DOCSLIB.ORG

Windows Server 2003 Security Guide

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Windows Server 2003 Security Guide Microsoft Solutions for Security and Compliance Windows Server 2003 Security Guide April 26, 2006 © 2006 Microsoft Corporation. This work is licensed under the Creative Commons Attribution-Non Commercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA. Table of Contents iii Contents Chapter 1: Introduction to the Windows Server 2003 Security Guide ............. 1 Overview....................................................................................................1 Executive Summary .....................................................................................1 Who Should Read This Guide.........................................................................2 Scope of this Guide......................................................................................2 Chapter Summaries .....................................................................................3 Chapter 1: Introduction to the Windows Server 2003 Security Guide .............4 Chapter 2: Windows Server 2003 Hardening Mechanisms ............................4 Chapter 3: The Domain Policy..................................................................4 Chapter 4: The Member Server Baseline Policy ...........................................4 Chapter 5: The Domain Controller Baseline Policy .......................................5 Chapter 6: The Infrastructure Server Role .................................................5 Chapter 7: The File Server Role................................................................5 Chapter 8: The Print Server Role ..............................................................5 Chapter 9: The Web Server Role ..............................................................5 Chapter 10: The IAS Server Role..............................................................6 Chapter 11: The Certificate Services Server Role ........................................6 Chapter 12: The Bastion Hosts Role..........................................................6 Chapter 13: Conclusion...........................................................................6 Appendix A: Security Tools and Formats....................................................7 Appendix B: Key Settings to Consider .......................................................7 Appendix C: Security Template Setting Summary .......................................7 Appendix D: Testing the Windows Server 2003 Security Guide .....................7 Tools and Templates...............................................................................7 Skills and Readiness ....................................................................................8 Software Requirements ................................................................................8 Style Conventions........................................................................................8 Summary ...................................................................................................9 More Information ...................................................................................9 Chapter 2: Windows Server 2003 Hardening Mechanisms ............................ 11 Overview..................................................................................................11 Hardening with the Security Configuration Wizard ..........................................11 Creating and Testing Policies .................................................................12 Deploying Policies ................................................................................13 iv Windows Server 2003 Security Guide Apply the Policy with the SCW GUI....................................................13 Apply the Policy with the Scwcmd Command-line Tool..........................13 Convert the SCW Policy to a Group Policy Object.................................14 Hardening Servers with Active Directory Group Policy .....................................14 Active Directory Boundaries...................................................................14 Security Boundaries ........................................................................15 Administrative Boundaries ...............................................................15 Active Directory and Group Policy...........................................................17 Delegating Administration and Applying Group Policy ...........................17 Administrative Groups .....................................................................18 Group Policy Application ..................................................................19 Time Configuration .........................................................................19 Security Template Management........................................................20 Successful GPO Application Events ....................................................21 Sever Role Organizational Units ........................................................21 OU, GPO, and Group Design ..................................................................25 Process Overview ......................................................................................25 Create the Active Directory Environment .................................................26 Configure Time Synchronization .............................................................26 Configure the Domain Policy ..................................................................27 Create the Baseline Policies Manually Using SCW ......................................28 Test the Baseline Policies Using SCW ......................................................30 Convert the Baseline Policies to GPOs .....................................................30 Create the Role Policies Using SCW.........................................................31 Test the Role Policies Using SCW............................................................31 Convert the Role Policies to GPOs ...........................................................32 Summary .................................................................................................32 More Information .................................................................................33 Chapter 3: The Domain Policy ....................................................................... 