Security Best Practices For NFuse/CSG & STA

This section highlights the security considerations that need to be addressed in a CSG environment with respect to the NFuse and CSG implementation.
CSG Server
1. Remove Sample Code
Critical

The following directories and virtual directories should be removed if they are present:

IIS Samples: \IISSamples (c:\inetpub\iissamples)
IIS Documentation: \IISHelp (c:\winnt\help\iishelp)
Data Access: \MSADC (c:\program files\common files\system\msadc)

Apply to NFuse, CSG and STA
2. Authentication
Critical

1. Within the Microsoft Management Console (MMC), load the Security Templates and Security Configuration and Analysis snap-ins.
2. Copy the template securews and call it securews_ccs.
3. Select Local Policies\Security Options\LAN Manager Authentication Level.
4. Modify this setting to "Send NTLMv2 responses only\refuse LM & NTLM" as shown in the figure below.

Apply to NFuse and STA
3. User Account
Critical

The following settings are recommended:

Password History: 7 passwords remembered
Maximum Password Age: 180 days or less
Minimum Password Age: 1 day or more
Minimum Password Length: 8 characters
Passwords must meet complexity requirements: Enabled
Reversible Encryption: Disabled
Account Lockout Duration: 3 minutes or more
Account Lockout Threshold: 3

All unused local user accounts must be disabled. These include the following:

IUSR_SERVERNAME
Guest

Apply to NFuse, CSG and STA
4. IIS Anonymous Access User Account
Critical

1. Start Computer Management and select Local Users and Groups.
2. Select IUSR_COMPUTERNAME and disable this account.
3. Create a new account called CCS_ANON with a strong password. A strong password is at least 10 characters long and has a combination of alphanumeric characters. The password should not contain natural language words.
4. Open the Internet Information Services console.
5. Right-click Default Web Site.
6. Select the Directory Security tab.
7. Click the Edit button for Anonymous access and authentication control.
8. Repeat steps 5 through 7 for all virtual websites and subdirectories in the Internet Services Manager.
9. Uncheck Allow IIS to control password and then modify the User Name to be SERVERNAME\CCS_ANON.

Apply to NFuse and STA
5. Disable Unused Services
Critical

The following is a list of services that need to be disabled:

Application Management
Clipbook
Computer Browser
DHCP
DFS
DNS Server
Fax Service
File Replication Service
Index Service
Internet Connection Sharing
Intersite Messaging
Messenger
Net Meeting Remote Desktop Sharing
Network DDE
Network DDE DSDM
Performance Logs and Alerts
Print Spooler
QoS RSVP
Remote Access Auto Connection Manager
Remote Access Connection Manager
Remote Registry Service
RunAs Service
SMTP
Smart Card
Smart Card Helper
TCP/IP NetBIOS Helper Service
Telephony
Telnet
Terminal Services
Windows Installer
WINS

Apply to NFuse, CSG and STA
6. Remove Windows Components
Critical

1. Start Control Panel and select Add/Remove Programs.
2. Deselect all Windows Components except Internet Information Services.
3. Within the IIS options, deselect everything except Common Files, Internet Information Services Snap-In and World Wide Web Server.

Apply to NFuse, CSG and STA
7. Hotfixes and Service Packs
Critical

1. Turn off Microsoft Automatic Update.
2. Perform all critical Microsoft Updates from the Windows Update site.
8. Remove Unused File Associations
Highly Recommended

Remove the following file associations:

.printer
.htw
.ida
.idg
.cdf
.asa
.htr
.idc
.stm

Solution
1. Within Computer Management, select IIS.
2. Right-click Default Web Site.
3. Select the Home Directory tab.
4. Under Application Settings, select Configuration.
5. Remove the unused file associations listed above as depicted in the figure below.

Apply to NFuse and STA
9. IIS Security
Critical

Solution (NFuse)
1. Only the newly created CCS_ANON account needs Read/Write access to the NFuseIcons folder. All other directories should have no Execute Permissions and be set to Read Only.

Solution (STA)
1. The Scripts folder on the STA requires that the "Scripts and executables" permission be enabled in the Internet Information Server snap-in. Only the newly created CCS_ANON account needs Modify access to the Scripts folder. All other directories should have no Execute Permissions and be set to Read Only.

Apply to NFuse and STA
10. Auditing
Critical

It is essential that the following objects be audited:

Account management
Logon events
Policy change

Solution
1. Within the MMC, load the Security Templates and Security Configuration and Analysis snap-ins.
2. Copy the template securews and call it securews_ccs.
3. Select Local Policies\Audit Policy and configure as in the figure below.

Apply to NFuse, CSG and STA
NetBIOS
Critical

In an ideal configuration, the NFuse and CSG servers are located in the DMZ, with all MetaFrame servers located on the inside of the corporate network, protected by the DMZ with only certain ports opened through the DMZ.

UC Davis MC currently does not have this ideal configuration, and turning off NetBIOS on the NFuse and CSG servers will only provide a small measure of protection, since all MetaFrame servers are exposed to the Internet and have NetBIOS turned on.

Recommendation: Configure the servers to limit the information returned by NULL sessions with the next setting in this list. Refer to Information Leakage via NULL Sessions.
Information Leakage via NULL Sessions
Highly Recommended

1. Start REGEDT32.EXE.
2. Set the following registry value:
3. HKLM\System\CurrentControlSet\Control\LSA\RestrictAnonymous = 2
4. This will bar all anonymous access to NULL sessions. By setting this value to 1, the information returned is restricted.

Apply to NFuse, CSG and STA
Port Filtering
Highly Recommended

On each of the servers:
1. Right-click My Network Places.
2. Select TCP/IP and click Properties.
3. Click Advanced.
4. Select TCP/IP filtering and select Properties.
5. On the TCP Ports, select Permit Only.
6. Add the ports listed below for the server that is being configured:

SSL Port: 443
ICA Port: 1494
XML Port: 8080

Apply to NFuse, CSG and STA
Denial of Service Registry Entries
Highly Recommended

The following registry entries need to be applied to help guard against denial-of-service attacks. The numerical values below are in decimal. All keys are relative to HKLM\System\CurrentControlSet\Services.

Key                           Value                   Value Type   Parameter
Tcpip\Parameters              SynAttackProtect        REG_DWORD    2
Tcpip\Parameters              TcpMaxHalfOpen          REG_DWORD    100
Tcpip\Parameters              TcpMaxHalfOpenRetried   REG_DWORD    80
Tcpip\Parameters              EnablePMTUDiscovery     REG_DWORD    0
Tcpip\Parameters              EnableDeadGWDetect      REG_DWORD    0
Tcpip\Parameters              KeepAliveTime           REG_DWORD    300000
Tcpip\Parameters              EnableICMPRedirect      REG_DWORD    0
Tcpip\Parameters\Interfaces\  PerformRouterDiscovery  REG_DWORD    0
Netbt\Parameters              NoNameReleaseOnDemand   REG_DWORD    1

Apply to NFuse, CSG
Disable Internet Printing
Highly Recommended

This option is already configured.