Paula Kiernan Senior Consultant Ward Solutions

Presentation on theme: "Paula Kiernan Senior Consultant Ward Solutions"— Presentation transcript:

1 Securing Your Servers
Paula Kiernan, Senior Consultant, Ward Solutions

2 Session Overview
- Defense in Depth
- Malware Defense for Servers
- Malware Outbreak Control and Recovery
- Hardening Servers

3 Defense-in-Depth
Using a layered approach:
- Increases an attacker’s risk of detection
- Reduces an attacker’s chance of success
Layers, from the outside in, with the controls applied at each layer:
- Policies, procedures, and awareness: security policies, procedures, and education
- Physical security: guards, locks, tracking devices
- Perimeter: firewalls, border routers, VPNs with quarantine procedures
- Internal network: network segments, IPSec, NIDS
- Host: OS hardening, authentication, update management, antivirus updates, auditing
- Application: application hardening
- Data: strong passwords, ACLs, encryption, EFS, backup and restore strategy

4 Server Security Best Practices
- Apply the latest Service Pack and all available security patches
- Keep anti-virus software up-to-date
- Restrict physical and network access to servers
- Use Group Policy to harden servers

Student Notes: There are several core server security practices. You can think of these fundamental practices as a baseline to which you can add advanced server security practices. An example of adding advanced server security practices to existing core practices is the defense-in-depth security strategy recommended by Microsoft. Defense in depth recognizes that security is most effective when computers and data are protected by more than one layer of security. Core server security practices include:
- Applying the latest service pack and all available security patches. Service packs increase operating system security and stability. Most attacks against servers exploit vulnerabilities that have been previously reported and fixed in a service pack or in an operating system security patch. Computers that do not have the latest service pack and security patches installed are vulnerable.
- Using Group Policy to harden servers. You can use Group Policy to:
  - Disable services that are not required. Any service or application is a potential point of attack. Therefore, disable or remove all unneeded services and executable files to reduce the attack surface.
  - Implement secure password policies. You can strengthen the password and account lockout policy settings for a domain controller, member server, or stand-alone server by applying the settings in an appropriate security template.
  - Disable LAN Manager and NTLMv1 authentication and storage of LAN Manager hashes. Implementing this practice may prevent access by legacy clients, so it is necessary to ensure that you can configure these settings without disabling functionality that you require.
- Restricting physical and network access to servers. Store servers in a locked room. Use cardkey locks or cipher-locks on the entrances to the locked room. Prevent domain controllers from booting to an alternate operating system. Allow only trusted personnel to have access to servers. Establish security practices for service administrators and data administrators to ensure that only personnel that require access to servers have that access. Assign only the permissions and user rights necessary to each user in your organization.
This is not an exclusive list; however, it represents some of the most common fundamental server security practices. You may already be using many, if not most, of these core security practices on the servers on your network.

5 Protecting Servers: What Are the Challenges?
Challenges to protecting servers include:
- Maintaining reliability and performance
- Maintaining security updates
- Maintaining antivirus updates
- Applying specialized defense solutions based upon server role
- Securing servers with multiple roles

6 Session Overview
- Defense in Depth
- Malware Defense for Servers
- Malware Outbreak Control and Recovery
- Hardening Servers

7 What Is Server-Based Malware Defense?
Basic steps to defend servers against malware include:
- Reduce the attack surface
- Apply security updates
- Enable a host-based firewall
- Analyze using configuration scanners
- Analyze port information

8 Implementing Server-Based Host Protection Software
Considerations when implementing server-based antivirus software include:
- CPU utilization during scanning
- Application reliability
- Management overhead
- Application interoperability

9 Implementing Security Patch Management
Use the appropriate patch management tools for your environment:
- Windows Update
- Office Update
- WSUS / SUS
- SMS
- MBSA

10 Protecting Servers: Best Practices
- Consider each server role implemented in your organization to implement specific host protection solutions
- Stage all updates through a test environment before releasing into production
- Deploy regular security and antivirus updates as required
- Implement a self-managed host protection solution to decrease management costs

11 Session Overview
- Defense in Depth
- Malware Defense for Servers
- Malware Outbreak Control and Recovery
- Hardening Servers

12 How to Confirm the Malware Outbreak
The process for infection confirmation includes:
- Reporting unusual activity
- Gathering the basic information
- Evaluating the data
- Gathering the details
- Responding to unusual activity
Evaluation outcome: False alarm? Hoax? Known infection? New infection?

