|
Designing a Secure Network Framework |
|
|
1 | (36) |
|
|
2 | (1) |
|
Analyzing Business Requirements for Security Design |
|
|
2 | (9) |
|
Analyzing Existing Security Policies and Procedures |
|
|
3 | (1) |
|
|
4 | (1) |
|
|
4 | (1) |
|
Security versus Usability |
|
|
5 | (1) |
|
Determining Requirements for Securing Data |
|
|
5 | (1) |
|
|
5 | (2) |
|
Analyzing Current Security Practices |
|
|
7 | (1) |
|
Using Resultant Set of Policies |
|
|
7 | (3) |
|
Recognizing Internal Security Threats |
|
|
10 | (1) |
|
Designing a Framework for Implementing Security |
|
|
11 | (17) |
|
Predicting Threats to Your Network |
|
|
12 | (1) |
|
Recognizing External Threats |
|
|
13 | (6) |
|
What Motivates External Attackers? |
|
|
19 | (1) |
|
Implementing Risk Analysis |
|
|
20 | (1) |
|
Addressing Risks to the Corporate Network |
|
|
21 | (1) |
|
Analyzing Security Requirements for Different Types of Data |
|
|
22 | (1) |
|
Responding to Security Incidents |
|
|
23 | (1) |
|
Recognizing Attack Indicators |
|
|
23 | (1) |
|
Creating an Incident Response Plan |
|
|
24 | (3) |
|
Recovering Network Services After an Attack |
|
|
27 | (1) |
|
Analyzing Technical Constraints when Designing Security |
|
|
28 | (5) |
|
Recognizing Capabilities of the Existing Infrastructure |
|
|
28 | (1) |
|
Identifying Technology Limitations |
|
|
29 | (1) |
|
Analyzing Interoperability Constraints |
|
|
30 | (1) |
|
Interoperability with MIT Kerberos |
|
|
30 | (3) |
|
Integrating UNIX DNS with Windows Server 2003 |
|
|
33 | (1) |
|
|
33 | (2) |
|
Frequently Asked Questions |
|
|
35 | (2) |
|
Securing Servers Based on Function |
|
|
37 | (82) |
|
|
38 | (1) |
|
Defining a Baseline Security Template |
|
|
38 | (42) |
|
Best Practices for Security Templates |
|
|
40 | (1) |
|
Windows Server 2003 Predefined Security Templates |
|
|
40 | (2) |
|
Default Security (Setup security.inf) |
|
|
42 | (1) |
|
Reapplying Default Security Settings |
|
|
43 | (1) |
|
Domain Controller Default Security (DC security.inf) |
|
|
43 | (1) |
|
|
43 | (1) |
|
|
44 | (1) |
|
Highly Secure (hisec*.inf) |
|
|
45 | (3) |
|
System Root Security (rootsec.inf) |
|
|
48 | (1) |
|
No Terminal Server User SID (Notssid.inf) |
|
|
49 | (2) |
|
Configuring Security Templates |
|
|
51 | (1) |
|
|
52 | (2) |
|
|
54 | (2) |
|
|
56 | (1) |
|
|
56 | (1) |
|
|
57 | (1) |
|
|
57 | (1) |
|
|
58 | (1) |
|
Configuring Security for Down-Level Clients |
|
|
58 | (2) |
|
Deploying Security Templates |
|
|
60 | (1) |
|
Using Group Policy to Deploy Security Settings |
|
|
60 | (6) |
|
Reviewing the Result of Security Policy Settings |
|
|
66 | (2) |
|
Using Security Configuration and Analysis to Review Security Settings |
|
|
68 | (2) |
|
Using the secedit.exe Command-Line Tool |
|
|
70 | (1) |
|
|
71 | (1) |
|
|
72 | (1) |
|
|
73 | (1) |
|
|
74 | (1) |
|
|
75 | (1) |
|
|
