Planning and Administering Windows Server ® 2008 Servers
Mar 26, 2015
Planning and Administering Windows
Server® 2008 Servers
Module 5: Managing Windows Server 2008 Security
• Planning a Defense-in-Depth Strategy
• Implementing Host-Level Security for Windows Server 2008
• Implementing Network Security for Windows Server 2008
Lesson: Planning a Defense-in-Depth Strategy
• Characteristics of a Defense-in-Depth Strategy
• Layers in a Defense-in-Depth Strategy
Characteristics of a Defense in Depth Strategy
A robust defense-in-depth strategy includes:A robust defense-in-depth strategy includes:
A security risk management framework
Identity and access management policies
Network protection
Update management
Education
Incident response
Continual reassessment and optimization
A security risk management framework
Identity and access management policies
Network protection
Update management
Education
Incident response
Continual reassessment and optimization
Layers in a Defense-in-Depth Strategy
Policies and proceduresPolicies and procedures
Physical securityPhysical security
Perimeter defensesPerimeter defenses
Network defensesNetwork defenses
Host defensesHost defenses
Application defensesApplication defenses
Data defensesData defenses
Lesson: Implementing Host-Level Security for Windows Server 2008
• Assigning Administrative Permissions
• Windows Server 2008 Firewall Configuration
• Implementing Security Policies
• Implementing Security Templates
• Converting Security Configuration Wizard Settings to Security Templates
Assigning Administrative Permissions
• Principle of least privilege Identify administrative permissions or
privileges required Grant only those permissions or privileges
• Granting privileges Factors affecting decision Relinquishing rights
• Principle of least privilege Identify administrative permissions or
privileges required Grant only those permissions or privileges
• Granting privileges Factors affecting decision Relinquishing rights
Windows Server 2008 Firewall Configuration
• Direction
• Port
• Program
• Protocol
• Source IP address
• Destination IP address
• Connection security rule
• Direction
• Port
• Program
• Protocol
• Source IP address
• Destination IP address
• Connection security rule
Implementing Security Policies
Security Configuration Wizard template settings include:
• Server roles
• Client features
• Additional services
• Firewall rules
• Authentication options
• Audit policy
Security Configuration Wizard template settings include:
• Server roles
• Client features
• Additional services
• Firewall rules
• Authentication options
• Audit policy
Implementing Security Templates
• Built-in templates Configure default security settings or
recommended values
• Built-in templates Configure default security settings or
recommended values
• Microsoft templates Download additional templates with
security guides
• Microsoft templates Download additional templates with
security guides
• Custom templates Security Templates MMC snap-in Security Configuration and Analysis MMC
snap-in
• Custom templates Security Templates MMC snap-in Security Configuration and Analysis MMC
snap-in
Converting Security Configuration Wizard Settings to Security Templates
Convert SCW security policies directly to GPOsConvert SCW security policies directly to GPOs
Scwcmd.exe transform /p:SCWpolicyname.xml /g:GPOnameScwcmd.exe transform /p:SCWpolicyname.xml /g:GPOname
Lesson: Implementing Network Security for Windows Server 2008
• Windows Server 2008 Server Locations
• Options for Network Security
• Recommendations for Implementing Windows Server 2008 Server Core
Windows Server 2008 Server Locations
• Perimeter network
• Bastion host
• Internal
• Segmented networks
• Perimeter network
• Bastion host
• Internal
• Segmented networksSegmented networks
Segmented networks
Perimeter Network
Perimeter Network
InternalInternal
Bastion hostBastion host
Options for Network Security
Requirement Security Measures
Secure Network Access
• Physical security
• 802.1x authentication
• Network segmentation
• Firewalls
• Network Access Protection (NAP)
Secure Network Traffic
• Network segmentation
• Firewalls
• IPSec
Server Core enables you to install roles without additional services or the GUI
Server Core enables you to install roles without additional services or the GUI
Recommendations for Implementing Windows Server 2008 Server Core
• AD DS
• AD LDS
• DHCP
• DNS
• File Server
• Print Server
• IIS
• Streaming Media
• AD DS
• AD LDS
• DHCP
• DNS
• File Server
• Print Server
• IIS
• Streaming Media
ExtranetExtranet
Perimeter network
Perimeter network
Lab: Managing Windows Server 2008 Security
• Exercise 1: Planning a Windows Server 2008 Security Configuration
• Exercise 2: Implementing File Server Security
Logon information
Virtual machine6430A-NYC-DC1-05
6430A-NYC-SVR1-05
User name Woodgrovebank\Administrator
Password Pa$$w0rd
Estimated time: 45 minutes
Module Review and Takeaways
• Review Questions
• Best Practices
• Tools