Designing a Security Infrastructure Chapter Thirteen
Exam Objectives in this Chapter: Plan a security update infrastructure. Tools might include Microsoft Baseline Security Analyzer and Microsoft Software Update Services. Plan security for wireless networks. Plan secure network administration methods. Create a plan to offer Remote Assistance to client computers. Plan for remote administration by using Terminal Services.
Lessons in this Chapter:
Planning a Security Update Infrastructure
Securing a Wireless Network
Providing Secure Network Administration
Before You Begin This chapter assumes a basic understanding of security implementation in the Microsoft Windows Server 2003 family and of how to use group policies to apply settings to large numbers of computers, as covered throughout this book. To perform the practice exercises in this chapter, you must have installed and configured Windows Server 2003 using the procedure described in “About This Book.”
Planning a Security Update Infrastructure: Understanding Software Update Practices
Service pack: A service pack is a collection of patches and updates that have been tested as a single unit. Service packs are a distinct improvement over the previous system, in which operating system updates were released as a series of individual patches, each addressing a separate issue.
Hotfix: A hotfix is a small patch designed to address a specific issue. While Microsoft only for computers experiencing a particular problem.
Using Windows Update Windows Update for XP
Update for Networks
Considerations for networks:
Bandwidth: With Windows Update, updates become available for installation right away. On a network, many computers would be ready for downloads at the same time, consuming large amounts of bandwidth.
Testing: It is possible for a particular update to cause problems. This could result in the loss of productivity and an added burden on technical support personnel.
Updating a Network
Network administrators should not immediately install every update that appears. It is important to test the update releases first.
Security update infrastructure: A network security update infrastructure is a series of policies that are designed to help the network administrator perform the following tasks:
Determine which computers need to be updated
Test update releases on multiple system configurations
Determine when updates are released
Deploy update releases on large fleets
SUS
Using Microsoft Baseline Security Analyzer Microsoft Baseline Security Analyzer (MBSA) is a graphical tool that can check for common security lapses on a single computer or multiple computers running various versions of the Windows operating system.
Microsoft Baseline Security Analyzer (MBSA) Scan your system
Microsoft Baseline Security Analyzer (MBSA) Produces its results
Using Microsoft Baseline Security Analyzer
The security faults that MBSA can detect are as follows:
Missing security updates: MBSA replaces an earlier Microsoft update checking utility called Hfnetchk.exe, which operates from the command line and only checks computers for missing updates.
Account vulnerabilities: MBSA checks whether the Guest account is activated, whether there are more than two accounts with Administrator privileges, whether anonymous users have too much access, and whether the computer is configured to use the Autologon feature.
MBSA Detection, continued:
Improper passwords: MBSA checks whether passwords are configured to expire, are blank, or are too simple.
File system vulnerabilities: MBSA checks whether all the disk drives on the computer are using the NTFS file system.
IIS and SQL vulnerabilities: If the computer is running Microsoft Internet Information Services (IIS) or Microsoft SQL Server, MBSA examines these applications for a variety of security weaknesses.
May be downloaded from Microsoft at: 4d36-4f7f-92f2-2bdc5c5385b3/mbsasetup.msi
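To make the account, password and file-system checks above concrete, here is an added example (not MBSA's code, and not from the textbook) that applies the same rules to a constructed host record. The Host and Account layout, the "too simple" password heuristic and the idea of passing the HKLM\...\Winlogon registry values in as a dictionary are assumptions of this illustration; the cleartext passwords exist only because the sample is constructed. Note that MBSA's own password-expiration check reports passwords that are set never to expire, which is what this version flags.

```python
"""Rule checks in the spirit of the MBSA account, password and file-system checks,
run against a constructed host record. Added example, not MBSA code; the data
layout, the password heuristic and the Winlogon dict are assumptions."""

from dataclasses import dataclass, field
from typing import Dict, List

MAX_ADMIN_ACCOUNTS = 2   # "more than two accounts with Administrator privileges"


@dataclass
class Account:
    name: str
    enabled: bool
    admin: bool
    password: str                  # constructed sample; a real scanner never sees cleartext
    password_never_expires: bool


@dataclass
class Host:
    name: str
    accounts: List[Account]
    drives: Dict[str, str]         # drive letter -> file system
    winlogon: Dict[str, str] = field(default_factory=dict)  # HKLM\...\Winlogon values


def is_simple_password(pw: str) -> bool:
    """Heuristic: shorter than 8 characters or fewer than three character classes."""
    if len(pw) < 8:
        return True
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])
    return classes < 3


def check_host(host: Host) -> List[str]:
    """Return one finding string per detected weakness; empty list means clean."""
    findings: List[str] = []
    active = [a for a in host.accounts if a.enabled]

    # Account vulnerabilities
    if any(a.name.lower() == "guest" for a in active):
        findings.append("Guest account is enabled")
    admins = [a.name for a in active if a.admin]
    if len(admins) > MAX_ADMIN_ACCOUNTS:
        findings.append(f"{len(admins)} accounts hold Administrator privileges: {', '.join(admins)}")
    if host.winlogon.get("AutoAdminLogon") == "1":
        detail = ", DefaultPassword stored in the registry" if "DefaultPassword" in host.winlogon else ""
        findings.append(f"Autologon is configured (AutoAdminLogon=1{detail})")

    # Improper passwords
    for a in active:
        if a.password == "":
            findings.append(f"account {a.name} has a blank password")
        elif is_simple_password(a.password):
            findings.append(f"account {a.name} has a simple password")
        if a.password_never_expires:
            findings.append(f"account {a.name} password never expires")

    # File system vulnerabilities
    for letter, fs in sorted(host.drives.items()):
        if fs.upper() != "NTFS":
            findings.append(f"drive {letter} uses {fs} instead of NTFS")
    return findings


# Constructed sample hosts (names, accounts and values are invented for the example)
SAMPLE_HOST = Host(
    name="SRV01",
    accounts=[
        Account("Administrator", True, True, "Tr0ub4dor&3x", False),
        Account("Guest", True, False, "", True),
        Account("backupop", True, True, "password", True),
        Account("helpdesk", True, True, "H3lpd3sk!2004", False),
        Account("olduser", False, True, "", True),   # disabled, so ignored
    ],
    drives={"C:": "NTFS", "D:": "FAT32"},
    winlogon={"AutoAdminLogon": "1", "DefaultUserName": "backupop", "DefaultPassword": "password"},
)
CLEAN_HOST = Host(
    name="WS01",
    accounts=[
        Account("Administrator", True, True, "Tr0ub4dor&3x", False),
        Account("Guest", False, False, "", True),
    ],
    drives={"C:": "NTFS"},
)

if __name__ == "__main__":
    for host in (SAMPLE_HOST, CLEAN_HOST):
        print(host.name, check_host(host) or ["no findings"])
```

Disabled accounts are skipped on purpose: an enabled Guest account with a blank password is the condition MBSA reports, while a disabled one is not a logon path.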
Testing Security Updates
You must test security updates to make sure they are compatible with all your system configurations.
Using Microsoft Software Update Services
Microsoft Software Update Services (SUS) is a free product that notifies administrators when new security updates are available, downloads the updates, and then deploys them to the computers on the network. SUS consists of the following components:
Synchronization server
Intranet Windows Update server
Automatic Updates
Synchronization server: The administrator can allow the downloads to occur as needed; schedule them to occur at specific times (such as off-peak traffic hours); or trigger them manually. Once SUS downloads the updates, it stores them on the server.
Intranet Windows Update server: When updates are ready for deployment, SUS functions as the Windows Update server for the computers on the network, except that this server is on the intranet and does not require the clients to access the Internet.
Automatic Updates: Automatic Updates is a Windows operating system feature that enables computers to download and install software updates with no user intervention.
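The four tasks of a security update infrastructure (determine which computers need updating, test on multiple configurations, control when updates are released, deploy to a large fleet) map onto the SUS components just described. The following added example (not SUS code, and not from the textbook) models that cycle: the server synchronizes a catalog, the administrator approves updates, and each Automatic Updates client pulls only the approved updates that apply to its product and are not yet installed. The separate "test" and "production" rings, and every update ID, are constructed assumptions; SUS itself keeps a single approval list per server, so two rings would in practice mean two SUS servers or staged approvals.

```python
"""Model of the SUS cycle: synchronize, test, approve, deploy.
Added illustration, not SUS code. The two rings and every update ID are
constructed assumptions (SUS keeps one approval list per server)."""

from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

RINGS = ("test", "production")


@dataclass(frozen=True)
class Update:
    id: str                   # constructed placeholder, not a real KB number
    products: FrozenSet[str]  # products the update applies to


@dataclass
class Computer:
    name: str
    product: str
    ring: str
    installed: Set[str]       # update IDs already present on the computer


class UpdateServer:
    def __init__(self) -> None:
        self.catalog: Dict[str, Update] = {}
        self.approved: Dict[str, Set[str]] = {ring: set() for ring in RINGS}
        self.test_results: Dict[str, bool] = {}

    def synchronize(self, downloaded: List[Update]) -> int:
        """Synchronization server: store downloaded updates; returns how many were new."""
        new = [u for u in downloaded if u.id not in self.catalog]
        for u in new:
            self.catalog[u.id] = u
        return len(new)

    def record_test(self, update_id: str, passed: bool) -> None:
        """Outcome of testing the update against the test ring's configurations."""
        if update_id not in self.catalog:
            raise KeyError(update_id)
        self.test_results[update_id] = passed

    def approve(self, update_id: str, ring: str) -> None:
        """Approval gate: nothing reaches production without a passed test."""
        if update_id not in self.catalog:
            raise KeyError(update_id)
        if ring == "production" and not self.test_results.get(update_id, False):
            raise ValueError(f"{update_id} has not passed testing; production approval refused")
        self.approved[ring].add(update_id)

    def missing_updates(self, computer: Computer) -> List[str]:
        """Intranet Windows Update server view: what an Automatic Updates client pulls."""
        return sorted(
            uid for uid in self.approved[computer.ring]
            if computer.product in self.catalog[uid].products
            and uid not in computer.installed
        )

    def deployment_plan(self, fleet: List[Computer]) -> Dict[str, List[str]]:
        """Which computers need updating, and with what; clean computers are omitted."""
        plan: Dict[str, List[str]] = {}
        for c in fleet:
            missing = self.missing_updates(c)
            if missing:
                plan[c.name] = missing
        return plan


def run_cycle() -> Dict[str, List[str]]:
    """One full cycle over a constructed four-computer fleet."""
    server = UpdateServer()
    server.synchronize([
        Update("KB-A", frozenset({"Windows XP", "Windows Server 2003"})),
        Update("KB-B", frozenset({"Windows Server 2003"})),
        Update("KB-C", frozenset({"Windows XP"})),
    ])
    fleet = [
        Computer("TEST01", "Windows XP", "test", set()),
        Computer("TEST02", "Windows Server 2003", "test", {"KB-B"}),
        Computer("PC01", "Windows XP", "production", {"KB-A"}),
        Computer("SRV01", "Windows Server 2003", "production", set()),
    ]
    for uid in server.catalog:          # everything goes to the test ring first
        server.approve(uid, "test")
    server.record_test("KB-A", True)    # constructed results: KB-C broke a test system
    server.record_test("KB-B", True)
    server.record_test("KB-C", False)
    for uid, passed in server.test_results.items():
        if passed:
            server.approve(uid, "production")
    return server.deployment_plan(fleet)


if __name__ == "__main__":
    for name, updates in run_cycle().items():
        print(f"{name}: install {', '.join(updates)}")
```

The point of the gate in approve() is the one the slides make: an update that failed on a test configuration never becomes visible to production clients, so a bad release costs one test machine rather than the whole fleet.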
Exam Tip: Be sure to understand the differences between the functions of Microsoft Baseline Security Analyzer (MBSA) and Microsoft Software Update Services (SUS).
Practice: Using Microsoft Baseline Security Analyzer
Exercise 1: Downloading and Installing MBSA
Exercise 2: Performing a Security Analysis
Page 13-9
Securing a Wireless Network: Understanding Wireless Networking Standards
In 1999, the Institute of Electrical and Electronics Engineers (IEEE) released the first standard in the 802.11 working group, called “Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications,” defining a new series of technologies for the WLAN physical layer. For the wireless networking industry, the key document in this series of standards was IEEE 802.11b, “Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications—Amendment 2: Higher-speed Physical Layer (PHY) extension in the 2.4 GHz band.”
Standards
The 802.11a standard (up to 54 Mbps): “Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications: Amendment 1: High-speed Physical Layer in the 5 GHz band” defines a medium with speeds running up to 54 Mbps.
The 802.11b standard (up to 11 Mbps): Defines a physical layer specification that enables WLANs to run at speeds up to 11 megabits per second (Mbps), slightly faster than a standard Ethernet network.
The 802.11g standard: “Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications—Amendment 4: Further Higher Data Rate Extension in the 2.4 GHz Band” calls for higher transmission speeds using the same 2.4 GHz frequencies as 802.11b.
Wireless Networking Topologies
Two basic topologies: ad hoc and infrastructure.
An ad hoc network consists of two or more wireless devices communicating directly with each other. The signals generated by WLAN network interface adapters are omnidirectional.
Basic service area: The range covered by a device's signal is called a basic service area (BSA). When two wireless devices come within range of each other, they are able to connect and communicate, immediately forming a two-node network.
Basic service set: Wireless devices within the same basic service area are called a basic service set (BSS).
An Ad Hoc Network Two ranges coming together
Note: The ad hoc topology is most often used on home networks, or for very small businesses that have no cabled network components at all.
An Infrastructure Network
Uses a wireless device called an access point as a bridge between wireless devices and a standard cabled network.
Access point: An access point is a small unit that connects to an Ethernet network (or other cabled network) by cable, but that also contains an 802.11b-compliant wireless transceiver.
Infrastructure Network Access point
Understanding Wireless Network Security
Unauthorized access: An unauthorized user with a wireless workstation connects to the network and accesses network resources.
Data interception: A user running a protocol analyzer with a wireless network interface adapter may be able to capture all the packets transmitted between the other wireless devices and the access point.
Controlling Wireless Access Using Group Policies
In the Group Policy Object Editor console, you can create a policy under the Computer Configuration\Windows Settings\Security Settings\Wireless Network (IEEE 802.11) Policies subheading that enables you to specify whether wireless-equipped computers can connect to ad hoc networks only, infrastructure networks only, or both.
The New Wireless Network Policy Properties dialog box
The New Preferred Setting Properties dialog box
Authenticating Users
Open System authentication: Open System authentication is the default authentication method used by IEEE 802.11 devices, and it actually provides no authentication at all.
Shared Key authentication: Shared Key authentication is a system by which wireless devices authenticate each other using a secret key that both possess. The messages exchanged between the requester and the responder are outlined on pages 17 – 18.
IEEE 802.1X Authentication Most IEEE 802.1X implementations function as clients of a server running a Remote Authentication Dial-In User Service (RADIUS), such as the Internet Authentication Service (IAS) included with Windows Server 2003.
Two Authentication Protocols
Extensible Authentication Protocol-Transport Level Security (EAP-TLS): It can carry a variety of authentication mechanisms within a given packet framework.
Protected EAP-Microsoft Challenge Handshake Authentication Protocol, version 2 (PEAP-MS-CHAP v2): PEAP is a variation on EAP that is designed for use on wireless networks that do not have a PKI in place.
Encrypting Wireless Traffic: Wired Equivalent Privacy
To prevent data transmitted over a wireless network from being compromised through unauthorized packet captures, the IEEE 802.11 standard defines an encryption mechanism called Wired Equivalent Privacy (WEP). The degree of protection that WEP provides is governed by configurable parameters that control the length of the keys used to encrypt the data and the frequency with which the systems generate new keys.
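To show what the Shared Key authentication exchange and the WEP encryption described in the two passages above actually do on the wire, here is an added example (not from the textbook, and not Windows code). It implements RC4 and the WEP framing (24-bit IV in the clear, CRC-32 integrity check value, keystream from IV||key), then runs the four-frame Shared Key exchange between a requesting station and a responding access point: request, 128-byte challenge, the challenge returned WEP-encrypted, and the result. The frame dictionaries are a simplification of the 802.11 management frames, and the 40-bit key is a constructed sample; only 40-bit and 104-bit keys are accepted, matching the key-length parameter the text mentions.

```python
"""Shared Key authentication over WEP framing. Added illustration; the frame
dicts simplify 802.11 management frames and the key below is a constructed sample."""

import os
import struct
import zlib
from typing import Dict, Optional

SHARED_KEY = 1          # 802.11 authentication algorithm number for Shared Key
STATUS_OK = 0           # 802.11 status code: successful
STATUS_CHALLENGE = 15   # 802.11 status code: rejected because of challenge failure


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key-scheduling, then XOR data with the generated keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP body: IV (3 bytes, clear) || RC4(IV||key) XOR (plaintext || CRC-32 ICV)."""
    if len(key) not in (5, 13):      # 40- or 104-bit secret key plus the 24-bit IV
        raise ValueError("WEP key must be 5 or 13 bytes")
    if len(iv) != 3:
        raise ValueError("WEP IV must be 3 bytes")
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    return iv + rc4(iv + key, plaintext + icv)


def wep_decrypt(key: bytes, frame: bytes) -> Optional[bytes]:
    """Recover the plaintext, or None when the ICV does not match (wrong key or altered frame)."""
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + key, body)
    data, icv = plain[:-4], plain[-4:]
    if struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF) != icv:
        return None
    return data


class Station:
    """Requester: the wireless device asking to join."""
    def __init__(self, key: bytes) -> None:
        self.key = key

    def frame1(self) -> Dict:
        return {"alg": SHARED_KEY, "seq": 1}

    def frame3(self, frame2: Dict) -> Dict:
        # Fresh IV per frame; the challenge goes back encrypted under the shared key
        return {"alg": SHARED_KEY, "seq": 3,
                "body": wep_encrypt(self.key, os.urandom(3), frame2["challenge"])}


class AccessPoint:
    """Responder: holds the same secret key and issues the challenge."""
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.pending: Optional[bytes] = None

    def frame2(self, frame1: Dict) -> Dict:
        if frame1 != {"alg": SHARED_KEY, "seq": 1}:
            raise ValueError("unexpected authentication request")
        self.pending = os.urandom(128)          # 128-byte random challenge text
        return {"alg": SHARED_KEY, "seq": 2, "challenge": self.pending}

    def frame4(self, frame3: Dict) -> Dict:
        plain = wep_decrypt(self.key, frame3["body"]) if frame3.get("seq") == 3 else None
        ok = plain is not None and plain == self.pending
        self.pending = None                     # challenge is single-use
        return {"alg": SHARED_KEY, "seq": 4, "status": STATUS_OK if ok else STATUS_CHALLENGE}


def shared_key_auth(station: Station, ap: AccessPoint) -> bool:
    """Run the four-frame exchange; True only if the station proved it holds the key."""
    f1 = station.frame1()
    f2 = ap.frame2(f1)
    f3 = station.frame3(f2)
    f4 = ap.frame4(f3)
    return f4["status"] == STATUS_OK


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"               # constructed 40-bit sample key
    print("matching key:", shared_key_auth(Station(key), AccessPoint(key)))
    print("wrong key:   ", shared_key_auth(Station(b"\x09" * 5), AccessPoint(key)))
```

Contrast this with Open System authentication, which is a two-frame request/response with no challenge at all, which is why the slides say it provides no authentication. In Shared Key, a station that lacks the key cannot produce a frame 3 whose ICV verifies, so the access point answers with a challenge-failure status.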
Exam Tip: Be sure you are familiar with the security hazards inherent in wireless networking, and with the mechanisms that Windows operating systems can use to authenticate wireless clients and encrypt their traffic.
Providing Secure Network Administration
Reasons for using Remote Assistance:
Technical support
Troubleshooting
Training
Offering Remote Assistance
Using Control Panel: set up in System Properties
Using Group Policies
Creating an Invitation Offer Assistance:
Securing Remote Assistance
Invitations: No person can connect to another computer using Remote Assistance unless that person has received an invitation from the client.
Interactive connectivity: You cannot use Remote Assistance to connect to an unattended computer.
Client-side control: The client can press ESC to end the session.
Remote control configuration: The group policies also enable administrators to grant specific users expert status, so that no one else can use Remote Assistance to connect to a client computer, even with the client's permission.
Firewalls: Remote Assistance uses Transmission Control Protocol (TCP) port number 3389 for all its network communications.
Using Remote Desktop
Exam Tip Be sure that you understand the differences between Remote Assistance and Remote Desktop, and that you understand the applications for which each is used.
Activating Remote Desktop
Because Remote Desktop requires a standard logon, it is inherently more secure than Remote Assistance, and needs no special security measures, such as invitations and session passwords.
Using the Remote Desktop Client Both Windows Server 2003 and Windows XP include the client program needed to connect to a host computer using Remote Desktop.
Practice: Configuring Remote Assistance
Exercise 1: Activating Remote Assistance Using Control Panel (Page)
Exercise 2: Activating Remote Assistance Using Group Policies
Exercise 3: Creating an Invitation
Page 13-28
Summary
Case Scenario Exercise (Page)
Troubleshooting Lab (Page)
Exam Highlights
Key Points
Key Terms
Page 13-33