
Windows Server 2003 Security Cookbook: Security Solutions and Scripts for System Administrators

by: Mike Danseglio, Robbie Allen


On-line Price: $71.95 (includes GST)

Paperback package 520

20% Off Retail Price

You save: $18.00

N.Sydney : On Order (reserve your copy)

Retail Price: $89.95

Publisher: O'REILLY, 30.12.2005

Category: Windows Server 2003 Level:

ISBN: 0596007531
ISBN13: 9780596007539


This handy problem-solver teaches you how to perform important security tasks in the Windows Server 2003 OS using very specific recipes. Each recipe features a brief description of the problem, a step-by-step solution, and then a discussion of the technology at work. Also features a detailed explanation of Microsoft's scripting support.
Full Description

In the last few years, security has become a hot-button issue for IT organizations of all sizes. Accordingly, many of the security features that were either optional or suspect in Windows 2000 have become solid, effective fixtures in Windows Server 2003, making it the most secure operating system Microsoft has ever produced. That is, if you know how to configure it properly.

The Windows Server 2003 Security Cookbook wants to make sure that you do know how. Picking up right where its predecessor, the Windows Server Cookbook, left off, this desktop companion is focused solely on Windows Server security. It teaches you how to perform important security tasks in the Windows Server 2003 OS using specific and adaptable recipes. Each recipe features a brief description of the problem, a step-by-step solution, and then a discussion of the technology at work. Whenever possible, the authors even tell you where to look for further information on a recipe.

The book is written in a highly modular format, with each chapter devoted to one or more technologies that Windows Server 2003 provides. This approach allows you to look up a task or scenario that you want to accomplish, find that page, and read that particular recipe only. Topics include:

System preparation and administration

Protecting the computer at the TCP/IP level

Applying security options to Active Directory

Improving security on domain controllers

Securing DHCP controllers

Encrypting and signing network traffic using IPSec

Patch management

If you're an intermediate or advanced system administrator who wants to feel secure when deploying Windows Server 2003 and its related services, then you don't want to be without the Windows Server 2003 Security Cookbook.

Table of Contents

Preface
1. Getting Started


        What Is Security?


