Title: 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security
1 70-293 MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security
2 Objectives
- Describe three types of security
- Plan security configurations for server roles
- Plan network protocol security
- Plan wireless network security
- Define the default security settings used by Windows Server 2003
- Plan a secure baseline for client computers and servers
- Create a plan for software updates
- Ensure secure administrative access
3 Types of Security
- Three commonly used categories are
  - Physical security
  - Network security
  - Data security
4 Physical Security
- Physical security is controlling physical access to the computing devices on your network
  - Who has a key to the server room?
- Prevents users and hackers from physically accessing network resources that they have no legitimate need to touch
- After physical security is in place, software-based security is more effective
5 Network Security
- Network security refers to accessing network-based resources through a computer network
- Tools available for enforcing network security are authentication, IPSec, and firewalls
  - Authentication verifies the identity of users before giving them access to resources
  - IPSec encrypts data packets in transit on the network
  - Firewalls control data movement based on IP addresses and port numbers
- For enhanced security, most organizations use a demilitarized zone (DMZ)
8 Data Security
- Data security mechanisms ensure that only authorized users access sensitive data
- Tools for enforcing data security include
  - NTFS permissions, used to control access to files and folders stored on network servers
  - Share permissions, used to control access to a particular network share
  - Auditing, which allows you to track which users have performed, or attempted to perform, certain actions
  - EFS, which encrypts files that are stored on NTFS partitions
9 Encrypting File System
- EFS (encrypting file system) encrypts files that are stored on NTFS partitions
- When files are stored encrypted, only the user who encrypted them, other designated users, or a designated recovery agent can decrypt and read them
- Certificates used by EFS can be created automatically, through an internal CA or a third-party CA
10 Activity 13-1: Using EFS to Protect Files
- The purpose of this activity is to use EFS to protect files
11 Planning Security Configuration for Server Roles
- General rules for server security are
  - Disable unnecessary services
  - Limit access to the minimum required for users to perform their jobs
  - Use separate administrator accounts for different staff
  - Allow packets to necessary TCP and UDP ports only
12 Securing Domain Controllers
- Some ways to secure domain controllers are
  - Place the domain controller behind a firewall
  - If a VPN is being used, place the VPN in a DMZ
  - Use RADIUS
  - NetBIOS ports should be blocked by a firewall
  - NetBIOS can be disabled on the network connection that is connected to the Internet
13 Securing Web Servers
- Some ways to secure web servers are
  - Web servers should be in a DMZ
  - Web sites that authenticate users or collect sensitive information should run on TCP port 443 using SSL
  - Install the operating system, IIS, and the Web site data on separate hard drive partitions
  - Remove any demonstration scripts that are installed by default on the Web server
  - Disable the ability to run scripts by disabling ASP processing and the processing of all other script types
14 Activity 13-2: Disabling Script Processing in IIS
- The purpose of this activity is to disable processing of scripts in IIS
15 Securing Database Servers
- When securing database servers
  - If you are concerned with protecting the data while it is in transit on the network between the client and the server, use IPSec
  - If the database is used as part of a Web-based application, it is quite common to place the Web server in the DMZ and the SQL server on the internal, private network
  - A database that holds sensitive information should never be on the same server as the Web site
  - If the database runs on a separate server, then the hacker must still find the database
16 Securing Mail Servers
- The only protection you can give a mail server is a firewall
- Mail servers that communicate with the Internet should be placed in the DMZ
- The best way for clients to access e-mail is from a server on the internal network
- Configure a second e-mail server on the internal network that forwards all mail to the mail server in the DMZ
18 Planning Network Protocol Security
- A VPN connection can be used to secure IPX, AppleTalk, and TCP/IP network traffic
- If TCP/IP is used, traffic can also be secured with IPSec or with SSL
19 Using VPNs to Secure Network Traffic
- A VPN is used to secure network traffic for remote users
- All network traffic between the client computer and the VPN server is encrypted
- A VPN can ensure that user access to confidential company information is not monitored by an ISP or hackers
- VPNs can also be used internally on the network to protect network traffic to certain areas of the network
20 Using IPSec to Secure Network Traffic
- IPSec is ideal for securing network traffic because
  - It is very flexible to configure because rules can be configured to protect only certain traffic
  - In addition to performing encryption, IPSec authenticates both computers in the conversation to prevent imposters
  - Applications do not have to be aware of IPSec to use it; any IP-based application can use it
- The major drawback to IPSec is that it does not move through NAT very well
21 Securing Web-based Applications
- Key points concerning SSL (Secure Sockets Layer)
  - It is often used to secure Web-based applications
  - Requires that a certificate be installed on the server to which it is being connected
  - It is a well-recognized, standard protocol
  - It is not platform specific in any way
22 Planning Wireless Network Security
- Concepts regarding wireless security include
  - Wired Equivalent Privacy (WEP)
  - Authorized MAC addresses
  - Using VPNs to secure wireless access
  - 802.1X
  - Microsoft-specific mechanisms for configuring wireless networks
23 Wired Equivalent Privacy
- Wired Equivalent Privacy (WEP) is a protocol built into the 802.11 standards for wireless connectivity
- WEP governs how data can be encrypted while in transit on the wireless network
- WEP is seriously flawed when dealing with motivated hackers
- Wi-Fi Protected Access (WPA) is replacing WEP and fixes most of its flaws
- WPA will be a standard in all newly certified wireless equipment as of January 2004
24 Authorized MAC Addresses
- If you try to communicate with the AP using a wireless card with a MAC address that is not on the list, the AP ignores you
- This prevents access to resources on your network, but is very awkward to implement
- Each AP must be configured with the MAC address of each wireless network card
- Packet sniffers can view MAC addresses and exploit them
25 Using VPNs to Secure Wireless Access
- One easy way to secure a wireless network is to require VPN authentication before allowing access to the main network
- All packets that can be viewed by hackers with wireless connections are encrypted by the VPN
26 The 802.1X Protocol
- The protocol 802.1X is an authentication protocol defined by the IEEE to authenticate wireless users
28 Configuring Wireless Networks
- Many wireless configuration settings are managed by the OS, and can be managed using Group Policy
- In a group policy, you can define Wireless Network (802.11) policies where you can configure
  - The type of wireless networks to access
  - Whether Windows should be used to configure the wireless networks for a client
  - Whether to connect to non-preferred networks
29 Activity 13-3: Creating a Policy for Wireless Workstations
- The purpose of this activity is to create a policy to configure wireless workstations
30 Default Security Settings
- Windows Server 2003 features
  - It is more secure than Windows 2000 Server
  - Only the Administrators group is given Full Control to the file system
  - A minimum of services is installed
31 Default Security Settings (continued)
- Windows Server 2003 features (continued)
  - IIS is not installed by default
  - If IIS is installed after the server installation is complete, script processing must be enabled
- Default security settings for Windows 2003 are configured during installation by applying a security template
- A security template is a group of security settings that can be applied to server or client computers
32 Activity 13-4: Viewing Default Security Settings
- The purpose of this activity is to view the default security settings in Setup security.inf
33 Configuring Client Computers
- Client computers should be divided into categories where specific configuration options and a security template can be developed
- When defining a security template, start by copying one of the predefined templates
- The Security Configuration and Analysis snap-in can analyze and configure client computers from a GUI
34 Configuring Servers
- Servers should be categorized and grouped to assist in applying security settings
- Because servers are more likely to hold sensitive data than workstations, their settings are likely to be more restrictive for
  - Password policies
  - Account lockout policy
  - Users performing local logons
  - Auditing, limiting services
  - Restricting file
  - Registry permissions
35 Activity 13-5: Analyzing Security
- The purpose of this activity is to compare the default security level of your server to the hisecws.inf template
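
The kind of comparison Activity 13-5 performs in the Security Configuration and Analysis snap-in can be sketched in code. This is an added example, not part of the original slides or of Microsoft's tooling: the two template fragments are constructed sample values (not the contents of Setup security.inf or hisecws.inf), and the function names are hypothetical.

```python
import configparser

# Constructed fragments in security-template (.inf) syntax. The values are
# illustrative only, not the contents of Setup security.inf or hisecws.inf.
BASELINE_INF = """\
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 1
"""
TARGET_INF = """\
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
"""
HIGHER_IS_STRICTER = {"MinimumPasswordLength", "PasswordComplexity", "PasswordHistorySize"}
LOWER_IS_STRICTER = {"MaximumPasswordAge", "LockoutBadCount"}  # 0 or -1 = disabled

def parse_template(text):
    """Return {(section, key): int} for the numeric settings in a template."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written in the template
    cp.read_string(text)
    return {(s, k): int(v) for s in cp.sections() for k, v in cp[s].items()
            if v.lstrip("-").isdigit()}

def meets(section, key, have, want):
    """True when the current value is at least as strict as the template's."""
    if section == "Event Audit":      # bit 1 = audit success, bit 2 = audit failure
        return (have & want) == want
    if key in HIGHER_IS_STRICTER:
        return have >= want
    if key in LOWER_IS_STRICTER:      # a disabled current value never satisfies a limit
        return want <= 0 or 0 < have <= want
    return have == want               # unknown setting: require an exact match

def find_gaps(current, target):
    """List (section, key, current, template) where current is weaker or missing."""
    return [(s, k, current.get((s, k)), want)
            for (s, k), want in sorted(target.items())
            if (s, k) not in current or not meets(s, k, current[(s, k)], want)]

if __name__ == "__main__":
    print(find_gaps(parse_template(BASELINE_INF), parse_template(TARGET_INF)))
```

Each reported tuple names a setting where the current configuration is weaker than the template, which is the same information the snap-in flags after an analysis.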
36 Software Updates
- Systems must be fully patched because viruses take advantage of known flaws in operating systems and applications for which there are patches available
- To help administrators keep systems patched, Microsoft has released a number of tools
  - Windows Update
  - Automatic Updates
  - Software Update Services
  - Microsoft Baseline Security Analyzer
  - Hfnetchk
37 Windows Update
- Windows Update is a Web site that administrators and users can visit to find out which updates are available for their systems
- Windows Update
  - Automatically checks for the files that are needed
  - Downloads them
  - Installs them
38 Automatic Updates
- Automatic Updates is a service that runs on Windows clients and servers that makes the process of downloading and installing hotfixes automatic
- Automatic Updates is a significant improvement over Windows Update because it is automatic and configurable
- This takes a significant load off of administrators
- It is not very efficient because all downloads are from the Internet
39 Activity 13-6: Configuring Automatic Updates
- The purpose of this activity is to configure Automatic Updates to download and install patches automatically
40 Software Update Services (SUS)
- SUS is a service available for Windows 2000 and Windows Server 2003
- Automatically downloads the latest hotfixes and service packs from the Windows Update Web site
- Client computers on your network then can download the hotfixes and service packs from a local server on the network instead of the Internet
- Internet traffic is reduced
41 Microsoft Baseline Security Analyzer
- The Microsoft Baseline Security Analyzer (MBSA) is a tool that verifies security updates on a wide variety of Microsoft operating systems and applications
- MBSA can scan a single machine or an entire group of computers on the network
42 Hfnetchk
- Hfnetchk is an older command-line utility for verifying patch levels on Windows clients and servers
- It is no longer offered by Microsoft as a stand-alone utility
- The functionality of Hfnetchk is now only available in MBSA
43 Securing Administrative Access
- Administrators should maintain two accounts
  - One for day-to-day work with limited permissions (like an average user)
  - One with elevated privileges and permissions that are required for administration of the network
- Most network administrators find it cumbersome to log on and off of the network as they switch between tasks
- Windows Server 2003 allows administrators to run individual applications as a different user
44 Summary
- Three types of security are physical security, network security, and data security
- EFS (encrypting file system) encrypts files that are stored on NTFS partitions
- Securing all servers includes the following
  - Disabling unnecessary services
  - Limiting access to the minimum required for users to perform their jobs
  - Using separate administrator accounts for different staff
  - Allowing packets to necessary TCP and UDP ports only
45 Summary (continued)
- Domain controllers should not be exposed to traffic from the Internet and should not be located in a DMZ
- Web servers that are accessible from the Internet should be located in a DMZ
- Database servers should be on the internal network
- Mail servers must be accessible from the Internet and should be located in a DMZ
- A VPN can be used to secure network traffic for IP, IPX, and AppleTalk packets
46 Summary (continued)
- Common standards for wireless networks are 802.11b and 802.11g
- Default security settings for Windows Server 2003 are much more secure than Windows 2000 Server
- Software updates can be managed using
  - Windows Update
  - Automatic Updates
  - SUS
  - MBSA