Auditing User Account Activity

It is not enough for us to set up policies, regulations, and requirements. All of this is worthless if we don't have a way to monitor whether the policies and requirements that we created are being followed. Auditing is our way of making sure that our users and even administrators and engineers are abiding by and sticking to these policies. In addition, with auditing enabled, you will be able to gather information after a security incident occurs. You will be able to tell which computers were...

Design a Client Authentication Strategy

You are the network administrator for a medical research facility running Windows Server 2003. Your firm is beginning a joint research operation with a major university, and many of your users will need to access files and folders on the university's network. The university that you are collaborating with is operating using a UNIX Kerberos environment with UNIX clients at each desktop. Your company's resources should also be accessible by the university staff. How can you accomplish this with...

Streaming Media Server

The last specific server role we'll look at is the streaming media server. In the role of a streaming media server, Windows Server 2003 uses Windows Media Services to stream audio and video to internal (network) or external (Internet) clients. Windows Media servers proxy, cache, and redistribute content. Windows Media Services is not available on Windows Server 2003 64-bit versions, nor is it available in the Windows Server 2003 Web Edition. As with all other server roles, examining default...

Creating a Strategy for the Encryption and Decryption of Files and Folders

An encryption strategy for files and folders includes an assessment of vital data, an assessment of the environment, policies for using EFS, and procedures for recovering encrypted files. Obviously, not all files are sensitive enough to warrant encryption. In most cases, files protected with two layers of security (user authentication and ACLs) will be safe. However, files that contain sensitive data such as social security numbers, credit card data, medical or health data, or corporate trade...

Securing Common Administrative Tools

All the security in the world can't help if the tools at the administrator's disposal are not properly secured. These tools are designed to allow you to make major modifications to and troubleshoot your network; if these tools fall into the wrong hands, they can be used to damage and interrupt business productivity in your organization. Inappropriate use of network management tools (either by administrators themselves or by attackers gaining access to them) can reveal administrative credentials...

Analyzing Auditing Data

Once we've configured our auditing policy, we need to be able to analyze it and make sense of it all. Windows provides a central repository where auditing and other events are stored for later analysis and troubleshooting. This repository is the Event Viewer, which you can get to either by right-clicking My Computer and going to Manage, or simply by going to Start > Run and typing Eventvwr. The Event Viewer has several different logs, based on what kinds of services are configured on the server...

Designing IP Filtering

When designing IP filtering, there are a few design suggestions that will make your task easier. These are delineated in Table 5.12 and describe recommendations for both filter lists and filter actions. Table 5.12 Filter List and Filter Actions Recommendations: Use general filters if you want to cover many computers with one list. Use Any IP Address or a subnet IP rather than using specific computers' IP addresses. Segment your network and define filters that allow you to group and secure traffic...

Segmented Namespace

You can split your namespace between internal and external DNS servers. Your external DNS is the root domain, and your internal space is a subdomain of the external space. For example, if your external namespace is somecompany.com, your internal namespace can be defined as corp.somecompany.com. The internal namespace is managed by internal DNS servers behind a firewall, and resolution from external DNS servers to a corporate address occurs from the external DNS server to the internal DNS server...

Remote Access Account Lockout

Another new feature in Windows Server 2003 is the ability to specify how many times a remote access connection can provide an incorrect password or other logon credential before the connection attempt is denied remote access. This is especially critical for VPN connections, since malicious users on the Internet can try to access your network's resources by perpetrating a password attack against a remote user account. With remote access account lockout enabled, such an attack would be stopped...

NTLM Authentication

Instead of Kerberos, Windows operating systems prior to Windows 2000 use NT LAN Manager (NTLM) to provide network authentication. In a Windows Server 2003 environment, NTLM will be used to communicate between two computers when one or both of them is running NT4 or earlier, as well as for communications between computers that are not part of an Active Directory domain. For example, NTLM authentication would be used in the following situations: Workstations or stand-alone servers that are part of a...

Registry

The Registry Policy in any security template allows the administrator to define access permissions related to Registry keys and to set auditing on system access control lists (SACLs). To access the settings, double-click on the object name in the right pane of the MMC, or right-click and select Properties from the menu. Figure 2.4 shows the object named user .default Properties dialog. The Registry contains many different keys, and some keys have subkeys, much like the folder structure in...

Configuring System for Startup and Recovery Options

In this exercise, we'll step through configuring startup recovery options for the local computer. 1. Click Start > Control Panel > System. 2. In the System Properties dialog, click the Advanced tab. 3. In the Startup and Recovery section, click Settings. 4. In the System startup section, select Time to display recovery options when needed. Set the time, in seconds, to the length of time you want recovery options to be displayed. 5. In the System failure section, notice that Write an event to the...

