Contents v
Domain Controller Baseline Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Domain Controller Baseline Audit and Security Options Policy . . . . . . . . . . . . . . . . . 66
Domain Controller Baseline Services Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Other Baseline Security Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Securing Each Server Role. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Windows 2000 Application Server Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Windows 2000 File and Print Server Role. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Windows 2000 Infrastructure Server Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Windows 2000 IIS Server Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Changes to the Recommended Environment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Administration Changes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Security Modifications if HFNETCHK is Not Implemented. . . . . . . . . . . . . . . . . . . . . 76
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Chapter 5
Patch Management 79
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Service Packs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Hotfixes or QFEs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Security Patches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Patch Management in Your Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Assessing Your Current Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Security Update Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Communication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Patch Management and Change Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Microsoft Security Tool Kit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Patch Management Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Analyze Your Environment for Missing Patches . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Testing the Patches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Assessing the Patch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Deploying the Patches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Reviewing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Client Side Patch Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Windows Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Windows Update Corporate Edition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Microsoft Baseline Security Analyzer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Other Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
References/Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Chapter 6
Auditing and Intrusion Detection 101
Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
How to Enable Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Defining Event Log Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Events to Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Protecting Event Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Monitoring for Intrusion and Security Events. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
The Importance of Time Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Passive Detection Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Active Detection Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Vulnerability Assessment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Chapter 7
Responding to Incidents 141
Minimizing the Number and Severity of Security Incidents . . . . . . . . . . . . . . . . . . . . . 141
Assembling the Core Computer Security Incident Response Team . . . . . . . . . . . . . 143
Defining an Incident Response Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Making an Initial Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Communicate the Incident . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Contain the Damage and Minimize the Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Identify the Severity of the Compromise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Protect Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Notify External Agencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Recover Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Compile and Organize Incident Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Assess Incident Damage and Cost. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Review Response and Update Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Case Study – Northwind Traders Incident Handling . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Related Topics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Appendix A
Additional Files Secured 159
Appendix B
Default Windows 2000 Services 163
Appendix C
Additional Services 167
Job Aid 1:
Threat and Vulnerability Analysis Table 169
Job Aid 2:
Top Security Blunders 171
Top 11 Client-side Security Blunders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Top 8 Server-side Security Blunders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Job Aid 3:
Attacks and Countermeasures 175
Job Aid 4:
Incident Response Quick Reference Card 181
Chapter 1
Introduction
Welcome to the Security Operations Guide for Windows 2000 Server. As the world becomes more and more connected, the vision of information being available anywhere, at any time, and on any device comes closer to reality. Businesses and their customers will only trust such an environment to store their sensitive data if they can be sure the environment is secure.
The 2001 Computer Crime and Security Survey by the Computer Security Institute (CSI) and the Federal Bureau of Investigation (FBI) showed 85 percent of large corporations and government agencies detected security breaches. The average loss over the year for each respondent was estimated to be over 2 million US dollars. Recent months have seen a spate of attacks against computer environments, many of them through the Internet, and many of them targeted at systems running the Microsoft® Windows® operating system. However, these are just the most public of the security issues facing organizations today. This guide will look at the many different threats to security in your environment and how you most effectively guard against them.
Whatever your environment, you are strongly advised to take security seriously. Many organizations make the mistake of underestimating the value of their information technology (IT) environment, generally because they exclude substantial indirect costs. If an attack is severe enough, its cost could be up to the value of your entire organization. For example, an attack in which your corporate website is subtly altered to announce fictional bad news could lead to the collapse of your corporation's stock price. When evaluating security costs, you should include the indirect costs associated with any attack, as well as the costs of lost IT functionality.
The most secure computer systems in the world are ones that are completely isolated from users or other systems. However, in the real world, we generally require functional computer systems that are networked, often using public networks. This guide will help you identify the risks inherent in a networked environment, help you to work out the level of security appropriate for your environment, and show you the steps necessary to achieve that level of security. Although targeted at the enterprise customer, much of this guide is appropriate for organizations of any size.
Microsoft Security Operations Guide for Windows 2000 Server2
Microsoft Operations Framework (MOF)
For operations in your environment to be as efficient as possible, you must manage
them effectively. To assist you, Microsoft has developed the Microsoft Operations
Framework (MOF). This is essentially a collection of best practices, principles, and
models providing you with operations guidance. Following MOF guidelines should
help your mission critical production systems remain secure, reliable, available,
supportable, and manageable using Microsoft products.
The MOF process model is split into four integrated quadrants, as follows:
● Changing
● Operating
● Supporting
● Optimizing
Together, the phases form a spiral life cycle (see Figure 1.1) that can apply to anything
from a specific application to an entire operations environment with multiple data
centers. In this case, you will be using MOF in the context of security operations.
[Figure 1.1 (diagram): the four MOF quadrants arranged as a cycle around the MOF core, each with its goal:
● Changing: introduce new service solutions, technologies, systems, applications, hardware, and processes.
● Operating: execute day-to-day operations tasks effectively.
