How to Cheat at Designing Security for a Windows Server 2003 Network

by ;
Format: Paperback
Pub. Date: 2006-04-08
Publisher(s): Elsevier Science
List Price: $44.95

Summary

Windows 2003 Server is unquestionably the dominant enterprise-level operating system in the industry, with 95% of all companies running it. And for the last two years, over 50% of all product upgrades have been security related. Securing Windows Server, according to Bill Gates, is the company's #1 priority. While considering the security needs of your organization, you need to balance the human and the technical in order to create the best security design for your organization. Securing a Windows Server 2003 enterprise network is hardly a small undertaking, but it becomes quite manageable if you approach it in an organized and systematic way. This includes configuring software, services, and protocols to meet an organization's security needs.

* The Perfect Guide if "System Administrator" is NOT your primary job function
* Avoid "time drains" configuring the many different security standards built into Windows 2003
* Secure VPN and Extranet Communications

Table of Contents

Designing a Secure Network Framework
Introduction
Analyzing Business Requirements for Security Design
Analyzing Existing Security Policies and Procedures
Acceptable Use Policies
Privacy versus Security
Security versus Usability
Determining Requirements for Securing Data
The CIA Triad
Analyzing Current Security Practices
Using Resultant Set of Policies
Recognizing Internal Security Threats
Designing a Framework for Implementing Security
Predicting Threats to Your Network
Recognizing External Threats
What Motivates External Attackers?
Implementing Risk Analysis
Addressing Risks to the Corporate Network
Analyzing Security Requirements for Different Types of Data
Responding to Security Incidents
Recognizing Attack Indicators
Creating an Incident Response Plan
Recovering Network Services After an Attack
Analyzing Technical Constraints when Designing Security
Recognizing Capabilities of the Existing Infrastructure
Identifying Technology Limitations
Analyzing Interoperability Constraints
Interoperability with MIT Kerberos
Integrating UNIX DNS with Windows Server 2003
Summary
Frequently Asked Questions
Securing Servers Based on Function
Introduction
Defining a Baseline Security Template
Best Practices for Security Templates
Windows Server 2003 Predefined Security Templates
Default Security (Setup security.inf)
Reapplying Default Security Settings
Domain Controller Default Security (DC security.inf)
Compatible (Compat*.inf)
Secure (secure*.inf)
Highly Secure (hisec*.inf)
System Root Security (rootsec.inf)
No Terminal Server User SID (Notssid.inf)
Configuring Security Templates
Account Policies
Local Policies
Event Log
Restricted Groups
System Services
Registry
File System
Configuring Security for Down-Level Clients
Deploying Security Templates
Using Group Policy to Deploy Security Settings
Reviewing the Result of Security Policy Settings
Using Security Configuration and Analysis to Review Security Settings
Using the secedit.exe Command-Line Tool
secedit Configure
secedit Analyze
Secedit Import
Secedit Export
secedit validate
secedit generaterollback
secedit refreshpolicy Replaced by GPUpdate
Deploying Security Using Scripts
Design Security for Servers that Have Specific Roles
Common Server Roles
Server Security Best Practices
Configuring Security for Domain Controllers
Common Threats to Domain Controllers
Audit Backup and Restore Events
Restrict Access to Removable Media
Restricting Anonymous Access
Digitally Signing Authentication Traffic
Securing the Internet Information Server (IIS) Role
Using "Configure Your Server" to Set Up IIS
Basic Security for IIS
Using URLScan and IISLockdown
Configuring Security for POP3 Mail Servers
Security Levels
Authentication Methods
Securing Other Network Roles
Securing Network Infrastructure Servers
Securing DHCP Servers
Securing DNS Servers
WINS Servers
Securing File, Print, and Member Servers
Securing Terminal Servers
Securing Remote Access Servers
Streaming Media Server
Modifying Baseline Security Templates According to Role
Applying Security Across the Enterprise
Summary
Frequently Asked Questions
Designing a Secure Public Key Infrastructure
Introduction
Designing a Public Key Infrastructure
Understanding PKI
Designing a Certification Authority Implementation
Geographical Hierarchy
Organizational Hierarchy
Network Trust Hierarchy
Designing a Logical Authentication Strategy
