Yuri Diogenes started working in the IT field as a computer operator back in 1993, using MS-DOS 5.5 and Windows 3.1. In 1998 he moved to a Microsoft Partner, where he was an instructor for computer classes and also wrote internal training materials on topics such as Windows NT 4 and Networking Essentials. His first experience with security came in 1998, when he had to set up Internet security connectivity using Microsoft Proxy 2.0 and Cisco routers. In 2001 Yuri released his first book (in Portuguese), about the Cisco CCNA certification. In 2003 Yuri accepted an offer to become a professor at a university in Brazil, where he taught operating system and computer network classes. In December 2003 he moved to the United States to work for Microsoft as a contractor in Customer Service and Support for the Latin America messaging division. In 2004 he moved to Dell Computers in Round Rock, Texas, to work as a Server Advisor on the Network Operating System (NOS) team, dealing primarily with Windows, Exchange and ISA (2000/2004). Yuri returned to Microsoft as a full-time employee in 2006 to work again in Customer Service and Support for Latin America, this time dedicated to the platform division, where he was primarily responsible for supporting Windows Networking and ISA Server (2000/2004/2006) for enterprise customers in Latin America. In 2007 he joined the Customer Services and Support Security Team as a Security Support Engineer, dedicated to edge protection (ISA Server and then TMG). In 2010 Yuri co-wrote the Forefront Administrator's Companion and three other Forefront books in partnership with Tom Shinder. During this time Yuri also wrote articles for his own blog (blogs.technet.com/yuridiogenes), TechNet Magazine, ISSA Journal and other security magazines in Brazil.
Nowadays Yuri Diogenes works as a Senior Technical Writer in the Server and Cloud division's Information Experience Team, where he writes articles about cloud infrastructure with security functionality baked in. In his current role he also delivers presentations at public events such as TechEd US, Europe and Brazil and at internal Microsoft conferences such as TechReady. Yuri is currently working on his Master's degree in Cybersecurity Intelligence & Forensics at UTICA while also writing the second edition of his Security+ book (in Portuguese). Yuri holds several industry certifications, including CISSP, E|CEH, E|CSA, CompTIA Security+, CompTIA Cloud Essentials Certified, CompTIA Network+, CASP, MCSE, MCTS, MCT and many other Microsoft certifications. You can follow Yuri Diogenes on Twitter at @yuridiogenes.
Windows Server 2012 Security from End to Edge and Beyond shows you how to architect, design, plan, and deploy Microsoft security technologies for Windows 8/Server 2012 in the enterprise. The book covers security technologies that apply to both client and server and enables you to identify and deploy Windows 8 security features in your systems based on different business and deployment scenarios. The book is a single source for learning how to secure Windows 8 in many systems, including core, endpoint, and anywhere access. Authors Tom Shinder and Yuri Diogenes, both Microsoft employees, bring you insider knowledge of the Windows 8 platform, discussing how to deploy Windows security technologies effectively in both the traditional datacenter and in new cloud-based solutions. With this book, you will understand the conceptual underpinnings of Windows 8 security and how to deploy these features in a test lab and in pilot and production environments. The book's revolutionary "Test Lab Guide" approach lets you test every subject in a predefined test lab environment. This, combined with conceptual and deployment guidance, enables you to understand the technologies and move from lab to production faster than ever before. Critical material is also presented in key concepts and scenario-based approaches to evaluation, planning, deployment, and management. Videos illustrating the functionality in the Test Lab can be downloaded from the authors' blog http://blogs.technet.com/b/security_talk/. Each chapter wraps up with a bullet list summary of key concepts discussed in the chapter.
- Provides practical examples of how to design and deploy a world-class security infrastructure to protect both Windows 8 and non-Microsoft assets on your system
- Written by two Microsoft employees who provide an inside look at the security features of Windows 8
- Test Lab Guides enable you to test everything before deploying live to your system
Planning Server Role in Windows Server 2012
Contents
Server Role and Security Considerations
Using Security Configuration Wizard to Harden the Server
Using Server Manager to Add a New Role or Feature
Using Security Compliance Manager to Harden Servers
Chapter Points
Server Roles and Security Considerations
Using Server Manager to Add a new Role
Using Security Compliance Manager to Harden Servers
Server Role and Security Considerations
For many years, security professionals have been very focused on hardening servers and workstations to reduce the attack surface. This is without doubt an important item to include on your checklist. However, before hardening a server, you need to understand the role that server plays in your overall infrastructure. Ask yourself the questions below before you start any implementation:
What role will this server play on your network (e.g., file server or domain controller)?
Who (groups, users) will have access to this server?
Do you have a template for this type of server role?
What are the services that must be running on this server?
Which protocols and ports should be open on the firewall to support the server workloads?
Random hardening templates applied to servers without first defining the server's role will cause more problems than benefits. The server might be very secure because many services were disabled and permissions and privileges were removed, but it might no longer be capable of providing the services that users need. When this happens, you have just broken one of the three security pillars: availability.
A lack of server role planning and the wrong approach to hardening can lead to other problems as well. You must verify that the hardening you are applying to the server is supported by the vendor. You cannot simply take a series of scripts found on the Internet, apply them to the server, and assume that is the right way to do things, because there is something called a supportability statement. Each vendor has its own supportability statement describing the extent to which it supports a hardened configuration of its product.
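The questions above only help if the answers are written down before any template touches the server, and the availability warning only becomes testable if the "before" state can be compared with the "after" state. The following PowerShell script is an added example, not code from the book or its authors: it records the installed roles, running services, listening ports (with the owning process) and enabled inbound firewall rules of a Windows Server 2012 or later machine, and compares two such snapshots so that a required service or port that disappeared during hardening shows up immediately. The output folder and the snapshot tags are assumptions for illustration.

```powershell
# Added example, not from the book: record a server's pre-hardening baseline so that the
# answers to "which services must be running?" and "which ports must be open?" are written
# down before any template is applied, and so a second run after hardening can be diffed
# against the first. Assumes Windows Server 2012 or later (PowerShell 3.0, NetTCPIP and
# NetSecurity modules). The output folder is an assumption for illustration.

function Export-ServerBaseline {
    param(
        [string]$OutDir = 'C:\Baseline',
        [string]$Tag    = (Get-Date -Format 'yyyyMMdd-HHmm')
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    # Roles and features actually installed: "what role does this server play?"
    Get-WindowsFeature | Where-Object { $_.Installed } |
        Select-Object Name, DisplayName |
        Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "features-$Tag.csv")

    # Running services with start mode and logon account: "what must be running?"
    Get-CimInstance Win32_Service | Where-Object State -eq 'Running' |
        Select-Object Name, DisplayName, StartMode, StartName | Sort-Object Name |
        Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "services-$Tag.csv")

    # Listening TCP and UDP endpoints mapped to the owning process: "which ports?"
    $owner = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName }
    $tcp = Get-NetTCPConnection -State Listen |
        Select-Object @{n='Protocol';e={'TCP'}}, LocalAddress, LocalPort, @{n='Process';e=$owner}
    $udp = Get-NetUDPEndpoint |
        Select-Object @{n='Protocol';e={'UDP'}}, LocalAddress, LocalPort, @{n='Process';e=$owner}
    @($tcp) + @($udp) | Sort-Object Protocol, LocalPort |
        Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "listeners-$Tag.csv")

    # Enabled inbound firewall rules, to compare with what the role's SCW knowledge base lists
    Get-NetFirewallRule -Enabled True -Direction Inbound |
        Select-Object Name, DisplayName, Profile, Action |
        Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "fwrules-$Tag.csv")

    return $Tag
}

# Compare two baselines: '<=' rows exist only in the "before" set, i.e. were removed by
# hardening. A required service or port in that list is the availability break the text warns about.
function Compare-ServerBaseline {
    param(
        [Parameter(Mandatory)][string]$Before,
        [Parameter(Mandatory)][string]$After,
        [string]$OutDir = 'C:\Baseline'
    )
    foreach ($set in 'services', 'listeners', 'fwrules') {
        $b = @(Import-Csv (Join-Path $OutDir "$set-$Before.csv"))
        $a = @(Import-Csv (Join-Path $OutDir "$set-$After.csv"))
        $key = if ($set -eq 'listeners') { 'Protocol', 'LocalPort' } else { 'Name' }
        "== $set =="
        Compare-Object -ReferenceObject $b -DifferenceObject $a -Property $key |
            Format-Table -AutoSize
    }
}

# Usage:
#   $before = Export-ServerBaseline
#   ... apply the hardening policy ...
#   $after  = Export-ServerBaseline
#   Compare-ServerBaseline -Before $before -After $after
```

Keep the "before" CSVs with the server's role template: they are the evidence of what the role needs, and the same comparison run against the vendor's supportability statement tells you whether a difference is a finding or an unsupported change.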
Note
For a real example of a hardening that broke a system and was done in a nonsupported manner, read this post http://blogs.technet.com/b/yuridiogenes/archive/2008/09/11/hardening-isa-server-in-a-supported-manner.aspx.
In Windows Server 2012, the recommended way to harden a server is to use either the Security Configuration Wizard or Security Compliance Manager. The Security Configuration Wizard (SCW) enables you to create, edit, apply, or roll back a security policy on a particular server. You can use Group Policy to apply the security policy to multiple target servers that perform the same role. Security Compliance Manager (SCM) is presented later in this chapter.
Using Security Configuration Wizard to Harden the Server
To apply a security policy to a server using SCW, read the scenario below and then follow the steps:
Scenario
Tom has just received a request to prepare a new file server for EndtoEdge.com International. He noticed that the company does not yet have a template for this type of role, so he decided to use this new server to create one. He has gathered all the necessary information about who will access the server and which services should be available to those users, and he is ready to deploy it. The core requirements are:
Clients must be able to access the files while working offline.
This server belongs to an OU (Organizational Unit) that has a policy to install applications remotely.
Administrators must be able to access this server remotely using RDP.
Administrators must be able to administer this server using remote administrative tools (including Windows Firewall administration and Event Viewer).
It is on the roadmap to install a new Network Interface Card (NIC) on this server to enable NLB, and administrators must be able to manage that remotely.
All successful activities must be audited.
Important
Before running the Security Configuration Wizard to configure the server's role, you need to install the role first using Server Manager. SCW will not install a role automatically; it only performs the hardening on top of the installed role.
Implementation steps: follow the steps below to create a new template and apply it to the File Server.
1. In Server Manager, click Tools and then click Security Configuration Wizard, as shown in Figure 2.1.
Figure 2.1 Launching Security Configuration Wizard.
2. The Security Configuration Wizard opens; click Next on the Welcome to the Security Configuration Wizard page.
3. On the Configuration Action page, select the option Create a new security policy as shown in Figure 2.2 and click Next.
Figure 2.2 Creating a new security policy.
4. On the Select Server page, type the name of the server that will be used as the baseline for this security policy in the Server field, as shown in Figure 2.3 (by default it chooses the local server's name), and click Next.
Figure 2.3 Selecting the server to be used as baseline for this security policy.
5. Depending on the configuration of the server, a progress gauge appears on the Processing Security Configuration Database page for a moment. Once it finishes, you can view the configuration by clicking View Configuration Database. The SCW Viewer appears, and a Windows Security Warning dialog box asks whether you want to enable the ActiveX control; click Yes.
6. Expand the Server Roles node and scroll down until you see the File Server role. Expand it and read the description, as shown in Figure 2.4.
Figure 2.4 Explanation of the role, the services required, and the firewall rules.
Note
The XML files used to build these pages are located at %Systemroot%\Security\Msscw\KBs.
7. This description gives you an idea of which services must be running and which firewall rules should be enabled for the role to work properly. After reviewing those details, close this window. On the Processing Security Configuration Database page, click Next.
8. On the Role-Based Service Configuration page, click Next.
9. On the Select Server Roles page, review the role selection that the wizard made automatically. You may select additional roles or unselect roles that are not applicable to this server. For this particular example, the selections shown in Figure 2.5 are the ones applicable to a File Server. Once you finish reviewing the selection and making any changes, click Next.
Figure 2.5 Selecting the roles that this server performs.
10. On the Select Client Features page, review the feature selection that the wizard made automatically. You may select additional features or unselect features that are not applicable to this server. For this particular example, the selections shown in Figure 2.6 are the ones applicable to a File Server. Once you finish reviewing the selection and making any changes, click Next.
Figure 2.6 Selecting the client features that this server uses.
11. On the Select Administration and Other Options page, you can select additional options that this server might use. This is the point at which you should review your checklist to understand the server's requirements and whether it needs any of those options enabled in order to work properly. The table below shows the requirements for this particular scenario and which options should be enabled on this page:
12. On the Select Administration and Other Options page, click the View drop-down box and select the category (according to the table above). Once you select the correct category, make the selection indicated in the Options column of the table above. Figure 2.7 shows the Remote Administration category with the selections from the Options column. Once you finish...
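The wizard walkthrough above has a scripted counterpart in scwcmd.exe, the command-line front end that ships with SCW, which is what you would use to repeat the policy on every server with the same role and to satisfy the rollback requirement in the Important note. The PowerShell script below is an added example, not code from the book or its authors. It installs the File Server role first (SCW never installs roles), runs an analysis of the live server against a policy the wizard saved, applies the policy, checks that file sharing is still reachable and rolls back if it is not, and finally transforms the policy into a GPO linked to the OU that holds this role. The policy file path (SCW's default policy folder is %windir%\security\msscw\Policies), the server name, the OU and the GPO name are fictitious; the GroupPolicy module (GPMC feature) and domain administrator rights are assumed. Note that SCW and scwcmd were removed in Windows Server 2016, so this applies to Windows Server 2012 and 2012 R2.

```powershell
# Added example, not from the book: scripted counterpart to the SCW wizard procedure using
# scwcmd.exe. Assumptions: FileServer.xml was saved by the wizard to SCW's default policy
# folder; FS01, the OU and the GPO name are fictitious; GPMC is installed for the GroupPolicy
# module; the script runs as a domain admin. SCW/scwcmd exist on Windows Server 2012/2012 R2
# only (removed in Windows Server 2016).

param(
    [string]$Target     = 'FS01',
    [string]$PolicyPath = "$env:windir\security\msscw\Policies\FileServer.xml",
    [string]$GpoName    = 'Hardening - File Server',
    [string]$OuDn       = 'OU=FileServers,DC=endtoedge,DC=com',
    [string]$ReportDir  = 'C:\SCW\Reports'
)
$ErrorActionPreference = 'Stop'

function Invoke-Scw {
    # Run one scwcmd verb and fail loudly; scwcmd reports errors only through its exit code.
    param([string]$Verb, [string[]]$Arguments)
    & "$env:windir\system32\scwcmd.exe" $Verb @Arguments
    if ($LASTEXITCODE -ne 0) { throw "scwcmd $Verb failed with exit code $LASTEXITCODE" }
}

function Test-FileServiceReachable {
    # The availability check the text calls for: Server service running and SMB (445) open.
    param([string]$ComputerName)
    $svc = (Get-Service -ComputerName $ComputerName -Name LanmanServer).Status -eq 'Running'
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($ComputerName, 445); $smb = $client.Connected }
    catch { $smb = $false }
    finally { $client.Close() }
    return ($svc -and $smb)
}

# 1. Role first, hardening second: SCW only reasons about roles that are installed.
Install-WindowsFeature -Name FS-FileServer -IncludeManagementTools -ComputerName $Target | Out-Null

# 2. Dry run: report what the policy would change on the live server without applying it.
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
Invoke-Scw analyze @("/p:$PolicyPath", "/m:$Target", "/o:$ReportDir")
$result = Get-ChildItem -Path $ReportDir -Filter '*.xml' |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
# Render the XML result with the stylesheet SCW ships for analysis output.
Invoke-Scw view @("/x:$($result.FullName)", "/s:$env:windir\security\msscw\TransformFiles\scwanalysis.xsl")

# 3. Apply the policy, then prove the role still works; roll back if it does not.
Invoke-Scw configure @("/p:$PolicyPath", "/m:$Target")
if (-not (Test-FileServiceReachable -ComputerName $Target)) {
    Write-Warning "File sharing on $Target is no longer reachable; rolling the policy back."
    Invoke-Scw rollback @("/m:$Target")
    return
}

# 4. Scale out: convert the policy to a GPO and link it to the OU that holds this role.
Invoke-Scw transform @("/p:$PolicyPath", "/g:$GpoName")
Import-Module GroupPolicy
New-GPLink -Name $GpoName -Target $OuDn -LinkEnabled Yes | Out-Null
```

Run the analyze step on its own first and read the rendered report before you let the script reach configure: the report lists every service that would be disabled and every firewall rule that would be removed, which is exactly the list to check against the scenario requirements (offline files, RDP, remote firewall and Event Viewer administration, NLB management) before anything changes on the server.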
Publication date (per publisher) | 18.4.2013 |
---|---|
Language | English |
Subject area | Computer Science ► Operating Systems / Servers ► Windows |
Computer Science ► Operating Systems / Servers ► Windows Server | |
Computer Science ► Networks ► Security / Firewall | |
ISBN-10 | 1-59749-981-1 / 1597499811 |
ISBN-13 | 978-1-59749-981-1 / 9781597499811 |
Size: 52.4 MB
Copy protection: Adobe DRM
Adobe DRM is a copy-protection scheme intended to prevent misuse of the eBook. At download time the eBook is authorized to your personal Adobe ID, and you can then read it only on devices that are also registered to that Adobe ID.
File format: PDF (Portable Document Format)
With its fixed page layout, PDF is particularly suited to technical books with columns, tables and figures. A PDF can be displayed on almost any device but is only of limited use on small displays (smartphone, eReader).
System requirements:
PC/Mac: You can read this eBook on a PC or Mac.
eReader: This eBook can be read on (almost) all eBook readers, but it is not compatible with the Amazon Kindle.
Smartphone/Tablet: Whether Apple or Android, you can read this eBook.
Additional feature: online reading
In addition to downloading it, you can also read this eBook online in your web browser.
Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.
Size: 10.2 MB
Copy protection: Adobe DRM
File format: EPUB (Electronic Publication)
EPUB is an open standard for eBooks and is particularly suited to fiction and non-fiction. The text reflows dynamically to the display and font size, so EPUB also works well on mobile reading devices.