
1 Chapter 7 HARDENING SERVERS

2 DEFAULT SECURITY TEMPLATES
Chapter 7: Hardening Servers
- Setup Security.inf and DC Security.inf
- Compatws.inf
- Securews.inf and Securedc.inf
- Hisecws.inf and Hisecdc.inf
- Rootsec.inf
- Iesacls.inf

3 DESIGNING SECURITY TEMPLATES
- Create a custom security template for each role, not each computer
- Base custom templates on a default template
- Never modify default security templates
- Apply multiple security templates to computers with multiple roles

4 SECURITY TEMPLATE SETTINGS
- Account policies
- Local policies
- Event logs
- Group memberships
- Services
- Registry permissions
- File and folder permissions
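
Added example (not from the original slides): a server with several roles receives several templates, so it is worth seeing where role templates disagree before they are deployed. The Python below parses constructed `.inf` fragments and merges them in apply order, assuming the last template applied wins; the template contents and function names are illustrative.

```python
# Added example: merge role templates in apply order and report conflicts.
# All template text below is constructed sample data (SDDL field left empty).
STARTUP = {"2": "Automatic", "3": "Manual", "4": "Disabled"}
BASELINE = """\
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 8
[Service General Setting]
"Spooler",4,""
"""
FILE_SERVER = """\
[Service General Setting]
"Dfs",2,""
"""
PRINT_SERVER = """\
[Service General Setting]
"Spooler",2,""
"""

def parse_template(text):
    """Return {(section, key): value} for the settings in one template."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service General Setting":
            fields = [f.strip().strip('"') for f in line.split(",")]
            if len(fields) >= 2:  # name, startup code, optional SDDL
                settings[(section, fields[0])] = STARTUP.get(fields[1], fields[1])
        elif "=" in line and section not in (None, "Version", "Unicode"):
            key, value = (p.strip() for p in line.split("=", 1))
            settings[(section, key)] = value
    return settings

def merge_templates(templates):
    """Apply (name, text) pairs in order; return (effective, conflicts)."""
    effective, origin, conflicts = {}, {}, []
    for name, text in templates:
        for key, value in parse_template(text).items():
            if key in effective and effective[key] != value:
                conflicts.append((key, origin[key], effective[key], name, value))
            effective[key], origin[key] = value, name
    return effective, conflicts

if __name__ == "__main__":
    print(merge_templates([("baseline", BASELINE), ("print", PRINT_SERVER)])[1])
```

Each conflict tuple names the setting, the template that set it first, and the template that overrode it, which is the list to review before importing the templates into a GPO.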

5 SETTINGS NOT AVAILABLE IN SECURITY TEMPLATES
- Configuration of Automatic Updates
- Which Microsoft Windows components and applications are installed
- IPSec policies
- Software restrictions
- Wireless network policies
- EFS settings
- Certification Authority (CA) settings

6 CONFIGURING EARLIER VERSIONS OF WINDOWS
- Support Group Policy:
  - Windows Server 2003
  - Windows 2000 Server
  - Windows 2000 Professional
  - Windows XP Professional
- Support System Policy:
  - Windows NT 4.0
  - Windows 95
  - Windows 98
  - Windows Me

7 SYSTEM POLICY EDITOR

8 DEPLOYING SECURITY CONFIGURATION WITH GROUP POLICY
- Import templates into Group Policy
- Leverage inheritance
- Filter Group Policy objects (GPOs) with security groups
- Use Windows Management Instrumentation (WMI) filtering only where necessary

9 SERVER HARDENING BEST PRACTICES
- Use the Configure Your Server Wizard
- Disable unnecessary services
- Develop a process for updating all software
- Change default port numbers
- Use network and host-based firewalls

10 SERVER HARDENING BEST PRACTICES (CONT.)
- Require IPSec
- Place Internet servers in perimeter networks
- Use physical security
- Restrict removable media
- Back up application-specific information

11 SERVER HARDENING BEST PRACTICES (CONT.)
- Audit backups and restores
- Rename default user accounts
- Develop security requirements for application-specific user databases
- Monitor each server role for failures
- Read security guides at

12 HARDENING DOMAIN CONTROLLERS
- A compromised domain controller can lead to compromises of domain members
- Domain controllers can be identified with a DNS query
- Avoid storing application data in Active Directory
- Create a separate security group for users with privileges to back up domain controllers
- Use source-IP filtering to block domain requests from external networks

13 REQUIRED DOMAIN CONTROLLER SERVICES
- File Replication Service
- Intersite Messaging
- Kerberos Key Distribution Center
- Netlogon
- Remote Procedure Call (RPC) Locator
- Windows Management Instrumentation
- Windows Time

14 HARDENING DNS SERVERS
- When DNS servers are compromised, attackers can use them to:
  - Identify internal network resources
  - Launch man-in-the-middle attacks
  - Perform a denial-of-service (DoS) attack

15 BEST PRACTICES FOR HARDENING DNS SERVERS
- Use Active Directory–integrated zones. If not Active Directory integrated:
  - Restrict permissions on zone files
  - Use IPSec to protect zone transfers
- Disable recursion where possible
- Use separate internal and Internet servers
- Remove root hints on internal servers
- Allow only secure DNS updates if possible

16 HARDENING DHCP SERVERS
- Dynamic Host Configuration Protocol (DHCP) servers running Windows 2000 and later must be authorized in a domain
- DHCP servers can automatically update DNS
- Protect DHCP servers with 802.1X authentication

17 HARDENING FILE SERVERS
- Carefully audit share permissions and NTFS file system permissions
- Use source-IP filtering to block requests from external networks
- Audit access to critical and confidential files

18 HARDENING IAS SERVERS
- Enable Remote Authentication Dial-In User Service (RADIUS) message authenticators
- Use quarantine control
- Enable logging
- Audit logs frequently

19 HARDENING EXCHANGE SERVER COMPUTERS
- Encrypt mail traffic with Transport Layer Security (TLS)
- Use Secure Sockets Layer (SSL) to protect Outlook Web Access (OWA)
- Enable Security events logging
- Audit for open relays to protect against spam

20 HARDENING EXCHANGE SERVER COMPUTERS (CONT.)
- Use antispam software
- Use antivirus software
- Require strong passwords
- Audit with MBSA

21 HARDENING SQL SERVER COMPUTERS
- Use Windows authentication when possible
- Use delegated authentication
- Configure granular authentication in SQL Server databases
- Audit SQL authentication requests
- Disable SQL communication protocols except TCP/IP, and require encryption
- Change the default port number

22 HARDENING SQL SERVER COMPUTERS (CONT.)
- Audit custom applications for vulnerability to SQL injection attacks
- Audit databases for unencrypted confidential contents:
  - User names and passwords
  - Credit-card numbers
  - Social Security numbers
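
Added example (not from the original slides): one way to audit a database for unencrypted confidential contents is to scan every column for values that look like card numbers (Luhn-valid digit runs) or Social Security numbers. It uses an in-memory SQLite database as a stand-in for SQL Server, covers only those two data kinds, and the table, rows and function names are constructed for illustration.

```python
import re
import sqlite3

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def luhn_ok(digits):
    """Luhn checksum: filters out digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(value):
    """Return the kinds of cleartext sensitive data found in one cell."""
    text, found = str(value), set()
    if SSN_RE.search(text):
        found.add("ssn")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            found.add("card")
    return found

def scan_database(conn):
    """Return {(table, column): kinds} for columns holding cleartext hits."""
    hits = {}
    query = "SELECT name FROM sqlite_master WHERE type='table'"
    for (table,) in conn.execute(query).fetchall():
        cur = conn.execute(f'SELECT * FROM "{table}"')
        cols = [d[0] for d in cur.description]
        for row in cur:
            for col, value in zip(cols, row):
                kinds = classify(value)
                if kinds:
                    hits.setdefault((table, col), set()).update(kinds)
    return hits

def sample_db():
    """Constructed sample data; 4111... is a widely used test card number."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, note TEXT, card TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?,?,?,?)", [
        (1, "order 1234567890123", "4111 1111 1111 1111", "078-05-1120"),
        (2, "none", None, None)])
    return conn
```

The 13-digit order number in the `note` column is not reported because it fails the Luhn check, which is what keeps the false-positive rate manageable on real tables.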

23 SUMMARY
- Create security templates for every server role in your organization
- Apply security templates by using GPOs
- Techniques such as disabling unnecessary services and enabling host-based firewalls can be used to harden any type of server
- Server roles each have role-specific considerations, including:
  - Services that should be enabled
  - Ports that must be allowed
  - Logging that should be enabled

