6421A_14 Windows Server Update Service

8/14/2019 6421A_14 Windows Server Update Service

1/35

Module 14: Configuring

Server SecurityCompliance


2/35

Module Overview

Securing a Windows Infrastructure

Using Security Templates to Secure Servers

Configuring an Audit Policy

Overview of Windows Server Update Services

Managing WSUS


3/35

Lesson 1: Securing a Windows Infrastructure

Challenges of Securing a Windows Infrastructure

Applying Defense-in-Depth to Increase Security

Core Server Security Practices

What Is the Security Configuration Wizard?

What Is Windows Firewall? Demonstration: Using the Security Configuration Wizard toSecure Server Roles


4/35

Challenges of Securing a Windows Infrastructure

Challenges of securing a Windows infrastructureinclude:

Implementing and managing secure configurationof servers

Protecting against malicious software threatsand intrusions

Implementing effective identity and access control


5/35

Applying Defense-in-Depth to Increase Security

Defense-in-depth provides multiple layers of defense toprotect a networking environment

Defense-in-depth provides multiple layers of defense toprotect a networking environment

Security documents,user education

Policies, Procedures, &Awareness

Policies, Procedures, &Awareness

Physical Security

Physical Security

OS hardening,authentication

Firewalls

Guards, locks

Network segments,

IPsec

Applicationhardening, antivirus

ACLs, encryption,

EFS

Perimeter

Internal Network

Host

Application

Data


6/35

Core Server Security Practices

Apply the latest service pack and all availablesecurity updates

Use the Security Configuration Wizard to scan andimplement server security

Use Group Policy and security templates toharden servers

Restrict scope of access for service accounts

Restrict who can log on locally to servers

Restrict physical and network access to servers


7/35

What Is the Security Configuration Wizard?

SCW provides guided attack-surface reduction

Disables unnecessary servicesand IIS Web extensions

Uses IPsec to block unusedports and secure ports thatare left open

Reduces protocol exposure

Configures audit settings

SCW supports:

Rollback

Analysis

Remote configuration

Command-line support

Active Directory integration

Policy editing


8/35

What Is Windows Firewall?

Windows Firewallis a stateful host-based application thatprovides the following features:

Filters both incoming and outgoing network traffic

Integrates both firewall filtering and IPsecprotection settings

Can be managed by the Control Panel tool or by themore advanced Windows Firewall with Advanced SecurityMMC console

Provides Group Policy support

Enabled by default in new installs


9/35

Demonstration: Using the Security ConfigurationWizard to Secure Server Roles

In this demonstration, you will see how to implement

security using the Security Configuration Wizard


10/35

Lesson 2: Using Security Templates to Secure Servers

What Is a Security Policy?

What Are Security Templates?

Demonstration: Configuring Security Template Settings

What Is the Security Configuration and Analysis Tool?

Demonstration: Analyzing Security Policy Using theSecurity Configuration and Analysis Tool


11/35

What Is a Security Policy?

Local Security Policiesinclude:

Account Policies

Local Policies

Windows Firewall withAdvanced Security

Public Key Policies

Software Restriction Policies

IP Security Policies onLocal Computer

Active Directory SecurityPolicies include:

Event Log

Restricted Groups

System Services

Registry

File System

Wired and WirelessNetwork Policies

Network Access protection

IP Security Policies onActive Directory

A Security Policyis a combination of security settings to be

applied to a computer

A Security Policyis a combination of security settings to be

applied to a computer


12/35

What Are Security Templates?

Security Templates:

Deployment Considerations:

Create templates based upon server role

Deploy to individual computers using the SECEDIT command

Deploy to groups of computers using Group Policy

Created and modified using the Security Templates MMC snap-in

Default security templates stored in%SystemRoot%\Security\Templates

Custom security templates are stored in local user profile folder

Asecurity template is a collection of configured security

settings used to apply a security policy

Asecurity template is a collection of configured security

settings used to apply a security policy


13/35

Demonstration: Configuring Security TemplateSettings

In this demonstration, you will see how to:

Add the Security Templates snap-in and configure acustom security template for the DHCP server role

Import a security template into Active Directory


14/35

What Is the Security Configuration and Analysis Tool?

D i A l i S i P li U i


15/35

Demonstration: Analyzing Security Policy Usingthe Security Configuration and Analysis Tool

In this demonstration, you will see how to use the

Security Configuration and Analysis Tool to analyzeand configure local security policy settings


16/35

Lesson 3: Configuring an Audit Policy

What Is Auditing?

What Is an Audit Policy?

