Alright, if I could have everyone's quasi-attention here. My name's Humperdink, or as you can all see from the slide, my real name's John Miller. I'm the Senior Security Engineer for Covert Systems, we're a company based out of LA, and today I'm going to be talking on how you can secure your Windows Internet servers. What I want to hit on is a little of the old stuff, a little of the new stuff, and hopefully, what I really want to stress is, no matter what Windows OS you're running or any OS, if you have good fundamentals and use common sense while setting up your server, you're going to be fine. So let me start off here with the first slide. Let me turn this mic off. Oh, and there's my email address and a little thingy. Alright, number one, anytime you have, let's say you guys are running an NT4 server and you're looking to upgrade to 2000, should you do that? Never, it is like one of the worst things you can ever do. I remember there were problems, there were originally issues with upgrading from NT4 to 2000 with leaving passwordless accounts and stuff like that. And so I've always tried to use a fresh install no matter what you do, even if let's say you're redoing your site, try to use a fresh install for everything, or if you guys have one set server, do like a Ghost image and just Ghost image everything, because I've seen a lot of people where they actually have a compromised machine and they just keep upgrading it and stuff like that and the machine's still compromised. Always use NTFS. I see people out there running FAT file systems on web servers and stuff like that and you always screw up with the file permissions. What else? When you upgrade, your default security settings are not applied. You have to go into the MMC every time you upgrade and load up your security template and reapply everything. Make sure you have the current service packs. A lot of times you might be a week or two late on stuff and stuff will go by it. 
A lot of companies I do audits for, this seems to be a killer item. They're either running legacy applications and they don't know how to respond with current service packs and so they just let them go. Always test it if you're running something, this legacy that's dependent on it, try finding a new solution. HFNetChk is a great tool that allows you from an administrator account on the network to run a check against any IP. As long as you have administrator access on that computer, it'll tell you what hotfixes are and aren't installed and it'll give you the TechNet ID and you can go and locate everything online. File systems, NTFS or FAT. When you're running NTFS, you get the actual file permissions that you don't get with FAT. So never, ever, ever use FAT. Services. I see a lot of people who decide that they're going to run, let's say, an IIS server. So when they go and they do the full install, they figure they'll just install everything and either disable what they don't need later or they'll use the idea of, well, I might not need SMTP on my web server but it never hurts to have it there. This seems to be a killer because people end up running things on servers that they don't know are actually running. Lots of people when they do a default IIS install will have an anonymous FTP running but not know it. That always seems to be a problem. Always make sure that you actually go through and don't install anything you don't need. In a corporate environment remote administration is always a problem and so lots of places, if they decide to go with Compaq hardware, use Compaq Remote Insight Manager, pcAnywhere, Terminal Server. You'd be surprised. VNC is very popular. You need to, before you actually install your server, you need to decide what you're going to run because if you want to set up Terminal Server, the time to do it is during the installation. Similarly, I like using VShell which does SSH and SFTP for Windows. 
It is not free but it is a great program. It's available at VanDyke.com. Okay, this is something like 99% of the people out there who run Compaq hardware, Compaq actually ships with their Compaq restore disk which has Windows on it. You actually use that server installation and it installs all of the Compaq software which includes Compaq Remote Insight Manager and stuff like that. Compaq Remote Insight Manager operates on port 2301. You might want to scan your machines for it. In reality, it's a fairly insecure web server that there are oodles and oodles and oodles of exploits for that your local neighborhood script kiddie can get a hold of. So it is the devil. All right, next slide. All right, now we need to talk about network configuration. A lot of places, if let's say you're running an IIS service, they'll decide to run Windows networking and just update the website via a network share or something like that. Any Windows machine you have that is actually physically touching the Internet should only be running TCP/IP. That should be the only protocol. Use TCP/IP filtering which is, I mean, more or less, it's a firewall built into Windows that's been there forever. Since as far back as I remember, NT4 has it. Barely anybody uses that. It's pretty straightforward. You just go to the advanced settings on your actual TCP/IP protocol and you can set what ports you actually want to allow TCP/IP traffic to and from on your machine. So if you're running a web server, and let's say you have VanDyke's SSH on there, all you have to allow is 22 and 80, and you can have people do SFTP uploads. You can actually SSH in, restart services, and you can have people browsing the web onto that machine. So it's wonderful. If you ever get backdoored, it prevents a lot of problems with people watching services on ports that aren't applicable. Always nmap your servers, port scan them to make sure you don't have extra ports running. 
A lot of times you'll go into places and they'll be like, that's a web server, you know, it's just running web services, you scan it, it's running all sorts of crap. That just kind of gives you an extra level of protection to make sure it's okay before you put it on the Internet. Never ever ever put an IIS server on your corporate domain. For the sheer fact that if there's one Microsoft server that is the most compromised, or actually it's probably the most compromised server ever known, it would be IIS. And so by doing that, you're allowing people to actually compromise your IIS server, which is more or less inevitable. If anyone's determined enough, they can compromise an IIS server, no matter what you do. And then it gives them a stepping stone onto your entire domain. So always put your IIS server on an external IP, on a DMZ, and just leave it alone. Another way I personally like to do it is you can put in two Ethernet cards. You can do a private card and a public card and then just do SSH or whatever on your second Ethernet card. So the only port that anyone sees from the web is port 80. It's also great, I love telling people this, that I've seen people running Microsoft FTP forever and ever on all their IIS web servers because, hey, we need to update with FrontPage and stuff like that. And before SSH for Windows, the best way to do that was burn it to a CD and walk it over to the machine and upload it. So having a second Ethernet card is great, especially if you have it on a totally separate address space, if you have it on a separate class C or something like that, if someone's scanning, they won't even find it. Using the Microsoft Management Console, most people do not use this. I wouldn't be surprised if half the people in the room do not know what the MMC is. More or less, when you go to Computer Management on your NT server, all that is is a snap-in for the MMC. The MMC is a mystical, magical thing you can use to do almost anything to your Windows server. 
You can access it by clicking your Start icon, clicking on Run and typing in MMC and it will pop up. It's a great, great tool. What is it? Through it, you can manage your security templates, which allows you to do user policies, ACLs, what else, account restrictions, everything. Never use a default Microsoft custom security template. Either you can take one and customize it to your own needs or you can build one from scratch. If you're doing this in a corporate setting, you need to establish standards for what you actually want these servers to do and build a security template for each machine based on an original security template. And then every time you build a machine, apply that security template. Security configuration. Password complexity. I can't tell you how many times people out there who have web developers and email users, people do not apply password complexity rules through the security template. So you have people with passwordless accounts, people with dictionary words and stuff like that. You can actually, through the MMC and your security template, set complexity rules and always make sure that your passwords are at least a minimum of eight characters long. You can also do the settings where your PDC or Active Directory server will actually remember passwords so they can't be used again. So if your machine does get compromised and somebody obtains the SAM file and cracks it, hopefully by the time you set your expiration date to, by the time they go back, the password won't be valid anymore and it can't be reused. Event log access. Lots of people have, especially with NT4, they did a lot where you could have public read access to your event log. And by your event log, I mean that's your security log, your application log, everything. So always go through a series of registry changes you can find to change that. Define permissions for services. 
Most people don't do this, which is funny though because on almost every Linux machine, you always have, you know, Apache running as nobody and stuff like that. People don't really define permissions for what everything can run as. So you have services that don't need it running as an administrator. Always rename your administrator account. More or less, if you have anyone who knows anything it won't fool them. But it will stop a lot of stupid scanning tools that just scan for passwordless administrator accounts or administrator accounts with simple passwords. I like to actually create a new administrator account and you can do registry changes to disable your original one. Common sense. With IIS, especially, people like to just do a default configuration and everything's up and running and leave it at that. What you need to do is actually go in and think like a hacker and what they actually exploit with a lot of stuff like Code Red, you know, .ida, crap, script mappings and stuff like that. Delete them out if you're not using them. Most hackers, when they go and actually compromise your machine, the only way or the easiest way that they can do it directly from a command line to upload files to your machine is to use TFTP. Delete TFTP off your computer. Number one, if you're configuring like Cisco devices or anything that uses TFTP from a web server, you're probably not going to use the Microsoft default one. Go out and download the Cisco one. And also a great thing you can do is rename your command prompt from CMD to something else. So let's say a new worm comes out that does directory traversal or something like that and actually launches a command shell from a web browser; if it calls for cmd.exe and your command prompt is shell.exe, you're fine. Do you really need Microsoft TFTP? No. Rename your command prompt. What I like to do with IIS web servers is do not put them on the same partition as your system files. 
Just create a second partition just for your actual web hosting. The nice thing about it is it's easy to back up. It's easy to maintain. If you ever need to restore something you can just blow away the old partition, put in the new one and you're fine. Yes, people running IIS on Exchange. I would say the most important computer in any corporate structure is the mail server. Everybody uses email. When email goes down, productivity comes to a halt. Do you really want IIS running on your company's most important server? IIS is compromised a lot and do you really want to risk someone compromising IIS and reading people's emails? Or at the very least halting your email server? Outlook Web Access on Exchange 2000 and Exchange 5.5. It's beautiful. CEOs love it because they can check their email when they're on the road and it's pretty and it looks like Outlook. But then again you're doing the exact same thing where you're running an IIS server; not only are you running an IIS server on your email server, you're running an IIS server that's capable of changing user passwords. It's just not a good idea. You can go to the Microsoft security website. It's really a great website. Not that many people know about it. It's Microsoft TechNet slash security slash notify.asp. They will actually, Microsoft will notify you when new security alerts come out if you're not on Bugtraq or something like that. All right. Configuration for IIS 4 and IIS 5. Try to run base services. Don't run SMTP or FTP. Get away from that. These are on an entire server. If you're running a sole IIS server, these are the only services that you need running for that machine to actually work. You need your Event Log, your License Logging Service, NTLM Security Support Provider, your RPC service, your NT Server service, IIS Admin Service, MSDTC, World Wide Web Publishing Service and Protected Storage. With that, you can actually stop every other service on the machine and your web server will run beautifully. 
Stuff to remove. Do not ever leave sample files or admin scripts on your web server. It's just too easy for people to mess with them. I don't like using Inetpub at all. Like I said, I'll make a new partition and I'll just call it HTTP files and just upload everything to that. Remove your .htw mapping. It's one of the tabs you can actually do in your Internet Service Manager. It's more or less useless. Remove your IISADMPWD. That is the actual file that allows people to change passwords using Outlook Web Access. If you are going to run Outlook Web Access, I would recommend removing that anyway. When people click on the Change Password button, they'll get a 404, but you don't have to worry about someone getting into someone's email and then changing their password and locking them out. Remote Data Services, don't need them. What else? I have more stuff here. Parent paths. You can actually disallow the use of directory traversal. It's great, but 90% of your web developers out there use it in their actual code. So if you disallow that, there is a possibility that you're going to end up breaking the website. That's something that you'd probably want to talk to your developer or whoever makes the site about before you actually host it. That is where you can go to change that. You can open up your web server properties, the home directory configuration, app options, script mappings. All of those script mappings you do not need. They can all be removed. I'm sure that if some of you out there have been keeping up on Windows security, you've seen some good ones there. .ida, you know, .printer mappings. You do not need those. This is the place to go to remove the script mappings. You go to your web server, your properties, master properties, WWW service, edit, home directory configuration. It's a bit of a mouthful. By the way, if anyone needs any of this, you don't have to write it down. It's actually in my PowerPoint on the DEF CON CD. Miscellaneous stuff. 
Never allow anonymous access to your computer for anything. With this turned on, you don't have to worry about null sessions. And this is the registry key where you go to actually change that. Permissions, second, ACLs. A lot of people out there don't really know what ACLs are. Stands for access control list. It's your permissions that tell your computer who can do what and what not. I'll get into it on the next page. Make sure your IIS log files are not publicly readable. That is the directory. You can actually go and change the option on that using your properties and your security tab. And you can verify that it's not readable by everyone. What else? Ooh, that goes quick. Okay. You can set down that CGI should not be run by... These are the only people that should be able to execute CGIs. Which use the four file extensions there. What else? Script files. Everyone needs execute permissions on that, Administrators full control, System full control. What else here? Include files. It's the same thing. Just make sure this, I take a note of. Make sure you do this when you deploy an IIS server. Static content isn't really that much of a problem. Everyone... you don't need execute properties. All you need is read and just give Administrators full control. Okay, now let's get into the world of Exchange. All right. For a while, sendmail is getting into it now and it's working rather well. But Exchange for the longest time was one of the few email servers that would actually do outgoing mail authentication rather than using relaying. Even though it was capable of doing that, Exchange 5.5 still did the default permission of using your server as an open relay. So always make sure you don't have to worry about relaying mail for spammers because spammers fucking suck. Try using your Encrypting File System. Nobody's really played with that much. It's going to be a big player in .NET. I mean, I can't think of a better thing to use it for than Exchange. 
I mean, encrypt all of your users' mail. You don't want people reading that if they compromise the system. Anti-virus. Always make sure you're running anti-virus on your email server. Otherwise, you're going to have much larger problems down the road where you have users infected with all sorts of viruses and the easiest way to stop them is right at your Exchange server. Internet Mail Connector. Oh, Internet Mail Connector. I had no idea what that was for a while. Okay, you can actually use that to limit your outgoing size so you don't have to worry about people like blasting your pipe or spamming. You can do, I mean, more or less no users should really be throwing over 100 meg emails on a T1. I mean, that'd really fill it up. Here's kind of a neat thing you can do. Let's say that you guys want to run Outlook Web Access because somebody high up said you guys need to and so you have no real choice. Well, what you can do is you can put a sendmail server or another Exchange server out on the DMZ so it's on the public space, lock it down, and then relay the mail to an internal Exchange server using Internet Mail Connector. There it is right there. You can add the, this is just when you do it, when you're actually installing the Exchange, make sure you add the Internet Mail Connector and you can add it to your existing Exchange server on the DMZ and you don't even have to add mailboxes or folders to the one on the DMZ because all it does is relay; your internal Exchange server will sort everything out so you only have to manage users in one place. Oh, Exchange administrators. Instead of using the default administrator account for 2000, they have Exchange administrators where not all administrators on the machine are full administrators of an Exchange server. It's great if you have desktop support or someone who's in charge of adding users that you actually restrict them where they can't dick up the settings on your Exchange server. 
These are the three different types of Exchange administrators. Jesus Christ, it's hot. Alright, the security page. Make that registry setting and you will actually get one more page in your Exchange setup that allows you to do other security options. Tracking logs for your Exchange server. That one. I can't point to it. But remove the read permission for Everyone; more or less anyone with an email account and the ability to log on locally would be able to read your Exchange tracking logs. You can do it through the file permissions at that location. Outlook Web Access. Make sure you lock down IIS quite hard. The best way to do it is using SSL, what's it called. Just do an automatic redirect from your standard HTTP to HTTPS so even when people screw up they'll still get to it and you can just generate your own certificate and it'll be fine. One of the neat things with Outlook Web Access is it supports something called front-end and back-end mode. This is front-end and back-end mode. It's kind of like, if I knew how to go back a slide, which I don't. There you have the background. You can read more about it at that address on the Microsoft website. Again it's on the CD. This is more or less a diagram of how it works. You do a front-end Exchange, it was just like I was saying with the Internet Mail Connector. You do a front-end Exchange over on your untrusted DMZ that relays everything through another firewall to your back-end Exchange over on your trusted network. There are default rules here that would make everything work peachy. If you have to do it and you know little or nothing about firewalling, a lot. Again on the CD. Tools. Perfect. There are multiple tools that you can use for securing your Microsoft web servers. URLScan is a great tool by Microsoft. It actually sits in between the Internet and your actual IIS server and scans URLs for traversals that shouldn't be happening. Baseline Security Analyzer is a great tool by Microsoft. 
It's more or less a, it's exactly what it is. I'll pop it up here in a second and show you what it looks like. It allows you to type an IP or a host name of a computer on your corporate LAN. You have to be an administrator to run it. It will run HFNetChk against it. It will check for common misconfigurations and stuff like that and tell you what you need to do. Everyone should really check that out. I'm going to put all of these tools on my 23 order account. At the end of it I'll give you the address of that. And you can download them there. The IIS Lockdown tool. I heard good things and bad things about this. Originally it was fabled that it was useless and it actually left your server open more than it locked it down. I personally don't like to use it. It comes with URLScan built into it. But that's just because I like to know what I'm doing to my server. If it's one of your first times installing an IIS server or you just don't really care that much, it's a great tool. Give it a try. SecureIIS is a tool by a company called eEye. I'm sure they're here. You can buy it from eEye. It was originally, its claim to fame was that it discovered the Code Red worm. What it does is it acts just like URLScan only to a much greater extent and it is much, much more expensive. It's great if you work in a corporation and you know $5,000, $6,000 for a piece of software to sit on your web server to give you an extra layer of security, pick it up. Tripwire for NT, which is a little bit of host-based IDS. It's a great thing. Again it's expensive. It's great for a web server because it gives you that extra notification if any of your web files ever get defaced or anything like that. It's a great tool. Tripwire, I was talking to them. They were going to come and hook up free software for attendees and stuff like that but everything fell through at the last second. 
I'm probably going to have stuff up for them on my website in a little bit where people can go and download evals and check it out. It's a great tool. There's a lot of corporate backing behind it. They're a great company. I really recommend checking it out. Always make sure you're running a good antivirus. I can't stress that enough. I'm just getting owned by the class virus and stuff like that. If you run antivirus on all of your web servers it cuts down on a lot of problems that the desktop admins and anyone internally are going to have to deal with. You can always hire computer companies such as Covert Systems to come out and do a full audit and lock you guys down and take care of all of your needs and you can sit back and drink a cold beer. That works too. It's kind of passing the buck. If it's not your job, that's what I do. That's the website address where I'm going to have all my tools at. Right now the directory is not viewable by the public. I'm going to go and have that fixed right when I'm done with the talk. I kind of forgot about it. All you have to do is connect to it. It has a picture of me when I'm 7 years old standing in my hallway holding an AR-15; go down below and click on tools, they'll take care of you. What else? We have like 10 minutes for questions. Anyone have any questions? It depends what script mapping. You're going to have to customize that on an actual, it depends what scripts for ASP. That's something you'll have to get together with whoever's designing your ASP. Yeah. What's that? Removing Everyone from the authenticated users. Is that what the trouble is? I'm totally not hearing you. Removing Everyone in cases and only allowing Authenticated Users. Authenticated Users to do what? To manage what? 
You can do that but then again you might run into problems, in that Microsoft actually uses the Everyone group. Instead of not having to administer it, you'd actually have to go through and make sure that you have Administrators added to directories where the only group allowed is Everyone. Yeah. I've done it before and it does break things. So I wouldn't recommend doing it, but if you have the time you can customize one, do it, and it just goes into a template and you use it over and over again. Any other questions? I can't hear you at all. If anyone has questions why don't you just come up to the stage and ask me. Alright everyone, have a good night. Thanks for coming out. Drink a lot of beers. Okay.
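The checklist items from the talk (NTFS everywhere, only the services an IIS box needs, a renamed built-in Administrator, no anonymous/null-session access, no TFTP client, IIS logs not readable by Everyone), collected into one read-only audit script as an added example. This is not code from the talk or from Covert Systems and it targets a current Windows host (it relies on Get-LocalUser and Get-CimInstance, which NT4 and 2000 do not have). Assumptions: the mapping of the talk's service list to service short names, the RestrictAnonymous value name under the Lsa key (the slide shows the key but the transcript does not name it), and the default $IisLogPath.

```powershell
# Added example, not from the talk: read-only audit of the hardening items
# John Miller lists. Run from an elevated PowerShell on the web server.
[CmdletBinding()]
param(
    # Assumption: where the IIS log files live on this box.
    [string]$IisLogPath = "$env:SystemRoot\System32\LogFiles",
    # The services the talk says a standalone IIS server needs, mapped to
    # service short names (the mapping is my assumption, not the talk's).
    [string[]]$AllowedServices = @('EventLog', 'LicenseService', 'NtLmSsp', 'RpcSs',
                                   'LanmanServer', 'IISADMIN', 'MSDTC', 'W3SVC', 'ProtectedStorage')
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Status, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail })
}

# 1. "Always use NTFS": every fixed disk should be NTFS, never FAT.
Get-CimInstance Win32_LogicalDisk -Filter "DriveType = 3" | ForEach-Object {
    $status = if ($_.FileSystem -eq 'NTFS') { 'OK' } else { 'FAIL' }
    Add-Finding 'File system' $status "$($_.DeviceID) is $($_.FileSystem)"
}

# 2. "Don't install anything you don't need": running services outside the allowlist.
Get-Service | Where-Object { $_.Status -eq 'Running' -and $AllowedServices -notcontains $_.Name } |
    ForEach-Object { Add-Finding 'Extra service' 'REVIEW' "$($_.Name) ($($_.DisplayName)) is running" }

# 3. "Always rename your administrator account": the built-in account always has RID 500,
#    so check the name of that SID rather than looking for the literal name.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
if ($builtin.Name -eq 'Administrator') {
    Add-Finding 'Admin rename' 'FAIL' 'Built-in Administrator still uses the default name'
} else {
    Add-Finding 'Admin rename' 'OK' "RID-500 account is named $($builtin.Name)"
}

# 4. "Never allow anonymous access": RestrictAnonymous under the Lsa key (value name assumed).
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.RestrictAnonymous -ge 1) {
    Add-Finding 'Null sessions' 'OK' "RestrictAnonymous = $($lsa.RestrictAnonymous)"
} else {
    Add-Finding 'Null sessions' 'FAIL' 'RestrictAnonymous is 0 or unset'
}

# 5. "Delete TFTP off your computer": the stock client lives in System32.
$tftp = Join-Path $env:SystemRoot 'System32\tftp.exe'
Add-Finding 'TFTP client' $(if (Test-Path $tftp) { 'FAIL' } else { 'OK' }) $tftp

# 6. "Make sure your IIS log files are not publicly readable": no ACE for broad groups at all.
if (Test-Path $IisLogPath) {
    $broad = (Get-Acl $IisLogPath).Access | Where-Object {
        $_.IdentityReference.Value -in @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    }
    if ($broad) {
        $detail = ($broad | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
        Add-Finding 'IIS log ACL' 'FAIL' "Broad ACEs on $IisLogPath -> $detail"
    } else {
        Add-Finding 'IIS log ACL' 'OK' "No Everyone/Users ACE on $IisLogPath"
    }
} else {
    Add-Finding 'IIS log ACL' 'SKIP' "$IisLogPath not found"
}

$findings | Format-Table -AutoSize
```

The script changes nothing; it reports OK, FAIL, REVIEW or SKIP per item so the output can be kept as a baseline and diffed after each rebuild, which matches the talk's advice to reapply a known template every time a machine is built. Pass -AllowedServices with your own list when the box legitimately runs more than the bare IIS set.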