Windows Server 2003 Security
Donald E. Hester, CISSP, CISA, MCT, MCSE, MCSA, MCDST, Security+, CTT+, MV
Maze & Associates
San Diego City College
Los Medanos College
What we are looking at today

Priority shift
- Access was a top priority: open-by-default. Start with everything open, then lock down as needed.
- Control is now a top priority: closed-by-default. Start with everything closed and open only what is needed.
Security Enhancements

Server 2003 defaults
- IIS (Internet Information Services) is not installed by default; when IIS 6 is installed it is locked down.
- More startup services are disabled in 2003.
- Everyone group: no longer has Full Control (it has Read & Execute) and no longer includes anonymous users.
- Accounts with null (blank) passwords are console-bound: they can log on only at the console, not over the network.
- Software Restriction Policies: hash rule, path rule, certificate rule, Internet zone rule.
- Protected EAP (PEAP).
- Detailed security auditing.
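As an added example (not from the original slides), the script below audits three of the defaults listed above on a Windows Server 2003 host: the blank-password restriction, the Everyone group's rights on a couple of paths, the auto-start service list, and the Software Restriction Policy that is in effect. Registry paths and value names are the documented ones; the two sample paths checked for Everyone ACEs are assumptions chosen for illustration.

```powershell
# Added example: audit Server 2003 defaults and the effective Software Restriction Policy.
# Run as a local administrator; read-only, nothing is changed.

function Get-RegValue($Path, $Name, $Default) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $Default }   # value absent: the built-in default applies
    return $item.$Name
}

# 1. Blank-password accounts: 1 = console logon only (the 2003 default),
#    0 = such accounts may also be used over the network.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$blank = Get-RegValue $lsa 'LimitBlankPasswordUse' 1
"LimitBlankPasswordUse = $blank (expect 1: console-bound)"

# 2. The Everyone group should not hold Full Control; flag any ACE that does.
foreach ($path in 'C:\', 'C:\inetpub') {          # assumed sample paths
    if (-not (Test-Path $path)) { continue }
    foreach ($ace in (Get-Acl -Path $path).Access) {
        if ($ace.IdentityReference.Value -ne 'Everyone') { continue }
        $flag = 'ok'
        if ($ace.FileSystemRights -match 'FullControl') { $flag = 'REVIEW' }
        "{0,-12} Everyone: {1} [{2}]" -f $path, $ace.FileSystemRights, $flag
    }
}

# 3. Services that start automatically: the list to review against the server's role.
Get-WmiObject Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } |
    Sort-Object Name | ForEach-Object { "Auto-start service: " + $_.Name }

# 4. Software Restriction Policies. Local and domain policy both land under this key;
#    rules sit under <level>\Paths, <level>\Hashes and <level>\UrlZones as GUID subkeys
#    whose ItemData holds the path, the file hash, or the Internet zone id.
$safer  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
if (Test-Path $safer) {
    $default = [int](Get-RegValue $safer 'DefaultLevel' 262144)
    "SRP default level: " + $levels[$default]
    foreach ($lvlKey in Get-ChildItem $safer) {
        if ($lvlKey.PSChildName -notmatch '^\d+$') { continue }
        $lvlName = $levels[[int]$lvlKey.PSChildName]
        foreach ($kind in 'Paths', 'Hashes', 'UrlZones') {
            $ruleKey = Join-Path $lvlKey.PSPath $kind
            if (-not (Test-Path $ruleKey)) { continue }
            foreach ($rule in Get-ChildItem $ruleKey) {
                $data = (Get-ItemProperty $rule.PSPath).ItemData
                if ($data -is [byte[]]) {            # hash rules store the digest as binary
                    $data = [string]::Join('', ($data | ForEach-Object { $_.ToString('x2') }))
                }
                "SRP {0,-12} {1,-8} {2}" -f $lvlName, $kind, $data
            }
        }
    }
} else {
    'No Software Restriction Policy is applied on this host'
}
```

A Disallowed default with path rules for the Windows and Program Files directories is the closed-by-default posture the deck argues for; an Unrestricted default with a handful of hash rules only blocks the binaries someone has already thought of.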
File System
- NTFS: permissions and auditing
- EFS (Encrypting File System), now with multiple users per encrypted file
- VSS (Volume Shadow Copy Service, Server 2003)
- Quotas
- ABE (Access-Based Enumeration, Server 2003 SP1): users see only the shared files and folders they have permission to access
- Future developments: WinFS (won't be in Longhorn)
Internet Connection Firewall / Windows Firewall

ICF vs. Windows Firewall (SP1): what Windows Firewall adds
- Boot-time security
- Global configuration
- Audit logging
- Scope restrictions
- Command-line support
- Program-based exceptions
- Multiple profiles
- Unattended setup support
- Enhanced multicast and broadcast support
- IPv6 support
- New Group Policy support

PSSU (Post-Setup Security Updates)
- Service Pack 1 enhancement
- Protects the computer until it can update
- Uses Windows Firewall
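The following is an added example, not code from the slides, showing the command-line support, scope restrictions, program-based exceptions, audit logging and profiles listed above, all through the SP1 `netsh firewall` context. The management subnet, the program path and the log location are assumptions for the example.

```powershell
# Added example: configure the SP1 Windows Firewall with netsh and read the result back.
# Assumed values (not from the slides):
$mgmtNet = '10.0.10.0/24'           # management subnet allowed to reach RDP
$agent   = 'C:\Contoso\agent.exe'   # program that needs an inbound exception
$log     = 'C:\Windows\pfirewall.log'

# Firewall on for both profiles (Domain and Standard); configured exceptions stay honoured.
# exceptions=DISABLE would be the "shields up" mode that ignores every exception.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

# Audit logging: record dropped packets and successful connections.
netsh firewall set logging filelocation=$log maxfilesize=4096 droppedpackets=ENABLE connections=ENABLE

# Port-based exception with a custom scope: RDP only from the management subnet,
# not from anywhere the server happens to be reachable.
netsh firewall set portopening protocol=TCP port=3389 name=RemoteDesktop mode=ENABLE scope=CUSTOM addresses=$mgmtNet profile=ALL

# Program-based exception: the firewall opens whatever the program listens on,
# but only for the local subnet and only while the Domain profile is active.
netsh firewall set allowedprogram program=$agent name=ContosoAgent mode=ENABLE scope=SUBNET profile=DOMAIN

# Built-in service exception (File and Printer Sharing), again local subnet only.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET profile=DOMAIN

# Verify: operational state, the full exception list, and the logging settings.
netsh firewall show state
netsh firewall show config
netsh firewall show logging

# A scripted check that the RDP opening is really there and really scoped.
$ports = (netsh firewall show portopening | Out-String)
if ($ports -notmatch '3389') { Write-Warning 'RDP exception is missing' }
if ($ports -match '3389.*\*') { Write-Warning 'RDP exception appears to be open to any address' }
```

The same settings can be pushed centrally through the Windows Firewall Group Policy nodes added with SP1 (Computer Configuration, Administrative Templates, Network, Network Connections, Windows Firewall), which is the route to use once more than a few servers are involved.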
DEP (Data Execution Prevention)
- Stops malicious code from executing out of data pages (stack, heap): the attempt raises an exception and the process is terminated, rather than the injected code running and potentially compromising or crashing the system
- Hardware-enforced DEP protects memory locations using the processor's no-execute page protection: the NX feature as defined by AMD, the Execute Disable Bit (XD) feature as defined by Intel
- Software-enforced DEP protects system binaries and exception handling, and only for software built with SafeSEH
TCP/IP protection enhancements
- Smart TCP port allocation
- SYN attack protection is enabled by default
- New SYN attack notification IP Helper APIs
- Winsock self-healing
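As an added example (not from the slides), this script reports how the two SP1 protections just described are configured on a host: the DEP policy from boot.ini (the authoritative setting on this OS version, with the WMI view used only where the build exposes it) and the TCP/IP SYN-attack values. Value names and defaults are the documented ones; the "review" warnings are this script's own judgement.

```powershell
# Added example: check DEP and SYN attack protection settings on Windows Server 2003 SP1.

function Get-RegValue($Path, $Name, $Default) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $Default }
    return $item.$Name
}

# --- DEP ---------------------------------------------------------------------
# On Server 2003 the policy is the /noexecute switch in boot.ini:
#   OptIn     only Windows binaries are protected (the XP SP2 default)
#   OptOut    everything is protected except listed exceptions (the 2003 SP1 default)
#   AlwaysOn  everything, no exceptions; AlwaysOff disables DEP entirely
$bootIni = Join-Path $env:SystemDrive 'boot.ini'
$noexec = Get-Content $bootIni | Where-Object { $_ -match '/noexecute=(\w+)' } |
    ForEach-Object { $matches[1] } | Select-Object -First 1
if ($noexec -eq $null) { $noexec = 'OptOut (switch absent, SP1 default)' }
"DEP policy (boot.ini): $noexec"
if ($noexec -match 'AlwaysOff') {
    Write-Warning 'DEP is AlwaysOff. Re-enable with: bootcfg /raw "/noexecute=OptOut /fastdetect" /id 1'
}

# WMI corroboration where the build exposes the properties (absent on older builds).
$os = Get-WmiObject Win32_OperatingSystem
if ($os.DataExecutionPrevention_SupportPolicy -ne $null) {
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    "Hardware DEP (NX/XD) available: " + $os.DataExecutionPrevention_Available
    "DEP policy (WMI): " + $names[[int]$os.DataExecutionPrevention_SupportPolicy]
    if (-not $os.DataExecutionPrevention_Available) {
        Write-Warning 'No NX/XD support in use: only software-enforced DEP (SafeSEH checks) applies'
    }
}

# --- TCP/IP SYN attack protection -------------------------------------------
$tcp = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
# With SP1 the protection is on when SynAttackProtect is absent; 0 turns it off.
$syn             = Get-RegValue $tcp 'SynAttackProtect'      1
$halfOpen        = Get-RegValue $tcp 'TcpMaxHalfOpen'        500
$halfOpenRetried = Get-RegValue $tcp 'TcpMaxHalfOpenRetried' 400

"SynAttackProtect      : $syn"
"TcpMaxHalfOpen        : $halfOpen"
"TcpMaxHalfOpenRetried : $halfOpenRetried"

if ($syn -eq 0) { Write-Warning 'SYN attack protection has been explicitly disabled' }
if ($halfOpenRetried -ge $halfOpen) {
    Write-Warning 'TcpMaxHalfOpenRetried should stay below TcpMaxHalfOpen, otherwise the trigger never fires'
}

# Live view: how many half-open connections the stack is holding right now.
$synRecv = @(netstat -an | Where-Object { $_ -match 'SYN_RECEIVED' }).Count
"Connections in SYN_RECEIVED: $synRecv"
```

Under a SYN flood the protection backs off retransmissions and drops half-open connections once the thresholds are crossed, so a server that is legitimately very busy can see slow connection setup; watch the SYN_RECEIVED count before lowering the thresholds further.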
What Is Network Access Quarantine?
The slide diagrams the flow for a remote access (RAS) client:
1. The remote access client authenticates.
2. The RAS client is placed in quarantine.
3. The RAS client is checked against the quarantine policies:
   - If it meets the quarantine policies, it gets full access to the network.
   - If it fails the policy check, or the quarantine timeout is reached, the RAS client is disconnected.
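The client side of that flow, as an added example that is not from the slides: a post-connect script of the kind a Connection Manager profile runs on the RAS client. It performs the policy checks and, only if they all pass, calls rqc.exe (the quarantine client from the Windows Server 2003 Resource Kit tools) to notify rqs.exe on the RRAS server, which then removes the quarantine filters; a failed check leaves the client in quarantine until the timeout disconnects it. The argument order is rqc.exe's documented one; the hotfix ID, the script version string and port 7250 (the rqs default) are assumptions for this example.

```powershell
# Added example: quarantine post-connect script for a Connection Manager profile.
# Connection Manager passes the entry names, domain and user name as arguments.
param(
    [string]$ConnName,        # %DialRasEntry%
    [string]$TunnelConnName,  # %TunnelRasEntry% (empty when there is no tunnel entry)
    [string]$Domain,          # %Domain%
    [string]$UserName         # %UserName%
)

$RqsPort       = 7250                   # assumed: rqs.exe listening port on the RRAS server
$ScriptVersion = 'CorpQuarantine-1.0'   # assumed: must be in rqs's list of allowed versions
$RequiredKB    = 'KB890046'             # assumed: a hotfix the policy demands

function Test-FirewallOn {
    # Both profiles print "Operational mode = Enable" when the firewall is on.
    $state = (netsh firewall show opmode | Out-String)
    return ($state -match 'Operational mode\s*=\s*Enable')
}

function Test-HotfixInstalled($Id) {
    $hits = Get-WmiObject Win32_QuickFixEngineering | Where-Object { $_.HotFixID -eq $Id }
    return ($hits -ne $null)
}

$failures = @()
if (-not (Test-FirewallOn))                  { $failures += 'Windows Firewall is off' }
if (-not (Test-HotfixInstalled $RequiredKB)) { $failures += "$RequiredKB is not installed" }

if ($failures.Count -gt 0) {
    # Do not call rqc: the client stays behind the quarantine IP filters and the
    # server disconnects it when the quarantine session timeout is reached.
    Write-Warning ('Quarantine checks failed: ' + [string]::Join('; ', $failures))
    exit 1
}

# All checks passed: tell rqs.exe to lift the quarantine for this connection.
& rqc.exe $ConnName $TunnelConnName $RqsPort $Domain $UserName $ScriptVersion
if ($LASTEXITCODE -ne 0) {
    Write-Warning "rqc.exe returned $LASTEXITCODE; client remains quarantined"
    exit $LASTEXITCODE
}
'Quarantine released'
```

On the server side the remote access policy carries the two vendor-specific attributes that make this work, MS-Quarantine-IPFilter (what a quarantined client may reach, which must include the rqs port and whatever the checks need, such as the update server) and MS-Quarantine-Session-Timeout. The script itself is not a security boundary: it runs on an untrusted machine, so treat quarantine as a hygiene check for managed clients, not as a control against a hostile one.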
Trusts in Windows Server 2003
The slide is a diagram of two forests and a Kerberos realm, labelled with each trust type:
- Forest 1: a forest root domain with domains A, B, C, D, E and F; Forest 2: a forest root domain with domains P and Q
- Parent/child trust (Forest 2 root with Domain P and Domain Q): created automatically, two-way, transitive
- Tree/root trust (forest root with the root of another tree in the same forest): created automatically, two-way, transitive
- Forest trust (between the Forest 1 and Forest 2 root domains): created explicitly, transitive across the two forests
- Shortcut trust (between two domains inside Forest 1): created explicitly to shorten the authentication path between them
- External trust (between a domain in one forest and a domain in the other): created explicitly, non-transitive
- Realm trust (between a domain and the Kerberos realm): created explicitly to a non-Windows Kerberos realm
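As an added example (not from the slides), the commands below create, verify and list the explicit trust types in the diagram with netdom.exe (Windows Support Tools) and nltest.exe. Domain and realm names are assumptions; the forest trust itself is created in Active Directory Domains and Trusts, and netdom is used here to verify it and turn on selective authentication. Run on a domain controller of the trusting domain with the rights each operation needs.

```powershell
# Added example: explicit trusts with netdom and nltest (assumed names throughout).
$forest1 = 'forest1.example'      # root of Forest 1
$forest2 = 'forest2.example'      # root of Forest 2
$domainD = 'd.forest1.example'    # Domain D in Forest 1
$domainE = 'e.forest1.example'    # Domain E in Forest 1
$domainQ = 'q.forest2.example'    # Domain Q in Forest 2
$realm   = 'KRB.EXAMPLE'          # non-Windows Kerberos realm

# External trust: one-way and non-transitive. The first argument is the trusting
# domain, /d: the trusted one, so Domain D trusts Domain Q. /Quarantine:Yes keeps
# SID filtering on, so SIDs from outside Q are stripped from inbound tokens.
netdom trust $domainD /d:$domainQ /add /UserD:Q\Administrator /PasswordD:* /UserO:D\Administrator /PasswordO:* /Quarantine:Yes

# Shortcut trust: two-way, between two domains of the same forest, so Kerberos
# referrals between D and E no longer walk up to the forest root and back down.
netdom trust $domainD /d:$domainE /add /TwoWay /UserD:E\Administrator /PasswordD:* /UserO:D\Administrator /PasswordO:*

# Realm trust to a Kerberos realm, with a shared trust password, made transitive.
netdom trust $domainD /d:$realm /add /Realm /PasswordT:* /Transitive:Yes

# Forest trust (created in the snap-in): verify it over Kerberos, then require
# selective authentication so Forest 2 users need an explicit "Allowed to
# Authenticate" grant on each Forest 1 resource instead of being treated as
# Authenticated Users everywhere.
netdom trust $forest1 /d:$forest2 /Verify /Kerberos
netdom trust $forest1 /d:$forest2 /SelectiveAUTH:Yes

# List every trust this domain knows about with its attributes
# (direction, transitivity, forest/tree, quarantine) for review.
nltest /domain_trusts /all_trusts
```

The two settings worth checking on every inbound external or forest trust are the ones this example sets: SID filtering (on by default for trusts created on Server 2003, and the reason to re-create rather than keep a trust migrated from NT 4 days) and selective authentication.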
Coming soon: IE 7 (Information Security Magazine, Jan 2006)
Server Hardening

Server hardening: appropriate settings for a secure baseline
- Settings for applications and services
- Operating system components
- Permissions and rights
- Administrative procedures
- Physical access

Server hardening: templates
- Predefined security templates
- Security Guide templates
- Industry templates: SANS, CIAC, NSA, DoD
- Custom templates

Template deployment
- Test before deployment
- Periodic analysis: Security Configuration and Analysis snap-in, scripting (Secedit.exe)

Deployment methods
- Group Policy (Active Directory)
- Security Configuration and Analysis snap-in
- Scripting (Secedit.exe)
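The scripted route, as an added example that is not from the slides: a small custom template in the .inf format the Security Configuration and Analysis snap-in reads, analysed against the host with secedit.exe before it is applied, and exported again later for the periodic check. The settings are an illustration rather than any published baseline, and the C:\baseline paths are assumptions.

```powershell
# Added example: write a custom security template, analyze, then configure with secedit.
$dir = 'C:\baseline'                      # assumed working directory
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$inf = Join-Path $dir 'baseline.inf'
$db  = Join-Path $dir 'baseline.sdb'
$log = Join-Path $dir 'secedit.log'

# secedit expects a Unicode .inf; ';' starts a comment.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
MaximumPasswordAge = 90
LockoutBadCount = 10
ResetLockoutCount = 30
LockoutDuration = 30
[Event Audit]
; 0 = none, 1 = success, 2 = failure, 3 = success and failure
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 3
AuditPolicyChange = 3
AuditSystemEvents = 3
AuditPrivilegeUse = 2
AuditObjectAccess = 2
[Registry Values]
; path=type,value   (type 4 = REG_DWORD)
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,1
[Service General Setting]
; service,startup type (2 automatic, 3 manual, 4 disabled),security descriptor
Messenger,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
Alerter,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
'@ | Set-Content -Path $inf -Encoding Unicode

# 1. Analyze: compare the machine with the template; nothing is changed.
secedit /analyze /db $db /cfg $inf /log $log
'--- settings that differ from the template ---'
Get-Content $log | Where-Object { $_ -match 'Mismatch|Not Configured' }

# 2. Configure, only after the analysis has been reviewed on a test box.
#    /overwrite clears the database first so only this template is applied.
secedit /configure /db $db /cfg $inf /overwrite /log $log /quiet

# 3. Periodic check: export the current policy and diff it against the template.
$current = Join-Path $dir 'current.inf'
secedit /export /cfg $current /areas SECURITYPOLICY
Compare-Object (Get-Content $inf) (Get-Content $current) | Where-Object { $_.SideIndicator -eq '=>' }
```

For domain-wide deployment the same .inf is imported into a GPO (Computer Configuration, Windows Settings, Security Settings, right-click, Import Policy) so that Group Policy re-applies it on its refresh interval; secedit is the right tool for stand-alone servers and for the analysis step on either.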
Server hardening: Security Configuration Wizard (SCW)
- Comes with Service Pack 1 (Server 2003)
- Disables unneeded services
- Blocks unused ports
- Allows further address or security restrictions for ports that are left open
- Prohibits unnecessary Internet Information Services (IIS) web extensions, if applicable
- Reduces protocol exposure to server message block (SMB), NTLM, LanMan, and Lightweight Directory Access Protocol (LDAP)
- Defines a high signal-to-noise audit policy
- Best for servers with multiple roles

Security Configuration Wizard supports
- Rollback
- Analysis
- Remote configuration
- Command-line support
- Active Directory integration
- Policy editing
- Export to Group Policy
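The command-line side of that list, as an added example that is not from the slides: scwcmd.exe driving analysis, remote configuration, rollback and export to Group Policy from one policy file. The policy file is assumed to have been built once in the SCW GUI and saved; the server names, paths and GPO name are assumptions.

```powershell
# Added example: an SCW policy lifecycle with scwcmd.exe (SP1).
$policy  = 'C:\scw\webserver.xml'   # assumed: saved from the SCW GUI for the web server role
$results = 'C:\scw\results'         # assumed output directory for analysis files
$servers = 'web01', 'web02'         # assumed target servers
$xsl     = Join-Path $env:windir 'security\msscw\TransformFiles\scwanalysis.xsl'

New-Item -ItemType Directory -Path $results -Force | Out-Null

# Analysis: compare each server with the policy without changing anything.
# One <server>.xml per host lands in $results.
foreach ($s in $servers) {
    scwcmd analyze /m:$s /p:$policy /o:$results
}

# Render one result as HTML with the stylesheet that ships with SCW, for review.
$report = Join-Path $results 'web01.xml'
scwcmd view /x:$report /s:$xsl

# Remote configuration: apply the policy (services, firewall ports, IIS extensions,
# SMB/LDAP signing, audit policy). SCW records a rollback point on the server first.
scwcmd configure /m:web01 /p:$policy

# Rollback restores the settings captured before the last configure, should the
# role break; uncomment to run it.
# scwcmd rollback /m:web01

# Export to Group Policy: turn the policy into a GPO so Group Policy, not scwcmd,
# enforces it on every member of the OU the GPO is linked to.
scwcmd transform /p:$policy /g:SCW-WebServer-Baseline
```

Analyze before configure on every server, not just the first one: the wizard's policy reflects the roles present on the machine it was authored on, and a server with an extra role will have services and ports that the policy will otherwise switch off.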
Security Tools

Updates
- Manual: requires user intervention, labor intensive
- Windows Update: automatic process, fine for small deployments
- SUS (Software Update Services): updates approved critical patches on multiple machines at an administrator-appointed time (replaced with WSUS)
- WSUS (Windows Server Update Services): same as SUS but includes support for other patches such as Office and critical drivers
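As an added example (not from the slides), the script below points a Server 2003 client at a WSUS server through the Automatic Updates policy keys that a GPO would normally write, then forces a detection cycle. The server URL, target group and install schedule are assumptions; the registry value names are the documented ones.

```powershell
# Added example: configure a WSUS client through the Automatic Updates policy keys.
$wsus  = 'http://wsus.corp.example'   # assumed WSUS server (WSUS 2.0 listens on port 80)
$group = 'Servers'                    # assumed client-side target group on the WSUS server

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'
foreach ($k in $wu, $au) {
    if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
}

function Set-Dword($Path, $Name, $Value) {
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}
function Set-String($Path, $Name, $Value) {
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType String -Force | Out-Null
}

Set-String $wu 'WUServer'           $wsus   # where approved updates are downloaded from
Set-String $wu 'WUStatusServer'     $wsus   # where the client reports its status
Set-Dword  $wu 'TargetGroupEnabled' 1       # client-side targeting...
Set-String $wu 'TargetGroup'        $group  # ...into this group's approvals

Set-Dword $au 'UseWUServer'  1   # use the intranet server above instead of Windows Update
Set-Dword $au 'NoAutoUpdate' 0   # Automatic Updates stays enabled
Set-Dword $au 'AUOptions'    4   # 2 notify, 3 download and notify, 4 download and schedule install
Set-Dword $au 'ScheduledInstallDay'  0   # 0 = every day, 1 = Sunday ... 7 = Saturday
Set-Dword $au 'ScheduledInstallTime' 3   # 03:00 local time
Set-Dword $au 'NoAutoRebootWithLoggedOnUsers' 1

# A new server means a new client identity: re-register, then force detection
# rather than waiting up to the 22-hour detection interval.
wuauclt /resetauthorization /detectnow

# Verify what took effect; the detection itself is logged in %windir%\WindowsUpdate.log.
Get-ItemProperty $wu | Select-Object WUServer, WUStatusServer, TargetGroup
Get-ItemProperty $au | Select-Object UseWUServer, AUOptions, ScheduledInstallDay, ScheduledInstallTime
```

On a domain, write these through a GPO rather than a script so the values are re-applied if someone changes them locally; the script is the same settings, useful for workgroup servers and for checking a client that is not reporting.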
PKI
- Some uses: EFS, authentication, smart cards, IPSec, servers
- Auto-enrollment
- Command-line tools (Certreq.exe, Certutil.exe)
- Key recovery (DRA or KRA)
- Delta CRLs
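As an added example (not from the slides), the following walks the command-line tools through the items listed: checking the auto-enrollment policy, requesting a machine certificate with certreq.exe for a role auto-enrollment does not cover, turning on delta CRLs on the CA, and recovering an archived key with certutil.exe. The CA name, template, subject, serial number and C:\pki paths are assumptions.

```powershell
# Added example: PKI operations with certreq.exe and certutil.exe (assumed names throughout).
$caConfig = 'ca01.corp.example\Corp Issuing CA'   # "<CA host>\<CA name>", see certutil -dump
$template = 'WebServer'                            # template the requester is allowed to enroll
$subject  = 'CN=web01.corp.example'
New-Item -ItemType Directory -Path C:\pki -Force | Out-Null

# --- Auto-enrollment policy on this machine:
#     AEPolicy 7 = enabled with renew-expired, update-pending and remove-revoked; 0x8000 = disabled.
$ae = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$aeVal = (Get-ItemProperty -Path $ae -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
if ($aeVal -eq 0x8000) { Write-Warning 'Auto-enrollment is disabled by policy' } else { "AEPolicy = $aeVal" }

# --- Manual request: build the request .inf, generate the key and request,
#     submit it to the CA, and bind the issued certificate to the private key.
@"
[NewRequest]
Subject = "$subject"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
KeySpec = 1
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $template
"@ | Set-Content -Path C:\pki\request.inf
certreq -new C:\pki\request.inf C:\pki\request.req
certreq -submit -config $caConfig C:\pki\request.req C:\pki\web01.cer
certreq -accept C:\pki\web01.cer

# --- Delta CRLs (run on the CA): full CRL weekly, delta CRL daily, so a revocation
#     reaches clients within a day without making every client fetch the full list.
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod Weeks
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod Days
net stop certsvc; net start certsvc      # the registry changes take effect on restart
certutil -CRL                             # publish a full CRL and a delta now
certutil -getreg CA\CRLDeltaPeriodUnits   # verify

# --- Key recovery (template must archive keys and the CA must hold a KRA certificate):
#     1. a certificate manager extracts the archived key, encrypted to the KRA, by serial number
certutil -config $caConfig -getkey 61c1a2b3000000000007 C:\pki\archived.blob   # assumed serial
#     2. the KRA certificate holder decrypts it into a PFX to hand back to the user
certutil -recoverkey C:\pki\archived.blob C:\pki\recovered.pfx
```

The two recovery roles differ in what they can read: an EFS DRA decrypts files directly, while a KRA recovers the archived private key, which is why key recovery is normally split between a certificate manager (who can export the blob) and the KRA holder (who can decrypt it).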
Available tools: GPMC (Group Policy Management Console)
- New user interface
- Backup and restore
- Import and export
- Group Policy Modeling
- Resultant Set of Policy (RSoP)

Available tools: MBSA, Microsoft Baseline Security Analyzer (v2)

Available tools: MSAT, Microsoft Security Assessment Tool

Available tools: Windows Defender (Microsoft Anti-Spyware)
- Spyware detection
- Scheduled scanning and removal
- Straightforward operation and thorough removal technology

Available tools: Security Resource Kit
- Various tools to enumerate access control lists, list drivers, list services, dump event logs, parse logs, determine authentication method, and much more
- Security Guide templates
- Various test scripts
3rd-party tools
- Winternals: http://www.winternals.com/
- Sysinternals: http://www.sysinternals.com/
- CERT: http://www.cert.org/
- SANS: http://www.sans.org/
Resources
- Windows Server 2003 Security Guide: http://go.microsoft.com/fwlink/?LinkId=14846
- WindowSecurity.com
- [email protected] (feedback email)
- Microsoft Windows Security Resource Kit (2nd Ed.), ISBN 0-7356-2174-8
- Service Pack 1 Overview: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/servicepack/overview.mspx
- Microsoft Security Assessment Tool (MSAT): https://www.securityguidance.com/
- Microsoft Security: http://www.microsoft.com/security/default.mspx
- Microsoft Baseline Security Analyzer (MBSA): http://www.microsoft.com/technet/security/tools/mbsahome.mspx
- Microsoft Anti-Spyware (beta) / Windows Defender: http://www.microsoft.com/athome/security/spyware/software/default.mspx
- RootkitRevealer: http://www.sysinternals.com/Utilities/RootkitRevealer.html
- Strider GhostBuster Project (rootkit detector): http://research.microsoft.com/rootkit/
- Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP: http://go.microsoft.com/fwlink/?LinkId=15160