70-298: MCSE Guide to Designing Security for a Microsoft Windows Server 2003 Network
Description:
70-298: MCSE Guide to Designing Security for a Microsoft Windows Server 2003 Network ... Can use certificate authority (CA) certificates. Uses CryptoAPI architecture ... – PowerPoint PPT presentation
Title: 70-298: MCSE Guide to Designing Security for a Microsoft Windows Server 2003 Network
1 70-298 MCSE Guide to Designing Security for a Microsoft Windows Server 2003 Network
Chapter 9Securing Network Resources
2 Exam Objectives
4.2 Design an access control strategy for files and folders
4.2.4 Analyze auditing requirements
4.3.2 Analyze auditing requirements
4.3 Design an access control strategy for the registry
4.3.1 Design a permission structure for registry objects
3 Exam Objectives (continued)
4.2.1 Design a strategy for the encryption and decryption of files and folders
4.2.3 Design security for a backup and recovery strategy
4 Introduction
Windows permissions are discretionary
Design a permission scheme that provides sufficient access for end users to do their jobs
But not unnecessary permissions that might affect the security of the overall network
Default permission structure
Change defaults to meet the organizations needs
5 Introduction (continued)
Common risks to file shares
Data corruption caused by viruses
Security breaches arising from incorrectly assigned permissions
Best practices for securing Windows Registry
Encrypted File System (EFS)
Design a secure backup and recovery strategy for network resources
6 Designing an Access ControlStrategy for Files and Folders
Fundamental element of data security
Controlling access to information
Steps
Authorizing users to gain access to network
Controlling what data users can access
Objects are managed via access control lists (ACLs), which designate
Which users and groups can access objects
In what manner users and groups can access objects
7 Designing an Access ControlStrategy for Files and Folders
Format disk volumes with the NTFS file format
Provides the ability to control access to files at a very granular level
Enables the ability to audit access to files
8 Analyzing Risks to Data
Physical loss of data
Data corruption
Data modification or corruption from viruses and other attacks
Security breaches due to incorrectly configured permissions
Auditing practices
9 Reviewing Access Controland Access Control Lists
Access control
Defines which users, groups, and computers can access particular network resources
Comprised of
Permissions
User rights
Object auditing
10 Reviewing Access Controland Access Control Lists (continued)
Access Control Lists
Control access to resources
Types
Discretionary (DACL)
System (SACL)
11 Reviewing Access Controland Access Control Lists (continued)
Access Control Entry
Entry in an ACL
Contains a security ID (SID) for a user or group
Contains access mask that specifies which actions are
Granted
Denied
Audited
12 Access Control List with Access Control Entries 13 Access Mask Compared with Access Request 14 Groups
Security groups
Created to manage access and other security-related functions
Contain
User accounts
Computer accounts
Other group accounts
15 Groups (continued)
Security groups
Scopes include
Local
Domain local
Global
Universal
16 Groups (continued)
Distribution groups
Used for mailing lists only
No security function
Account groups
Members are user accounts or computer accounts that require the same permissions for a resource
Resource groups
Security group added to the ACL of a resource that has been granted (or denied) specific permissions
17 Access to Resources
Methods for controlling access
User/ACL
Account group/ACL
Account group/resource group
Role-based authorization
18 Benefits and Limitations of User/ACL Method 19 Benefits and Limitations of the Account Group/ACL Method 20 Benefits and Limitations of the AG/RG Method 21 Benefit and Limitations of Role-Based Authorization Method 22 Selecting Domain Local Groups or Local Groups as Resource Groups
Domain local groups
Can be accessed anywhere on the domain
Many groups must be defined
More difficult to retire groups
May overflow access token buffer size if users belong to over 120 groups
Local groups
Must create groups on many different computers
23 Working with Security Groups
Tasks
Defining a security group creation policy
Defining a security group request process
Defining a security group naming policy
Defining a security group nesting policy
Defining a security group retirement policy
Delegating security group maintenance
Delegating resource group maintenance
24 Defining a Security Group Request Process
Requests should include
Group owner
Purpose and scope of group
Proposed membership
Relationship to other groups
Expected lifetime of group
25 Defining a Security Group Naming Policy
Include groups scope, purpose, and owner in name and description
Conform to hierarchy structure
Name and description combined should be less than 256 characters
Use abbreviations if practical
Helpful to use the business organization as a basis for naming conventions
26 Nested Group Hierarchy 27 Exercise 9.01LDAP Query For Obsolete Groups
Identify obsolete groups
Membership has not changed for a period of time
Use Active Directory Users and Computers
Good practice
Disable a group for a specified period of time
Deleting groups is a permanent step
Recovering from the inadvertent removal of a group could be time consuming
28 Delegating Security Group Maintenance
In large organizations
Task of maintaining security groups is typically divided up
