70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Download
1 / 46

Chapter 13 - PowerPoint PPT Presentation


  • 182 Views
  • Uploaded on

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network Chapter 13: Planning Server and Network Security. Objectives. Describe three types of security Plan security configurations for server roles Plan network protocol security Plan wireless network security

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Chapter 13' - LeeJohn


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Slide1 l.jpg

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 NetworkChapter 13: Planning Server and Network Security


Objectives l.jpg
Objectives 2003 Network

  • Describe three types of security

  • Plan security configurations for server roles

  • Plan network protocol security

  • Plan wireless network security

  • Define the default security settings used by Windows Server 2003

  • Plan a secure baseline for client computers and servers

  • Create a plan for software updates

  • Ensure secure administrative access

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Types of security l.jpg
Types of Security 2003 Network

  • Three commonly used categories are:

    • Physical security

    • Network security

    • Data security

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Physical security l.jpg
Physical Security 2003 Network

  • Physical security is controlling physical access to the computing devices on your network

    • Who has a key to the server room?

  • Prevents users and hackers from physically accessing network resources that they have no legitimate need to touch

  • After physical security is in place, software-based security is more effective

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Network security l.jpg
Network Security 2003 Network

  • Network security refers to accessing network-based resources through a computer network

  • Tools available for enforcing network security are: Authentication, IPSec and Firewalls

    • Authentication verifies the identity of users before giving them access to resources

    • IPSec encrypts data packets in transit on the network

    • Firewalls control data movement based on IP addresses and port numbers

  • For enhanced security, most organizations use a demilitarized zone (DMZ)

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Network security continued l.jpg
Network Security (continued) 2003 Network

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Network security continued7 l.jpg
Network Security (continued) 2003 Network

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Data security l.jpg
Data Security 2003 Network

  • Data security: mechanisms to ensure only authorized users access sensitive data

  • Tools for enforcing data security include:

    • NTFS permissions: used to control access to files and folders stored on network servers

    • Share permissions: used to control access to a particular network share

    • Auditing: allows you to track which users have performed, or attempted to perform, certain actions

    • EFS: encrypts files that are stored on NTFS partitions

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Encrypting file system l.jpg
Encrypting File System 2003 Network

  • EFS (encrypting file system) encrypts files that are stored on NTFS partitions

  • When files are stored encrypted, only the user who encrypted them, other designated users, or a designated recovery agent can decrypt and read them

  • Certificates used by EFS can be created automatically, through an internal CA or a third party CA

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Activity 13 1 using efs to protect files l.jpg
Activity 13-1: Using EFS to Protect Files 2003 Network

  • The purpose of this activity is to use EFS to protect files

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Planning security configuration for server roles l.jpg
Planning Security Configuration for Server Roles 2003 Network

  • General rules for server security are:

    • Disable unnecessary services

    • Limit access to the minimum required for users to perform their jobs

    • Use separate administrator accounts for different staff

    • Allow packets to necessary TCP and UDP ports only

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Securing domain controllers l.jpg
Securing Domain Controllers 2003 Network

  • Some ways to secure domain controllers are:

    • Place domain controller behind firewall

    • If VPN is being used, place the VPN in a DMZ

    • Use RADIUS

    • NetBIOS ports should be blocked by a firewall

    • NetBIOS can be disabled on the network connection that is connected to the Internet

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Securing web servers l.jpg
Securing Web Servers 2003 Network

  • Some ways to secure web servers are:

    • Web servers should be in a DMZ

    • Web sites that authenticate users or collect sensitive information should run on TCP port 443 using SSL

    • install the operating system, IIS, and the Web site data on separate hard drive partitions

    • remove any demonstration scripts that installed by default on the Web server

    • disable the ability to run scripts by disabling ASP processing and the processing of all other script types

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Activity 13 2 disabling script processing in iis l.jpg
Activity 13-2: Disabling Script Processing in IIS 2003 Network

  • The purpose of this activity is to disable processing of scripts in IIS

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Securing database servers l.jpg
Securing Database Servers 2003 Network

  • When securing database servers:

    • If concerned with protecting the data while it is in transit on the network between the client and the server, use IPSec

    • If database is used as part of a Web-based application, it is quite common to place the Web server in the DMZ and the SQL server on the internal, private network

    • A database that holds sensitive information should never be on the same server as the Web site

      • If the database runs on a separate server, then the hacker must still find the database

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Securing mail servers l.jpg
Securing Mail Servers 2003 Network

  • The only protection you can give a mail server is a firewall

  • Mail servers that communicate with the Internet should be placed in the DMZ

  • The best way for clients to access e-mail is from a server on the internal network

