Solidifying SERVERS - PowerPoint PPT Presentation


Presentation Transcript


  2. Chapter 7: Hardening Servers DEFAULT SECURITY TEMPLATES
     • Setup security.inf and DC security.inf
     • Compatws.inf
     • Securews.inf and Securedc.inf
     • Hisecws.inf and Hisecdc.inf
     • Rootsec.inf
     • Iesacls.inf

  3. Chapter 7: Hardening Servers DESIGNING SECURITY TEMPLATES
     • Create a custom security template for each role, not each computer
     • Base custom templates on a default template
     • Never modify default security templates
     • Apply multiple security templates to computers with multiple roles

  4. Chapter 7: Hardening Servers SECURITY TEMPLATE SETTINGS
     • Account policies
     • Local policies
     • Event logs
     • Group memberships
     • Services
     • Registry permissions
     • File and folder permissions

  5. Chapter 7: Hardening Servers SETTINGS NOT AVAILABLE IN SECURITY TEMPLATES
     • Configuration of Automatic Updates
     • Which Microsoft Windows components and applications are installed
     • IPSec policies
     • Software restrictions
     • Wireless network policies
     • EFS settings
     • Certification Authority (CA) settings

  6. Chapter 7: Hardening Servers CONFIGURING EARLIER VERSIONS OF WINDOWS
     • Support Group Policy:
         • Windows Server 2003
         • Windows 2000 Server
         • Windows 2000 Professional
         • Windows XP Professional
     • Support System Policy:
         • Windows NT 4.0
         • Windows 95
         • Windows 98
         • Windows Me

  7. Chapter 7: Hardening Servers SYSTEM POLICY EDITOR

  8. Chapter 7: Hardening Servers DEPLOYING SECURITY CONFIGURATION WITH GROUP POLICY
     • Import templates into Group Policy
     • Leverage inheritance
     • Filter Group Policy objects (GPOs) with security groups
     • Use Windows Management Instrumentation (WMI) filtering only where necessary

  9. Chapter 7: Hardening Servers SERVER HARDENING BEST PRACTICES
     • Use the Configure Your Server Wizard
     • Disable unnecessary services
     • Develop a process for updating all software
     • Change default port numbers
     • Use network and host-based firewalls

  10. Chapter 7: Hardening Servers SERVER HARDENING BEST PRACTICES (CONT.)
     • Require IPSec
     • Place Internet servers in perimeter networks
     • Use physical security
     • Restrict removable media
     • Back up application-specific information

  11. Chapter 7: Hardening Servers SERVER HARDENING BEST PRACTICES (CONT.)
     • Audit backups and restores
     • Rename default user accounts
     • Develop security requirements for application-specific user databases
     • Monitor each server role for failures
     • Read security guides at

  12. Chapter 7: Hardening Servers HARDENING DOMAIN CONTROLLERS
     • A compromised domain controller can lead to compromises of domain members
     • Domain controllers can be identified with a DNS query
     • Avoid storing application data in Active Directory
     • Create a separate security group for users with privileges to back up domain controllers
     • Use source-IP filtering to block domain requests from external networks

  13. Chapter 7: Hardening Servers REQUIRED DOMAIN CONTROLLER SERVICES
     • File Replication Service
     • Intersite Messaging
     • Kerberos Key Distribution Center
     • Netlogon
     • Remote Procedure Call (RPC) Locator
     • Windows Management Instrumentation
     • Windows Time
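
An added example, not part of the original presentation: a Python check that merges the [Service General Setting] sections of several security templates in the order they are applied and reports any required domain controller service that ends up disabled. The service short names, the two sample templates and the rule that the last applied template wins a conflict are assumptions made for this example.

```python
import csv

# Usual short names of the required DC services listed above (assumption).
REQUIRED_DC_SERVICES = ["NtFrs", "IsmServ", "Kdc", "Netlogon",
                        "RpcLocator", "Winmgmt", "W32Time"]
DISABLED = "4"  # startup codes in a template: 2 automatic, 3 manual, 4 disabled

# Constructed sample templates, not taken from any real default template.
BASELINE_INF = """[Version]
signature="$CHICAGO$"
[Service General Setting]
; name,startup,"security descriptor"
Alerter,4,""
IsmServ,4,""
RpcLocator,4,""
"""
DC_ROLE_INF = """[Service General Setting]
"Kdc",2,""
Netlogon,2,""
RpcLocator,2,""
"""

def service_settings(template_text):
    """Return {lowercased service name: startup code} for one template."""
    settings, in_section = {}, False
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("["):
            in_section = line.lower() == "[service general setting]"
            continue
        if in_section:
            fields = next(csv.reader([line], skipinitialspace=True))
            if len(fields) >= 2:
                settings[fields[0].strip().lower()] = fields[1].strip()
    return settings

def disabled_required_services(templates, required=REQUIRED_DC_SERVICES):
    """Merge templates in application order (assumed: last one wins) and
    list the required services whose merged startup type is disabled."""
    merged = {}
    for text in templates:
        merged.update(service_settings(text))
    return sorted(n for n in required if merged.get(n.lower()) == DISABLED)

if __name__ == "__main__":
    print(disabled_required_services([BASELINE_INF, DC_ROLE_INF]))
```

Real template files are normally saved as Unicode text, so decode them (for example as UTF-16) before passing their contents to `service_settings`.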

  14. Chapter 7: Hardening Servers HARDENING DNS SERVERS
     • When DNS servers are compromised, attackers can use them to:
         • Identify internal network resources
         • Launch man-in-the-middle attacks
         • Perform a denial-of-service (DoS) attack

  15. Chapter 7: Hardening Servers BEST PRACTICES FOR HARDENING DNS SERVERS
     • Use Active Directory–integrated zones. If not Active Directory integrated:
         • Restrict permissions on zone files
         • Use IPSec to protect zone transfers
     • Disable recursion where possible
     • Use separate internal and Internet servers
     • Remove root hints on internal servers
     • Allow only secure DNS updates if possible

  16. Chapter 7: Hardening Servers HARDENING DHCP SERVERS
     • Dynamic Host Configuration Protocol (DHCP) servers running Windows 2000 and later must be authorized in a domain
     • DHCP servers can automatically update DNS
     • Protect DHCP servers with 802.1X authentication

  17. Chapter 7: Hardening Servers HARDENING FILE SERVERS
     • Carefully audit share permissions and NTFS file system permissions
     • Use source-IP filtering to block requests from external networks
     • Audit access to critical and confidential files

  18. Chapter 7: Hardening Servers HARDENING IAS SERVERS
     • Enable Remote Authentication Dial-In User Service (RADIUS) message authenticators
     • Use quarantine control
     • Enable logging
     • Audit logs frequently

  19. Chapter 7: Hardening Servers HARDENING EXCHANGE SERVER COMPUTERS
     • Encrypt mail traffic with Transport Layer Security (TLS)
     • Use Secure Sockets Layer (SSL) to protect Outlook Web Access (OWA)
     • Enable Security events logging
     • Audit for open relays to protect against spam

  20. Chapter 7: Hardening Servers HARDENING EXCHANGE SERVER COMPUTERS (CONT.)
     • Use antispam software
     • Use antivirus software
     • Require strong passwords
     • Audit with MBSA

  21. Chapter 7: Hardening Servers HARDENING SQL SERVER COMPUTERS
     • Use Windows authentication when possible
     • Use delegated authentication
     • Configure granular authentication in SQL Server databases
     • Audit SQL authentication requests
     • Disable SQL communication protocols except TCP/IP, and require encryption
     • Change the default port number

  22. Chapter 7: Hardening Servers HARDENING SQL SERVER COMPUTERS (CONT.)
     • Audit custom applications for vulnerability to SQL injection attacks
     • Audit databases for unencrypted confidential contents:
         • User names and passwords
         • Credit-card numbers
         • Social Security numbers

  23. Chapter 7: Hardening Servers SUMMARY
     • Create security templates for every server role in your organization
     • Apply security templates by using GPOs
     • Techniques such as disabling unnecessary services and enabling host-based firewalls can be used to harden any type of server
     • Server roles each have role-specific considerations, including:
         • Services that should be enabled
         • Ports that must be allowed
         • Logging that should be enabled