EDMONDS COMMUNITY COLLEGE

WINDOWS 2003 WEB SERVER

LYNNWOODELKS13.ORG

Pam Bolton

CIS 225, Winter 2010

Web Server Technology and Security

Overview

Purpose of the LynnwoodElks13.org web server: to provide a safe environment and information about the Lynnwood Elks via the internet.

General comments:

· Do use a dedicated machine as a Web server.

If a new web site were needed:

1. Do the labs/attachments.
2. Read through the Section Content for the specific reasoning behind each step.
3. Permissions, permissions, permissions: security is very important.
4. Document, document, document precisely: user names, passwords, file locations.
5. Note the maintenance plan and disaster recovery plan; these should be integral to your new site installation.

This documentation provides:

· step-by-step instructions for setup of the web server
  o follow the labs
· security requirements
  o test & verify
  o please visit and re-visit the permissions section content
· deployment
· maintenance requirements for an active server
· 2-year plan
· Disaster recovery plan

Some of the documentation may seem a duplicate of previously stated information; this is a safeguard that all the requirements are met. The Section Content is generalized and leads to the Attachments, which provide the specific instructions. Additional information was added regarding permissions; this was obtained from Microsoft's security guidance.

The Section Content contains userids and passwords appropriate to each particular function. These should probably be secured in a different area other than this document.

If I were doing this for EDCC, the documentation would be more professional and permanent. This is the student edition.

Section Content – basically the same information in a different format than the step-by-step instructions.

Identify Hardware
Identify Software
Permissions – accounts, files, directories
Hardening
Install IIS 6.0
Web Application
FTP
SMTP & POP3
NNTP
Maintenance
2-year Audit Plan and Disaster Recovery Plan
Tasks/Log – the system administrator uses this for maintenance and logging requirements (weekly or monthly setup, including dates). A folder/clipboard (clear protector) should be maintained by the server as well, in case a challenge needs to be logged.

Attachments

Lab 1 – Creating Virtual Server
Assignment 1 – Installing PHP engine
Lab 2 – Hardening Windows 2003 Server
Lab 3 – Installing IIS
Lab 4 – Security Configuration and Analysis
Lab 5a – Advanced Web Security Configuration
Lab 5b – Advanced Web Security Configuration
Supplemental – Installing & configuring Custom 404 Errors
Lab 6 – Application Pools
Supplemental – Using ODBC Configuration
Supplemental – Disabling SMB and NetBIOS
Lab 7 – Working with FTP Servers
Lab 8 – Securing SMTP and POP3 services
Lab 9 – NNTP Services
Lab 10 – Log Files

Identify hardware – the server is physically located in Snohomish Hall, Room 124. The server is part of the EDCC network.

*just guessing on type of hardware (all hardware should have the same stats as server)

Description | Where | Attachment

Server
  Domain – sandbox.edcc.edu

Server (virtual)
  sandbox_w2k3_pamz
  username – pamz
  password – 1@fishing

Server – backup
  sandbox_w2k3_pamzbu
  username – pamz
  password – 1@fishing

Server – test environment
  sandbox_w2k3_pamztest
  username – pamz
  password – 1@fishing

Firewall
  Watchguard

Server
  · PowerEdge R210, 1-Socket, Quad-Core Entry
  · Purchased July 2009
  · Serial # JMX3RTY
  · Warranty: EDCC carries a gold plan with Dell which includes onsite & replacement maintenance for 3 years.

Router
  Cisco

SMTP & POP3 virtual server
  Name – LynnwoodElks13

NNTP virtual server

Identify software – all software that should be loaded on the virtual server. The labs set up the specific software in an orderly fashion. This documentation should include version and licensing information.

Where | Task | Attachment

McAfee
  Antivirus protection

VMware
  Server version
  c:\program files
  Attachment: Lab 1

PHP engine (5.2.12)
  General-purpose scripting language that was originally designed for web development to produce dynamic web pages
  http://us.php.net/downloads.php
  Attachment: Assignment 1

IIS – Internet Information Services
  Install components from Control Panel, Add/Remove Programs, Application Server, click on IIS
  Attachment: Lab 3

IIS 6.0 Resource Kit Tools
  Metabase Explorer tool
  C:\program files\

Self SSL 1.0
  http://www.microsoft.com/downloads/details.aspx?FamilyID=56FC92EE-A71A-4C73-B628-ADE629C89499&displaylang=en
  Attachment: Lab 5b

MBSA – Microsoft Baseline Security Analyzer
  Use MBSA to detect common security misconfigurations and missing security updates on your computer systems.
  http://technet.microsoft.com/en-us/security/cc184924.aspx
  Attachment: Lab 4

Outlook Express
  Utilized for information feeds
  Attachment: Lab

UrlScan 2.5
  Reduce the attack surface of the server
  Attachment: Lab 5b

Windows Server 2003 Enterprise Edition
  Attachment: Lab 1

Windows Server 2003 Security Guide
  This technical guidance provides information about how to harden computers that run Microsoft Windows Server 2003 with Service Pack 1 (SP1).
  http://www.microsoft.com/downloads/details.aspx?familyid=8A2643C1-0685-4D89-B655-521EA6C7B4DB&displaylang=en
  Attachment: Lab 4

Security Compliance Management Toolkit
  Provides recommendations for hundreds of Group Policy security settings designed to assist customers in making the environments of their organizations more secure
  http://www.microsoft.com/downloads/details.aspx?FamilyID=5534bee1-3cad-4bf0-b92b-a8e545573a3e&displaylang=en
  Attachment: Lab 4

Permissions – access to accounts, files, directories (Enforce strong authentication)

Where | Task | Attachment

Accounts
  Administrator: userid pamz, password 11@fishing
  Other: userid cis225, password N0th1ngSpec1al

MMC – Microsoft Management Console
  · Launched from the command line: Start, Run
  · Use Add/Remove Snap-ins
  · Utilized to grant users access

General Info (each bullet should be checked for validity prior to deployment)
  · Administrator account is renamed and has a strong password.
  · Establish user account.
  · Disable Guest account.
  · Do NOT disable IUSR_Guest.
  · Unused accounts are removed from the server.
  · Verify IUSR_Class_XXX has read & execute.
  · IUSR_MACHINE account is disabled if it is not used by the application.
  · If your applications require anonymous access, a custom least-privileged anonymous account is created.
  · The anonymous account does not have write access to Web content directories and cannot execute command-line tools.
  · ASP.NET process account is configured for least privilege. (This only applies if you are not using the default ASPNET account, which is a least-privileged account.)
  · Remote logons are restricted. (The "Access this computer from the network" user right is removed from the Everyone group.)
  · Null sessions (anonymous logons) are disabled.
  · Policy procedures should be in place from EDCC:
    o Accounts are not shared among administrators.
    o Approval is required for account delegation.
  · No more than two accounts exist in the Administrators group.
  · Users and administrators do not share accounts.
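Several items in the checklist above can be spot-checked from an elevated PowerShell prompt on the server (PowerShell is an add-on install on Windows Server 2003). This is an added read-only audit script, not part of the labs; it assumes the anonymous IIS account follows the IIS 6 default name IUSR_<COMPUTERNAME> and reads the two LSA RestrictAnonymous registry values as the "null sessions" check.

```powershell
# Added read-only audit of the account checklist (not from the original labs).
# Uses the ADSI WinNT provider, so it runs on Windows Server 2003 with
# PowerShell 1.0/2.0.  Assumption: the anonymous IIS account is IUSR_<COMPUTERNAME>.
$ADS_UF_ACCOUNTDISABLE = 0x2
$computerName = $env:COMPUTERNAME
$computer = [ADSI]"WinNT://$computerName"
$findings = @()

# Local user accounts: name, disabled flag and SID.  RID 500 is the built-in
# Administrator even after it has been renamed, so the SID, not the name, tells us.
$users = $computer.psbase.Children | Where-Object { $_.psbase.SchemaClassName -eq 'user' }
foreach ($u in $users) {
    $name     = [string]$u.Name
    $disabled = ([int]$u.UserFlags.Value -band $ADS_UF_ACCOUNTDISABLE) -ne 0
    $sid      = (New-Object System.Security.Principal.SecurityIdentifier($u.objectSid.Value, 0)).Value
    if ($sid.EndsWith('-500') -and $name -eq 'Administrator') {
        $findings += 'FAIL  built-in Administrator (RID 500) has not been renamed'
    }
    if ($name -eq 'Guest' -and -not $disabled) {
        $findings += 'FAIL  Guest account is enabled'
    }
    if ($name -eq "IUSR_$computerName") {
        $state = 'ENABLED'; if ($disabled) { $state = 'disabled' }
        $findings += "INFO  $name is $state (disable it unless the application uses it)"
    }
}

# Administrators group membership: the checklist allows at most two accounts.
$adminGroup   = [ADSI]"WinNT://$computerName/Administrators,group"
$adminMembers = @($adminGroup.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
$memberList = [string]::Join(', ', $adminMembers)
if ($adminMembers.Count -gt 2) {
    $findings += ('FAIL  Administrators group has {0} members: {1}' -f $adminMembers.Count, $memberList)
} else {
    $findings += ('PASS  Administrators group members: {0}' -f $memberList)
}

# Null sessions: RestrictAnonymous=1 and RestrictAnonymousSAM=1 under the LSA key
# block anonymous enumeration of shares and accounts.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
foreach ($valueName in 'RestrictAnonymous', 'RestrictAnonymousSAM') {
    $value = $lsa.$valueName
    if ($value -ge 1) { $findings += "PASS  $valueName = $value" }
    else              { $findings += "FAIL  $valueName = $value (expected 1)" }
}

$findings
```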

Group Policy Object Editor
  · Set up Password Policy
  · (EDCC should have a password policy)
  Attachment: Lab 2, page 1-2

Metabase
  · The metabase is a repository for most Internet Information Services (IIS) configuration values. It is used to configure IIS rather than editing the registry directly.
  · Access to the metabase is restricted by using NTFS permissions (%systemroot%\system32\inetsrv\metabase.bin).

Registry
  · Remote registry access is restricted.

FTP
  · Remote administration of the server is secured and configured for encryption, low session time-outs, and account lockouts.
  Attachment: Lab 7

Port access
  · Internet-facing interfaces are restricted to port 80 (and 443 if SSL is used).
  · Intranet traffic is encrypted (for example, with SSL) or restricted if you do not have a secure data center infrastructure.
  Attachment: Supplemental – SMB & NetBIOS

C:\inetpub\wwwroot
  · Permission should be read & execute
  Attachment: Assignment 1

Script mapping
  · Extensions not used by the application are mapped to 404.dll (.idq, .htw, .ida, .shtml, .shtm, .stm, .idc, .htr, .printer).
  · Unnecessary ASP.NET file type extensions are mapped to "HttpForbiddenHandler" in Machine.config.

ISAPI filter
  · Unnecessary or unused ISAPI filters are removed from the server.

Machine.config
  · Protected resources are mapped to HttpForbiddenHandler
  · Unused HttpModules are removed
  · Tracing is disabled: <trace enable="false"/>
  · Debug compiles are turned off: <compilation debug="false" explicit="true" defaultLanguage="vb">

Code Access Security
  · Code access security is enabled on the server.
  · All permissions have been removed from the local intranet zone.
  · All permissions have been removed from the Internet zone.

Sites & Virtual Directories
  · Web sites are located on a non-system partition.
  · "Parent paths" setting is disabled.
  · Potentially dangerous virtual directories, including IISSamples, IISAdmin, IISHelp, and Scripts virtual directories, are removed.
  · Include directories do not have Read Web permission.
  · Virtual directories that allow anonymous access restrict Write and Execute Web permissions for the anonymous account.
  · There is script source access only on folders that support content authoring.
  · There is write access only on folders that support content authoring, and these folders are configured for authentication (and SSL encryption, if required).
  · FrontPage Server Extensions (FPSE) are removed.
  Attachment: Lab 5a

IWA authentication
  · Use in intranets where all the clients are within a single domain
  · user name – ER (full name – Exalted Ruler)
  · password – 2117Er2010

Anonymous & Basic authentication
  · Utilizing your EDCC security policies, plan the setup for the server
  Attachment: Lab 5a

Hardening/securing web server

Description | Task | Attachment

Static IP address for virtual machine
  IP address – 10.1.12.213
  Subnet Mask – 255.255.255.0
  Default Gateway – 10.1.12.251
  DNS – 10.1.12.251
  Attachment: Lab 2, page 1

Install McAfee
  Virus protection
  Attachment: Lab 2, page 3

Disable Services
  Unnecessary Windows services are disabled:
  · Alerter
  · Application Management
  · ClipBook
  · DHCP Client
  · DHCP Server
  · DNS Server
  · File Replication
  · IMAPI CD-Burning COM Service
  · Intersite Messaging
  · Messenger
  · MS Software Shadow Copy Provider
  · Portable Media Serial Number Service
  · Print Spooler
  · Remote Registry
  · Secondary Logon
  · Telephony
  · Themes
  · Upload Manager
  · Windows Media Services
  · Wireless Configuration (WZCSVC)
  Attachment: Lab 2, page 4
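The service list above can be applied and verified in one pass from an elevated PowerShell prompt. This is an added script, not Lab 2's own steps; the names are the Windows Server 2003 display names and are assumed to match this server, and anything not installed (for example DHCP Server, DNS Server or Windows Media Services on a plain web server) is reported rather than treated as an error.

```powershell
# Added hardening script (not the lab's own steps): disable and stop the services
# listed in the Hardening section.  Display names are assumed to match this
# server; run elevated and re-check with Get-Service after the next reboot.
$displayNames = @(
    'Alerter', 'Application Management', 'ClipBook', 'DHCP Client', 'DHCP Server',
    'DNS Server', 'File Replication', 'IMAPI CD-Burning COM Service',
    'Intersite Messaging', 'Messenger', 'MS Software Shadow Copy Provider',
    'Portable Media Serial Number Service', 'Print Spooler', 'Remote Registry',
    'Secondary Logon', 'Telephony', 'Themes', 'Upload Manager',
    'Windows Media Services', 'Wireless Configuration'
)
# Note: DHCP Client also performs dynamic DNS registration; with a static IP that
# is acceptable only when the server's DNS records are maintained by hand.

$installed = Get-Service
foreach ($displayName in $displayNames) {
    $svc = $installed | Where-Object { $_.DisplayName -eq $displayName }
    if ($svc -eq $null) {
        Write-Host ('not installed  : {0}' -f $displayName)
        continue
    }
    # Set the start type first so nothing can restart the service later, then
    # stop it; -Force also stops services that depend on it.
    Set-Service -Name $svc.Name -StartupType Disabled
    if ($svc.Status -eq 'Running') {
        Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
    }
    # Verify from WMI: StartMode must read Disabled and State should be Stopped.
    $wmi = Get-WmiObject -Class Win32_Service -Filter ("Name='{0}'" -f $svc.Name)
    Write-Host ('{0,-8} {1,-8} {2} ({3})' -f $wmi.StartMode, $wmi.State, $displayName, $svc.Name)
}
```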

FTP, SMTP, NNTP and Telnet
  FTP, SMTP, and NNTP services are disabled if they are not required. Telnet service is disabled.
  Attachment: Lab 7a, Lab 8, Lab 9

Patches and updates
  Patches and updates will be addressed in the Maintenance section.
  Usage of MBSA and/or automatic notification

ASP.NET state service
  ASP.NET state service is disabled and is not used by your applications.

IIS 6.0

Description | Task | Attachment

Install IIS
  Attachment: Lab 3

UrlScan
  · URLScan is installed and configured. It improves security and reduces the attack surface of web servers running earlier versions of IIS, primarily against Denial of Service attacks.
  · Set up urlscan.ini – the rules that allow only certain requests to be processed
  · C:\windows\system32\inetsrv\urlscan
  Attachment: Lab 5b

IIS banner information
  IIS banner information is restricted (IP address in content location disabled).

Basic Services
  · World Wide Web Publishing Service
    o Active Server Pages
    o Server Side Includes
    o World Wide Web Service
  · FTP Service
  · SMTP Service
  · NNTP Service
  · IIS Admin Service
  Attachment: Lab 3

Create certificate
  · Certificates are used for their intended purpose (for example, the server certificate is not used for e-mail)
  · Common name – lynnwoodelks13.org
  · Site id – 934242787
  · Valid for 90 days
  · At cmd, selfssl.exe /? (to see options)
  Attachment: Lab 5b
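As an added example (not Lab 5b's own steps), the SelfSSL command that matches the values above, followed by a check of the machine certificate store that computes the renewal date so it can go on the maintenance calendar. It assumes selfssl.exe from the IIS 6.0 Resource Kit is on the PATH; the 14-day reminder window is an arbitrary choice for this example.

```powershell
# Added example, not the lab's own steps: issue the site certificate with SelfSSL
# (IIS 6.0 Resource Kit, assumed to be on the PATH) using the values documented
# above, then read it back from the machine store to compute the renewal date.
$commonName = 'lynnwoodelks13.org'
$siteId     = 934242787
$validDays  = 90
$warnDays   = 14    # reminder window, an arbitrary choice for this example

# /N subject, /V validity in days, /S IIS site id to bind, /T also place the
# certificate in the local Trusted Root store.  SelfSSL asks before replacing
# the site's existing SSL settings.
& selfssl.exe "/N:CN=$commonName" "/V:$validDays" "/S:$siteId" /T

function Get-SiteCertStatus {
    param([string]$Name, [int]$WarnDays)
    $certs = @(Get-ChildItem cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Name" } |
        Sort-Object NotAfter -Descending)
    if ($certs.Count -eq 0) { return "MISSING  no certificate for CN=$Name in LocalMachine\My" }
    $cert = $certs[0]                      # newest one is the live certificate
    $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    if ($daysLeft -lt 0)             { $state = 'EXPIRED' }
    elseif ($daysLeft -le $WarnDays) { $state = 'RENEW' }
    else                             { $state = 'OK' }
    return ('{0,-8} CN={1} expires {2:yyyy-MM-dd} ({3} days left) thumbprint {4}' -f
            $state, $Name, $cert.NotAfter, $daysLeft, $cert.Thumbprint)
}

Get-SiteCertStatus -Name $commonName -WarnDays $warnDays
```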

Application pool
  · set up in MMC
  · isolate one web site from another
  Attachment: Lab 6

ODBC – Open Database Connectivity
  · web developers use it to connect the website to the database
  · credentials are needed to access the database.
  Attachment: supplemental

Disable SMB & NetBIOS
  · Reduce attacks against internet-facing ports
  · NetBIOS and SMB are disabled (closes ports 137, 138, 139, and 445)
  Attachment: supplemental

WebDAV
  WebDAV is disabled if not used by the application, OR it is secured if it is required.
  Web-based Distributed Authoring and Versioning, or WebDAV, is a set of extensions to the Hypertext Transfer Protocol (HTTP) that allows computer users to edit and manage files collaboratively on a remote World Wide Web server.

Web Application

Description | Task | Attachment

Install Web Application
  Moved to a more secure location: C:\webpublishing
  Attachment: Lab 5a

Default web site
  IP address – 127.0.0.1
  Host name – lynnwoodelks13.org

Hosts File
  · The mappings of IP addresses to host names.
  · Used to block ads, banners, 3rd-party cookies, 3rd-party page counters, web bugs, and even most hijackers.
  · %systemroot%\system32\drivers\etc\hosts
  Attachment: Lab 5b

LynnwoodElks13.org
  Set up authentication
  Attachment: Lab 5a

FTP (file transfer protocol)

Description | Task | Attachment

Install through Add/Remove Windows Components
  · Description – Lynnwood Elks' FTP site
  · IP address – 10.1.12.213
  · TCP port setting – 21
  IP address – 10.1.12.213
  Mailbox name is ER@lynnwoodelks13
  c:\LynnwoodElksMail\mailbox
  Attachment: Lab 7

SMTP & POP3

Description | Task | Attachment

Install SMTP & POP3
  IP address – 10.1.12.213
  Mailbox name is ER@lynnwoodelks13.com
  c:\LynnwoodElksMail\mailbox
  Attachment: Lab 8

NNTP

Description | Task | Attachment

Install NNTP
  NOT really setting up
  IP address – 10.1.12.213
  Port – 119
  C:\inetpub\nntpfile
  Attachment: Lab 9

Configure
  Newsgroup subtree

Maintenance – utilize & maintain the TASKS/LOG form

Description | Task | Attachment

MBSA
  MBSA is run at a regular interval to check for the latest operating system and component updates.

Updates & patches
  The latest updates and patches are applied for Windows, the IIS server, and the .NET Framework. (These are tested on development servers prior to deployment on the production servers.)

Set up test scenario
  See Tasks/Log for daily, weekly, monthly scenarios

Backup
  Create a procedure for backup.

Audit
  · Failed logon attempts are audited.
  · Event Viewer
    o System
    o Application
    o Security
  · HTTP API error

UrlScan & Custom errors
  Set up UrlScan
  Attachment: Lab 5b, supplemental

Certificate
  Should have a renewal time – put it on the calendar

Logging
  · IIS is configured for W3C Extended log file format auditing.
  · IIS log files are relocated and secured.
  · Log files are configured with an appropriate size depending on the application security requirement.
  · Log files are regularly archived and analyzed.
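The "archived and analyzed" step above is the one that rarely gets written down. As an added example (not part of Lab 10 or the original page), the PowerShell below reads an IIS 6.0 W3C Extended log using its #Fields: directive, then reports request counts by status code, 401 responses per client (failed web logons, which complement the Security event log audit), and any request for one of the extensions the Permissions section maps to 404.dll. The log lines are constructed for the example; point $lines at a real relocated log file with Get-Content.

```powershell
# Added example (not from the original page): summarize an IIS 6.0 W3C Extended
# log.  The sample is constructed; for a real file use, for example,
#   $lines = Get-Content '<relocated log folder>\ex100215.log'
$sampleLog = @"
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-02-15 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2010-02-15 08:00:01 10.1.12.213 GET /index.php - 80 - 10.1.12.50 Mozilla/4.0 200 0 0
2010-02-15 08:00:05 10.1.12.213 GET /members/ - 80 - 10.1.12.77 Mozilla/4.0 401 2 5
2010-02-15 08:00:06 10.1.12.213 GET /members/ - 80 - 10.1.12.77 Mozilla/4.0 401 1 0
2010-02-15 08:00:07 10.1.12.213 GET /members/ - 80 ER 10.1.12.77 Mozilla/4.0 200 0 0
2010-02-15 08:00:09 10.1.12.213 GET /default.ida - 80 - 192.0.2.9 - 404 0 2
2010-02-15 08:00:10 10.1.12.213 GET /scripts/ - 80 - 192.0.2.9 - 404 0 2
"@

# Extensions the Permissions section maps to 404.dll; a hit is worth a look.
$deniedExtensions = @('.idq', '.htw', '.ida', '.shtml', '.shtm', '.stm', '.idc', '.htr', '.printer')

function Read-W3CLog {
    param([string[]]$Lines)
    $fields = @(); $records = @()
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            # The directive names the columns; IIS repeats it mid-file after a config change.
            $fields = $line.Substring(8).Trim().Split(' ')
            continue
        }
        if ($line.Length -eq 0 -or $line.StartsWith('#')) { continue }
        $values = $line.Split(' ')
        if ($values.Length -ne $fields.Length) { continue }   # malformed line: skip, do not guess
        $rec = @{}
        for ($i = 0; $i -lt $fields.Length; $i++) { $rec[$fields[$i]] = $values[$i] }
        $records += $rec
    }
    return $records
}

function Get-LogReport {
    param($Records)
    $byStatus = @{}; $failedAuth = @{}; $probes = @()
    foreach ($r in $Records) {
        $byStatus[$r['sc-status']] = 1 + $byStatus[$r['sc-status']]
        if ($r['sc-status'] -eq '401') { $failedAuth[$r['c-ip']] = 1 + $failedAuth[$r['c-ip']] }
        $ext = [System.IO.Path]::GetExtension($r['cs-uri-stem'])
        if ($ext -ne '' -and $deniedExtensions -contains $ext) {
            $probes += ('{0} {1} {2} -> {3}' -f $r['time'], $r['c-ip'], $r['cs-uri-stem'], $r['sc-status'])
        }
    }
    'Requests by status:'
    $byStatus.Keys | Sort-Object | ForEach-Object { '  {0}  {1}' -f $_, $byStatus[$_] }
    'Clients with 401 responses (failed web logons):'
    $failedAuth.Keys | ForEach-Object { '  {0}  {1}' -f $_, $failedAuth[$_] }
    'Requests for extensions mapped to 404.dll:'
    $probes | ForEach-Object { '  ' + $_ }
}

$lines = $sampleLog.Replace("`r", '').Split("`n")
Get-LogReport -Records (Read-W3CLog -Lines $lines)
```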

 

 

 

 

 

Sources for security bulletins
  · technet.microsoft.com/en-us/Security
  · Subscribe to the Microsoft Security Notification Service at http://www.microsoft.com/technet/security/bulletin/notify.asp.
  · Set up Outlook Express for information feeds from multiple sites

SMTP logging
  W3C Extended Log File format
  %windir%\system32\logfiles\ – default
  C:\smtplogfiles
  Attachment: Lab 8

NNTP information
  Newsgroup – information
  Description – titled IIS_Issues
  W3C Extended Log File Format
  Attachment: Lab 9

NNTP logging
  IIS Manager – log files – you can determine what you want logged
  Tool good for –

2-year Audit Plan

Description | Task | Attachment

There should be an audit team
  The audit team should include users, programmers, web developers, administrators, and students.

This audit team would:
  · Big picture – How does this web site fit in the big picture (ex: EDCC going to Windows 7)?
  · Revisit initial needs of the web server – Are these needs being met?
  · Challenges, security policies – Any challenges or policies that need reinforcing?
  · Upgrade to Web Server 2008 – Is it time to look at upgrading? Does Server 2008 provide any enhancements that are missing or needed?

Disaster Recovery Plan

Description | Task | Attachment

Who is responsible to initiate the disaster recovery plan/procedures?
  Person or Team
  · Team's availability or policy for 24/7 work?
  · How to contact them?
  · Familiarity with the plan?
  · Who can perform the tasks?

What server and hardware are critical?
  Critical hardware
  · What hardware is critical?
  · List of server names & specifications?
  · Access to critical hardware?

What frequency and scope of backups, where are they stored, and are resources available to the Team?
  Backup storage and retrieval
  · Where are backups stored?
  · Incremental/full?
  · Determine restore point?

  Mitigating disaster impact
  · Determine how to set up servers?
  · Cost of productivity vs unavailability?