11 securing a network infrastructure chapter 7. chapter 7: securing a network infrastructure2...

11

SECURING A NETWORK INFRASTRUCTURE

Chapter 7

Chapter 7: SECURING A NETWORK INFRASTRUCTURE 2

OVERVIEW

List the criteria for selecting operating systems for network servers and workstations.

List the default security settings for the Microsoft Windows Server 2003 and Microsoft Windows XP Professional operating systems.

Describe the problems inherent in keeping the software on a large network installation updated.

Use Microsoft Baseline Security Analyzer (MBSA).


OVERVIEW (continued)

Use Microsoft Software Update Services (SUS).

Describe the security problems inherent in wireless networking.

List the mechanisms that Windows-based IEEE 802.11 WLANs can use to authenticate clients and encrypt transmitted data.

Determine the security requirements of your remote access installation.

Control remote access with user account properties.

Create remote access policies.


SELECTING COMPUTERS AND OPERATING SYSTEMS

Purchase and use of computer systems should be governed by policies.

Policies should dictate which operating systems are used for different purposes.

Policies should dictate which hardware is purchased for different purposes.


UNDERSTANDING COMPUTER ROLES

Server Role

Desktop workstation role

Portable workstation role


UNDERSTANDING THE SERVER ROLE

Servers can perform a number of different roles.

Each role places different demands on the underlying hardware and operating system software.

Some roles require additional hardware: a server that is used for backups requires a connection to a tape drive or some other storage device.

Server systems often include fault-tolerant measures.


UNDERSTANDING THE DESKTOP WORKSTATION’S ROLE

Workstation hardware is generally less powerful than server hardware.

Workstation hardware typically does not include fault-tolerant measures.

Some applications, such as computer-aided design (CAD), video and sound editing, and geographic mapping, require very high-performance hardware.


UNDERSTANDING THE PORTABLE WORKSTATION’S ROLE

Portable workstations can include laptops, notebooks, PDAs, and tablet PCs.

Portable workstations have different hardware and configuration requirements from desktop workstations.

Some users may have a desktop workstation and one or more portable workstations.

Portable workstations create additional security concerns since they can be moved both within and outside of the physical security perimeter.


CREATING HARDWARE SPECIFICATIONS

Server hardware specifications

Desktop hardware specifications

Portable hardware specifications


SERVER HARDWARE SPECIFICATIONS

Create a hardware specification based on the applications that the server will host.

Use company information such as expected increases in personnel or customer activity when creating the specification.

Factor a reasonable growth margin into the specification.

Consider the ease of future upgrades to preserve investment.


DESKTOP HARDWARE SPECIFICATIONS

Specify a base hardware configuration that supports most users.

Create additional specifications as needed to accommodate special requirements.

Where possible, use a small number of standard configurations.

Standardized hardware provides many advantages in terms of support.


PORTABLE HARDWARE SPECIFICATIONS

Different types of portable hardware have different hardware requirements.

Many portable computing devices use proprietary technologies.

As with desktop workstations, keep the number of standard configurations to a minimum.


SELECTING OPERATING SYSTEMS

When selecting operating systems, you must consider the following: Application compatibility The operating system

you select must support the application software needed by the organization.

Support issues Familiarity with operating systems decreases training costs and improves technical support service.

Security features In highly secure environments, operating systems with advanced security features should be chosen.

Cost Operating system software represents a significant investment, and the availability of funds for software purchases must be considered.


CHOOSING WORKSTATION OPERATING SYSTEMS


CHOOSING SERVER OPERATING SYSTEMS


IDENTIFYING CLIENT AND SERVER DEFAULT SECURITY SETTINGS

Operating systems install with a default set of security settings.

These settings should be evaluated to determine whether they satisfy security requirements.

Windows Server 2003 is designed to be more secure in a default installation than are previous versions of Windows.


EVALUATING SECURITY SETTINGS

File System permissions

Share permissions

Registry permissions

Active Directory permissions

Account Policy settings

Audit policies


FILE SYSTEM PERMISSIONS

file or folder’s ownership, permissions, and file system attributes

NNTTFFSS FFoollddeerr PPeerrmmiissssiioonn EEnnaabblleess tthhee UUsseerr oorr GGrroouupp TToo

Full Control Change file/folder permissions, take ownership of files/folders,and delete subfolders and files, plus perform the actionspermitted by all of the other NTFS permissions.

