Microsoft Press MCSA/MCSE Self-Paced Training Kit, Exam 70-293, part 6 (pptx)





9-2 Chapter 9 Hardening Servers

Lesson 1: Creating a Baseline for Member Servers

The Windows Server 2003 default configuration is far more secure than those of previous versions of the Microsoft Windows operating system, but there are still security settings that you should consider modifying from their defaults. The security requirements for the various servers on your network might differ, but a good place to start is creating a security configuration for a standard member server. This gives you a baseline security configuration for member servers and a starting point for modifications needed by servers performing specific roles.

After this lesson, you will be able to
■ Use a GPO to create a secure baseline installation for a member server
■ Configure audit and Event Log policies using GPOs
■ Configure service startup types using GPOs
■ Configure security options using GPOs

Estimated lesson time: 30 minutes

Creating a Baseline Policy

Many of the Windows Server 2003 security parameters used to create a baseline installation can be configured using a Group Policy Object (GPO). A GPO can contain settings for a myriad of different configuration parameters associated with the operating system and the applications running on it. To use a GPO, you associate it with a particular Active Directory directory service object, such as a domain, a site, or an organizational unit. When you associate a GPO with an object, that object’s contents receive all the configuration settings in the GPO. For example, when you associate a GPO with a domain, all the objects in that domain inherit the GPO settings.

Note Member servers are computers running Windows Server 2003 that are joined to a domain, but are not domain controllers.

By default, Windows Server 2003 places all the member servers joined to a domain in a container object, beneath the domain, called Computers (see Figure 9-1).
The Computers object is not a domain, site, or organizational unit object, however, so you cannot associate a GPO with it. Furthermore, this container also contains the computer objects for all your workstations, so you would not want to apply a member server baseline to it.

Exam Tip You should have a basic familiarity with all of the security settings found in group policy objects.

Figure 9-1 The Computers container in the Active Directory Users And Computers console

Understanding Container Objects

The Computers container object is a special Active Directory object called a container, which Windows Server 2003 creates by default when you create the first domain controller for a new domain. The system also creates other container objects called Users, Builtin, and ForeignSecurityPrincipals. The term container can be misleading in the case of these four container objects, because many directory services, including Active Directory, refer to any object that can have other objects beneath it as a container. Objects that cannot contain other objects are called leaves. The Computers, Users, Builtin, and ForeignSecurityPrincipals container objects are different, however, because their object type is literally called a container. These container objects do not have the same properties as Active Directory objects, such as domains, sites, and organizational units, which function as generic containers. You cannot delete the Computers, Users, Builtin, and ForeignSecurityPrincipals container objects, nor can you create new objects using the container object type. You also cannot associate GPOs with these objects. You can, however, create new generic containers, such as organizational units, and associate GPOs with them.
To create a baseline installation for your member servers only, the best practice is to create a new organizational unit in your domain, then move the computer objects representing the member servers into it, as shown with the Members object in Figure 9-2. This way, you can associate a GPO containing your security baseline with the member servers’ organizational unit and all the objects in that container will inherit the baseline security settings.

Figure 9-2 A container object for member servers in the Active Directory Users And Computers console

Tip Do not put the computer objects for other types of systems, such as domain controllers or workstations, in your member servers organizational unit unless you want them to have the same baseline configuration as your member servers. Workstations do not need most of the configuration settings discussed in this lesson, and domain controllers have their own requirements. As a rule, you should place each type of computer that requires a different configuration in its own organizational unit.

Setting Audit Policies

Auditing is an important part of a secure baseline installation because it enables you to gather information about the computer’s activities as they happen. If a security incident occurs, you want to have as much information about the event as possible, and auditing specific system elements makes the information available. The problem with auditing is that it can easily give you an embarrassment of riches. You can’t have too much information when a security breach occurs, but most of the time your servers will be operating normally. If you configure the system to audit too many events, you can end up with enormous log files consuming large amounts of disk space and making it difficult to find the information you need. The object of an audit configuration is to achieve a balance between enough auditing information and too much.
When you configure Windows Server 2003 to audit events, the system creates entries in the Security log that you can see in the Event Viewer console (see Figure 9-3). Each audit entry contains the action that triggered the event, the user and computer objects involved, and the event’s date and time.

Figure 9-3 The Event Viewer console

A GPO’s audit policies are located in the Group Policy Object Editor console in the Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy container, as shown in Figure 9-4. Each policy creates an audit entry in response to the following events:

Figure 9-4 The Audit Policy container in the Group Policy Object Editor console

■ Audit Account Logon Events A user logging on to or off another computer. The policy uses this computer to authenticate the account. This policy is intended primarily for domain controllers, which authenticate users as they log on to other computers. There is typically no need to activate this policy on a member server.
■ Audit Account Management Each account management event that occurs on the computer, such as creating, modifying, or deleting a user object, or changing a password. On a member server, this policy only applies to local account management events. If your network relies on Active Directory for its accounts, administrators seldom have to work with local accounts. However, activating this policy can detect unauthorized users who are trying to gain access to the local computer.
■ Audit Directory Service Access A user accessing an Active Directory object that has its own system access control list (SACL). This policy only applies to domain controllers, so there is no need for you to enable it on your member servers.
■ Audit Logon Events Users logging on to or off the local computer when the local computer or a domain controller authenticates them. You use this policy to track user logons and logoffs, enabling you to determine which user was accessing the computer when a specific event occurred.
■ Audit Object Access A user accesses an operating system element such as a file, folder, or registry key. To audit elements like these, you must enable this policy and you must enable auditing on the resource that you want to monitor. For example, to audit user accesses of a particular file or folder, you display its Properties dialog box with the Security tab active, navigate to the Auditing tab in the Advanced Security Settings dialog box for that file or folder (see Figure 9-5), and then add the users or groups whose access to that file or folder you want to audit.
■ Audit Policy Change Someone changes one of the computer’s audit policies, user rights assignments, or trust policies. This policy is a useful tool for tracking changes administrators make to the computer’s security configuration. For example, an administrator might disable a policy temporarily to perform a specific task and then forget to reenable it. Auditing enables you to track the administrator’s activities and notice the oversight.
■ Audit Privilege Use A user exercises a user right. By default, Windows Server 2003 excludes the following user rights from auditing because they tend to generate large numbers of log entries: Bypass Traverse Checking, Debug Programs, Create A Token Object, Replace Process Level Token, Generate Security Audits, Backup Files And Directories, and Restore Files And Directories.

Tip It is possible to enable auditing of the user rights listed here by adding the following key to the registry in the Windows operating system: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,1. However, if you do this, you should be prepared to deal with the large number of log entries that auditing these user rights generates by increasing the maximum size of the logs and having a policy for frequent evaluation and clearance of the logs.

■ Audit Process Tracking The computer experiences an event such as a program activation or a process exit. While this policy gathers information that is valuable when analyzing a security incident, it also generates a large number of log entries.
■ Audit System Events Someone shuts down or restarts the computer or an event affecting system security or the security log occurs.

Figure 9-5 The Advanced Security Settings dialog box

When you enable one of these audit policies, you can select three possible values, which determine the conditions for creating an audit entry, as follows:
■ Successes only (select the Success check box) Only when the specified action completes successfully
■ Failure only (select the Failure check box) Only when the specified action fails
■ Successes and Failures (select both the Success and Failure check boxes) Whether the specified action succeeds or fails
■ No auditing (clear both the Success and Failure check boxes) No audit entries for the specified actions under any circumstances

Real World GPO Application

Although it might appear that the no auditing option is the same as leaving the policy disabled, this is not necessarily the case. You can associate multiple GPOs with a single Active Directory object and control the order in which the system applies the GPO settings. If you have a GPO that enables a particular policy, you can override the value for that policy by creating another GPO with a different value for the same policy and configuring it to override the first GPO’s settings. For example, if one GPO enables the Success and Failure options for the Audit Logon Events policy, you can override this setting with another GPO that has the same policy enabled, but the Success and Failure check boxes are cleared.

For security purposes, auditing failures can often be more valuable than auditing successes. For example, the default Audit Account Logon Events policy value for domain controllers is to audit successful logons only. This enables you to determine who was logged on to the network at any time. However, if an unauthorized user attempts to penetrate an administrative account by guessing passwords, the audit log would not contain any evidence of these attempts. Selecting the Failure check box for the Audit Account Logon Events policy gives you information about the failed logon attempts as well as the successful ones.

Setting Event Log Policies

The Event Log is an essential tool for Windows Server 2003 administrators, and the Event Log policies control various aspects of the log’s performance, including the maximum size of the logs, who has access to them, and how the logs behave when they reach their maximum size. The Event Log policies in a GPO are located in the Computer Configuration\Windows Settings\Security Settings\Event Log container, as shown in Figure 9-6.

Figure 9-6 The Event Log container in the Group Policy Object Editor console

For each of the following, there are three policies, one for each of the logs: application, security, and system.
■ Maximum log size Specifies the maximum size the system permits, in kilobytes. Values must be in 64 KB increments, and the maximum value is 4,194,240 (4 gigabytes).
■ Prevent local guests group from accessing log Specifies whether members of the local Guests group on the computer are permitted to view the log file.
■ Retain log Specifies the number of days for which the log should retain information.
■ Retention method for log Specifies the behavior of the log when it reaches its maximum size, using the following options:
❑ Overwrite Events By Days—The log retains the number of days of entries specified by the retain log policy. Once the log grows to the specified number of days, the system erases the oldest day’s entries each day.
❑ Overwrite Events As Needed—The log erases the oldest individual entries as needed once the log file has reached the size specified in the maximum log size policy.
❑ Do Not Overwrite Events (Clear Log Manually)—The system stops creating new entries when the log reaches the size specified in the maximum log size policy.

Creating an event logging configuration for a member server usually requires some experimentation. The best way to proceed is to configure the events and resources that you want to audit, and then let the logs accrue for several days. Calculate the average number of entries for each log per day and then decide how many days of history you want to retain. This enables you to determine a suitable maximum size for your logs.

Before setting the retain log and retention method for log policies, you should decide how often someone is going to review the logs and clear or archive them when necessary. If it is essential to retain all log information, you can specify a maximum size for the log and then enable the Security Options policy, Audit: Shut Down System Immediately If Unable To Log Security Audits, which forces you to manage the logs regularly.

Configuring Services

Windows Server 2003 installs a great many services with the operating system, and configures quite a few with the Automatic startup type, so that these services load automatically when the system starts. Many of these services are not needed in a typical member server configuration, and it is a good idea to disable the ones that the computer doesn’t need. Services are programs that run continuously in the background, waiting for another application to call on them. For this reason, services are also potential points of attack, which intruders might be able to exploit.

Instead of controlling the services manually, using the Services console, you can configure service parameters as part of a GPO. Applying the GPO to a container object causes the services on all the computers in that container to be reconfigured. To configure service parameters in the Group Policy Object Editor console, you browse to the Computer Configuration\Windows Settings\Security Settings\System Services container and select the policies corresponding to the services you want to control (see Figure 9-7).

Figure 9-7 The System Services container in the Group Policy Object Editor console

Tip When a service policy is left undefined, the service retains the default status that the Windows Server 2003 Setup program assigned it during the operating system installation. For example, even if you do not configure a particular service with the Automatic startup type, Windows Server 2003 itself might configure that service to load automatically. If you want to be certain that a service is disabled, you must activate the System Services policy and choose the Disabled option.

Table 9-1 contains the services that Windows Server 2003 typically installs on a member server. The Automatic column contains the services that Windows Server 2003 requires for basic system management and communications. The Manual column contains services that do not have to be running all the time, but which must be available so that other processes can activate them. The Disabled column contains services that the typical member server does not need, and which you can permanently deactivate, unless the computer has a specific need for them.
Table 9-1 Typical Member Server Service Assignments

Automatic
■ Automatic Updates
■ Computer Browser
■ DHCP Client
■ Distributed Link Tracking Client
■ DNS Client
■ Event Log
■ IPSEC Services
■ Logical Disk Manager
■ Net Logon
■ Plug And Play
■ Protected Storage
■ Remote Procedure Call (RPC)
■ Remote Registry
■ Security Accounts Manager
■ Server
■ System Event Notification
■ TCP/IP NetBIOS Helper
■ Windows Management Instrumentation
■ Windows Time
■ Workstation

Manual
■ Background Intelligent Transfer Service
■ COM+ Event System
■ Logical Disk Manager Administrative Service
■ Network Connections
■ NT LM Security Support Provider
■ Performance Logs And Alerts
■ Terminal Services
■ Windows Installer
■ Windows Management Instrumentation Driver Extensions

Disabled
■ Alerter
■ Application Management
■ ClipBook
■ Distributed File System
■ Distributed Transaction Coordinator
■ Fax Service (only present when a modem is installed)
■ Indexing Service
■ Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS)
■ License Logging
■ Messenger
■ NetMeeting Remote Desktop Sharing
■ Network DDE
■ Network DDE DSDM
■ Print Spooler
■ Remote Access Auto Connection Manager
■ Remote Access Connection Manager
■ Removable Storage
■ Routing And Remote Access
■ Secondary Logon
■ Smart Card
■ Task Scheduler
■ Telephony
■ Telnet
■ Uninterruptible Power Supply
[...]

... box appears.
4 Click the Group Policy tab and then click Add. The Add A Group Policy Object Link dialog box appears.
5 In the Look In drop-down list, select contoso.com.
6 In the Domains, OUs, And Linked Group Policy Objects list, double-click the Member Servers.contoso.com entry.
7 Select the Member Server Baseline GPO, and then click OK. A link to the Member Server Baseline ...
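The audit-policy guidance, the Event Log sizing rules, the Real World note on GPO precedence, and the Table 9-1 startup types above are all things you can check mechanically against an exported security template instead of clicking through every policy. The script below is an added example written for this page; it is not code from the training kit or from Microsoft. It assumes the secedit .inf template layout described in its docstring ([Event Audit] values 0/1/2/3, AuditLogRetentionPeriod codes 0/1/2, and "name",startup,SDDL service lines with startup codes 2/3/4), which you should confirm against a real secedit /export before relying on it, and the two templates it reads are constructed samples, not exports from any server. It also models precedence the way the Real World note describes it: a later GPO overrides only the settings it defines, so a defined "No auditing" (0) and an undefined policy give different effective results.

```python
"""Check the effective member-server baseline against this lesson's guidance.

Added example for this page, not code from the training kit or from Microsoft.
Input: security templates in the secedit .inf layout, applied in GPO link order.
Assumed encodings (verify against a real `secedit /export` output):
  [Event Audit]  0 = no auditing, 1 = success, 2 = failure, 3 = both;
                 AuditLogRetentionPeriod 0/1/2 = as needed / by days / manual clear
  [Service General Setting]  "name",startup,SDDL  with 2/3/4 = auto/manual/disabled
Both templates below are constructed samples, not exports from any server.
"""
import re

AUDIT_NONE, AUDIT_FAILURE = 0, 2
AUTOMATIC, MANUAL, DISABLED = 2, 3, 4
RETAIN_MANUAL_CLEAR = 2                      # "Do Not Overwrite Events"
LOG_STEP_KB, LOG_MAX_KB = 64, 4_194_240      # limits stated in the lesson

# GPO 1: the baseline linked to the member servers OU (constructed).
BASELINE_INF = """\
[Event Audit]
AuditAccountLogon = 3
AuditDSAccess = 3
AuditLogonEvents = 3
MaximumSecurityLogSize = 100000
AuditLogRetentionPeriod = 2
[Service General Setting]
"Alerter",4,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
"Messenger",2,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
"""
# GPO 2: applied after GPO 1.  It defines Audit Logon Events as "no auditing"
# (both check boxes cleared), which overrides GPO 1; everything it leaves
# undefined is inherited from GPO 1 unchanged.
OVERRIDE_INF = """\
[Event Audit]
AuditLogonEvents = 0
[Service General Setting]
"Telnet",3,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
"""

# Expectations taken from the lesson text.
DC_ONLY = ("AuditAccountLogon", "AuditDSAccess")       # not needed on member servers
NOISY = ("AuditPrivilegeUse", "AuditProcessTracking")  # generate many log entries
TABLE_9_1 = {"Alerter": DISABLED, "Messenger": DISABLED, "Telnet": DISABLED,
             "Terminal Services": MANUAL}              # small subset of Table 9-1


def parse_template(text):
    """Return {section: {key: value}}; service lines are keyed by service name."""
    sections, name = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            name = header.group(1)
            sections.setdefault(name, {})
        elif name == "Service General Setting":
            svc, startup, _sddl = line.split(",", 2)
            sections[name][svc.strip('"')] = int(startup)
        elif name and "=" in line:
            key, _, value = line.partition("=")
            value = value.strip()
            sections[name][key.strip()] = int(value) if value.isdigit() else value
    return sections


def effective_settings(templates):
    """Apply templates in link order: a later GPO overrides only the keys it defines."""
    merged = {}
    for text in templates:
        for section, entries in parse_template(text).items():
            merged.setdefault(section, {}).update(entries)
    return merged


def check_baseline(settings):
    """Return findings; an empty list means the settings match the lesson's baseline."""
    audit = settings.get("Event Audit", {})
    services = settings.get("Service General Setting", {})
    findings = []
    for key in DC_ONLY:
        if audit.get(key, AUDIT_NONE) != AUDIT_NONE:
            findings.append(f"{key}: domain controller policy, not needed on a member server")
    if not audit.get("AuditLogonEvents", AUDIT_NONE) & AUDIT_FAILURE:
        findings.append("AuditLogonEvents: failures not audited, so password guessing leaves no trace")
    for key in NOISY:
        if audit.get(key, AUDIT_NONE) != AUDIT_NONE:
            findings.append(f"{key}: enabled; expect a large number of log entries")
    size = audit.get("MaximumSecurityLogSize", 0)
    if size % LOG_STEP_KB or size > LOG_MAX_KB:
        findings.append(f"MaximumSecurityLogSize={size}: must be a 64 KB multiple, at most {LOG_MAX_KB}")
    if audit.get("AuditLogRetentionPeriod") == RETAIN_MANUAL_CLEAR:
        findings.append("Security log is Do Not Overwrite Events: decide who clears or archives it")
    for svc, expected in TABLE_9_1.items():
        actual = services.get(svc)
        if actual is None:
            findings.append(f"{svc}: policy undefined, so the service keeps its Setup default")
        elif actual != expected:
            findings.append(f"{svc}: startup type {actual}, Table 9-1 expects {expected}")
    return findings


def recommended_log_size_kb(entries_per_day, bytes_per_entry, days_to_keep):
    """Size a log from observed volume, rounded up to 64 KB and capped at the maximum."""
    needed_kb = -(-entries_per_day * bytes_per_entry * days_to_keep // 1024)
    return min(-(-needed_kb // LOG_STEP_KB) * LOG_STEP_KB, LOG_MAX_KB)


if __name__ == "__main__":
    for finding in check_baseline(effective_settings([BASELINE_INF, OVERRIDE_INF])):
        print("-", finding)
    print("suggested Security log size:", recommended_log_size_kb(20_000, 500, 30), "KB")
```

Run as a script it prints the findings for the two constructed GPOs; on a real server you would read the file produced by secedit /export /cfg instead of the inline strings. Note the difference between the two runs: with the baseline alone, Audit Logon Events (3) passes, but once the second GPO defines it as 0 the failure check fires, while Telnet, which the second GPO defines as Manual, changes from "undefined" to "does not match Table 9-1".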
Protecting Active Directory-Integrated DNS

When you create Active Directory-integrated zones on your DNS server, the zone database is stored as part of the Active Directory database, which protects it from direct access by unauthorized users. However, you should still take steps to ensure that the MicrosoftDNS container object in Active Directory (shown in Figure 9-10) is secure.

Figure 9-10 The MicrosoftDNS container in the Active Directory Users And Computers console

Tip To access the MicrosoftDNS container object in the Active Directory Users And Computers console, you must first select the Advanced Features option from the console’s View menu. The console then displays additional containers, including the System container, which contains MicrosoftDNS. By default, ...

... Control, while the Server Operators group receives all permissions except Full Control. The Authenticated Users group receives the permissions needed to read and execute files in this folder (see Figure 9-11).

Figure 9-11 The DNS Properties dialog box

You don’t need file system permissions to maintain the DNS zone databases using the DNS console ...

... Rights Assignment container. The list of user rights appears in the details pane.
11 Double-click the Debug Programs user right. The Debug Programs Properties dialog box appears.
12 Select the Administrators group, and then click Remove. Click OK.
13 Double-click the Add Workstations To Domain user right. The Add Workstations To Domain Properties ...

... Media Specifies which local groups are permitted to format and eject removable NTFS file system media.
■ Devices: Restrict CD-ROM Access To Locally Logged-on User Only Prevents network users from accessing the computer’s CD-ROM drives.
■ Devices: Restrict Floppy Access To Locally Logged-on User Only Prevents network users from accessing the computer’s floppy disk drive.
■ Domain Member: Maximum Machine Account ...

... Baseline and then press Enter.
4 Click Edit. The Group Policy Object Editor console appears, with the Member Server Baseline GPO at the root of the console tree.
5 In the Computer Configuration container, expand the Windows Settings, Security Settings, and Local Policies containers.
6 Click the Audit Policy container. A list of audit policies appears in the console’s details pane.
7 Double-click the Audit ...

... services appears in the details pane.
14 Double-click the Alerter service entry. The Alerter Properties dialog box appears.
15 Select the Define This Policy Setting check box. The Disabled service startup mode is selected by default.
16 Leave the default service startup mode unchanged, and then click OK.
17 Activate each of the other service policies listed in Table 9-1 and configure their service startup modes ...

... a computer
■ GPOs include a great many security options that you can use to configure specific behaviors of a computer running Windows Server 2003.

Lesson 2: Creating Role-Specific Server Configurations

Once a baseline security configuration for your servers is in place, you can consider the special needs of the servers performing particular ...

... Security Options container of your GPO ensures that your clients can access the print queue on the server.

Note To view print queues on file and print servers, client computers must have the Security Options policy, Microsoft Network Client: Digitally Sign Communications (Always) (or its equivalent), disabled as well.

Configuring Permissions Using ...

Posted: 09/08/2014, 07:21