Logon Event

Logon events are generated when a user logs on to or off of a computer. Every time a user logs on or off, whether on a workstation or server, an event is generated. A variety of event IDs are associated with logon events. Table 9.5 shows a partial list of these event IDs. An explanation of how some of these IDs may be interpreted follows the table. Table 9.5 Logon Event IDs and Descriptions: A user successfully logged on to a computer. Logon failure. A...

Defining a Security Group Naming Policy

The next step is to define a standard for naming security groups. It can be confusing and cause administrative errors when naming conventions are either not specified or not used. Errors are not just an inconvenience to users who might be accidentally moved or changed from a legitimate group. Errors can also place users in incorrect groups, granting them inappropriate access to sensitive information. If an unauthorized user gains legitimate access (via a group membership error) to payroll...

Exam Objectives Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the Exam Objectives presented in this chapter, and to assist you with real-life implementation of these concepts. You will also gain access to thousands of other FAQs at ITFAQnet.com. Q: Can we use anonymous access for FTP sites, or is it restricted to Web sites only? A: Anonymous access is available on both FTP sites and Web sites. Q: What default Windows access group...

Highly Secure (hisec*.inf)

This security template is used for setting very high security between computers for network communications. It secures network traffic and protocols used to communicate between computers. Computers configured to use the hisec*.inf template cannot communicate with down-level computers, such as those running Windows 98 or Windows NT. This template enhances the security settings of the secure*.inf template and adds further restrictions via encryption and signing requirements for authentication and...

Selecting a Remote Access Protocol

For each remote access method, there are a number of different protocols that you can select for your client workstations to connect with. While you obviously want to use the best encryption possible, you need to keep in mind any technical constraints created by your network clients, since not all operating systems can support all protocols. Password Authentication Protocol (PAP), Shiva Password Authentication Protocol (SPAP): Both of these protocols are supported by Windows Server 2003 for...

Designing a Client Authentication Strategy

Any network security design needs a client logon strategy that addresses the following three topics: authentication, authorization, and accounting (you'll sometimes see the last one referred to as Auditing). This AAA Model is an Internet standard for controlling various types of network access by end users. Put simply, authentication is concerned with determining that a user is who he or she claims to be. Authorization focuses on what a user is permitted to do once he or she has passed the...

Account Logon Event

An account logon event is generated on DCs for domain account activity, and on local computers for local account activity. Account logon events are created when a user's credentials are authenticated. When domain credentials are used, the account logon events are only generated in the DCs' event logs. If the credentials presented are local credentials (Security Accounts Manager (SAM) database), the account logon events are generated in the server's security log. You can choose to audit...

Securing Emergency Management Services

Emergency Management Services is a new feature in Windows Server 2003, and provides native support for server operation and management that can be performed remotely without a local keyboard, mouse, or monitor. It can be used on x86 and Itanium-based systems. Emergency Management Services uses a terminal text mode rather than a graphical user interface (GUI). This provides the ability to manage computers that are not fully functional or not fully initialized. It also provides interoperability...

Add a Recovery Agent for the Local Computer

In this exercise, we'll add a recovery agent for the local computer. 1. Click Start > Run, type mmc in the Open text box, and then click OK. 2. On the File menu, select Add/Remove Snap-in, and then click Add. 3. In the Add Standalone Snap-in dialog, scroll down until you locate Group Policy Object Editor and then click Add. 4. In the Select Group Policy Object screen, verify that Local Computer is the selected Group Policy Object and then click Finish. 5. Click Close to close the Add Standalone...

Configuring File Recovery Agents

Data recovery is important when employees leave the company or lose their private keys. If you ever lose your file encryption certificate and your private key through disk failure or some other reason, the designated recovery agent can recover the data. This is why it's critical to export, save, and archive recovery agent credentials. This also provides the ability for a company to recover an employee's data after he or she has left the company. EFS recovery policy specifies the data recovery...

Privilege Use Event

Privilege use events are logged every time a user uses any privileges. For example, you might want to monitor the use of the privilege Create, delete, and manage user accounts or Create, delete, and manage groups. By monitoring the use of privileges, you can see when these privileges are used and by whom. For example, if Lisa has permission to create, delete, and manage user accounts and you notice that she has used this privilege about once per month on average, you'd suspect something was...

Summary of Exam Objectives

Along with designing security to keep the network safe from intrusion, it's equally important to provide security for the files and folders on the network. Creating a robust security plan entails securing network resources at each access point. In this case, after users are authenticated (or in the event that a malicious user gains network access), files and folders can be secured via access control, encryption, and through backup and recovery activities. Protecting sensitive and valuable...

Isolation and Autonomy

When designing your Active Directory delegation strategy, you have to first understand your organization's delegation requirements. These requirements will generally fall under the following two categories: Isolation: Isolation allows for exclusive and independent access to data and services in a particular subset of the directory. This design allows administrators to isolate themselves and not share administrative rights with any other administrators in the forest. They have full and exclusive...

