Contents Overview 1 Lesson: Determining Threats and Analyzing Risks to Computers 2 Lesson: Designing Security for Computers 8 Lab A: Designing Security for Computers 23 Module 6: Creating a Security Design for Computers Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.  2002 Microsoft Corporation. All rights reserved. Microsoft, MS-DOS, Windows, Windows NT, Active Directory, ActiveX, BizTalk, PowerPoint, Visio, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. Module 6: Creating a Security Design for Computers iii Instructor Notes In this module, students will learn how to determine threats and analyze risks to computers in an organization. Students will also learn how to design security for computers throughout the computers’ life cycles, from initial purchase to decommissioning. After completing this module, students will be able to:  Determine threats and analyze risks to computers.  Design security for computers. To teach this module, you need the following materials:  Microsoft ® PowerPoint ® file 2830A_06.ppt  The animation Microsoft Software Update Services, 2810A_03_A005_1952.htm, located in the Media folder on the Web page on the Student Materials CD. It is recommended that you use PowerPoint version 2002 or later to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides may not be displayed correctly. To prepare for this module:  Read all of the materials for this module.  Complete the practices.  Complete the lab and practice discussing the answers.  Watch the animation.  Read the additional reading for this module, located under Additional Reading on the Web page on the Student Materials CD.  Visit the Web links that are referenced in the module. Presentation: 60 minutes Lab: 30 minutes Required materials Important Preparation tasks iv Module 6: Creating a Security Design for Computers How to Teach This Module This section contains information that will help you to teach this module. Lesson: Determining Threats and Analyzing Risks to Computers This section describes the instructional methods for teaching this lesson. Emphasize that students are responsible for the security of a computer at each stage in its life cycle. This page is intended simply to give examples of vulnerabilities. To elaborate attacks, draw upon your own experience. The next page deals with common vulnerabilities, so try not to skip ahead. Explain the threats, but do not discuss how to secure against them. The second lesson in the module covers that topic. Emphasize that off-site repair of computers is also a risk that students may need to protect against. If an attacker has physical control of a user’s computer, the user has lost the security battle. Ask students what recommendations they would make to the government agency in the scenario. Lesson: Designing Security for Computers This section describes the instructional methods for teaching this lesson. Emphasize that students must understand what the implications of an update are to a system before they install or deploy the update to their networks. Encourage students to test all updates before deployment. You can play the animation by clicking the arrow on the slide. Use this page to review the content of the module. Students can use the checklist as a basic job aid. The phases mentioned on the page are from Microsoft Solutions Framework (MSF). Use this page to emphasize that students must perform threat analysis and risk assessment on their own networks for the topic covered in this module, and then they must design security responses to protect the network. Assessment There are assessments for each lesson, located on the Student Materials compact disc. You can use them as pre-assessments to help students identify areas of difficulty, or you can use them as post-assessments to validate learning. The Security Life Cycle of a Computer Why Security of Computers Is Important Common Threats to Computers Practice: Analyzing Risks to Computers Common Methods for Applying Security Updates Multimedia: Microsoft Software Update Services Security Policy Checklist Module 6: Creating a Security Design for Computers v Lab A: Designing Security for Computers To begin the lab, open Microsoft Internet Explorer and click the name of the lab. Play the video interviews for students, and then instruct students to begin the lab with their lab partners. Give students approximately 20 minutes to complete this lab, and spend about 10 minutes discussing the lab answers as a class. Use the answers provided in the Lab section of this module to answer student questions about the scope of Ashley Larson’s request in her e-mail. For general lab suggestions, see the Instructor Notes in Module 2, “Creating a Plan for Network Security.” Those notes contain detailed suggestions for facilitating the lab environment used in this course. Customization Information This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware. This module includes only computer-based interactive lab exercises, and as a result, there are no lab setup requirements or configuration changes that affect replication or customization. The lab in this module is also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Automated Classroom Setup Guide for Course 2830A, Designing Security for Microsoft Networks. Lab Setup There are no lab setup requirements that affect replication or customization. Lab Results There are no configuration changes on student computers that affect replication or customization. General lab su ggestions Important Module 6: Creating a Security Design for Computers 1 Overview ***************************** ILLEGAL FOR NON - TRAINER USE ****************************** In this module, you will learn how to determine threats and analyze risks to computers in an organization. You will also learn how to design security for computers throughout their life cycles, from initial purchase to decommissioning. After completing this module, you will be able to:  Determine threats and analyze risks to computers.  Design security for computers. Introduction Ob jectives 2 Module 6: Creating a Security Design for Computers Lesson: Determining Threats and Analyzing Risks to Computers ***************************** ILLEGAL FOR NON - TRAINER USE ****************************** The computers on your network present many opportunities for attackers to access your organization’s data. Ensuring that your computers are secured and updated throughout their operational lives is essential to maintaining a secure network. After completing this lesson, you will be able to:  Describe the security life cycle of a computer.  Explain why securing computers is important.  