book

Securing Windows Server 2003

Name: Securing Windows Server 2003
Author: Mike Danseglio
ISBN: 9780596006853

by Mike Danseglio

November 2004

Intermediate to advanced

448 pages

13h 56m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Securing Windows Server 2003
Preface
What’s in This Book?
Audience
About This Book
Assumptions This Book Makes
Conventions Used in This Book
Comments and Questions
Acknowledgments
1. Introduction to Windows Server 2003 Security
What Is Security?
What Is Windows Server 2003?

Security Design in Windows Server 2003
Security Features in the Windows Server 2003 Family
Security Enhancements in Windows XP and the Windows Server 2003 FamilySecurity Enhancements in Windows Server 2003, Standard Server EditionSecurity Enhancements in Windows Server 2003, Enterprise Server Edition
Summary
2. Basics of Computer Security
Why Computer Security Is ImportantCreating a Security Policy Is a Political ProblemWhat’s in a Good Security Policy?
Security Enforcement Mechanisms
Technology-Based SecurityAdministration-Based Security
POLA: The Principle of Least Access
Key-Based Cryptography
HashingShared Secret Key CryptographyPublic Key Cryptography
Authorization and Authentication
Password Basics
What’s a Strong Password?Enforcing Strong Passwords
Network Security
Boundary SecurityData Encryption
Keeping Your Eyes Open
Summary
3. Physical Security
Identifying Physical Security VulnerabilitiesYour PeopleYour OfficeYour LaptopsYour Data CenterYour ServersYour Wiring ClosetsYour Network Cables
Protecting Physical Assets
Securing the OfficeSecuring LaptopsSecuring the Data CenterSecuring ServersSecuring the Wiring ClosetSecuring Network Transmissions
Holistic Security: Best Practices
Summary
4. File System Security
Protecting Files with NTFS File PermissionsHow File Permissions WorkHow to Configure File PermissionsExample: setting up a secure file shareExample: implementing local file security for a shared computer
Protecting Data with the Encrypting File System
How EFS WorksBenefits of the Encrypting File SystemDrawbacks of the Encrypting File SystemUsing the Encrypting File System CorrectlyExample: Ensuring New Files are EncryptedExample: Managing the Private Key to Ensure Maximum ProtectionExample: Using cipher.exe to Remove Old Unencrypted DataIdentifying the EFS recovery agentExample: Storing Shared Encrypted Files on a Windows Server 2003 File ServerConfiguring EFS with Group Policy
Protecting System Information with Syskey
How Syskey WorksProtecting a Portable ComputerConfigure Syskey mode 2Encrypt data directoriesRun cipher /w
Summary
5. Group Policy and Security Templates
What Is Group Policy?
How Group Policy Works
How Do Security Templates Work?
Using Group Policy to Enforce Security
Controlling Password Policies with Group PolicyExample problem: Woodgrove Bank password policyExample implementation: controlling password policyConfiguring the Desktop with Group PolicyExample problem: Woodgrove tellersExample implementation: controlling desktop resourcesConfiguring Auditing with Group PolicyExample problem: security auditing for serversExample implementation: controlling auditing
Using Security Templates to Deploy Secure Configurations
Using Built-in TemplatesExample problem: the human resources departmentExample implementation: controlling network communications securityAnalyzing Your Security ConfigurationCreating a Security Configuration and Analysis consoleCreating a new security databaseImporting security templatesAnalyzing the security settingsCreating Your Own Security TemplateDeploying the Security Template with Group PolicyUsing Security Templates EffectivelyExample problem: Woodgrove server file securityExample implementation: controlling security settings
Summary
6. Running Secure Code
Identifying Secure CodeHow Code Is SignedThe Dangers of Unsigned CodeEnforcing the Use of Secure Code
Driver Signing
Configuring Driver SigningExample: Warning When Installing Unsigned Drivers
Software Restriction Policies
Configuring Software Restriction PolicyCreating a new hash ruleCreating a certificate ruleExample: Allowing an Application to Run on ComputersExample: Allowing Applications with a Specific Extension to ExecuteBest Practices for Software Restrictions
Summary
7. Authentication
LAN Manager and NTLMA Brief History of LM and NTLMHow NTLM WorksLogging onSecurity tokenAccessing resourcesNTLM Pros and ConsConfiguring LMDisabling hash storageDisabling NTLM variants
Kerberos
A Brief History of KerberosHow Kerberos WorksKerberos operational theoryLogging onAccessing resourcesProxy authenticationMicrosoft’s Kerberos implementationConfiguring KerberosKerberos Pros and ConsKerberos Interoperability
