How to Revoke Certificates

Requirements for the certificate process Certificate enrollment is the process that is used for requesting and receiving a certificate from a CA. For the certificate process to function correctly, you must Configure permissions to establish which security principals have Enroll permissions for specific templates. Appoint a certificate manager who reviews each certificate request and issues or denies the request. There are various methods for enrolling certificates. You can either process the...

Your instructor will demonstrate how to migrate to new certificates

*****************************illegal for non trainer use ****************************** Introduction Sometimes, a user might want to migrate to using a new certificate or a new key for EFS after a period of time. For example, a user might want to use a new certificate when the user has been using EFS in a standalone environment and subsequently becomes a member of a domain. You can determine a user's certificate by looking in the registry under EFS\CurrentKeys\CertificateHash. The value of the...

Your instructor will demonstrate how to create a password reset disk

Windows 2000 was the first client operating system that supported EFS. One potential problem with EFS in a standalone environment is the Windows 2000 requirement for a DRA. The default DRA in Windows 2000 is the local administrator account. Anyone who can log on as an administrator can decrypt all the files on the computer. As mentioned earlier, Windows XP and Windows Server 2003 do not require a DRA for encryption, thereby reducing the number of users who can access an encrypted file. Windows...

Differences Between Administrative Templates and Security Templates

Is a file representation of a security configuration Controls what configuration choices the administrator sees Is easily edited with the Security Templates snap-in No special editing tool exists, so these templates are edited with a text editor Only contains certain specific security settings. Settings cannot be added to security templates Contain certain registry settings by default, but can be modified to allow configuration of any registry setting through GPOs Each template is a single...

EFS

Provides file-level encryption for files created on NTFS volumes Ensures that sensitive or confidential data is more secure and cannot be easily read or decrypted by another user Uses a public private key pair system that is universally unique to a specific security principal to encrypt a file Introduction Authentication and secure file systems are useful security measures in an organization, but if an...

Guidelines for Planning an IAS Infrastructure

Determine the role of IAS as a RADIUS server Determine the availability requirements Introduction Remote Authentication Dial-In User Service (RADIUS) is a widely deployed protocol enabling centralized authentication, authorization, and accounting for network access. The Internet Authentication Service (IAS) in Windows Server 2003 is the Microsoft implementation of a RADIUS Server and Proxy. Planning and...

Lesson Implementing EFS File Sharing

How to Share Encrypted Files Among Multiple Users Effects of Moving or Copying Encrypted Files Between Locations This lesson introduces students to EFS file sharing. Using encrypted files is a great way to protect your data while still sharing it with other authorized users on your computer or file servers. Describe the purpose of EFS file sharing. Demonstrate the procedure for enabling file sharing. Ensure that the security principal that will be used for file sharing has an EFS certificate so...

Troubleshooting Steps for IAS Authentication

To troubleshoot some common problems, verify that The wireless AP can reach the IAS servers Each IAS server wireless AP pair is configured with a common shared secret The IAS servers can reach a global catalog server and an Active Directory domain controller The computer accounts of the IAS servers are members of the RAS and IAS Servers group for the appropriate domains The user account has not been locked out by remote access account lockout...

In this practice you will configure the LAT on ISA Server

In this practice, you will add new address ranges to the Local Address Table. You must be logged on with an account that is a member of Domain Admins. Your organization has opened two new branch locations and has plans to open three more locations in the near future. Each branch office will use the ISA Server computer at the headquarters to provide access to the Internet. Each branch office administrator has been instructed to use a reserved private IP address range for the computers at that...

Loopback with Merge

Introduction The Group Policy objects that apply to the user or computer depend on where both the user and the computer objects are located in the Active Directory directory service. However, in some cases, users may need policies applied to them based on the location of the computer object alone. For example, you might want the desktop configuration to be the same regardless of who logs on. You can use the...

Group Scopes

Each group in Windows Server 2003 has a scope attribute, which determines which security principals can be members of the group and where you can use that group in a multi-domain or multi-forest environment. Types of group scopes Windows Server 2003 supports the following group scopes Local Groups. Reside on member servers and client computers. Use a local group to grant access to local resources on the computer where they reside. Local groups are generally used in a non-domain environment....

Lesson Managing Certificates

This lesson introduces students to data and key recovery, the file formats that a PKI uses to export and import certificates, and the key archival and recovery process. Students will also learn about the guidelines for securing the key archival and recovery process. Key Recovery Overview The Windows XP and Windows Server 2003 operating systems support key recovery and data recovery. Tell students to use data recovery when they want to recover data, but not when they want to access the...

Tools for Troubleshooting Authentication Problems

Displays Kerberos ticket information Allows you to view and purge the ticket cache Lets you view and delete Kerberos tickets granted to the current logon session Creates, lists, and deletes stored user names and passwords or credentials Introduction Determining the cause of an authentication failure, with the exception of a bad password, can sometimes be difficult. For example, it might be difficult to...

