Professional Windows Server 1002003 Security A Technical Reference [Electronic resources] نسخه متنی

اینجــــا یک کتابخانه دیجیتالی است

با بیش از 100000 منبع الکترونیکی رایگان به زبان فارسی ، عربی و انگلیسی

جستجو بر اساس ... همه عنوان پدیدآور موضوع یادداشت تمام متن
اصطلاحنامه مجموعه ها مرورالفبایی لغت نامه دهخدا
جستجو در لغت نامه
بیشتر
کتابخانه شخصی پرسش از کتابدار ارسال منبع

Professional Windows Server 1002003 Security A Technical Reference [Electronic resources] - نسخه متنی

Roberta Bragg

| نمايش فراداده ، افزودن یک نقد و بررسی
افزودن به کتابخانه شخصی
میخواهم بخوانم
درحال خواندن
خوانده شده
ارسال به دوستان

آدرس پست الکترونیک گیرنده :

آدرس پست الکترونیک فرستنده :

نام و نام خانوارگی فرستنده :

پیغام برای گیرنده ( حداکثر 250 حرف ) :

کد امنیتی را وارد نمایید

ارسال
جستجو در متن کتاب
بیشتر
تنظیمات قلم

فونت

اندازه قلم

+ - پیش فرض

حالت نمایش

روز نیمروز شب
جستجو در لغت نامه
بیشتر
لیست موضوعات

Windows Server 2003 Security: A Technical Reference

By Table of Contents | Index

If you''''re a working Windows administrator, security is your #1 challenge. Now there''''s a single-source reference you can rely on for authoritative, independent help with every Windows Server security feature, tool, and option: Windows Server 2003 SecurityRenowned Windows security expert Roberta Bragg has brought together information that was formerly scattered through dozens of books and hundreds of online sources. She goes beyond facts and procedures, sharing powerful insights drawn from decades in IT administration and security. You''''ll find expert implementation tips and realistic best practices for every Windows environment, from workgroup servers to global domain architectures. Learn how to: Reflect the core principles of information security throughout your plans and processes Establish effective authentication and passwords Restrict access to servers, application software, and data Make the most of the Encrypting File System (EFS) Use Active Directory''''s security features and secure Active Directory itself Develop, implement, and troubleshoot group policies Deploy a secure Public Key Infrastructure (PKI) Secure remote access using VPNs via IPSec, SSL, SMB signing, LDAP signing, and more Audit and monitor your systems, detect intrusions, and respond appropriately Maintain security and protect business continuity on an ongoing basis"Once again, Roberta Bragg proves why she is a leading authority in the security field! It''''s clear that Roberta has had a great deal of experience in real-world security design and implementation. I''''m grateful that this book provides clarity on what is often a baffling subject!"James I. Conrad, MCSE 2003, Server+, Certified Ethical Hacker James@accusource.net"Full of relevant and insightful information. Certain to be a staple reference book for anyone dealing with Windows Server 2003 security. Roberta Bragg''''s Windows Server 2003 Security is a MUST read for anyone administering Windows Server 2003."Philip Cox, Consultant, SystemExperts Corporation phil.cox@systemexperts.com"Few people in the security world understand and appreciate every aspect of network security like Roberta Bragg. She is as formidable a security mind as I have ever met, and this is augmented by her ability to communicate the concepts clearly, concisely, and with a rapier wit. I have enjoyed working with Roberta more than I have on any of the other 20 some odd books to which I have contributed. She is a giant in the field of network security."Bob Reinsch bob.reinsch@fosstraining.com"Windows Server 2003 Security explains why you should do things and then tells you how to do it! It is a comprehensive guide to Windows security that provides the information you need to secure your systems. Read it and apply the information."Richard Siddaway, MCSE rsiddaw@hotmail.com"Ms. Bragg''''s latest book is both easy to read and technically accurate. It will be a valuable resource for network administrators and anyone else dealing with Windows Server 2003 security."Michael VonTungeln, MCSE, CTT mvontung@yahoo.com"I subscribe to a number of newsletters that Roberta Bragg writes and I have ''''always'''' found her writing to be perfectly focused on issues I ''''need'''' to know in my workplace when dealing with my users. Her concise writing style and simple solutions bring me back to her columns time after time. When I heard she had written a guide on Windows 2003 security, I ''''had'''' to have it.Following her guidance on deployment, her advice on avoiding common pitfalls, and her easy to follow guidelines on how to lock down my network and user environments (those darned users!) has me (and my clients) much more comfortable with our Win2k3 Server deployments. From AD to GPO''''s to EFS, this book covers it all."Robert Laposta, MCP, MCSA, MCSE, Io Network Services, Sierra Vista AZrob.laposta@cox.net"Roberta Bragg has developed a ''''must have'''' manual for administrators who manage Microsoft Windows 2003 servers in their organizations. The best practices for strengthening security controls are well organized with practical examples shared throughout the book. If you work with Windows 2003, you need this great resource."Harry L. Waldron, CPCU, CCP, AAI, Microsoft MVP - Windows Security Information Technology Consultant harrywaldronmvp@yahoo.com"Roberta Bragg''''s Windows Server 2003 Security offers more than just lucid coverage of how things work, but also offers sound advice on how to make them work better."Chris Quirk; MVP Windows shell/user cquirke@mvps.org"This book is an invaluable resource for anyone concerned about the security of Windows Server 2003. Despite the amount and complexity of the material presented, Roberta delivers very readable and clear coverage on most of the security-related aspects of Microsoft''''s flagship operative system. Highly recommended reading!"Valery Pryamikov, Security MVP, Harper Security Consulting valery.pryamikov@harper.no"As long as you have something to do with Windows 2003, I have four words for you: ''''Order your copy now.''''"Bernard Cheah, Microsoft IIS MVP, Infra Architect, Intel Corp. bernard@mvps.org"Roberta Bragg has developed a ''''must have'''' manual for administrators who manage Microsoft Windows 2003 servers in their organizations. The best practices for strengthening security controls are well organized, with practical examples shared throughout the book. If you work with Windows 2003, you need this great resource."Harry L. Waldron CPCU, CCP, AAI Microsoft MVPWindows Security Information Technology Consultant
توضیحات
افزودن یادداشت جدید







Auditing Security Controls: Policy Compliance, Vulnerability Assessment, and Pen Testing


Determining security policy and implementing the technical controls that support it is not a trivial task. Keeping controls in place is harder. There are many reasons for this:

Security policy can change. Although this is not usually a rapid process, when a change is made, it can mean that a lot of configuration changes or procedural changes are needed. Security policy changes can result from legislative changes, internal or external audits, a better understanding of the technology or the risks inherent in its use for a specific purpose, or even management's acceptance of a proposed change from you.

Required changes to operating systems and applications (patches and upgrades) may reset configurations, return settings to their defaults, or require additional controls to be added.

New applications and OSs require additional controls or impact current systems. Controls may be weakened because these new implementations will not work with current controls in place. Replacement OSs and applications may not have the controls made available by others. New OSs and applications may also lack appropriate controls or may just be unfamiliar to staff and therefore require more work.

Tests and troubleshooting efforts may "temporarily" remove or change controls. (Someone may forget to change them back.)

Administrators authorized to make changes to technical controls make mistakes. Configuring security controls can be complicated, and sometimes vendor documentation and the language in the user interface can be confusing. For example, many security controls contain double negatives, such as when you "Enable" the "Disable …" setting in order to disable the setting. If you "Disable" the setting, you actually "Enable" what you may want to "Disable."

Many security controls rely on complex technologies to deploy, implement, or maintain them. The result is that a problem with these technologies, such as network communications, DNS, or Group Policy, means that the security control is not deployed or does not produce the desired result.


Keeping controls in place requires diligence, training, proper procedures, service, and application monitoring. To ensure that controls are in place, plan to periodically test for policy compliance, perform vulnerability assessment, and perform pen tests. Although all these things may come under the heading of proper network maintenance and appear to be part of your job description, be sure to acquire written authority, especially if you are scanning systems on your network or attempting to hack into systems. Also, be sure to thoroughly understand any tool that you use. Some vulnerability testing programs, scanners, and other tools may have adverse affects on systems simply by being used. For example, some control equipment for factory equipment or for use by utilities is now being managed over TCP/IP. Some simple scans of these products can cause them to fail, shutting down business-critical operations or interfering with critical infrastructure.

