Physical Security Issues

Physical security is one of the first security requirements to address when you install any server operating system. Servers have to be protected from physical threats such as unauthorized physical access. Physical security prevents an individual from physically reaching your server and performing malicious actions on it.

A few guidelines and recommendations for implementing physical server security are detailed below:

  • All servers should be secured in a locked server room.

  • Only those individuals that need access should be permitted to access the server room using a key or security code. You can also implement a mechanism that monitors who enters and leaves the server room.

  • All hubs, routers and switches should be placed in a wiring closet, or in a locked cable room.

  • You should use case locks on your servers. You can also install case locks on other systems that can be physically accessed.

  • You should restrict access to the floppy drive as well.

  • Set a BIOS password on all systems. This would prevent an unauthorized person from accessing the BIOS.

  • You should change the operating system selection timeout interval to 0 in order for Windows to boot automatically.

  • When you are setting up Windows, disconnect the server from the Internet.

  • Install Windows operating systems to an NTFS partition.

  • Ensure that you use a strong local administrator password during setup.

Identifying Security Issues Common to All Server Roles

Using NT File System (NTFS)

To store data on a local partition on a Windows server, you have to format it with a file system. The file system that you use determines the manner in which data is stored on the disk. It also determines the security that can be defined for folders and files stored on the partition. While Windows operating systems offer support for the File Allocation Table (FAT) file system, NT file system (NTFS), and CDFS (Compact Disc File System), the file systems generally used on local partitions are the FAT file system and the NTFS file system. The file system that offers the best level of security is NT file system (NTFS).

NTFS partitions enable you to specify security for the file system that applies after a user has logged on. NTFS permissions control the access users and groups have to files and folders on NTFS partitions. You can set an access level for each particular user to the folders and files hosted on NTFS partitions. You can allow access to NTFS files and folders, or you can deny access to NTFS files and folders. The NTFS file system also includes other features such as encryption, disk quotas, file compression, mounted drives, the NTFS change journal, and multiple data streams. You can also store Macintosh files on NTFS partitions.

Encrypting File System (EFS) enables users to encrypt files and folders, and entire data drives on NTFS formatted volumes. Users that are utilizing EFS can share encrypted files with other users on file shares and even Web folders. You can configure EFS features through Group Policy and command-line tools. Through disk quotas, you can manage disk space utilization of your users for critical NTFS volumes. Disk quotas are used to track disk space usage on a per user, per NTFS volume basis.

Before you can apply NTFS permissions, you have to format the disk partition as an NTFS partition. NTFS permissions are applied through Windows Explorer. You simply have to right-click the particular file or folder that you want to control access to and select Properties from the shortcut menu. The Properties dialog box of NTFS files and folders contains a Security tab. This is the tab used to apply NTFS permissions.

Deploying Service Packs and Hotfixes

A service pack is a collection of updates, or executable files, that relate to an operating system (OS). Service packs typically deal with setup, security, and application compatibility enhancements or issues. Service packs are issued by Microsoft every couple of months to ensure that the operating system is up to date and to correct any existing issues. Service packs improve on the functionality of a computer when they include new tools and capabilities. They can also contain device drivers.

A hotfix consists of one or multiple files that are applied to the operating system to fix a specific critical problem. A hotfix corrects a particular critical operating system fault and can include one-off fixes for a server or client problem. Hotfixes can be downloaded from the Windows Update site, or from the TechNet Security page at www.microsoft.com/technet/security/default.asp. The Microsoft Network Security Hotfix Checker (HFNetChk) included with the Microsoft Baseline Security Analyzer (MBSA) tool can be used to determine whether your network computers have all the necessary hotfixes. This powerful tool can quickly check all your network computers. The MBSA tool can also be used to identify security misconfigurations and weaknesses.

Microsoft Baseline Security Analyzer (MBSA) can be run on Windows 2000, Windows XP and Windows Server 2003 computers to scan for security weaknesses and missing hotfixes. MBSA works for:

  • Windows 2000 Server, Windows 2000 Advanced Server, Windows 2000 Professional, Windows XP Professional, Windows NT 4.0, SQL Server 2000, SQL Server 7.0, Internet Information Server 4.0 / 5.0, IE 5.01, and Office 2000, and Office 2002 – XP

The Microsoft Network Security Hotfix Checker (HFNetChk) included in the Microsoft Baseline Security Analyzer tool can be used to analyze one or multiple computers for necessary service packs. The attractive feature of this tool is that it can be scripted to scan a number of different configurations. It can also scan for necessary updates for one or multiple products. When it runs, the HFNetChk tool uses an XML file that contains detailed information on all the available hotfixes for many products. The XML file is downloaded from the Microsoft Web site when it is not present in the directory from which HFNetChk is run.

HFNetChk can scan the following:

  • Windows 2000 Server, Windows 2000 Advanced Server, Windows 2000 Professional, Windows XP Professional, Windows NT 4.0, Windows Media Player, Microsoft Data Engine 1.0, Exchange Server 5.0 and 2000, SQL Server 2000, SQL Server 7.0, Internet Information Server 4.0 / 5.0, IE 5.01, and Office 2000 and Office 2002 – XP

You can use either of the following methods or technologies to deploy necessary updates on your existing computers:

  • Windows Update, Automatic Updates, Software Update Services (SUS), Scripting, Systems Management Server (SMS), or Group Policy

  • You can also manually deploy an update from a network share or CD-ROM after you have obtained it.

Automatic Updates, manual deployment, and Windows Update can only deploy an update to a single computer or a small number of computers. Software Update Services (SUS), Group Policy, and scripting can apply updates to multiple computers. Software Update Services (SUS) can only be used to deploy service packs and hotfixes for Windows 2000, Windows XP and Windows Server 2003 computers. Scripting and SMS can be used to deploy hotfixes and service packs to all versions of Windows computers. The Software Installation and Maintenance feature of Group Policy, and scripting, work well when a large number of network computers require the identical update.

You can only use Automatic Updates on:

  • Windows 2000 Server, Windows 2000 Advanced Server, Windows 2000 Professional with SP2 or above, Windows XP Professional, and Windows XP Home Edition with SP1

You can use Systems Management Server (SMS) to install service packs on SMS client computers from a network distribution share. Using SMS for deploying updates involves the following steps:

  • You have to create an SMS package that includes the location of the service pack source files and the package definition file (.pdf) for distributing the service pack. The package definition file includes the information that is needed to create the SMS package. The SMS package also includes the command lines that run on the SMS client computers to control how the package executes.

  • You then have to distribute the SMS package to the distribution points that you have identified.

  • Lastly, you have to create an SMS advertisement that informs the SMS clients of the available service packs.

Disabling Unnecessary Services

When you install the Windows Server 2003 operating system, there are a few services which are automatically installed with the operating system. These services are usually configured with the Automatic startup type. This means that the service starts automatically when the operating system starts. The startup type specified for the service controls when and how the service starts.

The configuration of a service is stored in the following location in the Registry:

  • the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services key

A service can also be configured with one of the startup types listed below:

  • Automatic: the service starts automatically when the operating system starts or boots. Some services that have the Automatic startup type configured when you install Windows Server 2003 are Automatic Updates, DHCP Client, DNS Client, IPSec Services, Remote Procedure Call (RPC), Server, Security Accounts Manager, and System Event Notification.

  • Manual: the service needs to be started manually by an Administrator. However, if a service or process needs to start a particular service, it can start the service.

  • Disabled: for a service with the Disabled startup type to start, the startup type first needs to be changed to either Automatic or Manual. A service cannot start another service if that service's startup type is Disabled.

For the following services, it is recommended that you configure the Disabled startup type, if the server does not require the service:

    • Alerter

    • Application Management

    • ClipBook

    • Distributed File System

    • Distributed Transaction Coordinator

    • Fax Service

    • Indexing Service

    • Internet Connection Sharing (ICS)

    • Internet Connection Firewall (ICF)

    • License Logging

    • Messenger

    • NetMeeting Remote Desktop Sharing

    • Network DDE

    • Network DDE DSDM

    • Print Spooler

    • Remote Access Auto Connection Manager

    • Remote Access Connection Manager

    • Removable Storage

    • Routing And Remote Access

    • Secondary Logon

    • Task Scheduler

    • Telephony

    • Telnet

    • Uninterruptible Power Supply

The System Services area of the Security Configuration and Analysis management console is used to manage startup and permissions for system services. If you have unnecessary services running within your environment, you can disable the services. When services are disabled, they are stopped from starting when the computer starts. The components of the service which you disable are not uninstalled.

To check the status of a service,

  1. Open the Computer Management console

  2. Right-click Computer Management in the left console pane, and click Connect To Another Computer on the shortcut menu.

  3. Specify whether you want to check the status of a service on the local computer, or on a remote computer.

  4. Proceed to expand the Services And Applications node.

  5. Select Services.

  6. The Services window displays the service name, startup type and status of the service, as well as other information.

To disable unnecessary services,

  1. Open the Computer Management console.

  2. Right-click Computer Management in the left console pane, and click Connect To Another Computer on the shortcut menu. Specify whether you want to manage services on the local computer, or on a remote computer.

  3. Expand the Services And Applications node, and select Services.

  4. Right-click the particular service which you want to disable, and then select Properties from the shortcut menu.

  5. On the General tab of the Properties dialog box, select Disabled in the Startup Type drop-down list box.

  6. Click OK.
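The GUI procedure above checks one service at a time. As an added example, not part of the original article, the following Python script audits a .reg export of the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services key described earlier and reports every service from the recommended-Disabled list whose Start value is still Automatic or Manual. The Start-to-startup-type mapping (2, 3 and 4) is standard Windows behaviour; the .reg sample and the service key names in it are constructed for the example, and services are matched on their DisplayName value so that the page's own service names can be used.

```python
import re

# Startup type as stored in the "Start" DWORD of each service key
# (0 and 1 are driver start types and do not appear in the Services console).
START_TYPES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}

# Services the article recommends setting to Disabled when the server does not need them,
# matched on the DisplayName value of the service key.
RECOMMENDED_DISABLED = {
    "Alerter", "Application Management", "ClipBook", "Distributed File System",
    "Distributed Transaction Coordinator", "Fax Service", "Indexing Service",
    "Internet Connection Sharing (ICS)", "Internet Connection Firewall (ICF)",
    "License Logging", "Messenger", "NetMeeting Remote Desktop Sharing",
    "Network DDE", "Network DDE DSDM", "Print Spooler",
    "Remote Access Auto Connection Manager", "Remote Access Connection Manager",
    "Removable Storage", "Routing And Remote Access", "Secondary Logon",
    "Task Scheduler", "Telephony", "Telnet", "Uninterruptible Power Supply",
}

# Only direct children of the Services key are service definitions; subkeys such as
# Services\Spooler\Performance are deliberately excluded by forbidding a further backslash.
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"(\w+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

# Constructed sample export (a real one would be produced by reg.exe or Regedit).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"DisplayName"="Print Spooler"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler\Performance]
"Library"="winspool.drv"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"DisplayName"="Messenger"
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
"DisplayName"="Telnet"
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
"DisplayName"="DNS Client"
"Start"=dword:00000002
"""


def parse_services_reg(text):
    """Return {service key name: {"Start": int, "DisplayName": str, ...}} from .reg text."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            services[current] = {}
            continue
        if line.startswith("["):          # a subkey or a key outside the Services tree
            current = None
            continue
        value_match = VALUE_RE.match(line) if current else None
        if value_match:
            name, dword, string = value_match.groups()
            services[current][name] = int(dword, 16) if dword is not None else string
    return services


def audit(services):
    """List (key name, display name, startup type) for listed services not set to Disabled."""
    findings = []
    for key, values in services.items():
        display = values.get("DisplayName", key)
        start = START_TYPES.get(values.get("Start"), "Unknown")
        if display in RECOMMENDED_DISABLED and start != "Disabled":
            findings.append((key, display, start))
    return sorted(findings)


if __name__ == "__main__":
    for key, display, start in audit(parse_services_reg(SAMPLE_REG)):
        print(f"{display} ({key}): startup type is {start}, recommended Disabled")
```

A real export written by reg.exe or Regedit is usually UTF-16 encoded, so open the file with encoding="utf-16" before passing its contents to parse_services_reg.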

Disabling Unnecessary Accounts

All accounts which are not being utilized should be deleted or disabled.

  • For employees that are no longer employed at the company, delete this specific employee's user account.

  • For employees or users who will be absent for a defined temporary period, disable the specific employee's user account.

Additionally, it is recommended that you also disable the following accounts:

  • Administrator account: The Administrator account is a well-known account which provides access to services, files and directories. The Administrator account has full system access. Once the system is installed, administrators are typically made members of the Administrators group. You can easily remove administrative rights when administrators are members of the Administrators group. Ensure that the local Administrator account has a secure password. If the Administrator account's password is weak, unauthorized individuals might be able to access the domain or system. You can also rename the account, and create a fake Administrator account that has no permissions.

  • Guest Account: The Guest account is normally used for users who need infrequent access. The Guest account is by default disabled when Windows Server 2003 is installed. Because the Guest account is a member of the Everyone group, it has access to files and folders. It is recommended to restrict the utilization of the Guest account. You can also rename the Guest account, and you should change the password regularly.

Allowing users and computers unlimited access to system resources and network resources can ultimately compromise the security of the organization. Even though users and computers need to access network and system resources to perform certain tasks, the access that they are given should be limited to what is necessary to perform their required tasks.

User accounts are required to log on to a Windows NT, Windows 2000, Windows XP and Windows Server 2003 network. User accounts are used for authentication, authorization, and auditing. A user account enables a user to log on to the domain and to access resources. A local user account enables a user to log on to a computer and access local resources on that particular computer. A domain user account enables a user to log on to a domain, and access network resources. Built-in user accounts are typically used for administrative tasks. You should strive to assign users, services, and computers with the least number of privileges necessary to perform the tasks they need to.

Enforce Strong Password Usage

Passwords are used to prevent unauthorized individuals from accessing networks, computers and network resources. A strong password stands a better chance of protecting network resources because it is harder for an unauthorized individual to guess. A strong password should not be a variation of the log-on name, and should definitely not be the name of the user. It should be at least seven characters in length, and should include two alphabetic characters and a non-alphabetic character.

Passwords are probably the component that presents the most vulnerability in an authentication implementation. Weak passwords can easily be identified, even when password encryption is used. Password encryption means that the user's password is encrypted rather than transmitted over the network in clear text. When users use strong, complex passwords, an unauthorized individual attempting to access the system should not easily be able to guess or decipher the password. Regularly having users change their passwords also ensures that even when a strong password is deciphered by an unauthorized user, the password will probably already be invalid.

A weak password is a password that includes some of the following information:

  • The name of the user

  • The name of the organization

  • The login ID of the user

  • The word 'password'

  • Blank passwords

A strong password contains none of the above mentioned pieces of information. Strong passwords have the following characteristics:

  • The password is intricate so that it cannot be deciphered by unauthorized network users, but can also be remembered by the user. The user should not need to document the password to remember it.

  • The password should be at least seven characters in length.

  • The password should include characters from three of the following groups:

    • Uppercase characters: Letters A through to Z

    • Lowercase characters: Letters a through to z

    • Non-alphabetic characters such as: $, #, %

    • Numeric digits such as 0 through to 9

Password rules are based on the settings defined in password policies. You can define password policies by:

  • Enforce Password History. Used to prohibit users from using the identical password when they are specifying a new password. By default, 24 passwords are remembered.

  • Maximum Password Age. Indicates the time, in days, that a user can have the identical password. The default setting is 42 days

  • Minimum Password Age. Indicates the time, in days, that a user is required to use the identical password. The default setting is 1 day.

  • Minimum Password Length. Indicates the least number of characters a password has to have. The default setting is 7 characters.

  • Password Must Meet Complexity Requirements. The password in this case has to be at least six characters in length, and cannot include the account name of the user. The password also has to include characters from three of these groups: numbers, non-alphabetic characters, English uppercase letters, and English lowercase letters. The default setting is enabled.

  • Store Passwords Using Reversible Encryption. Indicates whether the operating system uses reversible encryption when storing the password of the user. The default setting is disabled.
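The weak-password list and the password policy settings above can be checked programmatically before a password is handed to a user. The following Python code is an added example, not part of the original article or of Windows: it implements the article's weak-password list (user name, organization name, login ID, the word 'password', blank), the Minimum Password Length default of 7, and the complexity requirement (at least six characters, no account name, three of the four character groups). Treating a part of the full name as "the name of the user" only when it is three or more characters long is this example's own assumption; sample names and passwords are constructed.

```python
import re

MIN_LENGTH = 7              # Minimum Password Length default from the policy list
COMPLEXITY_MIN_LENGTH = 6   # floor imposed by Password Must Meet Complexity Requirements
GROUPS = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "non-alphabetic": re.compile(r"[^A-Za-z0-9]"),
}


def weak_password_reasons(password, account_name, full_name="", org_name=""):
    """Return the article's weak-password indicators found in the password (empty = none)."""
    if not password:
        return ["blank password"]
    lower = password.lower()
    reasons = []
    if account_name and account_name.lower() in lower:
        reasons.append("contains the login ID")
    # Assumption of this example: a name part counts only when it is at least three characters.
    if any(len(part) >= 3 and part.lower() in lower for part in full_name.split()):
        reasons.append("contains the user's name")
    if org_name and org_name.lower() in lower:
        reasons.append("contains the organization name")
    if "password" in lower:
        reasons.append("contains the word 'password'")
    return reasons


def meets_complexity(password, account_name):
    """Password Must Meet Complexity Requirements, as the article describes it."""
    if len(password) < COMPLEXITY_MIN_LENGTH:
        return False
    if account_name and account_name.lower() in password.lower():
        return False
    groups_hit = sum(1 for pattern in GROUPS.values() if pattern.search(password))
    return groups_hit >= 3


def check_password(password, account_name, full_name="", org_name="", min_length=MIN_LENGTH):
    """Return every reason the candidate password fails the policy; an empty list means it passes."""
    failures = weak_password_reasons(password, account_name, full_name, org_name)
    if len(password) < min_length:
        failures.append(f"shorter than the minimum length of {min_length}")
    if not meets_complexity(password, account_name):
        failures.append("does not meet complexity requirements")
    return failures


if __name__ == "__main__":
    # Constructed sample accounts and candidate passwords.
    for candidate in ["Summer2004!", "jsmith99", "Password1!", "Ab1!", ""]:
        result = check_password(candidate, "jsmith", "John Smith", "Contoso")
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```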

Perform Regular Backups

A backup is the process of archiving data and system files on a computer to a different location on a hard disk, or other media type.

Backups are typically performed for a number of reasons, including the following:

  • Protect the network environment from the accidental deletion of, or modification of data, and from hardware failures: Backups prove invaluable when authorized users intentionally delete or modify data. The backup would enable you to restore data to its previous state of integrity. Because certain hardware failures such as corrupted hard disk drives can cause considerable loss of data, backing up your data would ensure that the company can continue to perform its mission critical functions when such an event does occur.

  • Store mission critical data: It is recommended to regularly back up mission critical data so that any previous version of information can be accessed, if necessary, at some time in the future.

A backup plan should be drawn up to detail the data that has to be backed up, the manner in which the data should be backed up, the frequency at which the backups should occur, and the manner in which data restorations should occur. Mission critical data should be backed up, while temporary files may not need to be backed up. System State data should be backed up. System State data contains the files which the operating system uses, such as the boot files and system files, and any additional files which the Windows operating system needs to restore the system. System State data basically contains the main configuration information in Windows 2000 and Windows Server 2003. What information is actually included in System State data is determined by the operating system configuration.

System state typically includes the following important data, files and components:

  • The Windows Registry

  • The contents of the SYSVOL directory

  • Files which are protected by the Windows File Protection system

  • Boot and system files: Ntdetect.com, Ntldr and Bootsect.dat.

  • The COM+ Class Registration database

  • The Active Directory database (Ntds.dit), including all log files and checkpoint files

  • Cluster service files

  • Certificate service files

  • The Internet Information Server (IIS) metabase

It is recommended to back up all data on a server together with its System State data. You are then prepared for a disaster such as a hard disk failure on the server, because a full backup exists from which to restore the server.

The Windows Server 2003 Backup utility offers a few methods that you can use to create backup jobs and execute backup jobs. You create a backup job by specifying the drives, directories and files that should be backed up, the storage medium for the backup, the time when the backup should occur, and other backup options.

  1. Click Start, Programs, Accessories, System Tools, and Backup to start the Windows Server 2003 Backup utility.

  2. The Welcome page for the Backup Or Restore Wizard is displayed.

The Backup Or Restore Wizard guides you through the process of backing up the server, and restoring an existing backup from the hard disk or other media. You can use the Welcome page of the Backup Or Restore Wizard to open Backup in Advanced Mode. The Advanced Mode provides more features and flexibility. Clear the checkbox for Always Start In Wizard mode and select the Advanced Mode link.

With Backup in Advanced Mode, you are given the following options:

  • Start the Backup Wizard

  • Start the Restore Wizard

  • Start the Automated System Recovery Wizard

Previously in Windows NT and Microsoft Windows 2000 operating systems, the emergency repair disk (ERD) feature was used to recover the system when disasters occurred. Windows XP Professional and Windows Server 2003 now include the Automated System Recovery (ASR) feature for recovering the system in disaster situations. The Automated System Recovery (ASR) feature is a new feature found in the Windows Backup utility.

The ASR disk contains vital configuration information which can be used to fix the following:

  • Boot sector

  • System files

  • Startup environment

When a server failure occurs, all you have to do is restart the computer using the Windows XP Professional or Windows Server 2003 installation CD-ROM. During Setup, select the Automated System Recovery option. The information on the ASR disk is then utilized to restore all standard drivers and files, and the ASR backup is used to restore the rest of the files.

The Windows Backup utility is used to create ASR sets. You can access the Backup Utility through one of the following methods:

  • Click Start, click Run, and enter Ntbackup.exe in the dialog box.

  • Click Start, All Programs, Accessories, System Tools, and then select the Backup utility.

Simply follow the prompts of the Automated System Recovery Preparation Wizard to back up your system configuration and to create the ASR floppy disk that holds the information for restoring your system. The ASR floppy disk that is created is specific to the system and to the time when the ASR set was created.