70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced
Chapter 14: Windows Server 2003 Security Features

Objectives
• Identify the various elements and techniques that can be used to secure a Windows Server 2003 system
• Use Security Configuration and Analysis tools to configure and review security settings
• Audit access to resources and review Security log settings
Guide to MCSE 70-290, Enhanced

Securing Your Windows 2003 System
• Five broad categories of security-related features:
  • Authentication
  • Access control
  • Encryption
  • Security policies
  • Service packs and hot fixes

Authentication
• Most basic level is requiring a user id and password to log on to some system
• In a domain environment, authentication is centralized on the network while in a workgroup environment, authentication is local
• In a domain environment, a single authentication can provide access to multiple domains and forests
• Additional authentication methods can apply to other services (e.g., IIS)

Access Control
• Access control is used to secure resources such as files, folders, and printers
• Common types of access control are NTFS and shared folder permissions, printer permissions, and Active Directory object permissions
• The “principle of least privilege” implies that users should only have the access that they really need

Encryption
• Confidential files can be encrypted using the Encrypting File System (EFS) for local files stored on NTFS volumes
• EFS uses a combination of public and private keys
• The IPSec protocol can encrypt the contents of packets sent across a TCP/IP network
• There are two IPSec modes: transport and tunnel
• IPSec is used to make it difficult for hackers to intercept sensitive network data

Security Policies
• Security policy settings can be configured from the Local Security Policy and Group Policy Object Editor MMC snap-ins
• Security policies control a range of security settings
• Windows Server 2003 includes tools that analyze policy settings compared to pre-configured security templates
  • Security Configuration and Analysis MMC snap-in
  • Command-line SECEDIT utility

Service Packs and Hot Fixes
• Many critical updates and patches are related to security issues
• Hot fixes address a specific identified issue
• A service pack is a cumulative collection of hot fixes and updates
• Service packs and hot fixes can be downloaded and installed from Microsoft
• Software Update Services can assist in automating and managing the distribution of updates

Using Security Configuration Manager Tools
• Windows Server 2003 provides tools specifically designed to help configure and manage security settings (Security Configuration Manager tools)
• These tools plus Group Policies can be used to set up a Security Policy template which is administered centrally

Using Security Configuration Manager Tools (continued)
• The Security Configuration and Analysis tool will compare a security template to existing settings
• The Security Configuration Manager tools include these components:
  • Security templates
  • Security settings in Group Policy objects
  • Security Configuration and Analysis tool
  • SECEDIT command-line tool

Security Templates
• Templates help ensure consistency and ease maintenance across multiple machines
• Templates are text-based files
• Should not be edited or changed using a text-based editor
• There are a number of pre-defined templates for various settings

Analyzing the Pre-configured Security Templates
• Network computers can be categorized as:
  • Workstations
  • Servers
  • Domain controllers
• Pre-configured templates are applicable to a specific category of computer
• Only Windows Server 2003, Windows XP, and Windows 2000 can use security templates

The Default Template
• The Setup Security.inf template contains default security settings applied when Windows Server 2003 is installed
• Contents depend upon the original configuration of computer (fresh install, upgrade, etc.)
• Allows an administrator to return to original settings easily
• Should not be applied using Group Policy

Incremental Templates
• Modify security configurations incrementally
• Can only be applied on top of default security settings because they do not specify baseline configurations
• Templates include: compatws.inf, securews.inf, securedc.inf, hisecws.inf, hisecdc.inf, iesacls.inf, dc security.inf, rootsec.inf
• Custom templates can also be created

Applying Security Templates
• Security templates can be applied to local machine or a domain
• For local machine
  • Open Local Security Setting MMC snap-in and import a policy
• For domain
  • Use Group Policy Objects
• Security settings from GPOs override local settings

Security Configuration and Analysis
• The Security Configuration and Analysis snap-in permits the comparison of current system settings to those configured in templates
• The comparison identifies changes and potential weaknesses
• Multiple templates can be compared at once
• Multiple templates can be combined and saved
• Changes can be made directly within the snap-in by selecting the desired configuration

SECEDIT Command-Line Tool
• SECEDIT is a command-line tool used to create and apply security templates and analyze settings
• Can be used where Group Policy cannot be applied
• Six main switches
  • Analyze
  • Configure
  • Export
  • Import
  • Validate
  • GenerateRollback

Auditing Access to Resources and Analyzing Security Logs
• Auditing is used to track events on a network
• An audit policy defines which events should be recorded and whether successes and/or failures should be recorded
• Audited events are written into a security log which can be viewed with Event Viewer

Configuring Auditing
• The role of a computer on the network influences how an audit policy is configured
• For member servers or workstations
  • Audit policies are implemented using GPOs assigned to the domain or OUs
• For domain controllers
  • Audit policies are implemented via the Default Domain Controllers Policy applied to Domain Controllers OU
• For standalone workstations and servers
  • Audit policies defined using Local Security Policy tool

Requirements and Configuring an Audit Policy
• Requirements
  • You must have proper permissions (Administrators Group or Manage auditing and security log user right)
  • Auditing files and folders can only be done on NTFS volumes
• Configuring an audit policy
  • Configure auditing on events to be monitored and if logging occurs on success and/or failure
  • Configure auditing on specific resource objects such as files, folders, printers, and Active Directory objects

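Added example (not from the original slides): the kind of template-versus-current comparison that Security Configuration and Analysis performs, sketched in Python for two sections of a text-based template, including the success/failure audit settings. Both INF samples are constructed, and parse_inf, analyze and describe are hypothetical helper names; in practice the inputs would be a template file and an export of the server's settings.

```python
import configparser

# [Event Audit] values: 0 = no auditing, 1 = success, 2 = failure, 3 = both.
AUDIT_FLAGS = {"0": "none", "1": "success", "2": "failure", "3": "success+failure"}

# Constructed sample: a small custom template (the desired settings).
TEMPLATE_INF = """\
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 3
AuditObjectAccess = 2
"""

# Constructed sample: settings as they might be exported from a server.
CURRENT_INF = """\
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 1
"""

def parse_inf(text):
    """Parse template text into {section: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str  # template keys are mixed case; do not lowercase them
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def analyze(template, current, sections=("System Access", "Event Audit")):
    """Return (section, key, wanted, found) per mismatch; found is None if absent."""
    findings = []
    for section in sections:
        for key, want in template.get(section, {}).items():
            have = current.get(section, {}).get(key)
            if have != want:
                findings.append((section, key, want, have))
    return findings

def describe(section, value):
    if value is None:
        return "not defined"
    return AUDIT_FLAGS.get(value, value) if section == "Event Audit" else value

if __name__ == "__main__":
    for sec, key, want, have in analyze(parse_inf(TEMPLATE_INF), parse_inf(CURRENT_INF)):
        print(f"[{sec}] {key}: template={describe(sec, want)} system={describe(sec, have)}")
```
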
Auditing Object Access
• When files and folders reside on an NTFS volume, you can monitor attempted and successful accesses of these objects
• Caution -- this can result in a large number of events being logged
• Object auditing is configured through the Advanced Security Settings on the resource
• Auditing is also possible for Active Directory objects

Best Practices
• Plan carefully before implementing an audit policy
• General guidelines:
  • Only audit events that provide truly useful information
  • Review entries in the security log regularly
  • Audit sensitive and confidential information
  • Audit the Everyone group – it includes unauthenticated users
  • Audit the assignment of user rights
  • Audit the Administrators group

Analyzing Security Logs
• For each event defined in an audit policy, an entry is written in the Security log if that event occurs
• Use Event Viewer to examine the Security log
• The log provides a summary of the date and time of each event, and the user performing the action
• More details are available by double-clicking the entry
• Event Viewer provides find and filter options to assist in managing the Security log

Configuring Event Viewer
• There are a number of configurable settings that determine the size, number of entries, and overwrite policy in a security log
• Default initial security log size is 16 MB in Windows Server 2003 (up from 512 KB in 2000)
• Settings are configured from the Properties of the Security log in Event Viewer

Summary
• Windows Server 2003 offers security-related features in five categories: authentication, access control, encryption, security policies, and service packs and hot fixes
• Windows Server 2003 offers a package of Security Configuration Manager tools:
  • Security templates, security settings in GPOs, Security Configuration and Analysis tool, SECEDIT command-line tool

Summary (continued)
• Auditing is used to log specific events within a Windows Server 2003 configuration
• An audit policy defines the events to be monitored
• Specific resources and objects can be configured for auditing access attempts
• A Security log contains a record of audited events
• Event Viewer is used to display and manage Security logs