Chapter 9. Microsoft Windows
Network Security
MICROSOFT WINDOWS COMPUTERS can be very useful by themselves,
but they are far more effective when they are able to communicate with one
another. Windows computers that can communicate and exchange
information have the ability to assume specific roles that make your
organization's computing environment more efficient and effective.
Unfortunately, connecting computers also makes accessing your
organization's information easier for unauthorized users as well as
authorized users. That means you have to be diligent to ensure the
availability, integrity, and confidentiality of your data.
In this chapter you'll learn about techniques that many organizations use to
ensure that their Windows networks are secure. You'll learn how to connect
computers together without risking your organization's information to loss,
alteration, or disclosure.
Chapter 9 Topics
This chapter covers the following topics and concepts:
• What network security is
• What the principles of Microsoft Windows network security are
• What Microsoft Windows security protocols and services are
• How to secure Microsoft Windows environment network services
• How to secure Microsoft Windows wireless networking
• What Microsoft Windows desktop network security is
• What Microsoft Windows server network security is
• What best practices for Microsoft Windows network security are
Chapter 9 Goals
When you complete this chapter, you will be able to:
• Describe goals for securing Microsoft Windows networks
• Secure Microsoft Windows networking services
• Secure Microsoft Windows wireless networks
• Secure Microsoft Windows workstations and servers
Network Security
Today's IT environments include components connected to form
a network, or multiple networks. A network is a collection of computers
and devices joined by connection media. Network components work
together to support an organization's business functions. This makes
information available for various uses and many users. As networks grow
and become more functional, they can become complex to manage. One
way to help organize network components and keep your network simple is
to categorize components by function. One way to organize components is
to use an IT Infrastructure approach to group components into functional
areas, or domains. Figure 9-1 shows an IT Infrastructure with seven
domains. These are the domains you'll commonly encounter as you study
IT environments.
From a general network perspective, users typically use their workstations to
access other resources that are connected to an organization's local area
network (LAN), a metropolitan area network (MAN), or even
a wide area network (WAN). Table 9-1 lists each of the basic three
network types and their characteristics.
Organizations rely on networked resources more than ever in today's
environments. Networks make it possible to share expensive resources.
Examples of shared resources are color printers, high performance disk
subsystems, and applications. Networks increase efficiency in critical
business functions by supporting faster information transfer and resource
sharing. These benefits often result in direct cost reductions and
productivity increases. Organizations rely on network resources to maintain
cost-efficient operations. Protecting the network-based resources and
services directly affects cost and efficiency. Implementing the controls
necessary to support your security policy and protect your networks makes
your organization more secure and effective.
Figure 9-1. The seven domains of a typical IT infrastructure.
Table 9-1. Network types.
Local area network (LAN)
  Size: A LAN covers a small physical area, such as an office or building.
  Description: LANs are common in homes and businesses and make it easy to share resources such as printers and shared disks.
Metropolitan area network (MAN)
  Size: A MAN connects two or more LANs but does not span an area larger than a city or town.
  Description: MANs are useful to connect multiple buildings or groups of buildings spread around an area larger than a few city blocks.
Wide area network (WAN)
  Size: WANs connect multiple LANs and WANs and span very large areas, including multiple country coverage.
  Description: WANs provide network connections among computers, devices, and other networks that need to communicate across great distances. For example, the Internet is a WAN.
TECHNICAL TIP
There are other types of networks, and you may see a few more terms used to describe
networks. These terms aren't in widespread use but they do describe specific types of
networks. Other types of networks include:
• Personal area network (PAN)—A PAN consists of one or more workstations and its network devices, such as printers, network disk systems, and scanners. A PAN refers to the networked devices one person would likely use and normally does not span an area larger than an office or cubicle.
• Campus area network (CAN)—A CAN is larger than a LAN but generally smaller than a MAN. CANs are useful to connect the LANs across multiple buildings that are all in fairly close proximity to one another.
• Global area network (GAN)—A GAN is a newer term for a super-WAN. A GAN is a collection of interconnected LANs, CANs, MANs, and even WANs that span an extremely large area.
Network Security Controls
Network security controls often focus on limiting access to remote
resources. A local resource is any resource attached to a local computer—
the same computer to which the user has logged on. A remote resource is any
resource attached to another computer on a network that is different from the
computer to which the user is logged on. The user's computer and the remote
computer must be connected to a network to provide access to the remote
resource. Many of the security controls you'll find to protect network
resources are similar to controls found protecting local resources. You'll learn
more about how each type of control works in a Microsoft Windows network
environment in this chapter. The main types of network security controls
include:
• Access controls for protected resources, such as printers and shared folders
• Communication controls to limit the spread of malicious software and traffic
• Anti-malware software on all computers in the network to detect and eradicate malware
• Recovery plans, including backups, for all computers and devices in the network
• Procedures to control network device configuration changes
• Monitoring tools and other detective controls to help detect and stop suspicious network activity
• Software patch management for all computers and devices in the network
Principles of Microsoft Windows
Network Security
A secure Microsoft Windows network allows access on demand to resources
for authorized users while denying access for unauthorized users. While the
goal is similar to securing a single computer, putting that goal into practice
involves more types of controls. Setting up a network exposes all resources
in the network to security threats. Securing a Microsoft Windows network
requires attention to three main types of vulnerabilities:
• Physical and logical access—Locate important computers and devices in physically secure areas and limit access to them. Separate networks logically into smaller segments to control resource access. Logically separating networks is beneficial when you need to keep groups of devices separate. This is common in larger networks.
• Traffic flow—Use firewalls and other types of filters to discard unauthorized traffic on a network. Filters should exist at all network boundaries and between segments to control network ingress and egress.
• Computer and device security—Ensure each computer and device on the network is prepared to handle any known attack. Any computer or device that does not have proper security controls deployed poses a threat to the entire network.
Securing a Microsoft network involves deploying controls that protect all
network components from all known threats. Although that may sound like
a large goal, it's manageable when you approach it in a structured manner.
The first step in understanding how to secure a network is to explore the
most common components of networks.
Common Network Components
The main purpose of any network is to provide users with the ability to access
and share remote resources. Networks use three main types of components to
meet this goal. These components work together to allow users to share
resources and reduce the need for multiple dedicated resources such as
printers, file storage systems, and backup devices. The three main types of
components in networks include:
• Connection media—The adapters and (sometimes) wires that connect components together. Not all connection methods use wires. With wireless devices, radio waves transmit data. So, connection media includes wireless adapters.
• Networking devices—Hardware devices that connect other devices and computers using connection media
• Server computers and services devices—Hardware that provides one or more services to users, such as server computers, printers, and network storage devices
Many physical devices found in networks are actually combinations of several
types of components. These components should work together to provide
easy access to desired resources and still maintain the security of an
organization's information. Figure 9-2 shows common network components.
Figure 9-2. Common components found in networks.
Connection Media
The purpose of any network is to allow multiple computers or devices to
communicate with each other. By definition, networked computers and
devices are connected to one another and have the necessary software to
communicate. In the past, networked computers and devices were connected
using cable. Today's networks contain a mix of cables and wireless
connections. While the technical details of network connections are beyond
the scope of this discussion, it is important to have a general understanding of
a network's components.
There are two options to establish network connections between computers
and devices. You either build your own network or pay another organization
to allow you to use their network for your purposes. The following sections
that cover connection media assume you own the connection media and are
installing the hardware necessary to establish network communications. The
following network connection media options appear most commonly in LANs,
CANs, and MANs, but may be used in other networks as well.
WIRED NETWORK CONNECTIONS
There are four basic cabling options for most physical network connections,
including coaxial cable. Each option has its own advantages and
disadvantages. If you choose to use physical cables for part, or all, of your
network you will have to run cables to each device. Running cables between
devices takes careful planning. Make sure when you explore cabling options
you evaluate the cost of installing all of the cables and connection hardware to
support both your current and future needs. Table 9-2 lists the four basic
cable options, along with the advantages and disadvantages of each one.
WIRELESS NETWORK CONNECTIONS
Wireless connections are very popular in today's network environments,
where flexibility is an important design factor. Wireless connections allow
devices to connect to your network without your having to physically connect
to a cable. This flexibility makes it easy to connect computers, or devices, in
situations where running cables is either difficult or not practical for
temporary connections. The Institute of Electrical and Electronics
Engineers (IEEE) defines standards for many aspects of computing and
communications. IEEE 802.11 defines standards for wireless local area
network (WLAN) communication protocols. A protocol is a set of rules that
govern communication.
Table 9-2. Basic network cabling options.
Unshielded twisted pair (UTP)
  Description: The most common type of network cable, UTP generally consists of two or four pairs of wires. Pairs of wires are twisted around each other to reduce interference with other pairs. The most common type of UTP is category five UTP, which supports 100 megabits per second (Mbps) for two pairs of wires and 1,000 Mbps for four pairs.
  Advantages and disadvantages:
  • Lowest cost
  • Easy to install
  • Susceptible to interference
  • Limited transmission speeds and distances
Shielded twisted pair (STP)
  Description: Same as UTP, but with foil shielding around each pair and optionally around the entire wire group to protect the cable from external radio and electrical interference
  Advantages and disadvantages:
  • Low cost
  • Easy to install
  • More resistant to interference than UTP
  • Same speed limitations but supports longer run lengths
Coaxial
  Description: A single copper conductor surrounded with a plastic sheath, then a braided copper shield, and then the external insulation
  Advantages and disadvantages:
  • Higher cost
  • Difficult to install
  • Very resistant to interference
  • Higher speeds and longer run lengths
Fiber optic
  Description: A glass core surrounded by several layers of protective materials
  Advantages and disadvantages:
  • Highest cost
  • Easy to run cable; installing end connectors requires special tools
  • Immune to radio and electrical interference
  • Extremely high speeds and long run lengths
There are four main protocols currently in the 802.11 standard. As with the
discussion of wired network connections, the technical details are beyond the
scope of this discussion, but it is important to know the basic differences
between different wireless protocols. Table 9-3 lists the four most common
wireless protocols.
Communication Protocol
A communication protocol isn't as complex as the name implies. The technical details of
each protocol can be quite complex but the concept is pretty simple. A protocol is just a
set of rules parties use to communicate. You use protocol rules every day. For example,
suppose you want to invite a person to attend a meeting. If that person is a close friend
you would use an informal greeting and style of conversation. If, on the other hand, the
person is an elected official you would likely use a far more formal greeting and choice
of words. You decide how to communicate based on your own protocol rules. You'll
learn more about computer communication protocols later in this chapter.
Generally, hardware that supports protocols with faster speeds with longer
range costs more than hardware with slower protocols. Your choice of
wireless protocols will likely be based on cost, transmission speed
requirements, and other devices that may cause interference in a specific
frequency.
WARNING
In all cases, allowing wireless connections to your network increases the potential for
unauthorized users to access network resources. If you choose to implement wireless
connections, you must ensure you are using strong access controls and strong wireless
encryption. In other words, use Wi-Fi Protected Access (WPA) as opposed to Wired
Equivalent Privacy (WEP).
Bluetooth is a popular wireless protocol for connecting devices over short
distances. The most popular use of Bluetooth is to create PANs of devices that
communicate with a computer or device. Headsets, mice, and printers are
some examples of devices that commonly support the Bluetooth protocol.
From a security perspective, it is important to consider Bluetooth support for
your computers and devices when you are developing wireless policies and
controls. Bluetooth enabled computers are vulnerable to several types of
wireless attacks unless you protect all wireless connections.
Table 9-3. Common 802.11 wireless standards.
PROTOCOL   MAXIMUM TRANSMISSION SPEED   RANGE (ft) INDOOR/OUTDOOR   FREQUENCY
802.11a    54 Mbps                      115/390                     5 GHz
802.11b    11 Mbps                      125/460                     2.4 GHz
802.11g    54 Mbps                      125/460                     2.4 GHz
802.11n    150+ Mbps                    230/820                     2.4 GHz / 5 GHz
Figure 9-3. Simple network with a single hub.
Networking Devices
Once you decide on the types of connections you'll use for your network you
have to decide how your components connect to one another. Only the
simplest networks with very few devices have every component connected.
With more than just a few devices, this arrangement would make managing
your network connections extremely difficult. Networks in today's
environments use several types of devices to keep connections manageable.
You'll see many different types of devices, but the following two sections
discuss the ones you'll most commonly use.
HUB
The simplest network device is a hub. A hub is simply a box with several
connectors, or ports, that allows multiple network cables to attach to it.
Common hubs have four, eight, 16, or 32 ports. A hub is a hardware repeater.
A hub takes input from any port and repeats the transmission, sending it as
output on every port, including the original input port. Hubs make it easy to
connect many devices to a network by connecting each device to the
hub. Figure 9-3 shows a simple network created using a single hub.
SWITCH
Hubs are inexpensive devices used to connect many computers and devices to
a network. One problem with hubs is that they repeat all network traffic to all
ports. This can cause message collisions and a frequent need to resend
messages. Hubs also tend to contribute to network congestion since every
computer and device receives all network traffic. Networks are designed to
handle collisions and congestion but at the cost of high performance.
A switch can help avoid many collision and congestion issues and actually
speed up networks. A switch is a hardware device that forwards input it
receives only to the appropriate output port.
For example, if Computer A wants to send a message to Computer B, a switch
will only send the message from Computer A's port to Computer B's port. No
other computers ever see the message. As an additional benefit, if Computer C
wants to send a message to Computer F at the same time Computers A and B
are talking, the switch can handle both connections at the same time without
causing a collision. Switches are also more secure since the only computers
that actually see information exchanged over the network are the computers
involved in the transfer. This is more secure than a hub that repeats messages
to all connected computers.
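The difference between a hub and a switch described above, as an added example that is not part of the textbook: a hub repeats every frame to every port, while a switch learns which address sits on which port and forwards only there. The four-host topology, port numbers, and MAC addresses are constructed for the illustration.

```python
# Added illustration (not from the textbook): which hosts receive a copy of a
# frame on a hub versus on a learning switch.
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """A minimal Ethernet-style frame: only the addresses matter here."""
    src_mac: str
    dst_mac: str
    payload: str


class Hub:
    """A hub is a repeater: every frame goes out every port, input port included."""

    def __init__(self, ports):
        self.ports = set(ports)

    def forward(self, in_port, frame):
        # Every attached device receives a copy, so any of them can read it.
        return set(self.ports)


class Switch:
    """A switch learns which MAC address is behind which port from the source
    address of each frame and forwards only to the port where the destination
    was last seen. Unknown destinations are flooded (except the input port)."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.mac_table = {}  # MAC address -> port

    def forward(self, in_port, frame):
        self.mac_table[frame.src_mac] = in_port  # learn the sender's location
        out = self.mac_table.get(frame.dst_mac)
        if out is None or out == in_port:
            return self.ports - {in_port}  # destination unknown: flood
        return {out}


def observers(device, in_port, frame, attached):
    """Names of the hosts that receive a copy of `frame`.
    `attached` maps port number -> host name (constructed sample topology)."""
    return {attached[p] for p in device.forward(in_port, frame)}


# Constructed sample topology: hosts A..D on ports 1..4.
HOSTS = {1: "A", 2: "B", 3: "C", 4: "D"}
MACS = {"A": "aa:aa", "B": "bb:bb", "C": "cc:cc", "D": "dd:dd"}


def demo():
    """A talks to B twice and B replies once; compare who can see each frame."""
    hub, sw = Hub(HOSTS), Switch(HOSTS)
    a_to_b = Frame(MACS["A"], MACS["B"], "hello B")
    b_to_a = Frame(MACS["B"], MACS["A"], "hello A")
    return {
        "hub": observers(hub, 1, a_to_b, HOSTS),            # everyone
        "switch_first": observers(sw, 1, a_to_b, HOSTS),    # flooded: B unknown
        "switch_reply": observers(sw, 2, b_to_a, HOSTS),    # only A's port
        "switch_second": observers(sw, 1, a_to_b, HOSTS),   # only B's port
    }


if __name__ == "__main__":
    for name, hosts in demo().items():
        print(f"{name:14} -> {sorted(hosts)}")
```

The first frame through the switch is still flooded because the switch has not yet seen B's address; once B has sent anything, later frames between A and B are seen by nobody else. A hub never gets past the first case.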
ROUTER
A router is another network device that connects two or more separate
networks. A router can connect networks of any type as long as they use the
same protocols. Routers are more intelligent than switches and actually
inspect the address portion of the packets on your network. The router
examines the destination address and then forwards the packet to the correct
outbound port. Routers can be standalone hardware devices or computers
with multiple network interfaces running routing software.
Routers also provide an important security capability. You can define rules for
each router that tell the router how to filter network traffic. You can restrict
which packets are allowed to flow through the network. Routers give the
ability to aggressively control how users and applications use the network.
GATEWAY
A gateway is a network device that connects two or more separate networks
using different protocols. Networks using different protocols may include
wired LANs, wireless LANs, and WANs. A gateway can perform many of the
tasks a router performs but also has the ability to translate network packets
from one protocol to another. Since it translates messages between protocols,
a gateway is much more complex than either a router or a switch.
One of the most common types of gateways is one that connects a LAN to the
Internet. This type of gateway is often called an Internet gateway. Gateways
are necessary anytime you want to connect two networks that use different
protocols. Gateways provide the same filtering capabilities of routers, and
much more. Gateways analyze more than just the destination address and
port of each message. Since the gateway has to translate an entire message
from one protocol to another, detailed rules can be set up to filter out
inappropriate traffic.
Server Computers and Services Devices
Networks provide easy access to shared resources and shared services.
Centralized services make it possible for multiple users to share information
and physical resources at a lower cost than duplicating information or
purchasing devices for every workstation. Examples of shared resources
include:
• File storage
• Printer and print services
• Central database and document management systems
• Central authentication services
NETWORK FILE SERVER
One common service present in even the earliest networks is the file sharing
service. A file server is a computer or hardware device that has at least three
distinct components:
• One or more connected hard disk drives
• A network interface
• Software to provide network access to files and folders on the attached disks
In the past, most file servers were computers that managed shared folders or
file systems. The file server managed connections and supported authorized
read/write access to its disks by remote users. Computer-based file servers
are still in widespread use, but standalone hardware devices with internal
hard disk drives are becoming more popular. A file server's main purpose is to
provide secure access to its disk drives for remote users.
NETWORK PRINT SERVER
A print server provides the interface between the network and one or more
printers. Like file servers, the actual server can be a computer or a standalone
hardware device. In either case, the print server accepts print jobs from
authorized users and processes them. That means the print server may
contain the intelligence to store multiple print jobs and provide advanced
abilities to manage the printing process. Print servers vary widely in
capabilities but all generally exist to allow multiple remote users to share
printers.
DATA STORAGE
Network data storage may sound like the service the file server provides but
the two services are distinct. A file server only stores files. A data storage
server organizes data and attempts to make it more accessible than just a list
of files. Data storage software includes database management systems and
document management systems. Both types of management software provide
efficient, effective centralized access to data and documents for remote users.
Another substantial difference between file servers and data storage products
is that data storage products generally provide far greater control over access
authorization. File servers can control access to individual folders and files,
but data storage software can control access to the contents of files. Database
management systems and document management systems often provide their
own features to maintain and authorize users and requests. These systems
manage large amounts of data and can grant or deny access to individual
pieces of information stored inside very large files. The advantage of
databases and document management systems is they can provide fast and
efficient access to large amounts of data while maintaining security of the data
down to a very specific level.
APPLICATION SERVICES
Application servers are computers that run application programs on behalf
of remote users. Instead of having remote users install and run programs, a
user can request that an application server run the program and return the
results. There are several advantages to using application servers:
1. Software does not need to be installed on every user's computer; one
license supports all users on one server (or several servers).
2. Updating software is easier; only application servers need to be
updated.
3. Programs running on application servers tend to be closer to the
database servers that store the data they need to run. Running
programs on servers that are close to database servers can make
accessing data much faster.
4. Since the database sends less data to the users' computers, more data
stays inside an organization's secure network.
5. Server computers generally have the ability to serve many users
efficiently, speeding up application programs.
Many of today's application programs rely on distributed design, which means
at least part of the application runs on an application server. This application
model gets a lot of attention from developers and attackers alike. Be sure to
secure application servers along with the other components of your network.
FIREWALLS
A firewall is a common network component. It filters network traffic to block
suspicious packets or messages. A firewall examines all network traffic and
compares it to predefined rules. Firewall rules tell the firewall software
whether to forward or deny traffic. After matching traffic to its rules, a firewall
should drop or reject any network messages that are unauthorized or
suspicious. So, much of a firewall's effectiveness is based on its rules.
Firewalls run as software on computers, or as standalone devices. Either way,
the firewall needs at least two network adapters to separate incoming traffic
from outgoing traffic. Routers and gateways often include firewall
functionality and the ability to filter traffic before forwarding it.
One very useful application of firewalls is to separate your organization's
secure networks from its unsecure networks. This is most useful when you
want to separate your Internet access point from the secure network. Many
organizations want to expose some services to the Internet while maintaining
separation from the internal network. Firewalls make this scenario possible.
Many organizations use two firewalls to create an untrusted network that
Internet users can access, and a trusted network for secure resources. The
two networks are connected, but separated by a firewall.
The untrusted network is called a demilitarized zone (DMZ). The DMZ is a
convenient place for Web servers, File Transfer Protocol (FTP) servers, or any
servers you want unauthorized users to access without being able to get into
your trusted network. Figure 9-4 shows a DMZ with two firewalls.
Many firewalls provide the ability to translate an external IP address into an
internally mapped IP address. The firewall stores a table that allows the
software to translate the IP address for incoming and outgoing traffic. This
feature, called network address translation (NAT) hides the true IP address
of internal computers from outside nodes. External nodes only see a generic
IP address. The firewall receives traffic from the external IP address and
changes the destination IP address to route the message to the correct
internal IP address.
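The two firewall behaviours described above, rule matching with a default deny and network address translation, as an added example that is not from the textbook and does not represent any particular firewall product. The DMZ and LAN address ranges, the public address, the rules, and the sample packets are all constructed for the illustration.

```python
# Added illustration (not from the textbook): a first-match packet filter with a
# default-deny fallback, plus a static NAT table in front of a DMZ web server.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))


def evaluate(rules, pkt):
    """Action of the first matching rule; anything unmatched is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


class StaticNat:
    """Maps one public address to internal hosts by destination port, and
    rewrites replies so only the public address is ever visible outside."""

    def __init__(self, public_ip, port_map):
        self.public_ip = public_ip
        self.port_map = dict(port_map)  # dport -> internal IP

    def inbound(self, pkt):
        if pkt.dst == self.public_ip and pkt.dport in self.port_map:
            return replace(pkt, dst=self.port_map[pkt.dport])
        return pkt

    def outbound(self, pkt):
        if pkt.src in self.port_map.values():
            return replace(pkt, src=self.public_ip)
        return pkt


# Constructed sample policy: the Internet may reach the DMZ web server on
# 80/443, nothing from outside may reach the trusted LAN, all else is denied.
DMZ, LAN = "10.10.0.0/24", "10.20.0.0/24"
RULES = [
    Rule("allow", dst_net=DMZ, proto="tcp", dport=80),
    Rule("allow", dst_net=DMZ, proto="tcp", dport=443),
    Rule("deny", dst_net=LAN),
]
NAT = StaticNat("203.0.113.10", {80: "10.10.0.5", 443: "10.10.0.5"})


def process_inbound(pkt):
    """Translate first, then filter: (action, packet as the DMZ host sees it)."""
    translated = NAT.inbound(pkt)
    return evaluate(RULES, translated), translated


def demo():
    """Run a few constructed packets through NAT and the rule set."""
    client = "198.51.100.7"  # constructed external address
    web = process_inbound(Packet(client, NAT.public_ip, "tcp", 80))
    telnet = process_inbound(Packet(client, NAT.public_ip, "tcp", 23))
    lan = process_inbound(Packet(client, "10.20.0.9", "tcp", 445))
    reply = NAT.outbound(Packet("10.10.0.5", client, "tcp", 44321))
    return {"web": web[0], "web_internal_dst": web[1].dst,
            "telnet": telnet[0], "lan": lan[0], "reply_src": reply.src}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:17} {v}")
```

The telnet packet is dropped not by an explicit rule but by the default deny, which is the property that makes a rule set safe to extend: anything the administrator did not think of is blocked rather than forwarded. The outbound rewrite is what keeps the internal address 10.10.0.5 invisible to the external client.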
Figure 9-4. DMZ with two firewalls.
The main principle of Microsoft Windows network security is to ensure you
enforce the Availability, Integrity, Confidentiality (A-I-C) Triad properties for
your information. Design the controls for the network media, traffic flow, and
network computers and devices to ensure a secure environment and
information.
Microsoft Windows Security Protocols
and Services
Every computer or device connected to a network is called a node. Nodes
communicate with one another by agreeing on a set of communication rules
called a protocol. A communication protocol sets the rules for how nodes
construct, send, receive, and interpret messages. Each protocol serves a
specific purpose and has its own structure for constructing and addressing
messages. In fact, several protocols are necessary to transport a message
from one application to an application running on a remote computer. The
physical media has one way of handling data, the network addressing
software uses a different protocol, and applications use yet another set of
rules to communicate.
Most discussions of network protocols include a discussion of the Open
System Interconnection (OSI) reference model. The OSI reference
model is a generic description for how computers use multiple layers of
protocol rules to communicate across a network. The OSI reference model
defines seven different layers of communication rules. You'll also likely
encounter another popular reference model, the Transmission Control
Protocol/Internet Protocol (TCP/IP) reference model, when discussing
network protocols. The TCP/IP reference model defines four different
layers of communication rules. Both models are useful to describe how
protocols work and how to implement them in network
communications. Figure 9-5 shows the TCP/IP reference model and the
OSI reference model.
Protocols provide the ability for applications to exchange information with
other applications on other computers. For example, most Web browser
applications communicate with a Web server application using
the Hypertext Transport Protocol (HTTP). Web browsers can use
other protocols, but HTTP is the most common protocol for regular Web
pages. The Web browser passes the message to the networking software
layer. That layer handles the details of breaking the message into smaller
packets suitable for networks, addressing the target machine, and routing
the request across the network to ensure it arrives.
A common networking protocol is Transmission Control
Protocol/Internet Protocol (TCP/IP). TCP/IP is actually a
combination of two separate protocols, but they work together in so many
environments that they are often referenced as a single protocol.
Finally, the networking software passes the messages off to the software
that physically controls the hardware that sends the data using physical
media. This is the software and hardware that creates the radio
transmission for wireless networks or electrical signals for Ethernet.
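The layering described above, in which each layer adds its own header and hands the result down as opaque payload, as an added example that is not from the textbook. The three layers, the header fields, and the addresses are a simplified constructed model, not real TCP, IP, or Ethernet formats.

```python
# Added illustration (not from the textbook): one application message walked
# down a three-layer stack on the sender and back up on the receiver.
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:          # transport layer: sequence numbers allow reassembly
    seq: int
    total: int
    data: bytes


@dataclass(frozen=True)
class Packet:           # network layer: addressing between networks
    src_ip: str
    dst_ip: str
    segment: Segment


@dataclass(frozen=True)
class Frame:            # link layer: addressing on the local medium
    src_mac: str
    dst_mac: str
    packet: Packet


def send(message: bytes, src_ip, dst_ip, src_mac, dst_mac, mss=16):
    """Break the message into segments, wrap each in a packet, then a frame.
    Each layer only adds its own header; it never looks inside the payload."""
    total = math.ceil(len(message) / mss)
    frames = []
    for seq in range(total):
        seg = Segment(seq, total, message[seq * mss:(seq + 1) * mss])
        pkt = Packet(src_ip, dst_ip, seg)
        frames.append(Frame(src_mac, dst_mac, pkt))
    return frames


def receive(frames, my_mac, my_ip):
    """Strip one header per layer, discarding anything not addressed to this
    node at that layer, then reassemble the message in sequence order."""
    segments = {}
    for fr in frames:
        if fr.dst_mac != my_mac:      # link layer: not for this interface
            continue
        pkt = fr.packet
        if pkt.dst_ip != my_ip:       # network layer: not for this host
            continue
        segments[pkt.segment.seq] = pkt.segment
    if not segments:
        return None
    total = next(iter(segments.values())).total
    if len(segments) != total:        # transport layer: a segment was lost
        return None
    return b"".join(segments[i].data for i in range(total))


def demo():
    """Constructed HTTP request sent from a browser host to a web server."""
    msg = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    frames = send(msg, "10.0.0.5", "10.0.0.80", "aa:aa", "ss:ss")
    # Frames may arrive out of order; the sequence numbers put them back.
    delivered = list(reversed(frames))
    ok = receive(delivered, "ss:ss", "10.0.0.80")
    other_host = receive(delivered, "ss:ss", "10.0.0.99")
    lost_one = receive(delivered[1:], "ss:ss", "10.0.0.80")
    return len(frames), ok, other_host, lost_one


if __name__ == "__main__":
    n, ok, other, lost = demo()
    print(n, "frames;", ok == b"" or ok is not None, other, lost)
```

The point to notice is the asymmetry: the link layer checks only `dst_mac`, the network layer only `dst_ip`, and only the transport layer knows that four segments make one message. A filtering device that works at the network layer sees addresses but not the application data, which is why the text calls for application-aware gateways when the rules must look deeper than addresses and ports.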
It is important to know the protocols your systems and applications use.
You can change many protocol settings to make your systems more secure.
You'll learn more about the specific protocol settings to use in the
hardening chapters. For now, you should be aware of the most common
protocols and the ones that relate most directly to security. Table 9-4 shows
a list of common protocols and how each one relates to your environment's
security.
Figure 9-5. TCP/IP and OSI reference models.
Layered Protocols in Real Life
The idea of layered protocols sounds complex. It really reflects what happens in
human-to-human communication. Layers and translations are used in subtle ways
every time you talk with a different person. Here's an example that demonstrates the
obvious need for multiple layers.
Consider how ambassadors communicate in the United Nations. Assume the U.S.
ambassador wants to send a written note to the ambassadors of China, Russia, and
Italy. In this example the protocol rule in place requires all written messages to be
presented in French. Here is how the message travels through the U.N.:
1. The U.S. ambassador writes a message in English, then hands the message to a
translator (the ambassador layer passes the message to the translator layer).
2. The translator translates the message into French, then hands it to an aide to
take to the mailroom (the translator layer passes the message to the aide layer).
3. The aide makes three copies of the message, addresses each copy and places the
messages in the U.S. outbox in the mailroom (the aide layer duplicates and
passes the messages to the mailroom clerk layer).
4. The mailroom clerk picks up the messages from the U.S. outbox and places them
in the appropriate inboxes for China, Russia, and Italy (the mailroom clerk
handles the physical transfer).
5. An aide for each country, (China, Russia, and Italy), picks up the message and
delivers it to the translator (the aide layer collects a message from the mailroom
and passes it to the translator layer).
6. The translator translates the message from French into the country's national
language and gives it to the ambassador (the translator layer translates the
message and passes it to the ambassador layer).
7. The ambassador for each country reads the message and takes appropriate
action.
Figure 9-6. Message flow in the U.N. example.
Table 9-4. Common network communication protocols.

PROTOCOL: Telnet
DESCRIPTION: Protocol used for connecting terminals to servers. Sends text to and from the server. Telnet is useful for remote administration using command-line utilities.
SECURITY NOTES: Telnet sends all information, including usernames and passwords, in readable text. Telnet should always be considered insecure and not used.

PROTOCOL: SSH (Secure Shell)
DESCRIPTION: Similar to Telnet, except messages are encrypted. Useful for secure remote system administration using command-line utilities.
SECURITY NOTES: Older versions, such as 1.X, contain documented vulnerabilities. Newer versions are secure for most uses.

PROTOCOL: HTTP (Hypertext Transfer Protocol)
DESCRIPTION: Used for most Web browser/Web server communication.
SECURITY NOTES: All data is sent in the clear. HTTP is not appropriate for confidential data.

PROTOCOL: HTTPS (Hypertext Transfer Protocol Secure)
DESCRIPTION: Secure HTTP. Useful for exchanging confidential information between Web browsers and Web servers.
SECURITY NOTES: HTTPS uses SSL/TLS to provide encryption services. Ensure your Web server is using SSL version 3.X or TLS.

PROTOCOL: SSL/TLS (Secure Socket Layer/Transport Layer Security)
DESCRIPTION: SSL is the predecessor of TLS. Both protocols provide encryption for application layer protocols, such as HTTPS.
SECURITY NOTES: TLS is the most secure. Do not use versions 1.X or 2.X of SSL. Only use SSL 3.X or TLS unless your application does not support newer versions.

PROTOCOL: TCP/IP (Transmission Control Protocol/Internet Protocol)
DESCRIPTION: The most common protocol pair for Internet communication.
SECURITY NOTES: TCP/IP is a frequent target for attackers since it is used in so many applications. Use helper protocols, such as TLS, to secure TCP/IP communications and filters to detect malicious traffic.

PROTOCOL: UDP (User Datagram Protocol)
DESCRIPTION: Another common protocol used in place of IP when persistent connections are not necessary or desirable.
SECURITY NOTES: Use the same precautions as TCP/IP. Use UDP with other protocols and filters.

PROTOCOL: IPSec (Internet Protocol Security)
DESCRIPTION: A protocol suite used to secure IP communication by encrypting each IP packet.
SECURITY NOTES: IPSec secures any messages that use IP to communicate. IPSec is transparent to applications that use it.

PROTOCOL: PPP (Point-to-Point Protocol)
DESCRIPTION: Protocol to establish a direct connection between nodes.
SECURITY NOTES: PPP includes the ability to encrypt and authenticate messages.

PROTOCOL: PPTP (Point-to-Point Tunneling Protocol)
DESCRIPTION: One of three common protocols used for virtual private networks (VPNs).
SECURITY NOTES: PPTP relies on PPP's encryption and authentication features to provide a VPN for applications that use TCP.

PROTOCOL: L2TP
DESCRIPTION: Another common protocol used for VPNs.
SECURITY NOTES: Operates at a lower level than PPTP and must rely on a higher level protocol, such as IPSec, to provide encryption. L2TP relies on UDP to transport messages.

PROTOCOL: SSTP (Secure Socket Tunneling Protocol)
DESCRIPTION: New VPN protocol that uses SSL/TLS to encrypt HTTP traffic in a tunnel.
SECURITY NOTES: SSTP overcomes limitations that PPTP and L2TP messages have with firewalls and NAT devices. SSTP has no conflicts with NAT translation.

PROTOCOL: WEP (Wired Equivalent Privacy)
DESCRIPTION: Older protocol for securing wireless network traffic.
SECURITY NOTES: Legacy protocol to encrypt wireless network traffic. Better than nothing, but not sufficient to secure confidential information.

PROTOCOL: WPA (Wi-Fi Protected Access)
DESCRIPTION: WPA and WPA2 are more secure protocols than WEP, with stronger encryption for wireless network traffic.
SECURITY NOTES: The latest version of WPA, WPA2, is based on AES encryption and supports several modes for varying needs of encryption security.

PROTOCOL: Kerberos
DESCRIPTION: Protocol that network nodes can use to authenticate themselves to one another over an insecure network.
SECURITY NOTES: Windows uses Kerberos as a default authentication protocol.
Windows uses protocols to communicate with other nodes across a
network. This allows a program running on one computer to communicate
with a program on another computer. It is common that the program on at
least one end of a communication channel is a Windows service. A
Windows service is a long-running program that performs a specific set of
functions, such as a firewall, database server, or a Web server. Services
generally run without requiring user intervention and commonly run on
server computers. Most services that provide network related functions
monitor one or more ports. A port is a numeric identifier that programs
use to classify network messages.
technical TIP
Most Web traffic is directed to port 80 on a server computer. When a server receives a
Web-related message it redirects the message to the service that monitors port 80.
Most likely, any service that monitors port 80 is a Web server.
Securing Microsoft Windows
Environment Network Services
Securing services is an important step in securing Windows computers.
Services are often powerful programs that can be dangerous if an attacker
takes control. Since services are just programs, they can contain
programming errors and vulnerabilities. While there are many specific
configuration strategies to secure each type of service, there are three high-level
strategies that will keep all your services more secure. These strategies
include keeping all service software up to date, limiting the permissions
granted to service user accounts, and removing unneeded services.
Service Updates
Before enabling any service, develop a plan for keeping the service up to date.
Service programs generally run for long periods of time waiting for requests.
The services commonly monitor communication ports for requests and
respond anytime they receive messages. Attackers know which services are in
widespread use and they also know how to find out if you are running any
services of interest. Whenever attackers uncover new vulnerabilities, they
generally share the information with other potential attackers and start
looking for vulnerable systems.
Once a new vulnerability surfaces, it is important to mitigate it as soon as
possible. You can mitigate many vulnerabilities using compensating controls.
The best way to address a vulnerability is to remove it. Many updates to service
software do just that. Keep current on the latest releases available for any
services you run. Keeping Windows updated with the latest service packs will
keep many services up to date, but will not address any non-Microsoft
services you run. If you run any non-Microsoft services, such as the Apache
Web server or an Oracle database, you'll need to consult their Web sites for
update information. Keeping your services up to date will help maintain your
environment's security.
Service Accounts
Recall that Windows defines rights and permissions based on user accounts.
Windows runs every program as a specific user. That means even services run
as a user. By default, many services run as a local admin account. If an attacker
can exploit a vulnerability and compromise a service, it is possible the attacker
could assume the identity of the user running the service. For this reason, it is
important to run each service as a user that possesses the minimum privileges
necessary to perform the service's functions.
WARNING
Avoid using a domain admin account for any service. If a domain admin account is used,
an attacker can jeopardize an entire network by compromising a service running on
your least secure computer.
Carefully review the user account used for each service. You can see which
user Windows uses for each service in the Services MMC snap-in. You can use
these steps to access the Service Properties:
1. Choose the Windows Start button then select Administrative Tools >
Services.
2. Select a service, open the Context Menu (right mouse click), then select
Properties.
3. Choose the Log On tab to view or change the user account Windows
uses to run the service.
Instead of using default accounts for services, create one or more user
accounts that limit what services can do. Here are guidelines for creating
secure accounts for services:
• Create a new account, with leading underscores in the name (this makes
  it easier to identify service accounts).
• Use strong passwords.
• Revoke all logon rights for local and remote logons.
• Set the Password Never Expires property.
• Set the User Cannot Change Password property.
• Remove the user from all default groups.
• Assign the minimum privileges necessary to run services.
These guidelines will help create user accounts that are safer for services. Any
service compromise will have less impact than a service using a local or
domain admin account. Be sure to test the new accounts extensively. Be sure
to grant sufficient permission to the user for the service to perform all the
necessary tasks.
Necessary Services
The best way to secure a specific service is to disable, or even remove it. If the
service isn't running, it isn't providing any functionality. If a service is not
needed on a computer, stop it from running. It is important to disable unused
services. Since a service monitors one or more communications ports, each
service is a potential point of attack. Start only the necessary services.
For Windows Server 2008 computers, only enable the role(s) you need the
computer to perform. Windows will not install services that do not fit a
specific role. For example, if you don't need a Web server running on a
computer, don't enable the Web server role. A server that doesn't have
Internet Information Services (IIS) installed is immune to IIS vulnerabilities.
For both Windows 7 and Windows Server 2008, review all of the services in
the Services MMC snap-in. Ensure that you need each running service.
Figure 9-7. Windows Services startup options.
If a service is not needed, there are several steps you can take:
• Stop it—Stop a service in the Services snap-in. Change its Startup Type
  to Manual to disable the service from starting automatically when the
  system boots.
• Disable it—Change the Startup Type to Disabled to tell Windows not to
  start a service.
• Remove it—If an unneeded service is installed on a computer, remove
  the software for the service. The procedure to remove a service depends
  on the type of service.
Figure 9-7 shows the startup options in the Services MMC Snap-in.
Regardless of your mitigation actions, take the time to review all of the
services your computers run. Ensure each running service is necessary for
that computer to accomplish its goals. Stop any unnecessary services. Each
service you stop removes another potential attack point from your
environment.
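As an added example (not part of the textbook), the following PowerShell script audits the three points raised in the Service Accounts and Necessary Services sections: the account each service runs as, whether it starts automatically, and which TCP ports it listens on, and then lists the services that need review. It assumes an elevated PowerShell 3.0 or later session, Get-NetTCPConnection (Windows 8 / Server 2012 and later), and a constructed approved-service list and domain admin group name.

```powershell
# Added example (not from the textbook): audit every Windows service for the
# account it runs as, its startup mode and the TCP ports it listens on.
# Assumptions: elevated PowerShell 3.0+; Get-NetTCPConnection needs Windows 8 /
# Server 2012 or later (on Windows 7 / Server 2008 parse `netstat -ano` instead);
# the approved-service list and the domain admin group name are constructed.

$ApprovedServices = @('EventLog', 'MpsSvc', 'wuauserv', 'Dnscache', 'W32Time')
$DomainAdminGroup = 'Domain Admins'

# Members of the domain admin group, if the ActiveDirectory module is available;
# otherwise the check below falls back to built-in account names only.
$DomainAdmins = @()
if (Get-Command Get-ADGroupMember -ErrorAction SilentlyContinue) {
    $DomainAdmins = Get-ADGroupMember -Identity $DomainAdminGroup -Recursive |
        ForEach-Object { $_.SamAccountName.ToLower() }
}

# Classify the account a service logs on with.
function Get-ServiceAccountRisk {
    param([string]$StartName)
    if (-not $StartName) { return 'Unknown' }
    $name = $StartName.ToLower()
    # Reduce DOMAIN\user or user@domain to the bare user name.
    $user = $name
    if ($name -match '^(.+)\\(.+)$')    { $user = $Matches[2] }
    elseif ($name -match '^(.+)@(.+)$') { $user = $Matches[1] }
    if ($user -in $DomainAdmins)   { return 'DomainAdmin' }   # the WARNING case
    if ($user -eq 'administrator') { return 'LocalAdmin' }
    if ($name -in @('localsystem', 'nt authority\system')) { return 'LocalSystem' }
    if ($name -in @('nt authority\localservice', 'nt authority\networkservice')) { return 'Low' }
    return 'Custom'   # dedicated service account: verify its rights are minimal
}

# Listening TCP ports keyed by owning process id (cast to [int] so keys compare).
$ListenByPid = @{}
foreach ($c in Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue) {
    $id = [int]$c.OwningProcess
    if (-not $ListenByPid.ContainsKey($id)) { $ListenByPid[$id] = @() }
    $ListenByPid[$id] += [int]$c.LocalPort
}

$Report = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $id = [int]$svc.ProcessId     # 0 for a stopped service
    $ports = if ($id -ne 0 -and $ListenByPid.ContainsKey($id)) {
        ($ListenByPid[$id] | Sort-Object -Unique) -join ','
    } else { '' }
    [pscustomobject]@{
        Name        = $svc.Name
        State       = $svc.State
        StartMode   = $svc.StartMode
        RunsAs      = $svc.StartName
        AccountRisk = Get-ServiceAccountRisk $svc.StartName
        ListenPorts = $ports
        Approved    = $svc.Name -in $ApprovedServices
    }
}

# Review list: anything on a domain or local admin account, plus running or
# auto-starting services that nobody has approved for this machine.
$Report |
    Where-Object { $_.AccountRisk -in 'DomainAdmin', 'LocalAdmin' -or
                   (-not $_.Approved -and ($_.State -eq 'Running' -or $_.StartMode -eq 'Auto')) } |
    Sort-Object AccountRisk, Name |
    Format-Table Name, State, StartMode, RunsAs, AccountRisk, ListenPorts -AutoSize

# Once a service is confirmed unnecessary, stop it and keep it from starting at
# boot (constructed service name; uncomment to apply):
# Stop-Service -Name 'ExampleUnneededSvc' -Force
# Set-Service -Name 'ExampleUnneededSvc' -StartupType Disabled
```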
Securing Microsoft Windows Wireless
Networking
Securing your wireless network is a crucial step in securing your overall
Windows environment. Allowing unsecured wireless access to your
Windows network can provide easy access for attackers and undermine
your efforts to secure your environment. Wireless access makes it easier for
anyone to connect to your network even from outside your physical
environment. An attacker armed with a notebook computer and a wireless
card can access an unsecured wireless network from as much as several
hundred feet away from the access point. You can't rely on any physical
security measures to protect your wireless networks, as you can with wired
connections.
There are several steps you can take to secure wireless networks. The actual
steps you take to enable each of the following suggestions depend on your
wireless hardware manufacturer. However, all current wireless devices
provide the ability to make your wireless network more secure. For specific
instructions for your hardware consult the hardware manufacturer's Web
site or user guide. Follow these guidelines to make any wireless network
more secure:
• Use WPA or WPA2 encryption—Do not use WEP unless your wireless
  access point does not support WPA/WPA2. Security professionals have
  demonstrated they can compromise WEP in a matter of minutes.
  WPA/WPA2 is the only secure protocol you should consider for
  confidential information available on a wireless network.
• Use Media Access Control (MAC) address filtering—Most wireless
  access points allow you to define valid MAC addresses. If you enable
  MAC address filtering, only valid MAC addresses can connect to the
  wireless network. MAC address filtering does make administration
  more difficult and attackers can spoof MAC addresses, but adding layers
  of controls makes the environment safer.
• Disable Service Set Identifier (SSID) broadcast—Many attackers scan
  for potential victim networks by collecting information for all networks
  broadcasting Service Set Identifiers (SSIDs). Turning off the SSID
  broadcast doesn't make your network more secure but it makes it less
  visible to casual scanners.
• Limit outside eavesdropping—Each wireless access point has an
  effective transmission range. You can move the devices away from
  external walls to make it harder to use a signal outside your physical
  environment. Locate your wireless devices as far away from external
  walls as possible while still providing ample coverage for your
  organization's users.
• Physically separate wireless networks by purpose—Many
  organizations deploy at least two wireless networks. One wireless
  network is secure and requires each new device and user to register
  with an administrator before getting access. This wireless network
  would likely provide access to the organization's internal network.
  Another wireless network uses fewer controls and makes it easy for
  guests to connect. This second wireless network would likely only
  connect to an Internet bridge. This approach makes it easy to give
  guests Internet access without exposing your organization's network.
WARNING
If you do not turn on the security features of your wireless Internet devices, you may be
the victim of Wi-Fi Jacking. This occurs when attackers walk or drive through business
areas (and neighborhoods) and identify unprotected wireless LANs from the street
using a laptop or a handheld computer. When they find an unprotected network, they
can hijack that wireless connection to download illegal materials, send spam, etc. They
can also use their connection to the wireless network to hack into other computers on
the LAN to steal information and identities.
Limiting access to wireless networks makes your environment far more
difficult for attackers to compromise. Wireless security is only one layer in
your overall security plan, but it is an important one.
Microsoft Windows Desktop Network
Security
Windows desktop computers operate in the Workstation Domain in the IT
Infrastructure and generally operate as clients in network communications.
That means desktop computers generally initiate communication by
sending requests to servers in another domain. The main areas of focus
with respect to desktop network security should be user authentication and
authorization, malicious software protection, and outbound traffic
validation.
User Authorization and Authentication
Users can only do what you allow them to do. One of the best ways to keep
attackers away from your network is to keep them away from your
workstations. In addition to physical controls to limit unauthorized access to
workstations, it is important to aggressively protect workstations from
unauthorized logons. This means deploying a user account policy that makes
it difficult for an attacker to log on as an authorized user. Here are some
guidelines to protect your workstations from unauthorized access:
• Train all users on how to create strong passwords and protect user
  account credentials.
• Require unique user accounts with strong passwords for each user.
• Use the principle of least privilege to grant minimal rights and
  permissions to users.
• Audit failed access attempts.
• Audit all logons for privileged accounts.
• Enable account lockout after five failed logon attempts.
• Explore alternate authentication methods. For more privileged users or
  workstations, consider multifactor authentication.
• Remove or disable unused user accounts.
• Disable remote access.
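As an added example (not from the textbook), this PowerShell script applies the lockout and auditing guidelines above to a locally managed workstation and then lists enabled local accounts that have not logged on recently so they can be disabled. It assumes elevated PowerShell 5.1 for Get-LocalUser; on domain members these settings normally come from Group Policy, and the 90-day cut-off is constructed.

```powershell
# Added example (not from the textbook): lockout policy, logon auditing and
# stale-account review for a locally managed Windows workstation.
# Assumptions: elevated PowerShell 5.1 (Get-LocalUser / Disable-LocalUser);
# the 90-day cut-off is constructed and should follow your own policy.

# Lock the account after five failed attempts, keep it locked for 30 minutes,
# and reset the failed-attempt counter after 30 minutes.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# Audit failed logons and lockouts (Security events 4625 and 4740) and
# successful privileged logons (event 4672, the "Special Logon" subcategory).
auditpol /set /subcategory:"Logon" /failure:enable
auditpol /set /subcategory:"Account Lockout" /failure:enable
auditpol /set /subcategory:"Special Logon" /success:enable

# Enabled local accounts with no logon in the last 90 days are candidates to
# disable; accounts that never logged on have a null LastLogon.
$Cutoff = (Get-Date).AddDays(-90)
Get-LocalUser |
    Where-Object { $_.Enabled -and ($_.LastLogon -eq $null -or $_.LastLogon -lt $Cutoff) } |
    Select-Object Name, LastLogon, PasswordLastSet |
    Format-Table -AutoSize

# To disable an account after review (constructed name; uncomment to apply):
# Disable-LocalUser -Name 'ExampleStaleUser'
```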
Malicious Software Protection
A popular attack vector for central servers is to compromise a trusted
workstation using malicious software. A workstation is often easier to
compromise than a server due to the relative lack of attention to security
controls. Workstations are frequent targets for attacks. Don't forget to
consider all workstations that will access your organization's environment.
This includes remote workstations. Remote workstations can be very difficult
to manage but you cannot overlook the security risks associated with any
workstation.
You should require that all workstations have anti-malware software installed
before you allow them to connect to your environment. This includes
antivirus and anti-spyware software. Ensure the software and the software's
signature databases are up to date. You can use Group Policy to enforce this
requirement. You should also create a schedule to scan workstations for
malicious software. Just because the software is present doesn't mean the
computer is clean. Proactively scan workstations at least weekly, in addition
to running active anti-malware shield software, to keep your workstation
environment as clean as possible.
Outbound Traffic Filtering
Despite your best efforts, it is possible that one or more of your workstations
may be compromised. One popular attack when targeting workstations is to
place on a workstation malicious software that creates a flood of messages.
Since the workstations inside your network are trusted nodes, your network
will accept the traffic. There are several attacks that send a large volume of
network messages that end up flooding the network and making it unusable
for legitimate traffic. Attacks of this type are called denial of service
(DoS) attacks. The result of a successful DoS attack makes information
unavailable to authorized users since the network is too saturated to respond.
If the attack coordinates with other compromised workstations it is called
a distributed denial of service (DDoS) attack.
You can protect your network from many DoS and DDoS attacks by
configuring each workstation's firewall to filter outbound traffic. Most DoS
and DDoS attacks create traffic that a firewall can easily recognize and refuse
to pass onto the network. Although your workstation has still been
compromised, the attack is not effective if the traffic doesn't make it to the
network. Make sure all workstations have active and up to date firewall rules
that filter incoming and outgoing traffic for known suspicious packets.
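Added example, not from the textbook: enabling default-deny outbound filtering on a workstation with Windows Firewall, and summarising the dropped outbound packets from its log so that a host flooding the network stands out. It assumes elevated PowerShell with the NetSecurity module (Windows 8 and later); the allow rule, the sample log lines and the threshold are constructed.

```powershell
# Added example (not from the textbook): outbound filtering on a workstation and a
# summary of what the firewall dropped, so a compromised host that starts flooding
# the network is both contained and visible.
# Assumptions: elevated PowerShell on Windows 8 or later (NetSecurity module);
# the program path, sample log lines and threshold are constructed.

# 1. Create the outbound allow rules the workstation needs BEFORE switching the
#    default to Block. One constructed program-scoped rule is shown; the full set
#    depends on the software installed on the workstation.
New-NetFirewallRule -DisplayName 'Out: browser HTTPS (constructed)' `
    -Direction Outbound -Action Allow -Protocol TCP -RemotePort 443 `
    -Program 'C:\Program Files\ExampleBrowser\browser.exe'

# 2. Block all other outbound traffic on every profile and log the drops, with the
#    log capped so it cannot fill the disk.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultOutboundAction Block -LogBlocked True -LogMaxSizeKilobytes 8192 `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 3. Summarise dropped outbound packets per source host from pfirewall.log lines.
#    Log field order: date time action protocol src-ip dst-ip src-port dst-port
#    size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
function Get-OutboundDropSummary {
    param(
        [string[]]$LogLines,
        [int]$DistinctTargetThreshold = 50   # constructed; tune for your site
    )
    $bySource = @{}
    foreach ($line in $LogLines) {
        if ($line -match '^#' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 17) { continue }
        $action = $f[2]; $src = $f[4]; $dst = $f[5]; $dstPort = $f[7]; $path = $f[16]
        if ($action -ne 'DROP' -or $path -ne 'SEND') { continue }
        if (-not $bySource.ContainsKey($src)) {
            $bySource[$src] = @{
                Drops   = 0
                Targets = New-Object 'System.Collections.Generic.HashSet[string]'
            }
        }
        $bySource[$src].Drops += 1
        [void]$bySource[$src].Targets.Add("${dst}:$dstPort")
    }
    foreach ($src in $bySource.Keys) {
        [pscustomobject]@{
            Source          = $src
            DroppedPackets  = $bySource[$src].Drops
            DistinctTargets = $bySource[$src].Targets.Count
            FloodSuspected  = $bySource[$src].Targets.Count -ge $DistinctTargetThreshold
        }
    }
}

# Constructed sample log: one workstation (10.0.5.23) sending SYNs to 60 different
# hosts on port 445, and one ordinary dropped SNMP packet from another host.
$Sample = @(
    '#Version: 1.5',
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path'
)
$Sample += (1..60 | ForEach-Object {
    "2024-01-15 09:00:01 DROP TCP 10.0.5.23 10.0.9.$_ 49152 445 52 S 123456 0 8192 - - - SEND"
})
$Sample += '2024-01-15 09:00:02 DROP UDP 10.0.5.40 10.0.0.10 51000 161 60 - - - - - - - SEND'

# In production read the real log instead: Get-Content $env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log
Get-OutboundDropSummary -LogLines $Sample | Format-Table -AutoSize
```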
Microsoft Windows Server Network
Security
Windows servers provide various types of services for enterprises. In many
cases, servers either directly or indirectly enable enterprise applications to
access shared data to support business functions. While compromising a
workstation may open a door into an organization's secure network,
compromising a server will likely allow an attacker to get even closer to
sensitive or confidential data.
Although each layer of security is important to the overall security of your
organization's data, you should view server security controls as even more
crucial. The controls you place on server computers will only act as
obstacles for attackers that have already found ways to defeat outer layers
of controls. It is likely any attacker that has made it this far is sophisticated
and skilled. You must carefully design, deploy, and monitor controls for
servers in your network to increase the likelihood that you'll stop an attack
before it compromises the data you're trying to protect.
Authentication and Authorization
All three of the A-I-C Triad properties of data security depend on the positive
identification of an authorized user. Your servers inside your organization's
secure network should require specific user accounts to use any service. You
may allow anonymous users or shared user accounts to access some
resources, such as generic Web pages or public file downloads, but these
servers should reside in the DMZ and not in your secure network.
Inside the secure network, you should authenticate all computers and users
before processing resource access requests. Windows uses Kerberos by
default to provide a secure method to establish two-way authentication. This
level of authentication assurance provides protection from eavesdropping or
certain types of replay attacks. A replay attack is one where an attacker
intercepts authentication messages. Unless the network is protected against
it, the attacker can later replay those captured messages to log on again. It is
similar to your Web browser storing your password to a Web site, except that
in this case the attacker is storing someone else's password.
Kerberos gives both sides of a network conversation the assurance that the
other party is who he or she claims to be.
Carefully examine each server's role to ensure that no unnecessary services
are running. For the services you are running, make sure you have defined
ACLs for all authorized users and all protected resources. Apply the principle
of least privilege for all users. Use GPOs as much as possible to standardize
security settings.
Malicious Software Protection
Servers are vulnerable to malware just like workstations. You must install
antivirus and anti-spyware software on each Windows server on your
network. As with workstations, be sure to update both the software and
signature databases frequently. Check for updated software and signature
databases daily for server computers.
Use Group Policy to enforce this requirement on servers as well as for
workstations. You should also create a schedule to scan each server for
malicious software. Your scan schedule depends on the services and data on
any server, but weekly scans should be the minimum frequency. Scheduled
scans, along with active anti-malware software will help you to maintain as
clean an environment as possible for your servers.
Network Traffic Filtering
Firewalls protect services running on servers by filtering out suspicious traffic
that attackers could use to compromise servers. The success of your firewalls
depends on their rules and location. Standalone firewalls can be used to filter
traffic before it reaches a server or you can implement firewalls on your
servers.
Either option has advantages and disadvantages. Standalone firewalls relieve
some of the workload from your servers. The firewall device processes
firewall rules and only forwards approved traffic. The server never sees traffic
that does not match your firewall rules. The disadvantages of standalone
firewalls include additional administrative workload, since standalone
firewalls are separate devices, and additional hardware cost.
Firewalls that are integrated with servers have advantages and disadvantages.
First, the Microsoft firewall uses the familiar MMC interface for administration.
You can also use GPOs to enforce standard rules across multiple servers.
Microsoft's firewall also comes with Windows Server 2008 and does not
require an additional license or hardware purchase. The main disadvantage is
that an embedded firewall adds to the server's workload. The server must
examine all network traffic to apply its filtering rules. Another disadvantage is
that since a firewall is a program, it can have vulnerabilities that attackers
may be able to exploit. An attacker that compromises a server firewall may be
able to gain access to protected resources on that server.
WARNING
Be careful about logging firewall traffic. Your log file can become quite large if you don't
monitor and clear it out periodically. Only log the events you really need and carefully
monitor the size of your log files.
Regardless of the type of firewall, set up rules to only allow valid traffic for the
specific server functions you define. Deny, and potentially log, all other traffic.
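Added example, not from the textbook: a role-based Windows Firewall policy for a server that allows only the traffic its role needs, denies and logs everything else, and caps the log size as the WARNING advises. It assumes elevated PowerShell on Windows Server 2012 or later (NetSecurity module; Server 2008 uses netsh advfirewall for the same settings); the role name, addresses and ports are constructed.

```powershell
# Added example (not from the textbook): allow-only-what-the-role-needs firewall
# policy for a domain-joined intranet HTTPS server.
# Assumptions: elevated PowerShell on Windows Server 2012 or later (NetSecurity
# module); group name, domain controller addresses and management subnet are
# constructed placeholders.

$Group             = 'Role: intranet HTTPS server (constructed)'
$DomainControllers = @('10.0.0.10', '10.0.0.11')    # constructed addresses
$ManagementSubnet  = '10.0.100.0/24'                # constructed admin network

# 1. Default deny in both directions; log only dropped packets, capped at 16 MB
#    so the log cannot grow without bound.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogAllowed False -LogBlocked True -LogMaxSizeKilobytes 16384 `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Remove earlier rules from this group so re-running the script is idempotent.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# 3. Inbound: the service the role exists for, plus remote administration from the
#    management subnet only.
New-NetFirewallRule -Group $Group -DisplayName 'In: HTTPS for IIS' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 443 -Profile Domain
New-NetFirewallRule -Group $Group -DisplayName 'In: RDP from management subnet' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $ManagementSubnet -Profile Domain

# 4. Outbound: what a domain member needs to authenticate and stay patched.
#    Kerberos (88), DNS (53), LDAP (389) and SMB (445, for Group Policy) only to
#    the domain controllers; HTTPS for updates.
foreach ($port in 88, 53, 389, 445) {
    New-NetFirewallRule -Group $Group -DisplayName "Out: TCP $port to domain controllers" `
        -Direction Outbound -Action Allow -Protocol TCP -RemotePort $port `
        -RemoteAddress $DomainControllers -Profile Domain
}
New-NetFirewallRule -Group $Group -DisplayName 'Out: UDP DNS/Kerberos to domain controllers' `
    -Direction Outbound -Action Allow -Protocol UDP -RemotePort 53, 88 `
    -RemoteAddress $DomainControllers -Profile Domain
New-NetFirewallRule -Group $Group -DisplayName 'Out: HTTPS for updates' `
    -Direction Outbound -Action Allow -Protocol TCP -RemotePort 443 -Profile Domain

# 5. Verify: list the rules in the group together with their port filters.
Get-NetFirewallRule -Group $Group |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule       = $_.DisplayName
            Direction  = $_.Direction
            Protocol   = $pf.Protocol
            LocalPort  = ($pf.LocalPort -join ',')
            RemotePort = ($pf.RemotePort -join ',')
        }
    } | Format-Table -AutoSize
```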
Best Practices for Microsoft Windows
Network Security
Securing a Windows network is an ongoing endeavor. Although the process
never really ends, you can reach a level of assurance that your network is
secure from most threats. It is important to continually monitor controls to
ensure they are as effective as expected. Here are some best practices that
will help you get started securing your network and provide a good set of
guidelines for ensuring your network stays secure:
• Identify sensitive data.
• Protect sensitive data at rest using encryption.
• Establish unique domain user accounts for each user.
• Enforce strong passwords for all user accounts.
• Create new user accounts with limited rights and permission for
  services.
    • Do not allow any services to run as a domain admin user.
• Use Kerberos for secure authentication.
• Install firewalls to create a DMZ.
    • Place all Internet-facing servers (Web servers and other publicly
      accessible servers) in the DMZ.
    • Use encrypted communication for all traffic flowing through the
      DMZ and the trusted network.
• Use encryption for all communication involving sensitive data.
• Establish firewall rules.
    • Deny all suspicious traffic.
    • Allow only approved traffic for servers.
    • Filter inbound and outbound traffic for servers and workstations
      for malicious messages.
    • If your firewall supports it, automatically terminate connections
      with sources generating DoS traffic to mitigate DoS attacks in
      process.
• Install anti-malware software on all computers and establish frequent
  update schedules and scans.
    • Update software and signature databases daily.
    • Perform quick scans daily.
    • Perform complete scans at least weekly.
• Use WPA or WPA2 for all secure wireless networks.
• Disable SSID broadcast for secure wireless networks.
• Do not enable wireless or air cards while connected to your
  organization's internal network. Always disable your wireless adapter
  before connecting a laptop to the wired network.
• Do not allow visitors to roam around your facilities using Wireless
  LANs. Many Access Points can be physically reset to insecure factory
  default settings by pressing a reset switch on the box.
• Avoid connecting to public networks. When you connect to an open
  wireless network, you should have no expectation of privacy or security.
  If you have to use an open wireless connection, do not visit Web sites
  that require usernames, passwords, or account numbers, such as online
  banking. Use an encrypted connection or a virtual private network
  (VPN).
• Install a separate wireless access point only connected to the Internet
  for guests.
• Disable or uninstall any services that you do not need.
These best practices provide a solid foundation for establishing and
maintaining a secure Windows network.
CHAPTER SUMMARY
Securing a Windows network means securing all of the components. You
learned about the different components that comprise a Windows network.
You learned about workstations, servers, devices, and software. You also
learned about the process to secure each type of component. While securing
a Windows network takes planning and effort to be successful, it is possible.
Once you know your network and what each component does, you're ready
to start planning for the most effective security controls. No control set is
best for every organization. The controls that work best for your network
will maximize the A-I-C Triad properties for your data and still support
your business functions.
KEY CONCEPTS AND TERMS
• Application servers
• Coaxial cable
• Connection media
• Demilitarized zone (DMZ)
• Denial of service (DoS)
• Distributed denial of service (DDoS)
• Fiber optic cable
• File server
• Gateway
• Hub
• Hypertext Transport Protocol (HTTP)
• IEEE 802.11
• Institute of Electrical and Electronic Engineers (IEEE)
• Internet gateway
• Local area network (LAN)
• Local resource
• Metropolitan area network (MAN)
• Network
• Network address translation (NAT)
• Networking devices
• Node
• Open System Interconnection (OSI) reference model
• Ports
• Print server
• Protocols
• Remote resources
• Router
• Server computers and services devices
• Service Set Identifier (SSID)
• Shielded twisted pair (STP)
• Switch
• TCP/IP reference model
• Transmission Control Protocol/Internet Protocol (TCP/IP)
• Unshielded twisted pair (UTP)
• Wide area network (WAN)
• Windows service
• Wireless local area network (WLAN)
CHAPTER 9 ASSESSMENT
1. A _______ is a network that generally spans several city blocks.
2. A local resource is any resource connected to the local LAN.
1. True
2. False
3. Which of the following devices repeats input received to all ports?
1. Switch
2. Hub
3. Gateway
4. Router
4. _______ cabling provides very good protection from interference but is
difficult to install.
5. Even the newest wireless protocols are slower than using high quality
physical cable.
1. True
2. False
6. Which LAN device commonly has the ability to filter packets and deny
traffic based on the destination address?
1. Router
2. Gateway
3. Hub
4. Switch
7. A _______ is an untrusted network that contains Internet-facing servers
and is separated from your trusted network by at least one firewall.
8. Which network device feature provides the ability to hide internal
network node addresses?
1. DMZ
2. NAT
3. STP
4. OSI
9. Which network layer reference model includes four layers to describe
how computers use multiple layers of protocol rules to communicate
across a network?
1. IEEE
2. IPSec
3. UDP
4. TCP/IP
10. Which of the following actions is not an effective way to secure
Windows services that you do not use?
1. Stop it
2. Disable it
3. Block it
4. Remove it
11. You should disable the _______ broadcast to make wireless
networks harder to discover.
1. SSID
2. NAT
3. MAC
4. WPA
12. A successful DoS attack violates which property of the A-I-C
Triad?
1. Availability
2. Integrity
3. Consistency
4. Confidentiality
13. Where must sensitive data only appear encrypted to ensure its
confidentiality? (Select two.)
1. While in use in the Workstation
2. During transmission over the network
3. As it is stored on disk
4. In memory
14. Which authentication protocol does Windows Server 2008 use as
a default?
1. NTLM
2. Kerberos
3. WPA
4. NAT
15. What can some firewalls do to attempt to stop a DoS attack in
progress?
1. Alert an attack responder
2. Log all traffic coming from the source of the attack
3. Terminate any connections with the source of the attack
4. Reset all connections