Securing Windows Server 2003

Book Description

With the success of computer viruses like Slammer, security issues are now a top priority for Windows system administrators, right alongside day-to-day tasks such as setting up accounts and managing performance. If you use Windows 2003 Server at a small to medium-sized organization, or use Microsoft's Small Business Server, this thorough yet concise tutorial offers the hands-on advice you need for securing your network. Modern network operating systems include bundled services that range from traditional file and print sharing and Internet services to authentication, directory, and remote access services, each of which is a capability and also a potential security vulnerability. Securing Windows Server 2003 shows you how to put Windows security tools to work, and how to run the server's subsystems to protect users and resources. But that's just the beginning. Network security needs to be well thought out, not treated as a fire drill when a threat occurs. This book focuses primarily on ways to plan and implement a secure operating environment. Microsoft security veteran Mike Danseglio uses real-world examples to show you how various security concepts relate to your own system, including:

  • File System Security

  • Group Policy and security templates

  • Running secure code

  • Authentication

  • IP security

  • Public Key Certificates and Public Key Infrastructure

  • Smart Card technology

  • DHCP and DNS security

  • Internet Information Services security

  • Active Directory security

  • Remote access security

  • Security audits

  • Sending secure email, and more

Many chapters include a debate, in which fictional protagonists discuss the pros and cons of a particular strategy or solution. These debates provide an objective look at competing methodologies, so you can select the solutions that best fit your network. Read this book cover to cover to create and implement a security plan, or use individual chapters as stand-alone lessons. Either way, Securing Windows Server 2003 will guide you safely through the morass of security threats.

