University of California, Riverside

Critical Security Recommendations for Windows-Based Servers

There are numerous steps that system administrators can take to protect their servers from attack. The increase in the number and severity of hacking attempts in recent years has led to the formation of many organizations that offer consultation on computer security issues. Many of these organizations freely publish lists of recommended "best practices" to counter the hacker problem. We have examined many of these documents and, based on the most current data available, compiled our own set of recommendations. Most of the attacks we have experienced on campus would have been prevented, or at least minimized, had the recommendations below been in place.

Our recommendations are listed in order of importance. Each of them matters, but if time or resources are limited, we suggest starting at the top of the list and working down.

Check all servers at least weekly for compliance with respect to all available Service Packs, patches and Hotfixes.

This is the most critical action one can take to reduce the likelihood of a successful attack. Once a bug or vulnerability is made public, hackers begin to search for systems that have not been "patched", and the possibility of an attempted assault increases with each passing day. System administrators should make this step their highest ongoing priority.

There are numerous techniques and tools available to assist administrators in keeping their servers up-to-date with patches and hotfixes. Here is a list of some of those resources:

Verify that all users (and especially those users with administrative rights) have strong passwords. Enforce stronger password policies.

The only thing standing between a potential intruder and complete control of the server is the password of each account with administrator rights. If an attacker can obtain the password for an account with administrator privileges, they can do anything. Each and every account with administrator rights must therefore have a strong password. Individual user accounts should also have strong passwords, but human factors may limit how strictly password policies can be enforced on the average user. There is a fine balance between enforcing password policies and creating a burden on users that actually leads to a net loss of protection. For example, if users are forced to change their passwords too often, they may resort to writing them down on post-it notes and sticking them on their monitors.

Strong password characteristics:

  • Passwords should contain a minimum of eight characters.
  • Passwords should NOT contain dictionary words.
  • Passwords should use a combination of uppercase, lowercase, numeric and special characters.
  • Accounts should be locked out after a maximum of five invalid login attempts.
  • Maximum password duration should be no more than 60 days (a 60-day setting causes a password to expire after 60 days).
  • Minimum password duration should be set to two or three days so that users cannot change their passwords when required and then immediately change them back to what they were previously.
  • Do not allow "null" passwords (setting a minimum password length as mentioned in the first point above will accomplish this).
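The following PowerShell is an added example, not part of the original UCR page. It reads the effective account policy with `net accounts` and compares it against the thresholds listed above (eight characters, lockout after five attempts, 60-day maximum and two-day minimum duration), then tests a candidate password against the listed characteristics. The word list in `Test-PasswordStrength` is constructed for illustration; a real check would load a dictionary file. Run it in an elevated session; on a domain member the domain policy is what `net accounts` reports.

```powershell
# Added example, not part of the original UCR page: check the local account
# policy against the thresholds listed above, and test a candidate password
# against the listed characteristics. Run in an elevated PowerShell session.

# Thresholds taken from the recommendations on this page.
$Policy = @{
    MinimumPasswordLength = 8
    LockoutThreshold      = 5    # invalid logon attempts before lockout
    MaximumPasswordAge    = 60   # days
    MinimumPasswordAge    = 2    # days (the page suggests two or three)
}

function Get-LocalAccountPolicy {
    # Parse `net accounts` output ("Minimum password length:   7") into a hashtable.
    $settings = @{}
    foreach ($line in (net accounts)) {
        if ($line -match '^(?<name>[^:]+?):\s+(?<value>\S.*)$') {
            $settings[$Matches.name.Trim()] = $Matches.value.Trim()
        }
    }
    return $settings
}

function ConvertTo-PolicyNumber([string]$Text) {
    # "Never", "Unlimited" and "None" have no numeric value; return $null so the
    # comparison below fails instead of silently passing.
    if ($Text -match '^\d+$') { return [int]$Text }
    return $null
}

function Test-AccountPolicyCompliance {
    param([hashtable]$Settings = (Get-LocalAccountPolicy))

    $minLen  = ConvertTo-PolicyNumber $Settings['Minimum password length']
    $lockout = ConvertTo-PolicyNumber $Settings['Lockout threshold']
    $maxAge  = ConvertTo-PolicyNumber $Settings['Maximum password age (days)']
    $minAge  = ConvertTo-PolicyNumber $Settings['Minimum password age (days)']

    $rows = @(
        @('Minimum password length',     $Settings['Minimum password length'],     ($null -ne $minLen  -and $minLen  -ge $Policy.MinimumPasswordLength)),
        @('Lockout threshold',           $Settings['Lockout threshold'],           ($null -ne $lockout -and $lockout -ge 1 -and $lockout -le $Policy.LockoutThreshold)),
        @('Maximum password age (days)', $Settings['Maximum password age (days)'], ($null -ne $maxAge  -and $maxAge  -le $Policy.MaximumPasswordAge)),
        @('Minimum password age (days)', $Settings['Minimum password age (days)'], ($null -ne $minAge  -and $minAge  -ge $Policy.MinimumPasswordAge))
    )
    foreach ($r in $rows) {
        [PSCustomObject]@{ Setting = $r[0]; Actual = $r[1]; Compliant = $r[2] }
    }
}

function Test-PasswordStrength {
    param(
        [Parameter(Mandatory)][string]$Password,
        # Constructed word list for illustration; load a real dictionary file in practice.
        [string[]]$Dictionary = @('password', 'welcome', 'riverside', 'summer', 'admin')
    )
    $failures = @()
    if ($Password.Length -lt $Policy.MinimumPasswordLength) {
        $failures += "fewer than $($Policy.MinimumPasswordLength) characters"
    }
    # All four character classes must appear (case-sensitive match for the letter classes).
    $classes = @('[A-Z]', '[a-z]', '[0-9]', '[^A-Za-z0-9]') | Where-Object { $Password -cmatch $_ }
    if (@($classes).Count -lt 4) {
        $failures += 'does not combine uppercase, lowercase, numeric and special characters'
    }
    foreach ($word in $Dictionary) {
        if ($Password -match [regex]::Escape($word)) {   # -match is case-insensitive
            $failures += "contains dictionary word '$word'"
            break
        }
    }
    [PSCustomObject]@{ Strong = ($failures.Count -eq 0); Failures = $failures }
}

Test-AccountPolicyCompliance | Format-Table -AutoSize
Test-PasswordStrength -Password 'Summer2024!'
Test-PasswordStrength -Password 'kT7#qv2!Lm'
```

`Test-AccountPolicyCompliance` treats "Never" and "Unlimited" as failures rather than as numbers, which is the case that matters most: a lockout threshold of "Never" is exactly what the fifth bullet above rules out.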

Provide at least a minimum level of physical security for all servers.

  • Every server should be behind a locked door with access limited to only those individuals who have a legitimate need for access.
  • When there is no one working at the server console, the console session should be either logged out or "locked" so that a password is required to gain access.
  • The server room should be arranged so that people outside the room cannot see the keyboard (and thus watch user or administrator passwords being typed).
  • Written evidence of user IDs and passwords should not be left lying around the server room.

Implement backup procedures for all systems.

  • Create and maintain backup copies of at least the data files on all servers. Backups should be created regularly using well-conceived procedures that include some form of off-site storage of backup media in case the facility is lost.
  • Create and maintain a current Emergency Repair Disk (ERD) for all systems.
  • Regularly test the restore procedures to verify that backups are valid and restorable.
  • Microsoft article on Backup/Recovery procedures: http://support.microsoft.com/default.aspx?scid=kb;en-us;q287061

Use up-to-date anti-virus software.

Anti-virus software on a server may not stop hacking attempts, but it can detect many of the "Trojan horse" programs that hackers often use to "sneak" into systems. After installing anti-virus software, make sure the virus signatures are updated routinely so that the software can detect all viruses, including the most recently discovered ones.

Block access to/from any unnecessary TCP/UDP ports.

There are over 65,000 TCP and UDP ports on any given server, most of which could become the path an attacker uses to gain unauthorized access. Use whatever means possible to block access to ports on the server that have no legitimate use. The most common and effective way to block access to these ports is a firewall. Firewalls can be separated into two categories:

Personal Firewall

A "personal" firewall can be installed on the server itself and can be extremely effective at blocking unwanted traffic to and from the server. Below is a list of a few such products:

Network Firewall

This type of firewall is placed on the campus network, between the server and the "rest of the world". The network firewall's job is to block access to/from any particular port on the server. Computing and Communications currently offers a firewall service.

Firewalls cannot prevent every type of attack, and they can be somewhat difficult to configure. Determining which ports to leave open for the traffic that IS wanted and which to block to filter the traffic that is NOT wanted can be a lengthy and tedious process.

Additional firewall information resources:

Enable security logging on all servers.

"Prevention is ideal, but detection is a must" is a commonly repeated axiom in the computer security world. Hence, security forensics is one of the many keys to securing Windows-based servers. "Turning on" the auditing features of a Windows-based server enhances an administrator's ability to determine how an attempted attack was carried out and to what extent, if at all, systems were compromised. Auditing can also help administrators detect unsuccessful attacks so that configuration changes can be made to defend against future attacks.

Enable logging of the following events:
  • Logon and Logoff - Success and Failure
  • File and Object Access - Failure only
  • Use of User Rights - Failure only
  • User and Group Management - Success and Failure
  • Security Policy Changes - Success and Failure
  • Restart, Shutdown and System - Success and Failure
  • Process Tracking - None
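The PowerShell below is an added example, not part of the original page. The category names listed above are the legacy Windows NT/2000 audit categories; `auditpol` on current Windows works per subcategory and uses different category names, so the script maps each page setting to its `auditpol` category, reads the effective policy as CSV with `auditpol /get /category:<name> /r`, and reports subcategories that audit less than recommended. The mapping table is this example's own. Run it in an elevated session.

```powershell
# Added example, not part of the original page: compare the effective audit
# policy with the settings listed above and, optionally, apply them. Run elevated.

# Page recommendation -> auditpol category name and required Success/Failure auditing.
$Required = @(
    @{ Page = 'Logon and Logoff';             Category = 'Logon/Logoff';      Success = $true;  Failure = $true  },
    @{ Page = 'File and Object Access';       Category = 'Object Access';      Success = $false; Failure = $true  },
    @{ Page = 'Use of User Rights';           Category = 'Privilege Use';      Success = $false; Failure = $true  },
    @{ Page = 'User and Group Management';    Category = 'Account Management'; Success = $true;  Failure = $true  },
    @{ Page = 'Security Policy Changes';      Category = 'Policy Change';      Success = $true;  Failure = $true  },
    @{ Page = 'Restart, Shutdown and System'; Category = 'System';             Success = $true;  Failure = $true  },
    @{ Page = 'Process Tracking';             Category = 'Detailed Tracking';  Success = $false; Failure = $false }
)

function Get-AuditCategorySettings {
    # One row per subcategory; "Inclusion Setting" is e.g. "Success and Failure",
    # "Failure" or "No Auditing".
    param([Parameter(Mandatory)][string]$Category)
    auditpol /get /category:"$Category" /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
}

function Test-AuditPolicyCompliance {
    foreach ($req in $Required) {
        foreach ($row in Get-AuditCategorySettings -Category $req.Category) {
            $setting    = $row.'Inclusion Setting'
            $hasSuccess = $setting -match 'Success'
            $hasFailure = $setting -match 'Failure'
            [PSCustomObject]@{
                PageSetting = $req.Page
                Subcategory = $row.Subcategory
                Actual      = $setting
                # Compliant when at least the recommended auditing is on; more auditing is allowed.
                Compliant   = ((-not $req.Success) -or $hasSuccess) -and ((-not $req.Failure) -or $hasFailure)
            }
        }
    }
}

function Set-RecommendedAuditPolicy {
    # Apply the page's settings at category level (every subcategory in it follows).
    foreach ($req in $Required) {
        $s = if ($req.Success) { 'enable' } else { 'disable' }
        $f = if ($req.Failure) { 'enable' } else { 'disable' }
        auditpol /set /category:"$($req.Category)" /success:$s /failure:$f | Out-Null
    }
}

# Report only the subcategories that fall short of the recommendation.
Test-AuditPolicyCompliance | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

`Set-RecommendedAuditPolicy` sets whole categories, which is what the NT-era list above describes; on a busy file server, failure auditing for every Object Access subcategory generates a lot of events, so after applying the baseline consider tuning individual subcategories with `auditpol /set /subcategory:<name>`.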

Note: Once auditing is enabled, make a habit of scanning the security logs on a regular basis. Doing so may reveal events that indicate an unsuccessful attack and provide the information required to stop future attacks.
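Two queries that support the regular log review recommended above, as an added PowerShell example that is not part of the original page. `Get-FailedLogonSummary` groups failed-logon events (ID 4625 on current Windows versions; the NT/2000 event numbers differ) by account and source address and reports pairs at or above the lockout threshold of five, while `Get-AccountManagementEvents` lists user creations, deletions and local-group membership changes (IDs 4720, 4726 and 4732), the changes an intruder with administrator rights would make. The time window and threshold are this example's assumptions. Run it in an elevated session.

```powershell
# Added example, not part of the original page: summarise the Security log
# events most relevant to the audit settings above. Run elevated.

function Get-EventDataTable {
    # Flatten an event's EventData section into a name -> value hashtable.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Get-FailedLogonSummary {
    # Account/source pairs with at least $Threshold failed logons in the last $Hours hours.
    param([int]$Hours = 24, [int]$Threshold = 5)   # 5 matches the lockout threshold above
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = Get-EventDataTable -Event $_
            [PSCustomObject]@{
                Account   = $d['TargetUserName']
                Source    = $d['IpAddress']
                LogonType = $d['LogonType']
            }
        } |
        Group-Object Account, Source |
        Where-Object { $_.Count -ge $Threshold } |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Account';   e = { $_.Group[0].Account } },
            @{ n = 'Source';    e = { $_.Group[0].Source } },
            @{ n = 'LogonType'; e = { $_.Group[0].LogonType } }
}

function Get-AccountManagementEvents {
    # User created (4720), user deleted (4726), member added to a local group (4732).
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4720, 4726, 4732; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = Get-EventDataTable -Event $_
        [PSCustomObject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            Actor  = $d['SubjectUserName']
            # For 4732 the member is in MemberName and TargetUserName holds the group.
            Target = if ($_.Id -eq 4732) { $d['MemberName'] } else { $d['TargetUserName'] }
            Group  = if ($_.Id -eq 4732) { $d['TargetUserName'] } else { $null }
        }
    }
}

Get-FailedLogonSummary | Format-Table -AutoSize
Get-AccountManagementEvents | Format-Table -AutoSize
```

Both functions depend on the audit settings above being in place: without "Logon and Logoff - Failure" there are no 4625 events to summarise, and without "User and Group Management - Success" the account changes are never recorded.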

Disable any unnecessary services.

If a default installation is performed, Windows servers are configured to run many services that may not be required. Running services that aren't needed is like having doors in a house that no one ever goes through. Why risk someone "breaking in" when the "door" can be eliminated altogether? Examine each server, look at each service that is running, and ask "Is this service really needed?" If the answer is "no", disable or remove the service.

A freeware tool from Foundstone (a computer security company) called Vision can help identify the services running on the server and the TCP/UDP ports with which they are associated.

The article referenced below can help determine which services are needed and which are not:

Default Services Required for Internet Information Server Services:

https://www.iis.net/configreference/system.applicationhost/sites/sitedefaults
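An added PowerShell example, not part of the original page and not the Foundstone tool it mentions, that produces the same kind of inventory Vision did: every listening TCP and UDP port, the process that owns it and any Windows services hosted in that process (several services often share one `svchost.exe`). It uses `Get-NetTCPConnection` and `Get-NetUDPEndpoint`, available on Windows Server 2012 and later; run it in an elevated session so other users' processes are visible.

```powershell
# Added example, not part of the original page: map listening ports to the
# owning process and service so that unneeded services can be identified.

function Get-ListeningPortInventory {
    # Map process ID -> service names, since several services can share one svchost.
    $servicesByPid = @{}
    foreach ($svc in Get-CimInstance -ClassName Win32_Service | Where-Object { $_.ProcessId -gt 0 }) {
        $servicesByPid[[int]$svc.ProcessId] += @($svc.Name)
    }

    $tcp = Get-NetTCPConnection -State Listen |
        Select-Object @{ n = 'Protocol'; e = { 'TCP' } }, LocalAddress, LocalPort, OwningProcess
    $udp = Get-NetUDPEndpoint |
        Select-Object @{ n = 'Protocol'; e = { 'UDP' } }, LocalAddress, LocalPort, OwningProcess

    foreach ($ep in (@($tcp) + @($udp))) {
        $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Protocol = $ep.Protocol
            Address  = $ep.LocalAddress
            Port     = $ep.LocalPort
            PID      = $ep.OwningProcess
            Process  = if ($proc) { $proc.ProcessName } else { '(unknown)' }
            Services = ($servicesByPid[[int]$ep.OwningProcess] -join ', ')
        }
    }
}

function Disable-UnneededService {
    # Stop a service and keep it from starting again. Run elevated, one service at a
    # time, after checking nothing depends on it (Get-Service -Name X -DependentServices).
    param([Parameter(Mandatory)][string]$Name)
    Stop-Service -Name $Name -Force
    Set-Service -Name $Name -StartupType Disabled
}

Get-ListeningPortInventory | Sort-Object Protocol, Port | Format-Table -AutoSize
```

Read the output with the question from the text in mind: each row is a "door", and any row whose service cannot be tied to a legitimate use of the server is a candidate for `Disable-UnneededService`.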

Disable anonymous user account enumeration.

By default on all Windows systems, a "user" can log on without a user name and password and then list all of the user account names and shares. This can also give an attacker the information needed to determine which listed accounts have administrator privileges and which resources are shared. This security "hole" has been used in the past against campus servers to give hackers a list of server usernames, including information about which accounts have administrator privileges. Disabling anonymous enumeration of accounts and shares will help prevent the loss of data and increase the security of the servers.
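The anonymous ("null session") enumeration described above is controlled by DWORD values under the LSA registry key, which correspond to the "Network access:" options in Local Security Policy. The PowerShell below is an added example, not part of the original page, that audits those values and applies the restrictive settings; the expected values and the defaults assumed for missing values are this example's own.

```powershell
# Added example, not part of the original page: audit and enforce the LSA values
# that restrict anonymous enumeration of accounts and shares. Run elevated.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Restrictive settings: no anonymous enumeration of SAM accounts or shares, and
# permissions granted to Everyone do not apply to anonymous connections.
$Expected = @{
    RestrictAnonymous         = 1
    RestrictAnonymousSAM      = 1
    EveryoneIncludesAnonymous = 0
}

# Value assumed when the registry entry is absent (current Windows defaults).
$Defaults = @{
    RestrictAnonymous         = 0
    RestrictAnonymousSAM      = 1
    EveryoneIncludesAnonymous = 0
}

function Test-AnonymousEnumerationSettings {
    $current = Get-ItemProperty -Path $LsaKey
    foreach ($name in $Expected.Keys) {
        $present = $null -ne $current.$name
        $actual  = if ($present) { [int]$current.$name } else { $Defaults[$name] }
        [PSCustomObject]@{
            Setting   = $name
            Expected  = $Expected[$name]
            Actual    = if ($present) { $actual } else { "$actual (not set, default)" }
            Compliant = ($actual -eq $Expected[$name])
        }
    }
}

function Set-AnonymousEnumerationSettings {
    # Write the restrictive values. New anonymous sessions honour them; reboot to be certain.
    foreach ($name in $Expected.Keys) {
        Set-ItemProperty -Path $LsaKey -Name $name -Value $Expected[$name] -Type DWord
    }
}

Test-AnonymousEnumerationSettings | Format-Table -AutoSize
```

Check the result against applications first: a few legacy services rely on anonymous share enumeration, and `RestrictAnonymous = 1` will break them, which is why the test function is separate from the one that makes the change.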

Use NTFS.

All Windows NT and Windows 2000 systems should be formatted with NTFS rather than FAT or FAT32. Neither FAT nor FAT32 provides file-level security, and using them represents a substantial risk of compromise.

Subscribe to e-mail lists that focus on security.

Subscribe to one or more of the many periodicals that discuss security related issues:

Other

  • Visit security-focused web sites on a regular basis.
  • Use checklists to provide a reminder on what steps should be taken and when.
  • Create written procedures for all security related activities so that others can complete important security tasks if the primary administrators are away.

Summary

The most important idea to take away from this information is this: securing Windows-based servers is a journey, not a destination. There will never be a point at which anyone can stop and say "This is finished now -- all of my servers are secure". Computer security means staying constantly vigilant, both proactively and reactively. Here are some tips:

To learn more about Windows security, see the included links to some very informative web resources:
