Windows 2000 Security Study Guide - 70-220
Tutorial Quick Links:
Before You Proceed
The Business Side of the Story
The Security Strategies
The Windows 2000 Specific Technologies
Further Readings
Before You Proceed
The 70-220 exam covers security issues related to Active Directory and the network infrastructure. Master the material of exams 70-215, 70-216 and 70-217 before attempting this one. The exam focuses on the "paper aspect" of security, that is, planning and design; step-by-step technical implementation is not tested. You need basic business sense to work through the case studies, and some knowledge of project management helps as well.
The Business Side of the Story
Security Planning - Business Considerations
- Security planning involves tradeoffs: risk vs cost
- Different costs:
- Monetary cost
- Employee time
- Company morale
- Internal politics
- Factors to consider:
- Company priorities
- Legal considerations
- Growth strategies
- Profit and loss factors
Company Models
- Regional Model - likely issues: dial up access, WAN links
- National Model - likely issues: VPN, WAN links, Web site
- International Model - likely issues: VPN, Web site
- Subsidiary Model - likely issues: dial up access, VPN client, outgoing internet access
- Branch Office Model - likely issues: dial up access, VPN client, WAN links, outgoing internet access
Security Planning - Technical Considerations
- Ease of implementation
- Ease of maintenance
- Ease of administration
- Ease of upgrade
- Cost of implementation
- IT administrative structure
- Performance factors
Security planning process steps
- Information gathering
- Identification of needs and problems
- Analysis of the existing administrative structures
- Analysis of the technical requirements
- Design of the new solutions
- Implementation
- Assessment and evaluation
- Revision
Technical Requirements - Relevant Factors
- Company size
- User distribution
- Resource distribution
- Connectivity
- Net available bandwidth
- Performance requirements
- Methods for accessing resources
- Network roles and responsibilities
- Technical support structure
- Existing network structure
- Planned network structure
Security Related Costs in the context of TCO
- An Inventory of all the COSTS:
- Equipment and Setup Costs
- Operating Costs
- Training Costs
- Cycle Costs
- Average Expenses
- Costs of Loss due to security problems
IT Management Issues
Administration Models:
Centralized - a single administrative group manages everything; it scales only as far as that group can keep up with the number of objects in Active Directory
Decentralized - more autonomy for individual sites
Buy or Make:
Outsourcing - expertise readily available, but less control
In-House - longer implementation time, but more control
The Broad Security Strategies
Life cycle for implementing secure networking
- Requirements definition
- Solution proposal
- Design planning
- Proof of concept
- Implementation
- Operations and monitoring
- Optimization and maintenance
- Retirement
Elements of Secure Networking
- Data Integrity against tampering of your data (via digital signature)
- Data Confidentiality against eavesdropping (via encryption)
- Single Sign-on - one username and password for accessing all authorized network resources (via Kerberos)
- Access Control (via assigning or denying permissions)
- Physical Security
- User Awareness (via education)
Types of Cryptography
- Secret key (symmetric) encryption - both parties use the same shared secret key, which has to be distributed securely beforehand
- Public key (asymmetric) encryption - each party has a pair of different but mathematically related keys; data encrypted with the public key can be decrypted only with the matching private key
- Digital signatures - a message digest (hash) of the data is encrypted with the signer's private key; anyone holding the public key can decrypt it and compare it with a freshly computed digest, so tampering or a forged sender is detected
Security Risks - Means of Intrusion
- Identity interception
- Impersonation
- Replay attack
- Masquerading
- Data interception
- Repudiation
- Denial of service attacks
- Trojan horse
Protecting Against Outside Intrusion
- Locks on doors to server closets
- Use of secure media
- Firewalls
- Strict access control
- Limited assignment of administrative privileges
- File level encryption
- Regular Auditing
Protecting Against Internal Threats
- Strong password policies
- Encryption of network traffic
- Limited assignment of administrative privileges
User Classifications
Based on usage needs:
- Everyone
- all people accessing your network
- users cannot easily be identified
- users accessing Web site should be included
- Staff
- all people who work for your organization
- can be easily identified
- may be in local or remote locations
- Users
- people who use applications to accomplish business functions
- often organized into OUs
- Partners
- people from the outside who have a unique relationship with your company
- use network resources that are externalized
- limited access
User Classifications
Based on locations:
- Local
- access from the premises of the company
- "physically attached" via LAN or wireless technologies
- exclude the general public or members of the trusted partners
- Primary security considerations:
- the administration of user accounts, groups, policies, and permissions
- ways for securing computers, files, folders, and network print resources
- Remote
- requires the Windows 2000 Routing and Remote Access Service (RRAS)
- secure access via the Internet - use a virtual private network (VPN)
- secure dial-up networking - use modems, connection protocols (such as PPP) and authentication protocols (such as MS-CHAP)
Security Strategies for the Computers
- For Laptops
- Use password-protected screen savers
- Lock the computer while away
- Use security templates to restrict access to the registry hives
- Use EFS (Encrypting File System): a lost or stolen laptop exposes its disk to offline reading, and NTFS permissions no longer help once the disk is mounted in another machine
- For workstations
- Use password-protected screen savers
- Lock the computer while away
- Use Security templates to restrict access to the registry hives
- For kiosk computers
- Disable the Guest account and anonymous access
- Use NTFS ACLs to prohibit changes to files
- Use registry ACLs to restrict access to the computer's registry
- Use a restrictive password policy
- Use an account lockout policy
- Deploy extensive system auditing
- Rename the local Administrator and Guest accounts
- Apply the security options associated with a C2-style configuration (for example, clearing the page file at shutdown)
- For servers
- Limit physical access to servers
- Limit the use of the Administrator account
- Avoid logging on as Administrator for routine tasks; use the runas command to start only the tools that need administrative rights
- Audit properly, but keep in mind that auditing everything degrades performance and buries the events that matter
The Matching of Risks and Strategies
- Data interception
  - Can occur in: printer access, file access, share access, Internet access, dial-up access
  - Corresponding strategies: secure printer access; data encryption
- Identity interception
  - Can occur in: printer access, file access, share access, Internet access, dial-up access
  - Corresponding strategies: enforce the use of strong passwords; smart card authentication
- Data manipulation
  - Can occur in: file access, share access, Internet access, dial-up access
  - Corresponding strategies: NTFS permissions; EFS; L2TP with IPSec; VPN
- IP masquerading
  - Can occur in: printer access, file access, share access, Internet access, dial-up access
  - Corresponding strategies: Kerberos authentication; smart card authentication; certificates
- Replay attacks
  - Can occur in: printer access, file access, share access, Internet access, dial-up access
  - Corresponding strategies: Kerberos authentication; smart card authentication; certificates
- Denial of service attacks
  - Originate from the Internet
  - Corresponding strategies: firewall; DMZ
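The replay row above names Kerberos as the countermeasure without saying how it works: every request carries an authenticator (client principal and timestamp, encrypted with the session key), the service rejects anything outside its clock-skew window, and it keeps a short replay cache so the same authenticator is never honoured twice. The following Python is an added example written for this guide, not code from the guide or from Windows; it uses an HMAC keyed with the session key as a stand-in for the encrypted authenticator, and the principal name, key and timestamps are constructed.

```python
import hashlib
import hmac
import json

# Kerberos default maximum clock skew between client and service: 5 minutes.
MAX_CLOCK_SKEW = 300


def _encode(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True).encode()


def make_authenticator(session_key: bytes, principal: str, now: int) -> dict:
    """Client side: build the authenticator for one request.

    Real Kerberos encrypts {client principal, timestamp} with the session key
    carried in the ticket. An HMAC over the same fields stands in for that
    encryption here (an assumption for this example); it still binds the
    authenticator to the key and to the time it was made.
    """
    body = {"principal": principal, "timestamp": int(now)}
    tag = hmac.new(session_key, _encode(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Service:
    """Service side: validates authenticators the way a Kerberized service does."""

    def __init__(self, session_key: bytes):
        self.session_key = session_key
        self.replay_cache = set()   # (principal, timestamp) pairs accepted recently

    def verify(self, auth: dict, now: int) -> str:
        body, tag = auth["body"], auth["tag"]
        expected = hmac.new(self.session_key, _encode(body), hashlib.sha256).hexdigest()
        # 1. Integrity: without the session key an attacker cannot mint or alter one.
        if not hmac.compare_digest(expected, tag):
            return "rejected: integrity check failed"
        # 2. Freshness: outside the skew window it is stale (or a clock is wrong).
        if abs(now - body["timestamp"]) > MAX_CLOCK_SKEW:
            return "rejected: timestamp outside allowed clock skew"
        # 3. Replay: the same (principal, timestamp) inside the window was seen before.
        self._expire(now)
        key = (body["principal"], body["timestamp"])
        if key in self.replay_cache:
            return "rejected: replayed authenticator"
        self.replay_cache.add(key)
        return "accepted"

    def _expire(self, now: int) -> None:
        # An entry older than the skew window would fail check 2 anyway, so drop it.
        self.replay_cache = {k for k in self.replay_cache if now - k[1] <= MAX_CLOCK_SKEW}


def demo() -> list:
    """Constructed scenario: a genuine request, the same authenticator replayed by an
    eavesdropper, a stale authenticator, and one forged without the session key."""
    session_key = b"constructed-session-key"
    svc = Service(session_key)
    t0 = 1_030_000_000
    auth = make_authenticator(session_key, "alice@CORP.EXAMPLE", t0)
    verdicts = [svc.verify(auth, t0 + 2)]
    verdicts.append(svc.verify(auth, t0 + 30))
    stale = make_authenticator(session_key, "alice@CORP.EXAMPLE", t0 - 900)
    verdicts.append(svc.verify(stale, t0))
    forged = make_authenticator(b"attacker-guess", "alice@CORP.EXAMPLE", t0 + 60)
    verdicts.append(svc.verify(forged, t0 + 61))
    return verdicts


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The cache only has to remember authenticators younger than the skew window: anything older fails the freshness check on its own, which is why the timestamp check and the replay cache are always used together, and why a domain whose clocks drift by more than five minutes sees Kerberos logons fail.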
Types of Remote Connections and Their Drawbacks
Dial-up - slow
Digital subscriber line DSL - may be vulnerable if file and print sharing is on
Cable Modem - may be vulnerable if file and print sharing is on
The Windows 2000 Specific Technologies
Common Authentication Methods
- Certificate-based authentication
- Kerberos
- Clear-text passwords (not recommended)
- Digest authentication
- Smart card authentication
- NTLM authentication (backward compatibility)
- Remote Authentication Dial-In User Service (RADIUS)
- Secure Sockets Layer (SSL)
Elements of Strong Password Policy
- Minimum length (8 characters is the recommended minimum)
- Complexity: require upper and lower case letters, numbers, and symbols
- Password uniqueness
- Password cannot contain the user ID
- Password history: previously used passwords cannot be reused
- Password must be changed at first logon
Preconfigured Security Templates (applied with the Security Configuration and Analysis snap-in or secedit.exe)
- Compatible (compatws.inf): relaxes permissions so older programs run without Power User rights; not secure
- Secure (securews.inf, securedc.inf): secures areas of Windows 2000 that the default settings leave open, such as account policy and auditing
- High secure (hisecws.inf, hisecdc.inf): requires all network communication to be digitally signed and encrypted (SMB signing, NTLMv2); very secure but poor compatibility with pre-Windows 2000 systems
Considerations for the Configuration of the Security Policy Template
- Account Policies
- Local Policies
- Event Log
- Restricted Groups
- System Services
- Registry
- File System
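The password policy elements and the template sections above come together in the [System Access] section of a security template, which is where secedit reads the length, complexity and history settings from. The following Python is an added example, not from the study guide or from Microsoft: it parses a constructed template fragment in the .inf format the Security Templates snap-in uses and then checks candidate passwords against it, applying the Windows 2000 complexity rule (no user ID in the password, characters from at least three of the four classes). The template values, user name and passwords are all constructed.

```python
import configparser
import re

# Constructed security template fragment in the .inf format that secedit and the
# Security Templates snap-in use. Only [System Access] matters here; the values are
# illustrative, not a Microsoft-supplied template.
TEMPLATE_INF = """
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
MaximumPasswordAge = 42
MinimumPasswordAge = 1
LockoutBadCount = 5
"""


def load_system_access(inf_text: str) -> dict:
    """Parse the [System Access] section of a security template into integers."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str               # keep the template's key casing
    parser.read_string(inf_text)
    return {key: int(value) for key, value in parser["System Access"].items()}


def check_password(candidate: str, user_id: str, history: list, policy: dict) -> list:
    """Return the rules a candidate password violates (an empty list means acceptable).

    Length and history come straight from the template. When PasswordComplexity is
    on, the Windows 2000 passfilt rule applies: the password may not contain the
    account name and must use at least three of: upper case, lower case, digit, symbol.
    """
    violations = []
    if len(candidate) < policy["MinimumPasswordLength"]:
        violations.append("shorter than MinimumPasswordLength")
    if policy.get("PasswordComplexity", 0) == 1:
        if user_id.lower() in candidate.lower():
            violations.append("contains the user ID")
        classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
        if sum(1 for c in classes if re.search(c, candidate)) < 3:
            violations.append("fewer than three character classes")
    keep = policy.get("PasswordHistorySize", 0)
    # history holds the account's previous passwords, oldest first; only the last
    # PasswordHistorySize of them are remembered by the domain controller.
    if keep and candidate in history[-keep:]:
        violations.append("reused within PasswordHistorySize")
    return violations


POLICY = load_system_access(TEMPLATE_INF)

if __name__ == "__main__":
    for pw in ("Summer2002", "jsmith99!", "password", "Ab1!"):
        print(pw, check_password(pw, "jsmith", ["Winter2001"], POLICY) or "ok")
```

Note that real domain controllers compare history by hash, not by plain text, and that a policy like this one is only enforced for domain accounts when it is set in a GPO linked at the domain level; the same [System Access] values in an OU-linked GPO affect only the local accounts of computers in that OU.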
IP Monitoring
- SNMP is used for network management.
- SNMP agent is installed on the hosts to be monitored.
- Agents report back to the SNMP management console.
- A full SNMP management console is a separate product; Systems Management Server (SMS) is an example.
- You use Network Monitor to capture and analyze frames.
- Capture filter is available in Network Monitor to ease the analysis process.
- Components of a frame:
- Source address of sender
- Destination address of recipient
- Protocol headers
- Payload
- The Network Monitor that comes with Windows 2000 can only capture frames sent to or from the local computer; the full version shipped with SMS can capture all traffic on the segment.
- System Monitor can be used to generate statistics.
- You do NOT use System Monitor to capture frames.
Encryption Options (for dial-up and VPN connections)
- No encryption
- Everything travels in plain text
- Should NEVER be used
- Basic
- Dial-up and PPTP: 40-bit Microsoft Point-to-Point Encryption (MPPE) key
- L2TP/IPSec: 56-bit DES
- Strong
- Dial-up and PPTP: 56-bit MPPE key
- L2TP/IPSec: 56-bit DES
- Strongest
- Dial-up and PPTP: 128-bit MPPE key
- L2TP/IPSec: 3DES
- Requires the Windows 2000 High Encryption Pack (built into Service Pack 2 and later); which strengths you may deploy can depend on export and import regulations
- L2TP/IPSec is preferred over PPTP at any strength because IPSec adds per-packet integrity checking and a stronger key exchange
IPSec
- Defined by the IETF
- Operates at layer 3 of the OSI model, so it protects any IP traffic without changes to applications
- Authenticates and optionally encrypts IP packets in transit: AH provides integrity and origin authentication, ESP adds confidentiality
- Supported by Windows 2000
- NOT supported natively by pre-Windows 2000 clients
- Peer authentication methods: a preshared key (secret key cryptography; the weakest choice, since the key is shared by every peer), Kerberos (the default between Windows 2000 domain members), or certificates (public key cryptography, one key pair per computer)
- Security Associations are negotiated with ISAKMP/Oakley (IKE): phase 1 authenticates the peers and protects the key exchange, phase 2 establishes the SAs that protect the data
- An IPSec policy is a collection of rules (filter lists, filter actions, authentication methods) plus key exchange settings, stored in a domain security policy or an individual computer's local security policy; only one IPSec policy can be assigned to a computer at a time
- Create IPSec policies with the IP Security Policy Management MMC snap-in
- Use IPSECMON.EXE to view active Security Associations and troubleshoot IPSec
- Use Network Monitor 2.0's IPSec parser to capture IPSec-related frames on a network interface
- L2TP + IPSec is usually the best combination for VPNs between pure Windows 2000 computers
DNS - Active Directory Integrated Zone
- The preferred zone type when all DNS servers are Windows 2000 domain controllers
- Secures zone transfer: zone data travels by Active Directory replication, which is authenticated between domain controllers, instead of by zone transfers to arbitrary hosts
- Supports secure dynamic update, so only the account that registered a record can change it
- Replication is multi-master and change-based (only modified records are sent)
DHCP Configuration
- The Windows 2000 DHCP server itself must have a static IP address.
- The Windows 2000 DHCP server itself must be authorized in Active Directory in order to distribute IP addresses.
- The DHCP service must be set with at least one DHCP scope to function.
- You can, in the scope, have certain IP addresses excluded from the range.
- You should adjust the lease time to fit your organization needs.
- You can set the scope options to provide other addresses (such as WINS server addresses, DNS server addresses…..etc) for the clients to use.
- You can use User classes to differentiate the settings for different groups of computers on the same scope.
- For redundancy, always have at least two DHCP servers on the network
- Windows 2000 DHCP servers do not share lease databases, so you must avoid address conflicts yourself: split each range between the servers (for example 80/20) and exclude on each server the part the other one hands out
Dial-In Access
- User can use modem to connect to the server.
- PPP is the ideal protocol for dial in.
- PPP supports multi-protocols.
- RRAS can obtain dynamic IP addresses from DHCP and then assign to the dial in clients.
- To configure security for dial in connections, you can use:
- Caller ID
- Call back to a number specified by the user
- Call back to a predefined number
RADIUS
- Without RADIUS, you need to configure every single RAS server for authentication.
- With RADIUS, a centralized authentication server can be used to authenticate all the dial in requests.
- For a large network with lots of RAS servers, use the RADIUS solution.
- For a large network that needs centralized accounting for RAS, use the RADIUS solution.
- IAS stands for Internet Authentication Service and is the central component acting as the host for RADIUS.
- IAS is responsible for the following centralized activities:
- Authentication
- Auditing
- Accounting
Authentication Protocols supported by RADIUS
- Challenge Handshake Authentication Protocol (CHAP)
- Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
- Password Authentication Protocol (PAP)
- Shiva Password Authentication Protocol (SPAP)
- Extensible Authentication Protocol (EAP), used for smart cards and certificates (EAP-TLS)
- PAP is not secure as it sends the password in clear text; SPAP and CHAP are also weak (CHAP requires passwords to be stored with reversible encryption on the server side)
- MS-CHAP v2 is the usual choice for Windows dial-in clients; MS-CHAP v1 is kept only for clients that cannot do v2
Dial-up Client OS and Supported Security Features
- Windows 2000: Bandwidth Allocation Protocol (BAP), MS-CHAP, CHAP, SPAP, PAP, MS-CHAP v2, EAP
- Windows NT 4.0 with Service Pack 4 or later: MS-CHAP, CHAP, SPAP, PAP, MS-CHAP v2
- Windows 98 with SP1: MS-CHAP, CHAP, SPAP, PAP, MS-CHAP v2
- Windows 95 with the Security Upgrade: MS-CHAP, CHAP, SPAP, PAP
Virtual Private Networks (VPN)
- Use the internet for private connection.
- If you have MULTIPLE SITES to connect, use VPN instead of dedicated point to point links.
- The minimum requirement to implement VPN for a network is a single VPN server.
- Two choices of Tunneling Protocols:
- PPTP is supported by pre-Windows 2000 clients.
- L2TP is supported only by Windows 2000.
- L2TP itself does not encrypt the payload.
- Use IPSec together with L2TP for securing the VPN connections.
- Clients connect through a VPN connection object (a virtual adapter) that tunnels to the VPN server.
Choices for Dial-up or VPN Remote Access Permissions (set on each user account)
- Allow access
- Deny access
- Control access through Remote Access Policy
Certificate Authority (CA)
- Responsible for issuing certificates.
- One way of authentication and identification on the network.
- 4 types of certificate authorities in a Windows 2000 network:
- Enterprise root CA
- Enterprise subordinate CA
- Stand-alone root CA
- Stand-alone subordinate CA
- If you do not have Active Directory, use a Stand Alone Root CA for your internal needs.
- If you have a big organization, use at least one Root CA plus other subordinate CAs to share the load and administration tasks for your internal needs.
- If you are doing business on the internet, establish a relationship with a third party CA and use the certificates issued by that third party CA.
- You can revoke the certificates you publish.
- Certificates should be set with expiration date.
- Shorter certificate lifetimes limit how long a compromised or mis-issued certificate stays usable, at the cost of more frequent renewal; combine expiration with revocation (publishing a CRL) rather than relying on either alone.
Security Across Networks
In a LAN - Create own Enterprise CA
In WAN - Use L2TP/IPSec to implement a site-to-site VPN connection
Across a Public Network - for maximum compatibility, use IPSec in tunnel mode, and optionally encrypt the data
Remote Installation Service (RIS)
Distribute images of built systems via a central server
The key: ensure that your security settings transfer completely
When creating installation scripts, carefully plan the access rights to be granted to your users
Placement and Inheritance of Security Policies
You need to determine the method to best and most efficiently pass down your policies without sacrificing security.
- Sites:
- Represents a physical location in a LAN or WAN
- Can vary in their geographical scope from regional, to national, to international.
- Breaking a network into multiple smaller sites improves efficiency: clients authenticate against domain controllers in their own site, and replication across WAN links can be scheduled and compressed
- Domains:
- Every Windows 2000 network can be based on one or more domains.
- The security boundary
- You may break up a domain:
- geographically
- by department
- by function
- by product
- The key: only keep people that need to access the same data or exchange data in the same domain
- Organizational Units:
- Good for delegating a limited subset of your security administration duties
- If multiple domains are too much for your organization, deploy multiple OUs under a domain instead
- People with different data access needs should be kept in separate OUs
Conflicts
Group Policy is processed in the order Local, Site, Domain, OU (LSDOU); when settings conflict, the policy processed later wins:
- OU policies override domain and site policies (and a child OU's policies override its parent OU's).
- Domain policies override site policies.
- The local computer policy is processed first and is overridden by any conflicting site, domain, or OU policy.
- Exception: a GPO link marked No Override cannot be overridden by lower-level policies, nor blocked.
Group Policy Filtering
- Group policy can be filtered by security group membership.
- A GPO applies only to the users and computers that have both Read and Apply Group Policy permission on it.
- You can filter the scope of a GPO by creating security groups and granting (or denying) those two permissions selectively.
- Block Policy Inheritance on a domain or OU stops policies linked at higher containers from being applied.
- No Override on a link forces child containers to inherit that GPO, even where inheritance is blocked.
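As an added worked example (not from the study guide), the following Python resolves the precedence rules above for a constructed Local, Site, Domain, OU chain, including Block Policy Inheritance and No Override. The container names, GPO names and setting names are illustrative labels, not real policy paths.

```python
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict
    no_override: bool = False      # the link's "No Override" check box


@dataclass
class Container:
    name: str
    gpos: list = field(default_factory=list)   # link order as applied: later entries win
    block_inheritance: bool = False            # "Block Policy Inheritance" on the container


def effective_settings(chain: list) -> dict:
    """Resolve the settings a user or computer ends up with.

    chain lists the containers from the outside in: local computer, site, domain, then
    each OU down to the one holding the account. Windows 2000 processes GPOs in that
    order (LSDOU) and the last writer wins, with two exceptions modelled here:
      - Block Policy Inheritance on a container discards GPOs linked above it; the
        local GPO is still processed;
      - a GPO marked No Override is applied after all ordinary GPOs and is not blocked;
        among No Override GPOs the one linked highest in the chain wins.
    """
    # The innermost container that blocks inheritance is the one that matters.
    block_at = max((i for i, c in enumerate(chain) if c.block_inheritance), default=-1)
    ordinary, forced = [], []
    for level, container in enumerate(chain):
        for gpo in container.gpos:
            if gpo.no_override:
                forced.append((level, gpo))
            elif level == 0 or level >= block_at:
                ordinary.append(gpo)
    result = {}
    for gpo in ordinary:                      # LSDOU order: later overrides earlier
        result.update(gpo.settings)
    for _, gpo in sorted(forced, key=lambda lg: lg[0], reverse=True):
        result.update(gpo.settings)           # deepest first, so the highest link wins
    return result


def build_chain(block_kiosks: bool, enforce_domain: bool) -> list:
    """Constructed example hierarchy; the setting names are illustrative labels."""
    return [
        Container("Local", [GPO("Local", {"ScreenSaverTimeout": 900})]),
        Container("Site-HQ", [GPO("Site-Baseline",
                                  {"ScreenSaverTimeout": 600, "AuditLogon": "success,failure"})]),
        Container("corp.example", [GPO("Domain-Security",
                                       {"ScreenSaverTimeout": 300, "RestrictAnonymous": 1},
                                       no_override=enforce_domain)]),
        Container("OU=Kiosks", [GPO("Kiosk-Lockdown",
                                    {"ScreenSaverTimeout": 60, "AuditLogon": "failure"})],
                  block_inheritance=block_kiosks),
    ]


if __name__ == "__main__":
    for block, enforce in ((False, False), (True, False), (True, True)):
        print(f"block={block} no_override={enforce}:",
              effective_settings(build_chain(block, enforce)))
```

The third run is the case worth remembering for the exam: the kiosk OU blocks inheritance, yet the domain's No Override GPO still lands, so the kiosks get the domain's screen saver timeout and RestrictAnonymous while the site baseline stays blocked.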
Remote User Profile Components
- Dial-In Constraints:
- Day and time allowed
- Idle Disconnect Time
- Maximum Session Length
- Dial-In Number
- Dial-In media
- IP Properties - define IP packet filters and IP address assignment for the connection
- Multilink - Define Bandwidth Allocation Protocol (BAP) policies
- Authentication:
- Specify the EAP type
- By default, MS-CHAP and MS-CHAPv2 are enabled.
- Encryption:
- Basic - dial-up and PPTP-based connections: use Microsoft Point-to-Point Encryption with a 40-bit key
- Basic - L2TP over IPSec-based connections, use 56-bit DES encryption
- Strong - dial-up and PPTP-based connections, use MPPE with a 56-bit key
- Strong - L2TP over IPSec-based connections, use 56-bit DES encryption.
- Strongest - dial-up and PPTP-based connections, use MPPE with a 128-bit key
- Strongest - L2TP over IPSec-based connections, use 3DES encryption
- Advanced - Specify the RADIUS attributes
Remote Access Policies (RAP)
- Stored locally in the IAS.MDB database of each RAS or IAS server, not in Active Directory, so every server needs its own copy unless authentication is centralized through RADIUS/IAS.
- Defines who may connect remotely and what the characteristics of that connection will be; policies are evaluated in order and the first one whose conditions all match is used.
- Conditions for accepting or rejecting connections can be based on:
- Day
- Time
- Group membership
- Type of services
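The evaluation order matters as much as the conditions. The following Python is an added example, not from the guide or from Windows, that walks a connection attempt through the three steps a Windows 2000 RAS or IAS server performs: find the first policy whose conditions match, apply the account's dial-in permission, then enforce the matching policy's profile. The policies, group names and user names are constructed.

```python
from dataclasses import dataclass, field

WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri")


@dataclass
class Attempt:
    user: str
    groups: set
    day: str             # e.g. "Tue"
    hour: int            # 0-23, server local time
    port_type: str       # "Async" for a modem, "Virtual" for a VPN tunnel
    auth_protocol: str   # what the client negotiated, e.g. "MS-CHAPv2"
    encryption: str      # "none", "basic", "strong" or "strongest"


@dataclass
class Policy:
    name: str
    conditions: dict     # every condition must match; {} matches everything
    grant: bool          # the policy's own remote access permission
    profile: dict = field(default_factory=dict)


ENCRYPTION_RANK = {"none": 0, "basic": 1, "strong": 2, "strongest": 3}


def matches(policy: Policy, a: Attempt) -> bool:
    """Condition check: Windows-Groups, Day-And-Time-Restrictions, NAS-Port-Type."""
    c = policy.conditions
    if "windows_groups" in c and not (a.groups & c["windows_groups"]):
        return False
    if "days" in c and a.day not in c["days"]:
        return False
    if "hours" in c and not (c["hours"][0] <= a.hour < c["hours"][1]):
        return False
    if "nas_port_type" in c and a.port_type != c["nas_port_type"]:
        return False
    return True


def evaluate(policies: list, account_permission: dict, a: Attempt) -> str:
    """Order of evaluation used by Windows 2000 RRAS and IAS:
    1. the first policy in the list whose conditions all match is used; no match rejects;
    2. the account's dial-in permission: Allow or Deny override the policy, while
       'Control access through Remote Access Policy' defers to the policy's own setting;
    3. the profile of the matching policy is enforced on the connection.
    """
    policy = next((p for p in policies if matches(p, a)), None)
    if policy is None:
        return "rejected: no policy matched"
    perm = account_permission.get(a.user, "policy")
    if perm == "deny":
        return f"rejected: account permission is Deny ({policy.name})"
    if perm == "policy" and not policy.grant:
        return f"rejected: policy denies access ({policy.name})"
    prof = policy.profile
    if "auth_protocols" in prof and a.auth_protocol not in prof["auth_protocols"]:
        return f"rejected: {a.auth_protocol} not permitted by profile ({policy.name})"
    if "min_encryption" in prof and \
            ENCRYPTION_RANK[a.encryption] < ENCRYPTION_RANK[prof["min_encryption"]]:
        return f"rejected: encryption weaker than {prof['min_encryption']} ({policy.name})"
    return f"accepted ({policy.name})"


# Constructed policies in evaluation order; group and user names are hypothetical.
POLICIES = [
    Policy("Staff VPN, business hours",
           conditions={"windows_groups": {"CORP\\Staff"}, "nas_port_type": "Virtual",
                       "days": set(WEEKDAYS), "hours": (7, 19)},
           grant=True,
           profile={"auth_protocols": {"MS-CHAPv2", "EAP-TLS"}, "min_encryption": "strong"}),
    Policy("Admin dial-in, any time",
           conditions={"windows_groups": {"CORP\\RAS-Admins"}, "nas_port_type": "Async"},
           grant=True,
           profile={"auth_protocols": {"MS-CHAPv2"}, "min_encryption": "basic"}),
    # Mirrors the default policy Windows 2000 creates: matches everyone and denies, so
    # only accounts explicitly set to Allow get through it.
    Policy("Allow access if dial-in permission is enabled", conditions={}, grant=False),
]

# Constructed per-account dial-in permission: "allow", "deny" or "policy".
ACCOUNT_PERMISSION = {"alice": "policy", "bob": "deny", "carol": "allow"}


def decide(user, groups, day, hour, port_type, auth_protocol="MS-CHAPv2", encryption="strong"):
    return evaluate(POLICIES, ACCOUNT_PERMISSION,
                    Attempt(user, set(groups), day, hour, port_type, auth_protocol, encryption))


if __name__ == "__main__":
    print(decide("alice", ["CORP\\Staff"], "Tue", 10, "Virtual"))
    print(decide("alice", ["CORP\\Staff"], "Sat", 10, "Virtual"))
    print(decide("bob", ["CORP\\RAS-Admins"], "Mon", 3, "Async"))
    print(decide("carol", [], "Sun", 2, "Async", "PAP", "none"))
```

The ordering shows why the default "Allow access if dial-in permission is enabled" policy belongs last: placed first, it would match every attempt and the staff and admin policies would never be reached. It also shows the trap in carol's case, where an account set to Allow bypasses the deny policy and connects with PAP and no encryption because the default policy's profile restricts nothing.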
Network Address Translation (NAT)
- Allows the computers on a small network to share a single Internet connection (the Windows 2000 RRAS NAT is not designed for large sites).
- Conceals the internal IP addressing scheme from the outside.
- If PERFORMANCE is NOT a concern, use NAT rather than Proxy Server.
- If COST is a concern, use NAT rather than Proxy Server.
Proxy Server / ISA Server
- Provides NAT functions.
- Also provides caching function to enhance performance.
- Proxy Array provides redundancy and load balancing for Proxy Servers.
- If PERFORMANCE is also a concern, use Proxy Server.
- Can provide traffic filtering on incoming traffic.
- Can control outgoing access.
- Its successor, ISA Server, adds much better firewall functionality (stateful packet filtering and application-level filters).
Further Readings
- Understand enterprise security issues, counter-measures, technologies, and best practices
- Limit your organization's vulnerability with a comprehensive security strategy
- Understand principles of smart cards and plan for deployment
- Microsoft ISA Server Features: Security
- The Common Criteria: Providing a Reliable Security Standard
- Get and Stay Secure
- Windows 2000 Security Services Features
- Microsoft Windows 2000 Public Key Infrastructure
- Encrypting File System for Windows 2000
- Designing Authentication for a Windows 2000 Network
- Internet Information Services 5 Security Overview
This study guide is developed in the year 2002 by Yu Chak Tin Michael
Michael's personal web site is located at: http://michaelyu.freeservers.com.
You may contact him at: ycthk@yahoo.com