
70-298: MCSE Guide to Designing Security for a Microsoft Windows Server 2003 Network


adamdaniel




Presentation Transcript


  1. 70-298: MCSE Guide to Designing Security for a Microsoft Windows Server 2003 Network
     Chapter 4: Securing the Network Management Process

  2. Exam Objectives
     • 2.3 Design security for network management
       • 2.3.1 Manage the risk of managing networks
       • 2.3.2 Design the administration of servers by using common administration tools
       • 2.3.3 Design security for Emergency Management Services
     • 2.4 Design a security update infrastructure

  3. Exam Objectives (continued)
     • 2.4.1 Design a Software Update Services (SUS) infrastructure
     • 2.4.2 Design Group Policy to deploy software updates
     • 2.4.3 Design a strategy for identifying computers that are not at the current patch level
     • 2.2.2 Design forest and domain trust models
     • 2.2.3 Design security that meets interoperability requirements

  4. Introduction
     • Network management process:
       • Vulnerable to attack
       • Use technical and policy measures to secure it
     • Create a patch management strategy
     • Design trust relationships for large-scale networks
     • Use the domain and forest trust model in Windows Server 2003

  5. Securing the Network Management Process
     • Physical network:
       • Restrict access to the network perimeter
       • Create a file-and-folder permission structure
       • Secure user accounts
     • Tools and utilities used to administer the network have potential for misuse:
       • Set security guidelines and policies
       • Implement role-based administration

  6. Managing the Risks of Network Administration
     • Don’t grant all administrators the same level of administrative rights
     • Network administrators are vulnerable to social engineering attacks

  7. Security Policies for Administrators and IT Personnel
     • Network management policy:
       • Specifies ways to manage the enterprise network in a secure manner
       • Includes:
         • Detailed explanation of the tools for managing the network
         • List of users or user groups who can manage the network
         • Appropriate procedures for managing network resources

  8. Security Policies for Administrators and IT Personnel (continued)
     • Security policy:
       • Ensures that administrators manage network resources securely
       • Ensures that administrators are protected against attackers when they use their administrative privileges
     • Technical security:
       • Use GPOs to limit administrative access

  9. Delegating Authority Securely
     • Take great care in selecting administrators:
       • Perform background or reference checks
       • Educate them in security policies
     • Use the “least privilege” concept
     • Create and maintain an audit policy
     • Structure the delegation strategy based on roles

  10. Exercise 4.01: Creating an Organizational Unit and Delegating Control to a Local Administrator
     • Use Active Directory Users and Computers to create an OU
     • Use the Delegation of Control Wizard

  11. Using the Delegation of Control Wizard

  12. Designing the Network Management Policy
     • Determine how your network will be managed:
       • Centralized
       • Decentralized
       • Outsourced

  13. Securing Common Administrative Tools
     • Combination of:
       • People
       • Technology
       • Policy

  14. Securing the Microsoft Management Console
     • You can:
       • Use restricted/permitted snap-ins
       • Restrict users from entering author mode
       • Restrict users to an explicitly permitted list of snap-ins

  15. Securing Terminal Server and Remote Desktop for Administration
     • Change the Terminal Services port
     • Windows Server 2003 includes enhancements to:
       • Security Policy Editor
       • 128-bit encryption
       • FIPS compliance
       • Remote Desktop Users group
       • Software restriction policies
       • Single-session policy

  16. Securing Remote Assistance
     • Settings:
       • Solicited Remote Assistance
       • Offer Remote Assistance

  17. Securing Telnet
     • Disabled by default
     • Enable it only for a real need

  18. Designing Security for Emergency Management Services
     • Manage a server via an out-of-band connection
     • Manage or troubleshoot a server when:
       • It is not fully functional
       • The operating system has not fully loaded
       • It is in a “headless” configuration
     • The server must be equipped with special firmware
     • Security measures rely on the choice of terminal concentrator

  19. Designing Security for Emergency Management Services (continued)
     • Security considerations:
       • Secure access to physical servers
       • Choose service processors
       • Create a separate network for administration

  20. Designing a Security Update Infrastructure
     • Software Update Services:
       • Maintain an internally controlled Windows Update site
       • Analyze and approve security patches
       • Apply them to networked computers in a consistent manner

  21. Designing a Software Update Services Infrastructure
     • Using SUS:
       • Controls which patches are visible to users
       • Automates the download and installation process
       • Can optimize bandwidth

  22. SUS Limitations
     • Can only deploy critical updates and service packs that are downloaded from Microsoft
       • Not software updates or updated device drivers
     • Cannot create .EXE or .MSI files

  23. SUS Limitations (continued)
     • Only supports:
       • Windows 2000 Professional
       • Windows 2000 Server, all versions
       • Windows XP Home
       • Windows XP Professional
       • Windows Server 2003, all versions
     • No good way to “push” installations to clients

  24. Synchronizing Child SUS Servers

  25. Using Group Policy to Deploy Software Updates
     • Use GPOs to deploy:
       • Software
       • Updates
       • Patches
     • Customize who gets which updates

  26. Configuring Software Installation Policies

  27. Design a Strategy for Identifying Computers That Are Not at the Current Patch Level
     • Perform an audit
     • Ensure that machines are receiving patches
     • Identify machines on the network that do not possess the most up-to-date patch information

  28. Design a Strategy for Identifying Computers That Are Not at the Current Patch Level (continued)
     • Tools:
       • Microsoft Baseline Security Analyzer (MBSA)
       • Microsoft Systems Management Server (SMS)
       • HP OpenView
       • NetIQ Security Manager
       • Gravity Storm Software Service Pack Manager 2000
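Slides 27 and 28 name the three parts of the audit (check that machines are receiving patches, find the ones behind the approved level, use a scanner such as MBSA) but not what the comparison itself looks like. The following Python script is an added example written for this transcript, not a tool from the book or from any of the products listed above. It assumes a scan export in a simple CSV layout and an approved-update baseline per operating system; the host names, KB numbers and scan dates are constructed placeholders, not real updates. It reports which machines are missing approved updates, which have stopped reporting (a machine that has not scanned recently cannot be trusted to be receiving patches at all), and which run an operating system for which no baseline has been approved.

```python
import csv
import io
from datetime import date

# Constructed baseline: the updates approved for each operating system,
# as an administrator would approve them on a SUS server.
# KB numbers are placeholders, not real Microsoft update identifiers.
APPROVED = {
    "Windows Server 2003": {"KB000001", "KB000002", "KB000003"},
    "Windows XP Professional": {"KB000001", "KB000004"},
}

# Constructed scan export: one row per computer, listing the approved
# updates the scanner found installed (assumed layout, not MBSA's own format).
INVENTORY_CSV = """host,os,last_scan,installed
DC01,Windows Server 2003,2004-03-10,KB000001;KB000002;KB000003
FS02,Windows Server 2003,2004-03-09,KB000001
WKS17,Windows XP Professional,2004-02-01,KB000001;KB000004
WKS22,Windows XP Home,2004-03-08,
"""


def parse_inventory(text):
    """Parse the CSV export into dicts carrying a set of installed update IDs."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "host": row["host"],
            "os": row["os"],
            "last_scan": date.fromisoformat(row["last_scan"]),
            # An empty 'installed' column yields an empty set, not {''}.
            "installed": {kb for kb in row["installed"].split(";") if kb},
        })
    return rows


def audit(inventory, approved, today, max_scan_age_days=7):
    """Classify every computer against the approved baseline.

    A stale scan is reported before anything else: its installed list may be
    out of date, so the machine counts as 'not reporting' even if the old scan
    looked complete.
    """
    report = []
    for c in inventory:
        missing = []
        if (today - c["last_scan"]).days > max_scan_age_days:
            status = "not reporting"
        elif c["os"] not in approved:
            status = "no baseline"
        else:
            missing = sorted(approved[c["os"]] - c["installed"])
            status = "missing updates" if missing else "compliant"
        report.append({"host": c["host"], "os": c["os"],
                       "status": status, "missing": missing})
    return report


def noncompliant(report):
    """Host names needing attention, sorted for a stable work list."""
    return sorted(r["host"] for r in report if r["status"] != "compliant")


def run_example(today=date(2004, 3, 10)):
    """Audit the constructed inventory as of the given (constructed) date."""
    return audit(parse_inventory(INVENTORY_CSV), APPROVED, today)


if __name__ == "__main__":
    for r in run_example():
        print(f"{r['host']:6} {r['status']:16} {' '.join(r['missing'])}")
    print("needs attention:", ", ".join(noncompliant(run_example())))
```

The ordering of the checks is the point to keep: a machine whose last scan is older than the window is flagged before its update list is compared, because a patch audit that only asks "which updates are missing?" silently treats a machine that stopped checking in as fully patched.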

  29. Microsoft Baseline Security Analyzer

  30. Designing Trust Relationships Between Domains and Forests
     • Trust:
       • Allows users in different domains or forests to access resources in other domains or forests
     • Transitive trust:
       • Domain A trusts Domain B
       • Domain B trusts Domain C
       • Therefore, Domain A trusts Domain C

  31. Designing Trust Relationships Between Domains and Forests (continued)
     • Types of trust:
       • One-way trust
       • Two-way trust
       • Transitive trust
       • Nontransitive trust

  32. The One-Way Trust Relationship
     • One-way: incoming
     • One-way: outgoing

  33. The Two-Way Trust Relationship

  34. Trust Transitivity in Domains

  35. Trust Transitivity in Domains (continued)
     • By default, in Windows 2000 and Windows Server 2003:
       • Trusts are transitive
       • A user in any domain can access any resource in any other domain in the same forest
       • Transitive trusts flow between domains into forests

  36. Transitivity of Forest Trusts

  37. Designing Forest and Domain Trust Models
     • Default trust relationships
       • Two-way transitive trusts
     • External trusts
       • Nontransitive trusts with a domain that exists outside your Windows Server 2003 forest
     • Realm trusts
       • Trust relationships with an external Kerberos realm

  38. Designing Forest and Domain Trust Models (continued)
     • Shortcut trusts
       • One-way or two-way transitive trusts
       • Used to optimize the authentication process if many users from one domain need to log on to another domain in the forest structure
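The rules on slides 30 through 38 (one-way versus two-way, transitive versus nontransitive, default parent-child trusts, external trusts, forest trusts and shortcut trusts) can be checked mechanically once trusts are written down as a directed graph. The following Python script is an added example written for this transcript, not code from the book or from Microsoft. The three-forest layout and every domain name in it are constructed; the rule that two forest trusts never chain through a third forest is a property of Windows Server 2003 forest trusts that the slides do not spell out, and the code labels it as such. The script answers two design questions: whether accounts from one domain can be authenticated for resources in another at all, and how many trust hops that authentication crosses, which is the cost a shortcut trust removes.

```python
from collections import deque


class TrustMap:
    """Directed trust graph (constructed example, not a Windows API).

    An edge (trusting -> trusted) means the trusting domain accepts
    authentication from the trusted domain, so accounts in `trusted` can be
    granted access to resources in `trusting`. In the slides' wording,
    "Domain A trusts Domain B" is the edge A -> B.
    """

    def __init__(self):
        self.edges = {}  # trusting -> [(trusted, kind, transitive), ...]

    def add(self, trusting, trusted, kind, transitive, two_way=False):
        self.edges.setdefault(trusting, []).append((trusted, kind, transitive))
        if two_way:  # a two-way trust is simply an edge in each direction
            self.edges.setdefault(trusted, []).append((trusting, kind, transitive))

    @staticmethod
    def _usable(hops):
        """Decide whether a chain of trust hops can carry authentication."""
        if len(hops) == 1:
            return True  # a direct trust always works, transitive or not
        if not all(transitive for _, transitive in hops):
            return False  # a nontransitive (external) trust stops at its two domains
        # Assumed rule (true for Windows Server 2003, not stated on the slides):
        # a forest trust spans the two forests it joins, but forest trusts do
        # not chain, so forest A -> B -> C never lets A trust C.
        return sum(1 for kind, _ in hops if kind == "forest") <= 1

    def trust_paths(self, resource_domain, account_domain):
        """Every usable simple path from the resource domain to the account domain."""
        found = []
        queue = deque([(resource_domain, [resource_domain], [])])
        while queue:
            node, path, hops = queue.popleft()
            for nxt, kind, transitive in self.edges.get(node, []):
                if nxt in path:
                    continue  # no cycles
                new_hops = hops + [(kind, transitive)]
                if nxt == account_domain:
                    if self._usable(new_hops):
                        found.append(path + [nxt])
                    continue
                queue.append((nxt, path + [nxt], new_hops))
        return found

    def can_access(self, account_domain, resource_domain):
        """True if some trust path lets account_domain users reach resource_domain."""
        return bool(self.trust_paths(resource_domain, account_domain))

    def hops(self, account_domain, resource_domain):
        """Fewest trusts crossed during authentication, or None if unreachable."""
        paths = self.trust_paths(resource_domain, account_domain)
        return min(len(p) - 1 for p in paths) if paths else None


def build_example():
    """Constructed layout: one forest with child domains, an external trust, two forest trusts."""
    t = TrustMap()
    # Forest 1 (corp.example): default two-way transitive parent-child trusts
    t.add("corp.example", "na.corp.example", "parent-child", True, two_way=True)
    t.add("corp.example", "emea.corp.example", "parent-child", True, two_way=True)
    t.add("emea.corp.example", "sales.emea.corp.example", "parent-child", True, two_way=True)
    # One-way nontransitive external trust: corp.example trusts a domain outside the forest
    t.add("corp.example", "LEGACYNT", "external", False)
    # Two-way transitive forest trust with forest 2 (partner.example)
    t.add("corp.example", "partner.example", "forest", True, two_way=True)
    t.add("partner.example", "dev.partner.example", "parent-child", True, two_way=True)
    # Forest 2 also has a forest trust with forest 3 (supplier.example)
    t.add("partner.example", "supplier.example", "forest", True, two_way=True)
    return t


if __name__ == "__main__":
    t = build_example()
    print("sales -> na hops:", t.hops("sales.emea.corp.example", "na.corp.example"))
    print("LEGACYNT -> na:", t.can_access("LEGACYNT", "na.corp.example"))
    print("supplier -> corp:", t.can_access("supplier.example", "corp.example"))
    t.add("na.corp.example", "sales.emea.corp.example", "shortcut", True, two_way=True)
    print("sales -> na hops after shortcut:", t.hops("sales.emea.corp.example", "na.corp.example"))
```

`can_access` only says whether a trust path exists; it says nothing about what a user may then do, since resource ACLs and the authentication scope choices on slide 39 (Authenticated Users versus the authentication firewall) still apply. Adding the shortcut trust at the end changes the hop count for the `sales` to `na` case but not the reachability, which is exactly the optimization slide 38 describes.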

  39. Selecting the Scope of Authentication for Users
     • Authenticated Users
     • Authentication firewall

  40. Realm Trusts

  41. Using a Shortcut Trust

  42. Designing Security for Interoperability
     • If using Windows NT 4.0 or earlier:
       • Trust relationships must be manually established
     • When supporting down-level clients:
       • Be aware of the concept of domain and forest functional levels
     • Domain functional levels:
       • Windows 2000 mixed
       • Windows 2000 native
       • Windows Server 2003 interim
       • Windows Server 2003

  43. Domain Functional Levels Within Windows Server 2003

  44. Controllers Supported by Different Forest Functional Levels

  45. Windows Server 2003 Domain and Forest Functionality
     • At the domain level, the Windows Server 2003 functional level provides:
       • Domain controller rename tool
       • SID history
       • Converting groups
       • inetOrgPerson
       • lastLogonTimestamp attribute

  46. Windows Server 2003 Domain and Forest Functionality (continued)
     • The forest functional level provides:
       • Domain rename
       • Forest trusts
       • inetOrgPerson
       • Defunct schema objects
       • Linked value replication
       • Dynamic auxiliary classes
       • Global catalog replication

  47. Summary
     • Secure networks from abuse of administrative tools:
       • Technical controls
       • Policy controls
       • Administrative controls
     • Tools such as SUS and GPOs help keep software up to date
     • Domain and forest trust models have been updated for Windows Server 2003
