Securing Microsoft Windows 2003 Server Matthew Cook http://escarpment.net/
Agenda
• Background
• Why Bother?
• Pre-Installation
• Vendor Specifics
• Installation of Windows Server 2003
• Post-Installation Configuration
• Firewall Software
• Patching the System
• Day to Day Administration
• Further Advice and Guidance
Background
• The Security Service is running a number of similar courses in conjunction with Professional Development.
• Details are available at: http://www.lboro.ac.uk/computing/security/
• By increasing the security of networked machines on campus, we hope to reduce the number of compromised machines and the IT Support Staff workload.
Why bother?
• Keeping control and service availability
• Spreading infection
• Data Integrity (DPA)
• Legal Liability
• Reactive Work Loads
• Bad Public Relations
• Personal Responsibility
Pre-Installation
• Disconnect the machine from the network.
  – Essential with some vendor installs.
• Ensure you have the appropriate network details at hand.
• Ensure you have the latest Microsoft patches on removable media.
• Don’t forget physical security.
Pre-Installation
• Consider the partitioning structure
  – System
  – User Storage
  – Services
  – Logs
• Consider which features to install
  – Do you really need IIS on every server?
  – Every extra feature is one more thing to patch, to secure and to configure, and it slows the server down
Vendor Specifics
• Always re-install!
• When using a vendor-specific install CD, make sure you are aware of any security issues it introduces.
• Dell’s OpenManage Server Assistant has security issues with the SNMP service and the OpenManage package.
Installation of Windows Server 2003
• Limit the system partition to 10 to 20 GB
• Set a strong Administrator password
• Select only the services you require
Post-Installation Configuration
• Network Configuration
  – Add all DNS servers
  – Add both WINS servers
  – Disable LMHOSTS lookup
  – Untick ‘Register this connection’s address in DNS’
  – Enable NetBIOS over TCP/IP
  – Remove any unnecessary network clients and services
Post-Installation Configuration…
• Disable null (anonymous) authentication
  – HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous, REG_DWORD = 2
  – HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\RestrictAnonymous, REG_DWORD = 1
• Windows Server 2003 adds a further value: RestrictAnonymousSAM!
  – RestrictAnonymous = 2 is the Windows 2000 setting; on Server 2003 RestrictAnonymous only takes 0 or 1, and the equivalent restriction is RestrictAnonymous = 1 together with RestrictAnonymousSAM = 1 and EveryoneIncludesAnonymous = 0 (the ‘Network access:’ options in Local Security Policy)
Post-Installation Configuration…
• Configure Logging
  – Create a separate partition to ‘sandbox’ the logs; L: of 1 to 10 GB is a good choice
  – Event log locations are set at HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application, \Security and \System
  – Change the File value under each key to point at L:\eventlogs\*
  – Move the IIS, Exchange and other application logs to the new location as well
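The anonymous-access values and the event log relocation above are both plain registry settings, so they can be audited in one pass. The script below is an added example, not part of the original slides: it reports each value against the expected setting and, with -Fix, applies it. It assumes Windows PowerShell 2.0 or later running elevated on the server; the log partition L: and the file names under L:\eventlogs are assumptions (the slides only say L:\eventlogs\*), and the expected LSA values are the Server 2003 equivalents of the Windows 2000 RestrictAnonymous = 2 setting.

```powershell
# Added example (not from the slides): audit / apply anonymous-access and
# event-log registry settings on Windows Server 2003.
# Assumes: Windows PowerShell 2.0+, elevated; L:\eventlogs is an assumed path.
param(
    [switch]$Fix,
    [string]$LogRoot = 'L:\eventlogs'
)

$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Expected = @(
    # Server 2003 split the Windows 2000 value RestrictAnonymous=2 into these three.
    @{ Path = $Lsa; Name = 'RestrictAnonymous';         Value = 1; Type = 'DWord' },
    @{ Path = $Lsa; Name = 'RestrictAnonymousSAM';      Value = 1; Type = 'DWord' },
    @{ Path = $Lsa; Name = 'EveryoneIncludesAnonymous'; Value = 0; Type = 'DWord' }
)
# Default file names are kept; only the directory moves (assumed layout).
$LogFiles = @{ Application = 'AppEvent.Evt'; Security = 'SecEvent.Evt'; System = 'SysEvent.Evt' }
foreach ($log in $LogFiles.Keys) {
    $Expected += @{
        Path  = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$log"
        Name  = 'File'
        Value = (Join-Path $LogRoot $LogFiles[$log])
        Type  = 'ExpandString'    # REG_EXPAND_SZ, like the %SystemRoot% default
    }
}

function Test-Setting {
    param([hashtable]$Setting)
    $actual = '<missing>'
    $key = Get-ItemProperty -Path $Setting.Path -ErrorAction SilentlyContinue
    if ($key -ne $null -and $key.($Setting.Name) -ne $null) {
        # Expand %SystemRoot% so an untouched default compares as a real path.
        $actual = [Environment]::ExpandEnvironmentVariables([string]$key.($Setting.Name))
    }
    New-Object PSObject -Property @{
        Setting  = "$($Setting.Path)\$($Setting.Name)"
        Expected = $Setting.Value
        Actual   = $actual
        OK       = ([string]$actual -eq [string]$Setting.Value)
    }
}

$results = foreach ($s in $Expected) { Test-Setting $s }
$results | Format-Table Setting, Expected, Actual, OK -AutoSize

if ($Fix) {
    New-Item -ItemType Directory -Path $LogRoot -Force | Out-Null
    foreach ($s in $Expected) {
        if (-not (Test-Setting $s).OK) {
            Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type $s.Type
            "Set $($s.Path)\$($s.Name) = $($s.Value)"
        }
    }
    'New event log paths take effect after a reboot.'
}
```

Run it without -Fix first and keep the output with the machine’s baseline. The script creates the log directory but does not set its ACL; before rebooting, restrict L:\eventlogs to SYSTEM and Administrators (cacls on Server 2003), otherwise the move defeats its own purpose.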
Post-Installation Configuration…
• Windows Patches and Service Packs
  – Install them in a secure fashion:
  – from removable media,
  – from slipstreamed media,
  – or via a SOHO firewall
  – NOT via an unprotected network connection
Post-Installation Configuration…
• Install McAfee VirusScan Enterprise
  – Running anti-virus software is essential
  – Initially, Auto-Update must be run twice, to update both the engine and the DAT file
  – Ensure the software is configured to auto-update
• Available from: \\adadmin2\software\mcafee\vse7svrs\
Post-Installation Configuration…
• Automatic Updates
  – My Computer > Properties > Automatic Updates tab
  – We do NOT recommend the fully automatic setting, nor turning Automatic Updates off
  – Use either ‘Download updates for me, but let me choose when to install them’
  – or ‘Notify me but don’t automatically download or install them’
Post-Installation Configuration…
• Terminal Services
  – My Computer > Properties > Remote tab
  – Select ‘Allow users to connect remotely to this computer’
  – Ensure only the users who need remote access are configured (the Remote Desktop Users group)
Post-Installation Configuration…
• Microsoft Baseline Security Analyzer (MBSA)
  – Freely available from Microsoft
  – Reports on security best practices, password strength, security misconfigurations and application configurations
Post-Installation Configuration…
• NTFS ACL defaults are more secure than in Windows 2000 Server
  – The Everyone group has only Read & Execute on the root of each drive, and that permission is not inherited
  – The Everyone group therefore has no permissions on a new folder or file
  – The Everyone group has only Read permission on a new share
• Tighten the NTFS ACLs further to suit the machine’s role.
• Note: anonymous users are no longer members of the Everyone group!
Post-Installation Configuration…
• Security Templates
  – Legacy Client
  – Enterprise Client
  – High Security
• Not straightforward; it is very easy to cripple a machine with the wrong template.
• Further advice is in the security guides.
Post-Installation Configuration…
• Create and document a machine baseline
  – Use Performance Monitor
  – Save the output of ‘netstat -a’
  – Save the output of ‘fport /p’
  – Save the output of ‘net user’
Firewall Software
• Why bother?
  – Computing Services already runs one
  – Open ports are needed to provide the service anyway
  – A host firewall can give a false sense of security
  – Too many false positives
  – The machine itself should be secure
• There are exceptions
  – Insecure services that must be reachable only from a limited set of machines
  – Protecting services that are only needed locally
Patching the System
• Essential!
• Operating systems contain bugs, and patches are the usual way fixes are distributed.
• A patch or hotfix usually fixes one discovered bug.
• Service Packs bundle many patches and hotfixes; most contain well over 200.
Patching the System
• Only install patches after testing them in a development environment.
• Only install patches obtained directly from the vendor.
• Install security patches as soon as possible after release.
• Install feature patches only as and when needed.
• Subscribe to the security mailing lists.
Day to Day Administration
• Not every day, but at least weekly!
• Check the logs
  – Have them emailed to you
  – Investigate any rogue activity
• Compare the machine against the saved baseline
• Check the listening ports
• Check for required patches
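The baseline from the post-installation slides and the weekly comparison above are the same job done twice, so one script can do both. The script below is an added example, not part of the original slides: with -Capture it saves the listening ports, local users and installed hotfixes; without it, it diffs a fresh capture against the saved files and reports what appeared or disappeared. It assumes Windows PowerShell 2.0 or later on the server; the baseline directory is an assumption, and ‘netstat -ano’ stands in for the third-party fport because it also reports the owning PID of each socket.

```powershell
# Added example (not from the slides): capture a machine baseline and
# report drift from it. Assumes Windows PowerShell 2.0+; C:\Baseline is an
# assumed location.
param(
    [string]$BaselineDir = 'C:\Baseline',
    [switch]$Capture        # -Capture writes a new baseline instead of comparing
)

function Get-ListeningPorts {
    # One line per listening TCP socket or bound UDP socket, with its PID,
    # so a new service or a backdoor shows up as a NEW line in the diff.
    netstat -ano | ForEach-Object {
        $f = ($_ -replace '^\s+', '') -split '\s+'
        if ($f[0] -eq 'TCP' -and $f[3] -eq 'LISTENING') { "TCP $($f[1]) pid=$($f[4])" }
        elseif ($f[0] -eq 'UDP') { "UDP $($f[1]) pid=$($f[3])" }
    } | Sort-Object -Unique
}

function Get-LocalUsers {
    # Same information as 'net user', without parsing its column layout.
    Get-WmiObject Win32_UserAccount -Filter 'LocalAccount = True' |
        ForEach-Object { "$($_.Name) disabled=$($_.Disabled)" } | Sort-Object -Unique
}

function Get-InstalledHotfixes {
    Get-WmiObject Win32_QuickFixEngineering |
        ForEach-Object { $_.HotFixID } | Sort-Object -Unique
}

$Snapshots = @{
    'ports.txt'    = { Get-ListeningPorts }
    'users.txt'    = { Get-LocalUsers }
    'hotfixes.txt' = { Get-InstalledHotfixes }
}

if ($Capture) {
    New-Item -ItemType Directory -Path $BaselineDir -Force | Out-Null
    foreach ($name in $Snapshots.Keys) {
        & $Snapshots[$name] | Set-Content -Path (Join-Path $BaselineDir $name)
    }
    "Baseline written to $BaselineDir at $(Get-Date -Format u)"
    exit 0
}

# Compare each snapshot with its saved copy; sets are small, so a plain
# -notcontains scan is enough and avoids Compare-Object's empty-array limits.
$drift = 0
foreach ($name in $Snapshots.Keys) {
    $saved = @(Get-Content -Path (Join-Path $BaselineDir $name))
    $now   = @(& $Snapshots[$name])
    foreach ($x in ($now   | Where-Object { $saved -notcontains $_ })) { $drift++; "NEW     [$name] $x" }
    foreach ($x in ($saved | Where-Object { $now   -notcontains $_ })) { $drift++; "MISSING [$name] $x" }
}
if ($drift -eq 0) { 'No change from baseline.' }
exit $drift      # non-zero exit code lets a scheduled task flag drift
```

Run it with -Capture straight after the post-installation work, keep the baseline directory writable only by Administrators, then run it weekly from a scheduled task. A NEW port or user is the thing to investigate; MISSING hotfixes after a rebuild are expected. The hotfix list only shows what is installed, so ‘check for required patches’ still means running MBSA or comparing against the vendor’s list.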
Further Advice and Guidance
• http://www.lboro.ac.uk/computing/security/
• http://www.microsoft.com/security/
• http://www.windowsecurity.com/
• Mailing lists:
  – [email protected]
  – [email protected]
Further Advice and Guidance
• Introduction to I.T. Security
• Securing Microsoft Windows 2000 Server
• Securing Microsoft Windows 2003 Server
• Securing Microsoft Internet Information Server (I.I.S.) 5 and 6
• Securing Fedora Linux
• Securing RedHat Enterprise Server
• Securing The Apache Web Server
Questions and Answers http://escarpment.net/