UCR

Security

Breadcrumbs

Windows

Critical Security Recommendations for Windows-Based Servers

There are numerous steps that system administrators can take to protect their servers from attack. The increase in the number and severity of hacking attempts in recent years has lead to the forming of many organizations that offer consultation on issues of computer security. Many of these organizations freely offer lists of recommended "best practices" to counter the hacker problem. We have examined many of these documents and based on the most current data available, we have compiled our own set of recommendations. Most of the attacks that we have experienced on campus would have been prevented or at least minimized had the recommendations below been in place.

Our recommendations are listed in order of importance. Each of them is important, but if time or resources are limited, we suggest starting at the top of the list and work down.

Check all servers at least weekly for compliance with respect to all available Service Packs, patches and Hotfixes.

This is the most critical action one can take to reduce the likelihood of an attack. Once a bug or vulnerability is made public, hackers begin to search for systems that have not been "patched". The possibility of an attempted assault increases with each passing day. System administrators should make this step their highest ongoing priority.

There are numerous techniques and tools available to assist administrators in keeping their servers up-to-date with patches and hotfixes. Here is a list of some of those resources:

Verify that all users (and especially those users with administrative rights) have strong passwords. Enforce stronger password policies.

The only thing standing between a potential intruder and complete control of the server is administrator enabled account password(s). If an attacker can obtain the password for an account with administrator privileges, they can do anything. Each and every account with administrator rights should have a strong password. Individual user accounts should also have strong passwords, but there are human factors which may limit the ability to enforce stricter password policies on the average user. There is a fine balance between enforcing password policies and creating a burden on users that will actually lead to a net loss of protection. For example, if users are forced to change their passwords too often, they may resort to writing them down on post-it notes and sticking them on their monitor.

Strong password characteristics:

  • Passwords should contain a minimum of eight characters.
  • Passwords should NOT contain dictionary words.
  • Passwords should use a combination of uppercase, lowercase, numeric and special characters. Enable strong password functionality by doing the following:
  • Accounts should be locked out after a maximum of five invalid login attempts.
  • Maximum password duration should be no more than 60 days (a 60 day "maximum password duration" setting would cause a password to expire after 60 days).
  • Minimum password duration should be set to two or three days to prevent users from changing their passwords when required, then immediately changing them back to what they were previously.
  • Do not allow "null" passwords (setting a minimum password length as mentioned in the first point above will accomplish this).

Provide at least a minimum level of physical security for all servers

  • Every server should be behind a locked door with access limited to only those individuals who have a legitimate need for access.
  • When there is no one working at the server console, the console session should be either logged out or "locked" so that a password is required to gain access.
  • The server room should be arranged in a way that people outside the room cannot see the keyboard (thus seeing users/admin passwords).
  • Written evidence of user ID's and passwords should not be left lying around the server room.

Implement backup procedures for all systems.

Use up-to-date anti-virus software

Anti-virus software on a server may not stop hacking attempts, but they can detect many of the "Trojan horse" programs that hackers often use to "sneak" into systems. After installing anti-virus software, be sure there is routine updates of the virus signatures to ensure that the software will be able to detect all virus, including the most recently discovered ones.

Block access to/from any unnecessary TCP/UDP ports.

There are over 65,000 TCP and UDP ports on any given server, most of which could become the path used by an attacker to gain unauthorized access to systems. Use whatever means possible to block access to the ports on the server where there is no legitimate use. The most common and effective way to block access to these ports is the use of a firewall. Firewalls can be separated into two categories:

Personal Firewall

A "personal" firewall can be installed on the server itself and can be extremely effective at blocking unwanted traffic to and from the server. Below is a list of a few such products:

Network Firewall

This type of firewall is placed on the campus network, between the server and the "rest of the world". The network firewall's job is to block access to/from any particular port on the server. Computing and Communications will offer a firewall "service" in the next few months.

Firewalls cannot prevent every type of attack and they can be somewhat difficult to configure. Determining which ports to leave open to allow the traffic this IS wanted and which ones to block to filter the traffic that is NOT wanted can be a lengthy and tedious process.

Additional firewall information resources:

Enable security logging on all servers.

"Prevention is ideal, but detection is a must" is a commonly repeated axiom in the computer security world. Hence, security forensics is one of the many keys to securing Windows-based servers. "Turning on" the auditing features on Windows-based servers can enhance it's ability to determine how an attempted attack was carried out and to what extent, if at all, the systems were compromised. Auditing can also help administrators detect unsuccessful attacks so that configuration changes can be made to defend against future attacks. Follow the steps outlined at the links below to enable auditing on servers:

Enable logging of the following events:
  • Logon and Logoff - Success and Failure
  • File and Object Access - Failure only
  • Use of User Rights - Failure only
  • User and Group Management - Success and Failure
  • Security Policy Changes - Success and Failure
  • Restart, Shutdown and System - Success and Failure
  • Process Tracking - None

Note: Once auditing is enabled, make a habit of scanning the security logs on a regular basis. This may lead to discovering events that could provide tips whether an attack that was unsuccessful and provide the information required to stop future attacks.

Another article on auditing from Ernest Orlando Lawrence Berkeley National Laboratory: Enabling and Configuring System Auditing

Disable any unnecessary services.

If performing a default installation, Windows NT/2000 servers are configured to run many services which may not be required. Running services on servers that aren't needed is like having doors in a house that no one ever goes through. Why risk someone "breaking in" when the "door" can be eliminate altogether? Examine each server and look at each service that is running and ask "Is this service really needed"? If the answer is "no", then disable or remove the service.

A freeware tool from Foundstone (a computer security company) called Vision can help identify the services running on the server and the TCP/UDP ports with which they are associated.

The article referenced below can help in the determination of which services are needed and which ones are not required:

Default Services Required for Internet Information Server Services:

http://support.microsoft.com/kb/810866/en-us

Disable anonymous user account enumeration.

By default on all Windows NT systems and on some Windows 2000 systems, a "user" can log on without a user name and password and can then list all of the user account names on the system. In addition to being able to enumerate the user names, the attacker can is also provided with the information they need to determine which listed accounts have administrator privilege. This security "hole" has been used recently against campus servers to allow hackers to gain access to a list NT/2000 server usernames, including information regarding which accounts have administrator privileges. Using the RestrictAnonymous registry entry, can block routine access to user information.

Use NTFS

All Windows NT and Windows 2000 systems should be formatted using NTFS and not FAT/FAT32. Neither FAT nor FAT32 utilize file level security and using them represents substantial risk of compromise.

Summary

The most important idea to take away from this information is this: Securing windows-based servers is a journey, not a destination. There will never be a point at which anyone can stop and say "This is finished now -- all of my servers are secure". Computer security means staying constantly vigilant both proactively and reactively. Here are some tips:

To learn more about Windows NT/2000 security see the included links to some very informative web resources:

More Information

General Campus Information

University of California, Riverside
900 University Ave.
Riverside, CA 92521
 Tel: (951) 827-1012

 Career OpportunitiesUCR Libraries
Campus StatusDirections to UCR

Security Information

Computing & Communications
Computing & Communications Bldg.

Tel: (951) 827-4741
Fax: (951) 827-4541
E-mail: helpdesk@ucr.edu

Related Links

Footer