Hardening Security of Server- The Bottom Line

Securing Servers from internal and external threat is the key aspect of managing and administering Windows Servers. If you carefully design, implement and maintain IT Infrastructure you will have a better night sleep knowing you are safe. There will not be music in the ears of oncall Engineer facing nightmare. So how you accomplish a tight security and control on IT infrastructure without compromising work environment. Here are some tips for you.

Infrastructure Firewalls

You must have an isolated Head Office network from branch office. You can purchase MPLS or IP WAN service from your ISP. Alternatively you can create site to site VPN using security appliance or application like Forefront TMG 2010. A better design approach would be a multi-tier firewall so that your internal server, DMZ servers and branch servers stay securely connected. You can have specific VLANs for specific servers/services/applications with correct Access Control List (ACL) in Cisco switches and routers. This will add another layer of firewall to the network.

Computer based Firewalls

In Windows Server 2008 and Windows Server 2012, there is built in firewall. You can configure that built-in firewall for a group of servers or individual server to provide host based firewall. Both Server 2008 and Server 2012 shipped with advanced Firewall and security configuration tools which you can administer through Group Policy object.

Intrusion Detection System

Another key aspect of firewall is security appliance that provide you to harden security using Intrusion Detection System (IDS) /Intrusion Protection System (IPS). These are third-party Devices or appliance. The IDS helps you monitor network traffic, logs data about the traffic, analyses the traffic based on signatures and anomalies, recognizes potential attacks, and alerts the IT staff to the perceived attack. The IPS does all that, but it also has the capability to react to the perceived  attack. IPS is also capable of reacting to an attack based on your configured rules.

Server Hardening- The bottom line

You execute the following action to stop being hacked or take these actions to prevent hacking

• Isolate Administrator Role for individual tasks similar to their job description.
• Stopping and disabling all unnecessary services and applications
• Renaming the Administrator account
• Implement password policy using Default Domain Policy in Group Policy Object
• Implement GPO to secure servers and clients
• Deleting or disabling all unnecessary user accounts
• Use of Service Account to run services and application instead of running services using IT Admin’s generic account and store password to safe location
• Create Role Based User Account instead of using user account by user name
• Requiring strong authentication and certificates to access applications
• Performing regular firmware, operating system and application updates using WSUS or SCCM
• Installing renowned Antivirus and Anti-Spyware program and manage them centrally 
• Document all system configurations and store these documents in safe location
• Audit and monitor IT infrastructure regularly to prevent any misconfiguration
• Use Read only Domain Controller (RODC) for branch office
• Utilize great benefit of Server Core Technology reducing surface attack further
• Utilize NPS, NAP and Certificate Servers to secure access to applications and services.

Love My Blog Stats

Total Stats

Blog Referrer

Most viewed articles:

FF TMG 2010—Can future be altered?

I read the following articles about Microsoft Forefront TMG 2010. I was shocked by the news. TMG 2010 is one of the beautiful product Wintel Engineers and Security Administer can be proud off. I believe I am one of the biggest admirer of Forefront Product lines.

                                                                    Death of TMG? by Deb Shinder 

What will happen with TMG?

The demise of Threat Management Gateway: Is Microsoft backing away from the edge?

I would like to voice my own opinion on this matter. I am sure I will find lots of similar minded techie out there who would love to share same opinion as me. I would like to send an open request to Microsoft Corp and MVPs to pursue for an advanced version of TMG that incorporate cloud security and address modern day security challenges.

I decided to write on a different perspective of TMG 2010 what I would like to see next service pack of Forefront Threat Management Gateway or in a future version if there is one. This is not an official account of Microsoft Corp. This is just my wish list. I hope and cross my finger that Microsoft will listen to those who are on the field working for a better and even bigger Microsoft community.   

