Index
S
SACLs (system access control lists), 159
Schneier, Bruce, 85
screened subnets, 52
Secondary Logon service, 252
secondary networks, 375
Secure Communications dialog box, 263, 263
Secure Shell (SSH) tool, 390
Secure Sockets Layer. See SSL
security analysis, 2–34
    case study, 29–30
    case study answers, 33–34
    case study questions, 31–32
    exam essentials, 23–24
    of existing policies/procedures, 8–11, 12
    key terms, 24
    overview, 22
    of requirements for securing data, See also access control
        backups, 18
        data access audits, 18
        data access permissions, 19
        data retention, 19
        defined, 17
        design scenario, 20
        network versus local storage, 17–18
        overview, 17, 19–20
    review question answers, 28
    review questions, 25–27
    of security risks, See also 2
        design scenario, 6–7
        identifying assets at risk, 2–3
        identifying threats, 3–5
        qualitative analysis, 4
        quantitative analysis, 4
    of technical constraints
        design scenario, 23
        interoperability constraints, 21–22
        overview, 21
        real world scenario, 22
security baselines, See also IIS; 175
    at computer level, 13–17, 13–15, 17
    defined, 12, 288–289
    at domain level, 12
Security Configuration And Analysis snap-in, See also MMC; 13, 13
    analyzing server/template compliance, 16–17, 17, 301–302, 301
    applying templates to servers, 16, 302
    defined, 342–343
    overview, 290, 310
security descriptors, 158, 159–160
Security Options settings, 297, 298, 330
security policies and procedures, See also GPOs
    access policy, 9
    account password policies, 137, 139–141
    accountability policy, 9
    authentication policy, 9
    in certificate authority design, 209–210
    certificate policy, 210
    computer purchasing guidelines, 9
    configuring IPSec policies, 76–78, 76, 78
    designing audit policies and audit review procedures, 178
        for client security, 330
        design scenario, 178
        for IIS security, 268–269, 269
        for network resource access, 176–177
    documenting, 11–12
    enforcing
        overview, 10–11
        real world scenario, 11
        software restriction policies, 332–334, 333–335
        on Windows Server 2003, 11–17, 13–15, 17
    policies, defined, 8
    privacy policy, 9
    procedures, defined, 10
    real world scenarios, 9, 11, 12
    recommended policies, 8
    resource availability statements, 9
    software restriction policies
        certificate rules, 335
        default security levels, 332, 333
        defined, 332
        design scenario, 337
        Disallowed setting, 332, 333, 336
        enforcement settings, 332–334, 333–335
        hash rules, 335, 336
        Internet Zone rules, 335
        path rules, 336
        Unrestricted setting, 332
        warning, 332
    standard policies, 8
    system/network maintenance policy, 10
    templates, 13–17, 13–15, 17
    updating, 11
    violations reporting policy, 10
Security Templates snap-in, See also client; MMC; 13, 13
    creating/modifying templates, 14–16, 14–15, 291–294, 292, 294
    overview, 310
security threats, 36–66, See also security analysis
    attacks
        of Code Red worms, 249–250
        on data packets, 5, 68–69
        on DNS servers, 304–308, 305–308
        on IIS, 242, 249–250
        on passwords, 5, 121–124, 122, 135, 137
        types of, 4–5
    case study, 62–63
    case study answers, 66
    case study questions, 64–65
    categories of, 42
    defined, 3
    exam essentials, 55–56
    key terms, 56
    predicting threats to the network
        overview, 3–4, 55
        attacker motives and, 36–37
        common vulnerabilities, 37
        design scenarios, 39, 41
        external threats, 39–41, 40–41
        internal threats, 38–39
        with threat modeling, 41–43
        to wireless networks, 99, 105–106
    recovering services and/or data
        analyzing intrusions, 48–50, 48–50
        disconnecting from network, 48
        documenting, 47
        overview, 47, 51
        real world scenario, 51
        taking system snapshots, 48
    in remote network management, 370
    responding to incidents
        design scenario, 47
        designing procedures for, 44–47
        incident severity levels, 45–46
        overview, 44
        real world scenario, 45
        steps in, 46–47
    review question answers, 60–61
    review questions, 57–59
    securing network perimeters
