Module 8: Increasing Security for Windows Servers Security is an essential consideration for networking with Windows Server 2008. In this module, you will learn how to implement various methods to increase security. Windows Firewall with Advanced Security is one of the features in Windows Server 2008 that is used to increase security. You can also use Windows Server Update Services to ensure that approved security updates are applied to servers in a timely way. Lessons Windows Security Overview Configuring Windows Firewall with Advanced Security Deploying Updates with Windows Server Update Services Lab : Increasing Security for Windows Servers Deploying a Windows Firewall Rule Implementing WSUS After completing this module, students will be able to: Describe a process for increasing the security of Windows Server 2008. Configure Windows Firewall with Advanced Security. Describe Windows Server Update Services and how to use it.

1. Module 8
Increasing Security for
Windows Servers

2. Module Overview
• Windows Security Overview
• Configuring Windows Firewall with Advanced Security
• Deploying Updates with Windows Server Update Services

3. Lesson 1: Windows Security Overview
• Discussion: Identifying Security Risks and Costs
• Applying Defense-In-Depth to Increase Security
• Best Practices for Increasing Security

4. Discussion: Identifying Security Risks and Costs
What are some of the risks and
associated costs to Windows-
based networks?
5 min

5. Applying Defense-In-Depth to Increase Security
Defense-in-depth provides multiple layers of defense to
protect a networking environment
Security documents, user
education
Policies, Procedures, & Awareness
Physical Security
OS hardening,
authentication
Firewalls
Guards, locks
Network segments,
IPsec
Application hardening,
antivirus
ACLs, encryption, EFS
Perimeter
Internal Network
Host
Application
Data

6. Best Practices for Increasing Security
Some best practices for increasing security are:
Windows Server 2008
Apply all available security updates quickly
Follow the principle of least privilege
Restrict console login
Restrict physical access

7. Lesson 2: Configuring Windows Firewall with
Advanced Security
• What Is Windows Firewall with Advanced Security?
• Discussion: Why Is a Host-Based Firewall Important?
• Firewall Profiles
• Demonstration: How to Configure Firewall Profiles
• Deploying Windows Firewall Rules

8. What Is Windows Firewall with Advanced Firewall?
Inbound rules
Outbound rules
Connection security rules
Windows Firewall with Advanced Security is a host-based
firewall the protects individual servers
Control inbound communication initiated from the network
All inbound requests are blocked by default
Control outbound communication initiated by the host
All outbound requests are allowed by default
Configure IPsec for encryption and authentication

9. Discussion: Why Is a Host-Based Firewall Important?
Why is it important to use a host-
based firewall like Windows
Firewall with Advanced Security?
5 min

10. Firewall Profiles
The firewall profiles are:
Domain
Public
Private
Firewall profiles are a set of configuration settings that apply to
a particular network type
Windows Server 2008 R2 introduces the ability to have multiple
active firewall profiles

11. Demonstration: How to Configure Firewall Profiles
In this demonstration you will see how to configure
firewall profiles

12. Deploying Windows Firewall Rules
You can deploy Windows Firewall rules:
• Manually
• By exporting and importing firewall rules
• By using Group Policy

13. Lesson 3: Deploying Updates with Windows
Server Update Services
• What Is Windows Server Update Services?
• Windows Server Update Process
• Server Requirements for WSUS
• Configuring Automatic Updates
• WSUS Administration
• What Are Computer Groups?
• Approving Updates

14. What Is Windows Server Update Services?
Automatic
Updates
Server running
Windows Server
Update Services
Automatic
Updates
LAN
Internet
Test Clients

15. Windows Server Update Services Process
Update
Management
Phase 1: Assess
• Set up a production environment that will support update
management for both routine and emergency scenarios
Phase 3: Evaluate and Plan
• Test updates in an environment that resembles, but is
separate from, the production environment
• Determine the tasks necessary to deploy updates into
production, plan the update releases, build the releases,
and then conduct acceptance testing of the releases
Phase 4: Deploy
•Approve and schedule
update installations
•Review the process
after the deployment is
complete
Phase 4: Deploy
• Approve and
schedule update
installations
• Review the process
after the deployment
is complete
Phase 2: Identify
• Discover new updates
in a convenient
manner
• Determine whether
updates are relevant
to the production
environment
Identify
Evaluate
and Plan
Deploy
Assess

16. Server Requirements for WSUS
Software requirements:
Hardware requirements are similar to the Windows
operating system
IIS 6.0 or later
Microsoft .NET Framework 2.0 or later
Microsoft Management Console 3.0
Microsoft Report Viewer Redistributable 2008
SQL Server 2008, SQL Server 2005 SP2, or
Windows Internal Database

17. Configuring Automatic Updates
WSUS Server Client Server
Client computers must be configured to use the WSUS
server as a source for updates
Group Policy is used to configure the client servers
Other Group Policy settings related to Auto:
Update frequency
Update installation schedule
Whether automatic restarts are allowed
Default computer group in WSUS

18. WSUS Administration

19. What Are Computer Groups?
Computer groups are a way to organize WSUS clients
Create custom computer groups to control update
application
Default computer groups:
All Computers
Unassigned Computers

20. Approving Updates
Updates can be approved automatically but it is not
recommended
Updates should be tested before they are approved
for production
Updates can be declined if they are not required
Updates can be removed if they cause problems

21. Lab: Increasing Security for Windows Servers
• Exercise 1: Deploying a Windows Firewall Rule
• Exercise 2: Implementing WSUS
Logon information
Virtual machine
NYC-DC1,
NYC-SVR1
User name Administrator
Password Pa$$w0rd
Estimated time: 45 minutes

22. Lab Scenario
• Your organization has implemented new software for
monitoring client computers and servers. This software
is already installed on the computers, but your central
monitoring console is unable to initiate communication with
the software. The installation routine for the software did
not open the necessary port in Windows Firewall.
• You need to deploy a Windows Firewall rule that allows all
computers in the organization to respond to communication
attempts from the centralized monitoring console that runs
on port 10005. Documentation from the product vendor
indicates that you can test this port by using a Web browser
to view an XML file.
• In the past management of updates for clients and servers
in your organization has been ad hoc. Some servers have
not had updates applied while other are applying updates
immediately. This has resulted in an insecure environment.
You are implementing WSUS to begin implementing a
controlled process for applying updates to clients and
servers.

23. Lab Review
• Why was it appropriate to deploy the firewall rule by using
Group Policy?
• Is the use of wuauclt.exe typically required when
implementing WSUS?

24. Module Review and Takeaways
• Review Questions
• Tools