Security Design in a Windows 2003 EnvironmentCIS 288 Securing Servers Based on Function Objectives • When you complete this lesson you will be able to: – Define a baseline security template for all systems – Design security for servers that have specific roles – Create a plan to modify baseline security templates according to role . • Windows Server 2003 contains several administrative security tools that together form a comprehensive interface for managing a secure environment . • To assist in managing large networks. Windows Server 2003 includes predefined security templates.Defining a Baseline Security Template • Securing servers is critical in today’s environment where corporations run their businesses via electronic networks. 5.inf file via group policy 4. Always test security templates 2. as this will expose your DC’s to serious security risks. Thoroughly document all changes you make to each template .Best Practices for Security Templates • Best practices as they relate to these security templates.inf file 3. Never apply the compatible template to DCs. 1. Do not apply the Setup security. Always save modifications to templates as a different filename to preserve the original security template 6. Never edit the Setup security. inf) Highly secure (hisec*.Windows Server 2003 Predefined Security Templates • The templates included in Windows server 2003 are: – – – – – – – Default security (setup security.inf) Secure (secure*.inf) No terminal server user SID (notssid.inf) Compatible (compact *.inf) .inf) System root security (rootsec.inf) Domain controller default security (DC security. Instead. • Each template has settings related to various areas of security • These areas are: – Account policies – Local policies – Event log – Restricted groups – System services – Registry – File system .Configuring Security Templates • It’s important not to modify the predefined templates provided in Windows Server 2003. select a template and save it with a different name to create a duplicate copy. Configuring Security for DownLevel . – You can also use the Security Extension to Group Policy to edit individual security settings on a GPO. – You can also use scripting to apply these security template settings.Deploying Security Templates • There are three options for applying security templates on a large number of computers: – The first option is to use Secure Templates to create a template and then apply it to the appropriate GPO. . Begin with Setup security. Test security on the network. 2. Apply the predefined templates to servers based on roles in a test environment. Specific sections can be applied via the secedit command-line tool. you might want to use the GPUpdate command-line tool to force refresh of Group Policy so you can see results immediately. If you modified security settings via extensions in Group Policy.Design Security for Servers that have Specific Roles • It is recommended that you follow these steps in creating a secure environment for your network: 1. 4. If needed. . 3. apply sections of the template to computers that might have been upgraded or modified.inf. .Design Security for Servers that have Specific Roles • Common Server Roles – – – – – – – – – – – File server Print server Application server Mail server Terminal server Remote access/ VPN server Domain controller DHCP server DNS server Wins server Streaming Media Server. – Always perform tasks on the servers with the least possible privileges. – Secure the data on the computers using strong access control lists and the syskey utility. – Keep all software patches up to date. – Maintain up-to-date virus protection on all systems. – Require the use of strong passwords via the Password Policy settings.Server Security Best Practices • Best Practices: – Keep DCs in an access-controlled location. – Restrict user and machine access to groups that have loose security settings. . – Restrict the downloading and installation of programs that do not come from known. trusted sources. Configuring Security for Domain Controllers • DCs are the heart of any Windows-based network • The most common threats to DCs are those that attempt to gain access to the security database on a DC. • The Active Directory database on a DC is a virtual gold mine for hackers . it must be authenticated. a computer account is established. The three GPO settings that deal specifically with digitally signing authentication traffic are: – Digitally encrypt or sign secure channel data (always) Digitally encrypt secure channel data (when possible) – Digitally sign secure channel data (when possible) . • Three settings can be used to determine whether signed and encrypted authentication is used. In order to communicate with the DC.Digitally Signing Authentication Traffic • When a computer is joined to a domain. Configuring Security for POP3 Mail Servers . Modifying Baseline Security Templates According to Role . Modifying Baseline Security Templates According to Role . Modifying Baseline Security Templates According to Role . Summary • Baseline security templates • Securing servers that have specific roles .