Understand Server Protection LESSON 4.3 98-367 Security Fundamentals.


1 Understand Server Protection LESSON 4.3 98-367 Security Fundamentals

2 Lesson Overview
In this lesson, you will learn:
• Separation of services
• Hardening
• Keeping servers updated
• Secure dynamic DNS updates
• Disabling unsecure authentication protocols
• Read-only domain controllers
• Separate management VLAN
• Microsoft® Baseline Security Analyzer

3 Anticipatory Set
Introducing the Security Compliance Toolkit Series
Vlad Pigin, Senior Program Manager, and Shruti Kala, Product Manager
Run time: 6:37

4 Service Oriented Architecture
• The key to separation is to define a virtual platform that is equally relevant to a number of real platforms.
• The objective of the virtual platform is to enable the separation of services from the implementation and allow components built on various implementation platforms to offer services with no implementation dependencies.
• The SOA platform becomes essentially a blueprint that covers the development and implementation platforms.
• Provides guidance on the development and implementation of applications.
• Common architectural style—different applications can all share the same structure, and the relationships between the parts of the structure are the same.

5 Service Oriented Architecture (continued)
Example platform components of a virtual platform include:
• Host environment
• Consumer environment
• Middleware
• Integration and assembly environment
• Development environment
• Asset management
• Publishing & discovery
• Service level management
• Security infrastructure
• Monitoring & measurement
• Diagnostics & failure
• Consumer/Subscriber management
• Web service protocols
• Identity management
• Certification
• Deployment & versioning

6 Baseline Server Hardening
• Requirements to ensure that the server hardening processes achieve their security goals:
  o The base install of all operating system and post-operating system software comes from a trusted source.
  o Servers are connected only to a completely trusted network during the install and hardening processes.
  o The base install includes all current service packs and is reasonably current with regard to post-service pack updates.
  o After the base install finishes, you must update the target servers.

7 Baseline Server Hardening (Security Goals)
• Use a strong password on administrator accounts.
• Rename the administrator account.
• Disable the guest account.
• Set account lockout policy.
• Remove all unnecessary file shares.
• Set appropriate ACLs on all necessary file shares.
• Install antivirus software and updates.
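A read-only audit of the checkable goals on this slide, as an added example that is not part of the original presentation. It assumes an elevated session on a member or standalone server (not a domain controller), Microsoft Defender as the antivirus product, and a constructed 3-day signature-age limit.

```powershell
# Added example: audits the baseline hardening goals; changes nothing on the server.
#Requires -RunAsAdministrator
$findings = [System.Collections.Generic.List[string]]::new()

# Built-in accounts are found by well-known RID (-500 / -501), so a rename cannot hide them.
$accounts = Get-LocalUser
$admin = $accounts | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$guest = $accounts | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
if ($admin.Name -eq 'Administrator') { $findings.Add('Built-in administrator account has not been renamed') }
if ($guest.Enabled) { $findings.Add("Guest account '$($guest.Name)' is enabled") }

# Account lockout: export the security policy and read LockoutBadCount (0 = never lock out).
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
$hit = Select-String -Path $cfg -Pattern '^LockoutBadCount\s*=\s*(\d+)' | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue
if (-not $hit -or [int]$hit.Matches[0].Groups[1].Value -eq 0) {
    $findings.Add('No account lockout threshold is set')
}

# File shares: list each non-administrative share for review and flag broad Full access.
$broad  = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'
$shares = Get-SmbShare | Where-Object { -not $_.Special }
foreach ($share in $shares) {
    $findings.Add("Review share '$($share.Name)' ($($share.Path)): is it still necessary?")
    $acl = Get-SmbShareAccess -Name $share.Name
    foreach ($ace in $acl) {
        if ($ace.AccessControlType -eq 'Allow' -and $ace.AccessRight -eq 'Full' -and
            $ace.AccountName -in $broad) {
            $findings.Add("Share '$($share.Name)' grants Full to $($ace.AccountName)")
        }
    }
}

# Antivirus (assumption: Microsoft Defender; 3-day signature age is a constructed limit).
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if (-not $mp -or -not $mp.AntivirusEnabled) {
    $findings.Add('Defender antivirus is not enabled or not installed')
} elseif ($mp.AntivirusSignatureAge -gt 3) {
    $findings.Add("Antivirus signatures are $($mp.AntivirusSignatureAge) days old")
}

$findings
```

Password strength on the administrator accounts cannot be read back from the system, so that goal is outside what the script checks.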

8 Windows Server Update Services (WSUS)
• Provides a management infrastructure:
  o Microsoft Update: The Microsoft website that distributes updates to Microsoft products.
  o WSUS server: The server component that is installed on a computer running a supported operating system inside the corporate firewall. Enables administrators to manage and distribute updates through an administrative console, which can be used to manage any WSUS server in any domain with which it has a trust relationship.

9 WSUS (continued)
• At least one WSUS server in the network must connect to Microsoft Update to get available updates.
• The administrator can decide how many WSUS servers should connect directly to Microsoft Update.
  o These servers can then distribute updates to other downstream WSUS servers.
• Automatic Updates
  o The client computer component built into Windows® operating systems.
  o Enables both server and client computers to receive updates either from Microsoft Update or from a WSUS server.

10 Software Updates Consist of Two Parts:
1. Update files: The actual files that are installed on client computers.
2. Update metadata: Information needed to perform the installation, which includes:
  o Update properties: Title, description, Knowledge Base article, Microsoft Security Response Center number.
  o Applicability rules: Used by Automatic Updates to determine whether or not the update is needed on a particular computer.
  o Installation information: Command-line options to apply when installing the updates.

11 Secure Dynamic Update
• DNS update security is available only for zones that are integrated into Active Directory®.
• By default, dynamic update security for DNS servers and clients can be handled as follows:
  o DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update.
  o Clients use a default update policy that permits them to attempt to overwrite a previously registered resource record, unless they are specifically blocked by update security.
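Because clients try an unsecured update first, a zone that still accepts unsecured updates never forces them onto the secure path. The following added example (not part of the original presentation) reports the dynamic update setting of each primary zone; it assumes the DnsServer PowerShell module on a DNS server or RSAT host, and `Get-DynamicUpdateFinding` is a helper name introduced here.

```powershell
# Added example: audit dynamic update settings on primary DNS zones (read-only).
function Get-DynamicUpdateFinding {
    param($Zone)
    switch ("$($Zone.DynamicUpdate)") {
        'Secure' { return 'OK: secure updates only' }
        'None'   { return 'OK: dynamic update disabled' }
    }
    # Anything else accepts unsecured updates (NonsecureAndSecure).
    if ($Zone.IsDsIntegrated) {
        return 'FIX: unsecured updates accepted; set the zone to Secure'
    }
    return 'FIX: unsecured updates accepted; zone is not AD-integrated, so Secure is unavailable'
}

Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
    Select-Object ZoneName, IsDsIntegrated, DynamicUpdate,
        @{ Name = 'Finding'; Expression = { Get-DynamicUpdateFinding $_ } } |
    Format-Table -AutoSize

# Remediation for an AD-integrated zone (placeholder zone name; review before running):
# Set-DnsServerPrimaryZone -Name '<zone-name>' -DynamicUpdate Secure
```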

12 Enable or Disable a Network Protocol or Component
• Network performance is enhanced and network traffic is reduced when only the required protocols and clients are enabled.
• If a computer encounters a problem with a network or dial-up connection, it attempts to establish connectivity by using every network protocol that is installed and enabled.
• By enabling only the protocols that the computer can use, the operating system does not attempt to connect by using protocols it cannot use, and returns status information to you more efficiently.
• Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

13 Enable or Disable a Network Protocol or Component (continued)
1. Right-click the connection for which you want to enable or disable a network protocol or component, and then click Properties.
2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
3. Do one of the following:
  o For a local area connection, on the General tab, in This connection uses the following items, select the check box next to the component to enable it, or clear the check box to disable it.
  o For a dial-up or VPN connection, on the Networking tab, in This connection uses the following items, select the check box next to the component to enable it, or clear the check box to disable it.
  o For an incoming connection, on the Networking tab, in Network components, select the check box next to the component to enable it, or clear the check box to disable it.
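The same check-box change for local area connections can be reviewed and applied from an elevated PowerShell session. This is an added example, not part of the original presentation; the allowlist in `$required` and the adapter name `Ethernet` are assumptions to replace with the site's own values.

```powershell
# Added example: command-line counterpart of the Properties dialog steps above.
# Run elevated (local Administrators), as the procedure requires.

# Assumption: site-specific allowlist of binding ComponentIDs this server needs
# (ms_tcpip = IPv4, ms_msclient = Client for Microsoft Networks).
$required = 'ms_tcpip', 'ms_msclient'

# Every binding that is ticked under "This connection uses the following items"
# but is not on the allowlist.
$extra = Get-NetAdapterBinding |
    Where-Object { $_.Enabled -and $_.ComponentID -notin $required } |
    Sort-Object Name, ComponentID

$extra | Format-Table Name, DisplayName, ComponentID -AutoSize

# Preview the change first; remove -WhatIf to clear the check boxes for real.
foreach ($binding in $extra) {
    Disable-NetAdapterBinding -Name $binding.Name -ComponentID $binding.ComponentID -WhatIf
}

# To select a check box again later (placeholder adapter name):
# Enable-NetAdapterBinding -Name 'Ethernet' -ComponentID 'ms_tcpip6'
```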

14 Read-Only Domain Controllers (RODC)
• A new type of domain controller in the Windows Server® 2008 operating system.
• Hosts read-only partitions of the Active Directory database.
• Makes it possible for organizations to deploy a domain controller in scenarios where physical security cannot be guaranteed:
  o Branch office locations.
  o Where local storage of all domain passwords is considered a primary threat.

15 RODC (continued)
• Has reduced management requirements that are provided by such features as unidirectional replication.
• Well suited for a site that should not have a user who is a member of the Domain Administrators group.

16 Separate Management VLAN
• Network segmentation is the physical isolation of network traffic that flows between communicating systems.
• The physical network is divided into distinct parts (segments) such as subnets (performed by a router) or VLANs (switch).
• Microsoft NAP supports a variety of policy enforcement methods that work in conjunction with a number of network technologies including IPsec, DHCP, and 802.1x.

17 Microsoft NAP Protection Enforcement Methods

| Enforcement | Healthy Host | Unhealthy Host |
| IPsec | Full access: can communicate with any trusted peer in any location over any network(s) | Healthy peers reject connection requests from unhealthy systems; remediation to restricted VLAN or other policy possible |
| 802.1x | Full access | Restricted VLAN |
| VPN | Full access | Restricted VLAN |
| DHCP | Full IP address given, full access | Restricted set of routes |

18 Microsoft Baseline Security Analyzer (MBSA)
• An easy-to-use tool that helps small- and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance.
• Detects common security misconfigurations and missing security updates on your computer systems.
• Ensures consistency with other Microsoft management products including Microsoft Update (MU), Windows Server Update Services (WSUS), Systems Management Server (SMS), System Center Configuration Manager (SCCM) 2007, and Small Business Server (SBS).
