
1 Windows Server 2003 Security Donald E. Hester CISSP, CISA, MCT, MCSE, MCSA, MCDST, Security+, CTT+, MV Maze & Associates San Diego City College Los Medanos College

2 What we are looking at today

3 Priority Shift
- Access was a top priority
  - Open-by-default
  - Start with everything open and then start locking down as needed
- Control is now a top priority
  - Closed-by-default
  - Start with everything closed and open only what is needed

4 Security Enhancements

5 Server 2003 Defaults
- IIS – Internet Information Services
  - IIS is not installed by default
  - When you install IIS 6 it is locked down
- More startup services are disabled in 2003
- Everyone Group
  - No longer has full control; it has read and execute
  - No longer includes anonymous users

6 Server 2003 Defaults
- Accounts with null passwords are console-bound
- Software restriction policies
  - Hash rule
  - Path rule
  - Certificate rule
  - Internet Zone rule
- Protected EAP (PEAP)
- Detailed security auditing

7 File System
- NTFS
  - Permissions & auditing
  - EFS - Encrypted File System (multiple users)
  - VSS - Volume Shadow Copy (Server 2003)
  - Quotas
  - ABE (Server 2003 SP1)
- Future developments
  - WinFS
    - Won’t be in Longhorn

8 ABE (Access-Based Enumeration)

9 Internet Connection Firewall / Windows Firewall

10 ICF vs. Windows Firewall
- Boot-time Security
- Global configuration
- Audit logging
- Scope restrictions
- Command-line support
- Program-based exceptions
- Multiple Profiles
- Unattended setup support
- Enhanced multicast and broadcast support
- IPv6 support
- New Group Policy Support

11 PSSU (Post-Setup Security Updates)
- Service Pack 1 enhancement
- Protects the computer until it can update
- Uses Windows Firewall

12 DEP (Data Execution Prevention)
- Prevent malicious software rather than error out and potentially crash the system
- Hardware-enforced DEP
  - Protects memory locations
  - The no-execute page-protection (NX) processor feature as defined by AMD
  - The Execute Disable Bit (XD) feature as defined by Intel
- Software-enforced DEP
  - Protects system binaries and exception-handling
  - Software built with SafeSEH

13 TCP/IP protection
- Enhancements:
  - Smart TCP port allocation
  - SYN attack protection is enabled by default
  - New SYN attack notification IP Helper APIs
  - Winsock self-healing

14 What Is Network Access Quarantine?
[Flow diagram; labels as they appear on the slide:]
- Remote access client authenticates
- RAS client placed in Quarantine
- RAS client meets Quarantine policies
- RAS client gets full access to network
- RAS client disconnected
  1. RAS client fails policy check
  2. Quarantine timeout reached

15 Trusts in Windows Server 2003
[Diagram: Forest 1 and Forest 2, each with a forest root domain; Domains A, B, C, D, E, F, P and Q; and a Kerberos realm. Trust types shown: Tree/Root Trust, Parent/Child Trust, Shortcut Trust, Forest Trust, External Trust, Realm Trust.]

16 Coming Soon: IE 7
- Information Security Magazine (Jan 2006)

17 Server Hardening

18
- Appropriate settings for a secure baseline
  - Settings for applications and services
  - Operating system components
  - Permissions and rights
  - Administrative procedures
  - Physical access

19 Server Hardening - Templates
- Predefined Security Templates
- Security Guide Templates
- Industrial Templates
  - SANS
  - CIAC
  - NSA
  - DoD
- Custom Templates

20 Template Deployment
- Test before deployment
- Periodic analysis
  - Security Configuration and Analysis snap-in
  - Scripting (Secedit.exe)
- Deployment Methods
  - Group Policy (Active Directory)
  - Security Configuration and Analysis snap-in
  - Scripting (Secedit.exe)
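
As an added illustration of the periodic-analysis step on this slide (not part of the original presentation), the following Python script compares a baseline security template with a settings export such as the one `secedit /export /cfg` writes. Both INF texts are constructed samples and the function names are hypothetical.

```python
import configparser

# Constructed sample data: a hardening baseline template and a policy export
# in the security-template INF layout (key names are standard template keys).
BASELINE_INF = """\
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
EnableGuestAccount = 0
[Event Audit]
AuditLogonEvents = 3
AuditPolicyChange = 3
"""
EXPORTED_INF = """\
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 1
AuditPolicyChange = 3
"""
IGNORED_SECTIONS = {"Unicode", "Version"}  # file metadata, not settings


def parse_template(text):
    """Return {section: {key: value}} with key case preserved."""
    parser = configparser.ConfigParser(
        delimiters=("=",), interpolation=None, strict=False)
    parser.optionxform = str  # template keys are mixed-case; keep them as written
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()
            if name not in IGNORED_SECTIONS}


def find_drift(baseline, actual):
    """List (section, key, expected, found); found is None when the key is absent."""
    findings = []
    for section, settings in baseline.items():
        for key, expected in settings.items():
            found = actual.get(section, {}).get(key)
            if found != expected:
                findings.append((section, key, expected, found))
    return findings


if __name__ == "__main__":
    drift = find_drift(parse_template(BASELINE_INF), parse_template(EXPORTED_INF))
    for section, key, expected, found in drift:
        print(f"[{section}] {key}: expected {expected}, found {found}")
```

Exported template files are typically UTF-16 encoded, so decode them accordingly before passing the text to `parse_template`.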

21 Server Hardening
- Security Configuration Wizard (SCW)
  - Comes with Service Pack 1 (Server 2003)
  - Disables unneeded services
  - Blocks unused ports
  - Allows further address or security restrictions for ports that are left open
  - Prohibits unnecessary Internet Information Services (IIS) Web extensions, if applicable
  - Reduces protocol exposure to server message block (SMB), NTLM, LanMan, and Lightweight Directory Access Protocol (LDAP)
  - Defines a high signal-to-noise audit policy
  - Best for servers with multiple roles

22 Security Configuration Wizard
- Supports
  - Rollback
  - Analysis
  - Remote configuration
  - Command-line support
  - Active Directory integration
  - Policy editing
  - Export to Group Policy

23 Security Tools

24 Updates
- Manual
  - Requires user intervention – labor intensive
- Windows Updates
  - Automatic process, fine for small deployments
- SUS
  - Updates approved critical patches for multiple machines at an administrator-appointed time (replaced with WSUS)
- WSUS
  - Same as SUS but includes support for other patches such as Office and critical drivers

25 PKI
- Some uses
  - EFS, Authentication, Smart Card, IPSec, Servers
- Auto enrollment
- Command line tools (Certreq.exe, Certutil.exe)
- Key recovery (DRA or KRA)
- Delta CRL

26 Available Tools - GPMC
- New User Interface
- Backup and restore
- Import and export
- Group Policy Modeling
- Resultant Set of Policy (RSoP)

27 Available Tools - MBSA
- Microsoft Baseline Security Analyzer (v2)

28 Available Tools - MSAT
- Microsoft Security Assessment Tool

29 Available Tools – Windows Defender
- Microsoft Anti-Spyware – Windows Defender
  - Spyware detection
  - Scheduled scanning and removal
  - Straightforward operation and thorough removal technology

30 Available Tools
- Security Resource Kit
  - Various tools to enumerate access control lists, list drivers, list services, dump event logs, parse logs, determine authentication method, and much more
- Security Guide
  - Templates
  - Various test scripts

31 3rd Party Tools
- Winternals
- Sysinternals
- CERT
- SANS

32 Resources
- Windows Server 2003 Security Guide
- WindowSecurity.com
- (Feedback )
- Microsoft Windows Security Resource Kit (2nd Ed.) ISBN
- Service Pack 1 Overview
  - erver2003/servicepack/overview.mspx

33 Resources
- Microsoft Security Assessment Tool (MSAT)
  - https://www.securityguidance.com/
- Microsoft Security
- Microsoft Baseline Security Analyzer (MBSA)
  - sahome.mspx
- Microsoft Anti-Spyware (beta) Defender
  - software/default.mspx

34 Resources
- RootKit Revealer
  - er.html
- Strider GhostBuster Project (Rootkit detector)
- Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP

35 Contact Info
- Donald E. Hester
- https://www.linkedin.com/in/donaldehester

