CIS 288 WEEK 2: Securing Servers Based on Function Slide 1 Introduction Welcome to week 2 of C-I-S 288: Security Design

in a Windows 2003 Environment. In the previous lesson we discussed the design of a secure network framework. In this week we will discuss securing servers based on function. Next Slide: Slide 2 Objectives When you complete this lesson you will be able to: Define a baseline security template for all systems; Design security for servers that have specific roles; And Create a plan to modify baseline security templates according to role. Next Slide: Slide 3 Defining a Baseline Security Template Securing servers is critical in todays environment where corporations run their businesses via electronic networks. To assist in managing large networks, Windows Server 2003 includes predefined security templates. These templates allow the network administrator to use or modify predefined settings that can be applied to any number of similar computers in a network. The task of securing servers is both simplified and enhanced, since templates reduce the likelihood of error or omission when designing security for the enterprise. Windows Server 2003 contains several administrative security tools that together form a comprehensive interface for managing a secure environment. Collectively, these tools are called the Security Configuration Tool Set or the Security Configuration Manager, and have the following elements: Security Configuration and Analysis snap-in, Security Templates snap-in, Command-line tool Sec-Editdot-E-X-E, Security Extensions to Group Policy, and H-FNet-C-H-K-dot-E-X-E and M-B-S-A. Next Slide:

Slide 4

Best Practices for Security Templates

Windows Server 2003 provides a number of predefined security templates. Before working with the templates, its a good idea to review best practices as they relate to these security templates. They include 6 different steps: Always test security templates; Never edit the Setup security-dot-inf file; Do not apply the Setup security-dot-inf file via group policy; Never apply the compatible template to D-Cs, as this will expose your D-Cs to serious security risks. Always save modifications to templates as a different filename to preserve the original security template; And Thoroughly document all changes you make to each template. Next Slide: Windows Server 2003 provides several different security templates, each of which applies a different group of security policy settings for distinct security needs. The release of Windows Server 2003 represents a departure from the way Microsoft has implemented security in the past. These predefined templates can be modified, although the default settings are more secure than were the default settings in previous Windows Server products. The templates included in Windows server 2003 are: Default security; Domain controller default security; Compatible; Secure; Highly secure; system root security; and No terminal server user S-I-D. Each security template is designed with the assumptions that it will be applied to computers that use the default security settings. Next Slide:

Slide 5

Windows Server 2003 Predefined Security Templates

Slide 6

Configuring Security Templates

Now that weve listed the predefined security templates in Windows Server 2003, you can learn how to configure these templates to set Registry and file system permissions, account and auditing policies, user rights and more. Its important not to modify the predefined templates provided in Windows Server 2003. Instead, select a template and save it with a different name to create a duplicate copy. Then, modify the copy of the template to ensure that the original file is always available both as a backup and as a method of comparing baselines to modified settings. Each template has settings related to various areas of security. When you look at the security templates you open in the M-M-C, you can see a listing that could be expanded. If you examined the tree, you saw that each template had the same elements, although the specific settings for each template differ. These areas are account policies, local policies, event log, restricted groups, system services, Registry, and file system. Each one of these areas represents different security settings. It is to your advantage to go through each one of these sections to familiarize yourself with their functions.

Slide 7

Next Slide: Configuring A down-level client is a computer that is running an Security for operating system that was released prior to the current Down-Level version. Although a computer running Windows 2000 is now considered a down-level client, Windows 2000 computers are closely compatible with Windows Server 2003. If you have down-level clients, you must be careful when using the secure-dot-inf and H-I-Sec-dot-inf templates. Depending on the operating system is use, the clients might not be able to use the N-T-L-M version 2 authentication tool. Microsoft released Active Directory Client Services extensions for Windows 95 , 98 and Windows N-T fourpoint-zero S-P-6-A around the same time it released Windows 2000. These extensions enable Active Directory interaction with these down-level clients. The extensions provide some, but not all, Active Directory services. The features are summarized on the table shown on this slide.

Slide 8

Deploying Security Templates

Next Slide: Now that we briefly discussed the various predefined security templates; we will focus on how these templates can be deployed across the network from one to tenthousand computers. Security settings can be analyzed and configured via the Security Configuration and Analysis snap-in, but this will only allow you to apply security settings to the local computer. If you configure security for a domain or O-U using the Security configuration and Analysis snap-in, youd have to configure each client individually. This might not be a major problem in a five or ten computer network, but it becomes unwieldy in a larger network. In this case, there are three options for applying security templates on a large number of computers. The first option is to use Secure Templates to create a template and then apply it to the appropriate G-P-O. You can also use the Security Extension to Group Policy to edit individual security settings on a G-PO. You can also use scripting to apply these security template settings. Next Slide: The baseline security established on a Windows server 2003 system is generated from the Setup security-dot-inf template. Although this sets a known starting point, its important to apply additional security templates based on the role of the computer. In this section, were going to discuss the types of server roles and which predefined templates might be most appropriate. It is recommended that you follow these steps in creating a secure environment for your network: Begin with Setup security-dot-inf. If needed, apply sections of the template to computers that might have been upgraded or modified. Specific sections can be applied via the secedit command-line tool. Apply the predefined templates to servers based on roles in a test environment. Test security on the network. And If you modified security settings via extensions in Group Policy, you might want to use the G-P-Update command-line tool to force refresh of Group Policy so you can see results immediately. Next Slide:

Slide 9

Design Security for Servers that have Specific Roles

Slide 10

Design Security for Servers that have Specific Roles

Although every organization is a bit different, there are common roles that servers play in most organizations. Microsoft Windows Server 2003 identifies these types of servers: File server, print server, application server, mail server, terminal server, remote access/ V-P-N server, Domain controller, D-H-C-P server, D-N-S server, Wins server, and Streaming Media Server. Next we will discuss security considerations for computers in these different roles. Next Slide:

Slide 11

Server Security Best Practices

We will now discuss best practices as it relates to server security. They include: Keep D-Cs in an access-controlled location; Always perform tasks on the servers with the least possible privileges; Restrict user and machine access to groups that have loose security settings; Secure the data on the computers using strong access control lists and the syskey utility; Require the use of strong passwords via the Password Policy settings; Restrict the downloading and installation of programs that do not come from known, trusted sources; Maintain up-to-date virus protection on all systems; And keep all software patches up to date. When you first install Windows Server 2003, you will choose what role or function it will play. If you want to add or change roles after the operating system has been installed, you can use the Configure Your Server Wizard. Next Slide:

Slide 12

Configuring Security for Domain Controllers

D-Cs, or Domain controllers, are the heart of any Windows-based network. As their name implies, they control activities on the domain. Their roles can be limited to just one function, or the D-C can be configured to have several related functions. This decision is typically based on the size of the network and the number of users and processes that will access the D-C. The most common threats to D-Cs are those that attempt to gain access to the security database on a D-C. The D-C contains all user accounts and passwords, so accessing this computer provides a hacker almost unlimited access to the network. The Active Directory database on a D-C is a virtual gold mine for hackers. Another method hackers have is by taking removable media from a sensitive server to a computer on which they have full administrative rights.

Slide 13

Digitally Signing Authenticati on Traffic

Next Slide: When a computer is joined to a domain, a computer account is established. In order to communicate with the D-C, it must be authenticated. Three settings can be used to determine whether signed and encrypted authentication is used. The three G-P-O settings that deal specifically with digitally signing authentication traffic are: Digitally encrypt or sign secure channel data always; Digitally encrypt secure channel data when possible; and digitally sign secure channel data when possible. These can be accessed via the three D-C security templates in the Local Policies Security Options section of each template. Next Slide:

Slide 14

Configuring Security for POP3 Mail Servers

If you want to provide POP three and S-M-T-P access to users and applications, youll need to set your server up as a mail server. As with other server roles, this is done via the Configure Your Server Wizard located in Administrative tools. POP servers are often targeted by hackers because these servers provide access to e-mail user accounts and passwords. There are two major considerations for POP three servers: determine the proper level of security, and determine the authentication methods to be used. It is important to familiarize yourself with not only securing Mail servers, but also all the other types of servers which were mentioned earlier in this lesson. Shown on this slide is a summary of services for server roles.

Slide 15

Modifying Baseline Security Templates According to Role

Next Slide: The tables shown on the next three slides show the server roles and security templates that can be applied to each role. As you plan your server security, youll need to logically group your servers based on roles. Since each organization might implement server roles somewhat differently, the data in the table is simply one model. In many cases these predefined templates will meet a wide array of security needs for many different types of firms. Although you can modify security settings without using the templates, the templates provide an excellent tool for managing security settings by providing a consistent framework in which to work. The key is planning testing, evaluating, and documenting changes before implementing them in the enterprise.

Slide 16

Modifying Baseline Security Templates According to Role

Next Slide: On this slide the server roles that are shown are: application servers, mail servers, infrastructure servers, and file, print and member servers. Next Slide:

Slide 17

Modifying Baseline Security Templates According to Role Summary

On this slide the server roles that are shown are: terminal server, remote access server, and streaming Media Server. Next Slide:

Slide 18

We have reached the end of this lesson. Lets take a look at what we have covered. The first half of this lesson was focused on baseline security templates. Windows Server 2003 provides several different security templates, each of which applies a different group of security policy settings for distinct security needs. The release of Windows Server 2003 represents a departure from the way Microsoft has implemented security in the past. These predefined templates can be modified, although the default settings are more secure than were the default settings in previous Windows Server products. The templates included in Windows server 2003 are: Default security; Domain controller default security; Compatible; Secure; Highly secure; system root security; and No terminal server user S-I-D. The second half of this lesson focused on securing servers that have specific roles. Microsoft Windows Server 2003 identifies these types of servers: File server, print server, application server, mail server, terminal server, remote access/ V-P-N server, Domain controller, D-H-C-P server, D-N-S server, Wins server, and Streaming Media Server. Each one of these server roles have assigned templates and different ways of modifying these templates to make the servers more secure. The tables that were shown at the end of this lesson depict each of these server roles.