Hardening Security of Server- The Bottom Line

Securing Servers from internal and external threat is the key aspect of managing and administering Windows Servers. If you carefully design, implement and maintain IT Infrastructure you will have a better night sleep knowing you are safe. There will not be music in the ears of oncall Engineer facing nightmare. So how you accomplish a tight security and control on IT infrastructure without compromising work environment. Here are some tips for you.

Infrastructure Firewalls

You must have an isolated Head Office network from branch office. You can purchase MPLS or IP WAN service from your ISP. Alternatively you can create site to site VPN using security appliance or application like Forefront TMG 2010. A better design approach would be a multi-tier firewall so that your internal server, DMZ servers and branch servers stay securely connected. You can have specific VLANs for specific servers/services/applications with correct Access Control List (ACL) in Cisco switches and routers. This will add another layer of firewall to the network.

Computer based Firewalls

In Windows Server 2008 and Windows Server 2012, there is built in firewall. You can configure that built-in firewall for a group of servers or individual server to provide host based firewall. Both Server 2008 and Server 2012 shipped with advanced Firewall and security configuration tools which you can administer through Group Policy object.

Intrusion Detection System

Another key aspect of firewall is security appliance that provide you to harden security using Intrusion Detection System (IDS) /Intrusion Protection System (IPS). These are third-party Devices or appliance. The IDS helps you monitor network traffic, logs data about the traffic, analyses the traffic based on signatures and anomalies, recognizes potential attacks, and alerts the IT staff to the perceived attack. The IPS does all that, but it also has the capability to react to the perceived  attack. IPS is also capable of reacting to an attack based on your configured rules.

Server Hardening- The bottom line

You execute the following action to stop being hacked or take these actions to prevent hacking

  • Isolate Administrator Role for individual tasks similar to their job description.
  • Stopping and disabling all unnecessary services and applications
  • Renaming the Administrator account
  • Implement password policy using Default Domain Policy in Group Policy Object
  • Implement GPO to secure servers and clients
  • Deleting or disabling all unnecessary user accounts
  • Use of Service Account to run services and application instead of running services using IT Admin’s generic account and store password to safe location
  • Create Role Based User Account instead of using user account by user name
  • Requiring strong authentication and certificates to access applications
  • Performing regular firmware, operating system and application updates using WSUS or SCCM
  • Installing renowned Antivirus and Anti-Spyware program and manage them centrally 
  • Document all system configurations and store these documents in safe location
  • Audit and monitor IT infrastructure regularly to prevent any misconfiguration
  • Use Read only Domain Controller (RODC) for branch office
  • Utilize great benefit of Server Core Technology reducing surface attack further
  • Utilize NPS, NAP and Certificate Servers to secure access to applications and services.

FF TMG 2010—Can future be altered?

I read the following articles about Microsoft Forefront TMG 2010. I was shocked by the news. TMG 2010 is one of the beautiful product Wintel Engineers and Security Administer can be proud off. I believe I am one of the biggest admirer of Forefront Product lines.

                                                                    Death of TMG? by Deb Shinder 

What will happen with TMG?

The demise of Threat Management Gateway: Is Microsoft backing away from the edge?

I would like to voice my own opinion on this matter. I am sure I will find lots of similar minded techie out there who would love to share same opinion as me. I would like to send an open request to Microsoft Corp and MVPs to pursue for an advanced version of TMG that incorporate cloud security and address modern day security challenges.

I decided to write on a different perspective of TMG 2010 what I would like to see next service pack of Forefront Threat Management Gateway or in a future version if there is one. This is not an official account of Microsoft Corp. This is just my wish list. I hope and cross my finger that Microsoft will listen to those who are on the field working for a better and even bigger Microsoft community.   

FF TMG 2010: Here is details of evolution of today’s TMG 

image

TMG 2010 can be more advanced in terms Firewall Policy, Publishing Rules and Cloud Security. TMG 2010 may be available in Downloadable virtual Appliance build on Windows Server “Code name 8” and physical appliance through the Microsoft partners program. Microsoft declared TMG 2010 is in sustainable mode and will not invest on TMG for further development so my dream to administer TMG administration console via internet explorer and Silverlight will be just a dream. I would like to see TMG service pack as separate installed and TMG 2010+SP3 integrated together in a installer for those who wants to refresh TMG and adopt as a new customer.

