![Page 1: Designing a Security Infrastructure Chapter Thirteen](https://reader036.vdocuments.mx/reader036/viewer/2022081511/5697bfc51a28abf838ca68e2/html5/thumbnails/1.jpg)
Designing a Security Infrastructure
Chapter Thirteen
Exam Objectives in this Chapter:
Plan a security update infrastructure. Tools might include Microsoft Baseline Security Analyzer and Microsoft Software Update Services.
Plan security for wireless networks.
Plan secure network administration methods.
Create a plan to offer Remote Assistance to client computers.
Plan for remote administration by using Terminal Services.
Lessons in this Chapter:
Planning a Security Update Infrastructure
Securing a Wireless Network
Providing Secure Network Administration
Before You Begin
This chapter assumes a basic understanding of security implementation in the Microsoft Windows Server 2003 family and of how to use group policies to apply settings to large numbers of computers, as covered throughout this book.
To perform the practice exercises in this chapter, you must have installed and configured Windows Server 2003 using the procedure described in “About This Book.”
Planning a Security Update Infrastructure
Understanding Software Update Practices
A service pack is a collection of patches and updates that have been tested as a single unit. Service packs are a distinct improvement over the previous system, in which operating system updates were released as a series of individual patches, each addressing a separate issue.
A hotfix is a small patch designed to address a specific issue. While Microsoft only for computers experiencing a particular problem.
Using Windows Update
Windows Update for XP
Update for Networks
Considerations for Networks:
Bandwidth: With Windows Update, updates become available for installation right away. On a network, many computers would be ready for downloads at the same time, consuming large amounts of bandwidth.
Testing: It is possible for a particular update to cause problems. This could result in the loss of productivity and an added burden on technical support personnel.
Updating a Network
Network administrators should not immediately install every update that appears. It is important to test the update releases first.
A network security update infrastructure is a series of policies that are designed to help the network administrator perform the following tasks:
A network security update infrastructure performs the following tasks:
Determine which computers need to be updated
Test update releases on multiple system configurations
Determine when updates are released
Deploy update releases on large fleets
SUS
Using Microsoft Baseline Security Analyzer
Microsoft Baseline Security Analyzer (MBSA) is a graphical tool that can check for common security lapses on a single computer or multiple computers running various versions of the Windows operating system.
Microsoft Baseline Security Analyzer (MBSA)
Scan your system
Microsoft Baseline Security Analyzer (MBSA)
Produces its results
Using Microsoft Baseline Security Analyzer
The security faults that MBSA can detect are as follows:
Missing security updates
MBSA replaces an earlier Microsoft update checking utility called Hfnetchk.exe, which operates from the command line and only checks computers for missing updates.
Account vulnerabilities
Whether the Guest account is activated; whether there are more than two accounts with Administrator privileges; whether anonymous users have too much access; whether the computer is configured to use the Autologon feature.
MBSA Detection continued:
Improper passwords
Whether passwords are configured to expire, are blank, or are too simple.
File system vulnerabilities
Whether all the disk drives on the computer are using the NTFS file system.
IIS and SQL vulnerabilities
If the computer is running Microsoft Internet Information Services (IIS) or Microsoft SQL Server, MBSA examines these applications for a variety of security weaknesses.
May be downloaded from Microsoft at:
http://download.microsoft.com/download/8/e/e/8ee73487-4d36-4f7f-92f2-2bdc5c5385b3/mbsasetup.msi
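The checks the two MBSA slides list (Guest account, administrator count, Autologon, password settings, NTFS, installed updates) can be reproduced as a read-only local audit. The script below is an added example and is not code from the chapter or from MBSA itself; it assumes Windows PowerShell 5.1 or later (for Get-LocalUser and Get-LocalGroupMember) and an elevated prompt, and it uses the "more than two administrators" threshold exactly as the slide states. It cannot judge whether a password is "too simple", so that item is left to a dedicated password audit.

```powershell
# Added example, not the chapter's own code: read-only audit of the account,
# password, file-system and update conditions the MBSA slides describe.
$findings = New-Object System.Collections.Generic.List[string]

# --- Account vulnerabilities -------------------------------------------------
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
if ($guest -and $guest.Enabled) { $findings.Add('Guest account is enabled') }

$admins = @(Get-LocalGroupMember -Group 'Administrators')
if ($admins.Count -gt 2) {
    $findings.Add("More than two accounts hold Administrator privileges: $($admins.Name -join ', ')")
}

# Autologon stores the logon name (and often the password) under the Winlogon key.
$winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($winlogon.AutoAdminLogon -eq '1') { $findings.Add('Autologon (AutoAdminLogon) is enabled') }
if ($winlogon.DefaultPassword)        { $findings.Add('A clear-text DefaultPassword is stored for Autologon') }

# --- Improper passwords ------------------------------------------------------
# PasswordRequired = False allows a blank password; PasswordExpires = $null means never.
foreach ($u in Get-LocalUser | Where-Object Enabled) {
    if (-not $u.PasswordRequired) { $findings.Add("Password not required (may be blank): $($u.Name)") }
    if (-not $u.PasswordExpires)  { $findings.Add("Password never expires: $($u.Name)") }
}

# --- File system vulnerabilities --------------------------------------------
# DriveType 3 = local fixed disk; every one of them should be formatted NTFS.
foreach ($d in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3') {
    if ($d.FileSystem -ne 'NTFS') { $findings.Add("Drive $($d.DeviceID) is $($d.FileSystem), not NTFS") }
}

# --- Missing security updates (staleness baseline only) ---------------------
# Get-HotFix lists what is installed; comparing against the current catalogue is
# MBSA's and SUS's job, so here we only flag a machine that looks stale.
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest -and $latest.InstalledOn -lt (Get-Date).AddDays(-90)) {
    $findings.Add("No hotfix installed in 90 days (last: $($latest.HotFixID) on $($latest.InstalledOn.ToShortDateString()))")
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

The 90-day staleness window is an arbitrary choice for the example; the point, as the slides make, is that a scanner tells you what is missing while the update infrastructure (SUS) is what closes the gap.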
Testing Security Updates
You must test them to make sure they are compatible with all your system configurations.
Using Microsoft Software Update Services
Microsoft Software Update Services (SUS) is a free product that notifies administrators when new security updates are available, downloads the updates, and then deploys them to the computers on the network.
SUS consists of the following components:
Synchronization server
Intranet Windows Update server
Automatic Updates
Using Microsoft Software Update Services
Synchronization server: The administrator can allow the downloads to occur as needed; schedule them to occur at specific times (such as off-peak traffic hours); or trigger them manually.
Once SUS downloads the updates, it stores them on the server.
Using Microsoft Software Update Services
Intranet Windows Update server: When updates are ready for deployment, SUS functions as the Windows Update server for the computers on the network, except that this server is on the intranet and does not require the clients to access the Internet.
Using Microsoft Software Update Services
Automatic Updates: Automatic Updates is a Windows operating system feature that enables computers to download and install software updates with no user intervention.
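The three SUS components on the preceding slides meet on the client side in the Automatic Updates settings: the client must be told to use the intranet Windows Update server rather than the Internet, and when to download and install. The script below is an added example, not the chapter's or Microsoft's code. It writes the policy-backed registry values that the "Specify intranet Microsoft update service location" and "Configure Automatic Updates" Group Policy settings set, then verifies them. The server name sus01.corp.example is a constructed placeholder; run it elevated on a test client.

```powershell
# Added example, not the chapter's own code: point Automatic Updates at an
# intranet SUS/WSUS server and verify the client is no longer using the Internet.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = Join-Path $wuPolicy 'AU'
$intranetServer = 'http://sus01.corp.example'   # constructed placeholder for the SUS server

function Set-IntranetUpdateSource {
    param([string]$ServerUrl)
    New-Item -Path $wuPolicy -Force | Out-Null
    New-Item -Path $auPolicy -Force | Out-Null
    # Where to fetch updates and where to report status (the SUS server does both).
    Set-ItemProperty -Path $wuPolicy -Name WUServer       -Value $ServerUrl -Type String
    Set-ItemProperty -Path $wuPolicy -Name WUStatusServer -Value $ServerUrl -Type String
    Set-ItemProperty -Path $auPolicy -Name UseWUServer    -Value 1 -Type DWord
    # AUOptions: 2 = notify before download, 3 = download then notify before install,
    # 4 = download and install on the schedule below (no user intervention).
    Set-ItemProperty -Path $auPolicy -Name AUOptions            -Value 4 -Type DWord
    Set-ItemProperty -Path $auPolicy -Name ScheduledInstallDay  -Value 0 -Type DWord   # 0 = every day
    Set-ItemProperty -Path $auPolicy -Name ScheduledInstallTime -Value 3 -Type DWord   # 03:00, off-peak
    Set-ItemProperty -Path $auPolicy -Name NoAutoUpdate         -Value 0 -Type DWord
}

function Test-IntranetUpdateSource {
    param([string]$ExpectedUrl)
    $wu = Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auPolicy -ErrorAction SilentlyContinue
    # All three must hold, otherwise the client silently falls back to Windows Update.
    $ok = ($au.UseWUServer -eq 1) -and ($wu.WUServer -eq $ExpectedUrl) -and ($au.NoAutoUpdate -ne 1)
    [pscustomobject]@{
        UsesIntranetServer = [bool]$ok
        Server             = $wu.WUServer
        AUOptions          = $au.AUOptions
        InstallHour        = $au.ScheduledInstallTime
    }
}

Set-IntranetUpdateSource -ServerUrl $intranetServer
Test-IntranetUpdateSource -ExpectedUrl $intranetServer
```

In a domain these values would come from a GPO rather than a script; the test function is still useful on any client to confirm that the policy applied and that no local setting (NoAutoUpdate) has switched Automatic Updates off.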
Exam Tip
Be sure to understand the differences between the functions of Microsoft Baseline Security Analyzer (MBSA) and Microsoft Software Update Services (SUS).
Practice: Using Microsoft Baseline Security Analyzer
Exercise 1: Downloading and Installing MBSA
Exercise 2: Performing a Security Analysis
Page 13-9
Securing a Wireless Network
Understanding Wireless Networking Standards
In 1999, the Institute of Electrical and Electronics Engineers (IEEE) released the first standard in the 802.11 working group, called “Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications,” defining a new series of technologies for the WLAN physical layer.
For the wireless networking industry, the key document in this series of standards was IEEE 802.11b, “Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications—Amendment 2: higher-speed Physical Layer (PHY) extension in the 2.4 GHz band.”
802.11 Standards
The 802.11a standard, “Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications: Amendment 1: High-speed Physical Layer in the 5 GHz band,” defines a medium with speeds running up to 54 Mbps.
The 802.11b standard defines a physical layer specification that enables WLANs to run at speeds up to 11 megabits per second (Mbps), slightly faster than a standard Ethernet network.
The 802.11g standard, “Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications—Amendment 4: Further Higher Data Rate Extension in the 2.4 GHz Band,” calls for higher transmission speeds using the same 2.4 GHz frequencies as 802.11b.
Wireless Networking Topologies
Two basic topologies: ad hoc and infrastructure
An ad hoc network consists of two or more wireless devices communicating directly with each other.
The signals generated by WLAN network interface adapters are omnidirectional, and the area they reach is called a basic service area (BSA). When two wireless devices come within range of each other, they are able to connect and communicate, immediately forming a two-node network.
Wireless devices within the same basic service area are called a basic service set (BSS).
An Ad Hoc Network
Two ranges coming together
Note
The ad hoc topology is most often used on home networks, or for very small businesses that have no cabled network components at all.
An Infrastructure Network
Uses a wireless device called an access point as a bridge between wireless devices and a standard cabled network.
An access point is a small unit that connects to an Ethernet network (or other cabled network) by cable, but that also contains an 802.11b-compliant wireless transceiver.
Infrastructure Network
Access point
Understanding Wireless Network Security
Unauthorized access: An unauthorized user with a wireless workstation connects to the network and accesses network resources.
Data interception: A user running a protocol analyzer with a wireless network interface adapter may be able to capture all the packets transmitted between the other wireless devices and the access point.
Controlling Wireless Access Using Group Policies
In the Group Policy Object Editor console, you can create a policy in the Computer Configuration\Windows Settings\Security Settings\Wireless Network (IEEE 802.11) Policies subheading that enables you to specify whether wireless-equipped computers can connect to ad hoc networks only, infrastructure networks only, or both.
The New Wireless Network Policy Properties dialog box
The New Preferred Setting Properties dialog box
Authenticating Users
Open System Authentication
Open System authentication is the default authentication method used by IEEE 802.11 devices, and it actually provides no authentication at all.
Shared Key Authentication
Shared Key authentication is a system by which wireless devices authenticate each other using a secret key that both possess.
Messages are exchanged between the requester and the responder as outlined on pages 17–18.
IEEE 802.1X Authentication
Most IEEE 802.1X implementations function as clients of a server running a Remote Authentication Dial-In User Service (RADIUS), such as the Internet Authentication Service (IAS) included with Windows Server 2003.
Two Authentication Protocols
Extensible Authentication Protocol-Transport Level Security (EAP-TLS): It can carry a variety of authentication mechanisms within a given packet framework.
Protected EAP-Microsoft Challenge Handshake Authentication Protocol, version 2 (PEAP-MS-CHAP v2): PEAP is a variation on EAP that is designed for use on wireless networks that do not have a PKI in place.
Encrypting Wireless Traffic
To prevent data transmitted over a wireless network from being compromised through unauthorized packet captures, the IEEE 802.11 standard defines an encryption mechanism called Wired Equivalent Privacy (WEP).
The degree of protection that WEP provides is governed by configurable parameters that control the length of the keys used to encrypt the data and the frequency with which the systems generate new keys.
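The wireless slides above make three points a client-side check can verify: the Group Policy setting that limits clients to infrastructure networks, Open System authentication providing no authentication at all, and the strength of the traffic encryption depending on its configuration (WEP's short keys and rare rekeying are why it is now treated as no encryption). The script below is an added example, not the chapter's code; it parses netsh wlan output (Windows 7 and later, English-language output assumed) to flag saved profiles that use Open authentication or WEP, and it includes the netsh filter that blocks ad hoc connections as the GPO's infrastructure-only setting does. The profile text at the bottom is constructed sample output so the parser can be exercised without a wireless adapter.

```powershell
# Added example, not the chapter's own code: audit saved Wi-Fi profiles for Open System
# authentication or WEP, and block ad hoc networks the way the "infrastructure only"
# wireless Group Policy setting does.

function ConvertFrom-WlanProfileText {
    # Pull the Authentication and Cipher fields out of 'netsh wlan show profile' output.
    param([string[]]$Lines)
    $auth = $null; $cipher = $null
    foreach ($line in $Lines) {
        if     ($line -match '^\s*Authentication\s*:\s*(.+?)\s*$') { $auth   = $Matches[1] }
        elseif ($line -match '^\s*Cipher\s*:\s*(.+?)\s*$')         { $cipher = $Matches[1] }
    }
    [pscustomobject]@{ Authentication = $auth; Cipher = $cipher }
}

function Test-WlanProfileSecurity {
    param([string]$Name, [string]$Authentication, [string]$Cipher)
    $issues = @()
    if ($Authentication -match '^Open') { $issues += 'Open System authentication: no authentication at all' }
    if ($Cipher -match 'WEP')           { $issues += 'WEP: obsolete cipher, treat traffic as unencrypted' }
    [pscustomobject]@{
        Profile        = $Name
        Authentication = $Authentication
        Cipher         = $Cipher
        Issues         = ($issues -join '; ')
    }
}

function Get-WlanProfileReport {
    # Enumerate every saved profile on this machine and evaluate it.
    $names = (netsh wlan show profiles) | ForEach-Object {
        if ($_ -match 'All User Profile\s*:\s*(.+?)\s*$') { $Matches[1] }
    }
    foreach ($n in $names) {
        $p = ConvertFrom-WlanProfileText -Lines (netsh wlan show profile name="$n")
        Test-WlanProfileSecurity -Name $n -Authentication $p.Authentication -Cipher $p.Cipher
    }
}

function Block-AdHocNetworks {
    # Client-side equivalent of "infrastructure networks only" (requires elevation).
    netsh wlan add filter permission=denyall networktype=adhoc
    netsh wlan show filters
}

# Constructed sample of the security section of 'netsh wlan show profile' output.
$sample = @'
    Security settings
    -----------------
    Authentication         : Open
    Cipher                 : WEP
    Security key           : Present
'@ -split "`n"

$parsed = ConvertFrom-WlanProfileText -Lines $sample
Test-WlanProfileSecurity -Name 'LegacyLab (constructed)' -Authentication $parsed.Authentication -Cipher $parsed.Cipher
```

Run Get-WlanProfileReport on a real client to list every saved profile with its issues; a profile that authenticates with 802.1X against RADIUS (the next slide) shows up as WPA2-Enterprise or WPA3-Enterprise with CCMP and produces no issues.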
Exam Tip
Be sure you are familiar with the security hazards inherent in wireless networking, and with the mechanisms that Windows operating systems can use to authenticate wireless clients and encrypt their traffic.
Providing Secure Network Administration
Reasons for Using Remote Assistance:
Technical support
Troubleshooting
Training
Offering Remote Assistance
Using Control Panel: set up in System Properties
Using Group Policies
Creating an Invitation
Offer Assistance:
Securing Remote Assistance Invitations
No person can connect to another computer using Remote Assistance unless that person has received an invitation from the client.
Interactive connectivity: You cannot use Remote Assistance to connect to an unattended computer.
Client-side control: Press ESC to end the session.
Remote control configuration: The group policies also enable administrators to grant specific users expert status, so that no one else can use Remote Access to connect to a client computer, even with the client’s permission.
Firewalls: Remote Assistance uses Transmission Control Protocol (TCP) port number 3389 for all its network communications.
Using Remote Desktop
Exam Tip
Be sure that you understand the differences between Remote Assistance and Remote Desktop, and that you understand the applications for which each is used.
Activating Remote Desktop
Because Remote Desktop requires a standard logon, it is inherently more secure than Remote Assistance, and needs no special security measures, such as invitations and session passwords.
Using the Remote Desktop Client
Both Windows Server 2003 and Windows XP include the client program needed to connect to a host computer using Remote Desktop.
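The Remote Assistance and Remote Desktop slides leave an administrator with three things to confirm on a host: whether each feature is switched on, whether unsolicited offers of assistance are allowed, and who can reach TCP port 3389 through the firewall. The script below is an added example, not the chapter's code. It reads the registry values that the System Properties Remote tab and the Remote Assistance Group Policy settings write (fAllowToGetHelp, fDenyTSConnections and fAllowUnsolicited are the real value names; the policy key path for fAllowUnsolicited is assumed), lists the enabled inbound firewall rules for port 3389 with the remote addresses they admit, and shows how to scope the built-in Remote Desktop and Remote Assistance rule groups to an administration subnet. The subnet 10.0.5.0/24 is a constructed placeholder; the NetSecurity cmdlets need Windows 8 / Server 2012 or later.

```powershell
# Added example, not the chapter's own code: report Remote Assistance / Remote Desktop
# state and the firewall exposure of TCP 3389, the port the slides name for Remote
# Assistance (Remote Desktop listens on it too).
$tsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$raPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'   # assumed policy path
$adminNet = '10.0.5.0/24'   # constructed placeholder for the help-desk / admin subnet

function Get-RemoteAccessState {
    $ts = Get-ItemProperty -Path $tsKey
    $ra = Get-ItemProperty -Path $raPolicy -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # fAllowToGetHelp = 1: users may create Remote Assistance invitations.
        RemoteAssistanceEnabled = ($ts.fAllowToGetHelp -eq 1)
        # fAllowUnsolicited = 1: designated experts may offer assistance without an invitation.
        OfferAssistanceEnabled  = ($ra.fAllowUnsolicited -eq 1)
        # fDenyTSConnections = 0: Remote Desktop accepts standard logons.
        RemoteDesktopEnabled    = ($ts.fDenyTSConnections -eq 0)
        ListeningOn3389         = [bool](Get-NetTCPConnection -State Listen -LocalPort 3389 -ErrorAction SilentlyContinue)
    }
}

function Get-Port3389Exposure {
    # Enabled inbound rules whose port filter includes TCP 3389, with the remote
    # addresses each admits; 'Any' means the whole network can reach the port.
    Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '3389' } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
        ForEach-Object {
            $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            [pscustomobject]@{
                Rule          = $_.DisplayName
                RemoteAddress = ($addr -join ', ')
                OpenToAnyone  = ($addr -contains 'Any')
            }
        }
}

function Set-Port3389AdminScope {
    # Limit the built-in rule groups to the admin subnet instead of 'Any'; invitations
    # and Remote Desktop logons still work from help-desk machines on that subnet.
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop', 'Remote Assistance' -RemoteAddress $adminNet
}

Get-RemoteAccessState
Get-Port3389Exposure
```

Set-Port3389AdminScope is defined but not called, because it changes the host; run it deliberately after reviewing the Get-Port3389Exposure output. Scoping the Remote Assistance group also restricts the other ports in that group, which is usually what you want on a managed network where all experts sit on the admin subnet.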
Practice: Configuring Remote Assistance
Exercise 1: Activating Remote Assistance Using Control Panel
Page 13-27
Exercise 2: Activating Remote Assistance Using Group Policies
Exercise 3: Creating an Invitation
Page 13-28
Summary
Case Scenario Exercise
Page 13-31
Troubleshooting Lab
Page 13-32
Exam Highlights
Key Points
Key Terms
Page 13-33