An Overview to Windows Server Security

Transcription

1 An Overview to Windows Server Security Anil Sagar CERT-In Department of Information Technology Ministry of Communications & Information Technology Electronics Niketan, 6 C.G.O. Complex New Delhi

2 Contents Security Overview Best practices Server Security References

3 Security Overview Why we need security? Keeping control and service availability Data Integrity Legal Liability Reactive Work Loads Bad Public Relations Personal Responsibility

4 Best Practices Isolate sensitive information and insecure services Don t run IIS, check , surf untrusted sites, etc. on Domain Controllers Consider additional security measures, for servers with critical data. Host-based packet filter or a dedicated firewall

5 Best Practices (contd.) Grant minimum amount of access required to accomplish a task NTFS File and NetBIOS Share Access Control Lists (ACLs) Group memberships Don t login as Administrator for regular use use runas system service

6 Best Practices (contd.) Keep a watch Monitor system logs Off-site, centralized logging Consider using a system monitoring package

7 Best Practices (contd.) Run as few services as possible and make sure they are configured securely IIS is installed and insecure by default on Windows 2000 Server Disable unused services Watch for services listening on the network. Beware of phantom services being installed as part of other packages Close unnecessary ports

8 Best Practices (concluded) Backup systems regularly and test restoration procedures Attackers often damage systems Network Security will require to format and reinstall any system which has been compromised with a root or Administrator level compromise

9 Server Security

10 Physical Security Secure physical access Prevent from booting into alternate OS -Disable/remove floppy drive, unless required by SYSKEY Disable/remove CD-ROM/DVD drive Set the [timeout] parameter in the boot.ini file to 0 Disable remote network boot and installation, for example,by RIS or BOOTP In case SYSKEY with a password or floppy disk is not used, require a BIOS password to boot the computer Protect from restart by using SYSKEY Secure backup media against physical access Enhance network infrastructure security

11 Secure Installation Apply Patches & Security updates Install Anti-Virus software File System Security Format using NTFS 5 Secure file system using ACLs Restrict access to administrative tools and utilities, e.g. cmd, regedit, rexec Disable default shares Use EFS

12 Patch Management Use automated patching technology: SUS Microsoft Software Update Service SMS Microsoft Systems Management Server MBSA-Microsoft Baseline Security Analyzer

13 Secure Installation (Contd.) Additional file system security settings Remove OS2 and POSIX subsystems Prevent data remnants Disable dump file creation Encrypt the Temp folder Clear the Paging file at shutdown Create encrypted file checksums

14 Secure Installation (Contd.) Keep strong password for Administrator a/c Disable or Delete Unnecessary Accounts Apply Registry ACLs, (make sure Anonymous access is disabled) Set Stronger Password Policies (length, lockout, complexity, etc) Configure the Administrator Account (rename, disable, establish decoy)

15 Secure Installation (Contd.) Enable Auditing! Impossible to scan huge logs? Use event log analyzer tools DNS Servers Allow zone transfers only to listed server. It s not restricted by default!

16 Security Policies Microsoft Management Console (MMC) snap-in tools for setting many security options previously set through the registry can be controlled through: Local Security Policy tool Security Templates Group Policy Objects (Windows 2000 Domains only)

17 Security Templates Security Configuration and Analysis and Security Templates MMC snap-ins can be used for standardizing lockdowns The default templates assume you are applying them sequentially (ie. basic, secure, hisec) Be careful with hisec templates Custom Templates can be written and can include custom file and registry settings

18 Default Security Templates SETUPSECURITY Default, Out-of-The Box COMPATWX Relaxed Security from Default Windows 2000 Pro Install BASICDC / BASICSV/ BASICWK Default Security Settings OCFILESW Applies More Secure Configuration to Optionally-installed W2K Server Components HISECDC More secure Windows 2000-only Enhancements Beyond SECUREDC HISECWS More Secure Windows 2000-only Enhancements Beyond SECUREWS

19 Group Policy Objects Stored in Active Directory at a variety of levels Can be used cumulatively to set security policies for machines and users Also gives additional functionality for software distribution and other information

20 Account Policies Lockouts will help stop brute-force password attacks, but may result in a DoS. Too frequent password rotation may encourage poor user behavior. Strong passwords and strong encryption are essential.

21 Auditing and Logging Security Logging (auditing) is not enabled by default. Audit all successes and failures except for Process tracking. Increase log file size to > 10MB for each log.

22 Auditing and Logging (cont.) Log files can be moved to another location through the registry: HKLM\System\CurrentControlSet\ Services\EventLog\<LogName>\ File:REG_EXPAND_SZ: <path to log file> Prevent non-administrative access to Event Logs through ACLs as well as Security Policy.

23 User Rights Assignment Assign user rights as per their roles and scope, like Backup operators Print operators System operators (for shutdown etc.)

24 Security Options Additional Restrictions for Anonymous Connections Restricts null-session NetBIOS access to machine. Should at least deny enumeration of SAM accounts. LAN Manager Authentication Level LM and NTLMv1 are not secure and should be denied if at all possible.

25 Security Options (Contd.) Disable NTLM in pure W2K environments Refer TechNet How todisable LM Authentication on Windows NT Remove LM Hashes from AD and SAM Refer TechNet New Registry Key to Remove LM Hashes from AD and SAM Use Hidden Shares and Disable Automatic Creation of Default Administrative Shares AutoShareServer=1 \\HKLM\System\CurrentControlSet\Services\LanmanServer\Parame ters Disable Enumeration of Shares RestrictAnonymous=1 \\HKLM\System\CurrentControlSet\Control\Lsa Restrict Remote Registry Access Refer TechNet How to Restrict Access to the Registry from

26 Additional Registry Settings Set registry keys to: Disable anonymous remote registry and file access. Minimize the danger of SYN flood DoSes. Disable other vulnerable features.

27 Additional Registry Settings (Contd.) Set Registry Settings to Harden TCP/IP \\HKLM\SYSTEM\ CurrentControlSet\Services \ Tcpip\Parameters Registry Value SynAttackProtect Value Type REG_DWORD Default 0 More Secure 2 Tcpip\Parameters EnableDeadGWDetect REG_DWORD 1 0 Tcpip\Parameters EnablePMTUDiscovery REG_DWORD 1 0 Tcpip\Parameters KeepAliveTime REG_DWORD 7,200K 300K NetBt\Parameters NoNameReleaseOnDemand REG_DWORD n/a 0 Interfaces\<interface> PerformRouterDiscovery REG_DWORD 2 0

28 Conclusion Go through the security checklists Apply the latest patches and service packs Periodically Assess network security Incorporate required changes in the security policy

29 References Microsoft Best Practice Guide for Securing Active Directory Installations and Day-to-Day Operations NIST Systems Administration Guidance for Securing Windows 2000 Professional Systems The Centre for Internet Security Windows 2000 Server Operating System Lavel2 Benchmark Consensus Baseline Security Settings Microsoft TechNet Knowledgebase Articles Windows Security on an Open Network

30 Thanks