War Chalking

War chalking is much like war driving. What is done with war chalking, though, is that somebody actually gets out of the car and puts a special symbol on your sidewalk, driveway, garage, or the middle of the street indicating that an unsecured wireless network is nearby. War chalking gets its name from two sources. First is the practice of war dialing, in which a user uses a modem and dials all the numbers that it can find in the area to look for a modem that answers. Once a modem is found, the...

Configuring an IPSec Rule

You can create customized IPSec policies, each with its own set of rules. Each policy can host more than one rule, and it is important to understand how these rules work because these rules govern how and when a policy is invoked. Any number of rules can be active simultaneously. You can create or modify existing rules to meet your requirements. Filters are applied in the order of most-specific filters first. A rule consists of the following components: Tunnel endpoint: A tunnel endpoint defines...

Configure the Exit Module to Publish to Active Directory

On the CA computer, choose Start > All Programs > Administrative Tools > Certification Authority. 2. Right-click the CA and then choose Properties from the shortcut menu. 5. Verify that the Allow Certificates To Be Published In Active Directory check box is enabled. If it isn't, check it. Click OK to close the Certificate Publication Properties dialog box and click OK again to close the CA Properties dialog box.

Software Update Services: Keeping Servers and Clients Up to Date

You can find the Software Update Services software at www.microsoft.com/windowsserversystem/sus/default.mspx. This software will help you manage and distribute critical Windows updates and fixes. What this software relieves you of is the responsibility of having to constantly check for new updates or download those updates when they become available. SUS does this automatically. And only one server requires access to the Internet; the rest of your servers and workstations can be on an isolated...

Implementing and Configuring Auditing

A part of any security strategy is determining the events to be audited on your network. Auditing should identify successful and unsuccessful attacks. Moreover, auditing should identify events that pose a threat to your network or sensitive resources. There may also be legal, contractual, or regulatory reasons driving your auditing strategy. When you implement auditing in Windows Server 2003, those events are recorded in the Security Log. The more events you select to audit, the more event...

Virus Attacks

A virus is a piece of code that replicates itself by attaching itself to other programs or files. When these files run, the code is invoked and begins replicating itself. Some of the first computer viruses were found in 1981 on an Apple II computer. Nearly every platform now has viruses that can exploit its vulnerabilities. Microsoft platforms seem to be the focus of many virus creators because they represent such a large target and of other virus creators because they hold ill will toward...

Securing Files and Folders with the Encrypting File System (EFS)

Now that you're confident that your e-mail is not being read by everyone on the Internet and everyone internally in the company, let's move on. You can use the Encrypting File System (EFS) to encrypt all the folders and files that you have to protect from prying eyes. You can use EFS to encrypt files stored on Windows 2003 NTFS-formatted drives. EFS uses key pairs in combination with a symmetric key to perform encryption and decryption. Using EFS is simple from the user perspective. Certificate...

Working with Security Templates

You create and modify security templates using the Security Template snap-in of the MMC. The way to access the templates is to create a new MMC and add the security template to the new MMC. Follow these steps: 1. Choose Start > Run to open the Run dialog box. 2. In the Open box, enter mmc.exe to run a new MMC. 3. Choose File > Add/Remove Snap-In to open the Add/Remove Snap-In dialog box. 4. Click the Add button to open the Add Standalone Snap-In dialog box, shown in Figure 1.1, and select...

Using Event Logs

This section looks at the particular logs available to you, how they work, and how to interpret the information they provide. IIS writes its events to a text file in the systemroot\system32\logfiles folder. Each website that is run by IIS has its own folder under which the log files are generated. The default website's folder name is W3SVC1. If you installed a second website, its folder name is W3SVC2. The default log format is the W3C Extended Log File Format. These log files generate the...

Audit Policies

Auditing is both a proactive and reactive security measure. It informs administrators of events that might be potentially dangerous and leaves a trail of accountability that can be referenced in the future. By default, all auditing is turned off; if you want to use this feature, you'll need to turn it on. The easiest way to do this is through a security template that is applied to all your servers. Before you can configure a template for auditing, you must first plan your audit policy. The...

Answers to Assessment Test

You can think of a template as having predetermined settings that can be applied to multiple objects, either at the same time or at different times. You can use a template to build a Group Policy. Only answer A matches the purpose and use of a template. For more information, see Chapter 1. 2. C, D. When you take a long step back from Windows Server 2003 you'll find that there are really two parts to a GPO: one for the computer and the other for the user. For more information, see Chapter 1....

Configuring the Automatic Certificate Request Group Policy

In this exercise, you will configure the default domain Group Policy to allow the automatic enrollment of Computer certificates. 1. Choose Start > Administrative Tools > Active Directory Users And Computers to open Active Directory Users And Computers. 2. Right-click your domain and choose Properties from the shortcut menu. 4. Click the Default Domain Policy and then click the Edit button. 5. Expand the Computer Configuration folder, the Windows Settings folder, the Security Settings...

