Sunday, June 26, 2005

SBS 2003 & Security... Things you need to do to a new install

Top 10 Security Recommendations
To expedite installation and configuration, setup doesn't enable several obvious security controls. Here's a list of 10 adjustments you can implement to make the server more secure and to monitor events that might warn of malicious activity. The fastest way to implement these controls on workstations and servers that aren't domain controllers (DCs) is to modify the Domain Security Policy settings under Administrative Tools. The price you pay for using the fastest method is that, after you alter the default policies, you can't revert to a previously working Group Policy. If you prefer to work with a guaranteed fallback position, you should create separate Group Policy Objects (GPOs) that implement these settings on the server and SBS clients.

1. Administrator account: To eliminate a well-known target, rename the administrator account on the server. Perform this task manually in the Server Management Users key (right-click Administrator and select Rename User from the drop-down menu). The online Help gives step-by-step instructions for using a GPO to automatically rename the Administrator account on the server and all Windows XP and Win2K workstations.

2. Passwords: Setup prompts you several times to enable a password policy that enforces length, complexity, and password-history rules. If you don't enable the password policy during the initial setup, you can enable the default password policy later by expanding the Users link in the Server Management console and clicking Configure Password Policies. You can also enable a password policy by modifying the Domain Security Policy under Administrative Tools. The Server Management Users link displays only accounts that you add after the server is up and running; to view the built-in accounts and groups, open the Active Directory Users and Computers link under Advanced Management.

3. Interactive and network account lockout: Setup doesn't enable account lockout for failed local or network logon attempts. To enable account lockout for failed interactive and network logons, go to Start Menu, Administrative Tools and open the Default Domain Security Policy. Expand the Account Policies key and define all three account-lockout controls. I routinely set the lockout threshold to 3 and the duration and reset values to 47.

4. Remote access account lockout: If you offer VPN access to the server, you should also enable remote access account lockout. Remote account lockout has no GUI interface, so to implement this feature you must modify the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Parameters\AccountLockout registry subkey as follows:

* The value entry MaxDenials:REG_DWORD enables or disables remote access account lockout. This feature is disabled by default, so MaxDenials is initially set to 0. To enable lockout, set MaxDenials to the desired number of failed logon attempts that will lock out the account.

* The value entry ResetTime:REG_DWORD defines the number of minutes the account will remain locked out. By default, this value is 2880 minutes. I recommend you change the ResetTime to a more reasonable value between 30 and 47 minutes.
When RRAS locks out an account, the service creates a temporary registry key below AccountLockout by using the format \. You can manually reset a remote account lockout by deleting this key, which is a handy tip when emergencies arise.
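Added example, not part of the original article: a PowerShell script that reads the two remote access lockout values from item 4, reports whether lockout is enabled, lists the per-account subkeys RRAS creates for locked-out users, and (only with -Apply) sets the recommended values. It assumes Windows PowerShell 2.0 or later on the SBS server and uses the full documented RRAS key path, HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout; the defaults of 3 attempts and 47 minutes follow the article's recommendations.

```powershell
# Added example: inspect (and, with -Apply, set) the RRAS remote-access lockout
# values MaxDenials and ResetTime described in item 4. Run on the SBS server.
param([switch]$Apply, [int]$MaxDenials = 3, [int]$ResetTime = 47)

# Full documented key path for the Routing and Remote Access service
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout'
if (-not (Test-Path $key)) { throw "AccountLockout key not found; is RRAS installed?" }
$props = Get-ItemProperty $key

# Out-of-the-box defaults: MaxDenials = 0 (lockout disabled), ResetTime = 2880 minutes
$curDenials = 0;    if ($props.MaxDenials -ne $null) { $curDenials = [int]$props.MaxDenials }
$curReset   = 2880; if ($props.ResetTime  -ne $null) { $curReset   = [int]$props.ResetTime }
if ($curDenials -eq 0) {
    "Remote access lockout is DISABLED (MaxDenials = 0)"
} else {
    "Remote access lockout ENABLED: $curDenials failed logons lock the account, reset after $curReset min"
}

# Each currently locked-out remote account appears as a subkey under AccountLockout;
# deleting that subkey is the manual reset the article describes
$locked = Get-ChildItem $key -ErrorAction SilentlyContinue
if ($locked) {
    "Currently locked-out remote accounts:"
    $locked | ForEach-Object { "  " + $_.PSChildName }
} else {
    "No remote accounts are currently locked out"
}

if ($Apply) {
    Set-ItemProperty $key -Name MaxDenials -Value $MaxDenials -Type DWord
    Set-ItemProperty $key -Name ResetTime  -Value $ResetTime  -Type DWord
    "Set MaxDenials = $MaxDenials and ResetTime = $ResetTime minutes"
}
```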

5. Security auditing: Setup enables success auditing for six of the eight security audit categories on SBS DCs. Although success auditing helps you track user activity, failure auditing is the only way you can track potential intrusion attempts. At a minimum, enable failure auditing for account logon events, account management, logon events, policy change, and system events. On SBS workstations, enable failure audits for account management, logon events, policy change, and system events. Workstation Security event logs can expedite the process of diagnosing and isolating an infected system.
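Added example, not part of the original article, covering items 3 and 5 together: a PowerShell check that exports the effective security policy with secedit and compares the three account-lockout controls and the failure-audit categories against the values recommended above. It assumes Windows PowerShell on the SBS server; the INF value names (LockoutBadCount, AuditLogonEvents and so on) are the ones secedit itself writes.

```powershell
# Added example: export the effective security policy with secedit and compare
# the account-lockout settings (item 3) and failure auditing (item 5) against the
# article's recommendations. Read-only; the recommended values are the article's.
$inf = Join-Path $env:TEMP 'sbs-policy-export.inf'
secedit /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null

# secedit writes a UTF-16 INF; load "Name = Value" lines into a hashtable
$policy = @{}
Get-Content $inf -Encoding Unicode | ForEach-Object {
    if ($_ -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $policy[$matches[1]] = $matches[2] }
}

# Item 3: all three lockout controls defined, threshold 3, duration and reset 47 minutes
$lockoutChecks = @{
    'LockoutBadCount'   = 3    # failed attempts before the account locks
    'LockoutDuration'   = 47   # minutes the account stays locked
    'ResetLockoutCount' = 47   # minutes before the failed-attempt counter resets
}
foreach ($name in $lockoutChecks.Keys) {
    $actual = $policy[$name]
    if ($actual -eq $null) {
        "FAIL $name is not defined (account lockout is off)"
    } elseif ([int]$actual -ne $lockoutChecks[$name]) {
        "WARN $name = $actual (recommended $($lockoutChecks[$name]))"
    } else {
        "OK   $name = $actual"
    }
}

# Item 5: failure auditing for these categories. secedit encodes each category as
# 0 = none, 1 = success, 2 = failure, 3 = both, so bit 2 set means failures are audited.
$auditCategories = 'AuditAccountLogon', 'AuditAccountManage', 'AuditLogonEvents',
                   'AuditPolicyChange', 'AuditSystemEvents'
foreach ($name in $auditCategories) {
    $value = 0
    if ($policy[$name]) { $value = [int]$policy[$name] }   # undefined category counts as 0
    if (($value -band 2) -eq 2) {
        "OK   $name audits failures (value $value)"
    } else {
        "FAIL $name does not audit failures (value $value)"
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue
```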

6. NetBIOS and WINS: SBS supports legacy Windows 9x clients that rely on NetBIOS name resolution. When you consider how unreliable these old systems are and the long history of successful NetBIOS exploits, the decision to support legacy clients is difficult to understand. If you can mandate that all SBS customers use XP and Win2K workstations, you can tighten security by stopping the WINS service (this closes two open TCP ports and two open UDP ports) and setting the startup type to disabled. If you can live without NetBIOS, you should also disable LMHOSTS lookup and NetBIOS over TCP/IP (NetBT) on all network adapters. Setup enables both these features by default on the adapter for the internal network.
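Added example, not part of the original article: a read-only PowerShell report of the legacy name-resolution exposure described in item 6, covering the WINS service state and start type and the NetBIOS over TCP/IP and LMHOSTS lookup settings of each IP-enabled adapter. It assumes Windows PowerShell on the SBS server and uses the Win32_Service and Win32_NetworkAdapterConfiguration WMI classes.

```powershell
# Added example: report the WINS service and per-adapter NetBT / LMHOSTS settings
# from item 6 so you can see which adapters still expose legacy name resolution.
$wins = Get-WmiObject Win32_Service -Filter "Name = 'WINS'"
if ($wins) {
    "WINS service: state = $($wins.State), start type = $($wins.StartMode)"
    if ($wins.State -ne 'Stopped' -or $wins.StartMode -ne 'Disabled') {
        "  -> item 6 recommends stopping WINS and setting its startup type to Disabled"
    }
} else {
    "WINS service is not installed"
}

# TcpipNetbiosOptions: 0 = use the DHCP server's setting (default), 1 = enabled, 2 = disabled
$netbtNames = @{ 0 = 'Default (via DHCP)'; 1 = 'Enabled'; 2 = 'Disabled' }
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    $netbt = $netbtNames[[int]$_.TcpipNetbiosOptions]
    "Adapter: $($_.Description)"
    "  NetBIOS over TCP/IP : $netbt"
    "  LMHOSTS lookup      : $($_.WINSEnableLMHostsLookup)"
    if ([int]$_.TcpipNetbiosOptions -ne 2 -or $_.WINSEnableLMHostsLookup) {
        "  -> legacy NetBIOS name resolution is still active on this adapter"
    }
}
```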

7. Remote access connections: If your site has more stringent security requirements, for example, a law office or drug-testing facility, I recommend you modify the default Remote Access Policy to negotiate Layer Two Tunneling Protocol (L2TP) instead of PPTP connections. When you enable any type of incoming VPN connections, the remote access wizard automatically creates an IP spoofing filter on the external interface to prevent users on the Internet from masquerading as an internal system to gain access to network resources.

8. Server monitoring and reporting: Configure and activate the Monitoring and Reporting tool. This utility uses a SQL Server MSDE 2000 database engine to store and report data that affects system performance, preconfigured and site-specific alerts, services that should be running but are stopped (e.g., the spooler service or WINS), warning and error messages in the six event logs, and system shutdown and restart activity. Review the logs frequently to monitor server usage and critical security events.

9. Client administrator group: The SBS client setup utility automatically adds local user accounts to the workstation's Administrators group. To limit potential damage from malicious software (malware) that runs in the context of the locally logged-on user, you might want to move local accounts out of the Administrators group and into the Users group.

10. Test your firewall: Regardless of whether you have a separate firewall or you enable the SBS basic firewall, run Nmapwin (see "Tools for Your Security Arsenal") to probe the Internet connection and the internal network connection. After you identify the firewall's attack surface, run Active Ports to identify which process or service is listening on which port (and which TCP/IP address). Using information from both tools, you can further reduce the network's exposure by adding firewall rules or stopping services that aren't required.


Anonymous said...

Very handy. Thanks Gordon.

Anonymous said...

Thanks. Please can you say if the account lockout facility you suggest for remote access should also stop FTP hackers.


Anonymous said...

Thanks for your help.