Bulletproof Scenario


CompanyABC is a small software company with offices all over the world. CompanyABC supports roaming salespeople who travel from office to office. CompanyABC prides itself on its ability to make resources available to the end users. CompanyABC has security policies in place that require encrypting all data on databases and file servers as well as all communications between computers. CompanyABC requires strong authentication for access to any and all systems.

Bob is an employee at CompanyABC. Bob works in sales travels often. He needs near constant access to contact databases and e-mail and has a fancy new notebook with a wireless network interface and Windows XP.

This section will take a look at a typical day for Bob and highlight the security features that enable Bob to perform his daily tasks in a secure manner.

Bob has just arrived in a remote office and needs to access a document that he has stored on a file server back at the corporate headquarters. Bob has been given access to a conference room to use as a temporary office. Bob boots up his notebook and is prompted to enter his smartcard. Bob places his smartcard-enabled employee badge into the smartcard reader in his notebook and is asked for a PIN. Bob enters his PIN and is authenticated to the notebook. As Bob's notebook launches Windows XP, it sends a DHCP request via the wireless network interface. Along with this DHCP request, Bob's system sends a ClassID that was configured on his system when it was first imaged . Luckily for Bob, the MAC address of his wireless card was entered into a RADIUS server that all of the wireless access points use to authenticate users at a hardware level. This allows the access point to process Bob's DHCP request. The request reaches a DHCP server located on an isolated network in the office. This Network site behind a firewall only allows VPN traffic to reach a specific pair of load-balanced VPN servers. Because the ClassID on Bob's machine matches the ClassID on a scope on the DHCP server, Bob's machine is given a valid IP address.

Bob launches his VPN connection and attaches to the local VPN server. Bob now has an L2TP connection secured with IPSec to the office network. At this point, a domain login prompt appears and Bob authenticates himself to the network via his Active Directory login. Pleased with his progress, Bob decides to reward himself with a nice cup of coffee. Knowing that the kitchen requires badge access to enter, Bob removes his employee badge from the notebook and walks to the kitchen. By removing his badge, the smartcard driver tells the system to lock itself.

This is a behavior that is configured on the notebook. While Bob is away, other users cannot gain access to his notebook. Bob returns shortly and unlocks his notebook via the smartcard and PIN combination. Because Bob has access to the corporate network, he decides to access his document on the server back at HQ.

When Bob's notebook requests the file from the server, the server informs Bob's notebook that it requires Transport Layer Security to access the resources. Bob's notebook and the server exchange certificates and random values and create a pre-master secret. This secret is used to generate their session keys. These session keys are used to encrypt the communications. When Bob's notebook told the server which ciphers it supported it informed the server that it only supports Microsoft Enhanced DSS and Diffie-Hellman SChannel Cryptographic Provider, which is the way the notebook was configured when it was first imaged. The server accepts this cipher and the channel is established.

The document Bob wants is sitting in his personal folder. This folder is encrypted via EFS based on a certificate that was issued to Bob by the corporate Certificate Authority. Because Bob's notebook possesses the correct key, he is able to decrypt the file to view it. Bob has also enabled several coworkers to decrypt the file so that it can be shared.

Bob, being just computer savvy enough to be dangerous, decides that this is just too much effort to get to a single file. Knowing that he is going to need to access this file again the next day at another office, Bob decides that he is going to create a local cached copy of the file through offline folders. Luckily, a Windows XP client with a Windows 2003 backend allows Bob's offline copy to remain encrypted. Now when Bob loses his notebook at the airport again, the company doesn't have to worry about a loss of intellectual property.



Microsoft Windows Server 2003 Insider Solutions
Microsoft Windows Server 2003 Insider Solutions
ISBN: 0672326094
EAN: 2147483647
Year: 2003
Pages: 325

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net