Module 7 Planning Server and Network Security. Module Overview Overview of Defense-in-Depth Planning...
-
Upload
adelia-fowler -
Category
Documents
-
view
215 -
download
0
Transcript of Module 7 Planning Server and Network Security. Module Overview Overview of Defense-in-Depth Planning...
Module 7
Planning Server and Network Security
Module Overview
• Overview of Defense-in-Depth
• Planning for Windows Firewall with Advanced Security
• Planning Protection Against Viruses and Malware
• Managing Remote Access
• Planning for (NAP)
Lesson 1: Overview of Defense-in-Depth
• What Is Defense-in-Depth?
• How to Use Defense-in-Depth to Identify Risks
• How to Use Defense-in-Depth to Mitigate Risks
• Discussion: Security Implementation
What Is Defense-in-Depth?
Layer Description
Data • Includes files and databases
Application • Includes client applications and server applications
Host • Contains individual computers, including the operating system
Internal network • Contains LAN, WAN, and wireless
Perimeter • Ensures connectivity to the Internet and to business partners
Physical security • Prevents unauthorized personnel from accessing the network assets
Policies, procedures, and awareness
• Creates awareness among users and staff accessing resources with computers in a network
How to Use Defense-in-Depth to Identify Risks
Layer Examples of Risks
Data • Unauthorized viewing or changing of data
Application • Loss of application functionality
Host • Operating system weakness
Internal network • Packet sniffing and unauthorized use of wireless networks
Perimeter • Attacks from anonymous Internet users
Physical security • A user with direct physical access to a computer modifying it or accessing data
Polices, procedures, and awareness
• Users and IT staff not following policies due to lack of understanding
How to Use Defense-in-Depth to Mitigate Risks
Layer Mitigation Examples
Data • Access Control List (ACL) encryption,
Encrypting File System (EFS), and Digital Rights Management (DRM)
Application • Application hardening and antivirus software
Host • Operating system hardening,
authentication, update management, and Network Access Protection (NAP)
Internal network • Network segmentation, Internet Protocol security (IPsec), and intrusion detection
Perimeter • Firewalls and VPNs
Physical security • Locks and tracking devices
Polices, procedures, and awareness • User education
Discussion: Security Implementation
• What security measures do you use in your organization?
Lesson 2: Planning for Windows Firewall with Advanced Security
• Considerations for Types of Rules
• Considerations for Rule Configuration Options
• Considerations for Connection Security Rules
• What Is Server and Domain Isolation?
• Considerations for Applying Rules
• Demonstration: Windows Firewall Rules Configuration Options
Considerations for Types of Rules
Considerations
• Block all inbound connections by default
• Create inbound rules to allow access to local applications
• Use outbound rules to prevent communication with specific software
• To increase security, prevent outbound connections by default
• Use connection security rules to secure communication between computers
Considerations for Rule Configuration Options
Considerations
• Simplify configuration by using program-based rules
• Use port-based rules when you cannot create program-based rules
• Select the proper profile for rules
• Train roaming users to select the correct profile for a new network
• Use the scope option to limit rules to specific IP addresses
• Use the interface types option to apply rules only to wireless networks or remote access connections
Considerations for Connection Security Rules
Considerations
• Compatible connection security rules must exist on both hosts
• Connection security rules apply to all network traffic between hosts
• Connection security rules enable firewall rules based on user or computer
• Kerberos authentication is required for user or computer-based rules
• Do not use connection security rules and IPsec policies at the same time
• Test thoroughly before implementation
• Use IPsec only where required as part of your security plan
What Is Server and Domain Isolation?
Systems that use IPsec to segment and isolate parts of the network
Domain isolation:
• Restricts communication to computers that are members of the domain
Server isolation:
• Restricts communication to computers that are part of the same workgroup
Considerations for Applying Rules
Considerations
• Some applications automatically create firewall rules
• Back up firewall configuration before making changes
• Use Windows Firewall with Advanced Security to make changes only for a small number of computers
• Use Group Policy to deploy rules to a large number of computers
• Use netsh and Windows PowerShell™ to manage firewall rules with scripts
Demonstration: Windows Firewall Rules Configuration Options
In this demonstration, you will see how to:
• Create and configure Windows Firewall rules
Lesson 3: Planning Protection Against Viruses and Malware
• How Viruses and Malware Enter the Network
• Considerations for Using Windows Defender
• Considerations for Antivirus Protection
• Security Features of Internet Explorer® 8
• What Is User Account Control (UAC)?
• Using the Security Configuration Wizard (SCW)
How Viruses and Malware Enter the Network
Methods
• E-mail attachments
• Program installation
• Web pages
• Portable computers
• Portable storage
Considerations for Using Windows Defender
Considerations
• Enable real-time protection
• Ensure that updates are being applied
• Use scheduled and manual scans to remove malware missed by real-time protection
• Use definition-based actions for each alert level
• Join Spynet with a basic membership
• Use Software Explorer to control startup programs
Considerations for Antivirus Protection
Considerations
• Select antivirus software that can be centrally managed
• Update antivirus definitions at least once per day
• Carefully test heuristic-based scanning
• Use quarantine instead of removal for infected files
Security Features of Internet Explorer 8
Features
• Enhanced Security Configuration (ESC)
• Improved security for ActiveX controls
• XSS Filter to block cross-site scripting
• SmartScreen filter for phishing and malware
• Protected Mode
What Is User Account Control (UAC)?