        Approach to the Book


        Where to Find the Tools


        Group Policy Notes


        Programming Notes


        Replaceable Text


        Reporting Security Issues to Microsoft


        Where to Find More Information

2. System Preparation and Administration


        2.0 Introduction


        2.1 Creating a Reference Installation


        2.2 Renaming the Domain Administrator Account


        2.3 Renaming the Local Administrator Accounts


        2.4 Disabling the Local Administrator Accounts


        2.5 Renaming the Guest Account


        2.6 Logging in as a Non-administrator


        2.7 Configuring Internet Explorer Enhanced Security Configuration


        2.8 Preventing Automatic Installation of New Hardware Drivers


        2.9 Protecting Against Modified Device Drivers


        2.10 Encrypting the SAM


        2.11 Locking the Console


        2.12 Enabling Screensaver Locking

3. TCP/IP


        3.0 Introduction


        3.1 Displaying the Status of TCP Ports


        3.2 Disabling NetBIOS over TCP/IP


        3.3 Disabling File and Printer Sharing for Microsoft Networks


        3.4 Enabling SYN Flood Protection


        3.5 Disabling Source Routing


        3.6 Disabling Router Discovery


        3.7 Configuring TCP/IP Filtering


        3.8 Enabling and Configuring Windows Firewall

4. Encrypting File System


        4.0 Introduction


        4.1 Enabling EFS Without a Recovery Agent


        4.2 Configuring a Recovery Agent


        4.3 Configuring Server-Based EFS


        4.4 Encrypting a File


        4.5 Encrypting a Folder


        4.6 Enabling EFS Context Menus


        4.7 Viewing Users and Recovery Agents


        4.8 Moving or Copying an Encrypted File or Folder


        4.9 Changing Encryption Algorithms


        4.10 Encrypting Offline Files


        4.11 Sharing Encrypted Files


        4.12 Backing Up EFS Keys


        4.13 Using a Recovery Agent


        4.14 Removing Unused Data

5. Active Directory


        5.0 Introduction


        5.1 Enabling SSL/TLS


        5.2 Encrypting LDAP Traffic with SSL or TLS; Digital Signing


        5.3 Using the Delegation of Control Wizard


        5.4 Customizing the Delegation of Control Wizard


        5.5 Using the Default ACL for an Objectclass


        5.6 Enabling List Object Access Mode


        5.7 Modifying the ACL on Administrator Accounts


        5.8 Viewing and Purging Your Kerberos Tickets


        5.9 Resetting the Directory Service Restore Mode Administrator Password


        5.10 Implementing Role-Based Access Control


        5.11 Displaying Delegated Rights


        5.12 Removing Delegated Rights

6. Group Policy


        6.0 Introduction


        6.1 Creating a GPO


        6.2 Copying a GPO


        6.3 Deleting a GPO


        6.4 Modifying the Settings of a GPO


        6.5 Creating a GPO Link to an OU


        6.6 Blocking Inheritance of GPOs on an OU


        6.7 Forcing a GPO Application


        6.8 Applying a Security Filter to a GPO


        6.9 Refreshing GPO Settings on a Computer


        6.10 Configuring the Group Policy Refresh Interval


        6.11 Installing Applications with a GPO


        6.12 Assigning Logon/Logoff and Startup/Shutdown Scripts in a GPO


        6.13 Configuring Password Policies


        6.14 Configuring Account Lockout Policies


        6.15 Configuring Kerberos Policies


        6.16 Configuring User Rights Assignment


        6.17 Configuring Security Options


        6.18 Configuring Time Synchronization Settings


        6.19 Using Restricted Groups


        6.20 Configuring Service Parameters


        6.21 Configuring Registry Permissions


        6.22 Configuring File Permissions

7. Security Templates


        7.0 Introduction


        7.1 Using Default Security Templates


        7.2 Creating a Security Template


        7.3 Changing Account Policies


        7.4 Changing Local Policies


        7.5 Changing Event Log Settings


        7.6 Making Group Membership Changes


        7.7 Disabling Unwanted System Services


        7.8 Modifying Registry Permissions


        7.9 Modifying Filesystem Permissions


        7.10 Exporting Security Templates


        7.11 Importing Security Templates


        7.12 Verifying Template Application


        7.13 Analyzing a Security Configuration


        7.14 Testing Template Compatibility

8. Domain Controllers


        8.0 Introduction


        8.1 Disabling LM Hash Storage


        8.2 Removing Stored LM Hashes


        8.3 Requiring NTLM Authentication


        8.4 Using Syskey to Thwart Offline Attacks


        8.5 Signing LDAP Communications


