Session 9 Tp 9

Microsoft Windows Server 2003 Network Infrastructure – Planning and Maintenance/ Session 9 / Slide 1 of 38

Session 9

Planning a Secure Baseline

Installation


Windows Server 2003 provides two tools to analyze the server performance: Performance Console Network Monitor

The types of counter logs are: trace counter Alert

Review


Review Contd… Two filters provided by the Network monitor are

Capture Filter Display Filter

Network services are applications that always run in the background

Four services that enable us to monitor the network server are: DHCP DNS WINS Routing and Remote Access


Review Contd… DNS server hosts the information that

enables client computers to resolve memorable, alphanumeric DNS names to the IP addresses that computers use to communicate with each other

WINS uses a distributed database that is automatically updated with the names of computers currently available and the IP address assigned to each one


Objectives Select Computers on a Network Select Operating System in Network Discuss security issues Set permissions Work with Group Policy Object Explain domain controller Secure servers


Selecting Computers in a Network

Each machine in a network performs a certain role

Standardizing the hardware and software depending on the roles of computer in the network enables: Administration of several computers

manageable in a network Easier to troubleshoot the network

Computers in a network are classified as: Server Desktop Workstation Portable Workstation


Server Server is a centralized computer in a network

which performs different roles on a network Server is a computer having a faster processor,

larger memory size, and hard disk space Depending on the roles servers on a network

are classified as follows: Backup server Database server Domain Controller Web server

E-mail server File and Print server Infrastructure server


Hardware Specifications for the Server

Depends on the requirements and capabilities of the applications that will be running on the server

Computers designed to be a server usually have more robust power supplies than personal computers or workstations


Desktop Desktop workstation can have a wide

range of roles ranging from simple systems designed to run one or two small applications to high-powered computers performing complex graphics, video and computer-aided functions

Workstation may work without CD-ROM and floppy disk drives. Such workstation cannot install their own applications.


Hardware Specifications for the Desktop

While designing the hardware specifications for a desktop workstation, the objective is to create hardware specifications suitable for a wide variety of jobs


Selecting Operating System

While selecting the operating system in a network, we must match up it with the hardware specifications

Some of the important factors are as follows: Application Compatibility Support issues Security features Cost


Security Design Team Security team must be a well balanced team

consisting of people from technical, management, and financial backgrounds

Security team should consider the following issues: Identifying the most valuable resources Identifying danger to the resources Significant resources Analyzing different security resources available Deciding the security features Impact of the security features on the administrator,

managers, and the users


Security Life Cycle The security life cycle consists of the

following: Security Infrastructure

Access Control Auditing Authentication Encryption Firewalls

Implementation of security features Security Management


Managing Security Managing the security in a network is

continuous process Network must after a certain period of time

the network according to the latest technology available

Administrator must monitor the user accounts Network traffics must be maintained If several users on a network try to access the

network, sometimes the network may crash due to heavy traffic


Modifying Permissions of a File or Folder

We can set different permissions for a file

File permissions serve as an important security tool on a network


Sharing File Permissions We can assign

permissions to the desired group or users

When the Windows 2003 operating system is installed, the windows share program creates administrative share by default


Registry Permissions Registry gets modified

when we install different applications

Registry also gets modified if we configure the operating system

We can also manually edit this registry

Administrator has the rights to modify the contents of the registry


Group Policy Object Group policy Object enables

us to configure the security parameters

It performs the functions such as distributing new software for configuring system settings and remapping directories

Group Policy Object is associated with an Active Directory container object


Event Log Event log enables us to control the log

performance


System Services Certain programs are

continuously running at the background

Windows 2003 assigns default values to the services


Domain Controller Requires more security, as the failure of domain

controller may be a disaster to the network Performs the following functions:

Provides authentication Stores group policies Distributes group policies

To provide security these domain controllers must be in a secured location

We must provide a password for domain controller, so that unauthorized users will not get access to the domain controller


Debug Programs Debug Programs provides a

debugging tool This tool enables the

software developers to debug applications during process of creating

It enables us to access any process on the computer. We can even access the kernel of the operating system.


Services for a Domain Controller

Domain controller requires additional services along with the member services

These services are as follows: Distributed file system File replication service Intersite messaging Kerberos key distribution center Remote procedure call locator


Adding Workstations to the Domain

Authenticated users have the rights to add computers to the domain up to 10 ten computers to an Active Directory


Allow Log On Locally Facilitates users and groups to log

on the computer from the console Users having this right also have

the right to access some of the important operating system elements


Shut Down the Domain Controller

It is necessary to carefully shut down the system as this would affect the systems over the network

Default Domain Controller grants this right to the following groups: Administrators Backup operators Print operators Server operators


Securing Infrastructure Servers

Infrastructure servers are the computers that run network support services such as, DNS, DHCP, and Windows Internet Name Service.

Services that we must include using the automatic startup type are as follow: DHCP server DNS server NT LM security support provider Windows internet name service


Configuring DNS Security DHCP servers centrally manage IP

addresses and related information and provide it to clients automatically

If you want this computer to distribute IP addresses to clients, then configure this computer as a DHCP server


Protecting Active Directory-Integrated DNS

When we create Active Directory-integrated zones on the DNS server, the zone database is stored as part of the Active Directory database

Groups such as, DnsAdmins, Domain Admins, and Enterprise Admins groups have full permission for the MicrosoftDNS container


Protecting DNS Database Files

Active Directory does not have all the DNS zones integrated. For such DNS zones the zone databases are simple text files.

System creates DNS logs files There are no file system permissions to

maintain the DNS zone databases using the DNS zone databases using the DNS console or for accessing DNS server information using a client


Configuring DHCP Security Several techniques can be used

against denial of service attacks, they are as follows: Use the 80/20 address allocation

method Create a DHCP server cluster


Monitoring DHCP Activity We are able to monitor the activity of a

DHCP sever with the help of different tools Performance console and Network Monitor

tools enables to monitor the activity of the DHCP server

Windows 2003 server operating system directly integrates the DHCP audit log facility. We can enable DHCP audit logging using group policies.


Summary We can categorize the computers in a

network as follows: Server Desktop workstation Portable workstation

While selecting the operating systems consider the following: Application compatibility Support issues Security features Cost


Summary Contd… The security team should identify the

following issues: Identify the most valuable resources Identify danger to the resources Analyze different security resources

available Decide the security features Impact of the security features on the

administrator, managers, and the users


Summary Contd… File permissions serve as an important

security tool on a network. Suppose that an organization stores the information of a customer in a particular file.

Registry of windows gets modified when we install different applications. It also gets modified if we configure the operating system.


Summary Contd… Group policy Object enables us to

configure the security parameters We can configure the Windows Server

2003 operating system to audit the events

Active directory permission enables us to modify the permissions for accessing and managing objects in the Active Directory database


Summary Contd… Most important server on the windows

2003 server operating system using the active Directory is the domain controllers

Domain controller requires more security, as the failure of domain controller may be a disaster to the network


Summary Contd… Authenticated users have the rights to

add computers to the domain. They can add up to 10 ten computers to an Active Directory

Infrastructure servers are the computers that run network support services such as, DNS, DHCP, and Windows Internet Name Service

Technology

Session 9 Tp 9