Module 12. Providing Security-Enhanced Internet Access to Network
Download
Report
Transcript Module 12. Providing Security-Enhanced Internet Access to Network
Module 12: Providing
Secure Internet Access
to Network Users
Overview
Protecting Internal Network Resources
Planning Internet Usage Policies
Managing Internet Access Through Proxy Server
Configuration
Managing Internet Access Through Client-side
Configuration
As organizations capitalize on the marketing and
resource potential of the Internet, an increasing number
of employees require Internet access as part of their job
functions. By providing access from a private network
to the Internet, you introduce some inherent security
risks, including the possibility of virus attacks and
exposing internal addressing schemes.
To best secure a Microsoft® Windows® 2000 network,
restrict Internet access to a specific subset of network
users, computers, or protocols. You can manage
Internet access through both client-side and Proxy
Server configurations.
At the end of this module, you will be able to:
Design a strategy for protecting private network
resources from the public network.
Plan which users, computers, and protocols are allowed
access to the Internet.
Design the Microsoft Proxy Server 2.0 requirements for
maintaining security when local network users access
the Internet.
Design the client-side requirements for maintaining
security when local network users access the Internet.
Protecting Internal Network Resources
Protecting the Internal Network from Exposure to
Viruses
Minimizing Risks Associated with Modem Usage
Protecting Internal Network Addresses
Protecting DNS Namespaces
When providing Internet access from your private
network, it is important to review the inherent security
risks to your network resources. For example, private
network users may inadvertently introduce viruses from
the Internet to the local network. Desktop modems are a
security risk because they may allow users to connect
to the Internet, bypassing the firewall. By exposing the
internal network address and Domain Name System
(DNS) namespaces, an attacker on the Internet may be
able to access private network resources. To address all
of these risks, your network security plan must include
vigilant management of Internet usage and careful
design of network namespaces.
In this lesson you will learn about the following topics:
Protecting the internal network form exposure to
viruses.
Minimizing risks associated with modem usage.
Protecting internal network addresses.
Protecting DNS namespaces.
Protecting the Internal Network from Exposure to
Viruses
Virus Inspection
Internet
Firewall
Proxy
Server
Perimeter Servers
Exchange
Server
Client
When accessing the Internet, network users may
inadvertently introduce viruses to the private network.
Viruses can be introduced to the local network through
downloaded files, e-mail attachments, and even by
certain Web page content such as Java and ActiveX®
controls.
To protect against exposure to viruses, develop a virusprotection plan that includes:
Implementing virus-scanning software at all perimeter
servers.
Implementing virus-scanning software at all client
systems.
Implementing virus-scanning plug-ins for applications.
Minimizing Risks Associated with Modem Usage
ISP
Internet
Firewall
Modem
LAN
Dial-Up User
Recognizing Problems with Modem Usage
Using Security Templates to Prevent Modem Deployment
One common method of providing Internet access is to
provide modems to designated employees. Although
modems offer a quick solution, they bypass network
security and management policies by providing an
alternate pathway between the local area network (LAN)
and the Internet.
Recognizing Problems with Modem Usage
Problems with using modems to access the Internet
from inside the private network include:
Bypasses perimeter security.
Requires individual configuration of browsers and dial-up
connections.
Complicates management of protocols and content.
Bypasses perimeter security.
Direct dial-up access to an Internet service provider
(ISP) can bypass any perimeter security configured for
outgoing Internet traffic.
Requires individual configuration of browsers and dial-up
connections.
Internet access by modems requires that each client's
profile be configured with an ISP-specific dial-up
network configuration. In addition, the user's browser
may require customization for use with the ISP.
Complicates management of protocols and content.
Modems at the individual desktop systems allow other
computers to dial up for network access. Unless each
Windows 2000-based computer is deployed as a
Remote Authentication Dial-In User Service (RADIUS)
client, centralized administration of remote access
policies is not possible. In addition, specific network
protocols and Internet content cannot be centrally
managed as they pass through a firewall.
Using Security Templates to Prevent Modem Deployment
To prevent users from deploying modems to connect to
the Internet, create a security template that disables the
Remote Access Connection Manager. If you want to
prevent users from hosting dial-up connections to the
internal network, ensure that Routing and Remote
Access is disabled.
Deploy the security template by using Group Policy at
the domain level so that it affects all Windows 2000based computers.
