Module 14: Securing Windows Server 2003

PowerPoint Slideshow about ' Module 14: Securing Windows Server 2003' - kay


Overview
  • Introduction to Securing Servers
  • Implementing Core Server Security
  • Hardening Servers
  • Microsoft Baseline Security Analyzer
Lesson: Introduction to Securing Servers
  • Security Challenges for Small and Medium-Sized Businesses
  • Fundamental Security Trade-Offs
  • What Is the Defense-in-Depth Model?
  • Microsoft Windows Server Security Guidance
Security Challenges for Small and Medium-Sized Businesses
  • Servers with a Variety of Roles
  • Limited Resources to Implement Secure Solutions
  • Older Systems in Use
  • Internal or Accidental Threat
  • Legal Consequences
  • Lack of Security Expertise
  • Physical Access Negates Many Security Measures

Fundamental Security Trade-Offs

[Diagram: Security Trade-Offs among Security, Low Cost, and Usability]

What Is the Defense-in-Depth Model?
  • Increases an attacker’s risk of detection
  • Reduces an attacker’s chance of success

Layers and example defenses:

  • Policies, Procedures, & Awareness: security documents, user education
  • Physical Security: guards, locks
  • Data: ACLs, encryption, EFS
  • Application: application hardening, antivirus
  • Host: OS hardening, authentication
  • Internal Network: network segments, IPSec
  • Perimeter: firewalls

Microsoft Windows Server Security Guidance
  • Threats and Countermeasures Guide
  • Windows Server 2003 Security Guide
  • Default Access Control Settings in Windows Server 2003
  • Security Innovations in Windows Server 2003
  • Technical Overview of Windows Server 2003 Security Services
Lesson: Implementing Core Server Security
  • Core Server Security Practices
  • Recommendations for Hardening Servers
  • Windows Server 2003 SP1 Security Enhancements
  • What Is Windows Firewall?
  • Post-Setup Security Updates
  • What Is the Security Configuration Wizard?
  • Practice: Implementing Core Server Security
Core Server Security Practices
  • Apply the latest service pack and all available security updates
  • Use Group Policy to harden servers
  • Use MBSA to scan server security configurations
  • Restrict physical and network access to servers
Recommendations for Hardening Servers
  • Rename the built-in Administrator and Guest accounts
  • Use restricted groups
  • Restrict who can log on locally to servers
  • Restrict access for built-in and non-operating-system service accounts
  • Do not configure a service to log on using a domain account
  • Use NTFS permissions to secure files and folders

Windows Server 2003 SP1 Security Enhancements

SP1 uses a proactive approach to securing the server by reducing the attack surface

  • Restricts anonymous access to RPC services
  • Restricts DCOM activation, launch, and call privileges and differentiates between local and remote clients
  • Supports no-execute hardware to prevent executables from running in memory spaces marked as nonexecutable
  • Supports VPN Quarantine
  • Supports IIS 6.0 metabase auditing
What Is Windows Firewall?
  • Enabled by default in new installs
  • Audit logging to track firewall activity
  • Boot-time security
  • Global configuration
  • Port restrictions based on the client network
  • On with no exceptions
  • Exceptions list
  • Group Policy support
What Is the Security Configuration Wizard?

SCW provides guided attack surface reduction:

  • Disables unnecessary services and IIS Web extensions
  • Blocks unused ports and secures ports that are left open by using IPSec
  • Reduces protocol exposure
  • Configures audit settings

SCW supports:

  • Rollback
  • Analysis
  • Remote configuration
  • Command-line support
  • Active Directory integration
  • Policy editing
Practice: Implementing Core Server Security

In this practice, you will:

  • Configure Windows Firewall
  • Install the Security Configuration Wizard
  • Use the Security Configuration Wizard
Lesson: Hardening Servers
  • What Is Server Hardening?
  • What Is the Member Server Baseline Security Template?
  • Security Threats to Domain Controllers
  • Implement Password Security
  • Security Templates for Specific Server Roles
  • Best Practices for Hardening Servers for Specific Roles
  • Practice: Hardening Servers
What Is Server Hardening?

[Diagram labels: Securing Active Directory; Apply Baseline Settings; Verify settings application]

Server roles shown in the diagram:

  • Infrastructure Servers
  • File and Print Servers
  • IIS Servers
  • RADIUS (IAS) Servers
  • Certificate Services Servers
  • Bastion Hosts

What Is the Member Server Baseline Security Template?

Modify and apply the Member Server Baseline security template to all member servers

Settings in the Member Server Baseline security template:

  • Audit Policy
  • User Rights Assignment
  • Security Options
  • Event Log
  • System Services

Security Threats to Domain Controllers
  • Modification of Active Directory data
  • Password attacks against administrator accounts
  • Denial-of-service attacks
  • Replication prevention attacks
  • Exploitation of known vulnerabilities
Implement Password Security
  • Use complex passwords to help prevent security breaches
  • Do not implement authentication protocols that require reversible encryption
  • Disable LM hash value storage in Active Directory
Security Templates for Specific Server Roles
  • Organize servers that perform specific roles by OU under the Member Servers OU
  • Apply the Member Server Baseline security template to the Member Servers OU
  • Apply the appropriate role-based security template to each OU under the Member Servers OU
  • Customize security templates for servers that perform multiple roles

Best Practices for Hardening Servers for Specific Roles
  • Modify security templates as needed for servers with multiple roles
  • Enable only services required by role
  • Enable service logging
  • Use IPSec filtering to block all ports except the specific ports needed
  • Secure service accounts and well-known user accounts

Practice: Hardening Servers
  • In this practice, you will apply a security template by using Group Policy
Lesson: Microsoft Baseline Security Analyzer
  • What Is MBSA?
  • MBSA Benefits
  • How MBSA Works
  • MBSA Scan Options
  • Practice: Microsoft Baseline Security Analyzer
What Is MBSA?
  • Scans systems for:
    • Missing security updates
    • Potential configuration issues
  • Works with a broad range of Microsoft software
  • Allows an administrator to centrally scan multiple computers simultaneously

MBSA is a free tool, and can be downloaded from the Microsoft TechNet Web site

MBSA Benefits

MBSA reports important vulnerabilities:

  • Password weaknesses
  • Guest account not disabled
  • Auditing not configured
  • Unnecessary services installed
  • IIS product vulnerabilities
  • IE zone settings
  • Automatic Updates configuration
  • Windows XP firewall configuration
How MBSA Works

[Diagram labels: Windows Download Center; MSSecure.xml; MBSA Computer]

MBSA Scan Options

MBSA has three scan options:

  • MBSA graphical user interface (GUI)
  • MBSA standard command-line interface (mbsacli.exe)
  • HFNetChk scan (mbsacli.exe /hf)
Practice: Microsoft Baseline Security Analyzer

In this practice, you will:

  • Install MBSA
  • Scan a computer by using MBSA
Lab: Securing Windows Server 2003

In this lab, you will:

  • Use the Security Configuration Wizard
  • Configure a Group Policy object for member servers
  • Scan a range of computers by using MBSA