Microsoft ® Official Course Module 6 Implementing Network Security

Page 1

Microsoft® Official Course

Module 6

Implementing Network Security

Page 2

Module Overview

Overview of Threats to Network Security

Configuring Windows Firewall

Securing Network Traffic

Configuring Windows Defender

Page 3

Lesson 1: Overview of Threats to Network Security

Common Network Security Threats

What Is Defense-in-Depth?

Options for Mitigation of Network Security Threats

Page 4

Common Network Security Threats

• There are a variety of network security threats, but they fall into a small number of categories

• Common network-based security threats include:
  • Eavesdropping (capturing traffic in transit)
  • Denial-of-service (exhausting a host's or link's capacity so that legitimate users are refused)
  • Port scanning (probing which services a host exposes, usually as reconnaissance for a later attack)
  • Man-in-the-middle (interposing between two parties so that their traffic can be read or altered)

• Hacking is a generic term for any attempt to gain unauthorized access to, or subvert the intended behavior of, a computer system, program, or protective code

Page 5

What Is Defense-in-Depth?

Defense-in-depth uses a layered approach to security, which:
• Reduces an attacker's chance of success
• Increases an attacker's risk of detection

Layer: Example controls

Policies, Procedures, and Awareness: Security documents, user education

Physical Security: Guards, locks, tracking devices

Perimeter: Firewalls, Network Access Quarantine Control

Internal Network: Network segments, Internet Protocol Security (IPsec), Network Intrusion Detection System

Host: Hardening, authentication, update management, host-based intrusion detection system

Application: Application hardening, antivirus

Data: Access Control Lists, encryption, Encrypting File System, Digital Rights Management

Page 6

Options for Mitigation of Network Security Threats

Attack: Mitigations

Eavesdropping: IPsec, VPNs, intrusion detection

Denial-of-service: Firewalls, perimeter networks, IPsec, server hardening

Port scanning: Server hardening (disable unneeded services), firewalls

Man-in-the-middle: IPsec, DNSSEC

Virus, malicious code: Software updates, antivirus

It is important to implement a holistic approach to network security, so that a single loophole or omission in one control does not undo the protection that the other controls provide.

Page 7

Lesson 2: Configuring Windows Firewall

Network Location Profiles

Configuring Basic Firewall Settings

Windows Firewall with Advanced Security Settings

Well-Known Ports

Demonstration: Configuring Inbound and Outbound Rules

Page 8

Network Location Profiles

• The first time that your computer connects to a new network, Windows prompts you to select a network location for it

• There are three network location types:
  • Private networks (home or work networks you trust; network discovery and sharing are permitted)
  • Public networks (untrusted networks such as hotspots; the most restrictive firewall profile applies)
  • Domain networks (assigned automatically, not selected, when a domain-joined computer can contact a domain controller for its domain)

• The network location determines which Windows Firewall profile, and therefore which set of rules, is active on that connection

Page 9

Configuring Basic Firewall Settings

• Configure network locations

• Turn Windows Firewall on or off, and customize network location settings

• Add, change, or remove allowed programs

• Set up or modify multiple active profile settings

• Configure notifications for Windows Firewall
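The basic settings listed above (network location, firewall state per profile, default actions, allowed programs, notifications) can all be inspected and set from PowerShell with the NetConnection and NetSecurity modules that ship with Windows 8 and Windows Server 2012. The block below is an added example, not part of the course; the adapter name 'Ethernet' and the log file path are assumptions.

```powershell
# Added example (not from the course). Run in an elevated PowerShell session
# on Windows 8 / Windows Server 2012 or later.

# 1. Which network location profile is each adapter on right now?
Get-NetConnectionProfile | Select-Object InterfaceAlias, Name, NetworkCategory

# 2. Only Public and Private can be chosen by hand. DomainAuthenticated is
#    assigned automatically when a domain-joined computer can reach a domain
#    controller, so there is nothing to set for it. 'Ethernet' is an assumed
#    adapter name; take the real one from the output of step 1.
Set-NetConnectionProfile -InterfaceAlias 'Ethernet' -NetworkCategory Private

# 3. Harden all three firewall profiles: firewall on, unsolicited inbound
#    traffic blocked by default, outbound allowed, notify when a program starts
#    listening, and log dropped packets so that rule problems can be diagnosed.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -NotifyOnListen True `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 16384

# 4. Verify. Every profile should show Enabled=True and DefaultInboundAction=Block.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogBlocked

# 5. The "allowed programs" list: which executables do enabled inbound Allow
#    rules currently open up?
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Get-NetFirewallApplicationFilter |
    Where-Object { $_.Program -ne 'Any' } |
    Select-Object -ExpandProperty Program -Unique
```

On a domain member, values delivered by Group Policy override the local ones; `Get-NetFirewallProfile -PolicyStore ActiveStore` shows the settings that are actually in effect after both are merged.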

Page 10

Windows Firewall with Advanced Security Settings

Windows Firewall with Advanced Security filters incoming and outgoing connections based on its configuration:

• Use inbound rules to explicitly allow or block traffic that matches the rule's criteria

• Use outbound rules to explicitly allow or block traffic that originates from the computer and matches the rule's criteria

• Use connection security (IPsec) rules to secure traffic with IPsec while it crosses the network; these rules authenticate and protect traffic but do not by themselves allow it through the firewall

• Use the monitoring interface to view information about current firewall rules, connection security rules, and security associations

• Use the Properties page to configure firewall properties (state, default inbound and outbound action, logging) for the domain, private, and public network profiles, and to configure IPsec settings

When several rules match the same connection, the firewall applies them in a fixed order of precedence: authenticated-bypass rules, then block rules, then allow rules, then the profile's default action. A block rule therefore always wins over an allow rule for the same traffic, which matters when you try to "allow a few hosts and block the rest" on a single port.

Page 11

Well-Known Ports

When an application wants to establish communications with an application on a remote host, it creates a TCP or UDP socket. A socket is identified by an IP address and a port number; server applications listen on well-known ports so that clients know where to connect, and firewall rules are normally written in terms of those protocol and port pairs.

[Figure: the TCP/IP protocol suite on two communicating hosts. Link layer: Ethernet. Network layer: IPv4, IPv6, ARP, IGMP, ICMP. Transport layer: TCP, UDP. Application protocols with their well-known ports: HTTP (80), HTTPS (443), FTP (21), SMTP (25), DNS (53), POP3 (110), SNMP (161).]

Note which transport each service uses when writing rules: HTTP, HTTPS, FTP, SMTP, and POP3 use TCP; DNS uses UDP 53 and TCP 53; SNMP uses UDP 161.
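Before writing inbound rules it helps to know which ports the host is actually listening on, which well-known service each corresponds to, and which process owns the socket. The block below is an added example (not course material) that builds that inventory with the NetTCPIP cmdlets; the port-to-service table is the slide's list plus RDP (3389), which the labs revolve around. The OwningProcess property is assumed to be present (it is on Windows 8.1 and later; on Windows 8 `netstat -ano` gives the same port-to-PID mapping).

```powershell
# Added example (not from the course). Requires the NetTCPIP module
# (Windows 8 / Server 2012 or later); see the note above about OwningProcess.

$WellKnown = @{
    '21' = 'FTP'; '25' = 'SMTP'; '53' = 'DNS'; '80' = 'HTTP'; '110' = 'POP3'
    '161' = 'SNMP'; '443' = 'HTTPS'
    '3389' = 'RDP'   # not on the slide; added because the labs use Remote Desktop
}

function Get-ListeningExposure {
    # Listening TCP sockets and bound UDP endpoints, tagged with their transport.
    $tcp = @(Get-NetTCPConnection -State Listen |
        Select-Object @{ n = 'Proto'; e = { 'TCP' } }, LocalAddress, LocalPort, OwningProcess)
    $udp = @(Get-NetUDPEndpoint |
        Select-Object @{ n = 'Proto'; e = { 'UDP' } }, LocalAddress, LocalPort, OwningProcess)

    ($tcp + $udp) | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $key  = [string]$_.LocalPort      # hashtable keys above are strings
        [pscustomobject]@{
            Proto   = $_.Proto
            Address = $_.LocalAddress     # 0.0.0.0 or :: means bound on every interface
            Port    = $_.LocalPort
            Service = if ($WellKnown.ContainsKey($key)) { $WellKnown[$key] } else { '(not well-known)' }
            Process = if ($proc) { $proc.ProcessName } else { "PID $($_.OwningProcess)" }
        }
    } | Sort-Object Proto, Port, Address
}

# Full inventory of what this host exposes.
Get-ListeningExposure | Format-Table -AutoSize

# Rough triage: sockets bound on all interfaces whose port no enabled inbound
# rule names explicitly. Rules with LocalPort 'Any', 'RPC' or a range are not
# expanded here, so treat a hit as "look at this", not as proof of exposure.
$ruledPorts = Get-NetFirewallRule -Enabled True -Direction Inbound |
    Get-NetFirewallPortFilter |
    ForEach-Object { $_.LocalPort } |
    Where-Object { $_ -match '^\d+$' }

Get-ListeningExposure |
    Where-Object { $ruledPorts -notcontains [string]$_.Port -and $_.Address -in '0.0.0.0', '::' } |
    Format-Table -AutoSize
```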

Page 12

Demonstration: Configuring Inbound and Outbound Rules

In this demonstration, you will see how to:
• Configure an inbound rule
• Test the inbound rule
• Configure an outbound rule
• Test the outbound rule

Page 13

Lab A: Configuring Inbound and Outbound Firewall Rules

• Exercise 1: Creating an Inbound Firewall Rule
• Exercise 2: Creating an Outbound Firewall Rule

Logon Information
Virtual Machines: 20687B-LON-DC1, 20687B-LON-CL1, 20687B-LON-CL2
User Name: Adatum\Administrator
Password: Pa$$w0rd

Estimated Time: 20 minutes

Page 14

Lab Scenario

Remote Desktop is enabled on all client systems through a Group Policy Object (GPO). However, as part of your infrastructure security plan, you must configure certain desktop systems, such as the HR department systems, for limited exposure to remote connections. Before implementing the firewall rules in a GPO, you want to validate your plan by manually configuring the rules on local systems. Due to the sensitive nature of the data that could be on these systems, you decide to use firewall rules to prevent all but specific systems from connecting to them remotely. Additionally, certain helpdesk systems are not allowed to use the Remote Desktop Connection (MSTSC.exe) program to connect to certain servers. You decide to control this through local firewall rules that block outbound traffic on the client systems.
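The scenario's two requirements (inbound RDP to HR desktops only from a short list of stations; no outbound RDP from helpdesk clients to particular servers) map to one inbound and one outbound rule, which is also what the earlier demonstration walks through in the console. The block below is an added example, not the lab's own steps; the IP addresses are placeholders, and the rule names are my own.

```powershell
# Added example (not from the lab). Addresses are assumed placeholders. Run
# elevated: the first part on an HR desktop, the second on a helpdesk client.

$AdminStations = '172.16.0.10', '172.16.0.11'   # assumed: hosts allowed to RDP into HR desktops
$RestrictedSrv = '172.16.0.50'                  # assumed: server helpdesk clients must not RDP to
$Mstsc         = "$env:SystemRoot\System32\mstsc.exe"

# --- HR desktop: inbound RDP only from the admin stations --------------------
# Block rules take precedence over Allow rules, so "allow these two, block the
# rest" cannot be written as Allow + Block-any on the same port: the Block-any
# rule would also block the admin stations. Instead disable the broad
# predefined Remote Desktop rules and add one address-scoped Allow rule; every
# other source then falls through to the profile's default inbound action.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue

New-NetFirewallRule -DisplayName 'HR - RDP from admin stations only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $AdminStations -Action Allow -Profile Domain

# Check: is any other enabled inbound rule still opening 3389? A rule whose
# PolicyStoreSource is a GPO shows up here and cannot be disabled locally;
# that is the rule to scope when the plan is moved into Group Policy.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq '3389' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    Select-Object DisplayName, Action, Profile, PolicyStoreSource

# --- Helpdesk client: block outbound RDP from mstsc.exe to the restricted server ---
# The default outbound action is Allow, so an explicit Block rule is required.
New-NetFirewallRule -DisplayName 'Helpdesk - no RDP to restricted servers' `
    -Direction Outbound -Program $Mstsc -Protocol TCP -RemotePort 3389 `
    -RemoteAddress $RestrictedSrv -Action Block -Profile Domain

# Test the outbound rule: the connection attempt must fail, and with drop
# logging on for the profile the block appears in pfirewall.log.
Set-NetFirewallProfile -Profile Domain -LogBlocked True
Start-Process $Mstsc "/v:$RestrictedSrv"
Start-Sleep -Seconds 5
Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" -Tail 50 |
    Where-Object { $_ -match 'DROP' -and $_ -match [regex]::Escape($RestrictedSrv) -and $_ -match '3389' }

# Show the two rules the way the console's rule properties would.
Get-NetFirewallRule -DisplayName 'HR - *', 'Helpdesk - *' | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Dir     = $_.Direction
        Action  = $_.Action
        Ports   = "local $($pf.LocalPort) / remote $($pf.RemotePort)"
        Remote  = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        Program = ($_ | Get-NetFirewallApplicationFilter).Program
    }
} | Format-Table -AutoSize
```

To test the inbound rule, attempt an RDP connection from one of the admin stations (should succeed) and from any other host (should time out); on the HR desktop the refused attempt is logged as a DROP on destination port 3389 in the same log file.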

Page 15

Lab Review

• In your environment, where do you use workstation-based firewalls?

Page 16

Lesson 3: Securing Network Traffic

Benefits of IPsec

Using IPsec

Tools for Configuring IPsec

What Are IPsec Rules?

Configuring Authentication

Choosing an Authentication Method

Monitoring Connection Security

Demonstration: Configuring an IPsec Rule

Page 17

Benefits of IPsec

IPsec is a suite of protocols that allows secure, authenticated, and optionally encrypted communication between two computers over an unsecured network.

• IPsec has two goals: protecting packets (integrity and, optionally, encryption) and mutual authentication between systems

• Configuring IPsec on sending and receiving computers enables the two computers to send secured data to each other

• IPsec secures network traffic by using data signing (integrity and origin authentication) and encryption

• An IPsec policy defines the type of traffic that IPsec examines, how that traffic is secured and encrypted, and how IPsec peers are authenticated

Page 18

Using IPsec

Recommended uses of IPsec include:

• Packet filtering

• Authenticating and encrypting host-to-host traffic

• Authenticating and encrypting traffic to specific servers

• Providing L2TP/IPsec for VPN connections

• Site-to-site tunneling

• Enforcing logical networks

Page 19

Tools for Configuring IPsec

To configure IPsec, you can use:

• Windows Firewall with Advanced Security MMC (also used for Windows Server 2008 R2 and Windows 7)

• IP Security Policy MMC (used for mixed environments and to configure policies that apply to all Windows versions)

• Netsh command-line tool (the netsh advfirewall consec context)

• PowerShell NetSecurity module cmdlets (Windows 8 and Windows Server 2012 or later)

Page 20

What Are IPsec Rules?

Connection security rules involve:

• Authenticating two computers before they begin communications

• Securing information being sent between two computers

• Using key exchange, authentication, data integrity, and (optionally) data encryption

How firewall rules and connection security rules are related:

• Firewall rules allow traffic through, but do not secure that traffic

• Connection security rules can secure the traffic, but depend on a firewall rule to allow the traffic through the firewall

Page 21

Configuring Authentication

When using the Connection Security Rule Wizard to create a new rule, you use the Requirements page to choose one of the following:

Option: Description

Request authentication for inbound and outbound connections: Ask that all inbound and outbound traffic be authenticated, but allow the connection if authentication fails

Require authentication for inbound connections and request authentication for outbound connections:
• Inbound traffic must be authenticated or it is blocked
• Outbound traffic can be authenticated, but is allowed if authentication fails

Require authentication for inbound and outbound connections: Require that all inbound and outbound traffic be authenticated, or the traffic is blocked

In practice, deploy a new rule in Request mode first and use the monitoring node to see which peers never establish a security association; switching straight to Require cuts off every device that cannot authenticate, including printers and non-domain hosts.

Page 22

Choosing an Authentication Method

Method: Key Points

Default: Use the authentication method that you configure on the IPsec Settings tab.

Computer and User (Kerberos V5): You can request or require that both the user and the computer authenticate before communications can continue. Requires domain membership.

Computer (Kerberos V5): Request or require the computer to authenticate by using Kerberos V5. Requires domain membership.

User (Kerberos V5): Request or require the user to authenticate by using Kerberos V5. Requires domain membership.

Computer certificate: Request or require a valid computer certificate; requires at least one certification authority (CA). The "Only accept health certificates" option requests or requires a valid health certificate, which requires Network Access Protection (NAP) with IPsec enforcement.

Advanced: Configure any available method. You can specify methods for first and second authentication.

Page 23

Monitoring Connection Security

The Windows Firewall in Windows 8 incorporates IPsec; connection security rules and the security associations they produce are viewed under the Monitoring node of Windows Firewall with Advanced Security.

Options for using the IP Security Monitor:

• Modify the IPsec data refresh interval to update information in the console at a set interval

• Allow DNS name resolution for IP addresses to provide additional information about computers connecting with IPsec

• Computers can be monitored remotely: to enable remote management, set the EnableRemoteMgmt value under the HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent key to 1

• To discover the active security policy on a computer, examine the Active Policy node in the IP Security Monitor MMC

• Main Mode Monitoring shows the initial IKE exchange and the resulting main mode SA (information about the Internet Key Exchange)

• Quick Mode Monitoring shows the subsequent key exchanges related to IPsec (information about the IPsec driver)

Use the Connection Security Rules and Security Associations nodes to monitor IPsec connections. Security associations that you can monitor include:
• Main Mode
• Quick Mode

Page 24

Demonstration: Configuring an IPsec Rule

In this demonstration, you will see how to:
• Create a connection security rule
• Review monitoring settings in Windows Firewall

Page 25

Lab B: Configuring IPsec Rules

• Exercise 1: Creating and Configuring IPsec Rules

Logon Information
Virtual Machines: 20687B-LON-DC1, 20687B-LON-CL1, 20687B-LON-CL2
User Name: Adatum\Administrator
Password: Pa$$w0rd

Estimated Time: 20 minutes

Page 26

Lab Scenario

A. Datum uses many outside consultants. Management is concerned that a consultant who is on the company network might be able to connect to computers that they are not authorized to use.
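The scenario is the textbook case for a connection security rule that requires inbound authentication with the computer's Kerberos V5 identity: a consultant's laptop has no computer account in the domain, so it can never complete the main mode exchange, regardless of which address it uses. The block below is an added example, not the lab's own steps; it covers the Requirements page options, the authentication methods, and the monitoring nodes from the preceding slides, and the rule names are my own.

```powershell
# Added example (not from the lab). Run elevated on a domain-joined client
# such as the lab's LON-CL1 or LON-CL2; display names are assumptions.

# 1. Phase 1 (main mode) authentication: the computer's Kerberos identity.
#    Only a domain member holds a computer account, so a consultant's laptop
#    cannot complete IKE main mode and its packets are dropped before any
#    inbound firewall rule is evaluated.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Domain computers (Kerberos V5)' -Proposal $proposal

# 2. Connection security rule. "Require inbound, request outbound" is the
#    middle option on the wizard's Requirements page: this computer insists
#    that peers connecting to it authenticate, but can still reach hosts that
#    cannot (printers, non-Windows servers) when it is the initiator.
#    Roll out with -InboundSecurity Request first, watch which peers never
#    form a main mode SA, and only then switch to Require.
New-NetIPsecRule -DisplayName 'Require authenticated inbound connections' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name -Profile Domain

# 3. A connection security rule secures traffic but does not permit it; an
#    inbound firewall rule is still needed. Tying that rule to IPsec
#    (-Authentication Required) makes the allow depend on a successful
#    authentication instead of on a spoofable source address.
New-NetFirewallRule -DisplayName 'RDP - authenticated domain computers only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -Authentication Required -Action Allow -Profile Domain

# 4. Monitor. After another domain computer connects, a main mode SA (IKE,
#    carrying the peer's Kerberos identity) and a quick mode SA (the IPsec
#    driver's per-flow keys) appear. A consultant's host produces neither.
Get-NetIPsecMainModeSA  | Select-Object LocalEndpoint, RemoteEndpoint, LocalFirstId, RemoteFirstId
Get-NetIPsecQuickModeSA | Select-Object LocalEndpoint, RemoteEndpoint

# 5. Review the rule as the Connection Security Rules node will show it.
Get-NetIPsecRule -DisplayName 'Require authenticated*' |
    Select-Object DisplayName, InboundSecurity, OutboundSecurity, Phase1AuthSet, Profile
```

Do not apply a Require-inbound rule to domain controllers or to the DNS and DHCP servers that clients depend on: a client has to reach them first to obtain the Kerberos ticket the rule demands. The lab targets client computers only, which avoids that trap.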

Page 27

Lab Review

• In your environment, where do you use authenticated connections between workstation computers?

Page 28

Lesson 4: Configuring Windows Defender

What Is Windows Defender?

Scanning Options in Windows Defender

Demonstration: Configuring Windows Defender Settings

Page 29

What Is Windows Defender?

Windows Defender is software that helps protect the computer against security threats by detecting and removing known malware (viruses, spyware, and other malicious software); in Windows 8 it replaces Microsoft Security Essentials as the built-in antimalware product. It:

• Schedules scans to occur on a regular basis

• Provides configurable responses to severe, high, medium, and low alert levels

• Provides customizable options to exclude files, folders, and file types (keep exclusions as narrow as possible; an excluded folder is also a place where malware can hide)

• Works with Windows Update to automatically install new malware definitions

Page 30

Scanning Options in Windows Defender

Scan results display on the Home page.

You define when to scan: a scheduled scan has a frequency (daily or a day of the week), an approximate time, and a scan type.

You define scan options:

Option: Description

Scan archive files: Include any archive files, such as .zip or .cab files

Scan removable drives: Include removable drives, such as USB flash drives, when running a full scan

Create a system restore point: Create a system restore point before removing, running, or quarantining detected items

Allow all users to view the full History results: Allow all users of this PC to see all detected items on the History tab

Remove quarantined files after <time>: Quarantined files remain disabled until you allow or remove them. The default time is one month

Scan Type: Description

Quick scan: Scan the areas of the computer that are most likely to be infected

Full scan: Scan all areas of the computer

Custom scan: Scan specific areas of the computer only

Page 31

Demonstration: Configuring Windows Defender Settings

In this demonstration, you will see how to:
• Perform a quick scan
• Test malware detection
• Examine the Windows Defender History

Page 32

Lab C: Configuring Host-Based Virus and Malware Protection

• Exercise 1: Configuring Windows Defender

Logon Information
Virtual Machines: 20687B-LON-DC1, 20687B-LON-CL1
User Name: Adatum\Administrator
Password: Pa$$w0rd

Estimated Time: 10 minutes

Page 33

Lab Scenario

You are planning to use Windows Defender to check for malicious files every day. You also want to ensure that Windows Defender will quarantine any files that it considers a severe risk to your system's security.
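The lab's two requirements (a daily scan; automatic quarantine of severe threats) are made in the Windows Defender UI on the lab's Windows 8 clients. The block below is an added example, not the lab's own steps, showing the same configuration and the verification a practitioner would run from PowerShell. It uses the Defender module, which shipped with Windows 8.1; on Windows 8 itself the settings are made in the UI and scans can be started with MpCmdRun.exe, shown at the end. The schedule time and purge interval are my choices.

```powershell
# Added example (not from the lab). Requires the Defender PowerShell module
# (Windows 8.1 or later). Run elevated.

# 1. Daily quick scan at 02:00; severe and high threats quarantined without
#    prompting; quarantine purged after 30 days (the UI default is one month);
#    archives and removable drives included in scans.
Set-MpPreference -ScanScheduleDay Everyday `
                 -ScanScheduleTime '02:00' `
                 -ScanParameters QuickScan `
                 -SevereThreatDefaultAction Quarantine `
                 -HighThreatDefaultAction Quarantine `
                 -QuarantinePurgeItemsAfterDelay 30 `
                 -DisableArchiveScanning $false `
                 -DisableRemovableDriveScanning $false

# 2. Verify the effective preferences, including any exclusions already set.
Get-MpPreference | Select-Object ScanScheduleDay, ScanScheduleTime, ScanParameters,
    SevereThreatDefaultAction, HighThreatDefaultAction, QuarantinePurgeItemsAfterDelay,
    DisableArchiveScanning, DisableRemovableDriveScanning, ExclusionPath, ExclusionExtension

# 3. Definition freshness and last scan time (what "works with Windows Update" delivers).
Get-MpComputerStatus | Select-Object AntivirusSignatureLastUpdated, AntivirusSignatureVersion,
    QuickScanStartTime, RealTimeProtectionEnabled

# 4. Run a quick scan now and review the History: what was detected, and
#    whether the configured action succeeded.
Start-MpScan -ScanType QuickScan
Get-MpThreatDetection | Select-Object InitialDetectionTime, ThreatID, ActionSuccess, Resources
Get-MpThreat          | Select-Object ThreatName, SeverityID, DidThreatExecute

# Windows 8 equivalents (no Defender module):
# & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Scan -ScanType 1    # quick scan
# & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -SignatureUpdate
# & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Restore -ListAll    # list quarantine
```

The slides do not say how the demonstration's "test malware detection" step is performed; the industry-standard harmless way is the EICAR test file, which any current definition set detects and which exercises the quarantine action configured above without involving real malware.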

Page 34

Lab Review

• In your environment, how often are your client computers infected with malware?

Page 35

Module Review and Takeaways

• Review Questions
• Tools
• Best Practice