35 Overview..................................................................................................35 Domain Policy ...........................................................................................35 Domain Policy Overview........................................................................36 Account Policies ........................................................................................36 Password Policy.........................................................................................36 Password Policy Settings .......................................................................37 Enforce password history .................................................................38 Maximum password age ..................................................................38 Table of Contents v Minimum password age ...................................................................39 Minimum password length ...............................................................39 Password must meet complexity requirements....................................40 Store password using reversible encryption ........................................41 How to Prevent Users from Changing a Password Except When Required.............................................................................................41 Account Lockout Policy ...............................................................................42 Account Lockout Policy Settings .............................................................42 Account lockout duration .................................................................42 Account lockout threshold................................................................43 Reset account lockout counter after...................................................44 Kerberos Policies .......................................................................................44 Security Options........................................................................................44 Security Options Settings ......................................................................45 Microsoft network server: Disconnect clients when logon hours expire ...........................................................................................45 Network Access: Allow anonymous SID/NAME translation.....................45 Network Security: Force Logoff when Logon Hours expire .....................46 Summary .................................................................................................46 More Information .................................................................................47 Chapter 4: The Member Server Baseline Policy ............................................. 49 Overview..................................................................................................49 Windows Server 2003 Baseline Policy ...........................................................52 Audit Policy ..............................................................................................52 Audit account logon events....................................................................54
Load more

Recommended publications
  • Shorten Device Boot Time for Automotive IVI and Navigation Systems
    Shorten Device Boot Time for Automotive IVI and Navigation Systems Jim Huang ( 黃敬群 ) <[email protected]> Dr. Shi-wu Lo <[email protected]> May 28, 2013 / Automotive Linux Summit (Spring) Rights to copy © Copyright 2013 0xlab http://0xlab.org/ [email protected] Attribution – ShareAlike 3.0 Corrections, suggestions, contributions and translations You are free are welcome! to copy, distribute, display, and perform the work to make derivative works Latest update: May 28, 2013 to make commercial use of the work Under the following conditions Attribution. You must give the original author credit. Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under a license identical to this one. For any reuse or distribution, you must make clear to others the license terms of this work. Any of these conditions can be waived if you get permission from the copyright holder. Your fair use and other rights are in no way affected by the above. License text: http://creativecommons.org/licenses/by-sa/3.0/legalcode Goal of This Presentation • Propose a practical approach of the mixture of ARM hibernation (suspend to disk) and Linux user-space checkpointing – to shorten device boot time • An intrusive technique for Android/Linux – minimal init script and root file system changes are required • Boot time is one of the key factors for Automotive IVI – mentioned by “Linux Powered Clusters” and “Silver Bullet of Virtualization (Pitfalls, Challenges and Concerns) Continued” at ALS 2013 – highlighted by “Boot Time Optimizations” at ALS 2012 About this presentation • joint development efforts of the following entities – 0xlab team - http://0xlab.org/ – OSLab, National Chung Cheng University of Taiwan, led by Dr.
    [Show full text]
  • By Sebastiano Vigna and Todd M. Lewis Copyright C 1993-1998 Sebastiano Vigna Copyright C 1999-2021 Todd M
    ne A nice editor Version 3.3.1 by Sebastiano Vigna and Todd M. Lewis Copyright c 1993-1998 Sebastiano Vigna Copyright c 1999-2021 Todd M. Lewis and Sebastiano Vigna Permission is granted to make and distribute verbatim copies of this manual provided the copyright notice and this permission notice are preserved on all copies. Permission is granted to copy and distribute modified versions of this manual under the conditions for verbatim copying, provided that the entire resulting derived work is distributed under the terms of a permission notice identical to this one. Permission is granted to copy and distribute translations of this manual into another language, under the above conditions for modified versions, except that this permission notice may be stated in a translation approved by the Free Software Foundation. Chapter 1: Introduction 1 1 Introduction ne is a full screen text editor for UN*X (or, more precisely, for POSIX: see Chapter 7 [Motivations and Design], page 65). I came to the decision to write such an editor after getting completely sick of vi, both from a feature and user interface point of view. I needed an editor that I could use through a telnet connection or a phone line and that wouldn’t fire off a full-blown LITHP1 operating system just to do some editing. A concise overview of the main features follows: • three user interfaces: control keystrokes, command line, and menus; keystrokes and menus are completely configurable; • syntax highlighting; • full support for UTF-8 files, including multiple-column characters; • 64-bit
    [Show full text]
  • Illustrated Tutorial: Creating a Bootable USB Flash Drive for Windows XP
    Illustrated tutorial: Creating a bootable Version 1.0 February 15, 2007 USB flash drive for Windows XP By Greg Shultz The ability to boot Windows XP from a USB Flash Drive (UFD) offers endless possibilities. For example, you might make an easy-to-use troubleshooting tool for booting and analyzing seemingly dead PCs. Or you could transport your favorite applications back and forth from home to work without having to install them on both PCs. However, before you can create a bootable UFD, you must clear a few hurdles. You saw that one coming didn’t you? The first hurdle is having a PC in which the BIOS will allow you to configure the USB port to act as a bootable device. The second hurdle is having a UFD that that will work as a bootable device and that’s large enough and fast enough to boot an operating system such as Windows XP. The third hurdle is finding a way to condense and install Windows XP on a UFD. If you have a PC that was manufactured in the last several years, chances are that its BIOS will allow you to configure the USB port to act as a bootable device. If you have a good qual- ity UFD that’s at least 512 KB and that was manufactured in the last couple of years, you’ve probably cleared the second hurdle. And once you’ve cleared those first two hur- dles, the third one is a piece of cake. All you have to do is download and run some free soft- ware to create the bootable UFD.
