SECURING A NETWORK INFRASTRUCTURE
Chapter 7
OVERVIEW
List the criteria for selecting operating systems for network servers and workstations.
List the default security settings for the Microsoft Windows Server 2003 and Microsoft Windows XP Professional operating systems.
Describe the problems inherent in keeping the software on a large network installation updated.
Use Microsoft Baseline Security Analyzer (MBSA).
Use Microsoft Software Update Services (SUS).
Describe the security problems inherent in wireless networking.
List the mechanisms that Windows-based IEEE 802.11 WLANs can use to authenticate clients and encrypt transmitted data.
Determine the security requirements of your remote access installation.
Control remote access with user account properties.
Create remote access policies.
SELECTING COMPUTERS AND OPERATING SYSTEMS
Purchase and use of computer systems should be governed by policies.
Policies should dictate which operating systems are used for different purposes.
Policies should dictate which hardware is purchased for different purposes.
UNDERSTANDING COMPUTER ROLES
Server Role
Desktop workstation role
Portable workstation role
UNDERSTANDING THE SERVER ROLE
Servers can perform a number of different roles.
Each role places different demands on the underlying hardware and operating system software.
Some roles require additional hardware: a server that is used for backups requires a connection to a tape drive or some other storage device.
Server systems often include fault-tolerant measures.
UNDERSTANDING THE DESKTOP WORKSTATION’S ROLE
Workstation hardware is generally less powerful than server hardware.
Workstation hardware typically does not include fault-tolerant measures.
Some applications, such as computer-aided design (CAD), video and sound editing, and geographic mapping, require very high-performance hardware.
UNDERSTANDING THE PORTABLE WORKSTATION’S ROLE
Portable workstations can include laptops, notebooks, PDAs, and tablet PCs.
Portable workstations have different hardware and configuration requirements from desktop workstations.
Some users may have a desktop workstation and one or more portable workstations.
Portable workstations create additional security concerns since they can be moved both within and outside of the physical security perimeter.
CREATING HARDWARE SPECIFICATIONS
Server hardware specifications
Desktop hardware specifications
Portable hardware specifications
SERVER HARDWARE SPECIFICATIONS
Create a hardware specification based on the applications that the server will host.
Use company information such as expected increases in personnel or customer activity when creating the specification.
Factor a reasonable growth margin into the specification.
Consider the ease of future upgrades to preserve investment.
DESKTOP HARDWARE SPECIFICATIONS
Specify a base hardware configuration that supports most users.
Create additional specifications as needed to accommodate special requirements.
Where possible, use a small number of standard configurations.
Standardized hardware provides many advantages in terms of support.
PORTABLE HARDWARE SPECIFICATIONS
Different types of portable hardware have different hardware requirements.
Many portable computing devices use proprietary technologies.
As with desktop workstations, keep the number of standard configurations to a minimum.
SELECTING OPERATING SYSTEMS
When selecting operating systems, you must consider the following:
Application compatibility: The operating system you select must support the application software needed by the organization.
Support issues: Familiarity with operating systems decreases training costs and improves technical support service.
Security features: In highly secure environments, operating systems with advanced security features should be chosen.
Cost: Operating system software represents a significant investment, and the availability of funds for software purchases must be considered.
CHOOSING WORKSTATION OPERATING SYSTEMS
CHOOSING SERVER OPERATING SYSTEMS
IDENTIFYING CLIENT AND SERVER DEFAULT SECURITY SETTINGS
Operating systems install with a default set of security settings.
These settings should be evaluated to determine whether they satisfy security requirements.
Windows Server 2003 is designed to be more secure in a default installation than are previous versions of Windows.
EVALUATING SECURITY SETTINGS
File System permissions
Share permissions
Registry permissions
Active Directory permissions
Account Policy settings
Audit policies
FILE SYSTEM PERMISSIONS
NTFS Folder Permission: Enables the User or Group To
Full Control: Change file/folder permissions, take ownership of files/folders, and delete subfolders and files, plus perform the actions permitted by all of the other NTFS permissions.
Modify: Modify or delete a file/folder, plus perform all actions permitted by the Write permission and the Read & Execute permission.
Read & Execute: Run applications; browse through folders to reach other files and folders, even if the user does not have permission to access those files/folders; and perform all actions permitted by the Read permission and the List Folder Contents permission.
List Folder Contents: See the names of files and subfolders in a folder.
Read: Read a file; see the files and subfolders in a folder; and view a file or folder’s ownership, permissions, and file system attributes (such as Read-only, Hidden, Archive, and System).
Write: Overwrite a file, create new files and subfolders within a folder, change a file or folder’s attributes, and view the file or folder’s ownership and permissions.
SHARE PERMISSIONS
Shared Folder Permission: Enables the User or Group To
Read: View file names and subfolder names, view data in files, traverse to subfolders, and run programs.
Change: Add files and subfolders to the shared folder, change data in files, delete subfolders and files, plus perform all actions permitted by the Read permission.
Full Control: Change file permissions (NTFS only), take ownership of files (NTFS only), and perform all tasks permitted by the Change permission.
REGISTRY PERMISSIONS
ACTIVE DIRECTORY PERMISSIONS
Active Directory has over 25 standard permissions and 67 special permissions.
The following default permission assignments are made to cover most requirements:
Enterprise Admins: Receives the Full Control permission for the entire forest.
Domain Admins and Administrators: Receive a selection of permissions that enables them to perform Active Directory object maintenance tasks within their domain.
Authenticated Users: Receives the Read permission for the entire domain, plus a small selection of very specific Modify permissions.
ACCOUNT POLICY SETTINGS
AUDIT POLICIES
PLANNING A SECURITY UPDATE INFRASTRUCTURE
Understanding software update practices
Using Windows Update
Updating a network
UNDERSTANDING SOFTWARE UPDATE PRACTICES
Microsoft distributes software updates in two forms:
Service pack: A collection of patches and updates that have been tested as a single unit.
Hotfix: A small patch designed to address a specific issue.
Microsoft recommends that service packs be installed on all applicable systems. Hotfixes should only be applied to systems that are experiencing a specific problem.
USING WINDOWS UPDATE
UPDATING A NETWORK
Updating PCs on a network presents many challenges to the administrator.
A network security update infrastructure is a series of policies that are designed to help the administrator manage software and security updates on the network.
The security update infrastructure should specify procedures for the identification, testing, and deployment of software updates.
USING MBSA
TESTING SECURITY UPDATES
All updates, including those related to security, should be tested before they are implemented.
If possible, use a test system with a configuration similar to that of the system on which the update will be applied.
If a test system is not available, updates should be deployed progressively, and systems with the updates should be closely monitored.
USING MICROSOFT SOFTWARE UPDATE SERVICES
SECURING A WIRELESS NETWORK
Wireless networks are becoming increasingly popular as related hardware becomes more affordable, and companies begin to realize the flexibility that wireless networks offer.
Wireless networks present more and different security challenges than their wired counterparts.
UNDERSTANDING WIRELESS NETWORKING STANDARDS
Wireless networking standards are developed and ratified by the Institute of Electrical and Electronics Engineers (IEEE).
Three standards have been defined:
802.11b: The current standard. Offers speeds up to 11 Mbps.
802.11a: In development. Uses different frequency ranges than 802.11b. Offers speeds up to 54 Mbps.
802.11g: Uses the same frequency ranges as 802.11b. Offers speeds up to 54 Mbps.
WIRELESS NETWORKING TOPOLOGIES
UNDERSTANDING WIRELESS NETWORK SECURITY
Wireless networking presents security risks that are not present when using traditional wired networks.
Logical security becomes a paramount concern, because physical security measures are not necessarily preventive.
Two main concerns when using wireless networks are unauthorized access and data interception.
CONTROLLING WIRELESS ACCESS USING GROUP POLICIES
AUTHENTICATING USERS
Open system authentication
Shared key authentication
IEEE 802.1x authentication
OPEN SYSTEM AUTHENTICATION
The default authentication method used by IEEE 802.11 devices.
Despite the name, it offers no actual authentication.
A device configured to use Open System authentication will not refuse authentication to another device.
SHARED KEY AUTHENTICATION
Devices authenticate each other using a secret key that both possess.
The key is shared before authentication using a secure channel.
All the computers in the same BSS must possess the same key.
IEEE 802.1X AUTHENTICATION
The IEEE 802.1x standard defines a method of authenticating and authorizing users on any 802 LAN.
Most IEEE 802.1x implementations use Remote Authentication Dial-In User Service (RADIUS) servers.
RADIUS typically uses one of the following two authentication protocols:
Extensible Authentication Protocol-Transport Level Security (EAP-TLS)
Protected EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2)
ENCRYPTING WIRELESS TRAFFIC
The IEEE 802.11 standard uses an encryption mechanism called Wired Equivalent Privacy (WEP) to secure data while in transit.
WEP uses the RC4 cryptographic algorithm developed by RSA Security, Inc.
WEP allows the key length, as well as the frequency with which the systems generate new keys, to be configured.
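The following sketch is an added example, not material from the original slides. It shows how WEP combines a 3-byte initialization vector (IV) with the configured secret to seed RC4, and how the CRC-32 integrity check value (ICV) is appended before encryption. It is simplified: the key ID byte and 802.11 headers are omitted, and the function names are hypothetical.

```python
import struct
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher: key scheduling, then XOR data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                          # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)

def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV || RC4(IV || secret, plaintext || ICV)."""
    if len(secret) not in (5, 13) or len(iv) != 3:
        raise ValueError("WEP secret is 5 or 13 bytes; IV is 3 bytes")
    return iv + rc4(iv + secret, plaintext + icv(plaintext))

def wep_decrypt(secret: bytes, frame: bytes) -> bytes:
    """Recover the plaintext and verify the ICV; the IV is read from the frame."""
    iv, body = frame[:3], frame[3:]
    clear = rc4(iv + secret, body)
    data, received_icv = clear[:-4], clear[-4:]
    if icv(data) != received_icv:
        raise ValueError("ICV mismatch: wrong key or corrupted frame")
    return data

def advertised_bits(secret: bytes) -> int:
    """'64-bit' and '128-bit' WEP count the 24-bit IV, which is sent in the clear."""
    return (len(secret) + 3) * 8

if __name__ == "__main__":
    frame = wep_encrypt(b"AbCdE", b"\x00\x00\x01", b"constructed payload")
    print(frame.hex(), wep_decrypt(b"AbCdE", frame))
```

When you evaluate the key length setting, note that only 40 or 104 bits of each per-packet RC4 key are secret; the remaining 24 bits travel unencrypted at the front of every frame.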
SECURING REMOTE ACCESS
Determining security requirements
Controlling access using dial-in properties
Planning authentication
Using remote access policies
DETERMINING SECURITY REQUIREMENTS
Which users require remote access?
Do users require different levels of remote access?
Do users need access to the entire network?
What applications must users run?
CONTROLLING ACCESS USING DIAL-IN PROPERTIES
PLANNING AUTHENTICATION
USING RADIUS
Windows Server 2003 with IAS can be a RADIUS server or a RADIUS proxy.
When configured as a RADIUS server, the computer receiving the authentication request will process and authorize the connection request.
When configured as a RADIUS proxy, the authentication request is forwarded to the configured RADIUS server.
SELECTING AN AUTHENTICATION PROTOCOL
USING REMOTE ACCESS POLICIES
Sets of conditions that users must meet before RRAS authorizes them to access the server or the network
Can be configured to limit user access based on group memberships, day and time restrictions, and many other criteria
Can specify what authentication protocol, and what type of encryption clients must use
Policies can be created based on type of connection, such as dial-up, VPN, or wireless
REMOTE ACCESS POLICY COMPONENTS
Conditions: Specific attributes that the policy uses to grant or deny authorization to a user. If more than one condition is defined, the user must meet all the conditions before the server can grant access.
Remote access permission: Defines whether the user is allowed to connect to the system through a remote access connection.
Remote access profile: A set of attributes applied to a client once it has been authenticated and authorized.
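The following simplified model is an added example, not code from the original slides or from RRAS/IAS. It shows how the three components interact: every condition must match, the permission then grants or denies, and the profile constrains the connection. The class names, field names, and sample policies are hypothetical, and it assumes policies are tried in list order with the first match deciding the outcome.

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Request:                      # constructed connection attempt
    groups: set
    conn_type: str                  # "dial-up", "vpn" or "wireless"
    when: datetime
    auth_protocol: str
    encryption_bits: int

@dataclass
class Policy:
    name: str
    conditions: list                # callables Request -> bool; ALL must hold
    grant: bool                     # remote access permission
    profile: dict = field(default_factory=dict)

def in_group(g): return lambda r: g in r.groups
def conn_is(t): return lambda r: r.conn_type == t
def weekdays(start, end):           # Monday to Friday, start <= hour < end
    return lambda r: r.when.weekday() < 5 and start <= r.when.hour < end

def evaluate(policies, req):
    """Return (allowed, reason). Assumption: policies are tried in list
    order and the first one whose conditions all match decides."""
    for p in policies:
        if not all(cond(req) for cond in p.conditions):
            continue                # one failed condition: policy does not apply
        if not p.grant:
            return False, f"{p.name}: permission denied"
        protocols = p.profile.get("auth_protocols")
        if protocols and req.auth_protocol not in protocols:
            return False, f"{p.name}: authentication protocol refused"
        if req.encryption_bits < p.profile.get("min_encryption_bits", 0):
            return False, f"{p.name}: encryption too weak"
        return True, f"{p.name}: granted"
    return False, "no matching policy"

POLICIES = [                        # constructed sample policies
    Policy("Contractor dial-up", [in_group("Contractors"), conn_is("dial-up")],
           grant=False),
    Policy("Staff VPN", [in_group("RemoteStaff"), conn_is("vpn"), weekdays(7, 19)],
           grant=True,
           profile={"auth_protocols": {"EAP-TLS", "PEAP-MS-CHAP v2"},
                    "min_encryption_bits": 128}),
]

if __name__ == "__main__":
    tuesday = datetime(2024, 1, 2, 10, 0)
    print(evaluate(POLICIES, Request({"RemoteStaff"}, "vpn", tuesday, "EAP-TLS", 128)))
```

A request that matches no policy is refused, so the model fails closed; the per-user dial-in properties covered earlier in the chapter are not modeled here.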
CREATING REMOTE ACCESS POLICIES
CHAPTER SUMMARY
When selecting operating systems for servers, you can choose the platform best suited to the server’s role. When selecting workstation operating systems, standardization takes precedence over specialization.
When you install Windows Server 2003 or Windows XP Professional, the operating system Setup program configures a number of security settings with default values that you can either keep or modify.
Microsoft releases updates for its operating systems and applications. Major updates are called service packs. Individual updates are called hotfixes.
MBSA is a tool that scans computers on a network and examines them for security vulnerabilities.
SUS is a tool that streamlines the approval and implementation of software updates.
Most wireless LANs today are based on the 802.11 standards published by the IEEE. WLANs present additional security risks over wired networks.
To secure a wireless network, you must authenticate the clients before they are granted network access, and encrypt all packets transmitted over the wireless link.
To determine the security requirements you need for your remote access server, determine which users need access and what type of access they need.
Remote access policies are sets of conditions that must be met by remote clients attempting to connect to the Routing and Remote Access server.