Hardening Security of Server- The Bottom Line

Securing Servers from internal and external threat is the key aspect of managing and administering Windows Servers. If you carefully design, implement and maintain IT Infrastructure you will have a better night sleep knowing you are safe. There will not be music in the ears of oncall Engineer facing nightmare. So how you accomplish a tight security and control on IT infrastructure without compromising work environment. Here are some tips for you.

Infrastructure Firewalls

You must have an isolated Head Office network from branch office. You can purchase MPLS or IP WAN service from your ISP. Alternatively you can create site to site VPN using security appliance or application like Forefront TMG 2010. A better design approach would be a multi-tier firewall so that your internal server, DMZ servers and branch servers stay securely connected. You can have specific VLANs for specific servers/services/applications with correct Access Control List (ACL) in Cisco switches and routers. This will add another layer of firewall to the network.

Computer based Firewalls

In Windows Server 2008 and Windows Server 2012, there is built in firewall. You can configure that built-in firewall for a group of servers or individual server to provide host based firewall. Both Server 2008 and Server 2012 shipped with advanced Firewall and security configuration tools which you can administer through Group Policy object.

Intrusion Detection System

Another key aspect of firewall is security appliance that provide you to harden security using Intrusion Detection System (IDS) /Intrusion Protection System (IPS). These are third-party Devices or appliance. The IDS helps you monitor network traffic, logs data about the traffic, analyses the traffic based on signatures and anomalies, recognizes potential attacks, and alerts the IT staff to the perceived attack. The IPS does all that, but it also has the capability to react to the perceived  attack. IPS is also capable of reacting to an attack based on your configured rules.

Server Hardening- The bottom line

You execute the following action to stop being hacked or take these actions to prevent hacking

  • Isolate Administrator Role for individual tasks similar to their job description.
  • Stopping and disabling all unnecessary services and applications
  • Renaming the Administrator account
  • Implement password policy using Default Domain Policy in Group Policy Object
  • Implement GPO to secure servers and clients
  • Deleting or disabling all unnecessary user accounts
  • Use of Service Account to run services and application instead of running services using IT Admin’s generic account and store password to safe location
  • Create Role Based User Account instead of using user account by user name
  • Requiring strong authentication and certificates to access applications
  • Performing regular firmware, operating system and application updates using WSUS or SCCM
  • Installing renowned Antivirus and Anti-Spyware program and manage them centrally 
  • Document all system configurations and store these documents in safe location
  • Audit and monitor IT infrastructure regularly to prevent any misconfiguration
  • Use Read only Domain Controller (RODC) for branch office
  • Utilize great benefit of Server Core Technology reducing surface attack further
  • Utilize NPS, NAP and Certificate Servers to secure access to applications and services.

FF TMG 2010—Can future be altered?

I read the following articles about Microsoft Forefront TMG 2010. I was shocked by the news. TMG 2010 is one of the beautiful product Wintel Engineers and Security Administer can be proud off. I believe I am one of the biggest admirer of Forefront Product lines.

                                                                    Death of TMG? by Deb Shinder 

What will happen with TMG?

The demise of Threat Management Gateway: Is Microsoft backing away from the edge?

I would like to voice my own opinion on this matter. I am sure I will find lots of similar minded techie out there who would love to share same opinion as me. I would like to send an open request to Microsoft Corp and MVPs to pursue for an advanced version of TMG that incorporate cloud security and address modern day security challenges.

I decided to write on a different perspective of TMG 2010 what I would like to see next service pack of Forefront Threat Management Gateway or in a future version if there is one. This is not an official account of Microsoft Corp. This is just my wish list. I hope and cross my finger that Microsoft will listen to those who are on the field working for a better and even bigger Microsoft community.   

FF TMG 2010: Here is details of evolution of today’s TMG 

image

TMG 2010 can be more advanced in terms Firewall Policy, Publishing Rules and Cloud Security. TMG 2010 may be available in Downloadable virtual Appliance build on Windows Server “Code name 8” and physical appliance through the Microsoft partners program. Microsoft declared TMG 2010 is in sustainable mode and will not invest on TMG for further development so my dream to administer TMG administration console via internet explorer and Silverlight will be just a dream. I would like to see TMG service pack as separate installed and TMG 2010+SP3 integrated together in a installer for those who wants to refresh TMG and adopt as a new customer.

Topology and Installation Changes: I would like to see a Hyper-V network incorporated into TMG. As you all know when installing TMG, TMG installer prompt you for subnets of Local area network. The new version will prompt you to add your cloud networks in an installation window. The installer will secure the local area network and private cloud network using default configuration which you will be able to modify and align later on with your desired topology and network layout.  

image

Incorporating Cloud Security:

clients and partners have serious concern over the years about Service provides who sells cloud solutions. For example, service provider selling Exchange cloud, SharePoint cloud, Anti-Spam  and Security Cloud Solution. There are questions to be asked when you buying public cloud solutions. This is not just having a hypervisor and virtual center. what about application security, identity and governance. How would to address your client’s concern of internal threat and external threat. How client will trust a provider when they place their data in somewhere service provider’s cloud.