Modify Modify or delete a file/folder, plus perform all actions permittedby the Write permission and the Read & Execute permission.

Read & ExecuteRun applications; browse through folders to reach other filesand folders, even if the user does not have permission to accessthose files/folders; and perform all actions permitted by theRead permission and the List Folder Contents permission.

List Folder ContentsSee the names of files and subfolders in a folder.

Read Read a file; see the files and subfolders in a folder; and view a

(such as Read-only, Hidden, Archive, and System).

Write Overwrite a file, create new files and subfolders within a folder,change a file or folder’s attributes, and view the file or folder’s

ownership and permissions.


SHARE PERMISSIONS

SShhaarreedd FFoollddeerrPPeerrmmiissssiioonn EEnnaabblleess tthhee UUsseerr oorr GGrroouupp TToo

Read View file names and subfolder names, view datain files, traverse to subfolders, and run programs.

Change Add files and subfolders to the shared folder,change data in files, delete subfolders and files,plus perform all actions permitted by the Read

permission.

Full ControlChange file permissions (NTFS only), takeownership of files (NTFS only), and perform alltasks permitted by the Change permission.


REGISTRY PERMISSIONS


ACTIVE DIRECTORY PERMISSIONS

Active Directory has over 25 standard permissions and 67 special permissions.

The following default permission assignments are made to cover most requirements: Enterprise Admins Receives the Full Control

permission for the entire forest Domain Admins and Administrators Receives

a selection of permissions that enables him or her to perform Active Directory object maintenance tasks within their domain

Authenticated Users Receives the Read permission for the entire domain, plus a small selection of very specific Modify permissions


ACCOUNT POLICY SETTINGS


AUDIT POLICIES


PLANNING A SECURITY UPDATE INFRASTRUCTURE

Understanding software update practices

Using Windows Update

Updating a network


UNDERSTANDING SOFTWARE UPDATE PRACTICES

Microsoft distributes software updates in two forms: Service pack A collection of patches and

updates that have been tested as a single unit

Hotfix A small patch designed to address a specific issue

Microsoft recommends that service packs are installed on all applicable systems. Hotfixes should only be applied to systems that are experiencing a specific problem.


USING WINDOWS UPDATE


UPDATING A NETWORK

Updating PCs on a network presents many challenges to the administrator.

A network security update infrastructure is a series of policies that are designed to help the administrator manage software and security updates on the network.

The security update infrastructure should specify procedures for the identification, testing, and deployment of software updates.


USING MBSA


TESTING SECURITY UPDATES

All updates, including those related to security, should be tested before they are implemented.

If possible, use a test system with a configuration similar to that of the system on which the update will be applied.

If a test system is not available, updates should be deployed progressively, and systems with the updates should be closely monitored.


USING MICROSOFT SOFTWARE UPDATE SERVICES


SECURING A WIRELESS NETWORK

Wireless networks are becoming increasingly popular as related hardware becomes more affordable, and companies begin to realize the flexibility that wireless networks offer.

Wireless networks present more and different security challenges than their wired counterparts.


UNDERSTANDING WIRELESS NETWORKING STANDARDS

Wireless networking standards are developed and ratified by the Institute of Electrical and Electronics Engineers (IEEE).

Three standard have been defined: 802.11b The current standard. Offers speeds

up to 11 Mbps.

802.11a In development. Uses different frequency ranges than 802.11b. Offers speeds up to 54 Mbps.

802.11g Uses the same frequency ranges as 802.11b. Offers speeds up to 54 Mbps.


WIRELESS NETWORKING TOPOLOGIES


UNDERSTANDING WIRELESS NETWORK SECURITY

Wireless networking presents security risks that are not present when using traditional wired networks.

Logical security becomes of paramount concern, as physical security measures are not necessarily preventative.

Two main concerns when using wireless networks are unauthorized access and data interception.


