Posted: 4/13/2006 3:36:30 PM EDT
|
What kind of programs and such do you use to secure a server? I'm doing a final exam/project in one of my classes, and our job is to secure a Windows 2k3 server so that a hacking team can't get in. I'm looking for real simple, basic stuff. We've got Zone Alarm running, and a CA on the network to use with IPSec. Will update later. |
|
Here is the OS hardening procedure I follow for win2k3 boxes. Hope this helps.

ETA: I know you said basic, so here's a few quick things you can do:

Applications:
- Active Ports (download.com)
- Process Explorer (download.com)
- Registry Explorer

Anti-Malware/Spyware/Virus:
- Spybot Search and Destroy
- Spyware Doctor
- ClamWin

Close down any unused ports. Make sure the system is FULLY updated. Remove Guest accounts. Turn off file sharing. Encrypt any connections made to any other box (via VPN, SSH, TightVNC, etc.). Have a good password with mixed numbers, letters, characters (minimum of 8 chars). That should keep ya busy for a while.

OS Hardening for Windows 2000 & 2003

1. Check to see if the server has been compromised. We do NOT harden compromised servers.
• This can be done by running one of the following free virus scans: http://housecall.trendmicro.com/ or http://www.download.com/McAfee-VirusScan/3000-2239_4-10447467.html
• Process Explorer and Active Ports are also good tools that can be used to determine if the server has been compromised.

2. Automatic Updates
Control Panel > Automatic Updates
• Run Automatic Updates on the server to ensure it is running the latest service pack. Then set Automatic Updates to download and automatically install on Mondays at 3am.

3. Update XML to Service Pack 4
• http://www.microsoft.com/downloads/details.aspx?FamilyID=3144b72b-b4f2-46da-b4b6-c5d7485f2b42&DisplayLang=en#filelist

4. Windows Firewall
• If the customer doesn't currently have a hardware firewall and is not interested in purchasing one, convince them to use the built-in Windows firewall. Make sure to tell the customer that we will do the initial firewall configuration but they must administer the firewall after that point.
• If the Security Configuration Wizard is not installed you can install it from the Add/Remove Windows Components menu. After you start the firewall wizard it will walk you through several questions.
Administrative tools > Security Configuration Wizard. The section that we are most concerned about is Network Security. In that section place a check mark next to the ports you want opened. If any ports you need opened are not listed, click Add and insert the port number in the text box. Continue to follow the wizard. At the end you will be given the option to apply the firewall rule now or later. Select now and you're finished.

5. Manage Accounts
My Computer > Manage
• Rename the Administrator account and change the password to a more complex password.
• Create a user named Administrator, remove all groups from this user and disable the account. This account will be used as a decoy. Add "decoy" under the description of this account to eliminate confusion for the customer.
• Disable the Guest account.

6. Internet Information Services
Administrative tools > IIS
• Stop the default FTP site.
• Verify that anonymous FTP is disabled.
• Stop the default SMTP server.
• Banner grabbing (telnet for information).
• Delete the printers virtual directory under the default website.
• Tell the customer to disable parent paths under app options. **This may have adverse effects**

6.1 - WWWROOT folder permissions (c:\inetpub\wwwroot):
• Administrators: Full Control
• NT System/Authority: Full Control
• System: Full Control
• Web Anonymous User And Applications: Deny
• IUSR_Machinename: Read
• IWAM_Machinename: Read

6.2 - W3C logging tab: check for the following under Advanced Logging (Website > Properties > W3C > Properties):
• Client IP Address, User Name, Method, URI Stem, HTTP Status, Winstatus, User Agent, Server IP Address, Server Port

6.3 - FTP server FTPROOT folder permissions (c:\inetpub\ftproot):
• Administrators: Full Control
• System: Full Control
• Anonymous User: Deny all

6.4 - FTP W3C logging tab: same as WWW above.

7. DNS
• Disable zone transfers; lock down to slave servers only.

8. SQL Server
• Recommend customer install latest service packs.
• Recommend SQL Server Lockdown Script from SQLSECURITY.COM.
• Enable integrated Windows authentication.
• Configure sa account password to be a minimum of 14 characters, high complexity.
• Configure SQL Server logging such that authentication failures against SQL services will be reported to the Windows Event Viewer reporting matrix.
• Check SQL Agent settings and jobs.

9. Event Viewer
Administrative tools > Event Viewer
• Increase maximum log size to 16384K.
• Clear each event log.

10. Services to Disable
Administrative tools > Services
• Alerter - Used to notify admin of events
• ClipBook - Creates and shares data for viewing remotely
• Computer Browser (except Domain Controllers) - Maintains a list of computers on the network
• Distributed Link Tracking Client - Maintains links between NTFS files across computers in a domain
• Distributed Link Tracking Server - Stores info on files for each volume in the domain
• Fax Service (Win 2000) - Allows fax messages
• File Replication - Automatic copying of file changes to other servers
• IMAPI CD-Burning - Enables CD-burning service
• Indexing Service - Provides rapid access to files through flexible querying
• Intersite Messaging - Used for mail-based replication between Active Directory sites
• License Logging Service - Monitors client access licensing for IIS
• Message Queuing - Tool for developing messaging applications for Windows
• Messenger - Sends messages from users
• NetMeeting Remote Desktop Sharing - Allows NetMeeting sessions
• Network DDE DSDM - Used by Network DDE to manage shared conversations
• Portable Media Serial - Retrieves the serial number of portable music players
• Print Spooler - Manages local printer queues
• Remote Desktop Help Manager - Manages Remote Assistance
• Remote Procedure Call Locator - Enables RPC clients using the RpcNs family of APIs to locate RPC servers
• Remote Registry Services - Enables remote users to edit the registry
• Resultant Set of Policy Provider - Simulates Resultant Set of Policy for Group Policy settings
• Smart Card - Manages access to smart cards
• Telephony - Provides support for telephony devices
• Telnet - Provides terminal sessions to telnet clients
• UPS - Manages UPS systems
• Windows Audio - Manages audio devices
• Windows Image Acquisition (WIA) - Provides services for scanners
• Wireless Configuration - Enables wireless adapters

11. Local Security Settings
Administrative tools > Local Security Policy
• Password Policy
  • Max password age: 42
  • Min password age: 5 days
  • Min password length: 10
  • Password complexity requirements: Enabled
• Account Lockout Policy
  • Account lockout threshold: 10 invalid attempts
  • Account lockout duration: 20 minutes
  • Reset account lockout after: 20 minutes

11.1 Audit Policies (Successes and Failures)
• Logon Events
• Account Management
• Policy Changes

11.2 Failure Only
• System Events
• Privilege Use

11.3 User Rights
• Log on as a batch job (ensure no user accounts are in this list).
• Log on as a service (ensure no user accounts are in this list).
• Change System Time: remove Power Users.
• Debug Programs: remove Administrators group.
• Force Shutdown: remove Operators group.
• Load Device Drivers: remove Print Operators group.

11.4 Security Options
• Interactive Logon: Do not display last username - Enabled
• Network Access: Allow anonymous SID - Disabled
• Network Access: Do not allow anonymous SAM accounts - Enabled
• Network Access: Do not allow anonymous SAM shares - Enabled
• Network Access: Let Everyone permissions apply to anonymous users - Disabled
• Network Access: Enumeration countermeasure, Restrict Anonymous Access, No access without explicit permission - Enabled*
• Microsoft Network Client: Send unencrypted password - Disabled
• Shutdown: Allow system to be shut down without logging on - Enabled
• Microsoft Network: Automatically log off users when logon time expires - Disabled
• Devices: Restrict CD-ROM/Floppy to locally logged-on users - Enabled
• Interactive Logon: Message title for log on: "Warning!"
• Interactive Logon: Message text: This commercial computer system is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy. Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to authorized site, ISP, and law enforcement personnel, as well as authorized officials of other agencies, both domestic and foreign, and The Planet Information Security team. By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of authorized site or The Planet Information Security team. Unauthorized or improper use of this system may result in civil and criminal penalties. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.
• Reload the policies: Security Settings > Reload

12. Registry Settings
• Clear paging file: run > regedit > (follow the path below):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SessionManager\MemoryManagement\ClearPageFile = 1
• Restrict anonymous logging: run > regedit > (follow the path below):
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\RestrictAnonymous = 1
• Restrict null session access: run > regedit > (follow the path below):
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameter\RestrictNullSessAccess = 1
• Remove administrative shares: run > regedit > (follow the path below):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\AutoShareServer = 0
• Registry enumeration countermeasure: run > regedit > (follow the path below):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedExactPaths
Click on Machine and delete the paths in the textbox.
• Registry enumeration countermeasure: run > regedit > (follow the path below):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths
Click on Machine and delete the paths in the textbox.

13. TCP/IP Stack Hardening (only do this on special occasions)
run > regedit > (follow the path below):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
• SynAttackProtect = 2
• TcpMaxPortsExhausted = 5
• TCPMaxHalfOpen = 350
• TCPMaxHalfOpenRetried = 200
• EnableDynamicBacklog = 1
• MinimumDynamicBacklog = 20
• MaximumDynamicBacklog = 20000

14. Verification
The following tools can be used to check for additional security holes:
• Nessus
• CIS Benchmark Audit and Scoring Tool: www.cisecurity.org
• Microsoft Baseline Security Analyzer: http://www.microsoft.com/technet/security/tools/mbsa2/default.mspx

15. GENERAL THOUGHTS FOR DISCUSSION:
1. Recommend security mailing lists/sites.
2. Tell the administrator to log off the server when they're finished working instead of just closing the window.
3. Recommend a firewall to lock down 3389/22/1434 to specific IPs.
4. FTP
4.1 FTP traffic is always sent in clear text and can be a big security risk.
4.2 Countermeasures: No account with server-wide administrative privileges is ever used to connect to the FTP service. Only base user accounts should be used for FTP. If multiple FTP users need to be prevented from seeing each other's home directories, use a system of nested virtual directories. Specify the user accounts that will have access to subdirectories individually.
5. Brute Force Attacks: Windows FTP User Account
5.1 Countermeasure: Account lockout configuration. Regularly audit the security logs for evidence of account lockout events so that you can be aware of brute force attempts and take appropriate countermeasures. |
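The registry values in step 12, the optional TCP/IP values in step 13 and the service list in step 10 can be applied and then read back in one script instead of clicking through regedit and services.msc. The script below is an added example written for this thread, not something from the post above or its author. It assumes a local Administrator session on Windows Server 2003 with Windows PowerShell installed, and it uses the canonical key and value names (the key is "Session Manager\Memory Management" and the value is ClearPageFileAtShutdown, the share settings live under LanmanServer\Parameters); SynAttackProtect and the TcpMax* values sit under Tcpip\Parameters, while the three dynamic-backlog values are Winsock (AFD) settings and live under AFD\Parameters. The service list is a subset of step 10 picked for a typical web box; extend it to taste.

```powershell
# Added example (not from the original post): apply the step 12 registry settings,
# optionally the step 13 TCP/IP settings, disable the step 10 services, then read
# everything back so any setting that did not stick is flagged.
# Assumes: local Administrator on Windows Server 2003, Windows PowerShell installed.

$ErrorActionPreference = 'Stop'

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$afd    = 'HKLM:\SYSTEM\CurrentControlSet\Services\AFD\Parameters'

# Step 12: full value path => DWORD value to set.
$regSettings = @{
    'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown' = 1
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous' = 1
    "$lanman\RestrictNullSessAccess" = 1
    "$lanman\AutoShareServer"        = 0
}

# Step 13 is marked "only on special occasions" in the post, so it is opt-in here.
$applyTcpipHardening = $false
if ($applyTcpipHardening) {
    $regSettings["$tcpip\SynAttackProtect"]      = 2
    $regSettings["$tcpip\TcpMaxPortsExhausted"]  = 5
    $regSettings["$tcpip\TcpMaxHalfOpen"]        = 350
    $regSettings["$tcpip\TcpMaxHalfOpenRetried"] = 200
    $regSettings["$afd\EnableDynamicBacklog"]    = 1      # AFD, not Tcpip
    $regSettings["$afd\MinimumDynamicBacklog"]   = 20
    $regSettings["$afd\MaximumDynamicBacklog"]   = 20000
}

# Step 10 (subset): display names as shown in services.msc. Services that are not
# installed on this box (Telnet, Fax, ...) are skipped rather than failing the run.
$servicesToDisable = @(
    'Alerter', 'ClipBook', 'Computer Browser', 'Distributed Link Tracking Client',
    'Indexing Service', 'Messenger', 'NetMeeting Remote Desktop Sharing',
    'Print Spooler', 'Remote Registry', 'Telnet', 'Wireless Configuration'
)

function Set-RegDword([string]$fullPath, [int]$value) {
    $key  = Split-Path $fullPath -Parent
    $name = Split-Path $fullPath -Leaf
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # -Force overwrites an existing value and pins its type to REG_DWORD.
    New-ItemProperty -Path $key -Name $name -Value $value -PropertyType DWord -Force | Out-Null
}

function Get-RegDword([string]$fullPath) {
    $key  = Split-Path $fullPath -Parent
    $name = Split-Path $fullPath -Leaf
    if (-not (Test-Path $key)) { return $null }
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$name
}

# --- apply -------------------------------------------------------------------
foreach ($entry in $regSettings.GetEnumerator()) { Set-RegDword $entry.Key $entry.Value }

foreach ($display in $servicesToDisable) {
    $svc = Get-Service -DisplayName $display -ErrorAction SilentlyContinue
    if ($svc -eq $null) { continue }                       # not installed here
    Set-Service -Name $svc.Name -StartupType Disabled
    if ($svc.Status -eq 'Running') { Stop-Service -Name $svc.Name -Force }
}

# --- verify: one line per setting, MISMATCH on anything that did not stick -----
foreach ($entry in $regSettings.GetEnumerator()) {
    $actual = Get-RegDword $entry.Key
    $state  = if ($actual -eq $entry.Value) { 'OK' } else { 'MISMATCH' }
    '{0,-8} {1,-6} {2}' -f $state, $actual, $entry.Key
}
foreach ($display in $servicesToDisable) {
    $svc = Get-Service -DisplayName $display -ErrorAction SilentlyContinue
    if ($svc -eq $null) { continue }
    $mode  = (Get-WmiObject Win32_Service -Filter "Name='$($svc.Name)'").StartMode
    $state = if ($mode -eq 'Disabled') { 'OK' } else { 'MISMATCH' }
    '{0,-8} {1,-8} {2}' -f $state, $svc.Status, $display
}
```

ClearPageFileAtShutdown and the TCP/IP values only take effect after a reboot, so the read-back confirms the registry write, not the running behaviour. Two caveats from the post's own list: MBSA in step 14 needs the Remote Registry service when it scans a box remotely, so run that verification locally or before this script disables it, and AutoShareServer = 0 removes C$/ADMIN$, which some remote management and backup agents rely on.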
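Step 15.5 says to audit the security log for lockouts and brute-force attempts once step 11 has turned auditing on, but does not say how. The following is an added example for that check, not from the post or its author. It assumes Windows PowerShell 2.0 or later on the server (for New-Object -Property and -join), the Windows 2000/2003 event IDs (529 = logon failure, unknown user name or bad password; 644 = user account locked out) and the field labels of the 2003 message text ("User Name:", "Workstation Name:", "Target Account Name:", "Caller Machine Name:"). Run with -Sample it works on constructed events so the logic can be tried without a real log; without it, it reads the local Security log.

```powershell
# Added example (not from the original post): summarise failed logons per source
# workstation and list account lockouts from the Security log (step 15.5).
# Assumes Windows PowerShell 2.0+, Windows 2000/2003 event IDs and message layout.
param([switch]$Sample, [int]$Newest = 5000, [int]$Threshold = 10)

function Get-Field([string]$message, [string]$label) {
    # Event text is one "Label:<tabs>value" per line; ^\s* keeps "Caller User Name"
    # from matching a request for "User Name".
    if ($message -match "(?m)^\s*$label\s*:\s*(\S+)\s*$") { return $matches[1] }
    return $null
}

function Get-FailureSummary($events, [int]$threshold) {
    $byWorkstation = @{}        # workstation -> @{ Failures = n; Users = set }
    $lockouts = @()
    foreach ($e in $events) {
        switch ($e.EventID) {
            529 {
                $ws   = Get-Field $e.Message 'Workstation Name'
                $user = Get-Field $e.Message 'User Name'
                if ($ws   -eq $null) { $ws   = '<unknown>' }
                if ($user -eq $null) { $user = '<unknown>' }
                if (-not $byWorkstation.ContainsKey($ws)) {
                    $byWorkstation[$ws] = @{ Failures = 0; Users = @{} }
                }
                $byWorkstation[$ws].Failures++
                $byWorkstation[$ws].Users[$user] = $true
            }
            644 {
                $lockouts += New-Object PSObject -Property @{
                    Time    = $e.TimeGenerated
                    Account = Get-Field $e.Message 'Target Account Name'
                    From    = Get-Field $e.Message 'Caller Machine Name'
                }
            }
        }
    }
    # A workstation at or above the threshold is reported with every account it tried.
    $suspects = @(foreach ($ws in $byWorkstation.Keys) {
        $info = $byWorkstation[$ws]
        if ($info.Failures -ge $threshold) {
            New-Object PSObject -Property @{
                Workstation = $ws
                Failures    = $info.Failures
                Accounts    = (($info.Users.Keys | Sort-Object) -join ', ')
            }
        }
    })
    return @{ Suspects = $suspects; Lockouts = $lockouts }
}

# Constructed sample events (not real log data) in the 2003 message layout.
$failure529 = @"
Logon Failure:
 	Reason:		Unknown user name or bad password
 	User Name:	{0}
 	Domain:		WEB01
 	Logon Type:	3
 	Logon Process:	NtLmSsp
 	Authentication Package:	NTLM
 	Workstation Name:	{1}
"@
$lockout644 = @"
User Account Locked Out:
 	Target Account Name:	{0}
 	Target Account ID:	WEB01\{0}
 	Caller Machine Name:	{1}
 	Caller User Name:	WEB01$
 	Caller Domain:	WORKGROUP
 	Caller Logon ID:	(0x0,0x3E7)
"@
function New-SampleEvent([int]$id, [string]$message) {
    New-Object PSObject -Property @{ EventID = $id; TimeGenerated = Get-Date; Message = $message }
}
function Get-SampleEvents {
    $list = @()
    foreach ($i in 1..12) {                               # password guessing from one host
        $acct = if ($i % 2 -eq 0) { 'administrator' } else { 'srvadmin' }
        $list += New-SampleEvent 529 ($failure529 -f $acct, 'ATTACKBOX')
    }
    $list += New-SampleEvent 529 ($failure529 -f 'jsmith', 'CONSOLE1')   # one typo, benign
    $list += New-SampleEvent 644 ($lockout644 -f 'administrator', 'ATTACKBOX')
    return $list
}

$events = if ($Sample) { Get-SampleEvents }
          else { Get-EventLog -LogName Security -Newest $Newest -EntryType FailureAudit, SuccessAudit }
$summary = Get-FailureSummary $events $Threshold
"Workstations with $Threshold or more failed logons:"
$summary.Suspects | Format-Table Workstation, Failures, Accounts -AutoSize
"Account lockouts (event 644):"
$summary.Lockouts | Format-Table Time, Account, From -AutoSize
```

With -Sample the report lists ATTACKBOX with 12 failures against administrator and srvadmin, leaves CONSOLE1 out, and shows one lockout of administrator from ATTACKBOX. A locked decoy "Administrator" account from step 5 showing up here is a cheap tripwire: nothing legitimate should ever authenticate as it.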
No, I can't take any of the credit. Most of it was written by an ex-coworker and has been improved upon over time by many different security techs; however, I do have some hardening documentation that I did help write covering Red Hat Enterprise 4, as well as a case study on botnets using Snort and a sensor management system. I also have a complete written text on penetration testing, enumeration, and exploitation that I threw together as a reference guide, as well as a "desktop reference" for forensics (mostly just useful commands/tools). If anyone's interested in seeing these docs, lemme know and I can shoot ya an email. jason99xj, I would be very interested to see how your final exam project turns out (whether or not anyone is able to get into the server). |
TheStig, Yes, I'd be interested in all the stuff you mentioned. I tried using the e-mail button, but got a non-delivery message in return. Thanks, HBruns |
TheStig, I'd like to see what you've got written up if it's not much trouble. I'll be sure and post the results. My group is one class behind everyone else as we elected to work on a case study for our Cisco class, so we're kind of pressed for time to get the server set up. I can't guarantee how much I'm going to do of what you listed, but I'll definitely post what I did. There are maybe 6 groups in the class, so two groups pair up and try to attack each other's server. I've got no idea what everyone else is doing to protect theirs, and there are some IT professionals in the class so I'm anxious to see what happens with them.
Duly noted. |
|
Very good advice from TheStig. However, if they really want to hack your system, they can do so just by getting physical access to your box. All they need is a bootable O/S program and a password-cracking utility. Once they steal the SAM file, they can log in as an administrator. (I didn't give any program names, but jason99xj, if you PM me, I'll let you know the names... you can get yourself in a lot of trouble with them if they're used incorrectly.) If you're doing the project, see if they will let you lock the server in a room and not have physical access to it. Mention that with physical access to the box, they can do anything (which is why most of them are locked up). I doubt it will work, but it might get you extra points for pointing this out. Good luck, and let us know how it goes. |
|
Good ole eEye. Never fails. The DoD Windows hardening guide is pretty thorough, perhaps too restricting. The hardening procedure I posted above is used in the kind of environment that sees all types of traffic and 3rd party control panels and applications (i.e. Plesk/cPanel), so it's designed not to break certain things. Physical security is beyond the scope of that document since we cover that with strict datacenter access. If you wanted to be tin-foil paranoid... unplug the box, and bury it. "To guard against someone being able to access your data (and possibly delete it even if it is encrypted), you are left with one choice. Not only should you not execute any untrusted application, these days you also should not view any untrusted images, you shouldn't browse any untrusted Web sites, you shouldn't chat on any untrusted instant messaging platforms, and, upon further consideration, you probably shouldn't do anything that involves turning your computer on." If you wanna mess around with trying to break things, I highly recommend Metasploit Framework. |
While that might work for a small network, once you get up into enterprise-size configurations it will take more than one box to manage the flow, plus you need a ready redundant backup online at all times. A few claymores hung on the racks can discourage physical access. Good info in this thread. |
|
Physical access to the machines was not allowed and neither was any form of social engineering. Though we did try.

Update: It was a disaster. There were six groups, each of which used 2 computers. The first had a hardened Windows 2k3, the second was supposed to have a secured XP Pro running, and an unsecured VMware Windows Server 2k running. IP addresses were put on the board for everyone to see. Two groups were successful in accessing the VMware 2k/XP machine. Mine wasn't one of them. Nobody told how they gained access, so I'll have to find out next Thursday when we have a discussion.

First, the defense: I used most of what Stig posted for the 2k3 machine. Our XP machine used Zone Alarm and some misc. user configurations. The Windows 2000 VMware machine was left unsecured. Our 2k3 machine came under a DoS attack about half way through class, as did our XP machine. The group that was attacking us did not gain access to anything, including the Windows 2000 VMware machine.

For the offense: Here's where that whole 'disaster' thing kicked in. We tried using a few different scanners that we had used in class: Legion, SuperScan, GFI LANguard, and X-Scan. We were unsuccessful at finding any ports to attack, including on the supposedly unsecured Windows 2k3 machine. When we tried to use X-Scan, it only found our two machines. We left class disappointed and pissed off.

Observations: I think we should have had 4 separate machines per group, so we wouldn't have had to use VMware and so we could have a dedicated machine to attack from. Also, we should have set up a small network instead of trying to use the one that was set up in class. My group thinks that having XP secured and trying to have the VMware Windows 2k machine running at the same time was a mistake. More than once, our XP machine applied Windows Firewall to the VMware machine, so we think that was a big reason nobody could get into even the Windows 2k machine. I'm still kind of pissed.
If the class is offered again next spring, I'm going to consider taking it again. The IT program here isn't that well developed and there are only 2 instructors, so there are only a few classes offered each semester. This security class is the first time it's been offered. Thanks for all the replies and suggestions, fellas. |
|
Sorry to hear that. If you do it again, download nmap. It will run on windose or *nix. It is probably the best network scanner out there. If you are building an attack box, Linux is the best solution. From there try the SANS Top 20 exploits, then new M$ security alerts. Check out insecure.org for links to good tools. http://www.insecure.org/ |