Microsoft can/should/must address these issues by providing Security as a service. Forefront TMG can play a key role if Microsoft is willing take a step ahead to the bottom line.

  • Application security
  • Privacy
  • Legal issues
  • Availability
  • Identity management
  • Compliance
  • Business Continuity and data recovery
  • Data Security

Firewall Rules: New Publishing Tools in Tasks pan should include

  • Publish FTP Servers
  • Publish Lync Server
  • Publish Streaming Media Server
  • Secure Cloud Network

image

Configure IM and Social media policy: Web Access Policy Tasks Pan should include

  • Configure IM Access (Allow/Deny Skype/Lync/MSN/Yahoo Messenger)
  • Configure Social Media Access (Allow/Deny Social Media such as Twitter/FaceBook/Google+/Youtube)

image

Networks: Network rules incorporate a build-in cloud network and network rules establishing communication from LAN to Cloud network and External to Cloud network. During installation of TMG; allow rules to be configured automatically when selecting Hyper-V Server in DMZ.

image

Multicast NLB Configuration: NLB Properties should be added another check box to create firewall rule for Multicast NLB in a virtualized environment. That means Multicast NLB mac address can communicate within array members in a virtualized environment if there is strict security policy deployed through out the infrastructure.

image

List of New Protocol available: New Protocols includes following protocols and many more:

  • Cloud Protocols
  • Lync Protocol
  • Hyper-v Protocols

image

Generate offline Certificate request: There should be an option to generate offline certificate request in Systems>Tasks pan.

image

Integrating Bing Search with TMG 2014 Cache: Search result cached in TMG from Bing Search Engine and presented to client.

Bandwidth Management: TMG should be able to manage bandwidth by single user, multiple users, AD Security groups, IP address, Computer Name, Department, Site, Branch.

Configure Branch or Site TMG Server: Option can be selected during installation of TMG 2010+SP3 (integrated installer) whether TMG is a primary site or branch site. Selecting Branch Site will auto configure site server with site to site VPN (if selected) and even replicate with primary sites firewall rules and policies (depending on topology). when installing a branch TMG branch TMG will automatically create branch cache depending on selection of topology .

Reporting: Following are the examples of the reports will be available in TMG 2010 SP3. there will be many more.

image

  • User based report
  • AD Security Group Based report
  • Web Site Visited
  • IP Address visited
  • Web/Content Uses report
  • Download reports by users/Group/Department
  • Bandwidth Uses report
  • Caching report
  • Search Engine Visitor by Search Engine report
  • Real Time/Custom Traffic report
  • Traffic Trending report
  • Top 20 Net users
  • Top 20 Site Visited
  • Default Monthly report
  • Default Yearly report
  • TMG Health report

Audit and Change Management: TMG will include complete change manage and recording of Tasks/Events generated by role based user and systems itself.

Role based TMG management: TMG Workgroup Deployment and Domain Member deployment should include RBAC management.

  • Administrator
  • Organization Administrator (member of this group manages cluster of Arrays )
  • Backup operator (Commvault/Symantec Client/SCDPM client integrated)
  • Auditor/User (view permission)
  • Firewall Rules and Web Access Policy Operator
  • Single or Multiple array administrator

Tool Box: Pre-installed BPA, Troubleshooting, Monitoring & Capturing  Real Time Traffic.

Learn more about TMG here .

Ban portable application/games through GPO

Ø Open GPO management console

Ø Right click and edit the specific GPO or Create and link new GPO and Edit

Ø User Configuration>Security Settings>Software Restriction Policies

Ø Right Click Software restriction policies>create

Ø Right click on Additional Rules>New Hash Rule>Browse and select application exe/icon>open

Ø Apply>ok

Ø Close GPO

You are laughing now!

Screen Shot Example:

1 2 3 4 5

How to block ports using ISA server

Here I will show an example, how to block port specific communication in an entire computer networks. You have to add an user defined protocol in ISA server to block those ports. you may ask now why so? Let me explain little bit.

A port is an application-specific or process-specific piece of software that serves as a communication endpoint used by transmission layer protocols of the internet protocol suite, such as TCP or UDP. The port numbers are divided into three ranges: the Well Known Ports, the Registered Ports, and the Dynamic and/or Private Ports. The Well Known Ports are those from 0 through 1023. The Registered Ports are those from 1024 through 49151. The Dynamic and/or Private Ports are those from 49152 through 65535.

Sometimes these port are used for evil purposes such as spreading viruses in local area network. One example would be conficker virus. It communicate via netbios port 135-139. Here is the “how to” screen shots to block these ports.

