nav2567
asked on
hardening windows servers.
Hi,
Can someone suggest security guidelines for hardening Windows servers - Exchange, SQL, File and Print, IIS?
Here's some more sources:
http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml
http://web.nvd.nist.gov/view/ncp/repository
Some excellent training is provided by SANS.
http://www.sans.org/windows-security/2013/06/03/download-scripts
Operating System and Applications Hardening:
How your anti-virus scanners can fail you
AppLocker whitelisting
EMET, ASLR, SEHOP, DEP (EMET 4.0)
Windows OS and Applications Hardening tools
The Group Policy Management Console (GPMC)
INF and XML Security templates
How to manage Group Policy
WMI filtering and GPO preferences
Custom ADM/ADMX templates
Hardening Adobe Reader
Hardening Java
Hardening Internet Explorer
Hardening Google Chrome
Hardening Microsoft Office
Virtual Desktop Infrastructure (pros and cons)
High-Value Targets & Restricting Admin Compromise:
What makes something a high-value target?
Users in the local administrators group
Secretly limiting the power of administrative users
Limiting privileges, logon rights and permissions
Token abuse and pass-the-hash attack mitigations
Group Policy control of Windows security
User Account Control (UAC)
Delegating IT power more safely
Organizational units for role-based controls
Active Directory permissions for delegation
Active Directory auditing and logging
Painless (or Less Painful) Patch Management
PKI, BitLocker and Secure Boot:
Why must I have a PKI?
Examples: Smart Cards, VPNs, Wireless, SSL, S/MIME, etc.
How to install the Windows PKI
Root vs. subordinate certification authorities
Should you be your own root CA?
Detecting malicious trusted CA changes
How to manage your PKI
Group policy deployment of certificates
How to revoke certificates
Automatic private key backup
Deploying smart cards
Best practices for private keys
BitLocker drive encryption
BitLocker for USB drives
UEFI Secure Boot
TPM chip options for BitLocker
BitLocker emergency recovery
IPSec, Windows Firewall, DNS, and Wireless:
Isn't IPSec just for VPNs? No!
IPSec for TCP port permissions
How to create IPSec policies
Windows Firewall and IPSec integration
Group Policy for IPSec and firewall rules
NETSH and PowerShell rules scripting
DNSSEC response validation
DNS secure dynamic updates
DNS sinkholes for malware
Wireless attack vulnerabilities
Configuring RADIUS policies (NPS)
Wi-Fi Protected Access (WPA2)
Secure access to wireless networks
Secure access to Ethernet networks
Smart cards for wireless and Ethernet
Server Hardening & Dynamic Access Control:
A recipe for hardening most servers
Dangerous protocols: SSL, RDP, IPv6, SMB
SMBv3 encryption and downgrade attacks
Pre-forensics and incident response preparation
Service accounts and recovery
Scheduling elevated tasks safely
Protocol stack hardening
Kerberos armoring and restricting NTLM
Server Core vs. Server Minimal/Full
DMZ cross-forest Active Directory trusts
Dynamic Access Control (DAC)
DAC for data loss prevention
DAC for complying with regulations
Automatic File Classification Infrastructure
PowerShell Scripting:
Getting comfortable in your shell
PowerShell remoting
Running cmdlets and scripts
Writing your own functions
Writing your own scripts
Flow control within scripts
Managing the event logs
Managing Active Directory
Windows Management Instrumentation (WMI)
Accessing COM Objects
Security and execution policy
ASKER
Thanks. I will look into it and do more research on them.
http://usgcb.nist.gov/ You can find good guides and reasoning for the settings there:
http://usgcb.nist.gov/usgcb/documentation/windows_settings_comparison.xls
http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf
2008 : http://web.nvd.nist.gov/view/ncp/repository?tier=&product=&category=Operating+System&authority=&keyword=2008
IIS : http://web.nvd.nist.gov/view/ncp/repository?tier=&product=Microsoft+Internet+Information+Services+7.0 (these will lead to zip files)
-rich