
Module 14: Configuring Server Security Compliance
Module Overview
• Securing a Windows Infrastructure

• Using Security Templates to Secure Servers

• Configuring an Audit Policy

• Overview of Windows Server Update Services

• Managing WSUS
Lesson 1: Securing a Windows Infrastructure
• Challenges of Securing a Windows Infrastructure

• Applying Defense-in-Depth to Increase Security

• Core Server Security Practices

• What Is the Security Configuration Wizard?

• What Is Windows Firewall?

• Demonstration: Using the Security Configuration Wizard to Secure Server Roles
Challenges of Securing a Windows Infrastructure

Challenges of securing a Windows infrastructure include:

• Implementing and managing secure configuration of servers
• Protecting against malicious software threats and intrusions
• Implementing effective identity and access control
Applying Defense-in-Depth to Increase Security

Defense-in-depth provides multiple layers of defense to protect a networking environment:

• Data: ACLs, encryption, EFS
• Application: Application hardening, antivirus
• Host: OS hardening, authentication
• Internal Network: Network segments, IPsec
• Perimeter: Firewalls
• Physical Security: Guards, locks
• Policies, Procedures, & Awareness: Security documents, user education
Core Server Security Practices

• Apply the latest service pack and all available security updates
• Use the Security Configuration Wizard to scan and implement server security
• Use Group Policy and security templates to harden servers
• Restrict scope of access for service accounts
• Restrict who can log on locally to servers
• Restrict physical and network access to servers


What Is the Security Configuration Wizard?

SCW provides guided attack-surface reduction:

• Disables unnecessary services and IIS Web extensions
• Uses IPsec to block unused ports and secure ports that are left open
• Reduces protocol exposure
• Configures audit settings

SCW supports:

• Rollback
• Analysis
• Remote configuration
• Command-line support
• Active Directory integration
• Policy editing
What Is Windows Firewall?

Windows Firewall is a stateful host-based application that provides the following features:

• Filters both incoming and outgoing network traffic
• Integrates both firewall filtering and IPsec protection settings
• Can be managed by the Control Panel tool or by the more advanced Windows Firewall with Advanced Security MMC console
• Provides Group Policy support
• Enabled by default in new installs
Demonstration: Using the Security Configuration Wizard to Secure Server Roles

In this demonstration, you will see how to implement security using the Security Configuration Wizard
Lesson 2: Using Security Templates to Secure Servers
• What Is a Security Policy?

• What Are Security Templates?

• Demonstration: Configuring Security Template Settings

• What Is the Security Configuration and Analysis Tool?

• Demonstration: Analyzing Security Policy Using the Security Configuration and Analysis Tool
What Is a Security Policy?

A Security Policy is a combination of security settings to be applied to a computer

Local Security Policies include:

• Account Policies
• Local Policies
• Windows Firewall with Advanced Security
• Public Key Policies
• Software Restriction Policies
• IP Security Policies on Local Computer

Active Directory Security Policies include:

• Event Log
• Restricted Groups
• System Services
• Registry
• File System
• Wired and Wireless Network Policies
• Network Access Protection
• IP Security Policies on Active Directory
What Are Security Templates?

A security template is a collection of configured security settings used to apply a security policy

Security Templates:

• Created and modified using the Security Templates MMC snap-in
• Default security templates stored in %SystemRoot%\Security\Templates
• Custom security templates are stored in local user profile folder

Deployment Considerations:

• Create templates based upon server role
• Deploy to individual computers using the SECEDIT command
• Deploy to groups of computers using Group Policy
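
Added example (not part of the course material): checking a role template against a server with SECEDIT before deploying it, with analysis as the default and configuration only on request. The working folder, the template name and the template contents are constructed for illustration, and the "Mismatch" wording in the analysis log is an assumption.

```powershell
# Run from an elevated prompt. Without -Apply the script only analyzes.
param([switch]$Apply)

$work = Join-Path $env:TEMP 'sectemplate-demo'   # hypothetical working folder
New-Item -ItemType Directory -Path $work -Force | Out-Null
$cfg = Join-Path $work 'dhcp-role.inf'           # hypothetical role template
$db  = Join-Path $work 'dhcp-role.sdb'           # analysis database built from it
$log = Join-Path $work 'analyze.log'

# Constructed template: password length, audit settings (3 = success and failure),
# and local logon restricted to the built-in Administrators group (S-1-5-32-544).
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 12
[Event Audit]
AuditLogonEvents = 3
AuditObjectAccess = 3
AuditPolicyChange = 3
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544
'@ | Set-Content -Path $cfg -Encoding Unicode

# Keep a copy of the current local settings for comparison after a change.
secedit /export /cfg (Join-Path $work 'before.inf') /quiet

# Compare the computer with the template; nothing is changed by /analyze.
secedit /analyze /db $db /cfg $cfg /overwrite /log $log /quiet
# Assumption: differing settings are logged on lines containing "Mismatch".
$mismatches = @(Get-Content -Path $log | Where-Object { $_ -match 'Mismatch' })
'{0} setting(s) differ from the template' -f $mismatches.Count
$mismatches

if ($Apply) {
    # Apply only the areas this template defines.
    secedit /configure /db $db /cfg $cfg /overwrite /areas SECURITYPOLICY USER_RIGHTS `
        /log (Join-Path $work 'configure.log') /quiet
    if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE" }
}
```

On a domain member, settings delivered by Group Policy take precedence over what SECEDIT applies locally.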
Demonstration: Configuring Security Template Settings
In this demonstration, you will see how to:
• Add the Security Templates snap-in and configure a custom security template for the DHCP server role
• Import a security template into Active Directory
What Is the Security Configuration and Analysis Tool?
Demonstration: Analyzing Security Policy Using the Security Configuration and Analysis Tool

In this demonstration, you will see how to use the Security Configuration and Analysis Tool to analyze and configure local security policy settings
Lesson 3: Configuring an Audit Policy
• What Is Auditing?

• What Is an Audit Policy?

• Types of Events to Audit

• Demonstration: How to Configure Auditing


What Is Auditing?

• Auditing tracks user and operating system activities, and records selected events in security logs, such as:
  • What occurred?
  • Who did it?
  • When?
  • What was the result?

• Enable auditing to:
  • Create a baseline
  • Detect threats and attacks
  • Determine damages
  • Prevent further damage

• Audit access to objects, management of accounts, and users logging on and off
What Is an Audit Policy?

• An audit policy determines the security events that will be reported to the network administrator
• Set up an audit policy to:
  • Track success or failure of events
  • Minimize unauthorized use of resources
  • Maintain a record of activity
• Security events are stored in security logs
Types of Events to Audit

• Account Logon
• Account Management
• Directory Service Access
• Directory Service Changes
• Directory Service Replication
• Detailed Directory Service Replication
• Logon
• Object Access
• Policy Change
• Privilege Use
• Process Tracking
• System
Demonstration: How to Configure Auditing
In this demonstration, you will see how to:
• Enable auditing for various events

• Enable object access auditing
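
Added example (not part of the course material): object access auditing needs both the audit policy and an audit entry (SACL) on the object itself, shown here for one folder. The folder path is a placeholder, and the category and subcategory names assume an English-language system.

```powershell
# Run from an elevated prompt.
$folder = 'C:\Data\Payroll'      # hypothetical folder to monitor

# Step 1: turn on the policy. Only the File System subcategory of Object Access
# is enabled, which keeps the number of recorded events down.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /get /category:"Object Access"

# Step 2: add an audit entry to the folder. Without a SACL on the object,
# no access events are written even when the policy is enabled.
$acl  = Get-Acl -Path $folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList `
    'Everyone', 'Write, Delete', 'ContainerInherit, ObjectInherit', 'None', 'Success, Failure'
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Step 3: read the SACL back to confirm the entry is in place.
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# Step 4: review recent object access events (event ID 4663) in the Security log.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 20 `
    -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        # Index the event's named data fields so they can be read by name.
        ([xml]$evt.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }
        '{0}  {1}  {2}' -f $evt.TimeCreated, $data['SubjectUserName'], $data['ObjectName']
    }
```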


Lesson 4: Overview of Windows Server Update Services
• What Is Windows Server Update Services?

• Windows Server Update Services Process

• Server Requirements for WSUS

• Automatic Updates Configuration

• Demonstration: Installing and Configuring WSUS


What Is Windows Server Update Services?

[Diagram: Microsoft Update Web site (Internet); server running Windows Server Update Services; test clients and Automatic Updates clients (LAN)]
Windows Server Update Services Process
Update management cycle: Assess, Identify, Evaluate and Plan, Deploy

Phase 1: Assess
• Set up a production environment that will support update management for both routine and emergency scenarios

Phase 2: Identify
• Discover new updates in a convenient manner
• Determine whether updates are relevant to the production environment

Phase 3: Evaluate and Plan
• Test updates in an environment that resembles, but is separate from, the production environment
• Determine the tasks necessary to deploy updates into production, plan the update releases, build the releases, and then conduct acceptance testing of the releases

Phase 4: Deploy
• Approve and schedule update installations
• Review the process after the deployment is complete
Server Requirements for WSUS

Software requirements:

• Windows Server 2003 SP1 or Windows Server 2008
• IIS 6.0 or later
• Windows Installer 3.1 or later
• Microsoft .NET Framework 2.0
• SQL Server 2005 SP1 or later (optional)
• Microsoft Report Viewer Redistributable 2005
Automatic Updates Configuration

• Configure Automatic Updates by using Group Policy:
  Computer Configuration/Administrative Templates/Windows Components/Windows Update
• Requires updated wuau.adm administrative template
• Requires:
  • Windows Vista
  • Windows Server 2008
  • Windows Server 2003
  • Windows XP Professional SP2
  • Windows 2000 Professional SP4, Windows 2000 Server/Advanced Server SP3 or SP4
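
Added example (not part of the course material): a check, run on a client, that the Windows Update Group Policy settings arrived and point the client at a WSUS server. The function name Get-WsusClientPolicy is hypothetical; the registry values are the ones the Windows Update policy writes.

```powershell
function Get-WsusClientPolicy {
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path (Join-Path $wuKey 'AU') -ErrorAction SilentlyContinue

    # Meaning of the AUOptions policy value.
    $options = @{
        2 = 'Notify before download'
        3 = 'Download automatically, notify before install'
        4 = 'Download automatically, install on schedule'
        5 = 'Local administrator chooses the setting'
    }

    $findings = @()
    if (-not $wu -or -not $au) {
        $findings += 'No Windows Update policy found: the GPO has not been applied'
    } else {
        if ($au.UseWUServer -ne 1) { $findings += 'UseWUServer is not 1: client uses Microsoft Update directly' }
        if (-not $wu.WUServer)     { $findings += 'WUServer is empty: no WSUS server configured' }
        if ($au.NoAutoUpdate -eq 1) { $findings += 'NoAutoUpdate is 1: Automatic Updates is disabled' }
    }

    # Missing values come back as $null and are reported as empty fields.
    $mode = $null
    if ($au -and $au.AUOptions) { $mode = $options[[int]$au.AUOptions] }

    New-Object psobject -Property @{
        WsusServer   = $(if ($wu) { $wu.WUServer })
        StatusServer = $(if ($wu) { $wu.WUStatusServer })
        TargetGroup  = $(if ($wu) { $wu.TargetGroup })   # set by client-side targeting
        UpdateMode   = $mode
        Findings     = $findings
    }
}

Get-WsusClientPolicy | Format-List WsusServer, StatusServer, TargetGroup, UpdateMode, Findings
```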
Demonstration: Installing and Configuring WSUS
In this demonstration, you will see how to:
• Install WSUS

• Configure Automatic Update client settings using Group Policy
Lesson 5: Managing WSUS
• WSUS Administration

• Managing Computer Groups

• Approving Updates

• Demonstration: Managing WSUS


WSUS Administration
Managing Computer Groups

• Computers are automatically added
• Default computer groups
  • All Computers
  • Unassigned Computers
• Client-side targeting
Approving Updates

• Approval options include:
  • Install
  • Decline
  • Unapprove
  • Removal
• Automated approval is also supported
Demonstration: Managing WSUS
In this demonstration, you will see how to:
• Add a computer to WSUS

• Approve an update
Lab: Configuring Server Security Compliance
• Exercise 1: Configuring and Analyzing Security

• Exercise 2: Analyzing Security Templates

• Exercise 3: Configuring Windows Software Update Services

Logon information
Virtual machine: NYC-DC1, NYC-SVR1, and NYC-CL2
User name: Administrator
Password: Pa$$w0rd

Estimated time: 90 minutes


Lab Review
• What recourse do you have if the desired result is not met
when applying changes using the Security Configuration
Wizard to secure server infrastructure?
• How can you verify compatibility with existing settings
before you apply a template to a GPO for deployment or
apply the template to a local computer?
• After installing the WSUS server software, a wizard
appears to help you with the configuration of WSUS
properties. How can you change any incorrectly assigned
properties after the wizard has been completed?
Module Review and Takeaways
• Review Questions

• Best Practices
Course Evaluation
