Hardened Notification Server Configuration
White Paper
22 March 2005
© 2006 Altiris Inc. All rights reserved.

ABOUT ALTIRIS

Altiris, Inc. is a pioneer of IT lifecycle management software that allows IT organizations to easily manage desktops, notebooks, thin clients, handhelds, industry-standard servers, and heterogeneous software including Windows, Linux, and UNIX. Altiris automates and simplifies IT projects throughout the life of an asset to reduce the cost and complexity of management. Altiris client and mobile, server, and asset management solutions natively integrate via a common Web-based console and repository. For more information, visit www.altiris.com.

NOTICE

INFORMATION IN THIS DOCUMENT: (I) IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY WITH RESPECT TO PRODUCTS OF ALTIRIS OR ITS SUBSIDIARIES (“PRODUCTS”), (II) REPRESENTS ALTIRIS’ VIEWS AS OF THE DATE OF PUBLICATION OF THIS DOCUMENT, (III) IS SUBJECT TO CHANGE WITHOUT NOTICE, AND (IV) SHOULD NOT BE CONSTRUED AS ANY COMMITMENT BY ALTIRIS. EXCEPT AS PROVIDED IN ALTIRIS’ LICENSE AGREEMENT GOVERNING ANY PRODUCTS OF ALTIRIS OR ITS SUBSIDIARIES (“PRODUCTS”), ALTIRIS ASSUMES NO LIABILITY WHATSOEVER, AND DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTIES RELATING TO THE USE OF ANY PRODUCTS, INCLUDING WITHOUT LIMITATION, WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY THIRD PARTY INTELLECTUAL PROPERTY RIGHTS. ALTIRIS ASSUMES NO RESPONSIBILITY FOR ANY ERRORS OR OMISSIONS CONTAINED IN THIS DOCUMENT AND ALTIRIS SPECIFICALLY DISCLAIMS ANY AND ALL LIABILITIES AND/OR OBLIGATIONS FOR ANY CLAIMS, SUITS OR DAMAGES ARISING FROM OR IN CONNECTION WITH THE USE OF, RELIANCE UPON OR DISSEMINATION OF THIS DOCUMENT AND/OR THE INFORMATION CONTAINED HEREIN.

Altiris may have patents or pending patent applications, trademarks, copyrights, or other intellectual property rights that relate to the Products referenced herein.
The furnishing of this document and other materials and information does not provide any license, express or implied, by estoppel or otherwise, to any foregoing intellectual property rights. No part of this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means without the express written consent of Altiris, Inc. Customers are solely responsible for assessing the suitability of the Products for use in particular applications. Products are not intended for use in medical, life saving, life sustaining, critical control or safety systems, or in nuclear facility applications.

Copyright © 2006, Altiris, Inc. All rights reserved.
Altiris, Inc.
588 West 400 South
Lindon, UT 84042
Phone: (801) 226-8500
Fax: (801) 226-8506

*Other company names or products mentioned are or may be trademarks of their respective owners. Information in this document is subject to change without notice. For the latest documentation, visit www.altiris.com.

CONTENTS

Introduction  1
Windows Server 2003 Installation  2
    Operating System Install  2
    Post Operating System Install  2
    Post Operating System Install Security  3
SQL Installation  4
    SQL Install  4
UrlScan Security Tool Configuration  5
Windows Server 2003 Components and Services Configuration  6
Essential Web Service Extensions Configuration  8
    Delete Virtual Directories  8
    Remove Unused Application Extensions  9
Enabling Only Essential IIS Components and Services  10
    Subcomponents of the Application Server  10
    Subcomponents of Internet Information Services (IIS)  11
    Subcomponents of Message Queuing  11
    Subcomponents of the Background Intelligent Transfer Service (BITS) Server Extension  11
    Subcomponents of the World Wide Web Service  11
Initiate Notification Server Install  13
NTFS Permissions  14
Complete CoreSettings Config  18
Complete Notification Server Setup  19
Altiris Solutions  20
    Alert Manager  20
    Altiris Knowledgebase  20
    Inventory Solution  20
    Software Delivery for Windows  20
    Directory Connector  21
    Patch Management Solution  21
Other Security Options  22
    SSL Encrypted Communications  22
    IIS IP Security  22
Comments and Feedback  23
Appendix A  24
    Windows Server 2003 Components and Services Configuration List  24
    Subcomponents of the Application Server List  37
    Subcomponents of Internet Information Services (IIS) List  38
    Subcomponents of the World Wide Web Service List  40

INTRODUCTION

The aim of this document is to provide a build guide for Altiris Administrators to configure secure Notification Servers using Microsoft recommendations on Web server/IIS-based application security. As Notification Server was designed as an internal infrastructure server to manage many (mostly anonymous) resources of various operating systems across multiple networks, some exceptions must be made to the default Microsoft recommendations to provide the required functionality. This has been done while still granting the absolute minimum access privileges to the minimum number of services and areas of the file system. Using the corporate firewall infrastructure to limit server access to managed resources will further reduce the possibility of unauthorized access to, or exploitation of, a Notification Server.

This Hardened Notification Server Configuration document has been designed for use either as a build guide for new secure Notification Servers or for comparison against customers’ existing server build standards.

WINDOWS SERVER 2003 INSTALLATION

Both Altiris and Microsoft recommend using Windows Server 2003* and Internet Information Server 6.0 for the most secure and stable Web-based application hosting. This document has been written specifically for Windows Server 2003 and should not be implemented on any other operating system. To ensure the operating system is in a known state, this process begins with an installation on a clean machine as follows:

Operating System Install

1. Insert the boot CD, turn on the computer, and boot from the CD.
2. Press the F6 key if SCSI or RAID drivers are required.
3. Press the Enter key to set up Windows.
4. Press the F8 key to agree to the EULA.
5. Select a partition to install to:
   - (Recommended) 4 GB for SYSTEM (SYS) (4096 MB).
   - (Recommended minimum) 6 GB for the NS/Application drive (DATA) (6144 MB).
   - SQL data and log files on DATA or an additional partition (size dependent on the number of managed resources x solutions installed).
6. Format using NTFS (required on all partitions).
7. Restart your computer as instructed to continue the install process.
8. Enter Region and Language options.
9. Enter Name and Organization details.
10. Enter the Product Key.
11. Select the License Mode from one of the following:
   - Per Server: must have sufficient licenses for Agents.
   - Per Device or User (Recommended): limited by license levels; will not cause client-to-server communication failures if license capacity is reached.
12. Enter the Computer Name and an Administrator password.
13. Make sure that the Administrator password conforms to complex password rules.
14. Select Date & Time and the Timezone.
15. Select Network Settings: Custom, then choose Protocols & Static IP (recommended).
16. Select Maximize data throughput for network applications under File & Print properties.
17. For Workgroup or Computer Domain, make the computer a member of a Domain if required (Notification Server cannot be installed on a DC).

Post Operating System Install

The system will restart after the installation process is complete. Next, perform the following steps:

1. Install the latest drivers.
2. Using the Manage Your Server wizard, add the Application Server (IIS, ASP.NET) role with the following configuration:
   - Do not enable FrontPage Extensions.
   - Enable ASP.NET.
3. Apply .NET Framework 1.1 SP1 (Windows 2003 version).
4. Restart the computer.
5. Run a manual Windows Update to install the latest Microsoft hotfixes.
   Automatic Updates should be disabled to ensure patches are reviewed before implementation. Altiris Patch Management can be used to automate this function.

Post Operating System Install Security

Once the machine is updated, change the default security settings:

1. Manage ‘Local Users and Groups’.
2. Change the Administrator account name to a non-default name.
3. Create a user for the NS application identity. This user must be (at a minimum) a member of the local Administrators group; remove the user from the local Users group. A domain administrator account can be used, but to limit the access available to a malicious user a local administrator is preferred.

SQL INSTALLATION

This section describes the steps involved when installing SQL onto the same host machine you have just configured for a Notification Server.

Note: If you are using a SQL database on a remote host, skip this section.

SQL Install

1. Run the SQL 2000 setup executable (setupSQL.exe).
2. Setup Type: select Custom.
3. Destination Folder:
   - Program Files: on a system or application partition.
   - Data Files: on a non-system, non-application partition.
4. Components:
   - All Server Components.
   - All Management Tools.
   - All Client Connectivity.
5. Services Accounts:
   - Use the same account for both services.
   - Use the local system account.
6. Authentication Mode:
   - Mixed Mode, if SQL authentication is to be used for NS database access.
   - Set an SA password that conforms to complex password rules.
7. Collation Settings: the default SQL collation (‘Latin1_General’) is recommended.
8. Install SQL 2000 SP3a. This is the minimum requirement of Notification Server 6.

URLSCAN SECURITY TOOL CONFIGURATION

The UrlScan* application from Microsoft is not required for IIS 6.0, as IIS 6.0 contains many of the UrlScan security changes by default.
The additional security features that UrlScan installs on IIS 6.0 are known to cause failures in Notification Server client-to-server communications and in localization support. We therefore strongly recommend that UrlScan is not installed on any IIS 6.0 system hosting Notification Server. For more information on UrlScan and IIS 6.0, consult the following Microsoft document:

http://www.microsoft.com/technet/security/tools/urlscan.mspx?pf=true

WINDOWS SERVER 2003 COMPONENTS AND SERVICES CONFIGURATION

For a Notification Server-specific configuration, implement the following Microsoft settings. A comprehensive list of Windows Server 2003 Components and Services Configuration settings is given in Appendix A and at the following URL:

http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?

Service Name | State
Application Management | Disable
Automatic Updates | Disable
Background Intelligent Transfer Service | Disable
ClipBook | Disable
Distributed File System | Disable
Distributed Link Tracking Client | Disable
Distributed Link Tracking Server | Disable
Error Reporting Service | Disable
Fax Service | Disable
Indexing Service | Disable
Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS) | Disable
NetMeeting Remote Desktop Sharing | Disable
Performance Logs and Alerts | See comment (Appendix A); optional setting.
Print Spooler | Disable
Remote Access Auto Connection Manager | Disable
Remote Access Connection Manager | Disable
Remote Desktop Help Session Manager | Disable
Remote Procedure Call (RPC) Locator | Disable
Remote Registry | Disable
Removable Storage | Disable
Telephony | Disable
Telnet | Disable
Upload Manager | Disable
WinHTTP Web Proxy Auto-Discovery | Disable
Wireless Configuration | Disable
WMI Performance Adapter | Disable

ESSENTIAL WEB SERVICE EXTENSIONS CONFIGURATION

For a Notification Server-specific configuration, implement the following Microsoft settings. If you are using this document as a server install guide, FrontPage Server Extensions 2002 will not be present as an option. Please refer to the link below for more information:

http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/iisdg_sec_ntwp.asp

Web Service Extension | Description
Active Server Pages | Notification Server requires this extension to be Allowed.
ASP.NET version 1.1.4322 | Notification Server requires this extension to be Allowed.
FrontPage Server Extensions 2002 | Neither Notification Server nor any Solutions require this extension. Set to Prohibited for maximum security.
Internet Data Connector | Neither Notification Server nor any Solutions require this extension. Set to Prohibited for maximum security.
Server-Side Includes | Neither Notification Server nor any Solutions require this extension. Set to Prohibited for maximum security.
WebDAV | Neither Notification Server nor any Solutions require this extension. Set to Prohibited for maximum security.
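The service table above can be checked (and, if wanted, applied) from the command line rather than by hand in the Services console. The following PowerShell script is an added example written for this page; it is not code from the white paper or from Altiris. It assumes PowerShell is installed on the Windows Server 2003 host and that it runs as a local Administrator. The short service names it pairs with the table's display names are the standard Windows Server 2003 names (confirm on the host with `sc query`); "Performance Logs and Alerts" is marked optional in the table and is left alone.

```powershell
# Added example (not from the Altiris white paper): audit the startup type of
# every service the hardening table sets to Disable and optionally apply it.
# Assumes PowerShell on the Windows Server 2003 host, run as local Administrator.
param([switch]$Apply)

# Display name from the table -> Windows service (short) name. The short names
# are the standard Windows Server 2003 ones; verify with "sc query" if in doubt.
$DisabledServices = @{
    'Application Management'                                               = 'AppMgmt'
    'Automatic Updates'                                                    = 'wuauserv'
    'Background Intelligent Transfer Service'                              = 'BITS'
    'ClipBook'                                                             = 'ClipSrv'
    'Distributed File System'                                              = 'Dfs'
    'Distributed Link Tracking Client'                                     = 'TrkWks'
    'Distributed Link Tracking Server'                                     = 'TrkSvr'
    'Error Reporting Service'                                              = 'ERSvc'
    'Fax Service'                                                          = 'Fax'
    'Indexing Service'                                                     = 'cisvc'
    'Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS)' = 'SharedAccess'
    'NetMeeting Remote Desktop Sharing'                                    = 'mnmsrvc'
    'Print Spooler'                                                        = 'Spooler'
    'Remote Access Auto Connection Manager'                                = 'RasAuto'
    'Remote Access Connection Manager'                                     = 'RasMan'
    'Remote Desktop Help Session Manager'                                  = 'RDSessMgr'
    'Remote Procedure Call (RPC) Locator'                                  = 'RpcLocator'
    'Remote Registry'                                                      = 'RemoteRegistry'
    'Removable Storage'                                                    = 'NtmsSvc'
    'Telephony'                                                            = 'TapiSrv'
    'Telnet'                                                               = 'TlntSvr'
    'Upload Manager'                                                       = 'uploadmgr'
    'WinHTTP Web Proxy Auto-Discovery'                                     = 'WinHttpAutoProxySvc'
    'Wireless Configuration'                                               = 'WZCSVC'
    'WMI Performance Adapter'                                              = 'WmiApSrv'
}

function Get-StartMode([string]$ShortName) {
    # Win32_Service.StartMode is Auto, Manual or Disabled. $null means the
    # service is not installed (for example Fax on a host without that component).
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$ShortName'"
    if ($svc) { $svc.StartMode } else { $null }
}

function Test-DisabledServices([switch]$Apply) {
    foreach ($display in ($DisabledServices.Keys | Sort-Object)) {
        $short = $DisabledServices[$display]
        $mode  = Get-StartMode $short
        if ($mode -eq $null) {
            $result = 'not installed'
        } elseif ($mode -eq 'Disabled') {
            $result = 'OK'
        } else {
            $result = "DEVIATION (startup type $mode)"
            if ($Apply) {
                # Stop the service if it is running, then prevent it from starting again.
                Stop-Service -Name $short -Force -ErrorAction SilentlyContinue
                Set-Service  -Name $short -StartupType Disabled
                $result += ' -> set to Disabled'
            }
        }
        '{0,-70} {1,-20} {2}' -f $display, $short, $result
    }
}

# Report only by default; ".\Check-Services.ps1 -Apply" also disables the deviations.
Test-DisabledServices -Apply:$Apply
```

Run it without `-Apply` first: the report shows which services deviate from the table, and a service reported as "not installed" needs no action. Re-run after any change to Add/Remove Windows Components, since adding a component can reinstall one of these services with its default startup type.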
Delete Virtual Directories

Open the IIS configuration manager and, from the IIS Default Web Site, delete the following virtual directories if they are present:

Note: If you are using this document as a server install guide, these folders will not be present.

- /IIS Samples
- /MSADC
- /IIS Help
- /Scripts
- /IIS Admin
- /Printers

Remove Unused Application Extensions

This section lists the application extensions in the IIS configuration manager that are required by Notification Server. All unnecessary extensions are removed.

1. Open the Default Web Site properties.
2. On the Home Directory tab, click the Configuration button in the Application Settings section.
3. In the Application extensions section of the Mappings tab, delete all extensions except the following, which are used by Notification Server:
   - .asa
   - .asax
   - .asmx
   - .asp
   - .aspx

ENABLING ONLY ESSENTIAL IIS COMPONENTS AND SERVICES

IIS 6.0 includes other components and services in addition to the WWW service, such as the File Transfer Protocol (FTP) service and the Simple Mail Transfer Protocol (SMTP) service. You can install and enable IIS components and services by using the Application Server subcomponent, which is found in Add or Remove Windows Components in Add or Remove Programs in Control Panel. After installing IIS, you need to enable the IIS 6.0 components and services that are required by the Web sites and applications running on your Web server. Enable only the essential IIS 6.0 components and services that are required by your Web sites and applications; enabling unnecessary components and services increases the attack surface of the Web server.

Subcomponents of the Application Server

The following settings apply to the Notification Server hardened configuration. Please see Appendix A for the complete list of subcomponents of the Application Server.
Service Name | Setting
Enable network DTC access | Disable
Message Queuing | Disable

Subcomponents of Internet Information Services (IIS)

The following settings apply to the Notification Server hardened configuration. See Appendix A for the complete list of subcomponents of Internet Information Services (IIS).

Service Name | Setting
Background Intelligent Transfer Service (BITS) server extension | Disable
File Transfer Protocol (FTP) Service | Disable
FrontPage 2002 Server Extensions | Disable
Internet Information Services Manager | Enabled
Internet Printing | Disable
NNTP Service | Disable
SMTP Service | Disable

Subcomponents of Message Queuing

Message Queuing is not required by Notification Server and should be disabled.

Subcomponents of the Background Intelligent Transfer Service (BITS) Server Extension

The BITS server extension is not required by Notification Server and should be disabled.

Subcomponents of the World Wide Web Service

The following settings apply to the Notification Server hardened configuration. Please see Appendix A for the complete list of subcomponents of the World Wide Web Service.

Service Name | Setting
Active Server Pages | Enabled
Internet Data Connector | Disable
Remote Administration (HTML) | Disable
Remote Desktop Web Connection | Disable
Server-Side Includes | Disable
WebDAV Publishing | Disable

INITIATE NOTIFICATION SERVER INSTALL

4. Copy Altiris_NS_6_0.exe to a local partition and execute it while logged on as an Administrator on the local host. Run through the install wizard using all defaults.
5. When the Notification Server setup wizard is launched, exit Internet Explorer without entering any details.
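The IIS-side settings from the preceding sections (the Web service extensions that must be Allowed or Prohibited, the default virtual directories to delete, and the application extension mappings to keep) all live in the IIS 6.0 metabase, so they can be audited in one pass. The following PowerShell script is an added example written for this page; it is not code from the white paper or from Altiris. It uses the IIS ADSI provider (IIS://) that ships with IIS 6.0 and assumes PowerShell is installed on the host, that the script runs as a local Administrator, that the Default Web Site is metabase instance W3SVC/1, that the sample virtual directories are stored under their space-free metabase names (IISSamples, IISHelp, IISAdmin), and that the extension group IDs are those IIS 6.0 records in WebSvcExtRestrictionList (ASP, ASP.NET v1.1.4322, FPSE, HTTPODBC, SSINC, WEBDAV). It reports deviations only; the changes themselves are made in IIS Manager as the sections above describe.

```powershell
# Added example (not from the Altiris white paper): audit the IIS 6.0 metabase
# against the Web service extension, virtual directory and application extension
# (script map) rules of the hardening guide. Read-only; reports deviations.
# Assumptions: PowerShell on the IIS 6.0 host, run as local Administrator,
# Default Web Site = W3SVC/1.

# Extension group IDs as stored in the metabase WebSvcExtRestrictionList.
$MustBeAllowed    = @('ASP', 'ASP.NET v1.1.4322')            # Active Server Pages, ASP.NET 1.1
$MustBeProhibited = @('FPSE', 'HTTPODBC', 'SSINC', 'WEBDAV')   # FrontPage, IDC, SSI, WebDAV
# Application extensions the guide keeps mapped on the Default Web Site.
$KeepMappings     = @('.asa', '.asax', '.asmx', '.asp', '.aspx')
# Virtual directories the guide deletes (metabase names carry no spaces).
$DeleteVdirs      = @('IISSamples', 'MSADC', 'IISHelp', 'Scripts', 'IISAdmin', 'Printers')

function Test-WebServiceExtensions {
    $w3svc = [ADSI]'IIS://localhost/W3SVC'
    # Each entry reads "Allowed,Path,UIDeletable,GroupID,Description"; Allowed is 1 or 0.
    $allowed = @{}
    foreach ($entry in $w3svc.Properties['WebSvcExtRestrictionList']) {
        $f = "$entry".Split(',')
        if ($f.Count -ge 4) { $allowed[$f[3]] = ($f[0] -eq '1') }
    }
    foreach ($g in $MustBeAllowed) {
        if ($allowed[$g] -eq $true) { "OK        : extension group '$g' is Allowed" }
        else { "DEVIATION : extension group '$g' is not Allowed (Notification Server requires it)" }
    }
    foreach ($g in $MustBeProhibited) {
        if ($allowed[$g] -eq $true) { "DEVIATION : extension group '$g' is Allowed; set it to Prohibited" }
        else { "OK        : extension group '$g' is Prohibited or not installed" }
    }
}

function Test-VirtualDirectories {
    $root     = [ADSI]'IIS://localhost/W3SVC/1/ROOT'
    $unwanted = $DeleteVdirs | ForEach-Object { $_.ToLower() }
    foreach ($child in $root.Children) {
        if ($child.SchemaClassName -ne 'IIsWebVirtualDir') { continue }
        $name = "$($child.Name)"
        if ($unwanted -contains $name.ToLower()) {
            "DEVIATION : virtual directory '$name' is still present under the Default Web Site"
        }
    }
}

function Test-ScriptMaps {
    $root = [ADSI]'IIS://localhost/W3SVC/1/ROOT'
    # Each ScriptMaps entry reads "extension,processor,flags[,verb,...]";
    # ADSI returns the effective (inherited) list for the site root.
    foreach ($map in $root.Properties['ScriptMaps']) {
        $ext = "$map".Split(',')[0]
        if ($KeepMappings -notcontains $ext) {
            "DEVIATION : application extension '$ext' is still mapped on the Default Web Site"
        }
    }
}

Test-WebServiceExtensions
Test-VirtualDirectories
Test-ScriptMaps
```

A clean host prints only OK lines for the six extension groups and nothing for the other two checks. Keep the script with the build standard and run it after any IIS component is added or removed, since re-adding a component can restore its sample directories and extension mappings.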
NTFS PERMISSIONS

Variables used in this section:
- IUSR_% represents the Internet Guest Account, where % is the local hostname.
- %Windir% is the Windows install folder.
- %NSinstallpath% is the Notification Server install path.

When applying permissions during this section, ignore errors on files (for example, Pagefile.sys).

1. Open the properties of all partition/drive roots (for example, C, D, and so on), click the Security tab and configure as follows:
   - Remove the Everyone user.
   - Remove the Users group.
   - Add Network Service with List permissions.
   - Select Replace permissions on all child objects.
   Note: Network Service must have minimum permissions to the root of all partitions from which IIS will load content.
2. Modify the security on all sub-folders of all partition roots as follows:
   - Uncheck the Allow inheritable permissions to propagate from parent object option and copy the existing permissions.
   - Remove the Network Service user.
   - Select Replace permissions on all child objects.
3. Modify the security of the Documents and Settings folder as follows:
   - Add the Network Service user with Full Control permissions.
   - Select Replace permissions on all child objects.
4. Modify the Program Files\Common Files folder security as follows:
   - Add the Network Service user with List, Read, and Execute permissions.
   - Add the IUSR_% user with List, Read, and Execute permissions.
   - Add the IIS_WPG group with List, Read, and Execute permissions.
   - Select Replace permissions on all child objects.
5. Modify the Inetpub folder security as follows:
   - Add the Network Service user with List, Read, and Execute permissions.
   - Select Replace permissions on all child objects.
6. Modify the Inetpub\wwwroot folder security:
   - Add the IUSR_% user with List, Read, and Execute permissions.
   - Add the IIS_WPG group with List, Read, and Execute permissions.
   - Select Replace permissions on all child objects.
7. Modify the security of the %windir%\Microsoft.NET\Framework\v1.1.4322 folder:
   - Add the Network Service user with Full Control permissions.
   - Select Replace permissions on all child objects.
8. Modify the %windir%\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll file security as follows:
   - Add the IUSR_% user with Read and Execute permissions.
   - Add the IIS_WPG group with Read and Execute permissions.
9. Modify the security of the %windir%\Help, %windir%\Assembly, and %windir%\Fonts folders as follows (use the Ctrl key to select all three folders at once; click Properties on Help or Fonts, not Assembly):
   - Add the Network Service user with List, Read, and Execute permissions.
   - Select Replace permissions on all child objects.
10. Modify the security of the %windir%\WinSxS folder:
   - Add the Network Service user with List, Read, and Execute permissions.
   - Select Replace permissions on all child objects.
11. Modify the security of the %windir%\Temp, %windir%\Registration, and %windir%\Debug folders as follows (use the Ctrl key to select all three folders at once):
   - Add the Network Service user with Full Control permissions.
   - Select Replace permissions on all child objects.
12. Modify the %windir%\IIS Temporary Compressed Files folder security:
   - Add the Network Service user with Full Control permissions.
   - Add the IIS_WPG group with List, Read, and Execute permissions.
   - Select Replace permissions on all child objects.
13. Modify the security of the %windir%\System32 folder as follows:
   - Add the Network Service user with List, Read, and Execute permissions.
   - Select Replace permissions on all child objects.
   - Add the Local Service group with List, Read, and Execute permissions (do this after replacing permissions on child objects).
   Note: Local Service is a hidden group.
14. Modify the %windir%\System32\MsDtc folder as follows:
   - Edit the Local Service group to have Modify, List, Read, Execute and Write permissions.
   - Edit the Network Service group to have Modify, List, Read, Execute and Write permissions.
   - Select Replace permissions on all child objects.
15. Modify the %windir%\System32\Inetsrv folder security:
   - Edit the Network Service user to have Full Control permissions.
   - Add the IUSR_% user with List, Read, and Execute permissions.
   - Add the IIS_WPG group with List, Read, and Execute permissions.
   - Select Replace permissions on all child objects.
16. Modify the security of the %windir%\System32\Inetsrv\History, %windir%\System32\Inetsrv\Iisadmpwd, and %windir%\System32\Inetsrv\Metaback folders as follows (use the Ctrl key to select all three folders at once):
   - Uncheck the Allow inheritable permissions to propagate from parent object option and copy the existing permissions.
   - Remove the IUSR_% user.
   - Remove the IIS_WPG group.
   - Select Replace permissions on all child objects.
17. Modify the security of the %windir%\Help\iisHelp\common folder as follows:
   - Add the IUSR_% user with List, Read, and Execute permissions.
   - Add the IIS_WPG group with List, Read, and Execute permissions.
   - Select Replace permissions on all child objects.
18. Modify the security of the %NSinstallpath%\Altiris folder:
   - Edit the Network Service user to have List, Read, and Execute permissions.
   - Select Replace permissions on all child objects.
19. Modify the %NSinstallpath%\Altiris\Altiris Web folder security as follows:
   - Add the IUSR_% user with List, Read, and Execute permissions.
   - Add the IIS_WPG group with List, Read, and Execute permissions.
   - Select Replace permissions on all child objects.
20. Modify the security of the %NSinstallpath%\Notification Server\Logs folder:
   - Add the Network Service user with Full Control permissions.
   - Add the IUSR_% user with Full Control permissions.
   - Add the IIS_WPG group with Full Control permissions.
   - Select Replace permissions on all child objects.
21. Modify the security of the %NSinstallpath%\Notification Server\NScap\Bin and Notification Server\NScap\Help folders as follows (use the Ctrl key to select all three folders at once):
   - Add the IUSR_% user with List, Read, and Execute permissions.
   - Add the IIS_WPG group with List, Read, and Execute permissions.
   - Select Replace permissions on all child objects.
22. Modify the security of the %NSinstallpath%\Notification Server\NScap\EvtInbox folder:
   - Add the IUSR_% user with List, Read, and Execute permissions.
   - Add the IIS_WPG group with List, Read, and Execute permissions.
   - Select Replace permissions on all child objects.
   Note: The IUSR_% user and the local Users group will require Full Control of this folder if stand-alone inventory is to be posted to the Notification Server.
23. Modify the security of the %NSinstallpath%\Notification Server\NScap\EvtQFast, Notification Server\NScap\EvtQLarge, Notification Server\NScap\EvtQSlow, Notification Server\NScap\EvtQueue, and Notification Server\NScap\Temp folders as follows (use the Ctrl key to select all five folders at once):
   - Edit the Network Service user to have Full Control permissions.
   - Add the IUSR_% user with Write and Modify permissions.
   - Add the IIS_WPG group with Write and Modify permissions.
   - Select Replace permissions on all child objects.
24. Modify the security of the %NSinstallpath%\Notification Server\Agent folder:
   - Add the IUSR_% user with List, Read, and Execute permissions.
   - Add the IIS_WPG group with List, Read, and Execute permissions.
   - Select Replace permissions on all child objects.
25. Modify the security of the %NSinstallpath%\Notification Server\Bin\Aexloglib.dll and Notification Server\Bin\AeXNSEventRouter.dll files as follows:
   - Add the IUSR_% user with Read and Execute permissions.
   - Add the IIS_WPG group with Read and Execute permissions.
26. Modify the %NSinstallpath%\Notification Server\Bin\Isapi folder security:
   - Add the IUSR_% user with List, Read, and Execute permissions.
   - Add the IIS_WPG group with List, Read, and Execute permissions.
   - Select Replace permissions on all child objects.
27. At the command prompt, run the Iisreset command.

COMPLETE CORESETTINGS CONFIG

1. Modify %NSinstallpath%\Notification Server\Config\CoreSettings.config and set the value attribute of the following line to 0, as shown:

   <customSettings key="GenerateNSUNCPackageCodebases" type="local" value="0" />

   This setting disables UNC package downloads, as UNC validation is problematic in a secure environment.

COMPLETE NOTIFICATION SERVER SETUP

Ensure the SQL service is running, open Internet Explorer, and run the Notification Server setup wizard from:

http://localhost/altiris/ns/install/NSsetup.aspx

ALTIRIS SOLUTIONS

Alert Manager

After the initial Notification Server configuration, Alert Manager (installed with NS) will not function. If Alert Manager is required, complete the following steps. This may not be required on some configurations.

1. Open the Altiris\Helpdesk\AeXHD folder properties, click the Security tab and configure it as follows:
   - Add the IIS_WPG group with List, Read, and Execute permissions.
   - Select Replace permissions on all child objects.
2. In the IIS configuration manager, open the properties of the AeXHD virtual directory under the Default Web Site and configure it as follows:
   - On the Virtual Directory tab, select the Create option in the Application settings section.
   - Select AeXHD as the application pool.
   - At the command prompt, run the Iisreset command.

Altiris Knowledgebase

After the initial Notification Server configuration, the Altiris Knowledgebase (installed with Notification Server) will not function.
If the Altiris Knowledgebase is required, complete the following steps. This may not be required on some configurations.

1. Open the Altiris\Helpdesk\AeXKB folder’s properties (right-click > Properties), click the Security tab and configure it as follows:
   - Add the IIS_WPG group with List, Read, and Execute permissions.
   - Select Replace permissions on all child objects.
2. In the IIS configuration manager, open the properties of the AeXKB virtual directory under the Default Web Site and configure it as follows:
   - On the Virtual Directory tab, select the Create option in the Application settings section.
   - Select AeXKB as the application pool.
   - At the command prompt, run the Iisreset command.

Inventory Solution

This process has been tested with Inventory Solution for Windows version 6.0.139 with no further security modifications required.

Software Delivery for Windows

This process has been tested with Software Delivery Solution for Windows version 6.1.1011 with no further security modifications required.

Directory Connector

This process has been tested with Directory Connector Solution version 6.0.577 with no further security modifications required.

Patch Management Solution

This process has been tested with Patch Management Solution for Windows version 6.0.1136 with the following security modifications required:

Open the properties of the Altiris\Patch Management\Packages folder, click the Security tab and configure it as follows:
- Add the IUSR_% user with List, Read, and Execute permissions.
- Add the IIS_WPG group with List, Read, and Execute permissions.
- Select Replace permissions on all child objects.

OTHER SECURITY OPTIONS

SSL Encrypted Communications

Secure Sockets Layer encryption can be used to encrypt client-server communications and to prevent impersonation of the server by an alternate host.
Please see the Configuring Notification Server to use S SL section of the Notification Server Help Guide for instructions on configuring SSL. IIS IP security IIS can be configured to use and source IP based security processes to allow or deny access to IIS based upon a client’s source IP address. The preferred configuration option is to configure IIS to deny all hosts except those listed in an exceptions list. This list may contain either a single IP address, a range of IP addresses, or source machine domain names. Listing all the IP ranges of machines managed b y the Notification Server (and none others) is a good method of preventing access to the Notification Server by external networks. Note: Specifying source domain names can cause an impact on system performance as a reverse DNS lookup is required for every client to server connection and is not recommended in environments where performance is a concern. 22 < Hardened Notification Server Configuration www.altiris.com COMMENTS AND FEEDBACK www.altiris.com This is a first revision document and the processes contained within have not been subjected to wide scale production implementation. W e recommend that for maximum security only Notification Server (including Altiris Solutions) and Microsoft SQL server are hosted on the server. The recommendations made in this document do not consider requirements of any other applications and may likely impact their operation. For comments and feedback, click on the Submit detailed feedback link to the right of this article. Hardened Notification Server Configuration > 23 APPENDIX A Windows Server 2003 Components and Services Configuration List Service Name Default Startup Type Recommended Startup Type Comment Alerter Disabled No change Notifies selected users and computers of administrative alerts. Application Layer Gateway Service Manual No change Provides support for application-level plug-ins and enables network and protocol connectivity. 
Application Management | Manual | Disable | Provides software installation services for applications that are deployed in Add or Remove Programs in Control Panel. Neither Notification Server nor any Solutions require this service to be running. Disable this setting for maximum security. NOTE: This service must be reset to Manual should any changes be made to the Add/Remove Programs or Windows Components section.
Automatic Updates | Automatic | Disable | Provides the download and installation of critical Windows updates, such as security patches and hotfixes. Manual Windows Update may still be run. Neither Notification Server nor any Solutions require this service to be running. Disable this setting for maximum security.
Background Intelligent Transfer Service | Manual | Disable | Provides a background file-transfer mechanism and queue management, and it is used by Automatic Update to automatically download programs (such as security patches). Neither Notification Server nor any Solutions require this service to be running. Disable this setting for maximum security.
ClipBook | Disabled | See comment | Enables the Clipbook Viewer to create and share data that can be reviewed by remote users.
COM+ Event System | Manual | No change | Provides automatic distribution of events to COM+ components.
COM+ System Application | Manual | No change | Manages the configuration and tracking of COM+-based components.
Computer Browser | Automatic | No change | Maintains the list of computers on the network, and supplies the list to programs that request the list.
Cryptographic Services | Automatic | No change | Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from the Web server; and Key Service, which helps in enrolling certificates.
DHCP Client | Automatic | No change | Required to automatically obtain IP configuration and to dynamically update records in DNS.
Distributed File System | Automatic | Disable | Manages logical volumes that are distributed across a local area network (LAN) or wide area network (WAN). Neither Notification Server nor any Solutions require this service to be running. Disable this setting for maximum security.
Distributed Link Tracking Client | Automatic | Disable | Maintains links between NTFS V5 file system files within the Web server and other servers in the domain. Neither Notification Server nor any Solutions require this service to be running. Disable this setting for maximum security.
Distributed Link Tracking Server | Manual | Disable | Tracks information about files that are moved between NTFS V5 volumes throughout a domain. Neither Notification Server nor any Solutions require this service to be running. Disable this setting for maximum security.
Distributed Transaction Coordinator | Automatic | No change | Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems.
DNS Client | Automatic | No change | Allows resolution of DNS names.
Error Reporting Service | Automatic | Disable | Collects, stores, and reports unexpected application crashes to Microsoft. If this service is stopped, then Error Reporting will occur only for kernel faults. Neither Notification Server nor any Solutions require this service to be running. Disable this setting for maximum security.
Event Log | Automatic | No change | Writes event log messages that are issued by Windows-based programs and components to the log files.
Fax Service | Manual | Disable | Provides the ability to send and receive faxes through fax resources that are available on the Web server and network. Neither Notification Server nor any Solutions require this service to be running. Disable this setting for maximum security.
File Replication Service | Manual | No change | Enables files to be automatically copied and maintained simultaneously on multiple servers.
Help and Support | Automatic | No change | Enables Help and Support Center to run on the Web server.
HTTP SSL | Manual | No change | Implements the Secure Hypertext Transfer Protocol (HTTPS) for the HTTP service by using SSL. HTTP.sys automatically starts this service when any Web sites require SSL.
Human Interface Device Access | Disabled | No change | Enables generic input to Human Interface Devices (HIDs), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices.
IMAPI CD-Burning COM Service | Disabled | No change | Manages CD recording by using the Image Mastering API (IMAPI).
Indexing Service | Manual | Disable | Indexes content and properties of files on the Web server to provide rapid access to the file through a flexible query language. Neither Notification Server nor any Solutions require this service to be running. Disable this setting for maximum security.
Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS) | Disabled | Disable | Provides network address translation (NAT), addressing and name resolution, and intrusion detection when connected through a dial-up or broadband connection. Neither Notification Server nor any Solutions require this service to be running. Disable this setting for maximum security.
Intersite Messaging | Disabled | No change | Required by Distributed File System (DFS).
IPSec Services | Automatic | No change | Provides management and coordination of Internet Protocol security (IPSec) policies with the IPSec driver.
Kerberos Key Distribution Center | Disabled | No change | Provides the ability for users to log on using the Kerberos V5 authentication protocol.
License Logging Service | Disabled | No change | Monitors and records client access licensing for portions of the operating system, such as IIS, Terminal Services, and file and print sharing, and for products that are not a part of the operating system, such as Microsoft SQL Server or Microsoft Exchange Server. On a dedicated Web server, this service can be disabled.
Logical Disk Manager | Automatic | No change | Required to ensure that dynamic disk information is up to date.
Logical Disk Manager Administrative Service | Manual | No change | Required to perform disk administration.
Messenger | Disabled | No change | Transmits net sends and Alerter service messages between clients and servers.
Microsoft Software Shadow Copy | Manual | No change | Manages software-based volume shadow copies taken by the Volume Shadow Copy service. On a dedicated Web server, this service can be disabled when volume shadow copies are not used.
Net Logon | Manual | No change | Maintains a secure channel between the domain controller, other domain controllers, member servers, and workstations in the same domain and trusted domains.
NetMeeting Remote Desktop Sharing | Manual | Disable | Eliminates potential security threats by allowing domain-controller remote administration through NetMeeting.
Network Connections | Manual | No change | Manages objects in the Network Connections directory.
Network DDE | Disabled | No change | Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the Web server. This service can be disabled when no DDE applications are running locally on the Web server.
Network DDE DSDM | Disabled | No change | Used by Network DDE. This service can be disabled when Network DDE is disabled.
Network Location Awareness (NLA) | Manual | No change | Collects and stores network configuration and location information, and notifies applications when this information changes.
NTLM Security Support Provider | Manual | No change | Provides security to RPC programs that use transports other than named pipes, and enables users to log on using the NTLM authentication protocol.
Performance Logs and Alerts | Manual | See comment | Collects performance data for the domain controller, writes the data to a log, or generates alerts. This service can be set to automatic when you want to log performance data or generate alerts without an administrator being logged on.
Plug and Play | Automatic | No change | Required to automatically recognize and adapt to changes in the Web server hardware with little or no user input.
Portable Media Serial Number Service | Manual | No change | Retrieves the serial number of any portable media player that is connected to the computer.
Print Spooler | Automatic | Disable | Manages all local and network print queues and controls all print jobs. Neither Notification Server nor any Solutions require this service to be running. Disable this setting for maximum security.
Protected Storage | Automatic | No change | Protects storage of sensitive information, such as private keys, and prevents access by unauthorized services, processes, or users. This service is used on a dedicated Web server for smart-card logon.
Remote Access Auto Connection Manager | Manual | Disable | Detects unsuccessful attempts to connect to a remote network or computer and provides alternative methods for connection. Neither Notification Server nor any Solutions require this service to be running. Disable this setting for maximum security.
Remote Access Connection Manager | Manual | Disable | Manages VPN and dial-up connections from the Web server to the Internet or other remote networks. Neither Notification Server nor any Solutions require this service to be running. Disable this setting for maximum security.
Remote Desktop Help Sessions Manager | Manual | Disable | Manages and controls Remote Assistance. Neither Notification Server nor any Solutions require this service to be running. Disable this setting for maximum security.
Remote Procedure Call (RPC) | Automatic | No change | Serves as the RPC endpoint mapper for all applications and services that use RPC communications.
Remote Procedure Call (RPC) Locator | Manual | Disable | Enables RPC clients using the RpcNs* family of application programming interfaces (APIs) to locate RPC servers and manage the RPC name service database. Neither Notification Server nor any Solutions require this service to be running. Disable this setting for maximum security.
Remote Registry Service | Automatic | Disable | Enables remote users to modify registry settings on the Web server, provided the remote users have the required permissions. By default, only members of the Administrators and Backup Operators groups can access the registry remotely. Neither Notification Server nor any Solutions require this service to be running. Disable this setting for maximum security.
Removable Storage | Manual | Disable | Manages and catalogs removable media, and operates automated removable media devices, such as tape auto loaders or CD jukeboxes. Neither Notification Server nor any Solutions require this service to be running. Disable this setting for maximum security.
Resultant Set of Policy Provider | Manual | No change | Enables a user to connect to a remote computer, access the Windows Management Instrumentation (WMI) database for that Web server, and then either verify the current Group Policy settings or check the settings before they are applied.
Routing and Remote Access | Disabled | No change | Enables LAN-to-LAN, LAN-to-WAN, VPN, and NAT routing services.
Secondary Logon | Automatic | No change | Allows you to run specific tools and programs with different permissions and user rights than the default permissions and user rights of the account under which you logged on.
Security Accounts Manager | Automatic | No change | A protected subsystem that manages user and group account information.
Server | Automatic | No change | Provides RPC support, file sharing, print sharing, and named pipe sharing over the network.
Shell Hardware Detection | Automatic | No change | Provides notification for AutoPlay hardware events.
Smart Card | Manual | No change | Manages and controls access to a smart card that is inserted into a smart card reader attached to the Web server.
Special Administration Console Helper | Manual | No change | Allows administrators to remotely access a command prompt by using Emergency Management Services. This service can be disabled when Emergency Management Services is not being used to remotely manage the Web server.
System Event Notification | Automatic | No change | Monitors system events and notifies subscribers to the COM+ Event System of these events.
Task Scheduler | Automatic | No change | Provides the ability to schedule automated tasks on the Web server.
TCP/IP NetBIOS Helper Service | Automatic | No change | Provides support for the NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution for clients.
Telephony | Manual | Disable | Provides Telephony API (TAPI) support for client programs that control telephony devices and IP-based voice connections. Neither Notification Server nor any Solutions require this service to be running. Disable this setting for maximum security.
Telnet | Manual | Disable | Enables a remote user to log on and run applications from a command line on the Web server. Neither Notification Server nor any Solutions require this service to be running. Disable this setting for maximum security.
Terminal Services | Manual | See comment | Allows multiple remote users to be connected interactively to the Web server, and provides display of desktops and running applications. To reduce the attack surface, disable Terminal Services unless it is used for remote administration of branch offices or headless Web servers.
Terminal Services Session Directory | Disabled | No change | Enables a user connection request to be routed to the appropriate terminal server in a cluster.
Themes | Disabled | No change | Provides user-experience theme management.
Uninterruptible Power Supply | Automatic | No change | Manages an uninterruptible power supply (UPS) that is connected to the Web server by a serial port.
Upload Manager | Manual | Disable | Manages the synchronous and asynchronous file transfers between clients and servers on the network. Driver data is anonymously uploaded from these transfers and then used by Microsoft to help users find the drivers they need. Neither Notification Server nor any Solutions require this service to be running. Disable this setting for maximum security. To reduce the attack surface, disable this service on dedicated Web servers.
Virtual Disk Service | Manual | No change | Provides software volume and hardware volume management service.
Volume Shadow Copy | Manual | No change | Manages and implements volume shadow copies that are used for backup and other purposes. This service can be disabled when volume shadow copies are not used on the Web server.
WebClient | Disabled | No change | Enables Windows-based programs to create, access, and modify Internet-based files.
Windows Audio | Disabled | No change | Manages audio devices for Windows-based programs.
Windows Image Acquisition (WIA) | Disabled | No change | Provides image acquisition services for scanners and cameras.
Windows Installer | Manual | No change | Adds, modifies, and removes applications that are provided as a Windows Installer (.msi) package.
Windows Management Instrumentation | Automatic | No change | Provides a common interface and object model to access management information about the Web server through the WMI interface.
Windows Management Instrumentation Driver Extensions | Manual | No change | Monitors all drivers and event trace providers that are configured to publish WMI or event trace information.
Windows Time | Automatic | No change | Sets the Web server clock, and maintains date and time synchronization for all computers in the network.
WinHTTP Web Proxy Auto-Discovery Service | Manual | Disable | Implements the Web Proxy Auto-Discovery (WPAD) protocol for Windows HTTP services (WinHTTP) and enables an HTTP client to automatically discover a proxy configuration. Neither Notification Server nor any Solutions require this service to be running. Disable this setting for maximum security.
Wireless Configuration | Automatic | Disable | Enables automatic configuration for IEEE 802.11 adapters. Neither Notification Server nor any Solutions require this service to be running. Disable this setting for maximum security.
WMI Performance Adapter | Manual | Disable | Provides performance library information from WMI providers to clients on the network. Neither Notification Server nor any Solutions require this service to be running. Disable this setting for maximum security.
Workstation | Automatic | No change | Creates and maintains client network connections to remote servers.

Subcomponents of the Application Server List

Subcomponent | Default Setting | Recommended Setting | Comment
Application Server Console | Enabled | No change | Provides an MMC snap-in that includes administration for all of the Web Application Server (WAS) components. On a dedicated Web server, this component is not required because only IIS Manager is used.
ASP.NET | Disabled | See comment | Provides support for ASP.NET applications. Enable this component when you need to run ASP.NET applications on the Web server.
Enable network COM+ access | Enabled | Disable | Allows the Web server to host COM+ components for distributed applications. Neither Notification Server nor Solutions use this component. Disable this for maximum security.
Enable network DTC access | Disabled | Disable | Allows the Web server to host applications that participate in network transactions through Distributed Transaction Coordinator (DTC). Neither Notification Server nor Solutions use this component. Disable this for maximum security.
Internet Information Services (IIS) | Enabled (see the IIS subcomponents list below) | No change | Provides basic Web and FTP services. This component is required on a dedicated Web server. Note: If this component is not enabled, then none of its subcomponents are enabled.
Message Queuing | Disabled (see Table 3.4 for subcomponents) | Disable | Provides guaranteed messaging, security, and transactional support for applications that communicate through messaging services provided by Message Queuing (also known as MSMQ). Neither Notification Server nor Solutions use this component. Disable this for maximum security.

Subcomponents of Internet Information Services (IIS) List

Subcomponent | Default Setting | Recommended Setting | Comment
Background Intelligent Transfer Service (BITS) server extension | Disabled | Disable | BITS is a background file transfer mechanism used by applications such as Windows Updates and Automatic Updates. Neither Notification Server nor Solutions use this component. Disable this for maximum security.
Common Files | Enabled | No change | On a dedicated Web server, these files are required by IIS and must always be enabled.
File Transfer Protocol (FTP) Service | Disabled | Disable | Allows the Web server to provide FTP services. Neither Notification Server nor Solutions use this component. Disable this for maximum security.
FrontPage 2002 Server Extensions | Disabled | Disable | Provides FrontPage support for administering and publishing Web sites. Neither Notification Server nor Solutions use this component. Disable this for maximum security.
Internet Information Services Manager | Enabled | See comment | Administrative interface for IIS. Disable when you do not want to administer the Web server locally.
Internet Printing | Disabled | Disable | Provides Web-based printer management and allows printers to be shared by using HTTP. Neither Notification Server nor Solutions use this component. Disable this for maximum security.
NNTP Service | Disabled | Disable | Distributes, queries, retrieves, and posts Usenet news articles on the Internet. Neither Notification Server nor Solutions use this component. Disable this for maximum security.
SMTP Service | Enabled | Disable | Supports the transfer of electronic mail. Neither Notification Server nor Solutions use this component. Disable this for maximum security.
World Wide Web Service | Enabled (see the World Wide Web Service subcomponents list below) | No change | Provides Internet services, such as static and dynamic content, to clients. This component is required on a dedicated Web server. Note: If this component is not enabled, then none of its subcomponents are enabled.

Subcomponents of the World Wide Web Service List

Subcomponent | Default Setting | Recommended Setting | Comment
Active Server Pages | Disabled | Enabled | Provides support for Active Server Pages (ASP). Disable this component when none of the Web sites or applications on the Web server uses ASP. You can disable this component in Add or Remove Windows Components, which is accessible from Add or Remove Programs in Control Panel, or in the Web Service Extensions node in IIS Manager. For more information, see the Essential Web Service Extensions Configuration section of this document.
Internet Data Connector | Disabled | Disable | Provides support for dynamic content provided through files with .idc extensions. Neither Notification Server nor Solutions use this component. Disable this for maximum security.
Remote Administration (HTML) | Disabled | Disable | Provides an HTML interface for administering IIS. Use IIS Manager instead to provide easier administration and to reduce the attack surface of the Web server. This component is not required on a dedicated Web server.
Remote Desktop Web Connection | Disabled | Disable | Includes Microsoft ActiveX controls and sample pages for hosting Terminal Services client connections. Use IIS Manager instead to provide easier administration and to reduce the attack surface of the Web server. This component is not required on a dedicated Web server.
Server-Side Includes | Disabled | Disable | Provides support for .shtm, .shtml, and .stm files. Neither Notification Server nor Solutions use this component. Disable this for maximum security.
WebDAV Publishing | Disabled | Disable | Web Distributed Authoring and Versioning (WebDAV) extends the HTTP/1.1 protocol to allow clients to publish, lock, and manage resources on the Web. Neither Notification Server nor Solutions use this component. Disable this for maximum security.
World Wide Web Service | Enabled | No change | Provides Internet services, such as static and dynamic content, to clients. This component is required on a dedicated Web server.
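The Appendix A services list as an added PowerShell audit, not part of the white paper and not an Altiris tool: it compares the live startup type of every service the list marks "Disable" against the recommendation and, only when asked, applies it. The display names are the ones used in Appendix A; where a Windows build spells a name slightly differently, the service is reported as not found so the list can be corrected rather than silently skipped. The normalisation helper and the Win32_Service query are assumptions of this example.

```powershell
# Added example (not from the Altiris white paper). Display names are taken from the
# Appendix A list; Win32_Service reports StartMode as Auto, Manual or Disabled.
$RecommendedDisabled = @(
    'Application Management', 'Automatic Updates', 'Background Intelligent Transfer Service',
    'Distributed File System', 'Distributed Link Tracking Client', 'Distributed Link Tracking Server',
    'Error Reporting Service', 'Fax Service', 'Indexing Service',
    'Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS)',
    'NetMeeting Remote Desktop Sharing', 'Print Spooler', 'Remote Access Auto Connection Manager',
    'Remote Access Connection Manager', 'Remote Desktop Help Sessions Manager',
    'Remote Procedure Call (RPC) Locator', 'Remote Registry Service', 'Removable Storage',
    'Telephony', 'Telnet', 'Upload Manager', 'WinHTTP Web Proxy Auto-Discovery Service',
    'Wireless Configuration', 'WMI Performance Adapter'
)

# Lower-case, keep letters only and drop the word "service(s)", so that "Remote Registry
# Service" in the list and "Remote Registry" on the box compare equal (assumed helper).
function Get-NormalizedName([string]$Name) {
    ($Name.ToLower() -replace '[^a-z]', '') -replace 'services?', ''
}

# Returns one object per listed service: Compliant, Deviation, Fixed (with -Apply) or NotFound.
function Test-ServiceHardening {
    param([string[]]$ShouldBeDisabled = $RecommendedDisabled, [switch]$Apply)

    $byName = @{}
    foreach ($svc in (Get-WmiObject -Class Win32_Service)) {
        $byName[(Get-NormalizedName $svc.DisplayName)] = $svc
    }

    foreach ($name in $ShouldBeDisabled) {
        $svc = $byName[(Get-NormalizedName $name)]
        if (-not $svc) {
            New-Object PSObject -Property @{ Service = $name; Name = $null; StartMode = '(not found)'; Status = 'NotFound' }
            continue
        }
        $status = if ($svc.StartMode -eq 'Disabled') { 'Compliant' } else { 'Deviation' }
        if ($Apply -and $status -eq 'Deviation') {
            Set-Service -Name $svc.Name -StartupType Disabled
            if ($svc.State -eq 'Running') { Stop-Service -Name $svc.Name -Force }
            $status = 'Fixed'
        }
        New-Object PSObject -Property @{ Service = $name; Name = $svc.Name; StartMode = $svc.StartMode; Status = $status }
    }
}

# Audit only; add -Apply to enforce the recommendation after reviewing the report.
Test-ServiceHardening | Sort-Object Status, Service |
    Format-Table Status, Service, Name, StartMode -AutoSize
```

Run the audit first and review the Deviation and NotFound rows; Application Management in particular must be set back to Manual before any Add/Remove Programs or Windows Components change, as the Appendix A note states, so re-running the audit after such maintenance is the quickest way to see it has been disabled again.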