Implementing Security Baselines

One of the best techniques to secure your infrastructure is through the use of security templates. A security template will contain a definition of the security settings that are to be configured for a computer. The template can be used either to implement the configuration or to evaluate the differences between the settings in effect on the machine and those defined in the template. To better define the settings that should be configured in the templates for your organization, you will need to begin with a trusted computing base.

The trusted computing base is made of the following components:

  • The detailed configuration and procedure of each component. Each option should have a required setting—for example, Enforce Password History should be 24 passwords remembered.

  • Elaborate documentation. Each configuration step should be documented.

  • Change and configuration management. Procedures must be defined for applying changes, such as service packs and hotfixes.

  • Procedural review. All procedures should be reviewed regularly to identify potential weaknesses.

A secure baseline is a detailed description of how to configure and administer a computer. The secure baseline will implement the components of the trusted computing base on an individual computer.

A secure baseline contains the following elements:

Service and application settings You will specify the settings that need to be configured for each service that runs on a machine as well as the settings and business rules for each application. An example would be a business rule that specifies that only users in the human resources department can run the human resources application. You may also include for a service a rule that dictates that it should accept only connections coming from a specific machine or network segment.

Operating system component configuration You will also want to specify the settings for the operating system components. For example, your organization might specify that IIS’s home directory must be systemvolume\IISApp\WebROOT. Having a policy in place for the configuration of each of the operating system components should introduce a standard configuration and lower the total cost of ownership of the computers in your organization because you will know, based on the role of the machine, how it is configured.

Tip

Changing the default directory that IIS uses as its home directory can thwart some Internet worms that have the default IIS path hard-coded in their code.

Permissions and user rights assignments You should also create a policy that specifies the standards that your organization will follow as it relates to permissions and user rights assignments. Examples of this would be having a rule that states that only members of the Domain Administrators security group will be able to log on locally to the domain controllers. You would also want to have a written guideline for resource permissions—for example, only auditors can access client financial data for their clients remotely.

Administrative procedures The business that your organization is in will determine the importance of administrative procedures. An example of a procedure that must be defined and carried out would be a rule stating that the password must be changed on all administrative accounts every 30 days.

Before you can define a template for the computers in your organization, you will need to audit your environment by completing the following steps:

Record all applications and services on a computer. You must make an inventory of all of the hardware and software components on a system. Without this inventory, you might fail to properly secure an essential component or you might not notice a hardware change that will require a change to be made in the baseline.

Record the required security configuration for the operating system and its applications and services. Each security-related setting and configuration task, including administrative procedures, must be documented clearly.

Automate the application of these settings for all computers. Consider using Group Policy or some other automated technique to apply these settings to the computers in your environment. This will minimize errors, ensure consistent configuration settings, and save time.

Establish procedures to audit computers in order to detect changes to the baseline. Regular audits will detect changes in the computer settings in addition to changes in the baseline that haven’t been applied.

In the following sections, you will learn how to define security baseline templates that can be automatically verified and/or applied to computers within your organization. You will be introduced to the main types of servers that you will encounter and how they may require different types of baseline templates based on their role in the organization.

Defining a Secure Server Baseline Template

The secure member baseline provides common settings for all of the member servers in an organization. In this section, you will learn how to plan a secure baseline for your member servers. You will also learn about security templates and the ways to create, modify, and deploy them.

Windows Server 2003 can perform several different roles, that of domain controller, POP3 mail server, database server, web server, and so on. Because a server can assume a vast array of roles, you must take great care to remove the components and services that it doesn’t need to perform its role. For example, if a computer is running as a database server, you do not need to include services such as IIS, DNS, or DHCP.

In most cases within an organization, the security settings for a specific role will be the same on multiple machines. For example, the security settings for one Microsoft SQL Server computer in your organization are likely to have the same configuration requirements as those of another Microsoft SQL Server computer running in your organization. Therefore, you can create one template for all of the servers running Microsoft SQL Server and another for a different computer role, such as Microsoft Exchange Server, and maintain a separate template for each role. You can utilize Group Policy to automate the assignment of the templates to the different computers. Group Policy will also automatically reapply the template settings should any of the settings be modified on a computer.

You will want to monitor changes to the baseline using the Security Configuration And Analysis Microsoft Management Console (MMC) snap-in. The Security Configuration And Analysis snap-in is used to analyze and configure the security of the local machine. It will detect any conflicts that exist between the settings defined in a specified template file and those that are in effect on the computer. After it analyzes the two, it can be used to apply the template's settings to the computer.

The expression security template also refers to the name of the file that some of the Microsoft tools can utilize to examine and apply security settings to computers. Windows Server 2003 provides several predefined security templates that contain the Microsoft-recommended security settings for some of the more common configurations. Table 8.1 lists each of the predefined templates that come with Windows Server 2003.

Table 8.1: Predefined security templates

Name (filename): Description

Default Security (setup security.inf): Default security settings that are applied when the operating system is installed, including the file permissions for the root of the system volume.

Domain Controller Default Security (DC security.inf): Default security settings on files, Registry keys, and services. This template is created when a server is promoted to a domain controller, and if reapplied to an existing DC, it may overwrite permissions on new files, Registry keys, and services that were created by other applications.

Compatible (compatws.inf): Default settings for workstations and servers. Grants the typical permissions to three local groups: Administrators, Power Users, and Users. The Administrators group is granted the most privileges.

Secure (securedc.inf and securews.inf): The secure templates for enhanced security with a low likelihood of conflicting with application compatibility. The secure templates limit the use of LAN Manager and NTLM authentication by configuring workstations to use NTLMv2 and servers to refuse LAN Manager; therefore, for this to work in your organization, all domain controllers must be running Windows NT 4 Service Pack 4 or higher. The securedc.inf file is used for domain controllers, while the securews.inf file is used for workstations and member servers.

Highly Secure (hisecdc.inf and hisecws.inf): A superset of the Secure templates, with even more secure configuration settings than those defined in the Secure templates. The highly secure templates impose higher restrictions on LAN Manager authentication and the like. In order to apply the hisecdc.inf template on a DC, all of the DCs in all trusted or trusting domains must be running Windows 2000 or later. The hisecdc.inf file is used for domain controllers, while the hisecws.inf file is used for workstations and member servers.

System Root Security (rootsec.inf): Default root permissions for the OS partition. Applies the permissions and propagates them to child objects that are inheriting from the root.

Note

Be sure you know which predefined template should be used for specific situations.

You can use the MMC snap-in named Security Templates to create, view, and modify security templates. Figure 8.1 shows the snap-in within a custom MMC session.

Figure 8.1: Security Templates MMC snap-in

As you can see, there is not a predefined template for a Microsoft SQL Server or any other application server role. Therefore, you will need to define them yourself. The templates that you create are referred to as custom templates, and it is usually a good idea to use a predefined template as a starting point for them.

To create a new template, right-click the template directory in the Security Templates snap-in and choose New Template.

All computers running Windows Server 2003 store the security templates in the SystemRoot\security\templates folder, and by default, authenticated users can read all of the settings within a GPO. You will want to make sure that your production baseline templates are secured such that only authorized administrators have the ability to view and modify them. It is also considered best practice to designate a single domain controller to hold the master copies of the templates; this diminishes versioning problems that can occur with multiple copies being modified at the same time.

There are three classifications that Microsoft defines based on security needs: a Legacy Client environment, an Enterprise Client environment, and a High Security environment. The following list will explain the differences in these environments:

Legacy Client environment The Legacy Client environment supports Windows 98, Windows NT 4 Workstation, Windows 2000 Professional, and Windows XP Professional as clients and supports only Windows 2000 or later domain controllers. Windows NT 4 member servers can exist. This environment only supports the predefined templates because they do not discriminate by operating system version. It’s the least secure of the three environment classifications.

Enterprise Client environment The Enterprise Client environment supports Windows 2000 and Windows XP Professional as clients, and all domain controllers and member servers must run Windows 2000 or higher. This environment supports both predefined and custom templates. It is more secure than the Legacy Client environment yet less secure than the High Security environment.

High Security environment The High Security environment has the same operating system support as the Enterprise Client environment: Windows 2000 and Windows XP Professional as clients and all servers running Windows 2000 or higher. This environment supports predefined as well as custom templates yet places more emphasis on security than on functionality and manageability. For example, terminal services are disabled on all computers and all administration must be performed locally at each machine.

You should customize the templates supplied for the classifications to further secure member servers in your domain. The template that you create will be referred to as the Member Server Baseline Policy (MSBP). You create this baseline template by modifying the predefined templates and manually making changes to the respective security templates. The manual modifications for the Audit Policy portion of the template are defined in the Microsoft Windows Server 2003 Security Guide. For the most part, you will be auditing the success and failure of the security-related tasks, such as logon events, privilege use, and so on. For Legacy, Enterprise, and High Security machines, you should manually configure the following User Rights assignments in your custom templates for the listed accounts:

  • Deny Access To This Computer From The Network:

    • Built-In Administrator

    • Support_388945a0

    • Guest

    • All NON-Operating System service accounts

  • Deny Log On As A Batch Job

    • Support_388945a0

    • Guest

  • Deny Log On Through Terminal Services

    • Built-In Administrator

    • Guests

    • Support_388945a0

    • Guest

    • All NON-Operating System service accounts

Note

All NON-Operating System service accounts does not include LOCAL SYSTEM, LOCAL SERVICE, or the NETWORK SERVICE accounts, which are built-in accounts that the operating system uses. The Support_388945a0 account is used by Remote Assistance.

You will also disable all services that are not required by the server that you are configuring. You can examine the Security Guide for a complete list of the services that are typically installed and which ones should be disabled. The actual implementation is going to be specific for each individual server. Figure 8.2 shows the Properties window for the World Wide Web Publishing service from the Security Templates snap-in.

Figure 8.2: Security Templates World Wide Web Publishing Service properties

Using the environment classifications, you can make determinations as to what templates you can use and whether or not there may be compatibility issues.

In the “Determining the Security Environment” Design Scenario, you will evaluate a scenario and decide what environment you will use when choosing security templates.

You will also want to define IPSec filters that prevent networks that shouldn’t be able to from accessing the server. Any service that is not to be consumed across the Internet should have a filter defined that prevents it from being accessed from the Internet or DMZ.

In the next section, you will learn about some of the modifications to these generic templates that you would make in order to secure servers that have specific roles.

Defining a Domain Controller Baseline Template

The domain controller role is the most important server role to secure in an Active Directory environment. Because these servers are so critical to the domain, you should make sure that they are physically stored in a secure location and are only accessible to qualified and authorized administrative staff. If you must store a domain controller in an unsecured location, such as a satellite office, there are several security settings that can be configured to minimize the potential damage resulting from physical threats.

Design Scenario: Determining the Security Environment

start example

You are the security architect of a large corporation that manufactures and distributes office furniture. The corporate headquarters is located in Philadelphia and there are warehouses all across the country. All servers are physically located in the headquarters and are running the Windows Server 2003 operating system. There are workstations in each warehouse that run the mission-critical inventory application that communicates with the database server in Philadelphia. The workstations are running Windows 2000 and Windows XP Professional. The application must continue to operate regardless of security enhancements. The database server is running the Windows 2000 Server operating system and SQL Server 2000.

You decide to upgrade the database server’s operating system to Windows Server 2003 in order to achieve better performance, stability, and scalability, as well as to increase the security supported.

  1. Question: Which predefined security templates could be used to secure the database server? Answer: The server is not a domain controller, therefore the only templates that should be candidates for the database server are securews.inf and hisecws.inf.

  2. Question: Which security environment classification should you use for security template decisions? Answer: Now that the server has been upgraded, there is no need to maintain the Legacy Client environment. You need to make sure that the inventory application continues to run unaffected by security policies, which means that functionality has a higher precedence than security for this application and you are limited to using the Enterprise Client environment.

end example

Once the Domain Controllers Baseline Policy (DCBP) is created, you should link the policy to the Domain Controllers organizational unit (OU), and once linked, you should make sure that it takes precedence over the Default Domain Controllers Policy.

Warning

Linking an improperly configured GPO to the Domain Controllers OU could severely impact the operation of the domain.

Depending on the environment you are using, the DCBP will specify additional settings for the various sections of the template. One of the sections that provides a higher degree of security is the User Rights Assignment section under the Local Policy heading. It is in this portion that you can specify who is permitted to perform certain tasks.

The following is a partial list of the user rights assignments that are configurable:

Access This Computer From The Network The Access This Computer From The Network user right permits the users granted it the ability to communicate with the server, and access shares and services over the network.

Add Workstations To Domain The Add Workstations To Domain user right gives the user or group the ability to join the computer to the Active Directory Domain.

Change The System Time This user right allows the user or group to change the time on the machine.

Log On Locally The Log On Locally user right allows a user or group to log on interactively on the computer.

Log On As A Service The Log On As A Service right grants a user or group the ability to register a process as a service.

Manage Auditing And Security Log The Manage Auditing and Security Log right grants a user or group the ability to configure the audit and security log.

As you can see, securing these rights could be critical to the overall security of your server and environment. Figure 8.3 shows the User Rights Assignment portion of the Security Templates snap-in when the Access This Computer From The Network assignment is being configured.

Figure 8.3: User Rights Assignment

In addition to the predefined settings, you should manually add some configuration settings to the templates to further secure your domain controllers. You should use these advanced rights to make the domain controller as secure as possible. According to the Windows Server 2003 Security Guide, your domain controllers should have the following rights configured in the template:

  • Deny Access To This Computer From The Network:

    • Built-In Administrator

    • Support_388945a0

    • Guest

    • All NON-Operating System service accounts

  • Deny Log On As A Batch Job

    • Support_388945a0

    • Guest

  • Deny Log On Through Terminal Services

    • Built-In Administrator

    • All NON-Operating System service accounts

When configuring the template for an Enterprise Client or High Security environment, you will want to enable the Network Security: Do Not Store LAN Manager Hash Value On Next Password Change setting. Figure 8.4 shows this setting being configured from the Security Templates MMC snap-in.

Figure 8.4: Do Not Store LAN Manager Hash Value On Next Password Change Setting dialog

Warning

Some legacy operating systems and third-party applications may fail when this setting is enabled. See Chapter 5, “Designing an Access Control Strategy for Network Resources,” for more information.

All classifications of domain controllers have the following services configured to start automatically in the System Services section of the predefined templates, including the Domain Controller Default template:

  • Distributed File System (DFS)

  • DNS

  • File Replication (NTFrs)

  • Intersite Messaging (IsmServ)

  • Kerberos Key Distribution Center (KDC)

  • Remote Procedure Call Locator (RpcLocator)
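The following security template fragment is an added example, not one of the predefined templates shipped with Windows Server 2003 and not a file from the Security Guide. It shows how the settings called out above for the MSBP and the DCBP (the deny user rights, the audit policy, the Do Not Store LAN Manager Hash Value setting, and the services that domain controllers start automatically) are written in the .inf format that the Security Templates and Security Configuration And Analysis snap-ins read. It assumes the file is saved as DCBP.inf under SystemRoot\security\templates, that it was started from hisecdc.inf, and that svc_backup and svc_monitor are placeholder names for your non-operating-system service accounts.

```ini
; Added example template fragment (not a Microsoft predefined template).
; Assumed file name: SystemRoot\security\templates\DCBP.inf
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[System Access]
; Enforce Password History: 24 passwords remembered
PasswordHistorySize = 24
; Maximum Password Age: 30 days
MaximumPasswordAge = 30

[Event Audit]
; 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditPrivilegeUse = 3
AuditPolicyChange = 3

[Privilege Rights]
; Accounts are listed by name and resolved on the computer the template is
; applied to; well-known groups may also be given as SIDs with a "*" prefix.
; svc_backup and svc_monitor are placeholders for non-OS service accounts.
; Deny Access To This Computer From The Network
SeDenyNetworkLogonRight = Administrator,Support_388945a0,Guest,svc_backup,svc_monitor
; Deny Log On As A Batch Job
SeDenyBatchLogonRight = Support_388945a0,Guest
; Deny Log On Through Terminal Services
SeDenyRemoteInteractiveLogonRight = Administrator,svc_backup,svc_monitor

[Registry Values]
; Network Security: Do Not Store LAN Manager Hash Value On Next Password Change
; (4 = REG_DWORD, 1 = Enabled). Enterprise Client and High Security only.
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1

[Service General Setting]
; Format: ServiceName,StartupType,"SDDL security descriptor"
; StartupType: 2 = Automatic, 3 = Manual, 4 = Disabled
; The descriptor gives Administrators (BA) and SYSTEM (SY) full control and
; interactive users (IU) read/query access to the service object.
Dfs,2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)"
Dns,2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)"
NtFrs,2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)"
IsmServ,2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)"
kdc,2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)"
RpcLocator,2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)"
; World Wide Web Publishing is not required by the domain controller role,
; so the baseline disables it (example of removing an unneeded service).
W3SVC,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)"
```

Importing this file into the Security Templates snap-in shows each section as the corresponding node (Account Policies, Audit Policy, User Rights Assignment, Security Options, System Services), which is a quick way to confirm that every line parsed as intended.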

In addition to configuring the template, you will want to use Internet Protocol Security (IPSec) to increase the level of security for your servers. In a High Security environment, you would create IPSec traffic filters that allow traffic from any trusted source to reach the domain controller for these services:

  • CIFS/SMB server

  • RPC server

  • NetBIOS server

  • Terminal Services server

  • Global Catalog

  • DNS server

  • Kerberos server

  • LDAP server

  • NTP server

  • Predefined RPC range (ports 57901-57950)

You would also create a filter that blocks all other protocols and ports not explicitly granted access from the preceding list.

Warning

All traffic rules should be mirrored to allow for two-way communication.

Now that you have created a template for your organization’s domain controllers, you will next focus on creating baseline templates for other specific server roles.

Defining an Infrastructure Server Baseline Template

In this section, we will explain the baseline template that will be used for infrastructure servers, which refers to servers providing Dynamic Host Configuration Protocol (DHCP) or Microsoft Windows Internet Name Service (WINS) functionality. We will demonstrate only the settings that have been modified from the Member Server Baseline Policy (MSBP) template you learned about earlier in this chapter.

If the server is a DHCP server, then you will want to modify the System Services settings such that the DHCP service is set to Automatic in all environment classifications. Likewise, if the server is a WINS server, you would configure the WINS service to be set to Automatic. You can configure these settings in the baseline template for the server role and make sure each setting persists by configuring a GPO that will maintain it.

Most of the settings for infrastructure servers are defined in the MSBP. However, separate templates should be created for servers with the infrastructure role to guarantee consistency.

You should also configure IPSec filters to allow the following services:

  • Terminal Services

  • WINS Resolution server (if a WINS server)

  • WINS Replication client (to a WINS Replication partner only)

  • WINS Replication server (to a WINS Replication partner only)

  • All ports and protocols for domain member communication with domain controllers (to domain controllers only)

You would also create an additional filter that blocks all other inbound traffic from any of the services and protocols not listed in the preceding list. All traffic rules should be mirrored to allow for two-way communication.

In the next section, you will learn how to modify the MSBP for file servers.

Defining a File Server Baseline Template

In this section, we will explain the settings for the baseline template for file servers within your organization. We, again, will demonstrate only the settings that are different from those configured in the MSBP template defined earlier in the chapter.

A recurring theme throughout this book has been to minimize the attack surface of your organization generally and your servers specifically. One of the most effective techniques is to disable or remove any unneeded service or application from the server. You will make organization-specific determinations as to which services that will entail for the file server role.

The following services were enabled in the MSBP, but if you do not require them to be running on all file servers, you should modify the baseline template to disable them accordingly. These services, for example, should be disabled unless they are required to be enabled by all servers affected by the template:

  • Distributed File System (DFS)

  • File Replication Service (NTFRS)

You should also configure IPSec filters to allow the following services and their respective ports and protocols:

  • CIFS server

  • NetBIOS server

  • Terminal Services

  • All ports and protocols for domain member communication with domain controllers

You would also create an additional filter that blocks all other inbound traffic from any of the services and protocols not listed in the preceding lists. All traffic rules should be mirrored to allow for two-way communication.

Remember that the changes listed here for File Servers are to be made to the original member server baseline policy (MSBP) template and should be used as a baseline template for all of the file servers in your organization.

Next, you will learn about the security settings that need to be specified for a POP3 mail server.

Defining a POP3 Mail Server Baseline Template

As is the case with other server role templates, the MSBP will act as a starting point; only the settings that differ from it are specified here. If you are using the Microsoft POP3 service, you will need to modify the System Services portion of the template in order to allow the POP3SVC to start automatically. You should also configure IPSec filters to allow the following services and their respective protocols:

  • POP3 server

  • All ports and protocols for domain member communication with domain controllers (to domain controllers only)

You would also create an additional filter that blocks all other inbound traffic from any of the services and protocols not listed here. All traffic rules should be mirrored to allow for two-way communication.

In the “Defining custom templates for servers with specific roles” Design Scenario, you will determine what customizations must be made, if any, to the predefined templates for servers that have specific roles.

In the next section, you will learn how to deal with modifications to the baseline templates and what you can do to ensure a smooth application of their settings to your existing servers.

Modifying Baseline Templates

As changes occur in your organization, you may need to make changes to some of your baseline templates. Changing a template is simple using the various tools that Microsoft provides, one of which is the Security Templates snap-in. In addition, you can evaluate and apply the policy template, that you created or modified in the Security Templates snap-in, to a computer using the Security Configuration And Analysis MMC snap-in.

To use the Security Configuration And Analysis MMC snap-in to analyze and configure a machine, you would complete the following steps:

  1. Start the Microsoft Management Console.

  2. From the File menu, choose Add/Remove Snap-In.

  3. Click the Add button in the Add/Remove Snap-In dialog box.

  4. Select the Security Configuration And Analysis snap-in from the Add Standalone Snap-In dialog box and click Add. Then click Close.

  5. Click OK in the Add/Remove Snap-In dialog box.

  6. From the MMC, right-click the Security Configuration And Analysis snap-in and select Open Database (if a database does not already exist, type a name in the File Name text field of the Open Database dialog box) and select the database from the file system.

  7. If prompted to import a template, choose the template that you would like to configure or apply to the current machine. If you are not prompted to import a template, follow these steps:

    • From the MMC, right-click the Security Configuration And Analysis snap-in and select Import Template.

    • From the Import Template dialog box, select the template that you would like to compare or apply to the current system; for example, hisecws.inf.

  8. From the MMC, right-click the Security Configuration And Analysis snap-in and select Analyze Computer Now.

  9. Enter the path and filename for the location of the error log and click OK to begin the analysis.

  10. Expand the various settings to see if any conflicts exist between the template and the machine. The Database Setting column contains the settings defined in the template.

  11. If you want to apply the configuration settings that are defined in the template to the machine, right-click the Security Configuration And Analysis snap-in and select Configure Computer Now.
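The same analysis can be run from the command line with secedit, which is what you need when the comparison in the preceding steps is to be scheduled on every server rather than clicked through once. The script below is an added example (not from the book): it imports a template into an analysis database, analyzes the computer, reports any mismatching settings, and optionally applies the template. It assumes the custom template was saved as C:\Baselines\MSBP.inf and that C:\Baselines is writable by the account running the script.

```batch
@echo off
rem Added example: scheduled baseline check using secedit (not code from the
rem book). Exit code 0 = compliant, 1 = drift detected, 2 = the check failed.
rem Assumed paths; adjust to where your templates are kept.
setlocal
set "TEMPLATE=C:\Baselines\MSBP.inf"
set "DB=C:\Baselines\MSBP.sdb"
set "LOG=C:\Baselines\MSBP-analyze.log"

if not exist "%TEMPLATE%" (
    echo Baseline template %TEMPLATE% was not found.
    exit /b 2
)
if exist "%LOG%" del "%LOG%"

rem Steps 6 to 9 of the snap-in procedure: open or create the database, import
rem the template (/overwrite discards any template stored there earlier) and
rem compare the computer's current settings against it.
secedit /analyze /db "%DB%" /cfg "%TEMPLATE%" /overwrite /log "%LOG%" /quiet
if not exist "%LOG%" (
    echo secedit did not produce an analysis log.
    exit /b 2
)

rem Step 10: each setting that differs from the template is recorded in the log
rem as a "Mismatch - <setting>." line (assumption: log format as produced by
rem secedit on Windows Server 2003; confirm against one log before relying on it).
findstr /c:"Mismatch" "%LOG%" >nul
if %errorlevel% equ 0 (
    echo %COMPUTERNAME% has drifted from %TEMPLATE%:
    findstr /c:"Mismatch" "%LOG%"
    if /i not "%~1"=="apply" exit /b 1
    rem Step 11, only when "apply" is passed as the first argument: configure the
    rem computer with the settings held in the database.
    secedit /configure /db "%DB%" /log "%LOG%" /quiet
    exit /b 0
)
echo %COMPUTERNAME% matches %TEMPLATE%.
exit /b 0
```

Run without arguments from a scheduled task so that a non-zero exit code surfaces drift; run with the argument apply when the intent is to bring the server back to the baseline, remembering that a GPO-linked template would reapply the settings on the next refresh anyway.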

You can take advantage of Active Directory Group Policy to assign the security settings to a container. Once you link the template settings to a GPO, the security settings will be refreshed automatically in the following conditions:

  • Each time a computer is restarted

  • Every 90 minutes for workstations (if a change has been made)

  • Every 5 minutes for servers (if a change has been made)

  • Every 16 hours regardless of whether or not a change was made

  • When the gpupdate command-line utility has been manually executed (the /refreshpolicy switch of the secedit utility is no longer supported)

If there are conflicting settings defined by Group Policy objects, the following precedence is used to resolve the conflicting settings:

  1. OU

  2. Domain

  3. Site

  4. Local computer

For example, if an OU has a GPO linked to it that states that the maximum password age is 30 days and the site has a GPO that states 42 days for this policy, because the OU has a higher precedence than the site, the setting will be 30 days for all of the users and computers located within the OU.

As another example, if the DNS service is disabled in the domain policy GPO but enabled in the OU policy for the just-created DNS Servers OU, then all computers in the DNS Servers OU will have the DNS service enabled. In Figure 8.5, an OU named “DNS” was created in order to separate the policy application for the DNS servers within that organizational unit: the DNS OU carries its own policies, which differ from those assigned at the parent OU. Having child OUs under the “Servers” OU makes the GPO inheritance model easier to maintain. Figure 8.5 shows that a GPO could be linked to the Servers OU that would apply to all computers in all child OUs, while the DNS Server–specific policy settings would be stored in a GPO applied to the DNS OU. Likewise, SQL Server database servers are placed in a separate OU, SQL Servers, that is also a child of the “Servers” OU. The figure is an example of how policy application can drive the design of your OU model.

Figure 8.5: Sample OU design for Group Policy

Design Scenario: Defining Custom Templates for Servers with Specific Roles

start example

Examine each of the following scenarios and choose the correct template for the server’s baseline.

Scenario 1

You need to design a technique in which all of the member servers in your organization meet the requirements set forth in the written policies of your company. The solution must be implemented with the least amount of administrative effort.

  1. Question: What should you do? Answer: You should create and apply a custom security template that contains the security settings that are defined in your company’s security policy.

Scenario 2

You have been told that the security settings have been modified on one of your member servers and it is no longer in compliance with the security policy. You have created a custom template that holds the settings that should be configured on the server.

  1. Question: What should you do to evaluate the compliance of the server? The solution should use the least amount of administrative effort. Answer: You should use the Security Configuration And Analysis utility to compare the settings that are current on the server with those that are defined in the template.

end example

MCSE: Windows Server 2003 Network Security Design Study Guide (Exam 70-298)
ISBN: 0782143296
Year: 2004
Pages: 168