Lesson Planning a Remote Access Strategy

Guidelines for Determining Hardware Requirements for Remote Access Components and Features Provided by an ISP Guidelines for Deploying Remote Access Servers Techniques for Creating Routing Entries on VPN Clients Attributes for Remote Access Connection Conditions Guidelines for Creating Highly Available Remote Access Solutions Introduction In this lesson, you will learn how to plan a remote access strategy...

Techniques for Creating Routing Entries on VPN Clients

Create a default route on the VPN or dial-up client The client adds a default route to its routing table The new default route points to the new connection You can configure the client's routing table with specific routes that direct packets to the organization's network over the VPN connection While connected to the intranet, the client can obtain Internet access using the existing default route over the connection to the ISP...

Is the implementation of an organization's security policy

Security mechanisms in a trusted computing base A trusted computing base is the total combination of protection mechanisms in a computer system. It includes detailed security requirements for all elements of an organization's computing environment. The computing base is considered trusted because it provides the most secure computing environment that an organization can provide, given the knowledge and abilities that the organization possesses. A trusted computing base is the implementation of...

ISA Server Packet Filtering and Routing

Allow or block IP packets that are destined for the ISA Server computer Block packets that originate from your internal network Route all traffic between the Internet and your internal network Introduction You can control the flow of IP packets to and from the external network interface of an ISA Server computer by using packet filtering and IP routing. IP packet filtering By using packet filtering, you can...

Considerations for Choosing a Remote Access Authentication Protocol

Requires passwords that are stored by using reversible encryption Is compatible with Macintosh and UNIX-based remote Does not require that passwords be stored by using reversible encryption Encrypts data Data is encrypted by using separate session keys for Most secure remote authentication protocol Enables multifactor authentication A token-based authentication method that uses EAP...

Data Encryption for Remote Access

Data is encrypted only on the link between the VPN client and the VPN server Encrypts the data between the source host and the destination host Is set through the remote access policies that determine the parameter of PPTP and L2TP connections on the server Introduction When implementing remote access, always protect your data by encrypting it between the VPN client and the VPN server. There is always a...

Update Management Life Cycle

Review each computer to ensure that each update was deployed correctly and that all procedures ran correctly The update management life cycle involves six phases. The steps are analyzing, planning, testing, deploying, monitoring, and reviewing. As an ongoing process, you need to ensure that you are up to date on updates. In some cases, a new update will be released that you will need to install on all your servers. In other cases, a new server brought online will need to be patched...

Practice Enabling File Sharing in EFS

Add another user to the EFS recovery field in Windows Explorer In this practice, you will encrypt a file by using EFS and add another user to the EFS recovery field in Windows Explorer. You are a user in your organization. You need to add the certificates of other users to a file that you encrypted so that they can decrypt the file when needed. You will then copy the file to a server location to see the effects on EFS for an account that is sensitive and is not trusted for delegation. 1. Log...

ISA Server Modes

Improves network performance and saves bandwidth by storing frequently accessed Web objects closer to the user Routes requests from clients to a cache server that holds the cached objects Secures network traffic by configuring rules that control communication between an internal network and the Internet Allows you to publish internal servers, which enables you to share data on its network with partners or customers Enables you to combine the firewall and cache services on a single host computer...

Your instructor will demonstrate how to configure RAS lockout

Introduction To prevent dictionary attacks on password-based remote server accounts, you can use remote access account lockout to minimize the possibility of a successful attack. Procedure You can configure remote access account lockout by configuring the registry Note It is important to note that RAS account lockout is not related to the account lockout policy for domain or local user accounts. To enable...

Components of a naming convention

GG for global group, UN for universal group, DLG for domain local group Introduction Using a non-intuitive naming convention for groups could potentially lead to a security compromise in your organization. For example, if you named three global groups Group1, Group2, and Group3, a resource owner might not know which group contains the users who need access to the resource. Without an intuitive naming...

What Is EFS? How EFS Works

Introduction An intruder who has physical access to a computer can install a new operating system, bypass the security of the existing operating system, and expose sensitive data. You can add another layer of security to existing file system security by encrypting these files with Encrypting File System (EFS). When the files are encrypted, the data is protected even if an intruder has full access to the...

Configuring a VPN Server and VPN Connection

In this exercise, you will configure the 2823_Member1 virtual machine as a VPN server. You will then configure the 2823_Server1 virtual machine to connect to the VPN. Ensure the 2823_DC1, 2823_Member1, 2823_Server1, and 2823_Client1 virtual machines are started. Perform tasks from the 2823_Client1 virtual machine as the user Don Hall unless otherwise directed. Don Hall's username is donh@cohovineyard.com and his password is P@ssw0rd. Don Hall does not have any administrative rights. Perform all...

Your instructor will demonstrate how to create a DRA

Introduction Developing an effective data recovery plan is important when you are implementing EFS in an organization. An effective data recovery strategy will help to ensure that you can access encrypted data without the private encryption key, for example if an employee who has encrypted data leaves the organization, or when users lose their private keys. DRA function Implementing a data recovery strategy...

