Book description
Covering best practice implementation over a wide range of Windows® environments, this second edition is completely up to date for Windows® 7 and Windows Server® 2008.
Table of contents
- Copyright
- Foreword
- Preface
- About the Author
- Acknowledgements
- Introduction
- 1. Information and Information Security
- 2. Using an ISMS to Counter the Threats
- 3. An Introduction To ISO27001
- 4. Identify Your Information Assets
- 5. Conducting A Risk Assessment
- 6. An Overview of Microsoft Technologies
- Microsoft® Windows Server® 2008
- Microsoft® Windows® 7
- Microsoft® Forefront™
- Microsoft® Systems Center
- Microsoft® Windows Server® Update Services
- Microsoft® Baseline Security Analyzer
- Microsoft Security Risk Management Guide
- Microsoft® Threat Analysis and Modeling Enterprise Edition
- Microsoft® CAT.NET
- Microsoft® Source Code Analyzer for SQL Injection
- 7. Implementing ISO27001 in a Microsoft Environment
- Section 4 Information security management system
- Section A.5 Security policy
- Section A.6 Organisational security
- Section A.7 Asset management
- Section A.8 Human resource security
- Section A.9 Physical and environmental security
- Section A.10 Communications and operations management
- Section A.11 Access control
- Section A.12 Information systems acquisition development and maintenance
- Section A.13 Information security incident management
- Section A.14 Business continuity management
- Section A.15 Compliance
- 8. Securing the Windows® Environment
- 9. Securing the Microsoft® Windows Server® Platform
- 10. Auditing and Monitoring
- 11. Securing Your Servers
- 1. Overview of Security Settings for Windows Server® 2008 Servers and Domain Controllers
- Service pack and hotfixes
- Account and audit policies
- Event log settings
- Security settings
- Allow anonymous SID/Name translation
- Do not allow anonymous enumeration of SAM accounts
- Do not allow anonymous enumeration of SAM accounts and shares
- Administrator account status
- Guest account status
- Limit local account use of blank passwords to console only
- Rename administrator account
- Rename guest account
- Audit the access of global system objects
- Audit the use of back-up and restore privileges
- Shut down system immediately if unable to log security events
- Allowed to format and eject removable media
- Prevent users from installing print drivers
- Restrict CD-ROM access to locally logged-on users only
- Restrict floppy disk access to locally logged-on users only
- Unsigned device driver behavior
- Allow server operators to schedule tasks
- LDAP server signing requirements
- Refuse Machine account password changes
- Digitally encrypt or sign secure channel data (always)
- Digitally encrypt secure channel data
- Digitally sign secure channel data
- Disable Machine account password changes
- Maximum Machine account password age
- Require strong (Windows® 2000 or later) session key
- Do not display last user name for interactive logon
- Do not require Ctrl+Alt+Del
- Message text for users attempting to log on
- Message title for users attempting to log on
- Number of previous logons to cache
- Require domain controller authentication to unlock workstation
- Require smart cards
- Smart card removal behavior
- Amount of idle time required before disconnecting session for Microsoft® Network Server
- Digitally sign communications for Microsoft® Network Server (always)
- Digitally sign communications for Microsoft® Network Server (if client agrees)
- Do not allow storage of credentials or .NET passports for network authentication
- Let Everyone permissions apply to anonymous users
- Named pipes that can be accessed anonymously
- Remotely accessible registry paths
- Restrict anonymous access to named shares and pipes
- Shares that can be accessed anonymously
- Sharing and security model for local accounts
- Do not store LAN Manager hash value on next password change
- LAN Manager authentication level
- LDAP client signing requirements
- Minimum session security for NTLM SSP-based (including secure RPC) clients
- Allow automatic administrative logon as part of recovery console
- Allow floppy copy and access to all drives and all folders for recovery console
- Allow system to be shut down without having to log on
- Clear virtual memory page file
- Default owner for objects created by members of the Administrators group
- Require case insensitivity for non-Windows® subsystems
