Presentation is loading. Please wait.

Presentation is loading. Please wait.

Module 14: Securing Windows Server 2003. Overview Introduction to Securing Servers Implementing Core Server Security Hardening Servers Microsoft Baseline.

Published byHilda Harvey Modified over 9 years ago

Similar presentations

Presentation on theme: "Module 14: Securing Windows Server 2003. Overview Introduction to Securing Servers Implementing Core Server Security Hardening Servers Microsoft Baseline."— Presentation transcript:

1 Module 14: Securing Windows Server 2003

2 Overview Introduction to Securing Servers Implementing Core Server Security Hardening Servers Microsoft Baseline Security Analyzer

3 Lesson: Introduction to Securing Servers Security Challenges for Small and Medium-Sized Businesses Fundamental Security Trade-Offs What Is the Defense-in-Depth Model? Microsoft Windows Server Security Guidance

4 Security Challenges for Small and Medium- Sized Businesses Servers with a Variety of Roles Limited Resources to Implement Secure Solutions Internal or Accidental Threat Older Systems in Use Physical Access Negates Many Security Measures Lack of Security Expertise Legal Consequences

5 Fundamental Security Trade-Offs Security Trade-Offs Usability Low Cost Security

6 What Is the Defense-in-Depth Model? Increases an attacker’s risk of detection Reduces an attacker’s chance of success Security documents, user education Policies, Procedures, & Awareness Physical Security OS hardening, authentication Firewalls Guards, locks Network segments, IPSec Application hardening, antivirus ACLs, encryption, EFS Perimeter Internal Network Host Application Data

7 Microsoft Windows Server Security Guidance Threats and Countermeasures Guide Windows Server 2003 Security Guide Default Access Control Settings in Windows Server 2003 Security Innovations in Windows Server 2003 Technical Overview of Windows Server 2003 Security Services

8 Lesson: Implementing Core Server Security Core Server Security Practices Recommendations for Hardening Servers Windows Server 2003 SP1 Security Enhancements What Is Windows Firewall? Post-Setup Security Updates What Is the Security Configuration Wizard? Practice: Implementing Core Server Security

9 Core Server Security Practices Apply the latest service pack and all available security updates Use Group Policy to harden servers Use MBSA to scan server security configurations Restrict physical and network access to servers Apply the latest service pack and all available security updates Use Group Policy to harden servers Use MBSA to scan server security configurations Restrict physical and network access to servers

10 Rename the built-in Administrator and Guest accounts Use restricted groups Restrict who can log on locally to servers Restrict access for built-in and non-operating- system service accounts Do not configure a service to log on using a domain account Use NTFS permissions to secure files and folders Recommendations for Hardening Servers

11 Windows Server 2003 SP1 Security Enhancements SP1 uses a proactive approach to securing the server by reducing the attack surface Restricts anonymous access to RPC services Restricts DCOM activation, launch, and call privileges and differentiate between local and remote clients Supports no execute hardware to prevent executables from running in memory spaces marked as nonexecutable Supports VPN Quarantine Supports IIS 6.0 metabase auditing Restricts anonymous access to RPC services Restricts DCOM activation, launch, and call privileges and differentiate between local and remote clients Supports no execute hardware to prevent executables from running in memory spaces marked as nonexecutable Supports VPN Quarantine Supports IIS 6.0 metabase auditing

12 What Is Windows Firewall? Enabled by default in new installs Audit logging to track firewall activity Boot-time security Global configuration Port restrictions based on the client network On with no exceptions Exceptions list Group Policy support

13 Post-Setup Security Updates

14 What Is the Security Configuration Wizard? SCW provides guided attack surface reduction Disables unnecessary services and IIS Web extensions Blocks unused ports and secure ports that are left open using IPSec Reduces protocol exposure Configures audit settings Disables unnecessary services and IIS Web extensions Blocks unused ports and secure ports that are left open using IPSec Reduces protocol exposure Configures audit settings SCW supports: Rollback Analysis Remote configuration Command-line support Active Directory integration Policy editing Rollback Analysis Remote configuration Command-line support Active Directory integration Policy editing

15 Practice: Implementing Core Server Security In this practice, you will: Configure Windows Firewall Install the Security Configuration Wizard Use the Security Configuration Wizard

16 Lesson: Hardening Servers What Is Server Hardening? What Is the Member Server Baseline Security Template? Security Threats to Domain Controllers Implement Password Security Security Templates for Specific Server Roles Best Practices for Hardening Servers for Specific Roles Practice: Hardening Servers

17 What Is Server Hardening? Bastion Hosts Verify settings application Apply Baseline Settings Securing Active Directory Infrastructure Servers File and Print Servers IIS Servers RADIUS (IAS) Servers Certificate Services Servers

18 Modify and apply the Member Server Baseline security template to all member servers Audit Policy User Rights Assignment Security Options Event Log System Services Audit Policy User Rights Assignment Security Options Event Log System Services Settings in the Member Server Baseline security template: What Is the Member Server Baseline Security Template?