Chapter Securing Network Resources

You have been asked to design an access control strategy for your firm and it must be done as soon as possible. The company currently has about 85 employees, each of whom has a desktop or laptop computer. There are four servers functioning in various roles. The departments are Finance, Administration, Customer Service, Trucking, Warehouse Operations, Purchasing, and IT. Your company plans to expand operations in the next one to two years, adding about 28 new employees in that period of time. There...

Certificate Enrollment and Renewal

To encrypt files, EFS requires a certificate. EFS will use your current EFS certificate to encrypt files. If one is not available, EFS will search your personal store for an appropriate certificate. If one still cannot be located, EFS will enroll you for an EFS certificate with an online Windows Server 2003 CA that supports EFS templates. If EFS still cannot get a certificate for you, it will create a self-signed certificate. A self-signed certificate will also be used if you are logged in on...

Secedit import

The secedit import switch allows you to import a security template into a database to apply the template settings to a system or to be analyzed against a system. As with the other commands, there is a set of required and optional switches that determine the type and scope of the import. These switches are delineated in Table 2.9. Table 2.9 secedit.exe Import Switch Parameters: This argument specifies which database file to be used to perform the security configuration. It is a required argument....

Common Server Roles

Although every organization is a bit different, there are common roles that servers play in most organizations. In this section, we'll briefly review common server roles and how these roles are impacted by security considerations. Microsoft Windows Server 2003 identifies these types of servers. In the next section, we'll review the security considerations for computers in these different roles. You'll learn how to assess the appropriate level of security for the server as well as how to apply...

Combining and Nesting Groups

When designed properly, nesting or combining groups can greatly reduce administrative overhead and reduce network traffic. However, like anything else, if configured without proper planning, it can be very complicated and hard to troubleshoot. Here are some tips you should keep in mind while designing a nesting strategy: Try to keep the number of nested groups to a maximum of two or three levels. This can keep it within a manageable scope for assigning permissions and troubleshooting any issues....

What Motivates External Attackers

Just as you need to know why a company is designing a security infrastructure, it's also helpful to know the reasons why total strangers seem compelled to make your life as a network administrator that much more difficult. Network attackers, usually referred to colloquially as hackers, attempt to break into corporate networks for any number of reasons, and sometimes knowing the reason why they are doing so can assist you in defusing the threat and tracking down the perpetrator. The most...

Secedit generaterollback

The secedit command-line tool also has a generaterollback switch. This switch allows you to generate a rollback template with respect to a configuration template. When you apply a configuration template (/cfg filename) to a computer, the generaterollback option allows you to create a rollback template that will reset the security settings to the values in place before you applied the configuration template. If you generate a rollback template and decide you want to go back to your original...

Certificate Storage

User certificates that contain the public keys are stored in the Personal certificate store for the certificate owner's user account. A certificate provides assurance that the public key is bound or attached to a specific entity (typically a user or computer) that owns the private key. Certificates are stored in plain text. Since they are public information and are digitally signed, they are protected from tampering. Private keys, however, must be kept secure so that only the owner of the...

Configuring Routing and Remote Access Services

1. On a member server, click Start > Administrative Tools > Routing and Remote Access. 2. Right-click your server, and choose Configure and Enable Routing and Remote Access as shown in Figure 7.1. Figure 7.1 Configuring Routing and Remote Access. When the Routing and Remote Access Server Setup Wizard appears, click Next to get past the initial screen. On the Configuration screen, select Custom Configuration and click Next. See Figure 7.2. Figure 7.2...

Chapter Securing Internet Information Services

One of the new reliability features in IIS 6.0 is the introduction of HTTP.Sys. HTTP.Sys is the new kernel mode driver for IIS 6.0. HTTP.Sys is engineered to increase the performance of IIS dramatically. You have been researching HTTP.Sys functionality. Your research indicates that one of the following about HTTP.Sys is true. What is HTTP.Sys capable of? A. Create virtual directories for Web sites B. Implementing flexible caching D. Provides health detection data to IIS Answer: B. HTTP.Sys does...

Backing Up Certificates with Private Keys

In this exercise, we'll use the Certificates snap-in in the MMC to export a certificate with private keys to a floppy disk. You'll also see how to remove private keys during the export process, if desired. 1. Click Start > Run, type mmc in the Open text box, and then click OK. 2. In the MMC, click File > Add/Remove Snap-in. Then, in the Add/Remove Snap-in dialog, click Add. 3. In the Add Standalone Snap-in dialog, scroll down to locate Certificates. Select Certificates and then click Add. 4. In the...