Auditing Security Configuration Using Security Configuration and Analysis


This book emphasizes the use of Group Policy to implement security settings across the Windows network. Optional ways of securing standalone systems using local Group Policy controls and/or Security Configuration and Analysis have also been discussed. To ensure that changes to these settings have not occurred, audit current settings against required settings. Manual inspection is possible, but a far easier way to audit policy settings is available: the "analyze" function of the Security Configuration and Analysis console.

To use the tool, you must have a security template prepared that matches the official security policy for the computer you are testing. Such templates may have been created if you used this method to define security when creating role-based security models. If this is not the case, you can still create a security template for use in analysis. It's not a good idea to use a template stored on a production server as this may be out of date or altered in some way. Instead, use a copy of the security template originally produced and stored in a safe place. In either case, make sure that the template used does match your policy by manually checking the template settings against your organization's current security policy. After you have the template, you can perform an analysis:


1.

Add the Security Configuration and Analysis snap-in to an MMC console. Start by clicking Start, Run, enter mmc, and click the OK button.

2.

Select the File menu, and then select Add/Remove Snap-in.

3.

Click the Add button.

4.

Select Security Configuration and Analysis, click Add, and then click Close.

5.

Click OK.

6.

Expand the Security Configuration and Analysis node.

7.

Right-click the Security Configuration and Analysis node and select Open database.

8.

Enter a name for the database and click Open.

9.

Browse to the security template file and then click Open.

10.

Right-click the Security Configuration and Analysis node and select Analyze computer now.

11.

Browse to a location to record an error log, and then click OK. By default, the log is saved to the My Documents\Security\Logs\name_of_database.log file.

12.

Click OK.

13.

When the analysis has completed, expand the Security Configuration and Analysis node and view the detail pane. If there are differences between the database setting (your security policy as entered into the security template selected in step 9) and the computer setting, a white x in a red circle will identify it, as shown in Figure 18-23.

Figure 18-23. Any variances from policy will show up as a white x within a red circle.

[View full size image]


You can also use the secedit command to perform an analysis, but to review the report, you have to load the results in the Security Configuration and Analysis tool. To do an analysis, use this command:

secedit /analyze /db filenameofdatabaseforanalysis.sdb [/cfg securitytemplatename] [
/overwrite] [/log nameforlogfile] [/quiet]

In the command, the /overwrite switch will overwrite any existing file by the same name, and the /quiet switch will not echo any information to the screen. If you have already created a database file by importing a security template using Security Configuration and Analysis, and it includes the correct security template, you can leave off the /cfg switch.

TIP: Batch Analysis

Both Security Configuration and Analysis and the secedit command listed here will analyze only one computer at a time. You can create a script to use the secedit command on multiple computers and collect the results to a single location, such as a desktop PC, where it can later be analyzed and archived as proof of compliance or to create a list of systems that need to be updated.

Auditing Security Configuration for Specific Computers and Users


The use of Group Policy makes it possible to extend security configuration across the network to many Windows systems and to direct specific security settings for specific types of computers and users. You cannot assume that just because the settings are correctly defined, they are being correctly applied. Many things, such as network connectivity or Active Directory replication problems, can interfere. To audit these settings, you must inventory the applied settings on specific computers and for specific users. To do so, you can use RSoP in logging mode. This utility can reach out across the network and remotely examine the security settings for a specific user/computer combination.

To do RSoP logging, follow these steps:


1.

Add the RSoP snap-in to an MMC console.

2.

Click the Action Menu, select Generate Resultant Set of Policy, and then click Next.

3.

On the Mode Selection page, select Logging mode, as shown in Figure 18-24, and click Next.

Figure 18-24. Select logging to create a report on the current settings.

4.

Select a computer. The computer must be reachable.

5.

Select whether to display computer and user settings or just user settings and click Next.

6.

Select the user to display, as shown in Figure 18-25, or select not to display user results (display computer only) and click Next.

Figure 18-25. Select the user.

7.

Review the selection and click Next.

8.

When the wizard completes, click Finish.

9.

Expand the report and review it. Note that only the items that are enabled are reported on.

