O'Reilly - Windows Server 2003 Security Cookbook

• Windows Server 2003 Security Cookbook
• Table of Contents
• Copyright
  • Dedication
• Preface
  • Audience
  • About This Book
  • What's in This Book?
  • Assumptions This Book Makes
  • Conventions Used in This Book
  • Using Code Examples
  • Safari Enabled
  • Comments and Questions
  • Acknowledgments
• Chapter 1.  Getting Started
  • Section 1.1.  What Is Security?
  • Section 1.2.  Approach to the Book
  • Section 1.3.  Where to Find the Tools
  • Section 1.4.  Group Policy Notes
  • Section 1.5.  Programming Notes
  • Section 1.6.  Replaceable Text
  • Section 1.7.  Reporting Security Issues to Microsoft
  • Section 1.8.  Where to Find More Information
• Chapter 2.  System Preparation and Administration
  • Section 2.1.  Introduction
  • Recipe 2.1. Creating a Reference Installation
  • Recipe 2.2. Renaming the Domain Administrator Account
  • Recipe 2.3. Renaming the Local Administrator Accounts
  • Recipe 2.4. Disabling the Local Administrator Accounts
  • Recipe 2.5. Renaming the Guest Account
  • Recipe 2.6. Logging in as a Non-Administrator
  • Recipe 2.7. Configuring Internet Explorer Enhanced Security Configuration
  • Recipe 2.8. Preventing Automatic Installation of New Hardware Drivers
  • Recipe 2.9. Protecting Against Modified Device Drivers
  • Recipe 2.10. Encrypting the SAM
  • Recipe 2.11. Locking the Console
  • Recipe 2.12. Enabling Screensaver Locking
• Chapter 3.  TCP/IP
  • Section 3.1.  Introduction
  • Recipe 3.1. Displaying the Status of TCP Ports
  • Recipe 3.2. Disabling NetBIOS over TCP/IP
  • Recipe 3.3. Disabling File and Printer Sharing for MicrosoftNetworks
  • Recipe 3.4. Enabling SYN Flood Protection
  • Recipe 3.5. Disabling Source Routing
  • Recipe 3.6. Disabling Router Discovery
  • Recipe 3.7. Configuring TCP/IP Filtering
  • Recipe 3.8. Enabling and Configuring Windows Firewall
• Chapter 4.  Encrypting File System
  • Section 4.1.  Introduction
  • Recipe 4.1. Enabling EFS Without a Recovery Agent
  • Recipe 4.2. Configuring a Recovery Agent
  • Recipe 4.3. Configuring Server-Based EFS
  • Recipe 4.4. Encrypting a File
  • Recipe 4.5. Encrypting a Folder
  • Recipe 4.6. Enabling EFS Context Menus
  • Recipe 4.7. Viewing Users and Recovery Agents
  • Recipe 4.8. Moving or Copying an Encrypted File or Folder
  • Recipe 4.9. Changing Encryption Algorithms
  • Recipe 4.10. Encrypting Offline Files
  • Recipe 4.11. Sharing Encrypted Files
  • Recipe 4.12. Backing Up EFS Keys
  • Recipe 4.13. Using a Recovery Agent
  • Recipe 4.14. Removing Unused Data
• Chapter 5.  Active Directory
  • Section 5.1.  Introduction
  • Recipe 5.1. Enabling SSL/TLS
  • Recipe 5.2. Encrypting LDAP Traffic with SSL or TLS; Digital Signing
  • Recipe 5.3. Using the Delegation of Control Wizard
  • Recipe 5.4. Customizing the Delegation of Control Wizard
  • Recipe 5.5. Using the Default ACL for an Objectclass
  • Recipe 5.6. Enabling List Object Access Mode
  • Recipe 5.7. Modifying the ACL on Administrator Accounts
  • Recipe 5.8. Viewing and Purging Your Kerberos Tickets
  • Recipe 5.9. Resetting the Directory Service Restore ModeAdministrator Password
  • Recipe 5.10. Implementing Role-Based Access Control
  • Recipe 5.11. Displaying Delegated Rights
  • Recipe 5.12. Removing Delegated Rights
• Chapter 6.  Group Policy
  • Section 6.1.  Introduction
  • Recipe 6.1. Creating a GPO
  • Recipe 6.2. Copying a GPO
  • Recipe 6.3. Deleting a GPO
  • Recipe 6.4. Modifying the Settings of a GPO
  • Recipe 6.5. Creating a GPO Link to an OU
  • Recipe 6.6. Blocking Inheritance of GPOs on an OU
  • Recipe 6.7. Forcing a GPO Application
  • Recipe 6.8. Applying a Security Filter to a GPO
  • Recipe 6.9. Refreshing GPO Settings on a Computer
  • Recipe 6.10. Configuring the Group Policy Refresh Interval
  • Recipe 6.11. Installing Applications with a GPO
