Security Best Practices: Servers and the Network
This thread is the direct descendant of the thread Security Best Practices: The Desktop.
For the purposes of this discussion, assume the following:
Setup A: Small mixed network of 10 Windows 2000 Pro desktops + Linux box w/Samba as a dc/file/print server.
- Desktops run Windows 2000 Professional SP4, with Norton AntiVirus Corporate Edition configured to update defs every wednesday night at 6 PM, and to scan for viruses every day at 6 AM. Standard software includes Office 2000. The mail client is Outlook Express.
- Mail services are provided by their ISP.
- The Linux box also serves out an Apache webserver for staffers situated at staff.domain.com. The webserver only handles Basic auth over HTTPS, and is there only so staff can retrieve documents in their personal folders remotely. It has only the httpd and mod_ssl installed, no extra packages. Apache is 1.3.29
- A firewall exists between the network and the internet (which is piped in via Business DSL). This is configured so that it only forwards port 443 (HTTPS) to the web server, and everything incoming connection is blocked. Desktops are permitted to surf and FTP and so forth.
- There are three printers on the network: A LexMark Optra S series with NIC installed, and two HP LaserJet IIIs hooked up to two of the desktops.
- Never been targeted for attack by a cracker/hacker.
Setup B: Mid-sized contract developer's network of mixed operating systems. 10 Desktop developer boxes, and 14 servers.
- 5 of the Developer boxes run Slackware 9.1, the other 5 run Windows XP Pro SP1a.
- 4 of the servers are linux boxes dedicated to tasks other than development:
- - One box is running OpenBSD 3.3 serving DHCP, DNS (internal), and acting as the firewall.
- - - Firewall is configured to allow external access only via the web to the Slackware box housing webmail, and the two Windows servers dedicated to client app. testing, both on TCP/80 and TCP/443. Surfing is allowed similarly to the network above.
- - Another is running Slackware 8.1 serves mail services only for a webmail client on the same box via Apache and PHP. This is the mail server, as well as doubling as the unix based production test site, where clients having web development done can login to their accounts and see notes from the developers about progress, as well as test the latest copy of the application.
- - The third box is running Windows 2003 Server, serving out all ASP.NET web applications for clients in similar fashion to the second box.
- - The fourth box is a Windows 2000 Server box, serving out domain services and file/print sharing.
- The other 10 servers are
- - 2 Windows 2003 Servers
- - 3 Windows 2000 SP3 Servers
- - 2 Linux Slackware 8.1 Servers
- - 1 Linux RedHat 6.2 Server
- - 2 Linux Debian 3.0 Servers
- All servers are running on a mix of Pentium III/Pentium 4 servers from Dell, with the exception of the 2 Debian servers, which are running on completely new PowerPC 970 servers from IBM.
- CVS is handled by one of the debian servers, which is still also a nix dev box.
- There are two printers on the network: an Epson EPL6200 connected directly to the lan and shared by the Windows 2000 print sharing server, and a Lexmark Z22 Inkjet printer, which is hooked up to the print sharing server via USB.
- Has been the target of a hack once before.
- Note: The client app testing logins are handled via custom-designed software, which for the purposes of this excercise is impenetrable.
The goal here is to provide advice and recommendations on how to secure this network, as well as any and all patching you might do. There is no budget to target here, as the goal is to make this as secure an environment as possible.