Chapter 7: Hardening File Services

 

This chapter focuses on how to harden computers that perform the File Services role service available in Windows Server® 2008. Computers that perform this role can provide a particular challenge to harden, because balancing the security and functionality of the fundamental services that they provide is a fine art. Windows Server 2008 introduces a number of new features that can help you to control and harden the File services in your environment.

Server Message Block (SMB) is the file-sharing protocol that Windows®-based computers use by default. SMB is an extension of the Common Internet File System (CIFS). Windows Server 2008 features SMB version 2.0, which provides enhanced performance.

You can configure and apply most of the policy settings this chapter discusses through Group Policy. You can link a Group Policy object (GPO) that complements the Member Server Baseline Policy (MSBP) to the appropriate organizational units (OUs) that contain computers running Windows Server 2008 that perform the File Services role. Doing this provides the required security settings for this server role. This chapter only discusses Group Policy settings that vary from those for the MSBP.

The File Services role service also allows you to install the Distributed File System (DFS) role service. DFS consists of the following two technologies that you can use together or independently to provide fault-tolerant and flexible file sharing and replication services on a Windows-based network:

  • DFS Namespaces. This technology enables you to group shared folders located on different servers into one or more logically structured namespaces. Each namespace appears to users as a single shared folder with a series of subfolders. However, the underlying structure of the namespace can consist of numerous shared folders located on different servers and in multiple sites. Because the underlying structure of shared folders is hidden from users, a single folder in a DFS namespace can correspond to multiple shared folders on multiple servers. This structure provides fault tolerance and the ability to automatically connect users to local shared folders, instead of routing them over wide area network (WAN) connections.
  • DFS Replication. This technology is a multimaster replication engine that enables you to synchronize folders on multiple servers across local or WAN network connections. This service uses the Remote Differential Compression (RDC) protocol to update only the portions of files that have changed since the last replication. You can use DFS Replication in conjunction with DFS Namespaces or by itself.

In addition, you can install the File Server Resource Manager (FSRM) role service, which provides a suite of tools that enables administrators to understand, control, and manage the quantity and type of stored data that the File services use. By using FSRM, you can place quotas on folders and volumes, actively screen files, and generate comprehensive storage reports.

The Services for Network File System (NFS) role service provides another file sharing solution for an enterprise that has a mixed Windows and UNIX environment. With Services for NFS, you can transfer files between computers running Windows Server 2008 and UNIX operating systems using the NFS protocol. The Windows Search Service also enables you to perform fast file searches on a server from client computers that are compatible with Windows Search.

The Windows Server® 2003 File Server role provides the following services to Windows Server 2008 file servers to make them compatible with file servers running Windows Server 2003 and Windows® 2000:

  • File Replication Service (FRS), which supports synchronizing folders with file servers that use FRS instead of the newer DFS Replication service. To enable a server to synchronize folders with servers that use FRS with the Windows Server 2003 or Windows 2000 implementations of Distributed File System, install FRS. To enable the latest and most efficient replication technology, install DFS Replication.
  • Indexing Service, which catalogs the contents and properties of files on local and remote computers. This service also enables you to quickly find files through a flexible query language. You cannot install Indexing Service and Windows Search Service on the same computer.

You can also install the following optional sub-elements for the File Services role:

  • Windows Server Backup, which helps you reliably back up and recover the operating system, Windows Server System™ applications, and files and folders stored on the server. This sub-element introduces new backup and recovery technology, and replaces the previous Backup feature available in earlier versions of Windows.
  • Storage Manager for SANs, which enables you to provision Fibre Channel or iSCSI storage subsystems on a storage area network (SAN).
  • Multipath I/O, which allows you to increase data availability by providing redundant connections to storage subsystems. Multipathing can also provide load balancing of I/O traffic to improve system and application performance.

The following figure illustrates the role services that make up the Windows Server 2008 File Services role.


Figure 7.1. Role services hierarchy for the File Services role

Attack Surface

The File Services role provides technologies for storage management, file replication, distributed namespace management, fast file searching, and streamlined client access to files. To determine the attack surface of this role service, you need to identify the following.

  • Installed files. These are files that are installed as part of the File Server role.

  • Installed services. These are services that are installed as part of the File Server role.

Note You can use the RootkitRevealer and Sigcheck utilities that are part of Windows Sysinternals to verify the integrity of the installed files and the files that the services run.

  • Firewall rules. These are the firewall rules that the File Server role uses.

The details of the attack surface for the File Services role are included in the Windows Server 2008 Attack Surface Reference workbook that accompanies this Solution Accelerator. To view the attack surface for this server role, on the File tab of the workbook, view the sections that correspond to each of the items in the previous list.

Security Measures

This section describes the security measures that you can incorporate into your File Server role service configuration to protect the server against malicious attacks. The recommendations that follow assume that you have only selected the File Server role service option on the Select Role Services page of the Add Roles Wizard. Recommendations for other role services are not included.

Configuration Checklist

This section includes configuration recommendations and a checklist based on best practices to further harden the File servers in your environment. Recommendations for the DFS, FSRM, Services for Network File System, Windows Search Service, and Windows Server 2003 File Services role services are not included. For more information about how to configure these services, see File Services in the Windows Server 2008 Technical Library.

While these configuration changes help to protect your File servers against these threats, Microsoft recommends using additional antivirus protection to ensure that the File servers in your organization have real-time monitoring of files transferred through these servers. For more information about real-time antivirus protection for Windows Server 2008, see Security and Protection in the Windows Server 2008 Technical Library.

The following table summarizes the recommended security configuration tasks for hardening servers performing the File Server role service. If you need help to complete any of the checklist items, see the following sections in this chapter for additional details and recommendations.

Table 7.1. Configuration Checklist

| Configuration tasks |
| --- |
| Deploy a Server Core installation of Windows Server 2008. |
| Digitally sign communications. |
| Consider removing administrative shares. |
| Consider using encryption for drives and files. |

Deploy a Server Core Installation of Windows Server 2008

Deploying Windows Server 2008 using the Server Core installation option further reduces the attack surface of the operating system by reducing the number of installed files and running services. The advantage of the Server Core installation option is that a graphical user interface (GUI) is not installed, so the files and services required by the normal GUI are not installed.

When you use the Server Core installation option of Windows Server 2008 to deploy the operating system, you can only locally manage the server using command-line tools. To manage the server using GUI-based tools, you must install and run these tools on another computer with a Windows-based GUI.

The Server service installs and starts by default when you create a Windows Server 2008 Server Core installation and this service supports the File Server role service. If you need to install other services associated with the File Services role on a computer running a Server Core installation of Windows Server 2008, see the Server Core Installation Option of Windows Server 2008 Step-by-Step Guide.

You can use the following command-line tools to manage the File Server role services:

  • net share
  • chkdsk
  • chkntfs
  • dfsutil
  • diskpart
  • fsutil
  • vssadmin

This is a partial list. For a complete list of command-line tools and information about how to use them, see the "Command Reference" section of the Windows Server 2008 Technical Library.

You can also use WMI scripts or WS-Management and the Windows Remote Shell to remotely manage File Services role services on computers running Windows Server 2008 Server Core installations.

For more information about WMI, see Windows Management Instrumentation.

For more information about WS-Management and the Windows Remote Shell, see Windows Remote Management.

Note The rest of this section assumes that you are running a standard installation of Windows Server 2008. If you have installed Windows Server 2008 Server Core for your File Server role, you can follow these steps using the Microsoft Management Console (MMC) snap-in from a remote computer.

Digitally Sign Communications

The SMB protocol provides the basis for Microsoft file and print sharing, and many other network operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports SMB packet digital signing. You can configure the Group Policy setting for Microsoft network server: Digitally sign communications (always) in the following location in the Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted. The setting for Microsoft network server: Digitally sign communications (always) is set to Disabled by default in Windows Server 2008. Microsoft recommends enabling this setting for file servers running in the EC and SSLF environments defined in this guide.

For more information about this security setting, see Microsoft network server: Digitally sign communications (always).

Consider Removing Administrative Shares

By default, Windows Server 2008 creates a number of shares that are only accessible to users with administrator user rights on the File Server role service computer. For a File server with a single hard disk drive running the File Server role service, the following table defines these shares.

Table 7.2. File Server Administrative Shares

| Share | Description | Path |
| --- | --- | --- |
| Admin$ | A share that an administrator uses to perform remote administration on a computer. | C:\Windows |
| DriveLetter$ | Root partitions and volumes are shared as the drive letter name appended with the $ character. | C:\ |

For each additional volume on the server that you create, Windows Server 2008 creates a corresponding share of the volume root to make it available over the network to administrators.

In general, Microsoft recommends that you do not modify these special shares. However, if your organization has specific security requirements to remove these default folder shares and prevent the operating system from automatically creating them, you can perform the following procedure by using the Registry Editor.

Caution If you use the Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using the Registry Editor incorrectly. Use the Registry Editor at your own risk.

To remove administrative shares and prevent Windows from automatically creating them

  1. Click Start, click Run, and then in the Open box, type regedit and press ENTER.

  2. If you receive a User Account Control warning, click Continue.

  3. Locate, and then click the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer
    

Note If the registry key is not listed, add it manually. AutoShareServer must be set as type REG_DWORD. When you set the value of this key to 0 (zero), Windows Server 2008 does not automatically create administrative shares. This does not apply to the IPC$ share or shares that you create manually.

  4. On the Edit menu, click Modify, and then in the Value data box, type 0, and click OK.

  5. Quit Registry Editor.

  6. Click Start, and then click Run.

  7. In the Open box, type cmd, and then click OK.

  8. At the command prompt, type the following lines, and press ENTER after each line:

    net stop server
    net start server

  9. Type exit and then press ENTER.

Note If you use the user interface to stop the administrative shares and do not modify the registry, the shares will start again once you restart the Server service or if the server is reset.
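The two settings described above (required SMB signing and AutoShareServer) can be verified from the output of the command-line tools this chapter lists, for example when collected from Server Core installations. The following Python audit is an added example, not part of the original guide; it assumes the signing policy is stored as the RequireSecuritySignature value under the LanmanServer\Parameters key, and the reg query and net share output embedded in it is constructed sample data.

```python
import re

# Constructed sample: output of
#   reg query HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    AutoShareServer    REG_DWORD    0x0
    RequireSecuritySignature    REG_DWORD    0x0
"""

# Constructed sample: output of `net share` on the same server
SAMPLE_SHARES = r"""
Share name   Resource                        Remark
-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\Windows                      Remote Admin
Projects     D:\Projects
"""

def parse_reg_dwords(text):
    """Map value name -> int for every REG_DWORD line of `reg query` output."""
    rows = re.findall(r"^[ \t]+(\S+)[ \t]+REG_DWORD[ \t]+0x([0-9a-fA-F]+)\s*$", text, re.M)
    return {name: int(data, 16) for name, data in rows}

def live_admin_shares(text):
    """Admin$ and DriveLetter$ shares listed by `net share`; IPC$ is excluded."""
    names = re.findall(r"^(ADMIN\$|[A-Z]\$)(?:\s|$)", text, re.M | re.I)
    return [name.upper() for name in names]

def audit(reg_text, share_text, shares_must_be_removed=True):
    """Return findings; an empty list means the checked settings are in place."""
    values = parse_reg_dwords(reg_text)
    findings = []
    # An absent value counts as Disabled, the default this chapter states.
    if values.get("RequireSecuritySignature", 0) != 1:
        findings.append("SMB signing is not required by the server")
    if shares_must_be_removed:
        # An absent AutoShareServer leaves automatic share creation enabled.
        if values.get("AutoShareServer") != 0:
            findings.append("AutoShareServer is not 0")
        live = live_admin_shares(share_text)
        if live:  # e.g. value set but the Server service not restarted yet
            findings.append("administrative shares present: " + ", ".join(live))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_REG, SAMPLE_SHARES):
        print(finding)
```

Pass `shares_must_be_removed=False` for servers where the organization keeps the default administrative shares, so that only the signing requirement is checked.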

Consider Using Encryption for Drives and Files

For environments with elevated security requirements, consider using encryption to secure the hard disk drives and data on your Windows Server 2008 computers performing the File Server role service. You can use one of two options for this on computers running Windows Server 2008 that perform the File Server role service:

  • Microsoft BitLocker™ Drive Encryption.
  • Encrypting File System (EFS).

BitLocker protects data on the server by preventing unauthorized users from breaking Windows file and system protection on lost or stolen computers. BitLocker encrypts entire volumes, including all user and system files, as well as the swap and hibernation files.

For more information about how to use BitLocker to protect data on a computer running the File Server role service, see Windows BitLocker Drive Encryption.

EFS enables you to encrypt files stored on volumes that use the NTFS file system. EFS is integrated with NTFS, is easy to manage, and is difficult to attack. EFS enhancements in Windows Vista® and Windows Server 2008 include improvements in manageability and support for storing encryption keys on smart cards.

For more information about how to use EFS to protect data on your computer running the File Server role service, see Encrypting File System.

More Information

The following resources on Microsoft.com can provide you with more security best practice information about how to design and maintain a server running Windows Server 2008 that performs the File Server role:

This accelerator is part of a larger series of tools and guidance from Solution Accelerators.