UAC provides an easy way to elevate credentials only when required
• Admin Approval Mode requires administrators to allow applications with administrative permissions.
• Admin Approval Mode does not apply to built-in Administrator accounts.
• UAC can be configured by Local Security Policy or Group Policy.
Using the Security Configuration Wizard (SCW)
Considerations
• Register templates for all installed applications
• Create a standard policy for specific server types
• Apply common settings by using Group Policy
• Disable unknown services only if computers are configured identically
• Roll back a security policy if there are unexpected results
• Test new policies before applying them to multiple computers
Lesson 4: Planning Remote Access
• Considerations for (VPN) Protocols
• Considerations for Network Policies
• Considerations for Network Policy Server (NPS)
Considerations for VPN Protocols
VPN Protocols
• Point-to-Point Tunneling Protocol (PPTP)
• Layer 2 Tunneling Protocol (L2TP)/IPsec
• Secure Socket Tunneling Protocol (SSTP)
Recommendations
• Use PPTP for best compatibility with operating systems
• Use L2TP/IPsec to increase security
• Use SSTP to increase security and provide best compatibility with firewalls and proxy servers
Considerations for Network Policies
Considerations
• Each Routing and Remote Access Server (RRAS) server has an independent set of network policies
• Use different polices on each RRAS server to meet the needs of different groups
• The default network policies prevent access
• Simplify management by using groups to control access
• Only the first matched network policy applies
• Increase security by implementing additional conditions
• Identify the authentication methods that meet your needs
• Use constraints to control a remote access connection
• Apply IP filters to control which internal resources can be accessed
Considerations for Network Policy Server (NPS)
• To centralize authentication, use RADIUS server functionality
• To centralize logging, use RADIUS server functionality
• Use connection request policies to control RADIUS proxy functionality
• To forward requests to independently managed RADIUS servers, use the RADIUS proxy functionality
• RADIUS can be used to authenticate non-RRAS applications
Lesson 5: Planning for NAP
• What Is NAP?
• Status Monitored by Windows System Health Validator (SHV)
• Considerations for Designing (DHCP) Enforcement
• Considerations for Designing VPN Enforcement
• Considerations for Designing 802.1X Enforcement
• Considerations for Designing IPsec Enforcement
What Is NAP?
Enforces client health before allowing access to the network
Can allow access to remediation servers
Has various enforcement mechanisms
Controls network access for noncompliant computers
Does not block intruders or malicious users
Status Monitored by Windows System Health Validator (SHV)
Considerations for Designing DHCP Enforcement
Noncompliant computers are:
Given 0.0.0.0 as a default gateway
Given 255.255.255.255 as a subnet mask
Given static host routes to remediation servers
Some considerations for DHCP enforcement:
Must use Windows Server 2008 DHCP server
IPv6 is not supported for NAP and Windows Server 2008 DHCP server
Health status is sent as part of the lease request
Can be circumvented by using a static IP address
Considerations for Designing VPN Enforcement
Noncompliant computers are:
• Limited by IP packet filters
Considerations for VPN enforcement:
Must use NAP-integrated RRAS
Health status is sent as part of the authentication process
Best suited for remote connections where a VPN is already used
Considerations for Designing 802.1X Enforcement
Noncompliant computers are:
• Limited by packet filters enforced by the switch
• Limited by a virtual local area network (VLAN) enforced by the switch
Considerations for 802.1X Enforcement:
More secure than DHCP enforcement
Switches must support 802.1X
Health status is sent as part of the authentication process
Considerations for Designing IPsec Enforcement
Noncompliant computers are:
• Limited by IPsec polices
Considerations for IPsec Enforcement:
• Offers the highest level of security
• Can provide encryption of data
• Requires no additional hardware
• Can be used for both IPv4 or IPv6
• Requires a Certification Authority (CA) and Health Registration Authority (HRA)
Lab: Planning Server and Network Security
• Exercise 1: Creating a Plan for Server and Network Security
• Exercise 2: Implementing Windows Firewall Rules
• Exercise 3: Implementing a VPN Server
• Exercise 4: Implementing NAP with DHCP Enforcement
Estimated time: 60 minutes
Logon information
Virtual machine6430B-SEA-DC1
6430B-SEA-CL1
User name Adatum\Administrator
Password Pa$$w0rd
Lab Scenario
• Adatum has two security-related tasks that need to be planned out. A new Web-based application is being implemented for the finance department and requires a security plan. Also, as part of a security review, a plan needs to be developed for preventing malware on the A. Datum network.
• You have been tasked with creating a plan for the new finance application and creating a plan for preventing malware on the network. Your IT manager has provided you with a list of requirements that must be met by your plan.
Module Review and Takeaways
• Review Questions