70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security - PowerPoint PPT Presentation

Loading...

PPT – 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security PowerPoint presentation | free to view - id: 4563b6-NGYxY



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security

Description:

... security Plan wireless network security Define ... all newly certified wireless equipment as of ... load off of administrator It is not ... – PowerPoint PPT presentation

Number of Views:1313
Avg rating:3.0/5.0
Slides: 47
Provided by: dbha7
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security


1
70-293 MCSE Guide to Planning a Microsoft
Windows Server 2003 Network, Enhanced Chapter
13 Planning Server and Network Security
2
Objectives
  • Describe three types of security
  • Plan security configurations for server roles
  • Plan network protocol security
  • Plan wireless network security
  • Define the default security settings used by
    Windows Server 2003
  • Plan a secure baseline for client computers and
    servers
  • Create a plan for software updates
  • Ensure secure administrative access

3
Types of Security
  • Three commonly used categories are
  • Physical security
  • Network security
  • Data security

4
Physical Security
  • Physical security is controlling physical access
    to the computing devices on your network
  • Who has a key to the server room?
  • Prevents users and hackers from physically
    accessing network resources that they have no
    legitimate need to touch
  • After physical security is in place,
    software-based security is more effective

5
Network Security
  • Network security refers to accessing
    network-based resources through a computer
    network
  • Tools available for enforcing network security
    are Authentication, IPSec and Firewalls
  • Authentication verifies the identity of users
    before giving them access to resources
  • IPSec encrypts data packets in transit on the
    network
  • Firewalls control data movement based on IP
    addresses and port numbers
  • For enhanced security, most organizations use a
    demilitarized zone (DMZ)

6
Network Security (continued)
7
Network Security (continued)
8
Data Security
  • Data security mechanisms to ensure only
    authorized users access sensitive data
  • Tools for enforcing data security include
  • NTFS permissions used to control access to files
    and folders stored on network servers
  • Share permissions used to control access to a
    particular network share
  • Auditing allows you to track which users have
    performed, or attempted to perform, certain
    actions
  • EFS encrypts files that are stored on NTFS
    partitions

9
Encrypting File System
  • EFS (encrypting file system) encrypts files that
    are stored on NTFS partitions
  • When files are stored encrypted, only the user
    who encrypted them, other designated users, or a
    designated recovery agent can decrypt and read
    them
  • Certificates used by EFS can be created
    automatically, through an internal CA or a third
    party CA

10
Activity 13-1 Using EFS to Protect Files
  • The purpose of this activity is to use EFS to
    protect files

11
Planning Security Configuration for Server Roles
  • General rules for server security are
  • Disable unnecessary services
  • Limit access to the minimum required for users to
    perform their jobs
  • Use separate administrator accounts for different
    staff
  • Allow packets to necessary TCP and UDP ports only

12
Securing Domain Controllers
  • Some ways to secure domain controllers are
  • Place domain controller behind firewall
  • If VPN is being used, place the VPN in a DMZ
  • Use RADIUS
  • NetBIOS ports should be blocked by a firewall
  • NetBIOS can be disabled on the network connection
    that is connected to the Internet

13
Securing Web Servers
  • Some ways to secure web servers are
  • Web servers should be in a DMZ
  • Web sites that authenticate users or collect
    sensitive information should run on TCP port 443
    using SSL
  • install the operating system, IIS, and the Web
    site data on separate hard drive partitions
  • remove any demonstration scripts that installed
    by default on the Web server
  • disable the ability to run scripts by disabling
    ASP processing and the processing of all other
    script types

14
Activity 13-2 Disabling Script Processing in IIS
  • The purpose of this activity is to disable
    processing of scripts in IIS

15
Securing Database Servers
  • When securing database servers
  • If concerned with protecting the data while it is
    in transit on the network between the client and
    the server, use IPSec
  • If database is used as part of a Web-based
    application, it is quite common to place the Web
    server in the DMZ and the SQL server on the
    internal, private network
  • A database that holds sensitive information
    should never be on the same server as the Web
    site
  • If the database runs on a separate server, then
    the hacker must still find the database

