
Implementing Server Security on Windows 2000 and Windows Server 2003






Presentation Transcript


  1. Implementing Server Security on Windows 2000 and Windows Server 2003 Steve Lamb Technical Security Advisor http://blogs.msdn.com/steve_lamb stephlam@microsoft.com

  2. Agenda • Prescriptive Guidance • Introduction to Server Security • Securing Active Directory • Hardening Member Servers • Hardening Domain Controllers • Hardening Servers for Specific Roles • Hardening Stand-Alone Servers

  3. Security Guidance Centre • http://www.microsoft.com/security/guidance/default.mspx

  4. Prescriptive Guidance- Server Security http://www.microsoft.com/technet/Security/topics/serversecurity.mspx

  5. W2K3 Security Guide: Free download from <http://go.microsoft.com/fwlink/?linkid=14846>. Copy templates from the “Security Templates” directory to “\windows\security\templates”

  6. Security Configuration Guide - Templates Access the “Security Templates” via the Microsoft Management Console

  7. Agenda • Prescriptive Guidance • Introduction to Server Security • Securing Active Directory • Hardening Member Servers • Hardening Domain Controllers • Hardening Servers for Specific Roles • Hardening Stand-Alone Servers

  8. Security Considerations • Limited resources to implement secure solutions • Servers with a variety of roles • Internal or accidental threat • Lack of security expertise • Physical access negates many security procedures • Older systems in use • Legal consequences

  9. Defense in Depth • Using a layered approach • Increases an attacker’s risk of detection • Reduces an attacker’s chance of success. Layers shown in the diagram, outermost to innermost: Policies, Procedures, & Awareness (user education) • Physical Security (guards, locks, tracking devices) • Perimeter (firewalls, VPN quarantine) • Internal Network (network segments, IPSec, NIDS) • Host (OS hardening, patch management, authentication, HIDS) • Application (application hardening, antivirus) • Data (ACL, encryption)

  10. Agenda • Prescriptive Guidance • Introduction to Server Security • Securing Active Directory • Hardening Member Servers • Hardening Domain Controllers • Hardening Servers for Specific Roles • Hardening Stand-Alone Servers

  11. Active Directory Components • Forest • Domain • Organizational Unit • Site • User account • Security group • Group Policy • Security Templates

  12. Planning Active Directory Security • Analyze the environment • Intranet datacenter • Branch office • Extranet datacenter • Perform threat analysis • Identify threats to Active Directory • Identify types of threats • Identify sources of threats • Implement a deterrent to each identified threat • Establish contingency plans

  13. Establishing Secure Active Directory Boundaries • Specify security and administrative boundaries • Select an Active Directory structure based on delegation requirements • Establish secure collaboration with other forests

  14. Establishing a Role-Based OU Hierarchy • An OU hierarchy based on server roles: • Simplifies security management issues • Applies security policy settings to servers and other objects in each OU. Diagram labels: Domain Policy applied to the Engineering Domain; beneath it, a Domain Controllers OU (Domain Controller Policy) and a Member Servers OU (Member Server Baseline Policy) containing Print Servers (Print Server Policy, Operations Admin), File Servers (File Server Policy, Operations Admin) and Web Servers (IIS Server Policy, Web Service Admin)

  15. Agenda • Prescriptive Guidance • Introduction to Server Security • Securing Active Directory • Hardening Member Servers • Hardening Domain Controllers • Hardening Servers for Specific Roles • Hardening Stand-Alone Servers

  16. Server Hardening Overview • Apply baseline security settings to all member servers • Apply additional settings for specific server roles • Use GPResult to ensure that settings are applied correctly • “Windows Server 2003 Security Guide” on microsoft.com. Hardening procedures (diagram): Securing Active Directory → Apply Member Server Baseline Policy → Apply Incremental Role-Based Security Settings to Infrastructure Servers, File & Print Servers, IIS Servers, Certificate Services Servers, Bastion Hosts and RADIUS (IAS) Servers

  17. Member Server Baseline Security Template • Modify and apply the Member Server Baseline security template to all member servers • Settings in Member Server Baseline security template: • Audit Policy • User Rights Assignment • Security Options • Event Log • System Services • Use Group Policy to apply these security templates

  18. Security Configuration Guide- templates

  19. Best Practices for Using Security Templates • Review and modify security templates before using them • Use security configuration and analysis tools to review template settings before applying them • Test templates thoroughly before deploying them • Store security templates in a secure location
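The review-before-apply step from slides 17 and 19, as an added example that is not part of the presentation or of the Security Guide itself. It uses secedit, the command-line half of the Security Configuration and Analysis tool, to compare a server with a template without changing anything, lists the differences, and only applies the template when explicitly told to. The template file name, the working directory and the exact wording of the analysis log are assumptions; the template location is the one slide 5 gives.

```powershell
# Added example, not from the presentation: review a security template against a
# server's current state with secedit before applying it, then apply and verify.
# Assumes the templates were copied to %windir%\security\templates (slide 5);
# the template file name and the working directory are assumptions.
param(
    [string]$TemplateName = 'Member Server Baseline.inf',   # assumed file name
    [string]$WorkDir      = 'C:\SecurityAudit',            # assumed scratch directory
    [switch]$Apply                                         # analyze only unless set
)

$template = Join-Path (Join-Path $env:windir 'security\templates') $TemplateName
$db       = Join-Path $WorkDir 'baseline.sdb'
$log      = Join-Path $WorkDir 'baseline-analysis.log'

if (-not (Test-Path $template)) { throw "Template not found: $template" }
if (-not (Test-Path $WorkDir))  { New-Item -ItemType Directory -Path $WorkDir | Out-Null }
if (Test-Path $db) { Remove-Item $db }   # start from a clean database each run

# 1. Analyze: import the template into a fresh database and compare it with the
#    live configuration. This step changes nothing on the server.
secedit /analyze /db $db /cfg $template /log $log /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /analyze failed with exit code $LASTEXITCODE" }

# 2. Report differences. The analysis log flags settings that differ from the
#    template as "Mismatch" and settings the template defines but the server does
#    not as "Not Configured". That wording is an assumption about the log format;
#    if the filter returns nothing, open the log and adjust the pattern.
$findings = Get-Content $log | Where-Object { $_ -match 'Mismatch|Not Configured' }
Write-Host ("{0} setting(s) differ from the template:" -f @($findings).Count)
$findings | ForEach-Object { Write-Host "  $_" }

# 3. Apply only when explicitly asked, after the findings have been reviewed.
if ($Apply) {
    secedit /configure /db $db /cfg $template /overwrite /log $log /quiet
    if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE" }

    # 4. Confirm what the computer actually ended up with (slide 16: use GPResult).
    #    Local template settings are overridden by domain Group Policy, so the
    #    resultant set of policy is the authoritative view.
    gpresult /scope computer /v
}
```

Run it as a local administrator on a test server first, as slide 19 recommends; the analysis alone is safe to run anywhere, while `-Apply` rewrites local security policy. For domain members the slides' preferred path is Group Policy (slide 17), so a locally applied template is best treated as a pilot, and GPResult is what tells you which settings the domain policy finally imposed.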

  20. Additional Recommendations for Hardening Member Servers • Rename the built-in Administrator and Guest accounts • Restrict access for built-in and non-operating system service accounts • Do not configure a service to log on using a domain account unless absolutely required • Use NTFS to secure files and folders • Be aware that Error Reporting to Microsoft is in clear text.
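A read-only audit for the first three points on slide 20, added here as an example and not taken from the presentation. Built-in accounts are identified by their relative ID (500 for Administrator, 501 for Guest) rather than by name, so the check still finds them after a rename; the second part lists services whose logon identity is a domain account so each can be justified. The script assumes WMI access to the target and that the caller is a local administrator; the computer name parameter is an assumption.

```powershell
# Added example, not from the presentation: audit a member server against the
# slide 20 recommendations. Reports whether the built-in Administrator (RID 500)
# and Guest (RID 501) accounts still carry their default names and lists services
# configured to log on with a domain account. Makes no changes.
# Assumes WMI access and local administrator rights; $Computer is an assumption.
param([string]$Computer = '.')

# Built-in accounts are matched by RID, so a rename does not hide them from the check.
$local = Get-WmiObject -Class Win32_UserAccount -ComputerName $Computer -Filter "LocalAccount = True"
foreach ($acct in $local) {
    switch -regex ($acct.SID) {
        '-500$' {
            if ($acct.Name -eq 'Administrator') { Write-Host "WARN: built-in Administrator account not renamed" }
            else { Write-Host ("OK:   built-in Administrator is named '{0}'" -f $acct.Name) }
        }
        '-501$' {
            if ($acct.Name -eq 'Guest') { Write-Host "WARN: built-in Guest account not renamed" }
            else { Write-Host ("OK:   built-in Guest is named '{0}'" -f $acct.Name) }
            if (-not $acct.Disabled) { Write-Host "WARN: built-in Guest account is enabled" }
        }
    }
}

# A service that logs on with a domain account keeps that account's password on
# the server, so a compromised server yields a domain credential. Each such
# service should be justified (slide 20). Built-in identities are skipped.
$cs      = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $Computer
$domain  = $cs.Domain.Split('.')[0]     # NetBIOS form, as it appears in StartName
$builtin = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
Get-WmiObject -Class Win32_Service -ComputerName $Computer |
    Where-Object { $_.StartName -and ($builtin -notcontains $_.StartName) } |
    Where-Object { $_.StartName -like "$domain\*" -or $_.StartName -like '*@*' } |
    Sort-Object StartName |
    ForEach-Object {
        Write-Host ("REVIEW: service '{0}' logs on as {1} (state: {2})" -f $_.Name, $_.StartName, $_.State)
    }
```

Run it against each server in the Member Servers OU and keep the output with the change record; a `REVIEW` line is not a finding by itself, but it is the list of accounts whose permissions slide 20 asks you to restrict and whose necessity you should be able to state.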

  21. Agenda • Prescriptive Guidance • Introduction to Server Security • Securing Active Directory • Hardening Member Servers • Hardening Domain Controllers • Hardening Servers for Specific Roles • Hardening Stand-Alone Servers

  22. Deploying Secure Domain Controllers • Secure the domain controller build environment • Establish secure domain controller build practices • Maintain physical security

  23. Recommendations for Hardening Domain Controllers • REMEMBER: Domain controllers hold your “security keys” • Disable services that are not required • Remove unnecessary user rights to domain controllers • Strengthen domain controller policy settings • Use Syskey to alter how the Windows master secret is stored in Active Directory

  24. Best Practices for Hardening Domain Controllers • Use appropriate security methods to control physical access to domain controllers • Use Syskey to alter how the Windows master secret is stored in Active Directory • Use Group Policy to apply the Domain Controller security template to all DCs

  25. Agenda • Prescriptive Guidance • Introduction to Server Security • Securing Active Directory • Hardening Member Servers • Hardening Domain Controllers • Hardening Servers for Specific Roles • Hardening Stand-Alone Servers

  26. Using Security Templates for Specific Server Roles • Servers that perform specific roles can be organized by OU under the Member Servers OU • First, apply the Member Server Baseline template to the Member Servers OU • Then, apply the appropriate role-based security template to each OU under the Member Servers OU • Customize security templates for servers that perform multiple roles

  27. Specific Roles • Infrastructure Server (WINS\DHCP) • Configure DHCP Logging • Protect against DHCP Denial of Service attacks • File Server • Consider disabling DFS and FRS if they are not required • Secure shared files and folders by using NTFS and share permissions • Print Server • Ensure that the Print Spooler service is enabled • Ensure that SMB signing is disabled

  28. Security Configuration Wizard • Guided Attack Surface Reduction for Windows Servers • Security Coverage • Roles-Based Metaphor • Disables Unnecessary Services • Disables Unnecessary IIS Web Extensions • Blocks unused Ports, including multi-homed scenarios • Helps Secure Ports that are left open using IPSEC • Reduces protocol exposure (LDAP, NTLM, SMB) • Configures Audit Setting with high Signal to Noise • Security for mere mortals • Roles-based makes answering questions easy • Automated versus Paper-Based Guidance • Fully tested and supported by Microsoft

  29. SCW Operational Coverage • Rollback, when applied policies disrupt service expectation • Analysis, to check that machines are in compliance with policies • Remotability for configuration and analysis operations • Command Line Support for remote config and analysis en masse • Active Directory Integration for Group Policy-based deployment • Editing of previously created policies, when machines are repurposed • XSL Views of Knowledge base, policies and analysis results
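The operational items on slides 28 and 29 (remote analysis, command-line use, XSL views, Group Policy deployment, rollback) all map onto the scwcmd tool that ships with the Security Configuration Wizard on Windows Server 2003 SP1. The script below is an added example, not from the presentation: it checks a list of servers against a saved SCW policy, opens the XSL-rendered result for each, and converts the policy to a GPO only when asked and only if every analysis succeeded. The policy path, server names, output directory and GPO name are assumptions.

```powershell
# Added example, not from the presentation: drive the Security Configuration
# Wizard from the command line (scwcmd, Windows Server 2003 SP1) to analyze a set
# of servers against a saved SCW policy, view the reports, and, on request,
# convert the policy to a GPO for Group Policy-based deployment (slide 29).
# Policy path, server names, output directory and GPO name are assumptions.
param(
    [string]$Policy    = 'C:\SCW\IISServer.xml',   # policy saved from the SCW UI (assumed path)
    [string[]]$Servers = @('WEB01', 'WEB02'),      # assumed server names
    [string]$OutDir    = 'C:\SCW\Results',         # assumed output directory
    [string]$GpoName   = 'SCW-IIS-Server',         # assumed GPO name
    [switch]$Transform                             # create the GPO only when asked
)
if (-not (Test-Path $Policy)) { throw "SCW policy not found: $Policy" }
if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }

# 1. Analysis only: compares each machine with the policy and writes
#    <server>.xml into $OutDir without changing the machine.
$failed = @()
foreach ($s in $Servers) {
    scwcmd analyze /m:$s /p:$Policy /o:$OutDir
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "scwcmd analyze against $s returned exit code $LASTEXITCODE"
        $failed += $s
    }
}

# 2. Render each result in the browser. scwcmd view applies the XSL stylesheet
#    that matches the XML type; /s: can name a different stylesheet.
foreach ($s in $Servers) {
    $result = Join-Path $OutDir "$s.xml"
    if (Test-Path $result) { scwcmd view /x:$result }
    else { Write-Warning "no analysis result for $s" }
}

# 3. Deployment path: once the reports are reviewed, turn the policy into a GPO
#    and link it to the role OU with GPMC. Refuses to continue if any analysis
#    failed, so a half-checked policy is never pushed to the domain.
if ($Transform) {
    if ($failed.Count -gt 0) { throw ("analysis failed on: " + [string]::Join(', ', $failed)) }
    scwcmd transform /p:$Policy /g:$GpoName
}

# Rollback of a direct 'scwcmd configure /m:<server> /p:<policy>' is
# 'scwcmd rollback /m:<server>'; a GPO-based deployment is reverted by unlinking the GPO.
```

Remote analysis needs administrative rights on each target (scwcmd accepts `/u:` and `/pw:` when the current credentials are not enough). The analysis step is the "compliance" view from slide 29 and is safe to run repeatedly; `configure` and `transform` are the steps that change machines, and the rollback command exists precisely because a policy that disables the wrong service shows up only once it is applied.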

  30. Hardening IIS6 Web Servers • Apply the security settings in the IIS Server security template • Manually configure each IIS server • IIS Lockdown is built into IIS 6 • Some functionality of URLScan is built into IIS 6; URLScan can still be installed on IIS 6 • Enable only essential IIS components • IIS 6 is NOT installed on Windows Server 2003 by default • Configure NTFS permissions for all folders that contain Web content • Store Web content on a dedicated disk volume • If possible, do not enable both the Execute and Write permissions on the same Web site • Use IPSec filters to allow only ports 80 and 443
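The last bullet on slide 30 (and the IPSec filtering item on slide 31), as an added example that is not part of the presentation: a policy built with the Windows Server 2003 `netsh ipsec static` commands that permits only TCP 80 and 443 to the host and blocks everything else. Policy, filter list and rule names are assumptions. One practical caveat the bullet does not mention: a block-all filter on a domain member also cuts off its domain controllers, so the script takes a list of addresses to exempt and creates the policy unassigned unless told otherwise, so it can be inspected before it takes effect.

```powershell
# Added example, not from the presentation: build the packet filter slide 30
# describes (only TCP 80 and 443 reachable on this host) with the Windows
# Server 2003 "netsh ipsec static" commands. Names are assumptions.
# Everything else is blocked, so a member server also needs its domain
# controllers and any management hosts permitted or it loses Kerberos, LDAP
# and Group Policy; pass those addresses in -Exempt.
param(
    [string[]]$Exempt = @(),     # e.g. domain controller and management addresses
    [switch]$Assign              # created unassigned unless set, so it can be reviewed first
)
$policy = 'IISServerPacketFilter'   # assumed policy name (no spaces, so no quoting issues)

# Filter actions: plain permit and block, no IPSec negotiation.
netsh ipsec static add filteraction name=Permit action=permit
netsh ipsec static add filteraction name=Block  action=block

# The policy object that the rules below hang off.
netsh ipsec static add policy name=$policy description=Allow-only-HTTP-HTTPS-to-this-host

# Filter list 1: web traffic to this host. mirrored=yes also matches the replies.
netsh ipsec static add filterlist name=WebTraffic
netsh ipsec static add filter filterlist=WebTraffic srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=80  mirrored=yes description=HTTP
netsh ipsec static add filter filterlist=WebTraffic srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=443 mirrored=yes description=HTTPS

# Filter list 2: hosts this server must still talk to (domain controllers, monitoring).
if ($Exempt.Count -gt 0) {
    netsh ipsec static add filterlist name=ExemptHosts
    foreach ($ip in $Exempt) {
        netsh ipsec static add filter filterlist=ExemptHosts srcaddr=$ip dstaddr=me protocol=any mirrored=yes description=Exempt-$ip
    }
}

# Filter list 3: everything else addressed to this host.
netsh ipsec static add filterlist name=AllOtherTraffic
netsh ipsec static add filter filterlist=AllOtherTraffic srcaddr=any dstaddr=me protocol=any mirrored=yes description=CatchAll

# Rules. IPSec applies the most specific matching filter, so the permit rules
# win for 80/443 and the exempt hosts while the catch-all blocks the rest.
netsh ipsec static add rule name=PermitWeb policy=$policy filterlist=WebTraffic filteraction=Permit
if ($Exempt.Count -gt 0) {
    netsh ipsec static add rule name=PermitExemptHosts policy=$policy filterlist=ExemptHosts filteraction=Permit
}
netsh ipsec static add rule name=BlockAllOther policy=$policy filterlist=AllOtherTraffic filteraction=Block

# Assign (activate) only when asked; show the result either way for review.
if ($Assign) { netsh ipsec static set policy name=$policy assign=y }
netsh ipsec static show policy name=$policy level=verbose
```

Test with `-Exempt` listing the domain controllers and your management station on a lab server before assigning on a production web server, and keep console access available: an IPSec policy that blocks the wrong traffic also blocks the remote session you would use to fix it. `netsh ipsec static set policy name=IISServerPacketFilter assign=n` deactivates it, and `netsh ipsec static delete policy name=IISServerPacketFilter` removes it.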

  31. Best Practices for Hardening Servers for Specific Roles • Secure well-known user accounts • Enable only services required by role • Enable service logging to capture relevant information • Use IPSec filtering to block specific ports based on server role • Modify templates as needed for servers with multiple roles

  32. Event Information: What’s Next? Technical Roadshow Post Event Website www.microsoft.com/uk/techroadshow/postevents Available from Monday 18th April Please complete your Evaluation Form!

  33. http://www.microsoft.com/TwC © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
