1 / 39

Security and Windows 2000

Security and Windows 2000. A guide to installation and configuration of Windows 2000 with emphasis on Internet Information Server (IIS) Al Lilianstrom x2028 Al.Lilianstrom@fnal.gov CD/OSS/CSI. What?. This talk describes how I build a Windows 2000 system I really do things this way

normac
Download Presentation

Security and Windows 2000

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security and Windows 2000 A guide to installation and configuration of Windows 2000 with emphasis on Internet Information Server (IIS) Al Lilianstrom x2028 Al.Lilianstrom@fnal.gov CD/OSS/CSI Securing Windows 2000

  2. What? • This talk describes how I build a Windows 2000 system • I really do things this way • I didn't think of all this by myself • This information comes from experience – my own and countless others • Yes - I have had a webserver defaced • Note - This is not CD, OSS, or CSI policy Securing Windows 2000

  3. Build the system securely • The system should be off the network from the time you start the OS installation until all patches are applied and all required changes are made • If you use a product like Ghost to load the PC over the network be sure the downloaded image is patched properly • NTFS filesystems only! • Windows 2000 Server – If this is going to be a web server pay attention to the install so you can choose what parts of IIS you want installed. Securing Windows 2000

  4. Build the system securely -2 Patches • Windows 2000 (Pro and Server) requires Service Pack 2 and numerous patches. • IIS requires even more patches • Batch files are provided to make installation easier • Patches are available at • \\pckits\fermi-rollup • \\pckits2\fermi-rollup (FERMI Domain) • http://pckits2.fermi.win.fnal.gov/fermi-rollup • \\beamssrv1\Win2k-Setup (Beams Domain) Securing Windows 2000

  5. Do I need a web server? • Think about this - • Can I publish this data elsewhere? • Am I going to pay attention to this server? • Alternatives • Professional home pages available in AFS space • Project web sites available on CD managed servers Securing Windows 2000

  6. Installing IIS – Two Choices • As part of the OS install • You have to do the post install changes for home and log directories. • Post OS install • A answer file can be created and the install run silently to put IIS where you want with the major options you want. See the following URL http://www.iisanswers.com/articles/Upgrading_to_IIS5/Changing_IIS5_install_location.htm • Permission settings and other post install configuration must be done with either method Securing Windows 2000

  7. Where to install? • Web servers should not be on any type of domain controller • Unless you absolutely have to, web servers should not be on fileservers • A separate system, while not necessarily cost effective, allows more flexibility and doesn’t have as much impact on regular business if the web server must be removed from the network or rebuilt. Securing Windows 2000

  8. IIS Installation Options • This is a good start • Note – • No Index Server • No FrontPage Extensions • Not all IIS options are selected • Only install what you need • Apply all applicable patches • This should be done off the network Securing Windows 2000

  9. Remember • The NT and Windows 2000 default location for the web server root is c:\inetpub\wwwroot. This has to be changed! • The default file permissions here are Everyone:Full Control • The default permissions for any new file system created in NT/W2K are Everyone:Full Control Securing Windows 2000

  10. Post Install (Still off the net) Prepare a new home for your web site. It should NOT be on the system disk. I normally use d:\inetpub. Create a wwwroot directory below inetpub. Be sure that permissions are set properly. By default IIS accesses files using the properties of the the IUSR_machinename account. Read only access! Securing Windows 2000

  11. Post Install (Still off the net) Open up the IIS MMC - there are known holes in MSADC and IISSAMPLES. Remove everything you don't need Securing Windows 2000

  12. Post Install (Still off the net) Move the logs. Default is c:\winnt\system32\logfiles. I tend to use d:\logfiles. Right click on the default web site and go to properties. Near the bottom make sure that logging is enabled and click on Properties. Securing Windows 2000

  13. Post Install (Still off the net) Change the logfiles directory to d:\logfiles and click on Ok. This is also where you would change the type of logfile generated and what properties are in the logfile. Securing Windows 2000