Microsoft Windows XP Security Guide Templates

Enterprise Client - Desktop.inf Enterprise Client - Laptop.inf High Security - Desktop.inf High Security - Laptop.inf Legacy Enterprise - Account.inf Legacy Enterprise Client - Desktop.inf Legacy Enterprise Client - Laptop.inf Legacy High Security - Account.inf Legacy High Security - Desktop.inf Legacy High Security - Laptop.inf Windows XP is one of the client operating systems that you can use with Windows...

Troubleshooting Tools

Provides information about the state of the authentication displays the signal strength on the General tab displays IP address configuration on the Support tab Provides detailed information about the EAP authentication process Allows you to view details about access points and wireless clients Introduction The tools for troubleshooting wireless connections include the Network Connections folder, tracing,...

Microsoft Certified Professional Program

Elective exam for the following track: 70-299 Implementing and Administering Security in a Microsoft Windows Server 2003 Network Microsoft Learning offers a variety of certification credentials for developers and IT professionals. The Microsoft Certified Professional program is the leading certification program for validating your experience and skills, keeping you competitive in today's changing business environment. This course helps students to prepare for Exam 70-299 Implementing and...

Lesson Introduction to PKI and Certification Authorities

Accounts That Use PKI-Enabled Applications Differences between the Types of Certification Authorities This section describes the instructional methods for teaching this lesson. This lesson provides students with introductory information about a PKI, including certificates and certification authorities (CAs). The lesson defines what a PKI is and what students can accomplish by deploying a PKI. The lesson presents the components of a PKI and the management tools that are included with Windows...

The MSRC Vulnerability Rating System

Could allow the propagation of an Internet worm without user action Could result in a compromise of the confidentiality and integrity of a user's data and processing resources Is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation Is extremely difficult to exploit, or whose impact is minimal The Microsoft Security Response Center (MSRC) categorizes the severity level of the vulnerabilities in the security bulletins it releases to...

Your instructor will demonstrate how to

CMAK is installed through Add or Remove Programs in Control Panel. To install CMAK, perform the following steps 1. In Control Panel, double-click Add or Remove Programs, and then click Add/Remove Windows Components. 2. Select Management and Monitoring Tools, and then click Details. 3. Select Connection Manager Administration Kit, click OK, and then click Next. 4. When the installation is complete, click Finish. To configure CMAK for VPN client configurations, perform the following steps 1....

Lesson Secure Data Transmission Methods

How WEP Ensures Data Confidentiality How WPA Ensures Data Confidentiality IPSec Modes for Cryptographic Features Authentication Methods Used with IPSec Practice Identifying Protocols and Their Capabilities This section describes the instructional methods for teaching this lesson. Tell students why it is important to secure data transmission. This page is intended to give examples of vulnerabilities. To provide more elaborate information about attacks, draw upon your own experiences. Explain the...

Your instructor will demonstrate how to restrict DNS zone transfers

Introduction Because of the important role that zones play in DNS, they should be available from more than one DNS server on the network to provide adequate availability and fault tolerance when resolving name queries. However, DNS zone information is prone to attacks by malicious users. Attackers can use DNS zone information to start mapping your infrastructure or to manipulate the data to redirect users...

How EFS Works

When a user encrypts a file for the first time, EFS looks for a certificate for EFS in the local certificate store If a certificate is available, EFS generates a random number (FEK) for the file to be encrypted EFS then takes the public key of the user's certificate and encrypts the FEK using the RSA public-key-based encryption algorithm EFS then stores the FEK in the DDF field in the header of the file that is being encrypted...

Query format

MDDHHMMSS.0-8)) As organizations grow and evolve, security groups can become obsolete. Obsolete security groups provide users with permissions they may no longer need, which can lead to security vulnerability. Although account groups for very small teams might not change frequently, large account groups experience almost continuous turnover in membership. If an account group's membership has not changed at all for some time, the group might be obsolete. It is important to constantly monitor...

Guidelines for Determining Hardware Requirements for Remote Access

A dial-up remote access server must have a modem or a multiport adapter, and it must have access to an analog telephone line or lines For interfaces on the public network, use IPSec accelerator network cards Increase the available processing power to increase throughput If you do not need to handle more than 1,000 concurrent calls from remote access users, 512 MB of RAM is adequate Determining hardware requirements for dial-up networking The first part of designing a VPN solution is to...

Guidelines for Configuring IIS Logging

Store the logs on a non-system striped or striped and mirrored disk volume to improve server performance Allow for sufficient disk space for the log file Specify the directory into which log files are saved and when new log files should be started Set proper access control on the log file directory to protect logged data Create the new log files more frequently to keep them smaller and more manageable...

Certification Authority Designs

Certificate Authority Hierarchy

Designing a CA hierarchy is the first step that you perform when you design a PKI. It is also the most critical step because without CAs, you cannot deploy the certificates that are required for PKI-enabled applications. A CA issues certificates, uses certificate templates, and provides an enrollment target for all certificate-based functions. The CA hierarchy that you design must meet all business requirements of your organization. There are several types of CA hierarchy designs. A CA...

