S 2.369 Regular security-relevant maintenance of a Windows Server 2003

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Administrator

Maintenance serves to preserve the value of a Windows Server 2003 system and to keep the server functional and usable for its intended purpose. Maintenance may only be performed by qualified and authorised personnel and may be a condition of a warranty. The requirements of safeguard S 2.4 Maintenance / repair regulations are to be taken into account, especially when external maintenance personnel are used.

Maintenance is performed regularly, is planned on the basis of a maintenance plan, and is generally performed outside normal operation. If the server is part of a cluster, for example a Network Load Balancing (NLB) cluster, maintenance can also be performed without interrupting normal operation, because the remaining nodes take over the load. Maintenance consists of configuration tasks, cleaning, inspection and replacement of wear parts, hardware extensions, and the elimination of minor defects. The manufacturer's specifications are to be followed (see S 2.213 Inspection and maintenance of the technical infrastructure).

Maintenance is also the occasion for eliminating known errors, implementing changes and updates, and providing new functions and applications through hardware and software extensions. Extensions may only be implemented after adequate testing and after the change has been authorised. All changes to the server are to be documented.

Maintenance requirements and the performance of maintenance are to be co-ordinated (see module M 1.9 Hardware and software management) and documented (safeguard S 2.34 Documentation on changes made to an existing IT system) by the person responsible for maintenance, which is usually the administrator of the server.

Preparing for maintenance

The areas to be covered by maintenance should be identified based on the subconcepts for the roles and components of the server. For aspects relating to maintenance, consult the corresponding IT-Grundschutz safeguards. Starting points for other aspects relating to maintenance in a variety of application scenarios can be found in the Microsoft Operations Framework (MOF) documentation library for Windows Server 2003.

Certain maintenance-relevant system properties can only be observed during normal operation. The corresponding information must therefore be collected in advance using System Monitor, Network Monitor, Task Manager, and the role-specific consoles, and taken into account when planning the maintenance. Particular attention is to be paid to page faults in connection with the paging file and to the resource utilisation of individual processes (see S 2.365 Planning of system monitoring under Windows Server 2003).

In the Enterprise and Datacenter editions, the Windows System Resource Manager (WSRM) can be used to define and enforce policies for the CPU and memory utilisation of applications, processes, and services.

A record of the maintenance steps performed, with the date and the person responsible, should be kept. After maintenance, the record is to be retained so that any irregularities can be traced later, for example when evaluating the logs in the Event Viewer.

The System log in the Event Viewer is to be checked for errors and warnings. For each type of error or warning event found, the risk it poses to the secure operation of the server must be assessed.

If maintenance tasks are expected to generate a high number of certain event types, this should be announced in advance so that they do not trigger false alarms. This may also apply to other logs affected by the maintenance tasks.
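The following is an added example and not part of the original safeguard text. It shows one way to carry out the System log check described above: rather than reading error and warning entries one by one, it summarises them per event type since the previous maintenance, so that each recurring type is risk-assessed once, and it marks the types that were announced as expected noise for the maintenance window. It assumes Windows PowerShell 2.0 (available for Windows Server 2003 SP2); the date, the record directory and the list of expected event types are constructed placeholders.

```powershell
# Added example (not from S 2.369): summarise Error/Warning entries of the System
# log since the previous maintenance, one row per (Source, EventID).
# Assumes Windows PowerShell 2.0 on Windows Server 2003 SP2.
$LastMaintenance = Get-Date '2008-03-01'        # constructed: date of the previous maintenance
$RecordDir       = 'C:\Maintenance\Records'     # constructed: where maintenance records are kept

# Event types announced as expected during this maintenance window (constructed list)
$Expected = @{
    'W32Time/29' = 'time source unreachable while the network is down for maintenance'
}

$events = Get-EventLog -LogName System -EntryType Error, Warning -After $LastMaintenance

$summary = $events |
    Group-Object -Property Source, EventID |
    ForEach-Object {
        $g   = $_.Group | Sort-Object TimeGenerated
        $key = "$($g[0].Source)/$($g[0].EventID)"
        New-Object PSObject -Property @{
            Source   = $g[0].Source
            EventID  = $g[0].EventID
            Type     = $g[0].EntryType
            Count    = $_.Count
            First    = $g[0].TimeGenerated
            Last     = $g[-1].TimeGenerated
            Expected = $Expected.ContainsKey($key)
            Message  = ($g[-1].Message -split "`r?`n")[0]   # first line of the latest message
        }
    } |
    Sort-Object @{Expression='Expected'; Ascending=$true}, @{Expression='Count'; Descending=$true}

# Unexpected event types come first; these are the ones that need a risk assessment
$summary | Format-Table EventID, Source, Type, Count, First, Last, Expected -AutoSize

# File the summary with the maintenance record so it can be traced later
if (-not (Test-Path $RecordDir)) { New-Item -ItemType Directory -Path $RecordDir | Out-Null }
$summary | Export-Csv -Path (Join-Path $RecordDir "$(Get-Date -Format yyyy-MM-dd)-systemlog.csv") -NoTypeInformation
```

The exported CSV belongs with the maintenance record mentioned above; the Expected column documents which event types were announced beforehand and why.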

The server hardware can also be monitored using other tools. Many manufacturers offer their own monitoring software for their hardware that can also send and process warnings. Depending on the functionality provided, it may be possible to monitor the hard disks, the CPU fan speed, the power supply voltages, or the uninterruptible power supply. Many hard disks also have a built-in self-monitoring function (S.M.A.R.T.) that reports an impending failure early enough for the disk to be replaced before it actually fails. It must be ensured that this information is taken into account when performing maintenance (see also S 2.365 Planning of system monitoring under Windows Server 2003).

Regular maintenance

The server hardware is to be checked for completeness, and it must be ensured that it contains no components that are not permitted in the organisation. For secure operation of the server, all devices and services must operate without malfunctions; their proper operation is therefore to be checked in Computer Management (Device Manager and Services).
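As an added example, not part of the original safeguard text, the following script performs the device and service check described above from the command line: it lists devices that Device Manager would flag, compares the devices present with a documented hardware inventory, and compares the services with a documented service list. It assumes Windows PowerShell 2.0 on Windows Server 2003 SP2; the baseline directory and the two baseline files (devices.txt with one DeviceID per line, services.csv with the columns Name, StartMode, StartName) are assumptions of this example.

```powershell
# Added example (not from S 2.369): hardware and service inventory check against
# the documented state. Assumes Windows PowerShell 2.0 on Windows Server 2003 SP2.
$BaselineDir = 'C:\Maintenance\Baseline'   # assumed location of the documented inventory

# 1. Devices Device Manager would mark with a problem (ConfigManagerErrorCode 0 = working properly)
Get-WmiObject -Class Win32_PnPEntity -Filter "ConfigManagerErrorCode <> 0" |
    Select-Object Name, DeviceID, ConfigManagerErrorCode |
    Format-Table -AutoSize

# 2. Devices present now versus the documented inventory. Undocumented devices
#    must be reconciled with the organisation's rules on permitted hardware.
$present    = Get-WmiObject -Class Win32_PnPEntity | ForEach-Object { $_.DeviceID } | Sort-Object -Unique
$documented = Get-Content (Join-Path $BaselineDir 'devices.txt') | Sort-Object -Unique
Compare-Object -ReferenceObject $documented -DifferenceObject $present | ForEach-Object {
    if ($_.SideIndicator -eq '=>') { "UNDOCUMENTED device: $($_.InputObject)" }
    else                           { "MISSING device:      $($_.InputObject)" }
}

# 3. Automatically started services that are not running
Get-WmiObject -Class Win32_Service -Filter "StartMode='Auto' AND State<>'Running'" |
    Select-Object Name, DisplayName, State, StartName |
    Format-Table -AutoSize

# 4. Services versus the documented service list (Name,StartMode,StartName):
#    a new service, or a changed start mode or logon account, is a change that
#    must either be documented or reverted.
$documentedSvc = @{}
Import-Csv (Join-Path $BaselineDir 'services.csv') | ForEach-Object { $documentedSvc[$_.Name] = $_ }
Get-WmiObject -Class Win32_Service | ForEach-Object {
    $doc = $documentedSvc[$_.Name]
    if ($doc -eq $null) {
        "UNDOCUMENTED service: $($_.Name) ($($_.PathName))"
    } elseif ($doc.StartMode -ne $_.StartMode -or $doc.StartName -ne $_.StartName) {
        "CHANGED service: $($_.Name) documented $($doc.StartMode)/$($doc.StartName), found $($_.StartMode)/$($_.StartName)"
    }
}
```

The baseline files are written once from a server in its documented state and updated as part of the change documentation; the script then only reports deviations, which is what the maintenance record needs.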

The current System Properties of the server are to be compared with the documented configuration. The settings on the Advanced and Automatic Updates tabs in particular are to be examined. If security templates are used, the settings are to be checked against the current version of the template.

Patches

When performing maintenance, it must be checked whether new security patches are available for installation. The Microsoft Baseline Security Analyzer (MBSA) can be used for this. Before relying on it, check whether the MBSA detects all patches relevant to the server, and which of the patches it reports actually apply to the server. Security patches should normally be installed promptly after release.

Since individual patches may require devices, services, or even the server to be restarted before they take effect, updates should only be installed during maintenance. Any deviation from this rule, for example a critical patch that cannot wait for the next maintenance window, must be justified and documented.

Accounts and passwords

The organisation's policies for accounts and passwords also apply to the server's local accounts and to service accounts (see S 4.48 Password protection under Windows NT/2000/XP). During maintenance and integrity checks of the Windows Server 2003 system, it should also be verified that these policies and the rules of the authorisation concept are being followed. In particular, the server is to be checked for unused local accounts, blank passwords, and passwords that do not conform to the organisation's password policy; the checks built into the MBSA can be used for this. Special attention is to be paid to temporary accounts, i.e. accounts that are only intended to exist for a limited period, which must be disabled or deleted once that period has ended.
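The following added example, not part of the original safeguard text, reviews the local accounts of the server against an account and password policy using the WinNT ADSI provider that exists on Windows Server 2003, under Windows PowerShell 2.0. It reports accounts that may have a blank password (the "password not required" flag), non-expiring passwords, passwords older than the permitted age, accounts that have not logged on for a long time, and temporary accounts that are still enabled. The thresholds and the naming convention for temporary accounts are assumptions of this example; a blank password can only be proven by an actual logon attempt, which is what the MBSA check does.

```powershell
# Added example (not from S 2.369): local account review on Windows Server 2003
# via the WinNT ADSI provider. Assumes Windows PowerShell 2.0.
$MaxPasswordAgeDays = 90       # assumed: organisation's maximum password age
$UnusedDays         = 90       # assumed: account counts as unused after this many days
$TempAccountPattern = '^tmp-'  # assumed naming convention for temporary accounts

# UserFlags bits of the WinNT provider
$UF_ACCOUNTDISABLE     = 0x0002
$UF_PASSWD_NOTREQD     = 0x0020   # blank password permitted
$UF_DONT_EXPIRE_PASSWD = 0x10000

$computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
$users    = $computer.Children | Where-Object { $_.SchemaClassName -eq 'user' }

$findings = @()
foreach ($u in $users) {
    $name   = [string]$u.Name
    $flags  = [int]$u.UserFlags.Value
    $issues = @()

    if ($flags -band $UF_PASSWD_NOTREQD)     { $issues += 'password not required (blank password allowed)' }
    if ($flags -band $UF_DONT_EXPIRE_PASSWD) { $issues += 'password never expires' }

    # PasswordAge is reported in seconds
    $pwAgeDays = [int]([int]$u.PasswordAge.Value / 86400)
    if ($pwAgeDays -gt $MaxPasswordAgeDays) { $issues += "password is $pwAgeDays days old" }

    # LastLogin throws for accounts that have never logged on
    $lastLogin = $null
    try { $lastLogin = [datetime]$u.LastLogin.Value } catch { }
    if (-not ($flags -band $UF_ACCOUNTDISABLE)) {
        if ($lastLogin -eq $null) { $issues += 'enabled but never logged on' }
        elseif ($lastLogin -lt (Get-Date).AddDays(-$UnusedDays)) { $issues += "unused since $($lastLogin.ToShortDateString())" }
    }

    if ($name -match $TempAccountPattern -and -not ($flags -band $UF_ACCOUNTDISABLE)) {
        $issues += 'temporary account still enabled; check its agreed end date'
    }

    if ($issues.Count -gt 0) {
        $findings += New-Object PSObject -Property @{ Account = $name; Issues = ($issues -join '; ') }
    }
}
$findings | Format-Table Account, Issues -AutoSize
```

Every reported account is either brought into line with the policy (password changed, account disabled or deleted) or the deviation is documented with a reason, for example the built-in Guest account, which is disabled by default and will show the "password not required" flag.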

Service accounts often have extensive privileges and therefore require special protection. When the password of a service account is changed, the new password must also be entered on the Log On tab in the properties of every service that uses the account; otherwise the service will fail to start at its next logon. The affected services must be restarted for the change to take effect. If these services are needed during normal operation, such changes can only be made during maintenance (see also safeguard S 4.284 Handling of services under Windows Server 2003 and higher).
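As an added example that is not part of the original safeguard text, the following script performs the service account password change described above for all services at once, which is less error-prone than editing the Log On tab of each service by hand: it finds every service that logs on with the account, stores the new password via the Win32_Service.Change WMI method, and restarts the services that were running. It assumes Windows PowerShell 2.0 on Windows Server 2003 SP2; the account name is a placeholder and the password is read interactively so that it does not end up in a script file.

```powershell
# Added example (not from S 2.369): apply a changed service account password to
# every service using that account. Assumes Windows PowerShell 2.0 on Server 2003 SP2.
$Account     = 'CORP\svc-backup'   # placeholder: DOMAIN\user, or .\user for a local account
$NewPassword = Read-Host "New password for $Account"

# WQL string literals need the backslash escaped
$filter   = "StartName='" + $Account.Replace('\', '\\') + "'"
$services = @(Get-WmiObject -Class Win32_Service -Filter $filter)
if ($services.Count -eq 0) { throw "No service logs on as $Account" }

foreach ($svc in $services) {
    # Win32_Service.Change(DisplayName, PathName, ServiceType, ErrorControl, StartMode,
    #   DesktopInteract, StartName, StartPassword, ...): $null leaves a field unchanged
    $rc = $svc.Change($null, $null, $null, $null, $null, $null, $null, $NewPassword).ReturnValue
    if ($rc -ne 0) {
        Write-Warning "$($svc.Name): storing the new password failed (return code $rc)"
        continue
    }
    # The stored password is only used at the next logon, so a running service
    # must be restarted. A restart that fails with a logon failure means the
    # password entered does not match the account; check the System log.
    if ($svc.State -eq 'Running') {
        Restart-Service -Name $svc.Name -Force     # -Force also restarts dependent services
        $state = (Get-Service -Name $svc.Name).Status
    } else {
        $state = "not running (start mode $($svc.StartMode))"
    }
    # One line per service for the maintenance record
    "$(Get-Date -Format 'yyyy-MM-dd HH:mm')  $($svc.Name): password updated, service $state"
}
$NewPassword = $null
```

The output lines are appended to the maintenance record; services that were not running at the time are listed so that their next start, when the new password is first used, can be watched.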

Data media and databases

The data stored on the server are to be checked for unauthorised data types and unauthorised software. Deviations are to be handled according to the organisation's rules. During the check, any encrypted data that do not meet the organisation's encryption policy are to be noted. Files encrypted with EFS where this is not permitted can be located with the EFSInfo tool, for example (see also S 4.278 Secure use of EFS under Windows Server 2003).

Storage space utilisation (e.g. maximum directory sizes or the archiving of old data) is to be checked against the specifications and, where necessary, the specifications are to be enforced. NTFS disk quotas can help with this, but in Windows Server 2003 up to and including SP1 a quota can only be set per user and volume, not per directory. Windows Server 2003 R2 adds the File Server Resource Manager, which provides directory quotas, file screening, and storage reports in addition to the enhanced disk quota management.

The current permissions on files, shares, registry keys, and printers are to be examined for irregularities and deviations from the specifications. For relatively static data and system files, it is recommended to record the intended permissions in a security template (.inf file) and to check and document them with the Security Configuration and Analysis snap-in or its command-line equivalent secedit.
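The following added example, not part of the original safeguard text, runs the template comparison described above from the command line with secedit, which is the command-line form of Security Configuration and Analysis, and extracts the deviations from the analysis log so that they can be attached to the maintenance record. It assumes Windows Server 2003 with Windows PowerShell 2.0; the template and record paths are placeholders, and the "Mismatch" and "Not Configured" markers are the wording of secedit's analysis log as the author of this example knows it, to be checked against a real log.

```powershell
# Added example (not from S 2.369): analyse the server against its security
# template with secedit and list the deviations. Assumes Windows Server 2003
# with Windows PowerShell 2.0.
$Template  = 'C:\Maintenance\Baseline\server-baseline.inf'   # assumed: documented intended state
$RecordDir = 'C:\Maintenance\Records'                          # assumed: maintenance records
$Stamp     = Get-Date -Format 'yyyy-MM-dd'
$Db        = Join-Path $RecordDir "$Stamp-analysis.sdb"
$Log       = Join-Path $RecordDir "$Stamp-analysis.log"

if (-not (Test-Path $RecordDir)) { New-Item -ItemType Directory -Path $RecordDir | Out-Null }

# Load the template into a fresh analysis database and compare the live system with it.
# Nothing is changed on the system; /configure would apply the template instead.
secedit /analyze /db $Db /cfg $Template /overwrite /log $Log /quiet

# The log marks each deviating setting with "Mismatch" and each setting the
# template defines but the system does not with "Not Configured" (assumed wording).
$deviations = Get-Content $Log |
    Where-Object { $_ -match '^\s*(Mismatch|Not Configured)\s*-' } |
    ForEach-Object { $_.Trim() }

"Template: $Template"
"Deviations found: $($deviations.Count)"
$deviations

# The .sdb and .log files stay in the record directory; together with the template
# they document which permissions were intended and which were found.
```

Each deviation is either corrected (for file and registry permissions, `secedit /configure` with the same template can be used during the maintenance window) or documented as an approved exception; the template is updated only through the change process.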

For data media, maintenance consists of monitoring the free space on each partition and of cleaning up and defragmenting the media. Sufficient time must be planned for these tasks.

On NTFS partitions, a major discrepancy between the sum of the sizes of all files on the disk, the expected total, and the space reported as still free can indicate undesired hidden data in alternate data streams (ADS), which ordinary directory listings do not show. If alternate data streams are suspected, it should be ensured that the antivirus software in use scans alternate data streams (see S 2.157 Selection of a suitable virus protection program). If disk utilisation is unexpectedly high and alternate data streams are suspected, the disk should be analysed with suitable third-party tools (see T 2.116 Data loss relating to copying or moving data under Windows Server 2003 and higher).
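The following added example, not part of the original safeguard text, serves two of the checks in this section with a single pass over a volume: the search for EFS-encrypted files that the data media check calls for, and the comparison of the sum of file sizes with the space actually used on the volume that is the indicator for alternate data streams described above. The file length reported by Windows counts only a file's main stream, so data hidden in alternate streams shows up as space that the file list cannot explain. It assumes Windows PowerShell 2.0 on Windows Server 2003 SP2, run as an administrator; the volume letter and the tolerance for unexplained space are assumptions of this example.

```powershell
# Added example (not from S 2.369): one walk over a volume to find EFS-encrypted
# files and to compare the sum of file sizes with the space used on the volume.
# Assumes Windows PowerShell 2.0 on Windows Server 2003 SP2, run as administrator.
$Volume    = 'C:'
$Tolerance = 0.10   # assumed: accept up to 10 % unexplained space (MFT, cluster slack, inaccessible directories)

$encrypted = @()
$fileBytes = [long]0
$ENCRYPTED_ATTR = [int][IO.FileAttributes]::Encrypted

Get-ChildItem -Path "$Volume\" -Recurse -Force -ErrorAction SilentlyContinue -ErrorVariable walkErrors |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $fileBytes += $_.Length                       # size of the main data stream only
        if (([int]$_.Attributes -band $ENCRYPTED_ATTR) -ne 0) { $encrypted += $_.FullName }
    }
$inaccessible = @($walkErrors).Count                  # directories the walk could not enter

# EFS-encrypted files: each one is checked against the organisation's encryption policy
"EFS-encrypted files on ${Volume}: $($encrypted.Count)"
$encrypted

# Space used according to the volume versus the sum of the visible files' main streams.
$disk   = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$Volume'"
$used   = [long]$disk.Size - [long]$disk.FreeSpace
$gap    = $used - $fileBytes
$gapPct = [math]::Round(100 * $gap / $used, 1)
"Used on volume: {0:N0} bytes; sum of file sizes: {1:N0} bytes; unexplained: {2:N0} bytes ({3} %); {4} directories not accessible" -f $used, $fileBytes, $gap, $gapPct, $inaccessible

if (($gap / $used) -gt $Tolerance) {
    Write-Warning ("Unexplained space above {0} %: analyse the volume for alternate data streams, " +
                   "e.g. with Sysinternals streams.exe (a third-party tool, not part of Windows Server 2003)." -f [int](100 * $Tolerance))
}
```

The unexplained share will never be zero: the master file table, cluster slack, and directories the walk could not enter all contribute. What matters is a change from the value recorded at the previous maintenance, which is why the output line belongs in the maintenance record.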

Visual inspection

The external environment of the server is to be examined by performing a visual inspection. During inspection, the cables and connections are to be checked, and the plug-in cards are to be checked to ensure they are tightly in place. Furthermore, the general cleanliness is to be inspected, and the ventilation ducts, fans, and heat sinks are to be cleaned if necessary.

Special maintenance tasks

If data media are to be reliably erased during maintenance, this requires tools from third-party providers, as Windows Server 2003 itself does not provide a tool for this. Suitable products must be selected; see M 1.15 Deleting and destroying data.

If redundant hardware is used, for example RAID 5 arrays, dual power supplies, or clusters, a failed redundant component must be replaced immediately, because until it is replaced the redundancy is lost and a second failure leads to an outage.

All hardware manufacturers publish current information, firmware, and drivers for their products. It is recommended to check these sources regularly and to update the maintenance plan when major changes are released.

Warranty and maintenance contracts

Compliance with warranty and maintenance contracts is to be monitored so that any required maintenance can be performed by the contract partner and no unnecessary failures or costs are incurred. The purchasing department is to be informed in advance of the action it needs to take.

Review questions: