Posts

#infosec Securing your #WinServ and #MSExchange with an acceptable baseline security

Securing your Windows Server with a baseline security

In short, to have an acceptable baseline security for any Windows server you need to think all of the things below in this list.
Sadly enough, even if you follow all of these steps, you’re still not secured forever and ever. There’s no such thing as absolute security. That’s just the way it is but you might use this as some kind of checklist and also the links provided in this post.

Syspeace logo

Syspeace logo

Securing Windows Serves with an acceptable baseline security

1. Make sure all of your software is updated with all security patches. This includes the Windows operating system but also Adobe, Java,Office and any software really. This reduces the risk for so called 0day attacks or your server being compromised by software bugs.

2. Make sure you have a good and not too resource intensive antivirus running on everything. Personally I’m a fan of F Secure PSB for servers and workstations for lots of reasons. It’s not just a pretty logo.

3. Verify you have thought your file and directory access structure and that users and groups are only allowed to use and see what they’re supposed to. Setting file permissions is a very powerful tool to secure your server and crucial.

4. Always make sure to read best practices for securing applications and servers and Google for other ideas also. No manual is the entire gospel.

5. Enable logging. If you don’t know what’s happeing, you can’t really react to it can you ? It also makes any troubleshooting hopeless in restrospect.

7. Have a good monitoring and inventory system in place such as the free SpiceWorks at http://www.spiceworks.com

8. If your server has any monitoring agents from the manufacturer such as HP Server Agents, then install them and set them up with notifications for any hardware events to be prepared.

9. User Group Policies. It’s an extermely powerful tool once you start using it and it will make you day to day operations much easier.

10. If your server is reachable from the Internet, use valifd SSL certificates. They’re not that expensive and any communications should be encrypted and secured as fa as we’re able. Yes, think Mr. Snowden.Think NSA.

11. Disable any unused services and network protocols. They can be a point of entry and for the unused network protocols, you bascially fill your local network with useless chatter that comsume bandwidth. This also goes for workstations and printers and so on.

12. Enforce complex password policies! You won’t be well-liked but that’s not what you get paid for.
If people are having trouble remembering passwords the have all over the world, maybe you could have thme read this
http://jufflan.wordpress.com/2012/11/03/remembering-complex-online-passwords/ and on the topic of online passwords and identities also, http://jufflan.wordpress.com/2012/11/03/reflections-on-theft-and-protection-of-online-identity-on-the-internet-who-are-you/

13. Use a good naming standard for user logins. Not just their first name as login or something too obvious. Here’s an old blog post on why http://syspeace.wordpress.com/2012/10/21/securing-your-webmailowa-on-microsoft-exchange-and-a-few-other-tips/

14. Backups! Backups! and again. BACKUPS!!
Make sure you have good backups (and test them at least once a year for a complete disaster revovery scenario) and make sure you have multiple generations of them in case any of them is corrupted, preferrably stored offsite in some manner in case of a fire, theft or anything really.
For day to day operations and generation management I highly recommend using the builtin VSS snapshot method but never ever have it instead of backups.
You can also use the built in Windows Server backup for DR as described here http://jufflan.wordpress.com/2013/07/15/using-windows-server-backup-20082008-r2-for-a-disaster-recovery-from-a-network-share/

15. You need to have an automatic intrusion protection against brute force and dictionary attacks with Syspeace since the “classic” methods do not get the job done. Here’s an older blog post on why http://syspeace.wordpress.com/2013/07/11/using-various-brute-force-and-dictionary-attack-prevention-methods-to-prevent-hackers-and-why-they-dont-work-repost/ . I you don’t have the time to read the article then simply download the free Syspeace trial, install it and you’ve set up a pwerful and easy to use bruteforce prtection for your server in minutes.

If you’re up for it, I’ve written a few other related posts here:

http://jufflan.wordpress.com/2012/10/22/securing-your-server-environment-part-1-physical-environment/
and
http://jufflan.wordpress.com/2012/10/22/securing-server-environments-part-ii-networking/

By Juha Jurvanen @ JufCorp

Getting the datacenter ready for the Holidays – a few thoughts

Note: This was written just before Christmas 2012 but it does apply to any longer holidays or vacations ../Juha Jurvanen

The Christmas holidays are coming up and most people look forward to them as always.

One aspect of the holidays though that might be worth to remember is that your serves might be more attacked during the holiday seasons since many hackers assume that your ususal vigilance for monitoring brute force attacka and dictionary attacks is lowered.

This year, Christmas Eve is on a Tuesday and for quite a few the time away from work can be up to a couple of weeks, including system administrators and techs.

