
Increasing Security for Windows Servers


Module Overview
Windows Security Overview
Configuring Windows Firewall with Advanced Security
Deploying Updates with Windows Server Update Services

Windows Security Overview


Discussion: Identifying Security Risks and Costs
Applying Defense-in-Depth to Increase Security
Best Practices for Increasing Security

Discussion: Identifying Security Risks and Costs

What are some of the risks and associated costs to Windows-based networks?

5 min

Applying Defense-in-Depth to Increase Security

Defense-in-depth provides multiple layers of defense to protect a networking environment

Data: ACLs, encryption, EFS
Application: Application hardening, antivirus
Host: OS hardening, authentication
Internal Network: Network segments, IPsec
Perimeter: Firewalls
Physical Security: Guards, locks
Policies, Procedures, & Awareness: Security documents, user education

Best Practices for Increasing Security

Some best practices for increasing security are:
Apply all available security updates quickly
Follow the principle of least privilege
Restrict console login
Restrict physical access

Windows Server 2008

Configuring Windows Firewall with Advanced Security


What Is Windows Firewall with Advanced Security?
Discussion: Why Is a Host-Based Firewall Important?
Firewall Profiles
Demonstration: How to Configure Firewall Profiles
Deploying Windows Firewall Rules

What Is Windows Firewall with Advanced Security?

Windows Firewall with Advanced Security is a host-based firewall that protects individual servers

Inbound rules
  Control inbound communication initiated from the network
  All inbound requests are blocked by default
Outbound rules
  Control outbound communication initiated by the host
  All outbound requests are allowed by default
Connection security rules
  Configure IPsec for encryption and authentication

Discussion: Why Is a Host-Based Firewall Important?

Why is it important to use a host-based firewall like Windows Firewall with Advanced Security?

5 min

Firewall Profiles

Firewall profiles are a set of configuration settings that apply to a particular network type

The firewall profiles are:
Domain
Public
Private

Windows Server 2008 R2 introduces the ability to have multiple active firewall profiles

Demonstration: How to Configure Firewall Profiles

In this demonstration you will see how to configure firewall profiles

Deploying Windows Firewall Rules

You can deploy Windows Firewall rules:
Manually
By using Group Policy
By exporting and importing firewall rules
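
The manual and export/import methods, shown as an added example that is not part of the original course material, using the built-in netsh advfirewall commands from PowerShell. Port 10005 is the monitoring port from this module's lab scenario; the rule name, the choice of TCP, the console address and the export path are assumptions made for the example.

```powershell
# Added example, not from the course material. Run from an elevated PowerShell
# prompt on Windows Server 2008 R2; netsh advfirewall is the built-in CLI.
# Assumed values: rule name, TCP as the protocol, console address, export path.
$ruleName  = 'Monitoring-Agent-TCP-10005-In'
$consoleIp = '10.10.0.50'                    # hypothetical monitoring console
$policy    = 'C:\Temp\firewall-policy.wfw'   # hypothetical file; folder must exist

# Manual deployment: allow the port only on the Domain profile and only from
# the console, rather than from any address on any network type.
netsh advfirewall firewall add rule "name=$ruleName" dir=in action=allow `
    protocol=TCP localport=10005 "remoteip=$consoleIp" profile=domain
if ($LASTEXITCODE -ne 0) { throw "netsh could not create rule $ruleName" }

# Check what was created (scope, profile, port) before relying on it.
netsh advfirewall firewall show rule "name=$ruleName" verbose

# Export/import deployment: export writes the complete local firewall policy.
netsh advfirewall export $policy
if ($LASTEXITCODE -ne 0) { throw "netsh could not export to $policy" }

# On the receiving server. Import replaces that server's entire local policy,
# not just this one rule, so export from a server built as the baseline.
# netsh advfirewall import $policy

# Cleanup when the rule is no longer needed.
# netsh advfirewall firewall delete rule "name=$ruleName"
```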

Deploying Updates with Windows Server Update Services


What Is Windows Server Update Services?
Windows Server Update Process
Server Requirements for WSUS
Configuring Automatic Updates
WSUS Administration
What Are Computer Groups?
Approving Updates

What Is Windows Server Update Services?

[Diagram labels: Internet, Server running Windows Server Update Services, LAN, Test Clients, Automatic Updates]

Windows Server Update Services Process

[Diagram: Update Management cycle with the phases Assess, Identify, Evaluate and Plan, Deploy]

Phase 1: Assess
  Set up a production environment that will support update management for both routine and emergency scenarios

Phase 2: Identify
  Discover new updates in a convenient manner
  Determine whether updates are relevant to the production environment

Phase 3: Evaluate and Plan
  Test updates in an environment that resembles, but is separate from, the production environment
  Determine the tasks necessary to deploy updates into production, plan the update releases, build the releases, and then conduct acceptance testing of the releases

Phase 4: Deploy
  Approve and schedule update installations
  Review the process after the deployment is complete

Server Requirements for WSUS

Software requirements:
  IIS 6.0 or later
  Microsoft .NET Framework 2.0 or later
  Microsoft Management Console 3.0
  Microsoft Report Viewer Redistributable 2008
  SQL Server 2008, SQL Server 2005 SP2, or Windows Internal Database

Hardware requirements are similar to the Windows operating system

Configuring Automatic Updates

Client computers must be configured to use the WSUS server as a source for updates
Group Policy is used to configure the client servers
Other Group Policy settings related to Auto:
  Update frequency
  Update installation schedule
  Whether automatic restarts are allowed
  Default computer group in WSUS

[Diagram labels: WSUS Server, Client Server]
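
A check that the Group Policy settings listed above have reached a client, as an added example that is not part of the original course material. It reads the registry values written by the Windows Update policy settings; the helper name Get-PolicyValue and the wording of the findings are this example's own.

```powershell
# Added example, not from the course material. Reads the values that the
# Windows Update Group Policy settings write and reports gaps. PowerShell 2.0+.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"

# Hypothetical helper: returns the value, or $null if the key or value is absent.
function Get-PolicyValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$policy = @{
    WUServer       = Get-PolicyValue $wu 'WUServer'              # update source
    WUStatusServer = Get-PolicyValue $wu 'WUStatusServer'        # reporting target
    UseWUServer    = Get-PolicyValue $au 'UseWUServer'           # 1 = use WUServer
    DetectionHours = Get-PolicyValue $au 'DetectionFrequency'    # update frequency
    AUOptions      = Get-PolicyValue $au 'AUOptions'             # 4 = scheduled install
    InstallDay     = Get-PolicyValue $au 'ScheduledInstallDay'   # 0 = daily, 1-7 = Sun-Sat
    InstallHour    = Get-PolicyValue $au 'ScheduledInstallTime'  # 0-23
    NoAutoReboot   = Get-PolicyValue $au 'NoAutoRebootWithLoggedOnUsers'
    TargetingOn    = Get-PolicyValue $wu 'TargetGroupEnabled'    # client-side targeting
    TargetGroup    = Get-PolicyValue $wu 'TargetGroup'           # computer group in WSUS
}

$findings = @()
if (-not $policy.WUServer) {
    $findings += 'No WSUS server is assigned by policy' }
if ($policy.UseWUServer -ne 1) {
    $findings += 'UseWUServer is not 1, so the WUServer value is ignored' }
if ($policy.WUServer -ne $policy.WUStatusServer) {
    $findings += 'WUServer and WUStatusServer differ; both must hold the same URL' }
if ($policy.AUOptions -ne 4) {
    $findings += 'AUOptions is not 4, so the install day and hour are not used' }
if ($policy.TargetingOn -ne 1) {
    $findings += 'Client-side targeting is off; the computer group is set in the WSUS console' }

$policy.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'WSUS client policy values are all present' }

# wuauclt.exe /detectnow makes the client contact its update source immediately
# instead of waiting for the next detection interval.
```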


WSUS Administration

What Are Computer Groups?

Computer groups are a way to organize WSUS clients
Default computer groups:
  All Computers
  Unassigned Computers
Create custom computer groups to control update application

Approving Updates

Updates can be approved automatically but it is not recommended
Updates should be tested before they are approved for production
Updates can be declined if they are not required
Updates can be removed if they cause problems

Lab: Increasing Security for Windows Servers

Exercise 1: Deploying a Windows Firewall Rule
Exercise 2: Implementing WSUS

Logon information

Virtual machine: NYC-DC1, NYC-SVR1
User name: Administrator
Password: Pa$$w0rd

Estimated time: >% minutes

Lab Scenario

Your organization has implemented new software for monitoring client computers and servers. This software is already installed on the computers, but your central monitoring console is unable to initiate communication with the software. The installation routine for the software did not open the necessary port in Windows Firewall. You need to deploy a Windows Firewall rule that allows all computers in the organization to respond to communication attempts from the centralized monitoring console that runs on port 10005. Documentation from the product vendor indicates that you can test this port by using a Web browser to view an XML file.

In the past, management of updates for clients and servers in your organization has been ad hoc. Some servers have not had updates applied while others are applying updates immediately. This has resulted in an insecure environment. You are implementing WSUS to begin implementing a controlled process for applying updates to clients and servers.

Lab Review

Why was it appropriate to deploy the firewall rule by using Group Policy?
Is the use of wuauclt.exe typically required when implementing WSUS?
