Designing a Security Infrastructure
Chapter Thirteen
Exam Objectives in this Chapter: Plan a security update infrastructure (tools might include Microsoft Baseline Security Analyzer and Microsoft Software Update Services). Plan security for wireless networks. Plan secure network administration methods. Create a plan to offer Remote Assistance to client computers. Plan for remote administration by using Terminal Services.
Lessons in this Chapter: Planning a Security Update Infrastructure; Securing a Wireless Network; Providing Secure Network Administration.
Before You Begin: This chapter assumes a basic understanding of security implementation in the Microsoft Windows Server 2003 family and of how to use group policies to apply settings to large numbers of computers, as covered throughout this book.
To perform the practice exercises in this chapter, you must have installed and configured Windows Server 2003 using the procedure described in “About This Book.”
Planning a Security Update Infrastructure
Understanding Software Update Practices
A service pack is a collection of patches and updates that have been tested as a single unit. Service packs are a distinct improvement over the previous system, in which operating system updates were released as a series of individual patches, each addressing a separate issue.
A hotfix is a small patch designed to address a specific issue. Microsoft recommends installing a hotfix only on computers experiencing the particular problem it addresses.
Using Windows Update
Considerations for using Windows Update on a network:
Bandwidth: With Windows Update, updates become available for installation right away. On a network, many computers would be ready to download at the same time, consuming large amounts of bandwidth.
Testing: It is possible for a particular update to cause problems, resulting in lost productivity and an added burden on technical support personnel.
Updating a Network: Network administrators should not immediately install every update that appears. It is important to test update releases first.
A network security update infrastructure is a series of policies designed to help the network administrator perform the following tasks:
Determine which computers need to be updated
Test update releases on multiple system configurations
Determine when updates are released
Deploy update releases on large fleets
Using Microsoft Baseline Security Analyzer
Microsoft Baseline Security Analyzer (MBSA) is a graphical tool that can check for common security lapses on a single computer or on multiple computers running various versions of the Windows operating system.
[Figure: MBSA scanning a system] [Figure: MBSA scan results]
The security faults that MBSA can detect are as follows:
Missing security updates. MBSA replaces an earlier Microsoft update-checking utility called Hfnetchk.exe, which operates from the command line and checks computers only for missing updates.
Account vulnerabilities. MBSA reports whether the Guest account is activated, whether there are more than two accounts with Administrator privileges, whether anonymous users have too much access, and whether the computer is configured to use the Autologon feature.
Improper passwords. MBSA checks whether passwords are configured to expire, are blank, or are too simple.
File system vulnerabilities. MBSA checks whether all the disk drives on the computer are using the NTFS file system.
IIS and SQL vulnerabilities. If the computer is running Microsoft Internet Information Services (IIS) or Microsoft SQL Server, MBSA examines these applications for a variety of security weaknesses.
MBSA may be downloaded from Microsoft at:
http://download.microsoft.com/download/8/e/e/8ee73487-4d36-4f7f-92f2-2bdc5c5385b3/mbsasetup.msi
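The account, password and file-system checks listed above are easy to reproduce locally, which is useful for understanding what MBSA is actually looking at. The script below is an added example, not part of the textbook and not MBSA's own code. It assumes Windows PowerShell 5.1 or later with the LocalAccounts module (Get-LocalUser, Get-LocalGroupMember) and the Storage module (Get-Volume), and the Winlogon AutoAdminLogon registry value; blank or weak passwords cannot be read back from the local SAM, so that part of the MBSA check is not reproduced.

```powershell
# Added example (not from the textbook or MBSA): a local audit that reproduces a subset
# of the MBSA account, password and file-system checks. Run in an elevated session.
# Assumes: Windows PowerShell 5.1+, Microsoft.PowerShell.LocalAccounts, Storage module.

function Test-LocalSecurityBaseline {
    [CmdletBinding()]
    param(
        # MBSA flags more than two accounts with Administrator privileges.
        [int]$MaxAdministrators = 2
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # Account vulnerabilities: is the built-in Guest account (RID 501) enabled?
    $guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
    if ($guest -and $guest.Enabled) {
        $findings.Add("Guest account '$($guest.Name)' is enabled.")
    }

    # Account vulnerabilities: too many members of the local Administrators group?
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
    if ($admins.Count -gt $MaxAdministrators) {
        $names = ($admins | ForEach-Object { $_.Name }) -join ', '
        $findings.Add("Administrators group has $($admins.Count) members (limit $MaxAdministrators): $names")
    }

    # Account vulnerabilities: Autologon configured? (Winlogon\AutoAdminLogon = "1")
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $auto = (Get-ItemProperty -Path $winlogon -Name AutoAdminLogon -ErrorAction SilentlyContinue).AutoAdminLogon
    if ("$auto" -eq '1') {
        $findings.Add('AutoAdminLogon is enabled; a DefaultPassword may be stored in the registry.')
    }

    # Improper passwords: enabled local accounts whose passwords never expire.
    Get-LocalUser | Where-Object { $_.Enabled -and $_.PasswordNeverExpires } | ForEach-Object {
        $findings.Add("Account '$($_.Name)' has a password that never expires.")
    }

    # File system vulnerabilities: every fixed drive with a letter should be NTFS
    # (ReFS volumes are also reported here; relax the test if you use ReFS deliberately).
    Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter -and $_.FileSystem -ne 'NTFS' } |
        ForEach-Object { $findings.Add("Drive $($_.DriveLetter): uses $($_.FileSystem) instead of NTFS.") }

    return $findings
}

$results = Test-LocalSecurityBaseline
if ($results.Count -eq 0) { 'No findings.' } else { $results }
```

Each finding is returned as a string rather than printed, so the function can be run across many computers with Invoke-Command and the results collected centrally, which is the "multiple computers" use case the chapter describes for MBSA.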
Testing Security Updates
You must test security updates to make sure they are compatible with all your system configurations.
Using Microsoft Software Update Services
Microsoft Software Update Services (SUS) is a free product that notifies administrators when new security updates are available, downloads the updates, and then deploys them to the computers on the network.
SUS consists of the following components:
Synchronization server: The administrator can allow the downloads to occur as needed, schedule them to occur at specific times (such as off-peak traffic hours), or trigger them manually. Once SUS downloads the updates, it stores them on the server.
Intranet Windows Update server: When updates are ready for deployment, SUS functions as the Windows Update server for the computers on the network, except that this server is on the intranet and does not require the clients to access the Internet.
Automatic Updates: Automatic Updates is a Windows operating system feature that enables computers to download and install software updates with no user intervention.
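The client side of this design is a handful of Automatic Updates policy settings that redirect clients from the public Windows Update site to the intranet server, plus some way of checking which computers still lack a required update. The script below is an added example, not part of the textbook or of SUS. It assumes Windows PowerShell 5.1 or later and the Windows Update policy registry values (WUServer, WUStatusServer, UseWUServer, AUOptions, ScheduledInstallDay, ScheduledInstallTime) that Group Policy writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate; the server name and KB numbers are constructed placeholders.

```powershell
# Added example (not from the textbook or SUS): check or set the Automatic Updates client
# policy so the computer uses an intranet update server, and list required hotfixes that
# Get-HotFix does not report as installed. Run in an elevated session.
# Assumes: Windows PowerShell 5.1+, policy values under the WindowsUpdate policy key.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AUKey     = "$PolicyKey\AU"

function Get-IntranetUpdateConfig {
    $wu = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AUKey     -ErrorAction SilentlyContinue
    [pscustomobject]@{
        IntranetServer = $wu.WUServer              # where clients fetch updates
        StatusServer   = $wu.WUStatusServer        # where clients report status
        UsesIntranet   = ($au.UseWUServer -eq 1)   # 0/absent = public Windows Update
        # AUOptions: 2 notify before download, 3 download then notify,
        # 4 download and install on schedule, 5 let users choose
        AUOptions      = $au.AUOptions
        ScheduledDay   = $au.ScheduledInstallDay   # 0 = every day, 1..7 = Sun..Sat
        ScheduledTime  = $au.ScheduledInstallTime  # hour of day, 0..23
    }
}

function Set-IntranetUpdateConfig {
    param(
        [Parameter(Mandatory)][string]$ServerUrl,            # constructed, e.g. http://susserver.example.com
        [ValidateRange(2,5)][int]$AUOptions = 4,             # scheduled install, no user action
        [ValidateRange(0,7)][int]$ScheduledInstallDay = 0,   # every day
        [ValidateRange(0,23)][int]$ScheduledInstallTime = 3  # 03:00, off-peak
    )
    New-Item -Path $AUKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name WUServer       -Value $ServerUrl -Type String
    Set-ItemProperty -Path $PolicyKey -Name WUStatusServer -Value $ServerUrl -Type String
    Set-ItemProperty -Path $AUKey -Name UseWUServer          -Value 1 -Type DWord
    Set-ItemProperty -Path $AUKey -Name AUOptions            -Value $AUOptions -Type DWord
    Set-ItemProperty -Path $AUKey -Name ScheduledInstallDay  -Value $ScheduledInstallDay -Type DWord
    Set-ItemProperty -Path $AUKey -Name ScheduledInstallTime -Value $ScheduledInstallTime -Type DWord
}

function Get-MissingHotfix {
    # Returns the KB identifiers in $Required that are not installed on this computer.
    param([Parameter(Mandatory)][string[]]$Required)
    $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    $Required | Where-Object { $installed -notcontains $_ }
}

# Usage:
Get-IntranetUpdateConfig
# Set-IntranetUpdateConfig -ServerUrl 'http://susserver.example.com'   # constructed server name
Get-MissingHotfix -Required @('KB0000001', 'KB0000002')                 # constructed placeholder KB ids
```

In a real deployment these values are set through Group Policy rather than by writing the registry directly; the Set- function is there to make visible exactly what the policy changes, and Get-IntranetUpdateConfig is the check to run when a client keeps reaching out to the Internet instead of the SUS server.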
Exam Tip: Be sure to understand the differences between the functions of Microsoft Baseline Security Analyzer (MBSA) and Microsoft Software Update Services (SUS).
Practice: Using Microsoft Baseline Security Analyzer
Exercise 1: Downloading and Installing MBSA
Exercise 2: Performing a Security Analysis
Page 13-9
Securing a Wireless Network
Understanding Wireless Networking Standards
In 1999, the Institute of Electrical and Electronics Engineers (IEEE) released the first standard in the 802.11 working group, called “Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications,” defining a new series of technologies for the WLAN physical layer.
For the wireless networking industry, the key document in this series of standards was IEEE 802.11b, “Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications—Amendment 2: higher-speed Physical Layer (PHY) extension in the 2.4 GHz band.”
802.11 Standards
The 802.11a standard, “Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications: Amendment 1: High-speed Physical Layer in the 5 GHz band,” defines a medium with speeds running up to 54 Mbps.
The 802.11b standard defines a physical layer specification that enables WLANs to run at speeds up to 11 megabits per second (Mbps), slightly faster than a standard Ethernet network.
The 802.11g standard, “Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications—Amendment 4: Further Higher Data Rate Extension in the 2.4 GHz Band,” calls for higher transmission speeds using the same 2.4 GHz frequencies as 802.11b.
Wireless Networking Topologies
There are two basic topologies: ad hoc and infrastructure.
An ad hoc network consists of two or more wireless devices communicating directly with each other. The signals generated by WLAN network interface adapters are omnidirectional and reach only a limited distance; this range is called a basic service area (BSA). When two wireless devices come within range of each other, they are able to connect and communicate, immediately forming a two-node network. Wireless devices within the same basic service area are called a basic service set (BSS).
[Figure: An ad hoc network, two ranges coming together]
Note: The ad hoc topology is most often used on home networks, or for very small businesses that have no cabled network components at all.
An infrastructure network uses a wireless device called an access point as a bridge between wireless devices and a standard cabled network. An access point is a small unit that connects to an Ethernet network (or other cabled network) by cable, but that also contains an 802.11b-compliant wireless transceiver.
[Figure: An infrastructure network with an access point]
Understanding Wireless Network Security
Unauthorized access: An unauthorized user with a wireless workstation connects to the network and accesses network resources.
Data interception: A user running a protocol analyzer with a wireless network interface adapter may be able to capture all the packets transmitted between the other wireless devices and the access point.
Controlling Wireless Access Using Group Policies
In the Group Policy Object Editor console, you can create a policy under the Computer Configuration\Windows Settings\Security Settings\Wireless Network (IEEE 802.11) Policies subheading that enables you to specify whether wireless-equipped computers can connect to ad hoc networks only, infrastructure networks only, or both.
[Figure: The New Wireless Network Policy Properties dialog box] [Figure: The New Preferred Setting Properties dialog box]
Authenticating Users
Open System authentication is the default authentication method used by IEEE 802.11 devices, and it actually provides no authentication at all.
Shared Key authentication is a system by which wireless devices authenticate each other using a secret key that both possess. Messages are exchanged between the requester and the responder as outlined on pages 17–18.
IEEE 802.1X authentication: Most IEEE 802.1X implementations function as clients of a server running the Remote Authentication Dial-In User Service (RADIUS), such as the Internet Authentication Service (IAS) included with Windows Server 2003.
Two authentication protocols:
Extensible Authentication Protocol-Transport Level Security (EAP-TLS) can carry a variety of authentication mechanisms within a given packet framework.
Protected EAP-Microsoft Challenge Handshake Authentication Protocol, version 2 (PEAP-MS-CHAP v2): PEAP is a variation on EAP that is designed for use on wireless networks that do not have a PKI in place.
Encrypting Wireless Traffic
To prevent data transmitted over a wireless network from being compromised through unauthorized packet captures, the IEEE 802.11 standard defines an encryption mechanism called Wired Equivalent Privacy (WEP). The degree of protection that WEP provides is governed by configurable parameters that control the length of the keys used to encrypt the data and the frequency with which the systems generate new keys.
Exam Tip: Be sure you are familiar with the security hazards inherent in wireless networking, and with the mechanisms that Windows operating systems can use to authenticate wireless clients and encrypt their traffic.
Providing Secure Network Administration
Reasons for using Remote Assistance: technical support, troubleshooting, and training.
Offering Remote Assistance: using Control Panel (set up in System Properties); using group policies; creating an invitation or offering assistance.
Securing Remote Assistance
Invitations: No person can connect to another computer using Remote Assistance unless that person has received an invitation from the client.
Interactive connectivity: You cannot use Remote Assistance to connect to an unattended computer.
Client-side control: The client can press ESC at any time to end the session.
Remote control configuration: The group policies also enable administrators to grant specific users expert status, so that no one else can use Remote Assistance to connect to a client computer, even with the client’s permission.
Firewalls: Remote Assistance uses Transmission Control Protocol (TCP) port number 3389 for all its network communications.
Using Remote Desktop
Exam Tip: Be sure that you understand the differences between Remote Assistance and Remote Desktop, and that you understand the applications for which each is used.
Activating Remote Desktop: Because Remote Desktop requires a standard logon, it is inherently more secure than Remote Assistance, and needs no special security measures, such as invitations and session passwords.
Using the Remote Desktop Client: Both Windows Server 2003 and Windows XP include the client program needed to connect to a host computer using Remote Desktop.
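Both Remote Assistance and Remote Desktop listen on TCP 3389, so the firewall point made above applies to both, and the first thing an administrator usually wants is a way to see which of the two is switched on and who the port is open to. The script below is an added example, not part of the textbook. It assumes Windows 8 / Windows Server 2012 or later for the NetSecurity cmdlets (Get-NetFirewallRule, New-NetFirewallRule and their filter cmdlets) and the registry values fAllowToGetHelp, fAllowFullControl and fDenyTSConnections; the help-desk subnet is a constructed placeholder.

```powershell
# Added example (not from the textbook): report the Remote Assistance / Remote Desktop state
# of this computer and scope inbound TCP 3389 to the help-desk network. Run elevated.
# Assumes: NetSecurity module (Windows 8 / Server 2012+), the registry values named below.

$HelpDeskSubnet = '10.10.20.0/24'   # constructed placeholder; use the support team's real network

function Get-Port3389AllowAnyRule {
    # Enabled inbound allow rules for TCP/3389 that accept connections from any remote address.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }
}

function Get-RemoteSupportState {
    $ra = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' -ErrorAction SilentlyContinue
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'   -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RemoteAssistanceEnabled = ($ra.fAllowToGetHelp -eq 1)      # invitations can be issued
        HelperMayTakeControl    = ($ra.fAllowFullControl -eq 1)    # expert can control, not just view
        RemoteDesktopEnabled    = ($ts.fDenyTSConnections -eq 0)   # 1 (or absent) = RDP disabled
        Port3389OpenToAnyCount  = @(Get-Port3389AllowAnyRule).Count
    }
}

function Set-Port3389Scope {
    param([Parameter(Mandatory)][string]$Subnet)
    # Disable rules that let anyone reach 3389, then allow it only from the help-desk network.
    Get-Port3389AllowAnyRule | Disable-NetFirewallRule
    New-NetFirewallRule -DisplayName 'Remote Assistance/Desktop (help desk only)' `
        -Direction Inbound -Protocol TCP -LocalPort 3389 -RemoteAddress $Subnet `
        -Action Allow -Profile Domain | Out-Null
}

# Usage:
Get-RemoteSupportState
# Set-Port3389Scope -Subnet $HelpDeskSubnet
```

Get-RemoteSupportState is the check to run on a fleet before and after applying the group policies discussed above: a client that shows RemoteDesktopEnabled or RemoteAssistanceEnabled together with a non-zero Port3389OpenToAnyCount is reachable on 3389 from anywhere the network allows, not only from the support team.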
Practice: Configuring Remote Assistance
Exercise 1: Activating Remote Assistance Using Control Panel
Page 13-27
Exercise 2: Activating Remote Assistance Using Group Policies
Exercise 3: Creating an Invitation
Page 13-28
Summary
Case Scenario Exercise
Page 13-31
Troubleshooting Lab
Page 13-32
Exam Highlights
Key Points
Key Terms
Page 13-33