Presentation is loading. Please wait.

Presentation is loading. Please wait.

Principles for securing a corporate network, with a look at the some of the Microsoft technologies available Nick Clark.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Principles for securing a corporate network, with a look at the some of the Microsoft technologies available Nick Clark."— Presentation transcript:

1 Principles for securing a corporate network, with a look at the some of the Microsoft technologies available Nick Clark

2  Outline a generic corporate network  Identify possible weaknesses  Discuss risk and impact  Discuss main security technologies (Least Privilege & Group Policy, ISA Server, PKI)  Offer some solutions to the weaknesses  Practical: IPsec and domain isolation 2

3  Corporate = lots of computers & users (1000’s)  Multiple sites (and perhaps domains)  Many servers (25 or more)  One or more connections in and out:  Internet  Remote Access  Wireless  Site links  Result: we have lots of networks to look after, and we have lots risks 3

4 4 Hackers Virus Loss of Info Hacker Theft Unknowns War Driving Hackers & Unknowns Virus Users

5  What risks for different attack vectors?  What’s the chance it could happen?  What’s would be the impact to the business?  Need to find solutions that reduces the risk which doesn’t affect the business too much 5

6 Take the risk factor and propose how likely it is to happen Then decide what the impact would be to the business if the worst happened Multiply the results and you get an idea of the priorities RiskImpactResult Viruses326AntiVir Hackers133Firewalls Spyware212Least Priv 6  Consider the risk of a successful hack  Not likely but what if it did happen?  Bring down the network  Steal corporate information / licenses  Bad advertising if it gets public

7  External factors:  Hacking, Virus Attack, DoS, Spyware, Theft  Internal factors:  Users  Need to consider each vector on it’s own  Then analyse what could happen and what we can do to prevent it 7

8  Biggest cause of security problems  Dangers:  Unrecoverable deletion of files  Primary vector for virus and spyware infection  Access to privileged / unsuitable material  Installation of illegal or unlicensed software  Wasted time fixing / rebuilding computers messed up by users with too many rights 8

9  Least Privilege - only the rights to do what you’re allowed to do  Running in the User context users cannot change settings or install software on PCs  Presents problems when using poorly designed software, or mobile users with laptops (fix by granting specific rights on pc after analysing with sysinternals utilities) sysinternals utilities  Handle politics of users wanting rights by demonstrating no need for admin rights 9

10  Allows us to enforce highly granular settings on users and computers  Makes it possible to make changes to every or a just sub-set of computers or users with very little effort  Can deploy software to computers with it and configure the software too (e.g. MS Office)  Can make custom policies for changing settings which aren’t already available to be changed, e.g. deep networking settings  Can relax security some settings without giving users full control of their computers, e.g. network connections 10

11  Decide what we want to apply, and where we want to apply it, e.g. change desktop background for all PCs…  Run Group Policy Management Console from a DC or an administrative workstation. Need gpmc.msigpmc.msi 11

12  Create a new GPO in the Group Policy Objects folder, then right-click the new object to edit it  Choose the settings you want then close the GPO  Finally apply the GPO to the Organisational Unit of your choice, e.g. Computers container for computer settings, or Users container for user settings  Since we are working with a tree structure of OUs, we have to consider Inheritance.  Domain  Staff  Computers  Users  Students  Computers  Users 12 Applied here all computers will get the settings Applied here all Staff computers will get the settings Applied here all Student computers will get the settings and we can apply user settings too without having to make a second GPO (not best-practice though)

13  Can apply security settings to GPOs so that only certain security groups receive the settings  We can Deny or Allow settings to be applied based on group membership  For example if in Admins group deny applying the policy, otherwise enforce the policy for all users  On a Windows 2003 or later domain we can filter also based on WMI rules  For example we can apply Vista settings only to PCs that actually have Vista installed, and therefore keep all Vista and XP PCs in the same OU 13

14  Microsoft’s strongest firewall technology  Used to protect networks from the wild internet  Acts as a proxy to enhance internet speeds for users, and as a reverse-proxy to accelerate web-server publishing out to the internet  Layer 7 firewall – filters based on application usage and user rights, not just on IP addresses and packet filtering rules  Extendible into arrays so we can use additional servers to improve performance  ISA servers are basically hardened servers with multiple network interfaces that sit in between the internet and the corporate network  Can also be used as a VPN server so users can connect to the network when on the road 14