75 | (1) |
|
secedit refreshpolicy Replaced by GPUpdate |
|
|
76 | (1) |
|
Deploying Security Using Scripts |
|
|
77 | (3) |
|
Design Security for Servers that Have Specific Roles |
|
|
80 | (33) |
|
|
81 | (2) |
|
Server Security Best Practices |
|
|
83 | (4) |
|
Configuring Security for Domain Controllers |
|
|
87 | (1) |
|
Common Threats to Domain Controllers |
|
|
87 | (1) |
|
Audit Backup and Restore Events |
|
|
88 | (1) |
|
Restrict Access to Removable Media |
|
|
88 | (1) |
|
Restricting Anonymous Access |
|
|
89 | (1) |
|
Digitally Signing Authentication Traffic |
|
|
90 | (1) |
|
Securing the Internet Information Server (IIS) Role |
|
|
91 | (1) |
|
Using "Configure Your Server" to Set Up IIS |
|
|
92 | (1) |
|
|
93 | (1) |
|
Using URLScan and IISLockdown |
|
|
93 | (2) |
|
Configuring Security for POP3 Mail Servers |
|
|
95 | (1) |
|
|
96 | (1) |
|
|
96 | (1) |
|
Securing Other Network Roles |
|
|
97 | (1) |
|
Securing Network Infrastructure Servers |
|
|
97 | (1) |
|
|
98 | (1) |
|
|
99 | (1) |
|
|
100 | (1) |
|
Securing File, Print, and Member Servers |
|
|
101 | (1) |
|
Securing Terminal Servers |
|
|
101 | (2) |
|
Securing Remote Access Servers |
|
|
103 | (2) |
|
|
105 | (1) |
|
Modifying Baseline Security Templates According to Role |
|
|
106 | (3) |
|
Applying Security Across the Enterprise |
|
|
109 | (4) |
|
|
113 | (3) |
|
Frequently Asked Questions |
|
|
116 | (3) |
|
Designing a Secure Public Key Infrastructure |
|
|
119 | (36) |
|
|
120 | (1) |
|
Designing a Public Key Infrastructure |
|
|
120 | (18) |
|
|
123 | (2) |
|
Designing a Certification Authority Implementation |
|
|
125 | (5) |
|
|
130 | (1) |
|
|
131 | (1) |
|
|
131 | (2) |
|
Designing a Logical Authentication Strategy |
|
|
133 | (1) |
|
Designing Security for CA Servers |
|
|
134 | (1) |
|
Common Threats Against Certificate Services |
|
|
134 | (2) |
|
Securing an Enterprise Hierarchy |
|
|
136 | (1) |
|
Securing a Stand-Alone CA |
|
|
137 | (1) |
|
Designing Certificate Distribution |
|
|
138 | (14) |
|
Designing Enrollment and Distribution |
|
|
144 | (2) |
|
Approving Certificates by CA Administrators |
|
|
146 | (1) |
|
Revoking Certificates by CA Administrators |
|
|
147 | (1) |
|
Establishing Renewal and Auditing |
|
|
148 | (4) |
|
|
152 | (2) |
|
Frequently Asked Questions |
|
|
154 | (1) |
|
Securing the Network Management Process |
|
|
155 | (36) |
|
|
156 | (1) |
|
Securing the Network Management Process |
|
|
156 | (13) |
|
Managing the Risks of Network Administration |
|
|
157 | (1) |
|
Security Policies for Administrators and IT Personnel |
|
|
158 | (1) |
|
Delegating Authority Securely |
|
|
158 | (2) |
|
Securing Common Administrative Tools |
|
|
160 | (1) |
|
Microsoft Management Console |
|
|
161 | (1) |
|
|
161 | (3) |
|
Remote Desktop for Administration |
|
|
164 | (2) |
|
|
166 | (1) |
|
|