Designing Security for CA Servers
Common Threats Against Certificate Services
Securing an Enterprise Hierarchy
Securing a Stand-Alone CA
Designing Certificate Distribution
Designing Enrollment and Distribution
Approving Certificates by CA Administrators
Revoking Certificates by CA Administrators
Establishing Renewal and Auditing
Summary
Frequently Asked Questions
Securing the Network Management Process
Introduction
Securing the Network Management Process
Managing the Risks of Network Administration
Security Policies for Administrators and IT Personnel
Delegating Authority Securely
Securing Common Administrative Tools
Microsoft Management Console
Terminal Server
Remote Desktop for Administration
Remote Assistance
Telnet
Designing Security for Emergency Management Services
Designing a Security Update Infrastructure
Designing a Software Update Service Infrastructure
Using Group Policy to Deploy Software Updates
Design a Strategy for Identifying Computers That Are Not at the Current Patch Level
Designing Trust Relationships Between Domains and Forests
Designing Forest and Domain Trust Models
Default Trust Relationships
External Trusts
Selecting the Scope of Authentication for Users
Realm Trusts
Shortcut Trusts
Designing Security for Interoperability
Summary
Frequently Asked Questions
Securing Network Services and Protocols
Introduction
Designing Network Infrastructure Security
Common Types of Attacks
Assessing Risk for Network Services
IPSec Overview
Security Associations
Phase I Security Association
Phase II Security Association
IPSec Modes
IPSec Protocols
Authentication Header
Encapsulated Security Payload
The IPSec Process
IPSec Policies Overview
Default IPSec Policies
IPSec Rules
Predefined Filter Lists
Predefined Filter Actions
IP Packet Filtering
netsh Commands
How IPSec Policy Is Applied
Assigning Domain-Based IPSec Policy
Exporting and Importing IPSec Policy
Assigning OU-Based IPSec Policy
Assigning Local IPSec Policy
IPSec Driver Modes
IPSec Best Practices
Designing IPSec Policies
Configuring IPSec Policy
Assigning IPSec Policy
Designing IP Filtering
Configuring a Firewall Configuration
Securing DNS
Common Threats to DNS
DNS Namespace
Single Namespace
Delegated Namespace
Internal Namespace
Segmented Namespace
Securing the Namespace
DNS Server Service
DNS Zones
DNS Resource Records
DNS Clients
Designing Security for Data Transmission
SSL/TLS
S/MIME
SMB Signing
Port Authentication for Switches
Using Segmented Networks
Design Security for Wireless Networks
Types of Wireless Networks
Brief Wireless History
Threats to Wireless Networks
Quick Review of PKI and RADIUS/IAS
Public Key Infrastructure
Remote Authentication Dial-In User Service and Internet Authentication Service
Designing Wireless LANs
Designing WLAN Network Infrastructure
Active Directory
DHCP Configuration
DNS Configuration
Public Key Infrastructure
RADIUS/IAS
Designing Authentication for Wireless Networks
802.11 Identity Verification and Authentication
802.11 Wired Equivalency Privacy (WEP) Encryption
802.1X Authentication
802.1X and Extensible Authentication Protocol
IAS Support for 802.1X Authentication
802.1X Group Policy Settings
Selecting User or Computer-Based Authentication
Designing and Testing Wireless Access Infrastructure
Summary
Frequently Asked Questions
Securing Internet Information Services
Introduction
Designing User Authentication for IIS
Designing Certificate Authentication
Directory Service Mapping
One-to-One Mapping
Many-to-One Mapping
Designing Windows Logon Authentication
Anonymous Authentication
Basic Authentication
Digest Authentication
Integrated Windows Authentication
Designing RADIUS Authentication
Using the Internet Authentication Server
Securing the RADIUS Implementation
Designing Security for IIS
Securing IIS Installations
Risks to IIS Servers and How to Harden IIS Against Them
Securing FTP
Securing NNTP
Securing SMTP
New Security Features in IIS 6.0
Designing a Monitoring Strategy for IIS
Creating a Monitoring Baseline
Identifying a Security Incident
Design a Content Management Strategy for Updating an IIS Server
Summary
Solutions Fast Track
Frequently Asked Questions
Securing VPN and Extranet Communications
Introduction
Designing Security for Communication Between Networks
Using Windows Server 2003 as a Router
Static Routes
RIP
Open Shortest Path First
Designing Demand Dial Routing between Internal Networks
Designing VPN Connectivity
Selecting Protocols for VPN Access
PPTP
L2TP
New Windows Server 2003 VPN Features
