Module Overview
• Securing a Windows Infrastructure
• Using Security Templates to Secure Servers
• Configuring an Audit Policy
• Overview of Windows Server Update Services
• Managing WSUS
Lesson 1: Securing a Windows Infrastructure
• Challenges of Securing a Windows Infrastructure
• Applying Defense-in-Depth to Increase Security
• Core Server Security Practices
• What Is the Security Configuration Wizard?
• What Is Windows Firewall?
• Demonstration: Using the Security Configuration Wizard to Secure Server Roles
Challenges of Securing a Windows Infrastructure
Challenges of securing a Windows infrastructure include:
• Implementing and managing secure configuration of servers
• Protecting against malicious software threats and intrusions
• Implementing effective identity and access control
Applying Defense-in-Depth to Increase Security
Defense-in-depth provides multiple layers of defense to protect a networking environmentDefense-in-depth provides multiple layers of defense to protect a networking environment
Security documents, user education
Policies, Procedures, & AwarenessPolicies, Procedures, & Awareness
Physical SecurityPhysical Security
OS hardening, authentication
Firewalls
Guards, locks
Network segments, IPsec
Application hardening, antivirus
ACLs, encryption, EFS
Perimeter
Internal Network
Host
Application
Data
Core Server Security Practices
Apply the latest service pack and all available security updates
Use the Security Configuration Wizard to scan and implement server security
Use Group Policy and security templates to harden servers
Restrict scope of access for service accounts
Restrict who can log on locally to servers
Restrict physical and network access to servers
What Is the Security Configuration Wizard?
SCW provides guided attack-surface reduction
• Disables unnecessary services and IIS Web extensions
• Uses IPsec to block unused ports and secure ports that are left open
• Reduces protocol exposure
• Configures audit settings
SCW supports:
• Rollback
• Analysis
• Remote configuration
• Command-line support
• Active Directory integration
• Policy editing
What Is Windows Firewall?
Windows Firewall is a stateful host-based application that provides the following features:
• Filters both incoming and outgoing network traffic
• Integrates both firewall filtering and IPsec protection settings
• Can be managed by the Control Panel tool or by the more advanced Windows Firewall with Advanced Security MMC console
• Provides Group Policy support
• Enabled by default in new installs
Demonstration: Using the Security Configuration Wizard to Secure Server Roles
In this demonstration, you will see how to implement security using the Security Configuration Wizard
Lesson 2: Using Security Templates to Secure Servers
• What Is a Security Policy?
• What Are Security Templates?
• Demonstration: Configuring Security Template Settings
• What Is the Security Configuration and Analysis Tool?
• Demonstration: Analyzing Security Policy Using the Security Configuration and Analysis Tool
What Is a Security Policy?
Local Security Policies include:
• Account Policies
• Local Policies
• Windows Firewall with Advanced Security
• Public Key Policies
• Software Restriction Policies
• IP Security Policies on Local Computer
Active Directory Security Policies include:
• Event Log
• Restricted Groups
• System Services
• Registry
• File System
• Wired and Wireless Network Policies
• Network Access protection
• IP Security Policies on Active Directory
A Security Policy is a combination of security settings to be applied to a computerA Security Policy is a combination of security settings to be applied to a computer
What Are Security Templates?
Security Templates:
Deployment Considerations:
• Create templates based upon server role
• Deploy to individual computers using the SECEDIT command
• Deploy to groups of computers using Group Policy
• Created and modified using the Security Templates MMC snap-in
• Default security templates stored in %SystemRoot%\Security\Templates
• Custom security templates are stored in local user profile folder
A security template is a collection of configured security settings used to apply a security policyA security template is a collection of configured security settings used to apply a security policy
Demonstration: Configuring Security Template Settings
In this demonstration, you will see how to:
• Add the Security Templates snap-in and configure a custom security template for the DHCP server role
• Import a security template into Active Directory
What Is the Security Configuration and Analysis Tool?
Template SettingTemplate Setting Actual SettingActual SettingSetting That Does Not Match TemplateSetting That Does Not Match Template
Demonstration: Analyzing Security Policy Using the Security Configuration and Analysis Tool
In this demonstration, you will see how to use the Security Configuration and Analysis Tool to analyze and configure local security policy settings
Lesson 3: Configuring an Audit Policy
• What Is Auditing?
• What Is an Audit Policy?
