Transcript systemroot
Securing Internet Access
Designing an Internet Acceptable Use Policy
Securing Access to the Internet by Private Network
Users
Restricting Access to Content on the Internet
Auditing Internet Access
Designing an Internet Acceptable Use
Policy
Policy elements
Implementing the policy
Internet Acceptable Use Policy
Draft an Internet acceptable use policy before
securing Internet access for private network users.
An Internet acceptable use policy defines acceptable
employee Internet use.
Private network users must understand the rules
when they use corporate resources to access the
Internet.
Define the policy before designing the network
infrastructure and services that enforce and monitor
the policy.
Policy Elements
Describe the available services.
Define specific user responsibility.
Define authorized Internet use.
Define unauthorized Internet use.
Define who owns resources stored on the
organization's computers.
Define the consequences of performing unauthorized
access.
Provide for new technologies.
Implementing the Policy
Create a document outlining the newly defined
Internet acceptable use policy.
Include in the document a contract that employees
must sign before gaining Internet access.
Have the organization's legal representatives review
the contract and the policy to ensure the contract is
legally binding.
Making the Decision: Designing an
Internet Acceptable Use Policy
Develop a fair Internet acceptable use policy.
Determine which protocols will be allowed for
Internet access.
Verify authorized usage and identify unauthorized
usage.
Enforce the Internet acceptable use policy.
Applying the Decision: Designing an
Internet Acceptable Use Policy for Wide
World Importers
The Internet acceptable use policy needs to describe
the consequences of violating the policy.
Wide World Importers needs to develop a fair
Internet acceptable use policy accepted by both
management and employees.
Securing Access to the Internet by Private
Network Users
Identifying risks when private network users connect
to the Internet
Restricting Internet access to specific computers
Restricting Internet access to specific users
Restricting Internet access to specific protocols
Identifying Risks when Private Network
Users Connect to the Internet
Introducing viruses
Deploy a virus scanning solution for all client computers,
servers, and entry points to the network.
Installing unauthorized software
Control software installation through a central network
authority.
Restrict users to writing data to their hard disks only in
common shared areas and their personal profile directories.
Exposing Private Network Addressing
Attempting to Bypass the Established
Security
Making the Decision: Reducing Risks
when Providing Internet Connectivity
Reduce the risk of viruses.
Prevent the installation of unauthorized software.
Prevent Internet users from revealing the private
network addressing scheme.
Prevent users from bypassing network security when
accessing the Internet.
Applying the Decision: Reducing Risks at
Wide World Importers
Wide World Importers must include the following
tasks in its network security plan:
Install virus scanning software at multiple locations on the
network.
Preconfigure Microsoft Internet Explorer to ensure that
security settings are set to restrict download of specific
content.
Configure the external firewall with Network Address
Translation (NAT) service to prevent exposure of the private
network addressing scheme on the Internet.
Restricting Internet Access to Specific
Computers
Configure client computers.
Configure the firewall to limit the computers that can
connect to the Internet.
Configure Internet permissions for network servers.
Servers Requiring Access to the Internet
Through an External Firewall
Making the Decision: Designing Firewall
Packet Filters to Allow Internet Access
Determine which computers are required to respond
directly to incoming requests.
Determine which computers are required to initiate
data exchange with computers on the Internet.
Determine if the computers that require access to the
Internet have a static IP address or a Dynamic Host
Configuration Protocol (DHCP)-assigned IP address.
Determine which protocols the computers use when
accessing the Internet.
Applying the Decision: Designing Wide
World Importers' Firewall Packet Filters
Applying the Decision: Designing Wide
World Importers' Firewall Packet Filters
(Cont.)
Restricting Internet Access to Specific
Users
Microsoft Proxy Server 2.0 Services
Web Proxy service
Windows Socket (WinSock) Proxy service
Socks Proxy service
Authenticating Proxy Server Requests
Proxy Server 2.0 supports three methods of
authenticating users:
Anonymous access
Basic authentication
Integrated Windows Authentication
The Proxy Server update must be downloaded to
configure the software to authenticate with Active
Directory directory service.
Making the Decision: Restricting Which
Users Can Access the Internet
Allow all users to access the Internet.
Simplify the process of granting users access to
Internet protocols.
Distinguish users connecting to the proxy service.
Specify which users can use the Web Proxy service.
Specify which users can use the WinSock Proxy
service.
Applying the Decision: Restricting Internet
Access at Wide World Importers
Applying the Decision: Restricting Internet
Access at Wide World Importers (Cont.)
