HARDENING SERVERS - PowerPoint PPT Presentation

About This Presentation
Title:

HARDENING SERVERS

Description:

Create a secure baseline installation for member servers. ... Settings from an earlier policy can be overwritten by settings in a later policy. ...

Slides: 50
Provided by: york5

Transcript and Presenter's Notes

Title: HARDENING SERVERS


1
HARDENING SERVERS
  • Chapter 8

2
OVERVIEW
  • Understand the functions of group policies.
  • Use the Group Policy Object Editor console.
  • Create a secure baseline installation for member
    servers.
  • Configure security for various server roles.

3
OVERVIEW (continued)
  • Use security templates.
  • Use the Security Configuration And Analysis
    snap-in to compare a computer's security settings
    with a security template, and apply a template to
    the computer.
  • Understand the functions of the Secedit.exe
    command line program.

4
USING GROUP POLICIES
  • Link collections of configuration settings to
    Active Directory domains, organizational units
    (OUs), sites, and computers.
  • Install software packages, deploy startup and
    shutdown scripts, specify configuration
    parameters for registry-based operating system
    and application software, configure security
    options, and redirect local folders to
    alternative locations on the network.

5
UNDERSTANDING GROUP POLICY OBJECTS (GPOs)
  • Using Local GPOs
  • Using Domain GPOs
  • Using Organizational Unit GPOs
  • Using Site GPOs

6
USING LOCAL GPOS
  • A local GPO exists on every computer running
    Windows.
  • A local GPO can only be applied to that computer.

7
USING DOMAIN GPOS
  • GPOs associated with a domain affect every object
    in that domain.
  • Every domain has a Default Domain Policy GPO
    associated with it.
  • The Default Domain Policy GPO can be edited if
    necessary, or additional GPOs can be created.

8
USING ORGANIZATIONAL UNIT GPOs
  • GPOs can be assigned to an OU at any level in
    the Active Directory structure.
  • GPOs assigned to an OU affect every object in
    that OU.
  • The system-created Domain Controllers OU is
    assigned the Default Domain Controllers GPO.

9
USING SITE GPOs
  • GPOs assigned to a site affect every object in
    that site.
  • Site GPOs allow a configuration to be applied on
    a location-by-location basis.
  • Site GPOs enable you to control replication
    traffic that passes over the WAN links.

10
GROUP POLICY APPLICATION
  • Policies are applied in the following order:
    local, site, domain, and OU.
  • Settings from an earlier policy can be
    overwritten by settings in a later policy.
  • Policies do not need to be set at every level.

11
GROUP POLICY INHERITANCE
  • Objects lower in the Active Directory tree
    inherit group policy settings assigned at a
    higher level.
  • A policy setting can be in one of three states:
    enabled, disabled, or undefined.
  • An enabled or disabled setting overrides the
    earlier setting. An undefined setting leaves the
    earlier setting unchanged.

12
WORKING WITH GROUP POLICY OBJECTS

13
CREATING A BASELINE FOR MEMBER SERVERS
  • Any server that is running Windows Server 2003
    but is not a domain controller is considered a
    member server.
  • Develop a member server baseline policy that is
    adequate for most of the systems in use.
  • On a server-by-server basis, evaluate the default
    settings, and decide which, if any, need to be
    modified.

14
CREATING A BASELINE POLICY

15
UNDERSTANDING CONTAINER OBJECTS
  • GPOs can only be assigned to actual OUs, not
    system-created containers like Computers.
  • System-created containers cannot be deleted.
  • Container objects cannot be created.

16
SETTING AUDIT POLICIES

17
SETTING EVENT LOG POLICIES

18
CONFIGURING SERVICES

19
CONFIGURING SECURITY OPTIONS

20
CREATING ROLE-SPECIFIC SERVER CONFIGURATIONS
  • Specific server types such as domain controllers,
    infrastructure servers, file and print servers,
    and application servers have different security
    requirements than member servers.
  • Create role-specific GPOs and combine with
    baseline policies to achieve the required level
    of security.

21
SECURING DOMAIN CONTROLLERS
  • Isolating Domain Controllers
  • Setting Audit and Event Log Policies
  • Assigning User Rights
  • Configuring Services

22
ISOLATING DOMAIN CONTROLLERS
  • Domain controllers should be kept in a physically
    secure location.
  • Network configurations should be as limiting as
    possible.
  • Where practical, additional services or
    applications should not be run on domain
    controllers.

23
SETTING AUDIT AND EVENT LOG POLICIES
  • Domain controller computer objects are
    automatically placed in the Domain Controllers
    organizational unit.
  • The Domain Controllers OU has a GPO linked to it
    that configures security settings specific to the
    domain controller role.
  • Additional GPOs can be applied to the Domain
    Controllers OU to further configure security
    settings.

24
ASSIGNING USER RIGHTS
  • The Default Domain Controllers GPO contains a
    basic set of user rights assignments.
  • These assignments provide users and
    administrators with an appropriate set of rights
    to perform their tasks.
  • The Domain Controller containers can be
    configured to provide more or fewer rights as
    required.

25
CONFIGURING SERVICES
  • In addition to the services required by a member
    server, domain controllers require the following
    services to be automatically started:
      • Distributed File System
      • File Replication Service
      • Intersite Messaging
      • Kerberos Key Distribution Center
      • Remote Procedure Call (RPC) Locator

26
SECURING INFRASTRUCTURE SERVERS
  • Systems that run DNS, Dynamic Host Configuration
    Protocol (DHCP), and Windows Internet Name
    Service (WINS) server services are considered
    infrastructure servers.
  • These servers often also perform other roles such
    as file and print server or application server.
  • Depending on the infrastructure role, additional
    services may need to be configured in the GPO
    applied to the servers.

27
CONFIGURING DNS SECURITY
  • Use Active Directory integrated zones where
    possible.
  • Ensure that the MicrosoftDNS container object is
    kept secure.
  • If using file-based zones, ensure that the
    %systemroot%\System32\Dns folder is kept secure.

28
CONFIGURING DHCP SECURITY
  • Implement more than one DHCP server using the
    80/20 rule.
  • Implement DHCP servers on fault-tolerant or
    clustered hardware configurations.
  • Monitor DHCP server activity and associated
    network traffic closely.
  • If you suspect a security issue or are in a
    high-security environment, enable DHCP Audit
    Logging.

29
SECURING FILE AND PRINT SERVERS
  • File and print servers generally require a
    minimal set of services.
  • In addition to the baseline configuration, you
    would also:
      • Enable the Print Spooler service.
      • Disable the Microsoft Network Server: Digitally
        Sign Communications (Always) security policy.

30
CONFIGURING PERMISSIONS USING A GPO
  • Using a GPO, you can:
      • Specify the files or folders for which you want
        to configure file system permissions
      • Specify the permissions you want assigned to the
        selected files or folders
      • Specify if you want the permissions to be
        inherited by subfolders

31
SECURING APPLICATION SERVERS
  • Evaluate each application and the services and
    security settings it requires.
  • Examine user access requirements and implement
    security measures accordingly.
  • Where possible, utilize security elements of the
    application, such as user authentication,
    internal permissions, and so on.

32
DEPLOYING ROLE-SPECIFIC GPOs
  • Baseline GPOs should be created for all servers.
  • Role-specific GPOs should be created as
    necessary.
  • Both baseline and role-specific GPOs can be used
    in combination.

33
COMBINING GPO POLICIES
  • Apply the baseline GPO to one OU.
  • Apply the role-specific GPO to the subsequent OU
    containing servers performing that role.
  • Settings in the role-specific GPO can:
      • Modify settings configured in the baseline
      • Configure settings not defined in the baseline
      • Leave baseline settings for specific parameters
        unchanged
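
The application order from slides 10 and 11 and the baseline plus role-specific combination above can be modelled as a last-writer-wins merge in which an undefined setting is simply absent from a GPO. The PowerShell below is an added example, not part of the original presentation; the GPO names, setting names and values are constructed for illustration.

```powershell
# Constructed sample GPOs in application order: local, site, domain, OU, child OU.
# A setting missing from a GPO is "undefined" there and leaves the earlier value alone.
$gpos = @(
    @{ Name = 'Local GPO';              Settings = @{ AuditLogonEvents = 'Disabled' } }
    @{ Name = 'Site GPO';               Settings = @{} }
    @{ Name = 'Default Domain Policy';  Settings = @{ AuditLogonEvents = 'Enabled' } }
    @{ Name = 'Member Server Baseline'; Settings = @{ SignSmbAlways = 'Enabled'; AuditObjectAccess = 'Enabled' } }
    @{ Name = 'File and Print Role';    Settings = @{ SignSmbAlways = 'Disabled'; PrintSpooler = 'Enabled' } }
)

function Resolve-EffectivePolicy {
    param([Parameter(Mandatory)] [hashtable[]] $Gpos)

    $effective = [ordered]@{}
    foreach ($gpo in $Gpos) {
        # Only settings that are defined (enabled or disabled) in this GPO are visited.
        foreach ($name in $gpo.Settings.Keys) {
            $earlier = $effective[$name]
            $effective[$name] = [pscustomobject]@{
                Setting  = $name
                Value    = $gpo.Settings[$name]
                SetBy    = $gpo.Name
                Replaced = if ($earlier) { "$($earlier.Value) from $($earlier.SetBy)" } else { '' }
            }
        }
    }
    $effective.Values
}

# Effective result for a server in the file and print OU:
#   AuditLogonEvents  : Enabled, domain policy overwrote the local GPO
#   AuditObjectAccess : Enabled, baseline value left unchanged by the role GPO
#   PrintSpooler      : Enabled, defined only in the role GPO
#   SignSmbAlways     : Disabled, role GPO modified the baseline value
Resolve-EffectivePolicy -Gpos $gpos | Sort-Object Setting | Format-Table -AutoSize
```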

34
APPLYING MULTIPLE GPOs

35
CREATING AN OU HIERARCHY

36
USING SECURITY TEMPLATES
  • Security templates are a collection of
    configuration settings stored as a text file.
  • Allows configuration files to be saved and
    deployed as needed.

37
UNDERSTANDING SECURITY TEMPLATES
  • Security templates consist of policies and
    settings that allow you to make configurations
    consistent across servers.
  • Can be used to configure a range of settings,
    including account policies, Event Log policies,
    system services, registry permissions, and file
    system permissions.
  • The .inf files can be edited directly using a
    text editor.

38
USING THE SECURITY TEMPLATES CONSOLE

39
USING THE SUPPLIED SECURITY TEMPLATES
  • Nine security templates are supplied by default.
  • The security templates can be edited as
    necessary.
  • New templates can be created as needed by copying
    existing templates.

40
DEPLOYING SECURITY TEMPLATES
  • Security templates can be deployed via:
      • Group Policy
      • Security Configuration And Analysis Tool
      • Secedit.exe

41
USING GROUP POLICIES
  • Security templates can be imported into Group
    Policy objects for:
      • Domains
      • Sites
      • Organizational units

42
GROUP POLICY DEPLOYMENT CAUTIONS
  • Configuration parameters imported into the group
    policy object for a specific container are
    inherited by all the objects in that container,
    including other containers.
  • Complex templates with many configuration
    settings can create a large amount of network
    traffic when they are refreshed.

43
DEPLOYING SECURITY TEMPLATES USING GROUP POLICIES

44
USING THE SECURITY CONFIGURATION AND ANALYSIS TOOL

45
ANALYZING A SYSTEM

46
CHANGING SECURITY SETTINGS
  • Once analysis is complete, you can make changes
    in the following ways:
      • Apply the database settings to the computer.
      • Modify the database settings.
      • Create a new template.
      • Modify the computer's settings manually.

47
USING SECEDIT.EXE
  • Command prompt utility that can perform the same
    functions as the Security Configuration And
    Analysis snap-in
  • Allows security configurations to be edited and
    updated through a script or batch file
  • Allows you to apply only part of a security
    template to a computer
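
A scripted validate, analyze and partial-apply sequence with Secedit.exe, shown as an added example that is not part of the original presentation. The working folder, file names and template values are constructed placeholders; the script assumes an elevated PowerShell prompt.

```powershell
# Constructed working paths (placeholders, not from the presentation).
$work     = Join-Path $env:TEMP 'secedit-demo'
$template = Join-Path $work 'member-baseline.inf'
$database = Join-Path $work 'member-baseline.sdb'
$log      = Join-Path $work 'member-baseline.log'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# A minimal security template (.inf) with password and audit policy settings.
# Audit values: 0 = none, 1 = success, 2 = failure, 3 = success and failure.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditPolicyChange = 1
'@ | Set-Content -Path $template -Encoding Unicode

# 1. Check the template syntax before importing it into a database.
secedit /validate $template
if ($LASTEXITCODE -ne 0) { throw "Template failed validation: $template" }

# 2. Import the template into a fresh database and compare the computer to it.
#    This step only reports; it does not change any setting on the computer.
secedit /analyze /db $database /cfg $template /overwrite /log $log /quiet
Write-Host "Analysis exit code $LASTEXITCODE; review $log before applying anything."

# 3. Apply only one area of the template (account and audit policy here).
#    Other areas: GROUP_MGMT, USER_RIGHTS, REGKEYS, FILESTORE, SERVICES.
function Set-BaselineSecurityPolicy {
    secedit /configure /db $database /cfg $template /overwrite /areas SECURITYPOLICY /log $log /quiet
    if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed; see $log" }
}

# Uncomment once the analysis log has been reviewed:
# Set-BaselineSecurityPolicy
```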

48
CHAPTER SUMMARY
  • A Group Policy object (GPO) is a collection of
    configuration parameters you can use to secure a
    Windows Server 2003 installation.
  • Audit and Event Log policies enable you to
    specify what types of information a computer
    logs, how much information the computer retains
    in the logs, and how the computer behaves when
    the logs are full.
  • The domain controller role is the only one with
    its own default GPO assigned by Windows
    Server 2003.
  • An Active Directory object can receive policy
    settings from multiple GPOs, and apply them in a
    particular order.
  • Organizational unit objects inherit policy
    settings from the GPOs applied to their parent
    objects.

49
CHAPTER SUMMARY (continued)
  • A security template is a collection of
    configuration settings stored as a text file with
    an .inf extension.
  • Windows Server 2003 includes a number of
    predefined templates that enable you to restore
    the default security parameters created when
    Windows is installed.
  • You can use the Security Configuration and
    Analysis snap-in to deploy security templates on
    the local computer.
  • Secedit.exe is a command line tool that performs
    the same functions as the Security Configuration
    And Analysis snap-in and can apply specific parts
    of templates to the computer.