Windows Server 2003 Security Cookbook

Security Solutions and Scripts for System Administrators

Larger Cover

Security Solutions and Scripts for System Administrators

By Mike Danseglio, Robbie Allen

Publisher: O'Reilly Media

Released: December 2005

Pages: 528

In the last few years, security has become a hot-button issue for IT organizations of all sizes. Accordingly, many of the security features that were either optional or suspect in Windows 2000 have become solid, effective fixtures in Windows Server 2003-making it the most secure operating system Microsoft has ever produced. That is, if you know how to configure it properly.

The Windows Server 2003 Security Cookbook wants to make sure that you do know how. Picking up right where its predecessor, the Windows Server Cookbook, left off, this desktop companion is focused solely on Windows Server security. It teaches you how to perform important security tasks in the Windows Server 2003 OS using specific and adaptable recipes. Each recipe features a brief description of the problem, a step-by-step solution, and then a discussion of the technology at work. Whenever possible, the authors even tell you where to look for further information on a recipe.

The book is written in a highly modular format, with each chapter devoted to one or more technologies that Windows Server 2003 provides. This approach allows you to look up a task or scenario that you want to accomplish, find that page, and read that particular recipe only. Topics include:

System preparation and administration
Protecting the computer at the TCP/IP level
Applying security options to Active Directory
Improving security on domain controllers
Securing DHCP controllers
Encrypting and signing network traffic using IPSec
Patch management

If you're an intermediate or advanced system administrator who wants to feel secure when deploying Windows Server 2003 and its related services, then you don't want to be without the Windows Server 2003 Security Cookbook.

