Thread: Advice on Securing a Windows Server 2003 Network....

  1. #1
    Junior Member
    Join Date
    Mar 2008
    Posts
    94

    I recently got a call from a loan company who just got started and they were installing their computers and "wanted" a server....They talked to another company I do work for and got a P4 3GHz and a copy of Windows Server 2003 Small Business Edition.

    After visiting the site and taking a look at the used computers they had and the server hardware I got to work! Also note they have financial data on the hard drives.

    They have 6 employees with 5 computers....ATT gave them a Linksys wireless router with a DSL modem...I don't think it's a static IP. 3 are XP and 2 are Vista.

    I installed the Windows Server 2003 and plugged everything in.

    I set up WPA2-PSK encryption and MAC filtering. All the computers have their firewalls on and so does the server. They are using AVG on all their computers. Also the router has its SPI firewall on.

    Where things got complicated is where the Windows Server started to configure Active Directory....They are just on a workgroup and I don't think they want to be on a domain...but I just left it...I made an account on the server, made a share that accepts that account (not the Everyone group) and mapped the share on all their computers. Should I run a dcpromo and roll back Active Directory since they will not be using it?

    I have done some labs installing Windows Server 2003 in my classes but this is the first time I did a Windows server install for a real company and I hesitantly announced the network secure.

    I'll be going back Monday to see how everything's going.

    Now the manager wants to set up a Web server and SharePoint....SharePoint is just going to be for the company on their intranet but a web server is going to be on the internet. We'll be using DDNS.

    Since making a web server using IIS is, I think, risky...does anyone have any ideas of further securing the system since we'll be running an IIS web server?

    I thought about disabling LM hashing...but SharePoint needs it I think.

    Also I need to keep in mind he wants to set up a VPN so he can access the share from home. Would an SFTP client be better than a Microsoft VPN connection?
    cybrsnpr: "I think you have the right idea, but I also think you are really trying to kill a gnat with a small nuclear device!"

  2. #2
    Very good friend of the forum Virchanza's Avatar
    Join Date
    Jan 2010
    Posts
    863

    When are you going to bite the bullet? The network server is running MSWindoze Server 2003. So long as that computer is running MSWindoze, the business is gonna be like an immuno-compromised patient walking through a cholera-infested town.

    There's no ifs, buts, or maybes about it. If you want security, Microsoft has to go. I suggest you replace it with Linux (it's superior in every way except for playing games as far as I know).
    Ask questions on the open forums, that way everybody benefits from the solution, and everybody can be corrected when they make mistakes. Don't send me private messages asking questions that should be asked on the open forums, I won't respond. I decline all "Friend Requests".

  3. #3
    Junior Member
    Join Date
    Mar 2008
    Posts
    94

    I know....I ran Windows Update also....It's just what they had...I didn't have any say in what they were buying.

    That's why I'm asking for advice on Securing Microsoft....least the best it can be reasonably.

  4. #4
    dguitar
    Guest

    Sounds to me like you'll need more boxes. AFAIK, you will not be able to run SharePoint (WSS) on the same server as the internet facing web site.

    You might think about VMs if this is all the hardware you can work with. I did something similar for an NPO. Set up a Linux server running 2 VMs, 1 Windows for the crap they needed and 1 Linux for the network stuff. Not ideal obviously...

    The financial data on the HDs sounds dangerous to me. Do they need to follow any regulations related to that data? Are they backing up said data? Safely? Are HDs encrypted?

    Lots of things to think about when dealing with things of that nature...

    Also, take a look around M$'s website, they actually have 'some' good info on securing the OS.

  5. #5
    Super Moderator lupin's Avatar
    Join Date
    Jan 2010
    Posts
    2,943

    Quote originally posted by Virchanza:
    > When are you going to bite the bullet? The network server is running MSWindoze Server 2003. So long as that computer is running MSWindoze, the business is gonna be like an immuno-compromised patient walking through a cholera-infested town.
    >
    > There's no ifs, buts, or maybes about it. If you want security, Microsoft has to go. I suggest you replace it with Linux (it's superior in every way except for playing games as far as I know).

    Don't necessarily agree that Microsoft stuff is impossible to secure. It IS possible to make a Microsoft network reasonably resilient and secure if you use proper network design and know what you are doing. Microsoft stuff definitely isn't secure "out of the box" though, and some significant effort is required to make it secure and actually keep it working. It takes much more effort than for a Linux equivalent, but it is possible.

    @OP

    Sharing Internet facing web server duty and any type of internal networking duty like file sharing is a very bad idea, no matter what OS you are running. At a minimum the web server should be on a dedicated box, hardened and patched, and in a DMZ off a dedicated firewall. If the company cannot afford to dedicate the hardware for this, they should use hosted services for the webserver instead of trying to do it themselves.

