Transcript

  • 1. Windows Server Security. Charles H. Leggett, EITS - Office of Information Security, University of Georgia
  • 2. Ground Rules
    • We won’t talk about each individual setting, service, script, tweak, hack, etc. We could spend days …
    • This is a Windows Server Security overview. Feel free to ask questions and be sure to study up on anything that you don’t understand.
    • Remember to treat our discussion as opinion and recommendation. Everyone’s shop is different.
  • 3. Server Security Principles
    Source: NIST – Guide to General Server Security (http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf)
  • 4. Stay Informed
    • Stay on top of latest patches, Service Packs, vulnerabilities/exploits, and news:
      • http://www.microsoft.com/security
      • http://www.securityfocus.com/microsoft
      • http://www.sans.org
      • http://www.kbalertz.com
    • Remember to stay up on each of the services and applications that you have installed as well (IIS, Apache, PHP, etc.)
  • 5. Microsoft Updates
    • Not just Windows Updates anymore…
      • Exchange Server
      • SQL Server
      • Microsoft Office
      • … and more.
    • Turn on Automatic Updates
  • 6. Windows Server Update Services
    • With your own WSUS server you can:
      • Cache updates locally
      • Control which updates to deploy
      • Schedule installations for off peak hours
      • Manage groups of workstations with different policies
      • Allow for patch testing before general release
  • 7. Backup and Restore
    • Keep yourself out of trouble!
    • Create Backups
    • Test Restores
    • Encrypt Backups if Possible
    • Store Backups Off Site
  • 8. NTFS Filesystem
    • Always use NTFS during OS install and hard drive partitioning.
    • NTFS Allows:
      • Permissions
      • Auditing
      • Encryption (EFS)
      • Compression
      • Transaction-Oriented Processing
      • Max Volume Size of 16,000 GB
  • 9. NTFS Discretionary Access Control Lists (DACLs)
    • Inheritance
    • Deny overrides Allow
    • Standard Access Control Entries (ACEs)
    • Individual Access Control Entries (ACEs)
  • 10. When Assigning NTFS Permissions
    • Remember Simplicity:
      • Less complexity means less chance of errors and confusion.
    • Remember Least Privilege:
      • Grant users the least access necessary to do their job.
    • Remember AGULP:
      • Create a unique Account for each user
      • Add users with common needs to Global groups
      • Add global groups to Universal groups if the need spans multiple domains
      • Add global and universal groups to domain Local groups on the computers with resources that need to be secured.
      • Assign Permissions for these local groups to the resources that need to be secured.
  • 11. Shared Folder Permissions
    • Share Permissions are an additional level of access control when files are shared over a network
    • Be sure to check the permissions of your hidden and administrative shares:
      • C$, ADMIN$, and IPC$
    • Routinely audit for unexpected shares!
      • “net share” command
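    The routine share audit above, as an added example (not part of the presentation): it enumerates every share through WMI, separates the built-in administrative shares from a documented allowlist, and prints the share-level DACL of anything unexpected. The allowlist names are placeholders.

    ```powershell
    # Added example: audit shares against an allowlist (Win32_Share works on
    # Windows Server 2003 and later, so it covers the same systems as "net share").

    # Assumption: placeholder allowlist; replace with the shares you intend to publish.
    $ExpectedShares = @('Backups', 'Software')

    # Win32_Share.Type values for the hidden administrative shares (C$, ADMIN$, IPC$, ...).
    $AdminShareTypes = @{
        2147483648 = 'Disk Drive Admin'
        2147483649 = 'Print Queue Admin'
        2147483650 = 'Device Admin'
        2147483651 = 'IPC Admin'
    }

    foreach ($share in Get-WmiObject -Class Win32_Share) {
        $type = [int64]$share.Type     # cast so the lookup matches the Int64 keys above

        if ($AdminShareTypes.ContainsKey($type)) {
            # Expected on every host, but still check their permissions (slide 11).
            "[ADMIN]      {0,-12} {1}  ({2})" -f $share.Name, $share.Path, $AdminShareTypes[$type]
        }
        elseif ($ExpectedShares -contains $share.Name) {
            "[EXPECTED]   {0,-12} {1}" -f $share.Name, $share.Path
        }
        else {
            # Not on the allowlist: find out who created it and why.
            "[UNEXPECTED] {0,-12} {1}" -f $share.Name, $share.Path

            # Share-level permissions (the DACL on the share, not on the NTFS folder).
            $sec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$($share.Name)'"
            if ($sec) {
                $sd = $sec.GetSecurityDescriptor().Descriptor
                foreach ($ace in $sd.DACL) {
                    $kind = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
                    "             {0} {1}\{2}  AccessMask=0x{3:X}" -f $kind, $ace.Trustee.Domain, $ace.Trustee.Name, $ace.AccessMask
                }
            }
        }
    }
    ```

    Run it from a scheduled task and diff the output against the previous run to catch shares that appear between audits.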
  • 12. Security Templates
    • Configuration file that contains Security Settings which can be applied to a system.
    • Don’t start from scratch!
    • Many Preconfigured Templates are available from:
      • Microsoft
      • Center for Internet Security (CIS)
      • SANS Institute
      • National Institute of Standards and Technology (NIST)
      • National Security Agency (NSA), ...
  • 13. Security Templates MMC Snap-In
  • 14. Security Configuration & Analysis MMC Snap-In
  • 15. Apply a Security Template with SCA
    • Applies settings to Local Security Policy
    • Be careful:
      • There is no “undo”
      • Test settings first
      • Take a backup before
    • That’s great for one computer but, what about the rest of them …
  • 16. Apply Security Template to Group Policy Object
    • Can be Applied at any level in the domain.
    • What if the Local Security Policy and the Group Policy Object settings conflict?
  • 17. Group Policy Inheritance
  • 18. Authentication Protocols (protocol: initial support)
    • Kerberos: Windows 2000
    • NTLMv2: Windows NT 4.0 SP4 / Windows 9x (w/ ADCE)
    • NTLM: Windows NT
    • LM: MS-DOS
  • 19.
    • Kerberos is the preferred authentication protocol for Windows 2000 and above machines that are members of an Active Directory domain.
    • NTLM is still used in the following situations:
      • The client is authenticating to a server using an IP Address.
      • The client is authenticating to a server that belongs to a different Active Directory forest, or doesn't belong to a domain.
      • No Active Directory domain exists (commonly referred to as "workgroup" or "peer-to-peer").
      • Where a firewall would otherwise restrict the ports required by Kerberos (of which there are quite a few).
    Source: Wikipedia (http://en.wikipedia.org/wiki/NTLM)
  • 20.
    • Limit to Kerberos and NTLMv2 if possible
    • Falling back to NTLM and LM may be needed for Backwards Compatibility but, check!
      • Legacy Clients (Windows 9x, Windows NT, etc .)
      • Windows Embedded Devices
      • Network Attached Storage
      • Print Servers
    Source: Wikipedia (http://en.wikipedia.org/wiki/NTLM)
  • 21.  
  • 22. Network Security: LAN Manager authentication level
    • There are others, but the two worth mentioning are:
    • Send LM & NTLM – use NTLMv2 session security if negotiated
      • Balances security and usability
      • Kerberos first, NTLMv2 second, NTLM third, LM last
    • Send NTLMv2 response only / refuse LM & NTLM
      • Most secure
      • Use only Kerberos and NTLMv2 and reject everything else
    • Also, enable “Network security: Do not store LAN Manager hash value on next password change”
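    The two policies on this slide are stored as LSA registry values (LmCompatibilityLevel 0-5 and NoLMHash). The following added example (not from the presentation) reads them on the local server and reports how far they are from the "most secure" setting; run it from an elevated prompt.

    ```powershell
    # Added example: check the registry values behind
    # "LAN Manager authentication level" and "Do not store LAN Manager hash value".

    $LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # Policy text for each LmCompatibilityLevel value, index = value.
    $LevelNames = @(
        'Send LM & NTLM responses',                                    # 0
        'Send LM & NTLM - use NTLMv2 session security if negotiated',  # 1
        'Send NTLM response only',                                     # 2
        'Send NTLMv2 response only',                                   # 3
        'Send NTLMv2 response only / refuse LM',                       # 4
        'Send NTLMv2 response only / refuse LM & NTLM'                 # 5
    )

    $lsa = Get-ItemProperty -Path $LsaKey

    # Assumption: when the value is absent the OS default applies, and the default
    # differs by Windows version, so report it as "not explicitly set".
    if ($null -eq $lsa.LmCompatibilityLevel) {
        Write-Output 'LmCompatibilityLevel: not set (OS default in effect); set it explicitly via GPO'
    } else {
        $level = [int]$lsa.LmCompatibilityLevel
        Write-Output ('LmCompatibilityLevel: {0} = {1}' -f $level, $LevelNames[$level])
        if ($level -lt 3) {
            Write-Warning 'This host may still send LM/NTLM responses; raise to 3 or higher unless a legacy device needs the fallback.'
        }
        if ($level -lt 5) {
            Write-Warning 'This host still accepts LM and/or NTLM from clients; level 5 rejects everything but Kerberos and NTLMv2.'
        }
    }

    # "Do not store LAN Manager hash value on next password change" sets NoLMHash = 1.
    # Existing LM hashes remain until each account changes its password.
    if ([int]$lsa.NoLMHash -eq 1) {
        Write-Output 'NoLMHash: 1 (LM hashes are not stored on the next password change)'
    } else {
        Write-Warning 'NoLMHash is not 1: LM hashes may still be stored; enable the policy, then have users change passwords.'
    }
    ```

    Before raising the level fleet-wide, check the legacy clients listed on slide 20, since level 5 on a server refuses the NTLM responses they send.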
  • 23. Windows Firewall
    • Turn Windows Firewall ON.
    • Grant Exceptions
    • Manage Scope
    • But then I can’t ping.
    • Enable Logging
    • Manage with a GPO to be sure firewall state remains consistent
  • 24.  
  • 25.  
  • 26. Have Laptops?
  • 27. Windows Event Logs
    • You should know what to expect to see in your logs. What is normal?
    • Look up Event IDs that you are not familiar with.
      • Google: “Windows Event ID XXXX”.
    • Security Event Logs are not enabled by default!
  • 28. Security Event Log
    Source: SANS Security 401.5 Windows Security – Recommended Settings
  • 29. Event Log Size and Retention
    • Modify log size
      • 4GB theoretical max
      • 300MB actual max (see KB183097)
    • Log Retention Policy should meet operational and compliance needs.
  • 30. One more step for “Audit Object Access”
    • Configure System Access Control Lists (SACLs) for:
      • NTFS Files
      • NTFS Folders
      • Registry Keys
      • Printers
    • SACLs can be applied with Security Templates
  • 31. Log Monitoring and Consolidation
    • Windows has no built-in log consolidation, but analysis is simplified if you have a centralized copy of all of your logs. Consider:
      • Microsoft Operations Manager (MOM)
      • Syslog: Snare, Kiwi, Splunk, etc.
      • Scripted log dumps and syncs.
    • Remember not all logs are Event Logs.
      • C:\WINDOWS\pfirewall.log
    • Use NTP to sync clocks on all devices!
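    As an added example (not from the presentation) of reading a non-Event-Log source: a parser for the Windows Firewall log format used by C:\WINDOWS\pfirewall.log that summarises dropped packets per source and the distinct ports each source touched. The log lines below are constructed for the example; the field list is read from the file's own "#Fields:" header.

    ```powershell
    # Added example: summarise DROP entries from a Windows Firewall log.

    function Get-FirewallDrops {
        param([string[]]$Lines)
        # W3C-style log: '#' lines are comments; '#Fields:' names the space-separated
        # columns, so take the column names from the file instead of hard-coding them.
        $fields = $null
        foreach ($line in $Lines) {
            if ($line.StartsWith('#Fields:')) {
                $fields = $line.Substring(8).Trim() -split '\s+'
                continue
            }
            if ($line.StartsWith('#') -or $line.Trim() -eq '' -or -not $fields) { continue }
            $values = $line.Trim() -split '\s+'
            $entry  = @{}
            for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
                $entry[$fields[$i]] = $values[$i]
            }
            if ($entry['action'] -eq 'DROP') { New-Object PSObject -Property $entry }
        }
    }

    # Constructed sample in the pfirewall.log layout (not from a real server).
    # For a live server use:  $sample = Get-Content 'C:\WINDOWS\pfirewall.log'
    $sample = @'
    #Version: 1.5
    #Software: Microsoft Windows Firewall
    #Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
    2009-03-01 10:15:22 DROP TCP 10.0.0.50 10.0.0.10 4523 445 48 S 1234567 0 65535 - - - RECEIVE
    2009-03-01 10:15:23 DROP TCP 10.0.0.50 10.0.0.10 4524 139 48 S 1234568 0 65535 - - - RECEIVE
    2009-03-01 10:15:24 DROP TCP 10.0.0.50 10.0.0.10 4525 3389 48 S 1234569 0 65535 - - - RECEIVE
    2009-03-01 10:16:01 OPEN TCP 10.0.0.10 10.0.0.20 1055 80 - - - - - - - - -
    2009-03-01 10:16:05 DROP ICMP 10.0.0.77 10.0.0.10 - - 60 - - - - 8 0 - RECEIVE
    '@ -split "`r?`n"

    $drops = Get-FirewallDrops -Lines $sample

    # One source hitting many distinct ports in a short window looks like a scan;
    # a single ICMP drop from an internal host is the "I can't ping" case from slide 23.
    $drops | Group-Object -Property 'src-ip' | ForEach-Object {
        $ports = @($_.Group | ForEach-Object { $_.'dst-port' } | Sort-Object -Unique)
        New-Object PSObject -Property @{
            SourceIP      = $_.Name
            Drops         = $_.Count
            DistinctPorts = $ports.Count
            Ports         = ($ports -join ',')
        }
    } | Sort-Object -Property Drops -Descending | Format-Table -AutoSize
    ```

    Because the timestamps are local time, the NTP point on this slide matters when correlating these lines with Event Logs from other hosts.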
  • 32. Change Detection and Analysis
    • The more skilled the attack, the more subtle the changes.
    • Consider using a Host Based Intrusion Detection System.
    • Be prepared to act if you become suspicious:
      • SANS Intrusion Discovery Cheat Sheet (http://www.sans.org/info/3826)
  • 33. More Resources
    • Microsoft Baseline Security Analyzer (MBSA)
    • Microsoft Security Assessment Tool (MSAT)
      • A risk assessment questionnaire
    • Security Configuration Wizard (SCW)
      • “an attack-surface reduction tool”
      • Can create Security Templates
    • Microsoft Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP
      • “guide provides you with a reference to all security settings that provide countermeasures for specific threats”
  • 34. Campus Resources
    • Active Directory
    • Windows Server Update Services (WSUS)
    • UGA Routable Private IP Addresses (172.1[6-8].x.x)
    • UGANET Wiki
    • CheckIT on http://infosec.uga.edu
  • 35. Thank You! Charles H. Leggett, EITS - Office of Information Security, University of Georgia