70-298: MCSE Guide to Designing Security for a Microsoft Windows Server 2003 Network - PowerPoint PPT Presentation

Provided by: conest

Transcript and Presenter's Notes

1
70-298 MCSE Guide to Designing Security for a
Microsoft Windows Server 2003 Network
  • Chapter 9: Securing Network Resources

2
Exam Objectives
  • 4.2 Design an access control strategy for files
    and folders
  • 4.2.4 Analyze auditing requirements
  • 4.3.2 Analyze auditing requirements
  • 4.3 Design an access control strategy for the
    registry
  • 4.3.1 Design a permission structure for registry
    objects

3
Exam Objectives (continued)
  • 4.2.1 Design a strategy for the encryption and
    decryption of files and folders
  • 4.2.3 Design security for a backup and recovery
    strategy

4
Introduction
  • Windows permissions are discretionary
  • Design a permission scheme that provides
    sufficient access for end users to do their jobs
    • But not unnecessary permissions that might affect
      the security of the overall network
  • Default permission structure
    • Change defaults to meet the organization's needs

5
Introduction (continued)
  • Common risks to file shares
    • Data corruption caused by viruses
    • Security breaches arising from incorrectly
      assigned permissions
  • Best practices for securing the Windows Registry
  • Encrypted File System (EFS)
  • Design a secure backup and recovery strategy for
    network resources

6
Designing an Access Control Strategy for Files
and Folders
  • Fundamental element of data security
    • Controlling access to information
  • Steps
    • Authorizing users to gain access to the network
    • Controlling what data users can access
  • Objects are managed via access control lists
    (ACLs), which designate
    • Which users and groups can access objects
    • In what manner users and groups can access objects

7
Designing an Access Control Strategy for Files
and Folders
  • Format disk volumes with the NTFS file format
  • Provides the ability to control access to files
    at a very granular level
  • Enables the ability to audit access to files

8
Analyzing Risks to Data
  • Physical loss of data
  • Data corruption
  • Data modification or corruption from viruses and
    other attacks
  • Security breaches due to incorrectly configured
    permissions
  • Auditing practices

9
Reviewing Access Control and Access Control Lists
  • Access control
    • Defines which users, groups, and computers can
      access particular network resources
    • Comprised of
      • Permissions
      • User rights
      • Object auditing

10
Reviewing Access Control and Access Control Lists
(continued)
  • Access Control Lists
    • Control access to resources
    • Types
      • Discretionary (DACL)
      • System (SACL)

11
Reviewing Access Control and Access Control Lists
(continued)
  • Access Control Entry
    • Entry in an ACL
    • Contains a security ID (SID) for a user or group
    • Contains an access mask that specifies which
      actions are
      • Granted
      • Denied
      • Audited

12
Access Control List with Access Control Entries
13
Access Mask Compared with Access Request
14
Groups
  • Security groups
    • Created to manage access and other
      security-related functions
    • Contain
      • User accounts
      • Computer accounts
      • Other group accounts

15
Groups (continued)
  • Security groups
    • Scopes include
      • Local
      • Domain local
      • Global
      • Universal

16
Groups (continued)
  • Distribution groups
    • Used for mailing lists only
    • No security function
  • Account groups
    • Members are user accounts or computer accounts
      that require the same permissions for a resource
  • Resource groups
    • Security group added to the ACL of a resource
      that has been granted (or denied) specific
      permissions

17
Access to Resources
  • Methods for controlling access
    • User/ACL
    • Account group/ACL
    • Account group/resource group
    • Role-based authorization

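The ACE and access-mask evaluation from slides 11 to 13, and the account group/resource group (AG/RG) method listed above, as an added Python example that is not part of the course slides: a simplified DACL check plus flattening of nested group membership into the SIDs an access token carries. The mask bit values, group names and DACL are constructed for illustration, not taken from Windows.

```python
from collections import namedtuple
READ, WRITE, DELETE = 0x1, 0x2, 0x4  # constructed mask bits, not real Windows values
# ACE: trustee SID (constructed group names stand in for SIDs), access mask,
# and allow=True for an access-allowed ACE / False for an access-denied ACE.
ACE = namedtuple("ACE", "sid mask allow")

def check_access(dacl, token_sids, requested):
    """Simplified Windows DACL check: walk ACEs in order, ignoring ACEs whose SID
    is not in the token. A deny ACE covering any still-needed bit fails the
    request; allow ACEs accumulate bits until every requested bit is granted.
    An empty DACL grants nothing; a missing (None) DACL grants everything."""
    if dacl is None:
        return True
    remaining = requested
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        if not ace.allow and ace.mask & remaining:
            return False
        if ace.allow:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0

def expand_token(principal, memberships):
    """Flatten nested membership (user -> account group -> resource group) into
    the set of SIDs the user's access token would carry."""
    sids, stack = {principal}, [principal]
    while stack:
        for group in memberships.get(stack.pop(), ()):
            if group not in sids:
                sids.add(group)
                stack.append(group)
    return sids

# Constructed directory: account groups (AG-*) are nested into resource groups
# (RG-*), and only resource groups appear in the share's DACL.
MEMBERSHIPS = {
    "alice": ["AG-Finance"],
    "bob": ["AG-Finance", "AG-Contractors"],
    "AG-Finance": ["RG-Budget-Modify"],
    "AG-Contractors": ["RG-Budget-NoDelete"],
}
BUDGET_DACL = [  # constructed; explicit deny first, as in canonical ACE order
    ACE("RG-Budget-NoDelete", DELETE, allow=False),
    ACE("RG-Budget-Modify", READ | WRITE | DELETE, allow=True),
]

def can(user, requested, dacl=BUDGET_DACL):
    # Would `user` be granted `requested` rights on the constructed Budget share?
    return check_access(dacl, expand_token(user, MEMBERSHIPS), requested)
```

Bob is in both account groups, so the explicit deny on RG-Budget-NoDelete blocks his delete requests while read and write still succeed; Carol belongs to no group on the ACL and gets nothing.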
18
Benefits and Limitations of User/ACL Method
19
Benefits and Limitations of the Account Group/ACL
Method
20
Benefits and Limitations of the AG/RG Method
21
Benefit and Limitations of Role-Based
Authorization Method
22
Selecting Domain Local Groups or Local Groups as
Resource Groups
  • Domain local groups
    • Can be accessed anywhere in the domain
    • Many groups must be defined
    • More difficult to retire groups
    • May overflow the access token buffer size if users
      belong to over 120 groups
  • Local groups
    • Must create groups on many different computers

23
Working with Security Groups
  • Tasks
    • Defining a security group creation policy
    • Defining a security group request process
    • Defining a security group naming policy
    • Defining a security group nesting policy
    • Defining a security group retirement policy
    • Delegating security group maintenance
    • Delegating resource group maintenance

24
Defining a Security Group Request Process
  • Requests should include
    • Group owner
    • Purpose and scope of group
    • Proposed membership
    • Relationship to other groups
    • Expected lifetime of group

25
Defining a Security Group Naming Policy
  • Include the group's scope, purpose, and owner in its
    name and description
  • Conform to the hierarchy structure
  • Name and description combined should be less than
    256 characters
  • Use abbreviations if practical
  • Helpful to use the business organization as a
    basis for naming conventions

26
Nested Group Hierarchy
27
Exercise 9.01: LDAP Query for Obsolete Groups
  • Identify obsolete groups
    • Membership has not changed for a period of time
    • Use Active Directory Users and Computers
  • Good practice
    • Disable a group for a specified period of time
    • Deleting groups is a permanent step
    • Recovering from the inadvertent removal of a
      group could be time consuming

28
Delegating Security Group Maintenance
  • In large organizations
    • Task of maintaining security groups is typically
      divided up
    • Delegated to members of the organization who are
      not in the IT Department
  • Resource owner should manage ACLs on the resource

29
Delegating Account and Resource Group Maintenance
  • Those to whom delegation is granted must be
    reliable and highly trusted employees
  • Should be given clear guidelines to help them
    maintain a secure environment
  • Control and monitor who is a member of the group
    to whom you've delegated control

30
Delegating Account and Resource Group Maintenance
(continued)
  • Methods
    • Delegation of Control Wizard
    • Authorization Manager snap-in in the MMC
    • Access Control List Editor

31
Analyzing Auditing Requirements
  • Identify types of attacks the system might be
    vulnerable to
  • Identify audit events that would help determine
    if the system were successfully or unsuccessfully
    attacked
  • Important to monitor both unsuccessful and
    successful events

32
Analyzing Auditing Requirements (continued)
  • Audit
    • Logon events
    • Account logon events
    • Directory Service access events
    • Privilege use events
    • Object access events
    • System events
    • Process tracking events
    • Policy change events

33
Design an Access Control Strategy for the Registry
  • Registry is given a high level of security by
    default
    • Only administrators can access the entire
      Registry
  • Apply security to the Registry via Group Policy
    • Computer must be joined to a domain
  • Use settings provided in predefined security
    templates
    • securedc.inf
    • Can apply a portion of the template rather than
      the whole thing

34
Designing the Encrypted File System
  • EFS
    • Used to encrypt files and folders on an NTFS
      formatted volume
    • Transparent to a user
    • Notably slow the first time it is used
    • Uses keys for encrypting and decrypting data
    • Can use certificate authority (CA) certificates
    • Uses CryptoAPI architecture

35
Designing the Encrypted File System (continued)
  • Recovery agent
    • User accounts are issued recovery agent
      certificates with public keys and private keys
    • Used for EFS data recovery operations
    • Can be multiple recovery agent accounts for an
      EFS file
  • Be aware of the EFS behaviors

36
Designing the Encrypted File System (continued)
  • EFS best practices
    • Encrypt entire folders rather than individual
      files
    • Manage private keys to maintain file security
    • Provide the security and reliability of data at
      all times
  • New features in Windows Server 2003
    • Stronger encryption algorithms with larger keys
    • Multiple users can share encrypted files
    • Offline files can be encrypted through EFS
    • Web folders and files can now be encrypted

37
Exercise 9.05: Implementing EFS on the Local
Computer
38
EFS
  • Certificate storage
  • Certificate enrollment and renewal
  • Use cipher.exe

39
Structure of an Encrypted File
40
Creating a Strategy for the Encryption and
Decryption of Files and Folders
  • Increase user awareness
    • Department should identify which files or types
      of files are most sensitive
  • Secure recovery agent certificates
  • Configure file recovery agents
    • EFS requires an Encrypted Data Recovery Agent
      policy be defined before it can be used

41
Creating a Strategy for the Encryption and
Decryption of Files and Folders (continued)
  • Recover files
  • Back up keys
    • Use the Certificates snap-in in the MMC
  • Disable EFS
  • Third-party encryption options
    • Third-party data encryption program
    • Third-party certificates with EFS

42
Designing Security for a Backup and Recovery
Strategy
  • Backing up and restoring data is a failsafe
    option
  • Can enhance security in an organization

43
Securing the Backup and Restore Process
  • Growing trends
    • Offsite storage locations
    • Disk-based systems
    • Co-location
      • Data stored both on site and mirrored at another
        site

44
Safeguarding Your Systems
45
Designing a Secure Backup Process
  • Includes
    • Planning the backup process
    • Storing backup media
    • Assigning (and monitoring) backup and restore
      rights
  • Best practices for backups
    • Create an Automated System Recovery (ASR) backup
      set
    • Update the ASR set every time significant changes
      occur
    • Use the Automated System Recovery Wizard

46
Disaster Recovery Best Practices
  • Disaster recovery includes
    • Creating backups
    • Creating recovery options
    • Using repair and recovery tools
  • Include an assessment of the most likely risks to
    the business and its data

47
In-Band and Out-of-Band Management
  • In-band
    • Refers to two computers that can connect using
      normal network services
    • Available only when a computer is fully
      initialized and functioning properly
  • Out-of-band
    • Refers to a connection that can be made when a
      remote computer is not working properly

48
Securing Emergency Management Services
  • Console redirection
    • Computer receives keyboard input from a remote
      computer
    • Responds with output to the remote computer's
      monitor
  • Special Administration Console (SAC)
    • Primary Emergency Management Services
      command-line environment
    • Not secured by a password or logon requirements
    • Physical access must be restricted

49
Securing Emergency Management Services (continued)
  • !Special Administration Console (!SAC)
    • Abbreviated version of SAC
  • Enable Emergency Management Services
  • Configure headless servers
  • Use terminal concentrators
  • Use uninterruptible power supplies

50
Securing the Remote Management Process
  • Develop a remote management plan
  • Ensure out-of-band security
  • Employ best practices for securing Emergency
    Management Services
  • Secure the Recovery Console
  • Specify startup options for computers

51
Summary
  • User access can be managed via one of several
    different frameworks, including
    • User/ACL
    • Account group/ACL
    • Account group/resource group
    • Role-based permissions
  • Auditing events provides an additional measure of
    security and visibility
  • Registry access is controlled via Group Policy

52
Summary (continued)
  • EFS protects files and folders with encryption
  • Last line of defense on any system
  • Backup and recovery capabilities