December 2, 2008
10 steps to harden Windows Server 2008
Ever
since it’s debut, Microsoft Windows 2008 Server has
awed security and systems administrators with its complex and innovative features.
With threats becoming each day more immanent and efficient, security system administrators
face the tedious task of protecting Microsoft’s new giant. In this article we compiled
some of the industries best practices such as NIST to
show you some of the features and ways to reduce your windows 2008 servers’ exposure.
Configure a security policy
The
first step in securing the 2008 server is to configure a security policy. In order
to configure a security policy, you will need to use the SCW (Security
Configuration Wizard),
which can be installed through “add and remove windows components”. The
SCW detects ports and services, and configures registry and audit settings according
to the servers “role” or installed applications. The SCW uses a set of XML templates
which can easily be deployed and managed. The
version of SCW in Windows Server2008 includes over 200server role configurations
and security settings than the version of SCW in Windows Server2003. Also, by
using the version of SCW in Windows Server2008, you can:
- * Disable unneeded services based on the server role.
- * Remove unused firewall rules and constrain existing firewall rules.
- * Define restricted audit policies.
>>
The
server’s operating system will be changed according to the profile or template selected.Administrators
can create custom profiles and deploy them using a set o XML files.
2.
Disable or delete unnecessary accounts, ports and services
Attackers
often gain access to servers through unused or not configured ports and services.
To limit entry points, server hardening includes blocking unused ports and protocols
as well as disabling services that are not required. Although this can be done as
seen above using the SCW, the server administrator would need to double check to see
if all the services are configured properly and that only the necessary ports are
open.During
the installation of the 2008 server, by default, three local user accounts are automatically
created: the Administrator, Guest and Help Assistant. The Administrator account bears
high privileges, and requires special diligence. As a security best practice the administrator
account should be disabled or renamed to make it more difficult for an attacker to
gain access. Both
Guest and Help Assistant accounts provide an easy target for attackers which exploited
this vulnerability before on the earlier Windows Server 2003. These
accounts should be disabled at all times.
Uninstall Unnecessary Applications
Remember,
your server is a vital part of your network and services that you provide. The number
of applications installed on these servers should be role related and set to a minimum.
It is a good idea to test these applications out in a separate environment before
deploying them on the production network. Some applications make use of service backdoors,
which can sometimes compromise the overall security of the server. After installing
each application, make sure that you double check to see if the application created
any firewall exception or created a service user account.
- * Belarc
Advisor :
The Belarc Advisor “builds a detailed profile of your installed software and hardware,
missing Microsoft hot fixes, anti-virus status, and displays the results in your Web
browser.” This tool is free for personal use. Commercial, government, and non-profit
organizations should look at their other products which include many more features
for managing security on multiple computers. - *
Microsoft SysInternal Tools:
Microsoft provides a set of tools which can be used to monitor the server’s activity.
These tools include: REGMON, FILEMON,
Process Explorer, Root Kit Revealer. These tools are great for understanding what
a certain application or software does “under the sheets”.
Configure the windows 2008 Firewall
Windows
2008 server comes with a phenomenal built in firewall called the Windows Firewall
with Advanced Security. As a security best practice, all servers should have its own
host based firewall. This firewall needs to be double checked to see if there are
no unnecessary rules or exceptions. I have outlined some of the new features that
the Windows Server 2008 provides.
- * GUI
interface:
a MMC snap-in available for the Advanced Firewall Configuration. - * Bi-directional
filtering:
the firewall now filters outbound traffic as well as inbound traffic.
- * IPSEC
operability:
now the firewall rules and IPSEC encryption configurations are integrated into one
interface. - * Advanced
Rules configuration:
you can create firewall rules using Windows Active Directory objects, source amp;
destination IP addresses and protocols.
Configure Auditing
One
of the most significant changes on Windows
Server 2008 auditing is that now you can not only audit who and what attribute
was changed but also what the new and old value was.
This
is significant because you can now tell why it was changed and if something doesn’t
look right you’re able to easily find what it should be restored to.
Another
significant change is that in the past Server versions you were only able to turn
auditing policy on or off for the entire Active Directory structure. In Windows Server
2008 the auditing policy is more granular.
As
a security best practice, the following events should be logged and audited on the
Windows Server 2008.
- *
Audit account logon events
- *
Audit account management - *
Audit directory service access - *
Audit logon events - *
Audit object access - *
Audit policy change
- *
Audit privilege use - *
Audit process tracking - *
Audit system events
Most
log events on the event viewer have registered incident ID numbers; these numbers
can be used to troubleshoot the server. http://www.eventid.net/ is
a good site which aids security and system administrators in finding out what actually
happened with their servers. A best practice would also be to forward these audit
logs to a centralized server as required by PCI
DSS 10.5.3 and other industry standards. Windows
Server 2008 offers a native log subscription feature which forwards all system
and security audit logs to a centralized server.
