Professional Windows Server 1002003 Security A Technical Reference [Electronic resources] نسخه متنی

اینجــــا یک کتابخانه دیجیتالی است

با بیش از 100000 منبع الکترونیکی رایگان به زبان فارسی ، عربی و انگلیسی

جستجو بر اساس ... همه عنوان پدیدآور موضوع یادداشت تمام متن
اصطلاحنامه مجموعه ها مرورالفبایی لغت نامه دهخدا
جستجو در لغت نامه
بیشتر
کتابخانه شخصی پرسش از کتابدار ارسال منبع

Professional Windows Server 1002003 Security A Technical Reference [Electronic resources] - نسخه متنی

Roberta Bragg

| نمايش فراداده ، افزودن یک نقد و بررسی
افزودن به کتابخانه شخصی
میخواهم بخوانم
درحال خواندن
خوانده شده
ارسال به دوستان

آدرس پست الکترونیک گیرنده :

آدرس پست الکترونیک فرستنده :

نام و نام خانوارگی فرستنده :

پیغام برای گیرنده ( حداکثر 250 حرف ) :

کد امنیتی را وارد نمایید

ارسال
جستجو در متن کتاب
بیشتر
تنظیمات قلم

فونت

اندازه قلم

+ - پیش فرض

حالت نمایش

روز نیمروز شب
جستجو در لغت نامه
بیشتر
لیست موضوعات

Windows Server 2003 Security: A Technical Reference

By Table of Contents | Index

If you''''re a working Windows administrator, security is your #1 challenge. Now there''''s a single-source reference you can rely on for authoritative, independent help with every Windows Server security feature, tool, and option: Windows Server 2003 SecurityRenowned Windows security expert Roberta Bragg has brought together information that was formerly scattered through dozens of books and hundreds of online sources. She goes beyond facts and procedures, sharing powerful insights drawn from decades in IT administration and security. You''''ll find expert implementation tips and realistic best practices for every Windows environment, from workgroup servers to global domain architectures. Learn how to: Reflect the core principles of information security throughout your plans and processes Establish effective authentication and passwords Restrict access to servers, application software, and data Make the most of the Encrypting File System (EFS) Use Active Directory''''s security features and secure Active Directory itself Develop, implement, and troubleshoot group policies Deploy a secure Public Key Infrastructure (PKI) Secure remote access using VPNs via IPSec, SSL, SMB signing, LDAP signing, and more Audit and monitor your systems, detect intrusions, and respond appropriately Maintain security and protect business continuity on an ongoing basis"Once again, Roberta Bragg proves why she is a leading authority in the security field! It''''s clear that Roberta has had a great deal of experience in real-world security design and implementation. I''''m grateful that this book provides clarity on what is often a baffling subject!"James I. Conrad, MCSE 2003, Server+, Certified Ethical Hacker James@accusource.net"Full of relevant and insightful information. Certain to be a staple reference book for anyone dealing with Windows Server 2003 security. Roberta Bragg''''s Windows Server 2003 Security is a MUST read for anyone administering Windows Server 2003."Philip Cox, Consultant, SystemExperts Corporation phil.cox@systemexperts.com"Few people in the security world understand and appreciate every aspect of network security like Roberta Bragg. She is as formidable a security mind as I have ever met, and this is augmented by her ability to communicate the concepts clearly, concisely, and with a rapier wit. I have enjoyed working with Roberta more than I have on any of the other 20 some odd books to which I have contributed. She is a giant in the field of network security."Bob Reinsch bob.reinsch@fosstraining.com"Windows Server 2003 Security explains why you should do things and then tells you how to do it! It is a comprehensive guide to Windows security that provides the information you need to secure your systems. Read it and apply the information."Richard Siddaway, MCSE rsiddaw@hotmail.com"Ms. Bragg''''s latest book is both easy to read and technically accurate. It will be a valuable resource for network administrators and anyone else dealing with Windows Server 2003 security."Michael VonTungeln, MCSE, CTT mvontung@yahoo.com"I subscribe to a number of newsletters that Roberta Bragg writes and I have ''''always'''' found her writing to be perfectly focused on issues I ''''need'''' to know in my workplace when dealing with my users. Her concise writing style and simple solutions bring me back to her columns time after time. When I heard she had written a guide on Windows 2003 security, I ''''had'''' to have it.Following her guidance on deployment, her advice on avoiding common pitfalls, and her easy to follow guidelines on how to lock down my network and user environments (those darned users!) has me (and my clients) much more comfortable with our Win2k3 Server deployments. From AD to GPO''''s to EFS, this book covers it all."Robert Laposta, MCP, MCSA, MCSE, Io Network Services, Sierra Vista AZrob.laposta@cox.net"Roberta Bragg has developed a ''''must have'''' manual for administrators who manage Microsoft Windows 2003 servers in their organizations. The best practices for strengthening security controls are well organized with practical examples shared throughout the book. If you work with Windows 2003, you need this great resource."Harry L. Waldron, CPCU, CCP, AAI, Microsoft MVP - Windows Security Information Technology Consultant harrywaldronmvp@yahoo.com"Roberta Bragg''''s Windows Server 2003 Security offers more than just lucid coverage of how things work, but also offers sound advice on how to make them work better."Chris Quirk; MVP Windows shell/user cquirke@mvps.org"This book is an invaluable resource for anyone concerned about the security of Windows Server 2003. Despite the amount and complexity of the material presented, Roberta delivers very readable and clear coverage on most of the security-related aspects of Microsoft''''s flagship operative system. Highly recommended reading!"Valery Pryamikov, Security MVP, Harper Security Consulting valery.pryamikov@harper.no"As long as you have something to do with Windows 2003, I have four words for you: ''''Order your copy now.''''"Bernard Cheah, Microsoft IIS MVP, Infra Architect, Intel Corp. bernard@mvps.org"Roberta Bragg has developed a ''''must have'''' manual for administrators who manage Microsoft Windows 2003 servers in their organizations. The best practices for strengthening security controls are well organized, with practical examples shared throughout the book. If you work with Windows 2003, you need this great resource."Harry L. Waldron CPCU, CCP, AAI Microsoft MVPWindows Security Information Technology Consultant
توضیحات
افزودن یادداشت جدید







