Slide 1: Hardening Small Business Server 2003
SBS Security HOWTO
Published: July 2005
Dana Epp, Computer Security Software Architect, Scorpion Software Corp.
Slide 2: Agenda
- Understanding the SBS architecture from a security perspective
- Network security management
- Patch management
- Hardening the core OS
- Hardening the services
- Audit and logging
- Other considerations
Slide 3: Risks of SBS from an information security perspective
- To effectively secure something, you must mitigate the risks associated with it by removing the threats around it.
- Isolating critical business resources and services on their own machines, then strengthening what each machine offers under the rule of least privilege, significantly reduces the attack surface of the object you are trying to secure.
- SBS ignores both of these points by having everything on a single machine.
Slide 4: Reducing the Attack Surface of SBS
- Network security management
- Patch management
- Hardening
Slide 5: Mitigating Risks on SBS
- Thorough network security management
  - Layered defenses
  - Least privilege packet control
- Extreme vigilance in patch management
  - NOT just the core OS
  - Consider tools like WSUS and HFNetChkPro
- Hardening of all critical components on the server
  - Use Microsoft Security Guidelines and Best Practices
  - Use the built-in SBS wizards when possible
Slide 6: MINIMUM SBS Network Ports to Allow Through the Firewall
- 25 - SMTP (Exchange mail)
- 443 - HTTPS (secure IIS web)
- 444 - SharePoint (ONLY if you want Companyweb/SharePoint externally available)
- 4125 - Remote Web Workplace access (RDP via web)
Slide 7: Secondary SBS Network Ports to Allow Through the Firewall
- 20/21 - FTP
- 80 - HTTP (unencrypted IIS web)
- 139 - SMB over NetBIOS (for file and print)
- 445 - License Logging service
- 1723 - VPN (PPTP)
- 3389 - RDP (Terminal Services)
Slide 8: Why Patch Management is Important
Patch management mitigates and lessens the impact of threats during the Window of Exposure.
Slide 9: Understanding the Window of Exposure
Slide 10: Real WOE Example - Blaster
Slide 11: Real WOE Example - Sasser
Slide 12: What about Antivirus and Antispyware?
- Very important as another layer of defense.
- You SHOULDN'T be running ANY applications, browsing the web or checking mail etc. ON the SBS server, which limits your exposure to malware in the first place.
- AV is reactive, making it a secondary line of defense that is not as critical as the proactive measures discussed here.
Slide 13: SBS "Onion" Approach to Hardening
- ISA firewall policies
- Web server hardening
- Mail server hardening
- Database server hardening
- OS hardening
- Patch management
Slide 14: Microsoft's Hardening Guidelines and Security Best Practices
- Don't EXIST for Small Business Server
- Have POTENTIALLY conflicting information between guides (i.e. Srv03 vs Exchange 03)
- Should be FULLY understood before use
- ARE well documented if you take the time to read them (you are looking at over 600 pages of information)
- Include helpful templates to import via GPO
Slide 15: Hardening Guides
- Operating system hardening
  - Windows Server 2003 Security Guide
  - Includes info for web server hardening
- Mail server hardening
  - Microsoft Exchange Server 2003 Security Hardening Guide
- Database hardening
  - SQL Server 2000 Security Features and Best Practices

* Links to hardening guides at end of presentation
Slide 16: Using Microsoft's Hardening Security GPO Templates
- Pros include:
  - Easy installation
  - Well tested
  - Well documented
- Cons include:
  - All or nothing approach
  - Blindly makes security decisions for you without knowing your network configuration
  - Not easy to ensure settings will stay configured over time
Slide 17: Password Policy Considerations
- Enforce password history = 24 remembered
- Maximum password age = 42 days
- Minimum password age = 2 days
- Minimum password length = 8 characters
- Password must meet complexity requirements = Enabled
- Store password using reversible encryption = Disabled
Slide 18: Account Lockout Policy Considerations
- Account lockout duration = 15 minutes
- Account lockout threshold = 20 attempts
- Reset account lockout counter after = 15 minutes
Slide 19: Hardening the Network Stack (tcp)
- EnableICMPRedirect = 0
- SynAttackProtect = 1
- EnableDeadGWDetect = 0
- EnablePMTUDiscovery = 0
- KeepAliveTime = 300,000
- DisableIPSourceRouting = 2
- TcpMaxConnectResponseRetransmissions = 2
- TcpMaxDataRetransmissions = 3
- PerformRouterDiscovery = 0
- TCPMaxPortsExhausted = 5

* Found in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\
Slide 20: Hardening the Network Stack (afd.sys)
- DynamicBacklogGrowthDelta = 10
- EnableDynamicBacklog = 1
- MinimumDynamicBacklog = 20
- MaximumDynamicBacklog = 20000

* Found in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AFD\Parameters\
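The two registry slides above list the hardened values, but, as the slide on GPO templates notes, nothing ensures they stay configured over time. The following PowerShell script is an added example, not part of the presentation: it reads the live Tcpip and AFD parameters and reports every value that is missing or differs from the slide baseline. It assumes PowerShell 3 or later in an elevated session on the server being checked.

```powershell
# Added example (not from the presentation): compare the live TCP/IP and AFD
# registry values against the baseline from the two slides above and report drift.
# Assumes PowerShell 3 or later in an elevated session on the server being checked.
$Baseline = @{
    'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' = @{
        EnableICMPRedirect                   = 0
        SynAttackProtect                     = 1
        EnableDeadGWDetect                   = 0
        EnablePMTUDiscovery                  = 0
        KeepAliveTime                        = 300000
        DisableIPSourceRouting               = 2
        TcpMaxConnectResponseRetransmissions = 2
        TcpMaxDataRetransmissions            = 3
        PerformRouterDiscovery               = 0
        TCPMaxPortsExhausted                 = 5
    }
    'HKLM:\SYSTEM\CurrentControlSet\Services\AFD\Parameters' = @{
        DynamicBacklogGrowthDelta = 10
        EnableDynamicBacklog      = 1
        MinimumDynamicBacklog     = 20
        MaximumDynamicBacklog     = 20000
    }
}

function Test-StackHardening {
    param([hashtable]$Expected = $Baseline)
    foreach ($key in $Expected.Keys) {
        $live = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($name in $Expected[$key].Keys) {
            $want = $Expected[$key][$name]
            # A value that was never created is a finding too: Windows then uses
            # its built-in default rather than the hardened setting.
            $have = if ($live -and $live.PSObject.Properties[$name]) { $live.$name } else { $null }
            [pscustomobject]@{
                Service  = Split-Path (Split-Path $key -Parent) -Leaf
                Setting  = $name
                Expected = $want
                Actual   = $have
                Status   = if ($null -eq $have) { 'MISSING' } elseif ($have -eq $want) { 'OK' } else { 'DRIFT' }
            }
        }
    }
}

# Report deviations only; drop the Where-Object to see the full table.
Test-StackHardening | Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize
```

Scheduling this check and alerting on any MISSING or DRIFT row turns a one-time hardening step into something that can be verified continuously.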
Slide 21: Event Log Policy Considerations
- Maximum security log size: increase to 81,920 KB to allow for more in-depth auditing
- Retention method for security log: set to "As needed" to ensure wrapping is FIFO in the removal cycle (removes oldest items)
- Shut down system immediately if unable to log security audits: set to "Disabled" to prevent shutdown
Slide 22: Audit Policy Considerations
- Audit account logon events: Success, Failure
- Audit account management: Success, Failure
- Audit directory service access: No auditing
- Audit logon events: Success
- Audit object access: No auditing
- Audit policy change: Success
- Audit privilege use: No auditing
- Audit process tracking: No auditing
- Audit system events: Success
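The password, lockout and audit policy slides give target values but no way to confirm a server still matches them. The PowerShell script below is an added example, not from the presentation: it exports the effective local security policy with secedit.exe and compares the [System Access] and [Event Audit] entries against those slide values. It assumes PowerShell 3 or later, an elevated session, and the standard secedit INF key names; the 0/1/2/3 audit encoding is that of the INF format, not something the slides define.

```powershell
# Added example (not from the presentation): export the effective local
# security policy with secedit.exe and compare the password, lockout and
# audit settings against the values recommended on the slides.
# INF audit values: 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
$Baseline = @{
    'System Access' = @{
        PasswordHistorySize = 24; MaximumPasswordAge = 42; MinimumPasswordAge = 2
        MinimumPasswordLength = 8; PasswordComplexity = 1; ClearTextPassword = 0
        LockoutDuration = 15; LockoutBadCount = 20; ResetLockoutCount = 15
    }
    'Event Audit' = @{
        AuditAccountLogon = 3; AuditAccountManage = 3; AuditDSAccess = 0
        AuditLogonEvents = 1; AuditObjectAccess = 0; AuditPolicyChange = 1
        AuditPrivilegeUse = 0; AuditProcessTracking = 0; AuditSystemEvents = 1
    }
}

function Get-SecurityPolicy {
    # Export to a temp file, parse the INI-style text into nested hashtables, clean up.
    $inf = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    & secedit.exe /export /cfg $inf /quiet | Out-Null
    $policy = @{}; $section = $null
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $policy[$section] = @{}; continue }
        if ($section -and $line -match '^\s*([^=\s]+)\s*=\s*(.*?)\s*$') {
            $policy[$section][$Matches[1]] = $Matches[2].Trim('"')
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $policy
}

function Test-AccountAndAuditPolicy {
    $policy = Get-SecurityPolicy
    foreach ($section in $Baseline.Keys) {
        foreach ($name in $Baseline[$section].Keys) {
            $want = $Baseline[$section][$name]
            # A key absent from the export means the setting was never defined: also a finding.
            $have = if ($policy.ContainsKey($section)) { $policy[$section][$name] } else { $null }
            [pscustomobject]@{
                Section = $section; Setting = $name; Expected = $want; Actual = $have
                Status  = if ($null -eq $have) { 'MISSING' } elseif ([string]$have -eq [string]$want) { 'OK' } else { 'DRIFT' }
            }
        }
    }
}

# Report deviations only; drop the Where-Object to see the full table.
Test-AccountAndAuditPolicy | Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize
```

On a domain controller the exported values reflect the effective policy after GPO processing, so a DRIFT row usually points at a GPO that overrides the intended setting rather than at a local change.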
Slide 23: A Simpler Way to do Hardening...
Slide 25: Resources
- Windows Server 2003 Security Guide: http://www.microsoft.com/technet/security/prodtech/windowsserver2003/W2003HG/SGCH00.mspx
- Microsoft Exchange Server 2003 Security Hardening Guide: http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/exsecure.mspx
- SQL Server 2000 Security Features and Best Practices: http://www.microsoft.com/technet/prodtechnol/sql/2000/maintain/sp3sec00.mspx
- How To Harden the TCP Stack: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod109.asp
- Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP: http://go.microsoft.com/fwlink/?linkid=15160
- Dana Epp's personal blog: http://silverstr.ufies.org/blog/
Slide 26
This document is provided for informational purposes only. SCORPION SOFTWARE MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2003-2005 Scorpion Software Corp. All rights reserved. This presentation is for informational purposes only. SCORPION SOFTWARE MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Scorpion Software, Carina, SES, and IPLinks are either registered trademarks or trademarks of Scorpion Software Corp in Canada and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.