70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network2 Objectives Describe three types of security Plan security configurations for server roles Plan network protocol security Plan wireless network security Define the default security settings used by Windows Server 2003 Plan a secure baseline for client computers and servers Create a plan for software updates Ensure secure administrative access

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network3 Types of Security Three commonly used categories are: Physical security Network security Data security

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network4 Physical Security Physical security is controlling physical access to the computing devices on your network Who has a key to the server room? Prevents users and hackers from physically accessing network resources that they have no legitimate need to touch After physical security is in place, software-based security is more effective

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network5 Network Security Network security refers to accessing network-based resources through a computer network Tools available for enforcing network security are: Authentication, IPSec and Firewalls Authentication verifies the identity of users before giving them access to resources IPSec encrypts data packets in transit on the network Firewalls control data movement based on IP addresses and port numbers For enhanced security, most organizations use a demilitarized zone (DMZ)

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network6 Network Security (continued)

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network7 Network Security (continued)

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network8 Data Security Data security: mechanisms to ensure only authorized users access sensitive data Tools for enforcing data security include: NTFS permissions: used to control access to files and folders stored on network servers Share permissions: used to control access to a particular network share Auditing: allows you to track which users have performed, or attempted to perform, certain actions EFS: encrypts files that are stored on NTFS partitions

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network9 Encrypting File System EFS (encrypting file system) encrypts files that are stored on NTFS partitions When files are stored encrypted, only the user who encrypted them, other designated users, or a designated recovery agent can decrypt and read them Certificates used by EFS can be created automatically, through an internal CA or a third party CA

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network10 Activity 13-1: Using EFS to Protect Files The purpose of this activity is to use EFS to protect files

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network11 Planning Security Configuration for Server Roles General rules for server security are: Disable unnecessary services Limit access to the minimum required for users to perform their jobs Use separate administrator accounts for different staff Allow packets to necessary TCP and UDP ports only

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network12 Securing Domain Controllers Some ways to secure domain controllers are: Place domain controller behind firewall If VPN is being used, place the VPN in a DMZ Use RADIUS NetBIOS ports should be blocked by a firewall NetBIOS can be disabled on the network connection that is connected to the Internet

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network13 Securing Web Servers Some ways to secure web servers are: Web servers should be in a DMZ Web sites that authenticate users or collect sensitive information should run on TCP port 443 using SSL install the operating system, IIS, and the Web site data on separate hard drive partitions remove any demonstration scripts that installed by default on the Web server disable the ability to run scripts by disabling ASP processing and the processing of all other script types

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network14 Activity 13-2: Disabling Script Processing in IIS The purpose of this activity is to disable processing of scripts in IIS

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network15 Securing Database Servers When securing database servers: If concerned with protecting the data while it is in transit on the network between the client and the server, use IPSec If database is used as part of a Web-based application, it is quite common to place the Web server in the DMZ and the SQL server on the internal, private network A database that holds sensitive information should never be on the same server as the Web site If the database runs on a separate server, then the hacker must still find the database

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network16 Securing Mail Servers The only protection you can give a mail server is a firewall Mail servers that communicate with the Internet should be placed in the DMZ The best way for clients to access is from a server on the internal network Configure a second server on the internal network that forwards all mail to the mail server in the DMZ

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network17 Securing Mail Servers (continued)

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network18 Planning Network Protocol Security A VPN connection can be used to secure IPX, AppleTalk, and TCP/IP network traffic If TCP/IP is used, traffic can also be secured with IPSec or with SSL

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network19 Using VPNs to Secure Network Traffic A VPN is used to secure network traffic for remote users All network traffic between the client computer and the VPN server is encrypted A VPN can ensure that user access to confidential company information is not monitored by an ISP or hackers VPNs can also be used internally on the network to protect network traffic to certain areas of the network

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network20 Using IPSec to Secure Network Traffic IPSec is ideal for securing network traffic because: It is very flexible to configure because rules can be configured to protect only certain traffic In addition to performing encryption, IPSec authenticates both computers in the conversation to prevent imposters Applications do not have to be aware of IPSec to use it - any IP-based application can use it The major drawback to IPSec is that it does not move through NAT very well

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network21 Securing Web-based Applications Key points concerning SSL (Secure Sockets Layer): It is often used to secure Web-based applications Requires that a certificate be installed on the server to which it is being connected It is a well-recognized, standard protocol It is not platform specific in any way

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network22 Planning Wireless Network Security Concepts regarding wireless security include: Wired Equivalent Protocol Authorized MAC addresses Using VPNs to secure wireless access 802.1X Microsoft-specific mechanisms for configuring wireless networks

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network23 Wired Equivalent Protocol Wired Equivalent Privacy (WEP) is a protocol built into the standards for wireless connectivity WEP governs how data can be encrypted while in transit on the wireless network WEP is seriously flawed when dealing with motivated hackers WiFi Protected Access (WPA), is replacing WEP and fixes most of its flaws WPA will be a standard in all newly certified wireless equipment as of January 2004