Important: Place all servers that will host Routing and
Remote Access in the same organizational unit (OU).
Then apply Group Policy to enable Routing and Remote
Access for these servers.
Protecting Internal Network Addresses
Internet
131.107.2.200
192.168.10.3
Firewall
192.168.10.1
192.168.10.2
Using Private Network Addressing
Concealing Internal Network Addresses
When internal network users access the Internet,
packets originating from the internal network contain
the source Internet Protocol (IP) address of the user's
computer. If your IP address is an externally available IP
address, revealing the internal network addressing
scheme introduces risk. An attacker on the public
network may use this information in an attempt to
circumvent firewall security. In this attack, known as IP
spoofing, an attacker sends packets with source
addresses from the internal network.
Using Private Network Addressing
To help prevent IP spoofing, your network security plan
must ensure that all clients on the internal network are
configured with addresses from the following range
reserved exclusively for private network usage in RFC
1918:
10.0.0.1 through 10.255.255.254
172.16.0.1 through 172.31.255.254
192.168.0.1 through 192.168.255.254
Note: The IP address range of 169.254.0.0/16 is
sometimes implemented on the internal network. The
Internet Assigned Numbers Authority (IANA) has
reserved this address for Automatic Private IP
Addressing (APIPA)..
By assigning these addresses on the internal network,
you ensure that:
Internal networks do not use an address range that is
currently implemented on the Internet.
Access cannot be gained to the private network even if
the source addresses are exposed on the Internet,
because Internet routing tables will not contain defined
routes.
Firewalls can recognize and drop packets that originate
on the Internet network adapter with a forged internal
source address.
Concealing Internal Network Addresses
Network address translation (NAT) conceals the internal
address scheme by intercepting network traffic and
replacing outgoing packets with a common source
address. Alternatively, using a proxy server with an
external network adapter on the Internet will also protect
internal addressing because all Internet-destined
packets will appear to originate at the proxy server.
Protecting DNS Namespaces
External
DNS Server
External DNS Servers
Internal
DNS Server
Internal DNS Servers
Only include externally available
resources
May include records referencing
external resources
Never include Active Directory–
related SRV records
Use internal network addressing
Never make available to the
public network
Never expose internal network
IP addresses
To prevent your network from becoming vulnerable to IP
spoofing attacks, configure your DNS servers to
conceal internal DNS resource records and Active
Directory™ directory service-related SRV (service)
resource records from Internet users. To conceal DNS
namespaces, you will need to maintain two DNS
servers-an externally accessible DNS server and an
internally accessible DNS server.
External DNS Server Configuration
Configure the externally accessible DNS server so that it:
Only includes resource records for externally available
resources.
Never includes Active Directory-related SRV resource
records.
Never includes resource records that might expose the
internal network addressing scheme.
Internal DNS Server Configuration
Configure the internally accessible DNS server so that it:
May include resource records that reference externally
accessible resources (depending on your Active
Directory naming design).
Uses internal addressing schemes to reference all
resource records for resources located within a
screened subnet.
Is never accessible from the public network. If
communication is required between the external and
internal DNS servers, restrict channels to only those
DNS servers.
Planning Internet Usage Policies
Selecting Protocols for Internet Access
Selecting Users for Internet Access
Selecting Computers for Internet Access
Educating Users on Acceptable Internet Usage
Before configuring and enforcing measures to secure
Internet access, you must define what you consider to
be safe and appropriate use of the Internet. With Proxy
Server and a firewall solution, it is possible to manage
precisely which protocols, users, and computers can
access the Internet. Part of your security plan must
include clearly communicating your security policies to
all Internet users.
In this lesson you will learn about the following topics:
Selecting protocols for Internet access
Selecting users for Internet access
Selecting computers for Internet access
Educating users on acceptable Internet usage
Selecting Protocols for Internet Access
Proxy Server
FTP
HTTP
HTTPS
Internet
FTP
HTTP
HTTPS
Telnet
Finger
Firewall
Determining Necessary Protocols
Determining Risks of Using Each Protocol
Defining Allowed and Disallowed Protocols
Proxy Client
Although Hypertext Transfer Protocol (HTTP) is the
most common application protocol on the Internet, your
organization may be using several other application
protocols (such as File Transfer Protocol [FTP] and
Telnet) to access Internet resources. By determining
current protocol usage and reviewing whether it meets
your acceptable usage policies, you can design firewall
filters to effectively manage protocol usage.
