ALS Designing Microsoft® Windows® 2000 Network Security

Author: Microsoft Corporation
Pages: 1104
Disk: N/A
Level: Beg/Int
Published: 06/13/2001
ISBN: 9780735612693

Index
Note to the reader: Italicized page numbers refer to tables and illustrations.
3DES encryption algorithm. See Triple DES (3DES) encryption algorithm
A
Access Control Entities (ACEs) 5, 150
access security
administrator access 123-26, 124, 141
secondary access 126-29
account lockout policy 36
account mapping 378-80, 379, 380
Account Operators group 112
account policies 34-37
Kerberos policy 37, 83, 83, 243
lockout policy 36, 243
password policy 35-36, 243
security templates and 243
ACEs. See Access Control Entities (ACEs)
actions, IPSec filters 447-50, 448
design considerations 449
example of using 449-50, 450
Active Directory 21-62
audit strategy 52-56
design basics 25-26
domain structure 33-39
Enterprise CAs and 345
forest structure 25-32
Group Policy objects 231-32, 232
integrated zones 291-92
integrating with Kerberos realms 672-75, 673, 674
IPSec deployment 460-61
mappings 380
OU structure 40-51
overview of 21-22
review questions on 62
scenarios related to 23-24, 57-61, 58, 66, 66
security design exercise 57-61, 58
synchronizing with NetWare 669-70, 670
Active Directory Installation Wizard 493
Active Directory Migration Tool (ADMT) 30
Active Directory Services Interface (ADSI) 89
Active Directory Sizer (ADSizer) 69
administration 107-42
delegation of 40-45, 59
exercise on designing for networks 136-41
group membership planning 111-22, 138-40
OU structures for 60-61
overview of 107
remote methods of 134-35
review questions on 142
RunAs service 126-29
scenario on 108-10, 108, 110
secure access to 123-26, 141
Telnet 129-31
Terminal Services 131-33
administrative CA structure 356, 356, 358
administrative groups 111-22
analyzing 138-39
auditing 114-16
custom 118-22, 118, 121, 122
default Windows 2000 groups 111, 111-13
design considerations 116, 138-40
planning 111-22, 138-40
protecting membership in 139-40
restricted groups for maintaining 115-16, 115
scenario related to 117-18, 117, 118
third-party reporting tools 114
administrative scripts 128
Administrator account
alternative 125
protecting 124, 126, 126
renaming 125
Administrators group 112
ADMT. See Active Directory Migration Tool (ADMT)
ADSI. See Active Directory Services Interface (ADSI)
ADSizer 69
Advanced Attributes dialog box 194
AFP. See Apple Filing Protocol (AFP)
A-G-DL-P strategy 150, 150, 152, 153
A-G-U-DL-P strategy 150-51, 151, 153, 153
AH. See Authentication Headers (AH)
AIA. See Authority Information Access (AIA)
algorithms
3DES 409
DES 409
IPSec 451-52, 451, 452
MD5, 395, 403
RC2, 408-09
SHA1, 403
analyzing. See also evaluating
administrative groups 138-39
business requirements 10-12
Directory Services Client 89-91
group memberships 138-39, 155-57
Kerberos authentication 73-84
security settings and templates 263-68, 264, 266, 267
standard authentication 88
technical requirements 15-16
ANI/CLI. See Automatic Number Identification/Calling Line Identification (ANI/CLI)
Apcompat.exe utility 251, 252
API (application programming interface) 4
Apple Filing Protocol (AFP) 676
AppleTalk Network Integration Services 657
application-layer security 389-425
determining key usage 417-18
digital signing 402-06
e-mail encryption 407-10, 407, 408
encrypting transmitted data 407-16
lab exercises on 421-23
overview of 389, 393
planning 419-21
review questions on 424
scenario on 390-92, 390, 391
SMB signing 393-402
SSL encryption 410, 411, 411, 412-14, 412, 413
TLS encryption 410, 412-14, 412, 414
Application mode 131
