A 12-Step Plan for File Server Security

Securely bringing a Windows file server on the network may not sound difficult. But when it's running Windows Server 2003, there's a lot you need to know to do it right.

In the May issue, I wrote about hardening the first domain controller in the first domain in a new Windows Server 2003 forest. This month, I’m going to talk about hardening a typical Windows 2003 file server. But wait: Isn’t Windows 2003 secure right out of the box? Well, it is locked down, but it’s not locked down as much as it can be. Instead, it’s locked down enough so those who don’t think about security—who simply do a default install—can build a reasonably secure server and put it on the production line.

Why a mundane file server? Well, Windows servers are most commonly used as file servers or as file and print servers. A file server is also likely to be your first production Windows 2003 system. If you’ve invested heavily in Windows 2000, or are just easing your way away from Windows NT 4.0, bringing up a file server is a pretty painless way to begin the move and start reaping the benefits of Windows 2003.

So, grab your evaluation disk (get one if you don’t have one already, at www.microsoft.com/windowsserver2003/evaluation/trial/default.mspx), do a default install and follow these 12 steps.

Caution! These steps, if used to harden your production servers, may break something. That’s right; if you lock the doors too tight, nothing can get out or get in, and that’s probably not what you want. I’ll try to steer you away from common pitfalls, but you know your networks and business needs best.

1. Configure and Populate the Operator Group
Rather than use the default Administrators group, create a group of approved operators and give them the rights needed to secure and/or maintain the server. Reserve the Administrators group as a last resort or as the ultimate authority. There are some duties you may not want day-to-day administrators to perform, and having a separate group with narrowly defined rights allows this. If, for example, you want to allow some administrators to work with users, groups and object permissions, and others to be responsible for system-wide operations such as modifying security settings, it’ll be easier to do with separate groups.

If this server will be part of a domain, consider the permission settings on the Organizational Unit (OU) within which this server will lie, as you may want to change them. Open the OU properties and clear the “allow inheritable permissions from parent to propagate to this object and all child objects” button. Then, remove all unnecessary groups. Next, add an Operators group. At minimum, retain Domain Administrators and give both groups Full Control.

2. Prepare a Security Template
If you haven’t started using security templates to secure your Windows systems, shame on you! Templates are compilations of security settings and can be used in either domain or standalone environments. They’re a great way to consolidate security configuration, enforce written security policy and provide a repeatable, auditable strategy for security. You can develop as many templates as needed. Create one for each type of system in your network or hierarchical systems, which, when imported into Group Policy, can apply security across large numbers of systems without additional work.

Window 2003 has numerous de-fault settings that make it singularly more secure than Win2K. Using a security template can help ensure those settings don’t change, as well as provide a means to further tighten security.

Templates are divided into seven major sections. All are relevant to securing file servers, and most are relevant to all servers. Plan on having two templates: one that can be applied to all servers and an incremental one just for file servers. Both templates can be applied to the file server. Where settings don’t conflict, they’ll be merged; and where they do conflict, the last template applied will win. Make sure to apply the file server template second. In a domain, of course, an OU for servers can have a Group Policy into which the basic server template can be imported, and a child OU for file servers will use the specific file server template in its GPO.

Some security settings can be hardened beyond the defaults. In the list that follows, I don’t specify the default security settings with which I agree. Many of these default settings are enormous improvements over Win2K defaults.

To see baseline settings for a domain of Windows 2003 servers, download and examine the “Windows 2003 Security Guide,” http://go.microsoft.com/fwlink/?LinkId=14845.

Included with this document are a number of pre-configured templates that match the settings discussed in the document.

Account Policies
Account Policies consist of Password Policy, Account Lockout and Kerberos Policy. Kerberos Policy is only applicable at the domain level and, thus, won’t be addressed here. Nor is this a discussion about how to set domain account policies, though you might apply some of this thought process when developing those policies. These settings, whether applied in the baseline template or a specific file server template, apply to only local accounts on the file server.

If your Windows 2003 file server is standalone, these local accounts are the ones that must be used to access resources on this server and administer it. If the server is part of a domain, it still has a local account database, and you need to address security for those accounts and groups. You may also decide to use local administrative accounts for managing some servers, especially to limit the administrative reach of these accounts within the domain. Tables 1 and 2 list the Password and Account Lockout settings that should be tightened.

