70-298: MCSE Guide to Designing Security for a Microsoft Windows Server 2003 Network (PowerPoint presentation, 47 slides, posted by adamdaniel)

Presentation Transcript

  1. 70-298: MCSE Guide to Designing Security for a Microsoft Windows Server 2003 Network
  Chapter 4: Securing the Network Management Process

  2. Exam Objectives
  • 2.3 Design security for network management
    • 2.3.1 Manage the risk of managing networks
    • 2.3.2 Design the administration of servers by using common administration tools
    • 2.3.3 Design security for Emergency Management Services
  • 2.4 Design a security update infrastructure

  3. Exam Objectives (continued)
    • 2.4.1 Design a Software Update Services (SUS) infrastructure
    • 2.4.2 Design Group Policy to deploy software updates
    • 2.4.3 Design a strategy for identifying computers that are not at the current patch level
  • 2.2.2 Design forest and domain trust models
  • 2.2.3 Design security that meets interoperability requirements

  4. Introduction
  • Network management process:
    • Vulnerable to attack
    • Use technical and policy measures to secure it
  • Create a patch management strategy
  • Design trust relationships for large-scale networks
    • Use the domain and forest trust model in Windows Server 2003

  5. Securing the Network Management Process
  • Physical network:
    • Restrict access to the network perimeter
    • Create a file-and-folder permission structure
    • Secure user accounts
  • Tools and utilities used to administer the network have potential for misuse:
    • Set security guidelines and policies
    • Implement role-based administration

  6. Managing the Risks of Network Administration
  • Don't grant all administrators the same level of administrative rights
  • Network administrators are vulnerable to social engineering attacks

  7. Security Policies for Administrators and IT Personnel
  • Network management policy:
    • Specifies ways to manage the enterprise network in a secure manner
    • Includes:
      • Detailed explanation of the tools for managing the network
      • List of users or user groups who can manage the network
      • Appropriate procedures for managing network resources

  8. Security Policies for Administrators and IT Personnel (continued)
  • Security policy:
    • Ensure that administrators manage network resources securely
    • Ensure that administrators are protected against attackers when they use their administrative privileges
  • Technical security:
    • Use GPOs to limit administrative access

  9. Delegating Authority Securely
  • Take great care in selecting administrators:
    • Perform background or reference checks
    • Educate them in security policies
  • Use the "least privilege" concept
  • Create and maintain an audit policy
  • Structure the delegation strategy based on roles

  10. Exercise 4.01: Creating an Organizational Unit and Delegating Control to a Local Administrator
  • Use Active Directory Users and Computers to create an OU
  • Use the Delegation of Control Wizard
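The exercise above delegates control through the wizard. The same delegation done from PowerShell, as an added example that is not part of the course material, grants a helpdesk group the "Reset Password" right plus read/write on pwdLastSet for user objects under one OU, which is what the wizard's "Reset user passwords and force password change at next logon" task writes. It assumes the RSAT ActiveDirectory module; the OU distinguished name and the group name are assumed for illustration.

```powershell
# Added example, not part of the course: delegate password resets on one OU from PowerShell.
# Assumes the RSAT ActiveDirectory module; the OU and group names below are assumed.
Import-Module ActiveDirectory

$ouDn  = 'OU=Branch Users,DC=corp,DC=example'      # assumed OU
$group = Get-ADGroup -Identity 'HelpDesk-Branch'    # assumed delegate group
$sid   = $group.SID

# Schema GUIDs used by the Delegation of Control Wizard's "Reset user passwords and force
# password change at next logon" task. Verify them against your schema's schemaIDGUID /
# rightsGuid values before relying on them.
$userClassGuid     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # user object class
$resetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" control access right
$pwdLastSetGuid    = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'   # pwdLastSet attribute

$acl = Get-Acl -Path "AD:\$ouDn"

# Extended right "Reset Password", inherited by descendant user objects only (not the OU
# itself, not computers or groups): the least-privilege shape, rather than Full Control.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, 'ExtendedRight', 'Allow', $resetPasswordGuid, 'Descendents', $userClassGuid)))

# Read/Write pwdLastSet lets the delegate set "User must change password at next logon"
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, 'ReadProperty, WriteProperty', 'Allow', $pwdLastSetGuid, 'Descendents', $userClassGuid)))

Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: the OU should now carry exactly two explicit (non-inherited) ACEs for the group,
# both scoped to descendant user objects (InheritedObjectType = user class GUID).
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object {
        -not $_.IsInherited -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
    } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
```

The verification query at the end is the check worth keeping in a delegation runbook: if it shows more than two ACEs, or an ACE with an empty InheritedObjectType, the delegation is broader than the role needs and should be re-scoped rather than left in place.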

  11. Using the Delegation of Control Wizard

  12. Designing the Network Management Policy
  • Determine how your network will be managed:
    • Centralized
    • Decentralized
    • Outsourced

  13. Securing Common Administrative Tools
  • Combination of:
    • People
    • Technology
    • Policy

  14. Securing the Microsoft Management Console
  • You can:
    • Use restricted/permitted snap-ins
    • Restrict users from entering author mode
    • Restrict users to an explicitly permitted list of snap-ins
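The three MMC restrictions above are applied through Group Policy and land as registry values under HKCU\Software\Policies\Microsoft\MMC. As an added example that is not part of the course, the script below reads those values and joins them with the list of installed snap-ins, so an administrator can see the effective snap-in permissions for the current user instead of guessing from the GPO editor. It looks only at the per-user policy hive, which is where the user-side policy writes.

```powershell
# Added example, not part of the course: show which MMC snap-ins the current user may run,
# by joining the installed snap-in list with the policy values written by "Restrict the user
# from entering author mode", "Restrict users to the explicitly permitted list of snap-ins"
# and the per-snap-in Permitted/Prohibited settings under HKCU\Software\Policies\Microsoft\MMC.
$policyRoot = 'HKCU:\Software\Policies\Microsoft\MMC'

function Get-MmcPolicyDword([string]$Path, [string]$Name, [int]$Default) {
    $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $p) { [int]$p.$Name } else { $Default }
}

$authorModeBlocked = (Get-MmcPolicyDword $policyRoot 'RestrictAuthorMode' 0) -eq 1
$permitListOnly    = (Get-MmcPolicyDword $policyRoot 'RestrictToPermittedSnapins' 0) -eq 1

$rows = foreach ($key in Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\MMC\SnapIns') {
    $guid = $key.PSChildName
    $name = $key.GetValue('NameString'); if (-not $name) { $name = $guid }

    # Per-snap-in policy: Restrict_Run = 0 means explicitly permitted, 1 means prohibited.
    $rule = Get-MmcPolicyDword "$policyRoot\$guid" 'Restrict_Run' -1
    $allowed = if ($rule -ge 0)         { $rule -eq 0 }   # an explicit permit/prohibit wins
               elseif ($permitListOnly) { $false }        # unlisted snap-ins are denied in permit-list mode
               else                     { $true }         # no restriction configured

    [pscustomobject]@{ SnapIn = $name; Guid = $guid; Allowed = $allowed }
}

"Author mode blocked: $authorModeBlocked   Permitted-list mode: $permitListOnly"
$rows | Sort-Object Allowed, SnapIn | Format-Table -AutoSize
```

Run it as the restricted user (or with that user's policy loaded) rather than as an administrator; a row that shows Allowed = True for Active Directory Users and Computers on a helpdesk workstation is the finding the slide's "permitted list" setting is meant to prevent.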

  15. Securing Terminal Server and Remote Desktop for Administration
  • Change the Terminal Services port (from the default TCP 3389; this hides the service from casual scans but is not an access control)
  • Windows Server 2003 includes enhancements to:
    • Security Policy Editor
    • 128-bit encryption
    • FIPS compliance
    • Remote Desktop Users group
    • Software restriction policies
    • Single-session policy

  16. Securing Remote Assistance
  • Settings:
    • Solicited Remote Assistance
    • Offer Remote Assistance

  17. Securing Telnet
  • Disabled by default
  • Enable only for a real need (Telnet carries credentials and sessions in cleartext)
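Slides 15 to 17 list remote-administration settings without showing where they live. The script below is an added example, not part of the course: it audits the Terminal Services encryption level, single-session policy, both Remote Assistance switches, the RDP listening port, the Telnet service and the Remote Desktop Users membership against a baseline, and with -Enforce writes the registry values back. It assumes PowerShell 5.1 or later, an elevated prompt, and that the baseline numbers are example choices to be replaced by your own policy.

```powershell
# Added example, not part of the course: audit (and with -Enforce, set) remote-administration
# settings. Assumes PowerShell 5.1+, an elevated prompt; baseline values are example choices.
param([switch]$Enforce)

$rdpTcp   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$tsRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$raPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

$baseline = @(
    @{ Path = $rdpTcp;   Name = 'MinEncryptionLevel';   Want = 4; Why = '4 = FIPS compliant (3 = High, 128-bit)' },
    @{ Path = $tsRoot;   Name = 'fSingleSessionPerUser'; Want = 1; Why = 'single-session policy' },
    @{ Path = $raPolicy; Name = 'fAllowToGetHelp';       Want = 0; Why = 'Solicited Remote Assistance off' },
    @{ Path = $raPolicy; Name = 'fAllowUnsolicited';     Want = 0; Why = 'Offer Remote Assistance off' }
)

function Get-RegDword([string]$Path, [string]$Name) {
    $v = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $v) { [int]$v.$Name } else { $null }
}

$findings = @()
foreach ($b in $baseline) {
    $have = Get-RegDword $b.Path $b.Name
    $ok   = ($have -eq $b.Want)
    if (-not $ok -and $Enforce) {
        if (-not (Test-Path $b.Path)) { New-Item -Path $b.Path -Force | Out-Null }
        Set-ItemProperty -Path $b.Path -Name $b.Name -Value $b.Want -Type DWord
    }
    $findings += [pscustomobject]@{ Setting = $b.Name; Current = $have; Baseline = $b.Want; Compliant = $ok; Why = $b.Why }
}

# Listening port: a non-default port hides RDP from casual scans but is not an access control,
# so it is reported, not scored.
$port = Get-RegDword $rdpTcp 'PortNumber'
$findings += [pscustomobject]@{ Setting = 'PortNumber'; Current = $port; Baseline = 'as documented'; Compliant = $null; Why = 'obscurity only; default is 3389' }

# Telnet (service TlntSvr) is cleartext and disabled by default; it should stay that way.
$telnet = Get-Service -Name TlntSvr -ErrorAction SilentlyContinue
$findings += [pscustomobject]@{
    Setting   = 'Telnet (TlntSvr)'
    Current   = $(if ($telnet) { "$($telnet.Status)/$($telnet.StartType)" } else { 'not installed' })
    Baseline  = 'not installed or Disabled'
    Compliant = (-not $telnet -or $telnet.StartType -eq 'Disabled')
    Why       = 'cleartext credentials'
}

# Who may connect: Remote Desktop Users should contain named administrators only.
$grp = [ADSI]'WinNT://./Remote Desktop Users,group'
$members = @($grp.Invoke('Members') | ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
$findings += [pscustomobject]@{ Setting = 'Remote Desktop Users'; Current = ($members -join ', '); Baseline = 'named admins only'; Compliant = $null; Why = 'review membership by hand' }

$findings | Format-Table -AutoSize
```

MinEncryptionLevel 4 (FIPS) only takes effect when the clients can negotiate it; run the audit first without -Enforce and confirm that every administrative client supports the level before enforcing, otherwise the remote administration path the slides are trying to protect becomes unavailable.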

  18. Designing Security for Emergency Management Services
  • Manage a server via an out-of-band connection
  • Manage or troubleshoot a server when:
    • It is not fully functional
    • The operating system has not fully loaded
    • It is in a "headless" configuration
  • The server must be equipped with special firmware
  • Security measures rely on the choice of terminal concentrator

  19. Designing Security for Emergency Management Services (continued)
  • Security considerations:
    • Secure access to physical servers
    • Choose service processors
    • Create a separate network for administration

  20. Designing a Security Update Infrastructure
  • Software Update Services:
    • Maintain an internally controlled Windows Update site
    • Analyze and approve security patches
    • Apply them to networked computers in a consistent manner

  21. Designing a Software Update Service Infrastructure
  • Using SUS:
    • Controls which patches are visible to users
    • Automates the download and installation process
    • Can optimize bandwidth

  22. SUS Limitations
  • Can only deploy critical updates and service packs that are downloaded from Microsoft
    • Not other software updates or updated device drivers
  • Cannot deploy arbitrary .EXE or .MSI packages

  23. SUS Limitations (continued)
  • Only supports:
    • Windows 2000 Professional
    • Windows 2000 Server, all versions
    • Windows XP Home
    • Windows XP Professional
    • Windows Server 2003, all versions
  • No good way to "push" installations to clients

  24. Synchronizing Child SUS Servers

  25. Using Group Policy to Deploy Software Updates
  • Use GPOs to deploy:
    • Software
    • Updates
    • Patches
  • Customize who gets which updates

  26. Configuring Software Installation Policies

  27. Design a Strategy for Identifying Computers That Are Not at the Current Patch Level
  • Perform an audit
  • Ensure that machines are receiving patches
  • Identify machines on the network that do not have the most up-to-date patches

  28. Design a Strategy for Identifying Computers That Are Not at the Current Patch Level (continued)
  • Tools:
    • Microsoft Baseline Security Analyzer (MBSA)
    • Microsoft Systems Management Server (SMS)
    • HP OpenView
    • NetIQ Security Manager
    • Gravity Storm Software Service Pack Manager 2000

  29. Microsoft Baseline Security Analyzer
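Slides 20 to 23 describe pointing clients at an internal SUS server, and slides 27 to 29 ask for a way to find machines that are not at the current patch level. One script can check both, because the Automatic Updates client records its update source in policy registry values and the Windows Update Agent can be asked which approved updates it still lacks. The following is an added example, not part of the course or of MBSA: Get-PatchState reports the configured update server and the missing updates for the machine it runs on, and the fan-out at the bottom runs it over a list of computers via WinRM (the computer names are assumed). Unreachable machines are kept in the report on purpose, since "did not answer" is an unknown, not a pass.

```powershell
# Added example, not part of the course: per-machine update source and missing-update report.
# Assumes WinRM remoting to the listed computers; the computer names are assumed.
function Get-PatchState {
    # Policy values written by "Specify intranet Microsoft update service location" and
    # "Configure Automatic Updates": this is how a client is pointed at the SUS server.
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu  = Get-ItemProperty -Path $pol      -ErrorAction SilentlyContinue
    $au  = Get-ItemProperty -Path "$pol\AU" -ErrorAction SilentlyContinue

    # Ask the Windows Update Agent what is still missing according to the configured source
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $missing  = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates
    $kbs      = foreach ($u in $missing) { foreach ($kb in $u.KBArticleIDs) { "KB$kb" } }
    $critical = 0
    foreach ($u in $missing) { if ($u.MsrcSeverity -eq 'Critical') { $critical++ } }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        UpdateServer    = $wu.WUServer                   # empty = talks to public Windows Update
        UsesIntranet    = ([int]$au.UseWUServer -eq 1)
        AUOptions       = $au.AUOptions                  # 2 notify, 3 download, 4 scheduled install
        LastInstallOk   = (New-Object -ComObject Microsoft.Update.AutoUpdate).Results.LastInstallationSuccessDate
        MissingCount    = $missing.Count
        CriticalMissing = $critical
        MissingKBs      = (($kbs | Sort-Object -Unique) -join ',')
    }
}

$computers = 'srv01', 'srv02', 'ws-finance-03'          # assumed names
$report = foreach ($c in $computers) {
    try   { Invoke-Command -ComputerName $c -ScriptBlock ${function:Get-PatchState} -ErrorAction Stop }
    catch { [pscustomobject]@{ Computer = $c; MissingCount = 'unreachable'; MissingKBs = $_.Exception.Message } }
}

# Anything other than zero missing (including 'unreachable') needs attention
$report | Where-Object { $_.MissingCount -ne 0 } |
    Format-Table Computer, UpdateServer, UsesIntranet, MissingCount, CriticalMissing, MissingKBs -AutoSize
```

Two rows deserve a second look even when MissingCount is zero: a machine whose UsesIntranet is False is scanning against the public catalog rather than the approved SUS list, and a machine with a stale LastInstallOk has been reporting "nothing missing" only because it has not installed anything, which is the condition slide 27's "ensure that machines are receiving patches" is about.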

  30. Designing Trust Relationships Between Domains and Forests
  • Trust:
    • Allows users in one domain or forest to access resources in another domain or forest
  • Transitive trust:
    • Domain A trusts Domain B
    • Domain B trusts Domain C
    • Therefore, Domain A trusts Domain C

  31. Designing Trust Relationships Between Domains and Forests (continued)
  • Types of trust:
    • One-way trust
    • Two-way trust
    • Transitive trust
    • Nontransitive trust

  32. The One-Way Trust Relationship
  • One-way: incoming (the other domain trusts this one, so its resources accept users from here)
  • One-way: outgoing (this domain trusts the other, so resources here accept users from there)

  33. The Two-Way Trust Relationship

  34. Trust Transitivity in Domains

  35. Trust Transitivity in Domains (continued)
  • By default, in Windows 2000 and Windows Server 2003:
    • Trusts between domains in a forest are two-way and transitive
    • A user in any domain can be authenticated to resources in any other domain in the same forest (access still depends on the resource's permissions)
    • A forest trust extends this transitivity to every domain of the other forest, but it does not chain through that forest to a third forest

  36. Transitivity of Forest Trusts

  37. Designing Forest and Domain Trust Models
  • Default trust relationships
    • Two-way transitive trusts between parent and child domains and between tree roots
  • External trusts
    • Nontransitive trusts with a domain that exists outside your Windows Server 2003 forest (for example, a Windows NT 4.0 domain or a single domain in another forest)
  • Realm trusts
    • Trust relationships with an external (non-Windows) Kerberos V5 realm; can be transitive or nontransitive

  38. Designing Forest and Domain Trust Models (continued)
  • Shortcut trusts
    • One-way or two-way transitive trusts between two domains in the same forest
    • Used to shorten the authentication path when many users from one domain need to log on to another domain in the forest
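The A-trusts-B, B-trusts-C reasoning of slides 30 and 35, and the transitive/nontransitive distinction of slides 37 and 38, are easier to check on a concrete topology than in prose. The script below is an added example, not part of the course: it models a constructed set of domains (three forests plus a Windows NT 4.0 domain, all assumed names) and their trusts, then computes which domains' users a given resource domain will authenticate by walking the trust graph with the transitivity rules the slides state: parent-child, tree-root and shortcut trusts chain freely inside a forest, a forest trust is crossed at most once, and an external trust is honoured only by the domain that holds it.

```powershell
# Added example, not part of the course: compute the set of domains a resource domain trusts,
# applying the transitivity rules for each trust type. Topology and names are constructed.
$trusts = @(
    @{ Trusting = 'corp.example';      Trusted = 'emea.corp.example'; Kind = 'ParentChild'; TwoWay = $true  },
    @{ Trusting = 'corp.example';      Trusted = 'apac.corp.example'; Kind = 'ParentChild'; TwoWay = $true  },
    @{ Trusting = 'partner.test';      Trusted = 'lab.partner.test';  Kind = 'ParentChild'; TwoWay = $true  },
    @{ Trusting = 'corp.example';      Trusted = 'partner.test';      Kind = 'Forest';      TwoWay = $true  },
    @{ Trusting = 'partner.test';      Trusted = 'vendor.local';      Kind = 'Forest';      TwoWay = $true  },
    @{ Trusting = 'emea.corp.example'; Trusted = 'NTLEGACY';          Kind = 'External';    TwoWay = $false }   # NT 4.0 domain
)

function Get-TrustedDomains([string]$ResourceDomain) {
    # Expand two-way trusts into directed edges: From = trusting domain, To = trusted domain
    $edges = foreach ($t in $trusts) {
        [pscustomobject]@{ From = $t.Trusting; To = $t.Trusted; Kind = $t.Kind }
        if ($t.TwoWay) { [pscustomobject]@{ From = $t.Trusted; To = $t.Trusting; Kind = $t.Kind } }
    }

    $reached = @{}                                   # trusted domain -> path that makes it trusted
    $queue   = New-Object System.Collections.Queue
    $queue.Enqueue(@{ Domain = $ResourceDomain; CrossedForest = $false; Terminal = $false; Path = @($ResourceDomain) })

    while ($queue.Count -gt 0) {
        $s = $queue.Dequeue()
        if ($s.Terminal) { continue }                # reached over a nontransitive trust: do not expand further

        foreach ($e in ($edges | Where-Object { $_.From -eq $s.Domain })) {
            if ($reached.ContainsKey($e.To) -or $e.To -eq $ResourceDomain) { continue }
            $crossed = $s.CrossedForest; $terminal = $false

            if ($e.Kind -eq 'External') {
                if ($s.Domain -ne $ResourceDomain) { continue }   # external trusts are nontransitive: only the holder benefits
                $terminal = $true
            } elseif ($e.Kind -eq 'Forest') {
                if ($crossed) { continue }                        # a forest trust never chains into a third forest
                $crossed = $true
            }
            # ParentChild / TreeRoot / Shortcut: transitive within the forest, nothing to check

            $path = $s.Path + $e.To
            $reached[$e.To] = ($path -join ' -> ')
            $queue.Enqueue(@{ Domain = $e.To; CrossedForest = $crossed; Terminal = $terminal; Path = $path })
        }
    }

    $reached.GetEnumerator() | Sort-Object Name |
        ForEach-Object { [pscustomobject]@{ TrustedDomain = $_.Name; Via = $_.Value } }
}

Get-TrustedDomains 'corp.example'
Get-TrustedDomains 'emea.corp.example'
```

For corp.example the output lists emea and apac (parent-child), then partner.test and lab.partner.test through the forest trust, but neither vendor.local (the partner forest's own forest trust does not chain) nor NTLEGACY (the external trust belongs to emea alone). For emea.corp.example the same forest-wide set appears, plus NTLEGACY as a direct hop that is never expanded. When reviewing a real design, list the trusts with netdom or the Active Directory Domains and Trusts console and feed them into the same table; a trusted domain you did not expect to see is a design error, not a tooling curiosity.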

  39. Selecting the Scope of Authentication for Users
  • Forest-wide authentication: every user from the trusted forest is treated as a member of Authenticated Users in the trusting forest, so any resource that grants access to Authenticated Users is reachable
  • Selective authentication (the "authentication firewall"): users from the trusted forest can authenticate only to computers on which they have explicitly been granted the Allowed to Authenticate permission

  40. Realm Trusts

  41. Using a Shortcut Trust

  42. Designing Security for Interoperability
  • If Windows NT 4.0 or earlier domains are involved:
    • Trust relationships are one-way, nontransitive and must be established manually
  • When supporting down-level clients:
    • Be aware of the concept of domain and forest functional levels
  • Domain functional levels:
    • Windows 2000 mixed
    • Windows 2000 native
    • Windows Server 2003 interim
    • Windows Server 2003

  43. Domain Functional Levels Within Windows Server 2003

  44. Controllers Supported by Different Forest Functional Levels

  45. Windows Server 2003 Domain and Forest Functionality
  • At the domain level, the Windows Server 2003 functional level provides:
    • Domain controller rename tool
    • SID history
    • Converting groups
    • InetOrgPerson
    • lastLogonTimestamp attribute

  46. Windows Server 2003 Domain and Forest Functionality (continued)
  • The forest functional level provides:
    • Domain rename
    • Forest trusts
    • InetOrgPerson
    • Defunct schema objects
    • Linked value replication
    • Dynamic auxiliary classes
    • Global catalog replication improvements
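Slides 42 to 46 tie the available features to the domain and forest functional levels, and slide 44 to the domain controllers each level permits. Raising a level is a one-way operation, so the practical check before doing it is whether any domain controller still runs an operating system the target level excludes. The script below is an added example, not part of the course: it walks the current forest with System.DirectoryServices.ActiveDirectory (no RSAT module needed), prints each domain's functional level, and flags every domain controller that would block a raise to the Windows Server 2003 level.

```powershell
# Added example, not part of the course: readiness check before raising a functional level.
# Run from a domain-joined machine with an account that can read the forest.
Add-Type -AssemblyName System.DirectoryServices

function Test-FunctionalLevelReadiness {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

    foreach ($domain in $forest.Domains) {
        foreach ($dc in $domain.DomainControllers) {
            # The Windows Server 2003 domain and forest levels require every DC to run
            # Windows Server 2003; a Windows 2000 DC (or an NT 4.0 BDC) blocks the raise.
            $blocks = $dc.OSVersion -match 'Windows 2000|Windows NT'
            [pscustomobject]@{
                Forest      = $forest.Name
                ForestMode  = $forest.ForestMode
                Domain      = $domain.Name
                DomainMode  = $domain.DomainMode
                DC          = $dc.Name
                OS          = $dc.OSVersion
                BlocksRaise = $blocks
            }
        }
    }
}

$report = Test-FunctionalLevelReadiness
$report | Format-Table Domain, DomainMode, DC, OS, BlocksRaise -AutoSize

$blockers = @($report | Where-Object { $_.BlocksRaise })
if ($blockers.Count -gt 0) {
    "Cannot raise to the Windows Server 2003 level yet: $($blockers.Count) down-level domain controller(s) remain."
} else {
    "All domain controllers run Windows Server 2003; the raise is possible (and irreversible once done)."
}
```

The same objects expose the raise itself (Domain.RaiseDomainFunctionality and Forest.RaiseForestFunctionality); keeping that call out of the readiness script is deliberate, so that an audit run can never accidentally perform the irreversible change.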

  47. Summary
  • Secure networks from abuse of administrative tools with:
    • Technical controls
    • Policy controls
    • Administrative controls
  • Tools such as SUS and GPOs help keep software up to date
  • Domain and forest trust models have been updated for Windows Server 2003