Presentation on theme: "Planning and Administering Windows Server® 2008 Servers"— Presentation transcript:
1. Planning and Administering Windows Server® 2008 Servers
Course 6430A
Module 5: Managing Windows Server 2008 Security
Presentation: 40 minutes
Lab: 80 minutes

This module helps students to plan and implement Windows Server 2008 security.

After completing this module, students will be able to:
- Plan a defense-in-depth strategy for Windows Server 2008 security.
- Implement host-level security for Windows Server 2008.
- Implement network security for Windows Server 2008 servers.

Required materials
To teach this module, you need the Microsoft Office PowerPoint® file 6430A_05.ppt.
Important: It is recommended that you use PowerPoint 2002 or a later version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides might not be displayed correctly.

Preparation tasks
To prepare for this module:
- Read all of the materials for this module.
- Practice performing the demonstrations and the lab exercises.
- Work through the Module Review and Takeaways section and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance.

Make sure that students are aware that there is additional information and resources for the module on the Course Companion CD.

2. Module 5: Managing Windows Server 2008 Security
- Planning a Defense-in-Depth Strategy
- Implementing Host-Level Security for Windows Server 2008
- Implementing Network Security for Windows Server 2008

Explain to students that this module outlines the defense-in-depth approach to IT security, but it does not cover every aspect of this approach in detail.
Reiterate to students that this course is aimed at server administrators. This is not a “how-to” course; therefore, it has a significant number of planning exercises with less focus on “hands-on” exercises than some courses. The course content and exercises direct students toward making decisions and providing guidance to others.
A server administrator is often a person who is moving from a technical specialist role to a decision-making role. This course reflects the decision-making tasks that a server administrator undertakes. Server administrators often act as an escalation point and sit between the technical specialist role and the architect role.
Students should expect to undertake many of the actions that are required of a server administrator during this course, including:
- Planning tasks.
- Relating business requirements to technical capabilities.

Use the questions in the student notes for each topic to interact with the students and determine their level of understanding, and then use this information to pitch the course at a level that is appropriate to the audience.

3. Lesson: Planning a Defense-in-Depth Strategy
- Characteristics of a Defense-in-Depth Strategy
- Layers in a Defense-in-Depth Strategy

Introduce the lesson as an overview of the requirements and considerations for a defense-in-depth strategy.

4. Characteristics of a Defense in Depth Strategy
A robust defense-in-depth strategy includes:
- A security risk management framework
- Identity and access management policies
- Network protection
- Update management
- Education
- Incident response
- Continual reassessment and optimization

Remind students that security is always changing, so a good security strategy must reassess and adapt as new threats are identified.
Reinforce each bullet point with examples. Pay particular attention to education, as users are often the weak link in the “security chain.”
Reference (TechNet): ms-help://MS.TechNet.2007JUL.1033/itsolutions/tnoffline/itsolutions/msit/security/mssecbp.htm

5. Layers in a Defense-in-Depth Strategy
- Policies and procedures
- Physical security
- Perimeter defenses
- Network defenses
- Host defenses
- Application defenses
- Data defenses

Question students about the different devices or methods used to secure each level.
Emphasize that policies and procedures should encompass all the requirements at each level. A good set of policies should be understood by employees, because it tells them what they should do to help secure the network.
Reference -

6. Lesson: Implementing Host-Level Security for Windows Server 2008
- Assigning Administrative Permissions
- Windows Server 2008 Firewall Configuration
- Implementing Security Policies
- Implementing Security Templates
- Converting Security Configuration Wizard Settings to Security Templates

Emphasize to students that this lesson will focus on the host-layer aspects of security.

7. Assigning Administrative Permissions
- Principle of least privilege
  - Identify administrative permissions or privileges required
  - Grant only those permissions or privileges
- Granting privileges
  - Factors affecting decision
  - Relinquishing rights

Ask students why the principle of least privilege for user accounts is important.
Ask students what accounts might require administrative privileges – don’t forget service accounts.

8. Windows Server 2008 Firewall Configuration
- Direction
- Port
- Program
- Protocol
- Source IP address
- Destination IP address
- Connection security rule

Run through each of the configuration options and give examples to students.
Explain that rules can be configured to override other rules (such as block rules).
You may want to recap some common port numbers with students.
Discuss firewall best practice of blocking all traffic (inbound and outbound) and allowing only known protocols or ports.
Discuss with students the tools available to configure Windows Firewall:
- Windows Firewall with Advanced Security MMC snap-in
- SCW
- Group Policy

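The block-by-default practice and the rule criteria from this slide, shown as an added example that is not part of the course material: a batch script for an elevated command prompt on a Windows Server 2008 file server. The subnets, rule names and backup path are assumptions chosen for illustration.

```batch
@echo off
rem Added example, not from the course. Run from an elevated command prompt.
rem Assumed values: client subnet, admin subnet, rule names, backup path.
setlocal
set CLIENTS=10.10.0.0/16
set ADMINS=10.10.50.0/24
set BACKUP=%SystemDrive%\fw-before-baseline.wfw

rem Save the current policy first. Restore with: netsh advfirewall import <file>
netsh advfirewall export "%BACKUP%"

rem Add the allow rules before tightening the defaults, so a remote
rem management session is not cut off part-way through the change.

rem Inbound SMB: direction + protocol + local port + source address.
netsh advfirewall firewall add rule name="FS-In-SMB" dir=in action=allow ^
    protocol=TCP localport=445 remoteip=%CLIENTS% profile=domain

rem Inbound Remote Desktop, limited to the administrators' subnet.
netsh advfirewall firewall add rule name="FS-In-RDP-Admins" dir=in action=allow ^
    protocol=TCP localport=3389 remoteip=%ADMINS% profile=domain

rem Outbound DNS: the server is also a network client. The rule is scoped
rem to a program and service as well as to protocol and remote port.
netsh advfirewall firewall add rule name="FS-Out-DNS" dir=out action=allow ^
    protocol=UDP remoteport=53 profile=domain ^
    program="%SystemRoot%\System32\svchost.exe" service=dnscache

rem Default behaviour for every profile: block whatever no rule allows,
rem inbound and outbound, and make sure the firewall is switched on.
rem A domain member also needs outbound access to its domain controllers;
rem confirm logon and Group Policy refresh on a test server first.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
netsh advfirewall set allprofiles state on

rem Review the result.
netsh advfirewall show allprofiles firewallpolicy
netsh advfirewall firewall show rule name="FS-In-SMB" verbose
endlocal
```

Rules that were already enabled stay in effect after this script; list them with `netsh advfirewall firewall show rule name=all` and disable the ones the server role does not need.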
9. Implementing Security Policies
Security Configuration Wizard template settings include:
- Server roles
- Client features
- Additional services
- Firewall rules
- Authentication options
- Audit policy

Remind students that network servers must also function as network clients, for example, using DNS or DHCP.
Explain to students that a single security template does not have to include all these settings, and that you can include other template settings when you create a new template.
You may want to elaborate further on what audit settings are available and when you would use them. Explain to students that too much auditing can be as much a problem as too little auditing.
The next two slides discuss how to implement these templates after you create them.
Remind students that these templates should be documented and tested before being applied to a production server.

10. Implementing Security Templates
- Built-in templates
  - Configure default security settings or recommended values
- Microsoft templates
  - Download additional templates with security guides
- Custom templates
  - Security Templates MMC snap-in
  - Security Configuration and Analysis MMC snap-in

Describe to students the importance of uniformity and consistency of security configurations.

11. Converting Security Configuration Wizard Settings to Security Templates
Convert SCW security policies directly to GPOs:

    Scwcmd.exe transform /p:SCWpolicyname.xml /g:GPOname

Point out to students that this conversion creates a new GPO in the domain.
Also point out to the students that there are no sample templates provided in Windows Server. The following is a link to the security templates provided with the Windows Server Security Guide.

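The conversion on this slide, placed after the testing step the course asks for, as an added example that is not part of the course material. The policy path, test server name, result folder and GPO name are assumptions; the `analyze`, `configure`, `rollback` and `view` subcommands belong to the same Scwcmd.exe tool.

```batch
@echo off
rem Added example, not from the course. Run as a domain administrator.
rem Assumed values: policy path, test server name, result folder, GPO name.
setlocal
set POLICY=C:\SCW\FileServerPolicy.xml
set TESTSRV=NYC-SVR1
set RESULTS=C:\SCW\Results
set GPONAME=File Server Security Policy

rem 1. Report where the test server differs from the policy.
rem    This step only compares; it changes nothing on the server.
scwcmd analyze /m:%TESTSRV% /p:%POLICY% /o:%RESULTS%

rem    The results are XML files in the result folder. Render one as a
rem    readable report with: scwcmd view /x:<result file>
dir "%RESULTS%\*.xml"
pause

rem 2. Apply the policy to the test server only, then check that the
rem    server still performs its role and can still be managed remotely.
scwcmd configure /m:%TESTSRV% /p:%POLICY%
echo Test %TESTSRV% now. To undo the policy: scwcmd rollback /m:%TESTSRV%
pause

rem 3. Convert the tested policy to a GPO (the command from the slide).
scwcmd transform /p:%POLICY% /g:"%GPONAME%"
endlocal
```

The new GPO has no effect until it is linked to the OU that holds the target servers, so link it to a test OU first.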
12. Lesson: Implementing Network Security for Windows Server 2008
- Windows Server 2008 Server Locations
- Options for Network Security
- Recommendations for Implementing Windows Server 2008 Server Core

This lesson focuses on some aspects of network security for Windows Server 2008.

13. Windows Server 2008 Server Locations
- Bastion host
- Perimeter network
- Internal
- Segmented networks

Ask students, or suggest, server types for each location.
Discuss with students whether the perimeter network (also known as DMZ, demilitarized zone, and screened subnet) and bastion host will include domain members. Typically, best practice security policies restrict the deployment of computers that are domain members into a perimeter network, but there may be exceptions. In some enterprise networks with large perimeter networks, there may be a separate forest deployed to the perimeter network.
The following slide will expand on the use of segmented networks.

14. Options for Network Security

Requirement: Secure Network Access
Security measures:
- Physical security
- 802.1x authentication
- Network segmentation
- Firewalls
- Network Access Protection (NAP)

Requirement: Secure Network Traffic
Security measures:
- IPSec

Discuss the requirements and implementation of 802.1x, such as machine certificate or MAC address based authentication.
Ask delegates how network segmentation, firewalls, or the use of TCP/IP filtering could be used to protect servers holding confidential data.

15. Recommendations for Implementing Windows Server 2008 Server Core
Server Core enables you to install roles without additional services or the GUI.

Slide labels:
- Extranet
- AD DS
- AD LDS
- DHCP
- DNS
- File Server
- Print Server
- IIS
- Streaming Media
- Perimeter network

Ask students why Server Core installations can be more secure.
Ask students how Server Core installations can be managed – remind them that remote management tools will require matching firewall rules.
Ask students if they can think of other locations or uses where Server Core could be beneficial.

16. Lab: Managing Windows Server 2008 Security
- Exercise 1: Planning a Windows Server 2008 Security Configuration
- Exercise 2: Implementing File Server Security

In this lab, students will plan a Windows Server 2008 security configuration.
Exercise 1: In this exercise, students will plan firewall rules and audit policy requirements.
Exercise 2: In this exercise, students will implement a security policy by using the SCW and Group Policy.

Before the students begin the lab, read the scenario associated with each exercise to the class. This will reinforce the broad issue that the students are troubleshooting and will help to facilitate the lab discussion at the end of the module. Remind the students to complete the discussion questions after the last lab exercise.
Note: The lab exercise answer keys are provided on the Course Companion CD. To access the answer key, click the link located at the bottom of the relevant lab exercise page.

Logon information
Virtual machine: 6430A-NYC-DC1-05, 6430A-NYC-SVR1-05
User name: Woodgrovebank\Administrator
Password: Pa$$w0rd

Estimated time: 45 minutes

17. Module Review and Takeaways
- Review Questions
- Best Practices
- Tools

Review Questions: Point the students to the appropriate section in the course so that they are able to answer the questions presented in this section.
Best Practices: Help the students understand the best practices presented in this section. Ask students to consider these best practices in the context of their own business situations.
Tools: Point out the location from which each key tool can be installed. Let students review the function and usage of each tool on their own. Remind students that they can use this as a master list to help them gather all the tools required to facilitate their application support work.