Hardened Server Platform
ID-Synch® is a security application. It can and should be installed on the most secure server platform possible.
Basic precautions
Some of the most effective security measures are common sense:
- Use a single-purpose server for ID-Synch. Sharing this server
with other applications introduces more complexity and more
administrators, each of which carries its own incremental risk.
- Use strong passwords for every administrative account on the server.
- Maintain a current, well-patched operating system on the ID-Synch
server. This eliminates well-known bugs that have already been
addressed by the vendor (Microsoft).
- Keep the ID-Synch server in a physically secure location.
- Do not leave a login session open and unattended on the
ID-Synch server's console.
- Place the ID-Synch server on your internal network, rather
than on the Internet, if this is at all possible in your
environment.
To make ID-Synch available to the Extranet, use a reverse web proxy.
Operating system
The first step in configuring a secure ID-Synch server is to harden its operating system.
Hitachi ID suggests that ID-Synch be installed on the Windows 2000/2003 server operating system. The following are suggestions on how to lock down this operating system.
Securing the server setup
Since the ID-Synch server contains (encrypted) sensitive information, it makes sense to limit the number of users who can access its files.
Domain membership
One way to limit the number of users who can access the ID-Synch server is to remove it from any Windows NT or Active Directory domains. Since the ID-Synch server will not be a member of any domain, this reduces the risk of a security intrusion in the domain being leveraged to gain unauthorized access to the ID-Synch server.
Accounts
The ID-Synch setup program creates one local user on the ID-Synch server, called psadmin.The account is, by default, a member of the Administrators group. It is the only account needed by ID-Synch. We recommend removing unused accounts, leaving just:
- psadmin - The ID-Synch service account.
- One account to be used by the ID-Synch administrator to manage the
server.
Note: use the DENY NETWORK LOGON feature in the local security policy to protect the Administrator account from remote access attempts using brute force password attacks.
If you must have other accounts on the ID-Synch server, then:
- Remove all guest account access to resources.
- Do not increase the default level of access for the Everyone group.
- Do not assign files/directories to the EVERYONE group.
- Limit the number of administrator-level accounts needed to manage the system.
- Remove the terminal services user account TsInternetUser if it is not needed.
Securing services
An important way to secure a server on any platform is to reduce the amount of software that it runs. This eliminates potential sources of software bugs that could be exploited to violate the server's security.
Only the following services are required on ID-Synch servers:
Service |
Notes |
| DNS Client | Required to resolve host names |
| Event Log | Core O.S. component |
| IIS Admin Service | Only required if IIS is used |
| IPSEC Policy Agent | Core O.S. component |
| Logical Disk Manager | Core O.S. component |
| Network Connections | Required to manage network interfaces |
| Plug and Play | Hardware support |
| Protected Storage | Core O.S. component |
| Remote Procedure Call (RPC) | Core O.S. component |
| Removable Storage | Required to open CD-ROM drives |
| RunAs Service | Core O.S. security component |
| Security Accounts Manager | Core O.S. security component |
| TCP/IP NetBIOS Helper Service | Only required if directly managing WinNT, Win2000 or Win2003 passwords |
| Workstation | Only required if directly managing WinNT, Win2000 or Win2003 passwords |
| World Wide Web Publishing Service | Only required if IIS is used |
All other services should be disabled unless there is some specific reason (not related to ID-Synch) to enable them.
Network and session security
Packet filtering
The ID-Synch server can also take advantage of simple packet filtering services in Windows 2000/2003, to block all inbound connections other than those to the web service, as shown in the figure below:
Open ports are an exploitable means of system entry. By limiting the number of open ports, you effectively reduce the number of potential entry points into the server. Typically only port 443 needs to be open before ID-Synch is installed.
The process table on the same server looks like this:
Note: VMWare entries reflect the fact that this sample was taken from a VMWare virtual PC.
This server was running with just the mandatory services described earlier.
Harden the IP stack
Enable the following TCP/IP registry settings as shown below to make the ID-Synch server resistant to denial of service (DOS) attacks:
-
HKLM\System\CurrentControlSet\Services \Tcpip\Parameters\SynAttackProtectType: REG_DWORD
Value: 1 - reduced re-transmission retries and delayed RCE (route cache entry) creation of the TcpMaxHalfOpen and TcpMaxOpenRetried settings are satisfied (see below). -
HKLM\System\CurrentControlSet\Services \Tcpip\Parameters\TcpMaxHalfOpenType: REG_DWORD
Value: 100 - for Windows 2000 Professional or Server Value: 500 - for Windows 2000 Advanced Server -
HKLM\System\CurrentControlSet\Services \Tcpip\Parameters\TcpMaxHalfOpenRetriedType: REG_DWORD
Value: 80 - for Windows 2000 Professional or Server Value: 400 - for Windows 2000 Advanced Server -
HKLM\System\CurrentControlSet\Services \Tcpip\Parameters\TcpMaxPortsExhaustedType: REG_DWORD
Value: 5
The following keys, not present on a default Windows server installation, are also helpful to protect against a variety of attacks against the IP stack:
-
HKLM\System\CurrentControlSet\Services \AFD\Parameters\EnableDynamicBacklogType: REG_DWORD
Value: 1 -
HKLM\System\CurrentControlSet\Services \AFD\Parameters\MinimumDynamicBacklogType: REG_DWORD
Value: 20 -
HKLM\System\CurrentControlSet\Services \AFD\Parameters\MaximumDynamicBacklogType: REG_DWORD
Value: 5000 -
HKLM\System\CurrentControlSet\Services \AFD\Parameters\DynamicBacklogGrowthDeltaType: REG_DWORD
Value: 20 -
HKLM\System\CurrentControlSet\Services \Tcpip\Parameters\EnableDeadGWDetectType: REG_DWORD
Value: 0 -
HKLM\System\CurrentControlSet\Services \Tcpip\Parameters\KeepAliveTimeType: REG_DWORD
Value: 300,000 -
HKLM\System\CurrentControlSet\Services \Tcpip\Parameters\PerformRouterDiscoveryType: REG_DWORD
Value: 0 -
HKLM\System\CurrentControlSet\Services \Tcpip\Parameters\EnableICMPRedirectsType: REG_DWORD
Value: 0 -
HKLM\System\CurrentControlSet\Services \Tcpip\Parameters\DisableIPSourceRoutingType: REG_DWORD
Value: 2
Web server
The web server is a required component since it provides all user interface modules. It should therefore be carefully protected.