Table of Contents

  1. Securing Windows Server 2003
    1. Preface
      1. What’s in This Book?
      2. Audience
      3. About This Book
      4. Assumptions This Book Makes
      5. Conventions Used in This Book
      6. Comments and Questions
      7. Acknowledgments
    2. 1. Introduction to Windows Server 2003 Security
      1. What Is Security?
      2. What Is Windows Server 2003?
      3. Security Design in Windows Server 2003
      4. Security Features in the Windows Server 2003 Family
        1. Security Enhancements in Windows XP and the Windows Server 2003 Family
        2. Security Enhancements in Windows Server 2003, Standard Server Edition
        3. Security Enhancements in Windows Server 2003, Enterprise Server Edition
      5. Summary
    3. 2. Basics of Computer Security
      1. Why Computer Security Is Important
        1. Creating a Security Policy Is a Political Problem
        2. What’s in a Good Security Policy?
      2. Security Enforcement Mechanisms
        1. Technology-Based Security
        2. Administration-Based Security
      3. POLA: The Principle of Least Access
      4. Key-Based Cryptography
        1. Hashing
        2. Shared Secret Key Cryptography
        3. Public Key Cryptography
      5. Authorization and Authentication
      6. Password Basics
        1. What’s a Strong Password?
        2. Enforcing Strong Passwords
      7. Network Security
        1. Boundary Security
        2. Data Encryption
      8. Keeping Your Eyes Open
      9. Summary
    4. 3. Physical Security
      1. Identifying Physical Security Vulnerabilities
        1. Your People
        2. Your Office
        3. Your Laptops
        4. Your Data Center
        5. Your Servers
        6. Your Wiring Closets
        7. Your Network Cables
      2. Protecting Physical Assets
        1. Securing the Office
        2. Securing Laptops
        3. Securing the Data Center
        4. Securing Servers
        5. Securing the Wiring Closet
        6. Securing Network Transmissions
      3. Holistic Security: Best Practices
      4. Summary
    5. 4. File System Security
      1. Protecting Files with NTFS File Permissions
        1. How File Permissions Work
        2. How to Configure File Permissions
          1. Example: setting up a secure file share
          2. Example: implementing local file security for a shared computer
      2. Protecting Data with the Encrypting File System
        1. How EFS Works
        2. Benefits of the Encrypting File System
        3. Drawbacks of the Encrypting File System
        4. Using the Encrypting File System Correctly
        5. Example: Ensuring New Files are Encrypted
        6. Example: Managing the Private Key to Ensure Maximum Protection
        7. Example: Using cipher.exe to Remove Old Unencrypted Data
          1. Identifying the EFS recovery agent
        8. Example: Storing Shared Encrypted Files on a Windows Server 2003 File Server
        9. Configuring EFS with Group Policy
      3. Protecting System Information with Syskey
        1. How Syskey Works
        2. Protecting a Portable Computer
          1. Configure Syskey mode 2
          2. Encrypt data directories
          3. Run cipher /w
      4. Summary
    6. 5. Group Policy and Security Templates
      1. What Is Group Policy?
      2. How Group Policy Works
      3. How Do Security Templates Work?
      4. Using Group Policy to Enforce Security
        1. Controlling Password Policies with Group Policy
          1. Example problem: Woodgrove Bank password policy
          2. Example implementation: controlling password policy
        2. Configuring the Desktop with Group Policy
          1. Example problem: Woodgrove tellers
          2. Example implementation: controlling desktop resources
        3. Configuring Auditing with Group Policy
          1. Example problem: security auditing for servers
          2. Example implementation: controlling auditing
      5. Using Security Templates to Deploy Secure Configurations
        1. Using Built-in Templates
          1. Example problem: the human resources department
          2. Example implementation: controlling network communications security
        2. Analyzing Your Security Configuration
          1. Creating a Security Configuration and Analysis console
          2. Creating a new security database
          3. Importing security templates
          4. Analyzing the security settings
        3. Creating Your Own Security Template
        4. Deploying the Security Template with Group Policy
        5. Using Security Templates Effectively
          1. Example problem: Woodgrove server file security
          2. Example implementation: controlling security settings
      6. Summary
    7. 6. Running Secure Code
      1. Identifying Secure Code
        1. How Code Is Signed
        2. The Dangers of Unsigned Code
        3. Enforcing the Use of Secure Code
      2. Driver Signing
        1. Configuring Driver Signing
        2. Example: Warning When Installing Unsigned Drivers
      3. Software Restriction Policies
        1. Configuring Software Restriction Policy
          1. Creating a new hash rule
          2. Creating a certificate rule
        2. Example: Allowing an Application to Run on Computers
        3. Example: Allowing Applications with a Specific Extension to Execute
        4. Best Practices for Software Restrictions
      4. Summary
    8. 7. Authentication
      1. LAN Manager and NTLM
