Title: Windows XP Security II
1Windows XP Security II
- Laurie Walters
- lwalters_at_psu.edu
2XP Security II Seminar Objectives
- System Security II
- Software Update Services (SUS) Patching
- Automatic Updates on Standalone Machines
- Installing SUSAdmin
- Configuring SUSAdmin
- Approving Updates
- Installing SUSClient
- Configuring SUSClient to update from server via AD OU Group Policy
- Simple File Sharing
- Simple File Sharing Overview
- Setting Up SFS Shares
- SFS Is Not Secure
- Disabling SFS
3XP Security II Seminar Objectives
- System Security II (Continued)
- NTFS Permissions
- Definitions
- Changing Default Permissions
- NTFS Rules: Additive Permissions and Deny Permissions
- Removing Access to Common Executables
- Windows Security Templates and Policies
- Creating a New Security Template
- Defining Your Security Settings
- Using the Security Configuration and Analysis Tool
- Applying Security Templates
- Security Policies
4XP Security II Seminar Objectives
- Network Security
- IPSEC filtering
- IP Security Overview
- Starting IPSec Service
- Installing an IPSec Policy
- Creating a Custom IPSec Policy
- Application Security
- Services to Shut Off
- Disabling Un-necessary Services
- Use Secure Services
- Specific XP Services to Disable
5XP Security II Seminar Objectives
- Application Security
- Remote Desktop / Remote Assistance
- Remote Assistance Overview
- Disabling Remote Assistance
- Setting Up Remote Desktop
- Changing Default Remote Desktop Port
- Disabling Remote Desktop
- Using HFNetChk and Baseline Security Analyzer
- HFNetChk Overview
- Microsoft Baseline Security Analyzer Overview
- Reading Logs
- System LogFile Locations
- IIS LogFile Locations
- Conclusion
6XP Security II Seminar Objectives
- System Security II
- Software Update Services (SUS) Patching
- Simple File Sharing
- NTFS Permissions
- Windows Security Templates and Policies
- IPSEC filtering
- Application Security
- Services to Shut Off
- Remote Desktop / Remote Assistance
- Using HFNetChk and Baseline Security Analyzer
- Reading Logs
7Windows XP Security II
- System Security II
- Software Update Services (SUS) Patching
- Automatic Updates on Standalone workstations
- Installing SUSAdmin
- Configuring SUSAdmin
- Synchronizing SUS
- Approving Updates
- Installing SUSClient
- Configuring SUSClient to update from server via AD OU Group Policy
- Simple File Sharing
- NTFS Permissions
- Windows Security Policies
- Network Security
- Application Security
8Automatic Updates on Standalone Workstations
9Installing SUSAdmin
- SUS has two portions
- Server (SUSAdmin)
- Client (Automatic Updates Client)
- SUSAdmin can only be installed on Windows 2000 or 2003 Server
- It is recommended that SUSAdmin be installed on a Standalone Server (not a domain controller or application server)
- Install Server Software from http://download.microsoft.com/download/0/b/9/0b97f864-2408-4748-ad96-3691e2451006/SUS10SP1.exe
- Read SUS Deployment Whitepaper: http://www.microsoft.com/windowsserversystem/sus/susdeployment.mspx
11Configuring SUSAdmin
- On SUSAdmin Server, open following URL:
- http://localhost/SUSAdmin
- Welcome screen will appear. Click on Set Options in left frame.
- Choose whether to maintain the updates on a MS Windows Update Server or save the updates to a local folder.
- If updates saved to local folder, choose Locales (Languages) for install packages. Only use minimum necessary languages to reduce download time of updates
- It is recommended that you use SSL for SUS. Instructions on enabling SSL for SUS can be found in the MS SUS Whitepaper on page 25.
12Synchronizing SUS
- Click on Synchronize Server on left frame.
- On right side of page, click on Synchronization Schedule
- Choose when synchronization should occur (weekly, daily, etc).
- Recommended setting: daily
- Click on Synchronize now
- Catalog Download Progress will appear. It will appear to hang on 100% with a cancel button below. Do not cancel!
- Next, it will start downloading the actual updates
13Approving Updates
- Click on Approve Updates in left hand pane.
- All available updates that have been downloaded will be listed with one of the following statuses:
- New (recently downloaded and not approved)
- Approved (approved and available for download by client computers)
- Not Approved (Declined by SUS administrator and will not be made available for client computers)
- Updated (A change has been made to an update)
- Temporarily Unavailable (Update package or a dependency is not available)
- Check the box next to the updates you have previously examined in a test environment and want to approve for distribution to your client computers.
14Installing SUSClient
- Client can be downloaded from http://www.microsoft.com/windows2000/downloads/recommended/susclient/default.asp
- Client can be installed on
- Windows 2000 Professional with Service Pack (SP) 2 (already included with W2K SP3)
- Windows 2000 Server with SP2
- Windows 2000 Advanced Server with SP2
- Windows XP Professional (already included with XP SP1)
- Windows XP Home Edition
15Configuring SUSClient to update via AD OU Group
Policy
- Type dsa.msc on an Active Directory Domain Controller.
- Right click the OU or domain where you want to create the policy
- Choose properties
- Click the Group Policy tab and click new
- Type a name for the policy and click edit.
- Double click either Computer or User Configuration (Settings) and right-click on Administrative Templates
- Choose Add/Remove Templates, and then click Add
- If you don't already see wuau in the list of current policy templates, click the add button at the bottom of the screen.
- Navigate to \Systemroot\Windir\inf\WUAU.adm
- Click Open
17Configuring SUSClient to update via AD OU Group
Policy (Cont.)
- In Group Policy Editor, click on Computer Configuration in left hand pane.
- Click + next to Administrative Templates to expand it.
- Click + next to Windows Components
- Click on Windows Update
- Configure options in right hand pane
- Configure Automatic Updates
- Specify intranet Microsoft update service location
- Reschedule Automatic Updates scheduled installations
- No auto-restart for scheduled Automatic Updates installations
- SUS can be set up via Registry entries if you aren't using Active Directory. Please see page 61 of the SUS Whitepaper for installation instructions.
18Windows XP Security II
- System Security II
- Software Update Services (SUS) Patching
- Simple File Sharing
- Simple File Sharing Overview
- Setting Up SFS Shares
- SFS Is Not Secure
- Disabling SFS
- NTFS Permissions
- Windows Security Templates and Policies
- Network Security
- Application Security
19XP Simple File Sharing
- With Windows XP, Microsoft introduced a new feature called Simple File Sharing
- By default with Simple File Sharing, no files or folders on the hard drive are shared with other network users.
- Simple File Sharing enabled by default in
- XP Home: This feature cannot be disabled in XP Home Edition.
- XP Pro: Only enabled in workstation / standalone mode. It may be disabled in this mode. When an XP Pro machine is joined to a domain, this feature is automatically disabled, and uses standard NTFS permissions instead.
20Setting Up Shares Using Simple File Sharing
- To share a folder with simple file sharing enabled, right click on folder and choose properties and select the sharing tab.
- To share files/folders with other users on the same machine, drag the desired items to the Shared Documents folder
- To share file(s) or folder(s) with other network users, (use the network setup wizard) and then give share a name. There is a check box to "Allow network users to change my files". This is not recommended!!!
21XP Simple File Sharing Is Not Very Secure!
- Simple File Sharing does not use passwords or access restrictions.
- Everything that is shared is accessible by everyone on the network.
- If "Allow network users to change my files" is checked, others have write privileges to the folder without any access controls.
- This is a good way for viruses to spread!
- If any folders or files are shared, it is recommended that you do not use simple file sharing.
22Simple File Sharing Enabled
23Disabling XP Simple File Sharing
- To disable simple file sharing, open up Windows
Explorer or My Computer folder. Under the Tools
Menu, Select Folder Options. Choose the View
Tab. Scroll down to Use Simple File Sharing
and uncheck the box.
24Disabling Simple File Sharing
25Simple File Sharing Disabled
26Security (NTFS Permissions) Tab Appears After
Disabling SFS
27Windows XP Security II
- System Security II
- Software Update Services (SUS) Patching
- Simple File Sharing
- NTFS Permissions
- Definitions
- Changing Default Permissions
- NTFS Rules: Additive Permissions and Deny Permissions
- Removing Access to common executables
- Windows Security Templates and Policies
- Network Security
- Application Security
28NT File ACLs (Permissions) For Shared Files
- NTFS uses DACLs (Discretionary Access Control Lists) to determine authorization
- An individual object in an Access Control List is known as an Access Control Entry (ACE).
- Generically, a collection of ACLs can be referred to as permissions
- Microsoft default for permissions has been usability over security
- For security purposes it is prudent to restrict access to everyone and anonymous users where possible.
29Changing Default NTFS Permissions
- After applying service pack, replace Everyone with Full Control to Administrators on pertinent files/folders
- Folders created by OS generally have correct permissions. Any folders created by you will inherit root folder permissions by default, which is Everyone has Full Control
- Note: Always add administrator(s) with full control before taking away full control for everyone.
- Add Authenticated Users: give them desirable permissions
- E.g. RWXD or RX
30NTFS ACL Rule 1 ACL Permissions Are Additive
- Example: Your account is a member of two groups: Backup Operators and Users.
- The Users group is not listed in the group of people allowed access to the folder. However, the Backup Operators group has permissions listed as RWXD.
- Result: You have RWXD permissions for this folder.
31NTFS ACL Rule 2 Deny Explicitly Overwrites Any
Allow Permissions
- Example: Your account is again a member of two groups: Backup Operators and Users
- The Users group has an explicit deny flag set for the folder. The Backup Operators Group is set to RWXD.
- Result: You will not be able to access this folder!
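The two rules above as a small model, added here as an illustration and not part of the original slides. It is a simplification rather than the Windows access-check code: it assumes deny entries are evaluated ahead of allow entries and ignores inheritance, and the names Right, Ace, effective_rights and access_check are invented for the example. The third DACL goes one step beyond the slides to show a deny that covers only one right.

```python
from dataclasses import dataclass
from enum import Flag


class Right(Flag):
    NONE = 0
    R = 1  # read
    W = 2  # write
    X = 4  # execute
    D = 8  # delete


def rights(letters_in):
    """Turn the slide shorthand ("RWXD", "RX") into a Right flag set."""
    mask = Right.NONE
    for letter in letters_in:
        mask |= Right[letter]
    return mask


def letters(mask):
    """Render a flag set back into the slide shorthand ("-" for no rights)."""
    return "".join(n for n in "RWXD" if Right[n] & mask) or "-"


@dataclass(frozen=True)
class Ace:
    kind: str      # "allow" or "deny"
    trustee: str   # account or group the entry applies to
    mask: Right


def effective_rights(dacl, account, groups):
    """Rights an account ends up with, given its group memberships."""
    principals = {account, *groups}
    allowed = denied = Right.NONE
    for ace in dacl:
        if ace.trustee not in principals:
            continue                 # entry names someone else
        if ace.kind == "deny":
            denied |= ace.mask
        else:
            allowed |= ace.mask      # Rule 1: grants from every group add up
    # Rule 2: a deny removes the right no matter which group granted it.
    # An account matched by no entry gets nothing (empty result).
    return allowed & ~denied


def access_check(dacl, account, groups, wanted):
    """True only if every requested right survives the deny entries."""
    return (effective_rights(dacl, account, groups) & wanted) == wanted


# Constructed DACLs mirroring the two slide examples, plus a partial deny.
MY_GROUPS = {"Backup Operators", "Users"}
RULE1_DACL = [Ace("allow", "Backup Operators", rights("RWXD"))]
RULE2_DACL = RULE1_DACL + [Ace("deny", "Users", rights("RWXD"))]
PARTIAL_DENY_DACL = RULE1_DACL + [Ace("deny", "Users", rights("W"))]

if __name__ == "__main__":
    for name, dacl in [("rule 1", RULE1_DACL), ("rule 2", RULE2_DACL),
                       ("partial deny", PARTIAL_DENY_DACL)]:
        print(name, letters(effective_rights(dacl, "you", MY_GROUPS)))
```
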
32Remove Access to Known Command Line Executables
From Everyone
- Grant ACLs for authenticated users only for the following C:\Winnt\System32 executables:
- Cmd.exe
- Command.com
- Ftp.exe
- Regedit.exe
- Regedt32.exe
- Telnet.exe
- Tftp.exe
33Windows XP Security II
- System Security II
- Simple File Sharing
- NTFS Permissions
- Windows Security Templates and Policies
- Security Policies Overview
- Account / Password Policies
- Auditing Policies
- User Rights Assignment
- Security Policies
- Network Security
- Application Security
34Security Policies
- Control Panel → Classic View → Administrative Tools → Local Security Policy
- Policies Include
- Account Policies, Local Policies, Security Options, Public Key Policies, Software Restriction, IPSEC
35Security Templates
- Template: A predefined stencil of computer settings which can be quickly and/or automatically applied.
- Microsoft has predefined some computer security templates
- Designed to lock down settings and make the computers more secure.
- They are located at SystemRoot\Security\Templates and are kept as .ini files.
- You can directly edit the .ini files in notepad if you wish
- You can use the MS templates, but it is suggested that you create a new template and define the security settings
- Then use the Security Configuration and Analysis tool to compare your settings to MS recommended settings.
36Creating a New Security Template
- Go to the Start Menu and choose Run. Type mmc in the box and press enter.
- Under the file menu, select Add/Remove Snap-in and select the add button when it appears
- Click the Security Templates from the Add Standalone Snap-in Window
- Click ok and the close button
- The Security Templates button will now appear in the left pane of the MMC console window.
- Right click on the location of the templates and select New Template. Next, type in the name of your template and a description.
37Creating a New Security Template
38Defining your Security Settings
- Click on the + sign next to the name of your newly created security template and navigate through the entries.
- Change the security settings you see fit.
- Once you have done so, right click on the name of your security template and choose Save As to save your settings to a file.
- Extensive information about security settings will be discussed in the following section of the seminar.
39Opening the Security Configuration and Analysis
Tool
- Open the MMC and add the Security Configuration and Analysis Snap-In exactly as you added the Security Templates Snap-In.
- Right Click on the Security Configuration and Analysis in the left pane. Choose Open Database and type in a filename for a new database you will be creating to compare your security settings in.
- Next, you will see an import template dialog box. Choose the name of the template you want to compare your settings to (e.g. HISECWS). Click on Open.
40Using the Security Configuration and Analysis Tool
- Right-click on the tool and choose Analyze Computer Now. It will put a check mark next to any of your settings that it deems sufficiently match the MS predefined template and an X next to those that do not.
- To apply all settings from a MS template to your computer, right-click on the Tool and click Configure Computer Now. Warning, this applies MS settings over yours, which is Non-reversible! Use Caution!
41Applying Security Templates
- Security templates should be applied both for domain settings and local settings (in case the domain is not available).
- You can apply the templates manually to the local system or through the secedit command (you can use a batch file at logon to automatically apply the desired template).
- You can also apply domain security settings so that they are automatically applied to all computers in the domain.
42Importing a template into Active Directory
- You can set templates for Organizational Units in the following manner on an AD Domain Controller:
- Open Administrative Tools in the Control Panel and select Active Directory Users and Computers
- Right-click on the Organizational Unit that requires the security policy. Select properties
- Click on the Group Policy Tab. Select New and type in the name of the new policy you will be adding
- Click on the Edit button and the Group Policy Object Editor will appear
- Click the + next to Computer Configuration. Then, click the + to expand the Windows Settings
- Right click on Security Settings and choose Import Policy
- Select the template that you wish to be applied to the OU and click on Open to import the policy.
43Local Security Settings
44Account / Password Policies
- Password History (X passwords remembered)
- Default 0, Recommended 5
- Maximum Password Age (X days)
- Default 42 days, Recommended ?
- Minimum Password Age
- Default 0 days, Recommended ?
- Password Length
- Default 0, Recommended 7
45Password Policies (cont.)
- Password Must Meet Complexity Requirements
- ¾ of the following: lower case, upper case, numbers, symbols AND passwords cannot contain user name or any part of full name.
- Default Disabled, Recommended Enabled
- Store passwords using reversible encryption for all users in the domain
- Default Disabled
46Account Lockout Policy
- Account Lockout Duration
- Recommended 15 minutes or longer
- Account Lockout Threshold
- Recommended 5 attempts or lower
- Reset Account After
- Recommended 15 minutes or longer
47Auditing Policies
- By default, nothing is audited in XP!
- Audit Account Logon Events: Records response of a domain controller to authenticate a network user.
- Recommended Success / Failure
- Audit Account Management: Audits account changes such as renaming, enabling/disabling, password changes, creation, deletion, etc.
- Recommended Success / Failure
48Auditing Policies (Cont.)
- Audit directory service access: logs events of standard active directory objects
- Recommended Failure
- Audit Logon Events: Records user authentication for local machine or domain controllers
- Recommended Success / Failure
- Audit Object Access: Allows setting of auditing on files or directories (you must set each directory/file separately).
- Recommended Varies
49Auditing Policies (Cont.)
- Audit Policy Change: Audits additions, deletions, and changes made to local and domain security policies
- Recommended Success / Failure
- Audit Privilege Use: Audits special privileges assigned to a user, privileged services that are called, and privileged object operation
- Recommended Failure (Auditing success will fill up logs very quickly!)
50Auditing Policies (Cont.)
- Audit Process Tracking: Audits processes (creation, exits, and resources)
- Recommended Failure or None
- Audit System Events: Audits events going on within the physical system that can affect security or logging (shutdowns, reboots, clearing of logs)
- Recommended Failure (can fill up logs VERY quickly)
51Auditing Recap
- Audit success, failure of
- Logon events
- Account management
- Policy change
- Object Access
- Audit failure of
- Privilege use
- Process tracking
- System events
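A checker that compares a security template's text against the password, lockout and auditing recommendations on the preceding slides, added here as an illustration and not part of the original seminar. It assumes the key names used in a template's [System Access] and [Event Audit] sections; both sample templates are constructed, and the function name is invented. Settings the slides leave open (password ages, Object Access) are not checked.

```python
import configparser

SUCCESS, FAILURE = 1, 2  # audit values are a bitmask: 0 none, 1 success, 2 failure, 3 both
BOTH = SUCCESS | FAILURE

# (section, key) -> (test on the integer value, recommendation as worded on the slides)
RECOMMENDED = {
    ("System Access", "PasswordHistorySize"): (lambda v: v >= 5, "5 passwords remembered"),
    ("System Access", "MinimumPasswordLength"): (lambda v: v >= 7, "length 7"),
    ("System Access", "PasswordComplexity"): (lambda v: v == 1, "enabled"),
    ("System Access", "LockoutBadCount"): (lambda v: 1 <= v <= 5, "5 attempts or lower (0 = no lockout)"),
    ("System Access", "LockoutDuration"): (lambda v: v >= 15, "15 minutes or longer"),
    ("System Access", "ResetLockoutCount"): (lambda v: v >= 15, "15 minutes or longer"),
    ("Event Audit", "AuditAccountLogon"): (lambda v: v == BOTH, "success / failure"),
    ("Event Audit", "AuditAccountManage"): (lambda v: v == BOTH, "success / failure"),
    ("Event Audit", "AuditDSAccess"): (lambda v: v & FAILURE, "failure"),
    ("Event Audit", "AuditLogonEvents"): (lambda v: v == BOTH, "success / failure"),
    ("Event Audit", "AuditPolicyChange"): (lambda v: v == BOTH, "success / failure"),
    ("Event Audit", "AuditPrivilegeUse"): (lambda v: v & FAILURE, "failure"),
    ("Event Audit", "AuditProcessTracking"): (lambda v: v in (0, FAILURE), "failure or none"),
    ("Event Audit", "AuditSystemEvents"): (lambda v: v & FAILURE, "failure"),
}


def audit_template(text):
    """Return one finding per setting that misses the slides' recommendation."""
    cp = configparser.ConfigParser(
        delimiters=("=",), interpolation=None, strict=False, allow_no_value=True
    )
    cp.optionxform = str  # keep key case as written in the template
    cp.read_string(text)
    findings = []
    for (section, key), (ok, wording) in RECOMMENDED.items():
        raw = cp.get(section, key, fallback=None)
        if raw is None:
            findings.append(f"[{section}] {key} is not defined; slides recommend {wording}")
        elif not ok(int(raw)):
            findings.append(f"[{section}] {key} = {raw}; slides recommend {wording}")
    return findings


# Constructed sample: the out-of-the-box values quoted on the slides.
XP_DEFAULTS = """\
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
"""

# Constructed sample: a template that follows every recommendation checked above.
HARDENED = """\
[System Access]
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 5
LockoutBadCount = 5
ResetLockoutCount = 15
LockoutDuration = 15
[Event Audit]
AuditSystemEvents = 2
AuditLogonEvents = 3
AuditPrivilegeUse = 2
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 2
AuditDSAccess = 2
AuditAccountLogon = 3
"""

if __name__ == "__main__":
    for finding in audit_template(XP_DEFAULTS):
        print(finding)
```
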
52User Rights Assignment
- Access this computer from the network
- Default includes everyone in Windows NT
- You can remove Everyone and add desired users
- Other User Rights Assignment options include who is allowed to
- Back up files,
- Increase quotas,
- Log on locally,
- Shut down the system,
- Take ownership of files of other users
53User Rights Assignment (Cont.)
- Bypass Traverse Checking: Allows access to files and folders regardless of user's permission to parent folder for users included in list.
- This setting basically nullifies Inherit parent permissions
- E.g. if you remove Everyone, then anyone not in one of the listed groups will access files based on parent inheritance, not individual file permissions.
54Security Options Accounts
- Only those that should be changed are listed here.
- Guest Account Status
- Should be set to disabled. If it is not, please change this policy status to disabled
- Administrator Account Status
- May be disabled
- Rename Guest Account
- Recommended!
- Rename Administrator Account
- Recommended!
- Limit Local use of blank passwords to console logon
- Do not change this to disabled!!!
55Security Options Devices
- Restrict access of CD Rom and Floppy to locally logged on User: Recommended, especially if running Remote Desktop or IIS is installed (e.g. a Windows setup disk is left in the CD drive).
56Security Options Interactive Logon
- Do Not Display Last User Name in Logon Screen: Change to enabled (Users must know username and pw).
- Message text/title for users attempting to log on
57Security Options Network Access
- Do not allow anonymous enumeration of SAM Accounts, Do not allow anonymous enumeration of SAM account and Shares: Should be set to enabled
- If not enabled, local/domain accounts can be enumerated via the NetBIOS protocol
- Scripts / L0phtCrack can then be used to determine passwords associated with userid
- Let Everyone permissions apply to anonymous user: should be disabled
- Remotely accessible registry paths: if possible, remove ALL paths.
58Security Options Network Security
- Force logoff when logon hours expire should be
enabled.
59Security Options Shutdown
- Allow system to be shut down without users having to log on: disable this option.
- Clear Virtual Memory Pagefile when Shutting Down: Enable this option
60Windows XP Security II
- System Security II
- Network Security
- IPSEC filtering
- IP Security Overview
- Starting IPSec service
- Installing IPSec Policy
- Creating a Custom IPSec Policy
- Application Security
61IP Security Filtering
- IP filtering using IPSEC allows the computer administrator to create a list of connections allowed or disallowed based on a number of rules such as port number, source, or destination.
- For example, you can block all NetBIOS traffic external to PSU but allow connections from the Penn State address space.
62Starting the IPSEC Service
- In the Control Panel, open Administrative Tools
and then Services. Make sure that IPSEC Policy
Agent is Started and Set to Automatic.
63Installing IPSEC Policy
- Next, open the Control Panel → Administrative Tools → Local Security Policy. Right click on IP Security Policies on local machine. From the menu that appears, choose All Tasks. Select Import Policies and browse to the location of the IPSEC policy.
- The policy should now appear in the list on the right hand side. Right click the new policy and select Assign.
64Installing An IPSec Policy
65Creating a Custom IPSEC Policy
- Open up the XP Help and Support button and click on Add or edit IPSec filters
- This help guide will walk you step by step through configuring custom IPSEC filters.
66Common Breaches of System Security
- Most breaches are a result of this aspect!
- Open Network Shares
- Incorrect ACLS
- No Auditing / Logging
- Weak Passwords (L0phtCrack)
- Policies not set correctly
67XP Security II Seminar Objectives
- System Security II
- Simple File Sharing
- NTFS Permissions
- Windows Security Policies
- Network Security
- IPSEC filtering
- Application Security
- Services to Shut Off
- Remote Desktop / Remote Assistance
- Using HFNetChk and Baseline Security Analyzer
- Reading Logs
68Windows XP Security II
- System Security II
- Network Security
- Application Security
- Services to Shut Off
- Disabling un-necessary services
- Use Secure Services
- Specific XP Services to disable
- Remote Desktop / Remote Assistance
- Using HFNetChk and Baseline Security Analyzer
- Reading Logs
69Application Security
- Check for patches for all software (Application patches should be applied before system is placed on network)
- Adding remote access software increases risk of breaches
- Backdoors
- Warez servers
- SMTP servers
- Admin tools for DDoS attacks
- Scanners/automated scripts disguised as innocent files
- OS files removed
70Services
- Disable any that you are not using
- SMTP
- RAS (including VNC, Timbuktu, Terminal Services)
- HTTPD (IIS) Caution - May be installed with Network Monitoring Tools in 2000/XP
- FTP/TFTP
- Telnetd
- Service Distribution: Do NOT install all services on one machine!
- Do Not install on PDC/BDC
71Use Secure Services
- Plugins for Email (Kerberos, PGP)
- SSH vs. Telnet
- HTTPS vs. HTTP
- SCP vs. FTP
- Use Secure services wherever possible.
72XP Services
- Accessed from Control Panel → Classic View → Administrative Tools → Services
- If not needed, stop and set to manual
- Remote Registry
- Remote Desktop
- Remote Access Auto Connection Manager
- NetMeeting Remote Desktop Sharing
- SSDP (Universal Plug and Play)
- TCP Port 5000
- UDP Port 1900
73Windows XP Security II
- System Security II
- Network Security
- Application Security
- Services to Shut Off
- Remote Desktop / Remote Assistance
- Remote Assistance Overview
- Disabling Remote Assistance
- Remote Desktop Overview
- Setting Up Remote Desktop
- Changing Default Remote Desktop Port
- Disabling Remote Desktop
- Using HFNetChk and Baseline Security Analyzer
- Reading Logs
74Remote Assistance
- Designed to allow others to take control of your computer to assist in troubleshooting and even fix problems.
- Turn this off until it is needed!
- Control Panel → Classic View → System → Remote tab → Settings button
- Administrators group can connect to the computer by default.
75Disabling Remote Assistance
- To disable, uncheck one of the following
- Allow Remote Assistance invitations to be sent from this computer
- Under Advanced button, Allow this computer to be controlled remotely
76Remote Desktop
- Other computers can access your Windows session by remotely logging in to your computer with a valid username and password
- This feature is based on Terminal Services; session data is sent encrypted.
- (E.g. you can leave your machine logged in at work and then log on to Remote Desktop at home to control your computer).
- Logging on remotely locks screen locally
77Setting Up Remote Desktop
- On host computer, navigate to the Control Panel and choose the System icon. Click on the Remote tab.
- Check the box for Allow Users to connect remotely to this computer.
- Click on the settings button to change which users have remote access.
78Setting Up Remote Desktop
- To open Remote Desktop Client
- On connecting computer if XP, navigate to the Start Menu → Accessories → Communications → Remote Desktop Connection
- On a non-XP Windows machine, insert the XP CD into the CD Rom drive. When the Welcome page appears, click Perform additional tasks, and then choose Set up Remote Desktop Connection
- You will need to enter the IP address of machine you are connecting to, and your username and password on that machine.
79Remote Desktop Connection
- Click the options button to expand so additional
options (username and password, domain, display
options, etc are shown).
80Changing Remote Desktop Port
- By default, Remote Desktop (and Terminal Services) runs on port 3389.
- You can add security by obscurity by changing the default port.
- You need to
- Make a simple registry change on the host computer (see)
- http://support.microsoft.com/default.aspx?scid=kb;EN-US;306759
- Add portnumber after IP address on connector for client.
81Entering Remote Desktop Port in Client
- In example, 10.0.0.1 is theoretical IP Address
and 8337 is port that Remote Desktop was changed
to.
82Disabling Remote Desktop
- If not needed, do not run this feature.
- Control Panel → Classic View → System → Remote tab → Settings button
- Uncheck Allow others to connect remotely to this computer
- All Remote Access Services should log all traffic
83Windows XP Security II
- System Security II
- Network Security
- Application Security
- Services to Shut Off
- Remote Desktop / Remote Assistance
- Using HFNetChk and Baseline Security Analyzer
- HFNetchk Overview
- Microsoft Baseline Security Analyzer Overview
- Reading Logs
84HFNetchk
- Command Line utility which tells you if you are up to date on patches.
- Every time you run HFNetchk, it will attempt to connect to Microsoft to download an up to date XML document which indicates what patches should be on your machine.
- If the network is unavailable, it will use configuration already saved to your hard disk.
- You can download HFNetchk from http://support.microsoft.com/default.aspx?scid=kb;en-us;303215
85Baseline Security Analyzer
- http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/MBSAhome.asp
- Checks for hotfixes and security misconfigurations on systems.
- Scan by machine name or IP Address(es). Can scan multiple computers at a time.
86Windows XP Security II
- System Security II
- Network Security
- Application Security
- Services to Shut Off
- Remote Desktop / Remote Assistance
- Using HFNetChk and Baseline Security Analyzer
- Reading Logs
- System Logfile locations
- IIS Logfile location
87Reading Logs
- Event Viewer (eventvwr)
- System
- Application
- Security
- IIS Logs (c:\winnt\system32\logfiles)
- W3SVC1, etc.
- If you do not look through logs you may not
notice anything is going on!
88XP Security II Seminar Objectives
- System Security II
- Software Update Services (SUS) Patching
- Automatic Updates on Standalone Machines
- Installing SUSAdmin
- Configuring SUSAdmin
- Approving Updates
- Installing SUSClient
- Configuring SUSClient to update from server via AD OU Group Policy
- Simple File Sharing
- Simple File Sharing Overview
- Setting Up SFS Shares
- SFS Is Not Secure
- Disabling SFS
89XP Security II Seminar Objectives
- System Security II (Continued)
- NTFS Permissions
- Definitions
- Changing Default Permissions
- NTFS Rules: Additive Permissions and Deny Permissions
- Removing Access to Common Executables
- Windows Security Templates and Policies
- Creating a New Security Template
- Defining Your Security Settings
- Using the Security Configuration and Analysis Tool
- Applying Security Templates
- Security Policies
90XP Security II Seminar Objectives
- Network Security
- IPSEC filtering
- IP Security Overview
- Starting IPSec Service
- Installing an IPSec Policy
- Creating a Custom IPSec Policy
- Application Security
- Services to Shut Off
- Disabling Un-necessary Services
- Use Secure Services
- Specific XP Services to Disable
91XP Security II Seminar Objectives
- Application Security
- Remote Desktop / Remote Assistance
- Remote Assistance Overview
- Disabling Remote Assistance
- Setting Up Remote Desktop
- Changing Default Remote Desktop Port
- Disabling Remote Desktop
- Using HFNetChk and Baseline Security Analyzer
- HFNetChk Overview
- Microsoft Baseline Security Analyzer Overview
- Reading Logs
- System LogFile Locations
- IIS LogFile Locations
- Conclusion
92Windows Is a Popular OS to Hack
- Millions of lines of code
- All aspects add to increase security
- ACLS, Services and Applications run among most important
- Frequent patching and examination of logs is a must
- Also consider other means to secure
- Apply ideas to workstations in department as well
- Spend extra time setting up a machine when you
have time rather than rebuilding when downtime is
highly inconvenient
93Appendix 1 File and Folder Permissions
94Appendix 2 PSU Security Policies
- Located at http://sos.its.psu.edu/policy.html
95Appendix 3 Additional Resources
- SANS guidelines
- //common/docs/SANS
- NSA Guide to Securing W2K
- nsa2.www.conxion.com/win2k/download.htm
- Microsoft Windows 2000 Server Security Guide
- http://www.microsoft.com/technet/security/prodtech/windows/windows2000/staysecure/Default.asp
- Microsoft SUS Whitepaper
- http://www.microsoft.com/windowsserversystem/sus/susdeployment.mspx
96Note
- PowerPoint slides to this and other seminars, links to utilities, patches, and suggestions for securing Windows operating systems and applications can be found at http://www.personal.psu.edu/lxm30/windows/windows.html