Vulnerability and patch management
Unpatched systems are a soft target: attackers exploit publicly known vulnerabilities in them to gain unauthorized privileges. Systems should be kept current with the latest patches and updates for the operating system, the applications and any other software running on them. Patches are generally available from the vendor's site and should first be tested for unwanted side effects before they are applied to production systems.
To automate the process and make patch management less cumbersome, WSUS (Windows Server Update Services) can be used. With WSUS, the deployment of Microsoft patches, hotfixes and updates to multiple systems can be managed with relative ease, and WSUS also reports the patch status of each system in the network. Note that WSUS only distributes updates for Microsoft products; third-party software on the server still needs its own update process.
In addition, systems should be periodically assessed for vulnerabilities caused by missing patches or misconfigurations. For this purpose the Microsoft Baseline Security Analyzer (MBSA) tool can be installed on the Windows 2008 server. MBSA checks the target system for missing security updates and common misconfigurations and lists the remediation measures that can be implemented to close such gaps. MBSA can be downloaded from www.microsoft.com.
Fig 2: The MBSA tool
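The two checks above (is the host actually pointed at WSUS, and which applicable updates are still missing) can be scripted for a scheduled task or a monitoring job. The script below is an added example and is not part of the original article or of WSUS/MBSA. It assumes an elevated PowerShell session on a Windows Server 2008 host with the Windows Update Agent present, uses PowerShell 2.0 syntax, and relies on the documented WSUS policy registry keys and the Microsoft.Update.Session COM API; the exit-code convention is the script's own.

```powershell
# Added example, not from the original article.
# Reports where this host gets updates from and which applicable updates
# are missing. Assumes: elevated session, Windows Server 2008, WUA COM API
# available, PowerShell 2.0 syntax (no PS 3.0+ features).

$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# 1. Where does Automatic Updates point? A managed host should have
#    UseWUServer = 1 under the AU key and WUServer set to the internal WSUS URL.
$useWsus  = 0
$wuServer = '(none)'
if (Test-Path "$wuPolicy\AU") {
    $au = Get-ItemProperty "$wuPolicy\AU"
    if ($au.UseWUServer) { $useWsus = [int]$au.UseWUServer }
}
if (Test-Path $wuPolicy) {
    $wu = Get-ItemProperty $wuPolicy
    if ($wu.WUServer) { $wuServer = $wu.WUServer }
}
if ($useWsus -eq 1) {
    Write-Host "Updates are managed by WSUS at $wuServer"
} else {
    Write-Host 'WARNING: no WSUS server configured; host updates directly from Microsoft, or not at all'
}

# 2. Ask the Windows Update Agent which applicable updates are not installed.
#    The criteria string follows the WUA search syntax; Type='Software'
#    excludes driver updates and IsHidden=0 skips updates an admin has hidden.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

$missing = @()
foreach ($update in $result.Updates) {
    $kb = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
    $missing += New-Object PSObject -Property @{
        KB       = $kb
        Severity = $update.MsrcSeverity   # Critical/Important/Moderate/Low, or empty
        Title    = $update.Title
    }
}

Write-Host ("{0} applicable update(s) missing" -f $missing.Count)
$missing | Sort-Object Severity | Format-Table KB, Severity, Title -AutoSize

# 3. Script-defined convention: any outstanding Critical update is a failed
#    check, so the exit code can drive a scheduled task or monitoring alert.
$critical = @($missing | Where-Object { $_.Severity -eq 'Critical' })
if ($critical.Count -gt 0) {
    Write-Host "FAIL: $($critical.Count) Critical update(s) outstanding"
    exit 1
}
exit 0
```

Run it before and after a WSUS approval cycle and compare the output; a host that reports no WSUS server but also no missing updates is usually one that cannot reach the update source at all rather than one that is fully patched, so the first check matters as much as the second.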
Other tools such as Nessus (www.tenablesecurity.com) can also be used for the periodic vulnerability assessment of critical systems. The vendor website describes Nessus as: "The Nessus® vulnerability scanner is the world-leader in active scanners, featuring high-speed discovery, configuration auditing, asset profiling, sensitive data discovery and vulnerability analysis of your security posture. Nessus scanners can be distributed throughout an entire enterprise, inside DMZs and across physically separate networks."
Nessus is free for non-commercial usage.
Disabling insecure user accounts
Publicly known user accounts are an easy target for attackers trying to break into servers through brute-force (password-guessing) attacks, since one half of the puzzle (the username) is already known. A Windows 2008 server installation creates two accounts by default: Administrator and Guest. To mitigate the risk of an attacker enumerating and breaking into these well-known accounts, ensure that the Guest account remains disabled (it is disabled by default). Also consider disabling, or at least renaming, the Administrator account: it is the super-user account, and no other security measure holds if it is compromised. Renaming is only a partial measure, because the built-in Administrator keeps its well-known relative identifier (RID 500) and can still be found by an attacker who enumerates accounts by SID, and the built-in account is never locked out by the account lockout policy. Specific named user accounts should be created for administration purposes and assigned the appropriate privileges. If there are multiple system administrators, create a uniquely named account for each of them. This also establishes accountability in the audit trail, since multiple administrators no longer share the "administrator" account.
Fig 3: Computer Management
User accounts can be managed through the Local Users and Groups node of Computer Management, which can be accessed from Control Panel under the Administrative Tools menu.
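The same account changes can be scripted, which is useful when the hardening has to be repeated on several servers. The script below is an added example, not code from the original article or from Microsoft. It uses the ADSI WinNT provider and WMI because the PowerShell available for Windows Server 2008 has no local-account cmdlets; it assumes an elevated session, and the account name jdoe-admin and the rename target svc-breakglass are illustrative placeholders. The RID 500 lookup also demonstrates the caveat from the text: the built-in Administrator is identifiable by SID no matter what it has been renamed to.

```powershell
# Added example, not from the original article.
# Assumes an elevated PowerShell session on Windows Server 2008 (PowerShell
# 2.0 syntax, ADSI WinNT provider and WMI; no Get-LocalUser cmdlets).
# 'jdoe-admin' and 'svc-breakglass' are placeholder names.

$computerPath = "WinNT://$env:COMPUTERNAME"
$computer     = [ADSI]$computerPath

function Test-LocalUserExists([string]$name) {
    return [System.DirectoryServices.DirectoryEntry]::Exists("$computerPath/$name,user")
}

# 1. Make sure Guest is disabled. AccountDisabled is the IADsUser property;
#    psbase is used so this works on PowerShell 1.0/2.0 as well.
$guest = [ADSI]"$computerPath/Guest,user"
if (-not $guest.psbase.InvokeGet('AccountDisabled')) {
    $guest.psbase.InvokeSet('AccountDisabled', $true)
    $guest.psbase.CommitChanges()
    Write-Host 'Guest account was enabled; it has now been disabled'
} else {
    Write-Host 'Guest account is disabled'
}

# 2. Find the built-in Administrator by its well-known RID (SID ends in -500),
#    regardless of its current name. This is exactly what an attacker who
#    enumerates accounts by SID does, which is why renaming alone is not enough.
$builtinAdmin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { $_.SID -like '*-500' }
Write-Host ("Built-in Administrator (RID 500) is named '{0}', disabled: {1}" -f `
    $builtinAdmin.Name, $builtinAdmin.Disabled)

# 3. Rename it if it still carries the default name.
if ($builtinAdmin.Name -eq 'Administrator') {
    $admin = [ADSI]"$computerPath/Administrator,user"
    $admin.psbase.Rename('svc-breakglass')
    Write-Host 'Renamed built-in Administrator to svc-breakglass'
}

# 4. Create a named administrator account and put it in the local
#    Administrators group, so each admin has an account of their own.
$newName = 'jdoe-admin'
if (-not (Test-LocalUserExists $newName)) {
    $secure = Read-Host -AsSecureString "Initial password for $newName"
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    $plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

    $user = $computer.Create('User', $newName)
    $user.SetPassword($plain)
    $user.SetInfo()
    $user.Description = 'Named administrator account (replaces shared Administrator use)'
    $user.SetInfo()

    $admins = [ADSI]"$computerPath/Administrators,group"
    $admins.Add($user.Path)
    Write-Host "Created $newName and added it to Administrators"
} else {
    Write-Host "$newName already exists"
}

# 5. Final state of the accounts that matter.
Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Select-Object Name, SID, Disabled | Format-Table -AutoSize
```

Only disable the built-in Administrator once at least one named administrator account has been created and verified to log on, otherwise the server can be locked out of local administration.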
Malicious Code protection through Windows 2008 NAP
Windows 2008 NAP (Network Access Protection) monitors and assesses the "health" of hosts in a network to determine their level of compliance with the configured health policy. NAP ensures that vulnerable or infected systems do not become a launch pad for a more widespread attack or malicious-code outbreak. Depending on how NAP has been configured, it can do the following:
- Quarantine a non-compliant system, effectively stopping it from communicating with any other host on the network until it is manually updated.
- Update the antivirus signatures, hotfixes and patches on the non-compliant host and then allow it to regain network access. To update non-compliant systems, NAP redirects them to a "remediation server" which assists in deploying the latest antivirus updates, software patches and so on.
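For NAP to restrict or remediate a host, the host itself has to be running the NAP Agent service and have an enforcement client enabled; an NPS health policy on the server does nothing for a client that never reports its health. The commands below are an added example, not from the original article or from Microsoft documentation, showing the client-side enablement and a check of the resulting state. They assume an elevated session on a Windows Server 2008 or Vista host, an NPS server that has already been configured for DHCP enforcement, and that the "Restriction state" line in the netsh output reads as assumed in the comment (the parsing of that output is the script's own).

```powershell
# Added example, not from the original article.
# Client-side NAP enablement on Windows Server 2008 / Vista. Assumes an
# elevated session and an already configured NPS health policy server.

# 1. The NAP Agent service (napagent) collects the host's health statement;
#    without it the host can neither be evaluated nor remediated.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# 2. Enable the enforcement client that matches the server-side design.
#    NAP has no PowerShell cmdlets on this platform, so netsh is used.
#    79617 = DHCP quarantine enforcement client, 79619 = IPsec relying party.
netsh nap client set enforcement id=79617 admin=enable

# 3. Inspect the result: which enforcement clients are on and whether the
#    host is currently restricted.
netsh nap client show configuration
$state = netsh nap client show state
$state

# Assumption about the output format: a line such as
#   Restriction state : Restricted   (or "Not restricted")
# Case-sensitive match so "Not restricted" is not mistaken for "Restricted".
if ($state -cmatch 'Restriction state\s*:\s*Restricted') {
    Write-Host 'Host is in the restricted network; remediation is pending'
} else {
    Write-Host 'Host is not restricted'
}
```

If the server uses IPsec rather than DHCP enforcement, enable id 79619 instead; DHCP enforcement is the easiest to deploy but a client with a static IP address bypasses it, so it should be treated as a compliance aid rather than a security boundary.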
This concludes the two-article series on hardening Windows 2008 server. Remember, for optimal security it is best to begin implementing hardening procedures at the installation stage. Once the hardening procedures are in place, diligent system and security administrators continue to periodically assess their systems for vulnerabilities and apply the appropriate remediation measures.