One method of determining the necessary protocols is
to temporarily allow all protocols to be used for
outgoing Internet access and log usage during that
period. Review the logs to:
Determine necessary protocols.
Determine security risks associated with each protocol.
Define allowed and disallowed protocols.
Determine necessary protocols.
Logging will determine exactly which protocols have
been used to access the Internet and the frequency of
their usage. It is also useful to know exactly who is
using each protocol. Some protocols may not require
access by all users.
Determine security risks associated with each protocol.
Many protocols have known security risks, such as the
use of clear-text authentication that can reveal user
accounts and passwords to an attacker. When using
these protocols, establish specific guidelines for their
use. For example, if Telnet is required, ensure that users
do not have the same Telnet and internal network
passwords.
Define allowed and disallowed protocols.
Enforce protocol usage with Proxy Server and your
firewall by defining each protocol by transport protocol
and port usage. Use Proxy Server to limit which security
groups can use each defined protocol when accessing
the Internet.
Selecting Users for Internet Access
Proxy Rules
Marketing
NetMeeting
Authenticated Users
Authenticated Users
HTTP
HTTPS
Marketing
User1
User2
Internet
Determine Which Groups Can
Use Each Protocol
Configure Proxy Server to Only
Forward Requests by Members
of Approved Groups
Proxy Server
User2
Your Internet access configuration does not need to
include all users of the private network. By using
software that is able to interact with Active Directory,
you can configure protocol access based on user
identity.
Proxy Server can be configured to only allow specific
security groups to use specific protocols. Whenever a
request to use a protocol is made to Proxy Server,
Proxy Server will determine whether the user's access
token contains a security identifier (SID) that is allowed
to use the requested protocol. If a matching SID is
found, the request is granted. Otherwise, the request is
denied.
For example, if you determine that only specific users
need to use Microsoft NetMeeting® over the Internet,
you can create a security group that only contains those
users. You could then configure Proxy Server to only
allow users from that group to use NetMeeting protocols
when accessing the Internet.
Selecting Computers for Internet Access
Computer
Protocol
Proxy
Mail
Others
any
SMTP
none
Proxy
Server
Internet
Firewall
Prevent Client Computers from
Communicating Directly Through
the Firewall
Manage Internet Access from the
Proxy Server
Proxy Client
In addition to restricting which users and protocols will
be allowed to access the Internet, you can combine
Proxy Server with a firewall to define which computers
can access the Internet. To prevent internal clients from
bypassing security, configure the firewall to allow only
specific internal computers, such as Proxy Server, to
pass traffic to the Internet. This allows you to manage
Internet access at a single point.
The following questions will help determine which computers can pass
traffic through the firewall:
Does the internal computer need to communicate directly with hosts on the
Internet?
Some computers require direct access to hosts on the Internet. For example,
a Mail server needs to communicate with external Mail servers by using
Simple Mail Transfer Protocol (SMTP) to transfer messages.
Does the internal computer use specific protocols when communicating with a
host on the Internet?
A Mail server only requires permission to use SMTP to communicate with
other Mail servers. Set the firewall to allow the Mail server to connect to other
Mail servers only if the destination port is Transmission Control Protocol
(TCP) port 25. Conversely, a proxy server must use several different
protocols and requires less restrictive settings at the firewall.
Tip: In certain smaller networks, Proxy Server can be used as a firewall to
separate the internal network from the public network. When combined with
Routing and Remote Access, you can create specific packet filters to restrict
which internal computers can connect directly to the Internet.
Educating Users on Acceptable Internet Usage
An Acceptable Usage Policy Document:
Clearly defines who can access the Internet
Clearly defines responsibilities of Internet users
Clearly defines disciplinary actions
The actions of internal network users, whether
intentional or unintentional, are the biggest single threat
to network security. By educating users on acceptable
Internet usage, you clearly define expectations and
consequences.
A detailed acceptable usage policy clearly defines:
Who is allowed to access the Internet. Requests may be examined on
a case?by-case basis.
User responsibilities.
Responsibilities of internal network users include:
•Defining password usage guidelines, such as never using corporate
passwords for Internet sites.
