CH 12

Securing Windows Server 2008

Objectives

• Understand the security enhancements included in Windows Server 2008

• Understand how Windows Server 2008 uses group policies

• Understand and configure security policies

Security Enhancements in Windows Server 2008

1. Reduced attack surface of the kernel through Server Core

2. Expanded group policy3. Windows Firewall4. Network Access Protection5. Security Configuration Wizard6. User Account Control7. BitLocker Drive Encryption

Server Core• the kernel is a computer program that

manages input/output requests from software and translates them into data processing instructions for the central processing unit and other electronic components of a computer

• Server Core eliminates most of the GUI portion of the operating system. This makes the Windows kernel much smaller, presenting a minimal attack surface

• Server Core can be a good solution particularly for a server that handles critical network operations, such as DNS and DHCP

Expanded group policy

• Group policy is a way to bring consistent security and other management to Windows Server 2008 and to clients connecting to a server– Power management– Assigning printers by location (particularly for mobile

users)– Delegation of printer driver installation– Security settings (such as who can access storage

devices and who can install devices)– Internet Explorer settings

Expanded group policy

• The use of group policy in Windows Server 2008 enables you to standardize the working environment of clients and servers by setting policies in Active Directory

• Group policies are secured so that they cannot be changed by individual users

Expanded group policy

• The characteristics of group policy are:– Group policy can be set for a site, domain, OU, or local

computer– Group policy settings are stored in group policy objects

• A group policy object (GPO) is an Active Directory object that contains group policy settings (a set of group policies) for a site, domain, OU, or local computer.

• Each GPO has a unique name and globally unique identifier (GUID).

• When Active Directory is installed, one local GPO is created for every Windows Server 2008 server

Expanded group policy

• characteristics of group policy are (cont.):– GPOs can be local and nonlocal—The local GPO

applies to the local computer. Nonlocal GPOs apply to sites, domains, and OUs

– Group policy can be set up to affect user accounts and computers

– When group policy is updated, old policies are removed or updated for all clients

Types of security policies

• Account Policies• Audit Policy• User Rights• Security Options

Using the Group Policy Management Snap-In

1. Click Start and click Run.2. Type mmc in the Open text box and click OK.3. In the Console1 window, click File and click Add/Remove Snap-in.4. Click the second Group Policy Management selection under

Snap-in, as shown in Figure 10-2,and click Add.5. In the Welcome to the Group Policy Wizard, click the Browse

button.6. Click Default Domain Policy in the Browse for a Group Policy

Object box. Click OK.7. Click Finish in the Select Group Policy Object dialog box.8. Click OK in the Add or Remove Snap-ins dialog box.9. Click Default Domain Policy in the tree in the left pane.

Using the Group Policy Management Snap-In

10. In the middle pane, double-click Computer Configuration.11. Double-click the Policies folder in the middle pane. What folders are listed for Policies?12. Double-click Windows Settings in the middle pane. What is listed within the Windows Settings folder?13. Double-click Security Settings in the middle pane.14. Click User Configuration in the tree in the left pane.15. Double-click the Policies folder in the middle pane.16. Double-click Windows Settings in the middle pane. What is listed within the Windows Settings folder?17. Close the Console1 window.18. Click Yes to save the console settings.19. Type Default Domain Policy plus your initials, such as JR. Click Save.

Establishing Account Policies

• Account policies are security measures set up in a group policy that applies to all accounts

• The account policy options that you can configure affect three main areas:– Password security– Account lockout– Kerberos security: a computer network

authentication protocol which works on the basis of 'tickets' to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed it primarily at a client–server model and it provides mutual authentication—both the user and the server verify each other's identity

Password security• The specific password security options that you can configure are as

follows:– Enforce password history—Enables you to require users to choose new

passwords when they make a password change, because the system can remember the previously used passwords

– Maximum password age—Permits you to set the maximum time allowed until a password expires

– Minimum password age—Permits you to specify that a password must be used for a minimum amount of time before it can be changed

– Minimum password length—Enables you to require that passwords are a minimum length

