Professional Windows Server 1002003 Security A Technical Reference [Electronic resources] نسخه متنی

اینجــــا یک کتابخانه دیجیتالی است

با بیش از 100000 منبع الکترونیکی رایگان به زبان فارسی ، عربی و انگلیسی

جستجو بر اساس ... همه عنوان پدیدآور موضوع یادداشت تمام متن
اصطلاحنامه مجموعه ها مرورالفبایی لغت نامه دهخدا
جستجو در لغت نامه
بیشتر
کتابخانه شخصی پرسش از کتابدار ارسال منبع

Professional Windows Server 1002003 Security A Technical Reference [Electronic resources] - نسخه متنی

Roberta Bragg

| نمايش فراداده ، افزودن یک نقد و بررسی
افزودن به کتابخانه شخصی
میخواهم بخوانم
درحال خواندن
خوانده شده
ارسال به دوستان

آدرس پست الکترونیک گیرنده :

آدرس پست الکترونیک فرستنده :

نام و نام خانوارگی فرستنده :

پیغام برای گیرنده ( حداکثر 250 حرف ) :

کد امنیتی را وارد نمایید

ارسال
جستجو در متن کتاب
بیشتر
تنظیمات قلم

فونت

اندازه قلم

+ - پیش فرض

حالت نمایش

روز نیمروز شب
جستجو در لغت نامه
بیشتر
لیست موضوعات

Windows Server 2003 Security: A Technical Reference

By Table of Contents | Index

If you''''re a working Windows administrator, security is your #1 challenge. Now there''''s a single-source reference you can rely on for authoritative, independent help with every Windows Server security feature, tool, and option: Windows Server 2003 SecurityRenowned Windows security expert Roberta Bragg has brought together information that was formerly scattered through dozens of books and hundreds of online sources. She goes beyond facts and procedures, sharing powerful insights drawn from decades in IT administration and security. You''''ll find expert implementation tips and realistic best practices for every Windows environment, from workgroup servers to global domain architectures. Learn how to: Reflect the core principles of information security throughout your plans and processes Establish effective authentication and passwords Restrict access to servers, application software, and data Make the most of the Encrypting File System (EFS) Use Active Directory''''s security features and secure Active Directory itself Develop, implement, and troubleshoot group policies Deploy a secure Public Key Infrastructure (PKI) Secure remote access using VPNs via IPSec, SSL, SMB signing, LDAP signing, and more Audit and monitor your systems, detect intrusions, and respond appropriately Maintain security and protect business continuity on an ongoing basis"Once again, Roberta Bragg proves why she is a leading authority in the security field! It''''s clear that Roberta has had a great deal of experience in real-world security design and implementation. I''''m grateful that this book provides clarity on what is often a baffling subject!"James I. Conrad, MCSE 2003, Server+, Certified Ethical Hacker James@accusource.net"Full of relevant and insightful information. Certain to be a staple reference book for anyone dealing with Windows Server 2003 security. Roberta Bragg''''s Windows Server 2003 Security is a MUST read for anyone administering Windows Server 2003."Philip Cox, Consultant, SystemExperts Corporation phil.cox@systemexperts.com"Few people in the security world understand and appreciate every aspect of network security like Roberta Bragg. She is as formidable a security mind as I have ever met, and this is augmented by her ability to communicate the concepts clearly, concisely, and with a rapier wit. I have enjoyed working with Roberta more than I have on any of the other 20 some odd books to which I have contributed. She is a giant in the field of network security."Bob Reinsch bob.reinsch@fosstraining.com"Windows Server 2003 Security explains why you should do things and then tells you how to do it! It is a comprehensive guide to Windows security that provides the information you need to secure your systems. Read it and apply the information."Richard Siddaway, MCSE rsiddaw@hotmail.com"Ms. Bragg''''s latest book is both easy to read and technically accurate. It will be a valuable resource for network administrators and anyone else dealing with Windows Server 2003 security."Michael VonTungeln, MCSE, CTT mvontung@yahoo.com"I subscribe to a number of newsletters that Roberta Bragg writes and I have ''''always'''' found her writing to be perfectly focused on issues I ''''need'''' to know in my workplace when dealing with my users. Her concise writing style and simple solutions bring me back to her columns time after time. When I heard she had written a guide on Windows 2003 security, I ''''had'''' to have it.Following her guidance on deployment, her advice on avoiding common pitfalls, and her easy to follow guidelines on how to lock down my network and user environments (those darned users!) has me (and my clients) much more comfortable with our Win2k3 Server deployments. From AD to GPO''''s to EFS, this book covers it all."Robert Laposta, MCP, MCSA, MCSE, Io Network Services, Sierra Vista AZrob.laposta@cox.net"Roberta Bragg has developed a ''''must have'''' manual for administrators who manage Microsoft Windows 2003 servers in their organizations. The best practices for strengthening security controls are well organized with practical examples shared throughout the book. If you work with Windows 2003, you need this great resource."Harry L. Waldron, CPCU, CCP, AAI, Microsoft MVP - Windows Security Information Technology Consultant harrywaldronmvp@yahoo.com"Roberta Bragg''''s Windows Server 2003 Security offers more than just lucid coverage of how things work, but also offers sound advice on how to make them work better."Chris Quirk; MVP Windows shell/user cquirke@mvps.org"This book is an invaluable resource for anyone concerned about the security of Windows Server 2003. Despite the amount and complexity of the material presented, Roberta delivers very readable and clear coverage on most of the security-related aspects of Microsoft''''s flagship operative system. Highly recommended reading!"Valery Pryamikov, Security MVP, Harper Security Consulting valery.pryamikov@harper.no"As long as you have something to do with Windows 2003, I have four words for you: ''''Order your copy now.''''"Bernard Cheah, Microsoft IIS MVP, Infra Architect, Intel Corp. bernard@mvps.org"Roberta Bragg has developed a ''''must have'''' manual for administrators who manage Microsoft Windows 2003 servers in their organizations. The best practices for strengthening security controls are well organized, with practical examples shared throughout the book. If you work with Windows 2003, you need this great resource."Harry L. Waldron CPCU, CCP, AAI Microsoft MVPWindows Security Information Technology Consultant
توضیحات
افزودن یادداشت جدید