Implement EFS for Roaming User Profiles

In this exercise, you will configure a server to allow users to encrypt files that are stored on a file server. Ensure the 2823_DC1, 2823_Member1 and 2823_Client1 virtual machines are started. Perform tasks from the 2823_Client1 virtual machine as the user Don Hall unless otherwise directed. Don Hall's username is donh@cohovineyard.com and his password is P@ssw0rd. Don Hall does not have any administrative rights. Perform all administrative tasks by using the RUNAS command or the secondary...

Prevent any file from running on a local computer, organizational unit, site, or domain

Introduction Software restriction policies are new options for managing user environments in Windows Server 2003. You use software restriction policies to control what applications are allowed to run on user workstations and to prevent dangerous or unwanted applications from running on those workstations. Note You can use software restriction policies to manage only the clients that run Windows XP and...

In this exercise you will create a network traffic map

In this classroom discussion, you will create a network traffic map. Read the scenario below, and then as a class create a network traffic map. Your organization has implemented a new security policy. The security policy states that all servers must be protected with IPSec filters that allow only the protocols and ports that are needed by the server to be exposed. The chief security officer has assigned you the task of evaluating which ports and protocols need to be secured on a branch office...

Who can issue certificate templates

Only enterprise CAs can issue certificates based on certificate templates Certificate templates are the sets of rules and settings that define the Format and content of a certificate based on the certificate's intended use. Process of creating and submitting a valid certificate request. Security principals that are allowed to read, enroll, or autoenroll for the certificate. Permissions to read, enroll, autoenroll, or modify certificate templates by using DACLs. Certificate templates are...

Wireless Network Standards

A group of specifications for WLANs developed by IEEE Defines the physical and MAC portion of the data link layer Transmission speeds up to 54 megabits per second (Mbps) Works well in densely populated areas Good range but susceptible to radio signal interference Enhancement to and compatible with 802.11b 54 Mbps, but at shorter ranges than 802.11b Authenticates clients before it lets them on the network Requires greater hardware and infrastructure investment...

Considerations for Choosing a Tunneling Protocol

L2TP IPSec advantages and disadvantages Windows 2000, Windows XP, Windows Server 2003, Windows NT Workstation 4.0, Windows ME, or Windows 98 Windows 2000, Windows XP, or Windows Server 2003 May require a certificate infrastructure May require a certificate infrastructure or a PSK Provides data encryption, data confidentiality, data origin authentication, and replay protection To locate PPTP-based VPN clients behind a NAT, the NAT should include an editor that can translate PPTP To locate L2TP...

Self Signed Certificates

In the case of a standalone computer, there is no enterprise CA, so the computer generates a self-signed certificate for use with EFS How do self-signed certificates work Since it is the local computer that generates and signs the certificate for use with EFS, the certification path is the same as a root CA Even though the certificate is not trusted, it can still be used with EFS Introduction When a user...

Practice Installing CMAK

In this practice, you will install the Connection Manager Administration Kit. You are the administrator for your organization. Your company wants to implement quarantine control for your remote access users. To prepare for the quarantine service, you will install the Connection Manager Administration Kit. 1. Log on to Member1 as an Administrator with the password P@ssw0rd. 3. Double-click Add or Remove Programs, and then click Add/Remove Windows Components. 4. Select Management and Monitoring...

Planning a Secure Member Server Baseline

In this exercise, you will examine a network environment. You will review the existing infrastructure and security requirements and determine the OU structure and security templates required to implement a secure member server baseline. Ensure the 2823_DC1 and 2823_Client1 virtual machines are started. Read the scenario and complete the planning worksheet. Use the information in the planning worksheet to implement your member server baseline strategy. Perform tasks from the 2823_Client1 virtual...

Options for Account Lockout Policies and Logon Restrictions

Determines how many logon attempts can be made before the account is locked out Determines how many minutes a locked out account will remain disabled before being automatically enabled Determines the number of minutes that must elapse after a failed logon attempt before the counter is reset to 0 bad logon attempts Enforce user account logon restrictions Ensures that the requesting account is still valid and was not disabled since the Kerberos ticket was issued...

Your instructor will demonstrate how to configure an enrollment agent

Procedure Obtaining an Enrollment Agent certificate By default, only members of the Domain Admins group and the Enterprise Admins group have the appropriate permissions to enroll smart card certificates for other users. To enable a user to act as an enrollment agent, a user with permission to enroll certificates for other users must obtain an Enrollment Agent certificate. Then the enrollment agent needs to acquire and install the Enrollment Agent certificate. To obtain an Enrollment Agent...

Security Threats to Infrastructure Servers

An unauthorized or rogue DHCP server could assign incorrect IP addresses Monitor for unauthorized DHCP servers An attacker could modify the server configuration Restrict administrative access on the DHCP server to limited users An attacker could hijack NetBIOS names of critical servers Restrict access to the WINS admins group An attacker with administrative access could modify WINS server settings Use static entries for mission-critical servers The following table describes the security threats...

