Professional Windows Server 2003 Security: A Technical Reference [Electronic resources] - Text version


Roberta Bragg


Auditing Server Applications and Services


Server applications and services may post events to the Application and System log or to special log files specific to them. Although much of this information may be more helpful for troubleshooting network, OS, or application operation than for auditing, some security-specific data may be present, especially if the application or service is configured to produce it. A good rule of thumb is to expect that some configuration will need to be done in order to produce audit information, and to take a good look at the documentation and administration tools. Fortunately, Microsoft and others are cognizant of audit requirements and are building opportunities for event collection as well as providing more documentation on them. Information is provided here for the more common services.

Network Services Auditing


Network services such as DNS, WINS, and DHCP typically generate a range of events that are logged to the DNS, application, and system logs.

DNS

Several types of logging can be configured, including debug logging, event logging, and object events. Debug logging for DNS is set from the DNS server Debug Logging tab of the Property pages of the DNS server, as shown in Figure 18-13. Click to select Log packets for debugging and then select a packet direction, a transport protocol, and other options. Set up file location and maximum size. Note that debug logging is not turned on by default and may produce enough events to seriously impair performance.

Figure 18-13. Set Debug Logging for DNS in the server Property pages.

Event logging is configured on the Event Logging tab of the server Property pages and provides information on errors, errors and warnings, or all events, as shown in Figure 18-14. It can also be turned off. Event logging records events in the DNS event log. You can also set auditing on the Property pages of specific DNS objects, such as zones and individual records, to record events related to zones and DNS registration.

Figure 18-14. Set Event Logging for DNS in the server Property pages.

DHCP

DHCP audit logging is enabled on the General Property page, as shown in Figure 18-15. Logs are saved at %windir%\System32\dhcp and this can be edited on the Advanced Property page, as shown in Figure 18-16. The DHCP service checks the file system to make sure that there is adequate space for the audit log file after every 50 events it writes to the log file and when the date changes on the server. Log entries include general service information such as start, stop, and authorization, as well as information on the MAC address of the client and the IP address of the client when noting lease assignments and releases. This information provides a history of lease assignments and can aid in tracing which machine had which IP address at a specific time.

Figure 18-15. Configure audit logging from the General Property page.

Figure 18-16. Configure log location from the Advanced Property page.

Several registry entries located at HKLM\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters control audit logging. Pay attention to their defaults or configure them to suit you. If not set correctly, or if disk space is not adequate, audit logging will stop. If you are trying to keep an audit trail of IP address assignment, monitor for warning event log messages and monitor disk space availability. Registry parameters are shown in Table 18-7.

Table 18-7. Registry Parameters

Parameter:   ActivityLogFlag
Type:        REG_DWORD
Default:     0
Description: When set to 0, audit logging is not used. When set to 1, it is.

Parameter:   DhcpLogDiskSpaceCheckInterval
Type:        REG_DWORD
Default:     0x32 (50)
Description: Indicates how many events are recorded in the log before a disk space check is made.

Parameter:   DhcpLogFilePath
Type:        REG_SZ
Default:     %Windir%\system32\dhcp
Description: The location for the audit logs. If this entry is changed, DHCP will move the logs.

Parameter:   DhcpLogFilesMaxSize
Type:        REG_DWORD
Default:     0x7 (7 MB)
Description: The maximum combined file size (DHCP generates a new log file for each day of the week) for one week's worth of audit logs. The default is 7 MB. If the size is exceeded, DHCP stops writing log file entries until space becomes available (the logs are deleted or archived).

Parameter:   DhcpLogMinSpaceOnDisk
Type:        REG_DWORD
Default:     0x14 (20 MB)
Description: The minimum remaining space on the disk required in order for DHCP logging to continue. If this space is not available, logging stops.
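The lease-history use described above (tracing which machine held which address at a given time, and noticing when the audit trail was interrupted by the disk-space checks) can be automated by reading the DHCP audit log directly. The following Python script is an added example, not code from the book or from Microsoft. The log text is constructed here in the layout of the DhcpSrvLog CSV records (ID, date, time, description, IP address, host name, MAC address); the event IDs it relies on (10 new lease, 11 renewal, 12 release, 16 lease deleted, 17 lease expired, 01 log stopped, 02 paused for low disk space) are taken from the legend the DHCP service writes at the top of each log file and are an assumption of this example.

```python
import csv
from datetime import datetime

# Constructed sample laid out like a DHCP audit log (DhcpSrvLog-*.log in
# %windir%\System32\dhcp): a free-text header, then CSV records of
# ID,Date,Time,Description,IP Address,Host Name,MAC Address.
SAMPLE_LOG = """\
\t\tMicrosoft DHCP Service Activity Log

Event ID  Meaning
00\tThe log was started.
02\tThe log was temporarily paused due to low disk space.
10\tA new IP address was leased to a client.

ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,03/15/04,08:00:01,Started,,,
10,03/15/04,08:05:12,Assign,10.0.0.25,ws01.example.local,0003FF1A2B3C
11,03/15/04,09:10:44,Renew,10.0.0.25,ws01.example.local,0003FF1A2B3C
12,03/15/04,11:30:05,Release,10.0.0.25,ws01.example.local,0003FF1A2B3C
10,03/15/04,11:45:00,Assign,10.0.0.25,laptop7.example.local,000D56AABBCC
02,03/15/04,13:00:00,Paused,,,
"""

HEADER = "ID,Date,Time,Description,IP Address,Host Name,MAC Address"
GRANT_EVENTS = {"10", "11"}        # new lease, renewal: the client holds the address
END_EVENTS = {"12", "16", "17"}    # release, lease deleted, lease expired: holder cleared
INTERRUPT_EVENTS = {"01": "log stopped", "02": "paused: low disk space"}  # assumed IDs


def parse_dhcp_audit_log(text):
    """Return one dict per CSV record that follows the column header line."""
    lines = text.splitlines()
    if HEADER not in lines:
        raise ValueError("DHCP audit log column header not found")
    records = []
    for row in csv.reader(lines[lines.index(HEADER) + 1:]):
        if len(row) < 7 or not row[0].strip():
            continue  # blank or malformed line
        event_id, date, time, desc, ip, host, mac = [c.strip() for c in row[:7]]
        records.append({
            "id": event_id,
            "when": datetime.strptime(f"{date} {time}", "%m/%d/%y %H:%M:%S"),
            "desc": desc, "ip": ip, "host": host, "mac": mac,
        })
    return records


def lease_holder_at(records, ip, when):
    """Return (host, mac) of the client that held `ip` at `when`, or None.

    `when` may be a datetime or an ISO string such as "2004-03-15 10:00:00".
    Releases and expirations clear the holder, so an address reused by a
    second client later the same day is attributed to the right machine.
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    holder = None
    for rec in sorted((r for r in records if r["ip"] == ip), key=lambda r: r["when"]):
        if rec["when"] > when:
            break
        if rec["id"] in GRANT_EVENTS:
            holder = (rec["host"], rec["mac"])
        elif rec["id"] in END_EVENTS:
            holder = None
    return holder


def log_interruptions(records):
    """Return (timestamp, reason) for events that mean the audit trail has a gap."""
    return [(r["when"].isoformat(sep=" "), INTERRUPT_EVENTS[r["id"]])
            for r in records if r["id"] in INTERRUPT_EVENTS]


if __name__ == "__main__":
    recs = parse_dhcp_audit_log(SAMPLE_LOG)
    print(lease_holder_at(recs, "10.0.0.25", "2004-03-15 10:00:00"))
    print(lease_holder_at(recs, "10.0.0.25", "2004-03-15 12:00:00"))
    for when, reason in log_interruptions(recs):
        print("audit trail gap:", when, reason)
```

Feed parse_dhcp_audit_log the contents of each day's DhcpSrvLog file in turn; any interruption reported by log_interruptions is the point at which the registry settings in Table 18-7 (or free disk space) need attention, because lease assignments after that timestamp are missing from the trail.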

WINS

WINS records error and informational messages to the system log. The level of information recorded is managed by settings on the Advanced Property page of WINS. To change them, select the log detailed events box on the page. When set, in addition to errors, WINS will also log warning and informational messages.

IPSec Auditing


Success or failure of IKE negotiations will be recorded in the Security Event Log if Audit Logon Events is set for Success and Failure. More detailed IKE logging can be configured, and events will be recorded in the %systemroot%\Debug\oakley.log file. A registry entry can be used, or logging can be controlled dynamically by using netsh.

To dynamically turn on IKE logging, use this command:


netsh ipsec dynamic set config ikelogging 1

To stop logging, use this command:


netsh ipsec dynamic set config ikelogging 0

The IKE logging registry key is located at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Oakley\.

To enable logging, add the REG_DWORD value EnableLogging, set it to 1, and then use the command net stop policyagent followed by net start policyagent. Using the registry key is the only way to enable IKE logging for Windows XP and Windows 2000. To stop logging, remove the value or set it to 0, and then stop and start the policy agent service.

Certification Authority Auditing


Auditing for the certification authority is set on the Auditing Property page of the CA, as shown in Figure 18-17. Object auditing must be turned on in the Audit Policy for the server in order for events to be collected. Check all boxes to prepare an audit trail of changes to settings, backup, certificate issuance and revoking, and key archival.

Figure 18-17. Configure CA auditing on the Auditing Property page.

If role-based administration is enforced, only someone with the auditor role can change these settings. The auditor role is created by creating a Windows custom group and assigning it the user right Manage auditing and security log. User accounts added to this group will assume the CA auditor role. For more information on CA role-based administration and role separation, refer to Chapter 12, "PKI Basics."

VPN Auditing


Routing and Remote Access Service (RRAS) logging consists of event logging and authentication and accounting logging. Event logging is configured on the Logging page of the server properties in the Routing and Remote Access console, as shown in Figure 18-18. Event logging is primarily meant to assist in troubleshooting connections but can be useful for recording remote access activity for auditing purposes. Authentication and accounting information is recorded locally if Windows authentication and/or Windows accounting is enabled. Events are logged to the %windir%\system32\logfiles folder and can be used to track remote access usage and connection attempts.

Figure 18-18. Configure event logging for RRAS.

Authentication and accounting logging is configured by expanding the Remote Access Logging node of the server, as shown in Figure 18-19. Double-click the logging method (Local File or SQL Server) in the detail pane to select options. Figure 18-20 displays the Settings page for Local File properties, while the Log File page is displayed in Figure 18-21. If Windows authentication is not configured, the Remote Access Logging folder is not displayed.

Figure 18-19. Configure authentication and accounting logging.


Figure 18-20. Specify log configuration for authentication and accounting logging.

Figure 18-21. Configure log file information and schedule for creating a new log file.

When Internet Authentication Service (IAS) is used to coordinate remote access authentication and accounting, authentication and accounting events can be centrally logged for those RRAS servers that use it. Configure logging using the Remote Access Logging folder from the IAS console.

In addition to manual review of the logs, you can use the netsh command to collect log information from a specific time period and dump the information to a file. For example, the command netsh ras diagnostics show logs type=file destination=c:\ras hours=4 verbose=enabled creates the ras file in the temp directory that includes events from the tracing logs, modem logs, connection manager logs, IP Security log, remote access event logs, and security event logs. Figure 18-22 displays the first part of this report.

Figure 18-22. Use netsh to compile a report of relevant remote access information.


Authorization Manager Auditing


Authorization Manager auditing can be configured to provide information on runtime events and authorization store changes at the authorization store, application, and scope levels. The level of auditing available depends on whether the authorization store is based on Active Directory or XML. Table 18-8 provides the details. The two levels of auditing are

Application runtime
Success and failure as defined by policy in the authorization store on items such as client contexts and access checks.

Authorization store change
An audit record is produced if the authorization store is modified. For all events, success or failure is recorded.


Table 18-8. Authorization Manager Auditing

Level                XML                       Active Directory
Authorization store  Runtime and store change  Runtime and store change
Application          Runtime                   Runtime and store change
Scope                None                      Store change

Net Logon Debug Logging


If Net Logon debug logging is enabled, an intruder can more easily be tracked on the network. Net Logon debug logging is turned on by entering nltest /dbflag:flag at a command prompt. The flag is a hexadecimal number that represents the level of logging required. Flags for Net Logon debug logging are documented in KB article 109626, "Enable Debug Logging for the Net Logon Service" (http://support.microsoft.com/default.aspx?scid=kb;en-us;109626). You can combine the flags with control bits to get the data you want. Because debug logging produces a plethora of events, you may want to limit the events produced by requesting timestamps (control bit 0x20000000) and just the logon processing events (flag 0x00000004). The command to enter then is


nltest /dbflag:0x20000004

Once enabled, events are logged to %windir%\debug\netlogon.log.
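As an added illustration of why the logon-processing flag is the one worth keeping on, the following Python script (not code from the book) summarizes failed SamLogon attempts per source workstation from a netlogon.log. The sample lines are constructed to match the "[LOGON] SamLogon: ... logon of DOMAIN\user from WORKSTATION Entered/Returns <NTSTATUS>" layout that the 0x00000004 flag produces with timestamps enabled; the NTSTATUS meanings in STATUS_TEXT are standard Windows codes, and the failure threshold is an assumption to tune for your environment.

```python
import re
from collections import defaultdict

# Constructed sample in the style of %windir%\debug\netlogon.log with logon
# processing events (0x00000004) and timestamps (0x20000000) enabled. Each
# attempt produces an "Entered" line and a matching "Returns <NTSTATUS>" line.
SAMPLE_NETLOGON_LOG = """\
03/15 10:22:31 [LOGON] SamLogon: Network logon of EXAMPLE\\jdoe from WS01 Entered
03/15 10:22:31 [LOGON] SamLogon: Network logon of EXAMPLE\\jdoe from WS01 Returns 0x0
03/15 10:23:02 [LOGON] SamLogon: Network logon of EXAMPLE\\administrator from LAB9 Entered
03/15 10:23:02 [LOGON] SamLogon: Network logon of EXAMPLE\\administrator from LAB9 Returns 0xC000006A
03/15 10:23:05 [LOGON] SamLogon: Network logon of EXAMPLE\\administrator from LAB9 Entered
03/15 10:23:05 [LOGON] SamLogon: Network logon of EXAMPLE\\administrator from LAB9 Returns 0xC000006A
03/15 10:23:09 [LOGON] SamLogon: Network logon of EXAMPLE\\administrator from LAB9 Entered
03/15 10:23:09 [LOGON] SamLogon: Network logon of EXAMPLE\\administrator from LAB9 Returns 0xC000006A
03/15 10:23:14 [LOGON] SamLogon: Network logon of EXAMPLE\\jsmith from LAB9 Entered
03/15 10:23:14 [LOGON] SamLogon: Network logon of EXAMPLE\\jsmith from LAB9 Returns 0xC0000064
03/15 10:31:40 [LOGON] SamLogon: Network logon of EXAMPLE\\jdoe from WS02 Entered
03/15 10:31:40 [LOGON] SamLogon: Network logon of EXAMPLE\\jdoe from WS02 Returns 0xC000006A
03/15 10:31:55 [MISC] constructed non-logon line that the parser must ignore
"""

# Standard NTSTATUS codes commonly seen on the Returns line.
STATUS_TEXT = {
    0x00000000: "success",
    0xC000006A: "wrong password",
    0xC0000064: "no such user",
    0xC000006D: "logon failure",
    0xC0000072: "account disabled",
    0xC0000234: "account locked out",
}

# Only completed attempts ("Returns" lines) carry the outcome.
LOGON_RE = re.compile(
    r"^(?P<date>\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) \[LOGON\] SamLogon: "
    r"(?P<kind>\w+) logon of (?P<account>\S+) from (?P<source>\S+) "
    r"Returns (?P<status>0x[0-9A-Fa-f]+)$"
)


def describe_status(code):
    """Human-readable meaning of an NTSTATUS value."""
    return STATUS_TEXT.get(code, f"unknown status 0x{code:08X}")


def parse_netlogon_log(text):
    """Return one dict per completed logon attempt; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if not m:
            continue
        events.append({
            "when": f"{m['date']} {m['time']}",
            "kind": m["kind"],
            "account": m["account"],
            "source": m["source"],
            "status": int(m["status"], 16) & 0xFFFFFFFF,
        })
    return events


def failures_by_source(events):
    """Count failed attempts per originating workstation."""
    counts = defaultdict(int)
    for e in events:
        if e["status"] != 0:
            counts[e["source"]] += 1
    return dict(counts)


def suspicious_sources(events, threshold):
    """Workstations with at least `threshold` failures, with the accounts tried."""
    accounts = defaultdict(set)
    for e in events:
        if e["status"] != 0:
            accounts[e["source"]].add(e["account"])
    counts = failures_by_source(events)
    return sorted((src, n, sorted(accounts[src]))
                  for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_netlogon_log(SAMPLE_NETLOGON_LOG)
    for src, n, accts in suspicious_sources(evs, threshold=3):
        print(f"{src}: {n} failed logons against {', '.join(accts)}")
    for e in evs:
        print(e["when"], e["source"], e["account"], describe_status(e["status"]))
```

Because netlogon.log records the workstation name as the domain controller saw it, the per-source summary is the starting point for the kind of intruder tracking the tip below describes; the Entered lines are deliberately skipped so that each attempt is counted once.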

TIP: Examine the Use of Net Logon Debug Logging

An article on using Net Logon debug logging to track intruders on a Windows network is available online at the United States Department of Energy Information Bridge site (http://www.osti.gov/dublincore/gpo/servlets/purl/821123-32MRSo/native/). The article was written by Christina S. Davis, Principal Network Engineer at Westinghouse Savannah River Company. Sample logs and their interpretations are published in the article.