Use Secure Sockets Layer


Secure Sockets Layer (SSL) was devised by Netscape Communications Corporation as a communications protocol that could provide identification of a secure web server and the ability to encrypt communications between a web browser client and a web server. For many years, its main use was just that: to provide secure communications for secure web servers, primarily for e-commerce. Today, however, SSL is used to protect Outlook Web Access (OWA) email access and communications between Microsoft SQL Server and Internet Information Server, between Microsoft Internet Security and Acceleration (ISA) server and IIS, and between ISA and browser clients. It is also used to protect other types of web-based applications, such as web services and even entries on a web form, and it is being offered in dedicated SSL VPN servers. Transport Layer Security (TLS), an industry standard implementation of SSL that works in a similar fashion, is the basis for protection in many Internet-based operations. It is, for example, implemented as an EAPtype. This section describes the basic SSL process and provides straightforward implementation instructions for using SSL with IIS.

In many implementations, SSL implementation consists of installing a certificate on the web server and then requiring SSL at specific web sites that are based on the server. The web applications specify where SSL should be required.

How SSL Works


SSL uses a combination of public key and symmetric key encryption. Symmetric key encryption is used to encrypt the data because it is faster, while public key encryption is used to protect the pre-master key (material used to generate the symmetric session key) and to authenticate the server to the client.. The pre-master key is generated by the client, encrypted using the server's public key, and passed to the server during the SSL handshake. An SSL certificate and associated private key are installed on the server. It is also possible to require client authentication, in which case the client must have an SSL certificate and associated private key. When a connection is requested to the SSL protected server, the following steps make up the SSL handshake or connection:


1.

The client sends the server information that the server will need to communicate with the client. This information includes the client's SSL version number, encryption settings, and other information. For example, if the client is only authorized to use SSL 3.0, it would communicate this information to the server, and if the server only has an SSL 2.0 version certificate, the connection will be terminated.

2.

The server sends the client the information the client will need to communicate with the server, such as a copy of the server's certificate. If the client is attempting to access a resource that requires client authentication, the server will request the client certificate at this time.

3.

The client uses the server information to authenticate the server. The following information is checked:

Is today's date within the validity date of the certificate?

Is the issuing CA a trusted CA (does the Distinguished Name (DN) of the issuing CA match the DN of a CA on the client's list of trusted CAs)?

Does the issuing CA validate the issuer's digital signature? (The public key from the CA's certificate, found in its list of trusted CAs, is used to validate the CA's digital signature on the server certificate that is presented.)

Does the domain name of the certificate match the domain name of the server? (Validation of this step is not part of the SSL protocol, but can be used to prevent a man-in-the-middle attack because it verifies that the server is on the network address specified by the domain name in the server certificate.)

4.

Authentication can fail and the session can be dropped during any of the tests in step 3. However, if the server cannot be authenticated, the client is warned and, depending on the implementation, the user may be able to accept the certificate even if the authentication process finds a problem with it. The normal browser to web server SSL negotiation process gives the user this option. If the server can be authenticated (or is accepted by the user), the session handshake proceeds.

5.

The client creates the pre-master secret for the session and encrypts it using the server's public key (obtained with the certificate in step 2). The client sends this encrypted pre-master secret to the server.

6.

If the server has requested the client's certificate, the client signs some bit of data only known to the server and the client, and sends that, along with its certificate, to the server.

7.

If required, the server attempts to authenticate the client. It follows a similar process as that outlined in step 3. However, because a user does not monitor the process, an authentication failure cannot be simply accepted, and the session handshake will be terminated. If the client can be authenticated, the session continues.

8.

The server uses its private key to decrypt the pre-master key sent by the client. This pre-master key material generates the master secret.

9.

The client uses the pre-master key material and the same algorithm as the server to generate the master secret.

10.

Client and server use the master secret they have generated (which is the same) to generate the session key. The session key will be used to encrypt the data sent between the server and the client and to verify the integrity of the data.

11.