Enabling Audit Policy on a Local Machine

1. Click Start > Programs > Administrative Tools > Local Security Policy. 2. In the left pane of the console, expand Local Policies and click Audit Policy. Your screen should look similar to Figure 6.27. Figure 6.27 Local Audit Policy Settings [screenshot: Security Settings tree showing Account Policies (Password Policy, Account Lockout Policy) and Local Policies with Audit Policy selected; Audit account logon events: Success; Audit account management: No auditing; Audit directory...]

Designing Security for IIS

IIS provides many services in Windows Server 2003. It supports Web, FTP, SMTP, and NNTP services. Web sites can be configured as Internet sites, intranet sites, or extranet sites. Some contents of intranet sites need to be available as content for extranet sites. Therefore, it is a tedious task to design security to address every one of these implementations. Let's detail some of the most common security implementations. The most common Web sites are public Internet sites. These have to be...

Using the Resultant Set of Policy MMC Snap-in

The RSoP tool is very useful for seeing the result of group policy before it's applied across the enterprise. This exercise will help you become familiar with this tool. 1. Open the MMC via Start > Run, type in mmc, and then click OK. 2. Load the RSoP by clicking File and then Add/Remove Snap-in. In the Add/Remove Snap-in dialog, click Add. 3. In the Add Standalone Snap-in dialog, scroll down to locate Resultant Set of Policy. Click to select it and then click Add. Click Close to close this...

Designing User Authentication for IIS

Microsoft has done a great job of redesigning IIS to be more reliable and robust. Perhaps the most significant modification is the emphasis on the worker process model. This concept was initially embedded into IIS 4.0 as "Running an application in a separate memory space." Let's investigate these modifications in detail. IIS separates all user code from its WWW service. The user application (different Web sites) functions as a separate Internet Server Application Programming Interface (ISAPI)...

Security Breaches

Another risk to data is the risk of a security breach. Throughout this book, we've discussed various risks to security. One of the end goals of hackers is data (the other being system control). Security can be breached in a number of ways, but in this chapter, we're focusing on how to secure data. In Windows Server 2003, this is accomplished through managing users' ability to log on to the network and then through managing users' access to data once they've been authenticated. Strong...

Permissions

Permissions define the type of access given to a user, group, or computer. Permissions can be granted to any user, group, or computer. To use groups and manage permissions efficiently, administrators should use the practice often referred to as AGDLP. This acronym is used to remember how permissions should be granted. Add user accounts (A) to global groups (G), add global groups to domain local groups (DL), and then add domain local groups to the security properties of the resource for which...

IPSec Best Practices

Microsoft outlines several best practices related to implementing IPSec. Establish an IPSec deployment plan: As we discussed earlier, planning is a critical part of the process in developing security plans. Create and test IPSec policies for each deployment scenario: Before deploying IPSec, all scenarios should be tested in a lab environment. Do not use pre-shared keys: These are stored in plain text and provide relatively weak authentication. Pre-shared keys should be used only for testing. In a...

Predicting Threats to Your Network

Predicting network threats and analyzing the risks they present to your infrastructure is one of the cornerstones of the network security design process. Understanding the types of threats that your network will face will assist you in designing appropriate countermeasures, and in obtaining the necessary money and resources to create a secure network framework. Members of an organization's management structure will likely be resistant to spending money on a threat that they don't understand...

Common Threats to DNS

There are a number of common threats to DNS that must be considered and mitigated when planning security for the enterprise. Table 5.14 shows the common threats and how hackers can exploit these threats. We'll look at ways to mitigate these threats in a moment. Common DNS Threats / Description of Threat. Footprinting: Footprinting is a process where DNS zone information is obtained by a hacker. Once the hacker has the zone data, that person can gather DNS domain names, computer names, and IP...

IPSec Rules

IPSec policies are applied based on rules. A rule provides the ability to create secure communication based on the source, destination, and type of IP traffic. Each rule contains a list of IP filters and a set of security actions to take. Each policy can contain one or more rules, all of which can be active simultaneously. The <Dynamic> Default Response rule is discussed later in this section, as it is present in all IPSec policies and cannot be deleted, although it can be deactivated. Each...

Secedit configure

The first switch shown in the secedit help file is the configure switch. It is used to configure a system with security settings stored in a database. The parameters are described in Table 2.6. Table 2.6 secedit.exe configure Switch Parameters (Parameter: Description). /db filename: This argument specifies which database file to use to perform the security configuration. It is a required argument. /cfg filename: This argument specifies a security template to import into the database prior to...

Configuring Security for Domain Controllers

DCs are the heart of any Windows-based network. As their name implies, they control activities on the domain. Their roles can be limited to just one function, or the DC can be configured to have several related functions. This decision is typically based on the size of the network and the number of users and processes that will access the DC. The larger the network, the more specialized DCs tend to become. Regardless of the specific configuration, it's critical that the DCs be well protected,...