•Listing acceptable tasks.
•Listing all unacceptable tasks, such as disclosure of company
information, and limits on e-mail attachment size.
•Defining ownership of all data stored on company property.
An explanation of disciplinary actions if a user breaks the acceptable
usage guidelines.
It is recommended that your organization's legal
department review the acceptable usage document to
ensure that all inclusions in the document are legally
binding for your jurisdiction. Ensure that both
management and individual users sign the document,
thereby stating that they accept all guidelines.
Managing Internet Access Through Proxy Server
Configuration
Planning Microsoft Proxy Server Services
Configuring Proxy Server Authentication
Restricting Access to Specific Internet Sites
Configuring Internet Access by Groups
Auditing Proxy Server Usage
After you have determined which protocols, computers,
and users may access the Internet, there are two
general methods of enforcing your acceptable usage
policy. One is to configure restrictions at the server, and
the other is to configure restrictions at the client
computers. Both methods need to be part of a
comprehensive security policy.
Server-side configuration includes careful planning of
proxy services, such as Proxy Server. Planning issues
include limiting access to authenticated users, blocking
objectionable Internet sites, using groups to simplify
management of Internet access, and auditing Internet
usage at the Proxy Server.
In this lesson you will learn about the following topics:
Planning Microsoft Proxy Server services
Configuring Proxy Server authentication
Restricting access to specific Internet sites
Configuring Internet access by groups
Auditing Proxy Server usage
Planning Microsoft Proxy Server Services
Application-level
Security
Implemented through the
Web proxy service
Circuit-level
Security
Implemented through the
WinSock proxy and the SOCKS
proxy
Packet-level
Security
Implemented through dynamic
packet filtering
A common tool for managing Internet access in a
Windows 2000 network is Microsoft Proxy Server. Proxy
Server secures Internet access based on user or group
membership information stored in Active Directory.
Proxy Server provides three different levels of
protection as users access resources on the public
network:
Application-level security
Circuit-level security
Packet-level security
Your security configuration will require a mix of all three
levels of protection to secure internal clients when they
access public networks.
Configuring Proxy Server Authentication
Anonymous Access
Basic Authentication
Integrated Windows Authentication
In addition to application-level, circuit-level, and packetlevel security, Proxy Server provides the ability to allow
only authenticated users to access specific services.
There are three methods of authentication supported by
Proxy Server: anonymous access, basic authentication,
and Integrated Windows authentication.
Note: When creating custom templates, select functionbased names for the templates. Function-based names
allow users to easily select the proper certificates based
on the tasks that the user is performing at that time.
Anonymous Access
No user credentials are required to use Proxy Server
services. If the IIS World Wide Web Publishing Service
is configured to only allow anonymous access, any
permissions configured for protocols are ignored
because the identities of individual users are not
determined. To force users to authenticate with Proxy
Server, you must disable anonymous access.
Basic Authentication
With basic authentication, a user provides his or her
user name and password when prompted to
authenticate with Proxy Server. The user name and
password are transmitted to the Proxy Server in clear
text and can be considered a security risk.
Tip: If you are using basic authentication with thirdparty clients, consider using supplementary encryption,
such as Secure Sockets Layer (SSL) to ensure that
encryption takes the place of the authentication
credentials.
Integrated Windows Authentication
Integrated Windows authentication provides a
transparent logon procedure for clients. The user is not
prompted for his or her credentials. The credentials are
obtained from the user's access token that was
generated when the user logged on. Remember that
your clients must support whatever authentication
method you implement. For example, if you are using an
Internet browser other than Microsoft Internet Explorer,
you will not be able to implement Integrated Windows
authentication.
Note: To allow Proxy Server to run on Windows 2000
and authenticate accounts against Windows 2000,
download the Proxy Server update at
www.iana.org/assignments/port-numbers
Restricting Access to Specific Internet Sites
Domain Filter List:
2
3
131.107.30.14
(nwtraders.msft)
131.107.46.20
(contoso.msft)
Proxy
Server
1. Client attempts to connect to
www.nwtraders.msft
2. Proxy Server checks URL
against domain filter list
3. Client is informed that access to
the site has been prohibited
1
Access Prohibited!
