Presentation is loading. Please wait.

Presentation is loading. Please wait.

Implementing Server Security on Windows 2000 and Windows Server 2003

Published byAbigail Hubbard Modified over 8 years ago

Similar presentations

Presentation on theme: "Implementing Server Security on Windows 2000 and Windows Server 2003"— Presentation transcript:

1 Implementing Server Security on Windows 2000 and Windows Server 2003
Dave Sayers Technology Specialist Microsoft UK

2 Session Prerequisites
Hands-on experience with Windows 2000 Server or Windows Server 2003 Experience with Windows management tools Knowledge of Active Directory and Group Policy concepts Level

3 Introduction to Securing Servers
Core Server Security Active Directory Security Hardening Member Servers Hardening Servers for Specific Roles Hardening Stand-Alone Servers

4 Security Challenges for Small and Medium-Sized Businesses
Servers with a Variety of Roles Limited Resources to Implement Secure Solutions Internal or Accidental Threat Older Systems in Use Physical Access Negates Many Security Measures Lack of Security Expertise Legal Consequences

5 Fundamental Security Trade-Offs
Usability Low Cost

6 Core Server Security Introduction to Securing Servers
Active Directory Security Hardening Member Servers Hardening Servers for Specific Roles Hardening Stand-Alone Servers

7 Core Server Security Practices
Restrict physical and network access to servers Restrict Privileged Users Use Group Policy to harden servers Apply the latest service pack and all available security patches

8 Active Directory Security
Introduction to Securing Servers Core Server Security Active Directory Security Hardening Member Servers Hardening Servers for Specific Roles Hardening Stand-Alone Servers

9 Process for Securing Active Directory
Establish Secure AD Boundaries Deploy Secure Domain Controllers Establish Secure Domain and Domain Controller Policies Establish Secure Administrative Practices Secure DNS Establish Secure Domain Controller Operations Establish Active Directory Security Monitoring Establish a Recovery Plan for Active Directory Attacks

10 Security Boundaries Forest is a security boundary in Active Directory
A domain is an administrative boundary Autonomy and isolation via additional forest AD domains different than NT4.0 domains Share config, schema, GC Certain assumptions about trust between KDCs Domains do not provide complete isolation from malicious service admins Any person with physical access to a domain controller can elevate themselves to service admin Restrict physical access to DCs in a manner equivalent to restricting who gets to be a service admin

11 Deploy Secure DCs Build in a secure location
Deploy only to secure locations Ensure process is secure and repeatable – for example Install Windows 2003 Server with the latest hot fixes Disable LM Hash Disable unnecessary services Run virus-scanning software on the server Select secure domain controller promotion settings Protect LDAP traffic between domain controllers and administrative workstations Create a reserve file to enable recovery from potential disk-space denial-of-service attacks

12 Secure Policies Domain Policy Domain Controller Policies
Password Policies Account Lockout Kerberos Policies Domain Controller Policies User Rights Policy Auditing Security Options Event Log Settings

13 Secure Administrative Practices
Limit the number of service administrators Separate Admin accounts and User accounts Hide the Administrator account Create a controlled OU subtree (block inheritance) Smart card Logon Controlled Administrative workstations

14 Secure DNS Use secure dynamic updates Ensure DNS Admins are trusted
Use forwarders instead of secondary zones Restrict zone transfer

15 Establish Secure DC Operations
Publish Backup Policies Store DC backup media in a secure location Never disable virus scanner on DCs or administrative workstations Exclude SYSVOL and AD database locations Hotfixes and Service Packs

16 Monitoring Monitor for all security sensitive changes Schema
Audit additions, defunctions and modifications to the schema Configuration NC Creation of domains Modification of LDAP Policies Modification of dsheuristics attribute Domain NC Domain wide policy implemented Migration of SIDhistory

17 Recovery Plan Use NTDSutil to remove breached DC
Reset Service Admin Passwords Change all user account passwords Review audit trail Review membership of all service administrator groups Review installed software on DCs and Admin workstations

18 Group Policy Management Console
Group Policy Results Reporting after policy has applied Group Policy Modeling Allows What-If Scenarios Backup/Restore capabilities Import/Export capabilities Testing

19 Using GPMC

20 Active Directory Security
Additional Features : Object ACLs DSQuotas SID Filtering Gotchas Watch out for Drag and Drop functionality in Active Directory Users & Computers

21 Selective Authentication
Restricts connections across a trust to certain users/groups Require ‘Allowed to authenticate’ permission on resource server Property of the trust Requires Windows 2003 Native Mode forest But external domain can be Windows 2000 Also referred to as “Authentication Firewall” Useful to restrict amount of collaboration

22 Creating a Forest Trust with Selective Authentication

23 Establishing a Role-Based OU Hierarchy
Domain Policy Domain Domain Engineering Member Server Baseline Policy Member Servers Domain Controllers Domain Controller Policy Print Server Policy File Server Policy IIS Server Policy Print Servers File Servers Web Servers Operations Admin Web Service Admin An OU hierarchy based on server roles: Simplifies security management issues Applies security policy settings to servers and other objects in each OU

24 Administrative Best Practices
Distinguish between service and data administrative roles Take steps to secure administrative accounts Delegate the minimum permissions required

25 Hardening Member Servers
Introduction to Securing Servers Core Server Security Active Directory Security Hardening Member Servers Hardening Servers for Specific Roles Hardening Stand-Alone Servers

26 Server Hardening Overview
Infrastructure Servers File and Print Servers Securing Active Directory Apply Member Server Baseline Settings IIS Servers Apply Incremental Role-Based Security Settings RADIUS (IAS) Servers Certificate Services Servers Bastion Hosts