RIP

Figure 7.4 Setting Up a New Routing Protocol. After selecting RIP Version 2 for Internet Protocol as in Figure 7.5, you will be able to configure it from the main screen. There are several security measures that you as an administrator can take to make RIP broadcasts less vulnerable to sniffing or other types of threats. If RIP version 2 is used, simple passwords can be set up such that any router receiving an RIP transmission checks to see if the...

Adjust Memory Quotas for a Process

This privilege allows its bearer to modify the maximum memory used by a process, and is given by default to administrators. This right can be potentially misused if given to the wrong user account, and can create a DoS attack against your network by setting the memory requirements for a certain process low enough to prevent it from running properly. An attacker can use this the other way around as well, by setting the memory utilization for a process very high so that it consumes all the...

Common Threats to Domain Controllers

The most common threats to DCs are those that attempt to gain access to the security database on a DC. The DC contains all user accounts and passwords, so accessing this computer provides a hacker almost unlimited access to the network. Typical assaults include: Gaining physical access to the server to copy the security database onto removable media for later analysis. Gaining access to the security database to modify user rights to provide administrative access to unauthorized user(s). Gain...

DNS Resource Records

A DNS RR contains information about resources in the domain. There are different types of RRs that provide names, IP addresses, and other information related to hostnames. Default settings for DNS RR might be adequate for your organization. To harden security, DNS can be integrated with Active Directory to use Active Directory security features when hosted on a DC. If DNS is integrated with Active Directory, managing the DACLs on the DNS RRs will provide additional security. Again, work with...

Test Day Tip

The Windows Server 2003 interim domain functional level is a special level that's available if you're upgrading a Windows NT 4.0 PDC to become the first domain controller in a new Windows Server 2003 domain. When you upgrade the domain functional level of your Windows Server 2003 domain, new administrative and security features will be available for your use. Just as when you set Windows 2000 to either mixed or native mode, specifying the domain functional level is a one-way operation; it cannot...

Digitally Signing Authentication Traffic

When a computer is joined to a domain, a computer account is established. In order to communicate with the DC, it must be authenticated. Three settings can be used to determine whether signed and encrypted authentication is used. The three GPO settings that deal specifically with digitally signing authentication traffic are: Domain member: Digitally encrypt or sign secure channel data (always); Domain member: Digitally encrypt secure channel data (when possible); Domain member: Digitally sign secure...

IPSec Driver Modes

In understanding how policies work, it's important to understand that the IPSec driver operates in three modes: computer startup, operational, and diagnostic. Computer startup mode is used when the computer is starting up. Operational mode is used when the computer is up and running in normal operational mode. Diagnostic mode is used for troubleshooting. The IPSec driver is loaded at startup along with other system services and drivers. Computer startup mode is used until the IPSec Policy Agent...

Defining a Baseline Security Template

Securing servers is critical in today's environment where corporations run their businesses via electronic networks. To assist in managing large networks, Windows Server 2003 includes predefined security templates. These templates allow the network administrator to use or modify predefined settings that can be applied to any number of similar computers in a network. The task of securing servers is both simplified and enhanced, since templates reduce the likelihood of error or omission when...

Securing Terminal Servers

Terminal Server is used for two primary functions: one is to allow remote users to connect to applications and files without running them on their own computers. The second use is remote administration of other computers. In Windows Server 2003, you no longer need to use Terminal Server for remote administration. Instead, you can use the Remote Desktop for Administration (RDA), formerly Terminal Services in Remote Administration mode. RDA is installed by default on computers running Windows...

Exporting and Importing IPSec Policy

Once you've defined domain-based IPSec policy, you might want to import or export it. In order to back up or restore IPSec policy objects in the IP Security Policies container in Active Directory, you need to use the IP Security Policy Management snap-in in the MMC. You can also use the netsh.exe command-line utility with the IPSec context to perform these actions. As shown in Figure 5.9, you can import or export IPSec policy for the local computer for the domain. In this case, the IP Security...

Chapter Designing a Secure Public Key Infrastructure

NoMoreHackers Inc. is implementing a PKI implementation. You have been asked to work as a consultant to design the PKI blueprint for the company. You have met with the CIO and the senior management to gather the requirements. You are confident of creating a sophisticated PKI architecture for the company. What will be your first step in the process? A. Determine the location of the CAs. C. Determine which CA trust hierarchy we will use. D. Design the head office CA first, and then proceed to the...

Netsh Commands

The netsh.exe command can be used to work with IPSec policies and it is referred to throughout this chapter. Let's take a minute to review the netsh.exe command. netsh.exe is a command-line utility that can be used instead of the console-based management provided by the IP Security Policy Management and IP Security Monitor snap-ins in the MMC. The netsh command has many different uses in Windows Server 2003. Each type of use is called a context. For example, you can use the DHCP context to...

