Securing Windows 2003 Server

This document provides guidance on securing a Microsoft Windows 2003 Server. It discusses pre-installation steps like disconnecting the server from the network. During installation, it recommends limiting partitions, setting secure passwords, and only installing required services. Post-installation configuration includes network, logging, firewall, and patch configuration. It also discusses day-to-day administration like checking logs and ports weekly. The document provides additional resources for security best practices and guidance.

Uploaded by

Naveen
Copyright
© Attribution Non-Commercial (BY-NC)

Securing Microsoft Windows 2003 Server

Matthew Cook
http://escarpment.net/

Agenda
• Background
• Why Bother?
• Pre-Installation
• Vendor Specifics
• Installation of Windows Server 2003
• Post-Installation Configuration
• Firewall Software
• Patching the System
• Day to Day Administration
• Further Advice and Guidance

Background
• The Security Service is running a number
of similar courses in conjunction with
Professional Development.
• Details are available at:
http://www.lboro.ac.uk/computing/security/
• By increasing the security of networked
machines on campus, we hope to reduce
the number of compromised machines and
IT Support Staff workload.

Why bother?
• Keeping control and service availability
• Spreading infection
• Data Integrity (DPA)
• Legal Liability
• Reactive Work Loads
• Bad Public Relations
• Personal Responsibility

Pre-Installation
• Disconnect the machine from the network.
– Essential with some vendor installs.
• Ensure you have the appropriate network
details at hand.
• Ensure you have the latest Microsoft
patches on removable media.
• Don’t forget physical security.

Pre-Installation
• Consider partitioning structure
– System
– User Storage
– Services
– Logs
• Consider which features to install
– Do you really need IIS on each server?
– More things to patch, to secure, to configure and to slow the server down

Vendor Specifics
• Always re-install!

• When using a vendor specific install CD, make sure you are aware of any security issues.
• DELL’s Open Manage Server assistant
has security issues with the SNMP server
and the Open Manage package.

Installation of Windows Server 2003


• Limit the system partition to 10-20Gb
• Ensure you set a secure password
• Ensure you only select the services you
require.

Post-Installation Configuration
• Network Configuration
– Add all DNS Servers
– Add both WINS Servers
– Remove LMHosts Lookup
– Remove ‘Register this connection’s address in the DNS’
– Enable NetBIOS over IP
– Remove any unnecessary network clients and services

Post-Installation Configuration…
• Disable Null Authentication
– HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous - REG_DWORD=2
– HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\RestrictAnonymous - REG_DWORD=1
• There has been an addition in Windows Server 2003: RestrictAnonymousSAM!

Post-Installation Configuration…
• Configure Logging
– Create a separate partition to ‘sandbox’ the
logs. L: is a good idea, between 1-10Gb.
– Eventlog locations set at: HKLM\System\CurrentControlSet\Services\EventLog\Application, Security and System
– Change the file key to point at L:\eventlogs\*
– Move IIS, Exchange logs et al to the new
locations

Post-Installation Configuration…
• Windows Patches and Service Packs
– Install in a secure fashion
– From removable media
– From slipstreamed media
– Via a SOHO firewall
– NOT via an unprotected network connection

Post-Installation Configuration…
• Install McAfee Virus Scan Enterprise
– Running Anti-Virus software is essential
– Requires Auto-Update twice for the Engine and DAT file initially
– Ensure the software is configured for auto-update
• Available from:
\\adadmin2\software\mcafee\vse7svrs\

Post-Installation Configuration…
• Automatic Updates
– My Computer > Select Properties > Select
Automatic Updates tab.
– We do NOT recommend either Automatic or turning Automatic Updates off.
– Either: ‘Download updates for me, but let me choose when to install them.’
– Or: ‘Notify me but don’t automatically download or install them.’

Post-Installation Configuration…
• Terminal Services
– My Computer > Select Properties > Remote
tab.
– Select ‘Allow users to connect remotely to this
computer’
– Ensure only the users you want to connect
are configured.

Post-Installation Configuration…
• Microsoft Baseline Security Analyzer
• Freely available from Microsoft
• Provides advice on
– Security best practices
– Strong passwords
– Security mis-configurations
– Application configurations

Post-Installation Configuration…
• NTFS ACL defaults are more secure than
in Windows 2000 Server
• The Everyone group has only read &
execute on the root of each drive.
• The permissions are not inherited.
• The Everyone group has no permissions
to a new folder or file.
• The Everyone group has only read
permissions on a new share

Post-Installation Configuration…
• Configure the NTFS ACLs for the machine
to provide more security.
• Note: Anonymous users are no longer part
of the Everyone group!

Post-Installation Configuration…
• Security Templates
– Legacy Client
– Enterprise Client
– High Security

• Not straightforward; very easy to cripple a machine.
• Further advice in the security guides.

Post-Installation Configuration…
• Create and document a machine baseline
– Use Performance Monitor
– Save the output of a ‘Netstat -A’
– Save the output of a ‘fport /p’
– Save the output of a ‘net user’

Firewall Software
• Why bother?
– Computing Services already runs one
– Open ports are needed for service
– False sense of security
– Too many false positives
– Machine should be secure
• There are exceptions
– Insecure services for limited machines
– Provide protection for services only needed
locally

Patching the System
• Essential!
• Operating Systems do contain bugs, and
patches are a common method of
distributing these fixes.
• A patch or hot fix usually contains a fix for
one discovered bug.
• Service Packs contain multiple patches or
hotfixes. There are well over 200 hotfixes
in most Service Packs.

Patching the System


• Only install patches after you have tested
them in a development environment.
• Only install patches obtained direct from
the vendor.
• Install security patches as soon as possible after release.
• Install feature patches as and when
needed.
• Subscribe to the security lists.

Day to Day Administration


• Well not every day, but at least weekly!

• Check logs
– Get them emailed to you
– Investigate rogue activity
• Compare against the baseline saved
• Check listening ports
• Check for required patches
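
The weekly "compare against the baseline" step, using the ‘Netstat -A’ and ‘net user’ captures saved when the baseline was created, could look like the following Python sketch. It is an added example, not part of the original slides; the captures, the host name SERVER1, the account "svc backup", port 8081 and the 25-character column width of ‘net user’ are constructed or assumed.

```python
def listeners(netstat_text):
    """Return {(proto, port)} for listening TCP and bound UDP sockets."""
    found = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        if parts[0] == "TCP" and "LISTENING" not in parts:
            continue  # established or closing session, not a service
        found.add((parts[0], parts[1].rsplit(":", 1)[-1]))  # port only
    return found

def accounts(net_user_text):
    """Return account names; assumes 'net user' prints 25-character columns."""
    names, in_table = set(), False
    for line in net_user_text.splitlines():
        if line.startswith("---"):
            in_table = True
        elif line.startswith("The command completed"):
            break
        elif in_table:  # slice by column so names containing spaces survive
            cells = (line[i:i + 25].strip() for i in range(0, len(line), 25))
            names.update(c for c in cells if c)
    return names

def drift(baseline, current):
    """Return (added, removed) between two sets, sorted for stable reports."""
    return sorted(current - baseline), sorted(baseline - current)

def fake_net_user(*names):
    """Build constructed 'net user' output (hypothetical host SERVER1)."""
    return ("User accounts for \\\\SERVER1\n\n" + "-" * 79 + "\n"
            + "".join(n.ljust(25) for n in names) + "\nThe command completed successfully.\n")

# Constructed sample captures, not taken from a real server.
BASE_USERS = fake_net_user("Administrator", "Guest")
WEEK_USERS = fake_net_user("Administrator", "Guest", "svc backup")
BASE_NET = """  Proto  Local Address          Foreign Address        State
  TCP    server1:epmap          server1:0              LISTENING
  TCP    server1:3389           server1:0              LISTENING
  UDP    server1:ntp            *:*
"""
WEEK_NET = BASE_NET + """  TCP    server1:3389           10.0.0.5:1042          ESTABLISHED
  TCP    server1:8081           server1:0              LISTENING
"""
if __name__ == "__main__":
    print("ports added/removed:", drift(listeners(BASE_NET), listeners(WEEK_NET)))
    print("users added/removed:", drift(accounts(BASE_USERS), accounts(WEEK_USERS)))
```

Anything reported as added that has no matching change record is what the "investigate rogue activity" bullet refers to; the same diff can be applied to saved ‘fport /p’ output to tie a new port to its owning process.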

Further Advice and Guidance
• http://www.lboro.ac.uk/computing/security/
• http://www.microsoft.com/security/
• http://www.windowsecurity.com/

• Mailing lists:
[email protected]
[email protected]

Further Advice and Guidance


• Introduction to I.T. Security
• Securing Microsoft Windows 2000 Server
• Securing Microsoft Windows 2003 Server
• Securing Microsoft Internet Information
Server (I.I.S.) 5 and 6
• Securing Fedora Linux
• Securing RedHat Enterprise Server
• Securing The Apache Web Server

Questions and Answers

http://escarpment.net/
