Subject: Security UPDATE, May 7, 2003

1.

IN FOCUS

(contributed by Mark Joseph Edwards, News Editor, mark@ntsecurity.net)

* SECURITY: OUT OF THE BOX AND INTO THE GUIDES

As you know, Microsoft recently launched Windows Server 2003. One significant aspect of the new OS is Microsoft's pledge of better security. As history has shown, rushing a new OS out the door to eager users complete with all the bells and whistles blowing loudly isn't the best practice. Microsoft has taken longer than usual to develop this new OS, especially in regard to security. So when you deploy it, you'll find that rather than having loads of features turned on by default, the OS has many features that you must intentionally enable.

Even when you enable features such as Microsoft Internet Information Services (IIS) 6.0, you might find that they install with minimum functionality enabled. Security professionals will prefer this approach, but it doesn't address the larger question of how to reasonably open up functionality while maintaining adequate security levels.

To help you balance functionality and security in your Windows 2003 environment, Microsoft has released an extensive security guide. Microsoft designed the guide to help you deploy Windows 2003 effectively while maintaining adequate security in three basic environments: a legacy client environment, an enterprise environment, and a high-security environment.

The "Windows Server 2003 Security Guide" contains 12 chapters. Chapters 2 through 12 deal directly with configuring various network elements and their associated systems. They help you configure domain infrastructure, create baseline security for member servers, and harden several system elements: domain controllers (DCs) and infrastructure servers, file servers and print servers, IIS and Internet Authentication Server (IAS), Certificate Services Servers (CSSs), and bastion hosts.

All told, the security guide contains 290 pages of highly useful recommendations. In addition to the main guide, you'll find delivery guides (3), checklists (10), scripts (8), and templates (25) to help you further secure your Windows 2003 environment.

Microsoft recommends that those charged with deploying and securing Windows 2003 and Windows XP in an enterprise have MSCE 2000 certification, 2 or more years of security-related experience, in-depth knowledge of Active Directory (AD), and experience with these features and functions: Microsoft Management Console (MMC) and other tools, Group Policy administration, and workstation and application deployment in enterprise environments.

If you're considering using the security guide and wonder how Microsoft arrived at the security recommendations, refer to the "Testing Windows Server 2003 Security Guide" documentation included in the overall security guide package. The documentation outlines how Microsoft configured and tested the three basic network environments (legacy, enterprise, and high security) to ensure that the guide's recommendations are both accurate and adequate.

The test documentation explains, chapter by chapter, the steps Microsoft took to test the guide's recommendations. Microsoft also used a third party to perform extensive penetration testing against the enterprise and high-security environments. After several weeks of testing, the servers remained secure. Microsoft notes one vulnerability, however: Where brute-force attacks can expose user passwords, intruders might be able to intercept Kerberos network traffic. According to Microsoft, to mitigate this vulnerability, you can use complex user passwords or IP Security (IPSec) to encrypt network traffic. The guide recommends strong user passwords.

Obviously, the guide can't guarantee that Windows 2003 users won't encounter security problems. Nevertheless, if you follow the guide's advice, you'll be less likely to find your systems compromised. Microsoft's third-party testing helps assure that much.

If you still wonder about various threats and possible countermeasures, you can find additional security help. Microsoft has released "Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP." This guide details threats and potential countermeasures in detail--and discusses how deploying the recommended configuration settings affects users.

The 287-page threat guide also discusses domain level and audit policies, user rights assignments, security options, event logs, system services, software restriction policies, administrative templates, additional registry settings, and additional procedures for hardening member servers.

So--with the new OS, Microsoft offers two guides full of security-related configuration recommendations. Microsoft hopes you'll use this information to secure your Windows 2003 network environment. If you wonder whether your company can benefit from Windows 2003's strengthened security, review the guides to gain insight.

If you use the security guides, send me an email message about their usefulness. I want to know how they work for you and whether you found significant problems when you used them in your network environment.

You can download the new guides from Microsoft's Web site. You can also link to them from Paul Thurrott's news story, "Continued Windows 2003 Documentation Push Focuses on Security." \[http://www.secadministrator.com/articles/index.cfm?articleid=38837\]