  • Recipe 6.12. Assigning Logon/Logoff and Startup/ShutdownScripts in a GPO
  • Recipe 6.13. Configuring Password Policies
  • Recipe 6.14. Configuring Account Lockout Policies
  • Recipe 6.15. Configuring Kerberos Policies
  • Recipe 6.16. Configuring User Rights Assignment
  • Recipe 6.17. Configuring Security Options
  • Recipe 6.18. Configuring Time Synchronization Settings
  • Recipe 6.19. Using Restricted Groups
  • Recipe 6.20. Configuring Service Parameters
  • Recipe 6.21. Configuring Registry Permissions
  • Recipe 6.22. Configuring File Permissions
• Chapter 7.  Security Templates
  • Section 7.1.  Introduction
  • Recipe 7.1. Using Default Security Templates
  • Recipe 7.2. Creating a Security Template
  • Recipe 7.3. Changing Account Policies
  • Recipe 7.4. Changing Local Policies
  • Recipe 7.5. Changing Event Log Settings
  • Recipe 7.6. Making Group Membership Changes
  • Recipe 7.7. Disabling Unwanted System Services
  • Recipe 7.8. Modifying Registry Permissions
  • Recipe 7.9. Modifying Filesystem Permissions
  • Recipe 7.10. Exporting Security Templates
  • Recipe 7.11. Importing Security Templates
  • Recipe 7.12. Verifying Template Application
  • Recipe 7.13. Analyzing a Security Configuration
  • Recipe 7.14. Testing Template Compatibility
• Chapter 8.  Domain Controllers
  • Section 8.1.  Introduction
  • Recipe 8.1. Disabling LM Hash Storage
  • Recipe 8.2. Removing Stored LM Hashes
  • Recipe 8.3. Requiring NTLM Authentication
  • Recipe 8.4. Using Syskey to Thwart Offline Attacks
  • Recipe 8.5. Signing LDAP Communications
  • Recipe 8.6. Hardening Domain Controllers with SecurityTemplates
• Chapter 9.  User and Computer Accounts
  • Section 9.1.  Introduction
  • Recipe 9.1. Enabling and Disabling a User
  • Recipe 9.2. Finding Disabled Users
  • Recipe 9.3. Unlocking a User
  • Recipe 9.4. Troubleshooting Account Lockout Problems
  • Recipe 9.5. Viewing and Modifying the Account Lockout andPassword Policies
  • Recipe 9.6. Setting a User's Account to Expire
  • Recipe 9.7. Setting a User's Password
  • Recipe 9.8. Forcing a User Password Change at Next Logon
  • Recipe 9.9. Preventing a User's Password from Expiring
  • Recipe 9.10. Setting a User's Account Options
  • Recipe 9.11. Finding a User's Last Logon Time
  • Recipe 9.12. Restricting a User's Logon Hours and Workstations
  • Recipe 9.13. Resetting a Computer Account
  • Recipe 9.14. Finding Inactive or Unused Computer Accounts
  • Recipe 9.15. Trusting a Computer Account for Delegation
• Chapter 10.  Rights and Permissions
  • Section 10.1.  Introduction
  • Recipe 10.1. Using Standard File Permissions
  • Recipe 10.2. Using Special File Permissions
  • Recipe 10.3. Determining File Permission Inheritance
  • Recipe 10.4. Using Deny Permission
  • Recipe 10.5. Determining Effective Permissions
  • Recipe 10.6. Determining File Ownership
  • Recipe 10.7. Modifying File Ownership
  • Recipe 10.8. Restoring Default Permissions
  • Recipe 10.9. Hardening Registry Permissions
  • Recipe 10.10. Restricting Remote Access to the Registry
• Chapter 11.  Dynamic Host Configuration Protocol
  • Section 11.1.  Introduction
  • Recipe 11.1. Authorizing a DHCP Server
  • Recipe 11.2. Detecting Rogue DHCP Servers
  • Recipe 11.3. Restricting DHCP Administrators
  • Recipe 11.4. Disabling NetBIOS over TCP/IP Name Resolution
  • Recipe 11.5. Enabling Dynamic DNS Updates from the DHCP Server
  • Recipe 11.6. Running DHCP Server on a Domain Controller
• Chapter 12.  Domain Name System
  • Section 12.1.  Introduction
  • Recipe 12.1. Securing DNS Using the Separate NamespacesApproach
  • Recipe 12.2. Securing DNS Using the Split-Brain Approach
  • Recipe 12.3. Restricting DNS Administration Using theDNSAdmins Group
  • Recipe 12.4. Hiding Your Internal IP Addressing Scheme
  • Recipe 12.5. Blocking Unwanted DNS Traffic Through aFirewall
  • Recipe 12.6. Restricting DNS Traffic Through a Firewall UsingForwarders
