
Module 9 Configuring Server Security Compliance. Module Overview Securing a Windows Infrastructure Overview of EFS Configuring an Audit Policy Overview.


1 Module 9 Configuring Server Security Compliance

2 Module Overview
- Securing a Windows Infrastructure
- Overview of EFS
- Configuring an Audit Policy
- Overview of Windows Server® Update Services (WSUS)
- Managing WSUS

3 Lesson 1: Securing a Windows Infrastructure
- Discussion: Challenges of Securing a Windows® Infrastructure
- Applying Defense-in-Depth to Increase Security
- Core Server Security Practices

4 Discussion: Challenges of Securing a Windows Infrastructure
- Discuss consequences of not addressing security within your network environment.
- Discuss challenges related to implementing and managing secure configuration of servers.
- Discuss challenges related to protecting against malicious software threats and intrusions.
- Discuss challenges implementing effective identity and access control.

5 Applying Defense-in-Depth to Increase Security
Defense-in-depth provides multiple layers of defense to protect a networking environment
- Policies, Procedures, & Awareness: security documents, user education
- Physical Security: guards, locks
- Perimeter: firewalls
- Internal Network: network segments, IPsec
- Host: OS hardening, authentication
- Application: application hardening, antivirus
- Data: ACLs, encryption, EFS

6 Core Server Security Practices
- Apply the latest service pack and all available security updates
- Use the Security Configuration Wizard to scan and implement server security
- Use Group Policy and security templates to harden servers
- Restrict scope of access for service accounts
- Restrict who can log on locally to servers
- Restrict physical and network access to servers

7 Lesson 2: Overview of EFS
- What Is Encrypting File System?
- What Is BitLocker Drive Encryption?
- Troubleshooting EFS

8 What Is Encrypting File System?
Encrypting File System (EFS) is a system for encrypting files
EFS:
- File contents are protected by a symmetrical key
- The symmetrical key is protected by asymmetrical encryption
- Enabled in the properties of a file
- Requires a user certificate
- Can be used on shared files
- Can be configured with a recovery agent in case user certificates are lost

9 What Is BitLocker Drive Encryption?
BitLocker is a system that encrypts the entire operating system drive and potentially data volumes
BitLocker Drive Encryption:
- Helps protect data on the operating system drive
- Helps protect the operating system from modification
- Access to the operating system drive is controlled by encryption keys

10 Troubleshooting EFS
Determine if the problem occurs when encrypting or decrypting files, and whether the files are local or remote
Check the following items:
Unable to Encrypt
- The volume is NTFS
- User has Write access to file
- Roaming user profiles generally required to encrypt remote files
Unable to Decrypt
- File location is trusted for delegation
- Roaming profile is available
- User account cannot be delegated
- Certificate or Private Key problems

11 Lesson 3: Configuring an Audit Policy
- What Is Auditing?
- What Is an Audit Policy?
- Types of Events to Audit
- Troubleshooting Audit Policy

12 What Is Auditing?
Auditing tracks user and operating system activities, and records selected events in security logs, such as:
- What occurred?
- Who did it?
- When?
- What was the result?
Enable auditing to:
- Create a baseline
- Detect threats and attacks
- Determine damages
- Prevent further damage
Audit access to objects, management of accounts, and users logging on and off

13 What Is an Audit Policy?
An audit policy determines the security events that will be reported to the network administrator
Set up an audit policy to:
- Track success or failure of events
- Minimize unauthorized use of resources
- Maintain a record of activity
Security events are stored in security logs

14 Types of Events to Audit
- Account Logon
- Account Management
- Directory Service Access
- Directory Service Changes
- Directory Service Replication
- Detailed Directory Service Replication
- Logon
- Object Access
- Policy Change
- Privilege Use
- Process Tracking
- System

17 Troubleshooting Audit Policy
View Security Log in Event Viewer
After you configure auditing, it may not work for the following reasons:
- A site, a domain, or an organizational unit policy setting overrides the audit policy that you configured
- A GPO that overrides the audit policy setting has a higher priority
- The site, the domain, or the organizational unit policy setting that contains the audit policy setting has not replicated to other computers
Object Access Auditing
- Understand how inheritance affects file and folder auditing
- Test an audit rule for a file or folder
- Open and close the file or folder
- View the security log to ensure Event ID 4663 is logged
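
The object access test above, written out as a script. This is an added example and not part of the course material; the path C:\AuditTest\probe.txt and the 'Everyone' audit principal are assumptions chosen for the test, and the script must run from an elevated PowerShell prompt.

```powershell
# Added example (not from the course material). Run elevated on a test server.
# $path is a constructed location used only for this check.
$path = 'C:\AuditTest\probe.txt'
New-Item -ItemType Directory -Path (Split-Path $path) -Force | Out-Null
Set-Content -Path $path -Value 'audit probe'

# 1. Show the effective setting. A local change is replaced at the next policy
#    refresh if a site, domain or OU GPO also defines the audit policy.
auditpol /get /subcategory:"File System"

# 2. Enable success and failure auditing for file system object access.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 3. Add an audit rule (SACL entry) to the file; without one, nothing is
#    logged even when object access auditing is enabled.
$rights = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData'
$flags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule   = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList 'Everyone', $rights, $flags
$acl    = Get-Acl -Path $path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# 4. Open and close the file, then give the event log a moment to catch up.
$start = Get-Date
Get-Content -Path $path | Out-Null
Start-Sleep -Seconds 2

# 5. Look for Event ID 4663 entries that name this file.
$hits = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $start } -ErrorAction SilentlyContinue |
    Where-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        ($data | Where-Object { $_.Name -eq 'ObjectName' }).'#text' -eq $path
    }

if ($hits) {
    $hits | Select-Object TimeCreated, Id, MachineName | Format-Table -AutoSize
} else {
    # No event: check which GPOs apply to this computer and may override the setting.
    Write-Warning 'No 4663 event found for the test file.'
    gpresult /r /scope computer
}
```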

18 Demonstration: How to Configure Auditing
In this demonstration, you will see how to:
- Enable auditing for various events
- Enable object access auditing

19 Lesson 4: Overview of Windows Server Update Services (WSUS)
- What Is Windows Server Update Services?
- Obtaining Updates
- Windows Server Update Services Process
- WSUS Deployment Considerations
- Server Requirements for WSUS
- Installing WSUS
- WSUS Group Policy Settings
- Automatic Updates Configuration

20 What Is Windows Server Update Services?
[Diagram: Microsoft Update Web site, Internet, server running Windows Server Update Services, LAN, Automatic Updates clients, test clients]

21 Obtaining Updates
[Diagram: Windows Update, WSUS, WSUS]

22 Windows Server Update Services Process
Update Management
Phase 1: Assess
- Set up a production environment that will support update management for both routine and emergency scenarios
Phase 2: Identify
- Discover new updates in a convenient manner
- Determine whether updates are relevant to the production environment
Phase 3: Evaluate and Plan
- Test updates in an environment that resembles, but is separate from, the production environment
- Determine the tasks necessary to deploy updates into production, plan the update releases, build the releases, and then conduct acceptance testing of the releases
Phase 4: Deploy
- Approve and schedule update installations
- Review the process after the deployment is complete

23 WSUS Deployment Considerations
- Internet connectivity
- Number of WSUS servers
- Simple WSUS deployment
- WSUS server hierarchy
- Computer groups
- Update storage

24 Server Requirements for WSUS
Software requirements:
- Windows Server 2003 SP1 or Windows Server 2008
- IIS 6.0 or later
- Windows Installer 3.1 or later
- Microsoft .NET Framework 2.0
- SQL Server 2005 SP1 or later (optional)
- Microsoft Report Viewer Redistributable 2005

25 Installing WSUS
Considerations for installing the WSUS Server:
- Select Update Source
- Select the software used to manage the WSUS database
- Select the Web site that WSUS will use to point client computers to WSUS
The WSUS Administration Console:
- The WSUS 3.0 administration console can be used to manage any WSUS server that has a trust relationship with the administration console computer

26 WSUS Group Policy Settings
Group Policy can specify:
- Which WSUS server to use
- Whether update notifications are displayed
- Frequency of checking for updates
- Auto-restart behavior
- WSUS computer group membership
- Whether computers should wake up to apply updates

27 Automatic Updates Configuration
Configure Automatic Updates by using Group Policy
- Computer Configuration/Administrative Templates/Windows Components/Windows Update
- Requires updated wuau.adm administrative template
Requires:
- Windows Vista
- Windows Server 2008
- Windows Server 2003
- Windows XP Professional SP2
- Windows 2000 Professional SP4, Windows 2000 Server/Advanced Server SP3 or SP4
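
To confirm on a client that the Group Policy settings listed on the two slides above have applied, the policy values they write to the registry can be read back and checked. This is an added example and not part of the course material; it assumes the standard Windows Update policy key and value names and PowerShell 3.0 or later.

```powershell
# Added example (not from the course material): read the Windows Update policy
# values that Group Policy writes on a client and report obvious gaps.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or the value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$policy = [pscustomobject][ordered]@{
    WUServer                      = Get-PolicyValue $wu 'WUServer'            # which WSUS server
    WUStatusServer                = Get-PolicyValue $wu 'WUStatusServer'
    UseWUServer                   = Get-PolicyValue $au 'UseWUServer'
    AUOptions                     = Get-PolicyValue $au 'AUOptions'           # notify / download / schedule
    DetectionFrequencyEnabled     = Get-PolicyValue $au 'DetectionFrequencyEnabled'
    DetectionFrequency            = Get-PolicyValue $au 'DetectionFrequency'  # hours between checks
    NoAutoRebootWithLoggedOnUsers = Get-PolicyValue $au 'NoAutoRebootWithLoggedOnUsers'
    TargetGroupEnabled            = Get-PolicyValue $wu 'TargetGroupEnabled'  # client-side targeting
    TargetGroup                   = Get-PolicyValue $wu 'TargetGroup'
}
$policy | Format-List

$findings = @()
if (-not $policy.WUServer) {
    $findings += 'No WSUS server is set by policy.'
}
if ($policy.UseWUServer -ne 1) {
    $findings += 'UseWUServer is not 1, so the client does not use the WSUS server.'
}
if ($policy.WUServer -and $policy.WUServer -ne $policy.WUStatusServer) {
    $findings += 'WUServer and WUStatusServer differ.'
}
if ($policy.TargetGroupEnabled -eq 1 -and -not $policy.TargetGroup) {
    $findings += 'Client-side targeting is enabled but no computer group is named.'
}
if ($policy.AUOptions -notin 2, 3, 4, 5) {
    $findings += 'AUOptions is not one of the configured update modes (2-5).'
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { 'Client policy points at WSUS: ' + $policy.WUServer }
```

An empty report usually means the GPO has not been applied to the computer yet; run gpupdate /force and check again.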

28 Demonstration: Configuring WSUS
In this demonstration, you will see how to:
- Configure Automatic Update client settings using Group Policy

29 Lesson 5: Managing WSUS
- WSUS Administration
- Managing Computer Groups
- Approving Updates
- Server Core Security Updates

30 WSUS Administration
Command-line tools for managing updates:
- Wuauclt.exe – controls the Windows Update Agent
- Wsusutil.exe – management of WSUS

31 Managing Computer Groups
- Computers are automatically added
- Default computer groups: All Computers, Unassigned Computers
- Client-side targeting

32 Approving Updates
Approval options include:
- Install
- Decline
- Unapprove
- Removal
Automated approval is also supported

33 Demonstration: Managing WSUS
In this demonstration, you will see how to:
- Add a computer to WSUS
- Approve an update

34 Server Core Security Updates
(In the commands below, <update> is a placeholder for the name of the update package.)
To enable Windows Update on Server Core:
- cscript C:\Windows\system32\scregedit.wsf /AU 4
To manually install updates onto Server Core:
- wusa.exe <update>.msu /quiet
To manually remove updates from Server Core:
- In <update>.xml, replace Install with Remove and save the file.
- pkgmgr /n:<update>.xml

35 Lab: Manage Server Security
- Exercise 1: Configuring Windows Software Update Services
- Exercise 2: Configure Auditing
Logon information
- Virtual machine: NYC-DC1, NYC-SVR1, NYC-CL2
- User name: Administrator
- Password: Pa$$w0rd
Estimated time: 60 minutes

36 Lab Scenario As the Windows Infrastructure Services Technology Specialist, you have been tasked with configuring and managing server and client security patch compliance as well as implementing an audit policy to track specific events occurring in AD DS. You must ensure systems maintain compliance with corporate standards.

37 Lab Review
- After installing the WSUS server software, a wizard appears to help you with the configuration of WSUS properties. How can you change any incorrectly assigned properties after the wizard has been completed?
- When implementing directory service auditing, what criteria are relevant when choosing to implement success and/or failure?

38 Module Review and Takeaways
- Review Questions
- Best Practices

