Microsoft Windows Server - PowerPoint PPT Presentation

Provided by: mte7
Slides: 15

Transcript and Presenter's Notes

1
Microsoft Windows Server
2
Securing the Server
  • Provide Physical Security for the machine
    Most security breaches in corporate environments
    occur from the inside. Culprits range from
    well-meaning "power users" who configure their
    co-workers' PCs, to disgruntled employees, to
    full-blown corporate spies working at your
    company. It may not be practical to physically
    secure every workstation in your environment, but
    your servers need to be in a locked room with
    monitored access. Consider placing surveillance
    cameras in your server rooms and keeping the
    tapes for 30 days. For desktops, install a lock
    on the CPU case, keep it locked, and store the
    key safely away from the computer at a secure
    location (e.g. a locked cabinet in the server
    room).

3
Securing The Server
  • Password protect the screensaver
    Once again this is a basic security step that is
    often circumvented by users. Make sure all of your
    workstations and servers have this feature enabled
    to prevent an internal threat from taking
    advantage of an unlocked console. For best
    results, choose the blank screensaver or logon
    screensaver. Avoid the OpenGL and graphics
    intensive screensavers that eat CPU cycles and
    memory. Make sure the wait setting is appropriate
    for your business. If you can get your users in
    the habit of manually locking their workstations
    when they walk away from their desks, you can
    probably get away with an idle time of 15 minutes
    or more. You can keep users from changing this
    setting via Group Policy.
  • Use NTFS on all partitions
    FAT and FAT32 file systems don't support file-level
    security and give hackers a big wide open door to
    your system. Make sure all of your system
    partitions are formatted using NTFS.
  • Always run Anti-Virus software
    Again, this is something that is considered a basic
    tenet of security, but you would be surprised at
    how many companies don't run Anti-Virus software,
    or run it but don't update it. Today's AV software
    does more than just check for known viruses; many
    products scan for other types of malicious code as
    well.
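The NTFS and anti-virus items above are the kind of thing that drifts silently after a rebuild, so here is an added audit script (not part of the presentation) that checks both on the local machine and returns findings. It assumes Windows PowerShell 5.1 or later with the Storage module (Get-Volume) and Microsoft Defender's Get-MpComputerStatus; a third-party AV product would need its own status check in place of the Defender one.

```powershell
# Added example, not from the original slides.
# Audits two baseline controls on the local machine: every lettered
# volume is NTFS, and anti-virus (Microsoft Defender assumed) is both
# running and current.  Returns one object per finding.

function Get-BaselineFindings {
    [CmdletBinding()]
    param(
        # Signatures older than this many days are reported as stale.
        [int]$MaxSignatureAgeDays = 3
    )

    $findings = @()

    # 1. File system check.  FAT/FAT32 carry no ACLs, so file-level
    #    permissions cannot be enforced on them at all.
    Get-Volume | Where-Object { $_.DriveLetter -and $_.FileSystem } |
        ForEach-Object {
            if ($_.FileSystem -ne 'NTFS') {
                $findings += [pscustomobject]@{
                    Check   = 'FileSystem'
                    Subject = "$($_.DriveLetter):"
                    Detail  = "Formatted as $($_.FileSystem); expected NTFS"
                }
            }
        }

    # 2. Anti-virus must be running AND updated.  Defender exposes both
    #    facts through Get-MpComputerStatus.
    $av = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $av) {
        $findings += [pscustomobject]@{
            Check   = 'AntiVirus'
            Subject = 'Microsoft Defender'
            Detail  = 'Status unavailable (not installed or not running)'
        }
    } else {
        if (-not $av.RealTimeProtectionEnabled) {
            $findings += [pscustomobject]@{
                Check   = 'AntiVirus'
                Subject = 'Microsoft Defender'
                Detail  = 'Real-time protection is disabled'
            }
        }
        $age = (Get-Date) - $av.AntivirusSignatureLastUpdated
        if ($age.TotalDays -gt $MaxSignatureAgeDays) {
            $findings += [pscustomobject]@{
                Check   = 'AntiVirus'
                Subject = 'Microsoft Defender'
                Detail  = "Signatures are $([int]$age.TotalDays) days old"
            }
        }
    }

    return $findings
}

# Usage: an empty result means both controls are in place.
Get-BaselineFindings | Format-Table -AutoSize
```

Run it from a scheduled task and alert on a non-empty result; the signature age threshold is the one parameter worth tuning to how often your update source actually publishes.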

4
Securing The Server
  • Create 2 accounts for Administrators
    Create one regular user account for your
    Administrators for reading mail and other common
    tasks, and a separate account (with a more
    aggressive password policy) for tasks requiring
    administrator privileges. Have your Administrators
    use the "Run As" command available with Windows
    200x to enable the access they need. This prevents
    malicious code from spreading through your network
    with admin privileges.

5
Securing The Server
  • Rename the Administrator Account
    Many hackers will argue that this won't stop them,
    because they will use the SID to find the name of
    the account and hack that. Our view is, why make
    it easy for them. Renaming the Administrator
    account will stop some amateur hackers cold, and
    will annoy the more determined ones. Remember that
    hackers won't know what the inherited or group
    permissions are for an account, so they'll try to
    hack any local account they find and then try to
    hack other accounts as they go to improve their
    access. If you rename the account, try not to use
    the word "Admin" in its name. Pick something that
    won't sound like it has rights to anything.
  • Consider creating a dummy Administrator account
    Another strategy is to create a local account
    named "Administrator", then give that account no
    privileges and an impossible-to-guess 10-digit
    complex password. This should keep the script
    kiddies busy for a while. If you create a dummy
    Administrator account, enable auditing so you'll
    know when it is being tampered with.

6
Securing The Server
  • Replace the "Everyone" Group with "Authenticated
    Users" on file shares
    "Everyone", in the context of Windows 200x
    security, means anyone who gains access to your
    network can access the data. Never assign the
    "Everyone" Group access to a file share on your
    network; use "Authenticated Users" instead. This is
    especially important for printers, which have the
    "Everyone" Group assigned by default.
  • Password Security
    A good password policy is essential to your
    network security, but is often overlooked. In
    large organizations there is a huge temptation for
    lazy administrators to create all local
    Administrator accounts (or worse, a common domain
    level administrator account) with a password that
    is a variation of the company name, computer name,
    or advertising tag line, e.g. companyname1,
    win2kcompanyname, etc. Even worse are new user
    accounts with simple passwords such as "welcome",
    "letmein", "new2you", that aren't required to
    change the password after the first logon. Use
    complex passwords that are changed at least every
    60-90 days. Passwords should contain at least
    eight characters, and preferably nine (recent
    security information reports that many cracking
    programs are using the eight-character standard as
    a starting point). Also, each password must follow
    the standards set for strong passwords.

7
Securing The Server
  • Disable the Guest Account
    Windows 200x finally disables the guest account by
    default, but if you didn't build the image
    yourself, always double check to make sure the
    guest account is not enabled. For additional
    security assign a complex password to the account
    anyway, and restrict its logon hours 24x7.
  • Limit the number of unnecessary accounts
    Eliminate any duplicate user accounts, test
    accounts, shared accounts, general department
    accounts, etc. Use group policies to assign
    permissions as needed, and audit your accounts
    regularly. These generic accounts are famous for
    having weak passwords (and lots of access) and are
    at the top of every hacker's list of accounts to
    crack first. This can be a big problem at larger
    companies with understaffed IT departments.
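Both items on this slide are account hygiene, so here is one added audit (not from the presentation) that disables Guest if it is found enabled and lists the accounts the slide wants pruned: never-logged-on or stale accounts, accounts whose password is not required or never expires, and accounts whose names look like test, shared or department accounts. It assumes Windows PowerShell 5.1 with the LocalAccounts module and an elevated session; the name patterns are an assumption and should be adjusted to local naming conventions.

```powershell
# Added example, not from the original slides.
# Returns one object per (account, finding) so the output can be sorted
# or exported for a periodic account review.

function Get-LocalAccountFindings {
    param(
        [int]$StaleDays = 90,
        # Constructed patterns for "generic" accounts; tune to your environment.
        [string[]]$GenericNamePatterns = @('test', 'temp', 'shared', 'dept', 'demo')
    )

    # Guest: disable if enabled.  The slide's "restrict its logon hours
    # 24x7" is 'net user Guest /times:' (an empty value means never).
    $guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
    if ($guest -and $guest.Enabled) {
        Disable-LocalUser -Name 'Guest'
        [pscustomobject]@{ Account = 'Guest'; Finding = 'Was enabled; now disabled' }
    }

    $cutoff = (Get-Date).AddDays(-$StaleDays)
    foreach ($u in Get-LocalUser | Where-Object Enabled) {
        $f = @()
        if (-not $u.PasswordRequired) { $f += 'password not required' }
        if (-not $u.PasswordExpires)  { $f += 'password never expires' }
        if (-not $u.LastLogon)        { $f += 'never logged on' }
        elseif ($u.LastLogon -lt $cutoff) { $f += "no logon in $StaleDays days" }
        foreach ($p in $GenericNamePatterns) {
            if ($u.Name -like "*$p*") { $f += "generic name pattern '$p'"; break }
        }
        foreach ($item in $f) {
            [pscustomobject]@{ Account = $u.Name; Finding = $item }
        }
    }
}

Get-LocalAccountFindings | Sort-Object Account | Format-Table -AutoSize
```

A renamed built-in Administrator will usually show up as "password never expires"; that is expected, and the point of the report is to make the reviewer decide, not to auto-delete.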

8
Securing The Server
  • Secure your Backup tapes
    It's amazing how many organizations implement
    excellent platform security, and then don't
    encrypt and/or lock up their backup tapes
    containing the same data. It's also a good idea to
    keep your Emergency Repair Disks locked up and
    stored away from your servers.

9
Securing The Server
  • Use the Security Configuration Toolset included
    with Windows 200x to configure policies
    Microsoft provides a Security Configuration
    Toolset which provides plug-in templates for the
    MMC that allow you to easily configure your
    policies based on the level of security you
    require. The template includes a long list of
    configurable options (many of which appear on this
    checklist) and also includes a useful security
    analysis tool. If your workstation is not part of
    a domain, you can still enable policies by using
    the Poledit.exe file from the Windows 200x Server
    CD-ROM.
  • Don't allow unmonitored modems in your environment
    One of the easiest hacks in the world is finding a
    company's phone number prefix and suffix range and
    war-dialing for a modem that picks up. After
    weeding through the fax machines, an attacker can
    either look for an unsecured workstation with RAS
    enabled, or one with Symantec's pcAnywhere loaded
    on it. If either one is configured incorrectly,
    they can easily gain access to the local machine
    and work up from there. If you have a digital
    phone system, get a list of every analog line that
    comes into your workplace and find out where it
    goes! Every PC hooked to a modem is a security
    risk. Make sure they're configured correctly and
    audited regularly.

10
Securing The Server
  • Shut down unnecessary services
    Unnecessary services take up system resources and
    can open holes into your operating system. IIS,
    RAS, and Terminal Services have security and
    configuration issues of their own, and should be
    implemented carefully if required. There are also
    several malicious programs that can run quietly as
    services without anyone knowing. You should be
    aware of all the services that run on your servers
    and audit them periodically. What services are
    deemed unnecessary may vary based on the function
    of your server and/or workstations. Please test
    your specific configuration in a lab environment
    before enabling it in your production network.
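"Be aware of all the services that run on your servers" is easiest to keep true with a baseline you compare against. The script below is an added example, not from the presentation: it lists auto-start services that are not in an approved list and, on request, stops and disables them. It assumes PowerShell 5.0 or later (Get-Service gained the StartType property there); the baseline list in the script is a constructed placeholder, the real one must be exported from a freshly built server of the same role.

```powershell
# Added example, not from the original slides.

function Get-UnexpectedAutoServices {
    param([Parameter(Mandatory)][string[]]$Baseline)
    Get-Service |
        Where-Object { $_.StartType -eq 'Automatic' -and $Baseline -notcontains $_.Name } |
        Select-Object Name, DisplayName, Status, StartType
}

function Disable-UnexpectedAutoServices {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Baseline)
    foreach ($svc in Get-UnexpectedAutoServices -Baseline $Baseline) {
        if ($PSCmdlet.ShouldProcess($svc.Name, 'stop and set StartType to Disabled')) {
            Stop-Service -Name $svc.Name -Force -ErrorAction Continue
            Set-Service  -Name $svc.Name -StartupType Disabled
        }
    }
}

# Constructed placeholder baseline: a handful of core services.  Export
# the real list from a known-good reference build of the same role:
#   Get-Service | Where-Object StartType -eq 'Automatic' |
#       Select-Object -ExpandProperty Name | Set-Content baseline.txt
$baseline = @('Dhcp', 'Dnscache', 'EventLog', 'LanmanWorkstation',
              'RpcSs', 'Schedule', 'WinDefend', 'wuauserv')

Get-UnexpectedAutoServices -Baseline $baseline | Format-Table -AutoSize

# Review the report, then:
# Disable-UnexpectedAutoServices -Baseline (Get-Content baseline.txt) -WhatIf
```

The three services the slide singles out appear in this report as W3SVC (IIS), RemoteAccess (RAS) and TermService (Terminal Services); if the server's role does not need them, they should not be in its baseline.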

11
Securing The Server
  • Shut down unnecessary ports
    This is a judgment call based on your needs and
    risks. Workstations aren't normally at risk behind
    a firewall, but never assume your servers are
    safe! A hacker's first attempt at rattling the
    doors and windows usually involves using a port
    scanner. You can find out a list of open ports on
    your local system by opening the file located at
    systemroot\drivers\etc\services. You can configure
    your ports via the TCP/IP Security console located
    in the TCP/IP properties (Control Panel > Network
    and Dial Up Connections > Local Area Connection >
    Internet Protocol (TCP/IP) > Properties > Advanced
    > Options > TCP/IP Filtering). To allow only TCP
    and ICMP connections, configure the UDP and IP
    Protocol check boxes to "Permit Only" and leave
    the fields blank.
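One caveat on the slide's first suggestion: the services file is a static table mapping well-known port numbers to names, not a record of what is listening on this machine. To see what is actually open, ask the TCP/IP stack. The script below is an added example, not from the presentation; it lists listening TCP ports and bound UDP endpoints with their owning process and flags anything outside an allow-list. It assumes the NetTCPIP module (Windows 8 / Server 2012 and later), and the allow-list is a constructed placeholder for a file server.

```powershell
# Added example, not from the original slides.

function Get-ListeningPorts {
    # Map PID -> process name once, instead of a lookup per connection.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_.ProcessName }

    $tcp = Get-NetTCPConnection -State Listen | ForEach-Object {
        [pscustomobject]@{ Proto = 'TCP'; Address = $_.LocalAddress; Port = $_.LocalPort
                           Pid = $_.OwningProcess; Process = $procs[[int]$_.OwningProcess] }
    }
    $udp = Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{ Proto = 'UDP'; Address = $_.LocalAddress; Port = $_.LocalPort
                           Pid = $_.OwningProcess; Process = $procs[[int]$_.OwningProcess] }
    }
    @($tcp) + @($udp) | Sort-Object Proto, Port -Unique
}

function Get-UnexpectedListeners {
    # $Allowed maps 'PROTO/port' -> expected process name.
    param([Parameter(Mandatory)][hashtable]$Allowed)
    Get-ListeningPorts | Where-Object {
        $key = "$($_.Proto)/$($_.Port)"
        (-not $Allowed.ContainsKey($key)) -or ($Allowed[$key] -ne $_.Process)
    }
}

# Constructed allow-list for a file server; the process check catches a
# rogue program that has taken over an "expected" port.
$allowed = @{
    'TCP/135'  = 'svchost'   # RPC endpoint mapper
    'TCP/445'  = 'System'    # SMB
    'TCP/3389' = 'svchost'   # Remote Desktop (TermService)
    'UDP/137'  = 'System'    # NetBIOS name service
    'UDP/138'  = 'System'    # NetBIOS datagram
}
Get-UnexpectedListeners -Allowed $allowed | Format-Table -AutoSize

# Closing a port, the current equivalent of the slide's TCP/IP Filtering
# dialog, is a Windows Firewall rule; e.g. to refuse inbound TCP 5985:
# New-NetFirewallRule -DisplayName 'Block inbound TCP 5985' -Direction Inbound `
#     -Protocol TCP -LocalPort 5985 -Action Block
```

Listening on 0.0.0.0 or :: means every interface; a service that only needs to talk to localhost should be bound to 127.0.0.1, and the Address column is there so that shows up in the same report.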

12
Securing The Server
  • Enable Auditing
    The most basic form of Intrusion Detection for
    Windows 200x is to enable auditing. This will
    alert you to changes in account policies,
    attempted password hacks, unauthorized file
    access, etc. Most users are unaware of the types
    of doors they have unknowingly left open on their
    local workstation, and these risks are often
    discovered only after a serious security breach
    has occurred. At the very minimum, consider
    auditing the following events

13
Securing the Server
  • Set permissions on the security event log
    The event log files are not protected by default,
    so permissions should be set on the event log
    files to allow access to Administrator and System
    accounts only.
  • Store all sensitive documents on file servers
    Although most new workstations come with some very
    large drives, you should consider storing all of a
    user's data (documents, spreadsheets, project
    files, etc.) on a secured server, where the data
    is backed up regularly. Modify the parameters for
    the "My Documents" folder to always point to the
    user's network share on a secured server. For
    laptop users, enable the "Make available offline"
    capabilities to synchronize the folder's content.
  • Prevent the last logged-in user name from being
    displayed
    When you press Ctrl-Alt-Del, a login dialog box
    appears which displays the name of the last user
    who logged in to the computer, and makes it easier
    to discover a user name that can later be used in
    a password-guessing attack. This can be disabled
    using the security templates provided on the
    installation CD, or via the Group Policy snap-in.
    For more information, see Microsoft KB Article
    Q310125.
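The last item on this slide and the password-protected screensaver from slide 3 both come down to registry values that Group Policy writes, so they can be verified (and, on a stand-alone machine, set) with one script. This is an added example, not from the presentation. It assumes an elevated session; the HKCU values apply to the current user only, and on a domain member the GPO should own these values rather than a script.

```powershell
# Added example, not from the original slides.
# Each entry is the policy location Group Policy itself uses.

$desktop = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$system  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$desired = @(
    # Screensaver on, password-protected, blank screensaver, 15 minutes (900 s).
    @{ Path = $desktop; Name = 'ScreenSaveActive';    Value = '1';            Type = 'String' }
    @{ Path = $desktop; Name = 'ScreenSaverIsSecure'; Value = '1';            Type = 'String' }
    @{ Path = $desktop; Name = 'ScreenSaveTimeOut';   Value = '900';          Type = 'String' }
    @{ Path = $desktop; Name = 'SCRNSAVE.EXE';        Value = 'scrnsave.scr'; Type = 'String' }
    # "Interactive logon: Do not display last user name" = Enabled.
    @{ Path = $system;  Name = 'DontDisplayLastUserName'; Value = 1;          Type = 'DWord' }
)

function Test-PolicyValues {
    param([Parameter(Mandatory)][hashtable[]]$Desired)
    foreach ($d in $Desired) {
        $actual = (Get-ItemProperty -Path $d.Path -Name $d.Name -ErrorAction SilentlyContinue).($d.Name)
        $shown  = '<missing>'
        if ($null -ne $actual) { $shown = $actual }
        [pscustomobject]@{
            Setting  = "$($d.Path)\$($d.Name)"
            Expected = $d.Value
            Actual   = $shown
            Ok       = ("$actual" -eq "$($d.Value)")
        }
    }
}

function Set-PolicyValues {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][hashtable[]]$Desired)
    foreach ($d in $Desired) {
        if (-not (Test-Path $d.Path)) { New-Item -Path $d.Path -Force | Out-Null }
        if ($PSCmdlet.ShouldProcess("$($d.Path)\$($d.Name)", "set to $($d.Value)")) {
            New-ItemProperty -Path $d.Path -Name $d.Name -Value $d.Value `
                -PropertyType $d.Type -Force | Out-Null
        }
    }
}

Test-PolicyValues -Desired $desired | Format-Table -AutoSize
# Set-PolicyValues -Desired $desired -WhatIf
```

The timeout value is the slide's "15 minutes or more" for users who lock manually; tighten it where they do not. Values under the Policies keys override the user's own Control Panel settings, which is what keeps users from changing them.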

14
Securing the Server
  • Check Microsoft's web site for the latest hotfixes
    Nobody writes 30 million lines of code and is
    going to have it perfect the first time, so
    updating service packs and hotfixes can go a long
    way to plug security holes. The problem is that
    hotfixes aren't regression-tested as thoroughly as
    service packs and can come with bugs of their own.
    You should always test them on a comparable,
    non-production system before deploying them. Check
    Microsoft's TechNet Security Page frequently for
    the latest hotfixes and decide which ones you need
    to roll out.