FF TMG 2010: Here is details of evolution of today’s TMG 

TMG 2010 can be more advanced in terms Firewall Policy, Publishing Rules and Cloud Security. TMG 2010 may be available in Downloadable virtual Appliance build on Windows Server “Code name 8” and physical appliance through the Microsoft partners program. Microsoft declared TMG 2010 is in sustainable mode and will not invest on TMG for further development so my dream to administer TMG administration console via internet explorer and Silverlight will be just a dream. I would like to see TMG service pack as separate installed and TMG 2010+SP3 integrated together in a installer for those who wants to refresh TMG and adopt as a new customer.

Topology and Installation Changes: I would like to see a Hyper-V network incorporated into TMG. As you all know when installing TMG, TMG installer prompt you for subnets of Local area network. The new version will prompt you to add your cloud networks in an installation window. The installer will secure the local area network and private cloud network using default configuration which you will be able to modify and align later on with your desired topology and network layout.  

Incorporating Cloud Security:

clients and partners have serious concern over the years about Service provides who sells cloud solutions. For example, service provider selling Exchange cloud, SharePoint cloud, Anti-Spam  and Security Cloud Solution. There are questions to be asked when you buying public cloud solutions. This is not just having a hypervisor and virtual center. what about application security, identity and governance. How would to address your client’s concern of internal threat and external threat. How client will trust a provider when they place their data in somewhere service provider’s cloud.

Microsoft can/should/must address these issues by providing Security as a service. Forefront TMG can play a key role if Microsoft is willing take a step ahead to the bottom line.

• Application security
• Privacy
• Legal issues
• Availability
• Identity management
• Compliance
• Business Continuity and data recovery
• Data Security

Firewall Rules: New Publishing Tools in Tasks pan should include

• Publish FTP Servers
• Publish Lync Server
• Publish Streaming Media Server
• Secure Cloud Network

Configure IM and Social media policy: Web Access Policy Tasks Pan should include

• Configure IM Access (Allow/Deny Skype/Lync/MSN/Yahoo Messenger)
• Configure Social Media Access (Allow/Deny Social Media such as Twitter/FaceBook/Google+/Youtube)

Networks: Network rules incorporate a build-in cloud network and network rules establishing communication from LAN to Cloud network and External to Cloud network. During installation of TMG; allow rules to be configured automatically when selecting Hyper-V Server in DMZ.

Multicast NLB Configuration: NLB Properties should be added another check box to create firewall rule for Multicast NLB in a virtualized environment. That means Multicast NLB mac address can communicate within array members in a virtualized environment if there is strict security policy deployed through out the infrastructure.

List of New Protocol available: New Protocols includes following protocols and many more:

• Cloud Protocols
• Lync Protocol
• Hyper-v Protocols

Generate offline Certificate request: There should be an option to generate offline certificate request in Systems>Tasks pan.

Integrating Bing Search with TMG 2014 Cache: Search result cached in TMG from Bing Search Engine and presented to client.

Bandwidth Management: TMG should be able to manage bandwidth by single user, multiple users, AD Security groups, IP address, Computer Name, Department, Site, Branch.

Configure Branch or Site TMG Server: Option can be selected during installation of TMG 2010+SP3 (integrated installer) whether TMG is a primary site or branch site. Selecting Branch Site will auto configure site server with site to site VPN (if selected) and even replicate with primary sites firewall rules and policies (depending on topology). when installing a branch TMG branch TMG will automatically create branch cache depending on selection of topology .

Reporting: Following are the examples of the reports will be available in TMG 2010 SP3. there will be many more.

• User based report
• AD Security Group Based report
• Web Site Visited
• IP Address visited
• Web/Content Uses report
• Download reports by users/Group/Department
• Bandwidth Uses report
• Caching report
• Search Engine Visitor by Search Engine report
• Real Time/Custom Traffic report
• Traffic Trending report
• Top 20 Net users
• Top 20 Site Visited
• Default Monthly report
• Default Yearly report
• TMG Health report

Audit and Change Management: TMG will include complete change manage and recording of Tasks/Events generated by role based user and systems itself.

Role based TMG management: TMG Workgroup Deployment and Domain Member deployment should include RBAC management.

