There are no Group Policy settings available for the Password Synchronization role service.
More Information
The following resources on Microsoft.com provide further security best practice information about how to harden server computers:
For computers running the Active Directory Domain Controller role service, see:
Active Directory.
AD DS: Fine-Grained Password.
Appendix D: Active Directory.
Best Practices for Delegating Active Directory.
BitLocker Drive Encryption.
Configuring Active Directory.
IT Showcase: Optimizing Client Security by Using Windows Vista.
Managing Active Directory.
"RODC filtered attribute set" in RODC Features.
Secure Hardware - Overview.
Server Core.
Set computer-specific synchronization properties.
For information about the Server for Network Information Services (NIS) role service, see:
"Server for NIS" in the Help and Support for Windows Server 2008.
For information about the Password Synchronization role service, see:
Controlling password synchronization for user accounts.
"Password Synchronization" in the Help and Support for Windows Server 2008.
Set computer-specific synchronization properties.
"Setting the default port" in the Help and Support for Windows Server 2008.
"Setting the password encryption key" in the Help and Support for Windows Server 2008.
Chapter 4: Hardening DHCP Services
Organizations use Dynamic Host Configuration Protocol (DHCP) servers on their networks to automatically provide client computers and other TCP/IP-based network devices with valid IP addresses. DHCP can also provide additional configuration parameters for client computers and devices called DHCP options, which allow them to connect to other network resources, such as DNS servers and routers.
The DHCP Server service and the DHCP Client service in Windows Server® 2008 include the following security-related enhancements that did not exist in previous versions of Windows Server:
DHCPv6 functionality. In Windows Server 2008, Microsoft has introduced DHCPv6 functionality to the DHCP server. In the DHCPv6 stateless mode, client computers use DHCPv6 only to obtain network configuration parameters other than the IPv6 address. In this scenario, client computers configure an IPv6 address through a mechanism not based on DHCPv6, such as IPv6 address autoconfiguration based on the IPv6 prefixes included in Router Advertisements, or static configuration. In the DHCPv6 stateful mode, client computers acquire both the IPv6 address and other network configuration parameters through DHCPv6. If IPv6 is not deployed in your environment, then DHCP provides IP configuration for IPv4 addresses only. For more information about DHCPv6, see the article "The DHCPv6 Protocol" on Microsoft TechNet.
Network Access Protection (NAP). NAP is integrated with DHCP to require DHCP clients to prove their system and security health state before they can receive an IP address to gain access to your intranet. NAP is supported on DHCP for IPv4 addresses, not IPv6 addresses. For more information about NAP, see the following resources:
"Network Access Protection."
Step-by-Step Guide: Demonstrate DHCP NAP Enforcement in a Test Lab.
This chapter provides prescriptive guidance for hardening the DHCP Server role. The DHCP Server role has no subordinate role services.
Attack Surface
The DHCP role is susceptible to many of the same security attacks as any server computer that provides DHCP services. To determine the attack surface for this role, you need to identify the following:
Installed files. The files that are installed as part of the DHCP Server role.
Running services. The services that run as part of the DHCP Server role.
Note You can use the RootkitRevealer and Sigcheck utilities that are part of Windows Sysinternals to verify the integrity of the installed files and the files that the services run.
Firewall rules. The firewall rules that the DHCP Server role uses.
Role dependencies. The dependencies for the DHCP Server role.
The details of the DHCP Server role attack surface are included in the Windows Server 2008 Attack Surface Reference workbook that accompanies this Solution Accelerator. To view the attack surface for this server role, on the DHCP tab of the workbook, view the sections that correspond to each of the items in the previous list.
Security Measures
This section describes the security measures that you can incorporate into your DHCP Server role configuration to protect the server against malicious attacks. The recommendations that follow assume that you have only selected the DHCP Server option on the Select Role Services page of the Add Roles Wizard. Recommendations for other role services are not included.
Configuration Checklist
The following table summarizes the recommended security configuration tasks for hardening servers performing the DHCP Server role. If you need help to complete any of the checklist items, see the following sections in this chapter for additional details and recommendations.
Table 4.1 Configuration Checklist
| Configuration tasks |
| --- |
| Dedicate a computer to running the DHCP Server role. |
| Deploy a Server Core installation of Windows Server 2008. |
| Use DHCPv6 Functionality. |
| Eliminate computers running rogue DHCP services. |
| Add DHCP reservation and exclusion ranges for IP addresses. |
| Use NAP to enforce computer configuration health. |
| Restrict DHCP security group membership. |
| Configure DNS record ownership to help prevent stale DNS records. |
Dedicate a Computer to Running the DHCP Server Role
Combining server roles is not generally recommended except in specific circumstances. For example, combining the DNS and AD DS server roles could be appropriate for some organizations. However, DHCP servers are often critical to the environment. Combining server roles expands the attack surface of the server, and increases the chance of a successful denial of service (DoS) attack. For these reasons, Microsoft does not typically recommend combining the DHCP server role with another role.
However, if budgetary or other reasons dictate that your organization must combine server roles, you can combine the DHCP Server role with other infrastructure server roles. A suitable combination could include the Windows Internet Name Service (WINS) server role, although many Windows Server 2008 environments no longer require a WINS server. Microsoft recommends avoiding combining the DHCP Server role with the following roles:
Less restrictive server roles, such as the Web Server role or the Terminal Services Server role.
AD DS Server role, due to the importance of minimizing the attack surface of this server role.
AD CS Server role, due to the importance of minimizing the attack surface of this server role.
Deploy a Server Core Installation of Windows Server 2008
Deploying Windows Server 2008 using the Server Core installation option reduces the attack surface of the operating system by limiting the number of required files and services. The advantage of the Server Core option is that it does not install files and services required for the graphical user interface (GUI).
When you use the Server Core installation option of Windows Server 2008 to deploy the operating system, you can only locally manage the server using command-line tools. To manage the server using GUI-based tools, you must install and run these tools on another computer with a Windows-based GUI.
You can use the following command line management tools to manage the DHCP Server role:
To install the DHCP Server role, run the following command:
start /w ocsetup DHCPServerCore
To configure the DHCP Server service, run the following command:
sc config dhcpserver start= auto
Note The option name is "start=", with no space between "start" and "=". A space is required between "=" and "auto".
To start the DHCP Server service, run the following command:
net start dhcpserver
To manage the DHCP Server service after it is running, use the following netsh contexts:
netsh DHCP
netsh DHCP server
netsh DHCP server scope
netsh DHCP server mscope
For more information about managing the DHCP Server role using netsh, see Netsh commands for DHCP.
To uninstall the DHCP Server role, run the following command:
start /w ocsetup DHCPServerCore /uninstall
For more information about installing and managing the DHCP Server role using the Server Core installation option, see the Server Core Installation Option of Windows Server 2008 Step-By-Step Guide.
Use DHCPv6 Functionality
IPv6 allows computers to obtain IP addresses automatically using stateless autoconfiguration. This protocol does not require a DHCP server, and it ensures IP addresses are unique by using the media access control (MAC) address of the network adapter as part of the overall address, and then sending a multicast packet to determine if any other hosts on the network segment have the same IP address.
If the DHCP server uses stateless autoconfiguration, you can still use the server to provide additional network configuration options. Although Windows Server 2008 supports stateless autoconfiguration, use the stateful mode in DHCP to provide IPv6 address allocation.
The addresses generated by a DHCPv6 server are sparsely distributed over the available address space of a subnet. Potential attackers are less likely to guess IPv6 network addresses because the DHCP Server can randomly distribute the addresses over a large address range that the 64-bit IPv6 prefix makes available.
The DHCP Server role also supports permanent and temporary addresses through DHCPv6. You can use a permanent IPv6 address for Dynamic DNS registration, so that the client computer is "known" by that address. You also can use a temporary IPv6 address to establish outgoing connections for scenarios in which the client computer requires privacy for a permanent address. Administrators can automate the IPv6 configuration of computers to use the stateless or stateful mode by using Router Advertisements.
Eliminate Computers Running Rogue DHCP Services
One of the most common forms of attack involving DHCP servers is to use rogue servers to supply addresses to client computers. In most cases, this is an easy attack to launch, because it involves simply adding an additional DHCP server to the network that services client computers.
To help prevent rogue DHCP servers, Windows Server 2008 supports server authorization in Active Directory®. In order for a Windows Server 2008–based computer that is part of a domain to issue addresses, it must first be authorized in Active Directory.
Stand-alone servers that are running a Windows Server® operating system do not have to be authorized in Active Directory to issue DHCP leases. However, if a stand-alone DHCP server determines an existing domain, the stand-alone DHCP server discontinues issuing future IP addresses.
If a DHCP server is not running a Windows Server operating system, the DHCP server in the domain cannot notify the non-Windows-based computer to discontinue issuing IP addresses. To stop a non-Windows-based computer from providing DHCP services, Microsoft recommends preventing computers from accessing the internal network by using other mechanisms, such as physical controls over Ethernet and wireless connections.
You can use the DHCPLoc command-line tool to help identify rogue DHCP servers by obtaining a list of all DHCP servers on the local subnet. The DHCPLoc tool is available in the Windows Support Tools in the \Support\Tools folder on the product CD for Windows® XP, Windows Vista®, Windows Server® 2003, and Windows Server 2008.
For more information about the DHCPLoc utility, see the Dhcploc Overview page on TechNet.
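The following added example is not part of the guide and is not how DHCPLoc itself is implemented. It shows the same kind of check run offline: it parses captured DHCP reply payloads and reports any server identifier (option 54) that is missing from a list of authorized servers. The function names and all addresses are constructed for illustration.

```python
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options field
OFFER, ACK = 2, 5                    # option 53 (message type) values sent by servers

def parse_options(payload):
    """Return {option_code: value} for one BOOTP/DHCP message (UDP payload)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:      # 255 = end option
        if payload[i] == 0:                            # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        options[payload[i]] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return options

def find_unauthorized_servers(payloads, authorized):
    """Server identifiers (option 54) seen in OFFER/ACK replies but not authorized."""
    allowed = {ipaddress.IPv4Address(a) for a in authorized}
    seen = set()
    for payload in payloads:
        try:
            options = parse_options(payload)
        except ValueError:
            continue                                   # ignore non-DHCP or damaged data
        msg_type, server_id = options.get(53), options.get(54)
        if payload[0] != 2 or not msg_type or msg_type[0] not in (OFFER, ACK):
            continue                                   # only server replies matter
        if server_id and len(server_id) == 4:
            seen.add(ipaddress.IPv4Address(server_id))
    return [str(s) for s in sorted(seen - allowed)]

def build_reply(msg_type, server, offered):
    """Constructed sample: minimal BOOTREPLY carrying options 53 and 54."""
    header = bytes([2, 1, 6, 0]) + bytes(12) + ipaddress.IPv4Address(offered).packed + bytes(216)
    options = bytes([53, 1, msg_type, 54, 4]) + ipaddress.IPv4Address(server).packed + b"\xff"
    return header + MAGIC_COOKIE + options

SAMPLE = [build_reply(OFFER, "10.0.0.5", "10.0.0.101"),      # authorized server
          build_reply(OFFER, "10.0.0.99", "172.16.0.20"),    # unknown server
          build_reply(ACK, "192.168.1.1", "192.168.1.50"),   # unknown server
          b"not dhcp"]                                       # ignored: not a DHCP message
print(find_unauthorized_servers(SAMPLE, ["10.0.0.5"]))
```

The authorized list would normally be the set of DHCP servers authorized in Active Directory. Because non-Windows servers ignore that authorization, any address reported here needs to be traced to a switch port and removed by other means.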
Add DHCP Reservation and Exclusion Ranges for IP Addresses
You can help ensure that computers are assigned valid IP addresses by doing the following:
Reserve statically configured addresses so that they are not inadvertently allocated to other IP devices.
Configure a range of IP addresses to pre-allocate them for other devices.
Note If a reservation is configured for an IP address and the IP address falls within the range of an exclusion, the reservation will take precedence.
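The following added example is not from the guide. It is a simplified model of one IPv4 scope that audits an inventory of statically configured hosts for addresses the scope could still lease to another client, and it applies the precedence rule from the note above. The class, its method names, and all addresses and MAC values are constructed assumptions, not the DHCP Server service's own logic.

```python
import ipaddress

ip = ipaddress.IPv4Address

class Scope:
    """Simplified model of one IPv4 DHCP scope (not the DHCP Server's own logic)."""

    def __init__(self, start, end, exclusions=(), reservations=None):
        self.start, self.end = ip(start), ip(end)
        self.exclusions = [(ip(a), ip(b)) for a, b in exclusions]
        self.reservations = {ip(a): mac.lower() for a, mac in (reservations or {}).items()}

    def can_lease(self, address, client_mac=None):
        """True if the address may be handed to client_mac (None = any other client)."""
        address = ip(address)
        if not self.start <= address <= self.end:
            return False
        if address in self.reservations:          # reservation wins over exclusion
            return client_mac is not None and self.reservations[address] == client_mac.lower()
        return not any(lo <= address <= hi for lo, hi in self.exclusions)

    def exposed_static_hosts(self, static_hosts):
        """Statically configured addresses the scope could still lease to someone else."""
        return [h for h in static_hosts if self.can_lease(h)]

# Constructed sample data: one scope, one exclusion range, two reservations.
SCOPE = Scope("192.168.10.1", "192.168.10.254",
              exclusions=[("192.168.10.1", "192.168.10.20")],
              reservations={"192.168.10.10": "00-15-5D-00-0A-01",
                            "192.168.10.50": "00-15-5D-00-0A-02"})
STATIC_HOSTS = ["192.168.10.5", "192.168.10.50", "192.168.10.77", "192.168.20.5"]
print(SCOPE.exposed_static_hosts(STATIC_HOSTS))
```

Any address the audit returns is a statically configured host that needs either a reservation or an exclusion range before the scope is activated.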
Use NAP to Enforce Computer Configuration Health
DHCP enforcement in Windows Server 2008 requires a computer to pass a health check performed by NAP before the computer is assigned an IPv4 configuration that provides access to your intranet. If a computer does not pass the health check, the computer is assigned an IPv4 configuration that only provides access to a quarantined network. The NAP health check verifies that the configuration of the target computer meets or exceeds the security requirements of your organization, such as having the most recent service packs or antivirus signature files.
DHCP enforcement through NAP enforces the health check policy requirements every time a DHCP client attempts to lease or renew an IP address. If the DHCP client fails the health check, it is only allowed to access the quarantined network.
The subelements of DHCP enforcement through NAP consist of a DHCP Quarantine Enforcement Server (QES) that is part of the DHCP Server service in Windows Server 2008, and a DHCP Quarantine Enforcement Client (QEC) that is part of the DHCP Client service. For more information about NAP, see Chapter 10, "Hardening Network Policy and Access Services" and the Network Access Protection page on TechNet.
Restrict DHCP Security Group Membership
You can configure security group membership to the following DHCP-related security groups in order to grant authorized users access to DHCP configuration data without having to grant them full administrative privileges:
DHCP Administrators. Members of this group have the right to administer DHCP servers, but with a lower level of privilege than the Domain Admins group. Assigning DHCP administrators to the DHCP Administrators group instead of the Domain Admins group allows you to apply the principle of least privilege. You can use the Restricted Groups feature of Group Policy to ensure the membership of the DHCP Administrators group does not change. For more information about this topic, see the "Relevant Group Policy Settings" section later in this chapter.
DHCP Users. Members in this group have read-only access to information through the DHCP Administration Microsoft Management Console (MMC).
Configure DNS Record Ownership to Help Prevent Stale DNS Records
You can configure a DHCP server so that it dynamically registers host (A) and pointer (PTR) resource records on behalf of DHCP clients. In this configuration, the use of secure dynamic update with DNS servers might cause stale resource records.
In some circumstances, this can cause problems. For example, if DHCP1 fails and a second backup DHCP server comes online, the second server cannot update the client name because it is not the owner of the name.
In another example, if the DHCP server performs DNS dynamic updates for legacy DHCP clients—client computers running a version of Windows® earlier than Windows® 2000—and those client computers are later upgraded to Windows 2000, Windows XP, or the Windows Server 2003 operating system, the upgraded client computer cannot take ownership of the update or update its own DNS records.
To solve this problem, a built-in security group called DnsUpdateProxy is provided. If you make all DHCP servers members of the DnsUpdateProxy group, then the records of one server can be updated by another server if the first server fails. Also, because all of the objects that are created by members of the DnsUpdateProxy group are not secured, the first server (that is not a member of the DnsUpdateProxy group) to modify the set of records associated with a DNS name becomes its owner.
Therefore, when legacy client computers are upgraded, they can take ownership of their name records at the DNS server. To eliminate these potential problems, make every DHCP server registering resource records for legacy clients a member of the DnsUpdateProxy group. You can configure the DnsUpdateProxy security group through Active Directory Users and Computers.