Chapter 7. Windows Security and Patch Management


Entire books are devoted to Windows security—how to secure Windows clients, servers, headless machines, terminals, web servers, and more. In this chapter, however, I've chosen to highlight some of the useful tools for managing and automating security on Windows Server 2008. I've also included some references to security policy settings that most organizations will find helpful.

In the interest of full disclosure, I must say I have not included an exhaustive reference to every security setting to be found in Windows. So many options are unique to different environments that I've found the best strategy for this particular book is to give a broad overview of security policy management tools, along with some general settings that can increase security greatly, and then let you explore the Windows security features yourself.



7.1. Understanding Security Considerations

Most small- and medium-size businesses have several issues to keep in mind when securing their configurations. Some of these might include the following:

The organization comprises multiple servers, and many have distinct and independent roles. It is difficult to be consistent and strict enough with a security policy when multiple machines are performing different functions, each with its own security requirements.

Older operating systems and applications are in use. Older programs and systems often use programming and communication techniques that, although secure enough when they were developed, can be exploited easily by today's automated attacks. It can be problematic to ensure that these older platforms are supported correctly and are protected adequately from a constant security threat.

In some markets and professions, you must deal with legal procedures, protections, and consequences. For instance, in the medical profession, the Health Insurance Portability and Accountability Act (HIPAA) has presented some challenges regarding data privacy and safekeeping that are making life more "interesting" (in the ancient-Chinese-curse sense of the term) for IT personnel. Such legislation and regulation can alter your security policy in specific situations.

There might be a lack of physical security at the site, which makes any computer-based security configurations you plan to make ineffective. After all, if someone can make off with your domain controller, all bets are off.

There might be a lack of security expertise among the technical employees at your company. Constructing and then implementing a security policy is a challenging task that requires patience and knowledge. Lacking these two qualities can make for a painful process. Of course, this chapter will help with the latter.

There might be threats—internal, external, or even accidental—that could damage your systems or harm the valuable data contained therein. Take a hurricane, for example. What happens when looters grab the backup tape from the regional bank whose walls have collapsed during the storm? What kinds of bad things might those thieves do with that information?

Finally, in the most common scenario, there are limited resources—in terms of both money and labor—to implement secure solutions.

Of course, not all of these conditions apply to all businesses, but it's very likely that each is an obstacle that most organizations run into. In this chapter, I'll provide cost-effective ways to address some of these obstacles.



7.1.1. Principles of Server Security

Server security operates off the CIA principle, which is depicted in Figure 7-1.

Figure 7-1. The CIA principle of server security



CIA stands for confidentiality, integrity, and availability. Confidentiality is the concept that information access is protected and restricted to only those who should have access. Integrity is the concept that information is protected from being tampered with or otherwise modified without prior authorization. And availability refers to ensuring that access to the information is available at all times, or at least as often as possible.

Keeping the CIA framework in mind, you can take a number of different security approaches at the server level. One of the most successful methods of preserving confidentiality, integrity, and availability is the layered approach, which both reduces an attacker's chance of success and increases his risk of detection. The layered approach comprises seven layers, each with its own methods and mechanisms for protection:



Data level

The data level guards against malicious activity performed on the actual data. Protection at the data level includes ACLs and encrypting filesystems. Safeguards at this level cover the confidentiality and integrity levels of the CIA triangle.



Application level

Application-level security protects individual programs from attack. Security at this level can include hardening the applications themselves, installing security patches from the vendors, and activating antivirus software and performing regular scans. Safeguards at this level cover the integrity and availability levels of the CIA triangle.



Host level

Protection at the host level secures the computer and its operating system from attack, which nearly eliminates the potential for attack on the data and application levels. Protection at this level includes hardening the operating system itself (which is the primary focus of this chapter), managing security patches, authentication, authorization, and accounting, and host-based intrusion detection systems. Safeguards at this level cover the integrity and availability levels of the CIA triangle.



Internal network level

The organization's network is the next level, which protects against intruders entering at the perimeter and sniffing traffic, looking for keys to accessing levels higher than this one. Protection at this level includes segmenting your network into subnets, using IP Security (IPSec), and installing network intrusion detection systems. Safeguards at this level include all facets of the CIA triangle: confidentiality, integrity, and availability.



Perimeter level

The perimeter is where the internal network connects to other external networks, including those to other branches of the same corporation and connections to the Internet. Perimeter-level protections might include firewalls and quarantining virtual private network (VPN) and dial-up access. Safeguards at this level include all facets of the CIA triangle: confidentiality, integrity, and availability.



Physical security level

The physical security level involves protecting the real estate in which the business practices. Guards, locks, and tracking devices all comprise protection at this level. Safeguards at this level cover the confidentiality and integrity levels of the CIA triangle.



Policies, procedures, and awareness level

This level involves educating users as to best practices and acceptable and unacceptable methods of dealing with information technology. Safeguards at this level can include all facets of the CIA triangle: confidentiality, integrity, and availability.



7.2. Locking Down Windows

Multiuser systems are security holes in and of themselves. The simplest systems—those used by only one person—are the easiest ones to secure because there's much less diversity and variance of usage on the part of one person than there is on the part of many. Unfortunately, most of our IT environments require multiple user accounts, so the following section focuses on some prudent ways to lock down Windows systems, including Windows Server 2008 machines and associated client workstation operating systems.



7.2.1. Password Policies

Long passwords are more secure, period. As you might suspect, there are more permutations and combinations to try when one is attempting to crack a machine via brute force, and common English words, on which a dictionary attack can be based, are generally shorter than eight characters in length. By the same token, passwords that have not been changed in a long time are also insecure. Although most users grudgingly change their passwords on a regular basis when encouraged by administrators, some accounts—namely the Administrator and Guest accounts—often have the same password for life, which makes them an easy target for attack.

To counter these threats, consider setting some basic requirements for passwords. To set these restrictions on individual workstations and Windows Server 2008 member servers, follow these steps:

1. Open the MMC and navigate to the Local Security Policy snap-in. You usually access this by selecting Start → All Programs → Administrative Tools.

2. Navigate down the tree, through Security Settings, to Account Policies.

3. Click Password Policy.

4. Enable the "Passwords must meet complexity requirements" setting.

5. Change the "Minimum password length" to a decent length. I recommend eight characters. (I must note here that I prefer passwords longer than 14 characters, but I predict that you will encounter serious user resistance to such a move.)

6. Change the "Maximum password age" setting to a conservative setting. I recommend 90 days.

You can accomplish the same through GP if you have a Windows domain by selecting an appropriate GPO and loading the Group Policy Object Editor, as explained in Chapter 6. Keep in mind that changes to the domain password policy will affect all machines within the scope of the GP. The configuration tree within the Group Policy Object Editor remains the same.



7.2.1.1. Granular password policies

New to Windows Server 2008 is the ability to define different password policies for different users. No longer do you have to set up distinct domains when you need different password policies to apply to specific users; with Windows Server 2008, you can apply specific password policies to users' accounts in global security groups.

To use this new feature, there are a few prerequisites, software-wise. They include:

The domain functional level must be Windows Server 2008.

You must be a domain administrator to set a password policy. You can delegate this, however.

You must fully configure the password settings object, or PSO.
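An added example, not from the book: this script checks the functional-level prerequisite, refuses anything but a global security group, and creates a PSO with every mandatory attribute set. It assumes the ActiveDirectory PowerShell module (shipped from Windows Server 2008 R2, so later than the chapter's tooling) and a constructed group name, Finance-Users.

```powershell
# Added example, not code from the book: check the domain functional level the
# chapter requires, then create a fully configured PSO and attach it to one
# global security group. Assumes the ActiveDirectory module (Windows Server
# 2008 R2 and later) and a constructed group 'Finance-Users', neither from the chapter.
Import-Module ActiveDirectory

# Prerequisite 1: domain functional level Windows Server 2008 (enum value 3) or higher.
$domain = Get-ADDomain
if ([int]$domain.DomainMode -lt 3) {
    throw "Domain functional level is $($domain.DomainMode); raise it to Windows Server 2008 first."
}

# PSOs apply only to user accounts and global security groups, so refuse anything else.
$group = Get-ADGroup -Identity 'Finance-Users'
if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
    throw "$($group.Name) is a $($group.GroupCategory)/$($group.GroupScope) group; a global security group is required."
}

# Prerequisite 3: every attribute below is mandatory on a PSO. Leaving one out
# is exactly what "fully configure the password settings object" guards against.
$pso = @{
    Name                            = 'PSO-Finance'
    Precedence                      = 10      # lowest number wins if a user matches several PSOs
    ComplexityEnabled               = $true
    MinPasswordLength               = 14      # stricter than the domain-wide 8 the chapter suggests
    MaxPasswordAge                  = (New-TimeSpan -Days 90)
    MinPasswordAge                  = (New-TimeSpan -Days 1)
    PasswordHistoryCount            = 24
    LockoutThreshold                = 10
    LockoutDuration                 = (New-TimeSpan -Minutes 30)
    LockoutObservationWindow        = (New-TimeSpan -Minutes 30)
    ReversibleEncryptionEnabled     = $false
    ProtectedFromAccidentalDeletion = $true
}
New-ADFineGrainedPasswordPolicy @pso
Add-ADFineGrainedPasswordPolicySubject -Identity $pso.Name -Subjects $group

# Verify from a member's point of view: the resultant policy should now be the
# PSO, not the domain default set through the GPO.
$member = Get-ADGroupMember -Identity $group | Select-Object -First 1
if ($member) {
    (Get-ADUserResultantPasswordPolicy -Identity $member.SamAccountName).Name
}
```

Prerequisite 2 (domain administrator, or delegated rights on the Password Settings Container) is not checked here; the New-ADFineGrainedPasswordPolicy call simply fails with an access-denied error if it is missing.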

What is a PSO? The password settings object resides in the


