Securing the Infrastructure Windows Server 2003 SP1 and Windows XP SP2 Ken Schaefer System Engineer, MVP Avanade.


2 Securing the Infrastructure Windows Server 2003 SP1 and Windows XP SP2 Ken Schaefer System Engineer, MVP Avanade

3 Sorry: no funny jokes or pictures, but there will be good technical content.

4 Agenda
Why we are releasing Windows Server 2003 SP1
Goals for Windows Server 2003 SP1
Key security enhancements and functions of SP1
Windows 2003 & Windows XP SP2 Firewall
Other enhancements
Additional resources to ramp up on Windows Server 2003 SP1
Summary

5 Why are we releasing WS03 SP1?
To reduce customer pain around security of our operating systems, and to provide a more robust and secure OS to customers
To provide some new security enhancements
–Setup protection: Security OOBE (Post-Setup Security Updates)
–Windows Firewall
–Role-based Security Configuration Wizard
To increase adoption of Windows Server 2003 – some customers wait for SP1 before deploying

6 WS03 Customer Pains & SP1
Why?
–Patch management too complex
–Time to exploit decreasing
–Exploits are more sophisticated
= Current approach is not sufficient
[Chart: Days between patch and exploit: Nimda 331, SQL Slammer 180, Welchia/Nachi 151, Blaster 25]
How?
–Role-based approach will give flexibility to our customers in terms of time to test/deploy
–Proactive instead of reactive engineering, i.e. Windows Firewall and AD policy for Windows Firewall rule sets
= A step in the journey to more secure computing platforms, applications, and devices.

7 What are the goals of SP1?
Enhanced Security
–Reduced attack surface
–New security enhancements: stronger defaults and privilege reduction on services (RPC & DCOM); support for No Execute (NX) hardware (Intel & AMD); Windows Firewall enabled by default for new installs, including boot time protection
–Provide a Security Configuration Wizard to assist IT Admins: role-based configuration and lockdown
–RAS/VPN Quarantine: client inspection, fix-up, isolation
–IIS 6.0 metabase auditing
–IE security enhancements
Enhanced Reliability
Enhanced Performance
–10%+ improvement in TPC, TPC-H, SAP, SSL, etc.

8 SP1 Features and Enhancements
Post-Setup Security Updates (PSSU)
Security Configuration Wizard
Relevant XP SP2 enhancements
–RPC, DCOM lockdown
–Windows Firewall configuration
Terminal Services Improvements
64-bit extensions to the base system: x86-64 is reality

9 WS03SP1 Post-Setup Security Updates (1)
A new feature designed to protect servers between first boot and application of the most recent security updates
Opens on first admin logon if Windows Firewall was not explicitly enabled/disabled using an unattend script or GPO
Blocks inbound connections until the customer clicks "Finish" on the PSSU dialog box

10 WS03SP1 Post-Setup Security Updates (2)
Offers links to Windows Update
Creates an opportunity to configure Automatic Updates
Re-opens if not completed before first restart
Forced closure (ALT+F4) makes no change to the firewall; the system runs tests to display PSSU again at next logon

11 WS03SP1 Post-Setup Security Updates (3)
Applies To:
–Windows server admins who are concerned that new Windows Server 2003 servers may not be fully protected before application of updates
–Admins who perform new installs of Windows Server 2003 with a Service Pack
Does Not Apply When:
–OS is installed with an unattend script enabling or disabling Windows Firewall
–Windows Firewall is enabled or disabled through Group Policy before PSSU is displayed
–Performing OS updates to an existing Windows Server 2003 server, or upgrading an existing Windows 2000 server to Windows Server 2003 SP1

12 Post-Setup Security Updates

13 Security Configuration Wizard
Guided Attack Surface Reduction for Windows Servers
–Security Coverage
Roles-based metaphor
Disables unnecessary services
Disables unnecessary IIS web extensions
Blocks unused ports, including multi-homed scenarios
Helps secure ports that are left open by using IPsec
Reduces protocol exposure (LDAP, NTLM, SMB)
Configures audit settings with a high signal-to-noise ratio
Security for mere mortals
–Roles-based makes answering questions easy
–Automated versus paper-based guidance
–Fully tested and supported by Microsoft

14 SCW Operational Coverage
Supports approximately 60 server roles out of the box
Rollback, when applied policies disrupt service expectations
Analysis, to check that machines are in compliance with policies
Remotability for configuration and analysis operations
Command line support (scwcmd) for remote configuration and analysis en masse
Active Directory integration for Group Policy-based deployment
Editing of previously created policies, when machines are repurposed
XSL views of the knowledge base, policies and analysis results
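The command-line and remote-analysis points above are easiest to see as a script. The following is an added example, not code from the deck or from Microsoft: it drives scwcmd.exe (the SCW command line that ships with Windows Server 2003 SP1) to analyze several servers against one policy, render a result, and, once the results have been reviewed, apply, roll back or convert the policy. The policy path, result directory and server names are placeholders, and the account running it is assumed to be an administrator on every target.

```powershell
# Added example, not from the deck: fleet analysis and configuration with scwcmd.exe.
# Assumptions: the policy file was saved by the SCW UI, the server names are placeholders,
# and this session runs as an administrator of every target machine.
$Policy    = 'C:\SCW\WebServerBaseline.xml'   # assumed path
$ResultDir = 'C:\SCW\Results'                 # assumed path
$Servers   = 'WEB01', 'WEB02', 'WEB03'        # assumed names
New-Item -ItemType Directory -Path $ResultDir -Force | Out-Null

# 1. Analyze: compare each server's live configuration to the policy. Nothing is changed on
#    the target; results land in $ResultDir as <server>.xml, one file per machine.
foreach ($server in $Servers) {
    & scwcmd analyze "/m:$server" "/p:$Policy" "/o:$ResultDir"
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "scwcmd analyze failed for $server (exit code $LASTEXITCODE)"
    }
}

# 2. View: render one result through the analysis stylesheet SCW ships. The TransformFiles
#    directory under %windir%\security\msscw is the one SCW installs (assumed unchanged).
$Xsl = Join-Path $env:windir 'security\msscw\TransformFiles\scwanalysis.xsl'
& scwcmd view "/x:$(Join-Path $ResultDir 'WEB01.xml')" "/s:$Xsl"

# 3. Configure: apply the policy to a server only after its analysis has been reviewed, because
#    SCW disables every service and blocks every port the selected roles do not declare.
# & scwcmd configure "/m:WEB01" "/p:$Policy"

# 4. Rollback: SCW stores the pre-configure state on the target, so a broken server is recoverable.
# & scwcmd rollback "/m:WEB01"

# 5. Transform: turn the same policy into a Group Policy object (created unlinked, so it can be
#    linked to a test OU first) for Active Directory-based deployment.
# & scwcmd transform "/p:$Policy" "/g:SCW Web Server Baseline"
```

Run the analyze loop from a management workstation against a pilot group before any configure call: the per-machine XML tells you which services and ports would be cut, and the rollback path is only useful if the server is still reachable afterwards, so keep the remote administration exception in the policy for machines you manage over the network.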

15 Security Configuration Wizard

16 RPC and DCOM Enhancements
Dovetails with Windows XP SP2
New RPC registry keys
–Allow server applications to restrict access to the interface, typically through a security callback
–Optionally deny all remote anonymous access
–Enable application developers to more closely control access
Additional DCOM access control restrictions
–Strengthening of the DCOM authentication security model
–Overall reduction of the risk of a successful network attack
RPC and DCOM ports handled as a special case by Windows Firewall
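The "new RPC registry keys" are RestrictRemoteClients and EnableAuthEpResolution under the RPC policy key, the same values the Group Policy settings "Restrictions for Unauthenticated RPC clients" and "RPC Endpoint Mapper Client Authentication" write. The script below is an added example, not from the deck: it reports the current restriction level with its meaning and can raise it, defaulting to the level where anonymous remote calls are refused unless the interface opted in through the security-callback flag. It assumes local administrator rights and that a reboot follows any change, since the RPC runtime reads these values at start-up.

```powershell
# Added example, not from the deck: inspect and optionally tighten the RPC restriction on
# anonymous remote clients introduced with XP SP2 and carried into WS03 SP1.
# Assumes admin rights on the local machine; a reboot is needed for a change to take effect.
$RpcPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'

# RestrictRemoteClients values:
#   0  None: anonymous remote RPC calls reach the server (pre-SP2 behaviour).
#   1  Authenticated: anonymous remote calls are rejected unless the interface registered with
#      RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH and performs its own security callback (XP SP2 default).
#   2  Authenticated without exceptions: the opt-in flag is ignored, so every remote caller must
#      authenticate. This includes the endpoint mapper, so clients of such a server need
#      EnableAuthEpResolution=1 to resolve dynamic endpoints at all.
$Levels = @{ 0 = 'None'; 1 = 'Authenticated'; 2 = 'Authenticated without exceptions' }

function Get-RpcRestriction {
    $item = Get-ItemProperty -Path $RpcPolicy -ErrorAction SilentlyContinue
    $level = $null; $epAuth = $null
    if ($item) { $level = $item.RestrictRemoteClients; $epAuth = $item.EnableAuthEpResolution }
    $meaning = 'not set by policy (product default applies)'
    if ($level -ne $null) { $meaning = $Levels[[int]$level] }
    New-Object PSObject -Property @{
        RestrictRemoteClients  = $level
        Meaning                = $meaning
        EnableAuthEpResolution = $epAuth
    }
}

function Set-RpcRestriction {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [ValidateRange(0, 2)][int]$Level = 1,
        [switch]$AuthEpResolution
    )
    if (-not (Test-Path $RpcPolicy)) { New-Item -Path $RpcPolicy -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess($RpcPolicy, "RestrictRemoteClients=$Level")) {
        Set-ItemProperty -Path $RpcPolicy -Name RestrictRemoteClients -Value $Level -Type DWord
        # Level 2 makes this machine's endpoint mapper refuse anonymous lookups; peers configured
        # the same way refuse ours, so turn on authenticated EP resolution here as well.
        if ($AuthEpResolution -or $Level -eq 2) {
            Set-ItemProperty -Path $RpcPolicy -Name EnableAuthEpResolution -Value 1 -Type DWord
        }
    }
}

Get-RpcRestriction | Format-List RestrictRemoteClients, Meaning, EnableAuthEpResolution
# Set-RpcRestriction -Level 1 -WhatIf    # preview the change
# Set-RpcRestriction -Level 1            # deny anonymous remote RPC except for opted-in interfaces
```

Test level 1 before level 2: level 2 is where legacy servers that rely on anonymous callbacks, and any client that has not been given EnableAuthEpResolution, stop working, and the failure shows up as RPC endpoint-resolution errors rather than an obvious access-denied.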

17 Windows Firewall
Goals and customer benefit
–Provide better protection from network attacks by default
–Focus on role-based server configuration
What we're doing
–Windows Firewall (formerly Internet Connection Firewall, ICF) will be on by default in almost all configurations
–More configuration options: Group Policy, command line (netsh firewall), unattended setup
–Better user interface
–Boot time protection
–Restrict anonymous connections to DCOM/RPC interfaces
Application impact
–Inbound network connections will not be permitted by default
–Listening ports only open as long as the application is running

18 Windows Firewall and AD Firewall Policy Deployment

19 Administering Windows XP SP2: Recommended Enterprise Settings (1)
Guidelines only: review all settings prior to deployment!
Windows Firewall: Protect all network connections
–Enabled
Windows Firewall: Do not allow exceptions
–Not configured
Windows Firewall: Define program exceptions
–Set to the names of applications and services used by the computers running Windows XP SP2 on your network for managed, server, listener, or peer applications (e.g. SMS)

20 Administering Windows XP SP2: Recommended Enterprise Settings (2)
Windows Firewall: Allow local program exceptions
–Enabled
Windows Firewall: Allow remote administration exception
–Disabled, unless the Windows XP SP2-based computers are configured remotely using MMC snap-ins or monitored remotely using WMI
Windows Firewall: Allow file and print sharing exception
–Enabled only if the computers running Windows XP SP2 are sharing local folders and printers

21 Administering Windows XP SP2: Recommended Enterprise Settings (3)
Windows Firewall: Allow ICMP exceptions
–Enabled only to allow diagnostic or management capabilities that are based on ICMP traffic
Windows Firewall: Allow Remote Desktop exception
–Enabled only if you use Remote Desktop to connect to Windows XP SP2-based computers
Windows Firewall: Allow UPnP framework exception
–Enabled only if you use UPnP devices on your network
Windows Firewall: Prohibit notifications
–Disabled

22 Administering Windows XP SP2: Recommended Enterprise Settings (4)
Windows Firewall: Allow logging
–Not configured
Windows Firewall: Prohibit unicast response to multicast or broadcast requests
–Disabled; enabling this setting can break Wake On LAN
Windows Firewall: Define port exceptions
–Set to the TCP and UDP ports used by the Windows XP SP2 computers on your network for managed, server, listener, or peer applications that cannot be specified by filename (add SMS and similar ports here)
Windows Firewall: Allow local port exceptions
–Enabled (pending corporate policy)

23 Administering Windows XP SP2: 3rd party firewall scenarios
Disable Windows Firewall
Disable Windows Firewall during unattended installation
–Unattend.txt or Netfw.inf
Deploy registry settings to disable WF
–HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall=0 (DWORD)
–HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\EnableFirewall=0 (DWORD)
–These are policy keys: a value written here overrides whatever the user or netsh set locally, and the Windows Firewall UI shows the setting greyed out
Configure GPOs accordingly
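Slides 19 through 23 describe the desired state in Group Policy terms; what a practitioner also needs is a way to see what a given client has actually ended up with, because a GPO value under the Policies key silently overrides the local setting and the Domain and Standard profiles can differ. The script below is an added example, not from the deck or from Microsoft: it reads both registry hives Windows Firewall uses on XP SP2 / WS03 SP1, reports which source is in effect for each baseline setting, and lists the program and port exceptions from both sources. The baseline values it compares against are the ones on the slides above; settings the slides leave "Not configured" are reported without a verdict. It assumes PowerShell 2.0 or later and local administrator rights.

```powershell
# Added example, not from the deck: audit the effective Windows Firewall configuration of an
# XP SP2 / WS03 SP1 machine against the enterprise baseline from slides 19-22.
# Windows Firewall honours values under the Policies key when a GPO has written them; otherwise
# the local values (set by the UI or netsh firewall) apply. Requires PowerShell 2.0+ and admin.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$LocalRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

# Baseline from the slides. Want = $null means the slides leave the setting "Not configured".
$Checks = @(
    @{ Sub = '';                    Name = 'EnableFirewall';                              Want = 1;     Text = 'Protect all network connections' },
    @{ Sub = '';                    Name = 'DoNotAllowExceptions';                        Want = $null; Text = 'Do not allow exceptions' },
    @{ Sub = '';                    Name = 'DisableNotifications';                        Want = 0;     Text = 'Prohibit notifications' },
    @{ Sub = '';                    Name = 'DisableUnicastResponsesToMulticastBroadcast'; Want = 0;     Text = 'Prohibit unicast response to multicast/broadcast' },
    @{ Sub = 'RemoteAdminSettings'; Name = 'Enabled';                                     Want = 0;     Text = 'Allow remote administration exception' },
    @{ Sub = 'Logging';             Name = 'LogDroppedPackets';                           Want = $null; Text = 'Allow logging (dropped packets)' }
)

function Get-RegValue([string]$Path, [string]$Name) {
    # $null when the key or value is absent, i.e. the product default applies.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Get-EffectiveFirewallSetting([string]$ProfileName, [hashtable]$Check) {
    $sub = $ProfileName
    if ($Check.Sub) { $sub = "$ProfileName\$($Check.Sub)" }
    $policy = Get-RegValue "$PolicyRoot\$sub" $Check.Name
    $local  = Get-RegValue "$LocalRoot\$sub"  $Check.Name
    # A GPO value always wins over the local one; with neither present the default applies.
    if ($policy -ne $null)    { $value = $policy; $source = 'GPO' }
    elseif ($local -ne $null) { $value = $local;  $source = 'local' }
    else                      { $value = $null;   $source = 'default' }
    # An absent value never equals the wanted one, so "default" is flagged for review on purpose.
    if ($Check.Want -eq $null)      { $state = 'n/a' }
    elseif ($value -eq $Check.Want) { $state = 'OK' }
    else                            { $state = 'MISMATCH' }
    New-Object PSObject -Property @{
        Profile = $ProfileName; Setting = $Check.Text; Value = $value; Source = $source; State = $state
    }
}

function Get-FirewallException([string]$ProfileName) {
    # Port exceptions are REG_SZ values under <profile>\GloballyOpenPorts\List formatted
    # "port:protocol:scope:Enabled|Disabled:name"; program exceptions under
    # <profile>\AuthorizedApplications\List as "path:scope:Enabled|Disabled:name".
    # GPO and local lists are both shown; whether local entries take effect depends on the
    # "Allow local program exceptions" / "Allow local port exceptions" policy settings.
    foreach ($list in 'GloballyOpenPorts', 'AuthorizedApplications') {
        foreach ($source in 'GPO', 'local') {
            $root = $LocalRoot
            if ($source -eq 'GPO') { $root = $PolicyRoot }
            $path = "$root\$ProfileName\$list\List"
            if (-not (Test-Path $path)) { continue }
            foreach ($p in (Get-ItemProperty -Path $path).PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }   # provider metadata (PSPath, PSChildName, ...)
                New-Object PSObject -Property @{ Profile = $ProfileName; List = $list; Source = $source; Entry = $p.Value }
            }
        }
    }
}

# The Domain profile applies while the machine can reach a domain controller, the Standard
# profile everywhere else (laptop at home, DC unreachable), so both must be audited.
$Profiles = 'DomainProfile', 'StandardProfile'
$Profiles | ForEach-Object { $p = $_; $Checks | ForEach-Object { Get-EffectiveFirewallSetting $p $_ } } |
    Format-Table Profile, Setting, Value, Source, State -AutoSize
$Profiles | ForEach-Object { Get-FirewallException $_ } |
    Format-Table Profile, List, Source, Entry -AutoSize
```

A Source of "GPO" with a MISMATCH means the baseline itself disagrees with the deployed GPO, not that the client drifted; a Source of "local" on a domain member means the GPO does not set that value and the user or an installer did. The exception listing is where a third-party agent that opened a port with netsh, or an installer that added itself to AuthorizedApplications, shows up.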

24 Terminal Services Improvements
Fallback Printer Driver
–Addresses client-to-server printing issues when a driver mismatch occurs
–Heuristic that does name matching on printer driver strings provided by the TS client
–Makes a best guess and then substitutes a lowest-common-denominator PCL or PS driver:
PCL: "HP DeskJet 500"
Color PCL: "HP DeskJet 500C"
PS: "HP LaserJet 4/4M PS"
Color PS: "HP Color LaserJet 5/5M PS"
Licensing Server Improvements

25 SP1 Terminal Services

26 Windows Server 2003 x64 Editions
Key value
–Core OS functionality & performance benefits (64-bit)
–Runs most existing 32-bit apps with increased performance
–Provides an evolutionary path to 64-bit applications
Single code base, based on WS03 SP1
–AMD Opteron/Athlon 64 & Intel Xeon EM64T supported with one product
–Basis for Windows XP Professional x64 Edition
Compatibility
–WS03 SP1 level compatibility
–Application kernel-mode code and drivers must be 64-bit
Performance and scale by workload
–32-bit Database: up 17%
–32-bit Business Apps: SAP, 10% more users
–Networking: record 7 Gbit/sec transfer
–File: 111% higher user capacity
–Active Directory: 2x higher throughput
–Terminal Services: 50% more users

27 How To Get Involved
Share your ideas with the Windows Server development team at: http://www.windowsserverfeedback.com
You can also participate in:
–Online surveys about product feature priorities
–Product focus groups
–TechBeta

28 Summary
Windows Server 2003 SP1 exists to encourage adoption of Windows Server 2003 and migration from NT4 and 2000
Security-focused service pack; also includes performance, feature and reliability improvements
Exciting roadmap: complement to XP SP2, precursor to Windows Server 2003 R2 and Longhorn
What you can do:
–Review the reference material on the following slides
–Test the available Release Candidate 2 (RC2) version
–Provide your ideas on how we can make further improvements in this area

29 More Information
Windows Server 2003 SP1 Release Candidate 2: http://www.microsoft.com/windowsserver2003/downloads/servicepacks/sp1/default.mspx
Windows XP SP2 on Microsoft TechNet: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx
MBSA v2 Beta (use Beta GuestID: MBSA20): http://beta.microsoft.com and http://www.microsoft.com/technet/security/tools/mbsahome.mspx
Windows Update Services Beta: http://www.microsoft.com/windowsserversystem/wus/default.mspx
TechNet Security Centre for IT Pros: http://www.microsoft.com/technet/security/default.mspx
Microsoft IT practices: http://www.microsoft.com/itshowcase

31 Evaluation: Prescriptive Guidance
Overall, how satisfied were you with the event?
Rate the session: Windows 2003 SP1

32 Ken Schaefer ken@adOpenStatic.com
