BUILDING A SAFE, SECURE & FRIENDLY
DOMAIN USING WINDOWS 2003 AD Part 2
BY: Ian Trump
20 March 2009
TALKING ABOUT PROTECTION, BABY
A server running Windows 2003, IIS and MS Exchange is the perfect environment for all sorts of virus, spam and open-relay nightmares. There are a couple of things you can do to reduce the attack surface you expose to all the crap floating around the Internet. At the Battle of Cannae in 216 B.C. Hannibal employed a Defence in Depth strategy to encircle and destroy ten Roman legions at once, resulting in the largest single slaughter of Roman troops in the history of the Republic. As much as we would like to trap and slaughter the virus, malware and other Internet dirtbags that are constantly attacking our networks, we cannot. Offensive cyber warfare (a great term to Google) is beyond the scope of these writings.
The only thing we can do is work very hard to keep the network we are responsible for reasonably safe and secure for day-to-day business. It is diagram time again:
-> FIREWALL/ROUTER -> [ZONE-1: DMZ PORT -> WIRELESS ACCESS POINT] -> [ZONE-2: INTERNAL NETWORK -> MAN. SWITCH] -> [ZONE-3: SERVERS] -> [ZONE-1 CLIENTS]
To defend our network from evildoers we need to think in terms of a ring of defences that gives us layered defence: the greatest security at the centre, greater security in the middle ring and some decent security around the edges.
I try to evaluate security by assuming the worst: Evil Internet Hackers (EIHs) have penetrated the firewall and are going after the information in ZONE-3, our servers. The question is how we stop them at a reasonable cost. Fortunately Windows 2003 can provide some pretty decent defences against the EIHs.
The first place to start is to harden the servers and restrict access to them. Unfortunately, out of the box Windows 2003 is not as locked down as it should be; we need to change NTFS permissions and share permissions, and install some third-party software, to make our servers a little harder to get at than the server down the metaphorical Internet street.
EVERYONE IS BAD
Wherever an NTFS or share ACL grants rights to Everyone, change that entry to Authenticated Users; this gives a great deal more protection at the NTFS file level, and it is a good practice because I am deeply suspicious of EVERYONE. Two caveats: Authenticated Users still includes every domain user and computer account, so where you can, grant the rights to a specific group instead; and scope the change to your data shares rather than the system volume, since the operating system and installers rely on some of the default Everyone entries there. On Windows 2003 the Anonymous Logon SID is no longer a member of Everyone by default, and new shares are created with Everyone: Read rather than the old Everyone: Full Control, so the biggest exposure is on upgraded servers and on shares that were created years ago. There are many white papers on securing a Windows server, but a word of caution: security changes can kill servers. Do not enact any change without a backup and recovery plan, and avoid anything described with the words "once this is installed it cannot be undone".
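An added example (mine, not from the original article) of doing the Everyone-to-Authenticated-Users swap on an NTFS tree without doing it by hand folder by folder. It walks a share, lists every explicit ACE granted to Everyone, and with -Fix replaces each one with an identical ACE for Authenticated Users. The share path is an assumption; the script only touches NTFS permissions, not the share-level permissions set in Computer Management, which you still review separately. Run it as an administrator, and run it without -Fix first.

```powershell
# Added example, not from the original article: audit and repair explicit ACEs
# granted to Everyone under a data share. Root path below is an assumption.
# Well-known SIDs, so the comparison works whatever language the server speaks
# ("Everyone" is "Jeder" on a German Windows).
$Everyone  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$AuthUsers = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'

function Get-AceSid($Ace) {
    # Get-Acl returns ACEs with resolved NTAccount names; translate back to a SID.
    $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
}

function Repair-EveryoneAces {
    param([string]$Root, [switch]$Fix)
    $hits  = @()
    # Include the root folder itself, then everything under it (hidden files too).
    $items = @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Recurse -Force)
    foreach ($item in $items) {
        $acl = Get-Acl -Path $item.FullName
        # Only explicit ACEs can be removed here; inherited ones are fixed at the
        # folder they come from, which this walk reaches anyway.
        $bad = @($acl.Access | Where-Object {
            -not $_.IsInherited -and (Get-AceSid $_) -eq $Everyone })
        if ($bad.Count -eq 0) { continue }
        foreach ($ace in $bad) {
            $hits += New-Object PSObject -Property @{
                Path   = $item.FullName
                Rights = $ace.FileSystemRights
                Type   = $ace.AccessControlType }
            if ($Fix) {
                # Same rights, inheritance, propagation and allow/deny; new principal.
                $replacement = New-Object System.Security.AccessControl.FileSystemAccessRule(
                    $AuthUsers, $ace.FileSystemRights, $ace.InheritanceFlags,
                    $ace.PropagationFlags, $ace.AccessControlType)
                [void]$acl.RemoveAccessRule($ace)
                $acl.AddAccessRule($replacement)
            }
        }
        if ($Fix) { Set-Acl -Path $item.FullName -AclObject $acl }
    }
    return $hits
}

# Usage: report first, apply once the list looks right.
Repair-EveryoneAces -Root 'D:\Shares\Finance' | Format-Table Path, Rights, Type -AutoSize
# Repair-EveryoneAces -Root 'D:\Shares\Finance' -Fix
```

The report step matters more than the fix step: a Deny ACE for Everyone, for instance, is doing real work and swapping its principal narrows the deny, which is exactly the kind of change that "kills servers" if nobody reads the list first.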
SERVICE WITH A SMILE
Some Windows services are a lot more critical to the functioning of a network than others. Sometimes when you go out to your car in the morning it fails to start; the same can be true of Windows services. Pending updates, aggressive anti-virus and memory leaks in applications can grab a large amount of memory and degrade system performance to the point where services fail. DNS Server, Server, Print Spooler, Windows Time, Remote Procedure Call (RPC) and Network Connections are pretty vital to keeping users "File and Printer Serving", so I like to make a couple of changes on these (RPC is the exception: if it dies the server is generally unusable anyway, so look at what its Recovery tab already says before you change it):
1. Open the Computer Management console and expand Services.
2. Locate DNS Server, right-click it, choose Properties and click the Recovery tab.
3. For First failure, Second failure and Subsequent failures select Restart the Service.
4. Leave the default of restarting the service after 1 minute.
5. Click OK.
A failure will still write an error to the System event log (Service Control Manager event 7031 records the crash and the corrective action it is about to take), and the service will still be down for the minute until it restarts, but the outage is a brief, intermittent one rather than one that lasts until somebody notices.
I recommend applying these settings to each of the critical services. For all the Exchange-related services (including IIS) I recommend a slightly different setting:
1. Open the Computer Management console and expand Services.
2. Locate the Exchange service (for example Microsoft Exchange Information Store), right-click it, choose Properties and click the Recovery tab.
3. For First failure select Restart the Service; leave Second failure and Subsequent failures at Take No Action.
4. Leave the default of restarting the service after 1 minute.
5. Click OK.
This covers those occurrences where a hard-working Exchange server fails because of a memory leak: one restart brings the store back, while a service that dies again within the reset period stays down so that someone investigates it rather than leaving it to crash and restart in a loop. Repeat for each of the Exchange and IIS services.
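Both procedures above are the same change applied to two lists of services, so here is an added example (mine, not from the original article) that applies them from PowerShell with sc.exe and then reads back what the Service Control Manager actually stored. The short service names are the real ones on Windows Server 2003; which Exchange and IIS services you run is an assumption, so edit the lists. The empty action token for "Take No Action" is the form I have seen sc.exe accept; confirm the result with sc.exe qfailure or the Recovery tab before trusting it across a fleet.

```powershell
# Added example, not from the original article: set the two recovery profiles
# described above and verify them from the registry. Run as an administrator.

# SC_ACTION type codes as shown on the services.msc Recovery tab.
$ActionNames = @{ 0 = 'Take No Action'; 1 = 'Restart the Service';
                  2 = 'Restart the Computer'; 3 = 'Run a Program' }

function Set-RecoveryProfile {
    param([string]$Service, [string]$Profile)
    # actions= is action/delay-ms pairs for the 1st, 2nd and subsequent failures;
    # an empty action token means "Take No Action". reset= is the seconds of clean
    # running after which the failure count goes back to zero (86400 = one day).
    switch ($Profile) {
        'critical' { $actions = 'restart/60000/restart/60000/restart/60000' }  # restart every time
        'exchange' { $actions = 'restart/60000//0//0' }                       # restart once, then stay down
        default    { throw "Unknown profile '$Profile'" }
    }
    & sc.exe failure $Service reset= 86400 actions= $actions | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe failure returned $LASTEXITCODE for $Service" }
}

function Get-RecoveryActions {
    param([string]$Service)
    # The SCM serialises SERVICE_FAILURE_ACTIONS into the FailureActions value:
    # DWORD reset period, DWORD reboot-message offset, DWORD command offset,
    # DWORD action count, DWORD offset of the SC_ACTION array, then one
    # {DWORD Type, DWORD Delay} pair per action.
    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$Service"
    $bytes = (Get-ItemProperty -Path $key -Name FailureActions -ErrorAction SilentlyContinue).FailureActions
    if (-not $bytes) { return @() }   # nothing configured: every failure is "Take No Action"
    $count  = [BitConverter]::ToUInt32($bytes, 12)
    $offset = [BitConverter]::ToUInt32($bytes, 16)
    $rows = @()
    for ($i = 0; $i -lt $count; $i++) {
        $type  = [BitConverter]::ToUInt32($bytes, $offset + 8 * $i)
        $delay = [BitConverter]::ToUInt32($bytes, $offset + 8 * $i + 4)
        $rows += New-Object PSObject -Property @{
            Service = $Service; Failure = $i + 1
            Action  = $ActionNames[[int]$type]; DelayMs = $delay }
    }
    return $rows
}

# "File and Printer Serving" services; RPC (RpcSs) is deliberately left out.
$critical = 'DNS', 'lanmanserver', 'Spooler', 'W32Time', 'Netman'
# Exchange 2003 and the IIS pieces it depends on (assumed list, edit to taste).
$exchange = 'MSExchangeIS', 'MSExchangeSA', 'MSExchangeMTA', 'IISADMIN', 'W3SVC', 'SMTPSVC'

foreach ($s in $critical) { Set-RecoveryProfile -Service $s -Profile 'critical' }
foreach ($s in $exchange) { Set-RecoveryProfile -Service $s -Profile 'exchange' }

# Verify against what the SCM stored rather than trusting the exit code.
$critical + $exchange | ForEach-Object { Get-RecoveryActions $_ } |
    Format-Table Service, Failure, Action, DelayMs -AutoSize
```

Reading the stored value back is the useful half: the SCM repeats the last action in the array for every failure beyond it, so a profile written with only one restart/delay pair restarts on every failure, which is the opposite of what the Exchange procedure intends. The read-back shows three rows per service, with the second and third reading Take No Action, when the setting is what you meant.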