List of Figures

Chapter 1: Designing a Secure Network Framework

Figure 1.1: Generating RSoP Data
Figure 1.2: Computer Selection in the RSoP Query Wizard
Figure 1.3: Results of RSoP Query
Figure 1.4: Illustration of a DDoS Attack
Figure 1.5: ktpass Command-Line Descriptions

Chapter 2: Securing Servers Based on Function

Figure 2.1: Setup security.inf Viewed in Notepad
Figure 2.2: Network Security Settings: LAN Manager Authentication Level Security Settings Policy
Figure 2.3: Add/Remove Snap-In to the Microsoft Management Console
Figure 2.4: Viewing and Modifying Predefined Template Settings
Figure 2.5: Information Warning Regarding Down-Level Clients
Figure 2.6: Registry Policy Properties
Figure 2.7: Group Policy Wizard
Figure 2.8: Imported Policy or Template in Group Policy Editor
Figure 2.9: New Group Policy Object
Figure 2.10: Applied Group Policy to Domain or OU
Figure 2.11: Action Alert in Resultant Set of Policy Snap-In
Figure 2.12: Resultant Set of Policy Results
Figure 2.13: Group Policy Management ConsoleOrganizational Unit Management
Figure 2.14: Group Policy Management ConsoleManagement Options
Figure 2.15: Configure Your Server WizardSelect Server Role
Figure 2.16: Configure Your Server Summary of Selected Options
Figure 2.17: Installing Components and Server Role
Figure 2.18: Configure Your Server Wizard Complete
Figure 2.19: IIS Default Web Service Extensions
Figure 2.20: Creating a New Group Policy Link to OU
Figure 2.21: Import Policy Dialog
Figure 2.22: Security Analysis Results

Chapter 3: Designing a Secure Public Key Infrastructure

Figure 3.1: PKI Overview
Figure 3.2: Common Arrangements of the CA Hierarchy of an Enterprise
Figure 3.3: Example of Geographical Hierarchy
Figure 3.4: Example of Organizational Trust Hierarchy
Figure 3.5: Example of Network Trust Security
Figure 3.6: Example of a Three-Tiered CA Enterprise Hierarchy
Figure 3.7: Selecting Certificate Service to Install
Figure 3.8: Warning Screen before Installing Certificate Services
Figure 3.9: Selecting a CA Type
Figure 3.10: Selecting Public and Private Key Pairs
Figure 3.11: CA Identity Information
Figure 3.12: Configuring Database Settings
Figure 3.13: Select a Certificate Type
Figure 3.14: Enter the Users Details to Issue a Certificate
Figure 3.15: Confirmation Screen for a Certificate Request
Figure 3.16: Pending Queue of the CA
Figure 3.17: Approve a Certificate from Pending Queue
Figure 3.18: Auditing Tab of the CA Properties
Figure 3.19: Confirmation to Stop the Certificate Service
Figure 3.20: Confirmation to Generate New Keys

Chapter 5: Securing Network Services and Protocols

Figure 5.1: IPSec Transport Mode with Authentication Header
Figure 5.2: IPSec Tunnel Mode with Authentication Header
Figure 5.3: IPSec Transport Mode with ESP
Figure 5.4: IPSec Tunnel Mode with ESP
Figure 5.5: Key Exchange Security Methods Dialog
Figure 5.6: Disabling Default Response Rule
Figure 5.7: Interaction of IPSec Components
Figure 5.8: IPSec Process
Figure 5.9: Export IPSec Policy via IP Security Policy Management Snap-In
Figure 5.10: Default Policies in Active Directory
Figure 5.11: Default Settings for Key Exchange Security Methods for Default IPSec Policy
Figure 5.12: Web Site Properties Dialog
Figure 5.13: Require Secure Channel (SSL) Configuration
Figure 5.14: Server Message Block Signing Options
Figure 5.15: Sample Domain Wireless Policy Properties Dialog
Figure 5.16: Adding a New Preferred Network
Figure 5.17: Wireless Policy Defined in Default Domain
Figure 5.18: IEEE 802.1X Properties in the Selected Preferred Network
Figure 5.19: Smart Card or Other Certificate Properties Options
Figure 5.20: Protected EAP Properties Options
Figure 5.21: Functional Diagram of Wireless Access Infrastructure
Figure 5.22: IPSec Settings
Figure 5.23: Network Configuration

