Attack Surface
The File Services role provides technologies for storage management, file replication, distributed namespace management, fast file searching, and streamlined client access to files. To determine the attack surface of this role service, you need to identify the following.
Installed files. The files that are installed as part of the File Server role.
Installed services. The services that are installed as part of the File Server role.
Note You can use the RootkitRevealer and Sigcheck utilities that are part of Windows Sysinternals to verify the integrity of the installed files and the files that the services run.
Firewall rules. The firewall rules that the File Server role uses.
The details of the attack surface for the File Services role are included in the Windows Server 2008 Attack Surface Reference workbook that accompanies this Solution Accelerator. To view the attack surface for this server role, on the File tab of the workbook, view the sections that correspond to each of the items in the previous list.
Security Measures
This section describes the security measures that you can incorporate into your File Server role service configuration to protect the server against malicious attacks. The recommendations that follow assume that you have only selected the File Server role service option on the Select Role Services page of the Add Roles Wizard. Recommendations for other role services are not included.
Configuration Checklist
This section includes configuration recommendations and a checklist based on best practices to further harden the File servers in your environment. Recommendations for the DFS, FSRM, Services for Network File System, Windows Search Service, and Windows Server 2003 File Services role services are not included. For more information about how to configure these services, see File Services in the Windows Server 2008 TechNet Library.
While these configuration changes help to protect your File servers against these threats, Microsoft recommends using additional antivirus protection to ensure that the File servers in your organization have real-time monitoring of files transferred through these servers. For more information about real-time antivirus protection for Windows Server 2008, see Security and Protection in the Windows Server 2008 TechNet Library.
The following table summarizes the recommended security configuration tasks for hardening servers performing the File Server role service. If you need help to complete any of the checklist items, see the following sections in this chapter for additional details and recommendations.
Table 7.1 Configuration Checklist
| Configuration tasks |
| --- |
| Deploy a server core installation of Windows Server 2008. |
| Digitally sign communications. |
| Consider removing administrative shares. |
| Consider using encryption for drives and files. |
Deploy a Server Core Installation of Windows Server 2008
Deploying Windows Server 2008 using the Server Core installation option further reduces the attack surface of the operating system by reducing the number of installed files and running services. The advantage of the Server Core installation option is that a graphical user interface (GUI) is not installed, so the files and services required by the normal GUI are not installed.
When you use the Server Core installation option of Windows Server 2008 to deploy the operating system, you can only locally manage the server using command-line tools. To manage the server using GUI-based tools, you must install and run these tools on another computer with a Windows-based GUI.
The Server service installs and starts by default when you create a Windows Server 2008 Server Core installation and this service supports the File Server role service. If you need to install other services associated with the File Services role on a computer running a Server Core installation of Windows Server 2008, see the Server Core Installation Option of Windows Server 2008 Step-by-Step Guide.
You can use the following command-line tools to manage the File Server role services:
net share
chkdsk
chkntfs
dfsutil
diskpart
fsutil
vssadmin
This is a partial list. For a complete list of command line tools and information about how to use them, see the "Command Reference" section of the Windows Server 2008 TechNet Library.
You can also use WMI scripts or WS-Management and the Windows Remote Shell to remotely manage File Services role services on computers running Windows Server 2008 Server Core installations.
For more information about WMI, see Windows Management Instrumentation.
For more information about WS-Management and the Windows Remote Shell, see Windows Remote Management.
Note The rest of this section assumes that you are running a standard installation of Windows Server 2008. If you have installed Windows Server 2008 Server Core for your File Server role, you can follow these steps using the Microsoft Management Console (MMC) snap-in from a remote computer.
Digitally Sign Communications
The SMB protocol provides the basis for Microsoft file and print sharing, and many other network operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports SMB packet digital signing. You can configure the Group Policy setting for Microsoft network server: Digitally sign communications (always) in the following location in the Group Policy Object Editor:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted. The setting for Microsoft network server: Digitally sign communications (always) is set to Disabled by default in Windows Server 2008. Microsoft recommends enabling this setting for file servers running in the EC and SSLF environments defined in this guide.
For more information about this security setting, see Microsoft network server: Digitally sign communications (always).
Consider Removing Administrative Shares
Windows Server 2008 creates by default a number of shares that are only accessible to users with administrator user rights on the File Server role service computer. For a File server with a single hard disk drive running the File Server role service, the following table defines these shares.
Table 7.2 File Server Administrative Shares
| Share | Description | Path |
| --- | --- | --- |
| Admin$ | A share that an administrator uses to perform remote administration on a computer. | C:\Windows |
| DriveLetter$ | Root partitions and volumes are shared as the drive letter name appended with the $ character. | C:\ |
For each additional volume on the server that you create, Windows Server 2008 creates a corresponding share of the volume root to make it available over the network to administrators.
In general, Microsoft recommends that you do not modify these special shares. However, if your organization has specific security requirements to remove these default folder shares and to prevent the operating system from automatically creating them, you can perform the following procedure by using the Registry Editor.
Caution If you use the Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using the Registry Editor incorrectly. Use the Registry Editor at your own risk.
To remove administrative shares and prevent automatically creating them in Windows
1. Click Start, click Run, and then in the Open box, type regedit and press ENTER.
2. If you receive a User Account Control warning, click Continue.
3. Locate, and then click the following registry key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer
   Note If the registry key is not listed, add it manually. AutoShareServer must be set as type REG_DWORD. When you set the value of this key to 0 (zero), Windows Server 2008 does not automatically create administrative shares. This does not apply to the IPC$ share or shares that you create manually.
4. On the Edit menu, click Modify, and then in the Value data box, type 0, and click OK.
5. Quit the Registry Editor.
6. Click Start, and then click Run.
7. In the Open box, type cmd and then click OK.
8. At the command prompt, type the following lines, and press ENTER after each line:
   net stop server
   net start server
9. Type exit and then press ENTER.
Note If you use the user interface to stop the administrative shares and do not modify the registry, the shares will start again once you restart the Server service or if the server is reset.
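The signing policy and the administrative-share setting described above are both stored under the LanmanServer\Parameters registry key, so they can be audited together. The following read-only PowerShell check is an added example, not part of the original guide. It assumes an elevated local session on the file server; the helper name Get-DwordOrNull is hypothetical, and the RequireSecuritySignature value name and the Win32_Share type code come from Windows rather than from this page.

```powershell
# Added example: read-only audit of two checklist items. Changes nothing.
# Assumption: run locally in an elevated PowerShell session on the file server.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Hypothetical helper: returns the registry value, or $null when it does not exist.
function Get-DwordOrNull([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null
}

$findings = @()

# "Microsoft network server: Digitally sign communications (always)"
# is stored as RequireSecuritySignature (1 = Enabled).
$sign = Get-DwordOrNull $params 'RequireSecuritySignature'
if ($sign -ne 1) {
    $findings += "SMB signing is not required by the server (RequireSecuritySignature=$sign)"
}

# AutoShareServer = 0 stops the Server service from recreating Admin$ and DriveLetter$.
# A missing value means the default behaviour: the shares are created.
$auto = Get-DwordOrNull $params 'AutoShareServer'
if ($auto -ne 0) {
    $findings += "Administrative shares are recreated at service start (AutoShareServer=$auto)"
}

# Win32_Share type 2147483648 = administrative disk share (Admin$, C$, D$, ...).
# IPC$ has a different type and is not affected by AutoShareServer.
$adminShares = @(Get-WmiObject -Class Win32_Share |
    Where-Object { $_.Type -eq 2147483648 })
foreach ($s in $adminShares) {
    $findings += "Administrative share present: $($s.Name) -> $($s.Path)"
}

if ($findings.Count -eq 0) { 'OK: signing required, no administrative disk shares' }
else { $findings }
```

A share that is still listed while AutoShareServer is 0 usually means the Server service has not been restarted since the registry change.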
Consider Using Encryption for Drives and Files
For environments with elevated security requirements, consider using encryption to secure the hard disk drives and data on your Windows Server 2008 computers performing the File Server role service. You can use one of two options for this on computers running Windows Server 2008 that perform the File Server role service:
Microsoft BitLocker™ Drive Encryption.
Encrypting File System (EFS).
BitLocker protects data on the server by preventing unauthorized users from breaking Windows file and system protection on lost or stolen computers. BitLocker encrypts entire volumes, including all user and system files as well as the swap and hibernation files.
For more information about how to use BitLocker to protect data on a computer running the File Server role service, see Windows BitLocker Drive Encryption.
EFS enables you to encrypt files stored on volumes that use the NTFS file system. EFS is integrated with NTFS, is easy to manage, and is difficult to attack. EFS enhancements in Windows Vista® and Windows Server 2008 include improvements in manageability and support for storing encryption keys on smart cards.
For more information about how to use EFS to protect data on your computer running the File Server role service, see Encrypting File System.