167 | (1) |
|
Designing Security for Emergency Management Services |
|
|
168 | (1) |
|
Designing a Security Update Infrastructure |
|
|
169 | (6) |
|
Designing a Software Update Service Infrastructure |
|
|
170 | (2) |
|
Using Group Policy to Deploy Software Updates |
|
|
172 | (1) |
|
Design a Strategy for Identifying Computers That Are Not at the Current Patch Level |
|
|
173 | (2) |
|
Designing Trust Relationships Between Domains and Forests |
|
|
175 | (12) |
|
Designing Forest and Domain Trust Models |
|
|
178 | (1) |
|
Default Trust Relationships |
|
|
179 | (1) |
|
|
179 | (1) |
|
Selecting the Scope of Authentication for Users |
|
|
180 | (1) |
|
|
181 | (1) |
|
|
182 | (1) |
|
Designing Security for Interoperability |
|
|
182 | (5) |
|
|
187 | (2) |
|
Frequently Asked Questions |
|
|
189 | (2) |
|
Securing Network Services and Protocols |
|
|
191 | (92) |
|
|
192 | (1) |
|
Designing Network Infrastructure Security |
|
|
192 | (86) |
|
|
196 | (1) |
|
Assessing Risk for Network Services |
|
|
197 | (2) |
|
|
199 | (1) |
|
|
200 | (1) |
|
Phase I Security Association |
|
|
200 | (4) |
|
Phase II Security Association |
|
|
204 | (1) |
|
|
204 | (1) |
|
|
204 | (3) |
|
|
207 | (1) |
|
Encapsulated Security Payload |
|
|
208 | (2) |
|
|
210 | (1) |
|
|
210 | (1) |
|
|
210 | (1) |
|
|
211 | (5) |
|
|
216 | (1) |
|
Predefined Filter Actions |
|
|
217 | (1) |
|
|
218 | (1) |
|
|
218 | (1) |
|
How IPSec Policy Is Applied |
|
|
219 | (2) |
|
Assigning Domain-Based IPSec Policy |
|
|
221 | (1) |
|
Exporting and Importing IPSec Policy |
|
|
222 | (1) |
|
Assigning OU-Based IPSec Policy |
|
|
223 | (1) |
|
Assigning Local IPSec Policy |
|
|
223 | (1) |
|
|
224 | (3) |
|
|
227 | (1) |
|
|
228 | (1) |
|
|
229 | (1) |
|
|
230 | (3) |
|
|
233 | (3) |
|
Configuring a Firewall Configuration |
|
|
236 | (1) |
|
|
237 | (1) |
|
|
237 | (1) |
|
|
238 | (1) |
|
|
238 | (1) |
|
|
239 | (1) |
|
|
239 | (1) |
|
|
239 | (1) |
|
|
239 | (1) |
|
|
240 | (3) |
|
|
243 | (2) |
|
|
245 | (1) |
|
|
245 | (1) |
|
Designing Security for Data Transmission |
|
|
246 | (1) |
|
|
246 | (5) |
|
|
251 | (1) |
|
|
251 | (3) |
|
Port Authentication for Switches |
|
|
254 | (1) |
|
|
254 | (1) |
|
Design Security for Wireless Networks |
|
|
255 | (1) |
|
Types of Wireless Networks |
|
|
255 | (1) |
|
|
256 | (2) |
|
Threats to Wireless Networks |
|
|
258 | (2) |
|
Quick Review of PKI and RADIUS/IAS |
|
|
260 | (1) |
|
Public Key Infrastructure |
|
|
260 | (1) |
|
Remote Authentication Dial-In User Service and Internet Authentication Service |
|
|
261 | (1) |
|
|
262 | (1) |
|
Designing WLAN Network Infrastructure |
|
|
262 | (1) |
|
|
263 | (4) |
|
|
267 | (1) |
|
|
268 | (1) |
|
Public Key Infrastructure |
|
|
268 | (1) |
|
|
268 | (1) |
|
Designing Authentication for Wireless Networks |
|
|
268 | (1) |
|
802.11 Identity Verification and Authentication |
