Designing a Designing a SecuritySecurity

InfrastructureInfrastructure

ChapterThirteen

Exam Objectives in this Chapter: Plan a security update infrastructure. Tools

might include Microsoft Baseline Security Analyzer and Microsoft Software Update Services.

Plan security for wireless networks. Plan secure network administration

methods. Create a plan to offer Remote Assistance to

client computers. Plan for remote administration by using Terminal

Services.

Lessons in this Chapter: Planning a Security Update Infrastructure Securing a Wireless Network Providing Secure Network Administration

Before You Begin This chapter assumes a basic understanding of

security implementation in the Microsoft Windows Server 2003 family and of how to use group policies to apply settings to large numbers of computers, as covered throughout this book.

To perform the practice exercises in this chapter, you must have installed and configured Windows Server 2003 using the procedure described in “About This Book.”

Planning a Security Update Infrastructure Understanding Software Update Practices

A service packservice pack is a collection of patches and updates that have been tested as a single unit. Service packs are a distinct improvement over the previous system, in which operating system updates were released as a series of individual patches, each addressing a separate issue.

A hotfix is a small patch designed to address a specific issue. While Microsoft only for computers experiencing a particular problem.

Using Windows Update Windows Update for XP

Update for Networks Consideration for Networks:

Bandwidth With Windows Update, updates become available for

installation right away. On a network many computers would be ready for downloads at the same time consuming large amounts of bandwith.

Testing It is possible for a particular update to cause

problems. This could result in the loss of productivity and the

added burden on technical support personnel

Updating a Network Network administrators should not

immediately install every update that appears. It is important to test the update releases first.

A network security update infrastructuresecurity update infrastructure is a series of policies that are designed to help the network administrator perform the following tasks:

A network security update infrastructure performs the following tasks

Determine which computers need to be updated

Test update releases on multiple system configurations

Determine when updates are released Deploy update releases on large fleets

SUS

Using Microsoft Baseline Security Analyzer Microsoft Baseline Security Analyzer

(MBSA) is a graphical tool that can check for common security lapses on a single computer or multiple computers running various versions of the Windows operating system.

Microsoft Baseline Security Analyzer (MBSA) Scan your system

Microsoft Baseline Security Analyzer (MBSA) Produces its results

Using Microsoft Baseline Security Analyzer The security faults that MBSA can detect are as

follows: Missing security updatesMissing security updates

MBSA replaces an earlier Microsoft update checking utility called Hfnetchk.exe, which operates from the command line and only checks computers for missing updates.

Account vulnerabilitiesAccount vulnerabilities Guest account is activated If there are more than two accounts with Administrator

privileges; If anonymous users have too much access; If the computer is configured to use the Autologon feature.

MBSA Detection continued: Improper passwordsImproper passwords

if they are configured to expire, are blank, or are too simple.

File system vulnerabilitiesFile system vulnerabilities whether all the disk drives on the computer are using the

NTFS file system. IIS and SQL vulnerabilitiesIIS and SQL vulnerabilities

If the computer is running Microsoft Internet Information Services (IIS) or Microsoft SQL Server, MBSA examines these applications for a variety of security weaknesses.

May be downloaded from Microsoft at:

http://download.microsoft.com/download/8/e/e/8ee73487-4d36-4f7f-92f2-2bdc5c5385b3/mbsasetup.msi

Testing Security Updates You must test them to make sure they are

compatible with all your system configurations.

Using Microsoft Software Update Services Microsoft Software Update Services (SUS)

is a free product that notifies administrators when new security updates are available, downloads the updates, and then deploys them to the computers on the network

SUS consists of the following components: Synchronization server Intranet Windows Update server Automatic updates

Using Microsoft Software Update Services

Synchronization server The administrator can allow the downloads to occur

as needed; schedule them to occur at specific times (such as off-peak traffic hours); or trigger them manually.

Once SUS downloads the updates, it stores them on the server.

Using Microsoft Software Update Services

Intranet Windows Update server When updates are ready for deployment, SUS

functions as the Windows Update server for the computers on the network, except that this server is on the intranet and does not require the clients to access the Internet.

Using Microsoft Software Update Services

Automatic updates Automatic Updates is a Windows operating system

feature that enables computers to download and install software updates with no user intervention.

Exam Tip Be sure to understand the differences

between the functions of (MBSA) Microsoft Baseline Security Analyzer and (SUS) Microsoft Software Update Services

Practice: Using Microsoft Baseline Security Analyzer

Exercise 1: Downloading and Installing MBSA Exercise 2: Performing a Security Analysis

Page 13-9

Securing a Wireless Network Understanding Wireless Networking Standards.

In 1999, the Institute of Electrical and Electronics Engineers (IEEE) released the first standard in the 802.11 working group, called “Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications,” defining a new series of technologies for the WLAN physical layer.

For the wireless networking industry, the key document in this series of standards was IEEE 802.11b, “Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications—Amendment 2: higher-speed Physical Layer (PHY) extension in the 2.4 GHz band.”