● Supporting: track and resolve incidents, problems, and inquiries quickly; facilitate CRM.
● Optimizing: optimize cost, performance, capacity, and availability.
The operations management reviews shown between the quadrants are the Release Readiness Review, Operations Review, SLA Review, and Release Approved Review.]
Figure 1.1
MOF process model
Chapter 1: Introduction 3
The process model is supported by 20 service management functions (SMFs) and an integrated team model and risk model. Each quadrant is supported with a corresponding operations management review (also known as a review milestone), during which the effectiveness of that quadrant's SMFs is assessed.
It is not essential to be a MOF expert to understand and use this guide, but a good
understanding of MOF principles will help you manage and maintain a reliable,
available, and stable operations environment.
If you wish to learn more about MOF and how it can assist you in your enterprise,
visit the Microsoft Operations Framework website. See the “More Information”
section at the end of this chapter for details.
Get Secure and Stay Secure
In October 2001, Microsoft launched an initiative known as the Strategic Technology
Protection Program (STPP). The aim of this program is to integrate Microsoft
products, services, and support that focus on security. Microsoft sees the process
of maintaining a secure environment as two related phases: Get Secure and Stay
Secure.
Get Secure
The first phase is called Get Secure. To help your organization achieve an appropriate level of security, follow the Get Secure recommendations in the Microsoft Security Tool Kit, which can be accessed online (see the "More Information" section for details).
Stay Secure
The second phase is known as Stay Secure. Creating an environment that is initially secure is one thing; once your environment is up and running, it is entirely another to keep it secure over time, take preventative action against threats, and respond to them effectively when they do occur.
Scope of this Guide
This guide is focused explicitly on the operations required to create and maintain
a secure environment on servers running Windows 2000. We examine specific roles
defined for servers, but do not show in detail how to run specific applications in
a secure manner.
When implementing security, there are many areas that you must design and implement. Figure 1.2 provides a high-level view of these areas; the shaded areas are the ones covered in this guide.
[Figure 1.2 (diagram): the security areas shown are
● Develop an IT Security Policy
● Design and Implement a Defense-in-Depth Strategy
● Design and Implement an Anti-Virus Strategy
● Design and Implement a Server Lockdown
● Design and Implement an Auditing and Intrusion Detection Strategy
● Design and Implement a Backup and Restore Strategy
● Design and Implement a Patch Management Strategy
● Design an Incident Response Plan]
Figure 1.2
Security areas
The diagram shows the steps required to help make a server secure (Get Secure)
and help keep it that way (Stay Secure). It also shows how the chapters of this guide
will help you achieve those aims.
[Figure 1.3 (flowchart):
Get Secure: Understand your security risks (Chapter 2, Understanding Risk). Install the latest Service Pack and hotfixes. Lock down the server in a test environment (Chapter 3, Group Policy, and Chapter 4, Securing Servers Based on Role). Does the server still perform its functional role? If no, modify the lockdown Group Policy and retest; if yes, apply the settings to production servers and validate.
Stay Secure: Use Hfnetchk to check for missing patches (Chapter 5, Patch Management). Missing patches? If yes, download and test the patches in a non-production environment, then apply the patches to production servers. Regularly review audit logs (Chapter 6, Auditing and Intrusion Detection). Possible incident detected? If yes, follow incident response procedures (Chapter 7, Responding to Incidents).]
Figure 1.3
Security process flowchart
Note: This diagram is not meant to show every task that should be involved in your Stay Secure operational processes, such as running anti-virus software and performing regular backups. Instead, it is intended to show the tasks discussed in detail in this guide.
You should use this guide as part of your overall security strategy, not as a complete
reference to cover all aspects of creating and maintaining a secure environment.
Chapter Outlines
This guide consists of the following chapters, each of which takes you through
a part of the security operations process. Each chapter is designed to be read, in
whole or in part, according to your needs.
Chapter 2: Understanding Security Risk
Before you can attempt to make your environment secure, you have to understand
threats, vulnerabilities, exploits, and countermeasures in the context of IT security.
This chapter looks at these issues and examines business and technical decisions
that will help you to manage security risk in your environment more effectively.
Chapter 3: Managing Security with Windows 2000 Group Policy
Many security settings are defined in Windows 2000 through Group Policy, aimed at controlling the behavior of objects on the local computer and in the Active Directory™ directory service. It is important to ensure that these policies are set appropriately, and that you monitor to ensure they are not changed without prior authorization. This chapter will look in detail at managing security using Group Policy.
Chapter 4: Securing Servers Based on Role
An application server, a file server, and a web server all require different settings to maximize their security. This chapter looks at domain controllers and a number of different member server roles and shows the steps you should take to ensure that each of these roles is as secure as possible.
Note: This guide assumes that servers perform specific defined roles. If your servers do not
match these roles, or you have multipurpose servers, you should use the settings defined here
as a guideline for creating your own security templates to give you the functionality you require.
However, you should bear in mind that the more functions each of your individual servers
performs, the more vulnerable you are to attack.