Chapter 7 HARDENING SERVERS

DEFAULT SECURITY TEMPLATES
• Setup Security.inf and DC Security.inf
• Compatws.inf
• Securews.inf and Securedc.inf
• Hisecws.inf and Hisecdc.inf
• Rootsec.inf
• Iesacls.inf

DESIGNING SECURITY TEMPLATES
• Create a custom security template for each role, not each computer
• Base custom templates on a default template
• Never modify default security templates
• Apply multiple security templates to computers with multiple roles

SECURITY TEMPLATE SETTINGS
• Account policies
• Local policies
• Event logs
• Group memberships
• Services
• Registry permissions
• File and folder permissions
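
When several role templates are applied to one multi-role computer, a later template can silently undo a setting from an earlier one. The following added example (not part of the original slides) parses two constructed templates in the security template .inf layout, applies them in order with the last one winning, and lists the conflicts; the template contents, role names, and function names are assumptions for illustration.

```python
# Constructed sample templates; role names and values are hypothetical.
FILE_SERVER_INF = '''
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 5
[Service General Setting]
"Spooler",4,""
'''
PRINT_SERVER_INF = '''
[System Access]
MinimumPasswordLength = 12
[Service General Setting]
"Spooler",2,""
'''

def parse_template(text):
    """Return {(section, key): value} for one .inf security template."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # skip blanks and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service General Setting":
            # "name",startup mode,SDDL  (2=Automatic, 3=Manual, 4=Disabled)
            name, mode, _sddl = line.split(",", 2)
            settings[(section, name.strip('"'))] = mode.strip()
        elif "=" in line:
            key, value = line.split("=", 1)
            settings[(section, key.strip())] = value.strip()
    return settings

def merge_templates(templates):
    """Apply (role, text) pairs in order; return (effective, conflicts)."""
    effective, conflicts = {}, []
    for role, text in templates:
        for key, value in parse_template(text).items():
            if key in effective and effective[key][1] != value:
                conflicts.append((key, effective[key], (role, value)))
            effective[key] = (role, value)        # last template applied wins
    return effective, conflicts

def reenabled_services(conflicts):
    """Services an earlier template disabled that a later one turns back on."""
    return [key[1] for key, (_, old), (_, new) in conflicts
            if key[0] == "Service General Setting" and old == "4" and new != "4"]
```

With the file-server template applied first and the print-server template second, the Spooler service that the first role disabled ends up set to Automatic, which is the kind of override worth reviewing before the templates are imported into a GPO.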

SETTINGS NOT AVAILABLE IN SECURITY TEMPLATES
• Configuration of Automatic Updates
• Which Microsoft Windows components and applications are installed
• IPSec policies
• Software restrictions
• Wireless network policies
• EFS settings
• Certification Authority (CA) settings

CONFIGURING EARLIER VERSIONS OF WINDOWS
• Support Group Policy:
  • Windows Server 2003
  • Windows 2000 Server
  • Windows 2000 Professional
  • Windows XP Professional
• Support System Policy:
  • Windows NT 4.0
  • Windows 95
  • Windows 98
  • Windows Me

SYSTEM POLICY EDITOR

DEPLOYING SECURITY CONFIGURATION WITH GROUP POLICY
• Import templates into Group Policy
• Leverage inheritance
• Filter Group Policy objects (GPOs) with security groups
• Use Windows Management Instrumentation (WMI) filtering only where necessary

SERVER HARDENING BEST PRACTICES
• Use the Configure Your Server Wizard
• Disable unnecessary services
• Develop a process for updating all software
• Change default port numbers
• Use network and host-based firewalls

SERVER HARDENING BEST PRACTICES (CONT.)
• Require IPSec
• Place Internet servers in perimeter networks
• Use physical security
• Restrict removable media
• Back up application-specific information

SERVER HARDENING BEST PRACTICES (CONT.)
• Audit backups and restores
• Rename default user accounts
• Develop security requirements for application-specific user databases
• Monitor each server role for failures
• Read security guides at http://www.microsoft.com

HARDENING DOMAIN CONTROLLERS
• A compromised domain controller can lead to compromises of domain members
• Domain controllers can be identified with a DNS query
• Avoid storing application data in Active Directory
• Create a separate security group for users with privileges to back up domain controllers
• Use source-IP filtering to block domain requests from external networks

REQUIRED DOMAIN CONTROLLER SERVICES
• File Replication Service
• Intersite Messaging
• Kerberos Key Distribution Center
• Netlogon
• Remote Procedure Call (RPC) Locator
• Windows Management Instrumentation
• Windows Time

HARDENING DNS SERVERS
• When DNS servers are compromised, attackers can use them to:
  • Identify internal network resources
  • Launch man-in-the-middle attacks
  • Perform a denial-of-service (DoS) attack

BEST PRACTICES FOR HARDENING DNS SERVERS
• Use Active Directory–integrated zones. If not Active Directory integrated:
  • Restrict permissions on zone files
  • Use IPSec to protect zone transfers
• Disable recursion where possible
• Use separate internal and Internet servers
• Remove root hints on internal servers
• Allow only secure DNS updates if possible

HARDENING DHCP SERVERS
• Dynamic Host Configuration Protocol (DHCP) servers running Windows 2000 and later must be authorized in a domain
• DHCP servers can automatically update DNS
• Protect DHCP servers with 802.1X authentication

HARDENING FILE SERVERS
• Carefully audit share permissions and NTFS file system permissions
• Use source-IP filtering to block requests from external networks
• Audit access to critical and confidential files

HARDENING IAS SERVERS
• Enable Remote Authentication Dial-In User Service (RADIUS) message authenticators
• Use quarantine control
• Enable logging
• Audit logs frequently

HARDENING EXCHANGE SERVER COMPUTERS
• Encrypt mail traffic with Transport Layer Security (TLS)
• Use Secure Sockets Layer (SSL) to protect Outlook Web Access (OWA)
• Enable Security events logging
• Audit for open relays to protect against spam

HARDENING EXCHANGE SERVER COMPUTERS (CONT.)
• Use antispam software
• Use antivirus software
• Require strong passwords
• Audit with MBSA

HARDENING SQL SERVER COMPUTERS
• Use Windows authentication when possible
• Use delegated authentication
• Configure granular authentication in SQL Server databases
• Audit SQL authentication requests
• Disable SQL communication protocols except TCP/IP, and require encryption
• Change the default port number

HARDENING SQL SERVER COMPUTERS (CONT.)
• Audit custom applications for vulnerability to SQL injection attacks
• Audit databases for unencrypted confidential contents:
  • User names and passwords
  • Credit-card numbers
  • Social Security numbers

SUMMARY
• Create security templates for every server role in your organization
• Apply security templates by using GPOs
• Techniques such as disabling unnecessary services and enabling host-based firewalls can be used to harden any type of server
• Server roles each have role-specific considerations, including:
  • Services that should be enabled
  • Ports that must be allowed
  • Logging that should be enabled