I recommend decreasing Maximum Password Age from 45 days to 29 days if the server is part of a domain. Because domain user accounts will be used to get data on the file server, settings made here will have no effect; but requiring more frequent password changes can strengthen the security of local Administrator accounts.

Likewise, changing the minimum password length of passwords to 15 will have no impact on ordinary user accounts in a domain environment, but it will affect how long it takes an attacker to crack the password of local accounts. In a standalone server environment, if you must reduce the password length, require administrators, by policy, to use longer passwords.

Account Lockout Duration is the length of time an account will be locked out. A setting of “0” locks out the user until an admin resets the password. By setting this to 30 minutes, fumble- fingered or stressed individuals can access their accounts without accidentally locking themselves out. It also prevents an attacker from waiting just a brief time for the lockout to be reset before trying more guesses.

Setting the Account Lockout Threshold to 10 invalid attempts gives nervous or clumsy users enough chances to get the password correct, while also preventing an attacker from compromising the account. It would take a rare attacker to deduce a password in fewer than 10 tries (of course, if weak passwords like “password” are allowed, 10 tries may be more than enough).

Table 1. Password Policy defaults and recommendations
Setting Default Robertra Recommends
Maximum Password Age 45 days 29 days and only when prompted by system
Minimum Password Length seven characters for domain members 15 characters
Passwords must meet complexity requirements Enabled Enabled, but admins should write their own filters

 

Table 2. Account Lockout Policy defaults and recommendations
Setting Default Roberta Recommends
Account Lockout Duration Not Defined 30 minutes
Account Lockout Threshold 0 10 invalid attempts

Local Policies
Local Polices include Audit Policy, User Rights and Security options. Let’s look at each in turn.

Audit Policy
Turning on Audit Object Access doesn’t generate any events but does allow requiring events at the object level. You can’t generate events by setting object level access unless Audit Object Access is turned on (see Table 3). Turning on this Audit Policy means activity involving files, folders, Registry keys and printers can be tracked. You must, however, choose which objects to monitor and the type of monitoring to do. For example, one audit setting useful for tracking executable files is “Write and Append Data.” This tracks the replacement of or changes to files, which might alert you to viruses, worms and Trojan horse attacks, as well as rogue administrator action.

You should audit the use of Privileges. Auditing Privilege Use can generate a lot of extraneous records. How-ever, in a high-security environment, knowing who’s done what is almost as important as preventing people from doing things.

Table 3. Defaults and recommended audit settings
Setting Default Roberta Recommends
Audit Account Management No auditing Success and failure
Audit Object access No auditing Success and failure
Audit Policy change Success Success and failure
Audit Privilege use No auditing Success and failure

User Rights
User rights set in a domain override user rights set on a computer. However, if a local user account is used, then rights like password policies are determined by the local policy.

Revoke those rights that ordinary users shouldn’t have, such as, “Act as part of the operating system.” Be explicit: Remember that rights not explicitly given are implicitly denied.

Security Options
Security options represent a large number of settings that can be maximized in hardening servers. Table 5, in the online version of this article, contains new Windows 2003 settings and changes in the default settings from Win2K.

Warning: Some default security settings may cause problems for legacy systems. Always test settings before deploying them in your network.

Event Log
Increase the size of the security Event Log to ensure adequate space for events.

Services
Many services are disabled by default; others aren’t installed. This is a really good thing. However, for a specific server role, it’s possible to lock down the system even tighter.

 Services not installed should be marked as Disabled in the template. This way, if the service is installed, it can’t run.

 Permissions should be set on the services in the template. Restrict who can stop, start and disable services. Additional services can be safely disabled, as they’re not needed for the file server’s normal operation.

 Two file-system-specific services should be disabled in certain circumstances: the Distributed File System (DFS) and the File Replication Service (NTFRS). DFS manages logical volumes distributed across a LAN or WAN. Disabling DFS requires the user to know the names of all servers and shares in order to access them, so it should be disabled in a high-security network. NTFRS enables automatic maintenance and copying of files on multiple servers. It’s required by Active Directory on domain controllers (and is often used with DFS) but not needed on a non-DC box like a file server.

 Never use a domain account as a service account. Service accounts often require administrative privileges, and their passwords are cached in the LSA secrets. If a computer is compromised, the attacker or rogue local administrator can obtain these secrets (using available attack tools) and use them to attack other domain computers.