13 How to Respond to a Malware Outbreak
Outbreak control mechanism tasks include:
- Disconnect the compromised systems from the network
- Isolate the network(s) containing the infected hosts
- Disconnect the network from all external networks
- Research outbreak control and cleanup techniques
Examples of recovery goals include:
- Minimal disruption to the organization’s business
- Fastest possible recovery time
- The capture of information to support prosecution
- The capture of information to allow for additional security measures to be developed
- Prevention of further attacks of this type

14 How to Analyze the Malware Outbreak
The following analysis tasks help you to understand the nature of the outbreak:
- Checking for active processes and services
- Checking the startup folders
- Checking for scheduled applications
- Analyzing the local registry
- Checking for corrupted files
- Checking users and groups
- Checking for shared folders
- Checking for open network ports
- Checking and exporting system event logs
- Running MSCONFIG

15 How to Recover from a Malware Outbreak
Use the following process to recover from a virus outbreak:
1. Restore missing or corrupt data
2. Remove or clean infected files
3. Confirm that your computer systems are free of malware
4. Reconnect your computer systems to the network

16 How to Perform a Postrecovery Analysis
Postrecovery analysis steps include the following:
- Postattack review meeting
- Postattack updates

17 Session Overview
- Defense in Depth
- Malware Defense for Servers
- Malware Outbreak Control and Recovery
- Hardening Servers

18 Hardening Servers
- Core Server Hardening Tasks
- Active Directory Security
- Hardening Servers with Specific Roles
- Hardening Application Servers

19 Core Server Hardening Tasks
- Apply the latest Service Pack and all available security patches
- Keep anti-virus software up-to-date
- Restrict physical and network access to servers
- Use Group Policy to harden servers
  - Disable services that are not required
  - Implement secure password policies
  - Disable LAN Manager and NTLMv1 authentication

20 Additional Recommendations for Securing Servers
- Rename the built-in Administrator and Guest accounts
- Restrict access for built-in and non-operating system service accounts
- Do not configure a service to log on using a domain account
- Use NTFS to secure files and folders
- Educate IT staff on secure password practices

21 Active Directory Security
- Identify the Active Directory security boundary
  - Forest
  - Site
  - Domain
  - Organizational Unit
- Base the Active Directory design on Group Policy and delegation requirements

22 Using Group Policy
- Strengthen the settings in the Default Domain Policy
- Ensure that password and account policies meet your organization’s security requirements
- Review audit settings on important Active Directory objects

23 Security Templates
- Security Templates can be used to harden servers
- Security Templates are implemented using:
  - Security Configuration and Analysis Tool
  - secedit
  - Group Policy
- Windows Server 2003 Security Guide supplies default templates: windowsserver2003/w2003hg/sgch00.mspx

24 Security Template Best Practices
- Review and modify security templates before using them
- Use security configuration and analysis tools to review template settings before applying them
- Test templates thoroughly before deploying them
- Store security templates in a secure location

25 Demonstration: Using Security Templates
Implementing Security Templates

26 Hardening Servers with Specific Roles
Server roles: Infrastructure Servers, File & Print Servers, IIS Servers, Certificate Services Servers, Bastion Hosts, RADIUS (IAS) Servers
Hardening procedures:
1. Securing Active Directory
2. Apply Member Server Baseline Policy
3. Apply Incremental Role-Based Security Settings
- Apply baseline security settings to all member servers
- Apply additional settings for specific server roles
- Use GPResult to ensure that settings are applied correctly