Open ISA Management Console>Task pan>Tool Box>Protocols

Select user-defined>New>Protocol> Type W32.conficker, click next

 conficker 

conficker1

 conficker2 conficker3 conficker4 conficker5 conficker6 

ISA Management Console>Task pan>Tasks>Create New Policy

conficker7

 conficker8 conficker9 conficker10

Add User-defined policy i.e. W32.Conficker .

 conficker11 conficker12

conficker13

Remove All Users and click next>ok

conficker14 conficker15

conficker16

How to create an access rule for Microsoft Update sites in MS ISA

 

  • Open the ISA Management console.
  • In the left pane, right-click Firewall Policy, click New, and then click Access Rule.
  • In the Name field, type Windows Update, and then click Next.
  • Click Allow, and then click Next.
  • In the This rule applies to list, click Selected Protocols.
  • Click Add.
  • In the Add Protocols dialog box, expand Web.
  • Click HTTP, and then click Add.
  • Click HTTPS, and then click Add.
  • Click Close, and then click Next.
  • In the Access Rule Sources dialog box, click Add.
  • In the Add Network Entities dialog box, expand Networks.
  • Click Internal, and then click Add.
  • Click the network object for each network that requires access to Windows Update, and then click Add.
  • Click Close, and then click Next.
  • In the Access Rule Destinations window, click Add.
  • In the Add Network Entities window menu bar, click New, and then click URL Set.
  • In the New URL Set Rule Element window, in the Name field, type Microsoft Windows Update.
  • Click New.
  • In the URLs included in this set list, change the new entry to type url mentioned here. repeat this to add all the urls, then click ok.
  •  

    http://download.windowsupdate.com

    https://*.windowsupdate.microsoft.com

    http://*.windowsupdate.microsoft.com

    http://*.update.microsoft.com

    http://*.download.windowsupdate.com

    http://update.microsoft.com

    http://*.windowsupdate.com

    http://download.microsoft.com

    http://windowsupdate.microsoft.com

    http://ntservicepack.microsoft.com

    http://wustat.windows.com

    https://*.update.microsoft.com

    https://update.microsoft.com

  • In the Add Network Entities window, in the URL Sets section, click Windows Update, click Add, and then click Close.
  • Click Next two times, and then click Finish.
  • In the top part of the middle pane, click Apply.
    In the top part of the middle pane, Apply and Discard buttons appear.
  • Click Apply.
  • When a “Changes to the configuration were successfully applied” message appears in the Apply New Configuration dialog box, click OK.
  • How to create Microsoft update cache rule in MS ISA

    Microsoft Update keeps systems up to date. whenever you are updating through http://update.microsoft.com it is costing your bandwidth. Everybody does it repeatedly. So a clever way to manage this issue is to add a cache rule in Microsoft ISA server. It will cache necessary Microsoft update. whenever a request for Microsoft update pop up it will check ISA cache. this will save bandwidth as a result save money too. Here are the screen shots to help you with the cache rule.

    Open ISA Management console>View>check task pan

    Cache Rule2

    Toolbox>Network Objects>Domain name Set>New Domain Name Set

    Cache Rule

    Type Microsoft Update Domain Name Set as Name and Add all the update sites mentioned here. Apply>ok.

  • http://download.windowsupdate.com
  • https://*.windowsupdate.microsoft.com
  • http://*.windowsupdate.microsoft.com
  • http://*.update.microsoft.com
  • http://*.download.windowsupdate.com
  • http://update.microsoft.com
  • http://*.windowsupdate.com
  • http://download.microsoft.com
  • http://windowsupdate.microsoft.com
  • http://ntservicepack.microsoft.com
  • http://wustat.windows.com
  • https://*.update.microsoft.com
  • https://update.microsoft.com
  •  Cache Rule1 

    On the left hand side pan, expand ISA array>expand configuration>right click on cache>new>Cache rule

     Cache Rule3 Cache Rule4 

    Cache Rule5

     Cache Rule6 Cache Rule7 Cache Rule8 Cache Rule9 Cache Rule10 Cache Rule11 Cache Rule12

    As you have added a cache rule, it might take a bit disk space. so change cache drive from system partition to another. In my case, I set up D:\ drive for urlcache. To do that right click on cahce>cache drives>Set D:\ drive or different in your case.

    Cache Rule13

    Cache Rule14

    How to ban inappropriate URL or contents/keywords using MS ISA

    You can ban inappropriate URL or contents that contain keywords such as pornography, torrentz etc using signature blocking option in MS ISA.

    Step1 create an allow access policy as follows

    name Action Protocols listener To Condition
    Allow users Allow HTTP
    HTTPS
    Internal
    Local Host
    External All Users

     keyword1 keyword2 keyword3 keyword4 keyword5 keyword6 keyword7 

    Step2 Right click on Allow policy you just created>Configure HTTP>Signature>Add

    keyword8

    keyword9

     keyword10

    Click ok>Apply>Ok>Apply on ISA Management console

    keyword11

    Similarly, you add more signature to block. Now the entire contents/url will be blocked whenever any user search or browse it.