
Windows Server 2003 Security Cookbook

Book Description

In the last few years, security has become a hot-button issue for IT organizations of all sizes. Accordingly, many of the security features that were either optional or suspect in Windows 2000 have become solid, effective fixtures in Windows Server 2003, making it the most secure operating system Microsoft has ever produced. That is, if you know how to configure it properly.

The Windows Server 2003 Security Cookbook wants to make sure that you do know how. Picking up right where its predecessor, the Windows Server Cookbook, left off, this desktop companion is focused solely on Windows Server security. It teaches you how to perform important security tasks in the Windows Server 2003 OS using specific and adaptable recipes. Each recipe features a brief description of the problem, a step-by-step solution, and then a discussion of the technology at work. Whenever possible, the authors even tell you where to look for further information on a recipe.

The book is written in a highly modular format, with each chapter devoted to one or more technologies that Windows Server 2003 provides. This approach allows you to look up a task or scenario that you want to accomplish, find that page, and read that particular recipe only. Topics include:

  • System preparation and administration
  • Protecting the computer at the TCP/IP level
  • Applying security options to Active Directory
  • Improving security on domain controllers
  • Securing DHCP controllers
  • Encrypting and signing network traffic using IPSec
  • Patch management

If you're an intermediate or advanced system administrator who wants to feel secure when deploying Windows Server 2003 and its related services, then you don't want to be without the Windows Server 2003 Security Cookbook.