16
Securing Mail Servers
  • The only protection you can give a mail server is
    a firewall
  • Mail servers that communicate with the Internet
    should be placed in the DMZ
  • The best way for clients to access e-mail is from
    a server on the internal network
  • Configure a second e-mail server on the internal
    network that forwards all mail to the mail server
    in the DMZ

17
Securing Mail Servers (continued)
18
Planning Network Protocol Security
  • A VPN connection can be used to secure IPX,
    AppleTalk, and TCP/IP network traffic
  • If TCP/IP is used, traffic can also be secured
    with IPSec or with SSL

19
Using VPNs to Secure Network Traffic
  • A VPN is used to secure network traffic for
    remote users
  • All network traffic between the client computer
    and the VPN server is encrypted
  • A VPN can ensure that user access to confidential
    company information is not monitored by an ISP or
    hackers
  • VPNs can also be used internally on the network
    to protect network traffic to certain areas of
    the network

20
Using IPSec to Secure Network Traffic
  • IPSec is ideal for securing network traffic
    because
  • It is very flexible to configure because rules
    can be configured to protect only certain traffic
  • In addition to performing encryption, IPSec
    authenticates both computers in the conversation
    to prevent imposters
  • Applications do not have to be aware of IPSec to
    use it - any IP-based application can use it
  • The major drawback to IPSec is that it does not
    move through NAT very well

21
Securing Web-based Applications
  • Key points concerning SSL (Secure Sockets Layer)
  • It is often used to secure Web-based applications
  • Requires that a certificate be installed on the
    server to which it is being connected
  • It is a well-recognized, standard protocol
  • It is not platform specific in any way

22
Planning Wireless Network Security
  • Concepts regarding wireless security include
  • Wired Equivalent Protocol
  • Authorized MAC addresses
  • Using VPNs to secure wireless access
  • 802.1X
  • Microsoft-specific mechanisms for configuring
    wireless networks

23
Wired Equivalent Protocol
  • Wired Equivalent Privacy (WEP) is a protocol
    built into the 802.11 standards for wireless
    connectivity
  • WEP governs how data can be encrypted while in
    transit on the wireless network
  • WEP is seriously flawed when dealing with
    motivated hackers
  • WiFi Protected Access (WPA), is replacing WEP and
    fixes most of its flaws
  • WPA will be a standard in all newly certified
    wireless equipment as of January 2004

24
Authorized MAC Addresses
  • If you try to communicate with the AP using a
    wireless card with a MAC address that is not on
    the list, the AP ignores you
  • This prevents access to resources on your
    network, but is very awkward to implement
  • Each AP must be configured with the MAC address
    of each wireless network card
  • Packet sniffers can view MAC addresses and
    exploit them

25
Using VPNs to Secure Wireless Access
  • One easy way to secure a wireless network is to
    require VPN authentication before allowing access
    to the main network
  • All packets that can be viewed by hackers with
    wireless connections are encrypted by the VPN

26
The 802.1X Protocol
  • The protocol 802.1X is an authentication protocol
    defined by the IEEE to authenticate wireless users

27
The 802.1X Protocol (continued)
28
Configuring Wireless Networks
  • Many wireless configuration settings are managed
    by the OS, and can be managed using Group Policy
  • In a group policy, you can define Wireless
    Network (802.11) policies where you can
    configure
  • The type of wireless networks to access
  • Whether Windows should be used to configure the
    wireless networks for a client
  • Whether to connect to non preferred networks

29
Activity 13-3 Creating a Policy for Wireless
Workstations
  • The purpose of this activity is to create a
    policy to configure wireless workstations

30
Default Security Settings
  • Windows Server 2003 features
  • It is more secure than Windows Server 2000
  • Only the Administrators group is given Full
    Control to the file system
  • A minimum of services is installed

31
Default Security Settings (continued)
  • Windows Server 2003 features (continued)
  • IIS is not installed by default
  • If IIS is installed after the server installation
    is complete, script processing must be enabled
  • Default security settings for Windows 2003 are
    configured during installation by applying a
    security template
  • A security template is a group of security
    settings that can be applied to server or client
    computers

32
Activity 13-4 Viewing Default Security Settings
  • The purpose of this activity is to view the
    default security settings in Setup security.inf

