Chapter 7: SECURING A NETWORK INFRASTRUCTURE

OVERVIEW
- List the criteria for selecting operating systems for network servers and workstations.
- List the default security settings for the Microsoft Windows Server 2003 and Microsoft Windows XP Professional operating systems.
- Describe the problems inherent in keeping the software on a large network installation updated.
- Use Microsoft Baseline Security Analyzer (MBSA).
- Use Microsoft Software Update Services (SUS).
- Describe the security problems inherent in wireless networking.
- List the mechanisms that Windows-based IEEE 802.11 WLANs can use to authenticate clients and encrypt transmitted data.
- Determine the security requirements of your remote access installation.
- Control remote access with user account properties.
- Create remote access policies.

SELECTING COMPUTERS AND OPERATING SYSTEMS
- Purchase and use of computer systems should be governed by policies.
- Policies should dictate which operating systems are used for different purposes.
- Policies should dictate which hardware is purchased for different purposes.

UNDERSTANDING COMPUTER ROLES
- Server role
- Desktop workstation role
- Portable workstation role

UNDERSTANDING THE SERVER ROLE
- Servers can perform a number of different roles.
- Each role places different demands on the underlying hardware and operating system software.
- Some roles require additional hardware: a server that is used for backups requires a connection to a tape drive or some other storage device.
- Server systems often include fault-tolerant measures.

UNDERSTANDING THE DESKTOP WORKSTATION’S ROLE
- Workstation hardware is generally less powerful than server hardware.
- Workstation hardware typically does not include fault-tolerant measures.
- Some applications, such as computer-aided design (CAD), video and sound editing, and geographic mapping, require very high-performance hardware.

UNDERSTANDING THE PORTABLE WORKSTATION’S ROLE
- Portable workstations can include laptops, notebooks, PDAs, and tablet PCs.
- Portable workstations have different hardware and configuration requirements from desktop workstations.
- Some users may have a desktop workstation and one or more portable workstations.
- Portable workstations create additional security concerns since they can be moved both within and outside of the physical security perimeter.

CREATING HARDWARE SPECIFICATIONS
- Server hardware specifications
- Desktop hardware specifications
- Portable hardware specifications

SERVER HARDWARE SPECIFICATIONS
- Create a hardware specification based on the applications that the server will host.
- Use company information such as expected increases in personnel or customer activity when creating the specification.
- Factor a reasonable growth margin into the specification.
- Consider the ease of future upgrades to preserve investment.

DESKTOP HARDWARE SPECIFICATIONS
- Specify a base hardware configuration that supports most users.
- Create additional specifications as needed to accommodate special requirements.
- Where possible, use a small number of standard configurations.
- Standardized hardware provides many advantages in terms of support.

PORTABLE HARDWARE SPECIFICATIONS
- Different types of portable hardware have different hardware requirements.
- Many portable computing devices use proprietary technologies.
- As with desktop workstations, keep the number of standard configurations to a minimum.

SELECTING OPERATING SYSTEMS
When selecting operating systems, you must consider the following:
- Application compatibility: The operating system you select must support the application software needed by the organization.
- Support issues: Familiarity with operating systems decreases training costs and improves technical support service.
- Security features: In highly secure environments, operating systems with advanced security features should be chosen.
- Cost: Operating system software represents a significant investment, and the availability of funds for software purchases must be considered.

CHOOSING WORKSTATION OPERATING SYSTEMS

CHOOSING SERVER OPERATING SYSTEMS

IDENTIFYING CLIENT AND SERVER DEFAULT SECURITY SETTINGS
- Operating systems install with a default set of security settings.
- These settings should be evaluated to determine whether they satisfy security requirements.
- Windows Server 2003 is designed to be more secure in a default installation than are previous versions of Windows.

EVALUATING SECURITY SETTINGS
- File system permissions
- Share permissions
- Registry permissions
- Active Directory permissions
- Account Policy settings
- Audit policies

FILE SYSTEM PERMISSIONS

| NTFS Folder Permission | Enables the User or Group To |
| --- | --- |
| Full Control | Change file/folder permissions, take ownership of files/folders, and delete subfolders and files, plus perform the actions permitted by all of the other NTFS permissions. |
| Modify | Modify or delete a file/folder, plus perform all actions permitted by the Write permission and the Read & Execute permission. |
| Read & Execute | Run applications; browse through folders to reach other files and folders, even if the user does not have permission to access those files/folders; and perform all actions permitted by the Read permission and the List Folder Contents permission. |
| List Folder Contents | See the names of files and subfolders in a folder. |
| Read | Read a file; see the files and subfolders in a folder; and view a file or folder’s ownership, permissions, and file system attributes (such as Read-only, Hidden, Archive, and System). |
| Write | Overwrite a file, create new files and subfolders within a folder, change a file or folder’s attributes, and view the file or folder’s ownership and permissions. |

SHARE PERMISSIONS

| Shared Folder Permission | Enables the User or Group To |
| --- | --- |
| Read | View file names and subfolder names, view data in files, traverse to subfolders, and run programs. |
| Change | Add files and subfolders to the shared folder, change data in files, delete subfolders and files, plus perform all actions permitted by the Read permission. |
| Full Control | Change file permissions (NTFS only), take ownership of files (NTFS only), and perform all tasks permitted by the Change permission. |

REGISTRY PERMISSIONS

ACTIVE DIRECTORY PERMISSIONS
- Active Directory has over 25 standard permissions and 67 special permissions.
- The following default permission assignments are made to cover most requirements:
  - Enterprise Admins: Receives the Full Control permission for the entire forest
  - Domain Admins and Administrators: Receive a selection of permissions that enables them to perform Active Directory object maintenance tasks within their domain
  - Authenticated Users: Receives the Read permission for the entire domain, plus a small selection of very specific Modify permissions

ACCOUNT POLICY SETTINGS

AUDIT POLICIES

PLANNING A SECURITY UPDATE INFRASTRUCTURE
- Understanding software update practices
- Using Windows Update
- Updating a network

UNDERSTANDING SOFTWARE UPDATE PRACTICES
- Microsoft distributes software updates in two forms:
  - Service pack: A collection of patches and updates that have been tested as a single unit
  - Hotfix: A small patch designed to address a specific issue
- Microsoft recommends that service packs be installed on all applicable systems. Hotfixes should be applied only to systems that are experiencing a specific problem.

USING WINDOWS UPDATE

UPDATING A NETWORK
- Updating PCs on a network presents many challenges to the administrator.
- A network security update infrastructure is a series of policies that are designed to help the administrator manage software and security updates on the network.
- The security update infrastructure should specify procedures for the identification, testing, and deployment of software updates.

USING MBSA

TESTING SECURITY UPDATES
- All updates, including those related to security, should be tested before they are implemented.
- If possible, use a test system with a configuration similar to that of the system on which the update will be applied.
- If a test system is not available, updates should be deployed progressively, and systems with the updates should be closely monitored.

USING MICROSOFT SOFTWARE UPDATE SERVICES

SECURING A WIRELESS NETWORK
- Wireless networks are becoming increasingly popular as related hardware becomes more affordable and companies begin to realize the flexibility that wireless networks offer.
- Wireless networks present more and different security challenges than their wired counterparts.

UNDERSTANDING WIRELESS NETWORKING STANDARDS
- Wireless networking standards are developed and ratified by the Institute of Electrical and Electronics Engineers (IEEE).
- Three standards have been defined:
  - 802.11b: The current standard. Offers speeds up to 11 Mbps.
  - 802.11a: In development. Uses different frequency ranges than 802.11b. Offers speeds up to 54 Mbps.
  - 802.11g: Uses the same frequency ranges as 802.11b. Offers speeds up to 54 Mbps.

WIRELESS NETWORKING TOPOLOGIES

UNDERSTANDING WIRELESS NETWORK SECURITY
- Wireless networking presents security risks that are not present when using traditional wired networks.
- Logical security becomes a paramount concern, as physical security measures are not necessarily preventative.
- Two main concerns when using wireless networks are unauthorized access and data interception.

CONTROLLING WIRELESS ACCESS USING GROUP POLICIES

AUTHENTICATING USERS
- Open system authentication
- Shared key authentication
- IEEE 802.1x authentication

OPEN SYSTEM AUTHENTICATION
- The default authentication method used by IEEE 802.11 devices.
- Despite the name, it offers no actual authentication.
- A device configured to use Open System authentication will not refuse authentication to another device.

SHARED KEY AUTHENTICATION
- Devices authenticate each other using a secret key that both possess.
- The key is shared before authentication using a secure channel.
- All the computers in the same BSS must possess the same key.

IEEE 802.1X AUTHENTICATION
- The IEEE 802.1x standard defines a method of authenticating and authorizing users on any 802 LAN.
- Most IEEE 802.1x implementations use Remote Authentication Dial-In User Service (RADIUS) servers.
- RADIUS typically uses one of the following two authentication protocols:
  - Extensible Authentication Protocol-Transport Level Security (EAP-TLS)
  - Protected EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2)

ENCRYPTING WIRELESS TRAFFIC
- The IEEE 802.11 standard uses an encryption mechanism called Wired Equivalent Privacy (WEP) to secure data while in transit.
- WEP uses the RC4 cryptographic algorithm developed by RSA Security, Inc.
- WEP allows the key length, as well as the frequency with which the systems generate new keys, to be configured.

SECURING REMOTE ACCESS
- Determining security requirements
- Controlling access using dial-in properties
- Planning authentication
- Using remote access policies

DETERMINING SECURITY REQUIREMENTS
- Which users require remote access?
- Do users require different levels of remote access?
- Do users need access to the entire network?
- What applications must users run?

CONTROLLING ACCESS USING DIAL-IN PROPERTIES

PLANNING AUTHENTICATION

USING RADIUS
- Windows Server 2003 with IAS can be a RADIUS server or a RADIUS proxy.
- When configured as a RADIUS server, the computer receiving the authentication request will process and authorize the connection request.
- When configured as a RADIUS proxy, the authentication request is forwarded to the configured RADIUS server.

SELECTING AN AUTHENTICATION PROTOCOL

USING REMOTE ACCESS POLICIES
- Sets of conditions that users must meet before RRAS authorizes them to access the server or the network
- Can be configured to limit user access based on group memberships, day and time restrictions, and many other criteria
- Can specify which authentication protocol and which type of encryption clients must use
- Policies can be created based on type of connection, such as dial-up, VPN, or wireless

REMOTE ACCESS POLICY COMPONENTS
- Conditions
  - Specific attributes that the policy uses to grant or deny authorization to a user. If more than one condition is defined, the user must meet all the conditions before the server can grant access.
- Remote access permission
  - Defines whether the user is allowed to connect to the system through a remote access connection.
- Remote access profile
  - A set of attributes applied to a client once it has been authenticated and authorized.
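
The three policy components above, modelled in Python as an added example (not part of the original slides and not RRAS or IAS code). The policy names, groups, and profile values are constructed, and checking policies in order with the first match deciding is an assumption of this model.

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Policy:
    name: str
    conditions: list      # callables request -> bool; ALL must hold to match
    grant: bool           # the remote access permission
    profile: dict = field(default_factory=dict)  # applied once authorized

def evaluate(policies, request):
    """Return (granted, matching policy name, profile) for one request."""
    for policy in policies:  # assumption: ordered list, first match decides
        if all(cond(request) for cond in policy.conditions):
            if policy.grant:
                return True, policy.name, dict(policy.profile)
            return False, policy.name, {}  # matched, but permission is deny
    return False, None, {}  # no policy matched: the connection is refused

# Condition builders for the criteria the slides name: group membership,
# connection type, and day and time restrictions.
def in_group(group):
    return lambda r: group in r["groups"]

def connection_type(kind):
    return lambda r: r["type"] == kind

def weekday_hours(start, end):
    return lambda r: r["time"].weekday() < 5 and start <= r["time"].hour < end

# Constructed policy set, for illustration only.
POLICIES = [
    Policy("Block contractors on wireless",
           [in_group("Contractors"), connection_type("wireless")],
           grant=False),
    Policy("VPN for sales, business hours",
           [in_group("Sales"), connection_type("vpn"), weekday_hours(8, 18)],
           grant=True,
           profile={"auth": "MS-CHAP v2", "encryption": "strongest",
                    "idle_timeout_min": 15}),
]

def sample_request(groups, kind, when):
    """Build a constructed connection request; `when` is an ISO timestamp."""
    return {"groups": set(groups), "type": kind,
            "time": datetime.fromisoformat(when)}

if __name__ == "__main__":
    req = sample_request(["Sales"], "vpn", "2024-03-05T10:00")
    print(evaluate(POLICIES, req))
```

A request that fails any single condition of a policy does not match that policy at all, which is why a Sales user connecting by VPN on a Saturday falls through to the final refusal rather than receiving the profile.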

CREATING REMOTE ACCESS POLICIES

CHAPTER SUMMARY
- When selecting operating systems for servers, you can choose the platform best suited to the server’s role. When selecting workstation operating systems, standardization takes precedence over specialization.
- When you install Windows Server 2003 or Windows XP Professional, the operating system Setup program configures a number of security settings with default values that you can either keep or modify.
- Microsoft releases updates for its operating systems and applications. Major updates are called service packs. Individual updates are called hotfixes.
- MBSA is a tool that scans computers on a network and examines them for security vulnerabilities.
- SUS is a tool that streamlines the approval and implementation of software updates.
- Most wireless LANs today are based on the 802.11 standards published by the IEEE. WLANs present additional security risks over wired networks.
- To secure a wireless network, you must authenticate the clients before they are granted network access, and encrypt all packets transmitted over the wireless link.
- To determine the security requirements you need for your remote access server, determine which users need access and what type of access they need.
- Remote access policies are sets of conditions that must be met by remote clients attempting to connect to the Routing and Remote Access server.