In our final chapter, we discuss a topic that sometimes has a tendency to be overlooked: client security. It's easy to get so wrapped up in securing our servers and infrastructure that we forget how important the client desktop can be to an organization's security. After all, you can secure and patch your servers all you want, but if a single end user copies a file from a floppy disk that infects his workstation with a Trojan horse, your entire network will be affected (often severely) by this vulnerability. Because of this, we'll spend some time examining the ways to maintain the overall security of the workstations on your network, including ways to secure the client operating system and to maintain and enforce virus protection and patch management for all your users.
Another critical issue is that of client authentication. You obviously want your clients to use the strongest level of authentication available, but that is sometimes not practical in a heterogeneous environment. We'll talk about ways to improve the security of your user accounts, and how to select the best authentication protocols to fit the needs of your enterprise. This can include Kerberos, NTLM authentication, certificate-based authentication, or even a combination of all three. Once you've created your user authentication scheme, we'll go over ways to enforce that choice throughout your network through tools such as Group Policy.
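As an added illustration of what "enforcing that choice" looks like in practice (this is example code written for this edition, not a script from the chapter), the following PowerShell snippet audits the LAN Manager authentication level on a Windows host. It assumes the well-known `LmCompatibilityLevel` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, which is what the Group Policy setting "Network security: LAN Manager authentication level" writes, and it is run from a management workstation that has PowerShell (the registry value itself is the same on Windows Server 2003 and later clients).

```powershell
# Added example: report the configured LM/NTLM authentication level so that
# an administrator can confirm the Group Policy choice actually reached the client.
# Assumption: the standard LmCompatibilityLevel registry value is the source of truth.

$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Meaning of each level, as documented for the LAN Manager authentication level policy.
$levelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; refuse LM'
    5 = 'Send NTLMv2 response only; refuse LM & NTLM'
}

function Get-LmAuthLevel {
    # Returns a small object describing the effective setting on this host.
    $item = Get-ItemProperty -Path $lsaPath -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: the operating system default applies and the policy has not been pushed.
        return [pscustomobject]@{ Level = $null; Name = 'Not set (OS default applies)'; MeetsBaseline = $false }
    }
    $level = [int]$item.LmCompatibilityLevel
    # Treat level 3 (NTLMv2 only) or higher as the minimum acceptable client posture;
    # this threshold is an assumption for the example, adjust it to your own baseline.
    return [pscustomobject]@{
        Level         = $level
        Name          = $levelNames[$level]
        MeetsBaseline = ($level -ge 3)
    }
}

$result = Get-LmAuthLevel
Write-Output ("LmCompatibilityLevel: {0} - {1}" -f $result.Level, $result.Name)
if (-not $result.MeetsBaseline) {
    Write-Warning 'Client may still send LM or NTLMv1 responses; verify Group Policy is applied (gpresult /r).'
}
```

The check is read-only: it tells you whether the policy you chose has reached a given workstation, which is the first thing to confirm before assuming the whole network is using the stronger protocol.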
Finally, we'll talk about creating a secure remote access plan for your end users. We've discussed virtual private network (VPN) technologies from an infrastructure standpoint earlier in this guide; here we'll examine how remote access choices will affect your end users. This includes your choice of remote access medium (dial-up or VPN), your choice of remote access protocols, and the creation of remote access policies to control the use of your network resources. We'll close with a discussion of Internet Authentication Service, or IAS, which is Windows Server 2003's RADIUS implementation and can be used for large-scale or heterogeneous remote access deployments.