  14. Post Install (Still off the net) Click on the Home Directory tab and set the local path to d:\inetpub\wwwroot. (Note - this can also be a share on another computer) Click on apply. Securing Windows 2000

  15. Post Install (Still off the net) Click on Configuration. This will bring up the default script mappings. Remove all unnecessary items Securing Windows 2000

  16. Post Install (Still off the net) I usually leave the .asp mapping as I use these for some applications. The web site will function without this mapping so it can be removed if you don't need it. Click on OK and exit the MMC. Securing Windows 2000

  17. Post Install (Connect to the net) • At this time (assuming that you have applied all the appropriate patches) you can connect to the network. Good time to test the basic function of the web server. • Put a couple of files to test with in the root of your new web server. If you have a particular application that this web server is to be used for - install it and test. Securing Windows 2000

  18. Restricting Access - IP Address What is your target audience? On site? Off site? If this is meant to be a FNAL only site, IIS can (and should) be set to only accept connections from our network. Open up the IIS MMC and right click on the web site (or directory in the site) that you want to protect. Click on the Directory Security tab. Click on the Edit tab by the IP Address and Domain Name restrictions. Securing Windows 2000

  19. Restricting Access - IP Address Click on Add. Select Group of Computers and put in the Network ID and Subnet Mask as shown. Click on OK a couple of times to get back to the MMC. This site is now only available from machines on the Fermilab network. Other networks can be added. Securing Windows 2000

  20. Restricting Access – Headers You can require the use of host headers to access your pages. This keeps the script kiddies away as they are not using (at least not yet) DNS names in their attacks. With host headers enabled if the DNS name of the site is not included in the header of the request the the request is ignored. Current attacks fall in this category. To do this open the IIS MMC, right click on the web site and go to Properties. Click on the advanced button next to the IP address of the web site. Securing Windows 2000

  21. Restricting Access – Headers Edit and add DNS names to match your IP address. Click on OK to get back to the MMC. Warning- • This feature can't be used with SSL encrypted pages or sites • Older browsers will no longer be able to view the site Securing Windows 2000

  22. Restricting Access – Headers IP address based requests will fail The same request using a DNS name works Securing Windows 2000

  23. Restricting Access – Permissions IIS allows you to grant access to files based on NT username/password credentials. I only recommend doing this if the clients accessing the protected files meet the following: • Internet Explorer is the browser • The user has an account in the domain that the web server is configured to use for authentication Do NOT use any other browsers as the users domain password will be transmitted in the clear over the network. The Computer Security people won’t be happy with you… Securing Windows 2000

  24. Restricting Access – Permissions Open up the IIS MMC and right click on the web site/folder/file that you want to protect. Click on the Directory (or File) Security tab and then the Edit button next to Anonymous Access controls. Securing Windows 2000

  25. Restricting Access – Permissions Remove Anonymous access. Make sure that NT Challenge/Response is selected and Basic Authentication is NOT selected. Click on OK to get back to the MMC. Now your file permissions decide who gets to see the files. Securing Windows 2000

  26. Scripts • IIS can run scripts written in a variety of languages – Perl, VBScript, ASP or compiled programs from C, C++, etc. • Be careful how these are configured to run and how they run. • Some publicly available scripts have large security holes in them. • Watch permissions – some scripts like full control… Securing Windows 2000

  27. Other Options There are some other steps than can be taken to tighten security on a Windows 2000 installation • Disable any unnecessary services. The spooler, index server, and SNMP come to mind. If you must have SNMP configure it properly • Rename administrator account • Disable 8.3 filename support • Disable null session enumeration Securing Windows 2000

  28. Other Options • IIS Lockdown tool from Microsoft • URLCheck from Microsoft • Restrict access for command line tools to local System account and Administrators group • Remove write access for IUSR, IWAM, and Everyone group anywhere it exists. • Watch those share permissions Securing Windows 2000

