- SynAttackProtect (default = 0)
- TcpMaxHalfOpen
- TcpMaxHalfOpenRetried
- TcpMaxPortsExhausted
- NoNameReleaseOnDemand: default = 0, recommended = 1
- KeepAliveTime: default = 2 hours, recommended = 5 minutes
- EnableICMPRedirects
- Note: mitigation doesn't mean no attack
- DNS TTL
- http://support.microsoft.com/default.aspx?scid=kb;en-us;324270
TCP/IP Denial of Service Mitigation
- The two to ignore are: EnablePMTUDiscovery, EnableDeadGWDetect
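An added example, not from the deck: a PowerShell audit of the registry values the two slides above name, flagging the ones whose recommended value the slides state and only reporting the rest. It assumes PowerShell on the server being audited with read access to HKLM; the values marked "guide" are my assumption from the Threats and Countermeasures Guide, not from the slides.

```powershell
# Added example (not from the deck): report the TCP/IP DoS-mitigation values and flag deviations.
# Assumes PowerShell with read access to HKLM on the server being audited.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$netbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'   # NoNameReleaseOnDemand lives here

# Want = $null means "report only": the slides give no recommended number for it.
$checks = @(
    @{ Name = 'SynAttackProtect';      Path = $tcpip; Want = 1;      Note = 'slide: default 0; guide: 1 (assumption)' },
    @{ Name = 'TcpMaxHalfOpen';        Path = $tcpip; Want = $null;  Note = 'report only' },
    @{ Name = 'TcpMaxHalfOpenRetried'; Path = $tcpip; Want = $null;  Note = 'report only' },
    @{ Name = 'TcpMaxPortsExhausted';  Path = $tcpip; Want = $null;  Note = 'report only' },
    @{ Name = 'NoNameReleaseOnDemand'; Path = $netbt; Want = 1;      Note = 'slide: default 0, recommended 1' },
    @{ Name = 'KeepAliveTime';         Path = $tcpip; Want = 300000; Note = 'ms; slide: 2 h default, 5 min recommended' },
    @{ Name = 'EnableICMPRedirects';   Path = $tcpip; Want = 0;      Note = 'guide: 0 (assumption)' },
    @{ Name = 'EnablePMTUDiscovery';   Path = $tcpip; Want = $null;  Note = 'slide: ignore, leave default' },
    @{ Name = 'EnableDeadGWDetect';    Path = $tcpip; Want = $null;  Note = 'slide: ignore, leave default' }
)

# Returns the value, or $null when the key or the value does not exist (built-in default applies).
function Get-RegValueOrNull([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item -and ($item.PSObject.Properties.Name -contains $Name)) { return $item.$Name }
    return $null
}

foreach ($c in $checks) {
    $current = Get-RegValueOrNull $c.Path $c.Name
    if ($null -eq $current)       { $status = 'NOT SET (built-in default applies)' }
    elseif ($null -eq $c.Want)    { $status = 'reported only' }
    elseif ($current -eq $c.Want) { $status = 'OK' }
    else                          { $status = 'DIFFERS from recommended' }
    '{0,-22} current={1,-8} recommended={2,-7} {3}  [{4}]' -f $c.Name, $current, $c.Want, $status, $c.Note
}
```

A value reported as NOT SET is not necessarily safe: it means the built-in default of that Windows version applies, which for KeepAliveTime is the 2-hour default the slide warns about.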
Authentication Methods: Why choose strongest?
- Choosing MS-CHAP? CHAP and MS-CHAP are NOT secure
  - MS-CHAPv2 uses mutual auth
  - CHAP and MS-CHAP use a shared secret
- Choosing LANMan over NTLMv2 or Kerberos? LANMan is NOT secure
  - LANMan uses a shared secret
- Reasons why you may opt otherwise: compatibility etc. (old clients, old implementations etc.)
- Implications of bad choices: http://crimemachine.com/Tuts/Flash/pptp-vpn.html
Terminal Services Top Security Tips
- Never ever install App Mode on a DC
- Remove legacy NT 4.0 compat (Notssid.inf on W2K): NT 4.0 compat weakens security and allows registry/system file access
- Default RDP encryption is "High": it sets 128-bit RC4 encryption, so IPSEC is unnecessary too
- Set a disconnected session timeout
- Disable wallpapers, clock, cursor flashing, virus animations, any other icon flashing etc.: screen redraws take extra bandwidth
Terminal Services Top Security Tips
- In Server 2003 SP1 TLS is configurable and required for TS over the Internet!!
- If one app only, then deliver one app only! Environment settings, AppSec (W2K), Software Restriction Policies
- Remote Control should include notification
- Disable redirections not needed: LPT, COM, drive, printer, clipboard etc.
- Use/Delete Temporary Folders: On!
- Active Desktop: Off!
- Watch file permissions on app installs
What breaks with SP1?
- Includes all the Windows XP SP2 lockdown: DCOM lockdown present, Windows Firewall
- Lots of apps are known to work; see the KB article below
- A few break, incl. MSFT ones! Fixes for many: NetIQ AppManager 5.0.1, Microsoft Exchange Server 2003, Microsoft Internet Security and Acceleration (ISA) Server 2004 Standard Edition
- Known app compatibility list: http://support.microsoft.com/kb/896367
- Terminal Server/DC replication: http://support.microsoft.com/?id=898060
- RPC based issues: http://support.microsoft.com/kb/899148/
- Other known ones: http://blogs.technet.com/mkleef/archive/2005/05/10/404699.aspx
- Up to date information: http://support.microsoft.com/ph/3198
Tools available
- Policy tools: Security Configuration Wizard, Security Configuration Editor, Security Configuration and Analysis snap-in
- Guides: Windows Server 2003 Security Guide (templates and scripts), Threats and Countermeasures Guide
- Scan tools: MBSA 2.0, SuperScan, GFI LANguard Network Security Scanner
Likely issues: SCW Known Issues
- GPOs overriding SCW settings
- Firewall issues
- Service configuration
- DCOM
- IIS
- Results missing from remote analysis
- Policy rollbacks: only a successfully applied SCW policy can be rolled back
Likely Issues: SCW Troubleshooting Policy/Registry overrides
- Analyze a machine for compliance: scwcmd analyze /p:c:\windows\security\msscw\policies\MyPolicy.xml /e
- View a created template: scwcmd view /x:.xml
- Demo!
Likely Issues: SCW Troubleshooting Firewall
- netstat -ano
- Task Manager to show PIDs
- netsh firewall show allowedprogram
- Watch for security event log errors!
- Notes: SCW will override existing WF settings; RRAS can break if a WF policy is applied; apps must be installed exactly the same on all machines
- Demo!
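An added example, not from the deck: the netstat -ano / PID / netsh triage from this slide in one PowerShell pass. It maps each listening TCP port to its owning process and reports whether that executable appears in the legacy netsh firewall show allowedprogram output (the Server 2003 SP1 / XP SP2 firewall context); it assumes PowerShell 2.0 or later and local admin rights so process paths are readable.

```powershell
# Added example (not from the deck): listening TCP ports -> process -> in the WF allowed-program list?
# Port-based exceptions (netsh firewall show portopening) are not checked, so AllowedByProgram=False
# means "not allowed by program", not necessarily "blocked".
function Get-ListeningTcpPorts {
    netstat -ano | Where-Object { $_ -match '^\s*TCP\s+\S+\s+\S+\s+LISTENING\s+\d+\s*$' } | ForEach-Object {
        $f = $_.Trim() -split '\s+'             # Proto LocalAddress ForeignAddress State PID
        $p = Get-Process -Id ([int]$f[4]) -ErrorAction SilentlyContinue
        $path = $null
        if ($p) { try { $path = $p.Path } catch { } }   # System (PID 4) and protected processes: no readable path
        New-Object PSObject -Property @{
            LocalAddress = $f[1]
            PID          = [int]$f[4]
            Process      = $(if ($p) { $p.Name } else { '?' })
            Path         = $path
        }
    }
}

# True when the full executable path occurs in the netsh allowed-program listing (-match is case-insensitive).
function Test-InAllowedPrograms([string]$Path, [string]$AllowedText) {
    if (-not $Path) { return $false }
    return [bool]($AllowedText -match [regex]::Escape($Path))
}

$allowedText = (netsh firewall show allowedprogram | Out-String)

Get-ListeningTcpPorts | ForEach-Object {
    $_ | Add-Member -MemberType NoteProperty -Name AllowedByProgram `
                    -Value (Test-InAllowedPrograms $_.Path $allowedText) -PassThru
} | Sort-Object AllowedByProgram, LocalAddress |
    Format-Table LocalAddress, PID, Process, AllowedByProgram, Path -AutoSize
```

Rows with AllowedByProgram=False and a real application path are the ones to cross-check against the security event log errors the slide mentions before deciding whether the app needs an exception or should stay unreachable.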
Likely Issues: SCW Troubleshooting Default Service States
- SCW "knows" the best practise for a service
- Some apps may need a different behaviour
- Result: a service may be changed unexpectedly
Likely Issues: SCW Troubleshooting
- IPSEC: will not define a reciprocal rule
- Service configuration: explicit disables; third-party apps not in the config database
- DCOM calls/callbacks: anonymous COM disabled; need to explicitly allow if needed; set appropriate firewall exceptions for the app
- Before you do it: realize the risk
Likely Issues: SCW Troubleshooting IIS 6.0
- SCW-created GPO objects cannot manage IIS
- No role for FPSE
- SCW disables the Indexing Service
- SCW will disable a site based on a UNC path
- Can enforce anonymous writes, which can break apps! If you need anonymous writes, do it manually
- Project Server: must tell SCW to leave the MSADC directory alone
Where does SCE fit?
- SCW works with SCE... with caveats!
- SCE templates had a higher tendency to break stuff (often custom)
- SCW has inbuilt knowledge to prevent potential problems
- Windows Server 2003 Security Guide had good ones
- Troubleshooting: rollbacks must be generated beforehand (secedit /generaterollback); they will not contain file system, registry permissions or audit settings
- Apply a bit at a time and re-test
- Use Virtual PC with Undo Disks
SCW: Other Issues
- Some services appear as "Additional": legacy services aren't covered
- Upload Manager service: now not used
- Exchange isn't included? Only if not in the default location
- GPO conversion: per-interface settings don't convert
Third-Party Known Issues

Application: CommVault Galaxy
Issue: Security policy created with SCW default settings prevents communication with the client agents and prevents backup jobs from processing on client systems. It will also prevent any new clients from connecting during installation, thus preventing them from validating licensing and completing configuration.
Workaround: The CommVault services must be included in the allow-list in the WF policy.

Application: Domino Server 6.5
Issue: Lotus Notes clients are unable to connect to the Domino mail server.
Workaround: You must include nlnotes.exe in the allow list for WF on the client and nserver.exe in the allow list for WF on the server.

Application: Citrix MetaFrame XPe FR3
Issue: The Citrix MetaFrame XPe FR3 ICA client is unable to connect to the MetaFrame server.
Workaround: You must specify port TCP 1494 in the allow list on WF.
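An added example, not from the deck: applying the Domino and Citrix workarounds from the table with the legacy netsh firewall context, scoped to the client subnet rather than the default of all addresses, which is the "realize the risk" step from the SCW troubleshooting slide. The subnet and the nserver.exe install path are placeholders; it assumes PowerShell 2.0 or later run elevated on the server concerned.

```powershell
# Added example (not from the deck): scoped Windows Firewall exceptions for the table's workarounds.
$clientSubnet = '10.10.20.0/255.255.255.0'   # placeholder: subnet the Notes / ICA clients connect from

# Program exception: unsolicited inbound traffic is accepted only for this executable and,
# with scope=CUSTOM, only from the listed addresses. mode=ENABLE is needed for the rule to be active.
function Add-ScopedProgramException([string]$Program, [string]$Name, [string]$Addresses) {
    if (-not (Test-Path $Program)) { throw "Program not found: $Program (check the install path first)" }
    netsh firewall add allowedprogram "program=$Program" "name=$Name" mode=ENABLE `
        scope=CUSTOM "addresses=$Addresses" profile=ALL
}

# Port exception: opens one TCP/UDP port for any process, so the scope restriction matters even more here.
function Add-ScopedPortException([string]$Protocol, [int]$Port, [string]$Name, [string]$Addresses) {
    netsh firewall add portopening "protocol=$Protocol" "port=$Port" "name=$Name" mode=ENABLE `
        scope=CUSTOM "addresses=$Addresses" profile=ALL
}

# Domino server (second table row): server-side program exception. The client-side nlnotes.exe
# exception belongs in the clients' own WF policy, not here.
Add-ScopedProgramException -Program 'C:\Lotus\Domino\nserver.exe' -Name 'Domino nserver' -Addresses $clientSubnet  # placeholder path

# MetaFrame server (third table row): the ICA client connects to TCP 1494. Only the call that matches
# the server's role is needed; both are shown here for illustration.
Add-ScopedPortException -Protocol TCP -Port 1494 -Name 'Citrix ICA' -Addresses $clientSubnet

# Review the result: any entry whose scope shows as 'All' was not restricted and deserves a second look.
netsh firewall show allowedprogram
netsh firewall show portopening
```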
Your Feedback is Important!
- We invite you to participate in our online evaluation on CommNet, accessible Friday only
- If you choose to complete the evaluation online, there is no need to complete the paper evaluation