Security Management

Windows Server 2003 Security
Donald E. Hester
CISSP, CISA, MCT, MCSE, MCSA, MCDST, Security+, CTT+, MV
Maze & Associates
San Diego City College
Los Medanos College
What we are looking at today

Priority Shift
- Access was a top priority
  - Open-by-default
  - Start with everything open and then lock down as needed
- Control is now a top priority
  - Closed-by-default
  - Start with everything closed and open only what is needed

Security Enhancements

Server 2003 Defaults
- IIS (Internet Information Services)
  - IIS is not installed by default
  - When you install IIS 6 it is locked down: it serves only static content until the Web service extensions you need are enabled
  - More startup services are disabled in 2003
- Everyone group
  - No longer has Full Control by default; it has Read and Execute
  - No longer includes anonymous users (Anonymous Logon gets only what it is granted explicitly, unless the policy "Network access: Let Everyone permissions apply to anonymous users" is enabled)

Server 2003 Defaults
- Accounts with null passwords are console-bound: a local account with a blank password can log on only at the console, not over the network
- Software restriction policies
  - Hash rule
  - Path rule
  - Certificate rule
  - Internet Zone rule (applies only to Windows Installer packages)
  - When several rules match one file, precedence is hash, certificate, path, Internet zone; among path rules the most specific path wins
- Protected EAP (PEAP)
- Detailed security auditing

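The rule precedence above decides what actually runs when a Disallowed and an Unrestricted rule both match the same file. The following model is an added example, not code from the presentation or from Microsoft: it resolves the four rule types with the documented precedence (hash, certificate, path, Internet zone; longest path wins among path rules) and shows why an attacker renaming a known-bad binary into an allowed folder still loses to a hash rule, while an Internet-zone .msi copied under an allowed path wins on the path rule. The files, digests, signer name "CN=Contoso Software Publisher", the policy itself and the tie-break "Disallowed wins at equal rank" are assumptions; real SRP hashes are MD5/SHA-1, SHA-256 is used here only for convenience.

```python
"""Model of how Software Restriction Policy (SRP) rules are resolved.

Added illustration, not Microsoft code. Precedence follows the SRP
documentation: hash > certificate > path > Internet zone, and among path
rules the most specific (longest) matching path wins. Where two rules of
equal rank still conflict, this model lets Disallowed win (assumption).
The files, hashes, signer and policy below are constructed sample data.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"
RANK = {"hash": 0, "certificate": 1, "path": 2, "zone": 3}   # lower wins


@dataclass
class Rule:
    kind: str     # "hash", "certificate", "path" or "zone"
    match: str    # hex digest, signer subject, path prefix or zone name
    level: str    # DISALLOWED or UNRESTRICTED


@dataclass
class File:
    path: str
    content: bytes
    signer: Optional[str] = None   # Authenticode signer subject, if signed
    zone: Optional[str] = None     # origin zone, relevant only to .msi packages

    @property
    def digest(self) -> str:
        # Real SRP hash rules use MD5/SHA-1; SHA-256 is an assumption here and
        # has no effect on how precedence is resolved.
        return hashlib.sha256(self.content).hexdigest()


def matches(rule: Rule, f: File) -> bool:
    if rule.kind == "hash":
        return rule.match.lower() == f.digest
    if rule.kind == "certificate":
        return f.signer is not None and f.signer == rule.match
    if rule.kind == "path":
        # Case-insensitive match on the file itself or anything below the folder.
        p, m = f.path.lower(), rule.match.lower().rstrip("\\")
        return p == m or p.startswith(m + "\\")
    if rule.kind == "zone":
        # Internet zone rules apply only to Windows Installer packages.
        return f.path.lower().endswith(".msi") and f.zone == rule.match
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def effective_level(rules: List[Rule], f: File, default: str = DISALLOWED) -> str:
    """Level SRP applies to f: the highest-precedence matching rule, else default."""
    hits = [r for r in rules if matches(r, f)]
    if not hits:
        return default
    hits.sort(key=lambda r: (RANK[r.kind],
                             -len(r.match) if r.kind == "path" else 0,
                             0 if r.level == DISALLOWED else 1))
    return hits[0].level


# Constructed sample policy: default Disallowed, allow by location, then carve out.
GOOD_TOOL = b"MZ constructed benign binary"
BAD_TOOL = b"MZ constructed malicious binary"

POLICY = [
    Rule("path", r"C:\Windows", UNRESTRICTED),
    Rule("path", r"C:\Program Files", UNRESTRICTED),
    Rule("path", r"C:\Windows\Temp", DISALLOWED),                      # user-writable
    Rule("certificate", "CN=Contoso Software Publisher", UNRESTRICTED),
    Rule("hash", hashlib.sha256(BAD_TOOL).hexdigest(), DISALLOWED),
    Rule("zone", "Internet", DISALLOWED),
]


def demo() -> dict:
    cases = {
        "os binary": File(r"C:\Windows\System32\notepad.exe", GOOD_TOOL),
        "dropped in Temp": File(r"C:\Windows\Temp\payload.exe", GOOD_TOOL),
        "signed, unlisted path": File(r"D:\tools\contoso.exe", GOOD_TOOL,
                                      signer="CN=Contoso Software Publisher"),
        "known-bad under Program Files": File(r"C:\Program Files\App\bad.exe", BAD_TOOL),
        "known-bad renamed into System32": File(r"C:\WINDOWS\system32\svch0st.exe", BAD_TOOL),
        "Internet .msi copied into Program Files": File(
            r"C:\Program Files\Setup\setup.msi", GOOD_TOOL, zone="Internet"),
    }
    return {name: effective_level(POLICY, f) for name, f in cases.items()}


if __name__ == "__main__":
    for name, level in demo().items():
        print(f"{level:12} {name}")
```

Two things the model makes visible: a hash rule is defeated by changing a single byte of the file (the digest no longer matches and the path rule decides), which is why certificate rules are preferred for software you trust and hash rules are reserved for blocking specific known binaries; and a Disallowed path rule on a user-writable folder such as Temp must be more specific than the Unrestricted rule above it, or it never takes effect.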
File System
- NTFS
  - Permissions & auditing
  - EFS - Encrypting File System (an encrypted file can now be shared with multiple users)
  - VSS - Volume Shadow Copy (Server 2003)
  - Quotas
  - ABE - Access-Based Enumeration (Server 2003 SP1): users browsing a share see only the files and folders they have permission to read
- Future developments: WinFS
  - Won't be in Longhorn

Internet Connection Firewall / Windows Firewall

ICF vs. Windows Firewall: what Windows Firewall (Server 2003 SP1) adds over ICF
- Boot-time security
- Global configuration
- Audit logging
- Scope restrictions
- Command-line support
- Program-based exceptions
- Multiple profiles
- Unattended setup support
- Enhanced multicast and broadcast support
- IPv6 support
- New Group Policy support

PSSU (Post-Setup Security Updates)
- Service Pack 1 enhancement
- Protects the computer until it can update: Windows Firewall blocks all inbound connections from first logon until the administrator has applied updates and closes the PSSU page
- Uses Windows Firewall

DEP (Data Execution Prevention)
- Stops code from running in memory pages that hold data (stack, heap): an injected payload raises an access violation in that process instead of executing, so the attack fails rather than taking over or crashing the system
- Hardware-enforced DEP
  - Protects memory locations
  - The no-execute page-protection (NX) processor feature as defined by AMD
  - The Execute Disable Bit (XD) feature as defined by Intel
- Software-enforced DEP
  - Protects system binaries and exception handling only: before dispatching an exception it checks that the handler is in the image's registered handler table
  - Requires software built with SafeSEH (the /SAFESEH linker option)

TCP/IP protection
- Enhancements:
  - Smart TCP port allocation
  - SYN attack protection is enabled by default (SynAttackProtect)
  - New SYN attack notification IP Helper APIs
  - Winsock self-healing

What Is Network Access Quarantine?
1. Remote access client authenticates
2. RAS client is placed in quarantine: packet filters limit it to remediation resources and a quarantine timer starts
3. Either
   - RAS client meets the quarantine policies -> RAS client gets full access to the network, or
   - RAS client fails the policy check, or the quarantine timeout is reached -> RAS client is disconnected

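The flow above has two exits from quarantine, and the interesting engineering is in what the client can reach while it waits and what happens when the timer fires before the client reports in. The simulation below is an added example, not code from the presentation or from Microsoft. Its structure follows Server 2003's feature as documented (the remote access server applies quarantine packet filters and a session timeout, delivered to it as the RADIUS vendor attributes MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout; the client's policy script, on success, has rqc.exe notify rqs.exe on the server, which removes the filters). The addresses, ports, 120-second timeout, shared secret and the three policy checks are constructed stand-ins.

```python
"""Simulation of the Network Access Quarantine flow shown on the slide.

Added example, not Microsoft code. The quarantine filters, timeout, secret
and policy checks below are constructed stand-ins for the real
MS-Quarantine-IPFilter / MS-Quarantine-Session-Timeout values and the
rqc.exe -> rqs.exe notification.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class State(Enum):
    QUARANTINED = "quarantined"
    FULL_ACCESS = "full access"
    DISCONNECTED = "disconnected"


# While quarantined only these destinations pass: DNS and the remediation
# server that hosts patches and antivirus signatures (constructed addresses).
QUARANTINE_FILTERS = {("10.0.0.53", 53), ("10.0.0.80", 80), ("10.0.0.80", 443)}
QUARANTINE_TIMEOUT = 120.0            # seconds, assumed session timeout value
SHARED_SECRET = "constructed-quarantine-secret"


@dataclass
class Session:
    user: str
    connected_at: float
    state: State = State.QUARANTINED
    events: List[str] = field(default_factory=list)


def connect(user: str, now: float) -> Session:
    """Authentication succeeded; the client lands in quarantine, not on the LAN."""
    s = Session(user, now)
    s.events.append("authenticated; quarantine filters applied")
    return s


def tick(session: Session, now: float) -> State:
    """Server-side timer: quarantine timeout reached -> disconnect."""
    if session.state is State.QUARANTINED and now - session.connected_at >= QUARANTINE_TIMEOUT:
        session.state = State.DISCONNECTED
        session.events.append("quarantine timeout reached; disconnected")
    return session.state


def allowed(session: Session, dst_host: str, dst_port: int) -> bool:
    """Packet filter decision for traffic from the remote client."""
    if session.state is State.FULL_ACCESS:
        return True
    if session.state is State.QUARANTINED:
        return (dst_host, dst_port) in QUARANTINE_FILTERS
    return False


def notify(session: Session, secret: str, now: float) -> State:
    """rqc-style notification: a valid secret from a still-quarantined client lifts the filters."""
    if tick(session, now) is State.QUARANTINED and secret == SHARED_SECRET:
        session.state = State.FULL_ACCESS
        session.events.append("policy met; filters removed; full access")
    return session.state


def client_policy_check(checks: Dict[str, bool]) -> bool:
    """Stand-in for the client baseline script (AV running, patches current, firewall on)."""
    return all(checks.values())


def run(user: str, checks: Dict[str, bool], check_duration: float) -> Session:
    """Drive one connection through the slide's flow."""
    s = connect(user, now=0.0)
    if client_policy_check(checks):
        notify(s, SHARED_SECRET, now=check_duration)
    else:
        # The script disconnects a client that cannot meet the policy.
        s.state = State.DISCONNECTED
        s.events.append("policy check failed; disconnected")
    return s


if __name__ == "__main__":
    for user, checks, took in [("alice", {"av": True, "patched": True, "fw": True}, 30.0),
                               ("bob", {"av": False, "patched": True, "fw": True}, 30.0),
                               ("carol", {"av": True, "patched": True, "fw": True}, 300.0)]:
        s = run(user, checks, took)
        print(user, s.state.value, "|", "; ".join(s.events))
```

Note the check order in notify(): the timer is evaluated before the secret is honoured, so a client whose remediation took longer than the timeout is dropped even if its notification arrives. Also keep in mind what the design cannot do: the server trusts the client's script, so a modified client can send the secret without passing any check. Microsoft positioned quarantine as a way to keep well-meaning clients compliant, not as a barrier against a hostile one.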
Trusts in Windows Server 2003
- Parent/Child trust (created automatically, two-way, transitive)
- Tree/Root trust (created automatically between tree roots in a forest, two-way, transitive)
- Shortcut trust (manual, between two domains in the same forest, to shorten the authentication path)
- Forest trust (manual, between two forest root domains, transitive within the two forests)
- Realm trust (manual, to a non-Windows Kerberos realm)
- External trust (manual, non-transitive, to an NT 4.0 domain or a single domain in another forest)

Coming Soon: IE 7
Information Security Magazine (Jan 2006)

Server Hardening
- Appropriate settings for a secure baseline
  - Settings for applications and services
  - Operating system components
  - Permissions and rights
  - Administrative procedures
  - Physical access

Server Hardening - Templates
- Predefined security templates (shipped in %SystemRoot%\Security\Templates)
- Security Guide templates
- Industrial templates
  - SANS
  - CIAC
  - NSA
  - DoD
- Custom templates

Template Deployment
- Test before deployment
- Periodic analysis (compare the machine's current settings with the baseline template)
  - Security Configuration and Analysis snap-in
  - Scripting (Secedit.exe /analyze)
- Deployment methods
  - Group Policy (Active Directory): import the template into a GPO's Security Settings
  - Security Configuration and Analysis snap-in
  - Scripting (Secedit.exe /configure)

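The "periodic analysis" step is a comparison of a template against what the machine actually has. The script below is an added example, not code from the presentation or from Microsoft, that performs that comparison offline: it parses a security template in the real .inf layout and reports every setting that drifted, treating user rights as sets of SIDs so that order does not produce false findings and so that extra grantees (the risky direction) can be called out. BASELINE_INF is a constructed excerpt; CURRENT is a constructed stand-in for the values the snap-in would read from the live system. SIDs used: S-1-5-11 Authenticated Users, S-1-5-32-544 Administrators, S-1-1-0 Everyone.

```python
"""Offline analysis of a security template (.inf) against a machine's current
settings, in the spirit of the Security Configuration and Analysis snap-in and
'secedit /analyze'.

Added example, not Microsoft code. BASELINE_INF is a constructed excerpt in the
real template layout; CURRENT is a constructed stand-in for the values read
from the live system.
"""
import configparser
from dataclasses import dataclass
from typing import Dict, List, Set

BASELINE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
MaximumPasswordAge = 42
LockoutBadCount = 10
[Event Audit]
AuditLogonEvents = 3
AuditPrivilegeUse = 2
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544
SeRemoteShutdownPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed snapshot of the live machine (what the snap-in would read).
CURRENT: Dict[str, Dict[str, str]] = {
    "System Access": {"MinimumPasswordLength": "6", "PasswordComplexity": "1",
                      "MaximumPasswordAge": "42", "LockoutBadCount": "0"},
    "Event Audit": {"AuditLogonEvents": "1", "AuditPrivilegeUse": "2"},
    "Registry Values": {
        r"MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel": "4,2"},
    "Privilege Rights": {"SeNetworkLogonRight": "*S-1-1-0,*S-1-5-32-544",
                         "SeRemoteShutdownPrivilege": "*S-1-5-32-544"},
}

COMPARED = ("System Access", "Event Audit", "Registry Values", "Privilege Rights")
NOT_CONFIGURED = "<not configured>"


@dataclass(frozen=True)
class Finding:
    section: str
    setting: str
    expected: str
    actual: str


def load_template(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str      # keep key case: registry paths and right names are data
    cp.read_string(text)
    return cp


def principals(value: str) -> Set[str]:
    """'*S-1-5-11,*S-1-5-32-544' -> {'S-1-5-11', 'S-1-5-32-544'} (order-insensitive)."""
    return {p.strip().lstrip("*") for p in value.split(",") if p.strip()}


def analyze(template_text: str, current: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Return every baseline setting the machine does not match."""
    tpl = load_template(template_text)
    findings = []
    for section in COMPARED:
        if not tpl.has_section(section):
            continue
        for key, expected in tpl.items(section):
            actual = current.get(section, {}).get(key, NOT_CONFIGURED)
            if section == "Privilege Rights":
                same = principals(expected) == principals(actual)
            else:
                same = expected.strip() == actual.strip()
            if not same:
                findings.append(Finding(section, key, expected.strip(), actual.strip()))
    return findings


def extra_principals(f: Finding) -> Set[str]:
    """For a user-right finding, who holds the right beyond the baseline (the risky direction)."""
    if f.section != "Privilege Rights" or f.actual == NOT_CONFIGURED:
        return set()
    return principals(f.actual) - principals(f.expected)


if __name__ == "__main__":
    for f in analyze(BASELINE_INF, CURRENT):
        extra = extra_principals(f)
        note = f"  extra grantees: {sorted(extra)}" if extra else ""
        print(f"[{f.section}] {f.setting}: baseline={f.expected} actual={f.actual}{note}")
```

On the server itself the equivalent is secedit /analyze /db baseline.sdb /cfg baseline.inf /log analyze.log, and secedit /configure with the same database applies the template. Secedit has no undo, which is the practical reason behind "test before deployment": a Privilege Rights line that drops Administrators from a right, or an LmCompatibilityLevel that older clients cannot meet, takes effect the moment the template is applied.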
Server Hardening

Security Configuration Wizard (SCW)
- Comes with Service Pack 1 (Server 2003)
- Disables unneeded services
- Blocks unused ports
- Allows further address or security restrictions for ports that are left open
- Prohibits unnecessary Internet Information Services (IIS) Web extensions, if applicable
- Reduces protocol exposure to server message block (SMB), NTLM, LanMan, and Lightweight Directory Access Protocol (LDAP)
- Defines a high signal-to-noise audit policy
- Best for servers with multiple roles

Security Configuration Wizard
- Supports
  - Rollback
  - Analysis
  - Remote configuration
  - Command-line support (scwcmd.exe)
  - Active Directory integration
  - Policy editing
  - Export to Group Policy (scwcmd transform converts an SCW policy into a GPO)

Security Tools

Updates
- Manual
  - Requires user intervention: labor intensive
- Windows Update
  - Automatic process, fine for small deployments
- SUS (Software Update Services)
  - Pushes administrator-approved critical patches to multiple machines at an administrator-appointed time (replaced by WSUS)
- WSUS (Windows Server Update Services)
  - Same as SUS but includes support for other patches such as Office and critical drivers

PKI
- Some uses: EFS, authentication, smart cards, IPSec, servers
- Auto enrollment
- Command line tools (Certreq.exe, Certutil.exe)
- Key recovery (DRA, the EFS data recovery agent, or KRA, a key recovery agent with CA key archival)
- Delta CRL

Available Tools - GPMC (Group Policy Management Console)
- New user interface
- Backup and restore
- Import and export
- Group Policy Modeling
- Resultant Set of Policy (RSoP)

Available Tools - MBSA
- Microsoft Baseline Security Analyzer (v2): scans local or remote machines for missing security updates and common misconfigurations

Available Tools - MSAT
- Microsoft Security Assessment Tool

Available Tools - Windows Defender
- Microsoft Anti-Spyware (now Windows Defender)
  - Spyware detection
  - Scheduled scanning and removal
  - Straightforward operation and thorough removal technology

Available Tools
- Security Resource Kit
  - Various tools to enumerate access control lists, list drivers, list services, dump event logs, parse logs, determine the authentication method, and much more
- Security Guide
  - Templates
  - Various test scripts
- 3rd-party tools
  - Winternals http://www.winternals.com/
  - Sysinternals http://www.sysinternals.com/
  - CERT http://www.cert.org/
  - SANS http://www.sans.org/

Resources
- Windows Server 2003 Security Guide
  http://go.microsoft.com/fwlink/?LinkId=14846
- WindowSecurity.com
- SecWish@microsoft.com (feedback email)
- Microsoft Windows Security Resource Kit (2nd Ed.), ISBN 0-7356-2174-8
- Service Pack 1 Overview
  http://www.microsoft.com/technet/prodtechnol/windowsserver2003/servicepack/overview.mspx

Resources
- Microsoft Security Assessment Tool (MSAT)
  https://www.securityguidance.com/
- Microsoft Security
  http://www.microsoft.com/security/default.mspx
- Microsoft Baseline Security Analyzer (MBSA)
  http://www.microsoft.com/technet/security/tools/mbsahome.mspx
- Microsoft Anti-Spyware (beta) / Windows Defender
  http://www.microsoft.com/athome/security/spyware/software/default.mspx

Resources
- RootKit Revealer
  http://www.sysinternals.com/Utilities/RootkitRevealer.html
- Strider GhostBuster Project (rootkit detector)
  http://research.microsoft.com/rootkit/
- Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP
  http://go.microsoft.com/fwlink/?LinkId=15160

Contact Info
Donald E. Hester
DonaldH@MazeAssociates.com
https://www.linkedin.com/in/donaldehester