Module 14: Securing Windows Server 2003

Module 14: Securing Windows Server 2003. Overview Introduction to Securing Servers Implementing Core Server Security Hardening Servers Microsoft Baseline

Overview

Introduction to Securing Servers

Implementing Core Server Security

Hardening Servers

Microsoft Baseline Security Analyzer

Lesson: Introduction to Securing Servers

Security Challenges for Small and Medium-Sized Businesses

Fundamental Security Trade-Offs

What Is the Defense-in-Depth Model?

Microsoft Windows Server Security Guidance

Security Challenges for Small and Medium-Sized Businesses

Servers with a Variety of Roles

Limited Resources to Implement Secure Solutions

Internal or Accidental Threat

Older Systems in Use

Physical Access Negates Many Security Measures

Lack of Security Expertise

Legal Consequences

Fundamental Security Trade-Offs

Security Trade-Offs

Usability

Low Cost

Security

What Is the Defense-in-Depth Model?

Increases an attacker’s risk of detection

Reduces an attacker’s chance of success

Policies, Procedures, & Awareness: Security documents, user education

Physical Security: Guards, locks

Perimeter: Firewalls

Internal Network: Network segments, IPSec

Host: OS hardening, authentication

Application: Application hardening, antivirus

Data: ACLs, encryption, EFS

Microsoft Windows Server Security Guidance

Threats and Countermeasures Guide

Windows Server 2003 Security Guide

Default Access Control Settings in Windows Server 2003

Security Innovations in Windows Server 2003

Technical Overview of Windows Server 2003 Security Services

Lesson: Implementing Core Server Security

Core Server Security Practices

Recommendations for Hardening Servers

Windows Server 2003 SP1 Security Enhancements

What Is Windows Firewall?

Post-Setup Security Updates

What Is the Security Configuration Wizard?

Practice: Implementing Core Server Security

Core Server Security Practices

Apply the latest service pack and all available security updates

Use Group Policy to harden servers

Use MBSA to scan server security configurations

Restrict physical and network access to servers

Recommendations for Hardening Servers

Rename the built-in Administrator and Guest accounts

Use restricted groups

Restrict who can log on locally to servers

Restrict access for built-in and non-operating-system service accounts

Do not configure a service to log on using a domain account

Use NTFS permissions to secure files and folders

Windows Server 2003 SP1 Security Enhancements

SP1 uses a proactive approach to securing the server by reducing the attack surface

Restricts anonymous access to RPC services

Restricts DCOM activation, launch, and call privileges and differentiates between local and remote clients

Supports no-execute hardware to prevent executables from running in memory spaces marked as nonexecutable

Supports VPN Quarantine

Supports IIS 6.0 metabase auditing

What Is Windows Firewall?

Enabled by default in new installs

Audit logging to track firewall activity

Boot-time security

Global configuration

Port restrictions based on the client network

On with no exceptions

Exceptions list

Group Policy support

Post-Setup Security Updates

What Is the Security Configuration Wizard?

SCW provides guided attack surface reduction

Disables unnecessary services and IIS Web extensions

Blocks unused ports and secures ports that are left open by using IPSec

Reduces protocol exposure

Configures audit settings

SCW supports:

Rollback

Analysis

Remote configuration

Command-line support

Active Directory integration

Policy editing

Practice: Implementing Core Server Security

In this practice, you will:

Configure Windows Firewall

Install the Security Configuration Wizard

Use the Security Configuration Wizard

Lesson: Hardening Servers

What Is Server Hardening?

What Is the Member Server Baseline Security Template?

Security Threats to Domain Controllers

Implement Password Security

Security Templates for Specific Server Roles

Best Practices for Hardening Servers for Specific Roles

Practice: Hardening Servers

What Is Server Hardening?

Bastion Hosts

Verify settings application

Apply Baseline Settings

Securing Active Directory

Infrastructure Servers

File and Print Servers

IIS Servers

RADIUS (IAS) Servers

Certificate Services Servers

What Is the Member Server Baseline Security Template?

Modify and apply the Member Server Baseline security template to all member servers

Settings in the Member Server Baseline security template:

Audit Policy

User Rights Assignment

Security Options

Event Log

System Services

Security Threats to Domain Controllers

Modification of Active Directory data

Password attacks against administrator accounts

Denial-of-service attacks

Replication prevention attacks

Exploitation of known vulnerabilities

Implement Password Security

Use complex passwords to help prevent security breaches

Do not implement authentication protocols that require reversible encryption

Disable LM hash value storage in Active Directory
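
The three recommendations above correspond to settings in a Windows security template (.inf): PasswordComplexity and ClearTextPassword under [System Access], and the NoLMHash registry value. The Python code below is an added example, not part of the original course material; it audits a template for those three settings. The sample template text and the function name audit_password_settings are assumptions made for illustration.

```python
import configparser

# Constructed sample laid out like a security template (.inf) export.
# It deliberately carries the three weak settings the slide warns about.
SAMPLE_TEMPLATE = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 0
ClearTextPassword = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# configparser lowercases option names, which suits case-insensitive registry paths.
NOLMHASH_KEY = r"machine\system\currentcontrolset\control\lsa\nolmhash"


def audit_password_settings(template_text):
    """Return findings for the three password recommendations.

    A setting that is absent is reported too, because a template that does
    not define it will not enforce it.
    """
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    parser.read_string(template_text)
    access = parser["System Access"] if parser.has_section("System Access") else {}
    registry = parser["Registry Values"] if parser.has_section("Registry Values") else {}

    findings = []
    if access.get("passwordcomplexity") != "1":
        findings.append("PasswordComplexity: complex passwords are not enforced")
    if access.get("cleartextpassword") != "0":
        findings.append("ClearTextPassword: reversible encryption is not disabled")
    # Registry values are written as "<type>,<data>"; type 4 is REG_DWORD.
    reg_type, _, data = (registry.get(NOLMHASH_KEY) or "").partition(",")
    if (reg_type.strip(), data.strip()) != ("4", "1"):
        findings.append("NoLMHash: LM hash storage is not disabled")
    return findings


if __name__ == "__main__":
    for finding in audit_password_settings(SAMPLE_TEMPLATE):
        print("FINDING:", finding)
```

Templates exported from a live server are usually UTF-16 encoded, so decode the file with that encoding before passing its text to the function.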

Security Templates for Specific Server Roles

Organize servers that perform specific roles by OU under the Member Servers OU

Apply the Member Server Baseline security template to the Member Servers OU

Customize security templates for servers that perform multiple roles

Apply the appropriate role-based security template to each OU under the Member Servers OU

Best Practices for Hardening Servers for Specific Roles

Modify security templates as needed for servers with multiple roles

Enable only services required by role

Enable service logging

Use IPSec filtering to block all ports except the specific ports needed

Secure service accounts and well-known user accounts

Practice: Hardening Servers

In this practice, you will apply a security template by using Group Policy

Lesson: Microsoft Baseline Security Analyzer

What Is MBSA?

MBSA Benefits

How MBSA Works

MBSA Scan Options

Practice: Microsoft Baseline Security Analyzer

What Is MBSA?

Scans systems for:

Missing security updates

Potential configuration issues

Works with a broad range of Microsoft software

Allows an administrator to centrally scan multiple computers simultaneously

MBSA is a free tool, and can be downloaded from the Microsoft TechNet Web site

MBSA Benefits

MBSA reports important vulnerabilities:

Password weaknesses

Guest account not disabled

Auditing not configured

Unnecessary services installed

IIS product vulnerabilities

IE zone settings

Automatic Updates configuration

Windows XP firewall configuration

How MBSA Works

Windows Download Center

MSSecure.xml

MBSA Computer

MBSA Scan Options

MBSA has three scan options:

MBSA graphical user interface (GUI)

MBSA standard command-line interface (mbsacli.exe)

HFNetChk scan (mbsacli.exe /hf)

Practice: Microsoft Baseline Security Analyzer

In this practice, you will:

Install MBSA

Scan a computer by using MBSA

Lab: Securing Windows Server 2003

In this lab, you will:

Use the Security Configuration Wizard

Configure a Group Policy object for member servers

Scan a range of computers by using MBSA

Course Evaluation