Securing the Infrastructure Windows Server 2003 SP1 and Windows XP SP2 Ken Schaefer System Engineer, MVP Avanade.

Jan 02, 2016

Transcript
Page 1 (cover slide)

Page 2

Securing the Infrastructure

Windows Server 2003 SP1 and Windows XP SP2

Ken Schaefer

System Engineer, MVP

Avanade

Page 3

Sorry

• No funny jokes or pictures

• But there will be good technical content

Page 4

Agenda

• Why we are releasing Windows Server 2003 SP1
• Goals for Windows Server 2003 SP1
• Key security enhancements and functions of SP1
• Windows 2003 & Windows XP SP2 Firewall
• Other enhancements
• Additional resources to ramp up on Windows Server 2003 SP1
• Summary

Page 5

Why are we releasing WS03 SP1?

• To reduce customer pain around security of our operating systems, and to provide a more robust and secure OS to customers
• To provide some new security enhancements
  – Setup Protection (SECOOBE)
  – Windows Firewall
  – Role-based Security Configuration Wizard
• To increase adoption of Windows Server 2003 – some customers wait for SP1 before deploying

Page 6

WS03 Customer Pains & SP1

Why?
– Patch management too complex
– Time to exploit decreasing
– Exploits are more sophisticated
= Current approach is not sufficient

[Chart: Days between patch and exploit – Nimda 331, SQL Slammer 180, Welchia/Nachi 151, Blaster 25]

How?
– Role based approach will give flexibility to our customers in terms of time to test/deploy
– Proactive instead of reactive engineering, i.e. Windows Firewall and AD policy for Windows Firewall rule sets
= A step in the journey to more secure computing platforms, applications, and devices.

Page 7

What are the goals of SP1?

• Enhanced Security
  – Reduced attack surface
  – New security enhancements
    • Stronger defaults and privilege reduction on services (RPC & DCOM)
    • Support for No Execute (NX) hardware (Intel & AMD)
    • Windows Firewall enabled by default for new installs
      – Includes boot time protection
    • Provide a Security Configuration Wizard to assist IT Admins
      – Role-based configuration and lockdown
    • RAS/VPN Quarantine
      – Client inspection, Fix-up, Isolation
    • IIS 6.0 metabase auditing
    • IE security enhancements
• Enhanced Reliability
• Enhanced Performance
  – 10%+ improvement in TPC, TPC-H, SAP, SSL, etc.

Page 8

SP1 Features and Enhancements

• Post-Setup Security Updates (PSSU)
• Security Configuration Wizard
• Relevant XP SP2 enhancements
  – RPC, DCOM lockdown
  – Windows Firewall configuration
• Terminal Services Improvements
• Base 64-bit extension system (x86-64) is reality

Page 9

WS03SP1 Post-Setup Security Updates (1)

• A new feature designed to protect servers between first boot and application of the most recent security updates
• Opens on first admin login if Windows Firewall was not explicitly enabled/disabled using an unattend script or GPO
• Blocks inbound connections until the customer clicks "Finish" on the PSSU dialog box (after Finish, Windows Firewall reverts to its configured state, which on a WS03 SP1 server is off unless a GPO or unattend script has turned it on)

Page 10

WS03SP1 Post-Setup Security Updates (2)

• Offers links to Windows Update

• Creates an opportunity to configure Automatic Updates

• Re-opens if not completed before first restart

• Forced closure (ALT+F4) makes no change to the firewall; the system runs its checks again and displays PSSU at the next logon

Page 11

WS03SP1 Post-Setup Security Updates (3)

• Applies To:
  – Windows server admins who are concerned that new Windows Server 2003 servers may not be fully protected before application of updates
  – Admins who perform new installs of Windows Server 2003 with a Service Pack
• Does Not Apply When:
  – OS install with an unattend script enabling or disabling Windows Firewall
  – Windows Firewall is enabled or disabled through GP before PSSU is displayed
  – Performing OS updates to an existing Windows Server 2003 server, or upgrading an existing Windows 2000 server to Windows Server 2003 SP1

Page 12

Post-Setup Security Updates

Page 13

Security Configuration Wizard

• Guided Attack Surface Reduction for Windows Servers
  – Security Coverage
    • Roles-Based Metaphor
    • Disables Unnecessary Services
    • Disables Unnecessary IIS Web Extensions
    • Blocks unused Ports, including multi-homed scenarios
    • Helps Secure Ports that are left open by using IPSEC
    • Reduces protocol exposure (LDAP, NTLM, SMB)
    • Configures Audit Settings with a high Signal to Noise ratio
• Security for mere mortals
  – Roles-based makes answering questions easy
  – Automated versus Paper-Based Guidance
  – Fully tested and supported by Microsoft

Page 14

SCW Operational Coverage

• Supports approximately 60 server roles OOB

• Rollback, when applied policies disrupt service expectation

• Analysis, to check that machines are in compliance with policies

• Remotability for configuration and analysis operations

• Command Line Support for remote config and analysis en-masse

• Active Directory Integration for Group Policy-based deployment

• Editing of previously created policies, when machines are repurposed

• XSL Views of Knowledge base, policies and analysis results
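The command-line, rollback and AD-integration bullets above map onto scwcmd.exe, which ships with Windows Server 2003 SP1. The script below is an added example, not code from the deck or from Microsoft: it applies one SCW policy to a list of servers, records an analysis result per server, and rolls a server back automatically if a service the role depends on is not running afterwards. The policy path, the server names, the "must stay running" service list and the report directory are assumptions for the example; the scwcmd verbs (analyze, configure, rollback, transform, view) are the real ones.

```powershell
# Added example, not from the deck: SCW configure-and-verify across several servers.
# Run from an account that is a local administrator on every target.
param(
    [string]$Policy    = 'C:\scw\WebServer.xml',     # assumption: policy saved earlier with the SCW GUI
    [string[]]$Servers = @('web01', 'web02'),        # constructed sample names
    [string[]]$MustRun = @('W3SVC', 'IISADMIN'),     # services whose outage means "the policy broke the role"
    [string]$ReportDir = 'C:\scw\reports'            # assumption: where analyze results are written
)

function Invoke-Scw([string[]]$ArgList) {
    # scwcmd exits non-zero on failure; turn that into a PowerShell error so the caller can react.
    & scwcmd.exe $ArgList 2>&1 | Out-String | Write-Verbose
    if ($LASTEXITCODE -ne 0) { throw "scwcmd $($ArgList -join ' ') failed with exit code $LASTEXITCODE" }
}

function Test-RoleHealthy([string]$Server) {
    # A role is "healthy" only if every listed service is present and running on the remote box.
    foreach ($svc in $MustRun) {
        $s = Get-Service -ComputerName $Server -Name $svc -ErrorAction SilentlyContinue
        if ($null -eq $s -or $s.Status -ne 'Running') { return $false }
    }
    return $true
}

if (-not (Test-Path $ReportDir)) { New-Item -ItemType Directory -Path $ReportDir | Out-Null }

foreach ($srv in $Servers) {
    # 1. Compliance snapshot before touching anything. The XML result can be rendered with
    #    scwcmd view /x:<result.xml> /s:%windir%\security\msscw\TransformFiles\scwanalysis.xsl
    Invoke-Scw @('analyze', "/m:$srv", "/p:$Policy", "/o:$ReportDir")

    # 2. Apply the policy remotely.
    Invoke-Scw @('configure', "/m:$srv", "/p:$Policy")

    # 3. Let services settle, then verify the role still works; roll back if it does not.
    Start-Sleep -Seconds 30
    if (Test-RoleHealthy $srv) {
        "$srv : policy applied, role services running"
    } else {
        Write-Warning "$srv : role services not running after configure; rolling back"
        Invoke-Scw @('rollback', "/m:$srv")
    }
}

# To deploy the same policy through Active Directory instead of machine by machine:
#   scwcmd transform /p:C:\scw\WebServer.xml /g:"SCW Web Server Policy"
# then link the resulting GPO to the OU that holds the web servers.
```

The rollback step is the safety net the slide promises, but it only helps if the health check is specific to the role: checking a generic service such as the Server service would pass even when SCW has just disabled the one service the box exists for, so list the role's own services in $MustRun.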

Page 15

Security Configuration Wizard

Page 16

RPC and DCOM Enhancements (dovetails with Windows XP SP2)

• New RPC registry keys
  – Allow server applications to restrict access to the interface, typically through a security callback
  – Optionally deny all remote anonymous access
  – Enable application developers to more closely control access
• Additional DCOM access control restrictions
  – Strengthening of the DCOM authentication security model
  – Overall reduction of risk of a successful network attack
• RPC and DCOM ports handled as a special case by Windows Firewall
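The slide does not name the keys. The "deny remote anonymous access" behaviour is driven by the RestrictRemoteClients and EnableAuthEpResolution values under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Rpc, and the DCOM restrictions are machine-wide SDDL strings that Group Policy writes under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DCOM. The script below is an added example, not code from the deck or from Microsoft: it reports both sets of values and, with -Enforce, writes the hardened RPC values. The value names and meanings are taken from the XP SP2 / WS03 SP1 RPC interface restriction documentation as I know it and the DCOM policy path is an assumption; confirm both against the ADM templates on your own build before rolling out.

```powershell
# Added example, not from the deck: audit and optionally enforce the RPC "deny remote anonymous"
# policy values on XP SP2 / WS03 SP1. Requires an elevated PowerShell session.
param(
    [switch]$Enforce,   # write the hardened values instead of only reporting
    [int]$Level = 1     # 1 = deny remote anonymous, interfaces may opt out; 2 = deny, no opt-out
)

$RpcPolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
$DcomPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DCOM'   # assumption: where the DCOM SDDL policies land

# Meaning of RestrictRemoteClients as documented for these service packs.
$Meaning = @{
    0 = 'NONE    - remote anonymous RPC allowed (pre-service-pack behaviour)'
    1 = 'DEFAULT - remote anonymous RPC denied; interfaces registered with a security callback may opt out'
    2 = 'HIGH    - remote anonymous RPC denied; no opt-out (RPC over named pipes is not affected)'
}

function Get-RpcHardening {
    $key = Get-ItemProperty -Path $RpcPolicy -ErrorAction SilentlyContinue
    # A missing value means the OS default applies (XP SP2 behaves as level 1 when the value is absent).
    $restrict = $null; $authEp = $null
    if ($key -and $key.PSObject.Properties['RestrictRemoteClients'])  { $restrict = [int]$key.RestrictRemoteClients }
    if ($key -and $key.PSObject.Properties['EnableAuthEpResolution']) { $authEp   = [int]$key.EnableAuthEpResolution }
    New-Object PSObject -Property @{ RestrictRemoteClients = $restrict; EnableAuthEpResolution = $authEp }
}

function Set-RpcHardening([int]$RestrictLevel) {
    if ($RestrictLevel -ne 1 -and $RestrictLevel -ne 2) { throw 'Level must be 1 or 2' }
    if (-not (Test-Path $RpcPolicy)) { New-Item -Path $RpcPolicy -Force | Out-Null }
    Set-ItemProperty -Path $RpcPolicy -Name RestrictRemoteClients  -Value $RestrictLevel -Type DWord
    # Clients on this box then authenticate to remote endpoint mappers, which servers at level 1 or 2 require.
    Set-ItemProperty -Path $RpcPolicy -Name EnableAuthEpResolution -Value 1 -Type DWord
}

$before = Get-RpcHardening
if ($null -ne $before.RestrictRemoteClients) {
    "RestrictRemoteClients = $($before.RestrictRemoteClients): $($Meaning[$before.RestrictRemoteClients])"
} else {
    'RestrictRemoteClients not set by policy; the OS default applies'
}
"EnableAuthEpResolution = $($before.EnableAuthEpResolution)"

# DCOM side: the "additional access control restrictions" are machine-wide SDDL strings.
$dcom = Get-ItemProperty -Path $DcomPolicy -ErrorAction SilentlyContinue
foreach ($name in 'MachineAccessRestriction', 'MachineLaunchRestriction') {
    $sddl = if ($dcom -and $dcom.PSObject.Properties[$name]) { $dcom.$name } else { '(not set by policy)' }
    "$name = $sddl"
}

if ($Enforce) {
    Set-RpcHardening -RestrictLevel $Level
    $after = Get-RpcHardening   # re-read so the report shows what is on disk, not what we intended
    "RestrictRemoteClients now $($after.RestrictRemoteClients): $($Meaning[$after.RestrictRemoteClients])"
    'Restart RPC server processes (or reboot) for the change to take effect; test remote management paths first.'
}
```

Level 2 is the setting that breaks things: any remote client that reaches an RPC interface anonymously, including some older management and backup agents, stops working, and unlike level 1 the application cannot opt its interface out with a security callback. Test with level 1 first and read the RPC event log entries before moving to level 2.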

Page 17

Windows Firewall

• Goals and customer benefit
  – Provide by default better protection from network attacks
  – Focus on role-based server configuration
• What we're doing
  – Windows Firewall (formerly ICF) will be on by default in almost all configurations (on a released SP1 server it is on by default only during the Post-Setup Security Updates window; afterwards it must be turned on by unattend script, GPO or the Windows Firewall control panel)
  – More configuration options
    • Group policy, command line, unattended setup
    • Better user interface
  – Boot time protection
  – Restrict anonymous connections to DCOM/RPC interfaces
• Application impact
  – In-bound network connections will not be permitted by default
  – Listening ports only open as long as the application is running

Page 18

Windows Firewall and AD Firewall Policy Deployment

Page 19

Administering Windows XP SP2: Recommended Enterprise Settings (1)

Guidelines only, review all settings prior to deployment!!

• Windows Firewall: Protect all network connections – Enabled
• Windows Firewall: Do not allow exceptions – Not configured
• Windows Firewall: Define program exceptions – Set to the names of applications and services used by the computers running Windows XP SP2 on your network for managed, server, listener, or peer applications (e.g. SMS)

Page 20

Administering Windows XP SP2: Recommended Enterprise Settings (2)

• Windows Firewall: Allow local program exceptions – Enabled
• Windows Firewall: Allow remote administration exception – Disabled, unless the Windows XP SP2-based computers are configured remotely using an MMC snap-in or monitored remotely using WMI
• Windows Firewall: Allow file and print sharing exception – Enabled only if the computers running Windows XP SP2 are sharing local folders and printers

Page 21

Administering Windows XP SP2: Recommended Enterprise Settings (3)

• Windows Firewall: Allow ICMP exceptions – Enabled only to allow diagnostic or management capabilities that are based on ICMP traffic
• Windows Firewall: Allow Remote Desktop exception – Enabled only if you use Remote Desktop to connect to Windows XP SP2-based computers
• Windows Firewall: Allow UPnP framework exception – Enabled only if you use UPnP devices on your network
• Windows Firewall: Prohibit notifications – Disabled

Page 22

Administering Windows XP SP2: Recommended Enterprise Settings (4)

• Windows Firewall: Allow logging – Not configured
• Windows Firewall: Prohibit unicast response to multicast or broadcast requests – Disabled (enabling it may break Wake On LAN)
• Windows Firewall: Define port exceptions – Set to the TCP and UDP ports used by the Windows XP SP2 computers on your network for managed, server, listener, or peer applications that cannot be specified by filename (add SMS and similar ports here)
• Windows Firewall: Allow local port exceptions – Enabled (pending corporate policy)
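Each of the Group Policy settings on the four slides above is stored as a registry value under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\<Profile>. The script below is an added example, not code from the deck or from Microsoft: it writes the recommended baseline into that policy tree so it can be tested on one machine or pushed by a startup script before the real GPO is built. The registry value names are my reading of the XP SP2 Windows Firewall ADM template and are an assumption to compare against gpedit.msc on your own build; the sample program path and port spec are constructed. For production, set these through a GPO rather than by hand.

```powershell
# Added example, not from the deck: write the recommended XP SP2 Windows Firewall baseline as
# Group Policy registry values for both profiles. Run elevated.
param(
    [string[]]$ProgramExceptions = @('C:\Program Files\Contoso\Agent\agent.exe'),  # constructed sample, e.g. your SMS agent
    [string[]]$PortExceptions    = @('2701:TCP:*:Enabled:Remote Control'),         # constructed sample: port:protocol:scope:state:name
    [switch]$FileAndPrint,     # only if the clients share folders/printers
    [switch]$RemoteDesktop,    # only if you RDP to the clients
    [switch]$AllowPing,        # only if ICMP-based diagnostics are needed
    [string[]]$Profiles = @('DomainProfile', 'StandardProfile')
)

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

function Set-PolicyDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

function Set-PolicyString([string]$Path, [string]$Name, [string]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type String
}

function ToDword([bool]$On) { if ($On) { 1 } else { 0 } }

foreach ($p in $Profiles) {
    $base = "$PolicyRoot\$p"

    Set-PolicyDword $base 'EnableFirewall' 1                                # Protect all network connections: Enabled
    # "Do not allow exceptions" and "Allow logging" stay Not configured, so nothing is written for them.
    Set-PolicyDword $base 'AllowLocalPolicyMerge' 1                         # Allow local program exceptions: Enabled
    Set-PolicyDword $base 'AllowLocalIPsecPolicyMerge' 1                    # Allow local port exceptions: Enabled (this is the ADM's name for it)
    Set-PolicyDword $base 'DisableNotifications' 0                          # Prohibit notifications: Disabled
    Set-PolicyDword $base 'DisableUnicastResponsesToMulticastBroadcast' 0   # Prohibit unicast response: Disabled
    Set-PolicyDword "$base\RemoteAdminSettings" 'Enabled' 0                 # Allow remote administration exception: Disabled
    Set-PolicyDword "$base\Services\FileAndPrint"  'Enabled' (ToDword $FileAndPrint.IsPresent)
    Set-PolicyDword "$base\Services\RemoteDesktop" 'Enabled' (ToDword $RemoteDesktop.IsPresent)
    Set-PolicyDword "$base\Services\UPnPFramework" 'Enabled' 0              # Allow UPnP framework exception: Disabled
    Set-PolicyDword "$base\IcmpSettings" 'AllowInboundEchoRequest' (ToDword $AllowPing.IsPresent)

    # Define program exceptions: one REG_SZ per program, named by its path, data "path:scope:state:name".
    # The listening port is only open while the named program is actually running.
    foreach ($exe in $ProgramExceptions) {
        $label = [System.IO.Path]::GetFileNameWithoutExtension($exe)
        Set-PolicyString "$base\AuthorizedApplications\List" $exe "${exe}:*:Enabled:$label"
    }

    # Define port exceptions: one REG_SZ per port, named "port:protocol", data is the full spec.
    foreach ($spec in $PortExceptions) {
        $parts = $spec.Split(':')
        if ($parts.Count -ne 5) { throw "Port exception '$spec' must look like port:protocol:scope:Enabled|Disabled:name" }
        Set-PolicyString "$base\GloballyOpenPorts\List" ($parts[0] + ':' + $parts[1]) $spec
    }
}
"Policy written for: $($Profiles -join ', '). Restart the SharedAccess service (or run gpupdate /force) and verify with: netsh firewall show config"
```

The scope field (the * in the samples) is where you tighten things later: replacing it with a subnet such as 10.0.0.0/255.0.0.0 limits the exception to that range, which is the usual compromise for a management agent that must listen but should never be reachable from outside the corporate network.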

Page 23

Administering Windows XP SP2: 3rd Party firewall scenarios

• Disable Windows Firewall
  – Via unattended installation: Unattend.txt or Netfw.inf
  – Deploy registry settings to disable WF
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall=0 (DWORD data type)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\EnableFirewall=0 (DWORD data type)
  – Configure GPOs accordingly
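Pushing EnableFirewall=0 by policy leaves a host with no firewall at all if the third-party product is missing or switched off, so the check a practitioner wants before (and after) deploying those two values is whether something else is actually protecting the machine. The script below is an added example, not code from the deck or from Microsoft: it reports the policy state of both profiles, lists third-party firewalls registered with Security Center, shows what the firewall service is doing right now, and refuses to write the disable values unless an enabled third-party firewall is present. The Security Center WMI namespace (root\SecurityCenter, class FirewallProduct) exists on XP SP2 and not on Windows Server 2003; the assumption here is that "none found" on a server means "check by hand".

```powershell
# Added example, not from the deck: gate the EnableFirewall=0 deployment on the presence of a
# working third-party firewall. Run elevated.
param([switch]$ApplyDisable)

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$Profiles   = 'DomainProfile', 'StandardProfile'

function Get-WfPolicyState {
    # Per profile: 1 = policy forces on, 0 = policy forces off, $null = not configured (local setting applies).
    $state = @{}
    foreach ($p in $Profiles) {
        $v = Get-ItemProperty -Path "$PolicyRoot\$p" -Name EnableFirewall -ErrorAction SilentlyContinue
        if ($v) { $state[$p] = [int]$v.EnableFirewall } else { $state[$p] = $null }
    }
    $state
}

function Get-ThirdPartyFirewalls {
    try {
        Get-WmiObject -Namespace 'root\SecurityCenter' -Class FirewallProduct -ErrorAction Stop |
            ForEach-Object { New-Object PSObject -Property @{ Name = $_.displayName; Enabled = [bool]$_.enabled } }
    } catch {
        @()   # namespace or class absent (e.g. on a server): report nothing rather than fail
    }
}

$policy = Get-WfPolicyState
foreach ($p in $Profiles) {
    $text = if ($null -eq $policy[$p]) { 'not configured (local setting applies)' } elseif ($policy[$p] -eq 1) { 'forced ON by policy' } else { 'forced OFF by policy' }
    "$p : EnableFirewall $text"
}

$others = @(Get-ThirdPartyFirewalls)
$active = @($others | Where-Object { $_.Enabled })
if ($others.Count -eq 0) { 'No third-party firewall registered with Security Center' }
foreach ($f in $others) { "Third-party firewall: $($f.Name) enabled=$($f.Enabled)" }

# What the firewall service is actually doing right now (policy merged with local settings).
netsh firewall show state | Select-String 'Profile', 'Operational mode'

if ($ApplyDisable) {
    if ($active.Count -eq 0) {
        throw 'Refusing to disable Windows Firewall: no enabled third-party firewall found. Deploy the replacement first.'
    }
    foreach ($p in $Profiles) {
        $key = "$PolicyRoot\$p"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name EnableFirewall -Value 0 -Type DWord   # the two values from the slide
    }
    'Policy now disables Windows Firewall for both profiles; restart the SharedAccess service or run gpupdate /force to apply.'
}
```

Because a policy value of 0 wins over whatever the user or a local netsh command sets, the netsh output is the thing to re-check after deployment: if it still reports the operational mode as enabled, the policy has not been refreshed yet.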

Page 24

Terminal Services Improvements

• Fallback Printer Driver
  – Addresses client-to-server printing issues when a driver mismatch occurs
  – Heuristic that does name matching on printer driver strings provided from the TS client
  – Will do a best guess and then substitute a lowest-common-denominator PCL or PS driver
    • PCL – "HP DeskJet 500"
    • Color PCL – "HP DeskJet 500C"
    • PS – "HP LaserJet 4/4M PS"
    • Color PS – "HP Color LaserJet 5/5M PS"
• Licensing Server Improvements

Page 25

SP1 Terminal Services

Page 26

Windows Server 2003 x64 Editions

• Key value
  – Core OS functionality & performance benefits (64-bit)
  – Runs most existing 32-bit apps with increased performance
  – Provides an evolutionary path to 64-bit applications
• Single code-base based on WS03 SP1
  – AMD Opteron/Athlon 64 & Intel Xeon EM64T supported with one product
  – Basis for Windows XP Professional, x64 Edition
• Compatibility
  – WS03 SP1 level compatibility
  – Application kernel mode code and drivers must be 64-bit

Workload Performance and Scale

Workload                      Result
32-bit Database               up 17%
32-bit Business Apps (SAP)    10% more users
Networking                    Record 7 Gbit/sec transfer
File                          111% higher user capacity
Active Directory              2x higher throughput
Terminal Services             50% more users

Page 27

How To Get Involved

• Share your ideas with the Windows Server development team at: http://www.windowsserverfeedback.com
• You can also participate in:
  – Online surveys about product feature priorities
  – Product focus groups
  – TechBeta

Page 28

Summary

• Windows Server 2003 SP1 exists to encourage adoption of Windows Server 2003, migration from NT4 and 2000

• Security-focused service pack, also includes performance, feature and reliability improvements

• Exciting roadmap – complement to XP SP2, precursor to Windows Server 2003 R2 and Longhorn

• What you can do:

– Review the reference material on the following slides

– Test the available Release Candidate 2 (RC2) version

– Provide your ideas on how we can make further improvements in this area

Page 29

More Information:

• Windows Server 2003 SP1 Release Candidate 2: http://www.microsoft.com/windowsserver2003/downloads/servicepacks/sp1/default.mspx
• Windows XP SP2 on Microsoft TechNet: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx
• MBSA v2 Beta (use Beta GuestID: MBSA20): http://beta.microsoft.com and http://www.microsoft.com/technet/security/tools/mbsahome.mspx
• Windows Update Services Beta: http://www.microsoft.com/windowsserversystem/wus/default.mspx
• TechNet Security Centre for IT Pros: http://www.microsoft.com/technet/security/default.mspx
• Microsoft IT practices: http://www.microsoft.com/itshowcase

Page 30

Page 31

Evaluation: Prescriptive Guidance

• Overall how satisfied were you with the event? 9
• Rate the session: Windows 2003 SP1 9

Page 32

Ken [email protected]