Summary
8. IP Security
What Is IP Security?Benefits of IPSecDrawbacks of IPSec
How Does IPSec Work?
IPSec ComponentsIPSec Component Interaction
Microsoft’s Implementation of IPSec in Windows Server 2003
Microsoft IPSec ComponentsDeployment of IPSec to Windows Computers
Using IPSec Correctly
Example: Woodgrove Bank Corporate Accounts PayableClient IPSec configuration through Group PolicyServer IPSec configuration through Group PolicyVerifying IPSec OperationVerifying IPSec operation with IP Security MonitorVerifying IPSec operation with other toolsIPSecCmd.Netsh.Other basic techniques.Example: Restricting a Server to Highly Secure IPSec CommunicationCreating a policy to use perfect forward secrecyConfigure IPSec to not allow any traffic to bypass its filter rulesExample: Using IPSec with a Non-Microsoft ClientConfiguring IPSec for certificate-based authentication
Summary
9. Certificates and Public Key Infrastructure
What Are Certificates?Certificate ConceptsBenefits of Public Key CertificatesWhere Do Certificates Come From?
What Do I Do with Certificates?
Distributing CertificatesExporting a certificate without the private keyImporting a received certificateImporting a certificate revocation listBacking Up the Certificate and Private KeyArchiving a certificate and private keyRestoring an archived private key
What Is a Certification Authority?
How a Certification Authority WorksServer configurationSubject requesting a certificateProcessing the requestPublishing a certificateServer publishing a certificate revocation list
Deciding Between Public and Private Certification Authorities
Public Certification AuthoritiesPrivate Certification Authorities
Implementing a Public PKI
Deploy Root CA Certificate to All Clients as Trusted RootObtain and Deploy Client CertificatesConsiderations for client certificate deploymentCommon ways to deploy certificates
Planning Your Private Certification Hierarchy
Hierarchy DepthDesired Certificate ConfigurationIssuing Certificates AutomaticallyCertificate Revocation ArchitectureDelta certificate revocation listsCRL distribution pointsHardware PlansCryptographic hardware for certification authorities
Implementing a Private Certification Hierarchy
Create a PKI Deployment PlanConstruct Certificate Policy and Certificate Practice StatementInstall the Root Certification AuthorityConfiguring the root CA’s CDP listProtecting the private key without an HSMPublish offline root CA’s CRLInstall Intermediate and Issuing CAsConfigure Certificate Templates for Desired CertificatesConfigure the Issuing CAConfigure Autoenrollment for Windows XPOptional: enroll intermediate network devices for certificates using MSCEPOther enrollment methodsTest Desired Applications
Maintaining Your Hierarchy
Certificate IssuanceConfiguring CA AuditingRenewing CA CertificatesRevoking Issued CertificatesPublishing CRL for Offline Root CABacking Up Your CA
Summary
10. Smart Card Technology
What Are Smart Cards?How Smart Cards WorkRequirements for Using Smart Cards
Using Smart Cards
Secure LogonGeneral Purpose CryptographyDistributing Smart CardsImplementing Smart Cards in Your OrganizationPKI firstEnrolling usersPreparing to issue cardsIssuing cards to users
Summary
11. DHCP and DNS Security
DHCPWhat Is DHCP?How DHCP worksDHCP securityUsing DHCP SecurelyConfiguring DHCP for proper administrationMonitoring DHCP for DOS attackAuditing DHCPAnalyzing DHCP logsMonitoring the network for unauthorized DHCP serversEliminating DHCP
DNS
What Is DNS?Requirements for DNSDNS zone storageStandard DNS zonesActive Directory-integrated DNS zonesDNS security concernsUsing DNS SecurelySetting permissions for DNS administrationSetting permissions on DNS objectsEnabling secure dynamic updatesRestricting zone transfersRestricting recursive queriesAuditing DNS
DNS and DHCP Together
DHCP Service AccountAutomatic Record Updating
Summary
12. Internet Information Services Security
What Is IIS?
How Does IIS Work?
IIS ProcessingIIS Security
Using IIS Securely
Installing IISConfiguring the Services You NeedUsing Secure Sockets LayerUsing IP Address RestrictionsUsing Port NumbersUsing File PermissionsConfiguring AuthenticationAllow Only Needed FunctionalityReview Web Server LogsUsing Port FilteringDedicating IIS Servers
Summary
13. Active Directory Security
What Is Active Directory?Benefits of Active DirectoryExtensible databaseMultimaster domainObject supportSoftware deployment with GPOsSecurity Benefits of Active DirectoryKerberosTrustsSmart card supportGroup Policy ObjectsDelegation