10.

Double-click the policy part to view its details, as shown in Figure 18-26, and compare with the required security policy on the computer for the selected user.

Figure 18-26. Examine RSoP results in the detail pane.

[View full size image]

11.

To save the results for review later, name and save the console. If desired, additional RSoP snap-ins can be added to the console and used to produce reports on additional combinations of computers and users. Reports may also be refreshed.


Scanning for Known Vulnerabilities


In the correctly configured and properly patched network, scanning for known vulnerabilities is a waste of time. After all, correct configuration and patching implies an appreciation of known vulnerabilities and an effort to mitigate them. In reality, you cannot know with certainty that mitigation efforts have actually been implemented. Even if you perform each mitigation step yourself, you must use software to do so, and the software itself may have errors or may not work correctly in some circumstances. The very fact that you must apply patches to correct software bugs should prevent you from trusting any software-based effort to correct them.

Assessing Vulnerabilities with Microsoft Baseline Security Analyzer (MBSA)

Therefore, you must audit system configuration looking for known vulnerabilities. Microsoft Baseline Security Analyzer can perform basic vulnerability checking and is available for free at http://www.microsoft.com/technet/security/tools/mbsahome.mspx. This tool checks for major, well-known configuration vulnerabilities of Windows Server 2003, Windows 2000, Windows XP, and Windows NT 4.0. It also looks at IIS, SQL Server, Windows Media Player, and Exchange. Its primary purpose is to look for missing patches. Because patches are a response to vulnerability, a missing patch means the computer is vulnerable. Many fine third-party products go much further, providing extensive reporting capabilities that seek out evidence of the existence of known vulnerabilities. So, although MBSA's orientation is to provide information on which patches you need to add, many third-party products emphasize the specific vulnerability you need to protect the system against. To be fair, MBSA reports point to Microsoft documentation that describes what the patch protects you from, and many third-party products point to the Microsoft patch that will mitigate the vulnerability. By default, MBSA accesses an online database of patches that is kept up-to-date by Microsoft. If you use Microsoft Software Update Server (SUS) to provide patches tested and approved by your organization, you can point MBSA to the SUS server, and it will use its database of approved patches instead. If you do so, the audit will not report on missing patches that you have not yet approved for distribution to systems on your network. MBSA can be used to remotely scan multiple Windows systems, but there is a downside. MBSA is an agentless scannerthat is, no client-side software must be installed on clients in order to scan them. This means that MBSA requires that File and Printer Sharing be enabled on the client as well as the Remote Registry Service. Many security experts argue that these things should be disabled in order to protect the computer from possible compromise. Microsoft, however, has indicated that it believes having the ability to scan for missing patches far outweighs the risk posed by shutting down these remote access channels. You can mitigate your exposure by configuring IPSec to block access to these channels from all sources while allowing the computer used by MBSA to use them.

To use MBSA to scan computer(s), follow these steps:


1.

Click Start, Programs, Microsoft Baseline Security Analyzer.

2.

Click Scan a computer or Scan more than one computer.

3.

If you select to Scan a computer, pick the computer by name or IP address, name the report, select options, as shown in Figure 18-27, and click Start scan.

Figure 18-27. Select reporting options before starting the scan.

[View full size image]

4.

When the scan is complete, view the report and use its results to improve security on the system.

5.

If you select to Scan more than one computer, select the computers by entering a domain name or an IP address range and select options, as shown in Figure 18-28, then click Start scan.

Figure 18-28. Scanning multiple computers requires entry of a domain name or IP address range.

[View full size image]

TIP: Review MBSA Screens for TIPs

When MBSA runs, it checks the version of its engine and checks for more up-to-date patches. Note that in Figure 18-28, MBSA is advising that a more recent version of MBSA is available. New versions of MBSA must be downloaded manually.

6.

The scanning process may take a while if many computers need to be scanned. You can stop the scanning process by clicking the Stop button. A progress report bar and a record of how many IP addresses have been checked or scanned are displayed. Scanning problems are also reported, as shown in Figure 18-29.

Figure 18-29. Scanning problems are reported at the end of a multiple computer scan.

[View full size image]

7.

When the scan is complete, select a report to review and review reports one at a time.


