Security and Windows 2000 - PowerPoint PPT Presentation

Provided by: allilia

1
Security and Windows 2000
  • A guide to installation and configuration of
    Windows 2000 with emphasis on Internet
    Information Server (IIS)
  • Al Lilianstrom
  • x2028
  • Al.Lilianstrom_at_fnal.gov
  • CD/OSS/CSI

2
What?
  • This talk describes how I build a Windows 2000
    system
  • I really do things this way
  • I didn't think of all this by myself
  • This information comes from experience - my own
    and countless others'
  • Yes - I have had a webserver defaced
  • Note - This is not CD, OSS, or CSI policy

3
Build the system securely
  • The system should be off the network from the
    time you start the OS installation until all
    patches are applied and all required changes are
    made
  • If you use a product like Ghost to load the PC
    over the network be sure the downloaded image is
    patched properly
  • NTFS filesystems only!
  • Windows 2000 Server - If this is going to be a
    web server, pay attention to the install so you
    can choose what parts of IIS you want installed.

4
Build the system securely -2
  • Patches
  • Windows 2000 (Pro and Server) requires Service
    Pack 2 and numerous patches.
  • IIS requires even more patches
  • Batch files are provided to make installation
    easier
  • Patches are available at
  • \\pckits\fermi-rollup
  • \\pckits2\fermi-rollup (FERMI Domain)
  • http://pckits2.fermi.win.fnal.gov/fermi-rollup
  • \\beamssrv1\Win2k-Setup (Beams Domain)

5
Do I need a web server?
  • Think about this -
  • Can I publish this data elsewhere?
  • Am I going to pay attention to this server?
  • Alternatives
  • Professional home pages available in AFS space
  • Project web sites available on CD managed servers

6
Installing IIS - Two Choices
  • As part of the OS install
  • You have to do the post install changes for home
    and log directories.
  • Post OS install
  • An answer file can be created and the install run
    silently to put IIS where you want with the major
    options you want. See the following URL
  • http://www.iisanswers.com/articles/Upgrading_to_IIS5/Changing_IIS5_install_location.htm
  • Permission settings and other post install
    configuration must be done with either method

7
Where to install?
  • Web servers should not be on any type of domain
    controller
  • Unless you absolutely have to, web servers should
    not be on fileservers
  • A separate system, while not necessarily cost
    effective, allows more flexibility and doesn't
    have as much impact on regular business if the
    web server must be removed from the network or
    rebuilt.

8
IIS Installation Options
  • This is a good start
  • Note
  • No Index Server
  • No FrontPage Extensions
  • Not all IIS options are selected
  • Only install what you need
  • Apply all applicable patches
  • This should be done off the network

9
Remember
  • The NT and Windows 2000 default location for the
    web server root is c:\inetpub\wwwroot. This has
    to be changed!
  • The default file permissions here are
    Everyone: Full Control
  • The default permissions for any new file system
    created in NT/W2K are Everyone: Full Control

10
Post Install (Still off the net)
  • Prepare a new home for your web site. It should
    NOT be on the system disk. I normally use
    d:\inetpub. Create a wwwroot directory below
    inetpub. Be sure that permissions are set
    properly. By default IIS accesses files using the
    properties of the IUSR_machinename account.
    Read only access!

11
Post Install (Still off the net)
  • Open up the IIS MMC - there are known holes in
    MSADC and IISSAMPLES.

Remove everything you don't need

12
Post Install (Still off the net)
  • Move the logs. Default is c:\winnt\system32\logfiles.
    I tend to use d:\logfiles. Right click on the
    default web site and go to Properties. Near the
    bottom make sure that logging is enabled and
    click on Properties.

13
Post Install (Still off the net)
  • Change the logfiles directory to d:\logfiles and
    click on OK.

This is also where you would change the type of
logfile generated and what properties are in the
logfile.

14
Post Install (Still off the net)
  • Click on the Home Directory tab and set the local
    path to d:\inetpub\wwwroot. (Note - this can also
    be a share on another computer.) Click on Apply.

15
Post Install (Still off the net)
  • Click on Configuration. This will bring up the
    default script mappings.
  • Remove all unnecessary items

16
Post Install (Still off the net)
  • I usually leave the .asp mapping as I use these
    for some applications. The web site will function
    without this mapping so it can be removed if you
    don't need it. Click on OK and exit the MMC.

17
Post Install (Connect to the net)
  • At this time (assuming that you have applied all
    the appropriate patches) you can connect to the
    network. Good time to test the basic function of
    the web server.
  • Put a couple of files to test with in the root of
    your new web server. If you have a particular
    application that this web server is to be used
    for - install it and test.

18
Restricting Access - IP Address
  • What is your target audience? On site? Off site?
    If this is meant to be a FNAL only site, IIS can
    (and should) be set to only accept connections
    from our network.
  • Open up the IIS MMC and right click on the web
    site (or directory in the site) that you want to
    protect. Click on the Directory Security tab.
    Click on the Edit tab by the IP Address and
    Domain Name restrictions.

19
Restricting Access - IP Address
  • Click on Add. Select Group of Computers and put
    in the Network ID and Subnet Mask as shown. Click
    on OK a couple of times to get back to the MMC.
    This site is now only available from machines on
    the Fermilab network. Other networks can be added.

20
Restricting Access - Headers
  • You can require the use of host headers to access
    your pages. This keeps the script kiddies away as
    they are not using (at least not yet) DNS names
    in their attacks. With host headers enabled, if
    the DNS name of the site is not included in the
    header of the request, the request is ignored.
    Current attacks fall in this category. To do this,
    open the IIS MMC, right click on the web site and
    go to Properties. Click on the Advanced button
    next to the IP address of the web site.

21
Restricting Access - Headers
  • Edit and add DNS names to match your IP address.
    Click on OK to get back to the MMC.
  • Warning -
  • This feature can't be used with SSL encrypted
    pages or sites
  • Older browsers will no longer be able to view the
    site

22
Restricting Access - Headers
  • IP address based requests will fail
  • The same request using a DNS name works
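
Before turning host headers on, the web server log shows which requests would stop matching the site, including the older browsers the warning above mentions. The following is an added example, not part of the original slides: it reads a W3C Extended log and classifies each request by its Host value. The site name, addresses and log lines are constructed, and it assumes cs-host was selected in the logging properties.

```python
import ipaddress
from collections import Counter

SITE_NAMES = {"www.example.org"}   # assumption: names entered as host headers

# Constructed W3C Extended sample; cs-host has to be selected in the logging
# properties, and the field list may change part-way through a file.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs-host
2001-10-24 14:00:01 192.0.2.10 GET /default.htm 200 www.example.org
2001-10-24 14:00:07 198.51.100.7 GET /msadc/ 404 192.0.2.80
2001-10-24 14:00:09 198.51.100.7 GET /iissamples/ 404 -
#Fields: date time c-ip cs-uri-stem cs-host
2001-10-24 14:01:30 192.0.2.11 /index.htm WWW.EXAMPLE.ORG:80
2001-10-24 14:02:02 203.0.113.5 /default.htm intranet.example.net
"""

def classify_host(value, site_names=SITE_NAMES):
    """Return 'missing', 'ip-literal', 'site-name' or 'other-name'."""
    if value in ("", "-"):
        return "missing"            # no Host header, e.g. an HTTP/1.0 client
    host = value.lower()
    if host.count(":") == 1:        # name:port or IPv4:port
        host = host.split(":")[0]
    try:
        ipaddress.ip_address(host)
        return "ip-literal"
    except ValueError:
        return "site-name" if host in site_names else "other-name"

def parse_w3c(text):
    """Yield one dict per request, honouring every #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def host_header_report(text, site_names=SITE_NAMES):
    """Count requests per class; list those that name no configured site."""
    counts, unmatched = Counter(), []
    for rec in parse_w3c(text):
        kind = classify_host(rec.get("cs-host", "-"), site_names)
        counts[kind] += 1
        if kind != "site-name":
            unmatched.append((rec["c-ip"], rec["cs-uri-stem"], kind))
    return counts, unmatched

if __name__ == "__main__":
    print(host_header_report(SAMPLE_LOG))
```

Clients that appear under "missing" or "other-name" and belong to your audience are the ones to sort out before the change.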

23
Restricting Access - Permissions
IIS allows you to grant access to files based on
NT username/password credentials. I only
recommend doing this if the clients accessing the
protected files meet the following:
  • Internet Explorer is the browser
  • The user has an account in the domain that the
    web server is configured to use for authentication

Do NOT use any other browsers as the user's domain
password will be transmitted in the clear over
the network. The Computer Security people won't
be happy with you.

24
Restricting Access - Permissions
Open up the IIS MMC and right click on the web
site/folder/file that you want to protect. Click
on the Directory (or File) Security tab and then
the Edit button next to Anonymous Access controls.

25
Restricting Access - Permissions
Remove Anonymous access. Make sure that NT
Challenge/Response is selected and Basic
Authentication is NOT selected. Click on OK to
get back to the MMC. Now your file permissions
decide who gets to see the files.

26
Scripts
  • IIS can run scripts written in a variety of
    languages: Perl, VBScript, ASP, or compiled
    programs from C, C++, etc.
  • Be careful how these are configured to run and
    how they run.
  • Some publicly available scripts have large
    security holes in them.
  • Watch permissions - some scripts like full
    control

27
Other Options
There are some other steps that can be taken to
tighten security on a Windows 2000 installation
  • Disable any unnecessary services. The spooler,
    index server, and SNMP come to mind. If you must
    have SNMP, configure it properly
  • Rename administrator account
  • Disable 8.3 filename support
  • Disable null session enumeration

28
Other Options
  • IIS Lockdown tool from Microsoft
  • URLCheck from Microsoft
  • Restrict access for command line tools to local
    System account and Administrators group
  • Remove write access for IUSR, IWAM, and Everyone
    group anywhere it exists.
  • Watch those share permissions
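
One way to check the "remove write access" item is to capture the ACL listing that cacls prints for the web and log directories and search it for the three accounts. The following is an added example, not part of the original slides: the listing, the machine name WEB01 and the paths are constructed, and the parser assumes paths without spaces.

```python
import re

# Accounts the slide names: Everyone, IUSR_<machine>, IWAM_<machine>.
WATCHED = re.compile(r"(?:^|\\)(?:Everyone$|IUSR_|IWAM_)", re.I)
# cacls shows simple rights as one letter: F full, C change, W write, R read.
WRITE_RIGHTS = {"F", "C", "W"}
ACE = re.compile(r"^(?P<acct>.+):(?P<flags>(?:\([A-Z]+\))*)(?P<right>[FCRWN])$")

# Constructed listing in the layout cacls prints: the path and first entry on
# one line, further entries indented beneath it.
SAMPLE_CACLS = r"""
d:\inetpub\wwwroot Everyone:(OI)(CI)F
                   BUILTIN\Administrators:(OI)(CI)F
                   WEB01\IUSR_WEB01:(OI)(CI)R

d:\inetpub\wwwroot\upload WEB01\IUSR_WEB01:(OI)(CI)C
                          NT AUTHORITY\SYSTEM:(OI)(CI)F

d:\logfiles BUILTIN\Administrators:(OI)(CI)F
            WEB01\IWAM_WEB01:W
"""

def parse_cacls(text):
    """Yield (path, account, inherit_flags, right) for each simple entry."""
    path = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():      # new object: "<path> <first entry>"
            path, _, line = line.partition(" ")   # assumes no spaces in paths
        m = ACE.match(line.strip())
        # "special access" entries span several lines and are not evaluated
        # here; review those by hand.
        if m and path:
            yield path, m["acct"], m["flags"], m["right"]

def risky_entries(text):
    """Entries giving Everyone, IUSR_* or IWAM_* Full, Change or Write."""
    return [(p, a, r) for p, a, _, r in parse_cacls(text)
            if WATCHED.search(a) and r in WRITE_RIGHTS]

if __name__ == "__main__":
    for path, account, right in risky_entries(SAMPLE_CACLS):
        print(f"{path}: {account} has {right}")
```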

29
Scan the machine
  • The Computing Division Computer Security Group
    will scan your machine on request and send you
    the results. Request this through your
    division/section GCSC (General Computer Security
    Contact). Use the results of this scan to modify
    your configuration as necessary. Do this before
    the machine goes into production.
  • This would also be a good time to get a baseline
    backup of the system.

30
Scan the machine (cont'd)
  • Microsoft distributes a free tool called
    hfnetchk. It uses an XML data file to compare your
    system to all known patches. It can be used:
  • By users checking their own desktop systems,
  • By admins checking any system on which they
    have administrator access.
  • Matt Crawford crawdad_at_fnal.gov 8/17/2001 8:43 AM
    message to the pc-manager list.
  • See the list archive for the complete text of the
    message (http://listserv.fnal.gov/archives/pc-manager.html)

31
Scan the machine (cont'd)
  • C:\hfc3>hfnetchk -x mssecure.xml -h newpckits
  • Microsoft Network Security Hotfix Checker, 3.2
  • Developed for Microsoft by Shavlik Technologies, LLC
  • info_at_shavlik.com (www.shavlik.com)
  • Using XML data version 1.0.1.159 Last modified on 10/24/2001.
  • WINDOWS 2000 SERVER SP2
  • Patch NOT Found MS01-013 Q285156
  • NOTE MS01-022 Q296441
  • Internet Information Services 5.0
  • INFORMATION All necessary hotfixes have been applied
  • Internet Explorer 6 Gold
  • INFORMATION All necessary hotfixes have been applied.
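
A report like this one can be turned into a list of outstanding bulletins per product, which gives a simple yes/no answer before the machine goes on the network. The following is an added example, not part of the original slides and not Microsoft's code: the sample text is constructed from the values on the slide, and its layout (product heading at the left margin, findings indented beneath) is an assumption.

```python
import re

# Constructed sample using the values shown on the slide; the indentation of
# findings under each product heading is an assumed layout.
SAMPLE_REPORT = """\
Microsoft Network Security Hotfix Checker, 3.2
Using XML data version 1.0.1.159 Last modified on 10/24/2001.

WINDOWS 2000 SERVER SP2

\tPatch NOT Found MS01-013\tQ285156
\tNOTE            MS01-022\tQ296441

Internet Information Services 5.0

\tINFORMATION
\tAll necessary hotfixes have been applied

Internet Explorer 6 Gold

\tINFORMATION
\tAll necessary hotfixes have been applied.
"""

FINDING = re.compile(r"^(Patch NOT Found|NOTE)\s+(MS\d{2}-\d{3})\s+(Q\d+)$")

def parse_report(text):
    """Return {product: [(status, bulletin, article), ...]}."""
    report, product = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():      # left margin: banner or product name
            product = line.strip()
            continue
        if product is not None:        # indented line belongs to the product
            entries = report.setdefault(product, [])
            m = FINDING.match(line.strip())
            if m:
                entries.append(m.groups())
    return report

def missing_patches(text):
    """Bulletins reported as 'Patch NOT Found', grouped by product."""
    out = {}
    for product, entries in parse_report(text).items():
        todo = [(b, q) for status, b, q in entries if status == "Patch NOT Found"]
        if todo:
            out[product] = todo
    return out

def ready_for_network(text):
    """True only when no scanned product has a patch outstanding."""
    return not missing_patches(text)

if __name__ == "__main__":
    print(missing_patches(SAMPLE_REPORT), ready_for_network(SAMPLE_REPORT))
```

NOTE entries are kept by parse_report but not counted as missing, since they need a manual check rather than a patch install.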

32
Conclusion
  • Running a server connected to the internet
    requires discipline and attention. You need to
    watch your event logs and web server logs (if
    applicable). You need to be aware of the latest
    attacks and patches.

33
Links
  • Microsoft Security
  • http://www.microsoft.com/security
  • IIS4 Security Checklist
  • http://www.microsoft.com/technet/security/tools/iischk.asp
  • IIS5 Security Checklist
  • http://www.microsoft.com/technet/security/iis5chk.asp
  • Microsoft IIS
  • http://www.microsoft.com/technet/prodtechnol/iis/
  • URLScan Security Tool
  • http://www.microsoft.com/technet/security/tools/urlscan.asp

34
Links
  • LabMice.Net
  • http://www.labmice.net/
  • RealTime Publishers
  • http://realtimepublishers.com/eBooks/
  • IIS Lockdown Tool
  • http://www.microsoft.com/technet/security/tools/locktool.asp
  • Security Focus
  • http://www.securityfocus.com/infocus/1311
  • NSA Security Guides
  • http://nsa1.www.conxion.com/win2k/download.htm

35
Links
  • Patch CD available for offline builds. This is a
    mirror of the PCKITS site. ISO image is available
    if you want to burn your own. See the OSS home
    page at http://www-oss.fnal.gov under
    Miscellaneous
  • Technical assistance available. Don't be afraid
    to ask!
  • helpdesk_at_fnal.gov
  • pc-manager_at_fnal.gov

36
Mailing Lists
  • Microsoft Product Security Notification Service
  • http://www.microsoft.com/technet/security/bulletin/notify.asp
  • NTSysadmin, Active Directory, Windows Security
  • http://www.sunbelt-software.com/forums/
  • NT Bug Traq - http://www.ntbugtraq.com/
  • Win2K Security, Security Update -
    http://www.ntsecurity.net/
  • VulnWatch - http://www.vulnwatch.org/
  • WINNT-L - http://peach.ease.lsoft.com/archives/winnt-l.html

37
Publications
  • Mastering Windows 2000 Server - Mark Minasi
  • Windows .Net Magazine
  • Microsoft Resource Kits
  • In my opinion the best resources are online

38
Miscellaneous
  • If you are an administrator of a system on the
    Fermilab network you should be a registered
    system admin - See http://miscomp.fnal.gov/sysadmindb/
  • Manage NT/2000/etc
  • Join the pc-manager list
  • http://listserv.fnal.gov/users.asp#subscribe%20to%20list
  • Join the Microsoft Security bulletin mailing list
  • http://www.microsoft.com/technet/security/bulletin/notify.asp

39
Questions?