
Windows Server 2003 Security



Presentation Transcript


  1. Windows Server 2003 Security Donald E. Hester CISSP, CISA, MCT, MCSE, MCSA, MCDST, Security+, CTT+, MV Maze & Associates San Diego City College Los Medanos College

  2. What we are looking at today

  3. Priority Shift • Access was a top priority • Open-by-default • Start with everything open and then start locking down as needed • Control is now a top priority • Closed-by-default • Start with everything closed and open only what is needed

  4. Security Enhancements

  5. Server 2003 Defaults • IIS – Internet Information Services • IIS is not installed by default • When you install IIS 6 it is locked down • More startup services are disabled in 2003 • Everyone Group • No longer has full control; it has read and execute • No longer includes anonymous users

  6. Server 2003 Defaults • Accounts with null passwords are console-bound • Software restriction policies • Hash rule • Path rule • Certificate rule • Internet Zone rule • Protected EAP (PEAP) • Detailed security auditing

  7. File System • NTFS • Permissions & auditing • EFS - Encrypted File System (multiple users) • VSS - Volume Shadow Copy (Server 2003) • Quotas • ABE (Server 2003 SP1) • Future developments WinFS • Won’t be in Longhorn

  8. ABE (Access-Based Enumeration)

  9. Internet Connection Firewall Windows Firewall

  10. ICF vs. Windows Firewall • Boot-time security • Global configuration • Audit logging • Scope restrictions • Command-line support • Program-based exceptions • Multiple profiles • Unattended setup support • Enhanced multicast and broadcast support • IPv6 support • New Group Policy support

  11. PSSU (Post-Setup Security Updates) • Service Pack 1 enhancement • Protects the computer until it can update • Uses Windows Firewall

  12. DEP (Data Execution Prevention) • Prevents malicious software from executing rather than erroring out and potentially crashing the system • Hardware-enforced DEP • Protects memory locations • The no-execute page-protection (NX) processor feature as defined by AMD • The Execute Disable Bit (XD) feature as defined by Intel • Software-enforced DEP • Protects system binaries and exception handling • Software built with SafeSEH

  13. TCP/IP protection • Enhancements: • Smart TCP port allocation • SYN attack protection is enabled by default • New SYN attack notification IP Helper APIs • Winsock self-healing

  14. What Is Network Access Quarantine? • Remote access client authenticates • RAS client placed in Quarantine • RAS client meets Quarantine policies: RAS client gets full access to network • RAS client fails policy check or Quarantine timeout reached: RAS client disconnected

  15. Trusts in Windows Server 2003 • [Diagram: Forest 1 and Forest 2, each with a forest (root) domain, containing Domains A, B, C, D, E, F, P and Q, plus a Kerberos Realm] • Trust types shown: Tree/Root Trust, Parent/Child Trust, Shortcut Trust, Forest Trust, External Trust, Realm Trust

  16. Coming Soon: IE 7 • Information Security Magazine (Jan 2006)

  17. Server Hardening

  18. Server Hardening • Appropriate settings for a secure baseline • Settings for applications and services • Operating system components • Permissions and rights • Administrative procedures • Physical access

  19. Server Hardening - Templates • Predefined Security Templates • Security Guide Templates • Industrial Templates • SANS • CIAC • NSA • DoD • Custom Templates

  20. Template Deployment • Test before deployment • Periodic analysis • Security Configuration and Analysis snap-in • Scripting (Secedit.exe) • Deployment Methods • Group Policy (Active Directory) • Security Configuration and Analysis snap-in • Scripting (Secedit.exe)
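
Added example, not part of the original presentation: periodic analysis shown as a comparison of a baseline security template with an exported configuration in the same INF layout. The sample templates and the helper names `parse_template` and `find_drift` are constructed for illustration, and the code parses text only rather than calling Secedit.exe.

```python
# Added example: drift check between two security-template INF texts (constructed samples).
BASELINE_INF = """[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
"""
EXPORTED_INF = """[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 1
"""

def parse_template(text):
    """Return {(section, key): value}, lower-casing section and key names."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or INF comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section and "=" in line:
            key, value = line.split("=", 1)       # split on the first '=' only
            settings[(section, key.strip().lower())] = value.strip()
    return settings

def find_drift(baseline_text, current_text, skip=("version", "unicode")):
    """List (section, key, wanted, found) where current differs from baseline."""
    baseline, current = parse_template(baseline_text), parse_template(current_text)
    drift = []
    for (section, key), wanted in sorted(baseline.items()):
        if section in skip:                       # file metadata, not a setting
            continue
        found = current.get((section, key))       # None: setting absent from export
        if found != wanted:
            drift.append((section, key, wanted, found))
    return drift

if __name__ == "__main__":
    for section, key, wanted, found in find_drift(BASELINE_INF, EXPORTED_INF):
        print(f"[{section}] {key}: baseline={wanted} current={found or 'not set'}")
```

Values are compared as plain strings, so list-valued settings whose entries appear in a different order are reported as drift.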

  21. Server Hardening • Security Configuration Wizard (SCW) • Comes with Service Pack 1 (Server 2003) • Disables unneeded services • Blocks unused ports • Allows further address or security restrictions for ports that are left open • Prohibits unnecessary Internet Information Services (IIS) Web extensions, if applicable • Reduces protocol exposure to server message block (SMB), NTLM, LanMan, and Lightweight Directory Access Protocol (LDAP) • Defines a high signal-to-noise audit policy • Best for servers with multiple roles

  22. Security Configuration Wizard • Supports • Rollback • Analysis • Remote configuration • Command-line support • Active Directory integration • Policy editing • Export to Group Policy

  23. Security Tools

  24. Updates • Manual • Requires user intervention – labor intensive • Windows Updates • Automatic process fine for small deployments • SUS • Updates approved critical patches for multiple machines at an administrator appointed time (replaced with WSUS) • WSUS • Same as SUS but includes support for other patches such as Office and critical drivers

  25. PKI • Some uses • EFS, Authentication, Smart Card, IPSec, Servers • Auto enrollment • Command line tools (Certreq.exe, Certutil.exe) • Key recovery (DRA or KRA) • Delta CRL

  26. Available Tools - GPMC • New User Interface • Backup and restore • Import and export • Group Policy Modeling • Resultant Set of Policy (RSoP)

  27. Available Tools - MBSA • Microsoft Baseline Security Analyzer (v2)

  28. Available Tools - MSAT • Microsoft Security Assessment Tool

  29. Available Tools – Windows Defender • Microsoft Anti-Spyware – Windows Defender • Spyware detection • Scheduled scanning and removal • Straightforward operation and thorough removal technology

  30. Available Tools • Security Resource Kit • Various tools to enumerate access control lists, list drivers, list services, dump event logs, parse logs, determine authentication method, and much more • Security Guide • Templates • Various test scripts

  31. 3rd Party Tools • Winternals http://www.winternals.com/ • Sysinternals http://www.sysinternals.com/ • CERT http://www.cert.org/ • SANS http://www.sans.org/

  32. Resources • Windows Server 2003 Security Guide • http://go.microsoft.com/fwlink/?LinkId=14846 • WindowSecurity.com • SecWish@microsoft.com (Feedback email) • Microsoft Windows Security Resource Kit (2nd Ed.) ISBN 0-7356-2174-8 • Service Pack 1 Overview • http://www.microsoft.com/technet/prodtechnol/windowsserver2003/servicepack/overview.mspx

  33. Resources • Microsoft Security Assessment Tool (MSAT) • https://www.securityguidance.com/ • Microsoft Security • http://www.microsoft.com/security/default.mspx • Microsoft Baseline Security Analyzer (MBSA) • http://www.microsoft.com/technet/security/tools/mbsahome.mspx • Microsoft Anti-Spyware (beta) Defender • http://www.microsoft.com/athome/security/spyware/software/default.mspx

  34. Resources • RootKit Revealer • http://www.sysinternals.com/Utilities/RootkitRevealer.html • Strider GhostBuster Project (Rootkit detector) • http://research.microsoft.com/rootkit/ • Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP • http://go.microsoft.com/fwlink/?LinkId=15160

  35. Contact Info • Donald E. Hester • DonaldH@MazeAssociates.com • https://www.linkedin.com/in/donaldehester
