Title: HARDENING SERVERS

1 HARDENING SERVERS

2 OVERVIEW
- Understand the functions of group policies.
- Use the Group Policy Object Editor console.
- Create a secure baseline installation for member servers.
- Configure security for various server roles.

3 OVERVIEW (continued)
- Use security templates.
- Use the Security Configuration And Analysis snap-in to compare a computer's security settings with a security template, and apply a template to the computer.
- Understand the functions of the Secedit.exe command-line program.

4 USING GROUP POLICIES
- Link collections of configuration settings to Active Directory domains, organizational units (OUs), sites, and computers.
- Install software packages, deploy startup and shutdown scripts, specify configuration parameters for registry-based operating system and application software, configure security options, and redirect local folders to alternative locations on the network.

5 UNDERSTANDING GROUP POLICY OBJECTS (GPOs)
- Using Local GPOs
- Using Domain GPOs
- Using Organizational Unit GPOs
- Using Site GPOs

6 USING LOCAL GPOs
- A local GPO exists on every computer running Windows.
- A local GPO can only be applied to that computer.

7 USING DOMAIN GPOs
- GPOs associated with a domain affect every object in that domain.
- Every domain has a Default Domain Policy GPO associated with it.
- The Default Domain Policy GPO can be edited if necessary, or additional GPOs can be created.

8 USING ORGANIZATIONAL UNIT GPOs
- GPOs can be assigned to an OU at any level in the Active Directory structure.
- GPOs assigned to an OU affect every object in that OU.
- The system-created Domain Controllers OU is assigned the Default Domain Controllers GPO.

9 USING SITE GPOs
- GPOs assigned to a site affect every object in that site.
- Site GPOs allow a configuration to be applied on a location-by-location basis.
- Site GPOs enable you to control replication traffic that passes over the WAN links.

10 GROUP POLICY APPLICATION
- Policies are applied in the following order: local, site, domain, and OU.
- Settings from an earlier policy can be overwritten by settings in a later policy.
- Policies do not need to be set at every level.

11 GROUP POLICY INHERITANCE
- Objects lower in the Active Directory tree inherit group policy settings assigned at a higher level.
- A policy setting can be in one of three states: enabled, disabled, or undefined.
- An enabled or disabled setting overrides the earlier setting. An undefined setting leaves the earlier setting unchanged.
12 WORKING WITH GROUP POLICY OBJECTS

13 CREATING A BASELINE FOR MEMBER SERVERS
- Any server that is running Windows Server 2003 but is not a domain controller is considered a member server.
- Develop a member server baseline policy that is adequate for most of the systems in use.
- On a server-by-server basis, evaluate the default settings, and decide which, if any, need to be modified.

14 CREATING A BASELINE POLICY

15 UNDERSTANDING CONTAINER OBJECTS
- GPOs can only be assigned to actual OUs, not system-created containers like Computers.
- System-created containers cannot be deleted.
- Container objects cannot be created.

16 SETTING AUDIT POLICIES

17 SETTING EVENT LOG POLICIES

18 CONFIGURING SERVICES

19 CONFIGURING SECURITY OPTIONS

20 CREATING ROLE-SPECIFIC SERVER CONFIGURATIONS
- Specific server types such as domain controllers, infrastructure servers, file and print servers, and application servers have different security requirements than member servers.
- Create role-specific GPOs and combine them with baseline policies to achieve the required level of security.

21 SECURING DOMAIN CONTROLLERS
- Isolating Domain Controllers
- Setting Audit and Event Log Policies
- Assigning User Rights
- Configuring Services

22 ISOLATING DOMAIN CONTROLLERS
- Domain controllers should be kept in a physically secure location.
- Network configurations should be as limiting as possible.
- Where practical, additional services or applications should not be run on domain controllers.

23 SETTING AUDIT AND EVENT LOG POLICIES
- Domain controller computer objects are automatically placed in the Domain Controllers organizational unit.
- The Domain Controllers OU has a GPO linked to it that configures security settings specific to the domain controller role.
- Additional GPOs can be applied to the Domain Controllers OU to further configure security settings.

24 ASSIGNING USER RIGHTS
- The Default Domain Controllers GPO contains a basic set of user rights assignments.
- These assignments provide users and administrators with an appropriate set of rights to perform their tasks.
- The Domain Controllers container can be configured to provide more or fewer rights as required.
25 CONFIGURING SERVICES
- In addition to the services required by a member server, domain controllers require the following services to be automatically started:
  - Distributed File System
  - File Replication Service
  - Intersite Messaging
  - Kerberos Key Distribution Center
  - Remote Procedure Call (RPC) Locator

26 SECURING INFRASTRUCTURE SERVERS
- Systems that run DNS, Dynamic Host Configuration Protocol (DHCP), and Windows Internet Name Service (WINS) server services are considered infrastructure servers.
- These servers often also perform other roles such as file and print server or application server.
- Depending on the infrastructure role, additional services may need to be configured in the GPO applied to the servers.

27 CONFIGURING DNS SECURITY
- Use Active Directory-integrated zones where possible.
- Ensure that the MicrosoftDNS container object is kept secure.
- If using file-based zones, ensure that the %SystemRoot%\System32\Dns folder is kept secure.

28 CONFIGURING DHCP SECURITY
- Implement more than one DHCP server using the 80/20 rule.
- Implement DHCP servers on fault-tolerant or clustered hardware configurations.
- Monitor DHCP server activity and associated network traffic closely.
- If you suspect a security issue or are in a high-security environment, enable DHCP audit logging.

29 SECURING FILE AND PRINT SERVERS
- File and print servers generally require a minimal set of services.
- In addition to the baseline configuration, you would also:
  - Enable the Print Spooler service.
  - Disable the "Microsoft network server: Digitally sign communications (always)" security policy.

30 CONFIGURING PERMISSIONS USING A GPO
- Using a GPO, you can:
  - Specify the files or folders for which you want to configure file system permissions.
  - Specify the permissions you want assigned to the selected files or folders.
  - Specify whether you want the permissions to be inherited by subfolders.

31 SECURING APPLICATION SERVERS
- Evaluate each application and the services and security settings it requires.
- Examine user access requirements and implement security measures accordingly.
- Where possible, utilize security elements of the application, such as user authentication, internal permissions, and so on.

32 DEPLOYING ROLE-SPECIFIC GPOs
- Baseline GPOs should be created for all servers.
- Role-specific GPOs should be created as necessary.
- Both baseline and role-specific GPOs can be used in combination.

33 COMBINING GPO POLICIES
- Apply the baseline GPO to one OU.
- Apply the role-specific GPO to the child OU containing the servers performing that role.
- Settings in the role-specific GPO can:
  - Modify settings configured in the baseline.
  - Configure settings not defined in the baseline.
  - Leave baseline settings for specific parameters unchanged.
34 APPLYING MULTIPLE GPOs

35 CREATING AN OU HIERARCHY

36 USING SECURITY TEMPLATES
- Security templates are a collection of configuration settings stored as a text file.
- Templates allow configurations to be saved and deployed as needed.

37 UNDERSTANDING SECURITY TEMPLATES
- Security templates consist of policies and settings that allow you to make configurations consistent across servers.
- They can be used to configure a range of settings, including account policies, Event Log policies, system services, registry permissions, and file system permissions.
- The .inf files can be edited directly using a text editor.

38 USING THE SECURITY TEMPLATES CONSOLE

39 USING THE SUPPLIED SECURITY TEMPLATES
- Nine security templates are supplied by default.
- The security templates can be edited as necessary.
- New templates can be created as needed by copying existing templates.

40 DEPLOYING SECURITY TEMPLATES
- Security templates can be deployed via:
  - Group Policy
  - The Security Configuration And Analysis tool
  - Secedit.exe

41 USING GROUP POLICIES
- Security templates can be imported into Group Policy objects for:
  - Domains
  - Sites
  - Organizational units

42 GROUP POLICY DEPLOYMENT CAUTIONS
- Configuration parameters imported into the group policy object for a specific container are inherited by all the objects in that container, including other containers.
- Complex templates with many configuration settings can create a large amount of network traffic when they are refreshed.

43 DEPLOYING SECURITY TEMPLATES USING GROUP POLICIES

44 USING THE SECURITY CONFIGURATION AND ANALYSIS TOOL

45 ANALYZING A SYSTEM

46 CHANGING SECURITY SETTINGS
- Once analysis is complete, you can make changes in the following ways:
  - Apply the database settings to the computer.
  - Modify the database settings.
  - Create a new template.
  - Modify the computer's settings manually.

47 USING SECEDIT.EXE
- Command-prompt utility that can perform the same functions as the Security Configuration And Analysis snap-in.
- Allows security configurations to be edited and updated through a script or batch file.
- Allows you to apply only part of a security template to a computer.
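The layering of a baseline with a role-specific policy (slides 10, 11 and 33) and the analysis step that compares a template with a computer's settings (slides 46 and 47), as an added Python example that is not part of the chapter: it parses the `[section]` / `key = value` layout of .inf security templates, layers a member-server baseline with a file-and-print role template that turns off the signing policy from slide 29, and lists where a computer's settings differ. The function names, template contents and the computer snapshot are assumptions constructed for illustration; only the RequireSecuritySignature registry value is a real setting name.

```python
# Added example, not from the chapter: layers .inf security templates into an
# effective policy and lists where a computer's settings differ (constructed data).
SIGN_KEY = r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature"
BASELINE_INF = r"""
[System Access]
MinimumPasswordLength = 8
[Event Audit]
AuditPolicyChange = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
"""
# Role template for file and print servers: disables "Digitally sign communications (always)".
FILEPRINT_INF = r"""
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
"""
COMPUTER = {"System Access": {"MinimumPasswordLength": "6"},   # constructed snapshot of
            "Event Audit": {"AuditPolicyChange": "0"},         # what the computer has
            "Registry Values": {SIGN_KEY: "4,1"}}              # configured right now

def parse_template(text):
    """Parse [section] / key = value lines into {section: {key: value}}."""
    settings, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]                    # new section header
        elif "=" in line and section is not None and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            settings.setdefault(section, {})[key] = value
    return settings

def effective_policy(templates):
    """Later templates override what they define and leave the rest unchanged."""
    result = {}
    for tpl in templates:
        for section, items in tpl.items():
            result.setdefault(section, {}).update(items)
    return result

def analyze(policy, computer, areas=None):
    """List (section, key, expected, actual) per difference; areas limits which sections are checked."""
    mismatches = []
    for section, items in policy.items():
        if areas is not None and section not in areas:
            continue                                # like applying only part of a template
        for key, expected in items.items():
            actual = computer.get(section, {}).get(key)
            if actual != expected:
                mismatches.append((section, key, expected, actual))
    return mismatches
```

Calling `analyze(effective_policy([parse_template(BASELINE_INF), parse_template(FILEPRINT_INF)]), COMPUTER)` reports the password length, the audit setting and the signing value as the three settings to change.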
48 CHAPTER SUMMARY
- A Group Policy object (GPO) is a collection of configuration parameters you can use to secure a Windows Server 2003 installation.
- Audit and Event Log policies enable you to specify what types of information a computer logs, how much information the computer retains in the logs, and how the computer behaves when the logs are full.
- The domain controller role is the only one with its own default GPO assigned by Windows Server 2003.
- An Active Directory object can receive policy settings from multiple GPOs and apply them in a particular order.
- Organizational unit objects inherit policy settings from the GPOs applied to their parent objects.

49 CHAPTER SUMMARY (continued)
- A security template is a collection of configuration settings stored as a text file with an .inf extension.
- Windows Server 2003 includes a number of predefined templates that enable you to restore the default security parameters created when Windows is installed.
- You can use the Security Configuration and Analysis snap-in to deploy security templates on the local computer.
- Secedit.exe is a command-line tool that performs the same functions as the Security Configuration And Analysis snap-in and can apply specific parts of templates to the computer.