HARDENING SERVERS

1
HARDENING SERVERS

• Chapter 8

2
OVERVIEW

• Understand the functions of group policies.
• Use the Group Policy Object Editor console.
• Create a secure baseline installation for member
  servers.
• Configure security for various server roles.

3
OVERVIEW (continued)

• Use security templates.
• Use the Security Configuration And Analysis
  snap-in to compare a computers security settings
  with a security template, and apply a template to
  the computer.
• Understand the functions of the Secedit.exe
  command line program.

4
USING GROUP POLICIES

• Link collections of configuration settings to
  Active Directory domains, organizational units
  (OUs), sites, and computers.
• Install software packages, deploy startup and
  shutdown scripts, specify configuration
  parameters for registry-based operating system
  and application software, configure security
  options, and redirect local folders to
  alternative locations on the network.

5
UNDERSTANDING GROUP POLICY OBJECTS (GPOs)

• Using Local GPOs
• Using Domain GPOs
• Using Organizational Unit GPOs
• Using Site GPOs

6
USING LOCAL GPOS

• A local GPO exists on every computer running
  Windows.
• A local GPO can only be applied to that computer.

7
USING DOMAIN GPOS

• GPOs associated with a domain affect every object
  in that domain.
• Every domain has a Default Domain Policy GPO
  associated with it.
• The Default Domain Policy GPO can be edited if
  necessary, or additional GPOs can be created.

8
USING ORGANIZATIONAL UNIT GPOs

• GPOs can be assigned to an OU at any level in
  the Active Directory structure.
• GPOs assigned to an OU affect every object in
  that OU.
• The system-created Domain Controllers OU is
  assigned the Default Domain Controllers GPO.

9
USING SITE GPOs

• GPOs assigned to a site affect every object in
  that site.
• Site GPOs allow a configuration to be applied on
  a location-by-location basis.
• Site GPOs enable you to control replication
  traffic that passes over the WAN links.

10
GROUP POLICY APPLICATION

• Policies are applied in the following order
  local, site, domain, and OU.
• Settings from an earlier policy can be
  overwritten by settings in a later policy.
• Policies do not need to be set at every level.

11
GROUP POLICY INHERITANCE

• Objects lower in the Active Directory tree
  inherit group policy settings assigned at a
  higher level.
• A policy setting can be one of three states
  enabled, disabled, or undefined.
• An enabled or disabled setting overrides the
  earlier setting. An undefined setting leaves the
  earlier setting unchanged.

12
WORKING WITH GROUP POLICY OBJECTS
13
CREATING A BASELINE FOR MEMBER SERVERS

• Any server that is running Windows Server 2003
  but is not a domain controller is considered a
  member server.
• Develop a member server baseline policy that is
  adequate for most of the systems in use.
• On a server-by-server basis, evaluate the default
  settings, and decide which, if any, need to be
  modified.

14
CREATING A BASELINE POLICY
15
UNDERSTANDING CONTAINER OBJECTS

• GPOs can only be assigned to actual OUs, not
  system-created containers like Computers.
• System-created containers cannot be deleted.
• Container objects cannot be created.

16
SETTING AUDIT POLICIES
17
SETTING EVENT LOG POLICIES
18
CONFIGURING SERVICES
19
CONFIGURING SECURITY OPTIONS
20
CREATING ROLE-SPECIFIC SERVER CONFIGURATIONS

• Specific server types such as domain controllers,
  infrastructure servers, file and print servers,
  and application servers have different security
  requirements than member servers.
• Create role-specific GPOs and combine with
  baseline policies to achieve the required level
  of security.

21
SECURING DOMAIN CONTROLLERS

• Isolating Domain Controllers
• Setting Audit and Event Log Policies
• Assigning User Rights
• Configuring Services

22
ISOLATING DOMAIN CONTROLLERS

• Domain controllers should be kept in a physically
  secure location.
• Network configurations should be as limiting as
  possible.
• Where practical, additional services or
  applications should not be run on domain
  controllers.

23
SETTING AUDIT AND EVENT LOG POLICIES

• Domain controller computer objects are
  automatically placed in the Domain Controllers
  organizational unit.
• The Domain Controllers OU has a GPO linked to it
  that configures security settings specific to the
  domain controller role.
• Additional GPOs can be applied to the Domain
  Controllers OU to further configure security
  settings.

24
ASSIGNING USER RIGHTS

• The Default Domain Controllers GPO contains a
  basic set of user rights assignments.
• These assignments provide users and
  administrators with an appropriate set of rights
  to perform their tasks.
• The Domain Controller containers can be
  configured to provide more or fewer rights as
  required.

25
CONFIGURING SERVICES

• In addition to the services required by a member
  server, domain controllers require the following
  services to be automatically started
• Distributed File System
• File Replication Service
• Intersite Messaging
• Kerberos Key Distribution Center
• Remote Procedure Call (RPC) Locator

26
SECURING INFRASTRUCTURE SERVERS

• Systems that run DNS, Dynamic Host Configuration
  Protocol (DHCP), and Windows Internet Name
  Service (WINS) server services are considered
  infrastructure servers.
• These servers often also perform other roles such
  as file and print server or application server.
• Depending on the infrastructure role, additional
  services may need to be configured in the GPO
  applied to the servers.