Figure ktpass Command Line Descriptions

Set account for des-only encryption (default do) Keytab to read digest options for key generation KRB5_NT_PRINCIPAL The general ptype-- recommended KRB5_NT_SRV_INST user service instance KRB5_NT_SRV_HST host service instance Default query DC for kvno. Use kvno 1 for Win2K compat. - + Answer +Answer answers YES to prompts. -Answer answers NO. - Target Which DC to use. Default detect...

DNS Zones

DNS zone data can be secured by using secure dynamic updates and security features found in Active Directory when DNS is integrated with Active Directory. There are four major components to securing DNS zones: configure secure dynamic updates, manage DACLs on DNS zones stored in Active Directory, restrict zone transfers, and understand the pros and cons of zone delegation. Configure secure dynamic updates: DNS in Windows Server 2003 is configured not to use dynamic updates, by default. While this...

External Trusts

You'll create an external trust to form a nontransitive trust with a domain that exists outside your Windows Server 2003 forest. External trusts can be one-way or two-way and should be employed when users need access to resources located in a Windows NT 4.0 domain or in an individual domain located within a separate Windows 2000 or Server 2003 forest with which you haven't established a forest trust. You'll use an external trust instead of a forest trust if the trusting domain is running Windows...

Increasing User Awareness

There are two aspects to user awareness: identifying sensitive files and using EFS appropriately. As an IT administrator, there's a good chance you (or your department) are not fully aware of which files are most sensitive for various departments. Each department should identify which files or types of files are most sensitive. This is a good opportunity for you to educate users on what EFS is and what its capabilities are (and are not). Then, users can make intelligent decisions about which...

DNS Server Service

There are a number of ways the DNS Server Service can be configured to reduce the risk of and exposure to attack. The first step is to examine the configuration of the DNS Server Service to review settings that affect security. The second step is to manage the discretionary access lists (DACLs) on DNS servers that are running on domain controllers (DCs). Finally, implementing the NTFS file system on DNS servers running any operating system that supports NTFS protects the files on the server....

Creating a Kerberos Policy

Windows 2000 and Windows Server 2003 both offer support for Kerberos, which is a strong network authentication protocol that relies heavily on cryptography. Windows Server 2003 allows you to configure a Kerberos policy in Group Policy. In this section, we'll discuss some of the configurable settings. Enforce user logon restrictions: If you enable this setting, you force every session to validate a ticket using the V5 Key Distribution Center, or KDC, against the User Rights policy of every...

Designing Trust Relationships Between Domains and Forests

Transitive Trust

A trust creates the framework that governs domain-to-domain or forest-to-forest relationships. A trust allows users in different domains or forests to access resources in other domains or forests based on the trust that is established. Just as in previous versions of the Windows Server operating system, Windows Server 2003 trusts allow network administrators to establish relationships between domains and forests so that, for example, users from Domain A can access resources in Domain B. Unlike...

Securing Remote Access Servers

Remote Access Servers (RAS) are used to provide access to the network for users who are not physically located in the same place as the network. The most typical scenario, as you can imagine, is with users who travel. Clearly, the first step in securing a RAS is to carefully determine who requires remote access. Granting remote access only to users who require it will greatly enhance security. If you're using the server as a router as well (often referred to as Routing and Remote Access Server,...

Viewing Registry Access Permissions

In this exercise, we'll step through reviewing Registry access permissions. We will not make any changes to the Registry settings, but you should still use care. You should also choose to Cancel out of screens or dialogs instead of clicking OK. If you were making changes that you wanted to keep (on the job), you would click OK instead. Most needed changes can be made without directly editing the Registry, and best practices dictate that any time you can avoid directly editing the Registry, you...

Designing a Permission Structure for Data

Designing a permission structure for data can be a challenging task and should be thought out carefully, because rectifying it later and making changes can be a complicated and very time-consuming task. For this reason, a well thought out design plan should rely on Microsoft recommended best practices for permission structure. The Microsoft strategy for this kind of structure is known as the AGDLP, which is a strategy you should be familiar with from the core 4 requirements. The AGDLP calls for...

Define a Baseline Security Template for All Systems

You are the network administrator for a small network that has 40 computers on a network. You have two Windows Server 2003 computers, one of which is a DC and the other is providing remote access to users who travel throughout the United States. The computer running the remote access services also runs DHCP, DNS, and WINS for your firm. There are two file and application servers running Windows 2000, and you have client computers running Windows XP, Windows 2000, and Windows 98. Your applications...

Managing the Risks of Network Administration

When a company experiences a period of growth and expansion, it often adds more IT staff in addition to infrastructure such as servers and networking equipment. There will probably be situations in which administrators are hired to do specific tasks, or they could be less experienced administrators who aren't strong in all aspects of the network management process. For this reason, you don't want to grant all your administrators the same level of administrative rights, because if an administrator...

