Apply Defense-in-Depth to Increase Security
Defense-in-depth provides multiple layers of defense to protect a network environment.
- Policies, Procedures, and Awareness - security documentation and user education
- Physical Security - guards and/or locks
- Perimeter - firewalls
- Internal Network - network segments (subnets), IPsec
- Host - OS hardening (latest patches and updates), authentication
- Application - application hardening and testing, antivirus updates
Core Server Security Practices
Core server security practices should be developed to effectively manage and maintain our servers.
- Always apply and test the latest service pack and all available security updates
- Use the Security Configuration Wizard (SCW) to implement server security
- Use Group Policy to apply security templates to servers and manage the servers
- Restrict scope of access for service accounts
- Restrict who is able to log on locally to servers
- Restrict physical and network access to servers
Security Configuration Wizard (SCW)
SCW reduces the attack surface of the server:
- You can create a security policy now and apply it later. Policies are saved as XML files, so they can be opened in an XML editor and changed if needed.
- You can roll back a security policy if it turns out to cause a problem.
- You can use IPsec to block unused ports and secure the ports that are left open.
- It reduces protocol exposure.
- You can configure audit settings.
- You can disable unnecessary services.
Note: Before you run the SCW on a Server 2008 computer, make sure you have all the roles and applications installed, so that it can make an effective scan of the ports in use and the services required, and generate an appropriate policy.
What exactly is Windows Firewall?
Windows Firewall is a stateful host-based firewall that:
- Filters both incoming and outgoing network traffic
- Can be managed either from the Control Panel tool or from the Windows Firewall with Advanced Security MMC console
- Integrates firewall filtering and IPsec protection settings
- Supports Group Policy
- Is enabled by default
Reference: Security rules for Windows Firewall and for IPsec-based connections in Windows Vista and in Windows Server 2008
Demo – Security Configuration Wizard
- Start | Administrative Tools | Security Configuration Wizard
- Click Next
- Configuration Action. Choose Create a new security policy. The available actions are:
- Create a new security policy
- Edit an existing security policy
- Apply an existing security policy
- Rollback the last applied security policy
- Click Next
- Select Server. In the Server text box, type: nyc-dc1
- Click Next
- Processing Security Configuration Database. Click View Configuration Database. SCW examines the local machine to determine which roles and services are installed. Accept the ActiveX warning. Scroll through and read the list in each of the following sections:
- Server Roles
- Client Features
- Administration and Other Options
- Services
- Windows Firewall
- Close the viewer dialog box after the above is viewed.
- Click Next
- Role-Based Service Configuration. We can configure security based on the roles this server is running. Click Next
- Select Server Roles. You can see the currently installed and active roles on the server. You can view:
- All roles
- Installed roles
- Uninstalled roles
- Selected roles
- Click Next
- Installed features. View the installed features.
- Click Next
- Installed Options. View the installed options.
- Handling Unspecified Services. Unspecified services are services that are not installed on the selected server and not listed in the security configuration database. You can select:
- Do not change the startup mode of the service
- Disable the service
- Click Next
- Confirm Service Changes. Scroll through the list to see which services are disabled.
- Click Next
- Network Security. This section is where you configure rules for Windows Firewall with Advanced Security.
- Click Next
- Network Security Rules. You can see the ports that are currently open and the rules configured.
- Click Next
- Registry Settings. Modify any required registry settings here. We will skip this section.
- Click Next
- Audit Policy. Configure auditing in this section. We will skip this section.
- Click Next
- Save Security Policy. Click Next.
- Security Policy File Name. The default path is c:\Windows\security\msscw\Policies. Append a file name to the default path and add a description (the policy is saved as an XML file). You can also View Security Policy or Include Security Templates.
- Click Next
- Apply later or Apply now. We will Apply later.
- Click Next
- Click Finish
- Start | Computer
- Browse to the path noted earlier, c:\Windows\security\msscw\Policies, and you will see the saved security policy
Using Security Templates to Secure Servers
What is a Security Policy?
A Security Policy is a combination of security settings to be applied to a computer, either locally or through Active Directory.
Local Security Policies (which expose a narrower set of settings than a domain-based policy) include:
- Account Policies
- Local Policies
- Windows Firewall with Advanced Security
- Public Key Policies
- IP Security Policies on Local Computer
Active Directory Security Policies additionally include:
- Event Log
- Restricted Groups
- System Services (allows you to disable a system service through Group Policy)
- Registry
- File System
- Wired and Wireless Network Policies
- Network Access protection
- IP Security Policies on Active Directory
What are Security Templates?
A security template is a collection of configured security settings used to apply a security policy locally or, through Group Policy, to a group of computers.
Built-in templates are located in %SystemRoot%\Security\Templates. These templates are typically used as a base to build your own customized security policies. Custom security templates are stored in your local user profile folder. Security templates are created and modified using the Security Templates MMC snap-in.
- Security templates are deployed based on the server role. Some server roles are themselves security related, such as Active Directory Rights Management Services (AD RMS) and Active Directory Certificate Services (AD CS). To see a complete list of available server roles, open Server Manager from Administrative Tools and start the Add Roles Wizard.
- Security templates can be deployed to individual computers using the SECEDIT command.
- Security Templates can be deployed to groups of computers using Group Policy.
Demo – Configuring Security Templates
- Start | mmc | Press Enter
- Select File
- Click Add/Remove Snap-in...
- Scroll down and select Security Templates from the list of Available snap-ins
- Click Add button
- Click OK
- Expand Security Templates (notice the default for saving the security templates is your user profile)
- Right-click on your user profile (the template path) and select New Template...
- We are going to create a base security template for a DHCP server...
- In the Template name: text box, type: DHCP Base Security policy
- Type something into the Description: text box
- Click OK
- Expand your user profile, and you will see the DHCP Base Security policy
- Expand DHCP Base Security policy to see the settings that you can modify and set:
- Account Policies
- Password Policy
- Account Lockout
- Kerberos Policy
- Local Policies
- Audit Policy
- User Rights Assignment
- Security Options
- Event Log (change event log settings here)
- Restricted Groups
- System Services (all the system services are listed here, you can stop and disable the service from here)
- Registry
- File System
- Close the MMC and click Yes to Save Security Templates
If you want to apply the security policy locally to an individual computer, you can use the Local Group Policy on the machine and import this security template into the local security settings.
If you want to apply the security policy to a group of computers, then you use Group Policy through Active Directory:
- Start | Administrative Tools | Group Policy Management
- If you want to bring the security template into the Default Domain Policy, right-click Default Domain Policy and select Edit
- Expand Policies
- Expand Windows Settings
- Expand Security Settings
- Right-click Security Settings and Import Policy...
- The dialog defaults to the template folder in our profile, where the security template we just created is stored. Select the template and click Open. Every machine that falls into the scope of the GPO will then pick up these security settings.
What is the Security Configuration and Analysis Tool?
The Security Configuration and Analysis tool allows us to look at the current security configuration of a computer and analyze it against the configuration stored in one of our templates.
You launch it from an MMC. You are first asked to create a security database, and then which of your security templates to import into that database. You can then analyze the computer's current security to see whether it is compliant and where it fails.
If you then want to bring the computer into compliance, right-click Security Configuration and Analysis and select Configure Computer Now.... This overwrites the computer's current security settings with the settings from the security database.
Demo – Using the Security Configuration and Analysis Snap-in
- Start | mmc | Press Enter
- Select File
- Click Add/Remove Snap-in...
- Scroll down and select Security Configuration and Analysis from the list of Available snap-ins
- Click Add button
- Click OK
- Select Security Configuration and Analysis; the instructions appear in the details pane
- Right-click Security Configuration and Analysis and select Open Database...
- Type demo into the File name: text box
- Click Open
- From here, we need to select a security template to use as the baseline against which the local computer's security is measured. Earlier, for example, we created the DHCP Base Security policy template. Select it and click Open.
- We now have the ability to analyze the local computer against the template settings in our security database.
- Right-click Security Configuration and Analysis and select Analyze Computer Now...
- A Perform Analysis dialog box appears, with an Error log file path: text box
- Click OK
- Expand the nodes under Security Configuration and Analysis in the console (Account Policies, Local Policies, Event Log, and so on) and look for red X's, which mark settings where the computer differs from the template. You can double-click an entry and change the setting in the database. When you want to bring the local computer into line with the database, right-click Security Configuration and Analysis and select Configure Computer Now....
Note: Before you run Configure Computer Now..., use Export Template... to save the current settings of the machine, in case you need to restore them.
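The same analysis from the command line, as an added example that is not part of the course notes: secedit /export dumps the machine's current settings to an INI-style template (which also serves as the backup the note above asks for), and the script below diffs that export against a baseline template, reporting each setting as OK, Mismatch or Not Configured, the three states the snap-in shows with its icons. The baseline path is an assumption; run it from an elevated prompt.

```powershell
# Added example, not from the course notes. Compares the live security settings
# (exported with secedit) against a baseline .inf template, like the Security
# Configuration and Analysis snap-in does. Baseline path is an assumption.

function ConvertFrom-SecurityTemplate {
    # Parse a secedit template (INI format; exported ones are UTF-16LE with BOM,
    # which Get-Content detects) into a "Section/Setting" -> value hashtable.
    param([Parameter(Mandatory = $true)][string]$Path)
    $settings = @{}
    $section = ''
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        $name, $value = $line -split '=', 2
        # Privilege Rights lists SIDs comma-separated in arbitrary order; sort so
        # the same set of principals compares equal.
        $normalized = (([string]$value) -split ',' | ForEach-Object { $_.Trim() } | Sort-Object) -join ','
        $settings["$section/$($name.Trim())"] = $normalized
    }
    return $settings
}

function Compare-SecurityTemplate {
    param([Parameter(Mandatory = $true)][string]$BaselinePath,
          [Parameter(Mandatory = $true)][string]$CurrentPath)
    $baseline = ConvertFrom-SecurityTemplate -Path $BaselinePath
    $current  = ConvertFrom-SecurityTemplate -Path $CurrentPath
    foreach ($key in ($baseline.Keys | Sort-Object)) {
        # [Version] and [Unicode] are file metadata, not security settings
        if ($key -like 'Version/*' -or $key -like 'Unicode/*') { continue }
        $actual = $current[$key]
        $status = if ($null -eq $actual)             { 'Not Configured' }
                  elseif ($actual -ne $baseline[$key]) { 'Mismatch' }
                  else                                 { 'OK' }
        New-Object PSObject -Property @{
            Setting = $key; Baseline = $baseline[$key]; Current = $actual; Status = $status
        }
    }
}

# 1. Export the effective configuration (this is also the rollback copy).
$currentInf = Join-Path $env:TEMP 'current-security.inf'
secedit /export /cfg $currentInf /quiet | Out-Null

# 2. Report every setting that is not compliant with the baseline (assumed path).
$baselineInf = 'C:\Baselines\DHCP Base Security policy.inf'
Compare-SecurityTemplate -BaselinePath $baselineInf -CurrentPath $currentInf |
    Where-Object { $_.Status -ne 'OK' } |
    Format-Table Status, Setting, Baseline, Current -AutoSize

# 3. Only after reviewing the report, apply the baseline (the snap-in's
#    Configure Computer Now): secedit /configure /db $env:TEMP\secedit.sdb /cfg $baselineInf /overwrite
```

secedit /analyze with the same /db and /cfg arguments produces the snap-in's own analysis log, but the export-and-diff above gives the result as objects you can filter, count, or feed into a report, which is what you want when checking more than one server.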
Configure an Audit Policy
If you ever need to find out what happened to a deleted file or folder, you can configure an audit policy to tell you:
- Who deleted it?
- Where the file was deleted from?
- When the file was deleted?
The audit policy itself (for example, turning on the Audit object access category) can be deployed centrally through Group Policy in Active Directory. The auditing entries on the objects themselves (which files and folders, which users, which kinds of access) have to be configured on the computer that holds them.
What is Auditing?
Auditing tracks user and operating system activities, and records selected events in the Security log:
- What occurred?
- Who did it?
- When?
- What was the result?
Enable auditing to create a baseline, detect threats and attacks, determine damages, and prevent further damage.
You should audit access to objects, management of accounts, and users logging on and off.
What is an Audit Policy?
An audit policy determines which security events are recorded in the Security log for the administrator to review.
Set up an audit policy to track the success or failure of events, to deter unauthorized use of resources, and to maintain a record of activity.
Security events are stored in the Security log.
The key to a good audit policy is to make it manageable. Who has time to go through a security log with Event Viewer? If you do not have something like Microsoft Operations Manager (MOM) or System Center Operations Manager (SCOM) collecting and filtering the events for you, you will have to set aside time to review the event logs.
Types of Events to Audit
Each event category can be audited for success, failure, or both.
The following are the categories of events that can be audited.
Events that occur within Active Directory (recorded on the domain controllers):
- Account Logon. A domain controller validates a user's credentials (recorded on the domain controller, not on the machine the user logs on at).
- Account Management. Changes made to user, group, or computer accounts within AD.
- Directory Service Access
- Directory Service Changes
- Directory Service Replication
- Detailed Directory Service Replication
Events on the local computer (configured locally or through Group Policy):
- Logon
- Object Access
- Policy Change
- Privilege Use
- Process Tracking
- System
Question: You need to monitor Active Directory replication and changes to Active Directory. You need these events to be recorded in the Windows Security Event log. What tool should you use?
Answer: Use Auditpol.exe to enable the subcategories under the Directory Service Access category: Directory Service Access, Directory Service Changes, Directory Service Replication, and Detailed Directory Service Replication. The events are written to the Security log on the domain controller.
Demo – Configure Auditing
Open the local policy on the SVR1 machine.
- Start | gpedit.msc
- Press Enter
- The Local Group Policy Editor displays
- Under Local Computer Policy, expand Computer Configuration, Windows Settings, Security Settings, and Local Policies
- Highlight Audit Policy
- The audit events display. Double-click on the one you want, Audit object access, for example
- Choose Success or Failure under Audit these attempts: (you can do both, if you like)
- Click Apply
- Click OK
Configuring the Audit object access category only switches the category on. We then have to mark the actual files and folders whose access we want audited. That is done in the object's system access control list (SACL), reached from the Auditing tab of its NTFS security properties. How do we do this?
- Start | Computer
- Click on the C: drive
- Pretend you have some sensitive documents in the Resume folder. Right-click the Resume folder.
- Select Properties
- Go to the Security tab
- Click on the Advanced button at the bottom of the dialog box
- Click on the Auditing tab
- Click on the Edit button
- You need to set what users or group that you would like to audit. Click on the Add button.
- Under Enter the object name to select (examples): type in domain users in the text box.
- Click the Check Names button and click OK
- The Auditing Entry for Resume dialog box displays. Let’s choose Create file / write data. Check the Successful and Failed boxes.
- Click OK
- Click Apply
- Click OK
- Click OK
- Click OK
Now, we need to update the local policy
on SVR1:
- Start | cmd
- Press Enter
- Type: gpupdate /force
- Type: Exit
Later, when you are ready to check the
security log within Event Viewer:
- Start | Administrative Tools | Event Viewer
- Expand Windows Logs
- Select Security to review the events
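The same configuration done from an elevated PowerShell prompt, as an added example that is not part of the course notes: auditpol turns on the File System subcategory (the same tool the question above uses for the Directory Service subcategories), a FileSystemAuditRule puts the SACL entry on the folder, and a query against the Security log answers the who/what/when question the section opened with. Event 4660 is "An object was deleted" and 4663 is "An attempt was made to access an object"; a deletion shows up as a 4663 with the DELETE access mask (0x10000) followed by a 4660 carrying the same handle ID. The folder path and group name are assumptions.

```powershell
# Added example, not from the course notes. Folder and group are assumptions.
$folder = 'C:\Resume'
$auditedGroup = 'Domain Users'

# 1. Enable the Object Access > File System subcategory for success and failure.
#    (gpedit's "Audit object access" switches on the whole category; auditpol lets
#    you pick just the subcategory you need.)
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add a SACL entry: audit Domain Users for delete and write attempts, inherited
#    by the folder's subfolders and files.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $auditedGroup,
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, WriteData',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -Path $folder -Audit      # -Audit is required to read/write the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3. Later: who deleted what, and when. Parses the EventData XML of 4660/4663.
function Get-FileDeletionEvents {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4660, 4663; StartTime = $Since } |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $data = @{}
            foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
            New-Object PSObject -Property @{
                Time       = $_.TimeCreated
                Id         = $_.Id
                User       = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Object     = $data.ObjectName    # present on 4663; 4660 only carries the handle
                AccessMask = $data.AccessMask    # 0x10000 = DELETE
                HandleId   = $data.HandleId      # joins the 4663 to its 4660
            }
        }
}

# Deletions only: the DELETE-access 4663 (which names the file) and the 4660 that follows it.
Get-FileDeletionEvents |
    Where-Object { $_.Id -eq 4660 -or $_.AccessMask -eq '0x10000' } |
    Sort-Object Time |
    Format-Table Time, Id, User, Object, HandleId -AutoSize
```

Setting the SACL needs the Manage auditing and security log right (SeSecurityPrivilege), which administrators hold by default; that is also why the demo has you run it from an administrative session.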
Windows Server Update Services (WSUS)
We can deploy our own WSUS servers and use them to test and deploy Windows software updates on a schedule. This gives us complete control and good reporting. Remote sites get their own downstream WSUS servers, which minimizes the traffic generated from the root (upstream) WSUS server: each update is transferred once from the root server to the WSUS server in the remote location, and the local clients then receive it from their local server without generating additional traffic across the WAN link.
The first version of WSUS was known as SUS, Software Update Services. SUS only delivered hotfixes and patches for Windows. Support for SUS ended in July 2007. To migrate update information from SUS to WSUS, run the WSUSutil.exe command-line utility on the WSUS server.
Windows Server Update Services
The list of available updates is published by the Microsoft Update web site as a catalog; the offline copy of that catalog is the cab file Wsusscan.cab (now wsusscn2.cab), used to scan a computer for missing updates without contacting an update server. The WSUS server synchronizes the catalog and the update files themselves; it runs on Windows Server 2003 SP1 or later.
The settings for Automatic Updates on the clients can be modified using Group Policy.
WSUS Process:
Phase 1: Assess
- Set up the production environment supporting update management using WSUS for routine and emergency installations
Phase 2: Identify
- Discover the new updates that are relevant for our production environment
Phase 3: Evaluate and Plan
- Test updates in a test environment that resembles the production environment. Set up the tasks necessary to deploy updates to production, plan, build, and schedule the update releases, and conduct acceptance testing of the releases.
Phase 4: Deploy
- Approve and schedule update installations. System Center Configuration Manager (SCCM) integrated with WSUS adds enterprise-wide reporting. SCCM also supports Wake-On-LAN (WOL), so computers that are powered off can be woken up to receive patches.
Server Requirements for WSUS:
- Windows Server 2003 SP1 or Windows Server 2008
- IIS 6.0 or later
- Windows Installer 3.1 or later
- Microsoft .NET Framework 2.0
- SQL Server 2005 SP1 or later (optional)
- Microsoft Report Viewer Redistributable 2005
Use Group Policy or the registry to configure Automatic Updates. In a non-Active Directory environment, use the Local Group Policy object (GPO) or edit the registry directly.
Demo – Installing and Configure WSUS
- Start | Computer
- Go to the D: drive (where we have already downloaded the installation package)
- Double-click the WSUS installation package
- Extracting Files
- The Windows Server Update Services Setup Wizard dialog box displays
- Click Next
- On the Installation Mode Selection page:
- Full server installation including Administration Console (we will choose this one)
- Administration Console only
- Click Next
- The license agreement displays. Read and click I accept. Click Next.
- Now, pick where to install WSUS. Click Next.
- On the Database Options page, we will Use existing Windows Internal Database on this Computer and click Next
- You will see Connecting to SQL Server Instance. Click Next.
- You can Use existing database or Create new database. We will Create new database.
- Click Next
- We will Use the existing IIS Default Web Site (recommended). This will create a virtual directory within the default web site. Click Next.
- On the Ready to Install Windows Server Update Services page, click Next
- Installing...
- Click Finish
At the end of the WSUS installation, you can configure the server using the WSUS Server Configuration Wizard. The steps below configure it from the console instead. WSUS 3.0 SP1 supports client-side targeting, which lets you create groups of computers and approve updates only for specific groups. In this exercise we will create a computer group and approve an update:
- Start | Administrative Tools | Microsoft Windows Server Update Services
- The snap-in is added automatically and launched
- Select Options
- Update Source and Proxy Server. Choose whether to synchronize from Microsoft Update or from an upstream WSUS server, and the proxy server used to reach the Internet.
- Products and Classifications. The types of products for which you want to synchronize updates and what classification (Critical updates, Drivers, Security Updates, etc.)
- Update Files and Languages.
- Synchronization Schedule. Manually or automatically.
- Automatic Approvals. Specify rules for automatically approving new updates when they are synchronized.
- Computers. Click All Computers. In the Actions pane, click Add Computer Group
- In the Add Computer Group dialog box, specify a computer group name of Payroll Computers and click Add
- In the Update Services list pane, under Computers and All Computers, click Unassigned Computers. In the Unassigned Computers details pane, specify Any in the Status drop-down list, and click Refresh
- Right-click one of the listed computers, and then click Change Membership...
- In the Set Computer Group Membership dialog box, select the Payroll Computers check box, and click OK
- In the Update Services administrative tool, in the list pane, expand Updates, and click Critical Updates. In the details pane, change Approval: drop-down box to Any Except Declined. Change the Status: drop-down box to Any and click Refresh (review the updates available)
- In the Critical Updates details pane, right-click one of the updates and then select Approve from the context menu
- In the Approve Updates dialog box that appears, click the arrow next to All Computers, select Approved for Install, and click OK
- On the Approval Progress page, when the process is complete, click Close
- The message appears stating the update is approved, but must be downloaded to complete
- In the Update Services console, click Reports to view the reports available in WSUS.
- The remaining items under Options are:
- Server Cleanup Wizard
- Reporting Rollup
- E-Mail Notifications
- Microsoft Update Improvement Program
- Personalization
- WSUS Server Configuration Wizard
Managing Windows Server Update Services
WSUS uses the MMC for its administration. Within the console tree there is a section for the WSUS server, and there is an Actions pane. The WSUS server section encompasses:
- Updates
- Computers
- Downstream Servers
- Synchronizations (to the Windows Update Servers)
- Reports
- Options
Managing Computer Groups
We must configure the computers to contact the WSUS server so that the WSUS server can recognize them. Once a computer has been recognized, it is placed in the All Computers group and the Unassigned Computers group.
Computers can be assigned to more than one group. Best practice is to create a computer group to test updates before you deploy the updates to other computers.
We can use Client-side targeting and Server-side targeting to set up computer groups. Client-side targeting uses Group Policy, or the equivalent registry keys on the client, to name the group the computer belongs to. Server-side targeting means manually adding each computer to a group in the console.
Enable the Client-Side Targeting Group Policy setting and specify a target group name for the computer:
- Go to the Update Services console and select Options. In the details pane, click Computers.
- In the Computers dialog box, select Use Group Policy Or Registry Settings On Computers. Click OK.
- Open the GPO in the Group Policy Management Editor.
- Select the Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update
- In the details pane, double-click Enable Client-Side Targeting policy.
- In the Properties dialog box, select Enabled. Type the name of the computer group that you want to add the computer to and then click OK.
Approving Updates
- Install
- Decline
- Unapprove
- Removal
The WSUS environment is configured and the updates are downloaded. The updates now need to be approved before they go out to the client machines. We can approve the installation of updates for all of the computers within the WSUS environment, or for individual computer groups.
Once an update is approved, we can install it, remove it if the update supports removal, or set a deadline for automatic installation. A deadline overrides the client computer's own Automatic Updates schedule: the update is installed by the deadline whether or not the client is configured to install automatically.
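The approval workflow scripted against the WSUS 3.0 administration API (the Microsoft.UpdateServices.Administration assembly that the console itself uses), as an added example that is not part of the course notes: it creates the test group if needed, approves the pending critical and security updates for that group only with a one-week deadline, and declines superseded updates, which otherwise only clutter the reports. The group name and deadline are assumptions; run it on the WSUS server with an account in the WSUS Administrators group.

```powershell
# Added example, not from the course notes. Group name and deadline are assumptions.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()   # local server

# 1. Server-side targeting: make sure the test group exists.
$groupName = 'Payroll Computers'
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $groupName }
if (-not $group) { $group = $wsus.CreateComputerTargetGroup($groupName) }

# 2. Select what is pending: not yet approved or declined, not superseded, and in
#    the two classifications the demo looks at. GetUpdates() returns the whole
#    catalog, so this can take a while on a server that syncs many products.
$classes = 'Critical Updates', 'Security Updates'
$pending = $wsus.GetUpdates() | Where-Object {
    -not $_.IsApproved -and -not $_.IsDeclined -and -not $_.IsSuperseded -and
    ($classes -contains $_.UpdateClassificationTitle)
}

# 3. Approve for install on the test group only, with a deadline. The deadline is
#    what makes the install happen regardless of the client's own schedule.
$deadline = (Get-Date).AddDays(7)
$install  = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
foreach ($update in $pending) {
    # Approve() throws if the update carries an unaccepted EULA
    if ($update.RequiresLicenseAgreementAcceptance) { $update.AcceptLicenseAgreement() }
    $update.Approve($install, $group, $deadline) | Out-Null
    'Approved for {0} (deadline {1:d}): {2}' -f $groupName, $deadline, $update.Title
}

# 4. Decline superseded updates that nobody has approved, so reports show only
#    updates clients can still need.
$wsus.GetUpdates() |
    Where-Object { $_.IsSuperseded -and -not $_.IsApproved -and -not $_.IsDeclined } |
    ForEach-Object { $_.Decline(); 'Declined (superseded): {0}' -f $_.Title }
```

Approving for the test group first, and for All Computers only after the group reports success, is the scripted form of the best practice stated above; the same Approve() call with the All Computers group object is the second step.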
Demo – Managing WSUS
Configure client machines to get their updates from the internal WSUS server, rather than going to the Internet. Use the Group Policy Management Console to create and link a Group Policy Object (GPO) to the domain to configure client updates:
- Start | Administrative Tools | Group Policy Management
- Expand Domains and expand your domain
- Highlight Group Policy Objects and highlight Default Domain Policy
- Right-click and select Edit
- Under Computer Configuration, expand Policies
- Select Administrative Templates
- Expand Windows Components
- Scroll down and select Windows Update
- Select and double-click Configure Automatic Updates and set Enabled on the Setting tab
- Under Configure automatic updating:
- 2 – Notify for download and notify for install
- 3 – Auto download and notify for install
- 4 – Auto download and schedule the install (we will choose this one)
- 5 – Allow local admin to choose setting
- Under Scheduled install day:, we will choose 1 – Every Sunday
- Under Scheduled install time: we will choose 3:00
- Click Apply
- Click OK
- Select and double-click Specify intranet Microsoft update service location
- Set to Enabled
- In the text boxes of Set the intranet update service for detecting updates: and Set the intranet statistics server: type: http://nyc-svr1 (example)
- Click Apply
- Click OK
- Examine the other settings in Windows Update to see if they need modifying
- Close down Group Policy itself and the Group Policy Management console
- Start | Run | cmd
- Type: gpupdate /force to update the Group Policy
- Close down command prompt
- Start | Control Panel | Windows Update
- You can see the changed settings in the Windows Update dialog box
A useful command-line utility is wuauclt.exe, which comes with Windows. Running wuauclt /detectnow forces the Windows Update Agent to check in with its configured update server immediately instead of waiting for the next scheduled detection cycle; wuauclt /reportnow sends the client's status to the WSUS server right away.
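For a computer that is not in the domain, the registry route mentioned earlier, as an added example that is not part of the course notes: the script writes the same values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate that the Windows Update GPO settings above write (intranet update server, client-side targeting group, and the Automatic Updates mode, day and time from the demo), reads them back so the result can be checked, and then forces a detection with wuauclt. The server URL and group name are assumptions; run it from an elevated prompt.

```powershell
# Added example, not from the course notes. Server URL and group name are assumptions.
$WsusServer  = 'http://nyc-svr1'
$TargetGroup = 'Payroll Computers'

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'
New-Item -Path $wu -Force | Out-Null
New-Item -Path $au -Force | Out-Null

# GPO "Specify intranet Microsoft update service location"
Set-ItemProperty -Path $wu -Name WUServer       -Value $WsusServer -Type String
Set-ItemProperty -Path $wu -Name WUStatusServer -Value $WsusServer -Type String

# GPO "Enable client-side targeting"
Set-ItemProperty -Path $wu -Name TargetGroupEnabled -Value 1 -Type DWord
Set-ItemProperty -Path $wu -Name TargetGroup        -Value $TargetGroup -Type String

# GPO "Configure Automatic Updates": option 4, every Sunday at 03:00
Set-ItemProperty -Path $au -Name UseWUServer          -Value 1 -Type DWord   # use WUServer, not Microsoft Update
Set-ItemProperty -Path $au -Name NoAutoUpdate         -Value 0 -Type DWord   # automatic updating enabled
Set-ItemProperty -Path $au -Name AUOptions            -Value 4 -Type DWord   # 4 = auto download and schedule the install
Set-ItemProperty -Path $au -Name ScheduledInstallDay  -Value 1 -Type DWord   # 0 = every day, 1 = Sunday ... 7 = Saturday
Set-ItemProperty -Path $au -Name ScheduledInstallTime -Value 3 -Type DWord   # hour of day, 0-23

function Get-WsusClientConfig {
    # Read the effective policy back as an object, for checking or inventory scripts
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auto   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $modes  = @{ 2 = 'notify for download and install'; 3 = 'auto download, notify for install'
                 4 = 'auto download, scheduled install'; 5 = 'local admin chooses' }
    New-Object PSObject -Property @{
        UpdateServer = $policy.WUServer
        UsesWsus     = ($auto.UseWUServer -eq 1)
        TargetGroup  = if ($policy.TargetGroupEnabled -eq 1) { $policy.TargetGroup } else { $null }
        Mode         = $modes[[int]$auto.AUOptions]
        InstallDay   = $auto.ScheduledInstallDay
        InstallHour  = $auto.ScheduledInstallTime
    }
}

# Pick up the new policy, re-register with the WSUS server, and check in now
Restart-Service -Name wuauserv
wuauclt /resetauthorization /detectnow
Get-WsusClientConfig
```

On a domain member these are the very keys the GPO writes, so Group Policy will overwrite anything set here at the next refresh; that is why the notes reserve the registry method for machines outside Active Directory.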
Manage the updates on WSUS server, nyc-svr1 (example)
- Start | Administrative Tools | Microsoft Windows Server Update Services 3.0 SP1 (note: as of today, the current release is SP2; this demo is based on SP1)
- In this example, we see a number of security and critical updates waiting to be approved
- In the console tree, under Updates, we can review the update status:
- All Updates
- Critical Updates
- Security Updates
- WSUS Updates
- Right-click any status to get a context menu:
- Approve...
- Decline
- Group By
- Revision History
- File Information
- Status Report
- Help
- Back to the console tree, under Computers, All Computers, Unassigned Computers, we can see the status of the updates for the computers. Select the machine and:
- Delete
- Group By
- Status Report
- Help