Presentation is loading. Please wait.

Presentation is loading. Please wait.

Securing Windows Internet Servers 23.org / Covert Systems Jon Miller Senior Security Engineer Covert Systems, Inc.

Published byOscar Harrison Modified over 8 years ago

Similar presentations

Presentation on theme: "Securing Windows Internet Servers 23.org / Covert Systems Jon Miller Senior Security Engineer Covert Systems, Inc."— Presentation transcript:

1

2 Securing Windows Internet Servers 23.org / Covert Systems jon.miller@covertsystems.net Jon Miller Senior Security Engineer Covert Systems, Inc.

3 A lways try to use a fresh install and migrate existing data over M ake sure to convert to NTFS D efault Security Settings are not applied You must apply them manually using MMC Upgrading? Installation

4 Service Packs A lways check windows update and TechNet to make sure you have the most current patches and SPs HFNETCHK Installation

5 NTFS or FAT File Systems

6 A lways decide what services you require prior to installation N ow is the time to decide what form of remote administration software, if any you will use… Terminal Server Vshell SSH & SFTP (www.vandyke.com)www.vandyke.com Services N ever install superfluous services

7 COMPAQ INSTALLATION = Services

8 TCP/IP should be the only protocol Use TCP/IP Filtering (and IPSec when applicable) Nmap the server to make sure you don’t have any surprise ports open If it is an IIS box it can NEVER be on a domain Use second Ethernet card for remote admin and have only the “Internet Service” on the primary interface Network Configuration

9 Customize your own security template and use it Establish standards within your template that apply to all servers from “PDCs” to desktops Using the MMC

10 Password Complexity / Length Event Log Access Always remember passwords so they cannot be reused Define Permissions for Services Rename Administrator Account Security Configuration

11 Delete or rename files that may be used against you in the event of an attack Create partitions or move directory structure to protect against directory transversal Do you really use MS TFTP? Remove OWA Do you really want an IIS server running on your companies Mail server? Rename CMD.exe Microsoft Security Alerts microsoft.com/technet/security/notify.asp microsoft.com/technet/security/notify.asp Common Sense

12 IIS 4 / 5 Try to run only base services The services below are the only services required to run a functional IIS server: –Event Log –License Logging Service –Windows NTLM Security Support Provider –Remote Procedure Call (RPC) Service –Windows NT Server or Windows NT Workstation –IIS Admin Service –MSDTC –World Wide Web Publishing Service –Protected Storage

13 Stuff to Remove C:\inetpub - sample files c:\inetpub\iissamples c:\inetpub\iissamples\sdk c:\inetpub\AdminScripts c:\Program Files\Common Files\System\msadc\Samples * HTW Mapping IISADMPWD RDS (Remote Data Services)

14 Parent Paths? (Disallows “..” *be careful*) Web server | Properties | Home Directory | Configuration | App Options Stuff to Remove Script Mappings (.htr.idc.stm.shtml.shtm.printer.ida.idq.hta ) Web server | Properties | Master Properties | WWW Service | Edit | Home Directory | Configuration

15 Misc. Restrict Anonymous HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA Name: RestrictAnonymous Type: REG_DWORD Value: 1.

16 Permissions Set Your ACL's (next page) Make sure that the IIS log files are not publicly readable winnt\system32\LogFiles

17 Everyone (X) Permissions CGI’s - (.exe,.dll,.cmd,.pl) Administrators (Full Control) System (Full Control)

18 Everyone (X) Script Files - (.asp) Administrators (Full Control) System (Full Control) Permissions

19 Everyone (X) Include Files - (.inc,.shtm,.shtml) Administrators (Full Control) System (Full Control) Permissions

20 Everyone (R) Static Content - (.txt,.gif,.jpg,.html) Administrators (Full Control) System (Full Control)

21 Exchange is one of the few servers that does outgoing mail authentication well Take advantage of that and don’t have an open relay (5.5) Anti-Virus Use Encrypted File System (EFS) to protect data Exchange Internet Mail Connector Limit your outgoing size Relaying from DMZ server to Exchange Use sendmail to relay all mail to an internal exchange server Or with another copy of Exchange: install Exchange, add the Internet Mail Connector, and add it to your existing site. No mailboxes or folders are required

