Professional Windows Server 2003 Security: A Technical Reference [Electronic resources], text version

Roberta Bragg

Deploying Secure Domain Controllers


One of the best ways to ensure secure domain controllers is to install them securely configured from the start and to deploy them in a secure manner. The DC is secured before it is placed into production. Many of these security steps can be incorporated into an automated installation process.


Best Practices for DC Deployment


Five distinct sets of steps must be completed to bring up a DC securely:

Practice secure preparation steps

Use a secure installation procedure

Secure the server post installation, but prior to dcpromo

Use a secure dcpromo process and secure the server during dcpromo

Secure the server post dcpromo

Preparation


Before a domain controller is established on the network, prepare for its installation. Some steps are done before the first DC in the forest is established and then maintained, while others need to be prepared before each new DC is installed. Prior to installing the first domain controller, do the following:

Secure DNS
Active Directory depends on DNS. Securing DNS is paramount. Steps for securing DNS are detailed in Chapter 11.

Secure the network infrastructure
Although the DC itself should be hardened, it should always be operated in a secure environment. Routers, network segments, and switches should all be secure. An excellent source of information on network infrastructure security can be found in Hardening Network Infrastructure by Wes Noonan (McGraw-Hill Osborne Media, 2004).

Prepare a secure physical location
Specifics may vary from a locked cabinet in a small branch office to a data center. The objective is to secure from theft, restrict access, and prevent the addition of rogue applications, drivers, services, or configuration.

Secure the computer itself
Hardening the server hardware includes removing or securing removable drives, establishing a boot policy, and removing access to unnecessary ports, such as unused USB or serial ports.

Prepare the server post installation but prior to dcpromo.

Establish policy and procedures for domain controller installation
Prior to establishing the first DC of the production network, policy and procedures should be written. If those responsible for writing policies and procedures are unfamiliar with Active Directory, a test network should be provided along with proper education and training.


Policies and Procedures for Domain Controller Installation

Policies and procedures for domain controller installation should include the following:

Specifying who has the authority to install the DC.

Specifying that if the server can't be physically secured from console access during installation, it should not be left unattended.

Specifying where domain controller installation can be done, such as doing as much as possible outside the production network.

Providing automated processes for as many phases of installation as possible.

Developing a procedure for secure installation of DCs at remote locations. Some organizations install the DC and then ship them. Specify a secure shipping method to prevent theft of the DC during shipping.

Specifying that only service administrators do DC installations.


Here are the sound steps to include in policies and procedures:

Provide multiple physical drives so that Active Directory components can be on separate drives, and the AD database can be separate from the Windows Server 2003 operating system. Taking these actions improves performance and availability and protects AD from potential directory traversal attacks and disk-filling DoS attacks. In a directory traversal attack, an attacker gains access to one directory on a disk, then uses tools and commands in an attempt to access other folders. Thus, access to a mundane folder with no sensitive items might be leveraged into access to more sensitive ones, such as AD. By placing components on different physical disks, you can thwart these attacks.

Create or modify security templates that meet the DC security baseline. Potential settings were described previously, and preconfigured secure DC baseline templates can be downloaded from Microsoft.

Prepare a separate build network for installations if network install is your choice. Otherwise, prepare custom bootable CD-ROMs with changes made.

Modify default security settings by modifying default security templates used by server install and dcpromo. Make sure these modified templates are available to the system during install by modifying the defaults and ensuring that they are located on the installation media where the system expects to find them during install.


Server Installation

Before a server becomes a DC, the Windows operating system must be installed. The following steps will provide a more secure base on which to create a DC:


1.

Do a base minimal install. Do not install IIS, indexing services, or any extra services. Do not install additional administrative tools, such as support tools or resource kit tools. (When these tools are available, they may prove useful to an attacker.) Do not connect the server to the production network during or after installation to avoid the risk that it may be compromised or infected by a virus, Trojan, or worm. Do not connect the server to the Internet for the same reason.

2.

Apply all service packs and updates according to the latest security bulletins. Even if this DC will receive updates automatically from SUS or other patching services on your network, it should be placed on the network as secure and up-to-date as it can be. Discovering update needs and getting a system updated, even automatically, can take time, during which the system might be compromised. (If you must put the server on the network to complete updates, enable the built-in firewall. Remember to disable the firewall before dcpromo.)

3.

Check root volume permissions. These should be set via security templates during installation, but check them anyway and adjust as required by your security policy.


After Server Installation But Before dcpromo

After the server is installed, scan for viruses and create a reserve file.

Virus scanning should always be done before dcpromo to ensure that the server is virus-free. Then, the virus scanner should be turned off.

Create a reserve file to enable recovery from disk space attacks. A reserve file is a file created on the same drive as ntds.dit (the AD database). It contains no useful data; it simply occupies room on the disk. One type of disk space attack adds objects to Active Directory: even after the administrator deletes the unneeded objects, their tombstones remain for some time, so the size of the database is not reduced. A disk space attack can fill the disk and cripple AD, but it cannot overwrite the reserve file. The administrator recovers by deleting the reserve file, which gives AD room to operate while the tombstones of the unneeded objects are still present.
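As an added example (not the book's own procedure), the following PowerShell script creates a reserve file on the volume that holds ntds.dit and checks that the volume has room for it. Before dcpromo the NTDS registry key does not yet exist, so the planned database path is passed in and must match the path later given to dcpromo; the file name, size and the D:\NTDS default are assumptions.

```powershell
# Added example: reserve a block of disk space beside ntds.dit so that a
# disk-filling attack leaves the administrator something to delete.
param(
    [string]$PlannedDatabasePath = 'D:\NTDS',   # assumption; must match dcpromo's DatabasePath
    [string]$ReserveName         = 'ntds_reserve.bin',
    [long]  $ReserveBytes        = 250MB        # assumption; size to suit the volume
)

function Get-NtdsVolume([string]$Planned) {
    # After dcpromo the real location is recorded under the NTDS service key;
    # before dcpromo fall back to the planned path.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dit = $null
    if (Test-Path $key) { $dit = (Get-ItemProperty -Path $key).'DSA Database file' }
    if (-not $dit) { $dit = $Planned }
    return (Split-Path -Qualifier $dit).ToUpper()      # e.g. "D:"
}

function New-NtdsReserveFile([string]$Volume, [string]$Name, [long]$Bytes) {
    $reserve = Join-Path $Volume $Name
    if (Test-Path $reserve) { return $reserve }        # already reserved, nothing to do

    # Refuse to create a reserve that would itself leave the volume nearly full.
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$Volume'"
    if (-not $disk) { throw "Volume $Volume not found" }
    if (($disk.FreeSpace - $Bytes) -lt (2 * $Bytes)) {
        throw "Only $($disk.FreeSpace) bytes free on $Volume; reserve of $Bytes bytes is too large"
    }

    # fsutil allocates the space without writing data; the file is a placeholder only.
    & fsutil file createnew $reserve $Bytes | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "fsutil failed with exit code $LASTEXITCODE" }
    return $reserve
}

$volume = Get-NtdsVolume -Planned $PlannedDatabasePath
$path   = New-NtdsReserveFile -Volume $volume -Name $ReserveName -Bytes $ReserveBytes
Write-Host "Reserve file in place: $path"
# Recovery when the volume fills: Remove-Item $path frees space for AD while the
# tombstones of the unneeded objects are still present.
```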

TIP: Don't Let Virus Scanners Scan SYSVOL

After dcpromo, virus scanners should be modified to prevent the scanning of SYSVOL and other folders that are replicated by the file-replication service. Many anti-virus products modify file settings when scanning files. This modification on folders that are replicated can trigger replication. A large amount of file replication can severely affect the performance on the network.

During dcpromo

The dcpromo process promotes an ordinary server and makes it a DC. Here are the guidelines to follow for dcpromo:

Disable pre-Windows 2000 compatibility. Pre-Windows 2000 compatibility needs to be enabled only if legacy applications that require anonymous access to AD are present, such as RRAS or RAS on NT 4.0 or SQL Server 6.0 applications. It also provides access to many files, folders, Active Directory objects, and registry keys to members of the Pre-Windows 2000 Compatibility group. For example, it provides read permission on the domain root and on all user, computer, and group objects when enabled. The group Everyone is added to the Pre-Windows 2000 Compatibility group. In Windows Server 2003, this does not include the anonymous SID; it does, however, provide access to every authenticated user and the Guest account. This access is far too broad.

Place the database and SYSVOL on the same physical drive, but separate from the system volume. The system volume is a common place where large print jobs are spooled, thus filling up the folder. If AD is on the same drive, it may be crippled because the drive may be filled by other activity, and AD will not have enough room to operate. (If the DC will not be a print server, disable the print service.)

Improve performance by placing log files and the paging file on their own dedicated physical drive(s), not the system drive.


After Installation

After the DC is installed, additional steps should be taken:

Configure virus protection to skip virus checking on any drives that are or will be configured for the File-Replication Service. (Otherwise, every replication will trigger excessive virus checking.) Turn virus checking back on.

Prepare for secure replication and other communications.

Move the domain controller into a secured place in the data center.



Best Practices for Branch Office Builds and Rebuilds


Installing a DC at a branch office can be a challenge. If, however, you must build or rebuild a DC at a branch office, the following guidelines will make the process more secure:

Do not leave unattended.

Use automated method.

Locate in a lockable room.

Restrict access during install.

Provide for restricted access after install.

Do not let computers remain connected to the network or Internet during installation and configuration of server.

Avoid dcpromo replication over the WAN by using the dcpromo /adv command. You need to bring with you a backup copy of Active Directory and use that during installation. During the installation process, select "from these restored backup files" instead of "over the network from a domain controller". dcpromo will be able to use the provided files to get up and running. Once completed, normal replication over the WAN will bring the DC up to the current Active Directory status.

Automate Domain Controller Installation


Where possible, automate domain controller installation. This has more benefits than just speeding up the task and removing some of its labor. When procedures are automated, they are done the same exact way every time. When procedures are done manually, mistakes and omissions can happen. It's also true that because installations can take a while, systems may be left open with administrator privileges for some time before anyone returns to start the next stage of the process. Automated installation, when done correctly and tested, will complete the process without any gaps. Several possibilities for configuring automated installation exist. Remote Installation Services (RIS), sysprep, and third-party products all do a good job. The basic process consists of preparing the automated installation media or process, starting the installation, and moving the DC into production. To prepare and utilize an automated install, follow these steps:


1.

Create a clean server install. Modify server default templates as previously discussed.

2.

Configure security (apply templates and other configuration).

3.

Prepare an answer file so that questions that normally would require user input will be entered automatically.

4.

Prepare an answer file for dcpromo and use the dcpromo.exe /answer:answerfilename command to run dcpromo. This command should be run when the server first restarts so as to reduce the potential for introduction of unauthorized files. To make this happen, place this command under the registry key:


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Or, if using Sysprep, modify the [GuiRunOnce] section of the sysprep.inf answer file before running sysprep. The setting should look like this:


[GuiRunOnce]
Command0 = "dcpromo /answer:ansfile.txt"

5.

Prepare so that the latest service packs and updates are installed automatically as well.

6.

Create the image using sysprep, RIS, or third-party tools.

7.

Deploy image to target computer.

8.

Configure computer-specific settings.

9.

If this is the first DC in the domain, and security settings were not defined during install or dcpromo or if more are required, define users and administrative rights in domain. Create user groups, give rights, create OUs, and so on. Add any additional GPO and link to domain container and OUs.

10.

Ship or move to place in production. If it is necessary to ship, use a trusted shipping method, one that requires signatures.
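The dcpromo guidelines given earlier (pre-Windows 2000 compatibility disabled, database and SYSVOL on one non-system drive, logs on their own drive, promotion from restored backup files rather than over the WAN) can be written into the answer file that step 4 runs from RunOnce or [GuiRunOnce]. The script below is an added example, not the book's or Microsoft's code: it checks the drive layout before writing the file, and the [DCInstall] key names follow the Windows Server 2003 dcpromo unattend format and should be confirmed against ref.chm on your installation media; the domain name, site name, drive letters and the angle-bracket placeholders are assumptions.

```powershell
# Added example: generate a dcpromo answer file that enforces the chapter's layout rules.
param(
    [string]$DomainDns  = 'corp.example.com',   # assumption
    [string]$SiteName   = 'Branch-01',          # assumption
    [string]$DbPath     = 'D:\NTDS',            # database: not the system drive
    [string]$SysvolPath = 'D:\SYSVOL',          # SYSVOL: same physical drive as the database
    [string]$LogPath    = 'E:\NTDS-Logs',       # logs: their own drive
    [string]$IfmPath    = 'D:\ADBackup',        # restored backup files carried to the site
    [string]$AnswerFile = 'C:\Build\dcanswer.txt'
)

function Get-DriveLetter([string]$Path) { (Split-Path -Qualifier $Path).ToUpper() }

function Test-DcDriveLayout([string]$Db, [string]$Sysvol, [string]$Log) {
    $sys = $env:SystemDrive.ToUpper()
    if ((Get-DriveLetter $Db) -eq $sys)      { throw "Database must not be on the system drive $sys" }
    if ((Get-DriveLetter $Sysvol) -ne (Get-DriveLetter $Db)) { throw 'SYSVOL must share the database drive' }
    $logDrive = Get-DriveLetter $Log
    if ($logDrive -eq $sys -or $logDrive -eq (Get-DriveLetter $Db)) { throw 'Logs need their own drive' }
    return $true
}

Test-DcDriveLayout -Db $DbPath -Sysvol $SysvolPath -Log $LogPath | Out-Null

# AllowAnonymousAccess=No is the unattended form of leaving the
# "permissions compatible with pre-Windows 2000 servers" option unselected.
# ReplicationSourcePath selects "from these restored backup files" (dcpromo /adv).
$answer = @"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=$DomainDns
SiteName=$SiteName
ReplicationSourcePath=$IfmPath
DatabasePath=$DbPath
LogPath=$LogPath
SYSVOLPath=$SysvolPath
AllowAnonymousAccess=No
SafeModeAdminPassword=<set-before-use>
UserName=<service-admin-account>
UserDomain=$DomainDns
Password=<set-before-use>
RebootOnSuccess=Yes
"@

Set-Content -Path $AnswerFile -Value $answer -Encoding ASCII
# The file carries credentials: fill them in only on the build system, and remove the
# file once promotion has completed. Run as:  dcpromo /answer:$AnswerFile
```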


Secure Replication


Active Directory changes are replicated between all domain controllers in a domain and between the Global catalog servers in each domain in the forest. By default, all replication is encrypted and authenticated. Securing replication is part securing the domain controllers, part adding security to the data transfer, and part improving the security of the networks over which it may pass. Govern the private network with sound network security practices, and this will do much to ensure the security of AD replicated data. When replication data must pass over untrusted networks, additional steps should be taken. Possibilities are using SMTP as a replication protocol and using IPSec or a VPN.

SMTP-Based Replication

Normal Active Directory replication uses RPC over TCP/IP. SMTP can also be used for replication, but it requires certificates and can replicate only the schema, configuration, and application directory partitions. SMTP cannot be used to replicate domain directory partitions. Hence, if all DCs for a domain reside in one site, it may be possible to use only SMTP replication between sites, but where DCs of a domain are spread across multiple sites, RPC over TCP/IP must also be used. Using SMTP can improve security because RPC ports do not need to be opened on firewalls and because SMTP replication requires certificate-based authentication.

Using IPSec or a VPN

An extra layer of security can be achieved by using an IPSec policy for domain replication. Where replication data must traverse networks such as the Internet, a VPN connection between the two sites should be established and used for replication.