    [Show full text]
  • Efficient, Dos-Resistant, Secure Key Exchange
    Efficient, DoS-Resistant, Secure Key Exchange for Internet Protocols∗ William Aiello Steven M. Bellovin Matt Blaze AT&T Labs Research AT&T Labs Research AT&T Labs Research [email protected] [email protected] [email protected] Ran Canetti John Ioannidis Angelos D. Keromytis IBM T.J. Watson Research Center AT&T Labs Research Columbia University [email protected] [email protected] [email protected] Omer Reingold AT&T Labs Research [email protected] Categories and Subject Descriptors While it might be possible to “patch” the IKE protocol to fix C.2.0 [Security and Protection]: Key Agreement Protocols some of these problems, it may be perferable to construct a new protocol that more narrorwly addresses the requirements “from the ground up.” We set out to engineer a new key exchange protocol General Terms specifically for Internet security applications. We call our new pro- Security, Reliability, Standardization tocol “JFK,” which stands for “Just Fast Keying.” Keywords 1.1 Design Goals We seek a protocol with the following characteristics: Cryptography, Denial of Service Attacks Security: No one other than the participants may have access to ABSTRACT the generated key. We describe JFK, a new key exchange protocol, primarily designed PFS: It must approach Perfect Forward Secrecy. for use in the IP Security Architecture. It is simple, efficient, and secure; we sketch a proof of the latter property. JFK also has a Privacy: It must preserve the privacy of the initiator and/or re- number of novel engineering parameters that permit a variety of sponder, insofar as possible.
    [Show full text]
  • Configuring DNS
    Configuring DNS The Domain Name System (DNS) is a distributed database in which you can map hostnames to IP addresses through the DNS protocol from a DNS server. Each unique IP address can have an associated hostname. The Cisco IOS software maintains a cache of hostname-to-address mappings for use by the connect, telnet, and ping EXEC commands, and related Telnet support operations. This cache speeds the process of converting names to addresses. Note You can specify IPv4 and IPv6 addresses while performing various tasks in this feature. The resource record type AAAA is used to map a domain name to an IPv6 address. The IP6.ARPA domain is defined to look up a record given an IPv6 address. • Finding Feature Information, page 1 • Prerequisites for Configuring DNS, page 2 • Information About DNS, page 2 • How to Configure DNS, page 4 • Configuration Examples for DNS, page 13 • Additional References, page 14 • Feature Information for DNS, page 15 Finding Feature Information Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
    [Show full text]
  • Testing-Prepare.Pdf
    Prepare Update your system so you can connect to the staging server to perform testing – required for all users EXCEPT “new users.” If you are not certain how to complete the steps listed in Prepare, you should abort testing efforts. Breaking your “hosts” file may prevent applications that use the Internet, such as your Web browser, from functioning properly. Also note that this will make non-CMS www.ndsu.edu sites unavailable while you are testing until you perform the clean-up steps on page 11 of this packet. Windows XP 1. Close all browser windows 2. Open My Computer 3. Browse to Local Disk (C:) > WINDOWS > system32 > drivers > etc 4. Double-click hosts 5. In the Open With dialog window, select Notepad and click OK 6. At the end of the file, AFTER 127.0.0.1 localhost, add a new line with the following entry 134.129.111.243 www.ndsu.edu workspaces.ndsu.edu An example of what the file should look like follows these directions Note that if you usually sign in somewhere other than “workspaces.ndsu.edu” you should add that address to the end of this list, for example like 134.129.111.243 www.ndsu.edu workspaces.ndsu.edu english.ndsu.edu 7. Save the file Remember to complete the clean-up steps on page 11 of this packet when you are done testing Windows Vista 1. Close all browser windows 2. Click the Start menu > All Programs > Accessories > and RIGHT-CLICK Notepad 3. Choose Run as administrator 4. In the User Account Control dialog, click Continue or if you are not an administrator, provide a password for an administrator account and click OK 5.
