Securing Windows Internet Servers 23.org / Covert Systems Jon Miller Senior Security Engineer Covert Systems, Inc.


Installation: Upgrading?
- Always try to use a fresh install and migrate existing data over
- Make sure to convert to NTFS
- Default Security Settings are not applied; you must apply them manually using MMC

Installation: Service Packs
- Always check Windows Update and TechNet to make sure you have the most current patches and SPs
- HFNETCHK

File Systems: NTFS or FAT

Services
- Always decide what services you require prior to installation
- Never install superfluous services
- Now is the time to decide what form of remote administration software, if any, you will use: Terminal Server, Vshell (SSH & SFTP)

Services: COMPAQ installation (screenshot slide)

Network Configuration
- TCP/IP should be the only protocol
- Use TCP/IP Filtering (and IPSec when applicable)
- Nmap the server to make sure you don’t have any surprise ports open
- If it is an IIS box it can NEVER be on a domain
- Use a second Ethernet card for remote admin and have only the “Internet Service” on the primary interface
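The slide's "nmap the server" check has a local counterpart: compare what the box is actually listening on with the ports it is meant to expose. The PowerShell script below is an added example, not part of the original presentation; the allow-list of 80 and 443 is an assumption for an IIS-only box and should be adjusted to the server's role. It parses netstat rather than Get-NetTCPConnection so it also runs on older Windows builds.

```powershell
# Added example, not from the original slides. Compare the TCP ports the server
# is actually listening on with the ports this box is meant to expose.
# $AllowedPorts is an assumption for an IIS-only box; adjust it for the role.
$AllowedPorts = @(80, 443)

# Parse 'netstat -ano' rather than Get-NetTCPConnection so the script also runs
# on older Windows builds. Each LISTENING line looks like:
#   TCP    0.0.0.0:80    0.0.0.0:0    LISTENING    4
$listeners = foreach ($line in (netstat -ano)) {
    if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
        New-Object PSObject -Property @{
            Address   = $Matches[1]
            Port      = [int]$Matches[2]
            ProcessId = [int]$Matches[3]
        }
    }
}

# Loopback listeners are kept in the report on purpose: they still show which
# software is installed and running, even if they are not reachable remotely.
$unexpected = $listeners | Where-Object { $AllowedPorts -notcontains $_.Port }

if (-not $unexpected) {
    Write-Host "Only allowed ports are listening: $($AllowedPorts -join ', ')"
} else {
    Write-Host 'Listeners outside the allow-list (candidates to remove or filter):'
    foreach ($l in ($unexpected | Sort-Object Port)) {
        $proc = Get-Process -Id $l.ProcessId -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { '?' }
        # Address shows the interface the service is bound to: on a box with a
        # separate admin NIC, anything on the Internet-facing address that is
        # not the web service is a finding.
        "{0,-24} port {1,-6} pid {2,-6} {3}" -f $l.Address, $l.Port, $l.ProcessId, $name
    }
}
```

Run it from an elevated prompt so the process names resolve; the bound address column is what tells you whether a service is on the admin interface or the Internet-facing one.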

Using the MMC
- Customize your own security template and use it
- Establish standards within your template that apply to all servers, from “PDCs” to desktops

Security Configuration
- Password complexity / length
- Event log access
- Always remember (keep a history of) passwords so they cannot be reused
- Define permissions for services
- Rename the Administrator account

Common Sense
- Delete or rename files that may be used against you in the event of an attack
- Create partitions or move the directory structure to protect against directory traversal
- Do you really use MS TFTP?
- Remove OWA: do you really want an IIS server running on your company’s mail server?
- Rename CMD.exe
- Microsoft Security Alerts: microsoft.com/technet/security/notify.asp

IIS 4 / 5
- Try to run only base services
- The services below are the only services required to run a functional IIS server:
  – Event Log
  – License Logging Service
  – Windows NTLM Security Support Provider
  – Remote Procedure Call (RPC) Service
  – Windows NT Server or Windows NT Workstation
  – IIS Admin Service
  – MSDTC
  – World Wide Web Publishing Service
  – Protected Storage
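To see how far a given box is from the minimal list above, the following PowerShell script reports every running service whose display name is not on it. It is an added example, not from the original presentation. The wildcard patterns are an assumption: service display names changed between Windows releases (the slide's "Windows NT Server or Windows NT Workstation" entry corresponds to the "Server" and "Workstation" services, and MSDTC is "Distributed Transaction Coordinator"), so adjust them to the build you are auditing. It only reports; stopping or disabling is left to the administrator.

```powershell
# Added example, not from the original slides. Report running services that
# are not on the minimal IIS list. Report only: stopping or disabling is left
# to the administrator, since dependent services and backup/monitoring agents
# differ per box. The patterns are an assumption; display names vary by release.
$RequiredPatterns = @(
    '*Event Log*',
    'License Logging*',
    '*LM Security Support Provider*',
    'Remote Procedure Call (RPC)',
    'Server',
    'Workstation',
    'IIS Admin*',
    'Distributed Transaction Coordinator',
    'World Wide Web Publishing*',
    'Protected Storage'
)

function Test-RequiredService {
    param([string]$DisplayName)
    foreach ($pattern in $RequiredPatterns) {
        if ($DisplayName -like $pattern) { return $true }
    }
    return $false
}

$extra = Get-Service |
    Where-Object { $_.Status -eq 'Running' -and -not (Test-RequiredService $_.DisplayName) }

if (-not $extra) {
    Write-Host 'No running services outside the minimal IIS list.'
} else {
    Write-Host "Running services not on the minimal IIS list ($(@($extra).Count)):"
    $extra | Sort-Object DisplayName | ForEach-Object {
        # DependentServices shows what would break if this service were stopped,
        # which is the first thing to check before disabling anything.
        $deps = ($_.DependentServices | ForEach-Object { $_.Name }) -join ', '
        "{0,-28} {1,-45} dependents: {2}" -f $_.Name, $_.DisplayName, $deps
    }
}
```

Review the output together with the vendor's own documentation for the box (OEM agents, backup clients) before deciding what to disable; the dependents column is there so that nothing required is stopped by accident.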

Stuff to Remove
- C:\inetpub sample files:
  – c:\inetpub\iissamples
  – c:\inetpub\iissamples\sdk
  – c:\inetpub\AdminScripts
  – c:\Program Files\Common Files\System\msadc\Samples
- HTW mapping
- IISADMPWD
- RDS (Remote Data Services)

Stuff to Remove
- Parent Paths? (disabling them disallows “..”; *be careful*): Web server | Properties | Home Directory | Configuration | App Options
- Script Mappings (.htr, .idc, .stm, .shtml, .shtm, .printer, .ida, .idq, .hta): Web server | Properties | Master Properties | WWW Service | Edit | Home Directory | Configuration

Misc.
- Restrict Anonymous: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
  Name: RestrictAnonymous
  Type: REG_DWORD
  Value: 1

Permissions
- Set your ACLs (next page)
- Make sure that the IIS log files are not publicly readable: winnt\system32\LogFiles
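Three of the items above (the sample and admin-script directories, the RestrictAnonymous value, and the readability of the IIS log directory) can be verified after install with one read-only PowerShell check. The script is an added example, not from the original presentation; the paths are the ones the slides list, $env:SystemRoot is assumed to resolve the winnt\ directory on the local box, and the script changes nothing.

```powershell
# Added example, not from the original slides. Read-only post-install check:
# sample/admin directories gone, RestrictAnonymous = 1, and no ACE on the IIS
# log directory that lets Everyone read it. Paths are from the slides.
$findings = @()

# 1. Sample content the slides say to remove
$ShouldBeGone = @(
    'C:\inetpub\iissamples',
    'C:\inetpub\iissamples\sdk',
    'C:\inetpub\AdminScripts',
    'C:\Program Files\Common Files\System\msadc\Samples'
)
foreach ($path in $ShouldBeGone) {
    if (Test-Path -LiteralPath $path) { $findings += "sample content still present: $path" }
}

# 2. RestrictAnonymous (slide: REG_DWORD, value 1)
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ra = (Get-ItemProperty -Path $lsaKey -Name RestrictAnonymous -ErrorAction SilentlyContinue).RestrictAnonymous
if ($ra -ne 1) { $findings += "RestrictAnonymous is '$ra' (expected 1)" }

# 3. IIS log files must not be publicly readable
$logDir = Join-Path $env:SystemRoot 'system32\LogFiles'
if (Test-Path -LiteralPath $logDir) {
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    foreach ($ace in (Get-Acl -Path $logDir).Access) {
        # Any Allow ACE for Everyone that includes ReadData exposes the logs.
        if ($ace.IdentityReference.Value -eq 'Everyone' -and
            $ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $readData) -ne 0)) {
            $findings += "Everyone can read ${logDir}: $($ace.FileSystemRights)"
        }
    }
} else {
    $findings += "log directory not found: $logDir"
}

if ($findings.Count -eq 0) {
    Write-Host 'OK: no findings.'
} else {
    Write-Host "Findings ($($findings.Count)):"
    $findings | ForEach-Object { " - $_" }
}
```

The log-directory check looks only at the directory's own ACL; if the log files were created before the ACL was tightened, run the same check against the individual files as well.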

Permissions

Content type                                Everyone   Administrators   System
CGIs (.exe, .dll, .cmd, .pl)                X          Full Control     Full Control
Script files (.asp)                         X          Full Control     Full Control
Include files (.inc, .shtm, .shtml)         X          Full Control     Full Control
Static content (.txt, .gif, .jpg, .html)    R          Full Control     Full Control

Exchange
- Exchange is one of the few servers that does outgoing mail authentication well; take advantage of that and don’t have an open relay (5.5)
- Anti-virus
- Use Encrypted File System (EFS) to protect data

Exchange Internet Mail Connector
- Limit your outgoing size
- Relaying from DMZ server to Exchange:
  – Use sendmail to relay all mail to an internal Exchange server
  – Or with another copy of Exchange: install Exchange, add the Internet Mail Connector, and add it to your existing site. No mailboxes or folders are required

Exchange Setup
- Exchange Administrators (2000): not all admins are full admins
  – Exchange Administrator
  – Exchange Full Administrator
  – Exchange View Only Administrator
- Security Page: HKCU\Software\Microsoft\Exchange\ExAdmin
  Value: ShowSecurityPage
  Data: 1 (REG_DWORD)
- Tracking Logs: remove Everyone Read on \Exchsrvr\%COMPUTERNAME%.log

Outlook Web Access
- Lock down IIS
- Use SSL
- Front End / Back End mode

Exchange Diagram

Tools
- URLScan (Microsoft)
- Baseline Security Analyzer (Microsoft)
- IIS Lockdown (Microsoft)
- SecureIIS (eEye)
- Tripwire for NT (Tripwire)
- Anti-Virus (Symantec, McAfee)
- Hire a security company

Q & A Y’all ask me stuff