Chapter 1 Getting Started
1. What Is Security?
2. Approach to the Book
3. Where to Find the Tools
4. Group Policy Notes
5. Programming Notes
6. Replaceable Text
7. Reporting Security Issues to Microsoft
8. Where to Find More Information
Chapter 2 System Preparation and Administration
1. Introduction
2. Creating a Reference Installation
3. Renaming the Domain Administrator Account
4. Renaming the Local Administrator Accounts
5. Disabling the Local Administrator Accounts
6. Renaming the Guest Account
7. Logging in as a Non-Administrator
8. Configuring Internet Explorer Enhanced Security Configuration
9. Preventing Automatic Installation of New Hardware Drivers
10. Protecting Against Modified Device Drivers
11. Encrypting the SAM
12. Locking the Console
13. Enabling Screensaver Locking
Chapter 3 TCP/IP
1. Introduction
2. Displaying the Status of TCP Ports
3. Disabling NetBIOS over TCP/IP
4. Disabling File and Printer Sharing for MicrosoftNetworks
5. Enabling SYN Flood Protection
6. Disabling Source Routing
7. Disabling Router Discovery
8. Configuring TCP/IP Filtering
9. Enabling and Configuring Windows Firewall
Chapter 4 Encrypting File System
1. Introduction
2. Enabling EFS Without a Recovery Agent
3. Configuring a Recovery Agent
4. Configuring Server-Based EFS
5. Encrypting a File
6. Encrypting a Folder
7. Enabling EFS Context Menus
8. Viewing Users and Recovery Agents
9. Moving or Copying an Encrypted File or Folder
10. Changing Encryption Algorithms
11. Encrypting Offline Files
12. Sharing Encrypted Files
13. Backing Up EFS Keys
14. Using a Recovery Agent
15. Removing Unused Data
Chapter 5 Active Directory
1. Introduction
2. Enabling SSL/TLS
3. Encrypting LDAP Traffic with SSL or TLS; Digital Signing
4. Using the Delegation of Control Wizard
5. Customizing the Delegation of Control Wizard
6. Using the Default ACL for an Objectclass
7. Enabling List Object Access Mode
8. Modifying the ACL on Administrator Accounts
9. Viewing and Purging Your Kerberos Tickets
10. Resetting the Directory Service Restore ModeAdministrator Password
11. Implementing Role-Based Access Control
12. Displaying Delegated Rights
13. Removing Delegated Rights
Chapter 6 Group Policy
1. Introduction
2. Creating a GPO
3. Copying a GPO
4. Deleting a GPO
5. Modifying the Settings of a GPO
6. Creating a GPO Link to an OU
7. Blocking Inheritance of GPOs on an OU
8. Forcing a GPO Application
9. Applying a Security Filter to a GPO
10. Refreshing GPO Settings on a Computer
11. Configuring the Group Policy Refresh Interval
12. Installing Applications with a GPO
13. Assigning Logon/Logoff and Startup/ShutdownScripts in a GPO
14. Configuring Password Policies
15. Configuring Account Lockout Policies
16. Configuring Kerberos Policies
17. Configuring User Rights Assignment
18. Configuring Security Options
19. Configuring Time Synchronization Settings
20. Using Restricted Groups
21. Configuring Service Parameters
22. Configuring Registry Permissions
23. Configuring File Permissions
Chapter 7 Security Templates
1. Introduction
2. Using Default Security Templates
3. Creating a Security Template
4. Changing Account Policies
5. Changing Local Policies
6. Changing Event Log Settings
7. Making Group Membership Changes
8. Disabling Unwanted System Services
9. Modifying Registry Permissions
10. Modifying Filesystem Permissions
11. Exporting Security Templates
12. Importing Security Templates
13. Verifying Template Application
14. Analyzing a Security Configuration
15. Testing Template Compatibility
Chapter 8 Domain Controllers
1. Introduction
2. Disabling LM Hash Storage
3. Removing Stored LM Hashes
4. Requiring NTLM Authentication
5. Using Syskey to Thwart Offline Attacks
6. Signing LDAP Communications
7. Hardening Domain Controllers with SecurityTemplates
Chapter 9 User and Computer Accounts
1. Introduction
2. Enabling and Disabling a User
3. Finding Disabled Users
4. Unlocking a User
5. Troubleshooting Account Lockout Problems
6. Viewing and Modifying the Account Lockout andPassword Policies
7. Setting a User's Account to Expire
8. Setting a User's Password
9. Forcing a User Password Change at Next Logon
10. Preventing a User's Password from Expiring
11. Setting a User's Account Options
12. Finding a User's Last Logon Time
13. Restricting a User's Logon Hours and Workstations
14. Resetting a Computer Account
15. Finding Inactive or Unused Computer Accounts
16. Trusting a Computer Account for Delegation
Chapter 10 Rights and Permissions
1. Introduction
2. Using Standard File Permissions
3. Using Special File Permissions
4. Determining File Permission Inheritance
5. Using Deny Permission
6. Determining Effective Permissions
7. Determining File Ownership
8. Modifying File Ownership
9. Restoring Default Permissions
10. Hardening Registry Permissions
11. Restricting Remote Access to the Registry
Chapter 11 Dynamic Host Configuration Protocol
1. Introduction
2. Authorizing a DHCP Server
3. Detecting Rogue DHCP Servers
4. Restricting DHCP Administrators
5. Disabling NetBIOS over TCP/IP Name Resolution
6. Enabling Dynamic DNS Updates from the DHCP Server
7. Running DHCP Server on a Domain Controller
Chapter 12 Domain Name System
1. Introduction
2. Securing DNS Using the Separate NamespacesApproach
3. Securing DNS Using the Split-Brain Approach
4. Restricting DNS Administration Using theDNSAdmins Group
5. Hiding Your Internal IP Addressing Scheme
6. Blocking Unwanted DNS Traffic Through aFirewall
7. Restricting DNS Traffic Through a Firewall UsingForwarders
8. Preventing DoS Attacks by Disabling Recursion
