Diogenes / Littlejohn Shinder / Shinder | Windows Server 2012 Security from End to Edge and Beyond | E-Book | www.sack.de
E-Book

E-book, English, 542 pages

Diogenes / Littlejohn Shinder / Shinder Windows Server 2012 Security from End to Edge and Beyond

Architecting, Designing, Planning, and Deploying Windows Server 2012 Security Solutions
1st edition 2013
ISBN: 978-1-59749-981-1
Publisher: Elsevier Science & Techn.
Format: EPUB
Copy protection: 6 - ePub Watermark



Windows Server 2012 Security from End to Edge and Beyond shows you how to architect, design, plan, and deploy Microsoft security technologies for Windows 8/Server 2012 in the enterprise. The book covers security technologies that apply to both client and server and enables you to identify and deploy Windows 8 security features in your systems based on different business and deployment scenarios. The book is a single source for learning how to secure Windows 8 in many systems, including core, endpoint, and anywhere access. Authors Tom Shinder and Yuri Diogenes, both Microsoft employees, bring you insider knowledge of the Windows 8 platform, discussing how to deploy Windows security technologies effectively in both the traditional datacenter and in new cloud-based solutions. With this book, you will understand the conceptual underpinnings of Windows 8 security and how to deploy these features in a test lab and in pilot and production environments. The book's revolutionary 'Test Lab Guide' approach lets you test every subject in a predefined test lab environment. This, combined with conceptual and deployment guidance, enables you to understand the technologies and move from lab to production faster than ever before. Critical material is also presented in key concepts and scenario-based approaches to evaluation, planning, deployment, and management. Videos illustrating the functionality in the Test Lab can be downloaded from the authors' blog http://blogs.technet.com.b.security_talk/. Each chapter wraps up with a bullet list summary of key concepts discussed in the chapter.

- Provides practical examples of how to design and deploy a world-class security infrastructure to protect both Windows 8 and non-Microsoft assets on your system
- Written by two Microsoft employees who provide an inside look at the security features of Windows 8
- Test Lab Guides enable you to test everything before deploying live to your system

Yuri Diogenes started working in the IT field as a computer operator back in 1993, using MS-DOS 5.5 and Windows 3.1. In 1998 he moved to a Microsoft Partner, where he was an instructor for computer classes and also wrote internal training materials such as Windows NT 4 and Networking Essentials. His initial experience with security started in 1998, when he had to set up Internet security connectivity using Microsoft Proxy 2.0 and Cisco routers. In 2001 Yuri released his first book (in Portuguese) about Cisco CCNA Certification. In 2003 Yuri accepted an offer to be a professor at a university in Brazil, where he taught operating system and computer networks classes. In December 2003 he moved to the United States to work for Microsoft as a contractor in the Customer Service and Support for Latin America messaging division. In 2004 he moved to Dell Computers in Round Rock, Texas, to work as a Server Advisor in the Network Operating System (NOS) Team, dealing primarily with Windows, Exchange and ISA (2000/2004). Yuri returned to MS as a full-time employee in 2006 to work again in Customer Service and Support for Latin America, this time dedicated to the platform division. There he was primarily responsible for supporting Windows Networking and ISA Server (2000/2004/2006) for enterprise customers from Latin America. In 2007 he joined the Customer Services and Support Security Team as a Security Support Engineer, where he was dedicated to working with Edge protection (ISA Server and then TMG). In 2010 Yuri co-wrote the Forefront Administrator's Companion book and also three other Forefront books in partnership with Tom Shinder. During this time Yuri also wrote articles for his own blog (blogs.technet.com/yuridiogenes), TechNet Magazine, ISSA Journal and other security magazines in Brazil.
Nowadays Yuri Diogenes works as a Senior Technical Writer for the Server and Cloud division Information Experience Team, where he writes articles about Cloud Infrastructure with security functionalities baked in. In his current role he also delivers presentations at public events such as TechED US, Europe, Brazil and internal Microsoft conferences such as TechReady. Currently Yuri is also working on his Master's degree in Cybersecurity Intelligence & Forensics at UTICA while also writing the second edition of his Security+ book (in Portuguese). Yuri holds several industry certifications, including CISSP, E|CEH, E|CSA, CompTIA, Security+, CompTIA Cloud Essentials Certified, CompTIA Network+, CASP, MCSE, MCTS, MCT and many other Microsoft certifications. You can follow Yuri Diogenes on Twitter @yuridiogenes

Further Information & Material


Chapter 2

Planning Server Role in Windows Server 2012


Contents

Chapter Points


 Server Roles and Security Considerations

 Using Server Manager to Add a new Role

 Using Security Compliance Manager to Harden Servers

Server Role and Security Considerations


For many years, security professionals were very focused on hardening servers and workstations to reduce the attack surface. This is without doubt a very important item to be included on your checklist. However, before hardening the server, you need to understand the role of that server in your overall infrastructure. You should ask yourself the questions below before you start any implementation:

 What role will this server play on your network (e.g., file server or domain controller)?

 Who (groups, users) will have access to this server?

 Do you have a template for this type of server role?

 What are the services that must be running on this server?

 Which protocols and ports should be open on the firewall to support the server workloads?

Random hardening templates applied to servers without defining the server’s role will cause more problems than benefits. While the server might be very secure because many services were disabled and permissions and privileges were removed, it might not be capable of providing the services that the users need. When this happens, you have just broken one of the three security pillars: availability.

A lack of server role planning and the wrong approach to hardening the server can lead to other problems as well. You must verify that the hardening you are doing on the server is supported by the vendor. You cannot just collect a series of scripts found on the Internet, apply them to the server, and believe that is the right way to do things, because there is something called a . All vendors have different supportability statements describing how they support hardening of their products.

Note

For a real example of a hardening that broke a system and was done in a nonsupported manner, read this post http://blogs.technet.com/b/yuridiogenes/archive/2008/09/11/hardening-isa-server-in-a-supported-manner.aspx.

In Windows Server 2012, the recommended way to harden a server is to use either the Security Configuration Wizard or Security Compliance Manager. The Security Configuration Wizard (SCW) enables you to create, edit, apply, or roll back a security policy on a particular server. You can use Group Policy to apply the security policy to multiple target servers that perform the same role. Security Compliance Manager (SCM) will be presented later in this chapter.
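The apply, roll back and Group Policy operations described above can also be driven from the command line with scwcmd.exe, which is installed alongside SCW. The PowerShell below is an added example, not taken from the book; it assumes a policy has already been saved by the wizard, and the server name FS01, the policy file name, the output folder and the GPO display name are all hypothetical.

```powershell
# Added example. Names marked "assumed" or "hypothetical" are not from the book.
$Policy  = Join-Path $env:SystemRoot 'Security\Msscw\Policies\FileServer.xml'  # assumed save location and file name
$Target  = 'FS01'                          # hypothetical file server
$Results = 'C:\SCW\Analysis'               # hypothetical folder for analysis output
$GpoName = 'SCW - File Server Baseline'    # hypothetical GPO display name

function Invoke-Scw {
    # Run one scwcmd operation and stop the script if it reports failure.
    param([string[]]$Arguments)
    & scwcmd.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "scwcmd $($Arguments[0]) failed with exit code $LASTEXITCODE"
    }
}

if (-not (Test-Path $Policy)) { throw "Policy file not found: $Policy" }
New-Item -ItemType Directory -Path $Results -Force | Out-Null

# 1. Compare the server with the policy. Nothing is changed on the target;
#    review the result file written to $Results before continuing.
Invoke-Scw @('analyze', "/m:$Target", "/p:$Policy", "/o:$Results")

# 2. Apply the policy to the single server used as the baseline.
Invoke-Scw @('configure', "/m:$Target", "/p:$Policy")

# 3. Convert the same policy into a GPO for the other servers in this role.
#    The GPO still has to be linked to the OU that holds those servers.
Invoke-Scw @('transform', "/p:$Policy", "/g:$GpoName")

# If the role stops working after step 2, undo the last applied policy:
# Invoke-Scw @('rollback', "/m:$Target")
```

In practice, run the analyze step on its own first and only continue once the differences it reports match the server's documented role.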

Using Security Configuration Wizard to Harden the Server


To apply a security policy to a server using SCW, read the scenario below and follow the steps:

Scenario

Tom just received a request to prepare a new file server for EndtoEdge.com International. He noticed that the company does not have a template for this type of role yet, so he decided to use this new server to create one. He gathered all the necessary information regarding who will access the server and which services should be available for those users, and he is ready to deploy the server. The core requirements are:

 Clients must be able to access the files while working offline.

 This server belongs to an OU (Organizational Unit) that has a policy to install applications remotely.

 Administrators must be able to access this server remotely using RDP.

 Administrators must be able to administer this server using remote administrative tools (including Windows Firewall administration and Event Viewer).

 It is on the roadmap to install a new Network Interface Card (NIC) on this server to enable NLB and administrators must be able to manage that remotely.

 All successful activities must be audited.

Important

Before running the Security Configuration Wizard to configure the server’s role, you need to install the role first using Server Manager. SCW will not install a role automatically; it will only perform the necessary hardening process on top of the installed role.

Implementation steps: follow the steps below to create a new template and apply it to the file server.

1. In the Server Manager, click Tools and then click Security Configuration Wizard as shown in Figure 2.1.

Figure 2.1 Launching Security Configuration Wizard.

2. The Security Configuration Wizard will open. Click Next on the Welcome to the Security Configuration Wizard page.

3. On the Configuration Action page, select the option Create a new security policy as shown in Figure 2.2 and click Next.

Figure 2.2 Creating a new security policy.

4. On the Select Server page, type the name of the server that will be used as baseline to create this security policy in the Server field as shown in Figure 2.3 (by default it will choose the local server’s name) and click Next.

Figure 2.3 Selecting the server to be used as baseline for this security policy.

5. Depending on the configuration of the server, a gauge will appear on the Processing Security Configuration Database page for a moment. Once it is finished, you can view the configuration by selecting the option View Configuration Database. Click View Configuration Database to see more details. The SCW Viewer will appear, and a Windows Security Warning dialog box will ask if you want to enable the ActiveX Control. Click Yes.

6. Expand the Server Roles option and scroll down until you see the File Server role. Expand it and read the description as shown in Figure 2.4.

Figure 2.4 Explanation of the role, the services required, and the firewall rules.

Note

The XML files used to build these pages are located at %Systemroot%\Security\Msscw\KBs.

7. This description gives you an idea of which services must be running and which firewall rules should be enabled in order for this role to work properly. After reviewing those details, close this window. On the Processing Security Configuration Database page, click Next.

8. On the Role-Based Service Configuration page, click Next.

9. On the Select Server Roles page, review the role selection that was done automatically by the wizard. You may select additional roles or unselect roles that are not applicable for this server. For this particular example, the selections shown in Figure 2.5 are the ones applicable for a File Server. Once you finish reviewing the selection and making any changes, click Next.

Figure 2.5 Selecting the roles that will be installed by this server.

10. On the Select Client Features page, review the feature selection that was done automatically by the wizard. You may select additional features or unselect features that are not applicable for this server. For this particular example, the selections shown in Figure 2.6 are the ones applicable for a File Server. Once you finish reviewing the selection and making any changes, click Next.

Figure 2.6 Selecting the client features that will be used by this server.

11. On the Select Administration and Other Options page, you can select additional options that this server might be using. This is the time to review your checklist to understand the server’s requirements and whether it needs one of those options enabled in order to work properly. The table below shows the requirements for this particular scenario and which options should be enabled on this page:

12. On the Select Administration and Other Options page, click the View drop-down box and select the category (according to the table above). Once you select the correct category, make the correct selection according to the Options column of the table above. Figure 2.7 shows the category Remote Administration and the selections according to the Options column. Once you finish...


