MCITP Guide to Microsoft Windows Server 2008 Server Administration

MCITP Guide to Microsoft
Windows Server 2008 Server
Administration (Exam #70-646)
Chapter 13
Securing Windows Server 2008
Learning Objectives
• Understand the security enhancements included in
Windows Server 2008
• Understand how Windows Server 2008 uses group
policies
• Understand and configure security policies
• Implement Active Directory Rights Management
Services
• Manage security using the Security Templates and
Security Configuration and Analysis snap-ins
Learning Objectives (cont’d.)
• Configure security policies for client computers
• Use the cipher command for encryption
• Use BitLocker Drive Encryption
• Configure Network Address Translation
• Configure Windows Firewall
• Implement Network Access Protection
Security Enhancements in Windows
Server 2008
• Reduced attack surface of the kernel through Server
Core
• Expanded group policy
• Windows Firewall
• Network Access Protection
• Security Configuration Wizard
• User Account Control
• BitLocker Drive Encryption
Security Enhancements in Windows
Server 2008 (cont’d.)
• Demilitarized zone (DMZ)
– Portion of a network that is between two networks
• New categories of group policy management
– Power management
– Assigning printers by location (particularly for mobile
users)
– Delegation of printer driver installation
– Security settings
– Internet Explorer settings
• Over 700 new policy settings
Security Enhancements in Windows
Server 2008 (cont’d.)
• User Account Control (UAC)
– Keep the user running in the standard user mode
– More fully insulate the kernel
• Administrator Approval Mode
• BitLocker Drive Encryption
– Prevents an intruder from bypassing ACL file and
folder protections
Introduction to Group Policy
• Group policy
– Standardize the working environment of clients and
servers by setting policies in Active Directory
• Set for many environments
• Defining characteristics of group policy
– Can be set for a site, domain, OU, or local computer
– Cannot be set for non-OU folder containers
Introduction to Group Policy (cont’d.)
• Defining characteristics of group policy (cont’d.)
– Settings are stored in group policy objects (GPO)
– GPOs can be local and nonlocal
– Can be set up to affect user accounts and computers
– When group policy is updated:
• Old policies are removed or updated for all clients
Securing Windows Server 2008 Using
Security Policies
• Security policies
– Account Policies
– Audit Policy
– User Rights
– Security Options
– IP Security Policies
• Activity 13-1: Using the Group Policy Management
Snap-In
– Objective: Learn how to use the Group Policy
Management MMC snap-in
Establishing Account Policies
• Account policies
– Security measures set up in a group policy that
applies to all accounts or to all accounts in a
container
– Active Directory required
• Password Security
– First line of defense in Windows Server 2008
– Settings
• Expiration period
• Minimum length
• Other password security options that you can configure
Establishing Account Policies (cont’d.)
• Activity 13-2:
Configuring Password
Security
– Objective: Configure
the password security
in the default domain
security policy
Figure 13-3 Viewing security settings for
the default domain policy
Courtesy Course Technology/Cengage Learning
Account Lockout
• Bar access to an account after a number of
unsuccessful tries
• Can be set to release
– After a specified period of time
– By intervention from the server administrator
• Parameters
– Account lockout duration
– Account lockout threshold
– Reset account lockout count after
Account Lockout (cont’d.)
• Activity 13-3: Configuring Account Lockout Policy
– Objective: Configure account lockout policy in the
default domain security policy
Account Lockout (cont’d.)
Figure 13-6 Configuring account lockout duration
Courtesy Course Technology/Cengage Learning
Account Lockout (cont’d.)
• Kerberos security
– Use of tickets exchanged between the client and the
server or Active Directory
• Designate Windows Server 2008 as a Kerberos key
distribution center
• Service ticket
– Good for the duration of a logon session
– Enables the computer to access network services
beginning with the Logon service
Account Lockout (cont’d.)
• Advanced Encryption Standard (AES) encryption
– Deployed by the U.S. federal government
– More secure than DES
• Windows NT LAN Manager version 2 (NTLMv2)
– Default authentication
– Should change to Kerberos if possible
• Options for configuring Kerberos
– Enforce user logon restrictions
– Maximum lifetime for service ticket
Account Lockout (cont’d.)
• Options for configuring Kerberos (cont’d.)
– Maximum lifetime for user ticket
– Maximum lifetime for user ticket renewal
– Maximum tolerance for computer clock
synchronization
• Activity 13-4: Configuring Kerberos Security
– Objective: Configure Kerberos in the default domain
security policy
Figure 13-7 Configuring Kerberos Policy
Courtesy Course Technology/Cengage Learning
Establishing Audit Policies
• Specify account auditing
– Track activity associated with accounts
• Examples of events an organization can audit
– Account logon (and logoff) events
– Account management
– Directory service access
– Logon (and logoff) events at the local computer
– Object access
– Policy change
Establishing Audit Policies (cont’d.)
• Examples of events an organization can audit
(cont’d.)
– Privilege use
– Process tracking
– System events
• Activity 13-5: Configuring Auditing
– Objective: Configure an audit policy
Establishing Audit Policies (cont’d.)
Figure 13-8 Configuring account logon
auditing
Courtesy Course Technology/Cengage Learning
Configuring User Rights
• Ability to access a server
– Most basic right
• More advanced rights
• General categories of rights
– Privileges
• Relate to the ability to manage server or Active
Directory functions
– Logon rights
• Related to accessing accounts, computers, and
services
Configuring User Rights (cont’d.)
• Activity 13-6: Configuring User Rights
– Objective: Learn how to configure user rights
Configuring Security Options
• Over 78 specialized security options
• Categories:
– Accounts
– Audit
– DCOM
– Devices
– Domain controller
– Interactive logon
– Microsoft network client
– Network access
– Network security
– Recovery console
– Shutdown
– System cryptography
– System objects
– System settings
– User Account Control
Configuring Security Options (cont’d.)
• Activity 13-7: Configuring Security Options
– Objective: Examine the Security Options and
configure an option
Figure 13-11 Accessing the Security Options
Courtesy Course Technology/Cengage Learning
Using IP Security Policies
• IP Security (IPsec)
– IP-based secure communications and encryption
standards
– Computers first exchange certificates
– Next, data is encrypted at the NIC of the sending
computer as it is formatted into an IP packet
• Use Default Domain Policy to manage Information
Policies for a domain
Using IP Security Policies (cont’d.)
• Roles
– Client (Respond Only)
– Secure Server (Require Security)
– Server (Request Security)
• Activity 13-8: Configuring IPsec in the Default
Domain Policy
– Objective: Configure IPsec group policy elements
Active Directory Rights Management
Services
• Active Directory Rights Management Services
(AD RMS) server role
– Complements client applications that can take
advantage of Rights Management Services
safeguards
• Rights Management Services (RMS)
– Security rights that provide security for documents,
spreadsheets, e-mail, etc.
– Uses security capabilities such as encryption, user
authentication, and security certificates
Managing Security Using the Security
Templates and Security Configuration
and Analysis Snap-Ins
• Security Templates MMC snap-in
– Account policies
– Local policies
– Event log tracking policies
– Group restrictions
– Service access security
– Registry security
– File system security
Managing Security Using the Security
Templates and Security Configuration
and Analysis Snap-Ins (cont’d.)
• Activity 13-9: Using the Security Templates Snap-In
– Objective: Learn to use the Security Templates snap-in
• Activity 13-10: Using the Security Configuration and
Analysis Snap-In
– Objective: Explore the features of the Security
Configuration and Analysis snap-in
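The comparison that the Security Configuration and Analysis snap-in performs can be sketched in a script that reads a security template and checks the account lockout and audit settings covered earlier in the chapter. This is an added example, not code from the book; the template text is constructed, and the baseline values are assumptions chosen for illustration.

```python
import configparser

# Constructed sample in the layout of a security template (.inf);
# the values are invented for this example, not taken from the page.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 6
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
[Event Audit]
AuditAccountLogon = 1
AuditAccountManage = 3
AuditPolicyChange = 0
[Version]
signature="$CHICAGO$"
"""

# Assumed baseline for illustration only; the page gives no numbers.
BASELINE = {"MinimumPasswordLength": 12, "LockoutBadCount": 5}


def lockout_release(access):
    """Say how a locked-out account is released under this template."""
    if access.getint("LockoutBadCount", fallback=0) == 0:
        return "lockout disabled"
    duration = access.getint("LockoutDuration", fallback=0)
    if duration == -1:  # template encoding: locked until an administrator unlocks
        return "administrator must unlock"
    return f"released after {duration} minutes"


def analyze(text):
    """Compare a template's account and audit settings with BASELINE."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep setting names exactly as written
    cp.read_string(text)
    access = cp["System Access"]
    findings = []
    if access.getint("MinimumPasswordLength", fallback=0) < BASELINE["MinimumPasswordLength"]:
        findings.append("MinimumPasswordLength below baseline")
    threshold = access.getint("LockoutBadCount", fallback=0)
    if threshold == 0 or threshold > BASELINE["LockoutBadCount"]:
        findings.append("LockoutBadCount weaker than baseline")
    if cp.has_section("Event Audit"):
        # 0 = no auditing, 1 = success, 2 = failure, 3 = both
        for name, value in cp["Event Audit"].items():
            if int(value) == 0:
                findings.append(f"{name} not audited")
    return {"release": lockout_release(access), "findings": findings}


if __name__ == "__main__":
    print(analyze(SAMPLE_TEMPLATE))
```

Template files saved by Windows tools are usually UTF-16, so open them with `encoding="utf-16"` before passing the text to `analyze`.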
Figure 13-17 Log file contents
Courtesy Course Technology/Cengage Learning
Configuring Client Security Using
Policies in Windows Server 2008
• Customize desktop and other settings for client
computers
• Configure policies on Windows Server 2008 server
• When the client logs on, policies are applied
Manually Configuring Policies for
Clients
• Manually configure policies that apply to clients
– To accomplish specific purposes
• Use the Group Policy Object Editor snap-in
– Or customized snap-in
• Activity 13-11: Configuring Policies to Apply to
Clients
– Objective: Learn how to configure a group policy to
apply to Windows Server 2008 clients
Table 13-1 Options for configuring administrative templates settings
under User Configuration
Publishing and Assigning Software
• Publishing applications
– Setting up software through a group policy
– Application is available for users to install from a
central application distribution server
• Assigning applications
– Application automatically represented on user’s
desktop
• Activity 13-12: Configuring Software Installation
– Objective: Learn where to set up software installation
in a group policy
Resultant Set of Policy
• Make implementation and troubleshooting of group
policies simpler for administrator
• Query existing policies
– Provide reports and the results of policy changes
• Supports two modes: planning and logging
• Activity 13-13: Using the Resultant Set of Policy
Tool
– Objective: Learn how to use the Resultant Set of
Policy tool
Using the cipher Command
• Use cipher command
– Encrypt files and folders
– Use parameters listed in Table 13-2
• Activity 13-14: Using the cipher Command
– Objective: Use the cipher command in the Command
Prompt window
Using BitLocker Drive Encryption
• BitLocker Drive Encryption
– Uses Trusted Platform Module security specification
– Hardware device used to secure information on a
different hardware device
• Security chip manufacturers
– Broadcom, Infineon, STMicroelectronics
• Can also be used with a USB flash drive containing
a personal identification number (PIN)
• Activity 13-15: Installing BitLocker Drive Encryption
– Objective: Set up BitLocker Drive Encryption
Configuring NAT
• NAT functions
– Automatically assign its own IP addresses on an
internal network
– Computers on external networks cannot identify
internal network computers’ true IP addresses
• Uses a pool of private addresses for its internal
network
• Acts like a firewall
– Outside world sees only one address
Configuring NAT (cont’d.)
• Activity 13-16: Configuring NAT
– Objective: Configure NAT for the VPN you set up in
Chapter 10
Figure 13-24 Selecting NAT
Courtesy Course Technology/Cengage Learning
Windows Firewall
• Improvements compared with previous version
– Protects incoming and outgoing communications
– Merges firewall filters with IPsec settings to avoid
settings conflicts
– Includes the Windows Firewall with Advanced
Security MMC snap-in
– Has firewall exceptions or rules for several kinds of
managed objects
• Configure exceptions and advanced features
– Exceptions
• Programs allowed through the firewall in both directions
Windows Firewall (cont’d.)
• Use Control Panel for configuration
• Activity 13-17: Configuring Windows Firewall via
Control Panel
– Objective: Configure Windows Firewall from Control
Panel
• Activity 13-18: Configuring Windows Firewall Using
the Snap-In
– Objective: Use the Windows Firewall with Advanced
Security MMC snap-in
Figure 13-27 Managing Windows Firewall from Server Manager
Courtesy Course Technology/Cengage Learning
Network Access Protection
• Network Access Protection (NAP)
– New feature of Windows Server 2008
• Keeps network healthy
– Identifies clients that do not comply with security
policies
– Limits access by noncompliant computers
– Automatically updates or configures a noncompliant
computer
– Continuously checks to ensure that computers remain
in compliance
IPsec
• When used with NAP, IPsec ensures that
noncompliant computers are quarantined
• Health Registration Authority (HRA)
– Network clients contact HRA server and submit
Statement of Health (SoH)
• HRA server configured through a Network Policy
Server (NPS)
VPN
• NAP works through VPN
– Enforces remote access policy configured for VPN
• When client attempts to connect
– Checked against the remote access policy configured
in the NPS server
– If the client properly verifies, access is granted
DHCP
• DHCP with NAP
– Secure the DHCP process
– Configured through a Network Policy Server
– Issues different information depending on compliance
• Remediation server
– Provides updates and security policy changes to the
client
– Brings client into compliance
• DHCP issues noncompliant computer IP address of
remediation server
TS Gateway
• Ensures secure access and communication when
Terminal Services used
• Uses the HRA server to ensure client compliant with
the health and security policies on a network
• Does not enable communications with remediation
server
802.1X
• 802.1X
– Wired and wireless authentication approach offered
by the IEEE
• Port-based form of authentication
– Network port allows unauthenticated communications
only until a client has been verified as NAP compliant
– Non-authenticated communications blocked
802.1X (cont’d.)
• Activity 13-19: Using Network Policy Server to
Configure NAP
– Objective: Learn about using Network Policy Server
for NAP configuration
Figure 13-28 Connection method options
Courtesy Course Technology/Cengage Learning
Summary
• Many new or enhanced security features in
Windows Server 2008
• Group policy
– Standardize security across a domain, OU, site, or
local server
• Use audit policies to track how resources are
accessed
• Security options
– Specialized policies for accounts, auditing, devices,
domain controllers, logon, clients, network security,
system shutdown, system settings, and others
Summary (cont’d.)
• Use Resultant Set of Policy
– Plan and troubleshoot group policy settings
• BitLocker Drive Encryption
– Security measure for protecting entire hard drives
• Network Access Protection
– Keeps a network healthy