  • Recipe 12.7. Preventing DoS Attacks by Disabling Recursion
  • Recipe 12.8. Hardening DNS by Converting Standard Zones to Active Directory Integrated
  • Recipe 12.9. Protecting DNS Zones by Requiring Only SecureDynamic Updates
  • Recipe 12.10. Hardening DNS Clients by Requiring Them to UseSecure Dynamic Updates
  • Recipe 12.11. Protecting DNS Zones by Disabling DynamicUpdates
  • Recipe 12.12. Hardening DNS Clients by Preventing Them fromAttempting Dynamic Updates
  • Recipe 12.13. Preventing Unauthorized Zone Transfers
  • Recipe 12.14. Restricting Zone Transfers to Legitimate DNS Servers
  • Recipe 12.15. Preventing Cache Pollution on DNS Servers
  • Recipe 12.16. Monitoring Suspicious DNS Requests UsingDebug Logging
  • Recipe 12.17. Securing Resource Records When Usingthe DnsUpdateProxy Group
  • Recipe 12.18. Preventing DNS Session Sniffing and Hijacking
• Chapter 13.  File and Print Servers
  • Section 13.1.  Introduction
  • Recipe 13.1. Creating a Hidden File Share
  • Recipe 13.2. Deleting a File Share
  • Recipe 13.3. Securing Shared Folders and Files
  • Recipe 13.4. Preventing Shared File Caching
  • Recipe 13.5. Determining Access Levels for a File Share
  • Recipe 13.6. Listing All File Shares
  • Recipe 13.7. Restricting Printing Permissions
  • Recipe 13.8. Hardening the Print Spooler
  • Recipe 13.9. Moving the Print Spool Folder
  • Recipe 13.10. Disabling Internet Printing
  • Recipe 13.11. Removing Internet Printing
• Chapter 14.  IPsec
  • Section 14.1.  Introduction
  • Recipe 14.1. Using a Default IPsec Policy
  • Recipe 14.2. Creating an IPsec Policy
  • Recipe 14.3. Creating a Blocking Rule
  • Recipe 14.4. Creating a Permit Rule
  • Recipe 14.5. Configuring IPsec Boot Mode
  • Recipe 14.6. Configuring Authentication Methods
  • Recipe 14.7. Configuring Connection Types
  • Recipe 14.8. Configuring Key Exchange
  • Recipe 14.9. Configuring Session Cryptography
  • Recipe 14.10. Configuring IP Filter Lists
  • Recipe 14.11. Configuring IP Filter Actions
  • Recipe 14.12. Configuring Security Methods
  • Recipe 14.13. Activating an IPsec Rule
  • Recipe 14.14. Deactivating an IPsec Rule
  • Recipe 14.15. Assigning and Unassigning IPsec Policies
  • Recipe 14.16. Viewing IPsec Statistics with System Monitor
  • Recipe 14.17. Verifying IPsec Traffic
  • Recipe 14.18. Using IPsec Monitor to Verify IPsec
  • Recipe 14.19. Troubleshooting IPsec Connections
• Chapter 15.  Internet Information Services
  • Section 15.1.  Introduction
  • Recipe 15.1. Configuring Listening Port
  • Recipe 15.2. Removing Unused Components
  • Recipe 15.3. Configuring HTTP Authentication
  • Recipe 15.4. Configuring FTP Authentication
  • Recipe 15.5. Changing the User Context for AnonymousAccess
  • Recipe 15.6. Disabling Anonymous Access
  • Recipe 15.7. Restricting Client Access by ACL
  • Recipe 15.8. Restricting Client Access by IP Address or DNSName
  • Recipe 15.9. Installing Server Certificates
  • Recipe 15.10. Enabling Secure Sockets Layer
  • Recipe 15.11. Enabling Client Certificate Authentication
  • Recipe 15.12. Requiring Client Certificate Authentication
  • Recipe 15.13. Configuring Trusted Certification Authorities
  • Recipe 15.14. Configuring One-to-One Client Certificate Mapping
  • Recipe 15.15. Configuring Many-to-One Client CertificateMapping
• Chapter 16.  RRAS and IAS
  • Section 16.1.  Introduction
  • Recipe 16.1. Configuring the Routing and Remote Access Server
  • Recipe 16.2. Allowing Authentication Protocols
  • Recipe 16.3. Requiring Smart Card Authentication
  • Recipe 16.4. Using Preshared Keys
  • Recipe 16.5. Configuring RRAS to Use IAS
  • Recipe 16.6. Installing Internet Authentication Service
  • Recipe 16.7. Configuring IAS Auditing
  • Recipe 16.8. Configuring Local IAS Logging
  • Recipe 16.9. Configuring SQL IAS Logging
  • Recipe 16.10. Creating a Remote Access Policy