Establishing Renewal and Auditing

We need to protect the public key and private key pairs of the enterprise. If these keys are compromised, the security of the enterprise is in serious jeopardy. Intruders can cause malicious harm to the resources by getting unauthorized access. A disgruntled employee could act as an intruder to sabotage the IT system. This intruder can log on to the CA server and issue fraudulent certificates to unauthorized users. What will you do as the CA administrator to avoid this scenario? It is best...

Using the Configure Your Server Wizard

Select a test server to work with that will not disrupt normal operations. Log onto your system using the Administrative account. 1. Click Start, select Administrative Tools, and then select Configure Your Server Wizard. 2. The Welcome screen is displayed. If you are unclear about server roles, you can click the link provided to the Configure Your Server wizard help file on server roles. 3. Click Next to begin. Clicking Help on any screen will open the Configuring Roles for Your Server Help...

Configuring an L2TP RRAS Server to Accept Certificates

1. Open the RRAS configuration utility, right-click the server, and choose Properties. 2. On the Security tab, click the Authentication Methods button as in Figure 7.24. [Figure 7.24: Security Tab of the Answering Router's Properties Sheet]

Using the cipher Command to Add Data Recovery Agent

1. Click Start | Run, type cmd, and then click OK. 2. Type this command at the prompt and then press Enter to execute the command. If you do not specify a filename when using the cipher /r command, files named .CER and .PFX will be created (essentially, no filename, just the extension). Instead, use a filename such as the testdra we used earlier. Once you've added the DRA to the EFS policy, you can right-click on the DRA and edit the properties, such as giving it a user-friendly name and a...

Restricting User Access to Operating System Features

As we mentioned previously when talking about hardening client operating systems, sometimes the default installation of an operating system gives the users more control over their desktop than you, the administrator, would really like. Windows Server 2003 makes it a relatively simple matter to lock down operating system features using Group Policy Objects (GPOs). You can restrict access to items such as the command prompt, the run line, and Control Panel. You can prevent users from mapping or...

Windows Server Predefined Security Templates

Windows Server 2003 provides several different security templates, each of which applies a different group of security policy settings for distinct security needs. The release of Windows Server 2003 represents a departure from the way Microsoft has implemented security in the past. With this release, security is set to the fewest possible permissions. It is up to you, the network administrator, to modify settings as needed. However, before you make any changes, research and test the results to...

Hardening Client Operating Systems

When you receive a new workstation from a major manufacturer, you'll often find that the operating system has been installed in an insecure fashion. Often, a vendor will create a default operating system installation designed to make a new computer easy to use and navigate for an inexperienced user; however, this can have major ramifications in terms of the security of a newly installed computer. You'll often find new operating systems installed with any number of development tools and utilities,...

Creating an Account Lockout Policy

An Account Lockout policy offers you an additional level of control and security by controlling how, when, and why an account can be locked out. The idea behind account lockout is to protect your network against someone trying to crack your passwords by continuously trying to guess them, or by running a password cracker against your account database. Account lockout settings can deter a hacker by locking the account and preventing any further attempts to guess passwords. However, sometimes the...

Recovering Network Services After an Attack

Once you've collected all of the incident tracking or forensics information you want, you can now turn to restoring a compromised machine to a healthy state. As with the rest of the Incident Recovery plan, you should document and test these steps beforehand as much as possible so that actual recovery times are as quick as possible, minimizing any downtime for your users. Unfortunately, once a system has been compromised, in many ways you can't trust any of the information that's stored on it...

Assigning IPSec Policy

Once IPSec policies have been created, the list is available to assign to any level of the Active Directory hierarchy, but only one policy can be assigned at any given level in Active Directory. IPSec policy applied to an OU takes precedence over domain-level policy for members of the OU, which is why servers should be placed into OUs. You should also apply IPSec policy to the highest OU possible to avoid dealing with potential IPSec policy conflict and to ease security administration. A child...

Defining a Security Group Retirement Policy

When you create your security group policies, another important element is defining when a group should be retired and how this will be accomplished. Obsolete groups can create security holes and administrative clutter. There are two aspects to this task: identifying and deleting obsolete security groups. Obsolete groups can often be spotted by the lack of changes to the group. Typical groups will have changes to membership over time. Any group that has not changed for a period of time might be...

Reapplying Default Security Settings

Since beginning at a known starting point is critical to securing the network, you might choose to reapply default security settings. One important point to note is that even when you reapply the security settings via the Setup security.inf file, settings that are not defined in the template will persist. Security settings persist when: The setting is for a file system object. The setting is for a Registry object. The setting has not been defined previously for the computer. Although there are a...

Configuring Security for Down Level Clients

We've touched on several considerations related to down-level clients throughout our discussion of the various security templates. Now, let's pull this information together to understand specifically how to deal with down-level clients. A down-level client is a computer that is running an operating system that was released prior to the current version (in this case, Windows Server 2003). Although a computer running Windows 2000 is now considered a down-level client, Windows 2000 computers are...

