  • 1. Windows Server Security
    Charles H. Leggett, EITS - Office of Information Security, University of Georgia
  • 2. Ground Rules
    • We won’t talk about each individual setting, service, script, tweak, hack, etc. We could spend days …
    • This is a Windows Server Security overview. Feel free to ask questions and be sure to study up on anything that you don’t understand.
    • Treat this discussion as opinion and recommendation. Everyone’s shop is different.
  • 3. Server Security Principles Source: NIST – Guide to General Server Security (
  • 4. Stay Informed
    • Stay on top of latest patches, Service Packs, vulnerabilities/exploits, and news:
    • Remember to stay up on each of the services and applications that you have installed as well (IIS, Apache, PHP, etc.)
  • 5. Microsoft Updates
    • Not just Windows Updates anymore…
      • Exchange Server
      • SQL Server
      • Microsoft Office
      • … and more.
    • Turn on Automatic Updates
  • 6. Windows Server Update Services
    • With your own WSUS server you can:
      • Cache updates locally
      • Control which updates to deploy
      • Schedule installations for off peak hours
      • Manage groups of workstations with different policies
      • Allow for patch testing before general release
  • 7. Backup and Restore
    • Keep yourself out of trouble!
    • Create Backups
    • Test Restores
    • Encrypt Backups if Possible
    • Store Backups Off Site
  • 8. NTFS Filesystem
    • Always use NTFS during OS install and hard drive partitioning.
    • NTFS Allows:
      • Permissions
      • Auditing
      • Encryption (EFS)
      • Compression
      • Transaction-Oriented Processing
      • Max Volume Size of 16,000 GB
  • 9. NTFS Discretionary Access Control Lists (DACLs)
    • Inheritance
    • Deny overrides Allow
    • Standard Access Control Entries (ACEs)
    • Individual Access Control Entries (ACEs)
  • 10. When Assigning NTFS Permissions
    • Remember Simplicity:
      • Less complexity means less chance of errors and confusion.
    • Remember Least Privilege:
      • Grant users the least access necessary to do their job.
    • Remember AGULP:
      • Create a unique Account for each user
      • Add users with common needs to Global groups
      • Add global groups to Universal groups if the need spans multiple domains
      • Add global and universal groups to domain Local groups on the computers with resources that need to be secured
      • Assign Permissions for these local groups to the resources that need to be secured
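The AGULP and "Deny overrides Allow" points above, as an added PowerShell example that is not part of the original slides. It grants a domain local group Modify on one folder, adds an explicit Deny for a second group, and lists the resulting ACEs; the folder path and the CORP\DL-* group names are assumptions, and it must be run by an account that can change the folder's DACL.

```powershell
# Added example, not part of the original slides: apply AGULP-style NTFS
# permissions to one folder and show that an explicit Deny beats an Allow.
# The path and the CORP\DL-* domain local group names are assumptions.
$Path      = 'D:\Projects\Finance'
$ModifyGrp = 'CORP\DL-Finance-Modify'   # domain local group that receives the permission (the "L" in AGULP)
$DenyGrp   = 'CORP\DL-Finance-Denied'   # domain local group that must never read this tree

$Inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Propagate = [System.Security.AccessControl.PropagationFlags]::None

$acl = Get-Acl -Path $Path

# Simplicity: stop inheriting from D:\Projects so every ACE on this folder is explicit.
# The second argument ($false) discards the inherited ACEs instead of copying them down.
$acl.SetAccessRuleProtection($true, $false)

# Least privilege: Modify lets the group create, edit and delete files, but not change permissions.
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    $ModifyGrp, 'Modify', $Inherit, $Propagate, 'Allow'))

# Deny overrides Allow: a user who is in both groups is refused, because Deny ACEs are evaluated first.
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    $DenyGrp, 'ReadData', $Inherit, $Propagate, 'Deny'))

# Administrators and SYSTEM keep Full Control so backup, restore and recovery still work.
foreach ($principal in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $principal, 'FullControl', $Inherit, $Propagate, 'Allow'))
}

Set-Acl -Path $Path -AclObject $acl

# Review the result. Sorting Deny first matches the order in which Windows checks the ACEs.
(Get-Acl -Path $Path).Access |
    Sort-Object AccessControlType -Descending |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
```

Assign the permission to the domain local group only; membership changes then happen in Active Directory (the A, G and U steps) without touching the folder's DACL again.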
  • 11. Shared Folder Permissions
    • Share Permissions are an additional level of access control when files are shared over a network
    • Be sure to check the permissions of your hidden and administrative shares:
      • C$, ADMIN$, and IPC$
    • Routinely audit for unexpected shares!
      • “net share” command
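The share audit the slide calls for, as an added PowerShell example that is not part of the original slides. It uses the Get-SmbShare and Get-SmbShareAccess cmdlets (Windows Server 2012 / Windows 8 and later; on older servers parse “net share” output instead); the approved share list is an assumption for the host.

```powershell
# Added example, not part of the original slides: list the SMB shares on this
# server, flag any that are not in an approved list, and show the share-level
# ACL of the flagged ones. The approved list is an assumption for this host.
$ApprovedShares = 'ADMIN$', 'C$', 'IPC$', 'Software', 'Backups$'

$unexpected = Get-SmbShare | Where-Object { $ApprovedShares -notcontains $_.Name }

if (-not $unexpected) {
    Write-Output "No unexpected shares on $env:COMPUTERNAME."
}
foreach ($share in $unexpected) {
    Write-Warning ("Unexpected share {0} -> {1} (type {2})" -f $share.Name, $share.Path, $share.ShareType)
    # Share permissions are a separate layer from the NTFS DACL on $share.Path
    Get-SmbShareAccess -Name $share.Name -ErrorAction SilentlyContinue |
        Format-Table AccountName, AccessControlType, AccessRight -AutoSize
}

# Separate check on every share, approved or not: "Everyone / Full" at the
# share level is a common mistake even when the NTFS permissions look right.
Get-SmbShare | ForEach-Object {
    Get-SmbShareAccess -Name $_.Name -ErrorAction SilentlyContinue |
        Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessRight -eq 'Full' }
} | Format-Table Name, AccountName, AccessRight -AutoSize
```

Schedule this against each file server and diff the output over time; a share that appears between runs is the finding, even if its permissions look reasonable.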
  • 12. Security Templates
    • Configuration file that contains Security Settings which can be applied to a system.
    • Don’t start from scratch!
    • Many Preconfigured Templates are available from:
      • Microsoft
      • Center for Internet Security (CIS)
      • SANS Institute
      • National Institute of Standards and Technology (NIST)
      • National Security Agency (NSA), ...
  • 13. Security Templates MMC Snap-In
  • 14. Security Configuration & Analysis MMC Snap-In
  • 15. Apply a Security Template with SCA
    • Applies settings to Local Security Policy
    • Be careful:
      • There is no “undo”
      • Test settings first
      • Take a backup before
    • That’s great for one computer but, what about the rest of them …
  • 16. Apply Security Template to Group Policy Object
    • Can be applied at any level in the domain.
    • What if the Local Security Policy and the Group Policy Object settings conflict? Group Policy wins: policy is applied in the order Local, Site, Domain, OU, and a setting applied later overrides one applied earlier.
  • 17. Group Policy Inheritance
  • 18. Authentication Protocols
    • Protocol and the first Windows version to support it:
      • Kerberos – Windows 2000
      • NTLMv2 – Windows NT 4.0 SP4 / Windows 9x (with the Active Directory Client Extension, ADCE)
      • NTLM – Windows NT
      • LM – MS-DOS
  • 19.
    • Kerberos is the preferred authentication protocol for Windows 2000 and above machines that are members of an Active Directory domain.
    • NTLM is still used in the following situations:
      • The client is authenticating to a server using an IP Address.
      • The client is authenticating to a server that belongs to a different Active Directory forest, or doesn't belong to a domain.
      • No Active Directory domain exists (commonly referred to as "workgroup" or "peer-to-peer").
      • Where a firewall would otherwise restrict the ports required by Kerberos (of which there are quite a few).
    Source: Wikipedia (
  • 20.
    • Limit to Kerberos and NTLMv2 if possible
    • Falling back to NTLM and LM may be needed for Backwards Compatibility but, check!
      • Legacy Clients (Windows 9x, Windows NT, etc.)
      • Windows Embedded Devices
      • Network Attached Storage
      • Print Servers
    Source: Wikipedia (
  • 21.  
  • 22. Network Security: LAN Manager authentication level
    • There are other levels, but the two worth mentioning are:
    • Send LM & NTLM – use NTLMv2 session security if negotiated
      • Balances security and usability
      • Kerberos where available; otherwise LM and NTLM responses are still sent, with NTLMv2 session security only when the server negotiates it
    • Send NTLMv2 response only\refuse LM & NTLM
      • Most secure
      • Use only Kerberos and NTLMv2 and reject everything else
    • Also enable “Network security: Do not store LAN Manager hash value on next password change”
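The two policy settings on this slide map to two registry values under the Lsa key, which is what a Security Template or GPO ultimately writes. The following added PowerShell example (not from the original slides) reads both, prints the current level by its Local Security Policy name, and raises them to the "most secure" level only when they are weaker; the target level is an assumption you should lower to 3 or 4 while the legacy clients from slide 20 still need NTLM. Run it elevated.

```powershell
# Added example, not part of the original slides: show the current
# "LAN Manager authentication level" and "Do not store LAN Manager hash"
# settings from the registry and raise them when weaker than the target.
# Both values are absent until the policy has been set once; until then
# the OS default applies.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# LmCompatibilityLevel values, as named in Local Security Policy
$Levels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only\refuse LM'
    5 = 'Send NTLMv2 response only\refuse LM & NTLM'
}
$TargetLevel = 5   # assumption: the slide's "most secure" level; use 3 or 4 while legacy clients need NTLM

$lsa   = Get-ItemProperty -Path $LsaKey
$level = $lsa.LmCompatibilityLevel   # $null if never set
$noLm  = $lsa.NoLMHash               # $null if never set

if ($null -eq $level) { Write-Output 'LmCompatibilityLevel: not set (OS default applies)' }
else                  { Write-Output ('LmCompatibilityLevel: {0} = {1}' -f $level, $Levels[[int]$level]) }
Write-Output ('NoLMHash: {0}' -f $(if ($null -eq $noLm) { 'not set' } else { $noLm }))

# Only change the value when it is weaker than the target, so re-running is safe.
if ($null -eq $level -or [int]$level -lt $TargetLevel) {
    Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Value $TargetLevel -Type DWord
    Write-Output "LmCompatibilityLevel set to $TargetLevel"
}

# NoLMHash=1 stops the LM hash from being stored at the next password change.
# Hashes already stored remain until each account's password is changed.
if ($noLm -ne 1) {
    Set-ItemProperty -Path $LsaKey -Name NoLMHash -Value 1 -Type DWord
    Write-Output 'NoLMHash set to 1'
}
```

Because NoLMHash only takes effect at the next password change, follow it with a forced password change (or an expiry cycle) before assuming LM hashes are gone from the SAM or Active Directory.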
  • 23. Windows Firewall
    • Turn Windows Firewall ON.
    • Grant Exceptions
    • Manage Scope
    • “But then I can’t ping.” That is a reason to add a scoped ICMP exception, not to turn the firewall off.
    • Enable Logging
    • Manage with a GPO to be sure firewall state remains consistent
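The five bullets above as one added PowerShell example (not from the original slides), using the NetSecurity cmdlets of Windows Server 2012 / Windows 8 and later: enable the firewall on every profile, block inbound by default, log dropped packets, and answer the ping objection with an ICMP echo rule scoped to one subnet. The management subnet and log path are assumptions. On Windows Server 2003 / XP the equivalents are `netsh firewall set opmode mode=ENABLE` and `netsh firewall set logging droppedpackets=ENABLE`.

```powershell
# Added example, not part of the original slides: turn the firewall on for
# every profile, log dropped packets, and allow ICMP echo only from the
# management subnet. The subnet and log path are assumptions.
$MgmtSubnet = '172.16.0.0/16'
$LogPath    = '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

# State, default actions and logging for all three profiles at once.
# 32767 KB is the largest log size the firewall accepts.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -LogBlocked True `
    -LogAllowed False `
    -LogFileName $LogPath `
    -LogMaxSizeKilobytes 32767

# "But then I can't ping": grant the exception and manage its scope.
# ICMPv4 type 8 is echo request; only the management subnet may send it.
New-NetFirewallRule -DisplayName 'Allow ICMPv4 Echo from management' `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
    -RemoteAddress $MgmtSubnet -Action Allow -Profile Domain, Private

# Verify state and logging on each profile
Get-NetFirewallProfile |
    Format-Table Name, Enabled, DefaultInboundAction, LogBlocked, LogFileName -AutoSize
```

Put the same settings in the "Windows Firewall with Advanced Security" node of a GPO once they are proven on one server; a local change like this one is overwritten at the next policy refresh if the GPO says otherwise, which is exactly the consistency the slide asks for.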
  • 24.  
  • 25.  
  • 26. Have Laptops?
  • 27. Windows Event Logs
    • You should know what to expect to see in your logs. What is normal?
    • Look up Event IDs that you are not familiar with.
      • Google: “Windows Event ID XXXX”.
    • Security auditing is not enabled by default on member servers and workstations; until you set an audit policy the Security log stays empty.
  • 28. Security Event Log Source: SANS Security 401.5 Windows Security – Recommended Settings
  • 29. Event Log Size and Retention
    • Modify log size
      • 4 GB theoretical max
      • About 300 MB practical max on pre-Vista Windows (see KB183097)
    • Log Retention Policy should meet operational and compliance needs.
  • 30. One more step for “Audit Object Access”
    • Configure System Access Control Lists (SACLs) for:
      • NTFS Files
      • NTFS Folders
      • Registry Keys
      • Printers
    • SACLs can be applied with Security Templates
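The "one more step" end to end, as an added PowerShell example that is not part of the original slides: switch on the audit policy, put a SACL on one folder, generate an access, and read the resulting event back. The folder path is an assumption; the script must run elevated because writing a SACL needs the SeSecurityPrivilege. `auditpol` and event ID 4663 are Windows Server 2008 / Vista and later; on Windows Server 2003 set "Audit object access" in Local Security Policy and look for event ID 560 instead.

```powershell
# Added example, not part of the original slides: make "Audit Object Access"
# produce events for one folder. The path is an assumption. Run elevated.
$Path = 'D:\Projects\Finance'

# 1. The audit policy must be on or the SACL does nothing.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add a SACL: record successful and failed writes, deletes and
#    permission/ownership changes by anyone, inherited by the whole tree.
$acl  = Get-Acl -Path $Path -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'WriteData, Delete, ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Generate an audited access and read it back.
#    4663 = "An attempt was made to access an object".
$probe = Join-Path $Path 'sacl-probe.txt'
Set-Content -Path $probe -Value 'audit test'
Remove-Item -Path $probe

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddMinutes(-5) } |
    Where-Object { $_.Message -like "*$Path*" } |
    Format-List TimeCreated, Id, Message
```

Audit only the rights you will act on: auditing ReadData on a busy share fills the log with noise and pushes out the write and delete events you actually wanted, which is the retention problem from slide 29.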
  • 31. Log Monitoring and Consolidation
    • Windows has no built-in log consolidation, but analysis is simplified if you have a centralized copy of all of your logs. Consider:
      • Microsoft Operations Manager (MOM)
      • Syslog: Snare, Kiwi, Splunk, etc.
      • Scripted log dumps and syncs.
    • Remember not all logs are Event Logs.
      • C:\WINDOWS\pfirewall.log
    • Use NTP to sync clocks on all devices!
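The firewall log is the example of a non-Event-Log source above, and it is worth parsing rather than just collecting. The following added PowerShell example (not from the original slides) reads the W3C-format lines pfirewall.log produces, keeps the inbound DROP records, and groups them by source so that one host probing many ports stands out. The log lines embedded in `$Sample` are constructed sample data; point the last line at the real file to run it against a server.

```powershell
# Added example, not part of the original slides: summarize dropped inbound
# connections from a Windows Firewall log. $Sample is constructed sample data
# in the W3C format pfirewall.log uses.
$Sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2008-03-04 09:15:01 DROP TCP 10.20.30.40 172.16.5.10 51522 445 52 S 123456 0 8192 - - - RECEIVE
2008-03-04 09:15:02 DROP TCP 10.20.30.40 172.16.5.10 51523 139 52 S 123457 0 8192 - - - RECEIVE
2008-03-04 09:15:02 DROP TCP 10.20.30.40 172.16.5.10 51524 3389 52 S 123458 0 8192 - - - RECEIVE
2008-03-04 09:15:03 DROP UDP 10.20.30.41 172.16.5.10 137 137 78 - - - - - - - RECEIVE
2008-03-04 09:15:04 OPEN TCP 172.16.5.10 172.16.1.5 49201 389 0 - 0 0 0 - - - -
2008-03-04 09:15:05 DROP ICMP 10.20.30.42 172.16.5.10 - - 60 - - - - 8 0 - RECEIVE
'@

function Get-FirewallDrops {
    # Parse W3C log lines using the #Fields header, return inbound DROP records
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or -not $line.Trim()) { continue }
        $values = $line -split '\s+'
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }
        if ($rec['action'] -eq 'DROP' -and $rec['path'] -eq 'RECEIVE') { [pscustomobject]$rec }
    }
}

$drops = Get-FirewallDrops -Lines ($Sample -split "`r?`n")

# Top talkers: one source hitting many distinct ports is a scan, not background noise
$drops | Group-Object 'src-ip' | ForEach-Object {
    [pscustomobject]@{
        Source        = $_.Name
        Drops         = $_.Count
        DistinctPorts = ($_.Group | Select-Object -ExpandProperty 'dst-port' -Unique).Count
        Ports         = ($_.Group.'dst-port' | Sort-Object -Unique) -join ','
    }
} | Sort-Object Drops -Descending | Format-Table -AutoSize

# Against a live server (path from the slide):
# $drops = Get-FirewallDrops -Lines (Get-Content 'C:\WINDOWS\pfirewall.log')
```

The same parser works on the exported file from a central collector, which is where the NTP point matters: the timestamps are local time per the “#Time Format: Local” header, so correlating drops across servers only works if their clocks agree.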
  • 32. Change Detection and Analysis
    • The more skilled the attack, the more subtle the changes.
    • Consider using a Host Based Intrusion Detection System.
    • Be prepared to act if you become suspicious:
      • SANS Intrusion Discovery Cheat Sheet (
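A minimal version of what a host-based IDS does for the filesystem, as an added PowerShell example that is not part of the original slides: hash a set of directories once into a baseline, then on later runs report files that were added, removed or changed. The directories and baseline path are assumptions; Get-FileHash needs PowerShell 4.0 or later.

```powershell
# Added example, not part of the original slides: a minimal file-integrity
# baseline and comparison. Paths and the baseline file are assumptions.
$Paths    = 'C:\Windows\System32\drivers\etc', 'C:\inetpub\wwwroot'
$Baseline = 'C:\Baselines\fim-baseline.csv'

function Get-TreeHashes {
    # SHA-256 of every file under each root
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Path   = $_.FullName
                    Length = $_.Length
                    Hash   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

function Compare-TreeHashes {
    # Report Added / Removed / Modified files between two hash lists
    param($Old, $New)
    $oldMap = @{}; foreach ($f in $Old) { $oldMap[$f.Path] = $f.Hash }
    $newMap = @{}; foreach ($f in $New) { $newMap[$f.Path] = $f.Hash }
    foreach ($p in $newMap.Keys) {
        if (-not $oldMap.ContainsKey($p))    { [pscustomobject]@{ Change = 'Added';    Path = $p } }
        elseif ($oldMap[$p] -ne $newMap[$p]) { [pscustomobject]@{ Change = 'Modified'; Path = $p } }
    }
    foreach ($p in $oldMap.Keys) {
        if (-not $newMap.ContainsKey($p))    { [pscustomobject]@{ Change = 'Removed';  Path = $p } }
    }
}

$current = Get-TreeHashes -Roots $Paths
if (-not (Test-Path $Baseline)) {
    # First run: write the baseline. Copy it off the host afterwards.
    New-Item -ItemType Directory -Path (Split-Path $Baseline) -Force | Out-Null
    $current | Export-Csv -Path $Baseline -NoTypeInformation
    Write-Output "Baseline written: $(@($current).Count) files."
} else {
    $changes = Compare-TreeHashes -Old (Import-Csv $Baseline) -New $current
    if ($changes) { $changes | Sort-Object Change, Path | Format-Table -AutoSize }
    else          { Write-Output 'No changes since baseline.' }
}
```

Keep the baseline copy and the comparison schedule off the monitored host: an attacker with Administrator can rewrite a local baseline as easily as the files it covers, which is the "subtle changes" problem the slide warns about.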
  • 33. More Resources
    • Microsoft Baseline Security Analyzer (MBSA)
    • Microsoft Security Assessment Tool (MSAT)
      • A risk assessment questionnaire
    • Security Configuration Wizard (SCW)
      • “an attack-surface reduction tool”
      • Can create Security Templates
    • Microsoft Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP
      • “guide provides you with a reference to all security settings that provide countermeasures for specific threats”
  • 34. Campus Resources
    • Active Directory
    • Windows Server Update Services (WSUS)
    • UGA Routable Private IP Addresses (172.1[6-8].x.x)
    • UGANET Wiki
    • CheckIT on
  • 35. Thank You!
    Charles H. Leggett, EITS - Office of Information Security, University of Georgia