27 Best Practices for Hardening Servers for Specific Roles
- Secure well-known user accounts
- Enable only services required by role
- Enable service logging to capture relevant information
- Use IPSec filtering to block specific ports based on server role
- Modify templates as needed for servers with multiple roles

Student Notes: Hardening servers for specific roles includes applying the appropriate security templates and manually configuring server settings for the role. Most of the recommended security settings are applied to role-based servers through the Member Server Baseline security template and, incrementally, through a role-based security template. Consider the following best practices when hardening servers for specific roles:
- Secure well-known user accounts. Rename the built-in Administrator and Guest accounts and change their descriptions and passwords to prevent their malicious use.
- Enable only services required by role. All services not required by the server to fulfill its assigned role should be disabled.
- Enable service logging to capture relevant information. Consider enabling logging for critical services that are required by the server role. For example, enable DHCP logging for a DHCP server.
- Use IPSec filtering to block specific ports based on server role. For more information about the specific ports that should be blocked on a server for a specific role, see the appropriate chapter in the Windows Server 2003 Security Guide.
- Modify templates as needed for servers with multiple roles. Servers that perform multiple roles will require a customized template that specifically configures the server’s security settings to enable it to perform multiple roles. You may need to start with the preconfigured template for one of the roles the server performs and then modify the template so that services and other security settings required by the additional role are correctly configured in the template.

28 Hardening Application Servers
Application servers that typically have specialized protection requirements include (application: example):
- Web servers: Internet Information Services (IIS)
- Messaging servers: Microsoft Exchange 2003
- Database servers: Microsoft SQL Server 2000

29 Application Server Best Practices
- Configure security on the base operating system
- Apply operating system and application service packs and patches
- Install or enable only those services that are required
- Assign only those permissions needed to perform required tasks
- Application accounts should be assigned minimal permissions
- Apply defense-in-depth principles to increase protection

Student Notes: Keep in mind that application security depends on other layers in your defense-in-depth strategy. Here are the most important elements of a defense that should be applied to all application servers:
- Configure the operating system for security. Apply baseline security settings to all member servers by using the Member Server Baseline security template provided in the Windows Server 2003 Security Guide. Then apply the incremental templates that are relevant to the specific server role. The Windows Server 2003 Security Guide can be found at
- Apply operating system and application patches. Service packs increase operating system security and stability. Most attacks against servers exploit vulnerabilities that have been previously reported and fixed in a service pack or in an operating system security patch. Computers that do not have the latest service pack and security patches installed are vulnerable.
- Install only required services. By reducing the number of services that run on a server, you can decrease the exposure of the server to security attacks.
- Assign only the permissions that are needed to perform required tasks. All administrators should be granted the fewest permissions possible that will still make it possible for them to perform their administrative tasks. Application service accounts should have only the privileges they need. For example, if they can run as Network Service instead of Local System, they should do so.
- Think about other elements of defense in depth. A defense-in-depth security strategy uses multiple layers of defense. If one layer is compromised, it does not mean that your entire system will be compromised. Once you have these practices in place, move to the next layers of defense for the security of specific application servers, such as Exchange Server, SQL Server, and Small Business Server.

30 Securing IIS Servers
- Apply the security settings in the IIS Server Security Template
- Install the IIS Lockdown and configure URLScan on all IIS 5.0 installations
- Enable only essential IIS components
- Configure NTFS permissions for all folders that contain Web content
- Install IIS and store Web content on a dedicated disk volume
- If possible, do not enable both the Execute and Write permissions on the same Web site
- On IIS 5.0 servers, run applications using Medium or High Application Protection
- Use IPSec filters to allow only ports 80 and 443