• Administrator
• Organization Administrator (member of this group manages cluster of Arrays )
• Backup operator (Commvault/Symantec Client/SCDPM client integrated)
• Auditor/User (view permission)
• Firewall Rules and Web Access Policy Operator
• Single or Multiple array administrator

Tool Box: Pre-installed BPA, Troubleshooting, Monitoring & Capturing  Real Time Traffic.

Learn more about TMG here .

How did this blog perform in the year of 2011

This blog was viewed about 190,000 times in 2011.

The busiest day of the year was December 7th with 1,150 views. The most popular post that day was Install and Configure Lync Server 2010—Step by Step.

Some visitors came searching, mostly for tmg reverse proxy, lync server, tmg 2010 pdf, fax server windows 2008, and forefront site to site vpn configuration.

The top referring sites in 2011 were:

• araihan.wordpress.com
• experts-exchange.com
• social.technet.microsoft.com
• blogs.isaserver.org
• siancom.blogspot.com

The most commented on post in 2011 was Microsoft Active Directory—Best Practice

The popular posts:

1.  Install and Configure Lync Server 2010—Step by Step
2.  Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step
3.  How to configure reverse proxy using Forefront TMG 2010— step by step
4.  Configure FAX server using Windows Server 2008 and Standard Fax Modem
5.  Configure 3-Leg Perimeter (DMZ) using Forefront TMG 2010—step by step

I look forward to serving you again in 2012! Happy New Year!

FF TMG 2010 Service Pack 2 is Now Available

Before you start installing TMG 2010 SP2, make sure you have the following infrastructure ready.

1. TMG 2010 installed on Win2k8 or Win2k8 R2 Server.
2. TMG 2010 SP1  and TMG 2010 Service Pack 1 Update 1 installed on top of TMG 2010.
3. Download FF TMG 2010 SP2 and save on your server.

Pre-cautions: Take following steps before you run service pack installer

Verify/Note Current version

Check any alerts/issue in TMG 2010 server

Check event logs for any existing underlying issues

Back up an enterprise configuration: In the Forefront TMG Management console, in the tree, click the Enterprise node. On the Tasks tab>click Export Enterprise Configuration.

To export confidential information, such as user passwords and certificates, select Export confidential information and provide a password. Confidential information is encrypted during the export process. The password you enter here will be required to import the configuration.

To export user permissions, select Export user permission settings.

In Save this data in this file, specify the folder in which the export file will be saved, and the file name. In File name, enter a name for the exported file.

Important! To restore an enterprise configuration

In the Forefront TMG Management console, in the tree, click the Enterprise node>On the Tasks tab>click Import Enterprise Configuration.

Select the file that you saved when you exported the configuration.

Select Overwrite (restore) to restore configuration settings. If you exported user permissions, select Import user permission settings. If you exported confidential information, enter the password that you specified when you exported the file.

Install TMG 2010 SP2 on a TMG standalone server:

Installing SP2 in TMG 2010 standalone server is pretty straight forward.

Open elevated Command prompt, locate directory where you saved TMG 2010 SP2

run TMG-KB2555840-amd64-ENU or TMG-KB2555840-x86-ENU based on your architecture.

Install TMG 2010 Sp2 on Enterprise Array Members:

• In-place upgrade

1. Install the service pack on the EMS master with same credentials that were used to install the EMS during the initial Forefront TMG setup otherwise setup will fail.
2. upgrade first the reporting server and then the array members.
3. Install Service Pack 2 to all EMS array members.

• Clone array upgrade

1. Install Forefront TMG Enterprise Management on a different computer.

2. Create a new array and import the previously exported enterprise configuration.
3. Install the service pack on cloned EMS
4. disjoin array members from the reporting server from the array, installing the service pack, and then joining it to the new array that is running the service pack. Continue the process with the other array members.

Installation steps for servers that use load balancing If the server is load-balanced by using network load balancing (NLB) or any other load-balancing mechanism, do the following:

• Remove the server from the load-balancing configuration.
• Drain existing connections that are served by the server.
• Set NLB to suspended to prevent auto-rejoin when you restart.
• Install the update.
• Restart the server if it is required.
• Start NLB on the updated server.

