70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security

1
70-293 MCSE Guide to Planning a Microsoft
Windows Server 2003 Network, Enhanced Chapter
13 Planning Server and Network Security
2
Objectives

• Describe three types of security
• Plan security configurations for server roles
• Plan network protocol security
• Plan wireless network security
• Define the default security settings used by
  Windows Server 2003
• Plan a secure baseline for client computers and
  servers
• Create a plan for software updates
• Ensure secure administrative access

3
Types of Security

• Three commonly used categories are
• Physical security
• Network security
• Data security

4
Physical Security

• Physical security is controlling physical access
  to the computing devices on your network
• Who has a key to the server room?
• Prevents users and hackers from physically
  accessing network resources that they have no
  legitimate need to touch
• After physical security is in place,
  software-based security is more effective

5
Network Security

• Network security refers to accessing
  network-based resources through a computer
  network
• Tools available for enforcing network security
  are Authentication, IPSec and Firewalls
• Authentication verifies the identity of users
  before giving them access to resources
• IPSec encrypts data packets in transit on the
  network
• Firewalls control data movement based on IP
  addresses and port numbers
• For enhanced security, most organizations use a
  demilitarized zone (DMZ)

6
Network Security (continued)
7
Network Security (continued)
8
Data Security

• Data security mechanisms to ensure only
  authorized users access sensitive data
• Tools for enforcing data security include
• NTFS permissions used to control access to files
  and folders stored on network servers
• Share permissions used to control access to a
  particular network share
• Auditing allows you to track which users have
  performed, or attempted to perform, certain
  actions
• EFS encrypts files that are stored on NTFS
  partitions

9
Encrypting File System

• EFS (encrypting file system) encrypts files that
  are stored on NTFS partitions
• When files are stored encrypted, only the user
  who encrypted them, other designated users, or a
  designated recovery agent can decrypt and read
  them
• Certificates used by EFS can be created
  automatically, through an internal CA or a third
  party CA

10
Activity 13-1 Using EFS to Protect Files

• The purpose of this activity is to use EFS to
  protect files

11
Planning Security Configuration for Server Roles

• General rules for server security are
• Disable unnecessary services
• Limit access to the minimum required for users to
  perform their jobs
• Use separate administrator accounts for different
  staff
• Allow packets to necessary TCP and UDP ports only

12
Securing Domain Controllers

• Some ways to secure domain controllers are
• Place domain controller behind firewall
• If VPN is being used, place the VPN in a DMZ
• Use RADIUS
• NetBIOS ports should be blocked by a firewall
• NetBIOS can be disabled on the network connection
  that is connected to the Internet

13
Securing Web Servers

• Some ways to secure web servers are
• Web servers should be in a DMZ
• Web sites that authenticate users or collect
  sensitive information should run on TCP port 443
  using SSL
• install the operating system, IIS, and the Web
  site data on separate hard drive partitions
• remove any demonstration scripts that installed
  by default on the Web server
• disable the ability to run scripts by disabling
  ASP processing and the processing of all other
  script types

14
Activity 13-2 Disabling Script Processing in IIS

• The purpose of this activity is to disable
  processing of scripts in IIS

15
Securing Database Servers

• When securing database servers
• If concerned with protecting the data while it is
  in transit on the network between the client and
  the server, use IPSec
• If database is used as part of a Web-based
  application, it is quite common to place the Web
  server in the DMZ and the SQL server on the
  internal, private network
• A database that holds sensitive information
  should never be on the same server as the Web
  site
• If the database runs on a separate server, then
  the hacker must still find the database

16
Securing Mail Servers

• The only protection you can give a mail server is
  a firewall
• Mail servers that communicate with the Internet
  should be placed in the DMZ
• The best way for clients to access e-mail is from
  a server on the internal network
• Configure a second e-mail server on the internal
  network that forwards all mail to the mail server
  in the DMZ

17
Securing Mail Servers (continued)
18
Planning Network Protocol Security

• A VPN connection can be used to secure IPX,
  AppleTalk, and TCP/IP network traffic
• If TCP/IP is used, traffic can also be secured
  with IPSec or with SSL

19
Using VPNs to Secure Network Traffic

• A VPN is used to secure network traffic for
  remote users
• All network traffic between the client computer
  and the VPN server is encrypted
• A VPN can ensure that user access to confidential
  company information is not monitored by an ISP or
  hackers
• VPNs can also be used internally on the network
  to protect network traffic to certain areas of
  the network

20
Using IPSec to Secure Network Traffic

• IPSec is ideal for securing network traffic
  because
• It is very flexible to configure because rules
  can be configured to protect only certain traffic
• In addition to performing encryption, IPSec
  authenticates both computers in the conversation
  to prevent imposters
• Applications do not have to be aware of IPSec to
  use it - any IP-based application can use it
• The major drawback to IPSec is that it does not
  move through NAT very well

21
Securing Web-based Applications

• Key points concerning SSL (Secure Sockets Layer)
• It is often used to secure Web-based applications
• Requires that a certificate be installed on the
  server to which it is being connected
• It is a well-recognized, standard protocol
• It is not platform specific in any way

22
Planning Wireless Network Security

• Concepts regarding wireless security include
• Wired Equivalent Protocol
• Authorized MAC addresses
• Using VPNs to secure wireless access
• 802.1X
• Microsoft-specific mechanisms for configuring
  wireless networks

23
Wired Equivalent Protocol

• Wired Equivalent Privacy (WEP) is a protocol
  built into the 802.11 standards for wireless
  connectivity
• WEP governs how data can be encrypted while in
  transit on the wireless network
• WEP is seriously flawed when dealing with
  motivated hackers
• WiFi Protected Access (WPA), is replacing WEP and
  fixes most of its flaws
• WPA will be a standard in all newly certified
  wireless equipment as of January 2004

