Windows 2003 SP1 Member Server in ASU Active Directory WNUG/CCC February 2, 2006 Sharon Bushart CLAS...
Windows 2003 SP1 Member Server
in ASU Active Directory
WNUG/CCC, February 2, 2006
Sharon Bushart, CLAS Information Technology
Agenda
• Discussion
• Share knowledge / experience
• Tools / Utilities
• Resources
• Presentation will be posted on the WNUG web page: http://www.asu.edu/it/ag/wnug/
Goals
• Best Practices documents: W2K3 SP1 Best Practices v2.doc
• FAQs
• Tip sheets
• Checklists
CLAS IT / Behavioral Sciences Computing
• 2 Schools, with another in Fall 2006
• 3 Departments, 5 Units/Centers
• 14 Buildings
• 1200 client systems
• 20 servers
Preparation
• System is NOT on the network
• Register IP address & DNS name
• License product key
• Download service pack, hot fixes, etc.
• Hardware drivers
• Antivirus software plus latest sdat
• Documentation
Local Admin Accounts
• Create new account(s)
• Add new account(s) to the local admin group
• Log on with the new admin account
• Rename the default admin and guest accounts
• Disable the default admin account
• Do not include AD groups in the local admin group; use Run As instead
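The local-account steps above, scripted with the ADSI WinNT provider (present on Windows Server 2003 and every later version). This is an added example, not the presenter's code. The account names svradm, bldg-admin and bldg-guest are assumptions; the built-in Administrator and Guest are located by RID (500 and 501) rather than by name, so the script still works if someone renamed them earlier. Run it as a local administrator while the server is still off the network.

```powershell
# Added example (not from the presentation): create a working local admin, then rename and
# disable the built-in accounts. Names are assumptions; adjust to your own convention.
$NewAdmin    = 'svradm'       # assumption: the local admin account you will actually use
$AdminRename = 'bldg-admin'   # assumption: new name for the built-in Administrator (RID 500)
$GuestRename = 'bldg-guest'   # assumption: new name for the built-in Guest (RID 501)

$Computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"

# Find a local user by RID, because the built-in accounts keep their RID across renames.
function Get-LocalUserByRid([int]$Rid) {
    foreach ($u in $Computer.psbase.Children) {
        if ($u.psbase.SchemaClassName -ne 'user') { continue }
        $sid = New-Object Security.Principal.SecurityIdentifier($u.psbase.Properties['objectSid'].Value, 0)
        if ($sid.Value -like "*-$Rid") { return $u }
    }
}

# Steps 1 and 2: create the new account and add it to the local Administrators group.
function New-LocalAdminAccount {
    $pw   = Read-Host -AsSecureString "Password for $NewAdmin"
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pw)
    try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

    $user = $Computer.Create('user', $NewAdmin)
    $user.SetPassword($plain)          # WinNT provider: SetPassword before the first SetInfo
    $user.SetInfo()
    $admins = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $admins.Add("WinNT://$env:COMPUTERNAME/$NewAdmin,user")
}

# Step 3 is manual: log off, log on as $NewAdmin, then run Protect-BuiltinAccounts.
# Steps 4 and 5: rename Administrator and Guest, then disable Administrator.
function Protect-BuiltinAccounts {
    $me = [Security.Principal.WindowsIdentity]::GetCurrent()
    if ($me.User.Value -like '*-500') {
        throw 'Still logged on as the built-in Administrator; log on as the new account first.'
    }
    (Get-LocalUserByRid 500).psbase.Rename($AdminRename)
    (Get-LocalUserByRid 501).psbase.Rename($GuestRename)

    # Re-fetch after the rename, then disable via the IADsUser AccountDisabled property.
    $admin = Get-LocalUserByRid 500
    $admin.psbase.InvokeSet('AccountDisabled', $true)
    $admin.psbase.CommitChanges()
}

# Usage:  New-LocalAdminAccount ; (log on as svradm) ; Protect-BuiltinAccounts
# Domain work from this server goes through Run As rather than an AD group in the local
# Administrators group, e.g.:  runas /user:CAMPUS\someadmin "mmc dsa.msc"   (domain name assumed)
```

The RID check at the top of Protect-BuiltinAccounts is the safeguard for the ordering the slide prescribes: disabling the account you are logged on as would leave the box with no usable administrator until someone logs on at the console as the new one.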
Install …
• Hardware drivers
• Anti-Virus software with latest sdat
• Tools, Utilities
• Windows Automatic Update: notify, but do not automatically download or install
Drive Management
Firewall
• System is still NOT on the network
• Firewall should be ON
• Open only the ports that are necessary
• Port information:
  http://www.iana.org/
  http://www.securitystats.com/tools/portsearch.php
  http://support.microsoft.com/default.aspx?scid=kb;en-us;832017
  (Service Overview & Network Port Requirements for the Windows Server System, 10/31/05)
• Macs: http://www.opendoor.com/doorstop/ports.html
Firewall – Services & Ports

Description                          Port
AD Authentication (TCP)              1025
DNS (TCP & UDP)                      53
Kerberos (TCP & UDP)                 88
LDAP (TCP & UDP)                     389
File Sharing (TCP & UDP)             445
Network Time Protocol (TCP & UDP)    123
NetBIOS (TCP)                        139
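The port table above applied to the Windows Firewall that ships with Windows Server 2003 SP1, through its netsh firewall context (Windows Server 2008 and later use netsh advfirewall instead). This is an added example, not part of the presentation. The scope value is an assumption; list only the subnets or domain controllers that genuinely need to reach this server. The second function is the check a practitioner wants afterwards: it compares the exceptions against what is actually listening.

```powershell
# Added example (not from the presentation). Run as an administrator, before the server
# is connected. Scope is an assumption: restrict it to your own subnets / DCs.
$CampusScope = 'LocalSubnet,10.0.0.0/8'   # assumption; netsh accepts ip, ip/prefix, ip/mask, LocalSubnet

# Protocol, port and description, straight from the slide's table ("TCP & UDP" becomes two rows).
$Exceptions = @(
    @{ Proto='TCP'; Port=1025; Name='AD Authentication' },
    @{ Proto='TCP'; Port=53;   Name='DNS' },
    @{ Proto='UDP'; Port=53;   Name='DNS' },
    @{ Proto='TCP'; Port=88;   Name='Kerberos' },
    @{ Proto='UDP'; Port=88;   Name='Kerberos' },
    @{ Proto='TCP'; Port=389;  Name='LDAP' },
    @{ Proto='UDP'; Port=389;  Name='LDAP' },
    @{ Proto='TCP'; Port=445;  Name='File Sharing' },
    @{ Proto='UDP'; Port=445;  Name='File Sharing' },
    @{ Proto='TCP'; Port=123;  Name='Network Time Protocol' },
    @{ Proto='UDP'; Port=123;  Name='Network Time Protocol' },
    @{ Proto='TCP'; Port=139;  Name='NetBIOS' }
)

function Set-MemberServerFirewall {
    # Firewall ON for every profile, with exceptions enabled so the openings below apply.
    netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL | Out-Null
    foreach ($e in $Exceptions) {
        $proto = $e.Proto; $port = $e.Port
        $name  = '{0} ({1} {2})' -f $e.Name, $proto, $port
        # Positional form: protocol port name mode scope addresses profile
        netsh firewall add portopening $proto $port $name ENABLE CUSTOM $CampusScope ALL | Out-Null
    }
}

# Check: which TCP ports listen, and which of them have no exception (silently blocked)?
# An exception with nothing listening is harmless but needless; a listener with no
# exception is either expected (e.g. the RPC endpoint mapper on 135) or a service to disable.
function Compare-FirewallToListeners {
    $wanted = @($Exceptions | Where-Object { $_.Proto -eq 'TCP' } | ForEach-Object { $_.Port })
    $listening = @(netstat -an -p TCP | Select-String 'LISTENING' | ForEach-Object {
        # "  TCP    0.0.0.0:135    0.0.0.0:0    LISTENING"  ->  local address is field 2
        [int](($_.Line -split '\s+')[2] -split ':')[-1]
    } | Sort-Object -Unique)
    foreach ($p in $listening) {
        $state = if ($wanted -contains $p) { 'open' } else { 'BLOCKED by firewall' }
        '{0,6}  {1}' -f $p, $state
    }
    foreach ($p in ($wanted | Where-Object { $listening -notcontains $_ })) {
        '{0,6}  exception but nothing listening' -f $p
    }
}

# Usage:  Set-MemberServerFirewall ; Compare-FirewallToListeners ; netsh firewall show portopening
```

One caveat worth keeping in mind when reading the table: the Windows Firewall in 2003 SP1 filters inbound traffic only and is stateful, so this member server's own requests to the domain controllers (Kerberos, LDAP, DNS, NTP) need no exception at all. The exceptions that matter are for connections other hosts initiate to this server, file sharing on 445/139 being the obvious ones, which is why the comparison above is worth running before the server goes on the wire.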
Security Policy
• Includes access rights, security options, account lockout, etc.
• Two methods for changing:
  - Local Security Policy (Administrative Tools | Local Security Policy)
  - Group Policy Object Editor
Security Policy – Audit

Audit Policy                Default    MemSvr
Account logon events        S          S/F
Account management          NA         S/F
Directory service access    NA
Logon events                S          S/F
Object access               NA
Policy change               NA         S/F
Privilege use               NA
Process tracking            NA
System events               NA         S/F

(S = Success, S/F = Success and Failure, NA = no auditing. Default = Windows 2003 out of the box, MemSvr = setting used for the member server; a blank MemSvr cell means the default is kept.)
Security Policy – Audit (continued)
• Microsoft articles on Audit Policy:
  - KB 174074: Security Event Descriptions
  - KB 274176: Service Account Logon Events
• Events & Error Message Center: http://www.microsoft.com/technet/support/ee/ee_advanced.aspx
• GPO Editor: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
Security Policy – User Rights
• Access this computer from the network
  - Remove Everyone
  - Remove Authenticated Users
  - Add appropriate OU groups
• Allow log on locally: Administrators only
• GPO Editor: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Security Policy – Security Options
• Do not display last user name: Default Disabled, MemSvr Enabled
• Message text for users attempting to log on:
  "WARNING! You are accessing a computer protected by federal and state law and ASU policies. By using this system you agree to comply with these laws and policies, including ACD 125 (Computer, Internet and Electronic Communications Policy) and you consent to system monitoring for law enforcement, administrative and other purposes. Unauthorized use of this computer system may subject you to criminal prosecution, civil liability and University sanctions."
Security Policy – Security Options (continued)
• Do not allow anonymous enumeration of SAM accounts and shares: Default Disabled, MemSvr Enabled
• LAN Manager authentication level: Send LM & NTLM – use NTLMv2 session security if negotiated
• GPO Editor: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
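The Audit, User Rights and Security Options settings from the preceding slides, expressed as a security template (.inf) and applied with secedit, which is the native way to script Local Security Policy on Windows Server 2003 (the same template can be imported in the GPO editor). This is an added example, not the presenter's material. Assumptions: the OU group name CAMPUS\Bldg-Server-Users and the banner caption NOTICE. Run as an administrator; a domain GPO that sets the same values still overrides the local policy.

```powershell
# Added example (not from the presentation). Group name and caption are assumptions.
$OuGroup = 'CAMPUS\Bldg-Server-Users'   # assumption. Name resolution needs a reachable DC;
                                        # if the server is still off the network, use the
                                        # group's SID in the form *S-1-5-21-...-RID instead.
$Banner  = 'WARNING! You are accessing a computer protected by federal and state law and ASU policies. ' +
           'By using this system you agree to comply with these laws and policies, including ACD 125 ' +
           '(Computer, Internet and Electronic Communications Policy) and you consent to system monitoring ' +
           'for law enforcement, administrative and other purposes. Unauthorized use of this computer ' +
           'system may subject you to criminal prosecution, civil liability and University sanctions.'

# Single-quoted here-string: nothing expands, so $CHICAGO$ and the backslashes survive verbatim.
$Template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
; 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure (the MemSvr column)
AuditAccountLogon = 3
AuditAccountManage = 3
AuditDSAccess = 0
AuditLogonEvents = 3
AuditObjectAccess = 0
AuditPolicyChange = 3
AuditPrivilegeUse = 0
AuditProcessTracking = 0
AuditSystemEvents = 3
[Privilege Rights]
; Access this computer from the network: Administrators (S-1-5-32-544) plus the OU group.
; Everyone and Authenticated Users are removed simply by not listing them.
SeNetworkLogonRight = *S-1-5-32-544,__OUGROUP__
; Allow log on locally: Administrators only
SeInteractiveLogonRight = *S-1-5-32-544
[Registry Values]
; Do not display last user name: Enabled
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
; Do not allow anonymous enumeration of SAM accounts and shares: Enabled
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
; LAN Manager authentication level 1 = Send LM & NTLM, use NTLMv2 session security if negotiated
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,1
'@

function Set-MemberServerPolicy {
    $inf = Join-Path $env:TEMP 'memsvr.inf'
    $db  = Join-Path $env:TEMP 'memsvr.sdb'
    $log = Join-Path $env:TEMP 'memsvr.log'
    # Unicode=yes in the header, so the file must be written as UTF-16.
    $Template.Replace('__OUGROUP__', $OuGroup) | Set-Content -Path $inf -Encoding Unicode
    secedit /configure /db $db /cfg $inf /areas SECURITYPOLICY USER_RIGHTS /log $log /quiet
    if ($LASTEXITCODE -ne 0) { throw "secedit failed, see $log" }

    # The logon banner goes straight to the registry: in a template it is stored as a
    # REG_MULTI_SZ (type 7) whose lines are comma-separated, and this banner contains commas.
    $pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    Set-ItemProperty -Path $pol -Name LegalNoticeCaption -Value 'NOTICE'   # caption is an assumption
    Set-ItemProperty -Path $pol -Name LegalNoticeText    -Value $Banner
}

# Verify by exporting the effective local policy, the same data Local Security Policy shows.
function Get-AppliedSecuritySettings {
    $out = Join-Path $env:TEMP 'memsvr-export.inf'
    secedit /export /cfg $out /areas SECURITYPOLICY USER_RIGHTS /quiet | Out-Null
    Get-Content $out | Select-String '^Audit|^SeNetworkLogonRight|^SeInteractiveLogonRight|LmCompatibilityLevel|RestrictAnonymous=|DontDisplayLastUserName'
}

# Usage:  Set-MemberServerPolicy ; Get-AppliedSecuritySettings
```

Two notes on the values. Directory service access auditing only produces events on domain controllers, so leaving it at no auditing on a member server costs nothing. The LAN Manager level written above is the one on the slide; at level 1 the server still sends LM responses, while levels 3 and above send NTLMv2 only and level 5 also refuses LM and NTLM from clients, so raise it as far as the clients and servers in your OU will tolerate.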
Security Test
• Microsoft Baseline Security Analyzer: http://www.microsoft.com/technet/security/tools/mbsahome.mspx
• Security Configuration Wizard: included with SP1; configures the server based on its role
• Review output & adjust if necessary
• Connect server to network
• Windows Update
• Anti-Virus update
Microsoft Tools
• Administration Tool Pack: http://technet2.microsoft.com/WindowsServer/en/Library/57adeda2-3e00-4d5e-9b01-cf2bf256912d1033.mspx
• Group Policy Management Console: http://www.microsoft.com/windowsserver2003/gpmc/default.mspx
• Port Reporter: http://support.microsoft.com/?id=837243
• PortQry: http://support.microsoft.com/default.aspx?kbid=832919

Microsoft Documents
• Windows Server 2003 Security Guide: http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx
• Threats & Countermeasures: Security Settings in Windows Server 2003 & Windows XP: http://www.microsoft.com/technet/security/topics/serversecurity/tcg/tcgch00.mspx
• Security Risk Management Guide: http://www.microsoft.com/technet/security/topics/policiesandprocedures/secrisk/default.mspx
• Other documents: Administrator Accounts Security Planning Guide; Services & Service Accounts Security
Reference Material
• Microsoft TechNet: http://technet.microsoft.com/default.aspx
  http://www.microsoft.com/technet/security/default.mspx
  http://www.microsoft.com/technet/security/current.aspx
• Center for Internet Security: http://www.cisecurity.org/
• SANS: http://sans.org/
• Trial and error
• Documentation
Contact Information
Sharon Bushart
[email protected]
5-8249