  29. Scan the machine The Computing Division Computer Security Group will scan your machine on request and send you the results. Request this through your division/section GCSC (General Computer Security Contact) Use the results of this scan to modify your configuration as necessary. Do this before the machine goes into production. This would also be a good time to get a baseline backup of the system. Securing Windows 2000

  30. Scan the machine (cont’d) Microsoft distributes a free tool called hfnetchk. It uses a XML data file to compare your system to all known patches. It can be used by “* By users checking their own desktop systems, * By admins checking any system on which they have administrator access.” Matt Crawford crawdad@fnal.gov 8/17/2001 8:43 AM message to the pc-manager list. See the list archive for the complete text of the message (http://listserv.fnal.gov/archives/pc-manager.html) Securing Windows 2000

  31. Scan the machine (cont’d) C:\hfc3>hfnetchk -x mssecure.xml -h newpckits Microsoft Network Security Hotfix Checker, 3.2 Developed for Microsoft by Shavlik Technologies, LLC info@shavlik.com (www.shavlik.com) Using XML data version = 1.0.1.159 Last modified on 10/24/2001. * WINDOWS 2000 SERVER SP2 Patch NOT Found MS01-013 Q285156 NOTE MS01-022 Q296441 * Internet Information Services 5.0 INFORMATION All necessary hotfixes have been applied * Internet Explorer 6 Gold INFORMATION All necessary hotfixes have been applied. Securing Windows 2000

  32. Conclusion • Running a server connected to the internet requires discipline and attention. You need to watch your event logs and web server logs (if applicable). You need to be aware of the latest attacks and patches. Securing Windows 2000

  33. Links • Microsoft Security http://www.microsoft.com/security • IIS4 Security Checklist http://www.microsoft.com/technet/security/tools/iischk.asp • IIS5 Security Checklist http://www.microsoft.com/technet/security/iis5chk.asp • Microsoft IIS http://www.microsoft.com/technet/prodtechnol/iis/ • URLScan Security Tool http://www.microsoft.com/technet/security/tools/urlscan.asp Securing Windows 2000

  34. Links • LabMice.Net http://www.labmice.net/ • RealTime Publishers http://realtimepublishers.com/eBooks/ • IIS Lockdown Tool http://www.microsoft.com/technet/security/tools/locktool.asp • Security Focus http://www.securityfocus.com/infocus/1311 • NSA Security Guides http://nsa1.www.conxion.com/win2k/download.htm Securing Windows 2000

  35. Links • Patch CD available for offline builds. This is a mirror of the PCKITS site. ISO image is available if you want to burn your own – See the OSS home page at http://www-oss.fnal.gov under Miscellaneous • Technical assistance available. Don't be afraid to ask! • helpdesk@fnal.gov • pc-manager@fnal.gov Securing Windows 2000

  36. Mailing Lists • Microsoft Product Security Notification Service http://www.microsoft.com/technet/security/bulletin/notify.asp • NTSysadmin, Active Directory, Windows Security http://www.sunbelt-software.com/forums/ • NT Bug Traq - http://www.ntbugtraq.com/ • Win2K Security, Security Update - http://www.ntsecurity.net/ • VulnWatch - http://www.vulnwatch.org/ • WINNT-L - http://peach.ease.lsoft.com/archives/winnt-l.html Securing Windows 2000

  37. Publications • Mastering Windows 2000 Server – Mark Minasi • Windows & .Net Magazine • Microsoft Resource Kits In my opinion – the best resources are online Securing Windows 2000

  38. Miscellaneous • If you are a administrator of a system on the Fermilab network you should be a registered system admin - See http://miscomp.fnal.gov/sysadmindb/ • Manage NT/2000/etc • Join the pc-manager list http://listserv.fnal.gov/users.asp#subscribe%20to%20list • Join the Microsoft Security bulletin mailing list http://www.microsoft.com/technet/security/bulletin/notify.asp Securing Windows 2000

  39. Questions? Securing Windows 2000

More Related