Module 9 Configuring Server Security Compliance

Upload: maud-pearson

Post on 25-Dec-2015


Module 9

Configuring Server Security Compliance

Module Overview

• Securing a Windows Infrastructure

• Overview of EFS

• Configuring an Audit Policy

• Overview of Windows Server® Update Services (WSUS)

• Managing WSUS

Applying Defense-in-Depth to Increase Security

Defense-in-depth provides multiple layers of defense to protect a networking environment

• Policies, Procedures, & Awareness: security documents, user education

• Physical Security: guards, locks

• Perimeter: firewalls

• Internal Network: network segments, IPsec

• Host: OS hardening, authentication

• Application: application hardening, antivirus

• Data: ACLs, encryption, EFS

Core Server Security Practices

Apply the latest service pack and all available security updates

Use the Security Configuration Wizard to scan and implement server security

Use Group Policy and security templates to harden servers

Restrict scope of access for service accounts

Restrict who can log on locally to servers

Restrict physical and network access to servers

What Is Encrypting File System?

EFS:

• File contents are protected by a symmetrical key

• The symmetrical key is protected by asymmetrical encryption

• Enabled in the properties of a file

• Requires a user certificate

• Can be used on shared files

• Can be configured with a recovery agent in case user certificates are lost

Encrypting File System (EFS) is a system for encrypting files

What Is BitLocker Drive Encryption?

BitLocker Drive Encryption:

• Helps protect data on the operating system drive

• Helps protect the operating system from modification

• Access to the operating system drive is controlled by encryption keys

BitLocker is a system that encrypts the entire operating system drive and potentially data volumes

Troubleshooting EFS

Check the following items:

• Unable to Encrypt

• The volume is NTFS

• User has Write access to file

• Roaming user profiles generally required to encrypt remote files

• Unable to Decrypt

• File location is trusted for delegation

• Roaming profile is available

• User account cannot be delegated

• Certificate or Private Key problems

Determine if the problem occurs when encrypting or decrypting files, and whether the files are local or remote

What Is Auditing?

• Auditing tracks user and operating system activities, and records selected events in security logs, such as:

• What occurred?

• Who did it?

• When?

• What was the result?

• Enable auditing to:

• Create a baseline

• Detect threats and attacks

• Determine damages

• Prevent further damage

• Audit access to objects, management of accounts, and users logging on and off

Types of Events to Audit (Audit Policy)

• Account Logon

• Account Management

• Directory Service Access

• Directory Service Changes

• Directory Service Replication

• Detailed Directory Service Replication

• Logon

• Object Access

• Policy Change

• Privilege Use

• Process Tracking

• System

Troubleshooting Audit Policy

View Security Log in Event Viewer

After you configure auditing, it may not work for the following reasons:

• A site, a domain, or an organizational unit policy setting overrides the audit policy that you configured

• A GPO that overrides the audit policy setting has a higher priority

• The site, the domain, or the organizational unit policy setting that contains the audit policy setting has not replicated to other computers

Object Access Auditing

• Understand how inheritance affects file and folder auditing

• Test an audit rule for a file or folder

• Open and close the file or folder

• View the security log to ensure Event ID 4663 is logged
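The object access test above, together with the effective-policy check from the troubleshooting slide, can be scripted. This is an added example, not part of the original course material; the folder `C:\AuditTest`, the file name and the `Everyone` principal are assumptions chosen for the test.

```powershell
# Added example. Run in an elevated PowerShell 2.0+ session; the subcategory
# name "File System" assumes an English-language system.
$folder = 'C:\AuditTest'                      # assumed test location
$file   = Join-Path $folder 'probe.txt'
New-Item -ItemType Directory -Path $folder -Force | Out-Null
Set-Content -Path $file -Value 'audit probe'

# Object access auditing must be enabled in the effective policy. A GPO with
# higher priority can overwrite this local setting at the next policy refresh.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
auditpol /get /subcategory:"File System"

# Audit rule (SACL entry) on the folder. The inheritance flags pass the rule
# down to files and subfolders, so probe.txt is covered without its own rule.
$acl  = Get-Acl -Path $folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'ReadData, WriteData, Delete',
    'ContainerInherit, ObjectInherit', 'None', 'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Confirm the file inherited the rule (IsInherited should be True).
(Get-Acl -Path $file -Audit).Audit | Format-List IdentityReference, FileSystemRights, AuditFlags, IsInherited

# Open and close the file, then give the event log a moment to record it.
$start = Get-Date
Get-Content -Path $file | Out-Null
Start-Sleep -Seconds 2

# Look for Event ID 4663 that names the probe file.
$hits = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $start } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt = $_; $data = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data['ObjectName'] -eq $file) {
            New-Object PSObject -Property @{
                Time = $evt.TimeCreated; User = $data['SubjectUserName']
                Process = $data['ProcessName']; AccessMask = $data['AccessMask'] }
        }
    }

if ($hits) { $hits | Format-Table Time, User, Process, AccessMask -AutoSize } else {
    Write-Warning 'No 4663 event: check the auditpol output above and whether a GPO overrides the audit policy.'
}
```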

Lesson: Overview of Windows Server Update Services (WSUS)

• What Is Windows Server Update Services?

• Obtaining Updates

• Windows Server Update Services Process

• WSUS Deployment Considerations

• Server Requirements for WSUS

• Installing WSUS

• WSUS Group Policy Settings

• Automatic Updates Configuration

Obtaining Updates

[Diagram with the labels: Windows Update, WSUS]

Windows Server Update Services Process

Update Management

Phase 1: Assess

• Set up a production environment that will support update management for both routine and emergency scenarios

Phase 2: Identify

• Discover new updates in a convenient manner

• Determine whether updates are relevant to the production environment

Phase 3: Evaluate and Plan

• Test updates in an environment that resembles, but is separate from, the production environment

• Determine the tasks necessary to deploy updates into production, plan the update releases, build the releases, and then conduct acceptance testing of the releases

Phase 4: Deploy

• Approve and schedule update installations

• Review the process after the deployment is complete

Server Requirements for WSUS

Software requirements:

• Windows Server 2003 SP1 or Windows Server 2008

• IIS 6.0 or later

• Windows Installer 3.1 or later

• Microsoft .NET Framework 2.0

• SQL Server 2005 SP1 or later (optional)

• Microsoft Report Viewer Redistributable 2005

Installing WSUS

Considerations for installing the WSUS Server:

• Select Update Source

• Select the software used to manage the WSUS database

• Select the Web site that WSUS will use to point client computers to WSUS

The WSUS Administration Console:

• The WSUS 3.0 administration console can be used to manage any WSUS server that has a trust relationship with the administration console computer

WSUS Group Policy Settings

Group Policy can specify:

• Which WSUS server to use

• Whether update notifications are displayed

• Frequency of checking for updates

• Auto-restart behavior

• WSUS computer group membership

• Whether computers should wake up to apply updates

Automatic Updates Configuration

• Configure Automatic Updates by using Group Policy: Computer Configuration/Administrative Templates/Windows Components/Windows Update

• Requires updated wuau.adm administrative template

• Requires:

• Windows Vista

• Windows Server 2008

• Windows Server 2003

• Windows XP Professional SP2

• Windows 2000 Professional SP4, Windows 2000 Server/Advanced Server SP3 or SP4
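To confirm on a client that the WSUS Group Policy settings and the Automatic Updates configuration listed above actually arrived, the policy registry values can be read back. This is an added example, not part of the original course material; the helper `Get-PolicyValue` and the wording of the findings are assumptions made for the illustration.

```powershell
# Added example. Reads the values that the Windows Update policy settings
# write on a client; run in PowerShell 2.0 or later.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'

# Hypothetical helper: returns $null when the key or value does not exist.
function Get-PolicyValue($Path, $Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$auOptions = @{ 2 = 'Notify before download'; 3 = 'Download, notify before install'
                4 = 'Download and install on schedule'; 5 = 'Local administrator chooses' }

$cfg = New-Object PSObject -Property @{
    WsusServer          = Get-PolicyValue $wu 'WUServer'          # which WSUS server to use
    StatusServer        = Get-PolicyValue $wu 'WUStatusServer'
    TargetGroup         = Get-PolicyValue $wu 'TargetGroup'       # WSUS computer group membership
    TargetGroupEnabled  = Get-PolicyValue $wu 'TargetGroupEnabled'
    UseWUServer         = Get-PolicyValue $au 'UseWUServer'
    NoAutoUpdate        = Get-PolicyValue $au 'NoAutoUpdate'
    AUOptions           = Get-PolicyValue $au 'AUOptions'
    DetectionFrequency  = Get-PolicyValue $au 'DetectionFrequency' # hours between update checks
    NoRebootWithUsers   = Get-PolicyValue $au 'NoAutoRebootWithLoggedOnUsers'
    WakeToInstall       = Get-PolicyValue $au 'AUPowerManagement'
}
$cfg | Format-List

# Findings that explain why a client may not be reporting to WSUS.
$findings = @()
if (-not $cfg.WsusServer) {
    $findings += 'No WUServer value: the WSUS policy has not been applied to this computer.'
} elseif ($cfg.UseWUServer -ne 1) {
    $findings += 'WUServer is set but UseWUServer is not 1, so the update agent does not use it.'
}
if ($cfg.NoAutoUpdate -eq 1) { $findings += 'Automatic Updates is disabled by policy.' }
if ($cfg.TargetGroup -and $cfg.TargetGroupEnabled -ne 1) {
    $findings += 'TargetGroup is set but client-side targeting is not enabled.'
}
if ($cfg.AUOptions) {
    $findings += 'Automatic Updates mode: ' + $auOptions[[int]$cfg.AUOptions]
}
if ($findings) { $findings } else { 'No policy values found.' }
```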

WSUS Administration

Command-line tools for managing updates:

• Wuauclt.exe – controls the Windows Update Agent

• Wsusutil.exe – management of WSUS

Approving Updates

• Approval options include:

• Install

• Decline

• Unapprove

• Removal

• Automated approval is also supported

Server Core Security Updates

To enable Windows Update on Server Core:

• Cscript c:\Windows\system32\scregedit.wsf /AU 4

To manually install updates onto Server Core:

• Wusa.exe <update>.msu /quiet

To manually remove updates from Server Core:

• In <update>.xml, replace Install with Remove and save the file.

• pkgmgr /n:<update>.xml
