In dealing with Application Center clusters, you have to take a holistic approach to security by reviewing the security configurations of the individual software elements that make up the cluster environment. These include:
NOTE
Your cluster topology and application architecture will play an important role in determining how some of these elements are configured, particularly when firewalls are implemented as part of the environment.
Before beginning any security assessment and configuration for your environment, you should read the "Site Security Planning" documentation in Appendix B of the Microsoft Internet Information Services 5.0 Resource Guide (Microsoft Press, 1999).
Although they're not exhaustive, the following steps, which are extracted from an article called "Security Considerations for Network Attacks" (Microsoft TechNet), provide a good starting point for general network security. These steps can lower the vulnerability of your Web site to DoS and other network attacks:
The "Security Considerations for Network Attacks" article also provides detailed information about the registry settings that will increase the resistance of the Windows 2000 network stack to DoS attacks.
Because the Web server (IIS) runs as a Windows 2000 Server service and you can regard the two programs as a single entity, we'll start by looking at general security measures that can be applied to both, specifically the use of security templates and site hardening techniques. Following this, we've provided specific checklists for configuring Windows 2000 Server and IIS.
NOTE
As you may recall from earlier chapters, the Windows 2000 server and IIS settings that you configure on the cluster controller provide the master configuration settings for every cluster member. Therefore, overall cluster security is only as good as the lockdown you implement on the cluster controller.
Windows 2000 provides standard and incremental security templates that you can use in conjunction with the Windows 2000 Security Configuration and Analysis tool. This tool provides a single point of administration for Windows system security. It allows you to:
Port probes and attacks
Gaining entry to computer systems via unsecured ports is probably one of the easiest avenues of attack, even for the least sophisticated hacker. The Internet has dozens of popular sites where anyone can download a port scanner for virtually any operating system. Software for detecting port probes is as essential to your operation as virus detection software.
TIP
Have a look at the Intrusion Detection FAQ published by the SANS Institute. The FAQ can be obtained at http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm
There are several excellent tools available for detecting port probe intrusions as well as checking for security weaknesses. You should regularly run a security scanner on your Web server by using software from one of the companies listed at the Microsoft Security Advisor site (http://www.microsoft.com/technet/security/partners/default.asp).
TIP
If you want to find out what ports are active on your server, as well as their state, run netstat -a | more from the Windows 2000 command prompt. You'll get output similar to the following:

```
TCP    ACDW01:2756    sam-xyz-99.samples.microsoft.com:3670    ESTABLISHED
TCP    ACDW01:2789    ACDW01.samples.microsoft.com:0           LISTENING
UDP    ACDW01:epmap   *:*
UDP    ACDW01:1029    *:*
```

Note that netstat lists only addresses and ports, not the process behind them. To find out which running application is actually holding open each listening port, you'll need a special tool. The best, and perhaps only, tool is Inzider. Developed by Arne Vidstrom, it's available from his Web site at http://ntsecurity.nu.
The following sample output illustrates the type of information that Inzider provides:

```
Checked E:\Program Files\Microsoft Office\Office\OUTLOOK.EXE (PID=1504)
Found UDP port 4079 bound at 0.0.0.0 by E:\Program Files\Microsoft Office\Office\OUTLOOK.EXE (PID=1504) [UDP client]
Found UDP port 4080 bound at 0.0.0.0 by E:\Program Files\Microsoft Office\Office\OUTLOOK.EXE (PID=1504) [UDP client]
Checked E:\WINNT\Explorer.exe (PID=1320)
Checked C:\Inoculan\realmon.exe (PID=1572)
Checked E:\Program Files\Common Files\Microsoft Shared\Service Manager\sqlmangr.exe (PID=1076)
Checked E:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE (PID=1452)
Found UDP port 4087 bound at 0.0.0.0 by E:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE (PID=1452) [UDP client]
Found UDP port 4088 bound at 0.0.0.0 by E:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE (PID=1452) [UDP client]
```

After you've installed Inzider, you can use it to track down the executable that is using each port to see what it is. Keep a close eye out for odd programs, such as "Explorer," opening ports because this is usually an indication that you've been infected by a Trojan—Explorer does not open ports.
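Reviewing this output by hand on every cluster member does not scale, and a port that appears between two reviews is easy to miss. The following script is an added example, not part of the book or of Inzider; it parses netstat -a style lines and Inzider style lines (both samples below are constructed in the formats shown above, not real captures), flags TCP listeners and UDP bindings that are not in an allowlist you supply, and flags bindings owned by executables that should never open a port, such as Explorer.exe. The PORT_NAMES map and the bracketed tag on the TCP Inzider lines are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Names netstat prints for well-known ports when -n is not given (assumed map;
# run "netstat -an" instead to get numeric ports and make this table unnecessary).
PORT_NAMES = {"http": 80, "https": 443, "ftp": 21, "smtp": 25, "epmap": 135, "nbsession": 139}

# Constructed sample in the format of the netstat -a output above (not a real capture).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address                          State
  TCP    ACDW01:http            ACDW01.samples.microsoft.com:0           LISTENING
  TCP    ACDW01:2756            sam-xyz-99.samples.microsoft.com:3670    ESTABLISHED
  TCP    ACDW01:2789            ACDW01.samples.microsoft.com:0           LISTENING
  TCP    ACDW01:31337           ACDW01.samples.microsoft.com:0           LISTENING
  UDP    ACDW01:epmap           *:*
  UDP    ACDW01:1029            *:*
"""

# Constructed sample in the format of the Inzider output above; the bracketed tag on
# the TCP lines is assumed, and the parser ignores it.
INZIDER_SAMPLE = r"""Checked E:\WINNT\Explorer.exe (PID=1320)
Found TCP port 31337 bound at 0.0.0.0 by E:\WINNT\Explorer.exe (PID=1320) [TCP listener]
Checked E:\WINNT\system32\inetsrv\inetinfo.exe (PID=900)
Found TCP port 80 bound at 0.0.0.0 by E:\WINNT\system32\inetsrv\inetinfo.exe (PID=900) [TCP listener]
Found UDP port 1029 bound at 0.0.0.0 by E:\WINNT\system32\inetsrv\inetinfo.exe (PID=900) [UDP client]
"""


@dataclass(frozen=True)
class Socket:
    proto: str            # "TCP" or "UDP"
    port: Optional[int]   # None when a named port is not in PORT_NAMES
    name: str             # raw port field, e.g. "2789" or "epmap"
    state: str            # "LISTENING", "ESTABLISHED", ... or "" for UDP


@dataclass(frozen=True)
class Binding:
    proto: str
    port: int
    addr: str
    exe: str
    pid: int


NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
INZIDER_RE = re.compile(r"^Found (TCP|UDP) port (\d+) bound at (\S+) by (.+?) \(PID=(\d+)\)")


def parse_netstat(text: str) -> List[Socket]:
    """One Socket per TCP/UDP line; header and blank lines are skipped."""
    out = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, _host, name, _foreign, state = m.groups()
        port = int(name) if name.isdigit() else PORT_NAMES.get(name.lower())
        out.append(Socket(proto, port, name, state or ""))
    return out


def unexpected_listeners(sockets: List[Socket], allowed_tcp: Set[int],
                         allowed_udp: Set[int]) -> List[Tuple[str, str]]:
    """TCP sockets in LISTENING state and all UDP bindings that are outside the allowlist.
    A named port that cannot be resolved is reported rather than silently accepted."""
    found = []
    for s in sockets:
        if s.proto == "TCP" and s.state != "LISTENING":
            continue
        allowed = allowed_tcp if s.proto == "TCP" else allowed_udp
        if s.port is None or s.port not in allowed:
            found.append((s.proto, s.name))
    return sorted(found)


def parse_inzider(text: str) -> List[Binding]:
    """Only the 'Found ... port ... by <exe> (PID=n)' lines carry bindings."""
    out = []
    for line in text.splitlines():
        m = INZIDER_RE.match(line)
        if m:
            proto, port, addr, exe, pid = m.groups()
            out.append(Binding(proto, int(port), addr, exe, int(pid)))
    return out


def suspicious_binders(bindings: List[Binding], never_bind: Set[str]) -> List[Binding]:
    """Bindings owned by executables that have no business opening a port. A Trojan
    often hides under a familiar name, which is why the check is by file name."""
    names = {n.lower() for n in never_bind}
    return [b for b in bindings if b.exe.rsplit("\\", 1)[-1].lower() in names]


def audit(netstat_text: str, inzider_text: str, allowed_tcp: Set[int],
          allowed_udp: Set[int], never_bind: Set[str]) -> Dict[str, list]:
    return {
        "unexpected_listeners": unexpected_listeners(parse_netstat(netstat_text),
                                                     allowed_tcp, allowed_udp),
        "suspicious_binders": [(b.exe, b.proto, b.port, b.pid)
                               for b in suspicious_binders(parse_inzider(inzider_text), never_bind)],
    }


if __name__ == "__main__":
    # A Web cluster member is expected to listen on 80 and 443 only (assumed baseline).
    for key, value in audit(NETSTAT_SAMPLE, INZIDER_SAMPLE, {80, 443}, set(), {"explorer.exe"}).items():
        print(key, value)
```

Feed it the saved output of netstat -a and Inzider from each member; anything it reports is either a port you forgot to put in the baseline or something that should not be there. Keep the baseline per server role, since the controller and the members may legitimately differ.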
Table 12.4 summarizes the areas where you can use the Security Configuration and Analysis tool to apply and verify security settings on a system.
Table 12.4 Configurable Security Areas
Area | Configurable items |
---|---|
Account policies | Password, lockout, and Kerberos authentication settings |
Local policies | Audit, user rights, and security options |
Event Log | Settings for system application, security, and directory service logs |
Restricted groups | Policy regarding group membership |
System services | Start-up modes and access control for system services |
Registry | Access control for registry keys |
File system | Access control for folders and files |
You can use the following components of the Security Configuration and Analysis tool set to configure some or all of the security areas described in Table 12.4.
You should obtain the "Step-by-Step Guide to Using the Security Configuration Tool Set" from Microsoft TechNet (http://www.microsoft.com/windows2000/library/planning/security/secconfsteps.asp).
TIP
Take advantage of the incremental security template, Hisecweb.inf, which you can download from the Secure Internet Information Services 5 Checklist page. You can use this template as a baseline that is applicable to most secure Web sites (see the following section).
Pre-Defined Security Templates
Windows 2000 provides a collection of pre-defined security templates that you can apply against your cluster members. This collection consists of default security templates and incremental templates that you can use to extend the security defaults that you've already applied.
Windows 2000 Default Security Templates
The Windows 2000 default security settings are applied only to Windows 2000-based systems that have been clean-installed on an NTFS partition. In an upgrade scenario, where computers are upgraded from Windows NT 4.0 or earlier, the existing security settings are not modified. The following default security templates are provided so you can secure upgraded NTFS computers in the same manner as clean-installed NTFS computers:
You can use the preceding templates to specify default Windows 2000 security settings for all security areas with the exception of user rights and groups.
NOTE
You cannot apply the default settings in these templates if Windows 2000 is installed on a FAT file system.
Incremental Security Templates
Windows 2000 also ships with incremental security templates. The settings specified in the incremental security templates were created on the assumption that the templates would be applied to computers that had the default Windows 2000 security settings applied. As the name implies, the incremental templates simply extend the default security settings—they do not include the default settings plus modifications.
You should apply incremental templates on computers where Windows 2000 has been clean-installed onto an NTFS partition. If you want to apply any of the incremental security templates to an NTFS computer that was upgraded from Windows NT 4.0 or earlier, apply the corresponding basic template (as described in the preceding section) first. Table 12.5 describes the incremental templates.
Table 12.5 Incremental Security Templates
Security level | File name | System | Comments |
---|---|---|---|
Compatible | Compatws.inf | Workstation or server | If you do not want your users to run as power users, the compatible configuration opens the default permissions for the Users group so that legacy applications are more likely to run correctly. Microsoft Office 97 should run successfully when you are logged on as a user to a computer running Windows 2000 that has had the compatible security template applied over the default settings. Note that this is not considered a secure environment. |
Secure | Securews.inf Securedc.inf | Workstation or server Domain controller | These secure configurations provide increased security for areas of the operating system not covered by permissions. This includes increased security settings for Account Policy, Auditing, and some well-known security-relevant registry keys. Access control lists are not modified by the secure configurations because the secure configurations assume that default Windows 2000 security settings are in effect. |
Highly secure | Hisecws.inf Hisecdc.inf | Workstation or server Domain controller | The high security configuration is provided for computers running Windows 2000 that operate in native Windows 2000 environments only. In this configuration, all network communications must be digitally signed and encrypted at a level that can only be provided by Windows 2000. Therefore, communications between a highly secure computer running Windows 2000 and a client running Windows with a down-level operating system cannot be performed. |
Site hardening involves removing programs and services that are not required, leaving only those that are necessary to support the role of the server. Several of these programs, such as the OS/2 subsystem, have already been identified in the preceding sections.
TIP
Don't install unneeded application software or development tools on your cluster member. Remove applications that aren't required, such as Microsoft Outlook Express, and others contained in the Accessibility, Games, Entertainment, and Communications folders.
You should determine if the services identified in Tables 12.6 and 12.7 are required by any of the programs or applications on your cluster members. If these services aren't needed, remove them from the members.
Table 12.6 Services That May Be Required By Your Installation
Service | Comment | Required by Application Center |
---|---|---|
Certificate Authority | Required to issue certificates. | No |
Content Index | Required if using Index Server. | No |
FTP Publishing | Required if using the FTP service. It's highly recommended that FTP and Web services run on separate servers. | No |
NNTP | Required if using Network News Transfer Protocol (NNTP). | No |
Plug and Play | | Yes |
Remote Access Services | Required if you use dial-up access. It's recommended that this run on a server outside of the cluster. | No |
RPC Locator | | Yes |
Server | Can be disabled, but required to run User Manager. | No |
SMTP | Required if using SMTP. | Optional |
Telephony | Required if access is by dial-up connection. This is not needed for the cluster. | No |
Terminal Services | Required if using Terminal Services for remote administration. | Optional |
Uninterruptible Power Supply (UPS) | Optional, but recommended that you use a UPS. | No |
Workstation | Optional, but important if you have UNC virtual roots. | |
Table 12.7 Services That Are Not Required By Most Installations
Service | Required by Application Center |
---|---|
Alerter | |
ClipBook Server | No |
Computer Browser | No |
DHCP Client | Optional (1) |
Messenger | No |
NetBIOS Interface | Yes |
Net Logon | Yes |
Network DDE and Network DDE DSDM | No |
Network Monitor Agent | Optional |
NWLink NetBIOS | No |
NWLink IPX/SPX Compatible Transport | No |
Simple TCP/IP | No |
Spooler | No |
TCP/IP NetBIOS Helper | Yes |
WINS Client (TCP/IP) | Yes |
(1) The DHCP client is only required if you are using DHCP on the network adapter.
WARNING
Sometimes a Setup program will reset operating system or IIS configuration settings back to their original defaults. After you install a security patch, service pack, hotfix, or software program, check all your lockdown settings to make sure that they haven't been reset.
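Tables 12.6 and 12.7 give you the desired state; what is missing is a way to apply it once and to prove it is still in place after every service pack, hotfix, or Setup run. The following script is an added example, not part of the book or of the Security Configuration Tool Set. It renders the "not required" services as a [Service General Setting] section of an incremental security template (Disabled, start code 4) and compares a later start-mode snapshot against that lockdown. The service short names, the service SDDL, and the post-patch snapshot (constructed to show Messenger and the Spooler having been reset) are assumptions; verify the short names in the Services snap-in on your own build before applying the template.

```python
from typing import Dict, List, Tuple

# Start-mode codes used in the [Service General Setting] section of a security
# template (the same values as the service's Start value in the registry).
START_AUTO, START_MANUAL, START_DISABLED = 2, 3, 4
MODE_WORD = {START_AUTO: "Auto", START_MANUAL: "Manual", START_DISABLED: "Disabled"}
WORD_MODE = {word: mode for mode, word in MODE_WORD.items()}

# Short names assumed for the display names in Table 12.7 that a Web cluster member
# does not need (NWLink entries are transports, not services, so they are not here).
NOT_REQUIRED = {
    "Alerter": "Alerter",
    "ClipSrv": "ClipBook Server",
    "Browser": "Computer Browser",
    "Messenger": "Messenger",
    "NetDDE": "Network DDE",
    "NetDDEdsdm": "Network DDE DSDM",
    "SimpTcp": "Simple TCP/IP Services",
    "Spooler": "Print Spooler",
}
# Services the tables mark as required by Application Center: never let these be disabled.
REQUIRED = {"PlugPlay": "Plug and Play", "RpcLocator": "RPC Locator",
            "Netlogon": "Net Logon", "LmHosts": "TCP/IP NetBIOS Helper"}

# Assumed service ACL: full control for SYSTEM and Administrators, query/read for
# Interactive and Service logons, failure auditing for Everyone. Adapt to your policy.
SERVICE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


def desired_state() -> Dict[str, int]:
    """The lockdown: every service in NOT_REQUIRED set to Disabled."""
    return {name: START_DISABLED for name in NOT_REQUIRED}


def template_text(desired: Dict[str, int]) -> str:
    """Render an incremental template carrying only the service settings, to be applied
    on top of the defaults and Hisecweb.inf. Save it as Unicode (encoding='utf-16')."""
    lines = ["[Unicode]", "Unicode=yes", "[Version]", 'signature="$CHICAGO$"',
             "Revision=1", "[Service General Setting]"]
    for name in sorted(desired):
        lines.append(f'{name},{desired[name]},"{SERVICE_SDDL}"')
    return "\n".join(lines) + "\n"


def parse_snapshot(csv_text: str) -> Dict[str, int]:
    """Parse a 'Name,StartMode' listing (for example exported from Win32_Service)
    taken after a service pack, hotfix, or application Setup has run."""
    state = {}
    for line in csv_text.splitlines()[1:]:
        if line.strip():
            name, mode = (field.strip() for field in line.split(",", 1))
            state[name] = WORD_MODE[mode]
    return state


def find_drift(desired: Dict[str, int], required: Dict[str, str],
               current: Dict[str, int]) -> List[Tuple[str, str, str]]:
    """Services whose current start mode contradicts the lockdown, as
    (service, current mode, expected mode). Services absent from the snapshot
    (not installed) are not reported."""
    drift = []
    for name, want in desired.items():
        if name in current and current[name] != want:
            drift.append((name, MODE_WORD[current[name]], MODE_WORD[want]))
    for name in required:
        if current.get(name) == START_DISABLED:
            drift.append((name, "Disabled", "not Disabled"))
    return sorted(drift)


# Constructed post-patch snapshot: Setup has switched Messenger back to Auto and the
# Spooler to Manual; everything else still matches the lockdown.
SNAPSHOT_AFTER_PATCH = """\
Name,StartMode
Alerter,Disabled
Browser,Disabled
ClipSrv,Disabled
LmHosts,Auto
Messenger,Auto
NetDDE,Disabled
NetDDEdsdm,Disabled
Netlogon,Auto
PlugPlay,Auto
RpcLocator,Manual
SimpTcp,Disabled
Spooler,Manual
W3SVC,Auto
"""

if __name__ == "__main__":
    print(template_text(desired_state()))
    current = parse_snapshot(SNAPSHOT_AFTER_PATCH)
    for service, have, want in find_drift(desired_state(), REQUIRED, current):
        print(f"RESET: {service} is {have}, lockdown expects {want}")
```

Apply the generated file on the cluster controller with secedit /configure /db lockdown.sdb /cfg lockdown.inf /log lockdown.log, and after each patch re-run secedit /analyze against the same database (or run the drift check above against a fresh snapshot) before you let the change replicate to the members.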
The following guidelines, taken from the Windows 2000 Server documentation, identify settings and actions that you should consider when setting up your server running Windows 2000 Server:
You should read the article "Default Access Control Settings in Windows 2000," which is available at the Microsoft TechNet Web site (http://www.microsoft.com/technet/win2000/win2ksrv/technote/secdefs.asp). Compare and contrast these settings with those that are required and implemented by Application Center Setup. This article provides detailed information about the permissions given to the three main user categories: administrator, power user, and user. In addition, this article includes information about the default file system and registry ACLs for the three user types.
TIP
Secure your servers from physical access by hackers. If an unauthorized user has physical access to the server, they can find a way around the standard password protection. You can:
- Configure the BIOS so the server won't start from a floppy disk drive.
- Password protect the BIOS so it can't be reconfigured.
- Lock the server case to prevent access to the BIOS jumpers on the motherboard.
- Put the server in a locked room with limited access.
The next step in securing your Windows 2000 and Web server environment is to read the "Secure Internet Information Services 5 Checklist" (http://www.microsoft.com/technet/security/iis5chk.asp) written by Michael Howard, a member of the Windows 2000 security team. His article highlights issues that are specific to securing IIS 5.0 and includes the "why" and "how" for the following items:
In addition to the preceding information, this article shows you how to get automatic notification of security issues via e-mail by subscribing to the Microsoft Security Notification service.
Your applications and components span both the presentation and business services tiers, and each element should be secured in accordance with the tier that it supports.
Before deploying an application, you should:
TIP
Read Marco Gregorini's articles, "The Subtleties of Client Impersonation with IIS, ASP and MTS/COM(+)." You can find Parts 1 and 2 on the ASP Today Web site (http://www.asptoday.com/articles/20000302.htm).
COM+ is a key technology in the business services layer because it provides a programming model for integrated security checking, automatic enlistment in resource pooling and transactions, threading synchronization, and lifetime management of component instances.
NOTE
Components can be organized into business and data components. Business components create and enlist data components during a method call in existing transactions, of which the business component may be the root. Typically the business component uses COM+ to check security, while the data components are instantiated by the business object. This keeps the security check in one place: COM+ checks the caller when the business object is invoked, and the data object's methods are not checked again. The business objects, rather than the data objects, are instantiated by an ASP page or DCOM call.
Use DCOM Config (Dcomcnfg.exe) to ensure that DCOM interfaces are secure by allowing only specific users to instantiate these interfaces.
Data objects manage the data on the back-end and massage it into a form that the business object can handle. This encapsulation hides the underlying data structure so the client isn't aware of data structures such as tables, relationships, or even column names.
The following articles relate to component security and are available from MSDN:
TIP
Check the permissions on application executables and components to ensure that they can't be overwritten with malicious code.
The final element to secure in the three-tier security model is your database server. As we noted in "Data Services" earlier in this chapter, we recommend that you implement strong security on your back-end database—do not rely solely on the business services layer to secure your data.
The following checklist provides some guidelines for securing a Microsoft SQL Server database: