Presentation is loading. Please wait.

Presentation is loading. Please wait.

Implementing Server Security on Windows 2000 and Windows Server 2003 Fabrizio Grossi.

Published byGeorgiana Bruce Modified over 9 years ago

Similar presentations

Presentation on theme: "Implementing Server Security on Windows 2000 and Windows Server 2003 Fabrizio Grossi."— Presentation transcript:

1

2 Implementing Server Security on Windows 2000 and Windows Server 2003 Fabrizio Grossi

3 Agenda  Introduction to Securing Servers  Core Server Security  Active Directory Security  Hardening Member Servers  Hardening Domain Controllers  Hardening Servers for Specific Roles  Hardening Stand-Alone Servers

4 Security Considerations for Small and Medium-Size Businesses Servers with a variety of roles Internal or accidental threat Limited resources to implement secure solutions Lack of security expertise Older systems in use Legal Consequences Physical access negates many security procedures

5 Server Security Principles  Confidentiality ensures protection of information access  Integrity ensures that information has not been modified  Availability ensures ready access to information Confidentiality IntegrityAvailability Security Principles

6 Defense in Depth  Using a layered approach:  Increases an attacker’s risk of detection  Reduces an attacker’s chance of success Policies, Procedures, & Awareness OS hardening, patch management, authentication, HIDS Firewalls, VPN quarantine Guards, locks, tracking devices Network segments, IPSec, NIDS Application hardening, antivirus ACL, encryption User education Physical Security Perimeter Internal Network Host Application Data

7 Agenda  Introduction to Securing Servers  Core Server Security  Active Directory Security  Hardening Member Servers  Hardening Domain Controllers  Hardening Servers for Specific Roles  Hardening Stand-Alone Servers

8 Core Server Security Practices Apply the latest Service Pack and all available security patches Use Group Policy to harden servers - Disable services that are not required - Implement secure password policies - Disable LAN Manager and NTLMv1 authentication Restrict physical and network access to servers

9 Recommendations for Hardening Servers  Rename the built-in Administrator and Guest accounts  Restrict access for built-in and non- operating system service accounts  Do not configure a service to log on using a domain account  Use NTFS to secure files and folders

10 Agenda  Introduction to Securing Servers  Core Server Security  Active Directory Security  Hardening Member Servers  Hardening Domain Controllers  Hardening Servers for Specific Roles  Hardening Stand-Alone Servers

11 Establishing a Role-Based OU Hierarchy  An OU hierarchy based on server roles:  Simplifies security management issues  Applies security policy settings to servers and other objects in each OU Domain Policy Domain Domain Engineering Member Server Baseline Policy Member Servers Domain Controllers Domain Controller Policy Print Server Policy File Server Policy IIS Server Policy Print Servers File Servers Web Servers Operations Admin Web Service Admin

12 Administrative Best Practices Establish secure directory service and data administration practices Delegate the minimum permissions required Distinguish between service and data administrative roles

13 Agenda  Introduction to Securing Servers  Core Server Security  Active Directory Security  Hardening Member Servers  Hardening Domain Controllers  Hardening Servers for Specific Roles  Hardening Stand-Alone Servers

14 Infrastructure Servers File & Print Servers IIS Servers Certificate Services Servers Bastion Hosts Server Hardening Overview  Apply baseline security settings to all member servers  Apply additional settings for specific server roles  Use GPResult to ensure that settings are applied correctly Securing Active Directory Apply Member Server Baseline Policy RADIUS (IAS) Servers Hardening Procedures Apply Incremental Role-Based Security Settings

15 Member Server Baseline Security Template  Modify and apply the Member Server Baseline security template to all member servers  Settings in Member Server Baseline security template:  Audit Policy  User Rights Assignment  Security Options  Event Log  System Services

16 Best Practices for Using Security Templates Review and modify security templates before using them Use security configuration and analysis tools to review template settings before applying them Test templates thoroughly before deploying them Store security templates in a secure location

17 Agenda  Introduction to Securing Servers  Core Server Security  Active Directory Security  Hardening Member Servers  Hardening Domain Controllers  Hardening Servers for Specific Roles  Hardening Stand-Alone Servers

18 Configuring Security for Domain Controllers Secure the domain controller build environment Establish domain controller build practices that provide security Maintain physical security

19 Best Practices for Hardening Domain Controllers Use appropriate security methods to control physical access to domain controllers Implement appropriate auditing and event log settings Use Group Policy to apply the Domain Controller security template to all domain controllers Disable services that are not required

20 Agenda  Introduction to Securing Servers  Core Server Security  Active Directory Security  Hardening Member Servers  Hardening Domain Controllers  Hardening Servers for Specific Roles  Hardening Stand-Alone Servers

21 Using Security Templates for Specific Server Roles  Servers that perform specific roles can be organized by OU under the Member Servers OU  First, apply the Member Server Baseline template to the Member Servers OU  Then, apply the appropriate role-based security template to each OU under the Member Servers OU  Customize security templates for servers that perform multiple roles

