Windows Server 2008 Security

Securing Windows Server 2008 Servers

MCITP Guide to Microsoft Windows Server 2008 Enterprise Administration (Exam #70-647)


Learning Objectives
• Understand the basics of hardening a server
• Use the Security Configuration Wizard (SCW) to create a security policy
• Use Microsoft Baseline Security Analyzer (MBSA) for compliance auditing
• Design Windows Server Update Services (WSUS) for different scenarios
• Understand firewall usage in a perimeter network


Hardening a System
• Making the system more secure
  – From the default configuration
• Areas to consider for system security
  – Reduce the attack surface
  – Regularly audit security
  – Keep the system up to date
• Baseline server security concept
  – Starting point for locking down the server
    • Still allowing the server to operate


Hardening a System (cont’d.)
• Baseline implementation
  – Use Windows Deployment Services (WDS)
    • Captures a server image
  – Other tools
    • Security Configuration Wizard and Group Policy
  – Compliance auditing used to determine if the server has changed from the baseline


Reducing the Attack Surface
• Install and enable only the needed services and protocols
• Nonessential items
  – Install and make available only when needed
  – Example: File Transfer Protocol (FTP)
• Challenge
  – Identifying the needed services and protocols
• Tools to help
  – Server Manager
  – Security Configuration Wizard


Secure Computing Strategy
• SD3+C
  – Microsoft’s secure software development lifecycle strategy
    • Secure by design
    • Secure by default
    • Secure in deployment and communications
  – Windows XP SP2: Windows Firewall enabled by default
    • Caused some usability problems
  – End result
    • Systems start in a more secure state


Server Core
• Includes basic services and protocols
  – For the system to operate and support different Windows Server 2008 roles
• Basic implementation reduces the attack surface
  – No graphical user interface (GUI)
  – Less susceptible to a wide variety of attacks
• Supported server roles
  – Active Directory Domain Services
  – Active Directory Lightweight Directory Services
  – DNS


Server Core (cont’d.)
• Supported server roles (cont’d.)
  – DHCP
  – Web Server (IIS)
  – Windows Media Server
  – Hyper-V
  – File Services
  – Print Services
• Windows Server 2008 R2 Server Core
  – Adds the Active Directory Certificate Services role
  – Includes the .NET Framework


Server Manager
• Valuable tool when adding roles and services
• Add Roles and Add Features wizards
  – Provide a security tool assisting the administrator
    • Add only the needed services and protocols


Security Configuration Wizard
• Security Configuration Wizard (SCW)
  – Another security layer for Windows Server 2008
  – Complements Server Manager
• Creates a security policy that can be applied to any system
  – Reduces the attack surface
• Uses roles
  – To identify the required services, features, and settings
• Creates a configuration database
  – Contains all possible server roles, client features, options, services, and Windows Firewall settings


Figure 7-1 The Security Configuration Viewer displays components of the Security Configuration Database Courtesy Course Technology/Cengage Learning


Security Configuration Wizard (cont’d.)
• SCW security policy
  – Saved as an Extensible Markup Language (XML) file
    • Deployed to individual servers one at a time
    • Deployed to multiple servers using Group Policy
  – Used to perform tasks
    • Configure services
    • Configure network security settings: firewall rules
    • Configure registry settings
    • Configure an audit policy
• Installed by default on Windows Server 2008
  – Available via the Administrative Tools menu


Security Configuration Wizard (cont’d.)
• Activity 7-1: Running SCW

Figure 7-2 Viewing server role details in the Security Configuration Database Courtesy Course Technology/Cengage Learning


Figure 7-3 Identifying roles installed on a server Courtesy Course Technology/Cengage Learning



Figure 7-4 Viewing the services that will be changed by SCW Courtesy Course Technology/Cengage Learning


Figure 7-5 Reviewing the audit policy created by SCW Courtesy Course Technology/Cengage Learning


Creating GPOs from Security Policies
• Create a Group Policy object (GPO)
  – Using scwcmd commands
    • Analyze
    • Configure
    • Register
    • Rollback
    • Transform
    • View
  – Example:
    • scwcmd Transform /p:PolicyFilePath /g:GPOName


Creating GPOs from Security Policies (cont’d.)
• Activity 7-2: Creating a GPO from an SCW Security Policy

Figure 7-6 Viewing the GPO created from the SCW security policy Courtesy Course Technology/Cengage Learning


Compliance Auditing
• Ensures systems start securely
• Regularly check systems for changes
  – Verify systems still comply with the predefined security settings
  – Report identifies configuration changes
• Two primary tools
  – Microsoft Baseline Security Analyzer (MBSA)
  – Security Configuration Wizard command-line tool (scwcmd)


Using MBSA
• Free download
  – http://www.microsoft.com/downloads
    • Search “MBSA”
• MBSA version 2.1
  – Supports Windows Vista and Windows Server 2008 clients
• MBSA version 2.1.1: minor upgrade
  – Supports Windows 7 and Windows Server 2008 R2 clients
  – Backward compatible with the same clients as MBSA 2.1


Using MBSA (cont’d.)
• Scans clients
  – Windows 2000, Windows XP, Windows Vista, Windows 7
• Scans servers
  – Windows 2000 Server, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2
• Scanning production environment systems
  – Configure systems to allow the scans
  – Server service, Remote Registry service, and File and Print Sharing service
    • Running on the remote computer


Using MBSA (cont’d.)
• Scanning production environment systems (cont’d.)
  – Windows Update Agent must be installed
  – Automatic Updates service must not be disabled
  – Ports opened through the firewall
• MBSA FAQ resource
  – http://technet.microsoft.com/cc184922.aspx
• Tasks
  – Scan a single computer
  – Scan multiple computers
  – View security reports
    • After performing a scan


Figure 7-7 Starting MBSA Courtesy Course Technology/Cengage Learning



Using MBSA (cont’d.)
• Scanning a single computer
  – Identify the computer by name or by IP address
• MBSA checks:
  – Windows administrative vulnerabilities
  – Weak passwords
  – IIS administrative vulnerabilities
  – SQL administrative vulnerabilities
  – Security updates


Figure 7-8 Preparing to scan a computer with MBSA Courtesy Course Technology/Cengage Learning



Using MBSA (cont’d.)
• Provides a report of issues
• When a scan is started with Security Updates selected
  – First downloads the catalog file from Microsoft’s Web site
    • Identifies all current updates
  – Then checks the installed updates against the catalog file
    • Determines if the system is up to date
• When MBSA is installed
  – MBSACLI command-line utility is installed
    • Used to run MBSA from the command line
    • Checks systems without Internet connectivity


Figure 7-9 Viewing the MBSA report Courtesy Course Technology/Cengage Learning



Using MBSA (cont’d.)
• Activity 7-3: Installing and Running MBSA
• Activity 7-4: Running MBSACLI


Using MBSA (cont’d.)

Figure 7-10 Viewing available reports in the MBSA report viewer Courtesy Course Technology/Cengage Learning


Using scwcmd for Compliance Policies
• SCW GUI version
  – Cannot perform compliance auditing on a system
• Must use scwcmd
  – Includes the analyze command
• Security policy viewed as the baseline
  – Compared against the current configuration
• Example:
  – scwcmd analyze /p:PolicyPathandName


Enabling Auditing
• Auditing tracks users’ actions
  – Records details in the Windows Security log
    • Both success and failure attempts are recorded


Enabling Auditing (cont’d.)

Figure 7-11 Viewing the Default Domain Controllers audit policy Courtesy Course Technology/Cengage Learning



Enabling Auditing (cont’d.)
• Audit Policy settings:
  – Audit account logon events
  – Audit account management
  – Audit directory service access
  – Audit logon events
  – Audit object access
  – Audit policy change
  – Audit privilege use
  – Audit process tracking
  – Audit system events


Enabling Auditing (cont’d.)
• AD DS Auditing
  – Significant addition to Windows Server 2008
  – Extends the details included in auditable events for directory service access
  – Advanced logging feature
    • Referred to as a global audit policy
    • Not enabled by default
  – Basic directory service access auditing
    • Enabled by default


Enabling Auditing (cont’d.)
• Global audit policy enabled
  – AD DS Auditing logs additional details
    • Directory service access
    • Directory service changes
    • Directory service replication
    • Detailed directory service replication
• Enabling directory service access auditing
  – Two-step process
    • Audit policy enabled
    • Auditing enabled for Active Directory objects


Figure 7-12 Enabling auditing Courtesy Course Technology/Cengage Learning



Enabling Auditing (cont’d.)
• Activity 7-5: Enabling Directory Services Auditing

Figure 7-13 Viewing a basic directory service access auditing entry Courtesy Course Technology/Cengage Learning


Figure 7-14 Viewing advanced directory service auditing events Courtesy Course Technology/Cengage Learning



Keeping Systems Up to Date
• Operating systems today
  – Can contain billions of lines of code
    • Bugs and vulnerabilities are eventually discovered
• Must keep systems up to date
• Software is never perfect
• Only way to keep a server secure:
  – Keep it patched


Windows Update, Microsoft Update, and Automatic Updates
• Microsoft update programs
  – Windows Update
  – Microsoft Update
    • Adds application updates
• Easier to opt in for Microsoft Update:
  – With operating systems other than Windows Server 2008


Figure 7-15 Enabling Windows Update in Windows Server 2008 Courtesy Course Technology/Cengage Learning



Figure 7-16 Enabling Windows Update and Microsoft Update in Windows 7 Courtesy Course Technology/Cengage Learning


Windows Server Update Services
• Windows Server Update Services (WSUS)
  – Used as a central location to download and approve updates
    • Within a domain environment
• Domain clients download updates
  – Directly from the WSUS server
    • Instead of using the Windows Update site
• WSUS server is configured to periodically synchronize with the Microsoft Update site
  – Synchronization can also be manually triggered


Figure 7-17 Using WSUS in a network Courtesy Course Technology/Cengage Learning



Windows Server Update Services (cont’d.)
• Primary benefits
  – Reduced Internet bandwidth
  – Administrative control
• Current version: 3.0
  – WSUS 3.0 SP1
    • Released for Windows Server 2008
  – WSUS 3.0 SP2 (recommended)
    • Supports Windows Server 2008 and Windows 7 clients


WSUS Capabilities
• Deploys operating system and application updates
• Clients
  – Windows 2000 Workstation SP4, Windows XP, Windows Vista, Windows 7
• Servers
  – Windows Server 2000 SP4, Windows Server 2003 SP2 or later, Windows Small Business Server (2003, 2005, or 2008), Windows Server 2008 SP1, Windows Server 2008 R2
• Windows 2000 clients not supported


WSUS Capabilities (cont’d.)
• Can download Microsoft Update content for applications and server products
• Microsoft applications
  – Microsoft Office, Microsoft Works, Microsoft Live, Silverlight, and more
• Microsoft server products
  – Microsoft Exchange, Microsoft SQL Server, Internet Security and Acceleration Server, Windows Small Business Server, and more


WSUS Capabilities (cont’d.)
• WSUS classifications
  – Updates
  – Critical Updates
  – Security Updates
  – Definition Updates
  – Service Packs
  – Update Rollups
  – Drivers
  – Feature Packs
  – Tools


Figure 7-18 Viewing the WSUS products Courtesy Course Technology/Cengage Learning



Figure 7-19 Viewing the WSUS classifications Courtesy Course Technology/Cengage Learning



Reviewing WSUS Server Terminology
• Single WSUS server
  – Can download updates
    • Can deploy them to all network clients
• Can design a more complex WSUS hierarchy
  – Using multiple WSUS servers
• WSUS server configurations
  – Upstream WSUS server
  – Downstream WSUS server


Figure 7-20 Using upstream and downstream servers Courtesy Course Technology/Cengage Learning



Reviewing WSUS Server Terminology (cont’d.)
• WSUS modes
  – Autonomous mode
  – Replica mode


Using WSUS with Branch Offices
• Can deploy more than one WSUS server
  – Reduces the bandwidth used between sites
• Must choose either:
  – Centralized management
  – Decentralized management
• Possible to configure WSUS branch office servers
  – To work independently


Figure 7-21 Using WSUS server for centralized management with branch offices Courtesy Course Technology/Cengage Learning



Figure 7-22 Configuring a replica WSUS server Courtesy Course Technology/Cengage Learning



Figure 7-23 Configuring downstream WSUS servers in autonomous mode Courtesy Course Technology/Cengage Learning



Figure 7-24 Configuring independent WSUS servers Courtesy Course Technology/Cengage Learning



Using WSUS with Disconnected Networks
• Networks isolated from other networks
  – For security reasons
• Arrangement adds a lot of security to the network
• Challenging to keep systems updated
  – None of them can be connected to the Internet
• Solution:
  – WSUS includes the ability to export and import updates:
    • To and from media


Figure 7-25 Distributing updates via media to isolated networks Courtesy Course Technology/Cengage Learning



WSUS Requirements
• Hardware
  – At least 1 GHz CPU, 1 GHz CPU, 10 Mbps network adapter, 30 GB of storage space
  – Hard disk formatted with NTFS
• Server roles
  – Web Server (IIS) role and the Application Server role
• Downloaded files
  – Microsoft Report Viewer Redistributable 2008 file and the WSUS 3.0 SP2 file


Installing WSUS
• Three steps
  – Return the server to a known state
  – Install WSUS prerequisites
  – Install WSUS
• Activity 7-6: Reconfiguring DC1 to Host Only AD DS, DNS, and File Services
• Activity 7-7: Installing WSUS Prerequisites


Figure 7-26 Selecting Application Development Role Services Courtesy Course Technology/Cengage Learning


Installing WSUS (cont’d.)
• Activity 7-8: Installing WSUS

Figure 7-27 Viewing options in the WSUS console Courtesy Course Technology/Cengage Learning


Configuring Clients to Use WSUS with Group Policy
• Create or modify a Group Policy object (GPO)
  – Configures clients automatically
• Two primary Group Policy settings
  – Configure Automatic Updates
  – Configure the WSUS server address


Figure 7-28 Configuring the address of the WSUS server for clients Courtesy Course Technology/Cengage Learning


Configuring Clients to Use WSUS with Group Policy (cont’d.)
• Activity 7-9: Using a GPO to Configure WSUS for Clients

Figure 7-29 Configuring automatic updates for clients Courtesy Course Technology/Cengage Learning


Perimeter Networks
• Network added as a buffer
  – Between an internal protected network and an external unprotected network
• Referred to as a demilitarized zone (DMZ)
• Trust zones
  – Trusted
  – Semi-trusted
  – Untrusted


Figure 7-30 Perimeter network Courtesy Course Technology/Cengage Learning



Firewall Rules
• Firewall configuration
  – Uses rules allowing or denying traffic
    • Based on different criteria
• Categories or rule sets
  – Network rules
  – System policy rules
  – Firewall publishing rules


Firewall Rules (cont’d.)
• Sampling of firewall rules
  – Deny all traffic unless explicitly allowed by another rule
  – Block all incoming traffic with an internal source IP address
  – Block all outgoing traffic with a public source IP address
  – Allow outgoing DNS traffic for name resolution
    • Allow the return traffic


Firewall Rules (cont’d.)
• Sampling of firewall rules (cont’d.)
  – Allow outgoing HTTP and HTTPS traffic to Internet Web servers
    • Allow the return traffic
  – If a Web server is in the DMZ
    • Allow HTTP and HTTPS traffic to the Web server
  – Allow incoming and outgoing Simple Mail Transport Protocol (SMTP) traffic to and from an SMTP server
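The sample rule set above, worked through as a small first-match rule evaluator (an added example, not code from the textbook). The internal network, DMZ, Web and SMTP server addresses and the packets are constructed values; the evaluator shows why order matters (anti-spoofing denies come first, default deny comes last) and how "allow the return traffic" is a stateful exception rather than an open inbound rule.

```python
"""Perimeter firewall rule evaluation for the sample rule set on these slides:
default deny, anti-spoofing, outgoing DNS and HTTP/HTTPS, a published DMZ
Web server, SMTP to and from an SMTP server, and stateful return traffic.
Added example; not textbook code. All addresses are constructed."""
from ipaddress import ip_address, ip_network

# Constructed topology (assumed for the example). 192.0.2.0/24, 198.51.100.0/24
# and 203.0.113.0/24 are documentation ranges standing in for DMZ/Internet hosts.
INTERNAL = ip_network("10.0.0.0/8")      # trusted zone
DMZ = ip_network("192.0.2.0/24")         # semi-trusted zone
WEB_SERVER = ip_address("192.0.2.10")
SMTP_SERVER = ip_address("192.0.2.25")


def is_public(ip):
    """Anything outside the internal network and the DMZ is untrusted."""
    return ip not in INTERNAL and ip not in DMZ


def packet(direction, proto, src, sport, dst, dport):
    """direction is 'in' (from the Internet) or 'out' (towards the Internet)."""
    return {"dir": direction, "proto": proto, "src": ip_address(src),
            "sport": sport, "dst": ip_address(dst), "dport": dport}


# Ordered rule set: (name, predicate, decision). First matching rule wins;
# anything unmatched falls through to the stateful check, then default deny.
RULES = [
    ("block incoming traffic with an internal source IP (spoofing)",
     lambda p: p["dir"] == "in" and p["src"] in INTERNAL, "deny"),
    ("block outgoing traffic with a public source IP",
     lambda p: p["dir"] == "out" and is_public(p["src"]), "deny"),
    ("allow outgoing DNS",
     lambda p: p["dir"] == "out" and p["proto"] == "udp" and p["dport"] == 53, "allow"),
    ("allow outgoing HTTP/HTTPS",
     lambda p: p["dir"] == "out" and p["proto"] == "tcp" and p["dport"] in (80, 443),
     "allow"),
    ("allow HTTP/HTTPS to the DMZ Web server",
     lambda p: p["dir"] == "in" and p["proto"] == "tcp" and p["dst"] == WEB_SERVER
     and p["dport"] in (80, 443), "allow"),
    ("allow SMTP to and from the SMTP server",
     lambda p: p["proto"] == "tcp" and p["dport"] == 25
     and (p["dst"] == SMTP_SERVER or p["src"] == SMTP_SERVER), "allow"),
]


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.flows = set()  # 5-tuples of connections an allow rule admitted

    def evaluate(self, p):
        """Return (decision, reason) for one packet."""
        for name, match, decision in self.rules:
            if match(p):
                if decision == "allow":
                    self.flows.add((p["src"], p["sport"], p["dst"], p["dport"], p["proto"]))
                return decision, name
        # "Allow the return traffic": only the exact reverse of an admitted flow.
        if (p["dst"], p["dport"], p["src"], p["sport"], p["proto"]) in self.flows:
            return "allow", "return traffic of an allowed connection"
        return "deny", "deny all traffic unless explicitly allowed"


def sample_traffic():
    """Run constructed packets through the rule set; returns the decisions."""
    fw = Firewall(RULES)
    return [fw.evaluate(p)[0] for p in (
        packet("out", "udp", "10.0.0.5", 5353, "203.0.113.53", 53),      # DNS query
        packet("in", "udp", "203.0.113.53", 53, "10.0.0.5", 5353),       # DNS reply
        packet("in", "udp", "203.0.113.53", 53, "10.0.0.5", 6000),       # unsolicited
        packet("in", "tcp", "10.0.0.9", 4444, "10.0.0.5", 445),          # spoofed source
        packet("in", "tcp", "198.51.100.7", 40000, "192.0.2.10", 443),   # published Web
        packet("in", "tcp", "198.51.100.7", 40001, "192.0.2.10", 3389),  # not published
        packet("out", "tcp", "192.0.2.25", 50000, "198.51.100.25", 25),  # outbound mail
    )]
```

Running it prints allow, allow, deny, deny, allow, deny, allow in that order: the unsolicited DNS "reply" and the RDP attempt fall to default deny even though they resemble permitted traffic.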


Microsoft Firewall Products
• Dedicated firewall applications installed on a server
  – Microsoft’s Internet Security and Acceleration Server
  – Forefront Threat Management Gateway


Summary
• Hardening the system increases server security
  – Key steps:
    • Reducing the attack surface, performing compliance auditing, keeping the system up to date
• Security Configuration Wizard (SCW)
  – Used to create a security policy as an XML file
    • Based on server roles
• Scwcmd
  – Command-line equivalent of SCW
  – Used for compliance auditing


Summary (cont’d.)
• Compliance auditing
  – Used to check systems for compliance with security policies or security requirements
  – Tools: Scwcmd and MBSA
    • MBSACLI: command-line equivalent of MBSA
• Auditing
  – Can log events in the Security log
    • Viewable in the Event Viewer
• Windows Server Update Services (WSUS)
  – Central location to download updates from the Microsoft Update site for an organization


Summary (cont’d.)
• Downstream servers
  – Configured either in autonomous mode or replica mode
• WSUS servers usable in an isolated network
  – Without Internet access
• Perimeter network
  – Placed between a private internal network and a public network
  – Referred to as a demilitarized zone (DMZ)
  – Normally includes two firewalls