– Passwords must meet complexity requirements—Enables you to create a filter of customized password requirements that each account password must follow

– Store password using reversible encryption—Enables passwords to be stored in reversible encrypted format (similar to clear-text passwords) and used when applications or application processes must employ user passwords

Configuring Password Security1. Click Start, click All Programs, click Administrative Tools, and click Default Domain Policyplus your initials (if you used them in Activity slide 10 ).2. Maximize the console windows, if necessary.3. If necessary open the following in the tree in the left pane: Computer Configuration,

Policies, Windows Settings, and Security Settings.4. Click Account Policies in the tree in the left pane.5. Double-click Password Policy in the middle pane.6. Double-click Enforce password history in the middle pane.7. Ensure that Define this policy setting is checked. The default setting is 24 passwords

remembered, which is the maximum. Assume you work for a company that has a policy to set this number at 15. Enter 15 in the box,. Click OK.

8. Double-click Maximum password age and ensure that Define this policy setting is checked. Change the days text box to 60 and click OK.

9. Double-click Minimum password length. Be sure that Define this policy setting is checked and set the characters text box to 8. Click OK. The Default Domain Security Settings window should now look similar to the one in Figure next slide.

10. Leave the Default Domain Policy console window open for the next activity.

Account Lockout

• The operating system can employ account lockout to bar access to an account (including the true account owner) after a number of unsuccessful tries. The lockout can be set to release after a specified period of time or by intervention from the server administrator.

Account Lockout

• The following are the account lockout parameters that you can configure in the account lockout policy:1. Account lockout duration—Permits you to specify in minutes

how long the system will keep an account locked out after reaching the specified number of unsuccessful logon attempts

2. Account lockout threshold—Enables you to set a limit to the number of unsuccessful attempts to log on to an account

3. Reset account lockout count after—Enables you to specify the number of minutes to wait after a single unsuccessful logon attempt before the unsuccessful logon counter is reinitialized to 0

Account Lockout Configuration

1. Open the Default Domain Policy console you created in Activity slide 10, if it is not already open.

2. Click Account Lockout Policy in the tree under Computer Configuration, Policies, Windows Settings, Security Settings, and Account Policies.

3. Double-click Account lockout duration in the right pane.4. Check the box for Define this policy setting, if it is not already

checked. Enter 40 in the minutes text box and click OK5. You should see the Suggested Value Changes box. What changes are suggested?6. Click OK in the Suggested Value Changes box. In the middle

pane, notice that your change plus the suggested changes have been implemented.

Establishing Audit Policies

• After accounts are set up, you can specify account auditing to track activity associated with those accounts. For example, some organizations need to track security changes to accounts, while others want to track failed logon attempts

• Each audited event causes a record to be made in the Security event log

Establishing Audit Policies

• Examples of events that an organization can audit are as follows:– Account logon (and logoff) events– Account management– Directory service access– Logon (and logoff) events at the local computer– Object access– Policy change– Privilege use– Process tracking– System events

Configuring Auditing1. Open the Default Domain Policy console, if it is not already

open.2. Click Local Policies in the tree under Computer

Configuration, Policies, Windows Settings, and Security Settings.

3. Double-click Audit Policy in the middle pane.4. Double-click Audit account logon events in the middle pane.5. Click the box for Define these policy settings.6. Ensure that both the Success and Failure boxes are checked7. Click Apply to have these take effect immediately and then

click OK. If you were concerned about tracking changes to group policy,

what would you audit?

Configuring User Rights

• User rights enable an account or group to perform predefined tasks. The most basic right is the ability to access a server.

• Some examples of privileges include the following:– Add workstations to domain– Back up files and directories– Change the system time– Create permanent shared objects– Generate security audits– Load and unload device drivers

Configuring User Rights1. Open the Default Domain Policy console, if it is not already open.2. Click User Rights Assignment in the tree under Computer Configuration, Policies,

Windows Settings, Security Settings, and Local Policies.3. Scroll through the middle pane to view the rights that can be configured, 4. Double-click Allow log on locally.5. Check the box for Define these policy settings.6. Click Add User or Group.7. Click the Browse button in the Add User or Group box.8. Click the Advanced button in the Select Users, Computers, or Groups dialog box.9. Click the Find Now button in the Select Users, Computers, or Groups dialog box.10. Hold down the Ctrl key and click Administrator, Administrators, and Server

Operators. Ensure that Account Operators is not selected. If it is selected, continue holding down the Ctrl key and click Account Operators to deselect it. Click OK.

