Module 7 Planning Server and Network Security. Module Overview Overview of Defense-in-Depth Planning...

Module 7 Planning Server and Network Security


Page 1: Module 7 Planning Server and Network Security. Module Overview Overview of Defense-in-Depth Planning for Windows Firewall with Advanced Security Planning.

Module 7

Planning Server and Network Security

Page 2

Module Overview

• Overview of Defense-in-Depth

• Planning for Windows Firewall with Advanced Security

• Planning Protection Against Viruses and Malware

• Managing Remote Access

• Planning for Network Access Protection (NAP)

Page 3

Lesson 1: Overview of Defense-in-Depth

• What Is Defense-in-Depth?

• How to Use Defense-in-Depth to Identify Risks

• How to Use Defense-in-Depth to Mitigate Risks

• Discussion: Security Implementation

Page 4

What Is Defense-in-Depth?

Layer Description

Data • Includes files and databases

Application • Includes client applications and server applications

Host • Contains individual computers, including the operating system

Internal network • Contains LAN, WAN, and wireless

Perimeter • Ensures connectivity to the Internet and to business partners

Physical security • Prevents unauthorized personnel from accessing the network assets

Policies, procedures, and awareness • Creates awareness among users and staff accessing resources with computers in a network

Page 5

How to Use Defense-in-Depth to Identify Risks

Layer Examples of Risks

Data • Unauthorized viewing or changing of data

Application • Loss of application functionality

Host • Operating system weakness

Internal network • Packet sniffing and unauthorized use of wireless networks

Perimeter • Attacks from anonymous Internet users

Physical security • A user with direct physical access to a computer modifying it or accessing data

Policies, procedures, and awareness • Users and IT staff not following policies due to lack of understanding

Page 6

How to Use Defense-in-Depth to Mitigate Risks

Layer Mitigation Examples

Data • Access Control List (ACL), encryption, Encrypting File System (EFS), and Digital Rights Management (DRM)

Application • Application hardening and antivirus software

Host • Operating system hardening, authentication, update management, and Network Access Protection (NAP)

Internal network • Network segmentation, Internet Protocol security (IPsec), and intrusion detection

Perimeter • Firewalls and VPNs

Physical security • Locks and tracking devices

Policies, procedures, and awareness • User education

Page 7

Discussion: Security Implementation

• What security measures do you use in your organization?

Page 8

Lesson 2: Planning for Windows Firewall with Advanced Security

• Considerations for Types of Rules

• Considerations for Rule Configuration Options

• Considerations for Connection Security Rules

• What Is Server and Domain Isolation?

• Considerations for Applying Rules

• Demonstration: Windows Firewall Rules Configuration Options

Page 9

Considerations for Types of Rules

Considerations

• Block all inbound connections by default

• Create inbound rules to allow access to local applications

• Use outbound rules to prevent communication with specific software

• To increase security, prevent outbound connections by default

• Use connection security rules to secure communication between computers

Page 10

Considerations for Rule Configuration Options

Considerations

• Simplify configuration by using program-based rules

• Use port-based rules when you cannot create program-based rules

• Select the proper profile for rules

• Train roaming users to select the correct profile for a new network

• Use the scope option to limit rules to specific IP addresses

• Use the interface types option to apply rules only to wireless networks or remote access connections

Page 11

Considerations for Connection Security Rules

Considerations

• Compatible connection security rules must exist on both hosts

• Connection security rules apply to all network traffic between hosts

• Connection security rules enable firewall rules based on user or computer

• Kerberos authentication is required for user or computer-based rules

• Do not use connection security rules and IPsec policies at the same time

• Test thoroughly before implementation

• Use IPsec only where required as part of your security plan

Page 12

What Is Server and Domain Isolation?

Systems that use IPsec to segment and isolate parts of the network

Domain isolation:

• Restricts communication to computers that are members of the domain

Server isolation:

• Restricts communication to computers that are part of the same workgroup

Page 13

Considerations for Applying Rules

Considerations

• Some applications automatically create firewall rules

• Back up firewall configuration before making changes

• Use Windows Firewall with Advanced Security to make changes only for a small number of computers

• Use Group Policy to deploy rules to a large number of computers

• Use netsh and Windows PowerShell™ to manage firewall rules with scripts
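The rule-type, rule-option and rule-deployment considerations above, combined into one scripted change. This is an added example, not part of the course material; the backup folder, program paths, rule names, port and subnet are assumptions chosen for illustration.

```powershell
# Added example, not course material. Run from an elevated Windows PowerShell prompt.
# Paths, rule names, the port and the subnet below are assumptions for illustration.
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup  = "C:\FirewallBackup\policy-$stamp.wfw"   # hypothetical backup location
$appPath = 'C:\Apps\FinanceApp\finsvc.exe'         # hypothetical server program
$blocked = 'C:\Apps\FileShare\share.exe'           # hypothetical unwanted software
$clients = '10.10.20.0/24'                         # hypothetical client subnet

function Invoke-Netsh {
    # Run netsh and stop on the first failure so a half-applied policy is noticed.
    & netsh.exe @args
    if ($LASTEXITCODE -ne 0) { throw "netsh failed: $($args -join ' ')" }
}

# 1. Back up the firewall configuration before making changes.
New-Item -ItemType Directory -Path (Split-Path $backup) -Force | Out-Null
Invoke-Netsh advfirewall export $backup

# 2. Block all inbound connections by default on every profile; outbound stays allowed.
Invoke-Netsh advfirewall set allprofiles firewallpolicy 'blockinbound,allowoutbound'

# 3. Program-based inbound rule: domain profile only, scoped to the client
#    subnet, and applied only to wired LAN interfaces.
Invoke-Netsh advfirewall firewall add rule name=FinanceApp-In dir=in action=allow `
    "program=$appPath" profile=domain "remoteip=$clients" interfacetype=lan enable=yes

# 4. Port-based rule for a service that cannot be identified by program path.
Invoke-Netsh advfirewall firewall add rule name=FinanceWeb-In dir=in action=allow `
    protocol=TCP localport=8443 profile=domain "remoteip=$clients" enable=yes

# 5. Outbound rule that prevents one specific program from communicating.
Invoke-Netsh advfirewall firewall add rule name=FileShare-Out dir=out action=block `
    "program=$blocked" enable=yes

# 6. Confirm what was actually created, including profile and scope.
Invoke-Netsh advfirewall firewall show rule name=FinanceApp-In verbose

# Roll back if the change has unexpected results:
#   netsh advfirewall import $backup
```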

Page 14

Demonstration: Windows Firewall Rules Configuration Options

In this demonstration, you will see how to:

• Create and configure Windows Firewall rules

Page 15

Lesson 3: Planning Protection Against Viruses and Malware

• How Viruses and Malware Enter the Network

• Considerations for Using Windows Defender

• Considerations for Antivirus Protection

• Security Features of Internet Explorer® 8

• What Is User Account Control (UAC)?

• Using the Security Configuration Wizard (SCW)

Page 16

How Viruses and Malware Enter the Network

Methods

• E-mail attachments

• Program installation

• Web pages

• Portable computers

• Portable storage

Page 17

Considerations for Using Windows Defender

Considerations

• Enable real-time protection

• Ensure that updates are being applied

• Use scheduled and manual scans to remove malware missed by real-time protection

• Use definition-based actions for each alert level

• Join SpyNet with a basic membership

• Use Software Explorer to control startup programs

Page 18

Considerations for Antivirus Protection

Considerations

• Select antivirus software that can be centrally managed

• Update antivirus definitions at least once per day

• Carefully test heuristic-based scanning

• Use quarantine instead of removal for infected files

Page 19

Security Features of Internet Explorer 8

Features

• Enhanced Security Configuration (ESC)

• Improved security for ActiveX controls

• XSS Filter to block cross-site scripting

• SmartScreen filter for phishing and malware

• Protected Mode

Page 20

What Is User Account Control (UAC)?

UAC provides an easy way to elevate credentials only when required

• Admin Approval Mode requires administrators to allow applications with administrative permissions.

• Admin Approval Mode does not apply to built-in Administrator accounts.

• UAC can be configured by Local Security Policy or Group Policy.

Page 21

Using the Security Configuration Wizard (SCW)

Considerations

• Register templates for all installed applications

• Create a standard policy for specific server types

• Apply common settings by using Group Policy

• Disable unknown services only if computers are configured identically

• Roll back a security policy if there are unexpected results

• Test new policies before applying them to multiple computers

Page 22

Lesson 4: Planning Remote Access

• Considerations for Virtual Private Network (VPN) Protocols

• Considerations for Network Policies

• Considerations for Network Policy Server (NPS)

Page 23

Considerations for VPN Protocols

VPN Protocols

• Point-to-Point Tunneling Protocol (PPTP)

• Layer 2 Tunneling Protocol (L2TP)/IPsec

• Secure Socket Tunneling Protocol (SSTP)

Recommendations

• Use PPTP for best compatibility with operating systems

• Use L2TP/IPsec to increase security

• Use SSTP to increase security and provide best compatibility with firewalls and proxy servers

Page 24

Considerations for Network Policies

Considerations

• Each Routing and Remote Access Server (RRAS) server has an independent set of network policies

• Use different policies on each RRAS server to meet the needs of different groups

• The default network policies prevent access

• Simplify management by using groups to control access

• Only the first matched network policy applies

• Increase security by implementing additional conditions

• Identify the authentication methods that meet your needs

• Use constraints to control a remote access connection

• Apply IP filters to control which internal resources can be accessed

Page 25

Considerations for Network Policy Server (NPS)

• To centralize authentication, use RADIUS server functionality

• To centralize logging, use RADIUS server functionality

• Use connection request policies to control RADIUS proxy functionality

• To forward requests to independently managed RADIUS servers, use the RADIUS proxy functionality

• RADIUS can be used to authenticate non-RRAS applications

Page 26

Lesson 5: Planning for NAP

• What Is NAP?

• Status Monitored by Windows System Health Validator (SHV)

• Considerations for Designing Dynamic Host Configuration Protocol (DHCP) Enforcement

• Considerations for Designing VPN Enforcement

• Considerations for Designing 802.1X Enforcement

• Considerations for Designing IPsec Enforcement

Page 27

What Is NAP?

• Enforces client health before allowing access to the network

• Can allow access to remediation servers

• Has various enforcement mechanisms

• Controls network access for noncompliant computers

• Does not block intruders or malicious users

Page 28

Status Monitored by Windows System Health Validator (SHV)

Page 29

Considerations for Designing DHCP Enforcement

Noncompliant computers are:

• Given 0.0.0.0 as a default gateway

• Given 255.255.255.255 as a subnet mask

• Given static host routes to remediation servers

Some considerations for DHCP enforcement:

• Must use Windows Server 2008 DHCP server

• IPv6 is not supported for NAP and Windows Server 2008 DHCP server

• Health status is sent as part of the lease request

• Can be circumvented by using a static IP address
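Because DHCP enforcement only restricts hosts that request a lease, a host configured with a static address inside the scope never receives the restricted gateway, mask and routes. The following added example (not part of the course material) shows one way to audit for that: it compares addresses seen on the network with the DHCP server's active leases. The function names, scope range, addresses and MACs are all constructed for illustration; in practice the observed list would come from a switch or router ARP table and the leases from a DHCP server export.

```powershell
# Added example, not course material. All addresses and MACs are constructed.
function ConvertTo-IPv4Number {
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
}

function Find-UnleasedHost {
    param(
        [object[]]$Observed,          # IP/MAC pairs seen on the wire (assumed ARP export)
        [object[]]$Leases,            # active leases from the DHCP server
        [string]$ScopeStart,
        [string]$ScopeEnd,
        [string[]]$KnownStatic = @()  # documented static hosts (servers, printers)
    )
    $lo = ConvertTo-IPv4Number $ScopeStart
    $hi = ConvertTo-IPv4Number $ScopeEnd
    $leaseByIp = @{}
    foreach ($l in $Leases) { $leaseByIp[$l.IP] = $l.MAC.ToUpper() }

    foreach ($h in $Observed) {
        $n = ConvertTo-IPv4Number $h.IP
        if ($n -lt $lo -or $n -gt $hi) { continue }       # outside the enforced scope
        if ($KnownStatic -contains $h.IP) { continue }    # approved static address
        if (-not $leaseByIp.ContainsKey($h.IP)) {
            [pscustomobject]@{ IP = $h.IP; MAC = $h.MAC; Reason = 'No DHCP lease' }
        } elseif ($leaseByIp[$h.IP] -ne $h.MAC.ToUpper()) {
            [pscustomobject]@{ IP = $h.IP; MAC = $h.MAC; Reason = 'MAC differs from lease' }
        }
    }
}

# Constructed sample data.
$leases = @(
    [pscustomobject]@{ IP = '10.10.20.50'; MAC = '00-15-5D-00-0A-01' },
    [pscustomobject]@{ IP = '10.10.20.51'; MAC = '00-15-5D-00-0A-02' }
)
$observed = @(
    [pscustomobject]@{ IP = '10.10.20.10';  MAC = '00-15-5D-00-00-10' },  # documented server
    [pscustomobject]@{ IP = '10.10.20.50';  MAC = '00-15-5D-00-0A-01' },  # matches its lease
    [pscustomobject]@{ IP = '10.10.20.51';  MAC = '00-15-5D-00-0B-77' },  # lease held by another MAC
    [pscustomobject]@{ IP = '10.10.20.200'; MAC = '00-15-5D-00-0C-33' }   # no lease at all
)

Find-UnleasedHost -Observed $observed -Leases $leases `
    -ScopeStart '10.10.20.1' -ScopeEnd '10.10.20.254' `
    -KnownStatic @('10.10.20.10') | Format-Table -AutoSize
```

With the sample data, the two flagged rows are 10.10.20.51 (MAC differs from lease) and 10.10.20.200 (no DHCP lease).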

Page 30

Considerations for Designing VPN Enforcement

Noncompliant computers are:

• Limited by IP packet filters

Considerations for VPN enforcement:

• Must use NAP-integrated RRAS

• Health status is sent as part of the authentication process

• Best suited for remote connections where a VPN is already used

Page 31

Considerations for Designing 802.1X Enforcement

Noncompliant computers are:

• Limited by packet filters enforced by the switch

• Limited by a virtual local area network (VLAN) enforced by the switch

Considerations for 802.1X Enforcement:

• More secure than DHCP enforcement

• Switches must support 802.1X

• Health status is sent as part of the authentication process

Page 32

Considerations for Designing IPsec Enforcement

Noncompliant computers are:

• Limited by IPsec policies

Considerations for IPsec Enforcement:

• Offers the highest level of security

• Can provide encryption of data

• Requires no additional hardware

• Can be used for both IPv4 and IPv6

• Requires a Certification Authority (CA) and Health Registration Authority (HRA)

Page 33

Lab: Planning Server and Network Security

• Exercise 1: Creating a Plan for Server and Network Security

• Exercise 2: Implementing Windows Firewall Rules

• Exercise 3: Implementing a VPN Server

• Exercise 4: Implementing NAP with DHCP Enforcement

Estimated time: 60 minutes

Logon information

Virtual machines 6430B-SEA-DC1, 6430B-SEA-CL1

User name Adatum\Administrator

Password Pa$$w0rd

Page 34

Lab Scenario

• A. Datum has two security-related tasks that need to be planned. A new Web-based application is being implemented for the finance department and requires a security plan. Also, as part of a security review, a plan needs to be developed for preventing malware on the A. Datum network.

• You have been tasked with creating a plan for the new finance application and creating a plan for preventing malware on the network. Your IT manager has provided you with a list of requirements that must be met by your plan.

Page 35

Module Review and Takeaways

• Review Questions