book

ISO27001 in a Windows® Environment: The best practice handbook for a Microsoft® Windows® environment, Second Edition

Name: ISO27001 in a Windows® Environment: The best practice handbook for a Microsoft® Windows® environment, Second Edition
Author: Brian Honan
ISBN: 9781849280495

by Brian Honan

April 2010

Intermediate to advanced

310 pages

3h 35m

English

IT Governance Publishing

Read now

Unlock full access

Copyright
Foreword
Preface
About the Author
Acknowledgements
Introduction
1. Information and Information Security
Information security conceptsOther information security conceptsThe importance of information security
2. Using an Isms to Counter the Threats
System security versus information securityThe structure of an ISMSInformation security policyAcceptable usage policyRemote access policyInformation management policyComputer malware prevention and protection policyPassword policyManaging exceptions to the policy
3. An Introduction To ISO27001
The ISO27000 standards familyHistory of ISO27001What is in the ISO27001 standard?The plan, do, check and act cycle (PDCA)PlanDoCheckActWhat are the benefits of ISO27001?
4. Identify Your Information Assets
Define the scope of the ISMSIdentifying your information security assetsInformation asset classificationThe value of information assets

5. Conducting A Risk Assessment
What is risk?VulnerabilityThreats to informationTheftLossIntrusionCorruptionDenial of serviceNatural threatsManaging risksRisk acceptanceRisk mitigationRisk avoidanceRisk transferRisk deferenceThe different types of risk analysisQuantitative risk analysisThe advantages of quantitative risk analysisThe disadvantages of quantitative risk managementQualitative risk managementThe advantages of qualitative risk managementThe disadvantages of qualitative risk managementThe quantitative versus qualitative approachRisk management toolsMicrosoft Security Risk Management Guide
6. An Overview of Microsoft Technologies
Microsoft® Windows Server® 2008Security features of Microsoft® Windows Server® 2008Read-only domain controllerBitLocker™ drive encryptionServer CoreNetwork Access ProtectionRouting and Remote Access serviceWindows® Firewall with Advanced SecurityActive Directory® Certificate ServicesActive Directory® Rights Management ServicesGroup PoliciesMicrosoft® Windows® 7Windows® Backup and Restore CenterAutomatic BackupComplete BackupBitLocker™DirectAccessAppLocker™Windows® FirewallWindows® DefenderUser Account ControlWindows® Security CenterMicrosoft® Forefront™Microsoft® Systems CenterMicrosoft® Windows Server® Update ServicesMicrosoft® Baseline Security AnalyzerMicrosoft Security Risk Management GuideMicrosoft® Threat Analysis and Modeling Enterprise EditionMicrosoft® CAT.NETMicrosoft® Source Code Analyzer for SQL Injection
7. Implementing ISO27001 in a Microsoft Environment
Section 4 Information security management systemSection A.5 Security policySection A.6 Organisational securitySection A.7 Asset managementSection A.8 Human resource securitySection A.9 Physical and environmental securitySection A.10 Communications and operations managementSection A.11 Access controlSection A.12 Information systems acquisition development and maintenanceSection A.13 Information security incident managementSection A.14 Business continuity managementSection A.15 Compliance
8. Securing the Windows® Environment
Windows Server® 2008 architectureStructured naming conventionDomain nameWindows® server naming conventionsClient workstation namesPrinter namesDomain user accounts naming standardsUser accountsWindows Server® 2008 domain administrator accountService-desk administrationGuest accountEveryone group
9. Securing the Microsoft® Windows Server® Platform
Domain controllersRead-only domain controllerMember serversStandard serversSensitive serversRecommended settings
10. Auditing and Monitoring
Configuring auditing of file and resource accessEvent log settingsEvents to recordLocal logon attempt failuresDomain logon account failuresAccount misuseAccount lockoutTerminal servicesCreation of a user accountUser account password changeUser account status changeModification of security groupsModification of security logPolicy changeProcess tracking
11. Securing Your Servers
Setting file system permissionsConfiguring registry permissionsProtecting files and directories
1. Overview of Security Settings for Windows Server® 2008 Servers and Domain Controllers
Service pack and hotfixesCurrent service pack installedSoftware patchesAccount and audit policiesAccount policiesMinimum password lengthMaximum password ageMinimum password agePassword complexityPassword historyStore passwords using reversible encryptionAudit policyAccount lockout policyEvent log settingsApplication log settingsSecurity log settingsSystem log settingsSecurity settingsAllow anonymous SID/Name translationDo not allow anonymous enumeration of SAM accountsDo not allow anonymous enumeration of SAM accounts and sharesAdministrator account statusGuest account statusLimit local account use of blank passwords to console onlyRename administrator accountRename guest accountAudit the access of global system objectsAudit the use of back-up and restore privilegesShut down system immediately if unable to log security eventsAllowed to format and eject removable mediaPrevent users from installing print driversRestrict CD-ROM access to locally logged-on users onlyRestrict floppy disk access to locally logged-on users onlyUnsigned device driver behaviorAllow server operators to schedule tasksLDAP server signing requirementsRefuse Machine account password changesDigitally encrypt or sign secure channel data (always)Digitally encrypt secure channel dataDigitally sign secure channel dataDisable Machine account password changesMaximum Machine account password ageRequire strong (Windows® 2000 or later) session keyDo not display last user name for interactive logonDo not require Ctrl+Alt+DelMessage text for users attempting to log onMessage title for users attempting to log onNumber of previous logons to cacheRequire domain controller authentication to unlock workstationRequire smart cardsSmart card removal behaviorAmount of idle time required before disconnecting session for Microsoft® Network ServerDigitally sign communications for Microsoft® Network Server (always)Digitally sign communications for Microsoft® Network Server (if client agrees)Do not allow storage of credentials or .NET passports for network authenticationLet Everyone permissions apply to anonymous usersNamed pipes that can be accessed anonymouslyRemotely accessible registry pathsRestrict anonymous access to named shares and pipesShares that can be accessed anonymouslySharing and security model for local accountsDo not store LAN Manager hash value on next password changeLAN Manager authentication levelLDAP client signing requirementsMinimum session security for NTLM SSP-based (including secure RPC) clientsAllow automatic administrative logon as part of recovery consoleAllow floppy copy and access to all drives and all folders for recovery consoleAllow system to be shut down without having to log onClear virtual memory page fileDefault owner for objects created by members of the Administrators groupRequire case insensitivity for non-Windows® subsystemsStrengthen default permissions of internal system objectsOptional subsystemsUse certificate rules on Windows® executables for software restriction policies(AFD DynamicBacklogGrowthDelta) Number of connections to create when additional connections are necessary for Winsock applications (10 recommended)(AFD EnableDynamicBacklog) Enable dynamic backlog for Winsock applications (recommended)(AFDMaximumDynamicBacklog) Maximum number of ‘quasi-free’ connections for Winsock applications(AFD MinimumDynamicBacklog) Minimum number of free connections for Winsock applications (20 recommended for systems under attack, 10 otherwise)(DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)(EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to denial of service)(EnableICMPRedirect) Allow ICMP redirects to override OSPF-generated routes(EnablePMTUDiscovery) Allow automatic detection of MTU size (possible denial of service by an attacker using a small MTU)(NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name-release requests except from WINS servers(PerformRouterDiscovery) Allow IRDP to detect and configure DefaultGateway addresses (could lead to denial of service)(SynAttackProtect) Syn attack protection level (protects against denial of service)(TCPMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged(TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (three recommended, five is default)(TCPMaxPortsExhausted) How many dropped connect requests to initiate SYN attack protection (five is recommended)Disable autorun for all drivesEnable safe DLL search modeEnable the server to stop generating 8.3 file namesHow often keep-alive packets are send in millisecondsPercentage threshold at which the security event log will generate an alertThe time in seconds before the screensaver grace period expiresService settingsPermissions on servicesAlerterClipbookFax serviceFile replicationFTP publishing serviceHelp and supportHTTP SSLIIS admin serviceIndexing serviceLicense logging serverMessengerMicrosoft® POP3 serviceNetMeeting remote desktop management serviceNetwork connectionsNetwork news transport protocol (NNTP)Print spoolerRemote access connection managerRemote access auto-connection managerRemote administration serviceRemote desktop help session managerRemote installationRemote procedure call (RPC) locatorRemote registry serviceRemote server managerRemote server monitorRemote storage notificationRemote storage serverSimple mail transfer protocolSimple network management protocol (SNMP) serviceSimple network management protocol (SNMP) trapsTelephonyTelnetTerminal servicesTrivial FTP serviceWireless configurationWorld Wide Web publishing rightsUser rightsAccess this computer from the networkAct as part of the operating systemAdd workstations to the domainAdjust memory quota for a processAllow to log on locallyAllow to log on through terminal servicesBack up files and directoriesBypass traverse trackingChange the system timeCreate a pagefileCreate a token objectCreate global objectsCreate permanent shared objectsDebug programsDeny access to this computer from the network (minimum)Deny logon as a batch jobDeny logon as a serviceDeny logon locallyDeny logon through terminal services (minimum)Enable computer and user accounts to be trusted for delegationForce shutdown from a remote systemGenerate security auditsImpersonate client after authenticationIncrease scheduling priorityLoad and unload device driversLock pages in memoryLog on as a batch jobLog on as a serviceManage audit and security logsModify firmware environment valuesPerform volume maintenance tasksProfile system performanceReplace a process level tokenRestore files and directoriesShut down the systemSynchronise directory service dataTake ownership of file or other objectFile system permissionsRegistry permissionsFile and registry auditing
2. Bibliography, Reference and Further Reading
ISO27001 resourcesMicrosoft resourcesMicrosoft productsOther resources
ITG Resources
Other WebsitesPocket GuidesToolkitsBest Practice ReportsTraining and ConsultancyNewsletter

Content preview from ISO27001 in a Windows® Environment: The best practice handbook for a Microsoft® Windows® environment, Second Edition

Chapter 10. Auditing and Monitoring

Microsoft^® Windows Server^® 2008 provides a comprehensive range of auditing and logging features. If configured correctly, these features will enable you to trace all user activity on your systems in the event you need to investigate technical or security incidents.

The following sections outline some recommendations on how best to audit your Windows Server^® 2008 environment.

The recommendations below are based on the guides provided by Microsoft, The Center for Internet Security, The SANS Institute and the US National Institute of Standards and Technology. Please refer to Appendix 2 for more details on these resources.

Table 52. Configuring registry auditing

Parameter	Settings
%SystemDrive%	Failures
HKLM\Software	Failures ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781849280495Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

ISO27001 in a Windows® Environment: The best practice handbook for a Microsoft® Windows® environment, Second Edition

by Brian Honan

Chapter 10. Auditing and Monitoring

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.