Planning and Administering Windows

Server® 2008 Servers

Module 5: Managing Windows Server 2008 Security

• Planning a Defense-in-Depth Strategy

• Implementing Host-Level Security for Windows Server 2008

• Implementing Network Security for Windows Server 2008

Lesson: Planning a Defense-in-Depth Strategy

• Characteristics of a Defense-in-Depth Strategy

• Layers in a Defense-in-Depth Strategy

Characteristics of a Defense in Depth Strategy

A robust defense-in-depth strategy includes:A robust defense-in-depth strategy includes:

A security risk management framework

Identity and access management policies

Network protection

Update management

Education

Incident response

Continual reassessment and optimization

A security risk management framework

Identity and access management policies

Network protection

Update management

Education

Incident response

Continual reassessment and optimization

Layers in a Defense-in-Depth Strategy

Policies and proceduresPolicies and procedures

Physical securityPhysical security

Perimeter defensesPerimeter defenses

Network defensesNetwork defenses

Host defensesHost defenses

Application defensesApplication defenses

Data defensesData defenses

Lesson: Implementing Host-Level Security for Windows Server 2008

• Assigning Administrative Permissions

• Windows Server 2008 Firewall Configuration

• Implementing Security Policies

• Implementing Security Templates

• Converting Security Configuration Wizard Settings to Security Templates

Assigning Administrative Permissions

• Principle of least privilege Identify administrative permissions or

privileges required Grant only those permissions or privileges

• Granting privileges Factors affecting decision Relinquishing rights

• Principle of least privilege Identify administrative permissions or

privileges required Grant only those permissions or privileges

• Granting privileges Factors affecting decision Relinquishing rights

Windows Server 2008 Firewall Configuration

• Direction

• Port

• Program

• Protocol

• Source IP address

• Destination IP address

• Connection security rule

• Direction

• Port

• Program

• Protocol

• Source IP address

• Destination IP address

• Connection security rule

Implementing Security Policies

Security Configuration Wizard template settings include:

• Server roles

• Client features

• Additional services

• Firewall rules

• Authentication options

• Audit policy

Security Configuration Wizard template settings include:

• Server roles

• Client features

• Additional services

• Firewall rules

• Authentication options

• Audit policy

Implementing Security Templates

• Built-in templates Configure default security settings or

recommended values

• Built-in templates Configure default security settings or

recommended values

• Microsoft templates Download additional templates with

security guides

• Microsoft templates Download additional templates with

security guides

• Custom templates Security Templates MMC snap-in Security Configuration and Analysis MMC

snap-in

• Custom templates Security Templates MMC snap-in Security Configuration and Analysis MMC

snap-in

Converting Security Configuration Wizard Settings to Security Templates

Convert SCW security policies directly to GPOsConvert SCW security policies directly to GPOs

Scwcmd.exe transform /p:SCWpolicyname.xml /g:GPOnameScwcmd.exe transform /p:SCWpolicyname.xml /g:GPOname

Lesson: Implementing Network Security for Windows Server 2008

• Windows Server 2008 Server Locations

• Options for Network Security

• Recommendations for Implementing Windows Server 2008 Server Core

Windows Server 2008 Server Locations

• Perimeter network

• Bastion host

• Internal

• Segmented networks

• Perimeter network

• Bastion host

• Internal

• Segmented networksSegmented networks

Segmented networks

Perimeter Network

Perimeter Network

InternalInternal

Bastion hostBastion host

Options for Network Security

Requirement Security Measures

Secure Network Access

• Physical security

• 802.1x authentication

• Network segmentation

• Firewalls

• Network Access Protection (NAP)

Secure Network Traffic

• Network segmentation

• Firewalls

• IPSec

Server Core enables you to install roles without additional services or the GUI

Server Core enables you to install roles without additional services or the GUI

Recommendations for Implementing Windows Server 2008 Server Core

• AD DS

• AD LDS

• DHCP

• DNS

• File Server

• Print Server

• IIS

• Streaming Media

• AD DS

• AD LDS

• DHCP

• DNS

• File Server

• Print Server

• IIS

• Streaming Media

ExtranetExtranet

Perimeter network

Perimeter network

Lab: Managing Windows Server 2008 Security

• Exercise 1: Planning a Windows Server 2008 Security Configuration

• Exercise 2: Implementing File Server Security

Logon information

Virtual machine6430A-NYC-DC1-05

6430A-NYC-SVR1-05

User name Woodgrovebank\Administrator

Password Pa$$w0rd

Estimated time: 45 minutes

Module Review and Takeaways

• Review Questions

• Best Practices

• Tools