70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced
Chapter 13: Planning Server and Network Security

Objectives
• Describe three types of security
• Plan security configurations for server roles
• Plan network protocol security
• Plan wireless network security
• Define the default security settings used by Windows Server 2003
• Plan a secure baseline for client computers and servers
• Create a plan for software updates
• Ensure secure administrative access

Types of Security
• Three commonly used categories are:
  • Physical security
  • Network security
  • Data security

Physical Security
• Physical security is controlling physical access to the computing devices on your network
  • Who has a key to the server room?
• Prevents users and hackers from physically accessing network resources that they have no legitimate need to touch
• After physical security is in place, software-based security is more effective

Network Security
• Network security refers to accessing network-based resources through a computer network
• Tools available for enforcing network security are authentication, IPSec, and firewalls
  • Authentication verifies the identity of users before giving them access to resources
  • IPSec encrypts data packets in transit on the network
  • Firewalls control data movement based on IP addresses and port numbers
• For enhanced security, most organizations use a demilitarized zone (DMZ)

Data Security
• Data security: mechanisms to ensure only authorized users access sensitive data
• Tools for enforcing data security include:
  • NTFS permissions: used to control access to files and folders stored on network servers
  • Share permissions: used to control access to a particular network share
  • Auditing: allows you to track which users have performed, or attempted to perform, certain actions
  • EFS: encrypts files that are stored on NTFS partitions

Encrypting File System
• EFS (Encrypting File System) encrypts files that are stored on NTFS partitions
• When files are stored encrypted, only the user who encrypted them, other designated users, or a designated recovery agent can decrypt and read them
• Certificates used by EFS can be created automatically, through an internal CA, or through a third-party CA

Activity 13-1: Using EFS to Protect Files
• The purpose of this activity is to use EFS to protect files

Planning Security Configuration for Server Roles
• General rules for server security are:
  • Disable unnecessary services
  • Limit access to the minimum required for users to perform their jobs
  • Use separate administrator accounts for different staff
  • Allow packets to necessary TCP and UDP ports only

Securing Domain Controllers
• Some ways to secure domain controllers are:
  • Place domain controllers behind a firewall
  • If a VPN is being used, place the VPN in a DMZ
  • Use RADIUS
  • NetBIOS ports should be blocked by a firewall
  • NetBIOS can be disabled on the network connection that is connected to the Internet

Securing Web Servers
• Some ways to secure Web servers are:
  • Web servers should be in a DMZ
  • Web sites that authenticate users or collect sensitive information should run on TCP port 443 using SSL
  • Install the operating system, IIS, and the Web site data on separate hard drive partitions
  • Remove any demonstration scripts that are installed by default on the Web server
  • Disable the ability to run scripts by disabling ASP processing and the processing of all other script types

Activity 13-2: Disabling Script Processing in IIS
• The purpose of this activity is to disable processing of scripts in IIS

Securing Database Servers
• When securing database servers:
  • If you are concerned with protecting the data while it is in transit on the network between the client and the server, use IPSec
  • If the database is used as part of a Web-based application, it is quite common to place the Web server in the DMZ and the SQL server on the internal, private network
  • A database that holds sensitive information should never be on the same server as the Web site
  • If the database runs on a separate server, then the hacker must still find the database

Securing Mail Servers
• The only protection you can give a mail server is a firewall
• Mail servers that communicate with the Internet should be placed in the DMZ
• The best way for clients to access e-mail is from a server on the internal network
• Configure a second e-mail server on the internal network that forwards all mail to the mail server in the DMZ

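The placement and port rules from the server-role slides above can be checked against a server inventory. The following is an added example, not part of the original slides: host names, the inventory, the `audit` function and the per-role port lists (TCP 80, 25 and 1433) are assumptions made for illustration, while the zone for each role and the NetBIOS rule follow the slides.

```python
# Added example. Host names, zones and port lists are constructed; the role
# rules encode what the slides state (zone per role, NetBIOS blocked).
NETBIOS = {("udp", 137), ("udp", 138), ("tcp", 139)}

# role -> (zone the slides place it in, ports the firewall may pass to it)
POLICY = {
    "web":      ("dmz",      {("tcp", 80), ("tcp", 443)}),
    "mail":     ("dmz",      {("tcp", 25)}),
    "database": ("internal", {("tcp", 1433)}),
    "dc":       ("internal", set()),
}

INVENTORY = [  # (host, role, zone, ports the firewall currently passes)
    ("www1",  "web",      "dmz",      {("tcp", 443), ("tcp", 139)}),
    ("mail1", "mail",     "dmz",      {("tcp", 25)}),
    ("sql1",  "database", "dmz",      {("tcp", 1433)}),
    ("dc1",   "dc",       "internal", set()),
]

def audit(inventory, policy=POLICY):
    """Return (host, finding) pairs for misplaced servers and extra ports."""
    findings = []
    for host, role, zone, exposed in inventory:
        wanted_zone, allowed = policy[role]
        if zone != wanted_zone:
            findings.append((host, f"{role} server belongs in {wanted_zone}, found in {zone}"))
        # Anything not on the role's allow-list is reported; NetBIOS is named.
        for proto, port in sorted(exposed - allowed):
            kind = "NetBIOS port" if (proto, port) in NETBIOS else "unneeded port"
            findings.append((host, f"{kind} {proto}/{port} is reachable"))
    return findings

for host, finding in audit(INVENTORY):
    print(f"{host}: {finding}")
```
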
Planning Network Protocol Security
• A VPN connection can be used to secure IPX, AppleTalk, and TCP/IP network traffic
• If TCP/IP is used, traffic can also be secured with IPSec or with SSL

Using VPNs to Secure Network Traffic
• A VPN is used to secure network traffic for remote users
• All network traffic between the client computer and the VPN server is encrypted
• A VPN can ensure that user access to confidential company information is not monitored by an ISP or hackers
• VPNs can also be used internally on the network to protect network traffic to certain areas of the network

Using IPSec to Secure Network Traffic
• IPSec is ideal for securing network traffic because:
  • It is very flexible to configure because rules can be configured to protect only certain traffic
  • In addition to performing encryption, IPSec authenticates both computers in the conversation to prevent imposters
  • Applications do not have to be aware of IPSec to use it; any IP-based application can use it
• The major drawback to IPSec is that it does not move through NAT very well

Securing Web-based Applications
• Key points concerning SSL (Secure Sockets Layer):
  • It is often used to secure Web-based applications
  • Requires that a certificate be installed on the server to which it is being connected
  • It is a well-recognized, standard protocol
  • It is not platform specific in any way

Planning Wireless Network Security
• Concepts regarding wireless security include:
  • Wired Equivalent Privacy (WEP)
  • Authorized MAC addresses
  • Using VPNs to secure wireless access
  • 802.1X
  • Microsoft-specific mechanisms for configuring wireless networks

Wired Equivalent Privacy
• Wired Equivalent Privacy (WEP) is a protocol built into the 802.11 standards for wireless connectivity
• WEP governs how data can be encrypted while in transit on the wireless network
• WEP is seriously flawed when dealing with motivated hackers
• Wi-Fi Protected Access (WPA) is replacing WEP and fixes most of its flaws
• WPA will be a standard in all newly certified wireless equipment as of January 2004

Authorized MAC Addresses
• If you try to communicate with the AP using a wireless card with a MAC address that is not on the list, the AP ignores you
• This prevents access to resources on your network, but is very awkward to implement
• Each AP must be configured with the MAC address of each wireless network card
• Packet sniffers can view MAC addresses and exploit them

Using VPNs to Secure Wireless Access
• One easy way to secure a wireless network is to require VPN authentication before allowing access to the main network
• All packets that can be viewed by hackers with wireless connections are encrypted by the VPN

The 802.1X Protocol
• 802.1X is an authentication protocol defined by the IEEE to authenticate wireless users

Configuring Wireless Networks
• Many wireless configuration settings are managed by the OS, and can be managed using Group Policy
• In a group policy, you can define Wireless Network (802.11) policies where you can configure:
  • The type of wireless networks to access
  • Whether Windows should be used to configure the wireless networks for a client
  • Whether to connect to non-preferred networks

Activity 13-3: Creating a Policy for Wireless Workstations
• The purpose of this activity is to create a policy to configure wireless workstations

Default Security Settings
• Windows Server 2003 features:
  • It is more secure than Windows 2000 Server
  • Only the Administrators group is given Full Control to the file system
  • A minimum of services is installed

Default Security Settings (continued)
• Windows Server 2003 features (continued):
  • IIS is not installed by default
  • If IIS is installed after the server installation is complete, script processing must be enabled
• Default security settings for Windows Server 2003 are configured during installation by applying a security template
• A security template is a group of security settings that can be applied to server or client computers

Activity 13-4: Viewing Default Security Settings
• The purpose of this activity is to view the default security settings in Setup security.inf

Configuring Client Computers
• Client computers should be divided into categories where specific configuration options and a security template can be developed
• When defining a security template, start by copying one of the predefined templates
• The Security Configuration and Analysis snap-in can analyze and configure client computers from a GUI

Configuring Servers
• Servers should be categorized and grouped to assist in applying security settings
• Because servers are more likely to hold sensitive data than workstations, their settings are likely to be more restrictive for:
  • Password policies
  • Account lockout policy
  • Users performing local logons
  • Auditing, limiting services
  • Restricting file and registry permissions

Activity 13-5: Analyzing Security
• The purpose of this activity is to compare the default security level of your server to the hisecws.inf template

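The comparison performed in Activity 13-5, reduced to its core and shown as an added example (not code from the textbook or from Microsoft): parse a security template and report each setting where the computer differs from the baseline. Both templates are constructed samples rather than the contents of hisecws.inf, and `parse_template` and `analyze` are hypothetical names; in the [Event Audit] section, 1 means success only and 3 means success and failure.

```python
# Constructed sample templates (not the contents of hisecws.inf or any real server).
BASELINE_INF = """\
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditPolicyChange = 3
"""

CURRENT_INF = """\
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 1
AuditPolicyChange = 3
"""

def parse_template(text):
    """Return {(section, key): value} for every 'key = value' line."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or INF comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            settings[(section, key.strip())] = value.strip()
    return settings

def analyze(baseline_text, current_text):
    """List (section, key, baseline value, current value) for every mismatch."""
    baseline, current = parse_template(baseline_text), parse_template(current_text)
    findings = []
    for (section, key), wanted in sorted(baseline.items()):
        actual = current.get((section, key))
        if actual is None:                        # baseline sets it, computer does not
            findings.append((section, key, wanted, "not defined"))
        elif actual != wanted:
            findings.append((section, key, wanted, actual))
    return findings

for section, key, wanted, actual in analyze(BASELINE_INF, CURRENT_INF):
    print(f"{section}/{key}: baseline={wanted} current={actual}")
```
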
Software Updates
• Systems must be fully patched because viruses take advantage of known flaws in operating systems and applications for which there are patches available
• To help administrators keep systems patched, Microsoft has released a number of tools:
  • Windows Update
  • Automatic Updates
  • Software Update Services
  • Microsoft Baseline Security Analyzer
  • Hfnetchk

Windows Update
• Windows Update is a Web site that administrators and users can visit to find out which updates are available for their systems
• Windows Update:
  • Automatically checks for the files that are needed
  • Downloads them
  • Installs them

Automatic Updates
• Automatic Updates is a service that runs on Windows clients and servers that makes the process of downloading and installing hotfixes automatic
• Automatic Updates is a significant improvement over Windows Update because it is automatic and configurable
• This takes a significant load off administrators
• It is not very efficient because all downloads are from the Internet

Activity 13-6: Configuring Automatic Updates
• The purpose of this activity is to configure Automatic Updates to download and install patches automatically

Software Update Services (SUS)
• SUS is a service available for Windows 2000 and Windows Server 2003
• Automatically downloads the latest hotfixes and service packs from the Windows Update Web site
• Client computers on your network then can download the hotfixes and service packs from a local server on the network instead of the Internet
• Internet traffic is reduced

Microsoft Baseline Security Analyzer
• The Microsoft Baseline Security Analyzer (MBSA) is a tool that verifies security updates on a wide variety of Microsoft operating systems and applications
• MBSA can scan a single machine or an entire group of computers on the network

Hfnetchk
• Hfnetchk is an older command-line utility for verifying patch levels on Windows clients and servers
• It is no longer offered by Microsoft as a stand-alone utility
• The functionality of Hfnetchk is now only available in MBSA

Securing Administrative Access
• Administrators should maintain two accounts:
  • One for day-to-day work with limited permission (like an average user)
  • One with elevated privileges and permissions that are required for administration of the network
• Most network administrators find it cumbersome to log on and off of the network as they switch between tasks; Windows Server 2003 allows administrators to run individual applications as a different user

Summary
• Three types of security are: physical security, network security, and data security
• EFS (Encrypting File System) encrypts files that are stored on NTFS partitions
• Securing all servers includes the following:
  • Disabling unnecessary services
  • Limiting access to the minimum required for users to perform their jobs
  • Using separate administrator accounts for different staff
  • Allowing packets to necessary TCP and UDP ports only

Summary (continued)
• Domain controllers should not be exposed to traffic from the Internet and should not be located in a DMZ
• Web servers that are accessible from the Internet should be located in a DMZ
• Database servers should be on the internal network
• Mail servers must be accessible from the Internet and should be located in a DMZ
• A VPN can be used to secure network traffic for IP, IPX, and AppleTalk packets

Summary (continued)
• Common standards for wireless networks are 802.11b and 802.11g
• Default security settings for Windows Server 2003 are much more secure than Windows 2000 Server
• Software updates can be managed using:
  • Windows Update
  • Automatic Updates
  • SUS
  • MBSA