        1. A Brief History of LM and NTLM
        2. How NTLM Works
          1. Logging on
          2. Security token
          3. Accessing resources
        3. NTLM Pros and Cons
        4. Configuring LM
          1. Disabling hash storage
          2. Disabling NTLM variants
      2. Kerberos
        1. A Brief History of Kerberos
        2. How Kerberos Works
          1. Kerberos operational theory
            1. Logging on
            2. Accessing resources
            3. Proxy authentication
          2. Microsoft’s Kerberos implementation
        3. Configuring Kerberos
        4. Kerberos Pros and Cons
        5. Kerberos Interoperability
      3. Summary
    9. 8. IP Security
      1. What Is IP Security?
        1. Benefits of IPSec
        2. Drawbacks of IPSec
      2. How Does IPSec Work?
        1. IPSec Components
        2. IPSec Component Interaction
      3. Microsoft’s Implementation of IPSec in Windows Server 2003
        1. Microsoft IPSec Components
        2. Deployment of IPSec to Windows Computers
      4. Using IPSec Correctly
        1. Example: Woodgrove Bank Corporate Accounts Payable
          1. Client IPSec configuration through Group Policy
          2. Server IPSec configuration through Group Policy
        2. Verifying IPSec Operation
          1. Verifying IPSec operation with IP Security Monitor
          2. Verifying IPSec operation with other tools
            1. IPSecCmd
            2. Netsh
            3. Other basic techniques
        3. Example: Restricting a Server to Highly Secure IPSec Communication
          1. Creating a policy to use perfect forward secrecy
          2. Configure IPSec to not allow any traffic to bypass its filter rules
        4. Example: Using IPSec with a Non-Microsoft Client
          1. Configuring IPSec for certificate-based authentication
      5. Summary
    10. 9. Certificates and Public Key Infrastructure
      1. What Are Certificates?
        1. Certificate Concepts
        2. Benefits of Public Key Certificates
        3. Where Do Certificates Come From?
      2. What Do I Do with Certificates?
        1. Distributing Certificates
          1. Exporting a certificate without the private key
          2. Importing a received certificate
          3. Importing a certificate revocation list
        2. Backing Up the Certificate and Private Key
          1. Archiving a certificate and private key
          2. Restoring an archived private key
      3. What Is a Certification Authority?
        1. How a Certification Authority Works
          1. Server configuration
          2. Subject requesting a certificate
          3. Processing the request
          4. Publishing a certificate
          5. Server publishing a certificate revocation list
      4. Deciding Between Public and Private Certification Authorities
        1. Public Certification Authorities
        2. Private Certification Authorities
      5. Implementing a Public PKI
        1. Deploy Root CA Certificate to All Clients as Trusted Root
        2. Obtain and Deploy Client Certificates
          1. Considerations for client certificate deployment
          2. Common ways to deploy certificates
      6. Planning Your Private Certification Hierarchy
        1. Hierarchy Depth
        2. Desired Certificate Configuration
        3. Issuing Certificates Automatically
        4. Certificate Revocation Architecture
          1. Delta certificate revocation lists
          2. CRL distribution points
        5. Hardware Plans
          1. Cryptographic hardware for certification authorities
      7. Implementing a Private Certification Hierarchy
        1. Create a PKI Deployment Plan
        2. Construct Certificate Policy and Certificate Practice Statement
        3. Install the Root Certification Authority
          1. Configuring the root CA’s CDP list
          2. Protecting the private key without an HSM
          3. Publish offline root CA’s CRL
        4. Install Intermediate and Issuing CAs
        5. Configure Certificate Templates for Desired Certificates
        6. Configure the Issuing CA
        7. Configure Autoenrollment for Windows XP
          1. Optional: enroll intermediate network devices for certificates using MSCEP
          2. Other enrollment methods
        8. Test Desired Applications
      8. Maintaining Your Hierarchy
        1. Certificate Issuance
        2. Configuring CA Auditing
        3. Renewing CA Certificates
        4. Revoking Issued Certificates
        5. Publishing CRL for Offline Root CA
        6. Backing Up Your CA
      9. Summary
    11. 10. Smart Card Technology
      1. What Are Smart Cards?
        1. How Smart Cards Work
        2. Requirements for Using Smart Cards
      2. Using Smart Cards
        1. Secure Logon
        2. General Purpose Cryptography
        3. Distributing Smart Cards
        4. Implementing Smart Cards in Your Organization
          1. PKI first
          2. Enrolling users
          3. Preparing to issue cards
          4. Issuing cards to users
      3. Summary
    12. 11. DHCP and DNS Security
      1. DHCP
        1. What Is DHCP?
          1. How DHCP works
          2. DHCP security
        2. Using DHCP Securely
          1. Configuring DHCP for proper administration
          2. Monitoring DHCP for DOS attack
          3. Auditing DHCP
          4. Analyzing DHCP logs
          5. Monitoring the network for unauthorized DHCP servers
          6. Eliminating DHCP
      2. DNS
