Planning a Change and Configuration Management Framework  Secedit is used at the command prompt to automate security configuration tasks.  Local Security Policy is used to configure security policies on a nondomain controller.These policies apply only to the local machine.  Security templates are used to configure security policies according to preset definitions and can be imported into Group Policy.  The Security Settings extension to Group Policy is used to configure security on an OU, a site, or a domain. Planning a Security Update Infrastructure  MBSA scans for security vulnerabilities in the operating system and other Microsoft components, including IIS, Exchange Server, SQL Server, Internet Explorer, and Windows Media Player.  The command-line program for running MBSA is mbsacli.exe.  MBSA gives administrators a report after a scan has been completed.This report explains what security issues were discovered and how to correct them.  Microsoft SUS is used to apply security updates from a centralized location within the LAN, giving administrators more control and providing more efficient downloading of updates. www.syngress.com 850 Chapter 11 • Planning, Implementing, and Maintaining a Security Framework 255_70_293_ch11.qxd 9/10/03 6:24 PM Page 850 Q: I have a legacy application that requires anonymous access, and some users cannot access the application.What can I do? A: It is possible that your application requires you to grant access to the Anonymous Users group, which is not part of the Everyone group. If you need to grant access to the Anonymous group, you must explicitly add the Anonymous Logon security group and its permissions. Q: I have multiple domains that need access to resources located in other domains. How can this be set up? A: If users in one domain need access to resources in another domain within the same forest, you do not need to do anything special.This is because, by default, a two-way transitive trust exists between the root domains of every domain tree in the forest so users in any domain in the forest can access resources in any other domain in that forest (if they have the proper permissions). However, to speed up the authentication process between domains, you can create a shortcut trust. If the users in one domain need access to resources in a domain that is in a different forest, you can either create a forest trust between the two forests (which is transitive and will allow all domains in each forest to access all domains in the other) or you can create an external nontransitive trust directly between the two domains. Q: I want to keep my domain Administrator account under wraps for security reasons. What can I do to accomplish this? A: You can disable the built-in Administrator account, since all hackers know the default account name and that is half the information they need to take control of your server. Then you can give administrative privileges to another account.When the Administrator account is disabled, it can still be used in Safe Mode for troubleshooting and repairing problems. Alternatively, you can rename the built-in Administrator account so hackers won’t be able to recognize it so easily.You should not log on as Administrator for performing everyday tasks. Instead, use the Run as command when you need to perform administrative tasks. www.syngress.com Planning, Implementing, and Maintaining a Security Framework • Chapter 11 851 Exam Objectives Frequently Asked Questions The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the Exam Objectives presented in this chapter, and to assist you with real-life implementation of these concepts. You will also gain access to thousands of other FAQs at ITFAQnet.com. 255_70_293_ch11.qxd 9/10/03 6:24 PM Page 851 Q: I am trying to audit folder access by a particular user, and I cannot see any information in the event log.What could be the problem? A: Although you can set other types of auditing and they will start immediately, when you want to audit access to objects such as folders, object auditing must be enabled.Then you need to set auditing properties on the object you want to audit (in this case, the folder).To enable object auditing, edit Group Policy for the local computer or the domain policy. In the left pane of the GPO Editor, click Computer Configuration | Windows Settings | Security Settings | Local Policies | Audit Policies and in the right pane, double-click Enable object auditing. Then select to audit successes, failures, or both. Q: I need to apply password policies to all clients. How can I do this? A: Password policies are configured in the Security Settings | Account Policies node of Group Policy on a local or domain GPO. Password policies cannot be set at the site or OU level.You can configure Group Policy to enforce password history, set a maximum and minimum password age, set a minimum password length, enforce complexity requirements, or enable storage of passwords using reversible encryption.The latter should be done only if necessary for compatibility purposes, since it decreases security instead of increasing it. Q: How can I centrally manage security and provide updates for my client machines? A: If client computers are running Windows XP,Windows 2000 Professional or Server, or Windows Server 2003, you can use the Microsoft Baseline Security Analyzer (MBSA) to scan for security problems and use a Microsoft Software Update Services (SUS) server to apply security updates. Both of these tools can be downloaded from the Microsoft Web site. SUS consists of two parts: the SUS server component and the client Automatic Update feature.The SUS server component synchronizes with the Windows Update site and downloads critical updates, security updates, and security rollups to the SUS server. Client machines need the Automatic Update feature installed so they can connect