Windows Server 2003

bubblesradiographer, Servers

4 Dec 2013 (3 years and 8 months ago)


Module 14: Securing Windows Server 2003

Overview

Introduction to Securing Servers

Implementing Core Server Security

Hardening Servers

Microsoft Baseline Security Analyzer


Lesson: Introduction to Securing Servers

Security Challenges for Small and Medium-Sized Businesses

Fundamental Security Trade-Offs

What Is the Defense-in-Depth Model?

Microsoft Windows Server Security Guidance

Security Challenges for Small and Medium-Sized Businesses

Servers with a Variety of Roles

Limited Resources to Implement Secure Solutions

Internal or Accidental Threat

Older Systems in Use

Physical Access Negates Many Security Measures

Lack of Security Expertise

Legal Consequences

Fundamental Security Trade-Offs

Security Trade-Offs (diagram): Security, Usability, Low Cost

What Is the Defense-in-Depth Model?

Increases an attacker’s risk of detection

Reduces an attacker’s chance of success

Policies, Procedures, & Awareness: Security documents, user education

Physical Security: Guards, locks

Perimeter: Firewalls

Internal Network: Network segments, IPSec

Host: OS hardening, authentication

Application: Application hardening, antivirus

Data: ACLs, encryption, EFS

Microsoft Windows Server Security Guidance

Threats and Countermeasures Guide

Windows Server 2003 Security Guide

Default Access Control Settings in Windows Server 2003

Security Innovations in Windows Server 2003

Technical Overview of Windows Server 2003 Security Services

Lesson: Implementing Core Server Security

Core Server Security Practices

Recommendations for Hardening Servers

Windows Server 2003 SP1 Security Enhancements

What Is Windows Firewall?

Post-Setup Security Updates

What Is the Security Configuration Wizard?

Practice: Implementing Core Server Security

Core Server Security Practices

Apply the latest service pack and all available security updates

Use Group Policy to harden servers

Use MBSA to scan server security configurations

Restrict physical and network access to servers

Recommendations for Hardening Servers

Rename the built-in Administrator and Guest accounts

Use restricted groups

Restrict who can log on locally to servers

Restrict access for built-in and non-operating-system service accounts

Do not configure a service to log on using a domain account

Use NTFS permissions to secure files and folders

Windows Server 2003 SP1 Security Enhancements

SP1 uses a proactive approach to securing the server by reducing the attack surface

Restricts anonymous access to RPC services

Restricts DCOM activation, launch, and call privileges and differentiates between local and remote clients

Supports no-execute hardware to prevent executables from running in memory spaces marked as nonexecutable

Supports VPN Quarantine

Supports IIS 6.0 metabase auditing

What Is Windows Firewall?

Enabled by default in new installs

Audit logging to track firewall activity

Boot-time security

Global configuration

Port restrictions based on the client network

On with no exceptions

Exceptions list

Group Policy support

Post-Setup Security Updates

What Is the Security Configuration Wizard?

SCW provides guided attack surface reduction:

Disables unnecessary services and IIS Web extensions

Blocks unused ports and secures ports that are left open by using IPSec

Reduces protocol exposure

Configures audit settings

SCW supports:

Rollback

Analysis

Remote configuration

Command-line support

Active Directory integration

Policy editing

Practice: Implementing Core Server Security

In this practice, you will:

Configure Windows Firewall

Install the Security Configuration Wizard

Use the Security Configuration Wizard



Lesson: Hardening Servers

What Is Server Hardening?

What Is the Member Server Baseline Security Template?

Security Threats to Domain Controllers

Implement Password Security

Security Templates for Specific Server Roles

Best Practices for Hardening Servers for Specific Roles

Practice: Hardening Servers



What Is Server Hardening?

Diagram labels: Securing Active Directory; Apply Baseline Settings; Verify settings application

Server roles shown: Infrastructure Servers; File and Print Servers; IIS Servers; RADIUS (IAS) Servers; Certificate Services Servers; Bastion Hosts

What Is the Member Server Baseline Security Template?

Modify and apply the Member Server Baseline security template to all member servers

Settings in the Member Server Baseline security template:

Audit Policy

User Rights Assignment

Security Options

Event Log

System Services

Security Threats to Domain Controllers

Modification of Active Directory data

Password attacks against administrator accounts

Denial-of-service attacks

Replication prevention attacks

Exploitation of known vulnerabilities

Implement Password Security

Use complex passwords to help prevent security breaches

Do not implement authentication protocols that require reversible encryption

Disable LM hash value storage in Active Directory
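
As an added example (not part of the original slides), the three password recommendations above can be checked against a security template (.inf) file. The sample template text and the function name audit_template are constructed for illustration; the section and setting names are the ones security templates use for these policies.

```python
import configparser

# Constructed sample of a security template (.inf); not taken from the page.
SAMPLE_TEMPLATE = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 0
ClearTextPassword = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Registry-backed security option, lower-cased to match configparser's key handling
NOLMHASH = r"machine\system\currentcontrolset\control\lsa\nolmhash"

# (section, key, expected value, recommendation from the slide)
CHECKS = [
    ("System Access", "passwordcomplexity", "1", "Use complex passwords"),
    ("System Access", "cleartextpassword", "0", "No reversible encryption"),
    ("Registry Values", NOLMHASH, "4,1", "Disable LM hash storage"),
]

def audit_template(text):
    """Return (recommendation, found_value) for each setting that is missing or wrong."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)  # option names are lower-cased by default
    findings = []
    for section, key, expected, label in CHECKS:
        found = cp.get(section, key, fallback=None)
        # A setting absent from the template stays "not defined", so flag it too
        if found is None or found.replace(" ", "") != expected:
            findings.append((label, found))
    return findings

if __name__ == "__main__":
    for label, found in audit_template(SAMPLE_TEMPLATE):
        print(f"FAIL  {label}: found {found!r}")
```

Template files saved by the Windows tools are normally UTF-16, so read them with `open(path, encoding="utf-16")` before passing the text in.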

Security Templates for Specific Server Roles

Organize servers that perform specific roles by OU under the Member Servers OU

Apply the Member Server Baseline security template to the Member Servers OU

Customize security templates for servers that perform multiple roles

Apply the appropriate role-based security template to each OU under the Member Servers OU

Best Practices for Hardening Servers for Specific Roles

Modify security templates as needed for servers with multiple roles

Enable only services required by role

Enable service logging

Use IPSec filtering to block all ports except the specific ports needed

Secure service accounts and well-known user accounts

Practice: Hardening Servers

In this practice, you will apply a security template by using Group Policy



Lesson: Microsoft Baseline Security Analyzer

What Is MBSA?

MBSA Benefits

How MBSA Works

MBSA Scan Options

Practice: Microsoft Baseline Security Analyzer






What Is MBSA?

Scans systems for:


Missing security updates


Potential configuration issues

Works with a broad range of Microsoft software

Allows an administrator to centrally scan multiple computers simultaneously

MBSA is a free tool, and can be downloaded from the Microsoft TechNet Web site

MBSA Benefits

MBSA reports important vulnerabilities:









Password weaknesses

Guest account not disabled

Auditing not configured

Unnecessary services installed

IIS product vulnerabilities

IE zone settings

Automatic Updates configuration

Windows XP firewall configuration

How MBSA Works

Windows Download Center

MBSA

Computer

MSSecure.xml

MBSA Scan Options

MBSA has three scan options:


MBSA graphical user interface (GUI)

MBSA standard command-line interface (mbsacli.exe)

HFNetChk scan (mbsacli.exe /hf)

Practice: Microsoft Baseline Security Analyzer

In this practice, you will:

Install MBSA

Scan a computer by using MBSA

Lab: Securing Windows Server 2003

In this lab, you will:

Use the Security Configuration Wizard

Configure a Group Policy object for member servers

Scan a range of computers by using MBSA

Course Evaluation