
Module 14: Securing Windows Server 2003


kay

Presentation Transcript


  1. Module 14: Securing Windows Server 2003

  2. Overview • Introduction to Securing Servers • Implementing Core Server Security • Hardening Servers • Microsoft Baseline Security Analyzer

  3. Lesson: Introduction to Securing Servers • Security Challenges for Small and Medium-Sized Businesses • Fundamental Security Trade-Offs • What Is the Defense-in-Depth Model? • Microsoft Windows Server Security Guidance

  4. Security Challenges for Small and Medium-Sized Businesses • Servers with a Variety of Roles • Limited Resources to Implement Secure Solutions • Older Systems in Use • Internal or Accidental Threat • Legal Consequences • Lack of Security Expertise • Physical Access Negates Many Security Measures

  5. Fundamental Security Trade-Offs • Security • Low Cost • Usability

  6. What Is the Defense-in-Depth Model? • Increases an attacker’s risk of detection • Reduces an attacker’s chance of success • Layers: Data (ACLs, encryption, EFS) • Application (application hardening, antivirus) • Host (OS hardening, authentication) • Internal Network (network segments, IPSec) • Perimeter (firewalls) • Physical Security (guards, locks) • Policies, Procedures, & Awareness (security documents, user education)

  7. Microsoft Windows Server Security Guidance • Threats and Countermeasures Guide • Windows Server 2003 Security Guide • Default Access Control Settings in Windows Server 2003 • Security Innovations in Windows Server 2003 • Technical Overview of Windows Server 2003 Security Services

  8. Lesson: Implementing Core Server Security • Core Server Security Practices • Recommendations for Hardening Servers • Windows Server 2003 SP1 Security Enhancements • What Is Windows Firewall? • Post-Setup Security Updates • What Is the Security Configuration Wizard? • Practice: Implementing Core Server Security

  9. Core Server Security Practices • Apply the latest service pack and all available security updates • Use Group Policy to harden servers • Use MBSA to scan server security configurations • Restrict physical and network access to servers

  10. Recommendations for Hardening Servers • Rename the built-in Administrator and Guest accounts • Use restricted groups • Restrict who can log on locally to servers • Restrict access for built-in and non-operating-system service accounts • Do not configure a service to log on using a domain account • Use NTFS permissions to secure files and folders

  11. Windows Server 2003 SP1 Security Enhancements SP1 uses a proactive approach to securing the server by reducing the attack surface: • Restricts anonymous access to RPC services • Restricts DCOM activation, launch, and call privileges and differentiates between local and remote clients • Supports no-execute hardware to prevent executables from running in memory spaces marked as nonexecutable • Supports VPN Quarantine • Supports IIS 6.0 metabase auditing

  12. What Is Windows Firewall? • Enabled by default in new installs • Audit logging to track firewall activity • Boot-time security • Global configuration • Port restrictions based on the client network • On with no exceptions • Exceptions list • Group Policy support

  13. Post-Setup Security Updates

  14. What Is the Security Configuration Wizard? SCW provides guided attack surface reduction: • Disables unnecessary services and IIS Web extensions • Blocks unused ports and secures ports that are left open using IPSec • Reduces protocol exposure • Configures audit settings SCW supports: • Rollback • Analysis • Remote configuration • Command-line support • Active Directory integration • Policy editing

  15. Practice: Implementing Core Server Security In this practice, you will: • Configure Windows Firewall • Install the Security Configuration Wizard • Use the Security Configuration Wizard

  16. Lesson: Hardening Servers • What Is Server Hardening? • What Is the Member Server Baseline Security Template? • Security Threats to Domain Controllers • Implement Password Security • Security Templates for Specific Server Roles • Best Practices for Hardening Servers for Specific Roles • Practice: Hardening Servers

  17. What Is Server Hardening? • Infrastructure Servers • File and Print Servers • Securing Active Directory • Apply Baseline Settings • IIS Servers • Verify settings application • RADIUS (IAS) Servers • Certificate Services Servers • Bastion Hosts

  18. What Is the Member Server Baseline Security Template? Modify and apply the Member Server Baseline security template to all member servers. Settings in the Member Server Baseline security template: • Audit Policy • User Rights Assignment • Security Options • Event Log • System Services

  19. Security Threats to Domain Controllers • Modification of Active Directory data • Password attacks against administrator accounts • Denial-of-service attacks • Replication prevention attacks • Exploitation of known vulnerabilities

  20. Implement Password Security • Use complex passwords to help prevent security breaches • Do not implement authentication protocols that require reversible encryption • Disable LM hash value storage in Active Directory

  21. Security Templates for Specific Server Roles • Organize servers that perform specific roles by OU under the Member Servers OU • Apply the Member Server Baseline security template to the Member Servers OU • Apply the appropriate role-based security template to each OU under the Member Servers OU • Customize security templates for servers that perform multiple roles

  22. Best Practices for Hardening Servers for Specific Roles • Modify security templates as needed for servers with multiple roles • Enable only services required by role • Enable service logging • Use IPSec filtering to block all ports except the specific ports needed • Secure service accounts and well-known user accounts

  23. Practice: Hardening Servers • In this practice, you will apply a security template by using Group Policy

  24. Lesson: Microsoft Baseline Security Analyzer • What Is MBSA? • MBSA Benefits • How MBSA Works • MBSA Scan Options • Practice: Microsoft Baseline Security Analyzer

  25. What Is MBSA? • Scans systems for missing security updates and potential configuration issues • Works with a broad range of Microsoft software • Allows an administrator to centrally scan multiple computers simultaneously • MBSA is a free tool, and can be downloaded from the Microsoft TechNet Web site

  26. MBSA Benefits MBSA reports important vulnerabilities: • Password weaknesses • Guest account not disabled • Auditing not configured • Unnecessary services installed • IIS product vulnerabilities • IE zone settings • Automatic Updates configuration • Windows XP firewall configuration

  27. How MBSA Works • Windows Download Center • MSSecure.xml • MBSA Computer

  28. MBSA Scan Options MBSA has three scan options: • MBSA graphical user interface (GUI) • MBSA standard command-line interface (mbsacli.exe) • HFNetChk scan (mbsacli.exe /hf)

  29. Practice: Microsoft Baseline Security Analyzer In this practice, you will: • Install MBSA • Scan a computer by using MBSA

  30. Lab: Securing Windows Server 2003 In this lab, you will: • Use the Security Configuration Wizard • Configure a Group Policy object for member servers • Scan a range of computers by using MBSA

  31. Course Evaluation
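
Added example, not part of the original presentation: a check of the three password settings from slide 20 against a security template in INF form, the format of the templates in slides 18 and 21. The sample template text is constructed, the function names are hypothetical, and the code assumes the standard template setting names `PasswordComplexity`, `ClearTextPassword` and `NoLMHash`.

```python
# Added example: audit a security template (INF text) against slide 20.
# SAMPLE_INF is constructed for illustration; it is not a real export.
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 0
ClearTextPassword = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,0
"""

LM_KEY = r"machine\system\currentcontrolset\control\lsa\nolmhash"

def parse_inf(text):
    """Return {section: {key: value}} with lower-cased section and key names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and INF comments
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def audit_password_settings(text):
    """List findings; a missing setting is reported, never assumed safe."""
    inf = parse_inf(text)
    access = inf.get("system access", {})
    registry = inf.get("registry values", {})
    findings = []
    if access.get("passwordcomplexity") != "1":
        findings.append("Password complexity is not enforced")
    if access.get("cleartextpassword") != "0":
        findings.append("Reversible encryption is not disabled")
    # Registry values are stored as "<type>,<data>"; type 4 is REG_DWORD.
    reg_type, _, data = registry.get(LM_KEY, "").partition(",")
    if (reg_type.strip(), data.strip()) != ("4", "1"):
        findings.append("LM hash storage is not disabled (NoLMHash != 1)")
    return findings

if __name__ == "__main__":
    for finding in audit_password_settings(SAMPLE_INF):
        print("FAIL:", finding)
```

Templates saved by Windows tools are typically UTF-16, so decode the file with that encoding before passing its text to `audit_password_settings`.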
