Professional Windows Server 2003 Security: A Technical Reference [Electronic resources]

Roberta Bragg

Controlling Access to Web Folders Using WebDAV


Web-based Distributed Authoring and Versioning (WebDAV) is an extension to the HTTP/1.1 standard that allows clients to remotely publish, lock, and manage resources on the web. Before you discount this technique as just another way to update websites, and thus an area of concern only for those responsible for website security, think again.

WebDAV can be used to transfer data to and from a web folder for which the user is given permissions. The data does not have to be HTML files or web-executable scripts and programs. It can be Word files, text files, or any kind of file.

WebDAV folders allow properly permissioned users to copy and move files around in the WebDAV directory.

If permissioned, users can retrieve and modify file properties.

Multiple users can read a file concurrently, but only one user can modify a file at a time. (Files can be locked and unlocked.)

Web folders can easily be created on any IIS server. The permissions assigned to these folders determine who can transfer data files to them.


Since these are the very things that server message block (SMB) shares allow users to do on a remote server, WebDAV should loom as large on your security horizon as SMB-based shares. (And perhaps it should be considered as a valid substitute for SMB-based shares, if properly secured.) Table 5-6 presents the similarities and differences between WebDAV publishing and SMB-based sharing.

Table 5-6. WebDAV Versus SMB Shares

| Item | WebDAV | SMB Shares |
|---|---|---|
| Service | Requires IIS. | Requires File and Printer Sharing enabled, Server service. |
| Who can access data and what they can do | Depends on permissions assigned. | Depends on permissions assigned. |
| Default permissions | Read. | Everyone Read. |
| Effect of underlying NTFS permissions | Most restrictive wins. | Most restrictive wins. |
| Created | A virtual directory must be created on a website. | A folder on the file server must be shared. |
| Authentication | Anonymous and Windows Integrated available on website by default. | Windows authentication required. |
| Authentication settings | Available at folder level. | Available at computer and domain level. |
| Clients | Windows 2000 and Windows XP; Internet Explorer 5.0 and 6.0; Microsoft Office 2000, 2003, and Office XP. | All Windows and DOS clients with networking. |
| Connection | Windows XP and 2000: add the directory to the list of network places, or use the command line. Internet Explorer 5.0 and 6.0: open the target directory as a web folder. | Map drives, browse to drives, net share command. |
| Drag and drop? | Drag and drop file publishing. | Drag and drop file copies. |
| Command line | Set up connection using net use and a UNC-formatted location. Uses the WebDAV redirector. | Set up connection using net use and a UNC-formatted location. Uses SMB. |

WebDAV is not new to Windows Server 2003, but implementation changes in Windows Server 2003 mean that a user on Windows XP or Windows Server 2003 can use simple UNC-based connections to copy files to WebDAV folders, as well as browser-based publication. For example, connecting to a WebDAV folder is now similar to connecting to a share. If the name of a WebDAV folder is HR Feedback and it resides on the server IAM, a user can connect using the net use command. Windows will also look for the virtual directory HR Feedback using HTTP and make a new network connection:


rem Both forms reach the same virtual directory; quotes are required because the name contains a space.
net use "\\iam\HR Feedback"
net use * "http://IAM/HR Feedback"

WebDAV cannot be used by default to provide access to data on Windows Server 2003 because IIS is not installed by default. Even if IIS is installed, WebDAV is not enabled by default. To use WebDAV, IIS must be installed, and WebDAV must be enabled. However, once enabled, clients can connect to and use WebDAV folders across a firewall if port 80 is open to the server. Unlike SMB ports, there is no special WebDAV port, so you cannot provide access to a website and block access to WebDAV shared data by setting firewall ports. Since port 80 is often open to allow access to a web server, and WebDAV uses HTTP, clients can connect to and publish and manipulate files on servers where connections to SMB shares are blocked. This is important to remember. For years, the security community has advised against allowing access to SMB shares over the Internet (and has not been entirely successful in convincing companies and individuals to follow that advice). Now, if WebDAV publishing is enabled, and access to the website is allowed, a connection is possible via the Internet right through the firewall. It is for this reason that you must develop a policy concerning when WebDAV is allowed, whether it is allowed on Internet-accessible web servers, and how permissions and web server authentication will be configured to ensure the least risk of intrusion.

WebDAV permissions are not meant to replace NTFS permissions; they are meant to be used with NTFS permissions. Like share permissions, WebDAV permissions combine with the underlying NTFS permissions, and the most restrictive permission is the one that will be used. However, unlike share permissions, WebDAV permissions affect every user. You cannot give Read permission to one group of users and not to another. However, you can use the underlying NTFS permissions to implicitly or explicitly deny groups of users that you don't wish to read the files. Table 5-7 lists and describes the WebDAV permissions.

Table 5-7. WebDAV Permissions Are Virtual Directory Permissions

| Permission | Description |
|---|---|
| Read | View directory and file content and properties. |
| Write | Change directory and file content and properties: modify files, change properties, publish files to the folder. |
| Directory Browsing (called Browse in the wizard) | View a list of the contents. |
| Script Source Access | If enabled, users can read source code for scripts. If disabled, they cannot. |
| Execute: None, Scripts Only, or Scripts and Executables | None: no scripts or executables can be run. Scripts Only: run only scripts on the server. Scripts and Executables: both scripts and executables can be run. (Only one Execute permission can be assigned.) |

Enabling Script Source Access is a bad idea because users can read and possibly modify scripts. (If Script Source Access is enabled and either Write or Read is also assigned, users can access source files. If Write is assigned, then users can modify scripts.) It is always a good practice to place scripts and executable files in a separate folder on a website, and then set appropriate permissions. For example, set Execute permission on a folder that contains scripts and executables that users should be allowed to run, set Read permission on folders used to make stored files available for reading, and set Write permission on folders used for file publishing. Never set both Execute and Write permissions on the same folder, because a malicious user could then publish a script to the folder and run it. Scripts may also contain sensitive information such as passwords and therefore should not be readable by all users.

Appropriate WebDAV permission combinations are as follows:

Read, Write, and Directory Browsing enabled: Clients can see a list of resources, modify them, publish their own resources, and manipulate files.

Write enabled, Read and Directory Browsing disabled: Clients can publish information but cannot list or read anything published.

Read and Write enabled, Directory Browsing disabled: Clients can open and read the files whose names they know and publish files to the folder, but they cannot list the contents of the folder.


The Write permission does not provide clients with the ability to modify script-mapped files. Script-mapped files are Active Server Pages (ASP) and others. To modify these files, both Write and Script Source Access must be assigned.

To create a publishing directory, enable WebDAV, create a directory to share and assign NTFS permissions, create a virtual directory on IIS, and configure virtual directory permissions.

Enable WebDAV


When IIS is installed, WebDAV is not enabled. To enable WebDAV, do the following:


1. Open the Internet Information Services (IIS) Manager and note that WebDAV is not enabled, as shown in Figure 5-23.

Figure 5-23. WebDAV is not enabled by default.


2. Select the task Allow all Web service extensions for a specific application and then select WebDAV from the drop-down box.

3. Click OK to enable WebDAV.


Create a Folder to Share and Set NTFS Permissions


Create a file system folder where files to be shared will be placed. Set appropriate NTFS permissions on the folder. For example, if the folder will be a repository where accountants may store and modify files, NTFS permissions should give the Accountants group Modify permission. Full Control would not be required.

Create a Virtual Directory


The next step is to create a virtual directory on the web server that points to the created folder:


1. Open the Internet Information Services (IIS) Manager.

2. Right-click on the website and select New, Virtual Directory, and then click Next.

3. Enter an alias (the name of the WebDAV folder) for the directory.

4. Use the Browse button to browse to and select the folder created earlier, and then click Next.

5. Assign virtual directory permissions, as shown in Figure 5-24. In this example, Read (read contents of a file) and Write (access and change source of script and publish files) were selected. (If scripts or Common Gateway Interface files must be executed, the Read and Execute permissions need to be applied. In this case, the stated purpose is to store and access files. It is always a poor practice to allow Write and Execute permissions on web folders because a malicious script might be written to the folder and then executed.)

Figure 5-24. Assign virtual directory permissions.

6. Click Next and then click Finish.


Configure Virtual Directory Security


The wizard does not allow completion of security configuration. Immediately after creating the virtual directory and before allowing client access, care should be taken to apply further security:


1. Right-click on the new virtual directory and select Properties.

2. On the Virtual Directory page, as shown in Figure 5-25, note that indexing and log visits are selected by default. Confirm that the permission settings here match what is required on the site. If searching is required, make sure that the indexing service is running.

Figure 5-25. Confirm permission settings on the virtual directory.

3. Select the Directory Security page, and then click the Edit button to edit Authentication and access control.

4. Clear the Enable Anonymous Access check box. Ensure that Integrated Windows authentication is checked, as shown in Figure 5-26, or that the appropriate authentication mechanism for your organization is selected.

Figure 5-26. Disable anonymous access to WebDAV folders.
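The four steps above as one script, an added example that is not from the book: it drives the IIS 6 metabase through ADSI and sets the same permissions the wizard and property pages expose. The site ID (1, the Default Web Site), the alias HRFeedback, the folder D:\WebDAV\HRFeedback, and the group IAM\Accountants are assumed values; the web service extension name is assumed to match the ID that iisext.vbs /ListExt reports for WebDAV.

```vbscript
Option Explicit
' Assumed values (not from the book): change to match your server.
Const SITE_PATH = "IIS://localhost/W3SVC/1/ROOT"   ' site ID 1 = Default Web Site
Const ALIAS     = "HRFeedback"                       ' virtual directory alias
Const FOLDER    = "D:\WebDAV\HRFeedback"             ' must be on an NTFS volume
Const GROUP     = "IAM\Accountants"                  ' group that publishes files

Dim shell, fso, svc, root, vdir
Set shell = CreateObject("WScript.Shell")
Set fso   = CreateObject("Scripting.FileSystemObject")

' 1. Enable the WebDAV web service extension (the IIS Manager task in
'    Figure 5-23). The name must match the ID shown by "iisext.vbs /ListExt".
Set svc = GetObject("IIS://localhost/W3SVC")
svc.EnableWebServiceExtension "WebDAV"

' 2. Create the folder and give the group Modify (cacls "C" = Change),
'    not Full Control. /E edits the existing ACL instead of replacing it.
If Not fso.FolderExists(FOLDER) Then fso.CreateFolder FOLDER
shell.Run "cacls """ & FOLDER & """ /E /G """ & GROUP & """:C", 0, True

' 3. Create the virtual directory that points at the folder.
Set root = GetObject(SITE_PATH)
Set vdir = root.Create("IIsWebVirtualDir", ALIAS)
vdir.Path = FOLDER
vdir.SetInfo

' 4. Virtual directory permissions for a store-and-access folder: Read,
'    Write and Directory Browsing only. No Execute/Scripts (Write + Execute
'    lets a published script run) and no Script Source Access (Write +
'    Source lets users modify scripts).
vdir.AccessRead        = True
vdir.AccessWrite       = True
vdir.AccessScript      = False
vdir.AccessExecute     = False
vdir.AccessSource      = False
vdir.EnableDirBrowsing = True

' Directory Security (Figure 5-26): no anonymous access, Integrated
' Windows authentication only.
vdir.AuthAnonymous = False
vdir.AuthNTLM      = True
vdir.AuthBasic     = False
vdir.SetInfo

WScript.Echo "Created WebDAV publishing directory /" & ALIAS & " -> " & FOLDER
```

Run it with cscript from an administrative command prompt on the IIS server; the folder and group must exist on an NTFS volume and in the domain respectively.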


Client Side Configuration


Once WebDAV has been configured, enable and start the Web Client service on the client to take full advantage of the benefits. The Web Client service is disabled by default.

WebDAV may already be in use in your organization. To make sure it does not become a vector for data misuse in your organization, follow these best practices:

Ensure WebDAV directories reside on NTFS-formatted volumes.

Assign NTFS permissions on files and folders in the WebDAV directory.

Use web folder permissions.

Insist on Windows authentication on the intranet.

If basic authentication must be used on the Internet, protect it with SSL.
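An added audit script (not from the book) that walks every directory under a site and reports the permission combinations this section and Table 5-7 warn against, plus anonymous access on writable folders and basic authentication without SSL; the site ID 1 is an assumption, and settings inherited from a parent are reported as the metabase resolves them.

```vbscript
Option Explicit
Const SITE_PATH = "IIS://localhost/W3SVC/1/ROOT"   ' assumed: site ID 1

' Report the risky settings for one directory; returns the number found.
Function AuditDir(d)
    Dim n: n = 0
    ' Write with Execute or Scripts: a user can publish a script, then run it.
    If d.AccessWrite And (d.AccessExecute Or d.AccessScript) Then
        WScript.Echo d.Name & ": Write combined with Execute/Scripts"
        n = n + 1
    End If
    ' Write with Script Source Access: script-mapped files can be modified.
    If d.AccessWrite And d.AccessSource Then
        WScript.Echo d.Name & ": Write combined with Script Source Access"
        n = n + 1
    End If
    ' Read with Script Source Access: script contents (passwords) are readable.
    If d.AccessRead And d.AccessSource Then
        WScript.Echo d.Name & ": Read combined with Script Source Access"
        n = n + 1
    End If
    ' Anonymous access on a folder that accepts published files.
    If d.AccessWrite And d.AuthAnonymous Then
        WScript.Echo d.Name & ": anonymous access on a writable folder"
        n = n + 1
    End If
    ' Basic authentication without SSL sends passwords in the clear.
    If d.AuthBasic And Not d.AccessSSL Then
        WScript.Echo d.Name & ": Basic authentication without SSL"
        n = n + 1
    End If
    AuditDir = n
End Function

' Walk the site tree: virtual directories and directories with their own
' settings are both metabase nodes under the site ROOT.
Sub Walk(node, ByRef total)
    Dim child
    For Each child In node
        If child.Class = "IIsWebVirtualDir" Or child.Class = "IIsWebDirectory" Then
            total = total + AuditDir(child)
            Walk child, total
        End If
    Next
End Sub

Dim root, total: total = 0
Set root = GetObject(SITE_PATH)
total = AuditDir(root)
Walk root, total
WScript.Echo total & " finding(s) under " & SITE_PATH
```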


