Securing Your Servers - PowerPoint PPT Presentation

Transcript and Presenter's Notes


1
Securing Your Servers
  • Paula Kiernan
  • Senior Consultant
  • Ward Solutions

2
Session Overview
  • Defense in Depth
  • Malware Defense for Servers
  • Malware Outbreak Control and Recovery
  • Hardening Servers

3
Defense-in-Depth
  • Using a layered approach
  • Increases an attacker's risk of detection
  • Reduces an attacker's chance of success

4
Server Security Best Practices
  • Apply the latest Service Pack and all available
    security patches
  • Keep anti-virus software up-to-date
  • Restrict physical and network access to servers
  • Use Group Policy to harden servers

5
Protecting Servers: What Are the Challenges?
Challenges to protecting servers include
  • Maintaining reliability and performance
  • Maintaining security updates
  • Maintaining antivirus updates
  • Applying specialized defense solutions based upon
    server role
  • Securing servers with multiple roles

6
Session Overview
  • Defense in Depth
  • Malware Defense for Servers
  • Malware Outbreak Control and Recovery
  • Hardening Servers

7
What Is Server-Based Malware Defense?
Basic steps to defend servers against malware
include
  • Reduce the attack surface
  • Apply security updates
  • Enable a host-based firewall
  • Analyze using configuration scanners
  • Analyze port information

8
Implementing Server-Based Host Protection Software
Considerations when implementing server-based
antivirus software include
  • CPU utilization during scanning
  • Application reliability
  • Management overhead
  • Application interoperability

9
Implementing Security Patch Management
Use the appropriate patch management tools for
your environment
  • Windows Update
  • Office Update
  • WSUS / SUS
  • SMS
  • MBSA

10
Protecting Servers: Best Practices
  • Consider each server role implemented in your
    organization to implement specific host
    protection solutions
  • Stage all updates through a test environment
    before releasing into production
  • Deploy regular security and antivirus updates as
    required
  • Implement a self-managed host protection solution
    to decrease management costs

11
Session Overview
  • Defense in Depth
  • Malware Defense for Servers
  • Malware Outbreak Control and Recovery
  • Hardening Servers

12
How to Confirm the Malware Outbreak
The process for infection confirmation includes
  • Reporting unusual activity
  • Gathering the basic information
  • Evaluating the data
  • Gathering the details
  • Responding to unusual activity
  • False alarm?
  • Hoax?
  • Known infection?
  • New infection?

13
How to Respond to a Malware Outbreak
Outbreak control mechanism tasks include
  • Disconnect the compromised systems from the
    network
  • Isolate the network(s) containing the infected
    hosts
  • Disconnect the network from all external networks
  • Research outbreak control and cleanup techniques

Examples of recovery goals include
  • Minimal disruption to the organization's business
  • Fastest possible recovery time
  • The capture of information to support prosecution
  • The capture of information to allow for
    additional security measures to be developed
  • Prevention of further attacks of this type

14
How to Analyze the Malware Outbreak
The following analysis tasks help you to
understand the nature of the outbreak
  • Checking for active processes and services
  • Checking the startup folders
  • Checking for scheduled applications
  • Analyzing the local registry
  • Checking for corrupted files
  • Checking users and groups
  • Checking for shared folders
  • Checking for open network ports
  • Checking and exporting system event logs
  • Running MSCONFIG
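
An added example, not part of the presentation, that collects the evidence for most of the analysis tasks on this slide in one read-only pass. It assumes a current Windows Server member server with PowerShell 5.1 and an elevated session; the output folder is a hypothetical choice, and file-integrity checking and MSCONFIG are not covered.

```powershell
# Read-only triage snapshot for the analysis tasks listed on the slide.
# Assumptions: member server, PowerShell 5.1, elevated session.
$out = Join-Path $env:SystemDrive "IR\$env:COMPUTERNAME-$(Get-Date -Format yyyyMMdd-HHmmss)"  # hypothetical output folder
New-Item -ItemType Directory -Path $out -Force | Out-Null

# Active processes and services, with the binary paths a reviewer needs
Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine |
    Export-Csv "$out\processes.csv" -NoTypeInformation
Get-CimInstance Win32_Service |
    Select-Object Name, State, StartMode, StartName, PathName |
    Export-Csv "$out\services.csv" -NoTypeInformation

# Startup folders (all users and per user)
$startup = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
           "$env:SystemDrive\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
Get-ChildItem -Path $startup -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc |
    Export-Csv "$out\startup-folders.csv" -NoTypeInformation

# Scheduled applications, flattened to one command line per task
Get-ScheduledTask | Select-Object TaskPath, TaskName, State,
    @{n='Action'; e={ ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' }} |
    Export-Csv "$out\scheduled-tasks.csv" -NoTypeInformation

# Local registry: the Run/RunOnce autostart keys
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path $runKeys -ErrorAction SilentlyContinue | Out-File "$out\run-keys.txt"

# Users and groups (the group name is locale dependent)
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet |
    Export-Csv "$out\local-users.csv" -NoTypeInformation
Get-LocalGroupMember -Group 'Administrators' | Export-Csv "$out\local-admins.csv" -NoTypeInformation

# Shared folders and open (listening) network ports
Get-SmbShare | Select-Object Name, Path, Description | Export-Csv "$out\shares.csv" -NoTypeInformation
Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Export-Csv "$out\listening-ports.csv" -NoTypeInformation

# Export system event logs for offline review
foreach ($log in 'System', 'Security', 'Application') {
    wevtutil epl $log "$out\$log.evtx"
}
```

The OwningProcess column in listening-ports.csv joins to ProcessId in processes.csv, which ties each open port to a binary path.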

15
How to Recover from a Malware Outbreak
Use the following process to recover from a virus
outbreak
  1. Restore missing or corrupt data
  2. Remove or clean infected files
  3. Confirm that your computer systems are free of
     malware
  4. Reconnect your computer systems to the network

16
How to Perform a Postrecovery Analysis
Postrecovery analysis steps include the following
  • Postattack review meeting
  • Postattack updates

17
Session Overview
  • Defense in Depth
  • Malware Defense for Servers
  • Malware Outbreak Control and Recovery
  • Hardening Servers

18
Hardening Servers
  • Core Server Hardening Tasks
  • Active Directory Security
  • Hardening Servers with Specific Roles
  • Hardening Application Servers

19
Core Server Hardening Tasks
  • Apply the latest Service Pack and all available
    security patches
  • Keep anti-virus software up-to-date
  • Restrict physical and network access to servers
  • Use Group Policy to harden servers
    - Disable services that are not required
    - Implement secure password policies
    - Disable LAN Manager and NTLMv1 authentication

20
Additional Recommendations for Securing Servers
  • Rename the built-in Administrator and Guest
    accounts
  • Restrict access for built-in and non-operating
    system service accounts
  • Do not configure a service to log on using a
    domain account
  • Use NTFS to secure files and folders
  • Educate IT staff on secure password practices

21
Active Directory Security
  • Identify the Active Directory security boundary
    - Forest
    - Site
    - Domain
    - Organizational Unit
  • Base the Active Directory design on Group Policy
    and delegation requirements

22
Using Group Policy
  • Strengthen the settings in the Default Domain
    Policy
  • Ensure that password and account policies meet
    your organization's security requirements
  • Review audit settings on important Active
    Directory objects

23
Security Templates
  • Security Templates can be used to harden servers
  • Security Templates are implemented using
    - Security Configuration and Analysis Tool
    - secedit
    - Group Policy
  • Windows Server 2003 Security Guide supplies
    default templates
    - http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx

24
Security Template Best Practices
  • Review and modify security templates before using
    them
  • Use security configuration and analysis tools to
    review template settings before applying them
  • Test templates thoroughly before deploying them
  • Store security templates in a secure location

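
An added example, not part of the presentation, of reviewing a template against a server's current policy before applying it, using secedit's export mode and a plain comparison of the two .inf files. The template path is hypothetical. Registry-backed options such as LmCompatibilityLevel, which controls LAN Manager and NTLMv1 use, appear under the [Registry Values] section.

```powershell
# Compare a security template with the server's current policy. Nothing is applied.
$template = 'C:\Templates\MemberServerBaseline.inf'   # hypothetical template path
$current  = Join-Path $env:TEMP 'current-policy.inf'

function Read-SecurityInf {
    param([string]$Path)
    # Returns a hashtable keyed "Section\Setting" for every "name = value" line.
    $settings = @{}
    $section = ''
    foreach ($line in Get-Content -Path $Path) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        $name, $value = $line -split '=', 2
        if ($null -ne $value) { $settings["$section\$($name.Trim())"] = $value.Trim().Trim('"') }
    }
    return $settings
}

# Export the current local security policy (requires an elevated session).
secedit /export /cfg $current /areas SECURITYPOLICY /quiet | Out-Null

$want = Read-SecurityInf -Path $template
$have = Read-SecurityInf -Path $current

# Review the sections that hold password, audit and registry-backed options.
$sections = 'System Access', 'Event Audit', 'Registry Values'
$report = foreach ($key in ($want.Keys | Sort-Object)) {
    if (($key -split '\\', 2)[0] -notin $sections) { continue }
    [pscustomobject]@{
        Setting  = $key
        Template = $want[$key]
        Current  = if ($have.ContainsKey($key)) { $have[$key] } else { '<not set>' }
    }
}

# Show only the settings the template would change.
$report | Where-Object { $_.Template -ne $_.Current } | Format-Table -AutoSize -Wrap
```
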
25
Demonstration: Using Security Templates
  • Implementing Security Templates

26
Hardening Servers with Specific Roles
Apply Member Server Baseline Policy
Securing Active Directory
Hardening Procedures
RADIUS (IAS) Servers
  • Apply baseline security settings to all member
    servers
  • Apply additional settings for specific server
    roles
  • Use GPResult to ensure that settings are applied
    correctly

27
Best Practices for Hardening Servers for Specific Roles
  • Secure well-known user accounts
  • Enable only services required by role
  • Enable service logging to capture relevant
    information
  • Use IPSec filtering to block specific ports based
    on server role
  • Modify templates as needed for servers with
    multiple roles

28
Hardening Application Servers
Application servers that typically have
specialized protection requirements include
29
Application Server Best Practices
  • Configure security on the base operating system
  • Apply operating system and application service
    packs and patches
  • Install or enable only those services that are
    required
  • Assign only those permissions needed to perform
    required tasks
  • Application accounts should be assigned minimal
    permissions
  • Apply defense-in-depth principles to increase
    protection

30
Securing IIS Servers
  • Apply the security settings in the IIS Server
    Security Template
  • Install the IIS Lockdown and configure URLScan on
    all IIS 5.0 installations
  • Enable only essential IIS components
  • Configure NTFS permissions for all folders that
    contain Web content
  • Install IIS and store Web content on a dedicated
    disk volume
  • If possible, do not enable both the Execute and
    Write permissions on the same Web site
  • On IIS 5.0 servers, run applications using Medium
    or High Application Protection
  • Use IPSec filters to allow only ports 80 and 443

31
Hardening the Messaging Environment
To harden your Exchange messaging environment,
deploy the following
32
Securing Exchange Servers
  • Limit Exchange Server functionality to clients
    that are strictly required
  • Remain current with the latest updates for both
    Exchange Server 2003 and the operating system
  • Use ISA Server 2004 to regulate access for HTTP,
    RPC over HTTPS, POP3, and IMAP4 traffic
  • Use SSL/TLS and forms-based authentication for
    Outlook Web Access

33
Validating Exchange Server Configuration Settings
ExBPA can examine your Exchange servers to
  • Generate a list of issues, such as
    misconfigurations or unsupported or
    non-recommended options
  • Judge the general health of a system
  • Help troubleshoot specific problems

34
Demonstration: Analyzing Configuration Settings on Exchange Server 2003
  • Analyze Exchange Server using MBSA and the ExBPA
    Tool

35
Basic SQL Server Security Configuration
  • Apply service packs and patches
  • Use MBSA to detect missing SQL updates
  • Disable unused services
    - MSSQLSERVER (required)
    - SQLSERVERAGENT
    - MSSQLServerADHelper
    - Microsoft Search
    - Microsoft DTC

36
Database Server Security Considerations
37
Session Summary
  • Understanding malware will help you to implement
    an effective defense against malware attacks
  • Use a defense-in-depth approach to defend against
    malware
  • Harden operating systems and applications by
    applying security updates, installing and
    maintaining an antivirus software strategy, and
    restricting computers using Group Policy
  • Stage all updates through a test server before
    implementing into production, in order to
    minimize disruption
  • An efficient response and recovery plan will
    ensure that if a malware attack occurs, your
    organization can quickly recover with minimal
    disruption

38
Next Steps
  • Find additional security training events
    - http://www.microsoft.com/seminar/events/security.mspx
  • Sign up for security communications
    - http://www.microsoft.com/technet/security/signup/default.mspx
  • Order the Security Guidance Kit
    - http://www.microsoft.com/security/guidance/order/default.mspx
  • Get additional security tools and content
    - http://www.microsoft.com/security/guidance

39
Questions and Answers