24
Authorized MAC Addresses

• If you try to communicate with the AP using a
  wireless card with a MAC address that is not on
  the list, the AP ignores you
• This prevents access to resources on your
  network, but is very awkward to implement
• Each AP must be configured with the MAC address
  of each wireless network card
• Packet sniffers can view MAC addresses and
  exploit them

25
Using VPNs to Secure Wireless Access

• One easy way to secure a wireless network is to
  require VPN authentication before allowing access
  to the main network
• All packets that can be viewed by hackers with
  wireless connections are encrypted by the VPN

26
The 802.1X Protocol

• The protocol 802.1X is an authentication protocol
  defined by the IEEE to authenticate wireless users

27
The 802.1X Protocol (continued)
28
Configuring Wireless Networks

• Many wireless configuration settings are managed
  by the OS, and can be managed using Group Policy
• In a group policy, you can define Wireless
  Network (802.11) policies where you can
  configure
• The type of wireless networks to access
• Whether Windows should be used to configure the
  wireless networks for a client
• Whether to connect to non preferred networks

29
Activity 13-3 Creating a Policy for Wireless
Workstations

• The purpose of this activity is to create a
  policy to configure wireless workstations

30
Default Security Settings

• Windows Server 2003 features
• It is more secure than Windows Server 2000
• Only the Administrators group is given Full
  Control to the file system
• A minimum of services is installed

31
Default Security Settings (continued)

• Windows Server 2003 features (continued)
• IIS is not installed by default
• If IIS is installed after the server installation
  is complete, script processing must be enabled
• Default security settings for Windows 2003 are
  configured during installation by applying a
  security template
• A security template is a group of security
  settings that can be applied to server or client
  computers

32
Activity 13-4 Viewing Default Security Settings

• The purpose of this activity is to view the
  default security settings in Setup security.inf

33
Configuring Client Computers

• Client computers should be divided into
  categories where specific configuration options
  and a security template can be developed
• When defining a security template, start by
  copying one of the predefined templates
• The Security Configuration and Analysis snap-in
  can analyze and configure client computers from a
  GUI

34
Configuring Servers

• Servers should be categorized and grouped to
  assist in applying security settings
• Servers are more likely to hold sensitive data
  than workstations, their settings are likely to
  be more restrictive for
• Password policies
• Account lockout policy
• Users performing local logons
• Auditing, limiting services
• Restricting file
• Registry permissions

35
Activity 13-5 Analyzing Security

• The purpose of this activity is to compare the
  default security level of your server to the
  hisecws.inf template

36
Software Updates

• Systems must be fully patched because viruses
  take advantage of known flaws in operating
  systems and applications for which there are
  patches available
• To help administrators keep systems patched,
  Microsoft has released a number of tools
• Windows Update
• Automatic Updates
• Software Update Services
• Microsoft Baseline Security Analyzer
• Hfnetchk

37
Windows Update

• Windows Update is a Web site that administrators
  and users can visit to find out which updates are
  available for their systems
• Windows Update
• Automatically checks for the files that are
  needed
• Downloads them
• Installs them

38
Automatic Updates

• Automatic Updates is a service that runs on
  Windows clients and servers that makes the
  process of downloading and installing hotfixes
  automatic
• Automatic Updates is a significant improvement
  over Windows Update because it is automatic and
  configurable
• This takes a significant load off of
  administrator
• It is not very efficient because all downloads
  are from the Internet

39
Activity 13-6 Configuring Automatic Updates

• The purpose of this activity is to configure
  Automatic Updates to download and install patches
  automatically

40
Software Update Services (SUS)

• SUS is a service available for Windows 2000 and
  Windows Server 2003
• Automatically downloads the latest hotfixes and
  service packs from the Windows Update Web site
• Client computers on your network then can
  download the hotfixes and service packs from a
  local server on the network instead of the
  Internet
• Internet traffic is reduced

41
Microsoft Baseline Security Analyzer

• The Microsoft Baseline Security Analyzer (MBSA)
  is a tool that verifies security updates on a
  wide variety of Microsoft operating systems and
  applications
• MBSA can scan a single machine or an entire group
  of computers on the network

42
Hfnetchk

• Hfnetchk is an older command-line utility for
  verifying patch levels on Windows clients and
  servers
• It is no longer offered by Microsoft as a
  stand-alone utility
• The functionality of Hfnetchk is now only
  available in MBSA

43
Securing Administrative Access

• Administrators should maintain two accounts
• One for day-to-day work with limited permission
  (like an average user)
• One with elevated privileges and permissions that
  are required for administration of the network
• Most network administrators find it cumbersome to
  log on and off of the network as they switch
  between tasks Windows Server 2003 allows
  administrators to run individual applications as
  a different user

44
Summary

• Three types of security are physical security,
  network security and data security
• EFS (encrypting file system) encrypts files that
  are stored on NTFS partitions
• Securing all servers includes the following
• Disabling unnecessary services
• Limiting access to the minimum required for users
  to perform their jobs
• Using separate administrator accounts for
  different staff, and allow packets to necessary
  TCP and UDP ports only

45
Summary (continued)

• Domain controllers should not be exposed to
  traffic from the Internet and should not be
  located in a DMZ
• Web servers that are accessible from the Internet
  should be located in a DMZ
• Database servers should be on the internal
  network
• Mail servers must be accessible from the Internet
  and should be located in a DMZ
• A VPN can be used to secure network traffic for
  IP, IPX, and AppleTalk packets

46
Summary (continued)

• Common standards for wireless networks are
  802.11b and 802.11g
• Default security settings for Windows Server 2003
  are much more secure than Windows 2000 Server
• Software updates can be managed using
• Windows Update
• Automatic Updates
• SUS
• MBSA