PowerPoint Slideshow about 'HARDENING SERVERS' - elina
Presentation Transcript
Chapter 7

HARDENING SERVERS


Chapter 7: Hardening Servers

DEFAULT SECURITY TEMPLATES

  • Setup Security.inf and DC Security.inf

  • Compatws.inf

  • Securews.inf and Securedc.inf

  • Hisecws.inf and Hisecdc.inf

  • Rootsec.inf

  • Iesacls.inf


DESIGNING SECURITY TEMPLATES

  • Create a custom security template for each role, not each computer

  • Base custom templates on a default template

  • Never modify default security templates

  • Apply multiple security templates to computers with multiple roles
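
Added example (not part of the original slides): when a computer with several roles receives several templates, the same setting can be defined more than once. This sketch layers templates and reports each override, assuming templates are applied in sequence so that a later value replaces an earlier one; the template contents and role names are constructed for illustration.

```python
import configparser

# Constructed sample templates (not from the slides). Setting names follow the
# [System Access] and [Event Audit] sections of a security template .inf file.
BASELINE = """
[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 1
"""
FILE_SERVER = """
[System Access]
MinimumPasswordLength = 12
[Event Audit]
AuditObjectAccess = 3
"""
WEB_SERVER = """
[System Access]
MinimumPasswordLength = 10
[Event Audit]
AuditLogonEvents = 3
"""


def parse_template(text):
    """Return {(section, setting): value} for one template."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep setting names exactly as written
    cp.read_string(text)
    return {(s, k): v.strip() for s in cp.sections() for k, v in cp[s].items()}


def layer(templates):
    """Apply (name, text) templates in order; return (effective, conflicts)."""
    effective, origin, conflicts = {}, {}, []
    for name, text in templates:
        for key, value in parse_template(text).items():
            if key in effective and effective[key] != value:
                # Record who set the old value and who overrode it.
                conflicts.append((key, origin[key], effective[key], name, value))
            effective[key], origin[key] = value, name
    return effective, conflicts


if __name__ == "__main__":
    roles = [("baseline", BASELINE), ("file", FILE_SERVER), ("web", WEB_SERVER)]
    effective, conflicts = layer(roles)
    for (section, setting), old_by, old, new_by, new in conflicts:
        print(f"[{section}] {setting}: {old_by}={old} overridden by {new_by}={new}")
```

Here the web-server template, applied last, lowers the password length the file-server template set, which is the kind of silent weakening worth reviewing before deployment.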


SECURITY TEMPLATE SETTINGS

  • Account policies

  • Local policies

  • Event logs

  • Group memberships

  • Services

  • Registry permissions

  • File and folder permissions


SETTINGS NOT AVAILABLE IN SECURITY TEMPLATES

  • Configuration of Automatic Updates

  • Which Microsoft Windows components and applications are installed

  • IPSec policies

  • Software restrictions

  • Wireless network policies

  • EFS settings

  • Certification Authority (CA) settings


CONFIGURING EARLIER VERSIONS OF WINDOWS

  • Support Group Policy:

    • Windows Server 2003

    • Windows 2000 Server

    • Windows 2000 Professional

    • Windows XP Professional

  • Support System Policy:

    • Windows NT 4.0

    • Windows 95

    • Windows 98

    • Windows Me


SYSTEM POLICY EDITOR


DEPLOYING SECURITY CONFIGURATION WITH GROUP POLICY

  • Import templates into Group Policy

  • Leverage inheritance

  • Filter Group Policy objects (GPOs) with security groups

  • Use Windows Management Instrumentation (WMI) filtering only where necessary


SERVER HARDENING BEST PRACTICES

  • Use the Configure Your Server Wizard

  • Disable unnecessary services

  • Develop a process for updating all software

  • Change default port numbers

  • Use network and host-based firewalls


SERVER HARDENING BEST PRACTICES (CONT.)

  • Require IPSec

  • Place Internet servers in perimeter networks

  • Use physical security

  • Restrict removable media

  • Back up application-specific information


SERVER HARDENING BEST PRACTICES (CONT.)

  • Audit backups and restores

  • Rename default user accounts

  • Develop security requirements for application-specific user databases

  • Monitor each server role for failures

  • Read security guides at http://www.microsoft.com


HARDENING DOMAIN CONTROLLERS

  • A compromised domain controller can lead to compromises of domain members

  • Domain controllers can be identified with a DNS query

  • Avoid storing application data in Active Directory

  • Create a separate security group for users with privileges to back up domain controllers

  • Use source-IP filtering to block domain requests from external networks


REQUIRED DOMAIN CONTROLLER SERVICES

  • File Replication Service

  • Intersite Messaging

  • Kerberos Key Distribution Center

  • Netlogon

  • Remote Procedure Call (RPC) Locator

  • Windows Management Instrumentation

  • Windows Time


HARDENING DNS SERVERS

  • When DNS servers are compromised, attackers can use them to:

    • Identify internal network resources

    • Launch man-in-the-middle attacks

    • Perform a denial-of-service (DoS) attack


BEST PRACTICES FOR HARDENING DNS SERVERS

  • Use Active Directory–integrated zones. If not Active Directory integrated:

    • Restrict permissions on zone files

    • Use IPSec to protect zone transfers

  • Disable recursion where possible

  • Use separate internal and Internet servers

  • Remove root hints on internal servers

  • Allow only secure DNS updates if possible


HARDENING DHCP SERVERS

  • Dynamic Host Configuration Protocol (DHCP) servers running Windows 2000 and later must be authorized in a domain

  • DHCP servers can automatically update DNS

  • Protect DHCP servers with 802.1X authentication


HARDENING FILE SERVERS

  • Carefully audit share permissions and NTFS file system permissions

  • Use source-IP filtering to block requests from external networks

  • Audit access to critical and confidential files


HARDENING IAS SERVERS

  • Enable Remote Authentication Dial-In User Service (RADIUS) message authenticators

  • Use quarantine control

  • Enable logging

  • Audit logs frequently


HARDENING EXCHANGE SERVER COMPUTERS

  • Encrypt mail traffic with Transport Layer Security (TLS)

  • Use Secure Sockets Layer (SSL) to protect Outlook Web Access (OWA)

  • Enable security event logging

  • Audit for open relays to protect against spam


HARDENING EXCHANGE SERVER COMPUTERS (CONT.)

  • Use antispam software

  • Use antivirus software

  • Require strong passwords

  • Audit with MBSA


HARDENING SQL SERVER COMPUTERS

  • Use Windows authentication when possible

  • Use delegated authentication

  • Configure granular authentication in SQL Server databases

  • Audit SQL authentication requests

  • Disable SQL communication protocols except TCP/IP, and require encryption

  • Change the default port number


HARDENING SQL SERVER COMPUTERS (CONT.)

  • Audit custom applications for vulnerability to SQL injection attacks

  • Audit databases for unencrypted confidential contents:

    • User names and passwords

    • Credit-card numbers

    • Social Security numbers


SUMMARY

  • Create security templates for every server role in your organization

  • Apply security templates by using GPOs

  • Techniques such as disabling unnecessary services and enabling host-based firewalls can be used to harden any type of server

  • Server roles each have role-specific considerations, including:

    • Services that should be enabled

    • Ports that must be allowed

    • Logging that should be enabled

