70-298: MCSE Guide to Designing Security for a Microsoft Windows Server 2003 Network - PowerPoint PPT Presentation

Presentation Transcript

70-298: MCSE Guide to Designing Security for a Microsoft Windows Server 2003 Network

Chapter 4: Securing the Network Management Process


Exam Objectives

  • 2.3 Design security for network management

  • 2.3.1 Manage the risk of managing networks

  • 2.3.2 Design the administration of servers by using common administration tools

  • 2.3.3 Design security for Emergency Management Services

  • 2.4 Design a security update infrastructure



Exam Objectives (continued)

  • 2.4.1 Design a Software Update Services (SUS) infrastructure

  • 2.4.2 Design Group Policy to deploy software updates

  • 2.4.3 Design a strategy for identifying computers that are not at the current patch level

  • 2.2.2 Design forest and domain trust models

  • 2.2.3 Design security that meets interoperability requirements



Introduction

  • Network management process:

    • Vulnerable to attack

    • Use technical and policy measures to secure

  • Create a patch management strategy

  • Design trust relationships for large-scale networks

  • Use the domain and forest trust model in Windows Server 2003



Securing the Network Management Process

  • Physical network:

    • Restrict access to the network perimeter

  • Create a file-and-folder permission structure

  • Secure user accounts

  • Tools and utilities used to administer network have potential for misuse:

    • Set security guidelines and policies

    • Implement role-based administration



Managing the Risks of Network Administration

  • Don’t grant all administrators the same level of administrative rights

  • Network administrators are vulnerable to social engineering attacks



Security Policies for Administrators and IT Personnel

  • Network management policy:

    • Specify ways to manage the enterprise network in a secure manner

    • Includes:

      • Detailed explanation of tools for managing network

      • List of users or user groups who can manage network

      • Appropriate procedures for managing network resources



Security Policies for Administrators and IT Personnel (continued)

  • Security policy:

    • Ensure that administrators manage network resources securely

    • Ensure that administrators are protected against attackers when they use their administrative privileges

  • Technical security:

    • Use GPO to limit administrative access



Delegating Authority Securely

  • Take great care in selecting administrators:

    • Perform background or reference checks

    • Educate in security policies

  • Use the “least privilege” concept

  • Create and maintain an audit policy

  • Structure delegation strategy based on roles



Exercise 4.01: Creating an Organizational Unit and Delegating Control to a Local Administrator

  • Use Active Directory Users and Computers to create an OU

  • Use the Delegation of Control Wizard
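
The same delegation the wizard performs, done with the Windows Server 2003 command-line tools so the result is scriptable and reviewable. This is an added example, not part of the course material: dsadd ships with the operating system and dsacls with the Support Tools; the domain, OU and group names are assumptions for illustration. The role gets exactly three rights on user objects below the OU and nothing on the OU itself, which is the "least privilege" point of the preceding slides.

```powershell
# Added example (not from the course). Assumed names: corp.example.com,
# OU Branch-Users, role group Helpdesk-PwReset. Run as a domain admin once;
# afterwards the helpdesk works with the delegated rights only.
$domainDN = "DC=corp,DC=example,DC=com"
$ouDN     = "OU=Branch-Users,$domainDN"
$group    = "CORP\Helpdesk-PwReset"
$groupDN  = "CN=Helpdesk-PwReset,OU=Admin-Roles,$domainDN"

# 1. Container and role group (dsadd is built into Windows Server 2003).
dsadd ou $ouDN -desc "Branch office user accounts"
dsadd group $groupDN -secgrp yes -scope g -desc "Helpdesk role: reset branch passwords"

# 2. Delegate only what the role needs, on user objects beneath the OU.
#    /I:S = apply to sub-objects only, so the OU object itself gets nothing.
#    CA = control-access (extended) right, WP = write property.
dsacls $ouDN /I:S /G "${group}:CA;Reset Password;user"   # reset a password
dsacls $ouDN /I:S /G "${group}:WP;pwdLastSet;user"       # force change at next logon
dsacls $ouDN /I:S /G "${group}:WP;lockoutTime;user"      # unlock an account

# 3. Verify: the ACL must show exactly these entries for the group. Anything
#    broader ("Full Control", "Write Property - All") means the delegation
#    was widened and should be removed with dsacls /R.
dsacls $ouDN | Select-String "Helpdesk-PwReset"
```

Pair this with the audit policy the slides call for: enabling Audit account management on the domain controllers records every reset together with the account that performed it, which is what makes a delegated role accountable.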



Using the Delegation of Control Wizard



Designing the Network Management Policy

  • Determine how your network will be managed:

    • Centralized

    • Decentralized

    • Outsourced



Securing Common Administrative Tools

  • Combination of:

    • People

    • Technology

    • Policy



Securing the Microsoft Management Console

  • Group Policy settings under User Configuration\Administrative Templates\Windows Components\Microsoft Management Console let you:

    • Use restricted/permitted snap-ins (permit or prohibit each snap-in individually)

    • Restrict users from entering author mode (no new consoles, no adding or removing snap-ins)

    • Restrict users to the explicitly permitted list of snap-ins (every snap-in not explicitly permitted is blocked)
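
What those three policy settings actually write, as an added example that is not from the course: the registry values under the MMC policy key, applied for the current user so the effect can be checked on one machine before the same settings go into a GPO. The role name and the snap-in patterns are assumptions; snap-in CLSIDs are resolved from the machine's registered snap-in list rather than hard-coded.

```powershell
# Added example (not from the course). Writing HKCU policy values directly
# affects one user on one machine; deploy the equivalent GPO settings
# (User Configuration > Administrative Templates > Windows Components >
# Microsoft Management Console) for real use. PowerShell 2.0 or later.
$policy = "HKCU:\Software\Policies\Microsoft\MMC"
New-Item -Path $policy -Force | Out-Null

# "Restrict the user from entering author mode"
Set-ItemProperty -Path $policy -Name RestrictAuthorMode -Type DWord -Value 1
# "Restrict users to the explicitly permitted list of snap-ins"
Set-ItemProperty -Path $policy -Name RestrictToPermittedSnapins -Type DWord -Value 1

# Snap-ins are keyed by CLSID. Look them up under the machine's registered
# snap-ins (NameString holds the display name) instead of guessing GUIDs.
function Get-SnapinClsid([string]$NamePattern) {
    Get-ChildItem "HKLM:\SOFTWARE\Microsoft\MMC\SnapIns" |
        Where-Object { (Get-ItemProperty $_.PSPath).NameString -like $NamePattern } |
        ForEach-Object { $_.PSChildName }
}

# Assumed role "event reader": Event Viewer and Services only.
$allowed = @("Event Viewer*", "Services*") | ForEach-Object { Get-SnapinClsid $_ }
foreach ($clsid in $allowed) {
    $key = Join-Path $policy $clsid
    New-Item -Path $key -Force | Out-Null
    # Restrict_Run = 0 permits the snap-in; 1 prohibits it explicitly.
    Set-ItemProperty -Path $key -Name Restrict_Run -Type DWord -Value 0
}

# Check: list the permitted CLSIDs, then as this user open eventvwr.msc
# (should work) and dsa.msc (should be refused).
Get-ChildItem $policy | ForEach-Object {
    "{0}  Restrict_Run={1}" -f $_.PSChildName, (Get-ItemProperty $_.PSPath).Restrict_Run
}
```

The allow-list approach is the safer of the two modes: a prohibit-list silently lets through any snap-in installed later, whereas the explicit permitted list fails closed.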



Securing Terminal Server and Remote Desktop for Administration

  • Change the Terminal Services listening port from the default, TCP 3389 (this only hides the service from casual scans; it is not a substitute for encryption and access control)

  • Windows Server 2003 includes enhancements to:

    • Security Policy Editor

    • 128-bit encryption

    • FIPS compliance

    • Remote Desktop Users group

    • Software restriction policies

    • Single-session policy
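
The listener settings behind these bullets, shown as the registry values with the weak default noted beside the hardened value. This is an added example, not from the course; the port number and the group name are assumptions, and it must run as an administrator on the terminal server.

```powershell
# Added example (not from the course). Assumed: role group CORP\ServerOps,
# new port 33890. Changes to the listener take effect after the Terminal
# Services service (or the server) restarts.
$ts  = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
$rdp = "$ts\WinStations\RDP-Tcp"

# Encryption level: 1 = Low, 2 = Client Compatible (the default, lets a
# down-level client negotiate weaker keys), 3 = High (128-bit both ways),
# 4 = FIPS compliant algorithms. Hardened: 3, or 4 where the
# "System cryptography: Use FIPS compliant algorithms" policy is in force.
Set-ItemProperty -Path $rdp -Name MinEncryptionLevel -Type DWord -Value 3

# Single-session policy: a second logon by the same user reconnects to the
# existing session instead of opening another (default 0 = unlimited).
Set-ItemProperty -Path $ts -Name fSingleSessionPerUser -Type DWord -Value 1

# Port change: default 3389. Clients must then connect as host:port, and the
# host firewall rule has to follow the new port.
Set-ItemProperty -Path $rdp -Name PortNumber -Type DWord -Value 33890

# Who may connect: a named admin role group via Remote Desktop Users, rather
# than handing out local Administrators membership for remote access.
net localgroup "Remote Desktop Users" "CORP\ServerOps" /add

# Check the result.
Get-ItemProperty -Path $rdp | Select-Object PortNumber, MinEncryptionLevel
Get-ItemProperty -Path $ts  | Select-Object fSingleSessionPerUser
net localgroup "Remote Desktop Users"
```

Note that members of Administrators keep the "Allow log on through Terminal Services" right regardless of the Remote Desktop Users group, so limiting who is an administrator remains the primary control.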



Securing Remote Assistance

  • Settings:

    • Solicited Remote Assistance

    • Offer Remote Assistance



Securing Telnet

  • The Telnet service is installed but disabled by default

  • Enable it only for a real need: session data travels in the clear (NTLM protects the logon exchange, not what follows), so prefer Remote Desktop or an out-of-band console on the administrative network



Designing Security for Emergency Management Services

  • Manage a server via an out-of-band connection

  • Manage or troubleshoot a server when:

    • It is not fully functional

    • Operating system has not fully loaded

    • It is in a “headless” configuration

  • Server needs a serial port; fully headless operation also needs firmware that supports console redirection

  • The Special Administration Console (SAC) does not authenticate whoever is on the serial line, so security rests on physical access to that line and on the terminal concentrator chosen



Designing Security for Emergency Management Services (continued)

  • Security considerations:

    • Secure access to physical servers

    • Choose service processors

    • Create a separate network for administration



Designing a Security Update Infrastructure

  • Software Update Services:

    • Maintain an internally controlled Windows Update site

    • Analyze and approve security patches

    • Apply to networked computers in a consistent manner



Designing a Software Update Service Infrastructure

  • Using a SUS:

    • Controls which patches are visible to users

    • Automates download and installation process

    • Can optimize bandwidth



SUS Limitations

  • Can only deploy critical updates, security updates and service packs that are downloaded from Microsoft

    • Not application software updates or updated device drivers

    • Cannot deploy arbitrary .EXE or .MSI packages



SUS Limitations (continued)

  • Only supports:

    • Windows 2000 Professional

    • Windows 2000 Server, all versions

    • Windows XP Home

    • Windows XP Professional

    • Windows Server 2003, all versions

  • No good way to “push” installations to clients



Synchronizing Child SUS Servers



Using Group Policy to Deploy Software Updates

  • Use GPOs to deploy:

    • Software

    • Updates

    • Patches

  • Customize who gets which updates
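
The client side of a SUS deployment is a Group Policy for Automatic Updates. As an added example that is not from the course, here are the registry values that policy (Computer Configuration\Administrative Templates\Windows Components\Windows Update) writes, so one machine can be checked or configured in a lab before the GPO is linked. The server name and the schedule are assumptions; the weak settings are named in the comments next to the hardened ones.

```powershell
# Added example (not from the course). Assumed SUS server sus01.corp.example.com.
# Run as an administrator; for production, put these in a GPO, not a script.
$wu = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$au = "$wu\AU"
New-Item -Path $au -Force | Out-Null

# Point the client at the internal SUS server instead of windowsupdate.com.
# WUStatusServer is where the client reports what it installed (your audit trail).
Set-ItemProperty -Path $wu -Name WUServer       -Type String -Value "http://sus01.corp.example.com"
Set-ItemProperty -Path $wu -Name WUStatusServer -Type String -Value "http://sus01.corp.example.com"
Set-ItemProperty -Path $au -Name UseWUServer    -Type DWord  -Value 1

# Weak: NoAutoUpdate=1 (client never checks) or AUOptions=2 (notify only, so a
# patch waits for someone to click). Hardened: AUOptions=4, download and install
# on a schedule; ScheduledInstallDay 0 = every day, install at 03:00.
Set-ItemProperty -Path $au -Name NoAutoUpdate         -Type DWord -Value 0
Set-ItemProperty -Path $au -Name AUOptions            -Type DWord -Value 4
Set-ItemProperty -Path $au -Name ScheduledInstallDay  -Type DWord -Value 0
Set-ItemProperty -Path $au -Name ScheduledInstallTime -Type DWord -Value 3
# Do not reboot under a logged-on user; servers get a maintenance window instead.
Set-ItemProperty -Path $au -Name NoAutoRebootWithLoggedOnUsers -Type DWord -Value 1

# Force a detection cycle against the new server, then show the effective values.
wuauclt.exe /detectnow
Get-ItemProperty -Path $wu, $au
```

The client fetches the approval list from the SUS server over plain HTTP and verifies Microsoft's signature on the packages themselves; a spoofed or compromised server therefore cannot feed it arbitrary code but can withhold updates, so keep the server and the name resolution it depends on inside the administrative network.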



Configuring Software Installation Policies



Design a Strategy for Identifying Computers That Are Not at the Current Patch Level

  • Perform an audit

    • Ensure that machines are receiving patches

    • Identify machines on the network that do not possess the most up-to-date patch information



Design a Strategy for Identifying Computers That Are Not at the Current Patch Level (continued)

  • Tools:

    • Microsoft Baseline Security Analyzer (MBSA)

    • Microsoft System Management Server (SMS)

    • HP OpenView

    • NetIQ Security Manager

    • Gravity Storm Software Service Pack Manager 2000
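
A lightweight audit of the kind the slide describes, as an added example that is not from the course: query each machine's installed hotfixes over WMI (the Win32_QuickFixEngineering class exists on Windows 2000, XP and Server 2003) and report which required updates are missing. The computer list and the required KB numbers are constructed for illustration; in practice the list comes from the bulletins approved on the SUS server.

```powershell
# Added example (not from the course). Assumed/constructed inputs below.
# PowerShell 2.0 or later; needs admin rights and WMI access on the targets.
$computers  = @("dc01", "fs01", "web01", "ws-1042")          # constructed
$requiredKB = @("KB823980", "KB824146", "KB828035")           # constructed baseline

function Get-MissingPatches {
    param([string[]]$Computers, [string[]]$Required)
    foreach ($c in $Computers) {
        try {
            $installed = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $c -ErrorAction Stop |
                         ForEach-Object { $_.HotFixID }
            $missing = @($Required | Where-Object { $installed -notcontains $_ })
            New-Object PSObject -Property @{
                Computer  = $c
                Reachable = $true
                Missing   = ($missing -join ",")
                Compliant = ($missing.Count -eq 0)
            }
        } catch {
            # A host that cannot be queried is a finding, not a pass:
            # it cannot be assumed patched.
            New-Object PSObject -Property @{
                Computer = $c; Reachable = $false; Missing = "(unknown)"; Compliant = $false
            }
        }
    }
}

Get-MissingPatches -Computers $computers -Required $requiredKB |
    Where-Object { -not $_.Compliant } |
    Format-Table Computer, Reachable, Missing -AutoSize
```

QFE only lists updates registered with the operating system's update mechanism, so this catches missing OS patches but not application updates; MBSA or SMS is still needed for the fuller picture.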



Microsoft Baseline Security Analyzer



Designing Trust Relationships Between Domains and Forests

  • Trust:

    • Lets users in one domain or forest be authenticated by, and (if granted permissions) access resources in, another domain or forest

  • Transitive trust:

    • Domain A trusts Domain B

    • Domain B trusts Domain C

    • Therefore, Domain A trusts Domain C



Designing Trust Relationships Between Domains and Forests (continued)

  • Types of trust:

    • One-way trust

    • Two-way trust

    • Transitive trust

    • Nontransitive trust



The One-Way Trust Relationship

  • One-way: incoming

    • Users in this domain can be authenticated in the specified domain (this domain is the trusted domain)

  • One-way: outgoing

    • Users in the specified domain can be authenticated in this domain (this domain is the trusting domain)



The Two-Way Trust Relationship


Trust Transitivity in Domains



Trust Transitivity in Domains (continued)

  • By default, in Windows 2000 and Windows Server 2003:

    • Trusts between domains in the same forest (parent-child and tree-root) are two-way and transitive

    • A user in any domain can be authenticated by any other domain in the same forest; access still depends on the permissions set on each resource

    • Between forests, a Windows Server 2003 forest trust is transitive for every domain in the two forests, but it does not extend to a third forest



Transitivity of Forest Trusts



Designing Forest and Domain Trust Models

  • Default trust relationships

    • Two-way transitive trusts

  • External trusts

    • Nontransitive trusts with a domain that exists outside your Windows Server 2003 forest

  • Realm trusts

    • Trust relationships with an external Kerberos realm



Designing Forest and Domain Trust Models (continued)

  • Shortcut Trusts

    • One-way or two-way transitive trusts

    • Used to optimize the authentication process if many users from one domain need to log on to another domain in the forest structure



Selecting the Scope of Authentication for Users

  • Domain-wide or forest-wide authentication (the default):

    • Every user from the trusted domain or forest is treated as a member of Authenticated Users on every computer in the trusting domain or forest

  • Selective authentication (the “authentication firewall”):

    • Users from the trusted side can authenticate only to computers whose Active Directory object grants them the Allowed to Authenticate permission
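
The two scopes put into practice on an external trust, as an added example that is not from the course: create a nontransitive external trust with netdom (Windows Server 2003 Support Tools), switch it to selective authentication, and grant one partner group the right to authenticate to one server with dsacls. Domain, group and server names are assumptions; the `*` makes netdom prompt for each password rather than putting it on the command line.

```powershell
# Added example (not from the course). Assumed: corp.example.com holds the
# resources (trusting), partner.example.net holds the accounts (trusted).
$trusting = "corp.example.com"
$trusted  = "partner.example.net"

# One-way external trust: corp trusts partner, so partner's users can be
# authenticated here; nobody from corp gets anything in partner. External
# trusts are nontransitive by nature. /Quarantine:yes keeps SID filtering on
# (Windows Server 2003 already enables it for new external trusts; stating it
# documents intent), so SIDs planted in partner's sIDHistory never reach our tokens.
netdom trust $trusting "/d:$trusted" /add /Quarantine:yes `
    /UserO:CORP\TrustAdmin /PasswordO:* /UserD:PARTNER\TrustAdmin /PasswordD:*

# Scope of authentication. Default = domain-wide: every partner user becomes
# Authenticated Users on every computer in corp. Selective authentication is
# the "authentication firewall": partner users reach only computers whose
# object grants them the Allowed to Authenticate right.
netdom trust $trusting "/d:$trusted" /SelectiveAUTH:yes /UserO:CORP\TrustAdmin /PasswordO:*

# Grant that extended right (CA = control access) on one computer object, to
# one partner group. Granting it on an OU instead would open every server in it.
$server = "CN=FS01,OU=Servers,DC=corp,DC=example,DC=com"
dsacls $server /G "PARTNER\Contractors:CA;Allowed to Authenticate"

# Checks: the trust verifies, and the ACE is present on the server object only.
netdom trust $trusting "/d:$trusted" /verify /UserO:CORP\TrustAdmin /PasswordO:*
dsacls $server | Select-String "Allowed to Authenticate"
```

With selective authentication on, a partner user who has not been granted the right gets a logon failure at the server even if a share there grants Everyone read, which is the behaviour to test for before declaring the trust done.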



Realm Trusts


Using a Shortcut Trust



Designing Security for Interoperability

  • If using Windows NT 4.0 or earlier:

    • Trust relationships must be manually established

  • When supporting down-level clients:

    • Be aware of the concept of domain and forest functional levels

    • Domain functional levels:

      • Windows 2000 mixed

      • Windows 2000 native

      • Windows Server 2003 interim

      • Windows Server 2003



Domain Functional Levels Within Windows Server 2003


Controllers Supported by Different Forest Functional Levels



Windows Server 2003 Domain and Forest Functionality

  • At the domain level, the Windows Server 2003 functional level provides:

    • Domain controller rename tool

    • SID history

    • Converting groups

    • inetOrgPerson

    • lastLogonTimestamp attribute



Windows Server 2003 Domain and Forest Functionality (continued)

  • The forest functional level provides:

    • Domain rename

    • Forest trusts

    • inetOrgPerson

    • Defunct schema object

    • Linked value replication

    • Dynamic auxiliary classes

    • Global catalog replication



Summary

  • Secure networks from abuse of administrative tools:

    • Technical controls

    • Policy controls

    • Administrative controls

  • Tools such as SUS and GPO help keep software up-to-date

  • Domain and forest trust models have been updated for Windows Server 2003