Structural Components of Active Directory
DomainsTreesForestsOrganizational UnitsSites
Domain Controllers
Default Security Through GPOs
Default Domain PolicyDefault Domain Controller PolicyDefault Security for Upgrades
Providing Security for Domains
Users, Groups, and ComputersClean up stale accountsProtect user accountsUse proper group nestingProtect service accountsAdministrative GroupsAdministrator AccountsObject Security and ACLsExample: Configuring Domain User Accountsto Access ResourcesConfiguring correct user group nesting structuresAccount PoliciesAccount Policies at the OU levelTrusts
Providing Security for Forests
Forestwide ComponentsForestwide GroupsForest TrustsSID Filtering
Providing Security for Active Directory Objects
Example: Delegating Control for Helpdesk AdminsDelegating controlExample: Auditing Management of ADConfiguring auditing for DCsViewing Security Log in Event Viewer
Providing Security for Domain Controllers
Physical AccessNetwork AccessDomain Controller CommunicationsOpen firewall ports on trusted networkIPSec for DC communication and replicationDomain controller communication across untrusted network with IPSec tunnelLocating Domain Controllers in Active DirectoryRoles and Responsibilities
Summary
14. Remote Access Security
What Is Remote Access?
Controlling Access
Remote Access PoliciesWritten remote access security policiesRADIUS and IAS
Authentication and Encryption Protocols
Authentication ProtocolsEncryption Protocols
Virtual Private Networks
Operating TheoryVPN ProtocolsPoint-to-Point Tunneling Protocol (PPTP)Layer 2 Tunneling Protocol (L2TP)Making VPNs More Secure
Example Implementations for Remote Access
Setting Up Remote Access Authentication for Dial-in UsersSetting Up a VPN Server
Summary
15. Auditing and Ongoing Security
Security Policies and ProceduresBenefits of Establishing Security Policies and ProceduresCreating Security PoliciesCreating Procedures
Auditing
How Auditing WorksConfiguring AuditingConfiguring auditing for domain controllersConfiguring the Event Log and audit failure behaviorAuditing account managementSetting up a honey pot
Operating System Updates
Windows UpdateMicrosoft Software Update ServicesInstalling and configuring SUS serverConfiguring SUS clientsUsing MBSA to Determine Current Security Status
Summary
A. Sending Secure Email
What Is Secure Email?
How Does Secure Email Work?
Digitally Signed MessagesEncrypted Messages
Considerations for Secure Email
Secure Email Implementation
Using a Commercial Certification AuthorityUsing Your Own Certification AuthorityIssuing certificatesConfiguring clients to trust youConfiguring Your Email ClientNon-Microsoft Secure Email
Summary
Index
Colophon

Content preview from Securing Windows Server 2003

Providing Security for Domains

Now that we have a good understanding of Active Directory, the infrastructure components, default security, and how to apply security, we are going to investigate each component individually, including how to provide security for it. We start with the domain. The domain has many areas that need to be secured to ensure that an attacker has few areas to focus on. Some of these focus areas could fall under domain controllers, since the objects are stored there, but these are really domainwide considerations, not just domain controller considerations.

Users, Groups, and Computers

As we have seen in earlier chapters, the SID is the mechanism used by the operating system to control and manage the security principals. Remember, the security principals include user, group, and computer accounts. You will want to protect all security principals above all other objects, because it is the security principals that are given access to resources. If an attacker can access a resource as an account that has elevated privileges or administrative privileges, there is almost no way to stop him from doing as he pleases with that resource.

The following simple rules will help you protect user, group, and computer accounts.

Clean up stale accounts

If an account (especially a user or computer account) has not been used in a while, be sure to have a process to remove it from the Active Directory. The new feature to run Saved Queries in the Active Directory will help you quickly ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Microsoft® Windows® 2000 Security Handbook

Publisher Resources

ISBN: 0596006853Catalog Page Errata

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Securing Windows Server 2003

by Mike Danseglio

Providing Security for Domains