to the SUS server and download the updates that you have approved for distri- bution. Q: I’ve just installed a WAP on our company network so employees can roam with their laptops and stay connected to the network (for example, when they attend meetings in conference rooms). Is there anything I need to be aware of in regard to security issues? A: Wireless networking is inherently less secure than traditional wired networks because data is transmitted via radio frequency (RF) signals, which are “out there in the air,” vulnerable to capture by anyone who is within range and has the proper equipment. Although you might think “within range” means within the 300 feet or so that wireless manufacturers specify for their devices, a hacker with a high-gain Yagi antenna can connect to your network from much farther away.This situation is exacerbated by the www.syngress.com 852 Chapter 11 • Planning, Implementing, and Maintaining a Security Framework 255_70_293_ch11.qxd 9/10/03 6:24 PM Page 852 fact that default settings for most WAPs leave the network wide open, with SSID broadcasting enabled and WEP disabled. Even if you have turned off SSID broadcasting and enabled WEP, that doesn’t mean you’re safe.A hacker can still use commonly avail- able tools to capture packets sent between legitimate users and determine the SSID from them.Then they can break WEP encryption, which has numerous vulnerabilities, using WEPCrack or other hacker tools. It is best to treat a wireless network as an untrusted network; however, you can make it more secure by using technologies such as 802.1x and 802.11i, by incorporating other mechanisms such as MAC filtering along with WEP, and by implementing secure authentication methods such as RADIUS/IAS and using higher-level protocols such as IPSec to protect wireless traffic. Planning and Implementing Active Directory Security 1. You have instituted new security policies for the IT department. One important rule is to never log on as Administrator unless it is absolutely necessary.To enhance secu- rity, you want everyone to use their regular user accounts for everyday tasks so you can maintain security as much as possible. A junior administrator comes to you and says he does not wish to log on to the server with an administrative account, but he needs to use a program that requires administrative privileges.What can he do? A. If running the program requires administrative privileges, he cannot run it unless he logs off and logs back on as Administrator. B. He can open the Computer Management console and use the Set password option. C. He can right-click the program he wants to run, select Properties, click the Advanced button, and configure the program to run without administrative privi- leges. D. He can right-click the program, choose the Run as command, and enter the Administrator account name and password. www.syngress.com Planning, Implementing, and Maintaining a Security Framework • Chapter 11 853 Self Test A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix. 255_70_293_ch11.qxd 9/10/03 6:24 PM Page 853 2. You have been hired as the network administrator for a small law firm.The first thing you want to do when you take over the job is increase the security on the network. You evaluate the current security level and find it lacking.You decide that you need to secure account passwords using strong encryption on domain controllers.Which utility should you use? A. System Key Utility B. Secedit C. MBSA D. SUS 3. You have recently hired a new junior administrator to assist you in running the net- work for a medium-sized manufacturing company.You are explaining to your new assistant that AD objects are assigned security descriptors to allow you to implement access control.You tell your assistant that the security descriptor contains several dif- ferent components.Which of the following are contained in the security descriptor for an object? (Select all that apply.) A. Discretionary access control list B. System access control list C. Dynamic access control list D. Ownership information 4. You are attempting to troubleshoot some problems with access that you think can be traced back to membership in multiple groups.You want to ensure that all administra- tive accounts are able to perform the tasks they need to accomplish, but you want to remove the built-in accounts from all groups to which they’ve been added by another administrator, and give them only the access they had by default.You are a little con- fused because you know that the built-in accounts already belong to some groups at installation, and you don’t want to remove them from groups they are supposed to belong to.To which groups does the Domain Administrator account belong in Windows Server 2003 by default? (Select all that apply.) A. Schema Admins B. Enterprise Admins C. Group Policy Creator Owners D. Backup Operators www.syngress.com 854 Chapter 11 • Planning, Implementing, and Maintaining a Security Framework 255_70_293_ch11.qxd 9/10/03 6:24 PM Page 854 Planning and Implementing Wireless Security 5. You want to allow wireless clients the ability to change their passwords after they authenticate on the network.Which method of authentication should you implement for these clients? A. EAP-TLS B. EAP C. PEAP D. EAP-MS-CHAP v2 6. You are implementing a new wireless network and need to change the default settings for the equipment on the WLAN.What information should you change? (Select all that apply.) A. SSID password B. SSID network name C. Domain Administrator password D. Domain Administrator account should be renamed 7. You have a number of users who need to be able to roam through the building with their laptop computers and still stay connected to the network. Because of the nature of their work, it is important that they have relatively fast access for transferring a lot of very large data