Hardening Small Business Server 2003
Published: July 2005
Dana Epp, Computer Security Software Architect, Scorpion Software Corp.
SBS Security HOWTO
Hardening Small Business Server 2003

- Understanding the SBS architecture from a security perspective
- Network security management
- Patch management
- Hardening the core OS
- Hardening the services
- Audit and logging
- Other considerations
Risks of SBS from an information security perspective

- To effectively secure something, you must mitigate the risks associated with it by removing the threats around it.
- Isolating critical business resources and services to their own machines, followed by strengthening their offerings with the rule of least privilege, will significantly reduce the attack surface of the object you are trying to secure.
- SBS ignores both of these points by having everything on a single machine.
Reducing the Attack Surface of SBS
Mitigating Risks on SBS

- Thorough network security management
  - Layered defenses
  - Least privilege packet control
- Extreme vigilance in patch management
  - NOT just the core OS
  - Consider tools like WSUS and HFNetChkPro
- Hardening of all critical components on the server
  - Use Microsoft Security Guidelines and Best Practices
  - Use the built-in SBS wizards when possible
MINIMUM SBS Network Ports to Allow Through Firewall

- 25 – SMTP (Exchange mail)
- 443 – HTTPS (secure IIS web)
- 444 – SharePoint (ONLY if you want Company web/SharePoint externally available)
- 4125 – Remote Web access (RDP via web)

Secondary SBS Network Ports to Allow Through Firewall

- 20/21 – FTP
- 80 – HTTP (unencrypted IIS web)
- 139 – SMB over NetBIOS (for file and print)
- 445 – License logging service
- 1723 – VPN
- 3389 – RDP (Terminal Services)
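An added example (not from the presentation) that turns the two port lists into a check you run from a host outside the perimeter against your own SBS server: it reports which minimum ports answer and flags any secondary port that is reachable so each one can be matched to a deliberate decision. `$SbsHost` is a placeholder for your server's public name.

```powershell
# Added example, not part of the presentation: run from OUTSIDE the perimeter to
# confirm the firewall exposes only the minimum SBS ports, and that any port from
# the secondary list that answers was opened on purpose.
# $SbsHost is a placeholder for the public name/IP of your own SBS server.
param([string]$SbsHost = 'sbs.example.invalid', [int]$TimeoutMs = 2000)

# Port lists as given on the slides (minimum set vs. secondary set)
$minimum   = @{ 25 = 'SMTP (Exchange mail)'; 443 = 'HTTPS (secure IIS web)'
                444 = 'SharePoint (company web)'; 4125 = 'Remote Web access (RDP via web)' }
$secondary = @{ 20 = 'FTP'; 21 = 'FTP'; 80 = 'HTTP (unencrypted IIS web)'
                139 = 'SMB over NetBIOS'; 445 = 'License logging service'
                1723 = 'VPN'; 3389 = 'RDP (Terminal Services)' }

function Test-TcpPort {
    param([string]$Computer, [int]$Port, [int]$Timeout)
    # TcpClient with a bounded wait, so a filtered (dropped) port does not hang the run
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($Timeout, $false)) { return $false }  # filtered / timed out
        $client.EndConnect($ar)      # throws if the connection was refused
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

$tiers = @(@{ Name = 'minimum'; Ports = $minimum }, @{ Name = 'secondary'; Ports = $secondary })
$results = foreach ($tier in $tiers) {
    foreach ($port in ($tier.Ports.Keys | Sort-Object)) {
        New-Object PSObject -Property @{
            Port    = $port
            Tier    = $tier.Name
            Service = $tier.Ports[$port]
            Open    = Test-TcpPort -Computer $SbsHost -Port $port -Timeout $TimeoutMs
        }
    }
}

$results | Sort-Object Port | Format-Table Port, Tier, Open, Service -AutoSize

# Every secondary port that answers from the outside should map to a documented
# business need (the slide's "least privilege packet control"), not a default.
$unexpected = $results | Where-Object { $_.Tier -eq 'secondary' -and $_.Open }
if ($unexpected) {
    Write-Warning ("Secondary ports reachable from outside: " + (($unexpected | ForEach-Object { $_.Port }) -join ', '))
} else {
    Write-Host "No secondary ports reachable; external exposure matches the minimum list."
}
```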
Why Patch Management is Important

Patch management mitigates and lessens the impact from threats in the Window of Exposure.
Understanding the Window of Exposure

Timeline for the LSASS vulnerability (Sasser), as drawn on the slide:

- October 2003 – vulnerability identified
- Vulnerability verified by Microsoft
- April 13, 2004 – patch developed and released (188 days)
- May 1, 2004 – Sasser launched (18 days)
- Patch deployed – 30 to 180 days
- Information protected

WINDOW OF EXPOSURE: most businesses were exposed to the LSASS vulnerability (Sasser) for 190 – 260 days.
What about Antivirus and Antispyware?

- Very important as another layer of defense
- You SHOULDN'T be running ANY applications, browsing the web or checking mail etc. ON the SBS server, limiting your exposure to malware in the first place.
- AV is reactive, making it a secondary line of defense, not as critical as the proactive measures discussed here.
SBS "Onion" Approach to Hardening

Layers, as drawn on the slide:

- ISA Firewall Policies
- Web Server Hardening
- Mail Server Hardening
- Database Server Hardening
- OS Hardening
- Patch Management
Microsoft's Hardening Guidelines and Security Best Practices

- Doesn't EXIST for Small Business Server
- Has POTENTIALLY conflicting information between guides (i.e. Srv03 vs Exchange 03)
- Should be FULLY understood before used
- IS well documented if you take the time to read it (you are looking at over 600 pages of information)
- Includes helpful templates to import via GPO

- Operating System Hardening: Windows Server 2003 Security Guide (includes info for web server hardening)
- Mail Server Hardening: Microsoft Exchange Server 2003 Security Hardening Guide
- Database Hardening: SQL Server 2000 Security Features and Best Practices

* Links to Hardening Guides at end of presentation
Using Microsoft's Hardening security GPO templates

Pros include:
- Easy installation
- Well tested
- Well documented

Cons include:
- All or nothing approach
- Blindly makes security decisions for you without knowing your network configuration
- Not easy to ensure settings will stay configured over
- Enforce password history = 24 remembered
- Maximum password age = 42 days
- Minimum password age = 2 days
- Minimum password length = 8 characters
- Password must meet complexity requirements = Enabled
- Store password using reversible encryption = Disabled

- Maximum security log size – increase to 81,920 KB to allow for more in-depth auditing
- Retention method for security log – set to "As needed" to ensure wrapping is FIFO in the removal cycle (removes oldest items)
- Shut down system immediately if unable to log – set to "Disabled" to prevent shutdown
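An added example (not from the presentation or Microsoft's guides) that exports the effective local security policy with the built-in secedit.exe and compares it with the password-policy and security-log values listed above; it addresses the "settings will stay configured" concern from the GPO-template cons by making drift visible. It assumes it runs as an administrator on the SBS server; the INF key names are the ones secedit uses for these settings.

```powershell
# Added example, not part of the presentation: export the effective local
# security policy with secedit.exe and compare it with the password-policy and
# security-log values recommended on the slides, so drift from the template shows up.
# Assumes it runs as an administrator on the SBS server (secedit is built in).
$inf = Join-Path $env:TEMP 'sbs-policy-export.inf'
secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null

# Parse the INF into section -> key -> value (secedit writes it as Unicode text)
$policy = @{}; $section = ''
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]\s*$') { $section = $matches[1]; $policy[$section] = @{}; continue }
    if ($section -and $line -match '^([^=]+?)\s*=\s*(.*)$') { $policy[$section][$matches[1]] = $matches[2].Trim() }
}

# Expected values from the slides, in the units secedit uses:
#  - ages are days, log size is KB, PasswordComplexity 1 = enabled,
#  - ClearTextPassword 0 = reversible encryption disabled,
#  - AuditLogRetentionPeriod 0 = "overwrite as needed" (oldest entries removed first),
#  - CrashOnAuditFail is a typed registry value, "4,0" = REG_DWORD 0 = shutdown disabled.
$expected = @(
    @{ S = 'System Access';   K = 'PasswordHistorySize';     V = '24';    Name = 'Enforce password history' }
    @{ S = 'System Access';   K = 'MaximumPasswordAge';      V = '42';    Name = 'Maximum password age (days)' }
    @{ S = 'System Access';   K = 'MinimumPasswordAge';      V = '2';     Name = 'Minimum password age (days)' }
    @{ S = 'System Access';   K = 'MinimumPasswordLength';   V = '8';     Name = 'Minimum password length' }
    @{ S = 'System Access';   K = 'PasswordComplexity';      V = '1';     Name = 'Complexity requirements' }
    @{ S = 'System Access';   K = 'ClearTextPassword';       V = '0';     Name = 'Reversible encryption' }
    @{ S = 'Security Log';    K = 'MaximumLogSize';          V = '81920'; Name = 'Max security log size (KB)' }
    @{ S = 'Security Log';    K = 'AuditLogRetentionPeriod'; V = '0';     Name = 'Retention method (as needed)' }
    @{ S = 'Registry Values'; K = 'MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail'; V = '4,0'; Name = 'Shut down if unable to log' }
)

$drift = 0
foreach ($e in $expected) {
    $actual = if ($policy.ContainsKey($e.S) -and $policy[$e.S].ContainsKey($e.K)) { $policy[$e.S][$e.K] } else { '(not set)' }
    $status = if ($actual -eq $e.V) { 'OK   ' } else { $drift++; 'DRIFT' }
    "{0} {1,-32} expected {2,-6} actual {3}" -f $status, $e.Name, $e.V, $actual
}
Remove-Item $inf -ErrorAction SilentlyContinue
if ($drift) { Write-Warning "$drift setting(s) differ from the recommended values; re-apply the template." }
```

A "(not set)" result means the local security database carries no explicit value for that setting, so the default (or a domain GPO) is in effect; check the effective setting in the Resultant Set of Policy before changing it.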
- Microsoft Exchange Server 2003 Security Hardening Guide: http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/exsecure.mspx
- SQL Server 2000 Security Features and Best Practices: http://www.microsoft.com/technet/prodtechnol/sql/2000/maintain/sp3sec00.mspx
- How To Harden the TCP Stack: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod109.asp
- Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP: http://go.microsoft.com/fwlink/?linkid=15160
- Dana Epp's personal blog: http://silverstr.ufies.org/blog/

This document is provided for informational purposes only. SCORPION SOFTWARE MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.