Installing an Issuing Enterprise CA

In this exercise, you will install an issuing CA using the intermediate CA installed in Exercise 9.3 as the provider of the certificate for your new CA. The intermediate CA will be much like your root CA in that it will be a stand-alone offline CA too. 1. On the new issuing CA, choose Start > Control Panel to open Control Panel. 2. Click Add Or Remove Windows Components in the left pane. 3. Select the Certificate Services check box. Click Yes when you see the message stating that you cannot...

Registry and File System Permissions

You use the Registry node to configure both access control entries and auditing values for specific Registry keys. To modify the Registry settings, first select the Registry node in the left pane. Some templates may not display anything in the right pane, but those that can modify the Registry entries will display a list of Registry settings in the right pane. The hisecdc template does not show the registry settings (see Figure 1.12). Use the compatws template, for example, to show the registry...

Answers to Review Questions

When you install SQL Server 2000 using Windows Authentication Mode, the security context of the user is used for validation to a DC before allowing setup to continue. Kerberos becomes the default authentication protocol, and the directories and Registry keys are secured in this mode as well. 2. A. Security Account Delegation, or Delegation Authentication, is the ability of one server to request a ticket on behalf of a user or service account when that user is currently connected to the local...

The Sybex Test Engine

These are a collection of multiple-choice questions that will help you prepare for your exam. There are three sets of questions: Two bonus exams designed to simulate the actual live exam. All the questions from the Study Guide, presented in a test engine for your review. Here is a sample screen from the Sybex MCSE test engine.

Authenticating with Client Certificate Mapping

Client certificate mapping is the process of mapping certificates on client computers to Active Directory accounts. Certificates are used in many applications, including data encryption, signing of data, and providing authentication. A certificate includes an encrypted set of authentication credentials, which includes the digital signature from the issuing certificate authority (CA). As you saw in Chapter 6, "Deploying, Managing, and Configuring SSL Certificates," the process of obtaining a...

Back Up the CA

Choose Start > Administrative Tools > Certification Authority. 2. Right-click the CA and choose All Tasks > Backup CA to start the Certification Authority Backup Wizard. 3. Click Next to open the Items To Back Up screen. 4. Select the Private Key And CA Certificate check box and then select the Certificate Database and Certificate Database Log check box. 5. In the Back Up To This Location field, enter the drive and path for the location where the backup will be stored. The wizard creates...

Restricted Groups

You use the Restricted Groups node to define who should and should not belong to a specific group. When a template with a restricted Group Policy is applied to a system, the Security Configuration Tool Set adds and deletes members from specified groups to ensure that the actual group membership coincides with the settings defined in the template. For example, you might want to add the Enterprise Admins to all Domain Admins security groups or to add the Domain Admins group to all Local...

Installing the Directory Services Client

In this exercise, you will install the Directory Services client on a Windows 98 computer and configure it to use NTLM version 2. For this exercise, you need a Windows 98 system and the Windows 2000 Server CD. This exercise assumes that Windows 98 is already installed and on the network and that the latest version of Internet Explorer is also installed. For Windows 95, you need to follow all these steps, plus install the Distributed File System (DFS) client, WinSock 2.0 Update, and the Microsoft...

Chapter Managing Client Computer and Server Certificates and EFS Figure The EFS process

[Figure labels: User enables the encryption attribute; 5. Recovery Agent's Public Key encrypts FEK; 2. Symmetric encryption using the FEK] Once the encrypted file is stored on the hard drive, the only user who can open the file and read its contents is the user who stored the file using their public key to encrypt the FEK or an account that has the recovery agent's certificate. In both cases, the private key from the certificate is required to decrypt the file using these steps: 1. The user attempts to open...

Configuring and Publishing a Certificate from a Stand Alone CA

In this exercise, you will configure the CA and set up certificate enrollment to properly publish certificate information in Active Directory. This requires that the stand-alone CA is online and 1. On the CA computer, choose Start > Run to open the Run dialog box. In the Open box, enter cmd and press Enter to open the command console. 2. At the prompt, enter certutil -setreg exit\publishcertflags exitpub_activedirectory and press Enter. 3. Choose Start > All Programs > Administrative Tools...

Anonymous Authentication

Web authentication takes place when the browser tries to access web server content. If Anonymous authentication is enabled and the proper file permissions are in place, all connections are allowed. This is the most common setting for web servers; after all, can you imagine having to log in on every website that you visit? That would drive everyone over the edge. So if you want others to have access to web servers that host public information, always configure those servers to use Anonymous...

