chapter 7 l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
HARDENING SERVERS PowerPoint Presentation
Download Presentation
HARDENING SERVERS

Loading in 2 Seconds...

play fullscreen
1 / 23

HARDENING SERVERS - PowerPoint PPT Presentation


  • 717 Views
  • Uploaded on

Chapter 7. HARDENING SERVERS. DEFAULT SECURITY TEMPLATES. Set up Security.inf and DC Security.inf Compatws.inf Securews.inf and Securedc.inf Hisecws.inf and Hisecdc.inf Rootsec.inf Iesacls.inf. DESIGNING SECURITY TEMPLATES.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'HARDENING SERVERS' - elina


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
default security templates
Chapter 7: Hardening Servers DEFAULT SECURITY TEMPLATES
  • Set up Security.inf and DC Security.inf
  • Compatws.inf
  • Securews.inf and Securedc.inf
  • Hisecws.inf and Hisecdc.inf
  • Rootsec.inf
  • Iesacls.inf
designing security templates
Chapter 7: Hardening Servers DESIGNING SECURITY TEMPLATES
  • Create a custom security template for each role, not each computer
  • Base custom templates on a default template
  • Never modify default security templates
  • Apply multiple security templates to computers with multiple roles
security template settings
Chapter 7: Hardening Servers SECURITY TEMPLATE SETTINGS
  • Account policies
  • Local policies
  • Event logs
  • Group memberships
  • Services
  • Registry permissions
  • File and folder permissions
setting not available in security templates
Chapter 7: Hardening Servers SETTING NOT AVAILABLE IN SECURITY TEMPLATES
  • Configuration of Automatic Updates
  • Which Microsoft Windows components and applications are installed
  • IPSec policies
  • Software restrictions
  • Wireless network policies
  • EFS settings
  • Certification Authority (CA) settings
configuring earlier versions of windows
Chapter 7: Hardening Servers CONFIGURING EARLIER VERSIONS OF WINDOWS
  • Support Group Policy:
    • Windows Server 2003
    • Windows 2000 Server
    • Windows 2000 Professional
    • Windows XP Professional
  • Support System Policy:
    • Windows NT 4.0
    • Windows 95
    • Windows 98
    • Windows Me
deploying security configuration with group policy
Chapter 7: Hardening Servers DEPLOYING SECURITY CONFIGURATION WITH GROUP POLICY
  • Import templates into Group Policy
  • Leverage inheritance
  • Filter Group Policy objects (GPOs) with security groups
  • Use Windows Management Instrumentation (WMI) filtering only where necessary
server hardening best practices
Chapter 7: Hardening Servers SERVER HARDENING BEST PRACTICES
  • Use the Configure Your Server Wizard
  • Disable unnecessary services
  • Develop a process for updating all software
  • Change default port numbers
  • Use network and host-based firewalls
server hardening best practices cont
Chapter 7: Hardening Servers SERVER HARDENING BEST PRACTICES (CONT.)
  • Require IPSec
  • Place Internet servers in perimeter networks
  • Use physical security
  • Restrict removable media
  • Backup application-specific information
server hardening best practices cont11
Chapter 7: Hardening Servers SERVER HARDENING BEST PRACTICES (CONT.)
  • Audit backups and restores
  • Rename default user accounts
  • Develop security requirements for application-specific user databases
  • Monitor each server role for failures
  • Read security guides at http://www.microsoft.com
hardening domain controllers
Chapter 7: Hardening Servers HARDENING DOMAIN CONTROLLERS
  • A compromised domain controller can lead to compromises of domain members
  • Domain controllers can be identified with a DNS query
  • Avoid storing application data in Active Directory
  • Create a separate security group for users with privileges to backup domain controllers
  • Use source-IP filtering to block domain requests from external networks
require domain controller services
Chapter 7: Hardening Servers REQUIRE DOMAIN CONTROLLER SERVICES
  • File Replication Service
  • Intersite Messaging
  • Kerberos Key Distribution Center
  • Netlogon
  • Remote Procedure Call (RPC) Locator
  • Windows Management Instrumentation
  • Windows Time
hardening dns servers
Chapter 7: Hardening Servers HARDENING DNS SERVERS
  • When DNS servers are compromised, attackers can use them to:
    • Identify internal network resources
    • Launch man-in-the-middle attacks
    • Perform a denial-of-service (DoS) attack
best practices for hardening dns servers
Chapter 7: Hardening Servers BEST PRACTICES FOR HARDENING DNS SERVERS
  • Use Active Directory–integrated zones. If not Active Directory integrated:
    • Restrict permissions on zone files
    • Use IPSec to protect zone transfers
  • Disable recursion where possible
  • Use separate internal and Internet servers
  • Remove root hints on internal servers
  • Allow only secure DNS updates if possible
hardening dhcp servers
Chapter 7: Hardening Servers HARDENING DHCP SERVERS
  • Dynamic Host Configuration Protocol (DHCP) servers running Windows 2000 and later must be authorized in a domain
  • DHCP servers can automatically update DNS
  • Protect DHCP servers with 802.1X authentication
hardening file servers
Chapter 7: Hardening Servers HARDENING FILE SERVERS
  • Carefully audit share permission and NTFS file system permissions
  • Use source-IP filtering to block requests from external networks
  • Audit access to critical and confidential files
hardening ias servers
Chapter 7: Hardening Servers HARDENING IAS SERVERS
  • Enable Remote Authentication Dial-In User Service (RADIUS) message authenticators
  • Use quarantine control
  • Enable logging
  • Audit logs frequently
hardening exchange server computers
Chapter 7: Hardening Servers HARDENING EXCHANGE SERVER COMPUTERS
  • Encrypt mail traffic with Transport Layer Security (TLS)
  • Use Secure Sockets Layer (SSL) to protect Outlook Web Access (OWA)
  • Enable Security events logging
  • Audit for open relays to protect against spam
hardening exchange server computers cont
Chapter 7: Hardening Servers HARDENING EXCHANGE SERVER COMPUTERS (CONT.)
  • Use antispam software
  • Use antivirus software
  • Require strong passwords
  • Audit with MBSA
hardening sql server computers
Chapter 7: Hardening Servers HARDENING SQL SERVER COMPUTERS
  • Use Windows authentication when possible
  • Use delegated authentication
  • Configure granular authentication in SQL Server databases
  • Audit SQL authentication requests
  • Disable SQL communication protocols except TCP/IP, and require encryption
  • Change the default port number
hardening sql server computers cont
Chapter 7: Hardening Servers HARDENING SQL SERVER COMPUTERS (CONT.)
  • Audit custom applications for vulnerability to SQL injection attacks
  • Audit databases for unencrypted confidential contents:
    • User names and passwords
    • Credit-card numbers
    • Social Security numbers
summary
Chapter 7: Hardening Servers SUMMARY
  • Create security templates for every server role in your organization
  • Apply security templates by using GPOs
  • Techniques such as disabling unnecessary services and enabling host-based firewalls can be used to harden any type of server
  • Server roles each have role-specific considerations, including:
    • Services that should be enabled
    • Ports that must be allowed
    • Logging that should be enabled