Disable unnecessary shares
Unnecessary
shares pose a great threat to vital servers. After a server or application deployment,
system and security administrators should check to see if the server has any unnecessary
shares. This can be done using the following
command:
- Net
Share
This
will display a list of all shares on the server. If there is a need to use a share,
system and security administrators should configure the share as a hidden share and
harden all NTFS and Share permissions.
C:Documents
and Settingsgt;net share
Share
name Resource Remark
——————————————————————————-
ADMIN$ C:WINDOWS Remote
Admin
C$ C: Default
share
IPC$ Remote
IPC
In
order to create a hidden share, put a $ sign
after the share name. The share will still be accessible; however it will not be easily
listed through the network. Example:
- Accounting$
Configure Encryption on 2008 server
According
to industry best practices, such as HIPAA and GLBA require
that certain servers which host sensitive information should make use of encryption. Windows
Server 2008 provides a built in whole disk encryption feature called BitLocker
Drive Encryption (BitLocker). BitLocker protects the operating system and data
stored on the disk. In Windows Server 2008, BitLocker is an optional component that
must be installed before it can be used. To install BitLocker, select it in Server
Manager or type the following at a command prompt:
- ServerManagerCmd
-install BitLocker –restart
Updates amp; Hot fixes
Updates
and hot fixes are key elements when hardening a server. System and security administrators
should be constantly updating and patching their servers against zero day vulnerabilities.
These patches are not limited to the operating system, but also any application which
is hosted on them. Administrators should periodically check the vendor’s websites
for updates. Windows Server 2008 offers a set of tools which helps administrator update
and patch their servers.
- * WSUS: Windows
Server Update Services (WSUS) provides a software
update service for Microsoft
Windows operating
systems and other Microsoft software. By using Windows Server Update Services,
administrators can manage the distribution of Microsoft hot
fixes and updates released through Automatic
Updates to computers in a corporate environment. WSUS helps administrators
track the “update health” of each individual server.
- * MBSA: Microsoft
Baseline Security Analyzer (MBSA) is an easy-to-use tool designed for the IT professional
that helps small- and medium-sized businesses determine their security state in accordance
with Microsoft security recommendations and offers specific remediation guidance.
Improve your security management process by using MBSA to detect common security misconfigurations
and missing security updates on your computer systems.
Anti Virus amp; NAP
Anti
Virus software is also a crucial step for hardening a server. Windows Server 2008
offers a set of tools which can help combat unauthorized network access and malicious
code execution.
Windows
Server 2008 offers a Network Access Protection (NAP), which helps administrators to
isolate viruses from spreading out into the network. Windows server 2008 NAP uses
a set of policies which cleans the affected machines and when they are healthy, permits
them access to parts of your production network.
NAP
consists of client server technology which scans and identifies machines that don’t
have the latest virus signatures, service packs or security patches.Some of
the key functions of a Windows Server 2008 NAP server includes:
- * Validating
Machines:
The mission of NAP is to preserve the integrity of the network by allowing only healthy
machines to have IP addresses. - * Restricting
Network Access:
Computers or servers which don’t meet the established policy standards can be restricted
to a “quarantine” subnet where they would later be remediate the security issues. - * Fixing
Unhealthy Machines:
Windows Server 2008 NAP has the ability to direct hosts to a remediation server, where
the latest antivirus signatures and patches are deployed through SMS packages.
Least Privilege
The
concept of least privilege has been adopted by many of today’s industry standards.
A hardened server needs to have all its access reduced to a bare operational minimum.
Most of the known security breaches are often caused by elevated privileges bared
by accounts. Server services should not be configured using enterprise wide administrator
accounts. Windows Server 2008 has a couple of tools which can aid administrator to
grant or revoke access to specific sections of the server.
- * Script
Logic’s Cloak: Script
Logic Cloak is a product which enhances the Windows NT File System (NTFS) by providing
increased security,
more accurate audits and a vastly streamlined experience for users of the network. - * PolicyMaker
Application Security: PolicyMaker
is an add-on
for the Group Policy Management Console (GPMC). This tool allows administrators to
adjust application privilege levels to the lowest possible point in order to limit
damages stemming from network attacks or user error. The ability to control security
at such a granular level also helps organizations comply with regulatory mandates
such as the Sarbanes-Oxley, HIPAA and Gramm-Leach-Bliley acts.
On
the next Post I will go over each feature here described, creating a setp by step
guideline on how to configure and install the following features:
*
SCW
*
Bitlocker
*
NAP
*
Windows Firewall with Advanced Security
Stay Tuned.
Daniel de Carvalho : MCSA, MCSE, MCTS, MCITP
: Windows 2008 Enterprise Administrator