3. Determine Repeatable Strategy for Applying the Template
Templates can be imported into domain and OU Group Policies. This allows them to be distributed across multiple computer accounts and periodically refreshed. Security templates can be applied to standalone computers by using the Security Configuration and Analysis tool or the secedit command. Batch files or scripts can be written to refresh the settings.

Store templates in a safe place, as they can be used to reapply policy settings or audit security on the file servers. If all copies of templates are stored publicly, they can be altered to match less restrictive settings.

Before reconfiguring settings through templates, do a complete backup—including the System State, which in-cludes Registry settings.

4. Set Restricted Groups
Use local Group Policy (or a GPO in the OU) to set restricted groups. Restrict the local Administrators group and any special Operators groups created. Add approved user accounts to the restricted group in the policy. Users and groups added to these groups in the normal manner will be automatically removed unless also added here. Restricting the administrators who can change these settings prevents unauthorized additions to the groups.

5. Write and Apply IPSec Policy
Hardening file servers is difficult, as they usually provide services requiring NetBIOS-related protocols. These protocols—Server Message Blocks (SMB) and Common Internet File System (CIFS)—can provide tidbits of attacker-useful information to unauthorized individuals.

You can restrict access to these and other protocols by configuring and assigning IPSec Policies. Set an IPSec rule that blocks all access to all ports, and then applies more specific rules/filters, enabling access from specific computers or to specific ports. Some examples of what can be done through IPSec include:

 Allowing access from any source address to the file server for ports 445, 137, 138 and 139, but denying this kind of blanket access to other services.

 Restricting access to terminal services (port 3389) by allowing access from specific computers only. This helps to compensate for the blocking of RPC traffic used by many management services.

 Allowing all traffic to and from the file server and domain controllers.

 Allowing traffic between the file server and Microsoft Operations Manager.

6. Ensure Correct Time
Time is critical for many reasons:

 NTLMv2 authentication requires client and server clocks to be within 30 minutes of each other.

 Kerberos only allows a five-minute difference.

 Event correlations between computers won’t be possible if there are time differences.

 Evidence must be correctly identified to be valid. The time recorded must be correct to use logs in proving hack attempts.

Windows 2003 domain members will time-synch with their domain. However, you must ensure correct configuration of the PDC emulator in the domain with an accurate time source. Standalone servers require their own configuration.

7. Set Specific Account Restrictions
Account restrictions can be set on individual accounts. You can limit logon hours, restrict domain workstations from which a user can log on, prevent accounts from being delegated and so on. In a domain, these settings are made from the Account page of the user properties.

8. Set Local Server Security Settings
In a domain, security templates can automate security settings for groups of computers. Some special settings, though, can’t be automated. For example, the Guest user account, the Guests group and the Support 388045a0 account all have unique SIDs, which means these accounts can’t be centrally set. Set local policies where necessary.

9. Monitor for Attack Indicators
Event 539 reads “Logon Failure, the account was locked out at the time the logon attempt was made.” Seeing a large number of these events in the log should be interpreted as a possible password-cracking attack. A large number of such indicators exists. I’ll examine these in a future column.

10. Use NTFS
You can’t set file ACLs and SACLs on FAT volumes. Security relies on the ability to set defense in depth. A large part of that is file permissions.

11. Use Administrative Template Settings
A number of security settings aren’t available in Security Templates. Instead, they can be set through the Administrative Templates area of Group Policy. (On a standalone file server, load the local Group Policy by using a custom MMC.)

One important setting to disable is Error Reporting, through Computer Configuration | Administrative Templates | System | Error Reporting. Error reporting can contain sensitive or confidential data. The data crosses the network in clear text, making it easy to intercept.

12. Document, Secure and Maintain Security Settings
If the security settings for the file server can be modified, the file server won’t be secure. Obvious, isn’t it? But you still must take steps to ensure that settings can’t be modified by unauthorized individuals. If, however, settings are modified, you have the ability to determine it. The security and audit settings mentioned previously can help. Another tool is Security Configuration and Analysis. Use it to verify that security is in compliance with agreed-upon template settings. Finally, store those templates in a secure place so that modifications to the online templates don’t skew the analysis of approved security policy.

Featured