Securing Windows web servers
Published in: Education
Transcript

  • 1. Hardening Windows 2003 Web Servers
  • 2.
    • Agenda
    • Physical Security
    • OS Installation
    • Account Policies
    • Local Policies
    • Services
    • User Accounts
    • IP Policies
    • Permissions
    • Hardening IIS
    • Additional Hardening
  • 3. General
  • 4.
    • General
    • Who should take this course
    • System Consultants
    • Security Consultants
    • System Architects
    • Anyone who is responsible for the configuration and/or the administration of a Windows 2003 environment
  • 5.
    • General
    • Strategy: Creating a secure environment
    • Secure current and/or new implementations of the Windows 2003 operating system
  • 6.
    • General
    • Strategy: Maintaining a secure environment
    • Maintain a secure environment by staying on top of security issues that are relevant to your installation
    • This is a proactive process!!
  • 7.
    • General
    • Scope of this course
    • This course will focus on the secure configuration of a Windows 2003 server hosting Internet Information Services (IIS) version 6.0
  • 8.
    • General
    • Prerequisites
    • Experience with IT security
    • Experience with MMC
    • Experience deploying web applications in enterprise environments
    • Some web application development knowledge will be useful but is not mandatory
  • 9.
    • General
    • What happens if I don’t harden my web server?
    • Most systems can be compromised within 72 hours
    • Corporate humiliation
    • You won’t know whether your system has been, or is being, attacked
    • Money wasted on reparation and down time
    • Company data/ secrets could be stolen
      • Some web sites are fed with data that comes from the same database as other internal systems
  • 10.
    • Hardening one step at a time
    • Physical Security
    • OS Installation
    • Account Policies
    • Local Policies
    • Services
    • User Accounts
    • IP Policies
    • Permissions
    • Hardening IIS
    • Additional Hardening
    (Chart on slide: “Number of Weaknesses” plotted against each hardening step)
  • 11.
    • Prerequisites
    • What should
    • Install ALL necessary software/ services before you begin.
    • Make sure that they ALL work.
    • Why?
      • If a piece of software or a service doesn’t work:
        • Because of the hardening?
        • Did it work before we started?
      • These are time wasting situations
    • Let’s begin.
  • 12. Physical Security
  • 13.
    • Physical Security
    • We assume that physical security is in place.
  • 14. OS Installation
  • 15.
    • OS Installation
    • No system upgrades
      • Why? Too many grey areas
      • ONLY clean installations
    • Two partitions (we shall be using one)
      • 01 → system files
      • 02 → web applications
    • Strong administrative passwords
      • Rainbow-table attacks make 8-character passwords trivial to break
    • Only install necessary components
  • 16.
    • OS Installation
    • Use a static IP instead of DHCP if possible (one less service)
    • If there are multiple servers in the DMZ, consider making a DMZ domain from which critical servers will inherit their baseline GPOs.
  • 17. Proof of concept scan
  • 18.
    • Proof of concept scan
    • Windows 2003 v. Windows 2000
    • Why bother using windows 2003?
      • More secure by default.
    • Can Windows 2000 be as secure?
      • Yes. It requires work.
  • 19.
    • Proof of concept scan
    • Windows 2003 v. Windows 2000
    • We will use standard tools to inspect a default Windows 2003 installation.
    • Tools to use:
      • Nmap. Scans to perform:
        • nmap -sS -P0 -O -p 1-65535
        • nmap -sS -P0 -O -g 53 -p 1-65535
        • nmap -sT -P0 -O -p 1-65535
      • NStealth
    • Windows 2003: xx.xx.xx.xx
  • 20. Local Security Settings
  • 21.
    • Policies
    • Local Security Settings
  • 22.
    • Policies
    • Account Policies
    • Never use dictionary words.
    • Never reuse old passwords by altering only one digit.
    • Never choose passwords based on pets, habits, likes or dislikes. One must never be able to identify a password by looking at the things on your desk.
    • Use upper- and lowercase with symbols and numbers.
    • Choose passwords based on phrases:
      • Th15 comput€r i5 prot€cted by a str0ng p@ssword
  • 23.
    • Policies
    • Account Policies: password Policy
    • Enforce Password History: 24
    • Maximum Password Age: 42 days
    • Minimum Password Age: 2 days
    • Minimum Password Length: 14
    • Complexity requirements: Enabled
    • Use Reversible Encryption: Disabled
  • 24.
    • Policies
    • Account Policies: Account Lockout Policy
    • Account Lockout Duration: 15 Minutes
    • Account Lockout Threshold: 10 invalid attempts
    • Reset Lockout Counter: 15 Minutes
  • 25. Services
  • 26.
    • Services
    • What services does a web server need?
    • Are you sure they are needed?
      • YES: secure them
      • NO: remove them
    • This is the hardest to get right
  • 27. Or…
  • 28.
    • System Settings
    • Isn’t there a quicker way to change system settings?
    • Yes. Meet the “Security Configuration and Analysis” snap-in
  • 29.
    • System Settings
    • Security Configuration and Analysis
    • Run mmc
    • File → Add/Remove Snap-in
    • Add → Security Configuration and Analysis → Add
    • Right-click on Security Configuration and Analysis → Open Database
    • Choose a file name → Open
    • Navigate to “High Security Baseline.inf” → Open
    • Right-click on Security Configuration and Analysis → Analyze Computer Now…
    • Save the log to your desktop
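A way to check what a host actually enforces against the password and lockout baseline on slides 23 and 24: export the local policy with `secedit /export /cfg current.inf` (the same .inf format the snap-in on slide 29 analyses) and compare the [System Access] keys. This is an added Python example, not code from the slides; the key names are the ones secedit writes, and the sample export below is constructed.

```python
import configparser

# Acceptable (low, high) ranges for the [System Access] keys of a secedit template,
# from the password and lockout policy on slides 23 and 24; high=None means unbounded.
ACCEPTABLE = {
    "PasswordHistorySize": (24, None),    # Enforce password history: 24
    "MaximumPasswordAge": (1, 42),        # 42 days; 0 or -1 would mean "never expires"
    "MinimumPasswordAge": (2, None),      # 2 days
    "MinimumPasswordLength": (14, None),  # 14 characters
    "PasswordComplexity": (1, 1),         # complexity requirements enabled
    "ClearTextPassword": (0, 0),          # reversible encryption disabled
    "LockoutDuration": (15, None),        # 15 minutes
    "LockoutBadCount": (1, 10),           # 10 invalid attempts; 0 disables lockout
    "ResetLockoutCount": (15, None),      # 15 minutes
}

# Constructed sample of `secedit /export /cfg current.inf` output (real exports are
# UTF-16). Lockout keys are absent because LockoutBadCount is 0, as secedit writes it.
SAMPLE_INF = """\
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_system_access(inf_text):
    """Return the [System Access] section of a security template as {key: int}."""
    cp = configparser.ConfigParser(interpolation=None)  # "$CHICAGO$" must not interpolate
    cp.optionxform = str  # keep the key case secedit uses
    cp.read_string(inf_text)
    if not cp.has_section("System Access"):
        return {}
    return {key: int(value) for key, value in cp["System Access"].items()}

def audit(settings):
    """Map every baseline key that is missing or outside its range to a reason."""
    findings = {}
    for key, (low, high) in ACCEPTABLE.items():
        if key not in settings:
            findings[key] = "not set"
        elif settings[key] < low or (high is not None and settings[key] > high):
            bound = f"{low}..{high}" if high is not None else f">= {low}"
            findings[key] = f"is {settings[key]}, baseline requires {bound}"
    return findings
```

On a real export, call `audit(parse_system_access(open("current.inf", encoding="utf-16").read()))`; an empty result means every key on slides 23 and 24 is in range.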
  • 30. User Accounts
  • 31.
    • User Accounts
    • Securing Well known User Accounts
    • Rename all built-in accounts:
      • Administrator
      • Guest
    • Why?
      • Everyone knows the names of these two Windows accounts.
      • Half of what a brute-force attack needs (the account name) is already common knowledge.
    • The descriptions should also be altered.
  • 32.
    • User Accounts
    • Securing Well known User Accounts
    • Assign strong passwords to these accounts
      • Th15 1s @ v€ry str0ng p@s5word don’t y0u th1nk?
    • Disable default guest accounts (if not already done by default)
  • 33. IP Policies
  • 34.
    • IP Policies
    • Structure
    • IP Filter advice: give your rules good names. Examples might look like this:
      • <POLICY> <DIRECTION> <SERVICE>
      • Permit INBOUND HTTP(S)
      • Permit OUTBOUND SSH
      • Permit OUTBOUND DNS
      • Permit OUTBOUND HTTP(S)
      • Deny BIDIRECTIONAL ALL
  • 35.
    • IP Policies
    • Example scenario
    • A web server might look similar to this:
      • Permit INBOUND:
        • HTTP
        • HTTPS?
        • TS?
      • Permit OUTBOUND:
        • HTTP
        • HTTPS
        • DNS
  • 36.
    • IP Policies
    • Local Security Settings
  • 37.
    • IP Policies
    • Let’s get started
    • Create IP Security Policy…
    • Name: Secure Web
    • Uncheck “Activate the default response rule”
    • Check “Edit Properties”
    • Uncheck “Use Add Wizard”
  • 38.
    • IP Policies
    • Basic rules
    • Create 4 rules
      • Deny BIDIRECTIONAL ALL
      • Permit INBOUND HTTP(S)
      • Permit OUTBOUND HTTP(S)
      • Permit OUTBOUND DNS
    • When you’re done, assign your new policy
  • 39.
    • IP Policies
    • Let’s look at the results
    • Tools needed:
      • NMap
    • Exercise
      • Groups of two or three
      • Choose which computer will perform the scan
      • Un-assign the IP policy on the scanning machine, as it also blocks outbound traffic
      • Perform the following port scans:
        • nmap -sS -P0 -O -p 1-65535
        • nmap -sS -P0 -O -g 53 -p 1-65535
        • nmap -sT -P0 -O -p 1-65535
  • 40. File Permissions
  • 41.
    • Permissions
    • Assigning correct NTFS permissions
    • CGI files: .EXE, .DLL, .CMD, .PL
      • Administrators: Full Control
      • System: Full Control
      • IUSR_SERVER: Read & Execute, Read
    • Script Files: .ASPX, .ASP, .PHP
      • Administrators: Full Control
      • System: Full Control
      • IUSR_SERVER: Read & Execute, Read
    • Include Files: .INC, .SHTML, .SHTM
      • Administrators: Full Control
      • System: Full Control
      • IUSR_SERVER: Read & Execute, Read
  • 42.
    • Permissions
    • Assigning correct NTFS permissions
    • Static Files: .HTML, .HTM, .TXT, .GIF, .JPG
      • Administrators: Full Control
      • System: Full Control
      • IUSR_SERVER: Read
    • Data Files: .MDB
      • Administrators: Full Control
      • System: Full Control
      • IUSR_SERVER: Read, Write, Read & Execute, Modify
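An added example (not from the slides) that turns the matrix on slides 41 and 42 into a check over an ACL listing. IUSR_SERVER is the deck’s placeholder for the IIS anonymous account (IUSR_<hostname>); the (path, principal, rights) tuples are constructed, and how you collect them from a real server (cacls, a script, a GUI export) is left to you.

```python
import ntpath  # splits Windows paths correctly even when run on another OS

# File classes from slides 41 and 42 and the rights IUSR_SERVER may hold on each.
CLASS_OF_EXT = {
    ".exe": "cgi", ".dll": "cgi", ".cmd": "cgi", ".pl": "cgi",
    ".aspx": "script", ".asp": "script", ".php": "script",
    ".inc": "include", ".shtml": "include", ".shtm": "include",
    ".html": "static", ".htm": "static", ".txt": "static", ".gif": "static", ".jpg": "static",
    ".mdb": "data",
}
IUSR_ALLOWED = {
    "cgi": {"Read & Execute", "Read"},
    "script": {"Read & Execute", "Read"},
    "include": {"Read & Execute", "Read"},
    "static": {"Read"},
    "data": {"Read", "Write", "Read & Execute", "Modify"},
}
# The only principals the slides grant anything to; any other ACE deserves a look.
EXPECTED_PRINCIPALS = {"Administrators", "System", "IUSR_SERVER"}

def audit_acl(entries):
    """entries: iterable of (path, principal, set_of_rights) as read off the ACL.
    Returns [(path, finding)] for every ACE that departs from the slides' matrix."""
    findings = []
    for path, principal, rights in entries:
        cls = CLASS_OF_EXT.get(ntpath.splitext(path)[1].lower())
        if cls is None:
            findings.append((path, "extension not in the matrix; classify it before deploying"))
        elif principal not in EXPECTED_PRINCIPALS:
            findings.append((path, f"unexpected principal {principal}: {sorted(rights)}"))
        elif principal == "IUSR_SERVER" and set(rights) - IUSR_ALLOWED[cls]:
            extra = sorted(set(rights) - IUSR_ALLOWED[cls])
            findings.append((path, f"IUSR_SERVER has {extra} on a {cls} file"))
    return findings

# Constructed ACL dump for a web root on the second partition (not a real host).
SAMPLE_ACL = [
    (r"D:\web\default.aspx", "Administrators", {"Full Control"}),
    (r"D:\web\default.aspx", "System", {"Full Control"}),
    (r"D:\web\default.aspx", "IUSR_SERVER", {"Read & Execute", "Read", "Write"}),  # writable script
    (r"D:\web\logo.gif", "IUSR_SERVER", {"Read"}),
    (r"D:\web\cgi\upload.exe", "Everyone", {"Read & Execute"}),                    # stray principal
    (r"D:\web\data\site.mdb", "IUSR_SERVER", {"Read", "Write", "Read & Execute", "Modify"}),
    (r"D:\web\web.config", "IUSR_SERVER", {"Read"}),                               # not in the matrix
]
```

A script file the anonymous account can write to is the finding to chase first: it lets web content be altered by anything running as that account.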
  • 43. Hardening IIS
  • 44.
    • Hardening IIS
    • Web server extensions
    • Application Debugging
    • Custom Errors
    • HTTP Verbs
    • URL Scan
    • Logging
  • 45.
    • Web server Extensions
    • Predefined Web Service Extensions
    • Everything is turned off by default
    • A default IIS 6.0 installation will only serve static pages (.HTML, .HTM).
  • 46.
    • Web server Extensions
    • Predefined Web Service Extensions (cont.)
    • Active Server Pages
    • ASP.NET version 1.1.4322
    • FrontPage Server Extensions 2002
    • Internet Data Connector
    • Server-Side Includes
    • WebDAV
  • 47.
    • Application Debugging
    • Stop IIS from sending error messages to clients
    • Stop applications from sending debugging details to clients:
      • Right click on your web site in the IIS manager
      • Home Directory → Configuration
      • App Debugging
      • Check ”Send text error to client” and leave the box blank
  • 48.
    • Custom Errors
    • Redirect to a custom error page when errors occur
    • Send custom error pages to clients for HTTP 500s and 404s:
      • Right click on your web site in the IIS manager
      • Custom Errors → double-click on 500
      • Message Type: URL
      • URL: /<LOCATION OF CUSTOM PAGE>
      • Make certain that error 500 messages don’t get sent to the browser!
  • 49.
    • HTTP Verbs
    • Limit access to HTTP Verbs
    • Remove all unneeded HTTP verbs from each application:
      • Generally required: GET, HEAD, POST
  • 50.
    • URL Scan
    • URL filtering
    • What is URL Scan?
    • What can it do?
      • Enable/disable HTTP verbs
      • Disable HTTP headers
      • Enable/disable specific file extensions
      • Disable character sequences
      • Remove/alter the server header
      • Restrict header lengths
    • Questions concerning URL Scan?
  • 51.
    • URL Scan
    • URL filtering
    • How does it work: Configuration File
    • Installation
    • Fine tuning
  • 52.
    • Logging
    • Configuring Logging
    • Create separate logs for each site
    • Log Folder Permissions
      • Administrators: Full Control
      • System: Full Control
      • IUSR_SERVER: Read, Write, Modify, List Folder Contents, Read & Execute
  • 53. Additional Hardening
  • 54.
    • Additional Hardening
    • Uninstallable Components
    • Special Binaries
  • 55.
    • Uninstallable Components
    • Load “%systemroot%\inf\sysoc.inf” into Notepad
    • Replace “hide” with “” (an empty string) so hidden components appear in Add/Remove Applications
    • Run Add/Remove Applications
    • Remove any unwanted/ unneeded components (be careful!)
  • 56.
    • Special Binaries
    • Several executables exist on a standard Windows 2000 installation that could become rather useful to an attacker
    • Special access rights need to be set on all of these executables
  • 57.
    • Special Binaries (cont.)
    • Uncheck “Allow inheritable permissions from parent to propagate to this object”.
    • Remove all users from the name list, including SYSTEM.
    • Assign ”Full Control” to a user that is to be used to access these files – an administrator.
  • 58.
    • Special Binaries (cont.)
    • rsh.exe, secfixup.exe, telnet.exe, tftp.exe, ipconfig.exe, nbtstat.exe, netstat.exe, ping.exe, qbasic.exe, rdisk.exe, regedt32.exe, net.exe, nslookup.exe, posix.exe, rcp.exe, regedit.exe, rexec.exe, tracert.exe, command.com, os2.exe, os2ss.exe, arp.exe, at.exe, atsvc.exe, cacls.exe, cmd.exe, debug.exe, edit.com, edlin.exe, finger.exe, ftp.exe, xcopy.exe, os2srv.exe, cscript.exe, wscript.exe, iisreset.exe, route.exe, runonce.exe, syskey.exe
  • 59.
    • What have we learned today?
    • Physical Security
    • OS Installation
    • Account Policies
    • Local Policies
    • Services
    • User Accounts
    • IP Policies
    • Permissions
    • Hardening IIS
    • Additional Hardening
  • 60. ?