22 Hardening Infrastructure Servers  Apply the security settings in the Infrastructure Server security template  Manually configure additional settings on each infrastructure server  Configure DHCP logging  Protect against DHCP DoS attacks  Use Active Directory-integrated DNS for Active Directory zones  Secure service accounts  Allow only those ports needed for server applications by using IPSec filters

23 Hardening File Servers  Apply the security settings in the File Server security template  Manually configure additional settings on each file server  Disable DFS and FRS if they are not required  Secure shared files and folders by using NTFS and share permissions  Enable auditing of critical files  Secure service accounts  Allow only specific ports by using IPSec filters

24 Hardening Print Servers  Apply the security settings in the Print Server security template  Manually configure additional settings on each print server  Ensure that the Print Spooler service is enabled  Secure well-known accounts  Secure service accounts  Allow only specific ports by using IPSec filters

25 Hardening IIS Servers  Apply the security settings in the IIS Server security template  Manually configure each IIS server   Install the IIS Lockdown and configure URLScan on all IIS 5.0 installations   Enable only essential IIS components   Configure NTFS permissions for all folders that contain Web content   Install IIS and store Web content on a dedicated disk volume   If possible, do not enable both the Execute and Write permissions on the same Web site   On IIS 5.0 servers, run applications using Medium or High Application Protection   Use IPSec filters to allow only ports 80 and 443

26 Best Practices for Hardening Servers for Specific Roles Secure well-known user accounts Enable only services required by role Enable service logging to capture relevant information Use IPSec filtering to block specific ports based on server role Modify templates as needed for servers with multiple roles

27 Agenda  Introduction to Securing Servers  Core Server Security  Active Directory Security  Hardening Member Servers  Hardening Domain Controllers  Hardening Servers for Specific Roles  Hardening Stand-Alone Servers

28 Hardening Stand-Alone Servers  Must manually apply security settings to each stand-alone server instead of using Group Policy  May need to create a customized security template for each stand-alone server  Use Security Configuration and Analysis tool or Secedit to apply security template settings  Security Configuration And Analysis  Allows the comparison and application of various security templates  Secedit  Command-line version of the Security Configuration and Analysis tool that allows scripted application of security templates

29 How to Use Secedit to Harden Stand-Alone Servers 1. Configure a custom security template with the desired security settings for the stand-alone server 2. Open a command prompt on the stand-alone server 3. Create a settings database from the custom security template by typing: secedit /import /db c:\security.sdb /cfg security template name 4. Apply the settings in the database to the stand- alone server by typing: secedit /configure /db c:\security.sdb

30 Best Practices for Hardening Stand-Alone Servers Use the Security Configuration and Analysis tool to apply templates to stand-alone servers Configure service settings according to server role requirements Enable service logging to capture relevant information Use IPSec for port filtering based on server role

31 Next Steps 1. Stay informed about security  Sign up for security bulletins http://www.microsoft.com/security/security_bulletins/alerts2.asp  Get the latest Microsoft security guidance: http://www.microsoft.com/technet/security/bestprac/ 2. Get additional security training  Find online and in-person training seminars: http://www.microsoft.com/seminar/events/security.mspx  Find a local CTEC for hands-on training: http://www.microsoft.com/learning/

32 For More Information  Microsoft Security Site (all audiences)  http://www.microsoft.com/security  TechNet Security Site (IT professionals)  http://www.microsoft.com/technet/security  MSDN Security Site (developers)  http://msdn.microsoft.com/security

33

Download ppt "Implementing Server Security on Windows 2000 and Windows Server 2003 Fabrizio Grossi."

Similar presentations

Planning and Administering Windows Server® 2008 Servers

Planning and Administering Windows Server® 2008 Servers
Establishing an OU Hierarchy for Managing and Securing Clients Base design on business and IT needs Split hierarchy Separate user and computer OUs Simplifies.

Establishing an OU Hierarchy for Managing and Securing Clients Base design on business and IT needs Split hierarchy Separate user and computer OUs Simplifies.
MCDST 70-271: Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 7: Troubleshoot Security Settings and Local Security.

MCDST : Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 7: Troubleshoot Security Settings and Local Security.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
Paula Kiernan Senior Consultant Ward Solutions

Paula Kiernan Senior Consultant Ward Solutions
Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia

Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.
Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.

Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
© 2003 Microsoft Limited. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied,

© 2003 Microsoft Limited. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied,
Implementing Application and Data Security Presenter Name Job Title Company.

Implementing Application and Data Security Presenter Name Job Title Company.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 14: Windows Server 2003 Security Features.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 14: Windows Server 2003 Security Features.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 14: Windows Server 2003 Security Features.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 14: Windows Server 2003 Security Features.
Implementing Server Security on Windows 2000 and Windows Server 2003 Steve Lamb Technical Security Advisor

Implementing Server Security on Windows 2000 and Windows Server 2003 Steve Lamb Technical Security Advisor
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.
Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
Secure SQL Server configuration Pat Larkin Ward Solutions

Secure SQL Server configuration Pat Larkin Ward Solutions
Installing and Configuring a Secure Web Server COEN 351 David Papay.

Installing and Configuring a Secure Web Server COEN 351 David Papay.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.

Similar presentations

Ads by Google