HARDENING SERVERS
Chapter 7
Chapter 7: Hardening Servers 2
DEFAULT SECURITY TEMPLATES
Setup Security.inf and DC Security.inf
Compatws.inf
Securews.inf and Securedc.inf
Hisecws.inf and Hisecdc.inf
Rootsec.inf
Iesacls.inf
DESIGNING SECURITY TEMPLATES
Create a custom security template for each role, not each computer
Base custom templates on a default template
Never modify default security templates
Apply multiple security templates to computers with multiple roles
SECURITY TEMPLATE SETTINGS
Account policies
Local policies
Event logs
Group memberships
Services
Registry permissions
File and folder permissions
SETTINGS NOT AVAILABLE IN SECURITY TEMPLATES
Configuration of Automatic Updates
Which Microsoft Windows components and applications are installed
IPSec policies
Software restrictions
Wireless network policies
EFS settings
Certification Authority (CA) settings
CONFIGURING EARLIER VERSIONS OF WINDOWS
Support Group Policy: Windows Server 2003, Windows 2000 Server, Windows 2000 Professional, Windows XP Professional
Support System Policy: Windows NT 4.0, Windows 95, Windows 98, Windows Me
DEPLOYING SECURITY CONFIGURATION WITH GROUP POLICY
Import templates into Group Policy
Leverage inheritance
Filter Group Policy objects (GPOs) with security groups
Use Windows Management Instrumentation (WMI) filtering only where necessary
SERVER HARDENING BEST PRACTICES
Use the Configure Your Server Wizard
Disable unnecessary services
Develop a process for updating all software
Change default port numbers
Use network and host-based firewalls
SERVER HARDENING BEST PRACTICES (CONT.)
Require IPSec
Place Internet servers in perimeter networks
Use physical security
Restrict removable media
Back up application-specific information
SERVER HARDENING BEST PRACTICES (CONT.)
Audit backups and restores
Rename default user accounts
Develop security requirements for application-specific user databases
Monitor each server role for failures
Read security guides at http://www.microsoft.com
HARDENING DOMAIN CONTROLLERS
A compromised domain controller can lead to compromises of domain members
Domain controllers can be identified with a DNS query
Avoid storing application data in Active Directory
Create a separate security group for users with privileges to back up domain controllers
Use source-IP filtering to block domain requests from external networks
REQUIRED DOMAIN CONTROLLER SERVICES
File Replication Service
Intersite Messaging
Kerberos Key Distribution Center
Netlogon
Remote Procedure Call (RPC) Locator
Windows Management Instrumentation
Windows Time
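The check below is an added example, not part of the original slides: it merges the [Service General Setting] sections of several security templates in application order and reports any service from the list above that would end up disabled. The short service names, the startup codes (2 automatic, 3 manual, 4 disabled), the rule that a later template overrides an earlier one, and both sample templates are assumptions of this example.

```python
import csv

# Short service names for the services on the slide. The names are an
# assumption of this example; confirm them on the target Windows build.
REQUIRED_DC_SERVICES = {
    "NtFrs": "File Replication Service",
    "IsmServ": "Intersite Messaging",
    "Kdc": "Kerberos Key Distribution Center",
    "Netlogon": "Netlogon",
    "RpcLocator": "Remote Procedure Call (RPC) Locator",
    "Winmgmt": "Windows Management Instrumentation",
    "W32Time": "Windows Time",
}
DISABLED = 4  # assumed startup codes: 2 automatic, 3 manual, 4 disabled

# Constructed sample templates (not real policy files).
DC_ROLE = ('[Version]\nsignature="$CHICAGO$"\n[Service General Setting]\n'
           'Kdc,2,""\nNetlogon,2,""\nW32Time,2,""\n')
LOCKDOWN = ('[Service General Setting]\n; generic lockdown, disables too much\n'
            'Alerter,4,""\n"RpcLocator",4,""\nw32time,4,""\n')

def parse_services(template_text):
    """Return {lowercased service name: startup code} from one template."""
    services, in_section = {}, False
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("["):
            in_section = line.lower() == "[service general setting]"
            continue
        if in_section:
            fields = next(csv.reader([line], skipinitialspace=True))
            if len(fields) >= 2 and fields[1].strip().isdigit():
                services[fields[0].strip().lower()] = int(fields[1])
    return services

def effective_services(templates):
    """Merge templates in application order; a later one overrides."""
    merged = {}
    for text in templates:
        merged.update(parse_services(text))
    return merged

def disabled_required(templates):
    """Required DC services that the merged templates leave disabled."""
    effective = effective_services(templates)
    return sorted(name for name in REQUIRED_DC_SERVICES
                  if effective.get(name.lower()) == DISABLED)

if __name__ == "__main__":
    for name in disabled_required([DC_ROLE, LOCKDOWN]):
        print(f"{name} ({REQUIRED_DC_SERVICES[name]}) would be disabled")
```

Reversing the order of the two sample templates changes the result, which is why the order in which role templates are applied to a multi-role computer needs to be reviewed along with their contents.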
HARDENING DNS SERVERS
When DNS servers are compromised, attackers can use them to:
Identify internal network resources
Launch man-in-the-middle attacks
Perform a denial-of-service (DoS) attack
BEST PRACTICES FOR HARDENING DNS SERVERS
Use Active Directory–integrated zones
If not Active Directory integrated:
Restrict permissions on zone files
Use IPSec to protect zone transfers
Disable recursion where possible
Use separate internal and Internet servers
Remove root hints on internal servers
Allow only secure DNS updates if possible
HARDENING DHCP SERVERS
Dynamic Host Configuration Protocol (DHCP) servers running Windows 2000 and later must be authorized in a domain
DHCP servers can automatically update DNS
Protect DHCP servers with 802.1X authentication
HARDENING FILE SERVERS
Carefully audit share permissions and NTFS file system permissions
Use source-IP filtering to block requests from external networks
Audit access to critical and confidential files
HARDENING IAS SERVERS
Enable Remote Authentication Dial-In User Service (RADIUS) message authenticators
Use quarantine control
Enable logging
Audit logs frequently
HARDENING EXCHANGE SERVER COMPUTERS
Encrypt mail traffic with Transport Layer Security (TLS)
Use Secure Sockets Layer (SSL) to protect Outlook Web Access (OWA)
Enable security event logging
Audit for open relays to protect against spam
HARDENING EXCHANGE SERVER COMPUTERS (CONT.)
Use antispam software
Use antivirus software
Require strong passwords
Audit with MBSA
HARDENING SQL SERVER COMPUTERS
Use Windows authentication when possible
Use delegated authentication
Configure granular authentication in SQL Server databases
Audit SQL authentication requests
Disable SQL communication protocols except TCP/IP, and require encryption
Change the default port number
HARDENING SQL SERVER COMPUTERS (CONT.)
Audit custom applications for vulnerability to SQL injection attacks
Audit databases for unencrypted confidential contents:
User names and passwords
Credit-card numbers
Social Security numbers
SUMMARY
Create security templates for every server role in your organization
Apply security templates by using GPOs
Techniques such as disabling unnecessary services and enabling host-based firewalls can be used to harden any type of server
Server roles each have role-specific considerations, including:
Services that should be enabled
Ports that must be allowed
Logging that should be enabled