Practical Task # 3


Task № 2.

For lesson 1:
1. What is Availability?
Availability is the concept that authorized subjects are granted timely and
uninterrupted access to objects.
2. What is an SLA?
A service-level agreement (SLA) is a commitment between a service provider
and a client. Particular aspects of the service – quality, availability,
responsibilities – are agreed between the service provider and the service user.
[1] The most common component of an SLA is that the services should be
provided to the customer as agreed upon in the contract.
3. How do you calculate the SLA?
Index SLA = (time when the information asset is available) / (365 × 24)
4. How many hours was the datacenter not available, for an availability index of:
0.997
0.999
5. The Internet channel was not available in May for 3 hours, in October for 5
hours, and in December for 12 hours. What is the index of availability?
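An availability calculator, added here as a worked example (it is not part of the original handout), that applies the formula above in both directions: from a list of outage durations to the availability index, and from a contracted index back to the number of downtime hours it allows per year. The function names are my own, and the outage figures are the handout's constructed exercise values rather than measurements.

```powershell
# Added example: availability index = available hours / (365 * 24).
# Function and parameter names are assumptions; outage values are constructed.

$HoursPerYear = 365 * 24   # 8760 hours in a non-leap year

function Get-AvailabilityIndex {
    # $DowntimeHours: outage durations during the year, one value per incident
    param([double[]]$DowntimeHours)
    $totalDown = ($DowntimeHours | Measure-Object -Sum).Sum
    if (-not $totalDown) { $totalDown = 0 }     # empty list -> no downtime
    $available = $HoursPerYear - $totalDown
    [math]::Round($available / $HoursPerYear, 5)
}

function Get-AllowedDowntimeHours {
    # Inverse direction: how many outage hours per year an index still permits
    param([double]$AvailabilityIndex)
    [math]::Round((1 - $AvailabilityIndex) * $HoursPerYear, 2)
}

function Test-SlaMet {
    # Compare a measured index against the contracted one
    param([double]$Measured, [double]$Contracted)
    $Measured -ge $Contracted
}

# Question 5: outages of 3 h (May), 5 h (October) and 12 h (December)
$index = Get-AvailabilityIndex -DowntimeHours 3, 5, 12
"Availability index: $index"            # (8760 - 20) / 8760

# Question 4: downtime budget implied by an index of 0.997 and of 0.999
foreach ($target in 0.997, 0.999) {
    "{0}: at most {1} h of downtime per year" -f $target, (Get-AllowedDowntimeHours $target)
}

"Does $index meet a 0.999 SLA? $(Test-SlaMet -Measured $index -Contracted 0.999)"
```

Keeping the year length in one variable makes the leap-year decision (8760 versus 8784 hours) an explicit contract term rather than a hidden constant, which is where such calculations usually disagree between provider and client.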

For lesson 2.
We will speak about baselines.

Let's prepare together a baseline for the Windows Server 2012 user account
policy.

Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy

If individual groups require distinct password policies, these groups should
be separated into another domain or forest, based on additional
requirements.

For information about setting security policies, see How to Configure
Security Policy Settings.

The following topics provide a discussion of password policy
implementation and best practices considerations, policy location, default
values for the server type or GPO, relevant differences in operating system
versions, security considerations (including the possible vulnerabilities of
each setting), countermeasures that you can take, and the potential impact
for each setting.

Enforce password history

Possible values
User-specified number from 0 through 24

Not defined

Best practices
Set Enforce password history to 24. This will help mitigate vulnerabilities
that are caused by password reuse.

Set Maximum password age to 60 days. Try to expire the passwords
between major business cycles to prevent work loss.

Configure Minimum password age so that you do not allow passwords to be
changed immediately.

Maximum password age

Possible values
User-specified number of days between 0 and 999

Not defined

Best practices
Set Maximum password age to 60 days, depending on your environment.
This way, an attacker has a limited amount of time in which to compromise
a user's password and have access to your network resources.

Minimum password age

Possible values
User-specified number of days between 0 and 998

Not defined

Best practices
Set Minimum password age to a value of 1 day. Setting the number of days
to 0 allows immediate password changes, which is not recommended.
If an administrator sets a password for a user and wants that user to change
the administrator-defined password, the administrator must select the User
must change password at next logon check box. Otherwise, the user will not
be able to change the password until the number of days specified by.

Minimum password length

Reference
The Minimum password length policy setting determines the least number of
characters that can make up a password for a user account. You can set a
value of between 1 and 14 characters, or you can establish that no password
is required by setting the number of characters to 0.

This policy setting is supported on versions of Windows that are designated
in the Applies To list at the beginning of this topic.

Possible values
User-specified number of characters between 0 and 14

Not defined

Best practices
Set Minimum password length value to 14. If the number of characters is set
to 0, no password is required. In most environments, a fourteen-character
password is recommended because it is long enough to provide adequate
security and still short enough for users to easily remember. This value will
help provide adequate defense against a brute force attack. Adding
complexity requirements will help reduce the possibility of a dictionary
attack. For more information, see Password must meet complexity
requirements.

Permitting short passwords reduces security because short passwords can be
easily broken with tools that perform dictionary or brute force attacks
against the passwords. Requiring very long passwords can result in mistyped
passwords that might cause an account lockout and subsequently increase
the volume of Help Desk calls.

In addition, requiring extremely long passwords can actually decrease the
security of an organization because users might be more likely to write down
their passwords to avoid forgetting them. However, if users are taught that
they can use passphrases (sentences such as "I want to drink a $5
milkshake"), they should be much more likely to remember.

Password must meet complexity requirements

Passwords may not contain the user's samAccountName (Account Name)
value or entire displayName (Full Name value). Both checks are not case
sensitive.

The samAccountName is checked in its entirety only to determine whether it
is part of the password. If the samAccountName is less than three characters
long, this check is skipped.

The displayName is parsed for delimiters: commas, periods, dashes or
hyphens, underscores, spaces, pound signs, and tabs. If any of these
delimiters are found, the displayName is split and all parsed sections
(tokens) are confirmed to not be included in the password. Tokens that are
less than three characters are ignored, and substrings of the tokens are not
checked. For example, the name "Erin M. Hagens" is split into three tokens:
"Erin", "M", and "Hagens". Because the second token is only one character
long, it is ignored. Therefore, this user could not have a password that
included either "erin" or "hagens" as a substring anywhere in the password.

The password contains characters from three of the following categories:

Uppercase letters of European languages (A through Z, with diacritic marks,
Greek and Cyrillic characters)

Lowercase letters of European languages (a through z, sharp-s, with diacritic
marks, Greek and Cyrillic characters)

Base 10 digits (0 through 9)

Nonalphanumeric characters: ~!@#$%^&*_-+=`|(){}[]:;"'<>,.?/

Any Unicode character that is categorized as an alphabetic character but is
not uppercase or lowercase. This includes Unicode characters from Asian
languages.
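To make the complexity rules above concrete, here is a re-implementation of them, added as an example; it is not Microsoft's code and does not reproduce the exact behaviour of the Windows password filter, only the rules as the text states them: the whole-value samAccountName check (skipped under three characters), the displayName tokenisation on the listed delimiters with tokens shorter than three characters ignored, and the requirement for three of the five character categories. The function names and the account values (the "Erin M. Hagens" user with a constructed samAccountName of ehagens) are my own.

```powershell
# Added example: the complexity check as described in the policy text.
# Function names are assumptions; the user and passwords are constructed.

function Get-DisplayNameTokens {
    # Split the displayName on the listed delimiters and drop tokens shorter
    # than three characters (the check ignores those).
    param([string]$DisplayName)
    $delimiters = [char[]]@(',', '.', '-', '_', ' ', '#', "`t")
    @($DisplayName.Split($delimiters) | Where-Object { $_.Length -ge 3 })
}

function Get-CharacterCategoryCount {
    # Count how many of the five character categories the password draws from.
    param([string]$Password)
    $symbols = '~!@#$%^&*_-+=`|(){}[]:;"''<>,.?/'
    $upper = $lower = $digit = $symbol = $otherAlpha = $false
    foreach ($c in $Password.ToCharArray()) {
        if     ([char]::IsUpper($c))        { $upper = $true }
        elseif ([char]::IsLower($c))        { $lower = $true }
        elseif ([char]::IsDigit($c))        { $digit = $true }      # also admits non-ASCII decimal digits
        elseif ($symbols.IndexOf($c) -ge 0) { $symbol = $true }
        elseif ([char]::IsLetter($c))       { $otherAlpha = $true } # alphabetic, neither case (e.g. CJK)
    }
    $count = 0
    foreach ($present in $upper, $lower, $digit, $symbol, $otherAlpha) { if ($present) { $count++ } }
    return $count
}

function Test-PasswordComplexity {
    param([string]$Password, [string]$SamAccountName, [string]$DisplayName)
    $reasons = @()
    $lowered = $Password.ToLowerInvariant()   # both name checks are case-insensitive

    # samAccountName: whole value only, skipped when shorter than three characters
    if ($SamAccountName.Length -ge 3 -and $lowered.Contains($SamAccountName.ToLowerInvariant())) {
        $reasons += "contains samAccountName '$SamAccountName'"
    }
    # displayName: each token of three or more characters, substrings of tokens not checked
    foreach ($token in Get-DisplayNameTokens $DisplayName) {
        if ($lowered.Contains($token.ToLowerInvariant())) {
            $reasons += "contains displayName token '$token'"
        }
    }
    $categories = Get-CharacterCategoryCount $Password
    if ($categories -lt 3) {
        $reasons += "uses only $categories of 5 character categories (3 required)"
    }
    [pscustomobject]@{
        Password  = $Password
        Compliant = ($reasons.Count -eq 0)
        Reasons   = ($reasons -join '; ')
    }
}

# Constructed cases for the user from the text: samAccountName 'ehagens',
# displayName 'Erin M. Hagens' (tokens: Erin, Hagens; 'M' is ignored).
$cases = 'Hagens2024!', 'M1lkshake$5', 'summertime', 'Erin-Rocks-1'
$cases | ForEach-Object {
    Test-PasswordComplexity -Password $_ -SamAccountName 'ehagens' -DisplayName 'Erin M. Hagens'
} | Format-Table -AutoSize
```

Of the four constructed passwords, only M1lkshake$5 passes: Hagens2024! and Erin-Rocks-1 fail on a displayName token even though both mix enough categories, and summertime fails on categories alone. The point worth noticing is that the category rule and the name rule are independent, so a password can look "strong" by the first and still be rejected by the second.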

Store passwords using reversible encryption

Reference
The Store password using reversible encryption policy setting provides
support for applications that use protocols that require the user's password
for authentication. Storing encrypted passwords in a way that is reversible
means that the encrypted passwords can be decrypted. A knowledgeable
attacker who is able to break this encryption can then log on to network
resources by using the compromised account. For this reason, never enable
Store password using reversible encryption for all users in the domain unless
application requirements outweigh the need to protect password information.

If you use the Challenge Handshake Authentication Protocol (CHAP)
through remote access or Internet Authentication Services (IAS), you must
enable this policy setting. CHAP is an authentication protocol that is used by
remote access and network connections. Digest Authentication in Internet
Information Services (IIS) also requires that you enable this policy setting.

This policy setting is supported on versions of Windows that are designated
in the Applies To list at the beginning of this topic.

Possible values
Enabled

Disabled

Not defined

Best practices
Set the value for Store password using reversible encryption to Disabled. If
you use CHAP through remote access or IAS, or Digest Authentication in
IIS, you must set this value to Enabled. This presents a security risk when
you apply the setting by using Group Policy on a user-by-user basis because
it requires opening the appropriate user account object in Active Directory
Users and Computers.
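The settings walked through above (history 24, maximum age 60 days, minimum age 1 day, length 14, complexity on, reversible encryption off) can be applied and verified from PowerShell. The script below is an added example, not from the handout or from Microsoft's documentation; it assumes the ActiveDirectory module on a domain-joined machine with rights to edit the policy, and corp.example.com is a placeholder for the real domain name. The cmdlet and parameter names are the module's own.

```powershell
# Added example: apply the password policy baseline from the text to the
# domain's default password policy and read it back for verification.
Import-Module ActiveDirectory

$Domain = 'corp.example.com'   # placeholder: replace with your domain

# Baseline values as recommended in the text
$Baseline = @{
    PasswordHistoryCount        = 24
    MaxPasswordAge              = New-TimeSpan -Days 60
    MinPasswordAge              = New-TimeSpan -Days 1
    MinPasswordLength           = 14
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
}

Set-ADDefaultDomainPasswordPolicy -Identity $Domain @Baseline

# Verify: compare what the domain now reports against the intended values
$Policy = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
$Checks = @(
    @{ Setting = 'Enforce password history';    Expected = 24;     Actual = $Policy.PasswordHistoryCount }
    @{ Setting = 'Maximum password age (days)'; Expected = 60;     Actual = $Policy.MaxPasswordAge.Days }
    @{ Setting = 'Minimum password age (days)'; Expected = 1;      Actual = $Policy.MinPasswordAge.Days }
    @{ Setting = 'Minimum password length';     Expected = 14;     Actual = $Policy.MinPasswordLength }
    @{ Setting = 'Complexity requirements';     Expected = $true;  Actual = $Policy.ComplexityEnabled }
    @{ Setting = 'Reversible encryption';       Expected = $false; Actual = $Policy.ReversibleEncryptionEnabled }
)
$Checks | ForEach-Object {
    [pscustomobject]@{
        Setting  = $_.Setting
        Expected = $_.Expected
        Actual   = $_.Actual
        OK       = ($_.Actual -eq $_.Expected)
    }
} | Format-Table -AutoSize
```

One caveat for the baseline exercise: the cmdlet writes the domain object's attributes directly, while the GPO path named at the start of this lesson (Default Domain Policy) re-applies whatever it defines at the next Group Policy refresh. The durable place for the baseline is therefore the GPO; the script is useful for a quick change and, above all, for the verification step, which is what turns a baseline document into something you can audit.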

Firewall

Yes (default)
1. Practical task № 1.
Prepare a security baseline for the antimalware software policy, which includes the scanning
schedule, rules for updating and for checking USB devices, and other requirements.

2. Prepare a firewall security baseline for protecting the corporate LAN shown in this
picture.