        8.6 Hardening Domain Controllers with Security Templates

9. User and Computer Accounts


        9.0 Introduction


        9.1 Enabling and Disabling a User


        9.2 Finding Disabled Users


        9.3 Unlocking a User


        9.4 Troubleshooting Account Lockout Problems


        9.5 Viewing and Modifying the Account Lockout and Password Policies


        9.6 Setting a User's Account to Expire


        9.7 Setting a User's Password


        9.8 Forcing a User Password Change at Next Logon


        9.9 Preventing a User's Password from Expiring


        9.10 Setting a User's Account Options


        9.11 Finding a User's Last Logon Time


        9.12 Restricting a User's Logon Hours and Workstations


        9.13 Resetting a Computer Account


        9.14 Finding Inactive or Unused Computer Accounts


        9.15 Trusting a Computer Account for Delegation

10. Rights and Permissions


        10.0 Introduction


        10.1 Using Standard File Permissions


        10.2 Using Special File Permissions


        10.3 Determining File Permission Inheritance


        10.4 Using Deny Permission


        10.5 Determining Effective Permissions


        10.6 Determining File Ownership


        10.7 Modifying File Ownership


        10.8 Restoring Default Permissions


        10.9 Hardening Registry Permissions


        10.10 Restricting Remote Access to the Registry

11. Dynamic Host Configuration Protocol


        11.0 Introduction


        11.1 Authorizing a DHCP Server


        11.2 Detecting Rogue DHCP Servers


        11.3 Restricting DHCP Administrators


        11.4 Disabling NetBIOS over TCP/IP Name Resolution


        11.5 Enabling Dynamic DNS Updates from the DHCP Server


        11.6 Running DHCP Server on a Domain Controller

12. Domain Name System


        12.0 Introduction


        12.1 Securing DNS Using the Separate Namespaces Approach


        12.2 Securing DNS Using the Split-Brain Approach


        12.3 Restricting DNS Administration Using the DNSAdmins Group


        12.4 Hiding Your Internal IP Addressing Scheme


        12.5 Blocking Unwanted DNS Traffic Through a Firewall


        12.6 Restricting DNS Traffic Through a Firewall Using Forwarders


        12.7 Preventing DoS Attacks by Disabling Recursion


        12.8 Hardening DNS by Converting Standard Zones to Active Directory Integrated


        12.9 Protecting DNS Zones by Requiring Only Secure Dynamic Updates


        12.10 Hardening DNS Clients by Requiring Them to Use Secure Dynamic Updates


        12.11 Protecting DNS Zones by Disabling Dynamic Updates


        12.12 Hardening DNS Clients by Preventing Them from Attempting Dynamic Updates


        12.13 Preventing Unauthorized Zone Transfers


        12.14 Restricting Zone Transfers to Legitimate DNS Servers


        12.15 Preventing Cache Pollution on DNS Servers


        12.16 Monitoring Suspicious DNS Requests Using Debug Logging


        12.17 Securing Resource Records when Using the DnsUpdateProxy Group


        12.18 Preventing DNS Session Sniffing and Hijacking

13. File and Print Servers


        13.0 Introduction


        13.1 Creating a Hidden File Share


        13.2 Deleting a File Share


        13.3 Securing Shared Folders and Files


        13.4 Preventing Shared File Caching


        13.5 Determining Access Levels for a File Share


        13.6 Listing All File Shares


        13.7 Restricting Printing Permissions


        13.8 Hardening the Print Spooler


        13.9 Moving the Print Spool Folder


        13.10 Disabling Internet Printing


        13.11 Removing Internet Printing

14. IPsec


        14.0 Introduction


        14.1 Using a Default IPsec Policy


        14.2 Creating an IPsec Policy


        14.3 Creating a Blocking Rule


        14.4 Creating a Permit Rule


        14.5 Configuring IPsec Boot Mode


        14.6 Configuring Authentication Methods


        14.7 Configuring Connection Types


        14.8 Configuring Key Exchange


        14.9 Configuring Session Cryptography


        14.10 Configuring IP Filter Lists


        14.11 Configuring IP Filter Actions


        14.12 Configuring Security Methods


        14.13 Activating an IPsec Rule


        14.14 Deactivating an IPsec Rule


        14.15 Assigning and Unassigning IPsec Policies


        14.16 Viewing IPsec Statistics with System Monitor


        14.17 Verifying IPsec Traffic


        14.18 Using IPsec Monitor to Verify IPsec


        14.19 Troubleshooting IPsec Connections

15. Internet Information Services


        15.0 Introduction


        15.1 Configuring Listening Port


        15.2 Removing Unused Components


        15.3 Configuring HTTP Authentication