Options for Creating a Kerberos Ticket Policy

Determines the amount of time a user ticket is available before it expires Determines the amount of time a service ticket is available before it expires Maximum lifetime for user ticket renewal Determines the number of days for which a user's TGT can be renewed Introduction You should establish reasonable lifetimes for Kerberos tickets in your organization. Reasonable Kerberos ticket lifetimes must be short enough to prevent attackers from cracking the cryptography that protects the ticket's...

Security Threats to File and Print Servers

An attacker can access and modify confidential information that is stored on the server This attack prevents users from accessing file and print services File sharing uses NetBIOS, so the file server will probably have NetBIOS enabled. This can significantly increase the attack surface of the computer File and print servers are exposed to the same vulnerabilities that all member servers are exposed to. The following table lists the security threats to file and print servers. An attacker can...

Best Practices for Implementing 802.1x Authentication

Choose appropriate certificates or passwords Choose a client configuration strategy Determine traffic encryption requirements Determine software settings required for 802.1x WLANs Use the following best practices when implementing wireless LAN security Choose appropriate certificates or passwords. Microsoft offers native support for several types of authentication protocols for use with 802.1x. Most commonly, organizations select either passwords or certificate-based credentials. The...

Lab A Implementing Perimeter Network Security Using ISA Server

Exercise 1 Planning a Perimeter Network Exercise 2 Implementing a Perimeter Exercise 3 Securing an ISA Server 2000 After completing this lab, you will be able to Implement a perimeter network. Secure an ISA Server 2000 computer. Note This lab focuses on the concepts in this module and as a result may not comply with Microsoft security recommendations. Before working on this lab, you must have the following virtual machines Important Shut down all virtual machines...

How to Back Up and Export IAS Configuration

Ensures that the essential directories containing log files and configuration parameters are backed up Imports and exports the configuration of an individual IAS server to restore it in the event of a catastrophic server failure Ensuring rapid recovery of your RADIUS service in the event of a disaster requires appropriate planning prior to the event. An IAS installation can be backed up using a backup program or manually imported or exported using the netsh command. Using the backup program...

Installing and Configuring a Chained SUS Server

In this exercise, you will configure an SUS server located at Coho Vineyard to download approved patches from an SUS server located at Coho Winery. Ensure the 2823_DC1, 2823_DC2, 2823_Web1 and 2823_Client1 virtual machines are started. Read the scenario and complete the planning worksheet. Use the information in the planning worksheet to implement your client computer strategy. Perform tasks from the 2823_Client1 virtual machine as the user Don Hall unless otherwise directed. Don Hall's...

Methods for Deploying Security Templates

Allows you to deploy security templates to multiple computers that have the same needs Allows an administrator to analyze and configure security settings one computer at a time Allows you to automate security configuration application and analysis from the command line in the form of a batch file or task scheduler Introduction When you are configuring security settings for your organization by using security templates, you must determine the most efficient way of...

Implementing a Perimeter Network

In this exercise, you will configure ISA Server 2000 to implement the proposed perimeter network. Ensure the 2823_DC1, 2823_ISA1 and 2823_Client1 virtual machines are started. Perform tasks from the 2823_Client1 virtual machine as the user Don Hall unless otherwise directed. Don Hall's username is donh@cohovineyard.com and his password is P@ssw0rd. Don Hall does not have any administrative rights. Perform all administrative tasks by using the RUNAS command or the secondary logon service. When...

Planning a Perimeter Network

In this exercise, you will evaluate the existing implementation of a perimeter network and plan a new implementation. Ensure the 2823_DC1 and 2823_Client1 virtual machines are started. Perform tasks from the 2823_Client1 virtual machine as the user Don Hall unless otherwise directed. Don Hall's username is donh@cohovineyard.com and his password is P@ssw0rd. Don Hall does not have any administrative rights. Perform all administrative tasks by using the RUNAS command or the secondary logon...

Benefits of ISA Server

Provides faster Web access for users. Reduces bandwidth costs by reducing network traffic from the Internet. Protects networks from unauthorized access by inspecting network traffic at several layers. Controls access centrally to ensure and enforce corporate policies. Extends security and management functionality with non-Microsoft solutions. Fast Web access with a high-performance cache: ISA Server is a key member of the Microsoft .NET Enterprise Server family. The products in the .NET Enterprise...

Trust Types Associated with Server Operating Systems

Forest trusts, one-way or two-way external trusts: Windows Server 2003 and Windows 2000 forests; Windows Server 2003 and Windows NT 4.0 forests; Windows Server 2003 and servers running other operating systems. Introduction: The version of the server operating system you are running determines which authentication protocols you can use across a trust. Certain operating systems have the capability to use only certain authentication protocols. For example, Windows 95 can use...

What Is a Network Traffic Map

The best way to begin implementing a secure data transmission method is to build a network traffic map. A network traffic map is a simple table that lists all the services that are needed on a computer and the port and protocols associated with those services. For example, the network map for a Domain Name Service (DNS) server specifies that the DNS Server service should be running on the server. By creating a network traffic map, you can determine exactly what types of traffic are needed on a...

