System objects, including files and folders, have access control lists (ACLs) composed of access control entries (ACEs) that grant or deny users or groups specific permissions.
Users can be added directly to ACLs, although this is not a scalable solution and should typically not be used except in specific scenarios where you want to severely limit access (by adding a single user rather than an entire group).
User account groups can be added to ACLs, and this method affords the ability to manage permissions through group membership.
User account groups can be added to resource groups, which are groups on the resource itself (such as a file, folder, or printer). The resource groups are then added to ACLs and assigned specific permissions. This is highly scalable and appropriate for large organizations, but is not recommended if permissions change frequently.
Role-based access requires the use of Windows Server 2003 and applications must support this framework. This method provides very granular setting of permissions based on defined roles within an application.
Auditing allows you to monitor access to files, folders, accounts, and objects. You can also audit the use of privileges to ensure that accounts and permissions are being used as intended.
You can restrict Registry access by using group policy, security templates, or editing the Registry.
Files and folders can be encrypted and decrypted on a folder or file basis using EFS in Windows Server 2003.
EFS relies on the CryptoAPI for encryption services.
Files that are encrypted can only be decrypted by the original encryptor, users who have been granted permission to access the encrypted file, or the recovery agent.
Sharing encrypted files and encrypting Web-based files are both new features of EFS in Windows Server 2003.
EFS uses a user's certificate, requests a certificate from a CA, or generates a certificate for use with the encrypted file.
A recovery agent is used to recover an encrypted file in the event a user's credentials are lost or a user leaves the company.
Additional recovery agents and other recovery settings can be configured via recovery policy in the Group Policy Editor snap-in in the Microsoft Management Console (MMC).
The cipher.exe command-line utility can be used to encrypt and decrypt files and folders as well as to perform other EFS-related functions such as creating a recovery agent.
It's important that a recovery agent's credentials and the user's private key be removed from the system for security purposes. These can be restored to a system to decrypt a file if needed.
Importing and exporting certificates and keys can be done via the Certificate snap-in to the MMC.
Backup and recovery planning are essential elements of security.
If a system fails or is compromised in some manner, it must be restored using current backups.
Backups should be well planned to provide adequate security for data. Depending on the frequency of data modification, backups can be scheduled in real time, hourly, daily, or weekly.
Backups can be daily, copy, normal, incremental, or differential.
Backups can be to local resources or offsite resources, and media typically is either tape or disk.
Backup media should be secured since it contains a copy of all corporate data.
Backup sets should be created and at least one set should always be kept offsite in the event of a problem with the site itself such as flooding or fire.
Recovery plans must include all aspects of bringing the system back online, including restoring the system itself and restoring data to the system.
Windows Server 2003 includes several built-in tools that can be used, including Emergency Management Services, the Recovery Console, Automated System Recovery backup sets, and the ability to specify what a system will do in the event of an error or Stop.
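The five backup types listed above differ in which files they select and whether they clear the file's archive attribute. The following model is an added example, not part of the original text; it follows the standard Windows Backup semantics for the archive attribute, and the file names and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class File:
    name: str
    modified: date
    archive: bool = True  # the file system sets this when a file is created or changed

# type -> (select only files with the archive bit set?, clear the bit afterwards?)
BACKUP_TYPES = {
    "normal":       (False, True),
    "copy":         (False, False),
    "incremental":  (True,  True),
    "differential": (True,  False),
}

def run_backup(kind, files, today):
    """Return the file names written to the backup set; update archive bits."""
    if kind == "daily":
        # Daily selects by modification date and never touches the archive bit.
        return [f.name for f in files if f.modified == today]
    only_flagged, clears = BACKUP_TYPES[kind]
    selected = [f for f in files if f.archive or not only_flagged]
    if clears:
        for f in selected:
            f.archive = False
    return [f.name for f in selected]

def modify(f, day):
    """Simulate a user edit: new modification date, archive bit set again."""
    f.modified, f.archive = day, True

def week(midweek_kind):
    """Normal backup on day 1, then `midweek_kind` on days 2 and 3.
    One file changes before each midweek backup. Returns the three sets."""
    d1, d2, d3 = date(2004, 3, 1), date(2004, 3, 2), date(2004, 3, 3)  # constructed
    files = [File("a.doc", d1), File("b.xls", d1), File("c.mdb", d1)]  # constructed
    sets = [run_backup("normal", files, d1)]
    modify(files[0], d2)
    sets.append(run_backup(midweek_kind, files, d2))
    modify(files[1], d3)
    sets.append(run_backup(midweek_kind, files, d3))
    return sets

if __name__ == "__main__":
    for kind in ("incremental", "differential", "copy", "daily"):
        print(f"{kind:13}", week(kind))
```

The output shows why restore planning depends on the type: a restore from incrementals needs the normal set plus every incremental since, while a restore from differentials needs only the normal set plus the most recent differential.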