• Types of Events to Audit
• Demonstration: How to Configure Auditing
What Is Auditing?
• Auditing tracks user and operating system activities, and records selected events in security logs, such as:
• What occurred?
• Who did it?
• When?
• What was the result?
• Enable auditing to:
• Create a baseline
• Detect threats and attacks
• Determine damages
• Prevent further damage
• Audit access to objects, management of accounts, and users logging on and off
What Is an Audit Policy?
• An audit policy determines the security events that will be reported to the network administrator
• Set up an audit policy to:
• Track success or failure of events
• Minimize unauthorized use of resources
• Maintain a record of activity
• Security events are stored in security logs
Types of Events to Audit
• Account Logon
• Account Management
• Directory Service Access
• Directory Service Changes
• Directory Service Replication
• Detailed Directory Service Replication
• Logon
• Object Access
• Policy Change
• Privilege Use
• Process Tracking
• System
Demonstration: How to Configure Auditing
In this demonstration, you will see how to:
• Enable auditing for various events
• Enable object access auditing
Lesson 4: Overview of Windows Server Update Services
• What Is Windows Server Update Services?
• Windows Server Update Services Process
• Server Requirements for WSUS
• Automatic Updates Configuration
• Demonstration: Installing and Configuring WSUS
What Is Windows Server Update Services?
Automatic Updates
Server running Windows Server Update Services
Automatic Updates
LAN
Microsoft Update Web site
Internet
Test Clients
Windows Server Update Services Process
Update Management
Phase 1: Assess
• Set up a production environment that will support update management for both routine and emergency scenarios
Phase 3: Evaluate and Plan
• Test updates in an environment that resembles, but is separate from, the production environment
• Determine the tasks necessary to deploy updates into production, plan the update releases, build the releases, and then conduct acceptance testing of the releases
Phase 4: Deploy
• Approve and schedule update installations
• Review the process after the deployment is complete
Phase 4: Deploy
• Approve and schedule update installations
• Review the process after the deployment is complete
Phase 2: Identify
• Discover new updates in a convenient manner
• Determine whether updates are relevant to the production environment
Identify
Evaluate and Plan
Deploy
Assess
Server Requirements for WSUS
Software requirements:
• Windows Server 2003 SP1 or Windows Server 2008
• IIS 6.0 or later
• Windows Installer 3.1 or later
• Microsoft .NET Framework 2.0
• SQL Server 2005 SP1 or later (optional)
• Microsoft Report Viewer Redistributable 2005
Automatic Updates Configuration
• Configure Automatic Updates by using Group PolicyComputer Configuration/Administrative Templates/Windows Components/Windows Update
• Requires updated wuau.adm administrative template
• Requires:
• Windows Vista
• Windows Server 2008
• Windows Server 2003
• Windows XP Professional SP2
• Windows 2000 Professional SP4, Windows 2000 Server/Advanced Server SP3 or SP4
Demonstration: Installing and Configuring WSUS
In this demonstration, you will see how to:
• Install WSUS
• Configure Automatic Update client settings using Group Policy
Lesson 5: Managing WSUS
• WSUS Administration
• Managing Computer Groups
• Approving Updates
• Demonstration: Managing WSUS
Managing Computer Groups
• Computers are automatically added
• Default computer groups
• All Computers
• Unassigned Computers
• Client-side targeting
Approving Updates
• Approval options include:
• Install
• Decline
• Unapprove
• Removal
• Automate approval is also supported
Demonstration: Managing WSUS
In this demonstration, you will see how to:
• Add a computer to WSUS
• Approve an update
Lab: Configuring Server Security Compliance
• Exercise 1: Configuring and Analyzing Security
• Exercise 2: Analyzing Security Templates
• Exercise 3: Configuring Windows Software Update Services
Logon information
Virtual machine NYC-DC1, NYC-SVR1, and NYC-CL2
User name Administrator
Password Pa$$w0rd
Estimated time: 90 minutes
Lab Review
• What recourse do you have if the desired result is not met when applying changes using the Security Configuration Wizard to secure server infrastructure?
• How can you verify compatibility with existing settings before you apply a template to a GPO for deployment or apply the template to a local computer?
• After installing the WSUS server software, a wizard appears to help you with the configuration of WSUS properties. How can you change any incorrectly assigned properties after the wizard has been completed?