    [Show full text]
  • Network Access Control and Cloud Security
    Network Access Control and Cloud Security Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 [email protected] Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-17/ Washington University in St. Louis http://www.cse.wustl.edu/~jain/cse571-17/ ©2017 Raj Jain 16-1 Overview 1. Network Access Control (NAC) 2. RADIUS 3. Extensible Authentication Protocol (EAP) 4. EAP over LAN (EAPOL) 5. 802.1X 6. Cloud Security These slides are based partly on Lawrie Brown’s slides supplied with William Stallings’s book “Cryptography and Network Security: Principles and Practice,” 7th Ed, 2017. Washington University in St. Louis http://www.cse.wustl.edu/~jain/cse571-17/ ©2017 Raj Jain 16-2 Network Access Control (NAC) AAA: Authentication: Is the user legit? Supplicant Authenticator Authentication Server Authorization: What is he allowed to do? Accounting: Keep track of usage Components: Supplicant: User Authenticator: Network edge device Authentication Server: Remote Access Server (RAS) or Policy Server Backend policy and access control Washington University in St. Louis http://www.cse.wustl.edu/~jain/cse571-17/ ©2017 Raj Jain 16-3 Network Access Enforcement Methods IEEE 802.1X used in Ethernet, WiFi Firewall DHCP Management VPN VLANs Washington University in St. Louis http://www.cse.wustl.edu/~jain/cse571-17/ ©2017 Raj Jain 16-4 RADIUS Remote Authentication Dial-In User Service Central point for Authorization, Accounting, and Auditing data ⇒ AAA server Network Access servers get authentication info from RADIUS servers Allows RADIUS Proxy Servers ⇒ ISP roaming alliances Uses UDP: In case of server failure, the request must be re-sent to backup ⇒ Application level retransmission required TCP takes too long to indicate failure Proxy RADIUS RADIUS Network Remote Access User Customer Access ISP Net Server Network Server Ref: http://en.wikipedia.org/wiki/RADIUS Washington University in St.
    [Show full text]
  • With ANSIBLE Sessions
    SANOG32 bdNOG9 02-10 August, 2018 Dhaka, Bangladesh NETWORK Imtiaz Rahman AUTOMATION (NetDevOps) SBAC Bank Limited [email protected] https://imtiazrahman.com with ANSIBLE Sessions • Session 1: o 14:30 PM – 16:00 PM (Theory with example) • Session 2: o 16:30 PM – 18:00 PM (Configuration and hands on LAB) Today’s Talk 1. Devops/NetDevOps ? 6. Ansible Language Basics 2. Why automation ? 7. Ansible encryption decryption 3. Tools for automation 8. How to run 4. Why Ansible ? 9. Demo 5. Ansible introduction 10. Configuration & Hands on LAB DevOps >devops ? DevOps >devops != DevOps DevOps integrates developers and operations teams In order to improve collaboration and productivity by automating infrastructure, automating workflows and continuously measuring application performance Dev + Ops = DevOps NetDevOps NetDevOps = Networking + DevOps infrastructure as code Why automation ? Avoid Avoid repeated Faster Identical typographical task deployment configuration error (Typos) Tools for automation What is ANSIBLE? • Open source IT automation tool • Red hat Enterprise Linux, CentOS, Debian, OS X, Ubuntu etc. • Need python Why ANSIBLE? • Simple • Push model • Agentless Why ANSIBLE? Puppet SSL Puppet Puppet master Client/agent Ansible Agentless Controller SSH node Managed with ansible node’s How it works 1 2 3 4 Run playbook SSH SSH Laptop/Desktop/ Copy python Run Module Delete Module Server module on device from device Return result 5 What can be done?? • Configuration Management • Provisioning VMs or IaaS instances • Software Testing • Continuous
    [Show full text]
  • Windows Server 2012 Refresh: How to Manage the Migration
    WINDOWS SERVER 2012 REFRESH: HOW TO MANAGE THE MIGRATION A guide to overcoming the challenges during the transition from Windows Server 2003 to Windows Server 2012 TABLE OF CONTENTS 5 Performing an application inventory 8 Upgrading Active Directory 9 Considering a hardware refresh 12 A move to virtualization 13 Certification, compliance and security 2 “Let’s face it. It’s the applications you’re running that are driving use of Windows Server 2003. Those are the things that are the beginning and end of what the Windows migration is all about.” AL GILLIN Program Vice President for Servers and System Software at IDC 3 INTRODUCTION With support ending for Windows Server 2003 in July 2015, companies need to ensure that their servers will adequately support the latest server OS and critical applications. By upgrading to Windows Server 2012, companies can increase their parallel computing capabilities and gain improved control over power consumption. Upgrading to the latest version of Windows Server brings the opportunity for businesses to lower their operating costs. “It’s an expensive proposition to continue supporting those old operating systems,” said Al Gillin, program vice president for servers and system software at IDC. Running one operating system rather than varieties of Server 2008, 2008 R2 and Server 2003R2 will make IT data centers more efficient. “If you have four different versions in place like that, that makes it more difficult for you to run your infrastructure,” Gillin said. When preparing for a Windows Server migration, companies should test all applications using a software tool such as Dell ChangeBASE before going live in the new OS.