Best Practices for Securing an SUS Server

Apply Windows security best practices. Introduction: Update management is a critical part of a secure infrastructure. Therefore, all components of your update management infrastructure must be secured. You can secure SUS by using a combination of IIS security and operating system security best practices. Best practices: Use the following best practices to help secure your update management. Apply Windows security best practices. Apply all standard security best practices...

Exercise Implementing IPSec Data Transmission Security for Domain Members

Objectives: After completing this lab, you will be able to plan, deploy, and troubleshoot data transmission security, which includes evaluating a data transmission security policy and selecting technologies to support policy requirements; implementing SMB signing, LDAP signing, and other security technologies; and implementing an IPSec policy for domain members. Note: This lab focuses on the concepts in this module and as a result may not comply with Microsoft security...

WPA encryption process

1. The client initiates a connection with the wireless access point.
2. The client creates a checksum of the data using MIC and attaches it on the end of the data frame.
3. The packet is encrypted with the RC4 or AES algorithm and
4. The wireless access point receives the packet and decrypts it.
5. The wireless access point verifies the MIC and sends the

Introduction: The Institute of Electrical & Electronics Engineers (IEEE) 802.11i wireless networking standard...

WEP encryption process

1. The client initiates a connection with the wireless access point.
2. The client creates a checksum of the data using the CRC-32 algorithm and attaches it to the end of the data frame.
3. The packet is encrypted with the RC4 algorithm and transmitted on the wireless network.
4. The wireless access point receives the packet and decrypts it with the secret key.
5. The wireless access point verifies the CRC-32 and sends the packet on the LAN.

Introduction: The WEP protocol was...

Configuring Active Directory for Wireless Networks

In this exercise, you will configure groups in Active Directory to hold user and computer objects that are permitted to access the WLAN. Ensure the 2823_DC1 and 2823_Client1 virtual machines are started. Perform tasks from the 2823_Client1 virtual machine as the user Don Hall unless otherwise directed. Don Hall's username is donh@cohovineyard.com and his password is P@ssw0rd. Don Hall does not have any administrative rights. Perform all administrative tasks by using the RUNAS command or the...

Applications That Use a PKI

There are a variety of applications that have the ability to use a PKI. A Windows Server 2003 PKI supports the following types of PKI-enabled applications. Digital signatures: a piece of code that can be attached to a digital message to ensure that the content of the message was not modified in transit. A digital signature will also validate the sender of a message. Smart card logon: implements two-factor authentication. This ensures that a user must have something (a smart card) and know something (a password)...

Builtin Groups

Designed to manage shared resources and delegate specific domain-wide administrative roles. Pre-Windows 2000 Compatible Access. Built-in groups and associated rights: Windows Server 2003 provides many built-in groups, which are automatically created when you install an Active Directory domain. You can use built-in groups to manage access to shared resources and to delegate specific domain-wide administrative roles. For example, you could put the user account of a junior administrator into the...

Your instructor will demonstrate how to create custom IPSec security policies

Introduction: Windows Server 2003 provides predefined IPSec policies to apply to servers and clients to provide a blanket IPSec policy to those computers. Although the predefined policies can provide a secure data transmission, they are not as secure as an IPSec policy tailored to the services needed for a specific computer. Based on the network map for a computer, you can build a custom IPSec policy that exposes those ports, protocols, and services to other...

Tools for Verifying That a Policy Is Applied

Logging mode queries: view all IPSec policies that are assigned to a specific client. Planning mode queries: view all IPSec policies that are assigned to members of a Group Policy container. Open the command prompt and type netsh ipsec static show gpoassignedpolicy. To view the current policy, navigate to the Active Policy node in the console. Introduction: Windows Server 2003 includes several tools that enable you to view the IPSec Resultant Set of Policy (RSoP) is an...

What Is WebDAV Server

In Windows XP and Windows Server 2003, EFS supports sharing a single file among multiple users on your network. Using encrypted files is a great way to protect your data while still sharing it with other authorized users on your computer or file servers. After completing this lesson, you will be able to Describe the purpose of EFS file sharing. Share encrypted files with other users. Determine how a file is encrypted and stored on a remote file server. Determine the effects of copying and...

Administering an SUS Server

In this exercise, you will perform basic administrative tasks on the new SUS server, such as reviewing and approving updates and reviewing the approval log. Ensure the 2823_DC1, 2823_Web1 and 2823_Client1 virtual machines are started. Read the scenario and complete the planning worksheet. Use the information in the planning worksheet to implement your client computer strategy. Perform tasks from the 2823_Client1 virtual machine as the user Don Hall unless otherwise directed. Don Hall's username...

Revoking a Certificate

In this exercise, you will revoke the certificate of a user who has changed jobs. Ensure the 2823_DC1, 2823_Web1 and 2823_Client1 virtual machines are started. Perform tasks from the 2823_Client1 virtual machine as the user Don Hall unless otherwise directed. Don Hall's username is donh@cohovineyard.com and his password is P@ssw0rd. Don Hall does not have any administrative rights. Perform all administrative tasks by using the RUNAS command or the secondary logon service. When performing...

