Chapter 10 Windows System Security
Objectives
In this chapter, you will:
• Understand the concerns with default Windows configurations
• Use preventive security controls to protect user accounts, passwords, groups, data, and software
• Understand detective controls available to Windows systems
• Outline the corrective controls necessary to recover from a security incident

Default Windows Configurations
• Install Windows
• Follow hardening checklists to improve security
• www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/chklist
Preventive System Security
• Physical security
  • Enable BIOS passwords
  • Require each user to log on
  • Restrict access to the floppy or other drives
  • Lock the screen when away

Preventive System Security
• Vulnerability management
  • Receive security advisories from a trusted source
  • Apply patches or workarounds in a timely manner
    • Windows Update
    • Windows Update Catalog
    • Automatic Updates
    • Software Update Services
  • Test systems to ensure patches are applied

Preventive System Security
• Remove unnecessary software
  • Disable unused services
  • Remove unused applications using the Add or Remove Programs applet
Preventive System Security
• User management
  • Active Directory domains
    • Domain controller – authenticates users and replicates necessary AD information
    • Domain – a single security boundary of network objects on a Windows network
    • Tree – a set of domains connected by one or more trusts
    • Forest – a group of trees that are connected by one or more trusts
    • Organizational unit (OU) – another container used within a domain to further group and organize network objects

Preventive System Security
• User management
  • Windows NT 4.0 domains
    • PDC – primary domain controller
    • BDC – backup domain controller
  • Domain
  • Local users
    • Guest
    • Administrator

Preventive System Security
• Password management
  • SAM database (%systemroot%\system32\config)
    • User names
    • Encrypted passwords
    • SIDs
    • Other user attributes
  • Passfilt.dll
  • Syskey
  • Group policies

Preventive System Security
• Group management
  • Create groups to effectively manage rights
  • Review user membership regularly

Preventive System Security
• Authentication mechanisms
  • NTLMv2
  • Certificates
  • Smart cards
  • Biometrics
  • Kerberos

Preventive System Security
• NTFS security
  • File/directory permissions
    • Read
    • Write
    • List Folder Contents
    • Read & Execute
    • Modify
    • Full Control
    • Special
Preventive System Security
• EFS – Encrypting File System
  • NTFS – Windows NT file system
  • DESX
  • FEK – file encryption key
  • Recovery agents
Preventive System Security
• Windows shares
  • Read
  • Change
  • Full control
  • Interaction between NTFS permissions and shares
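The NTFS permission levels on the previous slide (Full Control, Modify, Read & Execute) map directly to the FileSystemRights values PowerShell uses, and when a folder is also shared, the effective remote access is the more restrictive of the share permission and the NTFS permission. The following is an added example, not part of the original slides, that applies a least-privilege NTFS ACL to a data folder and prints the result; the folder path and the domain group name are assumed.

```powershell
# Added example: least-privilege NTFS permissions on a data folder.
# Run in an elevated Windows PowerShell session. Path and group are assumed values.
$Folder = 'D:\Data\Finance'          # assumed folder
$Group  = 'CONTOSO\Finance-Users'    # assumed domain group that needs Modify

$acl = Get-Acl -Path $Folder

# Stop inheriting entries from the parent (e.g. a permissive BUILTIN\Users entry).
# The second argument ($false) discards the inherited entries instead of copying them.
$acl.SetAccessRuleProtection($true, $false)

# Apply each rule to the folder, its subfolders and its files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

# Rights correspond to the slide's levels: Full Control for admins/SYSTEM, Modify for the group.
$rules = @(
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = $Group;                   Rights = 'Modify' }
)
foreach ($r in $rules) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $r.Id, $r.Rights, $inherit, $prop, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Folder -AclObject $acl

# Review the resulting entries (the same information the Security tab shows).
(Get-Acl -Path $Folder).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

If the folder is shared, keep the share permission at Change for the same group and let the NTFS entries above decide what each account can actually do.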
Preventive System Security
• Registry
  • Full control
  • Read
  • Special

Preventive System Security
• Web server (IIS)
  • Use the IIS Lockdown tool
  • Install URLScan
  • Use a nonprivileged account
  • Protect files with NTFS permissions
  • Require passwords for sensitive information
  • Enable logging
  • Require the use of SSL

Preventive System Security
• Remote administration tools
  • Remote Desktop for Administration
  • Windows Terminal Services
  • Strictly control these features
Preventive System Security
• Policy verification
  • Security Configuration and Analysis
    • Analyze settings and compare against a template
    • Change and set settings
    • Modify security templates
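The analysis step of the Security Configuration and Analysis snap-in can also be run from the command line with secedit.exe, which is useful for checking many servers the same way. This is an added example, not part of the original slides; the template path, working directory and the "Mismatch" wording searched for in the log are assumptions.

```powershell
# Added example: analyze the live system against a security template with secedit.
# Run in an elevated Windows PowerShell session. Paths are assumed values.
$Template = 'C:\Templates\server-baseline.inf'   # assumed: any .inf security template
$Work     = 'C:\SecAnalysis'                     # assumed working directory
New-Item -ItemType Directory -Path $Work -Force | Out-Null

$Db  = Join-Path $Work 'analysis.sdb'
$Log = Join-Path $Work 'analysis.log'

# Start from a fresh database so results reflect only this template.
Remove-Item -Path $Db -ErrorAction SilentlyContinue

# Import the template into the database and compare the current settings with it.
secedit /analyze /db $Db /cfg $Template /log $Log /quiet

# The log records each setting that differs from the template. The "Mismatch"
# wording is an assumption about the log format; adjust the pattern if needed.
$mismatches = Select-String -Path $Log -Pattern 'Mismatch' | ForEach-Object { $_.Line }
if ($mismatches) {
    "Settings that differ from the template:"
    $mismatches
} else {
    "No mismatches found in $Log"
}
```

Open the same database in the Security Configuration and Analysis snap-in to see the comparison in the GUI, or use the snap-in's Configure step to apply the template once the differences have been reviewed.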
Detective System Security
• Antivirus
  • Update signatures weekly (at minimum)
  • Scan files weekly
  • Activate real-time virus detection

Detective System Security
• Auditing and logging
  • Application log file – records events raised by applications or programs installed on the system
  • Security log file – records valid and invalid logon attempts and instances where users exercise rights to access files, directories, or resources
  • System log file – records events raised by the operating system, such as component failures

Detective System Security
• Events
  • Information – indicates the successful operation of an application, driver, or service
  • Warning – indicates events that may cause future problems
  • Error – indicates a significant problem with an application, driver, or service
  • Failure Audit – indicates a case where a user tries to access a resource and fails
  • Success Audit – indicates a case where a user tries to access a resource and succeeds
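The event types listed above are the EntryType values that Windows PowerShell exposes through Get-EventLog, so the Security log can be summarised by type and the failure audits pulled out for review. This is an added example, not part of the original slides; it needs the right to read the Security log (an administrator), uses Get-EventLog from Windows PowerShell (the cmdlet is not in PowerShell 7), and the one-day window and the threshold are assumed values.

```powershell
# Added example: review the Security log by event type and surface failure audits.
# Run in an elevated Windows PowerShell session. Window and threshold are assumed.
$Since = (Get-Date).AddDays(-1)          # assumed review window: the last 24 hours

# Read the window once; -After keeps the volume manageable on a busy server.
$events = Get-EventLog -LogName Security -After $Since

# Counts per type: Information, Warning, Error, FailureAudit, SuccessAudit.
"Security log entries since $Since by type:"
$events | Group-Object EntryType |
    Select-Object Name, Count |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# Failure audits are the detective signal from the slide: a user tried to log on
# or reach a resource and was refused. Group them by account and event ID.
$failures = $events | Where-Object { $_.EntryType -eq 'FailureAudit' }
"Top failure audits by account and event ID:"
$failures |
    Group-Object UserName, EventID |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Select-Object -First 20 |
    Format-Table -AutoSize

# Flag accounts with an unusual number of failures for follow-up.
$Threshold = 10                          # assumed; tune to the environment
$failures | Group-Object UserName |
    Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object { "Review: $($_.Name) had $($_.Count) failure audits since $Since" }
```

Failure audits only appear if the audit policy records failures for logon events and object access, so an empty result should prompt a check of the audit policy rather than be read as "nothing happened".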
Corrective System Security
• Backups
  • Keep original installation media
  • Use the bundled tool Windows Backup with ASR
  • Use commercial tools such as ArcserveIT, NetBackup, or NetWorker
  • Properly store backup media
  • Test backups periodically
Summary
• Windows, right out of the box, may not have all of the necessary security controls in place. It is important that administrators go through a checklist to harden systems before installing them.
• Windows Update, Windows Update Catalog, Automatic Updates, and SUS offer administrators a variety of choices to help continually address Windows software vulnerabilities.
• Disabling unused services and uninstalling unnecessary software available on systems reduces the doors available to abusers.

Summary
• AD, domains, and the Local Users and Groups tools can be used to effectively manage the user accounts and groups allowed access to the Windows server.
• Windows supports a variety of authentication mechanisms to supplement or replace the weaker and more traditional user account and password authentication mechanisms.
• NTFS is a crucial component in protecting data files. Access control lists and EFS add an important layer of security in protecting data stored on Windows servers.
• Windows shares should be used sparingly to share data across the network.
• Like access to files and directories, access to the Registry should be tightly controlled.
Summary
• Security Configuration and Analysis can be used to effectively assess and manage the access policies on Windows 2000 or Windows Server 2003.
• Remote Desktop for Administration is a new feature in Windows Server 2003 that allows administrators to remotely manage servers. Because this service has the potential for damage, access to the tool should be tightly controlled.
• Antivirus tools are crucial in preventing malicious software. There are numerous vendors that offer effective tools.
Summary
• Auditing is an important way to determine whether malicious activity has occurred on the server.
• The Security Configuration and Analysis tool can be used to configure the necessary auditing and log retention options.
• Effective backups provide crucial corrective security controls in recovering from damaging system activity.