Securing Your Servers
Paula Kiernan, Senior Consultant, Ward Solutions
Transcript of the session slides.
Session Overview
Defense in Depth
Malware Defense for Servers
Malware Outbreak Control and Recovery
Hardening Servers
Defense-in-Depth
Using a layered approach:
Increases an attacker’s risk of detection
Reduces an attacker’s chance of success
Layers, from the outside in, with the controls that belong to each:
Policies, procedures, and awareness: security policies, procedures, and education
Physical security: guards, locks, tracking devices
Perimeter: firewalls, border routers, VPNs with quarantine procedures
Internal network: network segments, IPSec, NIDS
Host: OS hardening, authentication, update management, antivirus updates, auditing
Application: application hardening
Data: strong passwords, ACLs, encryption, EFS, backup and restore strategy
Server Security Best Practices
Apply the latest Service Pack and all available security patches
Use Group Policy to harden servers
Restrict physical and network access to servers
Keep anti-virus software up-to-date
Protecting Servers: What Are the Challenges?
Challenges to protecting servers include:
Maintaining reliability and performance
Maintaining security updates
Maintaining antivirus updates
Applying specialized defense solutions based upon server role
Securing servers with multiple roles
Session Overview
Defense in Depth
Malware Defense for Servers
Malware Outbreak Control and Recovery
Hardening Servers
What Is Server-Based Malware Defense?
Basic steps to defend servers against malware include:
Reduce the attack surface
Analyze using configuration scanners
Enable a host-based firewall
Apply security updates
Analyze port information
Implementing Server-Based Host Protection Software
Considerations when implementing server-based antivirus software include:
CPU utilization during scanning
Application reliability
Management overhead
Application interoperability
Implementing Security Patch Management
Use the appropriate patch management tools for your environment:
Windows Update
Office Update
WSUS / SUS
SMS
MBSA
Protecting Servers: Best Practices
Consider each server role implemented in your organization to implement specific host protection solutions
Stage all updates through a test environment before releasing into production
Deploy regular security and antivirus updates as required
Implement a self-managed host protection solution to decrease management costs
Session Overview
Defense in Depth
Malware Defense for Servers
Malware Outbreak Control and Recovery
Hardening Servers
How to Confirm the Malware Outbreak
The process for infection confirmation includes:
Reporting unusual activity
Gathering the basic information
Evaluating the data
Gathering the details
Responding to unusual activity
Possible findings of the evaluation:
False alarm?
Hoax?
Known infection?
New infection?
How to Respond to a Malware Outbreak
Outbreak control mechanism tasks include:
Disconnect the compromised systems from the network
Isolate the network(s) containing the infected hosts
Disconnect the network from all external networks
Research outbreak control and cleanup techniques
Examples of recovery goals include:
Minimal disruption to the organization’s business
Fastest possible recovery time
The capture of information to support prosecution
The capture of information to allow for additional security measures to be developed
Prevention of further attacks of this type
How to Analyze the Malware Outbreak
The following analysis tasks help you to understand the nature of the outbreak:
Checking for active processes and services
Checking the startup folders
Checking for scheduled applications
Analyzing the local registry
Checking for corrupted files
Checking users and groups
Checking for shared folders
Checking for open network ports
Checking and exporting system event logs
Running MSCONFIG
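The analysis tasks above are easiest to do consistently when they are scripted, so that the same artifacts are captured from every suspect host before anyone starts cleaning it. The following is an added example, not code from the session, that collects those artifacts into one folder. It assumes Windows PowerShell 5.1 or later on Windows Server 2012 R2 / Windows 8.1 or newer (for Get-ScheduledTask, Get-SmbShare, Get-NetTCPConnection and the local-accounts cmdlets), run from an elevated prompt; the C:\IR output folder is an assumption. MSCONFIG is a GUI tool and is not covered here.

```powershell
# Added example, not from the session slides: collect the artifacts listed in the
# analysis tasks from a host suspected of infection, so the evidence exists before
# anything is cleaned. Output folder under C:\IR is an assumption.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$out   = "C:\IR\$($env:COMPUTERNAME)-$stamp"
New-Item -ItemType Directory -Path $out -Force | Out-Null

# Active processes, with the SHA-256 of each image so unknown binaries can be checked offline
Get-Process | ForEach-Object {
    $hash = if ($_.Path) { (Get-FileHash -LiteralPath $_.Path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash }
    [pscustomobject]@{ Id = $_.Id; Name = $_.ProcessName; Path = $_.Path; SHA256 = $hash }
} | Export-Csv "$out\processes.csv" -NoTypeInformation

# Services: state, start mode, logon account and binary path (a look-alike path is a common sign)
Get-CimInstance Win32_Service |
    Select-Object Name, State, StartMode, StartName, PathName |
    Export-Csv "$out\services.csv" -NoTypeInformation

# Startup folders for every profile and for all users
Get-ChildItem "$env:SystemDrive\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*",
              "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\*" -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime |
    Export-Csv "$out\startup-folders.csv" -NoTypeInformation

# Scheduled applications: every task together with what it actually executes
Get-ScheduledTask | ForEach-Object {
    [pscustomobject]@{
        Task    = $_.TaskPath + $_.TaskName
        State   = $_.State
        Author  = $_.Author
        Actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    }
} | Export-Csv "$out\scheduled-tasks.csv" -NoTypeInformation

# Registry auto-start locations (the Run/RunOnce keys are the usual ones to read first)
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$autoruns = foreach ($key in $runKeys) {
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
    }
}
$autoruns | Export-Csv "$out\registry-run-keys.csv" -NoTypeInformation

# Local users and the members of the local Administrators group
Get-LocalUser | Select-Object Name, Enabled, LastLogon, SID | Export-Csv "$out\local-users.csv" -NoTypeInformation
Get-LocalGroupMember -Group Administrators | Select-Object Name, ObjectClass, PrincipalSource |
    Export-Csv "$out\local-admins.csv" -NoTypeInformation

# Shared folders
Get-SmbShare | Select-Object Name, Path, Description | Export-Csv "$out\shares.csv" -NoTypeInformation

# Open network ports: listeners and established connections, each tied to its owning process
Get-NetTCPConnection | Where-Object { $_.State -in 'Listen', 'Established' } |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Export-Csv "$out\tcp-connections.csv" -NoTypeInformation

# Export the system event logs in their native format for the analysts
foreach ($log in 'System', 'Security', 'Application') {
    wevtutil epl $log "$out\$log.evtx"
}

# Hash everything collected so the package can later be shown to be unaltered
Get-ChildItem -Path $out -File | Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash | Export-Csv "$out\manifest.csv" -NoTypeInformation
"Collected to $out"
```

Run it before the host is disconnected only if the collection itself is fast; otherwise isolate first and collect from the console. The manifest hashes matter for the "capture of information to support prosecution" goal listed earlier: they let the package be shown unchanged from the moment it was taken.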
How to Recover from a Malware Outbreak
Use the following process to recover from a virus outbreak:
Restore missing or corrupt data
Remove or clean infected files
Reconnect your computer systems to the network
Confirm that your computer systems are free of malware
How to Perform a Postrecovery Analysis
Postrecovery analysis steps include the following:
Postattack review meeting
Postattack updates
Session Overview
Defense in Depth
Malware Defense for Servers
Malware Outbreak Control and Recovery
Hardening Servers
Hardening Servers
Core Server Hardening Tasks
Active Directory Security
Hardening Servers with Specific Roles
Hardening Application Servers
Core Server Hardening Tasks
Apply the latest Service Pack and all available security patches
Use Group Policy to harden servers:
- Disable services that are not required
- Implement secure password policies
- Disable LAN Manager and NTLMv1 authentication
Restrict physical and network access to servers
Keep anti-virus software up-to-date
Additional Recommendations for Securing Servers
Rename the built-in Administrator and Guest accounts
Restrict access for built-in and non-operating system service accounts
Do not configure a service to log on using a domain account
Use NTFS to secure files and folders
Educate IT staff on secure password practices
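The core tasks and additional recommendations above are simple to state but easy to leave half-done across a fleet, so it helps to have a check that reports the state of each item. The following is an added example, not code from the session: it audits a member server for LM/NTLMv1 acceptance, the default names of the built-in Administrator and Guest accounts, and services that log on with domain accounts, and fixes them when asked to. It assumes Windows PowerShell 5.1 or later, run elevated; the -Apply switch and the replacement account names are assumptions.

```powershell
# Added example, not from the session slides: audit a member server against the core
# hardening items and optionally fix them. -Apply and the new account names are assumptions.
param([switch]$Apply)
$findings = @()

# 1. LAN Manager / NTLMv1: LmCompatibilityLevel 5 sends NTLMv2 only and refuses LM and NTLM.
#    Confirm no client on the domain still depends on NTLMv1 before raising it fleet-wide.
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$level = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($null -eq $level -or $level -lt 5) {
    $findings += "LmCompatibilityLevel is '$level' (want 5: LM and NTLMv1 refused)"
    if ($Apply) { Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord }
}

# 2. Built-in Administrator (RID 500) and Guest (RID 501) are found by RID, not by name,
#    so an already renamed account is recognised and an unrenamed one is reported.
foreach ($acct in Get-LocalUser) {
    $rid = $acct.SID.Value.Split('-')[-1]
    if ($rid -eq '500' -and $acct.Name -eq 'Administrator') {
        $findings += 'Built-in Administrator account still has its default name'
        if ($Apply) { Rename-LocalUser -Name $acct.Name -NewName 'svr-localadmin' }  # placeholder name
    }
    if ($rid -eq '501') {
        if ($acct.Name -eq 'Guest') {
            $findings += 'Built-in Guest account still has its default name'
            if ($Apply) { Rename-LocalUser -Name $acct.Name -NewName 'svr-guest-off' }  # placeholder name
        }
        if ($acct.Enabled) {
            $findings += 'Built-in Guest account is enabled'
            if ($Apply) { Disable-LocalUser -SID $acct.SID }
        }
    }
}

# 3. Services should not log on with domain accounts. Built-in identities are LocalSystem,
#    NT AUTHORITY\..., NT SERVICE\... and .\local accounts; anything else is reported.
#    A local account written as COMPUTERNAME\user also shows up here and needs a manual look.
$builtin = '^(LocalSystem|NT AUTHORITY\\.*|NT SERVICE\\.*|\.\\.*)$'
foreach ($svc in Get-CimInstance Win32_Service) {
    if ($svc.StartName -and $svc.StartName -notmatch $builtin) {
        $findings += "Service '$($svc.Name)' logs on as '$($svc.StartName)'"
    }
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```

Run it without -Apply first and keep the output: the list of services using domain accounts is the input to the "restrict access for service accounts" item, since each of those accounts needs its own decision (a managed service account, a local account, or a documented exception) rather than a blanket change.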
Active Directory Security
Identify the Active Directory security boundary:
- Forest
- Site
- Domain
- Organizational Unit
Base the Active Directory design on Group Policy and delegation requirements
Using Group Policy
Strengthen the settings in the Default Domain Policy
Review audit settings on important Active Directory objects
Ensure that password and account policies meet your organization’s security requirements
Security Templates
Security Templates can be used to harden servers
Security Templates are implemented using:
Security Configuration and Analysis Tool
secedit
Group Policy
Windows Server 2003 Security Guide supplies default templates
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx
Security Template Best Practices
Review and modify security templates before using them
Use security configuration and analysis tools to review template settings before applying them
Test templates thoroughly before deploying them
Store security templates in a secure location
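The best practices above describe a sequence: review the template, compare it against the server without applying it, test, then apply and verify. The following is an added example, not code from the session, that runs that sequence with the secedit and gpresult tools named on the slides. It must run elevated; the template path, database path, log folder and the TEST- host naming convention are assumptions, and gpresult /h needs Windows Vista / Server 2008 or later.

```powershell
# Added example, not from the session slides: review-analyze-apply-verify for one
# security template. Paths and the TEST- naming convention are assumptions.
$template = 'C:\SecTemplates\MemberServerBaseline.inf'   # reviewed and modified beforehand
$db       = 'C:\SecTemplates\baseline.sdb'
$logDir   = 'C:\SecTemplates\logs'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

# 1. Keep a copy of the current local security settings so the change can be reversed
#    (secedit /configure with before.inf restores them).
secedit /export /cfg "$logDir\before.inf" /quiet

# 2. Compare the server with the template without changing anything. Every setting that
#    differs is logged as a mismatch; read them all before going further.
secedit /analyze /db $db /cfg $template /overwrite /log "$logDir\analyze.log" /quiet
$mismatches = Select-String -Path "$logDir\analyze.log" -Pattern 'Mismatch'
"$($mismatches.Count) settings differ from the template; see $logDir\analyze.log"

# 3. Apply on a test server only, as the best practices say; production hosts receive the
#    tested template through Group Policy rather than by running secedit on each of them.
if ($env:COMPUTERNAME -like 'TEST-*') {
    secedit /configure /db $db /cfg $template /log "$logDir\configure.log" /quiet
}

# 4. Verify: re-analyze (the mismatch count should now be zero) and save the effective
#    policy report so the applied settings can be checked and archived with the template.
secedit /analyze /db $db /cfg $template /overwrite /log "$logDir\verify.log" /quiet
gpresult /h "$logDir\gpresult.html" /f
```

The analyze log from step 2 is the artifact worth keeping: it is the list of settings the template would change on that server, which is what the "review and modify security templates before using them" item asks you to reason about. The logs folder should live in the same protected location as the templates themselves.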
Demonstration: Using Security Templates
Implementing Security Templates
Lab network used in the demonstration (reconstructed from the slide diagram; addresses are listed as they appear on it):
Internal network: 10.10.0.0/16
Internet
London.nwtraders.msft (10.10.0.2/16): Domain Controller, Exchange Server 2003, IIS 6.0 Server, Software Update Services, DNS Server, Enterprise CA Server
Vancouver.nwtraders.msft: ISA Server 2004, 10.10.0.1/16 and 131.107.0.1/16
Denver.nwtraders.msft (131.107.0.1/16): Windows XP SP2, Office 2003
Glasgow.nwtraders.msft (10.10.0.3): MIIS Server, ADAM Server
131.107.0.8: shown on the diagram without a host label
Denver.nwtraders.msft (10.10.0.10/16): Windows XP SP2, Office 2003
Brisbane.northwindtraders.msft (10.10.0.20): Domain Controller, IIS 6.0 Server
Hardening Servers with Specific Roles
Apply baseline security settings to all member servers
Apply additional settings for specific server roles
Use GPResult to ensure that settings are applied correctly
Server roles covered:
Infrastructure Servers
File & Print Servers
IIS Servers
Certificate Services Servers
Bastion Hosts
RADIUS (IAS) Servers
Hardening procedures (from the slide diagram):
Securing Active Directory
Apply Member Server Baseline Policy
Apply Incremental Role-Based Security Settings
Best Practices for Hardening Servers for Specific Roles
Secure well-known user accounts
Enable only services required by role
Enable service logging to capture relevant information
Use IPSec filtering to block specific ports based on server role
Modify templates as needed for servers with multiple roles
Hardening Application Servers
Application servers that typically have specialized protection requirements include:
Web servers, for example Internet Information Services (IIS)
Messaging servers, for example Microsoft Exchange 2003
Database servers, for example Microsoft SQL Server 2000
Application Server Best Practices
Configure security on the base operating system
Apply operating system and application service packs and patches
Install or enable only those services that are required
Application accounts should be assigned minimal permissions
Apply defense-in-depth principles to increase protection
Assign only those permissions needed to perform required tasks
Securing IIS Servers
Apply the security settings in the IIS Server Security Template
Install the IIS Lockdown tool and configure URLScan on all IIS 5.0 installations
Enable only essential IIS components
Configure NTFS permissions for all folders that contain Web content
Install IIS and store Web content on a dedicated disk volume
If possible, do not enable both the Execute and Write permissions on the same Web site
On IIS 5.0 servers, run applications using Medium or High Application Protection
Use IPSec filters to allow only ports 80 and 443
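Both the role-based best practices earlier ("use IPSec filtering to block specific ports based on server role") and the IIS list above come down to the same control: the host accepts only the ports its role needs. The following is an added example, not code from the session. On Windows Server 2003 the guide implements this with IPSec filter lists; this example uses the stateful host firewall (NetSecurity module, Windows Server 2008 R2 / 2012 and later), which is the current way to get the same effect, and it must run elevated. The management subnet 10.10.0.0/16 is borrowed from the lab network earlier in the deck and is an assumption; adjust it before use.

```powershell
# Added example, not from the session slides: restrict an IIS server to its role ports
# with the host firewall. The admin subnet is an assumption taken from the lab diagram.
$mgmtNet = '10.10.0.0/16'

# Default-deny inbound on every profile; outbound stays open so updates and antivirus
# signatures still flow, and domain traffic (server-initiated) keeps working.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# Role ports: only HTTP and HTTPS, from anywhere
New-NetFirewallRule -DisplayName 'IIS role: HTTP/HTTPS inbound' -Direction Inbound `
    -Protocol TCP -LocalPort 80, 443 -Action Allow -Profile Any

# Management: the rule you would otherwise lock yourself out with, limited to the admin subnet
New-NetFirewallRule -DisplayName 'Management: RDP from admin subnet' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $mgmtNet -Action Allow -Profile Any

# Verification: every enabled inbound allow rule with its ports and remote scope, so any
# built-in rule that still opens something beyond the role ports stands out for review
function Get-InboundAllowRules {
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Protocol  = $port.Protocol
            LocalPort = ($port.LocalPort -join ',')
            Remote    = ($addr.RemoteAddress -join ',')
        }
    }
}
Get-InboundAllowRules | Sort-Object LocalPort | Format-Table -AutoSize
```

Apply this in the test environment first, as the earlier best practices say, and check it from another host with Test-NetConnection against ports 80, 443 and a port that should now be closed. The verification listing usually shows several default rules (file and printer sharing, remote administration) that are enabled on a fresh install and should be disabled on a web server.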
Hardening the Messaging Environment
To harden your Exchange messaging environment, deploy the following:
Server environment: Domain, Domain Controller, and Member Server Baseline Policy templates (Windows Server 2003 Security Guide at http://go.microsoft.com/fwlink/?LinkId=21638)
Messaging environment: Exchange Domain Controller Baseline Policy template (Exchange Server 2003 Security Hardening Guide at http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/exsecure.mspx)
Securing Exchange Servers
Limit Exchange Server functionality to clients that are strictly required
Remain current with the latest updates for both Exchange Server 2003 and the operating system
Use SSL/TLS and forms-based authentication for Outlook Web Access
Use ISA Server 2004 to regulate access for HTTP, RPC over HTTPS, POP3, and IMAP4 traffic
Validating Exchange Server Configuration Settings
ExBPA can examine your Exchange servers to:
Generate a list of issues, such as misconfigurations or unsupported or non-recommended options
Judge the general health of a system
Help troubleshoot specific problems
Demonstration: Analyzing Configuration Settings on Exchange Server 2003
Analyze Exchange Server using MBSA and the ExBPA Tool
Basic SQL Server Security Configuration
Apply service packs and patches
Use MBSA to detect missing SQL updates
Disable unused services
MSSQLSERVER (required)
SQLSERVERAGENT
MSSQLServerADHelper
Microsoft Search
Microsoft DTC
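The service list above is the decision to make per database server: the engine stays, and each of the others is disabled unless something depends on it. The following is an added example, not code from the session, that reports those services and disables the ones not marked as required. The Windows service names MSSearch (Microsoft Search) and MSDTC (Microsoft DTC) are the real names for those two items; which services count as required is an assumption to set per server, and the StartType property needs Windows PowerShell 5.0 or later, run elevated.

```powershell
# Added example, not from the session slides: report the SQL Server services named on
# the slide and disable the ones this server does not need. $required is an assumption.
$required   = @('MSSQLSERVER')   # add 'SQLSERVERAGENT' if jobs run here, 'MSDTC' for distributed transactions
$candidates = 'MSSQLSERVER', 'SQLSERVERAGENT', 'MSSQLServerADHelper', 'MSSearch', 'MSDTC'

$report = foreach ($name in $candidates) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { continue }                 # not installed on this host
    $wanted = $required -contains $name
    if (-not $wanted -and $svc.StartType -ne 'Disabled') {
        if ($svc.Status -eq 'Running') { Stop-Service -Name $name -Force }
        Set-Service -Name $name -StartupType Disabled
    }
    $after = Get-Service -Name $name          # re-read so the report shows the final state
    [pscustomobject]@{
        Service  = $name
        Required = $wanted
        Status   = $after.Status
        StartUp  = $after.StartType
    }
}
$report | Format-Table -AutoSize
```

Keep the printed report with the server's build record: it documents which services were deliberately left running, which is what a later reviewer (or the MBSA scan mentioned above) will ask about.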
Database Server Security Considerations
Layers to secure (reconstructed from the slide diagram):
Network: protocols, ports
Operating system: patches and updates, shares, services, accounts, auditing and logging, files and directories, registry
SQL Server: SQL Server security, logins, users, and roles, database objects
Session Summary
Understanding malware will help you to implement an effective defense against malware attacks
Use a defense-in-depth approach to defend against malware
Harden operating systems and applications by applying security updates, installing and maintaining an antivirus software strategy, and restricting computers using Group Policy
Stage all updates through a test server before implementing into production, in order to minimize disruption
An efficient response and recovery plan will ensure that if a malware attack occurs, your organization can quickly recover with minimal disruption
Next Steps
Find additional security training events:
http://www.microsoft.com/seminar/events/security.mspx
Sign up for security communications:
http://www.microsoft.com/technet/security/signup/default.mspx
Order the Security Guidance Kit:
http://www.microsoft.com/security/guidance/order/default.mspx
Get additional security tools and content:
http://www.microsoft.com/security/guidance