MCSE Designing Security for a Windows Server 2003 Network Exam 70-298 Study Guide [Electronic resources]

Elias N. Khnaser

Chapter 9: Securing Network Resources

Introduction

After Chapter 8, “Securing Active Directory,” the next step is to actually secure the files and folders themselves. Windows permissions are discretionary, which means that users with the Change Permissions or Full Control permissions or users who have ownership of a file or folder can change its permissions to their heart’s content. With this in mind, you should design a permission scheme that will provide sufficient access for end users to do their jobs, but not unnecessary permissions that might affect the security of your overall network.
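The discretionary model described above can be audited directly. The following PowerShell is an added example, not code from the book: for each folder under a root it reports the owner and every principal allowed Change Permissions or Full Control, and it goes one step beyond the text by also flagging Take Ownership, since that right leads to ownership. The path `D:\Shares`, the function name `Get-DaclWriter`, the list of expected principals, and the use of PowerShell 3.0 or later are assumptions.

```powershell
# Added example (not from the book). D:\Shares is a placeholder path.
param([string]$Root = 'D:\Shares')

$FullControl       = 0x001F01FF   # FileSystemRights.FullControl
$ChangePermissions = 0x00040000   # WRITE_DAC   (Change Permissions)
$TakeOwnership     = 0x00080000   # WRITE_OWNER (Take Ownership)
$GenericAll        = 0x10000000   # GENERIC_ALL, common on inherit-only ACEs

# Assumption: principals that are expected to hold these rights and are
# therefore left out of the report. Adjust to your own design.
$Expected = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER'

function Get-DaclWriter {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path

    # The owner can always change permissions, whatever the DACL says.
    [pscustomobject]@{ Path = $Path; Principal = $acl.Owner
                       Via = 'Owner'; Inherited = $false }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # Cast to int so raw generic-rights masks are handled as well as
        # the named FileSystemRights values.
        $mask = [int]$ace.FileSystemRights
        $via = $null
        if ((($mask -band $FullControl) -eq $FullControl) -or
            ($mask -band $GenericAll))         { $via = 'Full Control' }
        elseif ($mask -band $ChangePermissions) { $via = 'Change Permissions' }
        elseif ($mask -band $TakeOwnership)     { $via = 'Take Ownership' }

        if ($via) {
            [pscustomobject]@{ Path = $Path
                               Principal = $ace.IdentityReference.Value
                               Via = $via; Inherited = $ace.IsInherited }
        }
    }
}

# Check the root folder itself and every subfolder beneath it.
$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

$folders | ForEach-Object { Get-DaclWriter -Path $_.FullName } |
    Where-Object { $Expected -notcontains $_.Principal } |
    Sort-Object Path, Principal |
    Format-Table -AutoSize
```

Rows with `Inherited` set to `False` mark the folders where the right was granted explicitly or where a non-administrative account is the owner, which are the places to review first.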

Windows Server 2003 establishes a default permission structure when you first install the operating system, but you might need to change these defaults to meet your needs. In this chapter, we examine some common risks that can affect your file shares, such as data corruption caused by viruses or security breaches arising from incorrectly assigned permissions. Then, we’ll look at ways to design a permission structure for the files and folders in a large, multiserver environment, as well as best practices for securing the Windows Registry.

An advance in Windows 2000 gave users the ability to encrypt files on a hard drive using the Encrypted File System (EFS). EFS combines public key cryptography (using Certificate Services) with 3DES encryption to allow users and administrators to extend file security beyond NTFS permissions. This feature has been expanded and improved in Windows Server 2003, including the ability to encrypt files remotely, and to share encrypted files among multiple users. The proper use of EFS within an enterprise requires careful planning, both in terms of user education and technical implementations. For example, you need to implement a means to recover encrypted files if a user’s private key is lost or damaged.

The last topic we’ll talk about here is designing a secure backup and recovery strategy for your network resources. The disaster recovery process is really your last line of defense where security is concerned—if all else fails and your data has been compromised somehow, you can turn to your backup tapes to restore anything that has been lost or corrupted. However, what if your backups themselves create an avenue for attackers to compromise your network? We’ll look at ways to secure the backup process itself, including physically securing backup media, and assigning rights and permissions to perform backups and restores in a secure manner.