Chapter 7: The File Server Role
Published: December 31, 2003 | Updated: April 26, 2006 OverviewIt can be a challenge to harden file server computers that run Microsoft® Windows Server™ 2003 with Service Pack 1 (SP1), because the most essential services that these servers provide are the ones that require the Server Message Block (SMB) and Common Internet File System (CIFS) protocols. These protocols can provide rich information to unauthenticated users, and they are often disabled in high security Windows environments. However, it will be difficult for both users and administrators to access file servers if these protocols are disabled. Most of the policy settings in this chapter are configured and applied through Group Policy. A Group Policy object (GPO) that complements the Member Server Baseline Policy (MSBP) can be linked to the appropriate organizational units (OUs) that contain the file servers to provide the required security settings for this server role. This chapter only discusses those policy settings that vary from the MSBP. Where possible, these policy settings are gathered in an incremental Group Policy object that will be applied to the File Servers OU. Some of the policy settings in this chapter cannot be applied through Group Policy. Detailed information about how to configure these policy settings manually is provided. The following table shows the names of the file server security templates for the three environments that are defined in this guide. These templates provide the settings for the incremental File Server template, which in turn is used to create a new GPO that is linked to the File Servers OU in the appropriate environment. Step-by-step instructions are provided in Chapter 2, "Windows Server 2003 Hardening Mechanisms" to help you create the OUs and Group Policies and then import the appropriate security template into each GPO. Table 7.1 File Server Security Templates
For information about policy settings in the MSBP, see Chapter 4, “The Member Server Baseline Policy.” For information on all default policy settings, see the companion guide, Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, which is available at https://go.microsoft.com/fwlink/?LinkId=15159. Audit Policy SettingsThe Audit policy settings for file servers in the three environments that are defined in this guide are configured through the MSBP. For more information about the MSBP, see Chapter 4, "The Member Server Baseline Policy." The MSBP settings activate security audit information logging on all file servers. User Rights AssignmentsThe user rights assignment settings for file servers in the three environments that are defined in this guide are configured through the MSBP. For more information about the MSBP, see Chapter 4, "The Member Server Baseline Policy." The MSBP settings uniformly configure all appropriate user rights assignments on all file servers. Security OptionsThe security options settings for file servers in the three environments that are defined in this guide are configured through the MSBP. For more information about the MSBP, see Chapter 4, "The Member Server Baseline Policy." The MSBP settings uniformly configure all relevant security option settings on all file servers. Event Log SettingsThe event log settings for file servers in the three environments that are defined in this guide are configured through the MSBP. For more information about the MSBP, see Chapter 4, "The Member Server Baseline Policy." Additional Security SettingsAlthough the security settings that the MSBP applies significantly enhance the security of file servers, this section discusses some additional considerations. However, the settings in this section cannot be implemented through Group Policy and must therefore be performed manually on all file servers. Securing Well-Known AccountsWindows Server 2003 with SP1 has a number of built-in user accounts that cannot be deleted but can be renamed. Two of the most well-known built-in accounts in Windows Server 2003 are Guest and Administrator. By default, the Guest account is disabled on member servers and domain controllers. This configuration should not be changed. Many variations of malicious code use the built-in Administrator account in an initial attempt to compromise a server. Therefore, you should rename the built-in Administrator account and alter its description to help prevent compromise of remote servers by attackers who try to use this well-known account. The value of this configuration change has diminished over the past few years since the release of attack tools that specify the security identifier (SID) of the built-in Administrator account to determine its true name and then break into the server. A SID is the value that uniquely identifies each user, group, computer account, and logon session on a network. It is not possible to change the SID of this built-in account. However, your operations groups can easily monitor attempted attacks against this Administrator account if you rename it with a unique name. To secure well-known accounts on file servers
Note: You can rename the built-in Administrator account through Group Policy. This setting was not implemented in any of the security templates that are provided with this guide because every organization should choose a unique name for this account. However, you can configure the Accounts: Rename administrator account setting to rename administrator accounts in all three environments that are defined in this guide. This policy setting is a part of the Security Options settings of a GPO. Securing Service AccountsNever configure a service to run under the security context of a domain account unless it is unavoidable. If the server is physically compromised, domain account passwords could be easily obtained by dumping LSA secrets. For more information about how to secure service accounts, see The Services and Service Accounts Security Planning Guide at https://go.microsoft.com/fwlink/?LinkId=41311. Creating the Policy Using SCWTo deploy the necessary security settings, you must use both the Security Configuration Wizard (SCW) and the security templates that are included with the downloadable version of this guide to create a server policy. When you create your own policy, be sure to skip the "Registry Settings" and “Audit Policy” sections. These settings are provided by the security templates for your chosen environment. This approach is necessary to ensure that the policy elements that are provided by the templates take precedence over those that would be configured by SCW. You should use a new installation of the operating system to begin your configuration work, which helps ensure that there are no legacy settings or software from previous configurations. If possible, you should install the operating system on hardware that is similar to the hardware that is used in your deployment to help ensure as much compatibility as possible. The new installation is called a reference computer. To create the file server policy
Test the Policy Using SCWAfter you create and save the policy, Microsoft strongly recommends that you deploy it to your test environment. Ideally, your test servers will have the same hardware and software configuration as your production servers. This approach will allow you to find and fix potential problems, such as the presence of unexpected services that are required by specific hardware devices. Two options are available to test the policy. You can use the native SCW deployment facilities, or deploy the policies through a GPO. When you start to author your policies, you should consider using the native SCW deployment facilities. You can use the SCW GUI to push a policy to a single server at a time, or use Scwcmd to push the policy to a group of servers. The native deployment method allows you to easily roll back deployed policies from within SCW. This capability can be very useful when you make multiple changes to your policies during the test process. The policy is tested to ensure that the application of this policy to the target servers will not adversely affect their critical functions. After you apply the configuration changes, you should begin to verify the core functionality of the computer. For example, if the server is configured as a certification authority (CA), ensure that clients can request and obtain certificates, download a certificate revocation list, and so on. When you are confident in your policy configurations, you can use Scwcmd as shown in the following procedure to convert the policies to GPOs. For more information about how to test SCW policies, see the Deployment Guide for the Security Configuration Wizard at https://technet2.microsoft.com/WindowsServer/en/Library/5254f8cd-143e-4559-a299-9c723b3669461033.mspx and the Security Configuration Wizard Documentation at https://go.microsoft.com/fwlink/?linkid=43450. Convert and Deploy the PolicyAfter you thoroughly test the policy, complete the following steps to convert it into a GPO and deploy it:
Note that if the SCW security policy file contains Windows Firewall settings, Windows Firewall must be active on the local computer for this procedure to complete successfully. To verify that Windows Firewall is active, open Control Panel and then double-click Windows Firewall. You should now perform a final test to ensure that the GPO applies the desired settings. To complete this procedure, confirm that the appropriate settings were made and that functionality is not affected. SummaryThis chapter explained the policy settings that can be used to configure file servers that run Windows Server 2003 with SP1 in the three environments that are defined in this guide. Most of the policy settings are applied through a Group Policy object (GPO) that was designed to complement the MSBP. GPOs can be linked to the appropriate organizational units (OUs) that contain the file servers to provide additional security. Some policy settings cannot be applied through Group Policy. For these policy settings, manual configuration details were provided. More InformationThe following links provide additional information about topics that relate to hardening file servers that run Windows Server 2003 with SP1.
|
|