CIS 288 WEEK 10, PART 1: Securing Network Resources Slide 1 Introduction Welcome to week 10 of C-I-S 288: Security

Design in a Windows 2003 Environment. In the previous lesson we discussed securing active directory. In this week we will discuss securing network resources. Next Slide:

Slide 2

Objectives

When you complete this lesson you will be able to: Design an access control strategy for files and folders; Analyze auditing requirements; Design an access control strategy for the registry; Design a permission structure for registry objects; Design a strategy for the encryption and decryption of files and folders; and Design security for a backup and recovery strategy. Next Slide:

Slide 3

Designing an Access Control strategy for Files and Folders

One of the fundamental elements of data security is controlling access to information. The first step is authorizing users to gain access to the network. The second step is controlling what data those users can access via the use of access control mechanisms built into Windows Server 2003. Objects, including files and folders, can be managed via their access control lists that designate which users and groups can access the object and in what manner. To use access control functions in Windows Server 2003, you need to format disk volumes with the N-T-F-S file format, which provides the ability to control access to files at a very granular level and enables the ability to audit access to those files.

Next Slide:

Slide 4

Analyzing Risks to Data

One of the first steps in securing network resources is assessing the risks to your data. Every company is different and the risks will vary from one organization to another. However, there are common elements that should be reviewed and analyzed as part of a comprehensive security plan. These include: Physical loss of data; data corruption; Data modification from viruses and other attacks; Security breaches due to incorrectly configured permissions; and auditing practices. Next Slide:

Slide 5

Reviewing Access Control and Access control Lists

When designing a resource strategy, you must determine how to grant and manage appropriate access to users, groups, and computers. This entails designing a strategy that will provide a systematic way of applying and managing access to resources. We will briefly discuss two methods: Access control and resource authorization methods. Access control defines which users, groups, and computers can access particular network resources. Once a user is authenticated, access settings determine what that user can do on the network. Access control is comprised of permissions, user rights, and object auditing. In Windows Server 2003, there are essentially four methods for controlling access to resources: User A-C-L, Account group A-C-L, Account group Resource Group, and Role-

based authorization. Next Slide:

Slide 6

Analyzing Auditing Requiremen ts

As part of designing network resource security, you should analyze your requirements for auditing to determine what level of auditing is appropriate for your organization. You can begin by identifying the types of attacks your system might be vulnerable to, and identify those audit events that would help determine if the system was successfully or unsuccessfully attacked. Remember, you can audit both successful and unsuccessful events, and determining which events are most meaningful is the key to defining auditing requirements that will protect your system. Knowing your business patterns will help you spot patterns in the audit events. If your business is typically a Monday through Friday eight to five type of business, activity outside these hours could indicate a problem. There are a number of events that could be managed, but the following list is a good starting point: Logon events; account logon events; directory service access events; privilege use events; object access events; system events; process tracking events; and policy change events. Next Slide:

Slide 7

Design an Access Control Strategy for the Registry

The registry is the heart of the Windows Server 2003 operating system and contains sensitive data about the files and folders, the applications, and the computer state. If a malicious user gains access to the Registry, he or she could do serious damage to the computer. Access to the Registry should be controlled and monitored to ensure the Registry is protected from intentional and unintentional harm. The only users who are granted full access to the entire Registry are administrators. Other users are generally given full access to the keys related to their own user accounts located in H-Key-Current-user. While permissions can be modified for the Registry using the Registry Editor, it makes sense in a larger organization to apply security to the Registry via Group Policy.

Slide 8

Next Slide: Design a By default, when you install a clean version of Windows Permission Server 2003, the Setup Security-dot-I-N-F security template Structure for is applied. This template sets up strong security for the Registry computer on which it is installed, including setting Objects appropriate Registry access permissions. This is also true for computers running Windows X-P. However, this will not be the case on all computers, especially computers running Windows N-T four-point-zero or Windows ninetyeight. Perhaps the easiest way to manage Registry settings is to use the settings provided in the predefined security templates in Windows Server 2003. Sections of the predefined templates can be imported and used to apply permissions to the Registry according to the computers configuration. To import just a portion of a security template, you can use either the command-line tool, sec-edit-dot-E-X-E, or the Group Policy Object Editor snap-in, or the Security Configuration and Analysis snap-in in the M-M-C. Using the sec-edit-dot-E-X-E command, you can specify which database the settings will be imported into. An alternative to using the sec-edit-dot-E-X-E command line is the Group Policy Object Editor snap-in in the M-MC.

Finally, you can use the Security Configuration and analysis snap-in, also in the M-M-C, to open or create a database for use on a single computer, in an O-U or across a domain. Once you have opened or created a database, you can import settings from security templates. In most cases, the default Registry settings in the predefined security templates will provide the appropriate level of permissions for the Registry. Next Slide:

Slide 9

Creating a Strategy for the Encryption and Decryption of Files and Folders

An encryption strategy for files and folders includes an assessment of vital data, an assessment of the environment, policies for using E-F-S, and procedures for recovering encrypted files. Obviously, not all files are sensitive enough to warrant encryption. In most cases, files protected with two layers of security will be safe. However, files that contain sensitive data such as social security numbers, credit card data, medical or health data, or corporate trade secrets should be protected with E-F-S. Next Slide:

Slide 10

Designing Security for a Backup and Recovery Strategy

Youve probably heard horror stories about companies that failed to back up their data and suffered the consequences. For many individuals, the loss of data is an inconvenience, although rarely a serious one. For companies whose businesses depend on the data stored on network computers, the consequences can be severe. Backing up and restoring data is your failsafe option, when all else fails, you rely on backups to restore your systems and network to their operational states. Currently sixty to seventy percent of a companys data storage management efforts are associated with backup and recovery functions, according to Phil Goodwin, a senior program director at the Meta Group, an I-T industry research and consulting firm. Most companies today use tape backup systems for both current backup and archival backups.

The solution you select for your company will depend on a number of variables, including your companys size, relative importance of computers, data and the network in your business, your budget, and your companys risks relative to the costs of data loss. A solid backup and recovery plan is your best insurance against downtime and catastrophic data loss for the enterprise. Next Slide:

Slide 11

Summary

We have reached the end of this lesson. Lets take a look at what we have covered. The first half of this lesson briefly discussed the access control strategy for files and folders. One of the fundamental elements of data security is controlling access to information. The first step is authorizing users to gain access to the network. The second step is controlling what data those users can access via the use of access control mechanisms built into Windows Server 2003. The second half this lesson focused on access control strategy for the registry. The registry is the heart of the Windows Server 2003 operating system and contains sensitive data about the files and folders, the applications, and the computer state. The only users who are granted full access to the entire Registry are administrators. While permissions can be modified for the Registry using the Registry Editor, it makes sense in a larger organization to apply security to the Registry via Group Policy.