802.11 Standards The 802.11a standard

“Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications: Amendment 1: High-speed Physical Layer in the 5 GHz band” defines a medium with speeds running up toup to 54 Mbps54 Mbps,

The 802.11b standard Defines a physical layer specification that enables

WLANs to run at speeds up to 11 megabits per up to 11 megabits per secondsecond (Mbps), slightly faster than a standard Ethernet network.

The 802.11g standard “Wireless LAN Medium Access Control (MAC) and

Physical Layer (PHY) specifications—Amendment 4: Further Higher Data Rate Extension in the 2.4 GHz Band,” calls for higher transmission speeds using the same 2.4 GHz frequencies as 802.11b.

Wireless Networking Topologies Two basic topologies:

ad hoc and infrastructure

An ad hoc network consists of two or more wireless devices communicating directly with each other.

The signals generated by WLAN network interface adapters are omnidirectional.

This range is called a basic service areabasic service area (BSA). When two wireless devices come within range of

each other, they are able to connect and communicate, immediately forming a two-node network.

Wireless devices within the same basic service area are called a basic service setbasic service set (BSS).

An Ad Hoc Network Two ranges coming together

Note The ad hoc topology is most often used on

home networks, or for very small businessthat have no cabled network components at all.

An Infrastructure Network Uses a wireless device called an access

point as a bridge between wireless devices and a standard cabled network.

An access pointaccess point is a small unit that connects to an Ethernet network (or other cabled network) by cable, but that also contains an 802.11b-compliant wireless transceiver.

Infrastructure Network

Access point

Understanding Wireless Network Security Unauthorized access

An unauthorized user with a wireless workstation connects to the network and accesses network resources

Data interception A user running a protocol analyzer with a

wireless network interface adapter may be able to capture all the packets transmitted between the other wireless devices and the access point.

Controlling Wireless Access Using Group Policies In the Group Policy Object Editor console,

you can create a policy in the Computer Configuration\Windows Settings\Security Settings\Wireless Network (IEEE 802.11) Policies subheading that enables you to specify whether wireless-equipped computers can connect to ad hoc networks only, infrastructure networks only, or both

The New Wireless Network Policy Properties dialog box

The New Preferred Setting Properties dialog box

Authenticating Users Open System Authentication

Open System authentication is the default authentication method used by IEEE 802.11 devices, and it actually provides no authentication at all.

Shared Key Authentication Shared Key authentication is a system by

which wireless devices authenticate each other using a secret key that both possess.

Messages are exchanged between the requester and the responder outlined on page 17 – 18.

IEEE 802.1X Authentication Most IEEE 802.1X implementations function as

clients of a server running a Remote Authentication Dial-In User Service (RADIUS), such as the Internet Authentication Service (IAS) included with Windows Server 2003.

Two Authentication Protocols Extensible Authentication Protocol-

Transport Level Security (EAP-TLS) It can carry a variety of authentication

mechanisms within a given packet framework. Protected EAP-Microsoft Challenge

Handshake Authentication Protocol, version 2 (PEAP-MS-CHAP v2) PEAP is a variation on EAP that is designed for

use on wireless networks that do not have a PKI in place.

Encrypting Wireless Traffic To prevent data transmitted over a wireless

network from being compromised through unauthorized packet captures, the IEEE 802.11 standard defines an encryption mechanism called Wired Equivalent PrivacyWired Equivalent Privacy (WEP).

The degree of protection that WEP provides is governed by configurable parameters thatcontrol the length of the keys used to encrypt the data and the frequency with which the systems generate new keys.

Exam Tip Be sure you are familiar with the security

hazards inherent in wireless networking,and with the mechanisms that Windows operating systems can use to authenticate wireless clients and encrypt their traffic

Providing Secure Network Administration Reasons for Using Remote Assistance:

Technical support Troubleshooting Training

Offering Remote Assistance Using Control Panel

Setup in Systems Properties

Using Group Policies

Creating an Invitation Offer Assistance:

Securing Remote Assistance Invitations

No person can connect to another computer using Remote Assistance unless that person has received an invitation from the client

Interactive connectivity You cannot use Remote Assistance to connect to an

unattended computer. Client-side control

ESC to end the secession. Remote control configuration

The group policies also enable administrators to grant specific users expert status, so that no one else can use Remote Access to connect to a client computer, even with the client’s permission.

Firewalls Remote Assistance uses Transmission Control Protocol (TCP)

port number 3389 for all its network communications.

Using Remote Desktop

Exam Tip Be sure that you understand the

differences between Remote Assistance and Remote Desktop, and that you understand the applications for which each is used.

Activating Remote Desktop Because Remote Desktop requires a

standard logon, it is inherently more secure than Remote Assistance, and needs no special security measures, such as invitations and session passwords

Using the Remote Desktop Client Both Windows Server

2003 and Windows XP include the client program needed to connect to a host computer using Remote Desktop.

Practice: Configuring Remote Assistance

Exercise 1: Activating Remote Assistance Using Control Panel

Page 13-27 Exercise 2: Activating Remote Assistance Using

Group Policies Exercise 3: Creating an Invitation

Page 13-28

Summary Case Scenario Exercise

Page 13-31 Troubleshooting Lab

Page 13-32 Exam Highlights

Key Points Key Terms

Page 13-33