Microsoft Press mcsa mcse self paced training kit exam 70 - 293 part 8 doc


13-20 Chapter 13 Designing a Security Infrastructure

2. You are installing an IEEE 802.11b wireless network in a private home using computers running Windows XP, and you decide that data encryption is not necessary, but you want to use Shared Key authentication. However, when you try to configure the network interface adapter on the clients to use Shared Key authentication, the option is not available. Which of the following explanations could be the cause of the problem?
a. WEP is not enabled.
b. Windows XP SP1 is not installed on the computers.
c. Windows XP does not support Shared Key authentication.
d. A PKI is required for Shared Key authentications.

3. Which of the following terms describe a wireless network that consists of two laptop computers with wireless network interface adapters communicating directly with each other? (Choose all that apply.)
a. Basic service set
b. Infrastructure network
c. Ad hoc network
d. Access point

Lesson Summary

■ Most wireless LANs today are based on the 802.11 standards published by the IEEE.
■ WLANs have two primary security hazards: unauthorized access to the network and eavesdropping on transmitted packets.
■ To secure a wireless network, you must authenticate the clients before they are granted network access and encrypt all packets transmitted over the wireless link.
■ To authenticate IEEE 802.11 wireless network clients, you can use Open System authentication, Shared Key authentication, or IEEE 802.1X.
■ To encrypt transmitted packets, the IEEE 802.11 standard defines the Wired Equivalent Privacy (WEP) mechanism.

Lesson 3 Providing Secure Network Administration 13-21

Lesson 3: Providing Secure Network Administration

For administrators of large networks, one of the main objectives is to minimize the amount of travel from site to site to work on individual computers. Many of the administration tools included with Windows Server 2003 are capable of managing services on remote computers as well as on the local system. For example, most Microsoft Management Console (MMC) snap-ins have this capability, enabling administrators to work on systems throughout the enterprise without traveling. These are specialized tools used primarily for server administration, however, that can perform only a limited number of tasks. For comprehensive administrative access to a remote computer, Windows Server 2003 includes two tools that are extremely useful to the network administrator, called Remote Assistance and Remote Desktop.

After this lesson, you will be able to
■ Configure Windows Server 2003 Remote Assistance
■ List the security features protecting computers that use Remote Assistance
■ Configure Windows Server 2003 Remote Desktop

Estimated lesson time: 30 minutes

Using Remote Assistance

Remote Assistance is a feature of Windows XP and Windows Server 2003 that enables a user (an administrator, trainer, or technical support representative) at one location to connect to a distant user’s computer, chat with the user, and either view all the user’s activities or take complete control of the system. Remote Assistance can eliminate the need for administrative personnel to travel to a user’s location for any of the following reasons:

■ Technical support: A system administrator or help desk operator can use Remote Assistance to connect to a remote computer to modify configuration parameters, install new software, or troubleshoot user problems.
■ Troubleshooting: By connecting in read-only mode, an expert can observe a remote user’s activities and determine whether improper procedures are the source of problems the user is experiencing. The expert can also connect in interactive mode to try to recreate the problem or to modify system settings to resolve it. This is far more efficient than trying to give instructions to inexperienced users over the telephone.
■ Training: Trainers and help desk personnel can demonstrate procedures to users right on their systems, without having to travel to their locations.

Off the Record: In Microsoft interfaces and documentation, the person connecting to a client using Remote Assistance is referred to as an expert or a helper.

To receive remote assistance, the computer running Windows Server 2003 or Windows XP must be configured to use the Remote Assistance feature in one of the following ways:

■ Using Control Panel: Display the System Properties dialog box from the Control Panel and click the Remote tab. Then select the Turn On Remote Assistance And Allow Invitations To Be Sent From This Computer check box (see Figure 13-9).

Tip: By clicking the Advanced button in the Remote tab in the System Properties dialog box, the user can specify whether to let the expert take control of the computer or simply view activities on the computer. The user can also specify the amount of time that the invitation for remote assistance remains valid.

Figure 13-9 The Remote tab in the System Properties dialog box

■ Using Group Policies: Use the Group Policy Object Editor console to open a GPO for an Active Directory domain or organizational unit object containing the client computer. Browse to the Computer Configuration\Administrative Templates\System\Remote Assistance container and enable the Solicited Remote Assistance policy (see Figure 13-10).

Tip: The Solicited Remote Assistance policy also enables you to specify the degree of control the expert receives over the client computer, the duration of the invitation, and the method for sending e-mail invitations. The Offer Remote Assistance policy enables you to specify the names of users or groups that can function as experts, and whether those experts can perform tasks or just observe.

Figure 13-10 The Solicited Remote Assistance Properties dialog box

Creating an Invitation

To receive remote assistance, a client must issue an invitation and send it to a particular expert. The client can send the invitation using e-mail, Microsoft Windows Messenger, or can save it as a file to be sent to the expert in some other manner, using the interface shown in Figure 13-11.

Figure 13-11 The Remote Assistance page of the Help And Support Center tool

Tip: When users create invitations, they can specify a password that the expert has to supply to connect to their computers. You should urge your users to always require passwords for Remote Assistance connections, and instruct them to supply the expert with the correct password using a different medium from the one they are using to send the invitation.

Once the expert receives the invitation, invoking it launches the Remote Assistance application, which enables the expert to connect to the remote computer, as shown in Figure 13-12. Using this interface, the user and the expert can talk or type messages to each other and, by default, the expert can see everything that the user is doing on the computer. If the client computer is configured to allow remote control, the expert can also click the Take Control button and operate the client computer interactively.

Figure 13-12 The expert’s Remote Assistance interface

Securing Remote Assistance

Because an expert offering remote assistance to another user can perform virtually any activity on the remote computer that the local user can, this feature can be a significant security hazard. An unauthorized user who takes control of a computer using Remote Assistance can cause almost unlimited damage. However, Remote Assistance is designed to minimize the dangers. Some of the protective features of Remote Assistance are as follows:

■ Invitations: No person can connect to another computer using Remote Assistance unless that person has received an invitation from the client. Clients can configure the effective lifespan of their invitations in minutes, hours, or days, to prevent experts from attempting to connect to the computer later.
■ Interactive connectivity: When an expert accepts an invitation from a client and attempts to connect to the computer, a user must be present at the client console to grant the expert access. You cannot use Remote Assistance to connect to an unattended computer.
■ Client-side control: The client always has ultimate control over a Remote Assistance connection. The client can terminate the connection at any time, by pressing the Esc key or clicking Stop Control (ESC) in the client-side Remote Assistance page.
■ Remote control configuration: Using the System Properties dialog box or Remote Assistance group policies, users and administrators can specify whether experts are permitted to take control of client computers. An expert who has read-only access cannot modify the computer’s configuration in any way using Remote Access. The group policies also enable administrators to grant specific users expert status, so that no one else can use Remote Access to connect to a client computer, even with the client’s permission.
■ Firewalls: Remote Assistance uses Transmission Control Protocol (TCP) port number 3389 for all its network communications. For networks that use Remote Assistance internally and are also connected to the Internet, it is recommended that network administrators block this port in their firewalls, to prevent users outside the network from taking control of computers that request remote assistance. However, it is also possible to provide remote assistance to clients over the Internet, which would require leaving port 3389 open.

Using Remote Desktop

While Remote Assistance is intended to enable users to obtain interactive help from other users, Remote Desktop is an administrative feature that enables users to access computers from remote locations, with no interaction required at the remote site. Remote Desktop is essentially a remote control program for computers running Windows Server 2003 and Windows XP; there are no invitations and no read-only capabilities. When you connect to a computer using Remote Desktop, you can operate the remote computer as though you were sitting at the console and perform most configuration and application tasks.

Off the Record: One of the most useful applications of Remote Desktop is to connect to servers, such as those in a locked closet or data center, that are not otherwise easily accessible. In fact, some administrators run their servers without monitors or input devices once the initial installation and configuration of the computer is complete, relying solely on Remote Desktop access for everyday monitoring and maintenance.

Exam Tip: Be sure that you understand the differences between Remote Assistance and Remote Desktop, and that you understand the applications for which each is used.

Remote Desktop For Administration is essentially an application of the Terminal Services service supplied with Windows Server 2003. A desktop version called Remote Desktop is included with Windows XP Professional. When you use Terminal Services to host a large number of clients, you must purchase licenses for them. However, Windows Server 2003 and Windows XP allow up to two simultaneous Remote Desktop connections without the need for a separate license.

When you connect to a computer using Remote Desktop, the system creates a separate session for you, independent of the console session. This means that even someone working at the console cannot see what you are doing. You must log on when connecting using Remote Desktop, just as you would if you were sitting at the console, meaning that you must have a user account and the appropriate permissions to access the host system. After you log on, the system displays the desktop configuration associated with your user account, and you can then proceed to work as you normally would.

Activating Remote Desktop

By default, Remote Desktop is enabled on computers running Windows Server 2003 and Windows XP. Before you can connect to a computer using Remote Desktop, you must enable it using the System Properties dialog box, accessed from the Control Panel. Click the Remote tab and select the Allow Users To Connect Remotely To This Computer check box, as shown earlier in Figure 13-9, and then click OK.

Note: Because Remote Desktop requires a standard logon, it is inherently more secure than Remote Assistance, and needs no special security measures, such as invitations and session passwords. However, you can also click Select Remote Users in the Remote tab to display a Remote Desktop Users dialog box, in which you can specify the names of the only users or groups that are permitted to access the computer using Remote Desktop. All users with Administrator privileges are granted access by default.

Using the Remote Desktop Client

Both Windows Server 2003 and Windows XP include the client program needed to connect to a host computer using Remote Desktop (see Figure 13-13). In addition, both operating systems include a version of the client that you can install on earlier Windows operating systems.

Figure 13-13 The Remote Desktop Connection client

Tip: Windows Server 2003 also includes a Remote Desktops console (accessible from the Administrative Tools program group) that you can use to connect to multiple Remote Desktop hosts and switch between them as needed.
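
The Remote tab settings covered in this lesson (Remote Assistance invitations, remote control, invitation lifetime, Remote Desktop and its permitted users) can also be reviewed from a script. The PowerShell below is an added example, not part of the training kit; it assumes the standard local registry value names for these features and the English name of the Remote Desktop Users group, and it uses the 1-hour invitation lifetime from this lesson's practice as its review threshold.

```powershell
# Added example (not from the training kit): read-only audit of the local
# Remote Assistance and Remote Desktop settings described in this lesson.
$raKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$maxInviteMinutes = 60   # assumption: the 1-hour limit used in the practice

function Get-RegValue($Path, $Name, $Default) {
    # Return a registry value, or $Default when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return $item.$Name
}

function New-Finding($Setting, $Value, $Note) {
    New-Object PSObject -Property @{ Setting = $Setting; Value = $Value; Note = $Note }
}

function Get-RemoteAccessAudit {
    $raOn   = (Get-RegValue $raKey 'fAllowToGetHelp' 0) -eq 1
    $raCtrl = (Get-RegValue $raKey 'fAllowFullControl' 0) -eq 1
    $expiry = [int](Get-RegValue $raKey 'MaxTicketExpiry' 0)
    # MaxTicketExpiryUnits: 0 = minutes, 1 = hours, 2 = days
    switch ([int](Get-RegValue $raKey 'MaxTicketExpiryUnits' 0)) {
        1       { $minutes = $expiry * 60 }
        2       { $minutes = $expiry * 1440 }
        default { $minutes = $expiry }
    }
    # fDenyTSConnections = 0 means Remote Desktop connections are allowed.
    $rdOn = (Get-RegValue $tsKey 'fDenyTSConnections' 1) -eq 0

    New-Finding 'Remote Assistance invitations' $raOn 'Solicited help can be requested from this computer'
    if ($raOn) {
        $note = 'Experts can only view the desktop'
        if ($raCtrl) { $note = 'Experts can take control; confirm this is intended' }
        New-Finding 'Remote control by experts' $raCtrl $note

        $note = 'Within the review threshold'
        if ($minutes -gt $maxInviteMinutes) { $note = 'REVIEW: invitations stay valid longer than the threshold' }
        New-Finding 'Invitation lifetime (minutes)' $minutes $note
    }

    New-Finding 'Remote Desktop connections' $rdOn 'Listens on TCP 3389 when enabled'
    if ($rdOn) {
        # Members of the local group that the Select Remote Users button edits.
        # The group name is the English one; localized systems name it differently.
        $group = [ADSI]'WinNT://./Remote Desktop Users,group'
        $names = @($group.psbase.Invoke('Members')) | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        }
        New-Finding 'Remote Desktop Users members' ($names -join ', ') 'Administrators are allowed in addition to these accounts'
    }
}

Get-RemoteAccessAudit | Format-Table Setting, Value, Note -AutoSize -Wrap
```

Settings delivered through the Solicited Remote Assistance group policy are stored separately from these local values, so a computer managed by a GPO should also be checked with the Group Policy tools.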

Practice: Configuring Remote Assistance

In this practice, you configure a computer running Windows Server 2003 to receive remote assistance from another computer.

Exercise 1: Activating Remote Assistance Using Control Panel

In this exercise, you use the Control Panel’s System Properties dialog box to activate Remote Assistance on the computer.

1. Log on to the computer as Administrator.
2. Click Start, point to Control Panel, and then click System. The System Properties dialog box appears.
3. Click the Remote tab.
4. In the Remote Assistance group box, select the Turn On Remote Assistance And Allow Invitations To Be Sent From This Computer check box.
5. Click Advanced. The Remote Assistance Settings dialog box appears.
6. Make sure that the Allow This Computer To Be Controlled Remotely check box is selected.
7. In the Invitations group box, change the Set The Maximum Amount Of Time Invitations Can Remain Open selector value to 1 hour, and then click OK.
8. Click OK to close the System Properties dialog box.

Exercise 2: Activating Remote Assistance Using Group Policies

In this exercise, you use group policies to activate remote assistance for all the computers in the domain.

Note: This exercise is an alternative to the individual computer configuration you performed in Exercise 1. It is not necessary to do both.

1. Log on to the computer as Administrator.
2. Click Start, point to Administrative Tools, and then click Active Directory Users And Computers. The Active Directory Users And Computers console appears.
3. Click the icon for the contoso.com domain in the scope pane, and from the Action menu, select Properties. The Contoso.com Properties dialog box appears.
4. Click the Group Policy tab, and then click Edit. The Group Policy Object Editor console appears.
5. Expand the Computer Configuration, Administrative Templates, and System containers, and then select the Remote Assistance container.
6. In the details pane, double-click the Solicited Remote Assistance policy. The Solicited Remote Assistance Properties dialog box appears.
7. Click the Enabled option button, and then click OK to accept the default settings.
8. Close the Group Policy Object Editor console.
9. Click OK to close the Contoso.com Properties dialog box.
10. Close the Active Directory Users And Computers console.

Exercise 3: Creating an Invitation

In this exercise, you create an invitation for an expert to give you remote assistance. For the purposes of this exercise, you will save the invitation to a file, but on an actual network, you might e-mail it to the appropriate person or send it using Windows Messenger.

1. Click Start and then click Help And Support. The Help And Support Center page appears.
2. Under Support, click the Remote Assistance hyperlink. The Remote Assistance page appears.
3. Click Invite Someone To Help You. The Pick How You Want To Contact Your Assistant page appears.
4. Click Save Invitation As A File (Advanced). The Remote Assistance – Save Invitation page appears.
5. Under Set The Invitation To Expire, set the duration of the invitation to 10 minutes, and then click Continue.
6. Type a password of your choice in the Type Password text box, and again in the Confirm Password text box, and then click Save Invitation. The Save As dialog box appears.
7. Save the invitation file to the root of your computer’s C drive.

Tip: If you are connected to a network, and another computer running Windows Server 2003 or Windows XP is available, you can use that computer to initiate a Remote Assistance session with your server by double-clicking the invitation file.

8. Close the Help And Support Center window.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and try the question again.
You can find answers to the questions in the “Questions and Answers” section at the end of this chapter.

1. Your company is installing a computer running Windows Server 2003 in a utility closet that is only accessible to building maintenance personnel. Therefore, you will have to depend on Remote Desktop for maintenance access to the server. You do not have Administrator privileges to the server and your workstation is running Windows 2000 Professional. Which of the following tasks must you perform before you can connect to the server from your workstation using Remote Desktop? (Choose all that apply.)
a. Install the Remote Desktop Connection client on the workstation.
b. Activate Remote Desktop on the server using the System Control Panel.
c. Enable the Solicited Remote Assistance group policy for the domain.
d. Add your account name to the Remote Desktop users list.

[...]

... workstation
b and c

Page 13-19 Lesson 2 Review

1. Which of the following authentication mechanisms enables clients to connect to a wireless network using smart cards?
a. Open System authentication
b. Shared Key authentication
c. IEEE 802.1X authentication using EAP-TLS
d. IEEE 802.1X authentication using PEAP-MS-CHAP v2
c

2. You are installing an IEEE 802.11b wireless...

... traffic transmitted over the WLAN

■ To authenticate IEEE 802.11 wireless network clients, you can use Open System authentication, Shared Key authentication, or IEEE 802.1X. To encrypt transmitted packets, the IEEE 802.11 standard defines the Wired Equivalent Privacy (WEP) mechanism. Microsoft recommends the use of IEEE 802.1X authentication, in combination...

... http://www.microsoft.com/technet/security/prodtech/Windows/SecWin2k/07ssrole.asp

Objective 1.4 Review Lessons 1 and 3 in Chapter 8, “Planning a Secure Baseline Installation.”
Microsoft Corporation. “How to Maintain Windows Security.” This Web page enables you to compare the security capabilities of the various Microsoft Windows operating systems. Available on Microsoft's Web site at http://www.microsoft.com/windows/secu...

... invitations created by your computer
b. Press Esc
c. Refuse the incoming connection when it arrives
d. Change your user account password
c

3. Which of the following operating systems includes the Remote Desktop Connection client program? (Choose all that apply.)
a. Windows 2000 Server
b. Windows XP
c. Windows Server 2003
d. Windows 98
b and c

Page 13-31 Case Scenario Exercise ...

... creating these configurations includes examining the security features provided by the operating systems that you intend to use and determining the organization’s security requirements

Tested Skills and Suggested Practices

The skills that you need to successfully master the Planning and Implementing Server Roles and Server Security objective domain on the 70-293 exam include:
■ Configure security for...

... features each operating system provides
❑ Practice 2: Examine the security configuration parameters of the computer you are currently using, and list the changes you could make to increase the security of the system

Further Reading

This section lists supplemental readings by objective. We recommend that you study these sources thoroughly before taking exam 70-293.
Objective 1.1 Review Lessons 1, 2, and 3 in...

... area

Questions and Answers

Page 13-10 Lesson 1 Review

1. Which of the following tools can tell you when a computer is missing an important security update? (Choose all that apply.)
a. Security Configuration and Analysis
b. Hfnetchk.exe
c. Microsoft Software Update Services
d. Microsoft Baseline Security Analyzer
b and d

2. You have just implemented a Microsoft Software Update Services...

... computer running the Microsoft Windows Server 2003 operating system, including Group Policy Objects (GPOs) and security templates, and devise scenarios for which each configuration method would be appropriate
Practice 2: Examine the settings in the security templates included with Windows Server 2003 using the Security Templates snap-in. Then use the Security Configuration And Analysis snap-in to compare...

... Page 13-32 Troubleshooting Lab

Based on the information provided in the Troubleshooting Lab, answer the following questions:
1. Critical Windows operating system security updates are missing
Access the Windows Update Web site to download the required security updates
2. Some user accounts have non-expiring passwords
In the Computer Management console, access the Local Users And Groups snap-in and,...

... 2, and 3 in Chapter 10, “Deploying Security Configurations.”
Microsoft Corporation. Securing Windows 2000 Server. Review Chapter 7, “Hardening Specific Server Roles.” Although written for Microsoft Windows 2000 Server, the concepts in this chapter are also applicable to Windows Server 2003. Available on Microsoft's Web site at http://www.microsoft.com/technet/security/prodtech/Windows/SecWin2k/07ssrole.asp

... to more information about topics covering the exam objectives.

Key Points ■ Microsoft Baseline Security Analyzer is a tool that can scan multiple computers on a network and examine them for

Date posted: 09/08/2014, 07:21
