Implementing Server Security on Windows 2000 and Windows Server 2003 Steve Lamb Technical Security Advisor


1 Implementing Server Security on Windows 2000 and Windows Server 2003
Steve Lamb, Technical Security Advisor
http://blogs.msdn.com/steve_lamb
stephlam@microsoft.com

2 Agenda
- Prescriptive Guidance
- Introduction to Server Security
- Securing Active Directory
- Hardening Member Servers
- Hardening Domain Controllers
- Hardening Servers for Specific Roles
- Hardening Stand-Alone Servers

3 Security Guidance Centre
http://www.microsoft.com/security/guidance/default.mspx


7 Prescriptive Guidance - Server Security
http://www.microsoft.com/technet/Security/topics/serversecurity.mspx

8 W2K3 Security Guide
- Free download from microsoft.com
- Copy templates from the “Security Templates” directory to “\windows\security\templates”

9 Security Configuration Guide - Templates
- Access the “Security Templates” via the Microsoft Management Console


11 Agenda (section divider: Introduction to Server Security)

12 Security Considerations
- Servers with a variety of roles
- Internal or accidental threat
- Limited resources to implement secure solutions
- Lack of security expertise
- Older systems in use
- Physical access negates many security procedures
- Legal consequences

13 Defense in Depth
Using a layered approach:
- Increases an attacker’s risk of detection
- Reduces an attacker’s chance of success
Layers and example controls (from the slide diagram):
- Policies, Procedures, & Awareness: user education
- Physical Security: guards, locks, tracking devices
- Perimeter: firewalls, VPN quarantine
- Internal Network: network segments, IPSec, NIDS
- Host: OS hardening, patch management, authentication, HIDS
- Application: application hardening, antivirus
- Data: ACL, encryption

14 Agenda (section divider: Securing Active Directory)

15 Active Directory Components
- Forest
- Domain
- Organizational Unit
- Site
- User account
- Security group
- Group Policy
- Security Templates

16 Planning Active Directory Security
- Analyze the environment
  - Intranet datacenter
  - Branch office
  - Extranet datacenter
- Perform threat analysis
  - Identify threats to Active Directory
  - Identify types of threats
  - Identify sources of threats
- Implement a deterrent to each identified threat
- Establish contingency plans

17 Establishing Secure Active Directory Boundaries
- Specify security and administrative boundaries
- Select an Active Directory structure based on delegation requirements
- Establish secure collaboration with other forests

18 Establishing a Role-Based OU Hierarchy
An OU hierarchy based on server roles:
- Simplifies security management issues
- Applies security policy settings to servers and other objects in each OU
Example hierarchy (from the slide diagram), showing the policy linked at each level and the delegated administrators:
- Domain: Domain Policy (Domain Engineering)
  - Domain Controllers OU: Domain Controller Policy
  - Member Servers OU: Member Server Baseline Policy (Operations Admin)
    - Print Servers OU: Print Server Policy
    - File Servers OU: File Server Policy
    - Web Servers OU: IIS Server Policy (Web Service Admin)

19 Agenda (section divider: Hardening Member Servers)

20 Server Hardening Overview
- Apply baseline security settings to all member servers
- Apply additional settings for specific server roles
- Use GPResult to ensure that settings are applied correctly
- See the “Windows Server 2003 Security Guide” on microsoft.com
Hardening procedures (from the slide diagram):
- Securing Active Directory
- Apply Member Server Baseline Policy
- Apply Incremental Role-Based Security Settings, per role: Infrastructure Servers, File & Print Servers, IIS Servers, Certificate Services Servers, Bastion Hosts, RADIUS (IAS) Servers

21 Member Server Baseline Security Template
- Modify and apply the Member Server Baseline security template to all member servers
- Settings in the Member Server Baseline security template:
  - Audit Policy
  - User Rights Assignment
  - Security Options
  - Event Log
  - System Services
- Use Group Policy to apply these security templates

22 Security Configuration Guide - templates

23 Best Practices for Using Security Templates
- Review and modify security templates before using them
- Use security configuration and analysis tools to review template settings before applying them
- Test templates thoroughly before deploying them
- Store security templates in a secure location
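The review-then-apply-then-verify sequence from slides 20, 21 and 23, written out as a batch script. This is an added example, not part of the slide deck or of the Security Guide. It assumes the baseline template has been copied to %windir%\security\templates under the placeholder name "Member Server Baseline.inf", that it runs from an administrator command prompt on Windows Server 2003, and that the database and log paths are free to use. secedit /analyze only writes differences to its log; it changes nothing, which is what lets you review before /configure. On Windows 2000 the secedit syntax is the same, but gpresult there is the Resource Kit version with different switches.

```batch
@echo off
REM Added example (not from the slides): analyze a member server against the
REM baseline template, then apply it, then confirm what Group Policy delivered.
REM Assumptions: template file name, database and log paths are placeholders.
setlocal
set TEMPLATE=%windir%\security\templates\Member Server Baseline.inf
set DB=%windir%\security\database\msbaseline.sdb
set LOGDIR=%windir%\security\logs
if not exist "%LOGDIR%" mkdir "%LOGDIR%"

REM 1. Review (slide 23): import the template into a scratch database and
REM    compare it with the running configuration. Nothing is changed.
secedit /analyze /db "%DB%" /cfg "%TEMPLATE%" /log "%LOGDIR%\msbaseline-analyze.log"

REM    Settings that differ are flagged in the log; list them so the
REM    administrator can decide whether the template needs modifying first.
echo Settings that differ from the template:
findstr /i "mismatch" "%LOGDIR%\msbaseline-analyze.log"

REM 2. Apply (slide 21): configure only the areas the baseline template
REM    covers. /overwrite discards any template previously stored in the
REM    database, so the result is this template alone; /quiet suppresses
REM    prompts so the script can run unattended after review.
secedit /configure /db "%DB%" /cfg "%TEMPLATE%" /overwrite ^
    /areas SECURITYPOLICY USER_RIGHTS SERVICES ^
    /log "%LOGDIR%\msbaseline-configure.log" /quiet

REM 3. Verify (slide 20): when the same settings are pushed by Group Policy,
REM    gpresult shows which GPOs actually applied to the computer account.
gpresult /scope computer /v > "%LOGDIR%\gpresult-computer.txt"

echo Review %LOGDIR%\msbaseline-configure.log and %LOGDIR%\gpresult-computer.txt
endlocal
```

Run the analyze step on a test server and read the mismatch list before letting the configure step run; the areas listed after /areas correspond to the Security Options, User Rights Assignment and System Services sections the baseline template sets.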

24 Additional Recommendations for Hardening Member Servers
- Rename the built-in Administrator and Guest accounts
- Restrict access for built-in and non-operating system service accounts
- Do not configure a service to log on using a domain account unless absolutely required
- Use NTFS to secure files and folders
- Be aware that Error Reporting to Microsoft is in clear text

25 Agenda (section divider: Hardening Domain Controllers)

26 Deploying Secure Domain Controllers
- Secure the domain controller build environment
- Establish secure domain controller build practices
- Maintain physical security

27 Recommendations for Hardening Domain Controllers
REMEMBER: Domain controllers hold your “security keys”
- Disable services that are not required
- Remove unnecessary user rights to domain controllers
- Strengthen domain controller policy settings
- Use Syskey to alter how the Windows master secret is stored in Active Directory

28 Best Practices for Hardening Domain Controllers
- Use appropriate security methods to control physical access to domain controllers
- Use Syskey to alter how the Windows master secret is stored in Active Directory
- Use Group Policy to apply the Domain Controller security template to all DCs

29 Agenda (section divider: Hardening Servers for Specific Roles)

30 Using Security Templates for Specific Server Roles
- Servers that perform specific roles can be organized by OU under the Member Servers OU
- First, apply the Member Server Baseline template to the Member Servers OU
- Then, apply the appropriate role-based security template to each OU under the Member Servers OU
- Customize security templates for servers that perform multiple roles

31 Specific Roles
- Infrastructure Server (WINS/DHCP)
  - Configure DHCP logging
  - Protect against DHCP Denial of Service attacks
- File Server
  - Consider disabling DFS and FRS if they are not required
  - Secure shared files and folders by using NTFS and share permissions
- Print Server
  - Ensure that the Print Spooler service is enabled
  - Ensure that SMB signing is disabled

32 Security Configuration Wizard
Guided Attack Surface Reduction for Windows Servers
- Security coverage
  - Roles-based metaphor
  - Disables unnecessary services
  - Disables unnecessary IIS Web extensions
  - Blocks unused ports, including multi-homed scenarios
  - Helps secure ports that are left open using IPSEC
  - Reduces protocol exposure (LDAP, NTLM, SMB)
  - Configures audit settings with a high signal-to-noise ratio
- Security for mere mortals
  - Roles-based approach makes answering questions easy
  - Automated versus paper-based guidance
  - Fully tested and supported by Microsoft

33 SCW Operational Coverage
- Rollback, when applied policies disrupt service expectations
- Analysis, to check that machines are in compliance with policies
- Remotability for configuration and analysis operations
- Command-line support for remote configuration and analysis en masse
- Active Directory integration for Group Policy-based deployment
- Editing of previously created policies, when machines are repurposed
- XSL views of the knowledge base, policies and analysis results
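The operational features listed on slide 33, exercised through the SCW command-line tool. This is an added example, not from the slides or from Microsoft's SCW documentation. It assumes SCW is installed (it shipped as a Windows Server 2003 SP1 component), that a policy has already been authored with the wizard and saved as C:\SCW\FilePrint.xml (placeholder), that FILESRV01 is a placeholder server name, and that the stylesheet path under %windir%\security\msscw\TransformFiles is where SCW installed its XSL files; the account running the script needs administrative rights on the target.

```batch
@echo off
REM Added example (not from the slides): analysis, configuration, rollback
REM and Group Policy transformation with scwcmd. Policy file, server name
REM and stylesheet path are assumptions for illustration.
setlocal
set POLICY=C:\SCW\FilePrint.xml
set REPORTS=C:\SCW\Reports
if not exist "%REPORTS%" mkdir "%REPORTS%"

REM 1. Analysis: compare the remote server with the policy. The result is
REM    written as %REPORTS%\FILESRV01.xml and the machine is not changed.
scwcmd analyze /m:FILESRV01 /p:"%POLICY%" /o:"%REPORTS%"

REM 2. XSL view: render the analysis XML with the SCW analysis stylesheet so
REM    the non-compliant settings can be read without a browser extension.
scwcmd view /x:"%REPORTS%\FILESRV01.xml" /s:"%windir%\security\msscw\TransformFiles\scwanalysis.xsl"

REM 3. Remote configuration: apply the policy once the analysis is acceptable.
scwcmd configure /m:FILESRV01 /p:"%POLICY%"

REM 4. Rollback: SCW keeps the previous configuration, so a policy that broke
REM    a service the role needs can be reversed on the same machine.
REM    (Commented out; uncomment only when the configure step has to be undone.)
REM scwcmd rollback /m:FILESRV01

REM 5. Active Directory integration: convert the policy into a GPO that can be
REM    linked to the role's OU, instead of configuring servers one at a time.
scwcmd transform /p:"%POLICY%" /g:"File Server SCW Policy"
endlocal
```

For "en masse" operation the analyze and configure verbs also accept a list of machines (/i:MachineList.xml) or an OU (/ou:) in place of a single /m: target; the single-server form above is used so each step can be checked before the next runs.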

34 Hardening IIS6 Web Servers
- Apply the security settings in the IIS Server security template
- Manually configure each IIS server
  - IIS Lockdown is built into IIS 6
  - Some functionality of URLScan is built into IIS 6; however, URLScan can be installed on IIS6
- Enable only essential IIS components
  - IIS 6 is NOT installed on Windows Server 2003 by default
- Configure NTFS permissions for all folders that contain Web content
- Store Web content on a dedicated disk volume
- If possible, do not enable both the Execute and Write permissions on the same Web site
- Use IPSec filters to allow only ports 80 and 443
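The last bullet of slide 34 (and the slide 35 practice of using IPSec filtering per server role) as a concrete Windows Server 2003 netsh script. This is an added example, not part of the slides or of the Security Guide's own filter lists. It assumes the netsh ipsec static context (Windows Server 2003; Windows 2000 uses ipsecpol.exe from the Resource Kit instead) and that the server is administered at the console. The RDP permit rule is an assumption included so an administrator is not locked out when the policy is assigned; drop it if the server is managed only locally. A domain-joined web server also needs permit rules for traffic to its domain controllers and DNS servers, which the Security Guide's role filters include and this example leaves out.

```batch
@echo off
REM Added example (not from the slides): IPSec packet filter for an IIS 6
REM server that permits inbound TCP 80 and 443 and blocks everything else.
REM Policy and rule names are placeholders chosen for this example.
setlocal
set POL=Web Server Packet Filter

netsh ipsec static add policy name="%POL%" description="Permit HTTP/HTTPS, block all other traffic"

REM Filter lists describe the traffic a rule matches. "me" is the local
REM address; mirrored=yes also matches the reply packets of each connection.
netsh ipsec static add filterlist name="Web Traffic"
netsh ipsec static add filter filterlist="Web Traffic" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=80 mirrored=yes
netsh ipsec static add filter filterlist="Web Traffic" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=443 mirrored=yes

REM Remote administration (assumption: remove if the server is console-only).
netsh ipsec static add filterlist name="Remote Admin"
netsh ipsec static add filter filterlist="Remote Admin" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes

REM Catch-all list for every other protocol and port.
netsh ipsec static add filterlist name="All Other Traffic"
netsh ipsec static add filter filterlist="All Other Traffic" srcaddr=any dstaddr=me protocol=ANY mirrored=yes

REM Filter actions: permit passes packets unchanged, block silently drops them.
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add filteraction name="Block" action=block

REM Rules bind a filter list to an action. The IPSec driver applies the most
REM specific matching filter, so the port-specific permits take precedence
REM over the protocol=ANY block.
netsh ipsec static add rule name="Permit Web" policy="%POL%" filterlist="Web Traffic" filteraction="Permit"
netsh ipsec static add rule name="Permit RDP" policy="%POL%" filterlist="Remote Admin" filteraction="Permit"
netsh ipsec static add rule name="Block Rest" policy="%POL%" filterlist="All Other Traffic" filteraction="Block"

REM Assign the policy so it takes effect, then print it for verification.
netsh ipsec static set policy name="%POL%" assign=yes
netsh ipsec static show policy name="%POL%" level=verbose
endlocal
```

Verify from another host that only TCP 80 and 443 answer before relying on the filter, and keep the unassign command (netsh ipsec static set policy name="Web Server Packet Filter" assign=no) at hand for the test phase slide 23 recommends.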

35 Best Practices for Hardening Servers for Specific Roles
- Secure well-known user accounts
- Enable only services required by the role
- Enable service logging to capture relevant information
- Use IPSec filtering to block specific ports based on server role
- Modify templates as needed for servers with multiple roles

36 Event Information: What’s Next?
- Technical Roadshow Post Event Website: www.microsoft.com/uk/techroadshow/postevents
- Available from Monday 18th April
- Please complete your Evaluation Form!

37 © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary. http://www.microsoft.com/TwC

