Securing Internet Access Designing an Internet Acceptable Use Policy Securing Access to the Internet by Private Network Users Restricting Access to Content on the Internet Auditing Internet Access


Page 1: Securing Internet Access

Designing an Internet Acceptable Use Policy
Securing Access to the Internet by Private Network Users
Restricting Access to Content on the Internet
Auditing Internet Access

Page 2: Designing an Internet Acceptable Use Policy

Policy elements
Implementing the policy

Page 3: Internet Acceptable Use Policy

Draft an Internet acceptable use policy before securing Internet access for private network users.

An Internet acceptable use policy defines acceptable employee Internet use.

Private network users must understand the rules when they use corporate resources to access the Internet.

Define the policy before designing the network infrastructure and services that enforce and monitor the policy.

Page 4: Policy Elements

Describe the available services.
Define specific user responsibility.
Define authorized Internet use.
Define unauthorized Internet use.
Define who owns resources stored on the organization's computers.
Define the consequences of performing unauthorized access.
Provide for new technologies.

Page 5: Implementing the Policy

Create a document outlining the newly defined Internet acceptable use policy.

Include in the document a contract that employees must sign before gaining Internet access.

Have the organization's legal representatives review the contract and the policy to ensure the contract is legally binding.

Page 6: Making the Decision: Designing an Internet Acceptable Use Policy

Develop a fair Internet acceptable use policy.
Determine which protocols will be allowed for Internet access.
Verify authorized usage and identify unauthorized usage.
Enforce the Internet acceptable use policy.

Page 7: Applying the Decision: Designing an Internet Acceptable Use Policy for Wide World Importers

The Internet acceptable use policy needs to describe the consequences of violating the policy.

Wide World Importers needs to develop a fair Internet acceptable use policy accepted by both management and employees.

Page 8: Securing Access to the Internet by Private Network Users

Identifying risks when private network users connect to the Internet
Restricting Internet access to specific computers
Restricting Internet access to specific users
Restricting Internet access to specific protocols

Page 9: Identifying Risks when Private Network Users Connect to the Internet

Introducing viruses: Deploy a virus scanning solution for all client computers, servers, and entry points to the network.

Installing unauthorized software: Control software installation through a central network authority. Restrict users to writing data to their hard disks only in common shared areas and their personal profile directories.

Page 10: Exposing Private Network Addressing

Page 11: Attempting to Bypass the Established Security

Page 12: Making the Decision: Reducing Risks when Providing Internet Connectivity

Reduce the risk of viruses.
Prevent the installation of unauthorized software.
Prevent Internet users from revealing the private network addressing scheme.
Prevent users from bypassing network security when accessing the Internet.

Page 13: Applying the Decision: Reducing Risks at Wide World Importers

Wide World Importers must include the following tasks in its network security plan:

Install virus scanning software at multiple locations on the network.

Preconfigure Microsoft Internet Explorer to ensure that security settings are set to restrict download of specific content.

Configure the external firewall with Network Address Translation (NAT) service to prevent exposure of the private network addressing scheme on the Internet.

Page 14: Restricting Internet Access to Specific Computers

Configure client computers.
Configure the firewall to limit the computers that can connect to the Internet.
Configure Internet permissions for network servers.

Page 15: Servers Requiring Access to the Internet Through an External Firewall

Page 16: Making the Decision: Designing Firewall Packet Filters to Allow Internet Access

Determine which computers are required to respond directly to incoming requests.

Determine which computers are required to initiate data exchange with computers on the Internet.

Determine if the computers that require access to the Internet have a static IP address or a Dynamic Host Configuration Protocol (DHCP)-assigned IP address.

Determine which protocols the computers use when accessing the Internet.
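The four questions above can be worked through mechanically for an inventory of hosts. The following is an added example, not course material and not any vendor's firewall tool: for each host it records whether the host answers inbound requests, whether it initiates outbound connections, whether its address is static or DHCP-assigned, and which protocols it uses, then emits the allow rules plus the issues that must be resolved before the filters can be written. The Host and Rule records, the protocol-to-port table, the rule text, and the sample inventory are all assumptions constructed for the example.

```python
"""Plan firewall packet filters from a host inventory.

Added example (not part of the course material). Walks the four packet-filter
questions for every host and returns allow rules followed by a default deny,
plus warnings for hosts that cannot yet be filtered. Everything here is
hypothetical: the records, the protocol table and the rule format.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Well-known transport/port pairs for the protocols the course discusses.
PROTOCOL_PORTS = {
    "HTTP": ("tcp", 80),
    "HTTPS": ("tcp", 443),
    "FTP": ("tcp", 21),
    "SMTP": ("tcp", 25),
    "DNS": ("udp", 53),
    "NNTP": ("tcp", 119),
}


@dataclass
class Host:
    name: str
    address: Optional[str]        # None: the host has a DHCP-assigned address
    responds_inbound: bool        # must answer requests that originate on the Internet
    initiates_outbound: bool      # must open connections to hosts on the Internet
    protocols: List[str] = field(default_factory=list)


@dataclass
class Rule:
    direction: str                # "inbound" or "outbound"
    action: str                   # "allow" or "deny"
    address: str                  # private host address, or "any"
    transport: str                # "tcp", "udp" or "any"
    port: Optional[int]           # None means every port


def plan_filters(hosts: List[Host]) -> Tuple[List[Rule], List[str]]:
    """Return (rules, warnings): specific allows first, then the default deny."""
    rules: List[Rule] = []
    warnings: List[str] = []
    for h in hosts:
        if not (h.responds_inbound or h.initiates_outbound):
            warnings.append(f"{h.name}: no Internet role, so it needs no filter")
            continue
        if h.address is None:
            # A per-host filter needs a fixed address; a DHCP lease can move.
            warnings.append(f"{h.name}: DHCP-assigned address; assign a static "
                            "address or reservation before writing its filter")
            continue
        for proto in h.protocols:
            if proto not in PROTOCOL_PORTS:
                warnings.append(f"{h.name}: protocol {proto} is not defined; "
                                "add its port before allowing it")
                continue
            transport, port = PROTOCOL_PORTS[proto]
            if h.responds_inbound:
                rules.append(Rule("inbound", "allow", h.address, transport, port))
            if h.initiates_outbound:
                rules.append(Rule("outbound", "allow", h.address, transport, port))
    # Default deny closes everything not explicitly listed above.
    rules.append(Rule("inbound", "deny", "any", "any", None))
    rules.append(Rule("outbound", "deny", "any", "any", None))
    return rules, warnings


def render(rule: Rule) -> str:
    """One line of hypothetical filter syntax for a rule."""
    port = "any" if rule.port is None else str(rule.port)
    return f"{rule.direction:8} {rule.action:5} host {rule.address:15} {rule.transport}/{port}"


if __name__ == "__main__":
    # Constructed inventory; not Wide World Importers' real one.
    inventory = [
        Host("web1", "192.168.10.5", True, False, ["HTTP", "HTTPS"]),
        Host("mail1", "192.168.10.6", True, True, ["SMTP"]),
        Host("dns1", "192.168.10.7", False, True, ["DNS"]),
        Host("desk-17", None, False, True, ["HTTP"]),
    ]
    rules, warnings = plan_filters(inventory)
    for r in rules:
        print(render(r))
    for w in warnings:
        print("warning:", w)
```

The ordering matters: the two deny rules come last so that a firewall evaluating top to bottom drops anything the inventory did not justify, and a DHCP host produces a warning instead of a rule because a filter keyed on an address that can change will either fail open for the next lease holder or fail closed for the intended host.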

Page 17: Applying the Decision: Designing Wide World Importers' Firewall Packet Filters

Page 18: Applying the Decision: Designing Wide World Importers' Firewall Packet Filters (Cont.)

Page 19: Restricting Internet Access to Specific Users

Page 20: Microsoft Proxy Server 2.0 Services

Web Proxy service
Windows Socket (WinSock) Proxy service
Socks Proxy service

Page 21: Authenticating Proxy Server Requests

Proxy Server 2.0 supports three methods of authenticating users:

Anonymous access
Basic authentication
Integrated Windows Authentication

The Proxy Server update must be downloaded to configure the software to authenticate with Active Directory directory service.

Page 22: Making the Decision: Restricting Which Users Can Access the Internet

Allow all users to access the Internet.
Simplify the process of granting users access to Internet protocols.
Distinguish users connecting to the proxy service.
Specify which users can use the Web Proxy service.
Specify which users can use the WinSock Proxy service.

Page 23: Applying the Decision: Restricting Internet Access at Wide World Importers

Page 24: Applying the Decision: Restricting Internet Access at Wide World Importers (Cont.)

Page 25: Restricting Internet Access to Specific Protocols

Determining Necessary Protocols

Determining Risks of Using Each Protocol

Defining Allowed and Disallowed Protocols

Page 26: Restricting Protocol Access in the Web Proxy

Set permissions separately for the Web (HTTP), Secure (HTTPS), Gopher, and FTP Read services to allow only authorized groups to use the protocol.

For each protocol, define which groups can access the protocol.

Partial permissions to the protocols cannot be assigned.

Page 27: Restricting Protocol Access in the WinSock Proxy

Set permissions for individual protocols in the WinSock Proxy on a per protocol basis.

An additional option exists to grant unlimited access to all protocols supported by the Proxy Server.

WinSock Proxy supports the most popular protocols. WinSock Proxy also provides access to newer protocols by adding the protocol definitions to the WinSock Proxy.

To use the WinSock Proxy service in Proxy Server 2.0, install the WinSock Proxy client at the client computer.

Page 28: Making the Decision: Determining Which Protocols Can Access the Internet

Determine which protocols are required.
Determine who requires protocol access.
Define allowed protocols.
Add new protocols.
Allow access to the WinSock Proxy.

Page 29: Applying the Decision: Determining Which Protocols Can Access the Internet at Wide World Importers

Wide World Importers must include the following permissions in its Web Proxy and WinSock Proxy configurations:

Configure the Web Proxy to grant access permissions to the Internet Access local group and the IT Access local group for the Web (HTTP), Secure (HTTPS), and FTP Read protocols.

Configure the WinSock Proxy to grant unlimited access to the IT Access local group.

Configure the WinSock Proxy to grant access permission to the Internet Access group for the File Transfer Protocol (FTP) and Network News Transfer Protocol (NNTP).

Page 30: Restricting Access to Content on the Internet

Preventing access to specific Web sites
Using the Internet Explorer Administration Kit (IEAK) to preconfigure settings
Managing content downloads
Preventing access to specific types of content

Page 31: Preventing Access to Specific Web Sites

Page 32: Making the Decision: Preventing Access to Specific Web Sites

Identify Web sites that will always be unauthorized for access.

Include the domain names in the domain filter list.

Page 33: Applying the Decision: Preventing Access to Specific Web Sites at Wide World Importers

Configure a domain filter for nwtraders.tld to prevent the Proxy Server from allowing access to any Web sites for nwtraders.tld.

Ensure that the filter prevents access to any Web site within nwtraders.tld.
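"Any Web site within nwtraders.tld" is a statement about DNS labels, not about substrings, and that is where a hand-rolled filter check usually goes wrong. The following is an added example, not Proxy Server code, and it does not claim to reproduce how Proxy Server 2.0 evaluates its domain filter list; it shows the behaviour an administrator should verify for a filter entry such as nwtraders.tld: the domain itself and every host beneath it are blocked, while look-alike names such as notnwtraders.tld or nwtraders.tld.example.com are not. FILTER_LIST, the helper names, and the test URLs are assumptions constructed for the example.

```python
"""Domain-filter matching by DNS label, not by substring.

Added example, not course material and not Proxy Server's own logic.
is_blocked() applies a domain filter list the way an administrator should
expect: case-insensitively, on whole labels, to the host part of a URL.
naive_match() is the substring check kept only for contrast.
"""
from urllib.parse import urlsplit

# Domain filter list from the slide. Entries are DNS suffixes (assumption).
FILTER_LIST = ["nwtraders.tld"]


def hostname_of(target):
    """Host part of a URL or bare host name; None if there is none."""
    if "//" not in target:
        target = "//" + target          # let urlsplit treat it as a netloc
    host = urlsplit(target).hostname    # lower-cased; port and userinfo removed
    return host.rstrip(".") if host else None


def in_domain(host, domain):
    """True when host equals domain or is a subdomain of it (label-aware)."""
    host = host.lower().rstrip(".")
    domain = domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def naive_match(host, domain):
    """The substring check a careless filter might use; matches too much."""
    return domain.lower() in host.lower()


def is_blocked(target, filter_list=FILTER_LIST):
    """Apply the filter list to a URL or host name."""
    host = hostname_of(target)
    if host is None:
        return True                     # unparseable request: fail closed
    return any(in_domain(host, d) for d in filter_list)


if __name__ == "__main__":
    # Constructed test names, not real sites.
    for t in ["http://www.nwtraders.tld/", "nwtraders.tld", "notnwtraders.tld",
              "nwtraders.tld.example.com", "HTTP://Mail.NWTraders.TLD."]:
        h = hostname_of(t)
        print(f"{t:30} blocked={is_blocked(t)!s:5} naive={naive_match(h, 'nwtraders.tld')}")
```

Two design choices are worth noting: the comparison is anchored on a leading dot so that a filter entry can only match at a label boundary, and a request whose host cannot be parsed is treated as blocked rather than allowed, since a filter that fails open on malformed input is not a filter.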

Page 34: The IEAK

Allows administrators to preconfigure Internet Explorer settings before deploying Internet Explorer and to update deployments

Can be downloaded by searching www.microsoft.com for "IEAK"

Consists of the IEAK Profile Manager and the Internet Explorer Customization Wizard

Page 35: The IEAK Profile Manager

Profile Manager allows administrators to modify existing installations by storing the modified configuration setting in a .ins file.

Internet Explorer clients will detect the .ins file and apply those settings when Internet Explorer is configured to Automatically Detect Settings.

Page 36: Internet Explorer Customization Wizard

Allows administrators to define custom settings for all security settings in Internet Explorer

Allows configuration of the following security-related options:

Enable Automatic Configuration
Proxy Settings
Define Certification Authorities
Define Security Zones
Enable Content Rating

Page 37: Making the Decision: Using the IEAK to Preconfigure Settings

Determine the desired configuration of Internet Explorer.

Define an installation package that applies the standard configuration.

Determine how modifications will be deployed.

Prevent modification of the standard configuration.

Page 38: Applying the Decision: Using the IEAK to Preconfigure Settings for Wide World Importers

Wide World Importers currently supports both Internet Explorer and Netscape Navigator. Migrating to a pure Internet Explorer environment and using the IEAK will reduce the cost of deploying the latest version of Internet Explorer and ensure that consistent security settings are deployed.

The IEAK will work in the Wide World Importers network because the IEAK supports Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows NT, and Microsoft Windows 2000.

Use the IEAK Profile Manager to create a modified .ins file and post it on an accessible share on the network.

If Internet Explorer is configured to autodetect Proxy settings, the .ins file will be read from the network location and used to apply any modifications.

Page 39: Internet Explorer Security Zones

Internet Explorer allows administrators to manage what content can be downloaded from Web sites.

Each security zone is configured with a security setting that defines what content can be downloaded from Web sites in the security zone.

Additional zones cannot be added to the predefined zones included with Internet Explorer.

Page 40: Predefined Security Zones

Page 41: Internet Explorer Security Zone Level

ActiveX Controls and plug-ins

Page 42: Deploying Internet Explorer Settings

Use a mix of IEAK and Group Policy to ensure that correct settings are applied to all Internet Explorer clients.

Modify settings from a central location by defining configuration (.ins) files.

Secure Internet Explorer by using Group Policy to prevent the display of configuration property pages.

Page 43: Making the Decision: Managing Content Downloads

Allow download of safe content from trusted sites.

Allow unrestricted access to content on the private network.

Prevent download of harmful content from all Internet sites.

Apply security settings that match the Internet acceptable use policy for the organization.

Ensure consistent security settings on all client computers.

Page 44: Applying the Decision: Managing Content Downloads at Wide World Importers

Wide World Importers wants to place restrictions that make it difficult to download software from the Internet.

Configure the Internet zone to use the High security setting to prevent users from downloading most harmful content from the Internet.

Combine the High security setting with deployment of a security template to limit users to creating files in their personal folders and common shared files locations.

Ensure that the users are not members of the Power Users group on the local computer.

Page 45: Preventing Access to Specific Types of Content

Page 46: Using Plug-Ins to Block Content

Restrict access to Web sites that contain unauthorized content by using plug-ins that allow content scanning at the Proxy Server.

The Proxy Server will not load the inappropriate materials and will inform the user that the content is blocked.

A list of plug-ins for content scanning is available at www.microsoft.com/proxy/.

Page 47: Using Internet Explorer Content Advisor

The Content Advisor controls what content can be displayed in the browser windows by using the Recreational Software Advisory Council on the Internet (RSACi) rating system.

RSACi classifies Internet content in four categories, based on language, nudity, sex, and violence.

When the Content Advisor is enabled, Internet Explorer scans the HTML source code for RSACi ratings contained in HTML metatags.

Define what action to take if a site is unrated. Blocking access to unrated sites might deny access to inoffensive sites as well.

Prevent users from changing the content ratings by either:
Locking the Content Advisor settings with a supervisor password
Preventing access to the Content tab in the Internet Explorer Properties dialog box

Page 48: Making the Decision: Preventing Access to Specific Types of Content

Define the organization's policy on obscene content.

Define what content must be blocked.

Define what actions to take when an unrated Web site is accessed.

Prevent users from changing content settings.

Ensure that all settings for Internet Explorer installations are consistent.

Page 49: Applying the Decision: Preventing Access to Internet Content for Wide World Importers

Define restrictions in the Content Advisor to prevent access to sites that contain nudity, sex, and violence.

Enable content ratings for all Internet Explorer clients to ensure consistent application of the restrictions.

Configure the settings using the IEAK so that the required settings are configured as the default settings.

Configure the IEAK to ensure that Internet Explorer clients are configured to autoconfigure settings and will download any modified content settings.

Use Group Policy to prevent access to the Content tab of the Internet Explorer Properties dialog box.

Page 50: Auditing Internet Access

Proxy Server 2.0 audit logs
Logging configuration: regular or verbose
Logging fields

Page 51: Designing Proxy Server Auditing

Page 52: Audit Logs

The log data allows administrators to review all Internet access.

Log files are written as text files in the systemroot\system32\MSPlogs folder, where systemroot is the folder where Windows 2000 is installed.

New log files can be created every day, week, or month. Proxy Server maintains the following logs:

Web Proxy log (W3yymmdd.log)
WinSock Proxy log (Wsyymmdd.log)
Socks Proxy log (Spyymmdd.log)

Logging can be configured to use either regular or verbose logging.

Page 53: ODBC-Compliant Database Logging

Advantage: Open Database Connectivity (ODBC) logging has improved search and management capabilities to review the logged data.

Disadvantage: ODBC logging uses more processor time than text-based logging.

Before implementing ODBC logging, determine whether the Proxy Server has any processor resource issues.

Page 54: Log Reviews

Ensure that reviewing the logs is one of the Proxy Server administrator’s regular assignments.

Unless the logs are reviewed, there is no way to ensure that the Proxy Server is functioning as expected.

If ODBC logging is used, the database product provides query mechanisms to find data related to a specific user or protocol.

If text logging is used, consider purchasing a third-party product that provides reporting options for text-based log files.
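A regular review of text logs comes down to two things: knowing which daily files cover the review period, and pulling the records for one user or one protocol out of them. The following is an added example, not course material and not Proxy Server code. The file-name pattern (W3, Ws or Sp followed by yymmdd) is taken from the Audit Logs slide; the record layout, the sample records, the user names and the helper names are constructed for the example and are not the actual Proxy Server 2.0 logging fields.

```python
"""Review proxy audit logs by user and protocol.

Added example, not course material. log_file_name() follows the W3/Ws/Sp +
yymmdd pattern the slides give. SAMPLE_LOG uses a simplified, constructed
record layout (NOT the real Proxy Server 2.0 field set) so the review
queries can run offline.
"""
from collections import Counter
from datetime import date, timedelta

LOG_PREFIX = {"web": "W3", "winsock": "Ws", "socks": "Sp"}
SAMPLE_DAY = date(2000, 5, 12)          # constructed review date


def log_file_name(service, day):
    """Daily log name for a service, e.g. web on 2000-05-12 -> W3000512.log."""
    return f"{LOG_PREFIX[service]}{day:%y%m%d}.log"


def log_files_for_review(service, last_day, days):
    """Names of the daily logs covering the `days` days ending on last_day."""
    return [log_file_name(service, last_day - timedelta(n))
            for n in range(days - 1, -1, -1)]


# Constructed sample records (hypothetical layout):
# date time user client-address protocol destination result
SAMPLE_LOG = """\
2000-05-12 08:01:10 alice 10.0.1.15 HTTP www.example.com allowed
2000-05-12 08:02:44 bob 10.0.1.22 FTP ftp.example.net allowed
2000-05-12 08:03:01 alice 10.0.1.15 HTTP www.nwtraders.tld denied

2000-05-12 08:05:30 anonymous 10.0.1.40 HTTP www.example.org denied
2000-05-12 08:06:12 bob 10.0.1.22 HTTPS secure.example.com allowed
2000-05-12 08:07:55 carol 10.0.1.31 NNTP news.example.com denied
"""

FIELDS = ("date", "time", "user", "client", "protocol", "destination", "result")


def parse_log(text):
    """Turn the text log into one dict per record, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        records.append(dict(zip(FIELDS, parts)))
    return records


def select(records, user=None, protocol=None):
    """The 'data related to a specific user or protocol' query from the slide."""
    return [r for r in records
            if (user is None or r["user"] == user)
            and (protocol is None or r["protocol"] == protocol)]


def summarize(records):
    """Counts an administrator would scan on a regular review."""
    return {
        "by_user": Counter(r["user"] for r in records),
        "by_protocol": Counter(r["protocol"] for r in records),
        "denied": [(r["user"], r["protocol"], r["destination"])
                   for r in records if r["result"] == "denied"],
        "anonymous": sum(1 for r in records if r["user"] == "anonymous"),
    }


if __name__ == "__main__":
    print(log_files_for_review("web", SAMPLE_DAY, 7))
    recs = parse_log(SAMPLE_LOG)
    s = summarize(recs)
    print("requests per user:", dict(s["by_user"]))
    print("requests per protocol:", dict(s["by_protocol"]))
    print("denied requests:", s["denied"])
    print("anonymous requests:", s["anonymous"])
    print("alice over HTTP:", len(select(recs, user="alice", protocol="HTTP")))
```

The denied list and the anonymous count are the two figures that tell the reviewer whether the Proxy Server is enforcing what the policy says: denied entries show the domain filter and protocol permissions doing their job, and a non-zero anonymous count on a server that is supposed to require authentication is the kind of discrepancy that only a log review will surface.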

Page 55: Making the Decision: Implementing Internet Access Logging

Examine Internet usage from the private network.

Conserve disk space related to logging at the Proxy Server.

Ensure that all information of a proxied session can be analyzed.

Page 56: Applying the Decision: Implementing Logging at Wide World Importers

Wide World Importers must enable logging of the Web Proxy and WinSock Proxy services.

Log to an ODBC data source such as SQL Server to view the logs.

Configure the Proxy Server to use verbose logging.

Page 57: Chapter Summary

Determining contents of the policy
Identifying risks when private network users connect to the Internet
Restricting Internet access to specific computers
Restricting Internet access to specific users
Restricting Internet access to specific protocols
Preventing access to specific Web sites
Using the IEAK to preconfigure settings
Managing content downloads
Preventing access to specific types of content
Designing Proxy Server auditing