This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
Server 2008 implements a new feature helping to reduce the attack surface of the supported server roles by installing only a subset of the binary files that a server requires to operate. It requires only about 1 GB of space on the server's hard disk drive to install. Above mentioned roles managed via command prompt, remotely by using Remote Desktop, or using MMC or command-line tools that support remote use. This approach also reduces the size of the server installation, diminishes attack surface.
Create Role Policies:
After installing the appropriate server roles ( DHCP, DNS for example) Security Configuration Wizard is used to configure security settings such as Selecting Additional Services, Handling unspecified Services, Network Security rules, Registry Settings.
Following step is converting SCW policy into GPO using promp scwcmd transform /p:<PathToPolicy.xml> /g:<GPODisplayName> command. Next through Group Policy Management Console (GPMC) we link the newly created GPO to the appropriate OUs.
Domain Policy Settings:
Following security settings are applied to the domain via Computer Configuration node in the Group Policy Object Editor:
Password Policy Settings - helps reduce the likelihood of a successful
Account Lockout Policy Settings - prevents logon after a certain number of
failed logon attempts occur within a specified period.
User Rights Assignment Settings:
These rights used to perform a specific administrative task or tasks without giving full administrative control to that user or group (set following settings via GPO or direct configuration using MMC):
User Account Control: reduces the exposure and attack surface of the operating system by requiring that all users run in standard user mode, even if they have logged on
with administrative credentials.
Server Message Block Signing Policies: prevents server authenticated connections from being maliciously downgraded to a guest session or to an anonymous session.
Audit policy: to monitor security-related activity enable consider using following policies:
Logon/Logoff - makes it possible to determine which users have accessed or attempted to access your organization's computers.
Object Access - entry is generated each time that a user accesses an specified object .
Detailed Tracking - provides tracking in case of a program activation, process exit, handle duplication, and indirect object access.
Policy Change - monitors every incident of a change to user rights assignment policies, Windows Firewall policies, Trust policies, or changes to the Audit policy itself.
Account Management - tracks attempts to create new users or groups, rename users or groups, enable or disable user accounts, change account passwords, and enable auditing for Account Management events.
Hardening Active Directory:
Installed files - running hash against them to later check integrity.
Uninstalling / Disabling not used services.
Implementing Firewall rules - hiding default ports.
Hide service banners where applicable.
Carefully configuring role dependencies.
Delegate local administration of RODCs.
Limit secure information stored on RODCs.
Combine the DNS role service and the Domain Controller role service.
Restrict administrator group members and administration scope.
Prevent service administrators from bypassing password policies.
Configure fine-grained password policies.
Require multifactor authentication for users with elevated privileges.
Manage service administrators in a controlled OU structure.
Manage group membership for service administrator accounts.
Encrypt data stored on local drives using BitLocker™ Drive Encryption.
Backup BitLocker and TPM recovery information in Active Directory.
Protect the computer startup key using Syskey.
Encrypt Data on Local Drives Using BitLocker Drive Encryption.
Backup BitLocker and TPM Recovery Information in Active Directory
NIS role service:
Configure the computer to run Server for - NIS in master mode.
Require users to change their Windows passwords.
Configuring Password Synchronization Ensure the Windows and UNIX password policies are consistent.
Specify a computer-specific password encryption key.
Explicitly list users allowed or blocked from password synchronization.
Block password synchronization of disabled UNIX user accounts.
Avoid synchronizing passwords for user accounts with elevated privileges.
Do not use the default port number and encryption key.
Hardening DHCP Services:
Server 2008 implements new features for increased security: Network Access Protection (NAP). In order to require DHCP clients to prove their system and security health state before they can receive an IP address to gain access to your intranet. Consider following setting:
Use DHCPv6 Functionality.
Eliminate computers running rogue DHCP services.
Add DHCP reservation and exclusion ranges for IP addresses.
Use NAP to enforce computer configuration health.
Restrict DHCP security group membership.
Configure DNS record ownership to help prevent stale DNS records.
Hardening DNS Services:
Server 2008 innovation: Support for READ-ONLY domain controllers (RODCs).