Using the Syskey Utility

1. From the Windows desktop, click Start | Run, then type syskey and click OK. You'll see the screen shown in Figure 10.1. [Figure 10.1: Enabling Syskey Encryption] 2. Click Encryption Enabled, and then click Update. 3. Choose from the security options shown in Figure 10.2. The different options available to you are as follows. System Generated Password, Store Startup Key Locally: This encrypts the SAM or directory services information using a random key that's...

Using cipher.exe

Cipher.exe is a command-line utility that can be used to display or alter encryption on folders and files in the NTFS file system. If it is used without any switches, the cipher command will display the encryption state of the current folder and all files within the folder. A number of switches can be used with the cipher command, as summarized in Table 9.7. We'll go through a few of the commands, including /r to generate a new recovery agent, which is used in a later exercise. The syntax...

Understanding the Elements of a Remote Access Policy

Remote access policies consist of the following elements: conditions, permissions, and profiles. We'll discuss each of these elements in turn, and list how each can be used to control remote access attempts by your network clients. Remote access conditions consist of one or more attributes that can be compared against a connection attempt by a remote user. A remote access policy can specify one or more of these attributes that should be checked before allowing access. If a policy specifies...

Exam Objectives Fast Track

Designing Security for Communication between Networks: RRAS is used to configure Windows Server 2003 as a router for internetwork communications. The route can be configured with either a dedicated connection or with a demand dial connection, and the design and implementation of a routing protocol is a key to good security. RIP version 2, OSPF, and static routes can be made secure if implemented properly. This can include using password-based router authentication, route filtering, and peer...

And Extensible Authentication Protocol

The 802.1X standard uses EAP for message exchange during the authentication process, to protect the contents of the authentication process. Remember that EAP is an extension of the PPP protocol that provides arbitrary authentication mechanisms to be used for the validation of a connection. Thus, with EAP, arbitrary authentication mechanisms such as certificates, smart cards, or passwords can be used to authenticate the wireless connection. There are three authentication methods available using...

Using Group Policy to Deploy Software Updates

Group Policy is another great way you can deploy software in general and patches and updates in particular. Using GPOs, you can even customize who gets which updates and can thereby exert more granular control over the software distribution process, allowing you to prioritize updates based on importance. As we discussed in the last section, this is something that SUS will not allow you to do. For example, let's say that a security patch has just been released that addresses a particularly...

Secedit analyze

The analyze switch causes secedit to analyze security for whichever element is selected. The parameters for the analyze switch are shown in Table 2.8. This switch allows you to analyze current database settings against other settings (typically baseline settings) and store the results in a log file. You can view the results in the Security Configuration and Analysis snap-in. The result will show you the difference between the current settings and the baseline settings, allowing you to see and...

Self Test

A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix. 1. Your forest is structured according to the illustration in Figure 4.15. You have a group of developers in the east.fixed-wing.airplanes.com domain who need to access files in the domain on a regular basis. The users are complaining that accessing the files in the development...

Impersonate a Client After Authentication

This right allows a service or program to impersonate the user after logon, which means that the service or program can use the credentials that the user used to log in to perform an action, rather than the credentials the service or the program used to launch itself. This is a great security enforcer that was not available with Windows 2000 SP3 and earlier, but was introduced with SP4, and of course is available by default in Windows Server 2003. Prior to Windows 2000 SP4, any service or...

Secedit export

The secedit command also allows you to export security settings contained in a specified database. Table 2.10 shows the required and optional parameters for the export function. This function is typically used for two primary purposes. First, if you want to preserve the current settings on a system, you can export them. This can be useful if you want to experiment with various settings but want to bring the system back to its original known state. It's also commonly used to export customized...

Setting Registry Access Permissions via Group Policy

In this exercise, we'll step through how to set Registry permissions via Group Policy. For the purposes of this exercise, we'll select the default domain policy. However, in practice, you might apply these settings to an OU, a site, or a domain. 1. Click Start | Run, type mmc in the Open text box, and then click OK to launch the Microsoft MMC. 2. Click File | Add/Remove Snap-in. 3. In the Add/Remove Snap-in dialog, click Add. Scroll through the list until you locate Group Policy Object Editor....

Secedit refreshpolicy Replaced by gpupdate

In Windows 2000, the secedit command used the refreshpolicy switch to refresh local Group Policy settings and Group Policy settings stored in the Active Directory. This command is replaced in Windows Server 2003 by the command gpupdate.exe. This command-line tool does what the refreshpolicy switch in the secedit command did in Windows 2000. Table 2.12 shows the parameters for the gpupdate command. If you'd like to view help options for the gpupdate command, use the following command line string...