1 Objectives Windows Firewalls with Advanced Security Bit
Download
Report
Transcript 1 Objectives Windows Firewalls with Advanced Security Bit
Objectives
• Windows Firewalls with Advanced Security
• Bit-Lock
• Update and maintain your clients using Windows
Server Update Service
• Microsoft Baseline Security Analyzer
1
Security Configuration Wizard
• Security Configuration Wizard (SCW)
– Wizard for hardening your network servers
– Available in Administrative Tools
• Security policies can be created for:
–
–
–
–
Role-based service configuration
Network security
Registry settings
Audit policy
2
Windows Firewall
• Allows users to turn the firewall off or on
• By default, Windows Firewall is turned on and
allows exceptions for programs and ports
• Allows you to create exceptions for inbound traffic
• Exception
– Instruction to open a port briefly, allow a program or
service to pass information, and then close the port
3
4
5
Windows Firewall with Advanced Security
• Used to manage Windows Firewall based on port,
services, applications, and protocols
6
Windows Firewall with Advanced Security
• Available Nodes:
–
–
–
–
Inbound rules
Outbound rules
Connection security rules (IPSec configuration)
Monitoring
• Available network profiles
– Public (E.g. WiFi hot spots, non-company networks)
• Most hardened
– Private (internal network behind of firewall)
• Less hardened
– Domain
• Deploying Windows Firewall Settings via Group Policy
– WFAS allows you to import or export firewall policies 7
BitLocker
• Provides hard drive–based encryption of servers
and Windows Vista computers
• Encrypts entire Windows system volume of a
computer running Windows Server 2008
• Designed to enhance protection against data theft
or exposure on computers that are lost or stolen
8
BitLocker Authentication Modes
• Four authentication modes used by BitLocker
– BitLocker with a TPM
• Not prevent boot
– BitLocker with Universal Serial Bus (USB) flash
drive in place of TPM
• Protect boot. Key on a flash drive
– BitLocker with a TPM and a personal identification
number (PIN)
• Protect boot with PIN. Multifactor authentication
– BitLocker with a TPM and a USB flash drive
• Protect boot and Multifactor authentication
9
Installing BitLocker
• Hard drive that supports BitLocker needs to be
configured before installing BitLocker
– Download BitLocker Drive Preparation Tool from
www.microsoft.com.
– BitLocker requires at least 1.5 GB of unallocated or
available drive space
• System volume is responsible for maintaining the
unencrypted boot information
• Boot volume will contain the OS files and be encrypted
by BitLocker
• Turn on BitLocker from Control Panel BitLocker
Drive Encryption
• Group Policy to allow turn on Bitlocker without TPM
– Computer Configuration\Administrative Template\
10
Installing BitLocker (Continue)
• Control Panel
BitLocker Drive
Encryption
• Group Policy to turn on
BitLocker without TPM
– Computer Configuration
Administrative Templates
Windows Components
BitLocker Drive Encryption 11
Updating Windows Server 2008
• Windows Update (in Control Panel)
– Suite of tools and services for applying updates to systems
– Responsible for download and install updates from Microsoft
– Requires access to the Internet
12
Windows Server Update Services
• Benefits:
–
–
–
–
–
Centralizes the updating tasks for client and server
Minimizes effects on the WAN connection
Improves network security and reliability
Improves installation of relevant updates
Targets updates to specific computers and groups
• Basic requirements before installing WSUS 3.0 SP1
– Microsoft Internet Information Services (IIS) 7.0
– Microsoft Report Viewer Redistributable 2005
– Minimum of 6 GB of free space for storing downloaded
updates
– WSUS requires a database to keep records of updates
• Internal DB or SQL Sever 2005 SP1 or later
• Windows authentication (SQL authentication is not supported)
13
Working with WSUS
– WSUS Administrative console allows you to:
• Generate reports Daily/Weekly reports via email & email
when updates are synchronized.
• Manage updates
• Monitor the computer through the console
– WSUSutil.exe: a command-line tool managing WSUS
14
15
Windows Server Update Services
• Configuring clients
– To use the WSUS server for updates
– Clients must be Windows 2000 SP3 or later
– By default, client checks for update every 17 – 22 hrs.
• Approving and deploying updates
– Using the Update Services console, you can control
• Which updates are applied
• Which computers receive the updates
• When the updates are distributed
16
Microsoft Baseline Security Analyzer 2.1
• A tool to analyze your current security posture
• MBSA scans for missing security updates for the
following products
–
–
–
–
Windows 2000 SP4 and later
Microsoft Office XP and later
Microsoft Exchange Server 2000 and later
Microsoft SQL Server 2000 SP4 and later
• MBSA
– Free download from Microsoft
– Can be used on a local computer or to connect to one or
more remote computers on your network
• Options for running MBSA on remote computers
– Domain name and IP address range
17
Microsoft Baseline Security Analyzer (Continue)
• When MBSA scans a computer, it creates a report that is
organized into the following areas
–
–
–
–
–
–
Security Assessment
Security Update Scan Results
Windows Scan Results
Internet Information Services (IIS) Scan Results
SQL Server Scan Results
Desktop Application Scan Results
• Scanning a computer with MBSA
– You can perform MBSA scans using:
• The GUI-based tool
• The mbsacli.exe command- line tool
– Requires Internet connectivity
– Can scan computer, remote computer, or groups of remote
18
computers.