The Server 2008 Hardening Computer Science Essay

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Server 2008 implements a new feature that helps reduce the attack surface of the supported server roles by installing only the subset of binary files that a server requires to operate. It needs only about 1 GB of space on the server's hard disk drive to install. The above-mentioned roles are managed from the command prompt, remotely through Remote Desktop, or with MMC or command-line tools that support remote use. This approach reduces the size of the server installation and diminishes the attack surface.

Create Role Policies:

After installing the appropriate server roles (DHCP and DNS, for example), the Security Configuration Wizard (SCW) is used to configure security settings such as selecting additional services, handling unspecified services, network security rules, and registry settings.

The next step is converting the SCW policy into a GPO from the command prompt with the scwcmd transform /p:<PathToPolicy.xml> /g:<GPODisplayName> command. Then, through the Group Policy Management Console (GPMC), we link the newly created GPO to the appropriate OUs.

Domain Policy Settings:

The following security settings are applied to the domain via the Computer Configuration node in the Group Policy Object Editor:

Password Policy Settings - helps reduce the likelihood of a successful password attack.

Account Lockout Policy Settings - prevents logon after a certain number of failed logon attempts occur within a specified period.

User Rights Assignment Settings:

These rights are used to perform a specific administrative task or tasks without giving full administrative control to that user or group (set the following settings via GPO or by direct configuration using MMC):

User Account Control: reduces the exposure and attack surface of the operating system by requiring that all users run in standard user mode, even if they have logged on with administrative credentials.

Server Message Block Signing Policies: prevents server authenticated connections from being maliciously downgraded to a guest session or to an anonymous session.

Audit policy: to monitor security-related activity, consider enabling the following policies:

Logon/Logoff - makes it possible to determine which users have accessed or attempted to access your organization's computers.

Object Access - an entry is generated each time that a user accesses a specified object.

Detailed Tracking - provides tracking in case of a program activation, process exit, handle duplication, and indirect object access.

Policy Change - monitors every incident of a change to user rights assignment policies, Windows Firewall policies, Trust policies, or changes to the Audit policy itself.

Account Management - tracks attempts to create new users or groups, rename users or groups, enable or disable user accounts, change account passwords, and enable auditing for Account Management events.
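
One way to check the audit categories listed above on a server, as an added example that is not part of the original essay: the script parses the text printed by auditpol /get /category:* and reports required categories that are absent and subcategories left at "No Auditing". The sample output is constructed, and treating every unaudited subcategory as a gap is an assumption of this example.

```python
import re

# Audit categories the checklist above recommends enabling.
REQUIRED = ["Logon/Logoff", "Object Access", "Detailed Tracking",
            "Policy Change", "Account Management"]

# Constructed sample of `auditpol /get /category:*` output (not from a real host).
SAMPLE = """\
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success
Object Access
  File System                             No Auditing
  Registry                                No Auditing
Detailed Tracking
  Process Creation                        Success
  Process Termination                     No Auditing
Policy Change
  Audit Policy Change                     Success and Failure
Account Management
  User Account Management                 Success and Failure
"""

def parse_auditpol(text):
    """Return {category: {subcategory: setting}} from auditpol's text output."""
    policy, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("System audit policy", "Category/")):
            continue
        if not line[0].isspace():          # unindented line: category header
            current = policy.setdefault(line.strip(), {})
        elif current is not None:          # indented line: "name    setting"
            parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
            if len(parts) == 2:
                current[parts[0]] = parts[1]
    return policy

def audit_gaps(policy):
    """Required categories that are absent, and subcategories left unaudited."""
    gaps = []
    for category in REQUIRED:
        subs = policy.get(category)
        if not subs:
            gaps.append((category, None))
            continue
        gaps += [(category, name) for name, setting in subs.items()
                 if setting == "No Auditing"]
    return gaps

if __name__ == "__main__":
    for category, sub in audit_gaps(parse_auditpol(SAMPLE)):
        print(f"{category}: {sub or 'category missing from output'}")
```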

Hardening Active Directory:

Domain Services:

Installed files - hash them so that their integrity can be checked later.

Uninstall or disable unused services.

Implementing Firewall rules - hiding default ports.

Hide service banners where applicable.

Carefully configuring role dependencies.

Delegate local administration of RODCs.

Limit secure information stored on RODCs.

Combine the DNS role service and the Domain Controller role service.

Restrict administrator group members and administration scope.

Prevent service administrators from bypassing password policies.

Configure fine-grained password policies.

Require multifactor authentication for users with elevated privileges.

Manage service administrators in a controlled OU structure.

Manage group membership for service administrator accounts.

Encrypt data stored on local drives using BitLocker™ Drive Encryption.

Backup BitLocker and TPM recovery information in Active Directory.

Protect the computer startup key using Syskey.

NIS role service:

Configure the computer to run Server for NIS in master mode.

Require users to change their Windows passwords.

Configuring Password Synchronization:

Ensure the Windows and UNIX password policies are consistent.

Specify a computer-specific password encryption key.

Explicitly list users allowed or blocked from password synchronization.

Block password synchronization of disabled UNIX user accounts.

Avoid synchronizing passwords for user accounts with elevated privileges.

Do not use the default port number and encryption key.

Hardening DHCP Services:

Server 2008 implements a new feature for increased security: Network Access Protection (NAP), which requires DHCP clients to prove their system and security health state before they can receive an IP address and gain access to your intranet. Consider the following settings:

Use DHCPv6 Functionality.

Eliminate computers running rogue DHCP services.

Add DHCP reservation and exclusion ranges for IP addresses.

Use NAP to enforce computer configuration health.

Restrict DHCP security group membership.

Configure DNS record ownership to help prevent stale DNS records.

Hardening DNS Services:

Server 2008 innovation: support for read-only domain controllers (RODCs).

The following security measures can be considered:

Protect DNS zones in unsecured locations by using read-only domain controllers.

Combine the DNS and AD DS server roles on the same server.

Configure zones to use secure dynamic updates.

Restrict zone transfers to specific server computers running DNS.

Deploy separate server computers for internal and external DNS resolution.

Configure the firewall to protect the internal DNS namespace.

Enable recursion to only the appropriate DNS servers.

Configure DNS to ignore non-authoritative resource records.

Configure root hints for the internal DNS namespace.

Hardening Web server:

Set the authentication mechanism.

Remove unused IIS components.

Configure a unique binding.

Move root directories to a separate data partition.

Configuring user account permissions.

Enable Secure Sockets Layer (SSL).

Hardening File Services:

Digitally sign communications via Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.

Consider encrypting drives and files using two methods: Microsoft BitLocker™ Drive Encryption and Encrypting File System (EFS).

Hardening Print Services:

Digitally sign communications - To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol provides SMB packet digital signing.

Consider using the Point and Print feature - the Point and Print Restrictions Group Policy setting has been updated in Windows Server 2008 and Windows Vista to help you manage the improved security; it is set via User Configuration\Administrative Templates\Control Panel\Printers.

Control printer share access:

Everyone - Print

CREATOR OWNER - Manage documents

Administrator - Print, Manage printers, Manage documents

Relocate the default Print Spooler file - for elevated security or performance requirements

Hardening Network Policy and Access Services, which are responsible for virtual private network (VPN), dial-up network, and 802.1X-protected wired and wireless access:

Restrict traffic based on the services offered.

Prohibit Legacy RADIUS requests, protect RADIUS shared secrets.

Explicitly specify RADIUS clients to prevent potential rogue RADIUS clients from communicating with NPS.

Configure firewall rules on intervening firewalls to protect computers that run NPS.

Use IPsec to secure communication between NPS and RADIUS clients.

Enable the Message-Authenticator attribute when not using EAP authentication.

Use the PEAP or EAP-TLS authentication protocol to authenticate client computers and users.

Routing Role Service:

Place computers that run the Routing role service in perimeter networks.

Configure the firewall rules on intervening firewalls.

Limit routing connections to known end points.

Make computers that run the Routing role service members of an extranet forest.

Use secured tunnels to secure communication between routers.

Require multifactor authentication for authenticating routers.

Use the PEAP or EAP-TLS authentication protocol to authenticate routers.

Hardening Terminal Services supporting RDP:

Configure the network level authentication.

Enable Single Sign-On for Terminal Services.

Enable secure use of saved credentials with Windows Vista RDP clients.

Change the default RDP port.

Use smart cards with Terminal Services.

Use the NTFS file system.

Use TS Easy Print exclusively.

Partition user data on a dedicated disk.

Create specialized OUs for terminal servers.

Set Group Policy settings for the terminal servers.

Set Group Policy settings for the remote desktops.

Restrict users to specific programs.

Limit terminal server security auditing.

Additional important security configurations:

Renaming administrative accounts (preventing easy detection)

Disabling guest account option

Specifying access rights to Application, Security and System logs.

Disabling driver/program installation by users

Disabling access to Windows binary files and registry

Disable floppy disk drive access.

Disable CD-ROM drive access

Disable USB drive access

Set logon prompts

Digital signing of data

Disable script execution

Disable Access to use all Windows Update features

Enable Remove programs on Settings menu

Remove Network Connections from Start Menu

Remove Search link from Start Menu

Remove Run menu from Start Menu

Add Logoff to the Start Menu

Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands.

Remove Add or Remove Programs

Prohibit access to the Control Panel

Prevent addition of printers

Remove Properties from the Documents icon context menu

Remove Properties from the Computer icon context menu

Remove Properties from the Recycle Bin context menu

Prevent access to the command prompt

Prevent access to registry editing tools

Run only specified Windows applications
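
Several account and signing items from the checklists above (password policy, account lockout, SMB signing, renamed Administrator account, disabled Guest account) can be verified from a security template exported with secedit /export /cfg. The following is an added example, not part of the original essay; the sample template is constructed, and the pass conditions (complexity on, lockout threshold above 0, server-side signing required) are assumptions of this example because the essay gives no specific values.

```python
SMB_SERVER = (r"MACHINE\System\CurrentControlSet\Services"
              r"\LanManServer\Parameters\RequireSecuritySignature")

# Constructed sample of a `secedit /export /cfg policy.inf` file (not a real host).
SAMPLE_INF = r"""[Unicode]
Unicode=yes
[System Access]
PasswordComplexity = 0
LockoutBadCount = 0
NewAdministratorName = "Administrator"
EnableGuestAccount = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
"""

def parse_inf(text):
    """Return {section: {lower-cased key: value}} for a security template."""
    data, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = data.setdefault(line[1:-1], {})
        elif section is not None and "=" in line:
            key, value = line.split("=", 1)
            section[key.strip().lower()] = value.strip().strip('"')
    return data

def reg_dword(data, path):
    """Integer from a REG_DWORD entry ('4,<n>') in [Registry Values], else None."""
    value = data.get("Registry Values", {}).get(path.lower(), "")
    return int(value[2:]) if value.startswith("4,") and value[2:].isdigit() else None

def findings(data):
    """Checklist items from the essay that the exported policy does not meet."""
    sa = data.get("System Access", {})
    num = lambda key: int(sa[key]) if sa.get(key, "").isdigit() else None
    checks = [
        ("password complexity not enforced", num("passwordcomplexity") == 1),
        ("account lockout disabled", (num("lockoutbadcount") or 0) > 0),
        ("built-in Administrator not renamed",
         sa.get("newadministratorname", "Administrator").lower() != "administrator"),
        ("Guest account not disabled", num("enableguestaccount") == 0),
        ("SMB server signing not required", reg_dword(data, SMB_SERVER) == 1),
    ]
    return [label for label, ok in checks if not ok]

if __name__ == "__main__":
    for item in findings(parse_inf(SAMPLE_INF)):
        print("FAIL:", item)
```

A real export is typically UTF-16 encoded, so read the file with encoding="utf-16" before passing its text to parse_inf.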