Windows Server 2003 Security • Donald E. Hester, CISSP, CISA, MCT, MCSE, MCSA, MCDST, Security+, CTT+, MV • Maze & Associates • San Diego City College • Los Medanos College
Priority Shift • Access was a top priority • Open-by-default • Start with everything open and then start locking down as needed • Control is now a top priority • Closed-by-default • Start with everything closed and open only what is needed
Server 2003 Defaults • IIS – Internet Information Services • IIS is not installed by default • When IIS 6 is installed it is locked down: it serves only static content until individual Web service extensions are enabled • More startup services are disabled in 2003 than in 2000 • Everyone group • No longer has Full Control by default; it is granted Read & Execute • No longer includes anonymous users (the Anonymous Logon SID is no longer a member of Everyone)
Server 2003 Defaults • Accounts with blank (null) passwords are console-bound: they can log on interactively at the console but are refused for network logon • Software restriction policies, with four rule types • Hash rule • Path rule • Certificate rule • Internet zone rule • Protected EAP (PEAP) for wireless (802.1X) and remote access authentication • Detailed security auditing
File System • NTFS • Permissions & auditing • EFS – Encrypting File System (an encrypted file can now be shared with multiple users) • VSS – Volume Shadow Copy Service (new in Server 2003) • Quotas • ABE – Access-based Enumeration (Server 2003 SP1): users see only the files and folders they have permission to read • Future developments: WinFS • Won't be in Longhorn
ICF vs. Windows Firewall • Internet Connection Firewall (ICF) shipped with Windows Server 2003 RTM; Service Pack 1 replaces it with Windows Firewall, which adds: • Boot-time security • Global configuration • Audit logging • Scope restrictions • Command-line support • Program-based exceptions • Multiple profiles • Unattended setup support • Enhanced multicast and broadcast support • IPv6 support • New Group Policy support
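The features above are driven from the command line through the netsh firewall context that Windows Firewall brought to Server 2003 SP1. The script below is an added PowerShell example, not part of the original slides; the management subnet (10.0.1.0/24) and the backup agent path are assumptions chosen for illustration, while the netsh firewall commands and switches are the real ones.

```powershell
# Added example (not from the original deck): configure the Windows Firewall features
# listed on the slide with the "netsh firewall" context (Server 2003 SP1 / XP SP2).
# Assumptions for illustration: management subnet 10.0.1.0/24, agent at C:\BackupAgent\agent.exe.
$MgmtScope   = '10.0.1.0/255.255.255.0,LocalSubnet'
$BackupAgent = 'C:\BackupAgent\agent.exe'

# Global configuration: firewall on for every profile (domain and standard).
# exceptions=ENABLE keeps the exception list usable; DISABLE would shield all inbound traffic.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

# Audit logging: dropped packets and successful connections go to pfirewall.log
# (W3C extended log format); maxfilesize is in KB.
netsh firewall set logging filelocation="$env:windir\pfirewall.log" maxfilesize=4096 droppedpackets=ENABLE connections=ENABLE

# Scope restriction: Remote Desktop (TCP 3389) reachable only from the management subnet
# and the local subnet. Without scope=CUSTOM the exception would be open to any source.
netsh firewall add portopening protocol=TCP port=3389 name="Remote Desktop (management)" mode=ENABLE scope=CUSTOM addresses=$MgmtScope profile=ALL

# Program-based exception: the agent may receive traffic on whatever ports it opens while
# it runs, but only from the local subnet; no fixed port is left open permanently.
netsh firewall add allowedprogram program=$BackupAgent name="Backup Agent" mode=ENABLE scope=SUBNET profile=ALL

# Built-in service exceptions that setup may have left open: close file and print sharing
# unless this really is a file server.
netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=ALL

# Review the result. Any exception whose scope is "*" (any address) deserves a second look.
netsh firewall show config
netsh firewall show logging
```

Run it once per profile-bearing server; because every exception carries profile=ALL, the domain and standard profiles end up identical, which is usually what you want on a server that never leaves the data center.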
PSSU (Post-Setup Security Updates) • Service Pack 1 enhancement • Protects a freshly installed server until it can be updated: inbound connections are blocked until the administrator has applied updates and dismissed the PSSU page • Uses Windows Firewall
DEP (Data Execution Prevention) • Stops code from executing out of pages marked as data (stack, heap), so an exploit's injected code faults in the offending process instead of running • Hardware-enforced DEP • Marks memory pages non-executable • Uses the no-execute page-protection (NX) processor feature as defined by AMD • Uses the Execute Disable Bit (XD) feature as defined by Intel • Software-enforced DEP • Validates exception handler dispatch: a handler is called only if it appears in the image's SafeSEH table • Protects only software built with SafeSEH (the /SAFESEH linker option), which the Windows system binaries are
TCP/IP protection • Enhancements: • Smart TCP port allocation • SYN attack protection is enabled by default • New SYN attack notification IP Helper APIs • Winsock self-healing
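Both of these SP1 defaults can be verified on a running server. The functions below are an added PowerShell example, not from the slides; the function names are hypothetical, while the Win32_OperatingSystem properties and the Tcpip\Parameters registry value are the real ones.

```powershell
# Added example (not from the original deck): verify the Server 2003 SP1 defaults for
# DEP and SYN-attack protection. Function names are hypothetical.

function Get-DepStatus {
    # DataExecutionPrevention_* properties exist on Win32_OperatingSystem from XP SP2 / 2003 SP1.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

    # boot.ini carries the same policy as a /noexecute= switch. OptOut is the SP1 default on
    # Server 2003: every program and service is covered except an explicit exception list.
    $bootSwitch = $null
    if (Test-Path 'C:\boot.ini') {
        $m = Get-Content 'C:\boot.ini' | Select-String -Pattern '/noexecute=(\w+)' | Select-Object -First 1
        if ($m) { $bootSwitch = $m.Matches[0].Groups[1].Value }
    }

    $result = New-Object PSObject
    $result | Add-Member NoteProperty HardwareDepAvailable $os.DataExecutionPrevention_Available
    $result | Add-Member NoteProperty Policy $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
    $result | Add-Member NoteProperty Covers32BitApps $os.DataExecutionPrevention_32BitApplications
    $result | Add-Member NoteProperty CoversDrivers $os.DataExecutionPrevention_Drivers
    $result | Add-Member NoteProperty BootIniSwitch $bootSwitch
    $result
}

function Get-SynAttackProtect {
    # SynAttackProtect under Tcpip\Parameters: 0 = disabled, 1 = enabled.
    # When the value is absent, the SP1 default (enabled) applies.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $v = (Get-ItemProperty -Path $key).SynAttackProtect
    if ($v -eq $null) { return 'absent (SP1 default: enabled)' }
    if ($v -eq 0)     { return 'DISABLED (0): SYN flood protection has been turned off' }
    return "enabled ($v)"
}

function Enable-SynAttackProtect {
    # Re-enable SYN protection if it was turned off; TCP/IP reads this value at boot.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' -Name SynAttackProtect -Value 1 -Type DWord
    Write-Warning 'SynAttackProtect set to 1; reboot required'
}

$dep = Get-DepStatus
$dep | Format-List
if ($dep.Policy -ne 'OptOut' -and $dep.Policy -ne 'AlwaysOn') {
    Write-Warning "DEP policy is $($dep.Policy); the Server 2003 SP1 default is OptOut"
}
Get-SynAttackProtect
```

HardwareDepAvailable false on a machine whose CPU supports NX/XD usually means the feature is disabled in the BIOS, so software-enforced DEP is the only layer left; that is worth catching in a build checklist rather than during an incident.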
What Is Network Access Quarantine? • Remote access client authenticates • RAS client is placed in quarantine (restricted network access) • RAS client meets the quarantine policies: RAS client gets full access to the network • RAS client fails the policy check, or the quarantine timeout is reached: RAS client is disconnected
Trusts in Windows Server 2003 • Diagram: Forest 1 (domains A–F, in two trees) and Forest 2 (domains P and Q), plus a Kerberos realm, linked by the following trust types • Tree/Root trust: automatic, two-way, transitive, between the forest root domain and the root of each additional tree • Parent/Child trust: automatic, two-way, transitive, between a domain and its child • Shortcut trust: created manually within a forest to shorten the authentication path between two domains • Forest trust (new in Server 2003): between two forest root domains, transitive across the domains of both forests • External trust: manually created, non-transitive, to a domain outside the forest • Realm trust: to a non-Windows Kerberos realm
Coming Soon: IE 7 • Information Security Magazine (Jan 2006)
Server Hardening • Appropriate settings for a secure baseline • Settings for applications and services • Operating system components • Permissions and rights • Administrative procedures • Physical access
Server Hardening - Templates • Predefined security templates (shipped with Windows) • Security Guide templates (Windows Server 2003 Security Guide) • Industry templates • SANS • CIAC • NSA • DoD • Custom templates
Template Deployment • Test before deployment • Periodic analysis • Security Configuration and Analysis snap-in • Scripting (Secedit.exe) • Deployment Methods • Group Policy (Active Directory) • Security Configuration and Analysis snap-in • Scripting (Secedit.exe)
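The analyze-then-configure cycle the two slides describe, scripted with Secedit.exe, as an added PowerShell example that is not from the original deck. The template path, working directory and the two wrapper functions are assumptions; secedit.exe, its switches and its log format are the real Server 2003 tool.

```powershell
# Added example (not from the original deck): periodic analysis against a template with
# secedit.exe, and configuration only as an explicit second step.
# Assumed paths; the template is any .inf from the Security Templates snap-in or Security Guide.
$Template = 'C:\Hardening\Templates\Member_Server_Baseline.inf'
$WorkDir  = 'C:\Hardening\Work'
$Db       = Join-Path $WorkDir 'baseline.sdb'
$Log      = Join-Path $WorkDir 'baseline.log'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

function Get-SeceditFindings {
    # secedit logs each differing setting as "Mismatch - <setting>" and each setting the
    # template defines but the system lacks as "Not Configured - <setting>".
    Get-Content $Log | Select-String -Pattern '^\s*(Mismatch|Not Configured)\s*-' |
        ForEach-Object { $_.Line.Trim() }
}

function Invoke-BaselineAnalysis {
    # 1. Export the current effective settings first, so the change can be undone later by
    #    configuring the machine with before.inf.
    $before = Join-Path $WorkDir 'before.inf'
    secedit /export /cfg $before /log $Log /quiet

    # 2. Start from an empty database and a fresh log so only this template and this run
    #    are compared, then analyze without changing anything.
    if (Test-Path $Db)  { Remove-Item $Db }
    if (Test-Path $Log) { Remove-Item $Log }
    secedit /analyze /db $Db /cfg $Template /log $Log /quiet
    Get-SeceditFindings
}

function Invoke-BaselineConfigure {
    # 3. Apply the template. /overwrite replaces the database contents with the template
    #    instead of merging, so stale settings from earlier runs are not applied.
    if (Test-Path $Log) { Remove-Item $Log }
    secedit /configure /db $Db /cfg $Template /overwrite /log $Log /quiet

    # 4. Re-analyze: the findings list should now be empty, or each remaining line should
    #    have a documented reason (e.g. a setting Group Policy overrides).
    if (Test-Path $Log) { Remove-Item $Log }
    secedit /analyze /db $Db /log $Log /quiet
    Get-SeceditFindings
}

# Test before deployment: review the drift list, then configure deliberately.
$drift = Invoke-BaselineAnalysis
'{0} setting(s) differ from the template' -f @($drift).Count
$drift
# Invoke-BaselineConfigure   # run only after the drift list has been reviewed
```

Scheduling Invoke-BaselineAnalysis alone gives the periodic analysis the slide asks for: the drift list is the audit evidence, and nothing is changed until someone runs the configure step on purpose.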
Server Hardening • Security Configuration Wizard (SCW) • Optional component of Service Pack 1 (Server 2003), installed from Add/Remove Windows Components • Role-based: disables services the selected roles do not need • Blocks unused ports • Allows further address or security restrictions for ports that are left open • Prohibits unnecessary Internet Information Services (IIS) Web extensions, if applicable • Reduces protocol exposure to server message block (SMB), NTLM, LanMan, and Lightweight Directory Access Protocol (LDAP) • Defines a high signal-to-noise audit policy • Best for servers with multiple roles
Security Configuration Wizard • Supports • Rollback • Analysis • Remote configuration • Command-line support • Active Directory integration • Policy editing • Export to Group Policy
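The analysis, remote configuration, rollback and Group Policy export operations above are exposed by Scwcmd.exe, the SCW command-line tool. The following is an added PowerShell example, not from the original deck; the policy file, server names, output folder and GPO name are assumptions, while the scwcmd verbs and switches are the real ones.

```powershell
# Added example (not from the original deck): drive SCW from the command line with scwcmd.exe.
# Policy file, server names, output folder and GPO name are assumptions.
$Policy  = 'C:\Hardening\SCW\FileServer.xml'   # authored once, interactively, with scw.exe
$Servers = @('FS01', 'FS02')
$Out     = 'C:\Hardening\SCW\Results'
$Xsl     = Join-Path $env:windir 'security\msscw\TransformFiles\scwanalysis.xsl'
New-Item -ItemType Directory -Path $Out -Force | Out-Null

# Analysis: compare each server's current state with the policy without changing anything.
# scwcmd writes one <server>.xml result per machine into the /o: folder.
foreach ($s in $Servers) {
    scwcmd analyze /p:$Policy /m:$s /o:$Out
}

# Render one result as HTML with the stylesheet that ships with SCW, for review.
$xml = Join-Path $Out ('{0}.xml' -f $Servers[0])
scwcmd view /x:$xml /s:$Xsl

# Remote configuration: apply the policy to one server. SCW records the previous state,
# so the change can be reversed with "rollback" if a role stops working.
$target = $Servers[0]
scwcmd configure /p:$Policy /m:$target

# Rollback: undo the last SCW configure on that server.
scwcmd rollback /m:$target

# Export to Group Policy: turn the SCW policy (plus any security template it includes)
# into a GPO that can be linked to the OU holding all file servers.
scwcmd transform /p:$Policy /g:"File Server Hardening"
```

Analyze every server against the policy before configuring the first one: a service or port the analysis flags on FS02 but not FS01 is exactly the role difference that makes a shared policy break a machine.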
Updates • Manual • Requires user intervention – labor intensive • Windows Update / Automatic Updates • Automatic process, fine for small deployments • SUS (Software Update Services) • The administrator approves critical patches, which are then installed on multiple machines at an administrator-appointed time (replaced by WSUS) • WSUS (Windows Server Update Services) • Same as SUS but also supports other patch types and products, such as Office and critical drivers
PKI • Some uses • EFS, authentication, smart cards, IPSec, server certificates (SSL/TLS) • Auto-enrollment • Command-line tools (Certreq.exe, Certutil.exe) • Key recovery (DRA – data recovery agent for EFS files; KRA – key recovery agent for private keys archived by the CA) • Delta CRL (short-interval revocation updates published between full CRLs)
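The command-line side of this slide, as an added PowerShell example that is not from the original deck: a machine certificate request with Certreq.exe, verification with Certutil.exe, delta CRL publishing on the issuing CA, and a KRA key recovery. The CA name, subject, template name, serial number, PFX password and paths are assumptions; the certreq/certutil syntax is the real one.

```powershell
# Added example (not from the original deck). CA, subject, template, serial and paths are assumed.
$CertDir  = 'C:\Certs'
$CaConfig = 'CA01.corp.example.com\Corp Issuing CA'   # "<CA host>\<CA common name>"
New-Item -ItemType Directory -Path $CertDir -Force | Out-Null

# --- Request: certreq reads an INF describing the key and the enterprise template. ---
$inf = @"
[NewRequest]
Subject = "CN=web01.corp.example.com"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xa0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = WebServer
"@
Set-Content -Path "$CertDir\web01.inf" -Value $inf

certreq -new "$CertDir\web01.inf" "$CertDir\web01.req"            # creates the key pair and PKCS#10
certreq -submit -config $CaConfig "$CertDir\web01.req" "$CertDir\web01.cer"
certreq -accept "$CertDir\web01.cer"                               # binds the cert to the private key

# --- Verify: chain building plus AIA/CDP retrieval, so a broken CDP URL shows up here
#     rather than as a revocation-check failure in production.
certutil -verify -urlfetch "$CertDir\web01.cer"

# --- On the CA: enable delta CRLs (one per day) and publish. CA registry changes take
#     effect after Certificate Services is restarted.
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"
net stop certsvc
net start certsvc
certutil -crl      # publishes a new base CRL and delta CRL to the configured CDP locations

# --- Key recovery (KRA): pull the archived key blob by certificate serial number, then a
#     key recovery agent decrypts it into a PFX. Serial and PFX password are placeholders.
certutil -getkey 1a2b3c4d5e6f "$CertDir\web01.recovery.blob"
certutil -p 'Recover!Me' -recoverkey "$CertDir\web01.recovery.blob" "$CertDir\web01.recovered.pfx"
```

Exportable = FALSE in the request is the setting that matters for a server key: it keeps the private key inside the machine store, and the KRA path at the end is the deliberate, auditable way to get a key back rather than an export.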
Available Tools - GPMC • New User Interface • Backup and restore • Import and export • Group Policy Modeling • Resultant Set of Policy (RSoP)
Available Tools - MBSA • Microsoft Baseline Security Analyzer (v2)
Available Tools - MSAT • Microsoft Security Assessment Tool
Available Tools – Windows Defender • Microsoft Anti-Spyware – Windows Defender • Spyware detection • Scheduled scanning and removal • Straightforward operation and thorough removal technology
Available Tools • Security Resource Kit • Various tools to enumerate access control lists, list drivers, list services, dump event logs, parse logs, determine authentication method, and much more • Security Guide • Templates • Various test scripts
3rd Party Tools • Winternals http://www.winternals.com/ • Sysinternals http://www.sysinternals.com/ • CERT http://www.cert.org/ • SANS http://www.sans.org/
Resources • Windows Server 2003 Security Guide • http://go.microsoft.com/fwlink/?LinkId=14846 • WindowSecurity.com • SecWish@microsoft.com (Feedback email) • Microsoft Windows Security Resource Kit (2nd Ed.) ISBN 0-7356-2174-8 • Service Pack 1 Overview • http://www.microsoft.com/technet/prodtechnol/windowsserver2003/servicepack/overview.mspx
Resources • Microsoft Security Assessment Tool (MSAT) • https://www.securityguidance.com/ • Microsoft Security • http://www.microsoft.com/security/default.mspx • Microsoft Baseline Security Analyzer (MBSA) • http://www.microsoft.com/technet/security/tools/mbsahome.mspx • Microsoft Anti-Spyware (beta) Defender • http://www.microsoft.com/athome/security/spyware/software/default.mspx
Resources • RootKit Revealer • http://www.sysinternals.com/Utilities/RootkitRevealer.html • Strider GhostBuster Project (Rootkit detector) • http://research.microsoft.com/rootkit/ • Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP • http://go.microsoft.com/fwlink/?LinkId=15160
Contact Info • Donald E. Hester • DonaldH@MazeAssociates.com • https://www.linkedin.com/in/donaldehester