Platform Security

In dealing with Application Center clusters, you have to take a holistic approach to security by reviewing the security configurations of the individual software elements that make up the cluster environment. These include:

  • The network
  • The operating system and Web server
  • The applications and components
  • The back-end databases

NOTE

Your cluster topology and application architecture will play an important role in determining how some of these elements are configured, particularly when firewalls are implemented as part of the environment.

Before beginning any security assessment and configuration for your environment, you should read the "Site Security Planning" documentation in Appendix B of the Microsoft Internet Information Services 5.0 Resource Guide (Microsoft Press, 1999).

Network Security

Although they're not exhaustive, the following steps, which are extracted from an article called "Security Considerations for Network Attacks" (Microsoft TechNet), provide a good starting point for general network security. These steps can lower the vulnerability of your Web site to DoS and other network attacks:

  • Monitor network boundaries for attacks. Use an intrusion detection tool to detect attacks.
  • Ensure that routers are not converting layer 3 broadcasts into layer 2 broadcasts. The default setting for routers that use Cisco Internetwork Operating System (IOS) version 12.0 or greater is no ip directed-broadcast.
  • Restrict routers to allow only the use of ports that are necessary for the site to function. (See the sidebar below.)
  • Disable unnecessary or optional services (for example, the Client for Microsoft Networks on a computer running Internet Information Server 4.0).
  • Enable TCP/IP filtering, and restrict access to only the ports that are necessary for the server to function.
  • Unbind NetBIOS over TCP/IP where it is not needed.
  • Configure static IP addresses and parameters for public network adapters.
  • Configure registry settings for maximum protection.
  • Consult the Microsoft security Web site regularly for security bulletins (http://www.microsoft.com/technet/security/default.asp).

The "Security Considerations for Network Attacks" article also provides detailed information about the registry settings that will increase the resistance of the Windows 2000 network stack to DoS attacks.

General Security Guidelines for Windows 2000 Server and Web Servers

Because the Web server (IIS) runs as a Windows 2000 Server service and you can regard the two programs as a single entity, we'll start by looking at general security measures that can be applied to both, specifically the use of security templates and site hardening techniques. Following this, we've provided specific checklists for configuring Windows 2000 Server and IIS.

NOTE

As you may recall from earlier chapters, the Windows 2000 server and IIS settings that you configure on the cluster controller provide the master configuration settings for every cluster member. Therefore, overall cluster security is only as good as the lockdown you implement on the cluster controller.

Security Templates

Windows 2000 provides standard and incremental security templates that you can use in conjunction with the Windows 2000 Security Configuration and Analysis tool. This tool provides a single point of administration for Windows system security. It allows you to:

  • Define one or more security policies based on the role of the computer.
  • Configure a server to match a security policy.
  • Audit against an existing policy and report differences.

Port probes and attacks

Gaining entry to computer systems via unsecured ports is probably one of the easiest avenues of attack, even for the least sophisticated hacker. The Internet has dozens of popular sites where anyone can download a port scanner for virtually any operating system. Software for detecting port probes is as essential to your operation as virus detection software.

TIP

Have a look at the Intrusion Detection FAQ published by the SANS Institute. The FAQ can be obtained at http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm

There are several excellent tools available for detecting the port probe intrusion as well as checking for security weaknesses. You should regularly run a security scanner on your Web server by using software from one of the companies listed at the Microsoft Security Advisor site (http://www.microsoft.com/technet/security/partners/default.asp).

TIP

If you want to find out what ports are active on your server, as well as their state, run netstat -a | more from the Windows 2000 command prompt. You'll get output similar to the following:

   TCP    ACDW01:2756        sam-xyz-99.samples.microsoft.com:3670  ESTABLISHED
   TCP    ACDW01:2789        ACDW01.samples.microsoft.com:0         LISTENING
   UDP    ACDW01:epmap       *:*
   UDP    ACDW01:1029        *:*

To find out which running application is actually holding open each listening port, you'll need a special tool. The best, and perhaps only, tool is Inzider. Developed by Arne Vidstrom, it's available from his Web site at http://ntsecurity.nu.

The following sample output illustrates the type of information that Inzider provides:

 Checked E:\Program Files\Microsoft Office\Office\OUTLOOK.EXE (PID=1504)
 Found UDP port  4079 bound at 0.0.0.0 by E:\Program Files\Microsoft Office\Office\OUTLOOK.EXE (PID=1504) [UDP client]
 Found UDP port  4080 bound at 0.0.0.0 by E:\Program Files\Microsoft Office\Office\OUTLOOK.EXE (PID=1504) [UDP client]
 Checked E:\WINNT\Explorer.exe (PID=1320)
 Checked C:\Inoculan\realmon.exe (PID=1572)
 Checked E:\Program Files\Common Files\Microsoft Shared\Service Manager\sqlmangr.exe (PID=1076)
 Checked E:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE (PID=1452)
 Found UDP port  4087 bound at 0.0.0.0 by E:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE (PID=1452) [UDP client]
 Found UDP port  4088 bound at 0.0.0.0 by E:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE (PID=1452) [UDP client]

After you've installed Inzider, you can use it to track down the executable that is using each port to see what it is. Keep a close eye out for odd programs, such as "Explorer," opening ports because this is usually an indication that you've been infected by a Trojan—Explorer does not open ports.
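The two checks described in this sidebar (which ports are listening, and which executable holds each one) can be scripted against saved netstat -a and Inzider output. The following Python script is an added example and is not part of the Resource Kit or of either tool: it flags listening ports that are not on an allowlist for the server's role and names the executable bound to each flagged port. The sample output lines, the allowlist, and the list of binaries that should never open a port (Explorer, as the sidebar notes) are constructed assumptions.

```python
"""Audit listening ports from saved `netstat -a` and Inzider output (added example)."""
import re

# Constructed sample of `netstat -a` output; hostnames, ports and PIDs are made up.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    ACDW01:2756        sam-xyz-99.samples.microsoft.com:3670  ESTABLISHED
  TCP    ACDW01:http        ACDW01.samples.microsoft.com:0         LISTENING
  TCP    ACDW01:https       ACDW01.samples.microsoft.com:0         LISTENING
  TCP    ACDW01:2789        ACDW01.samples.microsoft.com:0         LISTENING
  UDP    ACDW01:epmap       *:*
  UDP    ACDW01:1029        *:*
"""

# Constructed sample of Inzider output in the format shown above (paths/PIDs made up).
INZIDER_SAMPLE = r"""
Checked E:\WINNT\Explorer.exe (PID=1320)
Found TCP port  2789 bound at 0.0.0.0 by E:\WINNT\Explorer.exe (PID=1320) [TCP server]
Checked E:\WINNT\System32\inetsrv\inetinfo.exe (PID=900)
Found TCP port    80 bound at 0.0.0.0 by E:\WINNT\System32\inetsrv\inetinfo.exe (PID=900) [TCP server]
Found UDP port  4087 bound at 0.0.0.0 by E:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE (PID=1452) [UDP client]
"""

# netstat prints well-known service names instead of numbers; map the ones we expect.
SERVICE_PORTS = {"http": 80, "https": 443, "epmap": 135, "ftp": 21, "smtp": 25}

# Hypothetical allowlist for a Web-only cluster member: (protocol, port) pairs.
ALLOWED = {("TCP", 80), ("TCP", 443), ("UDP", 135)}

# Assumed: programs that have no business holding a port (per the sidebar's Explorer warning).
SUSPECT_BINARIES = {"explorer.exe"}

NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
INZIDER_RE = re.compile(r"^Found (TCP|UDP) port\s+(\d+) bound at (\S+) by (.+?) \(PID=(\d+)\)")


def parse_netstat(text):
    """Return [(proto, port_number, state)] for each connection line; headers are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, port, _remote, state = m.groups()
        port_num = SERVICE_PORTS.get(port.lower(), int(port) if port.isdigit() else None)
        # UDP sockets have no state column; a bound UDP socket is treated as listening.
        rows.append((proto, port_num, state or "LISTENING"))
    return rows


def unexpected_listeners(rows, allowed=ALLOWED):
    """Listening sockets that are not on the role's allowlist, as sorted (proto, port) pairs."""
    return sorted({(p, n) for p, n, st in rows
                   if st == "LISTENING" and n is not None and (p, n) not in allowed})


def parse_inzider(text):
    """Return [(proto, port, exe_path, pid)] for each 'Found ... port' line."""
    out = []
    for line in text.splitlines():
        m = INZIDER_RE.match(line)
        if m:
            proto, port, _addr, exe, pid = m.groups()
            out.append((proto, int(port), exe, int(pid)))
    return out


def suspect_bindings(bindings, suspects=SUSPECT_BINARIES):
    """Ports held by executables that should never bind a socket."""
    return [(p, n, exe, pid) for p, n, exe, pid in bindings
            if exe.rsplit("\\", 1)[-1].lower() in suspects]


def port_owner(bindings, proto, port):
    """Executable holding the given port according to Inzider, or None if unknown."""
    for p, n, exe, _pid in bindings:
        if p == proto and n == port:
            return exe
    return None


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_SAMPLE)
    binds = parse_inzider(INZIDER_SAMPLE)
    for proto, port in unexpected_listeners(rows):
        print(f"unexpected {proto} listener on {port}: owner={port_owner(binds, proto, port)}")
    for proto, port, exe, pid in suspect_bindings(binds):
        print(f"suspect binary {exe} (PID {pid}) holds {proto}/{port}")
```

Run it against the output you saved from both tools and review every line it prints; a port that is neither on the allowlist nor attributable to a known service binary is exactly the case the sidebar tells you to chase down.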

Table 12.4 summarizes the areas where you can use the Security Configuration and Analysis tool to apply and verify security settings on a system.

Table 12.4 Configurable Security Areas

Area              | Configurable items
Account policies  | Password, lockout, and Kerberos authentication settings
Local policies    | Audit, user rights, and security options
Event Log         | Settings for system, application, security, and directory service logs
Restricted groups | Policy regarding group membership
System services   | Start-up modes and access control for system services
Registry          | Access control for registry keys
File system       | Access control for folders and files

You can use the following components of the Security Configuration and Analysis tool set to configure some or all of the security areas described in Table 12.4.

  • Security Templates snap-in—allows you to create a text-based template file that contains security settings for all security areas.
  • Security Configuration and Analysis snap-in—use this snap-in to configure or analyze Windows 2000 operating system security. This snap-in uses the contents of an existing security template to support its operations.
  • Secedit.exe—a command-line version of the Security Configuration and Analysis snap-in.
  • Security Settings extension to Group Policy—use this extension snap-in to the Group Policy editor to configure local security policies, as well as security policies for domains or organizational units (OUs). Local security policies only include the account policy and local policy security areas described in Table 12.4. However, security policies defined for domains or OUs can include all security areas.

You should obtain the "Step-by-Step Guide to Using the Security Configuration Tool Set" from Microsoft TechNet (http://www.microsoft.com/windows2000/library/planning/security/secconfsteps.asp).
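The "analyze" operation of the Security Configuration and Analysis snap-in (and of Secedit.exe) amounts to comparing a template's settings, section by section, with what is in effect on the machine. The Python below is an added example, not Microsoft's tool and not code from the Resource Kit, that performs that comparison on two template-format texts. Both texts are constructed for the example: the section and key names follow the Windows 2000 .inf template format, but the values are an assumed baseline, not the contents of Hisecweb.inf or any shipped template.

```python
"""Compare a security template against a server's current settings (added example)."""
import configparser

# Sections whose keys we compare; [Unicode] and [Version] are template metadata.
COMPARED_SECTIONS = ("System Access", "Event Audit", "Registry Values")

# Constructed baseline in Windows 2000 security-template format (assumed values).
BASELINE_INF = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 9
PasswordComplexity = 1
MaximumPasswordAge = 42
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditPolicyChange = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect=4,2
"""

# Constructed export of a cluster member's effective settings, in the same format.
CURRENT_INF = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 1
MaximumPasswordAge = 42
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 1
AuditAccountLogon = 3
AuditPolicyChange = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15
"""


def load_template(text):
    """Parse template text into {section: {key: value}}, preserving key case and backslashes."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = str  # configparser lowercases keys by default; template keys are case-sensitive
    parser.read_string(text)
    return {section: dict(parser.items(section)) for section in parser.sections()}


def analyze(baseline, current, sections=COMPARED_SECTIONS):
    """Return (section, key, expected, actual) for every baseline setting the current state misses.

    actual is None when the current settings carry no value for that key at all.
    """
    findings = []
    for section in sections:
        for key, expected in baseline.get(section, {}).items():
            actual = current.get(section, {}).get(key)
            if actual is None or actual.strip() != expected.strip():
                findings.append((section, key, expected.strip(),
                                 None if actual is None else actual.strip()))
    return findings


def analyze_inf(baseline_text, current_text):
    """Convenience wrapper: compare two template-format texts."""
    return analyze(load_template(baseline_text), load_template(current_text))


if __name__ == "__main__":
    for section, key, expected, actual in analyze_inf(BASELINE_INF, CURRENT_INF):
        print(f"[{section}] {key}: expected {expected!r}, found {actual!r}")
```

Running the comparison periodically against an export of each cluster member's settings catches the drift the chapter warns about later, where a Setup program or patch silently resets lockdown settings.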

TIP

Take advantage of the incremental security template, Hisecweb.inf, which you can download from the Secure Internet Information Services 5 Checklist page. You can use this template as a baseline that is applicable to most secure Web sites (see the following section).

Pre-Defined Security Templates

Windows 2000 provides a collection of pre-defined security templates that you can apply against your cluster members. This collection consists of default security templates and incremental templates that you can use to extend the security defaults that you've already applied.

Windows 2000 Default Security Templates

The Windows 2000 default security settings are applied only to Windows 2000-based systems that have been clean-installed on an NTFS partition. In an upgrade scenario, where computers are upgraded from Windows NT 4.0 or earlier, the existing security settings are not modified. The following default security templates are provided so you can secure upgraded NTFS computers in the same manner as clean-installed NTFS computers:

  • Basic Workstation (Basicwk.inf)—is for computers running Windows 2000 Professional.
  • Basic Server (Basicsv.inf)—is for computers running Windows 2000 Server.
  • Basic Domain Controller (Basicdc.inf)—is for domain controllers running Windows 2000 Server.

You can use the preceding templates to specify default Windows 2000 security settings for all security areas with the exception of user rights and groups.

NOTE

You cannot apply the default settings in these templates if Windows 2000 is installed on a FAT file system.

Incremental Security Templates

Windows 2000 also ships with incremental security templates. The settings specified in the incremental security templates were created on the assumption that the templates would be applied to computers that had the default Windows 2000 security settings applied. As the name implies, the incremental templates simply extend the default security settings—they do not include the default settings plus modifications.

You should apply incremental templates on computers where Windows 2000 has been clean-installed onto an NTFS partition. If you want to apply any of the incremental security templates to an NTFS computer that was upgraded from Windows NT 4.0 or earlier, apply the corresponding basic template (as described in the preceding section) first. Table 12.5 describes the incremental templates.

Table 12.5 Incremental Security Templates

Security level: Compatible
File name: Compatws.inf
System: Workstation or server
Comments: If you do not want your users to run as power users, the compatible configuration opens the default permissions for the Users group so that legacy applications are more likely to run correctly. Microsoft Office 97 should run successfully when you are logged on as a user to a computer running Windows 2000 that has had the compatible security template applied over the default settings. Note that this is not considered a secure environment.

Security level: Secure
File names: Securews.inf (workstation or server); Securedc.inf (domain controller)
Comments: These secure configurations provide increased security for areas of the operating system not covered by permissions. This includes increased security settings for Account Policy, Auditing, and some well-known security-relevant registry keys. Access control lists are not modified by the secure configurations because the secure configurations assume that default Windows 2000 security settings are in effect.

Security level: Highly secure
File names: Hisecws.inf (workstation or server); Hisecdc.inf (domain controller)
Comments: The high security configuration is provided for computers running Windows 2000 that operate in native Windows 2000 environments only. In this configuration, all network communications must be digitally signed and encrypted at a level that can only be provided by Windows 2000. Therefore, communications between a highly secure computer running Windows 2000 and a client running Windows with a down-level operating system cannot be performed.

Site Hardening

Site hardening involves removing programs and services that are not required, leaving only those that are necessary to support the role of the server. Several of these programs, such as the OS/2 subsystem, have already been identified in the preceding sections.

TIP

Don't install unneeded application software or development tools on your cluster member. Remove applications that aren't required, such as Microsoft Outlook Express, and others contained in the Accessibility, Games, Entertainment, and Communications folders.

You should determine if the services identified in Tables 12.6 and 12.7 are required by any of the programs or applications on your cluster members. If these services aren't needed, remove them from the members.

Table 12.6 Services That May Be Required By Your Installation

Service | Comment | Required by Application Center
Certificate Authority | Required to issue certificates. | No
Content Index | Required if using Index Server. | No
FTP Publishing | Required if using the FTP service. It's highly recommended that FTP and Web services run on separate servers. | No
NNTP | Required if using Network News Transfer Protocol (NNTP). | No
Plug and Play | | Yes
Remote Access Services | Required if you use dial-up access. It's recommended that this run on a server outside of the cluster. | No
RPC Locator | | Yes
Server | Can be disabled, but required to run User Manager. | No
SMTP | Required if using SMTP. | Optional
Telephony | Required if access is by dial-up connection. This is not needed for the cluster. | No
Terminal Services | Required if using Terminal Services for remote administration. | Optional
Uninterruptible Power Supply (UPS) | Optional, but recommended that you use a UPS. | No
Workstation | Optional, but important if you have UNC virtual roots. |

Table 12.7 Services That Are Not Required By Most Installations

Service | Required by Application Center
Alerter |
ClipBook Server | No
Computer Browser | No
DHCP Client | Optional (1)
Messenger | No
NetBIOS Interface | Yes
Net Logon | Yes
Network DDE and Network DDE DSDM | No
Network Monitor Agent | Optional
NWLink NetBIOS | No
NWLink IPX/SPX Compatible Transport | No
Simple TCP/IP | No
Spooler | No
TCP/IP NetBIOS Helper | Yes
WINS Client (TCP/IP) | Yes

1. The DHCP client is only required if you are using DHCP on the network adapter.
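Checking a member's running services against Tables 12.6 and 12.7 is tedious by hand, so here is the check as an added Python example (not code from the Resource Kit or from Application Center). The "Required by Application Center" column is transcribed from the two tables; two cells are blank on the page, so the script assumes Alerter is not required and Workstation is optional. The service inventory is constructed; on a real member it would come from net start or the Services snap-in. Services your own site needs (for example SMTP when you use it) are passed in separately so they are not reported.

```python
"""Audit a cluster member's services against Tables 12.6 and 12.7 (added example)."""
from enum import Enum


class Req(Enum):
    YES = "Yes"            # Application Center itself needs the service
    NO = "No"              # not needed by Application Center; remove unless your site needs it
    OPTIONAL = "Optional"  # depends on the installation


# Transcribed from Tables 12.6 and 12.7 (blank cells filled as noted).
AC_REQUIREMENT = {
    "Certificate Authority": Req.NO,
    "Content Index": Req.NO,
    "FTP Publishing": Req.NO,
    "NNTP": Req.NO,
    "Plug and Play": Req.YES,
    "Remote Access Services": Req.NO,
    "RPC Locator": Req.YES,
    "Server": Req.NO,
    "SMTP": Req.OPTIONAL,
    "Telephony": Req.NO,
    "Terminal Services": Req.OPTIONAL,
    "Uninterruptible Power Supply": Req.NO,
    "Workstation": Req.OPTIONAL,           # assumption: cell is blank in Table 12.6
    "Alerter": Req.NO,                     # assumption: cell is blank in Table 12.7
    "ClipBook Server": Req.NO,
    "Computer Browser": Req.NO,
    "DHCP Client": Req.OPTIONAL,           # only if the adapter uses DHCP (note 1)
    "Messenger": Req.NO,
    "NetBIOS Interface": Req.YES,
    "Net Logon": Req.YES,
    "Network DDE": Req.NO,
    "Network DDE DSDM": Req.NO,
    "Network Monitor Agent": Req.OPTIONAL,
    "NWLink NetBIOS": Req.NO,
    "NWLink IPX/SPX Compatible Transport": Req.NO,
    "Simple TCP/IP": Req.NO,
    "Spooler": Req.NO,
    "TCP/IP NetBIOS Helper": Req.YES,
    "WINS Client (TCP/IP)": Req.YES,
}

# Constructed inventory of one member: service name -> current state.
INVENTORY = {
    "Plug and Play": "Running",
    "RPC Locator": "Running",
    "NetBIOS Interface": "Running",
    "TCP/IP NetBIOS Helper": "Running",
    "WINS Client (TCP/IP)": "Running",
    "Net Logon": "Stopped",
    "Messenger": "Running",
    "Spooler": "Running",
    "SMTP": "Running",
    "FTP Publishing": "Stopped",
    "Acme Backup Agent": "Running",        # hypothetical third-party service
}


def audit_services(inventory, needed_by_site=frozenset(), table=AC_REQUIREMENT):
    """Return [(service, finding)] for services that deviate from the tables.

    needed_by_site: services your installation requires even though Application
    Center does not (Table 12.6's "required if using ..." cases).
    """
    findings = []
    for svc, state in sorted(inventory.items()):
        req = table.get(svc)
        if req is None:
            findings.append((svc, "not in Tables 12.6/12.7; review manually"))
        elif req is Req.YES and state != "Running":
            findings.append((svc, "required by Application Center but not running"))
        elif req is not Req.YES and state == "Running" and svc not in needed_by_site:
            findings.append((svc, "running but not needed; stop and disable"))
    # A required service that is absent from the inventory is a finding too.
    for svc, req in table.items():
        if req is Req.YES and svc not in inventory:
            findings.append((svc, "required by Application Center but not installed"))
    return findings


if __name__ == "__main__":
    for svc, finding in audit_services(INVENTORY, needed_by_site={"SMTP"}):
        print(f"{svc}: {finding}")
```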

WARNING

Sometimes a Setup program will reset operating system or IIS configuration settings back to their original defaults. After you install a security patch, service pack, hotfix, or software program, check all your lockdown settings to make sure that they haven't been reset.

Windows 2000 Server Settings

The following guidelines, taken from the Windows 2000 Server documentation, identify settings and actions that you should consider when setting up your server running Windows 2000 Server:

  • Review and apply the appropriate secure configuration template settings (see "Security Templates" earlier in this chapter).
  • Turn off NTFS 8.3 name generation.
  • Set the system start time to zero seconds.
  • Remove the OS/2 subsystem.
  • Remove the Portable Operating System Interface for UNIX (POSIX) subsystem.
  • Format the hard disk(s) to NTFS.
  • Set appropriate NTFS discretionary access control lists (DACLs).
  • Remove all network shares.
  • Unbind NetBIOS from TCP/IP unless it is absolutely required.
  • Disable IP routing.
  • Disable the Guest account.
  • Check user accounts, group membership, and privileges. Only give users the privileges they need to do their work.
  • Set a very strong password for the Administrator account (at least nine characters).

You should read the article "Default Access Control Settings in Windows 2000," which is available at the Microsoft TechNet Web site (http://www.microsoft.com/technet/win2000/win2ksrv/technote/secdefs.asp). Compare and contrast these settings with those that are required and implemented by Application Center Setup. This article provides detailed information about the permissions given to the three main user categories: administrator, power user, and user. In addition, this article includes information about the default file system and registry ACLs for the three user types.

TIP

Secure your servers from physical access by hackers. If an unauthorized user has physical access to the server, they can find a way around the standard password protection. You can:
  • Configure the BIOS so the server won't start from a floppy disk drive.
  • Password protect the BIOS so it can't be reconfigured.
  • Lock the server case to prevent access to the BIOS jumpers on the motherboard.
  • Put the server in a locked room with limited access.

IIS Settings

The next step in securing your Windows 2000 and Web server environment is to read the "Secure Internet Information Services 5 Checklist" (http://www.microsoft.com/technet/security/iis5chk.asp) written by Michael Howard, a member of the Windows 2000 security team. His article highlights issues that are specific to securing IIS 5.0 and includes the "why" and "how" for the following items:

  • Setting appropriate ACLs on virtual directories
  • Recommended default ACLs by file type
  • How to set appropriate log file ACLs
  • How to enable and configure logging
  • Setting IP address/DNS address restrictions
  • Validating executable content for trustworthiness
  • Updating root CA certificates at the server running IIS
  • Disabling or removing all sample applications
  • Disabling or removing unneeded COM components
  • Removing the IISADMPWD virtual directory
  • Removing unused script mappings
  • Removing extensions from IIS 5.0
  • Checking <FORM> and Querystring input in ASP code
  • Disabling parent paths
  • Disabling the IP address in Content-Location

In addition to the preceding information, this article shows you how to get automatic notification of security issues via e-mail by subscribing to the Microsoft Security Notification service.

The Applications and Components

Your applications and components span both the presentation and business services tiers, and these elements should be secured in accordance to the tier that they support.

Before deploying an application, you should:

  • Make sure that the application validates all user input on the client-side before passing on data to the other layers.
  • Remove all hard-coded values, such as user names and passwords that were used for testing the applications.
  • Configure IIS to ensure that all ASP pages are set as Execute Only.
  • Verify that components are not vulnerable to buffer overflow attacks by using a code analysis tool such as Prefix.
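The first item on that list, validating every user input before it is passed on to the other layers, is the one most often done half-way (a check for one bad character rather than an allowlist). The Python below is an added example, not code from the Resource Kit, of what a complete validation step in front of the business and data tiers looks like for <FORM> or query-string input: each field is checked against an allowlist pattern and a length limit, unexpected or repeated fields are rejected rather than ignored, and the caller gets either a dict of clean values or the full list of problems. The order-lookup page and its field schema are hypothetical.

```python
"""Validate form / query-string input before it reaches the other tiers (added example)."""
import re
from urllib.parse import parse_qs

# Hypothetical schema for an order-lookup page: field -> (allowed pattern, max length, required?)
SCHEMA = {
    "customer_id": (re.compile(r"[0-9]{1,10}"), 10, True),
    "email": (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), 254, True),
    "sort": (re.compile(r"date|total"), 5, False),   # only the two values the page understands
}


class ValidationError(ValueError):
    """Carries every problem found, so the caller can log all of them at once."""

    def __init__(self, errors):
        super().__init__("; ".join(errors))
        self.errors = errors


def validate_query(query_string, schema=SCHEMA):
    """Return {field: value} for a clean request; raise ValidationError otherwise."""
    raw = parse_qs(query_string, keep_blank_values=True)
    # Fields the page never asked for are rejected, not silently dropped.
    errors = [f"{name}: unexpected field" for name in raw if name not in schema]
    clean = {}
    for name, (pattern, max_len, required) in schema.items():
        values = raw.get(name, [])
        if len(values) > 1:
            errors.append(f"{name}: supplied more than once")
        elif not values:
            if required:
                errors.append(f"{name}: missing")
        elif len(values[0]) > max_len:
            errors.append(f"{name}: longer than {max_len} characters")
        elif not pattern.fullmatch(values[0]):
            # fullmatch anchors both ends; match() would accept trailing garbage
            errors.append(f"{name}: does not match the allowed format")
        else:
            clean[name] = values[0]
    if errors:
        raise ValidationError(errors)
    return clean


def validation_errors(query_string, schema=SCHEMA):
    """Convenience wrapper: the list of problems, empty when the input is clean."""
    try:
        validate_query(query_string, schema)
    except ValidationError as exc:
        return exc.errors
    return []


if __name__ == "__main__":
    print(validate_query("customer_id=42&email=a%40example.com&sort=date"))
    for problem in validation_errors("customer_id=42abc&email=not-an-address&debug=1"):
        print("rejected:", problem)
```

Only the dict returned by validate_query should ever be handed to the business components or used to build a database call; the raw request is never passed through.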

    TIP

    Read Marco Gregorini's articles, "The Subtleties of Client Impersonation with IIS, ASP and MTS/COM(+)." You can find Parts 1 and 2 on the ASP Today Web site (http://www.asptoday.com/articles/20000302.htm).

COM+ is a key technology in the business services layer because it provides a programming model for integrated security checking, automatic enlistment in resource pooling and transactions, threading synchronization, and lifetime management of component instances.

NOTE

Components can be organized into business and data components. Business components create and enlist data components during a method call in existing transactions, of which the business component may be the root. Typically the business component uses COM+ to check security, while the data components are usually instantiated by the business object. This optimizes security because security is not checked when the data object's methods are invoked. The business objects, rather than the data objects, are instantiated by an ASP page or DCOM call.

Use DCOM config to ensure that DCOM interfaces are secure by only allowing specific users to instantiate these interfaces.

Data objects manage the data on the back-end and massage it into a form that the business object can handle. This encapsulation hides the underlying data structure so the client isn't aware of data structures such as tables, relationships, or even column names.

The following articles relate to component security and are available from MSDN:

  • "Using Distributed COM with Firewalls," adapted from an article by Michael Nelson (http://msdn.microsoft.com/library/backgrnd/html/msdn_dcomfirewall.htm)
  • "Security Briefs," by Keith Brown, Microsoft Systems Journal (http://msdn.microsoft.com/library/periodic/period99/security1199.htm)
  • "The COM+ Security Model Gets You Out of the Programming Business," by Guy Eddon, Microsoft Systems Journal (http://msdn.microsoft.com/library/periodic/period99/comsecurity.htm)

    TIP

    Check the permissions on application executables and components to ensure that they can't be overwritten with malicious code.

The Back-End Databases

The final element to secure in the three-tier security model is your database server. As we noted in "Data Services" earlier in this chapter, we recommend that you implement strong security on your back-end database—do not rely solely on the business services layer to secure your data.

SQL Server Settings

The following checklist provides some guidelines to follow for securing a Microsoft SQL Server database:

  • Harden the database server by stopping all unnecessary services and removing programs that aren't required. Look for sample material (database applications, stored procedures, and databases) and test material (stored procedures and data) that can be removed.
  • Whenever possible, use Windows 2000 authentication, rather than SQL Server authentication. Known as integrated security, Windows 2000 authentication lets you take advantage of the Windows 2000 password management features (for example, aging and strength).
  • Exploit SQL Server's user access privileges (select, insert, delete, and update) and roles on objects such as tables and views.
  • Prevent direct access to tables by using execute privileges for specific stored procedures.
  • Enable the SQL Server audit feature to monitor logon successes and failures.


Microsoft Application Center 2000 Resource Kit 2001