        15.4 Configuring FTP Authentication


        15.5 Changing the User Context for Anonymous Access


        15.6 Disabling Anonymous Access


        15.7 Restricting Client Access by ACL


        15.8 Restricting Client Access by IP Address or DNS Name


        15.9 Installing Server Certificates


        15.10 Enabling Secure Sockets Layer


        15.11 Enabling Client Certificate Authentication


        15.12 Requiring Client Certificate Authentication


        15.13 Configuring Trusted Certification Authorities


        15.14 Configuring One-to-One Client Certificate Mapping


        15.15 Configuring Many-to-One Client Certificate Mapping

16. RRAS and IAS


        16.0 Introduction


        16.1 Configuring the Routing and Remote Access Server


        16.2 Allowing Authentication Protocols


        16.3 Requiring Smart Card Authentication


        16.4 Using Preshared Keys


        16.5 Configuring RRAS to Use IAS


        16.6 Installing Internet Authentication Service


        16.7 Configuring IAS Auditing


        16.8 Configuring Local IAS Logging


        16.9 Configuring SQL IAS Logging


        16.10 Creating a Remote Access Policy


        16.11 Configuring Connection Time

17. Terminal Services and Remote Desktop


        17.0 Introduction


        17.1 Choosing a Security Mode


        17.2 Configuring Session Encryption


        17.3 Limiting Client Sessions


        17.4 Requiring a Password for Connection


        17.5 Securing RPC Administration Traffic


        17.6 Allowing Silent Session Monitoring


        17.7 Monitoring Sessions


        17.8 Enabling Remote Desktop


        17.9 Configuring Access to Remote Desktop

18. Public Key Infrastructure and Certificates


        18.0 Introduction


        18.1 Installing an Offline Root CA


        18.2 Installing an Enterprise Subordinate CA


        18.3 Installing a Standalone Subordinate CA


        18.4 Publishing a CRL from an Online CA


        18.5 Publishing a CRL from an Offline CA


        18.6 Restricting Access to the CA


        18.7 Auditing CA Operations


        18.8 Configuring Certificate Templates


        18.9 Authorizing the CA to Issue Certificates


        18.10 Archiving Private Keys


        18.11 Sending Enrollment Notifications via Email


        18.12 Requesting Certificates Automatically


        18.13 Approving and Denying Certificate Requests


        18.14 Retrieving Issued Certificates


        18.15 Renewing Certificates


        18.16 Revoking Certificates


        18.17 Configuring a Trusted Certificate


        18.18 Identifying Local Certificates and Private Keys


        18.19 Backing Up Certificates and Private Keys


        18.20 Restoring Certificates and Private Keys

19. Auditing


        19.0 Introduction


        19.1 Auditing Account Logon Events


        19.2 Auditing Account Management Events


        19.3 Auditing Directory Service Events


        19.4 Auditing File Access


        19.5 Auditing File Share Configuration Events


        19.6 Auditing Web Server Access


        19.7 Auditing Policy Change Events


        19.8 Auditing Privilege Use Events


        19.9 Auditing Process Tracking Events


        19.10 Auditing System Events


        19.11 Shutting Down Windows When Unable to Log Events

20. Event Logs


        20.0 Introduction


        20.1 Viewing Events


        20.2 Setting the Maximum Size of an Event Log


        20.3 Setting the Event Log Retention Policy


        20.4 Clearing the Events in an Event Log


        20.5 Restricting Access to an Event Log


        20.6 Searching the Event Logs on Multiple Servers


        20.7 Archiving an Event Log


        20.8 Finding More Information About an Event


        20.9 Triggering an Action when an Event Occurs


        20.10 Consolidating Event Logs

21. Patch Management


        21.0 Introduction


        21.1 Installing a Root Update Server


        21.2 Installing a Subordinate Update Server


        21.3 Installing a Nonstoring Update Server


        21.4 Installing an Update Server on a Nondedicated Server


        21.5 Configuring Computers to Use the Internal Update Server


        21.6 Refreshing the Update Server


        21.7 Configuring the Computer Update Type and Schedule


        21.8 Creating a Test Group


        21.9 Approving and Declining Updates


        21.10 Automatically Approving Critical Updates


        21.11 Removing Updates


        21.12 Forcing an Update Scan


        21.13 Manually Applying Updates


        21.14 Disabling Windows Update


        21.15 Checking Status of Update Application


        21.16 Verifying Update Application with MBSA

Index