|
|
269 | (1) |
|
802.11 Wired Equivalency Privacy (WEP) Encryption |
|
|
269 | (1) |
|
|
269 | (1) |
|
802.1X and Extensible Authentication Protocol |
|
|
270 | (1) |
|
IAS Support for 802.1X Authentication |
|
|
271 | (1) |
|
802.1X Group Policy Settings |
|
|
271 | (3) |
|
Selecting User or Computer-Based Authentication |
|
|
274 | (2) |
|
Designing and Testing Wireless Access Infrastructure |
|
|
276 | (2) |
|
|
278 | (3) |
|
Frequently Asked Questions |
|
|
281 | (2) |
|
Securing Internet Information Services |
|
|
283 | (52) |
|
|
284 | (1) |
|
Designing User Authentication for IIS |
|
|
284 | (23) |
|
Designing Certificate Authentication |
|
|
287 | (1) |
|
Directory Service Mapping |
|
|
288 | (1) |
|
|
288 | (3) |
|
|
291 | (2) |
|
Designing Windows Logon Authentication |
|
|
293 | (1) |
|
|
293 | (3) |
|
|
296 | (1) |
|
|
297 | (2) |
|
Integrated Windows Authentication |
|
|
299 | (2) |
|
Designing RADIUS Authentication |
|
|
301 | (1) |
|
Using the Internet Authentication Server |
|
|
302 | (3) |
|
Securing the RADIUS Implementation |
|
|
305 | (2) |
|
Designing Security for IIS |
|
|
307 | (22) |
|
Securing IIS Installations |
|
|
308 | (4) |
|
Risks to IIS Servers and How to Harden IIS Against Them |
|
|
312 | (2) |
|
|
314 | (1) |
|
|
314 | (1) |
|
|
315 | (1) |
|
New Security Features in IIS 6.0 |
|
|
315 | (4) |
|
Designing a Monitoring Strategy for IIS |
|
|
319 | (1) |
|
Creating a Monitoring Baseline |
|
|
319 | (8) |
|
Identifying a Security Incident |
|
|
327 | (1) |
|
Design a Content Management Strategy for Updating an IIS Server |
|
|
328 | (1) |
|
|
329 | (1) |
|
|
330 | (2) |
|
Frequently Asked Questions |
|
|
332 | (3) |
|
Securing VPN and Extranet Communications |
|
|
335 | (38) |
|
|
336 | (1) |
|
Designing Security for Communication Between Networks |
|
|
336 | (12) |
|
Using Windows Server 2003 as a Router |
|
|
337 | (3) |
|
|
340 | (2) |
|
|
342 | (3) |
|
|
345 | (1) |
|
Designing Demand Dial Routing between Internal Networks |
|
|
346 | (2) |
|
Designing VPN Connectivity |
|
|
348 | (21) |
|
Selecting Protocols for VPN Access |
|
|
350 | (1) |
|
|
350 | (8) |
|
|
358 | (5) |
|
New Windows Server 2003 VPN Features |
|
|
363 | (1) |
|
Using Remote Access Policies |
|
|
364 | (3) |
|
Designing Routing Between Internal Networks |
|
|
367 | (1) |
|
Designing an Extranet Infrastructure |
|
|
367 | (1) |
|
Cross-Certification of Certificate Services |
|
|
368 | (1) |
|
|
369 | (2) |
|
Frequently Asked Questions |
|
|
371 | (2) |
|
Securing Active Directory |
|
|
373 | (42) |
|
|
374 | (1) |
|
Designing an Access Control Strategy for Directory Services |
|
|
374 | (32) |
|
Analyzing Risks to Directory Services |
|
|
377 | (1) |
|
Assigning Rights and Permissions |
|
|
377 | (2) |
|
Considerations for Using Administrative and Service Accounts |
|
|