Configuring User Rights11. Click OK in the Select Users, Computers, or Groups dialog box.12. Click OK in the Add User or Group box. What now appears in the text box on the Allow log on locally Properties dialog box?13. Notice that your changes are reflected in the text box. Click OK in the Allow log

on locally Properties dialog box.14. Double-click Shut down the system. Check Define these policy settings.15. Click Add User or Group.16. Click the Browse button in the Add User or Group box.17. Click the Advanced button in the Select Users, Computers, or Groups dialog box.18. Click Find Now in the Select Users, Computers, or Groups dialog box.19. Double-click Administrators.20. Click OK in the Select Users, Computers, or Groups dialog box.21. Click OK in the Add User or Group box.22. Click OK in the Shut down the system Properties box.

(NAP)Network Access Protection

• NAP is a comprehensive set of security features that monitors and manages a server and its clients.

• The philosophy of NAP is that a network is only as secure as its least secure member. – For this reason, NAP monitors clients and servers to

ensure that the desired level of security is maintained on all of them.

– For example, if a client computer does not have recent security updates from Microsoft, NAP can limit the client’s network access and can even automaticallyenable updating on the client

(SCW )Security Configuration Wizard

• The Security Configuration Wizard (SCW) steps you through analyzing and configuring security settings on a server

• SCW examines the roles a server plays– And then tries to adjust security to match these

roles

Security Configuration Wizard (SCW)

• Through the SCW, you can:– Disable unnecessary services and software– Close network communication ports and other

communication resources that aren’t in use– Examine shared files and folders to help manage

network access through access protocols– Configure firewall rules

User Account Control (UAC)

• designed to keep the user running in the standard user mode

• software and device drivers could be installedfrom an account running in standard user mode.

Although the operating system allows this (with the right permissions), the installation still requires authorization from the server administrator

BitLocker Drive Encryption

• If a drive is protected using BitLocker Drive Encryption, no one can access information without proper authentication

• even if the drive has been stolen. The data on the drive is encrypted and protected against tampering

Installing BitLocker Drive Encryption

1. Click Start, point to Administrative Tools, and click Server Manager.2. Click Add Features in the Features Summary section.3. Click BitLocker Drive Encryption and click Next.4. Click Install.5. Click Close.6. Click Yes to restart the computer.7. Log back on. (You might see the Add Features Wizard again when you reboot

and need to click Close and then close Server Manager.)8. Control Panel now has a new configuration utility for configuring BitLocker Drive

Encryption. Because your computer might not be equipped with a TPM chip or you might not have a flash drive with a PIN, you will only view where to configure these. Click Start and click Control Panel.

9. In the Control Panel Home view, click Security and look for BitLocker Drive Encryption. In the Classic view, look for the BitLocker Drive Encryption applet

Windows Firewall

• In server 2008 Windows Firewall now protects incoming and outgoing communications, instead of just incoming communications

Configure security through Firewall1. Click Start and click Control Panel.2. In the Control Panel Home view, click Security and click Allow a

program through Windows Firewall. In Classic View, double-click Windows Firewall and click Allow a program through Windows Firewall.

3. Scroll through the programs or ports that can be marked as exceptions4. Click Add program to view programs that can be added to the

exceptions (the programs listed will depend on what is installed on your computer). Click Cancel.

5. Click Add port. Notice that you can add TCP or UDP ports. Be cautious about adding ports because attackers use open ports as a way into your system. You can find a listing of TCP and UDP ports at www.iana.org/assignments/port-numbers. Click Cancel.

6. Click the Advanced tab in the Windows Firewall Settings dialog box.