How to Use Ntbackup


The ntbackup tool can be used for all basic backup processes, including the following:

Immediate or scheduled backup of files to disk, tape, or optical disc

System state backup, the backup of important system files and configuration data

Restore from backup

Restore systems state data

Automated Systems Recovery


Automated Systems Recovery (ASR) is detailed in the section "Automated Systems Recovery" later in this chapter. ntbackup can be used via the backup GUI or at the command line. Backup can be scheduled or scripted. Backup over the network can be configured, but the system state backup must be done locally.

Many excellent third-party products extend the functionality of ntbackup, and you should be sure that the companies that create them understand how Windows Server 2003 operates to ensure that they are able to back up and restore critical system data.

Back Up Files and Folders


To back up files without having the Read, Modify, Full Control, or Owner permission, a user must be a member of either the Administrators or Backup Operators groups or be granted the Backup Files and Folders permission. A member of the Backup Operators group in the domain can back up files on any computer in the domain. Backup rights can be granted to other custom groups, and users with the following rights can also backup a file: Read, Read and Execute, Modify, or Full Control. Administrators and members of the Backup Operators group also have the right to restore backed up data. You can restrict access to specific backups by using the Allow only the owner and the administrator access to the backup data option in the Backup Job Information dialog box before the backup is made.

To do an immediate complete backup of all information on the computer follow these steps:


1.

Open the ntbackup utilityStart, All Programs, Accessories, System Tools, Backup, and then click Next.

2.

Click Backup files and settings.

3.

Click Next.

4.

Select All information on this computer and click Next.

5.

Or, select Let me choose what to backup, expand the directory in the left-hand pane, and select the folders or use the detail pane to select files to back up, as shown in Figure 17-1.

Figure 17-1. Select the folders to back up.

6.

Select the backup type if multiple ways to back up are available, such as tape and disk. (If you back up to disk, make sure the disk can be accessed if there is a system failure such as a writeable CD-ROM, or plan to transfer the backup to an offline disk that can be.)

7.

If the backup type is file, select the location to store the backup.

8.

Enter a name for the backup and, if the backup is to disk, read the warning that you will need a floppy disk for system recovery information, and then click Next.

9.

Click Finish to start the backup.


For additional options, such as scheduling a backup, you must start Backup in Advanced mode. To do so, follow these steps:


1.

Go to Start, All Programs, Accessories, System Tools, Backup and do not click Next.

2.

On the Welcome page, click Advanced Mode and click Next.

3.

Click the Backup Wizard (Advanced) button and click Next to start the wizard. You can also use the Backup tab, as shown in Figure 17-2, to perform a simple immediate backup. If you also attempt to add a new job on the Schedule Jobs page, the advanced wizard will run and allow you to use these selections or change them.

Figure 17-2. In advanced mode, files and folders are selected from the Backup tab.

Volume Shadow Copy Service" for more information.)

14.

Select whether to Append this backup to the existing backups or Replace the existing backups, as shown in Figure 17-3, and then click Next.

Figure 17-3. Select backup options.

15.

Chose to run the backup Now or Later. If Later is selected, enter a job name for the backup and use the Set Schedule button, as shown in Figure 17-4, to enter a schedule for the job. If required, select a schedule for running the backup, and then click Next.

