Minimizing Cyber Risk in Microsoft Environments

This post was originally published here by UpGuard.

Microsoft’s enterprise software powers the majority of large environments. Though often hybridized with open source solutions and third party offerings, the core components of Windows Server, Exchange, and SQL Server form the foundation of many organizations’ data centers. Despite their prevalence in the enterprise, Microsoft systems have also carried a perhaps unfair reputation for insecurity, compared to Linux and other enterprise options. But the insecurities exploited in Microsoft software are overwhelmingly caused by misconfigurations and process errors, not flaws in the technology— patches are not applied on a quick and regular cadence; settings are not hardened according to best practices; dangerous defaults are left in place in production; unused modules and services are not disabled and removed.

Microsoft has come a long way to bring its out-of-the-box security up to snuff with its famous usability, not to mention introducing command-line and programmatic methods by which to manage their systems. But even now, the careful control necessary to run a secure and reliable data center on any platform can be difficult to maintain all of the time at scale.

UpGuard Builds Trust
UpGuard supports all types of digital assets, from servers and network gear to APIs, GitHub repos, Amazon S3 buckets, and more. Because so many organizations rely on Microsoft technology, it has always been a key focus for UpGuard’s core product. We go beyond supporting standard Windows Servers and feature specific controls and procedures for the most critical Microsoft products, like SQL Server and Exchange. In this guide, we will look at some common problems facing Microsoft technologies and how UpGuard can help resolve them and create an environment you can trust.

The UpGuard Homepage

Microsoft Enterprise Technologies
As any Windows systems administrator knows, the Microsoft enterprise suite is large and complex, with technologies ranging from sophisticated relational databases to enterprise email systems, all glued together by Active Directory, Microsoft’s proprietary LDAP counterpart. Making everything work together as one well-oiled machine requires intimate knowledge of every system and the ability to trust that they are all configured correctly. UpGuard does just that, monitoring only the parts of the system state that matter to you, across every digital surface. Because UpGuard uses PowerShell, nearly every configuration item of every Microsoft product can be tested and validated automatically.


Windows Server
Microsoft’s Server platform can perform many different functions: Active Directory domain controllers, DHCP, DNS, AAA and RADIUS, web servers, file and print, and on and on and on. The versatility of Windows Server has also been counted among its weaknesses, because a large footprint means a large attack surface. However you’re using a Windows server, the rule of thumb should be to make that footprint as small as it can be while still letting the server do its job.

Microsoft has established a regular patch release cadence that can be used to guide patch management efforts within organizations. Keeping Microsoft systems up to date is one of the best defenses against compromise. However, across dozens or hundreds of servers, managing patches becomes more complicated, creating potential blind spots where important systems are not being updated.

Finally, industry bodies like the Center for Internet Security have established best practices for how Windows servers should be hardened to protect them and the data and services they house. But even though these best practices are known, applying them is a different matter entirely. Most shops can’t dedicate the time necessary to thoroughly check systems against these benchmarks, and when it is done, the cadence is usually extremely slow: once or twice a year at most.

UpGuard for Windows Server
UpGuard covers every facet of Windows Server, from top level configurations all the way down to file level integrity monitoring. Examples of the questions UpGuard can ask, answer, and visualize are:

  • Do any servers have dangerous ports open?
  • Which systems are behind on their Windows updates and what patches are they missing?
  • Have any new accounts been added to the administrators group?
  • Is the telnet service disabled on all servers?
  • Is a group of servers running the same software, the same version, the same configurations?
  • Is a scheduled task configured to run under the correct user account on all systems?
  • Have all non-essential Windows roles and features been removed from domain controllers?
  • Do my systems meet security best practices? What do I need to change to harden them?
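As an added example (not UpGuard’s code), the following PowerShell answers several of the questions above for the local server and collects the results as findings. The baseline values (expected local admins, the port allow-list, the domain-controller role set) are assumptions to adapt per environment.

```powershell
# Added example, not UpGuard's code: answers several of the questions above for the
# local server. The baseline values below are assumptions to adapt per environment.
#Requires -RunAsAdministrator
$expectedAdmins = @("$env:COMPUTERNAME\Administrator", 'CORP\Domain Admins')  # assumed baseline
$allowedPorts   = @(135, 445, 3389, 5985)                                     # assumed allow-list
$dcRoles        = @('AD-Domain-Services', 'DNS', 'FS-FileServer')             # assumed DC role set
$findings       = [System.Collections.Generic.List[string]]::new()

# Any member of the local Administrators group that is not on the baseline?
foreach ($m in (Get-LocalGroupMember -Group 'Administrators').Name) {
    if ($expectedAdmins -notcontains $m) { $findings.Add("Unexpected local admin: $m") }
}

# Telnet service: the desired state is absent or disabled
$telnet = Get-Service -Name 'TlntSvr' -ErrorAction SilentlyContinue
if ($telnet -and $telnet.StartType -ne 'Disabled') {
    $findings.Add("Telnet service present with start type $($telnet.StartType)")
}

# Listening TCP ports (loopback excluded) outside the allow-list
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') } |
    Select-Object -ExpandProperty LocalPort -Unique |
    Where-Object { $_ -notin $allowedPorts } |
    ForEach-Object { $findings.Add("Unexpected listening port: $_") }

# Missing updates, asked of the Windows Update Agent COM API
$searcher = (New-Object -ComObject 'Microsoft.Update.Session').CreateUpdateSearcher()
foreach ($u in $searcher.Search('IsInstalled=0 and IsHidden=0').Updates) {
    $findings.Add("Missing update: $($u.Title)")
}

# Enabled scheduled tasks running under something other than a built-in service account
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' -and $_.Principal.UserId } |
    Where-Object { $_.Principal.UserId -notin @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE') } |
    ForEach-Object { $findings.Add("Task '$($_.TaskName)' runs as $($_.Principal.UserId)") }

# On a domain controller (DomainRole 4 or 5), any installed role outside the expected set
if ((Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4) {
    Get-WindowsFeature | Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' } |
        Where-Object { $_.Name -notin $dcRoles } |
        ForEach-Object { $findings.Add("Extra role on DC: $($_.Name)") }
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```

Scheduled across a fleet and compared run to run, an empty findings list is the compliant state and any new line is the drift the text describes.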

UpGuard node visualization

This is information the IT department constantly needs to know in order to grasp the posture of their environment. UpGuard automatically asks and answers the questions that are important to you and proactively notifies you if an answer comes back wrong. If an existing system is changed from a compliant state to a non-compliant state, UpGuard can surface that change automatically and bring it to the attention of relevant parties. Resilience is about reducing risk in day-to-day operations, which in turn produces low risk assets, audited and validated for security and production readiness.

Active Directory
Microsoft’s Active Directory (AD) houses the users, groups, and computer accounts in a Windows environment, along with group policy objects (GPOs) and other important infrastructure information, like DNS zones and scripts that run on client workstations. Large AD installations can have tens of thousands of users and computers, with hundreds or thousands of groups, logically organized into dozens of organizational units (OUs). Some organizations have the luxury of a dedicated AD team or administrator, while most AD management is done by Microsoft generalists who count AD as just one among many technologies for which they are responsible.

Because AD is so critical to Microsoft environments, monitoring and configuration audits for AD settings are among the highest priorities for admins, ensuring that unauthorized privileges are not granted, that user, computer, and group objects are where they belong and receiving the correct policies, and that the AD infrastructure is hardened against compromise. At scale, or as one duty of many, this can be a daunting task, creating blind spots in a crucial piece of business technology.

UpGuard for Active Directory and Microsoft DNS
With UpGuard, important AD objects and settings are automatically audited for compliance to your standards. UpGuard tracks the state of every user, computer, group, and OU in AD, and can tell you which objects comply with your policies— is the administrator account enabled? Are all the systems in the servers OU running the right operating system? Are all of the domain controllers configured identically? Who is in the Domain Admins group? Questions like these can be easy to answer one by one for a well-informed sysadmin, but UpGuard proactively asks them daily or at your preferred cadence, and alerts you only if an unsatisfactory answer is returned.

Differencing configurations on Microsoft AD domain controllers with UpGuard

UpGuard can also interface with AD-integrated DNS, checking important DNS settings like zone transfer permissions and configurations, security options, and forwarding information. UpGuard can even check DNS records themselves, allowing you to create checks on mission critical records like the company website or primary database system. Best of all, UpGuard uses PowerShell to talk to AD, ensuring the maximum granularity of control over what UpGuard looks at and how it determines whether an asset is healthy.
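The AD and DNS questions from the two sections above, written out as an added example (not UpGuard’s code) using the ActiveDirectory and DnsServer RSAT modules. The Domain Admins baseline, the Servers OU, the standard OS string and the record-to-address mapping are assumptions.

```powershell
# Added example, not UpGuard's code: the AD and DNS checks described above, run with
# the ActiveDirectory and DnsServer RSAT modules. OU, names and addresses are assumed.
Import-Module ActiveDirectory, DnsServer
$expectedDomainAdmins = @('Administrator', 'svc-adbackup')        # assumed baseline
$serversOU            = 'OU=Servers,DC=corp,DC=example'            # assumed OU
$expectedServerOS     = 'Windows Server 2019*'                      # assumed standard build
$criticalRecords      = @{ 'www.corp.example' = '203.0.113.10' }    # assumed; documentation range
$findings             = [System.Collections.Generic.List[string]]::new()

# Domain Admins membership, nested groups expanded, compared with the baseline
$members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
Compare-Object -ReferenceObject $expectedDomainAdmins -DifferenceObject @($members) | ForEach-Object {
    $verb = if ($_.SideIndicator -eq '=>') { 'added to' } else { 'missing from' }
    $findings.Add("$($_.InputObject) $verb Domain Admins")
}

# The built-in administrator (RID 500) is looked up by SID, so renaming it does not hide it
$builtin = Get-ADUser -Identity "$((Get-ADDomain).DomainSID.Value)-500"
if ($builtin.Enabled) { $findings.Add("Built-in administrator '$($builtin.SamAccountName)' is enabled") }

# Every computer in the Servers OU should run the standard OS
Get-ADComputer -SearchBase $serversOU -Filter * -Properties OperatingSystem |
    Where-Object { $_.OperatingSystem -notlike $expectedServerOS } |
    ForEach-Object { $findings.Add("$($_.Name) runs '$($_.OperatingSystem)'") }

# Zone transfer settings on each DC's AD-integrated primary zones
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-DnsServerZone -ComputerName $dc |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        Where-Object { $_.SecureSecondaries -eq 'TransferAnyServer' } |
        ForEach-Object { $findings.Add("$dc zone $($_.ZoneName) allows zone transfer to any host") }
}

# Mission-critical records must still resolve to the expected address
foreach ($name in $criticalRecords.Keys) {
    $actual = @((Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue).IPAddress)
    if ($actual -notcontains $criticalRecords[$name]) {
        $findings.Add("$name resolves to '$($actual -join ',')', expected $($criticalRecords[$name])")
    }
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```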

Microsoft Exchange
Microsoft Exchange has provided collaborative email and calendar functionality for twenty years, with Exchange 2000 integrating with Windows 2000 Server’s Active Directory, providing the blueprint for the Exchange being used today. Despite that core similarity, current versions of Exchange little resemble the older editions, having been overhauled and re-overhauled in every major release of the software. In some workplaces, Exchange is the primary communication method, putting it high on criticality and priority lists.

But just as the dependence on Exchange has grown, so has its complexity. Instead of one server, roles are usually divided among specialized servers— database, edge, web access, and so on. Not only has Exchange grown in scope, it has also grown in depth. Now ultra-configurable, and accessible through PowerShell, Exchange has a large configuration surface area. An email database often contains every type of sensitive information in some form or another: financial records, trade secrets, even usernames and passwords, not to mention the inherent privacy needs of intra-organizational communications and scheduling. Organizations need to ensure that every piece of the Exchange infrastructure is visible and properly configured.

UpGuard for Exchange
When it comes to Exchange server, configuration is doubly important because administrators are faced with both the surface area of the software itself, which needs to be locked down and minimized to the particular use of the server, and also the surface area of an email application, including relaying, authentication, connection limits, throttling, and mail logs.

Managing Microsoft Exchange with UpGuard

Microsoft has made it so that every bit of Exchange can now be manipulated through PowerShell. UpGuard can create configuration items from PowerShell scripts, which means the entire Exchange system is available for configuration auditing and reporting, across all roles and server distributions. Since UpGuard already handles AD objects and PowerShell queries, full Exchange information can be discovered and tracked across the forest.
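The areas named above (relaying, authentication, connection limits, throttling and mail logs) as an added Exchange Management Shell example, not UpGuard’s code. The inbound-connection ceiling and the assumption that internet-facing connectors carry "Internet" in their name are both made up for the example.

```powershell
# Added example, not UpGuard's code: receive-connector and logging checks for the
# areas named above, run from the Exchange Management Shell. Thresholds and the
# connector naming convention are assumptions.
$maxInbound = 5000   # assumed ceiling for MaxInboundConnection
$findings   = [System.Collections.Generic.List[string]]::new()

foreach ($rc in Get-ReceiveConnector) {
    $id = "$($rc.Server)\$($rc.Name)"

    # Open relay: anonymous users granted the accept-any-recipient extended right
    $relay = Get-ADPermission -Identity $rc.Identity | Where-Object {
        $_.User -like '*Anonymous*' -and -not $_.Deny -and
        $_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient'
    }
    if ($relay) { $findings.Add("$id allows anonymous relay") }

    # Anonymous submission on a connector that is not (by assumed naming) internet-facing
    if ($rc.PermissionGroups -match 'AnonymousUsers' -and $rc.Name -notlike '*Internet*') {
        $findings.Add("$id accepts anonymous connections (PermissionGroups: $($rc.PermissionGroups))")
    }

    # Authentication: Basic without a TLS requirement, or no TLS offered at all
    if ($rc.AuthMechanism -match 'BasicAuth' -and $rc.AuthMechanism -notmatch 'BasicAuthRequireTLS') {
        $findings.Add("$id allows Basic authentication without requiring TLS")
    }
    if ($rc.AuthMechanism -notmatch 'Tls') { $findings.Add("$id does not offer TLS") }

    # Connection limits and throttling: unlimited or above the assumed ceiling
    if ($rc.MaxInboundConnection.IsUnlimited -or $rc.MaxInboundConnection.Value -gt $maxInbound) {
        $findings.Add("$id MaxInboundConnection is $($rc.MaxInboundConnection)")
    }

    # Protocol logging per connector is the SMTP-level audit trail
    if ($rc.ProtocolLoggingLevel -eq 'None') { $findings.Add("$id protocol logging is off") }
}

# Mail logs: message tracking must be on for every transport service
Get-TransportService | Where-Object { -not $_.MessageTrackingLogEnabled } |
    ForEach-Object { $findings.Add("$($_.Name): message tracking log disabled") }

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```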

SQL Server
Microsoft’s SQL database server software has arguably been their flagship enterprise product. Combining Microsoft’s GUI usability with an extremely powerful database backend allows admins the flexibility to handle large and complicated data sets at scale and without necessarily having high-level T-SQL programming capabilities. But almost all companies store sensitive information in production MSSQL databases— customer records, financials, analytics information— meaning that SQL servers have to do more than just operate to deliver value: they have to operate securely and reliably across the board, protecting the information they house and manipulate.

Like other large, multi-user systems, SQL Server has internal permission controls that regulate access to the data and the actions allowed within its databases. Users are assigned to roles, and each role’s access is set per database. Beyond misconfigurations of the database software itself, errant permissions and unauthorized users are also a security concern for production databases if they go unchecked.

UpGuard for MS SQL Server
UpGuard automates SQL Server security and configuration auditing on every important object in your databases. Know which user accounts exist and how they are configured. Check important database objects like functions, stored procedures, views, tables, and more to ensure they match expectations. Receive alerts if important roles change. In fact, UpGuard can check the results of any SQL query against your expectations, opening up virtually any possibility within the database system to audit and secure your data, verify backups, or check permissions for users and roles.

Managing Microsoft SQL Server with UpGuard
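An added example, not UpGuard’s code, of the kind of query-driven audit described above: role membership, password-policy exemptions, surface-area options and backup age, all read through Invoke-Sqlcmd from the SqlServer module. The instance name and the sysadmin baseline are assumptions.

```powershell
# Added example, not UpGuard's code: permission, configuration and backup checks
# using Invoke-Sqlcmd from the SqlServer module. Instance name and baseline are assumed.
Import-Module SqlServer
$instance         = 'SQL01\PROD'                       # assumed
$expectedSysadmin = @('sa', 'CORP\SQL-Admins')         # assumed baseline
$findings         = [System.Collections.Generic.List[string]]::new()
function Query([string]$Sql, [string]$Database = 'master') {
    Invoke-Sqlcmd -ServerInstance $instance -Database $Database -Query $Sql
}

# Members of the sysadmin fixed server role that are not on the baseline
Query @"
SELECT m.name FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin' AND m.is_disabled = 0;
"@ | Where-Object { $expectedSysadmin -notcontains $_.name } |
     ForEach-Object { $findings.Add("Unexpected sysadmin: $($_.name)") }

# SQL logins that are exempt from the Windows password policy
Query "SELECT name FROM sys.sql_logins WHERE is_policy_checked = 0 AND is_disabled = 0;" |
    ForEach-Object { $findings.Add("Login without password policy: $($_.name)") }

# Surface-area options that should stay off unless there is a documented need
Query @"
SELECT name FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'clr enabled') AND value_in_use = 1;
"@ | ForEach-Object { $findings.Add("Configuration option enabled: $($_.name)") }

# db_owner members in every online user database
foreach ($db in (Query "SELECT name FROM sys.databases WHERE database_id > 4 AND state_desc = 'ONLINE';").name) {
    Query -Database $db -Sql @"
SELECT m.name FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'db_owner' AND m.name <> 'dbo';
"@ | ForEach-Object { $findings.Add("${db}: db_owner member $($_.name)") }
}

# Backup verification: user databases without a full backup in the last 24 hours
Query @"
SELECT d.name FROM sys.databases d
LEFT JOIN msdb.dbo.backupset b ON b.database_name = d.name AND b.type = 'D'
WHERE d.database_id > 4 GROUP BY d.name
HAVING MAX(b.backup_finish_date) IS NULL OR MAX(b.backup_finish_date) < DATEADD(day, -1, GETDATE());
"@ | ForEach-Object { $findings.Add("$($_.name): no full backup in the last 24 hours") }

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```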

IIS
Internet Information Services (IIS) has been a standard part of Windows Server for some time, and as such has been the go-to web server for Microsoft-based environments. Securing an internet-facing IIS server requires care and consideration— the out-of-the-box defaults simply won’t cut it. Unused modules need to be removed or disabled, banners need to be cleared, encryption needs to be configured and certificates installed and kept current.

With today’s demand on websites for both performance and uptime, multiple IIS servers are usually deployed for a single site to provide redundancy and load balancing. Keeping these servers in line becomes increasingly difficult with scale. Do they all have the same modules loaded at the same version? Are they all configured identically? Have they all been hardened using best practices?

UpGuard for IIS
With dedicated sections for IIS modules and configurations, UpGuard helps your IIS servers stay resilient against data breaches. UpGuard creates visibility into the IIS environment by quickly visualizing answers to the important questions administrators need to ask. Do you think your IIS servers are the same, or do you know? UpGuard can difference any number of servers and display where and how their configurations differ. Deploying a new IIS server? UpGuard can automatically put it into the appropriate group and apply your IIS policies to ensure the server is production ready before it goes live. Worried about servers drifting out of compliance as changes are made? Set a policy in UpGuard to continuously check important configurations against your expectations so changes that modify critical settings can be surfaced immediately, before they can be exploited.

Differencing two IIS servers with UpGuard
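Differencing IIS servers as an added example, not UpGuard’s code: each server returns a snapshot of installed Web-* role services, global modules, site bindings and the banner-related headers over WinRM, and the script reports every setting whose value is not identical on all of them. The server names are assumed; the removeServerHeader attribute exists only on IIS 10 and reads as empty elsewhere.

```powershell
# Added example, not UpGuard's code: takes an IIS configuration snapshot on each server
# over WinRM and reports every setting whose value is not identical everywhere.
# Server names are assumed; run from a host with remoting rights to them.
$servers = @('WEB01', 'WEB02')   # assumed

$snapshot = {
    Import-Module WebAdministration
    $s = @{}
    # Installed IIS role services, e.g. an unneeded Web-WebDAV-Publishing or Web-Ftp-Server
    foreach ($f in (Get-WindowsFeature -Name 'Web-*' | Where-Object Installed)) { $s["feature:$($f.Name)"] = 'installed' }
    # Native modules loaded server-wide, keyed to the DLL they come from
    foreach ($m in Get-WebGlobalModule) { $s["module:$($m.Name)"] = $m.Image }
    # Site state and bindings: plain-http bindings and missing certificates surface here
    foreach ($site in Get-Website) {
        $s["site:$($site.Name):state"]    = $site.State
        $s["site:$($site.Name):bindings"] = ($site.Bindings.Collection |
            ForEach-Object { "$($_.protocol)/$($_.bindingInformation)" }) -join ';'
    }
    # Banner hygiene: Server header removal (IIS 10 attribute) and the X-Powered-By header
    $rf = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.webServer/security/requestFiltering'
    $s['header:removeServerHeader'] = [string]$rf.removeServerHeader
    $custom = (Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.webServer/httpProtocol/customHeaders').Collection
    $s['header:X-Powered-By'] = [string]($custom | Where-Object { $_.name -eq 'X-Powered-By' } | Select-Object -ExpandProperty value)
    $s
}

$states = @{}
foreach ($srv in $servers) { $states[$srv] = Invoke-Command -ComputerName $srv -ScriptBlock $snapshot }

# Union of all keys; a key present on one server and absent on another counts as drift
$keys = $states.Values | ForEach-Object { $_.Keys } | Sort-Object -Unique
$drift = foreach ($k in $keys) {
    $values = $servers | ForEach-Object { [string]$states[$_][$k] }
    if (@($values | Sort-Object -Unique).Count -gt 1) {
        [pscustomobject]@{
            Setting = $k
            Values  = ($servers | ForEach-Object { "$_=$($states[$_][$k])" }) -join ' | '
        }
    }
}
$drift | Format-Table -AutoSize -Wrap
```

An empty table means the servers match on everything sampled; a new server added to the list is checked against the others the same way before it goes live.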

By continuously auditing systems and automating the processes that change them, misconfigurations and other process errors can be stopped entirely, or caught early enough to prevent them from turning into data breaches or other cyber incidents. Because UpGuard ties directly into Microsoft software, every important facet can be checked for problems, from the same perspective that an administrator would use when looking at a system. Are the permissions right? Has this server been hardened to best practices? Is the version of the software consistent across systems and up to date? Is my patch management cadence working? These questions and thousands of others can be automatically answered with UpGuard. Running a Microsoft environment doesn’t make you insecure— running any kind of environment without process controls and audits does.
