10 Steps to Harden Windows Server 2008


10 steps to harden Windows Server 2008

 

Ever since its debut, Microsoft Windows Server 2008 has awed security and systems administrators with its complex and innovative features. With threats becoming more imminent and efficient each day, security and systems administrators face the tedious task of protecting Microsoft's new giant. In this article we compiled some of the industry's best practices, such as NIST, to show you some of the features and ways to reduce your Windows Server 2008 servers' exposure.

Confidential 1


1. Configure a security policy

The first step in securing the 2008 server is to configure a security policy. To configure a security policy you will need to use the SCW (Security Configuration Wizard), which can be installed through "Add and Remove Windows Components". The SCW detects ports and services, and configures registry and audit settings according to the server's "role" or installed applications. The SCW uses a set of XML templates which can easily be deployed and managed. The version of SCW in Windows Server 2008 includes over 200 server role configurations and security settings, more than the version of SCW in Windows Server 2003. Also, by using the version of SCW in Windows Server 2008, you can:

* Disable unneeded services based on the server role.

* Remove unused firewall rules and constrain existing firewall rules.

* Define restricted audit policies.

 

The server's operating system will be configured according to the profile or template selected. Administrators can create custom profiles and deploy them using a set of XML files.
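Besides the wizard GUI, an SCW policy can be checked and applied from the command line, which is how a baseline is rolled out to more than one server. The following PowerShell script is an added example, not code from the original article: it drives scwcmd.exe (installed with SCW on Server 2008) to run a report-only analysis of several servers against a saved policy and, after review, to apply it. The policy file, report folder and server names are placeholders, and the script assumes an elevated PowerShell 2.0 session.

```powershell
# Added example, not from the original article: drive the Security Configuration
# Wizard from the command line with scwcmd.exe, which ships with SCW on Server
# 2008. Policy file, report folder and server names are placeholders; assumes an
# elevated PowerShell 2.0 session and an SCW policy previously saved from the GUI.

$PolicyFile = 'C:\SCW\WebServerBaseline.xml'   # placeholder: exported SCW policy
$ReportDir  = 'C:\SCW\Reports'                 # placeholder: analysis output folder
$Servers    = @('SRV-WEB-01', 'SRV-WEB-02')    # placeholders

function Invoke-ScwAnalysis {
    # Report-only pass: compares each server with the policy and changes nothing
    param([string[]]$Machines, [string]$Policy, [string]$OutputDir)
    if (-not (Test-Path $OutputDir)) { New-Item -ItemType Directory -Path $OutputDir | Out-Null }
    foreach ($m in $Machines) {
        scwcmd analyze "/m:$m" "/p:$Policy" "/o:$OutputDir"
        if ($LASTEXITCODE -ne 0) { Write-Warning "scwcmd analyze failed for $m (exit $LASTEXITCODE)" }
    }
    # One XML result per analysed machine; "scwcmd view /x:<file>" renders it as HTML
    Get-ChildItem -Path $OutputDir -Filter *.xml
}

function Invoke-ScwConfigure {
    # Apply pass: run only after the analysis reports have been reviewed
    param([string[]]$Machines, [string]$Policy)
    foreach ($m in $Machines) {
        scwcmd configure "/m:$m" "/p:$Policy"
        if ($LASTEXITCODE -ne 0) { Write-Warning "scwcmd configure failed for $m (exit $LASTEXITCODE)" }
    }
    # Undo on a machine whose role broke: scwcmd rollback /m:<machine>
}

Invoke-ScwAnalysis -Machines $Servers -Policy $PolicyFile -OutputDir $ReportDir
# Invoke-ScwConfigure -Machines $Servers -Policy $PolicyFile   # after review
```

Running the analysis first matters because a policy written for one role silently disables services another server depends on; the rollback command is the safety net if that still happens.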

2. Disable or delete unnecessary accounts, ports and services

Attackers often gain access to servers through unused or unconfigured ports and services. To limit entry points, server hardening includes blocking unused ports and protocols as well as disabling services that are not required. Although this can be done with the SCW as described above, the server administrator should double check that all services are configured properly and that only the necessary ports are open. During the installation of the 2008 server, three local user accounts are created by default: Administrator, Guest and Help Assistant. The Administrator account bears high privileges and requires special diligence. As a security best practice, the Administrator account should be disabled or renamed to make it more difficult for an attacker to gain access. Both the Guest and Help Assistant accounts provide an easy target; attackers exploited them before on the earlier Windows Server 2003. These accounts should be disabled at all times.
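A quick way to verify this step is to look at the built-in accounts by their well-known RID (so a renamed Administrator is still found) and at what is actually listening on the network. The script below is an added example, not from the original article; it assumes PowerShell 2.0 (Server 2008 R2, or the 2.0 download on Server 2008), local administrator rights and English netstat output.

```powershell
# Added example, not from the original article: report the state of the built-in
# local accounts and the TCP ports that are listening, with the owning process.
# Assumes PowerShell 2.0 and local administrator rights.

function Get-BuiltInAccountStatus {
    # The built-in Administrator has RID 500 and Guest RID 501 regardless of name
    Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" | ForEach-Object {
        $rid = $_.SID.Substring($_.SID.LastIndexOf('-') + 1)
        $role = switch ($rid) {
            '500'   { 'Administrator (built-in)' }
            '501'   { 'Guest (built-in)' }
            default { 'Other local account' }
        }
        New-Object PSObject -Property @{
            Name     = $_.Name
            Role     = $role
            Disabled = $_.Disabled
            # True when the built-in Administrator no longer carries its default name
            Renamed  = ($rid -eq '500' -and $_.Name -ne 'Administrator')
        }
    }
}

function Get-ListeningTcpPorts {
    # Parse "netstat -ano" lines such as:
    #   TCP    0.0.0.0:135    0.0.0.0:0    LISTENING    764
    netstat -ano -p tcp | ForEach-Object {
        if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)') {
            $proc = Get-Process -Id ([int]$matches[3]) -ErrorAction SilentlyContinue
            $name = if ($proc) { $proc.ProcessName } else { '?' }
            New-Object PSObject -Property @{
                LocalAddress = $matches[1]
                Port         = [int]$matches[2]
                PID          = [int]$matches[3]
                Process      = $name
            }
        }
    }
}

function Get-AutoStartServices {
    # Services that start with the OS are the ones worth justifying per role
    Get-WmiObject Win32_Service -Filter "StartMode='Auto'" |
        Select-Object Name, DisplayName, State, StartName
}

Get-BuiltInAccountStatus | Format-Table Name, Role, Disabled, Renamed -AutoSize
Get-ListeningTcpPorts | Sort-Object Port | Format-Table Port, LocalAddress, PID, Process -AutoSize
Get-AutoStartServices | Format-Table Name, State, StartName -AutoSize
```

Every listening port in the second table should map to a service the server's role requires; anything else is a candidate for the SCW or firewall changes described in this step.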

 

3. Uninstall Unnecessary Applications

 

Remember, your server is a vital part of your network and of the services that you provide. The number of applications installed on these servers should be role related and kept to a minimum. It is a good idea to test these applications in a separate environment before deploying them on the production network. Some applications make use of service backdoors, which can compromise the overall security of the server. After installing each application, double check whether the application created any firewall exception or a service user account.

* Belarc Advisor: The Belarc Advisor "builds a detailed profile of your installed software and hardware, missing Microsoft hot fixes, anti-virus status, and displays the results in your Web browser." This tool is free for personal use. Commercial, government, and non-profit organizations should look at their other products, which include many more features for managing security on multiple computers.

 

* Microsoft Sysinternals Tools: Microsoft provides a set of tools which can be used to monitor the server's activity. These tools include Regmon, Filemon, Process Explorer and RootkitRevealer. They are great for understanding what a certain application or piece of software does "under the sheets".

4. Configure the Windows Server 2008 Firewall

 

Windows Server 2008 comes with a phenomenal built-in firewall called Windows Firewall with Advanced Security. As a security best practice, every server should have its own host-based firewall. This firewall needs to be double checked to ensure there are no unnecessary rules or exceptions. I have outlined some of the new features that Windows Server 2008 provides.

* GUI interface: an MMC snap-in is available for Advanced Firewall Configuration.

* Bi-directional filtering: the firewall now filters outbound traffic as well as inbound traffic.

* IPsec integration: firewall rules and IPsec encryption configurations are now integrated into one interface.

* Advanced rule configuration: you can create firewall rules using Active Directory objects, source and destination IP addresses and protocols.
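The same firewall can be baselined and reviewed without the MMC snap-in, using netsh advfirewall, which is what a build script would call. The PowerShell below is an added example and not code from the original article: it turns the firewall on for all profiles with a block-inbound default, enables dropped-packet logging at the Windows default path, and parses "netsh advfirewall firewall show rule" into objects so the enabled inbound allow rules can be listed. It assumes an elevated PowerShell 2.0 session and English netsh output.

```powershell
# Added example, not from the original article: baseline Windows Firewall with
# Advanced Security via netsh advfirewall and list the enabled inbound allow rules.
# Assumes an elevated PowerShell 2.0 session and English netsh output.

function Set-FirewallBaseline {
    # Firewall on for the Domain, Private and Public profiles
    netsh advfirewall set allprofiles state on | Out-Null
    # Default policy: drop unsolicited inbound, allow outbound (tighten outbound per role later).
    # Quoted so PowerShell passes the comma-separated value as one argument.
    netsh advfirewall set allprofiles firewallpolicy "blockinbound,allowoutbound" | Out-Null
    # Keep a record of dropped packets for troubleshooting and detection
    netsh advfirewall set allprofiles logging droppedconnections enable | Out-Null
    netsh advfirewall set allprofiles logging filename "$env:SystemRoot\system32\LogFiles\Firewall\pfirewall.log" | Out-Null
}

function Get-FirewallRules {
    param([string]$Direction = 'in')
    # netsh prints one "Key:   Value" block per rule; blocks are separated by a blank line
    $rules   = @()
    $current = @{}
    netsh advfirewall firewall show rule name=all "dir=$Direction" | ForEach-Object {
        if ($_ -match '^([A-Za-z][^:]*):\s+(.*)$') {
            $current[$matches[1].Trim()] = $matches[2].Trim()
        } elseif ($_ -match '^\s*$' -and $current.Count -gt 0) {
            $rules  += New-Object PSObject -Property $current
            $current = @{}
        }
    }
    if ($current.Count -gt 0) { $rules += New-Object PSObject -Property $current }
    $rules
}

function Get-EnabledInboundAllowRules {
    # The rules that actually admit traffic; each one should be tied to the server role
    Get-FirewallRules -Direction in |
        Where-Object { $_.Enabled -eq 'Yes' -and $_.Action -eq 'Allow' }
}

Set-FirewallBaseline
Get-EnabledInboundAllowRules |
    Format-Table 'Rule Name', Profiles, Protocol, LocalPort, RemoteIP -AutoSize
```

Rules whose RemoteIP is "Any" and whose Profiles include "Public" deserve the closest look, since those are the exceptions reachable from outside the management network.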

 


 

5. Configure Auditing

One of the most significant changes in Windows Server 2008 auditing is that you can now audit not only who changed which attribute but also what the old and new values were. This is significant because you can now tell why it was changed, and if something doesn't look right you can easily find what it should be restored to.

Another significant change is that in past Server versions you were only able to turn the auditing policy on or off for the entire Active Directory structure. In Windows Server 2008 the auditing policy is more granular.

As a security best practice, the following events should be logged and audited on Windows Server 2008:


* Audit account logon events

* Audit account management

* Audit directory service access

* Audit logon events

* Audit object access

* Audit policy change

* Audit privilege use

* Audit process tracking

* Audit system events


 

Most events in the Event Viewer have registered event ID numbers; these numbers can be used to troubleshoot the server. http://www.eventid.net/ is a good site which aids security and system administrators in finding out what actually happened on their servers. A best practice is also to forward these audit logs to a centralized server, as required by PCI DSS 10.5.3 and other industry standards. Windows Server 2008 offers a native log subscription feature which forwards system and security audit logs to a centralized server.
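The nine categories in the list above can be set and verified from the command line with auditpol.exe, which also exposes the per-subcategory granularity this step mentions. The following PowerShell is an added example, not from the original article. Note that auditpol's category names differ from the Group Policy labels in the list: "Audit directory service access" is "DS Access", "Audit process tracking" is "Detailed Tracking" and "Audit logon events" is "Logon/Logoff". It assumes an elevated PowerShell 2.0 session with English auditpol output.

```powershell
# Added example, not from the original article: enable success and failure
# auditing for the nine categories above with auditpol.exe, then read back the
# effective policy per subcategory. Assumes an elevated PowerShell 2.0 session.

$BaselineCategories = @(
    'Account Logon', 'Account Management', 'DS Access', 'Logon/Logoff',
    'Object Access', 'Policy Change', 'Privilege Use', 'Detailed Tracking', 'System'
)

function Set-BaselineAuditPolicy {
    param([string[]]$Categories = $BaselineCategories)
    foreach ($cat in $Categories) {
        # Object Access and Detailed Tracking are the noisy ones; pair them with
        # SACLs on the objects that matter and with log forwarding rather than skipping them
        auditpol /set /category:"$cat" /success:enable /failure:enable | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol failed for category '$cat'" }
    }
}

function Get-EffectiveAuditPolicy {
    # /r emits CSV with the header:
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    auditpol /get /category:* /r |
        Where-Object { $_ -match '\S' } |
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

function Get-UnauditedSubcategories {
    # Anything still at "No Auditing" after the baseline is a gap to justify or fix
    Get-EffectiveAuditPolicy | Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' }
}

Set-BaselineAuditPolicy
Get-UnauditedSubcategories | Format-Table -AutoSize

# Forwarding (run separately, per host): on the collector, "wecutil qc" enables the
# Windows Event Collector service; on each source server, "winrm quickconfig -q"
# enables the WinRM listener that event subscriptions use. The subscription itself
# is then created under Event Viewer > Subscriptions on the collector.
```

Reading the policy back matters because a domain Group Policy can override local auditpol settings at the next refresh; the verification function shows the effective result, not the intended one.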

 

6. Disable unnecessary shares


 

Unnecessary shares pose a great threat to vital servers. After a server or application deployment, system and security administrators should check whether the server has any unnecessary shares. This can be done using the following command:

         Net Share

This will display a list of all shares on the server. If a share is needed, system and security administrators should configure it as a hidden share and harden all NTFS and share permissions.

 

          C:\Documents and Settings>net share

          Share name   Resource                        Remark
          -------------------------------------------------------------------------------
          ADMIN$       C:\WINDOWS                      Remote Admin
          C$           C:\                             Default share
          IPC$                                         Remote IPC

To create a hidden share, put a $ sign after the share name. The share will still be accessible; however, it will not be listed when browsing the network. Example:

 

          Accounting$
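Because a trailing $ only hides the share from browse lists and does not restrict access, the share and NTFS permissions are what actually protect it. The PowerShell below is an added example, not from the original article: it lists user-created shares together with their NTFS ACLs (the administrative ADMIN$, C$ and IPC$ shares are filtered out), and creates a hidden share that grants only one group Change at the share level and Modify on NTFS. "Accounting$", D:\Accounting and CONTOSO\Accounting are placeholders; it assumes an elevated PowerShell 2.0 session and a group name without spaces.

```powershell
# Added example, not from the original article: audit user-created shares and
# create a hidden share with tightened share and NTFS permissions. Share name,
# path and group are placeholders; assumes an elevated PowerShell 2.0 session.

function Get-UserShares {
    # Win32_Share Type 0 is a plain disk share; the administrative shares
    # (C$, ADMIN$, IPC$) carry the 0x80000000 flag and are excluded here
    Get-WmiObject Win32_Share | Where-Object { $_.Type -eq 0 } | ForEach-Object {
        $share = $_
        $acl   = Get-Acl -Path $share.Path
        # One "identity=rights" string per NTFS ACE so the listing fits in a table
        $aces  = $acl.Access | ForEach-Object { "$($_.IdentityReference)=$($_.FileSystemRights)" }
        New-Object PSObject -Property @{
            Name   = $share.Name
            Path   = $share.Path
            Hidden = $share.Name.EndsWith('$')
            Ntfs   = ($aces -join '; ')
        }
    }
}

function New-HiddenShare {
    param([string]$Name, [string]$Path, [string]$Group)
    if (-not $Name.EndsWith('$')) { $Name += '$' }   # trailing $ keeps it out of browse lists
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    # Share permission: the group gets Change, nobody else is added (no Everyone)
    net share "$Name=$Path" "/GRANT:$Group,CHANGE" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "net share failed (exit $LASTEXITCODE)" }
    # NTFS: drop inherited ACEs, then Modify for the group, Full for SYSTEM and Administrators
    icacls $Path /inheritance:r /grant:r "${Group}:(OI)(CI)M" "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "icacls failed (exit $LASTEXITCODE)" }
}

Get-UserShares | Format-Table Name, Hidden, Path, Ntfs -AutoSize
New-HiddenShare -Name 'Accounting' -Path 'D:\Accounting' -Group 'CONTOSO\Accounting'
```

In the listing, any share whose NTFS column contains Everyone or Users with more than ReadAndExecute is the one to fix first; the hidden name is a convenience, not a control.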

7. Configure Encryption on 2008 server

 

Industry requirements and best practices, such as HIPAA and GLBA, require that servers which host sensitive information make use of encryption. Windows Server 2008 provides a built-in whole disk encryption feature called BitLocker Drive Encryption (BitLocker). BitLocker protects the operating system and data stored on the disk. In Windows Server 2008, BitLocker is an optional component that must be installed before it can be used. To install BitLocker, select it in Server Manager or type the following at a command prompt:

         ServerManagerCmd -install BitLocker -restart


 

 

8. Updates & Hot fixes

 

Updates and hot fixes are key elements when hardening a server. System and security administrators should constantly update and patch their servers against zero-day vulnerabilities. These patches are not limited to the operating system, but extend to any application hosted on them. Administrators should periodically check the vendors' websites for updates. Windows Server 2008 offers a set of tools which help administrators update and patch their servers.

         * WSUS: Windows Server Update Services (WSUS) provides a software update service for Microsoft Windows operating systems and other Microsoft software. By using Windows Server Update Services, administrators can manage the distribution of Microsoft hot fixes and updates released through Automatic Updates to computers in a corporate environment. WSUS helps administrators track the "update health" of each individual server.


         * MBSA: Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool designed for the IT professional that helps small- and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Improve your security management process by using MBSA to detect common security misconfigurations and missing security updates on your computer systems.

 

 

 

9. Antivirus & NAP

Antivirus software is also a crucial step in hardening a server. Windows Server 2008 offers a set of tools which can help combat unauthorized network access and malicious code execution.


Windows Server 2008 offers Network Access Protection (NAP), which helps administrators prevent viruses from spreading into the network. Windows Server 2008 NAP uses a set of policies which remediate the affected machines and, once they are healthy, permit them access to parts of your production network.

NAP consists of client-server technology which scans and identifies machines that don't have the latest virus signatures, service packs or security patches. Some of the key functions of a Windows Server 2008 NAP server include:

* Validating machines: the mission of NAP is to preserve the integrity of the network by allowing only healthy machines to have IP addresses.

* Restricting network access: computers or servers which don't meet the established policy standards can be restricted to a "quarantine" subnet where the security issues can later be remediated.

* Fixing unhealthy machines: Windows Server 2008 NAP has the ability to direct hosts to a remediation server, where the latest antivirus signatures and patches are deployed through SMS packages.


 

10. Least Privilege

The concept of least privilege has been adopted by many of today's industry standards. A hardened server needs to have all its access reduced to a bare operational minimum. Most known security breaches are caused by elevated privileges held by accounts. Server services should not be configured using enterprise-wide administrator accounts. Windows Server 2008 has a couple of tools which can aid administrators in granting or revoking access to specific sections of the server.

* Script Logic's Cloak: Script Logic Cloak is a product which enhances the Windows NT File System (NTFS) by providing increased security, more accurate audits and a vastly streamlined experience for users of the network.

* PolicyMaker Application Security: PolicyMaker is an add-on for the Group Policy Management Console (GPMC). This tool allows administrators to adjust application privilege levels to the lowest possible point in order to limit damages stemming from network attacks or user error. The ability to control security at such a granular level also helps organizations comply with regulatory mandates such as the Sarbanes-Oxley, HIPAA and Gramm-Leach-Bliley acts.
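The rule that services must not run under enterprise-wide administrator accounts can be checked with what Server 2008 already ships. The PowerShell below is an added example, not from the original article and not part of either product above: it lists services whose logon account is anything other than the three built-in service identities, reads the local Administrators group through the WinNT ADSI provider (no Active Directory module needed), and reports the overlap. It assumes PowerShell 2.0 and local administrator rights; account names in the comments are constructed.

```powershell
# Added example, not from the original article: find services that run under
# custom accounts and flag those accounts that are also local Administrators.
# Assumes PowerShell 2.0 and local administrator rights.

function Get-ServicesWithCustomAccounts {
    # The three built-in service identities are expected; anything else needs a reason
    $builtIn = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
    Get-WmiObject Win32_Service |
        Where-Object { $builtIn -notcontains $_.StartName } |
        Select-Object Name, StartName, State, PathName
}

function Get-LocalAdministrators {
    # WinNT provider enumerates direct members of the local Administrators group
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Get-AdminServiceAccounts {
    # A service account such as CONTOSO\svc_backup (constructed name) that is a direct
    # member of Administrators violates least privilege. Membership through a nested
    # group (for example Domain Admins) is not resolved here, so review those by hand.
    $admins = @(Get-LocalAdministrators)
    Get-ServicesWithCustomAccounts | Where-Object {
        $user = $_.StartName.Split('\')[-1]
        $admins -contains $user
    }
}

Get-ServicesWithCustomAccounts | Format-Table Name, StartName, State -AutoSize
Get-LocalAdministrators
Get-AdminServiceAccounts | Format-Table Name, StartName, PathName -AutoSize
```

A service account that needs elevated rights on one folder or registry key should be granted exactly that (icacls or a regini script) rather than membership in Administrators, which is the "bare operational minimum" this step asks for.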


In the next post I will go over each feature described here, creating a step-by-step guideline on how to configure and install the following features:

 

* SCW

* Bitlocker

* NAP

* Windows Firewall with Advanced Security