Figure 17-4. Restore from incremental backups requires the use of all incremental backups.

16.

Enter an account, password, and password confirmation to run the backup, click OK, and then click Finish.

17.

If running the backup now, a Backup Progress dialog appears and provides information on the estimated time of completion of the backup and its progress.

18.

When backup is complete, click Report to view the report log. Backup logs are stored in the profile of the user doing the backup (at Local Settings, Application Data, Microsoft, Windows NT, ntbackup, data, bacupxx.log, where the xx is a two-digit number).


One of the most common backup strategies is to make a normal backup on a Sunday, and then either incremental or differential backups every day of the week. If a restore is necessary and incremental backups were made, the normal backup from Sunday and all the incremental backups must be applied to perform a restore. If a restore is necessary and differential backups were made, the Sunday backup and the last differential backup are necessary. This difference is illustrated in Figures 17-4 and 17-5. The backup tapes used for incremental or differential backups are rotated each week, but the normal Sunday backups are usually kept for 30 days, and an end-of-month tape is kept for a year. Tapes that are reused should be periodically replaced with new tapes. Check the manufacturer's instructions to determine the correct replacement timeframe.

Figure 17-5. Restore from differential backups requires the use of only the last differential backup.

NOTE: Incremental or Differential?

Differential backup is often selected because of its conveniencefewer tapes are necessary for a restore. However, if change is volatile, it may take too long to back up all changes every day. In this case, incremental backups are better.

Default Backup options are set from the Tools, Options pages of Backup. The menus are displayed when ntbackup is started in Advanced mode. Table 17-2 lists the advanced backup options.

Table 17-2. Advanced Backup Options

Option

Description

Disable volume Shadow Copy

A volume Shadow Copy is not made.

Backup type

Determines how data is backed up.

Back up data that has been moved to remote storage

If remote storage has been set up, files that have not been used for some time may have been moved to remote storage. They ordinarily would not be backed up.

Verify data after backup

Checks to see that backed up data is the same as original data.

Compress backup data

Saves space on the backup media.

Backup system protected files with the system state.

Backs up system files in the systemroot directory in addition to the boot files included with the system state data. Adds substantially to the size of backup but is a good idea after system files have been changed or new drivers added.

System State Backup


In addition to backing up applications and files, you must ensure that system state data is backed up. System state backup backs up critical system files and configuration data. These files are necessary to recover a server and must be restored in a certain order. Do not attempt to use a normal file backup to manage system state backup. The following items are always backed up when a system state backup is made:

Registry

COM+ Class Registration database

Boot files

System files that are under Windows File Protection


In addition, the components in Table 17-3 are backed up if the requisite service or application is installed.

Table 17-3. Optional Components Backed Up

Component

Is Backed Up If

Certificate services database

The server is a certification authority.

IIS metadirectory

If IIS is installed.

Active Directory database (ndts.dit)

If the server is a domain controller.

SYSVOL directory

If the server is a domain controller.

Cluster service information

If the server is within a cluster.

To make a system state backup, follow these steps:


1.

Open the ntbackup backup utility.

2.

Click Advanced Mode.

3.

Select Backup Wizard (Advanced) and click Next.

4.

Select Only back up the System State data, as shown in Figure 17-6, and then click Next.

Figure 17-6. The main difference in the advanced backup wizard and the standard wizard is the opportunity to select a system state backup.

5.

If necessary, select a backup destination and provide a name for the backup, and then click Next.

6.

To make an immediate backup of the system state, click Finish. Otherwise, click the Advanced button and follow the previous backup instructions to complete the backup.


The system state data is critical, sensitive information that might allow an attacker to compromise the system. Always ensure the safe storage of the system state data.

NOTE: Skipped File During System State Backup May Be Ok

After backing up the system state, an error may report that some files were skipped. Examine the backup report. If the backup report includes only the error: Warning: unable to open "C:\windows\sysvol\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory", the integrity of the backup is OK according to Microsoft (see KB article 822132). It seems that this file should not be backed up, but under some circumstances, backup may attempt to do so.

Backup Defaults and Configuration Options


It is not necessary to use the backup wizard; instead, many options can be set manually. Select individual tabs to configure the backup:

Welcome tab
Choose the Backup Wizard (Advanced), Restore Wizard, or ASR Wizard.

Backup tab
Select the files to back up. Back up system state data. Select the Tools menu, then select options to open the backup Property pages.

General tab
Change defaults, as shown in Figure 17-7.

Figure 17-7. Change defaults on the General tab.

Backup Type tab
Change default backup type, as shown in Figure 17-8. (Backup types were detailed in Table 17-1.)

