Planning and Maintaining Network Security


Remote Assistance, first introduced in Windows XP, provides a built-in mechanism allowing an "Expert" to lend assistance to a "Novice", whether or not the Novice requested it. The Expert can be located on the same internal network or even somewhere else on the Internet. Remote Assistance allows the Expert to create a connection to the Novice's computer, view the desktop, communicate with the Novice, and even take remote control of the Novice's computer if the Novice allows. Remote Assistance can be performed only on computers running Windows XP or Windows Server 2003, a good reason to consider that desktop upgrade to Windows XP. Before a computer is eligible to receive Remote Assistance, however, it must be enabled either locally or by Group Policy.

Users can request Remote Assistance in three basic ways: Windows Messenger, email (sends a URL), or file (creates a Remote Assistance request file). Note that Windows Messenger is not the same as Microsoft Messenger, although both use similar technologies. You can most easily send Remote Assistance requests by using the Help and Support Center, which you can access by clicking Start, Help and Support.

Remote Assistance, like all the Terminal Services and Remote Desktop Protocol (RDP)-based applications, requires that TCP port 3389 be available to make a connection.

Remote Desktop for Administration, previously referred to as Remote Administration mode in Windows 2000, provides a built-in method to remotely administer and control servers. Provided you have the correct credentials, you can even remotely restart or shut down a server. Of course, you probably ought to warn any users who might be connected to it before doing so!

You can use Remote Desktop for Administration in one of two ways. The first and simplest (although less feature-rich) method is to use the Remote Desktop Connection utility, which you can find by clicking Start, Programs, Accessories, Communications, Remote Desktop Connection.

The second method for creating Remote Desktop for Administration connections is to use the new Remote Desktops Microsoft Management Console (MMC). This method offers two features that Windows administrators have been clamoring for since the introduction of Terminal Services:

  • Multiple connection profiles can be created: You can configure multiple connections in the Remote Desktops MMC and then switch through them quickly and easily, all within the confines of a single window. The multiple windows required when using the Remote Desktop Connection utility or the Terminal Services client are not needed.

  • Connections are made directly to the console session: In the past, Terminal Services connections could not be made to the console session, preventing many administrators from using Terminal Services for remote administration or forcing the use of third-party applications such as PC Anywhere or VNC. Windows Server 2003, using the Remote Desktops console, now creates connections to the console session, allowing administrators to view messages and pop-ups that are not redirected to any other session. There is no other way in Windows Server 2003 to connect to the existing console session and see these messages.

Remote Desktop for Administration, like Terminal Services Administration mode before it, is fairly restrictive in who can use it and how it can be used:

  • Only administrators can create Remote Desktop for Administration connections by default; this is a good thing. You want the number of users with this power to be as small as possible to minimize the risk of an attacker gaining complete control over your network. Access control is handled through membership in the Remote Desktop Users group.

  • Only two Remote Desktop sessions can exist on a computer, and both active and disconnected (but still running) sessions count toward this number. This restriction exists so that the number of concurrent changes being made to a computer is minimized to prevent configuration errors and conflicts. However, this does present a potential for a Denial of Service (DoS) attack against a computer, or at least the Remote Desktop portion.
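Because disconnected sessions still occupy one of the two Remote Desktop for Administration slots, a routine check is to parse the output of `query session` (qwinsta) and flag stale disconnected sessions before the limit is reached. The following parser and audit are an added example, not code from the book; the `query session` output it consumes is a constructed sample (the column layout mirrors the real command, but the host, users and session IDs are made up), and the two-session limit is taken from the text above.

```python
import re
from dataclasses import dataclass

# Constructed sample of `query session` (qwinsta) output from a Windows Server
# 2003 host running Remote Desktop for Administration; not a real capture.
SAMPLE_QUERY_SESSION = (
    " SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE\n"
    " console           Administrator             0  Active  wdcon\n"
    " rdp-tcp#1         jsmith                    1  Active  rdpwd\n"
    "                   mwong                     2  Disc    rdpwd\n"
    " rdp-tcp                                 65536  Listen  rdpwd\n"
)

ADMIN_SESSION_LIMIT = 2  # Remote Desktop for Administration: two RDP sessions, active or disconnected


@dataclass
class Session:
    name: str
    user: str
    id: int
    state: str
    kind: str


def parse_query_session(text):
    """Parse `query session` output into Session records.

    SESSIONNAME and USERNAME are left-aligned but either may be blank (a
    disconnected session loses its SESSIONNAME), and ID is right-aligned, so
    tokens are assigned to fields by the header's column offsets rather than
    by splitting on whitespace.
    """
    lines = [l for l in text.splitlines() if l.strip()]
    col = {m.group(): m.start() for m in re.finditer(r"\S+", lines[0])}
    user_col, state_col, type_col, dev_col = (col[c] for c in ("USERNAME", "STATE", "TYPE", "DEVICE"))
    sessions = []
    for line in lines[1:]:
        if line.startswith(">"):            # '>' marks the caller's own session
            line = " " + line[1:]
        tokens = list(re.finditer(r"\S+", line[:state_col]))
        sid = int(tokens[-1].group())       # ID is always the last token before STATE
        name = user = ""
        for tok in tokens[:-1]:             # whichever of SESSIONNAME / USERNAME is present
            if tok.start() < user_col:
                name = tok.group()
            else:
                user = tok.group()
        sessions.append(Session(name, user, sid,
                                line[state_col:type_col].strip(),
                                line[type_col:dev_col].strip()))
    return sessions


def audit_admin_sessions(text, limit=ADMIN_SESSION_LIMIT):
    """Count RDP sessions against the limit; disconnected ones hold a slot until reset."""
    rdp = [s for s in parse_query_session(text)
           if s.kind == "rdpwd" and s.state in ("Active", "Disc")]
    active = [s for s in rdp if s.state == "Active"]
    disc = [s for s in rdp if s.state == "Disc"]
    return {
        "in_use": len(rdp),
        "free_slots": max(limit - len(rdp), 0),
        "exhausted": len(rdp) >= limit,
        "active_users": [s.user for s in active],
        "stale_disconnected": [(s.id, s.user) for s in disc],
    }


if __name__ == "__main__":
    report = audit_admin_sessions(SAMPLE_QUERY_SESSION)
    print(f"RDP admin sessions in use: {report['in_use']}, free: {report['free_slots']}")
    for sid, user in report["stale_disconnected"]:
        print(f"  disconnected session {sid} ({user}) still holds a slot; consider `reset session {sid}`")
    if report["exhausted"]:
        print("  WARNING: no free slots; further administrators cannot connect")
```

On a real host, feed the function the captured output of `query session` instead of the sample. The session is counted whether or not its SESSIONNAME survives, which is exactly the case (a disconnected session) that exhausts the limit unnoticed.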

In Windows Server 2003, administrators can now use Group Policy to design and implement security policies to secure 802.11 Wireless LANs. The use of both Wired Equivalent Privacy (WEP) and 802.1x authentication is supported. The Group Policy options that are configured in a GPO and applied to a computer then take precedence over any user-configured settings, thus ensuring that your configuration is applied. You can create policies for three types of Wireless LANs:

  • Access point (infrastructure): The most common type of Wireless LAN, the infrastructure mode WLAN, consists of wireless clients communicating directly with wireless Access Points (APs). No direct client-to-client communications exist. This is considered to be the most secure type of WLAN.

  • Computer-to-computer (ad hoc): Ad hoc WLANs consist of wireless clients communicating directly with each other without the use of an AP in the middle. This type of communication does not provide a direct path to the wired network.

  • Any available network, access point preferred: This option configures the policy to attempt a connection to an Access Point first if one is available. If an AP is not available, the client attempts to create an ad hoc connection if possible. This method is least preferred and usually most problematic over time.

The following are the standard features of the Windows Server 2003 IPSec implementation:

  • IPSec in Windows Server 2003 is policy based. Settings are applied through an IPSec policy rather than configured individually on each machine, which allows an administrator to more easily apply the same settings to groups of objects such as computers or users.

  • IPSec on Windows Server 2003 can use Kerberos v5, a digital certificate, or a shared secret (string) for user authentication.

  • IPSec mutually authenticates computers prior to any data being exchanged.

  • IPSec establishes a security association (SA) between the two host computers involved in the data transfer. An SA is the collection of a policy and keys, which define the rules for security settings.

  • IPSec encrypts data using Data Encryption Standard (DES) or Triple DES (3DES).

  • IPSec uses the MD5 or SHA1 algorithm for data hashing.

  • IPSec is invisible to users. IPSec operates at the network level of the Open System Interface (OSI) model; therefore, users and applications do not directly interact with the protocol. After an IPSec tunnel has been created, users can connect to applications and services as if they were on the local network and not on the other side of a public network.

The IPSec Authentication Header (AH) provides three services as part of the IPSec protocol. First (as its name might suggest), AH authenticates the entire packet. Second, it ensures data integrity. Third, it prevents any replaying of the packet by a third party who might be trying to penetrate the IPSec tunnel. One service AH doesn't provide is payload encryption. AH protects your data from modification, but an attacker who is snooping the network would still be able to read the data. To prevent the modification of the data, AH uses two hashing algorithms to "sign" the packet for integrity:

  • The Message Digest 5 (MD5) algorithm applies the hashing function to the data in four passes.

  • The Secure Hash Algorithm (SHA1) is closely modeled after MD5. SHA uses 79 32-bit constants during the computation of the hash value, which results in a 160-bit key. Because SHA has a longer key length, it is considered more secure than MD5.

Encapsulating Security Protocol (ESP) provides confidentiality in addition to authentication, integrity, and anti-replay. This portion of the IPSec protocol encrypts the data contents of the packet. The format of the ESP varies, depending on the type and mode of encryption being utilized. ESP can be used alone, in combination with AH, or using Microsoft's implementation, nested within the L2TP.
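The difference between AH and ESP described above is easiest to see on the wire. The following is an added example, not code from the book or from Microsoft's IPSec implementation: it builds a simplified AH packet (header, sequence number, 96-bit truncated HMAC-SHA1 integrity check value, payload) and a simplified ESP packet, and runs a receiver with a sliding anti-replay window over them. The shared keys, the IP header bytes and the payload are constructed, the IP header is treated as immutable (real AH zeroes mutable fields such as TTL before hashing), and the ESP encryption is a labelled stand-in keystream because the Python standard library has no DES/3DES; the point is what each protocol does and does not protect, not the cipher.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # AH and ESP carry HMAC-SHA1 truncated to 96 bits


def _icv(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


class AntiReplayWindow:
    """Receiver-side sliding window over sequence numbers (64 wide here).

    Bit 0 of the bitmap is the highest sequence number accepted (top); bit k
    is top - k. Anything below the window, or already marked, is rejected.
    """

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def check_and_update(self, seq):
        if seq == 0 or seq + self.size <= self.top:      # zero is never valid; too old
            return False
        if seq > self.top:                                # advance the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:                             # duplicate: replay
            return False
        self.bitmap |= bit
        return True


def build_ah(key, seq, ip_header, payload):
    """AH: IP header | seq | ICV | payload. The ICV covers the whole packet
    (ICV field zeroed), so the payload is authenticated but sent in the clear."""
    seq_b = struct.pack(">I", seq)
    icv = _icv(key, ip_header + seq_b + bytes(ICV_LEN) + payload)
    return ip_header + seq_b + icv + payload


def verify_ah(key, window, packet, hdr_len):
    ip_header, seq_b = packet[:hdr_len], packet[hdr_len:hdr_len + 4]
    icv, payload = packet[hdr_len + 4:hdr_len + 4 + ICV_LEN], packet[hdr_len + 4 + ICV_LEN:]
    if not hmac.compare_digest(icv, _icv(key, ip_header + seq_b + bytes(ICV_LEN) + payload)):
        return False, "integrity check failed"
    if not window.check_and_update(struct.unpack(">I", seq_b)[0]):
        return False, "replayed or stale sequence number"
    return True, payload


def _keystream(key, seq, n):
    """Stand-in for DES/3DES (not in the standard library): HMAC-SHA1 in counter mode."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack(">II", seq, ctr), hashlib.sha1).digest()
        ctr += 1
    return out[:n]


def build_esp(auth_key, enc_key, seq, payload):
    """ESP: seq | ciphertext | ICV. The ICV covers seq and ciphertext only; the
    outer IP header is not authenticated (that is what AH adds when nested)."""
    seq_b = struct.pack(">I", seq)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(enc_key, seq, len(payload))))
    return seq_b + ct + _icv(auth_key, seq_b + ct)


def open_esp(auth_key, enc_key, window, esp):
    seq_b, ct, icv = esp[:4], esp[4:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(icv, _icv(auth_key, seq_b + ct)):
        return False, "integrity check failed"
    seq = struct.unpack(">I", seq_b)[0]
    if not window.check_and_update(seq):
        return False, "replayed or stale sequence number"
    return True, bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, seq, len(ct))))


def demo():
    """Exercise both protocols on constructed data and report what each protects."""
    auth_key, enc_key = b"constructed-shared-secret", b"constructed-encryption-key"
    ip_hdr = b"\x45\x00" + bytes(18)           # constructed 20-byte IP header, treated as immutable
    payload = b"password=hunter2"              # constructed application data
    win = AntiReplayWindow()
    pkt = build_ah(auth_key, 1, ip_hdr, payload)
    r = {"ah_payload_visible": payload in pkt}  # AH gives no confidentiality
    r["ah_accepted"] = verify_ah(auth_key, win, pkt, len(ip_hdr))[0]
    r["ah_replay_rejected"] = not verify_ah(auth_key, win, pkt, len(ip_hdr))[0]
    tampered = pkt.replace(b"hunter2", b"letmein")
    r["ah_tamper_detected"] = not verify_ah(auth_key, win, tampered, len(ip_hdr))[0]
    esp = build_esp(auth_key, enc_key, 1, payload)
    r["esp_payload_hidden"] = payload not in esp
    ok, plain = open_esp(auth_key, enc_key, AntiReplayWindow(), esp)
    r["esp_decrypts"] = ok and plain == payload
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run as a script, every flag prints `True`: the AH packet still contains the readable payload while modification and replay are refused, and the ESP packet hides it. Note the order in the receivers: the ICV is checked before the window is updated, so a forged packet with a fresh sequence number cannot poison the window.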

Policies allow you to quickly and easily configure IPSec based on the settings required within your organization. Windows Server 2003 comes with the following three preconfigured IPSec policies that may or may not meet your needs:

  • Client (Respond Only): This policy requires IPSec-provided security only when another computer requests it. This policy allows the computer to attempt unsecured communications first and switch to IPSec-secured communications if requested. This policy contains the default response rule, which creates dynamic IPSec filters for inbound and outbound traffic based on the requested protocol and port traffic for the communication that is being secured. This policy, which can be used on workstations and servers alike, provides the minimum amount of IPSec security.

  • Server (Request Security): This policy requests security from the other computer and allows unsecured communication with non-IPSec-aware computers. The computer accepts inbound unsecured traffic but always attempts to secure further communications by requesting IPSec security from the sending computer. If the other computer is not IPSec-enabled, the entire communication is allowed to be unsecured. This policy, which can be used on workstations and servers alike, provides a medium level of IPSec security.

  • Secure Server (Require Security): This policy is implemented on computers that require highly secure communications, such as servers transmitting sensitive data. The filters in this policy require all outbound communication to be secured, allowing only the initial inbound communication request to be unsecured. This policy has a rule to require security for all IP traffic, a rule to permit ICMP traffic, and the default response rule to respond to requests for security from other computers. This policy, typically used only on servers, provides the highest level of IPSec security on a network. This policy can also be used on workstation computers if you want. Non-IPSec-enabled computers cannot establish any communications with computers using this policy.

Filter actions define the type of security and methods by which security is established. The default methods are Permit, Block, and Negotiate Security. The Permit option passes the traffic without the requirement for security. This action is appropriate if you never want to secure traffic to which a rule applies. The Block action silently blocks all traffic from computers specified in the IP filter list. The Negotiate Security action specifies that the computer is to use a list of security methods to negotiate the appropriate security for the communication.
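The interaction between the three preconfigured policies and the three filter actions is where deployments usually go wrong (a Secure Server that can no longer be reached by a non-IPSec host, or two Respond Only clients that never actually negotiate). The following model is an added example, not code from the book or from Windows: it reduces an IP filter list to a protocol name, encodes each preconfigured policy as an ordered rule list from the descriptions above, and predicts the outcome of the first exchange between two hosts. The `initiate` and `require` flags and the result labels are this example's own simplification; it models the documented behaviour, not IKE negotiation itself.

```python
from dataclasses import dataclass

PERMIT, BLOCK, NEGOTIATE = "Permit", "Block", "Negotiate Security"


@dataclass(frozen=True)
class Rule:
    protocol: str            # IP filter list, reduced here to one protocol name or "any"
    action: str              # one of the three filter actions
    initiate: bool = False   # Negotiate: ask the peer for security (vs. respond only)
    require: bool = False    # Negotiate: refuse to fall back to unsecured traffic


# The three preconfigured policies, modelled from their descriptions, plus a host
# with no IPSec at all. First matching rule wins.
CLIENT_RESPOND_ONLY = [Rule("any", NEGOTIATE)]                      # default response rule only
SERVER_REQUEST = [Rule("any", NEGOTIATE, initiate=True)]            # request, fall back to clear
SECURE_SERVER = [Rule("icmp", PERMIT),                              # permit ICMP rule
                 Rule("any", NEGOTIATE, initiate=True, require=True)]  # require security for all IP
NO_IPSEC = [Rule("any", PERMIT)]                                    # non-IPSec-aware host

POLICIES = {
    "Client (Respond Only)": CLIENT_RESPOND_ONLY,
    "Server (Request Security)": SERVER_REQUEST,
    "Secure Server (Require Security)": SECURE_SERVER,
    "no IPSec": NO_IPSEC,
}


def first_match(policy, protocol):
    for rule in policy:
        if rule.protocol in ("any", protocol):
            return rule
    raise ValueError("no rule matched; every policy in this model ends in an 'any' rule")


def connect(initiator, responder, protocol):
    """Predict the first exchange between two policies: 'secured', 'unsecured' or 'blocked'."""
    ri, rr = first_match(initiator, protocol), first_match(responder, protocol)
    if BLOCK in (ri.action, rr.action):           # Block drops silently on either side
        return "blocked"
    both_negotiate = ri.action == NEGOTIATE and rr.action == NEGOTIATE
    someone_asks = (ri.action == NEGOTIATE and ri.initiate) or (rr.action == NEGOTIATE and rr.initiate)
    if both_negotiate and someone_asks:           # a request met by a Negotiate rule succeeds
        return "secured"
    # No negotiation took place: a side that requires security refuses to talk in the clear.
    if (ri.action == NEGOTIATE and ri.require) or (rr.action == NEGOTIATE and rr.require):
        return "blocked"
    return "unsecured"


def matrix(protocol="tcp"):
    """Outcome for every (initiator, responder) pairing of the policies above."""
    return {(a, b): connect(pa, pb, protocol)
            for a, pa in POLICIES.items() for b, pb in POLICIES.items()}


if __name__ == "__main__":
    for (a, b), outcome in matrix().items():
        print(f"{a:34} -> {b:34}: {outcome}")
    print("ICMP to Secure Server from a non-IPSec host:",
          connect(NO_IPSEC, SECURE_SERVER, "icmp"))
```

The model makes two points the prose states but that are easy to miss in practice: two hosts on Client (Respond Only) never secure anything, because neither asks, and Secure Server still answers ICMP from anyone because the permit rule precedes the require rule.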

Often when policies are applied on multiple levels, results can conflict. Using the RSoP snap-in can help you to easily determine where the problem lies and the precedence (processing order) of the policies involved. RSoP can be used in one of two modes:

  • Planning Mode: This mode allows you to simulate the effect of policy settings that you want to apply to a computer and user.

  • Logging Mode: This mode allows you to determine the existing policy settings for a computer and user who is currently logged on.



MCSE Windows Server 2003 Network Infrastructure (Exam 70-293)
MCSE 70-293 Exam Prep: Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (2nd Edition)
ISBN: 0789736500
Year: 2003
Pages: 151
Authors: Will Schmied