application programming interface (API) 4
applications
alternative credentials for running 127
compatibility issues 251-52, 252
configuring for SSL encryption 411
DMZ security and 581-85, 581, 582, 583
OU structure for deploying 50-51, 50
public key-enabled 337
sample 561, 561
unauthorized installation of 615
application servers 167-68, 167
defining on networks 245
packet filters for 583, 583, 584-85, 584
assessment
of group usage 149-54, 149, 150, 151, 153
of Terminal Services administration 131-32
Asynchronous NetBEUI (AsyBEUI), 486, 487
auditing
group membership 114-15
Internet access 641-43, 642, 643
network usage 309
Web server 564
audit policy 244
audit strategy 52-56
applying 54-55, 55
configuring settings 52-53
design issues 53-54, 56
authentication 63-106
business requirements 68
certificate-based 373-80
delegation process 80-82, 81
of down-level clients 88-93, 105
heterogeneous 661-68
infrastructure analysis 101, 101
IPSec 453-54, 453-54, 461-63, 462
Kerberos v5 protocol 6, 8, 70-84, 453, 453
lab exercises on designing 102-05, 102, 103
Macintosh client 661-63, 662, 663
multiple domain 79-80, 79
NetWare client 663-64, 664
network 76-77, 77
NTLM 85-87, 86, 87
overview of 63-64
Proxy Server 623-24, 624
RADIUS 521-28
remote access 483-84, 485, 486, 498-99, 499
review questions on 106
risks in heterogeneous environments 668
scenario related to 65-67, 65, 66, 67
server placement issues 94-100, 104
smart card 77-79, 78, 373-77, 373, 377
standard 88
technical requirements 69
two-factor 484
UNIX client 664-66
Web 378-80, 379, 380
Authentication Headers (AH) 395, 432-33
assessing 432-33, 432
deploying 433
example of applying 437
reasons for using 436-37
Authentication Service Exchange 72, 73, 75-76, 75
Authority Information Access (AIA) 350
Automatic Number Identification/Calling Line Identification (ANI/CLI), 498, 499
B
backup domain controllers (BDCs) 148, 478
Backup Operators group 113
baselines, security 710, 711, 712
Basic templates 248-49
BDCs. See backup domain controllers (BDCs)
Berkeley Internet Name Daemon (BIND) 292
BINL. See Boot Information Negotiation Layer (BINL)
Block action 447, 449
Block Policy Inheritance option 46-47, 47, 218, 218, 235-36, 235
Boot Information Negotiation Layer (BINL) 302-03
business requirements 10-14, 12
analyzing for security 10-12
applying in security design 13-14
authentication process and 68
Group Policy design 230-31
C
callback options 496
caller ID 495, 498
Canonical Name (CNAME) records 290
Capolicy.inf file 350-52
code examples 350-51, 354
sections in 351-52
CAs. See Certification Authorities (CAs)
certificate distribution points (CDPs), 337, 352, 352
certificate management tools 336-37
Certificate Practice Statement (CPS) 335
Certificate Revocation List (CRL), 336, 350, 366-69, 366
digital certificates and 405
example of using 368-69, 368
planning factors for 367
publication points 410
certificates 336
acquisition of required 376
automatic issuance of 345, 346, 363-64, 364, 461-63, 462
configuring CAs to issue 375-76
IPSec authentication and 453, 461-63, 462
manual issuance of 364
mapping to user accounts 378-80, 379, 380
renewing 350, 369-71, 369, 370, 372
revoking 366-69, 366
scenario on managing 334-35
smart card logon process 373-77, 373, 377
Web authentication with 378-80, 379, 380
certificate templates 336, 344
configuring CAs to issue 375-76
defining permissions for 374-75
IPSec configuration 462
certificate trust lists (CTLs) 342
Certification Authorities (CAs) 9, 336-72
choosing 337-39, 339, 348-49, 349
defining the requirements for 381
designing the structure of 355-60, 355, 356, 357, 358, 359