The downside to this well-deserved leave is that it might give an attacker at least two weeks to try and hack your servers without anyone noticing it.

A few things you may want to do before you leave work for Christmas then.

Security patches

Make sure your servers and systems (such as firmware for switches, WiFi and so on) have all necessary security patches installed.

Antivirus status

Make sure your antivirus is running and updated.

Firewalls and WiFi entry points

Have a final look at any entrypoints to your networks i.e. have a look at firewall rules and WiFi access points. Shutdown everything that doesn’t need to be running.

Test servers

Have look around and see that you don’t have any unncessary test systems running, if for no other reason than to save money on current. If your test-serevrs are in a virtual environment, shut them down since they could pose a securiy risk. Test systems are always test systems.

External access via VPN

Make sure you don’t have any rogue VPN certificates out in the wild or any users active that should’t have access. Also, consider changing administrative passwords if it’s been a while.

UPS

Have a look at battery and charging levels for your UPS ,
Should a power failure occur and these things don’t work , you might be forced to fix a failed hardrive on Christnmas Evev and nobody wants that.

Hardware health checks

Check for any hardware errors in your monitoring sodtware (such as the HP Insight interface ) to see make sure you don’t have hard drives that are predicted to fail or any other hardwrae malfuncion going on.

Backups

Have a good look at your backups, logs and doublecheck they’re running correctly and that data is duplicated automatically. Especially for any backups that clear logsfiles sucha as Exchange backups, SQL Server backups . You don’t want to fill up yur system drives if ou’re not around to take care of it.

Contingency plan

Make sure there’s an updated plan in place with the correct phone numbers and contact info to the right staff and suppliers in case of an emergency. Have a look at the schedules to see who’s on call and make sure the plan is reachable, even if the datacenter isn’t.

Network monitoring

Install software for monitoring and scanning your network and have it alert via email for anything strange such as a new device on your network, a newly created user somewhere, mismatch in network configurations and so on. You could have a look at SpiceWorks that’s free and gets the job done if don’t have anything in pace now,

Brute force and dictionary attacks and intrusion detection

Install Syspeace to automatically block, trace and report any brute force attacks against your Windows, Citrix, Exchange OWA, Sharepoint, Terminal servers, Sharepoint and so on.

I’m sure there’s even more things that might be worth doing but this is a start anyway.

By Juha Jurvanen – Senior IT Consultant

How to setup syspeace for rdp – intrusion prevention for Windows servers

This is actually just a post based on some of the search terms that have led to people finding this blog.

So,

how to setup syspeace for rdp

..
Actually , it might take you longer to read this blogentry than actualy set it up.

1. Go to the Syspeace website and download the software at /downloads.aspx

2. Read the requiremnets in the manual:

System requirements
Operating system: Windows 7, Windows Server 2003, Windows Server 2008/2008 R2 (32 or 64 bit), Windows Small Business Server SBS 2008 and so on . (We are currently working on the Windows Server 2012 validation and we have tested it successfully but in certain scenarios the source IP address isn’t displayed in the evenlog. This is a Windows Server issue)
.Net 4 (if not installed, it wil be installed for you )
1GB free disk, minimum 500M RAM.
Auditing
Auditing for failed login and successful log in switched on in local security policy or in the group policy for the domain. This will enable events in the event-log that Syspeace listens for.
Firewall
The built-in firewall in Windows must be up and running.

3. Install Syspeace which is quite straight forward

4. Start the GUI and type in a valid mailaddress to get your 30 day free trial license key emailed to you. This emai address is also going to be the account emai you need tp use when purchasing the license.

4. Paste the license number and the GUI will start.

5. By default, the Syspace service is NOT started.

6. Cllick teh Settings button and review the default rules (called the “Catcha all” rule” and alse set up messaging for blocked attacks (whom to alert, whom to emai license inforamtkion and so on )

7. Close the Settings section. Click the “START” butto and you’re done.

Now, your Windows server is instantly protected from brute force and dictionary attacks against youe Exchange Webmail OWA, Terminal Servers on RDP (terminal services, remote desktop services, remote app sessions) and the webinterface called RDWEB, your Sharepoint login , your Citrix server, winlogon services and even more.

There’s really not that much more to it.
Since the intrusion prevention for Syspeace monitor the Windows Server Evnetlog , it doens’t matter if you have set up RDP on other ports or if you are using a proxy. Sysoeace is a HIDS (Host Instrusion Protection System) thus eliminating the need for separate hardware, expensive consulans and redesigning you infrastructure.

Just sit back and start recieving resports and emails when an attack is blocked, tracked and reported.