Table of Contents

  1. Dedication
  2. Preface
    1. Audience
    2. About This Book
    3. What’s in This Book?
    4. Assumptions This Book Makes
    5. Conventions Used in This Book
    6. Using Code Examples
    7. Safari Enabled
    8. Comments and Questions
    9. Acknowledgments
  3. 1. Getting Started
    1. 1.1. What Is Security?
    2. 1.2. Approach to the Book
    3. 1.3. Where to Find the Tools
    4. 1.4. Group Policy Notes
    5. 1.5. Programming Notes
    6. 1.6. Replaceable Text
    7. 1.7. Reporting Security Issues to Microsoft
    8. 1.8. Where to Find More Information
  4. 2. System Preparation and Administration
    1. 2.1. Introduction
    2. 2.1. Creating a Reference Installation
    3. 2.2. Renaming the Domain Administrator Account
    4. 2.3. Renaming the Local Administrator Accounts
    5. 2.4. Disabling the Local Administrator Accounts
    6. 2.5. Renaming the Guest Account
    7. 2.6. Logging in as a Non-Administrator
    8. 2.7. Configuring Internet Explorer Enhanced Security Configuration
    9. 2.8. Preventing Automatic Installation of New Hardware Drivers
    10. 2.9. Protecting Against Modified Device Drivers
    11. 2.10. Encrypting the SAM
    12. 2.11. Locking the Console
    13. 2.12. Enabling Screensaver Locking
  5. 3. TCP/IP
    1. 3.1. Introduction
    2. 3.1. Displaying the Status of TCP Ports
    3. 3.2. Disabling NetBIOS over TCP/IP
    4. 3.3. Disabling File and Printer Sharing for Microsoft Networks
    5. 3.4. Enabling SYN Flood Protection
    6. 3.5. Disabling Source Routing
    7. 3.6. Disabling Router Discovery
    8. 3.7. Configuring TCP/IP Filtering
    9. 3.8. Enabling and Configuring Windows Firewall
  6. 4. Encrypting File System
    1. 4.1. Introduction
    2. 4.1. Enabling EFS Without a Recovery Agent
    3. 4.2. Configuring a Recovery Agent
    4. 4.3. Configuring Server-Based EFS
    5. 4.4. Encrypting a File
    6. 4.5. Encrypting a Folder
    7. 4.6. Enabling EFS Context Menus
    8. 4.7. Viewing Users and Recovery Agents
    9. 4.8. Moving or Copying an Encrypted File or Folder
    10. 4.9. Changing Encryption Algorithms
    11. 4.10. Encrypting Offline Files
    12. 4.11. Sharing Encrypted Files
    13. 4.12. Backing Up EFS Keys
    14. 4.13. Using a Recovery Agent
    15. 4.14. Removing Unused Data
  7. 5. Active Directory
    1. 5.1. Introduction
    2. 5.1. Enabling SSL/TLS
    3. 5.2. Encrypting LDAP Traffic with SSL or TLS; Digital Signing
    4. 5.3. Using the Delegation of Control Wizard
    5. 5.4. Customizing the Delegation of Control Wizard
    6. 5.5. Using the Default ACL for an Objectclass
    7. 5.6. Enabling List Object Access Mode
    8. 5.7. Modifying the ACL on Administrator Accounts
    9. 5.8. Viewing and Purging Your Kerberos Tickets
    10. 5.9. Resetting the Directory Service Restore Mode Administrator Password
    11. 5.10. Implementing Role-Based Access Control
    12. 5.11. Displaying Delegated Rights
    13. 5.12. Removing Delegated Rights
  8. 6. Group Policy
    1. 6.1. Introduction
    2. 6.1. Creating a GPO
    3. 6.2. Copying a GPO
    4. 6.3. Deleting a GPO
    5. 6.4. Modifying the Settings of a GPO
    6. 6.5. Creating a GPO Link to an OU
    7. 6.6. Blocking Inheritance of GPOs on an OU
    8. 6.7. Forcing a GPO Application
    9. 6.8. Applying a Security Filter to a GPO
    10. 6.9. Refreshing GPO Settings on a Computer
    11. 6.10. Configuring the Group Policy Refresh Interval
    12. 6.11. Installing Applications with a GPO
    13. 6.12. Assigning Logon/Logoff and Startup/Shutdown Scripts in a GPO
    14. 6.13. Configuring Password Policies
    15. 6.14. Configuring Account Lockout Policies
    16. 6.15. Configuring Kerberos Policies
    17. 6.16. Configuring User Rights Assignment
    18. 6.17. Configuring Security Options
    19. 6.18. Configuring Time Synchronization Settings
    20. 6.19. Using Restricted Groups
    21. 6.20. Configuring Service Parameters
    22. 6.21. Configuring Registry Permissions
    23. 6.22. Configuring File Permissions
  9. 7. Security Templates
    1. 7.1. Introduction
    2. 7.1. Using Default Security Templates
    3. 7.2. Creating a Security Template
    4. 7.3. Changing Account Policies
    5. 7.4. Changing Local Policies
    6. 7.5. Changing Event Log Settings
    7. 7.6. Making Group Membership Changes
    8. 7.7. Disabling Unwanted System Services
    9. 7.8. Modifying Registry Permissions
    10. 7.9. Modifying Filesystem Permissions
    11. 7.10. Exporting Security Templates
    12. 7.11. Importing Security Templates
    13. 7.12. Verifying Template Application
    14. 7.13. Analyzing a Security Configuration
    15. 7.14. Testing Template Compatibility
  10. 8. Domain Controllers
    1. 8.1. Introduction
    2. 8.1. Disabling LM Hash Storage
