Hardening Servers


Description
Windows Server 2003. Windows 2000 Server. Windows 2000 Professional. Windows XP Professional ... Windows 95. Windows 98. Windows Me. Part 7: Hardening Servers. 7 ...
Transcripts
Slide 1

Chapter 7 HARDENING SERVERS

Slide 2

Chapter 7: Hardening Servers
DEFAULT SECURITY TEMPLATES
- Setup security.inf and DC security.inf
- Compatws.inf
- Securews.inf and Securedc.inf
- Hisecws.inf and Hisecdc.inf
- Rootsec.inf
- Iesacls.inf

Slide 3

Chapter 7: Hardening Servers
DESIGNING SECURITY TEMPLATES
- Create a custom security template for every role, not every computer
- Base custom templates on a default template
- Never modify default security templates
- Apply multiple security templates to computers with multiple roles

Slide 4

Chapter 7: Hardening Servers
SECURITY TEMPLATE SETTINGS
- Account policies
- Local policies
- Event logs
- Group memberships
- Services
- Registry permissions
- File and folder permissions

Slide 5

Chapter 7: Hardening Servers
SETTINGS NOT AVAILABLE IN SECURITY TEMPLATES
- Configuration of Automatic Updates
- Which Microsoft Windows components and applications are installed
- IPSec policies
- Software restrictions
- Wireless network policies
- EFS settings
- Certification Authority (CA) settings

Slide 6

Chapter 7: Hardening Servers
CONFIGURING EARLIER VERSIONS OF WINDOWS
- Support Group Policy:
  - Windows Server 2003
  - Windows 2000 Server
  - Windows 2000 Professional
  - Windows XP Professional
- Support System Policy:
  - Windows NT 4.0
  - Windows 95
  - Windows 98
  - Windows Me

Slide 7

Chapter 7: Hardening Servers SYSTEM POLICY EDITOR

Slide 8

Chapter 7: Hardening Servers
DEPLOYING SECURITY CONFIGURATION WITH GROUP POLICY
- Import templates into Group Policy
- Leverage inheritance
- Filter Group Policy objects (GPOs) with security groups
- Use Windows Management Instrumentation (WMI) filtering only where necessary

Slide 9

Chapter 7: Hardening Servers
SERVER HARDENING BEST PRACTICES
- Use the Configure Your Server Wizard
- Disable unnecessary services
- Develop a process for updating all software
- Change default port numbers
- Use network and host-based firewalls

Slide 10

Chapter 7: Hardening Servers
SERVER HARDENING BEST PRACTICES (CONT.)
- Require IPSec
- Place Internet servers in perimeter networks
- Use physical security
- Restrict removable media
- Back up application-specific data

Slide 11

Chapter 7: Hardening Servers
SERVER HARDENING BEST PRACTICES (CONT.)
- Audit backups and restores
- Rename default user accounts
- Develop security requirements for application-specific user databases
- Monitor each server role for failures
- Read security guides at http://www.microsoft.com

Slide 12

Chapter 7: Hardening Servers
HARDENING DOMAIN CONTROLLERS
- A compromised domain controller can lead to compromises of domain members
- Domain controllers can be identified with a DNS query
- Avoid storing application data in Active Directory
- Create a separate security group for users with privileges to back up domain controllers
- Use source-IP filtering to block domain requests from external networks

Slide 13

Chapter 7: Hardening Servers
REQUIRED DOMAIN CONTROLLER SERVICES
- File Replication Service
- Intersite Messaging
- Kerberos Key Distribution Center
- Netlogon
- Remote Procedure Call (RPC) Locator
- Windows Management Instrumentation
- Windows Time
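
As an added example (not part of the original slides), the check below reads the service section of a security template and compares it with the required domain controller services listed on this slide. It assumes the usual `[Service General Setting]` line layout of name, startup mode (2 = Automatic, 3 = Manual, 4 = Disabled) and security descriptor; the short service names and the sample template are constructed for illustration.

```python
import csv

# Required DC services from the slide; short service names are an assumption.
REQUIRED_DC_SERVICES = {
    "ntfrs": "File Replication Service",
    "ismserv": "Intersite Messaging",
    "kdc": "Kerberos Key Distribution Center",
    "netlogon": "Netlogon",
    "rpclocator": "Remote Procedure Call (RPC) Locator",
    "winmgmt": "Windows Management Instrumentation",
    "w32time": "Windows Time",
}
STARTUP = {"2": "Automatic", "3": "Manual", "4": "Disabled"}
# Constructed sample template fragment (security descriptors left empty).
SAMPLE_TEMPLATE = '''\
[Version]
[Service General Setting]
NtFrs,2,""
IsmServ,2,""
Kdc,4,""
Netlogon,2,""
W32Time,2,""
Winmgmt,2,""
Messenger,2,""
'''

def parse_services(text):
    """Map lower-cased service name to startup mode from the services section."""
    services, in_section = {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[service general setting]"
        elif in_section and line and not line.startswith(";"):
            fields = next(csv.reader([line]))  # name,startup_mode,descriptor
            if len(fields) >= 2:
                services[fields[0].strip().lower()] = STARTUP.get(fields[1].strip(), "Unknown")
    return services

def audit_dc_template(text):
    """Flag required services that are disabled or unset, and others left enabled."""
    svc = parse_services(text)
    return {
        "required_disabled": sorted(s for s in REQUIRED_DC_SERVICES if svc.get(s) == "Disabled"),
        "required_undefined": sorted(s for s in REQUIRED_DC_SERVICES if s not in svc),
        "review_enabled": sorted(s for s in svc
                                 if s not in REQUIRED_DC_SERVICES and svc[s] != "Disabled"),
    }

if __name__ == "__main__":
    print(audit_dc_template(SAMPLE_TEMPLATE))
```

Services reported under `review_enabled` are candidates for review against the server's other roles, not an automatic disable list.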

Slide 14

Chapter 7: Hardening Servers
HARDENING DNS SERVERS
When DNS servers are compromised, attackers can use them to:
- Identify internal network resources
- Launch man-in-the-middle attacks
- Perform a denial-of-service (DoS) attack

Slide 15

Chapter 7: Hardening Servers
BEST PRACTICES FOR HARDENING DNS SERVERS
- Use Active Directory–integrated zones. If not Active Directory integrated:
  - Restrict permissions on zone files
  - Use IPSec to protect zone transfers
- Disable recursion where possible
- Use separate internal and Internet servers
- Remove root hints on internal servers
- Allow only secure DNS updates if possible

Slide 16

Chapter 7: Hardening Servers
HARDENING DHCP SERVERS
- Dynamic Host Configuration Protocol (DHCP) servers running Windows 2000 and later should be authorized in a domain
- DHCP servers can automatically update DNS
- Protect DHCP servers with 802.1X authentication

Slide 17

Chapter 7: Hardening Servers
HARDENING FILE SERVERS
- Carefully review share permissions and NTFS file system permissions
- Use source-IP filtering to block requests from external networks
- Audit access to critical and confidential files

Slide 18

Chapter 7: Hardening Servers
HARDENING IAS SERVERS
- Enable Remote Authentication Dial-In User Service (RADIUS) message authenticators
- Use quarantine control
- Enable logging
- Audit logs frequently

Slide 19

Chapter 7: Hardening Servers
HARDENING EXCHANGE SERVER COMPUTERS
- Encrypt mail traffic with Transport Layer Security (TLS)
- Use Secure Sockets Layer (SSL) to protect Outlook Web Access (OWA)
- Enable Security events logging
- Audit for open relays to protect against spam

Slide 20

Chapter 7: Hardening Servers
HARDENING EXCHANGE SERVER COMPUTERS (CONT.)
- Use antispam software
- Use antivirus software
- Require strong passwords
- Audit with MBSA

Slide 21

Chapter 7: Hardening Servers
HARDENING SQL SERVER COMPUTERS
- Use Windows authentication when possible
- Use delegated authentication
- Configure granular authentication in SQL Server databases
- Audit SQL authentication requests
- Disable SQL communication protocols except TCP/IP, and require encryption
- Change the default port number

Slide 22

Chapter 7: Hardening Servers
HARDENING SQL SERVER COMPUTERS (CONT.)
- Audit custom applications for vulnerability to SQL injection attacks
- Audit databases for unencrypted confidential content:
  - User names and passwords
  - Credit-card numbers
  - Social Security numbers

Slide 23

Chapter 7: Hardening Servers
SUMMARY
- Create security templates for every server role in your organization
- Apply security templates by using GPOs
- Techniques such as disabling unnecessary services and enabling host-based firewalls can be used to harden any kind of server
- Server roles each have role-specific considerations, including:
  - Services that should be enabled
  - Ports that must be allowed
  - Logging that should be enabled