379 | (2) |
|
Designing Effective Password Policies |
|
|
381 | (1) |
|
Establishing Account Security Policies |
|
|
381 | (1) |
|
|
382 | (6) |
|
|
388 | (1) |
|
Creating a Kerberos Policy |
|
|
389 | (2) |
|
Establishing Password Security |
|
|
391 | (3) |
|
Setting Password Complexity Requirements |
|
|
394 | (1) |
|
Creating an Account Lockout Policy |
|
|
395 | (2) |
|
Auditing User Account Activity |
|
|
397 | (1) |
|
Creating an Auditing Policy |
|
|
398 | (1) |
|
|
398 | (2) |
|
|
400 | (2) |
|
|
402 | (1) |
|
Creating a Delegation Strategy |
|
|
403 | (1) |
|
Service Administrators and Data Administrators |
|
|
403 | (1) |
|
|
404 | (1) |
|
Selecting a Delegation Structure |
|
|
404 | (2) |
|
Designing the Appropriate Group Strategy for Accessing Resources |
|
|
406 | (5) |
|
Designing a Permission Structure for Data |
|
|
407 | (1) |
|
|
407 | (1) |
|
Using Domain Local Groups |
|
|
408 | (1) |
|
|
408 | (1) |
|
Combining and Nesting Groups |
|
|
408 | (1) |
|
Domain and Forest Functional Levels |
|
|
409 | (2) |
|
|
411 | (3) |
|
Frequently Asked Questions |
|
|
414 | (1) |
|
Securing Network Resources |
|
|
415 | (102) |
|
|
416 | (1) |
|
Designing an Access Control Strategy for Files and Folders |
|
|
416 | (39) |
|
|
417 | (1) |
|
|
417 | (1) |
|
|
417 | (1) |
|
Viruses, Worms, and Other Software Attacks |
|
|
417 | (1) |
|
|
418 | (1) |
|
|
418 | (1) |
|
Reviewing Access Control and Access Control Lists |
|
|
418 | (1) |
|
|
419 | (1) |
|
|
419 | (1) |
|
|
420 | (1) |
|
|
420 | (1) |
|
|
420 | (2) |
|
|
422 | (1) |
|
|
422 | (1) |
|
|
423 | (1) |
|
|
423 | (1) |
|
Account Group/ACL (AG/ACL) |
|
|
424 | (1) |
|
Account Group/Resource Group |
|
|
424 | (1) |
|
|
425 | (1) |
|
Selecting Domain Local Groups or Local Groups as Resource Groups |
|
|
425 | (2) |
|
Working with Security Groups |
|
|
427 | (1) |
|
Defining Security Group Creation Policy |
|
|
427 | (1) |
|
Defining a Security Group Request Process |
|
|
427 | (1) |
|
Defining a Security Group Naming Policy |
|
|
428 | (1) |
|
Defining a Security Group Nesting Policy |
|
|
429 | (2) |
|
Defining a Security Group Retirement Policy |
|
|
431 | (2) |
|
Delegating Security Group Maintenance |
|
|
433 | (1) |
|
Delegating Account and Resource Group Maintenance |
|
|
433 | (5) |
|
Analyzing Auditing Requirements |
|
|
438 | (1) |
|
|
439 | (2) |
|
|
441 | (1) |
|
Directory Service Access Event |
|
|
441 | (1) |
|
|
441 | (1) |
|
|
442 | (1) |
|
|
443 | (1) |
|
|
443 | (1) |
|
|
443 | (1) |
|
Design an Access Control Strategy for the Registry |
|
|
444 | (10) |
|
Design a Permission Structure for Registry Objects |
|
|
454 | (1) |
|
Designing the Encrypted File System |
|
|
455 | (32) |
|
|
457 | (1) |
|
|
458 | (7) |
|
|
465 | (1) |
|
Certificate Enrollment and Renewal |
|
|
466 | (1) |
|
|
467 | (5) |
|
