Appendix H: Using MBSA to Audit the Security Configuration of Deployment Servers
Use the MBSA to determine whether deployment servers have unknown vulnerabilities. While some services must be enabled and accessible from the network, such as file sharing, resolve any unnecessary vulnerabilities that MBSA identifies.
To run MBSA
1. Download the MBSA from http://www.microsoft.com/mbsa and install it.
2. Launch the MBSA.
3. Complete the wizard by selecting options to scan the entire network with appropriate credentials:
   a. On the welcome page, click Scan more than one computer.
   b. On the Pick Multiple Computers To Scan page, type the IP address range of the deployment servers. Then, click Start scan.
When the scan is complete, the computers should be free of all issues except for the Shares informational alert. On an Active Directory server, carefully review any shared folders and the permissions assigned to them. The standard ADMIN$, NETLOGON, SYSVOL, CAP_domain_name, and root drive shares (for example, C$ and D$) exist. In addition, if SMS is installed on the computer, the SMSPKGC$, SMS_HQ1, SMS_SITE, and SMS_SUIAgent shares exist. Finally, remove all unnecessary shares.
Windows DS servers also have the Shares informational alert. Carefully review any shared folders and the permissions assigned to them. The Deployment Workbench automatically creates a hidden shared folder when a team member updates a deploy point, using the name “ShareName$”. In addition, the standard ADMIN$ and root drive shares (for example, C$ and D$) exist. Restrict permissions on the distribution share to only personnel who require access to the images. Then, further restrict access by configuring NTFS file system permissions, as described in “Appendix F. Restricting File Permissions on Deployment Servers.” Finally, remove all unnecessary shares.
Resolve other vulnerabilities to minimize the risk that a compromised deployment server can be used to infect newly deployed client computers. In particular, address the following types of vulnerabilities if they were identified:
Accounts with blank or simple passwords. Because compromise of a distribution infrastructure has the potential to enable an attacker to compromise all new computers, protecting all accounts with complex passwords is critical. For more information about complex passwords, see Creating a Strong Password Policy at http://technet2.microsoft.com/WindowsServer/en/library/041728b4-5ed9-44a8-99fe-c050333d42451033.mspx?mfr=true.
Accounts with non-expiring passwords. Non-expiring passwords present a security risk for several reasons:
Attackers have more time to use a brute-force attack to derive a password.
An attacker who has compromised a password has access to the user’s system until the user changes the password.
Employees who once had legitimate access to the system but have left the organization will continue to have access until passwords are changed.
Missing security updates. Security updates often remove newly discovered security vulnerabilities.
Unnecessary services installed. The MBSA does not alert team members to the presence of any services required in a distribution environment. Therefore, remove or disable any unnecessary services.
Auditing not enabled. By default, only Logon Success auditing is enabled. Enable Logon Failure auditing to track unsuccessful attempts to authenticate to the build server. While enabling failure auditing exposes the server to the possibility of a denial of service attack (an attacker can flood the log with failed logons), the risk of this type of attack in a distribution environment is minimal. For instructions on how to change auditing settings, see Define or modify auditing policy settings for an event category at http://technet2.microsoft.com/WindowsServer/en/library/d9fea7ea-61e5-43b1-98cd-b02a09f101561033.mspx?mfr=true.
Unnecessary shares present. As described earlier, build servers must have at least one hidden distribution share. Remove any unnecessary shares to reduce security risks.
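The share review described for Active Directory and Windows DS servers above can be scripted so that it is repeatable between MBSA scans. The following PowerShell is an added example, not part of this guide or of MBSA; it assumes Windows Server 2012 or later (the SmbShare cmdlets), an elevated session on the deployment server, and a hidden distribution share named Deployment$ (a hypothetical name; substitute the ShareName$ that Deployment Workbench created). IPC$ is included in the expected set because Windows always creates it, although the appendix does not list it.

```powershell
# Added example: compare the server's SMB shares with the set the appendix says should exist,
# and flag share-level grants to broad groups. Assumes the SmbShare module (Server 2012+).

# Shares the appendix expects on every deployment server (IPC$ added: Windows always creates it).
$expectedStandard = @('ADMIN$', 'IPC$', 'NETLOGON', 'SYSVOL')
# Shares the appendix expects only when SMS is installed on the server.
$expectedSms = @('SMSPKGC$', 'SMS_HQ1', 'SMS_SITE', 'SMS_SUIAgent')
# Hypothetical name of this server's hidden distribution share ("ShareName$" in the appendix).
$distributionShare = 'Deployment$'

$smsInstalled = $false   # set to $true on SMS site servers
$allowed = $expectedStandard + $distributionShare
if ($smsInstalled) { $allowed += $expectedSms }

$findings = foreach ($share in Get-SmbShare) {
    $name = $share.Name
    # Root drive shares such as C$ and D$ are expected: one drive letter followed by '$'.
    $isRootDrive = $name -match '^[A-Z]\$$'
    $isAllowed   = $isRootDrive -or ($allowed -contains $name)

    # Share-level permissions only; NTFS permissions are covered in Appendix F.
    $access = Get-SmbShareAccess -Name $name
    $broadGrant = $access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.AccountName -match 'Everyone|Authenticated Users|\\Users$'
    }

    [PSCustomObject]@{
        Share      = $name
        Path       = $share.Path
        Hidden     = $name.EndsWith('$')
        Unexpected = -not $isAllowed
        BroadGrant = ($broadGrant | ForEach-Object { $_.AccountName }) -join ', '
    }
}

# Unexpected shares are removal candidates (Remove-SmbShare, after confirming nothing depends on
# them); a distribution share with a BroadGrant should be restricted to the image personnel.
$findings | Where-Object { $_.Unexpected -or $_.BroadGrant } | Format-Table -AutoSize
```

Run it after each deploy point update, since Deployment Workbench can create a new hidden share at that point.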
For detailed instructions on how to use the MBSA, including tutorials, see http://www.microsoft.com/resources/sam/partnerguide/howto_inv_tool.aspx.