19 Security Threats to Domain Controllers Modification of Active Directory data Password attacks against administrator accounts Denial-of-service attacks Replication prevention attacks Exploitation of known vulnerabilities Modification of Active Directory data Password attacks against administrator accounts Denial-of-service attacks Replication prevention attacks Exploitation of known vulnerabilities

20 Implement Password Security Use complex passwords to help prevent security breaches Do not implement authentication protocols that require reversible encryption Disable LM hash value storage in Active Directory Use complex passwords to help prevent security breaches Do not implement authentication protocols that require reversible encryption Disable LM hash value storage in Active Directory

21 Security Templates for Specific Server Roles Organize servers that perform specific roles by OU under the Member Servers OU Apply the Member Server Baseline security template to the Member Servers OU Customize security templates for servers that perform multiple roles Apply the appropriate role-based security template to each OU under the Member Servers OU

22 Best Practices for Hardening Servers for Specific Roles Modify security templates as needed for servers with multiple roles Enable only services required by role Enable service logging Use IPSec filtering to block all ports except the specific ports needed Secure service accounts and well-known user accounts

23 Practice: Hardening Servers In this practice, you will apply a security template by using Group Policy

24 Lesson: Microsoft Baseline Security Analyzer What Is MBSA? MBSA Benefits How MBSA Works MBSA Scan Options Practice: Microsoft Baseline Security Analyzer

25 What Is MBSA? Scans systems for:  Missing security updates  Potential configuration issues Works with a broad range of Microsoft software Allows an administrator to centrally scan multiple computers simultaneously MBSA is a free tool, and can be downloaded from the Microsoft TechNet Web site

26 MBSA Benefits MBSA reports important vulnerabilities: Password weaknesses Guest account not disabled Auditing not configured Unnecessary services installed IIS product vulnerabilities IE zone settings Automatic Updates configuration Windows XP firewall configuration Password weaknesses Guest account not disabled Auditing not configured Unnecessary services installed IIS product vulnerabilities IE zone settings Automatic Updates configuration Windows XP firewall configuration

27 How MBSA Works Windows Download Center MBSA Computer MSSecure.xml

28 MBSA Scan Options MBSA has three scan options: MBSA graphical user interface (GUI) MBSA standard command-line interface (mbsacli.exe) HFNetChk scan (mbsacli.exe /hf) MBSA graphical user interface (GUI) MBSA standard command-line interface (mbsacli.exe) HFNetChk scan (mbsacli.exe /hf)

29 Practice: Microsoft Baseline Security Analyzer In this practice, you will: Install MBSA Scan a computer by using MBSA

30 Lab: Securing Windows Server 2003 In this lab, you will: Use the Security Configuration Wizard Configure a Group Policy object for member servers Scan a range of computers by using MBSA

31 Course Evaluation

Download ppt "Module 14: Securing Windows Server 2003. Overview Introduction to Securing Servers Implementing Core Server Security Hardening Servers Microsoft Baseline."

Similar presentations

Planning and Administering Windows Server® 2008 Servers

Planning and Administering Windows Server® 2008 Servers
Chapter 10 Securing Windows Server 2008 MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration.

Chapter 10 Securing Windows Server 2008 MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
Windows Server 2003 SP1. Windows Server™ 2003 Service Pack 1 Technical Overview Jill Steinberg: Added TM Jill Steinberg: Added TM.

Windows Server 2003 SP1. Windows Server™ 2003 Service Pack 1 Technical Overview Jill Steinberg: Added TM Jill Steinberg: Added TM.
Paula Kiernan Senior Consultant Ward Solutions

Paula Kiernan Senior Consultant Ward Solutions
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.
Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia

Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
Windows 2003 SP1 Member Server in ASU Active Directory WNUG/CCC February 2, 2006 Sharon Bushart CLAS Information Technology.

Windows 2003 SP1 Member Server in ASU Active Directory WNUG/CCC February 2, 2006 Sharon Bushart CLAS Information Technology.
Implementing Application and Data Security Presenter Name Job Title Company.

Implementing Application and Data Security Presenter Name Job Title Company.
Chapter 6: Configuring Security. Group Policy and LGPO Setting Options Software Installation not available with LGPOs Remote Installation Services Scripts.

Chapter 6: Configuring Security. Group Policy and LGPO Setting Options Software Installation not available with LGPOs Remote Installation Services Scripts.
Implementing Server Security on Windows 2000 and Windows Server 2003 Steve Lamb Technical Security Advisor

Implementing Server Security on Windows 2000 and Windows Server 2003 Steve Lamb Technical Security Advisor
Patching MIT SUS Services IS&T Network Infrastructure Services Team.

Patching MIT SUS Services IS&T Network Infrastructure Services Team.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 11 Managing and Monitoring a Windows Server 2008 Network.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 11 Managing and Monitoring a Windows Server 2008 Network.
Secure SQL Server configuration Pat Larkin Ward Solutions

Secure SQL Server configuration Pat Larkin Ward Solutions
Installing and Configuring a Secure Web Server COEN 351 David Papay.

Installing and Configuring a Secure Web Server COEN 351 David Papay.
Module 8: Implementing Administrative Templates and Audit Policy.

Module 8: Implementing Administrative Templates and Audit Policy.
Module 9 Configuring Server Security Compliance. Module Overview Securing a Windows Infrastructure Overview of EFS Configuring an Audit Policy Overview.

Module 9 Configuring Server Security Compliance. Module Overview Securing a Windows Infrastructure Overview of EFS Configuring an Audit Policy Overview.
2851A_C01. Microsoft Windows XP Service Pack 2 Security Technologies Bruce Cowper IT Pro Advisor Microsoft Canada.

2851A_C01. Microsoft Windows XP Service Pack 2 Security Technologies Bruce Cowper IT Pro Advisor Microsoft Canada.

Similar presentations

Ads by Google