MBSA reports are HTML-based files. It is not possible to examine a cross section of reports; they must be viewed one at a time. You can use a command-line version of the product to produce a text-based file. The text-based file will only include information on missing patches and not vulnerability assessment information. You can then import the files, one for each computer, into an Access or SQL Server database and use database queries to obtain information. For example, if you discover that patches are not being installed on some subset of computers, you can troubleshoot the patching problems by determining if the computers have anything in common, such as operating system and service pack level, computer role, location, and so on. You can also use a query to develop a list of computers that have not received specific patches and then use the list to get the job done.

To obtain a text file report on all the computers in the chicago.local domain and put it in the file scan1.txt, use this command:


Mbsacli /hf -d chicago.local -o tab -f scan1.txt

The /hf switch specifies that the HFNetChk syntax will be used. HFNetChk is the original tool developed by Shavlik (www.shavlik.com) for Microsoft. The /d indicates that a domain will be used for the search. The o specifies the output format, and the tab indicates a tab-delimited file. By asking for this type of format, the file will be easy to import into Access. The f specifies the file name. More information on command syntax and instructions on how to use mbsacli and Access to audit patch management are included in the article "Auditing Patch Management" published in Microsoft Certified Professional Magazine at http://mcpmag.com/columns/article.asp?EditorialsID=531.

Toward a More Comprehensive Vulnerability Scan

MBSA is not a full-featured vulnerability scanner. It is a useful tool for auditing patch management and for finding some of the more egregious errors in configurationthe errors that make Windows systems vulnerable to attack. A number of products perform a more comprehensive test. Some of these products, such as NMAP (http://www.insecure.org/), look for vulnerabilities on other operating systems and can provide you with an enterprise-wide picture. You should obtain a product that can be used to scan for vulnerabilities and that can be regularly updated. Keep the following points in mind when evaluating the results of a vulnerability scan:

Does the product offer advice on mitigation? In other words, does it tell you what to do to correct the error or reduce the chance that the vulnerability will be used to compromise your network?

Does the product do an in-depth analysis? For example, instead of reporting that a specific service (such as IIS) creates a vulnerability for your network, does the tool examine your implementation of IIS by looking at the mitigation you may have already put into place, such as IIS hardening?

Can you customize the product? You may want to add your own items that should be checked but that are not in the scanner's database.

Is the scanner updatable? New vulnerabilities are discovered all the time. Can the scanner's database be updated?

Is the scanner well known in the industry? Experienced scanner users may become important resources.

Can the scanner be configured to restrict it to scanning only specific computers? It's important to be able to focus the scan on a certain area of the network or to exclude specific computers, such as those that a scan might damage.


Penetration Testing


Hardening and non-invasive scanning can go a long way in protecting your network. Taking these steps can protect systems from attackers if the mitigation you apply really does perform as advertised. If you use the advice and information provided by known authorities, you can be reasonably sure that what you have done will mitigate vulnerability. However, you cannot be 100 percent sure that

In every case, on every machine, the "fix" is correctly applied.

Audits and scans are correctly reporting the status of systems.

Every system is properly evaluated.

Some new vulnerability or new way to attack your systems was not recently developed and thus mitigation is unknown.

You and your advisors know everything there is to know and everything there is to do.


These issues, of course, have no real solution. You will never be 100 percent secure, nor 100 percent sure that you have dealt with every issue. Still, you have to try every approach. Another way to detect flaws in your defenses is to perform (or have a third-party organization perform) a penetration test (pen test). Pen tests are active tests; they attack systems. Their goal is to compromise systems. Therefore, to get good results, make sure pen tests are performed by someone with no interest in proving that your organization's security is good. This is not to say that an authorized employee should not perform a pen test, but simply that she should not be the only one performing a test. Pen tests are now part of many audits performed by information security auditing firms. There are also many information security companies that also perform these tests. Carefully consider the experience and background of the organization and the individuals it uses to perform these tests.

WARNING: Do Not Perform Pen Tests without Written Authority

There is no way to determine "intent" when examining the results of an attack on a computer system. If you perform a penetration test, you are attacking a computer system. If you do not have written permission to test security in this way, you could easily find yourself accused of a crime.


/ 194