70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.

70-293: MCSE Guide to Planning a Microsoft Windows

Server 2003 Network, Enhanced

Chapter 13: Planning Server and Network

Security

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network

2

Objectives

• Describe three types of security

• Plan security configurations for server roles

• Plan network protocol security

• Plan wireless network security

• Define the default security settings used by Windows Server 2003

• Plan a secure baseline for client computers and servers

• Create a plan for software updates

• Ensure secure administrative access


3

Types of Security

• Three commonly used categories are:• Physical security

• Network security

• Data security


4

Physical Security

• Physical security is controlling physical access to the computing devices on your network • Who has a key to the server room?

• Prevents users and hackers from physically accessing network resources that they have no legitimate need to touch

• After physical security is in place, software-based security is more effective


5

Network Security• Network security refers to accessing network-based

resources through a computer network• Tools available for enforcing network security are:

Authentication, IPSec and Firewalls• Authentication verifies the identity of users before giving

them access to resources

• IPSec encrypts data packets in transit on the network

• Firewalls control data movement based on IP addresses and port numbers

• For enhanced security, most organizations use a demilitarized zone (DMZ)


6

Network Security (continued)


7

Network Security (continued)


8

Data Security

• Data security: mechanisms to ensure only authorized users access sensitive data

• Tools for enforcing data security include:• NTFS permissions: used to control access to files and

folders stored on network servers

• Share permissions: used to control access to a particular network share

• Auditing: allows you to track which users have performed, or attempted to perform, certain actions

• EFS: encrypts files that are stored on NTFS partitions


9

Encrypting File System

• EFS (encrypting file system) encrypts files that are stored on NTFS partitions

• When files are stored encrypted, only the user who encrypted them, other designated users, or a designated recovery agent can decrypt and read them

• Certificates used by EFS can be created automatically, through an internal CA or a third party CA


10

Activity 13-1: Using EFS to Protect Files

• The purpose of this activity is to use EFS to protect files


11

Planning Security Configuration for Server Roles

• General rules for server security are:• Disable unnecessary services

• Limit access to the minimum required for users to perform their jobs

• Use separate administrator accounts for different staff

• Allow packets to necessary TCP and UDP ports only


12

Securing Domain Controllers

• Some ways to secure domain controllers are: • Place domain controller behind firewall

• If VPN is being used, place the VPN in a DMZ

• Use RADIUS

• NetBIOS ports should be blocked by a firewall

• NetBIOS can be disabled on the network connection that is connected to the Internet


13

Securing Web Servers

• Some ways to secure web servers are:• Web servers should be in a DMZ

• Web sites that authenticate users or collect sensitive information should run on TCP port 443 using SSL

• install the operating system, IIS, and the Web site data on separate hard drive partitions

• remove any demonstration scripts that installed by default on the Web server

• disable the ability to run scripts by disabling ASP processing and the processing of all other script types


14

Activity 13-2: Disabling Script Processing in IIS

• The purpose of this activity is to disable processing of scripts in IIS


15

Securing Database Servers

• When securing database servers:• If concerned with protecting the data while it is in transit

on the network between the client and the server, use IPSec

• If database is used as part of a Web-based application, it is quite common to place the Web server in the DMZ and the SQL server on the internal, private network

• A database that holds sensitive information should never be on the same server as the Web site

• If the database runs on a separate server, then the hacker must still find the database


16

Securing Mail Servers• The only protection you can give a mail server is a

firewall• Mail servers that communicate with the Internet

should be placed in the DMZ• The best way for clients to access e-mail is from a

server on the internal network• Configure a second e-mail server on the internal

network that forwards all mail to the mail server in the DMZ


17

Securing Mail Servers (continued)


18

Planning Network Protocol Security

• A VPN connection can be used to secure IPX, AppleTalk, and TCP/IP network traffic

• If TCP/IP is used, traffic can also be secured with IPSec or with SSL


19

Using VPNs to Secure Network Traffic

• A VPN is used to secure network traffic for remote users• All network traffic between the client computer and the

VPN server is encrypted

• A VPN can ensure that user access to confidential company information is not monitored by an ISP or hackers

• VPNs can also be used internally on the network to protect network traffic to certain areas of the network


20

Using IPSec to Secure Network Traffic

• IPSec is ideal for securing network traffic because:• It is very flexible to configure because rules can be

configured to protect only certain traffic

• In addition to performing encryption, IPSec authenticates both computers in the conversation to prevent imposters

• Applications do not have to be aware of IPSec to use it - any IP-based application can use it

• The major drawback to IPSec is that it does not move through NAT very well


21

Securing Web-based Applications

• Key points concerning SSL (Secure Sockets Layer):• It is often used to secure Web-based applications

• Requires that a certificate be installed on the server to which it is being connected

• It is a well-recognized, standard protocol

• It is not platform specific in any way


22

Planning Wireless Network Security

• Concepts regarding wireless security include: • Wired Equivalent Protocol

• Authorized MAC addresses

• Using VPNs to secure wireless access

• 802.1X

• Microsoft-specific mechanisms for configuring wireless networks


23

Wired Equivalent Protocol

• Wired Equivalent Privacy (WEP) is a protocol built into the 802.11 standards for wireless connectivity

• WEP governs how data can be encrypted while in transit on the wireless network

• WEP is seriously flawed when dealing with motivated hackers

• WiFi Protected Access (WPA), is replacing WEP and fixes most of its flaws

• WPA will be a standard in all newly certified wireless equipment as of January 2004