    3. 8.2. Removing Stored LM Hashes
    4. 8.3. Requiring NTLM Authentication
    5. 8.4. Using Syskey to Thwart Offline Attacks
    6. 8.5. Signing LDAP Communications
    7. 8.6. Hardening Domain Controllers with Security Templates
  11. 9. User and Computer Accounts
    1. 9.1. Introduction
    2. 9.1. Enabling and Disabling a User
    3. 9.2. Finding Disabled Users
    4. 9.3. Unlocking a User
    5. 9.4. Troubleshooting Account Lockout Problems
    6. 9.5. Viewing and Modifying the Account Lockout and Password Policies
    7. 9.6. Setting a User’s Account to Expire
    8. 9.7. Setting a User’s Password
    9. 9.8. Forcing a User Password Change at Next Logon
    10. 9.9. Preventing a User’s Password from Expiring
    11. 9.10. Setting a User’s Account Options
    12. 9.11. Finding a User’s Last Logon Time
    13. 9.12. Restricting a User’s Logon Hours and Workstations
    14. 9.13. Resetting a Computer Account
    15. 9.14. Finding Inactive or Unused Computer Accounts
    16. 9.15. Trusting a Computer Account for Delegation
  12. 10. Rights and Permissions
    1. 10.1. Introduction
    2. 10.1. Using Standard File Permissions
    3. 10.2. Using Special File Permissions
    4. 10.3. Determining File Permission Inheritance
    5. 10.4. Using Deny Permission
    6. 10.5. Determining Effective Permissions
    7. 10.6. Determining File Ownership
    8. 10.7. Modifying File Ownership
    9. 10.8. Restoring Default Permissions
    10. 10.9. Hardening Registry Permissions
    11. 10.10. Restricting Remote Access to the Registry
  13. 11. Dynamic Host Configuration Protocol
    1. 11.1. Introduction
    2. 11.1. Authorizing a DHCP Server
    3. 11.2. Detecting Rogue DHCP Servers
    4. 11.3. Restricting DHCP Administrators
    5. 11.4. Disabling NetBIOS over TCP/IP Name Resolution
    6. 11.5. Enabling Dynamic DNS Updates from the DHCP Server
    7. 11.6. Running DHCP Server on a Domain Controller
  14. 12. Domain Name System
    1. 12.1. Introduction
    2. 12.1. Securing DNS Using the Separate Namespaces Approach
    3. 12.2. Securing DNS Using the Split-Brain Approach
    4. 12.3. Restricting DNS Administration Using the DNSAdmins Group
    5. 12.4. Hiding Your Internal IP Addressing Scheme
    6. 12.5. Blocking Unwanted DNS Traffic Through a Firewall
    7. 12.6. Restricting DNS Traffic Through a Firewall Using Forwarders
    8. 12.7. Preventing DoS Attacks by Disabling Recursion
    9. 12.8. Hardening DNS by Converting Standard Zones to Active Directory Integrated
    10. 12.9. Protecting DNS Zones by Requiring Only Secure Dynamic Updates
    11. 12.10. Hardening DNS Clients by Requiring Them to Use Secure Dynamic Updates
    12. 12.11. Protecting DNS Zones by Disabling Dynamic Updates
    13. 12.12. Hardening DNS Clients by Preventing Them from Attempting Dynamic Updates
    14. 12.13. Preventing Unauthorized Zone Transfers
    15. 12.14. Restricting Zone Transfers to Legitimate DNS Servers
    16. 12.15. Preventing Cache Pollution on DNS Servers
    17. 12.16. Monitoring Suspicious DNS Requests Using Debug Logging
    18. 12.17. Securing Resource Records When Using the DnsUpdateProxy Group
    19. 12.18. Preventing DNS Session Sniffing and Hijacking
  15. 13. File and Print Servers
    1. 13.1. Introduction
    2. 13.1. Creating a Hidden File Share
    3. 13.2. Deleting a File Share
    4. 13.3. Securing Shared Folders and Files
    5. 13.4. Preventing Shared File Caching
    6. 13.5. Determining Access Levels for a File Share
    7. 13.6. Listing All File Shares
    8. 13.7. Restricting Printing Permissions
    9. 13.8. Hardening the Print Spooler
    10. 13.9. Moving the Print Spool Folder
    11. 13.10. Disabling Internet Printing
    12. 13.11. Removing Internet Printing
  16. 14. IPsec
    1. 14.1. Introduction
    2. 14.1. Using a Default IPsec Policy
    3. 14.2. Creating an IPsec Policy
    4. 14.3. Creating a Blocking Rule
    5. 14.4. Creating a Permit Rule
    6. 14.5. Configuring IPsec Boot Mode
    7. 14.6. Configuring Authentication Methods
    8. 14.7. Configuring Connection Types
    9. 14.8. Configuring Key Exchange
    10. 14.9. Configuring Session Cryptography
    11. 14.10. Configuring IP Filter Lists
    12. 14.11. Configuring IP Filter Actions
    13. 14.12. Configuring Security Methods
    14. 14.13. Activating an IPsec Rule
    15. 14.14. Deactivating an IPsec Rule
    16. 14.15. Assigning and Unassigning IPsec Policies
    17. 14.16. Viewing IPsec Statistics with System Monitor
    18. 14.17. Verifying IPsec Traffic
    19. 14.18. Using IPsec Monitor to Verify IPsec
    20. 14.19. Troubleshooting IPsec Connections
  17. 15. Internet Information Services
    1. 15.1. Introduction
    2. 15.1. Configuring Listening Port