Post installation notes:

1. Forefront TMG services may not start or may not sync with EMS after you install or remove a service pack. In this case, use the Monitoring node of the Forefront TMG Management console to manually restart the services.
2. If you are logging to a remote SQL database, you are required to migrate the log database to the new schema. For instructions, see Upgrading a remote SQL database for Forefront TMG SP1
3. Run BPA in TMG 2010 and check event logs as best practice.

Known issues: The following issues relate to the configuration and operation of Forefront TMG SP2:

• Reload failure with local user
  

  Issue: After configuring the Firewall service user as a local user, reloading the configuration fails.

  Workaround: Configure a domain user for the Firewall service. See Kerberos authentication on an NLB array.

• Uninstall failure
  

  Issue: After configuring the Firewall service user as a domain user, you cannot uninstall Forefront TMG SP2.

  Workaround: Reconfigure the Firewall service user to be the network service, then you can uninstall Forefront TMG SP2.

TMG2010: Server Configuration does not match the stored configuration

Issue: Not Synced Server Configuration does not match with stored configuration

Cause: FF TMG 2010 Array certificates expired.

Solutions: The following steps will fix the issue. Please note that I am explaining the situation where my TMG 2010 enterprise Array is deployed in workgroup.

Step1: Run ISA BPA on TMG 2010 Array Member

Step2: Verify certificate expiry date

1. From the Start menu, click Run. Type MMC, and then click OK.

2. In MMC, click File, and then click Add/Remove Snap-in.

3. Click Add to open the Add Standalone Snap-in dialog box.

4. From the list of snap-ins, select Certificates, and then click Add.

5. Select the service account and click Next.

6. Click Next.

7. Select ISASTGCTRL and click Finish.

8. Browse to ADAM_ISASTGCTRLPersonal > Certificates.

9. Open the certificate to see if it is expired.

Step3: Create a Request.inf file. Open notepad and copy the following and paste into notepad. modify CN and domain details as per your own requirement. rename the file as request.inf. An example of the inf file is:

[Version]

Signature=”$Windows NT$

[NewRequest]

Subject = “CN=myTMG.mydomain.com”

EncipherOnly = FALSE

Exportable = TRUE  

KeyLength = 1024

KeySpec = 1 ; Key Exchange

KeyUsage = 0xA0 ; Digital Signature, Key Encipherment

MachineKeySet = True

ProviderName = “Microsoft RSA SChannel Cryptographic Provider”

ProviderType = 12

RequestType = CMC

; Omit entire section if CA is an enterprise CA

[EnhancedKeyUsageExtension]

OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

[RequestAttributes]

CertificateTemplate = WebServer

Step4: request Certificate to the Root/Subordinate CA

Open a elevated command prompt. At the command prompt, type the following command, and then press ENTER:

certreq -new –f request.inf certnew.req

Important! This command uses the information in the Request.inf file to create a request in the format that is specified by the RequestType value in the .inf file. When the request is created, the public and private key pair is automatically generated and then put in a request object in the enrollment requests store on the local computer.

Step5:Submit the request and obtain certificate

Open a elevated command prompt. At the command prompt, type the following command, and then press ENTER:

certreq -submit certnew.req certnew.cer

Important! certnew.req is generated in the previous command. certnew.cer is the certificate you are looking for.

