1 / 28

Securing Windows Server 2003

Securing Windows Server 2003. Objectives. Understand the use of Group Policy Secure Windows Server 2003 using security policies Manage security by using the Security Templates Snap-in Configure client security by using Windows Server 2003 policies Configure the Encrypting File System.

judah
Download Presentation

Securing Windows Server 2003

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Securing Windows Server 2003

  2. Objectives • Understand the use of Group Policy • Secure Windows Server 2003 using security policies • Manage security by using the Security Templates Snap-in • Configure client security by using Windows Server 2003 policies • Configure the Encrypting File System

  3. Introduction to Group Policy • Group Policy in Windows Server 2003 allows a standardized working environment for clients and servers • Evolved from the NT Server 4.0 system policy concept • Has more capabilities than system policy • Can extend to cover multiple domains in one site • Set for more environments • More secure because users cannot modify policies • Dynamically updates, and configured to reflect current needs

  4. Group Policy characteristics • Can be set for a site, domain, OU, or local computer • Cannot be set for non-OU folder containers • Policy settings for groups are stored in Group Policy objects (GPOs) • Each GPO has a unique name and GUID • There are local and nonlocal GPOs • When there are multiple GPOs, their effect is incremental • The ordering is local, default domain, site, OUs • Group Policy can be set up to affect user accounts, computers, or both • When Group Policy is updated, old policies are removed or updated for all clients

  5. Securing Windows Server 2003 Using Security Policies • Security policies are a subset of the Group Policy • Some commonly used security policies • Account policies • Audit policy • User rights • Security options • IP Security policies • Can be configured with the following tools • Domain Security Policy tool can be used for domain and local computer • Group Policy Object Editor Snap-in has the most functionality • Active Directory Users and Computers tool can be used for domain or OU

  6. Establishing Account Policies • Account policies are located in the following Group Policy path: • Computer Configuration, Windows Settings, Security Settings • Account policy options • Password security • Account Lockout • Kerberos security

  7. Password Security Options • Enforce password history • Requires users to choose new passwords when they make a password change • Maximum password age • Sets maximum time before password expires • Commonly 45 to 90 days • Minimum password age • Minimum password length • A minimum of seven characters for a “strong password” • Password must meet complexity requirements • Filter of customized password requirements • Store passwords using reversible encryption

  8. Account Lockout Options • Account lockout duration • Permits you to specify in minutes how long the system keeps an account locked out after reaching the specified number of unsuccessful logon attempts • Account lockout threshold • Enables you to set a limit to the number of unsuccessful attempts to log on to an account • Reset account lockout counter after • Enables you to specify the number of minutes between two consecutive unsuccessful logon attempts to make sure that the account is not locked out too soon

  9. Kerberos Security • Involves the use of tickets that are exchanged between the client who requests access and the server or Active Directory that grants access • A key distribution center (DC or server) stores user accounts and passwords • The client computer sends an account name and password to the key distribution center • The key distribution center issues a temporary ticket granting access to the ticket-granting server • The ticket-granting server issues a service ticket for the duration of a logon session

  10. Kerberos Security Options • Enforce user logon restrictions • Turns on Kerberos security, which is the default • Maximum lifetime for a service ticket • Maximum time in minutes that a ticket can access a particular service in one service session • Maximum lifetime for a user ticket • Maximum time in hours that a ticket can be used in one continuous session for access to a computer or domain • Maximum lifetime for user ticket renewal • Maximum number of days that the same Kerberos ticket can be renewed each time a user logs on • Maximum tolerance for computer clock synchronization • Length in minutes a client waits until synchronizing its clock

  11. Establishing Audit Policies • Account management • Directory service and object access • Logon and logoff events for an account and at the local computer • Policy change and privilege use • Process tracking and system events

  12. Configuring User Rights • User rights enable an account or group to perform predefined tasks such as the following: • Access a server • Create accounts • Manage server functions • Assign user rights to groups instead of to individual user accounts • Members of a group inherit the user rights of the group

  13. Configuring Security Options • Over 65 specialized security options in the following categories • Accounts • Audit • Devices • Domain controller • Domain member • Interactive logon • Microsoft network client • Network access

  14. Configuring Security Options (cont.) • Network security • Recovery console • Shutdown • System cryptography • System objects • System settings • Options in each category are specialized to the category

  15. Security Templates Snap-in • Useful when there are multiple Group Policies or multiple OUs that share the same Group Policy • Sets up security for the following • Account and local policies • Event log tracking policies • Group restrictions • Service access security • Registry security • File system security

  16. Configuring Client Security • Provides improvements in security • Ensures a consistent working environment in an organization • When a client logs onto to the server or network, the policies are applied to the client • Examples of use: • Folder redirection for sensitive data • Desktop icon management to start applications the same way for all clients

  17. Manually Configuring Policies for Clients • Use the Group Policy Object Editor Snap-in

  18. Summary • A Group Policy enables you to standardize how people use server and client computers on a network • Security policies are part of a Group Policy and are configured to protect users and resources • Configure account policies to apply to OU, domains, sites, or local computers • Password policies, account lockout policies, and Kerberos authentication policies • Use audit policies to track how resources are accessed, such as folders, files, or user accounts

  19. Summary • User rights policies enable you to create specific security controls over privileges and logon access • Security options are specialized policies for accounts, auditing, devices, domain controllers, logon, clients, network access, network security, and other activities • Use the Security Templates Snap-in to apply default security settings or to create different Group Policy objects for different OUs, domains, or sites • For better control over the activities of clients, manually configure administrative templates or apply preconfigured administrative templates (or both)

  20. Summary • Publish and assign applications to manage how clients use them • Use the Resultant Set of Policy Snap-in to plan and troubleshoot Group Policies • Fine-tune the use of the Encrypting File System by using the cipher command in the Command Prompt window

More Related