Figure 17-8. Change backup types on the Backup Type tab.

Backup Log tab
Change how much information is added to the log, as shown in Figure 17-9.

Figure 17-9. Select the amount of detail for the backup tab.

Exclude Files tab
Remove files listed to not be backed up. Add files to skip, as shown in Figure 17-10. Excluded files include those that run the volume copy shadow service, pagefile.sys, and so on.

Figure 17-10. Remove or add files to the "not to be backed up" list.

Restore and Manage Media tab
Restore files and folders from backup.

Schedule Job tab
Change or add schedules.


Command-Line Backup


ntbackup can be used to back up at the command line or within a script. You cannot restore files from backup using the ntbackup command. Any option that is not specified in the command line defaults to those set in the backup program. The general form for the command is

Ntbackup backup logical_disk_path_and_file_name /J name_of_the_job /F or_
/Tand_the_filename_or_tape_name_to_put_backup_on

Any options left off the command default to those configured in the backup program.

To create a normal backup named Backup job 2 that backs up the system state data to the D:\systemstate.bkf file, use


Ntbackup backup systemstate /M normal /J "backup job 2" /F "D:\systemstate.bkf"

To set advanced options such as verifying data, using hardware compression or volume shadow copy, use the following syntax. For an explanation, see Table 17-4:


ntbackup backup /V:{yes|no} /HC:{on|off} /SNAP:{on|off}

Table 17-4. ntbackup Advanced Options

Value

Option

Description

/V:

Yes | No

Verify data or do not verify data

/HC:

On | Off

Use hardware compression or not

/SNAP:

On | Off

Use volume shadow copy or not

A complete ntbackup command syntax is located in the local Windows Server 2003 help files.

Here's a sample command that would create the backup job "Backup 1", back up data on drive E:\ to the file D:\mybackup.bkf, and verify the data:


ntbackup backup E:\ /J "Backup 1" /F "D:\mybackup.bkrf" /V:yes

TIP: An Easy Way to Write Backup Commands

To quickly and accurately create a backup command, create a scheduled backup job and then open the Scheduled Tasks control panel. The full command line is displayed in the control panelcopy this command into a batch file and modify if necessary.

Restore Files and Folders


The backup program can also be used to restore files and folders from a backup. To restore individual files or folders, follow these steps:


1.

Open the Backup program from Start, All Programs, Accessories, System Tools, Backup.

2.

Click Advanced Mode.

3.

Click the Restore Wizard (Advanced) button and click Next.

4.

Select Items to restore and click Next.

5.

If you want to use the default restore settings, click Finish and skip to step 10; if not, click the Advanced button and continue.

6.

Select the destination for the restored files and folders. Choices are the original location, an alternate location, or a single folder; click Next. If an alternate location is selected, the Browse button and an alternate location text box will be added to the page for your use.

7.

Select whether to leave or replace existing files, as shown in Figure 7-11, and then click Next.

8.

Select advanced restore options, as shown in Figure 7-12, and then click Next.

Figure 17-11. Select what to do with any existing files.

Figure 17-12. Select advanced restore options.

9.

Click Finish to start the restore.

10.

Click the Report button to view a report of the restore.


Alternatively, the Restore and Manage Media tab can be used to restore files and folders:


1.

Click the Restore and Manage Media tab.

2.

Click the media to restore, and click the check boxes next to the drives, folders, and/or files to restore.

3.

Use the Restore files to: drop-down box to specify the location to restore the files, either to the Original location (where files were located when they were backed up), to an Alternate location, or to a Single folder, as shown in Figure 17-13.

Figure 17-13. Use the Restore and Manage Media tab to restore files and folders.

[View full size image]

4.

If you select Alternate location or Single folder, enter the location where the data should be restored or browse to that location and click OK.

5.

To change restore options, click the Tools menu, click Options, and then click the Restore tab, as shown in Figure 17-14. After selecting restore options, click OK.

Figure 17-14. Select the restore options.

6.

Click Start Restore.

7.

A popup dialog can be used to select advanced options, as shown in Figure 17-15. If advanced options are required, click Advanced and set options, and then click OK.

Figure 17-15. Select the advanced restore options.

8.

Click OK to start restore.

9.

A Restore Progress dialog appears, which tracks the restore progress. When it is complete, click Report to view the report or click OK to close the window.


Restore System State Backup


When you restore system state data, you can restore it to the same location or to an alternative location. If you restore to a different location, some data will not be restored. Specifically, only registry files, SYSVOL directory files, cluster database information, and system boot files are restored. When restoring the system state data to the original location, the current system state data is erased, and the backup is restored. This is the opposite of the default for file backup, which does not overwrite existing files unless the default has been changed.Active Directory Restore."


/ 194