Windows 2003 SP1 Member Server in ASU Active Directory

WNUG/CCC
February 2, 2006

Sharon Bushart
CLAS Information Technology



Agenda

- Discussion
- Share knowledge / experience
- Tools / Utilities
- Resources
- Presentation will be posted on the WNUG web page: http://www.asu.edu/it/ag/wnug/

Goals

- Best Practices documents: W2K3 SP1 Best Practices v2.doc
- FAQs
- Tip sheets
- Checklists

CLAS IT / Behavioral Sciences Computing

- 2 Schools, with another in Fall 2006
- 3 Departments, 5 Units/Centers
- 14 Buildings
- 1200 client systems
- 20 servers

Preparation

- System is NOT on the network
- Register IP address & DNS name
- License product key
- Download service pack, hot fixes, etc.
- Hardware drivers
- Antivirus software plus latest SDAT
- Documentation

Local Admin Accounts

- Create new account(s)
- Add new account(s) to the local Administrators group
- Log on with the new admin account
- Rename the default Administrator and Guest accounts
- Disable the default Administrator account
- Do not include AD groups in the local Administrators group; use Run As instead
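The local-account steps above, as an added example that is not part of the original presentation. It assumes a Windows Server 2003 SP1 member server with Windows PowerShell (2.0 or later) in an elevated session, run while the server is still off the network; the account names 'svradmin', 'lcladmin-unused' and 'lclguest-unused' are placeholders. It finds the built-in accounts by RID rather than by name, and finishes with the check the last bullet implies: nothing from the domain sits in the local Administrators group.

```powershell
# Added example (not from the original presentation). Assumes Windows Server 2003 SP1 with
# Windows PowerShell (2.0 or later) in an elevated session, run while the server is still off
# the network. 'svradmin' and the renamed account names below are placeholders.

$computer = $env:COMPUTERNAME
$newAdmin = 'svradmin'                                   # assumed name
$secure   = Read-Host -AsSecureString "Password for $newAdmin"
$bstr     = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$password = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# 1. Create the account and add it to the local Administrators group (WinNT ADSI provider).
$machine = [ADSI]"WinNT://$computer"
$user = $machine.Create('User', $newAdmin)
$user.SetPassword($password)
$user.SetInfo()
$admins = [ADSI]"WinNT://$computer/Administrators,group"
$admins.Add("WinNT://$computer/$newAdmin,user")

# 2. Find the built-in accounts by RID rather than by name: Administrator is always RID 500
#    and Guest RID 501, whatever they have been renamed to. Renaming is a speed bump only,
#    since the RID stays discoverable; that is why step 3 also disables the account.
$ridAdmin = (Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE '%-500'").Name
$ridGuest = (Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE '%-501'").Name

# 3. Rename both, then disable the built-in Administrator.
$adminEntry = [ADSI]"WinNT://$computer/$ridAdmin,user"
$adminEntry.psbase.Rename('lcladmin-unused')             # assumed new name
$adminEntry.psbase.InvokeSet('AccountDisabled', $true)
$adminEntry.psbase.CommitChanges()
$guestEntry = [ADSI]"WinNT://$computer/$ridGuest,user"
$guestEntry.psbase.Rename('lclguest-unused')             # assumed new name

# 4. Check: local Administrators should hold only local principals (the new account and the
#    disabled RID 500). Any member whose ADsPath is not WinNT://<this computer>/... is a
#    domain user or group and should come out in favour of Run As.
$members = @($admins.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) })
$members
$domainMembers = $members | Where-Object { $_ -notlike "WinNT://$computer/*" }
if ($domainMembers) { Write-Warning "Domain principals in local Administrators: $domainMembers" }
```

Run it once per server and keep the password out of the script; the SecureString prompt is there so the password never lands in a command history or a file.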

Install …

- Hardware drivers
- Anti-virus software with latest SDAT
- Tools, utilities
- Windows Automatic Update: notify, but do not automatically download or install

Drive Management

Firewall

- System is still NOT on the network
- Firewall should be ON
- Open only the ports that are necessary
- Port information:
  - http://www.iana.org/
  - http://www.securitystats.com/tools/portsearch.php
  - http://support.microsoft.com/default.aspx?scid=kb;en-us;832017 (Service Overview & Network Port Requirements for the Windows Server System, 10/31/05)
  - Macs: http://www.opendoor.com/doorstop/ports.html

Firewall (continued)

Screenshot slides of the Windows Firewall configuration: Firewall; Firewall (continued); Add Port Information; Logging Options; Firewall – Default Services; Firewall – Add Service.

Firewall – Service & Ports

Description               Protocol     Port
AD Authentication         TCP          1025
DNS                       TCP & UDP    53
Kerberos                  TCP & UDP    88
LDAP                      TCP & UDP    389
File Sharing              TCP & UDP    445
Network Time Protocol     UDP          123
NetBIOS                   TCP          139

Notes: TCP 1025 is the first port of the dynamic RPC range (1025-5000 on Windows Server 2003); Netlogon/NTLM RPC traffic can land on any port in that range unless the range is restricted. NTP (W32Time) uses UDP 123 only. Windows Firewall in Windows Server 2003 SP1 filters inbound traffic only, so these exceptions govern connections made to the member server; its own outbound calls to the domain controllers need no exception, and the replies pass through the stateful filter.

Firewall – Service & Ports Example (screenshot)
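The firewall slides above as one script, added here as an example that is not from the original presentation. It assumes Windows Server 2003 SP1 with the built-in Windows Firewall, Windows PowerShell (2.0 or later) in an elevated session, and a server still off the network; the address scope '10.0.0.0/24,LocalSubnet' is a placeholder for the campus ranges that should reach the server. It turns the firewall on, adds the exceptions from the Service & Ports table scoped to those addresses rather than to everyone, enables logging, and prints the resulting configuration for review.

```powershell
# Added example (not from the original presentation). Assumes Windows Server 2003 SP1 with the
# built-in Windows Firewall, Windows PowerShell (2.0 or later) in an elevated session, and that
# the server is still off the network. '10.0.0.0/24' stands in for the campus range(s) that
# should reach this server; edit it before use.

$allowedFrom = '10.0.0.0/24,LocalSubnet'           # assumed scope (netsh also accepts addr/mask)

# Services and ports from the Service & Ports table. TCP 1025 is the first port of the
# dynamic RPC range (1025-5000 on Windows Server 2003); NTP (W32Time) uses UDP 123 only.
$services = @(
    @{ Name = 'RPC-1025'; Protocols = @('TCP');       Port = 1025 },
    @{ Name = 'DNS';      Protocols = @('TCP','UDP'); Port = 53   },
    @{ Name = 'Kerberos'; Protocols = @('TCP','UDP'); Port = 88   },
    @{ Name = 'LDAP';     Protocols = @('TCP','UDP'); Port = 389  },
    @{ Name = 'SMB';      Protocols = @('TCP','UDP'); Port = 445  },
    @{ Name = 'NTP';      Protocols = @('UDP');       Port = 123  },
    @{ Name = 'NetBIOS';  Protocols = @('TCP');       Port = 139  }
)

# 1. Firewall on for both the domain and standard profiles, exceptions allowed.
& netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

# 2. One exception per service/protocol, scoped to the allowed addresses instead of 'ALL'.
#    Windows Firewall on 2003 SP1 filters inbound only: these entries govern connections made
#    TO this server. Its own calls to the DCs (LDAP, Kerberos, DNS) need no exception; the
#    replies pass through the stateful filter.
foreach ($svc in $services) {
    foreach ($proto in $svc.Protocols) {
        $netshArgs = @('firewall', 'add', 'portopening',
                       "protocol=$proto", "port=$($svc.Port)", "name=$($svc.Name)-$proto",
                       'mode=ENABLE', 'scope=CUSTOM', "addresses=$allowedFrom", 'profile=ALL')
        & netsh $netshArgs
    }
}

# 3. Logging: dropped packets and successful connections, 4 MB file, so the first days on the
#    network show what was blocked and what connected.
& netsh firewall set logging "filelocation=$env:windir\pfirewall.log" maxfilesize=4096 droppedpackets=ENABLE connections=ENABLE

# 4. Review before the cable goes in: anything listed that is not in the table is a mistake.
& netsh firewall show state
& netsh firewall show portopening
& netsh firewall show logging
```

Scoping every exception to the campus ranges is the point of the loop: `scope=ALL` is the dialog's default, and a server that only needs to talk to domain members and its users has no reason to accept SMB or RPC from the whole Internet.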

TCP/IP

TCP/IP – DNS

- Add DNS servers
- Append DNS suffixes
- Uncheck Register …

TCP/IP – WINS

- Add WINS servers
- Depends on clients

Default Share Permission

Revised Share Permission

NTFS Permissions

Security Policy

- Includes access rights, security options, account lockout, etc.
- Two methods for changing the Local Security Policy:
  - Administrative Tools | Local Security Policy
  - Group Policy Object Editor

Security Policy – Audit

Audit Policy                Default    MemSvr
Account logon events        S          S/F
Account management          NA         S/F
Directory service access    NA         
Logon events                S          S/F
Object access               NA         
Policy change               NA         S/F
Privilege use               NA         
Process tracking            NA         
System events               NA         S/F

(S = success, S/F = success and failure, NA = no auditing; a blank MemSvr entry is left at the default.)

Security Policy – Audit (continued)

- Microsoft articles on audit policy: KB 174074 (Security Event Descriptions); KB 274176 (Service Account Logon Events)
- Events & Error Message Center: http://www.microsoft.com/technet/support/ee/ee_advanced.aspx
- GPO Editor: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy

Security Policy – User Rights

- Access this computer from the network: remove Everyone; remove Authenticated Users; add the appropriate OU groups. Keep Administrators in this right, or remote administration of the server (administrative shares, remote Event Viewer, remote MBSA scans) stops working.
- Allow log on locally: Administrators only
- GPO Editor: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Security Policy – Security Options

- Do not display last user name: default Disabled; set to Enabled
- Message text for users attempting to log on:

  WARNING! You are accessing a computer protected by federal and state law and ASU policies. By using this system you agree to comply with these laws and policies, including ACD 125 (Computer, Internet and Electronic Communications Policy) and you consent to system monitoring for law enforcement, administrative and other purposes. Unauthorized use of this computer system may subject you to criminal prosecution, civil liability and University sanctions.

Security Policy – Security Options (continued)

- Do not allow anonymous enumeration of SAM accounts and shares: default Disabled; set to Enabled
- LAN Manager authentication level: Send LM & NTLM – use NTLMv2 session security if negotiated. This is the compatibility setting, not the hardened one: the server still sends LM and NTLM responses. Levels from "Send NTLMv2 response only" upward stop sending LM and should be tested once the clients that use the server all support NTLMv2.
- GPO Editor: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
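The audit policy, user rights and security options from the last few slides can be applied in one pass with a security template rather than clicked through the snap-in. The script below is an added example, not from the original presentation or the ASU best-practices document. It assumes Windows Server 2003 SP1 with Windows PowerShell (2.0 or later) in an elevated session; 'ASU\CLAS-Servers-Users' and the banner caption 'ASU Computer Use Notice' are placeholders. The template reproduces the MemSvr column of the audit table, the two user rights, and the three security options, then exports the effective policy so the result can be checked.

```powershell
# Added example (not from the original presentation). Assumes Windows Server 2003 SP1 with
# Windows PowerShell (2.0 or later) in an elevated session. 'ASU\CLAS-Servers-Users' is a
# placeholder for the OU group(s) allowed to reach this server over the network.

$ouGroups = @('ASU\CLAS-Servers-Users')           # assumed group name(s); edit for your OU

# [Privilege Rights] takes SIDs prefixed with '*', not names. Resolving up front makes a typo
# fail here instead of silently producing an empty right.
function Resolve-Sid([string]$account) {
    $nt = New-Object System.Security.Principal.NTAccount($account)
    '*' + $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}
# Keep BUILTIN\Administrators (S-1-5-32-544); dropping it breaks remote administration.
$networkLogon = @('*S-1-5-32-544') + @($ouGroups | ForEach-Object { Resolve-Sid $_ })

$banner = 'WARNING! You are accessing a computer protected by federal and state law and ASU ' +
          'policies. By using this system you agree to comply with these laws and policies, ' +
          'including ACD 125 (Computer, Internet and Electronic Communications Policy) and you ' +
          'consent to system monitoring for law enforcement, administrative and other purposes. ' +
          'Unauthorized use of this computer system may subject you to criminal prosecution, ' +
          'civil liability and University sanctions.'

# [Event Audit] values: 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
# [Registry Values] type prefixes: 4 = REG_DWORD. RestrictAnonymous=1 is "Do not allow anonymous
# enumeration of SAM accounts and shares"; LmCompatibilityLevel=1 is "Send LM & NTLM - use
# NTLMv2 session security if negotiated".
$inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Event Audit]
AuditAccountLogon = 3
AuditAccountManage = 3
AuditDSAccess = 0
AuditLogonEvents = 3
AuditObjectAccess = 0
AuditPolicyChange = 3
AuditPrivilegeUse = 0
AuditProcessTracking = 0
AuditSystemEvents = 3
[Privilege Rights]
SeNetworkLogonRight = $([string]::Join(',', $networkLogon))
SeInteractiveLogonRight = *S-1-5-32-544
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,1
"@

$work = Join-Path $env:TEMP 'memsvr'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf | Set-Content -Path "$work\memsvr.inf" -Encoding Unicode

# Apply only the audit-policy/security-option and user-rights areas of the template.
& secedit /configure /db "$work\memsvr.sdb" /cfg "$work\memsvr.inf" /areas SECURITYPOLICY USER_RIGHTS /log "$work\memsvr.log" /quiet

# The logon banner contains commas, which the INF [Registry Values] syntax treats as
# separators, so it is written directly to the policy key (REG_SZ, as the snap-in does).
$sysPol = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $sysPol -Name LegalNoticeCaption -Value 'ASU Computer Use Notice'   # assumed caption
Set-ItemProperty -Path $sysPol -Name LegalNoticeText    -Value $banner

# Check: export the effective policy and read back the settings that matter.
& secedit /export /cfg "$work\effective.inf" /areas SECURITYPOLICY USER_RIGHTS /log "$work\export.log"
Get-Content "$work\effective.inf" |
    Select-String 'AuditAccountLogon|AuditLogonEvents|SeNetworkLogonRight|SeInteractiveLogonRight|RestrictAnonymous=|LmCompatibilityLevel'
```

Once the OU groups and the LM level are settled, the same INF can be imported into a GPO linked to the servers' OU so the settings are enforced rather than set once per machine. Note that LmCompatibilityLevel=1 still sends LM responses; raising it to 3 or higher is the hardening step to test after the clients are known to support NTLMv2.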

Security Test

- Microsoft Baseline Security Analyzer (MBSA): http://www.microsoft.com/technet/security/tools/mbsahome.mspx
- Security Configuration Wizard: included with SP1; configures the server based on its role
- Review the output & adjust if necessary
- Connect the server to the network
- Windows Update
- Anti-virus update
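A check to run at the "connect the server to the network" step, added as an example that is not part of the original presentation. It assumes Windows PowerShell (2.0 or later) and uses 'dc1.asu.edu' as a placeholder domain controller name. The first half confirms the member server can reach a domain controller on the TCP ports it depends on (a failure here usually means a network-side filter, since the Windows Firewall does not block outbound); the second half lists every local TCP listener against the port table from the Firewall slides, so that anything listening that was not planned for gets explained before the server goes into service.

```powershell
# Added example (not from the original presentation). Run once the server is on the network.
# 'dc1.asu.edu' is a placeholder domain controller; Windows PowerShell 2.0 or later assumed.

$dc = 'dc1.asu.edu'                                  # assumed
$dcPorts = @{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP'; 445 = 'SMB' }

# TCP reachability with a timeout, so a filtered port fails in 2 s instead of hanging.
# UDP (Kerberos, DNS, NTP) cannot be checked this way; use portqry -p udp for those.
function Test-TcpPort([string]$computer, [int]$port, [int]$timeoutMs = 2000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($computer, $port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($timeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

foreach ($port in ($dcPorts.Keys | Sort-Object)) {
    $ok = Test-TcpPort $dc $port
    "{0,-22} TCP {1,5} -> {2}" -f $dcPorts[$port], $port, $(if ($ok) { 'open' } else { 'BLOCKED' })
}

# Local listeners versus the firewall exception table. A listener not in the allowed list is
# either correctly blocked inbound by the firewall or an unexpected service; either way it
# should be explained before the server goes into production.
$allowed = 53, 88, 123, 139, 389, 445, 1025          # ports from the Service & Ports slide
netstat -ano -p tcp | Select-String 'LISTENING' | ForEach-Object {
    $f = $_.Line.Trim() -split '\s+'                 # Proto, Local, Foreign, State, PID
    $port = [int]($f[1].Split(':')[-1])
    New-Object PSObject -Property @{
        Port    = $port
        Local   = $f[1]
        Process = (Get-Process -Id ([int]$f[4]) -ErrorAction SilentlyContinue).ProcessName
        Allowed = ($allowed -contains $port)
    }
} | Sort-Object Port | Format-Table Port, Local, Process, Allowed -AutoSize
```

Port Reporter and PortQry (listed under Microsoft Tools) do the same two jobs with more detail; this script is the quick version to run right after the cable goes in and again after Windows Update, since updates and new software can add listeners.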

Microsoft Tools

- Administration Tool Pack: http://technet2.microsoft.com/WindowsServer/en/Library/57adeda2-3e00-4d5e-9b01-cf2bf256912d1033.mspx
- Group Policy Management Console: http://www.microsoft.com/windowsserver2003/gpmc/default.mspx
- Port Reporter: http://support.microsoft.com/?id=837243
- PortQry: http://support.microsoft.com/default.aspx?kbid=832919

Microsoft Documents

- Windows Server 2003 Security Guide: http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx
- Threats & Countermeasures: Security Settings in Windows Server 2003 & Windows XP: http://www.microsoft.com/technet/security/topics/serversecurity/tcg/tcgch00.mspx
- Security Risk Management Guide: http://www.microsoft.com/technet/security/topics/policiesandprocedures/secrisk/default.mspx
- Other documents: Administrator Accounts Security Planning Guide; Services & Service Accounts Security

Reference Material

- Microsoft TechNet: http://technet.microsoft.com/default.aspx; http://www.microsoft.com/technet/security/default.mspx; http://www.microsoft.com/technet/security/current.aspx
- Center for Internet Security: http://www.cisecurity.org/
- SANS: http://sans.org/
- Trial and error
- Documentation

Contact Information

Sharon Bushart
[email protected]
5-8249