NetMeeting Remote Desktop Sharing and Internet Connection Sharing
Windows has two remote sharing services: Microsoft NetMeeting Remote Desktop Sharing and Internet Connection Sharing (ICS). Disabling NetMeeting Remote Desktop Sharing prevents someone from using NetMeeting to take over your server. Unless your Web server does double duty as the Internet gateway for users at your company, you shouldn't need to enable ICS. However, this scenario is dangerous because configuring one computer to handle both tasks securely is complex.
Win2K Server Terminal Services, Remote Registry, Telnet, and FTP
Administrators use these services for remote administration. However, malicious intruders also look for them because when these services are improperly configured, they provide remote access to the system console, command prompt, registry, and file system. I regard all these services as dangerous because of the level of access they provide and the history of vulnerabilities discovered, particularly in Telnet and FTP. If you need any of these services, make sure that you understand how to configure them securely so that only appropriate users can access them.
Limiting Terminal Services access. Terminal Services options exist on each user account, and each Terminal Services object has an ACL. Therefore, you must secure Terminal Services connection objects and set Terminal Services —related options on individual user accounts. (For more information about securing Terminal Services, see my four-part Terminal Services series in "Related Reading.")
Limiting Remote Registry access. To limit remote access to the registry, create a new group called RemoteRegistryEditors, then edit the ACL of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg registry subkey and replace the current entries with RemoteRegistryEditors. (For more information about limiting remote access to the registry, see the Microsoft article "How to Restrict Access to the Registry from a Remote Computer" at http://support.microsoft.com/default.aspx?scid=kb;en-us;q153183.) It doesn't matter whether you grant Read or Full Control permission. After you make this change, only members of the Remote RegistryEditors group will be able to access the registry remotely.
Limiting Telnet access. To limit access to your Telnet service, create a group called TelnetClients and populate it with only those users who should be able to connect through Telnet. When this group is present, Win2K automatically uses it to control Telnet access.
Limiting FTP access. Securing IIS's FTP service is a bit more complicated. If possible, your FTP server shouldn't reside on the same computer as your Web server. Enable FTP only if your Web server must accept file uploads through FTP. For some good tips about FTP security, see Tim Huckaby, "Running an FTP Server on IIS 5.0," http://www.winnetmag.com, InstantDoc ID 16395.
The Server Service
Finally, you might consider disabling the Server service. Microsoft states simply that this service provides file and printer sharing, which is true. If you disable the Server service on a given system, no one will be able to map drives or use printers connected to that system. However, this service also provides administrators with remote access to other Win2K resources managed through the Microsoft Management Console (MMC) Computer Management snap-in, including event logs, local user and group maintenance, services, and scheduled tasks. Even if no user has explicitly shared any folders, the Server service automatically creates hidden administrative shares at the root of each volume, such as C$ for the C drive. You're certainly safer with the Server service disabled, but your ability to administer the IIS server is severely restricted.
Take Advantage of IPSec
Although limiting access to vulnerable services is important, doing so won't protect you against more advanced attacks such as buffer overflows that can provide intruders with the opportunity to run arbitrary code under the system context. Win2K's IP Security (IPSec) feature includes support for the IPSec protocol and flexible policy management, making it easy to block or secure certain types of traffic. IPSec wraps a layer of solid security around otherwise-vulnerable services. With IPSec, you can use simple packet-filter rules to limit which client IP addresses can access given ports. Next month, I'll show you how to limit connections to services such as Terminal Services, Remote Registry, Telnet, and FTP through strong certificate- or shared-secret —based authentication.
Register
stefano malatesta May 31, 2004