You can configure Proxy Server to deny access to
specific domain names or Web sites by using domain
filters. For example, to prohibit access to Web sites
within the nwtraders.msft domain, list the domain name
in the domain filter list. If a client were to request access
to any Web site in the nwtraders.msft domain, Proxy
Server would check the Uniform Resource Locator
(URL) against the domain filter list and prohibit access
to the site.
In addition, there are several third-party products that
plug in to Proxy Server that enable advanced Internet
filtering. For more details about these products, see
www.microsoft.com/proxy.
Note: Proxy Server converts fully qualified domain
names (FQDNs) in the filter list to IP addresses before
applying the filter. By tracking IP addresses in addition
to FQDNs, the filter prevents users from entering the IP
address of a restricted site to bypass the filter.
Controlling Internet Access by Groups
Use Proxy Server to Grant Protocol Access Based on
User Groups
Create Protocol Definitions If a Protocol Definition Does
Not Exist
Proxy Server allows network administrators to
designate groups, rather than individual users, that can
use specific protocols. For example, you could
configure Proxy Server so that only members of the
Research group can use the Network News Transport
Protocol (NNTP) to access newsgroups on the Internet.
Note: By default, permissions are not filtered. This
means that any Proxy Clients will be able to use any
protocol without restrictions.
You can use Proxy Server to create new definitions of
protocols based on protocol and port definitions. This
allows you to define both incoming and outgoing rules
for the new protocol. For example, if a new protocol
were developed that required clients to connect to the
host server on TCP port 8888, you could create a
protocol filter that allowed any client port to connect to
TCP port 8888. You would then restrict this protocol
filter to a specific Active Directory group.
Auditing Proxy Server Usage
Proxy Server
Log
Write Auditing Logs to Text
Files or ODBC-Compliant
Databases
Analyze Logs to Determine
Current Usage
Client Computer
Name: 01/01/2000
ed08 briank ….
robd…. edzach
Client 01/01/2000
User Name:
01/01/2000Name:
gregb …
Destination
http://www.contoso.msft
01/01/2000 andys ….
Destination
01/01/2000Port:
lorrinb ….80
Log Date:
01/01/2000
01/01/2000
dont …
Log Time:
17:15
01/01/2000 patricel ….
Object Name: default.htm
01/01/2000 jackc ….
Object Source: Cache
01/01/2000 paulho …
Protocol
Name: HTTP
Result Code: 200
Service Name: CERNProxy
Proxy Server generates detailed service logs that record
who is accessing the Internet, the protocols used, and
the sites visited. The Web proxy, WinSock proxy, and
SOCKS proxy services generate separate service logs.
The separate logs allow detailed analysis to be
performed on a service-by-service basis.
Note: By default, Proxy Server records data to text files
stored in the systemroot\system32\Msplogs directory.
Log events may also be stored in an Open Database
Connectivity (ODBC)-compliant database such as
Microsoft SQL Server™.
Network administrators must perform regular auditing of
the log files to ensure that all users are following Internetacceptable usage. For example, if you fear that a specific
protocol has security weaknesses, you can query the
logs to determine whether any internal clients have used
the protocol. The use of an ODBC-compliant database for
the log files will aid in performing queries against the
collected data.
Inspection of the logs can determine whether additional
protocols need to be included in exclusion lists or if
protocol usage needs to be limited to a specific security
group due to misuse.
Note: There are several third-party products available to
analyze Proxy Server logs. For more information, see
www.microsoft.com/proxy.
Managing Internet Access Through Client-side
Configuration
Defining Security Zones for Internet Access
Assigning Security Levels to Internet Zones
Controlling Types of Content Accessed on the Internet
Automatically Configuring Proxy Clients
Standardizing Deployment of Browsers with the IEAK
In addition to server-side configuration, it is possible to
manage and enforce your acceptable usage policies at
the client computer. Client-side configuration includes
defining Internet zones and associating those zones
with enforceable security levels. You can control the
type of Internet content accessible to clients and
enforce these configurations by automatically
configuring the clients and customizing the Internet
browsers with the Internet Explorer Administration Kit
(IEAK).
In this lesson you will learn about the following topics:
Defining security zones for Internet access
Assigning security levels to Internet zones
Controlling types of content accessed on the Internet
Automatically configuring Proxy Clients
Standardizing deployment of browsers with the IEAK
Defining Security Zones for Internet Access
Security Zones:
Assign a unique security
level to each zone to
define the allowed level
of browser access
Internet Explorer divides online content into distinct
security zones. Each zone can have a unique security
level assigned to it that will define the level of browser
access granted to clients.