Student Notes: Hardening IIS (Internet Information Services) servers includes applying the appropriate security settings to these servers. Most of the recommended security settings are applied to IIS servers through the Member Server Baseline security template and, incrementally, through the IIS Server security template. Consider applying the following additional security settings to harden IIS servers. These settings must be manually configured on each IIS server.
- Install the IIS Lockdown and configure URLScan on IIS 5.0 installations to help secure these servers. If possible, upgrade all Web servers to Windows Server 2003 and IIS 6.0.
- Enable only essential IIS components. Specifically, ensure that only desired application extensions are enabled. As a security measure, IIS is not installed on Windows Server 2003 by default. When installed, much of its functionality is disabled until specifically enabled. You must manually enable each service that your IIS installation requires.
- Configure NTFS permissions for all folders that contain Web content. Apply the minimum permissions required to enable the necessary Web site functionality.
- Install IIS and store Web content on a dedicated disk volume separate from the system volume. This reduces the likelihood that an attacker will be able to access and modify operating system files on the server.
- If possible, do not enable both the Execute and Write permissions on the same website. This permission combination could enable an attacker to put malicious content on the server and then execute that content.
- On IIS 5.0 servers, run applications using Medium or High Application Protection to avoid running applications in the system context of the Inetinfo process.
- Use IPSec filters to block all inbound communications except on TCP ports 80 and 443.

31 Hardening the Messaging Environment
To harden your Exchange messaging environment, deploy the following (environment: configuration):
- Server environment: Domain, Domain Controller, and Member Server Baseline Policy templates (Windows Server 2003 Security Guide at )
- Messaging environment: Exchange Domain Controller Baseline Policy template (Exchange Server 2003 Security Hardening Guide at exchange/2003/library/exsecure.mspx)

32 Securing Exchange Servers
- Limit Exchange Server functionality to clients that are strictly required
- Remain current with the latest updates for both Exchange Server 2003 and the operating system
- Use ISA Server 2004 to regulate access for HTTP, RPC over HTTPS, POP3, and IMAP4 traffic
- Use SSL/TLS and forms-based authentication for Outlook Web Access

33 Validating Exchange Server Configuration Settings
ExBPA (Exchange Best Practices Analyzer) can examine your Exchange servers to:
- Generate a list of issues, such as misconfigurations or unsupported or non-recommended options
- Judge the general health of a system
- Help troubleshoot specific problems

34 Demonstration: Analyzing Configuration Settings on Exchange Server 2003
Analyze Exchange Server using MBSA and the ExBPA Tool

35 Basic SQL Server Security Configuration
- Apply service packs and patches
- Use MBSA to detect missing SQL updates
- Disable unused services:
  - MSSQLSERVER (required)
  - SQLSERVERAGENT
  - MSSQLServerADHelper
  - Microsoft Search
  - Microsoft DTC

Student Notes: Because there are many ways to attack a database, it is important to use the defense-in-depth strategy to mitigate threats. External attacks can exploit configuration weaknesses that expose the database server. An insecure Web application can also be used to exploit the database. Internal threats must be considered as well. An internal threat could be the rogue administrator with network access or a database user tricked into running malicious code. Mitigate these threats by:
- Using the MBSA to detect the necessary Windows and SQL Server updates that may be missing.
- Disabling services that are not required. During a SQL Server installation, the following four Windows services are installed:
  - MSSQLSERVER (or MSSQL$InstanceName for a named instance). This is the SQL Server database engine and is the only mandatory service.
  - SQLSERVERAGENT (or SQLAgent$InstanceName for a named instance). With this support service, you can schedule commands and notify operators when errors occur.
  - MSSQLServerADHelper. This provides Active Directory integration services, including database instance registration.
  - Microsoft Search. This provides full text search capabilities. This service must always run under the local system account.
  Only the MSSQLSERVER database engine is required. The remaining services provide additional functionality and are required only in specific scenarios. Disable these services if they are not required.
Note: If you do not use distributed transactions through the Microsoft DTC, disable the service.
Additional Information: For more information about applying service packs, hot fixes, and security patches, see
For more information about basic security configurations, see

