Professional Windows Server 2003 Security: A Technical Reference [Electronic resources]
Roberta Bragg

Apply Security Templates


Security templates have no effect upon the operating system unless they are applied. This can be done by using Group Policy, by using Security Configuration and Analysis, or by using the secedit command.

WARNING: On the Other Hand…

If a security template is incorrectly configured and then applied, it can make a computer inoperable. If it is imported into a Group Policy Object, it can make many machines inoperable.

Use an Active Directory Design to Secure Computer Roles


An appropriate Active Directory design to fulfill your needs is beyond the scope of this book. However, the following Active Directory design supports the security architecture defined by server roles. It allows the majority of security settings appropriate for securing various servers to be applied periodically and efficiently across multiple servers. It utilizes the templates provided with the "Windows Server 2003 Security Guide" and allows for its extension via the creation of additional templates.

Active Directory planning information, including design tips and best practices, is presented in the Windows Server 2003 Development Kit. This set can be purchased or searched online. Specifically, Active Directory design is addressed in the "Designing and Deploying Active Directory and Security Services" book at http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=6cde6ee7-5df1-4394-92ed-2147c3a9ebbe.

In this design, two top-level OUs are created: one for servers and one for workstations. Underneath these OUs, sub-OUs are created, one for each computer role. This allows a unique security design to be developed for each role and implemented, as far as possible, through GPOs linked to the appropriate OU. Figure 11-9 displays the design. In the figure, the two top-level OUs are labeled WorkstationOU and ServerOU. The WorkstationOU has a sub-OU for Windows 2000 Professional and one for Windows XP.

Figure 11-9. Designing OUs for Role Management.

The computer accounts for each type of workstation and server can then be added to the appropriate OUs. Each OU as well as the domain must have an appropriate GPO created and linked to its container. A security template can be designed for and then imported into the appropriate OU. Templates created by Microsoft or third parties can be used, or custom templates can be created. Be sure an appropriate template is available for each OU.

Table 11-7 is a hypothetical design that lists each OU, template type, and a number of unique templates that might be created if these specific roles exist. Each template is given a name, but those that begin with an asterisk (*) are not provided by Microsoft. You can create templates with any name you choose.

Table 11-7. Security Templates/OU matching

Active Directory Location   Computer Role               Template Name
ServerOU                    Server                      High Security Member Server Baseline.inf
WorkstationOU               Workstation                 *High Security Workstation.inf
W2KProfOU                   Windows 2000 Professional   *W2kprof.inf
XPOU                        Windows XP Professional     *XP.inf
Infrastructure              DHCP, DNS                   High Security Infrastructure Server.inf
File Server                 File server                 High Security File Server.inf
Print Server                Print server                High Security Print Server.inf
Domain Controllers          Domain controller           High Security Domain Controller.inf

To apply this design, the templates must be created, and then they must be imported into the Group Policy Object that is linked to the appropriate OU. Before taking this action, be sure to back up the GPO. To import the settings, perform these steps:

1. Open the Active Directory Users and Computers console.
2. Right-click the OU and select Properties.
3. Select the Group Policy tab.
4. Select the GPO that the security template will be imported into, and click the Edit button.
5. Expand the GPO and right-click Windows Settings, Security Settings, then select Import Settings.
6. Select, or browse to and select, the appropriate template file and click OK.


Alternatively, if GPMC has been installed, right-click the GPO in the GPO section of the GPMC and then select Import Settings, as shown in Figure 11-10. In either case, the Import Settings Wizard will run and allow you to select and apply the desired security template. When GPMC is used, you are prompted to back up the GPO before importing the settings.

Figure 11-10. Importing a security template into a GPO.

Using the Security Configuration and Analysis Tool


Security Configuration and Analysis is an MMC snap-in tool that can be used to apply security templates to a single computer or to compare a specific security template to the computer's current settings. A command-line version of the tool, secedit, is also available. This tool fits both the standalone and the Active Directory approach to security configuration.

In an Active Directory environment, the tool can be used in a test lab to configure systems and test new templates. Instead of applying a new template to many machines at once, with potentially harmful results, the template can be tested on a single machine. It can also be used in the production environment to test the security status of specific computers.

Where no Active Directory environment exists, or where some computers are not joined to the domain, Security Configuration and Analysis can be used to apply standard security settings to a single computer in an automated fashion. The secedit command-line tool can be used in a script to apply settings on a single computer or potentially many computers. Both tools can be used to audit current security settings against an approved template.

The best way to apply security templates to domain member computers is to use Group Policy and Active Directory. If you correctly configure the GPOs, settings will be applied, and security settings will be refreshed at regular intervals. However, Windows 2000, Windows XP Professional, or Windows Server 2003 computers that are not members of a domain can still benefit from the use of security templates and the baselining process. The Security Configuration and Analysis console or its command-line version, secedit, can be used to apply the templates. The following procedures tell you how.

Using Multiple Templates with Security Configuration and Analysis

A great way to apply security using Group Policy is to incorporate a design using multiple policies, each of which may utilize a different template. The use of a baseline hardening template and an incremental role-specific template is one such design. The same sort of security design can be planned for standalone computers; however, you must pay attention to the order of template application. Applying multiple templates using Security Configuration and Analysis may seem simple, but it can become complicated. Three factors play a role: the current security status of the machine, the order of template application, and whether or not the database is cleared before a new template is applied. When the tool is first run, it creates a database whose settings are based on your selection of a preconfigured security template. Alternatively, you can select and use a previously created database. If an old database is cleared when the new template is added, only the settings in the new template are applied. However, if the old template settings were previously applied to the machine, clearing the template from the database does not remove these settings. If the database is not cleared, adding an additional template means the following:

If the new template setting is not defined and the old template setting is defined, the setting remains the way it is in the old template.

If a setting in the new template is defined and the setting is not defined in the old template, the setting changes to the setting in the new template.

If a setting is defined in both the old template and the new template, the new template setting is applied.
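To make the three rules concrete, here is an added PowerShell example (not from the book) that parses two small .inf-style templates and computes what the database would hold when the second template is added without clearing the first. The template text, the setting values and the function names are constructed for this example; the real tool performs this merge inside its .sdb database, and the script only models that logic.

```powershell
# Added example, not from the book: model the database merge rules for an old
# template that is already in the database and a new template added without
# clearing it. Templates below are constructed and are not real Security Guide files.

function ConvertFrom-SecurityTemplate {
    # Parse INI-style .inf text into a hashtable: section -> (setting -> value).
    param([string]$Text)
    $result  = @{}
    $section = $null
    foreach ($rawLine in ($Text -split "`r?`n")) {
        $line = $rawLine.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }   # blank or comment
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1]
            if (-not $result.ContainsKey($section)) { $result[$section] = @{} }
            continue
        }
        if ($section -and ($line -match '^([^=]+?)\s*=\s*(.*)$')) {
            $result[$section][$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

function Merge-SecurityTemplate {
    # Rule 1: defined only in the old template -> old value stays.
    # Rule 2: defined only in the new template -> new value is used.
    # Rule 3: defined in both                  -> new value wins.
    param([hashtable]$Old, [hashtable]$New)
    $merged   = @{}
    $sections = @($Old.Keys) + @($New.Keys) | Sort-Object -Unique
    foreach ($sec in $sections) {
        $merged[$sec] = @{}
        if ($Old.ContainsKey($sec)) {
            foreach ($k in $Old[$sec].Keys) { $merged[$sec][$k] = $Old[$sec][$k] }
        }
        if ($New.ContainsKey($sec)) {
            foreach ($k in $New[$sec].Keys) { $merged[$sec][$k] = $New[$sec][$k] }
        }
    }
    return $merged
}

# Constructed sample: the template already in the database ...
$oldInf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 10
[Version]
signature="$CHICAGO$"
Revision=1
'@

# ... and the incremental template added to it without clearing.
$newInf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 12
MaximumPasswordAge = 42
[Version]
signature="$CHICAGO$"
Revision=1
'@

$old    = ConvertFrom-SecurityTemplate $oldInf
$new    = ConvertFrom-SecurityTemplate $newInf
$merged = Merge-SecurityTemplate -Old $old -New $new

# Report every [System Access] setting and which template it came from.
foreach ($key in ($merged['System Access'].Keys | Sort-Object)) {
    $from = if ($new['System Access'].ContainsKey($key)) { 'new template' } else { 'old template (kept)' }
    '{0,-22} = {1,-3} <- {2}' -f $key, $merged['System Access'][$key], $from
}
```

In the sample data, LockoutBadCount and PasswordComplexity exercise rule 1, MaximumPasswordAge exercises rule 2, and MinimumPasswordLength exercises rule 3. Remember the caveat from the text that the model cannot show: settings the old template already pushed to the machine stay in effect even if you later clear the database.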


Apply the Template

The process for applying a template is simple. In the following example, a custom adaptation of the Enterprise Client Member Server Baseline template is applied. The template is named baselineB.inf. A good practice is to create a rollback template, which can be used in case the template causes a problem. In the following example, the command line used to create the rollback template baselineBrollback.inf is given, and the syntax is explained in Table 11-8. You do not have to create a rollback template; however, doing so provides you with a quick way to reverse the settings made by applying the template.

Table 11-8. secedit Syntax

Setting            Description

Analyze            Compares settings in a database template to those set on the machine. This setting can be used to audit security settings.

Configure          Applies security settings from a template.

Import             Imports a template into a database. This command can be used with the configure or analyze command.

Export             Exports a template from a database. Apply two or more templates to the same computer, and then use this command to export the combined settings into a new template.

Validate           Validates the syntax of a template.

Generate rollback  Makes a reverse template, that is, a template that removes most of the settings applied with a template. (File and registry permission settings made in a template cannot be rolled back.)

Db                 Specifies the name of the database file to create or to use.

Cfg                Specifies the name of the template to use.

Overwrite          Overwrites any existing template in the file with another. If this switch is not used, and a template has been added to the database, the combined settings in both templates will be applied.

Log                Specifies a log file to record errors. If no log file is specified, the system uses WINDOWS\Security\Logs\Scesrv.log.

Quiet              Specifies that no data should appear on the screen, and no comments on progress should be provided to the user.

Areas              Applies only the settings listed in a specific area of the template. Other settings are ignored.

Merged policy      Merges and exports domain and local policy.

RBK                Specifies the name of the rollback security template to be created.

Use secedit to Apply Security Templates

secedit is a command-line version of the Security Configuration and Analysis snap-in. It also provides the ability to create rollback templates, which, when applied, reverse settings established by another template. Basic secedit commands are defined in Table 11-8.

To configure the machine using the XYZ template, use the following command:

    secedit /configure /db xyz.sdb /cfg xyz.inf /log xyz.log

To create a rollback template for the XYZ template, use the following command:

    secedit /generaterollback /cfg xyz.inf /rbk xyzrollback.inf /log xyzrollback.log


1. Create the rollback template baselineBrollback.inf by using secedit:

    secedit /generaterollback /cfg baselineB.inf /rbk baselineBrollback.inf /log baselineBrollback.log

2. Add the Security Configuration and Analysis snap-in to an MMC, as shown in Figure 11-11.

Figure 11-11. The Security Configuration and Analysis snap-in must be added to an MMC.

3. Right-click the Security Configuration and Analysis container in the console and select Open database. (You do not have a database yet; creating one is the first step.)
4. In the File Name box, enter the name for the new database and click Open.
5. The Import Template box is opened to the default security template path, as shown in Figure 11-12. Select a template, or browse to a new location and select a template.

Figure 11-12. To create the database, you must import a template. From the Import template box, browse to the location for your template, select it, and click Open.

6. Right-click Security Configuration and Analysis and select Configure Computer.
7. Click OK when asked to confirm the location of the error log.
8. Wait for the configuration to complete and close the console.
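As an added example (not from the book), the following PowerShell script strings the secedit commands from this procedure together in the order a cautious administrator would run them on a test machine: validate the template, generate the rollback template, configure through a fresh database, then analyze against that database to confirm the result. The paths (C:\Templates\baselineB.inf and C:\Templates\work) and the helper function name are assumptions; the script also assumes that secedit signals failure through a non-zero exit code, which you should confirm in your lab before relying on it. The switch syntax follows the book's Windows Server 2003 forms shown above.

```powershell
# Added example, not from the book: apply a security template with secedit
# in the safe order (validate, rollback, configure, analyze).
# Paths below are hypothetical; run from an elevated prompt on a test machine.
param(
    [string]$Template = 'C:\Templates\baselineB.inf',   # hypothetical template path
    [string]$WorkDir  = 'C:\Templates\work'             # hypothetical working folder
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

$name     = [IO.Path]::GetFileNameWithoutExtension($Template)
$db       = Join-Path $WorkDir "$name.sdb"
$rollback = Join-Path $WorkDir "${name}rollback.inf"
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'

function Invoke-Secedit {
    # Run one secedit command and stop the script if it fails.
    # Assumption: secedit returns a non-zero exit code on failure; verify in a lab.
    param([string[]]$SeceditArgs)
    & secedit.exe @SeceditArgs
    if ($LASTEXITCODE -ne 0) {
        throw "secedit $($SeceditArgs[0]) failed with exit code $LASTEXITCODE; check the /log file"
    }
}

# 1. Catch syntax errors before the template touches the machine.
Invoke-Secedit @('/validate', $Template)

# 2. Build the rollback template from the machine's current state.
#    (File and registry permission changes cannot be rolled back, as Table 11-8 notes.)
Invoke-Secedit @('/generaterollback', '/cfg', $Template, '/rbk', $rollback,
                 '/log', (Join-Path $WorkDir "$name-rollback-$stamp.log"), '/quiet')

# 3. Apply the template through a fresh database. /overwrite keeps settings left
#    in an older database from being merged in with this template.
Invoke-Secedit @('/configure', '/db', $db, '/cfg', $Template, '/overwrite',
                 '/log', (Join-Path $WorkDir "$name-configure-$stamp.log"), '/quiet')

# 4. Analyze against the same database to confirm the machine now matches the template.
$analyzeLog = Join-Path $WorkDir "$name-analyze-$stamp.log"
Invoke-Secedit @('/analyze', '/db', $db, '/log', $analyzeLog, '/quiet')

"Applied $Template; analysis log: $analyzeLog"
"To reverse: secedit /configure /db $(Join-Path $WorkDir 'rollback.sdb') /cfg $rollback"
```

Keep the rollback template and the logs with the change record for the server; if the template breaks something, the printed /configure command with the rollback template is the quickest way back to the previous settings, apart from file and registry permissions.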



Test Before Applying


A small business consultant in my community, we'll call him John, called me on a Thursday night. John's customer is a branch office of a large multinational organization. Users at the branch office were not able to access resources on file servers. John had determined that the users were not able to connect to the file servers to retrieve files, but they could do so locally. John had administrative privileges in the domain.

I asked John to use GPMC to look at the GPOs that had been applied to the file server. Sure enough, one of the GPOs had removed all groups except the Administrators group from the user right Access This Computer From The Network. John called the company's support group, and the GPO was changed. Later, he found out what had happened.

It seems that a new administrator imported a new custom template to a new GPO and then linked the GPO to the OU for file servers. After John's call, the GPO was unlinked from the OU, and things returned to normal. If the new administrator had tested the template by applying it to a test server, the problem could have been avoided. Furthermore, if he had created a rollback template, he could have immediately rolled back the settings to those prior to the application of his new template.