The predefined security zones included in Internet Explorer are:
My Computer zone. Includes everything that is located on the local
computer system, on hard disks, and on removable media. It does
not include cached Java classes or any content of the Temporary
Internet Files folder.
Local Intranet zone. Includes all sites that are located within the
private network, including all network segments that are protected
by an organization's firewall.
Internet zone. Contains all sites on the Internet that are not included
in the Trusted sites or Restricted sites zone.
Trusted sites zone. Contains a listing of all sites on the Internet that
you consider trusted for content download. This zone typically
contains business partner sites.
Restricted sites zone. Contains all Internet sites to which you allow
client access, but want to restrict the content that can be
downloaded.
You can add specific URLs to the zones so that
consistent Internet access is enforced across the
organization. By default, the Local Intranet zone will
include all sites that bypass the Proxy Server and all
universal naming convention (UNC) paths.
Assigning Security Levels to Internet Zones
Default Security Levels
Customized Security Levels
By assigning security levels to Internet zones, you can
group and control access to sites based on your
assigned level of trust. When opening a Web page with
Internet Explorer, the zone from which the Web page
was loaded is determined and Internet Explorer applies
the security level assigned to that zone.
Default Security Levels
You can assign these default security levels:
Low. This security level allows most content to download and run
without the user being prompted. Minimal safeguards are
implemented. Only apply this security setting to sites that you
completely trust.
Medium-low. This security level allows the user to download and
run most types of content without providing prompts. Unsigned
ActiveX controls will not be downloaded.
Medium. This security level prompts the user before downloading
any potentially unsafe content and is appropriate for most Internet
content.
High. This security level provides the safest access to the Internet
but is less functional. This setting disables most of the less secure
features of Internet Explorer, including downloading any Java or
ActiveX controls.
Customized Security Levels
You can implement custom levels of security to specify
access control to potentially harmful content on the
Internet. For example, you could allow the downloading
of signed ActiveX controls, but prevent the acceptance
of cookies (files containing information about a user
that are sent to a Web server each time a request is
made).
Controlling Types of Content Accessed on the
Internet
Level
4
3
2
1
0
Language Rating
Crude, vulgar language, or extreme hate speech
Strong language or hate speech
Moderate expletives or profanity
Mild expletives
None of the above
RSACi ranks Internet content
into five levels of suitability
based on violence, nudity,
sex, and language
Inappropriate content can be
screened by the Internet
Explorer Content Advisor
You may choose to include descriptions of acceptable
Internet content in your acceptable usage guidelines.
The Internet Explorer Content Advisor, included with
Microsoft Internet Explorer 5.0, controls the types of
content that network users can access.
Internet Explorer is installed with the Recreational
Software Advisory Council on the Internet (RSACi)
system. Each RSACi category groups Internet content
into five levels of appropriateness based on language,
nudity, sex, and violence.
Note: For more information about specific content
allowed at each RSACi rating level, see the Internet
Content Rating Association Web page at www.icra.org.
When the Internet Explorer Content Advisor is enabled,
Internet Explorer screens Web content by reading
RSACi ratings contained in hidden Hypertext Markup
Language (HTML) tags called meta tags. You can
configure Internet Explorer to deny access to unrated
Web sites.
Content Advisor settings can be distributed, maintained,
and enforced by using the IEAK and the IEAK Profile
Manager. You can preconfigure Internet Explorer with a
secured supervisor password that restricts the ability to
change or disable Content Advisor settings.
Automatically Configuring Proxy Clients
Use Auto-configure to Reduce
Potential for Misconfiguration
Do Not Use Default Ports
Require Proxy Server to Prevent
Clients from Connecting Directly
to the Internet
To enforce proxy security with minimal configuration,
you will need to set up auto-configuration of all Proxy
Clients. This reduces the potential for misconfiguration
while ensuring that all clients use the designated Proxy
Server to access the Internet.
When installing Proxy Server, you can configure the
client installation files with preconfigured settings.
These preconfigured settings are applied when the
Proxy Client software is installed on a client computer.
