Configure Local Security Policy on Windows Server Core

To set the account policy and local security policy on a Windows Server Core system, you must first create a security template on a full Windows Server installation and then apply these settings to the Windows Server Core system:

On the reference server (i.e. a full Windows Server installation)

  1. From the Start menu, enter secpol.msc in the Start Search box and hit Enter to launch the Local Security Policy snap-in on the reference system.
  2. Configure the security policies according to your needs, then right-click Security Settings and click Export policy to save this as a security template.

On the Server Core server

  1. Copy the newly created security template from the reference server to the Server Core system.
  2. Run the following command to apply the security policy to the Server Core system:
    secedit /configure /cfg <Policy File Name> /db secedit.sdb
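
The Server Core steps above can be wrapped in a script that validates the template, keeps a copy of the current policy, applies the template and then checks the result. This is an added example, not part of the original article; it assumes PowerShell is installed on the Server Core system, and the paths and file names are placeholders.

```powershell
# Added example (not from the original article). Run from an elevated prompt.
# All paths and file names below are assumptions; adjust them to your environment.
$Template = 'C:\Temp\baseline.inf'                  # template copied from the reference server
$WorkDir  = 'C:\Temp\secedit'
$Stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$Database = Join-Path $WorkDir "apply-$Stamp.sdb"   # fresh database, so older imports are not merged in
$Log      = Join-Path $WorkDir "apply-$Stamp.log"
$Before   = Join-Path $WorkDir "before-$Stamp.inf"
$After    = Join-Path $WorkDir "after-$Stamp.inf"

# Read "key = value" pairs from one section of a security template (.inf).
function Read-InfSection {
    param([string]$Path, [string]$Section)
    $values    = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $Path) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq $Section)
            continue
        }
        if ($inSection -and $line -match '^([^=;]+?)\s*=\s*(.*)$') {
            $values[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $values
}

if (-not (Test-Path $Template)) { throw "Template not found: $Template" }
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Syntax-check the template before touching the system.
secedit /validate $Template
if ($LASTEXITCODE -ne 0) { throw "Template failed validation: $Template" }

# 2. Keep a copy of the current policy so the change can be reviewed or reverted.
secedit /export /cfg $Before /quiet

# 3. Apply the template (same command as in the article, plus a log file).
secedit /configure /db $Database /cfg $Template /log $Log /quiet
if ($LASTEXITCODE -ne 0) {
    Write-Warning "secedit returned exit code $LASTEXITCODE; review $Log"
}

# 4. Export the policy again and compare the account policy values with the template.
secedit /export /cfg $After /quiet
$wanted = Read-InfSection -Path $Template -Section 'System Access'
$actual = Read-InfSection -Path $After    -Section 'System Access'
$mismatches = 0
foreach ($key in $wanted.Keys) {
    if ($actual[$key] -ne $wanted[$key]) {
        $mismatches++
        Write-Warning ("{0}: template={1} effective={2}" -f $key, $wanted[$key], $actual[$key])
    }
}
Write-Host "Compared $($wanted.Count) [System Access] settings; $mismatches differ."
```

On a domain member, account policy settings delivered by domain Group Policy take precedence over the local template, so a mismatch reported here may be expected.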

Install an SSL Certificate using IIS 7

To install an SSL certificate in IIS, you first need to issue a certificate for your web server. To do this, select the web server root node in the navigation tree of the management console, and then select the Server Certificates feature, as shown below:

SSL Certificate IIS

After selecting Server Certificates, the IIS management console lists all the server certificates installed on the web server (see below). The first thing to note is that in IIS 7 you can install multiple server certificates on one web server, which can be used for multiple websites set up on the web server (previous IIS versions allowed you to install only one server certificate per web server).

SSL Certificate IIS
In the Server Certificates feature details view in the IIS Management Console, the task pane on the right side shows the tasks needed for installing server certificates. You can automatically create a certificate request that you can then use to request a new certificate from a CA. To create a new request, click the Create Certificate Request task link on the pane; this creates the same Base64-encoded request as in previous versions of IIS. Use this Base64-encoded request file to submit your request to the CA. After retrieving the certificate from the CA, you complete the pending request by clicking the Complete Certificate Request link. In this way you can both request and configure an SSL certificate for a standalone web server. If you need to request an SSL certificate for your own CA, use the Online Certification Authority wizard by clicking the Create Domain Certificate link. This certificate will then be configured in your own CA and will be used for signing certificates issued by this CA.

This process is quite laborious if you are a developer who just wants to test SSL with your own web apps. Therefore, IIS 7 ships with an additional option: creating a self-signed certificate for just your own machine. Just click the Create a Self-Signed Certificate link in the console; all you need to specify is a friendly name, which will be displayed in the listing. The wizard creates a certificate by using the cryptographic functions of your local machine and automatically installs the certificate in your web server.
Continues…

Windows Server File Level Security

Files on Windows Server are only as secure as their permissions. It is therefore essential to know that Windows Server 2008 R2 does not give the Everyone group full control at the NTFS level or the share level. Additionally, important system files and directories are secured to prevent unauthorized access. This is a definite improvement over previous versions of Windows Server, but a solid understanding of file-level security is still important to fully ensure the security of files on Windows Server.

Understanding NT File System (NTFS) Security

Windows Server 2008 R2 ships with the latest revision of NTFS (NT File System). Each object referenced in NTFS, including files and folders, is marked by an ACE (access control entry) that physically limits the users that can access a resource. NTFS permissions use this concept to control read, write, and other types of access to files. File servers should make use of NTFS-level permissions, and all directories should have their file-level permissions examined to ascertain whether there are holes in the NTFS permission set. Modifying NTFS permissions in Windows Server 2008 R2 is a simple process; follow the steps below:

  1. Right-click the file or folder to which the security will be applied, and select Properties.
  2. Click the Security tab.
  3. Click Advanced.
  4. Click Change Permissions.
  5. Uncheck Include Inheritable Permissions from This Object’s Parent.
  6. When prompted about the use of parent permissions, click Remove.
  7. When in the Advanced dialog box, click Add to grant access to the users and/or groups who require access to the files or folders.
  8. Check the Replace All Child Object Permissions with Inheritable Permissions from This Object checkbox. Click OK.
  9. When prompted regarding replacing security on child objects, hit Yes to replace the child object security.
  10. Click OK, and finally click OK again to close Properties.
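
The same ten steps can be scripted and then checked for the kind of holes mentioned above. This is an added example, not part of the original article; the folder path and the CONTOSO\Finance-Users group are hypothetical placeholders, and it assumes an elevated PowerShell prompt.

```powershell
# Added example (not from the original article). Run from an elevated prompt.
# $Folder and the CONTOSO\Finance-Users group are hypothetical placeholders.
$Folder = 'D:\Shares\Finance'
$Grants = @{
    'BUILTIN\Administrators' = 'FullControl'   # keep an administrative entry, or the folder becomes unmanageable
    'NT AUTHORITY\SYSTEM'    = 'FullControl'
    'CONTOSO\Finance-Users'  = 'Modify'
}

if (-not (Test-Path -LiteralPath $Folder -PathType Container)) {
    throw "Folder not found: $Folder"
}

$item = Get-Item -LiteralPath $Folder
$acl  = $item.GetAccessControl('Access')

# Steps 5-6: stop inheriting from the parent and discard the inherited entries.
$acl.SetAccessRuleProtection($true, $false)

# Step 7: add explicit entries that flow down to subfolders and files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
foreach ($identity in $Grants.Keys) {
    $rights = [System.Security.AccessControl.FileSystemRights]$Grants[$identity]
    $rule   = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $identity, $rights, $inherit, $none, $allow
    $acl.AddAccessRule($rule)
}
$item.SetAccessControl($acl)

# Steps 8-9: replace the ACLs on existing child objects with entries inherited from this folder.
if (Get-ChildItem -LiteralPath $Folder -Force) {
    icacls (Join-Path $Folder '*') /reset /T /C /Q
    if ($LASTEXITCODE -ne 0) { Write-Warning 'icacls could not reset every child object.' }
}

# Check: list the resulting entries and flag broad principals that often indicate a hole.
$broad  = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$result = (Get-Item -LiteralPath $Folder).GetAccessControl('Access')
$result.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) | ForEach-Object {
    New-Object PSObject -Property @{
        Identity  = $_.IdentityReference.Value
        Rights    = $_.FileSystemRights
        Inherited = $_.IsInherited
        Broad     = ($broad -contains $_.IdentityReference.Value)
    }
} | Format-Table Identity, Rights, Inherited, Broad -AutoSize
```

Explicit entries that already existed on the folder are kept, as they are in the GUI procedure, so a row with Broad set to True after the run is an entry to review by hand.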

Share-Level Security Versus NTFS Security

Previous versions of Windows Server security used share-level permissions that were independently set. Continues…

Windows Intune Review

Windows Intune is a new product from Microsoft which is designed for system admins to manage and secure PCs across an enterprise.

Windows Server administrators have numerous tools to manage a network of servers (for example, security patches etc. can be managed in-house using WSUS), however for managing individual PCs spread across multiple locations in the enterprise.

Intune is a cloud-based solution, allowing administrators to log on to the Intune online portal and manage remote PCs. Note that every remote PC which is being administered from Intune will need to have the Intune client installed.

Intune can perform the roles below:

  • Manage Updates: Manage the deployment of Windows OS updates and service packs to remote PCs.
  • Protect PCs from malware: Helps safeguard the enterprise’s PCs from the latest threats with centralized protection built using the Microsoft Malware Protection Engine, Microsoft Forefront Endpoint Protection and Microsoft Security Essentials.
  • Proactively monitor PCs: Get alerts on updates and threats to proactively identify and resolve problems on PCs.
  • Provide remote assistance: Resolve PC issues using remote assistance.
  • Track hardware and software inventory: Track the hardware and software assets used in the enterprise to efficiently manage your assets, licenses, and compliance.
  • Set global security policies: Centrally manage updates as well as firewall and malware protection settings across the enterprise, even on remote machines outside the corporate network.

Requirements are quite minimal: client PCs need Windows XP or higher, and administrators need a browser that supports Silverlight 2 to access the online portal.

Getting Started Using Windows Intune

The first screen you are presented with after logging into the Intune online portal is the Overview screen, which provides a summary of PC system status across the enterprise.

Windows Intune Overview Page

Clicking on the Computers link on the left gives a listing of the computers which are being administered using Windows Intune. PCs can also be grouped for the purposes of administration.

Windows Intune Computers Listing


Selecting one of the computers in the listing provides the full details of the hardware and software specs of the PC as well as the system updates applied.

PC System Details

Intune will show a listing of all the software products installed across the enterprise’s PCs.

Listing of Software Installed across all the enterprise’s PCs

From the Intune online portal, admins can assign updates for distribution to PCs connected to Intune. Click on security updates for a listing of all updates for the various Windows OSs on the PCs connected via Intune. The patches can be reviewed and then approved for distribution to PCs.

Windows Intune

Intune provides built-in protection against malware (such as trojans, spyware, rootkits and viruses) using the Microsoft Malware Protection Engine. PCs will automatically be protected via Intune with no intervention required from the administrator. In the event an attack is detected, the malware engine will attempt to block the attack and report the events on the Alerts Overview page of the Intune portal.

Security policies can be set for managed PCs using the Policy Overview page. A security policy allows you to create new policy settings based on simple template-based configurations. The template agent allows administrators to create standard policies to configure security updates, firewall policies and malware protection.

A common issue for administrators is diagnosing and fixing issues on remote PCs. Windows Intune allows admins to remotely access, diagnose and fix problems on PCs managed by Intune.

The Windows Intune Center, which will be installed on client PCs, allows the admin to remotely take control of the client desktop (after the client grants permission) via Microsoft Easy Assist.

In addition, the PC user will also be able to check the status of Windows Updates and scan their PC or attached storage for malware from their native Windows Intune Center.

Windows Intune Center
Microsoft Windows Intune Center

Overall, Intune is a capable offering from Microsoft. It will offer admins a simple and efficient way to manage PCs across an enterprise. However, the product does still have some shortcomings, such as the lack of an ability to manage software application distributions and versioning across managed PCs.

Windows Server Update Services – Installing WSUS

A major issue with security on Windows Server installations is the difficulty of keeping all servers up to date with the latest security patches and fixes. The Windows Update service, which allows for automatic download and installation of security fixes, is really only suitable for smaller enterprises; large enterprises with numerous Windows Server installations do not want the bandwidth and overhead of having each server run its own individual update. Windows Server Update Services (WSUS) is a free download from Microsoft which effectively gives enterprises their own, independent Windows Update server. Clients then connect to the central intranet WSUS server for all security patches and OS updates.

Windows Server Update Services (WSUS) Requirements

It is optimal to install WSUS on a dedicated server, but it can also be installed on a Windows Server 2008 R2 server that is running other tasks, provided the server is running Internet Information Services (IIS). The following are the minimum requirements for WSUS:

  • Windows Server 2003 SP1 or higher
  • Background Intelligent Transfer Service (BITS)
  • Internet Information Services (IIS)
  • Windows Internal Database role or, alternatively, SQL Server 2005 (or higher) installed locally or on a remote server
  • .NET Framework 2.0 or higher

Installing WSUS on Windows Server 2008 R2

WSUS installation is a simple process as it is installed as a server role from Server Manager. The below steps install Windows Server Update Services plus all required components.
To complete the initial installation of WSUS, follow these steps:

  1. Launch the Server Manager.
  2. On the Roles Summary pane, select Add Roles to launch the wizard and click Next.
  3. Select Windows Server Update Services, and then click Next.
  4. Next, the Add Role Services and Features Required for Windows Server Update Services window will prompt you for additional components to be installed, if necessary. The required components are the IIS web server and management tools, the Windows Process Activation Service Process Model, and the .NET Framework. Once this is complete, click Add Required Role Services to continue and then click Next.
  5. Read the Introduction to Web Server (IIS) overview (if necessary) and then click Next.
  6. Hit Next to select the default role services to install for IIS.
  7. Read the Introduction to Windows Server Update Services overview (if necessary) and then click Next.
  8. After reading the summary of installation selections, click Install.
  9. The Server Manager will show “Searching for Updates” and “Downloading” while it connects to Microsoft’s server and downloads WSUS. It will also install IIS and the Windows Process Activation Service, if required.
  10. The Windows Server Update Services Setup Wizard is displayed as the installation progresses. Click Next.
  11. Read and accept the license agreement for WSUS, and then click Next.
  12. If alerted that Report Viewer 2005 is not installed just click Next to continue with the installation (note that some reports will be unavailable without Report Viewer installed).
  13. Select the Store Updates Locally check box, and then enter a location to store them. This location needs to be large enough to hold a large number of downloadable patches. Click Next.
  14. Select Install the Windows Internal Database on This Computer, or alternatively, Use an Existing Database Server on a Remote Computer if you wish to use a remote SQL Server.
  15. Select to Use the Existing IIS Web Site and then click Next to continue with the installation.
  16. Review the security settings on the Ready to Install page and then Click Next.
  17. The installation then completes in the Server Manager and, once the Finish button is clicked, the WSUS Configuration Wizard is shown. Review the information and then click Next.
  18. Click Next to sign up to the Microsoft Update Improvement Program.
  19. Select Synchronize from Microsoft Update, and then click Next.
  20. If necessary, configure your proxy server settings and then click Next.
  21. Click on Start Connecting to save your settings and download update information. This process can take several minutes. Then click Next.
  22. Select the preferred update language(s), and then click Next.
  23. Select the products which you want to have updates for, and click Next.
  24. Select the classifications of the updates that you wish to download, and click Next.
  25. Set the schedule on which you want WSUS to automatically synchronize with the Microsoft Update servers, or alternatively select Synchronize Manually. Click Next.
  26. Make sure that Begin Initial Synchronization is selected, and then click Finish.
  27. Finally, review the installation results, click Close, and then close the Server Manager.

Windows Server Update Services is administered from the WSUS MMC, which is the main location for all the configuration settings for WSUS and is its only administrative console. The WSUS MMC is located at Administrative Tools > Microsoft Windows Server Update Services 3.0 SP1, or can be directly accessed from Server Manager.

Integrated Windows Firewall with Advanced Security in Windows Server 2008 R2

The integrated firewall that is included with Windows Server 2008 R2, which is turned on by default, is vastly improved over the integrated firewall in previous versions. The firewall is administered from an MMC snap-in, shown below (accessible at Start > All Programs > Administrative Tools > Windows Firewall with Advanced Security), and provides unprecedented security and control on a server.

Windows Firewall with Advanced Features MMC Snap in

The new firewall with advanced security is now fully integrated into the Server Manager utility and also the Server Roles Wizard. If, for example, an admin runs the Server Roles Wizard and elects to make the server a file server, the ports and protocols which are required for file server access are only then opened on the server.

Most Windows Server admins instinctively disable software firewalls on servers, due to the numerous problems with this functionality in the past. This approach is, however, not recommended in Windows Server 2008 R2, as the product is now tightly integrated with the firewall, and the firewall provides a much higher level of security than in previous versions of Windows Server.

Creating Outbound and Inbound Rules with Windows Firewall

In some instances, when a third-party app isn’t integrated with Server Manager, or when the need arises to open specific individual ports, it may be necessary to create firewall rules so that individual services run properly. Both inbound rules (i.e. addressing traffic coming to the server) and outbound rules (i.e. addressing the server’s outward communication) can be created with the Windows Firewall. These rules can be based on the factors below:

  • Program—A rule which allows access for a specific program executable can be created. For example, you could specify that the c:\Program Files\XYZ Program\xyzprogram.exe file has full outbound access when it is running. Windows Firewall will then allow any type of connection made by that program full access. This is useful in scenarios where a specific application server uses multiple varied ports, but the overarching security that the firewall provides is still required.
  • Port—Entering a traditional TCP or UDP port in the Add Rules Wizard is supported, which covers traditional scenarios like the requirement to open Port 8787 on the server.
  • Predefined—Windows Server also ships with predefined rules, such as those which allow AD DS, DFS, BITS, HTTP, and many more. The advantage of using these predefined rules is that Microsoft has performed all the work in advance, and it will be much more straightforward to allow a specific service.
  • Custom—Custom rule types not covered in the other categories can also be created.

For example, the steps below show how to create an inbound rule to allow a custom app to use TCP Port 8787 for inbound communication:

  1. Start the Windows Firewall MMC (Start > All Programs > Administrative Tools > Windows Firewall with Advanced Security).
  2. Select the Inbound Rules node in the node panel.
  3. On the Actions pane, select the New Rule link.
  4. On the Rule Type page of the New Inbound Rule Wizard, select Port to create a rule based on the port, and then click Next.
  5. On the Protocol and Ports page, select TCP, enter 8787 in the Specific Local Ports field, and then click Next.
  6. Select Allow to enable the connection on the Action page. The Action page of the New Inbound Rule Wizard also enables a rule to be configured which will only allow a connection secured using IPSec technologies.
  7. On the Profile page, check all three check boxes. This page enables an admin to specify that a rule will only apply when connected to specific networks. Then click Next.
  8. Enter a name for the rule, and then click Finish to complete the process.
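
The same inbound rule can be created from the command line with netsh, which is the route available on a Server Core system. This is an added example, not part of the original article; the rule name, the $RemoteScope setting and the $RequireIPsec switch are assumptions introduced for illustration, and it assumes an elevated PowerShell prompt.

```powershell
# Added example (not from the original article). Run from an elevated prompt.
# The rule name, $RemoteScope and $RequireIPsec are assumptions for illustration.
$RuleName     = 'CustomApp-TCP-8787-In'
$Port         = 8787
$RemoteScope  = 'any'      # narrow to a subnet such as 10.0.0.0/8 to limit who can reach the port
$RequireIPsec = $false     # $true = only allow connections secured with IPsec (step 6)

# The rule has no effect if the firewall is switched off, so check the profile state first.
# (The text match assumes English-language netsh output.)
$state = netsh advfirewall show allprofiles state
if ($state -match '\bOFF\b') {
    Write-Warning 'Windows Firewall is OFF for at least one profile.'
}

# Create the rule only if a rule with this name does not exist yet.
netsh advfirewall firewall show rule "name=$RuleName" | Out-Null
if ($LASTEXITCODE -eq 0) {
    Write-Host "Rule '$RuleName' already exists; leaving it unchanged."
}
else {
    $ruleArgs = @(
        'advfirewall', 'firewall', 'add', 'rule',
        "name=$RuleName",
        'dir=in',                          # steps 2-3: inbound rule
        'action=allow',                    # step 6: allow the connection
        'protocol=TCP',                    # step 5: TCP ...
        "localport=$Port",                 #         ... on local port 8787
        'profile=domain,private,public',   # step 7: all three profile check boxes
        "remoteip=$RemoteScope"
    )
    if ($RequireIPsec) { $ruleArgs += 'security=authenticate' }

    & netsh $ruleArgs
    if ($LASTEXITCODE -ne 0) { throw "netsh could not create rule '$RuleName'." }
}

# Review the rule as it is now stored, including profiles and scope.
netsh advfirewall firewall show rule "name=$RuleName" verbose
```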

You should review the rule settings in the Inbound Rules node, which provides a quick-glance view of the rule settings. You may also include a rule within a rule group; this allows multiple rules to be bound together for simple on/off application.

Integrated Windows Firewall is now a vital part of Windows Server security. The newly added ability to define rules based on factors such as profile, scope, IPSec status, etc. positions Windows Server as an OS with one of the highest levels of integrated security.

BitLocker ToGo Encryption for Windows Server 2008 R2

BitLocker ToGo encryption is a new feature that ships with Windows Server 2008 R2 which provides encryption for removable drives. This is a very important feature for backups as it ensures that backups are protected.

Before using BitLocker ToGo, you will need to add the BitLocker feature to Windows Server 2008 R2. From Server Manager, select the server, then click Add Features from the Action menu, which will open the Add Features Wizard. From there, select BitLocker Drive Encryption and you will see the regular BitLocker, which is designed for non-removable drives and uses a TPM (Trusted Platform Module) for encryption, and also the new BitLocker ToGo used for removable drives.

To add BitLocker Drive Encryption from PowerShell, use the below code from an elevated PowerShell command line:

Import-Module ServerManager
Add-WindowsFeature BitLocker

BitLocker ToGo can be managed by double-clicking the BitLocker Drive Encryption icon in the Control Panel. From there, to enable BitLocker ToGo on a removable drive, click Turn On BitLocker beside the drive icon.

The first time BitLocker or BitLocker ToGo is run on the server, you will see a warning message that this can impact performance. Click Yes at this prompt and the BitLocker Drive Encryption Wizard will start.

Firstly, select how to unlock the drive, using either a password or a smart card. Next you will be offered several methods for saving the recovery key; normally it is preferable to use all possible methods: save to a file and keep the file safe, and print the recovery key and store the printout in a safe location. Make sure you store the recovery key where it can be easily accessed when you need it.

Continues…

Block IP Addresses in IIS

The IIS IP and Domain Restrictions role service enables admins to block IP addresses from accessing web apps.

To do this, open the IIS Manager, navigate to the required level (such as the site) and then click on IPv4 Address and Domain Restrictions:

Block IP Addresses in IIS

Next, select Deny Entry from the Actions menu at the top right:

Block IP Addresses in IIS
Continues…

Hardening Windows Server 2008 – Part 2

Bitlocker Encryption

In Windows Server 2008, Bitlocker drive encryption can be used to encrypt and therefore protect the operating system and data files stored on the hard disk. Bitlocker encryption will prevent unauthorized users from accessing your sensitive data on a drive which has been misappropriated. This is also important from a compliance perspective, where data privacy and security are critical requirements.

To access the data protected by Bitlocker, a USB flash drive that stores the encryption key (created by Bitlocker) needs to be inserted into the USB port before system startup. Bitlocker also offers an optional feature which allows for integrity verification of system boot files, so that any unauthorized changes such as malicious modification of boot files can be detected. However, for this feature to work, Bitlocker needs a computer system that has a TPM (Trusted Platform Module) and a TCG (Trusted Computing Group) compatible BIOS.

BitLocker Drive Encryption requires two different hard disk partitions to function properly:

  1. OS Volume: This volume is encrypted and stores OS (operating system) files and any other information/data which needs to remain confidential or inaccessible to unauthorized users.
  2. System Volume: This volume contains the unencrypted boot information which is used by Bitlocker and needs to be at least 1.5 GB in size.

Bitlocker provides for full volume encryption and has to be installed and enabled before it can be used. To install BitLocker, go to Server Manager > click on the Add New Features option > select Bitlocker Drive Encryption, as shown below.

hardening windows server

Fig 1: Installing Bitlocker

Alternatively, type the following at a command prompt to install and enable Bitlocker: ServerManagerCmd -install BitLocker -restart

Continues…

IIS 7.5 and IIS 7.0 Security Best Practices – Part I

In this series of two articles, we will review some key hardening mechanisms for a corporate intranet hosted IIS 7.5 or IIS 7.0 web server running on Windows Server 2008. These best practices mitigate the risk of unauthorized access to the IIS 7.5 or IIS 7.0 installation.

Microsoft IIS 7 has an inherently stronger security design than its predecessors. A default installation of IIS 7 provides only minimal functionality, and any additional functionality, if needed, has to be explicitly selected and installed by the user.

This ‘minimal installation by default’ approach reduces the ‘attack surface area’ of our website. The less functionality one installs, the less exposed one is to attack from hackers and malicious code.

Let’s dive into some of the key security best practices that we can implement to strengthen IIS 7 security:

Secure Windows Server Installation

If the underlying OS is vulnerable, it will also render the IIS web server installation vulnerable to unauthorized access. Therefore, for optimal security, and if viable, we may wish to run IIS 7 out of a secure Windows 2008 installation. In Windows Server 2008 or Windows Server 2008 R2 environment, this can be achieved by deploying Server Core Installation.

Essentially, the Server Core option installs only the minimal components which are required for running a specific server role. This is very important from the perspective of reducing the ‘attack surface area’ that we discussed earlier. Apart from the security aspect, a minimal installation will also decrease the overhead of administration and maintenance activities.

A server running a Server Core installation of Windows Server 2008 supports various server roles such as DNS server, Web server, File server etc. For an exhaustive list of supported roles, visit: http://go.microsoft.com/fwlink/?LinkId=99832

Note that the Server Core installation does not include the graphical user interface. Therefore, to manage it locally you can use the command shell, or manage it remotely through an MMC (Microsoft Management Console) installed on another system. Additionally, since ASP.NET and .NET Framework related features are not supported by the Server Core installation, you should not choose this type of installation if any of your web applications use these features.

For detailed procedures on installing (IIS) web server role with a Windows Server 2008 Server Core installation, visit Server Core Installation Option of Windows Server 2008 Step-By-Step Guide.

Configuring The Authentication Mechanism

If you don’t need public access to your website, you can leverage Windows authentication mode to restrict access to authorized individuals. Configuring Windows authentication on your web server integrates it with Windows and Active Directory Domain Services. Each individual who wishes to access your website will first need to authenticate to your web server/integrated Active Directory.
Continues…