Approach to security hardening the Microsoft Server Stack

So you just deployed your brand new Microsoft infrastructure hosting your critical application, be it in the public cloud, on leased infrastructure or in your own datacenter. You configured all your servers and the application and are ready to publish it for external access (either authenticated or anonymous).

Microsoft Server products are well established in corporate intranet networks, but are still relatively rare in the internet/extranet space.

How do you approach hardening of the Microsoft Server stack? What process do you follow? What tools do you use? How do you test and validate your setup?

This blog post aims to give you a few general hints and guidelines on how you can increase your Windows Server security with a few simple steps.

General approach

The approach we have used with success with many of our customers boils down to 3 main things:

  • Holistic ('360') approach to security. Example: even if you have a top-notch security configuration on your servers but the servers are not physically secure, any person can crack the passwords/encryption given enough time with the machine. Security must be implemented at all layers
  • Technology is one thing, but you also need to take care of the people (their knowledge, skills, team work) and the process (procedures in place that 'shape' proper behaviour)
  • Verify/test! Even if you plan and execute the most thorough security plan, you need to verify it by running extensive tests (e.g. penetration testing/attack surface analysis), ideally before and after applying your security plan

Technical details

Below I provide several points which are worth taking into account when building your security plan.

For hardware security ensure:

For Windows Server stack security hardening do not forget:

  • Up-to-date kernel (ensure a responsive patching procedure)
  • Enable ONLY required roles and services
  • Once this is done, disable unused services, e.g. for a standalone (or domain-joined) web server we were able to disable 42 base Windows services without any impact on the functionality of the web server
  • Unbind unnecessary protocols from the network interfaces; most often you will only need TCP/IP (v4 or v6) and, if you need it, File and Printer Sharing
  • Disable NetBIOS over TCP/IP in the TCP/IP properties of your network connection
  • Change the default RDP port (http://support.microsoft.com/kb/306759) and enforce Network Level Authentication (NLA)
  • Enable and configure Windows Firewall; you can disable most of the out-of-the-box enabled rules, keeping only RDP (if you use it rather than some other remote connectivity tool) and your application traffic
  • Optimize your security via local or domain Group Policy (follow the links below for guidance on recommended settings, esp. CIS); definitely focus on enforcing NTLMv2, password/account policies, user rights assignment and audit policies
  • Enable UAC
  • Enable IE Enhanced Security Configuration, or even disable IE and other programs via Software Restriction Policies in GPO
  • Ensure only 2-3 people (with dedicated accounts) are members of the local Administrators group
  • Rename the default administrator account and create a decoy administrator account (http://technet.microsoft.com/en-us/library/cc700835.aspx)
  • Ensure you are able to get the most out of your auditing, with tools like Dell/Quest ChangeAuditor (http://www.quest.com/changeauditor/)
  • Harden your TCP/IP stack: disable automatic admin shares (e.g. C$), disable SSLv2, consider decreasing the default TTL, and disable ICMP redirects. The TCP/IP stack since WS2008 is much more secure by default than in 2003, but you can still make a few tweaks
  • And much more… Contact us if you are interested in securing your Microsoft-based business applications :)
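A read-only audit of several of the checklist items above, written for this post as an added example (it is not the original author's script). It assumes it is run from an elevated PowerShell prompt on the server; the registry paths and expected values are documented Windows settings, while the $Checks table and the Test-RegistryCheck function are this example's own construction.

```powershell
# Added example: audit NLA, RDP port, NTLMv2, UAC, admin shares, SSLv2, ICMP redirects,
# NetBIOS, firewall profiles and local Administrators membership. Read-only, no changes made.
$Checks = @(
  @{ Name = 'NLA enforced for RDP (UserAuthentication=1)'
     Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
     Value = 'UserAuthentication'; Expect = 1 },
  @{ Name = 'RDP moved off default port 3389'
     Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
     Value = 'PortNumber'; Expect = 3389; NotEqual = $true },
  @{ Name = 'NTLMv2 only (LmCompatibilityLevel=5)'
     Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
     Value = 'LmCompatibilityLevel'; Expect = 5 },
  @{ Name = 'UAC enabled (EnableLUA=1)'
     Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
     Value = 'EnableLUA'; Expect = 1 },
  @{ Name = 'Automatic admin shares (C$, ADMIN$) disabled'
     Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
     Value = 'AutoShareServer'; Expect = 0 },
  @{ Name = 'SSLv2 server-side disabled'
     Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server'
     Value = 'Enabled'; Expect = 0 },
  @{ Name = 'ICMP redirects ignored (EnableICMPRedirect=0)'
     Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
     Value = 'EnableICMPRedirect'; Expect = 0 }
)
function Test-RegistryCheck($c) {
    # A value that is not set means the OS default applies; flag it for review rather than guess
    $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'REVIEW (value not set, OS default applies)' }
    $actual = $item.($c.Value)
    $ok = if ($c.NotEqual) { $actual -ne $c.Expect } else { $actual -eq $c.Expect }
    if ($ok) { "PASS (actual=$actual)" } else { "FAIL (actual=$actual)" }
}
foreach ($c in $Checks) { '{0,-50} {1}' -f $c.Name, (Test-RegistryCheck $c) }
# NetBIOS over TCP/IP per IP-enabled adapter: TcpipNetbiosOptions 2 = disabled
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' | ForEach-Object {
    $state = if ($_.TcpipNetbiosOptions -eq 2) { 'PASS' } else { "FAIL (option=$($_.TcpipNetbiosOptions))" }
    '{0,-50} {1}' -f "NetBIOS disabled on $($_.Description)", $state
}
# All Windows Firewall profiles enabled (NetSecurity module, Windows Server 2012 and later)
Get-NetFirewallProfile | ForEach-Object {
    $state = if ($_.Enabled -eq 'True') { 'PASS' } else { "FAIL ($($_.Enabled))" }
    '{0,-50} {1}' -f "Firewall profile '$($_.Name)' enabled", $state
}
# Who is in local Administrators; the post recommends 2-3 dedicated accounts only
net localgroup Administrators
```

Anything reported as FAIL or REVIEW maps directly to a bullet in the list above; the Group Policy and audit-policy items are better checked with the CIS benchmark tooling the post points to than with ad-hoc registry reads.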

In the area of network, take into account:

Tools and links

These are the tools I found quite useful:

FIM 2010 authorization workflow fails with EventID 3

If there is software, there has to be a bug. FIM 2010, a nice platform for identity management projects, is of course not free from bugs; we have to live with them, wait for fixes to come and sometimes learn how to handle them. This one is the latter case.

Story …

One of the nice features of FIM is the possibility to use the approval activity to construct approval processes for user actions in the FIM Service. As every consultant working with FIM, I can easily come up with a few things I would improve in the approval activity, but this doesn't change the fact that it is an easy-to-use and fast way to build approval workflows. If you combine it with a few custom activities it can be used even in cases such as dynamically calculated approvers based on conditions, or conditional approval based on the result of some condition check (just two examples of how we use it).

While working on a rather simple case of approval for user actions I came across a problem: my approval activity stopped working and on every request instance I got "Access Denied", because my workflow failed with the exception "Object reference not set to an instance of an object".

On the FIM Service I found Event ID 3 in the Event Log, which was caused by this exception, but without many more details.

(…)

Error message from Event ID 3:

Microsoft.ResourceManagement.Service: System.NullReferenceException: Object reference not set to an instance of an object.

at Microsoft.ResourceManagement.Workflow.Hosting.HostActivator.ActivateHost(ResourceManagementWorkflowDefinition workflowDefinition, Boolean suspendWorkflowStartupAndTimerOperations)

at Microsoft.ResourceManagement.Workflow.Hosting.WorkflowManager.StartWorkflowInstance(Guid workflowInstanceIdentifier, KeyValuePair`2[] additionalParameters)

(…)

Getting to the source …

Troubleshooting of built-in activities is a bit troublesome, if not to say that there is no option for it. Custom activities are rather easy to troubleshoot with a debugger, however here our options are limited. The only option was to try to narrow down the possible causes of this error.

This particular workflow used a mix of custom and built-in activities, so as the first troubleshooting step I started to troubleshoot, and finally remove from the workflow, the custom activities to exclude a possible bug in my code.

Troubleshooting Tip Of the Day

It is generally a good idea to start by narrowing down the area you are troubleshooting if you are experiencing a problem in your solution, code or network. Removing elements of a solution and then adding them back again will greatly improve your ability to find the element which is causing the problem. This might be a custom activity, a network load balancer or load balancing in general, etc.

I quickly found out that this workflow was failing even with only a single, built-in activity. So my code was OK. What was wrong then?

At Predica we use scripts to deploy our FIM solutions and this was no different: the solution, including this workflow definition, was deployed from a script. However, as this was a development environment, I later tested some change introduced manually to this workflow. And this was it. After re-deploying this workflow from the script and then editing the workflow definition in the FIM portal, the problem occurred again.

A quick XOML comparison showed the problem: there was a single difference between the two versions. The original version:

(…)

xmlns:ns1="clr-namespace:System.Workflow.Activities;Assembly=System.WorkflowServices, Version=3.5.0.0

(…)

And the version altered in the FIM portal:

(…)

xmlns:ns1="clr-namespace:System.Workflow.Activities;Assembly=System.WorkflowServices, Version=4.0.0.0,

(…)

It looks like this behaviour happens only when the FIM portal is deployed together with SharePoint 2013.

And now … workaround.

The workaround for this behaviour is simple, but not very convenient if you want to do it through the portal. In order to fix this situation you need to edit the XOML definition of the workflow (XOML is actually the description of your workflow) and find the following piece of the definition:

(…)

xmlns:ns1="clr-namespace:System.Workflow.Activities;Assembly=System.WorkflowServices, Version=4.0.0.0,

(…)

Now you have to change the version in this reference to 3.5.0.0:

(…)

xmlns:ns1="clr-namespace:System.Workflow.Activities;Assembly=System.WorkflowServices, Version=3.5.0.0

(…)

In order to get to the XOML you can open your workflow definition and click the "Advanced view" button. The XOML workflow definition can be found on the "Extended attributes" page. You can safely copy it out of there to your text editor of choice (try Sublime Text, my editor of choice for such things).

What is less fortunate is that you will have to do this every time your authorization workflow is edited through the FIM portal. One more reason to script all configuration tasks in FIM; PowerShell really helps with this task.
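The same version fix applied from PowerShell, as an added example rather than the post's own script: it assumes the XOML copied out of the "Extended attributes" page was saved to workflow.xoml, rewrites only the System.WorkflowServices namespace declaration shown above, and checks that the result is still well-formed XML before writing it back.

```powershell
# Added example (not the original author's code): re-point the System.WorkflowServices
# reference in an exported XOML file from 4.0.0.0 back to 3.5.0.0.
function Repair-XomlWorkflowServicesVersion {
    param([Parameter(Mandatory = $true)][string]$Path)
    $xoml = Get-Content -Path $Path -Raw
    # Match only the xmlns declaration for System.WorkflowServices; group 1 keeps everything
    # up to and including "Version=" so the rest of the attribute is left untouched.
    $pattern = '(clr-namespace:System\.Workflow\.Activities;Assembly=System\.WorkflowServices,\s*Version=)4\.0\.0\.0'
    $hits = [regex]::Matches($xoml, $pattern)
    if ($hits.Count -eq 0) { Write-Host "No 4.0.0.0 reference found in $Path, nothing to do"; return }
    $fixed = [regex]::Replace($xoml, $pattern, '${1}3.5.0.0')
    # XOML is XML: refuse to write back anything the XML parser rejects
    try { [xml]$fixed | Out-Null } catch { throw "Result is not well-formed XML, aborting: $_" }
    Copy-Item -Path $Path -Destination "$Path.bak" -Force
    Set-Content -Path $Path -Value $fixed -Encoding UTF8
    Write-Host "Replaced $($hits.Count) reference(s); original kept as $Path.bak"
}
# Usage: run after copying the workflow's XOML into workflow.xoml (assumed file name)
Repair-XomlWorkflowServicesVersion -Path .\workflow.xoml
```

The repaired file still has to be pasted back into the workflow's XOML attribute in the portal; the script only spares you the hand edit and guards against a typo breaking the definition.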

47 Ronins … actually 2 MVPs … again

Ronin …

… was a samurai with no lord or master during the feudal period (1185–1868) of Japan. A samurai became masterless from the death or fall of his master, or after the loss of his master’s favor or privilege.

Actually there are 47 Ronin right now entering cinemas … to be honest I have not seen this movie yet, so I don't know if it is any good.

A ronin was a lonely samurai without a master, at least in movies, often depicted as a good man fighting for a cause and doing good … often not understood by his society.

MVP…

Most Valuable Professional (MVP) is an exceptional award which Microsoft gives to individuals who commit their time to mastering their skills (like samurai) and share them in one way or another with the community. One more similarity to ronin (if any) is that MVPs do a lot of good work for the community in which they work and are often well recognized for that.

At Predica we don't have any ronin; a few good people have left us, but we still think about them as members of our (somewhat extended) team, and we do not think about ourselves as masters (except in our areas of expertise).

At Predica we are proud to have as members of our team two individuals and experts who, besides supporting our customers and our team as part of their daily duties, commit their time and expertise to supporting and sharing with communities. And for that, in January 2014 Microsoft awarded two of our experts the Most Valuable Professional (MVP) award.


Dariusz Porowski, who is our cloud infrastructure architect and house expert for all kinds of management solutions, was proudly awarded for the 4th year in a row with the MVP award in the Hyper-V area.

Tomek Onyszko, who constantly evangelizes customers and the Predica team about the importance of identity in our modern world, was awarded for the 3rd time with the MVP award in the Enterprise Security area (which is his 6th award; in the past, before joining Microsoft's ranks, he used to be an MVP for Directory Services).

Congrats to both of them, and keep up the good work!!!

A great start to 2014 for our Predica team, and even if we can't get the MVP award as a team, we will still keep working hard and contributing to the community wherever possible: here on the blog, on TechNet Forums and in other places … look out for us and stay tuned here on the blog.