Delegated to members of the organization who are not in the IT Department
Resource owner should manage ACLs on the resource
29 Delegating Account andResource Group Maintenance
Those to whom delegation is granted must be reliable and highly trusted employees
Should be given clear guidelines to help them maintain a secure environment
Control and monitor who is a member of the group to whom youve delegated control
30 Delegating Account andResource Group Maintenance (continued)
Methods
Delegation of Control Wizard
Authorization Manager snap-in in the MMC
Access Control List Editor
31 Analyzing Auditing Requirements
Identify types of attacks the system might be vulnerable to
Identify audit events that would help determine if the system were successfully or unsuccessfully attacked
Important to monitor both unsuccessful and successful events
32 Analyzing Auditing Requirements (continued)
Audit
Logon events
Account logon events
Directory Service access events
Privilege use events
Object access events
System events
Process tracking events
Policy change events
33 Design an AccessControl Strategy for the Registry
Registry is given a high level of security by default
Only administrators can access the entire Registry
Apply security to the Registry via Group Policy
Computer must be joined to a domain
Use settings provided in predefined security templates
securedc.inf
Can apply a portion of the template rather than the whole thing
34 Designing the Encrypted File System
EFS
Used to encrypt files and folders on an NTFS formatted volume
Transparent to a user
Notably slow the first time it is used
Uses keys for encrypting and decrypting data
Can use certificate authority (CA) certificates
Uses CryptoAPI architecture
35 Designing the Encrypted File System (continued)
Recovery agent
User accounts are issued recovery agent certificates with public keys and private keys
Used for EFS data recovery operations
Can be multiple recovery agent accounts for an EFS file
Be aware of the EFS behaviors
36 Designing the Encrypted File System (continued)
EFS best practices
Encrypt entire folders rather than individual files
Manage private keys to maintain file security
Provide the security and reliability of data at all times
New features in Windows Server 2003
Stronger encryption algorithms with larger keys
Multiple users can share encrypted files
Offline files can be encrypted through EFS
Web folders and files can now be encrypted
37 Exercise 9.05Implementing EFS on the Local Computer 38 EFS
Certificate storage
Certificate enrollment and renewal
Use cipher.exe
39 Structure of an Encrypted File 40 Creating a Strategy for the Encryption and Decryption of Files and Folders
Increase user awareness
Department should identify which files or types of files are most sensitive
Secure recovery agent certificates
Configure file recovery agents
EFS requires an Encrypted Data Recovery Agent policy be defined before it can be used
41 Creating a Strategy for the Encryption and Decryption of Files and Folders (continued)
Recover files
Back up keys
Use Certificates snap-in in the MMC
Disable EFS
Third-party encryption options
Third-party data encryption program
Third-party certificates with EFS
42 Designing Security fora Backup and Recovery Strategy
Backing up and restoring data is a failsafe option
Can enhance security in an organization
43 Securing the Backup and Restore Process
Growing trends
Offsite storage locations
Disk-based systems
Co-location
Data stored both on site and mirrored at another site
44 Safeguarding Your Systems 45 Designing a Secure Backup Process
Includes
Planning the backup process
Storing backup media
Assigning (and monitoring) backup and restore rights
Best practices for backups
Create an Automated System Recovery backup set
Update the ASR every time significant changes occur
Use the Automated System Recovery Wizard
46 Disaster Recovery Best Practices
Disaster recovery includes
Creating backups
Creating recovery options
Using repair and recovery tools
Include an assessment of the most likely risks to the business and its data
47 In-Band and Out-of-Band Management
In-band
Refers to two computers that can connect using normal network services
Available only when a computer is fully initialized and functioning properly
Out-of-band
Refers to a connection that can be made when a remote computer is not working properly
48 Securing Emergency Management Services
Console redirection
Computer receives keyboard input from a remote computer
Responds with output to the remote computers monitor
PowerShow.com is a leading presentation sharing website. It has millions of presentations already uploaded and available with 1,000s more being uploaded by its users every day. Whatever your area of interest, here you’ll be able to find and view presentations you’ll love and possibly download. And, best of all, it is completely free and easy to use.
You might even have a presentation you’d like to share with others. If so, just upload it to PowerShow.com. We’ll convert it to an HTML5 slideshow that includes all the media types you’ve already added: audio, video, music, pictures, animations and transition effects. Then you can share it with your target audience as well as PowerShow.com’s millions of monthly visitors. And, again, it’s all free.
About the Developers
PowerShow.com is brought to you by CrystalGraphics, the award-winning developer and market-leading publisher of rich-media enhancement products for presentations. Our product offerings include millions of PowerPoint templates, diagrams, animated 3D characters and more.