digital signatures issued by 405
disaster recovery planning for 360-61, 361
Enterprise 344-45, 345, 346
example of applying 339, 349
hierarchies for 340-43, 340, 341, 342, 343
issuing certificates 363-66, 364, 365, 375-76
lab exercises on 383-85
managing 363-71
offline 349-55, 352, 353
public vs. private 337-39, 339
renewing certificates 350, 369-71, 369, 370, 372
review questions on 386
revoking certificates 366-69, 366
scopes for 344-49, 344, 348, 349
Standalone 346-48, 347
Challenge Handshake Authentication Protocol (CHAP), 36, 483, 485
Change permission 178
CHAP. See Challenge Handshake Authentication Protocol (CHAP)
child OUs 46, 46
CIFS signing. See SMB signing
Cipher.exe command 201
Client (Respond Only) policy 457, 458, 459
Client for NFS service 689, 690
clients. See also specific types of clients
CMAK package configuration 499-501, 500, 501
configuration scenarios 67, 67, 104, 277
dial-up connections for 498-99, 499
down-level authentication 88-93, 105
enabling RIS server response to 304-05, 304
heterogeneous 653-700
IPSec filters for 446, 446
Macintosh 661-63, 662, 663, 676-78, 678
NetWare 663-64, 664, 678-80, 679
operating system scenario 390-91, 391
remote access security for 495-501, 495, 496
SMB signing deployment 395-400
UNIX 664-66, 680-82, 681
Client/Server Authentication Exchange 73
Client Services for NetWare (CSNW), 683-84, 688
clock synchronization 37, 74
CMAK packages 499-501, 500, 501
CNAME. See Canonical Name (CNAME) records
compatibility issues
heterogeneous networks and 653-700
security templates and 251-52, 252
Compatws.inf security template 251, 254
computer accounts
configuring the GUID attribute for 304, 304
restricting the creation of 305, 305
Computer certificate 369, 462
computer local groups 149, 149
computer roles 245-46
configuration naming context 26
configuring
account policy settings 34-37
audit settings 52-53
CMAK packages 499-500, 500
EFS recovery agents 198-99
firewall 569-70, 570
Group Policy settings 46-48, 46
network devices 309
offline root CAs 350-52, 352
Proxy Server authentication 623-24, 624
security templates 243-44
server placement for authentication 94-100, 96
share permissions 177-78
connections
dial-up 481, 481
heterogeneous 657-60, 659
remote access 481-83, 481, 482
troubleshooting IPSec problems 465
VPN 482, 482
content scanning 548, 551, 639
CPS. See Certificate Practice Statement (CPS)
critical path tasks 710
CRL. See Certificate Revocation List (CRL)
cross-certification hierarchy 341-42, 341, 342
Cryptographic Service Providers (CSPs) 349-50
CSNW. See Client Services for NetWare (CSNW)
CSPs. See Cryptographic Service Providers (CSPs)
CTLs. See certificate trust lists (CTLs)
custom administrative groups 118-22, 118
determining when to create 119-20
guidelines for creating 120
scenario related to 121-22, 121, 122
customer accounts 333
Custom Security Method Settings dialog box 451
custom security templates 255-56
design considerations 255-56
example of applying 256
lab exercise on developing 280-82
D
DACLs. See Discretionary Access Control Lists (DACLs)
Data Decryption Field (DDF) 195
Data Encryption Standard (DES) algorithm 409, 451
Data Properties dialog box 178
Data Recovery Field (DRF) 195
DCs. See domain controllers (DCs)
DC security.inf template 252, 255
DCOM. See Distributed Component Object Model (DCOM)
DDF. See Data Decryption Field (DDF)
decryption 196-97, 200-202. See also encryption
EFS recovery agent 197, 197
original user 196, 196
steps used for 200-201
dedicated administrative accounts 125
dedicated WAN links 502, 502, 503-05, 503, 504
