S 4.277 Protection of SMB, LDAP, and RPC communication under Windows Servers
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
The basic protocols used for internal network communication between Windows servers and clients are SMB, RPC, and LDAP. These protocols are tightly integrated into the Windows security architecture and benefit from the built-in mechanisms that Windows provides to secure communication.
In principle, the use of plain text logins, referred to in Windows as standard authentication, must be prohibited. The same applies to several other login procedures that use weak encryption and can easily be compromised with commonly available auditing tools. The login procedure must be secured using encryption that is adequate both for communication within a Windows environment and for communication between Windows and other IT systems such as Samba or Mac OS X.
When planning, it must be taken into account that some of the required security settings for SMB, RPC, and LDAP are not set in a standard installation. Information on these settings can be found in the Resources for IT-Grundschutz (see RPC, SMB, and LDAP under Windows Server 2003 in the Resources for Windows Server 2003). The security settings should be checked and changed if necessary. These settings also apply to Windows Server 2008. Depending on the role (AD or member server), some of the extended settings are already set by default (in particular those concerning encryption and LM hashes), but most must be adapted.
In addition to the settings mentioned there, the standard security settings of Service Pack 1 should be enabled for Windows Server 2003 at a minimum (see Windows Default Security and Services Configuration.xls from Version 2.0 of the Microsoft Security Guide "Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP" released on 27 December 2005).
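As an added illustration (not part of the IT-Grundschutz text), the following PowerShell script audits a server against the kind of SMB, LDAP, RPC, and LM-hash settings this safeguard refers to. The registry locations are the documented Windows policy locations; the expected values are this example's own hardened baseline and are assumptions, not the values from the Resources for IT-Grundschutz, which remain authoritative.

```powershell
# Added example: report SMB/LDAP/RPC/LM-hash settings that deviate from a baseline.
# Expected values below are an assumed hardened baseline (not the BSI resource values).
# A domain controller is recognised by the presence of the NTDS parameters key,
# because the LDAP server setting only exists on that role.
$IsDC = Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

$Checks = @(
    @{ Name='SMB server: require signing';   Role='All';
       Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';
       Value='RequireSecuritySignature';     Expected=1 },
    @{ Name='SMB client: require signing';   Role='All';
       Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters';
       Value='RequireSecuritySignature';     Expected=1 },
    @{ Name='SMB client: no plain text passwords'; Role='All';
       Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters';
       Value='EnablePlainTextPassword';      Expected=0 },
    @{ Name='LSA: do not store LM hash';     Role='All';
       Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';
       Value='NoLMHash';                     Expected=1 },
    @{ Name='LSA: NTLMv2 only, refuse LM and NTLM (level 5)'; Role='All';
       Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';
       Value='LmCompatibilityLevel';         Expected=5 },
    @{ Name='LDAP client: require signing';  Role='All';
       Path='HKLM:\SYSTEM\CurrentControlSet\Services\LDAP';
       Value='LDAPClientIntegrity';          Expected=2 },
    @{ Name='LDAP server (DC): require signing'; Role='DC';
       Path='HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';
       Value='LDAPServerIntegrity';          Expected=2 },
    @{ Name='RPC: restrict unauthenticated clients'; Role='All';
       Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc';
       Value='RestrictRemoteClients';        Expected=1 }
)

$Results = foreach ($c in $Checks) {
    if ($c.Role -eq 'DC' -and -not $IsDC) { continue }   # skip DC-only settings elsewhere
    # A missing value means the installation default applies, which is usually
    # weaker than the baseline, so it is reported as a finding rather than as OK.
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    [pscustomobject]@{
        Check    = $c.Name
        Expected = $c.Expected
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        Status   = if ($actual -eq $c.Expected) { 'OK' } else { 'FINDING' }
    }
}
$Results | Format-Table -AutoSize
```

Run it on the isolated test system first and again after the security template has been applied; the remaining FINDING rows are the settings the template still needs to cover or that were deliberately left open for compatibility and must therefore be documented.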
Compatibility
The security settings to be specified after a standard installation are associated with the risks described for SMB, RPC, and LDAP in T 2.114 Inconsistent security settings for SMB, RPC, and LDAP under Windows Server. In a heterogeneous network, these settings should only be released by change management after their compatibility with all affected system types has been tested successfully on an isolated test system. The test should also verify availability under high load. Different system types in this context means clients and servers running different Windows versions and Service Packs or different operating system platforms. Detailed information on compatibility is documented in Microsoft Knowledge Base Article 823659, Revision 22 of 10 December 2010 (or a later revision). The German version is usually a somewhat earlier revision and, because it is machine-translated, often contains ambiguous wording; it should therefore not be used as a reference.
Some basic information on compatibility, suitable tools, and the activation procedure can be found in the Resources for IT-Grundschutz (see RPC, SMB and LDAP under Windows Server 2003 in the Resources for Windows Server 2003).
Security template
The settings are to be specified in a security template for the server, see S 2.366 Use of security templates under Windows Server 2003 and S 2.491 Use of roles and security templates under Windows Server 2008.
Documentation
At a minimum, the documentation must include the security template in effect for each server and the contents of that template. If individual settings are not applied globally, the areas to which they apply must be specified, the reasons for the restrictions must be given, and alternative security safeguards, for example stronger isolation of the server or the use of IPSec, must be stated (see S 5.90 Use of IPSec under Windows).
Review questions:
- Is the use of standard authentication and of other login methods with weak encryption avoided, and is a login method with sufficiently strong encryption made compulsory instead?
- Are the most recent service packs installed on the Windows servers, and are the standard security settings configured?
- Are the security settings applied on Windows servers tested beforehand for compatibility with all involved system types, and is availability under high load tested?
- Are the effective security templates documented for each server?