S 5.131 Protection of IP protocols under Windows Server 2003
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
The TCP/IP stack is enabled after a standard installation. The default security settings are a compromise between security on the one hand and backward compatibility and openness to other systems on the other. This is only adequate in some individual cases, and even then only under certain conditions. Advanced settings for protection against denial-of-service attacks can be found in safeguard S 4.279 Advanced security aspects for Windows Server 2003.
Note: In Windows Server 2003 with Service Pack 1 and higher, the Security Configuration Wizard (SCW) automatically sets the values of some additional settings for certain roles (see S 2.366 Use of security templates under Windows Server 2003) to protect against denial-of-service attacks (see T 4.22 Software vulnerabilities or errors).
Communication protocols in the Internet protocol suite
Some TCP/IP stack protocols can also be configured optionally. They are integrated into the security architecture of the operating system with varying levels of quality and often do not provide adequate authentication or protection of data integrity. In a standard installation of a Windows Server 2003 system, there are no insecure protocols configured in the system. If an optional protocol is installed, then mechanisms for protecting the information exchanged (e.g. cryptographic functions, authentication functions) must be configured according to the area of application and the security requirements.
The Resources for IT-Grundschutz (see Resources for Windows Server 2003) provide an overview of the protocols in the Internet protocol suite for various areas of Windows Server 2003. Here you will find information on how to handle these protocols suitably.
The protocols for distributing IP addresses (DHCP) and resolving names (DNS and WINS) have a particularly large influence on the security and stability of a Windows Server 2003 infrastructure. Suitable concepts that differ according to the particular area of application must be created for the entire infrastructure. Guidelines on how to reach the required security level can be found in the Resources for IT-Grundschutz (see DHCP/DNS/WINS as infrastructure services under Windows Server 2003 in the Resources for Windows Server 2003).
Other protocol groups such as IP routing, multicasting, and Quality of Service (QoS) protocols are used when the server is configured for special roles. They should be disabled otherwise. The following generally applies for secure operation:
- The most suitable protocol should be selected, and all other protocols must be disabled.
- Integrity and the use of encrypted authentication must always be ensured on a Windows Server 2003 system, preferably using NTLMv2 or Kerberos.
- The user data must be encrypted if the protection requirements are higher.
- The use of the desired protocol should be defined in the guideline for the IT system and the affected IT systems, and corresponding security requirements should also be formulated for its use.
- Consideration should be given to using IPSec when a desired protocol under Windows Server 2003 does not meet the security requirements (see S 5.90 Use of IPSec under Windows).
Documentation
All network protocols enabled on the server should be documented. If the server was configured using a template from the SCW, then the template is adequate for use as a minimum level of documentation (see S 2.366 Use of security templates under Windows Server 2003). The authentication and encryption methods used as well as the purpose for using each protocol must be documented.
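One way to check this documentation requirement, as an added example that is not part of the safeguard text: the Python script below compares the protocols enabled on a server with a documentation register and reports gaps. The register format, the field names and the sample data are assumptions constructed for illustration.

```python
# Added example. Register format, field names and sample data are assumptions.
from dataclasses import dataclass

PREFERRED_AUTH = {"ntlmv2", "kerberos"}  # preference stated in the safeguard
REQUIRED_FIELDS = ("purpose", "authentication", "encryption")

@dataclass(frozen=True)
class Finding:
    protocol: str
    issue: str

def audit(enabled, register):
    """Return documentation gaps for the protocols enabled on one server.

    enabled  -- iterable of protocol names found enabled on the server
    register -- dict mapping protocol name -> dict holding REQUIRED_FIELDS
    """
    enabled_set = {p.strip().upper() for p in enabled}
    docs = {name.strip().upper(): rec for name, rec in register.items()}
    findings = []
    for proto in sorted(enabled_set):
        rec = docs.get(proto)
        if rec is None:
            findings.append(Finding(proto, "enabled but not documented"))
            continue
        for field in REQUIRED_FIELDS:
            if not str(rec.get(field) or "").strip():
                findings.append(Finding(proto, f"missing {field}"))
        auth = str(rec.get("authentication") or "").strip().lower()
        if auth and auth not in PREFERRED_AUTH:
            findings.append(Finding(proto, f"authentication '{auth}' is not NTLMv2 or Kerberos"))
    # Stale entries: documented protocols that are no longer enabled.
    for proto in sorted(set(docs) - enabled_set):
        findings.append(Finding(proto, "documented but not enabled"))
    return findings

# Constructed sample data, not taken from a real server.
SAMPLE_ENABLED = ["DNS", "DHCP", "SNMP", "wins"]
SAMPLE_REGISTER = {
    "DNS": {"purpose": "name resolution", "authentication": "Kerberos", "encryption": "IPSec"},
    "DHCP": {"purpose": "address distribution", "authentication": "", "encryption": "none"},
    "WINS": {"purpose": "NetBIOS name resolution", "authentication": "NTLM", "encryption": "none"},
    "QoS": {"purpose": "traffic shaping", "authentication": "Kerberos", "encryption": "none"},
}

if __name__ == "__main__":
    for f in audit(SAMPLE_ENABLED, SAMPLE_REGISTER):
        print(f"{f.protocol}: {f.issue}")
```

An empty result means every enabled protocol has a purpose, an authentication method and an encryption method on record, and no stale entries remain in the register.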
Review questions:
- Are the authentication and encryption methods used as well as the purpose for using each protocol documented?
- Is the TCP/IP stack of the server sufficiently protected against DoS attacks?
- Are no insecure network protocols configured?
- Were all unneeded network protocols disabled?
- Has a suitable infrastructure concept been developed and implemented for distributing IP addresses (DHCP) and resolving names (DNS and WINS)?
- Are all optional IP protocols adequately secured, for example by using authentication and encryption methods?