Securing Windows NT/2000 Servers for the Internet: A Checklist for System Administrators

Paperback
Author: Stefan Norberg

ISBN-10: 1565927680

ISBN-13: 9781565927681

Category: Operating Systems - Computer Networks

In recent years, Windows NT and Windows 2000 systems have emerged as viable platforms for Internet servers. More and more organizations are now entrusting the full spectrum of business activities—including e-commerce—to Windows. Unfortunately, the typical Windows NT/2000 installation makes a Windows server an easy target for attacks, and configuring Windows for secure Internet use is a complex task. Securing Windows NT/2000 Servers for the Internet suggests a two-part strategy to accomplish...

This concise guide pares down installation and configuration instructions into a series of checklists for Windows administrators. Topics include: Windows NT/2000 security threats, architecture of the Windows NT/2000 operating system and typical perimeter networks, how to build a Windows NT bastion host, and configuring Windows and network services.

Internet Book Watch

Securing Windows NT/2000 Servers For The Internet by Stefan Norberg is designed to assist the experienced users of Windows NT/2000 to protect their computers from Internet intrusion, sabotage, information theft, and other unwanted encroachments. Very highly recommended for systems administrators and the non-specialist general users concerned with security issues, Securing Windows NT/2000 Servers For The Internet covers every aspect of building Windows 2000 security systems comprehensively.

Chapter 1: Windows NT/2000 Security

Hardening the Bastion Host

Microsoft's success in the network operating system market is largely because its products are so easy to use. The Windows server version has the familiar user interface that almost all office workers use every day. It's easy to get started, and you don't need in-depth knowledge of the operating system to install a Windows NT/2000 server. Most components are configured and started automatically, just as they are in the consumer Windows 95/Windows 98 operating system. These characteristics are attractive for an internal file and print server that isn't exposed to direct attack. However, you want something quite different for an external web server that serves the organization's customers and partners over the Internet. A system exposed in this way should provide a minimum of services and needs to be properly configured to ensure a higher level of security. As I mentioned earlier in this chapter, a system configured in this manner is referred to as a bastion host.

Basically, a bastion host is a computer system that is a critical component in a network security system, and one that is exposed to attack. Examples of bastion hosts are firewall gateways, web servers, FTP servers, and Domain Name Service (DNS) servers. Because bastion hosts are so important--and so vulnerable--such systems must be highly fortified. You must pay special attention to fortifying (i.e., establishing the maximum possible security for) the bastion host during both initial construction and ongoing operation.

Why are such systems called bastion hosts? The American Heritage Dictionary defines a bastion as:

A projecting part of a rampart or other fortification.
A well-fortified position or area.
Something regarded as a defensive stronghold.

Marcus J. Ranum is generally credited with applying the term bastion to hosts that are exposed to attack, and with the popularization of the term in the firewall community. In "Thinking About Firewalls V2.0: Beyond Perimeter Security"[6] he wrote:

Bastions are the highly fortified parts of a medieval castle; points that overlook critical areas of defense, usually having stronger walls, room for extra troops, and the occasional useful tub of boiling hot oil for discouraging attackers. A bastion host is a system identified by the firewall administrator as a critical strong point in the network's security. Generally, bastion hosts will have some degree of extra attention paid to their security, may undergo regular audits, and may have modified software.

Bastion hosts are not general-purpose computing resources. They differ in both their intent and their specific configuration. The process of configuring or constructing a bastion host is often referred to as hardening.

The effectiveness of a specific bastion host configuration can usually be judged by answering two questions:

How does the bastion host protect itself from attack?
How does the bastion host protect the network behind it from attack?

Chapter 2, Building a Windows NT Bastion Host, and Chapter 3, Building a Windows 2000 Bastion Host, provide detailed instructions for building a bastion host, using Windows NT and Windows 2000 respectively.

Exercise extreme caution when installing software on bastion hosts. Very few software products have been designed and tested to run safely on these exposed systems. For a thorough treatment of bastion hosts, and on firewalls in general, I recommend reading Building Internet Firewalls, Second Edition.

Configuring the Perimeter Network

No matter how carefully you configure your bastion host to withstand direct attacks, you can't be entirely confident about its security. Most software code has bugs in it, and therefore all systems potentially have undiscovered security vulnerabilities. For this reason, it's important to provide extra layers of security for systems that are as exposed and as vulnerable as bastion hosts.

A common way to protect exposed servers on the Internet is to implement some kind of network-based access control mechanism that serves as extra protection for the bastion hosts. One such very effective mechanism is provided by a perimeter network. A perimeter network is a network that connects your private internal network to the public Internet or another untrusted network. This makes the perimeter network very important from a security standpoint. The purpose of this network is to serve as a single point of access control. All components in a perimeter must act in concert to implement a site's firewall policy. In other words, the perimeter network is a firewall system.

The perimeter network is a key part of the architecture of many current Internet sites. The reasons are partly historical. When the Internet took off commercially, many companies wanted to get on the Net to do business. The first step was often simply to publish product information on a web server. These web servers typically contained only static information, and thus didn't need to be connected to the internal network. With the advent of e-commerce, such web servers had to be connected in some way both to the clients on the Internet and to the legacy systems on the internal network -- for example, to process orders and check the availability of products.

Many companies now faced the requirement to connect their internal networks to the Internet--and to the accompanying security risks. Since the Internet could not be trusted for obvious reasons, there was an increasing need for company-controlled networks that could act as secured perimeters...

Preface

1. Windows NT/2000 Security
   Internet Threats
   Building a Secure Site on the Internet
   The Windows NT/2000 Architectures
   Windows NT/2000 in the Perimeter Network
   Cryptography Basics

2. Building a Windows NT Bastion Host
   Installation
   Using the Security Configuration Editor
   Basic Configuration
   Advanced Configuration
   Setting System Policies
   TCP/IP Configuration
   Configuring Administrative Tools and Utilities
   Setting Permissions

3. Building a Windows 2000 Bastion Host
   Differences Between the Systems
   IPSec in Windows 2000

4. Setting Up Secure Remote Administration
   Symantec pcAnywhere
   Windows 2000 Terminal Services
   Open Source (SSH, Cygwin, TCP Wrappers, and VNC)

5. Backing Up and Restoring Your Bastion Host
   Defining Your Backup Policy
   Backup Methods
   Types of Backups
   Backup Software

6. Auditing and Monitoring Your Perimeter Network
   System Auditing in Windows
   Time Synchronization Using NTP
   Remote Logging and Log Management
   Integrity Checking
   Network-Based Intrusion Detection Systems

7. Maintaining Your Perimeter Network
   Setting Up Policies and Procedures
   Performing Third-Party Audits
   Staying Informed

A. Well-Known Ports Used by Windows NT/2000
B. Security-Related Knowledge Base Articles
C. Build Instructions for OpenSSH on Cygwin

Index
