
Microsoft Official Course

Module 12

Designing and Implementing Network Protection
Module Overview

• Overview of Network Security Design
• Identifying and Mitigating Common Network Security Threats
• Designing and Implementing a Windows Firewall Strategy
• Designing and Implementing a NAP Infrastructure
Lesson 1: Overview of Network Security Design

• Key Principles of Network Security
• What Is the Defense-in-Depth Model?
• The Process of Designing Security
• Network Security Policies and Procedures
Key Principles of Network Security

• Defense-in-depth
  • Provides multiple layers of protection
• Least privilege
  • Grants the least permissions necessary to perform a task
• Minimized attack surface
  • Reduces the number of vulnerable points on the network
• Educated users
  • Ensure that your users understand why security is important, and how they can make security a part of the way that they work
What Is the Defense-in-Depth Model?

Security layer                      | Description
Policies, procedures, and awareness | Written security policies and security education
Physical security                   | Controls physical access to servers and client computers
Perimeter                           | Firewalls, perimeter networks, and intrusion detection
Networks                            | IPsec, SSL, PKI
Host                                | Security patches, critical updates, service packs
Application                         | Security patches, updates, service packs
Data                                | NTFS permissions, share permissions


The Process of Designing Security

1. Create a security design team
2. Perform threat modelling
3. Perform risk management
4. Design security measures for network elements
5. Detect and react
6. Manage and review network security continuously
Network Security Policies and Procedures

• Security policies describe what you must implement to secure a network:
  • Enforce administrative policies through management
  • Enforce technical policies with operating systems and applications
  • Enforce physical policies with physical controls such as doors and locks
• Security procedures provide detailed steps that describe how to implement policies
Lesson 2: Identifying and Mitigating Common Network Security Threats

• Overview of Network Attacks
• Combating Common Network Vulnerabilities
• Guidelines for Modeling and Countering Network Threats
• The STRIDE Threat Model
• Risk Assessment and Impact
• The MOF Risk Management Process
• Guidelines for Creating a Risk Management Plan
Overview of Network Attacks

• Why Do Network Attacks Occur?


• Stages in a Network Attack
• Common Network Attacks
Combating Common Network Vulnerabilities

• Account passwords
  • Ensure that passwords are not too simple
  • Do not allow users to share passwords
• Audit settings
  • Enable auditing to detect that an attack has occurred
• User rights
  • Restrict user rights to the minimum required
• Applications and services
  • Keep applications and services up-to-date and only run those applications and services that you need
Guidelines for Modeling and Countering Network Threats

Use the following guidelines when modeling threats to your network:
• Encourage creative thinking among team members
• Ensure that you have all the information
• Manage discussions about the validity of a threat
• Include specialized network security testers
• Use caution when including team members who may have conflicts of interest
The STRIDE Threat Model

The STRIDE model describes the following six threat categories and suggested countermeasures:
• Spoofing
• Tampering
• Repudiation
• Information disclosure
• Denial of service
• Elevation of privilege
Risk Assessment and Impact

• Prioritize security risks


• Determine the appropriate level of security
• Justify costs
• Document all potential security issues
• Avoid overlooking critical network security issues
• Create metrics
The MOF Risk Management Process

• Identify risks
• Analyze and prioritize risks
• Plan and schedule how to mitigate risks
• Track and report specific risks
• Control risks
• Learn from risks
Guidelines for Creating a Risk Management Plan

For a successful risk management plan, consider the following:
• Obtain approval and support from top management
• Determine the scope of the risk management plan
• Implement actions at the appropriate time
• Update the risk management plan as changes occur
• Use the risk management plan to assign ownership and allocate resources
Lesson 3: Designing and Implementing a Windows Firewall Strategy

• Scenarios Addressed by Windows Firewall
• IPsec Benefits and Usage
• Connection Security Rules
• Authentication Options and Methods
• Best Practices for Designing Network Security Rules
• Demonstration: Configuring Connection Security Rules
Scenarios Addressed by Windows Firewall

Implement Windows Firewall to:


• Protect servers from internal threats
• Prevent malware from propagating
• Authenticate communications
• Encrypt traffic
IPsec Benefits and Usage

Benefits of IPsec include:


• Offering mutual authentication
• Forcing both parties to identify themselves
• Enabling confidentiality through IP traffic encryption
Recommended uses for IPsec include:
• Packet filtering
• Authenticating and encrypting host-to-host traffic
• Authenticating and encrypting traffic to servers
• L2TP/IPsec for VPN connections
• Site-to-site tunneling
• Enforcing logical networks
Connection Security Rules

The configurable rules are:


• Isolation
• Authentication Exemption
• Server-to-Server
• Tunnel
• Custom
Authentication Options and Methods

Authentication options:
• Request authentication for inbound and outbound
connections
• Require authentication for inbound connections and
request authentication for outbound connections
• Require authentication for inbound and outbound
connections
Authentication methods:
• Computer and user (Kerberos V5 protocol)
• Computer (Kerberos V5 protocol)
• User (Kerberos V5 protocol)
• Computer certificate
• Only accept health certificates
Best Practices for Designing Network Security Rules

Some of the considerations for designing connection security rules are:
• Compatible connection security rules must exist on both hosts to create an IPsec connection
• When a connection security rule is in place, other rules can be enforced based on the user or computer
• Use Kerberos V5 authentication to allow both user and computer authentication
• Avoid applying IPsec rules and connection security rules to the same computer
• Test thoroughly before implementation to ensure that all computers are configured properly
• Use IPsec only where required as part of your security plan
• Use Group Policy to deploy rules to a large number of computers
• Use Windows PowerShell or Netsh to create scripts that manage firewall rules
Demonstration: Configuring Connection Security Rules

In this demonstration, you will see how to:
• Enable ICMP traffic on LON-SVR1
• Create a server-to-server rule on connecting servers
• Create a server-to-server rule on LON-CL1
• Test the rule
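The four demonstration steps, carried out with the Windows PowerShell cmdlets the best-practices slide recommends for scripting rules. This is an added example, not part of the course materials: the addresses 10.10.0.11 (LON-SVR1) and 10.10.0.21 (LON-CL1) and the rule names are constructed, and the script is assumed to run elevated on each of the two hosts with the local and remote addresses swapped on the second one.

```powershell
# Added example (not from the course): server-to-server connection security
# rule via the NetSecurity module. Addresses below are constructed lab values.

# 1. Allow inbound ICMPv4 echo requests so the rule can be tested with ping.
New-NetFirewallRule -DisplayName "Allow ICMPv4 Echo (lab)" -Direction Inbound `
    -Protocol ICMPv4 -IcmpType 8 -Action Allow -Profile Domain

# 2. Phase 1 authentication: computer Kerberos V5, so only domain members
#    can complete the negotiation (the "Computer (Kerberos V5)" option).
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName "Computer Kerberos (lab)" `
    -Proposal $proposal

# 3. Server-to-server rule in transport mode: require authentication for
#    inbound traffic, request it for outbound, scoped to the two endpoints.
#    A compatible rule must exist on the other host or no SA is formed.
New-NetIPsecRule -DisplayName "LON-SVR1 to LON-CL1 (lab)" -Mode Transport `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name `
    -LocalAddress 10.10.0.11 -RemoteAddress 10.10.0.21 `
    -Profile Domain -Enabled True

# 4. Test: generate traffic to the peer, then confirm that a main-mode and a
#    quick-mode security association were negotiated with Kerberos.
Test-NetConnection -ComputerName 10.10.0.21 | Out-Null
Get-NetIPsecMainModeSA |
    Select-Object LocalEndpoint, RemoteEndpoint, FirstAuthenticationMethod
Get-NetIPsecQuickModeSA
```

If the SA lists stay empty, check that both hosts are domain joined, that the Domain profile is the active one, and that the rule on the peer uses the same addresses in reverse.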
Lesson 4: Designing and Implementing a NAP Infrastructure

• Systems Health Agents and System Health Validators
• Considerations for Defining Your NAP Policy
• Considerations for Defining Your SHV Settings
• Managing Unsupported Operating Systems
• Considerations for Defining Your Network Policies
• Considerations for Selecting an Enforcement Method
• Remediation Server Groups
• Demonstration: Implementing NAP
Systems Health Agents and System Health Validators

SHAs:
• Are present on client computers
• Publish health status
• Include Windows SHA
• Can be obtained from third-parties
SHVs:
• Are the server-side complement to an SHA
• Compare client health to required status
Considerations for Defining Your NAP Policy

SHV checks:
• Firewall settings
• Antivirus settings
• Spyware protection settings
• Automatic updates settings
• Security updates settings
Health policies:
• Client passes all SHV checks
• Client fails all SHV checks
• Client passes one or more SHV checks
• Client fails one or more SHV checks
• Client reported as transitional by one or more SHVs
• Client reported as infected by one or more SHVs
• Client reported as unknown by one or more SHVs
Considerations for Defining Your SHV Settings

To define your NAP policy, you must consider:


• Firewall settings
• Antivirus settings
• Spyware protection settings
• Automatic updates settings
• Security updates settings
Managing Unsupported Operating Systems

Unsupported platforms:
• Are reported as non-NAP capable
• Can be prevented from accessing your network
• Can be placed on a restricted network
• Can be allowed full access
Considerations for Defining Your Network Policies

Before configuring NAP-related settings in your network policies, consider the following:
• Do you want to isolate non-compliant computers and prevent them from connecting to any aspect of your network infrastructure?
• Do you want to allow non-compliant computers to connect unrestricted as do compliant computers, but for a limited time?
• Do you want non-compliant computers to connect to a remediation network so they can become compliant? Should clients be able to auto-remediate?
Considerations for Selecting an Enforcement Method

You can select one of four NAP enforcement methods:
• IPsec
• 802.1X
• VPN
• DHCP
Remediation Server Groups

Depending on your health policy requirements, consider placing the following servers in your remediation network:
• Antivirus signature servers
• WSUS
• System Center Configuration Manager component servers
• Domain controllers
• DNS servers
• DHCP servers
• Troubleshooting servers
• Other services
Demonstration: Implementing NAP

In this demonstration, you will see how to:


• Install the NPS server role
• Configure NPS as an NAP health policy server
• Configure health policies
• Configure network policies for compliant
computers
• Configure network policies for noncompliant
computers
• Configure the DHCP server role for NAP
• Configure client NAP settings
• Test NAP
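The DHCP-enforcement parts of this demonstration as an added PowerShell example (not the course's own lab script). It assumes NPS and DHCP share one server, that the health and network policies for compliant and noncompliant computers have already been created in the NPS console, and that the scope addresses and DNS names are constructed lab values.

```powershell
# Added example (not from the course). Server section runs elevated on the
# DHCP/NPS server; client section runs elevated on a NAP-capable client.
# All addresses and DNS names are constructed for the lab.

# --- Server: install the roles (steps "Install the NPS server role" and
#     "Configure the DHCP server role for NAP").
Install-WindowsFeature DHCP, NPAS-Policy-Server -IncludeManagementTools

# NAP-enabled scope: the DHCP server will consult NPS health policy before
# handing out a lease.
Add-DhcpServerv4Scope -Name "NAP lab scope" -StartRange 10.10.20.50 `
    -EndRange 10.10.20.200 -SubnetMask 255.255.255.0 -State Active `
    -NapEnable $true

# Options for compliant clients: normal gateway, DNS and suffix.
Set-DhcpServerv4OptionValue -ScopeId 10.10.20.0 -Router 10.10.20.1 `
    -DnsServer 10.10.20.10 -DnsDomain adatum.com

# Options for noncompliant clients, keyed on the built-in NAP user class:
# no default gateway and a distinct suffix, so that the restricted client can
# reach only the remediation servers on its own subnet.
Set-DhcpServerv4OptionValue -ScopeId 10.10.20.0 `
    -UserClass "Default Network Access Protection Class" `
    -DnsServer 10.10.20.10 -DnsDomain restricted.adatum.com

# --- Client (step "Configure client NAP settings"): run the NAP agent and
#     turn on the DHCP quarantine enforcement client (enforcement ID 79617).
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent
netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE"

# --- Test (step "Test NAP"): take a fresh lease and read the client's
#     restriction state as reported by the agent.
ipconfig /renew | Out-Null
netsh nap client show state
```

In production the same client settings are pushed through Group Policy rather than typed per machine, and the restricted subnet should contain the remediation server group listed on the previous slide.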
Lab: Designing and Implementing Network Protection

• Exercise 1: Designing a Windows Firewall Solution
• Exercise 2: Implementing a Windows Firewall Solution
• Exercise 3: Designing a NAP Solution
• Exercise 4: Implementing NAP with VPN Enforcement

Virtual machines:
• 20413A-LON-DC1
• 20413A-LON-RTR
• 20413A-LON-SVR1
• 20413A-LON-CL1
• 20413A-LON-CL2

Logon information:
• User name: Adatum\Administrator
• Password: Pa$$w0rd

Estimated time: 75 minutes


Lab Scenario

A. Datum Corporation has recently experienced problems with malware being introduced to the network at the Paris location. Malware has been introduced as a result of computers not being compliant with corporate security and maintenance policies. None of the lapses has been a result of attackers attempting to bypass security guidelines.
Lab Review

• What was your approach to the firewall design exercise?
• What was your approach to the NAP design exercise?
Module Review and Takeaways

• Review Questions
• Real-world Issues and Scenarios
Course Evaluation