Restricting Internet Access to Specific
Protocols
Determining Necessary
Protocols
Determining Risks of
Using Each Protocol
Defining Allowed and
Disallowed Protocols
Restricting Protocol Access in the Web
Proxy
Set permissions separately for the Web (HTTP),
Secure (HTTPS), Gopher, and FTP Read services to
allow only authorized groups to use the protocol.
For each protocol, define which groups can access
the protocol.
Partial permissions to the protocols cannot be
assigned.
Restricting Protocol Access in the WinSock
Proxy
Set permissions for individual protocols in the
WinSock Proxy on a per protocol basis.
An additional option exists to grant unlimited access
to all protocols supported by the Proxy Server.
WinSock Proxy supports the most popular protocols.
WinSock Proxy also provides access to newer
protocols by adding the protocol definitions to the
WinSock Proxy.
To use the WinSock Proxy service in Proxy Server 2.0,
install the WinSock Proxy client at the client
computer.
Making the Decision: Determining Which
Protocols Can Access the Internet
Determine which protocols are required.
Determine who requires protocol access.
Define allowed protocols.
Add new protocols.
Allow access to the WinSock Proxy.
Applying the Decision: Determining Which
Protocols Can Access the Internet at Wide
World Importers
Wide World Importers must include the following
permissions in its Web Proxy and WinSock Proxy
configurations:
Configure the Web Proxy to grant access permissions to the
Internet Access local group and the IT Access local group for
the Web (HTTP), Secure (HTTPS), and FTP Read protocols.
Configure the WinSock Proxy to grant unlimited access to
the IT Access local group.
Configure the WinSock Proxy to grant access permission to
the Internet Access group for the File Transfer Protocol
(FTP) and Network News Transfer Protocol (NNTP).
Restricting Access to Content on the
Internet
Preventing access to specific Web sites
Using the Internet Explorer Administration Kit (IEAK)
to preconfigure settings
Managing content downloads
Preventing access to specific types of content
Preventing Access to Specific Web Sites
Making the Decision:
Preventing Access to Specific Web Sites
Identify Web sites that will always be unauthorized
for access.
Include the domain names in the domain filter list.
Applying the Decision: Preventing Access
to Specific Web Sites at Wide World
Importers
Configure a domain filter for nwtraders.tld to prevent
the Proxy Server from allowing access to any Web
sites for nwtraders.tld.
Ensure that the filter prevents access to any Web site
within nwtraders.tld.
The IEAK
Allows administrators to preconfigure Internet
Explorer settings before deploying Internet Explorer
and to update deployments
Can be downloaded by searching www.microsoft.com
for "IEAK"
Consists of the IEAK Profile Manager and the Internet
Explorer Customization Wizard
The IEAK Profile Manager
Profile Manager allows administrators to modify
existing installations by storing the modified
configuration setting in a .ins file.
Internet Explorer clients will detect the .ins file and
apply those settings when Internet Explorer is
configured to Automatically Detect Settings.
Internet Explorer Customization Wizard
Allows administrators to define custom settings for all
security settings in Internet Explorer
Allows configuration of the following security-related
options:
Enable Automatic Configuration
Proxy Settings
Define Certification Authorities
Define Security Zones
Enable Content Rating
Making the Decision:
Using the IEAK to Preconfigure Settings
Determine the desired configuration of Internet
Explorer.
Define an installation package that applies the
standard configuration.
Determine how modifications will be deployed.
Prevent modification of the standard configuration.
Applying the Decision: Using the IEAK to
Preconfigure Settings for Wide World
Importers
Wide World Importers currently supports both Internet Explorer
and Netscape Navigator. Migrating to a pure Internet Explorer
environment and using the IEAK will reduce the cost of
deploying the latest version of Internet Explorer and ensure that
consistent security settings are deployed.
The IEAK will work in the Wide World Importers network
because the IEAK supports Microsoft Windows 95, Microsoft
Windows 98, Microsoft Windows NT, and Microsoft Windows
2000.
Use the IEAK Profile Manager to create a modified .ins file and
post it on an accessible share on the network.
If Internet Explorer is configured to autodetect Proxy settings,
the .ins file will be read from the network location and used to
apply any modifications.
Internet Explorer Security Zones
Internet Explorer allows administrators to manage
what content can be downloaded from Web sites.
Each security zone is configured with a security
setting that defines what content can be downloaded
from Web sites in the security zone.
Additional zones cannot be added to the predefined
zones included with Internet Explorer.
Predefined Security Zones
Internet Explorer Security Zone Level
ActiveX Controls and plug-ins
Deploying Internet Explorer Settings
Use a mix of IEAK and Group Policy to ensure that
correct settings are applied to all Internet Explorer
clients.
Modify settings from a central location by defining
configuration (.ins) files.
Secure Internet Explorer by using Group Policy to
prevent the display of configuration property pages.
