MCSE Designing Security for a Windows Server 2003 Network [Electronic resources] : Exam 70-298 Study Guide

Elias N. Khnaser, Susan Snedak, Chris Peiris, Rob Amini


Index

A

AAA (authentication, authorization, accounting) Model, 639

ABR (area border routers), 419

Acceptable Use Policy (AUP), 4–5

access

anonymous, 109–110

default IIS options, 377

Deny Access to This Computer from the Network right, 466

group strategy for accessing resources, 490–495

Network Access Quarantine Control and, 670

registry, securing, 615

removable media, 108

user, securing, 615

wireless using IAS, 669

access control. see also data access control

audit requirement analysis, 534–541

domain local groups and, 520

files/folders design strategy, 617

registry access control, 541–553

access control entries (ACEs), 513–514

Access Control List Editor, 533

Access Control Lists (ACLs)

NTFS/share permissions, 455–457, 496

data access and, 509

overview of, 513

access control strategy

account security policies, 463–474

administrative and service accounts, 460–462

auditing user account activity, 480–486

delegation strategy, 487–490

for directory services, designing, 454–457, 499

important points about, 496

password policies, designing, 462

password security, 474–480

rights/permissions, assigning, 458–460

risks to directory services, 457–458

access design strategy, 455

access mask, 514

access request, 514

Access This Computer from the Network right, 464

accidental network access, 317, 343

account group, 515

Account Group/ACL (AG/ACL), 517–518, 621–622

Account Group/Resource Group (AG/RG), 518

account groups, 619

Account lockout duration setting, 479

Account Lockout policy

creating, 478–480

duration, 68

password security and, 477

scenario, 503–504

Account lockout threshold setting, 479

account logon event, 537–538

account management, 481

account policies, 67–69, 145

account security policies

implementing via Group Policy, 463

Kerberos policy, creating, 472–474

Restricted groups, 470–472

user rights assignments, 463–470

accounts

administrator, 645

local system, 512

naming conventions, securing, 646

user, securing, 645–646

ACEs (access control entries), 513–514

ACL. see Access Control Lists

Act as Part of the Operating System right, 464

Active Directory (AD)