15 ISA Server Web Server Internal User Internet User  Publish a web server to the internet and internal users (e.g. outlook web access)  Allow access to internet for internal users, protecting users from internet by filtering websites and logging usage  Can filter based on user groups or other factors (requires agent installed on workstations) 15

16  Extension to authentication methods using certificates  All computers and users are issued private certificates by a certificate authority server (CA)  The associated AD objects for the computers and users include the public certificates  When authentication takes place between computers the authentication process is verified against the public/private certificates  With certificates users can sign or encrypt email messages and log-in to systems without needing passwords  Permits use of WPA wireless encryption – computer is authenticated with the certificate and a large encryption key is issued to the computer to get in via WiFi 16

17  Create a Stand-alone Root Certificate Authority  Holds the master certificate, kept switched off  Perfect for virtual server - store the whole server on CD in a safe  Create an Enterprise Intermediate Certificate Authority  Signed by Stand-alone Root CA  Stores all information in Active Directory  Able to automatically issue certificates to computers and users  We can get certificates manually: https:// /certsrv  Need to set domain level group policies to force automatic certificate enrolment  PKI’s require careful planning and backing up – see link  With a PKI in place we can start enabling certificate based authentication and/or two-factor sign-on for users 17

18  Excellent method of implementing super high security with very little expense or complicated planning  Uses advanced group policy and IPsec encryption to save money on expensive switches and cabling  See following webcasts: http://blogs.technet.com/jhoward/archive/2006/02/14/419491.aspx http://blogs.technet.com/jhoward/archive/2006/02/14/419491.aspx  Case study: http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=49593 http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=49593 18

19 19 ISA SERVER GROUP POLICY & PKI GROUP POLICY & PKI IPSEC PKI + WPA

20 ? nick.clark@uwe.ac.uk 20 Links for Practical: TechNet Virtual Lab: Security with Group Policy Event: http://tinyurl.com/2ctl36 TechNet Virtual Lab: Group Policy Security Templates and IPSec Event: http://tinyurl.com/2gllb2

Download ppt "Principles for securing a corporate network, with a look at the some of the Microsoft technologies available Nick Clark."

Similar presentations

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
Module 5: Configuring Access for Remote Clients and Networks.

Module 5: Configuring Access for Remote Clients and Networks.
Module 5: Creating and Configuring Group Policy

Module 5: Creating and Configuring Group Policy
1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.

1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.
1 Configuring Virtual Private Networks for Remote Clients and Networks.

1 Configuring Virtual Private Networks for Remote Clients and Networks.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.
Network and Server Basics. 6/1/20152 Learning Objectives After viewing this presentation, you will be able to: Understand the benefits of a client/server.

Network and Server Basics. 6/1/20152 Learning Objectives After viewing this presentation, you will be able to: Understand the benefits of a client/server.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.

Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.
MIS 431 - Chapter 91 Ch. 9 – Implement and Use Group Policy MIS 431 – created Spring 2006.

MIS Chapter 91 Ch. 9 – Implement and Use Group Policy MIS 431 – created Spring 2006.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.
Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
Installing and Maintaining ISA Server. Planning an ISA Server Deployment Understand the current network infrastructure Review company security policies.

Installing and Maintaining ISA Server. Planning an ISA Server Deployment Understand the current network infrastructure Review company security policies.
Virtual Private Network (VPN) © N. Ganesan, Ph.D..

Virtual Private Network (VPN) © N. Ganesan, Ph.D..
Course 201 – Administration, Content Inspection and SSL VPN

Course 201 – Administration, Content Inspection and SSL VPN
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 IT Essentials PC Hardware and Software 4.1 Instructional Resource Chapter.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 IT Essentials PC Hardware and Software 4.1 Instructional Resource Chapter.
Clinic Security and Policy Enforcement in Windows Server 2008.

Clinic Security and Policy Enforcement in Windows Server 2008.
9.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

9.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

Similar presentations

Ads by Google