| < Day Day Up > |
|
SACLs (system access control lists), 159
Schneier, Bruce, 85
screened subnets, 52
Secondary Logon service, 252
secondary networks, 375
Secure Communications dialog box, 263, 263
Secure Shell (SSH) tool, 390
Secure Sockets Layer. See SSL
security analysis, 2–34
case study, 29–30
case study answers, 33–34
case study questions, 31–32
exam essentials, 23–24
of existing policies/procedures, 8–11, 12
key terms, 24
overview, 22
of requirements for securing data,
See also access control
backups, 18
data access audits, 18
data access permissions, 19
data retention, 19
defined, 17
design scenario, 20
network versus local storage, 17–18
overview, 17, 19–20
review question answers, 28
review questions, 25–27
of security risks,
See also security threats
defined, 2
design scenario, 6–7
identifying assets at risk, 2–3
identifying threats, 3–5
qualitative analysis, 4
quantitative analysis, 4
of technical constraints
design scenario, 23
interoperability constraints, 21–22
overview, 21
real world scenario, 22
security baselines,
See also IIS;
server
auditing and, 175
at computer level, 13–17, 13–15, 17
defined, 12, 288–289
at domain level, 12
Security Configuration And Analysis snap-in,
See also MMC;
server
adding to MMC, 13, 13
analyzing server/template compliance, 16–17, 17, 301–302, 301
applying templates to servers, 16, 302
defined, 342–343
overview, 290, 310
security descriptors, 158, 159–160
Security Options settings, 297, 298, 330
security policies and procedures,
See also GPOs
access policy, 9
account password policies, 137, 139–141
accountability policy, 9
authentication policy, 9
in certificate authority design, 209–210
certificate policy, 210
computer purchasing guidelines, 9
configuring IPSec policies, 76–78, 76, 78
designing audit policies
and audit review procedures, 178
for client security, 330
design scenario, 178
for IIS security, 268–269, 269
for network resource access, 176–177
documenting, 11–12
enforcing
overview, 10–11
real world scenario, 11
software restriction policies, 332–334, 333–335
on Windows Server 2003, 11–17, 13–15, 17
policies, defined, 8
privacy policy, 9
procedures, defined, 10
real world scenarios, 9, 11, 12
recommended policies, 8
resource availability statements, 9
software restriction policies
certificate rules, 335
default security levels, 332, 333
defined, 332
design scenario, 337
Disallowed setting, 332, 333, 336
enforcement settings, 332–334, 333–335
hash rules, 335, 336
Internet Zone rules, 335
path rules, 336
Unrestricted setting, 332
warning, 332
standard policies, 8
system/network maintenance policy, 10
templates, 13–17, 13–15, 17
updating, 11
violations reporting policy, 10
Security Templates snap-in,
See also client;
MMC;
server
adding to MMC, 13, 13
creating/modifying templates, 14–16, 14–15, 291–294, 292, 294
overview, 310
security threats, 36–66,
See also security analysis
attacks
of Code Red worms, 249–250
on data packets, 5, 68–69
on DNS servers, 304–308, 305–308
on IIS, 242, 249–250
on passwords, 5, 121–124, 122, 135, 137
types of, 4–5
case study, 62–63
case study answers, 66
case study questions, 64–65
categories of, 42
defined, 3
exam essentials, 55–56
key terms, 56
predicting threats to the networkoverview, 3–4, 55
attacker motives and, 36–37
common vulnerabilities, 37
design scenarios, 39, 41
external threats, 39–41, 40–41
internal threats, 38–39
with threat modeling, 41–43
to wireless networks, 99, 105–106
recovering services and/or data
analyzing intrusions, 48–50, 48–50
disconnecting from network, 48
documenting, 47
overview, 47, 51
real world scenario, 51
taking system snapshots, 48
in remote network management, 370
responding to incidents
design scenario, 47
designing procedures for, 44–47
incident severity levels, 45–46
overview, 44
real world scenario, 45
steps in, 46–47
review question answers, 60–61
review questions, 57–59
securing network perimeters
using back-to-back configurations, 53, 53