Lesson Planning and Implementing a Software Restriction Policy

Purpose of Software Restriction Policies. Best Practices for Planning and Implementing a Software Restriction Policy. This section describes the instructional methods for teaching this lesson. Tell students that they can use software restriction policies to identify software and to control its ability to run on their local computers. Explain to students that they can use rules to make exceptions to the default security level for software restriction policies. Tell students that they can use...

File Sharing on Remote Servers

File sharing is accomplished through delegation. The remote server must be trusted for delegation in Active Directory if users are going to store encrypted files on it. If the user has a roaming user profile, the profile is downloaded to the server and the server impersonates the client while encrypting the file or folder. Otherwise, the server will generate a new profile for the user and request or generate a self-signed certificate to encrypt the file or folder...

What Is Network Quarantine Service

Provides protection when users in your organization accidentally reconfigure key settings and do not restore them before connecting to your network. A set of network restrictions that are configured in IAS and implemented by the remote access server for each connection. Quarantine-capable remote access clients. Because typical remote access connections only validate the credentials of remote access users, a remote access client that connects to a private network can access network resources even...

Your instructor will demonstrate how to configure Group Policy for smart cards

Procedure: To configure the Group Policy settings for smart cards, perform the following. 1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers. 2. Click the container in which you want to configure the Group Policy settings. To configure the settings for the entire domain, click the domain container. 3. Right-click the domain container and then click Properties. 4. Click the Group Policy tab, and then...

Configuring Certificate Templates and Certificate Autoenrollment

In this exercise, you will configure certificate templates for users and computers who will access the WLAN. Ensure the 2823_DC1 and 2823_Client1 virtual machines are started. Perform tasks from the 2823_Client1 virtual machine as the user Don Hall unless otherwise directed. Don Hall's username is donh@cohovineyard.com and his password is P@ssw0rd. Don Hall does not have any administrative rights. Perform all administrative tasks by using the RUNAS command or the secondary logon service. When...

Tools for Verifying That a Policy Is Applied IP Security Monitor Console

Introduction: This lesson provides the knowledge required to troubleshoot IPSec. Objectives: After completing this lesson, you will be able to describe the tools for troubleshooting IPSec communications; describe the purpose and function of the Event Viewer; disable auditing of IKE events in the Security log; verify a computer's IPSec configuration by using Resultant Set of Policy (RSoP), NETSH, and IP Security Monitor; describe the purpose and function of the IP...

Differences Between the Types of Certification Authorities

Can use Certificate Request Wizard and Web pages. Issued or denied by a certificate manager. Issued or denied based on the DACL of the certificate template. Windows Server 2003 supports two different types of CAs: standalone CAs and enterprise CAs. Both CA types can issue certificates to users and computers. However, there are some differences between the two CA types. The following table lists the differences between a standalone CA and an enterprise CA. Is typically used for offline CAs, but can be...

Lesson Introduction to Multifactor Authentication

Scenarios for Multifactor Authentication. Benefits of Using Smart Cards for Multifactor Authentication. Components of a Smart Card Infrastructure. Multimedia: How Smart Cards Change Kerberos Authentication. This section describes the instructional methods for teaching this lesson. For many companies, single-factor authentication does not provide the required security. These companies are implementing multifactor authentication to enhance network security. In this lesson, students will learn about...

Windows Server Authentication Methods for Earlier Operating Systems

Use LM and NTLM but never use NTLMv2. Use LM and NTLM; will use NTLMv2 if supported. Use LM and NTLM; will use NTLMv2 if supported. Introduction: Different operating systems have the ability to use different authentication protocols. As a general rule, the older the operating system, the less secure the authentication protocol it can use. By default, computers running Windows Server 2003 can accept all types of authentication protocols, including LM, NTLMv2, and Kerberos, to ensure compatibility...

How to Create a Wireless Network Policy

Your instructor will demonstrate how to create a wireless network policy. Introduction: Wireless network settings can be configured locally, by users on client computers, or centrally. To enhance the deployment and administration of wireless networks, use Group Policy to create, modify, and assign wireless network policies centrally, for Active Directory clients. When you define wireless network policies by using Group Policy, you can specify whether clients can use...

In this practice you will configure DNS update credentials on a server

In this practice, you will log on as Administrator and configure DNS update credentials on dc1.cohovineyard.com to prevent the overwriting of DNS records by malicious users. You are the security administrator for your organization. Your chief technical officer is concerned that, because all DNS zones are Active Directory integrated, a malicious user could overwrite the DNS records of critical computers in the organization. To prevent this kind of attack, you must enable a low-privileged account...

Lesson Implementing EFS in a Standalone Microsoft Windows XP Environment

Best Practices for Implementing EFS in a Standalone Environment. How to Encrypt and Decrypt Files Using Windows Explorer. How to Create Data Recovery Agents. Guidelines for Managing Plaintext Data. How to Create a Password Reset Disk. How to Disable EFS on a Standalone Computer. Introduction: On standalone computers, EFS does not provide the same capabilities or benefits as it does on computers that are part of a domain. For example, you cannot use Group Policy objects (GPOs)...

