Saturday, February 24, 2007

Microsoft Windows Server Security

Security Checklist for Windows 2003 Servers

I created a personal checklist for locking down a server after building it. It is a compilation of reading security books and Windows security guides over the past couple of years. The checklist assumes that the server sits behind a firewall with only the ports open that it actually needs (80 and 443 for a web server, for example). The first thing I do is find out what role the server will take; once you know the role, there are a number of settings that can be changed. A typical server that I used to set up a lot was a web server, so I will use a web server as the example. Here is the base OS.

Windows 2003 Server Standard Edition (32-bit)
IIS 6 installed with SMTP and FTP (I know that all of these roles shouldn't be on the same server, and you probably wouldn't want to use Microsoft's SMTP or FTP, but I used to, so I will write about it.)

Step One - Building Your Server
When you build your server, use NTFS as the file system; it is the only Windows file system with per-file permissions, and everything below depends on it. This is absolutely critical, and I almost didn't mention it because it seems so obvious. After the basic installation, run Windows Update repeatedly until it reports "0" updates remaining. You may be offered a couple of hardware driver updates that you won't need if you are using the manufacturer's drivers instead of the Windows ones.

Step Two - Lockdown FTP
Unfortunately the default setting for a freshly installed FTP service is still that anonymous access is allowed, so you must go into the IIS Manager MMC and change this. In the MMC expand the FTP Sites folder until you see "Default FTP Site", right-click the site and click Properties. In the window that opens, click the "Security Accounts" tab and uncheck the "Allow anonymous connections" checkbox. After you uncheck it, Microsoft will warn you that this setting causes usernames and passwords to be sent in plaintext. This is true (plain FTP sends the USER and PASS commands unencrypted over the wire) and is one of the reasons why you shouldn't use Microsoft's FTP: the IIS 6 FTP service has no SSL support at all. Use one that implements FTP over SSL.

Step Three - Lockdown SMTP
My experience with MS's SMTP is that it is used either for Exchange or by SQL Server to send messages to the developers for whatever trigger they set. Thankfully, MS has decided not to allow relaying as the default setting in Windows 2003. Whenever I set it up I always went one step further and didn't let any computer connect except for the ones that I explicitly allowed. To access the settings of the SMTP server, go to the IIS Manager MMC, right-click "Default SMTP Virtual Server" and click Properties. Next click the "Access" tab; the bottom two boxed areas are what we want to change. The settings are as follows:
1. Connection Control - Set to "Only the list below" with either your IP range or the one or two other computers that need to connect. Remember to add the local server if it will be connecting to itself to send messages.
2. Relay Restrictions - Set it exactly as Connection Control is set. Remember to add the local server here as well.
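A quick way to verify steps two and three from another machine, rather than trusting the dialog boxes, is to probe the services the way an attacker would: attempt an anonymous FTP login, and ask the SMTP server to accept mail for a domain it does not host. The script below is an added example in Python, not code from the original post. The host, ports and domains are placeholders, and the small fake FTP/SMTP servers at the bottom are constructed so the probes can be demonstrated offline; against a real server you call the two probe functions directly.

```python
"""Probe an IIS 6 box for the two defaults fixed in steps two and three: anonymous
FTP logins and SMTP relaying for domains the server does not host.
Added example, not code from the original post; host, ports and domains are
placeholders, and the fake FTP/SMTP handlers below are constructed so it runs offline.
"""
import ftplib
import smtplib
import socketserver
import threading


def anonymous_ftp_allowed(host, port=21, timeout=10):
    """True if USER anonymous / PASS anonymous@ gets a 230 (the IIS 6 default)."""
    ftp = ftplib.FTP(timeout=timeout)
    try:
        ftp.connect(host, port)
        ftp.login()               # ftplib defaults: "anonymous" / "anonymous@"
        return True
    except ftplib.error_perm:     # 530: anonymous connections are disabled
        return False
    finally:
        ftp.close()


def smtp_accepts_rcpt(host, port, rcpt, sender="probe@example.net", timeout=10):
    """True if an unauthenticated session gets RCPT TO:<rcpt> accepted.
    Probe with a recipient in a domain the server does NOT deliver for: a correct
    relay restriction answers 550 "Unable to relay"; 250 means it is an open relay.
    """
    with smtplib.SMTP(host, port, local_hostname="probe.example.net",
                      timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, _ = smtp.mail(sender)
        if code != 250:
            return False
        code, _ = smtp.rcpt(rcpt)
        smtp.rset()               # never actually queue a message
        return code in (250, 251)


# Constructed fakes: just enough of each protocol to exercise the probes.
class _FakeFTP(socketserver.StreamRequestHandler):
    allow_anonymous = True

    def handle(self):
        self.wfile.write(b"220 fake FTP\r\n")
        for raw in self.rfile:
            cmd = raw.decode("ascii", "replace").strip().upper()
            if cmd.startswith("USER"):
                reply = (b"331 password required\r\n" if self.allow_anonymous
                         else b"530 anonymous access disabled\r\n")
            elif cmd.startswith("PASS"):
                reply = b"230 logged in\r\n"
            elif cmd.startswith("QUIT"):
                self.wfile.write(b"221 bye\r\n")
                return
            else:
                reply = b"502 not implemented\r\n"
            self.wfile.write(reply)


class _FakeSMTP(socketserver.StreamRequestHandler):
    open_relay = False
    local_domain = "EXAMPLE.COM"  # the only domain this fake delivers for

    def handle(self):
        self.wfile.write(b"220 fake SMTP\r\n")
        for raw in self.rfile:
            cmd = raw.decode("ascii", "replace").strip().upper()
            if cmd.startswith("RCPT TO"):
                local = cmd.endswith("@" + self.local_domain + ">")
                reply = (b"250 ok\r\n" if self.open_relay or local
                         else b"550 5.7.1 Unable to relay\r\n")
            elif cmd.startswith("QUIT"):
                self.wfile.write(b"221 bye\r\n")
                return
            else:
                reply = b"250 ok\r\n"  # EHLO/HELO, MAIL FROM, RSET
            self.wfile.write(reply)


def _serve(handler):
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo():
    """Run both probes against the fakes; returns {case: what the probe observed}."""
    probe_ftp = lambda p: anonymous_ftp_allowed("127.0.0.1", p)
    probe_foreign = lambda p: smtp_accepts_rcpt("127.0.0.1", p, "victim@example.org")
    probe_local = lambda p: smtp_accepts_rcpt("127.0.0.1", p, "ops@example.com")
    cases = [
        ("ftp_anonymous_on", _FakeFTP, probe_ftp),
        ("ftp_anonymous_off", type("FtpOff", (_FakeFTP,), {"allow_anonymous": False}), probe_ftp),
        ("relay_open_foreign_rcpt", type("Open", (_FakeSMTP,), {"open_relay": True}), probe_foreign),
        ("relay_closed_foreign_rcpt", _FakeSMTP, probe_foreign),
        ("relay_closed_local_rcpt", _FakeSMTP, probe_local),
    ]
    results = {}
    for name, handler, probe in cases:
        server, port = _serve(handler)
        try:
            results[name] = probe(port)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for name, seen in demo().items():
        print(f"{name}: {seen}")
```

Against the real box, `anonymous_ftp_allowed("your.server")` should return False once step two is done, and `smtp_accepts_rcpt("your.server", 25, "someone@otherdomain.example")` should return False from any host that is not on the relay list while a recipient in your own domain is still accepted. Run the probe from a host outside the Connection Control list as well: that connection should be refused before any SMTP command is sent, which is the whole point of step three's first setting.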

Step Four - Disable Any Services that the Web Server Won't Need
Here are a couple of services that I stop and disable on a web server:
1. Print Spooler
2. Wireless Configuration
3. Windows Audio

Since Windows 2003 already disables services like "Alerter" and "Messenger", most of the services that I disable are stopped to make sure that RAM and other server resources don't get spent on starting, stopping and managing them.

Step Five - Change the Local Security Policy
There are many settings in the Local Security Policy that should be changed to increase security. To access it, click Start/Administrative Tools/Local Security Policy. You will see five sub-sections: Account Policies, Local Policies, Public Key Policies, Software Restriction Policies and IP Security Policies on Local Computer. I will discuss the first two, Account Policies and Local Policies.

Account Policies
Within Account Policies there are two sub-sections, Password Policy and Account Lockout Policy. My custom password policy uses the following settings with success (so far). Remember, I don't work for the government; if I did, these settings would probably be much more restrictive.

Password policy
Enforce password history - 4 passwords remembered
Maximum password age - 90 days
Minimum password age - 2 days
Minimum password length - 8 Characters
Password must meet complexity requirements - enabled.

Account lockout policy

Account lockout duration - 30 minutes
Account lockout threshold - 10 invalid logon attempts
Reset account lockout counter after - 30 minutes.

I have heard many, many different ways to set this. Some set the threshold to 3 attempts; others never reset the lockout counter (in this case an administrator must manually unlock the account). My belief is that my settings will stop any hacker from trying to dictionary or brute force your password.

Local Policies
Within this section there are three sub-sections: Audit Policy, User Rights Assignment and Security Options.

Audit Policy - I used to log everything, but this really only allows for a couple of hours of security logs. I now set this to failure for everything and success for "Audit account logon events".

User Rights Assignment - Here I remove the Everyone group anywhere I see it. The policies that contain it by default are Access this computer from the network and Bypass traverse checking.

Security Options - Once again Microsoft has changed some of these settings to more restrictive defaults. I will discuss only the ones that I change, starting at the top and moving down, skipping the entries I leave alone.

Accounts: Rename administrator account - Change this to anything you want besides the default.

Interactive logon: Message text for users attempting to log on - Put a warning in this area along with an "if you aren't authorized, do not log on" notice. I use some wording I found about local computer-system law; it looks pretty good. (If you want it, just email me.)

Interactive logon: Message title for users attempting to log on - This is the title of the window. Put something like "WARNING!", just a simple one-line title.

Interactive logon: Prompt user to change password before expiration - The default is 14 days. That seems like a long time to me, so I change this to 3 days.

Most of the other settings should already be in a "locked down" state. There are detailed Microsoft guides that discuss exactly what each of these settings does; if you want more detail then click here. There is one caveat about the local security policy: if the server is part of a Windows domain, any setting defined in a domain Group Policy overrides the corresponding local setting.
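To verify the account, audit, user-rights and security-option settings above on a built server without clicking back through the MMC, export the effective local policy with secedit and compare it against the checklist. The following Python script is an added example, not from the original post: it reads the output of `secedit /export /cfg C:\policy.inf` (a UTF-16 INI file) and reports every value that misses the checklist. The embedded sample export is constructed with four deliberate deviations so the script can be run without a Windows server; the section, key and registry-path names are the ones secedit writes, and the SID `S-1-1-0` is the well-known SID of Everyone.

```python
"""Check a 'secedit /export' INF against this post's checklist (added example, not from the post).

On the server: secedit /export /cfg C:\\policy.inf  (UTF-16), then: python check_policy.py C:\\policy.inf
Without an argument it audits SAMPLE_INF, a constructed export with four deliberate deviations.
"""
import configparser
import sys

SAMPLE_INF = r"""[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 2
MaximumPasswordAge = 90
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 4
LockoutBadCount = 0
NewAdministratorName = "svcadmin"
[Event Audit]
AuditSystemEvents = 2
AuditLogonEvents = 2
AuditObjectAccess = 2
AuditPrivilegeUse = 2
AuditPolicyChange = 2
AuditAccountManage = 2
AuditProcessTracking = 2
AuditDSAccess = 2
AuditAccountLogon = 2
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeChangeNotifyPrivilege = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-11
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,"WARNING!"
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,Authorized use only.,
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,14
"""

EVERYONE = "*S-1-1-0"  # well-known SID of the Everyone group
POLSYS = r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"
WINLOGON = r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"


def _regdata(v):
    """[Registry Values] entries are 'type,data' (1=REG_SZ, 4=REG_DWORD, 7=REG_MULTI_SZ)."""
    return v.split(",", 1)[1].strip().strip('"') if "," in v else ""


def checks(lockout_enabled):
    """(section, key, predicate, expectation) for each checklist item."""
    sa, ea, pr, rv = "System Access", "Event Audit", "Privilege Rights", "Registry Values"
    no_everyone = lambda v: EVERYONE not in [s.strip() for s in v.split(",")]
    items = [
        (sa, "PasswordHistorySize", lambda v: int(v) >= 4, "4 or more passwords remembered"),
        (sa, "MaximumPasswordAge", lambda v: 0 < int(v) <= 90, "expires within 90 days"),
        (sa, "MinimumPasswordAge", lambda v: int(v) >= 2, "at least 2 days"),
        (sa, "MinimumPasswordLength", lambda v: int(v) >= 8, "at least 8 characters"),
        (sa, "PasswordComplexity", lambda v: int(v) == 1, "complexity enabled"),
        (sa, "LockoutBadCount", lambda v: 0 < int(v) <= 10, "lockout after 1-10 attempts"),
        (sa, "NewAdministratorName", lambda v: v.strip('"').lower() != "administrator",
         "Administrator renamed"),
        (ea, "AuditAccountLogon", lambda v: int(v) == 3, "success and failure (3)"),
        (pr, "SeNetworkLogonRight", no_everyone, "Everyone removed"),
        (pr, "SeChangeNotifyPrivilege", no_everyone, "Everyone removed"),
        (rv, POLSYS + r"\LegalNoticeCaption", lambda v: _regdata(v) != "", "banner title set"),
        (rv, POLSYS + r"\LegalNoticeText", lambda v: _regdata(v).strip(",") != "", "banner text set"),
        (rv, WINLOGON + r"\PasswordExpiryWarning", lambda v: int(_regdata(v)) <= 3,
         "warn 3 days or fewer before expiry"),
    ]
    for cat in ("AuditSystemEvents", "AuditLogonEvents", "AuditObjectAccess", "AuditPrivilegeUse",
                "AuditPolicyChange", "AuditAccountManage", "AuditProcessTracking", "AuditDSAccess"):
        items.append((ea, cat, lambda v: int(v) in (2, 3), "failure audited (2 or 3)"))
    if lockout_enabled:  # secedit omits these two keys when the threshold is 0
        items += [(sa, "LockoutDuration", lambda v: int(v) >= 30 or int(v) <= 0,
                   "30 minutes, or until an administrator unlocks"),
                  (sa, "ResetLockoutCount", lambda v: int(v) >= 30, "reset after 30+ minutes")]
    return items


def audit(inf_text):
    """Return [(setting, expectation, actual)] for every checklist item not met."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep the case of registry paths and privilege names
    cp.read_string(inf_text)
    threshold = cp.get("System Access", "LockoutBadCount", fallback="0")
    findings = []
    for section, key, ok, want in checks(int(threshold) > 0):
        value = cp.get(section, key, fallback=None)
        if value is None and section == "Privilege Rights":
            value = ""  # right granted to nobody, so certainly not to Everyone
        name = key.rsplit("\\", 1)[-1]
        if value is None:
            findings.append((name, want, "<not set>"))
        elif not ok(value.strip()):
            findings.append((name, want, value.strip()))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_INF
    for name, want, got in audit(text):
        print(f"FAIL {name}: want {want}, got {got}")
```

On a real export, `LockoutDuration` and `ResetLockoutCount` only appear when a threshold is set, which is why the script skips them when `LockoutBadCount` is 0 and flags the threshold itself instead. User rights are listed as SIDs, so the absence of `*S-1-1-0` from `SeNetworkLogonRight` and `SeChangeNotifyPrivilege` is exactly what the "remove Everyone" step above produces. The `[Registry Values]` keys hold the logon banner and the password-expiry warning days from the Security Options section.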

Monday, February 19, 2007

HP Procurve 2810 Switch Setup

Using VLANs for Failover/Disaster Recovery

A recent project at work required me to implement a couple of switches with VLANs. I decided that I would be able to include a failover/disaster recovery setup with two VLANs and two switches. To refresh anyone about my project: it is a Microsoft Windows 2003 Server (R2) web farm with a Microsoft SQL Server 2005 back-end (click here). The switches I chose were HP Procurve 2810-24G, for the following reasons:

1. Procurve switches have a lifetime warranty.
2. Procurve switches are one of the top 3 in the switch manufacturer business.
3. The ease in which they can be setup.
4. My personal familiarity and experience working with Procurves.

Some background about these switches.

HP Procurve switches are data-center-class switches with a choice of three different interfaces and two ways of reaching them. The three interfaces are the CLI (command line interface), the web interface and the text-based menu interface. I have never used the CLI, but I would imagine that it is similar to Cisco's switch CLI. The text-based menu is what I use. This interface can be extremely fast once you get used to navigating the menus: I am able to log on, change a port to a different VLAN and log off within about 10-15 seconds. The web GUI takes that long just to log on. I do like the web GUI to get a "feel" for the switch and the traffic patterns, but the full feature set is not available there for configuration. Creating VLANs, for example, cannot be done in the web GUI; the text menu or the CLI is needed for that. The two ways of reaching the switch are the console port and the IP address. The console port is the "first time" way to access the switch, since it doesn't have an IP address with the factory default settings.

Initial switch setup
Once you have connected to the switch with the console cable you are presented with a CLI prompt. At this point type "setup" (without quotes). This brings up the Switch Setup menu, which has several options: you can give the switch a name, set up SNMP, change the logon default (CLI or text menu) and give it an IP address, among others. I filled out all of the needed IP information and chose the text menu as the logon default. I saved the settings and then connected by IP address.

How I setup my switches
Once again, to review: I am connecting to the switches by IP address over Ethernet and using the text menu to configure them. My web farm is similar to the majority of web farms out there. There is a front-end network for handling the Internet traffic and a back-end network for intra-system communication. This is pretty standard stuff; I may write a post about it, or you can email me and I can explain it to you (bradATitnetworkguruDOTcom).

Back to how I set up my switches. I have two switches, one for each network. But since I only need to use about 8 ports, I set up half of the ports in one VLAN and the other half in another one (photo of my firewall and switch setup is here). The front-end switch currently has the web servers and the uplinks to the firewalls as the only ports used, so with my two web servers and failover firewalls attached to the switch only 4 ports are in use. The photo shows the other ports on the right being used also, but these are for the firewall external ports and are only used temporarily. The back-end switch (bottom one in the photo) has teamed NICs using LACP (802.3ad). This means that I am using two physical cables per logical network connection, and therefore twice the number of switch ports.

In order to configure the VLANs with the text menu, do the following:

1. Log on to the switch with telnet in manager mode
2. press number 2 "Switch Configuration"
3. press number 7 "VLAN Menu..."
4. press number 1 "VLAN Names"
5. press "Add"

VLANs can be added at this point. The 802.1Q VLAN ID can be any unique number from 1 to 4094 (0 and 4095 are reserved by the standard). The name can be anything you want (up to 12 characters). I call it something descriptive like BackEnd for the back-end network.

6. press "save"

Repeat this procedure for as many VLANs as you need. We should now have at least 2 VLANs, one for the front-end traffic and one for the back-end traffic. None of our switch ports are in the new VLANs yet, but I will go over this in a moment. First let's create the switch trunks.

I recommend creating the trunks at this point. We are creating the trunks for the teamed NICs in the back-end, one trunk per teamed NIC pair. After this step we can go back and add the necessary ports to the VLANs. If we add the ports now and then create the trunks, we will have to go back and add the trunks to the VLAN as well, which is double the work.

To create the trunks, make sure you are still logged on in manager mode with telnet in text menu mode.

1. press number 2 "Switch Configuration"
2. press number 2 "Port/Trunk Settings"
3. scroll to Edit option with the arrow keys and press enter.
4. scroll to the ports that you are using for your teamed NICs. I always put these NICs in sequential order, so for example ports 13 and 14 will be Trk1.
5. scroll over to "Group" and press the space bar to change the trunk number. If this is the first trunk then I would recommend "Trk1".
6. scroll to the right to the "Type" column and press the space bar until you see "LACP".
7. scroll to the port of the second NIC in the team and follow the same procedure as for the first NIC.
8. Repeat steps 5-7 until all of the teamed NIC pairs are in separate trunks.
9. Once finished press enter and save.

We are now ready to add all of the necessary ports to the proper VLAN. Since I only have 2 VLANs and I want half of the ports in one and the other half in the other, it is pretty simple. First we need to get back into the VLAN Menu, using the same steps we used to create the VLAN.

1. Log on to the switch with telnet in manager mode
2. press number 2 "Switch Configuration"
3. press number 7 "VLAN Menu..."

4. press number 3 "VLAN Port Assignment"
5. Scroll to Edit and press enter.
6. Scroll with the arrow keys to the first port that you want to change.

Each port that you want in a VLAN must be "untagged" in that VLAN only; you can't untag a port in two VLANs. As you look at the screen, all of the ports should be untagged in the Default_VLAN with a "No" in the second VLAN column. You can use the Default_VLAN as one of your VLANs, as I did. If we are adding ports to the back-end VLAN then we need to highlight the port in the Default_VLAN column and do the following:

REMEMBER: Changing the port that you are using to connect to the switch will disconnect you!

7. press the space bar until it says "No".
8. scroll to the right into the back-end VLAN column and press the space bar until it says "Untagged".
9. repeat this procedure until all of the ports are untagged in the proper VLAN.
10. press enter and scroll to Save and press enter.

That's it. Once you are ready to log off, press 0 twice to exit the menu and confirm the logoff.
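The same configuration typed at the 2810 CLI, as an added example rather than something from the original post. It keeps the layout described above: Default_VLAN (VLAN 1) stays as the front-end VLAN, VLAN 20 is assumed as the BackEnd ID, ports 13-16 are assumed to be the two teamed-NIC pairs and ports 17-24 the rest of the back-end half. LACP members are placed in a VLAN by their trunk name (trk1), not by port number, which is the reason the post creates the trunks before the port assignment. The last block replaces telnet and the web GUI with SSH: the menu steps above send the manager password in cleartext over telnet, and the 2810 supports SSH.

```text
; ProCurve 2810 CLI (choose "CLI" at the setup prompt; "menu" returns to the text menus)
configure
; LACP trunks for the two back-end NIC teams (assumed ports 13-14 and 15-16)
trunk 13-14 trk1 lacp
trunk 15-16 trk2 lacp
; back-end VLAN; trunk members are referenced as trk1/trk2, never as ports 13-16
vlan 20
   name BackEnd
   untagged 17-24,trk1,trk2
   exit
; ports 1-12 stay untagged in VLAN 1 (DEFAULT_VLAN), which remains the front-end VLAN;
; a port untagged in VLAN 20 is removed from VLAN 1 automatically
; management: SSH instead of cleartext telnet, and no web GUI on the production switch
crypto key generate ssh
ip ssh
no telnet-server
no web-management
write memory
show vlans
show trunks
```

`show vlans` and `show trunks` are the checks to run before walking away: every back-end port and both trunk groups should list VLAN 20 as untagged, and nothing should appear untagged in two VLANs. Run them again after the failover drill described below, since the port moves are done by hand.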


How the Failover/Disaster Recovery Works
The reason for setting up the switches in this manner is failover. As I mentioned earlier, the HP switches have a lifetime warranty, but the problem is what you do after a switch fails while you are waiting for a replacement. With this setup either switch can fail, and my total downtime will depend on how long it takes me to drive to the data center, or for the data center staff to move all of the ports over. This is an acceptable risk considering that only one HP switch has ever failed on me in my career.

Conclusion
This is how you create VLANs and use a spare switch for disaster recovery. This is a very basic introduction to VLANs; I didn't get into the other options such as tagging and forbidding ports. I will save those for another post...



Sunday, February 18, 2007

Data Centers Use 90% More Electricity

Data centers are using 90% more electricity. It's not because of the price of electricity; it is the number of servers that each data center houses. The main factor behind such a large increase is the number of smaller, low-end servers, which are used for VoIP, video and music. One way to stop the increase from continuing is virtualization software, which reduces the physical number of servers needed and thus the amount of electricity.



Sunday, February 11, 2007

HP Integrated Lights-Out 2 (iLO) - Management Network

My past experience was unfortunately with Dell servers. I could never convince my old employer that HP servers were better. I guess they didn't care or didn't mind that I needed to drive to the data center to reboot a frozen server in the middle of the night. At my new job with uptime being so important the obvious choice for servers was HP. Compared to Dell...well there is no comparison. Dell is always a generation behind on their management programs. I had limited experience with HP servers at some of my old clients and I could see that this is the way to go.

There are several versions of the iLO software, and every HP ProLiant DL server comes with the basic version. The basic version gives you virtual power switch control, with the options of a momentary press of the power button or a press-and-hold for several seconds. The basic version is what I am using for now; my main concern is rebooting a frozen server at 3:00am without having to drive to the data center ;). The advanced version gives you full KVM access, even to the boot screen. I haven't recommended the advanced version to management yet, but I can see that having it would be very useful.

The way I set up my server environment was with a separate private "iLO network". The network is totally closed, with no access to the Internet. I have a separate server which I use for monitoring my production servers (see my post "My Latest Project" for a description of the hardware setup). First I set up all of my production servers with an iLO address on a private 192.168.0.0/24 network. You do this when the server boots: press F8 when you see the iLO prompt. There are several options in this menu; you need to turn off "get a DHCP address" and manually enter your private IP address. I chose a simple sequential numbering scheme starting with 192.168.0.3 for my servers (.1 and .2 are for my two firewalls). 192.168.0.9 is my last IP address, which is for the monitoring server. I probably can never reach this server with iLO when it crashes, since my only access is from this same server.

Here is my monitoring server NIC setup.

NIC 1 - front-end IP address
NIC 2 - back-end 172.16.0.0/24 address
NIC 3 - iLO network 192.168.0.9
NIC 4 - iLO management 192.168.0.8

From this server I can reach all of my other servers through the iLO web interface. As long as this server is up and running I will be able to reboot and control my production servers.

The NICs of my other production web/SQL servers are set up in a similar way, except they only have the front-end, back-end and iLO management NICs. These servers don't actually communicate over the iLO network; their iLO processors only listen for commands from the monitoring server. Within my production setup (photo of my firewall/switch setup here) I don't include my iLO switch. Since the production network can't have any downtime I bought a pair of high-end switches, but the uptime of the iLO network is not as critical, so I just used a cheap workgroup switch. If it fails then it's no big deal; I will just go buy another one and pop it in during business hours. I think the risk of this switch failing and one of the servers failing at the same time is very low.

That's it, the iLO network is set up. I put some favorites in my web browser so I can quickly access each server without having to remember the IP addresses. Also, for a cool effect, use different-colored Ethernet cables for each network: I use one color for the front-end, one for the back-end and a different one for the iLO network. It makes it easier when it is time to move on and the new sysadmin is trying to figure out how the system works... but we don't care about him/her now, do we???? :)



Saturday, February 10, 2007

Setting up two Cisco ASA 5510s - Active/Passive

Part of the project for doublepositive was to set everything up so that if one piece of hardware failed a backup would be in place and able to take over. While spec'ing the requirements for this project I looked at the 5505 and the 5510. Both are on the lower end as far as capacity and throughput go (here is a link to their specs), but for the amount of traffic we are anticipating the 5510 will work well for the next 3-5 years. The 5510 also has stateful active/passive failover; the 5505 does not. Since most if not all of our applications require clients to use our web applications, stateful failover is very important.

The 5510 has five Ethernet ports (a dedicated management port and four for actually handling traffic) plus two RJ-45 serial ports, console and aux. The management port is nice since it has a built-in DHCP server; I used this for the initial setup (no crossover cable needed). The console port gives you the CLI. I normally use this for my day-to-day administration, like access list changes and adding static maps or names. I have never used the aux port; if anyone does use it and would like to share their experience, let me know. The 4 traffic ports can be set up in any way that you like. They are numbered 0-3. I have port 0 as my outside interface, port 1 as my inside, port 2 as my failover link and port 3 as my stateful failover link. Using a separate port for the stateful failover link is optional, but since I will not have any other networks (just inside and outside) I chose to use the extra port. Here is a link to a photo of my setup. Once you come up with an IP scheme, or are given an IP address to use, the setup is pretty straightforward.

More on this in the next part...



Wednesday, February 7, 2007

Cisco/HP Hardware Project

Here is what I have been doing lately. Some background: the company I work for needed to expand their IT infrastructure from a small business server with one additional web server to a web server farm with replicated SQL servers. They are a Microsoft shop (and that is where my talents are also), so they use MS for everything. I was given one requirement: the system can't go down. So with this in mind I was going to build the system of my dreams. At the beginning I had visions of geographically load-balanced farms in several locations, maybe one in Spain and one in the US, just so I could have a reason to go to Europe ;). But of course $ matters, so I needed to build something a bit more realistic.

Here is the system that I am building.

2 - Cisco ASA 5510 (with security bundle)
2 - HP Procurve switches (2810-24G)
2 - HP ProLiant DL 380 G5 Web Servers
2 - HP ProLiant DL 380 G5 SQL Servers
1 - HP ProLiant DL 320 G5 Monitoring Server

The two 5510s are set up in an Active/Passive failover configuration. Here is the document I used to set this up. Click Here

The two HP Procurve switches are set up in a sort of manual failover. Each switch has 2 VLANs: one VLAN for the Front-end (web) traffic and the other for the Back-end (SQL) traffic. Each switch is only using one of the VLANs at a time, unless a switch fails. When that happens I will be able to (drive to the datacenter and) move all of the cables from the failed switch to the one that is functioning, and everything will come back up. Here is a link for more information about these switches. Click Here

All of the HP 380 servers have the same failover configuration except for the amount of RAM and disk drives. The web servers have 2 GB of RAM and a RAID 1 of 72 GB SAS drives. The SQL servers have 4 GB of RAM with the same RAID 1 as the web servers, but also a RAID 5 for the database files; I chose five 146 GB SAS drives for this. The NIC configuration is a little different. For the web servers I used 2 PCIe dual-port gigabit NICs along with the on-board NICs. I was able to team two of the ports of the PCIe NICs with each other to protect against cable, switch port and NIC port failure. (LACP trunking needed to be set up on the switches.)

The HP 320 server is a 1U server and isn't too powerful or special. This server will have AdventNet's OpManager and HP's Insight Manager installed on it and will be used for monitoring (and to send me emails in the middle of the night). I will also use this server for the database mirror witness role, but more about this another night...

Technology Companies

I sometimes wonder how a company can stay in business. I used to work for a company that would stumble over itself internally. Every manager or vice president had his/her own idea about how to do something. One vice president would want to direct the company toward a special technology and another one would want to move another way. They would accept contracts for which they didn't have any specialists. They would then feverishly look for someone with that speciality (even offering referral bonuses to employees). If they couldn't find someone, they would turn down the contract. I really couldn't believe it.

Tuesday, February 6, 2007

Will this technology Work?

Here I am, starting to blog. I remember hating to write when I was in school. I guess that is what happens when you get old.