    [Show full text]
  • Cygwin User's Guide
    Cygwin User’s Guide Cygwin User’s Guide ii Copyright © Cygwin authors Permission is granted to make and distribute verbatim copies of this documentation provided the copyright notice and this per- mission notice are preserved on all copies. Permission is granted to copy and distribute modified versions of this documentation under the conditions for verbatim copying, provided that the entire resulting derived work is distributed under the terms of a permission notice identical to this one. Permission is granted to copy and distribute translations of this documentation into another language, under the above conditions for modified versions, except that this permission notice may be stated in a translation approved by the Free Software Foundation. Cygwin User’s Guide iii Contents 1 Cygwin Overview 1 1.1 What is it? . .1 1.2 Quick Start Guide for those more experienced with Windows . .1 1.3 Quick Start Guide for those more experienced with UNIX . .1 1.4 Are the Cygwin tools free software? . .2 1.5 A brief history of the Cygwin project . .2 1.6 Highlights of Cygwin Functionality . .3 1.6.1 Introduction . .3 1.6.2 Permissions and Security . .3 1.6.3 File Access . .3 1.6.4 Text Mode vs. Binary Mode . .4 1.6.5 ANSI C Library . .4 1.6.6 Process Creation . .5 1.6.6.1 Problems with process creation . .5 1.6.7 Signals . .6 1.6.8 Sockets . .6 1.6.9 Select . .7 1.7 What’s new and what changed in Cygwin . .7 1.7.1 What’s new and what changed in 3.2 .
    [Show full text]
  • Pipe and Filter Architectural Style Group Number: 5 Group Members: Fan Zhao 20571694 Yu Gan 20563500 Yuxiao Yu 20594369
    Pipe and Filter Architectural Style Group Number: 5 Group Members: Fan Zhao 20571694 Yu Gan 20563500 Yuxiao Yu 20594369 1. Have its own vocabulary for its components and connectors? (define) The Pipe and Filter is an architectural pattern for stream processing. It consists of one or more components called filters. These filters will transform or filter ​ ​ data and then pass it on via connectors called pipes. These filters, which merely ​ ​ consume and produce data, can be seen as functions like sorting and counting. All of these filters can work at the same time. Also, every pipe connected to a filter has its own role in the function of the filter. When data is sent from the producer (pump), it ​ ​ goes through the pipes and filters, and arrives the destination (sink). The pump can ​ ​ be a static text file or a keyboard input. The sink can be a file, a database or a computer screen. 2. Impose specific topological constraints? (diagram) Figure 1 shows a basic structure of Pipe and Filter architecture style. In this example, there are five filters and eight pipes. Each filter will get input from one or more pipes and pass it via pipes. The combination of several filters and pipes can be regarded as a “big” filter. Figure 2 is an specific example using Pipe and Filter architecture style. This example demonstrates a simple process of making sandwiches. To begin with, the first 4 filters can work simultaneously for preparation. Once they are done, the 5th filter can get the output and combine them together. Next, a following filter will add sauce to it and pass it to customer through a pipe.
    [Show full text]
  • Digital Filter Graphical User Interface
    University of Southern Maine USM Digital Commons Thinking Matters Symposium Archive Student Scholarship Spring 2018 Digital Filter Graphical User Interface Tony Finn University of Southern Maine Follow this and additional works at: https://digitalcommons.usm.maine.edu/thinking_matters Recommended Citation Finn, Tony, "Digital Filter Graphical User Interface" (2018). Thinking Matters Symposium Archive. 135. https://digitalcommons.usm.maine.edu/thinking_matters/135 This Poster Session is brought to you for free and open access by the Student Scholarship at USM Digital Commons. It has been accepted for inclusion in Thinking Matters Symposium Archive by an authorized administrator of USM Digital Commons. For more information, please contact [email protected]. By Tony Finn Digital Filter Graphical User Interface EGN 402 Fall 2017 Problem Statements - Digital FIR (finite impulse response) filter design Results requires tedious computations, with each requiring Illustrated in Figure 3 is the final design of the user interface, truncation of an impulse response (seen in Figure 1.) one will find buttons to change design type and filter type as - In order to obtain the desired effects from a filter, one well as clickable buttons to give the user feedback or an output. may need to try multiple filters, so many computations - Play Original Audio: emits the input audio as is; unfiltered. would be necessary. - Play Filtered Audio: emits the input audio with the designed Therefore the desire to simplify the digital filter design filter applied. process is necessary to provide users an easier, more intuitive method for design. - Return Filtered Audio: returns the filtered audio. - Print Filter: returns the filter specifications.
    [Show full text]