So Windows Server 8 is out in beta now and there are a lot of new features and functionality. We’ll be covering them off over the next few weeks starting with some small but signifigant changes in regards to file services.
First up is Dynamic Access Control which provides for a more flexible and granular control over data classification, access policies, audit policies and RMS. Windows Server 8 support for modeling the effective access to a file/folder along with:
- Support for multiple auditing policies
- Automatic classification mechanisms for file servers to allow administrators to easily customize automatic classification
- Access Denied Remediation to support any file type launched from explorer
More importantly is support for SMB level encryption. Currently SMB traffic is not encrypted and if you need it to be you must deploy IPSec and is all or nothing. With SMB encryption it can be enabled per server
Continue reading Windows Server 8–File Sharing
Microsoft has a great wiki that outlines all the AV exclusions required for all the different Enterprise products you may have deployed in your organization. It covers everything from AD to SQL, Failover Cluster Service to IIS, ISA and more. You can find the Windows Anti Virus Exclusions list here.
Also included in the list is the System Center suite of products, with the exception of Service Manager. While I am sure Microsoft will get around to updating the wiki you can use the list of files, folders and processes below to create an exclusion list for Service Manager.
Service Manager Folders
The following folder should be excluded from real time AV scanning…
%ProgramFiles%\Microsoft System Center\Service Manager 2010\Health Service State\*
Service Manager Processes
The following processes should be excluded from real time AV scanning…
%programfiles%\Microsoft System Center\Service Manager 2010\HealthService.exe
%programfiles%\Microsoft System Center\Service Manager 2010\MonitoringHost.exe
%programfiles%\Microsoft System Center\Service Manager 2010\Microsoft.Mom.Sdk.ServiceHost.exe
%programfiles%\Microsoft System Center\Service Manager 2010\Microsoft.Mom.ConfigServiceHost.exe
Many admins prefer to use a command line interface (CLI) to perform the management of servers and services. If you know the commands it can be much faster than using a GUI. WSUS is one of those servers that can be managed via a command line.
The tool used to manage a WSUS server via the command line is WSUSUtil.exe and it can perform a number of tasks with the following switches.
Every once in a while Microsoft does something that causes admins all over to sigh FINALLY, Access Based Enumeration (ABE) is one such feature. New to Windows Server 2003 is the ability to install a small add-on that delivers what Novell and *Nix admins have had forever; the ability to hide files or folders that the user has no rights to access.
When enabled, ABE will hide the folders and files underneath a share when the user who is mapped to the share has no permissions to read them. This is a security friendly and end user friendly feature, if you don’t have permissions to see it you shouldn’t and if you don’t need to see it you won’t! Here is a typical shared folder with a few folders beneath it. The user does not have permissions to the Microsoft folder however it still appears.
Continue reading Access Based Enumeration
Encrypted File System (EFS) is a feature built into Windows 2000, XP and 2003 that allows users to securely encrypt files and folders. You can increase this level of security in Windows XP and 2003 by implementing a more secure encryption algorithm.
By default, Windows 2000, XP and Server 2003 use the DESX algorithm to encrypt data in EFS. Windows XP and 2003 systems allow you to upgrade EFS and use the 3DES encryption algorithm instead of DESX. This can be accomplished in two ways, via Group Policy or a registry edit. When enabling 3DES using Group Policy both IPSec and EFS will use the 3DES algorithm. If you do not want to use Group Policy, or do not want to modify the IPSec configuration, you can enable this in the registry instead. Open up the registry and drill down to; this will cause both EFS and IPsec to use
Continue reading Implement 3DES Excryption for EFS
Windows Sharepoint Services and its bigger brother Sharepoint Portal Server are powerful tools, but like any website there are a number of authentication methods you can apply to secure your Sharepoint site(s).
WSS and SPS use the authentication method you specify in the IIS virtual server properties for the top level site and all its subsites. There are a number of authentication methods available including:
- Anonymous authentication
- Basic authentication
- Integrated Windows authentication
- Certificate-based authentication
WSS and SPS support all these authentication methods and you can modify the default authentication methods for virtual servers hosting Sharepoint sites. You also have the ability to enable Secure Sockets Layer (SSL) to further secure your sites or the Sharepoint administration site. By default Sharepoint uses Integrated Windows authentication and this is perfectly fine for internal use, however if you wish to allow access to external users, enabling Basic authentication and SSL
Continue reading Configure Authentication for Sharepoint Sites
Encrypted File System (EFS) is a secure way to encrypt files and folders on your workstation (or server). EFS is pretty much uncrackable due to the way files are encrypted. EFS encryption keys are generated on the fly to encrypt the file.
The File Encryption Key (FEK) is encrypted along with the EFS public key and is combined with the file adding an called the Data Decryption Field (DDF). To decrypt the FEK, you must have the matching EFS private key from the public/private pair. Once FEK is decrypted it is used to decrypt the file. Using Cipher.exe, you can quickly export your key, which you can put on a USB drive or a floppy for safe keeping. Run the following command to begin the export.
You will be prompted with a warning message, click OK to proceed. Enter a name for the backup
Continue reading Backup EFS Certificates with Cipher
If you are going to buy one book on Windows security this year, look no further. Protect Your Windows Network: From Perimeter To Data is full of valuable information written by two experts with years of real-world experience. It is the book for Windows administrators looking to protect their networks!
This book is not your typical “hardening” guide full of step-by-step tutorials and registry tweaks for you to follow. In reality, these tweaks usually break things and because every network is different, they don’t always apply. This book takes a different approach and is written in a relaxed tone and often feels like you are having a discussion with the authors rather than reading a book. The book begins with a basic introduction network attacks, and disects an attack based on common SQL Injection type attacks.
From there the book begins discussing the how’s and why’s of network security
Continue reading Book: Protect Your Windows Network: From Perimeter to Data
You can improve SSL performacne by enabling kernel-mode Secure Sockets Layer (SSL). Kernel-mode SSL improves performance by allowing encryption and decryption to take place in the kernel where processing is done faster.
Windows Server 2003 Service Pack 1 allows you run SSL in kernel mode instead of the default, user mode. By running SSL in Kernel mode, SSL is allowed to operate in the core address space (aka the kernel) of Windows 2003 which will increase performace by reducing the amount of transistions between user and kernel modes. Now before you jump in and make the change, there are a few things you need to be aware of! Kernel mode SSL does not support:
- Client certificates
- RC2 ciphers
- PCT 1.0 protocol is not supported
- Bulk encryption offload
- ISAPI GetServerVariable calls for certificate information
Also you should know that any configuration changes you make to the server certificate(s)
Continue reading Using Kernel Mode SSL
In Securing Wifi with IAS Pt.1 – Server Configuration we configured a Windows Server 2003 with RADIUS in an effort to secure a wireless LAN (WLAN). This part will cover the client configuration.
The first part is dependant on your Wireless Access Point (WAP). You will need to edit the security settings and configure it to use RADIUS, select the encryption algorithm (AES), enter the IP address of the Radius server and the enter the shared key you set in the RADIUS Client configuration. Please refer to your WAPs manual. Open the Network Connection Properties window and click the Wireless Networks tab. Select your SSID from the Preferred Networks and press the Properties button.
Under the Association tab, select WPA as the Authentication type and AES as the Data Encryption type.
Switch to the Authentication tab and choose Protected EAP
Continue reading Securing Wifi with IAS Pt.2 – Client Configuration