Enforcing SSL on IIS

In this exercise, you will configure IIS 6 so that any browser connections to the website on which the SSL certificate has been installed must use SSL. 1. On your web server, run the IIS MMC snap-in. Choose Start > Administrative Tools > Internet Information Services (IIS) Manager to start the console. 2. Right-click the website on which you want to install the certificate and choose Properties from the shortcut menu to open the Properties dialog box for the website. 3. Click the Directory...

NT LAN Manager (NTLM)

NTLM is used by down-level operating systems such as Windows 95, Windows 98, and Windows NT 4. NTLM is also used by Windows 2000, Windows Server 2003, and Windows XP Professional when logging in to a Windows NT 4 domain and when logging in to the local computer accounts database (not Active Directory domains). There are three versions of NTLM: LAN Manager (LM): This form of NTLM is available in Windows 2000, Windows Server 2003, and Windows XP Professional so that computers running these operating...

Configuring Authentication Protocols to Support Mixed Windows Client Computer Environments

As we just mentioned, only two protocols are available when logging on to the domain. You can use Kerberos if you have an Active Directory domain environment, or you can use NTLM. As we discussed, only Windows 2000, Windows Server 2003, and Windows XP Professional can use Kerberos. Even if you are using only Windows 2000, Windows Server 2003, and Windows XP Professional, you need to use NTLM to avoid significant problems such as with clustering and RIS. As with any change, test it to the best...

Disabling LM and NTLM version

In this exercise, you will disable LM and NTLM version 1 so that any clients attempting to use these authentication protocols will be ignored. 1. Choose Start > Administrative Tools > Active Directory Users And Computers. 2. If necessary, expand the MMC (Microsoft Management Console), right-click the domain name, choose Properties from the shortcut menu to open the Properties dialog box for the domain, and then click the Group Policy tab. 3. Select Default Domain Policy and then click Edit to...

MAC Filtering

Yes, a Media Access Control (MAC) address is not exactly friendly and easy to use. Anyone who has done MAC filtering with other devices knows how difficult it is to configure. Just entering the MAC 12 hexadecimal numbers can be a pain all its own. It is easy to read the wrong number or mistype it. A MAC address is unique to the network device. At least it is supposed to be unique. Assuming that it is unique and that you can identify a single network device from its MAC address, this may have some...

Preserving the Chain of Evidence

If you intend to pursue criminal prosecution, the evidence that an investigator may need might reside in a Word document, on a spreadsheet, or in some other file. Evidence may also reside on erased files, file slack (that area of a sector that is hosting a file but is not filled with any data), or even in a Windows swap file, all of which are volatile and easily changeable if not properly accessed. Sometimes, simply booting up a computer can alter and even destroy data fragments that can...

Installing an Intermediate CA

In this exercise, you will install an intermediate CA using the root CA installed in Exercise 9.1 as the basis of your new CA. The intermediate CA will be much like your root CA in that it will 1. Choose Start > Control Panel to open the Control Panel. Select Add Or Remove Programs. 2. Click Add Or Remove Windows Components in the left pane. 3. Select the Certificate Services check box. Click Yes when you see the message stating that you cannot change the computer name or its domain...

Setting the Three Inbound Filters

Click the Inbound Filters button and then click New to open the Add IP Filter dialog box. 2. Select the Destination Network check box and then enter the IP address and the subnet mask for the external interface. 3. In the Protocol drop-down list box, select Other. In the Protocol Number box, type 47, and then click OK to close the Add IP Filter dialog box. 4. In the Inbound Filters window, click New. 5. Select the Destination Network check box and enter the IP address and the subnet mask for...

Figure The Registry node in the Security Templates console

[Screenshot: the Security Templates console tree under C:\WINDOWS\security\templates, listing the compatws, DC security, hisecdc, hisecws, iesacls, rootsec, securedc, securews, and setup security templates. The right pane reads "There are no items to show in this view."]

Passport Authentication

Passport authentication is a significant step for IIS 6 administration. Microsoft Passport provides another authentication method for IIS. However, with Passport, the administrators of the website do not have to maintain account information, and the users of the website do not have to remember a specific account name and password for the site. It is convenient for both the web administrator and the user. While there is increased convenience, there is also increased risk because web...

Configuring the Trusted Root Certification Authorities List Using Group Policy

In this exercise, you will add an offline root CA's certificate to the Trusted Root Certification Authorities list using Active Directory Group Policies. 1. Choose Start > Administrative Tools > Active Directory Users And Computers to open Active Directory Users And Computers. 2. Right-click your domain and choose Properties from the shortcut menu. 4. Click the Default Domain Policy and then click the Edit button. 5. Expand the Computer Configuration folder, the Windows Settings folder, the...