Describe common threats to computers. Introduction Lesson objectives Module 6: Creating a Security Design for Computers 3 The Security Life Cycle of a Computer ***************************** ILLEGAL FOR NON - TRAINER USE ****************************** The security life cycle of a computer includes the following phases:  Initial installation. During the initial installation of an operating system and applications, viruses and configuration errors can compromise the security of a computer. Be sure to set the password for the built-in Administrator account during the initial installation.  Baseline configuration. After initial installation, configure the baseline configuration settings for security that your organization requires for computers.  Role-specific security. Computers that have specific roles, such as Web servers, require additional configuration beyond the baseline security configuration to ensure that they are protected against threats that are specific to the computer’s role.  Application of security updates. During the computer’s lifetime, service packs and security updates for the operating system and applications will be released. To maintain the baseline security configuration, install the service packs and security updates.  Decommissioning. At the end of a computer’s operational lifetime, dispose of it in a way that makes it impossible for attackers to obtain information on the hard disk or media devices. Key points 4 Module 6: Creating a Security Design for Computers Why Security of Computers Is Important ***************************** ILLEGAL FOR NON - TRAINER USE ****************************** When a network administrator installs software on new computers for the Sales department, a virus infects the computers before the administrator can install a service pack that protects against the virus. The virus exploits a known vulnerability and installs a Trojan horse application. The administrator deploys the computers to users without realizing that the computers have been compromised by an external attacker. During an unattended installation of an operating system over the network, the local Administrator account’s password is configured and sent in plain text over the network. An internal attacker who is sniffing packets on the network intercepts the password. The attacker discovers that the password also works with the Administrator account on his manager’s computer. He uses the account to access confidential data on his manager’s computer. External attacker scenario Internal attacker scenario [...]... a computer’s hard disk, or a process in an organization omits the application of service packs before deployment Additional reading For more information about change management, see Appendix C, “Designing an Operations Framework to Manage Security. ” 6 Module 6: Creating a Security Design for Computers Practice: Analyzing Risks to Computers *****************************ILLEGAL FOR NON-TRAINER USE******************************... organization’s security requirements Also, ensure that your organization has policies in place to manage security on computers when they change roles, for example, a file server that is redeployed as a Web server 14 Module 6: Creating a Security Design for Computers Additional reading For more information about designing security for computers with specific roles, see: Chapter 4, “Securing Servers Based... organization or a third party This type of testing not only reveals vulnerabilities, it also shows you how to better protect your network from attackers Important Before performing any type of penetration testing, obtain written approval from management Module 6: Creating a Security Design for Computers Additional reading 19 For more information about the Security Configuration and Analysis MMC snap-in,... Traders should transport the computers, rather than hiring a third party It can store the computers in a secure facility, erase and reformat the computers, and perform an initial installation of necessary software in a secure, offline environment 8 Module 6: Creating a Security Design for Computers Lesson: Designing Security for Computers *****************************ILLEGAL FOR NON-TRAINER USE******************************... XP, you can create and deploy security templates to computers that have similar security requirements To create a secure baseline for computers: 1 Create a baseline security policy for computers This policy contains all business and technical requirements for the computer, operating system, and applications For example, the policy may dictate that all operating systems be protected against SYN-ACK (synchronize... distributing security updates, such as SUS or SMS An organization uses the factory preinstallation of software as the baseline security configuration for all computers Avoid or mitigate Create a custom security template that meets the business and technical requirements of your organization Apply the template to all computers 22 Module 6: Creating a Security Design for Computers Security Policy Checklist *****************************ILLEGAL.. .Module 6: Creating a Security Design for Computers 5 Common Threats to Computers *****************************ILLEGAL FOR NON-TRAINER USE****************************** Key points Although technical security measures are essential for securing computers in your organization, the majority of threats to computers are from people and flawed processes For example, an attacker physically attacks a computer’s... Security Design for Computers Lab A: Designing Security for Computers Lab Questions and Answers Answers may vary The following are possible answers 1 What is your plan for managing security updates? To better manage security updates, Contoso should first thoroughly test service packs and then assign them to all client computers in the domain by using Group Policy software installation Each department... computer Ensure that you remove media from storage devices before disposal Media All data and data artifacts on storage media should be removed before you dispose of the storage media If the information that was stored on the media is highly sensitive, consider physically destroying the media after you erase or format the data on the media Documentation Printer ribbons can reveal what was printed on them... http://www.microsoft.com/smserver/evaluation/overview/featurepacks/ suspack.asp Module 6: Creating a Security Design for Computers 17 Multimedia: Microsoft Software Update Services *****************************ILLEGAL FOR NON-TRAINER USE****************************** Key points This animation shows how SUS provides an automated solution for managing and distributing critical Windows patches Additional reading The animation is located . Threats and Analyzing Risks to Computers 2 Lesson: Designing Security for Computers 8 Lab A: Designing Security for Computers 23 Module 6: Creating a Security. “Designing an Operations Framework to Manage Security. ” Key points Additional readin g 6 Module 6: Creating a Security Design for Computers Practice: Analyzing