  • Recipe 16.11. Configuring Connection Time
• Chapter 17.  Terminal Services and Remote Desktop
  • Section 17.1.  Introduction
  • Recipe 17.1. Choosing a Security Mode
  • Recipe 17.2. Configuring Session Encryption
  • Recipe 17.3. Limiting Client Sessions
  • Recipe 17.4. Requiring a Password for Connection
  • Recipe 17.5. Securing RPC Administration Traffic
  • Recipe 17.6. Allowing Silent Session Monitoring
  • Recipe 17.7. Monitoring Sessions
  • Recipe 17.8. Enabling Remote Desktop
  • Recipe 17.9. Configuring Access to Remote Desktop
• Chapter 18.  Public Key Infrastructure and Certificates
  • Section 18.1.  Introduction
  • Recipe 18.1. Installing an Offline Root CA
  • Recipe 18.2. Installing an Enterprise Subordinate CA
  • Recipe 18.3. Installing a Standalone Subordinate CA
  • Recipe 18.4. Publishing a CRL from an Online CA
  • Recipe 18.5. Publishing a CRL from an Offline CA
  • Recipe 18.6. Restricting Access to the CA
  • Recipe 18.7. Auditing CA Operations
  • Recipe 18.8. Configuring Certificate Templates
  • Recipe 18.9. Authorizing the CA to Issue Certificates
  • Recipe 18.10. Archiving Private Keys
  • Recipe 18.11. Sending Enrollment Notifications via Email
  • Recipe 18.12. Requesting Certificates Automatically
  • Recipe 18.13. Approving and Denying Certificate Requests
  • Recipe 18.14. Retrieving Issued Certificates
  • Recipe 18.15. Renewing Certificates
  • Recipe 18.16. Revoking Certificates
  • Recipe 18.17. Configuring a Trusted Certificate
  • Recipe 18.18. Identifying Local Certificates and Private Keys
  • Recipe 18.19. Backing Up Certificates and Private Keys
  • Recipe 18.20. Restoring Certificates and Private Keys
• Chapter 19.  Auditing
  • Section 19.1.  Introduction
  • Recipe 19.1. Auditing Account Logon Events
  • Recipe 19.2. Auditing Account Management Events
  • Recipe 19.3. Auditing Directory Service Events
  • Recipe 19.4. Auditing File Access
  • Recipe 19.5. Auditing File Share Configuration Events
  • Recipe 19.6. Auditing Web Server Access
  • Recipe 19.7. Auditing Policy Change Events
  • Recipe 19.8. Auditing Privilege Use Events
  • Recipe 19.9. Auditing Process Tracking Events
  • Recipe 19.10. Auditing System Events
  • Recipe 19.11. Shutting Down Windows When Unable to LogEvents
• Chapter 20.  Event Logs
  • Section 20.1.  Introduction
  • Recipe 20.1. Viewing Events
  • Recipe 20.2. Setting the Maximum Size of an Event Log
  • Recipe 20.3. Setting the Event Log Retention Policy
  • Recipe 20.4. Clearing the Events in an Event Log
  • Recipe 20.5. Restricting Access to an Event Log
  • Recipe 20.6. Searching the Event Logs on Multiple Servers
  • Recipe 20.7. Archiving an Event Log
  • Recipe 20.8. Finding More Information About an Event
  • Recipe 20.9. Triggering an Action when an Event Occurs
  • Recipe 20.10. Consolidating Event Logs
• Chapter 21.  Patch Management
  • Section 21.1.  Introduction
  • Recipe 21.1. Installing a Root Update Server
  • Recipe 21.2. Installing a Subordinate Update Server
  • Recipe 21.3. Installing a Nonstoring Update Server
  • Recipe 21.4. Installing an Update Server on a NondedicatedServer
  • Recipe 21.5. Configuring Computers to Use the InternalUpdate Server
  • Recipe 21.6. Refreshing the Update Server
  • Recipe 21.7. Configuring the Computer Update Type andSchedule
  • Recipe 21.8. Creating a Test Group
  • Recipe 21.9. Approving and Declining Updates
  • Recipe 21.10. Automatically Approving Critical Updates
  • Recipe 21.11. Removing Updates
  • Recipe 21.12. Forcing an Update Scan
  • Recipe 21.13. Manually Applying Updates
  • Recipe 21.14. Disabling Windows Update
  • Recipe 21.15. Checking Status of Update Application
  • Recipe 21.16. Verifying Update Application with MBSA
• About the Author
• Colophon
• Index
  • SYMBOL
  • A
  • B
  • C
  • D
  • E
  • F
  • G
  • H
  • I
  • K
  • L
  • M
  • N
  • O
  • P
  • R
  • S
  • T
  • U
  • V
  • W
  • Z