27 Member Server Baseline Security Template
Modify and apply the Member Server Baseline security template to all member servers Settings in the Member Server Baseline security template: Audit Policy User Rights Assignment Security Options Event Log System Services

28 Common Server Settings
Limit use of blank passwords to console only Shut down system immediately if unable to log security events Restrict media access Require LDAP Signing Always digitally encrypt or sign secure channel data Previous logons to cache Digitally sign communications LAN Manager Authentication level Clear Virtual Memory pagefile

29 Configuring Security Templates

30 Best Practices for Using Security Templates
Review and modify security templates before using them Use Security Configuration and Analysis tool to review template settings before applying them Test templates thoroughly before deploying them Store security templates in a secure location Use GPMC – Import/Export and RSoP

31 Hardening Servers for Specific Roles
Introduction to Securing Servers Core Server Security Active Directory Security Hardening Member Servers Hardening Servers for Specific Roles Hardening Stand-Alone Servers

32 Hardening File Servers
Apply the security settings in the File Server security template Manually configure additional settings on each file server: Disable DFS and FRS if not required Secure all shared files and folders by using NTFS and share permissions Enable auditing of critical files Restrict ports by using IPSec filters

33 Hardening Print Servers
Apply the security settings in the Print Server security template Manually configure additional settings on each print server: Ensure that the Print Spooler service is enabled Set permissions on the printers Restrict ports by using IPSec filters

34 Hardening IIS Servers (Part 1)
Apply the security settings in the IIS Server security template If possible, upgrade Web servers to Windows Server 2003 and IIS 6.0 Install and run the IIS Lockdown Wizard and configure URLScan to help secure IIS 4.x and 5.x installations

35 Hardening IIS Servers (Part 2)
Enable only essential IIS components Install IIS and store Web content on a dedicated disk volume Configure NTFS permissions for all folders that contain Web content Take care with write permissions Use Logging Use IPSec filters to allow only TCP Port 80 and Port 443

36 Best Practices for Hardening Servers for Specific Roles
Secure service accounts and well-known user accounts Enable only services required by role Enable service logging to capture relevant information Use IPSec filtering to block all ports except the specific ports needed, based on server role Modify security templates as needed for servers with multiple roles

37 Hardening Stand-Alone Servers
Introduction to Securing Servers Core Server Security Active Directory Security Hardening Member Servers Hardening Servers for Specific Roles Hardening Stand-Alone Servers

38 Applying Security Templates on Stand-Alone Servers
You must manually apply security settings to each stand-alone server You may need to create a customized security template for each stand-alone server Use the Security Configuration and Analysis tool, Secedit, or GPEdit.msc to apply security template settings on stand-alone servers

39 Best Practices for Hardening Stand-Alone Servers
Create a customized security template for each type of stand-alone server Enable only services required by role Enable service logging to capture relevant information Use IPSec filters to restrict ports based on server role

40 Session Summary Introduction to Securing Servers Core Server Security
Active Directory Security Hardening Member Servers Hardening Servers for Specific Roles Hardening Stand-Alone Servers

41 Additional Security Software Restriction Policies Security Settings

42 What Is Software Restriction Policy?
A policy-driven mechanism that identifies and controls software on a client computer Can be used to fight viruses and to ensure that only approved software can be run on computers Two components: A default rule for which programs can run An inventory of exceptions to the default rule

43 How Software Restriction Policy Works
Use Group Policy Editor to define the policy for the site, domain, or OU 1 Policy is downloaded and applied to a computer 2 Policy is enforced by the operating system when software is run 3

44 Four Rules for Identifying Software
Hash Rule Compares the MD5 or SHA1 hash of a file to the one attempting to run Use when you want to allow or prohibit a certain version of a file from being run Certificate Rule Checks for digital signature on application (for example, Authenticode) Use when you want to restrict both Win32 applications and ActiveX content Path Rule Compares path of file being run to an allowed path list Use when you have a folder with many files for the same application Essential when SRPs are strict Internet Zone Rule Controls how Internet Zones can be accessed Use in high-security environments to control access to Web applications

45 Next Steps Find additional security training events:
Sign up for security communications: default.mspx Order the Security Guidance Kit: default.mspx Get additional security tools and content:

46 © 2003 Microsoft Limited. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Download ppt "Implementing Server Security on Windows 2000 and Windows Server 2003"

Similar presentations

Auditing Microsoft Active Directory

Auditing Microsoft Active Directory
Welcome to the GIG Event 1. MICROSOFT ACTIVE DIRECTORY SERVICES Presenter: Avinesh MCP, MCTS 2.

Welcome to the GIG Event 1. MICROSOFT ACTIVE DIRECTORY SERVICES Presenter: Avinesh MCP, MCTS 2.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
Paula Kiernan Senior Consultant Ward Solutions

Paula Kiernan Senior Consultant Ward Solutions
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.

Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
3.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.

3.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 14: Windows Server 2003 Security Features.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 14: Windows Server 2003 Security Features.
12.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

12.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 14: Windows Server 2003 Security Features.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 14: Windows Server 2003 Security Features.
Administering Active Directory

Administering Active Directory
Implementing Server Security on Windows 2000 and Windows Server 2003 Steve Lamb Technical Security Advisor

Implementing Server Security on Windows 2000 and Windows Server 2003 Steve Lamb Technical Security Advisor
Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.

Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.
Understanding Active Directory

Understanding Active Directory

Similar presentations

Ads by Google