using bastion hosts, 52, 52
design scenario, 54
offsite computers and, 55
overview, 52
real world scenario, 54
by segmenting networks, 54
using three-pronged configurations, 53, 53
vulnerabilities in authentication
compatibility, 124
encryption, 124
evaluating cost of, 137, 138
excessive privileges, 136
passwords, 121–124, 122, 135, 137
security updates. See client
Server Message Block (SMB) signing, 78–79
server security, 288–321,
See also IIS;
remote network
case study, 316–317
case study answers, 321
case study questions, 318–320
exam essentials, 310
key terms, 310
overview, 3, 309–310
physical security, 374
review question answers, 314–315
review questions, 311–313
securing DNS servers
against cache pollution, 307–308, 307–308
design scenario, 309
disabling dynamic updates, 305–307, 306
DNSSEC extensions support, 309
limiting zone transfers, 304, 305
real world scenario, 306
supporting secure updates, 307
using security baseline templates,
See also security baselines
analyzing server compliance with, 290, 301–302, 301
applying, 16, 302
auditing before, 289–290
custom templates, 291–294, 292
defined, 288
design scenarios, 295, 303–304
for domain controllers, 294–299, 296, 298
elements in, 289
in Enterprise Client environments, 292
for file servers, 299–300
in High Security environments, 293
for infrastructure servers, 299
in Legacy Client environments, 292
linking to GPOs, 302
for member servers, 290–294, 292, 294
for POP3 mail servers, 300
predefined templates, 290–291
resolving server conflicts with, 302, 303
storage location, 292
trusted computing base and, 288
warnings, 295, 297, 299
using Security Configuration And Analysis snap-in
adding to MMC, 13, 13
analyzing server/template compliance, 16–17, 17, 301–302, 301
applying templates to servers, 16, 302
defined, 342–343
overview, 290, 310
using Security Templates snap-in
adding to MMC, 13, 13
creating/modifying templates, 14–16, 14–15, 291–294, 292, 294
overview, 310
Service Set Identifier. See SSID
Share permissions, 169–172, 171, 374
Shell Hardware Detection service, 252
Shiva Password Authentication Protocol (SPAP), 83
SIDs (Security IDs), 159–160
Site Security Handbook (RFC 2196), 9–10
SLAs (service level agreements), 18
smart cards
authentication, 217
defined, 85
runas command and, 135
Smart Card service, 252
storing certificates in, 217
SMB (Server Message Block) signing, 78–79
SMS (Systems Management Server), 342, 343
SMTP (Simple Mail Transfer Protocol), 255
snap-ins, 380, 380–381,
See also MMC
social engineering attacks, 5
software assets, 2
software restriction policies,
See also client;
security policies
certificate rules, 335
defined, 332
design scenario, 337
Disallowed setting, 332, 333, 336
enforcement settings, 332–334, 333–335
hash rules, 335, 336
Internet Zone rules, 335
path rules, 336
setting default security levels, 332, 333
Unrestricted setting, 332
warning, 332
Software Update Services. See SUS
spamming attacks, 5
SPAP (Shiva Password Authentication Protocol), 83
Special Administration Console Helper, 252
Special Administration Consoles in EMS, 390–392, 391
Specify intranet Microsoft update service location setting, 348–349 , 349
spoofing identity attacks, 5, 42, 43
SQL Server 2000 security, 3
SSH (Secure Shell) tool, 390
SSID (Service Set Identifier), 100
SSL (Secure Sockets Layer)
defined, 71, 71–73
overview, 70, 375
PKI example, 195, 195, 201–202, 202–203
stand-alone CAs (certificate authorities), 207
storing data. See security analysis
STRIDE threat model, 42–43
SUS (Software Update Services),
See also client
benefits, 343–344
clients, configuring, 347–350, 348–350
defined, 342
design scenario, 351
how it works, 344
installing, 344–345
overview, 343
servers, configuring, 344–347, 345–347
svchost.exe, 49–50, 49
system access control lists (SACLs), 159
System Properties dialog box
Automatic Updates tab, 350, 350
Remote tab, 383–384, 383–384, 386–388, 387
System Services settings, 331
| < Day Day Up > |
|