Tip: Do not configure the Proxy Server to use the
default port (port 80) for client connections. Instead, use
a random port from 1024 through 9999, such as 8000.
In a Proxy Server environment, select the Automatically
detect settings option to ensure that Web browsers
direct all requests to the Proxy Server. This option also
ensures that updates to the default configuration are
transferred to clients the next time that they start
Internet Explorer.
Standardizing Deployment of Browsers with the IEAK
Use IEAK to Design Customized Browsers
with Preset Proxy and Security Zone Settings
Implement Updates to Profile Data by Editing
the .ins File
By default, Internet Explorer allows users to select a
proxy server and to increase and decrease security
zone settings. The IEAK enables you to create
customized browsers with preset options, including
security zone and proxy settings that cannot be
modified.
The IEAK is composed of the IEAK Profile Manager and
the Internet Explorer Customization wizard. The IEAK
Profile Manager records specific profile data in an .ins
file stored on a network server. When changes to the
browser configuration are detected in the .ins file, both
the registry and any necessary local files are updated at
the client computer. Updates can occur on a
predetermined schedule or the next time the browser is
started.
For Internet Explorer to detect and apply configuration
changes from the .ins file, you must configure Internet
Explorer with the Automatically detect settings option.
This setting can also be configured in the Internet
Explorer Customization wizard.
Note: You can download the IEAK at
www.microsoft.com/ windows/ieak/ .
Lab A: Securing the Internal Network When
Accessing the Internet
Objectives
After completing this lab, you will be able to:
Plan and manage which protocols, computers, and
users are allowed to access the Internet.
Protect network resources by hiding internal addressing
schemes.
Prerequisites
Before working on this lab, you must have:
Knowledge of the design decisions required to address
security threats introduced by the Internet.
Knowledge of Proxy Server and DNS namespaces.
Northwind Traders is a well-established, but relatively
low-technology, Denver trading company specializing
in catalog sales. In this lab, you will design a solution
to secure Northwind Traders' network as the
organization allows Internet access from within its
private network.
You will work with a partner to complete the exercises.
Each exercise describes a particular aspect of the
design.
Review the scenario, and read the goals and any criteria
for each exercise. Answer any questions and give your
reasons for your answers. Be prepared to discuss your
responses and explain how you reached your
conclusions.
Exercise 1: Identifying Threats Introduced from the Internet
In this exercise, you will identify security threats that
are introduced as Northwind Traders opens its LAN and
allows Internet access from within its private network.
Scenario
Before providing Internet access from the internal
network, most employees used modems on their
desktops for accessing the Internet. Several of these
modems are still installed.
There are currently no restrictions on the type of
network protocols available to access the Internet.
Northwind Traders has recently suffered three separate
virus attacks that can be traced to Internet access.
Exercise 2: Managing Access to the Internet
In this exercise, you will design a plan that addresses
security threats introduced when Northwind Traders
began accessing the Internet from within its private
network. To design the plan, you will restrict which
protocols, computers, and users can access the
Internet.
Your task is to use your firewall and Proxy Servers to
secure the network by managing employee access to
the Internet. You will limit exactly what type of content
can be accessed from the internal network. You also
want full auditing of all Internet access for an
acceptable usage policy that has been established. You
must accomplish your work without exposing the
internal structure or compromising the internal network.
Scenario
All modems at user desktop computers have been
removed from the Northwind Traders network. The
following diagram shows the network infrastructure
recommended by a network consultant. This network
infrastructure will allow internal clients to securely
access the Internet.
Criteria
The following criteria need to be satisfied for the internal clients accessing
the Internet:
You need to plan which protocols, computers, and users are allowed to
access the Internet.
You need to provide Internet access to employees in the corporate office
without compromising internal network resources.
You have been directed to allow Internet access only to full-time employees.
You will allow only Proxy Servers to navigate outside of the private network.
All other internal access (unless explicitly defined) will be disallowed.
Northwind Traders is using nwtraders.msft on both the internal and external
networks. You must design DNS to protect all internal addresses in DNS.
You need to restrict the Mail server to provide SMTP services only for internal
network users.
You must implement virus protection to protect against further virus attacks
within the internal network.
Review
Protecting Internal Network Resources
Planning Internet Usage Policies
Managing Internet Access Through Proxy Server
Configuration
Managing Internet Access Through Client-side
Configuration