Chapter 6: Securing Internet Information Services

Figure 6.1: IIS 6.0 Worker Process Model
Figure 6.2: IIS 5.0 Isolation Model
Figure 6.3: Directory Security Tab of IIS 6.0
Figure 6.4: Enable Secure Communication
Figure 6.5: One-to-One Mapping Screen
Figure 6.6: Select Credentials for Mapping
Figure 6.7: Add a Wildcard Rule
Figure 6.8: The Rules Window
Figure 6.9: Enter Rule Information
Figure 6.10: Enter Credentials for Many-to-One Mapping
Figure 6.11: Enable Anonymous Access
Figure 6.12: Basic Authentication Warning
Figure 6.13: Basic Authentication Settings
Figure 6.14: Digest Authentication Warning
Figure 6.15: RADIUS Architecture in Windows Server 2003
Figure 6.16: Select Network Services
Figure 6.17: Select Internet Authentication Service
Figure 6.18: IAS MMC Snap-In
Figure 6.19: Properties of Remote Access Policies
Figure 6.20: Edit the Default Policy Settings
Figure 6.21: Web Service Extensions View
Figure 6.22: Enabling the Internet Connection Firewall
Figure 6.23: Available Protocol Configuration Window
Figure 6.24: Entering Machine Name or IP Address to Configure the Firewall
Figure 6.25: Enable Logging for Default Web Site
Figure 6.26: Customizing Log Fields
Figure 6.27: Local Audit Policy Settings
Figure 6.28: Enable Success or Failure Audit Options
Figure 6.29: Enable Health Detection

Chapter 7: Securing VPN and Extranet Communications

Figure 7.1: Configuring Routing and Remote Access
Figure 7.2: Routing and Remote Access Server Setup Wizard
Figure 7.3: RRAS Custom Configuration Screen
Figure 7.4: Setting Up a New Routing Protocol
Figure 7.5: Choosing RIP
Figure 7.6: General Tab of the RIP Property Interface Sheet
Figure 7.7: Security Tab of the RIP Property Interface Sheet
Figure 7.8: Neighbors Tab of the RIP Property Interface Sheet
Figure 7.9: Two Sites Connected via VPN Tunnel
Figure 7.10: Diagram of a PPTP Packet
Figure 7.11: Configuration Screen of the Routing and Remote Access Setup Wizard
Figure 7.12: Remote Access Screen of the Routing and Remote Access Setup Wizard
Figure 7.13: VPN Connection Screen of the Routing and Remote Access Setup Wizard
Figure 7.14: IP Address Assignment Screen of the Routing and Remote Access Setup Wizard
Figure 7.15: DHCP Relay Agent Reminder
Figure 7.16: Setting Up a Demand Dial Interface
Figure 7.17: Connection Type Screen of the Demand Dial Wizard
Figure 7.18: VPN Type Screen of the Demand Dial Wizard
Figure 7.19: Destination Address Screen of the Demand Dial Wizard
Figure 7.20: Protocols and Security Screen of the Demand Dial Wizard
Figure 7.21: Dial In Credentials Screen of the Demand Dial Wizard
Figure 7.22: Dial Out Credentials Screen of the Demand Dial Wizard
Figure 7.23: Diagram of an L2TP Packet
Figure 7.24: Security Tab of the Answering Routers Properties Sheet
Figure 7.25: Authentication Methods Screen
Figure 7.26: Choosing Properties of a Demand Dial Interface
Figure 7.27: Security Tab of the Demand Dial Interface
Figure 7.28: Advanced Security Settings Screen of the Security Tab
Figure 7.29: Smart Card or Other Certificates Properties Screen
Figure 7.30: Setting Credentials on the Demand Dial Interface
Figure 7.31: Remote Access Policy Settings Screen
Figure 7.32: Authentication Tab of the Remote Access Profile Screen
Figure 7.33: Encryption Tab of the Remote Access Profile Screen
Figure 7.34: Dial-in Constraints Tab of the Remote Access Profile Screen
Figure 7.35: IP Tab of the Remote Access Profile Screen

Chapter 8: Securing Active Directory

Figure 8.1: NTFS Permissions Configuration Window
Figure 8.2: Setting Permissions on Folders via Group Policy
Figure 8.3: Files and Folder Permissions Configured in Group Policy
Figure 8.4: Changing the Account a Service Uses to Start
Figure 8.5: Account Policies Window in Group Policy
Figure 8.6: Configuring Restricted Groups in Group Policy
Figure 8.7: Kerberos Policy Configuration
Figure 8.8: Enabling Reversible Encryption on a Per-Account Basis
Figure 8.9: Configuring Password Complexity
Figure 8.10: Logon Events Registration Process
Figure 8.11: Setting Auditing on an Object
Figure 8.12: Advanced Auditing Settings
Figure 8.13: Delegation of Control Wizard

