The 5Step Security Checkup for Education

About This Presentation

Title:

The 5Step Security Checkup for Education

Description:

The 5-Step Security Checkup for Education. Barbara Chung. Security Advisor, Education ... The keys to the kingdom, using them inappropriately can forfeit ... – PowerPoint PPT presentation

Number of Views:31

Avg rating:3.0/5.0

Slides: 29

Provided by: bdurt

Category:

more less

Transcript and Presenter's Notes

Title: The 5Step Security Checkup for Education

1
The 5-Step Security Checkup for Education

Barbara Chung
Security Advisor, Education
Microsoft Corporation

2
Agenda

Secure Administrative Accounts
Implement Zones of Trust
Build a Baseline
Patch
Agile Processes

3
1 Secure Administrative Rights

The keys to the kingdom, using them
inappropriately can forfeit everything else you
do for security
Two general types of problems
Attackers who obtain admin credentials
Users who have been granted admin credentials,
but may not understand the implications of using
them carelessly or incorrectly

4
1 Secure Administrative Rights

Forest is the security boundary, not the domain.
You must trust ALL domain admins
Admin accounts not email-enabled, not used as
desktop accounts, use restricted to trusted
machines

5
Administrative Accounts

Administrator
Created accounts assigned to admin groups
Accounts that use
EFS Data Recovery certificates
Enrollment Agent certificates
Key Recovery Agent certificates

6
Administrative Groups

in Builtin container for example, Account
Operators, Server Operators
in User container for example, Domain Admins,
Group Policy Creator/Owners
Anything that you create and assign admin
privileges

7
Administrative GroupsDefault Domain Groups

Enterprise Admins
Domain Admins
Schema Admins
Group Policy Creator Owners
Administrators group
Administrator account
DS Restore Mode Administrator

8
Admin Account Types

Local admin accounts
Domain admin accounts
Forest admin accounts

9
Principle of Least Privilege

Always grant minimum privileges required to
complete the current task
Requires some work, but helps to understand your
organization
Dont do it logging on as Domain Admin to
troubleshoot a workstation with suspected
security problems

10
Best Practices

Separate domain administrator and enterprise
administrator roles.
Separate user and administrator accounts.
Use the Secondary Logon service.
Run a separate Terminal Services session for
administration.
Rename the default Administrator account.
Create a decoy Administrator account.
Create a secondary Administrator account and
disable the built-in Administrator account.

11
Best Practices, cont

Enable Account Lockout for Remote Administrator
Logons. (passprop.exe)
Create a strong Administrator password.
Automate scanning for weak passwords.
Use administrative credentials on trusted
computers only.
Audit accounts and passwords on a regular basis.
Prohibit account delegation.
Control the administrative logon process

12
References

The Administrator Accounts Security Planning
Guide http//www.microsoft.com/technet/security/t
opics/serversecurity/administratoraccounts/default
.mspx
The Services and Service Accounts Security
Planning Guide http//www.microsoft.com/downloads/
details.aspx?familyidF4069A30-01D7-43E8-8B30-3799
DB2D9C2Fdisplaylangen

13
2 Zoning

The concept is simple enforce zones of trust
on/within the network
Blue Zone. controlled risk
Orange Zone. reduced risk
Red Zone.. High risk
Why?
Youre clear about what youre going to manage
for security (not EVERYTHING)
Time Opportunity

14
2 Zoning

Firewalls
802.1x use it to control access to the
wired/wireless network
IPSec control end-to-end communication

15
Zoning802.1x at the Border

Standards-based, services and clients built into
newer versions of Windows, but you can
mix-and-match
Components Authentication directory or
directories, RADIUS services, network device
(switch, WAP), client software

16
2 IPSec Domain and Server Isolation

Protect trusted assets from unmanaged, rogue and
guest PCs
Complement to other security mechanisms
(firewall, antivirus, IDS)
Restrict communication to domain-managed computers

17
IPsec Domain And Server Isolation

Two scenarios
Domain isolation
Server isolation
Protects corporate hosts or servers from
unmanaged, rogue, and guest PCs
Allows communication between hosts to be
restricted between domain-managed computers

18
IPsec Domain And Server Isolation (2)

Provides ability to identify and control
communications with critical client or server PCs
Complements other host security mechanisms
Complements network access protections

19
Domain Isolation

Allows host to host communication to be limited
to domain members (managed computers)
Requires IPsec authentication and protection for
any communication with domain members (managed
computers)
Managed computers can initiate communication with
managed and unmanaged computers
Unmanaged computers cannot initiate communication
with managed computers

20
Scenario Domain isolation
21
Server Isolation

Requires IPsec authentication and protection for
communications from hosts to specific servers
Managed computers can initiate communication with
specific servers
Unmanaged computers cannot initiate communication
with specific servers
Group-specific server isolation
Only managed computers that are members of a
specific security group can initiate
communication with specific servers

22
Scenario Server Isolation
23
Additional resources

Microsoft Windows Server 2003 site at
http//www.microsoft.com/ipsec/
How to isolate servers by using Internet
Protocol security Support WebCast (see Knowledge
Base article 889383)

24
2) Zoning