Chapter Summary


As you have seen, proper prior planning is the single most important key to success when implementing a network security plan. No effective security plan consists of only one security solution; the concept of defense in depth states that multiple, layered security solutions should be implemented to increase network security as much as possible. An example of the defense-in-depth principle would be a network that requires a username and password to gain access to the network. To further protect sensitive information, data on file servers is encrypted using EFS. Lastly, IPSec is implemented to secure network communications as they cross the network cabling itself.

KEY TERMS

Before taking the exam, make sure you are comfortable with the definitions and concepts for each of the following key terms. You can use Appendix A, "Glossary," for quick reference.

  • Auditing

  • Automatic Updates

  • Certificate

  • Certificate Authority

  • Certificate Revocation List (CRL)

  • Enterprise CA

  • EventCombMT

  • Group Policy Editor

  • GPO

  • Microsoft Baseline Security Analyzer (MBSA)

  • Principle of least privilege

  • Revoked certificate

  • Root CA

  • Software Update Services (SUS)

  • Standalone CA

  • Subordinate CA

  • Validity period


Digital certificates come into play with many of these security solutions. They can be used with smart cards to authenticate and verify the identity of the user, they are required for the use of EFS, and they can be used to provide security and authentication for IPSec communications on your network. The scope and type of PKI you implement will be determined, in large part, by the requirements of your network's users.

Two basic types of CAs are available for use in Windows Server 2003. Enterprise CAs are completely integrated with Active Directory and provide some features not otherwise available in Standalone CAs. Standalone CAs do not require the presence of Active Directory, but if AD is in use, they can make use of it. Standalone CAs can be used to issue certificates and then can be removed from the network to increase their physical security. Each type of CA has two child types: Root and Subordinate. There is only one Root CA within a PKI implementation; all other CAs are Subordinate (or child) CAs. The Root CA signs its own CA certificate, as well as the CA certificate of all Subordinate CAs directly below it. Subordinate CAs issue and sign certificates for network users, computers, and other Subordinate CAs.

Microsoft introduced Software Update Services in Windows 2000 to provide an easy-to-administer way for network administrators to keep their networks up to date with required security updates. SUS has been integrated into Windows Server 2003. Using SUS and Automatic Updates, you can have approved updates automatically installed on client computers on the schedule you have configured. By allowing only administratively approved updates to be installed on client computers, SUS and Automatic Updates help you protect your network from problems that may be caused by required updates that are not compatible with your network or network applications.

After you've planned and implemented a security solution for your network, you need to ensure that your network stays secure. Microsoft has a two-step network security plan: Get Secure, Stay Secure. The Stay Secure portion requires you to maintain security after you have it in place. To maintain security, you need to monitor it. Security monitoring can be accomplished in many ways, but the most common include auditing and event logs. Also, you need to have a functional and well-thought-out change and configuration plan in place to prevent mistakes from being made that can compromise the security of your network.



MCSE Windows Server 2003 Network Infrastructure (Exam 70-293)
MCSE 70-293 Exam Prep: Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (2nd Edition)
ISBN: 0789736500
EAN: 2147483647
Year: 2003
Pages: 151
Authors: Will Schmied
