Hardening IAS Server for Windows 2003 Security Guide

Overview

This chapter provides information about working with Microsoft? Windows Server? Recommendations and resources for security hardening on Internet Authentication Service (IAS) servers above 2003. IAS is a Remote Authentication Dial-In User Service (RADIUS) server that implements the functions of user authentication, authorization, and centralized management of accounts. IAS can be used to authenticate users in Windows Server 2003, Windows NT 4.0, or the Windows 2000 domain controller database. IAS supports a variety of network access servers (NAS), including Routing and Remote Access (RRAS).

The RADIUS concealment mechanism encrypts the user's password and other attributes using the shared ciphertext radius, Request authenticator, and the MD5 hash algorithm, such as the tunnel password (tunnel–password) and ms–chap–mppe– Keys. RFC 2865 identifies the potential need for users to assess environmental threats and determine whether additional security should be used.

You can provide more protection for hidden attributes by taking advantage of the ESP (Encapsulating Security Payload) and an encryption algorithm (for example, 3DES), while providing data confidentiality for all RADIUS messages.

Windows Server 2003 to have a secure default configuration at the time of release. To improve the ease of use of this chapter, only the settings that are not modified by the Member Server Baseline Policy (MSBP) are described here. For more information on the MSBP settings, see Chapter 3rd, "Creating a Member Server Baseline." For information on all default settings, see the sister article "Threats and Countermeasures: Windows Server 2003 and Windows XP security Settings" in this guide.

Note: The setup requirements for the IAS server role are tested only in the Enterprise customer (Enterprise client) environment. Therefore, this guide does not include information about IPSec filters and Dos attacks that are provided by most other server roles in this guidance.

Audit Policy settings

The audit policy settings for the IAS server are configured through the MSBP in the three environments defined in this guidance. To learn more about the MSBP, see Chapter 3rd, "Creating a Member Server Baseline." The MSBP setting ensures that all security-related information can be logged on all IAS servers.

User Rights Assignment

The user rights assignments of the IAS servers are also configured via the MSBP in the three environments defined in this guidance. To learn more about the MSBP, see Chapter 3rd, "Creating a Member Server Baseline." The MSBP settings ensure that the enterprise is able to properly configure IAS access.

Security options

The security option settings for the IAS server are also configured via the MSBP in the three environments defined in this guidance. To learn more about the MSBP, see Chapter 3rd, "Creating a Member Server Baseline." The MSBP settings ensure that the enterprise can configure secure access to the IAS servers in a unified configuration.

Event Log

In the three environments defined in this guidance, the event log settings for the IAS server are configured via the MSBP. To learn more about the MSBP, see Chapter 3rd, "Creating a Member Server Baseline."

System Services

Any service or application is a potential point of attack, so any unnecessary service or executable file should be disabled or deleted. In the MSBP, these optional services, as well as any other unnecessary services, will be disabled.

Therefore, the recommendations in this guide regarding the role of the IAS server may not apply to your environment. Adjust the recommendations of these IAS server group policies to meet your organization's needs, as appropriate to your actual needs.

IAS services

Table 9.1: Setting
　　
Service Name member server default Enterprise Client

IAS does not install automatic
　　
The IAS service setting implements an IETF standard for RADIUS protocols that allows heterogeneous network access to devices. Disabling this setting causes authentication requests to not reach the standby IAS server, and users will not be able to connect to the network without an alternate IAS server. Disabling the service will also invalidate any services that explicitly depend on it.

Setting up the IAS service is the work that the IAS server role must perform. You can use Group Policy to protect and set the startup mode of the service to grant the server administrator unique access to this setting, and therefore to prevent the service from being configured or manipulated by unauthorized or malicious users. Group Policy can also prevent administrators from inadvertently disabling the service.

Additional Security settings

Security settings applied through the MSBP greatly improve the security of the IAS servers. However, we should also consider other matters. Some steps cannot be accomplished through Group Policy, but should be done manually on all IAS servers.

Security of well-known accounts protected

Windows Server 2003 has many built-in accounts that cannot be deleted, but can be renamed. The most common two built-in accounts in Windows 2003 are the guest and Administrator accounts.

On member servers and domain controllers, the Guest account defaults to disabled status. You should not change this setting. The built-in Administrator account should be renamed and its description should be changed to prevent an attacker from destroying a remote server through that account.

Many variants of malicious code attempt to use the built-in Administrator account to destroy a single server. In recent years, the significance of these renaming configurations has been greatly reduced because there are a number of new attack tools that attempt to encroach on the server by specifying the security identity (SID) of the built-in Administrator account to determine the real name of the account. SIDs are the only values that determine each user, group, computer account, and logon session in the network. It is not possible to change the SID of a built-in account. By changing the local administrator account to a special name, you can easily monitor attack attempts on that account.

Securing the well-known accounts on the IAS server

1. Rename the Administrator and Guest accounts, and change the password on each domain and server to a long and complex value.

2. Use a different name and password on each server. If you use the same account name and password on all domains and servers, an attacker will have access to all other servers that have the same account name and password only if they are only accessed by a single member server.

3, modify the account default description to prevent the account is easily recognized.

4. Record these changes in a secure location.

Note: The built-in Administrator account can be renamed through Group Policy. Because you must choose a unique name for your environment, these settings are not configured in any of the security templates provided in this guide. In the three environments defined in this guidance, you can configure the account: Rename administrator account setting to rename the Administrator account. This setting is part of the security option settings in Group Policy.

Secure the service Account

Do not configure the service to run in the security context of the domain account unless absolutely necessary. If the physical security of the server is compromised, the domain account password can easily be obtained by dumping the Local Security Authority (LSA) secret.

Summarize

This chapter explains the server hardening settings that you must follow to protect IAS server security in the Enterprise Client environment defined in this guidance. These settings may also apply in other environments defined in this guidance, but are not tested or validated. The settings we discuss are configured and applied through Group Policy. Based on the services provided by these servers, you can link the Group Policy object (GPO) that can provide useful supplements to the MSBP to the organizational unit (OU) that contains the IAS servers in your organization to provide additional security.