70-298: MCSE Guide to Designing Security for a Microsoft Windows Server 2003 Network

Chapter 4: Securing the Network Management Process


Exam Objectives

  • 2.3 Design security for network management

  • 2.3.1 Manage the risk of managing networks

  • 2.3.2 Design the administration of servers by using common administration tools

  • 2.3.3 Design security for Emergency Management Services

  • 2.4 Design a security update infrastructure

Exam Objectives (continued)

  • 2.4.1 Design a Software Update Services (SUS) infrastructure

  • 2.4.2 Design Group Policy to deploy software updates

  • 2.4.3 Design a strategy for identifying computers that are not at the current patch level

  • 2.2.2 Design forest and domain trust models

  • 2.2.3 Design security that meets interoperability requirements

Introduction

  • Network management process:

    • Vulnerable to attack

    • Use technical and policy measures to secure

  • Create a patch management strategy

  • Design trust relationships for large-scale networks

  • Use the domain and forest trust model in Windows Server 2003

Securing the Network Management Process

  • Physical network:

    • Restrict access to the network perimeter

  • Create a file-and-folder permission structure

  • Secure user accounts

  • Tools and utilities used to administer network have potential for misuse:

    • Set security guidelines and policies

    • Implement role-based administration

Managing the Risks of Network Administration

  • Don’t grant all administrators the same level of administrative rights

  • Network administrators are prime targets for social engineering attacks, because their credentials carry the most privilege

Security Policies for Administrators and IT Personnel

  • Network management policy:

    • Specify ways to manage the enterprise network in a secure manner

    • Includes:

      • Detailed explanation of tools for managing network

      • List of users or user groups who can manage network

      • Appropriate procedures for managing network resources

Security Policies for Administrators and IT Personnel (continued)

  • Security policy:

    • Ensure that administrators manage network resources securely

    • Ensure that administrators are protected against attackers when they use their administrative privileges

  • Technical security:

    • Use GPO to limit administrative access

Delegating Authority Securely

  • Take great care in selecting administrators:

    • Perform background or reference checks

    • Educate in security policies

  • Use the “least privilege” concept

  • Create and maintain an audit policy

  • Structure delegation strategy based on roles

Exercise 4.01: Creating an Organizational Unit and Delegating Control to a Local Administrator

  • Use Active Directory Users and Computers to create an OU

  • Use the Delegation of Control Wizard
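The same delegation the wizard's "Reset user passwords and force password change at next logon" task produces, done from the command line so it is repeatable and reviewable. This is an added example, not an exercise from the book; it assumes PowerShell (2.0 or later, installable on Windows Server 2003) on a domain controller with the dsadd and dsacls tools, and the domain name, OU and group name are hypothetical.

```powershell
# Added example (not from the book). Creates an OU and a group, then grants the
# group only the rights needed to reset passwords of users under that OU.
# Assumes PowerShell 2.0 on a Windows Server 2003 DC; names are hypothetical.

$domainDN = "DC=corp,DC=example"
$ou       = "OU=Branch,$domainDN"
$groupDN  = "CN=Branch Admins,OU=Branch,$domainDN"
$grantee  = "CORP\Branch Admins"

# 1. The OU scopes the delegation; a global security group receives it.
#    Delegate to groups, never to individual user accounts.
& dsadd ou $ou -desc "Branch office users; password resets delegated"
& dsadd group $groupDN -secgrp yes -scope g -samid "Branch Admins"

# 2. Grant exactly what the task needs, inherited to user objects only:
#    - the "Reset Password" control-access right (CA) on user objects
#    - read/write of pwdLastSet (RP/WP), which forces a change at next logon
#    /I:S applies the ACEs to sub-objects only, so the OU itself is untouched.
& dsacls $ou /I:S /G "${grantee}:CA;Reset Password;user"
& dsacls $ou /I:S /G "${grantee}:RPWP;pwdLastSet;user"

# 3. Review the resulting ACL. Anything broader than these two ACEs
#    (for example Generic All left over from an earlier "Full Control"
#    delegation) should be removed with "dsacls <ou> /R <group>" before
#    the group is populated.
& dsacls $ou | Select-String -Pattern "Branch Admins"
```

Running `dsacls` on the OU after the wizard is the check the least-privilege bullet above calls for: the wizard shows what you asked for, `dsacls` shows what is actually on the object.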

Using the Delegation of Control Wizard

Designing the Network Management Policy

  • Determine how your network will be managed:

    • Centralized

    • Decentralized

    • Outsourced

Securing Common Administrative Tools

  • Combination of:

    • People

    • Technology

    • Policy

Securing the Microsoft Management Console

  • Group Policy (User Configuration > Administrative Templates > Windows Components > Microsoft Management Console) lets you:

    • Use restricted/permitted snap-ins

    • Restrict users from entering author mode

    • Restrict users to explicitly permitted list of snap-ins
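The registry values behind those three policy settings, written directly so the effect can be tested on one account before the settings go into a GPO. This is an added example, not from the book. It assumes PowerShell 2.0 on Windows Server 2003 or XP; the value semantics (Restrict_Run = 0 permits a snap-in, 1 prohibits it, under the snap-in's CLSID) follow the system.adm template and should be verified against the template on your own system. The help-desk console list is hypothetical.

```powershell
# Added example (not from the book). Writes the MMC policy values a GPO would
# set, restricted to an explicit snap-in list. Assumes PowerShell 2.0.
# Restrict_Run semantics (0 = permitted, 1 = prohibited) per system.adm: verify.

$policyKey = "HKCU:\Software\Policies\Microsoft\MMC"

function Get-SnapinClsid([string]$snapin) {
    # Accept a CLSID directly, or look one up by display name in the list of
    # registered snap-ins (one sub-key per CLSID with a NameString value).
    if ($snapin.StartsWith("{")) { return $snapin }
    foreach ($key in Get-ChildItem "HKLM:\SOFTWARE\Microsoft\MMC\SnapIns") {
        $name = (Get-ItemProperty $key.PSPath).NameString
        if ($name -eq $snapin) { return $key.PSChildName }
    }
    # On systems where NameString is a resource reference ("@dll,-id"),
    # pass the CLSID instead of the display name.
    throw "Snap-in '$snapin' is not registered on this machine"
}

function Set-MmcRestrictions([string[]]$permittedSnapins) {
    if (-not (Test-Path $policyKey)) { New-Item $policyKey -Force | Out-Null }
    # "Restrict the user from entering author mode" = Enabled
    Set-ItemProperty $policyKey RestrictAuthorMode -Type DWord -Value 1
    # "Restrict users to the explicitly permitted list of snap-ins" = Enabled:
    # from now on only snap-ins with an explicit Restrict_Run = 0 will load.
    Set-ItemProperty $policyKey RestrictToPermittedSnapins -Type DWord -Value 1
    foreach ($snapin in $permittedSnapins) {
        $snapinKey = Join-Path $policyKey (Get-SnapinClsid $snapin)
        if (-not (Test-Path $snapinKey)) { New-Item $snapinKey -Force | Out-Null }
        Set-ItemProperty $snapinKey Restrict_Run -Type DWord -Value 0
    }
}

# A help-desk role that may open only these two consoles (hypothetical list).
Set-MmcRestrictions @("Active Directory Users and Computers", "Event Viewer")

# Check: everything the policy now permits, by CLSID.
Get-ChildItem $policyKey | ForEach-Object {
    "{0} Restrict_Run={1}" -f $_.PSChildName, (Get-ItemProperty $_.PSPath).Restrict_Run
}
```

Because these live under HKCU, they only bind when the restricted user logs on; a GPO linked to the OU holding the help-desk accounts (or loopback processing on the admin workstations) is how the same values are enforced in production.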

Securing Terminal Server and Remote Desktop for Administration

  • Change the Terminal Services listening port from the default TCP 3389 (this hides the service from casual scans only; still restrict which hosts can reach the port)

  • Windows Server 2003 includes enhancements to:

    • Security Policy Editor

    • 128-bit encryption

    • FIPS compliance

    • Remote Desktop Users group

    • Software restriction policies

    • Single-session policy

Securing Remote Assistance

  • Settings:

    • Solicited Remote Assistance

    • Offer Remote Assistance

Securing Telnet

  • The Telnet service is installed but disabled by default

  • Enable it only for a real need: it sends the session in clear text (NTLM authentication protects the password, not the traffic)
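One script that applies the Terminal Services, Remote Assistance and Telnet settings from the three slides above and reads them back. It is an added example, not from the book, and assumes PowerShell 2.0 on Windows Server 2003 SP1 run as an administrator; the port number, management subnet and group name are hypothetical placeholders.

```powershell
# Added example (not from the book). Hardens the remote-administration channels
# discussed above and verifies the result. Assumes PowerShell 2.0 on Windows
# Server 2003 SP1 with Windows Firewall; port, subnet and group are placeholders.

$rdpTcp   = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
$tsRoot   = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
$raPolicy = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"

$newRdpPort  = 3390                           # hypothetical; default is TCP 3389
$adminSubnet = "10.0.50.0/24"                 # hypothetical management subnet
$rdpGroup    = "CORP\Tier2 Server Operators"  # hypothetical domain group

function Set-TerminalServerHardening {
    # Non-default port: hides the listener from casual scans, nothing more.
    Set-ItemProperty $rdpTcp PortNumber -Type DWord -Value $newRdpPort
    # MinEncryptionLevel: 1 Low, 2 Client Compatible, 3 High (128-bit), 4 FIPS.
    Set-ItemProperty $rdpTcp MinEncryptionLevel -Type DWord -Value 3
    # Single-session policy: reconnect to the existing session rather than
    # leaving disconnected sessions around holding administrative tokens.
    Set-ItemProperty $tsRoot fSingleSessionPerUser -Type DWord -Value 1
    # Membership in Remote Desktop Users, not Administrators, is what grants
    # RDP logon to non-admins; keep it to one named group.
    & net localgroup "Remote Desktop Users" $rdpGroup /add
    # The real control is network reach: only the management subnet may
    # connect to the port.
    & netsh firewall set portopening protocol=TCP "port=$newRdpPort" name=RDPAdmin mode=ENABLE scope=CUSTOM "addresses=$adminSubnet"
}

function Set-RemoteAssistancePolicy {
    if (-not (Test-Path $raPolicy)) { New-Item $raPolicy -Force | Out-Null }
    # Solicited Remote Assistance: allowed, but view-only (no remote control).
    Set-ItemProperty $raPolicy fAllowToGetHelp   -Type DWord -Value 1
    Set-ItemProperty $raPolicy fAllowFullControl -Type DWord -Value 0
    # Offer Remote Assistance (unsolicited): off unless a help desk needs it.
    Set-ItemProperty $raPolicy fAllowUnsolicited -Type DWord -Value 0
}

function Disable-TelnetServer {
    # Telnet carries the session in clear text; keep it stopped and disabled.
    $svc = Get-Service -Name TlntSvr -ErrorAction SilentlyContinue
    if ($svc -ne $null) {
        if ($svc.Status -eq "Running") { Stop-Service TlntSvr }
        Set-Service TlntSvr -StartupType Disabled
    }
}

function Test-RemoteAdminHardening {
    # Read the effective settings back. The port and encryption level apply
    # to new connections only after Terminal Services restarts (a reboot).
    $rdp = Get-ItemProperty $rdpTcp
    $ra  = Get-ItemProperty $raPolicy
    $telnet = Get-Service -Name TlntSvr -ErrorAction SilentlyContinue
    $ok = ($rdp.PortNumber -eq $newRdpPort) -and ($rdp.MinEncryptionLevel -ge 3) -and
          ($ra.fAllowUnsolicited -eq 0) -and
          (($telnet -eq $null) -or ($telnet.Status -ne "Running"))
    # Listener check: after the reboot the new port should be LISTENING and 3389 gone.
    & netstat -an | Select-String -Pattern "LISTENING" |
        Where-Object { $_ -match ":($newRdpPort|3389)\s" }
    return $ok
}

Set-TerminalServerHardening
Set-RemoteAssistancePolicy
Disable-TelnetServer
Test-RemoteAdminHardening
```

The firewall line is the part that actually reduces exposure; the port change and encryption level only raise the bar for whoever can already reach the listener. Administrators can still connect after the group change, since the Administrators group always holds the "Allow log on through Terminal Services" right.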

Designing Security for Emergency Management Services

  • Manage a server via an out-of-band connection

  • Manage or troubleshoot a server when:

    • It is not fully functional

    • Operating system has not fully loaded

    • It is in a “headless” configuration

  • Server firmware must support console redirection (EMS is enabled on the Windows side with bootcfg /ems)

  • Security of the out-of-band channel depends on the terminal concentrator chosen: it must authenticate its users and protect its own management traffic

Designing Security for Emergency Management Services (continued)

  • Security considerations:

    • Secure access to physical servers

    • Choose service processors

    • Create a separate network for administration

Designing a Security Update Infrastructure

  • Software Update Services:

    • Maintain an internally controlled Windows Update site

    • Analyze and approve security patches

    • Apply to networked computers in a consistent manner

Designing a Software Update Services Infrastructure

  • Using SUS:

    • Controls which patches are visible to clients (only administrator-approved updates are offered)

    • Automates the download and installation process through the Automatic Updates client

    • Can optimize bandwidth: clients download from the local SUS server instead of each fetching from Windows Update

SUS Limitations

  • Can deploy only critical updates, security updates and service packs downloaded from Microsoft

    • Not other software updates or updated device drivers

    • Cannot distribute arbitrary .EXE or .MSI packages (use Group Policy software installation or SMS for those)

SUS Limitations (continued)

  • Only supports:

    • Windows 2000 Professional

    • Windows 2000 Server, all versions

    • Windows XP Home

    • Windows XP Professional

    • Windows Server 2003, all versions

  • No good way to “push” installations to clients: clients pull on the Automatic Updates schedule

Synchronizing Child SUS Servers

Using Group Policy to Deploy Software Updates

  • Use GPOs to deploy:

    • Software

    • Updates

    • Patches

  • Customize who gets which updates
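The Windows Update policy values that point a server's Automatic Updates client at an internal SUS server (Computer Configuration > Administrative Templates > Windows Components > Windows Update), written locally so they can be checked on one machine before the same settings go into a GPO linked to the server OU. This is an added example, not from the book; it assumes PowerShell 2.0 on Windows Server 2003 with the Automatic Updates client, the SUS server name is hypothetical, and the reachability probe assumes the server exposes iuident.cab at its root as SUS 1.0 does.

```powershell
# Added example (not from the book). Points Automatic Updates at an internal
# SUS server and verifies the policy and the server's reachability.
# Assumes PowerShell 2.0 on Windows Server 2003; server name is hypothetical.

$wuPolicy  = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$auPolicy  = "$wuPolicy\AU"
$susServer = "http://sus01.corp.example"    # hypothetical internal SUS server

function Set-SusClientPolicy([string]$server, [int]$installDay, [int]$installHour) {
    foreach ($k in @($wuPolicy, $auPolicy)) {
        if (-not (Test-Path $k)) { New-Item $k -Force | Out-Null }
    }
    # Where to look for approved updates and where to report status.
    Set-ItemProperty $wuPolicy WUServer       -Value $server
    Set-ItemProperty $wuPolicy WUStatusServer -Value $server
    Set-ItemProperty $auPolicy UseWUServer    -Type DWord -Value 1
    # Automatic Updates on; AUOptions 4 = auto download and schedule the install.
    Set-ItemProperty $auPolicy NoAutoUpdate   -Type DWord -Value 0
    Set-ItemProperty $auPolicy AUOptions      -Type DWord -Value 4
    # ScheduledInstallDay: 0 = every day, 1..7 = Sunday..Saturday; hour is 24h local.
    Set-ItemProperty $auPolicy ScheduledInstallDay  -Type DWord -Value $installDay
    Set-ItemProperty $auPolicy ScheduledInstallTime -Type DWord -Value $installHour
    # Do not reboot a server out from under a logged-on administrator.
    Set-ItemProperty $auPolicy NoAutoRebootWithLoggedOnUsers -Type DWord -Value 1
}

function Test-SusClientPolicy([string]$server) {
    $wu = Get-ItemProperty $wuPolicy
    $au = Get-ItemProperty $auPolicy
    $ok = ($wu.WUServer -eq $server) -and ($au.UseWUServer -eq 1) -and ($au.NoAutoUpdate -eq 0)
    # A client pointed at an unreachable SUS server silently stops patching,
    # so a policy check without a reachability check proves nothing.
    $probe = [System.Net.WebRequest]::Create("$server/iuident.cab")   # assumed SUS 1.0 root file
    $probe.Method = "HEAD"
    try { $resp = $probe.GetResponse(); $resp.Close() }
    catch { $ok = $false; Write-Warning "SUS server not reachable: $_" }
    return $ok
}

Set-SusClientPolicy $susServer 0 3      # every day at 03:00
Test-SusClientPolicy $susServer
```

Different OUs get different GPOs with these values: a pilot OU that installs as soon as updates are approved, production servers on the scheduled window, and a maintenance-window value of AUOptions for machines that must never reboot unattended. That is the "customize who gets which updates" of the slide, done with scope rather than with separate SUS servers.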

Configuring Software Installation Policies

Design a Strategy for Identifying Computers That Are Not at the Current Patch Level

  • Perform an audit

    • Ensure that machines are receiving patches

    • Identify machines on the network that do not possess the most up-to-date patch information

Design a Strategy for Identifying Computers That Are Not at the Current Patch Level (continued)

  • Tools:

    • Microsoft Baseline Security Analyzer (MBSA)

    • Microsoft Systems Management Server (SMS)

    • HP OpenView

    • NetIQ Security Manager

    • Gravity Storm Software Service Pack Manager 2000
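A minimal version of the audit the previous slide asks for, as an added example that is not from the book: it reads each computer's installed hotfixes through WMI (Win32_QuickFixEngineering, present on Windows 2000, XP and Server 2003) and compares them with the list of updates approved on the SUS server this cycle. It assumes PowerShell 2.0 on an administrative workstation with rights on the targets; the computer names and KB numbers are hypothetical placeholders.

```powershell
# Added example (not from the book). Finds computers missing approved patches
# and treats unreachable computers as findings too. Assumes PowerShell 2.0;
# computer names and KB numbers are hypothetical.

# Baseline: KB numbers approved on the SUS server this cycle (hypothetical).
$requiredKBs = @("KB000001", "KB000002", "KB000003")
# Scope: the computers in the server OU (hypothetical names).
$computers = @("FS01", "DC02", "WEB03")

function Get-InstalledHotfixIds([string]$computer) {
    # HotFixID is "KBnnnnnn" for current patches and "Qnnnnnn" for older ones;
    # normalise both to KB so the comparison is uniform.
    Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $computer -ErrorAction Stop |
        ForEach-Object { $_.HotFixID -replace '^Q', 'KB' }
}

function Get-MissingPatches([string[]]$computers, [string[]]$required) {
    foreach ($c in $computers) {
        try {
            $installed = @(Get-InstalledHotfixIds $c)
            $missing = @($required | Where-Object { $installed -notcontains $_ })
            New-Object PSObject -Property @{ Computer = $c; Reachable = $true; Missing = $missing }
        } catch {
            # A box that cannot be queried cannot be proven patched.
            New-Object PSObject -Property @{ Computer = $c; Reachable = $false; Missing = $required }
        }
    }
}

$report = Get-MissingPatches $computers $requiredKBs
$report | Where-Object { $_.Missing.Count -gt 0 } | ForEach-Object {
    "{0}: reachable={1} missing={2}" -f $_.Computer, $_.Reachable, ($_.Missing -join ",")
}
```

QFE only reports what an installer registered, so use this as the quick triage and MBSA (which compares file versions against the security update catalog) as the authoritative scan; a machine that looks patched here but not in MBSA usually has a patch whose files were overwritten by a later install.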

Microsoft Baseline Security Analyzer

Designing Trust Relationships Between Domains and Forests

  • Trust:

    • Allows users in one domain or forest to be authenticated by, and with appropriate permissions to access resources in, another domain or forest (a trust provides an authentication path, not access)

  • Transitive trust:

    • Domain A trusts Domain B

    • Domain B trusts Domain C

    • Therefore, Domain A trusts Domain C

Designing Trust Relationships Between Domains and Forests (continued)

  • Types of trust:

    • One-way trust

    • Two-way trust

    • Transitive trust

    • Nontransitive trust

The One-Way Trust Relationship

  • One-way: incoming: users in your domain can be authenticated in the specified domain (your domain is the trusted domain)

  • One-way: outgoing: users in the specified domain can be authenticated in your domain (your domain is the trusting domain)

The Two-Way Trust Relationship

Trust Transitivity in Domains

Trust Transitivity in Domains (continued)

  • By default, in Windows 2000 and Windows Server 2003:

    • Trusts between domains in the same forest (parent-child and tree-root) are two-way and transitive

    • A user in any domain can therefore be authenticated by, and with the right permissions access resources in, any other domain in the same forest

    • A Windows Server 2003 forest trust is transitive between all domains of the two forests it joins, but does not extend to a third forest

Transitivity of Forest Trusts

Designing Forest and Domain Trust Models

  • Default trust relationships

    • Two-way transitive parent-child and tree-root trusts, created automatically when a domain joins the forest

  • External trusts

    • Nontransitive, one-way or two-way trusts with a domain outside your Windows Server 2003 forest (a Windows NT 4.0 domain or a single domain in another forest); SID filtering is applied by default so SIDs from the trusted domain cannot be used to claim membership in your own

  • Realm trusts

    • Trusts with a non-Windows Kerberos V5 realm; can be created transitive or nontransitive

Designing Forest and Domain Trust Models (continued)

  • Shortcut Trusts

    • One-way or two-way transitive trusts

    • Used to shorten the authentication path (Kerberos referrals) when many users in one domain regularly log on to another domain in the same forest
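A small model of the trust types from the last four slides, used to answer "can a user from domain X be authenticated in domain Y?" before a trust is created. It is an added example, not from the book; the direction and transitivity rules are the Windows Server 2003 rules stated on these slides (intra-forest and shortcut trusts transitive, forest trusts transitive between two forests but never to a third, external trusts nontransitive), the domain names are hypothetical, and it needs only PowerShell 2.0, no Active Directory access.

```powershell
# Added example (not from the book). Models trust direction and transitivity
# and searches for an authentication path. Assumes PowerShell 2.0; hypothetical names.

# A trust edge: Trusting -> Trusted (users of Trusted can authenticate to Trusting).
# Kinds: ParentChild, TreeRoot, Shortcut (transitive inside a forest), Forest
# (transitive between two forests, never to a third), External and Realm
# (modelled as nontransitive; a realm trust may also be created transitive).
function New-Trust($trusting, $trusted, $kind, $twoWay) {
    $t = @(New-Object PSObject -Property @{ Trusting = $trusting; Trusted = $trusted; Kind = $kind })
    if ($twoWay) { $t += New-Object PSObject -Property @{ Trusting = $trusted; Trusted = $trusting; Kind = $kind } }
    return $t
}

$trusts = @()
$trusts += New-Trust "corp.example"      "east.corp.example" "ParentChild" $true   # forest A
$trusts += New-Trust "corp.example"      "west.corp.example" "ParentChild" $true
$trusts += New-Trust "corp.example"      "partner.example"   "Forest"      $true   # forest A <-> forest B
$trusts += New-Trust "partner.example"   "vendor.example"    "Forest"      $true   # forest B <-> forest C
$trusts += New-Trust "west.corp.example" "legacy-nt4"        "External"    $false  # one-way, nontransitive

function Test-AuthPath([string]$resourceDomain, [string]$accountDomain, $trusts) {
    # Breadth-first walk from the resource (trusting) domain toward the account
    # domain. A nontransitive trust can only be a direct, final hop; at most one
    # forest trust may appear on any path.
    $queue = New-Object System.Collections.ArrayList
    [void]$queue.Add(@{ Domain = $resourceDomain; Path = @(); ForestHops = 0 })
    $seen = @{}
    while ($queue.Count -gt 0) {
        $state = $queue[0]; $queue.RemoveAt(0)
        if ($state.Domain -eq $accountDomain) { return ,$state.Path }
        foreach ($t in ($trusts | Where-Object { $_.Trusting -eq $state.Domain })) {
            $nonTransitive = ($t.Kind -eq "External" -or $t.Kind -eq "Realm")
            if ($nonTransitive -and $state.Path.Count -gt 0) { continue }        # not reachable through another trust
            if ($nonTransitive -and $t.Trusted -ne $accountDomain) { continue }  # and leads no further
            $forestHops = $state.ForestHops + [int]($t.Kind -eq "Forest")
            if ($forestHops -gt 1) { continue }                                  # forest trusts do not chain
            $key = "$($t.Trusted)|$forestHops"
            if ($seen.ContainsKey($key)) { continue }
            $seen[$key] = $true
            $hop = "$($t.Trusting) -> $($t.Trusted) [$($t.Kind)]"
            [void]$queue.Add(@{ Domain = $t.Trusted; Path = $state.Path + @($hop); ForestHops = $forestHops })
        }
    }
    return $null
}

# Questions a designer would ask before creating the trusts above.
foreach ($q in @(
        @("corp.example",      "east.corp.example"),   # inside the forest: yes
        @("east.corp.example", "partner.example"),     # across the forest trust: yes
        @("corp.example",      "vendor.example"),      # through two forest trusts: no
        @("west.corp.example", "legacy-nt4"),          # direct external trust: yes
        @("corp.example",      "legacy-nt4"))) {       # child's external trust: no
    $path = Test-AuthPath $q[0] $q[1] $trusts
    if ($null -eq $path) { "{0} <- {1}: NO" -f $q[0], $q[1] }
    else { "{0} <- {1}: YES via {2}" -f $q[0], $q[1], ($path -join "; ") }
}
```

The two "no" answers are the design points worth remembering: an external trust created by one child domain does not give the rest of the forest an authentication path to the NT 4.0 domain, and chaining two forest trusts does not connect the outer forests. If those paths are needed, they must be created explicitly, and each one deserves the same scrutiny as the first.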

Selecting the Scope of Authentication for Users

  • Forest-wide authentication: every user in the trusted forest becomes a member of Authenticated Users in the trusting forest and can authenticate to any computer in it

  • Selective authentication (the “authentication firewall”): users of the trusted forest can authenticate only to computers on which they have been explicitly granted the Allowed to Authenticate right
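Turning the authentication firewall on for an existing forest trust and then opening it for one group on one server. This is an added example, not from the book; it assumes the Windows Server 2003 Support Tools (netdom) and dsacls on a domain controller of the trusting forest, run with enterprise-admin rights, and the domain, group and server names are hypothetical.

```powershell
# Added example (not from the book). Switches a forest trust to selective
# authentication and grants Allowed to Authenticate on a single computer.
# Assumes netdom (Support Tools) and dsacls on a DC of the trusting forest;
# all names are hypothetical.

$trustingDomain = "corp.example"
$trustedForest  = "partner.example"
$partnerGroup   = "PARTNER\Vendor Engineers"
$serverDN       = "CN=FS01,OU=Servers,DC=corp,DC=example"

# 1. Change the incoming side of the trust from forest-wide to selective
#    authentication. Partner users stop being Authenticated Users in
#    corp.example merely because the trust exists.
& netdom trust $trustingDomain "/domain:$trustedForest" /SelectiveAuth:yes

# 2. Open the firewall for exactly one group on exactly one computer object:
#    the "Allowed to Authenticate" control-access right (CA) on FS01. The
#    share and NTFS permissions on FS01 still apply on top of this.
& dsacls $serverDN /G "${partnerGroup}:CA;Allowed to Authenticate"

# 3. Verify the trust still validates and the ACE is present.
& netdom trust $trustingDomain "/domain:$trustedForest" /verify
& dsacls $serverDN | Select-String -Pattern "Allowed to Authenticate"
```

Grant the right on the computer object (or an OU of computer objects with inheritance), never at the domain root, or the firewall is back to forest-wide authentication with extra steps.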

Realm Trusts

Using a Shortcut Trust

Designing Security for Interoperability

  • If using Windows NT 4.0 or earlier:

    • Trust relationships are one-way and nontransitive and must be established manually, on both the trusting and the trusted side

  • When supporting down-level clients:

    • Be aware of the concept of domain and forest functional levels

    • Domain functional levels:

      • Windows 2000 mixed

      • Windows 2000 native

      • Windows Server 2003 interim

      • Windows Server 2003

Domain Functional Levels Within Windows Server 2003

Controllers Supported by Different Forest Functional Levels

Windows Server 2003 Domain and Forest Functionality

  • At the domain level, the Windows Server 2003 functional level provides:

    • Domain controller rename tool

    • SID history

    • Converting groups (security/distribution and scope changes)

    • inetOrgPerson objects

    • lastLogonTimestamp attribute (replicated between domain controllers, unlike lastLogon, so stale accounts can be found from any DC)

Windows Server 2003 Domain and Forest Functionality (continued)

  • The Windows Server 2003 forest functional level provides:

    • Domain rename

    • Forest trusts

    • inetOrgPerson objects

    • Defunct (deactivated) schema objects

    • Linked value replication

    • Dynamic auxiliary classes

    • Improved global catalog replication

Summary

  • Secure networks from abuse of administrative tools:

    • Technical controls

    • Policy controls

    • Administrative controls

  • Tools such as SUS and GPO help keep software up-to-date

  • Domain and forest trust models have been updated for Windows Server 2003
