Tuesday, January 16, 2007

Configuring User Rights

User rights are privileges that are configured on each member server individually. Some of the more common, and more security-sensitive, user rights include:

  • Back up files and folders
  • Restore files and folders
  • Log on locally
  • Log on as a service
  • Manage auditing and security log
  • Take ownership of files or other objects

Regardless of the user right, the list of users and groups that have been granted each of these privileges on member servers should be investigated and controlled. The best way to control user rights for member servers is to use a GPO, as shown in Figure 2.

Figure 2: User rights for member servers can be controlled centrally by using a GPO
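Before a GPO is rolled out, it helps to know who actually holds these rights on each server today. The following script is an added example, not code from the original article: it exports the effective local user-rights policy with secedit.exe, parses the six rights listed above, and flags any holder that is not in a baseline. The baseline SIDs are a constructed placeholder to be replaced with your own policy, and the script assumes an elevated PowerShell session on Windows Server.

```powershell
# Added example, not from the original article: audit which principals hold the
# six security-sensitive user rights listed above on the local member server and
# flag any holder that is not in an expected baseline. Assumes an elevated
# PowerShell session on Windows Server with secedit.exe available; the baseline
# below is a constructed placeholder to be replaced with your own policy.
$Rights = @{
    'SeBackupPrivilege'        = 'Back up files and folders'
    'SeRestorePrivilege'       = 'Restore files and folders'
    'SeInteractiveLogonRight'  = 'Log on locally'
    'SeServiceLogonRight'      = 'Log on as a service'
    'SeSecurityPrivilege'      = 'Manage auditing and security log'
    'SeTakeOwnershipPrivilege' = 'Take ownership of files or other objects'
}
# Expected holders per right (well-known SIDs: S-1-5-32-544 = Administrators,
# S-1-5-32-551 = Backup Operators). Constructed example values, not a recommendation.
$Baseline = @{
    'SeBackupPrivilege'        = @('S-1-5-32-544', 'S-1-5-32-551')
    'SeRestorePrivilege'       = @('S-1-5-32-544', 'S-1-5-32-551')
    'SeInteractiveLogonRight'  = @('S-1-5-32-544')
    'SeServiceLogonRight'      = @()
    'SeSecurityPrivilege'      = @('S-1-5-32-544')
    'SeTakeOwnershipPrivilege' = @('S-1-5-32-544')
}

# Export the effective (domain-merged) user-rights policy to an INI-style file.
$cfg = Join-Path $env:TEMP 'userrights.inf'
& secedit.exe /export /mergedpolicy /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null

# Parse the [Privilege Rights] section; lines look like "SeX = *S-1-5-32-544,*S-1-5-32-551".
$inSection = $false; $granted = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
        $granted[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

function Resolve-Principal([string]$id) {
    if ($id -notmatch '^S-1-') { return $id }   # secedit already wrote a name
    try { (New-Object System.Security.Principal.SecurityIdentifier($id)).Translate([System.Security.Principal.NTAccount]).Value }
    catch { "$id (unresolved SID, investigate)" }  # orphaned or foreign SID: worth a look
}
foreach ($priv in $Rights.Keys) {
    foreach ($holder in @($granted[$priv] | Where-Object { $_ })) {
        $status = if ($Baseline[$priv] -contains $holder) { 'expected' } else { 'UNEXPECTED' }
        '{0,-10} {1,-42} {2}' -f $status, $Rights[$priv], (Resolve-Principal $holder)
    }
}
```

Run it on each member server before and after applying the GPO; any line marked UNEXPECTED, or any SID that will not resolve, is a grant to review.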

Controlling Ports and Services

Often ports and services go hand in hand, since some services require the use of certain ports. For example, Internet Information Services (IIS) is responsible for the World Wide Web (WWW) Publishing Service, which relies on port 80 by default. Many services, like IIS and the WWW Publishing Service, provide excellent benefits but can also expose security vulnerabilities. If a member server does not require a service or port, then that service or port should be disabled.

Controlling ports and services is not as simple a task as the others in this article. Services can be controlled through GPOs, but not all of the essential settings associated with a service can. To control a service properly, you need to control both its startup mode and its service account. The built-in GPO settings for services only support control of the startup mode, not the service account. With PolicyMaker, you can include control of the service account within a GPO.

If you run Windows 2000 Server on your member servers, controlling the ports is a manual process. This can leave some ports exposed and thus leave the server vulnerable. However, if you run Windows Server 2003, Microsoft has just released a new tool in Service Pack 1 that can help you control both ports and services: the Security Configuration Wizard. The wizard creates security policies (which can then be turned into GPOs) that enable and disable the appropriate ports and services, depending on which roles the server is responsible for. (For more information about the Security Configuration Wizard, refer to http://www.windowsecurity.com/articles/Security-Configuration-Wizard-Windows-Server-2003-SP1.html.)

If you want to control ports and services independently of the roles that Microsoft has specified, you can read up on which ports and services are essential, and what each is responsible for providing, in Microsoft's Security Guides (which can be found at http://www.microsoft.com/technet/security/topics/ServerSecurity.mspx).

Application Level Security

For member servers that run one or more applications, you might find yourself in a common situation: you want one or more users to have administrative control over the application, but not over the server. With the built-in configurations that Microsoft provides, there is no way to specify that a user has administrative control over one application but not the server. If you are in this situation, your best option is to place the user in the Power Users group on the member server and hope that this provides enough privilege to run the application. If not, you might need to add the user to the Administrators group to give them the privilege required to support the application.

If you want to take your solution to the next level, install Application Security (http://www.desktopstandard.com/PolicyMakerApplicationSecurity.aspx) to control which groups can administer which applications, on a server-by-server basis. This takes the security of your application servers to a whole new level, allowing full control over who can administer which applications.

Summary

Member servers are responsible for most of the company's data, financial applications, HR resources, and other mission-critical company resources. It is essential that member servers are protected to ensure that the data they house remains protected from attackers. This is best accomplished by using the built-in GPO settings, and can be expanded by using some excellent third-party GPO extension tools. After the local SAM, user rights, ports, services, and applications are protected, you are well on your way to having well-protected member servers.

http://www.windowsecurity.com/articles/Securing-Windows-Member-Servers.html