27
CONFIGURING DNS SECURITY

• Use Active Directory integrated zones where
  possible.
• Ensure that the MicrosoftDNS container object is
  kept secure.
• If using file-based zones, ensure that the
  systemroot\System32\Dns folder is kept secure.

28
CONFIGURING DHCP SECURITY

• Implement more than one DHCP server using the
  8020 rule.
• Implement DHCP servers on fault-tolerance or
  clustered hardware configurations.
• Monitor DHCP server activity and associated
  network traffic closely.
• If you suspect a security issue or are in a
  high-security environment, enable DHCP Audit
  Logging.

29
SECURING FILE AND PRINT SERVERS

• File and print servers generally require a
  minimal set of services.
• In addition to the baseline configuration, you
  would also
• Enable the Print Spooler service.
• Disable the Microsoft Network Server Digitally
  Sign Communications (Always) security policy.

30
CONFIGURING PERMISSIONS USING A GPO

• Using a GPO, you can
• Specify the files or folders for which you want
  to configure file system permissions
• Specify the permissions you want assigned to the
  selected files or folders
• Specify if you want the permissions to be
  inherited by subfolders

31
SECURING APPLICATION SERVERS

• Evaluate each application and the services and
  security settings it requires.
• Examine user access requirements and implement
  security measures accordingly.
• Where possible, utilize security elements of the
  application, such as user authentication,
  internal permissions, and so on.

32
DEPLOYING ROLE-SPECIFIC GPOs

• Baseline GPOs should be created for all servers.
• Role-specific GPOs should be created as
  necessary.
• Both baseline and role-specific GPOs can be used
  in combination.

33
COMBINING GPO POLICIES

• Apply the baseline GPO to one OU.
• Apply the role-specific GPO to the subsequent OU
  containing servers performing that role.
• Settings in the role-specific GPO can
• Modify settings configured in the baseline
• Configure settings not defined in the baseline
• Leave baseline settings for specific parameters
  unchanged

34
APPLYING MULTIPLE GPOs
35
CREATING AN OU HIERARCHY
36
USING SECURITY TEMPLATES

• Security templates are a collection of
  configuration settings stored as a text file.
• Allows configuration files to be saved and
  deployed as needed.

37
UNDERSTANDING SECURITY TEMPLATES

• Security templates consist of policies and
  settings that allow you to make configurations
  consistent across servers.
• Can be used to configure a range of settings,
  including account policies, Event Log policies,
  system services, registry permissions, and file
  system permissions.
• The .inf files can be edited directly using a
  text editor.

38
USING THE SECURITY TEMPLATES CONSOLE
39
USING THE SUPPLIED SECURITY TEMPLATES

• Nine security templates are supplied by default.
• The security templates can be edited as
  necessary.
• New templates can be created as needed by copying
  existing templates.

40
DEPLOYING SECURITY TEMPLATES

• Security templates can be deployed via
• Group Policy
• Security Configuration And Analysis Tool
• Secedit.exe

41
USING GROUP POLICIES

• Security templates can be imported into Group
  Policy objects for
• Domains
• Sites
• Organizational units

42
GROUP POLICY DEPLOYMENT CAUTIONS

• Configuration parameters imported into the group
  policy object for a specific container are
  inherited by all the objects in that container,
  including other containers.
• Complex templates with many configuration
  settings can create a large amount of network
  traffic when they are refreshed.

43
DEPLOYING SECURITY TEMPLATES USING GROUP POLICIES
44
USING THE SECURITY CONFIGURATION AND ANALYSIS TOOL
45
ANALYZING A SYSTEM
46
CHANGING SECURITY SETTINGS

• Once analysis is complete, you can make changes
  in the following ways
• Apply the database settings to the computer.
• Modify the database settings.
• Create a new template.
• Modify the computers settings manually.

47
USING SECEDIT.EXE

• Command prompt utility that can perform the same
  functions as the Security Configuration And
  Analysis snap-in
• Allows security configurations to be edited and
  updated through a script or batch file
• Allows you to apply only part of a security
  template to a computer

48
CHAPTER SUMMARY

• A Group Policy object (GPO) is a collection of
  configuration parameters you can use to secure a
  Windows Server 2003 installation.
• Audit and Event Log policies enable you to
  specify what types of information a computer
  logs, how much information the computer retains
  in the logs, and how the computer behaves when
  the logs are full.
• The domain controller role is the only one with
  its own default GPO assigned by Windows
  Server 2003.
• An Active Directory object can receive policy
  settings from multiple GPOs, and apply them in a
  particular order.
• Organizational unit objects inherit policy
  settings from the GPOs applied to their parent
  objects.

49
CHAPTER SUMMARY (continued)

• A security template is a collection of
  configuration settings stored as a text file with
  an .inf extension.
• Windows Server 2003 includes a number of
  predefined templates that enable you to restore
  the default security parameters created when
  Windows is installed.
• You can use the Security Configuration and
  Analysis snap-in to deploy security templates on
  the local computer.
• Secedit.exe is a command line tool that performs
  the same functions as the Security Configuration
  And Analysis snap-in and can apply specific parts
  of templates to the computer.