    3. 15.2. Removing Unused Components
    4. 15.3. Configuring HTTP Authentication
    5. 15.4. Configuring FTP Authentication
    6. 15.5. Changing the User Context for Anonymous Access
    7. 15.6. Disabling Anonymous Access
    8. 15.7. Restricting Client Access by ACL
    9. 15.8. Restricting Client Access by IP Address or DNS Name
    10. 15.9. Installing Server Certificates
    11. 15.10. Enabling Secure Sockets Layer
    12. 15.11. Enabling Client Certificate Authentication
    13. 15.12. Requiring Client Certificate Authentication
    14. 15.13. Configuring Trusted Certification Authorities
    15. 15.14. Configuring One-to-One Client Certificate Mapping
    16. 15.15. Configuring Many-to-One Client Certificate Mapping
  18. 16. RRAS and IAS
    1. 16.1. Introduction
    2. 16.1. Configuring the Routing and Remote Access Server
    3. 16.2. Allowing Authentication Protocols
    4. 16.3. Requiring Smart Card Authentication
    5. 16.4. Using Preshared Keys
    6. 16.5. Configuring RRAS to Use IAS
    7. 16.6. Installing Internet Authentication Service
    8. 16.7. Configuring IAS Auditing
    9. 16.8. Configuring Local IAS Logging
    10. 16.9. Configuring SQL IAS Logging
    11. 16.10. Creating a Remote Access Policy
    12. 16.11. Configuring Connection Time
  19. 17. Terminal Services and Remote Desktop
    1. 17.1. Introduction
    2. 17.1. Choosing a Security Mode
    3. 17.2. Configuring Session Encryption
    4. 17.3. Limiting Client Sessions
    5. 17.4. Requiring a Password for Connection
    6. 17.5. Securing RPC Administration Traffic
    7. 17.6. Allowing Silent Session Monitoring
    8. 17.7. Monitoring Sessions
    9. 17.8. Enabling Remote Desktop
    10. 17.9. Configuring Access to Remote Desktop
  20. 18. Public Key Infrastructure and Certificates
    1. 18.1. Introduction
    2. 18.1. Installing an Offline Root CA
    3. 18.2. Installing an Enterprise Subordinate CA
    4. 18.3. Installing a Standalone Subordinate CA
    5. 18.4. Publishing a CRL from an Online CA
    6. 18.5. Publishing a CRL from an Offline CA
    7. 18.6. Restricting Access to the CA
    8. 18.7. Auditing CA Operations
    9. 18.8. Configuring Certificate Templates
    10. 18.9. Authorizing the CA to Issue Certificates
    11. 18.10. Archiving Private Keys
    12. 18.11. Sending Enrollment Notifications via Email
    13. 18.12. Requesting Certificates Automatically
    14. 18.13. Approving and Denying Certificate Requests
    15. 18.14. Retrieving Issued Certificates
    16. 18.15. Renewing Certificates
    17. 18.16. Revoking Certificates
    18. 18.17. Configuring a Trusted Certificate
    19. 18.18. Identifying Local Certificates and Private Keys
    20. 18.19. Backing Up Certificates and Private Keys
    21. 18.20. Restoring Certificates and Private Keys
  21. 19. Auditing
    1. 19.1. Introduction
    2. 19.1. Auditing Account Logon Events
    3. 19.2. Auditing Account Management Events
    4. 19.3. Auditing Directory Service Events
    5. 19.4. Auditing File Access
    6. 19.5. Auditing File Share Configuration Events
    7. 19.6. Auditing Web Server Access
    8. 19.7. Auditing Policy Change Events
    9. 19.8. Auditing Privilege Use Events
    10. 19.9. Auditing Process Tracking Events
    11. 19.10. Auditing System Events
    12. 19.11. Shutting Down Windows When Unable to Log Events
  22. 20. Event Logs
    1. 20.1. Introduction
    2. 20.1. Viewing Events
    3. 20.2. Setting the Maximum Size of an Event Log
    4. 20.3. Setting the Event Log Retention Policy
    5. 20.4. Clearing the Events in an Event Log
    6. 20.5. Restricting Access to an Event Log
    7. 20.6. Searching the Event Logs on Multiple Servers
    8. 20.7. Archiving an Event Log
    9. 20.8. Finding More Information About an Event
    10. 20.9. Triggering an Action when an Event Occurs
    11. 20.10. Consolidating Event Logs
  23. 21. Patch Management
    1. 21.1. Introduction
    2. 21.1. Installing a Root Update Server
    3. 21.2. Installing a Subordinate Update Server
    4. 21.3. Installing a Nonstoring Update Server
    5. 21.4. Installing an Update Server on a Nondedicated Server
    6. 21.5. Configuring Computers to Use the Internal Update Server
    7. 21.6. Refreshing the Update Server
    8. 21.7. Configuring the Computer Update Type and Schedule
    9. 21.8. Creating a Test Group
    10. 21.9. Approving and Declining Updates
    11. 21.10. Automatically Approving Critical Updates
    12. 21.11. Removing Updates
    13. 21.12. Forcing an Update Scan
    14. 21.13. Manually Applying Updates
    15. 21.14. Disabling Windows Update
    16. 21.15. Checking Status of Update Application
    17. 21.16. Verifying Update Application with MBSA
  24. About the Authors
  25. Colophon
  26. Copyright