winsec3e_ppt_ch11.pptx

Security Strategies in Windows Platforms and Applications

Lesson 11

Hardening the Microsoft Windows Operating System

© 2020 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Cover image © Sharpshot/Dreamstime.com


Learning Objective(s)

Apply system hardening techniques in Microsoft Windows.


Key Concepts

General hardening concepts and strategies

Hardening servers, clients, networks, and more

Security awareness


Understanding the Hardening Process and Mind-set


Strategies to Secure Windows Computers

Employ strategies to secure Windows computers

Install only what you need

Use Security Compliance Toolkit (SCT)

Manually disable and remove programs/services


The process of making configuration changes and deploying controls to reduce the attack surface is called hardening.


Install Only What You Need

Disable/remove programs with vulnerabilities

Establish controls on running programs

When installing Windows Server, select which programs to install

Customize a server by defining one or more roles

Role is a predefined set of services, programs, and configuration settings that enables a computer to fulfill specific requirements


Security Compliance Toolkit (SCT)

A set of tools from Microsoft to help manage Windows security baselines

Provides guidance that makes it easier for administrators to ensure policies adhere to best practices

Includes two tools to help manage baseline input and GPOs


Policy Analyzer Selection Window


Windows Security Configuration Wizard—Select Server Roles Policy Analyzer


Manually Disabling and Removing Programs and Services

Back up the Windows Registry before making any changes

Make changes on a test computer whenever possible

Evaluate each computer

Identify remaining programs and services you don’t need

Remove unneeded programs

Use the Windows Services maintenance utility to start, stop, and change services settings
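The steps above, as an added PowerShell example (not part of the original slides): it backs up the Services registry key, lists services that are not disabled and not on an approved list, and previews disabling the ones confirmed as unneeded. The approved list, the two service names under review, and the output paths are assumptions; run it from an elevated prompt.

```powershell
# Added example: audit services against an approved list before disabling anything.
# $ApprovedServices is a constructed allowlist; build the real one per computer role.
$ApprovedServices = @('Dnscache', 'EventLog', 'LanmanServer', 'W32Time', 'WinDefend', 'mpssvc')

function Get-UnapprovedService {
    param([Parameter(Mandatory)] [string[]] $Approved)
    # Win32_Service exposes start mode, state, logon account and binary path in one query.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -ne 'Disabled' -and $_.Name -notin $Approved } |
        Select-Object Name, DisplayName, StartMode, State, StartName, PathName |
        Sort-Object Name
}

# 1. Back up the service configuration in the registry before changing it.
$backup = Join-Path $env:TEMP ("services-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services' $backup /y | Out-Null

# 2. Evaluate the computer: record every service that is enabled but not approved.
$candidates = Get-UnapprovedService -Approved $ApprovedServices
$candidates | Export-Csv -Path (Join-Path $env:TEMP 'service-review.csv') -NoTypeInformation
$candidates | Format-Table Name, StartMode, State, StartName -AutoSize

# 3. Act only on names confirmed unnecessary after review (constructed example names).
$ConfirmedUnneeded = @('Fax', 'XblGameSave')
foreach ($name in $ConfirmedUnneeded) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { continue }   # not installed on this computer
    if ($svc.DependentServices | Where-Object Status -eq 'Running') {
        Write-Warning "$name has running dependent services; review before disabling."
        continue
    }
    # -WhatIf prints the change without making it; drop it on the test computer first.
    Stop-Service -Name $name -WhatIf
    Set-Service -Name $name -StartupType Disabled -WhatIf
}
```

The CSV written in step 2 doubles as a record of the computer's state before hardening.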


Uninstalling a Program in Windows


Windows Services Maintenance


Windows Services Properties


Hardening Microsoft Windows Operating System Authentication

Disallow older authentication methods

Remove or disable any unused or inactive user accounts

Protect Administrator account

Establish and enforce strong account policies

Password policy

Account policy

Kerberos policy


Hardening the Network Infrastructure

Identify network server and client services that require access to ports

Modify firewall settings to open those ports; close all other ports

To manage firewall settings, use:

Windows Defender Firewall with Advanced Security

Local Group Policy Editor
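An added PowerShell example (not part of the original slides) of checking a computer against its list of required ports: it reports TCP listeners outside that list and enabled inbound allow rules that admit other ports. The required-port list and the function names are assumptions.

```powershell
# Added example: compare what is listening, and what the firewall lets in,
# with the ports the computer's role requires. $RequiredTcpPorts is constructed.
$RequiredTcpPorts = @(443, 3389)

function Get-UnexpectedListener {
    param([Parameter(Mandatory)] [int[]] $Required)
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' -and $_.LocalPort -notin $Required } |
        Sort-Object LocalPort, OwningProcess -Unique |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalPort = $_.LocalPort
                Address   = $_.LocalAddress
                Process   = $proc.ProcessName
                ProcessId = $_.OwningProcess
            }
        }
}

function Get-UnexpectedInboundAllowRule {
    param([Parameter(Mandatory)] [int[]] $Required)
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        ForEach-Object {
            $rule   = $_
            $filter = $rule | Get-NetFirewallPortFilter
            if ($filter.Protocol -notin 'TCP', 'Any') { return }
            # LocalPort may be 'Any', a keyword such as 'RPC', a range, or a list of ports.
            $extra = @($filter.LocalPort) |
                Where-Object { $_ -notmatch '^\d+$' -or [int]$_ -notin $Required }
            if ($extra) {
                [pscustomobject]@{
                    Rule      = $rule.DisplayName
                    Profile   = $rule.Profile
                    Protocol  = $filter.Protocol
                    LocalPort = $extra -join ','
                }
            }
        }
}

Get-UnexpectedListener -Required $RequiredTcpPorts | Format-Table -AutoSize
Get-UnexpectedInboundAllowRule -Required $RequiredTcpPorts | Format-Table -AutoSize
```

Rules reported with LocalPort `Any` are usually program-scoped; review them individually rather than treating every one as a finding.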


Windows Defender Firewall with Advanced Security


Group Policy Management Editor—Windows Defender Firewall with Advanced Security


Securing Directory Information and Operations

Active Directory (AD)

Limit the number of administrators with access to AD

Ensure that administrators use separate Administrator user accounts

Administrators should have one account for AD administration and at least one other account for other administration tasks

Create an AD security group

Require that AD administrators do their AD work only from dedicated terminal servers instead of workstations


Securing Information and Operations (Cont.)

Directory Service Restore Mode (DSRM)

Change password from the default password after installation

Periodically change the DSRM password

Protect the DSRM password for each domain controller and change it every six months


Hardening Microsoft Windows OS Administration

After creating other user accounts with Administrator privileges, disable default Administrator account

Enable strong passwords

Set Administrator passwords to expire on a regular basis

Create and maintain baselines

Create full backup of each system before and after hardening


Hardening Microsoft Windows OS Administration (Cont.)

Create individual backups of policies each time they change

Ensure Windows systems are updated to latest patch

Ensure Windows Update is configured to automatically download and install latest updates from Microsoft


Group Policy Management Console—Backup GPO


Windows Update


Windows Update Advanced Options


Hardening Server Computers

Ensure server computers don’t do anything they’re not supposed to do, such as run unneeded services

Harden services they are supposed to provide

After installing a server, run Security Compliance Toolkit to disable unneeded roles and services

Use nmap utility to identify open ports

Enable IPSec for server-to-server communications


Hardening Workstation Computers

Use malware protection

Mitigate vulnerabilities

Disable programs and services not used

Review firewall settings


Hardening Data Access and Controls

Minimize number of user accounts on computers

Carefully control access to accounts with Administrator rights

Use Windows Group Policy to establish access control lists (ACLs)

Avoid allowing anonymous or guest user accounts to access sensitive data

Protect data at rest with Windows Encrypting File System (EFS) or Windows BitLocker

Ensure data backups are encrypted


Hardening Communications and Remote Access


Network access control (NAC)

Authentication servers

VPN and encryption

Hardening PKI

Public key infrastructure (PKI): The hardware, software, policies, and procedures to manage all aspects of digital certificates

Makes environments more secure

Ensure all computers that participate are hardened

Harden certificate authority (CA) servers


Hardening PKI (Cont.)

Ensure CAs are physically secure and only accessible by authorized administrators

Back up CA keys and store them in a safe location

Use GPOs to distribute root CA certificates


Security Awareness Reminders


Physical posters and banners in conspicuous locations, such as in break rooms and cafeterias, and around printers, fax machines, or shredders

Email newsletters, social media contact, and security policy updates

Periodic website reminders

Social media messages

Daily or weekly tip programs

Contests with security themes

Security events on specific dates, such as November 30, International Computer Security Awareness Day

Lunch-and-learn meetings about topics of interest to employees personally—such as identity theft or cyberbullying—as well as topics of interest to your organization

Visible modeling of good security behaviors by your organization’s leaders


Posters and banners

Newsletters

Website reminders

Social media messages

Daily or weekly tip programs

Contests

Security events

Lunch-and-learn meetings

Leadership

Best Practices

Install only the Windows Server Core option when you don’t need extra functionality.

Select the minimum number of roles in Windows Server.

Run SCT immediately after installation of Windows Server.

Update and patch systems; configure for automatic Windows updates.

Install and run Microsoft Baseline Security Analyzer (MBSA) and at least one vulnerability scanner.

Create one or more user accounts with Administrator rights.


Best Practices (Cont.)

Disable the Administrator and Guest user accounts.

Disable all unneeded services.

Close all ports not required by services or applications.

Create GPOs for all security settings, including firewall rules.

Use AD to distribute all configuration changes using GPOs.

Create a backup of each GPO.

Scan all computers for open ports and vulnerabilities.

Limit physical access to all critical servers.

Create an initial baseline backup.


Best Practices (Cont.)

Change the AD DSRM password periodically, at least every six months.

Install anti-malware software on each computer.

Ensure all anti-malware software and data are current.

Use NAC software or devices to control remote computer connections.

Use remote authentication methods to authorize remote computers and users.

Require secure VPNs to access internal network resources.

Use IPSec with digital certificates to authenticate computer-to-computer connections in the datacenter.


Best Practices (Cont.)

Require security awareness training prior to issuing access credentials.

Require periodic recurrent security awareness training to retain access credentials.

Provide continuing security awareness.


Summary

General hardening concepts and strategies

Hardening servers, clients, networks, and more

Security awareness