22 Exchange Setup Exchange Administrators (2000) Not All Admins are Full Admins Exchange Administrator Exchange Full Administrator Exchange View Only Administrator Security Page HKCU\Software\Microsoft\Exchange\ExAdmin Value: ShowSecurityPage Date: 1 (REG_DWORD) Tracking Logs Remove Everyone Read \Exchsrvr\%COMPUTERNAME%.log

23 Outlook Web Access Lock Down IIS Use SSL Front End / Back End Mode http://www.microsoft.com/Exchange/techinfo/deployment/2000/E2KFrontBack.asp

24 Exchange Diagram

25 Tools URL Scan (Microsoft) Baseline Security Analyzer (Microsoft) IIS Lockdown (Microsoft) Secure IIS (Eeye) Tripwire for NT (Tripwire) Anti-Virus (Symantec, McAfee) http://www.23.org/~humperdink/ Hire a Security Company

26 Q & A Y’all ask me stuff jon.miller@covertsystems.net http://www.23.org/~humperdink/ http://www.covertsystems.net

Download ppt "Securing Windows Internet Servers 23.org / Covert Systems Jon Miller Senior Security Engineer Covert Systems, Inc."

Similar presentations

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Windows 2003 Server. Windows 2003 Server Contents Fitur Windows 2003 Server Installation And Configuration Windows Management Resource  User Management.

Windows 2003 Server. Windows 2003 Server Contents Fitur Windows 2003 Server Installation And Configuration Windows Management Resource  User Management.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 13: Administering Web Resources.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 13: Administering Web Resources.
11 CONFIGURING AND MANAGING SHARED FOLDER SECURITY Chapter 8.

11 CONFIGURING AND MANAGING SHARED FOLDER SECURITY Chapter 8.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 13: Administering Web Resources.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 13: Administering Web Resources.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.

Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 14: Windows Server 2003 Security Features.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 14: Windows Server 2003 Security Features.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 14: Windows Server 2003 Security Features.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 14: Windows Server 2003 Security Features.
Exchange server 2003. Mail system Four components Mail user agent (MUA) to read and compose mail Mail transport agent (MTA) route messages Delivery agent.

Exchange server Mail system Four components Mail user agent (MUA) to read and compose mail Mail transport agent (MTA) route messages Delivery agent.
Hands-On Microsoft Windows Server 2003 Administration Chapter 7 Administering Web Resources in Windows Server 2003.

Hands-On Microsoft Windows Server 2003 Administration Chapter 7 Administering Web Resources in Windows Server 2003.
Introduction To Windows NT ® Server And Internet Information Server.

Introduction To Windows NT ® Server And Internet Information Server.
Chapter 6: Configuring Security. Group Policy and LGPO Setting Options Software Installation not available with LGPOs Remote Installation Services Scripts.

Chapter 6: Configuring Security. Group Policy and LGPO Setting Options Software Installation not available with LGPOs Remote Installation Services Scripts.
Hands-On Microsoft Windows Server 2003 Chapter 2 Installing Windows Server 2003, Standard Edition.

Hands-On Microsoft Windows Server 2003 Chapter 2 Installing Windows Server 2003, Standard Edition.
Module 6 Windows 2000 Professional 6.1 Installation 6.2 Administration/User Interface 6.3 User Accounts 6.4 Managing the File System 6.5 Services.

Module 6 Windows 2000 Professional 6.1 Installation 6.2 Administration/User Interface 6.3 User Accounts 6.4 Managing the File System 6.5 Services.
1 Module 2 Installing Windows NT. 2  Overview Preparing for Installation Installing Windows NT Performing a Server-based Installation Troubleshooting.

1 Module 2 Installing Windows NT. 2  Overview Preparing for Installation Installing Windows NT Performing a Server-based Installation Troubleshooting.
Guide to MCSE 70-290, Enhanced 1 Activity 10-1: Restarting Windows Server 2003 Objective: to restart Windows Server 2003 Start  Shut Down  Restart Configure.

Guide to MCSE , Enhanced 1 Activity 10-1: Restarting Windows Server 2003 Objective: to restart Windows Server 2003 Start  Shut Down  Restart Configure.
11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW Create and manage file system shares and work with.

11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW Create and manage file system shares and work with.

Similar presentations

Ads by Google