
70-298: MCSE Guide to Designing Security for a Microsoft Windows Server 2003 Network

Chapter 9: Securing Network Resources

Exam Objectives
4.2 Design an access control strategy for files and folders
  4.2.4 Analyze auditing requirements
4.3 Design an access control strategy for the registry
  4.3.1 Design a permission structure for registry objects
  4.3.2 Analyze auditing requirements

Exam Objectives (continued)


4.2.1 Design a strategy for the encryption and decryption of files and folders
4.2.3 Design security for a backup and recovery strategy


Introduction
Windows permissions are discretionary:
  Design a permission scheme that provides sufficient access for end users to do their jobs
  But not unnecessary permissions that might affect the security of the overall network
Default permission structure:
  Change defaults to meet the organization's needs


Introduction (continued)
Common risks to file shares:
  Data corruption caused by viruses
  Security breaches arising from incorrectly assigned permissions
Best practices for securing the Windows Registry
Encrypted File System (EFS)
Design a secure backup and recovery strategy for network resources

Designing an Access Control Strategy for Files and Folders


Fundamental element of data security: controlling access to information
Steps:
  Authorizing users to gain access to the network
  Controlling what data users can access
Objects are managed via access control lists (ACLs), which designate:
  Which users and groups can access objects
  In what manner users and groups can access objects

Designing an Access Control Strategy for Files and Folders


Format disk volumes with the NTFS file system:
  Provides the ability to control access to files at a very granular level
  Enables the ability to audit access to files


Analyzing Risks to Data


Physical loss of data
Data corruption
Data modification or corruption from viruses and other attacks
Security breaches due to incorrectly configured permissions
Auditing practices


Reviewing Access Control and Access Control Lists


Access control:
  Defines which users, groups, and computers can access particular network resources
  Comprised of:
    Permissions
    User rights
    Object auditing


Reviewing Access Control and Access Control Lists (continued)


Access Control Lists:
  Control access to resources
  Types:
    Discretionary (DACL)
    System (SACL)


Reviewing Access Control and Access Control Lists (continued)


Access Control Entry (ACE):
  Entry in an ACL
  Contains a security ID (SID) for a user or group
  Contains an access mask that specifies which actions are:
    Granted
    Denied
    Audited


Access Control List with Access Control Entries


Access Mask Compared with Access Request
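The comparison this slide illustrates, written out as an added example that is not from the book: a constructed DACL is walked ACE by ACE against a token's SIDs and a requested access mask, the way the Windows access check does. The SIDs, the three rights, and the helper names New-Ace and Test-Access are assumptions; inheritance flags, generic-right mapping and owner or privilege shortcuts are left out.

```powershell
# Added example (not from the book). Simplified access check over explicit ACEs only.
$FILE_READ_DATA  = 0x0001
$FILE_WRITE_DATA = 0x0002
$DELETE          = 0x00010000

function New-Ace([ValidateSet('Allow','Deny')][string]$Type, [string]$Sid, [int]$Mask) {
    [pscustomobject]@{ Type = $Type; Sid = $Sid; Mask = $Mask }
}

function Test-Access([object[]]$Dacl, [string[]]$TokenSids, [int]$Requested) {
    # A present-but-empty DACL grants nothing; only a missing (null) DACL would grant everything.
    $remaining = $Requested
    foreach ($ace in $Dacl) {
        if ($TokenSids -notcontains $ace.Sid) { continue }      # ACE is about some other trustee
        if ($ace.Type -eq 'Deny' -and ($ace.Mask -band $remaining) -ne 0) {
            return $false                                         # a still-wanted right is denied
        }
        if ($ace.Type -eq 'Allow') {
            $remaining = $remaining -band (-bnot $ace.Mask)      # tick off what this ACE grants
        }
        if ($remaining -eq 0) { return $true }                    # every requested right granted
    }
    return $false                                                 # implicit deny
}

# Constructed SIDs and a DACL in canonical order: explicit Deny ACEs before explicit Allow.
$sidAlice   = 'S-1-5-21-1-1-1-1001'
$sidFinance = 'S-1-5-21-1-1-1-2001'
$sidInterns = 'S-1-5-21-1-1-1-2002'
$dacl = @(
    New-Ace Deny  $sidInterns ($FILE_WRITE_DATA -bor $DELETE)
    New-Ace Allow $sidFinance ($FILE_READ_DATA -bor $FILE_WRITE_DATA)
    New-Ace Allow $sidAlice   $DELETE
)

# Alice (member of Finance): read and write come from the group ACE, delete from her own ACE.
Test-Access $dacl @($sidAlice, $sidFinance) ($FILE_READ_DATA -bor $FILE_WRITE_DATA -bor $DELETE)
# An intern who is also in Finance: a read-only request is satisfied by the Finance ACE,
# but a read+write request hits the Deny ACE first and is refused as a whole.
Test-Access $dacl @($sidInterns, $sidFinance) $FILE_READ_DATA
Test-Access $dacl @($sidInterns, $sidFinance) ($FILE_READ_DATA -bor $FILE_WRITE_DATA)
# A trustee the DACL never mentions gets nothing, even for read.
Test-Access $dacl @('S-1-5-21-1-1-1-3001') $FILE_READ_DATA
```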


Groups
Security groups:
  Created to manage access and other security-related functions
  Contain:
    User accounts
    Computer accounts
    Other group accounts


Groups (continued)
Security group scopes include:
  Local
  Domain local
  Global
  Universal


Groups (continued)
Distribution groups:
  Used for mailing lists only
  No security function
Account groups:
  Members are user accounts or computer accounts that require the same permissions for a resource
Resource groups:
  Security group added to the ACL of a resource that has been granted (or denied) specific permissions

Access to Resources
Methods for controlling access:
  User/ACL
  Account group/ACL
  Account group/resource group
  Role-based authorization


Benefits and Limitations of User/ACL Method


Benefits and Limitations of the Account Group/ACL Method


Benefits and Limitations of the AG/RG Method


Benefit and Limitations of Role-Based Authorization Method


Selecting Domain Local Groups or Local Groups as Resource Groups


Domain local groups:
  Can be accessed anywhere in the domain
  Many groups must be defined
  More difficult to retire groups
  May overflow the access token buffer size if users belong to over 120 groups
Local groups:
  Must create groups on many different computers

Working with Security Groups


Tasks:
  Defining a security group creation policy
  Defining a security group request process
  Defining a security group naming policy
  Defining a security group nesting policy
  Defining a security group retirement policy
  Delegating security group maintenance
  Delegating resource group maintenance


Defining a Security Group Request Process


Requests should include:
  Group owner
  Purpose and scope of group
  Proposed membership
  Relationship to other groups
  Expected lifetime of group


Defining a Security Group Naming Policy


Include the group's scope, purpose, and owner in its name and description
Conform to the hierarchy structure
Name and description combined should be less than 256 characters
Use abbreviations if practical
Helpful to use the business organization as a basis for naming conventions

Nested Group Hierarchy


Exercise 9.01 LDAP Query For Obsolete Groups


Identify obsolete groups:
  Membership has not changed for a period of time
Use Active Directory Users and Computers
Good practice:
  Disable a group for a specified period of time
  Deleting groups is a permanent step
  Recovering from the inadvertent removal of a group could be time consuming
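A query that fits this exercise, added here and not taken from the book: it uses the .NET DirectorySearcher from PowerShell against the current domain to list security groups whose directory object has not changed within a window. The 180-day default and the column names are assumptions; whenChanged moves on any attribute write and is not replicated, so treat the list as candidates to review, not groups to delete.

```powershell
# Added example (not from the book). Candidate obsolete groups for Exercise 9.01.
# Run on a domain-joined machine as a user allowed to read the directory.
param([int]$Days = 180)   # assumed review window

# whenChanged is compared as LDAP generalized time, e.g. 20240101000000.0Z (UTC).
$cutoff = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyyMMddHHmmss') + '.0Z'

# Security groups only: groupType has the 0x80000000 bit set (LDAP bitwise-AND matching rule).
$filter = "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648)(whenChanged<=$cutoff))"

$searcher = New-Object System.DirectoryServices.DirectorySearcher   # default root: current domain
$searcher.Filter   = $filter
$searcher.PageSize = 1000                                           # page through large domains
foreach ($attr in 'name', 'distinguishedName', 'whenChanged', 'member') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$searcher.FindAll() | ForEach-Object {
    $p = $_.Properties
    [pscustomobject]@{
        Name        = [string]$p['name'][0]
        WhenChanged = $p['whenchanged'][0]
        MemberCount = $p['member'].Count        # 0 for empty groups, a strong retirement signal
        DN          = [string]$p['distinguishedname'][0]
    }
} | Sort-Object WhenChanged
```

Before retiring a candidate, confirm when its member attribute last changed with repadmin /showobjmeta against the group's distinguished name, since whenChanged alone cannot distinguish a membership change from any other edit.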

Delegating Security Group Maintenance


In large organizations:
  Task of maintaining security groups is typically divided up
  Delegated to members of the organization who are not in the IT department
Resource owner should manage ACLs on the resource


Delegating Account and Resource Group Maintenance


Those to whom delegation is granted must be reliable and highly trusted employees
Should be given clear guidelines to help them maintain a secure environment
Control and monitor who is a member of the group to whom you've delegated control


Delegating Account and Resource Group Maintenance (continued)


Methods:
  Delegation of Control Wizard
  Authorization Manager snap-in in the MMC
  Access Control List Editor


Analyzing Auditing Requirements


Identify the types of attacks the system might be vulnerable to
Identify audit events that would help determine if the system were successfully or unsuccessfully attacked
Important to monitor both unsuccessful and successful events


Analyzing Auditing Requirements (continued)


Audit:
  Logon events
  Account logon events
  Directory Service access events
  Privilege use events
  Object access events
  System events
  Process tracking events
  Policy change events


Design an Access Control Strategy for the Registry


Registry is given a high level of security by default:
  Only administrators can access the entire Registry
Apply security to the Registry via Group Policy:
  Computer must be joined to a domain
Use settings provided in predefined security templates:
  securedc.inf
  Can apply a portion of the template rather than the whole thing
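Applying only the registry portion of a predefined template, as an added example that is not from the book: secedit.exe loads securedc.inf into an analysis database, reports mismatches, and then configures just the REGKEYS area, leaving the template's other areas untouched. The database and log paths are assumptions; securedc.inf is the domain controller template, so point /cfg at the template that matches the machine's role.

```powershell
# Added example (not from the book). Analyze, then apply only the registry-key area of a template.
$template = Join-Path $env:windir 'security\templates\securedc.inf'   # predefined template location
$db       = 'C:\secedit\securedc-regkeys.sdb'                         # assumed working database
$log      = 'C:\secedit\securedc-regkeys.log'                         # assumed log path
New-Item -ItemType Directory -Path (Split-Path $db) -Force | Out-Null

# 1. Import the template into a fresh database and compare it with the live system.
#    Read the log for "Mismatch" entries before changing anything.
secedit.exe /analyze /db $db /cfg $template /overwrite /log $log
if ($LASTEXITCODE -ne 0) { throw "secedit /analyze failed (exit code $LASTEXITCODE)" }

# 2. Configure the registry permissions only. Other template areas
#    (SECURITYPOLICY, GROUP_MGMT, USER_RIGHTS, FILESTORE, SERVICES) are not applied.
secedit.exe /configure /db $db /areas REGKEYS /log $log
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed (exit code $LASTEXITCODE)" }
```

For domain members the same template can be imported into a Group Policy object's Security Settings instead, which is the route the slide describes.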


Designing the Encrypted File System


EFS:
  Used to encrypt files and folders on an NTFS-formatted volume
  Transparent to the user
  Notably slow the first time it is used
  Uses keys for encrypting and decrypting data
  Can use certificate authority (CA) certificates
  Uses the CryptoAPI architecture


Designing the Encrypted File System (continued)


Recovery agent:
  User accounts are issued recovery agent certificates with public keys and private keys
  Used for EFS data recovery operations
  There can be multiple recovery agent accounts for an EFS file
Be aware of the EFS behaviors


Designing the Encrypted File System (continued)


EFS best practices:
  Encrypt entire folders rather than individual files
  Manage private keys to maintain file security
  Provide the security and reliability of data at all times
New features in Windows Server 2003:
  Stronger encryption algorithms with larger keys
  Multiple users can share encrypted files
  Offline files can be encrypted through EFS
  Web folders and files can now be encrypted


Exercise 9.05 Implementing EFS on the Local Computer


EFS
Certificate storage
Certificate enrollment and renewal
Use cipher.exe


Structure of an Encrypted File


Creating a Strategy for the Encryption and Decryption of Files and Folders
Increase user awareness:
  Department should identify which files or types of files are most sensitive
Secure recovery agent certificates
Configure file recovery agents:
  EFS requires an Encrypted Data Recovery Agent policy be defined before it can be used
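The cipher.exe steps behind "use cipher.exe", "configure file recovery agents" and "encrypt entire folders rather than individual files", as an added example that is not from the book: generate the recovery agent key pair the Encrypted Data Recovery Agent policy needs, then encrypt a folder so existing and future files inherit the attribute. The folder paths and the EfsRA file name are assumptions.

```powershell
# Added example (not from the book). Recovery agent certificate, then folder-level EFS.
$keyDir  = 'D:\EfsRecovery'          # assumed; ideally removable media kept off the file server
$dataDir = 'D:\Finance\Contracts'    # assumed folder identified by the department as sensitive
New-Item -ItemType Directory -Path $keyDir -Force | Out-Null

# 1. Create a self-signed recovery agent key pair. cipher prompts for a password and writes
#    EfsRA.cer (public certificate, goes into the policy) and EfsRA.pfx (private key).
Push-Location $keyDir
cipher.exe /r:EfsRA
if ($LASTEXITCODE -ne 0) { Pop-Location; throw "cipher /r failed (exit code $LASTEXITCODE)" }
Pop-Location

# 2. Add EfsRA.cer through Group Policy: Computer Configuration > Windows Settings >
#    Security Settings > Public Key Policies > Encrypting File System > Add Data Recovery Agent.
#    Store EfsRA.pfx offline: whoever holds it can decrypt every file covered by the policy.

# 3. Encrypt the folder tree. /s recurses into subfolders; /a also encrypts the files that
#    already exist there, so new and existing content is covered.
cipher.exe /e /a "/s:$dataDir"
if ($LASTEXITCODE -ne 0) { throw "cipher /e failed (exit code $LASTEXITCODE)" }

# 4. List the folder: each entry is flagged E (encrypted) or U (unencrypted).
cipher.exe $dataDir
```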

Creating a Strategy for the Encryption and Decryption of Files and Folders (continued)
Recover files
Back up keys:
  Use the Certificates snap-in in the MMC
Disable EFS
Third-party encryption options:
  Third-party data encryption program
  Third-party certificates with EFS

Designing Security for a Backup and Recovery Strategy


Backing up and restoring data is a failsafe option:
  Can enhance security in an organization


Securing the Backup and Restore Process


Growing trends:
  Offsite storage locations
  Disk-based systems
  Co-location: data stored both on site and mirrored at another site


Safeguarding Your Systems


Designing a Secure Backup Process


Includes:
  Planning the backup process
  Storing backup media
  Assigning (and monitoring) backup and restore rights
Best practices for backups:
  Create an Automated System Recovery (ASR) backup set
  Update the ASR set every time significant changes occur
  Use the Automated System Recovery Wizard

Disaster Recovery Best Practices


Disaster recovery includes:
  Creating backups
  Creating recovery options
  Using repair and recovery tools
Include an assessment of the most likely risks to the business and its data


In-Band and Out-of-Band Management


In-band:
  Refers to two computers that can connect using normal network services
  Available only when a computer is fully initialized and functioning properly
Out-of-band:
  Refers to a connection that can be made when a remote computer is not working properly


Securing Emergency Management Services


Console redirection:
  Computer receives keyboard input from a remote computer
  Responds with output to the remote computer's monitor
Special Administration Console (SAC):
  Primary Emergency Management Services command-line environment
  Not secured by a password or logon requirements
  Physical access must be restricted

Securing Emergency Management Services (continued)


!Special Administration Console (!SAC):
  Abbreviated version of SAC
Enable Emergency Management Services
Configure headless servers
Use terminal concentrators
Use uninterruptible power supplies


Securing the Remote Management Process


Develop a remote management plan
Ensure out-of-band security
Employ best practices for securing Emergency Management Services
Secure the Recovery Console
Specify startup options for computers


Summary
User access can be managed via one of several different frameworks, including:
  User/ACL
  Account group/ACL
  Account group/resource group
  Role-based permissions
Auditing events provides an additional measure of security and visibility
Registry access is controlled via Group Policy

Summary (continued)
EFS protects files and folders with encryption
Last line of defense on any system:
  Backup and recovery capabilities
