Securing Windows web servers
  1. Hardening Windows 2003 Web Servers
  2. Agenda
     - Physical Security
     - OS Installation
     - Account Policies
     - Local Policies
     - Services
     - User Accounts
     - IP Policies
     - Permissions
     - Hardening IIS
     - Additional Hardening
  3. General
  4. General: Who should take this course
     - System Consultants
     - Security Consultants
     - System Architects
     - Anyone who is responsible for the configuration and/or administration of a Windows 2003 environment
  5. General: Strategy: Creating a secure environment
     - Secure current and/or new implementations of the Windows 2003 operating system
  6. General: Strategy: Maintaining a secure environment
     - Maintain a secure environment by staying on top of security issues that are relevant to your installation
     - This is a proactive process!!
  7. General: Scope of this course
     - This course will focus on the secure configuration of a Windows 2003 server hosting Internet Information Services (IIS) version 6.0
  8. General: Prerequisites
     - Experience with IT security
     - Experience with MMC
     - Experience deploying web applications in enterprise environments
     - Some web application development knowledge will be useful but is not mandatory
  9. General: What happens if I don't harden my web server?
     - Most systems can be compromised within 72 hours
     - Corporate humiliation
     - You won't know whether your system has been or is being attacked
     - Money wasted on repairs and downtime
     - Company data/secrets could be stolen
       - Some web sites are fed with data that comes from the same database as other internal systems
  10. Hardening one step at a time (bar chart residue: one bar per step, axis label "Number of Weaknesses"; only the step names survive)
     - Physical Security
     - OS Installation
     - Account Policies
     - Local Policies
     - Services
     - User Accounts
     - IP Policies
     - Permissions
     - Hardening IIS
     - Additional Hardening
  11. Prerequisites: What should
     - Install ALL necessary software/services before you begin.
     - Make sure that they ALL work.
     - Why?
       - If a piece of software or a service doesn't work:
         - Is it because of the hardening?
         - Did it work before we started?
       - These are time-wasting situations
     - Let's begin.
  12. Physical Security
  13. Physical Security
     - We assume that physical security is in place.
  14. OS Installation
  15. OS Installation
     - No system upgrades
       - Why? Too many grey areas
       - ONLY clean installations
     - Two partitions (we shall be using one)
       - 01 → system files
       - 02 → web applications
     - Strong administrative passwords
       - Rainbow-table attacks make 8-character passwords trivial to break
     - Only install necessary components
  16. OS Installation
     - Use a static IP instead of DHCP if possible (one less service)
     - If there are multiple servers in the DMZ, consider making a DMZ domain from which critical servers will inherit their baseline GPOs.
  17. Proof of concept scan
  18. Proof of concept scan: Windows 2003 v. Windows 2000
     - Why bother using Windows 2003?
       - More secure by default.
     - Can Windows 2000 be as secure?
       - Yes. It requires work.
  19. Proof of concept scan: Windows 2003 v. Windows 2000
     - We will use standard tools to inspect a default Windows 2003 installation.
     - Tools to use:
       - Nmap. Scans to perform:
         - nmap -sS -P0 -O -p1-65535
         - nmap -sS -P0 -O -g 53 -p 1-65535
         - nmap -sT -P0 -O -p1-65535
       - NStealth
     - Windows 2003: xx.xx.xx.xx
  20. Local Security Settings
  21. Policies: Local Security Settings
  22. Policies: Account Policies
     - Never use dictionary words.
     - Never reuse old passwords by altering only one digit.
     - Never choose passwords based on pets, habits, likes or dislikes. One must never be able to identify a password by looking at the things on your desk.
     - Use upper- and lowercase with symbols and numbers.
     - Choose passwords based on phrases:
       - Th15 comput€r i5 prot€cted by a str0ng p@ssword
  23. Policies: Account Policies: Password Policy
     - Enforce Password History: 24
     - Maximum Password Age: 42 days
     - Minimum Password Age: 2 days
     - Minimum Password Length: 14
     - Complexity requirements: Enabled
     - Use Reversible Encryption: Disabled
  24. Policies: Account Policies: Account Lockout Policy
     - Account Lockout Duration: 15 minutes
     - Account Lockout Threshold: 10 invalid attempts
     - Reset Lockout Counter: 15 minutes
  25. Services
  26. Services
     - What services does a web server need?
     - Are you sure they are needed?
       - YES: secure them
       - NO: remove them
     - This is the hardest to get right
  27. Or…
  28. System Settings
     - Isn't there a quicker way to change system settings?
     - Yes. Meet the "Security Configuration and Analysis" snap-in
  29. System Settings: Security Configuration and Analysis
     - Run mmc
     - File → Add/Remove Snap-in
     - Add → Security Configuration and Analysis → Add
     - Right-click on Security Configuration and Analysis → Open Database
     - Choose a file name → Open
     - Navigate to "High Security Baseline.inf" → Open
     - Right-click on Security Configuration and Analysis → Analyse Computer Now…
     - Save the log to your desktop
  30. User Accounts
  31. User Accounts: Securing well-known user accounts
     - Rename all built-in accounts:
       - Administrator
       - Guest
     - Why?
       - Everyone knows the names of these two Windows accounts.
       - Half of what a brute-force attack needs (the account name) is therefore already common knowledge.
     - The descriptions should also be altered.
  32. User Accounts: Securing well-known user accounts
     - Assign strong passwords to these accounts
       - Th15 1s @ v€ry str0ng p@s5word don't y0u th1nk?
     - Disable default guest accounts (if not already done by default)
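The password policy (slide 23), lockout policy (slide 24) and built-in account changes (slides 31-32) can be captured in one secedit security template and checked with the same engine the Security Configuration and Analysis snap-in uses (slide 29). This is an added example, not material from the slides; the account names SrvOpsAdmin/SrvOpsGuest and the C:\Hardening paths are placeholders.

```powershell
# Added example (not from the slides): write a secedit template holding the deck's
# password, lockout and built-in account settings, then analyse the machine against it.
# "SrvOpsAdmin", "SrvOpsGuest" and C:\Hardening are placeholders; choose your own.
$workDir = 'C:\Hardening'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$inf = Join-Path $workDir 'SecureWeb.inf'
$db  = Join-Path $workDir 'SecureWeb.sdb'
$log = Join-Path $workDir 'SecureWeb.log'

# Single-quoted here-string: nothing is interpolated, so $CHICAGO$ stays literal.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
; Password Policy (slide 23); ages are in days
PasswordHistorySize = 24
MaximumPasswordAge = 42
MinimumPasswordAge = 2
MinimumPasswordLength = 14
PasswordComplexity = 1
ClearTextPassword = 0
; Account Lockout Policy (slide 24); durations are in minutes
LockoutDuration = 15
LockoutBadCount = 10
ResetLockoutCount = 15
; Well-known accounts (slides 31-32): rename both, keep Guest disabled
NewAdministratorName = "SrvOpsAdmin"
NewGuestName = "SrvOpsGuest"
EnableGuestAccount = 0
'@
Set-Content -Path $inf -Value $template -Encoding Unicode

# Analyse only: compares the live settings with the template and writes the log.
# Replace /analyze with /configure (same arguments) to apply the template.
& secedit.exe /analyze /db $db /cfg $inf /log $log /quiet

# Every setting that differs from the template is logged as "Mismatch - <name>".
Select-String -Path $log -Pattern '^\s*Mismatch' |
    ForEach-Object { $_.Line.Trim() }
```

Run the analysis again after hardening: an empty mismatch list is the evidence that the baseline is in force.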
  33. IP Policies
  34. IP Policies: Structure
     - IP filter advice: give your rules good names. Examples might look like this:
       - <POLICY> <DIRECTION> <SERVICE>
       - Permit INBOUND HTTP(S)
       - Permit OUTBOUND SSH
       - Permit OUTBOUND DNS
       - Permit OUTBOUND HTTP(S)
       - Deny BIDIRECTIONAL ALL
  35. IP Policies: Example scenario
     - A web server might look similar to this:
       - Permit INBOUND:
         - HTTP
         - HTTPS?
         - TS?
       - Permit OUTBOUND:
         - HTTP
         - HTTPS
         - DNS
  36. IP Policies: Local Security Settings
  37. IP Policies: Let's get started
     - Create IP Security Policy…
     - Name: Secure Web
     - Uncheck "Activate the default response rule"
     - Check "Edit Properties"
     - Uncheck "Use Add Wizard"
  38. IP Policies: Basic rules
     - Create 4 rules
       - Deny BIDIRECTIONAL ALL
       - Permit INBOUND HTTP(S)
       - Permit OUTBOUND HTTP(S)
       - Permit OUTBOUND DNS
     - When you're done, assign your new policy
  39. IP Policies: Let's look at the results
     - Tools needed:
       - Nmap
     - Exercise
       - Groups of two or three
       - Choose which computer will perform the scan
       - Un-assign the IP policy on the scanning computer, as it also blocks outbound traffic
       - Perform the following port scans:
         - nmap -sS -P0 -O -p1-65535
         - nmap -sS -P0 -O -g 53 -p 1-65535
         - nmap -sT -P0 -O -p1-65535
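The policy built by hand in slides 37-38 can also be created with the netsh ipsec static context that Windows Server 2003 ships, which makes the four rules repeatable across every server in the DMZ. This is an added example and not part of the deck; the filter list and action names are placeholders, and "me"/"any" are netsh's own address keywords.

```powershell
# Added example (not from the slides): slide 38's four rules via netsh ipsec static.
# Filter-list and filter-action names are placeholders; the rule names follow slide 34.
$policy = 'Secure Web'

# Slide 37: new policy without the default response rule; leave it unassigned for now.
netsh ipsec static add policy name="$policy" activatedefaultrule=no assign=no

# Filter actions the rules will reference.
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add filteraction name="Block"  action=block

# Deny BIDIRECTIONAL ALL: mirrored=yes matches the reverse direction as well.
netsh ipsec static add filterlist name="AllTraffic"
netsh ipsec static add filter filterlist="AllTraffic" srcaddr=me dstaddr=any protocol=any mirrored=yes

# Permit INBOUND HTTP(S): clients -> this host on TCP 80 and 443.
netsh ipsec static add filterlist name="InboundHTTPS"
foreach ($port in 80, 443) {
    netsh ipsec static add filter filterlist="InboundHTTPS" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=$port mirrored=yes
}

# Permit OUTBOUND HTTP(S) and OUTBOUND DNS (TCP and UDP 53): this host -> anywhere.
netsh ipsec static add filterlist name="OutboundHTTPS"
foreach ($port in 80, 443) {
    netsh ipsec static add filter filterlist="OutboundHTTPS" srcaddr=me dstaddr=any protocol=tcp srcport=0 dstport=$port mirrored=yes
}
netsh ipsec static add filterlist name="OutboundDNS"
foreach ($proto in 'tcp', 'udp') {
    netsh ipsec static add filter filterlist="OutboundDNS" srcaddr=me dstaddr=any protocol=$proto srcport=0 dstport=53 mirrored=yes
}

# Tie lists and actions into the four rules. Windows IPsec applies the most specific
# matching filter, so the catch-all Block rule does not shadow the Permit rules.
netsh ipsec static add rule name="Deny BIDIRECTIONAL ALL"  policy="$policy" filterlist="AllTraffic"    filteraction="Block"
netsh ipsec static add rule name="Permit INBOUND HTTP(S)"  policy="$policy" filterlist="InboundHTTPS"  filteraction="Permit"
netsh ipsec static add rule name="Permit OUTBOUND HTTP(S)" policy="$policy" filterlist="OutboundHTTPS" filteraction="Permit"
netsh ipsec static add rule name="Permit OUTBOUND DNS"     policy="$policy" filterlist="OutboundDNS"   filteraction="Permit"

# Slide 35 leaves Terminal Services as a question mark: if the box is managed over RDP,
# add an inbound TCP 3389 rule before assigning, otherwise the policy locks you out.
netsh ipsec static set policy name="$policy" assign=yes
netsh ipsec static show policy name="$policy" level=verbose
```

The same outbound block that slide 39 warns about applies here: a scanner run from a host with this policy assigned will see nothing, so scan from a machine the policy is not assigned to.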
  40. File Permissions
  41. Permissions: Assigning correct NTFS permissions
     - CGI files: .EXE, .DLL, .CMD, .PL
       - Administrators: Full Control
       - System: Full Control
       - IUSR_SERVER: Read & Execute, Read
     - Script files: .ASPX, .ASP, .PHP
       - Administrators: Full Control
       - System: Full Control
       - IUSR_SERVER: Read & Execute, Read
     - Include files: .INC, .SHTML, .SHTM
       - Administrators: Full Control
       - System: Full Control
       - IUSR_SERVER: Read & Execute, Read
  42. Permissions: Assigning correct NTFS permissions
     - Static files: .HTML, .HTM, .TXT, .GIF, .JPG
       - Administrators: Full Control
       - System: Full Control
       - IUSR_SERVER: Read
     - Data files: .MDB
       - Administrators: Full Control
       - System: Full Control
       - IUSR_SERVER: Read, Write, Read & Execute, Modify
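Once the matrix on slides 41-42 is applied, the useful follow-up is an audit that finds files where the anonymous web account holds more than the matrix allows (a writable .asp, for instance). This is an added example, not code from the deck; the web root D:\WebApps and the account WEBSRV01\IUSR_WEBSRV01 are placeholders for your own server name.

```powershell
# Added example (not from the slides): audit a web root against the NTFS matrix on
# slides 41-42 for the anonymous web account. Path and account are placeholders
# (IUSR_SERVER becomes IUSR_WEBSRV01 on a server named WEBSRV01).
$webRoot = 'D:\WebApps'              # slide 15: second partition holds the web applications
$iusr    = 'WEBSRV01\IUSR_WEBSRV01'

# Most the anonymous account may hold per extension; Read & Execute includes Read.
$maxRights = @{
    '.exe'='ReadAndExecute'; '.dll'='ReadAndExecute'; '.cmd'='ReadAndExecute'; '.pl'='ReadAndExecute'
    '.aspx'='ReadAndExecute'; '.asp'='ReadAndExecute'; '.php'='ReadAndExecute'
    '.inc'='ReadAndExecute'; '.shtml'='ReadAndExecute'; '.shtm'='ReadAndExecute'
    '.html'='Read'; '.htm'='Read'; '.txt'='Read'; '.gif'='Read'; '.jpg'='Read'
    '.mdb'='Modify'
}

function Test-WebRootAcl {
    param([string]$Path, [string]$Account, [hashtable]$Matrix)
    Get-ChildItem -Path $Path -Recurse | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $ext = $_.Extension.ToLower()
        if (-not $Matrix.ContainsKey($ext)) { return }   # extension not covered by the matrix
        $limit = [int][System.Security.AccessControl.FileSystemRights]($Matrix[$ext])
        # OR together every Allow ACE (explicit or inherited) held directly by the account.
        # Rights reaching it through groups such as Users or Everyone are not counted here.
        $have = 0
        foreach ($ace in (Get-Acl -Path $_.FullName).Access) {
            if ($ace.IdentityReference.Value -eq $Account -and $ace.AccessControlType -eq 'Allow') {
                $have = $have -bor [int]$ace.FileSystemRights
            }
        }
        # Any right bit present on the file but absent from the matrix entry is excess.
        $excess = $have -band (-bnot $limit)
        if ($excess -ne 0) {
            New-Object PSObject -Property @{
                File    = $_.FullName
                Allowed = $Matrix[$ext]
                Excess  = [System.Security.AccessControl.FileSystemRights]$excess
            }
        }
    }
}

Test-WebRootAcl -Path $webRoot -Account $iusr -Matrix $maxRights | Format-Table -AutoSize
```

An empty result means every covered file is within the matrix; each row names the file and the rights that exceed it.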
  43. Hardening IIS
  44. Hardening IIS
     - Web server extensions
     - Application Debugging
     - Custom Errors
     - HTTP Verbs
     - URLScan
     - Logging
  45. Web server extensions: Predefined Web Service Extensions
     - Everything is turned off by default
     - A default IIS 6.0 installation will only serve sites with static pages (.HTML, .HTM).
  46. Web server extensions: Predefined Web Service Extensions (cont.)
     - Active Server Pages
     - ASP.NET version 1.1.4322
     - FrontPage Server Extensions 2002
     - Internet Data Connector
     - Server-Side Includes
     - WebDAV
  47. Application Debugging: Stop IIS from sending error messages to clients
     - Stop applications from sending debugging details to clients:
       - Right-click on your web site in the IIS manager
       - Home Directory → Configuration
       - App Debugging
       - Check "Send text error to client" and leave the box blank
  48. Custom Errors: Redirect to a custom error page when errors occur
     - Send custom error pages to clients for HTTP 500s and 404s:
       - Right-click on your web site in the IIS manager
       - Custom Errors → double-click on 500
       - Message Type: URL
       - URL: /<LOCATION OF CUSTOM PAGE>
       - Make certain that error 500 messages don't get sent to the browser!
  49. HTTP Verbs: Limit access to HTTP verbs
     - Remove all unneeded HTTP verbs from each application:
       - Generally required: GET, HEAD, POST
  50. URLScan: URL filtering
     - What is URLScan?
     - What can it do?
       - Enable/disable HTTP verbs
       - Disable HTTP headers
       - Enable/disable specific file extensions
       - Disable character sequences
       - Remove/alter the server header
       - Restrict header lengths
     - Questions concerning URLScan?
  51. URLScan: URL filtering
     - How does it work: configuration file
     - Installation
     - Fine tuning
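Slide 51 says URLScan is driven by its configuration file; the fragment below, added here and not taken from the deck, maps each capability listed on slide 50 to the section or key in UrlScan 2.5's urlscan.ini that provides it, using slide 49's verb list. The log path and the extension list are illustrative placeholders for your own site.

```ini
; Added example, not from the slides: urlscan.ini fragment covering slide 50's list.
[options]
; Enable/disable HTTP verbs: only the verbs under [AllowVerbs] pass (slide 49).
UseAllowVerbs=1
; Enable/disable specific file extensions: only [AllowExtensions] pass.
UseAllowExtensions=1
; Decode the URL first, then reject anything that normalizes differently twice.
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=0
; Reject URLs containing more than one dot, so a dangerous extension cannot hide
; behind a safe one placed in the path information.
AllowDotInPath=0
; Remove/alter the server header: drop it, or set AlternateServerName= instead.
RemoveServerHeader=1
; Logging feeds the "fine tuning" step on slide 51: rejected requests are recorded
; here, so legitimate traffic that the rules catch can be found and allowed.
EnableLogging=1
PerDayLogging=1
LoggingDirectory=D:\Logs\UrlScan
; Requests that fail a check are routed to this internal URL (UrlScan's default).
RejectResponseUrl=/<Rejected-By-UrlScan>

[AllowVerbs]
GET
HEAD
POST

[AllowExtensions]
.asp
.aspx
.htm
.html
.txt
.gif
.jpg

; Disable HTTP headers: requests carrying any of these are rejected.
[DenyHeaders]
Translate:
If:
Lock-Token:
Transfer-Encoding:

; Disable character sequences.
[DenyUrlSequences]
..
./
\
:
%
&

; Restrict header lengths: overall limits plus Max-<HeaderName> for a single header.
[RequestLimits]
MaxAllowedContentLength=30000000
MaxUrl=260
MaxQueryString=2048
Max-Host=200
```

Keep the log directory off the system partition and outside the web root, with the same permission split as slide 52's log folders.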
  52. Logging: Configuring logging
     - Create separate logs for each site
     - Log folder permissions
       - Administrators: Full Control
       - System: Full Control
       - IUSR_SERVER: Read, Write, Modify, List Folder Contents, Read & Execute
  53. Additional Hardening
  54. Additional Hardening
     - Uninstallable components
     - Special binaries
  55. Uninstallable components
     - Load "%systemroot%\inf\sysoc.inf" into Notepad
     - Replace "hide" with "" (an empty string)
     - Run Add/Remove Programs
     - Remove any unwanted/unneeded components (be careful!)
  56. Special binaries
     - Several executables on a standard Windows 2000 installation could become rather useful to an attacker
     - Special access rights need to be set on all of these executables
  57. Special binaries (cont.)
     - Uncheck "Allow inheritable permissions from parent to propagate to this object".
     - Remove all users from the name list, including SYSTEM.
     - Assign "Full Control" to a user that is to be used to access these files: an administrator.
  58. Special binaries (cont.)
     - rsh.exe, secfixup.exe, telnet.exe, tftp.exe, ipconfig.exe, nbtstat.exe, netstat.exe, ping.exe, qbasic.exe, rdisk.exe, regedt32.exe, net.exe, nslookup.exe, posix.exe, rcp.exe, regedit.exe, rexec.exe, tracert.exe, os2.exe, os2ss.exe, arp.exe, at.exe, atsvc.exe, cacls.exe, cmd.exe, debug.exe, edlin.exe, finger.exe, ftp.exe, xcopy.exe, os2srv.exe, cscript.exe, wscript.exe, iisreset.exe, route.exe, runonce.exe, syskey.exe
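The three steps on slide 57 are a manual ACL edit per file; over the list on slide 58 that is error-prone, so here they are scripted. This is an added example, not from the deck; WEBSRV01\SrvOpsAdmin is a placeholder for the one administrative account that keeps access, and the binary list is a subset of slide 58 to extend as needed.

```powershell
# Added example (not from the slides): apply slide 57's ACL to binaries from slide 58.
# Break inheritance, drop every existing ACE (SYSTEM included, as the slide directs)
# and grant Full Control to one administrative account. The account is a placeholder.
$admin    = 'WEBSRV01\SrvOpsAdmin'
$system32 = Join-Path $env:SystemRoot 'system32'
$binaries = 'tftp.exe', 'telnet.exe', 'ftp.exe', 'rcp.exe', 'rexec.exe', 'at.exe'   # subset of slide 58

$fullControl = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $admin, 'FullControl', 'Allow'

foreach ($name in $binaries) {
    $path = Join-Path $system32 $name
    if (-not (Test-Path $path)) { Write-Warning "$name not present, skipping"; continue }
    $acl = Get-Acl -Path $path
    # Step 1: uncheck "Allow inheritable permissions from parent to propagate".
    # $true protects the DACL, $false discards the inherited entries instead of copying them.
    $acl.SetAccessRuleProtection($true, $false)
    # Step 2: remove every remaining explicit entry from the name list.
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    # Step 3: the single administrative account gets Full Control.
    $acl.AddAccessRule($fullControl)
    Set-Acl -Path $path -AclObject $acl
    Write-Output ("{0}: {1}" -f $name, (Get-Acl -Path $path).AccessToString)
}
# Slide 11 applies doubly here: binaries such as cmd.exe, cscript.exe or at.exe are also
# called by services and scheduled tasks running as SYSTEM, so re-test everything afterwards.
```

Record the before-and-after AccessToString output for each file; it is the audit trail that shows which executables were locked down and by whom.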
  59. What have we learned today?
     - Physical Security
     - OS Installation
     - Account Policies
     - Local Policies
     - Services
     - User Accounts
     - IP Policies
     - Permissions
     - Hardening IIS
     - Additional Hardening
  60. ?