certificate templates and, 188

DNS RR in, 302–303

domains, 133

IAS servers and, 666

IPSec policy stored in, 273–274

for network infrastructure security, 246

role-based delegation with, 198

WLAN network infrastructure requirement, 322

Active Directory Client Services extensions, 74–75

Active Directory security

access control strategy for directory services, 454–457

account security policies, 463–474

administrative and service accounts, 460–462

auditing user account activity, 480–486

delegation strategy, 487–490

group strategy for accessing resources, 490–495

overview of, 454

password policies, designing, 462

password security, 474–480

rights/permissions, assigning, 458–460

risks to directory services, 457–458

Active Directory Users and Computers Snap-in

Account Lockout policy creation with, 479–480

Audit policy creation with, 482

setting Password Complexity policy with, 477–478

Active Directory-Integrated zones, 300–301

ad hoc wireless network

described, 315

scenario, 347

when to use, 343

Add Workstations to the Domain right, 464

Adjust Memory Quotas for a Process right, 464

administration delegation strategy, 487–490

Administrative account, 461–462

administrative credentials, 283

administrative policies, 4

administrator accounts, 645, 646

administrators

authority delegation for, 197–199

credentials restriction of, 195–196, 231

delegation strategy, 487–490

securing tools for, 197–199

security policies for administrators/IT personnel, 197

advanced digest authentication, 385–386

Advanced Digest Security, 407

AG/ACL (Account Group/ACL), 517–518, 621–622

AG/RG (Account Group/Resource Group), 518

AGDLP

defined, 454

described, 491, 498, 512

nesting groups, 493–494

user rights and, 513

AGUDLP strategy, 491–492, 498

AH. see Authentication Header

AIA. see Authority Information Access

All ICMP Traffic filter list, 269

All IP Traffic filter list, 269

Allow automatic administrative logon, 611, 612

Allow floppy copy and access to all drives and all folders, 612

Allow Log On Locally right, 464–465

Allow Log On through Terminal Services right, 465

/analyze, 90–91

anonymous access restriction, 109–110

anonymous authentication, 362–364

anti-virus protection, 630

anti-virus software, 485

APIPA (Automatic Private IP Addressing), 421

Application log, 396

Application server mode, Terminal Services, 202

application servers, 129, 131

application sharing security, 250–251

application-layer attack, 248

Apply Group Policy permissions, 215

area border routers (ABR), 419

/areas, 89

AS boundary router (ASBR), 420

ASP.NET

404 errors and, 406

IIS 6 authorization options, 388–389

IIS hardening and, 382

ASR. see Automated System Recovery

assets risk analysis, 23

asymmetric encryption, 153–154. see also public key cryptography

asymmetric keys, 304

ATM (Automatic Teller Machine), 153

attack vectors, 629–630

attacks. see also specific type of attack

analysis of, 623

combating network, 18

external, motivations for, 22

network infrastructure security and, 247–249

nontechnical, 20

overview of, 39

recognizing indicators of, 27

risk analysis and, 510–511

threat to wireless networks, 317–318

Audit account logon events setting, 480

Audit account management setting, 481

Audit directory service access setting, 481

audit events, domain controller, 108

Audit logon events policy, 482–483

Audit logon events setting, 481

Audit object access setting, 481, 484–485

Audit policy

creating, 482

Group Policy for, 497

Manage Auditing and Security Log right, 468

on Web server, 501

what to include in, 503

Audit policy change setting, 481

Audit privilege use setting, 481

Audit process tracking setting, 481

audit requirement analysis, 534–541

Audit system events setting, 481

auditing

of account logon events, 537–538

attack indicators and, 27

of Directory Service access events, 538

enabling in IIS, 392–396

enabling on CA server, 181–183, 187

of logon events, 535–537

of object access events, 539

overview of, 615

of policy change events, 540

policy for, 620

practices for data security, 511

of privilege use events, 538–539

of process tracking events, 540

requirements analysis, 534–535

of system events, 539

auditing data analysis, 485–486

auditing user account activity

analyzing auditing data, 485–486

Audit policy, creating, 482

Auditing settings, 480–481

logon events, 482–484

object access, 484–485

AUP (Acceptable Use Policy), 4–5

authentication

anonymous, 362–364

basic, 364–365

client design strategy, 639–640

client requirements analysis, 640–641

digest, 366–367

DLL for IIS security incident detection, 399

with EAP, 316

IEEE 802.1x, 347–348

IIS 6.0, 401

IIS certificate, 362–369, 400

IIS hardening and, 382

IIS RADIUS, 369–375

IIS user, 353–356

IIS Windows logon, 362–369

logical authentication strategy, designing, 165–167, 186–187

multifactor, 645

mutual, 647

network, 641–645

protocols for client access, 646–651

protocols overview, 671

protocols supported by IAS, 663–665

remotely managing wireless network, 348

selecting scope for users in trusts, 223–224

strategy for clients, 672

strong, 127

via SSL/TLS, 304, 305

for wireless networks, 328–336, 340

authentication data header, 261

Authentication Data, ESP authentication trailer, 263

authentication firewall, 224

Authentication Header (AH)

with ESP, 343

ESP vs., 259

function of, 339

IPSec modes and, 256–257, 260–261

IPSec packet protection with, 257–258

no confidentiality with, 263

authentication methods, 118, 254–255

authentication profiles, 658

authentication traffic digital signatures, 110–112

Author Mode, MMC, 201

authority delegation, 197–199

Authority Information Access (AIA), 168–169

authorization framework, IIS 6.0, 388–389

Authorization Manager snap-in, 533

authorization rules, role-based, 519

authorization, role-based, 519

auto-enrollment, CA, 181

Automated System Recovery (ASR)

backup set, creating, 596–598

backup set, described, 595

vs. Emergency Management Console/Recovery Console, 621

when to use, 625

automatic mode, IPSec driver, 279

Automatic Private IP Addressing (APIPA), 421

Automatic Teller Machine (ATM), 153

Automatic Updates, SUS, 632–633

autonomous system (AS), 420

autonomy, 488, 497–498

auto-static updates, 416