1
Implementing Server Security on Windows 2000 and Windows Server 2003
Jurgen Van Duvel Systems Engineer M
2
W32.SASSER (A, B, C or D): What's This?
- 445/tcp
- adserver.exe
- avserve.exe, avserve2.exe
- FTP server on 5554/tcp
- Command shell on 9996/tcp
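The slide lists host-side indicators of a Sasser infection: listeners on 5554/tcp and 9996/tcp and the dropped image names. The following script is an added example (not part of the Microsoft deck) that turns those indicators into a check over a constructed `netstat -ano`-style listing and a constructed pid-to-image table; both samples are made up for the demonstration.

```python
"""Check a netstat-style listing for the W32.Sasser indicators on the
slide: TCP listeners on 5554 (FTP server) and 9996 (command shell), and
sockets owned by the dropped executables. Added example; SAMPLE_NETSTAT
and SAMPLE_PROCESSES are constructed, not captured from a real host."""

# Indicators taken from the slide.
SASSER_PORTS = {5554: "Sasser FTP server", 9996: "Sasser command shell"}
SASSER_FILES = {"avserve.exe", "avserve2.exe", "adserver.exe"}

# Constructed sample in the layout of `netstat -ano` (proto, local, foreign,
# state, pid); UDP rows have no state column.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       724
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING       1588
  TCP    0.0.0.0:9996           0.0.0.0:0              LISTENING       1588
  TCP    10.0.0.5:1026          10.0.0.9:445           ESTABLISHED     1588
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed pid -> image name table, as `tasklist` would report it.
SAMPLE_PROCESSES = {4: "System", 724: "svchost.exe", 1588: "avserve2.exe"}


def parse_netstat(text):
    """Return (proto, local_port, state, pid) for each connection row."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        local_port = int(fields[1].rsplit(":", 1)[1])
        state = fields[3] if len(fields) == 5 else ""
        rows.append((fields[0], local_port, state, int(fields[-1])))
    return rows


def find_sasser_indicators(netstat_text, processes):
    """Return the Sasser ports found listening and the pids whose image
    name is one of the dropped executables."""
    hit_ports, hit_pids = set(), set()
    for proto, port, state, pid in parse_netstat(netstat_text):
        if proto == "TCP" and state == "LISTENING" and port in SASSER_PORTS:
            hit_ports.add(port)
        if processes.get(pid, "").lower() in SASSER_FILES:
            hit_pids.add(pid)
    return {"ports": sorted(hit_ports), "pids": sorted(hit_pids)}


if __name__ == "__main__":
    result = find_sasser_indicators(SAMPLE_NETSTAT, SAMPLE_PROCESSES)
    for port in result["ports"]:
        print(f"{SASSER_PORTS[port]} listening on {port}/tcp")
    for pid in result["pids"]:
        print(f"pid {pid} ({SAMPLE_PROCESSES[pid]}) owns sockets")
```

A listener on either port is the cheaper signal: image names change between variants, but the ports on this slide were stable across A through D.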
3
Agenda
- Introduction
- Implementing Advanced Server Security
- Methods for Securing IIS Server
- Protecting Exchange Server
- Protecting SQL Server
- Providing Data Security
4
Defense in Depth
Using a layered approach:
- Increases an attacker's risk of detection
- Reduces an attacker's chance of success
Layers and their controls:
- Policies, Procedures, & Awareness: user education
- Physical Security: guards, locks, tracking devices
- Perimeter: firewalls, VPN quarantine
- Internal Network: network segments, IPSec, NIDS
- Host: OS hardening, update management, authentication, HIDS
- Application: application hardening, antivirus
- Data: ACL, encryption
5
Why Application Security Matters
- Perimeter defenses provide limited protection
- Many host-based defenses are not application specific
- Most modern attacks occur at the application layer
6
Why Data Security Matters
- Secure your data as the last line of defense
- Configure file permissions
- Configure data encryption
- Protects the confidentiality of information when physical security is compromised
7
Core Active Directory Security Practices
- Establish secure Active Directory boundaries
- Strengthen domain policy settings
- Use a role-based OU hierarchy
- Establish secure administrative practices
- Harden DNS
8
Core Server Security Practices
- Apply the latest Service Pack and all available security patches
- Use Group Policy to harden servers
  - Disable services that are not required
  - Implement strict password policies
  - Disable LAN Manager and NTLMv1 authentication
- Restrict physical and network access to servers
9
Agenda
- Introduction
- Implementing Advanced Server Security
- Methods for Securing IIS Server
- Protecting Exchange Server
- Protecting SQL Server
- Providing Data Security
10
Services You Might Want to Disable
- ClipBook
- Error Reporting Service
- HTTP SSL
- IMAPI CD-Burning COM Service
- Indexing Service
- Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
- Messenger
- Microsoft POP3 Service
- NetMeeting® Remote Desktop Sharing
- Remote Access Auto Connection Manager
- Remote Access Connection Manager
- World Wide Web Publishing Service
11
Services You Should Not Disable
- Cryptographic Services
- DHCP Client
- DNS Client
- Event Log
- IPSec Services
- Netlogon
- NTLM Security Support Provider
- Plug and Play
- Protected Storage
- Remote Procedure Call (RPC)
- Remote Registry Service
- Security Accounts Manager
- Server
- System Event Notification
- TCP/IP NetBIOS Helper
- Windows Installer
- Windows Management Instrumentation
- Windows Time
- Workstation
12
Determining Service Dependencies
- Determine service dependencies before disabling a service
- Use the Services snap-in in Computer Management to view service dependencies
13
Configuring Services on Servers That Perform Multiple Roles
- Security templates contain settings that control service behavior
- Use Group Policy to apply a modified, role-specific security template to servers that perform multiple roles
14
Securing Servers by Using IPSec Filtering
- In general, block all traffic to and from the server except that which is required by the server to fulfill its role
- Test the IP Security Policy before deploying
- Use the IP Security Policy Management snap-in, Group Policy, or scripting to configure IPSec filtering
- Use specific IPSec filters for servers based on their server role
15
IPSec Filters for Domain Controllers
Service | Protocol | Source Port | Destination Port | Source Address | Destination Address | Action | Mirror
CIFS/SMB Server | TCP, UDP | Any | 445 | Any | Me | Allow | Yes
RPC Server | TCP, UDP | Any | 135 | Any | Me | Allow | Yes
NetBIOS Server | UDP | Any | 137 | Any | Me | Allow | Yes
NetBIOS Server | UDP | Any | 138 | Any | Me | Allow | Yes
NetBIOS Server | TCP | Any | 139 | Any | Me | Allow | Yes
Monitoring Client | Any | Any | Any | Me | MOM Server | Allow | Yes
Terminal Services Server | TCP | Any | 3389 | Any | Me | Allow | Yes
Global Catalog Server | TCP | Any | 3268, 3269 | Any | Me | Allow | Yes
16
IPSec Filters for Domain Controllers (Continued)
Service | Protocol | Source Port | Destination Port | Source Address | Destination Address | Action | Mirror
DNS Server | TCP, UDP | Any | 53 | Any | Me | Allow | Yes
Kerberos Server | TCP, UDP | Any | 88 | Any | Me | Allow | Yes
LDAP Server | TCP, UDP | Any | 389 | Any | Me | Allow | Yes
LDAP Server | TCP | Any | 636 | Any | Me | Allow | Yes
NTP Server | UDP | Any | 123 | Any | Me | Allow | Yes
Predefined RPC Range | TCP | Any | RPC range | Any | Me | Allow | Yes
DC Comms | Any | Any | Any | Me | Domain Controller 1 | Allow | Yes
DC Comms | Any | Any | Any | Me | Domain Controller 2 | Allow | Yes
ICMP | ICMP | Any | Any | Me | Any | Allow | Yes
All Inbound Traffic | Any | Any | Any | Any | Me | Block | Yes
17
Registry Entries for Securing Domain Controllers
When using IPSec filtering on a domain controller:
- Use a small range of dynamic RPC ports to support the client logon process
- Include ports over 50,000
- Limit the range of dynamic RPC ports by configuring registry settings on all domain controllers
- 50 ports should be enough (*)
(*) Depends on the number of clients to support
18
How to Create an IP Security Policy
1. Open GPMC
2. Edit the GPO in which you want to assign the IP Security Policy
3. Create one or more IPSec filter lists
4. Create one or more filter actions
5. Create an IP Security Policy
6. Within the IP Security Policy, create an IP Security Rule for each filter list you created
7. Assign the IP Security Policy
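The two filter tables, the dynamic RPC port range and the "test before deploying" advice above all come down to one question: for a given packet, which filter wins and what does it do? The following model is an added example, not Microsoft's code and not a call into the Windows IPSec API. It encodes a representative subset of the domain controller rows and reproduces the three semantics that trip people up when testing a policy: "Me" resolves to this host's address, a mirrored filter also matches the reply direction, and the most specific matching filter applies regardless of list order. The addresses and the 50-port RPC range (the range the registry settings on the previous slide would pin) are constructed values.

```python
"""Model of the domain controller IPSec filter list from the 'IPSec
Filters for Domain Controllers' slides (a representative subset of rows).
Added example: it does not program Windows IPSec; it reproduces the
matching semantics so a policy can be reasoned about before assignment.
ME, DC2, MOM_SERVER and RPC_RANGE are constructed values."""
from dataclasses import dataclass

ANY = "ANY"
ME = "10.0.0.10"          # constructed: address of this domain controller
DC2 = "10.0.0.11"         # constructed: peer domain controller
MOM_SERVER = "10.0.0.20"  # constructed: MOM management server
RPC_RANGE = range(57901, 57951)  # constructed 50-port dynamic RPC range above 50,000


@dataclass(frozen=True)
class Filter:
    name: str
    proto: str      # "TCP", "UDP", "ICMP" or ANY
    sport: object   # int, range or ANY
    dport: object   # int, range or ANY
    src: str        # address or ANY
    dst: str        # address or ANY
    action: str     # "ALLOW" or "BLOCK"
    mirror: bool = True


# Subset of the slide rows, in slide order.
DC_FILTERS = [
    Filter("CIFS/SMB Server", "TCP", ANY, 445, ANY, ME, "ALLOW"),
    Filter("RPC Server", "TCP", ANY, 135, ANY, ME, "ALLOW"),
    Filter("Monitoring Client", ANY, ANY, ANY, ME, MOM_SERVER, "ALLOW"),
    Filter("DNS Server", "UDP", ANY, 53, ANY, ME, "ALLOW"),
    Filter("Kerberos Server", "UDP", ANY, 88, ANY, ME, "ALLOW"),
    Filter("LDAP Server", "TCP", ANY, 389, ANY, ME, "ALLOW"),
    Filter("Predefined RPC Range", "TCP", ANY, RPC_RANGE, ANY, ME, "ALLOW"),
    Filter("DC Comms", ANY, ANY, ANY, ME, DC2, "ALLOW"),
    Filter("ICMP", "ICMP", ANY, ANY, ME, ANY, "ALLOW"),
    Filter("All Inbound Traffic", ANY, ANY, ANY, ANY, ME, "BLOCK"),
]


def _port_ok(spec, port):
    if spec == ANY:
        return True
    return port in spec if isinstance(spec, range) else port == spec


def _one_way(f, proto, src, sport, dst, dport):
    return (f.proto in (ANY, proto) and f.src in (ANY, src) and f.dst in (ANY, dst)
            and _port_ok(f.sport, sport) and _port_ok(f.dport, dport))


def matches(f, proto, src, sport, dst, dport):
    """A mirrored filter also matches the same packet with its endpoints
    swapped; that is what lets the server's replies out."""
    return (_one_way(f, proto, src, sport, dst, dport)
            or (f.mirror and _one_way(f, proto, dst, dport, src, sport)))


def specificity(f):
    """IPSec applies the most specific matching filter, not the first one
    listed; counting non-wildcard fields orders the filters on these slides."""
    return sum(field != ANY for field in (f.proto, f.sport, f.dport, f.src, f.dst))


def evaluate(filters, proto, src, sport, dst, dport):
    """Return (action, filter name). Traffic matching no filter is left
    alone by IPSec, which is why the slides end with an explicit
    'All Inbound Traffic' block row."""
    hits = [f for f in filters if matches(f, proto, src, sport, dst, dport)]
    if not hits:
        return "ALLOW", None
    best = max(hits, key=specificity)
    return best.action, best.name


if __name__ == "__main__":
    client = "10.0.0.55"  # constructed member workstation
    for pkt in [("TCP", client, 1040, ME, 445),     # SMB to the DC
                ("TCP", ME, 445, client, 1040),     # the DC's reply (mirror)
                ("TCP", client, 1041, ME, 57920),   # dynamic RPC endpoint
                ("TCP", client, 1042, ME, 1433),    # not a DC role port
                ("ICMP", client, 0, ME, 0),         # ping from a client
                ("TCP", ME, 1500, DC2, 389)]:       # traffic to the peer DC
        print(pkt, "->", evaluate(DC_FILTERS, *pkt))
```

The interesting cases are the last two: the ping is allowed because the ICMP row (two specific fields) outranks the catch-all block row (one), and LDAP to the peer DC is allowed by "DC Comms", not by the "LDAP Server" row, whose destination is Me. Run the real policy through the same set of packets, including replies, before assigning it.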
19
Security Auditing
Administrators should establish an audit policy. When establishing an audit policy:
- Analyze the threat model
- Consider system and user capabilities
- Test and refine the policy
- Consider centralized log monitoring
20
Microsoft Audit Collection Services (MACS)
[Architecture diagram] Monitored clients and monitored servers forward their event logs (via WMI) to a Collector in the management system, which stores them in SQL; from there they feed real-time intrusion detection and forensic analysis applications. Events still on the monitored hosts are subject to tampering; once collected they are under the control of auditors.
21
Recommended Audit Policy Settings for Member Servers
Recommended settings for an Enterprise Client environment:
- Audit account logon events: Success
- Audit account management
- Audit directory service access: Only if required by threat model
- Audit logon events
- Audit object access
- Audit policy change
- Audit privilege use: No auditing
- Audit process tracking
- Audit system events
22
Auditing Using EventCombMT to View Event Logs
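The audit policy above only pays off if someone reads the logs, which is what the "centralized log monitoring" point and tools such as EventCombMT are for. The following script is an added example, not Microsoft's tooling, of the two reviews an administrator runs most often over collected Security logs: a sliding-window count of logon failures per source workstation, and a listing of administrative events that should always be reviewed. The records are constructed; the event IDs are the Windows 2000/2003 Security log IDs (528 successful logon, 529 logon failure with bad user name or password, 612 audit policy change, 624 user account created).

```python
"""Review of exported Security log records of the kind EventCombMT
collects from many servers. Added example; SAMPLE_LOG is constructed.
Columns: time, server, event id, outcome, user name, source workstation."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2004-05-03 09:12:01,SRV01,529,Failure,jsmith,WKS17
2004-05-03 09:12:03,SRV01,529,Failure,jsmith,WKS17
2004-05-03 09:12:04,SRV01,529,Failure,admin,WKS17
2004-05-03 09:12:06,SRV01,529,Failure,backup,WKS17
2004-05-03 09:12:07,SRV01,529,Failure,sa,WKS17
2004-05-03 09:12:09,SRV01,528,Success,jsmith,WKS17
2004-05-03 09:30:00,SRV02,612,Success,SYSTEM,SRV02
2004-05-03 09:31:15,SRV02,624,Success,ops-admin,SRV02
2004-05-03 11:00:00,SRV01,529,Failure,mlee,WKS03
2004-05-03 11:10:00,SRV01,529,Failure,mlee,WKS03
"""

LOGON_FAILURE = 528 + 1          # event 529
FAIL_THRESHOLD = 5               # failures within WINDOW that trigger a finding
WINDOW = timedelta(minutes=5)
REVIEW_EVENTS = {612: "audit policy change", 624: "user account created"}


def parse_log(text):
    """Parse the comma-separated export into dicts, oldest record first."""
    records = []
    for line in text.splitlines():
        ts, server, event_id, outcome, user, source = line.split(",")
        records.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "server": server, "id": int(event_id),
                        "outcome": outcome, "user": user, "source": source})
    return sorted(records, key=lambda r: r["time"])


def find_logon_failure_bursts(records):
    """Return {(server, source workstation): peak failures within WINDOW}
    for sources that reach FAIL_THRESHOLD. Several user names failing from
    one workstation in seconds is the password-guessing pattern; two
    failures ten minutes apart from the same user is a typist."""
    recent = defaultdict(deque)
    bursts = {}
    for r in records:
        if r["id"] != LOGON_FAILURE:
            continue
        key = (r["server"], r["source"])
        q = recent[key]
        q.append(r["time"])
        while q and r["time"] - q[0] > WINDOW:
            q.popleft()                      # drop failures outside the window
        if len(q) >= FAIL_THRESHOLD:
            bursts[key] = max(bursts.get(key, 0), len(q))
    return bursts


def find_review_events(records):
    """Return (time, server, description, user) for events in REVIEW_EVENTS;
    these are low-volume and every one deserves a human reader."""
    return [(r["time"].isoformat(sep=" "), r["server"], REVIEW_EVENTS[r["id"]], r["user"])
            for r in records if r["id"] in REVIEW_EVENTS]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (server, source), count in find_logon_failure_bursts(recs).items():
        print(f"{server}: {count} logon failures from {source} within {WINDOW}")
    for when, server, what, user in find_review_events(recs):
        print(f"{server} {when}: {what} by {user}")
```

The window and threshold are the two knobs to tune against your own baseline; the 612 check is the one that catches an intruder switching auditing off before doing anything else.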
23
Agenda
- Introduction
- Implementing Advanced Server Security
- Methods for Securing IIS Server
- Protecting Exchange Server
- Protecting SQL Server
- Providing Data Security
24
IIS Lockdown Tool
- The IIS Lockdown Tool turns off unnecessary features to reduce the attack surface of IIS 4.0, IIS 5.0, and IIS 5.1
- To provide defense in depth, the Lockdown Tool integrates URLScan, which includes customized templates for each supported server role
25
IIS Lockdown Results (X denotes enabled)
26
URLScan
- URLScan helps prevent potentially harmful requests from reaching the server
- URLScan restricts the types of HTTP requests that IIS will process:
  - Requests for long URLs
  - Requests using alternate character sets
  - Requests containing disallowed methods
  - Requests matching any pattern
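The four request classes the slide lists map directly onto settings in UrlScan.ini. The following is an added example, not the URLScan code, of a small parser for that configuration format and a checker that applies the same decisions to a request line. The configuration text is constructed, but the section and option names used (`[Options]` with `UseAllowVerbs`, `NormalizeUrlBeforeScan`, `VerifyNormalization`, `AllowHighBitCharacters`, `AllowDotInPath`, `MaxUrl`, and the `[AllowVerbs]`, `[DenyUrlSequences]` and `[DenyExtensions]` lists) are real UrlScan.ini names; the request samples in the usage block are constructed.

```python
"""UrlScan.ini-style parser and request checker. Added example modelling
the URLScan decisions on the slide; SAMPLE_INI is constructed."""
from urllib.parse import unquote

SAMPLE_INI = """\
[Options]
UseAllowVerbs=1            ; only verbs in [AllowVerbs] are accepted
NormalizeUrlBeforeScan=1   ; URL-decode once before scanning
VerifyNormalization=1      ; reject if decoding again changes the URL
AllowHighBitCharacters=0   ; reject non-ASCII (alternate character sets)
AllowDotInPath=0           ; reject paths with more than one period
MaxUrl=260                 ; reject long URLs
[AllowVerbs]
GET
HEAD
POST
[DenyUrlSequences]
..
./
\\
:
%
[DenyExtensions]
.exe
.bat
.cmd
.ida
"""


def parse_ini(text):
    """Parse [Section] headers, key=value lines under [Options] and bare
    entries in list sections; ';' starts a comment."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            cfg[section] = {} if section == "Options" else []
        elif section == "Options":
            key, _, value = line.partition("=")
            cfg["Options"][key.strip()] = value.strip()
        elif section is not None:
            cfg[section].append(line)
    return cfg


def _on(options, key):
    return options.get(key, "0") == "1"


def check_request(cfg, verb, url):
    """Return (allowed, reason); reason names the first failing check."""
    opt = cfg["Options"]
    if _on(opt, "UseAllowVerbs") and verb.upper() not in cfg.get("AllowVerbs", []):
        return False, f"verb {verb} not in AllowVerbs"
    if len(url) > int(opt.get("MaxUrl", "260")):
        return False, "URL longer than MaxUrl"
    scanned = url
    if _on(opt, "NormalizeUrlBeforeScan"):
        scanned = unquote(url)
        if _on(opt, "VerifyNormalization") and unquote(scanned) != scanned:
            return False, "URL is double-encoded"
    if not _on(opt, "AllowHighBitCharacters") and any(ord(c) > 127 for c in scanned):
        return False, "non-ASCII character in URL"
    for seq in cfg.get("DenyUrlSequences", []):
        if seq in scanned:
            return False, f"denied sequence {seq!r}"
    path = scanned.split("?", 1)[0]
    if not _on(opt, "AllowDotInPath") and path.count(".") > 1:
        return False, "multiple periods in path"
    last = path.rsplit("/", 1)[-1]
    ext = ("." + last.rsplit(".", 1)[1]).lower() if "." in last else ""
    if ext in cfg.get("DenyExtensions", []):
        return False, f"denied extension {ext}"
    return True, None


CFG = parse_ini(SAMPLE_INI)

if __name__ == "__main__":
    for verb, url in [("GET", "/default.htm"), ("TRACE", "/"),
                      ("GET", "/a/../b.htm"), ("GET", "/docs/%2541.htm"),
                      ("GET", "/tools/x.exe"), ("GET", "/" + "a" * 300)]:
        print(verb, url[:40], "->", check_request(CFG, verb, url))
```

Decoding once and then verifying that a second decode changes nothing is the check that catches double-encoded sequences, which is why the deny list is applied to the normalized URL and not to the raw one.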
27
Top 10 Things to Secure IIS 5.x
1. Harden the operating system and apply all relevant security patches
2. Remove unnecessary components
3. Run the IIS Lockdown Tool
4. Configure URLScan
5. Place content on a separate NTFS partition
6. Protect files by using minimal permissions
7. Require encryption for sensitive Web traffic
8. If possible, do not enable both the Execute and Write permissions on the same website
9. Run applications using Medium or High Application Protection
10. Use IPSec filtering to only allow required traffic (HTTP and HTTPS) to the Web server
28
Security Enhancements in IIS 6.0
IIS 6.0 is "locked down" out of the box, with the strongest time-outs and content limits set by default.
Feature | Description
Locked-down server | IIS 6.0 is not installed by default. A clean install only provides static file support.
Web service extensions list | The default installation does not compile, execute, or serve files with dynamic content.
Default low-privilege account | IIS processes run with significantly lowered privileges by logging on using the NETWORK SERVICE account.
Authorization | URL authentication with Authorization Manager. Constrained, delegated authentication.
URL checking | Configure time-outs and URL length limits. Check whether a file exists before attempting to run it. No executable virtual directories.
Process isolation | Improved sandboxing of applications. Third-party code runs only in worker processes; resource recycling.
29
IIS 6.0 Application Pools
- Application pools are isolated sets of applications and the worker processes that service them
- If an application fails, it does not affect the availability of applications that are running in other application pools
- Create separate application pools for applications that do not depend on each other
30
Agenda
- Introduction
- Implementing Advanced Server Security
- Methods for Securing IIS Server
- Protecting Exchange Server
- Protecting SQL Server
- Providing Data Security
31
Exchange Security Dependencies
Exchange security is dependent on:
- Operating system security
- Network security
- IIS security (if you use OWA)
- Client security (Outlook)
- Active Directory security
Remember: Defense in Depth
32
Securing Exchange Servers
- Exchange 2000 Back-End Servers: apply the baseline security template and the Exchange back-end incremental template
- Exchange 2000 Front-End Servers: apply the baseline security template and the Exchange front-end incremental template; dismount private and public stores
- Exchange 2000 OWA Server: apply IIS Lockdown, including URLScan
- Exchange 2003 Back-End Server: apply protocol security templates
- Exchange 2003 Front-End and OWA Server: IIS Lockdown and URLScan are integrated with IIS 6.0; use application isolation mode
33
Aspects of Exchange Server Security
- Securing access to Exchange Server: blocking unauthorized access
- Securing communications: blocking and encrypting communications
- Blocking spam: filtering incoming mail; relay restrictions (don't aid spammers!)
- Blocking insecure messages: virus scanning; attachment blocking
34
Configuring Authentication, Part 1
Secure Outlook client authentication
- Configure Exchange & Outlook 2003 to use RPC over HTTPS
- Configure SPA to encrypt authentication for Internet protocol clients
Remember: secure authentication does not equal encryption of data
35
Configuring Authentication, Part 2
OWA supports several authentication methods:
Authentication Method | Considerations
Basic authentication | Insecure unless you require SSL
Integrated authentication | Limited client support; issues across firewalls
Digest authentication | Limited client support
Forms-based authentication | Ability to customize authentication; wide client support; available with Exchange Server 2003
36
Securing Communications
- Configure RPC encryption
  - Client-side setting
  - Enforcement with ISA Server FP1
- Firewall blocking
  - Mail server publishing with ISA Server
- Configure HTTPS for OWA
- Use S/MIME for message encryption
- Outlook 2003 enhancements
  - Kerberos authentication
  - RPC over HTTPS
37
Encrypting a Message
[Diagram: Client 1, SMTP VS1, Active Directory domain controller, SMTP VS 2, Client 2]
1. New message
2. Locate Client 2's public key (Active Directory domain controller)
3. Message encrypted with a shared key
4. Message sent using S/MIME (SMTP VS1 to SMTP VS 2)
5. Message arrives encrypted
6. Client 2's private key is used to decrypt the shared key, and the shared key is used to decrypt the message
38
Blocking Spam – Exchange 2000
- Close open relays!
- Protect against address spoofing
- Prevent Exchange from resolving recipient names to GAL accounts
- Configure reverse DNS lookups
39
Blocking Spam – Exchange 2003
Use additional features in Exchange Server 2003:
- Support for real-time block lists
- Global deny and accept lists
- Sender and inbound recipient filtering
- Improved anti-relaying protection
- Integration with Outlook 2003 and third-party junk mail filtering
40
Blocking Insecure Messages
- Implement antivirus gateways
  - Monitor incoming and outgoing messages
  - Update signatures often
- Configure Outlook attachment security
  - Web browser security determines whether attachments can be opened in OWA
- Implement ISA Server
  - Message Screener can block incoming messages
41
Using Permissions to Secure Exchange
Administration models
- Centralized
- Decentralized
Delegating permissions
- Creating administrative groups
- Using administrative roles
- Delegating administrative control
42
Enhancements in Exchange Server 2003
- Many secure-by-default settings
- More restrictive permissions
- New mail transport features
- New Internet Connection Wizard
- Cross-forest authentication support
43
Exchange System Policies
[Diagram: Exchange System Policies, grouped under Defense in Depth, Efficiency and Continuity] Topics shown: Performance Tuning, Capacity Management, Security, Storage Management, Hardware Upgrades, Performance Monitoring, Disaster Recovery, Support, Antivirus, Event Monitoring, Change, Security Policies, Firewall Issues, AD Group Membership, UPS, Recovery Testing, Availability Monitoring, Availability Management, Group Policies, Backup.
44
Top Ten Things to Secure Exchange
1. Install the latest service pack
2. Install all applicable security patches
3. Run MBSA
4. Check relay settings
5. Disable or secure well-known accounts
6. Use a layered antivirus approach
7. Use a firewall
8. Evaluate ISA Server
9. Secure OWA
10. Implement a backup strategy
45
Agenda
- Introduction
- Implementing Advanced Server Security
- Methods for Securing IIS Server
- Protecting Exchange Server
- Protecting SQL Server
- Providing Data Security
46
Basic Security Configuration
- Apply service packs and patches
- Use MBSA to detect missing SQL updates
- Disable unused services:
  - MSSQLSERVER (required)
  - SQLSERVERAGENT
  - MSSQLServerADHelper
  - Microsoft Search
  - Microsoft DTC
47
Common Database Server Threats and Countermeasures
[Diagram: browser and Web app reaching SQL Server through the perimeter firewall and the internal firewall]
Threats: unauthorized external access, SQL injection, password cracking, network eavesdropping
- Network vulnerabilities: failure to block SQL ports
- Configuration vulnerabilities: over-privileged service account, weak permissions, no certificate
- Web app vulnerabilities: over-privileged accounts, weak input validation
48
Database Server Security Categories
- Network: protocols, ports
- Operating System: patches and updates, shares, services, accounts, auditing and logging, files and directories, registry
- SQL Server: SQL Server security, database objects, logins, users, and roles
49
Network Security
- Restrict SQL to TCP/IP
- Harden the TCP/IP stack
- Restrict ports
50
Operating System Security
- Configure the SQL Server service account with the lowest possible permissions
- Delete or disable unused accounts
- Secure authentication traffic
51
Logins, Users, and Roles
- Use a strong system administrator (sa) password
- Remove the SQL guest user account
- Remove the BUILTIN\Administrators server login
- Do not grant permissions for the public role
52
Files, Directories, and Shares
- Verify permissions on SQL Server installation directories
- Verify that the Everyone group does not have permissions to SQL Server files
- Secure setup log files
- Secure or remove tools, utilities, and SDKs
- Remove unnecessary shares
- Restrict access to required shares
- Secure registry keys with ACLs
53
SQL Security
- Set authentication to Windows only
- If you must use SQL Server authentication, ensure that authentication traffic is encrypted
54
SQL Auditing
- Log all failed Windows login attempts
- Log successful and failed actions across the file system
- Enable SQL Server login auditing
- Enable SQL Server general auditing
55
Securing Database Objects
- Remove the sample databases
- Secure stored procedures
- Secure extended stored procedures
- Restrict cmdExec access to the sysadmin role
56
Using Views and Stored Procedures
- SQL queries may contain confidential information
- Use stored procedures whenever possible
- Use views instead of direct table access
- Implement security best practices for Web-based applications
57
Securing Web Applications
- Validate all data input
- Secure authentication and authorization
- Secure sensitive data
- Use least-privileged process and service accounts
- Configure auditing and logging
- Use structured exception handling
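The "Using Views and Stored Procedures" and "Securing Web Applications" slides name the three controls against the SQL injection threat from the earlier diagram: validate input, keep the application off the base tables, and never let input become part of the query text. The following is an added example (not from the deck) that puts the string-built query next to its parameterized form, adds an allow-list validator, and uses a view so the application account cannot reach the password column at all. It uses an in-memory SQLite database standing in for SQL Server; the schema and rows are constructed.

```python
"""String-built query beside its parameterized form, with an input
allow-list and a view that hides sensitive columns. Added example on an
in-memory SQLite database; schema and data are constructed."""
import hashlib
import re
import sqlite3

USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT, role TEXT)")
    for name, password, role in [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")]:
        # Stand-in for a real salted, slow password hash.
        digest = hashlib.sha256(password.encode()).hexdigest()
        con.execute("INSERT INTO users VALUES (?, ?, ?)", (name, digest, role))
    # The Web application is given this view, not the table: no pw_hash column.
    con.execute("CREATE VIEW user_roles AS SELECT name, role FROM users")
    con.commit()
    return con


def validate_username(name):
    """Allow-list check run before the value goes anywhere near SQL."""
    return USERNAME_RE.fullmatch(name) is not None


def lookup_role_vulnerable(con, name):
    """The 'before' form: untrusted input is concatenated into the SQL text,
    so a quote in the input rewrites the WHERE clause."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def lookup_role_parameterized(con, name):
    """The hardened form: a bound parameter is always data, and the query
    runs against the view rather than the base table."""
    return con.execute("SELECT name, role FROM user_roles WHERE name = ?", (name,)).fetchall()


def visible_columns(con, relation):
    """Columns an account restricted to `relation` can read."""
    return [row[1] for row in con.execute(f"PRAGMA table_info({relation})")]


if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"
    print("validate:", validate_username(probe))
    print("vulnerable:", lookup_role_vulnerable(db, probe))
    print("parameterized:", lookup_role_parameterized(db, probe))
    print("view exposes:", visible_columns(db, "user_roles"))
```

The vulnerable lookup returns every row for the probe value because the input closed the quoted literal; the parameterized lookup returns nothing, and the validator would have rejected the value before the query was built. The view is the "secure sensitive data" piece: even a successful injection through it cannot select the hash column.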
58
Top Ten Things to Protect SQL Server
1. Install the most recent service pack
2. Run MBSA
3. Configure Windows authentication
4. Isolate the server and back it up
5. Check the sa password
6. Limit privileges of SQL services
7. Block ports at your firewall
8. Use NTFS
9. Remove setup files and sample databases
10. Audit connections
59
Agenda
- Introduction
- Implementing Advanced Server Security
- Methods for Securing IIS Server
- Protecting Exchange Server
- Protecting SQL Server
- Providing Data Security
60
Role and Limitations of File Permissions
- Prevent unauthorized access
- Limit administrators
- Do not protect against intruders with physical access
- Encryption provides additional security
61
Role and Limitations of EFS
Benefit of EFS encryption
- Ensures privacy of information
- Uses robust public key technology
Danger of encryption
- All access to data is lost if the private key is lost
Private keys on client computers
- Keys are encrypted with a derivative of the user's password
- Private keys are only as secure as the password
- Private keys are lost when the user profile is lost
62
EFS Architecture
[Architecture diagram] User mode: applications call the Win32 APIs; the EFS Service uses the Crypto API. Kernel mode: the I/O Manager, NTFS and EFS.sys provide the encrypted on-disk data storage.
63
EFS Differences Between Windows Versions
- Windows 2000 and newer Windows versions support EFS on NTFS partitions
- Windows XP and Windows Server 2003 include new features:
  - Additional users can be authorized
  - Offline files can be encrypted
  - The triple-DES (3DES) encryption algorithm can replace DESX
  - A password reset disk can be used
  - EFS preserves encryption over WebDAV
  - Data recovery agents are recommended
  - Usability is enhanced
64
Implementing EFS: How to Do It Right
1. Use Group Policy to disable EFS until ready for central implementation
2. Plan and design policies
3. Designate recovery agents
4. Assign certificates
5. Implement via Group Policy
65
Windows Server 2003 SP 1
66
Server Security Features
Service Pack 1
- Boot-time network protection with Windows Firewall
- Relevant XP SP2 security features (RPC, DCOM lockdown)
Feature packs
- Security Configuration Wizard (SCW)
- Network quarantine
67
Network Quarantine
Applies to clients connecting from home (VPN, dial-up), returning laptops, unhealthy desktops, consultants and guests.
- Health checkup: IT checks the "health" of the client
- Network access control: clients who pass get network access; clients who do not pass are blocked
- Health maintenance: quarantined clients can be given access to resources to get healthy
68
Windows Server 2003 SP1
In SP1:
- Fixes, updates, removal of unused technologies (Edlin, TFTP)
- Basis for the 64-bit Extensions release
- Boot-time network protection
- Relevant XP SP2 enhancements
- Security Configuration Wizard
Post-SP1:
- Network client inspection Feature Pack
69
Next Steps
Stay informed about security
- Sign up for security bulletins:
- Get the latest Microsoft security guidance:
Get additional security training
- Find online and in-person training seminars:
- Find a local CTEC for hands-on training:
70
For More Information
- Microsoft Security Site (all audiences)
- TechNet Security Site (IT professionals)
- MSDN Security Site (developers)
72
© 2003-2004 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.