Document introduction: An In-Depth Look at Enterprise Network Security Defense Architecture
This Presentation Is NOT…
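Not a tutorial on basic networking concepts
Requires networking knowledge and skills
Requires knowledge of and skills with network connectivity devices
Not a Windows operating system tutorial
Requires familiarity with operating any version of the Windows operating system
Requires knowledge of and skills with the latest Windows operating system
Not a tutorial on basic Windows configuration
Does not address problems outside information security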
This Presentation Is About…
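Host and service defense
File and resource defense
Application defense
Network defense
The Defense in Depth Concept
Layered defense is recommended
Increases the chance that an intruder is detected
Reduces the chance that an intrusion succeeds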
Policies, Procedures, & Awareness: User education
Physical Security: Guards, locks, tracking devices
Perimeter: Firewalls, VPN quarantine
Internal Network: Network segments, IPSec, NIDS
Host: OS hardening, update management, authentication, HIDS
Application: Application hardening, antivirus
Data: ACL, encryption
Secure in Deployment
Windows Server 2003 Security Guide
Configuration automation
Monitoring infrastructure
Prescriptive guidance
Secure by Design
Code reviews
IIS re-architecture
Threat models
$200M investment
Secure by Default
60% less attack surface area by default compared to Windows NT SP3
Services off by default
Services run at lower privilege
Communications
Communities
Architecture webcasts
Conferences
Why Default Settings Are Not Secure Enough
Hardening must be in response to the environment
One-size does not fit all
Breaks existing applications
Bad user experience
Default configuration generally appropriate for works
Windows Server 2003 Security Guide: Design Goals
Provide actionable, authoritative guidelines for
End users
System Administrators
Security Administrators
Guidelines are
Proven in real world testing
Relevant and accomplish real security
Accurate
Hardening Server Security
Apply to Relevant Servers in the Organization
Securing Domain Infrastructure
MSBP
Domain Controllers
Infrastructure Servers
File & Print Servers
Information Servers
PKI Servers
RADIUS Servers
Bastion Servers
Applied through Incremental Group Policy
Hardening Procedures
Domain Architecture
Establishing Security Boundaries
Security starts at the domain infrastructure
Forest vs. Domain
True Security Boundary = Forest
Domain is a Management Boundary of Well-Meaning Administrators
Administrative distinctions
Enterprise Administrators are just that
Delegate ani