Creating a Strategy for the Encryption and Decryption of Files and Folders |
|
|
472 | (1) |
|
Increasing User Awareness |
|
|
472 | (2) |
|
Configuring File Recovery Agents |
|
|
474 | (5) |
|
Removing Recovery Agent Policy |
|
|
479 | (1) |
|
|
479 | (1) |
|
|
479 | (7) |
|
|
486 | (1) |
|
Third-Party Encryption Options |
|
|
487 | (1) |
|
Designing Security for a Backup and Recovery Strategy |
|
|
487 | (24) |
|
Securing the Backup and Restore Process |
|
|
488 | (2) |
|
Designing a Secure Backup Process |
|
|
490 | (2) |
|
Best Practices for Backups |
|
|
492 | (2) |
|
Creating an Automated System Recovery Backup Set |
|
|
494 | (2) |
|
Disaster Recovery Best Practices |
|
|
496 | (2) |
|
Securing Emergency Management Services |
|
|
498 | (1) |
|
|
499 | (3) |
|
Special Administration Console Environment |
|
|
502 | (1) |
|
!Special Administration Console Environment |
|
|
502 | (1) |
|
Enabling Emergency Management Services |
|
|
503 | (1) |
|
|
503 | (1) |
|
|
503 | (1) |
|
Uninterruptible Power Supplies |
|
|
504 | (1) |
|
Securing the Remote Management Process |
|
|
504 | (1) |
|
|
504 | (1) |
|
Best Practices for Securing Emergency Management Services |
|
|
505 | (1) |
|
Securing the Recovery Console |
|
|
506 | (2) |
|
Specifying Startup Options for Computers |
|
|
508 | (3) |
|
|
511 | (4) |
|
Frequently Asked Questions |
|
|
515 | (2) |
|
|
517 | (44) |
|
|
518 | (1) |
|
Securing Client Computers |
|
|
518 | (9) |
|
Hardening Client Operating Systems |
|
|
519 | (1) |
|
Minimizing Attack Vectors |
|
|
519 | (1) |
|
Creating an Anti-Virus Protection Scheme |
|
|
520 | (1) |
|
Enabling Patch Management |
|
|
520 | (3) |
|
Securing Laptop Computers |
|
|
523 | (3) |
|
Restricting User Access to Operating System Features |
|
|
526 | (1) |
|
Designing a Client Authentication Strategy |
|
|
527 | (11) |
|
Analyzing Authentication Requirements |
|
|
528 | (1) |
|
|
529 | (4) |
|
|
533 | (1) |
|
Securing Account Naming Conventions |
|
|
533 | (1) |
|
Choosing Authentication Protocols |
|
|
534 | (1) |
|
|
534 | (2) |
|
|
536 | (1) |
|
|
537 | (1) |
|
|
537 | (1) |
|
Designing a Secure Remote Access Plan |
|
|
538 | (18) |
|
Choosing a Remote Access Method |
|
|
538 | (1) |
|
Selecting a Remote Access Protocol |
|
|
539 | (2) |
|
Designing Remote Access Policies |
|
|
541 | (1) |
|
Understanding the Elements of a Remote Access Policy |
|
|
541 | (7) |
|
Providing Access to Internal Network Resources |
|
|
548 | (1) |
|
Using Internet Authentication Service |
|
|
548 | (1) |
|
Authentication Protocols Supported by IAS |
|
|
548 | (3) |
|
Using IAS for Dial-Up and VPN |
|
|
551 | (3) |
|
Using IAS for Wireless Access |
|
|
554 | (1) |
|
Using Network Access Quarantine Control |
|
|
555 | (1) |
|
Remote Access Account Lockout |
|
|
555 | (1) |
|
|
556 | (2) |
|
Frequently Asked Questions |
|
|
558 | (3) |
Index |
|
561 | |