Windows Server 2003 Security

Donald E. Hester
CISSP, CISA, MCT, MCSE, MCSA, MCDST, Security+, CTT+, MV
Maze & Associates
San Diego City College
Los Medanos College

What we are looking at today

Priority Shift
- Access was a top priority: open-by-default. Start with everything open and then lock down as needed.
- Control is now a top priority: closed-by-default. Start with everything closed and open only what is needed.

Security Enhancements

Server 2003 Defaults
- IIS (Internet Information Services)
  - IIS is not installed by default
  - When you install IIS 6 it is locked down
- More startup services are disabled in 2003
- Everyone group
  - No longer has Full Control; it has Read and Execute
  - No longer includes anonymous users

Server 2003 Defaults
- Accounts with null passwords are console-bound
- Software restriction policies
  - Hash rule
  - Path rule
  - Certificate rule
  - Internet Zone rule
- Protected EAP (PEAP)
- Detailed security auditing

File System
- NTFS permissions and auditing
- EFS, Encrypting File System (multiple users)
- VSS, Volume Shadow Copy (Server 2003)
- Quotas
- ABE (Server 2003 SP1)

Future developments
- WinFS (won't be in Longhorn)
- ABE (Access-Based Enumeration)

Internet Connection Firewall / Windows Firewall
ICF vs. Windows Firewall:
- Boot-time security
- Global configuration
- Audit logging
- Scope restrictions
- Command-line support
- Program-based exceptions
- Multiple profiles
- Unattended setup support
- Enhanced multicast and broadcast support
- IPv6 support
- New Group Policy support

PSSU (Post-Setup Security Updates)
- Service Pack 1 enhancement
- Protects the computer until it can update
- Uses Windows Firewall

DEP (Data Execution Prevention)
- Prevents malicious software from running, rather than letting it error out and potentially crash the system
- Hardware-enforced DEP
  - Protects memory locations
  - The no-execute page-protection (NX) processor feature as defined by AMD
  - The Execute Disable Bit (XD) feature as defined by Intel
- Software-enforced DEP
  - Protects system binaries and exception handling
  - Software built with SafeSEH

TCP/IP protection
Enhancements:
- Smart TCP port allocation
- SYN attack protection is enabled by default
- New SYN attack notification
- IP Helper APIs
- Winsock self-healing

What Is Network Access Quarantine?
- The remote access client authenticates
- The RAS client is placed in quarantine
- If the RAS client meets the quarantine policies, it gets full access to the network
- If (1) the RAS client fails the policy check or (2) the quarantine timeout is reached, the RAS client is disconnected

Trusts in Windows Server 2003
- Parent/Child trust
- Tree/Root trust
- Shortcut trust
- Forest trust
- Realm trust
- External trust

Coming Soon: IE 7
Information Security Magazine (Jan 2006)

Server Hardening

Server Hardening
Appropriate settings for a secure baseline:
- Settings for applications and services
- Operating system components
- Permissions and rights
- Administrative procedures
- Physical access

Server Hardening - Templates
- Predefined security templates
- Security Guide templates
- Industrial templates: SANS, CIAC, NSA, DoD
- Custom templates

Template Deployment
- Test before deployment
- Periodic analysis
  - Security Configuration and Analysis snap-in
  - Scripting (Secedit.exe)
- Deployment methods
  - Group Policy (Active Directory)
  - Security Configuration and Analysis snap-in
  - Scripting (Secedit.exe)

Server Hardening - Security Configuration Wizard (SCW)
- Comes with Service Pack 1 (Server 2003)
- Disables unneeded services
- Blocks unused ports
- Allows further address or security restrictions for ports that are left open
- Prohibits unnecessary Internet Information Services (IIS) Web extensions, if applicable
- Reduces protocol exposure to server message block (SMB), NTLM, LanMan, and Lightweight Directory Access Protocol (LDAP)
- Defines a high signal-to-noise audit policy
- Best for servers with multiple roles

Security Configuration Wizard
Supports:
- Rollback
- Analysis
- Remote configuration
- Command-line support
- Active Directory integration
- Policy editing
- Export to Group Policy

Security Tools

Updates
- Manual Windows Updates
- Automatic process: fine for small deployments
- SUS
  - Requires user intervention; labor intensive
  - Updates approved critical patches for multiple machines at an administrator-appointed time
  - Replaced with WSUS
- WSUS
  - Same as SUS but includes support for other patches such as Office and critical drivers

PKI
- Some uses: EFS, authentication, smart cards, IPSec, servers
- Auto-enrollment
- Command-line tools (Certreq.exe, Certutil.exe)
- Key recovery (DRA or KRA)
- Delta CRL

Available Tools - GPMC
- New user interface
- Backup and restore
- Import and export
- Group Policy Modeling
- Resultant Set of Policy (RSoP)

Available Tools - MBSA
- Microsoft Baseline Security Analyzer (v2)

Available Tools - MSAT
- Microsoft Security Assessment Tool

Available Tools - Windows Defender
- Microsoft Anti-Spyware, now Windows Defender
- Spyware detection
- Scheduled scanning and removal
- Straightforward operation and thorough removal technology

Available Tools
- Security Resource Kit: various tools to enumerate access control lists, list drivers, list services, dump event logs, parse logs, determine the authentication method, and much more
- Security Guide templates: various test scripts

3rd Party Tools
- Winternals: http://www.winternals.com/
- Sysinternals: http://www.systernals.com/
- CERT: http://www.cert.org/
- SANS: http://www.sans.org/

Resources
- Windows Server 2003 Security Guide: http://go.microsoft.com/fwlink/?LinkId=14846
- WindowSecurity.com
- SecWish@microsoft.com (feedback email)
- Microsoft Windows Security Resource Kit (2nd Ed.), ISBN 0-7356-2174-8
- Service Pack 1 Overview: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/servicepack/overview.mspx

Resources
- Microsoft Security Assessment Tool (MSAT): https://www.securityguidance.com/
- Microsoft Security: http://www.microsoft.com/security/default.mspx
- Microsoft Baseline Security Analyzer (MBSA): http://www.microsoft.com/technet/security/tools/mbsahome.mspx
- Microsoft Anti-Spyware (beta) / Defender: http://www.microsoft.com/athome/security/spyware/software/default.mspx

Resources
- RootKit Revealer: http://www.sysinternals.com/Utilities/RootkitRevealer.html
- Strider GhostBuster Project (rootkit detector): http://research.microsoft.com/rootkit/
- Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP: http://go.microsoft.com/fwlink/?LinkId=15160

Contact Info
Donald E. Hester
DonaldH@MazeAssociates.com
https://www.linkedin.com/in/donaldehester
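The Windows Firewall features listed on the ICF vs. Windows Firewall slide (command-line support, audit logging, scope restrictions, program-based exceptions, profiles), put to work through the `netsh firewall` context that ships with Server 2003 SP1. This is an added example, not code from the deck; the log path, port and program path are placeholders.

```powershell
# Added example: a closed-by-default Windows Firewall baseline for a member server,
# driven entirely from the command line. Run from an elevated prompt.

# Global configuration: firewall on for both the Domain and Standard profiles,
# exceptions still evaluated (everything else inbound is dropped).
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

# Audit logging: record dropped packets so blocked probes are visible for review.
# Successful connections are left off here to keep the log's signal-to-noise high.
# (C:\Logs\pfirewall.log is a placeholder path; create the folder first.)
netsh firewall set logging filelocation=C:\Logs\pfirewall.log maxfilesize=4096 droppedpackets=ENABLE connections=DISABLE

# Scope restriction: Remote Desktop reachable only from the local subnet.
# Opening 3389 with scope=ALL would expose it to every network the server touches.
netsh firewall add portopening protocol=TCP port=3389 name="Remote Desktop (LAN only)" mode=ENABLE scope=SUBNET profile=ALL

# Program-based exception: one agent binary (placeholder path) is allowed to listen,
# again limited to the subnet, rather than its ports being opened globally.
netsh firewall add allowedprogram program=C:\Apps\AgentService.exe name="Management agent" mode=ENABLE scope=SUBNET profile=ALL

# Verify: 'show state' reports the operational mode and the ports currently open;
# 'show config' lists the exceptions and the logging settings just applied.
netsh firewall show state
netsh firewall show config
```

Review the `show config` output after applying and keep it with the server's build record so later drift from this baseline can be spotted.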
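A check for the DEP slide: whether the hardware NX/XD feature is actually in use on a machine and which DEP policy is in force. This is an added example, not from the deck; it assumes PowerShell 2.0 or later and the DEP properties of the Win32_OperatingSystem WMI class, which exist on Server 2003 SP1 and later.

```powershell
# Added example: report hardware vs. software-enforced DEP and the system policy.
function Get-DepStatus {
    param([string]$ComputerName = '.')

    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName

    # DataExecutionPrevention_SupportPolicy is a WMI enumeration:
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (XP SP2 default),
    # 3 = OptOut (Server 2003 SP1 default).
    $policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $policy = [int]$os.DataExecutionPrevention_SupportPolicy

    New-Object PSObject -Property @{
        Computer           = $os.CSName
        # True only when the CPU exposes NX (AMD) / XD (Intel) and firmware has it
        # enabled; False means only software-enforced DEP (SafeSEH) is available.
        HardwareDep        = [bool]$os.DataExecutionPrevention_Available
        Policy             = $policyNames[$policy]
        # OptIn covers system binaries and opted-in programs only; OptOut and
        # AlwaysOn cover every process, which is what a hardened server wants.
        CoversAllProcesses = ($policy -eq 1 -or $policy -eq 3)
        DepForDrivers      = [bool]$os.DataExecutionPrevention_Drivers
        DepFor32BitApps    = [bool]$os.DataExecutionPrevention_32BitApplications
    }
}

# Flag machines where DEP has silently fallen back to software-only protection
# or where the policy was relaxed to OptIn/AlwaysOff.
$status = Get-DepStatus
$status | Format-List
if (-not $status.HardwareDep)        { Write-Warning 'No hardware DEP: NX/XD missing or disabled in firmware.' }
if (-not $status.CoversAllProcesses) { Write-Warning "DEP policy is $($status.Policy); not all processes are protected." }
```

On Server 2003 the policy is set by the `/noexecute=` switch in boot.ini, so a surprising result here points at that file rather than at a per-program setting.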
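The "test before deployment" and "periodic analysis" steps of the Template Deployment slide, scripted with Secedit.exe. This is an added example, not code from the deck or the Security Guide; it assumes the analysis log lists each differing setting on a line beginning `Mismatch -` (the observed log format) and uses a placeholder template path.

```powershell
# Added example: compare the local machine against a security template and return
# the settings that have drifted. secedit /analyze never changes the machine.
function Test-SecurityTemplate {
    param(
        [Parameter(Mandatory = $true)][string]$TemplatePath,   # .inf template to analyze against
        [string]$WorkDir = (Join-Path $env:TEMP 'secedit-analysis')
    )
    if (-not (Test-Path $TemplatePath)) { throw "Template not found: $TemplatePath" }
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

    $db  = Join-Path $WorkDir 'analysis.sdb'
    $log = Join-Path $WorkDir 'analysis.log'

    # /overwrite starts from a clean database so results of an earlier run are
    # not merged into this report; /quiet suppresses the interactive prompt.
    & secedit.exe /analyze /db $db /cfg $TemplatePath /log $log /overwrite /quiet
    if ($LASTEXITCODE -ne 0) { throw "secedit /analyze failed with exit code $LASTEXITCODE" }

    # secedit writes its log as Unicode (UTF-16); keep only the mismatch lines
    # and strip the prefix and trailing period to get bare setting names.
    Get-Content -Path $log -Encoding Unicode | ForEach-Object {
        if ($_ -match '^\s*Mismatch\s+-\s+(.+?)\.?\s*$') { $Matches[1] }
    }
}

# Usage: run on a schedule and alert when the machine no longer matches the baseline.
$drift = @(Test-SecurityTemplate -TemplatePath 'C:\Templates\MemberServerBaseline.inf')  # placeholder path
if ($drift.Count -gt 0) {
    Write-Warning ("{0} setting(s) differ from the template:" -f $drift.Count)
    $drift | ForEach-Object { Write-Warning "  $_" }
    # Only after reviewing the drift would the template be applied, e.g.:
    #   secedit /configure /db <db> /cfg <template.inf> /log <apply.log>
} else {
    Write-Host 'Machine matches the security template.'
}
```

The same analysis can be viewed interactively in the Security Configuration and Analysis snap-in by opening the database the script creates.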