An alternative way of submitting certificate to CA

1. Open Certificate Authority
2. Right Click on CA Server>All Task>Submit a New request
3. Point to the location of certnew.req file
4. Save Certificate As certnew.CER file into the preferred location

Step6:Convert certificate into .pfx format

Import the certificate certnew.cer into a server or an admin workstation

1. On the head node, click Start, click Run, and then type mmc to start the Microsoft Management Console.

2. On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box appears.

3. In Available snap-ins, click Certificates, and then click Add.

4. Select Computer account, and then click Next.

5. Select Local computer, and then click Finish.

6. If you have no more snap-ins to add to the console, click OK.

7. In the Microsoft Management Console, in the console tree, expand Certificates, and then expand Personal.

8. In the details pane, click the certificate you want to manage.

9. On the Action menu, point to All Tasks, and then click Import. The Certificate Export Wizard appears. Click Next.

10. Browse to location of certnew.cer file

11. Import Certificate

To export a certificate in PFX format using the Certificates snap-in

1. On the head node, click Start, click Run, and then type mmc to start the Microsoft Management Console.

2. On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box appears.

3. In Available snap-ins, click Certificates, and then click Add.

4. Select Computer account, and then click Next.

5. Select Local computer, and then click Finish.

6. If you have no more snap-ins to add to the console, click OK.

7. In the Microsoft Management Console, in the console tree, expand Certificates, and then expand Personal.

8. In the details pane, click the certificate you want to manage.

9. On the Action menu, point to All Tasks, and then click Export. The Certificate Export Wizard appears. Click Next.

10. On the Export Private Key page, click Yes, export the private key. Click Next.

11. On the Export File Format page, select Personal Information Exchange – PKCS #12 (.PFX). Click Next.

12. On the Password page, type and confirm the password that is used to encrypt the private key. Click Next.

13. Follow the pages of the wizard to export the certificate in PFX format.

Step7: Import Certificate into TMG Array

Log on to the TMG Server

Open FF TMG 2010 Console

Click on System>Click Server that is one of the array member>Click Import Server Certificate from the task pan>Browse location of the certificate import certnew.PFX format certificate

Click Ok.

Click refresh on the systems

Step8: Repeat the entire steps into all array members

Step9: Refresh Array members and check system

Check TMG related services.

More information on certificates visit the following URLs.

http://technet.microsoft.com/en-us/library/cc754329.aspx

http://technet.microsoft.com/en-us/library/dd362553.aspx

http://support.microsoft.com/kb/931351

FF TMG 2010: Configure Network Load Balancing Across Enterprise Array Members

NLB is an wonderful in built TMG feature you can utilize to balance high network traffic. you can configure network load balancing across up to eight FF TMG array members.

The following is an example of FF TMG 2010 NLB Configuration.  

To configure network load balancing among FF TMG 2010 enterprise array members, Open FF TMG enterprise Management server console, Click on the Networking Node>Select preferred networks. For this article, I have chosen internal networks for load balancing.

 

Click on Enable Network Load Balancing Integration, you will be presented with NLB Integration Wizard, Click Next.

Select Internal>Click Configure NLB Settings

Type Primary virtual IP (VIP), Select Unicast, Click OK. note that VIP will be similar IP range of internal networks of both TMG servers. VIP will be registered as a DNS record in DNS server once you click finish.

click Finish. Click OK.

Apply Changes. Click Ok.

To Change or add additional VIP, Click on Networking node>Right Click on Internal Network>Click Property>Click NLB Tab

Change FF TMG Client configuration to new VIP. Client proxy address will be new VIP.

Now you have finished configuring NLB. To test NLB, open internet explorer, add VIP as new proxy address and browse bing.com.

To test that you are able to browse internet using VIP proxy address if one NLB node fails, reboot one TMG server while you keep surfing internet on a client. you will experience slow browsing though depending on your load. you will see following error in TMG EMS but once all array members are up and running it will sync itself.

Important!    you can centrally manage up to 15 EMS x 200 arrays per EMS x 50 TMG servers per array that is in total 150,000 TMG servers. 

Relevant Articles:

FF TMG 2010: Configure ISP Redundancy— Step by Step

Install and configure Forefront TMG 2010 Enterprise Management Server (EMS) for centralized Management (part II)—Step by Step

Install and configure Forefront TMG 2010 Enterprise Management Server (EMS) for centralized Management—Step by Step

Install and configure Forefront TMG step by step

Forefront Threat Management Gateway (TMG) 2010

Configure back to back perimeter step by step

Configure reverse proxy step by step