NW_Week08 - carrieclasses

Transcript NW_Week08 - carrieclasses

Week # 8 – Implement Security in Windows 2008
• Overview of IPsec
• Configuring Connection Security Rules
• Monitoring IPsec Activity
• Troubleshooting IPsec
• Securing a Windows Infrastructure
• Using Security Templates to Secure Servers
• Overview of Windows Server Update Services
• Managing WSUS
1
Benefits of IPsec
IPsec is a suite of protocols that allows secure, encrypted
communication between two computers over an unsecured
network
• IPsec has two goals: to protect IP packets and to defend against
network attacks
• Configuring IPsec on sending and receiving computers enables the
two computers to send secured data to each other
• IPsec secures network traffic by using encryption and data signing
• An IPsec policy defines the type of traffic that IPsec examines,
how that traffic is secured and encrypted, and how IPsec peers
are authenticated
2
Configure IPsec and IPsec Applications
To configure IPsec, you can use:
• Windows Firewall with Advanced Security MMC
(used for Windows Server 2008 and Windows Vista)
• IP Security Policy MMC (Used for mixed environments
and to configure policies that apply to all Windows versions)
• Netsh command-line tool
Recommended uses of IPsec include:
• Authenticating and encrypting host-to-host traffic
• Authenticating and encrypting traffic to servers
• L2TP/IPsec for VPN connections
• Site-to-site tunneling
• Enforcing logical networks
3
What Are Connection Security Rules?
Connection security rules involve:
• Authenticating two computers before they
begin communications
• Securing information being sent between
two computers
• Using key exchange, authentication, data integrity,
and data encryption (optionally)
How firewall rules and connection rules are related:
• Firewall rules allow traffic through, but do not
secure that traffic
• Connection security rules can secure the traffic,
but creating a connection security rule does not
allow traffic through the firewall
4
Choosing a Connection Security Rule Type
Rule Type: Description
Isolation: Restricts connections based on authentication criteria that you define
Authentication Exemption:
• Exempts specific computers, or a group or range of IP addresses, from being required to authenticate
• Grants access to those infrastructure computers with which this computer must communicate before authentication occurs
Server-to-Server: Authenticates two specific computers, two groups of computers, two subnets, or a specific computer and a group of computers or subnet
Tunnel: Provides secure communications between two peer computers through tunnel endpoints (VPN or L2TP/IPsec tunnels)
Custom: Enables you to create a rule with special settings
5
What Are Endpoints?
[Diagram: ESP Transport Mode. The original packet (IP HDR | Data) becomes IP HDR | ESP HDR | Data | ESP TRLR | ESP Auth; the Data and ESP TRLR fields are encrypted]
[Diagram: ESP Tunnel Mode. The original packet becomes New IP HDR | ESP HDR | IP HDR | Data | ESP TRLR | ESP Auth; the entire original IP packet plus the ESP TRLR is encrypted]
6
Choosing Authentication Requirements
Option: Description
Request authentication for inbound and outbound connections: Ask that all inbound/outbound traffic be authenticated, but allow the connection if authentication fails
Require authentication for inbound connections and request authentication for outbound connections:
• Require inbound be authenticated or it will be blocked
• Outbound can be authenticated but will be allowed if authentication fails
Require authentication for inbound and outbound connections: Require that all inbound/outbound traffic be authenticated or the traffic will be blocked
7
Authentication Methods
Method: Key Points
Default: Use the authentication method configured on the IPsec Settings tab
Computer and User (Kerberos V5): You can request or require both the user and computer authenticate before communications can continue; domain membership required
Computer (Kerberos V5): Request or require the computer to authenticate using Kerberos V5; domain membership required
User (Kerberos V5): Request or require the user to authenticate using Kerberos V5; domain membership required
Computer certificate:
• Request or require a valid computer certificate; requires at least one CA
• Only accept health certificates: request or require a valid health certificate to authenticate; requires IPsec NAP
Advanced: Configure any available method; you can specify methods for First and Second Authentication
8
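The rule types, authentication requirements and authentication methods on the preceding slides map directly onto the netsh advfirewall consec context that ships with Windows Vista and Windows Server 2008. The following PowerShell script is an added example, not part of the slides: it creates an isolation rule (require inbound, request outbound, computer Kerberos), an authentication exemption for a domain controller, and the firewall rule that is still needed because a connection security rule on its own does not allow traffic through. The subnet 10.0.0.0/24, the address 10.0.0.10 and the rule names are constructed sample values.

```powershell
# Added example (not from the slides). Run from an elevated PowerShell prompt on
# Windows Vista / Windows Server 2008 or later; netsh does the actual work.
# Constructed sample values: the server subnet and a domain controller address.
$serverSubnet     = "10.0.0.0/24"
$domainController = "10.0.0.10"

# 1. Isolation rule: inbound traffic from the server subnet must be
#    authenticated with computer Kerberos (domain membership required);
#    outbound traffic requests authentication but is allowed if the peer
#    cannot authenticate. Transport mode, domain profile only.
netsh advfirewall consec add rule `
    name=DomainIsolation-Servers `
    endpoint1=any `
    endpoint2=$serverSubnet `
    action=requireinrequestout `
    auth1=computerkerb `
    mode=transport `
    profile=domain

# 2. Authentication exemption: the domain controller must be reachable before
#    Kerberos can issue tickets, so it is exempted from the isolation rule.
netsh advfirewall consec add rule `
    name=Exempt-DomainControllers `
    endpoint1=any `
    endpoint2=$domainController `
    action=noauthentication

# 3. A connection security rule secures traffic but does not open the firewall.
#    The inbound port still needs a firewall rule; security=authenticate ties
#    it to the IPsec authentication above, so the port is reachable only for
#    peers that completed the connection security rule.
netsh advfirewall firewall add rule `
    name=Allow-RDP-AuthenticatedPeers `
    dir=in action=allow protocol=TCP localport=3389 `
    security=authenticate profile=domain

# 4. Review what was created (the same objects appear in the Windows Firewall
#    with Advanced Security MMC under Connection Security Rules / Inbound Rules).
netsh advfirewall consec show rule name=all
netsh advfirewall firewall show rule name=Allow-RDP-AuthenticatedPeers
```

Swapping action=requireinrequestout for action=requireinrequireout turns the isolation rule into the strictest option on the slide, where unauthenticated traffic is blocked in both directions; that should only be done after the exemption rule for infrastructure hosts is in place, otherwise the computer can lose contact with the domain controller it needs for Kerberos.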
Determining a Usage Profile
Security Settings can change dynamically with the network
location type
Windows supports three network types, and programs can use
these locations to automatically apply the appropriate
configuration options:
• Domain: selected when the computer is a domain member
• Private: networks trusted by the user (home or small
office network)
• Public: default for newly detected networks, usually the most
restrictive settings are assigned because of the security risks
present on public networks
The network location type is most useful on portable
computers which are likely to move from network to network
9
Tools Used to Monitor IPsec
Tool: Key Points
IP Security Monitor:
• Used in Windows XP and higher
• MMC snap-in
• Administrators can monitor local and remote IPsec policy usage
IPsecmon:
• Only available in Windows 2000
• Command-line tool
• Reduced level of information available for troubleshooting
Windows Firewall with Advanced Security MMC: New in Windows Vista and Windows Server 2008
Detailed IKE tracing using Netsh:
• Trace file found in: systemroot\debug\oakley.log
• Enabled in Windows XP and Windows 2000 through Registry modification
10
Using IP Security Monitor to Monitor IPsec
Options for using the IP Security Monitor:
• Modify IPsec data refresh interval to update information in the
console at a set interval
• Allow DNS name resolution for IP addresses to provide additional
information about computers connecting with IPsec
• Computers can be monitored remotely:
• To enable remote management editing, the
HKLM\system\currentcontrolset\services\policyagent key
must have a value of 1
• To discover the active security policy on a computer, examine
the Active Policy node in the IP Security Monitor MMC
• Main Mode Monitoring monitors initial IKE and SA:
• Information about the Internet Key Exchange
• Quick Mode Monitoring monitors subsequent key exchanges
related to IPsec:
• Information about the IPsec driver
11
Using Windows Firewall with Advanced Security
to Monitor IPsec
The Windows Firewall in Windows Vista and Windows Server
2008 incorporates IPsec
• Use the Connection Security Rules
and Security Associations nodes to
monitor IPsec connections
• The Connection Security Rules and
Security Associations nodes will not
monitor policies defined in the
IP Security Policy snap-in
• Items that can be monitored include:
• Security Associations
• Main Mode
• Quick Mode
12
IPsec Troubleshooting Process
1. Stop the IPsec Policy Agent and use the ping command to verify communications
2. Verify firewall settings
3. Start the IPsec Policy Agent and use IP Security Monitor to determine if a security association exists
4. Verify that the policies are assigned
5. Review the policies and ensure they are compatible
6. Use IP Security Monitor to ensure that any changes are applied
13
Troubleshooting IKE
• Identify connectivity issues related to IPsec and IKE
• Identify firewall and port issues
• View the Oakley.log file for potential issues
• Determine Main Mode exchange issues
Common Security Event log codes:
• Success:
• 541 - IKE Main Mode or Quick Mode established
• 542 - IKE Quick Mode was deleted
• 543 - IKE Main Mode was deleted
• Failure:
• 547 – Quick Mode Audit failures
14
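The monitoring and troubleshooting slides above come together in a short health check. The following PowerShell script is an added example, not part of the slides: it lists the current Main Mode and Quick Mode security associations through the netsh advfirewall monitor context (Windows Vista / Windows Server 2008) and then counts the IKE audit events the slide lists (541, 542, 543 for success, 547 for failure) in the Security log. The event IDs are taken from the slide as given; they are the legacy IDs, so substitute the IDs your OS version writes if they differ. PowerShell 2.0 or later and an elevated prompt are assumed.

```powershell
# Added example (not from the slides). Run from an elevated PowerShell prompt.
$successIds = 541, 542, 543   # IKE MM/QM established, QM deleted, MM deleted (from the slide)
$failureIds = @(547)          # Quick Mode audit failure (from the slide)

function Show-IPsecSecurityAssociations {
    # Main Mode = IKE negotiation, Quick Mode = the IPsec driver's SAs,
    # the same two nodes the IP Security Monitor and WFAS MMC expose.
    "== Main Mode security associations (IKE) =="
    netsh advfirewall monitor show mmsa
    "== Quick Mode security associations (IPsec driver) =="
    netsh advfirewall monitor show qmsa
}

function Get-IkeEventSummary {
    param([int]$Hours = 24, [int]$Newest = 5000)
    $since = (Get-Date).AddHours(-$Hours)
    $watched = $successIds + $failureIds
    # -Newest keeps the query cheap and works on PowerShell 1.0/2.0 alike.
    $events = Get-EventLog -LogName Security -Newest $Newest |
        Where-Object { $_.TimeGenerated -ge $since -and $watched -contains $_.EventID }

    $summary = @{}
    foreach ($e in $events) {
        $kind = if ($failureIds -contains $e.EventID) { "failure" } else { "success" }
        $key  = "$($e.EventID) ($kind)"
        $summary[$key] = [int]$summary[$key] + 1
    }
    $summary.GetEnumerator() | Sort-Object Name

    # Many failures and no 541 means Main Mode never completes: check that the
    # policy is assigned on both peers, that the authentication method matches,
    # and that UDP 500/4500 and ESP (IP protocol 50) are not blocked in between.
    $failures = @($events | Where-Object { $failureIds -contains $_.EventID })
    if ($failures.Count -gt 0) {
        "Failures found; next stop is the Oakley trace: $env:SystemRoot\debug\oakley.log"
    }
}

Show-IPsecSecurityAssociations
Get-IkeEventSummary -Hours 24
```

The two functions follow the order of the troubleshooting slide: confirm whether a security association exists at all before reading the audit trail, and only then go to the Oakley log for the Main Mode detail.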
Applying Defense-in-Depth to Increase Security
Defense-in-depth provides multiple layers of defense to
protect a networking environment
Layer: Example controls
Data: ACLs, encryption, EFS
Application: Application hardening, antivirus
Host: OS hardening, authentication
Internal Network: Network segments, IPsec
Perimeter: Firewalls
Physical Security: Guards, locks
Policies, Procedures, & Awareness: Security documents, user education
15
Core Server Security Practices
• Apply the latest service pack and all available security updates
• Use the Security Configuration Wizard to scan and implement server security
• Use Group Policy and security templates to harden servers
• Restrict scope of access for service accounts
• Restrict who can log on locally to servers
• Restrict physical and network access to servers
16
What Is the Security Configuration Wizard?
SCW provides guided attack-surface reduction
SCW supports:
• Disables unnecessary services and IIS Web extensions
• Uses IPsec to block unused ports and secure ports that are left open
• Reduces protocol exposure
• Configures audit settings
• Rollback
• Remote configuration
• Analysis
• Command-line support
• Active Directory integration
• Policy editing
17
What Is Windows Firewall?
Windows Firewall is a stateful host-based application that
provides the following features:
• Filters both incoming and outgoing network traffic
• Integrates both firewall filtering and IPsec
protection settings
• Can be managed by the Control Panel tool or by the
more advanced Windows Firewall with Advanced Security
MMC console
• Provides Group Policy support
• Enabled by default in new installs
18
What Is a Security Policy?
A Security Policy is a combination of security settings to be
applied to a computer
Local Security Policies include:
• Account Policies
• Local Policies
• Windows Firewall with Advanced Security
• Public Key Policies
• Software Restriction Policies
• IP Security Policies on Local Computer
Active Directory Security Policies include:
• Event Log
• Restricted Groups
• System Services
• Registry
• File System
• Wired and Wireless Network Policies
• Network Access Protection
• IP Security Policies on Active Directory
19
What Are Security Templates?
A security template is a collection of configured security
settings used to apply a security policy
Security Templates:
• Created and modified using the Security Templates MMC snap-in
• Default security templates stored in
%SystemRoot%\Security\Templates
• Custom security templates are stored in local user profile folder
Deployment Considerations:
• Create templates based upon server role
• Deploy to individual computers using the SECEDIT command
• Deploy to groups of computers using Group Policy
20
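The slide names SECEDIT as the way to deploy a template to an individual computer. The following PowerShell script is an added example, not part of the slides: it writes a small role-based template in the .inf format the Security Templates snap-in uses, exports the server's current settings as a rollback copy, analyses the server against the template, and then applies only the account and audit policy areas. The template values and the file names are constructed for illustration and are not a Microsoft baseline; an elevated prompt is assumed.

```powershell
# Added example (not from the slides). Run from an elevated PowerShell prompt.
$workDir  = Join-Path $env:TEMP "sectemplate"
$template = Join-Path $workDir "MemberServer-Baseline.inf"   # constructed name
$database = Join-Path $workDir "MemberServer-Baseline.sdb"
$backup   = Join-Path $workDir "Before-Baseline.inf"
$analyzeLog   = Join-Path $workDir "analyze.log"
$configureLog = Join-Path $workDir "configure.log"
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Security template in the .inf layout the Security Templates snap-in writes.
# Values are illustrative. In [Registry Values], "4,1" means REG_DWORD = 1.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
LockoutBadCount = 10
ResetLockoutCount = 15
LockoutDuration = 15
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditPolicyChange = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
'@ | Set-Content -Path $template -Encoding Unicode

# 1. Export the current effective settings first so the change can be undone.
secedit /export /cfg $backup /quiet

# 2. Analyse: load the template into a database and compare it with the
#    machine. The resulting .sdb can be opened in the Security Configuration
#    and Analysis snap-in, which flags each "Setting That Does Not Match
#    Template" next to the template setting and the actual setting.
secedit /analyze /db $database /cfg $template /overwrite /log $analyzeLog /quiet
"== Settings that do not match the template =="
Get-Content $analyzeLog | Select-String -Pattern "Mismatch"

# 3. Configure: apply only the SECURITYPOLICY area (account, audit and
#    security-option settings); other areas such as FILESTORE or REGKEYS
#    are left untouched because the template does not define them.
secedit /configure /db $database /cfg $template /overwrite /areas SECURITYPOLICY /log $configureLog /quiet
Get-Content $configureLog | Select-Object -Last 5

# Roll back if needed:
#   secedit /configure /db $database /cfg $backup /overwrite /areas SECURITYPOLICY
```

Running the analyze step on its own is a useful compliance check: scheduled across a server role, it shows which machines have drifted from the role template without changing anything on them.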
What Is the Security Configuration and Analysis Tool?
[Screenshot: Security Configuration and Analysis results listing each Setting That Does Not Match Template, with its Template Setting beside the Actual Setting]
21
What Is Windows Server Update Services?
[Diagram: the Microsoft Update Web site on the Internet feeds a server running Windows Server Update Services on the LAN; Automatic Updates on test clients and on production clients pull approved updates from that server]
22
Windows Server Update Services Process
Update management is a cycle: Assess, Identify, Evaluate and Plan, Deploy, then back to Assess.
Phase 1: Assess
• Set up a production environment that will support update management for both routine and emergency scenarios
Phase 2: Identify
• Discover new updates in a convenient manner
• Determine whether updates are relevant to the production environment
Phase 3: Evaluate and Plan
• Test updates in an environment that resembles, but is separate from, the production environment
• Determine the tasks necessary to deploy updates into production, plan the update releases, build the releases, and then conduct acceptance testing of the releases
Phase 4: Deploy
• Approve and schedule update installations
• Review the process after the deployment is complete
23
Server Requirements for WSUS
Software requirements:
• Windows Server 2003 SP1 or
Windows Server 2008
• IIS 6.0 or later
• Windows Installer 3.1 or later
• Microsoft .NET Framework 2.0
• SQL Server 2005 SP1 or later (optional)
• Microsoft Report Viewer Redistributable 2005
24
Automatic Updates Configuration
• Configure Automatic Updates by using Group Policy
Computer Configuration/Administrative Templates/
Windows Components/Windows Update
• Requires updated wuau.adm administrative template
• Requires:
• Windows Vista
• Windows Server 2008
• Windows Server 2003
• Windows XP Professional SP2
• Windows 2000 Professional SP4,
Windows 2000 Server/Advanced Server SP3 or SP4
25
WSUS Administration
26
Managing Computer Groups
• Computers are automatically added
• Default computer groups
• All Computers
• Unassigned Computers
• Client-side targeting
27
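The Automatic Updates Group Policy settings from the earlier slide, and the client-side targeting option mentioned here, are written by Group Policy into registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate. The following PowerShell script is an added example, not part of the slides: it reads those values back on a client and reports whether the client points at the expected WSUS server and carries the expected targeting group. It only reads; the server URL and group name are constructed sample values, and PowerShell 2.0 or later is assumed.

```powershell
# Added example (not from the slides). Read-only check of the WSUS client policy.
$expectedServer = "http://wsus01.corp.example:8530"   # constructed sample value
$expectedGroup  = "Servers-Pilot"                     # constructed sample value
$policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$auKey     = Join-Path $policyKey "AU"

function Get-PolicyValue($key, $name) {
    # Returns $null when the key or value is absent (setting not configured).
    if (Test-Path $key) { (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$name }
}

function Get-WsusClientPolicy {
    New-Object PSObject -Property @{
        WUServer           = Get-PolicyValue $policyKey "WUServer"            # intranet update server
        WUStatusServer     = Get-PolicyValue $policyKey "WUStatusServer"      # reporting server
        UseWUServer        = Get-PolicyValue $auKey     "UseWUServer"         # 1 = use WUServer instead of Microsoft Update
        AUOptions          = Get-PolicyValue $auKey     "AUOptions"           # 2 notify, 3 auto download, 4 scheduled install, 5 local admin chooses
        NoAutoUpdate       = Get-PolicyValue $auKey     "NoAutoUpdate"        # 1 = Automatic Updates disabled
        TargetGroupEnabled = Get-PolicyValue $policyKey "TargetGroupEnabled"  # 1 = client-side targeting on
        TargetGroup        = Get-PolicyValue $policyKey "TargetGroup"         # WSUS computer group name
    }
}

function Test-WsusClientPolicy($policy) {
    $problems = @()
    if ($policy.UseWUServer -ne 1)            { $problems += "Client is not configured to use the intranet WSUS server" }
    if ($policy.WUServer -ne $expectedServer) { $problems += "WUServer is '$($policy.WUServer)', expected '$expectedServer'" }
    if ($policy.NoAutoUpdate -eq 1)           { $problems += "Automatic Updates are disabled by policy" }
    if ($policy.AUOptions -eq 5)              { $problems += "AUOptions=5 leaves the schedule to the local administrator" }
    if ($policy.TargetGroupEnabled -eq 1 -and $policy.TargetGroup -ne $expectedGroup) {
        $problems += "Client-side targeting group is '$($policy.TargetGroup)', expected '$expectedGroup'"
    }
    $problems
}

$policy = Get-WsusClientPolicy
$policy | Format-List
$problems = @(Test-WsusClientPolicy $policy)
if ($problems.Count -eq 0) { "Windows Update policy matches the expected WSUS configuration" }
else { $problems | ForEach-Object { "PROBLEM: $_" } }

# After a policy change, make the client contact WSUS without waiting for the
# next detection cycle:  wuauclt /detectnow
```

A client that reports an empty WUServer or UseWUServer other than 1 is still talking to Microsoft Update directly, so it will install updates that were never approved on the WSUS server; checking this on a sample of machines after each Group Policy change catches the gap before the next approval round.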
Approving Updates
• Approval options include:
• Install
• Decline
• Unapprove
• Removal
• Automatic approval is also supported
28