Configuring Anonymous Authentication in IIS

In this exercise, you will configure an IIS 6 web server to use Anonymous authentication: 1. On the IIS server, choose Start > Administrative Tools > Internet Information Services (IIS) Manager to open Internet Services Manager. 2. Expand Server to expose the sites, if necessary, and then right-click any site on which you want to use Anonymous authentication. For example, the Default Web Site will work just fine. Right-click the site and then choose Properties from the shortcut menu to open the...

Viewing Published Certificates and CRLs in Active Directory

In this exercise, you will go through the steps to properly view the published certificates and CRLs in Active Directory. 1. Choose Start > Administrative Tools > Active Directory Sites And Services to open the AD Sites And Services window. 2. Choose View > Show Services Node. Expand the Services folder, expand the Public Key Services folder, and then click AIA to view the certificates that have their AIA information in Active Directory: the root CA, the intermediate CA, and the enterprise CA...

Understanding Windows Events

When Windows Server 2003 boots up, logging begins automatically in several logs. A log is a file that holds event information for later review. Auditing is the process of extrapolating events from a log file to ascertain what has happened on the network. An event is a significant occurrence in the system or in an application that should be recorded for later review. Events can be recorded in the following logs: Application: The Application Log is the location where applications record their...

Using Multiple DNS Names

Let's say you are the network administrator for a company that uses Outlook Web Access so that many people can access their e-mail from outside the office without having to install Outlook or configure Outlook Express. The problem is that you have heard that many people in the company have been told to use https://owa.companyname.com/exchange to access their e-mail, and others have been told to use https://email.companyname.com/exchange. Because the certificate was purchased for the email....

User Rights Assignment

You use the User Rights Assignment node to assign user and/or group rights to perform activities on the network (see Figure 1.10). To configure user rights, select the User Rights Assignment node and then double-click the right that you want to configure in the right pane. Select the Define The Policy Settings In The Template check box, and then add the users and/or groups to the setting. Click OK to display the new settings next to the right in the Computer Setting column in the right pane. In...

Add a Certificate with Trust List Signing Capabilities

To add the Trust List Signing certificate template, follow the steps in Exercise 9.6. Then follow these steps: 1. Choose Start > Run to open the Run dialog box, enter MMC in the Open box, and press Enter. 2. Choose File > Add/Remove Snap-In. 3. Click the Add button. Select the Certificates snap-in from the list and click Add. 4. Click the My User Account radio button and click Finish. 5. Click Close in the Add Standalone Snap-In window. Click OK in the Add/Remove Snap-In window. 6. Expand the...

Enabling SMB Signing

SMB signing places a digital security signature into each SMB message, which is then verified by both the client and the server to deter impersonation and man-in-the-middle attacks. SMB signing will impose a 10 to 15 percent overhead hit on each server and client due to the additional processing required for each packet. Additional bandwidth is not required, however, to implement SMB signing. SMB signing must be enabled on both the client and the server before it can be used. It is not...

Common IPSec Event Log Entries

IPSec utilizes the Windows 2000 and Windows Server 2003 event logs to record events as they occur. These events can be used to assist in troubleshooting IPSec. In particular, there are events in the system log and events in the application log that are very valuable in troubleshooting IPSec (see Table 4.1). Identifies that an IPSec policy is in use on the computer. Also provides the source of the IPSec policy (local or domain) and the polling interval. Also shows when a change to an IPSec policy...

Configuring GPO for Automated Certificate Distribution for Domain Controllers

In this exercise, you will set up the Group Policy Object (GPO) for the Domain Controllers organizational unit to distribute certificates to the domain controllers. 1. On an Active Directory domain controller, open the Active Directory Users And Computers MMC snap-in by choosing Start > Administrative Tools > Active Directory Users And Computers. 2. Right-click Domain Controllers and choose Properties from the shortcut menu to open the Default Domain Controller policy. Click the Group Policy...

You secure FTP and Telnet traffic using IPSec; You secure HTTP traffic using SSL

If your Unix clients need to use their native NFS (Network File System) for file services, you can design a secure resource topology in Windows by installing Services for Unix. In this scenario, the Unix clients authenticate to their own NIS (Network Information Service) server. In order for them to access files on the Windows server, you need to map the user identifier (UID) and group identifier (GID) from the NIS server to an account in AD. This mapping assigns the Unix account an SID from the domain...

Using Scripts to Deploy Templates

You can also use the command-line version of the Security Configuration and Analysis tool (secedit.exe) to deploy security templates. Specifically, you use secedit /configure to apply a stored template to one or more computers. Here are the switches and what they mean: /db filename: Use this switch, which is required, to specify the location of the database file that you want to use. The database referred to here is one that is created using the Security Configuration and Analysis tool (SCA). We'll...