  1. Windows Server Security
     Charles H. Leggett, EITS - Office of Information Security, University of Georgia
  2. Ground Rules
     - We won't talk about each individual setting, service, script, tweak, hack, etc. We could spend days ...
     - This is a Windows Server Security overview. Feel free to ask questions and be sure to study up on anything that you don't understand.
     - Take our discussion as opinion and recommendation. Everyone's shop is different.
  3. Server Security Principles
     Source: NIST, Guide to General Server Security (http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf)
  4. Stay Informed
     - Stay on top of the latest patches, Service Packs, vulnerabilities/exploits, and news:
       - http://www.microsoft.com/security
       - http://www.securityfocus.com/microsoft
       - http://www.sans.org
       - http://www.kbalertz.com
     - Remember to stay up to date on each of the services and applications that you have installed as well (IIS, Apache, PHP, etc.)
  5. Microsoft Updates
     - Not just Windows Updates anymore...
       - Exchange Server
       - SQL Server
       - Microsoft Office
       - ... and more.
     - Turn on Automatic Updates
  6. Windows Server Update Services
     - With your own WSUS server you can:
       - Cache updates locally
       - Control which updates to deploy
       - Schedule installations for off-peak hours
       - Manage groups of workstations with different policies
       - Allow for patch testing before general release
  7. Backup and Restore
     - Keep yourself out of trouble!
     - Create Backups
     - Test Restores
     - Encrypt Backups if Possible
     - Store Backups Off Site
  8. NTFS Filesystem
     - Always use NTFS during OS install and hard drive partitioning.
     - NTFS Allows:
       - Permissions
       - Auditing
       - Encryption (EFS)
       - Compression
       - Transaction-Oriented Processing
       - Max Volume Size of 16,000 GB
  9. NTFS Discretionary Access Control Lists (DACLs)
     - Inheritance
     - Deny Overrides Allow
     - Standard Access Control Entries (ACEs)
     - Individual Access Control Entries (ACEs)
  10. When Assigning NTFS Permissions
     - Remember Simplicity:
       - Less complexity means less chance of errors and confusion.
     - Remember Least Privilege:
       - Grant users the least access necessary to do their job
     - Remember AGULP:
       - Create a unique Account for each user
       - Add users with common needs to Global groups
       - Add global groups to Universal groups if the need spans multiple domains
       - Add global and universal groups to domain Local groups on the computers with resources that need to be secured.
       - Assign Permissions for these local groups to the resources that need to be secured.
  11. Shared Folder Permissions
     - Share Permissions are an additional level of access control when files are shared over a network
     - Be sure to check the permissions of your hidden and administrative shares:
       - C$, ADMIN$, and IPC$
     - Routinely audit for unexpected shares!
       - "net share" command
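The share audit the slide asks for, as an added example (not code from the presentation or from UGA): it enumerates every SMB share through WMI, flags the ones that are not the standard administrative shares, and lists the share-level DACL so an unexpected share, or one granted to Everyone, stands out. The `$defaultSharePattern` list and the `Get-ShareAudit` name are this example's own choices; it assumes PowerShell 2.0 or later and WMI access to the target.

```powershell
# Added example: audit SMB shares for anything beyond the administrative defaults.
# Win32_Share and Win32_LogicalShareSecuritySetting are standard WMI classes.

# Shares Windows creates itself (C$, D$, ADMIN$, IPC$, PRINT$, ...). Anything else
# on a server should be explainable. (Pattern chosen for this example.)
$defaultSharePattern = '^([A-Z]\$|ADMIN\$|IPC\$|PRINT\$|FAX\$|NETLOGON|SYSVOL)$'

function Get-ShareAudit {
    param([string]$ComputerName = '.')

    foreach ($share in Get-WmiObject -Class Win32_Share -ComputerName $ComputerName) {
        $isDefault = $share.Name -match $defaultSharePattern

        # Share-level ACL. The security-setting class only exists for disk shares;
        # IPC$ and the like simply return nothing here.
        $trustees = @()
        $setting = Get-WmiObject -Class Win32_LogicalShareSecuritySetting `
            -ComputerName $ComputerName -Filter "Name='$($share.Name)'"
        if ($setting) {
            $sd = $setting.GetSecurityDescriptor().Descriptor
            foreach ($ace in $sd.DACL) {
                $who = if ($ace.Trustee.Domain) { "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" } else { $ace.Trustee.Name }
                $type = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }   # 0 = access allowed
                $trustees += "$type $who"
            }
        }

        New-Object PSObject -Property @{
            Name     = $share.Name
            Path     = $share.Path
            Default  = $isDefault
            Everyone = ($trustees -match 'Everyone').Count -gt 0
            Trustees = ($trustees -join '; ')
        }
    }
}

# Review non-default shares first, then anything that grants access to Everyone.
Get-ShareAudit | Sort-Object Default, Name |
    Format-Table Name, Default, Everyone, Path, Trustees -AutoSize
```

Run it from an elevated prompt; pass `-ComputerName` to check another server remotely. Comparing the output against the previous run is the routine audit the slide recommends: a new share that is neither default nor explainable is the finding.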
  12. Security Templates
     - A configuration file that contains Security Settings which can be applied to a system.
     - Don't start from scratch!
     - Many preconfigured templates are available from:
       - Microsoft
       - Center for Internet Security (CIS)
       - SANS Institute
       - National Institute of Standards and Technology (NIST)
       - National Security Agency (NSA), ...
  13. Security Templates MMC Snap-In
  14. Security Configuration & Analysis MMC Snap-In
  15. Apply a Security Template with SCA
     - Applies settings to Local Security Policy
     - Be careful:
       - There is no "undo"
       - Test settings first
       - Take a backup before
     - That's great for one computer, but what about the rest of them ...
  16. Apply Security Template to Group Policy Object
     - Can be applied at any level in the domain.
     - What if the Local Security Policy and the Group Policy Object settings conflict?
  17. Group Policy Inheritance
  18. Authentication Protocols
     Protocol: Initial Support
     - Kerberos: Windows 2000
     - NTLMv2: Windows NT 4.0 SP4 / Windows 9x (w/ ADCE)
     - NTLM: Windows NT
     - LM: MS-DOS
  19. Kerberos vs. NTLM
     - Kerberos is the preferred authentication protocol for Windows 2000 and above machines that are members of an Active Directory domain.
     - NTLM is still used in the following situations:
       - The client is authenticating to a server using an IP address.
       - The client is authenticating to a server that belongs to a different Active Directory forest, or doesn't belong to a domain.
       - No Active Directory domain exists (commonly referred to as "workgroup" or "peer-to-peer").
       - Where a firewall would otherwise restrict the ports required by Kerberos (of which there are quite a few).
     Source: Wikipedia (http://en.wikipedia.org/wiki/NTLM)
  20. Limit Authentication Protocols
     - Limit to Kerberos and NTLMv2 if possible
     - Falling back to NTLM and LM may be needed for backwards compatibility, but check!
       - Legacy Clients (Windows 9x, Windows NT, etc.)
       - Windows Embedded Devices
       - Network Attached Storage
       - Print Servers
     Source: Wikipedia (http://en.wikipedia.org/wiki/NTLM)
  22. Network Security: LAN Manager authentication level
     - There are others, but the two worth mentioning are:
     - Send LM & NTLM - use NTLMv2 session security if negotiated
       - Balances security and usability
       - Kerberos first, NTLMv2 second, NTLM third, LM last
     - Send NTLMv2 response only\refuse LM & NTLM
       - Most secure
       - Use only Kerberos and NTLMv2 and reject everything else
     - Also, enable "Network security: Do not store LAN Manager hash value on next password change"
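The two policies on this slide are stored under the LSA registry key as `LmCompatibilityLevel` and `NoLMHash`. The following check is an added example (not code from the presentation): it reads both values and reports whether the server is at the "most secure" level the slide recommends or on the "balanced" fallback. The function name and the `MeetsRecommendation` / `CompatibleFallback` labels are this example's own; it assumes local administrator rights and Windows 2000 or later.

```powershell
# Added example: audit the LAN Manager authentication level and LM hash storage
# settings from HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# LmCompatibilityLevel values, worded as the Local Security Policy UI shows them.
$levelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only\refuse LM'
    5 = 'Send NTLMv2 response only\refuse LM & NTLM'
}

function Get-LmAuthPolicy {
    $props = Get-ItemProperty -Path $lsaKey

    # When a value is absent the OS default applies, and that default differs by
    # Windows version, so "not set" is reported as a finding rather than guessed.
    $level    = $props.LmCompatibilityLevel
    $noLmHash = $props.NoLMHash

    if ($level -ne $null) { $desc = $levelNames[[int]$level] } else { $desc = 'not set (OS default)' }

    New-Object PSObject -Property @{
        LmCompatibilityLevel = $level
        LevelDescription     = $desc
        NoLMHash             = $noLmHash
        # Slide recommendation: level 5 (Kerberos and NTLMv2 only) plus NoLMHash = 1.
        MeetsRecommendation  = ($level -eq 5) -and ($noLmHash -eq 1)
        # The "balances security and usability" option from the slide.
        CompatibleFallback   = ($level -eq 1)
    }
}

Get-LmAuthPolicy | Format-List
```

If `MeetsRecommendation` is false, set the level through Group Policy rather than by editing the registry directly, so the setting is re-applied if someone changes it locally; the same key can be checked again after the next policy refresh to confirm it stuck. Note that `NoLMHash` only stops storing the LM hash at the next password change, as the policy name says, so existing accounts keep their LM hash until users change passwords.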
  23. Windows Firewall
     - Turn Windows Firewall ON.
     - Grant Exceptions
     - Manage Scope
     - But then I can't ping.
     - Enable Logging
     - Manage with a GPO to be sure the firewall state remains consistent
  26. Have Laptops?
  27. Windows Event Logs
     - You should know what to expect to see in your logs. What is normal?
     - Look up Event IDs that you are not familiar with.
       - Google: "Windows Event ID XXXX".
     - Security Event Logs are not enabled by default!
  28. Security Event Log
     Source: SANS Security 401.5 Windows Security - Recommended Settings
  29. Event Log Size and Retention
     - Modify log size
       - 4GB theoretical max
       - 300MB actual max (see KB183097)
     - Log Retention Policy should meet operational and compliance needs.
  30. One more step for "Audit Object Access"
     - Configure System Access Control Lists (SACLs) for:
       - NTFS Files
       - NTFS Folders
       - Registry Keys
       - Printers
     - SACLs can be applied with Security Templates
  31. Log Monitoring and Consolidation
     - Windows has no built-in log consolidation, but analysis is simplified if you have a centralized copy of all of your logs. Consider:
       - Microsoft Operations Manager (MOM)
       - Syslog: Snare, Kiwi, Splunk, etc.
       - Scripted log dumps and syncs.
     - Remember not all logs are Event Logs.
       - C:\WINDOWS\pfirewall.log
     - Use NTP to sync clocks on all devices!
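The firewall log named on this slide is the kind of non-Event-Log file a scripted log dump has to parse itself. The following is an added example (not from the presentation) of doing that for the "what is normal?" question from the Event Logs slide: it reads the `#Fields:` header of the W3C-style pfirewall.log so column positions are not hard-coded, then summarises DROP entries by protocol and destination port with the source addresses seen. The function names are this example's own, and the sample log is constructed for the example using documentation (TEST-NET and private) addresses, not a real capture.

```powershell
# Added example: parse the Windows Firewall text log and summarise dropped traffic.
# Format: "#Fields:" header, then space-separated columns in that order.

function ConvertFrom-PfirewallLog {
    param([string[]]$Lines)

    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') {
            $fields = $Matches[1] -split '\s+'      # column names come from the log itself
            continue
        }
        if ($line -match '^#' -or $line.Trim() -eq '' -or -not $fields) { continue }

        $values = $line -split '\s+'
        if ($values.Count -lt $fields.Count) { continue }   # truncated line: skip, don't mis-map

        $record = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $record[$fields[$i]] = $values[$i] }
        New-Object PSObject -Property $record
    }
}

function Get-FirewallDropSummary {
    param([string]$Path = 'C:\WINDOWS\pfirewall.log', [string[]]$Lines)

    if (-not $Lines) { $Lines = Get-Content -Path $Path }
    $drops = ConvertFrom-PfirewallLog -Lines $Lines | Where-Object { $_.action -eq 'DROP' }

    # Which ports are being knocked on, and from where: the baseline to compare day to day.
    $drops | Group-Object protocol, 'dst-port' | Sort-Object Count -Descending |
        Select-Object Count, @{n='Protocol/Port'; e={ $_.Name }},
            @{n='Sources'; e={ ($_.Group | ForEach-Object { $_.'src-ip' } | Sort-Object -Unique) -join ',' }}
}

# Constructed sample log (not a real capture); header matches the XP SP2 / 2003 format.
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2009-03-10 14:22:01 DROP TCP 192.0.2.15 10.1.1.5 51234 445 48 S 123456 0 65535 - - - RECEIVE
2009-03-10 14:22:02 DROP TCP 192.0.2.15 10.1.1.5 51235 139 48 S 123457 0 65535 - - - RECEIVE
2009-03-10 14:22:05 DROP TCP 192.0.2.88 10.1.1.5 40000 445 48 S 223456 0 65535 - - - RECEIVE
2009-03-10 14:22:07 OPEN TCP 10.1.1.5 10.1.1.20 49152 3389 - - - - - - - - SEND
2009-03-10 14:22:09 DROP ICMP 192.0.2.15 10.1.1.5 - - 60 - - - - 8 0 - RECEIVE
'@ -split "`r?`n"

Get-FirewallDropSummary -Lines $sample | Format-Table -AutoSize
```

With the sample above the top line is "TCP, 445" with two sources; on a real server, run `Get-FirewallDropSummary` against the live file (or a copy pulled to the central log host) on a schedule and keep the output next to the Event Log exports. Because the log records local time, the NTP point on the slide matters here too: without synchronised clocks the firewall log and the Security Event Log cannot be lined up during an investigation.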
  32. Change Detection and Analysis
     - The more skilled the attack, the more subtle the changes.
     - Consider using a Host Based Intrusion Detection System.
     - Be prepared to act if you become suspicious:
       - SANS Intrusion Discovery Cheat Sheet (http://www.sans.org/info/3826)
  33. More Resources
     - Microsoft Baseline Security Analyzer (MBSA)
     - Microsoft Security Assessment Tool (MSAT)
       - A risk assessment questionnaire
     - Security Configuration Wizard (SCW)
       - "an attack-surface reduction tool"
       - Can create Security Templates
     - Microsoft Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP
       - "guide provides you with a reference to all security settings that provide countermeasures for specific threats"
  34. Campus Resources
     - Active Directory
     - Windows Server Update Services (WSUS)
     - UGA Routable Private IP Addresses (172.1[6-8].x.x)
     - UGANET Wiki
     - CheckIT on http://infosec.uga.edu
  35. Thank You!
     Charles H. Leggett, EITS - Office of Information Security, University of Georgia