HARDENING SERVERS - PowerPoint PPT Presentation

Description:

SERVER HARDENING BEST PRACTICES. Use the Configure Your Server Wizard ... Dynamic Host Configuration Protocol (DHCP) servers running Windows 2000 and ...

Slides: 24
Provided by: york5
Transcript and Presenter's Notes


1
HARDENING SERVERS
  • Chapter 7

2
DEFAULT SECURITY TEMPLATES
  • Setup Security.inf and DC Security.inf
  • Compatws.inf
  • Securews.inf and Securedc.inf
  • Hisecws.inf and Hisecdc.inf
  • Rootsec.inf
  • Iesacls.inf

3
DESIGNING SECURITY TEMPLATES
  • Create a custom security template for each role,
    not each computer
  • Base custom templates on a default template
  • Never modify default security templates
  • Apply multiple security templates to computers
    with multiple roles

4
SECURITY TEMPLATE SETTINGS
  • Account policies
  • Local policies
  • Event logs
  • Group memberships
  • Services
  • Registry permissions
  • File and folder permissions

5
SETTINGS NOT AVAILABLE IN SECURITY TEMPLATES
  • Configuration of Automatic Updates
  • Which Microsoft Windows components and
    applications are installed
  • IPSec policies
  • Software restrictions
  • Wireless network policies
  • EFS settings
  • Certification Authority (CA) settings

6
CONFIGURING EARLIER VERSIONS OF WINDOWS
  • Support Group Policy
      • Windows Server 2003
      • Windows 2000 Server
      • Windows 2000 Professional
      • Windows XP Professional
  • Support System Policy
      • Windows NT 4.0
      • Windows 95
      • Windows 98
      • Windows Me

7
SYSTEM POLICY EDITOR

8
DEPLOYING SECURITY CONFIGURATION WITH GROUP POLICY
  • Import templates into Group Policy
  • Leverage inheritance
  • Filter Group Policy objects (GPOs) with security
    groups
  • Use Windows Management Instrumentation (WMI)
    filtering only where necessary

9
SERVER HARDENING BEST PRACTICES
  • Use the Configure Your Server Wizard
  • Disable unnecessary services
  • Develop a process for updating all software
  • Change default port numbers
  • Use network and host-based firewalls

10
SERVER HARDENING BEST PRACTICES (CONT.)
  • Require IPSec
  • Place Internet servers in perimeter networks
  • Use physical security
  • Restrict removable media
  • Back up application-specific information

11
SERVER HARDENING BEST PRACTICES (CONT.)
  • Audit backups and restores
  • Rename default user accounts
  • Develop security requirements for
    application-specific user databases
  • Monitor each server role for failures
  • Read security guides at http://www.microsoft.com

12
HARDENING DOMAIN CONTROLLERS
  • A compromised domain controller can lead to
    compromises of domain members
  • Domain controllers can be identified with a DNS
    query
  • Avoid storing application data in Active
    Directory
  • Create a separate security group for users with
    privileges to back up domain controllers
  • Use source-IP filtering to block domain requests
    from external networks

13
REQUIRED DOMAIN CONTROLLER SERVICES
  • File Replication Service
  • Intersite Messaging
  • Kerberos Key Distribution Center
  • Netlogon
  • Remote Procedure Call (RPC) Locator
  • Windows Management Instrumentation
  • Windows Time
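
The following check is an added example, not part of the presentation: it parses the service section of a role's security template and reports any service from the list above that the template disables or leaves undefined. The template text is constructed, and the short service names and startup codes (2 automatic, 3 manual, 4 disabled) are assumptions.

```python
# Added example; service short names and startup codes (2/3/4) are assumptions.
REQUIRED_DC_SERVICES = {
    "File Replication Service": "NtFrs",
    "Intersite Messaging": "IsmServ",
    "Kerberos Key Distribution Center": "kdc",
    "Netlogon": "Netlogon",
    "Remote Procedure Call (RPC) Locator": "RpcLocator",
    "Windows Management Instrumentation": "Winmgmt",
    "Windows Time": "W32Time",
}
STARTUP = {"2": "automatic", "3": "manual", "4": "disabled"}

# Constructed template fragment; each entry is service,startup,"SDDL".
SAMPLE_TEMPLATE = """\
[Service General Setting]
Alerter,4,"D:(A;;GA;;;BA)"
"W32Time",2,"D:(A;;GA;;;BA)"
kdc,2,"D:(A;;GA;;;BA)"
NtFrs,4,"D:(A;;GA;;;BA)"
Netlogon,2,"D:(A;;GA;;;BA)"
"""

def parse_services(text):
    """Return {service name (lowercased): startup mode} from the template."""
    services, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif line and not line.startswith(";") and section == "service general setting":
            parts = [p.strip().strip('"') for p in line.split(",", 2)]
            if len(parts) < 2 or parts[1] not in STARTUP:
                raise ValueError(f"unrecognised service entry: {line!r}")
            services[parts[0].lower()] = STARTUP[parts[1]]
    return services

def audit_dc_template(text):
    """Flag required DC services the template disables or leaves undefined."""
    configured = parse_services(text)
    findings = {}
    for display, short in REQUIRED_DC_SERVICES.items():
        mode = configured.get(short.lower())
        if mode == "disabled":
            findings[display] = "disabled by template"
        elif mode is None:
            findings[display] = "not defined in template"
    return findings

if __name__ == "__main__":
    print(audit_dc_template(SAMPLE_TEMPLATE))
```

Services set to manual are not flagged; whether manual startup is acceptable for a given role is a policy decision the template reviewer still has to make.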

14
HARDENING DNS SERVERS
  • When DNS servers are compromised, attackers can
    use them to:
      • Identify internal network resources
      • Launch man-in-the-middle attacks
      • Perform a denial-of-service (DoS) attack

15
BEST PRACTICES FOR HARDENING DNS SERVERS
  • Use Active Directory-integrated zones. If not
    Active Directory integrated:
      • Restrict permissions on zone files
      • Use IPSec to protect zone transfers
  • Disable recursion where possible
  • Use separate internal and Internet servers
  • Remove root hints on internal servers
  • Allow only secure DNS updates if possible

16
HARDENING DHCP SERVERS
  • Dynamic Host Configuration Protocol (DHCP)
    servers running Windows 2000 and later must be
    authorized in a domain
  • DHCP servers can automatically update DNS
  • Protect DHCP servers with 802.1X authentication

17
HARDENING FILE SERVERS
  • Carefully audit share permission and NTFS file
    system permissions
  • Use source-IP filtering to block requests from
    external networks
  • Audit access to critical and confidential files

18
HARDENING IAS SERVERS
  • Enable Remote Authentication Dial-In User Service
    (RADIUS) message authenticators
  • Use quarantine control
  • Enable logging
  • Audit logs frequently

19
HARDENING EXCHANGE SERVER COMPUTERS
  • Encrypt mail traffic with Transport Layer
    Security (TLS)
  • Use Secure Sockets Layer (SSL) to protect Outlook
    Web Access (OWA)
  • Enable Security events logging
  • Audit for open relays to protect against spam

20
HARDENING EXCHANGE SERVER COMPUTERS (CONT.)
  • Use antispam software
  • Use antivirus software
  • Require strong passwords
  • Audit with MBSA

21
HARDENING SQL SERVER COMPUTERS
  • Use Windows authentication when possible
  • Use delegated authentication
  • Configure granular authentication in SQL Server
    databases
  • Audit SQL authentication requests
  • Disable SQL communication protocols except
    TCP/IP, and require encryption
  • Change the default port number

22
HARDENING SQL SERVER COMPUTERS (CONT.)
  • Audit custom applications for vulnerability to
    SQL injection attacks
  • Audit databases for unencrypted confidential
    contents:
      • User names and passwords
      • Credit-card numbers
      • Social Security numbers
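
One way to run the audit described above for two of the listed data types, as an added example that is not part of the presentation: scan every text column for Social Security number patterns and Luhn-valid card numbers. An in-memory sqlite3 database with constructed rows stands in for SQL Server so the code runs offline; the regular expressions are heuristic assumptions.

```python
import re
import sqlite3
# Added example; sqlite3 stands in for SQL Server, patterns are heuristics.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(value):
    """Return 'ssn', 'card' or None; non-text values (e.g. ciphertext) are skipped."""
    if not isinstance(value, str):
        return None
    if SSN_RE.search(value):
        return "ssn"
    for m in CARD_RE.finditer(value):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return "card"
    return None

def audit(conn):
    """Return sorted (table, column, kind) for columns holding cleartext matches."""
    findings = set()
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:  # table names come from the catalog, not from user input
        cur = conn.execute(f'SELECT * FROM "{table}"')
        cols = [d[0] for d in cur.description]
        for row in cur:
            for col, value in zip(cols, row):
                kind = classify(value)
                if kind:
                    findings.add((table, col, kind))
    return sorted(findings)

def sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, note TEXT, pan TEXT, pan_enc BLOB)")
    conn.executemany("INSERT INTO orders VALUES (?,?,?,?)", [  # constructed rows
        (1, "gift wrap", "4111 1111 1111 1111", b"\x8f\x02\xa1"),
        (2, "SSN on file 078-05-1120", "1234 5678 9012 3456", b"\x11\x7c\x3e"),
    ])
    return conn

if __name__ == "__main__":
    print(audit(sample_db()))
```

The second card-like value fails the Luhn check and is not reported, which keeps order numbers and similar digit runs out of the findings.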

23
SUMMARY
  • Create security templates for every server role
    in your organization
  • Apply security templates by using GPOs
  • Techniques such as disabling unnecessary services
    and enabling host-based firewalls can be used to
    harden any type of server
  • Server roles each have role-specific
    considerations, including:
      • Services that should be enabled
      • Ports that must be allowed
      • Logging that should be enabled