        using back-to-back configurations, 53, 53
        using bastion hosts, 52, 52
        design scenario, 54
        offsite computers and, 55
        overview, 52
        real world scenario, 54
        by segmenting networks, 54
        using three-pronged configurations, 53, 53
    vulnerabilities in
        authentication compatibility, 124
        encryption, 124
        evaluating cost of, 137, 138
        excessive privileges, 136
        passwords, 121–124, 122, 135, 137
security updates. See client
Server Message Block (SMB) signing, 78–79
server security, 288–321, See also IIS; remote network
    case study, 316–317
    case study answers, 321
    case study questions, 318–320
    exam essentials, 310
    key terms, 310
    overview, 3, 309–310
    physical security, 374
    review question answers, 314–315
    review questions, 311–313
    securing DNS servers
        against cache pollution, 307–308, 307–308
        design scenario, 309
        disabling dynamic updates, 305–307, 306
        DNSSEC extensions support, 309
        limiting zone transfers, 304, 305
        real world scenario, 306
        supporting secure updates, 307
    using security baseline templates, See also security baselines
        analyzing server compliance with, 290, 301–302, 301
        applying, 16, 302
        auditing before, 289–290
        custom templates, 291–294, 292
        defined, 288
        design scenarios, 295, 303–304
        for domain controllers, 294–299, 296, 298
        elements in, 289
        in Enterprise Client environments, 292
        for file servers, 299–300
        in High Security environments, 293
        for infrastructure servers, 299
        in Legacy Client environments, 292
        linking to GPOs, 302
        for member servers, 290–294, 292, 294
        for POP3 mail servers, 300
        predefined templates, 290–291
        resolving server conflicts with, 302, 303
        storage location, 292
        trusted computing base and, 288
        warnings, 295, 297, 299
    using Security Configuration And Analysis snap-in
        adding to MMC, 13, 13
        analyzing server/template compliance, 16–17, 17, 301–302, 301
        applying templates to servers, 16, 302
        defined, 342–343
        overview, 290, 310
    using Security Templates snap-in
        adding to MMC, 13, 13
        creating/modifying templates, 14–16, 14–15, 291–294, 292, 294
        overview, 310
Service Set Identifier. See SSID
Share permissions, 169–172, 171, 374
Shell Hardware Detection service, 252
Shiva Password Authentication Protocol (SPAP), 83
SIDs (Security IDs), 159–160
Site Security Handbook (RFC 2196), 9–10
SLAs (service level agreements), 18
smart cards
    authentication, 217
    defined, 85
    runas command and, 135
    Smart Card service, 252
    storing certificates in, 217
SMB (Server Message Block) signing, 78–79
SMS (Systems Management Server), 342, 343
SMTP (Simple Mail Transfer Protocol), 255
snap-ins, 380, 380–381, See also MMC
social engineering attacks, 5
software assets, 2
software restriction policies, See also client; 335
    defined, 332
    design scenario, 337
    Disallowed setting, 332, 333, 336
    enforcement settings, 332–334, 333–335
    hash rules, 335, 336
    Internet Zone rules, 335
    path rules, 336
    setting default security levels, 332, 333
    Unrestricted setting, 332
    warning, 332
Software Update Services. See SUS
spamming attacks, 5
SPAP (Shiva Password Authentication Protocol), 83
Special Administration Console Helper, 252
Special Administration Consoles in EMS, 390–392, 391
Specify intranet Microsoft update service location setting, 348–349, 349
spoofing identity attacks, 5, 42, 43
SQL Server 2000 security, 3
SSH (Secure Shell) tool, 390
SSID (Service Set Identifier), 100
SSL (Secure Sockets Layer)
    defined, 71, 71–73
    overview, 70, 375
    PKI example, 195, 195, 201–202, 202–203
stand-alone CAs (certificate authorities), 207
storing data. See security analysis
STRIDE threat model, 42–43
SUS (Software Update Services), See also client
    benefits, 343–344
    clients, configuring, 347–350, 348–350
    defined, 342
    design scenario, 351
    how it works, 344
    installing, 344–345
    overview, 343
    servers, configuring, 344–347, 345–347
svchost.exe, 49–50, 49
system access control lists (SACLs), 159
System Properties dialog box
    Automatic Updates tab, 350, 350
    Remote tab, 383–384, 383–384, 386–388, 387
System Services settings, 331