- Strengthen default permissions of internal system objects
- Optional subsystems
- Use certificate rules on Windows® executables for software restriction policies
- (AFD DynamicBacklogGrowthDelta) Number of connections to create when additional connections are necessary for Winsock applications (10 recommended)
- (AFD EnableDynamicBacklog) Enable dynamic backlog for Winsock applications (recommended)
- (AFD MaximumDynamicBacklog) Maximum number of ‘quasi-free’ connections for Winsock applications
- (AFD MinimumDynamicBacklog) Minimum number of free connections for Winsock applications (20 recommended for systems under attack, 10 otherwise)
- (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
- (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to denial of service)
- (EnableICMPRedirect) Allow ICMP redirects to override OSPF-generated routes
- (EnablePMTUDiscovery) Allow automatic detection of MTU size (possible denial of service by an attacker using a small MTU)
- (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name-release requests except from WINS servers
- (PerformRouterDiscovery) Allow IRDP to detect and configure DefaultGateway addresses (could lead to denial of service)
- (SynAttackProtect) Syn attack protection level (protects against denial of service)
- (TCPMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged
- (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (three recommended, five is default)
- (TCPMaxPortsExhausted) How many dropped connect requests to initiate SYN attack protection (five is recommended)
- Disable autorun for all drives
- Enable safe DLL search mode
- Enable the server to stop generating 8.3 file names
- How often keep-alive packets are sent in milliseconds
- Percentage threshold at which the security event log will generate an alert
- The time in seconds before the screensaver grace period expires
- Service settings
- Permissions on services
- Alerter
- Clipbook
- Fax service
- File replication
- FTP publishing service
- Help and support
- HTTP SSL
- IIS admin service
- Indexing service
- License logging server
- Messenger
- Microsoft® POP3 service
- NetMeeting remote desktop management service
- Network connections
- Network news transport protocol (NNTP)
- Print spooler
- Remote access connection manager
- Remote access auto-connection manager
- Remote administration service
- Remote desktop help session manager
- Remote installation
- Remote procedure call (RPC) locator
- Remote registry service
- Remote server manager
- Remote server monitor
- Remote storage notification
- Remote storage server
- Simple mail transfer protocol
- Simple network management protocol (SNMP) service
- Simple network management protocol (SNMP) traps
- Telephony
- Telnet
- Terminal services
- Trivial FTP service
- Wireless configuration
- World Wide Web publishing rights
- User rights
- Access this computer from the network
- Act as part of the operating system
- Add workstations to the domain
- Adjust memory quota for a process
- Allow to log on locally
- Allow to log on through terminal services
- Back up files and directories
- Bypass traverse tracking
- Change the system time
- Create a pagefile
- Create a token object
- Create global objects
- Create permanent shared objects
- Debug programs
- Deny access to this computer from the network (minimum)
- Deny logon as a batch job
- Deny logon as a service
- Deny logon locally
- Deny logon through terminal services (minimum)
- Enable computer and user accounts to be trusted for delegation
- Force shutdown from a remote system
- Generate security audits
- Impersonate client after authentication
- Increase scheduling priority
- Load and unload device drivers
- Lock pages in memory
- Log on as a batch job
- Log on as a service
- Manage audit and security logs
- Modify firmware environment values
- Perform volume maintenance tasks
- Profile system performance
- Replace a process level token
- Restore files and directories
- Shut down the system
- Synchronise directory service data
- Take ownership of file or other object
- File system permissions
- Registry permissions
- File and registry auditing
- 2. Bibliography, Reference and Further Reading
- ITG Resources
Product information
- Title: ISO27001 in a Windows® Environment: The best practice handbook for a Microsoft® Windows® environment, Second Edition
- Author(s):
- Release date: April 2010
- Publisher(s): IT Governance Publishing
- ISBN: 9781849280495