Chapter 9: Securing Network Resources

Figure 9.1: Access Control List with Access Control Entries
Figure 9.2: Access Mask Compared with Access Request
Figure 9.3: Nested Group Hierarchy
Figure 9.4: LDAP Query
Figure 9.5: Result of LDAP Query
Figure 9.6: Delegating Control of the Finance OU in Active Directory Users and Computers
Figure 9.7: Adding Users to Delegate Control
Figure 9.8: Selecting Tasks to Delegate
Figure 9.9: Completion of Delegation of Control Wizard
Figure 9.10: Shared Folder Permissions Access Control List
Figure 9.11: Modifying Default Permissions on Registry Key
Figure 9.12: Advanced Registry Settings for HKEY_CURRENT_USER
Figure 9.13: Auditing Tab Options
Figure 9.14: Effective Permissions Options
Figure 9.15: Registry Node in Group Policy Object Editor Snap-In
Figure 9.16: Adding Key to Registry Access
Figure 9.17: Selecting the Software Node
Figure 9.18: View or Modify Permissions for Registry Key
Figure 9.19: Users Permissions Set to Read Only by Default
Figure 9.20: Advanced Settings Options
Figure 9.21: Modifying Permissions for the RegEdt32 Registry Key
Figure 9.22: Default Domain Policy with RegEdt32 Permissions Specified
Figure 9.23: Advanced Attributes for EFS Folder Encryption
Figure 9.24: File Attribute Indicating Encryption
Figure 9.25: EFS File Sharing Dialog
Figure 9.26: Adding User for Shared EFS File
Figure 9.27: No User Certificate Available
Figure 9.28: cipher.exe Commands, Part 1
Figure 9.29: cipher.exe Commands, Part 2
Figure 9.30: cipher.exe /R to Create Recovery Agent Key and Certificate
Figure 9.31: Structure of an Encrypted File
Figure 9.32: Encrypting File System Properties Dialog
Figure 9.33: Select Recovery Agents Dialog
Figure 9.34: Importing Certificate for Recovery Agent
Figure 9.35: Windows Warning Regarding Certificate Status
Figure 9.36: Default Domain Policy Encrypting File System Node
Figure 9.37: Key Backup from Microsoft Management Console
Figure 9.38: Export File Format for Certificate Only (Excludes Private Key)
Figure 9.39: Export File Format Including Private Key with Certificate
Figure 9.40: Certificate Export Wizard Successful Completion
Figure 9.41: Export Successful Notice
Figure 9.42: Create Secure Printer
Figure 9.43: SpoolDirectory in Registry
Figure 9.44: Startup and Recovery Options for Local Computer via Control Panel
Figure 9.45: Startup and Recovery Options

Chapter 10: Securing Network Clients

Figure 10.1: Enabling Syskey Encryption
Figure 10.2: Selecting Syskey Encryption Options
Figure 10.3: Confirmation of Syskey Success
Figure 10.4: Interactive Logons Using Local vs. Domain Accounts
Figure 10.5: Passport Sign-On through www.ebay.com
Figure 10.6: Passport on www.expedia.com
Figure 10.7: Creating a Remote Access Policy
Figure 10.8: Remote Access Authentication Methods
Figure 10.9: Remote Access Policy Conditions
Figure 10.10: Installing the Internet Authorization Service
Figure 10.11: The IAS Administrative Console
Figure 10.12: Configuring Permissions for IAS
Figure 10.13: Question 1 Illustration
Figure 10.14: Administrator Properties Sheet

Appendix A: Self Test Questions, Answers, and Explanations

Figure 2.22: Security Analysis Results
Figure 4.15: Figure for Question 1
Figure 5.22: IPSec Settings
Figure 5.23: Network Configuration
Figure 10.13: Question 1 Illustration
Figure 10.14: Administrator Properties Sheet

Chapter 1: Designing a Secure Network Framework

Chapter 2: Securing Servers Based on Function

Chapter 3: Designing a Secure Public Key Infrastructure

Chapter 4: Securing the Network Management Process

Chapter 5: Securing Network Services and Protocols

Chapter 6: Securing Internet Information Services

Chapter 7: Securing VPN and Extranet Communications

Chapter 8: Securing Active Directory

Chapter 9: Securing Network Resources

Chapter 10: Securing Network Clients

Appendix A: Self Test Questions, Answers, and Explanations