Published by Carlos Rivera
Modified over 2 years ago
Hardening Windows 2003 Web Servers
© Ezenta A/S

Agenda
- Physical Security
- OS Installation
- Account Policies
- Local Policies
- Services
- User Accounts
- IP Policies
- Permissions
- Hardening IIS
- Additional Hardening

General: Who should take this course
- System Consultants
- Security Consultants
- System Architects
- Anyone who is responsible for the configuration and/or the administration of a Windows 2003 environment

General: Strategy
- Creating a secure environment: secure current and/or new implementations of the Windows 2003 operating system.
- Maintaining a secure environment: stay on top of the security issues that are relevant to your installation. This is a proactive process!

General: Scope of this course
This course focuses on the secure configuration of a Windows 2003 server hosting Internet Information Services (IIS) version 6.0.

General: Prerequisites
- Experience with IT security
- Experience with MMC
- Experience deploying web applications in enterprise environments
- Some web application development knowledge will be useful but is not mandatory

General: What happens if I don't harden my web server?
- Most systems can be compromised within 72 hours
- Corporate humiliation
- You won't know whether your system has been, or is being, attacked
- Money wasted on repairs and downtime
- Company data and secrets could be stolen; some web sites are fed with data that comes from the same database as other internal systems
Hardening one step at a time
- Physical Security
- OS Installation
- Account Policies
- Local Policies
- Services
- User Accounts
- IP Policies
- Permissions
- Hardening IIS
- Additional Hardening
(Chart axis label: Number of Weaknesses)

Prerequisites
What? Install ALL necessary software and services before you begin, and make sure that they ALL work.
Why? If a piece of software or a service doesn't work afterwards, you need to know whether it broke because of the hardening or never worked before you started. Sorting that out wastes time.
Let's begin.
Physical Security

We assume that physical security is in place.
OS Installation

- No system upgrades. Why? Too many grey areas. ONLY clean installations.
- Two partitions (we shall be using one): 01 system files, 02 web applications.
- Strong administrative passwords: rainbow-table attacks make 8-character passwords trivial to break.
- Only install necessary components.
- Use a static IP instead of DHCP if possible (one less service).
- If there are multiple servers in the DMZ, consider making a DMZ domain from which critical servers will inherit their baseline GPOs.
Proof of concept scan

Windows 2003 v. Windows 2000
- Why bother using Windows 2003? More secure by default.
- Can Windows 2000 be as secure? Yes. It requires work.

We will use standard tools to inspect a default Windows 2003 installation.
Tools to use: Nmap, NStealth.
Scans to perform:
  nmap -sS -P0 -O -p
  nmap -sS -P0 -O -g 53 -p
  nmap -sT -P0 -O -p
  NStealth
Windows 2003 target: xx.xx.xx.xx
Local Security Settings

Policies: Local Security Settings

Policies: Account Policies
- Never use dictionary words.
- Never reuse old passwords by altering only one digit.
- Never choose passwords based on pets, habits, likes or dislikes.
- One must never be able to identify a password by looking at the things on your desk.
- Use upper- and lowercase letters with symbols and numbers.
- Choose passwords based on phrases: Th15 computr i5 protcted by a str0ng

Policies: Account Policies: Password Policy
  Enforce Password History:     24 passwords remembered
  Maximum Password Age:         42 days
  Minimum Password Age:         2 days
  Minimum Password Length:      14 characters
  Complexity requirements:      Enabled
  Use Reversible Encryption:    Disabled

Policies: Account Policies: Account Lockout Policy
  Account Lockout Duration:     15 minutes
  Account Lockout Threshold:    10 invalid attempts
  Reset Lockout Counter:        15 minutes
Services

What services does a web server need? Are you sure they are needed?
- YES: secure them
- NO: remove them
This is the hardest part to get right.

System Settings
Isn't there a quicker way to change system settings? Yes. Meet the Security Configuration and Analysis snap-in.

System Settings: Security Configuration and Analysis
1. Run mmc
2. File > Add/Remove Snap-in > Add
3. Select Security Configuration and Analysis > Add
4. Right-click Security Configuration and Analysis > Open Database
5. Choose a file name > Open
6. Navigate to High Security Baseline.inf > Open
7. Right-click Security Configuration and Analysis > Analyze Computer Now...
8. Save the log to your desktop
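The snap-in is the GUI front-end; the same settings can be exported to a template file from the command line (secedit /export /cfg current.inf) and audited there. The following Python check is an added example, not part of the slides: it reads the [System Access] section of such an export and flags every setting that deviates from the password and lockout policy values given in the Account Policies slides. The sample export text is constructed for the example, and the function and key names other than the secedit setting names are this example's own.

```python
import configparser

# Baseline from the Account Policies slides, keyed as secedit writes them in the
# [System Access] section of a template (.inf): ages in days, lockout in minutes.
BASELINE = {
    "PasswordHistorySize": 24,   # Enforce Password History: 24
    "MaximumPasswordAge": 42,    # days
    "MinimumPasswordAge": 2,     # days
    "MinimumPasswordLength": 14,
    "PasswordComplexity": 1,     # Complexity requirements: Enabled
    "ClearTextPassword": 0,      # Use Reversible Encryption: Disabled
    "LockoutDuration": 15,       # minutes
    "LockoutBadCount": 10,       # invalid attempts
    "ResetLockoutCount": 15,     # minutes
}

def _as_int(value):
    """secedit stores numbers as text and uses -1 for 'never', so allow a sign."""
    if value is None:
        return None
    v = value.strip()
    return int(v) if v.lstrip("-").isdigit() else v

def check_system_access(inf_text):
    """Return {key: (actual, expected)} for each baseline setting that is missing
    from [System Access] or differs from BASELINE; an empty dict means compliant."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the template's key spelling
    cp.read_string(inf_text)
    return {
        key: (actual, expected)
        for key, expected in BASELINE.items()
        if (actual := _as_int(cp.get("System Access", key, fallback=None))) != expected
    }

# Constructed sample shaped like `secedit /export /cfg current.inf` output from a
# fresh server (a real export is UTF-16: open(path, encoding="utf-16")).
SAMPLE_EXPORT = """[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
ClearTextPassword = 0
"""

if __name__ == "__main__":
    for key, (actual, expected) in sorted(check_system_access(SAMPLE_EXPORT).items()):
        print(f"{key}: found {actual!r}, baseline requires {expected}")
```

A lockout threshold of 0 means lockout is disabled, so LockoutDuration and ResetLockoutCount are absent from the export and are reported as missing.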
User Accounts

Securing well-known user accounts
- Rename all built-in accounts: Administrator, Guest.
- Why? Everyone knows the names of these two Windows accounts, so half of what a brute-force attack needs (the user name) is already common knowledge.
- The descriptions should also be altered.
- Assign strong passwords to these accounts: Th15 vry st0ng dont y0u th1nk?
- Disable the default guest accounts (if not already done by default).
IP Policies

Structure
IP filter advice: give your rules good names. Examples might look like this:
- Permit INBOUND HTTP(S)
- Permit OUTBOUND SSH
- Permit OUTBOUND DNS
- Permit OUTBOUND HTTP(S)
- Deny BIDIRECTIONAL ALL

Example scenario
A web server might look similar to this:
- Permit INBOUND: HTTP, HTTPS?, TS?
- Permit OUTBOUND: HTTP, HTTPS, DNS

IP Policies: Local Security Settings

Let's get started
1. Create IP Security Policy...
2. Name: Secure Web
3. Uncheck Activate the default response rule
4. Check Edit Properties
5. Uncheck Use Add Wizard

Basic rules
Create 4 rules:
- Deny BIDIRECTIONAL ALL
- Permit INBOUND HTTP(S)
- Permit OUTBOUND HTTP(S)
- Permit OUTBOUND DNS
When you're done, assign your new policy.

Let's look at the results
Tools needed: Nmap
Exercise:
- Groups of two or three
- Choose which computer will perform the scan
- Un-assign the IP policies, as they also block outbound traffic
- Perform the following port scans:
    nmap -sS -P0 -O -p
    nmap -sS -P0 -O -g 53 -p
    nmap -sT -P0 -O -p
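Windows IPsec does not evaluate filters in the order they were created: the most specific matching filter wins, which is why the Deny BIDIRECTIONAL ALL rule can coexist with the three permits, and why a policy with no matching filter leaves traffic untouched. The Python model below is an added example (not from the slides) of that precedence applied to the Secure Web rule set; the Rule class, the one-filter-per-port split of the HTTP(S) rules and the sample packets are this example's assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "permit" or "deny"
    direction: str       # "inbound", "outbound" or "bidirectional"
    protocol: str        # "tcp", "udp" or "any"
    port: Optional[int]  # service port (local for inbound, remote for outbound); None = any

    def matches(self, direction, protocol, port):
        return (self.direction in (direction, "bidirectional")
                and self.protocol in (protocol, "any")
                and self.port in (port, None))

    def specificity(self):
        # Windows IPsec applies the most specific matching filter, not the first
        # one listed: count how many fields are pinned down instead of "any".
        return ((self.direction != "bidirectional") + (self.protocol != "any")
                + (self.port is not None))

# The four "Secure Web" rules from the slides, HTTP(S) split into one filter per
# port. The list order is deliberately irrelevant to the outcome.
SECURE_WEB = [
    Rule("Deny BIDIRECTIONAL ALL", "deny", "bidirectional", "any", None),
    Rule("Permit INBOUND HTTP", "permit", "inbound", "tcp", 80),
    Rule("Permit INBOUND HTTPS", "permit", "inbound", "tcp", 443),
    Rule("Permit OUTBOUND HTTP", "permit", "outbound", "tcp", 80),
    Rule("Permit OUTBOUND HTTPS", "permit", "outbound", "tcp", 443),
    Rule("Permit OUTBOUND DNS (UDP)", "permit", "outbound", "udp", 53),
    Rule("Permit OUTBOUND DNS (TCP)", "permit", "outbound", "tcp", 53),
]

def decide(rules, direction, protocol, port):
    """Return (action, rule_name) for one packet. The most specific matching
    filter decides; a packet that matches no filter is not touched by IPsec
    at all, which is why the catch-all deny rule is needed."""
    hits = [r for r in rules if r.matches(direction, protocol, port)]
    if not hits:
        return "permit", None
    best = max(hits, key=Rule.specificity)
    return best.action, best.name

if __name__ == "__main__":
    # Constructed sample packets: web traffic in, Terminal Services in, DNS and SSH out.
    for pkt in [("inbound", "tcp", 80), ("inbound", "tcp", 3389),
                ("outbound", "udp", 53), ("outbound", "tcp", 22)]:
        print(pkt, "->", decide(SECURE_WEB, *pkt))
```

The last sample packet shows why the exercise un-assigns the policy on the scanning machine: anything the server itself sends to a port other than 80, 443 or 53 falls through to the catch-all deny.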
File Permissions

Permissions: Assigning correct NTFS permissions

  File type                                     Administrators   System         IUSR_SERVER
  CGI files (.EXE, .DLL, .CMD, .PL)             Full Control     Full Control   Read & Execute, Read
  Script files (.ASPX, .ASP, .PHP)              Full Control     Full Control   Read & Execute, Read
  Include files (.INC, .SHTML, .SHTM)           Full Control     Full Control   Read & Execute, Read
  Static files (.HTML, .HTM, .TXT, .GIF, .JPG)  Full Control     Full Control   Read
  Data files (.MDB)                             Full Control     Full Control   Read, Write, Read & Execute, Modify
Hardening IIS

- Web Server Extensions
- Application Debugging
- Custom Errors
- HTTP Verbs
- URLScan
- Logging

Web Server Extensions: Predefined Web Service Extensions
- Everything is turned off by default.
- A default IIS 6.0 installation will only serve sites with static pages (.HTML, .HTM).
- Predefined extensions: Active Server Pages, ASP.NET version, FrontPage Server Extensions 2002, Internet Data Connector, Server-Side Includes, WebDAV.

Application Debugging
Stop IIS from sending error messages to clients, and stop applications from sending debugging details to clients:
1. Right-click your web site in the IIS manager
2. Home Directory > Configuration > App Debugging
3. Check Send text error to client and leave the box blank

Custom Errors
Redirect to a custom error page when errors occur. Send custom error pages to clients for HTTP 500s and 404s:
1. Right-click your web site in the IIS manager
2. Custom Errors > double-click 500
3. Message Type: URL; URL: /
Make certain that error 500 messages don't get sent to the browser!

HTTP Verbs
Limit access to HTTP verbs: remove all unneeded HTTP verbs from each application. Generally required: GET, HEAD, POST.

URLScan: URL filtering
What is URLScan? What can it do?
- Enable/disable HTTP verbs
- Disable HTTP headers
- Enable/disable specific file extensions
- Disable character sequences
- Remove/alter the server header
- Restrict header lengths
Questions concerning URLScan?

URLScan: How does it work?
- Configuration file
- Installation
- Fine tuning
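The URLScan features listed above, together with the verb restriction from the HTTP Verbs slide, form a request-filtering pipeline that runs before IIS hands the request to an application. The Python model below is an added example, not the slides' material and not URLScan's own code: it applies such a pipeline (allowed verbs, allowed extensions, denied character sequences, denied headers, length limits, server header replacement) to raw request heads. The rule names, the sample allow/deny lists, the constructed requests and the replacement server name are this example's assumptions.

```python
# Added model of the URLScan checks named on the slides; the rule names and
# sample values are this example's own, not a copy of a real urlscan.ini.
RULES = {
    "allow_verbs": {"GET", "HEAD", "POST"},             # HTTP Verbs slide
    "allow_extensions": {".aspx", ".asp", ".htm", ".html", ".gif", ".jpg", ".txt", ""},
    "deny_sequences": ["..", "./", "\\", ":", "%"],     # traversal and encoding leftovers
    "deny_headers": {"translate", "if", "lock-token"},  # WebDAV-only request headers
    "max_url": 260,
    "max_header": 1024,
}

def parse_request(raw):
    """Split one HTTP/1.x request head (CRLF separated) into (verb, url, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    verb, url, _version = request_line.split(" ", 2)
    headers = {}
    for line in filter(None, header_lines):
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return verb, url, headers

def filter_request(raw, rules=RULES):
    """Return (allowed, reason). Checks run in a fixed order: verb, URL length,
    denied sequences, extension, headers. URLScan normalises the URL before
    scanning; this model does not decode, so "%" in deny_sequences rejects any
    percent-encoding outright."""
    verb, url, headers = parse_request(raw)
    if verb not in rules["allow_verbs"]:
        return False, f"verb {verb} not allowed"
    if len(url) > rules["max_url"]:
        return False, "URL too long"
    for seq in rules["deny_sequences"]:
        if seq in url:
            return False, f"denied sequence {seq!r} in URL"
    last = url.split("?", 1)[0].rsplit("/", 1)[-1]      # final path segment
    ext = last[last.rfind("."):].lower() if "." in last else ""  # "" = directory request
    if ext not in rules["allow_extensions"]:
        return False, f"extension {ext or '(none)'} not allowed"
    for name, value in headers.items():
        if name in rules["deny_headers"]:
            return False, f"header {name} denied"
        if len(value) > rules["max_header"]:
            return False, f"header {name} too long"
    return True, "ok"

def scrub_server_header(response_headers, server_value="WWW"):
    """Replace (or with server_value="" remove) the Server header, as the
    'Remove/alter the server header' item on the slide describes."""
    out = {k: v for k, v in response_headers.items() if k.lower() != "server"}
    if server_value:
        out["Server"] = server_value
    return out
```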
Logging: Configuring Logging
- Create separate logs for each site.
- Log folder permissions:
    Administrators: Full Control
    System: Full Control
    IUSR_SERVER: Read, Write, Modify, List Folder Contents, Read & Execute
Additional Hardening

- Uninstallable Components
- Special Binaries

Uninstallable Components
1. Load %systemroot%\inf\sysoc.inf into Notepad
2. Replace hide with nothing (delete the word), so that the hidden components are listed
3. Run Add/Remove Applications
4. Remove any unwanted or unneeded components (be careful!)

Special Binaries
Several executables exist on a standard Windows 2000 installation that could become rather useful to an attacker. Special access rights need to be set on all of these executables:
1. Uncheck Allow inheritable permissions from parent to propagate to this object.
2. Remove all users from the name list, including SYSTEM.
3. Assign Full Control to a user that is to be used to access these files (an administrator).

The executables: rsh.exe, secfixup.exe, telnet.exe, tftp.exe, ipconfig.exe, nbtstat.exe, netstat.exe, ping.exe, qbasic.exe, rdisk.exe, regedt32.exe, net.exe, nslookup.exe, posix.exe, rcp.exe, regedit.exe, rexec.exe, tracert.exe, command.com, os2.exe, os2ss.exe, arp.exe, at.exe, atsvc.exe, cacls.exe, cmd.exe, debug.exe, edit.com, edlin.exe, finger.exe, ftp.exe, xcopy.exe, os2srv.exe, cscript.exe, wscript.exe, iisreset.exe, route.exe, runonce.exe, syskey.exe
What have we learned today?
- Physical Security
- OS Installation
- Account Policies
- Local Policies
- Services
- User Accounts
- IP Policies
- Permissions
- Hardening IIS
- Additional Hardening

?