defaults
administrative groups 111, 111-13
Group Policy inheritance 46, 46, 215-17, 216
IPSec policies 457-59, 458
security settings 247-50, 249, 250
share permissions 187
Defltdc.inf security template 248
Defltsv.inf security template 248
Defltwk.inf security template 248
delegation of administration 40-45
applying the decision for 44-45, 44
authentication process and 80-82, 81
Delegation of Control Wizard 40-41, 41
OU hierarchy and 43, 43
requirements for 42-43, 59
Delegation of Control Wizard 40-41, 41
Demilitarized Zones (DMZs), 551-93. See also firewalls
application security 581-85, 581, 582, 583
data flow security 569-93
design considerations 555, 555
DNS server security 565, 567, 570-73, 571, 572, 573, 597-98
e-mail security 577-80, 578, 579, 580, 603-04
examples of applying 555-56, 556, 567-68
FTP server security 565, 575-77, 576, 577
hybrid 553-55, 554
IIS security 559-64, 560, 561, 563, 564
L2TP tunnel servers in 589-92, 590, 591, 592
lab exercises on 596-604, 596
locating the Proxy Server in 631-33, 632
mid-ground 553, 553
other terms used for 551
packet filters for 597-604
planning 596, 596
PPTP tunnel servers in 587-89, 588, 589
private vs. public networks and 552
review questions on 605-06
securing all services in 565-66, 567
standalone CAs and 348
Telnet server security 565
Terminal Services security 585-87, 585, 586, 587
three-pronged 552-53, 552
VPN deployment in 505-10, 506, 507, 587-93, 588, 590, 591, 601-02
Web servers in 573-75, 574, 575, 599-601
DES algorithm. See Data Encryption Standard (DES) algorithm
designing security
business requirements 13-14, 58
technical requirements 15-19
DFS. See Distributed Files System (DFS)
DHCP Administrators group 113
DHCPInform message 298
DHCP servers
authorization process by 297-98, 297
performing DNS updates for down-level clients 298-99, 299
DHCP Service 90, 297-301
assessing the security risks of 297
configuring to perform DNS updates 298-99, 299
designing security for 300-301, 300
lab exercise on 326
preventing client leasing of IP addresses 300
scenarios on 288, 321
server authorization process 297-98
Dialed Number Identification Service (DNIS), 498, 499
dial-in constraints 514
dial-up connections
authorizing 498-99, 499
configuring CMAK packages for 499-501, 500, 501
designing for remote users 495-501, 495, 496
examples of using 483, 486, 497-98, 499, 501, 501
protocols used with 486-87, 487
remote access via 481, 481, 482
digital signatures 402-06, 403, 405
for e-mail messages 402-03, 403, 405
digital signing 402-06. See also SMB signing
design considerations 405
example of applying 405-06
overview of 402-03
protocol choices 404
public key deployment 404-05
steps in process of 403-04
Directory Service module 6
Directory Services Client (DSClient). See Microsoft Directory Services Client (DSClient)
directory synchronization
Active Directory with NetWare clients 669-70, 670
multiple directories 670-72, 671
Directory Synchronization Services (MSDSS). See Microsoft Directory Synchronization Services (MSDSS)
disaster recovery planning 360-61, 361
Discretionary Access Control Lists (DACLs) 5, 71, 114, 291
IPSec certificate templates and 463
security groups for entries in 146-47
Distributed Component Object Model (DCOM) 9
Distributed Files System (DFS) 89
Distributed Password Authentication (DPA) 6, 8-9
distribution groups 146, 147
DMZs. See Demilitarized Zones (DMZs)
DNIS. See Dialed Number Identification Service (DNIS)
DNS Admins group 113
restricting membership in 293
DNS resource records 290, 542
DNS servers
configuring the placement of 94-97, 96
design activity 295-96, 295
