Implementing Server Security on Windows 2000 and Windows Server 2003 Steve Lamb Technical Security Advisor


Agenda
- Prescriptive Guidance
- Introduction to Server Security
- Securing Active Directory
- Hardening Member Servers
- Hardening Domain Controllers
- Hardening Servers for Specific Roles
- Hardening Stand-Alone Servers

Security Guidance Centre ult.mspx

Prescriptive Guidance - Server Security

W2K3 Security Guide
- Free download from
- Copy templates from the “Security Templates” directory to “\windows\security\templates”

Security Configuration Guide - Templates
- Access the “Security Templates” via the Microsoft Management Console


Security Considerations
- Servers with a variety of roles
- Internal or accidental threat
- Limited resources to implement secure solutions
- Lack of security expertise
- Older systems in use
- Physical access negates many security procedures
- Legal consequences

Defense in Depth
- Using a layered approach:
  - Increases an attacker’s risk of detection
  - Reduces an attacker’s chance of success
- Layers and example controls:
  - Policies, Procedures, & Awareness: User education
  - Physical Security: Guards, locks, tracking devices
  - Perimeter: Firewalls, VPN quarantine
  - Internal Network: Network segments, IPSec, NIDS
  - Host: OS hardening, patch management, authentication, HIDS
  - Application: Application hardening, antivirus
  - Data: ACL, encryption


Active Directory Components
- Forest
- Domain
- Organizational Unit
- Site
- User account
- Security group
- Group Policy
- Security Templates

Planning Active Directory Security
- Analyze the environment
  - Intranet datacenter
  - Branch office
  - Extranet datacenter
- Perform threat analysis
  - Identify threats to Active Directory
  - Identify types of threats
  - Identify sources of threats
- Implement a deterrent to each identified threat
- Establish contingency plans

Establishing Secure Active Directory Boundaries
- Specify security and administrative boundaries
- Select an Active Directory structure based on delegation requirements
- Establish secure collaboration with other forests

Establishing a Role-Based OU Hierarchy
- An OU hierarchy based on server roles:
  - Simplifies security management issues
  - Applies security policy settings to servers and other objects in each OU
- Diagram (policy applied to each container):
  - Domain Policy: Domain
  - Member Server Baseline Policy: Member Servers
  - Domain Controller Policy: Domain Controllers
  - Print Server Policy: Print Servers
  - File Server Policy: File Servers
  - IIS Server Policy: Web Servers
- Diagram labels for administrative groups: Domain Engineering, Operations Admin, Web Service Admin


Server Hardening Overview
- Apply baseline security settings to all member servers
- Apply additional settings for specific server roles
- Use GPResult to ensure that settings are applied correctly
- “Windows Server 2003 Security Guide” on microsoft.com
- Diagram (hardening procedures): Securing Active Directory, then Apply Member Server Baseline Policy, then Apply Incremental Role-Based Security Settings for: Infrastructure Servers, File & Print Servers, IIS Servers, Certificate Services Servers, Bastion Hosts, RADIUS (IAS) Servers

Member Server Baseline Security Template
- Modify and apply the Member Server Baseline security template to all member servers
- Settings in the Member Server Baseline security template:
  - Audit Policy
  - User Rights Assignment
  - Security Options
  - Event Log
  - System Services
- Use Group Policy to apply these security templates

Security Configuration Guide - templates

Best Practices for Using Security Templates
- Review and modify security templates before using them
- Use security configuration and analysis tools to review template settings before applying them
- Test templates thoroughly before deploying them
- Store security templates in a secure location

Additional Recommendations for Hardening Member Servers
- Rename the built-in Administrator and Guest accounts
- Restrict access for built-in and non-operating system service accounts
- Do not configure a service to log on using a domain account unless absolutely required
- Use NTFS to secure files and folders
- Be aware that Error Reporting to Microsoft is in clear text


Deploying Secure Domain Controllers
- Secure the domain controller build environment
- Establish secure domain controller build practices
- Maintain physical security

Recommendations for Hardening Domain Controllers
REMEMBER: Domain controllers hold your “security keys”
- Disable services that are not required
- Remove unnecessary user rights to domain controllers
- Strengthen domain controller policy settings
- Use Syskey to alter how the Windows master secret is stored in Active Directory

Best Practices for Hardening Domain Controllers
- Use appropriate security methods to control physical access to domain controllers
- Use Syskey to alter how the Windows master secret is stored in Active Directory
- Use Group Policy to apply the Domain Controller security template to all DCs


Using Security Templates for Specific Server Roles
- Servers that perform specific roles can be organized by OU under the Member Servers OU
- First, apply the Member Server Baseline template to the Member Servers OU
- Then, apply the appropriate role-based security template to each OU under the Member Servers OU
- Customize security templates for servers that perform multiple roles

Specific Roles
- Infrastructure Server (WINS\DHCP)
  - Configure DHCP Logging
  - Protect against DHCP Denial of Service attacks
- File Server
  - Consider disabling DFS and FRS if they are not required
  - Secure shared files and folders by using NTFS and share permissions
- Print Server
  - Ensure that the Print Spooler service is enabled
  - Ensure that SMB signing is disabled
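The two slides above layer role templates over the Member Server Baseline and ask for customized templates on multi-role servers. The following Python sketch is an added example, not part of the presentation or the Security Guide: it parses security-template (.inf) text, lists what a role template changes relative to the baseline, and flags settings on which two role templates disagree. The template contents, `SIGNING`, and all function names are constructed for illustration.

```python
import csv

# Constructed sample templates in security-template (.inf) syntax; the values are
# illustrative and are not copied from the Windows Server 2003 Security Guide.
SIGNING = r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature"
BASELINE = f'''[Service General Setting]
"Spooler",4,""
[Registry Values]
{SIGNING}=4,1
'''
PRINT_ROLE = f'''[Service General Setting]
"Spooler",2,""
[Registry Values]
{SIGNING}=4,0
'''
FILE_ROLE = f'''[Service General Setting]
"Dfs",4,""
"Spooler",4,""
[Registry Values]
{SIGNING}=4,1
'''

def parse_template(text):
    """Return {(section, setting): value} for the body of a security template."""
    settings, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service General Setting":
            fields = next(csv.reader([line]))  # "name",startup,"security descriptor"
            settings[(section, fields[0])] = fields[1]  # 2=automatic, 3=manual, 4=disabled
        else:
            key, _, value = line.partition("=")
            settings[(section, key.strip())] = value.strip()
    return settings

def overrides(baseline, role):
    """Settings where the role template changes a value the baseline sets."""
    return {k: (baseline[k], v) for k, v in role.items() if baseline.get(k, v) != v}

def conflicts(role_a, role_b):
    """Settings two role templates both define with different values."""
    return {k: (role_a[k], role_b[k]) for k in role_a.keys() & role_b.keys() if role_a[k] != role_b[k]}

if __name__ == "__main__":
    base, prn, fil = map(parse_template, (BASELINE, PRINT_ROLE, FILE_ROLE))
    print("print role overrides:", overrides(base, prn), "conflicts:", conflicts(prn, fil))
```

Every key reported by `conflicts` is a setting that has to be decided by hand in the customized template for a server that holds both roles.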

Security Configuration Wizard
Guided Attack Surface Reduction for Windows Servers
- Security Coverage
  - Roles-Based Metaphor
  - Disables Unnecessary Services
  - Disables Unnecessary IIS Web Extensions
  - Blocks unused Ports, including multi-homed scenarios
  - Helps Secure Ports that are left open using IPSEC
  - Reduces protocol exposure (LDAP, NTLM, SMB)
  - Configures Audit Setting with high Signal to Noise
- Security for mere mortals
  - Roles-based makes answering questions easy
  - Automated versus Paper-Based Guidance
  - Fully tested and supported by Microsoft

SCW Operational Coverage
- Rollback, when applied policies disrupt service expectation
- Analysis, to check that machines are in compliance with policies
- Remotability for configuration and analysis operations
- Command Line Support for remote config and analysis en masse
- Active Directory Integration for Group Policy-based deployment
- Editing of previously created policies, when machines are repurposed
- XSL Views of Knowledge base, policies and analysis results

Hardening IIS6 Web Servers
- Apply the security settings in the IIS Server security template
- Manually configure each IIS server
- IIS Lockdown is built into IIS 6
- Some functionality of URLScan is built into IIS 6, however URLScan can be installed on IIS6
- Enable only essential IIS components
- IIS 6 is NOT installed on Windows Server 2003 by default
- Configure NTFS permissions for all folders that contain Web content
- Store Web content on a dedicated disk volume
- If possible, do not enable both the Execute and Write permissions on the same Web site
- Use IPSec filters to allow only ports 80 and 443

Best Practices for Hardening Servers for Specific Roles
- Secure well-known user accounts
- Enable only services required by role
- Enable service logging to capture relevant information
- Use IPSec filtering to block specific ports based on server role
- Modify templates as needed for servers with multiple roles

Event Information
- What’s Next? Technical Roadshow Post Event Website
- Available from Monday 18th April
- Please complete your Evaluation Form!

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.