36 Database Server Security Considerations
- Network: Protocols; Ports
- Operating System: Patches and Updates; Shares; Services; Accounts; Auditing and Logging; Files and Directories; Registry
- SQL Server: SQL Server Security; Database Objects; Logins, Users, and Roles

Student Notes: Securing SQL Server involves defense in depth. In addition to configuring SQL Server, you must also consider:
- Patches and Updates. Applying patches to the operating system and SQL Server can prevent many known types of attacks against SQL Server.
- SQL Server Security. A number of SQL Server security settings can be controlled through Enterprise Manager. These include the authentication mode, the auditing level, and the accounts used to run the SQL Server service. For improved security, use Windows authentication. Also, enable SQL Server logon auditing and ensure that the SQL Server service runs using a least-privileged account.
- Logins, Users, and Roles. SQL Server 2000 manages access control using logins, databases, users, and roles. Users (and applications) are granted access to SQL Server by way of a SQL Server login. The login is associated with a database user, and the database user is placed in one or more roles. The permissions granted to the role determine the tables the login can access and the types of operations the login can perform. This approach is used to create least-privileged database accounts that have the minimum set of permissions necessary to allow them to perform their legitimate functionality.
- Database Objects. The ability to access SQL Server database objects, such as built-in stored procedures, extended stored procedures, and cmdExec jobs, should be reviewed. Also, any sample databases should be deleted.
- Operating System Shares. Remove all unnecessary file shares, including the default administration shares if they are not required. Secure any remaining shares with restricted NTFS permissions. Although shares may not be directly exposed to the Internet, a defense-in-depth strategy with limited and secured shares reduces risk if a server is compromised.
- Auditing and Logging. Auditing is a vital aid in identifying intruders and attacks in progress and in diagnosing attack footprints. Configure a minimum level of auditing for the database server by using a combination of Windows and SQL Server auditing features.
- Services. Disable unnecessary and unused services to quickly and easily reduce the attack surface area. Services are prime vulnerability points for attackers who can exploit the privileges and capabilities of the service to access the server and potentially other computers. By default, database servers generally do not need all services enabled.
- Files and Directories. Use NTFS file system permissions to protect program, database, and log files from unauthorized access. When you use access control lists (ACLs) in conjunction with Windows auditing, you can detect when suspicious or unauthorized activity occurs.
- Accounts. Restrict the number of Windows accounts that are accessible from the database server to the necessary set of service and user accounts. In all cases, use least-privileged accounts with strong passwords. A least-privileged account used to run SQL Server limits the capabilities of an attacker who compromises SQL Server and manages to execute operating system commands.
- Registry. SQL Server maintains a number of security-related settings, including the configured authentication mode, in the registry. Restrict and control access to the registry to prevent the unauthorized update of configuration settings, for example, to loosen security on the database server.
- Network Ports. Unused ports are closed at the firewall, but servers behind the firewall must also block or restrict ports based on their usage. For a dedicated SQL Server, block all ports except for the necessary SQL Server port and the ports required for authentication.
- Protocols. Limit the range of protocols that client computers can use to connect to the database server, and make sure you can secure those protocols.

37 Session Summary
- Understanding malware will help you to implement an effective defense against malware attacks
- Use a defense-in-depth approach to defend against malware
- Harden operating systems and applications by applying security updates, installing and maintaining an antivirus software strategy, and restricting computers using Group Policy
- Stage all updates through a test server before implementing into production, in order to minimize disruption
- An efficient response and recovery plan will ensure that if a malware attack occurs, your organization can quickly recover with minimal disruption

38 Next Steps
- Find additional security training events:
- Sign up for security communications: default.mspx
- Order the Security Guidance Kit: default.mspx
- Get additional security tools and content:

39 Questions and Answers

