HARDENING SERVERS - PowerPoint PPT Presentation

1 / 23
About This Presentation
Title:

HARDENING SERVERS

Description:

SERVER HARDENING BEST PRACTICES. Use the Configure Your Server Wizard ... Dynamic Host Configuration Protocol (DHCP) servers running Windows 2000 and ... – PowerPoint PPT presentation

Number of Views:2002
Avg rating:3.0/5.0
Slides: 24
Provided by: york5
Category:

less

Transcript and Presenter's Notes

Title: HARDENING SERVERS


1
HARDENING SERVERS
  • Chapter 7

2
DEFAULT SECURITY TEMPLATES
  • Set up Security.inf and DC Security.inf
  • Compatws.inf
  • Securews.inf and Securedc.inf
  • Hisecws.inf and Hisecdc.inf
  • Rootsec.inf
  • Iesacls.inf

3
DESIGNING SECURITY TEMPLATES
  • Create a custom security template for each role,
    not each computer
  • Base custom templates on a default template
  • Never modify default security templates
  • Apply multiple security templates to computers
    with multiple roles

4
SECURITY TEMPLATE SETTINGS
  • Account policies
  • Local policies
  • Event logs
  • Group memberships
  • Services
  • Registry permissions
  • File and folder permissions

5
SETTING NOT AVAILABLE IN SECURITY TEMPLATES
  • Configuration of Automatic Updates
  • Which Microsoft Windows components and
    applications are installed
  • IPSec policies
  • Software restrictions
  • Wireless network policies
  • EFS settings
  • Certification Authority (CA) settings

6
CONFIGURING EARLIER VERSIONS OF WINDOWS
  • Support Group Policy
  • Windows Server 2003
  • Windows 2000 Server
  • Windows 2000 Professional
  • Windows XP Professional
  • Support System Policy
  • Windows NT 4.0
  • Windows 95
  • Windows 98
  • Windows Me

7
SYSTEM POLICY EDITOR
8
DEPLOYING SECURITY CONFIGURATION WITH GROUP POLICY
  • Import templates into Group Policy
  • Leverage inheritance
  • Filter Group Policy objects (GPOs) with security
    groups
  • Use Windows Management Instrumentation (WMI)
    filtering only where necessary

9
SERVER HARDENING BEST PRACTICES
  • Use the Configure Your Server Wizard
  • Disable unnecessary services
  • Develop a process for updating all software
  • Change default port numbers
  • Use network and host-based firewalls

10
SERVER HARDENING BEST PRACTICES (CONT.)
  • Require IPSec
  • Place Internet servers in perimeter networks
  • Use physical security
  • Restrict removable media
  • Backup application-specific information

11
SERVER HARDENING BEST PRACTICES (CONT.)
  • Audit backups and restores
  • Rename default user accounts
  • Develop security requirements for
    application-specific user databases
  • Monitor each server role for failures
  • Read security guides at http//www.microsoft.com

12
HARDENING DOMAIN CONTROLLERS
  • A compromised domain controller can lead to
    compromises of domain members
  • Domain controllers can be identified with a DNS
    query
  • Avoid storing application data in Active
    Directory
  • Create a separate security group for users with
    privileges to backup domain controllers
  • Use source-IP filtering to block domain requests
    from external networks

13
REQUIRE DOMAIN CONTROLLER SERVICES
  • File Replication Service
  • Intersite Messaging
  • Kerberos Key Distribution Center
  • Netlogon
  • Remote Procedure Call (RPC) Locator
  • Windows Management Instrumentation
  • Windows Time

14
HARDENING DNS SERVERS
  • When DNS servers are compromised, attackers can
    use them to
  • Identify internal network resources
  • Launch man-in-the-middle attacks
  • Perform a denial-of-service (DoS) attack

15
BEST PRACTICES FOR HARDENING DNS SERVERS
  • Use Active Directoryintegrated zones. If not
    Active Directory integrated
  • Restrict permissions on zone files
  • Use IPSec to protect zone transfers
  • Disable recursion where possible
  • Use separate internal and Internet servers
  • Remove root hints on internal servers
  • Allow only secure DNS updates if possible

16
HARDENING DHCP SERVERS
  • Dynamic Host Configuration Protocol (DHCP)
    servers running Windows 2000 and later must be
    authorized in a domain
  • DHCP servers can automatically update DNS
  • Protect DHCP servers with 802.1X authentication

17
HARDENING FILE SERVERS
  • Carefully audit share permission and NTFS file
    system permissions
  • Use source-IP filtering to block requests from
    external networks
  • Audit access to critical and confidential files

18
HARDENING IAS SERVERS
  • Enable Remote Authentication Dial-In User Service
    (RADIUS) message authenticators
  • Use quarantine control
  • Enable logging
  • Audit logs frequently

19
HARDENING EXCHANGE SERVER COMPUTERS
  • Encrypt mail traffic with Transport Layer
    Security (TLS)
  • Use Secure Sockets Layer (SSL) to protect Outlook
    Web Access (OWA)
  • Enable Security events logging
  • Audit for open relays to protect against spam

20
HARDENING EXCHANGE SERVER COMPUTERS (CONT.)
  • Use antispam software
  • Use antivirus software
  • Require strong passwords
  • Audit with MBSA

21
HARDENING SQL SERVER COMPUTERS
  • Use Windows authentication when possible
  • Use delegated authentication
  • Configure granular authentication in SQL Server
    databases
  • Audit SQL authentication requests
  • Disable SQL communication protocols except
    TCP/IP, and require encryption
  • Change the default port number

22
HARDENING SQL SERVER COMPUTERS (CONT.)
  • Audit custom applications for vulnerability to
    SQL injection attacks
  • Audit databases for unencrypted confidential
    contents
  • User names and passwords
  • Credit-card numbers
  • Social Security numbers

23
SUMMARY
  • Create security templates for every server role
    in your organization
  • Apply security templates by using GPOs
  • Techniques such as disabling unnecessary services
    and enabling host-based firewalls can be used to
    harden any type of server
  • Server roles each have role-specific
    considerations, including
  • Services that should be enabled
  • Ports that must be allowed
  • Logging that should be enabled
Write a Comment
User Comments (0)
About PowerShow.com