Although network administrators generally focus on
server-level security, which protects data stored on the server itself,
they must keep in mind that the server they are protecting is connected
to a local area network (LAN), and usually to the Internet, because that
connectivity is what lets it do its job.
To properly protect a
server from attack, administrators should implement multiple layers of
defense, each reinforcing the other, and each specializing in repelling
certain types of attacks. Firewalls, network perimeters, accessibility
options for users, security policies, and more are integral components
that must be well designed and properly implemented to be effective.
A phrase coined by the
military, “defense in depth,” is used to describe this strategy. Defense
in depth increases a server’s security by creating multiple layers of
protection between the server and potential attackers. An attacker who
successfully maneuvers through the first line of defense finds himself
faced with a second challenge, one requiring different skills and tools
to bypass, and then a third, and so on.
Hardening Windows Server 2008
Exchange Server 2010 is
designed to run on Windows Server 2008 or Windows Server 2008 R2. No
matter what steps you take to secure your Exchange Server 2010 servers,
if the underlying operating system (OS) is not secure, the Exchange
Server installation is vulnerable to attack. Therefore, it is critical
that you secure Windows Server 2008 by utilizing a combination of your
organization’s security standards and industry best practices.
Layered Approach to Server Security
When discussing
security measures, whether server-level or transport-level, protective
measures work best when they are applied in layers. For example, if a
thief were to attempt to steal your car, it might not be very
challenging if all they had to do was break the window and hot-wire the
vehicle. However, if you were to add a car alarm, or install an
ignition block that requires a coded key, the level of difficulty is
increased. Each of these obstacles takes additional time, as well as
additional skill sets, to overcome.
This same principle
applies to both server- and transport-level security methods. By
applying multiple layers of security, you can effectively decrease the
likelihood of a malicious user successfully tampering with your systems.
Many security features are already built in to Windows Server 2008. Among these are the following:
Kerberos authentication—
Windows Server 2008 uses the Kerberos authentication protocol to
provide a mechanism for authentication between a client and a server, or
between two servers.
NTFS file security—
Utilizing the NTFS file system provides improved performance and
reliability over traditional file allocation table (FAT) file systems.
NTFS has built-in security features, such as file and folder permissions
and the Encrypting File System (EFS).
Windows Server
2008 also includes built-in security tools and features to help secure
your environment. Among these are object-based access control, automated
security policies, auditing, Public Key Infrastructure (PKI), and
trusts between domains.
Physical Security Considerations
The first layer of
security for any server, and one that is often overlooked, is preventing
physical access to the computer. It takes very little skill or
knowledge to simply unplug a computer or to remove it from the network;
however, this could have a serious impact on your environment even if
the intruder was not able to access your data. In addition, just as
security professionals have tools and utilities to assist with the
defense of computer systems, hackers have tools and utilities to assist
them with their attacks. If a hacker can get physical access to a
server, he can use a variety of methods to circumvent password security,
such as booting from removable media to reset local account passwords or
reading the disks offline.
At a minimum, servers should be physically secured behind locked doors, preferably in an environmentally controlled area.
Some common physical security methods are the following:
Configure the server BIOS so that it will not boot from a floppy disk drive, CD-ROM, or USB device, but only from the internal system disk.
Password protect the BIOS so that it cannot be reconfigured.
Lock the server case to prevent access to the BIOS jumpers on the motherboard.
Enclose the server in a locked cage or locked room that has limited access.
Restricting Logon Access
All servers should
be configured so that only administrators can log on at the console.
Exchange Server 2010 itself does not grant the Domain Users group the
right to log on locally; whether members of that group can reach the
console is governed by the Windows user rights "Allow log on locally" and
"Deny log on locally," which should be reviewed on each server and
restricted to administrators. This prevents non-administrators from
logging on to the server even if they gain physical access to it.
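The following script, added here as an example and not part of the original text, exports the local security policy with secedit.exe (which ships with Windows Server 2008) and reports which principals hold the interactive logon rights, warning when a broad group such as Users or Everyone can log on at the console. Run it from an elevated PowerShell 2.0 prompt on the Exchange server.

```powershell
# Added example (not from the original text): export the local user-rights
# assignments and show who can log on at the console of this server.
$cfg = Join-Path $env:TEMP 'userrights.inf'
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null

function Resolve-Principal([string]$entry) {
    # secedit writes SIDs as *S-1-5-...; names it could not resolve stay as text.
    if ($entry -like '*S-1-*') {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { return $entry }
    }
    return $entry
}

# Parse the [Privilege Rights] section into right -> list of principals.
$rights = @{}
foreach ($line in (Get-Content $cfg)) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rightName = $matches[1]
        $rawList   = $matches[2]
        $names = @()
        foreach ($e in $rawList.Split(',')) {
            if ($e.Trim()) { $names += Resolve-Principal $e.Trim() }
        }
        $rights[$rightName] = $names
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

foreach ($right in 'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight',
                   'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
    $holders = $rights[$right]
    if (-not $holders) { $holders = @('(no one)') }
    '{0,-36} {1}' -f $right, ($holders -join ', ')
}

# Flag the condition the text warns about: a broad group able to log on at the console.
$broad = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
$exposed = @($rights['SeInteractiveLogonRight'] | Where-Object { $broad -contains $_ })
if ($exposed.Count -gt 0) {
    Write-Warning ('Console logon is open to: ' + ($exposed -join ', ') +
                   '. Restrict "Allow log on locally" to administrators via Group Policy.')
}
```

The report is read-only; the fix belongs in a GPO linked to the Exchange servers' OU (Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment), so that a server rebuilt later receives the same restriction.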
Auditing Security Events
Auditing
is a way to gather and keep track of activity on the network, devices,
and entire systems. By default, Windows Server 2008 enables some
auditing, but there are many additional auditing functions that must be
manually turned on to be used. This control allows your system to easily
be customized to monitor those features that you desire.
Although the primary
use of auditing methods is to identify security breaches, this feature
can also be used to monitor suspicious activity and to gain insight into
who is accessing the servers and what they are doing. Windows Server
2008’s auditing policies must first be enabled before activity can be
monitored.
Auditing Policies
Audit policies are the
basis for auditing events on a Windows Server 2008 system. Bear in mind
that auditing can require a significant amount of server resources and
can potentially slow server performance, especially if the server does
not have adequate memory or CPU bandwidth available. Also, as more and
more data is collected by auditing policies, it can require a
significant amount of effort to evaluate. Administrators should be
cautious, as gathering too much data can sometimes be overwhelming,
effectively diminishing the desired benefits. As such, it is important
to take the time to properly plan how your systems will be audited.
Audit policies
can track both successful and unsuccessful attempts for each type of event
in a Windows Server 2008 environment. The types of events that can be
monitored include the following:
Account logon events—
Each time a user attempts to log on, the successful or unsuccessful
event can be recorded. Failed logon attempts can include logon failures
for unknown user accounts, time restriction violations, expired user
accounts, insufficient rights for the user to log on locally, expired
account passwords, and locked-out accounts. These events are recorded on
the computer that validates the credentials, so for domain accounts they
appear on the domain controller rather than on the Exchange server.
Account management—
When an account is changed, an event can be logged and later examined.
Although this pertains more to Windows Server 2008 than Exchange Server
2010, it is still very relevant because permissions granted in Active
Directory can have an effect on what data or services an individual has
access to in Exchange Server.
Directory service access—
Whenever a user attempts to access an Active Directory object that has
its own system access control list (SACL), the event is logged.
Logon events— Logon and logoff activity on this server, whether at the console, over the network, or by services, is logged on the server where the session is created.
Object access— The object access policy logs an event when a user attempts to access a resource such as a printer or shared folder.
Policy change—
Each time an attempt to change a policy is made, the event is recorded.
This can apply to changes made to user rights, account audit policies,
and trust policies.
Privilege use— Each
exercise of a user right, such as changing the system time or taking
ownership of a file, can be logged. Successful or unsuccessful attempts
can be recorded.
Process tracking—
An event can be logged for each program or process that a user launches
while accessing a system. This information can be very detailed and
take a significant amount of resources.
System events— The system events policy logs specific system events, such as a computer restart or shutdown.
The audit policies can
be enabled or disabled through either the local system policy or Group
Policy Objects (GPOs), which can be accessed using the Group Policy
Management Console (GPMC).
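The script below is an added example and not part of the original text. It maps the audit categories listed above to the finer-grained subcategories that auditpol.exe (built into Windows Server 2008) actually sets, applies them on the local server when run with -Apply, prints the effective policy, and then summarizes the failed logons (event ID 4625) the Logon subcategory produces, using Get-WinEvent from PowerShell 2.0. The success/failure choices are this example's own starting point, not a Microsoft baseline; process tracking is deliberately left off because of the cost the text describes.

```powershell
# Added example (not from the original text): set, verify and consume the
# audit policy described in this section.
param([switch]$Apply)

# Category from the text -> auditpol subcategory, and what to record.
$baseline = @(
    @{ Category = 'Account logon';            Sub = 'Credential Validation';     S = 'enable';  F = 'enable' },
    @{ Category = 'Account management';       Sub = 'User Account Management';   S = 'enable';  F = 'enable' },
    @{ Category = 'Account management';       Sub = 'Security Group Management'; S = 'enable';  F = 'enable' },
    @{ Category = 'Directory service access'; Sub = 'Directory Service Access';  S = 'disable'; F = 'enable' },
    @{ Category = 'Logon';                    Sub = 'Logon';                     S = 'enable';  F = 'enable' },
    @{ Category = 'Logon';                    Sub = 'Account Lockout';           S = 'enable';  F = 'enable' },
    @{ Category = 'Object access';            Sub = 'File System';               S = 'disable'; F = 'enable' },
    @{ Category = 'Policy change';            Sub = 'Audit Policy Change';       S = 'enable';  F = 'enable' },
    @{ Category = 'Privilege use';            Sub = 'Sensitive Privilege Use';   S = 'disable'; F = 'enable' },
    @{ Category = 'System';                   Sub = 'Security State Change';     S = 'enable';  F = 'enable' }
)

if ($Apply) {
    foreach ($b in $baseline) {
        & auditpol.exe /set "/subcategory:$($b.Sub)" "/success:$($b.S)" "/failure:$($b.F)" | Out-Null
    }
}
# Effective policy, whatever set it (local auditpol or Group Policy).
& auditpol.exe /get /category:*

# Summarize the last 24 hours of failed logons (event 4625) by account and source.
$since  = (Get-Date).AddHours(-24)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
            -ErrorAction SilentlyContinue)
$rows = foreach ($ev in $events) {
    $xml = [xml]$ev.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    New-Object PSObject -Property @{
        Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        Source    = $d['IpAddress']
        LogonType = $d['LogonType']            # 2 console, 3 network, 10 remote desktop
        Status    = $d['SubStatus']            # 0xC000006A bad password, 0xC0000064 unknown user
    }
}
"{0} failed logons since {1}" -f $rows.Count, $since
$rows | Group-Object Account, Source | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize
```

One caveat for domain members: a GPO that sets the legacy nine audit categories overwrites these subcategory settings at the next policy refresh unless the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled, so in practice the subcategory baseline should be delivered through Group Policy as well rather than left as a local auditpol setting.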
Keeping Services to a Minimum
Depending on the role
that an Exchange Server 2010 server will fulfill, not all services that
are installed by default are necessary for the server to function. It is
considered a best practice to limit the number of entry points
(services) into a server to only those required. Any services that are
not necessary for the system to operate properly should be disabled.
Although this can be done manually on a server-by-server basis, it can
also be performed using a customized security template to ensure all
servers in your environment are configured properly.
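As an added example that is not part of the original text, the script below identifies the services set to start automatically that neither the installed Exchange services (names beginning MSExchange) depend on, transitively, nor a small Windows baseline requires, and disables them only when run with -Apply. The baseline list and the IIS entries are this example's own assumptions; Exchange roles that host Outlook Web App, Exchange Web Services, or ActiveSync need IIS even though no MSExchange service declares it as a dependency, so confirm the list against each role and test on a lab server first. Win32_Service is used because Get-Service in PowerShell 2.0 does not expose the start mode.

```powershell
# Added example (not from the original text): find and optionally disable
# automatic services that nothing on this Exchange server needs.
param([switch]$Apply)

function Get-RequiredServices([string[]]$roots) {
    # Walk ServicesDependedOn transitively from the given service names.
    $seen  = @{}
    $queue = New-Object System.Collections.Queue
    foreach ($r in $roots) { $queue.Enqueue($r) }
    while ($queue.Count -gt 0) {
        $name = $queue.Dequeue()
        if ($seen.ContainsKey($name)) { continue }
        $seen[$name] = $true
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc) { foreach ($d in $svc.ServicesDependedOn) { $queue.Enqueue($d.Name) } }
    }
    return @($seen.Keys)
}

$exchangeServices = @(Get-Service | Where-Object { $_.Name -like 'MSExchange*' } | ForEach-Object { $_.Name })
if ($exchangeServices.Count -eq 0) { Write-Warning 'No MSExchange* services found; is this an Exchange server?' }
$required = Get-RequiredServices $exchangeServices

# Assumed baseline: what a domain-joined Windows Server 2008 needs for domain
# membership, management, patching and the host firewall.
$windowsBaseline = 'EventLog', 'RpcSs', 'Dhcp', 'Dnscache', 'Netlogon', 'LanmanWorkstation',
                   'LanmanServer', 'W32Time', 'wuauserv', 'BITS', 'WinRM', 'Winmgmt', 'TermService',
                   'MpsSvc', 'BFE', 'PlugPlay', 'gpsvc', 'CryptSvc', 'Schedule'
# Assumed role additions: IIS hosts OWA/EWS/ActiveSync on Client Access servers.
$roleBaseline = 'W3SVC', 'WAS', 'IISADMIN'

$allowed = @{}
foreach ($n in (@($required) + @($windowsBaseline) + @($roleBaseline))) { $allowed[$n.ToLower()] = $true }

$candidates = @(Get-WmiObject Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and -not $allowed.ContainsKey($_.Name.ToLower()) })

if ($candidates.Count -eq 0) { 'No automatic services outside the allow list.' }
$candidates | Select-Object Name, DisplayName, State | Format-Table -AutoSize

if ($Apply) {
    foreach ($c in $candidates) {
        Set-Service -Name $c.Name -StartupType Disabled
        Stop-Service -Name $c.Name -Force -ErrorAction SilentlyContinue
        "Disabled $($c.Name)"
    }
}
```

Run it without -Apply first and review the candidate list; anything you decide to keep goes into the baseline so the same script produces identical results on every server of that role, which is the consistency the text asks for.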
Locking Down the File System
Files stored on a
Windows Server 2008, including mail databases, are only as secure as the
permissions that are assigned to protect them. As such, it is good to
know that Windows Server 2008 does not grant the Everyone
group full control over share-level and NTFS-level permissions by
default. In addition, critical operating system files and directories
are secured to disallow their unauthorized use.
Despite the
overall improvements made, a complete understanding of file-level
security is recommended to ensure that your files are properly
protected.
Note
For increased file-level
security, the Exchange Server 2010 installation process requires that
partitions on the underlying operating system are formatted as NTFS.
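The following script is an added example and not part of the original text. It checks that every fixed volume is NTFS, as the note above requires, and then scans the directories that hold Exchange databases and logs for allow entries that give Everyone, Users, or Authenticated Users any write-class right. The two paths are assumptions for illustration; on a real server take them from the Exchange Management Shell (Get-MailboxDatabase, EdbFilePath and LogFolderPath).

```powershell
# Added example (not from the original text): verify NTFS and look for broad
# write access on Exchange data directories.
$paths = 'D:\ExchangeDatabases', 'E:\ExchangeLogs'   # assumed locations

# 1. File system check: Exchange Server 2010 requires NTFS.
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' | ForEach-Object {
    $state = if ($_.FileSystem -eq 'NTFS') { 'ok' } else { 'NOT NTFS' }
    '{0} {1,-6} {2}' -f $_.DeviceID, $_.FileSystem, $state
}

# 2. ACL check: any allow ACE for a broad principal that carries a write-class right.
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete, ChangePermissions, TakeOwnership'

function Test-BroadWrite([string]$path) {
    # Returns the offending ACEs for $path; empty when the directory is clean.
    $acl = Get-Acl -Path $path
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        # Generic rights on some inherited ACEs show as large integers and are
        # not decoded here; review those by hand with icacls.
        if ($broad -contains $id -and $ace.AccessControlType -eq 'Allow' -and
            (([int]$ace.FileSystemRights) -band ([int]$writeMask))) {
            New-Object PSObject -Property @{ Path = $path; Identity = $id; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
        }
    }
}

foreach ($p in $paths) {
    if (-not (Test-Path $p)) { Write-Warning "$p not found"; continue }
    $hits = @(Test-BroadWrite $p)
    if ($hits.Count -eq 0) { "$p: no broad write access" }
    else { $hits | Format-Table Path, Identity, Rights, Inherited -AutoSize }
}
```

Inherited entries cannot be removed on the child; fix them on the parent, or break inheritance on the data directory and grant only SYSTEM, Administrators, and the Exchange Trusted Subsystem group (for example with icacls /inheritance:d followed by icacls /remove). Re-run the script afterwards to confirm.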
Using the Microsoft Baseline Security Analyzer
The Microsoft Baseline
Security Analyzer (MBSA) is a tool that identifies common security
misconfigurations and missing hotfixes. This information is gathered via
local or remote scans of Windows systems. MBSA can scan a single Windows
system and produce a security assessment together with a list of
recommended corrective actions, and it can scan multiple Windows-based
servers on the network, checking each installed role for
vulnerabilities. This allows administrators to ensure systems are up to
date with the latest security-related patches.
The MBSA can be downloaded from the Microsoft website at www.microsoft.com/mbsa.
Implementing Industry Standards and Guidelines
As
discussed previously, Microsoft has gone to great lengths to provide
secure and reliable products. Moreover, it has worked closely with
companies, government agencies, security consultants, and others to
address security issues in the computer industry.
In addition to
Microsoft security standards and guidelines, it is advisable that
organizations use recommended best practices compiled by the National
Institute of Standards and Technology (NIST) and the National Security
Agency (NSA). Both NIST and NSA provide security lockdown configuration
standards and guidelines that can be downloaded from their websites (http://www.nist.gov and http://www.nsa.gov, respectively).
Using the Security Configuration Wizard
The Security Configuration
Wizard (SCW) is an attack-surface reduction tool for Windows Server 2008
RTM/R2. The SCW guides administrators in creating security policies
based on the minimum functionality required for a server’s role or
roles.
SCW reviews the computer configuration, including but not limited to, the following:
Services— SCW limits the number of services in use.
Packet filtering— SCW can configure certain ports and protocols.
Auditing— Auditing can be configured based on the computer’s role and the organization’s security requirements.
Internet Information Services (IIS)— SCW can secure IIS, including web extensions and legacy virtual directories.
Server roles and tasks—
The role (file, database, messaging, web server, and so on), specific
tasks (backup, content indexing, and so on), and placement in an
environment of a computer is a critical component in any lockdown
process or procedure. Application services are also evaluated from
products such as Exchange Server, SQL Server, ISA Server, SharePoint
Portal Server, and Operations Manager.
Caution
The SCW is a very
flexible and powerful security analysis and configuration tool. As a
result, it is important to keep control over when and how the tool is
used because system performance can be greatly degraded while the wizard
is running. Equally important is testing possible configurations in a
segmented lab environment prior to implementation. Without proper
testing, a policy can break required functionality or lock a server down
so far that it no longer serves its role.
The SCW is used
to assist in building specific security-related policies and to analyze
computers against those policies to ensure compliance. SCW actually
combines many of the security-related tasks performed by several other
Microsoft security tools. For instance, SCW can take existing security
templates created from the Security Configuration and Analysis tool and
expand upon the restrictions to meet an organization’s security policy requirements.
In addition, SCW can analyze computers for any security updates that
are needed, integrate with Group Policy, and provide a knowledge base
repository.
Running SCW
The SCW is installed
by default on all Windows Server 2008 installations and is located in
the Administrative Tools section of the Start menu. When you run the
SCW, you will have an opportunity to select what roles the server plays.
Note that the SCW has already selected the roles that it is aware of,
as shown in Figure 1.
The SCW continues, giving
you the opportunity to select client features (such as domain name
system [DNS], Dynamic Host Configuration Protocol [DHCP], or the
Automatic Update Client), and installed options (such as a global
catalog, Windows Firewall, or time synchronization). Finally, there
might be an additional screen for additional services. After you have
selected all of the appropriate features, you must confirm service
changes.
The SCW
continues through network security changes (locking down unused ports),
Registry settings, and configuring policy auditing. After finishing, you
have the option to apply the security policy to the computer
immediately, or save it to apply to this server (or other servers)
later.
Securing Servers with Security Templates
Security templates
are a practical and effective means to apply security policies and
configurations to Exchange servers. Although security templates are
provided with Windows Server 2008, it is recommended to customize them
prior to applying them using the Security Configuration and Analysis
Microsoft Management Console (MMC) snap-in.
This not only
ensures that computers are identically configured with the same security
configurations, but it also is an easy way to configure appropriate
security measures for those computers that are not managed using GPOs.
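The script below is an added example, not part of the original text, covering the command-line side of the two preceding sections: scwcmd.exe (installed with the SCW on Windows Server 2008) analyzes and applies an SCW policy to many servers or converts it into a GPO, and secedit.exe analyzes and applies a classic security template built in the Security Templates snap-in. The policy and template files, server names, and GPO name are assumptions for illustration. Steps that change a server are left commented so the script as written only reports.

```powershell
# Added example (not from the original text): SCW policy and security
# template workflow from the command line.
$policy   = 'C:\Policies\Exchange2010-ClientAccess.xml'  # assumed; saved from the SCW on a reference server
$template = 'C:\Policies\Exchange2010-baseline.inf'      # assumed; built with the Security Templates snap-in
$servers  = 'EX-CAS01', 'EX-CAS02'                        # assumed names
$results  = 'C:\Policies\Results'
New-Item -ItemType Directory -Path $results -Force | Out-Null

# 1. Analyze only: compare each server's current state to the policy. Nothing
#    is changed; one results file per server lands under $results and
#    "scwcmd view /x:<file>" renders it for review.
foreach ($s in $servers) {
    & scwcmd.exe analyze "/m:$s" "/p:$policy" "/o:$results"
}

# 2. Apply after the analysis has been reviewed in the lab. rollback undoes the
#    most recent configure on that machine if something breaks.
# foreach ($s in $servers) { & scwcmd.exe configure "/m:$s" "/p:$policy" }
# & scwcmd.exe rollback "/m:EX-CAS01"

# 3. Or turn the policy into a GPO and link it to the Exchange servers' OU, so
#    every server in the OU, including ones built later, receives it.
# & scwcmd.exe transform "/p:$policy" "/g:Exchange 2010 CAS Hardening"

# 4. Classic security templates: secedit compares the template to the local
#    machine and logs every mismatch; /configure applies it.
$db  = Join-Path $env:TEMP 'baseline.sdb'
$log = Join-Path $env:TEMP 'baseline-analyze.log'
& secedit.exe /analyze /db $db /cfg $template /log $log /quiet
Select-String -Path $log -Pattern 'Mismatch' | ForEach-Object { $_.Line }
# & secedit.exe /configure /db $db /cfg $template /log (Join-Path $env:TEMP 'baseline-apply.log') /overwrite /quiet
```

The analyze step is what gives you the ongoing compliance check the text mentions: scheduling it against the production servers and diffing the results against the lab run shows drift before it becomes an exposure.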
Note
Microsoft
creates Exchange Server-specific security templates and distributes
them through their website. However, at the time of this writing, the
security templates for Exchange Server 2010 have not yet been released.
Keeping Up with Security Patches and Updates
One of the least
glamorous, but most important, security measures an organization can
take is to ensure all of their products have the latest security patches
implemented in a timely fashion. Applying service packs, security
updates, and hotfixes for the operating system, as well as applications
such as Exchange Server 2010, are crucial to maintaining a secure
environment. As security shortcomings are identified, these service
packs and hotfixes close the holes, often before they become publicly
known, effectively protecting your environment from malicious users.
Note
Thoroughly test
and evaluate service packs and hotfixes in a lab environment before
installing them on production servers. Also, install the appropriate
service packs and hotfixes on each production server to keep all systems
consistent.
Windows Update
Windows Update
is a web service, accessed in Microsoft Internet Explorer (Tools,
Windows Update) that scans a local system and determines if the system
has all current updates installed. This tool is extremely useful on
individual systems, but can be time consuming when used to update
multiple systems within an organization.
Windows Server Update Services
Windows Server
Update Services (WSUS), the successor to Software Update Services (SUS),
reduces the administration, management, and maintenance burden on
small to midsized organizations by letting a local server communicate
directly and securely with Microsoft to gather the latest security
updates and service packs. WSUS runs on Windows Server 2008 and can
distribute updates for Exchange Server as well as for Windows itself.
The primary differences between WSUS and its predecessor are as follows:
Support for a greater number of products, including service pack updates
The ability to target computers using Group Policy or scripts
Reports on update installation status
Performs basic hardware inventory
With WSUS, the
updates are downloaded from Microsoft to a local WSUS server. They can
then be distributed to a lab environment for testing, or to targeted
production servers. After being tested and approved, WSUS can be used to
automatically distribute the updates
throughout your environment. By utilizing this service, updates can be
downloaded from Microsoft once, and distributed locally, saving a
significant amount of bandwidth when compared to hundreds (or thousands)
of systems each downloading the updates themselves.
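As an added example that is not part of the original text, the script below points a server at an internal WSUS server using the documented Windows Update policy registry values, forces a detection cycle, and then asks the Windows Update Agent (through the Microsoft.Update.Session COM interface) what is approved for this server but not yet installed. The WSUS URL and the target group name are assumptions for illustration; the registry changes are made only with -Apply.

```powershell
# Added example (not from the original text): WSUS client configuration and
# pending-update report for an Exchange server.
param([switch]$Apply)
$wsusUrl = 'http://wsus01.corp.example:8530'   # assumed; 8530 is the WSUS default HTTP port
$group   = 'Exchange-Pilot'                     # assumed client-side targeting group

$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
if ($Apply) {
    New-Item -Path "$pol\AU" -Force | Out-Null       # creates the parent key too
    Set-ItemProperty -Path $pol -Name WUServer           -Value $wsusUrl
    Set-ItemProperty -Path $pol -Name WUStatusServer     -Value $wsusUrl
    Set-ItemProperty -Path $pol -Name TargetGroupEnabled -Value 1 -Type DWord
    Set-ItemProperty -Path $pol -Name TargetGroup        -Value $group
    Set-ItemProperty -Path "$pol\AU" -Name UseWUServer   -Value 1 -Type DWord
    # AUOptions 3: download automatically, let an administrator choose when to install.
    Set-ItemProperty -Path "$pol\AU" -Name AUOptions     -Value 3 -Type DWord
    Set-ItemProperty -Path "$pol\AU" -Name NoAutoUpdate  -Value 0 -Type DWord
    & wuauclt.exe /resetauthorization /detectnow
}

# Effective settings, whether set by this script or by Group Policy.
Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue | Select-Object WUServer, TargetGroup

# What the agent considers approved for this server and still missing.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
'{0} update(s) pending:' -f $result.Updates.Count
foreach ($u in $result.Updates) {
    $kb = @($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
    '{0,-14} {1,-10} {2}' -f $kb, $u.MsrcSeverity, $u.Title
}
```

Because a WSUS-managed agent only sees updates approved for its target group, the lab-then-production flow described above is enforced by approving for the pilot group first and the production group after testing; comparing Get-HotFix output across the production servers afterwards confirms they all ended up at the same patch level.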