Implementing Server Security on Windows 2000 and Windows Server 2003
Dave Sayers, Technology Specialist, Microsoft UK

Session Prerequisites
- Hands-on experience with Windows 2000 Server or Windows Server 2003
- Experience with Windows management tools
- Knowledge of Active Directory and Group Policy concepts
- Level 200 - 300
Agenda
- Introduction to Securing Servers
- Core Server Security
- Active Directory Security
- Hardening Member Servers
- Hardening Servers for Specific Roles
- Hardening Stand-Alone Servers

Security Challenges for Small and Medium-Sized Businesses
- Servers with a variety of roles
- Limited resources to implement secure solutions
- Internal or accidental threat
- Older systems in use
- Physical access negates many security measures
- Lack of security expertise
- Legal consequences

Fundamental Security Trade-Offs
- Usability
- Low cost
Core Server Security

Core Server Security Practices
- Restrict physical and network access to servers
- Restrict privileged users
- Use Group Policy to harden servers
- Apply the latest service pack and all available security patches
Active Directory Security

Process for Securing Active Directory
- Establish secure AD boundaries
- Deploy secure domain controllers
- Establish secure domain and domain controller policies
- Establish secure administrative practices
- Secure DNS
- Establish secure domain controller operations
- Establish Active Directory security monitoring
- Establish a recovery plan for Active Directory attacks
Security Boundaries
- The forest is the security boundary in Active Directory; a domain is an administrative boundary
- Autonomy and isolation require an additional forest
- AD domains are different from NT 4.0 domains: they share configuration, schema and the Global Catalog, and certain assumptions about trust hold between KDCs
- Domains do not provide complete isolation from malicious service admins
- Any person with physical access to a domain controller can elevate themselves to service admin
- Restrict physical access to DCs in a manner equivalent to restricting who gets to be a service admin

Deploy Secure DCs
- Build in a secure location
- Deploy only to secure locations
- Ensure the process is secure and repeatable, for example:
  - Install Windows Server 2003 with the latest hotfixes
  - Disable LM hash storage
  - Disable unnecessary services
  - Run virus-scanning software on the server
  - Select secure domain controller promotion settings
  - Protect LDAP traffic between domain controllers and administrative workstations
  - Create a reserve file to enable recovery from potential disk-space denial-of-service attacks
Secure Policies
- Domain Policy
  - Password policies
  - Account lockout
  - Kerberos policies
- Domain Controller Policies
  - User rights
  - Policy auditing
  - Security options
  - Event log settings

Secure Administrative Practices
- Limit the number of service administrators
- Separate admin accounts and user accounts
- Hide the Administrator account
- Create a controlled OU subtree (block inheritance)
- Smart card logon
- Controlled administrative workstations

Secure DNS
- Use secure dynamic updates
- Ensure DNS admins are trusted
- Use forwarders instead of secondary zones
- Restrict zone transfer

Establish Secure DC Operations
- Publish backup policies
- Store DC backup media in a secure location
- Never disable the virus scanner on DCs or administrative workstations; exclude SYSVOL and the AD database locations from scanning
- Hotfixes and service packs
Monitoring
- Monitor for all security-sensitive changes
- Schema: audit additions, defunctions (deactivations) and modifications to the schema
- Configuration NC: creation of domains, modification of LDAP policies, modification of the dSHeuristics attribute
- Domain NC: domain-wide policy implemented, migration of SIDHistory

Recovery Plan
- Use NTDSutil to remove the breached DC
- Reset service admin passwords
- Change all user account passwords
- Review the audit trail
- Review membership of all service administrator groups
- Review installed software on DCs and admin workstations
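The monitoring slide lists the changes worth alerting on but does not show what a check looks like. The following added example (not from the presentation or from Microsoft) scans a small set of constructed directory-service audit records and flags exactly those classes of change: schema modifications, dSHeuristics and LDAP query-policy edits in the Configuration NC, new crossRef objects (domain creation), sIDHistory writes, and additions to service administrator groups. The record format is an assumption made for the example; the event IDs used for group-membership additions (632 global, 636 local, 660 universal) and directory object operations (566) are the Windows 2000/2003 security log IDs, and the group list is an assumed set of service admin groups.

```python
"""Flag security-sensitive Active Directory changes in audit records.

Added example. Input lines are CONSTRUCTED for this demo in the form
  <timestamp>|<event id>|key=value;key=value;...
with keys taken from the fields a Windows 2000/2003 security event carries.
"""

# Groups whose membership changes indicate a change in service admin population
# (assumed list; extend for the forest being monitored).
SERVICE_ADMIN_GROUPS = {
    "Enterprise Admins", "Schema Admins", "Domain Admins", "Administrators",
    "Account Operators", "Server Operators", "Backup Operators",
}
# Windows 2000/2003 security event IDs for "member added to group".
GROUP_MEMBER_ADDED = {632: "global", 636: "local", 660: "universal"}
OBJECT_OPERATION = 566  # Directory Service Access: object operation


def parse_record(line):
    """Split one constructed record into (timestamp, event_id, fields dict)."""
    timestamp, event_id, body = line.strip().split("|", 2)
    fields = {}
    for item in body.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            fields[key.strip()] = value.strip()
    return timestamp, int(event_id), fields


def classify(event_id, fields):
    """Return an alert label for a sensitive change, or None if it is benign."""
    if event_id in GROUP_MEMBER_ADDED:
        if fields.get("group") in SERVICE_ADMIN_GROUPS:
            return f"service admin group change: {fields.get('member')} added to {fields['group']}"
        return None
    if event_id != OBJECT_OPERATION:
        return None
    dn = fields.get("object", "")
    dn_upper = dn.upper()
    attr = fields.get("attribute", "")
    if attr.lower() == "dsheuristics":
        return f"dSHeuristics modified on {dn}"
    if attr.lower() == "sidhistory":
        return f"SIDHistory written on {dn}"
    if ",CN=SCHEMA,CN=CONFIGURATION," in dn_upper:
        return f"schema change: {fields.get('operation', 'modify')} on {dn}"
    if ",CN=QUERY-POLICIES," in dn_upper:
        return f"LDAP policy modified: {attr} on {dn}"
    if ",CN=PARTITIONS,CN=CONFIGURATION," in dn_upper and fields.get("class", "").lower() == "crossref":
        return f"domain (crossRef) created: {dn}"
    return None


def scan(lines):
    """Return the list of (timestamp, alert) pairs for sensitive records."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        timestamp, event_id, fields = parse_record(line)
        label = classify(event_id, fields)
        if label:
            alerts.append((timestamp, label))
    return alerts


# Constructed sample records (not real log output).
SAMPLE_RECORDS = [
    "2003-11-04T09:12:01|566|object=CN=ms-Contoso-Tag,CN=Schema,CN=Configuration,DC=contoso,DC=com;operation=Create Child;class=attributeSchema",
    "2003-11-04T09:13:40|566|object=CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com;attribute=dSHeuristics;operation=Write Property",
    "2003-11-04T09:15:22|566|object=CN=jdoe,OU=Users,DC=contoso,DC=com;attribute=sIDHistory;operation=Write Property",
    "2003-11-04T09:16:05|632|group=Domain Admins;member=CN=bob,OU=Users,DC=contoso,DC=com",
    "2003-11-04T09:16:30|632|group=Sales Staff;member=CN=bob,OU=Users,DC=contoso,DC=com",
    "2003-11-04T09:18:11|566|object=CN=jdoe,OU=Users,DC=contoso,DC=com;attribute=telephoneNumber;operation=Write Property",
    "2003-11-04T09:20:47|566|object=CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com;attribute=lDAPAdminLimits;operation=Write Property",
    "2003-11-04T09:25:00|566|object=CN=child,CN=Partitions,CN=Configuration,DC=contoso,DC=com;operation=Create Child;class=crossRef",
]

if __name__ == "__main__":
    for when, alert in scan(SAMPLE_RECORDS):
        print(when, alert)
```

Six of the eight constructed records are flagged; the Sales Staff membership change and the telephone number edit are not. In practice the same classifier would sit behind whatever collects the security log from every DC, since a change made on one DC replicates to all of them.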
Group Policy Management Console
- Group Policy Results: reporting after policy has applied
- Group Policy Modeling: allows what-if scenarios
- Backup/restore capabilities
- Import/export capabilities
- Testing

Using GPMC

Active Directory Security: Additional Features
- Object ACLs
- DSQuotas
- SID filtering
- Gotcha: watch out for drag-and-drop functionality in Active Directory Users & Computers

Selective Authentication
- Restricts connections across a trust to certain users/groups
- Requires the "Allowed to authenticate" permission on the resource server
- Property of the trust
- Requires a Windows Server 2003 native mode forest, but the external domain can be Windows 2000
- Also referred to as an "authentication firewall"
- Useful to restrict the amount of collaboration

Creating a Forest Trust with Selective Authentication
Establishing a Role-Based OU Hierarchy
[Diagram: role-based OU hierarchy. Domain (Domain Policy) containing Engineering, Member Servers (Member Server Baseline Policy) and Domain Controllers (Domain Controller Policy) OUs; under Member Servers: Print Servers (Print Server Policy), File Servers (File Server Policy), Web Servers (IIS Server Policy); administrative roles shown: Operations Admin, Web Service Admin.]
An OU hierarchy based on server roles:
- Simplifies security management issues
- Applies security policy settings to servers and other objects in each OU

Administrative Best Practices
- Distinguish between service and data administrative roles
- Take steps to secure administrative accounts
- Delegate the minimum permissions required
Hardening Member Servers

Server Hardening Overview
[Diagram: Securing Active Directory, then Apply Member Server Baseline Settings, then Apply Incremental Role-Based Security Settings for each role: Infrastructure Servers, File and Print Servers, IIS Servers, RADIUS (IAS) Servers, Certificate Services Servers, Bastion Hosts.]

Member Server Baseline Security Template
- Modify and apply the Member Server Baseline security template to all member servers
- Settings in the Member Server Baseline security template:
  - Audit Policy
  - User Rights Assignment
  - Security Options
  - Event Log
  - System Services

Common Server Settings
- Limit use of blank passwords to console only
- Shut down system immediately if unable to log security events
- Restrict media access
- Require LDAP signing
- Always digitally encrypt or sign secure channel data
- Previous logons to cache
- Digitally sign communications
- LAN Manager authentication level
- Clear virtual memory pagefile
Configuring Security Templates

Best Practices for Using Security Templates
- Review and modify security templates before using them
- Use the Security Configuration and Analysis tool to review template settings before applying them
- Test templates thoroughly before deploying them
- Store security templates in a secure location
- Use GPMC import/export and RSoP
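The Secure Policies, Common Server Settings and Best Practices slides describe the template's contents and the advice to review it before applying it, but never show the file. The added example below (not Microsoft's template and not from the presentation) renders the listed Security Options and password/lockout policy as a security template in the .inf format that secedit and the Security Configuration and Analysis tool read, then parses a template back and reports where it deviates from that baseline, which is the offline review step the slide recommends. The registry paths are the real keys behind the named Security Options; the chosen values and the password/lockout thresholds are assumptions for the example.

```python
"""Render and review a Windows security template (.inf) for the baseline
settings on the slides.  Added example; the registry paths are the real keys
behind the named Security Options, the values are assumed baseline choices."""
import configparser

# [Registry Values] entries: <path>=<type>,<value>; 1 = REG_SZ, 4 = REG_DWORD.
BASELINE_REGISTRY = {
    # Limit use of blank passwords to console only
    r"MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse": "4,1",
    # Shut down system immediately if unable to log security events
    r"MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail": "4,1",
    # Restrict media access: CD-ROM and floppy only for the interactive user
    r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms": '1,"1"',
    r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies": '1,"1"',
    # Require LDAP client signing
    r"MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity": "4,1",
    # Always digitally encrypt or sign secure channel data
    r"MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal": "4,1",
    # Previous logons to cache: none (assumed; servers rarely need cached logons)
    r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount": '1,"0"',
    # Digitally sign SMB communications (server, always)
    r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature": "4,1",
    # LAN Manager authentication level 5: send NTLMv2 only, refuse LM and NTLM
    r"MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel": "4,5",
    # Clear virtual memory pagefile at shutdown
    r"MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown": "4,1",
}

# [System Access] password and lockout policy (values are assumed thresholds).
BASELINE_SYSTEM_ACCESS = {
    "MinimumPasswordLength": 8, "PasswordComplexity": 1, "PasswordHistorySize": 24,
    "MaximumPasswordAge": 90, "MinimumPasswordAge": 1,
    "LockoutBadCount": 10, "LockoutDuration": 30, "ResetLockoutCount": 30,
}
# Checks applied when reviewing a template: (description, predicate on the value).
# -1 in a template means "never" for MaximumPasswordAge and "until admin unlocks"
# for LockoutDuration; 0 for LockoutBadCount disables lockout.
SYSTEM_ACCESS_CHECKS = {
    "MinimumPasswordLength": (">= 8", lambda v: int(v) >= 8),
    "PasswordComplexity": ("== 1", lambda v: int(v) == 1),
    "PasswordHistorySize": (">= 24", lambda v: int(v) >= 24),
    "MaximumPasswordAge": ("1..90 days", lambda v: 1 <= int(v) <= 90),
    "LockoutBadCount": ("1..10 attempts", lambda v: 1 <= int(v) <= 10),
    "LockoutDuration": (">= 15 min or -1", lambda v: int(v) == -1 or int(v) >= 15),
}


def render_template(registry=BASELINE_REGISTRY, system_access=BASELINE_SYSTEM_ACCESS):
    """Produce .inf text in the layout secedit expects."""
    lines = ["[Unicode]", "Unicode=yes", "[Version]", 'signature="$CHICAGO$"', "Revision=1",
             "[System Access]"]
    lines += [f"{key} = {value}" for key, value in system_access.items()]
    lines.append("[Registry Values]")
    lines += [f"{path}={value}" for path, value in registry.items()]
    return "\n".join(lines) + "\n"


def parse_template(text):
    """Parse .inf text into {section: {key: value}}; keys keep their case."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    parser.optionxform = str
    parser.read_string(text)
    return {section: dict(parser[section]) for section in parser.sections()}


def check_template(text):
    """Return findings (missing or deviating settings) relative to the baseline."""
    findings = []
    parsed = parse_template(text)
    registry = parsed.get("Registry Values", {})
    for path, want in BASELINE_REGISTRY.items():
        got = registry.get(path)
        if got is None:
            findings.append(f"missing: {path} (baseline {want})")
        elif got.replace(" ", "") != want:
            findings.append(f"deviates: {path} = {got} (baseline {want})")
    access = parsed.get("System Access", {})
    for key, (describe, ok) in SYSTEM_ACCESS_CHECKS.items():
        got = access.get(key)
        if got is None:
            findings.append(f"missing: [System Access] {key} (expected {describe})")
        elif not ok(got):
            findings.append(f"deviates: [System Access] {key} = {got} (expected {describe})")
    return findings


def weakened_template():
    """Constructed example of a template that drifted from the baseline."""
    text = render_template()
    text = text.replace("LmCompatibilityLevel=4,5", "LmCompatibilityLevel=4,0")
    text = text.replace("MinimumPasswordLength = 8", "MinimumPasswordLength = 6")
    return "\n".join(l for l in text.splitlines() if "ClearPageFileAtShutdown" not in l) + "\n"


if __name__ == "__main__":
    print(render_template())
    for finding in check_template(weakened_template()):
        print(finding)
```

The rendered text can be saved as a .inf and applied with secedit, as the later stand-alone server slides describe; reviewing it first with check_template (or with the Security Configuration and Analysis tool) catches the kind of drift the weakened template shows: LM authentication level reverted to 0, a six-character minimum password, and a missing pagefile-clearing setting.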
Hardening Servers for Specific Roles

Hardening File Servers
- Apply the security settings in the File Server security template
- Manually configure additional settings on each file server:
  - Disable DFS and FRS if not required
  - Secure all shared files and folders by using NTFS and share permissions
  - Enable auditing of critical files
  - Restrict ports by using IPSec filters

Hardening Print Servers
- Apply the security settings in the Print Server security template
- Manually configure additional settings on each print server:
  - Ensure that the Print Spooler service is enabled
  - Set permissions on the printers
  - Restrict ports by using IPSec filters
Hardening IIS Servers (Part 1)
- Apply the security settings in the IIS Server security template
- If possible, upgrade Web servers to Windows Server 2003 and IIS 6.0
- Install and run the IIS Lockdown Wizard and configure URLScan to help secure IIS 4.x and 5.x installations

Hardening IIS Servers (Part 2)
- Enable only essential IIS components
- Install IIS and store Web content on a dedicated disk volume
- Configure NTFS permissions for all folders that contain Web content; take care with write permissions
- Use logging
- Use IPSec filters to allow only TCP port 80 and port 443

Best Practices for Hardening Servers for Specific Roles
- Secure service accounts and well-known user accounts
- Enable only services required by the role
- Enable service logging to capture relevant information
- Use IPSec filtering to block all ports except the specific ports needed, based on server role
- Modify security templates as needed for servers with multiple roles
Hardening Stand-Alone Servers

Applying Security Templates on Stand-Alone Servers
- You must manually apply security settings to each stand-alone server
- You may need to create a customized security template for each stand-alone server
- Use the Security Configuration and Analysis tool, Secedit, or GPEdit.msc to apply security template settings on stand-alone servers

Best Practices for Hardening Stand-Alone Servers
- Create a customized security template for each type of stand-alone server
- Enable only services required by the role
- Enable service logging to capture relevant information
- Use IPSec filters to restrict ports based on server role

Session Summary
- Introduction to Securing Servers
- Core Server Security
- Active Directory Security
- Hardening Member Servers
- Hardening Servers for Specific Roles
- Hardening Stand-Alone Servers

Additional Security Settings: Software Restriction Policies
What Is Software Restriction Policy?
- A policy-driven mechanism that identifies and controls software on a client computer
- Can be used to fight viruses and to ensure that only approved software can be run on computers
- Two components:
  - A default rule for which programs can run
  - An inventory of exceptions to the default rule

How Software Restriction Policy Works
1. Use Group Policy Editor to define the policy for the site, domain, or OU
2. Policy is downloaded and applied to a computer
3. Policy is enforced by the operating system when software is run

Four Rules for Identifying Software
- Hash Rule: compares the MD5 or SHA1 hash of a file to the one attempting to run. Use when you want to allow or prohibit a certain version of a file from being run.
- Certificate Rule: checks for a digital signature on the application (for example, Authenticode). Use when you want to restrict both Win32 applications and ActiveX content.
- Path Rule: compares the path of the file being run to an allowed path list. Use when you have a folder with many files for the same application; essential when SRPs are strict.
- Internet Zone Rule: controls how Internet Zones can be accessed. Use in high-security environments to control access to Web applications.
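The slides name the four rule types and the default rule but not how they combine when several match one program. The added example below (not part of the presentation and not Microsoft's implementation) models that evaluation: hash rules win over certificate rules, which win over path rules, which win over zone rules, and among path rules the most specific pattern wins, with the more restrictive level breaking ties. Rules, file contents, signer names and zones are constructed for the example; the precedence order is the documented SRP behaviour.

```python
"""Evaluate Software Restriction Policy rules against a program.

Added example.  Rule precedence (hash > certificate > path > zone, most
specific path wins) is the documented SRP order; all sample data is constructed.
"""
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import Optional

UNRESTRICTED = "Unrestricted"
DISALLOWED = "Disallowed"


@dataclass(frozen=True)
class Rule:
    kind: str            # "hash", "certificate", "path" or "zone"
    match: str           # hex digest, signer name, path pattern or zone name
    level: str           # UNRESTRICTED or DISALLOWED
    algo: str = "sha1"   # hash rules only: "md5" or "sha1" as on the slide


@dataclass(frozen=True)
class Program:
    path: str
    data: bytes
    signer: Optional[str] = None   # name on the Authenticode signature, if any
    zone: Optional[str] = None     # Internet zone the file came from, if known


def digest(data, algo="sha1"):
    return hashlib.new(algo, data).hexdigest()


def _path_matches(pattern, path):
    """Case-insensitive match; a wildcard-free pattern covers its whole subtree."""
    pat, p = pattern.lower(), path.lower()
    if any(c in pat for c in "*?"):
        return fnmatch.fnmatchcase(p, pat)
    return p == pat or p.startswith(pat.rstrip("\\") + "\\")


def _specificity(pattern):
    # More literal characters = more specific path rule.
    return len(pattern.replace("*", "").replace("?", ""))


def evaluate(program, rules, default_level=DISALLOWED):
    """Return (level, matching rule) for the program; rule is None for the default."""
    for rule in rules:                                   # 1. hash rules
        if rule.kind == "hash" and digest(program.data, rule.algo) == rule.match.lower():
            return rule.level, rule
    if program.signer:                                   # 2. certificate rules
        for rule in rules:
            if rule.kind == "certificate" and rule.match == program.signer:
                return rule.level, rule
    path_hits = [r for r in rules if r.kind == "path" and _path_matches(r.match, program.path)]
    if path_hits:                                        # 3. path rules
        best = max(path_hits, key=lambda r: (_specificity(r.match), r.level == DISALLOWED))
        return best.level, best
    if program.zone:                                     # 4. zone rules
        for rule in rules:
            if rule.kind == "zone" and rule.match == program.zone:
                return rule.level, rule
    return default_level, None                           # 5. default rule


# Constructed policy: default Disallowed with an inventory of exceptions.
APPROVED_BYTES = b"constructed approved tool image"
BLOCKED_BYTES = b"constructed known-bad image"
POLICY = [
    Rule("hash", digest(APPROVED_BYTES, "sha1"), UNRESTRICTED, "sha1"),
    Rule("hash", digest(BLOCKED_BYTES, "md5"), DISALLOWED, "md5"),
    Rule("certificate", "Contoso IT Signing", UNRESTRICTED),
    Rule("path", r"C:\Windows\*", UNRESTRICTED),
    Rule("path", r"C:\Windows\Temp\*", DISALLOWED),      # more specific, wins inside Temp
    Rule("path", r"C:\Program Files", UNRESTRICTED),     # subtree rule without wildcard
    Rule("zone", "Restricted sites", DISALLOWED),
]

SAMPLE_PROGRAMS = {
    "notepad": Program(r"C:\Windows\notepad.exe", b"x"),
    "temp_drop": Program(r"C:\Windows\Temp\dropper.exe", b"y"),
    "approved_anywhere": Program(r"C:\Users\bob\tool.exe", APPROVED_BYTES),
    "bad_in_program_files": Program(r"C:\Program Files\App\app.exe", BLOCKED_BYTES),
    "signed_download": Program(r"C:\Downloads\setup.exe", b"z", signer="Contoso IT Signing"),
    "unknown_download": Program(r"C:\Downloads\other.exe", b"w"),
}


def decisions(programs=SAMPLE_PROGRAMS, rules=POLICY):
    """Map each sample name to the level SRP would enforce."""
    return {name: evaluate(prog, rules)[0] for name, prog in programs.items()}


if __name__ == "__main__":
    for name, level in decisions().items():
        print(f"{name:22s} {level}")
```

Two points the example makes concrete: a hash rule pins one version of a file wherever it lives, so the approved tool runs from a user profile while the known-bad image is blocked even under an Unrestricted Program Files path; and the Windows\Temp rule shows why strict path rules matter, since a broad Unrestricted path would otherwise cover writable locations.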
Next Steps
- Find additional security training events: http://www.microsoft.com/seminar/events/security.mspx
- Sign up for security communications: http://www.microsoft.com/technet/security/signup/default.mspx
- Order the Security Guidance Kit: http://www.microsoft.com/security/guidance/order/default.mspx
- Get additional security tools and content: http://www.microsoft.com/security/guidance
© 2003 Microsoft Limited. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.