Implementing Server Security on Windows 2000 and Windows Server 2003 Fabrizio Grossi.

Agenda
- Introduction to Securing Servers
- Core Server Security
- Active Directory Security
- Hardening Member Servers
- Hardening Domain Controllers
- Hardening Servers for Specific Roles
- Hardening Stand-Alone Servers

Security Considerations for Small and Medium-Size Businesses
- Servers with a variety of roles
- Internal or accidental threat
- Limited resources to implement secure solutions
- Lack of security expertise
- Older systems in use
- Legal consequences
- Physical access negates many security procedures

Server Security Principles
- Confidentiality ensures protection of information access
- Integrity ensures that information has not been modified
- Availability ensures ready access to information

Defense in Depth
- Using a layered approach:
  - Increases an attacker's risk of detection
  - Reduces an attacker's chance of success
- Layers and the controls that belong to each:
  - Policies, Procedures, & Awareness: user education
  - Physical Security: guards, locks, tracking devices
  - Perimeter: firewalls, VPN quarantine
  - Internal Network: network segments, IPSec, NIDS
  - Host: OS hardening, patch management, authentication, HIDS
  - Application: application hardening, antivirus
  - Data: ACL, encryption


Core Server Security Practices
- Apply the latest Service Pack and all available security patches
- Use Group Policy to harden servers
  - Disable services that are not required
  - Implement secure password policies
  - Disable LAN Manager and NTLMv1 authentication
- Restrict physical and network access to servers

Recommendations for Hardening Servers
- Rename the built-in Administrator and Guest accounts
- Restrict access for built-in and non-operating system service accounts
- Do not configure a service to log on using a domain account
- Use NTFS to secure files and folders


Establishing a Role-Based OU Hierarchy
- An OU hierarchy based on server roles:
  - Simplifies security management issues
  - Applies security policy settings to servers and other objects in each OU
- Diagram (example hierarchy): the Domain (Domain Policy) contains a Domain Controllers OU (Domain Controller Policy) and a Member Servers OU (Member Server Baseline Policy); under Member Servers sit Print Servers (Print Server Policy), File Servers (File Server Policy) and Web Servers (IIS Server Policy), administered by an Operations Admin and a Web Service Admin respectively

Administrative Best Practices
- Establish secure directory service and data administration practices
- Delegate the minimum permissions required
- Distinguish between service and data administrative roles


Server Hardening Overview
- Apply baseline security settings to all member servers
- Apply additional settings for specific server roles
- Use GPResult to ensure that settings are applied correctly
- Diagram (hardening procedures): Securing Active Directory, then Apply Member Server Baseline Policy, then Apply Incremental Role-Based Security Settings for each role: Infrastructure Servers, File & Print Servers, IIS Servers, Certificate Services Servers, Bastion Hosts, RADIUS (IAS) Servers

Member Server Baseline Security Template
- Modify and apply the Member Server Baseline security template to all member servers
- Settings in the Member Server Baseline security template:
  - Audit Policy
  - User Rights Assignment
  - Security Options
  - Event Log
  - System Services

Best Practices for Using Security Templates
- Review and modify security templates before using them
- Use security configuration and analysis tools to review template settings before applying them
- Test templates thoroughly before deploying them
- Store security templates in a secure location
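A reviewer's check of the settings the Core Server Security and Member Server Baseline slides call for (password policy, LM/NTLMv1 disabled, logon auditing), run over a security template before it is applied. This is an added example, not code or a template from the presentation: the .inf sample is constructed, and the baseline numbers (minimum length 8, LmCompatibilityLevel 5, audit value 3) are this example's assumptions.

```python
import configparser

# Constructed sample of a security template (.inf), the format read by secedit and
# the Security Configuration and Analysis snap-in (header sections omitted). Not a
# template from the presentation; two settings are deliberately weak.
SAMPLE_TEMPLATE = """\
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 1
LockoutBadCount = 10
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel=4,2
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\NoLMHash=4,1
"""
LSA = "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\"
# Assumed baseline (the deck names the goals, not the numbers): LmCompatibilityLevel 5
# sends NTLMv2 only and refuses LM/NTLM, NoLMHash 1 stops storing LM hashes, audit
# value 3 logs both success and failure.
BASELINE_ACCESS = {"MinimumPasswordLength": 8, "PasswordComplexity": 1, "LockoutBadCount": 1}
BASELINE_AUDIT = {"AuditLogonEvents": 3, "AuditAccountLogon": 3}
BASELINE_REG = {"LmCompatibilityLevel": 5, "NoLMHash": 1}

def review_template(text):
    """Return [(setting, actual, expected)] for each setting below the baseline."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep the case of registry paths
    cp.read_string(text)
    sec = lambda name: cp[name] if cp.has_section(name) else {}
    findings = []
    for name, floor in BASELINE_ACCESS.items():          # numeric policy minimums
        actual = sec("System Access").get(name)
        if actual is None or int(actual) < floor:
            findings.append((name, actual, ">= %d" % floor))
    for name, want in BASELINE_AUDIT.items():            # exact audit flags
        actual = sec("Event Audit").get(name)
        if actual is None or int(actual) != want:
            findings.append((name, actual, str(want)))
    for name, want in BASELINE_REG.items():              # "<type>,<value>", type 4 = REG_DWORD
        raw = sec("Registry Values").get(LSA + name)
        value = int(raw.split(",", 1)[1]) if raw and raw.startswith("4,") else None
        if value != want:
            findings.append((name, raw, "4,%d" % want))
    return findings

if __name__ == "__main__":
    for setting, actual, expected in review_template(SAMPLE_TEMPLATE):
        print("%-22s actual=%-6s expected=%s" % (setting, actual, expected))
```

Run against a real template, the same function flags the settings to fix before the template goes into the settings database with secedit.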


Configuring Security for Domain Controllers
- Secure the domain controller build environment
- Establish domain controller build practices that provide security
- Maintain physical security

Best Practices for Hardening Domain Controllers
- Use appropriate security methods to control physical access to domain controllers
- Implement appropriate auditing and event log settings
- Use Group Policy to apply the Domain Controller security template to all domain controllers
- Disable services that are not required


Using Security Templates for Specific Server Roles
- Servers that perform specific roles can be organized by OU under the Member Servers OU
- First, apply the Member Server Baseline template to the Member Servers OU
- Then, apply the appropriate role-based security template to each OU under the Member Servers OU
- Customize security templates for servers that perform multiple roles

Hardening Infrastructure Servers
- Apply the security settings in the Infrastructure Server security template
- Manually configure additional settings on each infrastructure server
  - Configure DHCP logging
  - Protect against DHCP DoS attacks
  - Use Active Directory-integrated DNS for Active Directory zones
  - Secure service accounts
  - Allow only those ports needed for server applications by using IPSec filters

Hardening File Servers
- Apply the security settings in the File Server security template
- Manually configure additional settings on each file server
  - Disable DFS and FRS if they are not required
  - Secure shared files and folders by using NTFS and share permissions
  - Enable auditing of critical files
  - Secure service accounts
  - Allow only specific ports by using IPSec filters

Hardening Print Servers
- Apply the security settings in the Print Server security template
- Manually configure additional settings on each print server
  - Ensure that the Print Spooler service is enabled
  - Secure well-known accounts
  - Secure service accounts
  - Allow only specific ports by using IPSec filters

Hardening IIS Servers
- Apply the security settings in the IIS Server security template
- Manually configure each IIS server
  - Install the IIS Lockdown tool and configure URLScan on all IIS 5.0 installations
  - Enable only essential IIS components
  - Configure NTFS permissions for all folders that contain Web content
  - Install IIS and store Web content on a dedicated disk volume
  - If possible, do not enable both the Execute and Write permissions on the same Web site
  - On IIS 5.0 servers, run applications using Medium or High Application Protection
  - Use IPSec filters to allow only ports 80 and 443

Best Practices for Hardening Servers for Specific Roles
- Secure well-known user accounts
- Enable only services required by role
- Enable service logging to capture relevant information
- Use IPSec filtering to block specific ports based on server role
- Modify templates as needed for servers with multiple roles


Hardening Stand-Alone Servers
- Must manually apply security settings to each stand-alone server instead of using Group Policy
- May need to create a customized security template for each stand-alone server
- Use the Security Configuration and Analysis tool or Secedit to apply security template settings
  - Security Configuration and Analysis: allows the comparison and application of various security templates
  - Secedit: command-line version of the Security Configuration and Analysis tool that allows scripted application of security templates

How to Use Secedit to Harden Stand-Alone Servers
1. Configure a custom security template with the desired security settings for the stand-alone server
2. Open a command prompt on the stand-alone server
3. Create a settings database from the custom security template by typing:
   secedit /import /db c:\security.sdb /cfg security template name
4. Apply the settings in the database to the stand-alone server by typing:
   secedit /configure /db c:\security.sdb

Best Practices for Hardening Stand-Alone Servers
- Use the Security Configuration and Analysis tool to apply templates to stand-alone servers
- Configure service settings according to server role requirements
- Enable service logging to capture relevant information
- Use IPSec for port filtering based on server role

Next Steps
1. Stay informed about security
   - Sign up for security bulletins
   - Get the latest Microsoft security guidance:
2. Get additional security training
   - Find online and in-person training seminars:
   - Find a local CTEC for hands-on training:

For More Information
- Microsoft Security Site (all audiences)
- TechNet Security Site (IT professionals)
- MSDN Security Site (developers)