33
Configuring Client Computers
  • Client computers should be divided into
    categories where specific configuration options
    and a security template can be developed
  • When defining a security template, start by
    copying one of the predefined templates
  • The Security Configuration and Analysis snap-in
    can analyze and configure client computers from a
    GUI

34
Configuring Servers
  • Servers should be categorized and grouped to
    assist in applying security settings
  • Servers are more likely to hold sensitive data
    than workstations, their settings are likely to
    be more restrictive for
  • Password policies
  • Account lockout policy
  • Users performing local logons
  • Auditing, limiting services
  • Restricting file
  • Registry permissions

35
Activity 13-5 Analyzing Security
  • The purpose of this activity is to compare the
    default security level of your server to the
    hisecws.inf template

36
Software Updates
  • Systems must be fully patched because viruses
    take advantage of known flaws in operating
    systems and applications for which there are
    patches available
  • To help administrators keep systems patched,
    Microsoft has released a number of tools
  • Windows Update
  • Automatic Updates
  • Software Update Services
  • Microsoft Baseline Security Analyzer
  • Hfnetchk

37
Windows Update
  • Windows Update is a Web site that administrators
    and users can visit to find out which updates are
    available for their systems
  • Windows Update
  • Automatically checks for the files that are
    needed
  • Downloads them
  • Installs them

38
Automatic Updates
  • Automatic Updates is a service that runs on
    Windows clients and servers that makes the
    process of downloading and installing hotfixes
    automatic
  • Automatic Updates is a significant improvement
    over Windows Update because it is automatic and
    configurable
  • This takes a significant load off of
    administrator
  • It is not very efficient because all downloads
    are from the Internet

39
Activity 13-6 Configuring Automatic Updates
  • The purpose of this activity is to configure
    Automatic Updates to download and install patches
    automatically

40
Software Update Services (SUS)
  • SUS is a service available for Windows 2000 and
    Windows Server 2003
  • Automatically downloads the latest hotfixes and
    service packs from the Windows Update Web site
  • Client computers on your network then can
    download the hotfixes and service packs from a
    local server on the network instead of the
    Internet
  • Internet traffic is reduced

41
Microsoft Baseline Security Analyzer
  • The Microsoft Baseline Security Analyzer (MBSA)
    is a tool that verifies security updates on a
    wide variety of Microsoft operating systems and
    applications
  • MBSA can scan a single machine or an entire group
    of computers on the network

42
Hfnetchk
  • Hfnetchk is an older command-line utility for
    verifying patch levels on Windows clients and
    servers
  • It is no longer offered by Microsoft as a
    stand-alone utility
  • The functionality of Hfnetchk is now only
    available in MBSA

43
Securing Administrative Access
  • Administrators should maintain two accounts
  • One for day-to-day work with limited permission
    (like an average user)
  • One with elevated privileges and permissions that
    are required for administration of the network
  • Most network administrators find it cumbersome to
    log on and off of the network as they switch
    between tasks Windows Server 2003 allows
    administrators to run individual applications as
    a different user

44
Summary
  • Three types of security are physical security,
    network security and data security
  • EFS (encrypting file system) encrypts files that
    are stored on NTFS partitions
  • Securing all servers includes the following
  • Disabling unnecessary services
  • Limiting access to the minimum required for users
    to perform their jobs
  • Using separate administrator accounts for
    different staff, and allow packets to necessary
    TCP and UDP ports only

45
Summary (continued)
  • Domain controllers should not be exposed to
    traffic from the Internet and should not be
    located in a DMZ
  • Web servers that are accessible from the Internet
    should be located in a DMZ
  • Database servers should be on the internal
    network
  • Mail servers must be accessible from the Internet
    and should be located in a DMZ
  • A VPN can be used to secure network traffic for
    IP, IPX, and AppleTalk packets

46
Summary (continued)
  • Common standards for wireless networks are
    802.11b and 802.11g
  • Default security settings for Windows Server 2003
    are much more secure than Windows 2000 Server
  • Software updates can be managed using
  • Windows Update
  • Automatic Updates
  • SUS
  • MBSA
About PowerShow.com