Hardening Windows 2003 Web Servers

groundcomb, Internet and Web Development
Oct 31, 2013

© Ezenta A/S 2005

Agenda

- Physical Security
- OS Installation
- Account Policies
- Local Policies
- Services
- User Accounts
- IP Policies
- Permissions
- Hardening IIS
- Additional Hardening

General

Who should take this course

- System consultants
- Security consultants
- System architects
- Anyone who is responsible for the configuration and/or administration of a Windows 2003 environment

Strategy: creating a secure environment

- Secure current and/or new implementations of the Windows 2003 operating system.

Strategy: maintaining a secure environment

- Maintain a secure environment by staying on top of the security issues that are relevant to your installation.
- This is a proactive process!

Scope of this course

- This course focuses on the secure configuration of a Windows 2003 server hosting Internet Information Services (IIS) version 6.0.

Prerequisites

- Experience with IT security
- Experience with the MMC
- Experience deploying web applications in enterprise environments
- Some web application development knowledge is useful but not mandatory

What happens if I don't harden my web server?

- Most unhardened systems can be compromised within 72 hours.
- Corporate humiliation.
- You won't know whether your system has been, or is being, attacked.
- Money wasted on repair and downtime.
- Company data and secrets could be stolen.
- Some web sites are fed with data from the same database as other internal systems, so a compromised web server is a path into those systems as well.

Hardening one step at a time

(Chart: number of weaknesses per hardening step)

- Physical Security
- OS Installation
- Account Policies
- Local Policies
- Services
- User Accounts
- IP Policies
- Permissions
- Hardening IIS
- Additional Hardening

Prerequisites: what should be done first

- Install ALL necessary software and services before you begin.
- Make sure that they ALL work.

Why? If a piece of software or a service doesn't work after hardening, you need to know whether the hardening broke it or whether it never worked in the first place. Chasing that question is a waste of time.

Let's begin.

Physical Security

- We assume that physical security is in place.

OS Installation

- No system upgrades. Why? Too many grey areas. ONLY clean installations.
- Two partitions (we shall be using one):
  01: system files
  02: web applications
- Strong administrative passwords. Precomputed (rainbow-table) attacks on LM and NTLM password hashes make 8-character passwords trivial to break; passwords of 15 characters or more are not stored as LM hashes at all.
- Only install necessary components.
- Use a static IP instead of DHCP if possible (one less service).
- If there are multiple servers in the DMZ, consider making a DMZ domain from which critical servers inherit their baseline GPOs.

Proof of concept scan

Windows 2003 v. Windows 2000

- Why bother using Windows 2003? It is more secure by default.
- Can Windows 2000 be as secure? Yes, but it requires work.

We will use standard tools to inspect a default Windows 2003 installation.

Tools to use:

- Nmap. Scans to perform (-sS SYN scan, -sT full TCP connect scan, -P0 skip the ping sweep, -O OS fingerprinting, -g 53 send from source port 53, -p 1-65535 all TCP ports; -P0 is spelled -Pn in current Nmap releases):

  nmap -sS -P0 -O -p 1-65535 <target>
  nmap -sS -P0 -O -g 53 -p 1-65535 <target>
  nmap -sT -P0 -O -p 1-65535 <target>

- NStealth (the N-Stealth web server vulnerability scanner)

Windows 2003 target: xx.xx.xx.xx

Local Security Settings

Policies: Local Security Settings

Account Policies

- Never use dictionary words.
- Never reuse old passwords by altering only one digit.
- Never choose passwords based on pets, habits, likes or dislikes. Nobody should be able to work out a password by looking at the things on your desk.
- Use upper- and lowercase letters with symbols and numbers.
- Choose passwords based on phrases, e.g. Th15 comput3r i5 prot3cted by a str0ng p@ssword

Account Policies: Password Policy

  Enforce password history:                     24 passwords remembered
  Maximum password age:                         42 days
  Minimum password age:                         2 days
  Minimum password length:                      14 characters
  Password must meet complexity requirements:   Enabled
  Store passwords using reversible encryption:  Disabled

Account Policies: Account Lockout Policy

  Account lockout duration:             15 minutes
  Account lockout threshold:            10 invalid logon attempts
  Reset account lockout counter after:  15 minutes

Services

- What services does a web server need?
- Are you sure they are needed?
  YES: secure them.
  NO: remove them.
- This is the hardest part to get right.

Or...

System Settings

Isn't there a quicker way to change system settings? Yes. Meet the "Security Configuration and Analysis" snap-in.

Security Configuration and Analysis

- Run mmc
- File > Add/Remove Snap-in > Add > Security Configuration and Analysis > Add
- Right-click on Security Configuration and Analysis > Open Database
- Choose a file name > Open
- Navigate to "High Security Baseline.inf" > Open
- Right-click on Security Configuration and Analysis > Analyze Computer Now...
- Save the log to your desktop

The analysis only reports the differences between the template and the machine; nothing is changed until you run Configure Computer Now... (or the secedit command-line tool, which works on the same .inf templates and .sdb databases) after reviewing the log.
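The Account Policies values above and the template comparison the snap-in performs can both be checked from a script. The following Python is an added example, not part of the original deck and not a Microsoft tool: it parses the [System Access] section of an .inf template (the format `secedit /export` writes and the format of the baseline .inf the snap-in reads), reports every setting that is missing or weaker than the slides' password and lockout baseline, and renders a template carrying the baseline values. The SAMPLE_INF text is constructed, and the file name baseline.inf is this example's own.

```python
"""Audit the account policy of a Windows 2003 server against the slides'
password and lockout baseline. Added example; it is not part of the original
deck and not a Microsoft tool. Export the live settings on the server with
`secedit /export /cfg C:\\current.inf` (the file is UTF-16) and pass the text
to audit_template(). SAMPLE_INF below is a constructed export of an
unhardened server."""
import configparser
import io

# Baseline from the Account Policies slides, keyed by the names secedit uses
# in the [System Access] section of an .inf template.
BASELINE = {
    "PasswordHistorySize": 24,
    "MaximumPasswordAge": 42,
    "MinimumPasswordAge": 2,
    "MinimumPasswordLength": 14,
    "PasswordComplexity": 1,
    "ClearTextPassword": 0,   # "Store passwords using reversible encryption"
    "LockoutBadCount": 10,
    "ResetLockoutCount": 15,
    "LockoutDuration": 15,
}

# Constructed sample of a `secedit /export` from a default installation.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 1
PasswordHistorySize = 0
LockoutBadCount = 0
ClearTextPassword = 0
NewAdministratorName = "Administrator"
NewGuestName = "Guest"
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_template(text):
    """Return the [System Access] settings of an .inf template as a dict."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep secedit's CamelCase keys
    cp.read_file(io.StringIO(text))
    if not cp.has_section("System Access"):
        return {}
    return {k: v.strip() for k, v in cp["System Access"].items()}


def _meets(key, actual, required):
    """True if the exported value is at least as strict as the baseline."""
    if actual is None:
        return False
    if key in ("PasswordComplexity", "ClearTextPassword"):
        return actual == required
    if key in ("MaximumPasswordAge", "LockoutBadCount"):
        # 0 (and -1 for the age) mean "never"; larger values are weaker
        return 1 <= actual <= required
    if key == "LockoutDuration":
        # -1 means "locked until an administrator unlocks": stricter than 15 min
        return actual == -1 or actual >= required
    return actual >= required


def audit_template(text):
    """Map each baseline setting that is missing or too weak to
    (actual, required); an empty dict means the template is compliant."""
    current = parse_template(text)
    findings = {}
    for key, required in BASELINE.items():
        raw = current.get(key)
        actual = int(raw) if raw is not None and raw.lstrip("-").isdigit() else None
        if not _meets(key, actual, required):
            findings[key] = (actual, required)
    return findings


def render_template():
    """Emit an .inf that applies the baseline. Save it as UTF-16 and apply it
    with: secedit /configure /db baseline.sdb /cfg baseline.inf /areas SECURITYPOLICY"""
    lines = ["[Unicode]", "Unicode=yes", "[System Access]"]
    lines += [f"{k} = {v}" for k, v in BASELINE.items()]
    lines += ["[Version]", 'signature="$CHICAGO$"', "Revision=1"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for key, (actual, required) in audit_template(SAMPLE_INF).items():
        print(f"{key:24} is {actual!s:>5}, baseline requires {required}")
    print(audit_template(render_template()) == {})
```

Run it against the exported file and fix everything it lists before moving on; the comparison deliberately treats "0" for the lockout threshold and maximum age as failures, since in secedit's encoding those mean "never lock" and "never expire".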

User Accounts

Securing well-known user accounts

- Rename all built-in accounts: Administrator and Guest.
- Why? Everyone knows the names of these two Windows accounts, so 50% of a brute-force attack (the user name) is already common knowledge.
- The descriptions should also be altered.
- Renaming is not a substitute for a strong password: the built-in Administrator account keeps its well-known relative identifier (RID 500), so an attacker who can enumerate the SAM or the domain can still find it by SID.
- Assign strong passwords to these accounts, e.g. Th15 1s @ v3ry str0ng p@s5word don't y0u th1nk?
- Disable the default Guest account (if not already disabled by default).

IP Policies

Structure

IP filter advice: give your rules good names. Name each rule <POLICY> <DIRECTION> <SERVICE>, for example:

  Permit   INBOUND        HTTP(S)
  Permit   OUTBOUND       SSH
  Permit   OUTBOUND       DNS
  Permit   OUTBOUND       HTTP(S)
  Deny     BIDIRECTIONAL  ALL

Example scenario

A web server might look similar to this:

- Permit INBOUND: HTTP; HTTPS (if the site uses SSL); TS (Terminal Services, only if remote administration over the network is required, otherwise leave it out)
- Permit OUTBOUND: HTTP, HTTPS, DNS

IP Policies: Local Security Settings

(IP Security Policies on Local Computer, in the Local Security Settings console)

Let's get started

- Create IP Security Policy...
- Name: Secure Web
- Uncheck "Activate the default response rule"
- Check "Edit properties"
- Uncheck "Use Add Wizard"

Basic rules

Create 4 rules:

  Deny    BIDIRECTIONAL  ALL
  Permit  INBOUND        HTTP(S)
  Permit  OUTBOUND       HTTP(S)
  Permit  OUTBOUND       DNS

When you're done, assign your new policy.

Three things to keep in mind: filters are matched by specificity, not by the order you create them, so the specific permits win over the general deny; IPsec filters are stateless and mirrored by default, so a permit for outbound DNS (me:any -> any:53) also admits inbound packets to any port as long as they come from source port 53, which is exactly what the -g 53 scan in the next exercise checks; and on Windows Server 2003 IKE traffic (UDP 500) is exempt from the filters by default.
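The same four rules can be created without the wizard using netsh ipsec static, which scripts what the MMC clicks above do. The Python below is an added example, not from the original deck: it turns the rule table into the netsh commands. The service-to-port mapping (HTTP(S) = TCP 80 and 443, DNS = UDP and TCP 53) and the filter-action names WebPermit/WebBlock are this example's own choices; the netsh parameter names are those of Windows Server 2003.

```python
"""Generate the netsh commands that build the "Secure Web" IPsec policy from
the slides. Added example, not part of the original deck. Run the printed
lines in cmd.exe as an administrator on Windows Server 2003 (or save them and
run `netsh -f secureweb.txt`). The service-to-port table and the policy,
filter-list and filter-action names are this example's own choices."""

# Ports behind each service name used on the slides.
SERVICES = {
    "HTTP(S)": [("TCP", 80), ("TCP", 443)],
    "DNS": [("UDP", 53), ("TCP", 53)],
    "SSH": [("TCP", 22)],
    "TS": [("TCP", 3389)],
}

# The four basic rules, written exactly as the slides name them.
BASIC_RULES = [
    ("Deny", "BIDIRECTIONAL", "ALL"),
    ("Permit", "INBOUND", "HTTP(S)"),
    ("Permit", "OUTBOUND", "HTTP(S)"),
    ("Permit", "OUTBOUND", "DNS"),
]


def filter_spec(direction, proto=None, port=None):
    """Address/port part of one `netsh ipsec static add filter` command.

    Every filter is mirrored (the default), so an INBOUND filter any -> me:port
    also matches the server's replies, an OUTBOUND filter me -> any:port also
    matches the responses, and a single mirrored any <-> me filter is the
    BIDIRECTIONAL catch-all. Mirroring is stateless: the outbound DNS filter
    therefore also admits any inbound packet whose source port is 53."""
    if direction == "OUTBOUND":
        ends = "srcaddr=me dstaddr=any"
    else:  # INBOUND and BIDIRECTIONAL
        ends = "srcaddr=any dstaddr=me"
    if proto is None:
        return f"{ends} protocol=ANY mirrored=yes"
    return f"{ends} protocol={proto} srcport=0 dstport={port} mirrored=yes"


def netsh_script(policy="Secure Web", rules=BASIC_RULES):
    """Return the list of netsh commands for the policy, ending with assignment."""
    q = lambda s: f'"{s}"'
    cmds = [
        # activatedefaultrule=no is the same as unchecking
        # "Activate the default response rule" in the wizard
        f"netsh ipsec static add policy name={q(policy)} activatedefaultrule=no",
        "netsh ipsec static add filteraction name=WebPermit action=permit",
        "netsh ipsec static add filteraction name=WebBlock action=block",
    ]
    for action, direction, service in rules:
        name = f"{action} {direction} {service}"
        targets = [(None, None)] if service == "ALL" else SERVICES[service]
        cmds.append(f"netsh ipsec static add filterlist name={q(name)}")
        for proto, port in targets:
            cmds.append(
                f"netsh ipsec static add filter filterlist={q(name)} "
                + filter_spec(direction, proto, port)
            )
        fa = "WebPermit" if action == "Permit" else "WebBlock"
        cmds.append(
            f"netsh ipsec static add rule name={q(name)} policy={q(policy)} "
            f"filterlist={q(name)} filteraction={fa}"
        )
    # Filters are matched by specificity, not creation order, so the specific
    # permits take precedence over the catch-all block once the policy is live.
    cmds.append(f"netsh ipsec static set policy name={q(policy)} assign=y")
    return cmds


if __name__ == "__main__":
    print("\n".join(netsh_script()))
```

Keep a console session open when you assign the policy: the catch-all block applies to the server's own outbound traffic too, so a typo in the permit rules cuts off everything except the console.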

Let's look at the results

Tools needed: Nmap

Exercise

- Groups of two or three.
- Choose which computer will perform the scan.
- Un-assign the IP policy on the scanning computer, as it also blocks outbound traffic.
- Perform the following port scans against the hardened server:

  nmap -sS -P0 -O -p 1-65535 <target>
  nmap -sS -P0 -O -g 53 -p 1-65535 <target>
  nmap -sT -P0 -O -p 1-65535 <target>
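One way to read the results of this exercise alongside the proof-of-concept scan of the default installation: the Python below is an added example, not part of the original deck. It parses nmap's greppable output (add -oG before.gnmap and so on to the commands above) and compares a scan of the default installation with scans taken after the policy is assigned. The three captures are constructed to illustrate the format, not real results; the -g 53 capture shows what a stateless mirrored DNS filter can let through.

```python
"""Compare the proof-of-concept scan of the default installation with a scan
taken after the IPsec policy is assigned. Added example; the captures below
are constructed in nmap's greppable (-oG) format and are not real results.
Produce real ones with e.g.
  nmap -sS -P0 -O -p 1-65535 -oG before.gnmap <target>
and pass the file contents to compare()."""
import re

BEFORE = (
    "# Nmap 3.81 scan initiated (constructed sample)\n"
    "Host: 192.0.2.10 ()\tPorts: 80/open/tcp//http///, 135/open/tcp//msrpc///, "
    "139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, "
    "1025/open/tcp//NFS-or-IIS///, 3389/open/tcp//ms-term-serv///"
    "\tOS: Microsoft Windows 2003\n"
)
# -sS scan after assigning "Secure Web" (443 was enabled in the meantime).
AFTER = (
    "Host: 192.0.2.10 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, "
    "3389/filtered/tcp//ms-term-serv///\tIgnored State: filtered (65532)\n"
)
# Same scan with -g 53: packets arrive from source port 53, so a mirrored,
# stateless "Permit OUTBOUND DNS" filter lets them through to every port.
AFTER_G53 = (
    "Host: 192.0.2.10 ()\tPorts: 80/open/tcp//http///, 135/open/tcp//msrpc///, "
    "443/open/tcp//https///, 445/open/tcp//microsoft-ds///\n"
)

# port/state/protocol/ from each entry of the Ports: field
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")

# What "Permit INBOUND HTTP(S)" should leave reachable from the outside.
ALLOWED = {("tcp", 80), ("tcp", 443)}


def open_ports(gnmap):
    """Set of (protocol, port) reported open in a -oG capture."""
    found = set()
    for line in gnmap.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ports_field = line.split("Ports:", 1)[1]
        for port, state, proto in PORT_RE.findall(ports_field):
            if state == "open":
                found.add((proto, int(port)))
    return found


def compare(before, after, allowed=ALLOWED):
    """Report what the policy closed, what is still open, and what is open
    after hardening without being on the permit list."""
    b, a = open_ports(before), open_ports(after)
    return {
        "closed_by_policy": sorted(b - a),
        "still_open": sorted(a),
        "unexpected": sorted(a - allowed),
    }


if __name__ == "__main__":
    for label, capture in (("-sS", AFTER), ("-sS -g 53", AFTER_G53)):
        r = compare(BEFORE, capture)
        print(label, "closed:", r["closed_by_policy"])
        print(label, "unexpected:", r["unexpected"])
```

Anything in "unexpected" is a rule to fix before the server goes live; if the -g 53 scan lists ports the plain scan did not, the outbound DNS rule is too broad for a stateless filter, and DNS should be restricted to the addresses of your resolvers (dstaddr=dns) rather than any.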

File Permissions

Assigning correct NTFS permissions

  File type                                     Administrators  System        IUSR_SERVER
  CGI files: .EXE, .DLL, .CMD, .PL              Full Control    Full Control  Read & Execute, Read
  Script files: .ASPX, .ASP, .PHP               Full Control    Full Control  Read & Execute, Read
  Include files: .INC, .SHTML, .SHTM            Full Control    Full Control  Read & Execute, Read
  Static files: .HTML, .HTM, .TXT, .GIF, .JPG   Full Control    Full Control  Read
  Data files: .MDB                              Full Control    Full Control  Read, Write, Read & Execute, Modify

IUSR_SERVER stands for the anonymous web account, IUSR_<machine name>. On IIS 6.0 the application pool identity (Network Service, a member of IIS_WPG, by default) also needs Read & Execute on script and static content, because the worker process and not only the impersonated anonymous account opens the files. Modify includes Delete, so keep writable data files in their own directory rather than mixing them with scripts, and never grant the anonymous account Write on a directory that holds executable or script content.

Hardening IIS

- Web service extensions
- Application debugging
- Custom errors
- HTTP verbs
- URLScan
- Logging

Web Service Extensions

Predefined web service extensions

- Everything is turned off by default.
- A default IIS 6.0 installation will only serve sites with static pages (.HTML, .HTM).
- The predefined extensions are: Active Server Pages; ASP.NET version 1.1.4322; FrontPage Server Extensions 2002; Internet Data Connector; Server-Side Includes; WebDAV. Allow only those an application actually needs; leave Internet Data Connector, Server-Side Includes, FrontPage and WebDAV prohibited unless there is a documented requirement.

Application Debugging

Stop IIS from sending error messages to clients

Stop applications from sending debugging details to clients:

- Right-click on your web site in the IIS manager > Properties
- Home Directory > Configuration > Debugging (App Debugging)
- Select "Send text error message to client" and leave the text box blank (or enter a generic message), so that detailed ASP error messages, which reveal file paths and source lines, are never returned

Custom Errors

Redirect to a custom error page when an error occurs

Send custom error pages to clients for HTTP 500s and 404s:

- Right-click on your web site in the IIS manager > Properties > Custom Errors
- Double-click on 500
- Message type: URL
- URL: /<LOCATION OF CUSTOM PAGE>

Make certain that error 500 messages don't get sent to the browser! The default 500 page (and 500;100 for ASP errors) can leak stack traces and file paths.

HTTP Verbs

Limit access to HTTP verbs

- Remove all unneeded HTTP verbs from each application. Generally required: GET, HEAD, POST.

URLScan

URL filtering

What is URLScan? An ISAPI filter from Microsoft that inspects every request before IIS processes it and rejects those that do not match the rules in its configuration file, urlscan.ini.

What can it do?

- Enable/disable HTTP verbs
- Disable HTTP headers
- Enable/disable specific file extensions
- Disable character sequences
- Remove/alter the Server header
- Restrict header lengths

How does it work?

- Configuration file (urlscan.ini, read when the filter loads; restart IIS after changing it)
- Installation
- Fine tuning

Questions concerning URLScan?
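To make the configuration-file mechanics concrete, the Python below is an added example (a simplified model written for this page, not Microsoft's UrlScan filter). It loads a constructed, hardened urlscan.ini that uses UrlScan's real section and option names and runs sample requests through the same classes of check the slides list: verb allow-list, request limits, normalization and double-encoding, denied sequences, denied extensions, denied headers, and Server header removal.

```python
"""Model of how UrlScan applies urlscan.ini to a request and a response.
Added example: a simplified re-implementation for illustration, not
Microsoft's ISAPI filter. HARDENED_INI is a constructed configuration that
uses UrlScan's real section and option names; the requests are constructed."""
import configparser
import io
import urllib.parse

HARDENED_INI = """\
[options]
UseAllowVerbs=1
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=0
AllowDotInPath=0
RemoveServerHeader=1

[AllowVerbs]
GET
HEAD
POST

[DenyHeaders]
Translate:
If:

[DenyExtensions]
.exe
.cmd
.ida
.idq
.printer

[DenyUrlSequences]
..
./
\\
%

[RequestLimits]
MaxUrl=260
MaxQueryString=2048
"""


def load_ini(text):
    """urlscan.ini has bare list entries (no '=') and ':' in header names,
    so parse with no-value keys and '=' as the only delimiter."""
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep the case of verbs and header names
    cp.read_file(io.StringIO(text))
    return cp


def entries(cp, section):
    return list(cp[section].keys()) if cp.has_section(section) else []


def check_request(cp, verb, url, headers=None):
    """None if UrlScan would pass the request, otherwise the rejection reason.
    Checks run in roughly the order UrlScan applies them."""
    opt, headers = cp["options"], headers or {}
    if opt.getint("UseAllowVerbs", 0) and verb not in entries(cp, "AllowVerbs"):
        return f"verb {verb} not in [AllowVerbs]"
    path, _, query = url.partition("?")
    limits = cp["RequestLimits"] if cp.has_section("RequestLimits") else {}
    if len(path) > int(limits.get("MaxUrl", 260)) or len(query) > int(limits.get("MaxQueryString", 2048)):
        return "request exceeds [RequestLimits]"
    if opt.getint("NormalizeUrlBeforeScan", 1):
        decoded = urllib.parse.unquote(path)
        # VerifyNormalization rejects URLs that decode again to something
        # else, i.e. double encoding such as ..%255c.. (%25 -> % -> \)
        if opt.getint("VerifyNormalization", 1) and urllib.parse.unquote(decoded) != decoded:
            return "URL changes when decoded twice (double encoding)"
        path = decoded
    if not opt.getint("AllowHighBitCharacters", 0) and any(ord(c) > 127 for c in path):
        return "high-bit character in URL"
    for seq in entries(cp, "DenyUrlSequences"):
        if seq in path:
            return f"URL contains denied sequence {seq!r}"
    directory, _, leaf = path.rpartition("/")
    ext = "." + leaf.rsplit(".", 1)[1].lower() if "." in leaf else ""
    if ext in {e.lower() for e in entries(cp, "DenyExtensions")}:
        return f"extension {ext} in [DenyExtensions]"
    if not opt.getint("AllowDotInPath", 0) and "." in directory:
        return "dot in directory part of URL (AllowDotInPath=0)"
    present = {h.lower() for h in headers}
    for h in entries(cp, "DenyHeaders"):
        if h.rstrip(":").lower() in present:
            return f"header {h} in [DenyHeaders]"
    return None


def response_headers(cp, headers):
    """Strip or replace the Server header as RemoveServerHeader / AlternateServerName say."""
    out, opt = dict(headers), cp["options"]
    if opt.getint("RemoveServerHeader", 0):
        out.pop("Server", None)
    elif opt.get("AlternateServerName"):
        out["Server"] = opt["AlternateServerName"]
    return out


if __name__ == "__main__":
    cfg = load_ini(HARDENED_INI)
    for verb, url in [("GET", "/default.htm"), ("OPTIONS", "/"),
                      ("GET", "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir"),
                      ("GET", "/default.ida?NNNNNNNN")]:
        print(verb, url, "->", check_request(cfg, verb, url) or "allowed")
```

The model shows why the order of the options matters: the sequence and extension checks run on the decoded URL, so without NormalizeUrlBeforeScan and VerifyNormalization an encoded ".." or ".exe" would slip past them. Test a hardened urlscan.ini against the application's real URLs before deploying it, since AllowDotInPath=0 also rejects legitimate directory names containing a dot.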

Logging

Configuring logging

- Create separate logs for each site.
- Log folder permissions:
    Administrators: Full Control
    System: Full Control
    IUSR_SERVER: Read, Write, Modify, List Folder Contents, Read & Execute

Caveat: on IIS 6.0 the W3C, IIS and NCSA log formats are written by HTTP.sys under the Local System account, so the anonymous account does not need any access to the log folder. Write and Modify for IUSR_SERVER let a compromised web application tamper with or delete the evidence; grant them only if a specific application really writes there.

Additional Hardening

- Uninstallable components
- Special binaries

Uninstallable Components

1. Load "%systemroot%\inf\sysoc.inf" into Notepad.
2. Replace "hide" with "" (so that the hidden components appear in the Windows Components wizard).
3. Run Add/Remove Programs > Add/Remove Windows Components.
4. Remove any unwanted/unneeded components (be careful!).

Special Binaries

- Several executables that exist on a standard Windows 2000 (and 2003) installation could become rather useful to an attacker who gets code execution as the web account.
- Special access rights need to be set on all of these executables.

Special Binaries (cont.)

- Uncheck "Allow inheritable permissions from parent to propagate to this object".
- Remove all users from the name list, including SYSTEM.
- Assign "Full Control" to a user that is to be used to access these files, i.e. an administrator.

Be careful with SYSTEM: services, scheduled tasks (at.exe jobs) and some setup routines run as Local System and call cmd.exe, net.exe, cscript.exe and the like. Test that the server still patches, reboots and runs its maintenance jobs after restricting them.

Special Binaries (cont.)

rsh.exe, secfixup.exe, telnet.exe, tftp.exe, ipconfig.exe, nbtstat.exe, netstat.exe, ping.exe, qbasic.exe, rdisk.exe, regedt32.exe, net.exe, nslookup.exe, posix.exe, rcp.exe, regedit.exe, rexec.exe, tracert.exe, command.com, os2.exe, os2ss.exe, arp.exe, at.exe, atsvc.exe, cacls.exe, cmd.exe, debug.exe, edit.com, edlin.exe, finger.exe, ftp.exe, xcopy.exe, os2srv.exe, cscript.exe, wscript.exe, iisreset.exe, route.exe, runonce.exe, syskey.exe

(The list originates from the Windows 2000 guidance; several of these, such as rdisk.exe, qbasic.exe and the POSIX and OS/2 subsystem binaries, are not present on Windows 2003. Check which exist before scripting the ACL change.)

What have we learned today?

- Physical Security
- OS Installation
- Account Policies
- Local Policies
- Services
- User Accounts
- IP Policies
- Permissions
- Hardening IIS
- Additional Hardening

?