  • Configure a second e-mail server on the internal network that forwards all mail to the mail server in the DMZ

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Securing mail servers continued l.jpg
Securing Mail Servers (continued) 2003 Network

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Planning network protocol security l.jpg
Planning Network Protocol Security 2003 Network

  • A VPN connection can be used to secure IPX, AppleTalk, and TCP/IP network traffic

  • If TCP/IP is used, traffic can also be secured with IPSec or with SSL

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Using vpns to secure network traffic l.jpg
Using VPNs to Secure Network Traffic 2003 Network

  • A VPN is used to secure network traffic for remote users

    • All network traffic between the client computer and the VPN server is encrypted

    • A VPN can ensure that user access to confidential company information is not monitored by an ISP or hackers

  • VPNs can also be used internally on the network to protect network traffic to certain areas of the network

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Using ipsec to secure network traffic l.jpg
Using IPSec to Secure Network Traffic 2003 Network

  • IPSec is ideal for securing network traffic because:

    • It is very flexible to configure because rules can be configured to protect only certain traffic

    • In addition to performing encryption, IPSec authenticates both computers in the conversation to prevent imposters

    • Applications do not have to be aware of IPSec to use it - any IP-based application can use it

  • The major drawback to IPSec is that it does not move through NAT very well

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Securing web based applications l.jpg
Securing Web-based Applications 2003 Network

  • Key points concerning SSL (Secure Sockets Layer):

    • It is often used to secure Web-based applications

    • Requires that a certificate be installed on the server to which it is being connected

    • It is a well-recognized, standard protocol

    • It is not platform specific in any way

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Planning wireless network security l.jpg
Planning Wireless Network Security 2003 Network

  • Concepts regarding wireless security include:

    • Wired Equivalent Protocol

    • Authorized MAC addresses

    • Using VPNs to secure wireless access

    • 802.1X

    • Microsoft-specific mechanisms for configuring wireless networks

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Wired equivalent protocol l.jpg
Wired Equivalent Protocol 2003 Network

  • Wired Equivalent Privacy (WEP) is a protocol built into the 802.11 standards for wireless connectivity

  • WEP governs how data can be encrypted while in transit on the wireless network

  • WEP is seriously flawed when dealing with motivated hackers

  • WiFi Protected Access (WPA), is replacing WEP and fixes most of its flaws

  • WPA will be a standard in all newly certified wireless equipment as of January 2004

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Authorized mac addresses l.jpg
Authorized MAC Addresses 2003 Network

  • If you try to communicate with the AP using a wireless card with a MAC address that is not on the list, the AP ignores you

  • This prevents access to resources on your network, but is very awkward to implement

    • Each AP must be configured with the MAC address of each wireless network card

  • Packet sniffers can view MAC addresses and exploit them

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Using vpns to secure wireless access l.jpg
Using VPNs to Secure Wireless Access 2003 Network

  • One easy way to secure a wireless network is to require VPN authentication before allowing access to the main network

  • All packets that can be viewed by hackers with wireless connections are encrypted by the VPN

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


The 802 1x protocol l.jpg
The 802.1X Protocol 2003 Network

  • The protocol 802.1X is an authentication protocol defined by the IEEE to authenticate wireless users

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


The 802 1x protocol continued l.jpg
The 802.1X Protocol (continued) 2003 Network

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Configuring wireless networks l.jpg
Configuring Wireless Networks 2003 Network

  • Many wireless configuration settings are managed by the OS, and can be managed using Group Policy

  • In a group policy, you can define Wireless Network (802.11) policies where you can configure:

    • The type of wireless networks to access

    • Whether Windows should be used to configure the wireless networks for a client

    • Whether to connect to non preferred networks

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Activity 13 3 creating a policy for wireless workstations l.jpg
Activity 13-3: Creating a Policy for Wireless Workstations 2003 Network

  • The purpose of this activity is to create a policy to configure wireless workstations

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Default security settings l.jpg
Default Security Settings 2003 Network

  • Windows Server 2003 features:

    • It is more secure than Windows Server 2000

    • Only the Administrators group is given Full Control to the file system

    • A minimum of services is installed

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Default security settings continued l.jpg
Default Security Settings (continued) 2003 Network

  • Windows Server 2003 features (continued):

    • IIS is not installed by default

      • If IIS is installed after the server installation is complete, script processing must be enabled

    • Default security settings for Windows 2003 are configured during installation by applying a security template

      • A security template is a group of security settings that can be applied to server or client computers

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Activity 13 4 viewing default security settings l.jpg
Activity 13-4: Viewing Default Security Settings 2003 Network