files over the network.You need to implement a wireless network that can connect devices up to 54 Mbps and a minimum of 24 Mbps.Which IEEE standard should you choose? A. 802.15 B. 802.11a C. 802.11b D. 802.1x www.syngress.com Planning, Implementing, and Maintaining a Security Framework • Chapter 11 855 255_70_293_ch11.qxd 9/10/03 6:24 PM Page 855 8. You have hired a consultant to help set up wireless access points on your network. He tells you that you should turn on WEP for the wireless network to help protect it from intruders.You tell him that you have heard that WEP has many flaws and you think additional security measures should be implemented. He assures you that WEP works fine.What do you tell him are some of the problems with WEP? A. WEP does not use encryption. B. WEP uses a short (24 bit) initialization vector (IV). C. WEP can use only a 40-bit key. D. WEP uses a public key algorithm. Monitoring and Optimizing Security 9. Your junior administrator wants to change the name of a user account, but he is wor- ried that if he does so, the user will have problems accessing resources that she had previously been given permissions for.The administrator doesn’t want to need to re- create all the group memberships for the newly named account.You tell him there is no need to worry; he can go ahead and change the name, and all the account proper- ties will remain intact.What enables an account to retain its password, profile, group membership, user rights, and membership information? A. Group membership of the account B. Domain the account belongs as a member C. Password encryption method D. Security identifier (SID) 10. You suspect that one of your users has been trying to access data in a folder to which he is not supposed to have permission.You are trying to set auditing on this folder so you can see if there are any failed events in the log indicating that the user did try to open the folder.You enable object auditing in the domain’s Group Policy Object. However, when you go to add this user to be audited for access to the folder, you find that the folder’s property pages do not contain a Security tab.What could be the problem? A. Auditing is not set via the Security tab for folders because they don’t have such a tab. B. You cannot audit folder access for a particular user. C. The folder is not on an NTFS partition. D. You must share the folder before you can audit it. www.syngress.com 856 Chapter 11 • Planning, Implementing, and Maintaining a Security Framework 255_70_293_ch11.qxd 9/10/03 6:24 PM Page 856 Planning a Change and Configuration Management Framework 11. You need to configure Kerberos policies because you want to force user logon restric- tions.You go to the computer of the user on whom you want to enforce these poli- cies and access the Local Security Policy. However, in the GPO Editor, you cannot find Kerberos policies in the Security Settings node under Computer Configuration, under Windows Settings.What is the problem? A. You are looking in the wrong section; Kerberos policies are located in the User Configuration node. B. You cannot set Kerberos policies through the Local Security Policy console. C. You must first raise the domain functional level before Kerberos can be used and this option will appear in the GPO. D. Another administrator has deleted the Kerberos policies node from the GPO. 12. You have been analyzing all of your security configuration information as part of a new project that requires you to provide a detailed report on your network’s security to management.Toward that end, you need to evaluate the security database test.sdb at the command prompt.What command can you use to do this? A. secedit /validate test.sdb B. secedit /analyze test.sdb C. secedit /configure test.sdb D. secedit /export test.sdb 13. You want to set up auditing on several folders that contain important and sensitive information.There are other folders within the specified folders that contain less sen- sitive information, so you don’t want to audit them, because you want to put as little overhead burden on the network as you can.What happens to subfolders and files within a parent folder if auditing has been enabled? A. Subfolders only are audited B. Files only are audited; special access must be turned on for the folders to be audited C. Subfolders and files are audited D. No auditing is performed www.syngress.com Planning, Implementing, and Maintaining a Security Framework • Chapter 11 857 255_70_293_ch11.qxd 9/10/03 6:24 PM Page 857 14. A parent folder has auditing enabled.Two folders,Applications and Phone Listings, are listed under this parent folder.You need to have the Phone Listings folder audited but not the Applications folder. How can this be accomplished? A. It cannot; all subfolders are audited when the parent folder has auditing enabled. B. Right-click the Applications folder, and click the Properties tab, select the Security tab, and click Advanced.Then select the Auditing tab and clear the check box that is labeled Inherit from parent the auditing entries that apply to child objects. Include these with entries explicitly defined here. C. Right-click the Phone Listings folder, click the Properties tab, select the Security tab, and click Advanced. Then select the Auditing tab and clear the check box that is labeled Inherit from parent the auditing entries that apply to child objects. Audit entries defined here. D. Right-click the Phone Listings folder, click the Security tab, and click Advanced.Then select the Auditing tab and clear the check box that is labeled Inherit from parent the auditing entries that apply to child objects. Include these with entries explicitly defined here option. Planning a Security Update Infrastructure 15. You need to install the Microsoft Software Update Services (SUS) within your domain to update security information on