Designing Strategies for Security Management · 2019. 2. 20.

  • Upload
    others

  • View
    1

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Designing Strategies for Security Management · 2019. 2. 20. · .....Designing Strategies for Security Management 61 Account Operators, Backup Operators, and many others. Administrators

3

Designing Strategies for Security Management

Terms you’ll need to understand:
✓ Remote desktop administration
✓ Telnet
✓ Emergency Management Services
✓ Software Update Services (SUS)
✓ Systems Management Server (SMS)
✓ Disaster recovery plan (DRP)

Techniques you’ll need to master:
✓ Designing security for network management
✓ Designing a security update infrastructure

03 0789730162 CH03 4/12/04 2:35 PM Page 59


Your network has enough enemies, including viruses, well-intentioned users, and not so well-intentioned attackers. You must ensure that you don’t become your own worst enemy! You need to understand the risks associated with managing your network and mitigate those risks with whatever tools you have available. In addition, you need to keep your network up to date with the latest security patches. This process needs to be as automatic as possible in your situation.

In this chapter, we discuss the tools that you can use to manage the risk of managing the network. These include simple tools such as the Run as command as well as more complex tools used to monitor and manage servers and services. We also discuss the new tools in Windows Server 2003 that aid you in assessing the current patch level of computers in your network and in keeping computers up to date with security patches from the Microsoft Web site.

Designing Security for Network Management

You need to understand the power of the Administrator account as well as other accounts that provide rights on the network. In the right hands, these are tools you use to manage a network. In the wrong hands, they are weapons that attackers can use against you. As you manage your network, take care that these accounts do not fall into the wrong hands. In addition, you need to understand the tools and services available to enhance and monitor the security of your network. Designing security for network management includes the following components:

➤ Managing the risk of managing networks

➤ Designing the administration of servers

➤ Designing security for Emergency Management Services

Managing the Risk of Managing Networks

Windows Server 2003 controls access to Active Directory and the ability to manage it using security groups. Some groups are designed to give a person rights to manage an aspect of the network, solely because they are associated with that group. These groups include Administrators, Server Operators, Account Operators, Backup Operators, and many others. Administrators who are members of these groups must understand the power that the group membership gives them and use it wisely.

We now discuss the tools that Windows Server 2003 provides to assist an administrator in the safe management of the network. These tools include the following:

➤ The Run as command

➤ Restricted groups

➤ Security auditing

The Run as Command

Even if you are an administrator, you need to log on every morning with the same type of user account that everyone else uses. You don’t need an administrative account to check your email and browse the Web. You should only use an administrative account if you are doing something on the network that requires the use of an administrative account. This practice protects the network because the less you use an administrative logon, the less chance there is for a Trojan horse virus or some type of worm to pick it up and send it to an attacker. Also, if you walk away from a computer that you are logged on to with an administrative account, another person could use the computer and “play Administrator” for a while!

Although your users should only have one account, you and your other administrators need to have at least two accounts. You should use a normal user account until it is necessary to use the administrative account and, at that time, you can use the Run as command to perform a secondary logon.

You can use the Run as command either through the GUI or at the command line. To use the Run as command with a GUI tool, simply right-click the tool, click Run as, and then log on with the account that you want to use to run that tool. You might need to hold down the Shift key while you right-click, depending on the tool that you choose. Figure 3.1 shows the Run as command on the Start menu. Figure 3.2 shows the secondary logon screen for the Run as command. When the tool is closed, the system reverts back to the primary logon account.


Figure 3.1 You can right-click the tool to use the Run as command.

Figure 3.2 The Run as command provides a secondary logon for that tool only.

To use the Run as command from a command prompt, type the following syntax:

Runas /user:domain\account name “mmc %windir%\system32\tool.msc”

where domain is the name of your domain, account name is the name of the account with which you want to run the tool, and tool is the name of the tool that you want to run.

For example, Runas /user:bfe.vtc.com\administrator “mmc %windir%\system32\dsa.msc” will run Active Directory Users and Computers in the bfe.com domain by the account name of Administrator.


After you enter this syntax correctly, you are then asked for the password of the account with which you want to run the program. Figure 3.3 shows the command line with the entered command and the system’s response. After you enter the correct password, the system opens the tool. When the tool is closed, the system reverts back to your primary logon account.

Figure 3.3 You can use the Run as command from a command-line interface.

You can check the %windir%\system32 folder on your servers for files with .msc extensions. All files with .msc extensions can be used with the Run as menu option. You can even create shortcuts on the desktop or in your administrative tools using the same command.

We are only using the default name “Administrator” for the administrative account for this training example. You should always change the default names of administrative accounts.
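The shortcut idea above can be scripted so that every administrator gets the same set of runas launchers. The following PowerShell script is an added example, not code from the book: it lists the .msc consoles in %windir%\system32 and creates desktop shortcuts that start each chosen console through runas.exe with the same command line the chapter shows. The account name CONTOSO\admin-jdoe and the tool list are placeholders; change them to your own renamed administrative account and the consoles you actually use.

```powershell
# Added example (not from the book): build desktop shortcuts that launch
# administrative MMC consoles through runas, so the everyday logon never
# needs administrative rights. The admin account and tool list are
# placeholders; %windir%\system32 is assumed to hold the standard .msc files.

$AdminAccount = 'CONTOSO\admin-jdoe'   # placeholder: your renamed admin account
$Desktop      = [Environment]::GetFolderPath('Desktop')

# Friendly name => .msc file; only the ones that exist become shortcuts.
$Tools = @{
    'AD Users and Computers' = 'dsa.msc'
    'Computer Management'    = 'compmgmt.msc'
    'Event Viewer'           = 'eventvwr.msc'
    'Local Security Policy'  = 'secpol.msc'
}

function Get-AvailableMscTools {
    # Every snap-in console in the system folder, the same check the book
    # suggests doing by hand in %windir%\system32.
    Get-ChildItem -Path (Join-Path $env:windir 'system32') -Filter '*.msc' |
        Select-Object -ExpandProperty Name
}

function New-RunAsShortcut {
    param(
        [Parameter(Mandatory = $true)] [string] $Name,
        [Parameter(Mandatory = $true)] [string] $Msc,
        [Parameter(Mandatory = $true)] [string] $Account
    )
    $mscPath = Join-Path $env:windir "system32\$Msc"
    if (-not (Test-Path $mscPath)) {
        Write-Warning "$Msc not found; skipping $Name"
        return
    }
    $shell    = New-Object -ComObject WScript.Shell
    $shortcut = $shell.CreateShortcut((Join-Path $Desktop "$Name (runas).lnk"))
    $shortcut.TargetPath = Join-Path $env:windir 'system32\runas.exe'
    # Same syntax as the book's command line: mmc starts under $Account and
    # runas prompts for that account's password each time the shortcut is used.
    $shortcut.Arguments = "/user:$Account `"mmc $mscPath`""
    $shortcut.Save()
    Write-Output "Created shortcut: $($shortcut.FullName)"
}

Write-Output "Consoles available on this computer: $((Get-AvailableMscTools) -join ', ')"
foreach ($entry in $Tools.GetEnumerator()) {
    New-RunAsShortcut -Name $entry.Key -Msc $entry.Value -Account $AdminAccount
}
```

Because the password is never stored in the shortcut, the secondary logon still happens at the moment the tool opens, and closing the console ends it, exactly as with the manual command.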

Restricted Groups

Membership in a security group can give someone permissions and rights that she would not have if she was not in that security group, especially if that group is a member of another group that has more rights. This is the way the system is supposed to work. But, what if someone is a member of a group that gives her administrative access and you are not aware that she is a member? In this case, your own system is working against you.

You might be thinking, “But I can just check all of the groups and make certain that I know who the members are.” Well, that’s true, but there might be more groups to keep track of than you think. You have to consider that every workstation and member server has its own local groups as well! Wouldn’t it be nice to just lock those groups down with some type of template? Well, now you can!


Restricted Groups is a computer security policy that should be used primarily with workstations and member servers. In other words, it is rarely used on domain controllers. It allows you to define who can be a member in a particular security group on a computer and what other groups that group can be a member of as well. After you define who can be a member of that group, anybody else who currently is a member is removed from membership as soon as the security policy is refreshed. This way, it’s impossible for you to miss anybody. You can also copy the template that you create and use it on subsequent workstations and member servers.

You can create the template and apply the settings for Restricted Groups on a member server running Windows 2000 Server or Windows Server 2003 in two ways. You can either create the template in the local security settings for each of the computers that you choose or you can create a Group Policy and roll it out to all of the computers in an organizational unit (OU) or hierarchy of OUs. For Windows 2000 Professional and Windows XP Professional clients, you can use Group Policy to enforce Restricted Groups.

As we mentioned previously, you should refrain from using Restricted Groups at the domain level; however, it is possible to use this tool to provide a “reality check” if you suspect that someone has obtained fraudulent access to administrative rights through membership in a security group.

To configure Restricted Groups on one member server, perform the following steps:

1. Open the Local Security Policy through Administrative Tools.

2. Expand the Security Settings option.

3. Right-click Restricted Groups.

4. Click Add Group.

5. Type the name of the group that you need to manage.

6. Add the members that you want to be in the group and the groups of which that group can be a member.

7. Click OK or Apply.

When you click OK or Apply, only the members that you have designated are still members of the groups for which you have set Restricted Groups. Any other members are removed from group membership. This takes effect the next time they log on to the server locally.

To configure Restricted Groups with Group Policy, perform the following steps:


1. Open the Group Policy Management Console and Group Policy Object Editor tools to create and configure a new Group Policy or edit an existing one.

2. Expand Computer Configuration.

3. Right-click Restricted Groups.

4. Click Add Group.

5. Type the name of the group that you need to manage.

6. Add the members that you want to be in the group and the groups of which that group can be a member.

7. Click OK or Apply.

When the Group Policy is linked to a container, the Restricted Groups settings become effective for all computers in that container. You can force the policy to apply as soon as you link it, using the gpupdate command, or you can simply wait until the policy is refreshed automatically by the system.

When a Group Policy is linked to a container, you must ensure that no other policies that could change the results of the Group Policy are linked to the same container. Remember, the last one to “flip those switches” wins!
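Both procedures above (the local security policy and the Group Policy version) end up writing the same Restricted Groups setting, which lives in a security template under a [Group Membership] section. The PowerShell script below is an added example, not the book's own procedure: it writes such a template for the local Administrators group, applies it to one member server with secedit, and prints the group's membership before and after so you can see the "reality check" from the earlier paragraph in action. It assumes a domain group CONTOSO\ServerAdmins (a placeholder) and that the local Administrator account is still named Administrator, which the book elsewhere tells you to rename; *S-1-5-32-544 is the well-known SID of the local Administrators group, so the template keeps working after a rename of the group itself.

```powershell
# Added example (not from the book): enforce Restricted Groups on one member
# server with a security template and secedit, then verify the result.
# Assumptions: CONTOSO\ServerAdmins is a placeholder domain group; the
# template, database and log paths are placeholders under %TEMP%.

$TemplatePath = Join-Path $env:TEMP 'restricted-groups.inf'
$DatabasePath = Join-Path $env:TEMP 'restricted-groups.sdb'
$LogPath      = Join-Path $env:TEMP 'restricted-groups.log'

# __Members  = who is allowed in the group (anyone else is removed on apply).
# __Memberof = which other groups this group is allowed to be a member of.
# *S-1-5-32-544 is the well-known SID of the local Administrators group.
$Template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Administrator,CONTOSO\ServerAdmins
'@

function Get-LocalGroupMembership {
    param([string] $GroupName = 'Administrators')
    # The ADSI WinNT provider needs no extra modules and works on 2000/2003-era
    # servers as well as current ones.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', ''
    }
}

function Invoke-RestrictedGroupsTemplate {
    # Security templates are Unicode text, matching the [Unicode] header.
    Set-Content -Path $TemplatePath -Value $Template -Encoding Unicode
    # /areas GROUP_MGMT applies only the Restricted Groups part of the template.
    & secedit.exe /configure /db $DatabasePath /cfg $TemplatePath /overwrite /areas GROUP_MGMT /log $LogPath /quiet
    if ($LASTEXITCODE -ne 0) {
        throw "secedit failed with exit code $LASTEXITCODE; see $LogPath"
    }
}

Write-Output 'Administrators before:'; Get-LocalGroupMembership
Invoke-RestrictedGroupsTemplate
Write-Output 'Administrators after:';  Get-LocalGroupMembership
```

Run it first on a test server: anyone not listed under __Members, including an account you forgot about, is removed the moment the template is applied, and the only record of who was there is the "before" listing.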

Security Auditing

A wise person once said “You don’t get what you expect, you get what you inspect.” You need to have a system in place that aids you in monitoring the security of your network. This includes an audit policy that determines what is to be audited and a person or persons responsible for regularly checking the security log to look for anything that doesn’t seem to fit.

Windows Server 2003 provides the tools for auditing logons, resource access, account management, and more. Your audit policy determines what is written to the security log. The security log can then be read, archived, and printed with Event Viewer. Figure 3.4 shows the settings for Audit Policy in the Microsoft Management Console (MMC) named Default Domain Security Settings. Table 3.1 defines each of the settings that you could use in your audit policy. You can audit each of these settings for success, failure, or success and failure. Figure 3.5 shows an example of a security log in Event Viewer.


Figure 3.4 The settings in your audit policy determine what is written to the security log.

Table 3.1 Audit Policy Settings

Policy | Definition
Audit Account Logon Events | Is set on a domain controller. Audits domain controller’s authentication of a logon from another computer.
Audit Account Management | Audits activity that is generally associated with administrators, such as creating or renaming users or groups, or changing passwords.
Audit Directory Service Access | Audits objects in Active Directory that have their system access control list (SACL) set for auditing.
Audit Logon Events | Audits the local logon to a computer regardless of the role of the computer.
Audit Object Access | Audits the access of resource objects, such as a file, folder, printer, Registry key, and so on that have the system access control list (SACL) set for auditing.
Audit Policy Change | Audits changes to user rights assignment policies, audit policies, or trust policies.
Audit Privilege Use | Audits each instance of a user exercising a user right.
Audit Process Tracking | Audits events usually associated with applications, rather than users, such as program activation and handle duplication.
Audit System Events | Audits a user’s restarting or shutting down of the system or any event that affects system security or the security log.
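"You get what you inspect" applies to the audit policy itself: the settings in Table 3.1 can drift when another policy is linked to the same container. The PowerShell script below is an added example, not from the book. It exports the effective policy with secedit, decodes the [Event Audit] section (where a template stores each Table 3.1 setting as 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure), compares it with a baseline you choose, and then summarizes the failure audits of the last day by event ID, which is the first thing the person reading the security log should look at. The baseline values are illustrative; the script assumes Windows PowerShell 3.0 or later (for [pscustomobject] and Get-EventLog) and must run with administrative rights for secedit and the Security log.

```powershell
# Added example (not from the book): export the effective audit policy with
# secedit, decode [Event Audit] against Table 3.1, flag drift from a baseline,
# then summarize recent failure audits from the Security log.
# Assumptions: the baseline is illustrative; run as an administrator.

# Template key => policy name from Table 3.1
$PolicyNames = @{
    AuditAccountLogon    = 'Audit Account Logon Events'
    AuditAccountManage   = 'Audit Account Management'
    AuditDSAccess        = 'Audit Directory Service Access'
    AuditLogonEvents     = 'Audit Logon Events'
    AuditObjectAccess    = 'Audit Object Access'
    AuditPolicyChange    = 'Audit Policy Change'
    AuditPrivilegeUse    = 'Audit Privilege Use'
    AuditProcessTracking = 'Audit Process Tracking'
    AuditSystemEvents    = 'Audit System Events'
}
# Template value: 0 = No auditing, 1 = Success, 2 = Failure, 3 = Success and Failure
$ValueNames = @{ 0 = 'No auditing'; 1 = 'Success'; 2 = 'Failure'; 3 = 'Success, Failure' }

# Illustrative baseline: who logs on, who changes accounts or policy, system events.
$Baseline = @{
    AuditAccountLogon = 3; AuditAccountManage = 3; AuditLogonEvents  = 3
    AuditPolicyChange = 3; AuditSystemEvents  = 3; AuditPrivilegeUse = 2
}

function Get-EffectiveAuditPolicy {
    # secedit writes the current settings to a Unicode .inf; we only read [Event Audit].
    $inf = Join-Path $env:TEMP 'audit-export.inf'
    & secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    $inSection = $false
    $policy = @{}
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\[(.+)\]') { $inSection = ($matches[1] -eq 'Event Audit'); continue }
        if ($inSection -and $line -match '^\s*(Audit\w+)\s*=\s*(\d)') {
            $policy[$matches[1]] = [int]$matches[2]
        }
    }
    $policy
}

function Compare-AuditPolicy {
    $current = Get-EffectiveAuditPolicy
    foreach ($key in $Baseline.Keys) {
        # A key missing from the export means the category is not audited at all.
        $actual = if ($current.ContainsKey($key)) { $current[$key] } else { 0 }
        [pscustomobject]@{
            Policy   = $PolicyNames[$key]
            Expected = $ValueNames[$Baseline[$key]]
            Actual   = $ValueNames[$actual]
            Drift    = ($actual -ne $Baseline[$key])
        }
    }
}

function Get-FailureAuditSummary {
    param([int] $Hours = 24)
    # Failure audits grouped by event ID; a sudden rise in one ID stands out.
    Get-EventLog -LogName Security -EntryType FailureAudit -After (Get-Date).AddHours(-$Hours) |
        Group-Object -Property EventID |
        Sort-Object -Property Count -Descending |
        Select-Object @{ Name = 'EventID'; Expression = { $_.Name } }, Count
}

Compare-AuditPolicy | Format-Table -AutoSize
Get-FailureAuditSummary -Hours 24 | Format-Table -AutoSize
```

A row with Drift = True is the signal that some other linked policy "flipped the switch" after you set it; the event-ID summary is the daily inspection the chapter asks someone to be responsible for.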


Figure 3.5 You can view the results of a security audit in Event Viewer.

Designing the Administration of Servers

Managing an enterprise can be a cumbersome task, but Windows Server 2003 provides many tools to assist you in the efficient and safe management of your network, no matter how large it is. The tools with which you need to be familiar are as follows:

➤ Microsoft Management Consoles (MMCs)

➤ Remote Desktop Administration

➤ Telnet

➤ Remote Assistance

Microsoft Management Consoles

Using Microsoft Management Consoles (MMCs), you can create your own custom “toolboxes” that keep the tools you use most frequently all in one place. You can then share these toolboxes with other administrators whom you trust, or you can create another toolbox that has only the tools that they need. You can simply share the completed MMC in a folder to which the other administrator has access, and he can then use the MMC as well. Share it with Read permission so that the administrator who receives the MMC cannot change the file without also changing the name and the ownership of the file. To use the MMC tools, you must register the proper dynamic link libraries (DLLs). You can easily register most DLLs by entering adminpak.msi at a command prompt and following the Windows Server 2003 Administrative Tools Installation Wizard.

An MMC itself has no administration capability; it’s only a toolbox that contains the real tools called snap-ins. These snap-ins are produced by Microsoft and many other vendors. They include most of the tools that you need to configure, manage, and monitor your network. Many of these tools can be used on the local computer or on a remote computer connected to the management console. Figure 3.6 shows an MMC that has been customized to hold tools for two different computers.

Figure 3.6 You can build MMCs that hold tools for multiple computers.

Remote Desktop Administration

Remote Desktop Connection replaces the Remote Administration Mode for Terminal Services used in Windows 2000 Server. It provides a new interface that allows you to safely manage any computer that is configured to allow users to connect remotely. You can access Remote Desktop Connection by clicking Start, All Programs, Accessories, Communications, Remote Desktop Connection. You can then connect to the computer by entering the computer name and the password for that computer.


You can control the resolution and other aspects of the “user experience” on the Remote Desktop Connection settings. Figure 3.7 shows the Remote Desktop Connection dialog box. These options allow you to configure your remote session based on the allowed bandwidth and other restrictions. Figure 3.8 shows the custom settings that you can configure on the Experience tab. You should use Remote Desktop Connection when you are making a connection to only one other computer or server.

You must also be a member of the Remote Desktop Users security group to use Remote Desktop Connection. The administrator is a member of this group by default and can add other members.

Figure 3.7 You can configure options for Remote Desktop Connection.

To make multiple simultaneous connections, use the Remote Desktops snap-in. This tool enables you to manage many servers as if you were sitting in front of each one of them. You can control each of the connections and encrypt the connection over the Remote Desktop Protocol (RDP). You can quickly switch between several remote desktops. Figure 3.9 shows an MMC with the Remote Desktops snap-in installed.


Figure 3.8 You can configure custom settings on the Experience tab.

Figure 3.9 You can control multiple remote connections from one interface with the Remote Desktops snap-in.

Telnet

In general, you use Remote Desktop Connection or the Remote Desktops snap-in to connect with any computers that are running Microsoft operating systems. This provides the most secure method of remote administration.

For other servers and network devices on your network, you can use Telnet. The Telnet application is part of the TCP/IP suite, and any network that is using TCP/IP can use it. The Telnet client is built in to Windows Server 2003 and provides a command-line interface to another server and limited functionality to configure the server (see Figure 3.10). Telnet does not provide security—all passwords and data are transmitted in clear text. If you use Telnet, you need to ensure that no sensitive information is being transmitted.

Figure 3.10 You can configure servers and network devices on a command-line interface with Telnet.

Telnet is not recommended for remote administration of Microsoft computers because all data and commands are transmitted in clear text.

To access a computer or network device with Telnet, perform the following steps:

1. Click Start.

2. Click Run.

3. Type telnet.

4. Type open.

5. Type the name of the host with which you want a connection.

6. Type ? for help with further commands.

The list of commands that are available is based on the type of host to which you have connected. All commands are alphanumeric. In other words, you can’t use your mouse or any type of GUI with Telnet. Table 3.2 lists some Telnet commands and the actions that they perform.


Table 3.2 Telnet Commands

Telnet Command | Action Performed
Open hostname | Establishes session with host
Close | Closes connection
Display | Shows current settings for client
Send | Gives additional commands as defined by the type of host
Set | Allows you to configure options when used with additional arguments, depending on the client
Unset | Turns off options that were previously set
Status | Determines connection status
? | Shows Help menu based on host
Quit | Closes Telnet client
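The Remote Desktop and Telnet sections together describe a remote-administration posture: RDP with an encrypted connection and a tightly controlled Remote Desktop Users group on the Microsoft side, and no Telnet on a Microsoft computer because it carries passwords in clear text. The PowerShell script below is an added example, not from the book, that reports that posture for the server it runs on and flags the weak spots. It assumes Windows PowerShell 5.1 (for Get-LocalGroupMember), the standard fDenyTSConnections and MinEncryptionLevel registry values under the Terminal Server key, and that TlntSvr is the service name of the Microsoft Telnet server.

```powershell
# Added example (not from the book): report how this server is set up for
# remote administration and flag the weak spots the chapter warns about:
# a Telnet server that is running, a low RDP encryption requirement, and a
# wide-open Remote Desktop Users group.
# Assumptions: Windows PowerShell 5.1; standard Terminal Server registry
# values; TlntSvr is the Microsoft Telnet server service.

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpKey = "$TsKey\WinStations\RDP-Tcp"

# MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS Compliant
$EncryptionNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

function Get-RemoteAdminPosture {
    $rdpDenied = (Get-ItemProperty -Path $TsKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $encLevel  = (Get-ItemProperty -Path $RdpKey -Name MinEncryptionLevel -ErrorAction SilentlyContinue).MinEncryptionLevel
    $telnet    = Get-WmiObject -Class Win32_Service -Filter "Name='TlntSvr'"
    $rdpUsers  = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
                     Select-Object -ExpandProperty Name

    [pscustomobject]@{
        RemoteDesktopEnabled = ($rdpDenied -eq 0)
        RdpEncryptionLevel   = if ($encLevel) { $EncryptionNames[[int]$encLevel] } else { 'not set (default)' }
        RemoteDesktopUsers   = @($rdpUsers)
        TelnetInstalled      = [bool]$telnet
        TelnetRunning        = ($telnet -and $telnet.State -eq 'Running')
        TelnetStartMode      = if ($telnet) { $telnet.StartMode } else { 'n/a' }
    }
}

function Test-RemoteAdminPosture {
    param($Posture = (Get-RemoteAdminPosture))
    $findings = @()
    if ($Posture.TelnetRunning) {
        $findings += 'Telnet server is running; passwords and commands cross the network in clear text'
    } elseif ($Posture.TelnetInstalled -and $Posture.TelnetStartMode -ne 'Disabled') {
        $findings += "Telnet server is installed and could be started (start mode: $($Posture.TelnetStartMode))"
    }
    if ($Posture.RemoteDesktopEnabled -and $Posture.RdpEncryptionLevel -notin @('High', 'FIPS Compliant')) {
        $findings += "RDP encryption level is '$($Posture.RdpEncryptionLevel)'; require High or FIPS Compliant"
    }
    # Broad groups in Remote Desktop Users defeat the point of the group.
    if ($Posture.RemoteDesktopUsers -match 'Everyone|Domain Users|Authenticated Users') {
        $findings += "Remote Desktop Users contains a broad group: $($Posture.RemoteDesktopUsers -join ', ')"
    }
    $findings
}

Get-RemoteAdminPosture | Format-List
Test-RemoteAdminPosture
```

An empty result from Test-RemoteAdminPosture means the server matches the chapter's recommendation: encrypted RDP for Microsoft computers, a named list of people who may connect, and no Telnet service waiting to be started.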

Remote Assistance

Clients can request your assistance using the Remote Assistance tools, provided by Windows XP Professional, and you can respond to their requests and assist them through your Windows Server 2003 network. After you are connected, you can view the client’s computer and chat online. You can even take control of their mouse and keyboard with their permission. You can also upload files to them or download their files to your computer or central server. Remote Assistance communication can be based on Windows Messenger or Microsoft Outlook. Figure 3.11 shows the Remote Assistance console on a Windows XP Professional client.

Figure 3.11 Clients can request your assistance using the Remote Assistance console.


Designing Security for Emergency Management Services

At this level, it almost goes without saying that you need to maintain redundant drives, power supplies, and server components. You also need to create backups of all data and configurations and keep copies offsite. This type of management activity is the day-to-day operations that help to keep the network operating smoothly, but what if something goes wrong?

Unfortunately, disasters, such as fires, floods, hurricanes, tornados, and earthquakes, do happen from time to time. Your Emergency Management Services design needs to include a disaster recovery plan (DRP) that takes these into account. Your DRP should focus on the disasters that are most common for your area. For example, you probably won’t be concerned about earthquakes if you are located in Florida, and you wouldn’t worry much about hurricanes in South Dakota.

In the event of a disaster of this magnitude, the main goal is to get the computers back up to the point that your company can do business before you go out of business permanently! Your DRP should address a plan to rebuild the network to a functioning state as quickly as possible, even if your whole building is destroyed. The details of this plan will, of course, vary, depending on the size and complexity of the company, but the main thing you need is a place to work. The types of alternative sites that you should consider in your DRP are as follows:

➤ Hot site

➤ Warm site

➤ Cold site

Hot Sites

A hot site is a location that is up and running 24/7 with everything that you need to function. Its main advantage is that, in the event of a disaster, you can move into the hot site and resume normal business operations in a matter of hours. Another advantage is that it is possible to do a “dry run” and test the hot site.

The hot site should be close enough to be practical for employees, yet far enough away so as not to be taken down by the same disaster that took down your main site. You can maintain the hot site, or you can pay another company to provide the service. The main disadvantage of a hot site is the large cost associated with it. Typically, the potential loss of money is not enough to justify the cost of a hot site, so they are only used in organizations in which people’s lives are at stake, such as highly sensitive governmental institutions or hospital networks.

Warm Sites

A warm site is a location that provides the space, electrical outlets, and communications lines that will be needed in the event of a disaster. It is not customized for one organization and might be used by many organizations in the event of a natural disaster. Typically, no computers are in place because it is assumed that the company will provide the computers when, and if, the time comes to use the site. The main advantage of this type of site is that it costs considerably less to maintain than a hot site. The main disadvantage of this type of site is that it is much more difficult to test your DRP from time to time.

Cold Sites

A cold site is a location that basically has four walls, a ceiling, and a bathroom! Typically, it’s a prearranged agreement with another party to use their space if a disaster happens. There is very little planning involved in a cold site. The main advantage is that it costs very little. Two parties in different areas might even agree to let each other use a part of their building in the event of a disaster, so there is no cost to either party. The main disadvantage of a cold site is that it does not fully provide a quick transition back to normal business operations.

Designing a Security Update Infrastructure

Many of the latest attacks to computers and servers with Microsoft operating systems have succeeded in spite of the fact that the patches to prevent these attacks were available on the Microsoft Web site prior to the attack. The attacker succeeded because the administrator had not yet installed the latest patches. Your design strategy should include a system to automate the installation of patches that are critical to the security of your network. You should be familiar with the tools that Microsoft provides with Windows Server 2003. Designing a security update infrastructure includes

➤ Designing a Software Update Services (SUS) infrastructure

➤ Designing Group Policy to deploy software updates

➤ Designing a strategy for identifying computers that are not up to the current patch level


Designing a Software Update Services Infrastructure

Software Update Services (SUS) is new to Windows Server 2003 but is backward compatible to Windows 2000 servers running Service Pack 2 or higher. It is downloadable from the Microsoft Web site at www.microsoft.com/windows2000/windowsupdate/sus/default.asp. You should download and install the SUS101SP1.exe file.

Your server needs to meet the following minimum hardware requirements to become a SUS server:

➤ Pentium III 700MHz or higher

➤ 512MB RAM

➤ 6GB hard disk space

➤ Windows 2000 Server with SP2 or later or Windows Server 2003

➤ IIS 5.0 or later

➤ Internet Explorer 6.0 or later

You can use SUS to update clients running Windows 2000 Professional and Windows XP Professional with the latest service packs. SUS enables an administrator to automatically download, test, approve, and install the latest critical updates and service packs from the Microsoft Windows Update Web site. Figure 3.12 shows the SUS administration site. You need to be familiar with the features of SUS, as identified by Microsoft, including the following:

➤ Built-in security

➤ Selective content approval

➤ Content synchronization options

➤ Server-to-server synchronization

➤ Multilanguage support

➤ Remote administration via Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol Secure (HTTPS)

➤ Update status logging


Figure 3.12 You can manage SUS through a secure Web site.

Built-in Security

This one speaks for itself! You can’t enhance security if your enhancement creates holes. The administrative pages of SUS are Web-based through IIS and are restricted to local administrators on the computer that hosts the updates. The synchronization always validates the digital certificates on any downloads to the update server. Any files that are not from Microsoft are automatically deleted.
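The signature check that SUS performs during synchronization is something you can repeat yourself on the content folder, for example after restoring it from backup or before pointing a downstream server at it. The PowerShell script below is an added example and is not SUS's own check: it walks a content folder, runs Get-AuthenticodeSignature on every package, and reports files that are unsigned, have a broken signature, or are signed by someone other than Microsoft. The folder D:\SUS\Content is a placeholder.

```powershell
# Added example (not from the book): re-check the Authenticode signatures on
# files in a SUS content folder and report any file that SUS would have
# deleted: unsigned, tampered (hash mismatch), or not signed by Microsoft.
# Assumptions: the content path is a placeholder; Get-AuthenticodeSignature
# stands in for the internal check SUS performs during synchronization.

$ContentRoot = 'D:\SUS\Content'   # placeholder: your SUS content folder

function Test-UpdateSignatures {
    param([string] $Path = $ContentRoot)
    Get-ChildItem -Path $Path -Recurse -File -Include '*.exe', '*.cab', '*.msi', '*.dll' |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            [pscustomobject]@{
                File    = $_.FullName
                Status  = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer  = $signer
                # A chain that validates (Status = Valid) is the real test; the
                # subject match only confirms the publisher is the one expected.
                Trusted = ($sig.Status -eq 'Valid' -and $signer -match 'O=Microsoft Corporation')
            }
        }
}

function Get-UntrustedUpdateFiles {
    param([string] $Path = $ContentRoot)
    Test-UpdateSignatures -Path $Path | Where-Object { -not $_.Trusted }
}

Get-UntrustedUpdateFiles | Format-Table -AutoSize
```

A HashMismatch status means the file was altered after signing; NotSigned means it should never have been in the folder in the first place. Either way, treat the file as suspect and re-synchronize rather than approving it.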

Selective Content ApprovalUpdates are first downloaded to the server by running SUS synchronization.These, however, are not automatically available to the computers that havebeen configured to receive updates from that server. Instead, you can approvethe updates before they are made available for download. This allows you totest the packages before deploying them.

Content Synchronization Options

You receive the latest critical updates and service packs from Microsoft through the process of synchronization. You can set a schedule for automatic synchronization at preset times. Alternatively, you can use the Synchronize Now button to manually synchronize the server.

Server-to-Server Synchronization

You can point your server to another server running Microsoft SUS instead of to the Windows Update server. This creates a single point of entry for updates into the network, without requiring that each SUS server download updates from the external Microsoft source. Only the top-level server needs outbound Internet access; the downstream servers can sit on networks that permit no direct Internet traffic at all. In this way, updates can be more easily distributed across the enterprise.

Multilanguage Support

SUS supports the publishing of updates to multiple operating system language versions. You can configure the list of languages for which you want to download updates. You only need to download the languages that you will use, which greatly reduces synchronization time and disk use.

Remote Administration via HTTP or HTTPS

The SUS administrative interface is Web-based. This allows you to manage it remotely as if you were sitting in front of the server itself. Remote administration requires Internet Explorer (IE) 5.5 or later. Use HTTPS for remote administration whenever you can: over plain HTTP, the administrator's credentials and every approval action cross the network in the clear, and anyone who captures those credentials can approve or withhold updates for every client that trusts the server.

Update Status Logging

You can specify the address of a Web server to which the Automatic Updates client should send statistics about updates that have been downloaded and installed. The statistics server is usually the SUS server itself, but it can be any IIS server. These statistics are sent using HTTP. You can access them in the IIS log file of the Web server.
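Because the statistics arrive as ordinary IIS log entries, the most useful thing to do with them is to find the clients that have not reported at all. The PowerShell script below is an added example, not from the book: it reads a W3C-format IIS log, keeps the hits for /wutrack.bin (the URL the Automatic Updates client requests on the statistics server), tallies them per client address, and lists the expected clients that never appeared. The log lines, addresses and expected-client list are constructed for the example, and the query string is kept as opaque text rather than decoded.

```powershell
# Added example, not from the book: summarize Automatic Updates status reports from an
# IIS W3C log. The client requests /wutrack.bin on the statistics server; the report
# details travel in the query string, which is kept as opaque text here.

function Get-UpdateStatusReport {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,        # IIS W3C log content, including the #Fields header
        [Parameter(Mandatory)] [string[]] $ExpectedClients  # c-ip values that should be reporting (assumption: one address per client)
    )
    $fields = $null
    $seen   = @{}
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {
            # IIS can restate the field list mid-file; always use the latest header
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($null -eq $fields -or $line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }     # malformed or truncated line: skip, do not guess
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        # Only successful report hits count; anything else is not a status report
        if ($row['cs-uri-stem'] -ne '/wutrack.bin' -or $row['sc-status'] -ne '200') { continue }
        $ip = $row['c-ip']
        if (-not $seen.ContainsKey($ip)) {
            $seen[$ip] = [pscustomobject]@{ Client = $ip; Reports = 0; LastSeen = $null; LastQuery = $null }
        }
        $seen[$ip].Reports++
        $seen[$ip].LastSeen  = '{0} {1}' -f $row['date'], $row['time']
        $seen[$ip].LastQuery = $row['cs-uri-query']
    }
    [pscustomobject]@{
        Reported = @($seen.Values | Sort-Object Client)
        Silent   = @($ExpectedClients | Where-Object { -not $seen.ContainsKey($_) })
    }
}

# Constructed sample log: three clients are expected, the third never reports
$sampleLog = @(
    '#Software: Microsoft Internet Information Services 6.0'
    '#Version: 1.0'
    '#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status'
    '2004-04-12 02:35:10 10.1.5.21 GET /wutrack.bin V=1&U=0a1b2c3d 200'
    '2004-04-12 02:36:44 10.1.5.22 GET /wutrack.bin V=1&U=4e5f6a7b 200'
    '2004-04-12 02:40:02 10.1.5.21 GET /wutrack.bin V=1&U=0a1b2c3d 200'
    '2004-04-12 02:41:15 10.1.5.22 GET /default.htm - 200'
)
$report = Get-UpdateStatusReport -LogLines $sampleLog -ExpectedClients '10.1.5.21', '10.1.5.22', '10.1.5.23'
$report.Reported | Format-Table Client, Reports, LastSeen -AutoSize
'Silent clients: ' + ($report.Silent -join ', ')
```

For a real log, replace `$sampleLog` with `Get-Content` of the day's file under `%SystemRoot%\system32\LogFiles\W3SVC1` (the default IIS log location). Treat the report as evidence of absence only: it travels over plain HTTP from a client you do not control, so a hit proves that something at that address checked in, not that the update installed. Use MBSA or SMS, covered later in this chapter, for the authoritative answer.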

Designing Group Policy to Deploy Software Updates

Now that you've got the latest critical updates for your servers and clients synchronized into your SUS server, how do you get them into the clients and servers themselves? There is a hard way and an easier way. The hard way is to go to each client and manually change the Automatic Updates settings within the properties of My Computer.

The easier way is to use Group Policy to change all of the computers that you need to change, simultaneously. You should configure the Group Policy to point the computers at the correct SUS server and then link the policy to the container in which the computer objects are located. Because these are Computer Configuration settings, the policy applies to the computer accounts in that container regardless of who logs on. You can configure those computers to automatically download and install the software or to notify the clients and let them make the decision to download and install it. Figures 3.13 and 3.14 show the Group Policy settings for SUS updates. To configure a Group Policy for SUS, perform the following steps:

1. Open the Group Policy Management Console (GPMC) or the Group Policy Object Editor, and open the policy you want to edit.

2. Expand Computer Configuration in the policy editor.

3. Expand Administrative Templates.


4. Expand Windows Update.

5. Open Configure Automatic Updates and set how each computer should behave: notify before download, download and notify before install, or download and install on a schedule that you set.

6. Open Specify Intranet Microsoft Update Service Location and enter the URL of the SUS server from which clients receive updates; the same setting also takes the URL of the statistics server to which clients report status.

Figure 3.13 You can configure how and when clients receive updates.

Figure 3.14 You can configure the server from which the client receives the updates.
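Both policy settings end up as values under the WindowsUpdate policy key in the client's registry, which gives you a way to confirm that the policy actually reached a computer and to stage the same settings on a machine that is not in the domain. The PowerShell functions below are an added example, not from the book: `Set-IntranetUpdatePolicy` writes the values that Configure Automatic Updates and Specify Intranet Microsoft Update Service Location write, and `Test-IntranetUpdatePolicy` checks that a client is bound to the server you expect. The server name `http://sus01.corp.example` and the function names are assumptions.

```powershell
# Added example, not from the book. These are the registry values behind the two Group Policy
# settings described above. Group Policy rewrites them at every refresh on a domain member,
# so use Set-IntranetUpdatePolicy on standalone machines and Test-IntranetUpdatePolicy to
# verify domain members. Run in an elevated session; the server URL is an assumption.

$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicy = "$WuPolicy\AU"

function Set-IntranetUpdatePolicy {
    param(
        [Parameter(Mandatory)] [string] $UpdateServer,   # Specify Intranet Microsoft Update Service Location: update server
        [string] $StatusServer = $UpdateServer,          # ...and the statistics server that receives status reports
        [ValidateSet(2, 3, 4)] [int] $AUOptions = 4,     # 2 = notify, 3 = download and notify, 4 = download and schedule install
        [ValidateRange(0, 7)]  [int] $InstallDay  = 0,   # 0 = every day, 1 = Sunday ... 7 = Saturday (used when AUOptions is 4)
        [ValidateRange(0, 23)] [int] $InstallHour = 3    # local hour of the scheduled install
    )
    foreach ($key in $WuPolicy, $AuPolicy) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # Specify Intranet Microsoft Update Service Location
    Set-ItemProperty -Path $WuPolicy -Name WUServer       -Value $UpdateServer -Type String
    Set-ItemProperty -Path $WuPolicy -Name WUStatusServer -Value $StatusServer -Type String
    # Configure Automatic Updates
    Set-ItemProperty -Path $AuPolicy -Name NoAutoUpdate         -Value 0            -Type DWord
    Set-ItemProperty -Path $AuPolicy -Name UseWUServer          -Value 1            -Type DWord   # without this, WUServer is ignored
    Set-ItemProperty -Path $AuPolicy -Name AUOptions            -Value $AUOptions   -Type DWord
    Set-ItemProperty -Path $AuPolicy -Name ScheduledInstallDay  -Value $InstallDay  -Type DWord
    Set-ItemProperty -Path $AuPolicy -Name ScheduledInstallTime -Value $InstallHour -Type DWord
}

function Test-IntranetUpdatePolicy {
    # Returns $true only when the client is pointed at the expected server and configured to use it.
    param([Parameter(Mandatory)] [string] $ExpectedServer)
    $wu = Get-ItemProperty -Path $WuPolicy -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuPolicy -ErrorAction SilentlyContinue
    $ok = ($null -ne $wu -and $null -ne $au -and
           $wu.WUServer -eq $ExpectedServer -and
           $au.UseWUServer -eq 1 -and
           $au.NoAutoUpdate -eq 0)
    if (-not $ok) {
        Write-Warning ("Automatic Updates is not bound to {0}: WUServer='{1}', UseWUServer={2}, NoAutoUpdate={3}" -f
            $ExpectedServer, $wu.WUServer, $au.UseWUServer, $au.NoAutoUpdate)
    }
    [bool]$ok
}

# Usage (server name is an assumption); on a domain member, only the test is meaningful:
# Set-IntranetUpdatePolicy -UpdateServer 'http://sus01.corp.example' -AUOptions 4 -InstallDay 0 -InstallHour 3
# Test-IntranetUpdatePolicy -ExpectedServer 'http://sus01.corp.example'
```

Run the test function on a sample of clients after the policy refresh interval has passed; a client that still points at the public Windows Update site, or that has `UseWUServer` unset, is one the policy never reached. Note that the client-to-server path here is plain HTTP: the Automatic Updates client still checks the Microsoft signature on every package it downloads, so a spoofed server cannot feed clients unsigned code, but it can stop them from ever seeing an update. That is a second reason to watch for silent clients on the statistics server.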


Designing a Strategy for Identifying Computers That Are Not Up to the Current Patch Level

To provide a complete security plan, you need to make certain that all of your computers have the latest patches and security updates installed. You have many tools to choose from to assist you in scanning computers for the latest updates. These are available from Microsoft and other third parties. The Microsoft tools with which you should be familiar include the following:

➤ Microsoft Baseline Security Analyzer

➤ Systems Management Server (SMS) and the SUS Feature Pack

Microsoft Baseline Security Analyzer

You can use Microsoft Baseline Security Analyzer (MBSA) to scan for missing security updates on multiple computers. MBSA Version 1.1.1 includes both a GUI tool and a command-line interface tool. You can use these tools to perform scans of Windows systems on your network. MBSA runs on Windows 2000, Windows XP, and Windows Server 2003 systems. You can perform scans of all Windows NT-based clients, including Windows NT Workstation and all later clients. You can also scan for updates to applications running on the clients, including Internet Explorer and Office applications, such as Office 2000 and later. The computer being scanned must be running IE 5.01 or later and XML parser software. Parser software can be downloaded from the Microsoft Web site at www.microsoft.com/downloads. Remote scans also require administrative rights on each target and access to its Remote Registry service and administrative shares, so the account you scan with is itself a high-value credential: use it from a managed workstation and nowhere else.

Systems Management Server and SUS Feature Pack

Systems Management Server (SMS) and the SUS Feature Pack enable you to manage security updates in a company of any size. The SUS Feature Pack streamlines the security patch management process for you, and the software distribution features of SMS let you customize how updates are installed.

The Security Update Inventory Tool in the feature pack uses the MBSA scanning engine to scan all of the clients and servers and then creates a detailed Web-based inventory report. Then, you can use the software distribution features built in to SMS to distribute the required updates to the clients and servers. The wizards built in to the tool ensure that only the updates that are missing are installed. No redundant or unnecessary updates are performed.


Exam Prep Questions

Answer the questions for the following case study based on the information provided in the case study.

Case 1: WPX Inc.

WPX Inc. is a medium-size company with a main office in Atlanta and 12 remote offices in the Southeast United States. WPX has six administrators who manage the main office and the 12 branch offices with varying levels of authority and control. The company is concerned about the local security of the network and the number of administrative accounts required to manage the network. WPX is also considering options for emergency management and a DRP.

WPX has a constant need for remote management of the branch offices, which all contain at least one server. In addition, the company is considering options in regard to a DRP for the Atlanta office. Finally, WPX is concerned that its clients might not have all of the latest critical updates for security. It wants a system that can analyze the current status of its clients, install the software needed, and keep the clients up to date. You have been hired as a consultant to assist WPX.

Question 1

Which of these types of accounts should an administrator use to log on to the network and check her email?

❍ A. Administrative account

❍ B. Default Administrator account

❍ C. Email address

❍ D. Regular user account

Answer D is correct. Microsoft recommends that administrators use a regular user account when they are not doing administrative work. She should not use her administrative account unless she is actually doing administrative activity; therefore, answer A is incorrect. The default Administrator account should be renamed and reserved for emergencies, not used for daily work; therefore, answer B is incorrect. She cannot use her email address to log on; therefore, answer C is incorrect.


Question 2

Which tools should you use to control the membership of the administrative groups? (Choose two.)

❑ A. Restricted Groups

❑ B. Active Directory Users and Computers

❑ C. Active Directory Sites and Services

❑ D. Group Policies

Answers A and B are correct. Restricted Groups and Active Directory Users and Computers can be used to control the membership of administrative groups. Active Directory Sites and Services is used to control the physical aspects of Active Directory; therefore, answer C is incorrect. Group Policies as a whole are used to control security and access to resources; therefore, answer D is incorrect. Note that Restricted Groups is itself a setting delivered through a Group Policy object (under Security Settings), and it is the one to prefer when membership must be enforced rather than merely set, because it reapplies the configured membership at every policy refresh and removes anyone who was added by hand.

Question 3

Which of the following should you use for remote administration of multiple Windows Server 2003 servers in the same session?

❍ A. Remote Desktop Connection

❍ B. Remote Desktops snap-in

❍ C. Telnet

❍ D. File Transfer Protocol

Answer B is correct. The Remote Desktops snap-in is the only tool listed that holds multiple remote administration sessions in a single console. Remote Desktop Connection connects to one server per window; therefore, answer A is incorrect. Telnet is a command-line administration tool that sends credentials and commands in cleartext; therefore, answer C is incorrect. File Transfer Protocol is not used to manage computers; therefore, answer D is incorrect.


Question 4

Which tools are available as a snap-in to be used with a Microsoft Management Console? (Choose two.)

❑ A. Computer Management

❑ B. My Computer

❑ C. Windows Explorer

❑ D. Active Directory Users and Computers

Answers A and D are correct. Computer Management and Active Directory Users and Computers are both available as MMC snap-ins. My Computer is a tool specific to one computer and not available as a snap-in; therefore, answer B is incorrect. Windows Explorer is specific to one computer and not available as a snap-in; therefore, answer C is incorrect.

Question 5

Which tools should you use to set the actions and objects that will be audited? (Choose two.)

❑ A. Security log

❑ B. Group Policy Object Editor

❑ C. Windows Explorer

❑ D. Active Directory Domains and Trusts

Answers B and C are correct. You should use the Group Policy Object Editor to set the audit policy (which categories are audited, and whether successes, failures, or both are recorded) and Windows Explorer to set the objects to be audited, through the Auditing tab on an object's Advanced security properties. Both are required: an audit entry on a file or folder produces no events unless Audit Object Access is enabled in the audit policy. The security log is a tool used to view the results of an audit, not to set it up; therefore, answer A is incorrect. Active Directory Domains and Trusts is a tool used to manage trusts between domains; therefore, answer D is incorrect.
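The object half can also be done from a script, which matters when the same audit entries have to be applied to many folders identically. The PowerShell functions below are an added example, not from the book: `Add-FileAuditRule` adds an audit entry to a folder's SACL (the list that the Auditing tab in Windows Explorer edits) and `Get-FileAuditRules` lists the entries in force. The path `D:\Shares\DRP` and the function names are assumptions; the policy half is still set in the Group Policy Object Editor under Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy.

```powershell
# Added example, not from the book. Adds and lists SACL entries on a file or folder.
# Needs an elevated session: reading or writing a SACL requires the "Manage auditing and
# security log" right (SeSecurityPrivilege). The entries produce Security-log events only
# when Audit Object Access is enabled in the computer's audit policy.

function Add-FileAuditRule {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Identity = 'Everyone',
        # Operations worth auditing on shared data: destruction, modification and permission changes
        [System.Security.AccessControl.FileSystemRights] $Rights = 'Delete, DeleteSubdirectoriesAndFiles, WriteData, ChangePermissions, TakeOwnership',
        [System.Security.AccessControl.AuditFlags] $Flags = 'Success, Failure'
    )
    $acl  = Get-Acl -Path $Path -Audit
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
        $Identity,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',   # apply to subfolders and files
        [System.Security.AccessControl.PropagationFlags]::None,
        $Flags
    )
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-FileAuditRules {
    param([Parameter(Mandatory)] [string] $Path)
    (Get-Acl -Path $Path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
        Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited
}

# Usage (path is an assumption): audit changes to the folder that holds the DRP documents
# Add-FileAuditRule -Path 'D:\Shares\DRP' -Identity 'Everyone'
# Get-FileAuditRules -Path 'D:\Shares\DRP'
```

Keep the list of audited rights short. Auditing every read on a busy share floods the Security log, and the events you actually need are the first to be overwritten when the log wraps.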


Question 6

Which audit policy is set on a domain controller to audit its authentication of users on other computers in the domain?

❍ A. Audit Logons

❍ B. Audit Account Logons

❍ C. Audit Privilege Use

❍ D. Audit Process Tracking

Answer B is correct. Audit Account Logon Events records a computer's validation of credentials. Set on a domain controller, it records the domain controller's authentication of users who log on at other computers in the domain, which is why this policy is normally set on the domain controllers. Audit Logon Events records logons at the computer where the logon actually occurs, whether interactive or over the network; therefore, answer A is incorrect. Audit Privilege Use is set to monitor a user's exercise of user rights; therefore, answer C is incorrect. Audit Process Tracking is set to monitor an application's use of system resources; therefore, answer D is incorrect.

Question 7

You decide to lease a space for emergency purposes approximately 100 miles from the Atlanta office. This space will be equipped and maintained with the power and communications needs for the network in the event a natural disaster or fire destroys the Atlanta office. It will not currently be equipped with any computers. Which type of alternative site have you chosen?

❍ A. Hot site

❍ B. Cold site

❍ C. Spare site

❍ D. Warm site

Answer D is correct. Because the site will not contain the actual servers and other hardware, but will be equipped with the right power and communications connections, it should be referred to as a warm site. A hot site is equipped with computers and is ready to move in within hours; therefore, answer A is incorrect. A cold site is an empty facility with, at most, basic space and power; hardware and communications must be procured and installed before it can be used; therefore, answer B is incorrect. A spare site is not a term that is used in this context; therefore, answer C is incorrect.


Question 8

Which tools should you use to synchronize a server with the Microsoft Windows Update Web site and receive the latest critical updates and service packs? (Choose two.)

❑ A. Windows Update

❑ B. Group Policy

❑ C. Active Directory Users and Computers

❑ D. Software Update Services

Answers A and D are correct. Windows Update is used to synchronize an individual computer with the latest updates on the Microsoft Web site. Software Update Services can be used in a hierarchical arrangement to test and distribute the latest Microsoft updates. Group Policies are used to control security and access to resources; therefore, answer B is incorrect. Active Directory Users and Computers is used to control the logical aspects of Active Directory; therefore, answer C is incorrect.

Question 9

Which tool should you use to scan clients and servers to determine whether they have the latest updates installed?

❍ A. Microsoft Baseline Security Analyzer (MBSA)

❍ B. Software Update Services (SUS)

❍ C. Group Policy Management Console

❍ D. Computer Management

Answer A is correct. MBSA can be used to scan computers for missing security updates and other security weaknesses. SUS distributes approved updates but provides no per-computer compliance scan; therefore, answer B is incorrect. The Group Policy Management Console is used to create and manage Group Policies; therefore, answer C is incorrect. Computer Management does not scan the computer for the latest updates; therefore, answer D is incorrect.


Question 10

Which of these clients can be configured with Group Policy to use Software Update Services? Choose all that apply.

❑ A. Windows 98

❑ B. Windows XP Home Edition

❑ C. Windows XP Professional

❑ D. Windows 2000 Professional

Answers C and D are correct. Windows XP Professional and Windows 2000 Professional are the only clients listed that can be configured with Group Policy. Group Policy cannot be used to control Windows 98; therefore, answer A is incorrect. Windows XP Home Edition does not support Group Policy; therefore, answer B is incorrect. (An XP Home computer can still be pointed at a SUS server by setting the same Automatic Updates values in its local registry, but not through Group Policy.)