Since ID-Synch does not require any web server functionality beyond the ability to serve static documents (HTML, images) and to execute self-contained CGI executable programs, all non-essential web server content should be removed.
Several web servers are commonly available for Windows servers, including Apache, IIS, Sun ONE and more. Most Hitachi ID customers use Apache or IIS.
Apache
The Apache server is recommended, as it is well supported and has had a very good security track record.
If you select Apache, you can harden it by:
- Denying access from all clients except those coming from
the internal domain. Do this by using the Allow,
Deny directives for the ID-Synch virtual directories.
- Ensuring that you use only Apache modules that are needed by
ID-Synch. For example, you do not need modules for PERL, PHP
or any other scripting languages. Read through the Apache
configuration file and disable LoadModule directives
by deleting or commenting them out in httpd.conf.
- Moving the DocumentRoot to a different drive than your system disk (e.g., if your WINNT directory is on C:, then move DocumentRoot to D:).
IIS (Internet Information Server)
IIS is more than a web server - it is also an FTP server, indexing server, proxy for database applications and a server for active content / applications.
If you run ID-Synch on IIS, you should disable most of these features, as a bug in any of them would represent a security risk.
Lock down IIS as follows:
Use separate NTFS partitions
Create two separate NTFS partitions - one for the operating system and one for IIS. This will separate most of the operating system files from the application files, allowing a more controlled distribution of permission sets.
Remove non-essential web server content
As stated previously, ID-Synch only requires the web server to serve static documents (HTML, images) and to execute self-contained CGI executable programs, which means all non-essential web server content should be removed. This means removing IISAdmin, Printers, Scripts and similar folders, as shown in the figure below:
The web server's scripting, indexing and data access subsystems should likewise be removed as shown in the figure below:
Remove RDS registry keys
As an extra precaution, remote data services (RDS) should be disabled by removing the following registry keys:
-
HKLM\System\CurrentControlSet\Services \W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory -
HKLM\System\CurrentControlSet\Services \W3SVC\Parameters\ADCLaunch\AdvancedDataFactory -
HKLM\System\CurrentControlSet\Services \W3SVC\Parameters\ADCLaunch\BusObj.VbBusObjCls
Remove ODBC drivers
All ODBC drivers that are not required should also be disabled because they can introduce possible security concerns for IIS. To disable the ODBC drivers, remove the data sources manually and add this entry to the registry:
-
HKLM\Software\Microsoft\Jet\4.0\engines\SandBoxMode = 3
The above registry entry will ensure that no cmd.exe commands can be chained with ODBC queries.
Consult the Microsoft Knowledge Base for more information:
http://support.microsoft.com/support/kb/articles/Q239/1/04.asp
Restrict IUSR and IWAM account permissions
The IUSR account is created during the IIS installation and provides the mechanism that allows web clients to access the web server anonymously. The IWAM account is used to start out-of-process web applications in IIS. Do not add these accounts to a privileged group such as Administrators. Delete these accounts if possible as ID-Synch does not use them.
Service packs
Install the latest service packs, as these frequently include security patches and updates.
We recommend that to be notified of the latest Microsoft security upgrades, you subscribe to the Microsoft's security bulletin at:
http://www.microsoft.com/technet/security/bulletin/notify.asp
Equally important to installing the latest service pack is testing the service pack installation before deployment on a production platform. This will ensure there are no adverse affects on ID-Synch.
Communication defenses
ID-Synch sends and receives sensitive data over the network. Its communications include user passwords, administrator credentials and personal user information. These are all valuable assets that must be defended.
A basic defense against packet sniffers and similar attacks is to ensure that ID-Synch can only be accessed over HTTPS.
Physical security
ID-Synch servers should be physically protected, since any logical security measures can be bypassed by an intruder with physical access to the server, time and skill.
Suggestions for physically securing the ID-Synch server include:
- Location and access
Put the ID-Synch server(s) in a locked and secured room. Restrict access to authorized personnel only. Access should be logged.
- Power
Protect the ID-Synch server with uninterruptable power sources (UPS). UPS equipment will protect the server from temporary power loss that could cause a server crash or corruption of critical user files.
- Removable media
Restrict the boot process so it is more difficult for intruders to circumvent Windows 2000/2003 security by booting from floppy disks or a CD-ROM. Specifically, use a BIOS-level password, disable boot from a floppy drive or CD-ROM drive and lock the system BIOS to prevent unauthorized changes to the BIOS configuration.