Best practices to follow for Microsoft Windows network security?

User Generated

mbzovrfheivinyvfg

Computer Science

ISOL534 Application Security

University of the Cumberlands

Description

Question:

Chapter 9 in your text has some best practices to follow for Microsoft Windows network security. Which two would you start with and why? Can you think of others not on the list? If so, introduce them.


Chapter 9 topic is attached.

Note: Attached Chapter 9 (Search for heading "Best Practices for Microsoft Windows Network Security" in the document) has a list of best practices to follow for Microsoft Windows network security. Please pick any two and start explaining why they are the best practices to follow. If you think of others not on the list, introduce them and explain. Please explain in detail.


References:

  • Solomon, Michael. Security Strategies in Windows Platforms and Applications, 2nd ed. Burlington, MA: Jones & Bartlett, 2014.

Unformatted Attachment Preview

Chapter 9. Microsoft Windows Network Security

MICROSOFT WINDOWS COMPUTERS can be very useful by themselves, but they are far more effective when they are able to communicate with one another. Windows computers that can communicate and exchange information have the ability to assume specific roles that make your organization's computing environment more efficient and effective. Unfortunately, connecting computers also makes accessing your organization's information easier for unauthorized users as well as authorized users. That means you have to be diligent to ensure the availability, integrity, and confidentiality of your data. In this chapter you'll learn about techniques that many organizations use to ensure that their Windows networks are secure. You'll learn how to connect computers together without exposing your organization's information to loss, alteration, or disclosure.

Chapter 9 Topics

This chapter covers the following topics and concepts:
• What network security is
• What the principles of Microsoft Windows network security are
• What Microsoft Windows security protocols and services are
• How to secure Microsoft Windows environment network services
• How to secure Microsoft Windows wireless networking
• What Microsoft Windows desktop network security is
• What Microsoft Windows server network security is
• What best practices for Microsoft Windows network security are

Chapter 9 Goals

When you complete this chapter, you will be able to:
• Describe goals for securing Microsoft Windows networks
• Secure Microsoft Windows networking services
• Secure Microsoft Windows wireless networks
• Secure Microsoft Windows workstations and servers

Network Security

Today's IT environments include components connected to form a network, or multiple networks. A network is a collection of computers and devices joined by connection media. Network components work together to support an organization's business functions.
This makes information available for various uses and many users. As networks grow and become more functional, they can become complex to manage. One way to help organize network components and keep your network simple is to categorize components by function, using an IT infrastructure approach that groups components into functional areas, or domains. Figure 9-1 shows an IT infrastructure with seven domains. These are the domains you'll commonly encounter as you study IT environments.

From a general network perspective, users use their workstations to access other resources that are connected to an organization's local area network (LAN), a metropolitan area network (MAN), or even a wide area network (WAN). Table 9-1 lists the three basic network types and their characteristics.

Organizations rely on networked resources more than ever in today's environments. Networks make it possible to share expensive resources. Examples of shared resources are color printers, high-performance disk subsystems, and applications. Networks increase efficiency in critical business functions by supporting faster information transfer and resource sharing. These benefits often result in direct cost reductions and productivity increases. Organizations rely on network resources to maintain cost-efficient operations. Protecting the network-based resources and services directly affects cost and efficiency. Implementing the controls necessary to support your security policy and protect your networks makes your organization more secure and effective.

Figure 9-1. The seven domains of a typical IT infrastructure.

Table 9-1. Network types.

Local area network (LAN)
  Size: A LAN covers a small physical area, such as an office or building.
  Description: LANs are common in homes and businesses and make it easy to share resources such as printers and shared disks.

Metropolitan area network (MAN)
  Size: A MAN connects two or more LANs but does not span an area larger than a city or town.
  Description: MANs are useful to connect multiple buildings or groups of buildings spread around an area larger than a few city blocks.

Wide area network (WAN)
  Size: WANs connect multiple LANs and WANs and span very large areas, including multiple-country coverage.
  Description: WANs provide network connections among computers, devices, and other networks that need to communicate across great distances. For example, the Internet is a WAN.

Technical TIP

There are other types of networks, and you may see a few more terms used to describe networks. These terms aren't in widespread use, but they do describe specific types of networks. Other types of networks include:
• Personal area network (PAN)—A PAN consists of one or more workstations and their network devices, such as printers, network disk systems, and scanners. A PAN refers to the networked devices one person would likely use and normally does not span an area larger than an office or cubicle.
• Campus area network (CAN)—A CAN is larger than a LAN but generally smaller than a MAN. CANs are useful to connect the LANs across multiple buildings that are all in fairly close proximity to one another.
• Global area network (GAN)—A GAN is a newer term for a super-WAN. A GAN is a collection of interconnected LANs, CANs, MANs, and even WANs that spans an extremely large area.

Network Security Controls

Network security controls often focus on limiting access to remote resources. A local resource is any resource attached to a local computer—the same computer to which the user has logged on. A remote resource is any resource attached to another computer on a network that is different from the computer to which the user is logged on. The user's computer and the remote computer must be connected to a network to provide access to the remote resource.
Many of the security controls you'll find to protect network resources are similar to controls found protecting local resources. You'll learn more about how each type of control works in a Microsoft Windows network environment in this chapter. The main types of network security controls include:
• Access controls for protected resources, such as printers and shared folders
• Communication controls to limit the spread of malicious software and traffic
• Anti-malware software on all computers in the network to detect and eradicate malware
• Recovery plans, including backups, for all computers and devices in the network
• Procedures to control network device configuration changes
• Monitoring tools and other detective controls to help detect and stop suspicious network activity
• Software patch management for all computers and devices in the network

Principles of Microsoft Windows Network Security

A secure Microsoft Windows network allows access on demand to resources for authorized users while denying access for unauthorized users. While the goal is similar to securing a single computer, putting that goal into practice involves more types of controls. Setting up a network exposes all resources in the network to security threats. Securing a Microsoft Windows network requires attention to three main types of vulnerabilities:
• Physical and logical access—Locate important computers and devices in physically secure areas and limit access to them. Separate networks logically into smaller segments to control resource access. Logically separating networks is beneficial when you need to keep groups of devices separate. This is common in larger networks.
• Traffic flow—Use firewalls and other types of filters to discard unauthorized traffic on a network. Filters should exist at all network boundaries and between segments to control network ingress and egress.
• Computer and device security—Ensure each computer and device on the network is prepared to handle any known attack.
Any computer or device that does not have proper security controls deployed poses a threat to the entire network. Securing a Microsoft network involves deploying controls that protect all network components from all known threats. Although that may sound like a large goal, it's manageable when you approach it in a structured manner. The first step in understanding how to secure a network is to explore the most common components of networks.

Common Network Components

The main purpose of any network is to provide users with the ability to access and share remote resources. Networks use three main types of components to meet this goal. These components work together to allow users to share resources and reduce the need for multiple dedicated resources such as printers, file storage systems, and backup devices. The three main types of components in networks include:
• Connection media—The adapters and (sometimes) wires that connect components together. Not all connection methods use wires. With wireless devices, radio waves transmit data. So, connection media includes wireless adapters.
• Networking devices—Hardware devices that connect other devices and computers using connection media
• Server computers and services devices—Hardware that provides one or more services to users, such as server computers, printers, and network storage devices

Many physical devices found in networks are actually combinations of several types of components. These components should work together to provide easy access to desired resources and still maintain the security of an organization's information. Figure 9-2 shows common network components.

Figure 9-2. Common components found in networks.

Connection Media

The purpose of any network is to allow multiple computers or devices to communicate with each other. By definition, networked computers and devices are connected to one another and have the necessary software to communicate.
In the past, networked computers and devices were connected using cable. Today's networks contain a mix of cables and wireless connections. While the technical details of network connections are beyond the scope of this discussion, it is important to have a general understanding of a network's components. There are two options to establish network connections between computers and devices. You either build your own network or pay another organization to allow you to use their network for your purposes. The following sections that cover connection media assume you own the connection media and are installing the hardware necessary to establish network communications. The following network connection media options appear most commonly in LANs, CANs, and MANs, but may be used in other networks as well.

WIRED NETWORK CONNECTIONS

There are four basic cabling options for most physical network connections, including coaxial cable. Each option has its own advantages and disadvantages. If you choose to use physical cables for part, or all, of your network, you will have to run cables to each device. Running cables between devices takes careful planning. Make sure when you explore cabling options that you evaluate the cost of installing all of the cables and connection hardware to support both your current and future needs. Table 9-2 lists the four basic cable options, along with the advantages and disadvantages of each one.

WIRELESS NETWORK CONNECTIONS

Wireless connections are very popular in today's network environments, where flexibility is an important design factor. Wireless connections allow devices to connect to your network without your having to physically connect to a cable. This flexibility makes it easy to connect computers, or devices, in situations where running cables is either difficult or not practical for temporary connections. The Institute of Electrical and Electronics Engineers (IEEE) defines standards for many aspects of computing and communications.
The IEEE 802.11 family defines standards for wireless local area network (WLAN) communication protocols. A protocol is a set of rules that govern communication.

Table 9-2. Basic network cabling options.

Unshielded twisted pair (UTP)
  Description: The most common type of network cable, UTP generally consists of two or four pairs of wires. Pairs of wires are twisted around each other to reduce interference with other pairs. The most common type of UTP is category five UTP, which supports 100 megabits per second (Mbps) for two pairs of wires and 1,000 Mbps for four pairs.
  Advantages and disadvantages:
  • Lowest cost
  • Easy to install
  • Susceptible to interference
  • Limited transmission speeds and distances

Shielded twisted pair (STP)
  Description: Same as UTP, but with foil shielding around each pair and optionally around the entire wire group to protect the cable from external radio and electrical interference.
  Advantages and disadvantages:
  • Low cost
  • Easy to install
  • More resistant to interference than UTP
  • Same speed limitations but supports longer run lengths

Coaxial
  Description: A single copper conductor surrounded with a plastic sheath, then a braided copper shield, and then the external insulation.
  Advantages and disadvantages:
  • Higher cost
  • Difficult to install
  • Very resistant to interference
  • Higher speeds and longer run lengths

Fiber optic
  Description: A glass core surrounded by several layers of protective materials.
  Advantages and disadvantages:
  • Highest cost
  • Easy to run cable; installing end connectors requires special tools
  • Immune to radio and electrical interference
  • Extremely high speeds and long run lengths

There are four main protocols currently in the 802.11 standard. As with the discussion of wired network connections, the technical details are beyond the scope of this discussion, but it is important to know the basic differences between different wireless protocols. Table 9-3 lists the four most common wireless protocols.

Communication Protocol

A communication protocol isn't as complex as the name implies.
The technical details of each protocol can be quite complex, but the concept is pretty simple. A protocol is just a set of rules parties use to communicate. You use protocol rules every day. For example, suppose you want to invite a person to attend a meeting. If that person is a close friend, you would use an informal greeting and style of conversation. If, on the other hand, the person is an elected official, you would likely use a far more formal greeting and choice of words. You decide how to communicate based on your own protocol rules. You'll learn more about computer communication protocols later in this chapter.

Generally, hardware that supports protocols with faster speeds and longer range costs more than hardware with slower protocols. Your choice of wireless protocols will likely be based on cost, transmission speed requirements, and other devices that may cause interference in a specific frequency.

WARNING

In all cases, allowing wireless connections to your network increases the potential for unauthorized users to access network resources. If you choose to implement wireless connections, you must ensure you are using strong access controls and strong wireless encryption. In other words, use Wi-Fi Protected Access (WPA) as opposed to Wired Equivalent Privacy (WEP).

Bluetooth is a popular wireless protocol for connecting devices over short distances. The most popular use of Bluetooth is to create PANs of devices that communicate with a computer or device. Headsets, mice, and printers are some examples of devices that commonly support the Bluetooth protocol. From a security perspective, it is important to consider Bluetooth support for your computers and devices when you are developing wireless policies and controls. Bluetooth-enabled computers are vulnerable to several types of wireless attacks unless you protect all wireless connections.

Table 9-3. Common 802.11 wireless standards.

802.11a
  Maximum transmission speed: 54 Mbps
  Range (ft), indoor/outdoor: 115/390
  Frequency: 5 GHz

802.11b
  Maximum transmission speed: 11 Mbps
  Range (ft), indoor/outdoor: 125/460
  Frequency: 2.4 GHz

802.11g
  Maximum transmission speed: 54 Mbps
  Range (ft), indoor/outdoor: 125/460
  Frequency: 2.4 GHz

802.11n
  Maximum transmission speed: 150+ Mbps
  Range (ft), indoor/outdoor: 230/820
  Frequency: 2.4 GHz / 5 GHz

Figure 9-3. Simple network with a single hub.

Networking Devices

Once you decide on the types of connections you'll use for your network, you have to decide how your components connect to one another. Only the simplest networks with very few devices have every component connected directly to every other component. With more than just a few devices, this arrangement would make managing your network connections extremely difficult. Networks in today's environments use several types of devices to keep connections manageable. You'll see many different types of devices, but the following sections discuss the ones you'll most commonly use.

HUB

The simplest network device is a hub. A hub is simply a box with several connectors, or ports, that allows multiple network cables to attach to it. Common hubs have four, eight, 16, or 32 ports. A hub is a hardware repeater. A hub takes input from any port and repeats the transmission, sending it as output on every port, including the original input port. Hubs make it easy to connect many devices to a network by connecting each device to the hub. Figure 9-3 shows a simple network created using a single hub.

SWITCH

Hubs are inexpensive devices used to connect many computers and devices to a network. One problem with hubs is that they repeat all network traffic to all ports. This can cause message collisions and a frequent need to resend messages. Hubs also tend to contribute to network congestion, since every computer and device receives all network traffic. Networks are designed to handle collisions and congestion, but at the cost of high performance. A switch can help avoid many collision and congestion issues and actually speed up networks. A switch is a hardware device that forwards input it receives only to the appropriate output port.
For example, if Computer A wants to send a message to Computer B, a switch will only send the message from Computer A's port to Computer B's port. No other computers ever see the message. As an additional benefit, if Computer C wants to send a message to Computer F at the same time Computers A and B are talking, the switch can handle both connections at the same time without causing a collision. Switches are also more secure, since the only computers that actually see information exchanged over the network are the computers involved in the transfer. This is more secure than a hub that repeats messages to all connected computers.

ROUTER

A router is another network device that connects two or more separate networks. A router can connect any types of networks as long as they use the same protocols. Routers are more intelligent than switches and actually inspect the address portion of the packets on your network. The router examines the destination address and then forwards the packet to the correct outbound port. Routers can be standalone hardware devices or computers with multiple network interfaces running routing software. Routers also provide an important security capability. You can define rules for each router that tell the router how to filter network traffic. You can restrict which packets are allowed to flow through the network. Routers give you the ability to aggressively control how users and applications use the network.

GATEWAY

A gateway is a network device that connects two or more separate networks using different protocols. Networks using different protocols may include wired LANs, wireless LANs, and WANs. A gateway can perform many of the tasks a router performs but also has the ability to translate network packets from one protocol to another. Since it translates messages between protocols, a gateway is much more complex than either a router or a switch. One of the most common types of gateways is one that connects a LAN to the Internet.
This type of gateway is often called an Internet gateway. Gateways are necessary anytime you want to connect two networks that use different protocols. Gateways provide the same filtering capabilities as routers, and much more. Gateways analyze more than just the destination address and port of each message. Since the gateway has to translate an entire message from one protocol to another, detailed rules can be set up to filter out inappropriate traffic.

Server Computers and Services Devices

Networks provide easy access to shared resources and shared services. Centralized services make it possible for multiple users to share information and physical resources at a lower cost than duplicating information or purchasing devices for every workstation. Examples of shared resources include:
• File storage
• Printer and print services
• Central database and document management systems
• Central authentication services

NETWORK FILE SERVER

One common service present in even the earliest networks is the file sharing service. A file server is a computer or hardware device that has at least three distinct components:
• One or more connected hard disk drives
• A network interface
• Software to provide network access to files and folders on the attached disks

In the past, most file servers were computers that managed shared folders or file systems. The file server managed connections and supported authorized read/write access to its disks by remote users. Computer-based file servers are still in widespread use, but standalone hardware devices with internal hard disk drives are becoming more popular. A file server's main purpose is to provide secure access to its disk drives for remote users.

NETWORK PRINT SERVER

A print server provides the interface between the network and one or more printers. Like file servers, the actual server can be a computer or a standalone hardware device. In either case, the print server accepts print jobs from authorized users and processes them.
That means the print server may contain the intelligence to store multiple print jobs and provide advanced abilities to manage the printing process. Print servers vary widely in capabilities, but all generally exist to allow multiple remote users to share printers.

DATA STORAGE

Network data storage may sound like the service the file server provides, but the two services are distinct. A file server only stores files. A data storage server organizes data and attempts to make it more accessible than just a list of files. Data storage software includes database management systems and document management systems. Both types of management software provide efficient, effective centralized access to data and documents for remote users. Another substantial difference between file servers and data storage products is that data storage products generally provide far greater control over access authorization. File servers can control access to individual folders and files, but data storage software can control access to the contents of files. Database management systems and document management systems often provide their own features to maintain and authorize users and requests. These systems manage large amounts of data and can grant or deny access to individual pieces of information stored inside very large files. The advantage of databases and document management systems is that they can provide fast and efficient access to large amounts of data while maintaining security of the data down to a very specific level.

APPLICATION SERVICES

Application servers are computers that run application programs on behalf of remote users. Instead of having remote users install and run programs, a user can request that an application server run the program and return the results. There are several advantages to using application servers:
1. Software does not need to be installed on every user's computer; one license supports all users on one server (or several servers).
2. Updating software is easier; only application servers need to be updated.
3. Programs running on application servers tend to be closer to the database servers that store the data they need to run. Running programs on servers that are close to database servers can make accessing data much faster.
4. Since the database sends less data to the users' computers, more data stays inside an organization's secure network.
5. Server computers generally have the ability to serve many users efficiently, speeding up application programs.

Many of today's application programs rely on distributed design, which means at least part of the application runs on an application server. This application model gets a lot of attention from developers and attackers alike. Be sure to secure application servers along with the other components of your network.

FIREWALLS

A firewall is a common network component. It filters network traffic to block suspicious packets or messages. A firewall examines all network traffic and compares it to predefined rules. Firewall rules tell the firewall software whether to forward or deny traffic. After matching traffic to its rules, a firewall should drop or reject any network messages that are unauthorized or suspicious. So, much of a firewall's effectiveness is based on its rules. Firewalls run as software on computers or as standalone devices. Either way, the firewall needs at least two network adapters to separate incoming traffic from outgoing traffic. Routers and gateways often include firewall functionality and the ability to filter traffic before forwarding it. One very useful application of firewalls is to separate your organization's secure networks from its unsecure networks. This is most useful when you want to separate your Internet access point from the secure network. Many organizations want to expose some services to the Internet while maintaining separation from the internal network. Firewalls make this scenario possible.
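The firewall section above makes the point that a firewall is only as good as its rules. The following is an added example, not code from the textbook, showing how the same principle is expressed on a single Windows host with the built-in Windows Defender Firewall cmdlets (NetSecurity module): a default-deny inbound posture, an explicit block for Telnet (which Table 9-4 says should never be used), an allow rule scoped to a trusted segment, and logging of dropped packets so the host firewall also serves as one of the chapter's "monitoring tools and other detective controls". The address range 10.0.0.0/8, the rule names, the helper function and the choice of SSH on TCP 22 as the encrypted administration channel are assumptions; run it in an elevated PowerShell session on Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the textbook. Assumptions: elevated PowerShell on Windows 8 /
# Server 2012 or later; 10.0.0.0/8 is a placeholder for the organization's trusted LAN.
$trustedNet = '10.0.0.0/8'

function Add-RuleOnce {
    # Hypothetical helper: create a rule only if one with this DisplayName does not already
    # exist, so the script can be re-run without piling up duplicate rules.
    param([string]$Name, [hashtable]$Rule)
    if (-not (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $Name @Rule | Out-Null
    }
}

# 1. Default-deny inbound on every profile: only traffic an explicit rule allows gets through.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Telnet carries credentials in clear text (Table 9-4): block it in both directions, so
#    neither a Telnet listener on this host nor clear-text logins from it are possible.
Add-RuleOnce 'Block Telnet inbound'  @{ Direction = 'Inbound';  Protocol = 'TCP'; LocalPort  = 23; Action = 'Block'; Profile = 'Any' }
Add-RuleOnce 'Block Telnet outbound' @{ Direction = 'Outbound'; Protocol = 'TCP'; RemotePort = 23; Action = 'Block'; Profile = 'Any' }

# 3. Allow encrypted remote administration (SSH, TCP 22) only from the trusted segment and
#    only on the Domain and Private profiles, never while the host sits on a public network.
Add-RuleOnce 'Allow SSH from trusted LAN' @{ Direction = 'Inbound'; Protocol = 'TCP'; LocalPort = 22
                                            RemoteAddress = $trustedNet; Action = 'Allow'; Profile = 'Domain,Private' }

# 4. Log dropped packets so the firewall doubles as a detective control.
Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' -LogMaxSizeKilobytes 16384

# Verify the resulting state.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, LogBlocked
Get-NetFirewallRule -DisplayName 'Block Telnet*', 'Allow SSH from trusted LAN' |
    Select-Object DisplayName, Direction, Action, Enabled
```

The order matters: the default-deny profile setting is applied first, so any service not covered by an explicit allow rule is already unreachable before the rules are added. The blocked-packet log written in step 4 is the input that a log review or SIEM would consume; reading it is what turns the firewall from a purely preventive control into a detective one.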
Many organizations use two firewalls to create an untrusted network that Internet users can access, and a trusted network for secure resources. The two networks are connected, but separated by a firewall. The untrusted network is called a demilitarized zone (DMZ). The DMZ is a convenient place for Web servers, File Transfer Protocol (FTP) servers, or any servers you want outside users to access without being able to get into your trusted network. Figure 9-4 shows a DMZ with two firewalls.

Many firewalls provide the ability to translate an external IP address into an internally mapped IP address. The firewall stores a table that allows the software to translate the IP address for incoming and outgoing traffic. This feature, called network address translation (NAT), hides the true IP addresses of internal computers from outside nodes. External nodes only see a generic IP address. The firewall receives traffic addressed to the external IP address and changes the destination IP address to route the message to the correct internal IP address.

Figure 9-4. DMZ with two firewalls.

The main principle of Microsoft Windows network security is to ensure you enforce the Availability, Integrity, Confidentiality (A-I-C) Triad properties for your information. Design the controls for the network media, traffic flow, and network computers and devices to ensure a secure environment and information.

Microsoft Windows Security Protocols and Services

Every computer or device connected to a network is called a node. Nodes communicate with one another by agreeing on a set of communication rules called a protocol. A communication protocol sets the rules for how nodes construct, send, receive, and interpret messages. Each protocol serves a specific purpose and has its own structure for constructing and addressing messages. In fact, several protocols are necessary to transport a message from one application to an application running on a remote computer. The physical media has one way of handling data, the network addressing software uses a different protocol, and applications use yet another set of rules to communicate.

Most discussions of network protocols include a discussion of the Open Systems Interconnection (OSI) reference model. The OSI reference model is a generic description of how computers use multiple layers of protocol rules to communicate across a network. The OSI reference model defines seven different layers of communication rules. You'll also likely encounter another popular reference model, the Transmission Control Protocol/Internet Protocol (TCP/IP) reference model, when discussing network protocols. The TCP/IP reference model defines four different layers of communication rules. Both models are useful to describe how protocols work and how to implement them in network communications. Figure 9-5 shows the TCP/IP reference model and the OSI reference model.

Protocols provide the ability for applications to exchange information with other applications on other computers. For example, most Web browser applications communicate with a Web server application using the Hypertext Transfer Protocol (HTTP). Web browsers can use other protocols, but HTTP is the most common protocol for regular Web pages. The Web browser passes the message to the networking software layer. That layer handles the details of breaking the message into smaller packets suitable for networks, addressing the target machine, and routing the request across the network to ensure it arrives. A common networking protocol is Transmission Control Protocol/Internet Protocol (TCP/IP). TCP/IP is actually a combination of two separate protocols, but they work together in so many environments that they are often referenced as a single protocol. Finally, the networking software passes the messages off to the software that physically controls the hardware that sends the data using physical media.
This is the software and hardware that creates the radio transmission for wireless networks or electrical signals for Ethernet. It is important to know the protocols your systems and applications use. You can change many protocol settings to make your systems more secure. You'll learn more about the specific protocol settings to use in the hardening chapters. For now, you should be aware of the most common protocols and the ones that relate most directly to security. Table 9-4 shows a list of common protocols and how each one relates to your environment's security. Figure 9-5. TCP/IP and OSI reference models. Layered Protocols in Real Life The idea of layered protocols sounds complex. It really reflects what happens in human-to-human communication. Layers and translations are used in subtle ways every time you talk with a different person. Here's an example that demonstrates the obvious need for multiple layers. Consider how ambassadors communicate in the United Nations. Assume the U.S. ambassador wants to send a written note to the ambassadors of China, Russia, and Italy. In this example the protocol rule in place requires all written messages to be presented in French. Here is how the message travels through the U.N.: 1. The U.S. ambassador writes a message in English, then hands the message to a translator (the ambassador layer passes the message to the translator layer). 2. The translator translates the message into French, then hands it to an aide to take to the mailroom (the translator layer passes the message to the aide layer). 3. The aide makes three copies of the message, addresses each copy and places the messages in the U.S. outbox in the mailroom (the aide layer duplicates and passes the messages to the mailroom clerk layer). 4. The mailroom clerk picks up the messages from the U.S. outbox and places them in the appropriate inboxes for China, Russia, and Italy (the mailroom clerk handles the physical transfer). 5. 
An aide for each country (China, Russia, and Italy) picks up the message and delivers it to the translator (the aide layer collects a message from the mailroom and passes it to the translator layer).
6. The translator translates the message from French into the country's national language and gives it to the ambassador (the translator layer translates the message and passes it to the ambassador layer).
7. The ambassador for each country reads the message and takes appropriate action.

Figure 9-6. Message flow in the U.N. example.

Table 9-4. Common network communication protocols.

Telnet
  Description: Protocol used for connecting terminals to servers. Sends text to and from the server. Telnet is useful for remote administration using command-line utilities.
  Security notes: Telnet sends all information, including usernames and passwords, in readable text. Telnet should always be considered insecure and not used.

SSH (Secure Shell)
  Description: Similar to Telnet, except messages are encrypted. Useful for secure remote system administration using command-line utilities.
  Security notes: Older versions, such as 1.X, contain documented vulnerabilities. Newer versions are secure for most uses.

HTTP (Hypertext Transfer Protocol)
  Description: Used for most Web browser/Web server communication.
  Security notes: All data is sent in the clear. HTTP is not appropriate for confidential data.

HTTPS (Hypertext Transfer Protocol Secure)
  Description: Secure HTTP. Useful for exchanging confidential information between Web browsers and Web servers.
  Security notes: HTTPS uses SSL/TLS to provide encryption services. Ensure your Web server is using SSL version 3.X or TLS.

SSL/TLS (Secure Socket Layer/Transport Layer Security)
  Description: SSL is the predecessor of TLS. Both protocols provide encryption for application layer protocols, such as HTTPS.
  Security notes: TLS is the most secure. Do not use versions 1.X or 2.X of SSL. Only use SSL 3.X or TLS unless your application does not support newer versions.
TCP/IP (Transmission Control Protocol/Internet Protocol)
  Description: The most common protocol pair for Internet communication.
  Security notes: TCP/IP is a frequent target for attackers since it is used in so many applications. Use helper protocols, such as TLS, to secure TCP/IP communications and filters to detect malicious traffic.

UDP (User Datagram Protocol)
  Description: Another common protocol used in place of IP when persistent connections are not necessary or desirable.
  Security notes: Use the same precautions as TCP/IP. Use UDP with other protocols and filters.

IPSec (Internet Protocol Security)
  Description: A protocol suite used to secure IP communication by encrypting each IP packet.
  Security notes: IPSec secures any messages that use IP to communicate. IPSec is transparent to applications that use it.

PPP (Point-to-Point Protocol)
  Description: Protocol to establish a direct connection between nodes.
  Security notes: PPP includes the ability to encrypt and authenticate messages.

PPTP (Point-to-Point Tunneling Protocol)
  Description: One of three common protocols used for virtual private networks (VPNs).
  Security notes: PPTP relies on PPP's encryption and authentication features to provide a VPN for applications that use TCP.

L2TP
  Description: Another common protocol used for VPNs.
  Security notes: Operates at a lower level than PPTP and must rely on a higher level protocol, such as IPSec, to provide encryption. L2TP relies on UDP to transport messages.

SSTP (Secure Socket Tunneling Protocol)
  Description: New VPN protocol that uses SSL/TLS to encrypt HTTP traffic in a tunnel.
  Security notes: SSTP overcomes limitations that PPTP and L2TP messages have with firewalls and NAT devices. SSTP has no conflicts with NAT translation.

WEP (Wired Equivalent Privacy)
  Description: Older protocol for securing wireless network traffic.
  Security notes: Legacy protocol to encrypt wireless network traffic. Better than nothing, but not sufficient to secure confidential information.

WPA (Wi-Fi Protected Access)
  Description: WPA and WPA2 are more secure protocols than WEP with stronger encryption for wireless network traffic.
  Security notes: The latest version of WPA, WPA2, is based on AES encryption and supports several modes for varying needs of encryption security.

Kerberos
  Description: Protocol that network nodes can use to authenticate themselves to one another over an insecure network.
  Security notes: Windows uses Kerberos as a default authentication protocol.

Windows uses protocols to communicate with other nodes across a network. This allows a program running on one computer to communicate with a program on another computer. It is common that the program on at least one end of a communication channel is a Windows service. A Windows service is a long-running program that performs a specific set of functions, such as a firewall, database server, or a Web server. Services generally run without requiring user intervention and commonly run on server computers. Most services that provide network related functions monitor one or more ports. A port is a numeric identifier that programs use to classify network messages.

TECHNICAL TIP
Most Web traffic is directed to port 80 on a server computer. When a server receives a Web-related message it redirects the message to the service that monitors port 80. Most likely, any service that monitors port 80 is a Web server.

Securing Microsoft Windows Environment Network Services

Securing services is an important step in securing Windows computers. Services are often powerful programs that can be dangerous if an attacker takes control. Since services are just programs, they can contain programming errors and vulnerabilities. While there are many specific configuration strategies to secure each type of service, there are three high-level strategies that will keep all your services more secure. These strategies include keeping all service software up to date, limiting the permissions granted to service user accounts, and removing unneeded services.

Service Updates

Before enabling any service, develop a plan for keeping the service up to date.
Service programs generally run for long periods of time waiting for requests. The services commonly monitor communication ports for requests and respond anytime they receive messages. Attackers know which services are in widespread use and they also know how to find out if you are running any services of interest. Whenever attackers uncover new vulnerabilities, they generally share the information with other potential attackers and start looking for vulnerable systems. Once a new vulnerability surfaces, it is important to mitigate it as soon as possible. You can mitigate many vulnerabilities using compensating controls. The best way to address a vulnerability is to remove it. Many updates to service software do just that. Keep current on the latest releases available for any services you run. Keeping Windows updated with the latest service packs will keep many services up to date, but will not address any non-Microsoft services you run. If you run any non-Microsoft services, such as the Apache Web server or an Oracle database, you'll need to consult their Web sites for update information. Keeping your services up to date will help maintain your environment's security.

Service Accounts

Recall that Windows defines rights and permissions based on user accounts. Windows runs every program as a specific user. That means even services run as a user. By default, many services run as a local admin account. If an attacker can exploit a vulnerability and compromise a service, it is possible the attacker could assume the identity of the user running the service. For this reason, it is important to run each service as a user that possesses the minimum privileges necessary to perform the service's functions.

WARNING
Avoid using a domain admin account for any service. If a domain admin account is used, an attacker can jeopardize an entire network by compromising a service running on your least secure computer.

Carefully review the user account used for each service.
You can see which user Windows uses for each service in the Services MMC snap-in. You can use these steps to access the Service Properties:

1. Choose the Windows Start button, then select Administrative Tools > Services.
2. Select a service, open the Context Menu (right mouse click), then select Properties.
3. Choose the Log On tab to view or change the user account Windows uses to run the service.

Instead of using default accounts for services, create one or more user accounts that limit what services can do. Here are guidelines for creating secure accounts for services:

• Create a new account, with leading underscores in the name (this makes it easier to identify service accounts).
• Use strong passwords.
• Revoke all logon rights for local and remote logons.
• Set the Password Never Expires property.
• Set the User Cannot Change Password property.
• Remove the user from all default groups.
• Assign the minimum privileges necessary to run services.

These guidelines will help create user accounts that are safer for services. Any service compromise will have less impact than a service using a local or domain admin account. Be sure to test the new accounts extensively. Be sure to grant sufficient permission to the user for the service to perform all the necessary tasks.

Necessary Services

The best way to secure a specific service is to disable, or even remove it. If the service isn't running, it isn't providing any functionality. If a service is not needed on a computer, stop it from running. It is important to disable unused services. Since a service monitors one or more communications ports, each service is a potential point of attack. Start only the necessary services. For Windows Server 2008 computers, only enable the role(s) you need the computer to perform. Windows will not install services that do not fit a specific role. For example, if you don't need a Web server running on a computer, don't enable the Web server role.
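The two reviews this chapter asks for, checking which account each service runs as and confirming that every running service is actually needed, can be scripted instead of clicked through in the Services snap-in. The PowerShell below is an added example, not code from the textbook; the approved-service baseline, the Domain Admins lookup, and the -Fix switch are assumptions made for this example.

```powershell
# Added example (not from the textbook): review Windows services for the two problems
# the chapter describes, services running under high-privilege accounts and services
# that are running but are not on an approved baseline for this computer's role.
# Assumptions (hypothetical): $ApprovedServices is a constructed placeholder baseline;
# build your own from a role review before using -Fix. Run in an elevated session.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Fix   # actually stop and disable unapproved services; default is report only
)

# Constructed baseline: service names this machine is allowed to run.
$ApprovedServices = @('Dhcp', 'Dnscache', 'EventLog', 'LanmanWorkstation',
                      'MpsSvc', 'W32Time', 'WinDefend', 'wuauserv')

# Built-in accounts that most services are expected to use.
$BuiltInAccounts = @('LocalSystem', 'NT AUTHORITY\LocalService',
                     'NT AUTHORITY\NetworkService')

$services = Get-CimInstance -ClassName Win32_Service

# 1. Service account review: flag any service that runs as a custom or domain account,
#    and warn loudly when that account is a member of Domain Admins.
$domainAdmins = @()
try {
    # Requires the ActiveDirectory module (RSAT); the check is skipped if it is absent.
    $domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
                    Select-Object -ExpandProperty SamAccountName
} catch {
    Write-Warning "Could not query Domain Admins membership: $($_.Exception.Message)"
}

foreach ($svc in $services) {
    $account = $svc.StartName
    if (-not $account) { continue }
    if ($BuiltInAccounts -contains $account) { continue }
    if ($account -like 'NT SERVICE\*') { continue }   # per-service virtual accounts

    $sam = ($account -split '\\')[-1]                  # strip the DOMAIN\ prefix
    if ($domainAdmins -contains $sam) {
        Write-Warning "$($svc.Name) runs as DOMAIN ADMIN account $account; change this"
    } else {
        Write-Output "$($svc.Name) runs as custom account $account; verify least privilege"
    }
}

# 2. Necessary services review: anything running that is not on the baseline.
$unapproved = $services | Where-Object {
    $_.State -eq 'Running' -and $ApprovedServices -notcontains $_.Name
}

foreach ($svc in $unapproved) {
    $line = 'Unapproved running service: {0} ({1}) StartMode={2}' -f $svc.Name, $svc.DisplayName, $svc.StartMode
    Write-Output $line
    # Stop it, then set Startup Type to Disabled, as the chapter describes.
    if ($Fix -and $PSCmdlet.ShouldProcess($svc.Name, 'Stop and disable')) {
        Stop-Service -Name $svc.Name -Force
        Set-Service -Name $svc.Name -StartupType Disabled
    }
}
```

Run it without -Fix first; with -Fix -WhatIf it lists what would be stopped so the baseline can be corrected before anything is disabled.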
A server that doesn't have Internet Information Services (IIS) installed is immune to IIS vulnerabilities. For both Windows 7 and Windows Server 2008, review all of the services in the Services MMC snap-in. Ensure that you need each running service.

Figure 9-7. Windows Services startup options.

If a service is not needed, there are several steps you can take:

• Stop it—Stop a service in the Services snap-in. Change its Startup Type to Manual to disable the service from starting automatically when the system boots.
• Disable it—Change the Startup Type to Disabled to tell Windows not to start a service.
• Remove it—If an unneeded service is installed on a computer, remove the software for the service. The procedure to remove a service depends on the type of service.

Figure 9-7 shows the startup options in the Services MMC Snap-in. Regardless of your mitigation actions, take the time to review all of the services your computers run. Ensure each running service is necessary for that computer to accomplish its goals. Stop any unnecessary services. Each service you stop removes another potential attack point from your environment.

Securing Microsoft Windows Wireless Networking

Securing your wireless network is a crucial step in securing your overall Windows environment. Allowing unsecured wireless access to your Windows network can provide easy access for attackers and undermine your efforts to secure your environment. Wireless access makes it easier for anyone to connect to your network even from outside your physical environment. An attacker armed with a notebook computer and a wireless card can access an unsecured wireless network from as much as several hundred feet away from the access point. You can't rely on any physical security measures to protect your wireless networks, as you can with wired connections. There are several steps you can take to secure wireless networks.
The actual steps you take to enable each of the following suggestions depend on your wireless hardware manufacturer. However, all current wireless devices provide the ability to make your wireless network more secure. For specific instructions for your hardware consult the hardware manufacturer's Web site or user guide. Follow these guidelines to make any wireless network more secure:

• Use WPA or WPA2 encryption—Do not use WEP unless your wireless access point does not support WPA/WPA2. Security professionals have demonstrated they can compromise WEP in a matter of minutes. WPA/WPA2 is the only secure protocol you should consider for confidential information available on a wireless network.
• Use Media Access Control (MAC) address filtering—Most wireless access points allow you to define valid MAC addresses. If you enable MAC address filtering, only valid MAC addresses can connect to the wireless network. MAC address filtering does make administration more difficult and attackers can spoof MAC addresses, but adding layers of controls makes the environment safer.
• Disable Service Set Identifier (SSID) broadcast—Many attackers scan for potential victim networks by collecting information for all networks broadcasting Service Set Identifiers (SSIDs). Turning off the SSID broadcast doesn't make your network more secure but it makes it less visible to casual scanners.
• Limit outside eavesdropping—Each wireless access point has an effective transmission range. You can move the devices away from external walls to make it harder to use a signal outside your physical environment. Locate your wireless devices as far away from external walls as possible while still providing ample coverage for your organization's users.
• Physically separate wireless networks by purpose—Many organizations deploy at least two wireless networks. One wireless network is secure and requires each new device and user to register with an administrator before getting access.
This wireless network would likely provide access to the organization's internal network. Another wireless network uses fewer controls and makes it easy for guests to connect. This second wireless network would likely only connect to an Internet bridge. This approach makes it easy to give guests Internet access without exposing your organization's network.

WARNING
If you do not turn on the security features of your wireless Internet devices, you may be the victim of Wi-Fi Jacking. This occurs when attackers walk or drive through business areas (and neighborhoods) and identify unprotected wireless LANs from the street using a laptop or a handheld computer. When they find an unprotected network, they can hijack that wireless connection to download illegal materials, send spam, etc. They can also use their connection to the wireless network to hack into other computers on the LAN to steal information and identities.

Limiting access to wireless networks makes your environment far more difficult for attackers to compromise. Wireless security is only one layer in your overall security plan, but it is an important one.

Microsoft Windows Desktop Network Security

Windows desktop computers operate in the Workstation Domain in the IT Infrastructure and generally operate as clients in network communications. That means desktop computers generally initiate communication by sending requests to servers in another domain. The main areas of focus with respect to desktop network security should be user authentication and authorization, malicious software protection, and outbound traffic validation.

User Authorization and Authentication

Users can only do what you allow them to do. One of the best ways to keep attackers away from your network is to keep them away from your workstations. In addition to physical controls to limit unauthorized access to workstations, it is important to aggressively protect workstations from unauthorized logons.
This means deploying a user account policy that makes it difficult for an attacker to log on as an authorized user. Here are some guidelines to protect your workstations from unauthorized access:

• Train all users on how to create strong passwords and protect user account credentials.
• Require unique user accounts with strong passwords for each user.
• Use the principle of least privilege to grant minimal rights and permissions to users.
• Audit failed access attempts.
• Audit all logons for privileged accounts.
• Enable account lockout after five failed logon attempts.
• Explore alternate authentication methods. For more privileged users or workstations, consider multifactor authentication.
• Remove or disable unused user accounts.
• Disable remote access.

Malicious Software Protection

A popular attack vector for central servers is to compromise a trusted workstation using malicious software. A workstation is often easier to compromise than a server due to the relative lack of attention to security controls. Workstations are frequent targets for attacks. Don't forget to consider all workstations that will access your organization's environment. This includes remote workstations. Remote workstations can be very difficult to manage but you cannot overlook the security risks associated with any workstation. You should require that all workstations have anti-malware software installed before you allow them to connect to your environment. This includes antivirus and anti-spyware software. Ensure the software and the software's signature databases are up to date. You can use Group Policy to enforce this requirement. You should also create a schedule to scan workstations for malicious software. Just because the software is present doesn't mean the computer is clean. It is important to proactively scan workstations at least weekly, along with active anti-malware shield software, to maintain as clean an environment as possible for your workstations.
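Several of the workstation logon guidelines above (lockout after five failed attempts, auditing failed and privileged logons, disabling unused accounts) map directly onto built-in Windows tools. The PowerShell below is an added example, not from the textbook; it assumes a standalone or workgroup workstation (on a domain member these settings belong in Group Policy), and the 90-day staleness threshold is a value chosen for this example.

```powershell
# Added example (not from the textbook): apply and verify workstation logon guidelines
# from this section. Assumptions: run elevated on a standalone/workgroup machine;
# $StaleDays is a hypothetical threshold for "unused" accounts.
param(
    [int]$StaleDays = 90,
    [switch]$Fix     # make changes; without it the script only reports
)

# 1. Account lockout: five failed attempts, 30 minute lockout and observation window.
if ($Fix) {
    net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null
}
net accounts | Select-String -Pattern 'Lockout'

# 2. Auditing: failed logons and lockouts for all users, plus successful logons that
#    carry privileged group membership (the "Special Logon" subcategory).
if ($Fix) {
    auditpol /set /subcategory:"Logon" /failure:enable | Out-Null
    auditpol /set /subcategory:"Account Lockout" /failure:enable | Out-Null
    auditpol /set /subcategory:"Special Logon" /success:enable | Out-Null
}
auditpol /get /category:"Logon/Logoff"

# 3. Unused accounts: enabled local accounts that never logged on, or have not logged
#    on within $StaleDays, are candidates to disable.
$cutoff = (Get-Date).AddDays(-$StaleDays)
$stale = Get-LocalUser | Where-Object {
    $_.Enabled -and (-not $_.LastLogon -or $_.LastLogon -lt $cutoff)
}
foreach ($user in $stale) {
    $last = if ($user.LastLogon) { $user.LastLogon } else { 'never' }
    Write-Output "Stale enabled account: $($user.Name) (last logon: $last)"
    if ($Fix) { Disable-LocalUser -Name $user.Name }
}

# 4. Read back the failed-logon audit trail (Security event 4625) from the last day,
#    grouped by target account, to spot password guessing against this workstation.
$since = (Get-Date).AddDays(-1)
try {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction Stop |
        ForEach-Object {
            # TargetUserName is one of the <Data> elements in the 4625 event XML.
            ([xml]$_.ToXml()).Event.EventData.Data |
                Where-Object { $_.Name -eq 'TargetUserName' } |
                Select-Object -ExpandProperty '#text'
        } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object Count, Name
} catch {
    Write-Output "No failed-logon events found since $since"
}
```

Step 4 only returns events once the failure auditing from step 2 is in place, so expect an empty result on the first run.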
Outbound Traffic Filtering

Despite your best efforts, it is possible that one or more of your workstations may be compromised. One popular attack when targeting workstations is to place malicious software on a workstation that creates a flood of messages. Since the workstations inside your network are trusted nodes, your network will accept the traffic. There are several attacks that send a large volume of network messages that end up flooding the network and making it unusable for legitimate traffic. Attacks of this type are called denial of service (DoS) attacks. The result of a successful DoS attack makes information unavailable to authorized users since the network is too saturated to respond. If the attack coordinates with other compromised workstations it is called a distributed denial of service (DDoS) attack. You can protect your network from many DoS and DDoS attacks by configuring each workstation's firewall to filter outbound traffic. Most DoS and DDoS attacks create traffic that a firewall can easily recognize and refuse to pass on to the network. Although your workstation has still been compromised, the attack is not effective if the traffic doesn't make it to the network. Make sure all workstations have active and up to date firewall rules that filter incoming and outgoing traffic for known suspicious packets.

Microsoft Windows Server Network Security

Windows servers provide various types of services for enterprises. In many cases, servers either directly or indirectly enable enterprise applications to access shared data to support business functions. While compromising a workstation may open a door into an organization's secure network, compromising a server will likely allow an attacker to get even closer to sensitive or confidential data. Although each layer of security is important to the overall security of your organization's data, you should view server security controls as even more crucial.
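The outbound filtering the previous section recommends for workstations, and the rule the chapter gives later for server firewalls (allow only the traffic the server's function needs, deny and log the rest, and keep the log size under control), can both be expressed with the Windows Defender Firewall cmdlets. The PowerShell below is an added example, not from the textbook; the role names, the allowed-port lists, and the 10.0.0.0/8 internal range are constructed placeholders.

```powershell
# Added example (not from the textbook): put Windows Defender Firewall into a
# default-deny posture in both directions, allow only what a host role needs, and log
# dropped packets with a bounded log size. Assumptions (hypothetical): $Role values
# and port lists are placeholders; 10.0.0.0/8 is a constructed internal range.
# A default-deny outbound policy blocks anything not listed, so extend the lists from a
# real traffic review before deploying. Run elevated; use -WhatIf to preview.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [ValidateSet('Workstation', 'WebServer')]
    [string]$Role = 'Workstation'
)

$internalNet = '10.0.0.0/8'

# 1. Default deny in both directions on every profile. Log dropped packets only
#    (logging allowed traffic too would swamp the log) and cap the log at 16 MB.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Block `
    -LogBlocked True -LogAllowed False `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 16384

# 2. Outbound allow rules common to every role: DNS, time, HTTPS (updates, Web),
#    and Kerberos/LDAP/SMB restricted to the internal network.
$outbound = @(
    @{ Name = 'Out-DNS';      Protocol = 'UDP'; Port = 53;  Remote = 'Any' },
    @{ Name = 'Out-NTP';      Protocol = 'UDP'; Port = 123; Remote = 'Any' },
    @{ Name = 'Out-HTTPS';    Protocol = 'TCP'; Port = 443; Remote = 'Any' },
    @{ Name = 'Out-Kerberos'; Protocol = 'TCP'; Port = 88;  Remote = $internalNet },
    @{ Name = 'Out-LDAP';     Protocol = 'TCP'; Port = 389; Remote = $internalNet },
    @{ Name = 'Out-SMB';      Protocol = 'TCP'; Port = 445; Remote = $internalNet }
)
foreach ($r in $outbound) {
    if ($PSCmdlet.ShouldProcess($r.Name, 'Create outbound allow rule')) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Outbound -Action Allow `
            -Protocol $r.Protocol -RemotePort $r.Port -RemoteAddress $r.Remote | Out-Null
    }
}

# 3. Inbound allow rules depend on the role. A workstation accepts nothing from the
#    network; a Web server accepts HTTP/HTTPS from anywhere and remote management
#    (WinRM over HTTPS) only from the internal network.
$inbound = switch ($Role) {
    'Workstation' { @() }
    'WebServer'   { @(
        @{ Name = 'In-HTTP';  Protocol = 'TCP'; Port = 80;   Remote = 'Any' },
        @{ Name = 'In-HTTPS'; Protocol = 'TCP'; Port = 443;  Remote = 'Any' },
        @{ Name = 'In-WinRM'; Protocol = 'TCP'; Port = 5986; Remote = $internalNet }
    ) }
}
foreach ($r in $inbound) {
    if ($PSCmdlet.ShouldProcess($r.Name, 'Create inbound allow rule')) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow `
            -Protocol $r.Protocol -LocalPort $r.Port -RemoteAddress $r.Remote | Out-Null
    }
}

# 4. Report the effective profile settings so the default-deny posture can be verified.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction,
    DefaultOutboundAction, LogBlocked, LogMaxSizeKilobytes
```

The pfirewall.log written by step 1 is the record of traffic the host refused to pass on; a compromised workstation generating flood traffic shows up there as a burst of DROP lines to the same destination.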
The controls you place on server computers will only act as obstacles for attackers that have already found ways to defeat outer layers of controls. It is likely any attacker that has made it this far is sophisticated and skilled. You must carefully design, deploy, and monitor controls for servers in your network to increase the likelihood that you'll stop an attack before it compromises the data you're trying to protect.

Authentication and Authorization

All three of the A-I-C Triad properties of data security depend on the positive identification of an authorized user. Your servers inside your organization's secure network should require specific user accounts to use any service. You may allow anonymous users or shared user accounts to access some resources, such as generic Web pages or public file downloads, but these servers should reside in the DMZ and not in your secure network. Inside the secure network, you should authenticate all computers and users before processing resource access requests. Windows uses Kerberos by default to provide a secure method to establish two-way authentication. This level of authentication assurance provides protection from eavesdropping or certain types of replay attacks. A replay attack is one where an attacker intercepts authentication messages. Unless the network is protected against this, the attacker can replay the captured authentication messages and log on again. It is similar to your Web browser storing your password to a Web site, but in this case the attacker is storing someone else's password. Kerberos gives both sides of a network conversation the assurance that the other party is who he or she claims to be.

Carefully examine each server's role to ensure that no unnecessary services are running. For the services you are running, make sure you have defined ACLs for all authorized users and all protected resources. Apply the principle of least privilege for all users.
Use GPOs as much as possible to standardize security settings.

Malicious Software Protection

Servers are vulnerable to malware just like workstations. You must install antivirus and anti-spyware software on each Windows server on your network. As with workstations, be sure to update both the software and signature databases frequently. Check for updated software and signature databases daily for server computers. Use Group Policy to enforce this requirement on servers as well as for workstations. You should also create a schedule to scan each server for malicious software. Your scan schedule depends on the services and data on any server, but weekly scans should be the minimum frequency. Scheduled scans, along with active anti-malware software, will help you to maintain as clean an environment as possible for your servers.

Network Traffic Filtering

Firewalls protect services running on servers by filtering out suspicious traffic that attackers could use to compromise servers. The success of your firewalls depends on their rules and location. Standalone firewalls can be used to filter traffic before it reaches a server, or you can implement firewalls on your servers. Either option has advantages and disadvantages. Standalone firewalls relieve some of the workload from your servers. The firewall device processes firewall rules and only forwards approved traffic. The server never sees traffic that does not match your firewall rules. The disadvantages of standalone firewalls include additional administrative workload, since standalone firewalls are separate devices, and additional hardware cost.

Firewalls that are integrated with servers have advantages and disadvantages. First, Microsoft's firewall uses the familiar MMC interface for administration. You can also use GPOs to enforce standard rules across multiple servers. Microsoft's firewall also comes with Windows Server 2008 and does not require an additional license or hardware purchase.
The main disadvantage is that an embedded firewall adds to the server's workload. The server must examine all network traffic to apply its filtering rules. Another disadvantage is that since a firewall is a program, it can have vulnerabilities that attackers may be able to exploit. An attacker that compromises a server firewall may be able to gain access to protected resources on that server.

WARNING
Be careful about logging firewall traffic. Your log file can become quite large if you don't monitor and clear it out periodically. Only log the events you really need and carefully monitor the size of your log files.

Regardless of the type of firewall, set up rules to only allow valid traffic for the specific server functions you define. Deny, and potentially log, all other traffic.

Best Practices for Microsoft Windows Network Security

Securing a Windows network is an ongoing endeavor. Although the process never really ends, you can reach a level of assurance that your network is secure from most threats. It is important to continually monitor controls to ensure they are as effective as expected. Here are some best practices that will help you get started securing your network and provide a good set of guidelines for ensuring your network stays secure:

• Identify sensitive data.
• Protect sensitive data at rest using encryption.
• Establish unique domain user accounts for each user.
• Enforce strong passwords for all user accounts.
• Create new user accounts with limited rights and permission for services.
  • Do not allow any services to run as a domain admin user.
• Use Kerberos for secure authentication.
• Install firewalls to create a DMZ.
  • Place all Internet-facing servers (Web servers and other publicly accessible servers) in the DMZ.
  • Use encrypted communication for all traffic flowing through the DMZ and the trusted network.
• Use encryption for all communication involving sensitive data.
• Establish firewall rules.
  • Deny all suspicious traffic.
  • Allow only approved traffic for servers.
  • Filter inbound and outbound traffic for servers and workstations for malicious messages.
  • If your firewall supports it, automatically terminate connections with sources generating DoS traffic to mitigate DoS attacks in process.
• Install anti-malware software on all computers and establish frequent update schedules and scans.
  • Update software and signature databases daily.
  • Perform quick scans daily.
  • Perform complete scans at least weekly.
• Use WPA or WPA2 for all secure wireless networks.
• Disable SSID broadcast for secure wireless networks.
• Do not enable wireless or air cards while connected to your organization's internal network. Always disable your wireless adapter before connecting a laptop to the wired network.
• Do not allow visitors to roam around your facilities using Wireless LANs. Many Access Points can be physically reset to insecure factory default settings by pressing a reset switch on the box.
• Avoid connecting to public networks. When you connect to an open wireless network, you should have no expectation of privacy or security. If you have to use an open wireless connection, do not visit Web sites that require usernames, passwords, or account numbers, such as online banking. Use an encrypted connection or a virtual private network (VPN).
• Install a separate wireless access point only connected to the Internet for guests.
• Disable or uninstall any services that you do not need.

These best practices provide a solid foundation for establishing and maintaining a secure Windows network.

CHAPTER SUMMARY

Securing a Windows network means securing all of the components. You learned about the different components that comprise a Windows network. You learned about workstations, servers, devices, and software. You also learned about the process to secure each type of component. While securing a Windows network takes planning and effort to be successful, it is possible.
Once you know your network and what each component does, you're ready to start planning for the most effective security controls. No control set is best for every organization. The controls that work best for your network will maximize the A-I-C Triad properties for your data and still support your business functions.

KEY CONCEPTS AND TERMS

• Application servers
• Coaxial cable
• Connection media
• Demilitarized zone (DMZ)
• Denial of service (DoS)
• Distributed denial of service (DDoS)
• Fiber optic cable
• File server
• Gateway
• Hub
• Hypertext Transport Protocol (HTTP)
• IEEE 802.11
• Institute of Electrical and Electronic Engineers (IEEE)
• Internet gateway
• Local area network (LAN)
• Local resource
• Metropolitan area network (MAN)
• Network
• Network address translation (NAT)
• Networking devices
• Node
• Open System Interconnection (OSI) reference model
• Ports
• Print server
• Protocols
• Remote resources
• Router
• Server computers and services devices
• Service Set Identifier (SSID)
• Shielded twisted pair (STP)
• Switch
• TCP/IP reference model
• Transmission Control Protocol/Internet Protocol (TCP/IP)
• Unshielded twisted pair (UTP)
• Wide area network (WAN)
• Windows service
• Wireless local area network (WLAN)

CHAPTER 9 ASSESSMENT

1. A _______ is a network that generally spans several city blocks.
2. A local resource is any resource connected to the local LAN.
   1. True
   2. False
3. Which of the following devices repeats input received to all ports?
   1. Switch
   2. Hub
   3. Gateway
   4. Router
4. _______ cabling provides very good protection from interference but is difficult to install.
5. Even the newest wireless protocols are slower than using high quality physical cable.
   1. True
   2. False
6. Which LAN device commonly has the ability to filter packets and deny traffic based on the destination address?
   1. Router
   2. Gateway
   3. Hub
   4. Switch
7.
A _______ is an untrusted network that contains Internet-facing servers and is separated from your trusted network by at least one firewall.
8. Which network device feature provides the ability to hide internal network node addresses?
   1. DMZ
   2. NAT
   3. STP
   4. OSI
9. Which network layer reference model includes four layers to describe how computers use multiple layers of protocol rules to communicate across a network?
   1. IEEE
   2. IPSec
   3. UDP
   4. TCP/IP
10. Which of the following actions is not an effective way to secure Windows services that you do not use?
   1. Stop it
   2. Disable it
   3. Block it
   4. Remove it
11. You should disable the _______ broadcast to make wireless networks harder to discover.
   1. SSID
   2. NAT
   3. MAC
   4. WPA
12. A successful DoS attack violates which property of the A-I-C Triad?
   1. Availability
   2. Integrity
   3. Consistency
   4. Confidentiality
13. Where must sensitive data only appear encrypted to ensure its confidentiality? (Select two.)
   1. While in use in the Workstation
   2. During transmission over the network
   3. As it is stored on disk
   4. In memory
14. Which authentication protocol does Windows Server 2008 use as a default?
   1. NTLM
   2. Kerberos
   3. WPA
   4. NAT
15. What can some firewalls do to attempt to stop a DoS attack in progress?
   1. Alert an attack responder
   2. Log all traffic coming from the source of the attack
   3. Terminate any connections with the source of the attack
   4. Reset all connections

Explanation & Answer

Attached.

Running head: MICROSOFT WINDOWS SECURITY

Best Practices for Microsoft Windows Network Security
Name of Student
Institution Affiliation
Date

MICROSOFT WINDOWS SECURITY
Introduction
Guarding the security and the privacy of network traffic, either in a cloud or on-site, is an acute part of whichever data security strategy. Safeguarding the network structure helps avert attacks, block malware, and guard your data from unofficial access, intermittent access, or loss. In a public cloud, isolation of punter infrastructure is essential to upholding security.
Best practices to follow for Microsoft Windows network security
1. Protect sensitive data ...

