Objectives
Windows Firewall with Advanced Security
BitLocker
Update and maintain your clients using Windows Server Update Services
Microsoft Baseline Security Analyzer

Security Configuration Wizard
Security Configuration Wizard (SCW)
–Wizard for hardening your network servers
–Available in Administrative Tools
Security policies can be created for:
–Role-based service configuration
–Network security
–Registry settings
–Audit policy

Windows Firewall
Allows users to turn the firewall off or on
By default, Windows Firewall is turned on and allows exceptions for programs and ports
Allows you to create exceptions for inbound traffic
Exception
–Instruction to open a port briefly, allow a program or service to pass information, and then close the port

Windows Firewall with Advanced Security
Used to manage Windows Firewall based on port, services, applications, and protocols

Windows Firewall with Advanced Security
Available nodes:
–Inbound rules
–Outbound rules
–Connection security rules (IPSec configuration)
–Monitoring
Available network profiles
–Public (e.g. Wi-Fi hot spots, non-company networks)
    –Most hardened
–Private (internal network behind a firewall)
    –Less hardened
–Domain
Deploying Windows Firewall settings via Group Policy
–WFAS allows you to import or export firewall policies
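
The per-profile state and the inbound exceptions described above can be audited from PowerShell. This is an added example, not part of the original slides; it assumes the HNetCfg.FwPolicy2 COM interface (Windows Vista / Server 2008 and later), and the function names are hypothetical.

```powershell
# Added example (not from the slides): audit firewall profiles and inbound
# exceptions through the HNetCfg.FwPolicy2 COM interface.
$ProfileBits = @{ Domain = 1; Private = 2; Public = 4 }  # NET_FW_PROFILE2_* values
$Allow   = 1                                             # NET_FW_ACTION_ALLOW
$Inbound = 1                                             # NET_FW_RULE_DIR_IN

function Get-FirewallProfileState {
    # One object per profile: is the firewall on, and what happens to
    # inbound traffic that matches no rule?
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    foreach ($name in 'Domain', 'Private', 'Public') {
        $bit = $ProfileBits[$name]
        $inDefault = if ($fw.DefaultInboundAction($bit) -eq $Allow) { 'Allow' } else { 'Block' }
        New-Object PSObject -Property @{
            Profile        = $name
            Enabled        = $fw.FirewallEnabled($bit)
            InboundDefault = $inDefault
            Active         = [bool]($fw.CurrentProfileTypes -band $bit)
        }
    }
}

function Get-BroadInboundException {
    # Enabled inbound allow rules that apply on the Public profile and
    # accept traffic from any remote address: the exceptions to review first.
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    $fw.Rules | Where-Object {
        $_.Enabled -and $_.Direction -eq $Inbound -and $_.Action -eq $Allow -and
        ($_.Profiles -band $ProfileBits.Public) -and $_.RemoteAddresses -eq '*'
    } | Select-Object Name, Protocol, LocalPorts, ApplicationName
}

$state = Get-FirewallProfileState
$state | Format-Table Profile, Enabled, InboundDefault, Active -AutoSize

# Flag any profile that is switched off or that allows inbound traffic by default.
$state | Where-Object { -not $_.Enabled -or $_.InboundDefault -eq 'Allow' } |
    ForEach-Object { Write-Warning "$($_.Profile) profile is off or allows inbound by default" }

Get-BroadInboundException | Format-Table -AutoSize
```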

BitLocker
Provides hard drive–based encryption of servers and Windows Vista computers
Encrypts entire Windows system volume of a computer running Windows Server 2008
Designed to enhance protection against data theft or exposure on computers that are lost or stolen

BitLocker Authentication Modes
Four authentication modes used by BitLocker
–BitLocker with a TPM
    –Does not prevent boot
–BitLocker with Universal Serial Bus (USB) flash drive in place of TPM
    –Protects boot. Key on a flash drive
–BitLocker with a TPM and a personal identification number (PIN)
    –Protects boot with PIN. Multifactor authentication
–BitLocker with a TPM and a USB flash drive
    –Protects boot and provides multifactor authentication

Installing BitLocker
Hard drive that supports BitLocker needs to be configured before installing BitLocker
–Download BitLocker Drive Preparation Tool from
–BitLocker requires at least 1.5 GB of unallocated or available drive space
System volume is responsible for maintaining the unencrypted boot information
Boot volume will contain the OS files and be encrypted by BitLocker
Turn on BitLocker from Control Panel > BitLocker Drive Encryption
Group Policy to allow turning on BitLocker without a TPM
–Computer Configuration\Administrative Template\

Installing BitLocker (Continued)
Control Panel > BitLocker Drive Encryption
Group Policy to turn on BitLocker without TPM
–Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

Updating Windows Server 2008
Windows Update (in Control Panel)
–Suite of tools and services for applying updates to systems
–Responsible for downloading and installing updates from Microsoft
–Requires access to the Internet

Windows Server Update Services
Benefits:
–Centralizes the updating tasks for client and server
–Minimizes effects on the WAN connection
–Improves network security and reliability
–Improves installation of relevant updates
–Targets updates to specific computers and groups
Basic requirements before installing WSUS 3.0 SP1
–Microsoft Internet Information Services (IIS) 7.0
–Microsoft Report Viewer Redistributable 2005
–Minimum of 6 GB of free space for storing downloaded updates
–WSUS requires a database to keep records of updates
    –Internal DB or SQL Server 2005 SP1 or later
    –Windows authentication (SQL authentication is not supported)

Working with WSUS
–WSUS Administrative console allows you to:
    –Generate reports
    –Daily/Weekly reports via & when updates are synchronized.
    –Manage updates
    –Monitor the computer through the console
–WSUSutil.exe: a command-line tool managing WSUS

Windows Server Update Services
Configuring clients
–To use the WSUS server for updates
–Clients must be Windows 2000 SP3 or later
–By default, client checks for update every 17–22 hrs.
Approving and deploying updates
–Using the Update Services console, you can control
    –Which updates are applied
    –Which computers receive the updates
    –When the updates are distributed
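
Whether a client is actually pointed at the WSUS server, and how often it checks in, can be read from the policy values Group Policy writes to the client's registry. This is an added example, not part of the original slides; the function names are hypothetical. The 17–22 hour figure comes from the 22-hour default detection interval, from which the client subtracts a random offset of up to 20 percent.

```powershell
# Added example (not from the slides): report the WSUS settings that Group
# Policy has written to this client's registry.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = "$WuKey\AU"

function Get-PolicyValue([string]$Key, [string]$Name) {
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

function Get-WsusClientConfig {
    $server  = Get-PolicyValue $WuKey 'WUServer'
    $status  = Get-PolicyValue $WuKey 'WUStatusServer'
    $useWsus = (Get-PolicyValue $AuKey 'UseWUServer') -eq 1

    # Detection interval: 22 hours unless the policy overrides it.
    $hours = 22
    if ((Get-PolicyValue $AuKey 'DetectionFrequencyEnabled') -eq 1) {
        $hours = [int](Get-PolicyValue $AuKey 'DetectionFrequency')
    }

    $issues = @()
    if (-not $server) {
        $issues += 'WUServer not set: client is not pointed at a WSUS server'
    } elseif (-not $useWsus) {
        $issues += 'UseWUServer is not 1: the WUServer value is ignored'
    }
    if ($server -and $server -ne $status) {
        $issues += 'WUStatusServer differs from WUServer'
    }
    if ($server -like 'http://*') {
        $issues += 'WUServer uses plain HTTP rather than HTTPS'
    }

    New-Object PSObject -Property @{
        WUServer        = $server
        UseWUServer     = $useWsus
        DetectionWindow = '{0:N1}-{1} hours' -f ($hours * 0.8), $hours
        Issues          = $issues
    }
}

Get-WsusClientConfig | Format-List WUServer, UseWUServer, DetectionWindow, Issues
```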

Microsoft Baseline Security Analyzer 2.1
A tool to analyze your current security posture
MBSA scans for missing security updates for the following products
–Windows 2000 SP4 and later
–Microsoft Office XP and later
–Microsoft Exchange Server 2000 and later
–Microsoft SQL Server 2000 SP4 and later
MBSA
–Free download from Microsoft
–Can be used on a local computer or to connect to one or more remote computers on your network
Options for running MBSA on remote computers
–Domain name and IP address range

Microsoft Baseline Security Analyzer (Continued)
When MBSA scans a computer, it creates a report that is organized into the following areas
–Security Assessment
–Security Update Scan Results
–Windows Scan Results
–Internet Information Services (IIS) Scan Results
–SQL Server Scan Results
–Desktop Application Scan Results
Scanning a computer with MBSA
–You can perform MBSA scans using:
    –The GUI-based tool
    –The mbsacli.exe command-line tool
–Requires Internet connectivity
–Can scan computer, remote computer, or groups of remote computers.