24

Authorized MAC Addresses

• If you try to communicate with the AP using a wireless card with a MAC address that is not on the list, the AP ignores you

• This prevents access to resources on your network, but is very awkward to implement • Each AP must be configured with the MAC address of each

wireless network card

• Packet sniffers can view MAC addresses and exploit them


25

Using VPNs to Secure Wireless Access

• One easy way to secure a wireless network is to require VPN authentication before allowing access to the main network

• All packets that can be viewed by hackers with wireless connections are encrypted by the VPN


26

The 802.1X Protocol

• The protocol 802.1X is an authentication protocol defined by the IEEE to authenticate wireless users


27

The 802.1X Protocol (continued)


28

Configuring Wireless Networks

• Many wireless configuration settings are managed by the OS, and can be managed using Group Policy

• In a group policy, you can define Wireless Network (802.11) policies where you can configure:• The type of wireless networks to access

• Whether Windows should be used to configure the wireless networks for a client

• Whether to connect to non preferred networks


29

Activity 13-3: Creating a Policy for Wireless Workstations

• The purpose of this activity is to create a policy to configure wireless workstations


30

Default Security Settings

• Windows Server 2003 features:• It is more secure than Windows Server 2000

• Only the Administrators group is given Full Control to the file system

• A minimum of services is installed


31

Default Security Settings (continued)

• Windows Server 2003 features (continued):• IIS is not installed by default

• If IIS is installed after the server installation is complete, script processing must be enabled

• Default security settings for Windows 2003 are configured during installation by applying a security template

• A security template is a group of security settings that can be applied to server or client computers


32

Activity 13-4: Viewing Default Security Settings

• The purpose of this activity is to view the default security settings in Setup security.inf


33

Configuring Client Computers

• Client computers should be divided into categories where specific configuration options and a security template can be developed

• When defining a security template, start by copying one of the predefined templates

• The Security Configuration and Analysis snap-in can analyze and configure client computers from a GUI


34

Configuring Servers• Servers should be categorized and grouped to assist in

applying security settings• Servers are more likely to hold sensitive data than

workstations, their settings are likely to be more restrictive for:• Password policies

• Account lockout policy

• Users performing local logons

• Auditing, limiting services

• Restricting file

• Registry permissions


35

Activity 13-5: Analyzing Security

• The purpose of this activity is to compare the default security level of your server to the hisecws.inf template


36

Software Updates

• Systems must be fully patched because viruses take advantage of known flaws in operating systems and applications for which there are patches available

• To help administrators keep systems patched, Microsoft has released a number of tools:• Windows Update

• Automatic Updates

• Software Update Services

• Microsoft Baseline Security Analyzer

• Hfnetchk


37

Windows Update

• Windows Update is a Web site that administrators and users can visit to find out which updates are available for their systems

• Windows Update• Automatically checks for the files that are needed

• Downloads them

• Installs them


38

Automatic Updates

• Automatic Updates is a service that runs on Windows clients and servers that makes the process of downloading and installing hotfixes automatic

• Automatic Updates is a significant improvement over Windows Update because it is automatic and configurable• This takes a significant load off of administrator

• It is not very efficient because all downloads are from the Internet


39

Activity 13-6: Configuring Automatic Updates

• The purpose of this activity is to configure Automatic Updates to download and install patches automatically


40

Software Update Services (SUS)

• SUS is a service available for Windows 2000 and Windows Server 2003

• Automatically downloads the latest hotfixes and service packs from the Windows Update Web site

• Client computers on your network then can download the hotfixes and service packs from a local server on the network instead of the Internet• Internet traffic is reduced


41

Microsoft Baseline Security Analyzer

• The Microsoft Baseline Security Analyzer (MBSA) is a tool that verifies security updates on a wide variety of Microsoft operating systems and applications

• MBSA can scan a single machine or an entire group of computers on the network


42

Hfnetchk

• Hfnetchk is an older command-line utility for verifying patch levels on Windows clients and servers

• It is no longer offered by Microsoft as a stand-alone utility

• The functionality of Hfnetchk is now only available in MBSA


43

Securing Administrative Access

• Administrators should maintain two accounts:• One for day-to-day work with limited permission (like an

average user)

• One with elevated privileges and permissions that are required for administration of the network

• Most network administrators find it cumbersome to log on and off of the network as they switch between tasks; Windows Server 2003 allows administrators to run individual applications as a different user


44

Summary

• Three types of security are: physical security, network security and data security

• EFS (encrypting file system) encrypts files that are stored on NTFS partitions

• Securing all servers includes the following: • Disabling unnecessary services

• Limiting access to the minimum required for users to perform their jobs

• Using separate administrator accounts for different staff, and allow packets to necessary TCP and UDP ports only


45

Summary (continued)

• Domain controllers should not be exposed to traffic from the Internet and should not be located in a DMZ

• Web servers that are accessible from the Internet should be located in a DMZ

• Database servers should be on the internal network• Mail servers must be accessible from the Internet and

should be located in a DMZ• A VPN can be used to secure network traffic for IP,

IPX, and AppleTalk packets


46

Summary (continued)

• Common standards for wireless networks are 802.11b and 802.11g

• Default security settings for Windows Server 2003 are much more secure than Windows 2000 Server

• Software updates can be managed using:• Windows Update

• Automatic Updates

• SUS

• MBSA

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.

Documents

network security slide

enforcing network security

planning server

enhanced security

microsoft windows server

enforcing data security

mcse guide

network resources