Many techniques are available for hardening clients and servers. Here we’ll focus on commonly used tools, techniques related to Group Policy, and security capabilities of security templates.
Two of the most important areas that need attention when you harden computers are ports and services. We will discuss various ways to control these areas on a computer and also look at some tools that can help you investigate the current state of a computer for which ports are being used.
Ports are used by services and other applications to allow two computers to communicate. These ports are doorways into a client or server. Over the years, attackers have exploited ports to gain access to Windows–based computers. Therefore, if a port is open that is not being used by the computer, the port should be closed to help protect the computer from an attacker.
Many approaches are available for closing these ports. Some are manual and can be time consuming and cumbersome when you consider the number of clients and servers in your organization. The following three other approaches are efficient and provide ease of administration and persistence of the configurations:
Windows Firewall. Windows Firewall is designed to control the inbound and outbound communication of a computer. When you configure Windows Firewall, you have a set list of services that you can allow or deny. These services are associated with ports within Windows Firewall. If you have a special port that is not listed through a service, you can add individual ports and services that can be controlled.
More Info
For more information on Windows Firewall and how to configure these settings, see Chapter 11.
Security Configuration Wizard. The Security Configuration Wizard provides a seamless method for configuring ports for servers. It uses server roles, administrative options, and Windows Firewall to open and close ports to protect the server. Within the wizard, you have the option to add specific UDP and TCP ports, as well as add approved applications. (You need not know the ports that the application uses.) You can apply these port restrictions using the wizard, or you can export the security policy to a GPO for deployment through Active Directory.
Note
For more information on the Security Configuration Wizard and how to configure these settings, see the "Using the Security Configuration Wizard" section in this chapter.
IPSec policies. IPSec filters can provide an effective method for controlling communication to ports on clients and servers. An IPSec filter contains information about the source port, destination port, protocol, and the action that should be taken when any communication occurs for each port. These IPSec policies and filters can be deployed to clients and servers manually or deployed using Group Policy. For the most efficient and stable results, using Group Policy is the best choice.
More Info
For more information on IPSec policies and filters, as well as how to configure these settings, see Chapter 11.
Many services are installed and started on a default installation of Windows Server 2003, Windows XP, and Windows 2000. These services are meant to give your computer the most flexibility and functionality possible, but some of them can also expose your computer and make it vulnerable to attack.
To reduce the vulnerability of your computer, you should remove or disable unnecessary services whenever possible. You can disable services using some automated approaches; removal of services is typically done manually. The following automated methods allow you to efficiently control the services, while also ensuring that the settings are consistent for multiple computers in your organization.
Security templates. An entire section in security templates is dedicated to system services. This section allows you to control the startup mode for the services that are running on the computers in your environment. Once you have the security template configured for the selected services, you can use the secedit command or a GPO to deploy the settings to your computers.
More Info
For more information on security templates and how to deploy them, see the "Deploying Security Templates" section in this chapter.
Security Configuration Wizard. The Security Configuration Wizard allows you to control every service that is running on a server. You do this by selecting the server role and administrative features and specifying how to manage services that are not included in these two categories. The wizard controls every service that is running on the servers that you target with the security policy that is generated from the wizard. You can deploy these service restrictions to servers using the wizard, or you can export the security policy to a GPO for deployment through Active Directory.
More Info
For more information about the Security Configuration Wizard and how to configure these settings, see the "Using the Security Configuration Wizard" section in this chapter.
Group Policy. You have three options for using Group Policy to control services. First, you can import a security template into an existing GPO. Second, you can convert a security policy generated with the Security Configuration Wizard into a GPO, which then can be linked to a site, the domain, or an OU. Finally, a standard GPO has a section on system services, which you can configure to control computers in the organization.
Many tools are available for querying, investigating, probing, configuring, troubleshooting, and assisting with security configurations. However, two particular tools come to mind when it comes to general hardening of clients and servers: Netstat and Portqry.
Netstat (Netstat.exe) is a command-line tool that displays TCP/IP protocol statistics and active connections to and from your computer. Netstat can also display the number of bytes sent and received, as well as network packets dropped (if any). The tool is useful if you want to quickly verify that your computer can send and receive information over the network. It can also be used to identify all ports and their state on a computer.
To identify the ports and the process ID for each port, complete these steps:
Click Start, Run, and then type cmd in the Open box. Click OK.
Obtain a list of all listening ports by typing the following at a command prompt and then pressing Enter:
netstat -ano > c: etstat.txtObtain the process identifiers for the processes that are running by typing the following command at the command prompt and then pressing Enter:
tasklist > tasklist.txtOpen Tasklist.txt, and locate the program you are troubleshooting. Note the process identifier for the process.
Open Netstat.txt, and note any entries that are associated with that process identifier. Also note the protocol in use (TCP or UDP).
The Portqry command-line tool reports the status of TCP and UDP ports on a target computer. You use it to troubleshoot TCP/IP connectivity issues. It provides an additional level of detail on port status not provided by other port scanning tools. You can use PortQry to query a single port, an ordered list of ports, or a sequential range of ports.
If the target port does respond, it is characterized as "listening." If an "ICMP destination unreachable" message is returned from the port, the port is characterized as "not listening." However, some port scanning utilities will report that a port is listening simply if an "ICMP destination unreachable" message is not returned from a target port. This might actually be inaccurate because no response to a directed datagram might also indicate that the target port is being filtered.
To get a listing of the ports and their state using Portqry, type the following at a command prompt, and then press Enter:
Portqry -n <IP address> -r <port range> -p both -l <file path>