The client informs the server that all future messages will be encrypted.

12.

The client sends an encrypted message telling the server that the client part of the handshake is done.

13.

The server informs the client that it will encrypt all future messages using the session key.

14.

The server sends an encrypted messages telling the client that the server part of the handshake is done.

15.

The session begins. All data sent between the client and the server is encrypted using the session key. Because each party has its own session key, and this key is identical, each is able to decrypt the messages sent by the other.


Implementing SSL in IIS


The first step in implementing SSL in IIS is to obtain an SSL certificate either by purchasing one from a third party or by obtaining one from Windows certificate services. Windows certificate services is not installed by default and should not be installed without proper planning. If certificate services is available, however, consider if an SSL certificate produced internally is a proper choice. For example, SSL used by your commercial web site should use a public CA certificate to ensure that the certificate can be validated by any customer on the Internet. To obtain a certificate, follow these steps:


1.

Open Internet Services Manager, right-click the web site that the certificate will be used for, and click Properties.

2.

Select the Directory Security tab, as shown in Figure 15-15, select Server Certificate, and click Next.

Figure 15-15. To request a certificate, run the wizard by clicking the Server Certificate button.

3.

In the wizard, click Create a new certificate, as shown in Figure 15-16, and click Next.

Figure 15-16. Create a new certificate.

4.

Click Prepare the request now, but send later, and then click Next. (If the certificate will be supplied by your Enterprise CA, you can choose to submit the request online.)

5.

Accept the name for the certificate (taken from the web site name, as shown in Figure 15-17, or enter a new name). Change the key strength (recommended) and, if necessary, change the CSP, and then click Next.

Figure 15-17. Modify name, key strength, and CSP.

6.

Enter or accept the organization name and OU and click Next.

7.

Enter the common name, as shown in Figure 15-18 (this should be the FQDN of the web server that will be using the certificate if the web server will be available on the Internet, but it can be the NetBIOS name if the computer will only be available on your intranet), and then click Next.

Figure 15-18. The common name should be the FQDN of the server.

8.

Enter the city, state, and country information. Click Next.

9.

Browse to a location to save the certificate request file, click Next twice, and click Finish. A certificate request will be saved in a file called certreq.txt. You can view the file in Notepad, as shown in Figure 15-19.

Figure 15-19. Viewing the certificate request contents.

[View full size image]


After obtaining the certificate request file, you must submit it to a CA to obtain the certificate. If you are using a third-party CA, follow the instructions that it has given you. If using a Microsoft Windows CA, use the following instructions to obtain the certificate:


1.

Use Internet Explorer to browse to the CA's web site. For example, if you will do so at the CA console, use http://localhost/certsrv.

2.

Click Request a Certificate.

3.

Click Advanced Certificate Request.

4.

Click Submit a certificate request by using a base-64-encoded CMC or PKCS # 10 file, or submit a renewal request by using a base-64-Encoded PCKS #7 file, as shown in Figure 15-20.

Figure 15-20. Select the advance certificate request using a file.

[View full size image]

5.

Click Browse for a file to insert and browse to the saved file, then click Read to enter the information in the text box, or instead of using the browse option, open the file in Notepad,select its entire contents, and cut and paste the information in the text box on the screen, as shown in Figure 15-21. When the browse option is selected, the pages accessed must all be identified individually or as part of a trusted site in IE. If the pages are not trusted and you attempt to use the browse option, the browser's security settings will warn that they are preventing the web page from accessing the local disk. You should decide whether you want to follow the instructions to allow this to happen. To do so, you add this site to the trusted sites for the browser.

Figure 15-21. Security settings may prevent file access.

[View full size image]

6.

Use the Certificate Template drop-down list to select Web Server, as shown in Figure 15-22, and then click Submit to submit the request.

Figure 15-22. Use the cut and paste method to obtain the certificate request.

[View full size image]

7.

If the CA requires the certificate be approved, a warning will be issued. If you have authority, use the CA console to approve the request. You will need to return later using IE to check the pending request and download the certificate.

8.

If the certificate is issued, choose one of the encoding schemes (DER or base 64) and click Next.

9.

Select Download certificate and browse to a location to store the certificate file.


When the certificate is received, it must be installed on the server:


1.

Open the Directory Security page of the web site and click Server Certificate.

2.

Click Process the pending request and install the certificate, as shown in Figure 15-23, and then click Next.

Figure 15-23. Process the request.

3.

Browse to the certificate file.

4.

Specify the SSL port to use or accept the default 443, and then click Next.

5.

Review the information, click OK, and then click Finish.


Finally, installing the certificate makes it SSL available on the web server. In other words, both HTTP and HTTPS communications can occur. To ensure that all communications use SSL, you must require it:


1.

From the Directory Security Property page of the web site, click the Edit button.

2.

Click Require secure channel (SSL), as shown in Figure 15-24.

Figure 15-24. To ensure that all communications use SSL, you must require its usage.

3.

If all clients are capable of using 128-bit encryption, click Require 128-bit encryption.

4.

If you also will require client certificates, click that statement.

5.

Click OK to close the page.



/ 194