350 likes | 492 Views
Module 14: Configuring Server Security Compliance. Module Overview. Securing a Windows Infrastructure Using Security Templates to Secure Servers Configuring an Audit Policy Overview of Windows Server Update Services Managing WSUS. Lesson 1: Securing a Windows Infrastructure.
E N D
Module Overview • Securing a Windows Infrastructure • Using Security Templates to Secure Servers • Configuring an Audit Policy • Overview of Windows Server Update Services • Managing WSUS
Lesson 1: Securing a Windows Infrastructure • Challenges of Securing a Windows Infrastructure • Applying Defense-in-Depth to Increase Security • Core Server Security Practices • What Is the Security Configuration Wizard? • What Is Windows Firewall? • Demonstration: Using the Security Configuration Wizard to Secure Server Roles
Challenges of Securing a Windows Infrastructure Challenges of securing a Windows infrastructure include: • Implementing and managing secure configuration of servers • Protecting against malicious software threats and intrusions • Implementing effective identity and access control
Applying Defense-in-Depth to Increase Security Defense-in-depth provides multiple layers of defense to protect a networking environment Policies, Procedures, & Awareness Physical Security Data ACLs, encryption, EFS Application Application hardening, antivirus Host OS hardening, authentication Internal Network Network segments, IPsec Perimeter Firewalls Guards, locks Security documents, user education
Core Server Security Practices Apply the latest service pack and all available security updates ü Use the Security Configuration Wizard to scan and implement server security ü Use Group Policy and security templates to harden servers ü Restrict scope of access for service accounts ü Restrict who can log on locally to servers ü Restrict physical and network access to servers ü
What Is the Security Configuration Wizard? SCW provides guided attack-surface reduction SCW supports: • Disables unnecessary services and IIS Web extensions • Uses IPsec to block unused ports and secure ports that are left open • Reduces protocol exposure • Configures audit settings • Rollback • Analysis • Remote configuration • Command-line support • Active Directory integration • Policy editing
What Is Windows Firewall? Windows Firewall is a stateful host-based application that provides the following features: • Filters both incoming and outgoing network traffic • Integrates both firewall filtering and IPsec protection settings • Can be managed by the Control Panel tool or by the more advanced Windows Firewall with Advanced Security MMC console • Provides Group Policy support • Enabled by default in new installs
Demonstration: Using the Security Configuration Wizard to Secure Server Roles In this demonstration, you will see how to implement security using the Security Configuration Wizard
Lesson 2: Using Security Templates to Secure Servers • What Is a Security Policy? • What Are Security Templates? • Demonstration: Configuring Security Template Settings • What Is the Security Configuration and Analysis Tool? • Demonstration: Analyzing Security Policy Using the Security Configuration and Analysis Tool
What Is a Security Policy? A Security Policy is a combination of security settings to be applied to a computer Local Security Policies include: Active Directory Security Policies include: • Account Policies • Local Policies • Windows Firewall with Advanced Security • Public Key Policies • Software Restriction Policies • IP Security Policies on Local Computer • Event Log • Restricted Groups • System Services • Registry • File System • Wired and Wireless Network Policies • Network Access protection • IP Security Policies on Active Directory
What Are Security Templates? A security template is a collection of configured security settings used to apply a security policy Security Templates: • Created and modified using the Security Templates MMC snap-in • Default security templates stored in %SystemRoot%\Security\Templates • Custom security templates are stored in local user profile folder Deployment Considerations: • Create templates based upon server role • Deploy to individual computers using the SECEDIT command • Deploy to groups of computers using Group Policy
Demonstration: Configuring Security Template Settings In this demonstration, you will see how to: • Add the Security Templates snap-in and configure a custom security template for the DHCP server role • Import a security template into Active Directory
Demonstration: Analyzing Security Policy Using the Security Configuration and Analysis Tool In this demonstration, you will see how to use the Security Configuration and Analysis Tool to analyze and configure local security policy settings
Lesson 3: Configuring an Audit Policy • What Is Auditing? • What Is an Audit Policy? • Types of Events to Audit • Demonstration: How to Configure Auditing
What Is Auditing? • Auditing tracks user and operating system activities, and records selected events in security logs, such as: • What occurred? • Who did it? • When? • What was the result? • Enable auditing to: • Create a baseline • Detect threats and attacks • Determine damages • Prevent further damage • Audit access to objects, management of accounts, and users logging on and off
What Is an Audit Policy? • An audit policy determines the security events that will be reported to the network administrator • Set up an audit policy to: • Track success or failure of events • Minimize unauthorized use of resources • Maintain a record of activity • Security events are stored in security logs
Types of Events to Audit • Account Logon • Account Management • Directory Service Access • Directory Service Changes • Directory Service Replication • Detailed Directory Service Replication • Logon • Object Access • Policy Change • Privilege Use • Process Tracking • System
Demonstration: How to Configure Auditing In this demonstration, you will see how to: • Enable auditing for various events • Enable object access auditing
Lesson 4: Overview of Windows Server Update Services • What Is Windows Server Update Services? • Windows Server Update Services Process • Server Requirements for WSUS • Automatic Updates Configuration • Demonstration: Installing and Configuring WSUS
What Is Windows Server Update Services? Microsoft Update Web site Automatic Updates Server running Windows Server Update Services Test Clients LAN Internet Automatic Updates
Windows Server Update Services Process Assess Deploy Identify Update Management Evaluate and Plan
Server Requirements for WSUS Software requirements: • Windows Server 2003 SP1 or Windows Server 2008 • IIS 6.0 or later • Windows Installer 3.1 or later • Microsoft .NET Framework 2.0 • SQL Server 2005 SP1 or later (optional) • Microsoft Report Viewer Redistributable 2005
Automatic Updates Configuration • Configure Automatic Updates by using Group PolicyComputer Configuration/Administrative Templates/Windows Components/Windows Update • Requires updated wuau.adm administrative template • Requires: • Windows Vista • Windows Server 2008 • Windows Server 2003 • Windows XP Professional SP2 • Windows 2000 Professional SP4, Windows 2000 Server/Advanced Server SP3 or SP4
Demonstration: Installing and Configuring WSUS In this demonstration, you will see how to: • Install WSUS • Configure Automatic Update client settings using Group Policy
Lesson 5: Managing WSUS • WSUS Administration • Managing Computer Groups • Approving Updates • Demonstration: Managing WSUS
Managing Computer Groups • Computers are automatically added • Default computer groups • All Computers • Unassigned Computers • Client-side targeting
Approving Updates • Approval options include: • Install • Decline • Unapprove • Removal • Automate approval is also supported
Demonstration: Managing WSUS In this demonstration, you will see how to: • Add a computer to WSUS • Approve an update
Lab: Configuring Server Security Compliance • Exercise 1: Configuring and Analyzing Security • Exercise 2: Analyzing Security Templates • Exercise 3: Configuring Windows Software Update Services Logon information Estimated time: 90 minutes
Lab Review • What recourse do you have if the desired result is not met when applying changes using the Security Configuration Wizard to secure server infrastructure? • How can you verify compatibility with existing settings before you apply a template to a GPO for deployment or apply the template to a local computer? • After installing the WSUS server software, a wizard appears to help you with the configuration of WSUS properties. How can you change any incorrectly assigned properties after the wizard has been completed?
Module Review and Takeaways • Review Questions • Best Practices