  • The purpose of this activity is to view the default security settings in Setup security.inf

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Configuring client computers l.jpg
Configuring Client Computers 2003 Network

  • Client computers should be divided into categories where specific configuration options and a security template can be developed

  • When defining a security template, start by copying one of the predefined templates

  • The Security Configuration and Analysis snap-in can analyze and configure client computers from a GUI

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Configuring servers l.jpg
Configuring Servers 2003 Network

  • Servers should be categorized and grouped to assist in applying security settings

  • Servers are more likely to hold sensitive data than workstations, their settings are likely to be more restrictive for:

    • Password policies

    • Account lockout policy

    • Users performing local logons

    • Auditing, limiting services

    • Restricting file

    • Registry permissions

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Activity 13 5 analyzing security l.jpg
Activity 13-5: Analyzing Security 2003 Network

  • The purpose of this activity is to compare the default security level of your server to the hisecws.inf template

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Software updates l.jpg
Software Updates 2003 Network

  • Systems must be fully patched because viruses take advantage of known flaws in operating systems and applications for which there are patches available

  • To help administrators keep systems patched, Microsoft has released a number of tools:

    • Windows Update

    • Automatic Updates

    • Software Update Services

    • Microsoft Baseline Security Analyzer

    • Hfnetchk

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Windows update l.jpg
Windows Update 2003 Network

  • Windows Update is a Web site that administrators and users can visit to find out which updates are available for their systems

  • Windows Update

    • Automatically checks for the files that are needed

    • Downloads them

    • Installs them

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Automatic updates l.jpg
Automatic Updates 2003 Network

  • Automatic Updates is a service that runs on Windows clients and servers that makes the process of downloading and installing hotfixes automatic

  • Automatic Updates is a significant improvement over Windows Update because it is automatic and configurable

    • This takes a significant load off of administrator

    • It is not very efficient because all downloads are from the Internet

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Activity 13 6 configuring automatic updates l.jpg
Activity 13-6: Configuring Automatic Updates 2003 Network

  • The purpose of this activity is to configure Automatic Updates to download and install patches automatically

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Software update services sus l.jpg
Software Update Services (SUS) 2003 Network

  • SUS is a service available for Windows 2000 and Windows Server 2003

  • Automatically downloads the latest hotfixes and service packs from the Windows Update Web site

  • Client computers on your network then can download the hotfixes and service packs from a local server on the network instead of the Internet

    • Internet traffic is reduced

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Microsoft baseline security analyzer l.jpg
Microsoft Baseline Security Analyzer 2003 Network

  • The Microsoft Baseline Security Analyzer (MBSA) is a tool that verifies security updates on a wide variety of Microsoft operating systems and applications

  • MBSA can scan a single machine or an entire group of computers on the network

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Hfnetchk l.jpg
Hfnetchk 2003 Network

  • Hfnetchk is an older command-line utility for verifying patch levels on Windows clients and servers

  • It is no longer offered by Microsoft as a stand-alone utility

  • The functionality of Hfnetchk is now only available in MBSA

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Securing administrative access l.jpg
Securing Administrative Access 2003 Network

  • Administrators should maintain two accounts:

    • One for day-to-day work with limited permission (like an average user)

    • One with elevated privileges and permissions that are required for administration of the network

  • Most network administrators find it cumbersome to log on and off of the network as they switch between tasks; Windows Server 2003 allows administrators to run individual applications as a different user

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Summary l.jpg
Summary 2003 Network

  • Three types of security are: physical security, network security and data security

  • EFS (encrypting file system) encrypts files that are stored on NTFS partitions

  • Securing all servers includes the following:

    • Disabling unnecessary services

    • Limiting access to the minimum required for users to perform their jobs

    • Using separate administrator accounts for different staff, and allow packets to necessary TCP and UDP ports only

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Summary continued l.jpg
Summary (continued) 2003 Network

  • Domain controllers should not be exposed to traffic from the Internet and should not be located in a DMZ

  • Web servers that are accessible from the Internet should be located in a DMZ

  • Database servers should be on the internal network

  • Mail servers must be accessible from the Internet and should be located in a DMZ

  • A VPN can be used to secure network traffic for IP, IPX, and AppleTalk packets

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


Summary continued46 l.jpg
Summary (continued) 2003 Network

  • Common standards for wireless networks are 802.11b and 802.11g

  • Default security settings for Windows Server 2003 are much more secure than Windows 2000 Server

  • Software updates can be managed using:

    • Windows Update

    • Automatic Updates

    • SUS

    • MBSA

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network


ad