Module 14: Configuring Server Security Compliance

Presentation transcript:

Course 6421A, Module 14: Configuring Server Security Compliance
Presentation: 90 minutes. Lab: 90 minutes.

This module helps students to secure servers and maintain update compliance. After completing this module, students will be able to:
- Secure a Windows infrastructure.
- Use security templates to secure servers.
- Configure an audit policy.
- Describe Windows Server Update Services (WSUS).
- Manage WSUS.

Required materials: To teach this module, you need the Microsoft® Office PowerPoint® file 6421A_14.ppt.

Important: It is recommended that you use PowerPoint 2002 or a later version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides might not be displayed correctly.

Preparation tasks: To prepare for this module:
- Read all of the materials for this module.
- Practice performing the demonstrations and the lab exercises.
- Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance.
- Make sure that students are aware that there are additional information and resources for the module on the Course Companion CD.

Module Overview
- Securing a Windows Infrastructure
- Using Security Templates to Secure Servers
- Configuring an Audit Policy
- Overview of Windows Server Update Services
- Managing WSUS

Lesson 1: Securing a Windows Infrastructure
- Challenges of Securing a Windows Infrastructure
- Applying Defense-in-Depth to Increase Security
- Core Server Security Practices
- What Is the Security Configuration Wizard?
- What Is Windows Firewall?
- Demonstration: Using the Security Configuration Wizard to Secure Server Roles

Challenges of Securing a Windows Infrastructure
Challenges of securing a Windows infrastructure include:
- Implementing and managing secure configuration of servers
- Protecting against malicious software threats and intrusions
- Implementing effective identity and access control

Start this topic by asking students what they think are the consequences of not addressing security within their network environment. For this topic, it is important to introduce common security challenges that most organizations face. Discussion points related to each category include the following:

Implementing and managing secure configuration of servers: Discuss how organizations typically find it challenging to implement and manage secure configurations, often for servers that perform more than one role. It typically has been difficult to determine and manage required services, which ports need to be open, and who needs access to servers. (Related Technologies: Security Configuration Wizard, Group Policy, Security Templates)

Protecting against malicious software threats and intrusions: Discuss how organizations need to determine the most effective way to ensure that their environment is protected from software threats that result from an inadequate update-management process. Organizations also tend to protect a network's perimeter, without giving any thought to protecting specific servers or segments within their network environment. (Related Technologies: Windows Server Update Services [WSUS], Network Access Protection [NAP], Internet Protocol security [IPsec], Windows Firewall)

Implementing effective identity and access control: Organizations may require more effective methods to identify and control who is logging on and accessing resources. (Related Technologies: Smart cards, Encrypting File System [EFS], BitLocker, Public Key Infrastructure [PKI], Rights Management Services, Federation Services)

Use this topic to introduce the challenges, but do not necessarily go into the solutions, as they will be discussed in the next topic. Related technologies are provided only to help direct the discussion to the challenges that these solutions help address.

References: Windows Server 2008: Windows Help and Support: Security Overview

Applying Defense-in-Depth to Increase Security
Defense-in-depth provides multiple layers of defense to protect a networking environment:
- Data: ACLs, encryption, EFS
- Application: Application hardening, antivirus
- Host: OS hardening, authentication
- Internal Network: Network segments, IPsec
- Perimeter: Firewalls
- Physical Security: Guards, locks
- Policies, Procedures, & Awareness: Security documents, user education

As you describe each layer, provide an example of a Windows Server® 2008 technology that can help secure the layer.
- Host: Security Configuration Wizard, Security Templates, host-based firewall, WSUS
- Internal Network: NAP, IPsec
Point out that the rest of this module focuses on host-based security.

References: Antivirus Defense-in-Depth Guide http://go.microsoft.com/fwlink/?LinkId=102264&clcid=0x409

Core Server Security Practices
- Apply the latest service pack and all available security updates
- Use the Security Configuration Wizard to scan and implement server security
- Use Group Policy and security templates to harden servers
- Restrict scope of access for service accounts
- Restrict who can log on locally to servers
- Restrict physical and network access to servers

Describe examples of core server security practices, and emphasize the importance of implementing consistent security based upon roles. Both of these concepts will be discussed with the Security Configuration Manager and security templates topics.

What Is the Security Configuration Wizard?
SCW provides guided attack-surface reduction:
- Disables unnecessary services and IIS Web extensions
- Uses IPsec to block unused ports and secure ports that are left open
- Reduces protocol exposure
- Configures audit settings
SCW supports:
- Rollback
- Analysis
- Remote configuration
- Command-line support
- Active Directory integration
- Policy editing

Describe that Security Configuration Wizard (SCW) is an attack surface-reduction tool for Windows Server 2008. SCW determines the minimum functionality that a server's roles require, and it disables functionality that is not required.

References:
Security Configuration Wizard Documentation http://go.microsoft.com/fwlink/?LinkID=112097&clcid=0x409
Security Configuration Wizard Quick Start Guide http://go.microsoft.com/fwlink/?LinkID=112098&clcid=0x409

What Is Windows Firewall?
Windows Firewall is a stateful host-based application that provides the following features:
- Filters both incoming and outgoing network traffic
- Integrates both firewall filtering and IPsec protection settings
- Can be managed by the Control Panel tool or by the more advanced Windows Firewall with Advanced Security MMC console
- Provides Group Policy support
- Enabled by default in new installs

Module 9 introduced students to the advanced features of Windows Firewall. However, be sure to point out that Windows Firewall is an important part of securing a host system.

References:
Introduction to Windows Firewall with Advanced Security http://go.microsoft.com/fwlink/?LinkID=112099&clcid=0x409
Windows Firewall http://go.microsoft.com/fwlink/?LinkID=112100&clcid=0x409

Demonstration: Using the Security Configuration Wizard to Secure Server Roles
In this demonstration, you will see how to implement security using the Security Configuration Wizard.

Perform the following tasks in the demonstration: Start the Security Configuration Wizard (SCW), and discuss each of the configuration tasks and steps.

Lesson 2: Using Security Templates to Secure Servers
- What Is a Security Policy?
- What Are Security Templates?
- Demonstration: Configuring Security Template Settings
- What Is the Security Configuration and Analysis Tool?
- Demonstration: Analyzing Security Policy Using the Security Configuration and Analysis Tool

What Is a Security Policy?
A security policy is a combination of security settings to be applied to a computer.
Local Security Policies include:
- Account Policies
- Local Policies
- Windows Firewall with Advanced Security
- Public Key Policies
- Software Restriction Policies
- IP Security Policies on Local Computer
Active Directory Security Policies include:
- Event Log
- Restricted Groups
- System Services
- Registry
- File System
- Wired and Wireless Network Policies
- Network Access Protection
- IP Security Policies on Active Directory

Describe what a security policy is, and how it differs based on where you create or apply it. Active Directory®-based security policies contain more options that you can use to affect domain-based computers.

What Are Security Templates?
A security template is a collection of configured security settings used to apply a security policy.
Security Templates:
- Created and modified using the Security Templates MMC snap-in
- Default security templates stored in %SystemRoot%\Security\Templates
- Custom security templates are stored in local user profile folder
Deployment Considerations:
- Create templates based upon server role
- Deploy to individual computers using the SECEDIT command
- Deploy to groups of computers using Group Policy

Describe security templates and how you can use them to help deploy and manage security policies.

References: How to apply predefined security templates in Windows Server 2003 http://go.microsoft.com/fwlink/?LinkID=112101&clcid=0x409

Demonstration: Configuring Security Template Settings
In this demonstration, you will see how to:
- Add the Security Templates snap-in and configure a custom security template for the DHCP server role
- Import a security template into Active Directory

For this demonstration, open the Microsoft Management Console (MMC) and add the Security snap-in:
- Create a new security template called Dynamic Host Configuration Protocol (DHCP) servers.
- Configure various security settings.
- Import the security template into Active Directory.

What Is the Security Configuration and Analysis Tool?
Describe how you can use the Security Configuration and Analysis tool to compare the actual local security settings of a computer to a security template's configured settings. Consistencies are marked with a green check mark, while discrepancies are marked with a red X. Point out that if you require frequent analysis of a large number of computers, use Secedit.exe, which you can use in a batch file or schedule to run at specific times.

References: Best practices for Security Configuration and Analysis http://go.microsoft.com/fwlink/?LinkID=112102&clcid=0x409

Demonstration: Analyzing Security Policy Using the Security Configuration and Analysis Tool
In this demonstration, you will see how to use the Security Configuration and Analysis Tool to analyze and configure local security policy settings.

For this demonstration, perform the following tasks:
- Create a custom security template.
- Import the custom template into the Security Configuration and Analysis Tool.
- Run an analysis to compare the current settings to the custom security template.
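The comparison that the Security Configuration and Analysis tool performs can also be run offline over many servers by diffing each server's `secedit /export /cfg` output against the role template. The following is an added example, not part of the course material; both INF texts, their values, and the function names are constructed for illustration.

```python
import configparser

# Constructed sample: a role-based template (for example, the DHCP servers
# template from the demonstration). All values are illustrative assumptions.
TEMPLATE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditObjectAccess = 2
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed sample: what `secedit /export /cfg` might return on one server.
EXPORTED_INF = r"""
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 3
AuditObjectAccess = 0
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-545,*S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-551,*S-1-5-32-544
"""

IGNORED_SECTIONS = {"Unicode", "Version"}   # file metadata, not policy
LIST_SECTIONS = {"Privilege Rights"}        # values are unordered principal lists


def read_inf(path):
    """Read an INF from disk; assumes secedit's usual UTF-16 (with BOM) output."""
    with open(path, encoding="utf-16") as handle:
        return handle.read()


def parse_inf(text):
    """Parse security-template INF text into {section: {setting: value}}."""
    parser = configparser.ConfigParser(
        interpolation=None, delimiters=("=",), comment_prefixes=(";",), strict=False
    )
    parser.optionxform = str  # keep the case of setting names
    parser.read_string(text)
    return {
        name: dict(parser.items(name))
        for name in parser.sections()
        if name not in IGNORED_SECTIONS
    }


def normalize(section, value):
    """Make values comparable: drop quotes and spacing, ignore list order."""
    parts = [p.strip() for p in value.strip().strip('"').split(",") if p.strip()]
    return frozenset(parts) if section in LIST_SECTIONS else ",".join(parts)


def compare(template_text, actual_text):
    """Return (status, section, setting, expected, actual) per template setting."""
    template, actual = parse_inf(template_text), parse_inf(actual_text)
    findings = []
    for section, settings in template.items():
        for key, expected in settings.items():
            current = actual.get(section, {}).get(key)
            if current is None:
                status = "MISSING"      # setting absent from the export
            elif normalize(section, current) == normalize(section, expected):
                status = "OK"           # the tool's green check mark
            else:
                status = "MISMATCH"     # the tool's red X
            findings.append((status, section, key, expected, current))
    return findings


if __name__ == "__main__":
    for status, section, key, expected, current in compare(TEMPLATE_INF, EXPORTED_INF):
        print(f"{status:8} [{section}] {key}: template={expected} actual={current}")
```

Settings that exist on the server but are not defined in the template are not reported, which matches the template-driven direction of the analysis.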

Lesson 3: Configuring an Audit Policy
- What Is Auditing?
- What Is an Audit Policy?
- Types of Events to Audit
- Demonstration: How to Configure Auditing

What Is Auditing?
Auditing tracks user and operating system activities, and records selected events in security logs, such as:
- What occurred?
- Who did it?
- When?
- What was the result?
Enable auditing to:
- Create a baseline
- Detect threats and attacks
- Determine damages
- Prevent further damage
Audit access to objects, management of accounts, and users logging on and off.

Use this topic to discuss auditing and its use. Mention that the most common types of events to audit are:
- Access to objects, such as files and folders.
- Management of user and group accounts.
- Users logging on and off the system.

References: Auditing overview http://go.microsoft.com/fwlink/?LinkId=102268&clcid=0x409

What Is an Audit Policy?
An audit policy determines the security events that will be reported to the network administrator.
Set up an audit policy to:
- Track success or failure of events
- Minimize unauthorized use of resources
- Maintain a record of activity
Security events are stored in security logs.

Describe how an auditing policy defines the types of events that are recorded in each computer's security log. Events are written to the computer on which the event occurs. You can implement audit policies using the local security policy or by configuring Group Policy.

References: Auditing Policy http://go.microsoft.com/fwlink/?LinkID=112103&clcid=0x409

Types of Events to Audit
- Account Logon
- Account Management
- Directory Service Access
  - Directory Service Changes
  - Directory Service Replication
  - Detailed Directory Service Replication
- Logon
- Object Access
- Policy Change
- Privilege Use
- Process Tracking
- System

The first step in configuring an audit policy is to determine which events to audit. The following table lists the auditable events (Event: Example):

Account Logon: An account is authenticated by a security database. When a user logs on to the local computer, the computer records the Account Logon event. When a user logs on to a domain, the authenticating domain controller records the Account Logon event.

Account Management: An administrator creates, changes, or deletes a user account or group; a user account is renamed, disabled, or enabled; or a password is set or changed.

Directory Service Access (Directory Service Changes, Directory Service Replication, Detailed Directory Service Replication): A user accesses an Active Directory object. To log this type of access, you must configure specific Active Directory objects for auditing. The subcategories are new to Windows Server 2008. If you enable Directory Service Access, you enable all of the subcategories. Note that you still need to modify the system access control list (SACL) on the specific objects for auditing to take place. You can also modify individual subcategories using the Auditpol command-line utility. Example:
    auditpol /set /subcategory:"directory service changes" /success:enable

Logon: A user logs on or off a local computer, or a user makes or cancels a network connection to the computer. The event is recorded on the computer that the user accesses, regardless of whether a local or domain account is used.

Object Access: A user accesses a file, folder, or printer. The administrator must configure specific files, folders, or printers to be audited, the users or groups that are being audited, and the actions for which they will be audited.

Policy Change: A change is made to the user security options (for example, password options or account-logon settings), user rights, or audit policies.

Privilege Use: A user exercises a user right, such as changing the system time (this does not include rights that are related to logging on and off) or taking ownership of a file.

Process Tracking: An application performs an action. This information typically is useful only for programmers who want to track details about application execution.

System: A user restarts or shuts down the computer, or an event occurs that affects Windows Server 2003 security or the security log.

References: Windows Server 2008 Auditing AD DS Changes Step-by-Step Guide http://go.microsoft.com/fwlink/?LinkID=112104&clcid=0x409
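To check which subcategories are actually enabled before changing them, the CSV report from `auditpol /get /category:* /r` can be compared with a required baseline and turned into the matching `auditpol /set` commands. This is an added example, not part of the course material; the report rows, the placeholder GUIDs, the baseline, and the function names are constructed assumptions.

```python
import csv

# Constructed sample of `auditpol /get /category:* /r` output. The GUID column
# holds placeholders, not the real subcategory GUIDs.
AUDITPOL_CSV = """\
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
NYC-DC1,System,Logon,{00000000-0000-0000-0000-000000000000},Success and Failure,
NYC-DC1,System,User Account Management,{00000000-0000-0000-0000-000000000000},Success,
NYC-DC1,System,File System,{00000000-0000-0000-0000-000000000000},No Auditing,
NYC-DC1,System,Directory Service Access,{00000000-0000-0000-0000-000000000000},Success,
NYC-DC1,System,Directory Service Changes,{00000000-0000-0000-0000-000000000000},No Auditing,
"""

# Assumed baseline covering the event types the module calls most common:
# logons, account management, object access, plus AD DS changes.
BASELINE = {
    "Logon": {"success", "failure"},
    "User Account Management": {"success", "failure"},
    "File System": {"success", "failure"},
    "Directory Service Changes": {"success"},
}


def parse_setting(text):
    """'Success and Failure' -> {'success', 'failure'}; 'No Auditing' -> set()."""
    lowered = text.lower()
    return {kind for kind in ("success", "failure") if kind in lowered}


def current_policy(csv_text):
    """Map lower-cased subcategory name -> set of enabled audit kinds."""
    lines = [line for line in csv_text.splitlines() if line.strip()]
    return {
        row["Subcategory"].strip().lower(): parse_setting(row["Inclusion Setting"])
        for row in csv.DictReader(lines)
    }


def audit_gaps(csv_text, baseline):
    """Return [(subcategory, [missing kinds])] for every unmet requirement."""
    policy = current_policy(csv_text)
    gaps = []
    for subcategory, required in baseline.items():
        # A subcategory absent from the report is treated as not audited.
        missing = required - policy.get(subcategory.lower(), set())
        if missing:
            gaps.append((subcategory, sorted(missing)))
    return gaps


def remediation(gaps):
    """Build the auditpol commands that would close each gap."""
    commands = []
    for subcategory, missing in gaps:
        flags = " ".join(f"/{kind}:enable" for kind in missing)
        commands.append(f'auditpol /set /subcategory:"{subcategory}" {flags}')
    return commands


if __name__ == "__main__":
    for command in remediation(audit_gaps(AUDITPOL_CSV, BASELINE)):
        print(command)
    # Enabling a subcategory is only half of the job for directory and file
    # objects: the SACL on the specific objects must still request auditing.
```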

Demonstration: How to Configure Auditing
In this demonstration, you will see how to:
- Enable auditing for various events
- Enable object access auditing

Demonstrate the following tasks:
- Show how to enable auditing on various event categories.
- Demonstrate how to enable auditing on object access.
- Demonstrate how to modify the SACL to provide object auditing.

Lesson 4: Overview of Windows Server Update Services
- What Is Windows Server Update Services?
- Windows Server Update Services Process
- Server Requirements for WSUS
- Automatic Updates Configuration
- Demonstration: Installing and Configuring WSUS

What Is Windows Server Update Services?
[Diagram: Microsoft Update Web site, Internet, server running Windows Server Update Services, LAN, Automatic Updates, test clients]

Describe how WSUS enables you to deploy the latest Microsoft product updates to computers running Microsoft Windows Server 2003, Windows Server® 2008, Windows Vista™, Microsoft Windows® XP with Service Pack 2, and Windows 2000 with Service Pack 4 operating systems. Describe the following:

Microsoft Update: This is the Microsoft Web site that distributes Microsoft product updates.

Windows Server Update Services server: This component is installed on a Windows Server 2003 SP1 or Windows Server 2008 server inside the corporate firewall. The WSUS server allows administrators to manage and distribute updates through the WSUS 3.0 Administration console, which can be installed on any Windows computer in the domain. Additionally, a WSUS server can be the update source for the organization's other WSUS servers. At least one WSUS server in the network must connect to Microsoft Update to get available update information. The administrator can determine, based on network security and configuration, whether other servers should connect directly to Microsoft Update.

Automatic Updates: This component is built into the Windows Server 2008, Windows Vista, Windows Server 2003, Windows XP, and Windows 2000 SP4 operating systems. Automatic Updates enables both server and client computers to receive updates from Microsoft Update or from a WSUS server.

References: Microsoft Windows Server Update Services 3.0 Overview http://go.microsoft.com/fwlink/?LinkId=102269&clcid=0x409

Windows Server Update Services Process
[Diagram: Update Management cycle: Assess, Identify, Evaluate and Plan, Deploy]

Phase 1: Assess
- Set up a production environment that will support update management for both routine and emergency scenarios
Phase 2: Identify
- Discover new updates in a convenient manner
- Determine whether updates are relevant to the production environment
Phase 3: Evaluate and Plan
- Test updates in an environment that resembles, but is separate from, the production environment
- Determine the tasks necessary to deploy updates into production, plan the update releases, build the releases, and then conduct acceptance testing of the releases
Phase 4: Deploy
- Approve and schedule update installations
- Review the process after the deployment is complete

Explain the four phases that Microsoft recommends for the update-management process: assess, identify, evaluate and plan, and deploy. Emphasize that it is essential to repeat the update-management process on an ongoing basis, as new updates become available that can enhance and protect the production environment. Explain that each phase has different goals and methods for using WSUS features to ensure success during the update-management process. It is important to note that you can employ many of the features in more than one phase.

Server Requirements for WSUS
Software requirements:
- Windows Server 2003 SP1 or Windows Server 2008
- IIS 6.0 or later
- Windows Installer 3.1 or later
- Microsoft .NET Framework 2.0
- SQL Server 2005 SP1 or later (optional)
- Microsoft Report Viewer Redistributable 2005

Describe the software requirements for implementing WSUS 3.0. For Internet Information Services (IIS), you must enable the following components:
- Windows Authentication
- ASP.NET
- 6.0 Management Compatibility
- IIS Metabase Compatibility

References:
Server and Client Requirements http://go.microsoft.com/fwlink/?LinkID=112105&clcid=0x409
Microsoft Report Viewer Redistributable 2005 http://go.microsoft.com/fwlink/?LinkID=70410

Automatic Updates Configuration
Configure Automatic Updates by using Group Policy:
- Computer Configuration/Administrative Templates/Windows Components/Windows Update
- Requires updated wuau.adm administrative template
Requires:
- Windows Vista
- Windows Server 2008
- Windows Server 2003
- Windows XP Professional SP2
- Windows 2000 Professional SP4, Windows 2000 Server/Advanced Server SP3 or SP4

Describe that Automatic Updates configuration involves pointing the client to the WSUS server. You can do this with Group Policy for Active Directory environments, or you can configure it by editing the local Group Policy or by using the registry editor for clients in a non-Active Directory environment.

Group Policy Settings

Configure Automatic Updates: The settings for this policy enable you to configure how Automatic Updates works.

Specify intranet Microsoft Update service location: The settings for this policy enable you to specify a WSUS server that Automatic Updates will contact for updates.

Enable client-side targeting: This policy enables client computers to add themselves to target computer groups on the WSUS server when Automatic Updates is redirected to a WSUS server.

Reschedule Automatic Updates scheduled installations: This policy specifies the time that Automatic Updates should wait after system startup before proceeding with a scheduled installation that did not occur earlier.

No autorestart for scheduled Automatic Update installation options: This policy specifies that to complete a scheduled installation, Automatic Updates will wait for the computer to be restarted instead of causing the computer to restart automatically.

Automatic Update detection frequency: This policy specifies the number of hours that Windows will wait before checking for available updates. The exact wait time is determined by using the number of hours you specify minus a random value between 0 and 20 percent of that number.

Allow Automatic Update Immediate Installation: This policy specifies whether Automatic Updates should install certain updates automatically that neither interrupt Windows services nor restart Windows.

References: Determine a Method to Configure Clients http://go.microsoft.com/fwlink/?LinkID=112106&clcid=0x409

Demonstration: Installing and Configuring WSUS
In this demonstration, you will see how to:
- Install WSUS
- Configure Automatic Update client settings using Group Policy

For this demonstration, perform the following tasks:
- Install WSUS.
- On the domain controller, configure Group Policy settings to configure automatic-update retrieval from the WSUS server.

Lesson 5: Managing WSUS
- WSUS Administration
- Managing Computer Groups
- Approving Updates
- Demonstration: Managing WSUS

WSUS Administration
Describe how a major change in WSUS 3.0 is that it now uses an MMC console for administration. Describe each of the nodes in the console tree. Explain that the first configuration step is to open the options window and configure options such as synchronization schedule.

References: Managing Windows Server Update Services 3.0 http://go.microsoft.com/fwlink/?LinkId=102274&clcid=0x409

Managing Computer Groups
- Computers are automatically added
- Default computer groups: All Computers, Unassigned Computers
- Client-side targeting

Be sure to point out that for clients to be added automatically, you first must configure client computers to contact the WSUS server before you can manage them from that server. Until you perform this task, your WSUS server will not recognize your client computers and they will not be displayed in the list on the Computers page.

Computers always are assigned to the All Computers group, and remain assigned to the Unassigned Computers group until you assign them to another group. Computers can belong to more than one group.

Computer groups can be set up in hierarchies, such as the Payroll and Accounts Payable groups below the Accounting group. Updates that are approved for a higher group will be deployed automatically to lower groups, and to the higher group itself. Thus, if you approve Update1 for the Accounting group, the update will be deployed to all the computers in the Accounting group, as well as all the computers in the Payroll and Accounts Payable groups.

References: Managing the Client Computers and Computer Groups http://go.microsoft.com/fwlink/?LinkID=112107&clcid=0x409

Approving Updates

Approval options include: Install, Decline, Unapprove, Removal.
Automated approval is also supported.

Mention that you can approve installation of updates for all the computers in your WSUS network or for different computer groups. After approving an update, you can do one or more of the following:

Apply this approval to child groups, if any.
Set a deadline for automatic installation. When you select this option, you set specific times and dates to install updates, overriding any settings on the client computers. Additionally, you can specify a past date for the deadline if you want to approve an update immediately, which means it is installed the next time client computers contact the WSUS server.
Remove an installed update if that update supports removal.

References: Approving the Updates, http://go.microsoft.com/fwlink/?LinkID=112108&clcid=0x409
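The approval with a past deadline described above can also be made through the WSUS administration API. This is an added example, not part of the course material; it assumes an elevated Windows PowerShell session on the WSUS server, uses the Accounting group from the earlier slide, and uses KB0000000 as a placeholder for the update to approve.

```powershell
# Added example: approve one update for one group with a deadline in the past.
# Assumption: run elevated on the WSUS server, where the administration API is installed.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

$groupName = 'Accounting'   # group name from the slide's example hierarchy
$titleLike = 'KB0000000'    # placeholder: text that identifies the update to approve

$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $groupName }
if (-not $group) { throw "Computer group '$groupName' not found." }

# Refuse to continue unless the search text matches exactly one update that is
# not declined, so a loose search string cannot approve the wrong update.
$updates = @($wsus.SearchUpdates($titleLike) | Where-Object { -not $_.IsDeclined })
if ($updates.Count -ne 1) {
    throw "Expected exactly one matching update, found $($updates.Count)."
}
$update = $updates[0]

# An update with an unaccepted license agreement cannot be approved; stop so
# that an administrator reviews and accepts it in the console first.
if ($update.RequiresLicenseAgreementAcceptance) {
    throw "'$($update.Title)' has a license agreement that must be accepted first."
}

# A deadline in the past means the update is installed the next time each
# client in the group (and in its child groups) contacts the WSUS server.
$install  = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
$deadline = (Get-Date).AddDays(-1)
[void]$update.Approve($install, $group, $deadline)

# Record of who approved what, for which group, and with which deadline.
$update.GetUpdateApprovals() |
    Select-Object ComputerTargetGroupId, Action, Deadline, CreationDate, AdministratorName
```

Because a past deadline overrides the installation schedule set on the client computers, test the update on a small group before approving it this way for a parent group.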

Demonstration: Managing WSUS

In this demonstration, you will see how to:
Add a computer to WSUS
Approve an update

In this demonstration, perform the following tasks:
Add a computer to the WSUS console.
Approve an update to be applied to the computer.

Lab: Configuring Server Security Compliance

Lab objectives:
Configure and analyze security using the Security Configuration Wizard (SCW)
Use the Security Configuration and Analysis Wizard to analyze security templates
Configure Windows Software Update Services

Scenario: The Windows Infrastructure Services Technology Specialist (WIS TS) has been tasked with configuring and managing server and client security-patch compliance. The WIS TS needs to ensure systems maintain compliance with corporate standards.

Exercise 1: Configuring and Analyzing Security. The student will use the SCW to secure the local server.
Exercise 2: Analyzing Security Templates. The student will use the Security Configuration and Analysis tool to create, analyze, and apply security templates.
Exercise 3: Configuring Windows Software Update Services. Students will install and configure a WSUS server. Students also will configure Group Policy to allow client computers to contact the WSUS server.

Inputs: Provided scenario, virtual machines
Outputs: WSUS server installed

Logon information:
Virtual machines: NYC-DC1, NYC-SVR1, and NYC-CL2
User name: Administrator
Password: Pa$$w0rd

Estimated time: 90 minutes

Lab Review

Question: What recourse do you have if the desired result is not met when applying changes using the Security Configuration Wizard to secure server infrastructure?
Answer: You can use the rollback feature to revert to a point in time prior to applying the SCW policy.

Question: How can you verify compatibility with existing settings before you apply a template to a GPO for deployment or apply the template to a local computer?
Answer: You can use the Security Configuration and Analysis tool to compare the template settings against those that are applied already and review discrepancies to verify compatibility.

Question: After installing the WSUS server software, a wizard appears to help you with the configuration of WSUS properties. How can you change any incorrectly assigned properties after the wizard has been completed?
Answer: You can use the WSUS administration console, and select Options in the list pane. You then can change individual properties or choose to run the wizard again to reconfigure the WSUS installation.

Module Review and Takeaways

Review Questions

Question: What kind of challenges might a small to medium-sized business experience that a larger enterprise would not?
Answer: Expertise in specific departments may be lacking, servers might host a multitude of roles, there may not be enough individuals available to implement and manage a more robust solution, and there may be a lack of funds for hardware and, in some cases, physical security.

Question: What is one benefit of using the Security Configuration and Analysis tool to compare template settings against the settings presently applied to the computer?
Answer: You can identify conflicting items or items that are configured differently prior to assigning the template to the computer.

Question: If you decide to put an audit policy in place, how should you configure the security-log properties in Event Viewer?
Answer: You should ensure that there is adequate space for generated events, configure the log to not overwrite events, and specify an interval when administrators should save and clear the log for reference or legal reasons.

Question: What must an administrator do before any update is sent to clients and servers via WSUS?
Answer: Configure automatic approval of certain types of updates or manually specify that the update is approved for installation.

Question: What is the reason for setting a deadline for automatic installation to a past date?
Answer: The update would be applied immediately at the next interval when the computer contacts the WSUS server.

Best Practices

Regardless of the operating system you are using, the basic steps for securing it are the same. Consider the following best practices for securing an operating system:

Install all operating-system patches.
Verify user-account security.
Eliminate unnecessary applications and network services.
Install and configure necessary applications and network services.
Configure system logging to record significant events.
Keep applications and operating-system patches up to date.

Course Evaluation

Remind students to complete the course evaluation.