client computers.What are the minimum requirements that you should use for hardware for the server? A. Pentium III, 256MB RAM, NTFS with a minimum of 50MB for the installation folder and 6GB for SUS updates and Active Directory installed B. Pentium III, 512MB RAM, NTFS with a minimum of 100MB for the installation folder and 6GB for SUS updates without Active Directory installed C. Pentium III, 256MB RAM, NTFS with a minimum of 25MB for the installation folder and 6GB for SUS updates without Active Directory installed D. Pentium III, 512MB RAM, NTFS with a minimum of 50MB for the installation folder and 5GB for SUS updates and Active Directory installed www.syngress.com 858 Chapter 11 • Planning, Implementing, and Maintaining a Security Framework 255_70_293_ch11.qxd 9/10/03 6:24 PM Page 858 www.syngress.com Planning, Implementing, and Maintaining a Security Framework • Chapter 11 859 Self Test Quick Answer Key For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix. 1. D 2. A 3. A, B, D 4. A, B, C 5. D 6. A, B 7. B 8. B 9. D 10. C 11. B 12. B 13. C 14. B 15. B 255_70_293_ch11.qxd 9/10/03 6:24 PM Page 859 [...]... 883 Planning, Implementing, and Maintaining a Public Key Infrastructure • Chapter 12 EXAM WARNING A stand-alone CA does not need Active Directory as an enterprise CA does For test day, remember that without Active Directory, all certificate requests made to a stand-alone CA are automatically tagged as pending This means that automatic fulfillment is not available and an administrator must manually approve... of the network when brought back online.This forces an enterprise CA to remain attached to the network, leaving it vulnerable to attackers Stand-Alone CAs Stand-alone CAs do not require Active Directory (although they can use AD information if it is available), and are usually used as either secure root CAs or as an issuer to such applications as stand-alone Web servers Stand-alone CAs are generally... generally not suitable for enterprisetype applications Because certificate templates are not used on a stand-alone CA, a standalone is more basic and easier to maintain than an enterprise CA A stand-alone CA keeps a copy of its CA certificate in a shared folder and if Active Directory is not used, users that need to request certificates need to know the location of the CA Finally, standalone servers can be secured... teller has never heard of As you can see, trust and authentication work hand in hand When transferring data across a network, confidentiality ensures that the data cannot be viewed and understood by any third party.The data might be anything from an e-mail message to a database of social security numbers In the past twenty years, more effort has been spent trying to achieve the goal of data confidentiality... moving downward to a mid-level CA, and finally an issuing-level CA Both the mid-level CA and issuing-level CA are known as subordinate CAs OBJECTIVE EXAM WARNING Although there are certain advantages to using both external and internal CAs when planning an organization’s PKI, you should know that it is possible for a Windows Server 2003 root CA to trust an external root CA, but it is nearly impossible... the network The disadvantages to a stand-alone CA are that an administrator must manually approve or deny every certificate request individually, a stand-alone CA cannot issue log-on certificates, and templates cannot be used with a stand-alone CA, so a key recovery agent cannot be established (we discuss the key recovery agent template below) www.syngress.com 255_70_ 293 _ch12.qxd 9/ 10/03 7:20 PM Page... Naming the CA 6 After the key pair is generated, the Certificate Database Settings dialog box appears As in Figure 12.6, you will notice that both the certificate database and certificate database log textboxes are already filled with default values You may elect to Store configuration information in a www.syngress.com 255_70_ 293 _ch12.qxd 9/ 10/03 7:20 PM Page 875 Planning, Implementing, and Maintaining a. ..255_70_ 293 _ch11.qxd 9/ 10/03 6:24 PM Page 860 255_70_ 293 _ch12.qxd 9/ 10/03 7:20 PM Page 861 Chapter 12 MCSE 70- 293 Planning, Implementing, and Maintaining a Public Key Infrastructure Exam Objectives in this Chapter: 6 Planning, Implementing, and Maintaining Security Infrastructure 6.2 Plan a public key infrastructure (PKI) that uses Certificate Services 6.2.1 Identify the appropriate type of certificate authority... throughout a network For the administrator, there are many areas that need to be secured Internal and external authentication, encryption of stored and transmitted files, and e-mail privacy are just a few examples.The infrastructure that Windows Server 2003 provides links many different public key technologies to give the IT administrator the power necessary to maintain a secure network Most of the functionality... up a smart card enrollment station Finally, we’ll discuss the procedures for using smart cards to log on to Windows, for remote access and VPNs, and to log on to a terminal server Planning a Windows Server 2003 6 Certificate-Based PKI EXAM 70- 293 OBJECTIVE 6.2 Computer networks have evolved in recent years to enable an unprecedented sharing of information between individuals, corporations, and even national . the teller has never heard of.As you can see, trust and authentication work hand in hand. When transferring data across a network, confidentiality ensures that the data cannot be viewed and understood. 8 59 255_70_ 293 _ch11.qxd 9/ 10/03 6:24 PM Page 860 861 Planning, Implementing, and Maintaining a Public Key Infrastructure Exam Objectives in this Chapter: 6 Planning, Implementing, and Maintaining. right-click the program, choose the Run as command, and enter the Administrator account name and password. www.syngress.com Planning, Implementing, and Maintaining a Security Framework • Chapter 11 853 Self