Server hardening
Server hardening consists of creating a baseline for the security on your servers in your organization. The default configurations of a Windows Server 2003 computer are not designed with security as the primary focus. Rather, a default installed computer is designed for communication and functionality. To protect your servers, you must establish solid and sophisticated security policies for all types of servers in your organization.
In this section, we will discuss the basic security baseline for a member server that is running in a Windows Server 2003 Active Directory domain. We will also discuss the best-practice security configurations in the security templates, starting with the generic best practices that apply to most member servers in the organization. We will then move on to the specific types of member servers, as well as domain controllers. We will discuss which services, ports, applications, and so forth need to be hardened for different server roles, and compare this to the baseline security for simple member servers.
TABLE OF CONTENTS
Member servers
Domain controllers
File and print servers
Web servers
Member servers
You must establish a baseline of security for all member servers before creating additional security templates and policies to tailor security for specific types of servers. One of the most important aspects of applying hardening settings to member servers is developing the OU hierarchy that will support the security template and policies that you develop. You must also understand the various levels of security that are routinely used to develop and deploy security to all servers.
OU design considerations
The only way to efficiently and successfully deploy security to the different server roles in your enterprise is to design Active Directory to support those roles. The design should not only provide an efficient method to deploy security, but it should also organize the computer accounts into OUs for easier management and troubleshooting.
Although Active Directory design is extremely flexible, you must consider a number of factors when organizing servers into OUs based on server role. The first factor is Group Policy application. For example, if you have two server roles that each need different security policy settings, you should separate the computer accounts into different OUs. The second factor is administration of the computer accounts within Active Directory. Even though you have only two different server roles, you might have two different administrators controlling the same type of server role. This might force you to have OUs not only for server roles, but also for server roles based on the administrator in charge.
Figure 5-7 illustrates an OU structure that does not consider location or administrative needs but does consider server roles. Figure 5-8 illustrates an OU structure that has a different set of administrators for the Main Office and Branch Office, where each office also has the same types of server roles.
Figure 5-8: An OU structure that considers location and administrative needs as well as server roles
TIP OUs are also commonly organized by physical location -- for example, the Main Office and Branch Office model. For more information on organizing OUs based on GPO deployment, see Chapter 4.
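To make the OU design concrete, here is an added example (not the book's or Microsoft's code) that builds a Figure 5-8 style layout with the ActiveDirectory and GroupPolicy PowerShell modules: one OU per office, a role OU for each server type beneath it, and a baseline GPO linked at the Member Servers OU that the role GPOs only extend. The domain is read from the current context; the office names, role names and GPO names are assumptions.

```powershell
# Added example (not from the book): build the Figure 5-8 layout, one OU per office
# with a role OU for each server type beneath it, and link GPOs so that each role
# GPO only adds to the member-server baseline inherited from the parent OU.
# Needs the RSAT ActiveDirectory and GroupPolicy modules; office, role and GPO
# names below are assumptions, the domain is taken from the current context.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$offices  = 'Main Office', 'Branch Office'
$roles    = 'File and Print Servers', 'Web Servers'

function New-OuIfMissing {
    param([string]$Name, [string]$Path)
    # -LDAPFilter rather than -Identity: a missing OU then returns nothing instead of throwing
    $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" -SearchBase $Path -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $Name -Path $Path -ProtectedFromAccidentalDeletion $true | Out-Null
    }
    return "OU=$Name,$Path"
}

function Add-GpoLink {
    param([string]$GpoName, [string]$TargetDN)
    if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $GpoName | Out-Null    # created empty; import the security template into it afterwards
    }
    # A link that already exists makes New-GPLink report an error; that case is harmless here
    New-GPLink -Name $GpoName -Target $TargetDN -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
}

# The top-level Member Servers OU carries the member-server baseline; every OU below inherits it
$memberServers = New-OuIfMissing -Name 'Member Servers' -Path $domainDN
Add-GpoLink -GpoName 'Member Server Baseline' -TargetDN $memberServers

foreach ($office in $offices) {
    # An OU per office lets each office's administrators be delegated separately
    $officeOU = New-OuIfMissing -Name $office -Path $memberServers
    foreach ($role in $roles) {
        # The same role GPO is linked under both offices: identical role settings,
        # different administrators, as the text describes
        $roleOU = New-OuIfMissing -Name $role -Path $officeOU
        Add-GpoLink -GpoName "$role Settings" -TargetDN $roleOU
    }
}

# Domain controllers stay in the built-in Domain Controllers OU and get their own incremental GPO
Add-GpoLink -GpoName 'Domain Controller Settings' -TargetDN "OU=Domain Controllers,$domainDN"
```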
Member server security environment levels
Member server security environments are based on the operating systems of the clients and servers in your enterprise. Legacy clients and servers can't take advantage of the robust features and functions that Active Directory provides, such as Group Policy, Kerberos, and other security features. As the operating systems of domain members rise to levels that support all Active Directory functions and features, it becomes possible to raise the overall security for the enterprise and thus create a solid security environment.
There are three different security environment levels typically found in an enterprise environment:
Legacy Client When you have a mixed operating system environment of new and older versions, you must provide adequate security that will not constrain the operation of legacy clients. This is the lowest security level, but it needs to be that way for communication to occur and legacy applications to work properly. This business environment might include legacy clients such as Windows 95, Windows 98, or Windows NT 4.0 Workstation. You should limit this environment to having only Windows 2000 Server and Windows Server 2003 domain controllers. You should not support Windows NT 4.0 Server domain controllers, although you can have Windows NT Server computers configured as member servers.
Enterprise Client This security level removes the legacy operating systems and uses only those that support the features and functions that Active Directory offers. This includes clients running Windows 2000 Professional and Windows XP Professional. These clients all support Group Policy, Kerberos authentication, and new security features that the legacy clients don't support. The domain controllers must be Windows 2000 Server or later. There will not be any Windows NT Server computers, even as member servers.
High Security This security level is basically the same as for Enterprise Client -- it changes only the level of security that is implemented. This level enhances security standards so that all computers conform to stringent security policies for both clients and servers. This environment might be constrictive enough that loss of functionality and manageability occurs. However, this must be acceptable because the higher security levels are a good tradeoff for the functionality and manageability that you are losing.
"Windows Server 2003 Security Guide"
The three enterprise environments described earlier and the procedures outlined in this chapter for hardening different server roles in each environment are discussed more fully in the Windows Server 2003 Security Guide. The Security Guide also includes a set of additional security templates that can be imported into GPOs to harden different server roles in legacy client, enterprise client, and high security environments. It also includes additional procedures for hardening security settings that cannot be configured using Group Policy. Using these additional security templates can simplify the hardening of different server roles on your network, and you can further customize these security templates to meet the specific needs of your Active Directory environment.
Security settings for member servers
This section will cover some common security settings that apply to standard member servers in the domain. These settings are best created in a GPO that is then linked to the top-level server OU. In Figure 5-7 or 5-8, this would be the Member Servers OU.
Table 5-7 provides a full list of security settings for a member server.
NOTE Account Policies, which include Password Policy, Account Lockout Policy, and Kerberos Policy, are not specified in the member servers security baseline outlined here. This is because Account Policies must be defined at the domain level in Active Directory, while the member servers security baseline is defined in GPOs linked to OUs where member servers are found. For best practices concerning domain Account Policies, see "Account Policies" under "Sections of the Security Template" earlier in this chapter, and also refer to the Windows Server 2003 Security Guide described in the "Windows Server 2003 Security Guide" sidebar.
For a member server to function on the network with other computers, specific ports must be opened. Table 5-8 presents a list of those critical ports. As we investigate specific server roles, additional ports will need to be added to ensure the server functions properly.
Port | Description
… | Used by the browse master service. This must be open for WINS and browse master servers.
138 (NetBIOS datagram service) | Must be open to accept inbound datagrams from NetBIOS applications such as the Messenger service or the Computer Browser service.
139 (NetBIOS session service) | Must be closed unless you run applications or operating systems that need to support Windows networking (SMB) connections. If you run Windows NT 4.0, Windows Millennium Edition, Windows 98, or Windows 95, this port must be open on your servers.
445 (CIFS/SMB server) | Used by basic Windows networking, including file sharing, printer sharing, and remote administration.
3389 (Remote Desktop Protocol) | Must be open if you are using Terminal Services for application sharing, remote desktop, or remote assistance.
Domain controllers
Domain controllers are the heart of any environment that runs Active Directory. These computers must be stable, protected, and available to provide the key services for the directory service, user authentication, resource access, and more. If there is any loss or compromise of a domain controller in the environment, the result can be disastrous for clients, servers, and applications that rely on domain controllers for authentication, Group Policy, and the LDAP directory.
Not only should these domain controllers be hardened with security configurations, they must also be physically secured in locations that are accessible only to qualified administrative staff. If domain controllers are stored in unsecured locations due to limitations of the facility (such as in a branch office), you should apply additional security configurations to limit the potential damage from physical threats against the computer.
Along the same lines as the Member Server hardening guidelines, domain controllers also have different levels of security based on the environment in which they are deployed. These levels are the same as those defined in the "Member Servers" section in this chapter: Legacy Client, Enterprise Client, and High Security.
Security settings for domain controllers
Security settings that apply specifically to domain controllers are best created in a GPO that is then linked to the Domain Controllers OU. The settings for domain controllers should be based on those we reviewed in the earlier "Member Servers" section. Of course, a domain controller also has additional functions or features compared to a member server, and this requires additional open ports and security configuration. You must review the security settings list to ensure that you are not restricting a key feature for your domain controller.
Table 5-9 lists the settings that differ from those specified in Table 5-7. In other words, the baseline security settings for domain controllers as outlined below should be incrementally added to the baseline security settings for member servers described previously.
MORE INFO For more information on hardening domain controllers in different enterprise environments, see the Windows Server 2003 Security Guide.
Table 5-9 Security settings for domain controllers
Domain controllers are responsible for specific functions, as seen in the different settings listed in Table 5-9. Many of these different security template settings are due to required services to authenticate users and maintain consistency of the Active Directory database between other domain controllers. Table 5-10 lists additional ports that you must open for domain controllers.
Table 5-10 Ports for domain controllers
Port | Description
88 (Kerberos) | The Kerberos protocol is used by Windows 2000 and later operating systems to log on and retrieve tickets for accessing other servers.
123 (NTP) | This port provides time synchronization for network clients using the Network Time Protocol (NTP).
135 (RPC endpoint mapper/DCOM) | This port allows RPC clients to discover the ports that the RPC server is listening on.
389 (LDAP) | This port is the primary way that clients access Active Directory to obtain user information, e-mail addresses, services, and other directory service information.
464 (Kerberos Password Changes) | This port provides secure methods for users to change passwords using Kerberos.
636 (LDAP over SSL) | This port is needed if LDAP will use SSL to provide encryption and mutual authentication for LDAP traffic.
3268 (Global Catalog) | This port provides the means for clients to search Active Directory information that spans multiple domains.
3269 (Global Catalog over SSL) | This port is needed because the Global Catalog uses SSL to provide encryption and mutual authentication for Global Catalog traffic.
NOTE If your domain controller is running DNS, you will need to also open port 53.
File and print servers
File and print servers are responsible for resource storage and controlling access to these resources throughout the enterprise. These servers house the company's documents, trade secrets, financial data, and much more. If these computers are not protected, the entire company might be in jeopardy. These computers must be stable, protected, and available to provide users and applications access to resources stored on these computers.
Like the domain controllers, these servers must be physically protected. If someone were to get hold of a file server, they could potentially use other tools to gain access to the resources on the server. You should take action to protect against this.
Table 5-11 lists security settings for file and print servers that differ from the settings in the Member Servers section earlier in the chapter. In other words, the baseline security settings for file and print servers as outlined here should be incrementally added to the baseline security settings for member servers described previously. These settings are best created in a GPO that is then linked to the OU that contains the file servers.
MORE INFO For more information on hardening file and print servers in different enterprise environments, see the Windows Server 2003 Security Guide.
Table 5-11 Security settings for file and print servers
Security Setting | Legacy Client Configuration | Enterprise Client Configuration | High Security Configuration
Microsoft network server: Digitally sign communications (always) | Disabled (Print Servers only) | Disabled (Print Servers only) | Disabled (Print Servers only)
System Services
Distributed File System | Disabled | Disabled | Disabled
File Replication | Disabled | Disabled | Disabled
Print Spooler | Automatic (Print Servers only) | Automatic (Print Servers only) | Automatic (Print Servers only)
Web servers
Microsoft Internet Information Services (IIS) is the service that provides Web services on a Windows server. Web servers must be properly secured from malicious attackers, while still allowing legitimate clients to access intranet or public Web sites hosted on the server.
IIS is not installed by default on the Windows Server 2003 family of servers, and when you do install IIS, it installs in "locked" mode -- a highly secure mode that protects IIS against threats. Beyond the best-practice security settings presented in this section for IIS, be sure to protect your Web servers by monitoring security using some form of intrusion detection system, and by implementing proper incident response procedures.
Security settings for Web servers
Security settings for Web servers are best created in a GPO that is then linked to the OU that contains the Web servers. Table 5-12 lists only the settings that differ from those in Table 5-7. In other words, the baseline security settings for Web servers as outlined here should be incrementally added to the baseline security settings for member servers described previously.
MORE INFO For more information on hardening Web servers in different enterprise environments, see the Windows Server 2003 Security Guide.
Table 5-12 Security settings for Web servers
Security Setting | Legacy Client Configuration | Enterprise Client Configuration | High Security Configuration
User Rights
Deny access to this computer from the network | ANONYMOUS LOGON; Built-in Administrator; Support_388945a0; Guest; all NON-Operating System service accounts | ANONYMOUS LOGON; Built-in Administrator; Support_388945a0; Guest; all NON-Operating System service accounts | ANONYMOUS LOGON; Built-in Administrator; Support_388945a0; Guest; all NON-Operating System service accounts
System Services
HTTP SSL | Automatic | Automatic | Automatic
IIS Admin Service | Automatic | Automatic | Automatic
World Wide Web Publishing Service | Automatic | Automatic | Automatic
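The port and service tables in this chapter describe a role as the member-server baseline plus a role-specific increment. As an added example (not the book's or Microsoft's code), the following script turns Tables 5-8, 5-10, 5-11 and 5-12 (plus port 80 from Table 5-13) into a compliance check you can run on a server: it lists every listener outside the role's allowed set and every service whose startup type differs from the table. The service short names are assumptions mapped from the tables' display names, and the NetTCPIP cmdlets require Windows Server 2012 or later.

```powershell
# Added example (not from the book): audit the local server against the port and
# service baselines in Tables 5-8, 5-10, 5-11 and 5-12 (port 80 for Web servers
# from Table 5-13). Needs Windows Server 2012 or later for the NetTCPIP cmdlets.
# Service short names are assumptions mapped from the tables' display names.

# The tables do not separate TCP from UDP, so one allowed set covers both.
$memberServerPorts = 138, 139, 445, 3389                        # Table 5-8 (rows on this page)
$rolePorts = @{                                                 # added on top of the member-server set
    DomainController = 88, 123, 135, 389, 464, 636, 3268, 3269  # Table 5-10
    WebServer        = 80                                       # Table 5-13
    FileServer       = @()                                      # Table 5-11 lists no extra ports
    PrintServer      = @()
}
# Expected Win32_Service StartMode per role ('Auto' or 'Disabled'), from Tables 5-11 and 5-12
$roleServices = @{
    DomainController = @{}                                      # Table 5-9 is not on this page
    WebServer        = @{ HTTPFilter = 'Auto'; IISADMIN = 'Auto'; W3SVC = 'Auto' }
    FileServer       = @{ Dfs = 'Disabled'; NtFrs = 'Disabled' }
    PrintServer      = @{ Dfs = 'Disabled'; NtFrs = 'Disabled'; Spooler = 'Auto' }
}

function Test-RoleBaseline {
    param(
        [Parameter(Mandatory)][ValidateSet('DomainController','WebServer','FileServer','PrintServer')]
        [string]$Role,
        [switch]$RunsDns    # NOTE under Table 5-10: a DC hosting DNS also needs port 53
    )
    $allowed = @($memberServerPorts) + @($rolePorts[$Role])
    if ($RunsDns) { $allowed += 53 }

    # Every listener outside the role's allowed set is a finding to review. On a
    # real DC the RPC dynamic range shows up here; extend $allowed deliberately
    # rather than ignoring the output.
    $listening = @(Get-NetTCPConnection -State Listen | Select-Object -ExpandProperty LocalPort) +
                 @(Get-NetUDPEndpoint | Select-Object -ExpandProperty LocalPort)
    $findings = @(foreach ($port in ($listening | Sort-Object -Unique)) {
        if ($port -notin $allowed) {
            [pscustomobject]@{ Check = 'Port'; Item = $port; Expected = 'closed'; Actual = 'listening' }
        }
    })

    foreach ($svc in $roleServices[$Role].GetEnumerator()) {
        $actual = (Get-CimInstance Win32_Service -Filter "Name='$($svc.Key)'").StartMode
        if (-not $actual) { $actual = 'not installed' }   # e.g. HTTP SSL does not exist on newer releases
        if ($actual -ne $svc.Value) {
            $findings += [pscustomobject]@{ Check = 'Service'; Item = $svc.Key; Expected = $svc.Value; Actual = $actual }
        }
    }
    return $findings
}

Test-RoleBaseline -Role WebServer | Format-Table -AutoSize
```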
Ports required for Web servers
Web servers should have limited ports available, to reduce their exposure to attacks from the local network and the Internet. The fewer the ports that are open, the better. Table 5-13 is a list of additional ports that you will need to open for Web servers.
Table 5-13 Ports for Web servers
Port | Description
80 (HTTP) | The standard HTTP port for providing Web services to users. This can be easily changed and is not required. If you do change the port for HTTP, be sure to add that new port to this list and configure that