Types of Events to Audit

Demonstration: How to Configure Auditing


17/35

What Is Auditing?

Auditing tracks user and operating system activities, and recordsselected events in security logs, such as:

What occurred?

Who did it?

When?

What was the result?

Enable auditing to:

Create a baseline

Detect threats and attacks

Determine damages Prevent further damage

Audit access to objects, management of accounts, and userslogging on and off


18/35

What Is an Audit Policy?

An audit policy determines the security events that will bereported to the network administrator

Set up an audit policy to:

Track success or failure of events

Minimize unauthorized use of resources

Maintain a record of activity

Security events are stored in security logs


19/35

Types of Events to Audit

Account Logon

Account Management

Directory Service Access

Directory Service Changes

Directory Service Replication

Detailed Directory Service Replication

Logon

Object Access

Policy Change

Privilege Use

Process Tracking

System


20/35

Demonstration: How to Configure Auditing


Enable auditing for various events

Enable object access auditing

Lesson 4 O e ie of Windo s Se e Update


21/35

Lesson 4: Overview of Windows Server UpdateServices

What Is Windows Server Update Services?

Windows Server Update Services Process

Server Requirements for WSUS

Automatic Updates Configuration

Demonstration: Installing and Configuring WSUS


22/35

What Is Windows Server Update Services?

AutomaticUpdates

Server running

Windows ServerUpdate Services

AutomaticUpdates

LAN

Microsoft Update Web site

Internet

Test Clients


23/35

Windows Server Update Services Process

UpdateManagement

Phase 1: Assess

Set up a production environment that will support updatemanagement for both routine and emergency scenarios

Phase 3: Evaluate and Plan

Test updates in an environment that resembles, but isseparate from, the production environment

Determine the tasks necessary to deploy updates intoproduction, plan the update releases, build the releases, andthen conduct acceptance testing of the releases

Phase 4: Deploy

Approve and scheduleupdate installations

Review the processafter the deployment iscomplete

Phase 4: Deploy

Approve and scheduleupdate installations

Review the processafter the deployment iscomplete

Phase 2: Identify

Discover new updates ina convenient manner

Determine whetherupdates are relevant tothe productionenvironment

Identify

Evaluateand Plan

Deploy

Assess


24/35

Server Requirements for WSUS

Software requirements:

Windows Server 2003 SP1 orWindows Server 2008

IIS 6.0 or later

Windows Installer 3.1 or later Microsoft .NET Framework 2.0

SQL Server 2005 SP1 or later (optional)

Microsoft Report Viewer Redistributable 2005


25/35

Automatic Updates Configuration

Configure Automatic Updates by using Group PolicyComputer Configuration/Administrative Templates/Windows Components/Windows Update

Requires updated wuau.adm administrative template

Requires:

Windows Vista

Windows Server 2008

Windows Server 2003

Windows XP Professional SP2

Windows 2000 Professional SP4,Windows 2000 Server/Advanced Server SP3 or SP4


26/35

Demonstration: Installing and Configuring WSUS


Install WSUS

Configure Automatic Update client settings using GroupPolicy


27/35

Lesson 5: Managing WSUS

WSUS Administration

Managing Computer Groups

Approving Updates

Demonstration: Managing WSUS


28/35

WSUS Administration


29/35

Managing Computer Groups

Computers are automatically added

Default computer groups

All Computers

Unassigned Computers

Client-side targeting


30/35

Approving Updates

Approval options include:

Install

Decline

Unapprove

Removal

Automate approval is also supported


31/35

Demonstration: Managing WSUS


Add a computer to WSUS

Approve an update


32/35

Lab: Configuring Server Security Compliance

Exercise 1: Configuring and Analyzing Security

Exercise 2: Analyzing Security Templates

Exercise 3: Configuring Windows Software UpdateServices

Logon information

Virtual machine NYC-DC1, NYC-SVR1,and NYC-CL2

User name Administrator

Password Pa$$w0rd

Estimated time: 90 minutes


33/35

Lab Review

What recourse do you have if the desired result is not metwhen applying changes using the Security Configuration

Wizard to secure server infrastructure?

How can you verify compatibility with existing settingsbefore you apply a template to a GPO for deployment orapply the template to a local computer?

After installing the WSUS server software, a wizardappears to help you with the configuration of WSUSproperties. How can you change any incorrectly assignedproperties after the wizard has been completed?


34/35

Module Review and Takeaways

Review Questions

Best Practices


35/35

Course Evaluation

Documents

6421A_14 Windows Server Update Service