9. Hardening DNS by Converting Standard Zones to Active Directory Integrated
10. Protecting DNS Zones by Requiring Only SecureDynamic Updates
11. Hardening DNS Clients by Requiring Them to UseSecure Dynamic Updates
12. Protecting DNS Zones by Disabling DynamicUpdates
13. Hardening DNS Clients by Preventing Them fromAttempting Dynamic Updates
14. Preventing Unauthorized Zone Transfers
15. Restricting Zone Transfers to Legitimate DNS Servers
16. Preventing Cache Pollution on DNS Servers
17. Monitoring Suspicious DNS Requests UsingDebug Logging
18. Securing Resource Records When Usingthe DnsUpdateProxy Group
19. Preventing DNS Session Sniffing and Hijacking
Chapter 13 File and Print Servers
1. Introduction
2. Creating a Hidden File Share
3. Deleting a File Share
4. Securing Shared Folders and Files
5. Preventing Shared File Caching
6. Determining Access Levels for a File Share
7. Listing All File Shares
8. Restricting Printing Permissions
9. Hardening the Print Spooler
10. Moving the Print Spool Folder
11. Disabling Internet Printing
12. Removing Internet Printing
Chapter 14 IPsec
1. Introduction
2. Using a Default IPsec Policy
3. Creating an IPsec Policy
4. Creating a Blocking Rule
5. Creating a Permit Rule
6. Configuring IPsec Boot Mode
7. Configuring Authentication Methods
8. Configuring Connection Types
9. Configuring Key Exchange
10. Configuring Session Cryptography
11. Configuring IP Filter Lists
12. Configuring IP Filter Actions
13. Configuring Security Methods
14. Activating an IPsec Rule
15. Deactivating an IPsec Rule
16. Assigning and Unassigning IPsec Policies
17. Viewing IPsec Statistics with System Monitor
18. Verifying IPsec Traffic
19. Using IPsec Monitor to Verify IPsec
20. Troubleshooting IPsec Connections
Chapter 15 Internet Information Services
1. Introduction
2. Configuring Listening Port
3. Removing Unused Components
4. Configuring HTTP Authentication
5. Configuring FTP Authentication
6. Changing the User Context for AnonymousAccess
7. Disabling Anonymous Access
8. Restricting Client Access by ACL
9. Restricting Client Access by IP Address or DNSName
10. Installing Server Certificates
11. Enabling Secure Sockets Layer
12. Enabling Client Certificate Authentication
13. Requiring Client Certificate Authentication
14. Configuring Trusted Certification Authorities
15. Configuring One-to-One Client Certificate Mapping
16. Configuring Many-to-One Client CertificateMapping
Chapter 16 RRAS and IAS
1. Introduction
2. Configuring the Routing and Remote Access Server
3. Allowing Authentication Protocols
4. Requiring Smart Card Authentication
5. Using Preshared Keys
6. Configuring RRAS to Use IAS
7. Installing Internet Authentication Service
8. Configuring IAS Auditing
9. Configuring Local IAS Logging
10. Configuring SQL IAS Logging
11. Creating a Remote Access Policy
12. Configuring Connection Time
Chapter 17 Terminal Services and Remote Desktop
1. Introduction
2. Choosing a Security Mode
3. Configuring Session Encryption
4. Limiting Client Sessions
5. Requiring a Password for Connection
6. Securing RPC Administration Traffic
7. Allowing Silent Session Monitoring
8. Monitoring Sessions
9. Enabling Remote Desktop
10. Configuring Access to Remote Desktop
Chapter 18 Public Key Infrastructure and Certificates
1. Introduction
2. Installing an Offline Root CA
3. Installing an Enterprise Subordinate CA
4. Installing a Standalone Subordinate CA
5. Publishing a CRL from an Online CA
6. Publishing a CRL from an Offline CA
7. Restricting Access to the CA
8. Auditing CA Operations
9. Configuring Certificate Templates
10. Authorizing the CA to Issue Certificates
11. Archiving Private Keys
12. Sending Enrollment Notifications via Email
13. Requesting Certificates Automatically
14. Approving and Denying Certificate Requests
15. Retrieving Issued Certificates
16. Renewing Certificates
17. Revoking Certificates
18. Configuring a Trusted Certificate
19. Identifying Local Certificates and Private Keys
20. Backing Up Certificates and Private Keys
21. Restoring Certificates and Private Keys
Chapter 19 Auditing
1. Introduction
2. Auditing Account Logon Events
3. Auditing Account Management Events
4. Auditing Directory Service Events
5. Auditing File Access
6. Auditing File Share Configuration Events
7. Auditing Web Server Access
8. Auditing Policy Change Events
9. Auditing Privilege Use Events
10. Auditing Process Tracking Events
11. Auditing System Events
12. Shutting Down Windows When Unable to LogEvents
Chapter 20 Event Logs
1. Introduction
2. Viewing Events
3. Setting the Maximum Size of an Event Log
4. Setting the Event Log Retention Policy
5. Clearing the Events in an Event Log
6. Restricting Access to an Event Log
7. Searching the Event Logs on Multiple Servers
8. Archiving an Event Log
9. Finding More Information About an Event
10. Triggering an Action when an Event Occurs
11. Consolidating Event Logs
Chapter 21 Patch Management
1. Introduction
2. Installing a Root Update Server
3. Installing a Subordinate Update Server
4. Installing a Nonstoring Update Server
5. Installing an Update Server on a NondedicatedServer
6. Configuring Computers to Use the InternalUpdate Server
7. Refreshing the Update Server
8. Configuring the Computer Update Type andSchedule
9. Creating a Test Group
10. Approving and Declining Updates
11. Automatically Approving Critical Updates
12. Removing Updates
13. Forcing an Update Scan
14. Manually Applying Updates
15. Disabling Windows Update
16. Checking Status of Update Application
17. Verifying Update Application with MBSA

