Implementing Security Baseline Settings


One of the first steps you need to take to implement standard network administration procedures is to establish a baseline. What exactly is a secure baseline? The idea behind a secure baseline, or secure build, is to implement a common standard security configuration that is used throughout an organization whenever an operating system is installed, whether on a client or a server platform. The baseline establishes a set of rules or recommendations that outline the minimum acceptable security configuration for new installations. Certainly no single baseline can be applied across all organizations; needs undoubtedly vary from one organization to the next. Each organization must assess its own needs and security requirements when establishing a secure baseline.

A secure baseline or build involves installing the operating system, applying service packs and hot fixes, and configuring various operating system settings, as well as documenting each step of the process so that it can be repeated. You must determine what procedures need to be performed on the computer and then establish documentation outlining the secure baseline and how to manage deployment. Remember, the purpose here is to increase security. The secure baseline therefore needs to be implemented consistently throughout an organization.

The first step in adding a new server to the network is to install the base operating system. Because a freshly installed operating system carries every vulnerability that has been published since the installation media was built, precautions must be taken after installation to ensure that the system is not compromised before it is patched. Service packs and hot fixes exist that eliminate many of the known security issues associated with the base installation of an operating system. Until those updates are installed, the server is exposed to attacks that target exactly those issues.

To perform a secure baseline installation of an operating system, it is recommended that the server be disconnected from the network until the necessary service packs and hot fixes have been added. Keep in mind that because the server will not be connected to the network, you must have the service packs and hot fixes available offline, on CD, DVD, or an external drive.

Preparing the Development and Test Environment

One of the steps that should be taken to ensure server security during installation is to disconnect the server from the production network until the service packs and hot fixes have been applied. Ideally, an organization will have a development and test environment that is separate from the production network where installations can be performed securely.

The goal of a development and test environment is to provide a way for administrators to securely test server installations and configurations (as well as the installation of different services and applications). The test and development environment should mirror the actual production environment as closely as possible.

Applying Service Packs and Hot Fixes

Soon after an operating system is released, Microsoft normally releases a service pack. Service packs allow a vendor to distribute a large set of updates to an operating system in one package. Users can simply access the vendor's website and download the service pack for installation. To track and control which updates are installed across many systems, you can use a technology called Software Update Services (SUS, later superseded by Windows Server Update Services), which is discussed later in the chapter. Service packs are intended to fix known issues with an operating system, keep the product up-to-date, and introduce new features. Service packs can include any of the following:

  • Updates to the operating system

  • New administrative tools

  • Drivers

  • Additional components

It is not uncommon for several service packs to be released over time for a single operating system. Keep in mind when using service packs that they are cumulative, so any new service packs contain all the fixes in the previous service packs, along with new updates.

Most organizations opt to keep up-to-date and install the latest service packs on their servers after they have been assessed in a test environment. Because service packs often contain fixes for known security issues for an operating system, applying the latest service pack is an important step in creating a secure baseline installation for servers.

Between the releases of service packs, Microsoft releases hot fixes, which patch a specific problem with an operating system until the fix is rolled into the next service pack. One of the issues associated with installing hot fixes is that they are developed and released quickly and, therefore, receive far less testing than a service pack. Installing a hot fix can, in turn, have a negative impact on the server. It is important to evaluate the hot fixes released by Microsoft to determine whether they are necessary: if a hot fix addresses a component or vulnerability that does not apply to your server, it does not need to be applied.

When service packs and hot fixes are deployed, they should first be deployed within a test environment so that you can evaluate the impact on the server before installing it in the production environment.

You can use the HFNetChk utility (hfnetchk.exe) to determine the hot fixes that might be required for your server. When the command-line utility is run, it scans the system to determine the operating system, service pack level, and programs installed. It then determines the security patches available for your system, based on the components running, by comparing what it finds against Microsoft's security update catalog (mssecure.xml), which it downloads or which you must supply if the server is still disconnected from the network. HFNetChk displays the hot fixes that should be installed to bring the system up-to-date. Its functionality was later folded into the Microsoft Baseline Security Analyzer (MBSA).

You can run HFNetChk from Windows NT 4.0, Windows 2000, Windows XP, or Windows Server 2003 systems, and it will scan either the local system or remote systems for patches available for the following products:

  • Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003

  • Internet Information Server 4.0 and 5.0

  • SQL Server 7.0 and 2000 (including Microsoft Data Engine)

  • Internet Explorer 5.01 and later

The system requirements to run the utility include the following:

  • Windows NT 4.0, Windows 2000, Windows XP, or Windows Server 2003

  • Internet Explorer 5.0 or later (an XML parser is required and one is included with Internet Explorer 5.0)

Securing the Operating System

After the operating system has been installed and the necessary service packs and hot fixes have been added, a number of configuration changes can be made to the operating system to make it more secure. This is often referred to as operating system hardening. Again, the changes that are made to harden the server should be documented and made standard for all servers throughout an organization. Some of the steps that should be included with securing the operating system are as follows:

  • Install antivirus software. All servers (and workstations) should run antivirus software.

  • During the installation of Windows Server 2003, you must select the type of file system to use. If you did not choose NTFS during the installation, you should convert any partitions from FAT to NTFS. You can do so using the convert command without losing any data; note that the conversion is one-way (there is no supported conversion back to FAT) and that the system volume is converted at the next reboot. Because NTFS offers security features that FAT does not, such as file-level permissions, ensure that this is the file system being used on network servers.

  • Configure a strong password for the Administrator account. During the installation of Windows Server 2003, you are prompted to create a password for the Administrator account. Keep in mind that Windows Server 2003 Setup warns you if the password you enter is not complex; you can override the warning, but you should not. Complex passwords must be at least six characters and cannot contain the words "Administrator" or "Admin." They must also contain characters from three of the following four categories: lowercase letters, uppercase letters, numbers, and non-alphanumeric characters.

  • Disable unnecessary services. In Windows Server 2003, many of the services enabled in previous versions are now disabled by default. You can use the Services console (services.msc, under Administrative Tools) to further restrict which services will be running; set unneeded services to Disabled rather than Manual so that nothing can start them on demand.

  • Remove or disable any unnecessary protocols, such as IPX/SPX. By default, when Windows Server 2003 is installed, the only protocol added is TCP/IP (unless you perform a custom network setup). If any other protocols are inadvertently installed and are not required, they should be removed.

  • Any unnecessary user accounts should be disabled or deleted. Accounts that are considered inactive should be disabled, and those that are no longer needed should be removed entirely.

  • Configure the various security settings within the local or domain security policy. This includes a password policy, an account lockout policy, a Kerberos policy (which applies only at the domain level), and an audit policy. You can use the Windows Server 2003 Security Guide, published by Microsoft, as a basis for configuring security settings for various server roles. You can find a copy of the guide at http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx.

Keeping the System Secure

When your organization has a secure baseline installation that is followed by all administrators when installing new servers and workstations, what happens after the installation? What about after the service packs and updates have been applied? Or after you've taken the time to harden the operating system? To ensure that the level of security is maintained, some standardized methods must be put in place outlining how to maintain the security of servers. There is no point in taking the time to perform a secure baseline installation if the security configuration is not documented and maintained afterward. To ensure that the required level of security is maintained, follow these guidelines:

  • Check for operating system updates on a regular basis. Because software updates are often released quite frequently, you should check for updates on a regular basis to determine whether any are applicable to your server configuration. You can also automate this process by using the Windows Update feature. Again, before deploying updates, you should test them within a controlled environment.

  • Keep antivirus signature files updated. Again, many vendors have an automatic update option, so this can be done automatically.

  • View the information in the audit logs on a regular basis.

  • Use the Security Configuration and Analysis snap-in (or secedit /analyze from the command line) to ensure that the minimum security requirements continue to be met. It analyzes the current security settings on a computer and compares them to those stored in a database built from your baseline security template, flagging discrepancies that creep in over time. The Microsoft Baseline Security Analyzer (MBSA) complements this by checking for missing security updates and common misconfigurations.
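The hardening steps listed under "Securing the Operating System" and the drift checks listed above can be scripted against the same baseline template, which is what keeps the configuration consistent across servers. The following PowerShell script is an added example written for this page, not a script from the book or from Microsoft. It assumes a directory C:\Baseline, an illustrative list of services to disable, a 90-day inactivity cutoff for local accounts, and the policy values in the template; all of these are choices for one site and not from the original text. It must run from an elevated prompt on the server being baselined.

```powershell
# Added example (not the book's own script): build, apply and re-check a
# Windows Server 2003 security baseline with secedit.exe and PowerShell.
# Assumptions, not from the text: the paths under C:\Baseline, the service
# list, the 90-day inactivity cutoff and the policy values in the template
# are illustrative choices. Requires an elevated prompt; secedit.exe ships
# with Windows.

$BaseDir  = 'C:\Baseline'
$Template = Join-Path $BaseDir 'baseline.inf'
$Database = Join-Path $BaseDir 'baseline.sdb'
$ApplyLog = Join-Path $BaseDir 'apply.log'
$CheckLog = Join-Path $BaseDir 'analyze.log'

# Security template in the INF format secedit consumes. Audit values:
# 0 = none, 1 = success, 2 = failure, 3 = success and failure.
$BaselineInf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
MaximumPasswordAge = 60
PasswordHistorySize = 12
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 3
AuditPolicyChange = 3
AuditPrivilegeUse = 2
AuditSystemEvents = 3
'@

function Write-BaselineTemplate {
    if (-not (Test-Path $BaseDir)) { New-Item -ItemType Directory -Path $BaseDir | Out-Null }
    # secedit expects a Unicode template, as the [Unicode] header declares.
    Set-Content -Path $Template -Value $BaselineInf -Encoding Unicode
}

function Invoke-Baseline {
    # Step 1: file system. Only report here: convert is one-way and converts
    # the system volume at the next reboot, so leave the decision to a human.
    Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' |
        Where-Object { $_.FileSystem -ne 'NTFS' } |
        ForEach-Object { Write-Warning "$($_.DeviceID) is $($_.FileSystem); run: convert $($_.DeviceID) /FS:NTFS" }

    # Step 2: services this server role does not need (illustrative list).
    foreach ($name in 'TlntSvr', 'Messenger', 'Alerter') {
        if (Get-Service -Name $name -ErrorAction SilentlyContinue) {
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
            Set-Service -Name $name -StartupType Disabled
        }
    }

    # Step 3: disable local accounts idle for more than 90 days (never Administrator).
    $cutoff   = (Get-Date).AddDays(-90)
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    foreach ($user in ($computer.Children | Where-Object { $_.SchemaClassName -eq 'User' })) {
        if ($user.Name -eq 'Administrator') { continue }
        $last = $null
        try { $last = [datetime]$user.LastLogin.Value } catch { }   # never logged on -> $null
        if ($last -eq $null -or $last -lt $cutoff) {
            $user.InvokeSet('AccountDisabled', $true)
            $user.SetInfo()
            Write-Output "Disabled inactive account $($user.Name)"
        }
    }

    # Step 4: password, lockout and audit policy from the template.
    & secedit /configure /db $Database /cfg $Template /overwrite /log $ApplyLog /quiet
}

function Test-Baseline {
    # Compare live settings with the template and surface anything that drifted.
    & secedit /analyze /db $Database /cfg $Template /log $CheckLog /quiet
    # The analyze log marks each differing setting with the word "Mismatch".
    Select-String -Path $CheckLog -Pattern 'Mismatch' | ForEach-Object { $_.Line.Trim() }
}

function Get-MissingHotfix([string[]]$Required) {
    # $Required is the KB list your patch-assessment tool says this role needs.
    $installed = Get-WmiObject Win32_QuickFixEngineering | ForEach-Object { $_.HotFixID }
    $Required | Where-Object { $installed -notcontains $_ }
}

Write-BaselineTemplate
Invoke-Baseline
Test-Baseline
```

Run the script once per new server to apply the baseline, and schedule Test-Baseline (and Get-MissingHotfix with the current list of required updates) to run periodically; any Mismatch lines it prints are settings that have drifted from the documented baseline and should be investigated rather than silently reapplied, since the change may be the trace of an intrusion.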

Implementing the Principle of Least Privilege

Implementing the principle of least privilege adds another level of security to your network. The principle of least privilege is based on the idea that a user who is logged on should have only the minimum privileges required to perform a task. This limits the damage that can occur if the account or its session is compromised. This means that even network administrators should be logged on with user accounts that have restrictive permissions when performing routine tasks. They can then perform administrative tasks under the context of a separate account with additional privileges, either by logging off and logging on under that account or by using the runas command to start only the administrative tool under the privileged account.



Exam Cram(c) 70-291 Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure
ISBN: 131516345
Year: 2006
Pages: 126