implementing separate external servers 293, 293
Internet access security and 609, 618
restricting zone transfers to 292-93, 292
scenario on deploying 287, 288
securing in DMZs 565, 567, 571-73, 571, 572, 573, 597-98
DNS Service 290-96
Active Directory-integrated zones 291-92, 294
assessing security risks for 290-91
designing security for 293-94, 294, 295-96, 295
DNS Admins group restrictions 293
firewall configurations for 570-73, 571, 572, 573
lab exercise on 325
restricting usage of 571-73, 571, 572, 573
scenarios on 287, 288, 319-21, 320
securing dynamic updates 291-92
traffic flow security 570-72, 571, 572
using separate DNS servers 293, 293
zone transfer restrictions 292-93, 292
DNSUpdateProxy group 113, 299
Domain Admins group 112
Domain Controller certificate template 462
domain controllers (DCs) 63, 148
configuring the placement of 97
defining on networks 245
security analysis of 283-84, 284
domain filters 634-35, 634
domain Group Policies 216
domain local groups 148, 149
Domain Name System service. See DNS Service
domains 26, 33-39
IPSec deployment 460-61
lab exercise on 60
multiple 34-39, 39
single 33-34
domain trees 25, 25
down-level clients
authenticating 88-93, 105
performing DNS updates for 298-99, 299
downloads, security issues 637-39, 638
DPA. See Distributed Password Authentication (DPA)
DRF. See Data Recovery Field (DRF)
DSClient software 88-93
Dumpevt utility 114
Dynamic Host Configuration Protocol service. See DHCP Service
dynamic updates 291-92
E
EAP (Extensible Authentication Protocol), 335, 484, 485
e-businesses 420
Efsinfo utility 201
EFS. See Encrypting File System (EFS)
EFS recovery agents 197-200. See also Encrypting File System (EFS)
configuring 198-99
decision factors for 199
deleting 200
initial 197-98
e-mail messages. See also mail servers
digital signatures for 402-03, 403, 405
DMZ security and 577-80, 578, 579, 580
encrypting 407-10, 407, 408
lab exercise on securing 422
receiving security bulletins as 714
employees
attempts to bypass firewalls by 616, 616
granting Internet access to 626-27, 626
Encapsulating Security Payloads (ESPs) 130, 433-36
assessing 433-35, 434
deploying 435-36, 436
example of applying 437
reasons for using 437
server security and 566
Encrypting File System (EFS) 173, 194-202
decrypting data 196-97, 196, 197
designating an EFS recovery agent 197-200, 199
disabling EFS encryption 199, 200
empty policies and 199
encryption process 195-96, 195
exercise on planning 208-09, 208
NTFS security and 181
overview of 194
PKI-aware systems and 337
private keys and 201
recovering encrypted files 200-202, 202
review questions on 210
encryption 407-16. See also decryption
disabling 199, 200
e-mail 407-10, 407, 408
IPSec 130, 430-31, 432, 436, 451-52, 451, 452
levels of 316-17, 316
local data problems and 176
NTFS file system and 181
process of 195-96, 195
recovering encrypted files 200-202, 202
remote access 514-15
reversible 36
SSL 410, 411, 411, 412-16, 412, 413, 414
Terminal Services 316-17, 316
TLS 410, 412-14, 412, 414
EnrollmentAgent certificate 374, 376
enrollment process 376
Enroll permissions 345, 345
Enterprise Admins group 111, 119-20
Enterprise CAs
deploying 344-45, 345, 346
mixing with Standalone CAs 348, 348
Enterprise Certification Authorities 120
ESPs. See Encapsulating Security Payloads (ESPs)
evaluating. See also analyzing
Internet acceptable use policy 647
IPSec configurations 455-56, 455, 456
permissions 189-90, 189
security templates 261-62
event log 244
Everyone group 493
Exchange Server. See Microsoft Exchange Server
exercises, topical. See lab exercises
