
Module 1: Explaining Security Threats and Vulnerabilities

Contents
Overview 1
Lesson: Explaining How Assets Are Attacked 2
Assessment 12
Lesson: Communicating the Impact of Risks 13
Assessment 20
Lab A: Explaining Security Threats and Vulnerabilities 21

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. 2002 Microsoft Corporation. All rights reserved. Microsoft, MS-DOS, Windows, Windows NT, <plus other relevant MS trademarks, listed alphabetically. The publications specialist replaces this example list with the list of trademarks provided by the copy editor. Microsoft, MS-DOS, Windows, and Windows NT are listed first, followed by all other Microsoft trademarks listed in alphabetical order.> are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. <The publications specialist inserts mention of specific, contractually obligated to, third-party trademarks, provided by the copy editor> The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Beta Materials Do not use for purposes other than Beta testing


Overview
- Explaining How Assets Are Attacked
- Communicating the Impact of Risks

Introduction

This module shows how common attacks on networks occur and explains the associated threats and vulnerabilities of each attack. The module also explains the relationship of risk to threats and vulnerabilities and provides guidelines for telling others in your organization about the impact of risks to network assets.

Objectives

After completing this module, you will be able to:

- Explain the types of attacks that occur against assets that are protected by network security personnel.
- Describe the threats and vulnerabilities that are associated with each type of attack.
- Communicate the potential impact of risks to network assets to management, peers, and network users.


Lesson: Explaining How Assets Are Attacked


- Why Network Security Is Necessary
- Multimedia: How Assets Are Attacked
- What Are Threats, Vulnerabilities, and Attacks?
- Discussion: How Assets Are Attacked
- Common Attackers
- Attacker Motivation
- Threats to Network Security
- Common Vulnerabilities

Introduction

This lesson begins by explaining why network security is necessary. It then describes common attacks against computer networks and the associated threats and vulnerabilities. Finally, the lesson explains who attacks networks and what motivates attackers.

Lesson objectives

After completing this lesson, you will be able to:

- Explain the types of attacks that occur against assets that are protected by network security personnel.
- Describe who attacks networks.
- Explain what motivates attackers.
- Describe threats to and vulnerabilities of computer networks.


Why Network Security Is Necessary


- Organizations must protect their assets to survive and prosper
- Common assets that network security personnel protect:
  - Hardware
  - Documentation
  - Software
  - Data
  - An organization's reputation
- Network security personnel play an important role in protecting these assets from accidents, mistakes, deliberate attacks, and natural disasters

Key points

An asset is anything in your organization that has tangible or intangible value, whether it is a resource or a competitive advantage. Organizations must protect their assets to survive and prosper. Network security personnel play an important role in protecting assets from accidents, mistakes, deliberate attacks, and natural disasters. The following table shows examples of the assets that they protect.

Asset          Examples
Hardware       Desktop and laptop computers, routers, switches, and backup media
Documentation  Security policies and procedures, network diagrams, and building plans
Software       Software installation CDs, operating system images, and custom software code
Data           Trade secrets, employee information, and customer information

Because employees, customers, partners, and the public rely on these assets, protecting them means that you protect another important asset: your organization's good name and reputation. There is no single comprehensive security solution that can protect everything. Most network security solutions are a broad, complex mix of hardware, software, and other components. Education is the key to an effective security solution. Network security personnel who are committed to learning and teaching others about the dangers that threaten networks are the base on which a security solution is built.


Multimedia: How Assets Are Attacked


Instructions

To start this activity, open the Web page on the Student Materials CD, click Multimedia, and then click the title of the activity. Spend about 15 minutes exploring this interactive multimedia piece. Identify common:

- Attacks on networks
- Threats to networks
- Vulnerabilities of networks

The information in this multimedia piece, combined with your personal experience with network attacks, will prepare you for the upcoming discussion.


What Are Threats, Vulnerabilities, and Attacks?


Term           Description                                                          Example
Threat         Any activity that represents possible danger to your information     Attackers routinely scan systems on the Internet looking for open ports
Vulnerability  A weakness in your security that could be exploited by a threat      You misconfigured your firewall and left a vital port open
Attack         A deliberate attempt to bypass security controls on a computer       An attacker bypasses your firewall and enters your network

Key points

The following table describes threats, vulnerabilities, and attacks and provides some examples and reasons.

Term: Threat

A threat is any activity that represents possible danger to assets. Threats tend to be more constant than vulnerabilities because the basic activities that represent possible danger to your assets do not change much. Common threats include:

- People looking for ways to steal, modify, or destroy your data, systems, or equipment
- Disasters that can cause destruction of data, systems, or equipment

Term: Vulnerability

A vulnerability is any weakness in your security that may be exploited by a threat. Common reasons for vulnerabilities include:

- New types of hardware and software that introduce new vulnerabilities are developed and implemented regularly
- People are busy and make mistakes
- Network security in many organizations is reactive instead of proactive

Term: Attack

An attack is a deliberate attempt to bypass security controls on a computer. New attacks are always being created to exploit vulnerabilities. As each attack is publicized, countermeasures that render the attack ineffective are usually publicized.


Discussion: How Assets Are Attacked


1. What do you need to know about attackers?
   - Who are they?
   - What motivates them?
2. What are the worst things that can happen to your network?
   - What have you heard about in the news?
   - What is your personal experience?
3. What vulnerabilities expose your network to attacks?

Instructions

In the constantly changing world of network security, network security specialists must commit to continuous learning. In training, as at work, this means not only learning on your own but also learning from your colleagues. Draw from your experience and from what you learned in the interactive multimedia piece to discuss these questions with your colleagues:

- What do you need to know about attackers?
- What are the worst things that can happen to your network?
- What vulnerabilities expose your network to attacks?


Common Attackers
- Authorized network users
- Industrial or political spies
- Criminals
- Terrorists
- Unknown attackers
- Skilled, intermediate, and novice attackers

Remember that:

- Internal attackers can cause more damage than external attackers
- Novice, intermediate, and advanced attackers all pose significant threats to networks

Key points

The term attacker refers to anyone who deliberately attempts to bypass security controls to gain access to someone else's computer or network. Key things to know about attackers include:

- Novice, intermediate, and advanced attackers all pose significant threats to networks. Attackers vary from novice to advanced programmers. The least skilled attackers, who are often called script kiddies or packet monkeys, typically use existing programs rather than write their own attack tools. Even so, novice and intermediate programmers can pose as great a threat to security as advanced programmers. They can crash your system, denying access to users and costing your organization time and resources to recover. Also, an attacker's persistence is often more devastating than his or her skill.

- Internal attackers can cause more damage than external attackers. Many attacks originate from within an organization. An inexperienced user may accidentally initiate a dangerous action. Other internal attacks may be intentional: people who are curious or upset and trying to cause a security incident. Internal attacks are common and potentially more damaging than external attacks because internal attackers have legitimate access to physical and network assets, which makes it easier for them to elevate their access to obtain data that they are not authorized to have.

- You may never know much about external attackers. We often know little to nothing about external attackers. For example, attackers who write viruses and Trojan horses may never be known unless their actions attract extensive media attention. Virus writing takes little skill; in fact, there are programs that can help attackers create viruses. Often these attacks are simply malicious mischief, but an attacker can use the power of malicious software (sometimes called malware) to create dangerous attacks.

Note The media uses the term hacker to refer to anyone who breaks into systems. For many long-time computer users, however, hacker refers to someone with excellent programming skills and creativity and the term cracker indicates someone who breaks into systems with malicious intent.


Attacker Motivation

- Personal advancement or satisfaction
- Monetary gain
- Publicity
- Notoriety among peers
- Terrorism
- Vigilantism or activism for a cause
- Espionage

Key points

A Chinese proverb says, "Know your enemy as you know yourself, and you can fight a hundred battles with no danger of defeat." Network security personnel face many attackers whose motivations are unknown. However, there are some common motivations. The following table explains why some people attack networks and provides examples of each type of motivation.

Motivation: Personal advancement or satisfaction
- Jealous coworker who steals ideas from someone else
- Fired employee who seeks revenge on a former employer
- Person who likes the feeling of outsmarting others, controlling somebody else, or working outside of society's normal boundaries

Motivation: Monetary gain
- Person who steals credit card numbers or identities and sells them
- Organized criminal who sets up a computer racket

Motivation: Notoriety among peers
- Novice programmer who wants to show peers what he or she can do
- Intermediate programmer who seeks to gain a reputation as an advanced programmer

Motivation: Publicity
- Person who wants his or her attack to be famous
- Someone who wants to bring negative publicity to an organization that they do not like

Motivation: Terrorism
- Someone who wants to intimidate or coerce an organization, society, or government, often for political or ideological reasons

Motivation: Vigilantism or activism
- Person who feels compelled to scrutinize security weakness for the public good

Motivation: Espionage
- Someone who is spying for another organization or government to gain resources or advantage

Additional reading

For more information about attacker motivation, see:

- The Art of War by Sun Tzu, published by Metro Books.
- Hacking Exposed Windows 2000 by Joel Scambray and Stuart McClure, published by McGraw-Hill Osborne Media.


Threats to Network Security


Target               Examples                                                  Threats
Networks             Internet, intranet, extranets                             Unauthorized access; prevention of access to network services
Data                 Credit card numbers, trade secrets, customer information  Theft; destruction; eavesdropping
Physical components  Computers, hubs, routers                                  Theft; destruction

Key points

A threat is any activity that represents possible danger to your information. Common threats include:

- Unauthorized network access or prevention of access to network services
- Theft, destruction, or eavesdropping of data
- Theft or destruction of physical components

When we think of threats, we tend to focus on deliberate attacks on networks. However, many other activities pose threats to network security, such as natural disasters, mistakes, and accidents. You can protect a server from every attacker in the world, but accidents or disasters may still occur. For example, an administrator may trip and drop a domain controller down the stairs, or an earthquake may destroy your server room.

Additional reading

For more information about threats to network security, see the white paper, Security Threats, at: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bestprac/bpent/sec1/secthret.asp.


Common Vulnerabilities

Key points

A vulnerability is a weakness in your network security that can be exploited by a threat. Network users often pose the biggest vulnerability. However, when network administrators make mistakes or ignore security policies, the consequences tend to be much more severe to network security. The following table shows examples of vulnerabilities that are created by users, network administrators, and software.

Source: Users
- Sharing passwords or using weak passwords
- Not understanding or ignoring security policies
- Opening e-mail messages, visiting Web sites, or downloading software that contains malicious code
- Being manipulated by attackers into violating security policies

Source: Network administrators
- Misconfiguring services and not installing software patches
- Not adequately securing network access accounts
- Not adequately securing physical access to hardware
- Ignoring security policies

Source: Software
- Using operating systems and applications that have design flaws that make them accessible to manipulation by attackers

Additional reading

For more information about common vulnerabilities to network security, see Appendix D, Security Vulnerabilities, in the white paper, Security Threats, at: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bestprac/bpent/sec1/secthret.asp.


Assessment
This lesson explained how assets are attacked, described common security threats and vulnerabilities, and discussed who attacks networks and why

1. For each statement, circle true or false:

T F  A novice attacker poses a significant threat to network security.
T F  The activities of authorized users pose little threat to networks.
T F  A threat is a deliberate attempt to bypass security controls on a computer.


Lesson: Communicating the Impact of Risks


- Risk Terminology
- The Relationship of Risks to Threats and Vulnerabilities
- How Organizations Mitigate Risk
- Considerations for Identifying Risks
- Guidelines for Communicating the Impact of Risks

Introduction

Many organizations perform formal risk management to identify, control, and mitigate the impact of uncertain events. Although you may not be involved in the formal risk management process, as a network security administrator you should understand what a risk is and how risks differ from threats and vulnerabilities. You may be asked to support formal risk management by identifying risks and communicating their impact to others in your organization.

Lesson objectives

After completing this lesson, you will be able to:

- Explain what a network security risk is.
- Explain the relationship between risks, threats, and vulnerabilities.
- Identify network security risks.
- Communicate the potential impact of network security risks to management, network administrators, and network users.


Risk Terminology
Term                 Description
Risk                 Exposure to loss or possible injury. In network security, a risk is any chance that your organization's assets will be damaged, causing damage to the organization's reputation, the spread of misinformation, or the loss of trust, privacy, time, productivity, money, or competitive advantage
Risk Management      The complete formal process used to identify, control, and mitigate the impact of uncertain events, typically performed by network security designers and architects
Risk Identification  A less formal process of pointing out risks, performed by network security personnel as part of their day-to-day jobs to help minimize risk

Key points

Before you can communicate risks to others, you must understand what risks are. A risk is the exposure to loss or possible injury. Common terms include:

- Risk: In network security, a risk is any chance that your organization's assets will be damaged, causing damage to the organization's reputation, the spread of misinformation, or the loss of trust, privacy, time, productivity, money, or competitive advantage.
- Risk management: The process that high-level managers and network security designers and architects go through to identify, control, mitigate, and minimize risks. It is impossible to eliminate risk, so the goal of risk management is to minimize risk. Typically, upper management, network security designers, and architects perform risk management.
- Risk identification: A less formal process of recognizing risks, which is performed by network security personnel as part of their day-to-day jobs to minimize risk.


The Relationship of Risks to Threats and Vulnerabilities


- Risk is a broader term than threat or vulnerability
- To mitigate risk, an organization must identify risks and their associated threats and vulnerabilities
- Example:
  - Risk: Your organization's competitor may steal a trade secret and get a product to market before you
  - Associated threat: Attackers routinely scan systems on the Internet and look for open ports
  - Associated vulnerability: Network administrators could misconfigure a firewall and leave a vital port open

Key points

Risk is a broad term that refers to the uncertain and damaging events that can happen to your organization or business. Risks have associated threats and vulnerabilities. Managing risk is a task that is typically performed by high-level management and network security planners. Most network security personnel spend their time minimizing the impact of threats, watching for attacks, reducing the number of vulnerabilities, and responding to security incidents. However, if you understand the relationship of risks, threats, and vulnerabilities, you will be able to support risk management efforts, when necessary. You will also be better able to see the big picture of why network security personnel do what they do in their day-to-day jobs.


How Organizations Mitigate Risks


[Figure: the five-step risk mitigation cycle shown on the slide. 1. Determine the value of assets: what is most important? (assets are classed as public, private, or secret; the examples shown are a Web site and trade secrets) 2. Determine the risks to assets 3. Identify threats and vulnerabilities 4. Prioritize actions to be taken 5. Take action to reduce threats and vulnerabilities]

Key points

Risk management and mitigation plans vary from organization to organization, but many basic steps in the process remain the same. To mitigate risks, many organizations follow a process similar to this:

1. Determine what matters most to the organization. All assets do not require the same level of protection, so they are typically categorized into groups such as public, private, and secret, and then listed in order of priority to the organization.
2. Determine the risks to assets. In this step, an organization determines unexpected events, the damage they can cause, and the likelihood that they will occur. As many risks as possible are listed.
3. Identify threats and vulnerabilities. In this step, threats and vulnerabilities that are associated with each risk are identified. What parts of the network are vulnerable and where do the biggest threats come from? As many threats and vulnerabilities as possible are listed for each risk.
4. Prioritize actions to be taken. There is a limit to the value of implementing protection. In fact, sometimes the cost of mitigating a risk is not worthwhile. An organization must use its knowledge about the value of assets, risks, threats, and vulnerabilities to create a feasible mitigation plan. For the most important items, an organization may take multiple actions to try to prevent the risks from happening. For less important items, it may take minimal or even no actions.
5. Reduce the threats and vulnerabilities. Network security personnel are most intimately involved with this step. Understanding threats and eliminating or minimizing vulnerabilities helps mitigate risks.

This process is ongoing because there are always new risks, threats, and vulnerabilities to consider and also threats and vulnerabilities that were overlooked.

Additional reading

For more information about risk management, see Module 4, Analyzing Security Risks, in Course 2830, Designing a Secure Network.


Considerations for Identifying Risks


- Prioritize risks: your response to a risk should be in proportion to both its likelihood and the potential damage it could cause

[Figure: a two-by-two matrix with axes "more likely to occur / less likely to occur" and "causes more damage / causes less damage"; the more-likely, more-damage quadrant is labelled "Focus here first"]

- Focus on minimizing risk: it cannot be eliminated
- Know that your role will vary depending on your organization's circumstances and resources
Key points

Your role in managing and mitigating risk will vary, depending on your organization. However, anyone working in network security can identify risks and bring them to the attention of those performing risk management. When identifying risks, do these things:

- Prioritize risks. Focus first on things that will cause the most damage to your network or organization and that are most likely to occur.
- Focus on minimizing risk. Because risk cannot be eliminated, focus on minimizing it.
- Know that your role will vary. Every risk plan is different because every organization has a different set of circumstances, budget, and work force to apply to the task of minimizing risk.


Guidelines for Communicating the Impact of Risks


When talking to: Users
Emphasize:
- The consequences of their actions at a personal level
- Your availability to help when they have questions

When talking to: Network administrators
Emphasize:
- How much more damage an attacker can do if he or she can get access to an administrator account
- How much effort they can save themselves by following security policies and procedures correctly the first time
- That the consequences of not following security policies are much more severe for administrators than for other employees

When talking to: Managers
Emphasize:
- How failure to act can cost the organization money
- How security breaches can cause drops in revenue, productivity, and morale
- Priorities: which things must be done, which can wait, and why

Key points

When you tell others about the impact of risks, try to see the impact from their viewpoint, and then explain it to them in terms that they can relate to. Whether you are convincing others to change behavior to minimize a risk or asking for funding to minimize a risk, you will not succeed unless you make the impact relevant to your listener. This table provides examples of what to say to different network users.

When talking to: Users
Say something like: "I know that strong passwords are hard to remember, but if you don't use one, it could take an attacker 5 minutes to get in and steal your research."

When talking to: Network administrators
Say something like: "If you open that attachment when you are logged on as an administrator, the virus can write to any file that you can write to. That could bring down the entire network."

When talking to: Managers
Say something like: "I know that $8,000 is a lot of money, but this risk is likely to happen and could cause widespread damage. If we don't fix it now, the cost of responding to an attack could be as much as $40,000, which does not include the sales we lose when the Web site is down."


Practice: Communicating the Impact of Risks


Discussion

1. Read the scenario
2. Identify risks
3. Discuss how you would share the impact of each risk with a user, a network administrator, and a manager

Instructions

Read this scenario, identify risks, and then discuss how you would communicate the risks to a network user, a network administrator, and a manager.

Scenario

You are a network administrator for a medium-sized manufacturing company. The company recently updated its computer systems, including replacing its mainframe computers with desktop computers. The manufacturing process was heavily automated with computer controlled systems. The company also installed a business-to-business extranet site so that partners can place and track their orders, and suppliers can submit their invoices.

What risk or risks do you see?
________________________________________________________________
________________________________________________________________

How would you communicate the risks to your network users, such as manufacturing employees?
________________________________________________________________
________________________________________________________________

How would you communicate the risks to a fellow network administrator?
________________________________________________________________
________________________________________________________________

How would you discuss the risks with a manager?
________________________________________________________________
________________________________________________________________


Assessment
This lesson explained the relationship between risks and threats and vulnerabilities, showed how organizations mitigate risk, and provided guidelines for identifying risks and telling others about them.

1. You are responsible for communicating network security risks to people in your organization. Match the person to the statement that is the most appropriate for the role.

People you work with:
- Network user
- Network administrator
- Manager

Statements about risks:
- A security breach will cause us to lose $15,000 per day in revenue and $20,000 per day in productivity
- The password policy will help protect you from attackers accessing your work
- If you give too many people administrative rights, you may compromise the entire domain structure


Lab A: Explaining Security Threats and Vulnerabilities


Exercise 1: Identifying Risks to a Network
Exercise 2: Articulating the Potential Impact of a Successful Attack

Objectives
After completing this lab, you will be able to:

Prerequisites
Before working on this lab, you must have:

Scenario
Estimated time to complete this lab: 30 minutes


Module 2: Preparing to Secure Assets

Contents
Overview 1
Lesson: Identifying How Assets Are Secured 2
Assessment: Identifying How Assets Are Secured 10
Lesson: Resolving Ethical Dilemmas When Securing Assets 11
Lab A: Preparing to Secure Assets 21


Overview
Identifying How Assets Are Secured
Resolving Ethical Dilemmas When Securing Assets

Introduction
This module provides an overview of what network security personnel do to secure an organization's assets. The module also provides guidelines for resolving ethical dilemmas that network security personnel encounter when they secure network assets.

Objectives
After completing this module, you will be able to:
Identify what network security personnel do to secure assets.
Resolve ethical dilemmas when securing assets.


Lesson: Identifying How Assets Are Secured


Who Is Responsible for Network Security?
What Do Network Security Personnel Do to Secure Assets?
Why Network Security Fails
What Do Network Security Personnel Do When Security Fails?

Introduction
This lesson explains what network security personnel do to secure an organization's assets.

Lesson objectives
After completing this lesson, you will be able to:
Identify who is responsible for network security.
Describe why network security fails.
Explain what network security personnel do to secure assets.


Who Is Responsible for Network Security?


Parties and their primary responsibility:
Network security personnel: Designing and implementing network security
Users: Learning and following security policies; acting responsibly
Application developers: Developing secure code
Management: Managing budgets for network security projects and supporting user education efforts
Executive sponsor: Authorizing spending on network security
Facilities security staff: Providing secure physical locations for computing equipment
Human Resources: Participating in the development and enforcement of security policies
Legal: Providing legal input in the creation and enforcement of security policies
Auditors: Providing an independent review of security procedures

Key points
Network security personnel are responsible for designing and implementing network security. In large organizations, the roles of designing and implementing network security are divided: one person or group designs network security and another person or group implements the design. Good designers and implementers ensure that a breach of security causes only a slight disturbance in the normal work flow of network users.

Network security personnel need help from many people, including all network users, to make a computer network secure. Network security personnel often work as part of a network security team. Depending on the organization, the network security team may include representatives from any or all of the groups mentioned on the slide.

Regardless of the organization's size, divide job responsibilities among multiple security personnel so that you create a system of checks and balances to ensure that security is implemented correctly and without compromises. For example, if one security administrator is responsible for applying patches, another administrator is responsible for verifying that the patches have been installed. Or, multiple administrators may take turns reviewing audit logs to ensure that a disgruntled administrator is not violating security policies.

Network security personnel sometimes work with third parties that have expertise or responsibility in network security, for example, government agencies, law enforcement, software vendors, and external auditors.

Additional reading
For information about working with developers to help write secure code, see the book Writing Secure Code, by Michael Howard and David LeBlanc.


What Do Network Security Personnel Do to Secure Assets?


Slide: Securing assets. The slide maps each of the following areas to the course module (Modules 3 through 12) that covers it:
Implement secure computer baselines
Use authentication and access control
Use encryption to protect data
Protect applications
Manage directory services and DNS security
Secure data transmission
Implement and monitor network perimeters
Manage operational security

Key points
To secure a computer network, network security personnel:

Implement secure computer baselines. As a network security administrator, you create a secure standard installation procedure, eliminate unnecessary software components, and keep the system updated with the latest security patches. You also make preparations to ensure the physical security of computers. Law #3 of The Ten Immutable Laws of Security states that if an attacker has unrestricted physical access to your computer, then it is not your computer anymore.

Use authentication and access control. Authentication determines who is allowed to use the network. Access control determines what actions authenticated users are allowed to perform. As part of managing the authentication and access control mechanisms, you ensure that unused accounts are disabled, that accounts have only the minimum permissions required for users to do their jobs, and that all accounts have appropriate passwords. You also audit the network to ensure that these controls are in place.

Use encryption to protect data. You can implement systems to scramble data to make it unreadable to anyone except the intended recipient. You can also provide systems to digitally sign communication, so that the digital seal will be broken if the message has been tampered with in any way.

Protect applications. Ensure that all applications are configured properly, including applications for the Internet, e-mail, File Transfer Protocol (FTP), and databases. To configure applications properly, you must know the default configurations, keep up to date on security bulletins, use lockdown applications where available, and apply patches.

Manage directory services and DNS security. Although directory services provide a method for authenticating users, they require adequate security to protect them from attacks. Restrict access to directory services to appropriate personnel. For added security, you can also configure DNS in Windows 2000 to require authentication and encryption.



Secure data transmission. Secure network devices and cables, use IPSec to encrypt data when it is being transmitted, enable encryption on wireless devices, and secure remote access.

Implement and monitor network perimeters. Use firewalls to block dangerous packet traffic, use network address translation to restrict access to the internal networks, and implement intrusion detection software on both the hosts and network perimeters to identify and stop known attacks.

Manage operational security. Create and update policies and procedures and educate network users about how to keep the network secure. Develop a comprehensive plan to audit for adherence to these policies and procedures.

The tradeoffs that are involved in network security are sometimes referred to as the CIA triangle: security personnel must make decisions to balance confidentiality, integrity, and availability. For example, if you emphasize confidentiality and integrity of the system, you must decrease the availability of the system. If you increase integrity and system availability, you must decrease confidentiality.

Additional reading
For more information about what network security personnel do to secure assets, see The Ten Immutable Laws of Security on the TechNet page of the Microsoft Web site at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/essays/10imlaws.asp.
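The authentication and access control item above names three controls and says to audit for them. As an added example (not from the course materials), the following Python script runs those three checks over a constructed set of account records; the role-to-group mapping, the 90-day inactivity threshold and the 60-day maximum password age are assumed policy values, not values the course specifies.

```python
"""Audit account records against the three access-control checks the lesson
names: unused accounts are disabled, accounts hold only the permissions their
role needs, and every enabled account has an appropriate password.
Added example, not from the course materials; the account records, the
role-to-group mapping and the policy thresholds are all constructed."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

# Assumed policy values; a real organization takes these from its written policy.
INACTIVE_DAYS = 90          # enabled account with no logon for longer than this is unused
MAX_PASSWORD_AGE_DAYS = 60  # older passwords violate the password policy

# Assumed mapping of job role to the minimum group membership that role needs.
ROLE_ALLOWED_GROUPS = {
    "user": {"Domain Users"},
    "helpdesk": {"Domain Users", "Account Operators"},
    "admin": {"Domain Users", "Domain Admins"},
}


@dataclass
class Account:
    name: str
    enabled: bool
    last_logon: Optional[date]  # None means the account has never logged on
    groups: Set[str]
    password_set: bool
    password_age_days: int
    role: str


def audit(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (account name, finding) pairs for every control violation."""
    findings = []
    for acct in accounts:
        # Check 1: unused accounts must be disabled.
        inactive = (acct.last_logon is None
                    or (today - acct.last_logon).days > INACTIVE_DAYS)
        if acct.enabled and inactive:
            findings.append((acct.name, "unused account still enabled"))

        # Check 2: only the minimum permissions the role requires.
        excess = acct.groups - ROLE_ALLOWED_GROUPS.get(acct.role, set())
        if excess:
            findings.append((acct.name,
                             "excess permissions: " + ", ".join(sorted(excess))))

        # Check 3: every enabled account has an appropriate password.
        if acct.enabled:
            if not acct.password_set:
                findings.append((acct.name, "no password set"))
            elif acct.password_age_days > MAX_PASSWORD_AGE_DAYS:
                findings.append((acct.name, "password older than policy allows"))
    return findings


# Constructed sample records, evaluated against the reference date below.
AUDIT_DATE = date(2002, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", True, date(2002, 5, 28), {"Domain Users"}, True, 20, "user"),
    Account("bob", True, date(2002, 1, 10), {"Domain Users"}, True, 30, "user"),
    Account("carol", False, date(2001, 11, 2), {"Domain Users"}, True, 200, "user"),
    Account("dave", True, date(2002, 5, 30),
            {"Domain Users", "Domain Admins"}, True, 10, "helpdesk"),
    Account("svc_backup", True, None, {"Domain Users"}, False, 0, "user"),
]


def audit_sample() -> List[Tuple[str, str]]:
    """Run the audit over the constructed sample records."""
    return audit(SAMPLE_ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for name, finding in audit_sample():
        print(f"{name}: {finding}")
```

The disabled account carol produces no finding even though it is inactive and has an old password, which is the intended outcome: disabling is the control for unused accounts.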


Why Network Security Fails


Perfect security is not possible: the only completely secure system is one that nobody can use.
Defending networks is difficult, and the more complex a network is, the more difficult it is to defend.

Characteristics of attackers:
Can attack with very low cost
Only need to understand one vulnerability
Outnumber security personnel
Have unlimited time
Do not follow any set of rules

Characteristics of network security personnel:
Must dedicate time and resources to defend networks against attacks and convince others to do the same
Must protect end users and managers who may not be vigilant
Must understand all threats and vulnerabilities
Must also handle disruptions due to mistakes, accidents, and natural disasters

Key points
Perfect security is not possible. Networks are designed, implemented, monitored, and used by people, and people are fallible. In fact, if you look closely at any network, you are likely to find a security incident: either someone attempting to break in or someone doing something that could lead to a break-in. Also, Law #8 of The Ten Immutable Laws of Security Administration states that the difficulty of defending a network is directly proportional to its complexity.

Characteristics of attackers
Attackers have many characteristics that give them advantages over network security personnel. Attackers:

Can attack with very low cost. Attackers can automate most of an initial attack strategy by using scripts. Even seasoned attackers use scripts, but they know how to write their own and write new ones to deal with new situations.

Only need to understand one vulnerability. Attackers need only one entry point into a network. From there they can launch additional attacks and leave back doors to facilitate future reentry.

Outnumber security personnel. There are so many attackers that have access to scripts that if you put an unpatched computer on the Internet, there is a 100 percent chance that it will be compromised.

Have unlimited time.

Do not follow any set of rules.

Characteristics of network security personnel
Network security personnel:

Must dedicate time and resources to defend the network against attacks. There is a limited amount of time and resources that network security personnel have to secure networks.

Must protect end users and managers who may not be vigilant. If every user treated security as a high priority, most attacks could not succeed. For most businesses, making security a high priority would take away from primary business activities. Often security makes business inconvenient or even impossible, so it is consciously or unconsciously lowered in importance. Law #2 of The Ten Immutable Laws of Security Administration states that security only works if the secure way also happens to be the easy way. People do not care about security until it strikes close to home, even if you educate users by using a concerted security awareness campaign. Law #1 of The Ten Immutable Laws of Security Administration states that nobody believes anything bad can happen to them until it does. Until executives see the need for security, they may be reluctant to invest money in it.

Must understand all threats and vulnerabilities.

Must also handle disruptions due to mistakes, accidents, and natural disasters.

Additional reading
For more information about why network security fails, see The Ten Immutable Laws of Security Administration on the TechNet page of the Microsoft Web site at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/essays/10imlaws.asp.


What Do Network Security Personnel Do When Security Fails?


Slide: Securing assets when security has failed. The slide maps each of the following steps to the course module (Modules 12 through 14) that covers it:
1. Improve operational security
2. Preserve business continuity
3. Respond to security incidents

Key points
When network security fails, network security personnel:

Improve operational security. After security fails, you must determine how to ensure that the attack does not happen again. Part of this process is improving operational security. Did you have security policies? Where did they fail? Was it a lapse in user education, or did users fail to install security updates? Are you auditing and logging events? Do you have enough information to revise your plan so the attack cannot happen again? Many organizations were attacked by the NIMDA virus twice because network security personnel did not realize all of the ways that NIMDA can attack.

Preserve business continuity. You must have a plan to recover, regardless of whether you are recovering from a natural disaster, a massive attacker onslaught, or a server that someone accidentally dropped down a flight of stairs. Ensure that your recovery mechanisms do not leave you vulnerable to other attacks. For example, protect your backup tapes just like any other physical asset. Keep a copy offsite in a secure location.

Respond to security incidents. Have a plan to respond to security incidents, and practice the steps in this plan so that you do not panic when an incident happens. Many organizations create an incident response team to respond to incidents, communicate about incidents, and preserve evidence in case the organization decides to prosecute an attacker.


Practice: Identifying How Assets Are Secured

1. Explore this interactive multimedia piece.
2. Read the information on the Security Measures tab and then watch what the network security administrator does to defend against attacks.
3. Discuss what you understand about the defense strategies of network security personnel.

Instructions
To start this activity, open the Web page on the Student Materials CD, click Multimedia, and then click the title of the activity. Spend about 10 minutes exploring this interactive multimedia piece. For each attack, read the information on the Security Mechanisms tab, and then click the play button to see the attack and watch a network security administrator defend against the attack. When you finish, discuss network security strategies with the class.


Assessment: Identifying How Assets Are Secured


This lesson explained what network security personnel do to secure an organizations assets.

1. The Northwind Traders network was compromised by an internal attacker. The attacker carried the main file server past the security guard and also took the only backup tapes. What security measures would have helped prevent this attack? Choose all that apply.
A. Physically securing the backup tapes.
B. Applying the latest security patches and hotfixes.
C. Implementing a policy that forbids computer equipment from leaving the building.
D. Encrypting all data that is transmitted across the network.


Lesson: Resolving Ethical Dilemmas When Securing Assets


The Relationship Between Policies, Laws, and Ethics
Ethical Dilemmas that Network Security Personnel Encounter
What Is a Code of Ethics?
An Example Code of Ethics for Network Security Personnel
Guidelines for Resolving Ethical Dilemmas

Introduction
This lesson explains the role that ethics play in network security. It also provides examples of ethical dilemmas that network security personnel encounter and guidelines for resolving ethical dilemmas.

Lesson objectives
After completing this lesson, you will be able to:
Explain the difference between policies, laws, and ethics.
Give examples of ethical dilemmas that network security personnel encounter.
Discuss what a code of ethics for network security personnel may look like.
Resolve ethical dilemmas when securing information.


The Relationship Between Policies, Laws, and Ethics


Network security is dictated by:
Security Policies
Laws
Ethics

Ethics are norms and principles of right conduct beyond written policies and laws.

Key points
When most people consider what it takes to secure a computer network, they think about the written policies, technical configurations, or laws that influence a security solution. However, the ethical behavior of the people who implement, maintain, and use the network is just as important. The following table shows the relationship between security policies, laws, and ethics.

Security policies
Description: Physical documents that explain how an organization's security design is implemented to protect the confidentiality, integrity, and availability of assets. Policies are enforced by network user actions, technical configuration, and physical barriers.
Example: Your organization has a policy in place that says only administrators have access to the file servers. This policy is enforced by using passwords and storing the servers in locked rooms.

Laws
Description: Mandates by local or national governing bodies that require organizations in certain industries to take specific security measures on their networks. There may be legal requirements for protecting privacy, applying software updates, or for filing reports.
Example: Industry regulations may require restricted access to servers with certain types of information.

Ethics
Description: Norms and principles of right conduct beyond written policies and laws. These principles are decided and acted on by a group, and they may be discussed or understood without being spoken about.
Example: There is no policy about physically securing servers. There is no regulation regarding server access for your industry. Someone leaves the server room unlocked. It is still not OK for someone to go in and damage the servers.

Even in the most efficient organization, it is unlikely that there will be a written policy for every possible challenge that network security personnel encounter. Ethics make network users and network security personnel recognize that the absence of a policy or a law against doing something does not mean that it is OK to do.

Additional reading
For more information about ethics, see the following resources:
The Ethics Resource Center at http://www.ethics.org.
The Markkula Center for Applied Ethics at http://www.scu.edu/ethics.
International Business Ethics Institute at http://www.business-ethics.org.
Institute for Global Ethics at http://www.globalethics.org.


Ethical Dilemmas that Network Security Personnel Encounter


Ethical dilemmas are complex issues that force choices between competing courses of action. You may be facing an ethical dilemma when:
There is no obvious or easy answer
Your choice involves competing good or competing bad outcomes

Examples of ethical dilemmas:
It is easier and faster to fix something by bending a policy. What do you do?
To catch an attacker you must attack back. How far do you go?
Some of your team's standard practices regularly contradict the organization's policies. Do you change the policy or do what is most secure?

Example ethical dilemmas
The following bullets show several examples of the types of ethical dilemmas that network security personnel encounter:

Bending the rules to fix things quickly. It may be faster to set someone's password so it never expires, so they do not keep having support issues, but it violates policy. It may be easier to use remote control on a person's computer without their permission, even though permission is usually required before running those utilities. Do you follow the policies strictly, or do you bend them to improve user experience or to make the organization run more smoothly?

Pursuing an attacker into someone else's system or attacking back. While handling a security incident, you discover vulnerabilities in your own system and in the systems of others. You realize that you can pursue the attacker, if you do it quickly. If you pursue an attacker into other people's systems without their approval, you risk becoming no better than the attacker. But if you do not, you may lose valuable evidence against the attacker. What do you do?

Temporarily using illegal copies of software. You need an application to make your network more secure, but it could be weeks before the budget for it is approved. A friend has the application and a CD burner. You always get funding for this type of application and you plan to pay for copies as soon as the budget is approved. Do you make illegal copies?

Finding inappropriate use of the network or inappropriate materials on a coworker's computer. While looking for some data, you find something else that you did not expect: a coworker is violating the acceptable use policy for Internet access. Or, you discover that your boss's computer contains inappropriate graphic files. Do you follow policy and report a member of your own team?

Making mistakes. You made a mistake, violated policy, and left a weakness that allowed your network to be attacked. You found and fixed the problem so that it can never happen again. Do you report yourself?


Handling inadequate policies. Some of your team's standard practices regularly contradict the organization's policies, focusing on saving time instead of following the exact procedure. Do you follow the policy or do what is most secure?


What Is a Code of Ethics?


A code of ethics is a set of guidelines that describes the norms and principles of right conduct that a group agrees to work by. A code of ethics:
Establishes a baseline for addressing complex issues
Enhances the professionalism and image of the staff by promoting ethical behavior
May act as a reference for construction of local site acceptable use policies

Key points
Although a code of ethics may be written or unwritten, a written code of ethics is more useful to someone who faces an ethical dilemma. In complex situations, employees can use the code of ethics, in addition to their professional judgment, to help understand what the organization expects of them.


Example Code of Ethics for Network Security Personnel


Protect information integrity, confidentiality, and availability
Commit to continuous learning and knowledge sharing
Do not unnecessarily infringe on the rights of users
Treat all users equitably; do not discriminate
Do not accept network security tasks that you are not qualified to do
Commit to understanding the organization's policies and the law, and stay current as they change
Maintain the highest level of personal integrity

Key points
Depending on the organization, a code of ethics may range from unwritten but understood guidelines for acceptable behavior to detailed, multichapter documents that attempt to dictate priorities for all possible situations. The slide shows an example of a simple code of ethics for network security personnel. To see the code of ethics that people who pursue the Certified Information Systems Security Professional (CISSP) certification must agree to, see the International Information Systems Security Certification Consortium (ISC)2 Web site at http://www.isc2.org/cgi/content.cgi?page=31.

Additional reading
For more examples of codes of ethics, visit the following Web sites:
The System Administrators Guild (SAGE) Web site at http://www.usenix.org/sage/publications/code_of_ethics.html
The Global Information Assurance Certification (GIAC) Web site at http://www.giac.org/COE.php
The Australian Computer Society Web site at http://www.acs.org.au/national/pospaper/acs131.htm
The Information Assurance Advisory Council Web site at http://www.iaac.org.uk/ethics/
The ACM Computing and Public Policy Web site at http://www.acm.org/constitution/code.html
The System Administrators Guild of Australia Web site at http://www.sageau.org.au/ethics.html


Guidelines for Resolving Ethical Dilemmas


Know your organization's code of ethics.
When you encounter an ethical dilemma:
1. Trust your instincts. Why: When first faced with an ethical dilemma, people feel their entire body tense up. Trust this first instinct that something is wrong.
2. Stall for time. Why: People make mistakes when they don't take the time to think about all organizational values, obligations, and consequences.
3. Talk to others. Why: By talking with people you trust, you will have a broader perspective to base a decision on.

Key points
Ethical dilemmas are not easy. What to do when faced with an ethical dilemma will vary from situation to situation and organization to organization. You can follow these general guidelines when faced with an ethical dilemma:

Know your organization's code of ethics. When faced with a difficult decision, it will help if you understand what your organization's expectations of you are.

When you encounter an ethical dilemma:

Trust your instincts. When faced with an ethical dilemma, people respond viscerally (your entire body will tense as you sense that something is wrong). Trust this first instinct that something is wrong.

Stall for time. People make mistakes when dealing with ethical dilemmas because they make decisions too quickly. Do not let a person or situation rush you into a decision. Take the time to think about organizational obligations, your own values, and the consequences of your decisions.

Talk to others. We all carry our own biases with us. By talking with people that you trust, you will have a broader perspective on which to base your decision.


Practice: Resolving Ethical Dilemmas

1. Read the ethical dilemma.
2. Discuss the dilemma with your group and decide what to do.
3. Share your group's decision with the class and discuss why you made the decisions that you did.

Instructions
Discuss the following ethical dilemma with your small group and come to an agreement about what Bob should do. After your group makes a decision, share it with the rest of the class.

Important: If you are taking this lesson online, do not do this practice by yourself. When faced with a dilemma such as this, you should not make decisions without getting input from others. Find others to work with to resolve this ethical dilemma.

Ethical dilemma
Bob is a network administrator at a research company that requires the highest possible security. Stringent security policies require two separate networks: one for regular corporate communications and one for all corporate research. The vice president of research is inconvenienced by having to maintain two separate workstations, one on each network. He orders Bob to connect one workstation to both networks at the same time. He wants it to be done the next day, while he is attending a conference. Bob knows that the vice president is a high-profile person in the organization with power and influence. Bob also knows that if the research data is compromised, it could put the organization out of business. What should Bob do?

Assessment: Resolving Ethical Dilemmas When Securing Assets


This lesson explained the role that ethics plays in network security, provided examples of ethical dilemmas that network security personnel face, and offered guidelines for resolving ethical dilemmas.

1. When faced with an ethical dilemma, what should you do? Choose all that apply.
A. Trust your instinct that something is wrong.
B. Stall for time so that you can make a more informed decision.
C. Read the company handbook to find out what to do.
D. Get input from people that you trust before making a decision.

Lab A: Preparing to Secure Assets


Exercise 1: Defining Your Role in Securing Network Assets


Module 3: Implementing Secure Computing Baselines

Overview
Introduction to Trusted Computing Bases
Establishing a Secure Baseline
Monitoring a Secure Baseline
Physically Securing Computers
Maintaining a Secure Baseline

Introduction

In this module, you will learn how to create a secure computing environment that complies with an organization's security policy. The module also describes guidelines for protecting physical resources and facilities. In addition, you will learn about the tools that you can use with computers running Microsoft Windows operating systems to monitor and maintain a secure environment. After completing this module, you will be able to:

Objectives

Describe a trusted computing base.
Describe guidelines for establishing a secure baseline.
List common tools that you can use to monitor a baseline.
Explain how to physically secure computers.
Describe how you can maintain baselines.

Lesson: Introduction to Trusted Computing Bases


What Is a Trusted Computing Base?
Threats to a Trusted Computing Base
Evaluation and Certification of a Trusted Computing Base
Requirements for Maintaining a Trusted Computing Base

Introduction

For an organization to maintain a secure network environment, it must specify configurations for hardware, software, firmware, and procedures that comply with the organization's security policy. This secure configuration is known as a trusted computing base. After completing this lesson, you will be able to:

Objectives

Describe a trusted computing base.
Explain the threats to a trusted computing base.
Describe evaluation and certification options.
List the requirements for maintaining a trusted computing base.

What Is a Trusted Computing Base?


A trusted computing base is the total combination of protection mechanisms within a computer system.

A trusted computing base:
Includes hardware, software, firmware, and procedures
Is the implementation of an organization's security policy

Key points

A trusted computing base is the total combination of protection mechanisms within a computer system. It includes detailed security requirements for all elements of an organization's computing environment. The computing base is referred to as trusted because it provides the most secure computing environment that an organization can provide, given the knowledge and abilities that the organization possesses. A trusted computing base is the implementation of an organization's security policy. To compromise security, an attacker must subvert one or more of the components of the trusted computing base. A trusted computing base should include security mechanisms that:

Enforce user authentication and access control to computers.
Restrict access to information in transit across a network.
Ensure the confidentiality of records and establish audits.
Ensure that data is not destroyed or stolen.

Threats to a Trusted Computing Base


An external threat is the discovery of a vulnerability that compromises a trusted computing base.
An internal threat can be the inadequate monitoring of a trusted computing base or noncompliance with software updates.

Any change to a trusted computing base has the potential to affect the security of the organization.

External threat

An external threat is the discovery of a new vulnerability that the components of the trusted computing base do not protect against. For example, a trusted computing base may require installing service packs, such as Windows 2000 SP3. However, a new threat may appear that is not addressed by the current version of the software.

Internal threat

An internal threat is a threat that is inherent in one or more elements of the trusted computing base. Such threats can include a bad design of the trusted computing base or inadequate implementation. Internal threats can include:

Inadequate monitoring. If an organization's procedures do not adequately monitor the trusted computing base, changes to it may go undetected. When changes are undetected, the organization may trust the computing base even though the conditions for trust are no longer present.
Noncompliance with updates. In some organizations, viruses such as Code Red and Nimda are still prevalent because users have not applied security updates, which are part of the trusted computing base.
Poor design. If you do not design the trusted computing base adequately, its implementation will not protect the organization.

Evaluation and Certification of a Trusted Computing Base


The certification process is:
Based on an extensive evaluation of a computer system's configuration
Often used for compliance with requirements for government use

Common evaluation methods include:
Trusted Computer System Evaluation Criteria (TCSEC)
Information Technology Security Evaluation Criteria (ITSEC)
The Common Criteria evaluation system
International Standards Organization standard ISO 17799

Key points

In the same way that financial institutions rely on external auditors to evaluate and certify their financial operations for compliance with industry standards, many organizations rely on external sources to evaluate and certify their trusted computing base. Evaluation of a computer system means that a certain configuration has been tested and meets the requirements of the evaluation criteria. Certification means that a specific computer system in its entirety has been tested to meet these requirements. For example, Windows 2000 may be evaluated to comply with a security standard. A specific computer running Windows 2000 may be certified to meet the requirements.

Often, government agencies require that computing systems are evaluated or certified for a specific level of security. For example, certain government agencies can use Windows 2000 only after the U.S. National Security Agency (NSA) certifies that the operating system is secure in a specified configuration. In private industry, organizations comply with established standards to satisfy legal requirements, meet government standards, or follow good business practice.

Evaluation standards

Common evaluation standards include:

Trusted Computer System Evaluation Criteria (TCSEC). TCSEC was developed by the U.S. Department of Defense National Computer Security Center (NCSC). TCSEC is a set of standards against which computer systems and applications are evaluated. These standards are published in several rating systems. The most common set of standards is known as the Orange Book. The NCSC security evaluation process evaluates commercial products. Vendors submit their products for evaluation and receive an evaluation rating that indicates the degree of security that the product can provide when it is properly configured and used. The NCSC evaluation standard defines several levels of security. The C2 level is the highest level that a commercial operating system can achieve.

Information Technology Security Evaluation Criteria (ITSEC). In the United Kingdom, the Computer and Electronics Security Group (CESG) performs an ITSEC evaluation that is equivalent to the TCSEC evaluation process.

Common Criteria for Information Technology Security Evaluation (CCITSE). Normally referred to as Common Criteria, this standard replaces the TCSEC and ITSEC processes. Common Criteria evolved with input from multiple governments. Government agencies in Australia, the United States, and several European countries use it. Because Common Criteria is an international standard, evaluation results that are issued by one country's evaluation authority under the Common Criteria are recognized internationally by other governments.

International Standards Organization standard ISO 17799. This internationally recognized information security standard is used by many commercial organizations. It is essentially a generic security policy that describes general security standards, but not the settings that are specific to any operating system.

Several Microsoft products have been submitted for evaluation and have successfully completed the process. Microsoft Windows NT 4.0 has received TCSEC and ITSEC evaluation. Windows 2000 has successfully completed Common Criteria evaluation.

Additional reading

For more information about evaluation and certification, see the white paper, C2 Evaluation, at http://www.microsoft.com/technet/security/news/c2eval.asp. Also see the white paper, The New Common Criteria Security Evaluation Scheme and the Windows 2000 Evaluation, at http://www.microsoft.com/technet/security/prodtech/secureev.asp. Also see the Microsoft Knowledge Base article Q93362, C2 Evaluation and Certification for Windows NT.

Requirements for Maintaining a Trusted Computing Base


Detailed configurations and procedures

Extensive documentation

Change and configuration management

Procedural review

Key points

Maintaining a trusted computing base requires the following elements:

Detailed configuration and procedures. For each component and configuration, define a required setting. For example, require a minimum password length of eight characters.
Extensive documentation. Document every configuration step. For example, document the computers that have file and print sharing enabled.
Change and configuration management. Define procedures for applying changes, such as procedures for testing and applying service packs.
Procedural review. Review procedures regularly to find potential weaknesses. For example, you may discover that procedures for securing computers do not include all operating system components. Whenever possible, someone outside the organization should perform the procedural review.

Practice: Identifying Threats to a Trusted Computing Base

1. Note any threats that you have encountered to a trusted computing base at your workplace
2. Discuss as a class

Instructions

As a class, discuss the threats that you have encountered to a trusted computing base at the workplace. Be careful not to reveal information that may jeopardize the security of your employer's computing base.

Assessment: Introduction to Trusted Computing Bases

Did you understand this lesson?

Complete the assessment question to confirm it.

Multiple choice

1. Which of the following statements are true? Choose all that apply.
a. A trusted computing base defines secure settings for a single computer, such as a Web server or a client computer.
b. A trusted computing base is the implementation of an organization's security policy.
c. Lack of documentation may constitute a threat to the trusted computing base.
d. A trusted computing base defends your network against all known viruses.

Lesson: Establishing a Secure Baseline


What Is a Secure Baseline?
Guidelines for Securing Windows 2000 Services
Guidelines for Securing File Systems and File and Print Services
Guidelines for Securing Critical Applications
How to Establish a Secure Baseline
Guidelines for Using Templates to Enforce Security

Introduction

A secure baseline applies the trusted computing base to computers and their settings. For example, a baseline typically contains specific settings for securing a Web server running Windows 2000. In this lesson, you learn about secure baselines and the guidelines to follow to secure the components of a secure baseline. After completing this lesson, you will be able to:

Objectives

Describe the elements of a secure baseline.
Describe guidelines for securing Windows 2000 services.
Describe guidelines for securing file systems and file and print services.
Describe guidelines for securing critical applications.
Explain how to establish a secure baseline.
Describe guidelines for using Security Templates.

What Is a Secure Baseline?


A secure baseline:

Implements elements of a trusted computing base on a computer
Describes all relevant configuration settings for secure computing
Describes all administrative procedures

Key points

A secure baseline is a detailed description of how to configure and administer a computer. A secure baseline implements the components of a trusted computing base on a specific computer. It also describes all relevant configuration settings for secure computing. Elements of a secure baseline include:

Settings for services and applications. For example, only specified users have permissions to start a service or run an application.
Configuration of operating system components. For example, all sample files that are included with Internet Information Services (IIS) must be removed from the computer.
Permissions and rights assignments. For example, only administrators have permissions to change operating system files.
Administrative procedures. For example, the Administrator password on a computer is changed every 30 days.

Guidelines for Securing Windows 2000 Services


Determine whether service is required
Secure registry settings and files (slide example: the SynAttackProtect and TcpMaxHalfOpen registry values)
Verify the latest security updates

Key points

Guidelines for securing Windows 2000 services include:

Determine whether a service is required. Running a service that is not required on a computer presents a potential vulnerability. If a service is not required, it may not be adequately monitored, and may be exploited by an attacker without your noticing it.
Verify the latest security updates. If the latest security updates are not applied, the service may be vulnerable to known attacks.
Secure registry settings and files. Without applying the correct permissions, an attacker could change the registry settings or files that are associated with the service to threaten your network security.

Guidelines for Securing File Systems and File and Print Services
Grant only the permissions required to perform tasks
Minimize the number of permissions assignments and use permissions inheritance
Combine file permissions and shared folder permissions
Enable File and Print Services only if required

Key points

Guidelines for securing file systems and file and print services include:

Grant only required permissions. Excessive permissions can lead to users having inappropriate access to confidential data, or to the accidental or deliberate destruction of data. For example, if users must review but not change a spreadsheet that contains financial data, assign only Read permission and not Write permission.

Minimize the number of permissions assignments. Keep the number as low as possible. For example, if 1,000 users require permission to access specific data, the best solution is to put the users in a group, and then assign the appropriate access permissions to the group. That way, you create only one permission assignment. To use permissions most efficiently, apply permission assignments to folders and use inheritance whenever possible.

Combine file permissions and shared folder permissions. A common strategy is to rely primarily on file permissions to control access to data, because they apply whether files are accessed from the local computer or across the network. By combining file permissions with shared folder permissions, you can restrict access from the network beyond the restrictions that apply to local access.

Enable File and Print Services only if required. Computers running Windows 2000 or Windows XP enable the server service by default, which provides access to shared folders and printers on your computer from the network. In many cases, client computers do not require this functionality. In those cases, disable the server service.
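The group-based, inherited, NTFS-plus-share approach described above, as an added PowerShell example that is not part of the course. The folder path, the group name and the share name are assumptions, and the script expects an elevated session on a computer with the SmbShare module.

```powershell
# Added example: grant a group (not individual users) Read access to a data
# folder, let the permission inherit to everything beneath it, and publish the
# folder through a share whose permissions are no wider than the NTFS ones.
# Folder, group and share names below are assumptions for illustration.

$folder    = 'D:\Finance\Reports'          # assumed data folder
$readGroup = 'CONTOSO\Finance Reviewers'   # assumed group: users who review, but may not change, the spreadsheets
$shareName = 'FinanceReports'              # assumed share name

New-Item -ItemType Directory -Path $folder -Force | Out-Null

$acl = Get-Acl -Path $folder
# Stop inheriting from the parent folder so only the assignments made here apply,
# and discard (rather than copy) the entries that were inherited.
$acl.SetAccessRuleProtection($true, $false)

# Inherit to subfolders (ContainerInherit) and files (ObjectInherit): one
# assignment on the folder instead of one per file, and no per-user entries.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

$rules = @(
    # Reviewers: Read & Execute only, the page's "Read, not Write" example
    @($readGroup,                'ReadAndExecute', $inherit, $propagate, 'Allow'),
    # Administrators and SYSTEM keep Full Control so the folder stays manageable
    @('BUILTIN\Administrators',  'FullControl',    $inherit, $propagate, 'Allow'),
    @('NT AUTHORITY\SYSTEM',     'FullControl',    $inherit, $propagate, 'Allow')
)
foreach ($r in $rules) {
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $r
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $folder -AclObject $acl

# Share permissions apply only to network access. Granting the share to the same
# group means the effective network permission is the more restrictive of share
# and NTFS permissions, and nobody outside the group can open the share at all.
if (-not (Get-SmbShare -Name $shareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $shareName -Path $folder -ReadAccess $readGroup | Out-Null
}

# Review the result: explicit entries only, one per group rather than one per user
(Get-Acl -Path $folder).Access |
    Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
Get-SmbShareAccess -Name $shareName | Format-Table AccountName, AccessRight -AutoSize
```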

Guidelines for Securing Critical Applications


Install only required components
Grant only required access to features
Stay informed about vulnerabilities in applications
Change default passwords

Key points

Guidelines for securing applications that are critical to your organization's business include:

Install only required components. Many applications consist of multiple components. By choosing the default or full installation, you may install some components that you do not require, which can increase the complexity of the installed product and the number of potential points of failure. Also, components that are used infrequently are typically not monitored as closely as other components, which can lead to security breaches going undetected.

Grant only required access to features. In a database program, such as Microsoft SQL Server 2000, grant users permission to add or change data only if their job requires it. For example, consider granting specified users the ability to view financial data, but not to change the data.

Stay informed about vulnerabilities in applications. Software companies often maintain Web sites or mailing lists that contain information about threats and application updates. For example, Microsoft publishes security bulletins with recommended updates.

Change default passwords. Leaving the default or blank password for an application is a common but serious installation mistake. Even if an administrator plans to change the password later, it is often forgotten. Knowing this, attackers often try blank or default passwords to gain access to the application.

Additional information

For more information about Microsoft security bulletins, see the Microsoft Security & Privacy Web site at http://www.microsoft.com/security. To subscribe to Microsoft security bulletins, see the Product Security Notification Web page at http://www.microsoft.com/technet/security/bulletin/notify.asp.

How to Establish a Secure Baseline


1. For each computer, inventory all applications and services
2. Document required security settings for operating system, applications, and services
3. Apply settings to each computer
4. Establish audit methods to detect changes to baselines


Key points

Use the following steps to establish a secure baseline:

1. Make note of all applications and services on a computer. Without a complete inventory of all the hardware and software components on a computer, you may fail to secure crucial components, or you may fail to notice hardware changes that require changes to the baseline.
2. Document the required security settings for the operating system, applications, and services. Include every security-related setting and configuration step, including administrative procedures. Be sure to review the guidelines to ensure suitability.
3. Apply settings to the computer. Consider using automated methods such as Group Policy, which can save time, ensure consistency, and minimize errors.
4. Establish audit methods to detect changes to the baseline. An audit will detect changes in computer settings in addition to changes to the baseline.

Additional reading

For more information about creating a secure baseline, see the Prescriptive Architecture Guides: Microsoft Solution for System Architecture, Internet Data Center Web page at http://www.microsoft.com/technet/itsolutions/idc/pag/pag.asp?frame=true. For additional computer baselines, see the Center for Internet Security Web site at http://www.cisecurity.org. For information about maintaining and monitoring secure baselines, see Security Operations Guide for Windows 2000 Server at http://www.microsoft.com/technet/security/prodtech/windows/windows2000/staysecure/default.asp?frame=true

Guidelines for Using Templates to Enforce Security


Use Windows security templates to apply consistent security settings
Create templates for each computer role
Use a combination of templates to apply general and specialized settings to computers
Apply templates by using Group Policy
Use the Security Configuration and Analysis snap-in to detect changes to baselines


Key points

Security templates apply a number of security settings to a computer at the same time. You can apply security templates to computers running Windows 2000 and later. You can use the sample templates in the <Systemroot>\Security\Templates folder or use the Security Templates snap-in to create or modify templates. You use the Security Configuration and Analysis snap-in to apply a template and then compare the template settings to the actual computer settings.

Template guidelines

Use the following guidelines to apply security templates:


Use templates for each role. The security settings for a given computer role are usually the same. You can create one template for servers running Microsoft SQL Server and another template for client computers. Before you create templates, identify common computer roles and then design a template for each role.

Use a combination of templates. Often, some security settings must apply to all computers in an organization; other security settings apply to only one type of computer. For example, all computers in an organization may have a minimum password requirement for local computer accounts, but only Web servers require that Internet Information Services (IIS) is running. To reduce complexity, create one template for all common settings, and then create another template for each common computer role. Apply the common template to all computers, and then apply the specialized template only to the computers that you created it for.

Use Group Policy to apply templates. You can automate the process of assigning templates by using Group Policy. Group Policy can also ensure that template settings are automatically reapplied if any template settings change on a computer.

Monitor the baseline. You can monitor changes to the baseline by using the Security Configuration and Analysis snap-in. The snap-in can detect discrepancies between template settings and the current computer settings.
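Security templates are .inf files, and the "combination of templates" guideline above can be carried out from the command line with secedit.exe, the counterpart of the Security Configuration and Analysis snap-in. The following is an added example, not part of the course, that writes a common template and a Web-server role template and applies them cumulatively; the working directory, the particular setting values, the W3SVC service entry and its SDDL string are assumptions, so run it only on a test computer.

```powershell
# Added example: one template for settings common to every computer, one for a
# role, applied in turn into the same secedit database. Values are assumptions.

$workDir = Join-Path $env:TEMP 'BaselineTemplates'   # assumed working folder
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Common template: the course's own example is a minimum password length of
# eight characters; the other values are assumed for illustration.
$commonInf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
MaximumPasswordAge = 42
[Event Audit]
AuditLogonEvents = 3
AuditPolicyChange = 3
'@

# Web-server role template: the two TCP/IP registry values named on the slide
# (format is path=type,value; type 4 is REG_DWORD; values assumed) and the
# World Wide Web Publishing Service (W3SVC) set to automatic start (2) with the
# default service security descriptor (SYSTEM and Administrators manage it,
# authenticated users may only query it). Service entry format and SDDL are
# assumptions: compare them with a template exported from the snap-in.
$webRoleInf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect=4,1
MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen=4,500
[Service General Setting]
"W3SVC",2,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)"
'@

$commonPath  = Join-Path $workDir 'common.inf'
$webRolePath = Join-Path $workDir 'webserver.inf'
$dbPath      = Join-Path $workDir 'webserver.sdb'
$logPath     = Join-Path $workDir 'secedit.log'
Set-Content -Path $commonPath  -Value $commonInf  -Encoding Unicode
Set-Content -Path $webRolePath -Value $webRoleInf -Encoding Unicode

# Apply the common template first, replacing any earlier database content
# (/overwrite), then layer the role template on top: without /overwrite,
# secedit merges the second template into the same database, which is how
# "common settings plus role settings" becomes one configuration.
secedit.exe /configure /db $dbPath /cfg $commonPath  /overwrite /log $logPath /quiet
secedit.exe /configure /db $dbPath /cfg $webRolePath /log $logPath /quiet

# The same database is the reference for later drift checks: /analyze compares
# the stored template settings with the computer's current settings and writes
# the differences to the log, which is what the snap-in shows graphically.
secedit.exe /analyze /db $dbPath /log $logPath
Get-Content -Path $logPath | Select-Object -Last 40
```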

Practice: Applying a Security Template

1. Read the scenario
2. Follow the steps to apply a Windows 2000 security template


Instructions

Read the scenario and then follow the steps to apply a Windows 2000 security template.

Scenario

Contoso Pharmaceuticals' security policy requires that all computers running Windows 2000 are configured with the minimum security settings that are defined in the security template basicsv.ini. You must apply these settings to all computers running Windows 2000.

Practice

1. Log on using the following information:
User name: Adminx (where x is your assigned student number)
Password: P@ssw0rd
Log on to: contoso
2. Click Start, and then click Run.
3. In the Run dialog box, type mmc and then click OK.
4. In the Console1 window, on the Console menu, click Add/Remove Snap-in.
5. In the Add/Remove Snap-in dialog box, click Add.
6. In the Add Standalone Snap-in dialog box, under Available Standalone Snap-ins, click Security Configuration and Analysis, click Add, click Security Templates, and then click Add.
7. In the Add Standalone Snap-in dialog box, click Close, and then click OK to close the Add/Remove Snap-in dialog box.
8. On the Console menu, click Save As.
9. In the Save in box, navigate to the desktop.
10. In the File name box, type Baseline Tools and then click Save.
11. Maximize the Baseline Tools and Console Root windows.
12. In the console tree, click Security Configuration and Analysis.
13. In the console tree, right-click Security Configuration and Analysis, and then click Open database.
14. In the Open database dialog box, in the File name box, type Server (where Server is your assigned computer name), and then click Open.
15. In the Import Template dialog box, click basicsv, and then click Open. In the details pane, Security Configuration and Analysis displays a message indicating that you may now configure or analyze your computer.
16. In the console tree, right-click Security Configuration and Analysis, and then click Configure Computer Now.
17. In the Configure System dialog box, click OK to accept the default log path and start the configuration. Security Configuration and Analysis displays the Configuring Computer Security message box, which shows the progress of the configuration process, indicating which areas are being configured.
18. When Security Configuration and Analysis has finished applying the template, close Baseline Tools.
19. In the Microsoft Management Console dialog box, click No.
20. Close all open windows, and then log off.

Assessment: Establishing a Secure Baseline

Did you understand this lesson?

Complete the assessment question to confirm it.


Multiple choice

1. You have decided to implement security settings by using security templates. Which of the following actions should you perform? (Choose the correct answer.)
a. Create a separate security template for each computer in your network.
b. Create a separate security template for each type of user.
c. Create a separate security template for each computer role.
d. Create a single security template for all computers.

Lesson: Monitoring a Secure Baseline


How to Monitor Secure Baselines
What Is the Microsoft Baseline Security Analyzer?
How to Use the Microsoft Baseline Security Analyzer
What Is HfNetChk?
Guidelines for Using Baseline Monitoring Tools


Introduction

Monitor a secure baseline regularly to compare the current configuration with the trusted computing base, to investigate and fix discrepancies, and to adjust the baseline to manage new vulnerabilities or changing needs. This lesson introduces tools that you can use to monitor and maintain your baseline. After completing this lesson, you will be able to:

Lesson objectives

Describe how to monitor a secure baseline.
Describe the Microsoft Baseline Security Analyzer.
Explain how to use the Microsoft Baseline Security Analyzer.
Describe the HfNetChk tool.
List the guidelines for using baseline monitoring tools.


How to Monitor Secure Baselines


1. Regularly compare a computer's configuration with its secure baseline
2. Investigate the cause of discrepancies
3. Fix discrepancies
4. Adjust baselines to address new vulnerabilities or changing needs

Key points

Use the following steps to monitor secure baselines in your organization:
1. Regularly compare each computer's configuration with its baseline. Set a schedule so that you can detect problems early.
2. Investigate the cause of discrepancies. Sometimes there is a legitimate reason for a discrepancy; for example, someone has changed the configuration because of changing business needs. But a change could also be a symptom of a security compromise. Before you fix a problem, investigate the reasons for the change.
3. Fix discrepancies. Configure the computer to revert to the baseline, and ensure that the settings will not be changed again.
4. Adjust the baseline as necessary. If new vulnerabilities appear or business needs change, adjust the baseline to accommodate them. After thoroughly testing the baseline settings, implement the new baseline, and then continue to monitor the computer configuration by using the updated baseline.
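An added example (not part of the original course material) of steps 1 to 3 as a command file that can be run from a scheduled task. It uses secedit, the command-line counterpart of the Security Configuration and Analysis snap-in used earlier in this module, to compare the computer with its baseline template, lists the mismatches for investigation, and re-applies the template only when asked to. The folder and template file name are assumptions, and the "Mismatch" wording searched for is that of the secedit analysis log on Windows 2000 and later (check the log on your version).

```batch
@echo off
rem Added example, not part of the original course material.
rem Step 1: compare the live configuration with the baseline template.
rem Step 2: list the discrepancies so their cause can be investigated.
rem Step 3: re-apply the template, but only when run as "baseline.cmd fix".
rem Assumed paths: C:\Baseline\Baseline.inf is the tested baseline template;
rem C:\Baseline is a folder that only administrators can write to.
setlocal
set TEMPLATE=C:\Baseline\Baseline.inf
set DB=C:\Baseline\%COMPUTERNAME%.sdb
set LOG=C:\Baseline\%COMPUTERNAME%-analyze.log

rem Build a fresh analysis database from the template and compare it with
rem the current settings. /analyze changes nothing on the computer.
if exist "%DB%" del "%DB%"
secedit /analyze /db "%DB%" /cfg "%TEMPLATE%" /log "%LOG%" /quiet
if errorlevel 1 echo secedit /analyze reported an error; see %LOG%

rem Each setting that differs from the template is logged with the word
rem "Mismatch" (assumption about the log wording; adjust if your version differs).
echo Settings on %COMPUTERNAME% that differ from the baseline:
findstr /i /c:"Mismatch" "%LOG%"
if errorlevel 1 echo No mismatches reported.

rem Re-apply the template only after the discrepancies have been investigated.
if /i "%~1"=="fix" (
    secedit /configure /db "%DB%" /cfg "%TEMPLATE%" /log "%LOG%" /quiet
    echo Baseline re-applied; rerun this file to confirm no mismatches remain.
)
endlocal
```

Run it without arguments on the schedule you set in step 1 and keep the log files; the record of which settings drifted, and when, is what lets you tell a business change from a compromise in step 2.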


What Is The Microsoft Baseline Security Analyzer?


The Microsoft Baseline Security Analyzer (MBSA) monitors a single computer or multiple computers to detect:

Missing critical updates to operating systems
Weak passwords
Common configuration weaknesses in Windows, Microsoft Office, Internet Information Services, SQL Server, and Internet Explorer


Key points

The Microsoft Baseline Security Analyzer (MBSA) detects potential security problems on one or more computers. It compares computer settings with a basic computer security baseline that Microsoft provides. When you run MBSA, it does the following:

Detects common vulnerabilities. It looks for missing critical security updates to the operating system, weak or blank passwords, and common configuration weaknesses in Windows NT 4.0 SP4 and later, Windows 2000, and Windows XP; IIS versions 4.0 and 5.0; SQL Server 7.0 and later; Microsoft Office 2000 and Microsoft Office XP; and Microsoft Internet Explorer 5.01 or later.
Retrieves an Extensible Markup Language (XML) file from Microsoft. This file is an up-to-date database of security updates, which MBSA uses to analyze your computer settings and create a report. You can use the information in the report to fix the problems that MBSA finds.

MBSA is intended to find the most common security problems. It does not check for all possible security problems or enforce your organization's baseline settings.

Additional reading

For more information about the Microsoft Baseline Security Analyzer, see the white paper, Baseline Security Analyzer, at http://www.microsoft.com/technet/security/tools/tools/mbsahome.asp. Also see the MBSA Web site at http://www.microsoft.com/technet/security/tools/tools/mbsawp.asp.


How to Use The Microsoft Baseline Security Analyzer


1. Use an administrative account to start MBSA
2. Select the computers to scan
3. Select the vulnerabilities to scan for
4. Analyze MBSA results
5. Correct vulnerabilities

Key points

To use MBSA, choose all the computers in a domain or all the computers within an IP address range. Then select the types of vulnerabilities that you want to scan for. The XML file that MBSA downloads is digitally signed so that MBSA can check its authenticity. If MBSA cannot connect to the Internet, it uses an older version of the XML file if one is present. MBSA then scans for vulnerabilities. After the scan is complete, MBSA displays a report, which it also saves to a file so that you can view it later. Analyze the results to determine if any of the vulnerabilities require action. Then take action to correct the vulnerability. Not all potential vulnerabilities may require action. For example, MBSA detects instances when there are more than two administrator accounts on a computer. Based on the requirements for your computer, this may be a legitimate configuration. Be familiar with the computer configurations in your network and use that information with the MBSA report to analyze vulnerabilities and determine actions. You can also automate MBSA by running it from the command line.


What Is HfNetChk?
HfNetChk is a command-line tool that enables an administrator to check the update status of all computers in a network from a central location
Checks for missing critical updates and creates a network-wide report
Runs on Windows NT 4.0, Windows 2000, and Windows XP systems
Can create more detailed results than MBSA

Key points

Microsoft Network Security Hotfix Checker (HfNetChk) is a command-line tool that you can use to monitor your secure baseline. HfNetChk works in the following ways:

Unlike MBSA, HfNetChk only checks for missing critical security updates. Microsoft defines a critical update as one that would cause a serious security breach if it were not implemented.
HfNetChk can be used on computers running Windows NT 4.0, Windows 2000, or Windows XP.
HfNetChk does not look for other security vulnerabilities that MBSA checks for, such as weak passwords. However, HfNetChk can provide more detailed results than MBSA about the information that it does report on.

Additional reading

For more information about HfNetChk, including command-line options, see the article, Frequently Asked Questions about the Microsoft Network Security Hotfix Checker (Hfnetchk.exe) Tool, at http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q305385


Guidelines for Using Baseline Monitoring Tools


Run monitoring tools at regular intervals
Ensure usage of up-to-date vulnerability databases
Use MBSA to assess multiple vulnerabilities
Use HfNetChk to check for missing updates only
Ensure secure storage of results from monitoring tools
Immediately address problems found by monitoring tools

Key points

When you run HfNetChk or MBSA, the tool downloads the latest version of the hotfix database from Microsoft. If the computer that you are running the tool on does not have Internet connectivity, you can copy the XML file from another computer to which you have downloaded the database. Make sure that the information that is gathered from these tools is stored securely. If anyone can access these files, hackers may gain valuable information about the vulnerabilities in your network.
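An added example (not part of the original course material) that puts the guidelines above, and the command-line use of MBSA and HfNetChk described in the two preceding topics, into one command file: MBSA scans each listed computer for the full set of vulnerabilities, HfNetChk reports missing updates in more detail from a locally stored copy of the XML database, and the results are then restricted to administrators. The folder names, the host list, and the copied XML file name are assumptions; the switch names are those of MBSA 1.x (mbsacli.exe) and HfNetChk as shipped in 2002, so confirm them with mbsacli /? and hfnetchk -? on your versions.

```batch
@echo off
rem Added example, not part of the original course material.
rem Runs MBSA (all checks) and HfNetChk (missing updates only, more detail)
rem from one administrative computer against a list of hosts, using a local
rem copy of the Microsoft XML update database when there is no Internet
rem access, and then restricts who can read the reports.
rem Assumptions: mbsacli.exe and hfnetchk.exe are on the PATH; C:\Scan\hosts.txt
rem holds one computer name per line; C:\Scan\mssecure.xml was copied from a
rem computer that could download it; MBSA 1.x keeps its own reports under
rem %USERPROFILE%\SecurityScans; group names are those of English Windows.
setlocal
set SCANDIR=C:\Scan
set RESULTS=%SCANDIR%\results
if not exist "%RESULTS%" mkdir "%RESULTS%"

rem MBSA: full scan of each listed host; the console summary is kept per host.
for /f "usebackq" %%H in ("%SCANDIR%\hosts.txt") do (
    mbsacli /c %USERDOMAIN%\%%H > "%RESULTS%\mbsa-%%H.txt"
)

rem HfNetChk: -fh reads the host list, -x uses the local XML database instead
rem of downloading it, -o tab gives tab-separated output, -f writes it to a file.
hfnetchk -fh "%SCANDIR%\hosts.txt" -x "%SCANDIR%\mssecure.xml" -o tab -f "%RESULTS%\hfnetchk.txt"

rem The reports list exactly which hosts lack which updates, so limit them to
rem Administrators and SYSTEM. cacls replaces the ACL and asks for
rem confirmation, which the piped "Y" answers.
echo Y| cacls "%RESULTS%" /T /G Administrators:F SYSTEM:F
if exist "%USERPROFILE%\SecurityScans" (
    echo Y| cacls "%USERPROFILE%\SecurityScans" /T /G Administrators:F SYSTEM:F
)

echo Reports are in %RESULTS% and %USERPROFILE%\SecurityScans; review them now.
endlocal
```

Refresh the copied XML file each time you run this from a computer that can reach Microsoft; a scan against a stale database reports a computer as fully patched when it is not.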

Additional reading

For more information about using baseline monitoring tools, see:


The Microsoft Security & Privacy Web site at http://www.microsoft.com/security.
The Security Tools and Checklist Web site at http://www.microsoft.com/technet/security/tools/tools.asp.


Practice: Assessing Baseline Security by Using MBSA


1. Read the scenario
2. Follow the steps to use Microsoft Baseline Security Analyzer to monitor a baseline

Instructions

Read the scenario, and then follow the steps to assess baseline security by using MBSA.

Scenario

You have been asked to assess the current security settings of a server at Contoso Pharmaceuticals. You have decided to do this by using MBSA.

Practice

1. Log on using the following information:
User name: Adminx (where x is your assigned student number)
Password: P@ssw0rd
Log on to: CONTOSO
2. Click Start, and then click Run.
3. In the Run dialog box, type \\london\setup\mbsasetup.msi and then press ENTER.
4. In the Microsoft Baseline Security Analyzer Setup wizard, click Next.
5. On the License Agreement page, click I accept the license agreement, and then click Next.
6. On the User Information page, type your name and organization, and then click Next.
7. On the Destination Folder page, click Next.
8. On the Choose install options page, deselect the Show Readme file after installation check box, and then click Next.
9. On the Select Features page, click Next.
10. On the Ready to Install the Application page, click Next. After the installation is complete, Baseline Security Analyzer opens.
11. Maximize the Baseline Security Analyzer window.
12. Click Scan a computer.
13. Review the available scanning options.
14. Deselect the Check for SQL vulnerabilities check box, and then click Start scan. MBSA attempts to download XML files from Microsoft to update its database of hotfixes. Because MBSA can't connect to the Microsoft Web site, it can't check for missing hotfixes. You will check for missing hotfixes in the lab for this module.
15. When the scan is complete, review the details for each of the potential problems that MBSA identified.
16. Close Microsoft Baseline Security Analyzer.
17. In the Microsoft Baseline Security Analyzer Setup wizard, click Finish.
18. Close all open windows, and then log off.


Assessment: Monitoring a Secure Baseline

Did you understand this lesson?

Complete the assessment question to confirm it.


Multiple choice

1. Which of the following vulnerabilities can Microsoft Baseline Security Analyzer detect? Choose all that apply.
a. Blank passwords
b. Short passwords
c. Missing security hotfixes for Windows XP
d. Missing security hotfixes for Windows 98


Lesson: Physically Securing Computers


Why Is Physical Security Important?
Common Threats to Physical Security
How to Decommission Computers Securely
Guidelines for Physically Securing Computers

Introduction

Securing access to an organization's physical resources, such as buildings, hardware, and physical data links, is as important as securing the software. If an attacker can gain physical access to an organization, he can potentially access the organization's network, hardware, and data. In this lesson, you will learn about how to physically protect your environment. After completing this lesson, you will be able to:

Objectives

Explain why physical security is important.
Identify common threats to physical security.
Describe how to decommission computers securely.
List guidelines for physically securing computers.


Why Is Physical Security Important?

An attacker outside the network (external attacker) can:
Enter your facility unnoticed
Steal or compromise company data

An attacker inside the network (internal attacker) can:
Gain access to a restricted area
Access confidential data

Key points

Anyone with unrestricted physical access to a computer can potentially gain access to any data on that computer and change the computer configuration, including installing malicious programs. To protect against external and internal threats, implement measures to protect both the building and the servers, workstations, and other hardware in it. Attackers take advantage of shortcomings in physical security in several ways, including:

External attacker scenario. Without proper physical security of a building, an external attacker could enter a facility unnoticed, locate an unattended computer, and load a Trojan horse application that sends keystrokes, including passwords, to a location on the Internet.
Internal attacker scenario. A server room that is not secured properly is vulnerable to an internal attacker, who could enter the room and extract an account database from a server. The attacker could then perform a brute force attack on the password hashes in the database to obtain user passwords, and then access confidential data in other users' accounts.


Common Threats to Physical Security


Resource                   Threat
Buildings                  Unauthorized entry or exit; remote surveillance
Secure areas in buildings  Unauthorized access to sensitive computers; theft of company garbage
Physical data links        Installation of eavesdropping hardware or software; sabotage of infrastructure
Hardware                   Theft of computers; installation of unauthorized programs; theft of passwords and data

Key points

In addition to the common threats that are listed in the preceding slide, consider places where the physical security of your network is not under your direct control. For example, consider the following:

Wireless networks often extend the physical reach of your data link to as much as one mile from the location of the access point.
Your organization may share space for data wiring with other organizations, or share entrances and exits to your offices, such as in leased office buildings.

Protection against eavesdropping

Physical security also includes measures to prevent eavesdropping on magnetic emissions from computing equipment. An attacker with sophisticated eavesdropping equipment can potentially reconstruct data based on electromagnetic radiation (EMR) that is emitted from network cables, monitors, and other hardware. For example, sophisticated equipment can pick up EMR that is emitted by monitors from a distance of 200 to 300 meters. This type of technology is sometimes referred to as Tempest, after a U.S. military program in the 1960s. You can use magnetic shielding to prevent these types of emissions from your equipment. In a high security environment, a Faraday Cage, which completely encloses the computing equipment, can prevent all magnetic emissions. Effective magnetic shielding can be very expensive.


How to Decommission Computers Securely


Remove all data from the computer, including data stored on:
Hard drives
Proprietary ROM modules
Remove all media from storage devices
Destroy removable media, such as:
Floppy disks
CD-ROMs and DVD-ROMs
Storage tapes

Key points

When decommissioning a computer or disposing of removable media, ensure that you permanently erase all data from the computer and the media. Deleting data from a computer does not guarantee that the data is secure. A determined attacker may be able to reconstruct deleted data from the media. Government and private organizations often have requirements for destroying data. For example, U.S. military guidelines for sensitive data may require overwriting the data several times in a row with random data, sending the media through a shredder, incinerating the media, burying it in a high-security military landfill, or combining several of these methods. To permanently destroy data on media, use one or more of the following methods:

Use specialized software that overwrites the data on the media multiple times.
Degauss the media, that is, erase the information by exposing the media to a strong magnetic field.
Physically destroy the media.


Guidelines for Physically Securing Computers


To secure       Consider
Facilities      Security methods for entering and leaving facilities; how to secure information in buildings
Computers       How to secure access to all computers; how to secure access to computers in sensitive areas; how to secure computers by using firmware, passwords, or biometrics
Mobile devices  How to educate users about potential threats and vulnerabilities of mobile devices; requiring the use of hardware locks and alarms; using encryption to overcome physical threats

Key points

Many methods exist for physically securing computers. Balance the cost of each method with the level of security that it provides. Consider the following guidelines:

To protect facilities: Require employees to use either keys or electronic badges. Electronic badges are much more expensive than keys, but they provide much greater security and better monitoring.
To secure computers: Remove the media, including hard drives, or secure the room where the computer is stored. Securing rooms provides more protection than securing only the entrances and exits to the building.
To secure mobile devices and portable computers: Due to their portability, mobile devices and portable computers often require a combination of physical methods to secure properly, such as locks and data encryption.

Mobile devices

Handheld personal computers, mobile phones, and other mobile devices also require special security because users increasingly use them to connect to corporate networks or the Internet. Even if users do not store sensitive data on these devices, the devices often contain the users' authentication information, which an attacker can exploit. Mobile devices are also often equipped with 802.11 wireless network interfaces. Wireless connections, if not properly secured, are vulnerable to eavesdropping in public areas, such as airports. Attackers can also receive wireless transmissions in areas that are close to your building, such as a parking lot or an apartment building.

Additional reading

For more information about physical attacks on computers, see the white paper, Analysis of Alleged Vulnerability in Windows 2000 Syskey and the Encrypting File System, at http://www.microsoft.com/technet/security/topics/efs.asp. For more information about how to physically secure computers, see the white paper, 5-Minute Security Advisor: Basic Physical Security, at http://www.microsoft.com/technet/columns/security/5min/5min-203.asp.


For more information about security for handheld devices, see the white paper, Pocket PC Security, at http://www.microsoft.com/technet/itsolutions/mobile/maintain/mblsecur.asp. For more information about security for portable computers, see the white paper, 5-Minute Security Advisor: The Road Warrior's Guide to Laptop Protection, at http://www.microsoft.com/technet/columns/security/5min/5min205.asp.


Assessment: Physically Securing Computers

Did you understand this lesson?

Complete the assessment question to confirm it.


Multiple choice

1. Mary's portable computer was stolen when she left it unattended at an airport. The laptop contains confidential company data. Mary uses a strong password, which she has never shared. Which of the following can the laptop thief do? Choose all that apply.
a. Erase all data from the portable computer's hard disk and sell the computer.
b. Access all non-confidential data on the portable computer.
c. Access all confidential data on the portable computer.
d. Change the user's password and use the new password to connect to Mary's corporate network.


Lesson: Maintaining a Secure Baseline


The Role of Change Management in Securing Computers
Types of Security Updates
Guidelines for Deploying Security Updates
What Is Windows Automatic Update?
What Is Microsoft Software Update Services?

Introduction

Maintaining a secure baseline requires that you monitor the baseline for changes and discrepancies and apply security updates to the baseline when they become available. In this lesson, you will learn about the types of security updates that are available from Microsoft and methods for applying them. At the end of this lesson, you will be able to:

Objectives

Describe change management procedures when securing computers.
List the types of Microsoft security updates.
Describe guidelines for deploying security updates.
Explain how Windows Automatic Update works.
Explain how Microsoft Software Update Services works.


The Role of Change Management in Securing Computers


Change management updates baselines because of:
New requirements
New vulnerabilities
Improved practices
Change management must follow policies:
Decide who implements changes and when
Define rules for testing changes
Consider whether a system restart is required
Ensure rollback procedures are in place
Document changes

Key points

Change management is an organized, systematic application of knowledge, tools, and resources to cause change. Applying change management practices to a secure baseline ensures that updates occur in a timely, organized, and effective manner. The following table provides examples of changes that can require you to modify your secure baseline.
Change               Example
New requirements     A Web server that provides only static Web content must now provide dynamic Web content
New vulnerabilities  A new vulnerability in Microsoft Internet Explorer has been reported; Microsoft has developed a fix for the problem
Improved practices   Your organization decides to implement more frequent password changes

When you implement changes to a secure baseline, consider the following:


Decide who in your organization can implement changes, and define the rules for when to implement them.
Test all changes outside of a production environment before implementing them, to ensure continuity of business functions.
If you need to restart systems, schedule the changes for the time when they will have the least impact on the daily functioning of the business.
Ensure that you can undo the changes if problems occur. Even if changes are thoroughly tested, unexpected problems may occur in a production environment that require a rollback.
Document your changes so that you can troubleshoot problems. Problems that occur after you install a service pack may be related to the service pack. By documenting changes, you can investigate the source of the problems and also keep track of the latest version of the baseline.


Types of Security Updates


Security update          Description
Hotfix                   Fix for a single issue or a small number of issues; Microsoft performs limited testing only; can be combined by using QChain
Security rollup package  Multiple hotfixes packaged for easy installation
Service pack             Major update; cumulative set of previous updates; may contain previously unannounced fixes; may contain feature changes; Microsoft performs extensive testing

Key points

Microsoft and many other software companies supply updates when security problems in their products are discovered. An update that modifies software is sometimes referred to as a patch. Microsoft supplies the following types of software updates:

Hotfixes. Microsoft releases hotfixes for one or several issues. Microsoft tests hotfixes in a limited number of environments to ensure their speedy release. Although hotfixes generally do not cause problems, they do not receive the same level of testing as other updates, such as service packs.
Security rollup packages. These updates install several critical hotfixes in a single step. Security rollup packages undergo more thorough testing than hotfixes.
Service packs. These updates include all fixes that are available at the time of the service pack's release and all fixes that were included in previous service packs. Service packs undergo extensive testing by Microsoft.

Installing updates

When installing several updates, install the most recent service pack first. If a newer security rollup package is available, install it next. Finally, install any hotfixes that are required to maintain security.

Important Do not connect your computer to the Internet until you have completely secured the computer by installing updates and configuring security settings. Download any updates from a computer that you already secured and then copy them and apply them to computers that you have not secured.
To apply hotfixes to multiple computers, create a command file that starts each hotfix installation program with the command-line option -q. This option eliminates the need for user intervention. Run QChain.exe as the last command in the command file.


When you apply multiple hotfixes to a computer at one time, each hotfix may replace the same file with a different version. To ensure that you apply the latest version of a file, use the following procedure:
1. Run each hotfix installation program by using the command-line option -z, so that the installation program does not restart the computer.
2. Run QChain.exe to reorder the files that are updated when the computer restarts.
3. Restart the computer manually.
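An added example (not part of the original course material or of Knowledge Base article Q296861) of the command file described above: each hotfix installer runs with -q and -z, QChain.exe runs last, and the restart is left to the administrator. The folder C:\Hotfixes and the package file names are placeholders; substitute the real Qnnnnnn package names for your platform.

```batch
@echo off
rem Added example, not part of the original course material.
rem Installs several hotfixes with a single restart: -q runs each installer
rem without prompting, -z stops it from restarting the computer, and
rem QChain.exe runs last so that the newest version of every replaced file
rem is the one put in place at the next restart.
rem Assumptions: the packages and QChain.exe were copied to C:\Hotfixes from a
rem computer that is already secured; the Q000001... names are placeholders.
setlocal
set FIXES=C:\Hotfixes
set LOG=%FIXES%\install-%COMPUTERNAME%.log

echo %DATE% %TIME% Starting hotfix installation on %COMPUTERNAME% >> "%LOG%"

rem Install the newest service pack and any rollup package first, by hand;
rem hotfixes come last, as the installation order above recommends.
for %%F in (
    "%FIXES%\Q000001_W2K_SP3_x86_EN.exe"
    "%FIXES%\Q000002_W2K_SP3_x86_EN.exe"
    "%FIXES%\Q000003_W2K_SP3_x86_EN.exe"
) do (
    echo Installing %%~nF >> "%LOG%"
    rem start /wait keeps the next installer from starting until this one exits
    start /wait "" %%F -q -z
    if errorlevel 1 echo   %%~nF returned a non-zero exit code >> "%LOG%"
)

rem Must be the last command before the restart.
"%FIXES%\QChain.exe" >> "%LOG%"

echo %DATE% %TIME% Hotfixes staged; restart the computer to complete >> "%LOG%"
rem Step 3 of the procedure: restart manually after confirming the log
rem contains no errors.
endlocal
```

Keep the log with the change documentation for the computer: it records which packages were applied and when, which is what you need if a problem appears after the restart.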

Additional information

For more information about the latest service packs and security rollup packages that are available for Microsoft products, see the Top Security Service Packs and Security Rollup Packs Web site, at http://www.microsoft.com/technet/security/tpsrvpck.asp. For more information about QChain, see the Knowledge Base article, Q296861, Use QChain.exe to Install Multiple Hotfixes with Only One Reboot. For information about the availability of updates and how to download them, see the product page for the product you want to update on the Microsoft Corporation Web site at http://www.microsoft.com.


Guidelines for Deploying Security Updates


Stay informed about available updates:
Microsoft Security Bulletins
Mailing lists
Security announcements from other vendors
Apply only critical updates
Test updates before applying them
Document updates

Key points

Use the following guidelines to deploy security updates:


Stay informed about available updates. Important sources for information about security updates include the Microsoft Security Bulletin Notification list, Microsoft product newsgroups, and third-party e-mail lists and security mailing lists.
Apply only critical updates. Apply updates only if they pertain to problems that you are experiencing or if they fix a critical problem. Microsoft Security Bulletins classify the severity of vulnerabilities. After reading a Security Bulletin, assess the severity in your environment. For example, the severity assessment will be different for a Web server that is connected to the intranet than for one that is connected to the Internet. Security rollup packages and service packs contain enough critical fixes to serious vulnerabilities to warrant installation on all computers.

Additional information

For information about security updates for Microsoft products, subscribe to the Microsoft Security Bulletin Notification list at http://www.microsoft.com/technet/security/bulletin/notify.asp.


What is Windows Automatic Updates?


Microsoft Windows Automatic Updates is a Windows component that downloads and installs updates to client computers
Included in Windows 2000, Service Pack 3
Included in Windows XP, Service Pack 1
Available for separate installation

Key points

Windows Automatic Updates is a feature of Windows 2000 and Windows XP that automatically downloads security updates to client computers. It is included with Windows 2000 Service Pack 3, Windows XP Service Pack 1, and the Windows .NET Server family.

You can configure Windows Automatic Updates to automatically download new critical updates to your computer for later installation. You can also configure Windows Automatic Updates to automatically install the updates or to prompt you to install the updates. Use Automatic Updates in Control Panel to configure Windows Automatic Updates. To configure administrative options, such as download locations and install times, add the wuau.adm administrative template to Group Policy. You can then configure settings under Computer Configuration\Administrative Templates\Windows Components\Windows Update.

Additional information

If you are running an earlier version of Windows 2000 or Windows XP, you can download Windows Automatic Updates as a separate component at http://www.microsoft.com/windows2000/downloads/recommended/susclient/default.asp.


What Is Microsoft Software Update Services?


Microsoft Software Update Services (SUS) is a Windows component that manages Windows security updates
Requires Windows 2000 Server
Cannot be installed on a domain controller
Can be configured to download updates from Microsoft
Requires administrator approval to make updates available to clients

Key points

Many organizations do not want users to download and install updates without testing and approving the updates first. When you use Microsoft Software Update Services (SUS) to apply updates, a server downloads available updates from the Microsoft Web site. After administrator approval, updates become available to other computers on your network. Be sure to test an update thoroughly before approving it. You can use SUS to deploy critical updates to servers running Windows 2000 and client computers running Windows 2000 Professional or Windows XP Professional.
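An added example (not part of the original course material) that ties the Automatic Updates configuration from the previous topic to SUS: it writes the same policy values that the wuau.adm template exposes under Computer Configuration\Administrative Templates\Windows Components\Windows Update, so that a client downloads only the updates an administrator has approved on the SUS server. The server name http://sus01.contoso.com is a placeholder, and the reg.exe syntax is that of Windows XP (on Windows 2000, use the Support Tools reg.exe or a .reg file); in a domain, applying the template through Group Policy is the preferred way to set these values.

```batch
@echo off
rem Added example, not part of the original course material.
rem Points the Automatic Updates client at an SUS server by setting the
rem registry values that the wuau.adm Group Policy template controls.
rem Assumptions: http://sus01.contoso.com is a placeholder for your SUS
rem server; run on the client as an administrator.
setlocal
set SUSSERVER=http://sus01.contoso.com
set WU=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

rem Where to get updates and where to report status: the SUS server for both.
reg add %WU% /v WUServer /t REG_SZ /d %SUSSERVER% /f
reg add %WU% /v WUStatusServer /t REG_SZ /d %SUSSERVER% /f

rem Use that server instead of the public Windows Update site.
reg add %WU%\AU /v UseWUServer /t REG_DWORD /d 1 /f

rem AUOptions: 2 = notify before download, 3 = download, then notify before
rem install, 4 = download and install on the schedule below. Servers are
rem usually set to 3 so that an administrator controls when the restart happens.
reg add %WU%\AU /v NoAutoUpdate /t REG_DWORD /d 0 /f
reg add %WU%\AU /v AUOptions /t REG_DWORD /d 4 /f

rem Schedule, used only with AUOptions = 4: day 0 = every day, 1 = Sunday
rem through 7 = Saturday; time is the hour in 24-hour local time.
reg add %WU%\AU /v ScheduledInstallDay /t REG_DWORD /d 0 /f
reg add %WU%\AU /v ScheduledInstallTime /t REG_DWORD /d 3 /f

rem Show the result so the settings can be verified.
reg query %WU% /s
endlocal
```

Because the client installs whatever the server offers, the approval step on the SUS server is where testing happens: approve an update only after it has been applied to a test computer that matches the baseline.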

Additional information

For more information about SUS or to download SUS, see the Microsoft Software Update Services Web site at http://www.microsoft.com/windows2000/windowsupdate/sus/default.asp.


Multimedia: Microsoft Software Update Services


Instructions

This animation provides an overview of the core features, functionality, and benefits of using Software Update Services.


Assessment: Maintaining a Secure Baseline

Did you understand this lesson?

Complete the assessment question to confirm it.


Multiple choice

1. You have decided to use Software Update Services (SUS) in your organization. Which of the following tasks must you perform? Choose all that apply.
a. Install SUS on a computer running Windows 2000 Server.
b. Approve updates that are downloaded from the Windows Update site.
c. Assign updates to client computers.
d. Install the Automatic Updates feature on all client computers that are running Windows 2000 with Service Pack 3 or Windows XP with Service Pack 1.
e. Configure client computers to automatically install updates from a server running SUS.


Lab A: Establishing and Maintaining Baseline Security


Exercise 1: Creating and Applying Security Templates
Exercise 2: Monitoring Baseline Security by Using Security Configuration and Analysis
Exercise 3: Managing Hotfix Installations by Using HfNetChk and QChain
Exercise 4: Using Microsoft Software Update Services


Module 4: Securing Information Using Access Control and Authentication

Contents
Overview
Lesson: Introduction to Access Control
Assessment
Lesson: Implementing an Authentication Strategy
Assessment
Lesson: Implementing an Access Control Strategy
Assessment
Lab A: Securing Accounts (MBSA)


Overview

Introduction to Access Control
Implementing an Authentication Strategy
Implementing an Access Control Strategy

Introduction
In this module, you will learn about strategies for controlling how users access computer resources. You will use single-factor and multifactor authentication protocols to verify the identity of users. You will then apply an access control model to enforce how authenticated users can access computer resources on your network.

Objectives
After completing this module, you will be able to:
Describe the process of access control.
Develop a strategy for authenticating users.
Develop a strategy for controlling user access to resources on your network.


Lesson: Introduction to Access Control

What Is Access Control?
Why Is Access Control Necessary?
The Principle of Least Privilege
Password-Based and User-Based Access Control
User Rights and Permissions

Introduction
This lesson defines access control and explains its importance in protecting network resources. You will learn strategies for granting the appropriate level of user permissions, the types of access control, and the difference between rights and permissions.

Lesson objectives
After completing this lesson, you will be able to:
Describe authorization, authentication, and access control.
Explain the importance of access control in protecting network resources.
Explain the principle of least privilege.
Identify the differences between user-based and password-based access control.
Identify the differences between user rights and permissions.


What Is Access Control?

Authentication is the process of verifying the identity of something or someone (the user really is John Doe).
Authorization is the process of determining whether something or someone has permission to access a resource (John Doe has permission to access this resource).
Access control is the model for implementing authorization (John Doe needs permission to access this resource).

Key points
Access control is the process of authorizing users or groups to access objects, such as files or printers, on the network. Network security is based on two fundamental concepts, authentication and authorization, and access control is the specific model for implementing authorization:

Authentication. The process of verifying the identity of something or someone. Authentication usually involves a user name and a password, but it can use any method of demonstrating identity, such as a smart card, a retina scan, voice recognition, or a fingerprint.
Authorization. The process of determining whether an identified user is permitted to access the resource and what level of access is appropriate for that user. The owner of a resource, or an administrator, decides which users and groups may access it, for example by checking whether the user belongs to a predetermined group or holds a certain level of security clearance, and records that decision by setting permissions on the resource.

Additional reading

For more information about access control, see Authorization under Additional Reading on the Web page on the Student Materials CD.


Why Is Access Control Necessary?

To enable authorized users to access the resources that they need to do their jobs
To prevent unauthorized users from accessing resources


Key points
Users in an organization require access to specific resources to accomplish their work. However, giving users unlimited access to system and network resources may compromise network security and stability. To balance these needs, access control:

Enables authorized users to access the resources that they require.
Prevents unauthorized users from accessing resources.

Access control enforces the security of the organization and helps maintain network stability. For example, employees in the Accounting department may need to view, but not create or modify, certain Personnel department files. The Personnel department uses access control to define which users have read access, write and modify access, or no access to the files. By assigning read access, the Personnel department provides accounting personnel with the resources that they need without allowing changes to important files.


The Principle of Least Privilege

Provide users with the minimum privileges needed to accomplish the tasks they are authorized to perform.

Diagram: four managers and two HR databases. The Eastern HR Manager has Change access to HR Database (East) and Read access to HR Database (West); the Western HR Manager has Change access to HR Database (West) and Read access to HR Database (East); the Corporate HR Manager has Change access to both databases; the Payroll Manager has Read access to both databases.

Key points
The principle of least privilege states that you should provide users with the level of privilege necessary to perform their jobs, and no more. When the privileges a job does not need are never granted, an attacker who compromises that account cannot use extraneous privileges to circumvent network security. For example, regional managers may require Change permissions on their own human resources databases but only Read access to the databases of other regions. A corporate human resources manager may require Change permissions on all databases, whereas a payroll manager may require only Read access to the same databases.

Another type of least privilege is self-imposed. A network administrator may choose to use an ordinary, non-administrative user account for everyday tasks and use an administrator account only to perform administration tasks. In either situation, you limit the potential scope and damage of an attack.

Additional reading
For more information about the principle of least privilege, see the white papers Principle of Least Privilege and Secure Infrastructure Design under Additional Reading on the Web page on the Student Materials CD.


Password-Based and User-Based Access Control

Password-based access control:
Only uses a password to access a resource
Does not require that users verify their identity
Requires that each resource have a password
Requires users to remember multiple passwords
Enables multiple users to use the same password to access the resource

User-based access control:
Enables administrators to administer users and access control from a centralized location
Requires that users verify their identity
Does not require users to remember multiple passwords
Requires an account for every user
Enables administrators to apply permissions to user accounts directly
Can be used to grant user rights

Key points
One way to control access to resources is to determine whether a user possesses the appropriate password, regardless of the user's identity. Another method is to base access control on individual user accounts. The two types of access control are:

Password-based access control. You can protect a shared resource on a computer by requiring a password. Anyone who has that password can access the files, and the system never learns who that person is. Password-based access control is a weak form of security, but it is convenient in an environment without user accounts.
User-based access control. This approach controls access through user rights and permissions. You can protect individual files based on user accounts. The system authenticates users when they log on and issues each of them an access token that carries their user and group identity; the token is presented whenever they access a network resource and is compared with the permissions on that resource. User-based access control offers a centralized way to give individuals specific access to resources, but you must maintain an individual account for every user.


User Rights and Permissions

User rights authorize users to perform system-wide actions, such as logging on to a system interactively or backing up files and directories. Example: the right to back up a system file.
Permissions are rules associated with an object, such as a file or printer, that determine what type of access the user is allowed. Example: the permission to access a printer.

Key points
In a user-based access control model, you authorize users to exercise specific rights and permissions. A right is the ability to perform a task. A permission is the ability to access a resource. The differences are:

User rights. Apply to user accounts and define what those accounts may do on a given computer. There are two types of user rights: privileges, such as the right to back up files and directories, and logon rights, such as the right to log on to a system locally.
Permissions. Are attached to objects and define the type of access that the user may have to a resource, such as a file system, a network share, or a shared printer.

Although user rights and permissions can apply to individual user accounts, you can administer them by using group accounts. A user who logs on as a member of a group automatically receives the rights and permissions that are associated with that group.

Additional reading
For more information about user rights and permissions, see the article Introduction to User Rights under Additional Reading on the Web page on the Student Materials CD.


Practice: Configuring Permissions in Windows 2000

Given the scenario, set the appropriate permission settings.
Discuss your answers as a class.

Diagram: three folders, Level 1 Projects, Level 2 Projects, and Level 3 Projects.

Instructions
Given the following scenario, set the appropriate permission settings and then discuss your answers as a class.

Scenario: As an administrator, you are responsible for the security of three new project teams. The teams are divided into three levels, based on the sensitivity of the information. Secure these resources so that:
Each user in the Northwest region who is assigned to a project has Full Control of that project's files.
Each user and her team members who are assigned to a project must have Read access to the project that immediately precedes or follows it.
No other users in the Northwest region may access any of the files in the folders.
The only existing groups are the default groups and the Northwest region group, which includes all users in the Northwest region, including users who will not require access to the projects. The folders are created with the default permissions in Microsoft Windows 2000.

You already created the folder structure that you need to secure, and you identified the users for each category. What steps would you need to follow to be able to secure these projects?

Answer (discussion questions are inline). Proper steps to follow:


1. Create a group for each level: Level 1, Level 2, and Level 3.

Question: How do you ensure that the other users from the Northwest region cannot access the files?

2. Remove the default Everyone: Full Control permission from the project folders. By default, the Everyone group has Full Control of new folders, inherited from the parent. If the project folders were created beneath a common parent folder, you can remove the Everyone entry from that parent folder and inheritance removes it from the project folders as well; otherwise, block inheritance on each project folder and remove the entry there.

3. Assign Full Control to each group on the project folders that the group is working on:
Level 1: Level 1 Project folders, Full Control
Level 2: Level 2 Project folders, Full Control
Level 3: Level 3 Project folders, Full Control

4. Assign Read permissions on the adjacent projects. Level 1 needs Read access only to the next level, Level 2; Level 2 needs Read access to the level above and the level below it, Levels 1 and 3; Level 3 needs Read access only to Level 2:
Level 1: Level 2 Project folders, Read
Level 2: Level 1 Project folders, Read
Level 2: Level 3 Project folders, Read
Level 3: Level 2 Project folders, Read

5. Add the appropriate users to each of the groups.

Question: Why do you add the users to the groups as the last step?
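As an added example that is not part of the course, the following PowerShell script carries out steps 2 through 4 of the answer with the .NET file system access control classes. It assumes, hypothetically, that the three folders live under D:\Projects, that the groups created in step 1 are named Level 1, Level 2 and Level 3 in a domain called CONTOSO, and that BUILTIN\Administrators should keep Full Control so the folders remain manageable; the scenario specifies none of these. The Read access in the answer is granted as Read & Execute so that team members can also open subfolders and run files they are allowed to read.

```powershell
# Added example (not course material): apply the practice answer with PowerShell.
# Hypothetical paths, domain and group names; adjust to your environment.
$root   = 'D:\Projects'
$domain = 'CONTOSO'
$folders = @{
    1 = Join-Path $root 'Level 1 Projects'
    2 = Join-Path $root 'Level 2 Projects'
    3 = Join-Path $root 'Level 3 Projects'
}

function New-Ace {
    param([string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights)
    # Inherit to subfolders and files so that new project files receive the same access
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
}

foreach ($level in 1..3) {
    $path = $folders[$level]
    $acl  = Get-Acl -Path $path

    # Step 2: stop inheriting from the parent and drop the inherited Everyone: Full Control.
    # SetAccessRuleProtection($true, $false) protects the ACL and discards inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    # Also remove any explicit Everyone entry that may already exist on the folder
    $everyone = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq 'Everyone' -and -not $_.IsInherited })
    foreach ($rule in $everyone) { [void]$acl.RemoveAccessRule($rule) }

    # Step 3: the team working at this level gets Full Control
    $acl.AddAccessRule((New-Ace "$domain\Level $level" 'FullControl'))

    # Step 4: the immediately preceding and following levels get Read (& Execute) only
    foreach ($adjacent in @($level - 1, $level + 1) | Where-Object { $_ -ge 1 -and $_ -le 3 }) {
        $acl.AddAccessRule((New-Ace "$domain\Level $adjacent" 'ReadAndExecute'))
    }

    # Assumption: administrators keep Full Control so nobody is locked out of managing the folders
    $acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl'))

    Set-Acl -Path $path -AclObject $acl
    Write-Host "Configured permissions on $path"
}

# Step 5 is deliberately last: members are added only after the ACLs are in place, so no
# user ever holds the default Everyone: Full Control window. Example for one hypothetical user:
# Add-ADGroupMember -Identity 'Level 1' -Members 'jdoe'
```

Running Get-Acl on each folder afterwards should show exactly the entries added here and no Everyone entry; if an Everyone entry is still present and marked as inherited, the call to Set-Acl did not apply the protection, which usually means the caller lacks the right to change permissions on that folder.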


Assessment

Did you understand this lesson?

Complete these assessment questions to confirm it.

You want to protect organizational assets from intrusion, but grant employees access to the necessary resources on the network and specific rights on their computers. You want your solution to be centrally managed and to provide specific types of access to employees.

1. Which would you implement to provide this?
A. Implement an access control system that enables you to assign to user accounts the permissions and privileges that they require to do their jobs.
B. Implement an access control strategy that uses passwords to access all of the resources. Give each resource a separate password and provide these passwords to the employees.
C. Implement an access control strategy that uses passwords to access all of the resources. Use the same password for all of the resources to simplify management and provide the password to the employees that require access.
Answer:


Lesson: Implementing an Authentication Strategy

Common Windows Authentication Protocols
Using Passwords to Provide Single-Factor Authentication
Guidelines for Implementing and Enforcing Password Policies
Using Multifactor Authentication Methods
Guidelines for Implementing Authentication
Guidelines for Auditing Authentication

Introduction
This lesson describes how Windows operating systems verify user identity by using passwords, smart cards, biometrics, or combinations of these methods. It concludes with guidelines for implementing, enforcing, and auditing user authentication.

Lesson objectives
After completing this lesson, you will be able to:
Describe common Windows authentication protocols.
Describe the use of passwords to provide single-factor authentication.
Explain guidelines for implementing and enforcing a password policy.
Explain how multifactor authentication methods secure the authentication process.
Apply guidelines for implementing user authentication.
Apply guidelines for auditing user authentication.


Common Windows Authentication Protocols

Requirement: Speed
NTLM: Slower authentication because of pass-through authentication
Kerberos: Faster authentication because of its ticketing system

Requirement: Smart cards
NTLM: No support for smart-card logon
Kerberos: Support for smart-card logon

Requirement: Documentation
NTLM: Proprietary Microsoft standard, poorly documented
Kerberos: Open standard, fully documented

Requirement: Data protection
NTLM: No protection for access control data carried in NTLM messages
Kerberos: Cryptographic protection for access control data carried in Kerberos tickets

Requirement: Compatibility
NTLM: Only compatible with Microsoft networks
Kerberos: Compatible with other networks implementing Kerberos

Requirement: Operating system compatibility
NTLM: Provides compatibility for Windows operating systems prior to Windows 2000
Kerberos: Must be in a Windows 2000 domain

Key points
Authenticating the identity of users, computers, or services is an important step in securing a network environment. Windows uses two primary authentication protocols: NTLM and Kerberos.

NTLM protocol. NTLM uses a challenge-response mechanism to authenticate users and computers running Windows Me and earlier, and computers running Windows 2000 that are not part of an Active Directory domain. In a domain, Windows validates the credentials by using the Net Logon service to pass the challenge and response through to a domain controller, which checks them against the Security Accounts Manager (SAM) database. Windows 2000 and Windows XP Professional support the following three variants of challenge-response authentication:
LAN Manager (LM). The least secure variant. The LM hash is derived from the password converted to uppercase and split into two 7-character halves, so responses captured by eavesdropping on the network are easy to crack offline.
NTLM version 1. More secure than LM because it is computed from the case-sensitive NT hash, but captured responses can still be cracked offline.
NTLM version 2. The most secure variant. It adds a client challenge to the response and NTLMv2 session security, which provides integrity and confidentiality protection for the session that follows authentication.

Kerberos version 5 authentication protocol. As the default authentication protocol for Windows 2000 and Windows XP Professional, the Kerberos version 5 protocol is designed to be more secure and scalable across large, diverse networks. It is more flexible and efficient than NTLM. It provides faster connections, mutual authentication, delegated authentication, simplified trust management, and interoperability. Kerberos version 5 uses secret key encryption to protect logon credentials that travel across the network. The Active Directory directory service domain controller maintains user account and logon information to support the Kerberos service. Both the domain controllers and the client computers must be running Windows 2000 or later.


Additional Reading

For more information about NTLM, see the Knowledge Base article Q147706, How to Disable LM Authentication on Windows NT and Microsoft NTLM, under Additional Reading on the Web page on the Student Materials CD. For more information about Kerberos, see the article, Kerberos Explained, under Additional Reading on the Web page on the Student Materials CD or view the animation, How Kerberos Works, under Media on the Web page on the Student Materials CD.


Using Passwords to Provide Single-Factor Authentication

Diagram: a user presents the password P@$$w0rD (single-factor authentication) to gain access to a resource.

Passwords or PINs are the simplest but least secure method of authenticating users
Passwords provide users with access to all of the resources to which they have been granted authorization
Compromised passwords compromise all associated resources
Passwords may be stored on the local system, providing hackers an opportunity to steal passwords
Key points
Single-factor authentication is any authentication method that requires the user to supply only one form of identification, such as a password, a PIN, a biometric measurement, or an ID card. Passwords are the most common type of single-factor authentication. A password provides a user with access to all of the resources to which that user has been granted authorization, so when a password is compromised, every resource associated with the account is also compromised. Users often use the same password on multiple systems to make it easier to remember. If they use a strong password on a weakly protected system, the password may be stolen from that system and used to access other systems that use the same account name and password.

Use passwords carefully to ensure security. By implementing the following recommendations, and educating users in your organization to do the same, you help protect user passwords:

Never write down your password.
Never share your password with anyone.
Never use your network logon password for another purpose.
Use different passwords for your network logon and the Administrator account on your computer.
Change your network password every 60 to 90 days, or as often as your environment requires.
Change your password immediately if you suspect that it has been compromised.


Guidelines for Implementing and Enforcing Password Policies

When implementing a password policy:
Educate users about password requirements in the organization
Advise users not to use easily discovered personal information in passwords

When enforcing a password policy:
Consider the users' ability to remember complex passwords that change frequently
Use Group Policy to enforce password policies that control:
Password history
Maximum password age
Minimum password length
Complexity requirements

Key points
Authentication is your first defense against intruders. A weak password policy invalidates the security that firewalls, encryption, and other measures provide. You defend against this vulnerability by implementing a password policy and educating users about the policy. Although you can enforce strong passwords through Group Policy in Windows 2000 Active Directory, employee education is the only way to keep users from writing down passwords or using discoverable personal information in passwords.

Group Policy allows administrators to enforce strong passwords and safe logon policies at the domain level. Note that the password policy for domain accounts is read only from Group Policy objects linked at the domain level (by default, the Default Domain Policy); the same settings in a GPO linked to an organizational unit affect only the local accounts on the computers in that OU. Because you can apply Active Directory policies at different levels of the domain hierarchy, set important domain-wide security policies to No Override so that lower-level organizational units cannot override them. A good password policy includes the following controls:

Control: Enforce password history
Defines: How many previous passwords are remembered, so that users cannot reuse old passwords

Control: Maximum password age
Defines: How long a password may be used before the user must change it

Control: Minimum password age
Defines: How long users must wait between password changes, which stops them from cycling through the history list to return to a favorite password

Control: Minimum password length
Defines: How long user passwords must be. If the required length is too long, users may write passwords on paper

Control: Passwords must meet complexity requirements
Defines: Whether users must use a combination of uppercase and lowercase letters, digits, and special characters in their passwords
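The Passwords must meet complexity requirements control enforces a specific rule set: the password may not contain the user's account name or any part of the full name longer than two characters, must be at least six characters long, and must contain characters from three of the four categories uppercase letters, lowercase letters, digits, and non-alphanumeric symbols. The PowerShell function below is an added example, not part of the course, that applies those rules (plus a configurable minimum length, which the separate Minimum password length control supplies in practice) to a few constructed sample passwords for a hypothetical user jdoe, John Doe. It shows why the complexity filter is a floor and not a guarantee: P@$$w0rD and Summer02 satisfy every rule yet are predictable.

```powershell
# Added example (not course material): the rule set behind
# "Passwords must meet complexity requirements", applied to constructed samples.

function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$AccountName = '',
        [string]$FullName = '',
        [int]$MinimumLength = 8   # supplied by the Minimum password length control; the filter itself requires 6
    )
    $reasons = @()

    if ($Password.Length -lt $MinimumLength) {
        $reasons += "shorter than $MinimumLength characters"
    }

    # The account name may not appear anywhere in the password (case-insensitive)
    if ($AccountName -and $Password.ToLower().Contains($AccountName.ToLower())) {
        $reasons += 'contains the account name'
    }

    # The full name is split on the delimiters the filter uses; parts of three or more characters count
    foreach ($part in ($FullName -split '[,.\- _#\t]' | Where-Object { $_.Length -ge 3 })) {
        if ($Password.ToLower().Contains($part.ToLower())) {
            $reasons += "contains part of the full name ($part)"
            break
        }
    }

    # Characters from at least three of the four categories are required
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }
    if ($Password -cmatch '[a-z]')        { $categories++ }
    if ($Password -match  '[0-9]')        { $categories++ }
    if ($Password -match  '[^A-Za-z0-9]') { $categories++ }
    if ($categories -lt 3) {
        $reasons += "uses only $categories of the 4 character categories (3 required)"
    }

    [pscustomobject]@{
        Password = $Password
        Passes   = ($reasons.Count -eq 0)
        Reasons  = ($reasons -join '; ')
    }
}

# Constructed sample passwords for the hypothetical user jdoe (full name John Doe)
$samples = 'P@$$w0rD', 'password', 'JohnDoe2002', 'Doe!Doe!Doe', 'Summer02', 'xK9#pq2L'
$samples | ForEach-Object {
    Test-PasswordComplexity -Password $_ -AccountName 'jdoe' -FullName 'John Doe'
} | Format-Table -AutoSize
```

In the sample run, password fails on categories, JohnDoe2002 and Doe!Doe!Doe fail because they contain a part of the full name, and the other three pass; the filter cannot tell that P@$$w0rD is a common substitution pattern or that Summer02 is a season and a year, which is why the user education in these guidelines matters as much as the Group Policy setting.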


Using Multifactor Authentication Methods

Diagram: a user presents the password P@$$w0rD together with a second factor (multifactor authentication) to gain access to a resource.

Single-factor authentication:
Uses a single form of identification, typically based on a password or PIN

Multifactor authentication:
Combines multiple forms of identification to provide more secure authentication
May be based on:
What you know: password or PIN
What you have: smart card
Who you are: biometrics, such as a thumbprint or iris scan

Key points
Multifactor authentication requires the user to supply at least two different kinds of evidence of identity. Typically, this combines something that the user knows, such as a password or PIN, with something that the user has, such as a smart card, or something that the user is, such as a fingerprint. Because an attacker must obtain both factors, a stolen or guessed password alone no longer grants access, and a successful authentication is stronger evidence that the specific person was present at the time of the transaction. In a high-security environment, authentication systems may combine a public key infrastructure (PKI) and a smart card with a biometric feature, such as an iris pattern, voice, fingerprint, or handwritten signature.

Additional reading
For more information about multifactor authentication, see the article It Takes Three under Additional Reading on the Web page on the Student Materials CD.


Guidelines for Implementing Authentication

Authentication requirement: Highest level of authentication security
Protocol: Kerberos

Authentication requirement: Backward compatibility with operating systems prior to Windows 2000
Protocol: NTLM

Authentication requirement: Windows 2000 in a non-Active Directory environment
Protocol: NTLM

Disable unnecessary variants of NTLM by setting the LAN Manager Authentication Level security option in the policy for the computer or the domain.

Key points
Whether you choose NTLM or Kerberos to authenticate computers and users depends on the following factors:

NTLM. Use NTLM when you require backward compatibility with computers running Windows Me and earlier, or with Windows 2000 in a non-Active Directory environment.
Kerberos version 5. Use the Kerberos version 5 protocol when you require the highest level of authentication security and compatibility with Kerberos systems running on any platform.

Guidelines
When using NTLM, disable unnecessary or less secure variants of NTLM by setting the LAN Manager Authentication Level security option in the policy for the computer or the domain. Raise the level in stages and watch for authentication failures from older clients before moving to the most restrictive setting.
If you have no clients that require LAN Manager authentication, disable the storage of LAN Manager hashes. Windows 2000 Service Pack 2 provides a registry setting for this. The LM hash already stored for an account is removed only when that account's password is next changed, so require a password change after you enable the setting.

Additional reading
For more information about NTLM, see the Knowledge Base article Q147706, How to Disable LM Authentication on Windows NT. For more information about when Windows 2000 uses NTLM, see the article Access Denied: Knowing When Win2K Uses NTLM Rather Than Kerberos Authentication under Additional Reading on the Web page on the Student Materials CD.


Practice: Identifying Weaknesses in Authentication Methods


Teresa, we plan to build this interactivity in the new Hack Attack template. Students will explore weaknesses in several passwords by clicking on a list of passwords and discovering how long it would take to crack. The students will also read an explanation of why each password is strong or weak. If we run out of time, it is okay to drop this practice.

Instructions


Guidelines for Auditing Authentication



When auditing authentication:
Audit account logon events
Audit account management
Audit logon events
Shut down the system immediately if you are unable to log security audits
Monitoring logon attempts and account management activity may help you to identify unauthorized attempts to log on

Key points
You can identify unauthorized attempts to access your network by monitoring logon attempts and account management activity. Use one or more of the following audit policy options to monitor these activities:

Audit account logon events. Use this option to track logon attempts that occur on remote computers. For example, by enabling success auditing for account logon events on a domain controller, you will log every user who is validated by the domain controller.
Audit account management. Configure this option to monitor when a user account or group is created, changed, deleted, renamed, disabled, or enabled. You can also monitor when a password is set or changed.
Audit logon events. Use this option to audit each instance of a user logging on, logging off, or making a network connection to a computer. Be sure to audit for failure to help detect unauthorized attempts to access accounts.
Shut down the system immediately if unable to log security audits. Typically, when a log fills, new events are written over the older entries. Attackers often mask their activities by filling the log so that the entries recording their actions are overwritten after they attack a system. Use this policy to shut down the system if a security audit cannot be logged.
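As an added illustration (not from the course), the following Python runs the monitoring the key points describe over a handful of constructed audit records: it flags an account whose successful logon follows a run of failed logons, and lists account-management events that add a member to a sensitive group. The pipe-separated record layout, account names and event wording are invented for the example and are not Windows 2000 event-log output.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a simple pipe-separated layout:
# timestamp|audit category|outcome|account|computer|detail
# The categories are the audit policy options above; the lines are illustrative
# and do not reproduce real Windows 2000 event-log output.
SAMPLE_LOG = """\
2002-06-03T08:59:50|logon|failure|ginger|WKS01|bad password
2002-06-03T08:59:52|logon|failure|ginger|WKS01|bad password
2002-06-03T08:59:53|logon|failure|ginger|WKS01|bad password
2002-06-03T08:59:55|logon|failure|ginger|WKS01|bad password
2002-06-03T08:59:58|logon|failure|ginger|WKS01|bad password
2002-06-03T09:00:01|logon|success|ginger|WKS01|interactive logon
2002-06-03T09:10:12|logon|failure|sally|WKS02|bad password
2002-06-03T09:10:40|logon|success|sally|WKS02|interactive logon
2002-06-03T09:15:00|account_management|success|ginger|DC01|created account svc_backup
2002-06-03T09:15:05|account_management|success|ginger|DC01|added svc_backup to group Administrators
2002-06-03T09:20:00|account_logon|success|sally|DC01|validated by domain controller
"""

FIELDS = ("time", "category", "outcome", "account", "computer", "detail")


def parse_log(text):
    """Turn the pipe-separated lines into dicts with a datetime under 'time'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split("|", len(FIELDS) - 1)))
        rec["time"] = datetime.fromisoformat(rec["time"])
        records.append(rec)
    return records


def guessed_passwords(records, threshold=5, window=timedelta(minutes=5)):
    """Accounts where at least `threshold` failed logons within `window` are followed
    by a success: the footprint of a password that was guessed rather than known.
    Returns (account, failures counted, time of the success) per hit."""
    failures = defaultdict(list)
    hits = []
    for r in records:
        if r["category"] != "logon":
            continue
        acct = r["account"]
        if r["outcome"] == "failure":
            failures[acct].append(r["time"])
            continue
        recent = [t for t in failures[acct] if r["time"] - t <= window]
        if len(recent) >= threshold:
            hits.append((acct, len(recent), r["time"].isoformat()))
        failures[acct].clear()   # a success ends the streak either way
    return hits


def sensitive_group_changes(records, groups=("Administrators", "Domain Admins")):
    """Account-management events that add a member to a sensitive group."""
    return [(r["account"], r["detail"]) for r in records
            if r["category"] == "account_management"
            and any(r["detail"].endswith(f"to group {g}") for g in groups)]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(guessed_passwords(recs))
    print(sensitive_group_changes(recs))
```

Sally's single mistyped password stays below the threshold, while Ginger's five failures inside eleven seconds followed by a success are reported. Both checks depend on failure auditing being enabled, which is why the logon-events guideline insists on it.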


Assessment

Did you understand this lesson?

Complete these assessment questions to confirm it.

As the network security administrator, it is your responsibility to secure access to the building and the database in one of the labs. Only certain users require access to the inner labs. Each of those users has specific information that they require access to. Management requires access to the rest of the building during working hours. Although the building is secure, it does not require the same level of protection that the inner labs require. Implement a form of access control that will adequately protect the resources and yet provide ease of access to the authorized users and specific delineation of access to the different areas. Maintaining passwords or PINs has proven to be difficult because the users were writing the PINs down to remember them.

1. Which will provide the appropriate amount of protection while still providing relatively easy access?
A. Provide a PIN that all employees can use to access the building to ease administration, and provide another PIN that all employees can use to access all of the inner labs. Only provide that PIN to the employees that require access to the labs. Change the PINs annually.
B. Provide a separate PIN that each employee can use to access the building and use the same PIN for the inner labs. Set the PINs to expire weekly.
C. Provide a separate PIN to each employee that requires access to the building. Implement multifactor authentication to grant access to the inner labs and to provide access to only the labs that they require access to. Change the PINs every six weeks.
Answer:


Lesson: Implementing an Access Control Strategy


The Access Control Models
How an Operating System Enforces Access Control
Guidelines for Setting Rights and Permissions
Guidelines for Using Administrative Accounts
Demonstration: Using the Runas Command
Guidelines for Auditing the Use of Permissions and User Rights

Introduction
Developing an access control strategy can help you prevent common security vulnerabilities, such as inadequately protected resources or users with excessive rights and permissions. This lesson presents guidelines for implementing an effective access control strategy.

Lesson objectives
After completing this lesson, you will be able to:
Describe the different access control models.
Describe how the operating system helps enforce access control.
Implement user rights and permissions.
Explain guidelines for determining when to use administrative accounts.
Use the runas command to run programs as a different user.
Audit the use of user rights and permissions.


The Access Control Models


Discretionary Access Control (DAC)
Used by Windows to secure resources and objects
Based on a user's identity or group membership
File owners can change permissions for other users

Role-Based Access Control (RBAC)
Based on assigned roles a user is allowed to perform within an organization
File owners cannot change permissions for other users

Mandatory Access Control (MAC)
Appropriate for multilevel, secure military applications
Based on the sensitivity of the information and the formal authorization of users
File owners cannot change permissions for other users

Key points
An access control model defines a computer and network system's rules for user access to information resources. Access control models provide confidentiality, integrity, and accountability by supplying audit trails.

Discretionary Access Control (DAC). This method is used by Windows to secure resources and objects. DAC uses access control lists to restrict access to information based on a user's identity or group membership. DAC is discretionary because a file owner can change permissions on a file.
Role-based access control (RBAC). In this method, security is managed at a level that corresponds closely to the organization's structure. Authorization decisions are administered centrally, based on the roles of individuals in an organization. A system's security administrator grants or revokes system privileges based on a user's role. This model works well for corporations that have a large turnover of personnel. For example, all data entry clerks should have the same system access. You could create a data entry clerk role and then assign the users to it.
Mandatory Access Control (MAC). Used for multi-level secure military systems and highly sensitive information systems and networks, MAC stipulates that each object and subject have security classification tags that define clearance levels for specific operations. An operation is only permitted when a subject and object have complementary clearance levels for the requested operation.
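The two models that Windows does not use are easy to confuse, so here is an added Python example (mine, not the course's) of their decision rules: a small RBAC store in which personnel turnover is handled by assigning and revoking a role rather than editing per-user permissions, and a MAC label check in which only the security administrator sets labels. The MAC rules follow the Bell-LaPadula form (no read up, no write down), which the text does not name; the level names, compartments, roles and users are constructed for the example.

```python
from dataclasses import dataclass
from enum import IntEnum


class RBAC:
    """Role-based access control: permissions attach to roles, users are assigned
    roles, and both are administered centrally. File owners play no part."""

    def __init__(self):
        self.role_permissions = {}   # role -> set of (operation, resource)
        self.user_roles = {}         # user -> set of roles

    def grant(self, role, operation, resource):
        self.role_permissions.setdefault(role, set()).add((operation, resource))

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def permitted(self, user, operation, resource):
        return any((operation, resource) in self.role_permissions.get(role, set())
                   for role in self.user_roles.get(user, ()))


class Level(IntEnum):
    """Ordered sensitivity levels for the MAC example (constructed names)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """A MAC label: a level plus a set of compartments. Labels are assigned by the
    security administrator; there is deliberately no method for a subject to change one."""
    level: Level
    compartments: frozenset = frozenset()

    def dominates(self, other):
        return self.level >= other.level and self.compartments >= other.compartments


def mac_permitted(subject, obj, operation):
    """Multilevel rules in the Bell-LaPadula form (an assumption; the course text does
    not name a model): a subject may read only objects its clearance dominates
    (no read up) and may write only to objects that dominate its clearance (no write down)."""
    if operation == "read":
        return subject.dominates(obj)
    if operation == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown operation: {operation}")


if __name__ == "__main__":
    # Constructed RBAC scenario from the text: every data entry clerk gets the same
    # access, and turnover means assigning or revoking the role, not editing ACLs.
    rbac = RBAC()
    rbac.grant("data_entry_clerk", "write", "orders_db")
    rbac.assign("alice", "data_entry_clerk")
    print(rbac.permitted("alice", "write", "orders_db"))
    rbac.revoke("alice", "data_entry_clerk")
    rbac.assign("bob", "data_entry_clerk")
    print(rbac.permitted("alice", "write", "orders_db"), rbac.permitted("bob", "write", "orders_db"))

    analyst = Label(Level.SECRET, frozenset({"crypto"}))
    print(mac_permitted(analyst, Label(Level.CONFIDENTIAL), "read"))
    print(mac_permitted(analyst, Label(Level.TOP_SECRET), "read"))
    print(mac_permitted(analyst, Label(Level.SECRET, frozenset({"nuclear"})), "read"))
    print(mac_permitted(analyst, Label(Level.TOP_SECRET, frozenset({"crypto"})), "write"))
```

Note the compartment check: a SECRET analyst cleared for "crypto" cannot read a SECRET object tagged "nuclear" even though the levels match, which is what "formal authorization of users" on the slide means in practice.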

Additional reading

For more information about RBAC, see the articles Role-Based Access Control for the Web and Role-Based Access Controls under Additional Reading on the Web page on the Student Materials CD.


How an Operating System Enforces Access Control


DACL
Access Control Entries: User A: Full control; User B: Read access
As a file owner, User A may assign permissions to User B
(Diagram: User A and User B accessing a Resource; User B has Read access)


Key points

The operating system controls access to specific objects by using an Access Control List (ACL). Each object can have a DACL for assigning permissions, or a Security Access Control List (SACL) for auditing access to objects, such as folders or printers. Each DACL contains access control entries (ACEs), which specify access permissions to an object for users or groups of users. Permissions are cumulative in Windows 2000, as they are in Windows NT 4. If you grant a user Read permission, but the user belongs to a group with Write and Delete permission, the user's permissions become Read, Write, and Delete. For example:

1. Sally owns a folder that she wants to share with Ginger. After Sally uses Windows to assign Read permission to Ginger, an access control entry is made for Ginger with Read permission in the DACL for the folder.
2. When Ginger logs on, the system authenticates her and grants an access token that contains the security identifier (SID) of Ginger and of any groups that she is a member of.
3. When Ginger attempts to access the folder, the operating system compares the SID in the ACE with the SIDs in Ginger's access token. If they match, she is granted the appropriate level of access, which, in this case, means that she can read the files in the folder.


Guidelines for Setting Rights and Permissions


When setting permissions and rights:
Use groups instead of individual accounts
Review all permissions and rights for the Everyone and Authenticated Users groups
Use inheritance when possible to simplify administration of permissions
Be detailed in the assignment of permissions and rights


Key points

When setting rights and permissions, observe the principle of least privilege. When setting rights and permissions:

Use groups instead of individual accounts. The easiest way to administer a secure workgroup is to create new groups and assign permissions to the groups rather than to individual users. Later you can change individual user permissions by adding or removing users from groups.
Review all rights and permissions for the Everyone and Authenticated Users groups. Be sure to review the default permissions to restrict unnecessary access. Windows 2000 automatically assigns all users to the Everyone group and all validated users to the Authenticated Users group. The default permission in Windows 2000 is Everyone: Full Control, which includes individuals who use the Guest account.
Use inheritance when possible to simplify the administration of permissions. By default, any permissions that you assign to the parent folder are inherited by the subfolders and files in the parent folder. Inheritance simplifies administration when there is a collection of folders or files that require similar security.
Be detailed in the assignment of rights and permissions. Set permissions directly on the object and permit the least permissions that the user requires. Even if permissions are inherited, you can still assign explicit permissions to override the inherited ones.
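The Sally and Ginger walk-through on the previous page and the inheritance and review guidelines above can be run as code. The following Python is an added example (mine, not the course's and not Windows' own implementation) of a simplified DACL: allow entries for the user's SID and group SIDs accumulate, a deny entry blocks the rights it names, explicit entries precede inherited ones when a folder's DACL is resolved, and a review function reports objects that still give Everyone or Authenticated Users Full Control. The permission bits, folder tree and account SIDs are constructed; S-1-1-0 and S-1-5-11 are the real well-known SIDs of Everyone and Authenticated Users.

```python
from dataclasses import dataclass

# Permission bits, constructed for this example (real Windows access masks are wider).
READ, WRITE, DELETE = 1, 2, 4
FULL = READ | WRITE | DELETE

# Well-known Windows SIDs of the two groups the guidelines say to review.
EVERYONE = "S-1-1-0"
AUTHENTICATED_USERS = "S-1-5-11"


@dataclass(frozen=True)
class ACE:
    """Access control entry: a SID, a rights mask, allow or deny, and whether
    child objects inherit it."""
    sid: str
    rights: int
    allow: bool = True
    inheritable: bool = True


@dataclass(frozen=True)
class Token:
    """Access token built at logon: the user's SID plus the SID of every group."""
    user_sid: str
    group_sids: frozenset

    def sids(self):
        return {self.user_sid, *self.group_sids}


def effective_rights(dacl, token):
    """Walk the DACL in order. A right is granted by the first matching allow ACE and
    blocked by the first matching deny ACE. Allow ACEs for the user's own SID and for
    each group SID add up, which is why permissions are cumulative as the text says."""
    granted = denied = 0
    sids = token.sids()
    for ace in dacl:
        if ace.sid not in sids:
            continue
        if ace.allow:
            granted |= ace.rights & ~denied
        else:
            denied |= ace.rights & ~granted
    return granted


def access_check(dacl, token, requested):
    """True when every requested right is among the token's effective rights."""
    return effective_rights(dacl, token) & requested == requested


def _canonical(aces):
    """Within one level, deny entries are evaluated before allow entries."""
    aces = list(aces)
    return [a for a in aces if not a.allow] + [a for a in aces if a.allow]


def resolve_dacl(explicit, path):
    """DACL in force for `path`, given a mapping of path -> ACEs set explicitly there.
    Explicit ACEs come first, then inheritable ACEs from each ancestor, nearest first,
    so an explicit entry on the object overrides an inherited one."""
    dacl = _canonical(explicit.get(path, []))
    parts = path.strip("/").split("/")
    for depth in range(len(parts) - 1, -1, -1):
        ancestor = "/" + "/".join(parts[:depth])
        dacl += _canonical(a for a in explicit.get(ancestor, []) if a.inheritable)
    return dacl


def review_broad_access(explicit, paths, groups=(EVERYONE, AUTHENTICATED_USERS)):
    """Guideline check: objects whose effective DACL gives Full Control to Everyone or
    Authenticated Users, evaluated with a token that holds only that group's SID."""
    return [(path, g) for path in paths for g in groups
            if access_check(resolve_dacl(explicit, path), Token(g, frozenset()), FULL)]


# Constructed tree. /public still carries the Windows 2000 default of Everyone: Full
# Control; Sally owns /share/reports and has given Ginger Read, while the Editors
# group has Write and Delete there; salaries carries an explicit deny for Ginger.
SALLY, GINGER, EDITORS = "S-1-5-21-1-1000", "S-1-5-21-1-1001", "S-1-5-21-1-2000"
EXPLICIT = {
    "/public": [ACE(EVERYONE, FULL)],
    "/share": [ACE(AUTHENTICATED_USERS, READ)],
    "/share/reports": [ACE(SALLY, FULL), ACE(GINGER, READ), ACE(EDITORS, WRITE | DELETE)],
    "/share/reports/salaries": [ACE(GINGER, FULL, allow=False)],
}

if __name__ == "__main__":
    ginger = Token(GINGER, frozenset({AUTHENTICATED_USERS}))
    reports = resolve_dacl(EXPLICIT, "/share/reports")
    print(access_check(reports, ginger, READ), access_check(reports, ginger, WRITE))
    ginger_editor = Token(GINGER, frozenset({AUTHENTICATED_USERS, EDITORS}))
    print(effective_rights(reports, ginger_editor) == FULL)   # Read, Write and Delete add up
    print(access_check(resolve_dacl(EXPLICIT, "/share/reports/salaries"), ginger_editor, READ))
    print(review_broad_access(EXPLICIT, list(EXPLICIT)))
```

Once Ginger is added to Editors her effective rights on the folder become Read, Write and Delete, exactly the cumulative case in the key points; the explicit deny on the salaries subfolder wins over every inherited allow because explicit entries are evaluated first, and the review finds the one object still left at the Everyone: Full Control default.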

Additional reading

For more information about the default permissions in a fresh installation of Windows 2000 on an NTFS drive, see the article, Default NTFS Permissions in Windows 2000, under Additional Reading on the Web page on the Student Materials CD.


Guidelines for Using Administrative Accounts


To best use administrative accounts:
Do not allow users to log on as members of the Administrators group
Create an additional, non-administrative account for each administrator in the domain
Use a non-administrative account to perform routine tasks
Use the runas command to start applications in different security contexts


Key points

Apply the principle of least privilege to administrators, just as you do to users. To maintain security with administrative accounts:

Do not allow users to log on as members of the Administrators group. Viruses can do greater damage when they are activated from an account with Administrator permissions.
Create non-administrative accounts for each administrator. If compromised, an account with Administrator permissions can do more damage than a user account.
Use a non-administrative account to perform routine tasks. This account allows system administrators to separate administrative operations from user-level operations.
Use the runas command to start applications in different security contexts. If administrators use non-administrative accounts to perform routine tasks, they need a way to perform administrative tasks without logging off and logging back on. By using the runas command, an administrator can run specific administrative tasks from non-administrative accounts.


Demonstration: Using the Runas Command



Instructions

In this demonstration, the instructor logs on with restricted rights and performs an administrative task using the Runas command.

Tasks and detailed steps

1. Run Computer Management logged on as Student1 and verify what utilities you can access.
   a. Log off as Administrator and then log on using the following information: User name: Student1; Password: P@ssw0rd; Log on to: contoso.
   b. Press CTRL+ALT+DELETE to bring up the Windows Security dialog box. Point out to the students that you are currently logged on as user Student1 in Contoso.
   c. Click Cancel to close the Windows Security dialog box.
   d. Click the Start button, point to Programs, point to Administrative Tools, and then click Computer Management.
   e. In the console tree, expand System Tools and Event Viewer.
   f. Click Security in the console tree. Point out the error message that appears advising you that you don't have the appropriate privileges to complete this action.
   g. Click OK to close the error.
   h. Expand Shared Folders in the console tree and click Shares. Point out the error message that appears advising of an error in reading the list of shares.
   i. Click OK to close the error.
   j. Expand Storage in the console tree and click Disk Management. Point out the error message that appears advising that access to the Disk Manager is denied because the logged on user doesn't have the appropriate rights.
   k. Click OK to close the error.
   l. Close Computer Management.

2. Run Computer Management with the administrator credentials and verify that you can now access the various utilities.
   a. Click the Start button, point to Programs, point to Administrative Tools, and then right-click Computer Management.
   b. Select Run as from the drop-down menu. The Run As Other User dialog box appears, prompting you for alternate credentials to use to run this program.
   c. Type Administrator for the User Name.
   d. Type P@ssw0rd for the Password.
   e. Type contoso for the Domain and then click OK.
   f. In the console tree, expand System Tools and Event Viewer.
   g. Click Security in the console tree. Point out that no error message appears, and the Security log opens. (There may not be any entries in the log.)
   h. Expand Shared Folders in the console tree and click Shares. Point out that no error message appears, and the list of shares for the local computer appears.
   i. Click the Action menu and select New File Share. The Create Shared Folder dialog box appears, letting you create a share. This verifies that you can not only see the shares but can create them also.
   j. Click Cancel to close the Create Shared Folder dialog box.
   k. Expand Storage in the console pane and select Disk Management. Point out that no error message appears, and you now have access to Disk Manager.

3. Verify the logged on user.
   a. Press CTRL+ALT+DELETE to bring up the Windows Security dialog box. Point out to the students that you are still logged on as user Student1 in Contoso.
   b. Click Cancel to close the Windows Security dialog box.
   c. Close Computer Management.
   d. Log off Student1 and log back on as Administrator.


Guidelines for Auditing the Use of Permissions and User Rights

Use the appropriate group to ensure adequate auditing information
Do not audit everything
Monitor the Audit policy to prevent a rogue administrator from turning off auditing to perform a forbidden action
Configure the size of the security log to accommodate additional auditing information
Audit for successes and failures depending on what is being audited


Key points

Windows 2000 provides a security auditing facility that can log several kinds of security-related events. You can use this information to build a profile of regular activity, identify and track suspicious events, and retain legally valid evidence of an intruder's actions. Audited events are written to the security log. Auditing is disabled by default. To enable auditing or to read audit logs by using Event Viewer, you require administrator access to the computer. Guidelines for auditing permissions include:

Use the appropriate group to ensure adequate auditing information. Do not include users or groups that will have normal access to a resource.
Do not audit everything. Auditing incurs overhead on the computer that is performing the auditing. Only audit the events that are important to you and include only the groups or users that you need to audit.
Monitor the Audit policy to prevent an administrator from turning off auditing. It is not possible to restrict an administrator's actions in Microsoft Windows NT and Windows 2000. Although you can monitor an administrator's actions, administrators can replace system components, manipulate security policy, and alter logs on the computer. Therefore, an administrator could bypass auditing or remove evidence of his or her activities.
Configure the size of the security log to accommodate additional auditing information. Another important aspect of event log management is to manage the size of the event log and what happens when the maximum size is reached. For example, to preserve important audit information, you may choose not to overwrite events when the log fills up.
Audit for successes and failures depending on what is being audited. Monitor the Audit policy to prevent administrators from turning off auditing, performing a forbidden action, and then turning auditing back on. Also, be sure to audit for failed attempts so you can track attempts to guess passwords. To discover if someone has gained access to a forbidden area, audit for success.
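To show what the log-size and audit-policy guidelines protect against, here is an added Python example (not from the course) that replays a constructed event stream through a fixed-size log under three policies (overwrite the oldest entries, do not overwrite, halt when the log is full) and reports which events survive, then pairs "auditing disabled" and "auditing enabled" policy-change events to expose an unaudited window. The event categories, capacity and wording are constructed for the example.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    seq: int        # position in the stream of audited events
    category: str   # e.g. "privilege_use", "object_access", "audit_policy_change"
    detail: str


class SecurityLog:
    """A fixed-size security log with the three behaviours discussed above for a full
    log: overwrite the oldest entries, keep existing entries and drop new ones, or
    halt the system because an audit could not be recorded."""

    OVERWRITE = "overwrite_oldest"
    RETAIN = "do_not_overwrite"
    HALT = "halt_when_full"

    def __init__(self, capacity, policy):
        self.capacity = capacity
        self.policy = policy
        self.events = deque()
        self.dropped = 0
        self.halted = False

    def record(self, event):
        """Return True if the event was logged, False if it was dropped; raise when
        the policy is to halt and the log is full."""
        if self.halted:
            raise RuntimeError("system halted: security audits can no longer be logged")
        if len(self.events) < self.capacity:
            self.events.append(event)
            return True
        if self.policy == self.OVERWRITE:
            self.events.popleft()          # the oldest evidence is lost
            self.events.append(event)
            return True
        if self.policy == self.RETAIN:
            self.dropped += 1              # the newest activity goes unrecorded
            return False
        self.halted = True
        raise RuntimeError("system halted: security log full and overwrite is not allowed")

    def surviving(self, category):
        return [e.seq for e in self.events if e.category == category]


def replay(policy, capacity=20, evidence=3, routine=50):
    """Constructed scenario: a few audited privilege-use events of interest followed
    by a long run of routine object-access events. Returns the log for inspection."""
    log = SecurityLog(capacity, policy)
    stream = [Event(i, "privilege_use", "sensitive operation") for i in range(1, evidence + 1)]
    stream += [Event(evidence + i, "object_access", "routine read") for i in range(1, routine + 1)]
    try:
        for e in stream:
            log.record(e)
    except RuntimeError:
        pass                               # the halt policy stopped the system
    return log


def unaudited_windows(events):
    """Pair each 'auditing disabled' policy-change event with the next 'auditing
    enabled' one: whatever happened between them was never audited, so the pair
    itself is the alert to investigate."""
    windows, start = [], None
    for e in events:
        if e.category != "audit_policy_change":
            continue
        if e.detail == "auditing disabled":
            start = e.seq
        elif e.detail == "auditing enabled" and start is not None:
            windows.append((start, e.seq))
            start = None
    if start is not None:
        windows.append((start, None))      # disabled and never re-enabled
    return windows


if __name__ == "__main__":
    for policy in (SecurityLog.OVERWRITE, SecurityLog.RETAIN, SecurityLog.HALT):
        log = replay(policy)
        print(policy, "evidence kept:", log.surviving("privilege_use"),
              "dropped:", log.dropped, "halted:", log.halted)
    sample = [Event(1, "logon", "ok"), Event(2, "audit_policy_change", "auditing disabled"),
              Event(3, "audit_policy_change", "auditing enabled"), Event(4, "logon", "ok")]
    print(unaudited_windows(sample))
```

Under the overwrite policy the three privilege-use events are pushed out by routine traffic and nothing of interest survives; the do-not-overwrite policy keeps them at the cost of 33 unrecorded events; the halt policy stops the system at the first event it cannot log. None of the three is free, which is why the guideline ties the choice to the log size you configure.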


Assessment

Did you understand this lesson?

Complete these assessment questions to confirm it.

1. In your network, when should an administrator use an account with administrator rights to log on?
A. Only when performing duties as the administrator. Use an ordinary account with low privileges for non-administrative functions.
B. Depending on the extent of administration that the administrator needs to do. If he or she is performing more administrative than non-administrative functions, logging on with an account that has administrative rights is preferable.
C. Never; always log on to the computer as an ordinary user.
Answer:

2. How will an administrator perform administrative functions if he or she is logged on to an account that does not have administrative rights?
A. The administrator will use the runas command to provide the credentials of the administrator account, which includes the rights that are necessary to perform the administrative functions.
B. The administrator will use the runas command to provide the credentials of an account that has been assigned to him or her, which will provide the rights necessary to perform the administrative functions.
C. The administrator will log off as the ordinary user and then log on to the account that provides administrative rights. After performing the administrative tasks, the administrator will log off and then log on as an ordinary user.
Answer:


Lab A: Securing Accounts (MBSA)


Exercise 1: Examining account security

In this exercise, students will use Microsoft Baseline Security Analyzer to analyze the security of passwords and password requirements on their computers
Exercise 2: Changing account security

In this exercise, students will make changes to passwords and password requirements and run MBSA again to view the changes


Module 5: Using Cryptography to Secure Information


Contents
Overview                                   1
Lesson: Introduction to Cryptography       2
Lesson: Using Symmetric Encryption        11
Lesson: Using Hash Functions              18
Lesson: Using Public Key Encryption       25



Overview
Introduction to Cryptography
Using Symmetric Encryption
Using Hash Functions
Using Public Key Encryption

Introduction
Cryptography is a method of keeping information secret. Most often, you encrypt information when you transfer it from one location to another. You can also encrypt information for the purpose of storing it safely. This module will introduce you to the basic concepts of cryptography, and how to encrypt information by using symmetric encryption, hash functions, and public key encryption.

Objectives
After completing this module, you will be able to:
Describe how cryptography works.
Describe symmetric encryption.
Describe how to use a hash function to encrypt data.
Describe public key encryption.


Lesson: Introduction to Cryptography


What Is Cryptography?
What Are Algorithms?
What Are Keys?
Common Uses of Cryptography
Considerations for Assessing Encryption Strength

Introduction
Cryptography is a method of securing information while transporting it from one location to another or while storing it. Ancient cultures used cryptographic techniques to send diplomatic and military information securely. This lesson describes modern cryptography, its common uses, and ways to assess the strength of an encrypted message.

Objectives
After completing this lesson, you will be able to:
Define cryptography.
Describe the use of algorithms in cryptography.
Describe the use of keys in algorithms.
Explain the common uses of cryptography.
List considerations for assessing encryption strength.


What Is Cryptography?
Cryptography is a set of techniques used to encode and decode information
Ciphertext hides information in a message while it is transferred from one location to another or while stored
(Diagram: plaintext "hello" becomes ciphertext "#4(*d" through Encryption, and Decryption turns the ciphertext back into plaintext)

Key points
In modern organizations, cryptography ensures the confidentiality of information while it is transmitted across networks or while it is stored on magnetic media. Most often, organizations use cryptography to prevent a third party from viewing the information. In cryptography, plaintext is the information before it is encrypted. Ciphertext is the encrypted information. Decrypting ciphertext requires the knowledge or possession of a secret that is only available to someone who is authorized to decrypt the ciphertext.


What Are Algorithms?


Algorithms are mathematical formulas to encrypt or decrypt data
You can publish algorithms or keep them secret
Multiple users can use the same algorithm to encrypt or decrypt multiple data sources
Algorithm (Plaintext) = Ciphertext
e = f(m)

Examples
Algorithm           Plaintext   Ciphertext
Advance 2 spaces    A           C
Advance 2 spaces    K           M


Key points

To encode data, cryptography employs algorithms, which, in the context of cryptography, are mathematical formulas that encrypt or decrypt data. The following generic expression describes the way that an algorithm works:
e=f(m)

In this expression, encrypted data (e) is the result of applying a generic function, or algorithm, (f) to a message (m). Often, the creator of an algorithm will publish it for public scrutiny and testing. If the testing does not reveal any weaknesses, the algorithm is considered to be a strong algorithm. Sometimes algorithms are kept secret, which makes it harder for an attacker to decrypt your data because he has to determine what the algorithm is before decrypting a message. However, keeping an algorithm secret can also prevent the algorithm from undergoing the scrutiny that may reveal weaknesses in the algorithm, thereby giving you a false sense of security. Most commercially used algorithms are public. Secret algorithms are sometimes used by government intelligence agencies.

Practice

In the following example, replace each letter in plaintext with the letter that follows it by two spaces in the alphabet. When a letter is at the end of the alphabet, start again at the beginning of the alphabet. For example, replace the letter Y with the letter A. Use this simple algorithm to encode the following phrase:
Windows XP


What Are Keys?


A key is a string of bits that is used to vary the results of an algorithm
Keys are normally secret
Key length and complexity influence the strength of encryption
Algorithm and Key (Plaintext) = Ciphertext

Examples
Algorithm           Key   Plaintext   Ciphertext
Advance x spaces    3     A           D
Advance x spaces    5     A           F


Key points

A key varies the result of an encryption. It is harder to decrypt the data without knowing the key. The advantage of using an algorithm that uses keys is that multiple users can use the same algorithm to encrypt or decrypt multiple data sources. If you know an algorithm and one key, you cannot decrypt data that was encrypted by using the same algorithm but a different key. Using an algorithm that uses keys enables you to use a public algorithm without compromising your data. For example, using a key that is 10 bits long can produce 1,024 versions of ciphertext by using the same algorithm and plaintext. Increasing the key length and complexity increases the strength of the encryption.

Practice

As shown in the slide, the algorithm is the same; however, using a different key produces different ciphertext. Choose a key and use the algorithm and key to encode the following phrase:
Windows XP

Compare the results with another student. Can you easily decrypt the other student's ciphertext?


Practice: Understanding Algorithms

Discussion

1. Read the description of the algorithm
2. Decrypt the encrypted text, rfbsu
3. As a class, discuss the strength of the encryption method


Instructions

Analyze the algorithm in the following scenario and decrypt the encrypted text. Then discuss the strength of the encryption method.

Scenario

The algorithm that is used to encrypt the data is:

1. Replace the first letter of the text with the letter immediately preceding it in the alphabet.
2. Replace the next letter of the text with the letter immediately following it in the alphabet.
3. Repeat this process until all of the letters have been processed.

This algorithm produced the ciphertext rfbsu. What is the plaintext?
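The three practice exercises in this lesson (advance every letter two places, advance every letter by a chosen key, and the alternating back-one/forward-one algorithm above) are all substitution ciphers over the alphabet. The following Python is an added example, not part of the original course material: it implements all three so you can check your answers, and it adds a brute-force routine over the 26 possible shift keys to make the point of the "What Are Keys?" topic concrete. The handling of spaces and case (left unchanged) and the choice that only letters count as positions in the alternating algorithm are assumptions, since the exercise text does not say. Running the inverse of the alternating algorithm over the ciphertext rfbsu exactly as printed gives secrv, so compare the exercise text against your own answer.

```python
"""Toy alphabet ciphers for the practice exercises in this lesson.

Added example for teaching only: these ciphers offer no real security.
"""
import string

ALPHABET = string.ascii_lowercase


def shift_letter(ch: str, amount: int) -> str:
    """Move one letter `amount` places along the alphabet, wrapping Z to A.
    Non-letters (spaces, digits) pass through unchanged; case is kept."""
    if not (ch.isascii() and ch.isalpha()):
        return ch
    base = ord("A") if ch.isupper() else ord("a")
    return chr(base + (ord(ch) - base + amount) % 26)


def caesar(text: str, key: int) -> str:
    """'Advance x spaces': the same algorithm for every letter; the key
    chooses how far. key=2 is the first practice. Decrypt with -key."""
    return "".join(shift_letter(c, key) for c in text)


def alternating(text: str, decrypt: bool = False) -> str:
    """Practice 'Understanding Algorithms': the first letter moves one
    place back, the next one place forward, and so on. Assumption: only
    letters consume a position. Decryption reverses both directions."""
    out, pos = [], 0
    for ch in text:
        if ch.isascii() and ch.isalpha():
            amount = -1 if pos % 2 == 0 else 1
            if decrypt:
                amount = -amount
            out.append(shift_letter(ch, amount))
            pos += 1
        else:
            out.append(ch)
    return "".join(out)


def brute_force_caesar(ciphertext: str) -> list[tuple[int, str]]:
    """The key space has only 26 values, so an attacker who knows the
    algorithm simply tries every key and picks the readable result.
    This is the argument for long keys in the next topic."""
    return [(k, caesar(ciphertext, -k)) for k in range(26)]


if __name__ == "__main__":
    print(caesar("Windows XP", 2))              # first practice
    print(caesar("Windows XP", 3))              # same algorithm, other key
    print(alternating("secret"))                # encrypt with the alternating rule
    print(alternating("rfbsu", decrypt=True))   # the page's ciphertext, inverted
    for k, guess in brute_force_caesar(caesar("Windows XP", 2)):
        print(k, guess)
```

Because `caesar` is its own family of algorithms parameterised by the key, the same function serves the first two practices; the brute-force loop shows why a 26-value key space gives no protection once the algorithm is known.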


Common Uses of Cryptography


Use                  Detail
Confidentiality      Prevents the reading of data during transmission and storage
Integrity checking   Verifies that a message has not been altered
Authentication       Verifies the identity of a user or a computer
Nonrepudiation       Ensures that the sender of a transmission cannot deny sending the message
Anti-replay          Ensures that intercepted data cannot be used to impersonate the original sender


Key points

Modern cryptography can provide confidentiality, data integrity, authentication, nonrepudiation, and anti-replay, all of which help provide data security.

- Confidentiality. Ensures that only authorized personnel can access information. Encrypting data is one way to provide confidentiality.
- Data integrity. Ensures that it is possible to detect whether an unauthorized modification has occurred. Integrity protects against a man-in-the-middle attack, in which an attacker modifies data during transmission, such as intercepting an e-mail message and altering it before forwarding it to the recipient.
- Authentication. Verifies that data originates from the user or computer that claims to send the information. It also protects against impostors and man-in-the-middle attacks.
- Nonrepudiation. Ensures that an individual or process cannot deny performing a task or sending data. For example, nonrepudiation ensures that a party to a contract cannot refute having signed the contract.
- Anti-replay. Prevents an attacker from intercepting a message and sending it again at a later time. For example, an attacker could capture a logon sequence and then replay the network packets to log on later. Anti-replay precautions, such as adding protected time stamps or sequence numbers to data, prevent such an attack.


Considerations for Assessing Encryption Strength


Encryption strength relies on the strength of the algorithm and the length and complexity of the key

[Chart: computing time needed to complete a brute force attack (1 minute, 1 day, 1 year) plotted against algorithm and key strength]


Key points

No encryption method is completely secure. Given knowledge of the algorithm and enough time and computing power, an attacker can in principle try every possible key. A strong algorithm, one that is built on sound mathematical methods, creates no predictable patterns in encrypted data, and is used with a sufficiently long key, makes this impractical and can deter most attacks. When you use a strong algorithm, the only way to break the encryption is to obtain the key. An attacker can obtain a key by stealing it, by tricking someone into revealing it (a form of social engineering), or by trying all possible key values. This last method is commonly known as a brute force attack. Each additional bit of key length doubles the number of possible keys, so increasing the key length exponentially increases the time that a brute force attack takes.

Example

The following table shows the worst-case time to recover a key by brute force at a rate of 100,000 keys per second, that is, the time needed to try every possible key. On average the correct key turns up after about half that time.

Key length (in bits)   Time to try every key
10                     About 0.01 second
20                     About 10 seconds
30                     About 3 hours
40                     About 127 days
64                     About 5.8 million years
128                    About 1.1 × 10^26 years (108 septillion years), far longer than the age of the universe

Encryption is strong enough when it becomes impractical for an attacker to carry out a brute force attack. Make sure that the strength of the encryption is appropriate for the amount of time that the data must remain confidential. When estimating the time it takes an attacker to perform a brute force attack, consider that real attacks perform many more operations per second than in the preceding example, and that an attacker can multiply the rate by using specialized hardware or many computers in parallel.

National laws may restrict the encryption methods that you can use to encrypt data. These laws try to ensure that encryption is not too strong for law enforcement or intelligence agencies to decrypt. Some governments also restrict the import and export of encryption technologies. When using encryption, ensure that you comply with all applicable laws.
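The arithmetic behind the table is simple enough to check, and the interesting question for a practitioner is the reverse one: given an attacker's rate, how long a key outlasts the period the data must stay secret. The following Python is an added example, not from the original course. The 100,000 keys per second figure is the text's; the attacker rates used in the usage lines are assumptions chosen to show how the table shifts.

```python
"""Brute-force cost estimates for a key of a given length.

Added example. Worst case is trying all 2**bits keys; the expected cost
is half of that. Change the rate to model a stronger attacker.
"""

KEYS_PER_SECOND = 100_000          # rate used in the lesson's table
SECONDS_PER_YEAR = 365.25 * 86_400


def seconds_to_exhaust(key_bits: int,
                       keys_per_second: float = KEYS_PER_SECOND,
                       average: bool = False) -> float:
    """Time to try the whole key space; `average=True` halves it, since
    the right key is found, on average, halfway through."""
    trials = 2 ** key_bits
    if average:
        trials //= 2
    return trials / keys_per_second


def humanize(seconds: float) -> str:
    """Express a duration in the largest unit that gives at least one."""
    units = [("years", SECONDS_PER_YEAR), ("days", 86_400),
             ("hours", 3_600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds:.3g} seconds"


def brute_force_table(key_lengths=(10, 20, 30, 40, 64, 128),
                      keys_per_second: float = KEYS_PER_SECOND) -> dict[int, str]:
    """Reproduce the lesson's table for any attacker rate."""
    return {bits: humanize(seconds_to_exhaust(bits, keys_per_second))
            for bits in key_lengths}


def bits_to_outlast(years: float, keys_per_second: float) -> int:
    """Smallest key length whose worst-case exhaustion takes longer than
    `years` at the given rate: the planning question the text raises."""
    bits = 1
    while seconds_to_exhaust(bits, keys_per_second) <= years * SECONDS_PER_YEAR:
        bits += 1
    return bits


if __name__ == "__main__":
    for bits, duration in brute_force_table().items():
        print(f"{bits:>4} bits: {duration}")
    # Assumed attacker rates, for comparison with the table's 100,000/s.
    print("10 years of secrecy, 1e5 keys/s:", bits_to_outlast(10, 1e5), "bits")
    print("10 years of secrecy, 1e12 keys/s:", bits_to_outlast(10, 1e12), "bits")
```

The second assumed rate, a trillion keys per second, is the kind of figure a cluster of dedicated hardware reaches; note that it moves the required key length by only a few dozen bits, which is why the jump from 64 to 128 bits matters far more than any realistic change in attacker speed.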


Assessment: Introduction to Cryptography

Did you understand this lesson?

Complete the assessment question to confirm it.


Multiple choice

1. What is the relationship between keys and algorithms in cryptography? Choose the correct answer. a. A key determines the length of the algorithm. b. An algorithm must be secret, but a key can be either published or secret. c. The key is the mathematical formula that is used to encrypt text, and the algorithm is the decrypted text. d. The key determines how the algorithm encrypts data. e. The algorithm adds the key to plaintext and then encrypts the combination.


Lesson: Using Symmetric Encryption


- How Symmetric Encryption Works
- Common Algorithms for Symmetric Keys
- Strengths and Weaknesses of Symmetric Encryption
- Guidelines for Using Symmetric Encryption


Introduction

Symmetric encryption uses an algorithm and a single key. This lesson describes how to use symmetric encryption to secure data.

Objectives

After completing this lesson, you will be able to:

- Describe how symmetric encryption works.
- List common algorithms that use symmetric keys.
- Discuss the strengths and weaknesses of symmetric encryption.
- Describe guidelines for using symmetric encryption.


How Symmetric Encryption Works


- Symmetric encryption uses a single key to both encrypt and decrypt data
- Security of encrypted data depends on the secrecy of the key

[Diagram: plaintext "hello" passes through the symmetric algorithm with the key to give the ciphertext "#4(*d"; the same symmetric algorithm with the same key turns "#4(*d" back into "hello"]


Key points

Symmetric encryption is a method of encryption that uses the same key to encrypt and decrypt a message. If one person encrypts and decrypts data, that person must keep the key secret. If the data is transmitted between parties, each party must agree on a shared secret key and find a secure method to exchange the key. The security of encrypted data depends on the secrecy of the key. If someone gains knowledge of the secret key, he or she can use the key to decrypt all the data that was encrypted with the key.


Common Algorithms for Symmetric Keys


Algorithm                                        Key length
Data Encryption Standard (DES)                   56-bit key
Triple DES                                       Performs three DES operations, the equivalent of a 168-bit key
Advanced Encryption Standard (AES)               Variable key lengths (128, 192, or 256 bits)
International Data Encryption Algorithm (IDEA)   128-bit key
Blowfish                                         Variable key lengths
RC4                                              Variable key lengths


Key points

Common algorithms that use symmetric keys include:

- Data Encryption Standard (DES). Relatively slow, DES is suitable for high-security applications only with modifications, and its 56-bit key is small enough to be exhausted by brute force with dedicated hardware. For example, the Encrypting File System (EFS) in Windows uses a modified version of DES, called DESX.
- Triple DES. Although more secure than DES and widely used, Triple DES is slow compared to other algorithms because it performs three encryption passes on the data.
- Advanced Encryption Standard (AES). Also known as Rijndael, AES is the current standard chosen by the U.S. National Institute of Standards and Technology (NIST). AES specifies a cryptographic algorithm for use by U.S. government agencies to protect sensitive (unclassified) information. AES can use key lengths of 128, 192, and 256 bits. Because Rijndael is available royalty-free and without patent restrictions, more and more software includes this algorithm.
- International Data Encryption Algorithm (IDEA). This widely used algorithm uses a 128-bit key. IDEA is patented and requires licensing for commercial use.
- Blowfish. This extremely fast algorithm has a variable-length key ranging from 32 bits to 448 bits. Free for use of any kind, this algorithm is implemented in many programs. Blowfish's developers have created a newer algorithm called Twofish, which is gaining popularity.
- RC4. This algorithm is a stream cipher: it generates a key-dependent stream of bits and combines that stream with successive portions of the plaintext. Widely used in commercial applications, RC4 is a publicly known algorithm that employs variable-length keys. RC4 is the security foundation for the 802.11b WEP (Wired Equivalent Privacy) wireless LAN standard. Note that the way WEP uses RC4 has since been shown to be breakable in practice, so WEP should not be relied on for confidentiality.


Strengths and Weaknesses of Symmetric Encryption

Strengths
High-speed encryption and decryption Several algorithms use variable key length

Weaknesses
Secure key exchange may be difficult Key management may be difficult


Key points

Compared to other types of encryption, symmetric encryption and decryption are performed at relatively high speeds. Several algorithms use variable key lengths that enable you to choose a key that balances encryption speed with the appropriate level of security. A long key increases the time to encrypt and decrypt data, but the encryption is more secure. A shorter key decreases the time to encrypt and decrypt data, but it is also less secure. Choose the key length that is appropriate for your task.

If two parties need to exchange data, they must first agree on a shared key. This requires a secure communication channel, making symmetric encryption feasible only if such a channel exists. If you need to exchange data with a large number of people, you need a separate secret key for each party, which can make key management very difficult. If n people have to exchange encrypted data with each other in pairs, the number of keys required is n(n-1)/2. For example, if three people need to exchange encrypted data with each other, a total of 3 keys is necessary.

Practice

If ten people need to exchange data with each other, how many keys must be used?


Guidelines for Using Symmetric Encryption

Use symmetric encryption when you:


Encrypt large amounts of data Need to ensure confidentiality Have a secure method to exchange the secret key


Key points

Symmetric encryption is the most efficient method for encrypting data. If you need to keep data confidential, symmetric encryption protects the data from anyone who does not possess the secret key. However, symmetric encryption by itself provides only confidentiality. It does not:

- Detect tampering. An attacker who intercepts the ciphertext can alter it, or replace the entire message with different ciphertext, and the recipient will simply decrypt whatever arrives. Detecting such changes requires a separate integrity check, such as a hash that is protected by a key or by a signature (see the following lessons).
- Allow for nonrepudiation, because at least two parties possess the same secret key, and either party could have encrypted a message that can be decrypted with that key.

Key exchange presents another challenge to symmetric encryption. If no secure method is available to exchange the secret key, you cannot guarantee confidentiality or ensure that a third party has not obtained the key.
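The point that symmetric encryption gives confidentiality but not integrity is easiest to see by doing it. The following Python is an added example, not part of the original course: it builds a toy stream cipher from SHA-256 in counter mode (so the example needs only the standard library; a real system uses a vetted cipher such as AES), shows that the same key is needed to decrypt, shows an attacker flipping plaintext bits by flipping the corresponding ciphertext bits without knowing the key, and then shows a keyed hash (HMAC, from the standard library) catching the change. The message and field offset are constructed for the example; deriving separate keys for encryption and for the tag, which a real design would do, is omitted for brevity.

```python
"""Symmetric encryption: one shared key, confidentiality without integrity.

Added example. The keystream cipher below is a teaching toy; the HMAC
integrity check is the standard-library implementation.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` pseudo-random bytes by hashing (key, nonce, counter).
    The same key and nonce always give the same stream, which is what
    lets the receiver undo the XOR."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """A fresh nonce per message is prepended so the receiver can rebuild
    the keystream; reusing a nonce with the same key would be fatal."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def decrypt(key: bytes, blob: bytes) -> bytes:
    """XOR is its own inverse: the same secret key regenerates the stream."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    stream = keystream(key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def tamper(blob: bytes, offset: int, xor_value: int) -> bytes:
    """Attacker's move: flip bits of one ciphertext byte. The same bits
    flip in the plaintext, and no key is needed."""
    body = bytearray(blob)
    body[NONCE_LEN + offset] ^= xor_value
    return bytes(body)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then append a keyed hash over nonce + ciphertext."""
    blob = encrypt(key, plaintext)
    return blob + hmac.new(key, blob, hashlib.sha256).digest()


def unseal(key: bytes, sealed: bytes) -> bytes:
    """Verify the tag before decrypting; reject anything modified."""
    blob, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(key, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message altered or forged")
    return decrypt(key, blob)


def demo() -> dict:
    key = secrets.token_bytes(32)
    msg = b"PAY 0100 TO ALICE"                 # constructed message
    blob = encrypt(key, msg)
    flip = ord("0") ^ ord("9")                  # turns the '0' at offset 4 into '9'
    result = {
        "roundtrip": decrypt(key, blob) == msg,
        "wrong_key": decrypt(secrets.token_bytes(32), blob) == msg,
        "forged_plaintext": decrypt(key, tamper(blob, 4, flip)),
    }
    try:
        unseal(key, tamper(seal(key, msg), 4, flip))
        result["forgery_detected"] = False
    except ValueError:
        result["forgery_detected"] = True
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The `forged_plaintext` line is the lesson's "man-in-the-middle replaces the message" case in miniature: the attacker never learned the key, yet the recipient decrypts an amount ten times larger than the one sent. Only the keyed hash in `seal`/`unseal` turns that silent corruption into a detected failure.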


Practice: Determining When To Use Symmetric Encryption


Scenario

1. To ensure the confidentiality of Contoso's customer data, you have decided to encrypt the data. Only one department manager in each of Contoso's twenty worldwide branches is allowed to access this confidential data. No one else has access to the data.
2. You must encrypt a file on your computer's hard disk.
3. Five hundred employees in your company must exchange confidential e-mail messages across the Internet.

Would you use symmetric encryption for this purpose?


Instructions

For each scenario, decide if you should use symmetric encryption. Discuss answers as a class.


Assessment : Protecting Information by Using Symmetric Encryption

Did you understand this lesson?

Complete the assessment question to confirm it.


Multiple choice

1. Two of your servers must encrypt network traffic that travels between them. Should you use symmetric encryption for this purpose? Choose the correct answer. a. Yes. Symmetric encryption provides a method to exchange keys securely. b. No. Symmetric encryption requires a different key for each connection between servers, making key management complicated. c. Yes. This scenario requires only one key, which is easy to store and manage. d. No. Symmetric encryption makes it impossible to securely store the same key on each server.


Lesson: Using Hash Functions


- What Is a Hash Function?
- Demonstration: How Hash Functions Work
- Common Hash Functions
- Guidelines for Using Hash Functions


Introduction

Another cryptographic tool is the hash function. Unlike encryption, a hash function does not hide data; it produces a short fixed-length value that lets you detect whether data has changed. This lesson describes how hash functions work and gives guidelines for using them.

Objectives

After completing this lesson, you will be able to:

- Define a hash function.
- Describe common hash functions.
- Describe guidelines for using hash functions.


What Is a Hash Function?


- A hash function is a function that computes a hash from data
- A hash is a fixed-length string of bits that, for practical purposes, identifies the data uniquely

[Diagram: the message "Hello Dave, Enclosed is my feedback about your proposal." passes through the hash function to give the hash 3XO62L; the message "Hello" passes through the same hash function to give the hash 95R87A]

You can use hash functions to:
- Ensure message authenticity and integrity
- Simplify digitally signing messages or data
- Create a password hash that you can transmit or store instead of a password


Key points

A hash function takes data of any length and computes from it a fixed-size string of bits, called a hash or, sometimes, a digest. A hash function is not a form of encryption: there is no key, and hash functions are one-way, so you cannot reconstruct the original data from the hash. For that reason you do not use a hash to provide confidentiality. Instead, you use a hash to determine whether data has changed, by computing the hash at two different times and comparing the results. For example, you can compute a hash from the contents of a file. When you perform the same computation later and the hashes are identical, you are assured that the file has not changed; if the hashes differ, the file has changed. Because the hash has a fixed length, it reveals nothing about the length of the original data, and because it is normally much smaller than the data, storing a hash is more economical than storing a second copy of the data. For a good hash function, it is extremely unlikely that two different inputs produce the same hash. Such collisions must exist, because there are more possible inputs than hash values, but it is computationally infeasible to find two inputs that produce the same hash, or to find an input that matches a given hash.


Demonstration: How Hash Functions Work


Key points

In this demonstration, you will see that:


- The result of applying a hash function to the same data is always the same.
- The length of a hash is fixed and does not vary with the length of the data.
- A hash value changes in an unpredictable way when the data changes.
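The three properties listed for the demonstration, and the file-integrity use described under "What Is a Hash Function?", can be reproduced with the standard library. The following Python is an added example, not part of the original course: it uses SHA-256 from `hashlib`, measures how much of the digest changes when one bit of the input changes, and hashes a constructed sample file before and after a one-character edit. The sample file contents and the temporary directory are constructed for the example.

```python
"""Hash function properties and a file-integrity check.

Added example using SHA-256 from the standard library.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path

HEX_LEN = 64  # SHA-256 digest is 32 bytes = 64 hex digits


def digest_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def demonstrate_properties() -> dict:
    """Same input, same hash; any input length, same output length; a
    one-bit change in the input scrambles most of the output."""
    short = b"Hello"
    long_message = (b"Hello Dave,\nEnclosed is my feedback about your proposal.\n") * 200
    d_short, d_long = digest_hex(short), digest_hex(long_message)
    d_flipped = digest_hex(b"hello")          # 'H' -> 'h' is a single bit flip (0x48 -> 0x68)
    changed = sum(a != b for a, b in zip(d_short, d_flipped))
    return {
        "deterministic": digest_hex(short) == d_short,
        "fixed_length": len(d_short) == len(d_long) == HEX_LEN,
        "hex_digits_changed": changed,         # expected roughly 60 of 64
    }


def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream the file through the hash so it works for files larger than memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path: Path, expected_hex: str) -> bool:
    """Compare the current hash with one recorded earlier or published by
    a trusted source. The constant-time comparison avoids leaking how
    many leading characters matched."""
    return hmac.compare_digest(hash_file(path), expected_hex.lower())


def integrity_demo() -> dict:
    """Hash a constructed file, then edit one character and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "report.txt"
        path.write_bytes(b"Q3 figures: revenue 1,200,000\n")
        baseline = hash_file(path)
        unchanged_ok = verify_file(path, baseline)
        path.write_bytes(b"Q3 figures: revenue 1,200,001\n")   # the tampering
        tampered_ok = verify_file(path, baseline)
    return {"baseline": baseline, "unchanged_ok": unchanged_ok, "tampered_ok": tampered_ok}


if __name__ == "__main__":
    print(demonstrate_properties())
    print(integrity_demo())
```

The `hex_digits_changed` figure is what "changes in an unpredictable way" means in practice: a single flipped input bit leaves almost none of the digest intact, so an attacker cannot adjust a file a little and hope the hash moves only a little.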


Practice: Using Hash Functions

1. Read the scenario
2. Determine if you should use a hash function
3. Discuss your answers with the class


Instructions Scenario

Read the following scenario, determine if you should use a hash function, and then discuss your answers with the class. Your organization secures offices by using electronic locks that require a key combination. When an employee forgets the key combination, he must show identification to a security guard. The security guard then retrieves the key combination from a database and gives it to the employee. Can you store hashes of the key combinations instead of the actual combinations, to prevent employees who gain unauthorized access to the database from viewing them?


Common Hash Algorithms


Algorithm   Source       Characteristics
MD4         RFC 1320     128 bits, very fast; appropriate for medium-security usage
MD5         RFC 1321     128 bits, fast; more secure than MD4; widely used
SHA-1       FIPS 180-1   160 bits; standard for the U.S. government; slower than MD5


Key points

Several algorithms are commonly used as hash functions. Internet Requests for Comments (RFCs) define two of the most popular, Message Digest 4 (MD4) and Message Digest 5 (MD5). Another, the Secure Hash Algorithm (SHA-1), is defined by the U.S. Federal Information Processing Standard FIPS 180-1. Note that practical collision attacks have since been published against MD4, MD5, and SHA-1, so none of the three should be relied on today where an attacker could profit from two inputs with the same hash, such as in digital signatures; later members of the SHA family (SHA-256 and longer) do not have this problem.


Guidelines for Using Hash Functions


Use hash functions to ensure the integrity of:
- E-mail messages
- Stored files
- Transmitted data
- Programs

To ensure authenticity of a hash, do one of the following:
- Store it in a trusted location
- Sign it using a private key


Key points

Using a hash function can ensure that e-mail messages have not been tampered with while in transit, that data transmitted across the network has not changed since the hash was created, and that program files have not been modified. You must have a secure channel to exchange the hash or a trusted location to store it. If a hash value comes from an untrustworthy source, an attacker may have altered both the data and the hash value that was created from it, and the hashes will still match. To ensure the authenticity of a hash, store it in a trusted location, such as a secure Web site, or sign the hash by using a private key.


Assessment: Using Hash Functions

Did you understand this lesson?

Complete the assessment question to confirm it.


Multiple choice

1. You must ensure the confidentiality and integrity of e-mail messages that you send over the Internet. Which of the following statements is true? a. You can provide only message confidentiality by using a hash function. b. You can provide only message integrity by using a hash function. c. You can provide both message confidentiality and message integrity by using a hash function. d. You can provide neither message confidentiality nor message integrity by using a hash function.


Lesson: Using Public Key Encryption


- How Public Key Encryption Works
- How Digital Signing Works
- Common Algorithms for Public Key Encryption
- Strengths and Weaknesses of Public Key Encryption
- Guidelines for Using Public Key Encryption


Introduction

Public key encryption is a form of encryption that uses a pair of keys to ensure data confidentiality. This lesson explains how to use public key encryption to encrypt data and authenticate messages. After completing this lesson, you will be able to:

Objectives

- Describe how public key encryption works.
- Describe how digital signing authenticates data.
- List common algorithms for public key encryption.
- List the strengths and weaknesses of public key encryption.
- Describe the guidelines for using public key encryption.


How Public Key Encryption Works


- Asymmetric encryption uses public and private key pairs to encrypt data
- Public and private keys are generated at the same time
- Encryption can be performed with either key in the pair, but decryption always requires the other key

[Diagram: plaintext "hello" passes through the encryption algorithm with the public key to give the ciphertext "#4(*d"; the decryption algorithm with the private key turns "#4(*d" back into "hello"]


Key points

Public key encryption, also called asymmetric encryption, is an encryption method that uses a public key and private key pair to encrypt data. Public keys are available to anyone. Private keys must be kept secret. Public key encryption has the following characteristics:

- Anyone can encrypt data by using your public key, which is available as public information. However, only you possess the corresponding private key, so only you can decrypt the data.
- The person who uses the private key generates the key pair. Most commonly, public keys are stored in a certificate.
- You create the key pair by using a program that generates keys. For example, you can use Internet Information Services (IIS) to create a key pair to encrypt Web traffic.

Additional reading

For more information about certificates, see Module 6, Using a PKI to Secure Information, in Course 2810, Fundamentals of Network Security.


How Digital Signing Works


Digital signing uses public and private keys to provide authentication and integrity checking to messages and files

[Diagram. Sender: the e-mail passes through the hash function to give the hash 54321; the hash is encrypted with the sender's private key to give the signature %^&*(, which is sent with the e-mail. Recipient: the signature %^&*( is decrypted with the sender's public key to recover 54321; the received e-mail passes through the same hash function to give 54321. Matching hashes verify the integrity of the data.]


Key points

One way that you can use public key encryption is to authenticate an e-mail message. This is known as digital signing. Digital signing encrypts a message with your private key. The recipient then decrypts the message with your public key. If the decryption succeeds, the recipient is assured that the message originated from you and has not been changed. This assurance exists because only you know your own private key.

Example

Most often, you sign a hash of the message, not the entire message. The following scenario shows how digital signing of an e-mail message works:

1. As the sender, you compute a hash of the e-mail message and encrypt that hash by using your private key. The encrypted hash is the signature, and you send it with the message.
2. The recipient decrypts the signature by using your public key. Successful decryption shows that the hash was encrypted with your private key, which verifies that you sent the message.
3. The recipient computes the same hash function over the received message and compares the result with the decrypted hash. If both hashes match, the recipient can be assured that the e-mail message originated from you and that it has not been changed.

Because only you can produce a value that decrypts correctly with your public key, signing also provides nonrepudiation: if a signature verifies with your public key, you cannot deny that you signed the message, provided your private key has remained secret. Other types of digital signing work in a similar manner. For example, a software publisher signs a program so that a user who installs the program can verify the authenticity and integrity of the program file.

Note National laws determine whether digital signature methods are legally binding. When you use digital signatures in legal matters, consult with an expert in this area.


Common Algorithms for Public Key Encryption


Algorithm                     Considerations
RSA                           Variable key length; de facto standard for public key encryption
Diffie-Hellman                Variable key length; used to securely establish a shared secret
Elliptic curve cryptography   Variable key length; currently too slow for widespread implementation


Key points

All common public key algorithms use a variable key length, which makes them adaptable to a wide variety of uses.

- RSA. Named after its inventors, Ron Rivest, Adi Shamir, and Leonard Adleman, RSA is the de facto standard for encrypting data by using public key encryption. The patent on RSA has expired, and the algorithm is now free to use.
- Diffie-Hellman. Also named after its inventors, Whitfield Diffie and Martin Hellman, Diffie-Hellman is a specialized algorithm that enables two parties to agree on a secret key over an insecure medium without having to first share a secret. It provides key agreement rather than general-purpose encryption.
- Elliptic curve cryptography. This form of public key cryptography can use shorter keys to achieve the same level of security that other algorithms achieve with longer keys. Short keys are important on devices with little storage or processing power, such as smart cards or handheld computers. When this course was written (2002), elliptic curve implementations were considered too slow for commercial use; they have since become standard, for example for key exchange and signatures in TLS.


Strengths and Weaknesses of Public Key Encryption

Strengths
Does not require a secure method to exchange a secret key Provides a method to validate an individual

Weaknesses
Decryption of data is time-consuming Inefficient for large amounts of data


Key points

Public key encryption has both advantages and disadvantages. One advantage is that it provides a secure means of communication without having to exchange a secret key. The public key can be provided to anyone who wants to send you encrypted information, but only you can decrypt that information. Key management is easy because each user only needs to protect a single private key. There is no need to agree on a separate secret with every person you exchange data with. Another advantage is that public key encryption can validate an individual and the integrity of data. You can use a private key to create a digital signature, which can be used to verify your identity. Digital signatures help provide an authentication method and nonrepudiation. A disadvantage of public key encryption is that it is slow. It can quickly encrypt information, but decrypting the information is processor-intensive, and therefore not suited to encrypt large amounts of data.


Guidelines for Using Public Key Encryption


Use public key encryption to:

- Encrypt data when you are unable to exchange secret keys securely
- Exchange secret keys before encrypting large amounts of data, and then encrypt the data by using the secret key


Key points

Public key encryption does not require the exchange of secret keys. Each user requires only one private key and can provide the corresponding public key to any other user. There is no need to keep the public key secret.

Often, you encrypt a large amount of data for transmission between two users by combining public key encryption and symmetric encryption. To perform this task:

1. Use public key encryption to encrypt a secret key for transmission from one user to the other.
2. Use the secret key to encrypt the large amount of data before sending it to the other user.

This method provides a secure channel for exchanging the secret key, and encrypting the data with the secret key is more efficient than encrypting it by using public key encryption. For example, EFS uses a combination of public key encryption and symmetric encryption to secure data on a hard disk.
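The three uses of a key pair described in this lesson, encrypting for the holder of the private key ("How Public Key Encryption Works"), signing a hash ("How Digital Signing Works"), and wrapping a symmetric session key for the hybrid scheme just described, can all be shown with one small implementation. The following Python is an added example, not part of the original course and not how any product named on this page implements these operations: it is textbook RSA over two fixed, publicly known Mersenne primes so that it is deterministic and needs only the standard library. It has no padding and must never be used for real data; production code uses a vetted library with RSA-OAEP/RSA-PSS or modern alternatives. The message text, the 16-byte session key length, and the public exponent 65537 are assumptions for the example. The bulk-encryption step of the hybrid scheme (encrypting the data with the session key) is represented only by the wrapped key handoff.

```python
"""Public key encryption, digital signing, and session-key wrapping.

Added example: textbook RSA over known primes, for teaching only.
"""
import hashlib
import secrets

P = (1 << 127) - 1      # 2**127 - 1, a Mersenne prime
Q = (1 << 521) - 1      # 2**521 - 1, a Mersenne prime; n is about 648 bits
E = 65537               # conventional public exponent


def generate_keypair(p: int = P, q: int = Q, e: int = E):
    """Both keys come from the same two primes and are generated together.
    Public key (n, e) can be published; private key (n, d) must stay secret."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)              # e * d == 1 (mod phi); Python 3.8+
    return (n, e), (n, d)


def _to_int(data: bytes) -> int:
    return int.from_bytes(data, "big")


def encrypt(public_key, message: bytes) -> int:
    """Anyone with the public key can encrypt; only the private key reverses it.
    The message, as a number, must be smaller than the modulus."""
    n, e = public_key
    m = _to_int(message)
    if m >= n:
        raise ValueError("message too large for this modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int, length: int) -> bytes:
    """`length` restores leading zero bytes that the integer form drops."""
    n, d = private_key
    return pow(ciphertext, d, n).to_bytes(length, "big")


def sign(private_key, message: bytes) -> int:
    """Digital signing: hash the message, then apply the private key to the hash."""
    n, d = private_key
    return pow(_to_int(hashlib.sha256(message).digest()), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """The recipient recomputes the hash and compares it with the value the
    public key recovers from the signature."""
    n, e = public_key
    return pow(signature, e, n) == _to_int(hashlib.sha256(message).digest())


def wrap_session_key(recipient_public_key, key_len: int = 16):
    """Step 1 of the hybrid scheme: a fresh symmetric key, encrypted under the
    recipient's public key. The bulk data would then be encrypted with that
    key and sent alongside the wrapped key."""
    session_key = secrets.token_bytes(key_len)
    return session_key, encrypt(recipient_public_key, session_key)


def demo() -> dict:
    alice_pub, alice_priv = generate_keypair()
    msg = b"Invoice 4711: pay 120 EUR by Friday"          # constructed message
    sig = sign(alice_priv, msg)
    session_key, wrapped = wrap_session_key(alice_pub)
    return {
        "signature_valid": verify(alice_pub, msg, sig),
        "tampered_rejected": not verify(alice_pub, msg.replace(b"120", b"920"), sig),
        "unwrapped_matches": decrypt(alice_priv, wrapped, 16) == session_key,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two details carry over to real systems: signing operates on the hash, never on the whole message, and the hybrid scheme exposes the slow public key operation to only 16 bytes, the session key, however large the data.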


Multimedia: How EFS Works


Key points

EFS is a feature of the Windows operating system. In this animation, you will see the following:

- How EFS combines public key encryption and symmetric encryption. A user encrypts data with a symmetric key known as a file encryption key (FEK).
- The FEK is encrypted with the user's public key, and also encrypted separately with the key recovery agent's (KRA's) public key.
- Either the user or the key recovery agent uses his private key to decrypt the FEK, and then uses the FEK to decrypt the data.
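The two-step procedure above and the EFS scheme in this animation, as an added example in Go using only the standard library (not the course's own code and not Windows EFS): a random file encryption key seals the data with AES-GCM, and only that 32-byte key goes through the slow RSA-OAEP operation, once for the user's public key and once for the key recovery agent's. The party names and the sample text are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedFile mirrors the EFS layout: the data is sealed once with a symmetric file
// encryption key (FEK), and the FEK is stored once per party allowed to recover it.
type EncryptedFile struct {
	Nonce, Ciphertext []byte
	WrappedFEKs       [][]byte // the FEK encrypted with each recipient's RSA public key
}

// NewKey generates a 2048-bit RSA key pair for one party (user, recovery agent, ...).
func NewKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

func newGCM(fek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(fek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt generates a fresh FEK, encrypts data with it (AES-256-GCM, fast for any size) and
// wraps the 32-byte FEK with RSA-OAEP for every public key given. Only the short FEK goes
// through the slow public key operation, and no secret key had to be exchanged in advance.
func Encrypt(data []byte, recipients ...*rsa.PublicKey) (*EncryptedFile, error) {
	fek := make([]byte, 32)
	if _, err := rand.Read(fek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ef := &EncryptedFile{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, data, nil)}
	for _, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, []byte("FEK"))
		if err != nil {
			return nil, err
		}
		ef.WrappedFEKs = append(ef.WrappedFEKs, wrapped)
	}
	return ef, nil
}

// Decrypt unwraps whichever FEK copy was made for priv and then decrypts the data. The user
// and the key recovery agent both succeed; a key the FEK was never wrapped for fails.
func Decrypt(ef *EncryptedFile, priv *rsa.PrivateKey) ([]byte, error) {
	for _, wrapped := range ef.WrappedFEKs {
		fek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, []byte("FEK"))
		if err != nil {
			continue // this copy was wrapped for another party's public key
		}
		gcm, err := newGCM(fek)
		if err != nil {
			return nil, err
		}
		return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
	}
	return nil, errors.New("no wrapped FEK matches this private key")
}

func main() {
	user, agent, outsider := NewKey(), NewKey(), NewKey()
	// Constructed sample data standing in for a file on the user's disk.
	ef, err := Encrypt([]byte("constructed sample: quarterly figures"), &user.PublicKey, &agent.PublicKey)
	if err != nil {
		panic(err)
	}
	for name, key := range map[string]*rsa.PrivateKey{"user": user, "recovery agent": agent, "outsider": outsider} {
		plain, err := Decrypt(ef, key)
		fmt.Printf("%s: %q %v\n", name, plain, err)
	}
}
```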


Practice: Determining When Public Key Encryption Works

Scenario 1: The security policy of your organization requires that all e-mail messages sent between employees in your company and business partners be signed.

Scenario 2: Five hundred employees in your company must exchange confidential data on laptop computers across the Internet.

Scenario 3: Your company policy requires that all e-mail messages in your company be encrypted.


Instructions

For each scenario, decide if you should use public key encryption. Discuss answers as a class.


Assessment: Using Public Key Encryption

Did you understand this lesson?

Complete the assessment question to confirm it.


Multiple choice

1. Two of your servers must encrypt a large amount of network traffic that travels between them. Should you use asymmetric encryption?
   a. Yes. Public key encryption is efficient for large amounts of data.
   b. No. Public key encryption is inefficient for large amounts of data.
   c. Yes. Key storage is more secure for public key encryption than for symmetric encryption.
   d. No. Key storage is less secure for public key encryption than for symmetric encryption.


Lab A: Using Cryptography to Secure Information

- Exercise 1: Choosing Encryption Methods
- Exercise 2: Using Encryption for EFS
- Exercise 3: Using Encryption for Web Communications


Module 6: Using a PKI to Secure Information


Contents

Overview 1
Lesson: Introduction to Certificates 2
Lesson: Introduction to Public Key Infrastructure 12
Lesson: Deploying and Managing Certificates 21

© 2002 Microsoft Corporation. All rights reserved.

Beta Materials Do not use for purposes other than Beta testing


Overview

- Introduction to Digital Certificates
- Introduction to Public Key Infrastructure
- Deploying and Managing Certificates

Introduction

Many individuals and organizations today depend on the Internet for both communication and commerce. It is important that they have a secure channel to transmit information. This module shows how you can use a public key infrastructure and digital certificates to provide that secure channel.

Objectives

After completing this module, you will be able to:

- Describe the way digital certificates work.
- Describe a public key infrastructure and its components.
- Describe how to deploy and manage digital certificates.


Lesson: Introduction to Certificates

- What Is a Digital Certificate?
- Common Uses of Certificates
- How To Create Certificates
- Ways To Store Certificates
- How Smart Cards Use Certificates

Introduction

A digital certificate is a way to verify the identity of a user or a computer when you transmit data electronically. This lesson describes how digital certificates are used, created and stored, and how smart cards can use certificates.

Objectives

At the end of this lesson, you will be able to:

- Describe a digital certificate.
- List the ways in which certificates are used.
- Describe how to create a digital certificate.
- Describe the ways to store a digital certificate.
- Describe how smart cards use digital certificates.


What Is a Digital Certificate?

- A certificate contains a public key; a digital signature ensures the certificate's authenticity
- Digital certificates:
  - Are signed by certification authorities (CAs)
  - Verify the identity of a user, computer or program that presents the certificate
  - Contain details about the issuer and the subject

Key points

When you transmit data electronically, digital certificates verify the identity of a user or a computer. For example, you can send a certificate with a signed e-mail message. The certificate enables the recipient to verify the sender of the message. You can also use the public key that is included with the certificate to encrypt or decrypt data.

A certificate is signed by a certification authority (CA), which certifies the validity of all information in the certificate. Before a CA issues a certificate, the CA verifies the identity of the requestor. An attacker cannot modify the certificate without the CA's knowledge. The verification can include:

- A manual background check of the requestor by a certificate administrator.
- Comparing the user's credentials against the discretionary access control list (DACL) of a certificate.

Certificate contents

ISO standard X.509, which is maintained by the International Organization for Standardization (ISO), defines the structure of a certificate. A certificate contains the following information:

- The public cryptographic key from the certificate subject's public and private key pair.
- Information about the subject that requested the certificate:
  - The user's or computer's X.500 distinguished name.
  - The e-mail address of the certificate's owner.
- Details about the CA.
- Expiration dates.
- A hash of the certificate contents, signed by the CA, to ensure authenticity.


Common Uses of Certificates

- 802.1x
- Digital Signatures
- Encrypting File System
- Internet Authentication
- IP Security
- Secure E-Mail
- Smart Card Logon
- Software Code Signing

Key points

The following table describes the ways in which you can use certificates:

Method: Description

802.1x: Encrypts data transmitted between wireless devices. Wireless devices use the public key in a certificate to secure data during transmissions. The 802.1x protocol also uses certificates to authenticate wireless devices.

Digital signatures: Uses the public key in a certificate to verify that data has been signed with the corresponding private key.

Encrypting File System (EFS): Uses the public key in a certificate to encrypt file encryption keys (FEKs).

Internet authentication: Verifies the identity of a Web server for Web clients. Web servers can also use certificates to verify the identity of Web clients.

IP Security (IPSec): Verifies the identity of computers and encrypts data as it is transmitted across the network.

Secure E-mail: Verifies signed e-mail messages and decrypts e-mail messages.

Smart card logon: Verifies the identity of a user in a smart card logon.

Software code signing: Verifies the identity of a software publisher.


How To Create Certificates

[Slide figure: the user's or computer's private/public key pair, the application or service, the certification authority, and the certificate administrator, with the enrollment steps numbered 1 to 3]

Key points

The process of requesting and receiving a certificate is known as enrollment. A user or computer initiates enrollment by providing unique information, such as an e-mail address or common name, and a newly generated public key to a CA. The CA uses this information to authenticate the identity of the user before issuing a certificate. The process of requesting and issuing a certificate is as follows:

1. Applicant generates a key pair. The applicant generates a public and private key pair, or is assigned a key pair by an authority in the organization.
2. Applicant sends certificate request to the CA. The applicant provides the information requested by the CA in a certificate request and sends it to the CA. The applicant includes the public key with the certificate request.
3. Administrator reviews the request. A certificate administrator reviews the certificate request to verify the information. Based on the presented information, the certificate administrator issues the certificate or denies the certificate request. If the CA is an enterprise CA, validating the certificate request may be based solely on the user's credentials. If the user has the required permissions for the requested certificate template, the certificate request is automatically approved.
4. Upon approval, the CA issues the certificate. The CA creates the certificate and issues the certificate to the certificate requestor. The CA signs the certificate to prevent modification. The certificate includes the requestor's identifying information and the submitted public key.


Multimedia: Using A Certificate to Secure Web Traffic

Instructions

This animation demonstrates the process by which a Web client and a Web server establish an SSL connection, including:

- The process of exchanging a certificate.
- The components of the certificate that are used in the process.


Practice: Examining a Certificate

1. Read the scenario
2. Discuss your answer with the class

Instructions

Read the scenario. Then choose the best proposal for securing Active Directory objects.

Scenario

Contoso Pharmaceuticals' European information technology group has decided to decentralize their user account administration. Currently all user accounts are administered by administrators in the central office. Only administrators in the central office can add or remove user accounts, or make any changes to these accounts. After the reorganization, administrators for each country should be able to add and remove user accounts for users in that country. Human Relations (HR) employees in each country should be able to make changes to the contact information of users, such as telephone numbers and addresses. Network administrators from the affected countries have proposed several solutions. Which method do you recommend as the most secure one?

Proposal 1: Place all European users into a single organizational unit (OU). Assign the Full Control permission for the OU to all administrators. Assign permissions to create, delete, and manage user accounts to all HR employees.

Proposal 2: Divide European users into OUs according to which country they work in. Assign the Full Control permission for each OU to the corresponding country's administrators. Assign permissions to create, delete, and manage user accounts in each OU to the corresponding country's HR employees.

Proposal 3: Divide European users into OUs according to which country they work in. Assign the Full Control permission for each OU to the corresponding country's administrators. Assign permissions to change contact information of user accounts in each OU to the corresponding country's HR employees.

Proposal 4: Place all European users into a single OU. Assign the Full Control permission for the OU to administrators that manage all European operations. Assign the Full Control permission for all user accounts in a country to that country's administrators. Assign permissions to modify contact information of user accounts to each country's HR employees.


Ways To Store Certificates

- On a computer, certificates are stored for a user, a computer, or a service account
- On a smart card, certificates provide physical protection of a private key
- In a file, certificates are used to:
  - Transfer information between computers
  - Provide physical protection of a private key
- Certificates can be published:
  - On a Web site
  - In Active Directory

Key points

You can store certificates with or without a private key. Normally, when you possess the private key, you store it with the certificate. You can store certificates in the following ways:

- On a computer, for a user, computer, or service account. Windows encrypts certificates that are stored on a computer. This ensures that only the authorized computer account, user, or service account can access the certificates.
- On a smart card. A smart card is essentially a small computer that protects information, such as private keys. A user must enter a personal identification number (PIN) to use the certificate.
- Exported to a file. You can store a certificate in a file to transfer information between computers or to physically protect a private key by removing the key from a computer. Common formats for exporting a certificate to a file are:
  - Public-Key Cryptography Standards (PKCS) #12: stores private and public keys.
  - PKCS #7, Distinguished Encoding Rules (DER) and Base-64: store the certificate only.
- Published to a secure Web site or in Active Directory. You can publish certificates to make them available to other users and computers.


How Smart Cards Use Certificates

- Smart cards store the certificate and the private key
  - The private key never leaves the smart card
- Smart cards use a PIN to protect private keys
  - The smart card locks after an incorrect PIN is entered multiple times

Key points

A smart card is a credit card-sized microcomputer without a graphical user interface. Smart cards provide tamper-resistant and portable security solutions for tasks such as securing e-mail messages or logging on to a domain. You use smart cards to store data, including certificates and the corresponding private key, securely. Smart cards work with computer software to generate key pairs and to provide access to the key pair and certificates stored on the smart card.

Enhanced security

Smart cards enhance network authentication security by using cryptography-based identification and two-factor authentication. To authenticate with the network, the user must possess the smart card and know the personal identification number (PIN) of the smart card. An attacker would have to obtain both the user's smart card and the PIN to impersonate the user. Smart cards enhance security in the following ways:

- Interactive logon. You can use a smart card for logging on to a workstation. When a user logs on with a smart card, the Windows operating system uses a certificate that is stored on the smart card to authenticate the user.
- Client authentication. You can use a smart card to authenticate access to resources, such as connecting to a secure Web site.
- Remote logon. You can use the certificate on the smart card for remote access and virtual private network (VPN) authentication attempts.
- Private key storage. You can move a private key from a computer to a smart card. You can then keep the smart card in a secure location, such as a safe, until you need the private key to perform an action.


Assessment: Introduction to Certificates

Did you understand this lesson? Complete the assessment question to confirm it.

1. While establishing an SSL connection to https://www.contoso.msft, Internet Explorer informs you that there are problems with the certificate. Upon further investigation, you determine that the certificate was issued by a trusted CA and that the certificate is valid. However, the certificate was issued for www.nwtraders.msft. You instruct Internet Explorer to ignore the problem and continue communicating with the Web site despite the problem with the certificate. Which of the following statements are true? (Choose all that apply.)
   a. You can encrypt information that you exchange with the Web site.
   b. You can only exchange clear-text data with the Web site.
   c. You have assurance that the Web site that you connect to belongs to Contoso.
   d. The Contoso Web site accepted your connection and redirected you to the Northwind Traders Web Site.


Lesson: Introduction to Public Key Infrastructure

- What Is a Public Key Infrastructure?
- The Role of a Certification Authority
- What Is a Trusted Root Certificate?
- What Is a Distributed Trust?
- Guidelines for Using Private and Commercial CAs

Introduction

Organizations rely on the network for both internal and external communications and to conduct business. A public key infrastructure is a way to secure communications and business transactions. This lesson describes the components of a public key infrastructure, and how a public key infrastructure works with certificates and certification authorities.

Objectives

At the end of this lesson, you will be able to:

- Describe a public key infrastructure and its components.
- Describe the role of the certification authority.
- Describe a trusted root certificate.
- Describe a distributed trust.
- List guidelines for using private and commercial certification authorities.


What Is a Public Key Infrastructure?

A public key infrastructure (PKI) is the combination of software, encryption technologies, and services that enables organizations to secure their communications and business transactions.

[Slide figure: the PKI components named in the table: tools for key and certificate management, certification authority, certificate and CRL distribution points, digital certificate, certificate revocation list, and public key-enabled applications and services]

Key points

In a public key infrastructure (PKI), certificates are exchanged between authenticated users and trusted resources that secure data and manage identification credentials both within and outside the organization. The following table describes the components of a PKI.

PKI component: Description

Digital certificate: Authenticates users and computers.

Certification Authority: Issues and manages the certificates issued to users, computers, and services.

Certificate Revocation List (CRL): Lists the certificates that are revoked by a CA before reaching their scheduled expiration date.

Certificate and CRL distribution points: Makes certificates and CRLs publicly available, either inside or outside an organization. Publishers can use a directory service, such as X.500, the Lightweight Directory Access Protocol (LDAP), or operating system specific directories, or publish certificates and CRLs on Web servers.

Certificate and CA management tools: Manages issued certificates, publishes CA certificates and CRLs, configures CAs, imports and exports certificates and keys, and recovers archived private keys.

Public key-enabled applications and services: Deploys applications and services that can use these certificates. For e-commerce and secure network access, you can combine cryptographic functions such as digital signing and encryption.


The Role of a Certification Authority

A Certification Authority (CA):

- Verifies the identity of a certificate requester: the mode of identification depends on CA policy
- Issues certificates: the CA policy determines the information in the certificate, such as allowed usage
- Manages certificate revocation: the CA ensures that invalidated certificates are no longer used

Key points

A certification authority (CA) is a computer with the Certificate Services service loaded. The CA performs the following tasks:

- Verifies the identity of the certificate requestor. Before issuing a certificate to a requesting user or computer, a certificate administrator validates the requestor to ensure that certificates are only issued to approved users or computers. The validation method depends on the type of CA: a CA may require a background check before a certificate is issued. Alternatively, the certificate may be issued based on the credentials presented during the certificate request.
- Issues certificates to requesting users and computers. After the identity of the requesting user or computer is validated, the CA issues the requested certificate. The type of requested certificate determines the content of the issued certificate. For example, an IPSec certificate includes application policies that only enable IPSec authentication for the certificate usage.
- Manages certificate revocation. The CA publishes a certificate revocation list (CRL) at regular intervals. The CRL consists of a list of certificates issued by the CA that can no longer be trusted. The CRL includes the certificate serial number and the reason that the certificate was revoked.


What Is a Trusted Root Certificate?

- A root certificate is a self-signed certificate issued to CAs
- You designate a root certificate as trusted by adding it to a trusted root store

[Slide figure: a root certificate with Subject: RootCA and Issuer: RootCA, and the four ways to designate it as trusted: the Microsoft Root Certificate Program, a computer's Trusted Root CA store, domain Group Policy, and the Configuration naming context in Active Directory]

Key points

A root certificate is a self-signed certificate: the CA that issues the certificate is also the recipient of the certificate. You must use the Certificates snap-in to add a root CA certificate to your personal or computer trusted root store. When a certificate is presented to an application, one of the validation tests that the application performs is to determine whether the certificate was issued by a CA that chains to a trusted root. If the presented certificate chains to a trusted root CA, the certificate is implicitly trusted by the client.

Designating Trusted Root CAs

You can designate trusted root certificates by using:

- Microsoft Root Certificate Program. Microsoft ships a set of root certificates from commercial CAs such as VeriSign, RSA, and Thawte that are included in the root store. There are over 100 default trusted root certificates.
- Computer's trusted root CA store. The local administrator or a user can add a root certificate to a trusted root store. The local administrator uses the Certificates snap-in to add a root certificate to a computer's trusted root store. Certificates included in a computer's trusted root store are trusted by all users of that computer. The certificate trust does not extend beyond that computer. A user uses the Certificates snap-in to add a root certificate to the user's trusted root store. Any certificates included in the user's trusted root store are trusted only by that user.
- Domain group policy. A domain administrator or user with the permissions to modify Group Policy can designate trusted root certificates for all computers within the site, domain, or organizational unit (OU) where the Group Policy object is applied.
- Active Directory. A member of the Enterprise Admins group can publish a root certificate in Active Directory by using the Certutil.exe tool so that all users and computers in the Active Directory forest trust this root CA.


What Is a Distributed Trust?

- In a distributed trust, when a client trusts the root CA, it trusts all the certificates in the certificate chain
- Each CA validates the identity of other entities
- The client often trusts multiple root CAs
- Distributed trust is based on a trusted third-party model

[Slide figure: two root CAs, each with intermediate CAs beneath it, which in turn have issuing CAs beneath them]

Key points

In a distributed trust, a client trusts multiple CAs to validate the identity of users or computers. Multiple CAs form a certificate chain. In a certificate chain, a root CA can issue certificates to other CAs, which then issue certificates to users and computers. When a client trusts a root CA to perform validation tasks, it implicitly trusts all other CAs authorized by the root CA to issue certificates. Using certificate chains makes it possible for clients to trust a large number of CAs without having to trust each one specifically. Only the root CA needs to be trusted.

A root CA determines the policies of subordinate CAs. When a root CA issues a certificate to a subordinate CA, it guarantees that the subordinate CA conforms to the policy of the root CA and any intermediate CAs. The policies of subordinate CAs can be more restrictive than the policy of a root CA, but not less restrictive.

Clients often trust multiple root CAs. This enables an organization to use certificates that have been issued within the organization and also certificates that have been issued by other organizations.
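The chain just described, together with the enrollment steps from How To Create Certificates, as an added example in Go using the standard library (not code from the course and not Windows Certificate Services): a self-signed root issues a certificate to an issuing CA, a server enrolls with that CA by sending a certificate request, and a client that trusts only the root validates the server's certificate, including the check that it was issued for the name the client connected to. The CA names and host names are constructed for the example, and the administrator's review step is reduced to checking the request's signature.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// check panics on error to keep the example short; real code would return the error.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue is the CA's signing step: parent signs tmpl for the holder of pub.
func issue(tmpl *x509.Certificate, pub any, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// newCA makes a key pair and a CA certificate (constructed name) that may sign certificates
// and CRLs. A nil parent gives a self-signed root: the CA is both issuer and subject.
func newCA(name string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(30 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	return issue(tmpl, &key.PublicKey, parent, parentKey), key
}

func enroll(host string, serial int64, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // step 1: the applicant's key pair
	check(err)
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
	}, key) // step 2: the request carries the public key and is signed with the private key
	check(err)
	csr, err := x509.ParseCertificateRequest(csrDER)
	check(err)
	check(csr.CheckSignature()) // step 3: the requester proved it holds the private key
	return issue(&x509.Certificate{ // step 4: the CA signs the submitted name and public key
		SerialNumber: big.NewInt(serial),
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(7 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, csr.PublicKey, ca, caKey)
}

// BuildChain creates root CA -> issuing CA -> server certificate for host.
func BuildChain(host string) (root, issuing, leaf *x509.Certificate) {
	root, rootKey := newCA("Example Root CA", 1, nil, nil)
	issuing, issuingKey := newCA("Example Issuing CA", 2, root, rootKey)
	return root, issuing, enroll(host, 3, issuing, issuingKey)
}

// Validate is the client's check: it trusts only root, gets the issuing CA certificate from the server, and requires the certificate to name host.
func Validate(leaf, issuing, root *x509.Certificate, host string) string {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inter.AddCert(issuing)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host})
	var nameErr, authErr = x509.HostnameError{}, x509.UnknownAuthorityError{}
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &nameErr): // chain is trusted, but the certificate was issued to another site
		return "name mismatch"
	case errors.As(err, &authErr): // no path from the certificate to a root this client trusts
		return "untrusted"
	}
	return err.Error()
}

func main() {
	root, issuing, leaf := BuildChain("www.nwtraders.msft")
	fmt.Println("connected to www.nwtraders.msft:", Validate(leaf, issuing, root, "www.nwtraders.msft"))
	fmt.Println("connected to www.contoso.msft:", Validate(leaf, issuing, root, "www.contoso.msft"))
}
```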


Guidelines for Using Private and Commercial CAs

Use a private CA when:

- Your organization administers its own PKI
- Certificates are used only in your organization
- Certificates are used with business partners and cross-certification is feasible

Use a commercial CA when:

- Your organization does not have its own PKI
- Certificates must be trusted outside your organization
- Certificates are used with business partners and cross-certification is not feasible

To support a PKI, you can use certificates from a private CA that your organization operates or certificates from a commercial CA such as VeriSign, Thawte, or RSA.

Private CA guidelines

Use a private CA when:

- Your organization administers its own PKI. Administering a PKI requires significant resources and is normally only performed by large organizations. Administering a PKI can save money when you need a large number of certificates because you do not have to purchase them from a commercial CA.
- Certificates are used only in your organization. You can configure all computers in your organization to trust your private root CA because you control that root CA and set policies that provide the level of security that you require.
- Cross-certification with business partners is feasible. Cross-certification allows one organization to create a limited trust for certificates from another organization.

Public CA guidelines

Use a commercial CA when:

- Your organization does not have its own PKI. Relying on a commercial CA to issue all certificates can be cost effective when you only require a small number of certificates.
- Certificates must be trusted outside your organization. Users outside your organization normally do not trust your root CA and therefore will not trust certificates issued by one of your CAs.
- Cross-certification with business partners is not feasible. If you are not able to establish limited trust for certificates from another organization, you can require certificates from a mutually trusted source, such as a commercial CA.


Practice: Using PKIs

1. Read the scenario
2. Discuss your answer with the class


Instructions

Read the scenarios. Then determine whether a public key infrastructure (PKI) based on a commercial or a private certificate authority (CA) is appropriate in each scenario.

Scenario 1

Northwind Traders has 20,000 employees worldwide. To increase security, Northwind Traders has decided to implement smartcard logons for all users. Northwind Traders also plans to require that all e-mail messages sent within the organization are digitally signed. Northwind Traders maintains a public Web site that accepts orders for Northwind products and a Web site for a small number of suppliers. The supplier Web site requires certificates to authenticate users who connect to this Web site. Northwind Traders is evaluating the use of private and commercial CAs to implement their CA infrastructure. What should they choose and why?

Scenario 2

Contoso has added a new branch office in Kota Bharu, Malaysia. This branch office has its own IT department, which administers the network infrastructure independently from the corporate IT department. The Malaysian IT department wants to install a certificate on their public Web site so that Malaysian customers can get secure access to this Web site. You have been asked to evaluate vendor proposals. One vendor has proposed a private CA solution. This is clearly the cheapest solution in the long run because it involves no recurring costs after setting up the initial infrastructure. The second proposal includes a certificate from a commercial root CA that is not listed in the list of root CAs in Internet Explorer. However, the vendor assures you that these certificates will work after users acknowledge an initial warning when accessing the Web site. Once users add the certificate to their list of trusted certificates, these warnings will no longer happen. The third proposal consists of purchasing a certificate from a commercial CA that is chained to a root CA in the list of trusted root CAs in Internet Explorer. This is the most expensive option; the office would have to renew the certificate every two years at a significant cost. Which of the proposals should the Kota Bharu office implement?


Assessment: Introduction to Public Key Infrastructure

Did you understand this lesson? Complete the assessment question to confirm it.


Multiple choice

1. Contoso is starting a joint venture with Northwind Traders. The joint venture requires that engineers from Northwind Traders access a Contoso Web server that requires certificate authentication. Root certificates for several commercial CAs and Contoso's private CA are installed on the Web server. All Northwind Traders employees have certificates that have been issued by the Northwind Traders CA. Which of the following strategies should you choose to allow your Web server to authenticate the engineers by using user certificates that these engineers provide? (Choose the best answer.)
a. Issue certificates from Contoso's private CA to each engineer.
b. Install a root certificate for the Northwind Traders CA on the Contoso Web server.
c. Require each engineer to acquire a certificate from a commercial CA.
d. Map each certificate that has been issued by Northwind Traders to a certificate that has been issued by Contoso.


Lesson: Deploying and Managing Certificates


The Certificate Life Cycle
How to Request Certificates
How to Revoke Certificates
How to Import and Export Certificates


Introduction

Certificates are the basic component of a PKI, and establish credentials so that organizations and individuals can securely transmit information and conduct transactions on the Internet. In order to maintain a secure environment, you need to be able to deploy, update, and revoke certificates.

Objectives

At the end of this lesson, you will be able to:

Describe the certificate life cycle.
Request certificates.
Revoke certificates.
Import and export certificates.


The Certificate Life Cycle


1. Certificate Request
2. Certificate Generation
3. Certificate Distribution
4. Certificate Usage
5. Certificate Revocation, Expiration, or Renewal

Key points

When a certificate is issued, it passes through various phases and remains valid for a certain period of time. This is known as the certificate lifetime. The CA policy determines the certificate lifetime. You can renew a certificate in a cycle until the certificate is revoked or expired, or the issuing CA is unavailable. The certificate life cycle includes the following phases:

1. Users, computers, or services generate a public/private key pair and submit a certificate request to a CA. The certificate request contains the public key and identifying information.
2. The CA generates the certificate.
3. The certificate is distributed to the requesting user, computer, or service.
4. The user, computer, or service uses the certificate when working with PKI-enabled applications.
5. The certificate reaches the end of its lifetime. At this point, the certificate:
Expires if the validity period for the certificate terminates.
Is renewed to issue a new certificate that may or may not use the existing public key.
Is revoked because of a situation or incident that requires the termination of the certificate before its validity period expires.


How to Request Certificates


Supply information about the subject:
Name
E-mail address
Organization
Locality
Intended use

Submit the request:
Use Web enrollment
Use a certificate request file
Use Certificate Request Wizard

Key points

To request a certificate, submit the request to the CA with information about the subject using one of the following methods:

Web enrollment. In this method, you use an application such as Internet Information Services (IIS) that can connect to a CA to create a certificate request and request the certificate from a CA. IIS and other applications can use information in Active Directory to automatically connect to a CA and request a certificate.

Certificate request file. In this method, you use an application such as IIS to create a certificate request file. You then submit the file to a CA by e-mail or by connecting to the CA's Web site.

Certificate Request Wizard. In this method, you connect to the Web site of the CA and submit all required information.
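Phases 1 to 3 of the life cycle above, and the certificate request file method just described, can be carried out from the command line with certreq, which ships with Windows. The following PowerShell script is an added example and is not part of the course or a Microsoft procedure; the CA configuration string, template name and subject are placeholders for your own enterprise CA.

```powershell
# Added example (not from the course): the request phase of the certificate
# life cycle using certreq. The key pair is generated on the requesting
# computer; only the public key and the subject information leave it, inside
# the PKCS #10 request file. CA name, template and subject are placeholders.
$caConfig = 'london.contoso.com\Contoso CA'              # placeholder: "<CA host>\<CA common name>"
$subject  = 'CN=Admin1,OU=IT,O=Contoso,L=Redmond,C=US'    # placeholder subject

# 1. Describe the request: key size, whether the private key may later be
#    exported (FALSE keeps it bound to this computer), and the template the
#    enterprise CA should apply. An enterprise CA may build the subject from
#    Active Directory instead of the value given here.
@"
[NewRequest]
Subject = "$subject"
KeyLength = 2048
KeySpec = 1
Exportable = FALSE
MachineKeySet = FALSE
RequestType = PKCS10
HashAlgorithm = sha256

[RequestAttributes]
CertificateTemplate = User
"@ | Set-Content -Path "$env:TEMP\user.inf" -Encoding ASCII

# 2. Generate the key pair and the PKCS #10 request. The private key stays in
#    the current user's key store; user.req is the certificate request file.
certreq -new "$env:TEMP\user.inf" "$env:TEMP\user.req"

# 3. Submit the request to the CA. The template decides whether the CA issues
#    the certificate immediately or holds it for an administrator's approval.
certreq -submit -config $caConfig "$env:TEMP\user.req" "$env:TEMP\user.cer"

# 4. Accept the issued certificate: this pairs it with the private key in the
#    Personal store, which is what "Install this certificate" does on the
#    Web enrollment page.
if (Test-Path "$env:TEMP\user.cer") {
    certreq -accept "$env:TEMP\user.cer"
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -eq $subject } |
        Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint
}
```

The NotBefore and NotAfter values printed at the end are the validity period that the CA policy set; that is the lifetime the life-cycle phases above run through. If step 3 reports that the request is pending, an administrator must issue it in Certification Authority before step 4 can succeed.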

Additional reading

For more information about how to request and administer certificates, see Manage Certificates in Windows 2000 Server online Help at http://www.microsoft.com/windows2000.


Practice 6C: Deploying and Managing Certificates

1. Read the scenario
2. Follow the steps to request a certificate

Instructions

Read the scenario and then follow the steps to request a certificate.

Scenario

Contoso Pharmaceutical will soon require that users use certificates for authentication at certain corporate intranet sites. You have already installed an enterprise CA at Contoso that will allow users to request certificates. Before you send instructions to users to obtain certificates, you will make sure that the certificate enrollment process is working correctly.

Practice

1. Log on using the following information:
User name: Adminx (where x is your assigned student number)
Password: P@ssw0rd
Log on to: contoso
2. Open Internet Explorer and connect to https://london/certsrv.
3. In the Security Alert dialog box, click OK.
4. In Microsoft Certificate Services, ensure that Request a certificate is selected, and then click Next.
5. On the Choose Request Type page, ensure that User Certificate is selected, and then click Next.
Certificate enrollment by using a Web page requires an ActiveX control that runs on the local computer. Internet Explorer requires you to approve the installation of these ActiveX controls.
6. In each of the two Security Warning dialog boxes, click Yes.
The ActiveX controls collected all information about your user account that is required to request a certificate.
7. On the User Certificate Identifying Information page, click Submit.
8. In the Potential Scripting Violation dialog box, click Yes.
The CA issued the certificate that you requested. To use the certificate on your computer you must install it into the user certificate store.
9. On the Certificate Issued page, click Install this certificate.
10. In the Potential Scripting Violation dialog box, click Yes.
11. Close Internet Explorer.
12. Click Start, and then click Run.
13. In the Run dialog box, type mmc and then click OK.
14. In the Console1 window, on the Console menu, click Add/Remove Snap-in.
15. In the Add/Remove Snap-in dialog box, click Add.
16. In the Add Standalone Snap-in dialog box, under Available Standalone Snap-ins, click Certificates, and then click Add.
17. In the Certificates snap-in dialog box, ensure that My user account is selected, and then click Finish.
18. Click Close to close the Add Standalone Snap-in dialog box, and then click OK to close the Add/Remove Snap-in dialog box.
19. In the console tree, expand Certificates - Current User, expand Personal, and then click Certificates.
20. In the details pane, double-click Adminx (where x is your student number).
The certificate has been issued by the Contoso CA and you can use the certificate for several purposes, including proving your identity to a remote computer.
21. In the Certificate dialog box, click OK, and then close Console1 without saving any changes.
22. Ask your instructor to confirm that the certificate has been issued by viewing the issued certificates in Certification Authority. Next, ask your instructor to revoke the certificate. Once the certificate has been revoked, will you be able to continue using the certificate?
____________________________________________________________
____________________________________________________________
____________________________________________________________
____________________________________________________________
23. Close all open windows, and then log off.


How to Revoke Certificates

Revoke a certificate at the Certificate Authority (CA)

Publish a Certificate Revocation List (CRL)

Revoking a certificate is a way to invalidate a certificate before its regular expiration date. To revoke a certificate, first revoke the certificate at the CA. Then you must publish the revoked certificate to a certificate revocation list (CRL).

Revoking a certificate

To revoke a certificate means marking an issued certificate in the CA's database as revoked. You revoke a certificate when:

A private key has been compromised.
The user has left the organization.
The CA has been compromised.
The certificate has been superseded by a new certificate.
The CA has ceased operation.

Publishing to a CRL

An application that is configured to check the revocation status of a certificate downloads the CRL when it checks the validity of a certificate. For an application to recognize that a certificate has been revoked, the following conditions must exist:

The certificate has been revoked.

The revoked certificate has been published to the CRL. Publishing to the CRL is a separate step that the CRL administrator must perform after revoking one or more certificates.

The certificate must contain the location of the CRL publication point (Active Directory or a Web site).

The application must be configured to perform CRL checking.

The application cannot have a valid cached copy of a previous version of the CRL. If the application has a cached copy of the CRL, it continues to use that version until it expires. The application will not download an updated version of the CRL until the current version has expired.


Suspending a certificate

Some CAs allow you to suspend a certificate. When you suspend a certificate it is added to the CRL, but you can validate the certificate again and remove it from the CRL. Suspend a certificate when you want to temporarily invalidate it, for example, when a user who possesses the private key is leaving the organization for a fixed period of time and will return later.
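The three topics above (revoking at the CA, publishing the CRL, and the client's cached copy) map onto a handful of certutil commands. The following PowerShell script is an added example, not part of the course; the serial number, certificate file and CRL file are placeholders, and the first two commands run on the CA while the last two run on a client.

```powershell
# Added example (not from the course): revocation, CRL publication and a
# client-side revocation check with certutil. Serial number and file names
# are placeholders; steps 1 and 2 run on the CA, steps 3 and 4 on a client.
$serial  = '1a2b3c4d000000000003'     # placeholder: serial from the CA's Issued Certificates view
$certCer = 'C:\temp\user.cer'         # placeholder: copy of the certificate being checked
$crlFile = 'C:\temp\contoso.crl'      # placeholder: CRL downloaded from the distribution point

# 1. (CA) Mark the certificate as revoked. The reason code matches the
#    situations listed above: 1 KeyCompromise, 2 CACompromise,
#    3 AffiliationChanged (user left), 4 Superseded, 5 CessationOfOperation,
#    6 CertificateHold. Only CertificateHold is a suspension and can be
#    undone later with:  certutil -revoke <serial> Unrevoke
certutil -revoke $serial 1

# 2. (CA) Publish a new CRL. Until this runs, the revocation is recorded in
#    the CA database only and every client still sees the certificate as valid.
certutil -crl

# 3. (Client) Fetch the CRL from the distribution point named in the
#    certificate and report the revocation status. Without -urlfetch certutil
#    would use the cached CRL, which is only replaced once its Next Update
#    time has passed, so a fresh revocation can look valid.
certutil -verify -urlfetch $certCer

# 4. (Client) Show how long a cached copy may be reused: This Update and
#    Next Update bound the window during which clients that already hold the
#    CRL do not learn of the revocation. The serial numbers listed are the
#    revoked certificates in this CRL.
certutil -dump $crlFile | Select-String 'This ?Update|Next ?Update|Serial Number'
```

The window between step 1 and the moment a client's cached CRL expires is the answer to the assessment question that follows this lesson: revocation at the CA alone changes nothing for a client until a CRL containing the serial number has been published and the client has fetched it.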


How to Export and Import Certificates

To import a certificate:
1. Use the Certificates snap-in
2. Choose the store to import the certificate into
3. If applicable, choose how to protect the private key

To export a certificate:
1. Use the Certificates snap-in
2. Choose the store to export the certificate from
3. Choose whether to export the private key
4. Choose the file type
5. Assign a password to protect the private key

Importing a certificate

Import a certificate when you need it on a computer that does not already have the certificate. To import a certificate, in the Certificates snap-in, right-click the certificate store that you want to import the certificate into, and then click Import. The Certificate Import Wizard then prompts you for the location of the certificate import file and a password if the import file is encrypted.

Exporting a certificate

Export a certificate when you need to recover from a loss of the certificate, remove a private key from a computer, prevent access to the private key, or move certificates to a different computer. To export a certificate, in the Certificates snap-in, right-click the certificate, and then click Export. The Certificate Export Wizard then prompts you for a file name, a storage format, and whether you want to export the private key. The choice about which storage format to use depends on the requirements for the computer to which you will later import the certificate. If you plan to import the certificate into a certificate store on another computer running Windows, you can choose the default format that the wizard suggests. The wizard only allows you to export a private key with the certificate if you possess the private key and if the private key has been marked for export. The Certificate Export Wizard prompts you to supply a password to encrypt an export file that contains a private key. The security of the private key depends on the security of the password that you choose. You will need this password when importing the certificate and the private key to the same computer or another computer.
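The same export and import decisions can be scripted with the PKI module cmdlets that ship with Windows 8 and Windows Server 2012 and later. The following PowerShell script is an added example, not part of the course; the thumbprint and file paths are placeholders, and the import step is the one you would run on the destination computer.

```powershell
# Added example (not from the course): export a user certificate with its
# private key to a password-protected PFX (PKCS #12) file and import it on
# another computer. Thumbprint and paths are placeholders.
$thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # placeholder: thumbprint shown in the Certificates snap-in
$pfxPath    = 'C:\temp\admin1.pfx'                           # placeholder output file

$cert = Get-ChildItem "Cert:\CurrentUser\My\$thumbprint"

# The wizard only offers the private key when you hold it and it was marked
# exportable at enrollment; Export-PfxCertificate fails under the same two
# conditions, so check the first one up front.
if (-not $cert.HasPrivateKey) {
    throw 'No private key is present for this certificate; only the public certificate can be exported.'
}

# The PFX is only as safe as this secret, so prompt for it rather than
# hard-coding it in the script.
$password = Read-Host -Prompt 'PFX password' -AsSecureString

# Certificate + private key. BuildChain also packs the issuing CA certificates
# so the destination computer can validate the certificate after import.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password -ChainOption BuildChain

# The public certificate alone (DER-encoded .cer) is what you hand to others;
# it carries no private key and needs no password.
Export-Certificate -Cert $cert -FilePath ($pfxPath -replace '\.pfx$', '.cer') -Type CERT

# On the destination computer: import into the user's Personal store. Leaving
# out -Exportable means the key cannot be exported again from that machine,
# which limits how far a copy of the private key can spread.
Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $password

# The PFX is a copy of the private key: delete it once the import is done.
Remove-Item $pfxPath
```

Treat the PFX file like the private key itself while it exists: the password protects it, but the "remove a private key from a computer" use case above is only complete once the exported file has been deleted from every place it was copied to.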


Assessment: Deploying and Managing Certificates

Did you understand this lesson? Complete the assessment question to confirm it.


Multiple choice

1. A user at Contoso has lost a laptop that holds a copy of his private key, which he uses to authenticate when accessing a corporate Web site. You determine that this constitutes a key compromise and you revoke the certificate. When will the corporate Web site start to reject authentication attempts that use the revoked certificate? (Choose the correct answer.)
a. Immediately upon revocation at the CA
b. When the CRL that contains the certificate is published by the CA
c. When the corporate Web server renews an expired CRL for your CA
d. When the validity period of the certificate expires


Lab A: Using Certificates


Exercise 1: Installing a Certificate
Students will install a root certificate.

Exercise 2: Issuing a Certificate
Students will acquire a Web server certificate from a CA.

Exercise 3: Using Certificates to Encrypt Data
Students will use a certificate to encrypt Web traffic.

Exercise 4: Examining Certificates
Students will examine certificates for components such as issuer, expiration and permitted use.

Exercise 5: Exporting and Importing Certificates
Students will export and import certificates to move them between computers.


Module 7: Securing Internet Applications & Components


Contents

Overview 1
Lesson: Securing Web Servers 2
Assessment 13
Lesson: Configuring Security for Common Internet Protocols 14
Assessment 21
Lesson: Configuring Security for Web Browsers 22
Assessment 28
Lesson: Configuring Security for Databases 29
Assessment 34
Lab A: Securing Web Servers 35
Lab B: Protecting Clients from Active Content 36


Overview

Securing Web Servers
Configuring Security for Common Internet Protocols
Configuring Security for Web Browsers
Configuring Security for Databases

Introduction

When you expose a network to the Internet, you introduce several potential threats to your network assets. In this module, you will learn how to protect your network against common attacks from the Internet by securing the servers that provide Web content and by configuring Internet protocols to optimize security. You will also learn how to secure the Web browsers of your internal users and secure internal databases that are exposed to the Internet. After completing this module, you will be able to:

Objectives

Secure Web servers against common attacks
Configure security for common Internet protocols
Configure security for the Web browsers of internal users
Configure security for internal databases that are exposed to the Internet


Lesson: Securing Web Servers

Common Attacks Against Web Servers
Guidelines for Securing Operating Systems
How to Secure IIS
Guidelines for Securing Web Servers
Considerations for Encrypting Web Traffic with SSL

Introduction

A Web server is a computer that provides Web content to users on the Internet. This lesson describes common attacks against Web servers and guidelines for preventing those attacks. You will learn the steps for securing the operating system running on a Web server, guidelines for securing Microsoft Internet Information Server (IIS), and considerations for encrypting the data that travels between Web servers and clients. After completing this lesson, you will be able to:

Lesson objectives

Explain common attacks against Web servers
Secure the operating system of the Web server
Secure an IIS server
Secure the Web server software
Secure traffic between the server and client with Secure Sockets Layer (SSL)


Common Attacks Against Web Servers

Attacks using sample applications
Reconnaissance attacks
Exploits of:
Default configurations
Poor Web design
Denial-of-service attacks:
Buffer overflow
SYN flooding
Ping of death

Key points

Web servers are directly exposed to Internet users anywhere in the world. Consequently, they are also exposed to numerous potential attacks. The most common types of attacks against Web servers include:

Attacks that use sample applications and admin scripts. Instead of guessing the location of commands, attackers exploit sample applications with default paths on the server. Admin scripts contain code that can be used to make configuration changes on the computer, such as resetting passwords and rebooting the server.

Reconnaissance attacks. These occur when an intruder is looking for vulnerabilities on a network. Potential attacks include ping sweeps, DNS zone transfers, e-mail reconnaissance, and port scans.

Exploits of default configurations. By default, the wwwroot and ftproot folders are located on the same drive as the operating system. If an attacker is able to access the Web folder, they may get access to the root of the drive and the system folders.

Exploits of poor Web design. Exposing administrative functionality through a Web page, allowing users to send open queries against a database, or hard coding SQL server paths are all examples of exploitable Web design.

Denial of service (DoS) attacks. These occur when an intruder attempts to overload a resource, such as network links, the CPU, or the disk subsystem, to disable the computer. Examples of DoS attacks include:

Buffer overflow. Attackers can execute arbitrary commands by overflowing the buffer.

SYN flooding. Attackers send multiple TCP connection requests to the target computer where the source IP address in the packet is replaced with a non-valid address. The resources on the target computer become busy trying to acknowledge these connections.

Ping of death. This attack involves a large number of ICMP echo request packets sent to a single computer. The target computer tries to respond to all of the packets, causing a buffer overflow that crashes the computer.

Additional reading

For more information about DoS attacks, see Best Practices for Preventing DoS/Denial of Service Attacks. For more information about data security, see Data Security and Data Availability in the Administrative Authority under Additional Reading on the Web page on the Student Materials CD.


Guidelines for Securing Operating Systems

File System
Use NTFS on Web sites running Microsoft Windows
Review directory permissions
Set access control for the anonymous user account
Store executable files in a separate directory

User Accounts
Choose strong passwords for all accounts, including the Administrator account
Change passwords frequently
Review user accounts frequently
Maintain strict account policies
Limit membership of the Administrators group

Services
Run necessary services only
Unbind unnecessary services from your Internet adapter cards
Enable auditing
Use encryption when administering your computer remotely
Back up the registry and vital files often
Run virus checks regularly

To secure a Web server you must first secure the operating system of the server. The security features in Internet Information Server (IIS) are built upon those in Microsoft Windows. The following settings will help secure your Web server operating system:

Guidelines for securing the file system

Use NTFS. The NT File System (NTFS) is more secure and reliable than the File Allocation Table (FAT) system.

Review directory permissions. In Windows 2000, when you create new folders, Windows assigns Full Control permissions to the Everyone group by default. Assign these permissions to necessary users only.

Check NTFS permissions on network drives. In Windows 2000, Windows creates new shared resources and assigns Full Control permissions to the Everyone group by default. Assign these permissions to necessary users only.

Set access control for the account used for anonymous access. Limit the access on the computer given to the IUSR_computername account.

Store executable files in a separate directory. This makes it easier to assign access permissions and auditing.

Guidelines for securing user accounts

Review user accounts often. Check for new accounts that were not created by a valid administrator.

Review the rights given to the IUSR_computername account. All users gaining anonymous access to your site have the rights assigned to this account. You can also use auditing to monitor when and by whom security policies are changed.

Choose complex passwords. Passwords are more difficult to guess if they consist of a combination of lowercase and uppercase letters, numbers, and special characters.

Maintain strict account policies. Keep track of what types of access are given to important user accounts and groups. This includes knowing who has the ability to change security policies.

Limit the membership of the Administrators group. This group typically has full access to the computer.

Assign a complex password to the Administrator account and rename it. The default Administrator account password is blank. To improve security, set a difficult password for this account.

Guidelines for securing services

Run minimal services. Run only the services that are absolutely necessary for your purposes. Each additional service that you run presents an entry point for malicious attacks.

Do not use domain controllers as Web servers. Domain controllers are constantly processing authentication requests and processing other domain related functions. Running a Web service on the domain controller decreases performance and could expose Active Directory to attacks.

Enable auditing. Auditing is a valuable tool for tracking access to important files. You can also use auditing to track server events, such as a change in your security policy.

Use encryption if administering your computer remotely. To protect sensitive information, such as the password for the Administrator account, use Secure Sockets Layer (SSL) or IPSec to provide encryption.

Use a low-level account to browse the Internet. Using the Administrator, Power User, or another highly privileged account to browse the Internet opens potential entry points for attacks.

Back up vital files and the registry often. No security effort can guarantee data safety. In the worst case scenario, you may have to rebuild the modified or destroyed data from your backup.

Run virus checks regularly. Any computer on an open network is susceptible to computer viruses. Regular virus checkups can help avoid unnecessary data loss. Also keep the virus signatures updated.

Unbind unnecessary services from your Internet adapter cards. Be sure to check with your system administrator before unbinding services because this could have undesirable effects on other users of your system.
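Three of the guidelines above (Everyone/Full Control on content folders, Administrators group membership, and unnecessary running services) can be audited from PowerShell before anything is changed. The following script is an added example, not part of the course; the content folder paths and the list of approved services are placeholders to replace with your own.

```powershell
# Added example (not from the course): a read-only audit of three items from
# the guidelines above. It reports findings and changes nothing, so it can be
# run repeatedly as part of the "review ... often" steps. Paths and the
# approved service list are placeholders.
$webRoots = @('C:\inetpub\wwwroot', 'C:\inetpub\ftproot')   # placeholder content folders

# 1. File system: flag any ACE on the Web folders that grants Everyone or the
#    Users group Full Control, Modify or Write. Read is what anonymous
#    visitors need; anything more lets them change the content.
foreach ($root in $webRoots | Where-Object { Test-Path $_ }) {
    $acl = Get-Acl -Path $root
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference -match 'Everyone|BUILTIN\\Users' -and
            $ace.FileSystemRights -match 'FullControl|Modify|Write') {
            Write-Warning "$root grants $($ace.FileSystemRights) to $($ace.IdentityReference)"
        }
    }
}

# 2. User accounts: list the members of the local Administrators group so the
#    membership can be reviewed and trimmed to the people who actually need it.
Write-Host 'Local Administrators:'
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# 3. Services: list running services that are not on the approved list so the
#    rest can be stopped and disabled. The approved list below is a placeholder;
#    replace it with the services this server actually needs.
$approved = @('W3SVC', 'WAS', 'EventLog', 'Dnscache', 'LanmanWorkstation', 'RpcSs', 'Schedule', 'Winmgmt')
Write-Host 'Running services not on the approved list:'
Get-Service | Where-Object { $_.Status -eq 'Running' -and $_.Name -notin $approved } |
    Select-Object Name, DisplayName, StartType | Format-Table -AutoSize
```

Each warning or listed entry is a decision to make, not a change the script makes for you: on a Web server the usual outcome is Read-only access for anonymous visitors, a short Administrators list, and a service list that matches the server's single role.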

Additional reading

For more information about securing the operating system, see the Microsoft Windows 2000 Server Deployment Guide. Chapter 11, Planning Distributed Security under Additional Reading on the Web page on the Student Materials CD.


How to Secure IIS


How to Secure IIS
Install the latest security updates Use the IIS Lockdown Tool
Set appropriate ACLs on virtual directories Disable or remove all sample applications Remove the unneeded virtual directories Remove unused application mappings

Set appropriate IIS log file ACLs Enable logging Use the most secure form of authentication
*****************************ILLEGAL FOR NON-TRAINER USE****************************** Key points IIS is the Microsoft Web and FTP server. Like all Web applications, it is vulnerable to external attacks if not properly configured. The following steps will greatly increase IIS security:

Install the latest security updates. Install the most current security updates on the Web server to protect against known exploits. Use the HFNetCheck tool to confirm that your IIS servers have the current updates. Use the IIS Lockdown Tool: Set appropriate ACLs on virtual directories. For example, if your Web site is used only for viewing information, assign only Read permissions. If a directory or site contains ASP applications, assign Scripts Only permissions instead of Scripts and Executables permissions. Disable or remove all sample applications. Sample applications are not installed by default and should never be installed on a production server. Remove the unneeded virtual directories. Some virtual directories provide functionality for specific situations such as the ability to reset Windows NT and Windows 2000 passwords from an intranet site. Remove any virtual directories that you do not specifically require. Remove unused application mappings. IIS is preconfigured to support common filename extensions such as .asp and .shtm files. If your Web site does not require support for these types of files, remove the application mappings for them.

- Set appropriate IIS log file ACLs. Restrict the log directory so that an attacker who gains control of the Web application cannot modify or delete the log files that record the attack.
- Enable logging. Configure logging for each Web site so that you can detect whether your server is being attacked and by whom; logs are only useful if they are written somewhere the attacker cannot alter.

- Use the most secure form of authentication possible. Integrated Windows authentication and Digest authentication never send the password itself across the network; Basic authentication sends it Base64-encoded, which any sniffer can decode, so use Basic only over SSL. You can also use client certificates for highly secure authentication.
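Why Basic and Digest differ on the wire, as an added Python example (not code from the course or from IIS): decode_basic() recovers a password from a Basic Authorization header, and digest_response() implements the RFC 2617 response computation (qop=auth) that lets a client prove it knows the password without sending it. The Basic header and the Digest parameters are the test vectors published in RFC 2617; the function names are this example's own.

```python
"""Basic vs. Digest authentication on the wire (added example, RFC 2617 vectors)."""
import base64
import hashlib
import hmac


def decode_basic(authorization_header):
    """Return (user, password) from an 'Authorization: Basic <base64>' value.

    Base64 is an encoding, not a cipher: anyone who can read the request (a
    sniffer on the path, a proxy log, a crash dump) gets the password back.
    """
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(user, realm, password):
    """HA1 = MD5(user:realm:password); a server may store this instead of the password."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side: the 'response' field of a Digest Authorization header (RFC 2617, qop=auth).

    Only this hash and the public parameters (nonce, nc, cnonce, uri) travel over
    the network. The server nonce and client nonce make every response unique,
    so a captured header cannot simply be replayed.
    """
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{digest_ha1(user, realm, password)}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_accepts(stored_ha1, method, uri, nonce, nc, cnonce, response, qop="auth"):
    """Server side: recompute the expected response from stored HA1 and compare in constant time."""
    ha2 = _md5(f"{method}:{uri}")
    expected = _md5(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Basic header for Aladdin / "open sesame" (the RFC 2617 example).
    print(decode_basic("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="))
    # RFC 2617 section 3.5 test vector.
    resp = digest_response("Mufasa", "testrealm@host.com", "Circle Of Life", "GET",
                           "/dir/index.html", "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                           "00000001", "0a4f113b")
    print(resp)
    ha1 = digest_ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    print(server_accepts(ha1, "GET", "/dir/index.html",
                         "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b", resp))
```

Digest is better than Basic, not a substitute for SSL: the response is an unsalted MD5 construction, so a sniffer who captures one exchange can run an offline dictionary attack against the password. Integrated Windows authentication (NTLM or Kerberos) likewise keeps the password off the wire but does not encrypt the page content that follows.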

Note The URLScan tool screens all incoming requests to the server and filters them based on rules set by the administrator, rejecting requests that use unexpected verbs, file extensions, or URL sequences before they reach IIS. This secures the server by ensuring that only valid requests are processed.

Additional reading
For more information about:
- Securing IIS, see Chapter 9, "Security," of the Internet Information Services Resource Guide under Additional Reading on the Web page on the Student Materials CD.
- HFNetChk, see "Microsoft Network Security Hotfix Checker (Hfnetchk.exe) Tool Is Available" (Knowledge Base article Q303215) under Additional Reading on the Web page on the Student Materials CD.
- The IIS Lockdown Tool, see IIS Lockdown Tool under Additional Reading on the Web page on the Student Materials CD.
- URLScan, see "INFO: Availability of URLScan Version 2.5 Security Tool" (Knowledge Base article Q307608) under Additional Reading on the Web page on the Student Materials CD.
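The kind of request screening the URLScan note above describes, as an added Python example (this is not URLScan and not course material). The rule categories (allowed verbs, denied extensions, denied URL sequences, a normalisation check) mirror what URLScan's configuration exposes; the specific values, the function names, and the sample request lines are this example's own illustrative choices, not Microsoft's shipped defaults.

```python
"""URLScan-style request filter (added example, not the URLScan tool)."""
import posixpath
from urllib.parse import unquote, urlsplit

# Illustrative policy for a static/ASP site; tune to the site's real needs.
ALLOWED_VERBS = {"GET", "HEAD", "POST"}
DENIED_EXTENSIONS = {".exe", ".bat", ".cmd", ".com", ".dll", ".ida", ".idq", ".printer"}
DENIED_SEQUENCES = ["..", "./", "\\", ":", "%"]   # checked after normalisation


def normalize(path):
    """One pass of what the server does before mapping a URL to disk:
    percent-decode, then treat backslash as a path separator."""
    return unquote(path).replace("\\", "/")


def check_request(request_line):
    """Return (allowed, reason) for a request line such as 'GET /x.htm HTTP/1.0'.

    Checks run in the order a filter in front of the server should apply them:
    cheap structural checks first, then normalisation, then content rules.
    """
    parts = request_line.split()
    if len(parts) != 3:
        return False, "malformed request line"
    verb, target, _version = parts
    if verb not in ALLOWED_VERBS:
        return False, "verb not allowed: " + verb

    path = urlsplit(target).path
    once = normalize(path)
    # Normalisation check: if decoding a second time changes the path, the
    # request was double-encoded to slip a denied sequence past a one-pass check.
    if normalize(once) != once:
        return False, "double-encoded path"
    for seq in DENIED_SEQUENCES:
        if seq in once:
            return False, "denied sequence " + repr(seq)
    ext = posixpath.splitext(once)[1].lower()
    if ext in DENIED_EXTENSIONS:
        return False, "denied extension " + ext
    return True, "ok"


if __name__ == "__main__":
    # Constructed requests: one legitimate, the rest typical probes seen in Web logs.
    for line in [
        "GET /default.htm HTTP/1.0",
        "TRACE / HTTP/1.0",
        "GET /scripts/..%5c../private/config.txt HTTP/1.0",
        "GET /scripts/..%255c../private/config.txt HTTP/1.0",
        "GET /bin/tool.exe?x=1 HTTP/1.0",
    ]:
        print(line, "->", check_request(line))
```

The order matters: the double-encoding check has to come before the sequence check, because a single decode of `..%255c` yields `..%5c`, which contains no `..` or backslash and would pass a naive filter while the server's own decoding later turns it into a traversal.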

Guidelines for Securing Web Servers

- Limit the use of Write, Scripts, and Executables permissions
- Use the most secure form of authentication when needed
- Encrypt traffic between the Web server and client for confidential data
- Implement a strategy to identify servers running unapproved services

Key points
In addition to securing the operating system and IIS, complete the following to secure your Web servers:

- Limit the use of Write, Scripts, and Executables permissions. You control whether programs and scripts are allowed to run in a specific Web site or directory by setting its Execute permission. The settings are:
  - None. No program or script can run in the specified site or directory; files are served as static content only.
  - Scripts only. Only applications mapped to a script engine (for example, ASP pages) can run; .exe and .dll files cannot be executed directly. Scripts only is significantly more secure than Scripts and Executables.
  - Scripts and Executables. Any application in the directory can run. This option is not recommended.

- Use the most secure form of authentication when needed. Weigh the cost of security against the ease of use of the site. Consider how many users will access your site and how you want to manage access.
- Encrypt traffic between the Web server and client for confidential data. SSL prevents attackers from reading the traffic and lets the Web server prove its identity to the client with a certificate.
- Implement a strategy to identify servers running unapproved services. Unauthorized systems and services are a danger to the stability and security of the computing environment. Use active or passive port scanning to identify them, and compare the results against the list of services each server is approved to run.

Additional reading


For more information about securing IIS, see Chapter 9 of the Internet Information Services 5.0 Resource Guide under Additional Reading on the Web page on the Student Materials CD.

Considerations for Encrypting Web Traffic with SSL

- To prevent the interception of confidential data, consider encrypting data with SSL
- SSL negatively affects performance because all data in the requested page must be encrypted
- Only use SSL when necessary to:
  - Provide assurance of a Web site's identity
  - Protect confidential data such as user credit card information, bank account information, and passwords

Encryption
Secure Sockets Layer (SSL), in conjunction with the HTTPS protocol and server certificates, provides encryption and supports Web server authentication. SSL only protects data in transit; it is not a replacement for other site security mechanisms such as permissions, input validation, and patching.

Performance
The drawback of SSL is the latency caused by session setup and the additional processing required to encrypt and decrypt the session. The public-key operation in the handshake is the most expensive step, and the longer the key, the more server resources it consumes. Transmitting a file over 128-bit SSL therefore uses much more server processing than transmitting the same file without encryption.

When to use SSL
Limit your use of SSL to communications that justify the cost of protection. Examples include when you need to prove the Web site's identity or when you need to protect confidential data, such as customer credit card information, bank account information, or passwords.

Practice: Securing the FTP Service on a Web Server

Instructions

Assessment
Your company wants to host its e-commerce Web site on a server running Windows 2000 Advanced Server. You've just installed IIS with the default configuration. Which of the following tasks should you perform to increase the security of the site? (Choose all that apply.)
a. Disable the HTTP service
b. Install the latest security patches
c. Run the IIS Lockdown Tool

1. Your company wants to host its e-commerce Web site on a server running Windows 2000 Advanced Server. Customers will enter ordering information and pass private information to the Web site, and you need to keep this traffic secure. You want the server to be as secure as possible against attackers exploiting known vulnerabilities and future ones. You have installed IIS with the default configuration. Which of the following tasks should you perform to increase the security of the site? (Choose all that apply.)
   1. Configure the Web site to encrypt the traffic using SSL.
   2. Configure the Web site to encrypt the traffic using the IIS Lockdown Tool.
   3. Disable the HTTP service and other services that won't be used on the Web site.
   4. Use the MBSA tool to determine how many users will be accessing the site.
   5. Install the latest service packs and security updates, and keep the site updated on a regular schedule.
Answer:

Lesson: Configuring Security for Common Internet Protocols
- Vulnerabilities of FTP and NNTP Protocols
- Guidelines for Securing FTP and NNTP Servers
- Methods for Configuring IIS for Secure FTP Operations
- Encrypting FTP Traffic With SSH
- Guidelines for Configuring Security for Common Internet Protocols

Introduction
Internet protocols are standardized sets of rules for communicating between hosts. Common examples include the File Transfer Protocol (FTP) for sending and receiving files on the Internet and the Network News Transfer Protocol (NNTP) for posting and viewing news messages. Unfortunately, these protocols were designed before most threats to network security were recognized, and they carry credentials and data in plaintext. This lesson describes ways to configure these protocols to defend against common attacks.

Lesson objectives
After completing this lesson, you will be able to:
- Identify inherent vulnerabilities of the FTP and NNTP protocols
- Apply guidelines for securing servers running FTP and NNTP
- Configure IIS to secure FTP operations
- Describe how to use SSH to secure communications
- Apply guidelines for securing common Internet protocols

Vulnerabilities of FTP and NNTP Protocols

FTP and NNTP
- No record of who has requested information with anonymous logon
- Usernames and passwords are transmitted in plaintext
- Vulnerable to denial-of-service attacks

Key points
FTP and NNTP are common Internet protocols. Vulnerabilities introduced by these protocols include:

- No record of who has requested information with anonymous logon. With anonymous access there is often no record of who requested specific information. If the anonymous FTP account is not securely configured, anonymous attackers may also be able to add or modify files.
- Usernames and passwords are transmitted in plaintext. FTP poses the same problem as the Telnet protocol: the USER and PASS commands cross the network unencrypted, where anyone on the path can intercept them. NNTP's AUTHINFO USER and AUTHINFO PASS commands behave the same way.
- Vulnerable to denial-of-service attacks. Another problem with anonymous FTP is the threat of deliberate or accidental denial of service: authorized users may be denied access if too many file transfers are initiated simultaneously, or if uploads fill the volume.
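What "transmitted in plaintext" means in practice, as an added Python example (not course material): a few lines of code that pull every FTP and NNTP credential out of a captured control-channel conversation. The transcript is constructed for this example (two FTP logons and one NNTP logon, with 'C:' marking client lines and 'S:' server replies); on a real network the same lines would come from a sniffer on any segment between client and server. Function and constant names are this example's own.

```python
"""Extract FTP and NNTP credentials from captured control-channel traffic (added example)."""
import re

CLIENT_LINE = re.compile(r"^C:\s*(.*)$")

# FTP logs in with USER / PASS; NNTP (RFC 2980) with AUTHINFO USER / AUTHINFO PASS.
FTP_USER = re.compile(r"^USER\s+(\S+)", re.I)
FTP_PASS = re.compile(r"^PASS\s+(\S*)", re.I)
NNTP_USER = re.compile(r"^AUTHINFO\s+USER\s+(\S+)", re.I)
NNTP_PASS = re.compile(r"^AUTHINFO\s+PASS\s+(\S*)", re.I)

# Constructed sample capture: not a real session.
SAMPLE_CAPTURE = """\
S: 220 ftp.example.test FTP server ready
C: USER alice
S: 331 Password required for alice
C: PASS Summer2002!
S: 230 User alice logged in
C: USER anonymous
S: 331 Anonymous access allowed, send identity (e-mail name) as password
C: PASS guest@example.test
S: 230 Anonymous user logged in
C: AUTHINFO USER bob
S: 381 More authentication information required
C: AUTHINFO PASS hunter2
S: 281 Authentication accepted
"""


def extract_credentials(transcript):
    """Return a list of (protocol, user, password) tuples seen in the transcript.

    Server replies are ignored. A USER that is never followed by its PASS (an
    abandoned or failed logon) is reported with password None so that the user
    name, which is still useful to an attacker, is not lost.
    """
    found = []
    pending = None   # (protocol, user) waiting for its password
    for raw in transcript.splitlines():
        m = CLIENT_LINE.match(raw.strip())
        if not m:
            continue
        cmd = m.group(1)
        for proto, user_re, pass_re in (("nntp", NNTP_USER, NNTP_PASS),
                                        ("ftp", FTP_USER, FTP_PASS)):
            u = user_re.match(cmd)
            if u:
                if pending:
                    found.append((pending[0], pending[1], None))
                pending = (proto, u.group(1))
                break
            p = pass_re.match(cmd)
            if p and pending and pending[0] == proto:
                found.append((proto, pending[1], p.group(1)))
                pending = None
                break
    if pending:
        found.append((pending[0], pending[1], None))
    return found


if __name__ == "__main__":
    for proto, user, password in extract_credentials(SAMPLE_CAPTURE):
        print(f"{proto}: {user} / {password}")
```

Note that the anonymous logon leaks nothing secret, which is the reason the IIS guidance later in this lesson recommends anonymous-only access for public content; the two real passwords, alice's and bob's, are exactly what an attacker reuses against the users' other accounts.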

Guidelines for Securing FTP and NNTP Servers

FTP and NNTP
- Run FTP and Web services on separate servers
- Create a secure tunnel before creating the FTP session
- Use different usernames and passwords than other services are using
- Set appropriate permissions
- Restrict public newsgroup access

Key points
To secure servers running the FTP and NNTP protocols:

- Run FTP, NNTP, and Web services on separate servers. Keeping them on separate servers limits an attacker's ability to use one service to attack other important data or services. At a minimum, place the FTP root and the NNTP root on a drive other than the system drive.
- Create a secure connection for the FTP and NNTP session. Passwords are transmitted in plaintext by default. Consider creating a secure tunnel before opening the FTP session so that data between the client and server is encrypted.
- Use different usernames and passwords than other services. Do not reuse an FTP or NNTP username and password for other services. Because these credentials cross the network in plaintext, compromising one compromises every service that shares it.
- Set appropriate permissions. The default ACL on the FTP server directory is Everyone: Full Control. Give users only the permissions they need, and use Read permission on files and folders for data that will not change. If you must support Everyone: Write, place the folder on a volume other than the system volume so that you can use Windows 2000 disk quotas to limit the amount of data written to it.
- Restrict public newsgroup access. Apply security permissions on the root news directory to restrict public newsgroup access.

Additional reading

For more information about access control, see HOW TO: Configure the Security for a Server That Uses Microsoft NNTP Service in Windows 2000 under Additional Reading on the Web page on the Student Materials CD.

Methods for Configuring IIS for Secure FTP Operations
- Use anonymous connections to avoid plaintext passwords
- Establish quotas on the drive for the FTP site
- Restrict IP addresses
- Use a VPN for secure FTP sessions
- Create a separate anonymous account for FTP
- Set the NTFS permissions to allow only necessary access
- Enable FTP traffic filtering

Key points
Apply the following settings in IIS to mitigate the common vulnerabilities introduced by the FTP protocol:

- Use anonymous connections to avoid plaintext passwords. By default, usernames and passwords are transmitted in plaintext. If the content is public, allow only anonymous connections so that no real credentials are ever exposed; pair this with Read-only permissions, because anonymous access gives you no accountability for uploads.
- Establish FTP drive quotas. To prevent overuse of the FTP server, set up the FTP directory on a separate volume and use disk quotas to specify the maximum amount of data users can upload.
- Restrict IP addresses. Configure the server to allow access only from trusted or known IP addresses or address ranges. Treat this as one layer of defense, not the only one.
- Use a Virtual Private Network (VPN) for secure FTP sessions. Establish the secure tunnel before sending any FTP traffic so that credentials and data are protected from interception.
- Create a separate anonymous account for FTP. Create a separate anonymous user account for each FTP virtual server. For example, if you need to audit anonymous users of individual FTP sites separately, each site needs its own anonymous account.
- Set the NTFS permissions to allow only necessary access. Permissions further secure the data on the FTP server, but they do nothing for credentials in transit: passwords passed in plaintext still have to be protected by a tunnel or avoided by using anonymous access.
- Enable FTP traffic filtering. Allow only FTP traffic to and from the FTP server. This protects the FTP server from attacks on other services that may be running on it.

Encrypting FTP Traffic With SSH

Figure: SSH tunnel between an FTP user (holding the private key) and the remote computer (holding the public key)

- SSH is a secure protocol that replaces Telnet, FTP, and RSH to provide authentication and encrypted communications over unsecured channels
- SSH protects against:
  - IP spoofing
  - IP source routing
  - DNS spoofing
  - Interception of plaintext passwords
Key points
SSH (Secure Shell) is a program that allows users to log in to another computer over a network, execute commands on the remote machine, and move files from one machine to another. Unlike Telnet, it provides strong authentication and secure communications over unsecured channels. SSH protects the user from the simple packet sniffing of plaintext passwords and other sensitive data that is easy, and common, against its predecessors: everything, including the password, is encrypted before it is transmitted. Secure Shell protects against:

- IP spoofing, where a remote host sends out packets that pretend to come from another, trusted host. SSH even protects against a spoofer on the local network who pretends to be your router to the outside, because the server is authenticated by its host key rather than by its address.
- IP source routing, where a host can pretend that an IP packet comes from another, trusted host.
- DNS spoofing, where an attacker forges name server records.
- Interception of plaintext passwords or other data by intermediate hosts.

Because you can configure SSH to encrypt and forward PPP and other protocols, you can use SSH to set up a VPN tunnel through which you can run a secure FTP session. Forwarding only the FTP control port through SSH is not enough: FTP opens a separate data connection for each transfer, and that connection would bypass the tunnel. Either tunnel all traffic (as with forwarded PPP) or use the SSH file transfer tools (scp or SFTP) instead of FTP.

Additional reading
For more information about SSH, see SSH under Additional Reading on the Web page on the Student Materials CD.

Guidelines for Configuring Security for Common Internet Protocols

- Disable unnecessary services
- Run vulnerability scanners and port scanners
- Disable NetBIOS over TCP/IP
- Reconfigure the TCP/IP stack to handle TCP/IP protocol attacks
- Configure protocol rules in your firewall

Key points
In summary, perform the following to best secure common Internet protocols:

- Disable unnecessary services. If you are not hosting an FTP server, disable or remove the FTP service. Every listening service is attack surface, whether or not you use it.
- Run vulnerability scanners and port scanners against your own servers. Each network service on Windows 2000 listens on a specific port for client requests. Port scanners are usually the first tool an attacker uses to identify targets, and they are equally useful to you for finding out which ports your servers actually have open and comparing that against what is approved.
- Disable NetBIOS over TCP/IP. Disabling NetBIOS (Network Basic Input/Output System) over TCP/IP on Internet-facing interfaces closes the NetBIOS session ports, so that no one can remotely mount drives or edit the registry through them. On Windows 2000, SMB is also carried directly over TCP port 445, so block that port at the firewall as well.
- Reconfigure the TCP/IP stack to handle TCP/IP protocol attacks. By default, the TCP/IP stack is tuned for normal working conditions. If a Windows 2000 server or workstation is going to be exposed to the Internet, reconfigure the stack to withstand the various TCP/IP protocol attacks; the SynAttackProtect registry value described in the Knowledge Base article below is the setting that addresses SYN floods.
- Configure protocol rules in your firewall. Protocol rules determine which protocols clients can use to access the Internet. Define protocol rules that allow or deny use of one or more protocol definitions. You can configure protocol rules to apply to all IP traffic, to a specific set of protocol definitions, or to all except a specific set of protocol definitions.
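The port-scanning strategy recommended in the Web server guidelines earlier in this module and in the list above, as one added Python example (not course material): a TCP connect scan of a host's common ports, compared against the set of services that host is approved to run, so that anything else listening stands out. The approved set and the port list are illustrative assumptions for an Internet-facing IIS server, not a Microsoft baseline, and the function names are this example's own. A connect scan completes the handshake, so it is noisy and will appear in the target's logs; run it only against hosts you are authorised to test.

```python
"""Find listening ports that are not approved for a host (added example)."""
import socket
from concurrent.futures import ThreadPoolExecutor

# Assumption: a public Web server should answer only on HTTP and HTTPS.
APPROVED = {80, 443}
# Assumption: ports worth checking on a Windows 2000 server; extend as needed.
COMMON_PORTS = [21, 22, 23, 25, 80, 110, 119, 135, 139, 443, 445, 1433, 3389]


def port_is_open(host, port, timeout=0.5):
    """True if a TCP connection to host:port completes within timeout seconds."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan_ports(host, ports=COMMON_PORTS, timeout=0.5, workers=16):
    """Return the ports that accept connections, sorted ascending."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, port_is_open(host, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)


def unapproved_services(open_ports, approved=APPROVED):
    """Ports that answered but are not approved: the findings to investigate first."""
    return sorted(set(open_ports) - set(approved))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    found = scan_ports(target)
    print("open:", found)
    print("unapproved:", unapproved_services(found))
```

An open port that is not in the approved set is either a service someone forgot to disable (FTP on a Web server, say) or a service someone else installed, and both need the same follow-up: identify the process, then remove it or put it on the list.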

Additional reading

For more information about SYN attacks, see Internet Server Unavailable Because of Malicious SYN Attacks under Additional Reading on the Web page on the Student Materials CD.

Practice: Configuring Security for Common Internet Protocols
In this practice, students will write or alter a file on an improperly configured FTP server.

Instructions

Assessment

1. You have configured multiple FTP sites to which customers can upload data. For management reasons, you need the FTP sites' root directories to be on the same volume, and they are currently on the system drive. You notice that the system drive is filling up quickly with data uploaded to one of the FTP sites, and you are concerned that if the system drive fills up, the computer will stop running. Which of the following should you do? (Choose all that apply.)
A. Create a separate anonymous account for each FTP virtual server to use.
B. Move the FTP directories to a volume other than the system volume and configure quotas on the accounts used.
C. Configure the NTFS permissions on the FTP root folder to Read only, which will set the permissions for each of the FTP sites to Read only through permission inheritance.
D. Configure the FTP sites to allow only anonymous connections.

Lesson: Configuring Security for Web Browsers
- What Types of Internet Content Are Potentially Dangerous?
- Guidelines for Configuring Security for Web Browsers
- Security Settings in Internet Explorer
- Privacy Settings in Internet Explorer
- Enforcing Web Browser Settings

Introduction
You have secured the servers that run Internet services to protect your network from attackers on the Internet. You must also configure security for internal users who access the Internet, because content they download runs on your network. This lesson explains how to protect your network from dangerous Internet content by configuring the Web browsers of your network users.

Lesson objectives
After completing this lesson, you will be able to:
- Identify potentially dangerous types of Internet content
- Configure security for the Web browsers of your network users
- Configure security settings in Internet Explorer
- Configure privacy settings in Internet Explorer
- Enforce the Web browser settings for your network users

What Types of Internet Content Are Potentially Dangerous?

Type of content          Security implication
ActiveX controls         An untrusted source might create ActiveX controls that damage or further compromise the system
VBScript and JavaScript  An untrusted source might exploit security flaws in a Web browser to run with expanded privileges, access restricted data, or compromise the system
CGI scripts              If the scripts are not written correctly, they may compromise the host
Cookies                  If compromised or sniffed, cookies may provide access to sites that use them as credentials
Viruses                  May be present in downloaded files or applications

Key points
Each type of Internet content carries a potential risk. For example, active content enables more interactive Web sites by running code on the client, but it also gives attackers a way to run malicious code or breach user privacy. The types of Internet content include:

- VBScript and JavaScript. Sets of commands that execute without user interaction. These scripts can interact with HTML code, enabling Web authors to provide dynamic content. Scripts are meant to run inside the browser's restricted environment, but security flaws in a Web browser may grant them access to areas of the computer that should be excluded.
- ActiveX controls. Objects that download automatically and run without user interaction. Unlike VBScript and JavaScript, ActiveX controls are native code with full access to the Windows operating system. A control runs in the context of the logged-on user and can do anything that user can do; a digital signature tells you who published the control, not that it is safe.
- CGI scripts. Common Gateway Interface (CGI) scripts run on Web servers and may reveal information about the server that helps attackers. A subverted CGI script may have enough privileges to mail out the system password file, examine the network information maps, or launch a login session on a port.
- Cookies. Many sites use cookies to implement access control. An eavesdropper may intercept a cookie and use it to obtain access to the site. Because browsers use the Domain Name System (DNS) name of a server to decide which cookies belong to it, it is possible to trick a browser into sending a cookie to a rogue server by temporarily subverting the DNS.
- Viruses. There are many opportunities to download files and applications when browsing the Internet, and viruses are often spread through downloaded files.

Additional reading

For more information about active content, see Client Side Security under Additional Reading on the Web page on the Student Materials CD.

Guidelines for Configuring Security for Web Browsers

- Consider restricting active content
- Consider restricting cookies
- Use an online virus checker
- Configure digital certificates
- You can enforce some of these client settings in Active Directory by using Group Policy or with the Internet Explorer Administration Kit
Key points
To protect your network from potentially dangerous Internet content:

- Consider restricting active content. Internet Explorer lets you specify how active content is downloaded and run. For example, you can allow controls only from sources you trust.
- Consider restricting cookies. Because cookies may track private information, you can prevent sites from storing cookies on your computer. Disabling all cookies may prevent you from using some sites, so Internet Explorer lets you specify which cookies to block or allow.
- Use an online virus checker. A virus checker that scans files as they are copied to your computer is your first defense against malicious content encountered while browsing the Internet.
- Configure digital certificates. Use certificates to verify the identity of individuals and organizations on the Web and to check the integrity of downloaded content.

Enforcing Web Browser Settings

Your organization's acceptable use policy should describe when users may download and execute software from other hosts, what kinds of information may be included in e-mail, and whether application components must be digitally signed. You can enforce some of these Web client settings in Active Directory by using Group Policy or with the Internet Explorer Administration Kit (IEAK). The IEAK enables you to create customized browsers with preset options, including security zone, proxy, and privacy settings, that users cannot modify.

Security Settings in Internet Explorer
Security Settings
- Local intranet zone: Assign a low security level to allow users to run active content
- Internet zone: Assign a higher security level to prevent users from running active content and downloading code
- Trusted sites zone: If there are specific sites you trust, assign trust to individual URLs or entire domains
- Restricted sites zone: For sites on the Internet that contain potentially harmful Web content, assign the highest restrictions
Key points
Internet Explorer divides online content into distinct security zones. You can assign a unique security level to each zone that defines what the browser is allowed to do with content from that zone. You can control settings for ActiveX controls, downloading and installation, scripting, cookie management, password authentication, cross-frame security, and Java capabilities based on the zone to which a site belongs.

- Local intranet zone. Because you probably trust the sites on your company's intranet, you probably want users to be able to run all types of active content from this location. To provide this capability, set the Local intranet zone to a low level of security. Be aware that this makes every intranet site a trusted source of code.
- Internet zone. Assign a higher security level to prevent users from running active content and downloading code.
- Trusted sites zone. If there are specific sites you trust, place their individual URLs or entire domains in the Trusted sites zone, which carries a lower security level than the Internet zone.
- Restricted sites zone. For sites on the Internet that are known sources of potentially harmful Web content, assign the highest restrictions. This prevents users from downloading and running active content from those sites.

Any Web page that you open from the local computer will bypass your security settings. Only open Web pages on your local computer if you are familiar with and trust the content and the author.

Privacy Settings in Internet Explorer
Privacy Settings
- For the highest privacy, block all cookies
- Blocking cookies may prevent you from viewing certain sites
- You can override the privacy setting on a per-site basis
- Allowing session cookies may enable you to view sites without storing cookies
- Privacy settings only apply to the Internet zone and do not affect other zones

Key points
Internet Explorer provides several options for managing how cookies are stored on your computer. You may choose to accept, block, or prompt for first-party and third-party cookies. Even if you block cookies in this dialog box, the Web sites that created the cookies already on your computer can still read them until you delete them. The privacy settings in Internet Explorer include:

- Block all cookies. This setting prevents you from using sites that require cookies. However, you can override the setting on a per-site basis. If you allow session cookies, which are held in memory only while you are visiting the Web site, you can use such sites without storing cookies on your computer. Active Server Pages (ASP) applications often use session cookies.
- Privacy settings only apply to the Internet zone. Internet Explorer automatically accepts all cookies from Web sites in both the Local intranet and the Trusted sites zones and blocks all cookies from Web sites in the Restricted sites zone. It is therefore important that you can trust all of the local intranet sites you visit.

Assessment

Did you understand this lesson? Complete these assessment questions to confirm it.

1. After configuring Internet Explorer 6 to block all cookies, you discover that your computer is still saving cookies from your intranet. Why is this?
A. This is by design and cannot be changed. Privacy settings are configured for the Internet zone only.
B. The configuration setting for the Intranet zone was improperly configured. You must reconfigure the Intranet zone.
Answer:
2. To protect your computer from downloading unsigned active content, you configured the security settings for the Internet zone to Medium. To test the new configuration, you open a Web page that you have copied to your C:\ drive and that contains an unsigned control. You discover that the control still runs. How can you prevent this?
A. You cannot. Accessing HTML pages on the local hard drive bypasses all security settings and is not configurable. The security setting of Medium will prevent any unsigned controls from being downloaded.
B. The default security setting of Medium enables the download and running of active content that is not signed. You will need to set the security level to High and try loading the Web page again.


Lesson: Configuring Security for Databases

- Common Security Threats and Vulnerabilities to Database Servers
- The Impact of Compromised Database Servers
- Guidelines for Securing Database Servers

Introduction

A primary goal of network security is to protect information. An organization's most valuable information, such as customer credit card numbers, is typically stored in databases. As a result, database servers are a primary target of both external and internal attackers. This lesson explains what network security personnel do to configure security for databases against common attacks.

Lesson objectives

After completing this lesson, you will be able to:

- Identify common security threats and vulnerabilities to database servers
- Explain the impact of compromised database servers
- Apply best practices for securing database servers


Common Security Threats and Vulnerabilities to Database Servers

Threats

- Unauthorized deletion or modification of information
- Unauthorized disclosure of information

Vulnerabilities

- Software bugs and flaws
- Poorly-designed applications, automated reports and database-integrated processes or procedures
- Incorrect permissions
- Default configuration

Viruses, Trojan horses, or worms may attack these vulnerabilities.

Key points

Your organization likely stores its most valuable information in databases. Threats to database servers include:

- Unauthorized deletion or modification of information. If an attacker gains access to a database, they may add, delete, or modify data.
- Unauthorized disclosure of information. An attacker may expose sensitive data, such as company financial records or customer credit card numbers.

Vulnerabilities of database servers open your network up to attackers, viruses, and Trojan horses. Vulnerabilities of database servers include:

- Software bugs and flaws. Design flaws in database applications can provide a mechanism for attackers to exploit known vulnerabilities in the product to compromise the server. Prevent this by installing all current security fixes and service packs.
- Poorly-designed applications, automated reports and database-integrated processes or procedures. These may introduce vulnerabilities that bypass the configuration of the server, compromising the databases.
- Incorrect permissions. These provide an attacker an easy way to access the data. Incorrect permissions may also allow an ordinary user to delete data inadvertently.
- Default configuration. To keep the server secure, keep the service packs and security hotfixes current, remove unneeded accounts, and change all default passwords.


The Impact of Compromised Database Servers

Potential impacts

- Private information stolen. For example, a credit card database.
- Further escalation of privilege. If attackers obtain SA access, they can run query strings to obtain administrator access to the database, the server, and other servers.
- Loss of business continuity. Loss of critical data could stop work processes.

Key points

The impact of a successful attack on a database server may include damage to the finances and reputation of an organization. Specific impacts include:

- Private information stolen. When a database is compromised, the attacker has access to that information. This may include company-sensitive information, such as employee personal information, or customer-related information such as credit history, credit card numbers, or social security numbers.
- Further escalation of privilege. If an attacker obtains System Administrator access, they can run query strings to obtain administrator access to the database, the server, and other servers. Once an attacker compromises the database server, they may also issue operating system commands to grant remote command shell access through SQL.
- Loss of business continuity. When a database is compromised, it takes time to take the database server offline, investigate the intrusion and damage, and then restore data from a backup. Any business activities that rely on the compromised database will stop during this process.


Guidelines for Securing Database Servers

- Never use a blank or weak SA password
- Use encryption
- Enable auditing
- Use NTFS
- Avoid installing SQL on IIS servers, domain controllers, or Exchange servers
- Scan for misconfigurations and missing patches by using MBSA
- Explicitly deny access to all Stored Procedures and Extended Stored Procedures

Key points

Apply the following guidelines to protect your database server from the most common vulnerabilities:

- Never use a blank or weak System Administrator password. A compromised SA account gives administration rights over the server plus the rights of the SQL service account. For example, if the SQL server is installed on a domain controller and is compromised using the SA account, the attacker will have administrative access to the entire domain.
- Use encryption. To protect the data that is being sent to and from the database server, force encryption of all communications with the SQL server and encrypt the data in the database.
- Enable auditing. Track end user activity, database administrator activity, security events, utility events, server events, and audit events.
- Use NTFS. Secure SQL Server 2000 data files, executables, and DLLs using NTFS permissions. Only provide access to the SQL Server service domain user account, the local SYSTEM account, and the local Administrators group.
- Avoid installing SQL on IIS servers, domain controllers, or Exchange servers. SQL administrators on SQL-installed domain controllers are domain administrators. SQL administrators on IIS and Exchange servers can control or disrupt IIS and Exchange services.
- Scan for misconfigurations and missing patches by using MBSA. An unpatched SQL server negates any application, configuration, or development efforts you may take. The Microsoft Baseline Security Analyzer will detect vulnerabilities and any necessary security-related patches and hotfixes.
- Explicitly deny access to all Stored Procedures and Extended Stored Procedures. Attackers may use them to attack applications, change system configuration settings, or deny service to clients.


Additional Reading

For more information about auditing SQL, such as creating an audit stored procedure, see SQL Server Books Online for SQL Server 2000.


Assessment

1. You are responsible for securing a SQL server that has been installed on one of the domain controllers in the network. You have given the SQL service account administrative rights on the local computer. If the SQL server is compromised by using the SA account, the attacker will have whatever rights the SQL Server service account has on the computer. In this case, the attacker will have domain administrator rights. What could you do to prevent this? (Choose all that apply.)

A. Install SQL on a separate server from the domain controller, preferably on a computer that isn't performing any other function in the domain, such as a Web server.
B. Use a standard account on the local computer for the SQL service account.
C. Use an administrator account on the local computer for the SQL service account, but lock out the SA account.
D. Provide a complex password for the SA account.

Answer:


Lab A: Securing Web Servers


Lab B: Protecting Clients from Active Content


Module 8: Implementing Security for E-Mail and Instant Messaging

Contents

Overview 1
Lesson: Securing E-mail Servers 2
Assessment 11
Lesson: Securing E-Mail Clients 12
Assessment 15
Lesson: Securing Instant Messaging 16
Assessment 21
Lab A: Securing Mail Servers 22



Overview

- Securing E-mail Servers
- Securing E-Mail Clients
- Securing Instant Messaging

Introduction

An important function of networks is to facilitate the transfer of messages to and from network users. Attackers exploit messaging functionality by using e-mail and instant messages as tools in their attacks. This module describes how to secure e-mail and instant messaging on your network.

Objectives

After completing this module, you will be able to:

- Secure e-mail servers against common threats
- Secure e-mail clients against common threats
- Secure instant messaging against common threats


Lesson: Securing E-mail Servers

- How E-Mail Servers Send and Receive Messages
- Common Attacks Against E-Mail Servers
- Security Implications of Common E-Mail Protocols
- Considerations for Using Signing and Encryption
- Guidelines for Securing E-Mail Servers

Introduction

E-mail servers are computers that send, receive, route, store, and filter electronic mail. This lesson describes how e-mail servers work, how attackers exploit e-mail servers, and how you can configure your e-mail servers to best prevent attacks.

Lesson objectives

After completing this lesson, you will be able to:

- Describe how e-mail servers send and receive e-mail
- Identify and explain common threats to e-mail servers
- Identify and explain vulnerabilities of the e-mail protocols
- Protect e-mail content through signing and encryption
- Secure your e-mail servers from common attacks


How E-Mail Servers Send and Receive Messages

[Diagram: an SMTP e-mail server receives mail from a local user, from an external SMTP server, and from an anonymous external user; it forwards mail to another SMTP server or transfers it to local storage (POP3 or IMAP).]

Key points

A typical e-mail server consists of a computer or group of computers running the following e-mail protocols:

- Simple Mail Transfer Protocol (SMTP). A protocol used in sending and receiving e-mail which handles outgoing mail. It has limited ability to store e-mail messages.
- Post Office Protocol 3 (POP3). A protocol that enables the user to save e-mail messages in a server mailbox and download them periodically from the server.
- Internet Message Access Protocol (IMAP). Like POP3, IMAP allows users to store e-mail messages for periodic download.

An SMTP e-mail server interacts with clients and other servers in the following ways:

- Receive mail from local users. Clients commonly send e-mail through an SMTP server. The e-mail client is configured to send its outbound e-mail to an SMTP server for relay to the final destination.
- Forward mail to other SMTP servers. When the SMTP server receives e-mail destined for a different domain, it forwards the message to the designated SMTP server for the domain of the recipient.
- Receive mail from external SMTP servers. The SMTP server receives forwarded messages from SMTP servers in the originating domain.
- Receive mail from anonymous external users. The SMTP server may be configured to allow anonymous users to connect to the server to send messages.
- Transfer mail to local storage. The final destination of the e-mail message may be on the local domain. SMTP does not store messages locally, but it can pass e-mail messages to either a POP3 server or an IMAP server for delivery to the folder of the client.


Common Attacks Against E-Mail Servers

Type of threat | Description
Data theft or tampering | Copying, changing, or listening to e-mail traffic that is transmitted over a network
Denial of service | Preventing connections to an e-mail server or network by flooding that server or network with incorrect and incomplete data
Spoofing | Impersonating another person by configuring that person's e-mail address in the perpetrator's e-mail client
Mail relaying | Relaying e-mail through e-mail servers with the intent of disguising the actual origin of the e-mail message
E-mail virus | A malicious self-replicating program which can indirectly overload e-mail servers. Users may inadvertently activate a virus that uses the Global Address List to mail itself

Key points

There are several common attacks against e-mail servers:

- Data theft or tampering. Corporate e-mail messages often contain sensitive information. Attackers may attempt to copy, change, or listen to e-mail traffic to steal or tamper with that information.
- Denial of service (DoS). Preventing connections to a server or network by flooding that server or network with incorrect or incomplete data. A similar DoS attack is called mail bombing, where the attacker sends thousands of e-mail messages until the attacked server fails.
- Forgery. There are two common types of e-mail forgery:
  - Spoofing. Connecting to an e-mail server to send mail as another user.
  - Mail relay. Using an e-mail server that does not require credentials to relay e-mail. Attackers use mail relay to generate spam or e-mail attacks while hiding their identity.
- E-mail virus. A simple program often carried by e-mail that infects other files by replicating and embedding copies of itself. For example, the Melissa macro virus spread through e-mail by sending a copy of itself to e-mail addresses from the global address list.


Security Implications of Common E-Mail Protocols

E-mail protocol | Vulnerabilities | Recommendations
SMTP | Message text transmits in plaintext. Protocol accepts e-mail messages from the Internet anonymously, allowing for spoofing or relay | Use S/MIME to provide encryption. Use SSL for server-to-server communication. Disallow anonymous connections over an intranet. Use IPSec to encrypt messages
HTTP, POP3 | Message text transmits in plaintext | Use SSL or IPSec. Require authentication
IMAP4 | By default, message text transmits in plaintext | Configure the client and server to use IMAP4 encryption
E-mail messaging uses a few common protocols. Each has its own unique security vulnerabilities that you can address:

SMTP

Mail sent to and from SMTP servers is sent in plaintext and is susceptible to interception. To avoid this, encrypt e-mail traffic to and from the server using S/MIME (Secure/Multipurpose Internet Mail Extensions) or create a secure connection to the server using Secure Sockets Layer (SSL) or Internet Protocol Security (IPSec). To prevent the server from being used to relay messages from unknown sources, such as spammers, allow only connections from known domains, IP addresses, or groups of addresses.

HTTP mail

HTTP mail, also known as Web-based e-mail, allows you to view e-mail from any computer connected to the Internet using a Web browser. HTTP mail bypasses any security configured for incoming mail on an organization's e-mail servers. In addition, users may send unencrypted traffic to the Web-based e-mail server, making interception of user names, passwords, and the contents of the e-mail possible. Using a Web-based e-mail system that uses a secure connection, such as SSL, will prevent attackers from intercepting data.

POP3

POP3 is a standard protocol in which e-mail is received and held by an Internet server. Most Internet Service Providers support POP3. E-mail text may be transmitted to and from the server in plaintext. Consider securing the traffic to the e-mail server with SSL or using IPSec to secure all transmissions on the network.

IMAP4

IMAP4 is an Internet protocol for retrieving mail from a server. It replaces the POP3 mail protocol, which requires mail to be stored locally on the client. Unlike POP3, IMAP4 allows mail messages to be left and managed on the mail server, which ensures that users who log on to different machines will still be able to access all of their e-mail. Like POP3, e-mail is susceptible to interception. Configure the client and server to use IMAP4 encryption.

Additional reading

For more information about using IMAP to provide secure communications, see HOW TO: Secure IMAP Client Access in Exchange 2000 under Additional Reading on the Web page on the Student Materials CD.


Considerations for Using Signing and Encryption

Consideration | Details
Key management | In an enterprise, key creation and management is centralized and performed by the administrator. When used for personal use, key creation and management is left to the user. S/MIME and PGP work with the existing public key infrastructure in an organization
Certificate management | Enterprise solutions provide centralized management of certificates. Individuals will have to obtain their own digital certificate
Compatibility with other e-mail systems | S/MIME and PGP are not compatible. Ensure that destination clients are compatible with your encryption technology. Outlook and Outlook Express have built-in support for S/MIME
Expense | PGP is free for personal use but not for enterprise use. Individuals will still have to acquire a digital certificate

Sensitive data in e-mail messages may be visible as it travels over a network. To prevent data from being intercepted and read, consider encrypting e-mail messages. Traditionally, there have been two ways to secure e-mail: Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extensions (S/MIME). Both are based on public key cryptography, where each user possesses two keys: a public key for encrypting, and a private key for decrypting and signing messages. The two basic features of this type of security are privacy and authentication. S/MIME uses the Public Key Cryptography Standards (PKCS) to build security on top of MIME by including encryption information and a digital certificate as components in e-mail messages. PGP is a dual-key or public-key cryptosystem. One key is kept secret and the other key is made public. To communicate with the owner of the secret key, you encrypt a message with the corresponding public key. You can only decrypt this message with the secret key.

Consider the following when implementing signing and encryption of e-mail:

- Key management. Keys need to be exchanged with the users that will be exchanging e-mail. An enterprise solution provides the ability to centrally manage these keys in your organization for both S/MIME and PGP. If you are not using an enterprise solution, then individual users must share the keys manually.
- Certificate management. Certificates are used to ensure the authenticity of the sending party. Enterprise solutions also provide centralized management of certificates. For private use, individuals are responsible for obtaining their own certificates from a certificate authority such as VeriSign.


- Compatibility. S/MIME and PGP are incompatible. You must ensure that the destination client is compatible, or it will not be able to decrypt your e-mail messages.
- Expense. S/MIME requires a public key infrastructure (PKI) in your organization or the purchase of your own key certificate. S/MIME is free if you have an existing PKI. You must pay for the commercial use of PGP, but the non-commercial version is free.
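To make the two-key model described above concrete, here is an added example (not the course's code, and not S/MIME, PGP or any library's implementation): a textbook RSA sketch in Python in which the public key encrypts and the private key decrypts and signs. The keys are tiny and there is no padding, so it illustrates the privacy and authentication principle only; the prime seeds are constructed values.

```python
import hashlib
import math
from typing import List, Tuple

PublicKey = Tuple[int, int]    # (n, e): published to correspondents
PrivateKey = Tuple[int, int]   # (n, d): kept secret by the owner
CHUNK = 3  # plaintext bytes per block; with the marker byte a block is 32 bits < n


def _is_prime(n: int) -> bool:
    """Trial division; adequate for the small illustrative primes used here."""
    if n < 2:
        return False
    return all(n % f for f in range(2, math.isqrt(n) + 1))


def _next_prime(n: int) -> int:
    while not _is_prime(n):
        n += 1
    return n


def generate_keypair(seed_p: int, seed_q: int) -> Tuple[PublicKey, PrivateKey]:
    """Key pair from the first primes at or above two seeds (constructed values;
    a real system draws large random primes)."""
    p, q = _next_prime(seed_p), _next_prime(seed_q)
    if p == q:
        raise ValueError("seeds produced the same prime")
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    while math.gcd(e, phi) != 1:
        e += 2
    d = pow(e, -1, phi)  # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)


def encrypt(message: bytes, public: PublicKey) -> List[int]:
    """Privacy: anyone holding the public key can encrypt; only the private key decrypts."""
    n, e = public
    blocks = []
    for i in range(0, len(message), CHUNK):
        # The leading 0x01 marker keeps the block length unambiguous on decryption.
        m = int.from_bytes(b"\x01" + message[i:i + CHUNK], "big")
        blocks.append(pow(m, e, n))
    return blocks


def decrypt(blocks: List[int], private: PrivateKey) -> bytes:
    n, d = private
    out = bytearray()
    for c in blocks:
        m = pow(c, d, n)
        if m >= 1 << (8 * (CHUNK + 1)):
            raise ValueError("block does not decrypt cleanly (wrong key?)")
        raw = m.to_bytes(CHUNK + 1, "big").lstrip(b"\x00")
        if not raw or raw[0] != 0x01:
            raise ValueError("block does not decrypt cleanly (wrong key?)")
        out += raw[1:]
    return bytes(out)


def sign(message: bytes, private: PrivateKey) -> int:
    """Authentication: the private key signs a digest of the message."""
    n, d = private
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(digest, d, n)


def verify(message: bytes, signature: int, public: PublicKey) -> bool:
    """Anyone with the public key can check the signature; changing the message breaks it."""
    n, e = public
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == digest


if __name__ == "__main__":
    pub, priv = generate_keypair(1_000_000, 1_000_020)
    note = b"Wire transfer approved"
    print(decrypt(encrypt(note, pub), priv) == note, verify(note, sign(note, priv), pub))
```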

Additional reading

For more information about S/MIME and PGP, see the S/MIME Version 2 Message Specification, S/MIME Mail Security, The PGP Corporation, S/MIME and OpenPGP, and OL2000: Encryption and Message Security Overview (Q195477) links under Additional Reading on the Web page on the Student Materials CD.


Guidelines for Securing E-Mail Servers

- Remove unnecessary services and components
- Block unused ports
- Disable relay from anonymous connections
- Configure a bridgehead server
- Implement a front-end/back-end server topology
- Run IIS Lockdown Wizard with the Exchange Server Template
- Run antivirus software
- Apply the latest service pack and all subsequent hotfixes

Key points

Perform the following to secure your e-mail servers:

- Remove unnecessary services and components. Extraneous services increase administrative and security overhead. You can enhance security by disabling or removing any IIS services and components from your e-mail servers that are not required by Exchange 2000.
- Block unused ports. Identify the ports associated with each service that your Exchange 2000 organization uses and filter out the unused ports.
- Disable relay from anonymous connections. Configure servers to deny messages from unidentified domains.
- Reduce exposure to the Internet by:
  - Configuring a bridgehead server. Connect an e-mail server to the Internet and configure it to handle all e-mail in and out of the organization. By using a bridgehead server, it is not necessary for every server running Exchange 2000 to have Internet connectivity; this arrangement increases security, because only the bridgehead server is exposed to the Internet.
  - Implementing a front-end/back-end server topology. Position each front-end server as the single point of access. Because the front-end server does not store user information, it provides an additional layer of security. Configure the front-end server to authenticate requests before proxying them, which helps protect the back-end servers from security breaches.
- Run the IIS Lockdown Tool with the Exchange Server template. Use the IIS Lockdown Tool on every server running Exchange to remove unnecessary virtual directories, enhance file security, and process real-time URL requests against user-defined configurations.
- Install virus filters and antivirus software. Virus filters stop viruses before they move into or out of your organization. You can use a simple virus filter that searches for specific filenames or strings in messages, or a more complex filter that strips attachments of certain types, including those inside of zipped files. Install virus scanners on e-mail servers and virus filters on gateways and firewalls.


- Apply the latest service pack and all subsequent hotfixes. Apply updates not only to Exchange 2000 but also to Windows 2000 and IIS. Visit the Microsoft Security Web site regularly for the most current security bulletins, or subscribe to the Microsoft Security Notification Service.
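As an added example (not code from the course or from Exchange 2000), the relay policy behind "Disable relay from anonymous connections" and the SMTP interactions described earlier in this lesson, expressed as a small Python decision function: mail for a local domain is delivered, relaying to other domains is allowed only for authenticated or internal clients, and an anonymous external client that claims a local sender is flagged as a possible spoof. The domain, network and session values are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Domains for which this server is the final destination (constructed value).
LOCAL_DOMAINS = {"nwtraders.msft"}

# Internal networks whose clients may send outbound mail through this server
# without SMTP authentication (constructed value standing in for the LAN).
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


@dataclass(frozen=True)
class Session:
    """What the SMTP server knows at RCPT TO time (constructed sample data)."""
    client_ip: str
    authenticated: bool  # True when the client completed SMTP AUTH
    mail_from: str       # envelope sender from MAIL FROM:
    rcpt_to: str         # envelope recipient from RCPT TO:


def _domain(address: str) -> str:
    """Domain part of an envelope address, lower-cased; '' if malformed."""
    addr = address.strip().strip("<>").lower()
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def _is_internal(client_ip: str) -> bool:
    client = ipaddress.ip_address(client_ip)
    return any(client in net for net in TRUSTED_NETWORKS)


def relay_decision(session: Session) -> Tuple[str, str]:
    """Return (action, reason); action is "deliver", "relay" or "reject".

    Order matters: mail for a local domain is always accepted (refusing it would
    cut off legitimate inbound mail from external servers), and only
    authenticated or internal clients may use the server as a relay elsewhere.
    """
    rcpt_domain = _domain(session.rcpt_to)
    if not rcpt_domain:
        return "reject", "malformed recipient address"
    if rcpt_domain in LOCAL_DOMAINS:
        return "deliver", "recipient is in a local domain"
    if session.authenticated:
        return "relay", "client authenticated"
    if _is_internal(session.client_ip):
        return "relay", "client is on a trusted internal network"
    return "reject", "relaying denied for anonymous external client"


def looks_spoofed(session: Session) -> bool:
    """Anonymous external client asserting a sender in a local domain.

    SMTP lets any client assert any MAIL FROM, so the indicator combines the
    claimed sender with where the connection actually came from.
    """
    return (_domain(session.mail_from) in LOCAL_DOMAINS
            and not session.authenticated
            and not _is_internal(session.client_ip))


# Constructed sample sessions using TEST-NET addresses, not real hosts.
SAMPLE_SESSIONS = [
    Session("198.51.100.4", False, "<news@example.net>", "<alice@nwtraders.msft>"),
    Session("198.51.100.4", False, "<news@example.net>", "<victim@example.org>"),
    Session("192.0.2.15", False, "<alice@nwtraders.msft>", "<partner@example.org>"),
    Session("203.0.113.7", True, "<bob@nwtraders.msft>", "<partner@example.org>"),
    Session("198.51.100.9", False, "<ceo@nwtraders.msft>", "<alice@nwtraders.msft>"),
]


def audit(sessions: List[Session]) -> List[str]:
    """Run the policy over a batch of sessions and return one log line each."""
    lines = []
    for s in sessions:
        action, reason = relay_decision(s)
        flag = " [possible spoofed sender]" if looks_spoofed(s) else ""
        lines.append(f"{s.client_ip} {s.mail_from} -> {s.rcpt_to}: "
                     f"{action} ({reason}){flag}")
    return lines


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_SESSIONS)))
```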


Discussion: Determining Security for E-Mail Protocols

1. Read the scenario
2. Identify security problems
3. Discuss problems with Northwind Traders' choice of e-mail protocols

Instructions

Northwind Traders has configured their e-mail system to provide e-mail access to employees over the Internet as well as over the LAN. The connections to the e-mail server over the LAN use IMAP4. When users connect to the e-mail server over the Internet, they use the HTTP protocol through the URL http://mail.nwtraders.msft/. Northwind Traders is concerned that e-mail content, such as passwords and sensitive information, may be intercepted over unsecured communications. Also, they do not want spammers to use their e-mail server to relay SMTP. Therefore, they have implemented SSL to secure server-to-server SMTP communications. Northwind Traders has an existing Public Key Infrastructure. What is wrong with this scenario, and what could they do to make this scenario more secure?

Answer: Text is sent over both protocols in plaintext. Northwind Traders should configure the IMAP4 settings on the clients and servers to use encryption. This will prevent the data from being intercepted and read. To protect the transmissions to the HTTP server, they could require clients to establish a secure connection to the HTTP server using SSL. They could also require that clients use a VPN to access the server. Northwind Traders could provide another level of security by using S/MIME to encrypt and sign the e-mail messages.


Assessment

Did you understand this lesson? Complete these assessment questions to confirm it.

Northwind Traders wants to provide their employees with a means to encrypt their e-mail to other users in the domain and to digitally sign their e-mail to prove authenticity. They want the solution to be centrally managed in the domain and as easy as possible for the users to use, with little user interaction or configuration. Northwind Traders has an existing PKI solution. Which of the following configurations will provide the necessary requirements while using the existing PKI solution?

A. Implement a PGP solution and have the users manage their own keys.
B. Implement a PGP solution and centrally manage the keys in the network.
C. Implement an S/MIME solution and have the users manage their own keys.
D. Implement an S/MIME solution and centrally manage the keys.

Answer: D


Lesson: Securing E-Mail Clients

- Common Threats to E-Mail Clients
- Guidelines for Configuring Microsoft E-Mail Clients

Introduction

An e-mail client is a software application for composing, sending, and receiving e-mail messages. Like e-mail servers, e-mail clients may be vulnerable to certain attacks. This lesson describes common attacks against e-mail clients and how you can configure your clients to best prevent attacks.

Lesson objectives

After completing this lesson, you will be able to:

- Identify and explain common threats to e-mail clients
- Secure your e-mail clients


Common Threats to E-Mail Clients

Threat | Description
Impersonation | Attacker creates a false return address or connects directly to an SMTP port on the target computer. Attacker modifies the e-mail header in transit
Eavesdropping | Attacker reads or modifies contents of an e-mail message in transit
Visible passwords | Some e-mail systems send passwords in plaintext
HTML e-mail | Malicious code could run on the client
Non-updated software | Software updates are usually available once security flaws are detected
Viruses spread through e-mail | Virus scanners can usually detect harmful code received in e-mail and prevent its execution
Web-based e-mail | Allows an entry point for mail that circumvents current security controls

Key points

The most common e-mail protocols do not include provisions for reliable authentication or encryption by default. This allows attackers to forge e-mail messages or intercept messages in transit. Although extensions to these basic protocols exist, the decision to use them must be part of an e-mail server administration policy. There are several common attacks against e-mail clients:

- Impersonation. An attacker creates a false return address by modifying the e-mail header in transit or by connecting directly to an SMTP port on the target computer to enter the false e-mail message.
- Eavesdropping. An attacker intercepts e-mail headers and contents as they are transmitted in plaintext. As a result, the attacker can read or alter the contents of a message.
- HTML e-mail. An attacker embeds executable code in the HTML e-mail, such as VBScript or JavaScript. Attackers may also direct users to a malicious Web page with the same type of executable code.
- Non-updated software. An attacker may exploit e-mail clients or operating systems that do not have the latest security patches or service packs.
- Viruses and executable programs spread through e-mail. Executable programs received in e-mail run in the user's security context and are limited only by the restrictions placed on that user account. Malicious programs are often disguised as something useful or entertaining.
- Web-based e-mail. When users access e-mail from Internet servers, they completely bypass any security configurations on the corporate e-mail servers, including the filtering of viruses and harmful attachments.


Module 8: Implementing Security for E-Mail and Instant Messaging

Guidelines for Configuring Microsoft E-Mail Clients



- Install all current client-side security patches
- Define when to allow active content rendering capabilities
- Use security zones to define security settings when viewing HTML-formatted e-mail
- Educate users about the risk of running executable e-mail attachments without fully understanding their origin and purpose
- Always use a virus scanner
- Always update the virus signature
- Use plaintext only to read all messages



Key points

Perform the following to secure your e-mail clients:


- Install all current client-side security patches. Maintain all relevant patches to address known security problems.
- Define when to allow active content rendering capabilities. You can enforce the rendering through Outlook security settings.
- Use security zones to define security settings when viewing e-mail in HTML format. Change Outlook HTML mail to run in the Restricted Sites zone. Ensure that scripting and ActiveX controls are disabled in the Restricted Sites zone.
- Always use a virus scanner and update the virus signature. Enforce the use of virus software on your users' computers.
- Consider using plaintext only to read all messages. This strategy eliminates the risk of running malicious active content from your e-mail.
- Educate users about the risks of running executable e-mail attachments without fully understanding their origin and purpose. The rapid spread of the ILOVEYOU virus demonstrated that many users, even in high-tech firms, do not understand the risk in running programs they receive in e-mail.
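The three client-side risks that the attack list and the guidelines above keep returning to (a forged sender, active content in HTML mail, and executable attachments) can be checked mechanically before a message is opened. The following is an added example, not code from the course or from Outlook; the message it inspects is constructed, and the extension list and the markup patterns it looks for are assumptions made for the example. It flags a mismatch between the From: header and the Return-Path written by the receiving server, script-capable HTML markup, and attachments whose final extension is executable, which is how a double extension such as NAME.TXT.vbs is caught.

```python
"""Triage an inbound message for the client-side risks in the lists above:
a sender whose From: header does not match the envelope sender (impersonation),
active content in HTML mail, and executable attachments.
Added example, not part of the course; the message below is constructed."""
import email
import re
from email import policy

# Attachment extensions that mail clients of the period ran directly when opened
# (assumed list for the example).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js", ".hta"}

# Markup that executes when HTML mail is rendered by a browser engine.
ACTIVE_CONTENT = re.compile(
    r"<script\b|<object\b|<embed\b|<applet\b|\bjavascript:|\bvbscript:|\bon\w+\s*=",
    re.IGNORECASE,
)


def _domain(address):
    """Lower-cased domain part of an address such as 'Name <user@host>'."""
    return address.rpartition("@")[2].strip("<> ").lower()


def triage_message(raw):
    """Return a sorted list of finding codes for a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = set()

    # The From: header is free text chosen by the sender; Return-Path is written
    # by the receiving server from the SMTP envelope. A mismatch does not prove
    # forgery, but it is the first thing a reader of the headers should check.
    header_from = _domain(str(msg.get("From", "")))
    envelope_from = _domain(str(msg.get("Return-Path", "")))
    if header_from and envelope_from and header_from != envelope_from:
        findings.add("sender-domain-mismatch")

    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            # Take the last extension so that NAME.TXT.vbs is still seen as .vbs
            ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
            if ext in EXECUTABLE_EXTENSIONS:
                findings.add("executable-attachment")
        elif part.get_content_type() == "text/html":
            if ACTIVE_CONTENT.search(part.get_content()):
                findings.add("html-active-content")
    return sorted(findings)


# Constructed message that trips all three checks.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mail-relay.example>
Received: from mail-relay.example (203.0.113.7) by mx.contoso.example
From: Helpdesk <helpdesk@contoso.example>
To: user@contoso.example
Subject: ILOVEYOU
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="part1"

--part1
Content-Type: text/html; charset="us-ascii"

<html><body onload="window.open('http://example.invalid/')">kindly check the attached LOVELETTER</body></html>
--part1
Content-Type: application/octet-stream; name="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Transfer-Encoding: base64

aGVsbG8=
--part1--
"""

if __name__ == "__main__":
    print(triage_message(SAMPLE_MESSAGE))
```

Reading mail as plaintext, as the guidelines recommend, removes the second finding entirely; the other two still need a virus scanner and user education, because a clean-looking sender domain and a harmless-looking filename are exactly what the attacker controls.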


Assessment

Did you understand this lesson? Complete these assessment questions to confirm it.

Clients in the network routinely receive e-mail from Web-based Internet e-mail systems outside of the company's control. What are the security concerns over the employees receiving e-mail this way, and what are some of the things that you can do to mitigate these concerns? (Choose all that apply.)
A. E-mail received in this fashion bypasses internal security systems. This e-mail could contain active content or contain attachments with viruses that will not be removed prior to opening the e-mail.
B. E-mail received in this fashion may overload the e-mail servers and prevent client access.
C. User information and e-mail contents may be passed over the Internet in plaintext.
D. Install virus scanners on the clients and educate users about threats from attachments.
E. Educate users to only send company-related e-mail using Internet-based e-mail systems after work hours.
F. Install virus scanners on the internal mail servers.
Answer: A, C, and D


Lesson 3: Securing Instant Messaging
- How Instant Messaging Works
- Common Vulnerabilities of Instant Messaging
- Guidelines for Securing Instant Messaging



Introduction

Instant messaging is a service that uses Internet technology to allow people to exchange text messages. Messages may travel through a central server or directly from one computer to another. This lesson describes how instant messaging works, common attacks against instant messaging, and how you can configure instant messaging to best prevent attacks. After completing this lesson, you will be able to:
- Describe how instant messaging works.
- Identify and explain the common vulnerabilities of instant messaging.
- Secure instant messaging from common attacks.


How Instant Messaging Works
(Slide diagram: Client A and Client B on the LAN, an Internal Messaging Server inside the firewall, and an External Messaging Server on the Internet.)
- Internal messaging servers keep all traffic inside the firewall
- Some messaging services allow direct communication between clients
- Some external messaging services relay all messages



Key points

Instant messaging allows users to send messages to anyone on a list of people with whom they wish to interact. The list is often called a buddy list or contact list. Each messenger service uses a proprietary protocol. Instant messaging is based on mail protocols. Messages are sent through Port 25 using SMTP and received through Port 110 using POP3. When the client accesses the service, the service verifies the user's credentials and logs the user on to the messaging server. At this point, instant messaging servers use different strategies for relaying messages. Some instant messaging servers:
- Relay all messages. Some servers receive and transmit every instant message, even when both clients are on the same LAN.
- Allow direct communication between clients. Once the server verifies credentials, it allows clients to communicate directly based on their IP addresses and ports.
- Can be set up inside the corporate firewall. By running your own instant messaging server, you can ensure that no messages or information about internal clients go outside of the firewall.


Common Vulnerabilities of Instant Messaging

- Most messaging systems send plaintext messages
- Internet-based messaging systems often transmit messages over the Internet, even if the recipient is on the same LAN
- Users may unknowingly send sensitive information outside of the intranet
- Messaging provides a direct channel of communication to clients from unknown sources and is difficult to manage



Key points

Instant messaging systems commonly send data in plaintext. If the messaging server is located on the Internet, then messages are transmitted over the Internet in plaintext, even when the intended recipient is on the local LAN. Users in the same office may expose private or sensitive information without realizing that instant messaging is not inherently secure. Instant messaging, like any peer-to-peer communication, is difficult for IT departments to regulate.


Guidelines for Securing Instant Messaging

- Educate users on the risks associated with unsecured transmissions
- Consider using a third-party encryption program if your instant messaging system does not support encryption
- Block the ability to receive messages from unknown accounts
- If you require secure messaging, configure an enterprise messaging system behind a firewall
- Secure the intranet communication by using IPSec



Key points

Perform the following to secure instant messaging:


- Educate users on the risk. There is less control over instant messaging than many technology managers would like. Be sure to educate users that instant messaging may not be secure. Create a policy for transmitting sensitive data over instant messaging.
- Consider using a third-party encryption program if your instant messaging system does not support encryption. Most instant messaging systems do not protect the confidentiality of messages. If your users will be sending sensitive or personal information, consider supplying a third-party encryption solution.
- Block the ability to receive messages from unknown accounts. Because most messaging systems allow users to send messages to users that are not on their buddy lists, configure the client to block any messages from unknown accounts.
- If you require secure messaging, configure an enterprise messaging system behind a firewall. To prevent your messages from being intercepted over the Internet, configure a messaging server to provide instant messaging service on the local network.
- Secure the intranet communication by using IPSec. This will secure not only the normal communications traffic between computers on the network, but also the instant messages.

Note Even if you are employing IPSec, your transmissions will still be sent over the Internet in unencrypted form if your instant messaging system uses an Internet messaging server.


Practice: Exploring Threats to Instant Messaging

Practice

1. Analyze the NetMon capture
2. Identify messages sent through instant messaging
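The practice document itself is not on this page, so the following is an added example of the analysis it asks for, written against flow records of the kind you would export from a capture rather than against a capture file; it is not the course's practice code. It makes the point of the "Common Vulnerabilities" lesson concrete: a message from one LAN client to another still crosses the perimeter in readable form when the messaging server sits on the Internet, while a TLS session to an internal server stays inside and is not readable. The LAN range, the flow records, and the table of service ports are all assumptions made for the example.

```python
"""Review TCP flow records, as you would export them from a NetMon capture,
for instant messaging traffic and report which messages leave the LAN in
plaintext. Added example, not part of the course practice; the flow records,
the LAN range and the port table are assumptions made for the example."""
import ipaddress
import string

# Well-known client ports of the messaging services of the period (assumed here).
IM_PORTS = {1863: "MSN Messenger", 5190: "AIM/ICQ", 5050: "Yahoo Messenger", 5222: "XMPP"}

PRINTABLE = set(string.printable.encode())


def is_plaintext(payload, threshold=0.95):
    """True when nearly every byte is printable ASCII; encrypted payloads fail."""
    if not payload:
        return False
    return sum(byte in PRINTABLE for byte in payload) / len(payload) >= threshold


def find_im_messages(records, lan):
    """One finding per IM flow: which service, whether the packet was addressed
    outside the LAN, and whether its body was readable on the wire.
    records are (src, dst, dst_port, payload) tuples."""
    lan_net = ipaddress.ip_network(lan)
    findings = []
    for src, dst, dport, payload in records:
        service = IM_PORTS.get(dport)
        if service is None:
            continue
        readable = is_plaintext(payload)
        findings.append({
            "service": service,
            "src": src,
            "dst": dst,
            # The recipient may sit on the same LAN, but a message addressed to
            # an Internet messaging server still crosses the perimeter.
            "leaves_lan": ipaddress.ip_address(dst) not in lan_net,
            "plaintext": readable,
            "preview": payload[:40].decode("ascii", "replace") if readable else None,
        })
    return findings


def exposed_messages(records, lan):
    """The subset of findings that anyone on the Internet path could read."""
    return [f for f in find_im_messages(records, lan) if f["leaves_lan"] and f["plaintext"]]


LAN = "10.1.0.0/16"
# Constructed flow records: two LAN clients, one external IM server, one
# internal server reached over TLS, and ordinary Web traffic for contrast.
RECORDS = [
    ("10.1.0.5", "198.51.100.20", 1863, b"MSG 4 N 52\r\nQ3 forecast: revenue down 12%, cuts in sales\r\n"),
    ("10.1.0.5", "10.1.0.200", 5222, b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01\x8e\x11"),
    ("10.1.0.7", "203.0.113.80", 80, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for finding in exposed_messages(RECORDS, LAN):
        print(finding["service"], finding["src"], "->", finding["dst"], repr(finding["preview"]))
```

The printable-byte ratio is a crude but serviceable test: an encrypted or compressed payload looks random, so fewer than half its bytes fall in the printable range, whereas a plaintext message is almost entirely printable. Matching on port alone misses services that switch ports, so in a real review you would also look at the payload's own framing.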



Instructions

Teresa, this hands-on practice is located at: \\moc\review\2810a\labdocs\Practices\2810A_08_Practice_A.doc


Assessment

Did you understand this lesson? Complete these assessment questions to confirm it.

1. Your users require the ability to exchange instant messages with each other within your organization. Because of the dynamic nature of their work, they rely on instant messaging for quicker answers than in e-mail. You are concerned about the possibility of proprietary information being exposed over the Internet. How can you mitigate this? (Choose all that apply.)
A. By deploying an internal messaging system.
B. By using an Internet messaging system and deploying IPSec to encrypt the communications between the computers on the network.
C. By educating your users that information sent over the messaging systems may be monitored.
D. By blocking ports that the messaging systems use at the firewall to the Internet.
Answer: A and D
Answer feedback:
Answer A: This will keep instant messages on the LAN, but will not keep users from installing other messaging systems.
Answer B: This will encrypt the traffic over the local network only. As soon as the data is transmitted over the Internet, it will no longer be encrypted.
Answer C: This is a good idea, but you should warn users not to send private information over the Internet. Forbid Internet-based instant messaging, if necessary.
Answer D: By blocking the port on the firewall that the messaging systems use, you will prevent any messages from being passed to the Internet.


Lab A: Securing Mail Servers
Exercise 1: Securing the Microsoft SMTP Service
In this exercise, students will configure the Microsoft SMTP Service to not accept messages for relaying.

Exercise 2: Applying Security to Outlook
Students will receive e-mail that has some problems. Students then configure Outlook 2002 so that this doesn't happen again.
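What Exercise 1 configures is a relay decision taken at every RCPT TO command: mail for your own domains is accepted from anyone, mail for other domains is accepted only from your own users, and everything else is refused before any data is received. The following models that decision and plays the envelope exchange from both sides, with the open-relay setting beside the restricted one. It is an added example and not the Microsoft SMTP Service's code; the domain, the trusted network and the session are constructed, and the reply texts are the standard SMTP codes.

```python
"""Model the relay decision the lab asks you to enforce on the SMTP service:
accept mail addressed to your own domains from anyone, relay to other domains
only for authenticated clients or hosts on networks you trust, and refuse
everything else. Added example, not the Microsoft SMTP Service's code; the
domains, networks and session below are constructed."""
import ipaddress


class RelayPolicy:
    """Decides each RCPT TO command the way a relay-restricted server does."""

    def __init__(self, local_domains, relay_networks=()):
        self.local_domains = {d.lower() for d in local_domains}
        self.relay_networks = [ipaddress.ip_network(n) for n in relay_networks]

    def rcpt_response(self, client_ip, authenticated, recipient):
        """Return the SMTP reply line for one recipient."""
        domain = recipient.rpartition("@")[2].strip("<>").lower()
        if domain in self.local_domains:
            return "250 2.1.5 Recipient OK"            # inbound mail for us
        client = ipaddress.ip_address(client_ip)
        if authenticated or any(client in net for net in self.relay_networks):
            return "250 2.1.5 Recipient OK"            # outbound mail from our users
        return f"550 5.7.1 Unable to relay for {recipient}"


def run_session(policy, client_ip, authenticated, mail_from, recipients):
    """Simulate the envelope exchange; return (transcript, accepted count)."""
    transcript = [
        ("S", "220 mail.contoso.example ESMTP"),
        ("C", f"HELO [{client_ip}]"),
        ("S", "250 mail.contoso.example"),
        ("C", f"MAIL FROM:<{mail_from}>"),
        ("S", "250 2.1.0 Sender OK"),
    ]
    accepted = 0
    for rcpt in recipients:
        transcript.append(("C", f"RCPT TO:<{rcpt}>"))
        reply = policy.rcpt_response(client_ip, authenticated, rcpt)
        transcript.append(("S", reply))
        accepted += reply.startswith("250")
    return transcript, accepted


# Weak setting: every network may relay, so anyone on the Internet can use
# the server to send to third parties.
OPEN_RELAY = RelayPolicy(["contoso.example"], relay_networks=["0.0.0.0/0"])
# Corrected setting: only the intranet (constructed range) may relay.
HARDENED = RelayPolicy(["contoso.example"], relay_networks=["10.1.0.0/16"])

if __name__ == "__main__":
    for policy in (OPEN_RELAY, HARDENED):
        transcript, accepted = run_session(policy, "203.0.113.9", False,
                                           "spam@other.example", ["victim@third.example"])
        for side, line in transcript:
            print(side, line)
        print("accepted recipients:", accepted)
```

The check that matters is the last one: the restricted server still accepts mail for contoso.example from the same Internet client, so inbound delivery is unaffected; only the third-party recipient is refused.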

Lab.doc

Module 9: Managing Security for Directory Services and DNS


Contents
Overview 1
Lesson: Securing Directory Services Against Common Threats 2
  Why Secure Directory Services? 3
  Common Threats to Directory Services 4
  Methods for Securing Information 5
  Guidelines for Securing Directory Services 6
  Practice: Securing Active Directory Data 7
  Assessment: Securing Directory Services Against Common Threats 8
Lesson: Securing DNS Against Common Threats 9
  Why Secure DNS? 10
  Common Threats to DNS 11
  Methods for Securing DNS 12
  Guidelines for Securing DNS 13
  Practice: Examining the Impact of a DNS Security Breach 14
Assessment: Securing DNS Against Common Threats 16
Lab A: Managing Security for Directory Services and DNS 18


Beta Materials do not use for purposes other than Beta testing


Overview
- Securing Directory Services Against Common Threats
- Securing DNS Against Common Threats

Introduction

For many organizations and users, a network is an effective means of communicating and conducting business. To operate efficiently, network administrators often use directory services and protocols such as DNS to make it easy to store and locate information about network resources. In this manner, the network itself becomes a source of information and therefore a potential target for an attacker. This module describes the ways in which you can protect directory services and DNS against attacks.

Objectives

After completing this module, you will be able to:
- Describe how to secure directory services against common threats.
- Describe how to secure DNS against common threats.


Lesson: Securing Directory Services Against Common Threats


- Why Secure Directory Services?
- Common Threats to Directory Services
- Methods for Securing Directory Services
- Guidelines for Securing Directory Services

Introduction

Directory services are repositories of information about a network's resources, including applications, files, printers, and users. As business demands require interaction with external networks and users, it is important that you protect the information in directory services. This lesson describes common threats to directory services and lists ways to secure these repositories.

Objectives

At the end of this lesson, you will be able to:
- Describe why securing directory services is important.
- List common threats to directory services.
- Describe methods for securing directory services.
- Describe guidelines for securing directory services.


Why Secure Directory Services?


Directory services are repositories for information such as:
- User account information, including passwords
- Data that supports an organization's information infrastructure
- Information that is required for computers, network services and applications to function
- Public and confidential data about employees

Key points

Directory services help you manage network resources effectively. These repositories provide a consistent way to name, describe, locate, access, manage, and secure information about the components of a network. You can use directory services, such as the Active Directory directory service, to centrally manage and share information on network resources and users. Be aware that the advantage of directory services, centrally stored and managed information, also increases the risk of an attack to gain access to this information.


Common Threats to Directory Services

Unauthorized access to information

Unauthorized database modifications

Key points

Unauthorized access to information can compromise:
- Information about the network's infrastructure, such as network infrastructure servers and shared resources.
- Confidential information about the organization, such as unlisted telephone numbers and payroll information.
- User credentials, including user certificates.

Unauthorized database modification can cause:
- Unauthorized access. An attacker may change permissions to allow future unauthorized access.
- Disruption of operations. An attacker can change user information, or make unauthorized changes to human resource information, such as pay levels.


Methods for Securing Information


Method: Minimize the number of administrative accounts
Considerations: Domain Administrators and Enterprise Administrators have far-reaching access to Active Directory and can modify all Active Directory data. Fewer accounts reduce the number of people who can cause damage.

Method: Partition Active Directory
Considerations: To create effective security boundaries, divide Active Directory into separate forests.

Method: Configure permissions
Considerations: Assign permissions to restrict access to Active Directory. Assign permissions at the object and attribute levels.

Method: Secure physical access to domain controllers
Considerations: Physical access to domain controllers can give unlimited access to Active Directory data.

(Slide diagram: a forest of domains containing a server, corporate and research desktops, a research server, a printer and a domain controller.)
Minimize administrative accounts

Assign users and administrators only the permissions that they need to perform their jobs. You can assign permissions to the entire object or to specific attributes of the object. For example, you can assign the Modify permission for an entire user object or just for a user's telephone number. If you assign the Modify permission only for the telephone number, then users cannot modify the password, address, or other information.

Partitioning Active Directory

Partitioning Active Directory is one of the most important aspects of Active Directory. Your security requirements for Active Directory may require multiple domains or even multiple forests. It is important that you decide who to add to the Domain Admins group in each domain. Domain administrators of any domain in the forest have the potential to take ownership of and modify any information in the Configuration container of Active Directory. These changes will be available and replicate to all domain controllers in the forest. Therefore, for any domain that is joined to a forest, you must consider that the domain administrator of that domain is trusted as an equal to any other domain administrator.

Configure permissions

Within an Active Directory domain, you can delegate permissions for organizational units (OUs) or specific child objects such as user accounts or computer accounts. To delegate permissions, use the Delegation of Control wizard, or modify the object's properties.

Physically securing domain controllers

Use extra care when physically securing Active Directory domain controllers. Physical access to a domain controller enables an attacker to access and change any information in Active Directory, such as confidential corporate data, financial records, and personal data. Active Directory contains a number of security features to prevent such unauthorized access, but software cannot completely protect against a determined attacker.

Additional reading

For more information about securing Active Directory, see the Deployment Planning Guide, in the Windows 2000 Server Resource Kit at: http://www.microsoft.com/windows2000/techinfo/reskit/dpg/default.asp.


Guidelines for Securing Directory Services


- Make security part of directory services
- Secure all protocols for database access such as LDAP, X.500, and replication protocols
- Audit access to the directory database
- Document permission assignments
- Balance restrictive permissions with the purpose of each directory service


Key points

Use the following guidelines to secure directory services:

- Make security part of directory services. Balance security criteria with other design criteria, such as ease of access and performance.
- Secure all protocols for database access. For example, require Secure Sockets Layer (SSL) to encrypt connections that use LDAP, X.500, and replication protocols.
- Audit access to the directory database. Auditing alerts you to unauthorized directory access.
- Document permission assignments. Make directory permissions part of the trusted computing baseline.
- Balance restrictive permissions with the directory service's purpose. Directory services provide access to information; however, inappropriate access to information may cause security breaches.


Practice: Securing Active Directory Data

1. Read the scenario
2. Discuss your answer with the class


Instructions

Read the scenario and then select the best proposal to secure Active Directory objects. Share your answer with the class.

Scenario

Contoso Pharmaceuticals' European information technology group has decided to decentralize their user account administration. Currently all user accounts are administered by administrators in the central office. Only administrators in the central office can add or remove user accounts, or make any changes to these accounts. After the reorganization, administrators for each country should be able to add and remove user accounts for users in that country. Human Relations (HR) employees in each country should be able to make changes to the contact information of users, such as telephone numbers and addresses. Network administrators from the affected countries have proposed several solutions. Which method do you recommend as the most secure one?

Proposal 1: Place all European users into a single organizational unit (OU). Assign the Full Control permission for the OU to all administrators. Assign permissions to create, delete, and manage user accounts to all HR employees.

Proposal 2: Divide European users into OUs, according to which country they work in. Assign the Full Control permission for each OU to the corresponding country's administrators. Assign permissions to create, delete, and manage user accounts in each OU to the corresponding country's HR employees.

Proposal 3: Divide European users into OUs according to which country they work in. Assign the Full Control permission for each OU to the corresponding country's administrators. Assign permissions to change contact information of user accounts in each OU to the corresponding country's HR employees.

Proposal 4: Place all European users into a single OU. Assign the Full Control permission for the OU to administrators that manage all European operations. Assign the Full Control permission for all user accounts in a country to that country's administrators. Assign permissions to modify contact information of user accounts in a country to that country's HR employees.


Assessment: Securing Directory Services Against Common Threats


Did you understand this lesson?

Complete the assessment question to confirm it.


Multiple choice

1. Contoso has a research department that develops new products. To perform these functions, the research department stores confidential data in Active Directory. What is the best strategy that Contoso can use to ensure that nobody outside the research department can gain access to this data while still allowing communication and cooperation between employees in all departments? (Choose the correct answer.)
a. Configure appropriate access permissions for all objects in Active Directory.
b. Configure appropriate access permissions for all objects in Active Directory and configure separate Active Directory domains.
c. Configure appropriate access permissions for all objects in Active Directory and configure separate Active Directory forests.
d. Configure appropriate access permissions for all objects in Active Directory and physically separate the research department's network from the main corporate network.


Lesson: Securing DNS Against Common Threats


- Why Secure DNS?
- Common Threats to DNS
- Methods for Securing DNS
- Guidelines for Securing DNS


Introduction

DNS is an industry-standard protocol that locates computers on an Internet Protocol (IP)-based network. DNS translates friendly names that users can remember, such as www.microsoft.com, into number-based addresses that the network can recognize, such as 207.46.134.190. This lesson describes common threats to this protocol and ways to secure DNS. At the end of this lesson, you will be able to:

Objectives

- Describe why securing DNS is important.
- List common risks to DNS.
- Describe methods for securing DNS.
- Describe guidelines for securing DNS.


Why Secure DNS?


(Slide diagram: the DNS root domain, the com domain, microsoft and marketing.microsoft.com, with the Sales and Marketing containers and Computer1 and Computer2.)
- DNS domains contain computer names and IP addresses
- Users and computers depend on DNS to access other computers and network resources
- Active Directory depends on DNS to function

Key points

DNS is the primary locator service for the Internet, Windows networks, and Active Directory. Securing DNS is also known as hardening. Disruptions to DNS may prevent users from doing their work because they cannot access network resources. A disruption may also prevent customers from reaching the organization's servers over the Internet.

Additional reading

For more information about how to use Active Directory to enhance DNS security for Windows 2000, see the Deployment Planning Guide, in the Windows 2000 Server Resource Kit at: http://www.microsoft.com/windows2000/techinfo/reskit/dpg/default.asp.


Common Threats to DNS


Threat: Unintended disclosure of information
Risk: DNS contains information about network infrastructure. DNS may contain information about an organization.

Threat: Unauthorized DNS modifications
Risk: Users may be directed to an impostor computer. Service may be disrupted.

Threat: Denial of access to DNS
Risk: Users cannot locate computers. Disruption of an organization's operations.


Key points

Common risks to DNS can include the following:

- Unintended disclosure. An attacker who can view your DNS records can identify all your servers and domain controllers. The attacker can use this information to find a target for an attack. DNS zone information normally contains the e-mail address of the person responsible for zone information. An attacker could use the e-mail address, or a name derived from the e-mail address, in a social engineering attack.
- Unauthorized DNS modifications. Computers depend on DNS to find the IP addresses of servers. An attacker can change DNS information and redirect computers to the attacker's computer instead of a legitimate server. Unauthorized DNS modifications that prevent users from connecting to servers may result in a disruption of service.
- Denial of access. By launching a denial of service attack against DNS, an attacker can prevent DNS from functioning correctly. For example, an attacker may use a large number of computers to send a constant stream of packets to the DNS server. The DNS server is so busy processing these packets that it can no longer process legitimate name resolution requests.
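The denial-of-access risk above is one you can watch for in the server's own query log. The following is an added example, not part of the course: it counts queries per source over a sliding window and names the sources that exceed a threshold, and separately reports the aggregate peak per second, because a flood sent from many computers, as the text describes, may stay under any per-source threshold. The log format and the log lines are constructed for the example; a real Windows DNS debug log needs its own parser.

```python
"""Detect the query flood described above by counting queries per source over
a sliding window of DNS query-log lines, and report the aggregate peak so
that a flood spread over many sources is still visible. Added example, not
part of the course; the log format and the log lines are constructed."""
from collections import Counter, defaultdict
from datetime import datetime

EPOCH = datetime(1970, 1, 1)


def parse_query_log(lines):
    """Yield (second, client, qtype, qname) from constructed lines of the form
    'YYYY-MM-DD HH:MM:SS client qtype qname'; second is an integer."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        date, clock, client, qtype, qname = line.split()
        ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        yield int((ts - EPOCH).total_seconds()), client, qtype, qname


def flood_sources(lines, window_seconds=5, max_queries=50):
    """Clients that sent more than max_queries queries in any window, as
    (client, peak) pairs, busiest first."""
    per_client = defaultdict(Counter)          # client -> {second: count}
    for second, client, _, _ in parse_query_log(lines):
        per_client[client][second] += 1
    offenders = {}
    for client, counts in per_client.items():
        seconds = sorted(counts)
        total = start = peak = 0
        for sec in seconds:
            total += counts[sec]
            # Drop the seconds that fell out of the window ending at sec.
            while seconds[start] <= sec - window_seconds:
                total -= counts[seconds[start]]
                start += 1
            peak = max(peak, total)
        if peak > max_queries:
            offenders[client] = peak
    return sorted(offenders.items(), key=lambda item: -item[1])


def peak_queries_per_second(lines):
    """Highest aggregate query count in any one second, regardless of source."""
    totals = Counter(second for second, *_ in parse_query_log(lines))
    return max(totals.values(), default=0)


def constructed_query_log():
    """One host sending 40 queries a second for three seconds, plus three
    ordinary clients resolving the intranet Web server."""
    lines = [f"2002-06-12 10:15:{i // 40:02d} 198.51.100.7 A host{i}.contoso.example"
             for i in range(120)]
    for i, client in enumerate(["10.1.0.11", "10.1.0.12", "10.1.0.13"]):
        lines.append(f"2002-06-12 10:15:{i:02d} {client} A www.contoso.example")
    return lines


if __name__ == "__main__":
    log = constructed_query_log()
    print("flood sources:", flood_sources(log))
    print("peak queries per second:", peak_queries_per_second(log))
```

The thresholds are illustrative; set them from the server's normal load, and treat the aggregate figure as the alarm for a distributed flood, where no single source stands out but the total does.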


Methods for Securing DNS


- Limit information available in DNS
- Prevent unauthorized zone transfers
- Limit administrative access to the DNS database
- Limit dynamic updates to DNS
(Slide diagram: the microsoft and sales zones, each with its own zone database.)


Key points

Methods for securing DNS include:


Limit the information available in DNS: Only make those records that external users require to access resources from the Internet available in the DNS zone. For example, external users can find www.microsoft.com but they cannot access information about Microsoft domain controllers from the Internet. In the start of authority (SOA) record for your DNS zone, use a generic email account that you use only for that purpose. Do not include a users regular e-mail address. For example, use dnsadministrator@microsoft.com, not someone@microsoft.com.

Prevent unauthorized zone transfers: DNS servers use zone transfers to synchronize DNS zone information. Normally, these zone transfers are only required between DNS servers that are authoritative for the same zone. An attacker can use the same zone transfer mechanism to retrieve a complete list of all data in the zone. Prevent this by configuring your DNS server not to transfer zone information or to transfer zone information only to authorized DNS servers. Limit administrative access: To prevent unauthorized changes to DNS data, only allow designated DNS administrators to make changes to DNS data. Limit dynamic updates to DNS: Windows 2000 and later systems use dynamic updates to allow computers to register and update their DNS information. When using dynamic updates, configure your DNS server to only accept secure dynamic updates. This will prevent computers that do not have an Active Directory account from registering IP addresses or making changes to DNS data.
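The first method above, limiting what the external zone discloses, is easy to check before a zone is published. The following is an added example, not part of the course: it reads a zone in master-file syntax and reports the three disclosures the text names, a personal mailbox in the SOA record, records that point at private addresses, and the SRV records under which Active Directory domain controllers register themselves. The zone contents, the approved role mailboxes and the address ranges are assumptions made for the example, and a leaky zone is shown beside the trimmed public one.

```python
"""Audit a zone you intend to publish on external DNS servers for the kinds
of disclosure described above: a personal contact in the SOA record, private
addresses, and the SRV records that Active Directory domain controllers
register. Added example, not part of the course; the zone contents and the
role mailbox names are constructed."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Owner-name prefixes under which Active Directory publishes domain controller
# locator records; they belong in the internal zone only.
DC_LOCATOR_PREFIXES = ("_ldap._tcp", "_kerberos._tcp", "_kpasswd._tcp", "_gc._tcp")


def parse_zone(text):
    """Yield (owner, type, rdata fields) from a one-record-per-line zone in
    master-file syntax with explicit TTL and class; $ directives and
    ; comments are skipped."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        owner, _ttl, _class, rtype, *rdata = line.split()
        yield owner, rtype.upper(), rdata


def soa_contact(rdata):
    """Convert the SOA RNAME field (mailbox.domain.) into mailbox@domain."""
    mailbox, _, domain = rdata[1].rstrip(".").partition(".")
    return f"{mailbox}@{domain}"


def audit_external_zone(text, role_mailboxes=("hostmaster", "dnsadministrator")):
    """Return (finding, record) pairs, in zone order."""
    findings = []
    for owner, rtype, rdata in parse_zone(text):
        if rtype == "SOA":
            contact = soa_contact(rdata)
            if contact.split("@")[0].lower() not in role_mailboxes:
                findings.append(("soa-personal-contact", contact))
        elif rtype == "A":
            addr = ipaddress.ip_address(rdata[0])
            if any(addr in net for net in RFC1918):
                findings.append(("internal-address", owner))
        elif rtype == "SRV" and owner.lower().startswith(DC_LOCATOR_PREFIXES):
            findings.append(("domain-controller-srv", owner))
    return findings


# Constructed zone as it might look when the internal zone is copied outside.
LEAKY_ZONE = """\
$ORIGIN contoso.example.
@          3600 IN SOA ns1.contoso.example. someone.contoso.example. 2002061201 3600 900 604800 300
@          3600 IN NS  ns1.contoso.example.
ns1        3600 IN A   203.0.113.53
www        3600 IN A   203.0.113.10
@          3600 IN MX  10 mail.contoso.example.
mail       3600 IN A   203.0.113.25
dc1        3600 IN A   10.0.0.5          ; domain controller on the intranet
_ldap._tcp  600 IN SRV 0 100 389 dc1.contoso.example.
"""

# The same zone trimmed to what Internet users need.
PUBLIC_ZONE = """\
$ORIGIN contoso.example.
@          3600 IN SOA ns1.contoso.example. dnsadministrator.contoso.example. 2002061202 3600 900 604800 300
@          3600 IN NS  ns1.contoso.example.
ns1        3600 IN A   203.0.113.53
www        3600 IN A   203.0.113.10
@          3600 IN MX  10 mail.contoso.example.
mail       3600 IN A   203.0.113.25
"""

if __name__ == "__main__":
    for finding in audit_external_zone(LEAKY_ZONE):
        print(*finding)
    print("public zone findings:", audit_external_zone(PUBLIC_ZONE))
```

The parser deliberately handles only the simple one-record-per-line form; a mailbox containing a dot is written with an escaped dot in RNAME, which this example does not decode. The private-address check is written against the RFC 1918 ranges explicitly rather than the library's broader notion of "private", so that the documentation addresses used in the sample are treated as public.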

Guidelines for Securing DNS


(Slide diagram: separate internal and external DNS namespaces; the slide shows the names microsoft.com and sales.marketing.com.)

- Separate internal and external DNS
- Use Active Directory integrated zones and dynamic updates for internal DNS
- Do not allow dynamic updates for external DNS
- Allow zone transfers only to secondary DNS servers

Key points

To secure DNS, separate the information that internal users can access by using DNS from the information that external users can access by using DNS. Make sure that externally accessible DNS servers contain only information about public services, such as DNS records for Web and e-mail server addresses. Also, use Active Directory integrated zones and dynamic updates for internal DNS, but do not allow dynamic updates for external DNS servers. Dynamic updates simplify the administration of DNS, but only authorized computers should update their own DNS registration. Configure your internal DNS server to allow only secure dynamic updates, so that only computers that belong to the Active Directory domain can register DNS records and update their own records. Restrict zone transfers to transfers from primary to secondary DNS servers, so that an intruder cannot use a zone transfer to retrieve all zone data.
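As an added example (not the course's own code), the following script applies the split-DNS guidelines above: it derives the Internet-facing zone from an internal zone, keeping only records for public hosts, dropping Active Directory service records and internal addresses, and rewriting the SOA to name a public primary and a generic mailbox. The zone, host names (ns1, dc1, alice) and addresses are constructed for illustration.

```python
"""
Split-DNS helper: derive the Internet-facing zone from the internal zone.

Added example, not the course's own material. Zone and host names
(contoso.msft, ns1, dc1, alice) and the records are constructed.
"""
import ipaddress

# Hosts that external users legitimately need to resolve. Everything else is
# internal and must not appear on the external DNS server.
PUBLIC_HOSTS = {"www", "mail", "ns1"}
# Role-based mailbox for the external SOA instead of a person's address.
GENERIC_RNAME = "dnsadministrator.contoso.msft."
# The public primary name server that the external SOA should name.
PUBLIC_PRIMARY = "ns1.contoso.msft."
# Address ranges that should never be published outside (RFC 1918 plus link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def _label(name):
    """First label of a name, e.g. 'www' from 'www.contoso.msft.'."""
    return name.split(".")[0].lower()


def _is_internal(addr):
    """True when addr is an IP address inside one of INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not an address, e.g. a CNAME target
    return any(ip in net for net in INTERNAL_NETS)


def split_external_zone(records, public_hosts=PUBLIC_HOSTS,
                        generic_rname=GENERIC_RNAME, public_primary=PUBLIC_PRIMARY):
    """Return (external_records, findings) for a list of (name, type, data).

    external_records is the subset safe to publish; findings explains every
    record that was dropped or rewritten and what it would have disclosed.
    """
    external, findings = [], []
    for name, rtype, data in records:
        rtype = rtype.upper()
        if rtype == "SOA":
            mname, rname, rest = data.split(maxsplit=2)
            if _label(mname) not in public_hosts:
                findings.append(f"SOA MNAME {mname} names an internal server; "
                                f"rewritten to {public_primary}")
                mname = public_primary
            if rname != generic_rname:
                findings.append(f"SOA RNAME {rname} is a personal mailbox; "
                                f"rewritten to {generic_rname}")
                rname = generic_rname
            external.append((name, rtype, f"{mname} {rname} {rest}"))
        elif rtype in ("NS", "MX"):
            # Delegation and mail-exchanger records describe public services.
            external.append((name, rtype, data))
        elif rtype == "SRV" or _label(name).startswith("_"):
            # Active Directory locator records (_ldap, _kerberos, ...) map the
            # domain controllers and must stay on the internal server.
            findings.append(f"{rtype} {name} reveals internal services; dropped")
        elif rtype in ("A", "AAAA", "CNAME"):
            if _label(name) not in public_hosts:
                findings.append(f"{rtype} {name} -> {data} is internal only; dropped")
            elif _is_internal(data):
                findings.append(f"{rtype} {name} -> {data} exposes an internal "
                                f"address; dropped")
            else:
                external.append((name, rtype, data))
        else:
            findings.append(f"{rtype} {name} is not on the publish list; dropped")
    return external, findings


# Constructed sample internal zone (not real data).
INTERNAL_ZONE = [
    ("contoso.msft.", "SOA",
     "dc1.contoso.msft. alice.contoso.msft. 2002101501 3600 600 86400 3600"),
    ("contoso.msft.", "NS", "ns1.contoso.msft."),
    ("contoso.msft.", "MX", "10 mail.contoso.msft."),
    ("ns1.contoso.msft.", "A", "203.0.113.2"),
    ("www.contoso.msft.", "A", "203.0.113.10"),
    ("mail.contoso.msft.", "A", "203.0.113.25"),
    ("dc1.contoso.msft.", "A", "10.0.0.5"),
    ("_ldap._tcp.contoso.msft.", "SRV", "0 100 389 dc1.contoso.msft."),
    ("_kerberos._tcp.contoso.msft.", "SRV", "0 100 88 dc1.contoso.msft."),
    ("intranet.contoso.msft.", "A", "10.0.0.20"),
]

if __name__ == "__main__":
    published, notes = split_external_zone(INTERNAL_ZONE)
    print("Publish on the external server:")
    for rec in published:
        print("  ", *rec)
    print("Findings:")
    for note in notes:
        print("  ", note)
```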

Practice: Examining the Impact of a DNS Security Breach

1. Read the scenario
2. Follow the step-by-step directions

Instructions

Read the scenario and then follow the steps to secure Active Directory objects. Before you start this practice, ensure that your instructor has configured DNS.

Scenario

Customers of Contoso Pharmaceuticals report that when they connect to www.contoso.msft, they are directed to a Web site that does not appear to be Contoso's actual Web site. You have been asked to investigate the reasons for this.

1. Log on using the following information:
   User name: Studentx (where x is your assigned student number)
   Password: P@ssw0rd
   Log on to: CONTOSO
2. Open Internet Explorer, and then connect to www.contoso.msft. What is the name of the computer that you are connected to?
3. Close Internet Explorer.
4. At a command prompt, type ping www.contoso.msft and then press ENTER. What is the IP address of the computer that you are connected to?

Before you continue, ensure that your instructor has configured DNS.

5. At the command prompt, type ipconfig /flushdns and then press ENTER.
6. Open Internet Explorer, and then connect to www.contoso.msft. What is the name of the computer that you are connected to?
   Glasgow
7. Close Internet Explorer.
8. At a command prompt, type ping www.contoso.msft and then press ENTER. What is the IP address of the computer that you are connected to?
9. Close all open windows, and then log off.

Assessment: Securing DNS Against Common Threats


Did you understand this lesson?

Complete the assessment question to confirm it.

Multiple choice

1. Contoso has a single DNS server that it uses to support its internal Active Directory structure and allow access to Contoso's Web and mail servers from the Internet. The DNS zone that contains the records for the public servers does not allow dynamic updates. The zone that contains Active Directory-related DNS data is configured to allow secure dynamic updates to ensure that only computers that are members of Contoso's Active Directory domain can create or change DNS entries. Which types of attacks is Contoso's DNS server vulnerable to? (Choose the correct answer.)
   a. Contoso's DNS server is sufficiently secured against potential attacks
   b. Contoso's DNS server is vulnerable to disclosure of its network infrastructure
   c. Contoso's DNS server is vulnerable to unauthorized changes to its DNS records
   d. Contoso's DNS server is vulnerable to disclosure of user information

Lab A: Managing Security for Directory Services and DNS


Exercise 1: Assessing the Security Impact of Permissions
Students will have limited permissions to make changes. They will change information in Active Directory and then assess the impact of the changes. Then students will lock down Active Directory and view the results of the lockdown.

Exercise 2: Restricting Zone Transfers
Students will perform a zone transfer, restrict zone transfers, and then attempt to perform a zone transfer again to verify that the restriction worked.

Module 10: Securing Data Transmission


Contents

Overview 1
Lesson: Identifying Threats to Network Devices 2
Assessment: Identifying Threats to Network Devices 14
Lesson: Implementing Security for Common Data Transmission 15
Assessment: Implementing Security for Common Data Transmission 34
Lesson: Implementing Security for Remote Access 35
Assessment: Implementing Security for Remote Access 50
Lesson: Implementing Security for Wireless Network Traffic 51
Assessment: Implementing Security for Wireless Network Traffic 64
Lab A: Securing Data Transmission 66

Overview
- Identifying Threats to Network Devices
- Implementing Security for Common Data Transmission
- Implementing Security for Remote Access
- Implementing Security for Wireless Network Traffic

Introduction

This module teaches how to identify threats to network devices and how to secure data transmissions by implementing security for common data transmission, remote access, and wireless network traffic.

Objectives

After completing this module, you will be able to:

- Identify threats to network devices
- Implement security for common data transmission
- Implement security for remote access
- Implement security for wireless network traffic

Lesson: Identifying Threats to Network Devices


- Threats Common Among Network Devices
- Additional Threats to the Physical Layer
- Additional Threats to the Data Link Layer
- Additional Threats to the Network Layer
- Threats to Telecom Services
- Guidelines for Protecting Network Devices

Introduction

The first step in protecting your data as it moves from place to place is to understand the threats associated with the network devices that help move data. This lesson lists threats and vulnerabilities that network devices have in common, describes threats and vulnerabilities that are specific to the devices that work at the first three layers of the OSI model, and provides guidelines for protecting those network devices. The lesson also discusses the threats to and vulnerabilities of telecom services such as PBX telephone systems and voicemail systems.

Lesson objectives

After completing this lesson, you will be able to:

- Identify threats that are common among network devices
- Identify threats to the physical layer
- Identify threats to the data link layer
- Identify threats to the network layer
- Identify threats to telecom services
- Protect network devices

Threats Common Among Network Devices


Threats to devices: Attackers can attempt to take over administrative capabilities, take devices out of service, and eavesdrop on the data that flows through them.

Vulnerabilities of devices:
- Most have management utilities that are accessible over the network
- They all run either firmware or software that can have programming flaws that attackers can exploit
- They can be tampered with or stolen if attackers get physical access to them
- They ship with default configurations that are known to attackers

(Slide diagram: the OSI model, with the network devices that operate at its lowest three layers: routers at the network layer, switches at the data-link layer, and hubs at the physical layer.)

Key points

Network devices such as routers, switches, and hubs have several threats in common. For example, attackers can take over their administrative capabilities, take the devices out of service, and eavesdrop on the data that flows through them. These common threats stem from the vulnerabilities that network devices have in common:

- Most have management utilities that are accessible over the network
- They all run either firmware or software that can have programming flaws that attackers can exploit
- They can be tampered with or stolen if attackers get physical access to them
- They ship with default configurations that are known to attackers

Additional Threats to the Physical Layer


Physical layer. Attackers can:
- Sniff electromagnetic emissions from network cables
- Physically tap into network cables
- Sniff signals from wireless media
- Take advantage of the vulnerabilities of some network topologies

In addition to the threats that hubs share with other network devices, there are some threats that are specific to the physical layer.

Electromagnetic emissions

Copper-based cable transmits a signal by using bursts of electricity along the length of the wire. As this signal moves, it can be read by devices that pick up electromagnetic (EM) emissions. Attackers can read this signal from UTP, coaxial, and STP cable without physically tapping the cable or attaching to the network.

Transmission media and security considerations:

UTP cable: Attackers can read electromagnetic emissions without physically tapping the cable.

Coaxial cable: Better than UTP but not perfectly shielded unless Tempest certified. Has shielding material that can make it more difficult to read than UTP, but all copper-based cables are susceptible unless they are built to specifically shield emissions.

STP cable: Better than UTP but not perfectly shielded unless Tempest certified. Has shielding material that can make it more difficult to read than UTP, but all copper-based cables are susceptible unless they are built to specifically shield emissions.

Fiber-optic cable: Cable must be physically tapped to capture data. Not susceptible to devices that can read electromagnetic emissions, because it uses light pulses instead of electric pulses to transmit signals. An attacker would have to physically tap into the cable to read the signals, which would be very difficult to do without disrupting network communications.

Infrared, radio frequency, microwave: All data is sent through broadcast mechanisms. Unless the data is encrypted, an attacker can sniff the data if he or she tunes into the right frequency.

Cable that has been specifically shielded is sometimes referred to as Tempest-certified because of a U.S. government project to study emissions security. Such a high level of security is usually not required outside of military or government applications. An attack against Tempest-certified cable would require an attacker to have physical access to the cable.
Physical connectivity

Although it is possible to read emissions without tapping into copper cable, it is usually much easier for an attacker with physical access to simply connect to the network with a standard connector. Organizations that use STP and UTP cable either have ports mounted into the wall or have hubs scattered throughout the building. If an attacker has physical access, the attack is as simple as connecting to one of these ports by using a standard cable. Coaxial cable is connected in a long bus. It is relatively easy for an attacker to add another connection to a thinnet coax bus. It is slightly more complicated to do this for a thicknet bus, but not much thicknet is still in use. Fiber-optic cable is not as widely used for desktop computers because it is expensive and complex to install. However, an attacker can connect to an available port if he or she can get access. A wireless network is the easiest to connect to. Anyone who can receive the broadcast signal can connect to the network and see all network traffic if security measures aren't taken. Additional information about securing wireless networks is provided in the Implementing Security for Wireless lesson that follows. If you are taking this course out of sequence, see the Implementing Security for Wireless lesson in Module 10, Securing Data Transmission, in Course 2810, Fundamentals of Network Security.

Sniffing

After an attacker is physically connected to your network, he or she can potentially read all traffic on that segment. It is also possible for a remote attacker to install a sniffing agent on a device that is already connected to the network. This enables the attacker to sniff the segment without first getting physical access. If the attacker has a sniffer, it is possible for them to see all network traffic that is not encrypted. It is also possible, although it is very difficult, for an attacker to capture encrypted data and attempt to break the encryption. Networks arranged in different topologies are vulnerable for different reasons:

Topology

- A star network is vulnerable because the hub is a single point of failure. If the attacker can physically disable or remove the hub, all network communications are stopped. An attacker can take advantage of the management capabilities built into more intelligent hubs to disable these hubs without having physical access to them.
- A coaxial bus network is vulnerable because attackers can remove the terminators or create a break in the bus by disconnecting the cable between devices.
- Ring networks are also vulnerable if the attacker breaks the ring, although some ring topologies, for example FDDI, use dual rings to provide better fault tolerance.

A full mesh topology eliminates a single point of failure, so in theory it is more secure, but it is usually not practical in a LAN environment.

Additional reading

For more information about threats to the physical layer, see the following documents:

- Security on the Network Magazine.com Web site at http://www.networkmagazine.com/article/NMG20000724S0058/2
- Fiber-Optic Cable, The Security Mission at http://web.raex.com/~colombo/security/secmis15.htm
- Spy Agency Taps into Undersea Cable on the ZDNet News Web site at http://zdnet.com.com/2100-11-529826.html?legacy=zdnn
- Handbook 5, Emanations and Cable Security at http://216.239.33.100/search?q=cache:qL0vkjsjf_sC:www.dsd.gov.au/infosec/acsi33/HB5p.pdf+tempest+certified+cable&hl=en&ie=UTF-8

Additional Threats to the Data Link Layer


Data link layer. Attackers can:
- Spoof ARP packets and send bogus MAC addresses
- Overwrite entries in the ARP cache
- Overload or trick switches into allowing their traffic through

When one computer needs to communicate with another computer, it must first obtain the MAC address of the target computer. When using the TCP/IP protocol, the computer obtains the MAC address by sending out an ARP broadcast that contains the IP address, which it knows, and requests the MAC address, which is unknown. This activity creates several vulnerabilities that attackers can exploit.

ARP spoofing

The ARP protocol does not require a computer to verify the sender and receiver during an ARP broadcast, which makes this vulnerability fairly simple for an attacker to exploit. If computer A requests the MAC address for computer B's IP address, there is no guarantee that computer B is really the one answering. If computer X responds instead, it can spoof the packet and send its own MAC address as the one that matches the requested IP address. After computer A has this information, even though it is incorrect, it remains in computer A's ARP cache until it expires. Any time computer A attempts to contact computer B by using the incorrect MAC address, the communication is sent to computer X.

ARP cache poisoning

Computer A dynamically caches computer B's (or computer X's) information according to the caching rules determined by the operating system. This makes it possible for an attacker to overwrite the entries in the ARP cache. This is called ARP cache poisoning. Because computer A checks the ARP cache before broadcasting, computer A will always use the MAC address planted by the attacker first. While it is theoretically possible to use static ARP cache entries to mitigate this vulnerability, there are problems with that approach. First, some operating systems allow static ARP cache entries to be updated dynamically, so the entries are not actually protected by being static; second, it is impractical to set static ARP entries on more than a few computers. You might actually cause more problems on your network than an attacker if you don't keep the entries properly updated in the event of network adapter changes. If enough bad addresses can be stuffed into the cache, it can cause a denial of service, because the target computer will not be able to send to legitimate hosts.

Switches

Switches can function at the data link layer to forward packets based on MAC addresses. This functionality was designed to reduce collisions, not to be used as a security measure. Even though a switch may separate computers for traffic purposes, the switch can be overloaded, which could cause it to fall back to standard hub mode. Switches may also be tricked by ARP spoofing, which could allow an attacker's traffic to move from one segment to another. Switches provide better protection against sniffing than hubs, but they still cannot be relied on for anti-sniffing security, because an attacker could use a man-in-the-middle attack by spoofing to both parties in the communication and intercepting their traffic.

Additional reading

For more information about threats to the data link layer, see the following documents:

- ARP and ICMP Redirection Games at http://www.insecure.org/sploits/arp.games.html
- Cisco Security Advisory: Cisco IOS ARP Table Overwrite Vulnerability at http://www.cisco.com/warp/public/707/IOS-arp-overwrite-vuln-pub.shtml
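Because static ARP entries do not scale, the practical defense is to watch ARP traffic for the symptoms of spoofing and cache poisoning described above. The following arpwatch-style detector is an added example, not course material; it replays the computer A / computer B / computer X scenario with a constructed capture in which all MAC and IP addresses are illustrative.

```python
"""
ARP cache poisoning detector (arpwatch-style) for captured ARP traffic.

Added example, not part of the course. It replays the computer A /
computer B / computer X scenario from the text with constructed packets;
every MAC and IP address below is illustrative.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ArpPacket:
    ts: float          # capture time in seconds
    op: str            # "request" or "reply"
    sender_ip: str     # for a reply: the IP the sender claims to own
    sender_mac: str    # for a reply: the MAC it wants cached for that IP
    target_ip: str     # for a request: the IP being asked about


class ArpWatcher:
    """Tracks IP->MAC bindings learned from replies and reports anomalies."""

    def __init__(self, max_ips_per_mac=3, request_window=2.0):
        self.bindings = {}                    # ip -> mac most recently seen
        self.pending = {}                     # ip asked about -> time of request
        self.ips_by_mac = defaultdict(set)    # mac -> every ip it has claimed
        self.max_ips_per_mac = max_ips_per_mac
        self.request_window = request_window  # seconds a request stays "fresh"

    def observe(self, pkt):
        """Feed one packet; return a list of alert strings (empty if benign)."""
        alerts = []
        if pkt.op == "request":
            self.pending[pkt.target_ip] = pkt.ts
            return alerts

        # A reply nobody asked for recently is how an attacker overwrites a
        # cache without waiting for computer A to broadcast a request.
        asked = self.pending.get(pkt.sender_ip)
        if asked is None or pkt.ts - asked > self.request_window:
            alerts.append(f"unsolicited reply: {pkt.sender_ip} is-at {pkt.sender_mac}")

        # The binding for an IP changed: computer X now answers for computer B.
        # A replaced network adapter looks the same, so confirm before acting.
        known = self.bindings.get(pkt.sender_ip)
        if known is not None and known != pkt.sender_mac:
            alerts.append(f"binding change: {pkt.sender_ip} was {known}, "
                          f"now {pkt.sender_mac}")
        self.bindings[pkt.sender_ip] = pkt.sender_mac

        # One MAC claiming many IPs is the signature of a host impersonating
        # several peers (or the gateway) at once.
        claimed = self.ips_by_mac[pkt.sender_mac]
        claimed.add(pkt.sender_ip)
        if len(claimed) > self.max_ips_per_mac:
            alerts.append(f"{pkt.sender_mac} now claims {len(claimed)} addresses")
        return alerts


def scan(packets, **kwargs):
    """Run a fresh watcher over a packet sequence and collect all alerts."""
    watcher = ArpWatcher(**kwargs)
    alerts = []
    for pkt in packets:
        alerts.extend(watcher.observe(pkt))
    return alerts


# Constructed capture. A = 10.0.0.10, B = 10.0.0.20, X = 10.0.0.99 (the attacker).
A_MAC, B_MAC, X_MAC = "00:00:5e:00:53:0a", "00:00:5e:00:53:14", "00:00:5e:00:53:63"
SAMPLE_CAPTURE = [
    ArpPacket(0.00, "request", "10.0.0.10", A_MAC, "10.0.0.20"),   # A asks for B
    ArpPacket(0.01, "reply", "10.0.0.20", B_MAC, "10.0.0.10"),     # B answers
    ArpPacket(5.00, "reply", "10.0.0.20", X_MAC, "10.0.0.10"),     # X claims B's IP
    ArpPacket(5.10, "reply", "10.0.0.1", X_MAC, "10.0.0.10"),      # X claims the gateway
    ArpPacket(5.20, "reply", "10.0.0.30", X_MAC, "10.0.0.10"),
    ArpPacket(5.30, "reply", "10.0.0.40", X_MAC, "10.0.0.10"),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_CAPTURE):
        print(line)
```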

Additional Threats to the Network Layer


Network layer. Attackers can:
- Get an IP address through DHCP
- Spoof IP addresses
- Plant sniffing devices on routers
- Launch denial-of-service attacks against routers
- Spoof the routing protocol to insert bad routes into neighboring routers
- Spoof ICMP diagnostic messages

Key points

Routers are vulnerable like any other network devices. But because they are complex, they are even more prone to misconfiguration than hubs. Many routers can be configured with access control lists or filters to determine what traffic is allowed to be forwarded. If these filters are misconfigured, they will not provide the intended security. There are additional threats and vulnerabilities that are specific to the network layer. Attackers can:

- Get an IP address through DHCP. DHCP was designed to make IP address administration easier, but it was not designed for security. Anyone who can get physical access to a network port can get an IP address; there is no authentication. If you are logging network activity, DHCP-assigned addresses can change frequently enough that you will not be able to trace activity back to a specific client. Although it is theoretically possible to manage these issues by setting up reservations, doing so makes DHCP less dynamic and poses significant administrative challenges.

- Spoof IP addresses. Like MAC addresses, IP addresses can be altered by attackers.

- Plant sniffing devices on routers. If a sniffing device is implanted on a router, it can capture all the traffic that flows through it.

- Launch denial-of-service attacks against routers. Routers are vulnerable to this type of attack because they process large numbers of packets as they move between networks. Routers can be a single point of failure unless redundancy, in the form of multiple routers, has been designed into the network.

- Spoof the routing protocol to insert bad routes into neighboring routers. This is called routing table poisoning. Routing protocols are used when two or more routers need to share routing tables. They provide a way to dynamically update the network in response to a router's failure, but they can also be a security vulnerability. RIPv1 has no authentication mechanism, so it would be easy for an attacker to spoof the routing protocol and insert bad routes into a neighbor's route table. RIPv2 can set passwords that routers must use when updating routes, but because the passwords are sent in clear text, they are vulnerable to sniffing. If a router receives bad routing table entries, it attempts to pass them to other routers via the dynamic routing protocols. Bad routing instructions can cause entire segments of the network to be unreachable.

- Spoof ICMP diagnostic messages. ICMP was developed to be a helpful diagnostic tool for the TCP/IP protocol, but attackers have taken advantage of it. The diagnostic messages from ICMP are easy to spoof, and an attacker can cause a system to shut down by sending a bogus ICMP source quench, for example, or by forcing ICMP to redirect traffic. Here are two examples of this type of attack:

  Ping of Death. Discovered a few years ago, this attack involves an attacker sending a larger ping packet than permitted by the protocol specifications. The large packet was segmented as it passed through routers, but when it reached its destination and was reassembled, it often caused the receiving system to freeze. Most ICMP implementations are now routinely patched against this exploit.

  Smurfing. In this attack, an attacker spoofs ICMP ping packets to cause a large number of ping reply packets to be sent to a target computer. This DoS attack is often called smurfing in reference to a cartoon that involved an overwhelming number of small creatures.

  Many other DoS attacks can be carried out by using ping packets, so very secure networks may not allow ping packets at all. This makes diagnosing legitimate traffic more difficult.
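Rather than blocking ping outright, a network can watch for the two ICMP abuses just described: a reply flood aimed at a host that never sent requests (smurfing) and redirects that do not originate from a known gateway. The detection logic below is an added example, not course material, run over constructed flow records; the address ranges, thresholds and gateway list are assumptions.

```python
"""
Detection logic for the ICMP abuse described in the lesson, run over
sample flow records:
  * smurf: many echo replies (type 0) converging on a host that sent no
    matching echo requests (type 8);
  * spoofed redirects (type 5) that do not come from an authorized gateway.

Added example, not from the course. Flow records and addresses below are
constructed; 203.0.113.0/24 and 10.0.0.0/24 are used as illustrative ranges.
"""
from collections import defaultdict

# ICMP message types referenced in the lesson (RFC 792 values).
ECHO_REPLY, SOURCE_QUENCH, REDIRECT, ECHO_REQUEST = 0, 4, 5, 8


def detect_smurf(flows, min_sources=10, max_request_ratio=0.1):
    """Return {victim_ip: number_of_distinct_reply_sources}.

    flows: iterable of (timestamp, src_ip, dst_ip, icmp_type).
    A host is reported when at least min_sources distinct hosts send it echo
    replies while it sent far fewer echo requests than that: a real ping
    sweep produces roughly one request per reply, a smurf produces none.
    """
    reply_sources = defaultdict(set)    # dst -> hosts that sent it echo replies
    requests_sent = defaultdict(int)    # src -> echo requests it originated
    for _ts, src, dst, itype in flows:
        if itype == ECHO_REPLY:
            reply_sources[dst].add(src)
        elif itype == ECHO_REQUEST:
            requests_sent[src] += 1

    victims = {}
    for dst, sources in reply_sources.items():
        if (len(sources) >= min_sources
                and requests_sent[dst] <= max_request_ratio * len(sources)):
            victims[dst] = len(sources)
    return victims


def detect_bogus_redirects(flows, gateways):
    """Return (timestamp, src, dst) for every ICMP redirect whose source is
    not one of the routers allowed to redirect hosts on this segment."""
    return [(ts, src, dst) for ts, src, dst, itype in flows
            if itype == REDIRECT and src not in gateways]


# Constructed sample capture.
SAMPLE_FLOWS = []
# 20 hosts on 203.0.113.0/24 all answer a ping that 10.0.0.50 never sent:
# the reflected replies of a smurf whose spoofed source was 10.0.0.50.
SAMPLE_FLOWS += [(1.0 + i / 1000, f"203.0.113.{i}", "10.0.0.50", ECHO_REPLY)
                 for i in range(1, 21)]
# A normal ping exchange between 10.0.0.7 and the gateway 10.0.0.1.
SAMPLE_FLOWS += [(2.000, "10.0.0.7", "10.0.0.1", ECHO_REQUEST),
                 (2.001, "10.0.0.1", "10.0.0.7", ECHO_REPLY)]
# Two redirects: one from the real gateway, one from a workstation.
SAMPLE_FLOWS += [(3.0, "10.0.0.1", "10.0.0.7", REDIRECT),
                 (3.1, "10.0.0.99", "10.0.0.7", REDIRECT)]
KNOWN_GATEWAYS = {"10.0.0.1"}

if __name__ == "__main__":
    print("smurf victims:", detect_smurf(SAMPLE_FLOWS))
    print("bogus redirects:", detect_bogus_redirects(SAMPLE_FLOWS, KNOWN_GATEWAYS))
```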

Additional reading

For information about how Internet routers were allegedly bugged with sniffers, read At Large: The Strange Case of the World's Biggest Internet Invasion by David H. Freedman and Charles C. Mann, published by Simon & Schuster. For more examples of ICMP vulnerabilities, see the following advisories:

- Cisco Security Advisory: ICMP Unreachable Vulnerability in Cisco 12000 Series Internet Router at http://www.cisco.com/warp/public/707/GSRunreachables-pub.shtml
- CERT Advisory CA-1996-26 Denial-of-Service Attack via ping at http://www.cert.org/advisories/CA-1996-26.html
- CERT Advisory CA-1998-01 Smurf IP Denial-of-Service Attacks at http://www.cert.org/advisories/CA-1998-01.html

Threats to Telecom Services


Targets and threats:

PBX telephone system. Attackers can:
- Steal telephone services
- Take over administrative capabilities of the device
- Take devices out of service
- Eavesdrop on data

Voicemail system. Attackers can:
- Run scripts that guess voicemail passwords
- Manipulate users to get their passwords

Devices to handle telecom switching and voicemail are routinely attached to the data network. Attackers also pose threats to these telecom services.

PBX telephone systems

A private branch exchange is a device that switches telephone calls within an organization's phone system while allowing callers to share a few outside lines. PBX telephone systems have many of the same vulnerabilities as routers, hubs, and switches. However, they can have complex configurations that make them more vulnerable to attacks than simple network devices. In addition, because PBX devices and ports are often managed by vendors, there is greater exposure to an attack by someone posing as a legitimate vendor employee. Attackers can:

- Steal telephone services
- Take over administrative capabilities of the device
- Take devices out of service
- Eavesdrop on data

Voicemail systems

Voicemail systems are vulnerable to attack because organizations often use known default passwords, openly and insecurely inform users of initial passwords, or do not require their users to change passwords. Users may not be as careful about protecting their passwords and may use weaker passwords than they do for their computers. Users may also be less careful about leaving sensitive information in voicemail than in e-mail. Attackers can attack voicemail systems by running scripts that guess voicemail passwords and by manipulating users into revealing their passwords.

Additional reading

For more information about PBX security, see PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does at http://csrc.nist.gov/publications/nistpubs/800-24/sp800-24pbx.pdf.

Guidelines for Protecting Network Devices


- Separate networks, as feasible
- Determine the vulnerabilities inherent in each of your devices
- Determine how to manage passwords on each device
- Learn how to properly configure each device
- Determine the default configuration of each of your devices and change them appropriately
- Install the latest patches for network devices
- Limit and secure remote management capabilities
- If you use SNMP, perform the necessary procedures to keep your system secure

Key points

Follow these guidelines to protect network devices:

- Separate networks, as feasible. The best way to protect against physical layer attacks is to keep the network physically separate. It is not uncommon to keep confidential information on an entirely separate LAN. As soon as a network has any connection to another network, especially the Internet, vulnerability is increased.

- Determine the vulnerabilities inherent in each of your devices. Sign up with your vendors to receive notification of discovered vulnerabilities. Read security mailing lists and publications to stay aware of new discoveries.

- Determine how to manage passwords on each device. Password management is very device-specific. Some devices may only allow simple passwords that can be easily guessed. Always use the strongest passwords available. If the device comes with a default password, change it immediately. If it comes with a blank password, set one immediately. Change passwords as often as is practical.

- Learn how to properly configure each device. Every network device vendor has a different configuration for their network devices. Determine what must be done for each network device to function securely. Some devices are extremely complex and may require a lot of training to configure properly. Misconfiguration can leave your system vulnerable to serious security breaches.

- Determine the default configuration of each of your devices and change them appropriately. Changing default passwords of devices may not be enough. Your devices may come with other default settings that should be changed. For example, remote management capability may be automatically enabled. Examine your organization's need for remote management, and if you use it, enable it in the most secure manner possible. Make sure that you know what is installed and enabled by default on every device. This will be common knowledge among attackers.

- Install the latest patches for network devices. Like servers and workstations, network devices run an operating system, and like all operating systems, they can be prone to programming errors such as buffer overruns.

- Limit and secure remote management capabilities. Set passwords for remote management. Use the strongest possible passwords. Enable encryption and mutual authentication, if available.

- If you use SNMP, perform the necessary procedures to keep your system secure. SNMP was designed to make managing networks easier by reporting information about network devices. This information can easily be misused by an attacker. To secure your system:
  - Do not use the default public community name.
  - Make sure that SNMP is patched.
  - Block access to SNMP services at the network perimeter.
  - Configure SNMP agent systems to disallow request messages from nonauthorized systems.
  - Segregate SNMP traffic onto a separate management network.
  - Filter traffic as it leaves your network to prevent your network from being used as a source for attacks on other sites.
  - Disable SNMP if you don't need it or don't plan to use it.

Additional reading

For more information about how to protect SNMP, see CERT Details SNMP Security Holes on the Internet Week Web site at http://www.internetweek.com/story/INW20020212S0008.

Practice: Identifying Threats to Network Devices

Matching
Match the attack to the potential target.

Instructions
Match the attack to the potential target. Each attack and each target may be used more than once.

Attack               Target
EM sniffing          Router
Spoofing             Copper cable
Denial of service    ARP cache
Poisoning            IP address
Password attack      PBX
                     MAC address
                     Route table

Assessment: Identifying Threats to Network Devices


This lesson identified threats to network devices and provided guidelines for protecting them.

1. You are working for an organization that requires a highly secure environment. To ensure that data at the physical layer is secure, what would you do? Choose all that apply.
   A. Use fiber-optic cabling
   B. Use UTP cabling
   C. Restrict access to network cables and ports

2. Which of the following are specific threats to a PBX?
   a. An attacker can gain access through the remote administration utilities.
   b. An attacker can access private voicemail through password guessing.
   c. An attacker can spoof the ARP cache by using a network sniffer.

Lesson: Implementing Security for Common Data Transmission


- What Is IPSec?
- How IPSec Secures IP Traffic in Windows 2000
- IPSec Policies
- How IPSec Policies Work Together
- Demonstration: How to Secure Network Traffic Using IPSec
- Guidelines for Using IPSec
- What Is SMB Signing?
- Considerations for Using IPSec and SMB Signing

Introduction
This lesson explains how IPSec and SMB signing are used to secure common data transmission.

Lesson objectives
After completing this lesson, you will be able to:
- Explain what IPSec is
- Describe how IPSec secures IP traffic
- Secure network traffic by using IPSec
- Explain what SMB signing is
- Decide when to use IPSec and SMB signing

What is IPSec?
IPSec is an industry-defined set of standards that verifies, authenticates, and encrypts data at the IP packet level. IPSec is used to provide data security for network transmissions.

Benefits of IPSec:
- Mutual authentication before and during communications
- Confidentiality through encryption of IP traffic
- Integrity of IP traffic by rejecting modified or spoofed traffic
- Prevention against replay attacks

Benefits of IPSec
One of the biggest weaknesses of encryption is that users will not use it if it is cumbersome or time consuming. The biggest benefit of IPSec is that it provides totally transparent encryption for all protocols from OSI model layer 3 and higher. The administrator sets a series of rules called an IPSec policy. These rules contain filters that specify what types of traffic will require encryption, digital signing, or both. Then, every packet that the computer sends will be encrypted or signed according to the policy; the user does not have to know or do anything. Because IPSec is contained inside a standard IP packet, it can travel through a network without requiring special configuration on the devices in between the two hosts. IPSec is an industry standard, so all IPSec implementations that support the RFCs should work together. IPSec provides:

- Mutual authentication before and during communications. To prevent man-in-the-middle or hijacking attacks, IPSec makes both parties positively identify themselves during the communication process.
- Confidentiality through encryption of IP traffic. IPSec has two protocols: Encapsulating Security Payload (ESP), which provides encryption by using one of a few different algorithms, and Authenticated Header (AH), which signs the traffic but does not encrypt it.
- Integrity of IP traffic by rejecting modified or spoofed traffic. Both ESP and AH verify the integrity of all IP traffic. If a packet has been modified, the digital signature will not match, and the packet will be discarded. ESP encrypts the source and destination addresses as part of the payload.
- Prevention against replay attacks. Both ESP and AH use sequence numbers, so any packets captured for later replay would be using numbers out of sequence.
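The following added example (Python; not part of the course materials) models the last two bullets: an AH-style receiver that checks a keyed hash before accepting a packet and tracks sequence numbers in a sliding anti-replay window, so a modified packet and a replayed packet are both discarded. The packet layout, the window size of 32 and the sample traffic are assumptions of the example, not details from the lesson.

```python
"""Added example (not part of the course text): a model of two IPSec
protections, the integrity check that makes a modified packet fail
verification and the per-SA sequence number that exposes a replayed one.

The receiver keeps an anti-replay window of the kind the IPsec RFCs specify.
The packet layout (4-byte sequence number, payload, 96-bit HMAC-MD5 ICV as in
AH with MD5), the window size and the sample traffic are this example's own
assumptions.
"""
import hashlib
import hmac
import struct

WINDOW = 32   # anti-replay window size in packets (assumed; 32 is the RFC minimum)
ICV_LEN = 12  # HMAC-MD5-96 keeps the first 96 bits (12 bytes) of the MAC


class Sender:
    """One end of a Security Association: numbers and authenticates each packet."""

    def __init__(self, key):
        self.key = key
        self.seq = 0

    def protect(self, payload):
        self.seq += 1                      # never reused within this SA
        header = struct.pack("!I", self.seq)
        icv = hmac.new(self.key, header + payload, hashlib.md5).digest()[:ICV_LEN]
        return header + payload + icv


class Receiver:
    """Verifies the ICV first, then applies the sliding anti-replay window."""

    def __init__(self, key):
        self.key = key
        self.highest = 0   # highest sequence number accepted so far
        self.seen = 0      # bit i set: sequence number (highest - i) was accepted

    def accept(self, packet):
        """Return (accepted, reason); replay state changes only for authentic packets."""
        if len(packet) < 4 + ICV_LEN:
            return False, "short"
        header, body, icv = packet[:4], packet[4:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.md5).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return False, "bad-icv"        # modified or forged: discard
        seq = struct.unpack("!I", header)[0]
        if seq > self.highest:
            # Slide the window forward; bits that fall off the left edge are forgotten.
            shift = seq - self.highest
            self.seen = (self.seen << shift) & ((1 << WINDOW) - 1) if shift < WINDOW else 0
            self.seen |= 1
            self.highest = seq
            return True, "ok"
        offset = self.highest - seq
        if offset >= WINDOW:
            return False, "too-old"        # left of the window: treated as a replay
        if self.seen & (1 << offset):
            return False, "replay"         # already accepted once
        self.seen |= 1 << offset           # late but legitimate reordering
        return True, "ok-reordered"


def demo():
    """Constructed traffic: four packets, then a tampered copy and a replay."""
    key = b"constructed-demo-key"          # would come from IKE on a real SA
    tx, rx = Sender(key), Receiver(key)
    pkts = [tx.protect(b"dns query %d" % i) for i in range(1, 5)]
    results = [rx.accept(p)[1] for p in pkts]
    tampered = bytearray(pkts[3])
    tampered[6] ^= 0x01                    # flip one payload bit
    results.append(rx.accept(bytes(tampered))[1])
    results.append(rx.accept(pkts[1])[1])  # capture-and-resend of packet 2
    return results  # ['ok', 'ok', 'ok', 'ok', 'bad-icv', 'replay']
```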

Implementing IPSec

Some operating systems, for example Windows 2000 and later, have support for IPSec built into the operating system. There is a client available for download for Windows 98 and later that provides IPSec support over VPNs. The next lesson, Implementing Security for Remote Access, provides additional information about providing IPSec support over VPNs. Other vendors may implement IPSec as an extra layer between the data link (layer 2) and the network layer (layer 3) of the OSI model. If the clients do not support IPSec in some way, it is also possible to configure a secure IPSec tunnel between two routers; the traffic is not protected end-to-end, but at least the tunnel can provide protection across untrusted networks like the Internet. If IPSec is used between two routers, IPSec can either be built into the router operating system or it can be built into a device attached to a router interface.

Note IPSec is built into IPv6 but is optional in IPv4.

Additional reading
For more information about IPSec, see the following documents:
- Microsoft Knowledge Base article Q231585, "Overview of Secure IP Communication with IPSec in Windows 2000," in the Microsoft Knowledge Base at http://support.microsoft.com/default.aspx?scid=fh;EN-US;KBHOWTO.
- "Step-by-Step Guide to Internet Protocol Security (IPSec)" on the TechNet page of the Microsoft Web site at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/howto/ispstep.asp.

Both ESP and AH can ensure data integrity. For more information about why AH is included even though it seems redundant, see "Los Angeles IETF (March/April 1998) IPSEC Working Group Meeting Minutes" at http://web.mit.edu/tytso/www/ipsec/los_angeles/. The section "Whither AH?" provides interesting insight into the RFC working groups.

How IPSec Secures Traffic in Windows 2000


Slide diagram: (1) an IPSec policy, from Active Directory or local policy, is delivered to the IPSec driver on each host; (2) the two hosts negotiate a Security Association (ISAKMP); (3) encrypted IP packets flow between the TCP layer and IPSec driver of each host.

Key points

IPSec configuration is set through either local policy or Active Directory group policy:

1. IPSec policies are delivered to all targeted computers. The policy tells the IPSec driver how to behave and defines what sort of Security Association (SA) can be established. SAs govern what encryption protocols will be used for what types of traffic and what authentication method will be negotiated.
2. The SA is negotiated. The Internet Key Exchange (IKE) module negotiates the SA. IKE is a combination of two protocols: the Internet Security Association and Key Management Protocol (ISAKMP) and the Oakley Key Determination Protocol. If one client requires certificates for authentication and the other client requires Kerberos, IKE will not be able to establish an SA between these two computers. If you look at the packets in Network Monitor, you will see ISAKMP packets going by, but you will not see any subsequent AH or ESP packets. IKE also negotiates rekeying during the session if it is required.
3. IP packets are encrypted. After the SA has been established, the IPSec driver monitors all IP traffic, compares traffic to the defined filters, and if directed to, it either encrypts or signs the traffic.

Additional reading

For more information about the IPSec process, see the "The IPSec process" topic in the Windows XP Help documentation on the Microsoft Web site at http://www.microsoft.com/windowsxp/home/using/productdoc/en/default.asp?url=/windowsxp/home/using/productdoc/en/sag_IPSec_Und17.asp. For information about SAs, see "IPSec Architecture" on the TechNet page of the Microsoft Web site at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/network/ipsecarc.asp. This topic, written by Naganand Doraswamy and Dan Harkins, is from Chapter 4 of IPSec: The New Security Standard for the Internet, Intranets and Virtual Private Networks, published by Prentice Hall PTR.

For more information about IKE, see the "Understanding IKE Negotiation (Advanced Users)" section of the "Step-by-Step Guide to Internet Protocol Security (IPSec)" on the TechNet page of the Microsoft Web site at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/howto/ispstep.asp. For more information about the IPSec driver, see the "IPSec driver" topic in the Windows XP Help documentation on the Microsoft Web site at http://www.microsoft.com/windowsxp/home/using/productdoc/en/default.asp?url=/windowsxp/home/using/productdoc/en/sag_IPSec_Und16.asp.

IPSec Policies
IPSec uses policies and rules to secure network traffic.
Rules are composed of:
- Filters
- Filter actions
- An authentication method
- Either Tunnel or Transport mode
- What connection type the rule applies to
Default policies include:
- Client (Respond Only)
- Server (Request Security)
- Secure Server (Require Security)

Key points
You implement IPSec by setting a policy. Each policy can contain several different rules, but only a single policy can be assigned at any one time on any computer. You must combine all desired rules into a single policy. Each rule is composed of:

- A filter, which tells the policy what type of traffic to match. For example, you can have a filter that only matches HTTP traffic or FTP traffic.
- A filter action, which tells the policy what to do if the traffic matches. For example, you can tell IPSec to block all FTP traffic but require encryption for all HTTP traffic. The filter action can also specify which hashing and encryption algorithms the policy should use.
- An authentication method. There are three possible authentication methods: Kerberos, certificates, and a preshared key. Each rule can specify multiple authentication methods. Both computers establishing an SA must have at least one authentication method in common.
- Whether the rule applies to tunnel or transport mode. Tunnel mode is usually used between routers, and transport mode is used for hosts that need end-to-end security.
- What connection type the rule applies to. The rule can specify only LAN traffic, only remote access traffic, or all traffic.

In Windows 2000 and later, there are three policies configured by default:

- Client (Respond Only). This name means that if a computer asks the client to use IPSec, it will respond with IPSec. The Client (Respond Only) policy will never initiate IPSec on its own. This policy has one rule, called the Default Response rule. This rule allows the host to respond to a request for ESP as long as both hosts are in trusted Active Directory domains.
- Server (Request Security). This can be used on both servers and clients. This policy will always try to use IPSec but can fall back to unsecured communications if a client is not configured with an IPSec policy. This policy has three rules, one of which is the same Default Response rule described in the previous bullet. The second rule says to permit ICMP traffic. This is usually desirable because ICMP is a handy diagnostic tool, but you might want to disable it in a highly secure network because there are several known attacks against ICMP. The third rule says to request ESP for all IP traffic.
- Secure Server (Require Security). This can also be used on both clients and servers. If this policy is assigned, the computer can only communicate over IPSec and will never fall back to unsecured communications. This policy also has three rules. The first two, the Default Response rule and the Permit ICMP rule, are the same as described in the previous bullets. The difference in the Secure Server (Require Security) policy is that all traffic must be encrypted with ESP or the server will not communicate. The Permit ICMP rule overrides the rule to require security for all other IP traffic.

Note Even though the rules say all IP traffic, there are some traffic types that are excluded by default: broadcast, multicast, RSVP, IKE, and Kerberos. For more information about traffic that IPSec can secure, see the Microsoft Knowledge Base article Q253169, "Traffic That Can--and Cannot--Be Secured by IPSec," on the Microsoft Web site at http://support.microsoft.com.

Additional reading

For more information about the default IPSec policies, see the "Configuring Local IPSec Policies" topic on the TechNet page of the Microsoft Web site at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/reskit/prcc_tcp_bhzb.asp.

How IPSec Policies Work Together


                                   No policy assigned       Client (Respond Only)   Server (Request Security)   Secure Server (Require Security)
No policy assigned                 No IPSec                 No IPSec                No IPSec                    No communication at all
Client (Respond Only)              No IPSec                 No IPSec                IPSec                       IPSec
Server (Request Security)          No IPSec                 IPSec                   IPSec                       IPSec
Secure Server (Require Security)   No communication at all  IPSec                   IPSec                       IPSec

Key points
Never consider policies individually. Both computers that are negotiating an SA must find common ground in their policies. The table on the slide shows what happens when default policies work with each other. If two hosts can negotiate a compatible SA, then communication occurs using IPSec. If the two hosts have incompatible policies, they may fall back to unsecured communications or not be able to communicate at all. The table only applies to the default policies with the default rules. If you add a rule that says computer A requests ESP for HTTP and computer B requires AH for HTTP, then they will not be able to negotiate an SA. Kerberos authentication is the default for all three default policies. This works for computers in the same Active Directory forest, but if a computer is not a member of the forest, authentication cannot be negotiated. Also, if computer B is modified to use only certificates for authentication for all IP traffic, no SA will be established. It is possible to change computer B to require either Kerberos or certificates. As long as one authentication method matches, authentication can occur. The default policies are provided as examples. If you set the Secure Server policy, then that computer will not be able to communicate with any computer that does not have IPSec enabled. This means that if it needs to do a DNS lookup to a DNS server without IPSec, the request will fail. If it needs to access a server running SQL Server without IPSec, the operation will fail. Alternatively, if you set the Server (Request Security) policy, the computer will fall back to unsecured communications with any computer that does not have a policy in place. Actual IPSec policies should be designed so that they secure the traffic that needs to be secured while allowing basic communication to occur.
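As an added illustration (Python; not from the course materials), the following model applies the negotiation rules above to the four default policies and to the modified-policy cases in the key points. The Policy class, the function names and the treatment of a failed negotiation as blocked traffic are the example's own assumptions.

```python
"""Added example (not part of the course): a small model of how two Windows
2000 IPSec policies negotiate, reproducing the slide's default-policy table
and the key points about mismatched protocols and authentication methods.

The Policy representation and the function names are this example's own.
One simplification is marked in the code: a negotiation that runs but fails
(no common protocol or authentication method) is treated as blocked traffic
for requesting as well as requiring peers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                                  # "respond", "request" or "require"
    protocol: str = "ESP"                        # protocol this rule negotiates
    auth: frozenset = frozenset({"kerberos"})    # Kerberos is the default method


NO_POLICY = None  # host with no IPSec policy assigned: it never answers IKE
CLIENT = Policy("Client (Respond Only)", "respond")
SERVER = Policy("Server (Request Security)", "request")
SECURE_SERVER = Policy("Secure Server (Require Security)", "require")


def negotiate(a, b):
    """Return 'No IPSec', 'IPSec' or 'No communication' for traffic between a and b."""
    initiators = [p for p in (a, b) if p is not None and p.action in ("request", "require")]
    if not initiators:
        # Neither side asks for security: respond-only or unconfigured peers use clear text.
        return "No IPSec"
    required = any(p.action == "require" for p in initiators)
    if a is None or b is None:
        # No answer to IKE: a requesting peer falls back to clear text,
        # a requiring peer refuses to communicate at all.
        return "No communication" if required else "No IPSec"
    # Both hosts have a policy, so IKE runs and the proposals must match.
    if a.protocol != b.protocol or not (a.auth & b.auth):
        # Simplification: a failed negotiation blocks this traffic, whether the
        # peers requested or required security.
        return "No communication"
    return "IPSec"


def default_policy_table():
    """Rebuild the slide's matrix; rows and columns use the same policy order."""
    order = [NO_POLICY, CLIENT, SERVER, SECURE_SERVER]
    return [[negotiate(row, col) for col in order] for row in order]


def custom_cases():
    """The three modified-policy scenarios from the key points above."""
    a_esp = Policy("A: request ESP for HTTP", "request", "ESP")
    b_ah = Policy("B: require AH for HTTP", "require", "AH")
    b_cert = Policy("B: certificates only", "require", "ESP", frozenset({"certificate"}))
    b_either = Policy("B: Kerberos or certificates", "require", "ESP",
                      frozenset({"kerberos", "certificate"}))
    return {
        "request ESP vs require AH": negotiate(a_esp, b_ah),
        "Kerberos vs certificates only": negotiate(SERVER, b_cert),
        "Kerberos vs Kerberos-or-certificates": negotiate(SERVER, b_either),
    }
```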

Demonstration: Securing Network Traffic Using IPSec

In this demonstration, you will see the instructor create a policy and a rule to secure network traffic.

Instructions
In this demonstration, you will see the instructor import a policy. You will then discuss its composition as a class. After the instructor demonstrates the components (filter, action, policy), he or she will display a capture in Network Monitor that shows the policy in action.

Note Some of these sections are designated as optional. They may be demonstrated if time permits and if the level of student interest warrants it.

Importing a policy into IPSec


1. Log on as Administrator with a password of P@ssw0rd.
2. On the Administrative Tools menu, click Local Security Policy.
3. In Local Security Settings, in the console tree, click IP Security Policies on Local Machine. A list of default policies appears in the details pane.
4. Right-click IP Security Policies on Local Machine, point to All Tasks, and then click Import Policies.
5. Navigate to C:\MOC\2810\Demos\Module10, click 2810demo.ipsec, and then click Open. Four policies appear in the details pane.

Managing filter lists and filter actions (Optional)

1. Right-click IP Security Policies on Local Machine, and then click Manage IP filter lists and filter actions. The Manage IP filter lists and filter actions dialog box appears.
2. Point out that, by default, there are only two IP filters in IPSec, and that the All DNS traffic filter was added during the import.
3. Click All DNS traffic, and then click Edit. Note that there are two lines at the bottom of the screen that define the filter, one for TCP with a Source Port of ANY and a Destination Port of 53, and another one for UDP with a Source Port of ANY and a Destination Port of 53.
4. Double-click the TCP protocol to edit it. The Filter Properties dialog box appears.
5. View the Addressing tab. Note that the Source address is My IP Address and the Destination address is Any IP Address. Note that Mirrored is selected, which indicates that packets with the exact opposite source and destination are also considered a match.
6. View the Protocol tab. Note that the protocol is TCP and that the protocol number, 6, is unavailable. This is where From any port To port 53 is selected. The Description tab is blank.
7. Click Cancel.
8. Review the UDP filter in the same way and, when finished, click Cancel.
9. In the Manage IP filter lists and filter actions dialog box, click the Manage Filter Actions tab. Note that there are five filter actions displayed. Permit, Request Security (Optional), and Require Security are the default filter actions. Request Digital Signing and Require Digital Signing were added during the import.
10. Double-click Request Digital Signing. The Request Digital Signing Properties dialog box appears. Notice that at the top of the box you have choices for Permit, Block, or Negotiate security, and that Negotiate security is selected. The Security Method Type is Medium, which corresponds to Authenticated Header. The AH Integrity is using the MD5 hash. ESP Confidentiality and ESP Integrity are both set to <None> because these packets will only be signed, not encrypted. At the bottom of the dialog box there are three check boxes. Accept unsecured communication but always respond using IPSec is selected. Allow unsecured communication with non-IPSec-aware computer is selected. This is why the filter action is called request security instead of require security. The option for Session key Perfect Forward Secrecy is not selected. Enabling PFS ensures that a key used to protect a transmission, in whichever phase, cannot be used to generate any additional keys. In addition, the keying material for that key cannot be used to generate any new keys. Master key PFS should be used with caution because it requires reauthentication. This may cause additional overhead for any domain controllers in your network. It is not required to be enabled on both peers. You could also edit the Security Method and show the different algorithm choices, but unless the class is really absorbing everything else, this may lose them entirely.
11. Click Cancel to close the Request Digital Signing Properties dialog box.
12. Double-click Require Digital Signing. Notice that the only difference between the request action and the require action is that the require action does not select Allow unsecured communication with non-IPSec-aware computer.
13. Click Cancel, and then click Close to return to the main Local Security Settings window.
Examining an existing policy (Optional)

1. Double-click Request IP security, permit signed DNS. The Request IP security, permit signed DNS Properties dialog box appears. Note that a policy consists of IP Security Rules. You can have as many rules in a policy as you want, but only one policy can be active at any time. An IP Security Rule consists of five parts: a filter, a filter action, an authentication method, a mode, and a connection type. There are four listings in the IP Security Rules. All IP Traffic, All ICMP Traffic, and All DNS traffic are selected. <Dynamic> is not selected.
2. Click Cancel.

Creating a new policy

You will now create a new policy that requires IP security, requires signed DNS, and permits ICMP.

1. Right-click IP Security Policies on Local Machine, and then click Create IP Security Policy. The IP Security Policy Wizard appears.
2. Click Next to continue.
3. On the IP Security Policy Name page, in the Name box, type Require IP Security, Permit Signed DNS.
4. In the Description box, type For all IP traffic, require security using Kerberos trust. Do NOT allow unsecured communication with untrusted clients. Permit ICMP. Require signed DNS, and then click Next.
5. On the Requests for Secure Communication page, clear the Activate the default response rule check box, and then click Next.
6. On the Completing the IP Security Policy Wizard page, verify that the Edit properties check box is selected, and then click Finish. The Require IP Security, Permit Signed DNS Properties dialog box appears.
7. Click Add. The Security Rule Wizard appears.
8. Click Next.
9. On the Tunnel Endpoint page, click Next to accept the default of no tunnel.
10. On the Network Type page, click Next to accept the default of All network connections.
11. On the Authentication Method page, click Next to accept the default of Windows 2000 default (Kerberos V5 protocol).
12. In the IP Filter list, select All DNS traffic, and then click Next. Note that you could click Add to create a new filter from this page if you wanted to.
13. On the Filter Action page, select Require Digital Signing, and then click Next. Note that you can also create a new filter action from this page.
14. On the Completing the New Rule Wizard page, click Finish.
15. Repeat steps 7 through 14 to create two more IP Security Rules with the following parameters:
    - No tunnel, All network connections, Windows 2000 default (Kerberos V5 protocol) authentication, All ICMP Traffic, Permit.
    - No tunnel, All network connections, Windows 2000 default (Kerberos V5 protocol) authentication, All IP Traffic, Require Security.
16. Click Close.

Testing the new policy (Optional)

1. In the details pane, right-click Require IP security, permit signed DNS, and then click Assign.
2. Instruct students to attempt to do two things: ping London by IP address, and perform an NSLookup of their partner computer. The ping should succeed. If they attempt to ping London by name, that will fail because all DNS traffic is required to be signed. The NSLookup will also fail because London is the DNS server and it will not respond without signed DNS packets.
3. In the details pane, right-click Require IP security, permit signed DNS, and then click Un-assign.
4. Instruct students to attempt the actions again. Each action should succeed because the policy is no longer enforced.

Examining a Network Monitor capture of IPSec network activity

1. On the Administrative Tools menu, click Network Monitor. If prompted, choose a network adapter.
2. Click File, click Open, locate C:\MOC\2810\Demos\Module10\ipsecdemo.cap, and then click Open. The summary window appears on the screen. Packets 1 through 12 are of protocol type ISAKMP. This indicates that London and the local computer are negotiating the key exchange. Packets 13 through 14 are DNS queries for _ldap records. This indicates that Vancouver is trying to access Active Directory records in DNS. Packets 21 and 23 are of protocol type ICMP, which is allowed by the policy. Notice there are several ESP packets in a row when a file was transferred from London to Vancouver. There is a short sequence of ISAKMP in frames 283 through 288 because a new security association has to be negotiated for the authenticated header traffic. Frame 289 shows the first DNS traffic.
3. Double-click frame 289 to examine the DNS traffic. Notice that in the middle pane, after the IP section but before the UDP section, there is a section called AH, for authenticated header. This shows that the require signed DNS rule is working between Vancouver and London.

Examining non-encrypted network activity in Network Monitor (Optional)

1. Open C:\MOC\2810\Demos\Module10\noipsecdemo.cap to demonstrate the same network activity but with no IPSec enabled.
This might be useful if you have students who are not familiar with Network Monitor. At the end of the demonstration, ensure that all policies are unassigned and that all windows are closed.

Guidelines for Using IPSec


Because IPSec increases processor use and IP traffic:
- Enable IPSec on only those computers that require access to sensitive data
- Reduce the number of filter entries
- Consider offloading encryption functions
Do not use pre-shared keys for anything other than test purposes
Do not expect all traffic to be protected
Do not expect IPSec to protect against attacks at layers 1 or 2
Use a reasonable key length
Be aware of the limitations of IPSec with NAT

Key points
Follow these guidelines for using IPSec:

- Because IPSec increases processor use and the packet size of IP traffic:
  - Enable IPSec on only those computers that require access to sensitive data.
  - Reduce the number of filter entries in each policy. This makes processing more efficient.
  - Consider offloading encryption functions. If you have a network adapter capable of processing encryption, offload encryption functions to the network adapter.
- Do not use pre-shared keys for anything other than test purposes. The preshared key is stored in the policy and could be retrieved by an attacker.
- Do not expect all traffic to be protected. By default, IPSec filters in Windows 2000 do not protect broadcast, multicast, RSVP, IKE, or Kerberos traffic.
- Do not expect IPSec to protect against attacks at layers 1 or 2. Even if you have IPSec, you are still vulnerable to attacks like ARP cache poisoning.
- Use a reasonable key length. The longer the key length, the more secure the packets are. If you do not use a strong enough key, it is possible for an attacker to sniff enough packets to attempt to break your key. However, longer key lengths reduce performance. Consider the security needs for the data and protocols that you will be transmitting.
- Be aware of the limitations of IPSec with NAT. Network address translation works by mapping multiple internal private IP addresses to one or more external public IP addresses. If the packet is protected with IPSec, this becomes problematic. For example, TCP and UDP headers contain a checksum that incorporates the values of the source and destination IP addresses and port numbers. When a NAT changes the IP address and/or the port number of a packet, it normally updates the TCP or UDP checksum. When the TCP or UDP checksum is encrypted with ESP, it cannot be updated. Because the addresses or ports have been changed by the NAT, the checksum verification fails at the destination. There are several proposed changes to the IPSec standard to resolve this NAT traversal issue.

Additional reading

- For more information on NAT traversal, see "The Cable Guy - August 2002: IPSec NAT Traversal Overview" on the TechNet page of the Microsoft Web site at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/cableguy/cg0802.asp.
- Microsoft Knowledge Base article Q253169, "Traffic That Can--and Cannot--Be Secured by IPSec," on the Microsoft Web site at http://support.microsoft.com.
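An added example (Python; not part of the course) that demonstrates the NAT checksum problem described in the last guideline above: the TCP checksum is computed over a pseudo-header that contains the IP addresses, so a NAT can fix up a translated clear-text segment but cannot touch one carried inside ESP, and the receiver's verification then fails. Addresses, ports and the payload are constructed values.

```python
"""Added example (not part of the course): why NAT breaks ESP-protected TCP.

Computes a TCP checksum as RFC 793 specifies, over a pseudo-header that
includes the source and destination IP addresses, then shows that a NAT can
fix up the checksum of a clear-text segment but cannot touch one whose TCP
header is ESP ciphertext, so the receiver's check fails. Addresses, ports
and the HTTP payload are constructed sample values.
"""
import ipaddress
import struct


def ones_complement_sum(data):
    """Fold 16-bit words into a one's complement sum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip, dst_ip, tcp_length):
    """The IP fields TCP mixes into its checksum: addresses, protocol 6, length."""
    return (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, 6, tcp_length))


def tcp_checksum(src_ip, dst_ip, segment):
    """Checksum for a segment whose own checksum field is zero."""
    return 0xFFFF - ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment)


def checksum_ok(src_ip, dst_ip, segment):
    """Receiver-side check: the sum over pseudo-header and segment must be all ones."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


def build_segment(src_ip, dst_ip, src_port, dst_port, payload):
    """Minimal 20-byte TCP header (PSH/ACK, fixed seq/ack) with a valid checksum."""
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 1000, 0, 5 << 4, 0x18, 65535, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload


def nat_rewrite(new_src_ip, dst_ip, segment, encrypted):
    """Translate the source address to new_src_ip.

    In the clear, the NAT recomputes the TCP checksum for the new address.
    Under ESP the TCP header is ciphertext, so the NAT has to leave it as is.
    """
    if encrypted:
        return segment
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    csum = tcp_checksum(new_src_ip, dst_ip, zeroed)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def demo():
    """An inside host behind a NAT talks to a server; compare clear and ESP cases."""
    inside, public, server = "10.0.0.5", "203.0.113.7", "198.51.100.10"
    seg = build_segment(inside, server, 40000, 80, b"GET / HTTP/1.0\r\n\r\n")
    clear = nat_rewrite(public, server, seg, encrypted=False)
    esp = nat_rewrite(public, server, seg, encrypted=True)
    return {
        "before_nat": checksum_ok(inside, server, seg),          # True
        "clear_after_nat": checksum_ok(public, server, clear),   # True: NAT fixed it up
        "esp_after_nat": checksum_ok(public, server, esp),       # False: stale checksum
    }
```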

What Is SMB Signing?


Term           Description
SMB            A protocol that provides a method for client applications in a computer to read and write to files on, and to request services from, server programs in a computer network.
SMB signing    A method of digital signing that uses a keyed hash to protect the integrity of each SMB packet. SMB signing adds security against man-in-the-middle attacks and TCP/IP session hijacking.

Key points

SMB does not provide encryption. You can configure SMB signing in two ways: enabled and required:

Enabled means that if a client system also has SMB signing enabled, SMB signing is used as the preferred communication method.
Required means that all clients must use SMB signing to communicate with the system.

Enabled and required are the terms used prior to Windows 2000. Windows 2000 uses slightly different wording, digitally sign communications 1) if client/server agrees or 2) always, but the effect is the same. SMB signing in Windows 2000 is configured by using either Group Policy or the security options of the local security policy. For Windows NT 4.0, Service Pack 3 (SP3), and for Windows 98, SMB signing is enabled by a registry modification.

Additional reading

For more information about SMB signing, see:

The Microsoft Knowledge Base article, Q230545, How to Enable SMB Signing in Windows 98, on the Microsoft Web site at http://support.microsoft.com.
The Microsoft Knowledge Base article, Q161372, How to Enable SMB Signing in Windows NT, on the Microsoft Web site at http://support.microsoft.com.
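Two things in the description above are worth seeing concretely: how the enabled/required settings on each side decide whether a session is signed, and how a keyed hash over each packet lets the receiver notice tampering or replay. The block below is an added illustration, not the course's or Windows' own code. It uses HMAC-SHA256 over a sequence number and the message body as a stand-in for the real SMB signing algorithm (an assumption made for clarity; the Windows implementation uses a different construction), and the session key and packet contents are constructed sample values.

```python
"""SMB signing negotiation and per-packet keyed-hash integrity: added example."""
import hashlib
import hmac
from dataclasses import dataclass

DISABLED, ENABLED, REQUIRED = "disabled", "enabled", "required"


def negotiate_signing(client: str, server: str):
    """Return (session_allowed, session_signed).
    'required' on either side forces signing and refuses a peer that has it disabled;
    'enabled' signs only when the peer is enabled or required; otherwise unsigned."""
    if REQUIRED in (client, server):
        if DISABLED in (client, server):
            return False, False
        return True, True
    if client == ENABLED and server == ENABLED:
        return True, True
    return True, False


@dataclass
class SignedPacket:
    seq: int            # per-session sequence number, defeats replay
    body: bytes
    signature: bytes    # truncated keyed hash over seq + body


def sign_packet(session_key: bytes, seq: int, body: bytes) -> SignedPacket:
    """Sender side: keyed hash bound to the session key and sequence number (simplified)."""
    mac = hmac.new(session_key, seq.to_bytes(4, "big") + body, hashlib.sha256).digest()[:8]
    return SignedPacket(seq, body, mac)


def verify_packet(session_key: bytes, pkt: SignedPacket, expected_seq: int) -> bool:
    """Receiver side: reject out-of-sequence (replayed) packets and any body change."""
    if pkt.seq != expected_seq:
        return False
    mac = hmac.new(session_key, pkt.seq.to_bytes(4, "big") + pkt.body, hashlib.sha256).digest()[:8]
    return hmac.compare_digest(mac, pkt.signature)


def demo():
    """Returns (genuine verifies, tampered verifies, replayed verifies)."""
    key = b"constructed-session-key"                      # sample value
    pkt = sign_packet(key, 1, b"SMB_COM_WRITE share\\file.txt payload")
    good = verify_packet(key, pkt, 1)
    # A man-in-the-middle changes the target file name but cannot recompute the hash.
    tampered = SignedPacket(pkt.seq, pkt.body.replace(b"file.txt", b"evil.txt"), pkt.signature)
    tampered_ok = verify_packet(key, tampered, 1)
    # The same valid packet presented again when the receiver expects sequence 2.
    replayed_ok = verify_packet(key, pkt, 2)
    return good, tampered_ok, replayed_ok


if __name__ == "__main__":
    print(negotiate_signing(ENABLED, DISABLED), negotiate_signing(REQUIRED, DISABLED))
    print(demo())
```

Note what the example does not do: the body travels in the clear, which is the "SMB does not provide encryption" point; signing protects integrity and origin, not confidentiality.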


Considerations for Using IPSec and SMB Signing


Key points

This table provides important information to consider before you use IPSec or SMB signing.

If you want:                                                         You can use IPSec    You can use SMB signing
Mutual authentication                                                X                    X
Assigned with policies                                               X                    X (b)
Security for Windows 2000 and later                                  X                    X
Security for Windows 98 and later                                    X (a)                X
Defense against replay, man-in-the-middle, active downgrade attacks  X                    X
Protection for protocols                                             All IP packets       SMB packets only
Improved performance by offloading processing                        X
An Internet standard                                                 X
Encryption                                                           With ESP
Request and require modes                                            X                    X

(a) Computers running operating systems earlier than Windows 2000 can only use IPSec for VPN connections.
(b) Assigning with policies only works for computers running Windows 2000. Windows 98 and Windows NT 4.0, SP3 use the registry.


Practice: Implementing Security for Data Transmission

1. Read the scenario.
2. Design a rule to support the requirements.

Instructions

Read the following scenario and then design a rule to support the requirements. Circle or write your answer as appropriate.

Scenario

Your administrators use Telnet to remotely manage a network device that supports IPSec (IP address 192.168.45.12). You want to ensure that all Telnet traffic (TCP port 23) between administrative computers and the network device is guaranteed to be encrypted and digitally signed. The administrator computers are all in the same Active Directory organizational unit, so you will be able to assign one policy that will apply to all administrator workstations, whether they are local or remote administrators. The network device cannot be a member of an Active Directory domain. The network device supports certificates.

Practice

Circle or write your answer for each design consideration.

Wizard options

Specify the tunnel endpoint for the IP Security rule:
    This rule does not specify a tunnel
    The tunnel endpoint is specified by this IP address: _______________

Select the network type:
    All network connections
    Local Area Network (LAN)
    Remote access

Set the initial authentication method for this security rule:
    Kerberos
    Certificates
    Preshared key

IP Filter List

Specify the source address of the IP traffic:
    My IP Address
    Any IP Address
    A specific DNS Name _________
    A specific IP Address _________
    A specific IP Subnet _________

Specify the destination address of the IP traffic:
    My IP Address
    Any IP Address
    A specific DNS Name _________
    A specific IP Address _________
    A specific IP Subnet _________

Select a protocol type (for this question, write in the protocol name; you do not need to write in the protocol number): ___________________________

Set the IP protocol port:
    From any port
    From this port # ________
    To any port
    To this port # ________

Filter Actions

Set the filter action behavior:
    Permit
    Block
    Negotiate security

Do you want to allow communication with computers that do not support IPSec?
    Do not communicate with computers that do not support IPSec
    Fall back to unsecured communication

This filter action requires at least one security method for IP traffic:
    Encryption and Integrity
    Integrity only


Assessment: Implementing Security for Common Data Transmission


This lesson explained how to implement security for common data transmission.

1. You are concerned that your LAN is not secure. You want to prevent anyone from eavesdropping on your network traffic. What option should you use? Choose the correct answer.
    A. SMB signing
    B. IPSec ESP
    C. IPSec AH


Lesson: Implementing Security for Remote Access


What Is Remote Access?
How Remote Node Technologies Work
Threats and Vulnerabilities Introduced by Remote Access
Considerations for Choosing a Tunneling Protocol
Considerations for Choosing a Remote Access Authentication Protocol
How RADIUS Secures Remote Access
Guidelines for Implementing Security for Remote Access

Introduction

This lesson explains the additional threats and vulnerabilities that are introduced if your organization provides remote access to network users. The lesson provides considerations for using tunneling and remote access protocols, shows the process that RADIUS uses to secure remote access, and provides guidelines for securing remote access.

Lesson objectives

After completing this lesson, you will be able to:

Explain what remote access is
Describe how remote technologies work
Describe threats introduced by providing remote access
Choose an authentication protocol
Describe how RADIUS secures remote access
Implement security for remote access


What Is Remote Access?


Remote access is the ability to get access to a computer or a network from a remote location.

Types of remote access:

Remote node: a computer establishes a connection on a remote network by means of a modem for a dial-up connection or an established Internet connection for VPN
Remote control: one computer is a passive host and another computer completely takes over via direct dial, direct cable, or Internet connection
Terminal services: a remote computer has a session with a host computer over a network or Internet connection

Key points

If your organization provides employees with remote access, then you are providing them with the means to get access to a computer or the network from a remote location. There are three types of remote access:

Remote node, in which a computer establishes a connection on a remote network by means of a modem for a dial-up connection or an established Internet connection for VPN. After the connection is established, the employee can work as if he or she is actually on that remote network. The remote access server isn't a passive host; it can be doing other things as well. There is no sign on the monitor, keyboard, or mouse that it is serving a remote connection. All the files and print jobs are sent across the network just like with a normal network connection.

Remote control, in which one computer is a passive host and another computer completely takes over via direct dial, direct cable, or Internet connection. The host is unusable while it is being controlled. The software may lock out the keyboard, mouse, and screen on the host computer or may allow total interaction. The only things sent across the wire are the screen shots, mouse clicks, and key strokes.

Terminal services, in which a remote computer has a session with a host computer over a network or Internet connection. After the connection is established, the remote computer has a session on the host computer. The session can run in a window or in full screen mode on the remote computer. The host can have several remote sessions running at the same time, depending on licensing and performance. Unlike remote control, there is no visible sign on the screen that the host is being controlled. The only things sent across the wire are the screen shots, mouse clicks, and key strokes.

Additional reading

For information about remote access security in Windows XP, see the topic Remote Assistance, Security Concerns in the Windows XP Professional Resource Kit on the TechNet page of the Microsoft Web site at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/reskit/prmb_tol_drft.asp.
For more information about SMS remote control, see the topic Using Remote Control Securely in the Microsoft whitepaper SMS Security Essentials.


How Remote Node Technologies Work


[Slide diagram: two protocol stacks, Dial-up and VPN, each drawn between a Remote User and a Network Server. From top to bottom the layers are Services (Client Service, Server Service), Protocols (TCP/IP, NetBEUI), Adapters (LAN Adapter, Modem, and for VPN also a VPN Driver), and Line Protocols (Point-to-Point Protocol; for VPN, a Tunnel). Steps 1, 2, and 3 are marked on the VPN stack.]

Key points

When you create a dial-up connection, your modem is used like a network adapter. The packets are encapsulated in the Point-to-Point Protocol (PPP) and transmitted through the telephone system instead of being transmitted directly across the wire.

When you make a VPN connection:

1. The data is routed through a VPN driver that functions like a virtual LAN adapter. It does not matter what the transport protocol is, because even NetBEUI would be sent through the VPN adapter and encapsulated into PPP.
2. Next, data is tunneled through one of two protocols. Tunneling means wrapping one protocol inside another. The two common tunneling protocols for VPNs are Layer 2 Tunneling Protocol (L2TP) and Point-to-Point Tunneling Protocol (PPTP).
3. PPTP encrypts the data with Microsoft Point-to-Point Encryption (MPPE). L2TP encrypts the data with IPSec. Then, a standard IP header is placed on the data, and it goes back down to the adapters.

If the host is establishing the VPN over a LAN connection, the packets go over the standard network adapter, as shown on the slide. It is also possible for a user to dial in to an ISP to establish an Internet connection and then connect to the VPN. In that case, the packets would be sent through the modem like standard dial-up traffic but with all the other data inside as the payload.

Note: You could also use a VPN inside an organization's intranet to provide secure connections between computers that have been separated for security reasons. For example, a computer on the payroll network might establish a VPN connection to the main corporate network.


Threats and Vulnerabilities Introduced by Remote Access


Attackers can:

Use war dialers to rapidly find and access modems
Take advantage of the vulnerabilities of home systems, portable devices, and unsecured computers. For example:
    Use a home computer's approved connection for a backdoor attack on a trusted system
    Plant Trojan horses on home computers
    Target home computers on cable modems that are connected to all neighbors on the cable segment
    Steal laptops, handheld devices, and home computers
    Plant keystroke loggers on public computers to capture passwords of employees checking their e-mail via the Web

A remote user represents a doorway into your network. The door allows legitimate users in but can also allow attackers in. Allowing anyone, authorized or unauthorized, access into your network from a remote location creates risk. Your organization has to decide if the benefits (for example, increased worker productivity, better responsiveness from support personnel, employee work/life balance) outweigh these risks.

War dialing

Organizations usually provide remote access over dial-up or VPN connections. If employees are allowed to dial directly in, the organization must maintain a bank of modems. Attackers can use a technique called war dialing to find modems and then access the organization's internal network. War dialing means calling blocks of numbers randomly until a modem answers. If the attacker finds a modem, then he or she may use it to reach another network and make your organization pay for the long-distance call. Attackers also use other people's modems to cover up traces of their own attacks.

Note: Organizations with large modem banks often use a network appliance to control the serial ports. The network appliance is a network device and is subject to the same attacks as any network device.

Threats to and vulnerabilities of home systems

VPN access is becoming more popular. Rather than being limited to modem speeds, a user can connect to a high-speed home Internet connection through broadband or cable modem and then establish a VPN over that connection. Even if an organization only allows VPN access, the organization network is still vulnerable, because home systems are very vulnerable to attackers on the Internet. If the home system has an always-on Internet connection, it is even more vulnerable. Computers that use cable modems are on a long bus with other computers in their neighborhood, which provides an attacker with an easy way to get a physical connection to the network. Regardless of the connection type, it is probably easier for an attacker to break into a home computer because home computers:

Do not tend to have as much security as corporate computers.
Probably are not patched as regularly and may not have updated virus software running.
Probably are not running a secure baseline configuration.
May not be running any sort of intrusion detection.
Might be running a home firewall appliance, but it might not be configured properly or it might not be running the most recent vendor security updates.

Your users might also have wireless networks at home that are inadequately secured. For more information about securing wireless, see the next lesson, Implementing Security for Wireless Network Traffic. If you are taking this course out of order, this lesson can be found in Module 10, Securing Data Transmission, in Course 2810, Fundamentals of Network Security.

If an attacker can plant a keystroke logger on a home system, then he or she can see every password as it is sent to the corporate network. If an attacker can plant a remote access Trojan horse, then he or she can control a home system while it is connected to the organization's network and use it as a stepping stone for an attack on another system. Attackers may also have an easier time stealing home desktop computers than computers in office buildings protected by an organization's physical security systems.

Threats to and vulnerabilities of portable devices

Attackers can also steal laptops, handheld devices, and compact PC phones, all of which may be configured to access the organization's network. Stealing portable devices is even easier than stealing home computers, because an attacker doesn't have to break into a house to get them. Instead, an attacker can simply take them when unsuspecting users set them down in the airport, at the coffee shop, and so on. Given time and physical access, an attacker can probably break any security in place on these devices and use them for remote access into the organization's network. Portable devices create another vulnerability because they are used in unsecured locations. It is easy for someone in an airport to shoulder surf, that is, to look over someone's shoulder as they type their password or other confidential data. Or, if one of your users plugs their computer into a hotel broadband connection, that user may be giving an attacker easy access to your system.

Threats to and vulnerabilities of unsecured computers

Users may also access the organization's Web-based services by using Internet cafes or other unsecured computers. It would be easy for an attacker to plant a keystroke logger on a public computer and use it to capture passwords of corporate users checking their e-mail via the Web.

Additional reading

For more information about the threats introduced by remote access, see the following documents:

The war dialer topic on the searchSecurity.com Web site at http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci546705,00.html.
Securing Remote Access on the Network Computing Web site at http://www.networkcomputing.com/602/602work2.html.


Considerations for Choosing a Tunneling Protocol


PPTP
    No PKI required
    Works through NAT
    Multi-protocol, multicast
    Supports smart card and password user authentication
    DHCP and static address assignment

L2TP
    PKI required
    No NAT support
    Multi-protocol, multicast
    Supports smart card and password user authentication
    DHCP and static address assignment

IPSec alone
    PKI required
    No NAT support
    IP only, unicast only
    No standard user authentication
    Standard or proprietary dynamic (no standard)

If you want to set up a secure tunnel over the Internet through a VPN, you cannot use IPSec unless your client computer has an IP address. Because you must get an IP address as part of the transaction, you must have some kind of Layer 2 protocol.

PPTP

Microsoft's proprietary solution to tunneling over the Internet is PPTP. PPTP combines the encryption and the tunneling together by using Microsoft Point-to-Point Encryption (MPPE). MPPE uses the RSA RC4 stream cipher. MPPE can use 40-bit, 56-bit, or 128-bit encryption keys. MPPE for VPN connections changes the encryption key for each packet. The decryption of each packet is independent of the previous packet. MPPE provides only link encryption, not end-to-end encryption.

L2TP plus IPSec

L2TP is a combination of PPTP and Layer 2 Forwarding (L2F), a technology proposed by Cisco Systems, Inc. L2TP only provides tunneling, not encryption, so IPSec is usually used in conjunction with L2TP. Points of comparison between PPTP, L2TP plus IPSec, and IPSec Tunnel Mode include:

Because PPTP does not require Public Key Infrastructure (PKI), it is simpler to deploy and costs less to manage than L2TP/IPSec or IPSec Tunnel Mode. It also provides backward compatibility back to client computers running Windows 95.

Because of IPSec packet authenticity, L2TP/IPSec and IPSec Tunnel Mode cannot pass through a NAT. As discussed in Module 9, Managing Security for Directory Services and DNS, in Course 2810, Fundamentals of Network Security, if the packet is altered in any way, IPSec assumes that it has been tampered with, and NAT's job is to tamper with packets to swap public and private IP addresses. Because PPTP is an encrypted IP packet placed inside of a non-encrypted IP packet, it can pass through a NAT.

IPSec Tunnel Mode does not define how non-IP traffic is carried. It supports IP-only and unicast-only traffic. L2TP and PPTP both define how non-IP and multicast traffic can pass through the tunnel to support interoperability between multiple vendors.


PPTP and L2TP can work with legacy, password-based user authentication systems, and they can support advanced user authentication with smart cards, token cards, biometrics, and similar devices. This is done by negotiating authentication through the PPP layer with PAP, CHAP, or MS-CHAP (password authentication) or by using Extensible Authentication Protocol (EAP) for card-based and biometric authentication systems. IPSec Tunnel Mode has no IETF specification for user authentication, so there is no interoperable way to provide user authentication for remote access VPN.

If you are using Windows 98, Windows ME, or Windows NT 4.0, you can download the free Microsoft L2TP/IPSec client from the Windows 2000 page of the Microsoft Web site at http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp. It includes support for a proposed extension of IPSec that can traverse a NAT. The new behavior will be enabled whenever the client connects to a VPN server that also supports the proposed NAT-Traversal extensions for IPSec. Microsoft plans to support these extensions in the Windows .NET Server 2003 family, and other industry leaders have NAT Traversal-capable VPN servers in development.

Additional reading

For more detailed information about VPNs and their protocols, see:

Chapter 9 of the Microsoft Windows 2000 Server Resource Kit Internetworking Guide.
The Microsoft whitepaper Virtual Private Networking: An Overview.

For more information about IPSec with NAT traversal, see the IETF Internet draft documents:

UDP Encapsulation of IPSec Packets at http://www.ietf.org/internet-drafts/draft-ietf-ipsec-udp-encaps-03.txt.
Negotiation of NAT-Traversal in the IKE at http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-t-ike-03.txt.

For more information about encryption protocols, see Module 5, Using Cryptography to Secure Information, in Course 2810, Fundamentals of Network Security. For more information about MPPE, see Request for Comments 3078, Microsoft Point-To-Point Encryption (MPPE) Protocol (Category: Informational; Updates: 2118), March 2001, by G. Pall, Microsoft Corporation, and G. Zorn, Cisco Systems, at http://www.ietf.org/rfc/rfc3078.txt. This RFC is informational only and does not specify an Internet standard because MPPE is proprietary.


Considerations for Choosing a Remote Access Authentication Protocol


Remote authentication protocol    Considerations
CHAP                              Requires passwords that are stored by using reversible encryption
                                  Is compatible with Macintosh and Unix-based remote access clients
                                  Data cannot be encrypted
MS-CHAP                           Used by Windows 95 clients
                                  Supports only Microsoft clients
MS-CHAP v2                        Performs mutual authentication
                                  Installed by default as the remote access protocol in Windows 2000 and later operating systems
EAP-TLS                           Requires PKI
                                  Enables multifactor authentication

Key points

Before you choose a remote access authentication protocol, you should understand the security implications of the protocols:

CHAP. The Challenge Handshake Authentication Protocol (CHAP) is a challenge-response authentication protocol. It uses the Message Digest 5 (MD5) algorithm to hash the response to a challenge that is issued by the remote access server. CHAP is used by various vendors of dial-in servers and client computers, including Macintosh and Unix clients. CHAP uses a three-step process to authenticate the user. After the user requests authentication, the CHAP server sends a challenge and session ID. The client hashes the challenge, the session ID, and the password and then sends it back to the server. The server also hashes the challenge, the session ID, and the password and compares it to what the client sent. If they match, the user is authenticated. For the server to perform the hash, it must have access to the user's password. This means that the password must be stored by using reversible encryption (which just means that the server can decrypt the password). If the server can decrypt the password, so can an attacker. Also, data cannot be encrypted when you use the CHAP protocol. Therefore, CHAP is the least secure option.

MS-CHAP. The Microsoft Challenge Handshake Authentication Protocol is similar to CHAP but does not require that passwords be stored by using reversible encryption. Data is encrypted by MPPE. MS-CHAP is more secure than CHAP, but only implement MS-CHAP if you run earlier Microsoft operating systems that require it. Both CHAP and MS-CHAP are only as secure as the strength of the user's password.

MS-CHAP version 2. MS-CHAP v2 was designed to fix some security issues with MS-CHAP. It uses mutual authentication. Data is encrypted by using separate session keys for transmitted and received data, which makes it more difficult for an attacker to sniff the traffic and use a brute force attack on the key. The session key generation is not entirely based on the user's password, so a weak password won't necessarily leave the session vulnerable.

EAP-TLS. Extensible Authentication Protocol-Transport Layer Security provides authentication, data integrity, and data confidentiality services. It uses certificates for mutual authentication, negotiation of encryption algorithms, secure exchange of session keys, and message integrity. Use EAP-TLS if you implement multifactor authentication technologies, such as smart cards. EAP-TLS is the most secure remote authentication protocol. However, it is complex and expensive to implement multifactor authentication, and many organizations are not ready or able to make this level of commitment to network security. SecurID is a popular token-based authentication solution that works through EAP. The user is given a key chain device or card that is synchronized to display a specific number every few seconds. The user has to enter that number along with his or her personal identification number (PIN) and user name. The attacker would have to both steal the token and break the PIN to get access.
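The three-step CHAP exchange above, written out as an added example (not the course's or any vendor's code). It follows RFC 1994, where the response is MD5 over the one-byte Identifier (the "session ID" the text refers to), the shared secret, and the challenge. The point to notice is in ChapServer: to recompute the hash it must hold the user's password itself, which is why CHAP needs reversibly stored passwords. User name, password and challenge handling are constructed sample values; the class and function names are hypothetical.

```python
"""CHAP (RFC 1994) challenge-response, both sides: added example."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response value = MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Remote access server side. `users` maps user name to the recoverable password,
    which is exactly what CHAP forces the server to keep (constructed sample data)."""

    def __init__(self, users: dict):
        self.users = users
        self.pending = {}          # identifier -> outstanding challenge

    def challenge(self, identifier: int) -> bytes:
        c = os.urandom(16)         # fresh, unpredictable challenge defeats replay
        self.pending[identifier] = c
        return c

    def verify(self, identifier: int, username: str, response: bytes) -> bool:
        challenge = self.pending.pop(identifier, None)   # one use per challenge
        secret = self.users.get(username)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def run_chap(server: ChapServer, username: str, client_secret: bytes,
             identifier: int = 1) -> bool:
    """Client side: receive the challenge, hash it with the password, send the response."""
    challenge = server.challenge(identifier)
    response = chap_response(identifier, client_secret, challenge)
    return server.verify(identifier, username, response)


def demo():
    """Returns (correct password accepted, wrong password accepted, stale response accepted)."""
    server = ChapServer({"alice": b"correct horse battery staple"})
    ok = run_chap(server, "alice", b"correct horse battery staple", identifier=1)
    wrong = run_chap(server, "alice", b"wrong password", identifier=2)
    # Re-presenting any response for identifier 1 fails: that challenge has been consumed.
    stale = server.verify(1, "alice", chap_response(1, b"correct horse battery staple", b"\x00" * 16))
    return ok, wrong, stale


if __name__ == "__main__":
    print(demo())
```

Nothing in this exchange keys any data encryption, which is the "data cannot be encrypted" consideration in the table; MS-CHAP and MS-CHAP v2 differ precisely in deriving MPPE session keys from the exchange and in not needing the recoverable password on the server.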

Additional reading

For more information on SecurID, see the RSA SecurID tour at http://www.rsasecurity.com/products/securid/demos/SecurIDTour/RSASecurIDTour.html.
For a comparison of MS-CHAP v1 and v2, see the white paper Cryptanalysis of Microsoft's PPTP Authentication Extensions (MS-CHAPv2) at http://www.counterpane.com/pptpv2-paper.html.


How RADIUS Secures Remote Access


[Slide diagram: 1. The Client dials in to a local RADIUS Client to gain network connectivity. 2. The RADIUS Client forwards requests across the Internet to the RADIUS Server. 3. The RADIUS Server authenticates requests against the Active Directory Server and stores accounting information. 4. The RADIUS Server communicates to the RADIUS Client to grant or deny access.]

Key points

Remote Authentication Dial-in User Service (RADIUS) is a way to separate the access functions from the authentication functions. It also allows auditing and accounting information to be gathered in one central place for all RADIUS servers. Without RADIUS, the server authenticates users and does all of the necessary logging for the users' connections. It also provides access, the actual connection. If you use RADIUS, those pieces are separated, so a RADIUS server provides the authentication. The RADIUS server also performs the audit, which is a log of unauthorized attempts, authorized attempts, and that kind of thing, and the accounting of the call statistics. Because the network access server only provides access, it doesn't know whether a user is allowed on or not. It relies on RADIUS.

RADIUS can be used in different scenarios. In the scenario shown on the slide, a user who is using an Internet service provider is authenticated by using his or her organization's authentication credentials. The ISP configures a RADIUS client in or near the local calling area of the user to be serviced, then:

1. The user calls the ISP Point of Presence (POP) and authenticates himself or herself to the RADIUS client.
2. The ISP's RADIUS client forwards the authentication to a subscribing organization's RADIUS server.
3. The organization's RADIUS server contacts the internal directory service to authenticate the request and stores the accounting information.
4. The organization's RADIUS server communicates to the ISP RADIUS client whether to grant or deny access to the user.

The RADIUS client does not require any knowledge of or access to the organization's user accounts database. By using this approach, organizations can easily add and delete users and grant and deny access to the ISP without the ISP having to manage the administration. This approach also enables organizations to centrally track ISP expenses. Users get an easier logon experience, because they only need to remember their organization's logon credentials. The organization benefits by having users call a local POP instead of paying long-distance charges to call the organization directly. The organization is also relieved of the responsibility and security concerns of maintaining a large bank of modems for direct dial-in.

Note: Microsoft's implementation of RADIUS is called IAS, Internet Authentication Server.

Note TACACS+ (Terminal Access Controller Access Control System) is an alternative protocol to RADIUS. TACACS+ uses TCP, whereas RADIUS uses UDP. RADIUS only encrypts the passwords between the RADIUS client and RADIUS server, whereas TACACS+ encrypts everything. RADIUS combines authentication and authorization, whereas TACACS+ separates them so that you can use your preferred authentication mechanism. TACACS+ is separate from and not compatible with any previous versions of TACACS.
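The note above says RADIUS encrypts only the password between the RADIUS client and server. The following added example (not the course's, IAS's, or any vendor's code) shows what that means concretely, following RFC 2865: the User-Password attribute is hidden with an MD5 keystream derived from the shared secret and the 16-byte Request Authenticator, every other attribute travels in the clear, and the client checks the Response Authenticator on the Access-Accept so that a reply from someone without the shared secret is rejected. The shared secret, password and identifier are constructed sample values; the function names are hypothetical.

```python
"""RADIUS User-Password hiding and Response Authenticator check (RFC 2865): added example."""
import hashlib
import hmac
import os

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3   # RADIUS packet codes


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 with NULs, then for each 16-byte block
    c_i = p_i XOR MD5(secret + previous block), where the 'previous block' of the first
    block is the Request Authenticator. Only this attribute is protected."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: same keystream, chained on the received cipher blocks; strip NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return out.rstrip(b"\x00")


def response_authenticator(code: int, identifier: int, request_auth: bytes,
                           attributes: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(attributes)
    header = bytes([code, identifier]) + length.to_bytes(2, "big")
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def verify_reply(code: int, identifier: int, request_auth: bytes, attributes: bytes,
                 secret: bytes, received_auth: bytes) -> bool:
    """RADIUS client side: accept the reply only if it was built with the shared secret."""
    expected = response_authenticator(code, identifier, request_auth, attributes, secret)
    return hmac.compare_digest(expected, received_auth)


def demo():
    """Returns (password round-trips, hidden length, genuine reply accepted, forged reply accepted)."""
    secret = b"constructed-shared-secret"
    request_auth = os.urandom(16)                   # fresh per Access-Request
    password = b"S3cret!passw0rd-longer-than-16"    # 30 bytes -> 32 on the wire
    hidden = hide_password(password, secret, request_auth)
    recovered = unhide_password(hidden, secret, request_auth)
    reply_attrs = b""                               # no reply attributes in this sample
    genuine = response_authenticator(ACCESS_ACCEPT, 7, request_auth, reply_attrs, secret)
    forged = response_authenticator(ACCESS_ACCEPT, 7, request_auth, reply_attrs, b"guessed-secret")
    return (recovered == password, len(hidden),
            verify_reply(ACCESS_ACCEPT, 7, request_auth, reply_attrs, secret, genuine),
            verify_reply(ACCESS_ACCEPT, 7, request_auth, reply_attrs, secret, forged))


if __name__ == "__main__":
    print(demo())
```

Two operational points follow from the code: the strength of the hiding rests entirely on the shared secret and the unpredictability of the Request Authenticator, and because only User-Password is hidden, the user name and the rest of the request are visible on the path between the RADIUS client and server, which is one reason that path is normally kept on a protected segment or inside a tunnel.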


Guidelines for Implementing Security for Remote Access


Use Connection Manager to predefine and preconfigure network connection icons with certain secure properties
When using remote control or terminal services technologies, establish a secure VPN connection and then run them over VPN
Use L2TP/IPSec for VPN tunnels when NAT traversal is not an issue
When feasible, use multifactor authentication to provide secure VPN or dial-up access
Restrict modem usage inside the organization's network
Review audit logs for RAS activity
Use RAS callback security or caller ID whenever feasible
Consider using account lockout security to protect accounts enabled with remote access from brute-force password attacks

Key points

Follow these guidelines when implementing security for remote access:

Use Connection Manager to predefine and preconfigure network connection icons with certain secure properties. It is a best practice to set up your network so that users cannot create or change their own remote access network connection icons. This stops them from misconfiguring the network connection or configuring it in an unsafe way, for example, by not requiring encrypted passwords. Connection Manager is one of the standard management utilities in Windows that administrators can use to predefine and preconfigure network connections with certain secure properties. You can set it up to allow non-administrators to change certain properties in the network connection icon, for example, the dial-up phone number.

When using remote control or terminal services technologies, establish a secure VPN connection and then run them over the VPN. This minimizes the configuration that you might need on your firewall to support additional protocols, and it standardizes your entry point into the network so that you have fewer entry points to defend.

Use L2TP/IPSec for VPN tunnels when NAT traversal is not an issue. IPSec provides more options for encryption and allows for certificate-based authentication. Some vendors are using interim workarounds for NAT traversal until the IPSec standard is updated to support it.

When feasible, use multifactor authentication to provide secure VPN or dial-up access. Smart cards or tokens such as SecurID are major projects to implement and have associated costs, but they provide more secure dial-up access. With two-factor authentication, even if an attacker steals a laptop, he or she has not necessarily stolen the smart card or token required to get access. Even if the smart card or token is stolen, the attacker still has to guess or know the PIN.

Restrict modem usage inside the organization's network. Use Group Policy to disable modems on clients running Windows 2000 or later. Conduct modem sweeps periodically to look for unauthorized modems.



Review audit logs for remote access activity. All dial-up activity is automatically logged in the system event log. Check for unauthorized remote access.

Use remote access callback security or caller ID whenever feasible. Callback is most effective for security if the user always dials in from the same location.

Consider using remote access client account lockout to protect accounts enabled for remote access from brute-force password attacks. The remote access client account lockout feature is managed separately from the account lockout settings maintained in Active Directory Users and Computers; you control it by manually editing the registry. Account lockout cannot distinguish between a legitimate user who mistypes a password and an attacker who is trying to crack an account. The advantage of enabling it is that brute-force attacks are unlikely to succeed, because the account is locked long before random guesses reach the right password. The disadvantage is that an attacker who knows or can guess user names can create a denial-of-service condition by deliberately locking those accounts out.

Additional reading

For information about installing and using Connection Manager, see the Windows 2000 Server documentation on the Windows 2000 page of the Microsoft Web site at http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/sag_cmaktopnode.htm.

For information about configuring remote access client lockout, see the Microsoft Knowledge Base article Q310302, How to: Configure Remote Access Client Account Lockout in Windows 2000, on the Microsoft Web site at http://support.microsoft.com/default.aspx?scid=kb;en-us;Q310302.


Practice: Implementing Security for Remote Access

Scenario

1. Read the scenario
2. List three threats that are introduced by remote access and list security measures to mitigate these threats

Instructions

Read the scenario, and then list three threats that are introduced by remote access and list security measures that could be taken to mitigate the threats.

Scenario

A manufacturing company has a large mobile workforce. Employees work from home offices half of the time and from other remote locations the other half, while they are traveling. The company is planning to provide remote access to the mobile sales force by using VPN from their homes and by using dial-up when they are traveling with their laptops.

Threat #1 and how to mitigate the threat
________________________________________________________________

Threat #2 and how to mitigate the threat
________________________________________________________________

Threat #3 and how to mitigate the threat
________________________________________________________________



Assessment: Implementing Security for Remote Access


This lesson explained how to implement security for remote access.

1. Your organization is rolling out a remote access solution. It will allow users who do not have an Internet Service Provider to dial directly into the network by using RADIUS. Users who already have Internet connectivity will be able to VPN into the corporate network. Half of the remote users are salespeople who dial in from hotels. Which of these three statements is correct? (Choose one)

A. Dial-up users should use a SecurID token.
B. Dial-up users should be called back at a pre-set telephone number.
C. The RADIUS client will authenticate the dial-up users and collect the accounting information.


Lesson: Implementing Security for Wireless Network Traffic


What Is Wireless Networking?
Wireless Standards
The Difference Between 802.11 and 802.1x Security
WEP Vulnerabilities
Threats Introduced by Wireless Networking
Guidelines for Securing Wireless Transmissions

Introduction

This lesson explains what wireless networking is and the standards that are used for wireless networking. The lesson discusses the threats and vulnerabilities that are introduced if members of your organization use wireless networking. The lesson ends with guidelines for securing wireless network traffic. After completing this lesson, you will be able to:

Lesson objectives

- Explain what wireless networking is
- Describe threats introduced by wireless networking
- Use wireless standards
- Use security protocols for wireless
- Secure wireless transmissions


What Is Wireless Networking?


A wireless network uses technology that enables devices to communicate by using standard network protocols and electromagnetic waves, not network cabling, to carry signals over part or all of the communication path
Category    Description
Fixed       Use of wireless devices or systems in homes and offices, in particular equipment to connect to the Internet by using specialized modems
Portable    Use of independent, battery-powered wireless devices or systems outside the office, home, or vehicle: handheld cell phones and PCS units
Mobile      Use of wireless devices or systems aboard motorized moving vehicles: automotive cell phones and PCS
Infrared    Use of devices that convey data by using infrared radiation, employed in certain limited-range communications and control systems

Key points

A wireless network uses technology that enables two or more devices to communicate through standard network protocols and electromagnetic waves, not network cabling, to carry signals over part or all of the communication path. The four categories of wireless devices are described on the slide.


Wireless Standards
Standard    Description
802.11      A group of specifications for WLANs developed by IEEE; defines the OSI physical layer and the MAC portion of the data link layer
802.11b     11 megabits per second; good range but susceptible to radio signal interference; popular with home and small business users
802.11a     Transmission speeds as high as 54 Mbps; works with wireless ATM systems; works well in densely populated areas; not interoperable with 802.11, 802.11b, or 802.11g
802.11g     Enhancement to and compatible with 802.11b; 54 Mbps but at shorter ranges than 802.11b
802.1x      Authenticates clients before it lets them on the network; can be used for wireless or wired LANs; requires greater hardware and infrastructure investment

802.11, also known as Wi-Fi, is a family of specifications for wireless local area networks (WLANs) developed by a working group of the Institute of Electrical and Electronics Engineers (IEEE). 802.11 defines the physical layer and the MAC portion of the data link layer in the OSI model. The MAC layer is the same for all 802.11 standards, but the physical implementation varies.

802.11 through 802.11g

802.11b supports higher bit rates than the original 802.11 specification but is still backward compatible with it. 802.11b adds two speeds: 5.5 megabits per second (Mbps) and 11 Mbps. It has good range but is susceptible to radio signal interference in the crowded 2.4 GHz band. Many vendors make reasonably priced 802.11b devices for the home and small business market.

802.11a allows for faster communication speeds, up to 54 Mbps, but usually at shorter ranges. It uses 12 separate non-overlapping channels, so it works well in densely populated areas. It uses a different part of the radio spectrum (5 GHz) than 802.11, 802.11b, and 802.11g, so it is not interoperable with them.

802.11g is an enhancement to 802.11b and is compatible with that standard. Upgrading from b to g may only require a firmware update instead of new hardware. It allows for speeds up to 54 Mbps, but at shorter ranges than 802.11b. Like 802.11b, it operates at 2.4 GHz and is susceptible to the same interference.

802.1x

802.1x is a separate IEEE standard for port-based network access control; it is not an extension of 802.11. It defines a way of authenticating a client at the port (an access point association or a switch port) before allowing it onto the network. It was adopted to address some of the shortcomings of 802.11 wireless security, but it applies equally to wired LANs. As deployed in this course (with EAP-TLS), it requires a greater investment in infrastructure because it needs a PKI and a RADIUS server, and 802.1x-capable access points and switches may cost more than plain 802.11 hardware.

Additional reading

For information about how Microsoft has deployed wireless, see the whitepaper Microsoft Wireless LAN Deployment and Best Practices on the Microsoft Web site. For more information about wireless standards, see Wireless LAN Deployment and Security Basics on the ExtremeTech Web site at http://www.extremetech.com/article2/0,3973,54613,00.asp.


The Difference Between 802.11 and 802.1x Security


802.11
- Peer-to-peer and infrastructure modes provide only primitive security mechanisms
- Allows for two methods of authentication: open system and shared key
- WEP encryption requires keys to be manually changed by the administrator and somehow communicated to the clients

802.1x
- Works on wired and wireless LANs
- Uses EAP-TLS to authenticate connections
- Requires a PKI
- Requires RADIUS

802.11

802.11 can be used in peer-to-peer mode or infrastructure mode. In peer-to-peer mode (also called ad hoc mode), the clients connect directly to each other, similar to a workgroup. In infrastructure mode, the clients all connect to a wireless access point, which acts like a hub for wireless clients. Regardless of the mode, all clients must know the Service Set Identifier (SSID) that will be used. In peer-to-peer mode, only clients with the same SSID can talk to each other. In infrastructure mode, the client uses the SSID to specify which of the many possible networks it wants to join. This constitutes a primitive security mechanism at best: the SSID travels in the clear in beacons, probe responses and association requests, so it is a network name rather than a secret. Also, the access point can be configured so that it allows only known MAC addresses to connect. This is called MAC filtering. MAC addresses also travel in the clear and are easily changed on a client, so filtering raises the bar only slightly.

802.11 provides two methods of authentication: open system and shared key. With open system, there is no authentication at all; any station that asks is accepted (WEP encryption of data frames can still be enabled independently of the authentication method). Shared key uses a Wired Equivalent Privacy (WEP) challenge-response: the access point sends a random challenge and the client returns it WEP-encrypted, proving that it holds the shared key. The same key is then used to encrypt data between client and access point. Note that an eavesdropper who captures the clear challenge and the encrypted response obtains RC4 keystream for that IV, so shared-key authentication actually hands an attacker more than open system does.

WEP uses a shared secret key, but the standard does not define how to get the keys to the access point and the client. This means that either vendors must write their own proprietary key exchange process or administrators must manually enter the keys on all of the clients.

WEP encryption is performed with the RC4 symmetric stream cipher. The per-packet RC4 key is formed by prepending a 24-bit Initialization Vector (IV) to the administrator-defined WEP key (40 or 104 bits). The IV is sent in the clear in the frame so that the receiver can rebuild the same key. The standard does not specify how the IV is chosen, so it varies from vendor to vendor. There can be up to four WEP keys configured at the same time, but all clients must be configured with one of these four keys. The keys must be manually changed by the administrator and somehow communicated to the clients.
802.1x

802.1x was designed to create a more secure connection mechanism. It works on both wired and wireless LANs. 802.1x authenticates the connection before allowing the client on the network. 802.1x carries the Extensible Authentication Protocol (EAP); the Windows implementation described in this course uses EAP-TLS, which uses certificates on both the client and the server for mutual authentication and therefore requires a public key infrastructure. Because the client verifies the server's certificate, it will not hand its credentials to an access point that is not backed by a legitimate authentication server. Unique WEP keys are derived from the EAP-TLS exchange for each station and for each session, are delivered to the client by the access point after authentication, and can be renegotiated during a session, so the static-key problem of plain WEP goes away.

802.1x also requires RADIUS. RADIUS is a way to forward authentication requests from a RADIUS client to a RADIUS server that can check the authorization and tell the client to allow or deny access. With 802.1x, each wireless access point is a RADIUS client. The access point contacts the RADIUS server to request authentication for the connecting computer. Because each access point is a RADIUS client, the access point itself must be registered on the RADIUS server with its own shared secret before it can relay any authentication. An unregistered access point cannot authenticate anyone, which makes it hard for a rogue access point to pass as an authorized one. It does not by itself stop a rogue device from being plugged into the wired LAN; that requires 802.1x on the wired switch ports as well.

Note It is easy to confuse WAP and WEP. Wireless access points are called APs, not WAPs, because WAP is the Wireless Application Protocol, which is used for portable devices like Web-enabled cellular phones.

Additional reading

For more information about 802.11 and 802.1x, see the whitepaper Wireless 802.11 Security with Windows XP, by Tom Fout and Warren Barkley, Microsoft Corporation.


WEP Vulnerabilities

- There are a limited number of IV combinations
- Keys are not managed well
- Checksums are not encrypted
- Packets are vulnerable to attackers who know the position of the destination address in the packet
- The authentication mechanism is limited

Before you implement wireless, you should also understand the vulnerabilities associated with WEP:

There are a limited number of IV combinations. There is no standard for generating the first IV. Many wireless network cards reset the IV to zero when they initialize and then increment it by one for every frame, which makes the IV easy to predict. The IV field is only 24 bits, so on a busy access point the whole IV space is exhausted in hours, and with reset-to-zero cards the low IVs repeat far sooner. Because the WEP key itself is static, a repeated IV means a repeated RC4 keystream. If an attacker captures two packets that use the same IV, XORing their ciphertexts cancels the keystream and leaves the XOR of the two plaintexts, which is usually enough to recover both; given enough captured traffic the key itself can be recovered.

Keys are not managed well. All WEP key information is stored on each host. If a host is lost or stolen, the keys are exposed to misuse. Re-keying static WEP keys is difficult to coordinate, so the same WEP key is often left in use long enough for attackers to recover it.

Checksums are not encrypted. Each wireless packet carries a CRC-32 checksum (the integrity check value, ICV) to verify integrity. The CRC is a linear function, so an attacker who flips chosen bits in the encrypted payload can compute how the encrypted checksum must change, without knowing the key or the plaintext, and the receiver will accept the modified frame. The computation is trivial; what limits the attack is that the attacker must know which bits to flip.

Packets are vulnerable to attackers who know the position of the destination address in the packet. If the attacker knows where the destination address sits in a packet, then the address can be changed on an otherwise unknown packet by the bit-flipping technique above. The new destination can be a computer controlled by the attacker. When the modified packet is sent on the wireless network, the access point decrypts it and forwards the plaintext to the rogue destination.

The authentication mechanism is limited. WEP has no support for extended authentication, for example, token cards, certificates and smart cards, one-time passwords, biometrics, and so on.
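The following is an added example, not from the course, that makes the WEP mechanics described on this page and in the 802.11 section above concrete. It implements RC4 and the WEP body of a frame (IV || RC4(IV || key, plaintext || CRC-32)) and then demonstrates the two vulnerabilities just listed: keystream reuse when an IV repeats, and blind bit-flipping that keeps the unencrypted CRC-32 valid. The 40-bit key, IV and packet contents are constructed for the demonstration; a real frame also carries the 802.11 header and a key-ID byte after the IV, which are omitted here.

```python
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream generation). WEP keys RC4 with IV || WEP key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian, 4 octets."""
    return (zlib.crc32(data) & 0xFFFFFFFF).to_bytes(4, "little")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Sender side: IV (clear) || RC4_{IV||key}(plaintext || ICV)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + rc4(iv + wep_key, plaintext + icv(plaintext))


def wep_decrypt(wep_key: bytes, frame: bytes) -> bytes:
    """Receiver side: rebuild the per-packet key from the clear IV, decrypt, verify the ICV."""
    iv, body = frame[:3], frame[3:]
    clear = rc4(iv + wep_key, body)
    plaintext, received_icv = clear[:-4], clear[-4:]
    if icv(plaintext) != received_icv:
        raise ValueError("ICV check failed: frame rejected")
    return plaintext


def keystream_reuse(frame_a: bytes, frame_b: bytes) -> bytes:
    """Vulnerability 1: same IV + same static key = same keystream, so
    C_a XOR C_b = P_a XOR P_b. Knowing (or guessing) one plaintext reveals the other."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames use different IVs; their keystreams differ")
    return xor(frame_a[3:], frame_b[3:])


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Vulnerability 2: CRC-32 is linear, crc(P XOR D) = crc(P) XOR crc(D) XOR crc(0..0),
    so an attacker who XORs D into the ciphertext can patch the encrypted ICV to match
    without knowing the key or the plaintext. delta is aligned to the start of the payload."""
    n = len(frame) - 3 - 4                     # plaintext length: strip IV and ICV
    delta = delta.ljust(n, b"\x00")
    icv_delta = xor(icv(delta), icv(bytes(n)))
    return frame[:3] + xor(frame[3:3 + n], delta) + xor(frame[3 + n:], icv_delta)


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"              # constructed 40-bit WEP key
    iv = b"\x00\x00\x00"                       # the IV a freshly reset card starts with
    secret = b"GET /payroll HTTP/1.0 dst=10.0.0.5"
    frame = wep_encrypt(key, iv, secret)
    # An attacker who provokes a known plaintext (here: all zeros) under the same IV
    # recovers the secret packet outright.
    known = wep_encrypt(key, iv, bytes(len(secret)))
    print("recovered via IV reuse:", keystream_reuse(frame, known)[:len(secret)])
    # Redirect the packet to 10.0.0.9 without the key; the AP will accept and forward it.
    pos = secret.index(b"10.0.0.5") + len(b"10.0.0.")
    forged = flip_bits(frame, bytes(pos) + bytes([ord("5") ^ ord("9")]))
    print("AP decrypts forged frame as:", wep_decrypt(key, forged))
```

The bit-flip half of the example is exactly the "change the destination address on an otherwise unknown packet" attack: the attacker needs only the offset of the address field, which is fixed by the IP header layout, and the access point does the decryption for them.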

802.1x is much more secure than WEP, but it still has a few vulnerabilities. 802.1x uses EAP to request and receive authentication before wireless frames are encrypted with WEP, so the EAP exchange itself is not protected by a link-layer key. An attacker sitting outside the building can inject packets into the conversation or capture the EAP messages from a successful authentication for analysis. PEAP (Protected EAP) is an EAP type that addresses this by first creating a secure channel that is both encrypted and integrity-protected with TLS. Then a new EAP negotiation with another EAP type occurs inside that channel, authenticating the network access attempt of the client.

Additional reading

For a detailed description of checksum vulnerabilities, see the article on the ExtremeTech Web site at http://www.extremetech.com/article2/0,3973,79846,00.asp. For additional information about WEP vulnerabilities, see the whitepaper Wireless 802.11 Security with Windows XP by Tom Fout and Warren Barkley, Microsoft Corporation.


Threats Introduced by Wireless Networking

- Attackers can eavesdrop on your information
- Attackers can steal your identity by spoofing SSIDs or MAC addresses
- Attackers can shut down access points by jamming the air with noise, rerouting connections to dead ends, or disconnecting valid clients
- Attackers can add unauthorized access points to established networks

Key points

There are many vulnerabilities inherent in wireless networking. Remember that you are broadcasting to the world, especially if you don't use encryption. Wireless transmissions don't always stop where you want them to stop or go where you want them to go. Many access points ship with insecure default configurations that broadcast the SSID and do not have encryption enabled. Access points ship with a default SSID that is known to attackers. Configuration can be complicated and time consuming, so many access points are left unsecured. Be aware of these threats to your network:

Attackers can eavesdrop on your information. Attackers have a variety of tools to look for wireless access points by picking up the SSID broadcast. Attackers often run these tools on laptops or handheld devices, so they can drive around in a car and scan for access points that have not been secured. This is sometimes referred to as war driving, derived from the term war dialing, which means dialing number ranges to look for unsecured modems. If an attacker finds an access point running without encryption, he or she can benignly borrow your Internet connectivity or maliciously sniff your network and use it as a launching point for an attack against another network.

Attackers can steal your identity by spoofing SSIDs or MAC addresses. Even if SSID broadcasting is disabled and MAC filtering is turned on, attackers can still use antennas to capture your signal, determine your SSIDs or valid MAC addresses from ordinary traffic, and use them to impersonate authorized clients.

Attackers can shut down access points by jamming the air with noise, rerouting connections to dead ends, or disconnecting valid clients. Wireless communication is performed by using radio frequencies, which are vulnerable to these attacks.

Attackers can add unauthorized access points to established networks. Attackers have begun to buy their own wireless access points and hook them up to existing networks. Internal staff can also attach unauthorized wireless access points to the network, which may aid their productivity but will also provide easier access for attackers.

Additional reading

For more information about the threats posed by wireless networking, see the following articles:

- Antenna on the Cheap (er, Chip) on the O'Reilly Network Web site at http://www.oreillynet.com/cs/weblog/view/wlg/448
- An Atlas of Cyberspaces: Maps of Wireless Network Infrastructure at http://www.cybergeography.org/atlas/wireless.html


Guidelines for Securing Wireless Transmissions


- Use 802.1x or IPSec when feasible
- If 802.1x isn't possible, consider using IPSec
- At a minimum, enable WEP
- Disable SSID broadcasting
- Change the default SSID
- Set the access point for infrastructure mode instead of peer-to-peer
- Audit for rogue access points
- Tune the footprint of your wireless range by using site surveys
- Place access points in screened subnets
- Use MAC filtering

Key points

Follow these guidelines for securing wireless traffic:

Use 802.1x when feasible. Although the investment in PKI, RADIUS, and 802.1x-compatible hardware may be a barrier to many organizations, 802.1x is much more secure than 802.11 on its own.

If 802.1x isn't possible, consider using IPSec. IPSec provides end-to-end security for all IP traffic. If you don't have an Active Directory domain to provide Kerberos authentication, you will need certificates for your IPSec implementation. IPSec won't protect against attacks at layer 2, such as a client associating with the wrong access point. For more information, see the Implementing Security for Common Data Transmission lesson and the Implementing Security for Remote Access lesson in Module 10, Securing Data Transmissions, in Course 2801, Fundamentals of Network Security.

At a minimum, enable WEP. For average security needs, weak encryption is better than no encryption at all.

Disable SSID broadcasting. Attackers can still pick up the SSID by scanning authorized traffic, but at least you make them work harder than if you give the SSID directly to them by broadcasting it. If you disable the broadcast, you also stop users from accidentally attaching to the wrong networks. In a densely populated area that contains a lot of high-tech professionals, for example, you may find that you can unintentionally connect to your neighbor's wireless access point just because they are broadcasting.

Change the default SSID. There are a limited number of vendors who make wireless access points. If you keep your SSID at the default, attackers can probably guess it in just a few attempts. Also, because the default is often the vendor's name, attackers learn which vendor's equipment you run and therefore which vulnerabilities to try.

Set the access point for infrastructure mode instead of peer-to-peer. Peer-to-peer may work well at conferences and for other ad hoc networks, but for business operations, use infrastructure mode to gain centralized security through the access point.


Audit for rogue access points. It is useful to have a policy in place that discourages departmental implementations of wireless networks, because they can compromise the enterprise LAN. If rogue access points are a concern for your organization, network security personnel should keep an updated list of valid access points and periodically scan the wireless network for access points that do not appear on the list.

Tune the footprint of your wireless range by using site surveys. Try to keep your signal to yourself as much as possible. If you run every access point at full power, you may find that you are providing excellent coverage to the parking lot, or worse, to your competitor in the next building.

Place your access points in screened subnets. If it is practical for you to implement this, all of your organization's wireless users will have to go through a firewall before accessing organizational resources. The firewall can be used to restrict undesirable traffic originating from the access point.

Use MAC filtering. This is only practical in very small LANs, and because MAC addresses are easily spoofed it should never be the only control.
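The rogue access point audit above can be scripted once you have a site-survey or sniffer export to compare against your list. The following is an added example, not part of the course materials. It goes a little beyond the text: because SSIDs can be spoofed (as the threats list notes), the authorized list is keyed on the access point's BSSID (its radio MAC address) as well as its SSID, so an unknown radio that advertises your own network name is flagged as a likely rogue or evil twin. The scan results, the authorized list and the list of vendor default SSIDs are all constructed for the demonstration.

```python
# Constructed scan results, in the shape a wireless sniffer or site-survey tool exports them.
SCAN_RESULTS = [
    {"ssid": "corpnet",   "bssid": "00:0C:41:AA:BB:01", "channel": 1,  "privacy": True},
    {"ssid": "corpnet",   "bssid": "00:0C:41:AA:BB:02", "channel": 6,  "privacy": True},
    {"ssid": "corpnet",   "bssid": "00:0C:41:AA:BB:03", "channel": 11, "privacy": False},
    {"ssid": "corpnet",   "bssid": "00:40:96:11:22:33", "channel": 6,  "privacy": False},
    {"ssid": "linksys",   "bssid": "00:06:25:44:55:66", "channel": 6,  "privacy": False},
    {"ssid": "",          "bssid": "00:02:2D:77:88:99", "channel": 3,  "privacy": True},
    {"ssid": "cafe-wifi", "bssid": "00:30:AB:12:34:56", "channel": 11, "privacy": False},
]

# The list network security personnel maintain: BSSID -> SSID it is supposed to advertise.
AUTHORIZED_APS = {
    "00:0c:41:aa:bb:01": "corpnet",
    "00:0c:41:aa:bb:02": "corpnet",
    "00:0c:41:aa:bb:03": "corpnet",
}

# A few factory default SSIDs (assumed list for the example); an unmanaged AP usually keeps one.
VENDOR_DEFAULT_SSIDS = {"linksys", "default", "wireless", "tsunami", "netgear", "101", "wlan"}


def audit_scan(scan, authorized, default_ssids=VENDOR_DEFAULT_SSIDS):
    """Compare a scan against the authorized list and return (severity, bssid, message) findings."""
    findings = []
    our_ssids = set(authorized.values())
    for ap in scan:
        bssid = ap["bssid"].lower()
        ssid = ap["ssid"]
        if bssid in authorized:
            expected = authorized[bssid]
            if ssid != expected:
                findings.append(("high", bssid,
                                 f"authorized AP advertises '{ssid}' instead of '{expected}'"))
            if not ap["privacy"]:
                findings.append(("high", bssid,
                                 f"authorized AP '{ssid}' has WEP disabled"))
            continue
        # Unknown radio: classify by what it advertises.
        if ssid in our_ssids:
            findings.append(("critical", bssid,
                             f"unknown AP advertising our SSID '{ssid}' (rogue or evil twin)"))
        elif ssid.lower() in default_ssids:
            findings.append(("medium", bssid,
                             f"unknown AP with vendor default SSID '{ssid}' (likely unmanaged)"))
        elif ssid == "":
            findings.append(("medium", bssid,
                             "unknown AP with SSID broadcast disabled; identify it"))
        else:
            findings.append(("low", bssid,
                             f"unknown AP '{ssid}' (neighbor or rogue; check signal and location)"))
    return findings


if __name__ == "__main__":
    for severity, bssid, message in audit_scan(SCAN_RESULTS, AUTHORIZED_APS):
        print(f"{severity:9} {bssid}  {message}")
```

A scan only sees radios; to decide whether an unknown access point is actually plugged into your wired LAN, follow up by looking for its MAC address (or the MAC addresses of clients associated with it) in your switch forwarding tables.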

Additional reading

To read how to deploy a full-scale 802.1x solution, see the Microsoft whitepaper Enterprise Deployment of IEEE 802.11 Using Windows XP and Windows 2000 Internet Authentication Service. For best practices in the enterprise environment, see the whitepaper Microsoft Wireless LAN Deployment and Best Practices.


Practice: Implementing Security for Wireless Network Traffic

Procedure

1. Follow the steps in the procedure
2. Answer the questions

Instructions

WEP encrypts all traffic between the client's adapter and the wireless access point. If no encryption is used, then all text is plainly visible when viewed with a network sniffer. The two text documents in this practice contain wireless packets captured and decoded by AiroPeek NX, a wireless packet analyzer by WildPackets. To complete this practice, follow the steps in the procedure and answer the questions.


Comparing WEP-encrypted and non-encrypted captures


1. Log on as StudentX (where X is your assigned student number) with a password of P@ssw0rd.
2. Navigate to C:\MOC\2810\Practices\Module10 and open both text files, CaptureA.txt and CaptureB.txt.

Which capture file shows packets with WEP encryption enabled, and how can you tell?
________________________________________________________________

What is the SSID for this access point?
________________________________________________________________

Is this AP broadcasting the SSID? How can you tell?
________________________________________________________________

Why should you disable broadcasting?
________________________________________________________________

3. Close all windows and log off.
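The questions in this practice are answered by fields in the 802.11 frame header, which a decoder such as AiroPeek shows by name. The following is an added example, not part of the course files, that reads those fields from raw frame bytes: the Protected Frame flag (the "WEP bit", bit 6 of the second Frame Control byte) and the clear-text IV and key ID that follow the header tell you whether a data frame is WEP-encrypted; the Privacy capability bit and the SSID element in a beacon tell you whether the access point requires WEP and whether it broadcasts its SSID (a hidden SSID shows up as an empty SSID element). The frames are built by constructed helper functions, not taken from CaptureA.txt or CaptureB.txt.

```python
def build_beacon(bssid: bytes, ssid: bytes, privacy: bool) -> bytes:
    """Constructed beacon (management frame: type 0, subtype 8); not a real capture."""
    frame_control = bytes([0x80, 0x00])                     # subtype 8, type 0, no flags
    header = frame_control + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    timestamp = (0).to_bytes(8, "little")
    beacon_interval = (100).to_bytes(2, "little")
    capability = (0x0001 | (0x0010 if privacy else 0)).to_bytes(2, "little")  # ESS, Privacy
    ssid_element = bytes([0x00, len(ssid)]) + ssid           # element ID 0 = SSID
    return header + timestamp + beacon_interval + capability + ssid_element


def build_data_frame(bssid: bytes, src: bytes, dst: bytes, payload: bytes,
                     iv: bytes = None, key_id: int = 0) -> bytes:
    """Constructed station-to-AP data frame (ToDS=1). Passing an IV makes it WEP-protected."""
    flags = 0x01                                             # ToDS
    if iv is not None:
        flags |= 0x40                                        # Protected Frame (the "WEP bit")
    header = bytes([0x08, flags]) + b"\x00\x00" + bssid + src + dst + b"\x00\x00"
    if iv is None:
        return header + payload
    return header + iv + bytes([key_id << 6]) + payload      # key ID sits in the top 2 bits


def parse_frame(frame: bytes) -> dict:
    """Pull out the fields a sniffer shows you when deciding whether WEP is in use."""
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x03
    subtype = (fc0 >> 4) & 0x0F
    info = {"type": ftype, "subtype": subtype, "protected": bool(fc1 & 0x40)}
    # Data frames with both ToDS and FromDS set carry a fourth address (6 more bytes).
    header_len = 30 if ftype == 2 and (fc1 & 0x03) == 0x03 else 24
    body = frame[header_len:]
    if ftype == 0 and subtype == 8:                          # beacon
        info["bssid"] = frame[16:22].hex(":")
        capability = int.from_bytes(body[10:12], "little")
        info["privacy"] = bool(capability & 0x0010)          # AP requires WEP
        info["ssid"] = None
        pos = 12                                             # tagged parameters start here
        while pos + 2 <= len(body):
            element_id, length = body[pos], body[pos + 1]
            value = body[pos + 2:pos + 2 + length]
            if element_id == 0:
                # Zero length (or all NULs) means SSID broadcasting is disabled on the AP
                info["ssid"] = value.decode("ascii", "replace") if value.strip(b"\x00") else ""
            pos += 2 + length
    elif ftype == 2 and info["protected"]:
        info["iv"] = body[:3].hex()                          # the 24-bit IV is sent in the clear
        info["key_id"] = body[3] >> 6                        # which of the four keys was used
    return info


if __name__ == "__main__":
    ap = bytes.fromhex("000c41aabb01")
    sta = bytes.fromhex("00a0c9112233")
    print(parse_frame(build_beacon(ap, b"corpnet", privacy=True)))
    print(parse_frame(build_beacon(ap, b"", privacy=True)))   # SSID broadcast disabled
    print(parse_frame(build_data_frame(ap, sta, ap, b"GET / HTTP/1.0")))
    print(parse_frame(build_data_frame(ap, sta, ap, b"\x11" * 16, iv=b"\x00\x00\x01", key_id=2)))
```

Note what the parser cannot tell you: a hidden SSID still appears in the clear in every probe request and association request a legitimate client sends, which is why disabling the broadcast only makes the attacker wait rather than keeping the name secret.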

Assessment: Implementing Security for Wireless Network Traffic


This lesson explained how to implement security for wireless network traffic.

1. You want to implement a wireless solution for your company. You have a 60,000 square-foot warehouse facility and a 1,500 square-foot office facility attached to it. You expect 20 employees to use laptops with wireless network adapters. You need a reasonable level of security, but you can compromise a little on security to spend less. Which wireless standard would you recommend? Choose the best answer.

A. 802.11a
B. 802.11b
C. 802.11g
D. 802.1x

2. Which of the following statements is true?

A. WAP is used to encrypt wireless transmissions from the client to the wireless access point.
B. WAP is used for end-to-end encryption from the client to the server.
C. WEP is used to encrypt wireless transmissions from the client to the wireless access point.
D. WEP is used for end-to-end encryption from the client to the server.


Lab A: Securing Data Transmission


Exercise 1: Implementing a VPN Security Solution
Exercise 2: Monitoring IPSec Key Exchange



Module 11: Implementing and Monitoring Security for Network Perimeters

Contents

Overview 1
Lesson: Introduction to Network Perimeters 2
Lesson: Implementing Security on Inbound and Outbound Network Traffic 11
Lesson: Monitoring Network Traffic 20
Lab A: Implementing and Monitoring Security for Network Perimeters 27


Beta Materials do not use for purposes other than Beta testing

Module 11: Implementing and Monitoring Security for Network Perimeters

Overview

- Introduction to Network Perimeters
- Implementing Security on Inbound and Outbound Network Traffic
- Monitoring Network Traffic

*****************************ILLEGAL FOR NON-TRAINER USE******************************

Networks in organizations today are commonly interconnected: different networks within an organization connect to each other, and corporate networks connect to the Internet. This module explains the security implications of connecting networks to each other and describes ways to protect the connection points between networks that have different security requirements. After completing this module, you will be able to:

- Explain the role of network perimeters.
- Implement security on inbound and outbound traffic.
- Monitor network traffic.


Lesson: Introduction to Network Perimeters

- How Networks Are Connected
- Why Protect Corporate Networks from the Internet?
- Why Protect Corporate Networks from Each Other?
- The Role of Perimeter Networks
- Using an N-Tier Network Architecture

Introduction

A network is a group of two or more computer systems linked together. Networks are the conduit for conducting business within an organization, with other organizations, and with users. This lesson describes how networks are connected to each other and ways to protect a corporate network. After completing this lesson, you will be able to:

Objectives

- Describe how networks are connected.
- List reasons to protect a corporate network from the Internet.
- List reasons to protect corporate networks from each other.
- Describe how perimeter networks protect corporate networks.
- Describe how an n-tier architecture helps organizations conduct business on the Internet.


How Networks Are Connected

- Networks are connected to each other by routers, VLANs, firewalls, and proxy servers
- An entry point into a network is called a network perimeter
- You control access to a network at the network perimeter

[Diagram: corporate headquarters with VLAN1 and VLAN2, a proxy server, and firewalls; a branch office LAN connected through routers; a vendor office connected through a firewall; all connected to the Internet.]

Key points

Your organization may contain networks that can interconnect with other networks and contain subnetworks. Each network may have a different security requirement. The following table describes the ways that you can control access to a network at the perimeter.

Device: Description

Router
  Connects two separate networks to each other by forwarding packets between the networks. A router may perform simple filtering of such traffic.

Virtual LAN (VLAN)
  Divides computers that are connected to the same switch into separate networks. You create a VLAN by configuring a switch to separate computers that are connected to the same switch into separate virtual LANs. You configure each port on a switch to belong to one or more virtual networks. The switch forwards packets only between ports that belong to the same VLAN.

Firewall
  Forwards packets between networks, but performs much more stringent security checks than a router.

Proxy server
  Receives packets from a computer and then establishes a separate connection to a destination server. The proxy server never forwards packets directly. Instead, it maintains two separate connections, which can enhance security because there is never a direct connection between a client on one side of the proxy server and a server on the other side of the proxy server.


Why Protect Corporate Networks from the Internet?

- The Internet is inherently less trustworthy than an internal network
- Attacks from the Internet are more difficult to track than internal attacks

[Diagram: corporate headquarters connected to the Internet, with an external attacker on the Internet and an internal attacker inside the corporate network.]

Key points

Organizations do not have any control over network traffic that originates from the Internet. Therefore, an organization needs to strictly control the traffic that is allowed to enter and leave the organization's network. Viruses; inappropriate, offensive, and possibly illegal information; and attacks from hackers are all reasons to control network traffic.


Why Protect Corporate Networks from Each Other?

- Corporate networks consist of segments with varying security requirements
- Security policies may prohibit access to the Internet from some network segments
- Some portions of a corporate network may require stricter access controls than others

[Diagram: Branch A and Branch B networks, each connected to the Internet.]
Key points

Within your organization, you may want to limit or restrict access to a certain segment of the organization's network. For example, the following departments in an organization may limit network access:

- A research department may maintain a separate network to ensure that access to its confidential data is limited.
- The human resources department may restrict access to its network to prevent unauthorized employees from accessing servers that contain payroll information.
- To ensure the smooth operation of data processing, an organization may restrict access to a network that connects servers in a data center.

You may also want to restrict access from networks that contain computers that use a wireless or VPN connection, because it is more difficult to enforce access controls on these types of networks.


The Role of Perimeter Networks

- A perimeter network is a separate network that is located at the boundary of the internal network
- External traffic can access only the perimeter network and not the internal network
- Common perimeter network types include:
  - Back-to-back perimeter networks
  - Three-homed perimeter networks
- Corporations may maintain several perimeter networks, each with separate security requirements

[Diagram: a back-to-back network and a three-homed network, each placing a Web server between the Internet and the corporate network.]

Key points

A perimeter network is separate from both the internal network and the Internet: it allows external clients to gain access to specific servers located in the perimeter network, while completely preventing access to the internal network. A perimeter network has the following features:

- It contains the resources that you want to make available to users on the Internet while maintaining the security of these resources. You typically use a perimeter network to deploy e-mail and Web servers.
- It uses a back-to-back or three-homed network design. Other perimeter designs are usually variations of these two basic designs.

Back-to-back perimeter network

In this configuration, two firewalls are located on either side of the perimeter network. Both firewalls are connected to the perimeter network: one firewall is connected to the Internet; the other firewall is connected to the internal network. There is no single point of access to internal resources. To reach the internal network, a user would need to get past both firewalls. You can configure more restrictive security rules on back-to-back firewalls than on a three-homed firewall. If your organization's access policy specifies limited and very controlled network traffic between the perimeter network and the internal network, you can configure restrictive security rules to protect your internal network more reliably.

Three-homed perimeter network

In a three-homed perimeter network configuration, one firewall is set up with three network adapters. One adapter is connected to the Internet, another to network servers located in the perimeter network, and the third to internal network clients. Although external clients can access the servers in the perimeter, the firewall prevents direct access to resources that are located on the internal network. Using a three-homed firewall gives you a single point of administration to configure access to both the perimeter network and the internal network.

However, a three-homed firewall also represents a single point of access to all parts of your network. You must be especially careful when designing access rules and monitoring for security breaches.

Additional reading

For more information about perimeter networks, see the white paper, Perimeter Network Scenarios, at: http://www.microsoft.com/technet/prodtechnol/isa/proddocs/isadocs/m_s_c_dmzconfig.asp. See also Course 2150A, Designing a Secure Microsoft Windows 2000 Network.


Using an N-Tier Network Architecture

- An n-tier network protects data and operations by dividing operations into multiple tiers
- Firewalls control the traffic between tiers

[Diagram: Internet, firewall, Web tier, firewall, middle tier, firewall, data tier.]

Key points

Many organizations use an n-tier architecture for their e-business operations. This type of architecture divides the servers that perform business functions into multiple tiers: each tier performs a particular portion of the e-business process, and all tiers are separated by firewalls that restrict traffic between them. A common n-tier configuration includes a Web tier that contains the Web servers that users can access from the Internet. The Web servers communicate with servers in the middle tier, which perform the transactions that implement the organization's business logic. The servers in the middle tier communicate with database servers in the data tier. The advantage of this design is that you can control the traffic that is allowed between each tier. An attacker who takes control of a server in the Web tier still cannot gain direct access to data on servers in the data tier. To gain additional access, an attacker would also have to compromise the controls between the different tiers.


Practice: Identifying Network Boundaries

Instructions

In this activity, you will identify network boundaries. Read the scenario, review the network diagram, and then discuss your answers with the class.

Scenario

Contoso Pharmaceutical has opened a new office in Sao Paulo, Brazil. The network is complete, and to comply with Contoso's security policy, you have to identify all the network boundaries in the Sao Paulo network that need to be secured. Some network connections are not a network boundary because they connect networks with identical security requirements. Some of the connections are not network boundaries because they connect segments that are part of the same network.

For each number on the diagram, identify whether the connection is a network boundary. Explain why the connection is a network boundary.


Assessment: Introduction to Network Perimeters

Did you understand this lesson? Complete the assessment question to confirm it.

Multiple choice

1. Contoso's customers can use the Internet to place orders. A Web server processes the order using customer data stored on database servers. When an order is placed, the Web server generates a confirmation e-mail message, which is sent by an e-mail server. The sales department reviews the orders before they are shipped. What should Contoso include in its perimeter network? (Choose all that apply.)
   a. The Web server that contains the order pages.
   b. The database server that contains the customer data.
   c. The desktop computers in the sales department.
   d. The e-mail server.


Lesson: Implementing Security on Inbound and Outbound Network Traffic

- How Switches, Routers, and Firewalls Protect Networks
- How Packet Filtering Protects Networks
- How NAT Protects Networks
- How Content Filtering Protects Networks
- Guidelines for Configuring Network Devices for Security
- Guidelines for Choosing a Firewall

Introduction

Switches, routers, and firewalls are all devices that protect the network by controlling the information that can enter and exit a network. This lesson explains how these devices and other filtering methods can protect your network. After completing this lesson, you will be able to:

Objectives

- Explain how switches, routers, and firewalls protect networks.
- Explain how packet filtering protects networks.
- Explain how network address translation protects networks.
- Explain how content filtering protects networks.
- Describe guidelines for configuring network devices for security.
- Describe guidelines for choosing a firewall.


How Switches, Routers, and Firewalls Protect Networks

Device: Protection

Switch
  - Limits network traffic to single network segments
  - Creates VLANs

Router
  - Restricts traffic based on source and destination IP addresses
  - Restricts traffic based on other IP header information

Firewall
  - Restricts traffic based on IP header information
  - Restricts traffic based on packet payload
  - Establishes proxy connections

Key points

Switches, routers, and firewalls are devices that protect networks by filtering or restricting information. These devices work in the following ways:

- A switch can limit network traffic to a single network segment or create VLANs. Switches generally do not filter traffic that they forward on a single network segment or between VLANs.
- A router can filter traffic based on information in the IP header, such as the source and destination addresses of a packet or TCP or UDP port information. A router does not examine the payload section of IP packets.
- A firewall can filter traffic based on IP header information, the connection state, or information in the payload section of a packet. A firewall may function as a proxy server to further secure network traffic. A firewall may drop packets with an invalid TCP sequence number, which may indicate an attempt to hijack an existing TCP session. A firewall that performs application-layer filtering or content filtering may also drop packets that belong to an e-mail message because the e-mail message contains specific key words.


How Packet Filtering Protects Networks


- Packet filters are rules that protect networks by determining whether routers or firewalls forward traffic

[Diagram: a firewall (131.107.1.1) applies a packet filter in front of the internal network (131.107.2.200).]

Source/Port   Destination/Port     Protocol   Direction   Type
Any/Any       131.107.2.200 / 53   UDP        Incoming    Allow

Key points

Routers, firewalls, or other network devices can perform packet filtering. The rules are based on the source address and port, the destination address and port, and other IP header information. IP packets that are not allowed are dropped. Packet filtering may examine each packet separately, or it may check that packets fit into an existing connection. Checking whether packets fit into an existing connection is called circuit-level filtering or stateful inspection. Packet filters cannot block traffic based on payload.


Practice: Applying Rules for Packet Filtering

Instructions

To start this activity, open the Web page on the Student Materials CD, click Multimedia, and then click the title of the activity. In this interactive multimedia activity, you will examine a number of packets and decide whether these packets are allowed by the packet filters.


How Network Address Translation Protects Networks

[Diagram: client computers (IP = 192.168.1.3, 192.168.1.4, 192.168.1.5) behind a NAT device (internal IP = 192.168.1.1, external IP = 131.107.2.1) communicating across the Internet with a Web server (IP = 131.107.50.1).]

1. The client sends the packet to the NAT device.
2. The NAT device changes the packet header and sends the packet over the Internet to the Web server.
3. The Web server sends a reply to the NAT device.
4. The NAT device determines the destination, changes the packet header, and sends the packet to the client.

Key points

Network Address Translation (NAT) allows computers with non-routable IP addresses to communicate with computers on the Internet. NAT translates the IP addresses in packets that are forwarded between the private network and the Internet. NAT has the following characteristics:

- NAT changes the IP headers of incoming and outgoing packets to allow communication between internal and external computers.
- In most cases, NAT prevents external access to internal computers.
- NAT does not provide payload inspection or protect against malicious programs that initiate a connection from inside your network.
- An attacker can use specially designed packets to reach computers behind a device that performs NAT.
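The four steps on the slide, as an added example that is not code from the course: a port-based NAT device using the slide's addresses (NAT internal 192.168.1.1, external 131.107.2.1, client 192.168.1.3, Web server 131.107.50.1). The port numbers, the translation-table layout and the unsolicited inbound packet are assumptions; the last one shows why a NAT device normally blocks connections that no internal host initiated.

```python
"""Port-based NAT walk-through for the four steps on the slide.

Added example, not code from the course. Addresses are the slide's; the port
numbers and the translation-table layout are assumed.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "TCP"


class NatDevice:
    """Many internal hosts share one external address; each outbound flow gets
    its own external port so that replies can be mapped back (port-based NAT)."""

    def __init__(self, internal_ip: str, external_ip: str, first_port: int = 60000):
        self.internal_ip = internal_ip
        self.external_ip = external_ip
        self._next_port = first_port
        # (proto, external port) -> (internal ip, internal port)
        self.table: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def outbound(self, p: Packet) -> Packet:
        """Steps 1-2: the client's packet arrives; the NAT device rewrites the
        source address/port to its own and forwards the packet to the Internet."""
        for key, inside in self.table.items():
            if key[0] == p.proto and inside == (p.src, p.sport):
                break                          # existing flow: reuse its mapping
        else:
            key = (p.proto, self._next_port)   # new flow: allocate an external port
            self._next_port += 1
            self.table[key] = (p.src, p.sport)
        return replace(p, src=self.external_ip, sport=key[1])

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Steps 3-4: the reply reaches the NAT device, which looks up the
        destination port in its table and rewrites the destination to the client.
        A packet with no matching entry is dropped (None): this is what keeps
        external hosts from reaching internal computers they were not already
        talking to."""
        if p.dst != self.external_ip:
            return None
        inside = self.table.get((p.proto, p.dport))
        if inside is None:
            return None
        return replace(p, dst=inside[0], dport=inside[1])


def walk_through() -> Dict[str, Optional[Packet]]:
    """Run the slide's exchange plus one constructed unsolicited inbound packet."""
    nat = NatDevice("192.168.1.1", "131.107.2.1")
    step1 = Packet("192.168.1.3", 1025, "131.107.50.1", 80)         # client -> NAT
    step2 = nat.outbound(step1)                                      # NAT -> Web server
    step3 = Packet("131.107.50.1", 80, "131.107.2.1", step2.sport)   # reply -> NAT
    step4 = nat.inbound(step3)                                       # NAT -> client
    # Nobody inside asked for this, so no table entry exists and it is dropped.
    unsolicited = nat.inbound(Packet("131.107.50.1", 80, "131.107.2.1", 60007))
    return {"1": step1, "2": step2, "3": step3, "4": step4, "unsolicited": unsolicited}


if __name__ == "__main__":
    for step, pkt in walk_through().items():
        print(step, pkt)
```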

Additional reading

For more information about using NAT with Windows 2000, refer to the Windows 2000 Help documentation and the Windows 2000 Resource Kit.


How Content Filtering Protects Networks

Content filtering protects by:
- Providing payload inspection
- Requiring knowledge about the application protocol
- Providing protection against viruses and other attacks that cannot be detected by examining IP headers

Source/Port          Destination/Port      Payload
131.107.5.1 / 1026   131.107.2.200 / 25    Mail FROM: hacker@?.com:RCPT TO:john@contosoi.msft:Data:Virus

Content filtering limitations:
- Processor-intensive
- Dependent on the content filtering device's knowledge of the application layer protocol and threats

Key points

Content filtering (also known as application-layer filtering) examines the content or payload of a packet, and denies or forwards the packet based on this information. Some firewalls, such as Microsoft Internet Security and Acceleration (ISA) Server 2000, perform content filtering. Content filtering hardware or software must include information about application protocols because it uses that information to interpret the payload of a packet. Content filtering is processor-intensive. Its effectiveness depends on the content filtering device's information about the application layer protocols and threats.


Guidelines for Configuring Network Devices for Security

- Use multiple layers of protection
- Use packet filters for ingress and egress filtering
- Configure NAT wherever possible
- Configure routers, switches, and firewalls so they are not vulnerable to attacks
- Establish procedures to regularly monitor router and firewall logs
- Configure devices to block all traffic except for the traffic that you specify

Key points

Use the following guidelines to configure network devices for security:

- Use multiple layers of protection. Use packet filtering first. Routers can perform packet filtering efficiently and reduce the number of packets that are forwarded to a firewall for further inspection. Then use a firewall to perform content filtering for packets that have passed the packet filter.
- Use packet filters for ingress and egress filtering. Ingress filtering drops packets with an internal source IP address that arrive at the external interface of the router. Egress filtering drops packets with an external source IP address that arrive at the internal interface of the router. Configure your router to drop packets with a private IP address that arrive on the router's external interface. Packets with an invalid IP address are often an attempted attack on your network.
- Configure NAT. NAT hides internal network addresses from external users and prevents external packets from being routed into your network.
- Configure routers, switches, and firewalls against attacks. If an attacker can gain access to a network device, then the attacker may reconfigure the device to circumvent security procedures. An attacker who gains access to a network device may disable packet filtering.
- Regularly monitor router and firewall logs. Regular monitoring can alert you to potential problems in your configuration or failures in protection mechanisms.
- Block all traffic except specified traffic. Often, you can configure network devices either to allow all traffic except for the traffic that you explicitly deny, or to deny all traffic except for traffic that you specifically allow. Blocking all traffic except the traffic that you explicitly allow ensures that no unexpected traffic, which may create security problems, is forwarded between networks.
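The packet-filter rule from the earlier slide, evaluated together with the ingress/egress and block-all-except-specified guidelines above, as an added example that is not code from the course. It assumes 131.107.2.0/24 as Contoso's internal subnet, interface names "external" and "internal", and the sample packets; rule 1 is the slide's rule, rule 2 is a constructed outbound Web rule.

```python
"""Packet-filter evaluation: default deny plus ingress/egress anti-spoofing.

Added example, not code from the course. Rule fields follow the course's
packet-filter slide (source/port, destination/port, protocol, direction, type).
The internal subnet, interface names and sample packets are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

INTERNAL_NETWORKS = [ip_network("131.107.2.0/24")]          # assumed internal subnet
PRIVATE_NETWORKS = [ip_network("10.0.0.0/8"),               # RFC 1918 ranges
                    ip_network("172.16.0.0/12"),
                    ip_network("192.168.0.0/16")]


def _in_any(addr: str, nets) -> bool:
    a = ip_address(addr)
    return any(a in n for n in nets)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str       # "TCP" or "UDP"
    interface: str   # interface the packet ARRIVES on: "external" or "internal"


@dataclass(frozen=True)
class Rule:
    # None means "Any", as on the slide.
    src: Optional[str]      # CIDR
    sport: Optional[int]
    dst: Optional[str]      # CIDR
    dport: Optional[int]
    proto: Optional[str]
    direction: str          # "Incoming" = arrives on external, "Outgoing" = on internal
    action: str             # "Allow" or "Deny"

    def matches(self, p: Packet) -> bool:
        if p.interface != ("external" if self.direction == "Incoming" else "internal"):
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return self.proto is None or p.proto == self.proto


def anti_spoof_check(p: Packet) -> Optional[str]:
    """Ingress/egress filtering as the guidelines define it. Returns a drop
    reason, or None when the source address is plausible for the interface."""
    if p.interface == "external":
        if _in_any(p.src, INTERNAL_NETWORKS):
            return "ingress: internal source address arrived on external interface"
        if _in_any(p.src, PRIVATE_NETWORKS):
            return "ingress: private source address arrived on external interface"
    elif not _in_any(p.src, INTERNAL_NETWORKS):
        return "egress: external source address arrived on internal interface"
    return None


def filter_packet(p: Packet, rules: List[Rule]) -> Tuple[str, str]:
    """Return (action, reason). Spoof checks run first, then the first matching
    rule wins; a packet no rule mentions is denied (block all except specified)."""
    reason = anti_spoof_check(p)
    if reason:
        return "Deny", reason
    for i, r in enumerate(rules, 1):
        if r.matches(p):
            return r.action, f"rule {i}"
    return "Deny", "default deny: no rule matched"


# Rule 1 is the one on the slide; rule 2 is a constructed outbound Web rule.
RULES = [
    Rule(None, None, "131.107.2.200/32", 53, "UDP", "Incoming", "Allow"),
    Rule("131.107.2.0/24", None, None, 80, "TCP", "Outgoing", "Allow"),
]

if __name__ == "__main__":
    samples = [  # constructed packets
        Packet("131.107.1.1", 4000, "131.107.2.200", 53, "UDP", "external"),
        Packet("131.107.1.1", 4000, "131.107.2.200", 53, "TCP", "external"),
        Packet("131.107.2.50", 4000, "131.107.2.200", 53, "UDP", "external"),
        Packet("192.168.1.3", 4000, "131.107.2.200", 53, "UDP", "external"),
        Packet("131.107.2.10", 1025, "131.107.50.1", 80, "TCP", "internal"),
        Packet("10.1.1.1", 1025, "131.107.50.1", 80, "TCP", "internal"),
    ]
    for pkt in samples:
        print(f"{pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}",
              "on", pkt.interface, "=>", filter_packet(pkt, RULES))
```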


Guidelines for Choosing a Firewall

- Match the firewall to your requirements
- Evaluate network design, such as perimeter network support
- Evaluate support for outgoing and inbound traffic
- Allow for expansion
- Evaluate filtering capabilities
- The firewall should be easy to configure
- Content filtering capabilities must support the protocols that you use
- Ensure adequate training

Key points

Most firewalls provide basic packet filtering and most provide stateful filtering. Do not choose a firewall that does not at least include these functions. Review independent evaluations of firewalls. ICSA Labs, which tests and certifies the security of commercially available firewall products, is a commonly used source of such evaluations. Content filtering is an important distinguishing factor for firewalls. Ensure that the type of content filtering included with the firewall matches your requirements.

Additional reading:

For more information about ICSA firewall evaluation, see the ICSA Web site at: http://www.icsalabs.com.


Assessment: Implementing Security on Inbound and Outbound Network Traffic

Did you understand this lesson? Complete the assessment question to confirm it.

Multiple choice

1. Contoso has added a firewall to its network. The firewall provides packet filtering and stateful inspection. Which of the following can this firewall do? (Choose all that apply.)
   a. Decide whether to forward packets based on the contents of the IP header.
   b. Decide whether to forward packets based on TCP sequence numbers.
   c. Decide whether to forward packets based on the payload.
   d. Perform Network Address Translation.


Lesson: Monitoring Network Traffic

- Why Monitor Network Traffic?
- Methods for Monitoring Network Traffic
- What Is Intrusion Detection Software?
- Guidelines for Using IDS
- Guidelines for Monitoring Network Traffic

Introduction

Regularly monitoring network traffic in your organization helps you identify typical traffic patterns and detect potential problems. This lesson describes software that you can use to monitor network traffic and includes guidelines for monitoring network traffic. After completing this lesson, you will be able to:

Objectives

- Explain why monitoring network traffic is important.
- List methods for monitoring network traffic.
- Describe intrusion detection software.
- Describe guidelines for using intrusion detection software.
- Describe guidelines for monitoring network traffic.


Why Monitor Network Traffic?

[Diagram: corporate headquarters with a Web server and monitoring stations, connected to the Internet.]

Monitoring network traffic can:
- Reveal intrusions and intrusion attempts
- Reveal vulnerabilities
- Provide evidence of intrusions
Key points

When you monitor network traffic, look for specific patterns that can indicate an intrusion attempt. For example, HTTP packets can contain patterns that indicate a Code Red attack on your Web server. Also look for unexpected network traffic compared to your baseline, such as a sudden change in the type or amount of network traffic. For example, a change from a prevalence of incoming HTTP traffic to a prevalence of outgoing HTTP traffic may indicate that someone is tunneling, or encapsulating other network traffic inside HTTP packets to avoid detection. If you observe traffic that has passed your firewall but should have been blocked, this is evidence that the packet filters have not been configured correctly.


Methods for Monitoring Network Traffic

- Use packet capture software to monitor the network
  - Network Monitor
  - Third-party network capture software
- Use filters and triggers to reduce the amount of captured data
- Use intrusion detection software to automate the monitoring process

Key points

There are several types of software that you can use to look for suspicious patterns in network traffic, including:

- Packet capture software. Packet capture software captures packet information and stores it for later viewing and analysis. For example, you can use Microsoft Network Monitor, a component of Microsoft Systems Management Server (SMS), to capture and store information. Windows 2000 Server includes a limited version of Microsoft Network Monitor. This version can only monitor traffic to and from a single computer.
- Filters and triggers. You can use filters and triggers to capture exceptions to normal network traffic. Filters limit the amount of information that is collected based on criteria that you set. Triggers start and stop capturing based on the criteria that you set.
- Intrusion detection software. You can manually examine log files to detect patterns, or you can automate the process by using intrusion detection software.


What Is Intrusion Detection Software?

[Diagram: port scans, a SYN attack, and a brute force attack arriving from the Internet at a firewall; the administrator is alerted.]

Intrusion detection software:
- Detects the pattern of common attacks
- Records suspicious traffic in event logs
- Integrates with other firewall features to prevent common attacks
- Alerts administrators to potential attacks

Key points

Intrusion detection software (IDS) monitors network traffic and changes to computer settings to detect patterns that can indicate known intrusion attempts. IDS can run on a computer that monitors all traffic on a network, or it can monitor only a single computer. IDS may also use an independent computer or device that receives data from hubs, routers, and computers on a network. This type of computer or device is often called an agent or probe. Agents forward data to a central computer running the IDS. Intrusion detection software may be active or passive, network-based or host-based, and has the following characteristics:

- Active IDS blocks network traffic when it detects an intrusion. Normally, active IDS is incorporated into firewalls.
- Passive IDS monitors network traffic and alerts an administrator when suspicious traffic is detected.
- Network-based IDS examines network traffic for suspicious patterns.
- Host-based IDS examines servers or client computers for the patterns of an intrusion. For example, host-based IDS may scan a computer for files that have changed.


Guidelines for Using IDS

- Consider using both network-based IDS and host-based IDS
- Frequently update IDS signatures
- Understand the nature of intrusions that an IDS can detect
- Distinguish between real intrusions and false positives
- Deploy an IDS on each network segment
- Use a centralized management console to manage an IDS

Key points

Guidelines for using intrusion detection software include:

- Consider using both network-based IDS and host-based IDS. Some attacks can be easily detected by examining network traffic. Other attacks can only be identified by changes to a computer's configuration. Using both types of IDS increases the chances of detecting an attack.
- Frequently update IDS signatures. An IDS signature is a pattern that uniquely identifies an attack, such as a specific URL in an HTTP request. IDS is only as effective as its signatures. If the IDS does not have the most recent attack signatures, it leaves the network vulnerable.
- Understand the nature of intrusions that IDS can detect. When IDS reports an attempted intrusion, you must know enough about this type of intrusion to assess whether to take any action.
- Distinguish between real intrusions and false positives. Often, IDS alerts you to suspicious network traffic. You must be able to assess these alerts and determine whether they indicate a real intrusion.
- Deploy IDS on each network segment. Each network segment has different network traffic. Normally, IDS only detects intrusion attempts on the network segments to which it is connected. To monitor all parts of the network, implement IDS for each segment.
- Use a centralized management console to manage IDS. IDS often uses a decentralized system to analyze or capture network traffic throughout the organization. To get a comprehensive picture of intrusion detection in your organization, use a centralized management console to combine data from all monitoring devices on the network.

Beta Materials do not use for purposes other than Beta testing

Module 11: Implementing and Monitoring Security for Network Perimeters


Guidelines for Monitoring Network Traffic

! Document types of allowed network traffic
! Observe regular network traffic and look for anomalies
! Review logs and network statistics regularly
! Set triggers for common intrusions
! Use multiple IDS products


Key points

Guidelines for monitoring network traffic include:

! Document types of allowed network traffic. Review your organization's security policy to see which types of traffic are allowed. For example, many organizations do not allow Telnet traffic, because it carries credentials in clear text. Anything that is not on the documented list is a candidate for investigation.
! Observe regular network traffic and look for anomalies. Use network devices, monitoring software, and IDS to establish a baseline of normal traffic, and then monitor for deviations from it.
! Review logs and network statistics regularly. Use regular inspections to monitor for new traffic patterns and update your baseline as necessary.
! Set triggers for common intrusions. Use filters and triggers to capture exceptions to normal network traffic, so that you do not have to read every packet.
! Use multiple IDS products. Use a combination of active and passive, network-based and host-based products for comprehensive detection.
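The two guideline lists above, the IDS one (signatures and false positives) and the monitoring one (documented allowed traffic, a baseline, triggers), as one added Python example that is not code from the course. It runs a toy monitor over constructed flow records: the allowed-traffic policy is written as ordered filter rules with a default deny, two signatures are matched against each flow's request line (a loose and a tightened version of the same signature, to show where false positives come from), and a per-host baseline is used to flag anomalies. The rule set, the signatures, the sample requests and the baseline counts are all assumptions made for this example.

```python
"""Toy network monitor: policy rules, IDS signatures and a baseline check
applied to constructed flow records. Added example, not course code."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    payload: str = ""   # first request line, if the sensor captured one


# Documented allowed traffic as ordered rules: first match wins and anything
# unmatched is denied. The rule set is assumed for the example.
POLICY = [
    ("allow", "tcp", 80),
    ("allow", "tcp", 443),
    ("allow", "udp", 53),
    ("deny", "tcp", 23),    # Telnet explicitly forbidden by policy
]


def policy_decision(flow):
    for action, proto, port in POLICY:
        if flow.proto == proto and flow.dport == port:
            return action
    return "deny"           # default deny for undocumented traffic


# Signatures are (name, regex over the request line). LOOSE_SIG fires on any
# mention of cmd.exe, so also on a harmless documentation page; TIGHT_SIG
# keys on the traversal sequence that actually characterises the attack.
LOOSE_SIG = ("cmd.exe in URL (loose)", re.compile(r"cmd\.exe", re.I))
TIGHT_SIG = ("directory traversal to cmd.exe",
             re.compile(r"^GET\s+\S*(?:\.\./|%2e%2e)\S*cmd\.exe", re.I))
SIGNATURES = [LOOSE_SIG, TIGHT_SIG]


def matching_signatures(flow, signatures=SIGNATURES):
    return [name for name, rx in signatures if rx.search(flow.payload)]


def baseline_anomalies(flows, baseline, factor=3):
    """Hosts whose connection count exceeds `factor` times their baseline."""
    counts = Counter(f.src for f in flows)
    return {h: n for h, n in counts.items() if n > factor * baseline.get(h, 1)}


# Constructed sample traffic: a benign page whose name happens to contain
# cmd.exe, one real traversal attempt, two forbidden Telnet connections and a
# burst of connections from one host far above its baseline.
SAMPLE = [
    Flow("10.0.0.5", "192.0.2.10", 80, "tcp", "GET /index.html HTTP/1.0"),
    Flow("10.0.0.5", "192.0.2.10", 80, "tcp", "GET /docs/cmd.exe-tips.html HTTP/1.0"),
    Flow("10.0.0.7", "192.0.2.10", 80, "tcp",
         "GET /scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0"),
    Flow("10.0.0.9", "192.0.2.20", 23, "tcp"),
    Flow("10.0.0.9", "192.0.2.21", 23, "tcp"),
] + [Flow("10.0.0.7", "192.0.2.10", 80, "tcp", "GET /a HTTP/1.0")] * 12
BASELINE = {"10.0.0.5": 2, "10.0.0.7": 2, "10.0.0.9": 1}   # assumed per-period counts


def monitor(flows=SAMPLE, baseline=BASELINE):
    """Return (kind, host, detail) alerts for policy violations, signature
    hits and baseline anomalies, in that order."""
    alerts = []
    for f in flows:
        if policy_decision(f) == "deny":
            alerts.append(("policy", f.src, f"{f.proto}/{f.dport} to {f.dst}"))
        for name in matching_signatures(f):
            alerts.append(("signature", f.src, name))
    for host, n in baseline_anomalies(flows, baseline).items():
        alerts.append(("baseline", host, f"{n} connections"))
    return alerts


if __name__ == "__main__":
    for alert in monitor():
        print(*alert, sep="  ")
```

Run as a script, it prints one line per alert. The loose signature fires on /docs/cmd.exe-tips.html, which is the false positive the guideline warns about; the tightened signature fires only on the traversal request, so the alert that matters is the one on 10.0.0.7. The policy check is a first-match rule list with a default deny, which is also how the packet filter in the lab should be read: whatever is not documented as allowed is denied and reported.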


Assessment: Monitoring Network Traffic

Did you understand this lesson? Complete the assessment question to confirm it.

Multiple choice

1. Contoso plans to implement intrusion detection systems. What types of IDS should Contoso consider using? (Choose all that apply.)
   a. Network-based IDS on the internal network.
   b. Network-based IDS on the perimeter network.
   c. Host-based IDS on critical servers.
   d. Host-based IDS on all client computers.


Lab A: Implementing and Monitoring Security for Network Perimeters

Exercise 1: Implement Packet Filtering. Students will see what is open on a network. They will be given a filter and asked to implement packet filtering. They will also have the option of doing it using RRAS.

Exercise 2: Routine Monitoring of Security for Network Traffic. Students will use SuperScan to scan for vulnerabilities and verify that packet filtering is working.


Module 12: Managing Operational Security


Contents

Overview 1
Lesson: Establishing Security Policies and Procedures 2
Assessment 11
Lesson: Educating Users About Security Policies 12
Assessment 18
Lesson: Applying Security Policies to Operational Management 19
Assessment 24
Lab A: Managing Operational Security 25


Overview

! Establishing Security Policies and Procedures
! Educating Users on Security Policies
! Applying Security Policies to Operational Management

Introduction

Technology alone will not secure a network. You must define and enforce a clear set of security rules through policies and procedures. Then you must educate users about your policies and apply those policies to ongoing management of the network.

Objectives

After completing this module, you will be able to:

! Explain types of security policies and their purposes
! Educate users on complying with security policies and procedures
! Apply security policies in the management of operations


Lesson: Establishing Security Policies and Procedures

! What Are Security Policies?
! The Legal Importance of Security Policies
! What Are Security Procedures?
! Elements of a Comprehensive Security Policy

Introduction

Security policies define the rules for maintaining network security. Security procedures define how to implement the policies. Together, policies and procedures inform employees of their role in maintaining security, define accountability, and limit your organization's liability.

Lesson objectives

After completing this lesson, you will be able to:

! Explain the purpose of a security policy
! Explain the legal importance of security policies
! Explain the purpose of security procedures
! Identify the elements of a comprehensive security policy


What Are Security Policies?

Security policies:
! Define an organization's security requirements and acceptable use
! Include procedures to detect, prevent, and respond to security incidents
! Provide a framework for enforcing information security

Security policies reflect:
! The culture of the organization
! The value of sensitive information
! The types of resources in the organization

Key points

Security policies are formal statements of the rules for employees who access an organization's technology and information assets. Security policies inform users of their requirements for protecting technology and information assets. Security policies:

! Define an organization's security requirements and acceptable use. A list of what users can and cannot do on the network, including the types of allowed network traffic.
! Include procedures to detect, prevent, and respond to security incidents. Procedures are detailed steps for responding to an incident, collecting evidence, recovering the system, and protecting the data on the system.
! Provide a framework for enforcing information security. You must be able to enforce the policy with security tools or, when technological enforcement is not feasible, with sanctions. A rule that cannot be enforced either way is not a policy.

Effective security policies reflect:

! The culture of the organization. Some organizations can afford to rely on technologically competent employees to maintain control and manage the security of their resources. Other organizations must maintain stricter control.
! The value of sensitive information. Policies that protect highly sensitive resources will be stricter and carry tougher punishments for offenders than policies that protect less sensitive resources. For example, some military or government security policies will be stringent.
! The types of resources in the organization. Different types of resources require different security policies. For example, servers exposed to the Internet, such as a Web server, face different threats than internal servers such as domain controllers. Security policies protecting these resources must reflect those differences; for example, the strictness of the policy or a specific list of allowed software may depend on the type of resource.


Additional reading

For more information about security policies, see What is a Security Policy and Why Have One? under Additional Reading on the Web page on the Student Materials CD.


The Legal Importance of Security Policies

Security policies:
! Protect organizations against
  " Damage to reputation
  " Financial damages
! Enable organizations to take specific actions against unacceptable behavior
! Limit legal liability

When implementing security policies:
! Seek advice from your legal department regarding local, national, and international laws, liabilities, and standards
! Consider industry guidelines
! Have users sign a security agreement

Key points

Security policies limit an organization's liability in the following ways:

! Protect organizations against damage to reputation. Security policies must warn users against actions that are contrary to the company's image, for example, sharing or distributing copyrighted materials.
! Protect organizations against financial damages. Organizations may be held financially responsible for certain actions of their employees, for example, installing unlicensed copies of a competitor's software.
! Enable organizations to take specific actions against unacceptable behavior. By warning employees in advance of the punishment for specific unacceptable behavior, organizations know how to act when violations occur.
! Limit legal liability. By defining and communicating in advance which activities are acceptable and unacceptable, you limit the legal liability if violations occur.

When implementing security policies, be sure to:

! Seek advice from your legal department regarding local, national, and international laws, liabilities, and standards. To be enforceable, security policies must comply with all local laws. International organizations must customize policies for each of their locations.
! Consider industry guidelines. Security requirements vary by the type of organization. A software company may have different Internet access policies than a government agency.
! Have users sign a security agreement. Employees should read and sign an agreement to follow security policies and procedures before obtaining a user ID. The signed agreement is what later lets you show that the employee knew the rules.


What Are Security Procedures?

Security procedures:
! Define detailed actions in response to specific security incidents
! Provide a quick reference in times of crisis
! Help eliminate a single point of failure

Security procedures specify:
! People to contact
! Actions for limiting the damage from an attack
! Provisions for studying the incident

Key points

Security procedures are the steps for handling a security incident. Response teams use procedures to eliminate confusion and ambiguity during an incident and to ensure that they respond in an appropriate and thorough manner. Security procedures do the following:

! Define detailed actions in response to specific security incidents. The time following an incident is the worst time to decide how to respond.
! Provide a quick reference in times of crisis. The procedure provides a predefined step-by-step process for responding quickly during the confusion of an attack.
! Help eliminate a single point of failure. Your disaster recovery plans will help identify single points of failure, such as a key employee, a piece of equipment, or a process that is critical to business continuity. Identifying single points of failure allows you to create backup plans.

Effective security procedures specify:

! People to contact. The procedure defines whom to contact in a security incident and when to contact them. You will define triggers for contacting local managers and personnel, law enforcement and investigative agencies, and your computer security incident response team.
! Actions for limiting the damage from an attack. The purpose of containment is to limit the extent of an attack. An essential part of containment is deciding whether to take a system offline, monitor system or network activity, or disable functions.
! Provisions for studying the incident. The procedure defines exactly what information to record, who can release information, and the procedure for releasing it. It also settles trade-offs in advance; for example, you may have to choose between preserving the affected servers for analysis and quickly restoring systems and services.


Elements of a Comprehensive Security Policy

Security Policy
! Privacy policy
! Access policy
! Accountability policy
! Authentication policy
! Availability statement
! System and network maintenance policy
! Violations reporting policy
! Supporting information

Key points

A comprehensive security policy clearly defines the areas of responsibility for users, administrators, and management. A security policy includes the following elements:

! Privacy policy. Defines reasonable expectations of employee privacy, including the monitoring of e-mail, logging of keystrokes, and access to users' files.
! Access policy. Defines access rights and privileges to protect assets from loss or disclosure by specifying acceptable use guidelines for users, operations staff, and management. It should provide guidelines for external connections, data communications, connecting devices to a network, and adding new software to systems.
! Accountability policy. Defines the responsibilities of users, operations staff, and management. The policy should specify an audit capability and provide the incident handling guidelines needed to hold violators accountable.
! Authentication policy. Establishes trust through an effective password policy and by setting guidelines for authentication from remote locations and the use of authentication devices.
! Availability statement. Sets users' expectations for the availability of resources. The statement should address redundancy and recovery issues, as well as specify operating hours and maintenance periods. It should also include contact information for reporting system and network failures.
! System and network maintenance policy. Describes how both internal and external maintenance people handle and access technology, for example, whether to allow remote maintenance and how to control it.
! Violations reporting policy. Indicates which types of violations must be reported and to whom the reports are made. A non-threatening atmosphere and the possibility of anonymous reporting will enhance reporting.
! Supporting information. Provides contact information for each type of policy violation; guidelines on how to handle outside queries about a security incident, or information which may be considered confidential or proprietary; and cross-references to security procedures and related information, such as company policies and governmental laws and regulations.
Additional reading

For more information about security policies, see the white paper, Best Practices for Enterprise Security: Security Strategies, at: http://www.microsoft.com/technet/security/bestprac/bpent/sec1/secstrat.asp.


Practice: Identifying Elements of an Effective Security Policy

Instructions

Below are portions of the password policy for two companies. Read through both policies. You will find good and bad qualities in each policy. From these examples, create a third policy that is clearly defined, understandable, and enforceable. With the class, explain why you removed certain elements and why you retained others.

Company A:

Passwords on the network must will not be used unless they meet password complexity requirements. The password complexity requreements are: the password must be at least 7 characters long and use a combination of upper case, lower case characters as well as contain numbers and punctuation. All user, system, network, and application passwords must be changed every 5 days. The new password should comply with the policy. All passwords must also have sufficient entropy and completely avoiding right hand/left hand bias. All passwords must be transmitted by using Triple Data Encryption Standard (3DES), 128-bit Secure Socket Layer (SSL), or RSA RC4, 128-bit or stronger encryption. There are no exceptions to compliance with this policy. Computers with accounts on them that do not comply with this policy may be removed from the network until such a time that they comply.

Company B:

All passwords on the network must be strong passwords that meet industry standard password complexity requirements. Employees will not cache passwords. This means never use the "Remember Password" feature of any application (e.g., Outlook, Instant Messaging, Internet Explorer, etc). All user, system, network, and application passwords must be changed every 7 days. Do not share your passwords with anyone, including administrative assistants or helpdesk. When changing your password, it must be significantly different from prior passwords. Any violations of this policy will lead to the termination of the employee.
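One way to test whether the two policies above are enforceable, as an added Python example that is not part of the course practice: the password rules that can be stated precisely are turned into checks. Company A's complexity rule (7 characters, upper and lower case, a number, punctuation) and Company B's "significantly different from prior passwords" rule translate directly; "sufficient entropy" only becomes checkable once a concrete threshold is chosen. The entropy threshold, the edit-distance threshold and the sample passwords are assumptions made for this example, not values from either policy.

```python
"""Password policy checks built from the Company A / Company B wording.
Added example, not course code; thresholds marked as assumed."""
import math
import string

MIN_LENGTH = 7              # Company A: at least 7 characters
MIN_ENTROPY_BITS = 40       # assumed threshold for "sufficient entropy"
MIN_DISTANCE = 4            # assumed threshold for "significantly different"


def complexity_violations(password):
    """Company A's complexity rule: minimum length plus all four classes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "upper case": any(c.isupper() for c in password),
        "lower case": any(c.islower() for c in password),
        "number": any(c.isdigit() for c in password),
        "punctuation": any(c in string.punctuation for c in password),
    }
    problems += [f"no {name} character"
                 for name, present in classes.items() if not present]
    return problems


def entropy_bits(password):
    """Naive estimate: log2(charset size ** length), where the charset is the
    union of the classes actually used. A production checker would also
    penalise dictionary words and keyboard patterns; this one does not."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return len(password) * math.log2(size) if size else 0.0


def edit_distance(a, b):
    """Levenshtein distance, used to give "significantly different from prior
    passwords" a measurable meaning."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def check_policy(password, previous=()):
    """Return the list of rule violations; an empty list means compliant."""
    problems = complexity_violations(password)
    if entropy_bits(password) < MIN_ENTROPY_BITS:
        problems.append(f"estimated entropy below {MIN_ENTROPY_BITS} bits")
    for old in previous:
        if edit_distance(password, old) < MIN_DISTANCE:
            problems.append("too similar to a previous password")
            break
    return problems


if __name__ == "__main__":
    for candidate in ("password", "Summer2024!", "Ab1!xyz"):   # constructed samples
        print(candidate, check_policy(candidate, ["Summer2023!"]))
```

The checks that correspond to concrete sentences (length, character classes, comparison with prior passwords) are enforceable as written. The "sufficient entropy" and "right hand/left hand bias" clauses only become enforceable once someone picks a threshold and a measure, which is exactly the kind of element the third policy should either specify or drop. The 5-day and 7-day change periods and the transport-encryption clause are not checked here because they are properties of the systems that handle the password, not of the password itself.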


Assessment

Did you understand this lesson? Complete these assessment questions to confirm it.

1. You are implementing security policies for your organization and want to include information on the correct methods for installing additional software. Which type of policy would normally include this information?

2. What do security procedures provide for your organization? (Choose all that apply.)


Lesson: Educating Users About Security Policies

! Common Vulnerabilities Introduced by Users
! Guidelines for Developing a User Awareness Program
! Methods for Raising Security Awareness
! Training Users About Policies and Procedures

Introduction

Users, not technology, are the source of most security vulnerabilities. Even well-written security policies will fail if employees are not aware of their existence. Your organization must educate users about security policies, interpret the implementation of security procedures, and define the role of individuals in protecting network assets.

Lesson objectives

After completing this lesson, you will be able to:

! Describe common vulnerabilities introduced by network users
! Develop a user awareness program
! Identify methods for educating users about security issues
! Train users on the best practices for secure use of the network


Common Vulnerabilities Introduced by Users

Area: Confidential information
  " Public discussion of confidential data
  " Weak passwords
  " Social engineering

Area: Computers and applications
  " Theft or loss of computers
  " Unsupported or unapproved applications

Area: Network
  " Personal use of the network
  " Misuse of remote access accounts

Area: Internet access
  " Unauthorized use of the Internet
  " Exposure of the network to malicious, offensive, or illegal content

Key points

Although almost any network may be vulnerable to intentional attacks, users typically introduce security vulnerabilities through a lack of training, failure to exercise due care, or misuse of network resources. Common areas of vulnerability include:

! Confidential information. Users may use a password-saving utility to retain logon credentials for local, LAN, and Internet sites. They may be careless with proprietary data or give confidential information to someone posing as a legitimate user.
! Computers and applications. Users may download games, screen savers, or other programs without verifying that they are safe and do not contain viruses or Trojan horses. Users may fail to install security patches or make backups of their local data.
! Network. Users may have access to network shares to which they do not require access. Users may enter their logon credentials during a remote access session from a public computer that caches their credentials.
! Internet access. Users may dial out with a modem from their LAN client while still connected to the LAN, without permission and without the protection of a firewall, which gives an outside caller a path around the perimeter. Users may open attachments on e-mails from unknown and unexpected sources.


Guidelines for Developing a User Awareness Program

! Gather relevant information to present to employees
! Develop a format and forum in which to present the information
! Prepare the program material
! Present the program to a pilot group
! Present the program to senior management
! Develop a schedule for updating the program

Key points

Develop a user awareness program to educate users on the secure use of computer systems and how to protect themselves from attackers.

! Gather relevant information to present to employees. Clearly define the type of information you will present to employees. This may include: explanation of security policies, potential consequences of not protecting information, existing security measures, future security measures, and incident-reporting mechanisms.
! Develop a format and forum in which to present the information. Determine a format and forum for the program that will reach the most people successfully. Consider the organization's culture when making the decision. Options include live presentations, intranet presentations, e-mail, voice mail, and in-house newsletters.
! Prepare the program material. Create a blended learning approach that reaches employees through several different methods. Options include a presentation session, with follow-up video or Web-based training.
! Present the program to a pilot group. Use pilot groups to assess the effectiveness of your program. Use the feedback to modify the components of the program before presenting it to the entire organization.
! Present the program to senior management. The approval of senior management is important to the success of any security awareness program. This presentation provides another opportunity to review and refine the program before presenting it to all employees.
! Develop a schedule for updating the program. Keep the material in the program up to date so that it continues to hold the attention of employees. There will always be new issues to address, as well as new tools and procedures to follow.


Methods for Raising Security Awareness

! Create incentives for passing security audits
! Publicize true worst-case scenarios
! Give online security quizzes
! Publish security fliers and posters
! Educate and train employees

Key points

Use the following methods to increase security awareness among your network users:

! Create incentives for passing security audits. Conduct unannounced security audits, such as checking unattended computers to see whether the user has logged off or locked the workstation, and reward those who pass.
! Publicize true worst-case scenarios. Fear is a good incentive. Tell how viruses, social engineering, and other easily avoidable security threats have affected major companies.
! Give online security quizzes. Conduct quizzes to measure user understanding of your security policies. Provide an incentive for passing, or require a passing score for certain privileges.
! Publish security fliers and posters. Make your security policies as visible as possible. Emphasize policies that are of particular importance for a period of time, such as a password protection awareness week. Tell users how to get more detailed information.
! Educate and train employees. Use security policy classes, handbooks, online training, and videos. You will not be able to teach all of the policies in detail, but you can provide an overview of what is expected of employees and the consequences of non-compliance.
! Create a security Web site. Publish all of the company's policies, organized in a logical way, so that employees can easily find the information they need. Provide links to training resources.
! Host a security awareness week. Once a year, update employees on new policies and inform them of any serious problems that have occurred at other firms. Consider including a security awareness section in your monthly employee newsletter.


Training Users About Policies and Procedures

Curriculum topics to cover
! Information classification, handling, and disposal
! System access
! Virus prevention
! Backup
! Software licenses
! Internet use
! E-mail use
! Physical security of notebooks

Key points

All employees need to be aware of your security policy. Explain and interpret your policies for users. Employees will be more likely to comply with your organization's security policies if they understand the need for each policy. Include a statement that users agree to ask for clarification if they do not understand the purpose of a policy. When training users about security policies and procedures, be sure to cover:

! Information classification, handling, and disposal. Cover policies on handling storage resources, such as tapes, hard drives, and any removable media. Do not rely on deleting the contents; some media must be physically destroyed to eradicate the data completely.
! System access. Describe who can access each type of system and when that access is granted.
! Virus prevention. Cover procedures for performing virus checks and updating the signatures for the virus checker. This policy may include personal computers if users connect to the internal network from home.
! Backup. Describe how and when backups are performed, whether users must perform their own backups, and where backup data is stored.
! Software licenses. Emphasize the importance of using only licensed software on the internal network. Users must follow all legal obligations and remove or purchase software after trial periods.
! Internet use. Advise users whether their Internet usage is monitored. Cover rules on downloading and uploading files. Describe what is allowed and what is considered objectionable.
! E-mail use. Cover acceptable use of e-mail and any policies on accessing private Web-based e-mail systems from the internal network.
! Physical security of notebooks. Describe the type of information that is stored on mobile computers and how to protect the data if the computer is lost or stolen. This policy may include requirements for file encryption.


Practice: Discussing the Effectiveness of Security Recommendations

Instructions

Students will discuss incidents of careless behavior that they have observed in users and administrators. The instructor will then lead students to develop methods for addressing each incident.

Users:


Assessment

Did you understand this lesson? Complete these assessment questions to confirm it.

1. You are responsible for developing user awareness of your security policies. You have determined an effective method for presenting this information to employees and, in the interest of saving time, you are considering bypassing senior management or a pilot group. Why is it important to present the program to senior management and to a pilot group?


Lesson: Applying Security Policies to Operational Management

! Methods for Enforcing Security Policies
! Guidelines for Enforcing Security Policies
! Guidelines for Revising Security Policies

Introduction

Once you have secured a network, you must also keep it secure. Ongoing maintenance of secure network operations includes enforcing your security policies and updating your policies to meet changing security needs and conditions.

Lesson objectives

After completing this lesson, you will be able to:

! Describe methods for enforcing security policies
! Identify and respond to policy infractions
! Update the security policies


Methods for Enforcing Security Policies

! Firewalls and proxy servers
! File permissions and ACLs
! Group Policy
! Auditing
! Accountable employees
! Authorized hardware and software
! Asset monitoring
! Smart cards
! Physical security



Key points

Technology alone cannot secure a network. To enforce your security policies, you must combine several factors, including:

! Accountable employees. This is the single most important factor, because uneducated or irresponsible employees can defeat every other security effort.
! File permissions and ACLs. Setting appropriate permissions on files and folders helps prevent unauthorized users from accessing company resources. Unauthorized access includes unintentional actions by users who were never meant to have that access.
! Group Policy. If you are using Windows 2000 and Active Directory, you can enforce account and password policies (such as minimum password length and account lockout) through Group Policy, so that the settings cannot be quietly relaxed on individual computers.
! Authorized hardware and software. Audit for any hardware or software, such as network monitors, that may compromise security.
! Physical security. Define who can access certain areas and buildings and how that access is controlled.
! Smart cards. These devices provide an additional level of security by limiting user access to physical assets or to the network.
! Asset monitoring. Theft of resources (laptops, hardware, memory) is an important issue for many companies. Periodically create an inventory of the assets on the network, using tools such as Microsoft Systems Management Server.
! Auditing. Examine audit logs for attempts by any person, process, or other entity on the network to gain a higher level of access. Examine logs for logon, logoff, and any change of access or status, and review them on a schedule; a log that nobody reads enforces nothing.
! Firewalls and proxy servers. These systems act as intermediaries between the computers on the intranet and the Internet, providing security, administrative control, and caching for the enterprise.
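The auditing item above says what to look for but not how a review of the log actually goes. As an added example (written for this lesson, not part of the course materials or of any Microsoft tool), the script below reviews a constructed Windows 2000 security log export for exactly those things: repeated failed logons for one account, a logon that succeeds right after failures, and every event that raises a level of access or changes an account's status. The export format (one event per line: timestamp, event ID, account, detail) and the three-failures-in-five-minutes rule are assumptions of the example; the event IDs are those of the Windows 2000 security log.

```python
"""
Review a security log export for logons, logoffs, and changes of access or
status.  Added example for this lesson; not course material and not a
Microsoft tool.

Assumptions (not from the lesson): the log was exported one event per line
as "timestamp,event_id,account,detail", and event IDs are those of the
Windows 2000 security log: 528 successful logon, 529 failed logon,
538 logoff, 576 special privileges assigned to a new logon, 624 user account
created, 636 member added to a security-enabled local group.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_NAMES = {
    528: "successful logon",
    529: "failed logon",
    538: "logoff",
    576: "special privileges assigned",
    624: "user account created",
    636: "member added to local group",
}

# Events that raise someone's level of access or change an account's status.
# Every one is reported: these are the "attempts to gain higher security
# levels" the lesson says to look for.
ACCESS_CHANGE_EVENTS = {576, 624, 636}

# Repeated failed logons for one account inside a short window suggest
# password guessing.  Threshold and window are this example's choice.
FAILURE_THRESHOLD = 3
FAILURE_WINDOW = timedelta(minutes=5)

# Constructed sample export, not a real log.
SAMPLE_LOG = """\
2002-03-04 08:55:10,528,jsmith,logon type 2 from WS01
2002-03-04 09:01:02,529,administrator,logon type 3 from WS07 bad password
2002-03-04 09:01:05,529,administrator,logon type 3 from WS07 bad password
2002-03-04 09:01:09,529,administrator,logon type 3 from WS07 bad password
2002-03-04 09:01:20,528,administrator,logon type 3 from WS07
2002-03-04 09:02:00,576,administrator,SeTcbPrivilege SeDebugPrivilege
2002-03-04 09:03:30,624,administrator,created account svc_backup2
2002-03-04 09:03:45,636,administrator,added svc_backup2 to Administrators
2002-03-04 12:10:00,529,jsmith,logon type 2 from WS01 bad password
2002-03-04 17:30:00,538,jsmith,logoff
"""


def parse_line(line):
    """Split one exported record into its fields (detail may contain commas)."""
    stamp, event_id, account, detail = line.split(",", 3)
    return {
        "time": datetime.strptime(stamp.strip(), "%Y-%m-%d %H:%M:%S"),
        "event_id": int(event_id),
        "account": account.strip().lower(),
        "detail": detail.strip(),
    }


def audit(lines):
    """Return findings as (kind, account, message) tuples, in log order."""
    findings = []
    recent_failures = defaultdict(list)  # account -> times of recent 529 events

    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        account, now, eid = rec["account"], rec["time"], rec["event_id"]

        # Forget failures that have aged out of the window before deciding.
        window = [t for t in recent_failures[account] if now - t <= FAILURE_WINDOW]
        recent_failures[account] = window

        if eid in ACCESS_CHANGE_EVENTS:
            findings.append(("access-change", account,
                             f"{now} {EVENT_NAMES[eid]}: {rec['detail']}"))
        elif eid == 529:
            window.append(now)
            if len(window) == FAILURE_THRESHOLD:
                findings.append(("repeated-failures", account,
                                 f"{now} {FAILURE_THRESHOLD} failed logons "
                                 f"within {FAILURE_WINDOW}"))
        elif eid == 528 and window:
            # A success right after failures may mean the password was guessed.
            findings.append(("success-after-failures", account,
                             f"{now} logon succeeded after {len(window)} failures"))
    return findings


if __name__ == "__main__":
    for kind, account, message in audit(SAMPLE_LOG.splitlines()):
        print(f"{kind:24} {account:16} {message}")
```

Run as a script it prints five findings, all against the administrator account; the single failed logon by jsmith stays below the threshold and is not reported. In practice the export comes from Event Viewer or a log collector, and the threshold should be tuned to how often your users actually mistype passwords, so that the report stays short enough to be read.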


For more information on security policies, read, An Overview of Security Policies, under Additional Reading on the Web page on the Student Materials CD.


Guidelines for Enforcing Security Policies

! Define a consistent process for responding to policy violations
! Ensure that punishment is commensurate with the infraction
! Ensure that penalties are enforceable for all employees
! Get buy-in from all stakeholders
! Prepare to provide all evidence and documentation
! Define clear consequences for violations and communicate them to employees



Key points

Perform the following to enforce your security policies:

! Define a consistent process for responding to policy violations. Create procedure documents with detailed instructions for implementing and enforcing policies.
! Ensure that punishment is commensurate with the infraction. If punishments are too harsh, they will never be applied and the policy will be useless. Never implement a policy you cannot or will not enforce. Your policy may state that violations can result in discipline ranging from reprimand to termination.
! Ensure that penalties are enforceable for all employees. Enforcing a penalty against a member of upper management requires prior approval from corporate leadership, so obtain that approval when the policy is written rather than after a violation.
! Get buy-in from all stakeholders. Before publishing your security policies, get approval from all stakeholders. Approval validates the policy's existence and ensures support when penalties are enforced.
! Prepare to provide all evidence and documentation. Retain security logs, e-mail messages, and cached information from the user's computer in case of further legal action, and record who collected and handled each item so that it remains credible as evidence.
! Define clear consequences for violations and communicate them to employees. Present the security policies in new-employee orientation, on the company intranet, and in public areas. Send periodic e-mail to all employees with the current security policy document.

Additional reading

For more information about security policies, see Effective Security Starts with Policies under Additional Reading on the Web page on the Student Materials CD. For more information on incident response policies, see Job Aid 4 Incident Response Quick Reference Card under Additional Reading on the Web page on the Student Materials CD.


Guidelines for Revising Security Policies

! Update the security policy proactively to reflect developments in the security industry
! After a security incident, evaluate the applicable security procedures to account for and prevent repeat occurrences
! When policies are updated, educate users and have them sign a new agreement



Key points

An outdated security policy may be as ineffective as no security policy. Perform the following to maintain up-to-date security policies:

! Update the security policy proactively to reflect developments in the security industry. Subscribe to the security Web sites provided by the vendors of your system components, and to security alerts such as those published by CERT (the Computer Emergency Response Team at Carnegie Mellon University). CERT publishes information about recent attacks and how to prevent them.
! After a security incident, evaluate the applicable security policies and procedures to account for and prevent repeat occurrences. Determine whether the incident was addressed by the existing policies. If not, revise the current policy or create a new one. Document the procedures you followed and determine whether additional procedures would have minimized the impact.
! When policies are updated, educate users and have them sign a new agreement. Users may not be aware of new or updated policies. Maximize compliance by educating users on any changes in policy that affect them.


Assessment

Did you understand this lesson?

Complete these assessment questions to confirm it.

1. Because of recent inappropriate activities by a few employees, you were asked to update your security policies. Since no policy addressed this issue, you created a new policy that clearly defines the requirements for compliance and the consequences for infractions. You added this policy to the existing education program to bring the change to everyone's attention. Unfortunately, you are getting push back from key managers, including those from the legal department and human resources. What may have happened, and what can you do to avoid this situation in the future?


Lab A: Managing Operational Security


Exercise 1: Analyzing Security Policies
Students will review existing security policies, review user feedback, identify problems in these policies, and recommend changes.

Exercise 2: Educating Users
Students will interpret security policies, strategize ways to communicate with users, and develop materials to educate users. Students will also answer questions about how to enforce the policies.


Module 13: Preserving Business Continuity


Contents
Overview 1
Lesson: Preparing to Recover from Disasters 2
Assessment: Preparing to Recover from Disasters 15
Lesson: Performing a Secure Backup and Recovery 16
Assessment: Performing a Secure Backup and Recovery 24
Lab A: Preserving Business Continuity 25


Overview
! Preparing to Recover from Disasters
! Performing a Secure Backup and Recovery

Introduction

What business continuity and disaster recovery plans look like varies from organization to organization, depending on the type of business, the processes involved, and the level of security that is required. Typically, only very large organizations can maintain complete business continuity during a disaster. Business continuity and disaster recovery plans can be developed within an organization or purchased as a service or application. It is not unusual for an enterprise to spend a large portion of its information technology budget on disaster recovery. One important component of a disaster recovery plan is a comprehensive backup and recovery strategy. Backup tapes are vital to the preservation of your data, but they also represent a serious vulnerability if they are not properly secured: a tape holds a complete copy of the data with none of the access controls that protect it on the server. After completing this module, you will be able to:

Objectives

! Assist with disaster recovery
! Perform a secure backup and recovery


Lesson: Preparing to Recover from Disasters


! Common Causes of Business Disruption
! What Is Business Continuity Planning?
! How Business Continuity Planning Works
! Elements of a Business Continuity Plan
! Common Strategies for Disaster Preparedness
! The Challenges of Disaster Recovery Planning and Implementation

Introduction

This lesson describes causes of business disruption and explains the difference between business continuity and disaster recovery plans. It then offers strategies for disaster recovery preparedness and ends by having you develop a list of ways to overcome the challenges of disaster recovery in your own organization. After completing this lesson, you will be able to:

Lesson objectives

! Describe common causes of business disruption
! Explain the process of business continuity planning
! List the elements of a business continuity plan
! Strategize about how to prepare for disasters
! Recommend ways to overcome the challenges of disaster recovery


Practice: Preparing to Recover from Disasters


Game

1. Divide into two teams.
2. In five minutes, list as many disasters as you can think of that could affect your data, equipment, facilities, and personnel.
3. Regroup and compare your lists.
4. As a class, discuss how these disasters would affect day-to-day business operations.

Instructions

Divide into two teams. When the instructor gives the signal to start, work with your team for five minutes to list as many disasters as you can think of that could affect data, equipment, facilities, and/or personnel where you work. At the end of five minutes, regroup and compare your lists. Then discuss how these disasters would affect day-to-day business operations.

Disasters:

How these disasters could affect business operations:


Common Causes of Business Disruption

! Equipment failure
! Human error
! Software malfunction or corruption
! Attacker activities, such as planted viruses and worms, intrusion, and denial of service
! Disasters
! Accidents

Key points

Business disruption can vary from a small hardware failure that affects just one system to an earthquake that destroys an entire building. To preserve business continuity, network security personnel must first be aware of what can happen to their organization's assets that would disrupt business. Common causes of business disruption include:

! Equipment failure. For example, the cooling system in a server or a server room fails, or a server rack collapses.
! Human error. For example, someone does not restore a server properly or forgets to power on an important infrastructure device.
! Software malfunction or corruption. For example, a major bug in a program or corruption in a database.
! Attacker activities. For example, planted viruses and worms, intrusion, and denial of service attacks.
! Disasters. For example, natural disasters such as earthquakes and floods, and human-caused disasters such as a building being bombed or deliberately burned.
! Accidents. For example, pipes breaking and flooding a server room, or a building being evacuated because asbestos was discovered.

Additional reading

For more information about the causes of business disruption, see:

! You think you're stressed now? Make sure you have a disaster plan on the TechRepublic Web site at http://www.techrepublic.com/article.jhtml?id=r00219991006eje01.htm&page=1.
! Understanding Data Loss on the Ontrack Data Recovery Web site at http://www.ontrack.com/datarecovery/dataloss.asp.

What Is Business Continuity Planning?


Business continuity planning is the act of designing processes and procedures to:
! Prevent mission-critical services from being disrupted
! Restore the organization to fully functioning operations as quickly and smoothly as possible

Key points

The goal of business continuity planning is to prevent mission-critical services from being disrupted and to restore fully functioning operations quickly and smoothly. A business continuity plan is a document that describes the organization's processes and procedures for making sure that essential functions can continue during and after a disaster. It documents how to keep business operations running as usual no matter what kind of disruption occurs. Disaster recovery plans and secure backup and recovery strategies are typically components of the business continuity plan.


How Business Continuity Planning Works


To plan for business continuity:
1. Assemble a disaster recovery team
2. Identify key business functions, tools, and equipment
3. Brainstorm threats to business continuity
4. Put a disaster recovery plan in place
5. Establish notification procedures
6. Review and revise the business continuity plan

Disaster recovery planning is part of the business continuity planning process:
A. Determine recovery strategies
B. Test recovery strategies
C. Practice recovery strategies
D. Document recovery procedures
E. Update disaster recovery plan regularly

Key points

Business continuity planning is usually performed by high-level management and by network security architects or planners. However, all network security personnel should understand the overall process, because most of them will at some point help create, perform, or support parts of the business continuity plan. The business continuity planning process typically includes these steps:

1. A disaster recovery team is assembled.
2. Essential business functions, tools, and equipment are identified. For example, essential business functions that must be maintained during a disaster may include payroll, customer service, and the major lines of business. Essential equipment may include computers, software, printers, and office furniture.
3. Threats to business continuity are identified. This step often involves a formal risk analysis to help determine the priorities.
4. A disaster recovery plan is put into place. Disaster recovery is the step of the business continuity plan that network security personnel are usually most closely involved with. The disaster recovery plan documents how the organization will handle potential disasters. Depending on your organization, you may be significantly involved in putting the plan into place, or you may only support it if a disaster happens. The general process for this step is:
   a. Determine recovery strategies. These can range from redundant hard drives to redundant servers or redundant data centers.
   b. Test recovery strategies. Step through your recovery strategy to look for missing components and problems with procedures. Identify and correct any weaknesses in the plan.
   c. Practice recovery strategies. After you have a plan that works, practice it with the employees in charge of implementing it. The more often you practice, the better prepared employees will be in an actual disaster.
   d. Document recovery procedures. Develop step-by-step procedures for getting a computer or network back online after a disaster. Create an operations handbook that includes procedures for performing backups, implementing offsite storage policies, and restoring servers and the network.
   e. Update the disaster recovery plan regularly. Review your documentation when you make configuration changes to your computers or network. Updating the documentation is particularly important when you install new versions of the operating system or change the utilities or tools that you use to maintain your systems.
5. Notification procedures are established. How will employees and external stakeholders, such as customers, vendors, and government agencies, be notified if there is a disruption in your business?
6. The business continuity plan is reviewed and revised on a regular basis. Review and revise the plan on a set schedule, and also when there are significant changes to the business, for example, when your organization acquires another company.

Additional reading

For more information about business continuity and disaster recovery planning, see:

Determining Windows 2000 Storage Management Strategies on the Windows 2000 Resource Kit page of the Microsoft Web site at http://www.microsoft.com/windows2000/techinfo/reskit/enus/default.asp?url=/windows2000/techinfo/reskit/enus/deploy/dgbj_sto_qzes.asp. Disaster Recovery Planning on the Computing and Network Services page of the University of Toronto Web site at http://www.utoronto.ca/security/drp.htm.


Elements of a Business Continuity Plan

! Up-to-date contact information
! Disaster recovery plan
! Short-term business resumption plan
! Long-term business recovery plan
! Secure backup and recovery strategies
! A timetable for testing the plan
! A timetable for updating the plan

*****************************ILLEGAL FOR NON-TRAINER USE****************************** Key points A business continuity plan should include:

! Up-to-date contact information. Keep extensive contact information for key employees, and keep it in multiple locations. Keep contact information for vendors who may be part of your recovery process; you do not want to look up your server vendor in the telephone book when time is critical. Consider keeping contact information for significant customers in case you must contact them about business interruptions.
! A disaster recovery plan. This plan specifies the organization's strategies for post-failure procedures. Disaster recovery planning is not a two-month project, nor is it a project that you can forget about once it is completed. An effective recovery plan is a live recovery plan: it must be kept current and tested and practiced regularly.
! A short-term business resumption plan. This plan specifies the means to maintain essential services at the crisis location. Its primary objective is to enable the organization to survive a disaster and re-establish normal business operations as quickly as possible.
! A long-term business recovery plan. This plan specifies the means to recover business functions at an alternate location for as long as necessary, until the original location can be restored or a new location established. In the short term, you may be able to work with a few servers and some notebook computers on cafeteria tables. In the long run, employees need actual desks, phones, and copy machines.
! Secure backup and recovery strategies. These are discussed in the next lesson. If you are taking these lessons out of order, see the Performing a Secure Backup and Recovery lesson in Module 13, Preserving Business Continuity, in Course 2810, Fundamentals of Network Security.
! A timetable for testing the plan. All elements of the plan should be tested as often as possible, and the tests should be as realistic as possible.
! A timetable for updating the business continuity plan. The plan should be reviewed to some extent at least once a year. Some elements, such as the contact list, should be updated several times a year. Depending on how often your infrastructure changes, you may have to update more frequently.


Common Strategies for Disaster Preparedness


Asset: Data and services
Preparedness strategy:
! Use RAID
! Use clustering
! Perform backups
! Have offsite storage of data
! Design redundant data links

Asset: Equipment
Preparedness strategy:
! Have hot or cold spares
! Consider the location of vital equipment
! Use power management equipment (UPS, surge)

Asset: Facilities
Preparedness strategy:
! Have alternate facilities with necessary equipment
! Install fire suppression technology
! Plan for backup power supply
! Outsource to service providers

Asset: Personnel
Preparedness strategy:
! Cross train IT personnel
! Keep contact information up to date
! Keep all documentation in multiple secure locations

Key points

When strategizing about how to prepare for disasters, try to eliminate every single point of failure.

Data and services

Have a plan to recover databases, research documents, source code, and any other data whose loss could affect business continuity. You may also need critical services, such as e-mail or Web services, to keep your business running. Use RAID. RAID 5 is usually preferred because it provides good read performance and a lower cost per MB than RAID 1, at the cost of slower writes, because every write also updates the parity. However, RAID protects only against a failed disk: it will not help if you lose an entire computer, so also investigate clustering options. Clustering will not help you if the entire server room is destroyed, so set up an offsite location for data storage, or at least spread your data across several locations in the organization. If you have offsite storage or multiple locations, make sure that you have redundant data links to reach that data.

Equipment

Decide how much spare equipment to have available and ready to use. If you use RAID, you can keep hot spares running in the computer and regenerate the data even if one disk fails. If you have the budget, keep one or more servers standing by. If not, at least keep spares of vital components such as power supplies, drives, and controllers. Do not keep all spares in one place. Use racks to keep servers off the floor. Connect all mission-critical devices to an uninterruptible power supply (UPS) and routinely check that it is working. If your building's power supply is unreliable or vital to operations, consider maintaining a backup power source. Internet colocation facilities routinely maintain multiple connections to the electricity grid in case one part of the grid goes down. Consider outsourcing resources to a colocation facility.

Facilities

Keep your server rooms as far away as possible from potential hazards such as large sources of liquids or heavy equipment that could fall. If you are in a flood-prone area, locate server rooms on higher floors. Install appropriate fire suppression technology in the server rooms; water sprinklers can damage servers. If recovering business operations immediately is worth the expense, keep a mirrored data site running with real-time copies of all vital data.


Personnel

People are an often overlooked resource in disaster preparedness. In a large disaster, key personnel may not be able to reach the office, or they may even be injured or dead. Every job that is vital to business continuity should be backed up by one or more other employees. All of your IT staff should be able to fulfill multiple job functions in your disaster recovery plan. Keep copies of all documentation in multiple secure locations so that IT staff can refer to them at any time. Have multiple copies of your contact list and a notification strategy that accounts for the worst possible disasters.

Important: Fault-tolerant hardware is not an acceptable substitute for proper backup procedures. RAID and clustering store a deleted or corrupted file exactly as deleted or corrupted; only a backup holds an earlier copy.
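The RAID, clustering and backup advice in this topic turns on one fact: parity and mirroring recover from a lost disk and from nothing else. The example below is added here for illustration; it is not from the course and does not model a real controller (no parity rotation, real block sizes, or disk metadata). It builds one RAID 5 stripe with XOR parity, rebuilds a lost data or parity block, shows that a second lost disk cannot be rebuilt, and shows that a destructive write is stored as faithfully as a good one, which is why the Important note above says fault-tolerant hardware does not replace backups. The stripe layout and block contents are constructed for the example.

```python
"""
What RAID 5 parity does and does not protect against, on one stripe of byte
blocks.  Added example for this lesson; not course material, and it models
only the XOR parity idea, not a real controller.
"""


def xor_blocks(blocks):
    """XOR equal-length byte blocks together; for a stripe this is the parity."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def write_stripe(data_blocks):
    """Store one stripe: the data blocks followed by their parity block.

    n data disks need n + 1 disks in total, so the capacity cost is one disk
    however many data disks there are; RAID 1 would cost a full second copy.
    """
    if len({len(b) for b in data_blocks}) != 1:
        raise ValueError("all blocks in a stripe must be the same size")
    return list(data_blocks) + [xor_blocks(data_blocks)]


def disk_failure(stripe, index):
    """Return a copy of the stripe with the block on disk `index` lost."""
    damaged = list(stripe)
    damaged[index] = None
    return damaged


def can_rebuild(stripe):
    """True when exactly one block is missing, the only case parity covers."""
    return sum(block is None for block in stripe) == 1


def rebuild(stripe):
    """Regenerate a single lost block (data or parity) from the survivors.

    XOR of all the other blocks gives back the missing one.  With two disks
    gone there is nothing to XOR against, which is why the lesson says RAID
    will not help when you lose a whole computer or server room.
    """
    if not can_rebuild(stripe):
        missing = sum(block is None for block in stripe)
        raise ValueError(f"RAID 5 rebuilds one disk, but {missing} are missing")
    repaired = list(stripe)
    repaired[stripe.index(None)] = xor_blocks([b for b in stripe if b is not None])
    return repaired


def overwrite_block(stripe, index, new_data):
    """Write new data to one data block and recompute the parity.

    A deletion or a corrupting write is stored as faithfully as good data and
    the array keeps no earlier version; that gap is what backups fill.
    """
    n_data = len(stripe) - 1
    if not 0 <= index < n_data:
        raise IndexError("only data blocks can be overwritten here")
    updated = list(stripe[:n_data])
    updated[index] = new_data
    return write_stripe(updated)


if __name__ == "__main__":
    # Constructed stripe: three data disks plus parity, 9-byte blocks.
    stripe = write_stripe([b"quarterly", b"payroll__", b"ledger.db"])
    print("one disk lost, rebuilt:", rebuild(disk_failure(stripe, 1)) == stripe)
    print("two disks lost, rebuildable:",
          can_rebuild(disk_failure(disk_failure(stripe, 0), 2)))
    wiped = overwrite_block(stripe, 1, b"\x00" * 9)
    print("after a bad write the array rebuilds the bad data:",
          rebuild(disk_failure(wiped, 1)) == wiped)
```

The same XOR rule is what a hot spare uses during a live regeneration, so the time the rebuild takes on a real array is time during which a second disk failure loses the stripe; that window is one more reason the backup schedule, not the RAID level, sets how much data you can afford to lose.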

Additional reading

For more information about strategies for disaster preparedness, see:


Course 2087, Implementing Microsoft Windows 2000 Clustering The Disaster Protection topic in the Microsoft Windows 2000 Advanced Server documentation on the Microsoft Web site at http://www.microsoft.com/windows2000/en/advanced/help/default.asp?url= /windows2000/en/advanced/help/sag_DPtopnode.htm


The Challenges of Disaster Recovery Planning and Implementation


! Lack of management support and resources dedicated to disaster recovery planning
! Testing and learning procedures takes resources and is often inconvenient
! Lack of experienced personnel
! It is difficult to prepare for the totally unexpected
! People:
  Don't believe anything bad can happen to them, until it does
  May dislike and even avoid this subject
  Make mistakes when they panic

*****************************ILLEGAL FOR NON-TRAINER USE****************************** Key points Disaster recovery planning and implementation is not easy. Here are some common challenges:

! Lack of management support and resources dedicated to disaster recovery planning and implementation. If management does not support disaster recovery planning and implementation, they are difficult to make happen. Management may support the idea but then find it difficult to devote people's time and other organizational resources (for example, spare computers for hot spares) to disaster recovery when there is urgent, more immediate work to be done.
! Testing and learning procedures take resources and are often inconvenient. Testing and learning disaster recovery procedures takes time, money, and resources, and is often seen as inconvenient when more urgent tasks are waiting. It is frequently relegated to the bottom of the long list of work that network security personnel must do. However, for procedures to work, they must be practiced and drilled until they become second nature.
! Lack of experienced personnel. Because disaster recovery happens infrequently, most organizations have few people trained to know what to do during a disaster. Even people who were trained forget much of their training as time goes by without a disaster. People's memories are poor: without practice, or without well-documented and up-to-date procedures to follow, people are likely to forget how to do things correctly during a disaster.
! It is difficult to prepare for the totally unexpected. Planning for and implementing disaster recovery is difficult even for the most experienced professionals. How do you prepare for the totally unexpected? People commonly both overestimate and underestimate threats.
! People do not believe anything bad can happen to them, until it does. This is Law #1 of the Ten Immutable Laws of Security Administration, and it is one of the reasons why so many organizations either have no disaster recovery plan or have plans that are untested, unpracticed, and out of date.
! People may dislike and even avoid this subject. It is difficult to think about what could happen in some disasters. Loss of buildings, jobs, and human lives are subjects that many people would rather not think about.
! People make mistakes when they panic.

Beta Materials do not use for purposes other than Beta testing

14

Module 13: Preserving Business Continuity

Practice: Overcoming the Challenges of Disaster Recovery

Discussion

1. Review the topic The Challenges of Disaster Recovery.
2. Discuss ways to overcome these challenges.
3. Create your own list of guidelines for how you can help make disaster recovery planning or implementation work better in your organization.

Instructions

Review the previous topic, The Challenges of Disaster Recovery. As a group, discuss ways to overcome these challenges. Create your own list of guidelines for making disaster recovery planning or implementation work well in your organization (or ideas to bring with you to your future organization).

Guidelines for implementing disaster recovery in my organization:


Assessment: Preparing to Recover from Disasters

This lesson described causes of business disruption and explained the difference between business continuity and disaster recovery planning. It also offered strategies for disaster recovery preparedness and explained some of the challenges of disaster recovery.

1. Which statement best describes the distinction between business continuity and disaster recovery planning?

   A. Business continuity planning involves how to get back to your pre-disaster state. Disaster recovery planning involves how to keep your business functioning during disaster conditions.
   B. Disaster recovery planning involves how to get back to your pre-disaster state. Business continuity planning involves how to keep your business functioning during disaster conditions.
   C. Disaster recovery planning involves documenting procedures. Business continuity planning involves testing procedures.

   Answer:

2. Which of the following are common strategies for disaster preparedness? Choose all that apply.

   A. Redundant hardware
   B. IPSec
   C. Off-site data storage
   D. Backup power supplies

   Answer:


Module 13: Preserving Business Continuity

Lesson: Performing a Secure Backup and Recovery

Elements of a Secure Backup Strategy
Guidelines for Securing Backup Media
Guidelines for Securely Testing the Restoration Process

Introduction

An important component of a disaster recovery plan is a comprehensive backup and recovery strategy. This lesson presents the elements of a secure backup strategy and offers guidelines for securing backup media and securely testing the restoration process.

Lesson objectives

After completing this lesson, you will be able to:

List elements of a secure backup strategy
Secure backup media
Securely test the restoration process


Elements of a Secure Backup Strategy

Secure offsite storage
Secure onsite storage
Write protection
Data classification
Proper level of backup centralization
A secure backup scheme, for example: Round Robin; Grandfather, Father, Son; Tower of Hanoi

Key points

A secure backup strategy has these elements:

Secure offsite storage. If a disaster happens, ensure that your system can be restored by keeping a recent copy of your files offsite. Make sure that data in this offsite storage is not vulnerable to disasters or theft.

Secure onsite storage. Store media in a fireproof safe. Plan to have easy access to your most important backed-up files, but keep onsite storage in a different place from the data that was backed up, so that one fire or one theft does not take both. Keep sensitive tapes in a locked area.

Write protection. If files are destroyed, lost, or damaged, backup copies may be the only way to recreate them. Write-protect archived media so that it cannot be accidentally overwritten.

Data classification. If a disaster happens, make sure that you will be able to restore the most important data first. Classify data by recovery time objective: mission-critical data should have a shorter recovery time objective than other data.

Proper level of backup centralization. Although centralization is usually desirable for greater security, it may not be achievable for business reasons. Balance security considerations with data management considerations to decide what is right for your organization.

A secure backup scheme. Decide on a plan of full, differential, and incremental backups that allows for recovery in a reasonable amount of time. Remember that a restore needs the last full backup plus either the most recent differential or every incremental taken since that full, so a long chain of incrementals means a long restore that fails if any one tape in the chain is bad. Automate as much as possible to eliminate human error, but check that the automation is actually working. Use a proven tape rotation strategy, for example:

Round Robin. One tape for each day of the week, reused every week.
Grandfather, Father, Son. Daily (son) tapes that are reused each week, a weekly (father) tape for each end of week that is reused each month, and a monthly (grandfather) tape for each month, typically 12, with one tape retained for an annual backup.
Tower of Hanoi. Each tape in the set is used a different number of times in a rotation cycle, so that a small number of tapes gives a mix of very recent and much older restore points.
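The rotation schemes and the full/differential/incremental trade-off above, worked through as an added example (this is not code from the course; it models the schemes as described here). It assumes that day 0 is a Monday, that a backup runs every day, that the weekly father tape is written on Friday, and that the tape labels are illustrative. The restore_chain function shows why a long run of incrementals is fragile: every tape in the chain must be readable.

```python
"""Tape rotation schemes and restore-chain calculation.

Added example, not part of the course material.  Assumptions: day 0 is a
Monday, a backup runs every day, the weekly (father) tape is written on
Friday, and the tape labels are illustrative.
"""
from typing import Callable, Dict, List

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def round_robin_tape(day: int) -> str:
    """Seven tapes, one per weekday, overwritten every week."""
    return f"RR-{DAYS[day % 7]}"


def gfs_tape(day: int, monthly_tapes: int = 12) -> str:
    """Grandfather-father-son: son tapes reused every week, a father tape
    for each of the first three Fridays of a four-week period reused every
    period, and a grandfather tape for every fourth Friday kept a year."""
    week, weekday = divmod(day, 7)
    if weekday != 4:
        return f"SON-{DAYS[weekday]}"
    if week % 4 != 3:
        return f"FATHER-{week % 4 + 1}"
    return f"GRANDFATHER-{(week // 4) % monthly_tapes + 1}"


def tower_of_hanoi_tape(day: int, tapes: int = 5) -> str:
    """Tape k is used every 2**k days (tape 0 every other day, the last tape
    rarely), so a few tapes hold both very recent and much older copies."""
    k = 0
    while k < tapes - 1 and (day + 1) % (2 ** (k + 1)) == 0:
        k += 1
    return f"HANOI-{k}"


def restore_chain(kinds: List[str], target_day: int) -> List[int]:
    """Days whose media are needed to restore to target_day.

    kinds[d] is 'full', 'diff' or 'incr'.  A differential needs only the
    last full; an incremental needs every incremental back to the previous
    full or differential, plus that anchor.
    """
    needed: List[int] = []
    d = target_day
    while d >= 0:
        needed.append(d)
        if kinds[d] == "full":
            break
        if kinds[d] == "diff":
            fulls = [i for i in range(d) if kinds[i] == "full"]
            if not fulls:
                raise ValueError("no full backup precedes the differential")
            needed.append(fulls[-1])
            break
        d -= 1                       # incremental: keep walking back
    if kinds[needed[-1]] != "full":
        raise ValueError("no full backup precedes the target day")
    return sorted(needed)


def restore_points(scheme: Callable[[int], str], days: int) -> Dict[str, int]:
    """Simulate `days` days of a scheme; per tape, the last day written is
    the only copy that tape can still give back."""
    last: Dict[str, int] = {}
    for day in range(days):
        last[scheme(day)] = day
    return last


if __name__ == "__main__":
    weekly_full_diff = (["full"] + ["diff"] * 6) * 2
    print("full Monday + differentials, restore to day 10 needs days",
          restore_chain(weekly_full_diff, 10))
    weekly_full_incr = ["full"] + ["incr"] * 6
    print("full Monday + incrementals, restore to day 5 needs days",
          restore_chain(weekly_full_incr, 5))
    for name, scheme in [("round robin", round_robin_tape), ("GFS", gfs_tape),
                         ("Tower of Hanoi", tower_of_hanoi_tape)]:
        pts = restore_points(scheme, 90)
        print(f"{name}: {len(pts)} tapes, oldest copy from day {min(pts.values())}")
```

Run it over 90 simulated days and compare the schemes: round robin can never give back anything older than a week, while Tower of Hanoi keeps a copy from more than a week ago on its least-used tape, with the same or fewer tapes.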


Additional reading

For more information about creating a secure backup strategy, see:


Backup Strategies on the GRSoftware Web site at http://www.grsoftware.net/backup/articles/backup_strategies.html. Backup Nice and Easy on the PC Magazine Web site at http://www.pcmag.com/article2/0,4149,427105,00.asp.


Guidelines for Securing Backup Media

Use high quality backup media
Restrict access to backup media
Classify data by level of sensitivity, label media by content and classification, and back up confidential data separately from public data
Never change the classification of a backup tape after it has been used
Take tapes out of rotation before they fail and destroy them completely
Monitor and record the location of every piece of media
Verify the integrity of backup media
Centralize the backup strategy as much as possible

Key points

Follow these guidelines for securing backup media:

Use high quality backup media. Buy the best that you can afford, but make sure that you can still afford enough tapes to do a sensible tape rotation.

Restrict access to backup media. Keep backup tapes in a locked area, because they can contain large amounts of confidential data in a form that easily fits into the pocket or briefcase of an attacker. You can further secure backup media by using a password if the backup system allows one. You may be able to restrict media access to the owner or an administrator, but that restriction is a flag honored by the backup software, not encryption: anyone who has administrative access to any computer that can read the tape will be able to restore it. You may be able to encrypt your backup data; if you do, make sure that you have the means to decrypt it when you need it, and keep the key somewhere other than on the tape itself.

Classify data by level of sensitivity, label media by content and classification, and back up confidential and sensitive data separately from public data. Not all data is equally important. After you have identified your most sensitive and confidential data, back it up separately and label it so that it does not get mixed up and stored with public data.

Never change the classification of a backup tape after it has been used. It may be possible to reconstruct data even after you have taped over it, so a tape that once held confidential data remains a confidential tape.

Take tapes out of rotation before they fail and destroy them completely. Tapes stretch with use, so reformat them during their life cycle. Consult your vendor for the expected life cycle of the tape type, and take tapes out of rotation before they reach the end of it. Portable media such as diskettes, tapes, and CD-ROMs may be destroyed by crushing, incinerating, shredding, or melting. If media are to be reused, erase them with a secure erasure program before you reuse them.

Monitor and record the location of every piece of media. Check backup media in and out.

Verify the integrity of backup media. Make sure that your backup media does not carry viruses, Trojan horses, worms, logic bombs, or other security compromises. If your system is infected by a virus, make sure that any backup tapes that you have are not also infected, or a restore will bring the infection back with the data.



Centralize the backup strategy as much as possible. Be aware that users may also be backing up their own computers, which creates copies of data that your controls do not cover. Sensitive data should not be stored on a user's workstation. Treat repair data with the same care: a Windows NT 4.0 emergency repair disk holds a compressed copy of the SAM database for that computer, and in Windows 2000 the repair process writes a copy of the registry, including the SAM hive, to the %SystemRoot%\repair directory. If an attacker can get that disk or that directory, he or she can run password cracking utilities against it.

Tip If you are unable to restore data, remember that there are data recovery service organizations that can help. If a failed backup disk is still operational, don't keep using it: the more you use it, the more you complicate the process of recovering the data from it.


Guidelines for Securely Testing the Restoration Process

Test the restoration process frequently
Perform test restorations in a secure location
Verify that the data was backed up
After you restore sensitive data, wipe the drive
Follow a recognized sanitization standard, such as the clearing and sanitizing guidance in DoD 5220.22-M, to completely remove traces of data

Key points

Follow these guidelines to securely test the restoration process:

Test your restores frequently. Your backup is only as good as your last restore. You don't have a valid backup until you have tested it and know that it works.

Perform test restorations in a secure location. It does no good to restore confidential data to a computer that anyone could access.

Verify that data was backed up. Review the logs to look for errors in the backup process. If the backup account lacks sufficient rights or permissions, the backup process skips those files. If the tape ran out of storage space, you may be missing files. Compare the restored files against the originals, not only against the log.

After you restore sensitive data, wipe the drive. After you restore data, that data could be retrieved from the test computer by an attacker who has forensic tools. Deleting the files or formatting the disk is not enough; if the data is sensitive, you must completely wipe the drive. DoD 5220.22-M, the U.S. Department of Defense National Industrial Security Program Operating Manual, is the publication usually cited for how to clear and sanitize media. Note that DoD 5200.28-STD, which is sometimes cited in its place, is the Trusted Computer System Evaluation Criteria (the Orange Book) and does not describe media sanitization.


Practice: Restoring from a Secure Backup

1. Follow the procedure to restore from a properly secured backup.
2. Answer the questions that come up as part of the procedure.
3. Discuss what happened with the class.

Instructions

When a backup is created, the media should be secured in some way through the backup process. In the Windows 2000 Backup utility, you can restrict the media so that only the owner or an administrator can complete the restore. In this practice, you will attempt to restore a properly secured backup as a non-administrator. Follow the procedure, answer the questions, and then discuss what happened with the class.

Procedure

Restoring from a Secure Backup

1. Log on as StudentX (where X is your assigned student number) with a password of P@ssw0rd.
2. Click Start, point to Programs, point to Accessories, point to System Tools, and then click Backup.
3. In the Backup window, on the Welcome tab, click Restore Wizard.
4. On the Welcome to the Restore Wizard page, click Next to continue.
5. On the What to Restore page, click Import File.
6. In the Backup file name box, click Browse.
7. In the Select file to catalog box, locate C:\MOC\2810\Practices\Module13, and then double-click Practice13.
8. In the Backup file name box, confirm that the catalog backup file is C:\MOC\2810\Practices\Module13\practice13.bkf, and then click OK.
9. In the directory tree pane, click to expand File.
10. In the directory tree pane, click to expand Media Created 10/11/2002 at 11:54pm.
11. In the Backup file name box, confirm that the catalog backup file is C:\MOC\2810\Practices\Module13\practice13.bkf, and then click OK.
12. In the directory tree pane, click to expand the new volume.
13. In the Backup file name box, confirm that the catalog backup file is C:\MOC\2810\Practices\Module13\practice13.bkf, and then click OK.

What message do you get?

This media has been secured. You do not have the proper privileges.

14. Click OK to close the dialog box.
15. Click Cancel to close the Restore Wizard.
16. Click the Backup tab.
17. Click in the box to the left of the C drive to select the entire C drive.
18. Click Start Backup. This will not start the backup, but it will allow you to set the options for the backup.
19. In the Backup Job Information dialog box, in the section marked If the media already contains backups, click Replace the data on the media with this backup. Notice the option that is now available at the bottom of the dialog box: Allow only the owner and the Administrator access to the backup data. This setting was selected on the backup that you were not able to restore.

What would happen if you tried to back up files that you do not have read permissions for?

If you have the Backup Files and Directories user right, you can back up files that you can't read, because that right bypasses file permissions for the backup operation. Without that right, the backup process will skip any files that you don't have read access to.

20. In the Backup Job Information dialog box, click Cancel.
21. Close the Backup utility and log off.


Assessment: Performing a Secure Backup and Recovery

This lesson provided elements of a secure backup strategy and offered guidelines for securing backup media and securely testing the restoration process.

1. Which procedure poses the greatest security risk?

   A. Backup
   B. Restore
   C. Verify

   Answer:

2. Which of the following statements is correct?

   A. Restoring is a significant risk, so test your restore procedure as infrequently as possible.
   B. When you take tapes out of rotation, format them to destroy residual data.
   C. Lock your tapes in the most secure climate-controlled space that is available.

   Answer:


Lab A: Preserving Business Continuity

Exercise 1: Identifying Flaws in Recovery Strategies
Exercise 2: Designing a Secure Backup Strategy


Module 14: Responding to Security Incidents


Contents

Overview 1
Lesson: Identifying Security Incidents 2
Assessment 12
Lesson: Responding to Security Incidents 13
Assessment 23
Lesson: Investigating Security Incidents 24
Assessment 33
Lab A: Responding to Security Incidents 34



Overview

Identifying Security Incidents
Responding to Security Incidents
Investigating Security Incidents

Introduction

No matter how strong your security is, there is a risk that your network may be attacked. Successful attacks often follow a series of unsuccessful attacks, so you must monitor for and be able to recognize attacks. If an attack does succeed, the earlier you find out, the easier it will be to contain the damage. This module teaches how to recognize and respond to security incidents. It also teaches how to assist in a formal investigation of a security incident.

Objectives

After completing this module, you will be able to:

Identify security incidents
Respond to security incidents
Assist in the formal investigation of a security incident


Lesson: Identifying Security Incidents

Common Indicators of Security Incidents
Symptoms of Well-Known Attacks
Account Activity to Look For
System Activity to Look For
Guidelines for Reviewing Log Files

Introduction

Even if your organization has comprehensive network security in place, you must still closely monitor your network assets for signs of intrusion and other security incidents. Many attackers make this task more difficult by changing the systems that they break into and hiding their activities. This lesson teaches how to identify security incidents: both how to recognize certain common attacks and how to find an attack when you are not sure exactly what you are looking for.

Lesson objectives

After completing this lesson, you will be able to:

Recognize common indicators of security incidents
Recognize symptoms of well-known attacks
Identify suspicious account activity
Identify suspicious system activity
Identify a security incident by reviewing log files


Common Indicators of Security Incidents

Indicator                    Examples
Network irregularities       Unexplained deviations in baseline performance
                             Accounts are used at irregular times
System irregularities        Audited events increase significantly
                             System performance decreases
                             Computers crash or reboot mysteriously
                             Changes to files, file locations, and registry keys
Direct reporting of events   Users report security incidents
                             A virus is reported by your antivirus software
                             Intrusion detection software detects an incident
Physical indicators          Hardware is missing
                             Visible signs exist of physical compromise
Business indicators          Confidential information is published on the Internet or in print
                             Competitor appears to possess trade secrets

Most attacks leave a recognizable trace if you have software that is logging the type of activity that the attack involves. Extensive logging places extra load on the system and extra traffic on the network, but it is the best way to see attacks. Most abnormal events are harmless, but some indicate security incidents. If you have a baseline of normal network activity, you will be able to recognize abnormal events. Always investigate abnormal events to determine their causes.

Network irregularities

Unexplained deviations in baseline performance. Usually this is an increase in activity at odd times of day, like the middle of the night. A sudden unexplained decrease might also signal suspicious activity.

Accounts are used at irregular times. Certain users, for example programmers and night shift workers, may keep irregular hours. If you do not usually see an executive logging on at 2 a.m. and suddenly you see that happening, investigate to make sure that the activity is legitimate.

Traffic flowing in unexpected directions. HTTP traffic typically goes out of your network. If you see HTTP traffic coming in and you don't have an authorized internal Web site, you probably have a security problem.

System irregularities

Audited events increase significantly. If you see multiple failed logon attempts, this could indicate a recent company-wide password change, or it could be someone attacking the password on an account. Look for patterns in the failed logon attempts: many failures against one account suggest password guessing, and one or two failures against many accounts from the same source suggest an attacker trying a single password everywhere while staying under the lockout threshold. Also look for missing log entries, because they could indicate an attacker trying to cover his tracks.

System performance decreases. If attackers have installed sniffers or back doors, they may place additional load on the system. They may also use disk space to store hacking utilities or stolen data, which can affect swap file performance.

Computers crash or reboot mysteriously. Many hacking utilities require a reboot to initialize. Every authorized reboot should be recorded in a change management log so that unauthorized reboots can be investigated.

Changes to files, file locations, and registry keys. File tracking programs, sometimes called tripwire programs, track changes to the file system by creating hashes of files, directories, or entire hard disks and comparing them against a stored baseline. They may detect changes caused by malicious software that are not detected by your antivirus software. Changes to system files and the Program Files directory may indicate that an attack has occurred. Changes to files, directories, and registry keys that cause programs to run at startup may be a sign of a back door program. Locations to watch include Win.ini and System.ini in the Windows directory and the Startup folders, such as \Documents and Settings\All Users\Start Menu\Programs\Startup\. A list of registry keys to watch for is included as a job aid on the Student CD.

Direct reporting of events

Users report security incidents. Sometimes users don't realize that they are experiencing a security event. They may suddenly have problems with their password because an attacker has reset it. They may be unable to access their account because the attacker is currently using it. They may complain that their system is acting without their control, which indicates that a remote control back door program might be installed.

A virus is reported by your antivirus software. Any good antivirus program will scan for all known variants of viruses, worms, Trojans, and back doors and will log their activity. Have a plan for reviewing these logs, or you will be unaware of serious threats to your network. If you have one back door program installed, it is quite possible that you have another one that your antivirus software does not yet detect. If you suspect that you have a virus that was not detected by your antivirus software, contact your vendor. Vendors usually analyze suspected files to look for new viruses or new strains of an existing virus. If a new virus receives a lot of publicity, assume that your network is vulnerable until you have verified otherwise.

Intrusion detection software detects an incident. Signature-based IDS can only detect attacks that it has signatures for. Just because the IDS doesn't find anything, don't discount the possibility of an attack. Some attacks may only register on host-based IDS while others are only logged at the network level.

Physical indicators

Hardware is missing. Work with the asset management division to account for all hardware. Check with reception or building security to see if components have been removed from the building.

Visible signs exist of physical compromise. For example, locked doors propped open and broken windows or locks are signs of physical compromise.

Business indicators

Confidential information is published on the Internet or in print. Although this is more often an information leak from an employee, it could indicate a successful attack on your confidential data. Review the object access audit log to see if any unauthorized users have attempted to access the information, or if authorized users have accessed the data at unusual times or from unusual locations.

Competitor appears to possess trade secrets. Passing trade secrets along often involves a lot of printed paper or large amounts of data on portable media. Check print logs to see if a user has been doing an unusual amount of printing at odd times. Verify that none of your backup tapes are missing. If you have software that records file copy activity, review its logs to see if the trade secrets have been copied recently.
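The hash-and-compare check behind two passages on this page, as an added example (not code from the course or from any file tracking product): it is what the file tracking ("tripwire") programs in the system irregularities list do, and it is also the check that "verify that the data was backed up" in the Module 13 restore-testing guidelines calls for, since a restored tree compared against a manifest taken at backup time shows exactly which files were skipped or came back different. The sample trees, file names and contents are constructed for the example in temporary directories. On a real system the baseline must be kept (write-protected or signed) somewhere the attacker cannot reach, or it will be edited along with the files it protects.

```python
"""Hash-based file tracking: build a baseline manifest of a directory tree
and compare a later state (a restored copy, or the same tree days later)
against it.

Added example, not from the course.  The sample trees are constructed in
temporary directories; the paths and contents are illustrative.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

Manifest = Dict[str, Tuple[str, int]]   # relative path -> (sha256 hex, size)


def build_manifest(root: str) -> Manifest:
    """Walk `root` and record the SHA-256 and size of every regular file.
    Paths are stored relative to root with forward slashes so that a
    manifest taken on one volume compares cleanly against a restore on
    another."""
    manifest: Manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            if full.is_symlink():
                continue                     # the link target is out of scope
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            rel = full.relative_to(root).as_posix()
            manifest[rel] = (h.hexdigest(), full.stat().st_size)
    return manifest


def compare(baseline: Manifest, current: Manifest) -> Dict[str, List[str]]:
    """Classify every path as missing, added, or modified.  The hash, not the
    size or timestamp, is what decides: an attacker can set those freely."""
    result: Dict[str, List[str]] = {"missing": [], "added": [], "modified": []}
    for rel in sorted(baseline):
        if rel not in current:
            result["missing"].append(rel)
        elif current[rel][0] != baseline[rel][0]:
            result["modified"].append(rel)
    result["added"] = sorted(set(current) - set(baseline))
    return result


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: take a baseline of a tree, then examine a
    'restored' copy in which one file was skipped (no read permission at
    backup time), one program was altered, and one extra file appeared in a
    Startup folder (a back door's persistence)."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        original = {"boot.ini": b"[boot loader]\n",
                    "payroll/q3.xls": b"salary-data",
                    "Program Files/app/app.exe": b"MZ-original"}
        restored = {"boot.ini": b"[boot loader]\n",
                    "Program Files/app/app.exe": b"MZ-trojaned",
                    "Startup/bd.exe": b"MZ-backdoor"}
        for root, tree in ((src, original), (dst, restored)):
            for rel, data in tree.items():
                p = Path(root) / rel
                p.parent.mkdir(parents=True, exist_ok=True)
                p.write_bytes(data)
        return compare(build_manifest(src), build_manifest(dst))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

For a restore test, take the manifest from the live tree immediately before the backup runs and compare the test restore against it; for intrusion detection, take it from a known-good system and rerun the comparison on a schedule, paying particular attention to system directories, Program Files and the startup locations listed above.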


Additional reading

For more information about how to recognize security incidents, see Detecting Signs of Intrusion on the CERT Web site at http://www.cert.org/securityimprovement/modules/m09.html.


Symptoms of Well-Known Attacks

Type of attack                          Most common symptom
Back door                               Changes to files and registry
Virus and worm                          Unexpected system behavior
Denial of service                       System crashes
Packet sniffing                         Possibly detected by anti-packet-sniffing software
Spoofing, man-in-the-middle, replay     Visible in a packet sniffer
Buffer overrun                          Usually only detected by its after-effects
Logic bomb                              Usually no symptoms
Mail relay                              Outside notification
Web defacing                            Outside notification

These are not the only signs that you will see from these attacks, because attackers often modify attacks. Modified versions may use different files and ports. Also, you will only see audit trails if you have the relevant types of auditing enabled and if you are regularly reviewing those logs. Look for gaps in the audit logs, because the attacker may cover his or her tracks.

Back door attacks

Many back door programs use a Trojan horse or a social engineering approach to get themselves installed. This activity is difficult to trace because it looks like permissible user activity. Back doors often install a server component on the affected computer that is then accessed by the attacker's client computer. The installation typically leaves an audit trail in any file tracking software. Back doors often modify the startup files and registry keys to ensure that they stay running all the time. Some back doors register their own DLLs in the registry. If the back door has a remote access component, you may see network activity on specific ports associated with the program. Most back doors allow attackers to change the port used by the back door to avoid detection and firewall restrictions, so the absence of traffic on the well-known port proves nothing. Remote access back doors, sometimes called Remote Access Trojans (RATs), can take over your computer by remote control. The attacker can manipulate the computer as though he or she were sitting at your keyboard, so be aware of any unusual system activity. The best way to know if you have been affected by a back door attack is to run an updated virus scan.

Virus and worm attacks

The traces left by viruses and worms vary depending on the payload of the attack. Many viruses alter files, which should be detected both by an antivirus scan and by file tracking software. Some viruses alter registry keys. For example, Nimda makes registry changes to create new shares and to remove security permissions on all shares. Worms usually cause extensive network traffic as they replicate to other hosts. This traffic may be directed at standard ports for file sharing or Web access, so the best indication is a sharp increase in that type of traffic. Viruses may cause strange system behavior; for example, the old Flip virus caused the monitor output to display upside down. E-mail worms usually generate multiple e-mails with the same subject line.

Denial of service attacks

If your system is targeted by a DoS attack, the first symptom will usually be that the system goes down. IDS logs and firewall logs may alert you that a DoS attack is in progress if you have real time alerts enabled. You will see an increase in network activity. It is also possible for a computer to be compromised to take part in a distributed denial of service (DDoS) attack. In this case, your file tracking software may detect changes similar to a back door attack. Your computer may have an open port as the slave component of the DDoS tool waits for commands from the master component. If your computer is being used in a DDoS attack, you will see a sharp increase in your Internet activity, possibly at a time when nobody is logged on to the system.

Packet sniffing attacks

Packet sniffing is a passive attack and therefore very difficult to detect. Sometimes packet sniffers force the network adapter into promiscuous mode to capture all network traffic. This change sometimes registers in a system log file, but not always. Anti-sniffing software can sometimes force a sniffer to reveal itself by its activity. It is also possible for an attacker to physically modify the wires on a sniffer's network adapter so that the adapter no longer transmits anything, rendering anti-sniffing software useless. This type of modification usually requires physical access to the network.

Spoofing, man-in-the-middle, and replay attacks

You might be able to see these attacks if you are running your own packet sniffer, but it is difficult to see the significant packets in the large volume of legitimate packets. Your IDS might recognize these attacks. If you are using IPSec for Windows, the presence of log entries indicating a failed key exchange may signal that one of these attacks is occurring.

Buffer overflow attacks

Buffer overflow attacks are extremely difficult to track. To see them, you typically must be running a detailed audit of system processes. This logging usually produces a large volume of data that is difficult to sift through. Although you may not find the buffer overflow attack itself, you may notice audit trails of activity after a successful exploit. For example, you may see log entries for the attacker's escalation of privileges and manipulation of security groups.

Logic bomb attacks

Logic bombs can also be extremely difficult to track. They are often left by disgruntled employees. If an employee has enough access to leave a logic bomb, he or she often has sufficient access to modify the file tracking logs that you could use to find the attack.

Mail relay attacks

Usually the first indication of a mail relay attack is angry letters from other mail administrators or users complaining about spam originating from your system. Your e-mail may also be blocked because you have been added to a real-time black list. Review e-mail logs for suspicious activity like mass mailings. Check your configuration to be sure that relaying is turned off for senders who are neither authenticated nor on your own network.

Web defacing attacks

Most Web defacing is done to attract attention, so your first indication of this attack may be a telephone call from a customer or the media asking for a comment. More subtle changes, like an attack designed to spread misinformation, may be very difficult to discover. Review your change management process and look for events that may have left a vulnerability in your Web server. Review tripwire logs and look for unusual changes to content files. Review Web server application logs and URLScan logs for any Web-server-specific attacks.

Packet sniffing attacks

Spoofing, man-in-themiddle, and replay attacks

Buffer overflow attacks

Logic bomb attacks

Mail relay attacks

Web defacing attacks
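The DDoS symptom described above, a sharp rise in outbound connections from a host at a time when nobody is logged on, can be checked mechanically against firewall logs. The following is an added example and not part of the course materials: it builds a constructed firewall log (host name WS07, the addresses, the log format and the logon session are all invented for the example), takes the first 30 minutes as a baseline, and flags any minute whose connection count is far above it while no interactive session was open on the host.

```python
"""Added example, not part of the course materials: a baseline-and-threshold
check over constructed firewall log lines for a sharp rise in outbound
connections from a host while nobody is logged on to it. Host names,
addresses, the log format and the logon session are constructed."""

import statistics
from collections import Counter
from datetime import datetime


def build_sample_log():
    """Constructed firewall log: 30 quiet minutes (two to four outbound
    connections each) followed by one minute in which WS07 opens 400
    connections to a single destination."""
    lines = []
    quiet = [3, 2, 4, 3, 2, 3]
    for minute in range(30):
        for n in range(quiet[minute % len(quiet)]):
            lines.append(f"2002-06-14 02:{minute:02d}:{n * 10:02d} ALLOW WS07 -> 192.0.2.{n + 1}:80")
    for n in range(400):
        lines.append(f"2002-06-14 02:30:{n % 60:02d} ALLOW WS07 -> 198.51.100.9:80")
    return lines


def connections_per_minute(lines, host):
    """Count outbound connections per minute for one source host."""
    per_minute = Counter()
    for line in lines:
        date, time, _action, src, _arrow, _dst = line.split()
        if src == host:
            per_minute[f"{date} {time[:5]}"] += 1  # key: "YYYY-MM-DD HH:MM"
    return per_minute


def find_bursts(per_minute, baseline_minutes=30, factor=5.0):
    """Flag minutes whose count exceeds the baseline mean by more than
    `factor` standard deviations. The first `baseline_minutes` minutes are
    taken as normal; a production IDS would keep a rolling baseline."""
    keys = sorted(per_minute)
    baseline = [per_minute[k] for k in keys[:baseline_minutes]]
    mean = statistics.mean(baseline)
    spread = max(statistics.pstdev(baseline), 1.0)  # floor so a flat baseline still works
    threshold = mean + factor * spread
    return [(k, per_minute[k]) for k in keys if per_minute[k] > threshold]


# Constructed: interactive logon sessions taken from WS07's own security log
LOGON_SESSIONS = [
    ("WS07", datetime(2002, 6, 14, 8, 0), datetime(2002, 6, 14, 17, 30)),
]


def unattended(host, minute_key):
    """True if no interactive session was open on `host` during that minute."""
    when = datetime.strptime(minute_key, "%Y-%m-%d %H:%M")
    return not any(h == host and start <= when <= end for h, start, end in LOGON_SESSIONS)


def suspicious_bursts(lines, host):
    """Bursts that also fall outside every logon session on the host."""
    bursts = find_bursts(connections_per_minute(lines, host))
    return [(minute, count) for minute, count in bursts if unattended(host, minute)]


if __name__ == "__main__":
    for minute, count in suspicious_bursts(build_sample_log(), "WS07"):
        print(f"{minute}: {count} outbound connections from WS07 with nobody logged on")
```

The threshold is deliberately simple; the point is the pairing of a traffic baseline with a second source (the host's logon sessions), which is what turns "more traffic than usual" into "more traffic than usual with nobody at the keyboard".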

Beta Materials do not use for purposes other than Beta testing


Account Activity to Look For


Failed logon attempts, either local or domain
Accounts that are denied access based on account restrictions
Account lockouts
Creation of user accounts, especially at odd times of day or by a user who is not an administrator
Changes to security groups, especially Administrators or Domain Admins
Passwords being reset at unusual times
Accounts that are deleted, enabled, or disabled
Exercise of privileges like Take Ownership

*****************************ILLEGAL FOR NON-TRAINER USE******************************

Key points

New attacks on networks are created every day. You must be able to recognize common attacks and also the types of things that indicate an attack may have happened or is happening. One of the things to watch is account activity. If any of these activities has occurred, you may be looking at an attack.

Additional reading

For an extensive list of event identifiers and patterns to watch for, see the Microsoft whitepaper Security Operations Guide for Windows 2000 Server, Chapter 6, Auditing and Intrusion Detection.


System Activity to Look For


Changes to the system time
Any shutdown of a system, local or remote, scheduled or unscheduled
Device drivers being loaded or unloaded
Changes to auditing policy and/or changes to the log files, especially log files being cleared
Files being read, backed up, or deleted at odd times and by users who don't have business with those files

Key points

When looking for signs of an attack on your system, another thing to watch is system activity. If any of these activities has occurred, you may be looking at an attack.

Additional reading

For an extensive list of event identifiers and patterns to watch for, see the Microsoft whitepaper Security Operations Guide for Windows 2000 Server, Chapter 6, Auditing and Intrusion Detection.


Guidelines for Reviewing Log Files


Look for patterns and then look for variations in patterns
Use searching and filtering to reduce the time it takes to scan log files
Group log file content into events that go together
Look for who is doing the action, what the target of the action is, and when it is taking place
If you see something suspicious, note the time of the activity and look in other logs for events that happen at the same time

Key points

In most organizations, reviewing log files is the most common way for network security personnel to look for security incidents. Techniques for reviewing log files may vary depending on what is being logged and how often. Follow these general guidelines when reviewing log files to look for network security incidents:

Look for patterns and then look for variations in patterns. Most of the time log files show very ordinary network traffic, and there is a rhythm to this ordinary traffic. People log on, access files, and then log off. Look for anything out of the ordinary.

Group log file content into events that go together. You may see a long list of files being accessed. You may not need to look at every single file that is being accessed. The significant event may be that the files are being accessed at all. Look for breaks in the pattern of file access. Maybe one file cannot be accessed because it has NTFS security on it. The presence of a failed access attempt may be significant. If you see a file being executed, you may always see a certain pattern of DLLs being called.

Look for who is doing the action, what the target of the action is, and when it is taking place. For some workers, logging on at 3 a.m. is routine. For others, a 3 a.m. logon may indicate an attacker is using their account. Also, if your organization employs scientists, for example, it will be normal for a scientist to work with his or her own research documents. But you need to pay attention if anyone else tries to access that research, especially at 3 a.m. or when you know the scientist is on vacation.

If you see something suspicious, note the time of the activity and look in other logs for events happening at the same time. For example, someone might use the NET USE command to connect to another computer. In that case, a log on the originating computer might record the execution of NET.EXE, the log on the target computer will show the logon attempt, and if a domain account is being used, the domain controller will also log the event.
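The account and system activity listed earlier in this lesson and the four review guidelines above can be expressed as a small amount of code. The following is an added example, not part of the course materials or of any Microsoft tool: it parses constructed security log entries from three hosts, flags the activity the lists name, groups entries that go together by host and user, and correlates a suspicious entry with what other hosts logged at the same time. The event IDs used (528 successful logon, 529 failed logon, 539 account locked out, 624 user account created, 632 member added to a global group, 560 object opened, 517 audit log cleared) are Windows 2000 security audit IDs; the hosts, users, times and the pipe-separated line format are invented for the example.

```python
"""Added example, not part of the course materials: flagging the account and
system activity the module lists, grouping entries that go together, and
correlating a suspicious entry with other hosts' logs at the same time.
The entries and their format are constructed; the event IDs are the
Windows 2000 security audit IDs named in the lead-in."""

from datetime import datetime, timedelta

# Constructed entries, one per line: host|timestamp|event id|user|detail
SAMPLE_LOG = """\
WS01|2002-06-14 03:02:10|529|jdoe|Logon failure: unknown user name or bad password
WS01|2002-06-14 03:02:14|529|jdoe|Logon failure: unknown user name or bad password
WS01|2002-06-14 03:02:19|539|jdoe|Logon failure: account locked out
WS01|2002-06-14 03:05:40|528|jsmith|Successful logon
DC01|2002-06-14 03:05:41|528|jsmith|Successful network logon from WS01
DC01|2002-06-14 03:07:02|624|jsmith|User account created: svc_backup2
DC01|2002-06-14 03:07:30|632|jsmith|Member added to global group Domain Admins: svc_backup2
FS01|2002-06-14 03:08:15|560|svc_backup2|Object open: \\\\FS01\\research\\results.xls
FS01|2002-06-14 03:10:00|517|svc_backup2|The audit log was cleared
WS02|2002-06-14 09:15:00|528|jsmith|Successful logon
"""

ADMINS = {"administrator"}     # constructed: accounts allowed to create users
BUSINESS_HOURS = range(7, 19)  # constructed: 07:00 to 18:59 is routine


def parse_log(text):
    """Parse the constructed format into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            host, stamp, event_id, user, detail = line.split("|", 4)
            events.append({"host": host, "time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
                           "id": int(event_id), "user": user, "detail": detail})
    return sorted(events, key=lambda e: e["time"])


def flag_activity(events):
    """Return (reason, event) pairs for the activity the module's lists name."""
    flags = []
    for e in events:
        odd_hour = e["time"].hour not in BUSINESS_HOURS
        if e["id"] == 529:
            flags.append(("failed logon", e))
        elif e["id"] == 539:
            flags.append(("account lockout", e))
        elif e["id"] == 624 and (odd_hour or e["user"] not in ADMINS):
            flags.append(("account created at odd time or by non-administrator", e))
        elif e["id"] == 632 and "Domain Admins" in e["detail"]:
            flags.append(("change to Domain Admins group", e))
        elif e["id"] == 517:
            flags.append(("audit log cleared", e))
    return flags


def group_events(events, window=timedelta(minutes=5)):
    """Group entries that go together: same host and user, each entry within
    `window` of the previous entry in its group."""
    groups, current = [], {}
    for e in events:
        key = (e["host"], e["user"])
        if key in current and e["time"] - groups[current[key]][-1]["time"] <= window:
            groups[current[key]].append(e)
        else:
            groups.append([e])
            current[key] = len(groups) - 1
    return groups


def correlate(events, anchor, window=timedelta(minutes=3)):
    """Entries from other hosts within `window` of a suspicious entry: the
    module's 'look in other logs for events happening at the same time'."""
    return [e for e in events
            if e["host"] != anchor["host"] and abs(e["time"] - anchor["time"]) <= window]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for reason, e in flag_activity(events):
        print(f"{e['time']} {e['host']} {e['user']}: {reason}")
    created = next(e for e in events if e["id"] == 624)
    for e in correlate(events, created):
        print(f"  same time on {e['host']}: {e['detail']}")
```

Run against the sample, the flags alone look like five unrelated oddities; correlating the account creation on DC01 with the other hosts ties the 3 a.m. logon on WS01, the new account's file access on FS01 and the cleared audit log into one sequence, which is the point of the last guideline.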


Additional reading

For an extensive list of event identifiers and patterns to watch for, see the Microsoft whitepaper Security Operations Guide for Windows 2000 Server, Chapter 6, Auditing and Intrusion Detection.


Practice

Multimedia

1. Review a signature of a common attack
2. In the Museum of Attack Signatures, identify the type of attack by comparing its signature to those cataloged
3. Repeat for other signatures of common attacks

Instructions

Review the attack signatures on this page. Then, compare them to those cataloged in the Museum of Attack Signatures and identify what type of attack each signature is. When you have finished, discuss your answers with the class. To start the Museum of Attack Signatures piece, open the Web page on the Student Materials compact disc, click Multimedia, and then click the title of the activity.

Attack signature #1

Your file tracking software shows the addition of No.dll. When you run netstat, you see that something is listening on TCP port 1234. What attack is this? ________________________________________________________________

Attack signature #2

Your Win.ini file has been modified to call Msrun.exe. You find an unauthorized directory full of MP3 files. Netstat shows activity on port 23456. What attack is this? ________________________________________________________________

Attack signature #3

You don't know how it happened, but suddenly you have a lot of new accounts with administrator rights. You don't see any traces in your log files. What attack is this? ________________________________________________________________


Assessment
This lesson explained how to identify network security incidents.

1. Which of the following statements is correct?

a. It is difficult to know exactly what an attack signature will look like because they are constantly modified and upgraded.

b. You need special software to detect malicious software like Trojan horses because standard anti-virus software will not detect it.

c. Users logging on at odd times of day is usually a sign of an attack.

2. Which techniques are useful for reviewing log files? Choose all that apply.

A. Correlating the time of events across multiple logs and systems.

B. Looking at every line individually.

C. Grouping like events together.

D. Looking for patterns.


Lesson: Responding to Security Incidents


What Is an Incident Response Team?
Guidelines for Responding to a Security Incident
Guidelines for Determining the Severity of an Incident
Guidelines for Limiting Damage from an Incident
Guidelines for Communicating about an Incident

Introduction

When an attack on your network has occurred, how you respond to the incident can mean the difference between the attack being a minor security incident and a major incident. This lesson teaches how to respond to security incidents.

Lesson objectives

After completing this lesson, you will be able to:

Describe what an incident response team is
Respond appropriately to a security incident
Determine the severity of a security incident
Limit the damage from a security incident
Communicate about a security incident


What Is an Incident Response Team?


A group responsible for receiving, reviewing, and responding to network security incident reports and activity

Members may include:

Security specialists
Network administrators
Management
Communication or PR specialists
Legal advisors

Tasks may include:

Developing and rehearsing an incident response plan
Monitoring for and responding to security incidents
Communicating about incidents
Documenting incidents
Researching new vulnerabilities and attacks

Key points

Many organizations create incident response teams so that there is just one team responsible for receiving, reviewing, and responding to network security incident reports and activity. In some organizations, the incident response team is a full-time group dedicated to this work. In other organizations, an incident response team may be formed to respond to security incidents as they occur. An incident response team typically includes network security specialists, network administrators, and high-level managers. The team may also include communication or public relations (PR) specialists, legal advisors, and others, depending on the makeup of the organization. These teams work best when they are as small as possible, well trained on their tasks, and have the full support of the highest levels of management for any necessary action. What an incident response team does varies from organization to organization. However, typically the team performs at least the following tasks:

Developing and rehearsing an incident response plan
Monitoring for and responding to security incidents
Communicating about security incidents
Documenting security incidents
Researching new vulnerabilities and attacks

Additional reading

For more information about security incident response teams, see:

Creating a Computer Security Incident Response Team: A Process for Getting Started on the CERT Web site at http://www.cert.org/csirts/Creating-A-CSIRT.html.
RFC 2350, Expectations for Computer Security Incident Response, by E. Guttman, Sun Microsystems, June 1998.



Guidelines for Responding to a Security Incident


Trust your instincts and investigate if something seems odd or out of place. If further investigation is warranted, activate the incident response plan
Decide if evidence must be preserved for future legal action
Verify the integrity of your investigative tools
Work quickly but methodically
Determine the severity of the security incident
Limit damage
Document everything relevant to the incident
Communicate securely

Key points

When responding to a security incident:

Trust your instincts and investigate if something seems odd or out of place. If further investigation is warranted, activate the incident response plan. If you are new to network security, trusting your instincts is not easy. When you first start finding out about how networks are attacked, you may think that every little oddity that you see is an attack. Work with an experienced person to help hone your instincts so that you can learn to trust them. Ideally, you will also have a baseline that will make it easier to recognize what abnormal activity looks like. When you recognize that an attack is occurring, activate the incident response plan and get help before proceeding.

Decide if evidence must be preserved for future legal action. If it becomes apparent that the incident could be severe, work with the incident response team to decide whether to preserve evidence for future legal action.

Verify the integrity of your investigative tools. Attackers may modify the detection software to cover their tracks, so check it before you use it.

Work quickly but methodically. If there is an attacker in your system, don't waste time. However, you should also not panic or rush. In an ideal situation, you will have an incident response plan and procedures to follow. If you don't, it is even more important that you work methodically so that you can recreate your actions in detail for others later.

Determine the extent of the security incident. Guidelines for this step are in the Guidelines for Determining the Severity of an Incident topic that follows.

Limit damage. Guidelines for this step are in the Guidelines for Limiting Damage from an Incident topic that follows.

Document everything about the incident. Although you might not need to document what the investigation team ate for lunch, you should plan to document just about everything else. When in doubt, write it down. Sign and date all copies of documents, logs, and printouts. If the incident becomes severe enough to warrant a formal investigation, you will be glad that you documented everything that might be relevant.



Communicate securely. Guidelines for this step are in the Guidelines for Communicating about an Incident topic that follows.

To ensure that all phases of responding to an incident are properly executed, use Job Aid 4 - Incident Response Quick Reference Card in the Security Operations Guide for Windows 2000 on your Student CD.

Additional reading

For a comprehensive discussion of incident response, see the Microsoft whitepaper Security Operations Guide for Windows 2000 Server, Chapter 7, Responding to Incidents.

The Cuckoo's Egg is a true account of a break-in at the Lawrence Berkeley Laboratory. Author Cliff Stoll was a system administrator who noticed a $.75 accounting discrepancy that led him to uncover an international computer espionage attack. If he had not kept such extensive documentation, the spy might never have been caught. His motto was, "If you don't write it down, it didn't happen."


Guidelines for Determining the Severity of a Security Incident


Determine how recently the incident occurred
Determine what actions the attacker has taken:
  What entry points were used
  Which and how many systems were compromised
  Whether the attacker gained administrative access
  What data was compromised
  What methods the attacker used
Determine the extent to which the incident will impact business continuity

Key points

When responding to a security incident, one of the things that you must do is determine the severity of the incident. To do this:

Determine how recently the incident occurred. Look for the most recent time stamps in the log files. Determine if the attack is currently in process, because this may mandate the most severe and fastest response possible. If the attack occurred several months in the past, look for any recurrences.

Determine what actions the attacker has taken:

What entry points were used. Was physical access involved? If so, was it by an authorized user (indicating either an internal attack or a serious mistake) or by an unauthorized user (indicating a severe weakness in your physical security)? Have any unauthorized devices like sniffers or wireless access points been attached to your network? If the attack was purely network based, did it originate internally or externally? Did someone get tricked by a Trojan horse? Can you easily close the entry point?

Which and how many systems were compromised. Which system was the first to be compromised? Can you trace that computer to the next one attacked? What types of systems were these?

Whether the attacker gained administrative access. Has the administrative account been accessed during the course of the attack? Have any accounts recently been granted administrative rights? Have there been any changes to powerful security groups?

What data was compromised. Did the attacker access any confidential or mission-critical data? Anything that could be life threatening? Anything that could cost the company a lot of money?

What methods the attacker used. Can you find any collections of hacking tools stored on your systems? Do your file access logs show any hacking utilities being added or accessed?

Determine the extent to which the incident will impact business continuity. If the intruder is currently accessing a system, you may have to remove that system from the network. If you suspect multiple systems are currently being attacked, you may have to disconnect entire subnets or possibly even remove Internet connectivity. If the administrative access on a computer has been compromised, the computer cannot be considered safe until it is reformatted and reinstalled. If a single back door is found on a system, you must assume the entire system is compromised, and you must reformat and reinstall. A denial of service attack may render a system totally nonfunctional until it is properly patched or another method is found to mitigate the attack. If a mission-critical system has been compromised in any of these ways, your business continuity will be severely impacted unless you have a good business continuity plan.


Guidelines for Limiting Damage from an Incident


Prioritize your response:
  a. Protect human life and people's safety
  b. Protect sensitive and classified data
  c. Protect other data, including proprietary and managerial data
  d. Protect hardware and software
  e. Minimize disruption of computing resources
Secure compromised entry points
Disconnect compromised systems from the network
Rebuild the system
Change local, administrative, and service account passwords
Avoid letting the attacker know that you are aware of his or her activities

Key points

If you act quickly to limit damage, you may be able to stop a major security event from happening. The exact response to limit damage will depend on your organization and the nature of the attack you encounter. Here are some general guidelines for limiting damage from a network security incident:

Prioritize your response. Start by setting priorities. Your priorities will depend on your organization and the particular attack. However, you can start with these basic priorities:

a. Protect human life and people's safety. This is always the top priority.

b. Protect classified and/or sensitive data. The incident response plan should define what data is classified and sensitive. This is very difficult to figure out when you are in a hurry because an attack is in progress.

c. Protect other data, including proprietary and managerial data. After classified and sensitive data, act to protect the next most valuable data first, before you protect other data.

d. Protect hardware and software. Protect against alteration or loss of system files. Protect against physical damage to hardware. This type of damage leads to costly downtime.

e. Minimize disruption of computing resources, including processes. Although keeping computing systems running is important, doing so during an attack can cause bigger problems. That is why minimizing disruption of computing resources is generally a relatively low priority.

Secure compromised entry points. Determine the access points used by the attacker and implement measures to prevent future access. Measures may include disabling a modem, adding access control entries to a router or firewall, or increasing physical security measures.

Disconnect compromised systems from the network. This is not an easy decision. You must compare what it costs to take a compromised system offline to the further risk you assume if you continue using the system. In almost all cases, you should immediately take the system off the network. However, there may be service agreements in place that require keeping systems available even with the possibility of further damage occurring. In special cases, your organization may decide to keep a system online with limited connectivity to gather additional evidence during an ongoing attack. This is sometimes called a sandbox, because you are trying to contain the attacker in a part of the network that will not impact other parts of the network. You might also try setting up a honey pot server, a server that looks more attractive than the current target so that the attacker will be lured away to attack a system with no valuable resources. These approaches should only be attempted by highly experienced security professionals who fully understand the risks and benefits.

Rebuild the system. When feasible, rebuild a new system with new hard disks. The existing hard disks should be removed and put in storage, as they may be used as evidence if you decide to prosecute attackers.

Change local, administrative, and service account passwords. Change local passwords so that they are different from those used before the attack. Also, change administrative and service account passwords elsewhere in the system.

Avoid letting the attacker know that you are aware of his or her activities. This is not always practical. Often, essential responses will alert attackers. For example, if you decide to disconnect a system from the network, the attacker will probably suspect he or she has been noticed. Usually the need to regain control and recover from the incident is more important than keeping the attacker engaged so that he or she can be traced.

Additional reading

For more information about limiting damage from a security incident, see RFC 2196, Site Security Handbook, Section 5, Security Incident Handling, by B. Fraser, Ed., SEI/CMU, September 1997.


Guidelines for Communicating Incidents


Decide who needs to be informed
Communicate only the necessary level of detail
Communicate outside of the incident response team only through a designated spokesperson
Be prepared to use non-computer alternatives to communicate when the network is compromised
Consider the legal, public relations, and regulatory scope of your communications

Key points

Follow these guidelines for communicating about a security incident:

Decide who needs to be informed. Communicate to the appropriate incident response team members. The team can decide who else needs to be informed and when and how they will be informed.

Communicate only the necessary level of detail. Communicate incident details appropriate for the incident response team member. Not everyone needs to know everything. Your incident response plan should identify the types of information that team members need to know. All incident response communication should be on a need-to-know basis. Include as few people as possible and have a process for briefing top management.

Communicate outside the incident response team only through a designated spokesperson. An attack on network security can cause panic, just like any other attack can. If only a designated spokesperson communicates outside of the incident response team, then everyone outside the team will get the same information in a consistent way, which will minimize rumors and panic.

Be prepared to use non-computer alternatives to communicate when the network is compromised. If your network is compromised, you may have lost your usual means of communicating with employees. Assume that the attacker can intercept and read your e-mail. If the e-mail server is down, employees won't receive e-mail messages informing them of e-mail problems. Have non-computer alternatives to reach people. Voicemail may work, although voicemail can be attacked too, so it should not be considered a secure alternative, just an alternative. You can hand out flyers or put them in people's offices or cubicles. Or, you could establish emergency procedures bulletin boards near entrances, elevators, or mail rooms, and train users to check them.

Sometimes there are special circumstances that require additional communication about an incident, for example:

If the attack involves internal personnel, the response team will have to communicate with the Human Resources and Legal departments to make sure that appropriate actions are taken. An employee may have to be fired immediately and escorted from the building.

If you plan to contact your local law enforcement, this decision must be made by the team, and contact should be made by one designated team member. It will expedite the process if you know what information will be required before you contact the agency. For example, some law enforcement agencies may not be able to help you unless there is a certain dollar amount to the assessed damages. When you contact law enforcement, your chances of keeping the attack out of the media are greatly reduced.

If the attack is newsworthy, the response team will need to communicate about the incident to the public before reporters do. Work with public relations staff to be honest and forthcoming without further compromising network security or public trust.

In certain industries, the incident response team may be required to file a report with a regulating agency.

If you are aware of other activity from this attacker directed at or through other sites, you may decide to inform the system administrators at those sites. Often, people on other sites are unaware that their systems are being used to reach your system.

Depending on the incident, your organization may decide to file a report with CERT or your country's equivalent. Although CERT will not release the details of your attack without your approval, you may want to restrict knowledge of the incident to as few people as possible. But if you report your problem, they may be able to provide technical assistance. They may be able to connect you to other victims of the attacker to build a legal case. Reporting incidents helps CERT track attack activity and create better support documents for computer security. Reporting attack activity may help keep the Internet more secure.

Additional reading

For more information on reporting incidents to CERT, see the CERT Web site at http://www.cert.org/tech_tips/incident_reporting.html. In the United States, also see http://www.cybercrime.gov/reporting.htm for reporting guidelines from the Computer Crime and Intellectual Property Section of the Criminal Division of the U.S. Department of Justice.


Assessment
This lesson explained how to respond to security incidents as part of your day-to-day job.

1. Which order is correct? Choose one.

A. Minimize business disruption, protect hardware and software, and then protect classified data.

B. Protect classified data, minimize business disruption, and then protect hardware and software.

C. Protect classified data, protect hardware and software, and then minimize business disruption.

2. You have discovered an attack against your network. How should you communicate about this incident?

A. Send a priority e-mail to your manager immediately.

B. Contact your company's incident response team immediately.

C. Contact your local law enforcement immediately.


Lesson: Investigating Security Incidents


What Are the Sources of Evidence?
Electronic Evidence to Examine
Guidelines for Preserving Electronic Evidence
Guidelines for Analyzing Electronic Evidence
Guidelines for Communicating During an Investigation

*****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction The one certainty in formal investigations of security incidents is that formal investigations should be handled by experienced experts who know exactly what they are doing. Unless you are trained to be a formal investigator, it will probably not be your job to perform formal investigations. And if you are not specifically trained, consult with people who are. You should understand how your actions affect evidence. This lesson teaches guidelines for assisting in a formal investigation of a network security incident. Remember that how formal investigations are conducted varies widely from region to region, so it is up to you to learn the requirements of your own organization, law enforcement, and governing agencies. Lesson objectives After completing this lesson, you will be able to:

- Describe the sources of evidence in a network security investigation
- List the evidence that can be examined
- Preserve electronic evidence appropriately
- Analyze electronic evidence appropriately


What Are the Sources of Evidence?


Anything an attacker has touched and any documentation that you keep are potential evidence.

Type of evidence             Examples
Digital traces of activity   Persistent data: logs, files, registry keys
                             Volatile data: swap files, Temp files, processes that are running, memory, information about ports that are open, the state of the ARP cache, routing table, configuration
Physical traces of activity  Broken locks, fingerprints, surveillance footage
Backup media                 Backup tapes, archives
Records that you keep        Log book of events, actions taken, conversations

Key points
Anything that an attacker has touched is potentially evidence, and you should treat it accordingly. This table provides examples of where evidence is gathered from.

Type of evidence             Examples
Logical traces of activity   Volatile data, or sources that go away when the system is shut down, include swap files, Temp files, processes that are running, memory, information about ports that are open, the state of the ARP cache, routing table, and configuration. For example, routers or other hardware may be configured or reconfigured by an attacker, with the changes existing only in volatile RAM.
                             Persistent data include files, registry keys, and logs. For example: system logs, security audit logs, application logs, Web server logs, firewall logs, proxy server logs, and IDS logs.
Physical traces of activity  Broken locks, fingerprints, surveillance footage
Backup media                 Backup tapes, archives

Also, any records that you keep are potential evidence and you should treat these records accordingly. A log book is crucial to assisting in a formal investigation. Recording system events, times, and conversations can lead to a more rapid and systematic identification of the problem. This information can also serve as the base for subsequent stages of incident handling. At a minimum, a log book should contain all system events and audit records, all actions you take and the time you took them, and all external conversations, including the person you talked to and the date, time, and content of the conversation.

Warning: Never tamper with or modify these sources of evidence unless it is totally unavoidable.


Additional reading

For additional information about the sources of evidence, see RFC 3227, Guidelines for Evidence Collection and Archiving, D. Brezinski, In-Q-Tel, and T. Killalea, neart.org, February 2002 at http://www.ietf.org/rfc/rfc3227.txt.


Electronic Evidence to Examine


- Irregularities and changes to systems and accounts
- Failed object access
- Unusual privilege use
- Activity in modem logs
- Access control lists on routers
- Output from intrusion detection systems
- Changes to file checksums or digital signatures
- Changes to the registry

Key points
When you examine electronic evidence, do not modify it if possible. Logging on to a system to gather evidence may irrevocably alter the evidence that you are trying to collect. Even opening files in Windows Explorer can alter the file so that it becomes useless as evidence. When possible, use tools that let you examine evidence remotely. Gather volatile evidence first, before you reboot.
This table lists the volatile information to capture, the tools to use, where to get them, and whether each tool runs locally or remotely.

Open ports
  Use these tools: Netstat* or any port scanner
  Where to get it: Netstat is standard. There are many freeware port scanners, for example, Fport from www.foundstone.com.
  Runs local or remote? Local; Fport runs remotely

Current IP configuration
  Use these tools: Ipconfig /all*
  Where to get it: Standard Windows utility
  Runs local or remote? Local

Arp cache
  Use these tools: Arp -a*
  Where to get it: Standard Windows utility
  Runs local or remote? Local

NetBIOS name cache
  Use these tools: Nbtstat -c*
  Where to get it: Standard Windows utility
  Runs local or remote? Local

All current network connections
  Use these tools: Net use*
  Where to get it: Standard Windows utility
  Runs local or remote? Local

All current processes
  Use these tools: Pslist; Task Manager
  Where to get it: Pslist is freeware from www.sysinternals.com. Use Ctrl-Print Screen to get a screen shot of Task Manager.
  Runs local or remote? Pslist remote; Task Manager local

Routing table
  Use these tools: Netstat -r; Route print
  Where to get it: Standard Windows utilities
  Runs local or remote? Local

Active users currently logged on
  Use these tools: PsLoggedOn
  Where to get it: Freeware from www.sysinternals.com
  Runs local or remote? Remote

All open files
  Use these tools: Computer Management MMC snap-in. Use Shared Folders and Sessions to show shares in use and open files.
  Where to get it: Standard Windows snap-in
  Runs local or remote? Remote

Commands in any open DOS command shell
  Use these tools: DOSKEY /history*
  Where to get it: Standard Windows utilities
  Runs local or remote? Local

Complete memory dump
  Use these tools: Force the server to do a complete memory dump on the Startup and Recovery options of the System control panel applet.
  Where to get it: Standard Windows control panel applet
  Runs local or remote? Local

This table lists persistent evidence to examine and where to find it.

What to look for                                      Where to find it
Irregularities and changes to systems and accounts    Security audit log
Failed object access                                  Security audit log
Unusual privilege use                                 Security audit log
Dial-up activity                                      Modem logs
Perimeter access control lists                        Routers and firewalls
Signatures of known attacks                           Intrusion detection software
Changes to file checksums or digital signatures       File tracking utility
Changes to the registry                               Registry tracking utility

Additional reading

For more information about setting up a memory dump, see:


- The topic "To specify what Windows 2000 does if the system stops unexpectedly" in the Microsoft Windows 2000 Server Documentation on the Microsoft Web site at http://www.microsoft.com/windows2000/en/server/help/sysdm_advancd_startrecover_recovery.htm.
- "Memory Dump Files" on the TechNet page of the Microsoft Web site at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/reskit/prmd_stp_mncs.asp.


Guidelines for Preserving Electronic Evidence


- If you don't fully understand what you are doing, don't do it
- Know who your legal agencies are, how to contact them, and what evidence they require
- Don't shut down before evidence can be collected
- Don't run programs, open files, or analyze evidence on a compromised system
- Make a bit-stream backup of the original media; don't investigate the original
- When you must alter evidence, document the nature, extent, and reasons for the changes
- Limit the number of people who touch evidence
- Create a chain of custody for evidence

Key points
Follow these guidelines to preserve electronic evidence:

- If you don't fully understand what you are doing, don't do it. You should either consult your procedures or get help from somebody who knows what to do. In a formal investigation, one guideline stands above all others: don't do anything unless you know what you are doing. It is easy to make a serious mistake that could invalidate legal evidence that you need for a possible prosecution. Also, it will be more difficult to account for any changes you make, and you may not be able to describe exactly what you did. Never soldier on regardless; you will just damage your case.
- Know who your legal agencies are, how to contact them, and what sort of evidence they will require.
- Don't shut down before evidence can be collected. If you shut down before you collect evidence, not only will you lose volatile evidence, but the attacker may have left logic bombs in the shutdown routine, plug-and-play devices may alter the system configuration, and temporary file systems may be erased. Rebooting may cause even greater loss of evidence. The general rule is this: until the compromised hard disk is finished with and restored, it should never be booted from.
- Don't run programs, open files, or analyze evidence on a compromised system. Any interaction that you have with a running computer, even one keystroke on the keyboard, can cause changes in its state, and changes can have negative effects on potential electronic evidence. Because the attacker may have left malicious programs on the system, you may inadvertently trigger something that could change or destroy the evidence you're looking for. Any programs that you use should be on read-only media, such as a CD-ROM or a write-protected floppy disk.
- Make a bit-stream backup of the original media; don't investigate the original. A bit-stream backup is an exact copy of a file system that includes every last bit of data belonging to normal, hidden, or deleted files. Make sure that you use a forensic disk duplication utility, not just a commercial disk cloner, so that you can be sure that you are not altering the system. Safeback, Encase, or the Linux/Unix dd command are acceptable methods for performing physical backups.

- When you must alter evidence, document the nature, extent, and reasons for the changes. Sometimes altering evidence is unavoidable. In these cases, the nature, extent, and reasons for the changes must be documented. All changes should be accounted for: not just data alteration but also physical alteration of the originals (for example, the removal of hardware components).
- Limit the number of people who touch evidence. Typically, the more people that touch a potential piece of evidence, the greater the possibility that it will be inadmissible in court.
- Create a chain of custody for evidence. A chain of custody is verifiable documentation that indicates the sequence of individuals who have handled a piece of evidence and the sequence of locations where it was stored, including dates and times. For a proven chain of custody, you must make sure that:
  - Evidence is accounted for at all times
  - The passage of evidence from one party to the next is fully documented
  - The passage of evidence from one location to the next is fully documented

Additional reading
For additional information about preserving electronic evidence, see the following documents:

- Collecting Electronic Evidence After a System Compromise on the AusCERT Web site at http://www.auscert.org.au/render.html?it=2247&cid=1920
- Site Security Handbook at http://www.ietf.org/rfc/rfc2196.txt
- Guidelines for Evidence Collection and Archiving at http://www.ietf.org/rfc/rfc3227.txt
- The Field Guide for Investigating Computer Crime: Search and Seizure Basics, Part 3 on the SecurityFocus Online Web site at http://online.securityfocus.com/infocus/1246
- The Field Guide for Investigating Computer Crime, Part 6: Search and Seizure - Evidence Retrieval and Processing on the SecurityFocus Online Web site at http://online.securityfocus.com/infocus/1249
- The Field Guide for Investigating Computer Crime: Search and Seizure Approach, Documentation, and Location (Part 5) on the SecurityFocus Online Web site at http://online.securityfocus.com/infocus/1248
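As an added example (not part of the course materials), the following Python script shows the two checks behind the bit-stream backup and chain-of-custody guidelines above: it verifies that a copy is byte-for-byte identical to the original image, and it keeps a custody record that flags an undocumented hand-over or a hash that no longer matches. The image bytes, handler names, times and locations are all constructed for the example.

```python
import hashlib
from datetime import datetime

def sha256_hex(data: bytes) -> str:
    """Hash of a whole byte string (standing in here for a disk image)."""
    return hashlib.sha256(data).hexdigest()

def verify_bitstream_copy(original: bytes, copy: bytes) -> bool:
    """Same length and same hash; a cloner that drops unallocated sectors fails this."""
    return len(original) == len(copy) and sha256_hex(original) == sha256_hex(copy)

class ChainOfCustody:
    """Handlers and locations for one item, each entry with the hash verified at hand-over."""
    def __init__(self, image: bytes):
        self.expected_hash = sha256_hex(image)  # reference hash taken at seizure
        self.entries = []

    def record(self, time, handler, received_from, location, observed_hash):
        self.entries.append(dict(time=time, handler=handler, received_from=received_from,
                                 location=location, hash=observed_hash))

    def verify(self) -> list:
        """Return a list of problems; an empty list means the chain holds."""
        if not self.entries:
            return ["no custody entries recorded"]
        problems, prev = [], None
        for i, e in enumerate(self.entries):
            if e["hash"] != self.expected_hash:
                problems.append(f"entry {i}: hash mismatch while held by {e['handler']}")
            if prev is not None:
                if e["received_from"] != prev["handler"]:
                    problems.append(f"entry {i}: hand-over from {e['received_from']} "
                                    f"undocumented; last holder was {prev['handler']}")
                if datetime.fromisoformat(e["time"]) < datetime.fromisoformat(prev["time"]):
                    problems.append(f"entry {i}: time earlier than the previous entry")
            prev = e
        return problems

# Constructed sample image: a forensic duplicator keeps every byte; a cloner
# that skips "empty" trailing sectors does not.
ORIGINAL_IMAGE = b"\x00" * 512 + b"constructed-filesystem-bytes" + b"\x00" * 512
FORENSIC_COPY = bytes(ORIGINAL_IMAGE)
CLONER_COPY = ORIGINAL_IMAGE.rstrip(b"\x00")

def demo_chain(broken: bool = False) -> list:
    """Two documented hand-overs; broken=True makes the third one undocumented
    and gives it a hash that no longer matches the original."""
    chain = ChainOfCustody(ORIGINAL_IMAGE)
    h = chain.expected_hash
    chain.record("2002-03-04T10:15:00", "A. Analyst", "seizure", "Server room", h)
    chain.record("2002-03-04T12:40:00", "B. Custodian", "A. Analyst", "Evidence locker", h)
    third = ("C. Examiner", "Front desk", "Lab", sha256_hex(CLONER_COPY)) if broken \
        else ("C. Examiner", "B. Custodian", "Lab", h)
    chain.record("2002-03-05T09:00:00", *third)
    return chain.verify()
```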


Guidelines for Analyzing Electronic Evidence


- Do not analyze anything unless you are directed to
- Attempt to reconstruct the actions of the attacker
- Correlate all log activity and traces of volatile data and put them in chronological order
- Determine where the initial penetration into the system came from
- Preserve evidence about any device that may have been compromised

Key points
Follow these guidelines when analyzing electronic evidence:

- Do not analyze anything unless you are directed to. Senior network security specialists or other designated personnel on the incident response team should decide what to analyze and how to proceed with analysis during a formal investigation. If you don't have a company incident response team, contact CERT or your national computer security incident response team for guidance. Hire a consultant if necessary, but be wary of anyone who suddenly appears offering security consulting services, because he or she may be an attacker who is trying to earn business and make money.
- Attempt to reconstruct the actions of the attacker. As with investigating any other attack, to figure out what happened you must figure out exactly what the attacker did.
- Correlate all log activity and traces of volatile data and put them in chronological order. The best way to begin reconstructing the actions of an attacker is to correlate all the log activity and traces of volatile data and put them in chronological order.
- Determine where the initial penetration into the system came from. You probably made a preliminary finding when you first responded to the attack. Now is the time to evaluate whether your assessment was correct. Where did the initial penetration come from? Through an Internet connection? Through a dial-up connection? Was there physical access? Retrace the attacker's steps through the network and determine how the attacker got in.
- Preserve anything that might be considered evidence. Know that when an investigation begins, everything that you say becomes evidence. It is wise to limit your discussions about the event, even among the security team.
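As an added example (not from the course), the following Python script carries out the correlation step above: it merges constructed log lines from a security audit log, a firewall log, a Web server log and a netstat capture into one chronological timeline, corrects a known clock error on one source before sorting, and picks out the earliest event that names an external address as the candidate for the initial penetration. The timestamp formats, the addresses (documentation ranges) and the five-minute skew are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample evidence (documentation IP ranges), one (source, raw line) each.
# The timestamp formats are assumptions for this example, not any product's real format.
EVIDENCE = [
    ("security audit log", "03/04/2002 02:17:45 Logon failure: account ADMINISTRATOR from 198.51.100.23"),
    ("security audit log", "03/04/2002 02:18:02 Logon failure: account ADMINISTRATOR from 198.51.100.23"),
    ("security audit log", "03/04/2002 02:19:10 Successful logon: account ADMINISTRATOR from 198.51.100.23"),
    ("firewall log", "2002-03-04 02:22:40 ACCEPT TCP 198.51.100.23:4419 -> 192.0.2.10:139"),
    ("web server log", "[04/Mar/2002:02:30:12] GET /default.htm from 198.51.100.23"),
    ("volatile (netstat)", "2002-03-04T03:05:00 TCP 192.0.2.10:139 198.51.100.23:4419 ESTABLISHED"),
]

# Per source: how many leading whitespace-separated tokens hold the timestamp, and its format.
FORMATS = {
    "security audit log": (2, "%m/%d/%Y %H:%M:%S"),
    "firewall log": (2, "%Y-%m-%d %H:%M:%S"),
    "web server log": (1, "[%d/%b/%Y:%H:%M:%S]"),
    "volatile (netstat)": (1, "%Y-%m-%dT%H:%M:%S"),
}

# Clock error of each source relative to the reference clock (constructed: the
# firewall's clock was found to run five minutes fast, so its times are corrected back).
SKEW = {"firewall log": timedelta(minutes=5)}

def parse_line(source, raw):
    """Split one raw line into (timestamp, message) using the source's format."""
    ntok, fmt = FORMATS[source]
    tokens = raw.split(None, ntok)
    return datetime.strptime(" ".join(tokens[:ntok]), fmt), tokens[ntok]

def build_timeline(evidence, skew=None):
    """Normalize every line to the reference clock and sort chronologically."""
    skew = skew or {}
    events = []
    for source, raw in evidence:
        ts, msg = parse_line(source, raw)
        events.append((ts - skew.get(source, timedelta(0)), source, msg))
    return sorted(events, key=lambda e: e[0])

def first_external_contact(timeline, internal_prefix="192.0.2."):
    """Earliest event naming an address outside the internal range: the candidate
    for where the initial penetration came from."""
    for ts, source, msg in timeline:
        for ip in re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", msg):
            if not ip.startswith(internal_prefix):
                return ts, source, ip
    return None

if __name__ == "__main__":
    for ts, source, msg in build_timeline(EVIDENCE, SKEW):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {source:20}  {msg}")
```

Without the skew correction the firewall ACCEPT sorts after the failed logons and the timeline would wrongly suggest the logons came first; with it, the perimeter event is the earliest external contact.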


Practice

Game
1. Play the Investigating a Security Incident game
2. See what score you received
3. Play again to see if you can do better

Instructions
To start the Investigation game, open the Web page on the Student Materials compact disc, click Multimedia, and then click the title of the activity. To play the game, read the scenario and then select options to decide what you would do. When you get to an endpoint, your score will appear. You can play the game again to see if you can improve your score.


Assessment
This lesson explained how to assist in the formal investigation of a security incident.

1. Which statement best describes what you should do during the formal investigation of a security incident? Select the best answer:

A. Do not attempt to investigate a computer attack unless you have proper training in gathering computer forensic evidence.
B. Get your systems back on line as soon as possible, even if that means sacrificing forensic evidence.
C. If you do not have special forensic utilities, Windows Explorer can be used to investigate a compromised computer.


Lab A: Responding to Security Incidents


Exercise 1: Determining Which Computers Have Been Compromised