Topology and Installation Changes: I would like to see a Hyper-V network incorporated into TMG. As you all know when installing TMG, TMG installer prompt you for subnets of Local area network. The new version will prompt you to add your cloud networks in an installation window. The installer will secure the local area network and private cloud network using default configuration which you will be able to modify and align later on with your desired topology and network layout.  

image

Incorporating Cloud Security:

clients and partners have serious concern over the years about Service provides who sells cloud solutions. For example, service provider selling Exchange cloud, SharePoint cloud, Anti-Spam  and Security Cloud Solution. There are questions to be asked when you buying public cloud solutions. This is not just having a hypervisor and virtual center. what about application security, identity and governance. How would to address your client’s concern of internal threat and external threat. How client will trust a provider when they place their data in somewhere service provider’s cloud.

Microsoft can/should/must address these issues by providing Security as a service. Forefront TMG can play a key role if Microsoft is willing take a step ahead to the bottom line.

  • Application security
  • Privacy
  • Legal issues
  • Availability
  • Identity management
  • Compliance
  • Business Continuity and data recovery
  • Data Security

Firewall Rules: New Publishing Tools in Tasks pan should include

  • Publish FTP Servers
  • Publish Lync Server
  • Publish Streaming Media Server
  • Secure Cloud Network

image

Configure IM and Social media policy: Web Access Policy Tasks Pan should include

  • Configure IM Access (Allow/Deny Skype/Lync/MSN/Yahoo Messenger)
  • Configure Social Media Access (Allow/Deny Social Media such as Twitter/FaceBook/Google+/Youtube)

image

Networks: Network rules incorporate a build-in cloud network and network rules establishing communication from LAN to Cloud network and External to Cloud network. During installation of TMG; allow rules to be configured automatically when selecting Hyper-V Server in DMZ.

image

Multicast NLB Configuration: NLB Properties should be added another check box to create firewall rule for Multicast NLB in a virtualized environment. That means Multicast NLB mac address can communicate within array members in a virtualized environment if there is strict security policy deployed through out the infrastructure.

image

List of New Protocol available: New Protocols includes following protocols and many more:

  • Cloud Protocols
  • Lync Protocol
  • Hyper-v Protocols

image

Generate offline Certificate request: There should be an option to generate offline certificate request in Systems>Tasks pan.

image

Integrating Bing Search with TMG 2014 Cache: Search result cached in TMG from Bing Search Engine and presented to client.

Bandwidth Management: TMG should be able to manage bandwidth by single user, multiple users, AD Security groups, IP address, Computer Name, Department, Site, Branch.

Configure Branch or Site TMG Server: Option can be selected during installation of TMG 2010+SP3 (integrated installer) whether TMG is a primary site or branch site. Selecting Branch Site will auto configure site server with site to site VPN (if selected) and even replicate with primary sites firewall rules and policies (depending on topology). when installing a branch TMG branch TMG will automatically create branch cache depending on selection of topology .

Reporting: Following are the examples of the reports will be available in TMG 2010 SP3. there will be many more.

image

  • User based report
  • AD Security Group Based report
  • Web Site Visited
  • IP Address visited
  • Web/Content Uses report
  • Download reports by users/Group/Department
  • Bandwidth Uses report
  • Caching report
  • Search Engine Visitor by Search Engine report
  • Real Time/Custom Traffic report
  • Traffic Trending report
  • Top 20 Net users
  • Top 20 Site Visited
  • Default Monthly report
  • Default Yearly report
  • TMG Health report

Audit and Change Management: TMG will include complete change manage and recording of Tasks/Events generated by role based user and systems itself.

Role based TMG management: TMG Workgroup Deployment and Domain Member deployment should include RBAC management.

  • Administrator
  • Organization Administrator (member of this group manages cluster of Arrays )
  • Backup operator (Commvault/Symantec Client/SCDPM client integrated)
  • Auditor/User (view permission)
  • Firewall Rules and Web Access Policy Operator
  • Single or Multiple array administrator

Tool Box: Pre-installed BPA, Troubleshooting, Monitoring & Capturing  Real Time Traffic.

Learn more about TMG here .

Forefront TMG 2010: organise different firewall rules by grouping rules

In this little article, I am going to show you how to group different firewall rules published and applied in Forefront TMG standard or enterprise version. You can do the following steps in TMG standard management console or TMG enterprise management server console. It can be done in a single standard array or multiple arrays in EMS.

Log on to TMG server using administrative credentials. open TMG management console. Click on Firewall Policy on the left hand side pan. You will be presented with rules you applied in TMG server.

1

Select more then on rules by simply pressing ctrl button and left side mouse click. Now right mouse click and click on create group.

2

On the policy group name box, type name of the group as shown on picture. Click ok.

3

Now Apply changes. Click OK and see the organised rules and polices.

   4 5 

You repeat these steps for web access policy and Email-policy also.

shareAdd to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine