Professional Windows Server 1002003 Security A Technical Reference [Electronic resources] نسخه متنی

اینجــــا یک کتابخانه دیجیتالی است

با بیش از 100000 منبع الکترونیکی رایگان به زبان فارسی ، عربی و انگلیسی

جستجو بر اساس ... همه عنوان پدیدآور موضوع یادداشت تمام متن
اصطلاحنامه مجموعه ها مرورالفبایی لغت نامه دهخدا
جستجو در لغت نامه
بیشتر
کتابخانه شخصی پرسش از کتابدار ارسال منبع

Professional Windows Server 1002003 Security A Technical Reference [Electronic resources] - نسخه متنی

Roberta Bragg

| نمايش فراداده ، افزودن یک نقد و بررسی
افزودن به کتابخانه شخصی
میخواهم بخوانم
درحال خواندن
خوانده شده
ارسال به دوستان

آدرس پست الکترونیک گیرنده :

آدرس پست الکترونیک فرستنده :

نام و نام خانوارگی فرستنده :

پیغام برای گیرنده ( حداکثر 250 حرف ) :

کد امنیتی را وارد نمایید

ارسال
جستجو در متن کتاب
بیشتر
تنظیمات قلم

فونت

اندازه قلم

+ - پیش فرض

حالت نمایش

روز نیمروز شب
جستجو در لغت نامه
بیشتر
لیست موضوعات

Windows Server 2003 Security: A Technical Reference

By Table of Contents | Index

If you''''re a working Windows administrator, security is your #1 challenge. Now there''''s a single-source reference you can rely on for authoritative, independent help with every Windows Server security feature, tool, and option: Windows Server 2003 SecurityRenowned Windows security expert Roberta Bragg has brought together information that was formerly scattered through dozens of books and hundreds of online sources. She goes beyond facts and procedures, sharing powerful insights drawn from decades in IT administration and security. You''''ll find expert implementation tips and realistic best practices for every Windows environment, from workgroup servers to global domain architectures. Learn how to: Reflect the core principles of information security throughout your plans and processes Establish effective authentication and passwords Restrict access to servers, application software, and data Make the most of the Encrypting File System (EFS) Use Active Directory''''s security features and secure Active Directory itself Develop, implement, and troubleshoot group policies Deploy a secure Public Key Infrastructure (PKI) Secure remote access using VPNs via IPSec, SSL, SMB signing, LDAP signing, and more Audit and monitor your systems, detect intrusions, and respond appropriately Maintain security and protect business continuity on an ongoing basis"Once again, Roberta Bragg proves why she is a leading authority in the security field! It''''s clear that Roberta has had a great deal of experience in real-world security design and implementation. I''''m grateful that this book provides clarity on what is often a baffling subject!"James I. Conrad, MCSE 2003, Server+, Certified Ethical Hacker James@accusource.net"Full of relevant and insightful information. Certain to be a staple reference book for anyone dealing with Windows Server 2003 security. Roberta Bragg''''s Windows Server 2003 Security is a MUST read for anyone administering Windows Server 2003."Philip Cox, Consultant, SystemExperts Corporation phil.cox@systemexperts.com"Few people in the security world understand and appreciate every aspect of network security like Roberta Bragg. She is as formidable a security mind as I have ever met, and this is augmented by her ability to communicate the concepts clearly, concisely, and with a rapier wit. I have enjoyed working with Roberta more than I have on any of the other 20 some odd books to which I have contributed. She is a giant in the field of network security."Bob Reinsch bob.reinsch@fosstraining.com"Windows Server 2003 Security explains why you should do things and then tells you how to do it! It is a comprehensive guide to Windows security that provides the information you need to secure your systems. Read it and apply the information."Richard Siddaway, MCSE rsiddaw@hotmail.com"Ms. Bragg''''s latest book is both easy to read and technically accurate. It will be a valuable resource for network administrators and anyone else dealing with Windows Server 2003 security."Michael VonTungeln, MCSE, CTT mvontung@yahoo.com"I subscribe to a number of newsletters that Roberta Bragg writes and I have ''''always'''' found her writing to be perfectly focused on issues I ''''need'''' to know in my workplace when dealing with my users. Her concise writing style and simple solutions bring me back to her columns time after time. When I heard she had written a guide on Windows 2003 security, I ''''had'''' to have it.Following her guidance on deployment, her advice on avoiding common pitfalls, and her easy to follow guidelines on how to lock down my network and user environments (those darned users!) has me (and my clients) much more comfortable with our Win2k3 Server deployments. From AD to GPO''''s to EFS, this book covers it all."Robert Laposta, MCP, MCSA, MCSE, Io Network Services, Sierra Vista AZrob.laposta@cox.net"Roberta Bragg has developed a ''''must have'''' manual for administrators who manage Microsoft Windows 2003 servers in their organizations. The best practices for strengthening security controls are well organized with practical examples shared throughout the book. If you work with Windows 2003, you need this great resource."Harry L. Waldron, CPCU, CCP, AAI, Microsoft MVP - Windows Security Information Technology Consultant harrywaldronmvp@yahoo.com"Roberta Bragg''''s Windows Server 2003 Security offers more than just lucid coverage of how things work, but also offers sound advice on how to make them work better."Chris Quirk; MVP Windows shell/user cquirke@mvps.org"This book is an invaluable resource for anyone concerned about the security of Windows Server 2003. Despite the amount and complexity of the material presented, Roberta delivers very readable and clear coverage on most of the security-related aspects of Microsoft''''s flagship operative system. Highly recommended reading!"Valery Pryamikov, Security MVP, Harper Security Consulting valery.pryamikov@harper.no"As long as you have something to do with Windows 2003, I have four words for you: ''''Order your copy now.''''"Bernard Cheah, Microsoft IIS MVP, Infra Architect, Intel Corp. bernard@mvps.org"Roberta Bragg has developed a ''''must have'''' manual for administrators who manage Microsoft Windows 2003 servers in their organizations. The best practices for strengthening security controls are well organized, with practical examples shared throughout the book. If you work with Windows 2003, you need this great resource."Harry L. Waldron CPCU, CCP, AAI Microsoft MVPWindows Security Information Technology Consultant
توضیحات
افزودن یادداشت جدید







Use Custom Templates to Configure Key Archival for EFS


Chapter 6, "EFS Basics," detailed the basics of EFS and warned of the problems that damaged and missing private EFS keys can cause. One way to mitigate this risk is to use PKI to replace the use of self-signed EFS certificates with CA-provided EFS certificates and to provide multiple recovery agents. This can be implemented in either a Win- dows 2000 CA PKI or a Windows Server 2003 PKI. However, in a Windows Server 2003 forest in Windows Server 2003 functional mode, a Windows Server 2003 Enterprise Edition Enterprise CA can also be used to establish key archival. The following steps must be taken:


1.

Create a EFS Key Recovery Agent custom template.

2.

Create a new Windows group, EFS Key Recovery Agents.

3.

Give the new group Read and Enroll permissions on the template.

4.

Add users to the new Windows group and have them request Key Recovery Agent Certificates.

5.

Enable Key archival on the CA and add the Key Recovery Agent Certificates.

6.

Create a new EFS template that allows key archival.

7.

Give those users who are allowed EFS permission the Read and Enroll permissions on the new template.

8.

Replace or issue new EFS certificates.


Steps 2 and 4 are not described because they represent common administrative tasks. Step 3 is performed during template creation, and step 8 is managed by setting Autoenroll and Supercede permissions while configuring the custom EFS template.

Create Key Recovery Agent Template and Add to the CA


The first step is to create a custom template:


1.

Open the Certificate Templates console by right-clicking the Certificate Templates node in the Certification Authority console and clicking Manage.

2.

Right-click the Key Recovery Agent certificate and select Duplicate template.

3.

Name the certificate template EFS Key Recovery Agent or some other descriptive name.

4.

Click OK.

5.

Double-click the template to open it.

6.

Select the Issuance Requirements Page and select CA certificate manager approval, as shown in Figure 13-30.

Figure 13-30. Make sure that the Key Recovery Agent Certificate is NOT automatically published.

7.

Select the Security page and use the Add button to add the EFS Key Recovery Agent Group, as shown in Figure 13-31.

Figure 13-31. Add the Recovery Agent group to the certificate template.

8.

Click OK to return to the console.

9.

Select the EFS Recovery Agent group and give it Enroll and Autoenroll permissions.

10.

From the CA console, right-click the Certificate Templates node, select New, and then Certificate Template to Issue.

11.

In the Enable Certificate Templates box, as shown in Figure 13-32, select EFS Key Recovery Agent and click OK.

Figure 13-32. Add the EFS Key Recovery Agent certificate to the CA.

[View full size image]


Issue Key Recovery Agent Certificates


Before Key archival can be enabled, at least one Key Recovery Agent Certificate must be issued, and a new EFS template must be created that allows key archival:


1.

Add the users who have been granted key recovery permission to the new Windows group. A good practice is to create accounts for use as key recovery agents. These accounts are only used to obtain the key recovery certificate

2.

Log on using an account that has been given key recovery rights.

3.

Open a Certificates console by adding the snap-in to an MMC.

4.

Right-click the Personal\Certificates store and select All tasks. Request a new Certificate.

5.

Click Next on the Request a New Certificate Wizard welcome page.

6.

Select the EFS Key Recovery Agent certificate.

7.

Enter a friendly name, click Next, and then click Finish.

8.

Open the Certification Authority console.

9.

Right-click the Pending Requests, and select the certificate just requested.

10.

Right-click this certificate and click Issue.


Create Key Archival EFS Certificate


Certificates must also be set with the key archival extension. To do so, create a custom template:


1.

Open the Certificate Templates console by right-clicking the Certificate Templates node in the Certification Authority console and clicking Manage.

2.

Right-click the Basic EFS certificate and select Duplicate template.

3.

On the General page, name the certificate template EFS Archival or some other descriptive name.

4.

On the Request Handling page, select Archive Subject's Encryption Private Key, as shown in Figure 13-33, and then click OK.

Figure 13-33. The certificate won't be marked as good until the process is complete.

5.

On the Superceded Templates page, select Supercede and select the EFS certificate.

6.

Select the Security page, add those groups who will be allowed to use EFS, and then give them Read and Enroll permissions on the template.

7.

Click OK to return to the console.

8.

From the CA console, right-click the Certificate Templates node and select New, then Certificate Template to Issue.

9.

In the Enable Certificate Templates box, select EFS Archival and click OK.


Enable Key Archival on the CA


Key archival is not enabled by default. To enable it, do the following:


1.

Open the Certificate Authorities console.

2.

Right-click the CA and select Properties.

3.

Select the Recovery Agent page.

4.

Select Archive the Key.

5.

Enter 1 for the Number of Recovery Agents.

6.

In the Key Recovery Agents Certificates box, as shown in Figure 13-34, select an account that has been issued a certificate.

Figure 13-34. Select the Key Recovery Agent certificate.

7.

Select the agent and click OK. The certificate will be x'd, as shown in Figure 13-35. After certificate services are restarted, the x will disappear, as shown in Figure 13-36, to indicate that it is accepted and that key archival has been configured. (On the screen, the x is red and the unx'd certificate is green.)

Figure 13-35. The certificate won't be marked as good until the process is complete.

Figure 13-36. After certificate services are stopped and started, the certificate will be approved.



/ 194