Microsoft Official Course: Designing and Implementing Network Protection
Module 12
• Defense-in-depth
• Provides multiple layers of protection
• Least privilege
• Grants the least permissions necessary to perform a task
• Policies, procedures, and awareness: written security policies and security education
• Physical security: controls physical access to servers and client computers
• Perimeter: firewalls, perimeter networks, and intrusion detection
• Account passwords
• Ensure that passwords are not too simple
• Do not allow users to share passwords
• Audit settings
• Enable auditing to detect that an attack has occurred
• User rights
• Restrict user rights to the minimum required
• Identify risks
• Analyze and prioritize risks
• Plan and schedule how to mitigate risks
• Track and report specific risks
• Control risks
• Learn from risks
Guidelines for Creating a Risk Management Plan
Authentication options:
• Request authentication for inbound and outbound connections
• Require authentication for inbound connections and request authentication for outbound connections
• Require authentication for inbound and outbound connections
Authentication methods:
• Computer and user (Kerberos V5 protocol)
• Computer (Kerberos V5 protocol)
• User (Kerberos V5 protocol)
• Computer certificate
• Only accept health certificates
Best Practices for Designing Network Security Rules
Some of the considerations for designing connection security rules are:
• Compatible connection security rules must exist on both hosts to create an IPsec connection
• When a connection security rule is in place, other rules can be enforced based on the user or computer
• Use Kerberos V5 authentication to allow both user and computer authentication
• Avoid applying IPsec rules and connection security rules to the same computer
• Test thoroughly before implementation to ensure that all computers are configured properly
• Use IPsec only where required as part of your security plan
• Use Group Policy to deploy rules to a large number of computers
• Use Windows PowerShell or Netsh to create scripts that manage firewall rules
Demonstration: Configuring Connection Security Rules
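The following script is an added example, not part of the course materials or the demonstration: it scripts one connection security rule with the NetSecurity PowerShell cmdlets, using the "require inbound, request outbound" authentication option and Kerberos V5 computer-plus-user authentication from the slides above. The rule and authentication-set names and the peer computer name LON-DC1 are assumptions.

```powershell
# Added example (not from the course): create a connection security rule with
# PowerShell instead of the Windows Firewall with Advanced Security console.
# Display names and the peer name LON-DC1 are assumptions for illustration.
#Requires -RunAsAdministrator

# Phase 1 (main mode): authenticate the computer with Kerberos V5.
$machineProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'Adatum Computer Kerberos' `
    -Proposal $machineProposal

# Phase 2 (extended mode): also authenticate the user with Kerberos V5, so that
# other firewall rules can later be restricted to specific users or computers.
$userProposal = New-NetIPsecAuthProposal -User -Kerberos
$phase2 = New-NetIPsecPhase2AuthSet -DisplayName 'Adatum User Kerberos' `
    -Proposal $userProposal

# Authentication option: require authentication for inbound connections and
# request it for outbound connections, limited to the Domain profile.
New-NetIPsecRule -DisplayName 'Adatum Domain Isolation' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $phase1.Name -Phase2AuthSet $phase2.Name `
    -Profile Domain -Enabled True

# Check the rule as stored, then generate traffic to a peer and confirm that a
# main mode security association was negotiated. A compatible rule must exist
# on the peer as well, otherwise no SA appears and inbound traffic is dropped.
Get-NetIPsecRule -DisplayName 'Adatum Domain Isolation' |
    Format-List DisplayName, InboundSecurity, OutboundSecurity,
                Phase1AuthSet, Phase2AuthSet, Profile
Test-NetConnection -ComputerName LON-DC1 -Port 445 | Out-Null
Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint
```

Deploy the same cmdlets through a Group Policy startup script, or export the resulting policy to a GPO, when the rule has to reach many computers.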
SHAs:
• Are present on client computers
• Publish health status
• Include Windows SHA
• Can be obtained from third parties
SHVs:
• Are the server-side complement to an SHA
• Compare client health to required status
Considerations for Defining Your NAP Policy
SHV checks:
• Firewall settings
• Antivirus settings
• Spyware protection settings
• Automatic updates settings
• Security updates settings
Health policies:
• Client passes all SHV checks
• Client fails all SHV checks
• Client passes one or more SHV checks
• Client fails one or more SHV checks
• Client reported as transitional by one or more SHVs
• Client reported as infected by one or more SHVs
• Client reported as unknown by one or more SHVs
Considerations for Defining Your SHV Settings
Unsupported platforms:
• Are reported as non-NAP capable
• Can be prevented from accessing your network
• Can be placed on a restricted network
• Can be allowed full access
Considerations for Defining Your Network Policies
Logon Information
User Name: Adatum\Administrator
Password: Pa$$w0rd
Review Questions
• Real-world Issues and Scenarios
Course Evaluation