8/14/2019 6421A_14 Windows Server Update Service
1/35
Module 14: Configuring
Server SecurityCompliance
8/14/2019 6421A_14 Windows Server Update Service
2/35
Module Overview
Securing a Windows Infrastructure
Using Security Templates to Secure Servers
Configuring an Audit Policy
Overview of Windows Server Update Services
Managing WSUS
8/14/2019 6421A_14 Windows Server Update Service
3/35
Lesson 1: Securing a Windows Infrastructure
Challenges of Securing a Windows Infrastructure
Applying Defense-in-Depth to Increase Security
Core Server Security Practices
What Is the Security Configuration Wizard?
What Is Windows Firewall? Demonstration: Using the Security Configuration Wizard toSecure Server Roles
8/14/2019 6421A_14 Windows Server Update Service
4/35
Challenges of Securing a Windows Infrastructure
Challenges of securing a Windows infrastructureinclude:
Implementing and managing secure configurationof servers
Protecting against malicious software threatsand intrusions
Implementing effective identity and access control
8/14/2019 6421A_14 Windows Server Update Service
5/35
Applying Defense-in-Depth to Increase Security
Defense-in-depth provides multiple layers of defense toprotect a networking environment
Defense-in-depth provides multiple layers of defense toprotect a networking environment
Security documents,user education
Policies, Procedures, &Awareness
Policies, Procedures, &Awareness
Physical Security
Physical Security
OS hardening,authentication
Firewalls
Guards, locks
Network segments,
IPsec
Applicationhardening, antivirus
ACLs, encryption,
EFS
Perimeter
Internal Network
Host
Application
Data
8/14/2019 6421A_14 Windows Server Update Service
6/35
Core Server Security Practices
Apply the latest service pack and all availablesecurity updates
Use the Security Configuration Wizard to scan andimplement server security
Use Group Policy and security templates toharden servers
Restrict scope of access for service accounts
Restrict who can log on locally to servers
Restrict physical and network access to servers
8/14/2019 6421A_14 Windows Server Update Service
7/35
What Is the Security Configuration Wizard?
SCW provides guided attack-surface reduction
Disables unnecessary servicesand IIS Web extensions
Uses IPsec to block unusedports and secure ports thatare left open
Reduces protocol exposure
Configures audit settings
SCW supports:
Rollback
Analysis
Remote configuration
Command-line support
Active Directory integration
Policy editing
8/14/2019 6421A_14 Windows Server Update Service
8/35
What Is Windows Firewall?
Windows Firewallis a stateful host-based application thatprovides the following features:
Filters both incoming and outgoing network traffic
Integrates both firewall filtering and IPsecprotection settings
Can be managed by the Control Panel tool or by themore advanced Windows Firewall with Advanced SecurityMMC console
Provides Group Policy support
Enabled by default in new installs
8/14/2019 6421A_14 Windows Server Update Service
9/35
Demonstration: Using the Security ConfigurationWizard to Secure Server Roles
In this demonstration, you will see how to implement
security using the Security Configuration Wizard
8/14/2019 6421A_14 Windows Server Update Service
10/35
Lesson 2: Using Security Templates to Secure Servers
What Is a Security Policy?
What Are Security Templates?
Demonstration: Configuring Security Template Settings
What Is the Security Configuration and Analysis Tool?
Demonstration: Analyzing Security Policy Using theSecurity Configuration and Analysis Tool
8/14/2019 6421A_14 Windows Server Update Service
11/35
What Is a Security Policy?
Local Security Policiesinclude:
Account Policies
Local Policies
Windows Firewall withAdvanced Security
Public Key Policies
Software Restriction Policies
IP Security Policies onLocal Computer
Active Directory SecurityPolicies include:
Event Log
Restricted Groups
System Services
Registry
File System
Wired and WirelessNetwork Policies
Network Access protection
IP Security Policies onActive Directory
A Security Policyis a combination of security settings to be
applied to a computer
A Security Policyis a combination of security settings to be
applied to a computer
8/14/2019 6421A_14 Windows Server Update Service
12/35
What Are Security Templates?
Security Templates:
Deployment Considerations:
Create templates based upon server role
Deploy to individual computers using the SECEDIT command
Deploy to groups of computers using Group Policy
Created and modified using the Security Templates MMC snap-in
Default security templates stored in%SystemRoot%\Security\Templates
Custom security templates are stored in local user profile folder
Asecurity template is a collection of configured security
settings used to apply a security policy
Asecurity template is a collection of configured security
settings used to apply a security policy
8/14/2019 6421A_14 Windows Server Update Service
13/35
Demonstration: Configuring Security TemplateSettings
In this demonstration, you will see how to:
Add the Security Templates snap-in and configure acustom security template for the DHCP server role
Import a security template into Active Directory
8/14/2019 6421A_14 Windows Server Update Service
14/35
What Is the Security Configuration and Analysis Tool?
D i A l i S i P li U i
8/14/2019 6421A_14 Windows Server Update Service
15/35
Demonstration: Analyzing Security Policy Usingthe Security Configuration and Analysis Tool
In this demonstration, you will see how to use the
Security Configuration and Analysis Tool to analyzeand configure local security policy settings
8/14/2019 6421A_14 Windows Server Update Service
16/35
Lesson 3: Configuring an Audit Policy
What Is Auditing?
What Is an Audit Policy?
Types of Events to Audit
Demonstration: How to Configure Auditing
8/14/2019 6421A_14 Windows Server Update Service
17/35
What Is Auditing?