Following security measures can be considered:
Protect DNS zones in unsecured locations by using read-only domain controllers
Combine the DNS and AD DS server roles on the same server.
Configure zones to use secure dynamic updates.
Restrict zone transfers to specific server computers running DNS.
Deploy separate server computers for internal and external DNS resolution.
Configure the firewall to protect the internal DNS namespace.
Enable recursion to only the appropriate DNS servers.
Configure DNS to ignore non-authoritative resource records.
Configure root hints for the internal DNS namespace.
Hardening Web server:
Set the authentication mechanism.
Remove unused IIS components.
Configure a unique binding.
Move root directories to a separate data partition.
Configuring user account permissions.
Enable Secure Sockets Layer (SSL).
Hardening File Services:
Digitally sign communications via Computer Configuration\Windows Settings\Security Settings\LocalPolicies\Security Options.
Consider using encryption for drives and files using two methods Microsoft BitLocker™ Drive Encryption.
Encrypting File System (EFS).
Hardening Print Services:
Digitally sign communications - To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol provides SMB packet digital signing.
Consider Using the Point and Print feature Point and Print Restrictions Group Policy setting has been updated in Windows via Userconfiguration\Administrative Templates\Control Panel\Printers.
Server 2008 and Windows Vista to help you manage the improved security
Control printer share access
CREATOR OWNER Manage documents
Administrator Print, Manage printers, Manage documents
Relocate the default Print Spooler file - for elevated security or performance requirements
Hardening Network Policy and Access Services that responsible for virtual private network (VPN), a dialup network, 802.1X-protected wired and wireless access:
Restrict traffic based on the services offered.
Prohibit Legacy RADIUS requests, protect RADIUS shared secrets.
Explicitly specify RADIUS clients to prevent potential rogue RADIUS clients from communicating with NPS.
Configure firewall rules on intervening firewalls and to protect computers that run NPS
Use IPsec to secure communication between NPS and RADIUS clients.
Enable the Message-Authenticator attribute when not using EAP authentication.
Use the PEAP or EAP-TLS authentication protocol to authenticate client computers
Routing Role Service
Place computers that run the Routing role service in perimeter networks.
Configure the firewall rules on intervening firewalls.
Limit routing connections to known end points.
Make computers that run the Routing role service members of an extranet forest.
Use secured tunnels to secure communication between routers.
Require multifactor authentication for authenticating routers.
Use the PEAP or EAP-TLS authentication protocol to authenticate routers.
Hardening Terminal Services supporting RDP:
Configure the network level authentication.
Enable Single Sign-On for Terminal Services.
Enable secure use of saved credentials with Windows Vista RDP clients.
Change the default RDP port.
Use smart cards with Terminal Services.
Use the NTFS file system.
Use TS Easy Print exclusively.
Partition user data on a dedicated disk.
Create specialized OUs for terminal servers.
Set Group Policy settings for the terminal servers.
Set Group Policy settings for the remote desktops.
Restrict users to specific programs.
Limit terminal server security auditing.
Additional important security configurations:
Renaming Administrative accounts ( preventing easy detection)
Disabling guest account option
Specifying access rights to Application, Security and System logs.
Disabling driver/program installation by users
Disabling access to Windows binary files and registry
Disable floppy disk drive access.
Disable CD-ROM drive access
Disable USB drive access
Set logon prompts
Digital signing of data
Disable Scrip execution
Disable Access to use all Windows Update features
Enable Remove programs on Settings menu
Remove Network Connections from Start Menu
Remove Search link from Start Menu
Remove Run menu from Start Menu
Add Logoff to the Start Menu
Remove and prevent access to Shut Down, Restart, Sleep, and Hibernate cmds.
Remove Add or Remove Programs
Prohibit access to the Control Panel
Prevent addition of printers
Remove Properties from the Documents icon context menu
Remove Properties from the Computer icon context menu
Remove Properties from the Recycle Bin context menu
Prevent access to the command prompt
Prevent access to registry editing tools
Run only specified Windows applications