70-298: MCSE Guide to Designing Security for a Microsoft Windows Server 2003 Network
Chapter 4: Securing the Network Management Process

Exam Objectives
• 2.3 Design security for network management
• 2.3.1 Manage the risk of managing networks
• 2.3.2 Design the administration of servers by using common administration tools
• 2.3.3 Design security for Emergency Management Services
• 2.4 Design a security update infrastructure

Exam Objectives (continued)
• 2.4.1 Design a Software Update Services (SUS) infrastructure
• 2.4.2 Design Group Policy to deploy software updates
• 2.4.3 Design a strategy for identifying computers that are not at the current patch level
• 2.2.2 Design forest and domain trust models
• 2.2.3 Design security that meets interoperability requirements

Introduction
• Network management process:
• Vulnerable to attack
• Use technical and policy measures to secure
• Create a patch management strategy
• Design trust relationships for large-scale networks
• Use the domain and forest trust model in Windows Server 2003

Securing the Network Management Process
• Physical network:
• Restrict access to the network perimeter
• Create a file-and-folder permission structure
• Secure user accounts
• Tools and utilities used to administer network have potential for misuse:
• Set security guidelines and policies
• Implement role-based administration

Managing the Risks of Network Administration
• Don’t grant all administrators the same level of administrative rights
• Network administrators are vulnerable to social engineering attacks

Security Policies for Administrators and IT Personnel
• Network management policy:
• Specify ways to manage the enterprise network in a secure manner
• Includes:
• Detailed explanation of tools for managing network
• List of users or user groups who can manage network
• Appropriate procedures for managing network resources

Security Policies for Administrators and IT Personnel (continued)
• Security policy:
• Ensure that administrators manage network resources securely
• Ensure that administrators are protected against attackers when they use their administrative privileges
• Technical security:
• Use GPO to limit administrative access

Delegating Authority Securely
• Take great care in selecting administrators:
• Perform background or reference checks
• Educate in security policies
• Use the “least privilege” concept
• Create and maintain an audit policy
• Structure delegation strategy based on roles

Exercise 4.01: Creating an Organizational Unit and Delegating Control to a Local Administrator
• Use Active Directory Users and Computers to create an OU
• Use the Delegation of Control Wizard

Using the Delegation of Control Wizard

Designing the Network Management Policy
• Determine how your network will be managed:
• Centralized
• Decentralized
• Outsourced

Securing Common Administrative Tools
• Combination of:
• People
• Technology
• Policy

Securing the Microsoft Management Console
• You can:
• Use restricted/permitted snap-ins
• Restrict users from entering author mode
• Restrict users to explicitly permitted list of snap-ins

Securing Terminal Server and Remote Desktop for Administration
• Change the Terminal Services port
• Windows Server 2003 includes enhancements to:
• Security Policy Editor
• 128-bit encryption
• FIPS compliance
• Remote Desktop Users group
• Software restriction policies
• Single-session policy

Securing Remote Assistance
• Settings:
• Solicited Remote Assistance
• Offer Remote Assistance

Securing Telnet
• Disabled by default
• Enable only for a real need

Designing Security for Emergency Management Services
• Manage a server via an out-of-band connection
• Manage or troubleshoot a server when:
• It is not fully functional
• Operating system has not fully loaded
• It is in a “headless” configuration
• Server must be equipped with special firmware
• Security measures rely on choice of terminal concentrator

Designing Security for Emergency Management Services (continued)
• Security considerations:
• Secure access to physical servers
• Choose service processors
• Create a separate network for administration

Designing a Security Update Infrastructure
• Software Update Services:
• Maintain an internally controlled Windows Update site
• Analyze and approve security patches
• Apply to networked computers in a consistent manner

Designing a Software Update Service Infrastructure
• Using a SUS:
• Controls which patches are visible to users
• Automates download and installation process
• Can optimize bandwidth

SUS Limitations
• Can only deploy critical updates and service packs that are downloaded from Microsoft
• Not software updates or updated device drivers
• Cannot create .EXE or .MSI files

SUS Limitations (continued)
• Only supports:
• Windows 2000 Professional
• Windows 2000 Server, all versions
• Windows XP Home
• Windows XP Professional
• Windows Server 2003, all versions
• No good way to “push” installations to clients

Synchronizing Child SUS Servers

Using Group Policy to Deploy Software Updates
• Use GPOs to deploy:
• Software
• Updates
• Patches
• Customize who gets which updates

Configuring Software Installation Policies

Design a Strategy for Identifying Computers That Are Not at the Current Patch Level
• Perform an audit
• Ensure that machines are receiving patches
• Identify machines on the network that do not possess the most up-to-date patch information

Design a Strategy for Identifying Computers That Are Not at the Current Patch Level (continued)
• Tools:
• Microsoft Baseline Security Analyzer (MBSA)
• Microsoft Systems Management Server (SMS)
• HP OpenView
• NetIQ Security Manager
• Gravity Storm Software Service Pack Manager 2000

Microsoft Baseline Security Analyzer

Designing Trust Relationships Between Domains and Forests
• Trust:
• Allows users in different domains or forests to access resources in other domains or forests
• Transitive trust:
• Domain A trusts Domain B
• Domain B trusts Domain C
• Therefore, Domain A trusts Domain C

Designing Trust Relationships Between Domains and Forests (continued)
• Types of trust:
• One-way trust
• Two-way trust
• Transitive trust
• Nontransitive trust

The One-Way Trust Relationship
• One-way: incoming
• One-way: outgoing

The Two-Way Trust Relationship

Trust Transitivity in Domains

Trust Transitivity in Domains (continued)
• By default, in Windows 2000 and Windows Server 2003:
• Trusts are transitive
• User in any domain can access any resource in any other domain in the same forest
• Transitive trusts flow between domains into forests

Transitivity of Forest Trusts

Designing Forest and Domain Trust Models
• Default trust relationships
• Two-way transitive trusts
• External trusts
• Nontransitive trusts with a domain that exists outside your Windows Server 2003 forest
• Realm trusts
• Trust relationships with an external Kerberos realm

Designing Forest and Domain Trust Models (continued)
• Shortcut Trusts
• One-way or two-way transitive trusts
• Used to optimize the authentication process if many users from one domain need to log on to another domain in the forest structure

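The trust types on the preceding slides can be modelled to audit how far authentication reaches in a design. The Python sketch below is an added example, not part of the original slides; the domain names (A, B, C from the transitive-trust slide, plus a hypothetical external domain LEGACY) are constructed, and the rule that a chain extends only across transitive trusts is an assumption of the model.

```python
from collections import deque

# Constructed sample data: (trusting_domain, trusted_domain, transitive).
# A two-way trust is written as two one-way entries.
TRUSTS = [
    ("A", "B", True), ("B", "A", True),   # two-way transitive (forest default)
    ("B", "C", True), ("C", "B", True),   # two-way transitive (forest default)
    ("C", "LEGACY", False),               # one-way external trust, nontransitive
]


def trusted_by(domain, trusts=TRUSTS):
    """Domains whose accounts `domain` accepts, directly or through a chain."""
    edges = {}
    for trusting, trusted, transitive in trusts:
        edges.setdefault(trusting, []).append((trusted, transitive))

    # A direct trust always applies, whether or not it is transitive.
    accepted = {trusted for trusted, _ in edges.get(domain, [])}

    # Model assumption: a chain extends only across transitive trusts.
    seen, queue = {domain}, deque([domain])
    while queue:
        current = queue.popleft()
        for trusted, transitive in edges.get(current, []):
            if transitive and trusted not in seen:
                seen.add(trusted)
                accepted.add(trusted)
                queue.append(trusted)
    accepted.discard(domain)
    return accepted


def accepted_in(account_domain, trusts=TRUSTS):
    """Domains whose resources accept accounts from `account_domain`."""
    domains = {d for t in trusts for d in t[:2]}
    return {d for d in domains if account_domain in trusted_by(d, trusts)}


if __name__ == "__main__":
    for name in ("A", "C", "LEGACY"):
        print(name, "trusts", sorted(trusted_by(name)))
    print("LEGACY accounts accepted in", sorted(accepted_in("LEGACY")))
```

In this sample, the nontransitive external trust keeps LEGACY accounts confined to domain C even though C is joined to A and B by transitive trusts.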
Selecting the Scope of Authentication for Users
• Authenticated Users
• Authentication firewall

Realm Trusts

Using a Shortcut Trust

Designing Security for Interoperability
• If using Windows NT 4.0 or earlier:
• Trust relationships must be manually established
• When supporting down-level clients:
• Be aware of the concept of domain and forest functional levels
• Domain functional levels:
• Windows 2000 mixed
• Windows 2000 native
• Windows Server 2003 interim
• Windows Server 2003

Domain Functional Levels Within Windows Server 2003

Controllers Supported by Different Forest Functional Levels

Windows Server 2003 Domain and Forest Functionality
• At the domain level, the Windows Server 2003 functional level provides:
• Domain controller rename tool
• SID history
• Converting groups
• InetOrg Person
• lastLogonTimestamp attribute

Windows Server 2003 Domain and Forest Functionality (continued)
• The forest functional level provides:
• Domain rename
• Forest trusts
• InetOrg Person
• Defunct schema object
• Linked value replication
• Dynamic auxiliary classes
• Global catalog replication

Summary
• Secure networks from abuse of administrative tools:
• Technical controls
• Policy controls
• Administrative controls
• Tools such as SUS and GPO help keep software up-to-date
• Domain and forest trust models have been updated for Windows Server 2003