    If you are not using Active Directory you should disable it, but I would recommend using individual user accounts instead of one shared account for accessing information on the server. You will have no accountability for users otherwise, and won't be able to allocate different permissions to different people, revoke people's access, etc.

    There are security templates available for hardening Windows, and a guide from Microsoft themselves on the subject. There are various hardening settings for various roles. You should use the guide, because as I already mentioned Windows is not secure out of the box.

    If you're dead set on hosting the web server, you could run Apache on the Windows box and add ModSecurity, or you could use IIS Lockdown if you are wedded to IIS. There is also a security template for a webserver but that won't help if that server needs to do filesharing too (and did I mention that's a really bad idea yet?)

    The Microsoft VPN isn't too bad, just choose good passwords, think about multi factor authentication and do your best to ensure the remote system is secure - use the basic Network Access Quarantine Control feature in Windows Server 2003. Consider using Terminal Servers to access files instead of allowing drive mappings over the VPN, you'll be much safer then from infections spreading from the client to the server. Using SFTP instead may also help protect you from malware that spreads over MS file shares (SMB/CIFS protocol).
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  6. #6
    Very good friend of the forum Virchanza's Avatar
    Join Date
    Jan 2010
    Posts
    863

    Quote originally posted by >Dart>:
    > I know....I ran Windows Update also....It's just what they had...I didn't have any say in what they were buying.

    It will cost $0.00 to upgrade to Linux.

    After upgrading to Linux, you can sell the Windows license, so you'll make a profit. The profit can be spent on presents for employees' kids at the work Christmas party.

    > That's why I'm asking for advice on Securing Microsoft....least the best it can be reasonably.

    That will cost about $80,000 a year.

    Let me explain:

    Each day contains three 8-hour chunks, so you need to hire three people to cover the entire day if they each work 8 hours a day. You need a fourth person for when they're on their lunch breaks.

    You're gonna have to pay each of these people $20,000 a year to sit for 8 hours a day watching Wireshark to make sure there's no dodgy packets going to the Microsoft machine. They can pull the plug when they think something fishy's going on.

  7. #7
    Senior Member Thorn's Avatar
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509

    Get a copy of "How to Cheat at Small Business Server 2003" by Susan Snedaker, Syngress Publishing, 2004. It covers just about everything you need to know, including how to set up AD, and security.

    Don't consider switching to Linux unless you have a compelling business reason to do so. It does cost less up front, but it tends to have very high back end costs unless the company has a full-time admin with a lot of *nix experience. That doesn't seem to be the case from your description. SBS2003 is designed to fit and complement that kind of small business environment. Unfortunately, Linux/Samba/LDAP also does not work 100% with Vista or XP workstations, which are the clear majority of business workstations out there.

    This is from personal experience, by the way. I have set up both Linux w/Samba and SBS2003 networks for businesses of this size, and have found that in most cases you can set up SBS 2003 with less fuss, and significantly lower time spent on initial configuration than compared to a similar Linux server, and you can obtain adequate security if you pay attention to the details.

    In an ideal world, Linux would be the preferred OS, but when you look at the reality of what it takes to set up and configure, SBS2003 makes much better sense from a business perspective.

    Again, get a copy of "How to Cheat at Small Business Server 2003". It's what I use as a reference for setting up and administering SBS.
    Thorn
    Stop the TSA now! Boycott the airlines.

  8. #8
    Super Moderator Archangel-Amael's Avatar
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012

    I have done some setups with SBS2003 and this site should be your first stop. It helped me out a lot.
    Granted you won't have a lot of time to sit and read everything but in addition to, or as an alternative to, the book Thorn mentioned the site is official and has lots of info about the Server 2003 family. Look for the getting started guide and the section on system administration setup.
    If you want to discuss if Windows vs. Linux is the correct way to go have a look at this site. Granted the site is owned by MS but they try to have independent studies done (Yes I know it is subjective) to compare MS vs. Linux as servers.
    As for what others have mentioned try to keep the server roles to a minimum.
    To be successful here you should read all of the following.
    ForumRules
    ForumFAQ
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.

  9. #9
    Jenkem Addict imported_wyze's Avatar
    Join Date
    Jul 2007
    Posts
    1,543

    Quote originally posted by archangel.amael:
    > If you want to discuss if Windows vs. Linux is the correct way to go have a look at this site. Granted the site is owned by MS but they try to have independent studies done (Yes I know it is subjective) to compare MS vs. Linux as servers.

    HIGHLY subjective

    Quote originally posted by archangel.amael:
    > As for what others have mentioned try to keep the server roles to a minimum.

    True indeed

    @OP have a look at Win2K3 here: Operating Systems - NSA/CSS
    dd if=/dev/swc666 of=/dev/wyze

  10. #10
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    There are many published guides and books from the likes of the Centre for Internet Security, the NSA/CIA/FBI, Microsoft, O'Reilly, etc. on securing the OSes and web servers in question, just fire up Google.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.