CONTROLLING WIRELESS ACCESS USING GROUP POLICIES


AUTHENTICATING USERS

Open system authentication

Shared key authentication

IEEE 802.1x authentication


OPEN SYSTEM AUTHENTICATION

The default authentication method used by IEEE 802.11 devices.

Despite the name, it offers no actual authentication.

A device configured to use Open System authentication will not refuse authentication to another device.


SHARED KEY AUTHENTICATION

Devices authenticate each other using a secret key that both possess.

The key is shared before authentication using a secure channel.

All the computers in the same BSS must possess the same key.


IEEE 802.1X AUTHENTICATION

The IEEE 802.1x standard defines a method of authenticating and authorizing users on any 802 LAN.

Most IEEE 802.1x implementations use Remote Authentication Dial-In User Service (RADIUS) servers.

RADIUS typically uses one of the following two authentication protocols: Extensible Authentication Protocol-Transport

Level Security (EAP-TLS) Protected EAP-Microsoft Challenge Handshake

Authentication Protocol version 2 (PEAP-MS-CHAP v2)


ENCRYPTING WIRELESS TRAFFIC

The IEEE 802.11 standard uses an encryption mechanism called Wired Equivalent Privacy (WEP) to secure data while in transit.

WEP uses the RC4 cryptographic algorithm developed by RSA Security, Inc.

WEP allows the key length, as well as the frequency with which the systems generate new keys, to be configured.


SECURING REMOTE ACCESS

Determining security requirements

Controlling access using dial-in properties

Planning authentication

Using remote access policies


DETERMINING SECURITY REQUIREMENTS

Which users require remote access?

Do users require different levels of remote access?

Do users need access to the entire network?

What applications must users run?


CONTROLLING ACCESS USING DIAL-IN PROPERTIES


PLANNING AUTHENTICATION


USING RADIUS

Windows Server 2003 with IAS can be a RADIUS server or a RADIUS proxy.

When configured as a RADIUS server, the computer receiving the authentication request will process and authorize the connection request.

When configured as a RADIUS proxy, the authenti-cation request is forwarded to the configured RADIUS server.


SELECTING AN AUTHENTICATION PROTOCOL


USING REMOTE ACCESS POLICIES

Sets of conditions that users must meet before RRAS authorizes them to access the server or the network

Can be configured to limit user access based on group memberships, day and time restrictions, and many other criteria

Can specify what authentication protocol, and what type of encryption clients must use

Policies can be created based on type of connection, such as dial-up, VPN, or wireless


REMOTE ACCESS POLICY COMPONENTS

Conditions Specific attributes that the policy uses to grant or

deny authorization to a user. If more than one condition is defined, the user must meet all the conditions before the server can grant access.

Remote access permission Defines whether the user is allowed to connect to

the system through a remote access connection.

Remote access profile A set of attributes applied to a client once it has

been authenticated and authorized.


CREATING REMOTE ACCESS POLICIES


CHAPTER SUMMARY

When selecting operating systems for servers, you can choose the platform best suited to the server’s role. When selecting workstation operating systems, standardization takes precedence over specialization.

When you install Windows Server 2003 or Windows XP Professional, the operating system Setup program configures a number of security settings with default values that you can either keep or modify.

Microsoft releases updates for its operating systems and applications. Major updates are called service packs. Individual updates are called hotfixes.

MBSA is a tool that scans computers on a network and examines them for security vulnerabilities.


CHAPTER SUMMARY (continued)

SUS is a tool that streamlines the approval and implementation of software updates.

Most wireless LANs today are based on the 802.11 standards published by the IEEE. WLANs present additional security risks over wired networks.

To secure a wireless network, you must authenticate the clients before they are granted network access, and encrypt all packets transmitted over the wireless link.

To determine the security requirements you need for your remote access server, determine which users need access and what type of access they need.

Remote access policies are sets of conditions that must be met by remote clients attempting to connect to the Routing and Remote Access server.

11 securing a network infrastructure chapter 7. chapter 7: securing a network infrastructure2...

Documents

different hardware

additional hardware

underlying hardware

highperformance hardware

base hardware configuration

network servers

server systems

large network installation