
"Shields Up, Mr Chekov" - Server Security

Jul 22, 2009
I need to harden my server security. Windows Server 2003 R2, SP2, single domain. 1 DC, 1 Exchange, 3 Terminal Servers. The Administrator account is active, I am the only one with the password (famous last words). I am the only user in Domain Admins and Enterprise Admins. There are 2 users in the Local Admins group and the Print Operators group. Yes, I should deactivate the Administrator account and/or give it a randomly generated, long, case sensitive alpha-numeric password and never use it.

Physical security aside, I want to prevent someone from bypassing or changing that account's password or any password used to lock the servers with things like BartPE,
KNOPPIX, ubcd etc. Since Linux is less susceptible to these methods, am I dreaming or is there a way to boot to a Linux partition first which then loads Windows?

Any suggestions? Things like auditing bad logon attempts or other things, using arcane GPs, 3rd party apps, VX nerve agent, etc to prevent this from happening would be appreciated.

"Just because you're paranoid, doesn't mean people aren't out to get you."
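The original post asks about "auditing bad logon attempts". The script below is an added example, not code from the thread or from any poster: it turns on failure auditing for logons and then summarizes failed logons from the Security log by account and source address, which is how guessing against the Administrator account (renamed or not) shows up. It assumes the Vista/2008-or-later event schema (ID 4625 for a failed logon); the Server 2003 machines in the thread write the legacy ID 529 instead, readable with Get-EventLog. The 24-hour window and threshold of 5 are assumed values, and the script needs an elevated session.

```powershell
# Added example (not from the thread): summarize failed logons from the Security log.
# Assumes Windows PowerShell 3+ on Vista/2008 or later (event ID 4625). Server 2003 logs
# the legacy ID 529 (bad password) and 644 (lockout) instead; read those with
#   Get-EventLog -LogName Security -InstanceId 529
# Reading the Security log requires administrator rights.

# 1. Make sure failures are actually being recorded. On 2003 this is "Audit logon events:
#    Failure" in the Default Domain Controllers Policy; on 2008+ auditpol.exe sets it per subcategory.
auditpol.exe /set /subcategory:"Logon" /failure:enable | Out-Null
# In a domain the lockout threshold comes from the Default Domain Policy; on a stand-alone
# box the equivalent is (10 is an assumed value):  net accounts /lockoutthreshold:10

function Get-FailedLogonSummary {
    param(
        [int]$Hours     = 24,
        [int]$Threshold = 5      # report (account, source) pairs with at least this many failures
    )
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # The useful fields live in EventData; pull them out of the XML rendering by name.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = "$($data.TargetDomainName)\$($data.TargetUserName)"
            Source    = $data.IpAddress
            LogonType = $data.LogonType      # 10 = RDP, 3 = network (SMB, Exchange), 2 = console
            Status    = $data.SubStatus      # 0xC000006A bad password, 0xC0000064 no such user
        }
    }

    $rows | Group-Object Account, Source |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            $sorted = $_.Group | Sort-Object Time
            [pscustomobject]@{
                Account   = $sorted[0].Account
                Source    = $sorted[0].Source
                Failures  = $_.Count
                First     = $sorted[0].Time
                Last      = $sorted[-1].Time
                Statuses  = ($sorted.Status    | Sort-Object -Unique) -join ','
                LogonType = ($sorted.LogonType | Sort-Object -Unique) -join ','
            }
        } | Sort-Object Failures -Descending
}

Get-FailedLogonSummary -Hours 24 -Threshold 5 | Format-Table -AutoSize
```

A run of 0xC0000064 statuses against many different account names from one source is username enumeration; a run of 0xC000006A against one account is password guessing. Either one from a Terminal Server's address (logon type 10) is worth a look before it becomes a successful 4624.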
 
You may find some useful bits here;


and here;


> Physical security aside, I want to prevent someone from bypassing or changing that account's password or any password used to lock the servers with things like BartPE, KNOPPIX, ubcd etc.

But if they physically can't get to the server then they can't use those methods..


Paul
MCTS: Exchange 2007, Configuration
MCSA:2003
MCSE:2003
MCITP:Enterprise Administrator

RFC 2795 - The Infinite Monkey Protocol Suite (IMPS)
 
> Physical security aside, I want to prevent someone from bypassing or changing that account's password or any password used to lock the servers with things like BartPE, KNOPPIX, ubcd etc.

Ummm.... physical security NOT aside.

If I have physical access to your box, I will get in it. Period.

Physical security IS your first line of defense.

Aside from that, disable the administrator account (or change the login to something besides "Administrator"), make sure it's a long, cryptic password. There are a number of things that you can do to increase security, but a lot of it is physical.

Let me ask you some "simple" security questions.

1) Do you hand out DHCP Addresses? If you do, then don't.
2) Does a common area (such as conference room, lunch room, empty cube) have an active LAN port?
3) Have you enforced password strength policies and expiration?
4) Do you have a good, up-to-date anti-virus/anti-spyware running on every machine?
5) Are you running a good hardware firewall that does intrusion detection, and SPI (Stateful Packet Inspection)?
6) Do you have wireless? Is it secured?
7) Do you allow dialin, VPN, remote desktop access? How do you control and monitor it?
8) Have you done an internal penetration test, to make sure there are no un-necessary open ports on any systems?
9) Have you done a user security edit to make sure that there are no un-necessary accounts, "Forgotten" accounts, etc.?

If you're concerned about someone getting into your server(s) using BartPE or the like, then you have bigger issues... and physical security SHOULD be your first priority.

Now, if I *Wanted* to get into a server (I have been asked to do this after a disgruntled admin has left a company, for example)... I have several ways.

My first is to boot from a Linux CD and clear the administrator password. Got booting from CD turned off in the bios? OH, well... shut it down and pull the battery usually works to get me back into there.

If I can't boot from a CD, I would try booting the same thing from a USB drive.

My second way would be to pull the hard drive (if it's a single drive) and mount it in another machine and edit the hive.

What I'm trying to say is what I said above. If I have PHYSICAL ACCESS to your machine, I can get into it. Period.



Just my 2¢

"What the captain doesn't realize is that we've secretly replaced his Dilithium Crystals with new Folger's Crystals."

--Greg
 
>change the login to something besides "Administrator"

A fairly pointless exercise, frankly
 
Sorry all, I'm doing too many things at once, didn't check the thread for updates.

> 1) Do you hand out DHCP Addresses? If you do, then don't.

Yes I do. Are you saying set static IP's on 75 machines?

> 2) Does a common area (such as conference room, lunch room, empty cube) have an active LAN port?

No, but are you thinking staff or visitors?

> 3) Have you enforced password strength policies and expiration?

Presently they must be 6 characters, expiring every 90 days.

> 4) Do you have a good, up-to-date anti-virus/anti-spyware running on every machine?

Yes, Symantec 10.2, up to date.

> 5) Are you running a good hardware firewall that does intrusion detection, and SPI (Stateful Packet Inspection)?

Cisco ASA 5500 series, the outside int security level is 0, VLAN5 and the inside int sec level is 100, VLAN1.

> 6) Do you have wireless? Is it secured?

Yes, secured with a RADIUS shared key.

> 7) Do you allow dialin, VPN, remote desktop access? How do you control and monitor it?

No dialin, Cisco VPN client 5.0, transparent tunneling active on UDP port 4500, 128 bit AES encryption, no access from LAN. I'm the only one with the password. Terminal Server with a locked down desktop, RDP over VPN with username and password.

> 8) Have you done an internal penetration test, to make sure there are no un-necessary open ports on any systems?

No

> 9) Have you done a user security edit to make sure that there are no un-necessary accounts, "Forgotten" accounts, etc.?

I've been waiting for HR to give me a list of current staff but haven't gotten it yet.

The server rack is locked. Standard stock Dell locks, nothing bullet proof. But I wonder if another set of keys from some other rack will open mine. I know the keys to the locking covers on the front of the servers are interchangeable from server to server.

 
>Are you saying set static IP's on 75 machines?

I think Greg is saying that DHCP is insecure. Once again I have to respectfully disagree. I don't think DHCP is any more or less secure than static IPs.
 
I'm reminded of a true story, from a company that does professional penetration testing.

A bank president made a wager with the tester; that if his group could get into their network, he would pay them double their normal fee. If he couldn't, he didn't pay them anything.

The tester had just one question; the location of the conference room.

About a week later, one of the guy's testing team showed up in a 3-piece suit and a briefcase, about the time the bank opened. He walked up to the receptionist, whose name was prominently displayed on her desk. He says "Hello <name>, how are you?" She says "I'm fine... yourself?" He says "Never better." and proceeds to walk to the conference room and close the door.

Once inside, he opens up his briefcase, and plugs his laptop into the conference room network port. Getting a DHCP address (remember, he had no knowledge of the network, but the DHCP address gave him a LOT of information) he turned on a packet sniffer and started watching for passwords floating around the network. Not seeing what he was looking for, he walked out of the conference room, to a door prominently marked "Server Room". He walked inside, and there was their windows server.

In the bank's defense, the screensaver had a password. *NOT* in their defense, the password was the name of the bank.

He popped a floppy into the drive, and proceeded to copy over the windows files necessary to return to his office and reverse-engineer the passwords. He walked back into the conference room, packed up his laptop, and walked out of the bank.

Nobody ever questioned what he was doing there, who he was there to see, nothing.

A few days later, the tester who had made the wager walked in and dropped a disk on the bank president's desk which contained every logon and password for everybody at the bank.

It was a beautifully crafted bit of social engineering.

Now... my wife works at a bank. And I'm quite proud of her.

Recently, when the examiners came to the bank, one of them announced "I'm going to need the administrator login and password to check your files." My wife responded "I don't think so...." and proceeded to log into the administrator account for him, then stood there as he did his work.

When the examination report came out, the bank's network security was compared to Fort Knox. (Which is cool, since I set up their network for them, and I do their security audit and internal penetration testing). :)



Just my 2¢

"What the captain doesn't realize is that we've secretly replaced his Dilithium Crystals with new Folger's Crystals."

--Greg
 
>Getting a DHCP address (remember, he had no knowledge of the network, but the DHCP address gave him a LOT of information) he turned on a packet sniffer and started watching for passwords floating around the network.

He didn't need DHCP to sniff the network. Even if everything had a static address he'd still have been able to sniff.
 
<Sigh> The point was the story about the social engineering.



Just my 2¢

"What the captain doesn't realize is that we've secretly replaced his Dilithium Crystals with new Folger's Crystals."

--Greg
 
gbaughma, are you going to assess my answers to your questionnaire?

Thanks!

I'm retarded, I can't find the 'quote' button you used.
 
> 1) Do you hand out DHCP Addresses? If you do, then don't.
> Yes I do. Are you saying set static IP's on 75 machines?

Well, on 75 machines that may not be an easy task. And, as strongm pointed out (and whose opinion I do have faith in), it wouldn't make a big difference. Especially given your answer to #2.

> 2) Does a common area (such as conference room, lunch room, empty cube) have an active LAN port?
> No, but are you thinking staff or visitors?

Visitors, mainly, as shown in my story above about social engineering.

> 3) Have you enforced password strength policies and expiration?
> Presently they must be 6 characters, expiring every 90 days.

6 characters is a good start.... Upper/Lowercase and a number in those rules as well? 6 characters with no numbers would take only a few hours on a good machine with a brute force hack, and only a few minutes with a dictionary hack.

> 4) Do you have a good, up-to-date anti-virus/anti-spyware running on every machine?
> Yes, Symantec 10.2, up to date.

I'm sorry. (lol... I just dumped Symantec at the bank... I mean, good lord, 450MB on a machine for the ANTI-VIRUS???? Please!)

> 5) Are you running a good hardware firewall that does intrusion detection, and SPI (Stateful Packet Inspection)?
> Cisco ASA 5500 series, the outside int security level is 0, VLAN5 and the inside int sec level is 100, VLAN1.

Sounds like you have that under control.

> 6) Do you have wireless? Is it secured?
> Yes, secured with a RADIUS shared key.

RADIUS for the login... what about a WPA key?

> 7) Do you allow dialin, VPN, remote desktop access? How do you control and monitor it?
> No dialin, Cisco VPN client 5.0, transparent tunneling active on UDP port 4500, 128 bit AES encryption, no access from LAN. I'm the only one with the password. Terminal Server with a locked down desktop, RDP over VPN with username and password.

Sounds good again.

> 8) Have you done an internal penetration test, to make sure there are no un-necessary open ports on any systems?
> No

You'd be surprised what this will show... use something like Tenable Nessus. (Used to be free, now it's pay for over 20 IP's... arrrgh!)

> 9) Have you done a user security edit to make sure that there are no un-necessary accounts, "Forgotten" accounts, etc.?
> I've been waiting for HR to give me a list of current staff but haven't gotten it yet.

This is an important one. You should be the "Second to know" when someone is leaving the company's employ. (The first to know, of course, is whoever is doing the termination... lol) If nothing else, the account should be disabled as soon as someone is physically out of the building.



Just my 2¢

"What the captain doesn't realize is that we've secretly replaced his Dilithium Crystals with new Folger's Crystals."

--Greg
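Items 3) and 9) of the checklist above, plus strongm's remark that renaming Administrator is pointless, are all things that can be checked rather than argued about. The script below is an added example, not code from the thread or from any poster. It reads the domain password and lockout policy, lists enabled accounts that nobody has logged on with for 90 days (the "forgotten accounts" item), dumps the membership of the privileged built-in groups, and locates the real built-in Administrator and Guest by RID, since RID 500 and 501 are fixed no matter what the accounts are called. It assumes the ActiveDirectory PowerShell module (RSAT, talking to a 2008 R2 or later DC or to ADWS); against the thread's 2003 domain the same LDAP queries work through [adsisearcher]. The 90-day and 12-character baselines are assumptions, not the thread's figures. Print Operators is included in the privileged list on purpose: Microsoft documents that its members can log on locally to domain controllers and load and unload device drivers there.

```powershell
# Added example (not from the thread): account and password-policy audit for a single domain.
# Assumes the ActiveDirectory module (RSAT against a 2008 R2+ DC or ADWS). Baselines of 90 days
# and 12 characters are assumed values for illustration.
Import-Module ActiveDirectory

function Test-DomainPasswordPolicy {
    $p = Get-ADDefaultDomainPasswordPolicy
    $findings = @()
    if ($p.MinPasswordLength -lt 12) { $findings += "MinPasswordLength is $($p.MinPasswordLength); 6 falls to a dictionary attack" }
    if (-not $p.ComplexityEnabled)   { $findings += "Password complexity is off" }
    if ($p.LockoutThreshold -eq 0)   { $findings += "No lockout threshold: unlimited online guesses against every account" }
    if ($p.PasswordHistoryCount -lt 12) { $findings += "PasswordHistoryCount is $($p.PasswordHistoryCount); users can cycle back to old passwords" }
    $findings
}

function Get-StaleEnabledUsers {
    param([int]$Days = 90)
    $cutoff = (Get-Date).AddDays(-$Days)
    # LastLogonDate is derived from lastLogonTimestamp, which replicates with up to a 14-day lag,
    # so this is an 'unused for roughly 90+ days' list, not an exact one. Accounts created after the
    # cutoff are excluded so brand-new users do not show up as stale.
    Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires, whenCreated |
        Where-Object { $_.whenCreated -lt $cutoff -and (-not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff) } |
        Select-Object SamAccountName, LastLogonDate, PasswordLastSet, PasswordNeverExpires
}

function Get-PrivilegedMembers {
    # Print Operators is here deliberately: members can log on to DCs and load printer drivers.
    $groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
              'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'
    foreach ($g in $groups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, objectClass
    }
}

function Get-WellKnownAccounts {
    # RID 500 is the built-in Administrator and RID 501 the built-in Guest, whatever their names.
    $domainSid = (Get-ADDomain).DomainSID.Value
    foreach ($rid in 500, 501) {
        Get-ADUser -Identity "$domainSid-$rid" -Properties Enabled, PasswordLastSet |
            Select-Object @{ n = 'RID'; e = { $rid } }, SamAccountName, Enabled, PasswordLastSet
    }
}

'== Password policy findings =='
Test-DomainPasswordPolicy
'== Enabled accounts with no logon in 90 days =='
Get-StaleEnabledUsers -Days 90 | Format-Table -AutoSize
'== Privileged group membership (recursive) =='
Get-PrivilegedMembers | Format-Table -AutoSize
'== Built-in accounts located by RID =='
Get-WellKnownAccounts | Format-Table -AutoSize
```

The last section is the one that answers the rename question: an attacker with any domain account can run the same SID lookup, so renaming buys nothing against anyone who knows what a RID is, and the Guest-renamed-to-Administrator decoy is identified the same way.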
 
"4) I'm sorry. (lol... I just dumped Symantec at the bank... I mean, good lord, 450MB on a machine for the ANTI-VIRUS???? Please!)"

It's more like 200MB on these machines.

"RADIUS for the login... what about a WPA key? "

My mistake, I meant a WPA key.

"You'd be surprised what this will show... use something like Tenable Nessus. (Used to be free, now it's pay for over 20 IP's... arrrgh!)"

Being a non-profit organization I got Tenable to donate a 5 year Professional Feed for the Nessus vulnerability scanner!
Looking forward to using it. Good suggestion.

"You should be the "Second to know" when someone is leaving the company's employ. (The first to know, of course, is whoever is doing the termination... lol) If nothing else, the account should be disabled as soon as someone is physically out of the building"

I always get a call just before the person is terminated. The account is locked out before the poor guy gets the bad news.

I've always wondered what they'd do if they wanted to terminate ME.

 
You can secure DHCP further to only include known machines.

Agree that physical security to the server is key. You can use Bitlocker or similar to encrypt the boot partition which (I think and if I'm wrong I know I'll get flamed) will help.

Create a new Administrator account with a different name. Long password. Store that password in Password Manager. Delete Administrator account. Rename Guest account to Administrator and disable it (it doesn't do much more but can flummox a clumsy hacker).

Make sure all shares are shared to correct groups only. Make sure NTFS permissions are for correct groups only. I'm amazed how many shares are "Everyone full control" and so are the NTFS permissions.

There's loads more but that will help!
 
Beg pardon, got carried away. Rename Administrator account and disable.
Check Administrator group and delete anyone in there that doesn't need to be in there.

BTW I always have TWO Administrators on each box, both are women's names to look like normal users with complicated passwords. Admins group is populated with things like domain admins group.
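The share and NTFS permissions point two posts up ("Everyone full control" on both) is the easiest of these to check mechanically. The script below is an added example, not code from the thread or from any poster: it walks every ordinary disk share on a server and reports share-level and NTFS-level ACEs that grant broad principals (Everyone, Authenticated Users, Users, Domain Users, ANONYMOUS LOGON) anything beyond read and execute. It uses WMI for the share ACL, which works against Server 2003 as well as current versions, and Get-Acl over the UNC path for the NTFS ACL. The list of "broad" principals and the read-only mask are the assumptions; administrator rights on the target are required.

```powershell
# Added example (not from the thread): find shares where broad principals get more than read.
# Works against Server 2003 and later via WMI; run with administrator rights on the target.

function Get-BroadShareAccess {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $broadPrincipals = 'Everyone', 'Authenticated Users', 'Users', 'Domain Users', 'ANONYMOUS LOGON'
    # FILE_GENERIC_READ | FILE_GENERIC_EXECUTE (0x1200A9) plus GENERIC_READ | GENERIC_EXECUTE
    # (0x80000000 | 0x20000000), which show up on inherit-only NTFS ACEs. Any bit outside this
    # mask is write, delete, change-permissions or take-ownership.
    $readOnlyMask = [int64]0xA01200A9

    # Win32_Share.Type 0 = ordinary disk share; C$, ADMIN$ and IPC$ carry the 0x80000000 flag and are skipped.
    $shares = Get-WmiObject -Class Win32_Share -ComputerName $ComputerName | Where-Object { $_.Type -eq 0 }

    foreach ($share in $shares) {
        # Share-level permissions (the 'Sharing' tab).
        $setting = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $ComputerName -Filter "Name='$($share.Name)'"
        if ($setting) {
            foreach ($ace in $setting.GetSecurityDescriptor().Descriptor.DACL) {
                $who  = if ($ace.Trustee.Domain) { "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" } else { $ace.Trustee.Name }
                $mask = [int64]$ace.AccessMask
                # AceType 0 = ACCESS_ALLOWED.
                if ($ace.AceType -eq 0 -and ($broadPrincipals -contains $ace.Trustee.Name) -and (($mask -band (-bnot $readOnlyMask)) -ne 0)) {
                    [pscustomobject]@{ Share = $share.Name; Path = $share.Path; Layer = 'Share'; Principal = $who; Mask = ('0x{0:X}' -f $mask) }
                }
            }
        }

        # NTFS permissions on the share root (the 'Security' tab). Both layers must allow an operation,
        # so a read-only share ACL over Everyone:Full NTFS is still a finding once someone logs on locally.
        $acl = Get-Acl -LiteralPath "\\$ComputerName\$($share.Name)" -ErrorAction SilentlyContinue
        if ($acl) {
            foreach ($rule in $acl.Access) {
                $name = ($rule.IdentityReference.Value -split '\\')[-1]
                # FileSystemRights is a signed enum; normalise to the unsigned 32-bit access mask.
                $mask = ([int64][int]$rule.FileSystemRights) -band 0xFFFFFFFF
                if ($rule.AccessControlType -eq 'Allow' -and ($broadPrincipals -contains $name) -and (($mask -band (-bnot $readOnlyMask)) -ne 0)) {
                    [pscustomobject]@{ Share = $share.Name; Path = $share.Path; Layer = 'NTFS'; Principal = $rule.IdentityReference.Value; Mask = ('0x{0:X}' -f $mask) }
                }
            }
        }
    }
}

Get-BroadShareAccess | Format-Table -AutoSize
```

Run it against each of the five servers in the thread (`Get-BroadShareAccess -ComputerName TS1`, and so on); a mask of 0x1F01FF on either layer is Full Control, and 0x1301BF is Change/Modify. Fixing the share ACL alone is not enough, because anyone who gets an interactive session on the Terminal Servers bypasses the share layer entirely and is governed only by NTFS.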
 
I like the Rename Guest account to Administrator ploy. I'd like to watch that attempt. ;)


In a small organization it's easy enough to find out if John Smith is really an employee. What to rename the Administrator account to that won't attract attention - like what appears to be a built in account?
 