By now, security idioms such as “Use a strong administrative password” or “Install anti-virus software” are firmly ingrained in the minds of most System Administrators.
The steps comprise the regular hardening procedures for most production systems.
In this article, we describe seven hardening steps that you don’t commonly hear about, yet which are crucial to the security of your Windows servers.
These steps should be considered complementary to the regular hardening steps and are not meant to replace them.
1. Stop sharing all your files with the world.
By default, Windows creates an administrative share for each logical disk on your system. The intent of this feature was to let the administrator reach the machine remotely over the network: connecting to ADMIN$ gives access to %systemroot% on that machine, and connecting to C$ gives access to the root directory of drive C:\. Of course, an attacker who cracks the administrator’s password can do the same, so it is recommended to disable this functionality on critical servers.
To disable these shares, open the HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters registry key and add two DWORD values: AutoShareWks = 0 and AutoShareServer = 0. Verify that the default shares no longer exist by running net share; you should not see any.
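The same change and check from PowerShell, as an added example that is not part of the original article (it assumes an elevated session and the Get-SmbShare cmdlet, which exists on Windows Server 2012 and later; on older systems verify with net share instead):

```powershell
# Added example (not from the article): disables the automatic administrative
# shares from step 1 and verifies the result. Run in an elevated PowerShell on
# Windows Server 2012 or later (Get-SmbShare); on older systems use net share.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# 0 = do not recreate C$, D$, ADMIN$ ... when the Server service starts.
# AutoShareServer is read on server SKUs, AutoShareWks on workstation SKUs;
# setting both is harmless.
foreach ($name in 'AutoShareServer', 'AutoShareWks') {
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
}

# The values are only read when the Server service starts, so restart it.
# This drops every SMB session on the box for a moment; schedule it accordingly.
Restart-Service -Name LanmanServer -Force

# Verify. IPC$ is expected to remain: it is not controlled by these values and
# is needed for named-pipe based remote administration.
$adminShares = Get-SmbShare | Where-Object { $_.Name -match '^([A-Z]\$|ADMIN\$)$' }
if ($adminShares) {
    Write-Warning 'Administrative shares still present:'
    $adminShares | Format-Table Name, Path -AutoSize
} else {
    Write-Host 'No default drive or ADMIN$ shares present.'
}
```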
2. Secure your temporary folders.
Many applications create temporary files while you do your work. Most of the time these files are readable and writable by any process. In theory, they should be cleaned up when the programs exit, but in practice that doesn’t always happen, and leaving them in the folder presents a bounty to an attacker. To protect your Windows servers, we recommend doing two things: encrypting the contents of the temporary folders, and regularly searching them for sensitive data using a Spider tool.
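An added example of both halves of step 2 in script form (not code from the original article): a crude stand-in for a Spider-style search over the machine’s temp folders, followed by EFS encryption of the running account’s own temp folder. The regular expressions and the 10 MB size limit are assumptions to tune for your environment.

```powershell
# Added example (not from the article): step 2 in script form. Part 1 looks
# through the machine's temp folders for files that appear to hold card
# numbers or SSNs (an elevated session is needed to read other users' folders).
# Part 2 marks the current account's own temp folder for EFS encryption.
$tempDirs = @("$env:SystemRoot\Temp") +
            @(Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
              ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' }) |
            Where-Object { Test-Path $_ }

# Deliberately simple patterns; tune them to the data your servers handle.
$patterns = @{
    'Card number (16 digits)' = '\b(?:\d[ -]?){15}\d\b'
    'US SSN'                  = '\b\d{3}-\d{2}-\d{4}\b'
}

$findings = foreach ($dir in $tempDirs) {
    Get-ChildItem $dir -Recurse -File -ErrorAction SilentlyContinue |
      Where-Object { $_.Length -lt 10MB } |            # skip large binaries
      ForEach-Object {
        $file = $_
        foreach ($label in $patterns.Keys) {
            $hits = Select-String -Path $file.FullName -Pattern $patterns[$label] -AllMatches -ErrorAction SilentlyContinue
            if ($hits) {
                [pscustomobject]@{
                    File    = $file.FullName
                    Type    = $label
                    Matches = ($hits | ForEach-Object { $_.Matches.Count } | Measure-Object -Sum).Sum
                }
            }
        }
      }
}
$findings | Sort-Object Matches -Descending | Format-Table -AutoSize

# EFS keys are per user: a file encrypted by one account is unreadable to every
# other account, so each account's temp folder must be encrypted while running
# as that account, never other users' folders from an admin session.
# cipher /e marks the folder so files created in it from now on are encrypted.
cipher /e "$env:TEMP" | Out-Null
```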
3. Enable outbound filtering on the firewalls.
Most organizations enable inbound filtering on their firewalls to prevent the bad guys from getting in, but they forget about outbound filtering. Outbound filtering aims to stop sensitive data from leaving the CorpIT network even if an attacker has managed to penetrate the defenses.
It makes sense to block traffic on the following ports from exiting the network: 25 (SMTP), 139 (NetBIOS), 143 (IMAP), 445 (SMB), 3389 (RDP), 5900 (VNC), and various other Trojan ports. A good list of dangerous ports is available here. The ports can be blocked at the network firewall level, on the firewalls of individual servers, or both.
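A host-level version of this filtering using the Windows Firewall cmdlets, as an added example that is not part of the original article. It assumes Windows Server 2012 or later and that your internal addressing is RFC 1918 space; the address ranges are an assumption to adjust, the ports are the article’s list.

```powershell
# Added example (not from the article): block the article's egress ports at
# the host firewall, but only for destinations outside RFC 1918 space so that
# SMB, RDP and mail to internal hosts keep working. Adjust the ranges if your
# internal addressing differs (assumption, not from the article).
$external = @('1.0.0.0-9.255.255.255', '11.0.0.0-172.15.255.255',
              '172.32.0.0-192.167.255.255', '192.169.0.0-223.255.255.255')

# Port -> name, from the article's list.
$blocked = @{ 25 = 'SMTP'; 139 = 'NetBIOS'; 143 = 'IMAP'; 445 = 'SMB'; 3389 = 'RDP'; 5900 = 'VNC' }

foreach ($port in $blocked.Keys) {
    $name = "Egress block - $($blocked[$port]) tcp/$port"
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
    New-NetFirewallRule -DisplayName $name -Group 'Egress filtering' `
        -Direction Outbound -Action Block -Enabled True -Profile Any `
        -Protocol TCP -RemotePort "$port" -RemoteAddress $external | Out-Null
}

# Block rules win over allow rules, but only if the firewall is actually on
# for the active profile. Show the profile state and the rules just created.
Get-NetFirewallProfile | Format-Table Name, Enabled, DefaultOutboundAction -AutoSize
Get-NetFirewallRule -Group 'Egress filtering' | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{ Rule = $_.DisplayName; Port = $pf.RemotePort; Enabled = $_.Enabled; Action = $_.Action }
} | Format-Table -AutoSize
```

Apply the same list on the perimeter firewall as well; a host rule protects only the server it runs on.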
4. Log suspicious activity to help spot intrusions.
To enable auditing in Windows, go to Control Panel -> Administrative Tools -> Local Security Policy. In the Local Security Settings window, click on Local Policies then Audit Policy. At the bare minimum, you should enable auditing for login events, privilege escalation, bad user names or passwords.
Logs contain a treasure trove of data. But they are useless if you don’t log proper events or don’t actively monitor them.
There are a multitude of SIEM solutions out there; some prominent ones include Splunk, Tripwire Log Center, and RSA enVision. If you are on a budget, you could also write a script which copies all the Windows security/audit logs onto a central Windows server.
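An added example (not code from the original article) that sets the minimum audit settings from this step with auditpol and then implements the “on a budget” collector: it exports the last 24 hours of the Security log and copies it to a central share. It assumes an elevated session; the share path is a placeholder.

```powershell
# Added example (not from the article): minimum audit policy from step 4 via
# auditpol, plus a budget collector that ships the Security log to a central
# Windows server. Run elevated; schedule it daily with Task Scheduler.
$subcategories = @(
    'Logon', 'Logoff', 'Account Lockout',        # login events
    'Special Logon', 'Sensitive Privilege Use',  # privilege escalation
    'Credential Validation'                      # bad user names or passwords
)
foreach ($sc in $subcategories) {
    auditpol /set /subcategory:"$sc" /success:enable /failure:enable | Out-Null
}
# Group Policy applied later overrides local auditpol settings, so put the
# same subcategories into a GPO for domain-joined servers.
auditpol /get /category:*

# Logs are useless if nobody looks: count failed logons (4625) in the last day.
$since  = (Get-Date).AddDays(-1)
$failed = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue)
"Failed logons since ${since}: $($failed.Count)"

# Export with an XPath time filter (86400000 ms = 24 h) and copy to the collector.
$central = '\\LOGSERVER\AuditLogs'   # PLACEHOLDER: your central log share
$outFile = Join-Path $env:TEMP ('{0}-Security-{1:yyyyMMdd-HHmm}.evtx' -f $env:COMPUTERNAME, (Get-Date))
$query   = '*[System[TimeCreated[timediff(@SystemTime) <= 86400000]]]'
wevtutil epl Security $outFile "/q:$query" /ow:true
Copy-Item -Path $outFile -Destination $central
Remove-Item $outFile
```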
5. Set up intrusion detection software on your servers.
Installing anti-virus on your servers is no longer sufficient. Zero-day malware exploits vulnerabilities that are not yet publicly known, and its signatures are usually not in the anti-virus database. According to AusCERT (the Australian computer emergency response team), top-selling anti-virus solutions let in nearly 80% of new malware.
There are two emerging approaches to combat viruses.
6. Disable any unnecessary remotely accessible services.
In a typical network layout, DMZ servers are hardened and have few ports open to the outside world, yet internal servers may expose a multitude of ports, ranging from VNC and Bonjour to unauthenticated MySQL. The flawed thinking is that an attacker won’t get through the gateway firewalls, so there’s nothing to worry about. In reality, that strategy can fall apart like a house of cards.
You should be able to explain every service that’s open. If you are in doubt, then close it.
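An added example (not from the original article) that builds the inventory this step asks for on a Windows server: every listening TCP and UDP port mapped to its process, the Windows service hosting it, and whether it is reachable from the network or only on loopback. It assumes Windows Server 2012 R2 or later for the Get-NetTCPConnection and Get-NetUDPEndpoint cmdlets.

```powershell
# Added example (not from the article): "explain every open port" for step 6.
# Maps each listening port to its process and hosting service so that every
# line can be justified or the service closed.
function Get-ListeningPortInventory {
    # Service table keyed by PID, for svchost-hosted and other service ports.
    $services = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 } |
                Group-Object ProcessId -AsHashTable -AsString
    $tcp = @(Get-NetTCPConnection -State Listen |
             Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess)
    $udp = @(Get-NetUDPEndpoint |
             Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess)
    ($tcp + $udp) | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $svc  = $services["$($_.OwningProcess)"]
        [pscustomobject]@{
            Proto    = $_.Proto
            Address  = $_.LocalAddress
            Port     = $_.LocalPort
            PID      = $_.OwningProcess
            Process  = if ($proc) { $proc.ProcessName } else { '?' }
            Service  = if ($svc) { $svc.Name -join ',' } else { '' }
            Exposure = if ($_.LocalAddress -in '0.0.0.0', '::') { 'all interfaces' }
                       elseif ($_.LocalAddress -in '127.0.0.1', '::1') { 'loopback only' }
                       else { 'one interface' }
        }
    } | Sort-Object Proto, Port
}

# Anything reachable from the network that you cannot name a business reason
# for should be stopped, or at least firewalled (see step 3).
Get-ListeningPortInventory | Where-Object Exposure -ne 'loopback only' | Format-Table -AutoSize
```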
7. Patch your servers correctly.
Many companies manually patch their servers when critical patches come out. But they don’t have a sound strategy which articulates the patch lifecycle or sets the SLAs for fixing the vulnerabilities.
Go to User Configuration – Administrative Templates – Windows Components – Windows Update and select “Remove access to use all Windows Update features.”
To find out which patches are missing, you can use Microsoft Baseline Security Analyzer to assess the security of the host.
Dr. Aleksandr Yampolskiy heads the Security and Compliance team at a well-known e-commerce company. Prior to that, he was a lead technologist, developing SSO, authentication and authorization solutions at several Fortune 100 companies. Aleksandr has advised various businesses on best practices for integrating security into their products while complying with external policies and regulations. He has been cited in the NY Times and Yale Scientific, and has published half a dozen articles in top cryptography conferences. In 2006, he was awarded the Best Paper Award at the Public Key Cryptography conference for discovering the most efficient verifiable random function to date. He has a B.A. in Mathematics from New York University and a Ph.D. in Cryptography from Yale University. He maintains his website at http://www.alexyampolskiy.com. You can also follow him on Twitter at http://www.twitter.com/ayampolskiy.