Published by Marjory Spencer; modified over 9 years ago
Slide 1: Module 8: Manage and Configure Security
Slide 2: Module Overview
- Best Practices for Securing the Microsoft Windows Small Business Server 2008 Environment
- Windows Server Update Services (WSUS)
- Microsoft Small Business Server Best Practices Analyzer 2008
- Creating and Managing Shared Folders on the Network
- Configuring Windows Firewall with Advanced Security
Slide 3: Lesson 1: Best Practices for Securing the Windows Small Business Server 2008 Environment
- Implementing the best technological defenses
- Active security management processes
- Features and technologies in Windows Server 2008
Slide 4: Windows Small Business Server was designed as an integrated solution with security in mind
(Diagram: the single Small Business Server box hosts the roles a larger network would split across separate machines: Active Directory server, mail server, web services server, file server, database server and print server. The slide labels it a "catch-all server".)
Slide 5: Small- and Medium-sized Business (SMB) Security Checklist
- Do not use the server as a workstation
- Set passphrase policies
- Limit external access
- Install a third-party trusted certificate
- Open only needed ports
- Limit internet access
- Review third-party software before installation
- Educate end users
- Adjust Schannel protocol settings (disable obsolete SSL versions so remote access and mail do not negotiate them)
- Apply hardening guidelines
- What other guidelines can you recommend?
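The Schannel item on the checklist is the one that needs registry work rather than a console setting. The following PowerShell script is an added example, not code from the original deck: it audits the per-protocol Schannel keys on an SBS 2008 server and hard-disables SSL 2.0. It assumes PowerShell 2.0 is installed and must run elevated; the registry layout is the documented Schannel layout, where a missing key means the operating system default applies.

```powershell
# Added example (not from the original deck): audit and harden Schannel protocol
# settings on Windows Server 2008 / SBS 2008 through the registry. Run elevated;
# changes take effect after a reboot. Assumes PowerShell 2.0.

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    param([string[]]$Protocols = @('PCT 1.0', 'SSL 2.0', 'SSL 3.0', 'TLS 1.0'))
    foreach ($proto in $Protocols) {
        foreach ($side in 'Client', 'Server') {
            $key   = Join-Path $SchannelRoot "$proto\$side"
            $state = 'OS default (no key present)'
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                if ($props.Enabled -eq 0)                { $state = 'Disabled (Enabled=0)' }
                elseif ($props.DisabledByDefault -eq 1)  { $state = 'Disabled by default' }
                else                                     { $state = 'Enabled' }
            }
            New-Object PSObject -Property @{ Protocol = $proto; Side = $side; State = $state }
        }
    }
}

function Disable-SchannelProtocol {
    param([Parameter(Mandatory = $true)][string]$Protocol,
          [string[]]$Sides = @('Client', 'Server'))
    foreach ($side in $Sides) {
        $key = Join-Path $SchannelRoot "$Protocol\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 hard-disables the protocol; DisabledByDefault=1 additionally stops
        # applications that do not pick a protocol explicitly from negotiating it.
        New-ItemProperty -Path $key -Name Enabled           -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

# Before
Get-SchannelProtocolState | Format-Table Protocol, Side, State -AutoSize

# SSL 2.0 has no legitimate client left; disable it on both sides.
Disable-SchannelProtocol -Protocol 'SSL 2.0'

# SSL 3.0 is also obsolete, but test Remote Web Workplace, OWA and Outlook
# Anywhere clients before disabling it server-side:
# Disable-SchannelProtocol -Protocol 'SSL 3.0' -Sides 'Server'

# After (reboot before trusting the result; Schannel reads the keys at start-up)
Get-SchannelProtocolState | Format-Table Protocol, Side, State -AutoSize
```

The audit function is deliberately read-only, so it can be run on its own during the Best Practices Analyzer review later in this module; only Disable-SchannelProtocol writes to the registry.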
Slide 6: Additional Technological Defenses
SMB technological security protection checklist:
- Antivirus
- Antispyware
- Web content filtering
- Attachment blocking
- Application-level security controls
- Encryption
Why should an SMB consider these technological defenses?
Slide 7: Security for SMB: Active Security Management Process
Why should SMBs:
- Use Microsoft updates?
- Conduct security audits and reviews?
- Conduct monitoring?
- Write and maintain security policies?
- Have standards and procedures?
Slide 8: Windows Server 2008 Security and Protection
Security products and features available to protect the Small Business Server network:
- User Account Control (UAC)
- Encrypting File System (EFS)
- Windows BitLocker Drive Encryption
- Smart cards
- Forefront security
- Internet Protocol Security (IPsec)
Slide 9: User Account Control (UAC) Architecture
(Diagram: Explorer.exe started from a standard user logon runs with a standard user access token. An administrator logging on in Admin Approval Mode receives two tokens: a standard user access token, which Explorer.exe and everything it launches use by default, and a full administrator access token, used only after an elevation prompt.)
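The two-token model on the slide is easy to see from a shell. The script below is an added example, not part of the original deck: it reports which UAC token the current PowerShell session holds. Run it once from a normal prompt and once from an elevated prompt while logged on as an SBS administrator. It assumes PowerShell 2.0 and an English whoami.exe, whose column text it parses.

```powershell
# Added example (not from the original deck): show which of the two UAC tokens the
# current session is using. Assumes PowerShell 2.0 and an English whoami.exe.

function Get-UacTokenState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    # IsInRole() honours the token in use: it returns $false for the filtered
    # standard user token even though the account is a member of Administrators.
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami /groups exposes what the .NET API hides: in the filtered token the
    # BUILTIN\Administrators SID (S-1-5-32-544) is still listed but marked
    # "Group used for deny only", and the integrity label is Medium, not High.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $label  = $groups | Where-Object { $_.Type -eq 'Label' } | ForEach-Object { $_.'Group Name' }

    $token = if ($elevated) {
                 'Full administrator access token'
             } elseif ($admins -and $admins.Attributes -match 'deny only') {
                 'Standard user access token (filtered; admin approval mode)'
             } else {
                 'Standard user access token (account is not an administrator)'
             }

    New-Object PSObject -Property @{
        User           = $identity.Name
        Token          = $token
        IntegrityLevel = $label
        Elevated       = $elevated
    }
}

Get-UacTokenState | Format-List User, Token, IntegrityLevel, Elevated
```

From a non-elevated prompt an SBS administrator sees the filtered token with the deny-only Administrators entry and a Medium integrity label; after "Run as administrator" the same account reports the full token and High integrity. That difference is why the checklist says not to use the server as a workstation: every program launched from the elevated session inherits the full token.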
Slide 10: New Functionality in Encrypting File System (EFS)
- Windows Server 2008 and Windows Vista EFS supports storage of private keys on smart cards
- Key caching: non-cached mode and cached mode
- Smart card single sign-on (SSO) is triggered by either of these conditions:
  - The user does not have a valid EFS encryption key on the computer, and smart cards are required for EFS by policy settings
  - The user has a valid EFS encryption key that resides on the smart card used for logon
Slide 11: Windows BitLocker Drive Encryption
Combines two data-protection procedures:
- Encrypts the entire Windows operating system volume on the hard disk: data and system files, the hibernation file, the page file and temporary files (offline data protection)
- Verifies the integrity of early boot components and boot configuration data
Authentication modes:
- TPM-only mode
- PIN or USB startup key
Slide 12: Internet Protocol Security (IPsec)
IPsec in Windows provides the following benefits:
- Transparency of IPsec to users and applications
- Defense in depth against vulnerabilities in upper-layer protocols and applications
- Restricted access to servers
- Customizable security configuration
- Integrated firewall and IPsec configuration in Windows Server 2008
- Centralized IPsec policy administration through Active Directory
- Support for Public Key Infrastructure (PKI) standards
- Support for IETF standards
- Support for automatic cryptographic key management
Slide 13: Smart Cards
- Provide multi-factor authentication in combination with another method of authentication
- Key components of the public key infrastructure are integrated into the Windows platform and provide:
  - Client authentication
  - Code signing
  - Securing e-mail
Slide 14: SBS Settings to Harden Network Security
Slide 15: Lesson 2: Windows Server Update Services
- Manage Windows Server Update Services
Slide 16: Centralized vs. Decentralized Updates
- Microsoft Update (each computer downloads directly)
- Windows Server Update Services 3.0 (the server downloads once and distributes)
- The bandwidth challenge
Slide 17: Windows Server Update Services 3.0
- WSUS 3.0 management tasks
Slide 18: Configure WSUS Updates in the SBS Console
Tasks:
- Microsoft Update
- Configure server updates
- Configure client updates
- Configure schedule
- Configure included computers
- Software update settings and options
- Deploy or decline optional updates
- View deployment report
Default client schedule: every day at 3:00 AM
Slide 19: Update Levels
- High: approve all security and critical updates and all service packs for installation
- Medium (recommended): approve all security and critical updates for installation
- Low: approve all security updates for installation
- None: do not automatically approve updates
Slide 20: Demonstration: Windows Server Update Services
In this demonstration you will learn how to configure Windows Server Update Services in the SBS Console.
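The SBS Console writes the client settings from slides 18 and 19 into Group Policy, and a client that is not picking that policy up silently stays on Microsoft Update. The following script is an added example, not part of the original deck: run on a domain-joined client, it reads the Windows Update policy registry values and compares them with the console defaults (updates from the SBS server, installed every day at 3:00 AM). It assumes PowerShell 2.0; the server URL and the registry value names are the standard Windows Update policy keys, and the SBS host name in the URL is an assumption to replace with your own.

```powershell
# Added example (not from the original deck): verify the WSUS client policy that the
# SBS 2008 Group Policy objects push to a client. Assumes PowerShell 2.0.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AUKey     = "$PolicyKey\AU"
# Assumed: SBS 2008 publishes WSUS on port 8530 of the server; use your server name.
$ExpectedServer = 'http://SBS2008:8530'

# AUOptions values as defined by the "Configure Automatic Updates" policy.
$AUOptionsMeaning = @{
    2 = 'Notify before download'
    3 = 'Auto download, notify before install'
    4 = 'Auto download and schedule the install'
    5 = 'Local admin chooses the setting'
}
$Days = @('Every day', 'Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday')

function Get-WsusClientPolicy {
    if (-not (Test-Path $AUKey)) {
        throw 'No Windows Update policy applied; run gpupdate /force and check the Update Services Client Computers Policy GPO'
    }
    $wu = Get-ItemProperty -Path $PolicyKey
    $au = Get-ItemProperty -Path $AUKey
    New-Object PSObject -Property @{
        UpdateServer = $wu.WUServer
        StatusServer = $wu.WUStatusServer
        TargetGroup  = $wu.TargetGroup
        UseWsus      = ($au.UseWUServer -eq 1)
        Behaviour    = $AUOptionsMeaning[[int]$au.AUOptions]
        InstallDay   = $Days[[int]$au.ScheduledInstallDay]   # 0 = every day
        InstallHour  = [int]$au.ScheduledInstallTime          # 0-23
    }
}

function Test-WsusClientPolicy {
    $p = Get-WsusClientPolicy
    $problems = @()
    if (-not $p.UseWsus) {
        $problems += 'Client is not using the WSUS server (UseWUServer is not 1)'
    }
    if ($p.UpdateServer -ne $ExpectedServer) {
        $problems += "Update server is '$($p.UpdateServer)', expected '$ExpectedServer'"
    }
    if ($p.Behaviour -notlike 'Auto download and schedule*') {
        $problems += 'Updates are not set to install automatically (AUOptions is not 4)'
    }
    if ($p.InstallDay -ne 'Every day' -or $p.InstallHour -ne 3) {
        $problems += "Schedule is $($p.InstallDay) at $($p.InstallHour):00, expected every day at 3:00"
    }
    return $problems
}

Get-WsusClientPolicy | Format-List
$issues = Test-WsusClientPolicy
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    'Policy matches the SBS defaults; forcing a detection cycle so the client reports in'
    wuauclt /detectnow /reportnow
}
```

If the policy key is missing altogether the client has never applied the SBS GPO, which usually means it is not in the OU the SBS Console manages; that is the first thing to check before looking at the WSUS server itself.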
Slide 21: Lesson 3: Windows Small Business Server 2008 Best Practices Analyzer
- Key features of the Windows Small Business Server 2008 Best Practices Analyzer
Slide 22: What is the SBS Best Practices Analyzer (BPA)?
Technologies scanned:
- Exchange Server
- Windows Small Business Server
- Windows SharePoint Services
- Windows Server Update Services
- Windows Live OneCare
- Forefront Server Security
Slide 23: Demonstration: SBS 2008 Best Practices Analyzer
In this demonstration you will learn how to configure a scan using the Windows Small Business Server 2008 Best Practices Analyzer.
Slide 24: Lesson 4: Creating and Managing Shared Folders on the Network
- Configure a shared folder, controlling user access permissions
- Configure blocking of unwanted content in the shared folder
Slide 25: File Sharing Essentials
Standard file sharing:
- Uses NTFS permissions
- Uses share permissions
Special administrative shares:
- C$, D$ and other drive shares
- ADMIN$
- IPC$
Slide 26: Configure Share Permissions
- Full Control
- Change
- Read
Slide 27: Configure NTFS Permissions
- Full Control
- Modify
- Read & Execute
- List Folder Contents
- Read
- Write
- Special Permissions
Slide 28: Add a New Shared Folder Task
Wizard pages:
- Shared Folder Location
- NTFS Permissions
- Share Protocols
- Quota Policy
- File Screen Policy
- Review Settings and Create Share
- Confirmation
Slide 29: Add a New Shared Folder Task: SMB settings
- Server Message Block (SMB) protocol
- Access-based enumeration (ABE)
- SMB permissions: user-level and share-level
Slide 30: Add a New Shared Folder Task: Configuring quotas
What is File Server Resource Manager (FSRM)? The Windows Server 2008 role service that provides quotas, file screens and storage reports for the file server.
- Hard quotas (writes are refused at the limit)
- Soft quotas (the limit is only reported)
- Notification
- Reporting
Slide 31: Add a New Shared Folder Task: File screen policy
Built-in file screen templates:
- Block audio and video files
- Block executable files
- Block image files
- Block e-mail files
- Monitor executable and system files
Slide 32: Additional Considerations
- Granting a user the Full Control NTFS permission on a shared resource enables that user to take ownership of the folder or volume (and to change its permissions), unless the user is restricted in some other way; grant Modify where that is not intended
- To manage folder and volume access by using NTFS permissions exclusively, set the share permissions to Full Control for Everyone
- NTFS permissions affect both local and remote access and apply regardless of protocol; share permissions, by contrast, apply only to access through the shared network resource
- Share permissions do not restrict access by any local user or terminal server user
Slide 33: Additional Considerations
- By default, the Everyone group does not include the Anonymous group, so permissions applied to the Everyone group do not affect anonymous access
- Access permissions of folders or volumes that are shared for administrative purposes, such as C$ and ADMIN$, cannot be modified
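The wizard on slides 28 to 31 and the permission rules on slides 32 and 33 can be reproduced with the command-line tools that ship with Windows Server 2008, which is also the quickest way to check what the wizard actually produced. The script below is an added example and not code from the original deck. The folder path, share name, domain group, quota size and template choices are assumptions; icacls, net share, dirquota and filescrn are the built-in tools, and the file screen template names are the FSRM defaults listed on slide 31. Run elevated on the SBS server.

```powershell
# Added example (not from the original deck): provision a shared folder the way the
# Add a New Shared Folder wizard does, using the built-in tools, then verify it.
# Path, share name and group are assumptions.

$Path  = 'D:\Shares\Projects'
$Share = 'Projects'
$Group = 'CONTOSO\Project Users'   # assumed domain group

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# NTFS (slide 27 / slide 32): stop inheriting from the parent, give Administrators
# Full Control and the group Modify. Modify (M) rather than Full Control (F) means
# members cannot take ownership or rewrite the ACL. Everyone gets nothing here.
# (OI)(CI) = apply to files and subfolders. ${Group} because "$Group:" would be
# read by PowerShell as a scope qualifier.
icacls $Path /inheritance:r
icacls $Path /grant 'BUILTIN\Administrators:(OI)(CI)F' "${Group}:(OI)(CI)M"

# Share (slide 26 / slide 32): Everyone Full Control at the share level and let
# NTFS do the real work. Share permissions only apply over the network; NTFS
# applies to local, RDP and network access alike.
net share "$Share=$Path" /grant:Everyone,FULL

# FSRM (slides 30 and 31): a hard quota and an active file screen built from the
# default "Block Executable Files" template. A soft quota would use /type:soft,
# and a passive screen (monitor only) /type:passive.
dirquota quota add /path:$Path /limit:5GB /type:hard
filescrn screen add /path:$Path /sourcetemplate:"Block Executable Files"

# Verify what was created: the ACL, the share ACL, the quota and the screen.
icacls $Path
net share $Share
dirquota quota list /path:$Path
filescrn screen list /path:$Path

# Negative test for the file screen: an .exe must be refused with "access denied"
# even though the caller has Modify, because the screen is enforced by FSRM, not ACLs.
try {
    Set-Content -Path (Join-Path $Path 'setup.exe') -Value 'x' -ErrorAction Stop
    Write-Warning 'File screen did not block the executable'
} catch {
    "File screen active: $($_.Exception.Message)"
}
```

Keep the verification step: the wizard's Review Settings page shows what was requested, whereas icacls and net share show what is in force, and the two differ whenever inheritance from the parent folder was left enabled.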
Slide 34: Demonstration: Adding a Shared Folder
In this demonstration you will learn how to add a shared folder using the Shared Folder Wizard.
Slide 35: Lesson 5: Configuring Windows Firewall with Advanced Security
- Configure Windows Firewall with Advanced Security settings and rules for network security
Slide 36: Network Location-aware Host Firewall
(Diagram: the network awareness APIs classify each connection's connectivity into a network category, and the firewall applies the profile for that location.)
Network location types:
- Domain
- Private
- Public
Slide 37: WFAS Order of Rules Evaluation
(Diagram: Group Policy 1, Group Policy 2 and Group Policy 3 applied in order of precedence.)
- Local rule merge is configurable via Group Policy
- Default rules come from the highest-precedence GPO
Slide 38: Why Should SMBs Use IPsec to Protect Network Traffic?
- Protects IT assets: computers and data, against malware (viruses, Trojan horses, spyware)
- To comply with government regulations: finance (Sarbanes-Oxley), health (HIPAA), privacy (state privacy regulations)
- Protects intellectual property
Slide 39: Connection Security and IPsec
- Source authentication
- Data integrity
- Data confidentiality
Slide 40: IPsec Authentication Methods
- Preshared keys (stored in clear text in the policy; intended for testing, not production)
- Digital certificates
- Kerberos version 5 protocol (the default for domain members; no extra infrastructure needed)
Windows Server 2008 connection security rules also accept NTLMv2 computer authentication and NAP health certificates.
Slide 41: IPsec Modes
- Transport mode: secures the payload of existing packets end to end between two hosts; an L2TP/IPsec VPN uses transport mode between a client and a VPN server
- Tunnel mode: encapsulates the whole IP packet in a new one; secures site-to-site communication over an untrusted network (gateway to gateway)
Slide 42: IPsec Methods
- AH (Authentication Header): used for integrity. A keyed hash (HMAC with SHA-1 or MD5) is computed across the entire packet, including the immutable fields of the IP header; nothing is encrypted. The slide calls this a "digital signature", but it is a symmetric-key integrity check using the SA key, not a public-key signature.
- ESP (Encapsulating Security Payload): used for confidentiality. Encrypts the payload with DES or 3DES; an SHA-1 or MD5 HMAC can also be specified in ESP, covering the ESP header and payload but not the outer IP header.
- There are no dependencies between modes and methods: both transport-mode and tunnel-mode security associations can use AH, ESP, or AH and ESP together.
- Caveat: MD5 and DES are obsolete. Windows Server 2008 also offers SHA-256 and AES (128, 192 or 256 bit) for IPsec; prefer those wherever every peer supports them.
Slide 43: Basic Firewall Policy Design
Default behavior:
- Programs designed for Windows Server 2008 and Windows Vista client computers already support the default firewall behavior
- When a server program is installed that must accept unsolicited inbound network traffic, the installation program usually creates or enables the appropriate rules on the server
- The predefined rules that are already built into Windows Server 2008 and Windows Vista can be configured in a GPO
- By default, in new installations, Windows Firewall is turned on in Windows Vista, Windows Server 2008 and SBS 2008
Slide 44: Domain Isolation Policy Design
(Diagram: an isolated domain containing the SBS server and the LOB server with critical client data; a boundary zone around it; trusted non-domain members allowed in over authenticated IPsec connections; distrusted non-domain members limited to non-IPsec connections, which the isolated domain does not accept.)
Slide 45: Domain Isolation
- Protects the Small Business Server domain from unmanaged, rogue and guest PCs
- Provides the ability to identify and control communications with critical client or server PCs
- Allows a host to limit communication to domain members (managed computers)
- Requires IPsec authentication and protection for any communication with domain members (managed computers)
- Managed computers can initiate communication with managed and unmanaged computers
- Unmanaged computers cannot initiate communication with managed computers
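The isolation design on slides 44 and 45, together with the firewall defaults on slide 43, comes down to a handful of netsh advfirewall commands on each domain member. The script below is an added example and not code from the original deck: it configures one domain-joined server for the isolated domain (require inbound, request outbound, Kerberos computer authentication), adds the usual exemptions, shows the boundary-zone variant, and allows the LOB application port only over an authenticated connection. The port 8443, the rule names and the choice of ESP with SHA-1 and AES-128 are assumptions; the netsh syntax is that of Windows Server 2008. Run elevated.

```powershell
# Added example (not from the original deck): domain isolation with Windows Firewall
# with Advanced Security on a Windows Server 2008 / SBS 2008 domain member.
# Port and rule names are assumptions; adjust to the LOB application in use.

# 1. Firewall on in every profile, block unsolicited inbound, log drops for
#    troubleshooting the isolation policy.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename %systemroot%\system32\LogFiles\Firewall\pfirewall.log

# 2. Isolated domain: IPsec is REQUIRED for inbound and REQUESTED for outbound,
#    authenticated with the computer's Kerberos identity, so only domain members can
#    initiate to this host while it can still reach unmanaged machines (slide 45).
#    ESP with SHA-1 integrity and AES-128 instead of the DES/3DES/MD5 choices on
#    slide 42 (assumed; omit qmsecmethods to keep the platform default).
netsh advfirewall consec add rule name=SBS-Domain-Isolation endpoint1=any endpoint2=any `
    action=requireinrequestout auth1=computerkerb profile=domain qmsecmethods=esp:sha1-aes128

# 3. Exemptions: traffic that has to work before IPsec can negotiate (DHCP, DNS)
#    and ICMP for path diagnostics are excluded from authentication.
netsh advfirewall consec add rule name=SBS-Exempt-ICMPv4 endpoint1=any endpoint2=any protocol=icmpv4 action=noauthentication
netsh advfirewall consec add rule name=SBS-Exempt-DNS    endpoint1=any endpoint2=dns  action=noauthentication
netsh advfirewall consec add rule name=SBS-Exempt-DHCP   endpoint1=any endpoint2=dhcp action=noauthentication

# 4. Boundary zone (slide 44): a server that must still serve unmanaged PCs only
#    REQUESTS authentication, so it falls back to clear text. Use this instead of
#    step 2 on boundary hosts, never both on the same host.
# netsh advfirewall consec add rule name=SBS-Boundary-Zone endpoint1=any endpoint2=any `
#     action=requestinrequestout auth1=computerkerb profile=domain

# 5. LOB application: allow the port only over an authenticated IPsec connection
#    ("allow only secure connections"), and only in the domain profile.
netsh advfirewall firewall add rule name=SBS-LOB-App-IPsec-Only dir=in action=allow `
    protocol=TCP localport=8443 profile=domain security=authenticate

# 6. Verify the rules, then watch main-mode SAs appear as domain members connect.
netsh advfirewall consec show rule name=all
netsh advfirewall firewall show rule name=SBS-LOB-App-IPsec-Only
netsh advfirewall monitor show mmsa
```

Test it from both sides, as the lab asks: a domain member should connect to port 8443 and show up under the main-mode SAs, while a workgroup machine on the same subnet gets no response, and its attempt appears in pfirewall.log as a dropped packet. If the isolated host also loses DNS or DHCP, the exemption rules in step 3 were not applied.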
Slide 46: Lab: Securing the Windows Small Business Server Using Best Practices
- Exercise 1: Configure distribution of updates and hotfixes using Microsoft Windows Server Update Services
- Exercise 2: Create a shared folder
- Exercise 3: Design an isolation policy
- Exercise 4: Configure Windows Firewall settings
Logon information:
- Virtual machines: SBS 2008 Server, Vista Office
- User name: Gregory
- Password: Pa$$w0rd
Estimated time: 60 minutes
Slide 47: Lab Scenario
- You will configure patch management on the SBS 2008 server to download at a scheduled time and configure distribution options for domain-joined clients.
- You need to configure a new volume and provision shared folders, configure permissions, and enable file screening for the shared folders. You will then test access to the shared folders.
- A. Datum would like you to design a secure domain isolation policy that complies with government regulations.
- You need to configure the Windows Firewall rules to request authentication for inbound network traffic, and test the isolation policy.
Slide 48: Lab Review
- When configuring WSUS for SBS, where are the updates stored?
- Can individual client computers be excluded from receiving updates?
- What tool should be used to create a new shared folder?
- What files can be configured using the file screen policy?
- What authentication methods are available when configuring an IPsec policy?
Slide 49: Module Summary
In this module, you have learned about:
- Security components that are installed by default in Microsoft Windows Small Business Server 2008, as well as security features available in Windows Server 2008 and available for download from TechNet (the SBS 2008 BPA), which allow the implementation of important security elements in the IT infrastructure.
- Group policies that define user and computer configurations for groups of users and computers, and enforce these settings on and off the network.
- Accessing and using these features to manage specific aspects of the overall security design.
- Managing the protection of the server using a host firewall and IPsec in combination.
Slide 50: Module Review and Takeaways
- Review questions
- Common issues and troubleshooting tips
- Real-world issues and scenarios
- Best practices
- Tools