A+ Certification Guide Chapter 17 Security


A+ Certification Guide

Chapter 17

Security


Chapter # 17 Objectives

Security Fundamentals
– Understand the mindset you should have when securing a computer.
– Understand file systems, authentication, and how to protect against malware.

Data and Physical Security
– Describe encryption types, the Local Security Policy, backups, and password management.

Securing Wireless Networks
– Explain wireless encryption and maximizing security on wireless devices.

Access Control Purposes and Principles
– Explain User Access Control (UAC), NTFS permissions, and auditing.

Data Destruction/Disposal Techniques

Installing, Configuring, and Troubleshooting Security Features
– Demonstrate how to secure the BIOS, configure a firewall, and set up a secure wireless connection.


Establishing a Security Plan

[Figure: risk matrix with Probability and Impact axes, each rated Low, Medium, High]


Security Fundamentals

Secure Versus Insecure File Systems
– FAT16/FAT32
  • No file/folder encryption
  • No support for user and group permissions
  • Local login by anyone provides local access to the entire logical drive contents
  • Windows Vista cannot use FAT
– NTFS
  • Designed for security
  • Encrypting File System (EFS)-capable
  • Employs user permissions
    – Each user is limited to his own documents by default.


Authentication Technologies

Authentication demands that a user verify his right to access data.

Relies on
– Something the user knows
  • For example, a password or Personal Identification Number (PIN)
– Something the user has
  • For example, a smart card or other security token
– Something the user is
  • For example, the biometric reading of a fingerprint or retina scan
– Something the user does
  • For example, a signature


Username/Password/PIN Authentication

Can be verified locally by the local system
– PC username/password
– Access codes on a door lock

Can be verified remotely by a server
– Login can be matched to local PC or to a whole domain of PCs.

Passwords should be complex
– 6 to 8 characters minimum
  • Use of extra characters increases difficulty of discovery
– Mix of uppercase/lowercase, numbers, and symbols
– Passphrase
  • First letters of words in phrase become password characters
– Mitigates brute force dictionary attacks by hackers


Password Management

Options available in the local security policy for managing passwords

– Change passwords periodically (Local Policies, Security Options).

– Be informed in advance that passwords are about to expire (Account Policies, Password Policy).

– Enforce a minimum password length (Account Policies, Password Policy).

– Require complex passwords (Account Policies, Password Policy).

– Prevent old passwords from being reused continually (Account Policies, Password Policy).

– Wait a certain number of minutes after a specified number of unsuccessful logins has taken place before users can log in again (Account Policies, Account Lockout Policy).
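
On Windows, most of the options listed above are stored as settings in the `[System Access]` section of the file produced by `secedit /export /cfg`. The Python script below is an added example, not part of the guide: it audits such an export against a baseline. The thresholds (apart from the 8-character minimum, taken from the top of the "6 to 8" range on the earlier slide) and the sample export are assumptions constructed for illustration.

```python
import configparser

# Baseline thresholds are assumptions chosen for this example, not values from the guide.
# setting name in [System Access] -> (policy option it implements, check, requirement text)
BASELINE = {
    "MaximumPasswordAge": ("change passwords periodically", lambda v: 1 <= v <= 90, "1-90 days"),
    "MinimumPasswordLength": ("minimum password length", lambda v: v >= 8, ">= 8"),
    "PasswordComplexity": ("require complex passwords", lambda v: v == 1, "1 (enabled)"),
    "PasswordHistorySize": ("prevent password reuse", lambda v: v >= 5, ">= 5"),
    "LockoutBadCount": ("lock out after failed logins", lambda v: 1 <= v <= 10, "1-10 attempts"),
    "LockoutDuration": ("lockout wait time", lambda v: v >= 15, ">= 15 minutes"),
}

# Constructed sample of a `secedit /export /cfg` file (not taken from a real machine).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""


def audit_password_policy(export_text):
    """Return (setting, found, required, policy_option) for every failed check."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the setting names' original case
    parser.read_string(export_text)
    section = parser["System Access"] if parser.has_section("System Access") else {}
    findings = []
    for name, (option, ok, required) in BASELINE.items():
        raw = section.get(name)
        if raw is None:
            # A setting missing from the export is reported rather than assumed safe;
            # LockoutDuration may be absent when account lockout is disabled.
            findings.append((name, "not set", required, option))
        elif not ok(int(raw)):
            findings.append((name, raw, required, option))
    return findings


if __name__ == "__main__":
    for name, found, required, option in audit_password_policy(SAMPLE_EXPORT):
        print(f"FAIL {name}: found {found}, want {required} ({option})")
```

A real export is usually UTF-16 encoded, so read it with `open(path, encoding="utf-16")` before passing the text to `audit_password_policy`.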


What a User Has or Is

Things a user might have:
– A key
– SmartCard

Things a user might be:
– Fingerprint
  • Effective when combined with username/password
  • Can be fooled with tape or bubblegum
– Retinal Scan

Database of fingerprints and retinal scans must be securely maintained to prevent unauthorized access and replication.


Software Firewalls

Program designed to examine data packets
– Criteria in headers are monitored:
  • Destination/source IP addresses
  • Application ports and data
  • Protocols
– Can filter packets coming in or going out:
  • Windows XP and Vista use a one-way firewall.
    – Allows ping out, but not in.
    – Vista can be modified for two-way use.

Hardware firewalls are dedicated devices with specially designed operating systems.


Troubleshooting Software Firewalls

Your firewall is configured to block all connections:
– Clear No Exceptions check box.

Your firewall does not have an exception set up for the program:
– Click Unblock to permit access.

You might have two firewalls (Windows Firewall and a third-party firewall).

You did not open the correct TCP or UDP ports for a program.


Data and Physical Security

Data Access Local Security Policy
– In Control Panel > Administrative Tools > Local Security Policy

Policies that can be enabled/configured:
– Enable Auditing.
– Shutdown: Clear Virtual Memory Pagefile.
– Take ownership of files/objects in system.
– Enable/Disable Ctrl+Alt+Del for login purposes.


Data Access Local Security Policy

From Administrative Tools > Local Security Policy
– The following features can be enabled/disabled:
  • Enable Auditing.
  • Shutdown: Clear Virtual Memory Pagefile.
  • Take ownership of files or other objects.
  • Turn on Ctrl+Alt+Del.


Data Encryption

Encrypting File System (EFS)
– Supported by operating systems that can read NTFS drives:

Data can be opened only by
• User who encrypted them
• Administrator
• EFS Key holder

Caution: Should Windows not boot properly and the user attempt to attach the drive to another system and access the files from there, the files will be encrypted and inaccessible.
– Export the user’s EFS certificate key, and keep it in a safe place should it ever be needed.

BitLocker Encryption:
– Full disk encryption software on Windows Vista.
– Keys must be stored remotely.


Data Backups

Backups are necessary because
– Mechanical devices eventually fail.

Backups can be subject to hacking/tampering.
– Backup data drive/media should be password-protected.

Data Migration:
Direct connection is best.
Network connections offer opportunity for data retrieval by unauthorized parties.
– The Files and Settings Transfer Wizard offers password-protected transfer of files across the network connection.


PC Vulnerabilities - Terms

Social Engineering

Trojan horse
– Programs that claim to be useful utilities but actually install harmful programs on your computer, including spyware, remote access, and root kits.

Root kits
– A concealment method used by many types of malware to prevent detection by normal antivirus and antimalware programs.

Spyware
– Software that spies on system activities and transmits details of web searches or other activities to remote computers.

Remote access
– Programs that enable unauthorized control of your system; can be used to set up networks of compromised computers known as botnets.

Adware
– Software that displays pop-up ads and banners related to your web searches and activities.

Grayware
– General term for dialers, joke programs, adware, and spyware programs.


Social Engineering Vulnerabilities

– Pretexting
– Phishing
– Trojan horse
– Baiting
– Tailgating
– Shoulder surfing


Protection Against Viruses and Malware

Computer protection needs specialized software to perform
– Real-time protection to block infection
– Automatic periodic scans for known/suspected threats
– Automatic updating on a frequent (usually daily) basis
– Renewable subscriptions to obtain updated threat signatures
– Links to virus and threat encyclopedias
– Inoculation of system files
– Permissions-based access to the Internet
– Scanning of downloaded files and sent/received emails


Securing Wireless Networks

Air is insecure: data in transit must be encrypted.

Both the access point and the end host must use the same encryption.
– Common encryption types
  • WEP
    – Not considered very secure
  • WPA
    – Secure but should still be protected further by using strong passwords
    – TKIP (Temporal Key Integrity Protocol)
  • WPA2
    – AES (Advanced Encryption Standard)
    – Preferred when available
    – Availability is determined by all hosts being able to support a common standard


Security: DHCP Versus Static Addressing

Two methods to provide addresses:

Static: Manual entry of IP address information
– Static IP addressing best for servers and devices that must be regularly contacted for their services
– More time-consuming
– More secure

Dynamic: Allocating addresses automatically using a server program designed for that purpose
– Best for the network hosts
– Should adjust the number of IP addresses that can be assigned
  • Prevents unwanted use of your network by drive-by users


SSID – Security Set Identifier

Default is easily seen by unwanted intruders:
– Often means there is no administrative password in place
  • Most Wireless Access Points (WAP) use a generic password.
  • Must be changed to ensure protection of the WAP.
– Can be confusing if more than one WAP of the same manufacturer/model is in the same locality

Change name:
– Do not use: Family name, company name, location

Disable the SSID Broadcast:
– This prevents the access point from announcing its presence
– Caution: XP will look for previously known networks by searching for them using the SSID. Hackers can use this.


Additional WAP Firewall Features

MAC Address is burned into Network Card
– Can be allowed or denied access to Wireless Access Point (WAP)
  • Blocks casual Internet surfers from using your network.
  • Serious hackers can get around this.

Network Address Translation
– Hides the internal network numbers from external users

Access Logs
– A list of traffic denied or permitted

Traffic Filtering
– IP addresses, websites or ports can be specifically filtered.

Support for Virtual Private Networking (VPN)


Securing Wired Networks


Access Control Purposes and Principles

Control access to the following operating system user accounts:
– User – Only has control over created folders/files
– Administrator – Has full control
– Guest – Disabled by default

User Access Control (UAC)
– Automatically makes all accounts standard users
– Prompts administrator when system changes are made
– Reduces risk of malware using the administrator account
– Can be turned off if necessary:
  • Control Panel > User Accounts and Family Safety > User Accounts
    – System must be restarted.


Groups and Permissions

Groups allow control of resources through grouping users together who need the same access levels to files and objects on the system.

– Installed groups include Administrators, Users, Power Users, and Guest

– Permissions that can be assigned to Groups/Users:
  • Full Control
  • Modify: Change file or folder contents
  • Read & Execute
  • List Folder Contents
  • Read
  • Write: Add a new file or folder

– Each permission can either be allowed or denied.


Permission Inheritance

Folders inherit permissions from the parent folder by default
– If you change the parent permissions, it changes the subfolder permission.

If you move a folder, it retains its permissions.

If you copy a folder, it inherits permissions of the folder above it in the hierarchy.

Printer permissions are managed from the Security tab.


Hardware Recycling and Deconstruction

What do you do with an old PC that is no longer needed?

– Hard disks should be destroyed.
  • Many data recovery programs can read deleted files.
– An exception is when the disk is intended for a second life as a donated computer.
  • Remove data with DOD 5220.22-M-compliant program.
– CDs, DVDs, and floppy disks should be physically destroyed.


Security Features

BIOS Security
– Boot Sector virus protection
– Boot Sequence
– BIOS Setup password
– BIOS HDD password


Reflection

A well-trusted and loyal employee asked to use a color printer instead of the black-and-white laser printer for some documents he is preparing for an A+ presentation this afternoon. His permission set allows him to print only to the black-and-white laser printer.

What do you do?


What Have You Learned?

– What is malware?
– Why is WEP considered insecure?
– Name three things that must be known/configured for the WAP and client to connect securely.
– What is the encryption available to NTFS file systems?
– How is a passphrase superior to most passwords?


Chapter # 17 Summary

Security Fundamentals
– Understand file systems, authentication, and how to protect against malware.

Securing Wireless Networks
– Explain wireless encryption and maximizing security on wireless devices.

Data and Physical Security
– Describe encryption types, the Local Security Policy, backups, and password management.

Access Control Purposes and Principles
– Explain User Access Control (UAC), NTFS permissions, and auditing.

Installing, Configuring, and Troubleshooting Security Features
– Demonstrate how to secure the BIOS, configure a firewall, and set up a secure wireless connection.

Next: Chapter 18