
Security Settings & Hardening

Iwan Sumantri
CEH- CEI - CHFI - CISM - CISSP - MCSE
Trainer - Telkom PDC (http://www.telkompdc.com)
Technical Perspective
Windows Server 2003 Family
Q & A
Windows Server 2003
Windows Server Products
Windows Server 2003 Web Edition
Windows Server 2003 Standard Edition
Windows Server 2003 Enterprise Edition
Windows Server 2003 Datacenter Edition
Product comparison:
http://www.microsoft.com/windows.netserver/evaluation/features/compareeditions.mspx
System Requirements
Minimum
CPU: Pentium 133*
RAM: 128MB**
Disk: 1.5GB (x86), 2.0GB (Itanium)
Recommended
CPU: 550MHz or greater
RAM: 256MB or more
Disk: 2.5GB or more
*Datacenter: minimum of 400MHz for x86 systems. Datacenter and Enterprise: minimum 733MHz for Itanium systems.
**Datacenter: 512MB RAM minimum.
Web Edition
For ISPs/ASPs/Web Hosting needs
Native ASP.NET & .NET Framework
2-way SMP
2GB Memory
Network Load Balancing
Single VPN connection
SMB Connection Limit - 10 concurrent
Per seat
No CALs required
Disabled/Unavailable Services and Features
Enterprise UDDI Services
Removable and Remote Storage
FAX Service
Services for Macintosh (File/Print)
DCPromo
Certificate Services
Terminal Services - Application Mode
Windows Media Service
Itanium/64-bit support
Cluster Service
MMS
RIS
Internet Connection Sharing/Internet Connection Firewall
PKI/Smart Cards (client-side only)
Web Edition
Standard Edition
Includes features in Web Edition, plus
Enterprise UDDI Services
Requires MSDE or SQL Server 2000 w/SP3 or later
Directory used by applications to locate web services
Internet Authentication Service (50 RADIUS
servers max; unlimited users)
Internet Connection Firewall (LAN, VPN &
PPPoE)
Internet Connection Sharing
Network Bridge
4-way SMP
4GB memory
Can be DC/GC
Disabled/Unavailable Services & Features
Itanium/64-bit support
Cluster Service
Terminal Server Session Directory
MMS
Standard Edition
Enterprise Edition
Moving from 'Advanced' back to 'Enterprise'
Includes features in Standard Edition, plus
Server Clusters (8 nodes!)
Supports Itanium Processors
8-way SMP
32GB memory (x86); 64GB memory (Itanium)
Integration with Microsoft Metadirectory Services
Hot-Add Memory*
Non-Uniform Memory Access (NUMA)*
Terminal Services Session Directory (NLB, F5, Radware)
Windows System Resource Manager
*Requires OEM hardware support
Datacenter Edition
Only available from Datacenter OEMs
Includes features in Enterprise Edition, plus
64-way SMP
64GB memory (x86); 512GB memory
(Itanium)
Windows Sockets: Direct access for SANs
(Winsock Direct)
Security Level
Priority Shift
Access was a top priority
Open-by-default
Start with everything open and then start
locking down as needed
Control is now a top priority
Closed-by-default
Start with everything closed and open only
what is needed
Security Enhancements
Server 2003 Defaults
IIS - Internet Information Services
IIS is not installed by default
When you install IIS 6 it is locked down
More startup services are disabled in
2003
Everyone Group
No longer has full control; it has read and execute
No longer includes anonymous users
Server 2003 Defaults
Accounts with null passwords are console-
bound
NTFS
Permissions & auditing
EFS - Encrypted File System (multiple
users)
VSS - Volume Shadow Copy (Server 2003)
Quotas
ABE (Server 2003 SP1)
ABE (Access-Based Enumeration)
Internet Connection Firewall / Windows Firewall
ICF vs. Windows Firewall
Boot-time Security
Global configuration
Audit logging
Scope restrictions
Command-line support
Program-based exceptions
Multiple Profiles
Unattended setup support
Enhanced multicast and broadcast support
IPv6 support
New Group Policy Support
PSSU (Post-Setup Security Updates)
Service Pack 1 enhancement
Protects the computer until it can update
Uses Windows Firewall
TCP/IP protection
Enhancements:
Smart TCP port allocation
SYN attack protection is enabled by default
New SYN attack notification IP Helper APIs
Winsock self-healing
Windows Command Line
TCP / IP Command
IPCONFIG
PING
TRACERT
NETSTAT
TELNET
ARP
NBTSTAT
NET
Administrator Command
*.msc
SERVICES.MSC
SECPOL.MSC
COMPMGMT.MSC
DEVMGMT.MSC
EVENTVWR.MSC
GPEDIT.MSC
ETC
Server Hardening
Hardening : Security Policy
Computer usage policy
Do not lend your account to other people
Do not take files from or put files on office computers, etc.
Program installation policy
Do not install programs without permission from IT staff
Do not install illegal programs, etc.
Internet usage policy
Do not use the Internet for carding, hacking and similar activities
Do not use the Internet to access sites that could potentially spread viruses, etc.
Email usage policy
Do not use office email for mailing-list activities, etc.
Hardening : Physical Security
Buildings and rooms
Access to buildings / rooms
Hardware
Electricity
Cooling
etc.
Hardening : BIOS
BIOS password
Protect access to certain media, such as CD-ROM, USB drive, etc.
Hardening : OS - Installation
Plan the hardware optimally according to requirements
Use the Windows 2003 Server product that fits the requirements
Plan partitions according to requirements, for example:
Drive C: Windows system
Drive D: Application installs
Drive E: Data
Drive F: Database
Use NTFS partitions
Do not install with the defaults
C:\Windows -> C:\WINSERVER
Uninstall default services / applications that are not needed
Install the latest Service Pack
Hardening : OS - User
Disable Guest Account
Rename Administrator Account
Administrator -> Boss
Hardening : OS - Command Line
Rename some command-line tools, such as:
CMD.EXE, NET.EXE, PING.EXE
Rename / delete some command-line tools, such as:
TFTP.EXE, TELNET.EXE
Hardening : Windows Services
Uninstall default services / applications that are not needed
Run SERVICE MANAGER and STOP the services that are not needed.
Hardening : Server
Run AUTOUPDATE
Enable the FIREWALL
Block ports that are not in use
Firewall
Types
Packet filtering
Proxy based
Stateful
Where?
Host (personal firewall)
Router
Effectiveness = 20% tools + 80% configuration
Firewall
Packet Filtering Firewall
Parameters:
Protocol, e.g. TCP, UDP, ICMP
Source port, e.g. 25, 1024:65536
Destination port, e.g. 25
Source IP/network, e.g. 81.52.22.1, 81.52.22.0/29
Destination IP/network, e.g. 81.52.22.1, 81.52.22.0/29
Code bit, e.g. ACK
Judgment, e.g. DROP, ACCEPT
Filtering process is fast
Firewall
Packet data flow (chain)
Input = rules for incoming packets
Output = rules for outgoing packets
Forward = rules for packets being forwarded (routers only)
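A first-match evaluator for the rule parameters and chains listed above, as an added example that is not part of the original slides. The rule set, the packet field names and the closed-by-default chain policy are constructed for illustration; 81.52.22.1 and 81.52.22.0/29 are the sample addresses from the slide.

```python
# Added example: first-match packet filter built on the slide's rule parameters.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    chain: str        # INPUT, OUTPUT or FORWARD
    proto: str        # "tcp", "udp", "icmp" or "any"
    src: str          # source IP or network in CIDR form
    dst: str          # destination IP or network in CIDR form
    sport: tuple      # (low, high) source port range
    dport: tuple      # (low, high) destination port range
    flags: frozenset  # TCP code bits that must be set (empty = ignore)
    judge: str        # "ACCEPT" or "DROP"

ANY_PORT = (0, 65535)
NO_FLAGS = frozenset()

def matches(rule, chain, pkt):
    """True when every parameter of the rule matches the packet."""
    return (rule.chain == chain
            and rule.proto in ("any", pkt["proto"])
            and ip_address(pkt["src"]) in ip_network(rule.src)
            and ip_address(pkt["dst"]) in ip_network(rule.dst)
            and rule.sport[0] <= pkt.get("sport", 0) <= rule.sport[1]
            and rule.dport[0] <= pkt.get("dport", 0) <= rule.dport[1]
            and rule.flags <= pkt.get("flags", NO_FLAGS))

def filter_packet(rules, chain, pkt, policy="DROP"):
    """Return the judgment of the first matching rule, else the chain policy."""
    for rule in rules:
        if matches(rule, chain, pkt):
            return rule.judge
    return policy  # closed by default: anything not explicitly allowed is dropped

# Constructed rule set for a mail server at 81.52.22.1.
RULES = [
    # Inbound SMTP from any client using an unprivileged source port.
    Rule("INPUT", "tcp", "0.0.0.0/0", "81.52.22.1/32", (1024, 65535), (25, 25), NO_FLAGS, "ACCEPT"),
    # ICMP only from the local /29.
    Rule("INPUT", "icmp", "81.52.22.0/29", "81.52.22.1/32", ANY_PORT, ANY_PORT, NO_FLAGS, "ACCEPT"),
    # Stateless reply rule: outbound from port 25 only when ACK is set.
    Rule("OUTPUT", "tcp", "81.52.22.1/32", "0.0.0.0/0", (25, 25), (1024, 65535), frozenset({"ACK"}), "ACCEPT"),
]
```

The ACK requirement on the OUTPUT rule is how a stateless filter approximates "replies only"; it has no memory of whether a matching inbound connection ever existed.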
Firewall
Stateful Packet Filter
Packet filtering extended so that it can remember packets, implemented in a state table
Filtering speed is moderate compared with packet filtering and proxy based
Proxy Based
Filtering at the application level
Filtering process is slower
Firewall
Optimal firewall placement
Firewall placed at the Router/Gateway to anticipate attacks from the INTERNET
Firewall placed at the Router, NAT to anticipate attacks from the INTRANET
Firewall
Add Port
Information
Logging
Options
Firewall - Default Service
Firewall
Firewall - Services & Ports
Description                          Port
AD Authentication (TCP)              1025
DNS (TCP & UDP)                      53
Kerberos (TCP & UDP)                 88
LDAP (TCP & UDP)                     389
File Sharing (TCP & UDP)             445
Network Time Protocol (TCP & UDP)    123
NetBIOS (TCP)                        139
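One way to check a host against the port list above, as an added example that is not part of the original slides: it parses `netstat -an` output and reports listening ports that are not in the table. The netstat sample is constructed, and treating the table as an allow list is an assumption.

```python
# Added example: audit listening ports against the slide's port table.
TABLE = [  # (description, port, protocols) copied from the slide
    ("AD Authentication", 1025, ("TCP",)),
    ("DNS", 53, ("TCP", "UDP")),
    ("Kerberos", 88, ("TCP", "UDP")),
    ("LDAP", 389, ("TCP", "UDP")),
    ("File Sharing", 445, ("TCP", "UDP")),
    ("Network Time Protocol", 123, ("TCP", "UDP")),
    ("NetBIOS", 139, ("TCP",)),
]
ALLOWED = {(proto, port) for _, port, protos in TABLE for proto in protos}

# Constructed sample in the layout printed by `netstat -an` on Windows.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1025      192.168.1.20:3456      ESTABLISHED
  UDP    0.0.0.0:69             *:*
  UDP    0.0.0.0:123            *:*
"""

def listening(netstat_text):
    """Return {(proto, port)} for TCP listeners and bound UDP sockets."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        if fields[0] == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue  # established or closing connections are not listeners
        # rsplit keeps this correct for bracketed IPv6 addresses such as [::]:445
        found.add((fields[0], int(fields[1].rsplit(":", 1)[1])))
    return found

def unexpected(netstat_text):
    """Listening endpoints that the port table does not account for."""
    return sorted(listening(netstat_text) - ALLOWED)

if __name__ == "__main__":
    for proto, port in unexpected(SAMPLE):
        print(f"not in allow list: {proto}/{port}")
```

On the sample, the two findings are Telnet and TFTP, the same services whose binaries the command-line hardening slide says to rename or delete.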
Firewall - Services & Ports
IDS - Intrusion Detection System
Detection methods
Anomaly detection (processor, bandwidth, memory and so on)
Signatures stored in a database
Attack detected, then what?
Alert via SMS, email and so on
Reconfigure the firewall
Run an attack-response program
Log attacks and events
Types
Network IDS
Host IDS
IDS - Intrusion Detection System
Network IDS vs Host IDS
NIDS HIDS
IDS - Intrusion Detection System
Example IDS products - Snort
IDS - Intrusion Detection System
Example IDS products - BlackICE
Security Tools
Available Tools - GPMC
New User Interface
Backup and restore
Import and export
Group Policy Modeling
Resultant Set of Policy (RSoP)

Available Tools - MBSA


Microsoft Baseline Security Analyzer (v2)
Available Tools - MSAT
Microsoft Security Assessment Tool
Available Tools - Windows Defender
Microsoft Anti-Spyware - Windows Defender
Spyware detection
Scheduled scanning and removal
Straightforward operation and thorough removal technology
3rd Party Tools
Winternals http://www.winternals.com/
Sysinternals http://www.systernals.com/
CERT http://www.cert.org/
SANS http://www.sans.org/
Links
Windows Server History
http://www.microsoft.com/windows/WinHistoryServer.mspx
Windows Server 2003 Product Home
http://www.microsoft.com/windows2003
Windows Server 2003 Developers
http://msdn.microsoft.com/nhp/default.asp?contentid=28001691
IIS 6.0 Technical Overview
http://www.microsoft.com/windows.netserver/docs/IISOverview.doc
Links
Windows Server 2003 Security Guide
http://go.microsoft.com/fwlink/?LinkId=14846
WindowSecurity.com
SecWish@microsoft.com (Feedback email)
Microsoft Windows Security Resource Kit (2nd Ed.)
ISBN 0-7356-2174-8
Service Pack 1 Overview
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/servicepack/overview.mspx
Downloads
Microsoft Security Assessment Tool (MSAT)
https://www.securityguidance.com/
Microsoft Security
http://www.microsoft.com/security/default.mspx
Microsoft Baseline Security Analyzer (MBSA)
http://www.microsoft.com/technet/security/tools/mbsahome.mspx
Microsoft Anti-Spyware (beta) Defender
http://www.microsoft.com/athome/security/spyware/software/default.mspx
Downloads
Rootkit Revealer
http://www.sysinternals.com/Utilities/RootkitRevealer.html
Strider GhostBuster Project (Rootkit detector)
http://research.microsoft.com/rootkit/
Threats and Countermeasures: Security Settings
in Windows Server 2003 and Windows XP
http://go.microsoft.com/fwlink/?LinkId=15160
Questions?
Security Settings & Hardening
Iwan Sumantri
CEH CEI CHFI CISM CISSP MCSE
Trainer - Telkom PDC (http://www.telkompdc.com)