        1. What Is DNS?
          1. Requirements for DNS
          2. DNS zone storage
            1. Standard DNS zones
            2. Active Directory-integrated DNS zones
          3. DNS security concerns
        2. Using DNS Securely
          1. Setting permissions for DNS administration
          2. Setting permissions on DNS objects
          3. Enabling secure dynamic updates
          4. Restricting zone transfers
          5. Restricting recursive queries
          6. Auditing DNS
      3. DNS and DHCP Together
        1. DHCP Service Account
        2. Automatic Record Updating
      4. Summary
    13. 12. Internet Information Services Security
      1. What Is IIS?
      2. How Does IIS Work?
        1. IIS Processing
        2. IIS Security
      3. Using IIS Securely
        1. Installing IIS
        2. Configuring the Services You Need
        3. Using Secure Sockets Layer
        4. Using IP Address Restrictions
        5. Using Port Numbers
        6. Using File Permissions
        7. Configuring Authentication
        8. Allow Only Needed Functionality
        9. Review Web Server Logs
        10. Using Port Filtering
        11. Dedicating IIS Servers
      4. Summary
    14. 13. Active Directory Security
      1. What Is Active Directory?
        1. Benefits of Active Directory
          1. Extensible database
          2. Multimaster domain
          3. Object support
          4. Software deployment with GPOs
        2. Security Benefits of Active Directory
          1. Kerberos
          2. Trusts
          3. Smart card support
          4. Group Policy Objects
          5. Delegation
      2. Structural Components of Active Directory
        1. Domains
        2. Trees
        3. Forests
        4. Organizational Units
        5. Sites
      3. Domain Controllers
      4. Default Security Through GPOs
        1. Default Domain Policy
        2. Default Domain Controller Policy
        3. Default Security for Upgrades
      5. Providing Security for Domains
        1. Users, Groups, and Computers
          1. Clean up stale accounts
          2. Protect user accounts
          3. Use proper group nesting
          4. Protect service accounts
        2. Administrative Groups
        3. Administrator Accounts
        4. Object Security and ACLs
        5. Example: Configuring Domain User Accounts to Access Resources
          1. Configuring correct user group nesting structures
        6. Account Policies
          1. Account Policies at the OU level
        7. Trusts
      6. Providing Security for Forests
        1. Forestwide Components
        2. Forestwide Groups
        3. Forest Trusts
        4. SID Filtering
      7. Providing Security for Active Directory Objects
        1. Example: Delegating Control for Helpdesk Admins
          1. Delegating control
        2. Example: Auditing Management of AD
          1. Configuring auditing for DCs
          2. Viewing Security Log in Event Viewer
      8. Providing Security for Domain Controllers
        1. Physical Access
        2. Network Access
        3. Domain Controller Communications
          1. Open firewall ports on trusted network
          2. IPSec for DC communication and replication
          3. Domain controller communication across untrusted network with IPSec tunnel
        4. Locating Domain Controllers in Active Directory
        5. Roles and Responsibilities
      9. Summary
    15. 14. Remote Access Security
      1. What Is Remote Access?
      2. Controlling Access
        1. Remote Access Policies
          1. Written remote access security policies
        2. RADIUS and IAS
      3. Authentication and Encryption Protocols
        1. Authentication Protocols
        2. Encryption Protocols
      4. Virtual Private Networks
        1. Operating Theory
        2. VPN Protocols
          1. Point-to-Point Tunneling Protocol (PPTP)
          2. Layer 2 Tunneling Protocol (L2TP)
        3. Making VPNs More Secure
      5. Example Implementations for Remote Access
        1. Setting Up Remote Access Authentication for Dial-in Users
        2. Setting Up a VPN Server
      6. Summary
    16. 15. Auditing and Ongoing Security
      1. Security Policies and Procedures
        1. Benefits of Establishing Security Policies and Procedures
        2. Creating Security Policies
        3. Creating Procedures
      2. Auditing
        1. How Auditing Works
        2. Configuring Auditing
          1. Configuring auditing for domain controllers
          2. Configuring the Event Log and audit failure behavior
          3. Auditing account management
          4. Setting up a honey pot
      3. Operating System Updates
        1. Windows Update
        2. Microsoft Software Update Services
          1. Installing and configuring SUS server
          2. Configuring SUS clients
        3. Using MBSA to Determine Current Security Status
      4. Summary
    17. A. Sending Secure Email
      1. What Is Secure Email?
      2. How Does Secure Email Work?
        1. Digitally Signed Messages
        2. Encrypted Messages
      3. Considerations for Secure Email
      4. Secure Email Implementation
        1. Using a Commercial Certification Authority
        2. Using Your Own Certification Authority
          1. Issuing certificates
          2. Configuring clients to trust you
        3. Configuring Your Email Client
        4. Non-Microsoft Secure Email
      5. Summary
    18. Index
    19. Colophon