
This server will help keep even the best intruders at bay

Do you think that your Windows NT server is safe? Before you answer, if you're the administrator of an NT server that connects to the Internet, consider the following:

  • At the time of this writing, Netcraft's Web Server Survey (http://www.netcraft.com/survey) reports that about 30 percent of the computers in active Internet sites are Microsoft servers and that the vast majority of those are NT servers. Although Microsoft servers constitute less than a third of the market, they have been the favorite targets of intruders. The Attrition Defacement Statistics Web site (http://www.attrition.org/mirror/attrition/os.html#all) reports that from August 1999 through May 2001, almost 55 percent of all defacements were against NT and almost 7 percent of all defacements were against Windows 2000.

  • During a Black Hat Windows Security convention, three intruders easily infiltrated one of the most popular firewalls, Check Point Software Technology's FireWall-1. This demonstration brought home that a firewall is only as secure as the underlying OS. (For more information, see "Hackers Breach FireWall-1," http://www.zdnet.com/zdnn/stories/news/0,4586,2610719,00.html?chkpt=zdhpnews01, and "A Stateful Inspection of FireWall-1," http://www.dataprotect.com/bh2000/blackhat-fw1.html.)

To provide the highest level of security for your NT network, you can build a bastion host. A bastion host is typically an Internet-connected server that has no devices (e.g., filtering routers) in front of it to protect against Internet attacks. Instead, the bastion host's defense is a stripped-down, highly secure OS.

You can configure a bastion host for a variety of server roles on the Internet. For example, you can use the bastion host as an FTP, Microsoft IIS, SMTP, POP3, Network News Transfer Protocol (NNTP), or firewall server. First, let's look at three good practices to keep in mind as you're building a bastion host; then, we'll discuss how to configure an NT server as a bastion host.

Good Practices
When building a bastion host, you should follow three good practices. First, you should build it in stages so that you're applying the security measures in layers. That way, if problems occur later, you can peel back and check each layer until you find the root of the problem. Second, you should install only programs that are absolutely necessary to achieve the desired functionality. This practice is often referred to as the minimalist approach. Finally, you should document every action you perform on the bastion host. I keep a separate notebook for each bastion host for the entire life of that server. If more than one administrator manages a Web site, keep the notebook in a central location. That way, the notebook becomes a communications tool.

In the notebook, document events and measurements, including hardware and software installations, upgrades, and removals; services running; server reboots; and server statistics (e.g., memory, disk-space utilization). By keeping track of how the server usually behaves, you'll be better able to tell when it's behaving abnormally. Unusual behavior can be a symptom of defacement or another problem.
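The following is an added example, not part of the original article: one way to put the notebook baseline to use is to diff a later `net start` capture and the recorded statistics against the values written down after the build. The capture text, the statistics, and the 25 percent tolerance are constructed assumptions, and the comparison is assumed to run wherever Python is available, not necessarily on the bastion host.

```python
# Added example: diff a later snapshot against the notebook baseline.
# Both `net start` captures and all numbers below are constructed samples.
BASELINE = """These Windows NT services are started:

   EventLog
   Plug and Play
   Remote Procedure Call (RPC) Service
   World Wide Web Publishing Service

The command completed successfully.
"""
CURRENT = """These Windows NT services are started:

   EventLog
   FTP Publishing Service
   Remote Procedure Call (RPC) Service
   Server
   World Wide Web Publishing Service

The command completed successfully.
"""
BASELINE_STATS = {"memory_used_mb": 48, "disk_used_pct": 35}
CURRENT_STATS = {"memory_used_mb": 50, "disk_used_pct": 71}


def parse_net_start(text):
    """Return the set of service names listed between the header and footer."""
    services, in_list = set(), False
    for line in text.splitlines():
        name = line.strip()
        if name.endswith("started:"):
            in_list = True
        elif name.startswith("The command completed"):
            in_list = False
        elif in_list and name:
            services.add(name)
    return services


def service_changes(baseline_text, current_text):
    """Services that appeared or disappeared since the baseline was recorded."""
    base, cur = parse_net_start(baseline_text), parse_net_start(current_text)
    return {"added": sorted(cur - base), "missing": sorted(base - cur)}


def stat_deviations(baseline, current, tolerance=0.25):
    """Statistics that moved more than `tolerance` (a fraction) from baseline."""
    return {k: (baseline[k], current[k]) for k in baseline
            if abs(current[k] - baseline[k]) > tolerance * baseline[k]}


if __name__ == "__main__":
    print(service_changes(BASELINE, CURRENT))
    print(stat_deviations(BASELINE_STATS, CURRENT_STATS))
```

A service that appears without a matching notebook entry, or a statistic that drifts well outside its recorded range, is the kind of unusual behavior worth investigating.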

Keeping these three good practices in mind, let's build a bastion host. Building a host is a six-stage process:

  1. Install NT and the application.
  2. Remove unnecessary network services.
  3. Disable unnecessary local services.
  4. Change the network configuration.
  5. Run setup.cmd.
  6. Test the application.

Install NT and the Application
The first step to building a bastion host is to install NT 4.0 on the server. You're likely experienced in installing NT, so I won't detail that process here. When you install the OS, though, make sure that you

  • configure all volumes as NTFS. If you have enough space, make a separate partition for user data and logs. Separating the OS from user data and logs makes assigning permissions much easier and eliminates the risk of crashing the system should the user data and logs fill up the root partition.

  • select TCP/IP as the only protocol.

  • configure the bastion host as a standalone server.

  • don't install IIS, even if the bastion host will be an IIS server. If you plan to install IIS, you should do so after you finish working with the OS.

The next step is to install the latest service pack. When you install NT 4.0 from a CD-ROM, the CD-ROM typically includes Service Pack 1 (SP1). To avoid any hardware and software problems, I always install the latest service pack and update all my drivers with OEM drivers that I know are solid and stable.

Now you can install your application (e.g., IIS, firewall software). Install updates and hotfixes that the application might need. In following the minimalist approach, you probably won't need to install Microsoft Internet Explorer (IE). However, if you need to install IE, don't install the Shell Update Release (SUR) add-on component (aka Active Desktop). This component isn't necessary and consumes a lot of memory.

With the OS and the application installed, you can tweak your bastion host. Specifically, you need to remove unnecessary network services, disable unnecessary local services, and change the network configuration.
