PowerPoint Slideshow about '70-298: MCSE Guide to Designing Security for a Microsoft Windows Server 2003 Network' - adamdaniel


70-298: MCSE Guide to Designing Security for a Microsoft Windows Server 2003 Network

Chapter 4: Securing the Network Management Process

Exam Objectives
  • 2.3 Design security for network management
  • 2.3.1 Manage the risk of managing networks
  • 2.3.2 Design the administration of servers by using common administration tools
  • 2.3.3 Design security for Emergency Management Services
  • 2.4 Design a security update infrastructure

Exam Objectives (continued)
  • 2.4.1 Design a Software Update Services (SUS) infrastructure
  • 2.4.2 Design Group Policy to deploy software updates
  • 2.4.3 Design a strategy for identifying computers that are not at the current patch level
  • 2.2.2 Design forest and domain trust models
  • 2.2.3 Design security that meets interoperability requirements

Introduction
  • Network management process:
    • Vulnerable to attack
    • Use technical and policy measures to secure
  • Create a patch management strategy
  • Design trust relationships for large-scale networks
  • Use the domain and forest trust model in Windows Server 2003

Securing the Network Management Process
  • Physical network:
    • Restrict access to the network perimeter
  • Create a file-and-folder permission structure
  • Secure user accounts
  • Tools and utilities used to administer network have potential for misuse:
    • Set security guidelines and policies
    • Implement role-based administration

Managing the Risks of Network Administration
  • Don’t grant all administrators the same level of administrative rights
  • Network administrators are vulnerable to social engineering attacks

Security Policies for Administrators and IT Personnel
  • Network management policy:
    • Specify ways to manage the enterprise network in a secure manner
    • Includes:
      • Detailed explanation of tools for managing network
      • List of users or user groups who can manage network
      • Appropriate procedures for managing network resources

Security Policies for Administrators and IT Personnel (continued)
  • Security policy:
    • Ensure that administrators manage network resources securely
    • Ensure that administrators are protected against attackers when they use their administrative privileges
  • Technical security:
    • Use GPO to limit administrative access

Delegating Authority Securely
  • Take great care in selecting administrators:
    • Perform background or reference checks
    • Educate in security policies
  • Use the “least privilege” concept
  • Create and maintain an audit policy
  • Structure delegation strategy based on roles

Exercise 4.01: Creating an Organizational Unit and Delegating Control to a Local Administrator
  • Use Active Directory Users and Computers to create an OU
  • Use the Delegation of Control Wizard

Using the Delegation of Control Wizard

Designing the Network Management Policy
  • Determine how your network will be managed:
    • Centralized
    • Decentralized
    • Outsourced

Securing Common Administrative Tools
  • Combination of:
    • People
    • Technology
    • Policy

Securing the Microsoft Management Console
  • You can:
    • Use restricted/permitted snap-ins
    • Restrict users from entering author mode
    • Restrict users to explicitly permitted list of snap-ins

Securing Terminal Server and Remote Desktop for Administration
  • Change the Terminal Services port
  • Windows Server 2003 includes enhancements to:
    • Security Policy Editor
    • 128-bit encryption
    • FIPS compliance
    • Remote Desktop Users group
    • Software restriction policies
    • Single-session policy

Securing Remote Assistance
  • Settings:
    • Solicited Remote Assistance
    • Offer Remote Assistance

Securing Telnet
  • Disabled by default
  • Enable only for a real need

Designing Security for Emergency Management Services
  • Manage a server via an out-of-band connection
  • Manage or troubleshoot a server when:
    • It is not fully functional
    • Operating system has not fully loaded
    • It is in a “headless” configuration
  • Server must be equipped with special firmware
  • Security measures rely on choice of terminal concentrator

Designing Security for Emergency Management Services (continued)
  • Security considerations:
    • Secure access to physical servers
    • Choose service processors
    • Create a separate network for administration

Designing a Security Update Infrastructure
  • Software Update Services:
    • Maintain an internally controlled Windows Update site
    • Analyze and approve security patches
    • Apply to networked computers in a consistent manner

Designing a Software Update Service Infrastructure
  • Using a SUS:
    • Controls which patches are visible to users
    • Automates download and installation process
    • Can optimize bandwidth

SUS Limitations
  • Can only deploy critical updates and service packs that are downloaded from Microsoft
    • Not software updates or updated device drivers
    • Cannot create .EXE or .MSI files

SUS Limitations (continued)
  • Only supports:
    • Windows 2000 Professional
    • Windows 2000 Server, all versions
    • Windows XP Home
    • Windows XP Professional
    • Windows Server 2003, all versions
  • No good way to “push” installations to clients

Synchronizing Child SUS Servers

Using Group Policy to Deploy Software Updates
  • Use GPOs to deploy:
    • Software
    • Updates
    • Patches
  • Customize who gets which updates

Configuring Software Installation Policies

Design a Strategy for Identifying Computers That Are Not at the Current Patch Level
  • Perform an audit
    • Ensure that machines are receiving patches
    • Identify machines on the network that do not possess the most up-to-date patch information

Design a Strategy for Identifying Computers That Are Not at the Current Patch Level (continued)
  • Tools:
    • Microsoft Baseline Security Analyzer (MBSA)
    • Microsoft Systems Management Server (SMS)
    • HP OpenView
    • NetIQ Security Manager
    • Gravity Storm Software Service Pack Manager 2000

Microsoft Baseline Security Analyzer

Designing Trust Relationships Between Domains and Forests
  • Trust:
    • Allows users in different domains or forests to access resources in other domains or forests
  • Transitive trust:
    • Domain A trusts Domain B
    • Domain B trusts Domain C
    • Therefore, Domain A trusts Domain C

Designing Trust Relationships Between Domains and Forests (continued)
  • Types of trust:
    • One-way trust
    • Two-way trust
    • Transitive trust
    • Nontransitive trust

The One-Way Trust Relationship
  • One-way: incoming
  • One-way: outgoing

The Two-Way Trust Relationship

Trust Transitivity in Domains

Trust Transitivity in Domains (continued)
  • By default, in Windows 2000 and Windows Server 2003:
    • Trusts are transitive
    • User in any domain can access any resource in any other domain in the same forest
    • Transitive trusts flow between domains into forests

Transitivity of Forest Trusts

Designing Forest and Domain Trust Models
  • Default trust relationships
    • Two-way transitive trusts
  • External trusts
    • Nontransitive trusts with a domain that exists outside your Windows Server 2003 forest
  • Realm trusts
    • Trust relationships with an external Kerberos realm

Designing Forest and Domain Trust Models (continued)
  • Shortcut Trusts
    • One-way or two-way transitive trusts
    • Used to optimize the authentication process if many users from one domain need to log on to another domain in the forest structure
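
Added example (not part of the original slides): a simplified Python model of the transitive and nontransitive trust rules described above, for auditing which account domains a given resource domain will accept. The domain names, the trust list, and the function names are constructed for illustration; "A trusts B" follows the slides' convention, meaning accounts in B can be authenticated for resources in A.

```python
from collections import deque

# Constructed sample topology (hypothetical names, not from the slides).
# Each entry: (trusting domain, trusted domain, is_transitive)
TRUSTS = [
    ("corp.example", "emea.corp.example", True),   # default two-way transitive
    ("emea.corp.example", "corp.example", True),
    ("corp.example", "apac.corp.example", True),
    ("apac.corp.example", "corp.example", True),
    ("emea.corp.example", "partner.example", False),  # one-way external trust
]

def trusted_domains(resource_domain, trusts=TRUSTS):
    """Return the set of domains whose accounts resource_domain accepts.

    Simplified model: a direct trust always applies; beyond the first hop,
    only chains made entirely of transitive trusts extend the reach.
    """
    outgoing = {}
    for trusting, trusted, transitive in trusts:
        outgoing.setdefault(trusting, []).append((trusted, transitive))

    # Direct trusts count whether or not they are transitive.
    reached = {trusted for trusted, _ in outgoing.get(resource_domain, [])}

    # Breadth-first walk that follows transitive trusts only.
    seen = {resource_domain}
    queue = deque([resource_domain])
    while queue:
        current = queue.popleft()
        for trusted, transitive in outgoing.get(current, []):
            if transitive and trusted not in seen:
                seen.add(trusted)
                queue.append(trusted)

    reached |= seen
    reached.discard(resource_domain)
    return reached

def audit(trusts=TRUSTS):
    """Map every domain in the topology to the sorted list of domains it trusts."""
    domains = sorted({d for t in trusts for d in t[:2]})
    return {d: sorted(trusted_domains(d, trusts)) for d in domains}

if __name__ == "__main__":
    for domain, accepted in audit().items():
        print(f"{domain} accepts accounts from: {accepted or 'none'}")
```

In this constructed topology the external trust lets partner.example accounts reach emea.corp.example only; it does not extend to corp.example or apac.corp.example, and partner.example itself trusts no one because the trust is one-way.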

Selecting the Scope of Authentication for Users
  • Authenticated Users
  • Authentication firewall

Realm Trusts

Using a Shortcut Trust

Designing Security for Interoperability
  • If using Windows NT 4.0 or earlier:
    • Trust relationships must be manually established
  • When supporting down-level clients:
    • Be aware of the concept of domain and forest functional levels
    • Domain functional levels:
      • Windows 2000 mixed
      • Windows 2000 native
      • Windows Server 2003 interim
      • Windows Server 2003

Domain Functional Levels Within Windows Server 2003

Controllers Supported by Different Forest Functional Levels

Windows Server 2003 Domain and Forest Functionality
  • At the domain level, the Windows Server 2003 functional level provides:
    • Domain controller rename tool
    • SID history
    • Converting groups
    • InetOrg Person
    • lastLogonTimestamp attribute

Windows Server 2003 Domain and Forest Functionality (continued)
  • The forest functional level provides:
    • Domain rename
    • Forest trusts
    • InetOrg Person
    • Defunct schema object
    • Linked value replication
    • Dynamic auxiliary classes
    • Global catalog replication

Summary
  • Secure networks from abuse of administrative tools:
    • Technical controls
    • Policy controls
    • Administrative controls
  • Tools such as SUS and GPO help keep software up-to-date
  • Domain and forest trust models have been updated for Windows Server 2003