Colophon

Title:

Windows Server 2003 Security Cookbook

By:

Mike Danseglio, Robbie Allen

Publisher:

O'Reilly Media

Formats:

Print
Ebook
Safari Books Online

Print:

December 2005

Ebook:

February 2009

Pages:

528

Print ISBN:

978-0-596-00753-9

| ISBN 10:

0-596-00753-1

Ebook ISBN:

978-0-596-10466-5

| ISBN 10:

0-596-10466-9

Mike Danseglio

Mike Danseglio is a program manager in the Security Solutions group at Microsoft Corporation, and has worked in the areas of security and technology for the last decade. He holds several technical certifications including MCSE and CISSP. Mike's work includes developing and teaching extensive security training on topics such as cryptography, security technology, and attacks and countermeasures. Among his recent projects are writing security documentation for Windows XP and the Windows Server 2003 family, as well as working on a host of white papers and articles. Mike also works on security feature development for Microsoft Windows.

View Mike Danseglio's full profile page.
Robbie Allen

Robbie Allen is a Technical Leader at Cisco Systems where he has been involved in the deployment of Active Directory, DNS, DHCP, and several Network Management solutions. He enjoys working on Unix and Windows, and his favorite programming language is Perl. Robbie was named a Windows Server MVP in 2004 and 2005 for his contributions to the Windows community and publication of several popular O'Reilly books. Robbie is currently studying at MIT in the System Design and Management program.

View Robbie Allen's full profile page.

Description

Table of Contents

Product Details

About the Author

Recommended for You

Chapter 1 Getting Started

What Is Security?

Approach to the Book

Where to Find the Tools

Group Policy Notes

Programming Notes

Replaceable Text

Reporting Security Issues to Microsoft

Where to Find More Information

Chapter 2 System Preparation and Administration

Introduction

Creating a Reference Installation

Renaming the Domain Administrator Account

Renaming the Local Administrator Accounts

Disabling the Local Administrator Accounts

Renaming the Guest Account

Logging in as a Non-Administrator

Configuring Internet Explorer Enhanced Security Configuration

Preventing Automatic Installation of New Hardware Drivers

Protecting Against Modified Device Drivers

Encrypting the SAM

Locking the Console

Enabling Screensaver Locking

Chapter 3 TCP/IP

Introduction

Displaying the Status of TCP Ports

Disabling NetBIOS over TCP/IP

Disabling File and Printer Sharing for MicrosoftNetworks

Enabling SYN Flood Protection

Disabling Source Routing

Disabling Router Discovery

Configuring TCP/IP Filtering

Enabling and Configuring Windows Firewall

Chapter 4 Encrypting File System

Introduction

Enabling EFS Without a Recovery Agent

Configuring a Recovery Agent

Configuring Server-Based EFS

Encrypting a File

Encrypting a Folder

Enabling EFS Context Menus

Viewing Users and Recovery Agents

Moving or Copying an Encrypted File or Folder

Changing Encryption Algorithms

Encrypting Offline Files

Sharing Encrypted Files

Backing Up EFS Keys

Using a Recovery Agent

Removing Unused Data

Chapter 5 Active Directory

Introduction

Enabling SSL/TLS

Encrypting LDAP Traffic with SSL or TLS; Digital Signing

Using the Delegation of Control Wizard

Customizing the Delegation of Control Wizard

Using the Default ACL for an Objectclass

Enabling List Object Access Mode

Modifying the ACL on Administrator Accounts

Viewing and Purging Your Kerberos Tickets

Resetting the Directory Service Restore ModeAdministrator Password

Implementing Role-Based Access Control

Displaying Delegated Rights

Removing Delegated Rights

Chapter 6 Group Policy

Introduction

Creating a GPO

Copying a GPO

Deleting a GPO

Modifying the Settings of a GPO

Creating a GPO Link to an OU

Blocking Inheritance of GPOs on an OU

Forcing a GPO Application

Applying a Security Filter to a GPO

Refreshing GPO Settings on a Computer

Configuring the Group Policy Refresh Interval

Installing Applications with a GPO

Assigning Logon/Logoff and Startup/ShutdownScripts in a GPO

Configuring Password Policies

Configuring Account Lockout Policies

Configuring Kerberos Policies