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network24 Authorized MAC Addresses If you try to communicate with the AP using a wireless card with a MAC address that is not on the list, the AP ignores you This prevents access to resources on your network, but is very awkward to implement Each AP must be configured with the MAC address of each wireless network card Packet sniffers can view MAC addresses and exploit them

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network25 Using VPNs to Secure Wireless Access One easy way to secure a wireless network is to require VPN authentication before allowing access to the main network All packets that can be viewed by hackers with wireless connections are encrypted by the VPN

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network26 The 802.1X Protocol The protocol 802.1X is an authentication protocol defined by the IEEE to authenticate wireless users

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network27 The 802.1X Protocol (continued)

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network28 Configuring Wireless Networks Many wireless configuration settings are managed by the OS, and can be managed using Group Policy In a group policy, you can define Wireless Network (802.11) policies where you can configure: The type of wireless networks to access Whether Windows should be used to configure the wireless networks for a client Whether to connect to non preferred networks

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network29 Activity 13-3: Creating a Policy for Wireless Workstations The purpose of this activity is to create a policy to configure wireless workstations

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network30 Default Security Settings Windows Server 2003 features: It is more secure than Windows Server 2000 Only the Administrators group is given Full Control to the file system A minimum of services is installed

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network31 Default Security Settings (continued) Windows Server 2003 features (continued): IIS is not installed by default If IIS is installed after the server installation is complete, script processing must be enabled Default security settings for Windows 2003 are configured during installation by applying a security template A security template is a group of security settings that can be applied to server or client computers

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network32 Activity 13-4: Viewing Default Security Settings The purpose of this activity is to view the default security settings in Setup security.inf

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network33 Configuring Client Computers Client computers should be divided into categories where specific configuration options and a security template can be developed When defining a security template, start by copying one of the predefined templates The Security Configuration and Analysis snap-in can analyze and configure client computers from a GUI

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network34 Configuring Servers Servers should be categorized and grouped to assist in applying security settings Servers are more likely to hold sensitive data than workstations, their settings are likely to be more restrictive for: Password policies Account lockout policy Users performing local logons Auditing, limiting services Restricting file Registry permissions

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network35 Activity 13-5: Analyzing Security The purpose of this activity is to compare the default security level of your server to the hisecws.inf template

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network36 Software Updates Systems must be fully patched because viruses take advantage of known flaws in operating systems and applications for which there are patches available To help administrators keep systems patched, Microsoft has released a number of tools: Windows Update Automatic Updates Software Update Services Microsoft Baseline Security Analyzer Hfnetchk

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network37 Windows Update Windows Update is a Web site that administrators and users can visit to find out which updates are available for their systems Windows Update Automatically checks for the files that are needed Downloads them Installs them

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network38 Automatic Updates Automatic Updates is a service that runs on Windows clients and servers that makes the process of downloading and installing hotfixes automatic Automatic Updates is a significant improvement over Windows Update because it is automatic and configurable This takes a significant load off of administrator It is not very efficient because all downloads are from the Internet

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network39 Activity 13-6: Configuring Automatic Updates The purpose of this activity is to configure Automatic Updates to download and install patches automatically

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network40 Software Update Services (SUS) SUS is a service available for Windows 2000 and Windows Server 2003 Automatically downloads the latest hotfixes and service packs from the Windows Update Web site Client computers on your network then can download the hotfixes and service packs from a local server on the network instead of the Internet Internet traffic is reduced

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network41 Microsoft Baseline Security Analyzer The Microsoft Baseline Security Analyzer (MBSA) is a tool that verifies security updates on a wide variety of Microsoft operating systems and applications MBSA can scan a single machine or an entire group of computers on the network

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network42 Hfnetchk Hfnetchk is an older command-line utility for verifying patch levels on Windows clients and servers It is no longer offered by Microsoft as a stand-alone utility The functionality of Hfnetchk is now only available in MBSA

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network43 Securing Administrative Access Administrators should maintain two accounts: One for day-to-day work with limited permission (like an average user) One with elevated privileges and permissions that are required for administration of the network Most network administrators find it cumbersome to log on and off of the network as they switch between tasks; Windows Server 2003 allows administrators to run individual applications as a different user

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network44 Summary Three types of security are: physical security, network security and data security EFS (encrypting file system) encrypts files that are stored on NTFS partitions Securing all servers includes the following: Disabling unnecessary services Limiting access to the minimum required for users to perform their jobs Using separate administrator accounts for different staff, and allow packets to necessary TCP and UDP ports only

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network45 Summary (continued) Domain controllers should not be exposed to traffic from the Internet and should not be located in a DMZ Web servers that are accessible from the Internet should be located in a DMZ Database servers should be on the internal network Mail servers must be accessible from the Internet and should be located in a DMZ A VPN can be used to secure network traffic for IP, IPX, and AppleTalk packets

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network46 Summary (continued) Common standards for wireless networks are b and g Default security settings for Windows Server 2003 are much more secure than Windows 2000 Server Software updates can be managed using: Windows Update Automatic Updates SUS MBSA