Documente Academic
Documente Profesional
Documente Cultură
Chapter 11
Securing Windows Server 2008
2/23/2019 1
Objectives
2/23/2019 2
Objectives (continued)
2/23/2019 3
Security Enhancements in Windows
Server 2008
2/23/2019 4
Security Enhancements in Windows
Server 2008 (continued)
• Server Core is a good solution for a Web or other
server in the demilitarized zone of a network
• Demilitarized zone (DMZ)
– A portion of a network that is between two networks,
such as between a private network and the Internet
• New group policy categories include:
– Power management
– Assigning printers by location
– Delegation of printer driver installation
– Security settings
– Internet Explorer settings
2/23/2019 5
Security Enhancements in Windows
Server 2008 (continued)
• Group policy is a way to bring consistent security
and other management to Windows Server 2008
– And to clients connecting to a server
• User Account Control (UAC)
– Designed to keep the user running in the standard
user mode as a way to:
• More fully insulate the kernel
• Keep operating system and desktop files stabilized
• BitLocker Drive Encryption
– Prevents an intruder from bypassing ACL file and
folder protections
2/23/2019 6
Introduction to Group Policy
2/23/2019 8
2/23/2019 9
Securing Windows Server 2008 Using
Security Policies
• Security policies are a subset of individual policies
– Within a larger group policy for a site, domain, OU, or
local computer
• Security policies include:
– Account Policies
– Audit Policy
– User Rights
– Security Options
– IP Security Policies
2/23/2019 10
Establishing Account Policies
• Account policies
– Security measures set up in a group policy that
applies to all accounts or to all accounts in a
container when Active Directory is installed
• Password security
– One option is to set a password expiration period,
requiring users to change passwords at regular
intervals
– Some organizations require that all passwords have a
minimum length
2/23/2019 11
Establishing Account Policies
(continued)
2/23/2019 12
Account Lockout
2/23/2019 13
Account Lockout (continued)
2/23/2019 14
Account Lockout (continued)
• Kerberos security
– Involves the use of tickets that are exchanged
between the client who requests logon and network
services access
• And the server or Active Directory that grants access
• Enhancements on Windows Server 2008 and
Windows Vista
– The use of Advanced Encryption Standard (AES)
encryption
– When Active Directory is installed, the account
policies enable Kerberos
2/23/2019 15
Account Lockout (continued)
2/23/2019 16
Establishing Audit Policies
2/23/2019 18
Configuring User Rights (continued)
2/23/2019 19
Configuring User Rights (continued)
2/23/2019 20
Configuring Security Options
2/23/2019 21
Using IP Security Policies
2/23/2019 22
Using IP Security Policies (continued)
2/23/2019 23
Active Directory Rights Management
Services
• Active Directory Rights Management Services
(AD RMS)
– A server role to complement the client applications
that can take advantage of Rights Management
Services safeguards
• Rights Management Services (RMS)
– Security rights developed by Microsoft to provide
security for documents, spreadsheets, e-mail, and
other types of files created by applications
– Uses security capabilities such as encryption, user
authentication, and security certificates to help
safeguard information
2/23/2019 24
Active Directory Rights Management
Services (continued)
2/23/2019 26
Configuring Client Security Using
Policies in Windows Server 2008
• Customizing settings used by clients offers several
advantages
– Enhanced security and providing a consistent working
environment in an organization
• The settings are customized by configuring policies
on the Windows Server 2008 servers that the clients
access
– When the client logs on to the server or the network,
the policies are applied to the client
2/23/2019 27
Manually Configuring Policies for
Clients
• You can manually configure one or more policies
that apply to clients
– By using the Group Policy Object Editor snap-in
– Or by using a customized snap-in, such as the Default
Domain Policy console
2/23/2019 28
Publishing and Assigning Software
2/23/2019 30
Using the cipher Command
2/23/2019 31
Using the cipher Command
(continued)
2/23/2019 32
Using BitLocker Drive Encryption
2/23/2019 33
Using BitLocker Drive Encryption
(continued)
• When used to protect a hard drive
– TPM verifies that the computer to which the hard drive
is connected has authority to access that hard drive
• If a computer is not equipped with a TPM chip
– BitLocker Drive Encryption can be used with a USB
flash drive that contains a personal identification
number (PIN)
• BitLocker Drive Encryption encrypts the entire drive,
including the operating system, programs, and data
files
2/23/2019 34
Configuring NAT
2/23/2019 35
Configuring NAT (continued)
2/23/2019 38
Network Access Protection
2/23/2019 40
Summary
2/23/2019 42
Summary (continued)
2/23/2019 43