How to Teach This Module

This section contains information that will help you to teach this module. Important: This module has assessment items for each lesson, located on the Student Materials compact disc. You can use them as pre-assessments to help students identify areas of difficulty, or you can use them as post-assessments to validate learning. Consider using these questions to reinforce learning at the end of the day. You can also use them at the beginning of the day as a review for the content that you taught on...

How NTLM Authentication Works

[Figure: user, password and hash labels from the NTLM challenge-response diagram.] As mentioned earlier, NTLM includes three methods of challenge-response authentication: LM, NTLMv1, and NTLMv2. The authentication process for all the methods is the same, but they differ in the level of encryption. The following steps demonstrate the flow of events that occur when a client authenticates to a domain controller using any of the NTLM protocols. The client and server negotiate an authentication protocol....

Guidelines for Troubleshooting Common Issues with EFS

Troubleshooting EFS can be a complex task for an administrator. There is a lot of information that you need to gather before you can troubleshoot EFS problems in an organization. For example, you need to determine the versions of operating systems that are in use in the organization, the algorithms that are supported by the operating systems, whether any DRAs are in place, whether EFS is disabled, and how Group Policy is configured to implement EFS. This lesson will explore some basic...

Creating and Implementing Custom Security Templates

In this exercise, you will create custom security templates for any additional security settings you identified in Exercise 1. Ensure the 2823_DC1 and 2823_Client1 virtual machines are started. Perform tasks from the 2823_Client1 virtual machine as the user Don Hall unless otherwise directed. Don Hall's username is donh@cohovineyard.com and his password is P@ssw0rd. Don Hall does not have any administrative rights. Perform all administrative tasks by using the RUNAS command or the secondary...

Lesson Planning and Configuring a Secure Baseline for Domain Controllers

Security Threats to Domain Controllers. What Is a Domain Controller Baseline Policy. What Are Active Directory Database and Log Files. What Is Ntdsutil.exe. How to Move Active Directory Database and Log Files. How to Resize Active Directory Event Log Files. What Is SYSKEY. Introduction: A domain controller is a computer running a Microsoft Windows Server operating system that stores a replica of the directory. A domain controller also manages the changes to directory...

How to Enroll a User for a Smart Card Certificate

Before you can deploy smart cards in your organization, you must have a PKI in place. Next, you need to identify applications to enable for use with smart cards. You also need to plan how to implement and support a smart card infrastructure before you can take advantage of the security benefits of smart cards. After completing this lesson, you will be able to describe where and why smart cards should be used in your organization, and apply guidelines for selecting...

Your instructor will demonstrate how to determine if EFS is being used on a computer

Introduction: It may be useful as an administrator to periodically determine which computers in your organization have implemented EFS. For example, if you have not implemented a formal data recovery policy but find that 80 percent of your users are implementing EFS, you might decide to implement recovery procedures. Although there is no way to determine if files are currently encrypted, there are registry keys that are present if EFS has ever been implemented. Procedure: To...

Lesson Planning and Configuring a Secure Baseline for IIS Servers

What Is an IIS Server Baseline Policy. The User Rights Assignment for IIS Servers. Guidelines for Configuring IIS Logging. Guidelines for Configuring Additional Settings in IIS. This section describes the instructional methods for teaching this lesson. Tell students that because an IIS server is exposed to the public, it is prone to security attacks. Explain that IIS servers are also application servers, so in addition to securing the server, the code that is run on the server must be secure....

Components and Features Provided by an ISP

Standards-based network access servers (NASs). Providing access from various geographical access points that will integrate with Windows Server 2003. Routing of access requests to the enterprise. Sending authentication requests to a RADIUS server when used with a RADIUS proxy. Delivering the latest access numbers either to the enterprise or directly to the client. Outsourcing part or all of a remote access solution through a wholesale contract with an Internet service provider (ISP) can provide some...

What Is Event Viewer

Verify that security auditing is enabled. Viewing IPSec-related events in Event Viewer: If you suspect that there are errors in the key exchange process, the Event Viewer is the best tool to view the actions that have taken place. These events can confirm that the key exchange is occurring correctly. Auditing for IKE is supported in Windows 2000, Windows XP, and the Windows Server 2003 family. IKE uses the Logon Events category. In the Windows Server 2003 family, you can also enable auditing for...

IPSec Troubleshooting Tools

Search for all matches for filters of a specific traffic type. IP Security Policy Management snap-in: create, modify, and activate IPSec policies. Active Directory Users and Computers and Group Policy: troubleshoot policy precedence issues; determine which policies are assigned but not applied to clients. View details of the SA establishment process. The following table describes the IPSec troubleshooting tools. IP Security Policy Management snap-in. Active Directory Users and Computers and Group...

Authentication Authorization and Least Privilege

Authentication: the process of verifying the identity of something. Authorization: the process of determining whether something or someone has permission to access a resource (Ben Smith has permission to access this resource). Least privilege: provide users with the minimum privileges needed to accomplish the tasks they are authorized to perform. Network security is based on three fundamental concepts: authentication, authorization, and the principle of least privilege. Authentication is the process of...