Making the Decision:
Managing Content Downloads
Allow download of safe content from trusted sites.
Allow unrestricted access to content on the private
network.
Prevent download of harmful content from all
Internet sites.
Apply security settings that match the Internet
acceptable use policy for the organization.
Ensure consistent security settings on all client
computers.
Applying the Decision: Managing Content
Downloads at Wide World Importers
Wide World Importers wants to place restrictions that
make it difficult to download software from the
Internet.
Configure the Internet zone to use the High security setting
to prevent users from downloading most harmful content
from the Internet.
Combine the High security setting with deployment of a
security template to limit users to creating files in their
personal folders and common shared files locations.
Ensure that the users are not members of the Power Users
group on the local computer.
Preventing Access to Specific Types of
Content
Using Plug-Ins to Block Content
Restrict access to Web sites that contain
unauthorized content by using plug-ins that allow
content scanning at the Proxy Server.
The Proxy Server will not load the inappropriate
materials and will inform the user that the content is
blocked.
A list of plug-ins for content scanning is available at
www.microsoft.com/proxy/.
Using Internet Explorer Content Advisor
The Content Advisor controls what content can be displayed in
the browser windows by using the Recreational Software
Advisory Council on the Internet (RSACi) rating system.
RSACi classifies Internet content in four categories, based on
language, nudity, sex, and violence.
When the Content Advisor is enabled, Internet Explorer scans
the HTML source code for RSACi ratings contained in HTML
metatags.
Define what action to take if a site is unrated.
Blocking access to unrated sites might deny access to
inoffensive sites as well.
Prevent users from changing the content ratings by either
Locking the Content Advisor settings with a supervisor password
Preventing access to the Content tab in the Internet Explorer
Properties dialog box
Making the Decision: Preventing Access to
Specific Types of Content
Define the organization's policy on obscene content.
Define what content must be blocked.
Define what actions to take when an unrated Web
site is accessed.
Prevent users from changing content settings.
Ensure that all settings for Internet Explorer
installations are consistent.
Applying the Decision: Preventing Access
to Internet Content for Wide World
Importers
Define restrictions in the Content Advisor to prevent
access to sites that contain nudity, sex, and violence.
Enable content ratings for all Internet Explorer clients
to ensure consistent application of the restrictions.
Configure the settings using the IEAK so that the
required settings are configured as the default
settings.
Configure the IEAK to ensure that Internet Explorer
clients are configured to autoconfigure settings and
will download any modified content settings.
Use Group Policy to prevent access to the Content
tab of the Internet Explorer Properties dialog box.
Auditing Internet Access
Proxy Server 2.0
Audit logs
Logging configuration: regular or verbose
Logging fields
Designing Proxy Server Auditing
Audit Logs
The log data allows administrators to review all Internet access.
Written text files are stored in the
systemroot\system32\MSPlogs folder, where systemroot is the
folder where Windows 2000 is installed.
New log files can be created every day, week, or month.
Proxy Server maintains the following logs:
Web Proxy log (W3yymmdd.log)
WinSock Proxy log (Wsyymmdd.log)
Socks Proxy log (Spyymmdd.log)
Logging can be configured to use either regular or verbose
logging.
ODBC–Compliant Database Logging
Advantage: Open Database Connectivity (ODBC)
logging has improved search and management
capabilities to review the logged data.
Disadvantage: ODBC logging uses more processor
time than text-based logging.
Before implementing ODBC logging, determine
whether the Proxy Server has any processor resource
issues.
Log Reviews
Ensure that reviewing the logs is one of the Proxy
Server administrator’s regular assignments.
Unless the logs are reviewed, there is no way to
ensure that the Proxy Server is functioning as
expected.
If ODBC logging is used, the database product
provides query mechanisms to find data related to a
specific user or protocol.
If text logging is used, consider purchasing a thirdparty product that provides reporting options for textbased log files.
Making the Decision: Implementing
Internet Access Logging
Examine Internet usage from the private network.
Conserve disk space related to logging at the Proxy
Server.
Ensure that all information of a proxied session can
be analyzed.
Applying the Decision: Implementing
Logging at Wide World Importers
Wide World Importers must enable logging of the
Web Proxy and WinSock Proxy services.
Log to an ODBC data source such as SQL Server to view the
logs.
Configure the Proxy Server to use verbose logging.
Chapter Summary
Determining contents of the policy
Identifying risks when private network users connect
to the Internet
Restricting Internet access to specific computers
Restricting Internet access to specific users
Restricting Internet access to specific protocols
Preventing access to specific Web sites
Using the IEAK to preconfigure settings
Managing content downloads
Preventing access to specific types of content
Designing Proxy Server auditing