Using Remote Access Policies
Designing Routing Between Internal Networks
Designing an Extranet Infrastructure
Cross-Certification of Certificate Services
Summary
Frequently Asked Questions
Securing Active Directory
Introduction
Designing an Access Control Strategy for Directory Services
Analyzing Risks to Directory Services
Assigning Rights and Permissions
Considerations for Using Administrative and Service Accounts
Designing Effective Password Policies
Establishing Account Security Policies
User Rights Assignments
Using Restricted Groups
Creating a Kerberos Policy
Establishing Password Security
Setting Password Complexity Requirements
Creating an Account Lockout Policy
Auditing User Account Activity
Creating an Auditing Policy
Auditing Logon Events
Auditing Object Access
Analyzing Auditing Data
Creating a Delegation Strategy
Service Administrators and Data Administrators
Isolation and Autonomy
Selecting a Delegation Structure
Designing the Appropriate Group Strategy for Accessing Resources
Designing a Permission Structure for Data
Using Global Groups
Using Domain Local Groups
Using Universal Groups
Combining and Nesting Groups
Domain and Forest Functional Levels
Summary
Frequently Asked Questions
Securing Network Resources
Introduction
Designing an Access Control Strategy for Files and Folders
Analyzing Risks to Data
Physical Loss of Data
Data Corruption
Viruses, Worms, and Other Software Attacks
Security Breaches
Auditing Practices
Reviewing Access Control and Access Control Lists
Permissions
User Rights
Object Auditing
Access Control Lists
Access Control Entry
Groups
Security Groups
Access to Resources
User/ACL
Account Group/ACL (AG/ACL)
Account Group/Resource Group
Role-Based Authorization
Selecting Domain Local Groups or Local Groups as Resource Groups
Working with Security Groups
Defining Security Group Creation Policy
Defining a Security Group Request Process
Defining a Security Group Naming Policy
Defining a Security Group Nesting Policy
Defining a Security Group Retirement Policy
Delegating Security Group Maintenance
Delegating Account and Resource Group Maintenance
Analyzing Auditing Requirements
Logon Event
Account Logon Event
Directory Service Access Event
Privilege Use Event
Object Access Event
System Events
Process Tracking Events
Policy Change Events
Design an Access Control Strategy for the Registry
Design a Permission Structure for Registry Objects
Designing the Encrypted File System
EFS Behavior
EFS Best Practices
Certificate Storage
Certificate Enrollment and Renewal
Using cipher.exe
Creating a Strategy for the Encryption and Decryption of Files and Folders
Increasing User Awareness
Configuring File Recovery Agents
Removing Recovery Agent Policy
Recovering Files
Backing Up Keys
Disabling EFS
Third-Party Encryption Options
Designing Security for a Backup and Recovery Strategy
Securing the Backup and Restore Process
Designing a Secure Backup Process
Best Practices for Backups
Creating an Automated System Recovery Backup Set
Disaster Recovery Best Practices
Securing Emergency Management Services
Console Redirection
Special Administration Console Environment
!Special Administration Console Environment
Enabling Emergency Management Services
Headless Servers
Terminal Concentrators
Uninterruptible Power Supplies
Securing the Remote Management Process
Out-of-Band Security
Best Practices for Securing Emergency Management Services
Securing the Recovery Console
Specifying Startup Options for Computers
Summary
Frequently Asked Questions
Securing Network Clients
Introduction
Securing Client Computers
Hardening Client Operating Systems
Minimizing Attack Vectors
Creating an Anti-Virus Protection Scheme
Enabling Patch Management
Securing Laptop Computers
Restricting User Access to Operating System Features
Designing a Client Authentication Strategy
Analyzing Authentication Requirements
Network Authentication
Securing User Accounts
Securing Account Naming Conventions
Choosing Authentication Protocols
Kerberos
NTLM Authentication
Digest Authentication
SSL/TLS
Designing a Secure Remote Access Plan
Choosing a Remote Access Method
Selecting a Remote Access Protocol
Designing Remote Access Policies
Understanding the Elements of a Remote Access Policy
Providing Access to Internal Network Resources
Using Internet Authentication Service
Authentication Protocols Supported by IAS
Using IAS for Dial-Up and VPN
Using IAS for Wireless Access
Using Network Access Quarantine Control
Remote Access Account Lockout
Summary
Frequently Asked Questions
Index
