Managing Security


The Windows Server 2003 family was designed to make it easier both to manage security and to protect the network from outside threats. Software restriction policies protect your computing environment from untrusted software by allowing you to specify the software that's permitted to run. And when updates are released, a new infrastructure is available for administrators to acquire and centrally manage software updates.

Security Templates

Security templates let you create security policy for your network. They provide a single point of entry where the full range of system security can be taken into account; security templates do not introduce new security parameters, they simply organize all existing security attributes in one place to ease security administration. Importing a security template into a Group Policy object (GPO) eases domain administration by configuring security for a whole domain or organizational unit (OU) at once. Security templates can be used to define the following:

  • Account policies

      • Password policy

      • Account lockout policy

      • Kerberos policy

  • Local policies

      • Audit policy

      • User rights assignment

      • Security options

  • Event log: application, system, and security event log settings

  • Restricted groups: membership of security-sensitive groups

  • System services: startup and permissions for system services

  • Registry: permissions for registry keys

  • File system: permissions for folders and files

Each template is saved as a text-based .inf file. This enables you to copy, paste, import, or export some or all of the template attributes. With the exception of IP Security (IPSec) and public key policies, all security attributes can be contained in a security template. Each Windows Server 2003 family or Windows XP operating system ships with a set of predefined templates that supply various levels of security to suit your organization. These predefined templates can help you secure your system based on your needs. They are for

  • Reapplying default settings.

  • Implementing a highly secure environment.

  • Implementing a less secure but more compatible environment.

  • Securing the system root.

You can create a new security template with your own preferences or use one of the predefined security templates. For example, the security template Setup security.inf allows you to reapply default security settings; this template is created during setup for each computer and must be applied locally. Before making any changes to your security settings, you should understand the implications of those changes by testing them in a lab environment.
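Because a template is just a text .inf file, it can be audited outside the Security Templates snap-in. The script below is an added example, not code from the book: it parses a constructed template and checks its account policy against an organizational baseline. The section and key names ([System Access], MinimumPasswordLength, [Privilege Rights], [Group Membership]) are the ones Windows security templates use; the values, the domain SID, and the baseline are assumptions made up for the example.

```python
import configparser

# Constructed sample template in the secedit .inf layout used by Windows
# security templates. Section and key names are the real ones; the values
# (and the domain SID in the restricted-group entry) are made up.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MaximumPasswordAge = 42
MinimumPasswordLength = 6
PasswordComplexity = 0
PasswordHistorySize = 3
LockoutBadCount = 0
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
[Group Membership]
*S-1-5-32-544__Members = *S-1-5-21-1000-1000-1000-500
[Version]
signature="$CHICAGO$"
"""

# Minimum account-policy values this organization requires (constructed baseline).
BASELINE = {"MinimumPasswordLength": 8, "PasswordComplexity": 1,
            "PasswordHistorySize": 24, "LockoutBadCount": 5}


def parse_template(text):
    """Parse a .inf security template into {section: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case: SIDs and right names must survive unchanged
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def check_account_policy(template, baseline=BASELINE):
    """Return (key, found, required) for each [System Access] value below baseline."""
    access = template.get("System Access", {})
    return [(k, int(access.get(k, "0")), req)
            for k, req in baseline.items() if int(access.get(k, "0")) < req]


def restricted_members(template, group_sid):
    """Return the member SIDs a restricted-group entry enforces, or None if absent."""
    raw = template.get("Group Membership", {}).get(f"*{group_sid}__Members")
    return None if raw is None else [s.strip().lstrip("*") for s in raw.split(",") if s.strip()]


if __name__ == "__main__":
    t = parse_template(SAMPLE_TEMPLATE)
    for key, found, required in check_account_policy(t):
        print(f"{key}: template sets {found}, baseline requires {required}")
    print("Administrators (S-1-5-32-544) members:", restricted_members(t, "S-1-5-32-544"))
```

A LockoutBadCount of 0 means accounts are never locked out, so the less-than comparison flags it like any other weak value.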

Software Restriction Policies

Software restriction policies address the need to regulate unknown or untrusted software. With the rise in the use of networks, the Internet, and e-mail for business computing, users find themselves exposed to new software in a variety of ways. Users must constantly make decisions about running unknown software. Viruses, like Trojan horses, often intentionally misrepresent themselves to trick users into running them. It's difficult for users to make safe choices about which software they should run.

With software restriction policies, you can protect your computing environment from untrusted software by identifying and specifying which software is allowed to run. You can define a default security level of unrestricted or disallowed for a GPO so that software is either allowed or not allowed to run by default. You can make exceptions to this default security level by creating rules for specific software. For example, if your default security level is set to disallowed, you can create rules that allow specific software to run.

Software restriction policies consist of the default security level and all the rules that are applied to a GPO. Software restriction policies can be applied across a domain, to local computers, or to individual users. Software restriction policies provide a number of ways to identify software, and they provide a policy-based infrastructure to enforce decisions about whether the identified software can run. With software restriction policies, when users execute programs, they must adhere to the guidelines set up by administrators.

With software restriction policies, you can

  • Control the ability of programs to run on your system. For example, if you are concerned about users receiving viruses through e-mail, you can apply a policy setting that does not allow certain file types to run in the e-mail attachment directory of your e-mail program.

  • Permit users to run only specific files on multiuser computers. For example, if you have multiple users on your computers, you can set up software restriction policies in such a way that users do not have access to any software but those specific files that are necessary for their work.

  • Decide who can add trusted publishers to your computer.

  • Control whether software restriction policies affect all users or just certain users on a computer.

  • Prevent any files from running on your local computer, organizational unit, site, or domain. For example, if your system has a known virus, you can use software restriction policies to stop a computer from opening the file that contains the virus.

    Note

    Software restriction policies should not be used as a replacement for antivirus software.
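The interaction between the default level and rule exceptions is easiest to see in a small model. The following is an added example, not code from the book or from Windows: it models a policy with a default level, hash rules and path rules, applies the policy only to designated file types, lets a hash rule override any path rule, and lets the most specific matching path rule win. The folders, file types and the known-bad file contents are constructed sample data.

```python
import hashlib
from fnmatch import fnmatch
from pathlib import PureWindowsPath

# Simplified model of how a software restriction policy decides whether a
# file may run; written for this example, not the Windows implementation.
# Only hash rules and path rules are modelled: a hash rule beats any path
# rule, the most specific (longest) matching path rule beats shorter ones,
# and the default level applies when no rule matches. All data is constructed.

DESIGNATED_FILE_TYPES = {".exe", ".com", ".bat", ".cmd", ".vbs", ".scr", ".msi", ".pif"}
KNOWN_BAD = b"MZ constructed stand-in for a known malicious file"

class Policy:
    def __init__(self, default_level):
        self.default_level = default_level  # "Disallowed" or "Unrestricted"
        self.hash_rules = {}                # sha256 hex digest -> level
        self.path_rules = {}                # lower-cased path pattern -> level

    def add_hash_rule(self, data, level):
        self.hash_rules[hashlib.sha256(data).hexdigest()] = level

    def add_path_rule(self, pattern, level):
        self.path_rules[pattern.lower()] = level

    def evaluate(self, path, data):
        """Return the level that applies to running file `path` with contents `data`."""
        p = PureWindowsPath(path)
        if p.suffix.lower() not in DESIGNATED_FILE_TYPES:
            return "Unrestricted"           # policy only covers designated file types
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.hash_rules:       # hash rules take precedence over path rules
            return self.hash_rules[digest]
        norm = str(p).lower()
        hits = [(len(pat), lvl == "Disallowed", lvl) for pat, lvl in self.path_rules.items()
                if fnmatch(norm, pat) or norm.startswith(pat.rstrip("\\") + "\\")]
        if hits:
            return max(hits)[2]             # longest pattern wins; ties go to Disallowed
        return self.default_level


def sample_policy():
    """Constructed policy: default Disallowed with folder, attachment and hash exceptions."""
    pol = Policy("Disallowed")
    pol.add_path_rule(r"c:\windows", "Unrestricted")
    pol.add_path_rule(r"c:\program files\*", "Unrestricted")
    pol.add_path_rule(r"c:\program files\mailclient\attachments\*", "Disallowed")
    pol.add_hash_rule(KNOWN_BAD, "Disallowed")
    return pol
```

With this policy a program in a user's download folder falls to the default and is disallowed, the attachment folder stays blocked even though it sits under the allowed Program Files tree, and the known-bad file is blocked by hash wherever it is copied.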


Windows Update

Millions of users each week use Windows Update as a way to keep their Windows systems up-to-date. Windows Update allows users to connect to http://www.windowsupdate.com, where their computers are evaluated to determine which updates need to be applied to keep their systems up-to-date, as well as to determine any critical updates that will keep their systems safe and secure. Windows Update also extends these services with Critical Update Notification and Automatic Updates.

Specifically, Windows Update provides the following:

  • Microsoft Windows Update Services Catalog site.

    Administrators can download specific patches and drivers for distribution via SMS or other management tools. For more information, see http://windowsupdate.microsoft.com/catalog/.

  • Windows Update Consumer site.

    Designed primarily for consumers or users in a lightly managed network environment, this Windows Update site delivers updates to individual computers accessing the Web site. This feature can be turned off or managed via Group Policy. For more information, see http://windowsupdate.microsoft.com/.

  • Auto Update.

    Administrators can automatically download and install critical updates such as security patches, high-impact bug fixes, and new drivers when no driver is installed for a device. Auto Update helps IT managers better manage the deployment and installation of critical software updates, and it consolidates multiple reboots into a single one. Compatible with corporate hosted software update servers, as explained in the following section, Auto Update provides administrators with greater control of updates. Automatic updates can be configured automatically over the Internet or administered in-house.

  • Dynamic Update.

    Dynamic Update is designed to deliver emergency fixes to address any issues at setup time, such as new drivers that are required but not available on the CD.

  • Driver services.

    Windows Server 2003 helps administrators get the latest certified drivers to users through Web sites and enables integration with device manager and Plug and Play services.

Software Update Services

Because many corporations do not want their systems or users going to an external source for updates without first testing the updates, Microsoft is providing a version of Windows Update for installation inside your corporate firewall. Microsoft Software Update Services (SUS) allows customers to install a service on an internal Windows 2000-based or Windows Server 2003-based server that can download all critical updates as they are posted to Windows Update. Administrators can also receive e-mail notification when new critical updates have been posted.

SUS, which is currently available as an add-on to Windows 2000 Server, allows administrators to quickly and easily deploy the most critical updates to their servers as well as to desktop computers running Windows 2000 Professional or Windows XP Professional. This solution includes the following features:

  • Microsoft Software Update Services.

    This is the server component installed on a computer running Windows 2000 Server or Windows Server 2003 inside your corporate firewall. It synchronizes with the Windows Update site to deliver all critical updates for Windows 2000 and Windows XP. The synchronization can be automatic or completed manually by the administrator. When the updates are downloaded, you can test the updates in your environment and then decide which updates to approve for installation throughout your organization.

  • Automatic Updates client.

    This is the client component for installation on all of your Windows 2000-based or Windows Server 2003-based servers as well as computers running Windows 2000 Professional or Windows XP Professional. This enables your servers and client computers to connect to a server running SUS and receive any updates. You can control which server each client should connect to as well as schedule when the client should perform all installations of critical updates, either manually or via Group Policy and Active Directory.

  • Staged deployment.

    This is achieved by having multiple servers run SUS. You can have one server in your test lab, where you publish the updates first. If the clients of that test server install the updates correctly, you can configure your other servers running SUS to publish their updates. In this way, you can ensure that new changes do not break your standard desktop operating environment.

  • Server-to-server synchronization.

    Because you might need multiple servers running SUS inside your corporation in order to bring the updates closer to your desktops and servers for downloading, SUS allows you to point to another server running SUS instead of Windows Update, allowing these critical software updates to be distributed around your enterprise.

SUS is focused on getting critical updates for Windows 2000, Windows XP, and Windows Server 2003 inside your corporate firewall as quickly as possible. Many customers today can keep their systems secure by using electronic software distribution solutions, such as Systems Management Server (SMS), for complete software management, including responding to security and virus issues. These customers should continue using these solutions. Security-patch improvements allow SMS customers to know, through inventory, which computers require updates and then deploy those updates quickly and easily.

For more information about Software Update Services, see the Software Update Services Web site at http://www.microsoft.com/windows2000/windowsupdate/sus/.

Introducing Microsoft Windows Server 2003
ISBN: 0735615705
Year: 2005
Pages: 153