Auditing tracks user and operating system activities, and recordsselected events in security logs, such as:
What occurred?
Who did it?
When?
What was the result?
Enable auditing to:
Create a baseline
Detect threats and attacks
Determine damages Prevent further damage
Audit access to objects, management of accounts, and userslogging on and off
8/14/2019 6421A_14 Windows Server Update Service
18/35
What Is an Audit Policy?
An audit policy determines the security events that will bereported to the network administrator
Set up an audit policy to:
Track success or failure of events
Minimize unauthorized use of resources
Maintain a record of activity
Security events are stored in security logs
8/14/2019 6421A_14 Windows Server Update Service
19/35
Types of Events to Audit
Account Logon
Account Management
Directory Service Access
Directory Service Changes
Directory Service Replication
Detailed Directory Service Replication
Logon
Object Access
Policy Change
Privilege Use
Process Tracking
System
8/14/2019 6421A_14 Windows Server Update Service
20/35
Demonstration: How to Configure Auditing
In this demonstration, you will see how to:
Enable auditing for various events
Enable object access auditing
Lesson 4 O e ie of Windo s Se e Update
8/14/2019 6421A_14 Windows Server Update Service
21/35
Lesson 4: Overview of Windows Server UpdateServices
What Is Windows Server Update Services?
Windows Server Update Services Process
Server Requirements for WSUS
Automatic Updates Configuration
Demonstration: Installing and Configuring WSUS
8/14/2019 6421A_14 Windows Server Update Service
22/35
What Is Windows Server Update Services?
AutomaticUpdates
Server running
Windows ServerUpdate Services
AutomaticUpdates
LAN
Microsoft Update Web site
Internet
Test Clients
8/14/2019 6421A_14 Windows Server Update Service
23/35
Windows Server Update Services Process
UpdateManagement
Phase 1: Assess
Set up a production environment that will support updatemanagement for both routine and emergency scenarios
Phase 3: Evaluate and Plan
Test updates in an environment that resembles, but isseparate from, the production environment
Determine the tasks necessary to deploy updates intoproduction, plan the update releases, build the releases, andthen conduct acceptance testing of the releases
Phase 4: Deploy
Approve and scheduleupdate installations
Review the processafter the deployment iscomplete
Phase 4: Deploy
Approve and scheduleupdate installations
Review the processafter the deployment iscomplete
Phase 2: Identify
Discover new updates ina convenient manner
Determine whetherupdates are relevant tothe productionenvironment
Identify
Evaluateand Plan
Deploy
Assess
8/14/2019 6421A_14 Windows Server Update Service
24/35
Server Requirements for WSUS
Software requirements:
Windows Server 2003 SP1 orWindows Server 2008
IIS 6.0 or later
Windows Installer 3.1 or later Microsoft .NET Framework 2.0
SQL Server 2005 SP1 or later (optional)
Microsoft Report Viewer Redistributable 2005
8/14/2019 6421A_14 Windows Server Update Service
25/35
Automatic Updates Configuration
Configure Automatic Updates by using Group PolicyComputer Configuration/Administrative Templates/Windows Components/Windows Update
Requires updated wuau.adm administrative template
Requires:
Windows Vista
Windows Server 2008
Windows Server 2003
Windows XP Professional SP2
Windows 2000 Professional SP4,Windows 2000 Server/Advanced Server SP3 or SP4
8/14/2019 6421A_14 Windows Server Update Service
26/35
Demonstration: Installing and Configuring WSUS
In this demonstration, you will see how to:
Install WSUS
Configure Automatic Update client settings using GroupPolicy
8/14/2019 6421A_14 Windows Server Update Service
27/35
Lesson 5: Managing WSUS
WSUS Administration
Managing Computer Groups
Approving Updates
Demonstration: Managing WSUS
8/14/2019 6421A_14 Windows Server Update Service
28/35
WSUS Administration
8/14/2019 6421A_14 Windows Server Update Service
29/35
Managing Computer Groups
Computers are automatically added
Default computer groups
All Computers
Unassigned Computers
Client-side targeting
8/14/2019 6421A_14 Windows Server Update Service
30/35
Approving Updates
Approval options include:
Install
Decline
Unapprove
Removal
Automate approval is also supported
8/14/2019 6421A_14 Windows Server Update Service
31/35
Demonstration: Managing WSUS
In this demonstration, you will see how to:
Add a computer to WSUS
Approve an update
8/14/2019 6421A_14 Windows Server Update Service
32/35
Lab: Configuring Server Security Compliance
Exercise 1: Configuring and Analyzing Security
Exercise 2: Analyzing Security Templates
Exercise 3: Configuring Windows Software UpdateServices
Logon information
Virtual machine NYC-DC1, NYC-SVR1,and NYC-CL2
User name Administrator
Password Pa$$w0rd
Estimated time: 90 minutes
8/14/2019 6421A_14 Windows Server Update Service
33/35
Lab Review
What recourse do you have if the desired result is not metwhen applying changes using the Security Configuration
Wizard to secure server infrastructure?
How can you verify compatibility with existing settingsbefore you apply a template to a GPO for deployment orapply the template to a local computer?
After installing the WSUS server software, a wizardappears to help you with the configuration of WSUSproperties. How can you change any incorrectly assignedproperties after the wizard has been completed?
8/14/2019 6421A_14 Windows Server Update Service
34/35
Module Review and Takeaways
Review Questions
Best Practices
8/14/2019 6421A_14 Windows Server Update Service
35/35
Course Evaluation