In this chapter, we took a step back from looking at how to secure the various components of the Windows Server 2003 infrastructure and asked the question: How do we secure the tools we're using to secure the network? As we've seen, the network management process itself can quickly provide an attacker with a means of infiltrating your network if you do not set up administrative and technical controls to prevent it. Any well-designed network security plan should take both of these types of measures into account to control things such as how administrative credentials are used on a network, how to secure the utilities that are used (and which of those utilities should be permitted in the first place), and how to defend against vulnerabilities arising from improper behavior on the part of network administrators. As with most security topics we've discussed, this effort will only be complete if it includes both technical measures to secure the use of specific administrative utilities and the creation of administrative policies, such as mandating the use of RunAs or policies regarding the necessary information to obtain before resetting a user's password over the phone.
After looking at the overall importance of creating a secure network management policy, we also examined two other critical pieces of the network management puzzle. Although Microsoft has made great strides in improving the security of the Windows Server 2003 operating system, it's simply unavoidable that, as time goes on, new security vulnerabilities will be discovered and new patches will be released to correct them. Deploying security patches, especially in a large enterprise environment, has always been a problematic situation for network administrators. In an effort to make this process simpler and improve the overall security of its operating systems, Microsoft has made a number of utilities freely available to network administrators to assist in the patch management process. In Chapter 4 we looked at two in particular, the Microsoft Baseline Security Analyzer (MBSA) and the Software Update Service (SUS), and how they can be incorporated into a network security design.
We wrapped up this chapter with a review of the domain and forest trust model and how it has been updated for Windows Server 2003. In preparation for the 70-298 exam, we focused on ways to create your domain and forest designs to provide the most secure environment possible in an enterprise environment, including the need to incorporate dissimilar operating systems and corporate cultures to create a secure, unified whole.