Extensible Authentication Protocol (EAP), 335, 484, 485
extranet security 539-606
application servers and 581-85, 581, 582, 583
Demilitarized Zones 551-56, 552, 553, 554, 555
design considerations 548-49, 549, 555
DNS services and 565, 567, 570-73, 571, 572, 573, 597-98
examples of applying 549-51, 550, 551, 555-56, 556, 567-68
firewalls 543-58, 543, 549, 569-70, 570
FTP services and 565, 567, 575-77, 576, 577
lab exercises on 594-604
mail servers and 577-80, 578, 579, 580, 603-04
overview of 539
review questions on 605-06
scenario on 540-42, 541, 542
Telnet services and 565, 567
Terminal Services and 585-87, 585, 586, 587
VPN traffic and 587-93, 588, 590, 591, 601-02
Web servers and 559-64, 560, 563, 573-75, 574, 575, 599-601
extranet servers
defining on networks 246
scenario illustrating roles of 540-42, 541
F
fault tolerance 291
File Encryption Key 195
File Migration utility 658
File and Print Services for NetWare (FPNW), 658, 663, 664, 664
file resources 173-90, 194-202
combining share and NTFS security 185-88
EFS security and 194-202
evaluating permissions 189-90, 189
lab exercises on 203-07, 208-09
Macintosh client access to 676-77, 678
NetWare client access to 678-79, 679
NTFS security and 180-85, 207
review questions on 210
scenario on 174-76, 174, 175
securing access to 177-90
share security and 177-80, 206
UNIX client access to 680-81, 681
file servers 245
file system 244
File Transfer Protocol (FTP), 303, 611. See also FTP server security
filter actions, IPSec 447-50, 448
design considerations 449
example of using 449-50, 450
filtering, Group Policy 48, 48, 221-24, 222, 223, 233-34
Filter Properties dialog box 442
filters, IPSec 442-47. See also packet filtering
defining when not required 443-44
design considerations 444-45
example of using 445-47, 446, 447
server security in DMZs and 565-66, 566
unprotected protocols 444
Web servers and 564, 564
firewalls 543-58
application security and 581-85, 581, 582, 583
content scanning and 548
Demilitarized Zones and 551-56, 552, 553, 554
design considerations 548-49, 549, 555, 594-95
DNS usage restrictions and 571-73, 571, 572, 573, 597-98
e-mail security and 577-80, 578, 579, 580, 603-04
employee attempts to bypass 616, 616
ESP-protected data and 437
example of applying 549-51, 550, 551, 555-56, 556
extranet protection and 543-51, 543, 549
FTP server configuration 575-77, 576, 577
hybrid DMZs and 553-55, 554
identifying features of 557-58
Internet access security and 619, 619, 645-46, 648-49
L2TP/IPSec packets and 489, 589-92, 592
lab exercises on designing 533, 594-604
mid-ground DMZs and 553, 553
NAT process and 436, 439-40, 439, 488, 544-45, 544
packet filters and 545-47, 546
PPTP packets and 488, 587-89, 588, 589
review questions on 605-06
stateful inspection process and 547-48
static address mapping and 547, 547
strategies for configuring 569-70, 570
Terminal Services security and 585-87, 585, 586, 587
three-pronged DMZs and 552-53, 552
time-out tolerance and 548
VPN traffic and 587-93, 588, 590, 591, 601-02
Web server configuration 573-75, 574, 575, 599-601
folders
shared 204
Web server 559-60, 560
forests 25-32, 25
design scenario 287, 287
lab exercise 59-60
multiple 28-32
single 26-28
FPNW. See File and Print Services for NetWare (FPNW)
FQDNs. See fully qualified domain names (FQDNs)
FTP. See File Transfer Protocol (FTP)
FTP server security 565, 567, 575-77
design considerations 576-77
example of applying 577, 577
firewall configurations for 575-77, 576, 577
Internet access and 618-19
Full Control permission 178, 187
fully qualified domain names (FQDNs) 635
Last Updated: Friday, July 6, 2001