ExamInsight For Designing Security for a Microsoft Windows 2000 Network Examination 70-220
CD-ROM practice exam provided by BeachFrontQuizzer, Inc., Friendswood, Texas
Author: Patrick Simpson MCNE, MCNI, MCSE+I, MCT
Published by TotalRecall Publications, Inc., 1103 Middlecreek, Friendswood, TX 77546, 281-992-3131
NOTE: THIS BOOK IS GUARANTEED: See details at www.TotalRecallPress.com
TotalRecall Publications, Inc. This book is sponsored by BeachFront Quizzer, Inc.
Copyright 2003 by TotalRecall Publications, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic or mechanical, or by photocopying, recording, or otherwise, without the prior permission of the publisher. The views expressed in this book are solely those of the author, and do not represent the views of any other party or parties.
Printed in the United States of America. Printed and bound by Data Duplicators of Houston, Texas. Printed and bound by Lightning Source, Inc. in the USA and UK.
ISBN: 1-59095-607-9 UPC: 6-43977-02220-2
The sponsoring editor is Bruce Moran and the production supervisor is Corby R. Tate.
Worldwide eBook distribution by:
This publication is not sponsored by, endorsed by, or affiliated with Microsoft, Inc. The Windows® 2000 and MCSE™ Microsoft logos are trademarks or registered trademarks of Microsoft, Inc. in the United States and certain other countries. All other trademarks are trademarks of their respective owners. Throughout this book, trademarked names are used. Rather than put a trademark symbol after every occurrence of a trademarked name, we use the names in an editorial fashion only and to the benefit of the trademark owner. No infringement on trademarks is intended.
Disclaimer Notice: Judgments as to the suitability of the information herein for the purchaser's purposes are necessarily the purchaser's responsibility. BeachFront Quizzer, Inc. and TotalRecall Publications, Inc. extend no warranties, make no representations, and assume no responsibility as to the accuracy or suitability of such information for application to the purchaser's intended purposes or for the consequences of its use.
This book is dedicated to my wife Joy, and my children Lucas, Bethany and Alexander, for their patience and support. Thanks also to Bruce for the encouragement and support. Lastly, but mostly, thanks be to God, from Whom all gifts proceed.
Patrick Simpson
ExamInsight™ For Designing Security for a Microsoft® Windows® 2000 Network Examination 70-220, by Patrick Simpson MCNE, MCNI, MCSE+I, MSCE, MCT, with Contributing Author Chris Timmons
About the Author
Patrick Simpson is a Microsoft MCSE, MCSE+I, MCT and a Novell Master CNE and Master CNI. He has been a Microsoft Certified Trainer for five years and has been working in the IT industry for approximately 9 years, specializing in network consulting and technical education. Patrick has written numerous certification study aids for both Microsoft Windows 2000 exams and Novell certification exams. Pat is married, has three children, and is currently working for a technical consulting/education company in Green Bay, WI.
About the Contributing Author
Chris Timmons is a Network Security Architect and Systems Administrator. He has worked in various fields for several years, specializing in Information Systems and Physical Security systems for several larger national and international firms. He has written several papers covering various aspects of security. Chris is married and is currently the owner of a technical consulting firm in Ottawa, Ontario, Canada.
About The Book
Part of the InsideScoop to IT Certification Series, this new Self Help and Interactive Exam Study Aid with CD-ROM practice testing material is now available for candidates preparing to sit the Microsoft 70-220 Designing Security for a Microsoft® Windows® 2000 Network certification exam. The book covers the information associated with each of the exam topics in detail and includes information found in no other book. Using the book will help readers determine if they are ready for the Microsoft 70-220 Designing Security for a Microsoft® Windows® 2000 Network certification exam. Each chapter in this book includes a pre- and post-assessment quiz to measure comprehension of each topic. This book explains the concepts in a clear and easy-to-understand manner to help you not only pass the exam, but also apply the knowledge later in a real-world situation. Chapter summaries help wrap up each topic. The large glossary at the end of the book provides a review of essential exam-related terms and concepts that will prove invaluable just before taking the exam. Helpful tips and time management techniques will alleviate pre-exam jitters and put you in control. For implementing Windows 2000 security in a production environment, tips on pre-installation, workstation tuning, application tuning, registry hacks, and maintenance techniques are included.
Save $20! The special offer for this book is our exclusive BeachFront Quizzer, Inc. CD-ROM test engine, which creates randomized simulated exams drawn from a database of 18 case studies with 220+ sample exam questions. The practice exams are written to mimic the real exam, and you also get complete answers and explanations plus a detailed scoring summary showing test results at the end of each practice exam.
NOTE: THIS BOOK IS GUARANTEED: See details at www.bfqpress.com
Introduction
One of the first things I noticed about the Microsoft Official Curriculum is the distinct separation between taking the exams and the actual implementation afterwards. Nothing is ever as clearly defined. It is never as simple as it may seem. The first thing my first instructor ever said to me was to forget everything I was about to learn as soon as I left the classroom. I have never heard a statement make such a demoralizing impact upon students. People begin to question the value of the information being presented. Attention spans plummet. Communication and interaction between mentor and students take a nosedive. People immediately begin to memorize information and dump it rather than trying to absorb this information and relate it to the workplace. Sound familiar? This book goes beyond the classroom! You will find very valuable information relating to the real world of Windows 2000 security here, and you can keep it on your shelf as reference material.
A quick overview of this book's chapters:
Chapter 1: Analyzing Business Requirements ... 1
Chapter 2: Analyzing Technical Requirements ... 43
Chapter 3: Analyzing Security Requirements ... 65
Chapter 4: Designing a Security Solution ... 87
Chapter 5: Designing Security Access Between Networks ... 133
Chapter 6: Designing Security Communication Channels ... 153
Chapter 7: Scenario Concepts with Practice Questions ... 175
Appendix A ... 227
Index ... 275
Money Back Book Guarantee ... 279
Microsoft 70-220 Practice Exam Offer ... 280
Table of Contents
About the Author ... VIII
About the Contributing Author ... IX
About The Book ... X
Introduction ... XI
Forward ... XIV
70-220 Exam Specifications ... XV
Networking Terminology ... XXII

Chapter 1: Analyzing Business Requirements ... 1
  I Introduction ... 2
    Getting Ready - Questions ... 3
    Getting Ready - Answers ... 4
  II Analyzing the Business Models ... 5
    The Company Model and Geographical Scope ... 5
    Regional Model ... 5
    National Model ... 5
    International Model ... 6
    Subsidiaries ... 6
    Branch Offices ... 6
    Pop Quiz 1.1 ... 7
  III Analyzing the Company Process ... 9
    Information Flow Process ... 9
    Communication Flow Process ... 9
    The Product Life-Cycle Process ... 10
    Decision Making Process ... 10
    Pop Quiz 1.2 ... 11
  IV Analyze Organizational Structures ... 13
    Management Model ... 13
    Company Organization ... 14
    Vendors/Partners/Customer Relations ... 14
    Acquisition Plans ... 15
    Pop Quiz 1.3 ... 15
  V Analyzing Company Strategies ... 17
    Company Priorities ... 17
    Company Projected Growth and Growth Strategy ... 17
    Relevant Laws and Regulations ... 18
    The Company's Tolerance for Risk ... 18
    Total Cost of Operations ... 19
    Pop Quiz 1.4 ... 19
  VI Business and Security Requirements ... 21
    Business Requirements for the End User ... 21
    Security Requirements for the End User ... 22
    Pop Quiz 1.5 ... 23
  VII Analyze the Structure of IT Management ... 25
    Centralized Administration ... 25
    Decentralized Administration ... 25
    The Funding Model ... 26
    Outsourcing ... 26
    The Decision Making Process ... 26
    The Change Management Process ... 27
    Pop Quiz 1.6 ... 27
  VIII Analyzing the Company's Current Model ... 29
    Physical Model ... 29
    Information Security Model ... 29
  IX Analyze Security Risks ... 30
    Pop Quiz 1.7 ... 31
  X Chapter 1: Summary ... 33
  XI Chapter 1: Post-Assessment (Answers appear in Appendix A.) ... 35

Chapter 2: Analyzing Technical Requirements ... 43
  I Introduction ... 44
    Information ... 44
    Getting Ready - Questions ... 45
    Getting Ready - Answers ... 46
  II Evaluate Company Technical Environment ... 47
    Company Size, User, and Resource Distribution ... 47
    Geographic Work Sites and Remote Sites Connectivity ... 47
    Net Available Bandwidth ... 48
    Performance Requirements ... 48
    Methods for Accessing Data and Systems ... 48
    Network Roles and Responsibilities ... 49
      Administrative Network Roles and Responsibilities ... 49
      User Network Roles and Responsibilities ... 49
      Service Network Roles and Responsibilities ... 50
      Resource Ownership Network Roles and Responsibilities ... 50
      Application Network Roles ... 50
    Pop Quiz 2.1 ... 51
  III Analyze the Security Design ... 53
    Systems and Applications ... 53
    Planned Upgrades and Rollouts ... 54
    Technical Support Structure ... 54
    Planned Network and Systems Management ... 54
    Pop Quiz 2.2 ... 55
  IV Chapter 2: Summary ... 57
  V Chapter 2: Post-Assessment (Answers appear in Appendix A.) ... 59

Chapter 3: Analyzing Security Requirements ... 65
  I Introduction ... 66
    Information ... 66
    Getting Ready - Questions ... 67
    Getting Ready - Answers ... 68
  II Design a Security Baseline ... 69
    Domain Controllers ... 70
    Operations Masters ... 70
    Application Servers ... 71
    File and Print Servers ... 71
    RAS Servers ... 71
    Desktop Computers ... 71
    Portable Computers ... 72
    Kiosks ... 72
    Pop Quiz 3.1 ... 73
  III Identify Resource Security ... 75
    Printers ... 75
    Files ... 75
    Shares ... 76
    Internet Access ... 77
    Dial-in Access ... 77
    Pop Quiz 3.1 ... 78
  IV Chapter 3: Summary ... 79
  V Chapter 3: Post-Assessment (Answers appear in Appendix A.) ... 81

Chapter 4: Designing a Security Solution ... 87
  I Introduction ... 88
    Information ... 88
    Getting Ready - Questions ... 89
    Getting Ready - Answers ... 90
  II Design an Audit Policy ... 91
    What is an Audit Policy ... 91
    Where to Start ... 91
    Things to Audit ... 92
    Pop Quiz 4.1 ... 93
  III Design a Delegation of Authority Strategy ... 95
    What is an Authority Strategy ... 95
    How do I Start the Design ... 95
    Suggested Authority Strategies ... 96
    Pop Quiz 4.2 ... 97
  IV Designing Security Policies ... 99
    What is a Security Policy ... 99
    Where do I Start the Design ... 99
    Security Policies for Sites ... 100
    Security Policies for Domains ... 100
    Security Policies for Organizational Units ... 100
    Pop Quiz 4.3 ... 101
  V Design an Authentication Strategy ... 103
    What are the Authentication Methods ... 103
    Certificate Based Authentication Method ... 103
    Kerberos Authentication Method ... 103
    Clear Text Passwords Method ... 103
    Digest Authentication Method ... 104
    Smart Card Authentication Method ... 104
    NTLM Authentication Method ... 104
    RADIUS Authentication Method ... 104
    SSL Authentication Method ... 104
    TLS (Transport Layer Security) ... 105
    Pop Quiz 4.4 ... 105
  VI Design a Security Group Strategy ... 107
    Designing a Security Group ... 107
    Security Group ... 107
    Manage Security Group ... 108
    Integrate Security Group with Other Domains ... 108
    Pop Quiz 4.5 ... 109
  VII Design a Public Key Infrastructure ... 111
    Where do I Start ... 111
    Certificate Authority (CA) Hierarchies ... 111
    Certificate Server Roles ... 111
    Manage Certificates ... 112
    Integrating with Third-Party CAs ... 112
    Map Certificates ... 112
    Pop Quiz 4.6 ... 113
  VIII Windows 2000 Network Services Security ... 115
    Where to Start the Design ... 115
    Windows 2000 DNS Security Designs ... 115
    Windows 2000 Remote Installation Services (RIS) Security Design ... 115
    Windows 2000 SNMP Security Design ... 116
    Windows Terminal Server Security Designs ... 116
    Pop Quiz 4.7 ... 117
  IX Chapter 4: Summary ... 119
  X Chapter 4: Post-Assessment (Answers appear in Appendix A.) ... 121

Chapter 5: Designing Security Access Between Networks ... 133
  I Introduction ... 134
    Information ... 134
    Getting Ready - Questions ... 135
    Getting Ready - Answers ... 136
  II Secure Access to Public and Private Networks ... 137
    What is a Public Network ... 137
    What is a Private Network ... 137
    Difference between Public and Private Networks ... 137
    Pop Quiz 5.1 ... 139
  III Provide External Users with Secure Access ... 141
    Who is an External User ... 141
    Secure Access ... 141
  IV Secure Access Between Private Networks ... 142
    Secure Access within a LAN ... 142
    Secure Access within a WAN ... 142
    Secure Access across a Public Network ... 142
    Pop Quiz 5.2 ... 143
  V Chapter 5: Summary ... 146
  VI Chapter 5: Post-Assessment (Answers appear in Appendix A.) ... 147

Chapter 6: Designing Security Communication Channels ... 153
  I Introduction ... 154
    Information ... 154
    Getting Ready - Questions ... 155
    Getting Ready - Answers ... 156
  II Design an SMB-Signing Solution ... 157
    SMB Signing Solution ... 157
    Pop Quiz 6.1 ... 159
  III Design an IPSec Solution ... 161
    The IPSec Encryption Scheme ... 161
    The IPSec Management Strategy Design ... 161
    Negotiation Policies ... 162
    Security Policies ... 162
    IP Filters ... 163
    Security Levels ... 163
    Pop Quiz 6.2 ... 164
  IV Chapter 6: Summary ... 166
  V Chapter 6: Post-Assessment (Answers appear in Appendix A.) ... 168

Chapter 7: Scenario Concepts with Practice Questions ... 175
  I Introduction ... 175
  II BFQ - Supreme Division ... 176
  III BFQ - ExGovern Division ... 186
  IV BFQ - ProTax Division ... 192
  V BFQ - Excel Division ... 198
  VI BFQ - ABC Toys Division ... 206
  VII BFQ - MediAssociate ... 212
  VIII BFQ - Kellok Division ... 218
  IX Chapter 7: Summary ... 226

Appendix A ... 227
  Chapter 1: Answers ... 227
  Chapter 2: Answers ... 232
  Chapter 3: Answers ... 236
  Chapter 4: Answers ... 239
  Chapter 5: Answers ... 244
  Chapter 6: Answers ... 248
  Chapter 7: Answers ... 252
    Chapter 7: Scenario II: BFQ - Supreme Division ... 252
    Chapter 7: Scenario III: BFQ - ExGovern Division ... 256
    Chapter 7: Scenario IV: BFQ - ProTax Division ... 258
    Chapter 7: Scenario V: BFQ - Excel Division ... 260
    Chapter 7: Scenario VI: BFQ - ABC Toys Division ... 264
    Chapter 7: Scenario VII: BFQ - MediAssociate ... 268
    Chapter 7: Scenario VIII: BFQ - Kellok Division ... 271

Index ... 275
Money Back Book Guarantee ... 279
Microsoft 70-220 Practice Exam Offer ... 280
Forward
The purpose of this study guide is to supply you with the information required to pass the Windows 2000 70-220 certification exam. The 70-220 examination is one of the Microsoft Windows 2000 elective exams in a series of certifications that can be acquired. Once you have passed this exam, you are considered to be an industry professional with expert knowledge of Windows 2000 security.
Security is not a one-time initiative. It is a steady, ongoing process that must be reviewed and changed consistently over the entire lifespan of a network as it evolves. Windows 2000 lends itself to that by being the most flexible and scalable operating system Microsoft has ever developed. This exam guide will familiarize you with these methods and with Microsoft's exam approach.
It is assumed that the reader has a basic understanding of Windows 2000 security. Do not expect to pass if you are not properly prepared. You should also know that if you take the exam a second time, you can expect a completely different selection of questions; Microsoft uses a rather large pool from which to randomly select questions.
To retain in memory as much of the knowledge in this book as possible for testing purposes, you should first read the Objectives to get familiar with the section, answer the Assessment questions to see which areas you are weak in, read each section thoroughly, and answer all of the Review questions correctly before going on to the next section. I also highly recommend that you use a non-production Windows 2000 Workstation and Server network to follow along with each section of the book, to physically see and perform the actions described. Then use the BeachFront Quizzer testing media to solidify what you have learned and to prepare you for taking and passing the exam.
70-220 Exam Specifications
Exam 70-220: Designing Security for a Microsoft Windows 2000 Network
http://www.microsoft.com/traincert/exams/70-220.asp
Information you will find in Microsoft's document includes the following.
Credit Toward Certification
When you pass the Designing Security for a Microsoft® Windows® 2000 Network exam, you achieve Microsoft Certified Professional status. You also earn credit toward the following certification:
• Core or elective credit toward Microsoft Certified Systems Engineer on Microsoft Windows 2000 certification
Audience Profile
Candidates for this exam operate in medium to very large computing environments that use the Windows 2000 network operating system. They have a minimum of one year's experience designing network infrastructures in environments that have the following characteristics:
• Supported users range from 200 to 26,000+
• Physical locations range from 5 to 150+
• Typical network services and applications include file and print, database, messaging, proxy server or firewall, dial-in server, desktop management, and Web hosting.
• Connectivity needs include connecting individual offices and users at remote locations to the corporate network and connecting corporate networks to the Internet.
Skills Being Measured
This certification exam tests the skills required to analyze the business requirements for security and design a security solution that meets those requirements. Security includes:
• Controlling access to resources
• Auditing access to resources
• Authentication
• Encryption
Analyzing Business Requirements
The initial phase of designing security for a company or an organization involves gathering business information about the company: its locations, connectivity and processes, and issues such as product life cycles, the company's tolerance for risk and how the company identifies costs. In gathering this information there are no decisions to be made; rather, the designer/consultant is looking for issues that will help in weighing recommendations later in the design process. The designer needs to understand the IT department and how management is currently performed, how decisions are made, and the physical connectivity used between locations. In addition, the future plans of the company or organization in each of these areas need to be clarified, so that any design recommendations can accommodate them. While much of this information gathering is not technical in nature, these issues in many cases will affect the security recommendations and aspects of the final design.
• Analyze the existing and planned business models.
• Analyze the company model and the geographical scope. Models include regional, national, international, subsidiary, and branch offices.
• Analyze company processes. Processes include information flow, communication flow, service and product life cycles, and decision-making.
• Analyze the existing and planned organizational structures. Considerations include management model; company organization; vendor, partner, and customer relationships; and acquisition plans.
• Analyze factors that influence company strategies.
• Identify company priorities.
• Identify the projected growth and growth strategy.
• Identify relevant laws and regulations.
• Identify the company's tolerance for risk.
• Identify the total cost of operations.
• Analyze business and security requirements for the end user.
• Analyze the structure of IT management. Considerations include type of administration, such as centralized or decentralized; funding model; outsourcing; decision-making process; and change-management process.
• Analyze the current physical model and information security model.
• Analyze internal and external security risks.
Analyzing Technical Requirements
This set of objectives is still consulting in nature, providing the designer with additional background information that affects the eventual design recommendations for the client company. The sheer size of the company, the number of users and the distribution of resources, such as DHCP or DNS servers, web servers and the like, must be considered when building a security design. When the resources are accessed, how much bandwidth is available and for how long a resource is accessed will lead the designer to consider certain solutions and discard others. Windows 2000 Active Directory provides the designer with many variations on the rights users may be given and the types of administrators that may be created. Existing systems and applications may be impacted by recommendations, and so changes may be necessary in this area. For instance, the DNS that supports Windows 2000 Active Directory must support SRV records, something that older DNS servers often do not. Rollouts and upgrades may not proceed as planned, depending upon which security measures are put in place. Companies use a mix of support personnel, both internal and contractor. The security design will have to consider the training needs and the roles that each of these administrators will play after implementation. Network and systems management may be affected by the security design: software packages in use may need to be replaced or upgraded, and some management practices may no longer be possible in the newly secured network. The systems must allow for flexibility and growth, such as acquisitions. All of these issues add to the richness and complexity of the security design, challenging the designer to balance many issues in the design process.
• Evaluate the company's existing and planned technical environment.
• Analyze company size and user and resource distribution.
• Assess the available connectivity between the geographic location of work sites and remote sites.
• Assess the net available bandwidth.
• Analyze performance requirements.
• Analyze the method of accessing data and systems.
• Analyze network roles and responsibilities. Roles include administrative, user, service, resource ownership, and application.
• Analyze the impact of the security design on the existing and planned technical environment.
• Assess existing systems and applications.
• Identify existing and planned upgrades and rollouts.
• Analyze technical support structure.
• Analyze existing and planned network and systems management.
Analyzing Security Requirements
The implementation of Active Directory adds tremendous capability for securing the computers in a Windows 2000 network. Security settings for computers can be created using the security templates provided by Microsoft, by adding the incremental security templates, or by creating custom templates. The settings can then be applied to multiple computers by placing the computers in Active Directory containers and using Group Policy objects to push the security template settings to them. It is important to identify the different roles that the various Windows computers play in the network. Clearly domain controllers have different security requirements than file servers do, just as laptops carry different risks than kiosks. Each resource must be evaluated in terms of its security needs. Shares, files, and printers are all examples of common resources in a network environment. Each resource has to be identified, and the associated security risks and countermeasures recommended. For many of these resources, Active Directory containers or group nesting will provide the focal point of access, and the resource itself will carry a DACL (discretionary access control list) that provides the interface for setting permissions.
• Design a security baseline for a Windows 2000 network that includes domain controllers, operations masters, application servers, file and print servers, RAS servers, desktop computers, portable computers, and kiosks.
• Identify the required level of security for each resource. Resources include printers, files, shares, Internet access, and dial-in access.
Designing a Windows 2000 Security Solution
While security design begins in the earlier sections, with the discovery of information describing the client company or organization, the process of linking security solutions with needs begins in this section. This section examines the major areas of security in Windows 2000 and in each area seeks to clarify the purpose and scope of the security solution. We begin by looking at auditing, move on to delegation of authority and then look more closely at security policies, both account policies and Group Policies. From there we look at the different authentication solutions available in Windows 2000, clarifying the use for each, and the basics of each. We move on to security groups, the basis for organizing user accounts and granting access in a Windows 2000 network, then to PKI, especially Certificate Services in Windows 2000. After detailing the other security solutions that rely upon Certificate Services, we close by looking at the Windows 2000 services that need additional attention to ensure their security: DNS, RIS, SNMP and Terminal Services. Much of the detail in each of these areas is presumed to be already known; it is the job of the designer to know which solution to recommend for different situations, and to be aware of the larger, company-wide impact of each solution. The focus here is matching the solution to the need.
• Design an audit policy.
• Design a delegation of authority strategy.
• Design the placement and inheritance of security policies for sites, domains, and organizational units.
• Design an Encrypting File System strategy.
• Design an authentication strategy.
• Select authentication methods. Methods include certificate-based authentication, Kerberos authentication, clear-text passwords, digest authentication, smart cards, NTLM, RADIUS, and SSL.
• Design an authentication strategy for integration with other systems.
• Design a security group strategy.
• Design a Public Key Infrastructure.
• Design Certificate Authority (CA) hierarchies.
• Identify certificate server roles.
• Manage certificates.
• Integrate with third-party CAs.
• Map certificates.
• Design Windows 2000 network services security.
• Design Windows 2000 DNS security.
• Design Windows 2000 Remote Installation Services (RIS) security.
• Design Windows 2000 SNMP security.
• Design Windows 2000 Terminal Services security.
Designing a Security Solution for Access Between Networks
Corporate networks today are increasingly connecting site-to-site, client-to-site, and even client-to-client. The cost and complexity of providing this connectivity have changed over the past few years, with the recent trend towards using the Internet rather than leased lines between sites, and using the Internet for remote users rather than dial-up connectivity (RAS and the like). This movement towards the Internet as a low-cost solution has given rise to concerns about security. Data transmissions across the Internet cannot be considered confidential unless they are encrypted. Furthermore, this type of connectivity gives rise to the need to authenticate, that is, to validate the identity of the sender, and to verify that the data has not been altered in transit; encryption by itself provides neither. Otherwise, data transmissions could be intercepted, modified and forwarded on without anyone knowing that it had occurred. To reduce the risks in these areas, authentication and encryption solutions, loosely labeled VPN or Virtual Private Network, have evolved. This section begins with a brief discussion of private and public networks, and then moves on to discuss the concerns and solutions for connectivity for external users and within LAN and WAN networks in Windows 2000.
• Provide secure access to public networks from a private network.
• Provide external users with secure access to private network resources.
• Provide secure access between private networks.
• Provide secure access within a LAN.
• Provide secure access within a WAN.
• Provide secure access across a public network.
• Design Windows 2000 security for remote access users.
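The point above, that encryption gives confidentiality but neither authenticates the sender nor detects modification in transit, is easy to see in a small worked example. The following Python is an added example, not code from this book or from Microsoft; it uses a constructed toy stream cipher (a SHA-256 keystream XORed with the plaintext) and constructed keys and messages, all of which are assumptions for illustration only. An interceptor who knows where the amount sits in the message can rewrite it in the ciphertext without ever learning the key; adding an HMAC over the ciphertext (the same job that IPSec integrity protection or SMB signing does on a Windows 2000 network) lets the receiver reject the modified message.

```python
import hashlib
import hmac

# Constructed keys for this example only; never hard-code keys in real code.
ENC_KEY = b"example-encryption-key-not-secret"
MAC_KEY = b"example-mac-key-not-secret"
TAG_LEN = 32  # HMAC-SHA256 output length in bytes


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 over key||counter, counter-mode style.
    Illustration only; this is not a vetted cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """For a stream cipher, encryption and decryption are the same XOR."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def tamper(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """What an interceptor can do WITHOUT the key: XOR the ciphertext with
    (old XOR new) at a known offset, which turns the decrypted bytes from
    old into new. The attacker only needs to know the message layout."""
    ct = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)


def seal(plaintext: bytes) -> bytes:
    """Encrypt, then authenticate the ciphertext with HMAC-SHA256
    (encrypt-then-MAC)."""
    ct = xor_crypt(ENC_KEY, plaintext)
    tag = hmac.new(MAC_KEY, ct, hashlib.sha256).digest()
    return ct + tag


def open_sealed(blob: bytes) -> bytes:
    """Verify the tag before decrypting; reject anything modified in transit."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message was modified")
    return xor_crypt(ENC_KEY, ct)


# Constructed sample message; the amount field starts at byte offset 9.
MESSAGE = b"TRANSFER 0000100 TO ACCOUNT 4242"
AMOUNT_OFFSET = 9


def encryption_only_attack() -> bytes:
    """Encrypt with no integrity protection: the interceptor rewrites the
    amount and the receiver decrypts the altered message without noticing."""
    ct = xor_crypt(ENC_KEY, MESSAGE)
    forged = tamper(ct, AMOUNT_OFFSET, b"0000100", b"9999100")
    return xor_crypt(ENC_KEY, forged)


def authenticated_attack_detected() -> bool:
    """The same modification against an encrypt-then-MAC blob is rejected."""
    blob = seal(MESSAGE)
    forged = tamper(blob, AMOUNT_OFFSET, b"0000100", b"9999100")
    try:
        open_sealed(forged)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(encryption_only_attack())         # amount silently changed
    print(authenticated_attack_detected())  # True: tampering detected
```

Note that the MAC is computed over the ciphertext and checked before anything is decrypted, and that the comparison uses `hmac.compare_digest` so that the check itself does not leak timing information. A VPN or IPSec policy that provides "encryption only" without integrity protection is open to exactly the first attack shown here.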
Designing Security for Communication Channels
Whether the communication is occurring on a LAN connection or across some WAN interface, there may be a need to secure the channel. This section covers the use of SMB signing in a LAN to ensure that file and print traffic is authenticated and has not been altered in transit, and the use of IPSec to secure communications in either a LAN or a WAN setting. While in the previous section we discussed VPN solutions in terms of fitting the solution to the need, in this section we focus on the use of IPSec in securing communication channels between two Windows 2000 computers. We will look in more detail at how to design, configure, manage and tune IPSec configurations in a Windows 2000 network.
• Design an SMB-signing solution.
• Design an IPSec encryption scheme.
• Design an IPSec solution.
• Design an IPSec management strategy.
• Design negotiation policies.
• Design security policies.
• Design IP filters.
• Define security levels.
Networking Terminology
There are a lot of different terms and acronyms that you will be learning in this book. It is assumed that you have a certain amount of networking experience; if not, you may find it necessary to supplement this material with other books on the subject of networks in general. Before we go very far we need to define some of the common terms that we will be using often throughout the text. Additional terminology will be introduced as we learn more about security. The Glossary in the back of the book contains a more complete list of security-related terms.
• ACPI (Advanced Configuration and Power Interface) - An open industry specification that defines a flexible and extensible interface for power management, allowing system designers to select appropriate cost/feature trade-offs.
• Access control list (ACL) - A list of security protections that apply to an entire object, a set of the object's properties, or an individual property of an object. There are two types of access control lists: discretionary (DACL) and system (SACL).
• Authentication - A basic security function of cryptography. Authentication verifies the identity of the entities that communicate over the network; for example, the process that verifies the identity of a user who logs on to a computer either locally, at the computer's keyboard, or remotely, through a network connection.
• Certificate - A digital document that is commonly used for authentication and secure exchange of information on open networks, such as the Internet, extranets, and intranets. A certificate securely binds a public key to the entity that holds the corresponding private key. Certificates are digitally signed by the issuing certification authority and can be issued for a user, a computer, or a service. The most widely accepted format for certificates is defined by the ITU-T X.509 version 3 international standard.
• Certificate Services - The Windows 2000 service that issues certificates for a particular CA. It provides customizable services for issuing and managing certificates for the enterprise.
• DACL (Discretionary Access Control List) - The part of an object's security descriptor that grants or denies users and groups permission to access the object. The object's owner can always change the permissions in the DACL (as can anyone the owner has granted the Change Permissions right), so access is at the owner's discretion.
• Decryption - The process of making encrypted data readable again by converting ciphertext to plaintext.
• Digital signature - A means for the originator of a message, file, or other digitally encoded information to bind their identity to the information. Digitally signing information entails transforming the information, together with some secret information held by the sender (the private key), into a tag called a signature. Digital signatures are used in public key environments and provide nonrepudiation and integrity services.
• Encrypting File System (EFS) - A new feature in Windows 2000 that protects sensitive data in files stored on NTFS volumes. It uses symmetric key encryption for the file contents in conjunction with public key technology to protect the symmetric key, providing confidentiality for files. It runs as an integrated system service, which makes EFS easy to manage, difficult to attack, and transparent to the file owner and to applications.
• Encryption - The process of disguising a message or data in such a way as to hide its substance.
• Firewall - A means of keeping a network secure. Firewalls are used to give employees access to the Internet without breaching internal security, as well as to prevent external intrusion into the internal network.
• Hostnames - User-friendly names given to computers in a TCP/IP network.
• Kerberos authentication protocol - An authentication mechanism used to verify user or host identity. The Kerberos v5 authentication protocol is the default authentication service for Windows 2000. Internet Protocol security (IPSec) and the QoS Admission Control Service use the Kerberos protocol for authentication.
• Key - A secret code or number required to read, modify, or verify secured data. Keys are used in conjunction with algorithms to secure data; Windows 2000 automatically handles key generation. In the registry, a key is an entry that can contain both subkeys and values: keys are analogous to folders and values to files, and in the Registry Editor window a key appears as a file folder in the left pane. In an answer file, keys are character strings that specify parameters from which Setup obtains the data it needs for an unattended installation of the operating system.
• Trusted user - A user who either has an account in the domain or whose account belongs to a trusted domain.
• IP address - The numeric identifier that TCP/IP uses to identify a host (strictly, a network interface) on a network.
• MMC (Microsoft Management Console) - A framework for hosting administrative consoles. The objects on the console tree, including web pages, folders and management tools (snap-ins), define a console.
• PKI (Public Key Infrastructure) - A system of digital certificates, certification authorities, and other registration entities that verify and authenticate the validity of each party involved in a transaction.
• Private key - The secret half of a cryptographic key pair that is used with a public key algorithm. Private keys are typically used to digitally sign data and to decrypt data that has been encrypted with the corresponding public key.
• Proxy server - A firewall component that manages Internet traffic to and from a local area network and can provide other features, such as document caching and access control. A proxy server can improve performance by supplying frequently requested data, such as a popular Web page, and can filter and discard requests that the owner does not consider appropriate, such as requests for unauthorized access to proprietary files.
• Public key cryptography - A method of cryptography in which two different but complementary keys, a public key and a private key, are used to provide security functions. Public key cryptography is also called asymmetric key cryptography.
• SID (Security Identifier) - A unique identifier that represents a security principal in a Windows 2000 environment. A SID can represent a user, a computer, or a group.
• Secure Sockets Layer (SSL) - A protocol originally developed by Netscape Communications, and since standardized by the IETF as Transport Layer Security (TLS), for establishing a secure communications channel to prevent the interception of critical information, such as credit card numbers. Primarily it enables secure electronic financial transactions on the World Wide Web, although it is designed to work with other Internet services as well.
• Smart card - A credit-card-sized device that is used with a PIN to enable certificate-based authentication and single sign-on to the enterprise. Smart cards securely store certificates, public and private keys, passwords, and other types of personal information. A smart card reader attached to the computer reads the smart card.
• Symmetric key encryption - An encryption algorithm that requires the same secret key to be used for both encryption and decryption; often called secret key encryption. Because of its speed, symmetric encryption is typically used rather than public key encryption when a message sender needs to encrypt large amounts of data.
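To make the glossary's public key, private key, digital signature and symmetric key entries concrete, here is an added Python example; it is not from the book and is not how the Windows 2000 CryptoAPI implements these operations. It uses textbook RSA on two fixed Mersenne primes as a stand-in for a real key pair, so that it runs with the standard library alone: the private key signs and decrypts, the matching public key verifies and encrypts. The random 128-bit symmetric key wrapped here plays the role of the file encryption key that EFS protects with the user's public key. The primes, exponent, message and key material are assumptions for illustration, and unpadded RSA like this is not secure for real use.

```python
import hashlib
import secrets

# Textbook RSA on fixed primes so the example needs no third-party library.
# 2**127-1, 2**521-1, 2**107-1 and 2**607-1 are Mersenne primes, chosen only
# because they are known to be prime, NOT because this is a sensible way to
# pick RSA primes.
P1, Q1 = 2**127 - 1, 2**521 - 1   # key pair for "Alice"
P2, Q2 = 2**107 - 1, 2**607 - 1   # an unrelated key pair for "Mallory"
E = 65537


def keygen(p: int, q: int):
    """Return (public, private) as ((e, n), (d, n)) with d = e^-1 mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # modular inverse; requires Python 3.8+
    return (E, n), (d, n)


def sign(private, message: bytes) -> int:
    """Hash first, then apply the private key: sig = H(m)^d mod n."""
    d, n = private
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(h, d, n)


def verify(public, message: bytes, sig: int) -> bool:
    """Anyone holding the public key recomputes H(m) and checks sig^e mod n."""
    e, n = public
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(sig, e, n) == h


def wrap_key(public, sym_key: bytes) -> int:
    """Encrypt a symmetric key to a public key (as EFS does with the FEK)."""
    e, n = public
    return pow(int.from_bytes(sym_key, "big"), e, n)


def unwrap_key(private, wrapped: int, key_len: int) -> bytes:
    """Only the holder of the matching private key recovers the symmetric key;
    the wrong private key yields unrelated (and here much longer) bytes."""
    d, n = private
    x = pow(wrapped, d, n)
    return x.to_bytes(max(key_len, (x.bit_length() + 7) // 8), "big")


def demo() -> dict:
    """Run the checks a practitioner would expect and report each result."""
    alice_pub, alice_priv = keygen(P1, Q1)
    mallory_pub, mallory_priv = keygen(P2, Q2)

    msg = b"Approve purchase order 1234 for $5,000"  # constructed message
    sig = sign(alice_priv, msg)

    fek = secrets.token_bytes(16)  # random 128-bit symmetric key
    wrapped = wrap_key(alice_pub, fek)

    return {
        "genuine_verifies": verify(alice_pub, msg, sig),
        "altered_message_fails": verify(alice_pub, msg.replace(b"5,000", b"50,000"), sig),
        "wrong_signer_fails": verify(mallory_pub, msg, sig),
        "owner_unwraps": unwrap_key(alice_priv, wrapped, 16) == fek,
        "other_key_unwraps": unwrap_key(mallory_priv, wrapped, 16) == fek,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Two design points are worth noticing: the message is hashed before signing, so the signature covers data of any length and any change to the message changes the hash; and the bulk data would still be encrypted with the fast symmetric key, with public key operations reserved for wrapping that key and signing the hash, exactly the division of labour the symmetric key encryption entry describes.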
Chapter 1: Analyzing Business Requirements
The objective of this chapter is to provide the reader with an understanding of the following:
• Companies can be categorized by geographic models: regional, national and international
• It is necessary to understand both the information process and the communications process of the company.
• How to balance between company growth, tolerance for risk and the cost of your solution
• How end-user business and security requirements lead to Group Policy object design
• How Windows 2000 security lends itself to role-based or decentralized management
• The impact of WAN connections and the issues surrounding internal and external security threats for companies
I. Introduction
The initial phase of designing security for a company or an organization involves gathering business information about the company: its locations, connectivity and processes, and issues such as product life cycles, the company's tolerance for risk and how the company identifies costs. In gathering this information there are no decisions to be made; rather, the designer/consultant is looking for issues that will help in weighing recommendations later in the design process. The designer needs to understand the IT department and how management is currently performed, how decisions are made, and the physical connectivity used between locations. In addition, the future plans of the company or organization in each of these areas need to be clarified, so that any design recommendations can accommodate them. While much of this information gathering is not technical in nature, these issues in many cases will affect the security recommendations and aspects of the final design.
Getting Ready - Questions
1) What is the difference between a regional and a national model?
2) Which process, information or communication, is more often automated in most organizations?
3) Does centralized management offer better control than decentralized management?
4) When balancing between a company's tolerance for risk and the need to secure information, when would a solution be a bad recommendation?
5) Do LAN topologies create issues for the security design in most cases?
Getting Ready - Answers
1) The national model is a larger version of the regional model, in most cases. The only factor that may affect your final security design is the number of remote sites and the connectivity in use between those sites and the main site.
2) In most organizations, the information process is automated, while the communications process is manual in nature.
3) Centralized management does generally offer better security, that is, better control.
4) Where the cost of protective measures far exceeds the value of the information being protected.
5) While LAN topologies will create some security issues, WAN topologies will remain the primary focus of the design.
II. Analyzing the Business Models
Companies can generally be categorized based upon their geographic locations. In this section we examine the common models and discuss the impact of each upon decisions that may be made in the design process. In general, the issues presented by the different business models are those created by the differing laws and regulations in different countries, as well as possible language barriers. There are often vastly different laws regarding issues like the strength of encryption available: for instance, until the United States relaxed its export controls in early 2000, browsers with 128-bit encryption could not legally be exported from the US to most countries other than Canada. Some countries restrict the use of certain levels of encryption in PKI implementations. Companies that do not operate in multiple countries will not have to be as concerned about this in their security design and implementation process. They will, however, still have to take into consideration future scalability and growth, as well as interaction with present and future business partners or affiliates.
The Company Model and Geographical Scope: Models include regional, national, international, and include considerations for subsidiary and branch offices. The first three differ mostly in size or scope of the company, with the international model presenting the most challenge. Subsidiary operations and branch offices will sometimes affect the Active Directory design, while not necessarily affecting security considerations.
Regional Model: A regional model describes a company that has WAN connectivity between locations, but does not span across an entire country. This type of company will not be affected by differing international laws or restrictions, but will still require planning to accommodate the connectivity issues between remote locations. It may necessitate the use of PKI in combination with VPN solutions and firewalls in each location, but the particulars will require additional information about the company.
National Model: A national model is a large version of a regional model, generally reflecting operations in multiple regions of the country, connected again by WAN links.
As with the regional model, the national model does not have to deal with varying laws and regulations from differing countries, and will have many of the same needs in terms of PKI, VPN or firewall solutions, but at a larger scale.
International Model: This model provides the most complex set of issues for the designer. Companies in this model operate in different countries, and are often very volatile in terms of size and locations. While retaining the many problems associated with WAN connectivity between multiple locations, there are the additional issues of legal requirements in each country in regards to security implementations, language issues, and cultural barriers possibly affecting the planning and implementation process. The constant growth of the company into other locations simply further complicates these issues.
Subsidiaries: When dealing with a subsidiary of a larger company, the subsidiary's geographic scope may fall into any one of the three models above. In addition, there may be corporate political problems. The designer has to be aware of the relationship with the parent company and its potential impact on design decisions and implementation plans. For instance, the subsidiary may be autonomous, so that security implementations between the parent and the subsidiary have to be planned jointly by two separately managed organizations. This introduces additional political elements and greatly complicates the process. Cultural and political differences between offices may prove prohibitive during implementation if adequate preparation and planning have not been conducted.
Branch Offices: Branch offices often have limited resources and connectivity. Characterized by small numbers of personnel, branches are often present in regional, national and international companies, and need to be identified early in the information-gathering phase of the design process. Solutions at larger locations may require special consideration for implementation at branch offices. In many companies, personnel working at branch offices connect back to the main location with laptop computers. Securing these users will obviously call for very different solutions.
Pop Quiz 1.1 Questions
1) Which geographic model is most affected by differences in laws and regulations between countries?
2) Which of the three geographic models would be characterized by WAN connectivity?
3) Language barriers might arise in which of the geographic models?
4) What aspect of a subsidiary is most important to understand?
5) What are the two major limitations of branch offices?
Pop Quiz 1.1 Answers
1) The international model is most affected by differences in laws and regulations in the different countries.
2) The regional, national and international models are all characterized by WAN connectivity.
3) Language barriers are most apt to arise in the international model.
4) The relationship between the parent company and the subsidiary may have an impact on design recommendations and decisions.
5) Branch offices often have limited resources and limited connectivity.
III. Analyzing the Company Process
This level of analysis seeks to describe the process flow of the company, much as one might examine the blood flow inside the human body. How does information flow within the company? Between the company and its partners? How do people communicate? What are the primary tools used for communication? Is communication always internal, or does it also involve external partners? What are the current products that the company leverages for profit? Who are the customers? What information and communication processes surround the product? What is the expected life of the product? When the product is near its end, will its value to the company still warrant the level of security it received in its "youth"? Who makes the "final decision" in the company, especially as it relates to this security planning and implementation process? Or does a group or committee make the decision? The answers to these questions and many more will give the designer the process flow, the "blood flow", of the company.
Information Flow Process: Processing information has become a key differentiator between companies. The information that a company uses to remain competitive and flexible will flow from platform to platform, system to system and from user to user. The flow of information may be from an outside partner into the company or from the company to external entities or may be entirely internal. In practice, most companies have information flow of each kind, and the cross-platform and cross-system nature of the marketplace creates additional challenges for the designer. The designer needs to identify and characterize the information flow by security need, remembering that not all information processes have the same need for security.
Communication Flow Process: Communication flow may be similar and somewhat related to information flow, but it is often manual in nature, not automated. Users initiate communications with other individuals, using e-mail, postal mail and internal company mail. Those individuals may be internal or external to the company, and, as with information flow, the designer knows that not all communications have the same need for security. This requires a close look at the intent and content of communications to determine the security need before recommendations can be made.
The flow of information and communication within the design must be closely scrutinized, since different architectural choices carry different requirements and capabilities. If information is flowing between different offices and locations, a VPN may be called for. Likewise, it may be a signal to consider how other mechanisms, such as Kerberos authentication, may be used effectively.
The Product Life-Cycle Process: Information flow and communication flow are often tied directly to a product that has a life cycle within the company. When the product has reached the end of its life cycle, the security needs may decrease as the value of the product decreases in the company. New products are released and the information and communication flow surrounding the new products must also be evaluated for security needs.
Decision Making Process: It is critical that the designer determine the decision-making process that the company uses prior to entering into the grueling data-gathering and planning phases. The people who will have the final say must be involved in the process from the beginning. The designer must know whether the company practices empowerment or is very authoritarian in its management style, and whether the company is organized into autonomous units or is more traditional in its organizational chart. The differences will be reflected in the choice of whom to include in the design, planning and implementation phases. Failing to include the appropriate individuals could result in failure, either from a lack of buy-in from those directly affected or from a lack of support from those whose final approval is required.
Analyzing Business Requirements 11
Pop Quiz 1.2 Questions
1) What is the difference between information flow and communications flow in a company?
2) Which type of flow, information or communication, would e-mail be more apt to use?
3) What is the connection between product life-cycle and information or communication flow?
4) What is the connection between the decision-making process and the information or communication process?
5) Why is it important to understand the decision-making process?
Pop Quiz 1.2 Answers
1) Information flow is often automated, while communications flow is often manual in nature.
2) E-mail would be more apt to use communication flow.
3) As a product nears the end of its product life cycle, the need to secure information flow or communication flow related to the product often diminishes.
4) It is important to identify decision makers in the company, and involve them in the communications flow or information flow surrounding design.
5) Without understanding the decision-making process, the design could fail to include key decision makers in the early stages, resulting in a lack of commitment and possible rejection of the design recommendations.
IV Analyze Organizational Structures
If the process flow is the “blood flow” of the company, then the organizational structures form the skeleton of the company. Understanding the management model can shed light on the decision-making process discussed earlier, and may give some insight into how the company will view proposals in terms of value versus cost to the company. The way in which the company is organized can affect Active Directory design and ultimately affect the placement and use of Group Policy objects in the security design. Relationships with vendors, partners and customers can all affect security design recommendations, especially if those relationships involve some exchange of information or access to company data. Finally, we will look at acquisition plans and note that these plans have the potential to disrupt the design process at any time.
Management Model: Closely related to the decision-making process discussed earlier, the management model has an impact early in the design process, especially in terms of whom to include and how to communicate progress. Companies may be privately owned, or may be publicly traded. The senior management may be a Board of Directors and CEO or CIO, or it may be a small group of relatives, as in a family-owned company. Each management model changes the process in terms of communications, approvals, inclusion and the level of risk the company can or is willing to assume. In some companies, IT has great influence on the final decision, while in other companies the operations, development, or production groups have the most influence. Since implementation eventually needs approval, it is very important that the design process be communicated to those principals who control the decision-making process. The appropriate company personnel need to be included in the design process to ensure buy-in from those directly affected. Approval must be obtained prior to the commencement of any design or implementation. Employees who may not have an impact on the design should also be made aware of any implications or pending changes that the design may bring, since it is they who will be directly affected. This will lead to a smoother implementation and less resistance from the masses.
Company Organization: Is the company divided into autonomous business units? Or is the company divided geographically? Some companies organize around products and then make those product groups self-managed. Each of the different approaches offers differing challenges to the designer. In the autonomous model, separate approvals may be necessary, which may change the timeframe for implementation and increase the risk of failure. In the geographical model, management style and decision-making processes still must be clarified before the designer can proceed to gather information. Again, the main issues in this area initially have to do with whom to include in the process and to whom to communicate the status of the process. Later in the design process, company organization may affect the recommendations for security implementations between locations or Active Directory sites. Certain sites or groups may have final decision-making power over other groups, whether organized geographically or as business units.
Vendors/Partners/Customer Relations: Does the company have “special” relationships with certain vendors? Are they using Electronic Data Interchange (EDI) or some other form of data exchange between companies? Or does the company provide customers with access to information, perhaps enabling customers to directly purchase product? Almost all companies have select vendor partners, and will provide those partners with access to information or require advance information from those partners as part of their strategic value to one another. In this age of the Internet, almost all companies have an Internet presence and allow end-user customers some access to corporate information, often to actually purchase product directly from their web site. The designer must know about these relationships and factor them into the security design. An example would be a partner company that discloses source code, but only if minimum physical and information security requirements are met and legally contracted under Non-Disclosure Agreements (NDAs). This type of information flow must be considered.
Acquisition Plans: Companies are either growing or they are dying. Will this company acquire other competitor companies and absorb them, or will the plan call for expansion into new regions or new countries? Is this company itself a potential acquisition target? Will the company enforce its own processes and architecture, or adopt the standards of the merged or acquired company? Growth brings change. Geographic boundaries may expand into regional, national, or perhaps international scopes. Decision-making processes, information and communication flows will be impacted. The designer needs to be aware of these issues to ensure the successful completion of the security design.
Pop Quiz 1.3 Questions
1) Why is an understanding of the management model important in the early stages of design?
2) How is the management model related to the level of risk the company is willing to tolerate?
3) What company process is strongly related to company organization?
4) Where do vendor-partner relationships create the most concerns in company processes, in information flow or communication flow?
5) Can acquisition plans cause an untimely end to the design process?
Pop Quiz 1.3 Answers
1) As mentioned earlier, it is important to identify the decision makers and include them in the early phases of design. The management model will help identify those individuals.
2) Additionally, different management models have different tolerances for risk. Publicly traded companies cannot afford security failures, while privately held companies’ tolerance for risk will be driven by the owners.
3) Company organization has a strong impact on the decision-making process.
4) While this can vary, generally vendor-partner relationships are characterized by the exchange of information, often in an automated manner (information flow).
5) No. But acquisitions can alter the planning and the recommendations. The designer has to stay abreast of any potential changes in this area.
V Analyzing Company Strategies
These are factors that often compete for attention in management meetings. In the design process there needs to be an understanding of how these issues are viewed by the company. Security is often viewed as an unnecessary financial drain or usability constraint. Security recommendations will need to be justified before they can be implemented. The justification can take many forms, from alignment with company priorities to reducing the risk in a sensitive product area to decreasing the company’s total cost of ownership. Woven throughout this analysis are the issues of laws and regulations, along with the impact of growth on systems and products throughout the company.
Company Priorities: The company probably has a Vision Statement and a Mission Statement. These can begin the discovery of the company’s priorities. However, management and leadership have a great effect upon the priorities of a company, and so those priorities are subject to change as leadership changes. Company priorities may also be changed by a change in market conditions; for example, as a product comes under intense competition, new products may be brought to market more rapidly, or sales and distribution channels may be realigned. Management is constantly revisiting company priorities as competitiveness is constantly being challenged. This is not so much a security design area as a company politics area. As these changes become apparent, it is up to the designer to ensure that security remains in line with the company’s vision.
Company Projected Growth and Growth Strategy: As we said earlier, companies are either growing or they are dying. The designer needs to know how the company plans to grow and how much the company plans to grow in the near future. While we looked at acquisitions earlier, companies also grow through other strategies. Franchising has become a common growth strategy and would have a significant impact on the information and communication flows for the company. Some companies have plans to divest themselves of unprofitable product groups and increase their focus on the remaining “core” products. Again, this can have a significant impact upon the designer’s plans.
Relevant Laws and Regulations: Laws and regulations have their greatest impact on companies with an international presence, because of the varying nature of laws and regulations in differing countries. Solutions that work in one country may not be allowed in another. Companies that maintain Internet e-commerce sites must also be aware of the laws and regulations regarding their web sites. Companies that work in certain business sectors have specific legal requirements regarding privacy of information, such as banks and financial institutions, as well as health providers and hospitals. Certain security technologies are surrounded by import and export legislation, like digital certificates, encryption, and other elements of PKI.
The Company's Tolerance for Risk: This factor is often closely tied to the competitive niche in which the company operates. Companies working in the defense industry, that is, working under contract for the US or Canadian governments, generally have very high security standards and a very low tolerance for risk. On the other hand, state agencies often must make information readily available to the public. Privately held companies have differing requirements than do publicly traded companies when it comes to the need for security. Publicly traded companies have additional concerns with the untimely dissemination of financial information in regard to securities regulations. The higher the tolerance for risk, the less the company is apt to be interested in elaborate security measures surrounding their business. The lower the tolerance for risk, the more receptive the company will be to security recommendations, even if they are costly. The cost of securing the information, monetary or otherwise, must never outweigh the value of the information being protected. The most effective way to define risk is with this simple equation:
RISK = THREAT X VULNERABILITY X COST
Threat is the frequency of potentially adverse events. Since it is a frequency, it is potentially measurable. And since the events are only potentially adverse, threat itself is not necessarily dangerous. Vulnerability is the likelihood that a particular threat succeeds against a system. It could be quantified as simply as yes or no, such as whether a certain attack will work on a particular system, but it is better expressed as a probability of success (a percentage), since variables will often affect whether the attempt succeeds or fails.
Cost can be accounted for in two ways. Hard costs are easily quantifiable in terms of man-hours, replacement hardware, and other purchases. Soft costs, however, require a bit more research. These costs include the value of the data, the potential loss of reputation, and even the loss of customers if the resource were exposed or damaged. Think in terms of basic math. If a designer manages to reduce any of the components to zero, then there is no risk, because anything multiplied by zero equals zero. If you can negate the cost, the threat or the vulnerability, then the risk is also counteracted.
Total Cost of Operations: One of the goals of any design should be to lower the TCO, or Total Cost of Ownership. The designer must know how the company assigns costs and how costing is seen by the company. Many of the implementation recommendations will have costs associated with them. It is very important that they can also be shown to lower costs for the company. To do this, the designer has to understand the ways in which the company costs things like downtime, support, communications technologies, etc. Security measures will have a cost, but can be shown to lower costs in other areas of the company, such as downtime or loss of productivity. Many times, security costs can be allocated to associated projects, such as acquisitions, growth, development, or contractual obligations.
Pop Quiz 1.4 Questions
1) Which of the factors in this section is primarily an issue of understanding company politics?
2) Which factors would require your security recommendations to be highly scalable?
3) Is the relationship between tolerance for risk and cost of implementation direct or inverse?
4) Is there a relationship between tolerance for risk and the ways in which a company assigns costs?
5) Which types of technology solutions are often impacted by differing laws and regulations in different countries?
Pop Quiz 1.4 Answers
1) Company priorities are generally a reflection of the company’s politics.
2) The company’s projected growth or acquisition strategy may require the security design to scale very rapidly.
3) The higher the tolerance for risk, the lower the cost of implementation; therefore the relationship is an inverse one.
4) Yes. As the designer assesses the tolerance for risk and makes recommendations, the company will then assign costs to the recommendation. The designer needs to understand the costing practice and be able to discuss the cost of security versus the cost of a loss.
5) Digital certificates, encryption, and other PKI-enabled technology solutions are all impacted by the varying laws and regulations in countries around the world.
VI Business and Security Requirements
End user requirements are certainly integral to the security design process. These issues overlap with information and communications flow, organizational model, and relevant laws and regulations. As we will see, the more thorny issues often revolve around use of laptops, which may then be impacted by laws and regulations if users travel to other countries where the encryption technology may not be compatible with the parent organization. Additionally, there may be the need for VPN between locations, or use of SSL on web sites. Again, as with much of the information in this first level of analysis, these issues simply provide the background against which technology solutions are then designed.
Business Requirements for the End User: In this area of information gathering, we are focusing on the needs of the end user. Why does the end user need technology to better perform their duties? How does the end user fit into the information flow or the communications flow described earlier? The company will need to provide the end user with access to information and with tools for communication. The designer needs to clarify these means of access, and then plan for security based on the many other issues discussed earlier. People may be uploading or downloading data from company servers. Web sites may be used to provide access to information. Traveling users with laptops may need dial-up access to e-mail or other resources. Separate locations may need to share information so that users can better perform their duties. Often these issues surface as the information and communications flow is clarified.
Security Requirements for the End User: These are not separate from, but are directly tied to, the prior issues of business requirements. Once the business requirements and the company’s tolerance for risk are understood, and the model is clarified (which may give rise to issues in the area of laws and regulations), the designer is ready to begin to weave the security design. As we have been discussing, there are certain key places where security requirements are typically present: web sites, laptops, point-to-point connections across public infrastructure (giving rise to VPN needs) and e-mail. In the next section we will look at the issues of the current physical model and the current information security model.
Pop Quiz 1.5 Questions
1) What are three issues previously discussed that are related to the issue of the business requirements of the end user?
2) The end users include many people that use laptop computers to communicate to corporate servers with dial-up connections to access sensitive company information. What are some security solutions that might be implemented to improve security for these end users?
3) The company maintains a web site at which the company sales people connect with browser-enabled software to access product information, such as anticipated product release dates, etc., that are not to be made available to the general public. This site, however, is also used to host the company intranet web content. What Windows 2000 solutions can be used to help secure the product information from other employees?
4) The company is currently using a distributed, replicated database application between locations to coordinate inventory, sales and accounting information. What solutions in Windows 2000 may help them to reduce their costs to connect these locations without compromising security?
5) Name three areas of company technology that typically call for security recommendations.
Pop Quiz 1.5 Answers
1) Information and communications flow, organizational model, and relevant laws and regulations are related to the business requirements of the end user.
2) For users connecting using laptops and dial-up accounts, companies use VPN solutions.
3) The company can secure the intranet web site with SSL, requiring the sales people to authenticate before accessing the product information.
4) The company could use a site-to-site VPN to ensure authentication and subsequent encryption of data to and from the database servers.
5) Web sites, the use of laptops, and location-to-location connectivity across public infrastructure are three situations that typically call for security considerations.
VII Analyze the Structure of IT Management
With the introduction of Active Directory, Windows 2000 lends itself strongly to decentralized models of IT management. In many situations, the designer will want to recommend role-based management as a way to increase security. Separate roles can be established for managing Active Directory, managing sites, configuring and maintaining certificate services and so on. Understanding the company’s current IT management philosophy is the first step in understanding how to help the company transition to role-based management. Additional issues in IT that need to be understood include the use of contractors or consultants, how projects are funded in the company, how decisions are made and how change is processed in the company.
Centralized Administration: In today’s IT business, most companies will decide to centrally manage certain tasks or functions. Typically those areas involving a higher level of technical expertise, or involving a higher level of risk, will be centrally managed by a small, well-trained group of IT professionals. PKI, e-commerce, and directory services (Active Directory design and modification) are all examples of areas that are typically centrally managed. The more routine tasks can be handled by local support personnel whose training may not be as in-depth and whose impact would not be as great if problems should occur.
Decentralized Administration: While certain high-level IT areas are almost certain to be centrally managed in most companies or organizations, other rather low-level functions are almost always decentralized. Tasks like adding or troubleshooting printers, adding new users, changing passwords, and fixing end-user problems at their workstations are all examples of tasks that most companies will decentralize. Since they involve little risk and require a lower level of technical expertise, the company will allow the tasks to be performed by entry-level support personnel in the IT department or division. In companies that currently decentralize these tasks, the introduction of role-based management in Windows 2000 will be readily accepted.
The Funding Model: Any solution you present will require funding. The company may see IT as a cost center in their organization, consuming resources rather than generating revenue. Other organizations have successfully re-deployed their IT departments as profit centers, charging the company’s departments or divisions for services, and also selling their expertise outside the company. The designer needs to know within which model they are operating, since justification for expenditures in the former case will be much more difficult than in the latter. Attention should also be given to the company budgeting process to be sure that recommendations would receive the necessary funding for future implementation.
Outsourcing: Most companies have employed consultants or contractors on a part-time or project-oriented basis, and continue to do so today, especially in light of the very tight IT market. For the designer this could mean having to work with non-employees to plan or implement, or could be problematic when current solutions have been created by different people over time, many of whom did not adequately document their work. Additionally, the company may not have adequate expertise in certain areas, leaving the planning and implementation at risk. Other implications that may arise would be the access of confidential information by external contacts, and the enforcement of Non-Disclosure Agreements.
The Decision Making Process: As with the discussion of decision-making in the company at large, the decision-making process in the IT department needs to be well understood. Does the IT Manager (CTO, CIO, etc.) make the final decision, or is the decision made at the level of impact? Can the CTO/CIO override objections from other factions in the IT department? Who has the “final” say in issues that impact the design process? Who in the IT department finalizes budgets and has the authority to approve or deny projects from a budget perspective?
The Change Management Process: Since clearly the information you are gathering will change over time, there needs to be a process to react to the changes. The process may be well defined and flexible, or poorly defined and rigid. Worse, there may be no process defined at all to deal with changes. In many cases, the lack of a process, or a poorly designed one, will hinder implementation as the security design attempts to move forward.
Pop Quiz 1.6 Questions
1) What type of security management is Windows 2000 designed to accommodate?
2) What are typical tasks that a company will centrally manage? What are typical tasks that a company will decentralize in terms of management?
3) Why is funding an issue for the design process?
4) Where in the design process does outsourcing have an impact?
5) How does the change-management process relate to the decision-making process studied earlier?
Pop Quiz 1.6 Answers
1) Windows 2000, with the introduction of Active Directory, is designed to easily accommodate decentralized or role-based administration.
2) Examples of areas typically centrally managed include PKI, e-commerce, and directory services (Active Directory design and modification), while adding or troubleshooting printers, adding new users, changing passwords, and fixing end-user problems at their workstations are examples of tasks well-suited to decentralized administration.
3) The security design will cost money to implement. It is necessary to understand any constraints that the budget may place on the design process.
4) Outsourcing may be necessary for some implementation areas. Also, the company may already use outsourcing, which may make the implementation more difficult.
5) The change-management process is an automation of the decision-making process. It allows the security design to be dynamic and to change as company conditions change in the future.
VIII Analyzing the Company’s Current Model
The current physical model for the company centers mainly on the issues around connectivity, along with the current security solutions in use by the company. Granted, there is quite a bit of overlap between this area and prior discussions about process flow, company organization, growth and many of the earlier topics, but these issues add depth to the information already discovered in this early discovery phase of the design process.
Physical Model: What are the prevailing LAN and WAN solutions in use by the company? While LAN topologies can create issues in a security design (peer-to-peer versus server-based domain model), the WAN connectivity between sites is the primary issue. What is the bandwidth between locations: T-1, ISDN, or perhaps 64 Kbps? Most analysts consider a T-1 connection to be high-speed and reliable, at the upper end of WAN connectivity. Companies with T-1 connections have much more flexibility when it comes to recommending security solutions. For those companies with 64 Kbps between locations, the recommended solution may include increased telecommunications costs, as lines may need to be upgraded. Additionally, how do customers or vendor/partners connect? The issue of connectivity also overlaps with the company organization and with the subsidiaries discussed earlier. The networks at either end could be autonomously managed and operated. The prior discussions of information and communications flow, along with the issues around vendor/partner relationships, add complexity to the model as it emerges.
Information Security Model: How does the company currently secure information? Again we ask if firewalls are in place, and if PKI is in use, and whether the company is using VPN technology, in either site-to-site or client-to-site mode. This knowledge can help the designer in determining the company’s readiness to evaluate and perhaps adopt security technology solutions. Organizations that are already involved in state-of-the-art technologies will be more accepting of the security technologies embedded in Windows 2000. Overlapping the security model are issues discussed earlier like the tolerance for risk, how the company assigns costs, the IT management model and others. The larger the gap between the company’s current security model and the recommendations, the more clearly the analyst will need to be able to show value as opposed to cost of the solution and alignment with company priorities.
IX Analyze Security Risks
The nature of security risks is related to the prior discussions of tolerance for risk, product life cycles and projected growth, among others. Depending upon the nature of the business, the issue of external risks can be either quite small or rather large. For companies with active e-commerce sites, the exposure to external attempts at accessing sensitive data increases. Companies or organizations with a high public profile are natural targets for potential intrusions. Internal intrusions make up as much as 80% of the security risks in most companies, according to industry experts. Often we spend so much time looking at the external threat that we miss the more common internal threat. Internal risks generally call for Kerberos-related solutions as well as EFS on local workstations. Laptop computers, because of the ease of theft, are especially good candidates for the use of EFS. External threats call for SSL and the use of Certificate Authority services, as well as IPSec and other tunneling and encryption protocols. Many times physical threats, internal intrusions, or unauthorized access to systems can be minimized through effective security policies. A company that has an active security awareness program will be less likely to suffer detrimental effects if its employees are conscious of their actions, such as locking workstations or securing physical access to sensitive areas or systems.
Pop Quiz 1.7 Questions
1) Which type of physical connectivity adds more complexity to security design, LAN or WAN?
2) What other issues may create additional costs when looking at solutions between locations connected with 64 Kbps lines?
3) The company currently uses Verisign public key certificates to secure its web site. Does this aid or hinder the designer in the design and recommendation process?
4) In your discovery process you determine that the company, which maintains a government contract, has a low tolerance for risk. How will they view costly recommendations to secure information and communications processes?
5) The client company maintains an e-commerce web site. What other factors about the company will help you in your analysis and recommendations?
Pop Quiz 1.7 Answers
1) WAN connectivity clearly adds more complexity to security design.
2) The 64 Kbps connectivity may not be adequate for the security design, and additional bandwidth may be required.
3) The use of Verisign keys will neither aid nor hinder the security designer. Windows 2000 certificate solutions are fully interoperable with external vendor solutions, like Verisign.
4) A low tolerance for risk means that the company recognizes a high cost for security losses. They will be much more receptive to increased costs due to security recommendations.
5) The designer needs to understand the company’s tolerance for risk, since e-commerce has a fair amount of potential risk. Generally e-commerce sites are secured using external vendor solutions, like Verisign, which will increase the costs for securing the web site.
X
Chapter 1: Summary
• The company model is one of the broadest looks we can take of a company, yet it encompasses many aspects of operation. Look for international models in the testing, with an eye on the impact of laws and regulations, especially in the areas of encryption and browser security.
• Information flow and communication flow overlap with many other areas of company operations. Watch for use of laptop computers, web site issues, and e-mail security in these areas.
• The management model and company organization can help sort out whose opinion really counts as you are preparing recommendations. In the case studies you will often have the comments of various company managers, and, as in the real world, they will not always agree. You must know who makes the final decision and have their support.
• Larger companies have all kinds of vendor/partner relationships that add complexity to the picture. For the test, be aware of the use of SSL on web sites used for sharing information, and that Kerberos has multi-platform compatibility.
• Tolerance for risk and the ways in which companies cost technology solutions are often alluded to in comments by key management people. Look in the exam for differing opinions, and be ready to identify whose opinion is most important.
• Laws and regulations will be an issue for any company that operates across international borders – which will be most of the case companies you will see.
• End user requirements will almost always revolve around laptops, secure e-mail, or securing information on websites. Know the appropriate technology solutions for each, and the issues around differing laws and regulations in each.
• The whole issue of IT management comes down to this: Microsoft is really hyped about the potential for Windows 2000 to offer very granular decentralized (role-based) management for the enterprise network. Hopefully the case company is similarly inclined.
• In the last section we discussed the physical model, which generally helps to clarify the Active Directory site design. The issue of security and internal and external risks breaks down into just a few areas of recommendations: Kerberos for better security on the LAN, VPN connectivity between locations utilizing IPSec and PPTP, SSL at web sites and encryption on browsers, and the use of smart cards to secure computer access.
XI
Chapter 1: Post-Assessment
(Answers appear in Appendix A.)
1) Which of the geographical models is most prone to legal or regulatory conflicts?
A. Regional
B. National
C. International
D. Branch
E. Subsidiary

2) For which process is a site-to-site VPN a more appropriate solution?
A. Communication Process
B. Information Process
C. Decision-making Process
D. Management Process
E. The Change Management Process
3) Your client company allows selected vendor partners into their web site to access order information. Which of the following is a good recommendation for securing this extranet site?
A. PKI
B. Kerberos
C. VPN
D. IPSec
E. SSL

4) Your client company uses part-time contract help frequently. What Active Directory component lends itself well to securing these users without unduly increasing the company’s costs of business?
A. Certificate Authority
B. Organizational Units
C. Group Policy Objects
D. Sites
E. Domains

5) The client company has manufacturing operations in North America, Europe and South America, and provides all technical support from corporate headquarters. What type of management does this describe?
A. Centralized Operations/Decentralized IT Support
B. Decentralized Operations/Decentralized IT Support
C. Centralized Operations/Centralized IT Support
D. Decentralized Operations/Centralized IT Support
6) Salespeople in the client company often connect from hotel rooms with laptop computers to transfer sensitive sales information to and from the company web site. What aspect of company operation does this describe?
A. Communication Flow
B. Information Flow
C. Product life-cycle process
D. Company Organization

7) Which of the following would have the greatest impact on recommendations for securing the connection described in the previous question?
A. Tolerance for risk
B. Cost of operations
C. Laws and Regulations
D. Decision-making process

8) The company is planning on releasing a new product and is concerned that competitors do not become aware of the impending launch. What aspects of the company will have the greatest influence on your security recommendations? (Choose 2)
A. Tolerance for risk
B. Cost of operations
C. Laws and Regulations
D. Decision-making process
9) The client organization is family-owned and operates branches in all fifty states. It uses a very centralized operations and IT approach. Which company executive will have the most influence on the acceptance of your design proposals?
A. Chief Financial Officer (CFO)
B. Chief Information Officer (CIO)
C. Chief Operations Officer (COO)
D. Owner and Chief Executive Officer (CEO)

10) The client organization is publicly traded, and operates in 7 countries worldwide. The operations in each country are autonomous, while IT is centrally supported from the corporate headquarters. Which two of the following factors are the most critical in your pre-design analysis?
A. Product life cycle
B. Information flow
C. IT management
D. End user needs
E. Laws and regulations

11) The CFO is convinced the COO is paranoid about security, and that security has been fine at the company. The COO admits that he is very concerned about the internal risks to information security. What aspect of the company can help you most in determining how tightly to recommend security measures?
A. Geographic model
B. Product life cycle
C. Tolerance for risk
D. Company organization
E. Management model
12) What are two aspects of company operations that are most affected by the company’s growth strategy? (Choose 2)
A. Laws and Regulations
B. Management model
C. Information flow
D. Communication flow
E. Decision making process

13) What aspect of company operations always must be balanced against tolerance for risk in making security recommendations?
A. Laws and regulations
B. Information flow
C. Cost of operations
D. Communication flow
E. IT management

14) When evaluating end user security needs, what type of use adds the most complexity to the design?
A. Office productivity software
B. Internet browser software
C. Laptop computers
D. Workstation sharing
15) Which of the following would have the greatest impact upon the IT management recommendations for your client company?
A. The client company uses centralized administration
B. The client company uses decentralized administration
C. Funding is plentiful
D. The client company uses a large amount of outsourcing

16) Which aspect of company operation is most closely aligned with the need to understand the IT funding model?
A. Total cost of operations
B. Decision making process
C. Company organization
D. Growth and growth strategy

17) What aspect of the physical model can be used by the designer in the creation of sites in the Active Directory design process?
A. LAN connections
B. WAN connections
C. Use of digital certificates
D. Site-to-site VPNs
18) Which of the following connections would be considered low-bandwidth WAN connections?
A. T-1
B. 56 Kbps
C. 100 Mbps
D. 2-3 Gbps

19) The client company is using IIS web servers to disseminate information to selected vendor/partners. Which security component will most likely be part of the recommendations made for this company?
A. IPSec
B. Group Policy
C. Kerberos
D. SSL with digital certificates

20) Your client is involved in extensive governmental contract work, consisting of highly confidential Department of Defense information maintained on laptop computers. Which security measure would likely be part of a recommendation for this company?
A. Group Policy
B. SSL using digital certificates
C. Kerberos
D. EFS
Analyzing Technical Requirements 43
Chapter 2: Analyzing Technical Requirements
The objective of this chapter is to provide the reader with an understanding of the following:
• As company size and the number of users increase, resource distribution becomes an increasingly complex issue.
• How the connectivity between sites, including the net available bandwidth, may impact security design choices and access to resources.
• There are timing issues relating to when the resources are accessed and how the access is enabled, both of which relate back to the issues of bandwidth.
• What kind of administrative roles are necessary to maintain the security design? Are there default roles already in existence, or will these roles need to be created based upon specific needs?
• Are the existing systems and applications sufficient for the design, or will they need to be replaced or upgraded? How do the company’s planned upgrades or rollouts affect your design?
• How much technical support is provided currently through staff, and how much through outside contractors? How much of the management of the network and systems is automated, and how much will need to be based upon design recommendations?
44 Chapter 2: 70-220 Certification
I
Introduction
This set of objectives is still consulting in nature, providing the designer with additional background information affecting the eventual design recommendations for the client company. The sheer size of the company, the number of users and the distribution of resources, such as DHCP or DNS servers, web servers and the like must be considered when building a security design. When the resources are accessed, how much bandwidth is available and for how long the resource is accessed will then lead the designer to consider certain solutions and discard others. Windows 2000 Active Directory provides the designer with many variations on the rights users may be given and the types of administrators that may be created. Existing systems and applications may be impacted by recommendations, and so changes may be necessary in this area. For instance, DNS in Windows 2000 must support SRV records, something that current DNS servers often do not support. Rollouts and upgrades may not proceed as planned, depending upon which security measures are put in place. Companies use a mix of support personnel, both internal and contractor. The security design will have to consider the training needs and the roles that each of these administrators will play after implementation. Network and systems management may be affected by the security design. Software packages in use may need to be replaced or upgraded. Management practices may no longer be possible in the newly secured network. The systems must allow for flexibility and growth, such as acquisitions. All of these issues add to the richness and complexity of the security design, challenging the designer to balance many issues in the design process.
Information: This chapter, not unlike Chapter 1 and the next chapter, Chapter 3, is more about setting the stage than it is about actual security technology recommendations. Chapter 4 and beyond deal with using the security tools included with Windows 2000, actually designing security and the different settings in which the tools are best used. Information gathered in this section will point to or away from specific security solutions in later findings about the client company.
Scenario questions from Microsoft will provide this type of information. It becomes necessary to separate out the essential from the non-essential. The essential information combines with other pieces to paint a picture of a resource issue or an access issue, etc. You must eliminate non-essential information when answering Case Study questions.
Getting Ready - Questions
1) The client company has three main locations in Dallas, Atlanta and Chicago, connected by 56 Kbps leased lines. There are 14,000 users at the headquarters offices in Dallas, while each of the other locations has approximately 4,000 users. The locations are all using the 10.x.x.x private IP addressing scheme. Dallas maintains both the company intranet web server and the company’s Internet web server, both behind a Cisco firewall. What are some of the resources that would typically be provided locally to the 4,000 users in Atlanta and Chicago?
2) Users are complaining that the connection to the intranet web server is slow. Would the designer recommend replacing the leased lines with DSL based on that complaint?
3) All IT management has been centralized in Dallas for years. What type of administrative roles could be implemented to simplify the management of the other two locations?
4) The company maintains very sensitive product information and project information in secure folders on the intranet web server. How can the access to this server be secured so that those users in Atlanta and Chicago will not be compromised in Dallas?
5) What tools exist in Windows 2000 to help manage security for the intranet web server and to trap attempts by non-authorized personnel to access the information?
Getting Ready - Answers
1) With this little amount of information, the main resources that users would need are IP-related. Users probably will need DHCP services as their workstations start up and DNS services to access Internet sites. The question here is whether those resources will be provided locally or centralized in Dallas.
2) Connectivity to the intranet web server is probably not occurring across the 56 Kbps lines. A more detailed look would probably reveal T-1 connectivity to a local ISP for the users at each location. So the performance problem at the web server may have more to do with server configuration than connectivity.
3) Administrators at the other two locations can be allowed to change passwords, manage printers and change backup tapes. The last two roles are available as default groups on Windows 2000 servers, while the password management role would need to be created using Group Policies in Active Directory, and would lead to some issues in the area of Active Directory design.
4) The users in Atlanta and in Chicago should be connecting with an SSL connection, so that the transmissions will be encrypted. The local users in Dallas could also use SSL connections. This is all providing they are connecting to the intranet web server using a browser, or some other SSL-compatible application.
5) Aside from the tools that the web server application (i.e., IIS) may provide, the administrator can enable auditing and then view attempts in the Security log using Event Viewer.
II
Evaluate Company Technical Environment
This area of analysis requires diverse information. Topological maps of the company, locations of and the number of users at each location, user resources and the location of those resources in relation to the users, the bandwidth between locations; all of these along with the hows and whens of user access to resources add detail necessary to the design process. Add to this the issues of network administration and the need to clearly define roles for administrators and for various users, and the security design can begin to take form. Some companies will present locations with numerous users accessing resources at other locations across low bandwidth connections. Because of the company’s concern over poor performance, the designer may prefer to make those resources available locally for the users, but administrative support may not be available locally. Perhaps the company may be able to replace leased lines with DSL and create a VPN between locations. This section provides information that adds details necessary before the design can be fully considered.
Company Size, User, and Resource Distribution: In this area we are looking for sheer size or volume of user accounts versus the resources needed and where the users and resources are in relation to each other. For instance, the client company may have 200 branch offices with 10-25 users at each branch, with each user needing a DHCP address and DNS, but these resources may only be available from the corporate headquarters. Other resources include WINS servers, printers, file servers, web servers, etc. In gathering this information, attention also needs to be given to the hardware infrastructure; i.e., hubs, switches, routers, etc. The placement of firewalls and VPN endpoints also must be determined.
Geographic Work Sites and Remote Sites Connectivity: Tied to the size and user and distribution issues discussed above is the issue of connectivity. If the connectivity between the 200 branch offices and the corporate headquarters is all T-1, then it becomes much simpler to make recommendations. In the real world, however, most companies have limitations, such as low-bandwidth leased lines or dial-up connections between locations.
Upgrading connectivity is generally an expensive proposition. Earlier information related to tolerance for risk, cost of operations, and company priorities comes into play in this area. Often in case studies connectivity will be represented graphically, sometimes in a text-based description. Interviews with company management personnel are also used to present information related to issues of tolerance for risk or company priorities. It is then left to the reader to determine whose perspective is more important.
Net Available Bandwidth: Net available bandwidth is the bandwidth left after the business needs for the WAN connection have been satisfied. An actual determination would require sniffing equipment to track the utilization, and therefore be able to calculate the net available bandwidth. In some cases your security recommendations may require more bandwidth, as in the above situation where DHCP services would be centralized. Case studies may present this information as a roadblock, insisting that current performance is “sluggish”, but also noting that there is not money to upgrade the connectivity.
Performance Requirements: This centers not so much around the quantity of utilization, as it does the timing or patterns of use. Are there particular times when certain resources are accessed, potentially creating a bottleneck? Is the access long in duration, or is it brief in nature? When people are accessing a resource, does the connection stay open even after the need has been satisfied? These questions and many more will paint a picture of the load placed on the network, in terms of from where to where, when and how, and may eventually lead to recommendations, as mentioned earlier, to create Active Directory sites and schedule replication during off-hours. Or the designer may find that the company needs to replace the dedicated leased lines with DSL connections to the Internet and establish a VPN between sites.
Methods for Accessing Data and Systems: Data and systems can be centrally controlled, in terms of how access is granted. In other cases, the resource may be made available at the remote location. We could be talking about accessing data on a centralized web server, or accessing SQL databases at numerous sites.
In each case, design recommendations may cause problems for user access. Additionally, many companies have firewalls in place, or are using NAT routers to provide internal users with access to the Internet. For example, in the case of securing web sites, the recommendations will require the use of SSL with digital certificates. The certificates may lead into a recommendation to implement an internal Certificate Authority, or the use of an external CA such as Verisign or GTE CyberTrust. Remember that the application being used to access the data at the web site would need to support SSL connections; otherwise either the application would need to be replaced or the SSL solution would not work.
Network Roles and Responsibilities: Windows 2000 is rich in ways in which to separately enable functionality. Besides the built-in groups provided for role-based administration, like server operators, backup operators, etc., there is the ability to organize users within Active Directory and then apply Group Policies to limit or enable certain functionality. In any event, the designer needs to understand the differing roles that will be needed and plan for the implementation of those that do not exist by default.
Administrative Network Roles and Responsibilities: Administrative roles are pre-defined in a Windows 2000 network through the existence of default groups, such as backup operator, printer operator, etc. Depending upon the decision to centralize or decentralize administration, additional roles (beyond those already implemented as default groups) may need to be created, such as password administrators, group administrators, etc.
User Network Roles and Responsibilities: User roles have only those rights to resources necessary to fulfill their business roles. Typically users can log on and access certain file, print or application services, depending upon their responsibilities in the business. Some users may require access to a SQL database, while others may need to access certain resources on the company’s intranet web server. The security designer has to be aware of these needs so that recommendations do not interfere with user access.
Service Network Roles and Responsibilities: Additionally, certain services, such as the replication service, require the existence of special administrative accounts to run and perform their functions. These accounts are not enabled for logon; rather they run as needed by the appropriate services. The design needs to take into account these roles and the impact of security measures on their access. For example, replication services may not work after certain security measures are put in place.
Resource Ownership Network Roles and Responsibilities: Resource ownership roles may need to be modified from the defaults already in place in a Windows 2000 network, sometimes to secure the access to a resource from the creator of the resource itself, as in the case of securing folder structures that have been created by department or division managers. Access to access-restricted data may be gained if a user has permission to take ownership of that file or folder.
Application Network Roles: Some applications, like services, require default accounts to then access the resources the application needs to be effective. SQL applications, terminal server applications and others must be considered in the design process.
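The resource-ownership point above (a user who can take ownership of a folder can reach data the ACL otherwise denies) is something a designer can check for directly. The script below is an added example, not from this book; it assumes a Windows host with PowerShell 5.1 or later, and the root path it scans is a placeholder.

```powershell
# Added example (not from the book): list explicit Allow ACEs on a folder tree
# that grant the Take Ownership right, since the text notes that such a grant
# can be used to reach access-restricted data. Assumes PowerShell 5.1+ on
# Windows; the root path below is a placeholder, not a value from the book.
param(
    [string]$Root = 'C:\Shares\Departments'   # placeholder path
)

function Get-TakeOwnershipGrants {
    param([Parameter(Mandatory)][string]$Path)

    # The folder itself plus every sub-folder beneath it.
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)

    $takeOwnership = [System.Security.AccessControl.FileSystemRights]::TakeOwnership

    foreach ($folder in $folders) {
        $acl = Get-Acl -LiteralPath $folder.FullName
        foreach ($ace in $acl.Access) {
            # FullControl includes the TakeOwnership bit, so this catches both
            # explicit TakeOwnership grants and blanket FullControl grants.
            $grants = ($ace.FileSystemRights -band $takeOwnership) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $grants) {
                [pscustomobject]@{
                    Folder    = $folder.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                    Owner     = $acl.Owner
                }
            }
        }
    }
}

# Report grants to broad principals first; those are the ones a designer
# would normally want to replace with narrower department groups.
$broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
Get-TakeOwnershipGrants -Path $Root |
    Sort-Object { $broad -notcontains $_.Identity }, Folder |
    Format-Table -AutoSize
```

Inherited entries point back to a parent folder's ACL, so fixing the parent clears them throughout the tree.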
Pop Quiz 2.1 Questions
BFQ, Inc. is a training company that maintains locations in seven southeastern states in the U.S. Headquarters is in Selma, Alabama and provides accounting, marketing and operations services for the 27 training centers that are part of the organization. Each center has its own sales and training staff, ranging in size from 4 to 20 people in total at a given branch. The branches connect to headquarters using 56 Kbps leased lines, while providing Internet access through a DSL line to a local ISP. Each branch maintains its own servers to provide DHCP and DNS for the office and classrooms. Salespeople check schedules and register clients using Internet Explorer on Windows NT Workstations. The company web site, which has secure pages for sales, also provides public access on the Internet. Each site downloads updated class schedule and roster information each morning from the headquarters operations staff using a contact management software product and uploads billing information at the end of the day to the headquarters accounting staff using a standard accounting package.
1) Which service or services are likely to be impacted negatively by security design because of bandwidth limitations?
2) What type of security solution would allow this company to drop the leased lines while still accessing services at headquarters from the branch locations?
3) Would centralized or decentralized management be more appropriate for BFQ, Inc.?
4) Which data needs to be considered for encryption? Which data does not?
5) What types of administrative activities should be delegated to personnel at the branches?
Pop Quiz 2.1 Answers
1) Any services using the 56 Kbps lines are already working with limited bandwidth. Examples here would include the daily download of class schedule and roster information as well as the daily uploads of accounting information.
2) The DSL lines could be secured with site-to-site VPNs, allowing the daily downloads and uploads to be directed across these connections. Remember that DSL lines are typically 7 to 8 times faster than the leased lines mentioned.
3) BFQ, Inc. should probably centralize most of the network administration. Small staff numbers at many branch locations would make control difficult otherwise.
4) The scheduling of clients at the web site and the daily downloads and uploads all should be considered for encryption. More information from the company would be necessary to determine their tolerance for risk in each of these areas.
5) The branches maintain servers, and so would probably have someone from their location as a member of the local backup operators group. Additionally, the headquarters administrators should create administrative roles for the branches allowing someone locally to perform basic helpdesk administration; i.e., changing passwords, creating new users and adding them to the appropriate groups, managing printers, etc.
III
Analyze the Security Design
The implementation of Windows 2000, with Active Directory and the various security components, can have a considerable impact on the technical environment of a company, both existing and planned. Some systems or applications may not function in the new network. Upgrades and application rollouts can be done in a Windows 2000 environment with more automation and more securely, but perhaps the upgraded or newly rolled-out application is not fully compatible with the Windows 2000 security solutions you are recommending. The support staff will need training, and how do you recommend contract support staff be handled? What systems management tools are currently in use, and will they work properly in the new network or will they need to be replaced? Scenarios will vary, but often in this area you will be presented with the need to upgrade or roll out an application securely, using Windows 2000 tools such as Remote Installation Services (RIS). Some of the solutions for concerns in this section are more related to Active Directory design; i.e., the creation of separate OUs to enable Group Policies that will limit the capabilities of a certain group of users or computers.
Systems And Applications: From a security perspective, here we are not concerned about office productivity applications or many of the basic file servers in a network. The systems and applications will become evident through the information already gathered in earlier analyses, and will clearly be different for each client company. As discussed in the earlier sections, companies may have a low tolerance for risk associated with certain systems or applications in use in the network. It is your task to identify those systems or applications and to then secure them appropriately. For instance, a company may use an intranet to maintain sensitive information related to product development or rollout. It may not be enough to simply secure access to the intranet web server. Since most security risks are internal in nature, it may be necessary to provide for encryption of the communications between users and the web server, even on the local network. This can thwart the attempts of malicious users using sniffers or other packet capturing tools.
Planned Upgrades and Rollouts: Tied to the issues of existing systems or applications is the question of who should be able to access the system or application, and how that access is enabled. In today’s network environments, many applications are installed on the local workstation, rather than running from the servers. As applications are upgraded or rolled-out, it is important to assure that only those individuals who should have access can actually install or upgrade the application. Windows 2000 RIS can help automate while securing this process.
Technical Support Structure: How heavily does the company utilize out-sourced technical support? Is this anticipated to increase or decrease as time goes by? Additionally, is technical support available at all locations, or is support provided across WAN connections for some locations? For how many locations? The answers to these questions can affect Active Directory design, and eventually affect security design, often in the creation of special purpose OUs and Group Policy objects to secure the users in the particular OUs. Also, the staff will need training to acclimate them to the new network and the new security tools. Their roles may be changing based upon the recommendations for administration. These hidden costs must be realized, in terms of training or after hours support.
Planned Network and Systems Management: Attention here is directed to the issue of how the networks and systems are managed. In many companies the management is automated using software packages or hardware-based tools. The security design may render some of the tools ineffective, and they may then need to be replaced. Or in some cases, there may be very few existing tools in use, and the security design may call for the implementation of tools to enable the monitoring and management of the network or systems in question. Windows 2000 has many built-in tools, such as auditing, Performance Monitor, Network Monitor, etc., for auditing the network and for network management, and the designer should consider these tools in their appropriate use.
Pop Quiz 2.2 Questions
We are still at BFQ, Inc., the training company. Company management wants to migrate the entire network to Windows 2000 Server and Windows 2000 Professional. The newest version of Microsoft Office and Internet Explorer are to be rolled out to all locations. Additionally, they have purchased an integrated package that combines the contact management, scheduling of clients in classes, scheduling of classes, billing, ordering and inventory of student workbooks into a single software product called FastTrack. This was scheduled to be installed at headquarters first, and then rolled out to the branches in an orderly manner. FastTrack was purchased because of its compatibility with Windows NT 4.0, but it has not been tested for Windows 2000. Each branch has technical trainers with considerable knowledge, but the manager of IT at headquarters does not trust them to handle the software roll out because of their lack of field experience. Additionally the IT manager wishes to reduce outside support costs that have been escalating for the management of the routers and switches and hubs in the company network.
1) What factor(s) mentioned above is most important in the planned rollout of FastTrack?
2) How would you propose the rollout of the new integrated software package be handled?
3) How can the IT manager’s concerns about the lack of experience of the technical trainers be addressed?
4) What would be a viable alternative to having the trainers roll out FastTrack?
5) What recommendation would help the IT manager reduce some of the outside support for hardware management?
Pop Quiz 2.2 Answers
1) Clearly the most significant factor is the question of Windows 2000 compatibility. If the new integrated software is not compatible, problems will arise.
2) The rollout can be delegated to the technical training staff at each location, but should be automated using RIS to alleviate the concerns of the IT manager.
3) You can propose to the IT manager that the combination of RIS and training the trainers on the use of RIS is a failsafe means to perform the rollout.
4) If the IT manager is still unwilling to allow the technical trainers to roll out the software, then the rollout could be accomplished by using contracted technical support personnel.
5) The company should purchase an SNMP-enabled hardware management product, similar to HP OpenView, to allow for monitoring and configuration of the hardware at the various sites.
IV Chapter 2: Summary
• The number of users, where they are located in relationship to the resources they need to access, and the means by which they access those resources combine to suggest certain security solutions, or to reveal problems with security recommendations. Look for data access that needs to be either encrypted or authenticated.
• Low bandwidth connections between sites will naturally lead to issues. Active Directory sites can be created to reduce synchronization traffic during peak usage times. Low bandwidth leased lines can often be replaced with higher bandwidth DSL or cable modems and VPN solutions employed, thereby increasing usable bandwidth and reducing communications costs.
• Windows 2000, much like Windows NT 4.0, has default administrative roles that include the most commonly decentralized tasks in a network environment: printer management, backup and restore, server operator, etc. With careful design in Active Directory, roles can be created that encompass other tasks, such as changing user passwords, unlocking user accounts, setting group membership, etc.
• Design consultants can become overly impressed with the technology. Often the recommendations can cause problems because of existing systems or applications. For example, an existing NAT router providing Internet access for users will naturally filter traffic on the inbound path, thereby rendering some solutions unfeasible.
• Look for planned software rollouts or upgrades. A security design that fails to consider these can make the process of upgrading or rolling out software much more difficult and time-consuming. For instance, Active Directory OUs can contain the computers or users with which the upgrade or rollout needs to be associated, so that a Group Policy can be created to help automate the process.
• Technical support staff will almost always need training. Many companies use contract support staff, which creates natural concerns for security design. Again, contract support staff could all be placed in a single OU and a Group Policy enabled to limit their capabilities. In other settings, placing them in a single OU would not fit in the Active Directory design, so the use of groups would be more appropriate.
• There are numerous tools with Windows 2000 to help automate security management, such as auditing, Network Monitor, security analysis, etc. Existing third-party tools have to be evaluated to ensure that the design will not render them useless.
V Chapter 2: Post-Assessment
(Answers appear in Appendix A.)
1) Our scenario company, BFQ, Inc. has recently acquired a competitor, BeachFront, that operates mostly in the mid-Atlantic and southeastern states. With 44 training centers in place, the merge with BeachFront will pose quite a challenge. BeachFront communicated with the training sites using faxes, POP e-mail and standard postal mail. Each center has run autonomously and simply forwarded receivables and payables to the home office in Scranton, PA. The home office maintains centralized accounting functions like payroll, accounts payable and accounts receivable. They also maintain a centralized web server for Internet access so that clients can simply go to www.beachfront.com and check schedules at any of the 44 centers. Fortunately, both companies currently use Windows NT 4.0 servers along with IIS for the web sites. After the merge, the entire company is to be on a single WAN, using FastTrack for coordination across locations. Headquarters and home office functions will need to remain separate for some time, but as FastTrack is rolled into BeachFront, the home office will be scaled out. What else must you determine before security solutions can be recommended?
A. You must know the number of people employed at each of BeachFront’s training centers.
B. You need to identify the communications solutions in place at each BeachFront location and the net available bandwidth.
C. You need to know what accounting application BeachFront uses in the home office.
D. You must identify the POP e-mail vendors in use by BeachFront.
2) After a closer examination, you have learned that FastTrack is a web-enabled application. Users will schedule classes for their centers, add students to classes and order additional student materials for upcoming classes and then connect to a secure site to upload the data. At the headquarters location, the class registrations will generate accounts receivable activity through the accounting department, while student materials will automatically be ordered based upon available inventory. What factor is most critical in this situation for our client company?
A. Clearly the net available bandwidth between locations will be the most pressing concern.
B. Training of the personnel at each location will be the largest issue.
C. Securing the web server from unauthorized access will be the first and largest issue.
D. The most important factor is still the sheer number of users at each location.
3) Typically the majority of the activity on the FastTrack web server will occur at the end of the day. What resource will need to be optimized so that performance does not suffer?
A. The communications lines from each site to the Internet will need to be upgraded.
B. The users at each site will need to be using high-performance workstations.
C. The web server will need to be tuned with high performance hardware and high bandwidth connectivity.
D. Sites will need to access the web server on a planned rotation, so that it is not over burdened.
4) Which recommendation would help secure the data upload from the training sites most effectively?
A. Purchase dedicated leased lines from each center to the headquarters office for the data upload.
B. Fax the information in to the headquarters office at the end of each day.
C. Change the configuration of FastTrack so that all activity could occur in real time, rather than accumulate and then be uploaded at the end of the day.
D. Only allow one user from each site to perform the upload, which would be authenticated.
5) What type of operational model and management model does this implementation of FastTrack imply?
A. Centralized operations/Centralized management
B. Centralized operations/Decentralized management
C. Decentralized operations/Centralized management
D. Decentralized operations/Decentralized management
6) BeachFront has standardized on Netscape browsers, while BFQ, Inc. uses Internet Explorer. In what areas might this pose a problem for the security design?
A. If the design calls for using SSL connections, then the Netscape browser will have to be replaced.
B. The secure web server application for FastTrack may not be compatible with Netscape.
C. FastTrack may not be compatible with Netscape.
D. This should pose no problem at all.
7) Rank the following recommendations from most to least expensive.
A. Purchase dedicated leased lines from each center to the headquarters office for the data upload.
B. The web server will need to be tuned with high performance hardware and high bandwidth connectivity.
C. A dedicated high-performance workstation is to be placed at each center to perform the data upload for FastTrack.
D. All connections to the web server will be authenticated using SSL.
8) The current web sites for BFQ, Inc. and BeachFront are out-sourced. The vendors maintain the content on the sites and also maintain the sites at their own location. Management feels that all maintenance of the web servers should come in-house. Rank the following issues in order of importance for the move of the web servers to in-house management.
A. Training of the in-house staff on the FastTrack application, its configuration and maintenance.
B. Physically relocating the servers to the headquarters location.
C. Hiring someone to continue to develop content for the public portion of the web site.
D. Retraining of users to connect to the relocated web servers.
9) The merging company will have a high tolerance for risk; i.e., the information on the web servers is really not all that confidential or critical. In determining the best recommendation for maintaining the secure web servers, which two issues must be weighed? (Choose 2)
A. Administrative model: centralized versus decentralized
B. Cost of outsourcing
C. Security need of the company as indicated in interviews with management
D. Operating systems that the web servers are running on
10) The determination has been made to support the web servers using contract technical support personnel. What additional recommendation might be made to further secure this environment?
A. Implement a Certificate Server and use SSL connections for all access, including public queries.
B. Implement auditing on the web server to track events, especially related to server management.
C. Place the server behind a secure firewall.
D. Create Active Directory accounts for the contract personnel and restrict their access to the rest of the corporate network.
Analyzing Security Requirements 65
Chapter 3: Analyzing Security Requirements
The objective of this chapter is to provide the reader with an understanding of the following:
• Computers in a Windows 2000 network are secured using security templates and Group Policy settings. Default, basic and compatible templates are available, or the administrator can create custom templates to set specific settings or use incremental templates to increase security.
• Security settings requirements for Windows 2000 computers differ based upon the computer’s role; i.e., is the computer a laptop, a domain controller, a web server?
• Use of the pre-defined templates differs depending upon whether the Windows 2000 computer was upgraded from Windows NT 4.0 or newly installed.
• Securing file and print resources is done mainly through the configuration of the DACL (discretionary access control list). IPSec can provide additional print job security, while EFS on NTFS 5 volumes can be used to encrypt and secure local file systems.
• Internet access can be provided simply through the implementation of NAT, which will also provide some security of private hosts from the public network.
• Dial-in access security centers on authentication, that is, verifying the identity of the user attempting the access, and on remote access policies that set the days and times access is allowed, maximum session times, encryption settings, and network resource accessibility.
66 Chapter 3: 70-220 Certification
I Introduction
The implementation of Active Directory adds tremendous capability in the securing of computers in a Windows 2000 network. Security settings for computers can be created using security templates provided by Microsoft, by adding incremental security templates, or by creating custom templates. The settings can then be applied to multiple computers by placing the computers in Active Directory containers and using Group Policy objects to push the security template settings.

It is important to identify the different roles that the various Windows computers play in the network. Clearly domain controllers have different security requirements than do file servers, just as laptops have different risks associated with their use than do kiosks. Each resource must be evaluated in terms of security needs. Shares, files, and printers are all examples of common resources in a network environment. Each resource has to be identified, and the associated security risks and countermeasures recommended. For many of these resources, Active Directory containers or group nesting will provide the focal point of access, and the resource will have a DACL or ACL that provides an interface for setting permissions.
Information: Scenarios in the Microsoft course and in the exam can actually provide some pretty difficult questions. You need to know auditing quite well, as well as security templates and the process of baselining computer security and then comparing the baseline template with the current configuration to find potential “holes” in the current network.
Getting Ready - Questions
1) What are the three types of security templates that ship with Windows 2000?
2) Which of the security templates offers the least security?
3) What feature of Windows 2000 is most useful in securing files on a Windows 2000 laptop?
4) What new feature of NTFS 5 provides file-level security on local file systems?
5) How can print jobs be secured from interception in a Windows 2000 network?
Getting Ready - Answers
1) Windows 2000 ships with default, basic and compatible security templates, which are available for domain controllers, servers and workstations.
2) The compatible template is used on Windows 2000 computers that are experiencing difficulty running non-Windows 2000 certified programs. In applying this template, the security settings on files, folders and registry keys that users commonly access are lowered.
3) Laptop computers are very susceptible to theft. Windows 2000 introduced EFS, the Encrypted File System. Even in the event of a loss, the files on the laptop’s hard drive can be encrypted for additional security.
4) NTFS 5 introduced EFS, encrypted file system, which encrypts files on the local hard drive. Only the original user will have the private key necessary to decrypt and read the files.
5) Rather than having print jobs travel as clear text on the network, the workstation and the print server can be configured to use IPSec to provide for encryption/decryption of the print job on the network between the client and printer.
II Design a Security Baseline
This objective speaks to the issue of the role that the Windows 2000 computer plays in the network. The ability to configure all the settings from one location is a key benefit of Windows 2000's Group Policy. And because you can apply Group Policy to Organizational Units (OUs) that contain multiple computers with similar security requirements, it's much easier to apply changes such as assigning permissions to a Registry key. There are many different security configurations available for Windows 2000-based computers. After identifying the computer’s role, the designer can then specify which security template, or which specific configuration of a custom template, is to be applied to the particular computer. Remember that there are default, basic and compatible security templates for servers, workstations and domain controllers, from which additional settings can be specified. The security templates are then applied using Group Policy objects in Active Directory. Security templates can be customized using the Security Templates tool in MMC (shown below). The Security Configuration and Analysis tool in MMC or secedit (a command-line utility) can be used to compare a security baseline against current configurations.
Figure 3-1: Security Configuration and Analysis
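The baseline comparison described above, as an added Go example that is not part of this book and not Microsoft's tool: it parses the INF-style sections a security template is written in and reports every baseline setting the machine fails to match, in the spirit of secedit /analyze. The section and setting names are the ones real templates use; both templates and their values are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Template holds one security template's settings, keyed by section and then
// by setting name, e.g. t["System Access"]["MinimumPasswordLength"].
type Template map[string]map[string]string

// ParseTemplate reads the INF-style text that security templates use:
// "[Section]" headers followed by "Name = Value" lines. Blank lines and ";"
// comments are skipped; lines before the first section header are ignored.
func ParseTemplate(text string) Template {
	t := Template{}
	section := ""
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, ";") {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			section = strings.TrimSpace(line[1 : len(line)-1])
			if _, ok := t[section]; !ok {
				t[section] = map[string]string{}
			}
			continue
		}
		name, value, ok := strings.Cut(line, "=")
		if !ok || section == "" {
			continue
		}
		t[section][strings.TrimSpace(name)] = strings.TrimSpace(value)
	}
	return t
}

// Finding is one place where the machine departs from the baseline.
type Finding struct {
	Section, Setting, Baseline, Current string
}

// Analyze compares a baseline template against a snapshot of the current
// configuration in the spirit of "secedit /analyze": every baseline setting
// that is absent from the machine or carries a different value is reported.
// Settings present only on the machine are not findings, because the baseline
// expresses no requirement for them.
func Analyze(baseline, current Template) []Finding {
	var out []Finding
	for section, settings := range baseline {
		for name, want := range settings {
			got, ok := current[section][name] // a missing section just yields ok=false
			if !ok {
				got = "<not configured>"
			}
			if got != want {
				out = append(out, Finding{section, name, want, got})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { // map order is random; keep reports stable
		if out[i].Section != out[j].Section {
			return out[i].Section < out[j].Section
		}
		return out[i].Setting < out[j].Setting
	})
	return out
}

// Constructed baseline. The section and setting names are the ones real
// templates use; the values are illustrative, not copied from a shipped file.
const baselineINF = `[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditAccountManage = 3
`

// Constructed snapshot of a machine that was never brought up to the baseline.
const currentINF = `[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 0
AuditAccountManage = 3
`

func main() {
	for _, f := range Analyze(ParseTemplate(baselineINF), ParseTemplate(currentINF)) {
		fmt.Printf("[%s] %s: baseline=%s current=%s\n", f.Section, f.Setting, f.Baseline, f.Current)
	}
}
```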
Domain Controllers: Because domain controllers store Active Directory, they require maximum security settings. For new installations of Windows 2000 Server domain controllers, use the default template, defltdc.inf. For domain controllers upgraded from Windows NT 4.0, use the basic template, basicdc.inf. In either case, these templates are only starting points, and will require customization to fully secure the domain controllers in the network. This is mainly accomplished using the Group Policy Editor (GPE), as illustrated below.
Figure 3-1: Group Policy
Operations Masters: Operations masters are domain controllers that fulfill specific roles in a Windows 2000 network. There are five roles defined for operations masters: schema master, domain naming master, RID master, PDC emulator and infrastructure master. Because of the specific nature of these domain controllers, their security requirements are even higher than those of an ordinary domain controller. The additional application of an incremental security template, such as the highly secure template, hisecdc.inf, can apply additional settings.
Application Servers: Application servers are used to host specific applications for use by clients. Examples include web servers, SQL servers, Exchange servers, etc. The applications will generally have their own security configuration capabilities. For newly installed Windows 2000 application servers, the default template, defltsv.inf, is used, while the basic template, basicsv.inf, is used for upgraded servers. Again, these templates serve as a starting point in setting security on the application servers. Further Active Directory design and Group Policy configuration is necessary to complete the security configuration.
File and Print Servers: Windows 2000 servers functioning as file and print servers will be secured using the DACL settings appropriate for the specific resource. As with application servers, the default and basic templates serve as a starting point for the security settings, defltsv.inf and basicsv.inf.
RAS Servers: Access to RAS servers is generally controlled through a combination of user settings and RAS settings. As such, a RAS server can be considered just another application server, and so will use the same default and basic templates as starting points, depending upon whether the RAS server was upgraded or newly installed.
Desktop Computers: The consultant needs to identify any desktop computers that may require specific security settings in the network. These computers may need smart card devices attached, or may need very low security. Along with the default and basic templates for workstations, defltwk.inf and basicwk.inf, there is also the compatible template, compatws.inf. This template is used in cases where applications will not run on Windows 2000, and it relaxes some of the security settings. In other words, the compatible template reduces the security settings on the workstation. In some cases, workstation access will be highly secured using smart card readers and smart cards.
Portable Computers: Since by their very nature portable computers are non-secure, the local file system can be secured in Windows 2000 using EFS (Encrypted File System). Then a theft will only result in the loss of equipment, but not sensitive data. Otherwise, the laptop can be secured using the same templates used for desktop computers above.
Kiosks: These devices are generally deployed in public areas and are designated for public use. They are best secured by enabling them to only run a single application. In public libraries, for instance, the computers are used for only one application – that is, to access the library database and look up availability of books. Security templates are of little concern. If security is needed, the same three that are used for desktop computers can be used here also, but often with no additional configuration. It is wise to mention here that the security of the data is in direct relation to the quality of the passwords. An easily guessed or blank (!) password will invariably allow a malicious user to easily access the data. Other tools allow anyone with physical access to the machine to change any passwords or registry keys, or to access NTFS partitions. Careful consideration must be given in cases of extremely sensitive information, such as the use of boot lock devices or secured physical storage of the machine itself. Access is everything!
Pop Quiz 3.1 Questions
1) Which needs a higher level of security: a domain controller, a web server or a laptop?
2) What are the three levels of template security available for securing Windows 2000 computers?
3) How do the security needs of operations masters differ from those of domain controllers?
4) Explain the impact of Active Directory in the setting of security in a Windows 2000 network.
5) How does security for a kiosk differ from security for a Windows 2000 workstation?
Pop Quiz 3.1 Answers
1) Generally, domain controllers require higher security settings, since they host Active Directory.
2) There are pre-set templates (default, basic and compatible) that ship with Windows 2000. There are incremental templates that allow the administrator to add security elements above the already applied template. And there is the ability to create custom templates using the Security Templates tool in Microsoft’s MMC.
3) Operations masters are domain controllers that fulfill special roles in a Windows 2000 network. Because of their special nature, their security needs are typically higher than those of the other domain controllers in the network.
4) Because of the hierarchical nature of the Active Directory database, Windows 2000 computers with similar security needs can be grouped in the same container. Then the Group Policy for that container can be set to apply the security template for the computers based upon the settings you have determined. This allows settings to be set in a centrally maintained template and then applied uniformly to multiple computers.
5) Kiosks are deployed in low-security settings, such as waiting areas, lobbies, etc. In these implementations, these computers should be set to run a certain (single) application. As such, the kiosk becomes a single-purpose device, not allowing access to any other resources in the network. A Windows 2000 workstation in the network may have any number of security needs. Highly secure workstations can use smart cards for user authentication. Even less secure workstations will still require a Windows 2000 Active Directory user account to log in to the network and access network resources.
III Identify Resource Security
This area of security involves the daily administrative needs of users to access the resources they use in the performance of their jobs. File and print resources can generally be secured through configuration of the appropriate DACL. These all generally involve the creation and use of groups in Active Directory. By now you should have a very straightforward grasp of the different groups in a Windows 2000 network and their appropriate uses. Share permissions and NTFS permissions, as well as printer permissions, should also be well understood. Windows 2000 supports auditing of resources in much the same manner as Windows NT 4.0 did, with some improvements through the use of Active Directory. Different departments or divisions of a company will have different security requirements in these areas. Scenarios will present differing needs, and the design will need to reflect these differences.
Printers: Printer security involves the setting of printer permissions once the printer has been shared. While the majority of printers in networks today are simple laser printers that require low security, there are other print devices, such as color laser printers, color plotters, etc., that may require access to be restricted to very few users. Remember that print jobs can be further secured in Windows 2000 through the configuration and use of IPSec between workstation and print server, allowing the print job to travel in an encrypted format rather than in clear text. However, if the printer supports mailboxes for forwarding and storage of print jobs until the user is physically at the machine, I would support their use. There is no sense in encrypting the printer traffic on the network if someone can just as easily either wait at the printer for something interesting to come out, or sift through jobs that printed hours earlier.
Files: Most file access in networks is allowed through the use of shares (see below). Local access can be secured using NTFS on the Windows 2000 workstation. Additional security can be applied by using Microsoft’s new Encrypted File System (EFS) on the local computer. The use of EFS is especially recommended for laptop computers or computers used by individuals with very secure information.
Scenarios will often note the use of laptops by certain groups in the company with high security requirements, or desktop computers on which the files cannot be compromised.

When you specify that you want to use EFS to encrypt a file or a folder, EFS generates a file encryption key (FEK), which consists of a pseudo-random number. The system uses this number and the Data Extended Standard X (DESX) algorithm to create the encrypted file and write it to the hard disk. The system then encrypts the FEK with your public key and stores it with the encrypted file. When you access the encrypted file, the system uses your private key to decrypt the FEK and then uses the FEK to decrypt the file. When you use EFS for the first time, the system automatically generates a public/private key pair if one doesn’t already exist. If you're logged on to a domain, the public/private key pair resides on a domain controller (DC); otherwise, it resides on the local machine. This is one reason why domain controllers must be secured both physically and on the network using the templates.

You may be thinking ahead to one danger that EFS might introduce: if a user encrypts important company information and then leaves the company, how do you gain access to the data? To provide for data recovery, EFS generates two copies of the FEK and stores them with the file on the local hard disk. The first copy is encrypted with the user's public key, as I described earlier, and the second is encrypted with the designated recovery agent’s public key. These steps ensure that the recovery agent can access the FEK and decrypt the file if necessary. By default, the domain administrator is the recovery agent for domain computers, and the local administrator is the recovery agent for standalone machines. You can use Group Policy to specify different or additional recovery agents.
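The key handling described above (a per-file FEK, one copy wrapped for the owner and one for each recovery agent), as an added Go example that is not from this book or from Microsoft's EFS implementation: AES-GCM and RSA-OAEP are assumed in place of DESX and the Windows 2000 RSA provider, and the key pairs and sample file are generated inside the program.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedFile mirrors the layout the text describes: the body is encrypted
// under a per-file FEK, and the FEK is stored beside it wrapped once for the
// owner and once per recovery agent (AES-GCM/RSA-OAEP stand in for DESX/RSA).
type EncryptedFile struct {
	Nonce, Ciphertext []byte
	OwnerFEK          []byte   // FEK wrapped with the owner's public key
	RecoveryFEK       [][]byte // FEK wrapped with each recovery agent's public key
}

func wrap(pub *rsa.PublicKey, fek []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil)
}

func fekCipher(fek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(fek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt draws a fresh random FEK and nonce, encrypts plaintext, and wraps
// the FEK for the owner and every recovery agent. The raw FEK is never stored.
func Encrypt(plaintext []byte, owner *rsa.PublicKey, agents []*rsa.PublicKey) (*EncryptedFile, error) {
	buf := make([]byte, 32+12) // 256-bit FEK followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	fek, nonce := buf[:32], buf[32:]
	gcm, err := fekCipher(fek)
	if err != nil {
		return nil, err
	}
	ef := &EncryptedFile{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}
	if ef.OwnerFEK, err = wrap(owner, fek); err != nil {
		return nil, err
	}
	for _, a := range agents {
		w, err := wrap(a, fek)
		if err != nil {
			return nil, err
		}
		ef.RecoveryFEK = append(ef.RecoveryFEK, w)
	}
	return ef, nil
}

// Decrypt tries each stored FEK copy with the caller's private key: the owner
// and each recovery agent unwrap their own copy; any other key fails on all.
func Decrypt(ef *EncryptedFile, key *rsa.PrivateKey) ([]byte, error) {
	for _, w := range append([][]byte{ef.OwnerFEK}, ef.RecoveryFEK...) {
		fek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, key, w, nil)
		if err != nil {
			continue // this copy was not wrapped for our key
		}
		gcm, err := fekCipher(fek)
		if err != nil {
			return nil, err
		}
		return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
	}
	return nil, fmt.Errorf("no FEK copy is wrapped for this key")
}

// Roundtrip plays out the scenario the text raises: the owner reads the file,
// the recovery agent can still read it after the owner has left, and a key
// that was never given a copy of the FEK is refused.
func Roundtrip(plaintext []byte) (ownerOK, agentOK, outsiderDenied bool, err error) {
	var keys [3]*rsa.PrivateKey // owner, recovery agent, outsider
	for i := range keys {
		if keys[i], err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
			return
		}
	}
	ef, err := Encrypt(plaintext, &keys[0].PublicKey, []*rsa.PublicKey{&keys[1].PublicKey})
	if err != nil {
		return
	}
	reads := func(k *rsa.PrivateKey) bool {
		p, e := Decrypt(ef, k)
		return e == nil && string(p) == string(plaintext)
	}
	ownerOK, agentOK, outsiderDenied = reads(keys[0]), reads(keys[1]), !reads(keys[2])
	return
}

func main() {
	fmt.Println(Roundtrip([]byte("constructed sample: payroll figures")))
}
```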
Shares: Share permissions are, as with Windows NT 4.0, not adequate to secure the share. Shares should always be created on volumes formatted with NTFS, to take advantage of the more granular NTFS permissions. Remember that when share permission and NTFS permissions combine, the most restrictive applies. By default, new shares are automatically created with Full Control to Everyone.
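The combination rule stated above, as an added Go example that is not part of this book: a small model of share and NTFS DACL evaluation with constructed users, groups and ACLs. The Rights values are a simplification of the Windows permission sets, and a nil NTFS DACL stands in for a FAT volume, where the share permission is the only control.

```go
package main

import "fmt"

// Rights is a simplified permission set. Change is Read plus Write; Full
// additionally lets the holder change permissions and take ownership.
type Rights uint8

const (
	Read Rights = 1 << iota
	Write
	Own
	Change = Read | Write
	Full   = Read | Write | Own
)

func (r Rights) String() string {
	switch r {
	case Read:
		return "Read"
	case Change:
		return "Change"
	case Full:
		return "Full Control"
	}
	return fmt.Sprintf("Rights(%d)", uint8(r))
}

// ACE is one entry of a DACL: an allow or a deny of Rights to a principal.
type ACE struct {
	Principal string
	Allow     bool
	Rights    Rights
}

// User carries the names a DACL is matched against: the account itself, its
// group memberships and the implicit Everyone identity.
type User struct {
	Name   string
	Groups []string
}

func (u User) principals() map[string]bool {
	p := map[string]bool{u.Name: true, "Everyone": true}
	for _, g := range u.Groups {
		p[g] = true
	}
	return p
}

// Effective evaluates one DACL for a user: allows accumulate across every
// matching entry, and an explicit deny strips those rights whoever granted them.
func Effective(dacl []ACE, u User) Rights {
	p := u.principals()
	var allow, deny Rights
	for _, e := range dacl {
		if !p[e.Principal] {
			continue
		}
		if e.Allow {
			allow |= e.Rights
		} else {
			deny |= e.Rights
		}
	}
	return allow &^ deny
}

// NetworkAccess is what a user can do through the share: the share DACL and
// the NTFS DACL are evaluated separately and only rights granted by both
// survive, which is the "most restrictive applies" rule. A nil NTFS DACL
// models a FAT volume, where the share permission is the only control.
func NetworkAccess(share, ntfs []ACE, u User) Rights {
	r := Effective(share, u)
	if ntfs != nil {
		r &= Effective(ntfs, u)
	}
	return r
}

// Constructed sample: the default share permission (Everyone Full Control),
// a read-only share, and an NTFS folder DACL that does the real work.
var (
	defaultShare = []ACE{{"Everyone", true, Full}}
	readShare    = []ACE{{"Everyone", true, Read}}
	payrollNTFS  = []ACE{
		{"Domain Users", true, Read},
		{"Accounting", true, Change},
		{"Contractors", false, Write}, // explicit deny of Write
	}
	alice = User{"alice", []string{"Domain Users", "Accounting"}}
	bob   = User{"bob", []string{"Domain Users", "Accounting", "Contractors"}}
)

func main() {
	fmt.Println("alice, default share:  ", NetworkAccess(defaultShare, payrollNTFS, alice)) // Change
	fmt.Println("bob, default share:    ", NetworkAccess(defaultShare, payrollNTFS, bob))   // Read: the deny wins
	fmt.Println("alice, read-only share:", NetworkAccess(readShare, payrollNTFS, alice))    // Read: share restricts NTFS
	fmt.Println("alice, FAT volume:     ", NetworkAccess(defaultShare, nil, alice))         // Full Control: share is all there is
}
```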
Internet Access: Who should have access to the Internet, and to what resources should access be granted? Internet access can be granted in small environments using NAT, while larger environments may need an HTTP proxy product like Microsoft Proxy. In these situations, is there a need for URL filtering? Should users have access to newsgroups? In all situations, the access could make the network vulnerable to an external attack. Firewall protection will often be needed. Virus scanning software will need to be maintained in the network. These recommendations will impact other design areas, like the training of personnel and administrative roles.
Dial-in Access: With dial-in access, there are two main considerations, and a number of smaller issues. The two main issues are authentication and dial-in permissions; i.e., how can you assure that the user connecting has authorization to connect, and once connected, what does that user have access to? Along with the authentication protocols available to encrypt the authentication request, Windows 2000 includes four other means by which we can authorize the connection attempt:
• ANI/CLI, which verifies the calling number against a list of approved numbers.
• Callback, in which the server disconnects the user and then calls back on a preset number.
• DNIS, where multiple dial-in lines can be configured with separate security settings.
• Third-party host, in which a third-party device between the remote access server and the user authenticates the connection, such as a RADIUS or TACACS system.
Beyond these settings, there are the policy settings, which include the days and times at which connection is authorized, methods for authentication, maximum session time, etc. Remote access policies can be set at the user level or through the remote access policy on the remote access server.
Pop Quiz 3.2 Questions
1) What are two elements of security for maintaining printers in a corporate network?
2) What enhancement in NTFS 5 provides additional file-level security in Windows 2000?
3) Which takes precedence in network file systems, the share permission or the NTFS permission?
4) What Windows 2000 service provides Internet access while also securing resources on the private network from the public network?
5) What are the two main issues with dial-in security?
IV Chapter 3: Summary
• Security templates provide a starting point for securing Windows 2000 computers. There are default and basic templates for domain controllers, servers and workstations. There is also a compatible template available for workstations. Default templates are applied to newly installed Windows 2000 computers, while basic templates provide the same level of security for computers upgraded from Windows NT 4.0.
• Additional security can be provided by using incremental templates to increase the level of security for file, registry, and service settings.
• Security templates can be customized using the Security Templates tool in MMC. The Security Configuration and Analysis tool in MMC or secedit (a command-line utility) can be used to compare a security baseline against current configurations.
• Operations masters require the highest level of security, with domain controllers closely behind.
• File and print resources are secured primarily through the configuration of their DACL.
• Local files on an NTFS 5 volume can be secured by using EFS to encrypt the files on the local drive.
• When users access files on an NTFS volume through a network share, the most restrictive permission applies.
• The simplest means to provide Internet access to users is implementation of NAT. NAT also “hides” the computers on the private network from the computers on the public network.
• Dial-in access consists mainly of configuring authentication and setting remote access policies. Remote access policies can be set either at the user level, or globally at the remote access server.
Pop Quiz 3.2 Answers
1) Printers can be secured through printer permissions, when the printer is shared, and the print jobs can be encrypted between workstation and print server through the use of IPSec.
2) NTFS 5 introduced EFS, encrypted file system, which allows all files to be saved on the local hard drive in an encrypted format, so that only the holder of the appropriate private key can read those files.
3) In Windows 2000, as in Windows NT 4.0, when share permissions and NTFS permissions combine, the most restrictive permission applies.
4) Windows 2000 can provide network address translation (NAT), which hides the computers on the private network from the public network as it provides the private clients with access to the public network.
5) The two main issues with dial-in security are authentication of users’ identity, and remote access policies, which determine when and for how long, etc., the user can connect.
Analyzing Security Requirements 81
V. Chapter 3: Post-Assessment
(Answers appear in Appendix A.)
1) BFQ, Inc. is planning to upgrade some of the existing Windows NT 4.0 domain controllers and replace others. Which security template will be used for the upgraded servers?
A. basicdc.inf
B. basicsv.inf
C. defltdc.inf
D. defltsv.inf
2) Which security template will be applied to the newly installed Windows 2000 application servers in BFQ, Inc.’s implementation?
A. basicdc.inf
B. basicsv.inf
C. defltdc.inf
D. defltsv.inf
3) BeachFront employs outside sales representatives to maintain relationships with large corporate customers. They often connect from customer sites using their laptop computers to check availability and place customer personnel in classes. What two solutions will be important for securing their remote access to the FastTrack database? (Choose 2)
A. Secure the laptop computer using the defltdc.inf.
B. Secure the laptop using EFS.
C. Secure the connection to FastTrack using SSL.
D. Secure the connection to FastTrack using remote access policies.
4) As outside sales people connect back to the FastTrack database, they will need to authenticate to the web server. Which of the following would simplify the administrator’s tasks in giving access to the database files in a secure manner?
A. Place the database files on a FAT volume and only use share permissions to restrict access.
B. Place the database server on the outside of the firewall so that filter exceptions will not need to be created.
C. Create a domain global group called Outside Sales and a domain local group called FastTrack. Place the sales user accounts in the domain global group, the domain global group in the domain local group FastTrack, and give the domain local group access to the database files using share permissions and NTFS 5 permissions.
D. Create a domain local group called Outside Sales and a domain local group called FastTrack. Place the sales user accounts in Outside Sales, then place Outside Sales in the domain local group FastTrack, and give FastTrack access to the database files using share permissions and NTFS 5 permissions.
5) At each classroom location, a computer running Windows 2000 will be placed in the lobby and will be running demonstration software similar to that used by BFQ, Inc. in the classrooms. What can be done if the company is not sure that the demo software will run on the Windows 2000 computers?
A. Have the administrator log on to the computer in the lobby using his administrator user account so that permissions will not be a problem.
B. Apply the compatws.inf to the Windows 2000 computer.
C. Apply the basicws.inf to the Windows 2000 computer.
D. Have the computer automatically log on as a guest account in Active Directory.
6) Which of the following has the highest security requirements?
A. A Windows 2000 computer used as a kiosk in the headquarters lobby.
B. The domain controller at the headquarters office that is used by most headquarters personnel for logon.
C. The schema master maintained at the BeachFront headquarters offices.
D. The web server that hosts the FastTrack web-enabled application.
7) You have created a domain global group named CorporatePartners and a domain local group named FastTrack. Which permissions to the FastTrackData share on an NTFS volume will you give so that users may see the information in the database but not make any changes?
A. Give Full Control share permissions and Read NTFS permissions to the CorporatePartners group.
B. Give Change share and Full Control NTFS permissions to the CorporatePartners group.
C. Give Full Control share and Change NTFS permissions to the FastTrack group.
D. Give Full Control share and Read NTFS permissions to the FastTrack group.
8) What are two tools that can be used to compare a security template with your current configuration of Windows 2000 computers? (Choose 2)
A. Security Templates tool in MMC
B. Auditing on the Windows 2000 network
C. Security and Analysis tool in MMC
D. secanalysis command-line tool
E. secedit command-line tool
9) Your church has decided to implement a network, and wants Internet access available for the six people that work in the church office. What is the simplest recommendation for this implementation?
A. Have the church purchase Microsoft Proxy to enable Internet access, while securing the private network.
B. Enable NAT on the Windows 2000 server.
C. Give all of the workstations registered IP addresses and direct connections to the Internet.
D. Enable Terminal Services on the Windows 2000 server, allow it to have an Internet connection, and have the other six workstations establish a terminal server connection for Internet access.
Designing a Windows 2000 Security Solution 87
Chapter 4: Designing a Security Solution
The objective of this chapter is to provide the reader with an understanding of the following:
• Auditing consists of enabling audit policy in one of nine areas, and then setting the security properties of the resource that needs to be audited.
• Auditing failure of an event helps to identify an attempt to breach a security measure. Auditing success only identifies the user after the breach has occurred.
• Windows 2000, with the introduction of Active Directory, adds tremendous ability to delegate administrative responsibilities without giving excessive rights.
• Account policies in a domain and Group Policies in a domain or OU combine to form a security policy for users. Different account policy needs mean different domains.
• Authentication is the process of verifying a user’s identity. Windows 2000 supports multiple authentication methods, each for use in different settings.
• Windows 2000 has two types of groups, security and distribution. Security groups are used to control access to resources. Security groups include domain local, global and universal.
• Certificate services in Windows 2000 provide much of the underlying technology to deliver security solutions. For example, SSL or TLS, S/MIME, EFS and smart cards all require certificate services.
• Windows 2000 provides a complete Certificate Authority solution and is also interoperable with external or commercial CAs.
• Windows 2000 services also need careful scrutiny in terms of security, especially DNS, RIS, SNMP and Terminal Services. Each has its own security configuration settings.
88 Chapter 4: 70-220 Certification
I. Introduction
While security design begins in the earlier chapters, with the discovery of information describing the client company or organization, the process of linking security solutions with needs begins in this chapter. This chapter examines the major areas of security in Windows 2000 and in each area seeks to clarify the purpose and scope of the security solution. We begin by looking at auditing, move on to delegation of authority and then look more closely at security policies, both account policies and Group Policies. From there we look at the different authentication solutions available in Windows 2000, clarifying the use and the basics of each. We move on to security groups, the basis for organizing user accounts and giving access in a Windows 2000 network, then PKI, especially certificate services in Windows 2000. After detailing the other security solutions that rely upon certificate services, we close by looking at Windows 2000 services that need additional attention in ensuring their security: DNS, RIS, SNMP and Terminal Services. Much of the detail in each of these areas is presumed to be already known; it is the job of the designer to know which solution to recommend for different situations, and to be aware of the larger, company-wide impact of each solution. The focus here is matching the solution to the need.
Information: This section is all about matching solutions with needs. Scenario questions from the Microsoft curriculum continually test the student’s ability to identify which solution is designed for which situation. The scenarios are not as interested in your ability to “fine-tune” the solution. Certain settings in each area of security are important only because the settings help to secure the solution to a greater degree. Be very clear how each solution fits and is implemented in a Windows 2000 network. Also be clear on the differences when the environment contains non-Windows 2000 computers. Kerberos V5 authentication gives way to NTLM V2 for earlier versions of Windows, while some UNIX computers will interoperate with this version of Kerberos.
Getting Ready - Questions
1) Your company is concerned that people inside the company may be selling information from data on an NTFS volume to a competitor. What settings need to be configured to log the attempt to access this data?
2) Your company has a location that needs some administrative support, but the staff at that location is not highly trained. Can you give support personnel at that location only the rights to change forgotten passwords, without their being able to create new user accounts, etc.?
3) The company’s headquarters location needs strict password settings, while the branch offices do not. How can this be set in account policies?
4) What is the default authentication protocol in Windows 2000?
5) Why is DNS in Windows 2000 inherently more secure than traditional implementations?
Getting Ready - Answers
1) Auditing for success and failure of object access needs to be set, and then auditing of failure of the Read permission at the folder on the NTFS volume should be set.
2) Yes. With the introduction of Active Directory, administration can be delegated at the level of object creation or only attribute management. An administrator can then be given the right to modify only specific attributes of user objects at their location.
3) To set different account policies, the administrator needs to create different domains and then set each domain’s account policy accordingly.
4) For Windows 2000 workstations the default authentication protocol in Windows 2000 is Kerberos V5. Windows 95, Windows 98 and Windows NT clients will use NTLM.
5) DNS is inherently more secure in Windows 2000 than in traditional implementations because records and zone information are stored in Active Directory. Active Directory is maintained on domain controllers, which have the highest levels of computer security in the network.
II. Design an Audit Policy
What is an Audit Policy:
There are actually nine different audit policies that can be used to track activities in different areas of the network:
• Account logon will audit requests at domain controllers for logon validation.
• Account management tracks the creation, deletion or changes to user and group accounts in Active Directory.
• Directory service access logs all events where users gain access to directory service objects.
• Logon auditing shows logon events on the local computer.
• Object access is used to enable auditing of files or folders on NTFS volumes and printers that have been shared.
• Auditing policy change will help track changes made to user security options, user rights or audit policies.
• The auditing of privilege use is tied to the exercise of user rights, such as taking ownership or changing the system time.
• Process tracking is specific to the application for which auditing is enabled and is generally used by programmers to track application events.
• System events include things like the startup or shutdown of a computer.
Before Windows 2000 will audit access to files and folders, you must use the Group Policy snap-in to enable the Audit Object Access setting in the Audit Policy. If you do not, you receive an error message when you set up auditing for files and folders, and no files or folders will be audited. Once auditing is enabled in Group Policy, log files are created that can be reviewed with Event Viewer, showing the activity and the user engaged in the audited activity.
Where to start: For domain controllers, audit policies are set in the Default Domain Controller Policy. Audit settings are configured in Computer Configuration/Windows Settings/Local Policies/Audit Policy.
The security designer needs to identify the security risks for the client company, recommend the technologies in Windows 2000 that can be used to secure the unsecured areas, and then determine the areas and settings for auditing. Remember that auditing failure can help to identify attempts to breach security measures, while auditing success can only affirm the identity of users who have already breached security. Auditing is often enabled and then the administrator must proceed to the resource to specify the particular settings to track and report in the security log. For example, to audit access to folders on NTFS volumes, object access needs to be enabled in the audit policy, and then the administrator has to set the NTFS permissions to be audited in the Security tab of the NTFS folder.
Things to Audit: What to audit is directly connected to the areas of security risk that have been identified and to the means by which those areas are generally accessed. For example, to audit access to files on a network server, the files need to reside on an NTFS volume and will be accessed through a share. Auditing policy must be enabled and set to audit object access. Whether to audit success, failure or both will depend upon whether you wish to identify attempts or identify unauthorized access after it has occurred. Then the administrator must set the auditing properties on the Security tab of the appropriate NTFS folder and set it to audit based upon the particular NTFS permissions that need to be monitored. Or, as another example, auditing needs to be set after administration has been delegated. If selected users have been given the ability to create new users in Active Directory, then directory service access can be audited to ensure that administrators are not attempting to perform tasks that exceed the design.

AUDIT EVENT: Failure audit for logon/logoff
POTENTIAL THREAT: Random password hack

AUDIT EVENT: Success audit for logon/logoff
POTENTIAL THREAT: Stolen password break-in

AUDIT EVENT: Success audit for user rights, user and group management, security change policies, restart, shutdown, and system events
POTENTIAL THREAT: Misuse of privileges

AUDIT EVENT: Success and failure audit for file-access and object-access events. File Manager success and failure audit of Read/Write access by suspect users or groups for the sensitive files.
POTENTIAL THREAT: Improper access to sensitive files

AUDIT EVENT: Success and failure audit for file-access printers and object-access events. Print Manager success and failure audit of print access by suspect users or groups for the printers.
POTENTIAL THREAT: Improper access to printers

AUDIT EVENT: Success and failure write access auditing for program files (.EXE and .DLL extensions). Success and failure auditing for process tracking. Run suspect programs; examine the security log for unexpected attempts to modify program files or create unexpected processes. Run only when actively monitoring the system log.
POTENTIAL THREAT: Virus outbreak
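The audit-event-to-threat table above, turned into a small triage routine over security-log records. This is an added example, not from the book or from Microsoft: the log records are constructed (not real Event Viewer output), the categories use the nine audit policy names from this section, and the thresholds, admin set, payroll folder and “expected program path” are assumptions for the example.

```python
"""Triage of constructed Windows 2000 security-log records against the
audit event / potential threat table above (added example, constructed data).

Record layout: (minute, category, outcome, user, access, detail). 'category' is
one of the nine audit policy names; 'access' is READ/WRITE for object access
events and empty otherwise; 'detail' is the workstation, right, object or program.
"""
from collections import defaultdict

ADMINS = {"admin1"}                 # accounts expected to exercise privileges (assumed)
PAYROLL_STAFF = {"pclerk"}          # users allowed in the audited folder (assumed)
SENSITIVE_PREFIX = "D:\\Payroll\\"  # folder whose SACL audits Read/Write (assumed)
FAILURE_BURST = 3                   # failed logons that count as a guessing run
WINDOW_MIN = 10                     # ...within this many minutes
PRIVILEGED = {"privilege use", "account management", "policy change", "system"}

# Constructed sample log.
LOG = [
    (1, "logon", "failure", "jsmith", "", "WS-LOBBY"),
    (2, "logon", "failure", "jsmith", "", "WS-LOBBY"),
    (3, "logon", "failure", "jsmith", "", "WS-LOBBY"),
    (4, "logon", "success", "jsmith", "", "WS-LOBBY"),
    (5, "privilege use", "success", "tjones", "", "SeTakeOwnershipPrivilege"),
    (6, "object access", "failure", "tjones", "READ", "D:\\Payroll\\salaries.xls"),
    (7, "object access", "success", "pclerk", "READ", "D:\\Payroll\\salaries.xls"),
    (8, "object access", "success", "pclerk", "WRITE", "C:\\WINNT\\system32\\calc.exe"),
    (9, "process tracking", "success", "pclerk", "", "C:\\TEMP\\update.exe"),
    (30, "logon", "success", "admin1", "", "DC1"),
    (31, "account management", "success", "admin1", "", "user created: newhire"),
]


def triage(log, admins=ADMINS, staff=PAYROLL_STAFF, sensitive=SENSITIVE_PREFIX):
    """Return a list of (potential threat, user, minute) per the table's rows."""
    findings = []
    failures = defaultdict(list)        # user -> minutes of recent failed logons
    for minute, category, outcome, user, access, detail in log:
        if category == "logon":
            recent = [m for m in failures[user] if minute - m <= WINDOW_MIN]
            if outcome == "failure":
                recent.append(minute)
                if len(recent) == FAILURE_BURST:     # failure audit: guessing run
                    findings.append(("Random password hack", user, minute))
            else:
                if len(recent) >= FAILURE_BURST:     # success audit right after a run
                    findings.append(("Stolen password break-in", user, minute))
                recent = []
            failures[user] = recent
        elif category in PRIVILEGED and outcome == "success" and user not in admins:
            findings.append(("Misuse of privileges", user, minute))
        elif category == "object access":
            if detail.startswith(sensitive):
                # failures by anyone, or success by someone outside the staff set
                if outcome == "failure" or user not in staff:
                    findings.append(("Improper access to sensitive files", user, minute))
            elif access == "WRITE" and detail.lower().endswith((".exe", ".dll")):
                findings.append(("Virus outbreak: program file written", user, minute))
        elif (category == "process tracking" and outcome == "success"
              and not detail.lower().startswith("c:\\winnt\\")):
            findings.append(("Virus outbreak: unexpected process", user, minute))
    return findings


if __name__ == "__main__":
    for threat, user, minute in triage(LOG):
        print(f"minute {minute:>3}  {user:<8} {threat}")
```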
Pop Quiz 4.1 Questions
1) What are the two main steps in auditing?
2) How do you enable auditing to “catch” potential breaches of security?
3) Which audit policy is used to enable auditing of files, folders and printers?
4) Which audit policy is used to track the activities of administrators to ensure that they have not exceeded their authority in Active Directory?
5) You have decided to audit access to a folder on an NTFS volume; however, when you go to the Security tab you find all of the check boxes grayed out. What do you need to do so that the boxes can be checked and NTFS auditing will work?
Pop Quiz 4.1 Answers
1) The two main steps in auditing are to enable auditing in the appropriate audit policy, and then to go to the resource being audited and specify the necessary settings.
2) To “catch” intruders before damage can be done, the administrator should enable auditing of failure, so that a failure to access the resource will be logged.
3) You must enable object access auditing, for either success or failure, and then the use of file, folder and printer permissions can be tracked.
4) To track administrative activities in Active Directory, enable either account management or directory service access. If using directory service access, then you would need to specify the types of Active Directory objects you wish to audit.
5) If all of the boxes are grayed out in the Security tab of an NTFS file or folder, then you have not enabled object access in the Audit Policy. You need to go to Computer Configuration/Windows Settings/Local Policies/Audit Policy and enable object access, failure and/or success.
III. Design a Delegation of Authority Strategy
What is an Authority Strategy:
Windows 2000 and the introduction of Active Directory have changed the approach to administration tremendously. Delegation of authority refers to the process of delegating administrative responsibility through the placement of users or computers in domains or OUs, the use of Group Policy objects and the level at which delegation is set. Authority can be delegated at the object level, or at the attribute level in Active Directory. For example, it is now possible to allow administrators to only change passwords for user accounts, without being able to modify any other properties of the user and without being able to create objects in Active Directory at all. In other cases, an individual can have full control from a domain or OU down the Active Directory structure, allowing creation and deletion of objects as well as management of object attributes. The careful design of Active Directory in terms of domain and OU placement, and the determination of the level at which authority is to be given, combine to define an authority strategy.
How do I start the design: The strategy begins with Active Directory design, with the placement of user accounts and computer accounts in a particular OU, depending upon the organization of the company, number of locations, number of users at a given location, support available at a location, etc. Active Directory design considerations include these issues. Once the design has been determined, then the determination of whether authority will be granted at the object level or at the attribute level can be made, and at what level in the Active Directory tree or forest the authority will start. Generally speaking, domains form a natural security boundary in Active Directory. Once created, domains will then have their own set of security groups and require their own administration. Within domains users can be placed in OUs by business function, location, or other factors. Each OU could then have separate administration, or the domain administrator could delegate the simpler tasks within the different OUs to different personnel.
Suggested Authority Strategies: High-level Active Directory administration in organizations should be restricted to a small set of highly trained individuals. Tree-wide and forest-wide management tasks, such as creating new domains, creating and managing sites, and delegating authority in Active Directory, are all examples of tasks that should be possible only for senior support staff. Within each domain, however, it will depend upon the company’s administrative approach. Centralized approaches might allow domain administrators to create new users or groups within the OUs in the domain, while not allowing the administrators to create Active Directory OUs or make changes to the authority strategy, even within their domain. More conservative centralized models would not even allow object creation, only minor attribute-level management, such as fixing passwords or adding members to groups. Remember that Windows 2000 is well suited for role-based administration. There are only a couple of basic strategies for delegation of authority. In the most liberal settings, rights to create and delete all objects in Active Directory and modify the objects’ properties would be granted throughout the OU or domain. More restrictive settings would only allow the creation, deletion and modification of certain classes of objects in Active Directory. The most restrictive settings would allow only the modification of certain attributes of specified objects in Active Directory. The choice of settings will depend upon the level of trust in the knowledge and skills of the support people and on the company’s tolerance for risk.
Pop Quiz 4.2 Questions
1) What new feature of Windows 2000 provides a high level of granularity in designing a delegation of authority strategy?
2) At what two levels can authority be delegated?
3) Which component of Active Directory forms a natural security boundary?
4) Why would OUs need to be created for a delegation of authority strategy?
5) What type of administrative tasks in Active Directory would more commonly be delegated in Windows 2000 networks today?
Pop Quiz 4.2 Answers
1) With the introduction of Active Directory, companies are now able to organize user accounts in OUs and give different levels of authority within different OUs. Furthermore, authority can be given to modify only a few attributes of certain classes of objects, rather than having to give administrators full control in the domain, as we did in Windows NT 4.0.
2) Authority to make changes in Active Directory can be given at the object level, which then implies all of the attributes of the object, or at the attribute level for a certain group of attributes, such as password change or group membership.
3) Domains create a natural security boundary in Windows 2000.
4) The creation of separate OUs would allow different levels of administration for the different OUs. For example, one OU administrator could have the ability to create new objects in the OU, while another might only be able to change user attributes, like password or group membership.
5) In most networks today, higher-level administrators would delegate daily responsibilities like changing user passwords when they are forgotten, changing user surnames, etc.
IV. Designing Security Policies
What is a Security Policy:
A security policy will be the combination of an account policy in a domain and the application of Group Policies. Account policy can only be set at the domain level and consists of three categories: password policies, account lockout policies and Kerberos V5 policies. Because these policies affect all users in a domain, different account policy needs will mean the creation of different domains. Group Policy settings apply to either users or computers and can be linked to Active Directory objects such as site, domain or OU objects. When Group Policy objects are configured and then linked to an Active Directory object, they apply to all users or computers in that object or below that object in Active Directory. Because Group Policies inherit down the Active Directory structure, care must be taken in their placement. Cumulative policies can create complexity and confusion in the network. On the other hand, settings can be specified in the Group Policy at the domain or site level to standardize configurations site- or domain-wide, and then settings specific to the OU can be configured in a separate Group Policy for that particular OU.
Where do I start the Design: This design starts with determining the security requirements of the users in each of the company’s different locations, remembering that different needs in areas of account policies translate into the creation of different domains in Active Directory. Once account policy needs have been determined, then needs should be examined in terms of the settings available in Group Policy objects. Group Policy objects are very complex and contain a wealth of functionality, and are associated with sites, domains or OUs. Within each domain there may be a need to create separate OUs for those users with separate Group Policy needs. The design should strive for simplicity, using the fewest objects with the fewest settings possible to accomplish the intended goals. Many companies wish to limit the access that users have on their computers, removing the Run command, removing My Network Places, not allowing changes to display settings, etc. The key with Group Policies is to remember that all of the Group Policies in Active Directory above a user may affect that user. So keep the design simple. Avoid using filters at lower levels to stop the flow of policies, since troubleshooting will then become a painful task.
The command-line utility gpresult.exe can be used to determine the current effective policies for a user logged on to a Windows 2000 computer. For more information on using gpresult.exe, refer to the Microsoft Windows 2000 Resource Kit.
Security policies for Sites: A Group Policy can be configured and associated with a site, when all users in domains or OUs in that site have need for the same Group Policy settings. Generally, however, Group Policy settings are applied at the domain or OU level. Account policies, as was stated above, are only settable at the domain level.
Security Policies for Domains: It is at the domain level that account policies are set for all users. If the company has users with different account policy needs, then the company would need to create additional domains. If a Group Policy is created and linked to a domain, it affects all users within the domain. For groups of users that require different Group Policy settings, the company will need to create multiple OUs and then create a separate Group Policy for each OU. Site Group Policy settings can be overwritten by domain Group Policy settings. Group Policies can be filtered to apply to only certain objects, can be set to block inheritance from above, and can be set to No Override, which will ensure that the Group Policy will be applied even if Block Inheritance is set.
Security Policies for Organizational Units: Account policies are set at the domain level, and users in OUs will have those settings applied automatically. Group Policies in OUs will behave exactly as described above in the section on domains. Their settings will inherit into child OUs until they reach a user. Group Policies are applied in the following order: local computer, site, domain, parent OUs, child OUs. The Group Policy closest to the user, in the case of conflicting settings, will be the effective setting. Otherwise, Group Policy settings accumulate as they inherit down the Active Directory tree.
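The application order, accumulation, Block Inheritance and No Override rules from the three sections above, modelled as a small resolver. This is an added example, not from the book: the site, domain, OUs, GPO names and settings are constructed. It goes one step beyond the text in also treating No Override settings as not overwritable by GPOs linked lower down, which is how Windows 2000 behaves.

```python
"""Effective Group Policy for a user (added example; GPOs, containers and
settings are constructed).

Order of application: local computer, site, domain, parent OU, child OU. Later
GPOs overwrite conflicting settings; otherwise settings accumulate. Block
Inheritance on a container discards GPOs linked above it (the local GPO is not
affected), and a No Override GPO is still applied despite blocking. Beyond what
the chapter states, No Override settings here also cannot be overwritten by
GPOs linked lower down.
"""


def make_chain(block_sales=False, domain_no_override=False):
    """Containers from the site down to the user's OU (constructed).
    Each GPO is (name, settings, no_override)."""
    return [
        {"name": "Site-HQ", "block": False,
         "gpos": [("SiteGPO", {"wallpaper": "site.bmp", "proxy": "proxy.hq"}, False)]},
        {"name": "corp.local", "block": False,
         "gpos": [("DomainGPO", {"wallpaper": "corp.bmp", "hide_run": True},
                   domain_no_override)]},
        {"name": "OU=Sales", "block": block_sales,
         "gpos": [("SalesGPO", {"wallpaper": "sales.bmp"}, False)]},
        {"name": "OU=Outside,OU=Sales", "block": False,
         "gpos": [("OutsideGPO", {"hide_netplaces": True}, False)]},
    ]


LOCAL_GPO = {"wallpaper": "local.bmp", "screensaver": "logon.scr"}   # constructed


def effective_policy(chain, local_gpo=None):
    """Return the merged settings for a user located at the bottom of chain."""
    # Lowest container with Block Inheritance: every container above it is blocked.
    block_from = None
    for i, container in enumerate(chain):
        if container["block"]:
            block_from = i

    # Collect GPOs in application order: local first, then site -> domain -> OUs.
    applied = []                     # (settings, no_override)
    if local_gpo:
        applied.append((local_gpo, False))
    for i, container in enumerate(chain):
        for _name, settings, no_override in container["gpos"]:
            if block_from is not None and i < block_from and not no_override:
                continue             # dropped by Block Inheritance
            applied.append((settings, no_override))

    # Merge: the GPO closest to the user wins a conflict, unless a higher
    # No Override GPO has already fixed that setting.
    effective, locked = {}, set()
    for settings, no_override in applied:
        for key, value in settings.items():
            if key in locked:
                continue
            effective[key] = value
            if no_override:
                locked.add(key)
    return effective


if __name__ == "__main__":
    print("plain:      ", effective_policy(make_chain(), LOCAL_GPO))
    print("block:      ", effective_policy(make_chain(block_sales=True), LOCAL_GPO))
    print("block+no-ov:", effective_policy(
        make_chain(block_sales=True, domain_no_override=True), LOCAL_GPO))
```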
Figure 4-1: Account Policies
Pop Quiz 4.3 Questions
1) Where can account policies be set in a Windows 2000 network?
2) What are the three areas of configuration in account policies?
3) If your company has a group of users that will need a much more restrictive password policy, where will that setting be configured?
4) Three different Group Policies are affecting a single user, each with different display settings. What will the display settings be for the affected user?
5) How can the administrator determine the effective policy settings for a logged on user?
Pop Quiz 4.3 Answers
1) Account policies are always set at the domain level in Windows 2000 networks.
2) Account policies include password settings, account lockout settings and Kerberos V5 settings.
3) If your company has a group of users that needs different account policies of any kind, then you will have to create a separate domain for the users and set the account policy in that domain accordingly.
4) The Group Policy settings from the OU closest to the user will set the user’s display settings.
5) The administrator can run gpresult.exe from the workstation with the user logged on to see the effective policies.
V. Design an Authentication Strategy
What are the authentication methods:
The various authentication methods available in Windows 2000 are listed below, with a brief description and typical area of use. Authentication is the process of verifying the identity of the user, and Windows 2000 supports most of the commonly used authentication protocols. Some protocols are used within a corporate network, while others are intended for authentication of access requests by external users, i.e., individuals that do not have user accounts in your Active Directory.
Certificate-Based Authentication Method: Digital certificates can be used to authenticate, that is, verify the identity of the user. Certificates can be issued for users and for computers, and can be mapped to the user or computer account in Active Directory. Certificates, however, cannot be mapped to security groups. They are used most commonly in either smart cards or in SSL (both described below).
Kerberos Authentication Method: Kerberos V5 is a ticket-based protocol used in Windows 2000 networks as the default authentication protocol. Clients are granted TGTs (ticket-granting tickets) and STs (service tickets) as they log on and access services in the network. Microsoft’s version of Kerberos is supposed to be interoperable with UNIX Kerberos V5 realms, allowing single sign-on to extend to UNIX clients. This is the protocol that users will use when initiating a logon or accessing application servers in the network.
Clear Text Passwords Method: There is almost no situation in which this method of authentication would be preferable. All of the other authentication methods discussed here incorporate encryption technologies to ensure that passwords cannot be captured from the network using sniffing tools.
Digest Authentication Method: In this method, a symmetric or private key is generated (using DES or some other encryption scheme) and then a digest for the message is created. The sender computes a digital signature as a function of the digest and the originator's private key then transmits the message and the signature to the recipient. This is done so that messages can be encrypted using more efficient encryption algorithms; i.e., not with the public/private keys. The public/private keys are only used to encrypt the session key (or private key) that was created initially. This all is done to improve performance, since public/private key encryption/decryption requires more PC resources than the use of symmetric keys. SSL is the most common and best-known scheme that uses digest authentication.
Smart Card Authentication Method: Smart cards require a card reader attached to the workstation, and contain the user ID, the user’s digital certificate and private key. Logon is similar to the use of a card at an ATM, that is, the user places the card in the reader and enters a PIN. The information is then sent in encrypted format to the KDC (key distribution center) so that the user can obtain a TGT via the Kerberos protocol and be granted an access token. Smart cards are especially useful in high-risk areas, for securing workstations against unauthorized logon attempts.
NTLM Authentication Method: For clients and servers running earlier versions of Windows, NT LAN Manager protocol is used for authentication. Windows 95, Windows 98 and Windows NT 4.0 computers running Windows 2000 Directory Services Client software will authenticate to the Windows 2000 domain controller using NTLM V2.
RADIUS Authentication Method: RADIUS is used to authenticate dial-in clients. Generally a user will use a RADIUS client to send an authentication request over a dial-up connection to a local ISP, and the request will then be verified either by a RADIUS proxy at the ISP or by a RADIUS server directly.
SSL Authentication Method: SSL authentication is used with secure connections to web sites. For Internet users, SSL provides authentication services using digital certificates to verify the identity of the client or the server and encryption using public key/private key or PKI. SSL is supported by all of the popular browsers, including Internet Explorer, Netscape, etc.
In situations where companies are allowing access to secure areas of their web site, SSL measures can be used to authenticate requests and to encrypt transmissions between client and server. As mentioned earlier, SSL uses digest authentication for encryption and authentication while minimizing the performance degradation associated with public key encryption.
TLS (Transport Layer Security): TLS is very similar to SSL in that it provides communications privacy, authentication, and message integrity by using a combination of public key and symmetric encryption. TLS is a more generic version of SSL, first drafted by the IETF (Internet Engineering Task Force), utilizing different encryption algorithms. Windows 2000 uses TLS to encrypt smart card authentication information transmitted when using the Extensible Authentication Protocol (EAP).
Pop Quiz 4.4 Questions
1) As a user logs on to a Windows 2000 network from a Windows 2000 Professional workstation, what authentication protocol will be used by default?
2) What protocol is used if a user logs on from a Windows 98 workstation that has the Windows 2000 Active Directory Client software installed?
3) You need to secure a workstation that contains highly sensitive information on the local hard drive. Aside from using EFS, what authentication method can assure that unauthorized personnel do not log on to the workstation?
4) Users will need to be able to access company resources from hotel rooms using laptop computers while traveling. What authentication service can be used to provide this access in a secure manner?
5) One of your vendors wishes to access information that is hosted in a secure area of your corporate web site. What authentication method can be used to allow this access, while still ensuring authentication of user requests and encryption of all data to and from the web server?
Pop Quiz 4.4 Answers
1) The default authentication protocol in Windows 2000 is Kerberos V5.
2) For workstations running earlier versions of Windows, even if using the Windows 2000 Active Directory Client software, the authentication protocol defaults to NTLM V2.
3) Along with using EFS to secure files on a local hard drive, the use of smart cards can assure that only those with cards can authenticate.
4) The RADIUS protocol is used to authenticate logon requests from dial-up clients through ISPs to corporate networks.
5) The most standard protocol for this purpose is SSL, which is supported by most popular browsers. SSL connections can be used to require client-side authentication, using digital certificates, and for data encryption using public key/private key or PKI technologies.
VI Design a Security Group Strategy
Designing a Security Group: Windows 2000 has default security groups in Active Directory and on member (or application) servers and workstations. The default groups encompass the typical tasks in administering a network that a company may wish to delegate to specific groups of technical support personnel. Server Operators, Backup Operators and Account Operators are a few of the available groups for delegating administration in a Windows 2000 network. There is also the need to define groups in Active Directory to allow access to certain applications or other resources. Windows 2000 groups include domain local groups, global groups and universal groups. As was done in Windows NT 4.0, domain local groups are used to grant access to a resource. Global groups are used to organize users with common security needs, and can contain users and global groups from the domain in which they are created. Universal groups can contain global groups and universal groups from any domain in the forest. Microsoft has always recommended that administrators place user accounts in global groups, then place the global groups in the appropriate domain local group and grant access to the resource to the domain local group. Microsoft recommends limiting the use of universal groups for two reasons. First, the global catalogs contain more information about universal groups than about other types of groups, which may increase replication traffic. Secondly, access tokens for users will contain universal group information even if the universal groups listed are not in the domain.
Security Group: The designer is looking for “groups” of users that need access to a common resource. This drives the need to create groups to enable the access. Again, the user accounts are placed in a global group, a domain local group is created and granted access to the “common” resource, and then the global group is added to the domain local group. Web users, SQL database users, and color laser printer users are all examples of needs for the creation of security groups in a Windows 2000 network.
Manage Security Group: Management of security groups consists mainly of adding and removing members from the global group whose membership in the domain local group drives access. This entire security group scheme can become much more complex if the company decides to use universal groups, or decides to nest global groups inside other global groups. Keeping the design as simple as possible can relieve much administrative overhead in maintaining the security group integrity.
Integrate Security Group with other Domains: The universal group allows global groups from different domains in the same forest to be granted access to a common resource in a simple manner. By placing the global groups from separate domains into a single universal group, access can then be granted to the universal group to give access to users across the different domains.
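The group scopes and nesting rules described in this section, modelled in Python as an added example (not the book's code, and not Microsoft's): it encodes which scope may contain which, resolves nested membership to accounts, and flags designs that depart from the recommendations above. Domain, group, account and resource names (BFQ.COM, BEACHFRONT.COM, Sales, AllSales, FTRACK) are constructed for illustration.

```python
"""Model of the three Windows 2000 group scopes described in the text and the
containment rules that go with them: a global group holds accounts and global
groups from its own domain, a universal group holds global and universal
groups from any domain in the forest, and a domain local group is where
permissions on a resource are granted. Added example, not the book's code;
all domain, group, account and resource names are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Union

GLOBAL, DOMAIN_LOCAL, UNIVERSAL = "global", "domain local", "universal"

@dataclass
class Group:
    name: str
    domain: str
    scope: str
    members: List[Union["Group", str]] = field(default_factory=list)

@dataclass
class Resource:
    name: str
    domain: str
    granted_to: List[Group] = field(default_factory=list)

def user_domain(user: str) -> str:
    """Accounts are written DOMAIN\\name, e.g. 'BFQ.COM\\alice'."""
    return user.split("\\", 1)[0]

def can_contain(parent: Group, member: Union[Group, str]) -> bool:
    """Containment rules by scope, as the text describes them."""
    if isinstance(member, str):
        # Only a global group is restricted to accounts from its own domain.
        return parent.scope != GLOBAL or user_domain(member) == parent.domain
    if parent.scope == GLOBAL:
        return member.scope == GLOBAL and member.domain == parent.domain
    # Universal and domain local groups accept global and universal groups from
    # any domain (same-domain nesting of domain local groups is left out here).
    return member.scope in (GLOBAL, UNIVERSAL)

def add_member(parent: Group, member: Union[Group, str]) -> None:
    """Add a member, refusing nestings the scope rules do not allow."""
    if not can_contain(parent, member):
        what = member if isinstance(member, str) else f"{member.scope} group {member.name}"
        raise ValueError(f"{parent.scope} group {parent.name} cannot contain {what}")
    parent.members.append(member)

def flatten(group: Group, seen: Optional[Set[int]] = None) -> Set[str]:
    """Resolve nested memberships down to user accounts (cycle-safe)."""
    seen = set() if seen is None else seen
    users: Set[str] = set()
    for m in group.members:
        if isinstance(m, str):
            users.add(m)
        elif id(m) not in seen:
            seen.add(id(m))
            users |= flatten(m, seen)
    return users

def has_access(user: str, resource: Resource) -> bool:
    """True if the account reaches a group that holds permission on the resource."""
    return any(user in flatten(g) for g in resource.granted_to)

def design_warnings(resources: List[Resource], groups: List[Group]) -> List[str]:
    """Checks taken from the text's recommendations (design advice, not enforced rules)."""
    warnings: List[str] = []
    for r in resources:
        for g in r.granted_to:
            if g.scope == GLOBAL:
                warnings.append(f"{r.name}: permission granted directly to global group {g.name}")
    for g in groups:
        if g.scope == DOMAIN_LOCAL and any(isinstance(m, str) for m in g.members):
            warnings.append(f"{g.name}: accounts placed directly in a domain local group")
        if g.scope == UNIVERSAL:
            domains = {m.domain for m in g.members if isinstance(m, Group)}
            if len(domains) < 2:
                warnings.append(f"{g.name}: universal group spans one domain; not needed")
    return warnings

def forest_design():
    """Two domains in one forest sharing the FTRACK volume at headquarters: a global
    Sales group per domain, both nested in one universal group that holds the permission."""
    sales_bfq = Group("Sales", "BFQ.COM", GLOBAL)
    sales_bf = Group("Sales", "BEACHFRONT.COM", GLOBAL)
    add_member(sales_bfq, "BFQ.COM\\alice")
    add_member(sales_bf, "BEACHFRONT.COM\\bob")
    all_sales = Group("AllSales", "BFQ.COM", UNIVERSAL)
    add_member(all_sales, sales_bfq)
    add_member(all_sales, sales_bf)
    ftrack = Resource("FTRACK", "BFQ.COM")
    ftrack.granted_to.append(all_sales)
    return ftrack, [sales_bfq, sales_bf, all_sales]

def rejected_design() -> str:
    """Nesting a domain local group inside a global group is refused."""
    fast = Group("Fast", "BFQ.COM", DOMAIN_LOCAL)
    sales = Group("Sales", "BFQ.COM", GLOBAL)
    try:
        add_member(sales, fast)
    except ValueError as err:
        return str(err)
    return "accepted"
```

Running `forest_design()` and `has_access("BEACHFRONT.COM\\bob", ftrack)` shows an account from the second domain reaching a resource in the first through the universal group, and `rejected_design()` shows why a "domain local inside global" arrangement cannot be built.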
Pop Quiz 4.5 Questions
1) What are the three types of security groups in Windows 2000?
2) Why would an administrator use a universal group in a multiple-domain forest?
3) What are typical management tasks in maintaining security groups?
4) True or false? You should not grant access to a resource directly to a universal group.
5) True or false? The recommended manner of granting access to a resource is to add user accounts to the appropriate domain local group, then add the domain local group to a global group and give permissions to the global group.
Pop Quiz 4.5 Answers
1) Windows 2000 uses domain local groups, global groups and universal groups.
2) If users from different domains require access to a common resource, then they should be added as members to a global group in their respective domain, the global groups should be added to a universal group, and permissions to the resource should be granted to the universal group.
3) Maintenance of security groups essentially means adding new members and removing users as their needs change or they leave the company.
4) False. While Microsoft does not recommend granting permissions directly to global groups, they do recommend granting permissions directly to universal groups. While domain local groups can contain universal groups, it may add unnecessary complexity to the group structure.
5) False. The recommended strategy is to add user accounts to global groups, then add the global groups to the appropriate domain local group and grant permissions to the domain local group.
VII Design a Public Key Infrastructure
Where do I Start: Certificate services provide for authentication of users and services and for encryption of data transmission. Digital certificates provide the mechanism for authentication, while public/private key pairs provide the mechanism for encryption/decryption of data. The keys can be minted and digital certificates issued by an external Certificate Authority or by the Certificate Authority that ships with Windows 2000. While some aspects of these PKI services are automated, others will require the creation of a Certificate Authority, a CA hierarchy or the use of an external CA like VeriSign or GTE CyberTrust. The starting point in design is to determine which applications or services will need to be secured by the use of certificates. S/MIME for secure e-mail, SSL or TLS for authentication to web sites, smart cards and EFS are all examples of solutions that need certificate services for security.
Certificate Authority (CA) Hierarchies: For large organizations, or for settings where the use of certificates needs to be managed separately, Windows 2000 allows for the creation of Certificate Authority hierarchies. Organized by usage, organizational structure or function, hierarchies consist of a Root CA and subordinate CAs organized in parent/child relationships. The need for certificates to secure SSL or TLS connections as well as to deliver secure e-mail through S/MIME may drive the creation of a usage-based hierarchy. Organizations that need to use Certificate Services across different bases of users (contractors, staff and temporary employees) might create a hierarchy based upon organizational structure. Companies that operate in countries with different regulations regarding the use of PKI will need to create hierarchies based on location.
Certificate Server Roles: In Windows 2000 you may choose to use either your own managed, private CA or an external or commercial CA. Typically a commercial CA is used when the company is dealing mainly with outside users or organizations that need secure access, and the company wishes to outsource the expertise to a third-party company. For those settings where internal expertise is available, the company can create a stand-alone CA. A stand-alone CA is a private CA with a stand-alone policy, which enables the issuance and maintenance of certificates independent of Active Directory. For internal needs, companies would create a private CA with an enterprise CA policy (often referred to as creating an enterprise CA). For enterprise CAs, if a CA hierarchy is being created, then the determination of which CA will function as the Root CA and which CAs will be subordinate needs to be made. In Certificate Authority hierarchies, the Root CA should be maintained offline, to further secure the server, while subordinate CAs provide for issuance and maintenance of certificates.
Manage Certificates: Certificate management revolves around enrollment, distribution, and expiration or revocation. In a CA hierarchy the Root CA certifies the subordinate CAs, while the subordinate CAs are used to issue certificates to users. Users will trust certificates from the subordinate CAs as long as they trust the Root CA. In the enrollment process, users submit a CSR (certificate signing request) to the CA. The CA then verifies the information from the CSR (such as the identity of the requestor) and issues a digital certificate along with the public key back to the requestor. Certificates expire based upon predetermined dates, or they can be revoked if the manager feels that the security of the keys has been compromised.
Integrating with Third-Party CAs: Third-party or commercial CAs like VeriSign or GTE CyberTrust can provide all of the services necessary to fully cryptographically secure either a web site or e-mail. Their services are generally used outside of Active Directory, that is, for users who are outside your organization and for whom you do not wish to maintain an Active Directory user account.
Map Certificates: Certificates can be mapped to Active Directory user accounts, enabling Windows 2000 permissions to drive the access rights after authentication. Certificate mapping can be one-to-one or many-to-one. The one-to-one mapping scheme would require much more administration than the many-to-one scheme, since each user would need a unique certificate. Consider many-to-one mappings to streamline the mapping process. For internal users, you could map their user accounts to a single account that uses the necessary certificate for authentication and encryption, while outside consultants or contractors could use a certificate that is mapped to a user account specially created for that purpose.
Pop Quiz 4.6 Questions
1) What two services are provided by certificate services?
2) Name four security solutions that require certificate services.
3) What is the difference between a stand-alone and an enterprise CA?
4) Why would a company use the services of a commercial Certificate Authority?
5) When would the use of one-to-one mappings in certificate services be preferable?
Pop Quiz 4.6 Answers
1) Certificate services provide authentication (verification of the identity of the certificate holder) and encryption/decryption of data between client and server.
2) S/MIME for secure e-mail, SSL or TLS for secure connectivity to web sites, EFS and smart cards are four examples of solutions that require certificate services.
3) A stand-alone CA operates outside of Active Directory and is appropriate for situations where individuals from outside your organization need certificates. Enterprise CAs use Active Directory for the distribution and management of certificates.
4) A company would use a commercial CA if most of the security needs were for outside clients, and they did not wish to issue and maintain the certificates. While increasing direct costs, the use of a commercial CA also may increase user confidence in the process.
5) One-to-one mappings are only preferable when the number of users needing certificates is very small.
VIII Windows 2000 Network Services Security
Where to Start the Design: While most of the discussion so far has centered upon user authentication and access, there are a number of Windows 2000 services that need to be kept secure. The security is generally an aspect of the configuration of the particular service, as we shall see below. Each of these services has to be individually evaluated for its use in the network, the network design in terms of locations, firewalls, etc., and the potential for damage in the event of failure.
Windows 2000 DNS Security Designs: Windows 2000 DNS is much more secure than previous versions of DNS. This version is dynamic, that is, records are added and deleted automatically as computers renew and release DHCP addresses. All records are maintained in Active Directory, and all zone replication is handled by Active Directory replication. This provides additional security, since Active Directory records are maintained on domain controllers, which we have secured very carefully, as discussed previously. Additionally, DNS zones can be configured for secure dynamic updates, allowing only authorized computers to add records to DNS.
Windows 2000 Remote Installation Services (RIS) Security Design: Remote Installation Services (RIS) must be secured so that only authorized individuals or clients can install Windows 2000. Additionally, RIS servers must be authorized in Windows 2000 DHCP, preventing a rogue server from distributing Windows 2000 images. Then the RIS server will be configured in terms of which Active Directory users can connect to and download images from the server. The administrator can set NTFS permissions on answer files to limit who can use which answer files to access the automated installation using RIS. Typically, remote installations will be performed by technical support personnel and not by end-users. So the permissions we are discussing are to be given to administrative support personnel at the various locations throughout the company.
Windows 2000 SNMP Security Design: SNMP is used in TCP/IP networks for remote management and remote monitoring of devices. The key security component of SNMP security is the level of permissions granted to the community managers, who will in turn use these permissions either to monitor or to change the configuration of remote devices. While there are five different permissions, only Read and Read Create are meaningful. Read allows the manager to monitor the device MIB and evaluate performance. Read Create (and also Read Write) will allow the manager to change the configuration of the device. Besides limiting who can change SNMP device configuration by setting permissions to Read, the data flow from SNMP device to client can also be secured using IPSec for encryption/decryption of data.
Windows Terminal Server Security Designs: Terminal service has many settings for securing the service, including time restrictions, logon attempts, terminal server group permissions and encryption levels during the session. User accounts in Active Directory have a tab named Terminal Services Profile where Allow Logon to terminal services can be checked or cleared to allow or disallow access to terminal services. Additionally, you can set maximum time limits for the active session and for disconnection of idle connections. Sessions can be configured to run as an application, so that users are limited to the specified application. There are also permissions in terminal services that are configurable for user sessions that can further limit access for user accounts.
Pop Quiz 4.7 Questions
1) Why is DNS in Windows 2000 inherently more secure than previous versions?
2) What setting in Windows 2000 DNS controls whether or not a client can update a dynamic zone upon logon?
3) Which user accounts in a typical RIS configuration will have permissions to connect to the RIS server at boot?
4) What setting in SNMP has the greatest impact on securing devices from malicious attempts at reconfiguration?
5) Where would the administrator go to disable a specific user’s ability to use terminal services?
Pop Quiz 4.7 Answers
1) DNS in Windows 2000 stores all records in Active Directory. Since Active Directory is stored on domain controllers, which (as already discussed) need security templates applied to secure them at a high level, the records are in a very secure location by default.
2) DNS servers can be set to only allow secure dynamic updates from specified computers. Non-authorized computers would not be able to add records to DNS with this setting enabled.
3) RIS, Remote Installation Services, is typically used by network administrators to install Windows 2000 Professional on new workstations. At each location that would use RIS, the RIS server would only be authorized for connections by those specific accounts.
4) In setting up SNMP, the permissions Read Create and Read Write allow the device to be remotely reconfigured. Granting only Read permissions will allow the device MIB to be read, but no remote reconfiguration will be possible.
5) To disable a specific user’s ability to connect to terminal services, the administrator would go to the user account in Active Directory, select the Terminal Services Profile tab and clear the check mark for Allow Logon to Terminal Server.
IX Chapter 4: Summary
• Know that setting auditing involves enabling auditing and then setting the audit settings for the resource to be audited. Audit for failure to catch potential hackers, and for success to document security breaches. Auditing creates security log files that are viewed with Event Viewer. The creation of the log files places overhead on the server, so verbose logging is generally not left on for extended periods of time.
• With the introduction of Active Directory, it is now possible to delegate authority to create all objects in a given container, specified objects in a given container, or only to modify specific attributes of specified objects in a given container.
• Security policies are a combination of account policies, which are set at the domain level, and Group Policies, which can be set at the site, domain or OU level. Differing account policy needs mean creation of separate domains. Group Policies inherit down the Active Directory structure. Inheritance can be used by design, or can add complexity as Group Policies combine at lower levels in the forest.
• Windows 2000 supports Kerberos V5 for Windows 2000 computers as the default authentication protocol. All other Windows systems can use NTLM authentication. Additional authentication methods are supported in Windows 2000, including SSL or TLS for web connectivity, RADIUS for dial-up connectivity, S/MIME for secure e-mail and smart cards for securing authentication to workstations.
• Security groups are used to give access to resources in a controlled manner and to minimize administrative effort. User accounts are placed in global groups based upon common need for a resource, and then the global group is placed in a domain local group, which has been given permission to the needed resource. Universal groups allow global groups from separate domains to be combined and given access in one operation.
• Windows 2000 provides certificate services for certificate-based security schemes, including smart cards, S/MIME, SSL and EFS. Private Certificate Authorities can be implemented in Windows 2000, for those companies that wish to manage certificate services internally. Commercial CAs can be used in combination with private CAs. Private CAs can be either Enterprise CAs, which use Active Directory and are for internal needs, or Stand-alone CAs, which do not use Active Directory and are for settings where the majority of users are external to the organization. For larger organizations, Certificate Authority hierarchies can be created, based upon user, structure or location.
• In Windows 2000 networks additional scrutiny should be given to DNS, RIS, SNMP and terminal services. Each has its own settings for configuring security.
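The first summary point, audit failure to catch attempts and audit success to document a breach, as an added Python example (not the book's code): a detection pass over constructed security-log records for the FTRACK database folder. The record layout, account names and paths are constructed and only loosely modelled on the Windows 2000 Object Open event (ID 560); nothing here is a real log.

```python
"""Detection pass over constructed Windows 2000 security-log records of the
kind object-access auditing produces for the FTRACK folder. Added example,
not from the book: the record layout, account names and paths are constructed
and only loosely modelled on event 560 (Object Open). Failure audits surface
unauthorized attempts; success audits by accounts outside the group meant to
hold access document a breach by someone who does have access.
"""
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Set


class Event(NamedTuple):
    time: str
    outcome: str    # "Success" or "Failure"
    event_id: int   # 560 = Object Open, 528 = Successful Logon
    user: str       # DOMAIN\\name
    obj: str        # audited file or folder, "-" when not applicable
    access: str     # ReadData, WriteData, ListDirectory, ...


# Constructed sample log, pipe-separated: time|outcome|id|user|object|access
SAMPLE_LOG = """\
2003-05-12 09:14:02|Success|560|BFQ.COM\\alice|D:\\FTRACK\\contacts.mdb|ReadData
2003-05-12 09:15:40|Success|560|BFQ.COM\\alice|D:\\FTRACK\\contacts.mdb|WriteData
2003-05-12 09:20:11|Failure|560|BFQ.COM\\mallory|D:\\FTRACK\\contacts.mdb|ReadData
2003-05-12 09:20:13|Failure|560|BFQ.COM\\mallory|D:\\FTRACK\\contacts.mdb|ReadData
2003-05-12 09:20:15|Failure|560|BFQ.COM\\mallory|D:\\FTRACK|ListDirectory
2003-05-12 10:02:55|Success|560|BFQ.COM\\carl|D:\\FTRACK\\contacts.mdb|ReadData
2003-05-12 10:03:30|Success|560|BFQ.COM\\carl|D:\\FTRACK\\history.mdb|ReadData
2003-05-12 10:10:00|Success|560|BFQ.COM\\alice|D:\\PUBLIC\\notes.txt|ReadData
2003-05-12 11:00:00|Success|528|BFQ.COM\\carl|-|Logon
"""

READ_ACCESSES = {"ReadData", "ListDirectory"}


def parse_log(text: str) -> List[Event]:
    """Parse the constructed pipe-separated layout into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, outcome, eid, user, obj, access = line.split("|")
        events.append(Event(time, outcome, int(eid), user, obj, access))
    return events


def under_folder(path: str, folder: str) -> bool:
    """Case-insensitive test that path is the folder itself or lies beneath it."""
    p, f = path.lower(), folder.lower().rstrip("\\")
    return p == f or p.startswith(f + "\\")


def failed_attempts(events: List[Event], folder: str, threshold: int = 2) -> Dict[str, int]:
    """Accounts with at least `threshold` failed object-access audits under the
    folder: what auditing failure of NTFS Read on the folder is meant to catch."""
    counts = Counter(
        e.user for e in events
        if e.event_id == 560 and e.outcome == "Failure" and under_folder(e.obj, folder)
    )
    return {user: n for user, n in counts.items() if n >= threshold}


def unexpected_reads(events: List[Event], folder: str, authorized: Set[str]) -> Dict[str, List[str]]:
    """Successful reads under the folder by accounts outside the authorized set:
    what auditing success of NTFS Read documents when access itself was granted."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for e in events:
        if (e.event_id == 560 and e.outcome == "Success" and e.access in READ_ACCESSES
                and under_folder(e.obj, folder) and e.user not in authorized):
            hits[e.user].append(e.obj)
    return dict(hits)
```

With the sample above, `failed_attempts` reports the account repeatedly denied access to the folder, while `unexpected_reads` reports the account that read the database successfully without being in the authorized set; the logon event and the read outside the folder are ignored.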
X Chapter 4: Post-Assessment
(Answers appear in Appendix A.)
1) BFQ, Inc. and BeachFront, as the merger proceeds, have expressed an interest in engaging in the expanding area of on-line training. To accomplish this a public web site will need to be created, or access from their current web site will need to be enabled. They want individuals to be able to sign up on-line, pay with personal credit cards, and then to be able to access courses based upon secure user names and passwords. The current web server is maintained at an ISP site, but BFQ, Inc. is considering moving the entire project in-house. What authentication method will remote users need to be able to securely access their on-line learning site?
A. Kerberos V5
B. SSL
C. RADIUS
D. S/MIME
E. EFS
2) Given that the company wishes to engage in secure e-commerce for this on-line learning venture, what recommendation would you make for secure credit card transactions?
A. Use a stand-alone Certificate Authority.
B. Use an Enterprise Certificate Authority.
C. Use a commercial Certificate Authority.
D. Create a CA hierarchy.
3) In addition to the on-line courses, BFQ wishes to offer secure e-mail for students who need help with their studies. What solution would need to be configured to support secure e-mail?
A. Kerberos V5
B. SSL
C. RADIUS
D. S/MIME
E. Smart cards
4) The FastTrack database that maintains the entire customer contact and class history information is maintained on a Windows 2000 server at the headquarters location on an NTFS volume named FTRACK. The merged company will consist of two domains, BFQ.COM and BEACHFRONT.COM, in a single forest. Salespeople at each location will need to be able to access FastTrack to add contact notes and schedule students into classes. How would you recommend this access be implemented?
A. Create a global group named Sales and add user accounts from both domains, then add the Sales group to a domain local group named Fast that has been granted NTFS Modify permission to the FastTrack database folder.
B. Create a domain local group named Sales and add user accounts from both domains, then add the Sales group to a global group named Fast that has been granted NTFS Modify permission to the FastTrack database folder.
C. Create a global group named Sales in each domain and add user accounts from both domains, then add the Sales groups to a domain local group named Fast that has been granted NTFS Modify permission to the FastTrack database folder.
D. Create a domain local group named Sales in each domain and add user accounts from both domains, then add the Sales groups to a global group named Fast that has been granted NTFS Modify permission to the FastTrack database folder.
5) Since this database is the heart of the business, how will you assure that no unauthorized attempts to access the database are occurring? (Choose 2)
A. Enable auditing of account management.
B. Go to the Security tab of the folder that contains the database and record success of the NTFS Read permission.
C. Enable auditing of object access.
D. Go to the Security tab of the folder that contains the database and record failure of the NTFS Read permission.
E. Go to the Security tab of the folder that contains the database and record failure of the NTFS Modify permission.
6) You have been told by management that someone not in the Sales group has been selling information about corporate customers to the competition. What settings would you recommend to catch the unauthorized access into the FastTrack database? (Choose 2)
A. Go to the Security tab of the folder that contains the database and record failure of the NTFS Read permission.
B. Enable auditing of object access.
C. Go to the Security tab of the folder that contains the database and record success of the NTFS Read permission.
D. Enable auditing of account management.
E. Go to the Security tab of the folder that contains the database and record failure of the NTFS Modify permission.
7) It is projected that the migration from Windows NT 4.0 to Windows 2000 will take about six months. During that time period, users will be using Windows NT 4.0 workstations with the Windows 2000 Active Directory Client software installed to access resources and perform their daily responsibilities. What protocol will they use for logon authentication?
A. Kerberos V5
B. SSL
C. NTLM
D. RADIUS
E. Clear text
8) Which method of authentication uses symmetric keys for data encryption and then uses a public/private key pair to encrypt the symmetric key for secure transport from sender to recipient?
A. Kerberos V5
B. SSL
C. S/MIME
D. RADIUS
E. EFS
9) BeachFront has pioneered a self-paced training curriculum for students who cannot attend scheduled classes. The courseware is maintained on a Windows 2000 server and accessed using their custom-developed application interface. Similar to CBT or TBT training materials, students may proceed from section to section at their own pace. Each course is accessed from a different Windows 2000 Professional workstation. Security, however, has eluded BeachFront. They are concerned that students only access the courses for which they have paid fees. What solution(s) in Windows 2000 can help secure access to this self-paced curriculum? (Choose 2)
A. EFS
B. SSL
C. Smart cards
D. Certificate services
E. Kerberos V5
10) The developer for the self-paced curriculum has come to you and asked if it would be helpful if the different application interfaces for the different courses could run directly on the server. What other method would then be available for securing this self-paced product?
A. All students could use workstations in the self-paced lab to log on with Kerberos V5 using accounts created for them in Active Directory. The application could then be launched from the server to access the self-paced course.
B. All students could use a browser to access the application on the Windows 2000 server, using SSL authentication to control which application the user could access.
C. All students could use workstations in the self-paced lab to log on with Kerberos V5 using accounts created for them in Active Directory. Then, using terminal services, the user could log on to the specific user interface that had been authorized for their user account.
D. Students would log on at the lab workstations using smart cards and then launch the server-based application to access the self-paced courses.
11) You have decided that the appropriate solution for question #10 is answer D. What settings in terminal services need to be configured to enable the necessary security? (Choose 2)
A. The user accounts need the Allow Logon to terminal services box checked on their Terminal Services Profile tab.
B. Use the Sessions tab in the RDP-TCP Properties dialog box in Terminal Services Configuration to set a maximum time limit of 15 minutes.
C. Configure the session for the user to run as the application that will run the self-paced course that the user has purchased.
D. Configure the Sessions tab on the user account to limit the connection time to 15 minutes.
E. Configure the Terminal Services Profile tab to download a custom profile that disables changing display settings and sets a default wallpaper.
12) The account policies for BFQ, Inc. require passwords to be changed every 30 days and require unique passwords. The past 12 passwords cannot be used. Instructors are constantly forgetting their passwords and locking out their accounts. What recommendation would you make to alleviate this problem?
A. Place the instructor user accounts in a separate OU, and then set a different password policy for instructors so that they only have to change their passwords every 180 days.
B. Place the instructor accounts in a separate OU and create a Group Policy that blocks the domain password policy.
C. Place the instructor accounts in a separate OU and give a support person at each location Full Control object rights to the OU.
D. Place the instructor user accounts in a separate OU and give a support person at each location the right to modify the password attribute of the user objects in that OU.
E. None of these.
13) The outside salespeople for BFQ, Inc. carry laptop computers and connect back via the Internet to the FastTrack database with a browser to check the schedule. It has been determined that booking their customers’ employees in classes would not be secure, so the booking takes place on the laptop and is uploaded once they are directly connected to the BFQ, Inc. LAN. What solution would you recommend to secure the laptop files in the event of loss or theft?
A. SSL
B. IPSec
C. EFS
D. RADIUS
E. PKI
14) The decision has been made to allow one person from each remote location to change forgotten passwords and unlock locked accounts. Because of limited bandwidth, the decision has been made to create each location in Active Directory as a domain. Which groups need to be created to implement this plan? (Choose 2)
A. Create a global group in each domain and add the user account to the global group.
B. Create a universal group and add all of the global groups to the universal group.
C. Create a domain local group and give the domain local group the write permission at the OU level to change passwords and unlock accounts.
D. Create a domain local group and give the domain local group the write permission at the user level to change passwords and unlock accounts.
E. Create a universal group and add the domain local groups to the universal group.
Designing a Windows 2000 Security Solution 129
15) Corporate IT management has expressed concern over the plan to delegate authority to the support people at each location. Specifically, he is worried that the support people may begin to modify group memberships and compromise the security groups that have been established. What security measures can you recommend that may help allay the fears of this manager? (Choose 2)
A. Create a Group Policy for the OU that contains the domain controller computer objects.
B. Enable auditing of object access.
C. Enable auditing of success and failure of modifying group membership in directory service access.
D. Set the OU that contains the domain controller computer objects Group Policy settings to No Override.
16) Instructors frequently train at centers away from home. When staying in hotels, they wish to connect back to the company network to do evening work. What security solution would allow them to connect securely from any hotel room?
A. IPSec
B. SSL
C. RADIUS
D. EFS
E. Smart cards
17) In implementing the solution for #16, you do not wish to place Active Directory-bearing servers at the many different ISP dial-up POPs. What requirement will you have for an ISP to be able to support this solution?
A. The ISP must have an 800 number back to their POP that is local to your headquarters location.
B. The ISP POPs must have RADIUS servers with replicas of your Active Directory forest for authentication.
C. The ISPs must support RADIUS proxy at each POP to forward RADIUS requests to your RADIUS server.
D. The ISP POPs must support SSL connections so that the RADIUS client can connect securely back to the corporate RADIUS server.
18) What authentication solution is useful for securing e-mail between individuals?
A. Kerberos V5
B. SSL
C. S/MIME
D. EFS
E. Smart cards
19) Because of bandwidth limitations, the BFQ, Inc. forest will consist of at least 50 domains. What security group implementation will require the least configuration to allow the salespeople from each domain to access the FastTrack database? (Choose 3)
A. Create a global group in each domain and add the user accounts to the group.
B. Add each global group to a domain local group in the headquarters domain, which has been given Modify NTFS permissions to the FastTrack database.
C. Create a domain local group in each domain and give the domain local group NTFS Modify permissions to the FastTrack database.
D. Create a universal group and give the universal group NTFS Modify permissions to the FastTrack database.
E. Add the global groups to the universal group.
20) The IT manager has read glowing reviews, and wants to install Windows 2000 Professional on all of the workstations at each location. What Windows 2000 solution will help automate these installations while still securing the process?
A. DNS
B. SNMP
C. RIS
D. RADIUS
E. SSL
Chapter 5: Designing Security Access Between Networks
The objective of this chapter is to provide the reader with an understanding of the following:
• The difference between a private and a public network
• The risks associated with connecting locations across a public network
• The different types of external users in networks today
• How to leverage Active Directory to simplify access and security for external users
• How VPNs are used to secure LAN or WAN networks
• Why WAN networks across public infrastructure differ in their VPN issues
I
Introduction
Corporate networks today are increasingly connecting site-to-site, client-to-site, and even client-to-client. The costs and complexity of providing this connectivity have increased over the past few years, with the recent trend towards using the Internet rather than leasing lines between sites, and using the Internet for remote users rather than dial-up connectivity (such as RAS). This movement towards the Internet as a low-cost solution has given rise to concerns about security. Data transmissions across the Internet cannot be considered secure unless they are encrypted. Furthermore, this type of connectivity gives rise to the need to authenticate, that is, to validate the identity of the sender. Otherwise, data transmissions could be intercepted, modified and forwarded on without anyone knowing that it had occurred. To reduce the risks involved in these areas, authentication and encryption solutions, loosely labeled as VPN or Virtual Private Network, have evolved. This section begins with a brief discussion of private and public networks, and then moves on to discuss the concerns and solutions for connectivity for external users and in LAN and WAN networks in Windows 2000.
Information: This section is all about connectivity. You must be very clear about the limitations of each solution; for example, non-Windows 2000 computers must use PPTP for secure VPN connectivity. As was true with previous chapters, know which solution fits in which setting. Then you must identify how previously supplied information may affect your recommendations. For example, a casual mention of a location in another country will affect the encryption solution you may use, because of the differing regulations in different countries regarding use of encryption technology. Fit the solution with the need, and then adjust according to other information that may limit the solution’s implementation.
Getting Ready - Questions
1) The use of T-1, frame relay and ATM solutions is found primarily on which type of network, private or public?
2) What is the difference between a private and a public network?
3) What Windows 2000 technology can be used to provide users with access to the Internet while hiding their workstations from the Internet?
4) Which type of network offers higher bandwidth at lower costs for connecting remote locations?
5) What is the greatest risk in using a public network to connect remote locations?
Getting Ready - Answers
1) T-1, frame relay and ATM are WAN connectivity solutions typically used to create a private network between remote locations.
2) In a private network, the company either owns the connectivity equipment, or leases a dedicated connection between locations. In a public network, the company uses equipment that is also available for use by others to connect remote locations.
3) By enabling the Windows 2000 server as a router and enabling NAT (Network Address Translation), users on the private segment can be granted access to the hosts on the Internet, while not allowing their IP addresses to be visible to users on the Internet.
4) Public networks offer much higher bandwidth solutions at much lower costs than the private connectivity solutions currently available.
5) The greatest risk in using a public network to connect locations is the shared nature of the network, which makes it not secure. This gives rise to the need for VPN solutions for authentication and encryption/decryption of the data during transmission.
II
Secure Access to Public and Private Networks
What is a Public Network:
Public networks use shared infrastructure. Because the networks are shared, they are inherently insecure. Transmissions can be intercepted, read, modified, etc. The best example of a public network today is the Internet. Connectivity to the Internet can be provided by using dial-up services, ISDN, DSL, broadband (cable modem), etc.
What is a Private Network: A private network is created when an organization leases or purchases connectivity solutions between locations. T-1, frame relay, and ATM are all examples of WAN solutions commonly used by organizations to provide guaranteed bandwidth and security between remote locations. This type of network is not at risk of outside users intercepting or modifying transmissions, since no one outside the company can access the infrastructure used to connect locations.
Difference between Public and Private Networks: The costs of leasing or purchasing connectivity are high for private networks and the costs escalate as the bandwidth and the distance between endpoints increases. Recently companies have begun to use the Internet as a backbone to connect remote locations. At each endpoint the company establishes an IP connection to a local ISP, and then transmissions between locations flow across the Internet. This type of solution can drastically reduce the cost of connectivity, while at the same time increasing the bandwidth between locations. Unfortunately, as we noted earlier, public networks are not secure. Because the private network is created using dedicated equipment and is not shared with other organizations, transmissions between endpoints can be considered secure and need not be subjected to encryption solutions. As we noted earlier, transmissions across the Internet are susceptible to interception, and could be read or modified. The use of public networks to connect remote locations can be secured using routers configured to provide authentication and/or encryption/decryption. These technologies are loosely referred to as VPN or virtual private networks. VPNs can be created on Windows 2000 servers configured as routers, or on routers purchased from hardware manufacturers.
Typically these routers will use PPTP, L2TP/IPSec or IPSec in tunnel mode to provide security by creating encrypted tunnels through which data can be transmitted securely. The only other issue that companies deal with is providing access to the Internet from their private network in a secure manner. Two solutions can help: NAT (Network Address Translation) and firewalls. The use of NAT allows the hosts on the private network to share a public address for access to the Internet, while not allowing hosts on the Internet to know of or access the hosts on the private network. Firewalls are additional security used to reject attempts from the public network (that is, the Internet) to intrude into the company's private network.
Pop Quiz 5.1 Questions
1) You are consulting for a small law office that only supports twelve users. What Windows 2000 solution would you recommend to enable Internet access in the simplest manner for these users?
2) If this law office were part of a regional organization, which connectivity solution would be lower cost, a leased line to the regional home office or a DSL connection to a local ISP?
3) You have recommended the DSL connection to a local ISP to help establish connectivity to the regional home office. What other solution will be required to secure this public network?
4) What are three commonly used encryption/decryption protocols used with Windows 2000 to establish VPN connectivity?
5) The local partner for the law firm wants to reduce costs, and is considering rejecting the recommendation for a VPN to secure the DSL connection. What issues can you bring to his attention that may change his mind?
Pop Quiz 5.1 Answers
1) For this small an implementation, NAT would be the simplest means by which users could be provided with Internet access. A proxy server could also be configured, but would not be as simple as configuring NAT.
2) Leased lines across long distances are generally more expensive than a DSL connection to a local ISP.
3) The DSL connection could allow connectivity to be established between locations, but then the connection must be secured, since it travels across public infrastructure. A site-to-site VPN could provide an encrypted tunnel through which data could travel securely.
4) The most commonly used protocols for creating an encrypted tunnel between sites are PPTP, L2TP/IPSec and IPSec in tunnel mode.
5) You should remind the individual that data transfers across this connection will travel in clear text. It is possible for individuals outside the law firm to intercept the transmissions and read or modify the contents. Since much of their data is of a legal nature, this should provide adequate motivation to approve the VPN.
III
Provide External Users with Secure Access
Who is an External User:
External users may take on many forms. They may be vendor partners that you wish to allow access to certain portions of your network. Other external users may be the general public, which you wish to give access to certain information. Some organizations provide their customers with access to data. Users may be granted access through the creation of an extranet, or be connecting using a dial-up connection, or may be using an e-commerce web site for access to resources. Many companies use contract employees or temporary employees who need access to company resources to perform their duties. In each of these situations, once access to the resource has been granted, authentication, or what is sometimes referred to as non-repudiation, and encryption/decryption solutions become necessary.
Secure Access: One means of securing access for vendor partners is to create a separate domain or OU in Active Directory and add the user accounts for their people. The company can then use Active Directory to simplify security management. Domains are useful when account policy requirements are entirely different from those of the rest of the internal organization, when the partner needs to manage their own user accounts, or when slow WAN links separate the vendor and the company location (to reduce replication traffic). Otherwise, it is simpler to create OUs for the vendor, as well as for contract employees or other temporary employees. Role-based management allows the separate OUs to be managed in whatever manner you wish, while still maintaining domain-wide centralized administration. Once the decision has been made whether to create a separate domain or a separate OU, security groups are created and granted access to the necessary resources using Windows 2000 permissions for the resource, and user accounts are added to the security groups as necessary. As we discussed earlier, the security solution is dependent upon the nature of the connectivity. For instance, secure e-mail generally uses S/MIME, web connections can be secured using SSL or TLS, site-to-site connectivity can be secured using L2TP/IPSec to create an encrypted tunnel, dial-up connections can be secured using RAS settings, and terminal services can be used with session limits, connection permissions, file permissions, etc.
IV
Secure Access Between Private Networks
Secure Access within a LAN:
A VPN can be created in a LAN through the implementation of PPTP, L2TP/IPSec or IPSec. Windows 95, Windows 98 and Windows NT computers will not support IPSec. In this type of mixed network, PPTP can be used to create an encrypted tunnel using MPPE (Microsoft Point-to-Point Encryption) with 40-bit encryption keys. In a homogeneous network of Windows 2000 computers, L2TP/IPSec can be used to provide a more secure solution. L2TP/IPSec is generally used in client-to-gateway and gateway-to-gateway situations, while for client-to-client security IPSec transport mode can be used.
Secure Access within a WAN: Unfortunately, IPSec and L2TP/IPSec traffic cannot pass through a NAT router. Where NAT sits in the path, creating a VPN between locations would instead require a gateway-to-gateway (or site-to-site) configuration using PPTP. Most companies, however, do not use NAT across private WAN connections. In many of these situations, L2TP/IPSec will operate successfully and provide a more secure site-to-site VPN.
Secure Access across a Public Network: When companies use a public network, such as the Internet, as a backbone to connect remote sites, each location is typically using a NAT router to hide the private network from the public network (along with other types of firewall solutions). In these companies, PPTP will be the only viable solution for security between sites, coupled with MPPE and the use of 40-bit, 56-bit, or 128-bit encryption keys. The only other problem in these situations is the issue of regulations in different countries regarding the use of 128-bit encryption keys. Companies that wish to secure connections across national boundaries will need to standardize on the encryption technology available at all locations.
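The NAT incompatibility described above, as an added example that is not part of the study guide: a small Python model of what a NAT router does to AH and ESP packets. Addresses, keys and payloads are constructed, and the integrity-check layout only mirrors the real headers (AH's ICV covers the immutable IP header fields including the addresses, so a rewritten source address invalidates it; ESP's ICV leaves the outer header out, but a port-translating NAT has no TCP/UDP port in an ESP or AH packet to build its mapping on and drops the packet).

```python
"""
Added example (not from the study guide): a model of why AH and ESP traffic
fails through the NAT routers of the Windows 2000 era. Addresses, keys and
payloads are constructed; the ICV layout only mirrors the real one.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

AH, ESP, TCP, UDP = 51, 50, 6, 17   # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    src: str           # outer IP source address
    dst: str           # outer IP destination address
    proto: int         # IP protocol number
    payload: bytes     # everything after the IP header
    icv: bytes = b""   # integrity check value carried by AH or ESP


def ah_icv(key: bytes, pkt: Packet) -> bytes:
    """AH authenticates the immutable IP header fields (source and destination
    addresses included) together with the payload; truncating HMAC-SHA1 to 96
    bits mirrors HMAC-SHA1-96."""
    covered = f"{pkt.src}|{pkt.dst}|{pkt.proto}|".encode() + pkt.payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:12]


def esp_icv(key: bytes, pkt: Packet) -> bytes:
    """ESP authenticates its own header and encapsulated data only; the outer
    IP header is deliberately excluded."""
    return hmac.new(key, pkt.payload, hashlib.sha1).digest()[:12]


def protect(key: bytes, pkt: Packet, icv_fn) -> Packet:
    return replace(pkt, icv=icv_fn(key, pkt))


def verify(key: bytes, pkt: Packet, icv_fn) -> bool:
    return hmac.compare_digest(icv_fn(key, pkt), pkt.icv)


def basic_nat(pkt: Packet, public_ip: str) -> Packet:
    """One-to-one NAT: only the source address is rewritten."""
    return replace(pkt, src=public_ip)


def napt_forward(pkt: Packet, public_ip: str,
                 table: Dict[Tuple[str, int], Tuple[str, int]]) -> Optional[Packet]:
    """Port-translating NAT (the usual kind at a site border): the mapping is
    keyed on the transport-layer source port, which the first two payload bytes
    hold for TCP/UDP in this model. AH and ESP carry no port field, so the
    router has nothing to key the mapping on and drops them (returns None)."""
    if pkt.proto not in (TCP, UDP):
        return None
    src_port = int.from_bytes(pkt.payload[:2], "big")
    public_port = 40000 + len(table)          # constructed allocation scheme
    table[(public_ip, public_port)] = (pkt.src, src_port)
    return replace(pkt, src=public_ip,
                   payload=public_port.to_bytes(2, "big") + pkt.payload[2:])


def ah_survives_nat(key: bytes) -> bool:
    pkt = protect(key, Packet("10.0.0.5", "203.0.113.9", AH, b"\x00" * 12 + b"data"), ah_icv)
    return verify(key, basic_nat(pkt, "198.51.100.1"), ah_icv)


def esp_icv_survives_nat(key: bytes) -> bool:
    pkt = protect(key, Packet("10.0.0.5", "203.0.113.9", ESP, b"\x00" * 8 + b"data"), esp_icv)
    return verify(key, basic_nat(pkt, "198.51.100.1"), esp_icv)


if __name__ == "__main__":
    key = b"constructed-shared-key"
    print("AH ICV still valid after NAT:", ah_survives_nat(key))        # False
    print("ESP ICV still valid after NAT:", esp_icv_survives_nat(key))  # True
    table = {}
    esp = Packet("10.0.0.5", "203.0.113.9", ESP, b"\x00" * 8 + b"data")
    tcp = Packet("10.0.0.5", "203.0.113.9", TCP, (1025).to_bytes(2, "big") + b"GET /")
    print("NAPT forwards ESP:", napt_forward(esp, "198.51.100.1", table) is not None)  # False
    print("NAPT forwards TCP:", napt_forward(tcp, "198.51.100.1", table) is not None)  # True
```

Two caveats the model makes visible: the ESP integrity check itself survives an address rewrite, so ESP's problem at a NAT is the missing port field (and, in transport mode, the TCP checksum over the IP pseudo-header), not the ICV. NAT traversal, which wraps ESP in UDP port 4500 (RFC 3947/3948), removed this limitation later and is not part of Windows 2000 as described in this chapter.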
Pop Quiz 5.2 Questions
1) Name three different types of external users in securing a Windows 2000 network.
2) What component of Windows 2000 can be used to simplify the securing of access for external users?
3) What are three reasons to create a separate domain in Active Directory for external users?
4) Why would you create separate OUs in Active Directory rather than a separate domain for external users?
5) After securing access to the resource for the external users, what are two other areas of concern for security design?
6) What are the three common VPN tunneling protocols available for Windows 2000 networks?
7) Your company's networks use Windows 98 for client operating systems. What VPN solution is supported on these workstations?
8) Which of the three tunneling protocols is compatible with NAT?
9) Which of the three solutions was based on an earlier protocol developed by Cisco Systems and provides the highest level of VPN security?
10) When configuring VPN solutions across public infrastructure, what non-technical issue can affect the level of security available?
Pop Quiz 5.2 Answers
1) The most common types of external users include vendor partners, customers, temporary or contract employees and the general public.
2) Securing access to a resource for an external user can be simplified by creating an Active Directory user account for the external user and using the Active Directory settings to enable and control security. User accounts in AD have many settings that relate to the security solutions that may be used, such as IPSec, terminal services, etc.
3) A separate domain would be necessary if the external user accounts required different account policy settings (like password security), if the external users needed to be managed by the vendor partner, or if the partner location was separated from the company location by a low-bandwidth WAN connection.
4) If the company wants to maintain centralized security, but delegate administration of the external users' Active Directory accounts back to the partner, then creating a separate OU would be the best choice.
5) Once access to the resource has been secured, then data integrity, as provided by encryption solutions, and non-repudiation, as provided by authentication mechanisms, are the remaining areas of concern.
6) Windows 2000 installs with native support for PPTP, L2TP/IPSec and IPSec for VPN implementations.
7) Windows 98 computers support VPN implementations using PPTP, but not L2TP/IPSec or IPSec.
8) PPTP is NAT compatible, while the other two protocols are not.
9) L2TP is an IETF standard protocol, which had its origins in L2F, a Cisco Systems protocol. L2TP is actually a combination of L2F and PPTP. L2TP/IPSec provides the highest level of VPN security available today in Windows 2000 networks.
10) VPN solutions between sites in different countries will fall under differing regulations regarding the use of encryption technologies. The most widely known restriction is the ban on the export of 128-bit encryption schemes outside of the United States and Canada.
V
Chapter 5: Summary
• A private network is one in which connectivity is either owned or leased exclusively by the parent company. In a public network, users share access, reducing costs but increasing security risks.
• To provide users access to resources on a public network, like the Internet, from a private network, either NAT or proxy services can be used.
• To provide security for computers using public networks, VPN technologies have evolved using PPTP, L2TP/IPSec and IPSec in tunnel mode to provide for non-repudiation (authentication) and data integrity (encryption).
• To provide external users, like contract employees or vendor partners, with secure access to corporate resources, separate domains or OUs can be created in Active Directory. Security groups can then be created, granted access to the appropriate resources, and user accounts created for the external users can be added to the security groups.
• Separate domains would be created rather than separate OUs for external users only if the users required different account policies (which are set at the domain level).
• A VPN in a LAN environment could use L2TP/IPSec if all of the computers involved were Windows 2000 computers.
• Windows 98 or Windows NT computers in a VPN setting cannot use L2TP/IPSec or IPSec, but can use PPTP.
• L2TP/IPSec and IPSec are not compatible with NAT. VPNs connecting networks across public infrastructure, like the Internet, would probably use PPTP for site-to-site connectivity, since the VPN servers would probably reside behind the NAT routers at each end.
• Connecting locations in different countries using VPN technologies will require knowledge of the relevant laws and regulations regarding the use of encryption technologies in each country.
VI
Chapter 5: Post-Assessment
(Answers appear in Appendix A.)
1) It has come to your attention that after the merger of BFQ, Inc. and BeachFront, a further merger with a South American training organization, Tech 2000, is under consideration. You have just reached the planning stages for recommendations for connecting the two headquarters locations. Management specified that they wanted a low-cost solution for connectivity between headquarters locations, with sufficient bandwidth for future growth, but did not wish to compromise security. What solution would be the best in this situation?
A. Lease a 56 Kbps frame relay connection between locations and configure L2TP/IPSec at each end point for security.
B. Purchase a DSL connection from a local ISP at each location, and establish a site-to-site VPN using L2TP/IPSec.
C. Lease a T-1 between locations and establish a site-to-site VPN using PPTP.
D. Purchase a DSL connection from a local ISP at each location and establish a VPN using PPTP.
2) The IT manager for BFQ, Inc. is very concerned about security across the VPN between headquarters locations. He has indicated that the addition of the South American headquarters to the VPN will only heighten his security concerns. What level of security would be best to allay his concerns?
A. 40-bit DES
B. 56-bit DES
C. 3DES
D. 128-bit encryption
E. PPTP
3) BeachFront has had a long-standing relationship with a contract training company for the supply of contract trainers for classes that BeachFront cannot train. This company, The Trainers, has noted that the contract trainers often have problems accessing training resources at each location as they conduct the classes. They have suggested that the contract trainers need better access to software and other resources to successfully run the classes for which they have been contracted. BeachFront's VP of Instruction has expressed concern that these contract trainers should only have access during class hours, even though company trainers can access resources after hours for research and class setup. What are three recommendations you would make to provide the access while meeting the concerns of the VP? (Choose 3)
A. Create a separate OU named Trainers for the contract trainers with a security group named Contract inside and add all of the Active Directory user accounts for the contract trainers to the Contract group.
B. Give permissions to use the appropriate resources to the Contract group.
C. Modify the time restrictions for the Trainers OU so that the Active Directory users will only be able to logon during class hours.
D. Create a separate domain named Trainers with a security group named Contract inside and add all of the Active Directory user accounts for the contract trainers to the Contract group.
E. Modify the time restrictions for the Trainers domain so that the Active Directory users will only be able to logon during class hours.
4) The potential plans to merge with Tech 2000 have changed your recommendations for using VPNs to connect the headquarters locations. With both BFQ, Inc. and BeachFront implementing Windows 2000, what would have been the original recommendation for securing the WAN connectivity?
A. SSL
B. PPTP
C. L2TP/IPSec
D. IPSec
E. Enterprise CA
5) In examining the addition of Tech 2000 to the connectivity picture, identify two areas of concern in reaching a final recommendation. (Choose 2)
A. Tech 2000 uses Windows NT 4.0 and does not plan to upgrade.
B. Tech 2000 has no access to a DSL provider.
C. Tech 2000 has no internal expertise in VPN technology.
D. Tech 2000 is in Argentina, South America.
E. Tech 2000 does not use contract trainers.
6) What are two encryption solutions that would be negatively impacted by the need to connect locations in North and South America? (Choose 2)
A. 40-bit DES
B. 3DES
C. IPSec
D. 128-bit encryption
E. SSL
7) It has been suggested that the newly merged company could provide a web-based question and answer forum for their students as a differentiator. What solution would allow students to securely access this service while keeping administration as simple as possible?
A. Create a separate domain for the students.
B. SSL
C. Client-to-site VPN services
D. S/MIME
8) Once the headquarters locations install DSL lines to enable their VPNs, how will they provide Internet access to the internal employees? (Choose 2)
A. Microsoft Proxy Server
B. Microsoft Certificate Server
C. NAT
D. IPSec
E. SSL
9) As the headquarters locations decide to use NAT to provide their internal users with Internet access, which VPN solution(s) become no longer usable? (Choose 2)
A. SSL
B. L2TP/IPSec
C. PPTP
D. IPSec tunnel mode
E. 40-bit DES
10) Which of the following would be defined as external users in your analysis of the pending merger between BFQ, Inc. and BeachFront? (Choose 2)
A. Contract trainers connecting from their hotel rooms.
B. In-house instructors connecting from the classroom.
C. Contract instructors connecting from the classroom.
D. In-house instructors connecting from their hotel room.
E. In-house instructors connecting from their office work area.
Chapter 6: Designing Security Communication Channels
The objective of this chapter is to provide the reader with an understanding of the following:
• How SMB signing can be used to secure communications on a LAN
• How to use Group Policies to enable IPSec for securing communications
• The need for Automatic Certificate Request Settings in Group Policy for client computers
• Tools for monitoring and managing your IPSec solution
• How IPSec negotiation can be used to further secure the communications
• IP filters and how they can be set to further secure or allow communications
I
Introduction
Whether communication is occurring on a LAN connection or across some WAN interface, there may be a need to secure the channel. This chapter begins with a brief discussion of the use of SMB signing in a LAN to ensure authenticated communications. Then the discussion turns to the use of IPSec in securing communications in either a LAN or a WAN setting. While in the previous chapter we discussed VPN solutions in terms of fitting the solution with the need, in this chapter we focus on the use of IPSec in securing communications channels between two Windows 2000 computers. We will look in more detail at how to design, configure, manage and tune IPSec configurations in a Windows 2000 network.
Information: Securing communications channels crosses over topically with information from other chapters. SMB signing is presented here for the first time, while IPSec has been discussed previously. As is usual with the concept of design, it is assumed that the student already has an operational understanding of the underlying technology, in this case, SMB signing and IPSec. Designing is a matter of understanding when to use which technology solution, how to configure the solution, the compatibility issues with the solution and other technologies (like firewalls, NAT, etc.), and how to troubleshoot and maintain these solutions. Remember that IPSec with AH uses TCP port 51 while IPSec with ESP uses TCP port 50. In addition, UDP port 500 needs to be opened for either protocol.
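The compatibility question raised in the note above, with firewalls and NAT in the path, as an added example that is not part of the study guide: a first-match packet filter in Python, run over constructed sample packets. One point the filter makes concrete: the 50 and 51 that AH and ESP use are values of the IP header's Protocol field, not TCP ports, so a filter entry written as a TCP port never matches an IPSec packet, while IKE really does run over UDP port 500. The rule sets and packets are constructed for the example.

```python
"""
Added example (not from the study guide): a first-match packet filter that
shows which entries a router or firewall needs for IPSec to pass. AH and ESP
are identified by the IP header's Protocol field (51 and 50), not by a TCP
port; IKE uses UDP port 500. The rule sets and packets are constructed.
"""
from typing import Dict, List, Optional, Tuple

TCP, UDP, ESP, AH = 6, 17, 50, 51   # IP protocol numbers

# (action, ip_protocol, destination_port); None means the port does not apply / any port
Rule = Tuple[str, int, Optional[int]]
Packet = Dict[str, int]             # keys: proto, plus dport for TCP/UDP only


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    _, proto, dport = rule
    if proto != pkt["proto"]:
        return False
    if dport is None:
        return True
    # AH and ESP headers carry no port numbers, so a port rule can never match them
    return pkt.get("dport") == dport


def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """The first matching rule decides; anything unmatched is denied."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule[0]
    return "deny"


# Minimal set that lets a Windows 2000 IPSec peer negotiate and exchange traffic.
IPSEC_PASSTHROUGH: List[Rule] = [
    ("allow", UDP, 500),   # IKE (ISAKMP) negotiation
    ("allow", ESP, None),  # IP protocol 50: encrypted payloads
    ("allow", AH, None),   # IP protocol 51: authentication headers
]

# A common misreading of "50 and 51": opening TCP ports instead of IP protocols.
TCP_PORTS_50_51: List[Rule] = [
    ("allow", UDP, 500),
    ("allow", TCP, 50),
    ("allow", TCP, 51),
]

SAMPLE_PACKETS: Dict[str, Packet] = {   # constructed sample traffic
    "ike": {"proto": UDP, "dport": 500},
    "esp": {"proto": ESP},
    "ah": {"proto": AH},
    "web": {"proto": TCP, "dport": 80},
}


def evaluate(rules: List[Rule]) -> Dict[str, str]:
    """Verdict for each sample packet under the given rule set."""
    return {name: filter_packet(rules, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    print("IP-protocol rules:", evaluate(IPSEC_PASSTHROUGH))
    # {'ike': 'allow', 'esp': 'allow', 'ah': 'allow', 'web': 'deny'}
    print("TCP-port rules:   ", evaluate(TCP_PORTS_50_51))
    # {'ike': 'allow', 'esp': 'deny', 'ah': 'deny', 'web': 'deny'}
```

With the TCP-port rule set the IKE negotiation on UDP 500 succeeds and then every AH or ESP packet is silently dropped, which is the failure pattern to look for when IPSec peers authenticate but never exchange data.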
Getting Ready - Questions
1) SMB signing in Windows 2000 has been enhanced to provide both authentication and encryption solutions. (True or false)
2) What other security solution in Windows 2000 provides essentially the same type of security as SMB signing?
3) How can the implementation of IPSec be simplified in a Windows 2000 network?
4) IPSec is only useful in WAN communications. (True or false)
5) Name three tools in Windows 2000 for managing IPSec communications.
Getting Ready - Answers
1) False. SMB signing is an authentication solution, but does not encrypt the contents of the data packet.
2) IPSec with Authentication Headers does essentially the same thing that SMB signing does; that is, they both provide for mutual authentication.
3) By using Active Directory Group Policy objects, similar IPSec configuration settings can be applied to multiple Windows 2000 computers simply and automatically.
4) False. IPSec is also useful in securing communications on a LAN. Remember that 80% of security failures are from internal, not external threats.
5) IPSec communications can be monitored and maintained using Network Monitor, IPSec Monitor or Event Viewer.
II
Design an SMB-Signing Solution
SMB Signing Solution:
SMB signing is designed to help secure communications between Windows 2000 servers and clients on a LAN. SMB packets are normally used between client and server to transport data. The SMB signing solution adds a digital signature to every packet that the client and server exchange, after requiring a mutual authentication of both the client and the server. The authentication ensures that any file or data transfer is occurring with the appropriate computer. The digital signature ensures that packets received have not been intercepted and modified in any way. This attempt to intercept, modify and then forward is called a man-in-the-middle attack. SMB signing must be configured at both the client and the server. Server configuration allows the administrator to request SMB signing or to require SMB signing. In the event that the server requires SMB signing, and the client is not configured for SMB signing, the connection will be refused by the server. Clearly the most secure setting for a server is to require signing.
If the company's Active Directory design has computers in a common OU, then a Group Policy can be configured that sets the SMB signing configuration at the same level for all of the Windows 2000 computers. Windows NT 4.0 computers can also participate in SMB signing, provided that SP3 or later has been installed. Windows 95 and Windows 98 clients cannot participate in SMB signing communications. It is worth noting that the same functionality can be obtained by using IPSec with Authentication Headers, although this solution would require Windows 2000 computers exclusively. Remember, however, that SMB signing does not encrypt, and so does not provide protection against interception and examination of the contents of the datagram.
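The request/require negotiation and the per-packet signature described in this section, as an added example that is not part of the study guide. The Python model below uses a constructed session key and constructed SMB messages; the signature construction follows the SMB1 scheme (sequence number placed in the signature field, MD5 over session key and message, first 8 bytes sent), and the policy names map onto the Windows 2000 settings (the "when possible" and "always" Security Options, which back the EnableSecuritySignature and RequireSecuritySignature registry values on the server and workstation services).

```python
"""
Added example (not from the study guide): a model of SMB signing policy
negotiation and per-packet signing. Session key and messages are constructed.
"""
import hashlib
import hmac
from typing import Tuple

# Policies as Windows 2000 exposes them: "disabled", "enabled" (sign when
# possible / request signing) and "required" (sign always / require signing).
POLICIES = ("disabled", "enabled", "required")


def negotiate_signing(server: str, client: str) -> str:
    """Outcome of session setup: 'signed', 'unsigned' or 'refused'."""
    for side in (server, client):
        if side not in POLICIES:
            raise ValueError(f"unknown signing policy: {side}")
    if "required" in (server, client) and "disabled" in (server, client):
        return "refused"      # one side insists on signing, the other cannot sign
    if "disabled" in (server, client):
        return "unsigned"     # nobody insists, so the session falls back to unsigned
    return "signed"


def sign(session_key: bytes, seq: int, body: bytes) -> bytes:
    """SMB1-style signature: the 8-byte signature field is filled with the
    sequence number, the session key is prepended, the whole message is MD5'd
    and the first 8 bytes of the digest travel in the signature field."""
    signature_field = seq.to_bytes(8, "little")
    return hashlib.md5(session_key + signature_field + body).digest()[:8]


class Sender:
    def __init__(self, session_key: bytes) -> None:
        self.key = session_key
        self.seq = 0

    def send(self, body: bytes) -> Tuple[bytes, bytes]:
        signature = sign(self.key, self.seq, body)
        self.seq += 1
        return signature, body


class Receiver:
    def __init__(self, session_key: bytes) -> None:
        self.key = session_key
        self.expected_seq = 0

    def accept(self, signature: bytes, body: bytes) -> bool:
        """True only for an unmodified packet carrying the next expected
        sequence number. A replayed, reordered or edited packet fails because
        its signature was computed over different bytes; the expected sequence
        number only advances on success."""
        if not hmac.compare_digest(signature, sign(self.key, self.expected_seq, body)):
            return False
        self.expected_seq += 1
        return True


if __name__ == "__main__":
    key = b"constructed-session-key"
    sender, receiver = Sender(key), Receiver(key)
    sig, body = sender.send(b"SMB_COM_READ_ANDX \\\\server\\share\\payroll.xls")
    print("genuine:", receiver.accept(sig, body))           # True
    print("tampered:", receiver.accept(sig, body + b"!"))   # False
    print("replayed:", receiver.accept(sig, body))          # False
    print("require vs disabled:", negotiate_signing("required", "disabled"))  # refused
```

The model keeps the sequence counter on both ends, which is what makes a replayed packet (same bytes, same signature) fail even though its signature was genuine when first sent; it also shows why the "require" setting is the only one that closes the gap, since with "request" an unsigned client simply gets an unsigned session.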
Pop Quiz 6.1 Questions

1) What are two features of SMB signing that provide security in a Windows 2000 network?
2) What other security solution ensures message integrity in much the same manner as SMB signing?
3) How can you simplify the SMB signing configuration of multiple Windows 2000 computers?
4) What SMB signing setting will ensure that the server will only communicate with computers that are enabled for SMB signing?
5) How can Windows 95 or Windows 98 computers be enabled for SMB signing in a Windows 2000 network?
Pop Quiz 6.1 Answers

1) SMB signing requires mutual authentication of both the client and the server, and then places a digital signature in every SMB packet to ensure on-going data integrity.
2) SMB signing is very similar to IPSec with Authentication Headers, which provides the same level of packet-by-packet security. IPSec with AH, however, requires the use of all Windows 2000 computers.
3) You can simplify the configuration of multiple Windows 2000 computers by placing them in an OU in Active Directory and enabling a Group Policy for the OU with the appropriate SMB settings.
4) If a server is configured to require SMB signing, then any attempt to connect from a computer that is not configured for SMB signing will be refused.
5) Windows 95 and Windows 98 computers cannot be configured for SMB signing. Windows NT 4.0 computers can be if they have had SP3 or later applied.
III. Design an IPSec Solution

The IPSec Encryption Scheme:
IPSec can be enabled using AH (Authentication Headers) or ESP (Encapsulating Security Payloads). It is ESP that provides for encryption of the data inside the IPSec packet. Domain controllers receive certificates by default in Windows 2000, and can then use the certificates to encrypt IPSec packets. To enable client computers to use certificates, a Group Policy needs to be configured for a site, domain or OU. Within the Group Policy, the Automatic Certificate Request Setting needs to be enabled, which will then allow the computers within that site, domain or OU to automatically receive a certificate. The Automatic Certificate Request Setting also specifies whether to provide the computer with an IPSec certificate, which will only be useful for IPSec communications, or a computer certificate, which can be used in many other security services, such as web services. Finally, when specifying the type of certificate, the administrator must also specify the Certificate Authority that will fulfill the requests for the client computers. Always remember that both hosts must be able to support the level of encryption that has been enabled. For instance, a server may be set for 128-bit encryption while the client connecting may only support 56-bit schemes. In this situation, the connection will not be successful.
The IPSec Management Strategy Design:

Once an IPSec implementation has been designed and deployed, it will need to be managed and maintained. As additional computers come on-line, IPSec issues need to be identified and appropriate measures applied. Generally speaking, client computers that need to use IPSec will be placed in the container in which the IPSec policies have been enabled. Once the IPSec design is in place, then it is important to ensure that the design is working. Microsoft provides tools for maintaining IPSec, including Network Monitor, which can be used to evaluate packet traffic and ensure that IPSec traffic between hosts is occurring, IPSec Monitor, which can be used to troubleshoot IPSec filters and settings, and Event Viewer. Additionally, logs can be enabled to monitor the IPSec negotiation process (known as Oakley logs).
Negotiation Policies:

Group Policies contain three pre-defined settings to control the negotiation between hosts in IPSec: Client, Server, and Secure Server. Servers in a mixed-mode Windows 2000 network, that is, a network that contains both Windows 2000 and non-Windows 2000 clients, should be set to Server, which causes the server to request an IPSec connection from the client. If the client is not able to support IPSec, as in the case of earlier Windows clients, then the communication will use standard data communications protocols. If communications to the server must be secure, then the setting in IPSec is Secure Server, which requires the client to respond with IPSec. If a client does not respond with an IPSec datagram, then communications will not proceed. With this setting, a Windows 2000 server will never communicate without using IPSec. Because of this, other services may be interrupted, and so IPSec filter exceptions may need to be created to allow certain types of traffic to occur without IPSec negotiation (for example, SNMP would be interrupted by this setting). All clients that support IPSec, that is, Windows 2000 Professional workstations, should be set to Client, which will allow the client to respond to a server requesting or requiring IPSec communications. In this mode, clients do not request IPSec communications, but will respond if necessary. This setting is best configured in a Group Policy and allowed to inherit into OUs in a domain to enable this for Windows 2000 clients. For more complex networks, custom settings can be applied either in Group Policy or at the individual computer. In addition to determining whether or not to use IPSec between hosts, the settings provide for the level of encryption, whether to use AH or ESP, and issues surrounding keys.
Security Policies:

Rather than configuring IPSec settings on each computer separately, it is simpler to take advantage of Active Directory and the use of Group Policies. Computer objects which require the same IPSec configuration can be placed in an Active Directory OU and then a Group Policy can be created and configured to apply IPSec settings to those computers. Windows 2000 Professional workstations can receive their IPSec settings through an appropriately configured Group Policy object. Likewise, servers with common IPSec needs can be organized in the same Active Directory OU and the necessary settings configured in a Group Policy object for those servers. For example, client computers will generally be set to Client mode in IPSec, which can be enabled in the Group Policy object that will be applied to the computer objects in an Active Directory OU. Encryption settings, IPSec filters, and many other aspects of IPSec configuration can be managed centrally through the leveraging of Active Directory and Group Policy objects.
IP Filters:

IPSec filters are set on specific interfaces to control communications through that interface, or can be set for all interfaces on a computer. Set at the protocol level, filters can be defined based upon source and destination address, transport protocol, source and destination ports, etc. The filters are then set to either negotiate, block or pass-through packets. Negotiate has already been discussed above, and block will clearly cause the computer to drop the packet, while pass-through will open an exception in the IPSec security settings. As we discussed in the example above, a computer with Secure Server may need an exception set to allow SNMP traffic through, based on the TCP port used for SNMP communications, otherwise SNMP management will be interrupted.
Security Levels:

As discussed earlier, there are three pre-defined levels of security available in IPSec: Client, Server and Secure Server. The major issue is to be sure that the settings at each end of a connection are compatible. For instance, a Windows 2000 client attempting to connect to a Windows 2000 server that has the Secure Server settings applied will need to have the Client setting applied, or else the connection will be refused. Windows 2000 hosts that require a high level of security will be configured with the Secure Server setting, while the Server setting will be used in mixed-client networks where IPSec may not be available at all hosts.
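An added example, not from the book, that models the Negotiation Policies, IP Filters and Security Levels passages together: the three predefined policies (Client, Server, Secure Server), a filter list with negotiate/block/pass-through actions, a pass-through exception for SNMP management, and the rule that both hosts must share an encryption level. The data structures, the rule ordering and the host names are assumptions for the model, not the Windows 2000 IPSec policy agent; the SNMP exception uses UDP port 161, the port SNMP actually listens on.

```python
"""Model of how predefined IPSec policies, filters and encryption levels decide a connection's fate."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ANY = "*"


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str   # "tcp", "udp" or "icmp"
    dst_port: int   # 0 for protocols without ports


@dataclass
class IpFilter:
    """One IPSec filter: address/protocol/port criteria plus the action taken on a match."""
    action: str                # "negotiate", "block" or "permit" (pass-through)
    src: str = ANY
    dst: str = ANY
    protocol: str = ANY
    dst_port: object = ANY     # ANY or an int

    def matches(self, p: Packet) -> bool:
        pairs = ((self.src, p.src), (self.dst, p.dst), (self.protocol, p.protocol), (self.dst_port, p.dst_port))
        return all(rule in (ANY, value) for rule, value in pairs)


@dataclass
class HostPolicy:
    name: str
    mode: Optional[str]        # "Client", "Server", "Secure Server"; None = no IPSec at all (e.g. Windows 98)
    key_bits: List[int] = field(default_factory=list)       # encryption strengths the host supports
    filters: List[IpFilter] = field(default_factory=list)

    def action_for(self, p: Packet) -> str:
        """First matching filter wins; with no match, the predefined policies negotiate all IP traffic."""
        for f in self.filters:
            if f.matches(p):
                return f.action
        return "negotiate"


def stance(policy: HostPolicy) -> str:
    """How strongly a host wants IPSec: Secure Server requires, Server requests, Client only responds."""
    return {"Secure Server": "require", "Server": "request", "Client": "respond", None: "none"}[policy.mode]


def connect(initiator: HostPolicy, responder: HostPolicy, p: Packet) -> Tuple[str, Optional[int]]:
    """Outcome of the initiator sending packet p to the responder: (outcome, negotiated key bits)."""
    action = responder.action_for(p)
    if action == "block":
        return ("blocked", None)
    if action == "permit":
        return ("cleartext", None)      # pass-through exception, e.g. for SNMP management
    a, b = stance(initiator), stance(responder)
    if "none" in (a, b):
        # A host with no IPSec support: Secure Server refuses it, Server falls back to plain IP.
        return ("refused", None) if "require" in (a, b) else ("cleartext", None)
    if a == "respond" and b == "respond":
        return ("cleartext", None)      # two Client hosts: neither side ever asks for IPSec
    common = set(initiator.key_bits) & set(responder.key_bits)
    if not common:
        return ("refused", None)        # both ends must support a common encryption level
    return ("ipsec", max(common))


def classroom_scenarios() -> dict:
    # Constructed hosts: a domain controller that requires IPSec but lets SNMP
    # management through, plus the kinds of clients the chapter discusses.
    snmp_exception = IpFilter(action="permit", protocol="udp", dst_port=161)
    secure_dc = HostPolicy("dc1", "Secure Server", [128], [snmp_exception])
    mixed_server = HostPolicy("srv2", "Server", [56, 128])
    w2k_client = HostPolicy("ws-2000", "Client", [56, 128])
    weak_client = HostPolicy("ws-export", "Client", [56])   # only 56-bit available
    win98 = HostPolicy("ws-98", None)                         # cannot do IPSec
    smb = Packet("10.0.0.20", "10.0.0.1", "tcp", 445)
    snmp = Packet("10.0.0.99", "10.0.0.1", "udp", 161)
    return {
        "w2k_to_secure_server": connect(w2k_client, secure_dc, smb),
        "win98_to_secure_server": connect(win98, secure_dc, smb),
        "win98_to_server": connect(win98, mixed_server, smb),
        "56bit_only_to_128bit_only": connect(weak_client, secure_dc, smb),
        "snmp_station_to_secure_server": connect(win98, secure_dc, snmp),
        "client_to_client": connect(w2k_client, weak_client, smb),
    }


if __name__ == "__main__":
    for name, outcome in classroom_scenarios().items():
        print(f"{name}: {outcome}")
```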
Pop Quiz 6.2 Questions

1) What is the primary difference between IPSec with Authentication Headers and IPSec with Encapsulating Security Payload?
2) What should the IPSec setting be on a Windows 2000 domain controller when you want to ensure that all communications occur using IPSec, but also want Windows 98 clients to be able to connect?
3) The implementation of IPSec is separate from the Active Directory design in your network. (True or false)
4) After implementing IPSec at each end point you have been unable to establish communications. What other issue may need to be resolved to allow the IPSec communications to occur?
5) What limitations in IPSec design will be introduced by the need to establish a VPN between sites in different countries?
Pop Quiz 6.2 Answers

1) IPSec with AH provides for mutual authentication between the IPSec entities, but does not encrypt the contents of the data packet. IPSec with ESP provides authentication services like AH, and then also provides for encryption and decryption of the data inside the packet.
2) Since Windows 98 clients cannot use IPSec, the domain controller would have to be set to request IPSec communications. This would allow the Windows 98 clients to connect, but would not fulfill the first objective of ensuring that all communications occur using IPSec. In other words, you cannot accomplish both of these requirements.
3) While it is possible to implement IPSec without Active Directory design considerations, it may be much simpler and faster to place Windows 2000 workstations in Active Directory so that a Group Policy can be used to enable and provide settings for all of the clients from one source.
4) When implementing a VPN with IPSec between locations, there may be a firewall in place blocking the ports that IPSec needs to use to provide secure communications. The firewall will need to have TCP ports 50 and 51 and UDP port 500 opened to allow the IPSec traffic through.
5) When designing IPSec solutions that cross national boundaries, you must consider the level of encryption to be used. Remember that 128-bit keys cannot be used outside of the U.S. and Canada. The lowest level of encryption in common with both locations will need to be the setting used to establish the VPN.
IV. Chapter 6: Summary

• The inclusion of SMB signing in Windows 2000 provides for mutual authentication between Windows 2000 computers, helping to frustrate man-in-the-middle attacks on the LAN.
• IPSec is available in either AH or ESP. AH is similar to SMB signing in providing mutual authentication, but has no provision for encryption of data. ESP provides for mutual authentication and for encryption of data, and so is a more secure solution.
• Domain controllers have certificates provided to them by default in Windows 2000, but client computers do not. To provide certificates for client computers in Windows 2000, it is simplest to configure Automatic Certificate Request Settings in a Group Policy to then be applied to the appropriate computers. This also requires some considerations in your Active Directory design.
• When hosts attempt to connect, IPSec settings can be used to negotiate whether the connection will be secured by IPSec, whether it will be with AH or ESP, levels of encryption, etc. Secure Server would require communications with hosts that have IPSec capability, while Server would prefer IPSec but allow communications with non-IPSec hosts (like Windows 9x clients), and Client is the IPSec setting for clients to respond to IPSec requests and negotiate the IPSec connection.
• IPSec communications can be confirmed using Network Monitor or IPSec Monitor. Troubleshooting can be aided by using Oakley logs and Event Viewer.
• In general, IPSec design is simplest when using Group Policies implemented at the site, domain or OU level.
• IP filters can be set to allow or deny and can be set for source or destination address, or for specific IP ports. These filters can enhance security on an interface by only allowing traffic on certain ports, or to or from certain hosts or certain subnets.
• Lastly, remember that the IPSec settings at each end of a connection must be compatible for the connection to be established.
V. Chapter 6: Post-Assessment

(Answers appear in Appendix A.)
1) Management of BFQ, Inc. is somewhat concerned about security in the facilities when instructors are running classes. Students who attend classes have varying levels of technical knowledge and there is concern that some students may attempt to connect to sensitive company servers. What are two security solutions you could recommend that would address this concern? (Choose 2)
A. SSL
B. IPSec with AH (Authentication Headers)
C. RADIUS
D. SMB signing
E. EFS
2) Management is also concerned that students may intercept sensitive transmissions that the instructors are exchanging. What solution would help alleviate their concerns?
A. SSL
B. SMB signing
C. IPSec with AH (Authentication Headers)
D. IPSec with ESP
E. RADIUS
3) Which IPSec setting should be used for the servers to ensure that only IPSec clients connect?
A. Client
B. Server
C. Secure Server
D. Lockdown
4) Sometimes the instructor machines are running Windows 2000 Professional, while at other times they are running Windows 98. What needs to be done when the instructor machines are running Windows 98 to ensure that they can connect and still allow for data encryption?
A. Install the Windows 2000 client for Windows 9x so that the instructor machines can support IPSec communications.
B. Change the IPSec setting on the server to Server to allow the Windows 98 workstation to connect.
C. Nothing. The Windows 98 workstation cannot connect using IPSec, and so the instructors will either be unable to connect, or the servers will need to be set to Server, which would then allow students to attempt to connect.
D. Nothing. Windows 98 TCP/IP has the necessary protocol support for IPSec built-in.
5) For the 71 locations in the combined BFQ/BeachFront organization, what would be the simplest way to apply the new IPSec settings to the local servers?
A. Have the senior instructor at each location, who is trained on Windows 2000, set the IPSec settings in each server’s Local Computer Policy.
B. Create a RIS disk to automate the application of the settings at each server.
C. Create and configure a Group Policy that applies the appropriate IPSec settings to the servers.
D. The servers do not need IPSec settings. Simply set the instructor workstations to Secure Client, and the servers will then communicate using IPSec.
6) The new BFQ/BeachFront headquarters location is being secured with a hardware-based firewall. What ports will need to be opened to allow IPSec traffic through the firewall? (Choose 3)
A. TCP port 50
B. TCP port 51
C. TCP port 500
D. UDP port 50
E. UDP port 500
7) After setting up the IPSec settings for the servers at each location, what tools can be used to verify IPSec is working and to troubleshoot in the event IPSec is not working? (Choose 3)
A. Ping
B. Performance Monitor
C. Network Monitor
D. Server Monitor
E. IPSec Monitor
8) As you are planning the IPSec design, what implications does the impending merger with the South American firm, Tech 2000, present?
A. None, really. The technology is interoperable over long distance connections.
B. South American telecommunications companies do not have the bandwidth to support an IPSec-enabled VPN.
C. The largest issue is the difference in encryption standards between North American and South American countries.
D. There are compatibility problems with the English and Spanish versions of Windows 2000 and IPSec implementations.
9) Once the servers at each location are configured with the Secure Server IPSec setting, how will you apply the appropriate settings to the instructor computers used in each classroom?
A. Each instructor will need to set and apply the Client policy in Local Security Policy on their workstation.
B. Create a Group Policy and apply the Client policy to enable the setting for each instructor computer.
C. Create a RIS disk to automate the application of the settings at each instructor computer.
D. The workstations do not need to be configured, since the servers are already set for Secure Server.
10) Which of the following provides the highest level of security for IPSec policy settings?
A. Client
B. Secure Client
C. Server
D. Secure Server
E. Secure Client/Server
Scenario Concepts with Practice Questions 175
Chapter 7: Scenario Concepts with Practice Questions

The objective of this chapter is to provide the reader with an understanding of the following:
• How to match the appropriate solution with a security need
• How to identify key information in determining solutions
• To acclimate the reader to the new testing format for Microsoft’s design tests

I. Introduction
Microsoft has developed a new testing format for their design tests. The format is an evolution of the scenario-based questions that first appeared some years ago on the Microsoft TCP/IP test. The new scenario questions provide tons of information about the scenario company, followed by questions that cross over the entire testing objective domain of the design test. This chapter contains seven scenarios intended to give you a taste of what you are about to experience. These scenario questions should help you develop the skills necessary to focus in on the information that is pertinent to each question. Microsoft scenarios are famous for the amount of irrelevant information sprinkled throughout. Additionally, many questions call for the “best” solution or recommendation. Yes, I know, it can be rather subjective, but the test scoring is not! Good luck!
II. BFQ - Supreme Division
Company Background

BFQ - Supreme was established in the early 80s, with its roots in Korea as a manufacturer of photo albums.

Divisions

Currently the production of each product category is under the supervision of its own divisional head. The logic behind this arrangement is that the production of each type of album actually requires totally different types of expertise. The president directly oversees the operations of the different divisions. Since the president himself owns the company, there is no board of directors. However, there is a position called Managing Director, which is at the top of the hierarchy. The law of Korea requires this. His wife took the position.
Figure 7-1: Division Structure
Product offerings

BFQ - Supreme’s main products are photo albums. Product offerings include:

Covered ring type albums:
• Self adhesive sheet albums.
• P.V.C. slip in sheet albums.
• Memo type paper sheet albums.

Flip up type albums:
• Single size cover albums.
• Double size cover albums.
• Library style albums.

Slip in albums:
• Soft transparent P.V.C cover albums.
• Vinyl padded cover albums.
• Minimax type albums.

Post bound type albums:
• Self adhesive sheet albums.
• Slip in P.V.C sheet albums.

Binder type albums:
• Self adhesive sheet albums.
• Slip in P.V.C. sheet albums.

Memo slip in albums:
• Glue binding type albums.
• Needlework binding albums.

Book bound type albums:
• Wood free paper sheet classic type albums.
• Self adhesive sheet albums.
Wedding albums:
• Hinge style joint albums.
• Bolt screw type albums (post bound type).

Due to the strong predicted growth of its business in the coming years, it plans to develop at least 10 new types of albums in the foreseeable future. BFQ - Supreme manufactures not only the finished goods, but also the separate parts of the photo albums, such as:
1. Covers
2. Sheets
3. Labels

Apart from manufacturing products under their own brand, they also accept special orders in terms of O.E.M.
Locations and Staffing

BFQ - Supreme has three locations, one being the head office and the others being the factories. The president is located in the head office, while the divisional heads are completely mobile – they have to travel around the factories.

Head office: Dokok-Dong, Gangnam-Gu, Seoul, Korea. Number of Staff: 10
Korea Branch - Factory: Goori City, Kyunggi-Do, Korea. Number of Staff: 600
China Branch - Factory: Yangzhong, Jiangsu, China. Number of Staff: 300
US Branch – Sales Office: Recently opened in San Francisco, California. Number of Staff: 30
IT Structure

Currently only the head office has a LAN running NT 4.0. The domain model is a simple single domain model. They do not YET have a dedicated connection to the factories. The factories are using Win95 as dial up clients to connect to the head office server running RAS. In the coming months 256K dedicated connections will be installed. The president recognizes the importance of IT, and is planning to spend 30% of last year’s revenue on the complete re-design of the IT infrastructure. Because of the growing importance of IT, the head office will house a new IT department. This department is further broken down into 4 smaller departments:

Figure 7-2: Departments

Management would like to push for the deployment of web based solutions for the entire company as well as the partners to enter and retrieve information to and from a database on the Internet after the new Windows 2000 infrastructure is in place. Information stored in this database will include customer information, supplier contracts and next year’s projection. The server will be used to host this application and the company’s current Internet web site.
Questions: II

1) How do you implement security for the connections between the different offices and branches?
A. Encryption on one end
B. Encryption on the client
C. Encryption on the server
D. Encryption on both ends

2) Which of the following may increase the company’s risk profile (Choose all that apply)?
A. Political climate in different parts of Asia
B. Server capacity
C. Windows 2000 stability
D. WAN link reliability

3) For remote access, which of the following may enhance security (Choose all that apply)?
A. Verify caller-ID
B. Always Callback to Number
C. Deny all access
D. Filter based on IP

4) Some of the office clerks do not have the hardware capacity to directly install and run a particular application. Which of the following will you choose to allow those clients access to the application securely?
A. Use Terminal services
B. Use RRAS
C. Use VPN
D. Use DCOM
5) Which of the following may become the greatest security risk for the company?
A. Unauthorized use of network file resources
B. Unauthorized use of network printing resources
C. Unauthorized use of RAS
D. Database intrusion

6) Which of the following may be used to strengthen Windows 2000’s authentication mechanism for access to the company database?
A. Use SSL certificates
B. Use PGP
C. Use secure tunnel
D. Use ICP

7) Which of the following are valid security settings to secure remote connections for the company (Choose all that apply)?
A. L2TP
B. PGP
C. IPSec
D. IDP
E. EAP

8) Which of the following is a valid strategy against possible database corruption (Choose all that apply)?
A. Daily backup
B. Enhanced security
C. Privatize the network
D. Block all HTTP traffic

9) As an independent designer, how do you classify your relationship with BFQ Supreme?
A. BFQ – Supreme is your competitor
B. BFQ - Supreme is your employer
C. BFQ - Supreme out sources the job to you
D. None of the choices
10) Once BFQ - Supreme becomes a native Windows 2000 network, which of the following security protocols will you deploy (Choose all that apply)?
A. L2TP
B. IPSec
C. Kerberos
D. MS-CHAP
E. None of the choices

11) Part of the BFQ - Supreme’s IT restructuring project is lagging behind schedule. Although this is not in your responsibility area, you would like to give the management some useful suggestions. Which of the following will you recommend?
A. Outsourcing
B. Fire the project team members
C. Reassign the team members
D. Cancel the project
E. Restructure the project

12) Why would you conduct a TCO analysis for the Windows 2000 deployment plan?
A. To figure out the initial outlay of deployment and implementation
B. To figure out the ROI of deployment and implementation
C. To figure out the sunk cost of deployment and implementation
D. To figure out the total cost of deployment and implementation

13) Which of the following groups of users will most likely breach the network security?
A. Competitors
B. External partners
C. Business intelligence agent
D. Internal Users
14) You need to upgrade some of BFQ - Supreme’s connectivity medium. Which of the following are valid business factors to consider (Choose all that apply)?
A. Cost of equipment
B. Line cost
C. Brand name
D. Supplier reputation
E. Cable pin layouts

15) Which of the following group’s concerns is most important to your design considerations?
A. Users
B. Executives
C. Administrators
D. Vendor/Partners

16) How do you ensure that legitimate users are not abusing their logon rights at times they are not supposed to log on?
A. Filter their traffic
B. Lockout their accounts
C. Modify their passwords
D. Restrict their logon hours in account restrictions

17) The web site that hosts the new web application is suddenly responding very slowly. Which of the following is a possible security risk?
A. Attacks on the web site
B. Unauthorized logon attempts
C. Files copying
D. Web server breakdown
18) Vendor/partners will be accessing the web server to access secure portions of the database. Which solution will you recommend to secure the connection?
A. L2TP/IPSec
B. Kerberos
C. MS-CHAP
D. SSL

19) The new web application is running on the primary business server at headquarters. End users are complaining that response to regular web site requests is very slow. How would you solve the end user issue in this case?
A. Dedicate a server for the new web application
B. Dedicate a server for the company’s current web site
C. Neither A nor B
D. Both A and B

20) You are considering the use of Terminal Service for BFQ - Supreme. Which of the following can be used to manage its application connections (Choose all that apply)?
A. Group policies
B. Remote access policies
C. NTFS
D. EFS
E. DFS
III. BFQ - ExGovern Division
Background

BFQ-ExGovern is an agency specialized in working with government and nonprofit organizations since 1979. Its governmental experience includes working with:
• Cities
• Counties
• State Agencies
• Federal Agencies
• School Districts
• Highway Districts
• Port Authorities
• Utility Districts
Services

For governmental and non-profit entities, BFQ-ExGovern has prepared, compiled, reviewed, and audited financial statements, performed limited scope audits using specific criteria, and, where appropriate, prepared tax returns. BFQ-ExGovern frequently provides recommendations regarding internal accounting controls, organizational and operational structure, the flow of information to management, and other aspects of administration where weaknesses have been observed. BFQ-ExGovern has a team of 100 audit managers who are respected specialists in governmental auditing and accounting procedures. They understand and take into account the limited funds available to government and non-profit organizations. The government-required audits are in accordance with:
• Generally accepted accounting standards prescribed by the American Institute of Certified Public Accountants
• Government Auditing Standards issued by the Comptroller General, from the U.S. General Accounting Office
• Single Audit Act
• OMB Circulars A-128 and A-133
Future Vision

BFQ-ExGovern is about to acquire its competitor GovernSpec, subject to Federal approval. These two entities will remain independent after the acquisition. Both of them have their own web presence, and they will do business using their own brand names. However, the staff from BFQ-ExGovern can have rights to access certain resources of GovernSpec. For BFQ-ExGovern itself, a major reorganization will occur as well. The new organization will be service oriented, with the following service departments available:

Service Dept 1: Cities, Counties, State Agencies
Service Dept 2: Federal Agencies, School Districts, Highway Districts
Service Dept 3: Port Authorities, Utility Districts

The new organization chart for these departments looks like this:
Figure 7-3: New Departments
IT Structure

Currently their network is running Windows NT 4 and 3.51. For clients, they have NT 4 Workstation, Win95/98 and also Macintosh. The IT Manager of the company only wants to upgrade the Server and some of the NT Workstations to Windows 2000, and nothing else. There will be 4 sites in the network due to the physical locations of BFQ-ExGovern’s different offices. These sites will be linked with 256K dedicated lines. Some of their computers are placed in the lobby. It has been a problem that during night shift the security in the lobby is too loose.
Questions: III

1) How would you address the security problem of the lobby?
A. Install Physical cameras
B. Configure Group policy
C. Configure Computer policy
D. None of the choices

2) Which of the following is true concerning the deployment of a Certificate Services CA for BFQ-ExGovern to secure their web sites?
A. The CA must integrate with Active Directory
B. The CA must be registered with Active Directory
C. The CA can be independent of the Active Directory
D. None of the choices

3) You are configuring certificates for the staff in BFQ-ExGovern. Which of the following can prevent the compromise of security?
A. Shorten the renewal cycle
B. Lengthen the renewal cycle
C. Deploy manual renewal
D. Issue renewal quotas

4) You have been asked to implement an enterprise CA in BFQ-ExGovern. Which of the following is required (Choose all that apply)?
A. EFS
B. Active Directory
C. L2TP
D. PPTP
5) For extremely strict control of certificates for a small group of managers, which of the following certificate mappings will you use?
A. One to Many
B. Many to One
C. One to One
D. Many to Many

6) When will you consider the use of Many to One certificate mapping (Choose all that apply)?
A. You have a large amount of clients
B. You have a small amount of clients
C. You are using an internal CA
D. You are using an external CA

7) When you want to associate all certificates from a CA to a single Windows 2000 account, which type of certificate mapping will you choose?
A. One to One
B. Many to One
C. One to Many
D. Many to Many

8) You are asked to closely monitor all requests to use BFQ-ExGovern’s web site. One of the project team members proposes that you use a Commercial CA. Which of the following will you do?
A. Go ahead and use a Commercial CA
B. Reject his proposal
C. Configure one computer to use the Commercial CA and act as an agent
D. None of the choices
IV. BFQ - ProTax Division

Background

Since 1980, BFQ-ProTax has provided tax services to serve their clients’ needs. Headed by CPAs with many years of experience in a wide array of industries, BFQ-ProTax staff works year-round to stay abreast of developments in the ever-changing state and federal tax laws.
BFQ-ProTax professionals offer a full line of tax services.

BFQ-ProTax (Redwood City)
Preparation of tax returns for the following entities: individuals, corporations, partnerships, non-profits, pension plans, gifts and estates, and fiduciaries. In addition to tax return preparation, BFQ-ProTax also offers services for:

BFQ-ProTax (San Mateo)
• Business and individual tax planning, projections, and valuations
• Special reports/projections for tax planning
• Representation before taxing authorities
• Support for business acquisition, reorganizations, mergers, and incorporations
• Sale or purchase of business properties
• Executive compensation and benefit programs
• Deferred compensation plans
• Pension and profit sharing plans
• Employee benefit programs

BFQ-ProTax (San Bruno)
• Assistance with accurate and thorough record keeping
• Sales tax audit prevention
• Payroll, sales, and use tax
Especially for individuals:
• Estate and gift tax services
• Retirement planning
• Investment planning
• Higher education planning

BFQ-ProTax is an unusual organization. Basically every office is separately owned by different individuals. They do share resources with each other to enjoy some synergy. They also share the same brand name when promoting their services.
Expected IT Structure
BFQ-ProTax (Redwood City): Domain 1, 100 staff
BFQ-ProTax (San Mateo): Domain 2, 120 staff
BFQ-ProTax (San Bruno): Domain 3, 65 staff
Questions: IV 1) You are creating Active Directory integrated zones for BFQ-ProTax. Which of the following is true regarding this zone type? A. By default only secure dynamic updates are allowed B. By default all dynamic updates are allowed C. By default all updates are allowed D. None of the choices
2) You are creating Active Directory integrated zones for BFQ-ProTax. Which of the following is true regarding the create permission? A. All User Group members can have this permission by default B. Only the Authenticated User Group members can have this permission by manual configuration C. Only the Authenticated User Group members can have this permission by default D. None of the choices
3) BFQ-ProTax needs to deploy line of business applications via the web. However, there is no budget for rewriting the applications to make them web enabled. How should you implement this? A. Run the Application Server mode of Terminal services B. Run the Remote Application mode of Terminal services C. Run the Remote Admin and Application mode of Terminal services D. Use SSL for the browser connections
4) BFQ-ProTax needs to deploy line of business applications via the web. Terminal services are to be deployed. Which of the following can provide fault tolerance under this setup? A. Maintain the database server on the same server B. Do not maintain any database server C. Maintain the database server on other servers D. None of the choices
5) Tim proposed to deploy a T-1 between sites. This solution may be too expensive. Which of the following can act as an alternative for the Windows 2000 Professional clients? A. End to end tunnel with L2TP and IPSec B. End to end tunnel with L2TP and MSCHAP C. End to end tunnel with L2TP and IPSec D. End to end tunnel with L2TP and P2TP
6) BFQ-ProTax is creating a web site that needs to be accessible for clients to complete their tax forms on-line. How will you propose securing the site so that others cannot intercept the sensitive information that the clients are entering? A. Use L2TP/IPSec in tunnel mode B. Use SSL with 40-bit keys C. Use PPTP D. Use SSL with 128-bit keys
7) A proxy server will be deployed for the web-enabled tax application. Which of the following secure authentication methods can be deployed for web site user authentication? A. DA B. SH C. Basic D. Challenge E. Response
8) In deploying this web-enabled application, which type of CA will you recommend to BFQ-ProTax? A. Enterprise CA B. Stand-alone CA C. External CA D. Subordinate CA
9) BFQ-ProTax will start to accept online payments. How do you ensure that online transactions are safe for BFQ-ProTax’s clients? A. Deploy SSL B. Deploy MD5 C. Deploy SHA D. Deploy DES E. Request a certificate from a commercial CA F. Set up its own CA and grant the web site a certificate
10) BFQ-ProTax wants to issue smartcards to all its clients for accessing its secure private information area using Windows 2000 computers located at each of the office locations. Which of the following protocols is needed? A. EAP-TLS B. CHAP C. CHAP 2 D. MS-CHAP E. L2TP
V
BFQ - Excel Division
Background BFQ-Excel Forwarder Corp, an international freight forwarder and Customs Broker, has been providing Logistics and Transportation services since 1929. BFQ-Excel also provides logistics and distribution services as well as purchase order management and ancillary freight services in addition to freight forwarding and Customs Brokerage. With over 65 years in the business, BFQ-Excel offers fully computerized documentation and tracking in all areas of its operations. Some of the services offered by BFQ-Excel are:
• Customs Broker
• Freight Forwarding
• NVOCC
• Logistics Management
• Distribution
• Consulting
• Insurance
• Air Freight
• Purchase Order Expediting
• EDI Services
Divisions The company divides its operations into two main categories: Air and Ocean. The management structure is as follows:
Air – One director, who reports directly to the CEO. Under the director is a group of managers responsible for running the different service departments.
Ocean – One director, who reports directly to the CEO. Under the director is a group of managers responsible for running the different service departments.
The CEO admits that there is overlap of activities and resources between Air and Ocean. However, he does not plan to modify this structure for the time being.
Locations There is one headquarters for all of its operations. Headquarters is located in New York. In addition, there are 3 local offices in different regions of the United States. BFQ-Excel has the following locations:
NY - Headquarters
Miami - Air & Ocean
Los Angeles - Air & Ocean
Chicago - Air & Ocean
Since headquarters does not have enough space, BFQ-Excel recently rented a small office space one street block away from the headquarters. The two are connected with ISDN BRI.
IT Structure Headquarters is running an NT4 network. The PDC of the single account domain is located at headquarters. There are 5 BDCs for the account domain, and the BDCs are installed in the local offices. In addition, there are resource domains defined. All servers are running with dual 500 MHz processors and 256 MB RAM. BFQ-Excel uses state-of-the-art software to ensure that all documentation is prepared quickly and correctly. The software runs on NT Workstation computers that have TCP/IP configured. The BFQ-Excel Trade BBS allows the customers to receive email responses to the leads. This BBS runs on a standalone Linux server. There are also UNIX and AS400 servers running on the network for various purposes. BFQ-Excel is also in the process of finalizing the installation of new software that will enable its clients to track their shipments on the Internet.
Future Prospects BFQ-Excel has recently become the partner of XSite, a web site that provides a central search engine for local, state and federal government agencies. This new site is useful in the sense that it eliminates the need to track down all the various agencies to locate available services. This partnership is expected to draw substantial new business to BFQ-Excel. The CEO of BFQ-Excel is looking into enhancing its existing IT structure in order to cope with the growing demand for its services. The latest forecast from BFQ-Excel is that in 5 years’ time the number of employees will have doubled.
Questions: V 1) You need to implement security measures for the servers. Which of the following will you do? A. Put the servers in a locked room B. Set FAT permissions C. Run EFS D. Deploy DFS
2) Which of the following are valid physical security measures for the company’s servers (Choose all that apply)? A. Place the servers in a locked room B. Implement keycard access for the server room C. Do not allow typical employees to enter the server room D. None of the choices
3) Which of the following are recommended to make sure that data can be recovered in case the office building is on fire (Choose all that apply)? A. Use RAID B. Use Cluster Server C. Backup on a daily basis D. Take the backup media off site daily
4) You just set up a Windows 2000 network for the company. Which of the following should be modified to enhance security? A. Disable the administrator account B. Rename the administrator account C. Stop the administrator account D. Delete the administrator account
5) You want to be sure that only legitimate users can log onto the desktop computers. The company is willing to invest in enhancing security. Which of the following will you recommend? A. SmartCard B. Complex password C. Complex user name D. EFS
6) You want to deploy smartcards for all users on the network. You want to make sure that when the card is removed the machine will be locked. How do you do this? A. Use System Policies B. Use ACL C. Use DCL D. Use Group Policies
7) How do you prevent your BFQ-Excel staff from finding out the name of the last user who logged on? A. Use “Display last user name in logon screen” B. Use “Hide last user name in logon screen” C. Use “Do not display last user name in logon screen” D. Use “Mask last user name in logon screen”
8) Which of the following are the elements of a strong password policy that can be implemented in BFQ-Excel (Choose all that apply)? A. Set password history to remember the last 8 passwords B. Passwords must include a mixture of letters, numbers and special characters C. Passwords must be at least 8 characters long D. None of the choices
9) Which of the following is a valid way to manage trusted partner access to BFQ-Excel’s web site? A. Use certificates B. Use ACL C. Use DACL D. Use EFS E. Use Group Policy
10) How would you provide greater security for emails in BFQ-Excel (Choose all that apply)? A. Deploy X.400 certificate B. Deploy X.509 certificate C. Deploy PKI D. Deploy 3DES
11) You want to track random password hacks in BFQ-Excel’s network. Which of the following actions should you take? A. Enable auditing of object success B. Enable auditing of success of logon C. Enable auditing of object failure D. Enable auditing of failure of logon
12) You want to track improper access to BFQ-Excel’s network files. Which of the following event types should you audit? A. Directory Permission Access B. Service Access C. File and Object Access D. Random Object Access
13) How do you detect a virus outbreak in BFQ-Excel’s network? A. Audit the failure of write access to data files B. Audit the success and failure of write access to data files C. Audit the success and failure of write access to program files D. Audit the success of write access to program files
14) Which of the following can be used to help detect stolen passwords? A. Failure audit of logon and logoff B. Failure audit of logon C. Success audit of logon and logoff D. Success audit of logoff
VI
BFQ - ABC Toys Division
Background BFQ-ABC Toys, formerly BFQ - Supreme Hobbies and Toys, is owned and operated by people who have over 110 years of combined experience as retailers, hobbyists, and business professionals. The mission of the company is to introduce, support, and nurture the exciting world of model building and collecting. The toys sold by BFQ-ABC are known as family-oriented: they offer product lines that introduce the youth to the excitement of toys. Beyond the introductory products, these lines also offer more advanced items for the rest of the family. To make sure that no rain check is ever needed, they keep stock of over 30,000 items in the stores.
Product Offerings The Toy Categories offered by BFQ-ABC are:
• Dolls
• Die Cast Trains
• Model Horses
• Model Rockets
• Electric Trains
• Plastic Models
• Plush/Stuffed
• Wooden Trains
Of the above items, all train-related products are under the management of the Train Department. The rest are under the Toys Department. In theory, there are not many resources that can be shared between the two departments. In fact, BFQ-ABC once wanted to merge the 2 departments. However, the plan was abandoned due to heavy objections from the labor union.
Locations The HQ is located in Hong Kong. The purchasing department is in Taiwan. The remainder of the company is in Vietnam. Currently there are 15 retail outlets throughout the world. Due to the rapid growth of the business, they will establish 5 new retail points of presence in the coming two years.
Keep in mind that the outlets are not owned by BFQ-ABC. They are simply franchised outlets. However, the outlets can access the network resources of BFQ-ABC via RAS. SuperToy is the biggest reseller of BFQ-ABC’s products. BFQ-ABC sees SuperToy as its most important partner, and thus allows a dedicated 256K connection between the two companies’ head offices. Each retail outlet has a store manager who must report directly to the directors. Although centralized administration is important, the company prefers to delegate to the local peers to increase the effectiveness of decision making.
IT Structure The company has an IT team of 4. They have developed the NT 4 network using the multiple domain model. All remote offices can connect to the HQ server via the leased lines.
Figure 7-4: IT Teams
Each office has its own NT4 domain. There are Win95, 98 and NT clients throughout the network. Some of the computers will be upgraded to Windows 2000. In addition, there is one Netware 4x server that holds a lot of critical information.
Questions: VI 1) Which of the following do not support Active Directory in native mode? A. 95 B. 98 C. ME D. None of the choices
2) How do you allow the new Windows 2000 clients to access the Netware server without the need to install NWLink? A. Set up one Windows 2000 server with CSNW (Client Services for NetWare) B. Set up one Windows 2000 server with GSNW (Gateway Services for NetWare) C. Set up one Windows 2000 server with Migration Wizard D. None of the choices
3) The Netware 4x server will be upgraded to Version 5 with TCP/IP support. Which of the following protocols would a Windows 2000 server with GSNW installed need in order to communicate with the new Netware server? A. TCP/IP B. NetBIOS C. NWLink D. RIP
4) You need to promote a Windows 2000 member server on the network to a domain controller. Which of the following commands will you use? A. Dcpromo B. PromoDC C. NetDOM D. NetManage
5) In the upgrade plan, which of the following Windows 2000 services will you identify as REQUIRED for the new Windows 2000 network (Choose all that apply)? A. WINS B. DHCP C. DNS D. IIS E. TS
6) Which of the following roles should you assign to the only domain controller in the Taiwan domain after the Windows 2000 upgrade (Choose all that apply)? A. Schema master B. RID master C. Infrastructure master D. PDC emulator
7) To enable the pre-Windows 2000 clients to use DFS or search through Active Directory, you will: A. Install Directory Services Client on the clients B. Install Directory Services Client on the domain controllers C. Install Directory Services Client on all servers D. None of the choices
8) Which of the following factors must you consider when designing the Operations Master placement? A. Do not put RID Master and GC together on one server B. Do not put Infrastructure Master and PDC emulator together on one server C. Do not put Domain Naming Master and GC together on one server D. Do not put Infrastructure Master and GC together on one server
9) Which of the following roles should be placed together on one server (Choose all that apply)? A. Schema Master B. Domain Naming Master C. RID D. Infrastructure
10) Which of the following may happen when the RID master is temporarily unavailable (Choose all that apply)? A. New security principal objects cannot be created B. New security principal objects can still be created C. Existing security principal objects cannot be searched D. Existing security principal objects will disappear
11) You need to set up logon scripts for the Windows 2000 Pro computers in the company’s new Windows 2000 domain. Which of the following is the valid path for the script? A. Default Computer Policy -> Computer Configuration -> Windows Settings B. Default Domain Policy -> Computer Objects -> Windows Settings C. Default Domain Policy -> Computer Configuration -> Windows Settings D. Default Domain Policy -> Computer Configuration -> Policy Settings
12) BFQ-ABC Toys will open a small shop in India. This shop does not have a reliable WAN connection and will not join the company’s Active Directory. It will be a peer-to-peer Windows 2000 network without a domain structure. How will you implement security settings for this network? A. Use Local Security Policy B. Use Domain Security Policy C. No policy can be installed without a domain or Active Directory D. None of the choices
13) Which of the following can only be implemented at the domain level (Choose all that apply)? A. Account lockout B. Kerberos C. Password settings D. None of the choices
14) Some of the laptop users need to modify the system settings and install customized software. Which of the following should you grant them? A. Domain admin privileges B. Enterprise admin privileges C. Site admin privileges D. Local admin privileges E. Group admin privileges
15) Which of the following will be required if one forest is to be used on the new Windows 2000 network, given the fact that BFQ-ABC has many domain controllers available (Choose all that apply)? A. Schema master B. Domain Naming master C. RID master D. Infrastructure master E. PDC emulator
VII
BFQ - MediAssociate
Background Since 1986, BFQ-MediAssociate has been conducting research for legal and health care professionals involved in medical malpractice, personal injury, product liability and workers' compensation cases. Target customers are those who are overwhelmed with complicated health care issues and baffling medical jargon. The founders of BFQ-MediAssociate have been in the medical-legal consultant field for over ten years. They have been providing consulting services for attorneys, physicians and other legal nurse consultants.
Services BFQ-MediAssociate searches medical literature for articles, standards and guidelines that will enhance the customer’s understanding of the case. The search is conducted by RNs experienced in the field and is supplemented with summaries of key articles and conference sessions to answer the questions. BFQ-MediAssociate locates qualified expert physicians and nurses whose accurate opinions will bolster the customer’s position. Its nationwide network of specialists includes both consulting and testifying experts. BFQ-MediAssociate can find the ideal expert fast, and then help the customer to prepare that expert for deposition or trial. BFQ-MediAssociate nurses will accompany the customers during their Independent Medical Examinations. These nurses will be prepared to offer testimony during deposition and trial.
Company Structure
IT Structure To offer the services listed above, BFQ-MediAssociate has a very advanced IT infrastructure. Their network deploys fiber optics to connect their office in downtown San Jose. The network is running 25 NT 4 Servers and 300 clients. To speed up research, they use a T3 line to connect to the Internet. In addition, there are 4 Solaris workstations specially designed for a fault tolerant web site configuration. In addition, there are 5 offices in different parts of Phoenix, as well as two offices in Austin and Kansas City.
Organization Structure The company is structured in a way that reflects the services it offers. There are mainly 3 departments in the company, one for each main service.
Figure 7-5: Service Structure
Visions The company is expected to expand its network of affiliated professionals. Currently they have more than 25000 professionals in their network nationwide. These professionals are allowed to connect to the head office via dial up access. Due to the fast growth in business, it is estimated that in three years’ time the number of professionals that work with the company will have doubled. Since to a certain extent these professionals are not in-house staff, the company will want to have a separate community for them. This community should manage its own password and lockout policies. The existing NT4 network was built with scalability in mind. There are 2 account domains together with 5 resource domains. The CIO wants to upgrade the network to W2K. He is impressed by the stability of the new OS. One thing the CIO really wants to implement is some sort of Smartcard device for the in-house staff to log onto the network. He believes in technologies like Smartcard being the trend of the future. In addition, there is a need for a secure web site to host critical sales information for staff to access.
Questions: VII 1) Which of the following provided by Windows NT 4.0 can safeguard against intruders? A. EFS B. Kerberos C. TCS D. NT LAN Manager
2) You are recommending a strong password policy for BFQ-MediAssociate. Which of the following will be needed (Choose all that apply)? A. Use long passwords B. Password with letters, numbers and special characters C. Password cannot be repeated often D. None of the choices
3) How would you filter NetBIOS traffic for BFQ-MediAssociate’s secure web site (Choose all that apply)? A. Block port 135 B. Block port 139 C. Block port 143 D. Block port 425
4) EFS is being implemented in BFQ-MediAssociate. An important file named “Xfile.doc” is encrypted. Who can decrypt it (Choose all that apply)? A. File owner B. Power User C. Recovery agent D. Server operator
5) Tom needs to execute a command that should normally be accessible only by Tim. Tim is on vacation. How should Tom execute the command? A. Give Tom Tim’s password B. Give Tom Tim’s login name C. Tell Tom to RUN AS Tim D. Tell Tom to ACT AS Tim
6) The company’s web server is suddenly overloaded with service requests. Which of the following is likely happening? A. DOS B. DOD C. DDR D. DIR
7) You found that HTTPS traffic cannot reach the company’s web site. All other traffic is working fine. The web service is hosted by Windows 2000 IIS. Which of the following should you do? A. Remove the firewall B. Remove the packet filter C. Do not block port 80 D. Do not block port 443
8) You want to make sure that one party in a communication cannot deny that part of the communication occurred within BFQ-MediAssociate’s network. Which of the following is the term to describe this mechanism? A. Non-intrusion B. Non-disclosure C. Non-repudiation D. Non-Exposure
9) Which of the following is the correct default time interval value for site replication between the sites of BFQ-MediAssociate? A. 100 B. 120 C. 180 D. 240
10) Which of the following regarding the Active Directory schema is true? A. A full copy is stored on each GC. B. A partial copy is stored on each GC. C. No copy is stored on the GC. D. Schema can be modified directly with SchemaEdit.exe
11) Which of the following is true regarding schema data replication in Active Directory? A. Schema data is replicated every 180 minutes B. Schema data is replicated according to the site replications schedule C. Schema data is replicated when changes occur D. None of the choices
12) To set up multi site links between the offices in San Jose, Austin, Kansas City and Phoenix, which of the following must be addressed carefully? A. There must be a common replication window among the sites B. There must be different replication windows among these sites C. There must be no replication window among the sites D. None of the choices
VIII
BFQ - Kellok Division
Background BFQ-Kellok Accounting Service has been in business in the Pacific Northwest for nearly half a century, helping clients to develop effective accounting systems to use as an essential management tool.
Core accounting services

Division AR-1
• Financial statements for corporations, proprietorships, and partnerships
• Monthly accounting, including computer-generated journals and ledgers
• Developing financial accounting and control systems
• Analysis and implementation of accounting enhancements
• Training in record keeping

Division AR-2
• Cash flow management
• Compliance with lender requirements
• Financing, including banks, SBA, FHA
• Consulting and business planning
• Budgeting and forecasting

Division AR-3
• Computer technology assistance, including network design
• Bank reconciliations
• Accounts receivable and payable
• Inventory control
• Depreciation schedules and asset records

Division AR-4
• Payroll and other taxes
• Executive search for controller/financial staff
• Special purpose reports
Locations
Headquarters – Palo Alto: 50 staff, 2 NT 4.0 servers, 1 UNIX server
AR-1 – Palo Alto: 40 staff, 2 NT 4.0 servers, 1 UNIX server
AR-2 – Redwood City: 40 staff, 1 NT 4.0 server, 1 UNIX server
AR-3 – Fremont: 70 staff, 3 NT 4.0 servers, 1 UNIX server
AR-4 – Oakland: 20 staff, 1 NT 4.0 server
All locations are interconnected with 128K ISDN lines. All locations share the same password and lockout policies.
NT Domain Model
Questions: VIII 1) When you design the site names for BFQ-Kellok, which of the following must you pay attention to (Choose all that apply)? A. Alphanumeric characters only B. Alphanumeric characters and commas only C. Alphanumeric characters and hyphens only D. Alphanumeric characters and colons only
2) You are planning for the number of sites. AR-4 has suffered a connectivity problem and is expected to have only SMTP connectivity to the outside world within the next 2 years. Which of the following are valid considerations (Choose all that apply)? A. AR-4 must have one domain controller at least B. AR-4 must have two domain controllers at least C. AR-4 should be a separate site D. AR-4 should be integrated with AR-3 and AR-2
3) In your planning, AR-2 and AR-3 are in the same site. However, the network links between them are found to be heavily utilized. Which of the following must you pay attention to? A. They should be separate sites B. They should be combined into a separate domain C. They should be registered with Active Directory D. None of the choices
4) BFQ-Kellok’s IT staff proposed to use routers to filter traffic in order to reduce traffic between AR-2 and AR-3. Which of the following is true regarding this solution (Choose all that apply)? A. Technically possible B. Technically impossible C. Not a good approach D. A good approach
5) BFQ-Kellok’s IT staff proposed to use screened subnets for security. Which of the following is needed to implement a screened subnet? A. Active Directory B. Domain controller C. Internet firewall D. Central Server
6) How do you secure the objects in Active Directory? A. Use ACL B. Use DACL C. Use NTFS permission D. Use EFS
7) When can you implement universal groups for BFQ-Kellok (Choose all that apply)? A. When the network is in native mode B. When the network is in mixed mode C. When the network has more than one domain D. When the network has one domain
8) One former executive just left BFQ-Kellok. He had secured a folder with NTFS permissions, and no one has permission to access it. How do you access the data inside? A. Modify Owner B. Recreate the folder C. Hijack the folder D. Boot from DOS and copy the file
9) To implement the highest possible security for computers in AR-1, which of the following will you suggest? A. Remove all permissions for their computers B. Use the COMPATIBLE template for their computers C. Allow only browse permissions for their computers D. Use the HISEC template for their computers
10) Which of the following will happen to an object created by someone who logged on with the administrator account? A. Anyone who belongs to the Administrator Group can only browse the object B. Anyone who belongs to the Administrator Group can only read the object C. Anyone who belongs to the Administrator Group can modify the object D. None of the choices
11) Which of the following is true regarding user and group placement (Choose all that apply)? A. Users should be placed in global groups based on their security needs B. Global groups should be granted access to resources C. Users should be placed in local groups based on their security needs D. Local groups should be granted access to resources E. Local groups should be placed in global groups
12) Which of the following security risks cannot be addressed with EFS (Choose all that apply)? A. File transmission across the network B. File stored locally C. File stored on floppy D. File stored on NTFS
13) Which of the following site names are not valid for use in BFQ-Kellok’s network (Choose all that apply)? A. AR@1 B. AR#2 C. AR 3 D. AR!4
IX
Chapter 7: Summary
• Remember that this type of testing is focused on when, not how, to use security solutions.
• Read the entire scenario before looking at the questions.
• Before testing, read as many of the “white papers” on security from Microsoft’s web site as you can.
• Memorize port numbers and acronyms, like port 443 for HTTPS, or the difference between ACL and DACL.
Appendix A 227
Appendix A
Chapter 1: Answers
1) C. International. Legal or regulatory differences between different countries can give rise to legal or regulatory conflicts. Branch or subsidiary models, when they involve crossing national borders, also may result in these types of problems.
2) A. Communications Process. A site-to-site VPN is more appropriate for communications processes between the various sites.
3) E. SSL. Access to information on web sites is often secured using SSL. An industry-standard protocol, SSL provides both authentication and encryption for sensitive transmission. The only catch is that the application being used to access the web site must be SSL-compatible, such as current web browsers.
4) B. Organizational Units; however, some may argue for E. Domains. Presuming that the contract help will need Active Directory user accounts, it would be best to create them in a container separate from the user accounts for the full-time employees. Then management of the user accounts can be separately administered. As we will see later, creating a separate domain will be preferable if the user accounts need to have different account policies, like password settings, time restrictions, etc., than those for the full-time employees.
5) Although brief, this describes a company with D. Decentralized Operations/Centralized IT Support.
6) A. Communication Flow. As we discussed, information flow is generally an automated process. This scenario describes a manual process.
7) This question is dependent upon information not provided. Depending upon the nature of the rest of the information, the answer would be A. Tolerance for Risk or C. Laws and Regulations.
8) The best answers are A. Tolerance for Risk and B. Cost of Operations. The designer needs to balance these against solutions, arriving at the best cost versus risk compromise.
9) In a highly centralized, family-owned company, D. Owner and Chief Executive Officer (CEO) would have the greatest influence.
10) Because the company model is international, E. Laws and Regulations will have an impact on the design. Additionally, since the company has a very centralized IT model, C. IT Management is another area that the designer needs to focus upon.
11) The correct answer is E. Management Model. The designer needs to know whose opinion carries the most weight in management decision-making, especially since there is a significant disagreement here between two senior-level managers.
12) As companies grow, so does the need to extend the C. Information Flow and D. Communication Flow. Each of these areas needs to be able to scale in size while maintaining the security features proposed in the design.
13) C. Cost of Operations. As tolerance for risk lowers, the need for security measures increases, and so will the costs. Tolerance for risk always balances against cost of operations.
14) C. Laptop computers add the most complexity to security design. Windows 2000 introduces some features specifically targeted at the issues raised by laptops. EFS allows files to be encrypted directly on the laptop’s hard drive, so that, in case of theft or loss, the files will not be readable by anyone but the original creator. The other issues described here are simply typical of company networks and can be dealt with straightforwardly.
15) D. The client company uses a large amount of outsourcing. If the client company uses outsourced technical support heavily, then any recommendations made will have to be implemented by contractors. The level of training, the transient nature of the contract staff, the lack of company loyalty, and other factors will all make the implementation more difficult.
16) A. Total Cost of Operations is most closely aligned to the IT funding model. If the designer is to understand how the IT portion of the company budget fits into the larger picture, and if the recommendations will not fit into the IT funding model, then a clear understanding of the company’s total cost of operations will be essential.
17) B. WAN Connections. In Active Directory design, the presence of low-bandwidth WAN connectivity will lead to the creation of sites.
18) B. 56 Kbps, which is typical of the speed of a current dial-up connection to the local ISP.
19) D. SSL with Digital Certificates is commonly used to secure connections to web sites.
20) D. EFS. Laptop computers will need to use EFS, Encrypted File System, to secure the confidential files should the laptop be lost or stolen.
Chapter 2: Answers
1) B. While you will eventually need to know all of these things, the next issue for clarification is to determine the net available bandwidth between locations.
2) C. Securing the web server from unauthorized access. Net available bandwidth is now only an issue at the site where the web server resides.
3) C. The web server will need to be tuned with high performance hardware and high bandwidth connectivity to support and sustain the high levels of access.
4) C. Change the configuration of FastTrack so that all activity can occur in real time. Clearly B. and D. are not reasonable solutions. A. could work, but would probably become a very expensive solution. That leaves C., which would allow the web server hardware and the connectivity to be scaled down somewhat.
5) C. Decentralized operations/Centralized Management. Since each location runs autonomously, the operations would be described as decentralized. However, since the overall operation is centralized using FastTrack, the management would be described as centralized.
6) D. This should pose no problem at all. From a security perspective, both browsers offer the same functionality. Both are SSL-enabled and compatible with X.509 certificates like those created by Verisign or by Microsoft’s Windows 2000 implementation of Certificate Server.
7) A. – C. – B. – D. Clearly the recurring monthly charges for leased lines would be the most expensive recommendation, followed by the cost of placing a dedicated, high-performance workstation at each location. The third most costly recommendation would be to “beef up” the web server, and the overall least costly recommendation would be the implementation of SSL.
8) A. – B. – C. – D. The training of staff to support and maintain the web servers will be of utmost importance, while the physical relocation will come in second based upon the need to determine hardware, software, etc., and to transfer the content to the newly configured servers. Hiring someone to work on content should be rather easy, since there are already two vendors supporting the existing web sites. Lastly, the users should need no retraining, since the move of the web server will not be apparent to them as they access it through their browser software.
9) A. & B. must be weighed against each other. The more decentralized the administrative model, the greater the need for training of personnel, which will increase the cost. Balanced against that would be the possibility of using outsourced support for the web servers of the merged companies. The designer needs to help the company evaluate the costs between the two recommendations. In addition, as indicated by the next question, the use of contractors will give rise to other needs in terms of Active Directory design or auditing.
10) B. Auditing on a regular basis of the management of the web server. Using SSL for all queries. A. is not a reasonable recommendation, since the company wants to allow public access to schedules. Placing the web server behind a firewall may be recommended, but often web servers are placed outside firewalls, especially those containing content for public access. Also the contract technical support personnel may require physical access to the web server, bypassing the firewall. That leaves answers either B. or D. While you may choose to create Active Directory accounts for the contract personnel, it is not absolutely necessary for web server management. Clearly, auditing of the web server on a regular basis is a good practice and is recommended.
Chapter 3: Answers
1) A. basicdc.inf. For upgrading from Windows NT 4.0 to Windows 2000, domain controllers should have the basicdc.inf applied.
2) C. defltdc.inf. Newly installed domain controllers should have the defltdc.inf security template applied during the install.
3) B. and C. are the correct answers. A. is a security template to be applied to domain controllers that have a new install of Windows 2000 server. If you recall the discussions surrounding this application in Chapter 2, access to FastTrack will occur via a web browser, which is easily secured with SSL. That means D. is also not a solution that would be applicable. Remember that whenever laptops are mentioned, EFS will be recommended.
4) C. is the correct answer. Access to resources in Windows 2000 is administered through the nesting of user accounts in (domain) global groups, and placing those global groups in (domain) local groups, which have been granted the necessary permission to the resource in question. D. is incorrect, since we do not generally place local groups in other local groups. A. is not a good recommendation, since share permissions on a FAT volume do not provide a high level of security. B. is clearly not a good security recommendation.
5) The correct answer is B., apply the compatws.inf template. This template lowers the security settings on a Windows 2000 workstation so that applications that might not run under the basicws.inf template might run. A. is not a good security recommendation for obvious (I hope) reasons. C. may not work, and clearly the question is baiting the reader with compatibility issues. Lastly, the computer may be configured to logon as Guest, but that does not address the issue of possible problems with the demo software.
6) In order from high to low, the answers are C – B – D – A. The schema master is a domain controller that plays a critical and central role in Active Directory implementation. Domain controllers that provide logon services also need high security, but not as much as a schema master. Web servers hosting sensitive company information may compete with domain controllers for security, but clearly kiosks are of little concern in securing a network.
7) D. Give Full Control Share and Read NTFS permissions to the FastTrack group. Microsoft recommends that permissions be granted to domain local groups, so answers A. and B. are not correct. Answer C. would allow the users with accounts in FastTrack to actually change or write to the FastTrack database, something you do not want.
8) C. & E. The Security & Analysis tool in MMC and secedit (a command-line utility) can be used to compare a security baseline against current configurations.
9) B. Enable NAT on the Windows 2000 Server. While all of these recommendations would work, the question called for the simplest recommendation, which would clearly be NAT.
Chapter 4: Answers
1) B. SSL. The best answer is SSL, since it is location-independent and compatible with commonly used browser software. Kerberos is typically used in the company LAN, S/MIME is used for securing e-mail, and EFS is used to encrypt files on a local hard drive (usually on a laptop computer). RADIUS is typically used to secure dial-up access for company employees.
2) C. Commercial Certificate Authority. While Microsoft’s Certificate Server solution can provide security for this type of transaction, the better recommendation would be to use a commercial CA. In the event of loss of credit card numbers, the use of a third-party CA can help reduce the company’s liability.
3) D. S/MIME. Kerberos is typically used internally to secure communications on a LAN, SSL is used to secure connections to and from a web site, RADIUS is used to secure dial-up connections for company employees, and smart cards are used to secure the logon process on a specific workstation.
4) C. is the correct answer. Microsoft recommends that access to resources be granted by A-G-L-P, that is, add user accounts to a global group in each domain, then add the global groups to a local group and give permissions to the resource to the local group. The only other answer that is even close to this is A.; however, you cannot add users from one domain to a global group in another domain.
5) C. & D. Enabling auditing is a two-step process. First you must enable auditing, in this case, of object access (answer C.). Then the resource in question must have auditing set. To assure that no attempts are being made, you would audit failure, in this case, the failure of the NTFS Read permission (answer D.). To audit success would only show everyone who is accessing the database, which would include many users with valid permissions. Additionally, auditing success amounts to allowing a security breach and then attempting to find the identity of whoever was responsible.
6) B. & C. In this case, the access is already occurring. You start again by enabling auditing of object access (answer B.) and then proceed to audit all of the successes of the NTFS Read permission (C.). Failure will not help, since clearly someone is reading and then selling the information.
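A small detection pass over constructed log entries, added here as an example (it is not from the book), showing what answers 5 and 6 rely on: with failure auditing set on the FastTrack database, denied opens by an account stand out on their own, while with success auditing every reader is recorded and the expected readers must be subtracted to find the unexpected one. The one-line entry layout, the account names and the paths are assumptions, not the real security-log export format.

```python
from collections import Counter

# Constructed sample entries (not a real security-log export). Assumed layout:
# timestamp, category, event id, audit result, account, detail. Event id 560
# is the Windows 2000 "Object Open" event; 529 is a failed logon, included
# only to show that unrelated events are filtered out.
SAMPLE_LOG = r"""
2003-04-01T08:59:50 Logon 529 Failure bfq\jsmith Workstation=WS17
2003-04-01T09:12:03 ObjectAccess 560 Failure bfq\jsmith D:\FastTrack\db.mdb READ_DATA
2003-04-01T09:12:09 ObjectAccess 560 Failure bfq\jsmith D:\FastTrack\db.mdb READ_DATA
2003-04-01T09:13:44 ObjectAccess 560 Success bfq\ftapp D:\FastTrack\db.mdb READ_DATA
2003-04-01T09:15:00 ObjectAccess 560 Success bfq\rlee D:\FastTrack\db.mdb READ_DATA
2003-04-01T09:15:31 ObjectAccess 560 Success bfq\rlee D:\FastTrack\readme.txt READ_DATA
"""

FIELDS = ("time", "category", "event_id", "result", "account", "detail")
OBJECT_OPEN = 560


def parse_log(text: str) -> list:
    """Turn the one-line entries into dicts; a malformed line is an error."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(None, 5)
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed entry: {line!r}")
        event = dict(zip(FIELDS, parts))
        event["event_id"] = int(event["event_id"])
        events.append(event)
    return events


def _object_events(events, path, result):
    """Object Open events with the given audit result on exactly this path."""
    return [e for e in events
            if e["event_id"] == OBJECT_OPEN and e["result"] == result
            and e["detail"].split(" ", 1)[0] == path]


def denied_opens(events, path) -> Counter:
    """Answer 5: failure auditing on the object records each denied open."""
    return Counter(e["account"] for e in _object_events(events, path, "Failure"))


def unexpected_readers(events, path, expected) -> set:
    """Answer 6: success auditing lists every reader; remove the expected ones."""
    readers = {e["account"] for e in _object_events(events, path, "Success")}
    return readers - set(expected)


if __name__ == "__main__":
    db = r"D:\FastTrack\db.mdb"
    evs = parse_log(SAMPLE_LOG)
    print("denied opens:", dict(denied_opens(evs, db)))
    print("unexpected readers:", unexpected_readers(evs, db, {r"bfq\ftapp"}))
```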
7) C. NTLM. Windows 95, Windows 98 and Windows NT clients using the Windows 2000 client software will use NTLMv2 for authentication.
8) B. SSL. The method of encryption described is SSL, which actually uses digest authentication. Remember that this method is used to improve the performance associated with encryption/decryption.
9) D. & E. SSL and Certificate Services are the correct answers. EFS, smart cards and Kerberos V5 are all workstation authentication protocols.
10) C. is the correct answer. If the application interface is going to be hosted on the server, then the users will need to use terminal services to access the applications. While the other answers could be “stretched” to fit as answers, none fit the scenario as well as C.
11) For this question, B. and D. will clearly only limit the user’s time. You will need to do A. and then C. to allow the user to access the application interface for which they have paid.
12) E. None of these. The only resolution to a password policy problem is to place the instructor accounts in a separate domain, not an OU, and set separate account policies in the separate domain.
13) C. EFS. Whenever presented with a question of how to secure files on a laptop, the correct answer will be EFS, Encrypted File System. New with Windows 2000 and NTFS 5, EFS encrypts files directly on the hard drive, allowing only the creator or a recovery agent to decrypt them. This solution protects files from being accessed even using third-party utilities to read directly from the hard drive.
14) C. & A. are the correct answers. Answer A. is the standard recommendation from Microsoft of using global groups to organize domain user accounts. After creating the global group, then a local group needs to be created and permissions granted to it. D. could work, but would require much more administrative effort to set up and manage. C. takes advantage of inheritance of permissions in Active Directory, and would only be a problem if you had created separate OUs for different user accounts and did not wish this “password manager” to have control of other users’ passwords.
15) B. & C. are the correct answers. Enabling auditing of object access and of directory service access will allow any events related to group membership changes to be viewed. Since you are enabling auditing of both success and failure, the failure will show any attempts to exceed the permissions that the support people at each location have been given, while success should only reflect those administrators that have been given that capability.
16) C. RADIUS will need to be implemented to connect from a dial-up location through an ISP securely.
17) C. In a RADIUS implementation, an ISP can use a RADIUS proxy server which will forward authentication requests to your company’s RADIUS server for handling. This would be done if the company does not wish to replicate Active Directory information to the ISP.
18) C. S/MIME or secure MIME is a protocol used to provide for encryption and decryption of e-mail across unsecured public infrastructure, like the Internet.
19) A., C., & E. are the correct answers. Microsoft’s recommendation is AGDLP, that is, accounts to global groups, global groups to domain local groups, and give permissions to the domain local groups. With the introduction of universal groups in Windows 2000, you can now nest the global groups from the various domains into a single universal group, and add the universal group to the domain local group.
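A worked model of the group-nesting rules behind answers 4 and 19 (and the chapter 3 answers that cite them), added here as an example and not taken from the book: it enforces a simplified version of the Windows 2000 scope rules, so that putting a user from another domain into a global group fails (answer 4), while nesting both domains’ global groups in a universal group and placing that in the resource domain’s local group gives the cross-domain user access (answer 19). The domain names, account names and the FastTrack resource name are constructed for illustration.

```python
from dataclasses import dataclass, field

GLOBAL, UNIVERSAL, DOMAIN_LOCAL = "global", "universal", "domain local"


@dataclass(frozen=True)
class User:
    name: str
    domain: str


@dataclass(eq=False)
class Group:
    name: str
    domain: str
    scope: str
    members: list = field(default_factory=list)


class ScopeError(ValueError):
    """A nesting or grant that violates the (simplified) group-scope rules."""


def add_member(group: Group, member) -> None:
    """Nest a user or group, enforcing the scope rules assumed here:
    global groups take only users/global groups from their own domain,
    universal groups take users and global groups from any domain, and
    domain local groups take users, global and universal groups from anywhere."""
    if group.scope == GLOBAL:
        if member.domain != group.domain:
            raise ScopeError(f"{member.name} ({member.domain}) cannot join "
                             f"global group {group.name} in {group.domain}")
        if isinstance(member, Group) and member.scope != GLOBAL:
            raise ScopeError("a global group may only nest global groups")
    elif group.scope == UNIVERSAL:
        if isinstance(member, Group) and member.scope == DOMAIN_LOCAL:
            raise ScopeError("a universal group cannot nest domain local groups")
    group.members.append(member)


class Resource:
    """A shared resource whose permissions go to domain local groups (the P)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.acl: list = []          # (domain local group, permission)

    def grant(self, group: Group, permission: str) -> None:
        if group.scope != DOMAIN_LOCAL:
            raise ScopeError("permissions are granted to domain local groups only")
        self.acl.append((group, permission))


def expand(group: Group) -> set:
    """All users reachable through the nesting chain."""
    users = set()
    for m in group.members:
        users |= {m} if isinstance(m, User) else expand(m)
    return users


def effective_permissions(resource: Resource, user: User) -> set:
    return {perm for grp, perm in resource.acl if user in expand(grp)}


def build_demo():
    """Two constructed domains sharing one resource through A-G-U-DL-P."""
    alice = User("alice", "east.example")
    bob = User("bob", "west.example")
    g_east = Group("FastTrack Users", "east.example", GLOBAL)
    g_west = Group("FastTrack Users", "west.example", GLOBAL)
    add_member(g_east, alice)
    add_member(g_west, bob)
    # Answer 4: a west user cannot be placed in east's global group.
    try:
        add_member(g_east, bob)
        cross_domain_allowed = True
    except ScopeError:
        cross_domain_allowed = False
    # Answer 19: nest both global groups in a universal group, then put the
    # universal group in the resource domain's local group and grant to it.
    u_all = Group("FastTrack All", "east.example", UNIVERSAL)
    add_member(u_all, g_east)
    add_member(u_all, g_west)
    dl_readers = Group("FastTrack DB Readers", "east.example", DOMAIN_LOCAL)
    add_member(dl_readers, u_all)
    db = Resource("FastTrack database")
    db.grant(dl_readers, "Read")
    return db, alice, bob, cross_domain_allowed


if __name__ == "__main__":
    db, alice, bob, crossed = build_demo()
    print("cross-domain global membership allowed:", crossed)
    for u in (alice, bob):
        print(u.name, effective_permissions(db, u))
```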
20) C. RIS, remote installation services, enables the automation of the installation of Windows 2000, while still providing for security.
Chapter 5: Answers
1) D. Purchase a DSL connection from a local ISP and establish a VPN using PPTP. The combination of low-cost with sufficient bandwidth will lead to DSL, since the only other solution here that provides sufficient bandwidth is T-1, which is quite expensive. Beyond that there is the issue of how to secure a VPN across the Internet. While the scenario does not provide enough detail to rule out L2TP/IPSec entirely, remember that L2TP/IPSec cannot cross a NAT router and does not work with prior versions of Windows. The “safest” answer in this case is D., which can cross NAT routers and is supported by earlier Windows operating systems.
2) D. 128-bit encryption, which is the highest level of encryption available with PPTP. There is the possible problem of restrictions using 128-bit keys across international boundaries, but that question comes a bit later in the scenario. Also, remember that DES, 56-bit DES and Triple DES are encryption algorithms used with IPSec, and that Triple DES is quite similar to 128-bit encryption in the encryption strength and in export restrictions.
3) B., D., & E. are the correct answers. This is a question that leads to Active Directory design and leverage issues. The need to create separate account restrictions causes us to create a separate domain. A separate OU will still use the same domain account restrictions that the other OUs in that domain use, and so will not allow for giving the company instructors greater access than the contract instructors. Otherwise, the group creation solution here is not quite correct. There should be a domain local group which has the necessary permissions, with the global group Contract added.
4) C. L2TP/IPSec. The original VPN might have been secured with L2TP/IPSec, since both locations were standardizing on Windows 2000. Given the possibility of merging with a company in South America, however, the authentication/encryption solution would need to change to PPTP, as detailed in the next question.
5) While all of these could be cause for concern, the two that would have the most immediate impact are B. and D. With no access to DSL, the requirement to provide adequate bandwidth for future growth at a low cost will be difficult to fulfill. Additionally, the fact that the company is in South America has far-reaching implications for implementing security solutions, primarily because of export restrictions in the US, and possible restrictions in Argentina concerning the use of encryption. A. is not as large a concern, since the companies could still connect via PPTP. C. is not as large a concern either, since expertise could be flown in or contracted in Argentina.
6) B. 3DES & D. 128-bit encryption are the correct answers. Both encryption technologies are treated similarly in export restrictions. A., 40-bit DES, is a low level of encryption that is available worldwide. C., IPSec, is not an encryption solution, but uses encryption solutions to secure packets. E., SSL, is also not an encryption solution, but rather uses PKI to deliver keys for the subsequent encryption of transmissions.
7) B. SSL. Since the service is web-based, SSL could be used to provide encryption of all traffic between students and the web server. A., create a separate domain for the students, would be the beginning of a solution in which connectivity uses Kerberos. C. could be used but would require setup on each student computer. D., S/MIME, is used to secure e-mail.
8) A. Microsoft Proxy Server & C. NAT. The company could simply use NAT or Microsoft Proxy Server to provide the company employees with Internet access.
9) B. L2TP/IPSec, & D. IPSec tunnel mode, become unusable solutions where NAT is in use. IPSec packets cannot cross NAT routers. In this case, PPTP would be the only VPN solution possible.
10) A. & C. Contract trainers and instructors. External users are external based on their relationship with the company. If they are not fulltime employees, then they are external users, regardless of their location. Such users call for special consideration to provide access to resources in a secure manner.
Chapter 6: Answers
1) B. IPSec with AH (Authentication Headers) & D. SMB signing, provide for this type of connection security. SSL and RADIUS are solutions for remote connectivity typically, and EFS is a workstation-level encryption solution.
2) D. IPSec with ESP (Encapsulating Security Payloads) is the correct answer. B. SMB signing, and C. IPSec with AH both provide authentication services, but neither provides encryption of the contents of the packet. RADIUS is an authentication service for remote dial-up connections.
3) C. Secure Server, which will only allow a connection with a client via IPSec. Server will prefer an IPSec connection, but allow a non-IPSec connection, and Client is used to set the IPSec preferences on a Windows 2000 workstation.
4) C. Nothing. The Windows 98 workstation cannot be configured to use IPSec, and Microsoft has no plans to provide an IPSec solution for the Windows 9x platforms. Even the Windows 2000 Active Directory client does not add IPSec functionality to a Windows 9x machine. B. is a poor answer since it would lower the security below the company’s stated preference in Question #1.
5) C. Create and configure a group policy. This is again a question where Active Directory design crosses over into security design. The correct answer calls for the use of Group Policy objects to deliver the IPSec settings to all of the servers with as little administration as possible. That’s why A., while it would work, is not the best, or the simplest, solution.
6) A., B., & E. The ports used by IPSec are TCP 50 for IPSec ESP, TCP port 51 for IPSec AH, and UDP port 500 for IKE (Internet Key Exchange).
7) A., C., & E. Ping can be used to verify connectivity. Network Monitor can be used to view the actual packets and verify that IPSec is in use. Microsoft provides a tool called IPSec Monitor for the purpose of verifying IPSec communications.
8) C. Encryption standards. While the other answers may provide some issues for security design, the difference between countries’ standards would raise the largest issue.
9) B. is the correct answer. This is another question that emphasizes the close relationship between AD design and security design. Create a Group Policy and “push” the IPSec settings to the instructor computers from a single object. This simplifies administration and reduces the potential for errors in configuration.
10) D. Secure Server provides the highest level of negotiation between server and client. As a matter of fact, it is hardly negotiation, since the server demands an IPSec connection or refuses to connect the client at all.
Chapter 7: Answers
Chapter 7: Scenario II: BFQ – Supreme Division
1. D. Encryption on both ends. Relatively straightforward question.
2. A. Political climate in different parts of Asia. Political climate will affect business in any country.
3. A. Verify caller-ID & B. Always Callback to Number. For RAS connectivity, with these actions you can identify the remote access clients. This will help secure the RAS server at headquarters.
4. A. Use Terminal services. If the company does not wish to upgrade users’ computers, then terminal services can be used to host the application. The terminal services client can run applications as long as they have connectivity and a browser. Also, Terminal services offer secure options for the connection.
5. D. Database intrusion. Since the database will be accessed over the Internet for entering and retrieving important company information, if it is corrupted or accessed by unauthorized users, the company may assume massive losses.
6. A. Use SSL certificates. Since the company’s database will be accessed over the Internet, SSL is the logical choice for securing access.
7. A. L2TP & C. IPSec. For the highest level of authentication and encryption available, you should use L2TP/IPSec when trying to establish VPN connections for the offices.
8. A. Daily backup & B. Enhanced security. Daily backup is an important strategy for fault tolerance. Additionally, it is important to enhance security, so that no unauthorized users can access the database and possibly corrupt it.
9. C. BFQ - Supreme outsources the job to you. If you are an independent designer, then BFQ - Supreme is conducting what we call “outsourcing”. You are an external user in the company.
10. A. L2TP, B. IPSec, & C. Kerberos. Once all of the servers and workstations are running Windows 2000, then Kerberos is the Windows 2000 default for LAN connectivity. L2TP and IPSec will then be the preferred choice for VPN connections.
11. A. Outsourcing is often used by companies to accelerate a project timetable, or to off-load work from project team members so that their project work can proceed faster.
12. D. To figure out the total cost of deployment and implementation. While ROI will be an issue for management, you will need to help them assess the TCO, total cost of ownership, of the new network. While there will certainly be costs for installation and deployment, a TCO can show the reduced costs for management and administration of the new network over time.
13. D. Internal users already have access to the network. Most studies show that the majority of security failures are internal.
14. A. Cost of equipment & B. Line cost. What we are talking about here are the “Business Factors”. Cost, obviously, is an important business factor for consideration.
15. B. Executives. The Executive group’s concerns about issues like operating environment, market conditions, regulations, etc., will take precedence over concerns from the other groups.
16. D. Restrict their logon hours in account restrictions. You may limit their logon hours to avoid possible non-legitimate attempts. Maps to the objective Analyzing Business and Security Requirements for the End User.
17. A. Attack on the web site. If the web site suddenly slows down, a denial of service (DOS) attack may be occurring.
18. D. SSL. The vendor/partners will be using standard browser software to access the web site. The simplest solution to implement for assuring authentication and encryption will be SSL, since most standard browsers are SSL-compatible.
19. D. Both A and B. Since the two services basically serve different groups of users, separate servers should be deployed to maximize performance and also to provide separate security solutions. The new web application will be accessed by vendor/partners, while the current Internet web site will continue to be accessed by users worldwide.
20. A. Group policies & B. Remote access policies. Both Group Policies and RAS policies have terminal service settings and can be deployed to manage connections to the Terminal service.
Chapter 7: Scenario III: BFQ – ExGovern Division
1) A. Install physical cameras. The lobby’s problem is a physical security problem. Cameras to a certain extent can monitor the lobby during night shift.
2) C. CA can be independent of the Active Directory. A standalone CA can always work by itself without integrating into Active Directory.
3) A. Shorten the renewal cycle. By requiring more frequent renewals, interception of the key is less likely to result in an opportunity to intrude. Shortening the certificate life would also help in reducing the risk of a loss or theft of a key.
4) B. Active Directory. Since Certificate Services is an Active Directory-integrated application in Windows 2000, Active Directory is required if you are to set up an Enterprise CA.
5) C. One to One. This requires that you approve or reject every single request you receive, which will result in increased administration, but also in increased security.
6) A. You have a large amount of clients & D. You are using an external CA. Many to One certificate mapping is suitable when there are many users to secure, making one to one mapping inefficient. This is typically used in conjunction with an external CA, such as Verisign, to secure connections to a public web site using SSL.
7) B. Many to One. You typically select this when you have many users that need to rely on an external CA.
8) B. Reject his proposal. Using a Commercial CA is desirable when you are doing business on the Internet. It has nothing to do with a request for monitoring.
Chapter 7: Scenario IV: BFQ – ProTax Division
1) A. By default only secure dynamic updates are allowed. Anyone specified in the DACL can create or modify DNSNode objects.
2) C. Only the Authenticated User Group members can have this permission by default. All authenticated users and computers belong to this group.
3) A. Run the Application Server mode of Terminal services. Application Server mode allows browser clients to run the legacy applications using a web connection.
4) C. Maintain the database server on other servers. By placing the database on another server, the risk of failure can be reduced and fault tolerance improved.
5) A. End to end tunnel with L2TP and IPSec. A T-1 would provide high bandwidth, but at considerable expense. The company could look at using a DSL connection at each site, and secure the connection with L2TP/IPSec. This would reduce the available bandwidth, but also significantly reduce the costs for the connection.
6) D. Use SSL with 128-bit keys. This web site will be accessed by clients using browsers. SSL with 128-bit encryption will provide the highest level of security that is available. If the company expands to provide access to international clients, then there may be a problem with this solution, since 128-bit encryption is not allowed to be exported outside the US and Canada.
7) A. DA, digest authentication, which is used by SSL, is secure since it uses a hash function to protect authentication data. It can also work through the Proxy server.
8) C. External CA. To secure this site with SSL, an external CA like Verisign would be recommended. The use of an external CA helps to reduce liability in the event of a failure, and also simplifies the administration and management issues.
9) A. Deploy SSL & E. Request for a certificate from a commercial CA. SSL is a popular method for secure web site access. A certificate from an established commercial CA provides a means of identity authentication while minimizing the company’s liability.
10) A. EAP-TLS. Whenever you see the word “SmartCard”, choose EAP.
Chapter 7: Scenario V: BFQ – Excel Division
1) A. Put the servers in a locked room. We are talking here about server security – the physical aspect of security.
2) A. Place the servers in a locked room. B. Implement keycard access for the server room. C. Do not allow typical employees to enter the server room. Physical security for the server is important, as well as the safety of the equipment.
3) C. Backup on a daily basis & D. Take the backup media off site daily. RAID arrays and clusters burn up along with the same computer or the same building. Tape backup is the ideal choice, with off-site storage.
4) B. Rename the administrator account. Microsoft, and most other software vendors, recommends changing the default name of the administrator account. This gives potential hackers one less advantage in attempting to access your network. Remember though, that the SID is still the same, and can be found that way.
5) A. SmartCard. Windows 2000, through the use of Active Directory and Certificate Services, has brought the use of smartcards to the desktop. Only the user with the appropriate card and who enters the correct PIN will be able to logon using a smartcard protected computer.
6)
D. Use Group Policy. Group Policy lets you customize the smart card logon requirements centrally, taking advantage of Active Directory and minimizing the steps needed to implement and manage smart card security.
7)
C. Use "Do not display last user name in logon screen". This is the exact name of the option; in Windows 2000 it is found under Local Policies > Security Options in the Domain Security Policy snap-in, whereas earlier versions of Windows set it through system policies.
8)
A. Set password history to remember the last 8 passwords. B. Passwords must include a mixture of letters, numbers and special characters. C. Passwords must be at least 8 characters long. Microsoft's guidelines for password security are similar to this, as are the guidelines of many other software companies. In Windows 2000 these correspond to the "Enforce password history", "Password must meet complexity requirements" and "Minimum password length" settings under Account Policies.
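The three settings above as a working policy check, added here as an example and not taken from the book. It models Microsoft's documented complexity rule (no account name in the password, characters from at least three of four classes) together with a history of eight; the account names and passwords are constructed.

```python
"""Password policy checker: history of 8, complexity, minimum length 8.

Added example (not from the book). It models the three Windows 2000
Account Policy settings named in the answer. The complexity rule follows
Microsoft's documented 'Password must meet complexity requirements'
filter: the password must not contain the account name, and must use
characters from at least three of four classes (upper, lower, digit,
non-alphanumeric). The account names and passwords are constructed.
"""
import hashlib
from collections import deque


def meets_complexity(password, account_name):
    """True if password satisfies the three-of-four character-class rule
    and does not contain the account name (case-insensitive)."""
    if account_name and account_name.lower() in password.lower():
        return False
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(classes) >= 3


class PasswordPolicy:
    """Enforces minimum length, complexity and password history per account.

    Only digests of previous passwords are kept, as Windows keeps hashes
    rather than plaintext in its password history. SHA-256 is used here
    for the example; Windows itself stores NT hashes.
    """

    def __init__(self, min_length=8, history_size=8, complexity=True):
        self.min_length = min_length
        self.history_size = history_size
        self.complexity = complexity
        self._history = {}  # account -> deque of recent password digests

    @staticmethod
    def _digest(password):
        return hashlib.sha256(password.encode("utf-8")).hexdigest()

    def violations(self, account, password):
        """Return the list of policy violations for a proposed password."""
        problems = []
        if len(password) < self.min_length:
            problems.append("shorter than %d characters" % self.min_length)
        if self.complexity and not meets_complexity(password, account):
            problems.append("does not meet complexity requirements")
        if self._digest(password) in self._history.get(account, ()):
            problems.append("reused within the last %d passwords" % self.history_size)
        return problems

    def change_password(self, account, password):
        """Apply the change if it passes policy; return True on success."""
        if self.violations(account, password):
            return False
        history = self._history.setdefault(account, deque(maxlen=self.history_size))
        history.append(self._digest(password))
        return True


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(policy.change_password("jdoe", "Quart3r-Rep0rt"))   # accepted
    print(policy.violations("jdoe", "Quart3r-Rep0rt"))        # reuse flagged
```

The history deque drops the oldest digest once nine passwords have been set, which is exactly the point at which Windows would allow the first one again.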
9)
A. Use certificates. Certificates in combination with SSL provide a high level of security and good compatibility with a wide range of software, and they are the usual way to secure access to web sites.
10) B. Deploy X.509 certificates & C. Deploy PKI. X.509 certificates can be used with S/MIME so that users can digitally sign (and encrypt) their e-mail messages. Remember that the term PKI, public key infrastructure, describes the combination of X.509 certificates, the certificate authorities that issue them, and the hardware or software used to provide authentication and encryption services.
11) D. Enable auditing of logon failures. Audit the instances of logon failure; unsuccessful attempts are then recorded in the security log, where a run of failures against one account points to password guessing.
12) C. File and Object Access. Enable success auditing of File and Object Access (called "Audit object access" in Windows 2000), then open the Security tab of the folder in which the unauthorized access is occurring and, under Advanced > Auditing, add an entry that audits successful access. The audit policy alone records nothing; the per-folder auditing entry (the SACL) is what selects the objects to watch.
13) C. Audit the success and failure of write access to program files. Viruses usually modify the program files they infect, so writes to executables are the signal to watch. Bear in mind that by the time you look in the security log, the outbreak may already be widespread; auditing detects after the fact, it does not prevent.
14)
C. Success audit of logon and logoff. Failure auditing catches random password guessing. If passwords have been stolen, the logons succeed, so the successful logon and logoff events must instead be compared with records of people's presence at work (badge records, timesheets) to catch unauthorized use of the network.
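Both detections from questions 11 and 14 above, as an added example that is not part of the book: the script runs over constructed Windows 2000 security log records (event 528 successful logon, 529 failed logon, 538 logoff, written here in a simplified one-event-per-line form) and constructed badge-in/badge-out records, flagging bursts of failures and successful logons while the account's owner was not in the building.

```python
"""Two checks over Windows 2000 security log logon events.

Added example (not from the book). Windows 2000 records a successful logon
as event 528, a failed logon as 529 and a logoff as 538. The log lines
and the badge (presence) records below are constructed, in a simplified
one-event-per-line form: date time event_id account workstation.

check 1: bursts of 529 events on one account (password guessing), the
         case failure auditing is meant for;
check 2: 528 events outside the hours the account's owner was badged in,
         the stolen-password case, which only success auditing reveals.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOGON_SUCCESS, LOGON_FAILURE, LOGOFF = 528, 529, 538
TS = "%Y-%m-%d %H:%M:%S"

SAMPLE_LOG = """\
2003-03-10 08:02:11 528 jdoe WKS-12
2003-03-10 08:03:40 528 asmith WKS-07
2003-03-10 12:30:05 529 asmith WKS-07
2003-03-10 12:30:09 529 asmith WKS-07
2003-03-10 12:30:14 529 asmith WKS-07
2003-03-10 12:30:20 529 asmith WKS-07
2003-03-10 12:30:27 529 asmith WKS-07
2003-03-10 17:05:00 538 jdoe WKS-12
2003-03-10 23:41:52 528 jdoe WKS-12
2003-03-11 01:10:03 538 jdoe WKS-12
"""

# Constructed badge-in / badge-out times per (account, day).
PRESENCE = {
    ("jdoe", "2003-03-10"): ("07:45:00", "17:15:00"),
    ("asmith", "2003-03-10"): ("07:50:00", "18:00:00"),
}


def parse_log(text):
    """Parse the simplified log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, event_id, account, host = line.split()
        events.append({
            "ts": datetime.strptime(date + " " + time, TS),
            "id": int(event_id), "account": account, "host": host,
        })
    return events


def failure_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Accounts with at least `threshold` failed logons inside any `window`."""
    times_by_account = defaultdict(list)
    for e in events:
        if e["id"] == LOGON_FAILURE:
            times_by_account[e["account"]].append(e["ts"])
    flagged = []
    for account, times in times_by_account.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(account)
                break
    return sorted(flagged)


def logons_outside_presence(events, presence):
    """Successful logons at times when the account's owner was not badged in."""
    suspicious = []
    for e in events:
        if e["id"] != LOGON_SUCCESS:
            continue
        day = e["ts"].strftime("%Y-%m-%d")
        record = presence.get((e["account"], day))
        if record is None:                       # no badge record at all that day
            suspicious.append((e["account"], e["ts"]))
            continue
        badge_in = datetime.strptime(day + " " + record[0], TS)
        badge_out = datetime.strptime(day + " " + record[1], TS)
        if not badge_in <= e["ts"] <= badge_out:
            suspicious.append((e["account"], e["ts"]))
    return suspicious


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("password guessing:", failure_bursts(evts))
    print("logons outside presence:", logons_outside_presence(evts, PRESENCE))
```

The first check works from failure events alone; the second has nothing to look at unless success auditing is on, which is the point of answer 14.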
Chapter 7: Scenario VI: BFQ – ABC Toys Division
1)
D. None of the choices. All of these clients can join Active Directory, either natively or with add-on client software.
2)
B. Set up one Windows 2000 server with GSNW. A Windows 2000 server running GSNW (Gateway Services for NetWare) acts as an agent for the other clients: it connects to the NetWare server on their behalf and re-shares its file and print resources, so the clients need no NetWare client software of their own.
3)
C. NWLink. Even though NetWare 5 supports TCP/IP, the question presumes a Windows 2000 server using GSNW (Gateway Services for NetWare). While NetWare 5.x supports pure TCP/IP, GSNW talks to the NetWare server over IPX/SPX, so the Windows 2000 server will have to run NWLink.
4)
A. Dcpromo. This command promotes a member server to a domain controller by installing Active Directory, or demotes a domain controller back to a member server.
5)
C. DNS. Only DNS is required for a Windows 2000 network to run Active Directory. DNS in Windows 2000 removes the need for WINS, and in a small network you can use static IP addresses instead of DHCP.
6)
B. RID master, C. Infrastructure master & D. PDC emulator. These are the per-domain roles; each domain needs one of each. The Schema master and Domain Naming master are per-forest roles, so there is only one of each in a Windows 2000 Active Directory forest.
7)
A. Install the Directory Services Client on the clients. The Directory Services Client should be installed on pre-Windows 2000 clients so that they can locate domain controllers through Active Directory and use DFS.
8)
D. Do not put the Infrastructure Master and the GC on the same server. The infrastructure master updates cross-domain references by comparing its own data with a global catalog; if it is itself a GC it never sees stale references and stops updating them. (The exception is when every domain controller in the domain is a GC, or when there is only one domain.) Ideally, place the global catalog on the Domain Naming Master, which in Windows 2000 must be a GC anyway.
9)
A. Schema Master & B. Domain Naming Master. Also, in Windows 2000 the Domain Naming Master must be a global catalog server, so the GC will be on the same server.
10) A. New security principal objects cannot be created. This has little effect on general users, who seldom need to create objects in Active Directory. It will, however, hinder administrators, who cannot create users, groups or computer accounts until the RID master becomes available again (or until the domain controllers' current RID pools are exhausted, whichever comes first).
11) C. Default Domain Policy -> Computer Configuration -> Windows Settings. In Windows 2000, startup and shutdown scripts are managed through Group Policy in the MMC, under Scripts in this path. Remember the path for the exam.
12)
A. Use Local Security Policy. The tool for configuring Local Security Policy is found in Administrative Tools. If this network were a single domain with a Windows 2000 domain controller, Group Policy could be used instead to push the security settings to all the computers at once.
13) A. Account lockout, B. Kerberos & C. Password settings. These are all domain-wide settings in Windows 2000; they apply to every user in the domain. If groups of users require different settings in any of these areas, you will need to create a separate domain for those users.
14) D. Local admin privileges. Grant those users local administrator rights on their own laptops only, so they can make the needed changes there; any domain-level privilege would give them far more rights across the network than they need.
15) A. Schema Master & B. Domain Naming Master. The Schema Master and Domain Naming Master are per-forest roles; the other choices are per-domain roles. Since BFQ-ABC already has domain controllers, the per-domain roles are already held by those domain controllers.
Chapter 7: Scenario VII: BFQ – MediAssociate
1)
D. NT LAN Manager. NTLM is the authentication protocol used by default in NT 4.0; the other answers are all features of Windows 2000.
2)
A. Use long passwords. B. Passwords with letters, numbers and special characters. C. Passwords cannot be repeated often.
These are configured on a per-domain basis. A strong password policy uses longer passwords that mix numbers, letters and special characters, requires that passwords be changed frequently, and prevents previously used passwords from being reused.
3)
A. Block port 135 & B. Block port 139. There is normally no need to expose the RPC endpoint mapper (TCP 135) or the NetBIOS session service (TCP 139) to the Internet; these ports should always be blocked at the firewall. In practice, block the whole set of Windows networking ports, including UDP 137 and 138 and, on Windows 2000, TCP 445 (direct-hosted SMB), which the question's choices do not list.
4)
A. File owner & C. Recovery agent. EFS encrypts each file with a random file encryption key, which is in turn encrypted to the owner's public key and to the public key of each recovery agent; the Administrator is assigned the recovery agent role by default. The file owner and the recovery agent can therefore each decrypt the file with their own private key.
5)
C. Tell Tom to use RUN AS as Tim. RUN AS is typically used to avoid logging on with the administrator account. Microsoft recommends that administrators log on with a normal user account and launch administrative consoles or applications with RUN AS, rather than staying logged on with administrator privileges, so that everyday programs such as the browser and e-mail client do not run with those rights.
6)
A. DOS = Denial of Service attack. This type of attack floods a web server with a large volume of targeted requests until it can no longer respond to regular users, rendering it non-functional. It is the kind of attack used on the Internet to cripple several large .com sites in the couple of years before this book was written.
7)
D. Open port 443. HTTPS uses port 443, while port 80 is for regular HTTP. To allow secure connections to the web server over HTTPS, port 443 must be opened at the firewall.
8)
C. Non-repudiation. This is implemented with cryptography, specifically digital signatures. Non-repudiation means the sender of a message cannot later deny having sent it: the signature proves the message came from the holder of the private key and was not altered in transit.
9)
C. 180. The default cost of a site link is 100, and its default replication interval is 180 minutes.
10) A. A full copy is stored on each GC. Every domain controller, GC or not, holds a full copy of the schema and configuration directory partitions; a GC additionally holds a partial, read-only replica of every domain partition in the forest.
11) C. Schema data is replicated when changes occur. Schema changes happen when you install products or service packs that extend or modify the schema, which does not occur very often; the change is then replicated to every domain controller in the forest.
12) A. There must be a common replication window among the sites. Without a common replication window (a time frame in which both ends of the site link allow replication), no inter-site replication will occur.
Chapter 7: Scenario VIII: BFQ – Kellok Division
1)
C. Alphanumeric characters and hyphens only. Site names are published in DNS (domain controllers register site-specific SRV records), so they must comply with DNS naming requirements.
2)
A. AR-4 must have at least one domain controller & C. AR-4 should be a separate site. Since AR-4 has only SMTP connectivity, it has to be a separate site: the poor connectivity limits replication to scheduled inter-site transfers.
3)
A. They should be separate sites, to allow scheduling of replication traffic across the WAN link, to keep authentication traffic local, and to reduce bandwidth usage.
4)
A. Technically possible & C. Not a good approach are the correct answers. A better way to reduce traffic is to put domain controllers and GCs at each location, so that traffic across the WAN is minimized.
5)
C. Internet firewall. The term screened subnet is mostly used in conjunction with an Internet firewall; it is the separately filtered network segment that protects the internal network from outside intrusion.
6)
B. Use DACL. Each object in Active Directory has a DACL whose entries determine who has which level of access to the object.
7)
A. When the network is in native mode & C. When the network has more than one domain. Universal groups can be created only when the domain is in native mode, that is, when all domain controllers are running Windows 2000. We generally use universal groups when providing access to a resource for users from different domains. Keep in mind that universal groups are seldom used, both in the real world and on the exams.
8)
A. Modify Owner. Log on as a user with administrative privileges, then modify the owner of the folder and replace the permissions on all files and subfolders of the directory. This is similar to "Take Ownership" in NT 4.0.
9)
D. Use the HISEC template (hisecws.inf, or hisecdc.inf for domain controllers) to set the security on their computers to the highest default level. COMPATIBLE (compatws.inf) is used if applications will not run under HISEC, that is, when the applications need more access to local resources than HISEC allows.
10)
C. Anyone who belongs to the Administrators group can modify the object. The Administrators group has wide-reaching rights in the network.
11) A. Users should be placed in global groups based on their security needs & D. Local groups should be granted access to resources. E. is backwards: we place global groups in local groups so that users receive their permissions through them. The Microsoft recommendation is AGDLP (Accounts into Global groups, Global groups into Domain Local groups, Permissions to the domain local groups).
12) A. File transmission across the network & C. File stored on floppy. EFS only protects files while they are stored on an NTFS volume: a file is decrypted before it is sent over the network, and a floppy is FAT, so the copy there is plaintext. EFS is one of the Windows 2000 features generally considered useful for securing files on laptop computers.
13) A. AR@1, B. AR#2, C. AR 3, D. AR!4. They all contain restricted characters. Site names must comply with the DNS naming standard: special characters and spaces are not allowed, with the hyphen as the only exception.
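The naming rule from questions 1 and 13 of this scenario as a working check, added here as an example and not taken from the book. It validates candidate site names as DNS labels (ASCII letters, digits and hyphens, no leading or trailing hyphen, at most 63 characters, per RFC 1123) and reports why each rejected name fails; the candidate list is the four names from question 13 plus constructed edge cases.

```python
"""Validate Active Directory site names against DNS label rules.

Added example (not from the book). Site names are published in DNS, so they
must be valid DNS labels: ASCII letters, digits and hyphens only, no
leading or trailing hyphen, 1 to 63 characters (RFC 1123). The candidate
names below are the ones from question 13, plus constructed edge cases.
"""
import re

# Anchored DNS label: no leading hyphen, 1..63 of [A-Za-z0-9-], no trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

ALLOWED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-")


def is_valid_site_name(name):
    """True if `name` is a valid DNS label."""
    return LABEL_RE.fullmatch(name) is not None


def invalid_characters(name):
    """Characters in `name` that DNS labels do not allow, in sorted order."""
    return "".join(sorted({c for c in name if c not in ALLOWED}))


def check_site_names(names):
    """Map each name to None if valid, otherwise to a short reason."""
    report = {}
    for name in names:
        if is_valid_site_name(name):
            report[name] = None
        elif not name:
            report[name] = "empty"
        elif len(name) > 63:
            report[name] = "longer than 63 characters"
        elif invalid_characters(name):
            report[name] = "contains " + repr(invalid_characters(name))
        else:
            report[name] = "starts or ends with a hyphen"
    return report


# The four names from question 13, a valid one, and constructed edge cases.
CANDIDATES = ["AR@1", "AR#2", "AR 3", "AR!4", "AR-4", "-AR4", "AR_4", "a" * 64]

if __name__ == "__main__":
    for name, reason in check_site_names(CANDIDATES).items():
        print("%-10r %s" % (name, "ok" if reason is None else reason))
```

Note that the underscore is rejected too: Windows DNS servers will accept it in many records, but it is not a valid hostname character, and site names should stay within the strict rule.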
Index
-A-
Access Control List (ACL), 68, 218
Administrator, 241, 296, 301
Agent, 296
Asynchronous Transfer Mode (ATM), 110, 147
Auditing, 86, 91, 96, 128, 201
Authentication, 91, 109, 170, 178, 182
Authentication Header (AH), 170, 174, 178, 182
-B-
Bandwidth, 50
Baseline, 71
-C-
Certificate Authority (CA), 119
Certificate Services, 119, 204, 263
Challenge Handshake Authentication Protocol (CHAP), 196, 212
Client, 94, 110, 134, 184
Cluster, 217, 285
Component Object Model (COM), 131
-D-
Daily Backup, 195, 277
Data Encryption Standard (DES), 110
Desktop, 73
Digital Subscriber Line (DSL), 47, 50, 149
Directory Service, 97
Disable, 217
Discretionary Access Control List (DACL), 67, 73, 81, 219
DNS Server, 46, 127
DNS Zone, 124
Domain Controller, 175, 180, 239
Dynamic-Link Library (DLL), 99
-E-
Encapsulating Security Payload (ESP), 168, 175, 179, 182
Encrypting File System (EFS), 67, 77
Encryption, 154, 175, 194, 273
Extensible Authentication Protocol (EAP), 112, 195, 212
-F-
Filter, 194
Firewall, 79, 299
-G-
Gateway, 224, 290
Global Group, 115, 241
Group, 1, 13, 37, 42, 48, 55, 67, 91
Group Policy, 13, 56, 97, 140, 286
Group Policy Object, 13, 56, 101, 273
-H-
Hypertext Transfer Protocol (HTTP), 79, 195, 297
-I-
Industry Standard Architecture (ISA), 308
Integrated Services Digital Network (ISDN), 29, 149, 215
Internet Information Services (IIS), 42, 48, 61, 226
IP Address, 47, 87, 148
IPSec Filter, 175
-K-
Key, 119, 273
-L-
Layer Two Tunneling Protocol (L2TP), 150, 160, 163, 164, 210
Library, 191
Local Area Network (LAN), 3, 29
Local Group, 241, 301
-M-
Microsoft Point-to-Point Encryption (MPPE), 154
-N-
NetWare, 224, 290
Network Basic Input/Output System (NetBIOS), 224, 232, 296
NTFS File System, 74, 80, 95, 263
NTLM, 94, 96, 110, 134
NWLink, 224, 290
-O-
Object, 97, 219, 288
-P-
Permission, 219
Ping, 185, 273
Point-to-Point Tunneling Protocol (PPTP), 35, 146, 150, 210
Protocol, 112
Proxy Server, 210, 283
-R-
Redundant Array of Independent Disks (RAID), 217, 285
Registry, 71
Relative ID (RID), 72, 226
-S-
Secure Sockets Layer (SSL), 34, 119
Security ID (SID), 285
Server Message Block (SMB), 167
Simple Mail Transfer Protocol (SMTP), 238, 299
Smart Card, 110, 135, 141
-T-
Terminal Services, 125, 137
Transmission Control Protocol / Internet Protocol (TCP/IP), 125, 183
Transport Layer Security (TLS), 91, 112, 123, 153, 212
-U-
Uniform Resource Locator (URL), 79
Universal Group, 115, 128, 300
UNIX, 94, 109, 216, 236
User Account, 125, 157
-W-
Wide Area Network (WAN), 7, 29, 33, 145
Other Microsoft Books
Other Microsoft Certification books by TotalRecall Publications:
InsideScoop to MCP / MCSE Certification: Exam 70-220 Designing Security for a Microsoft Windows 2000 Network
ExamWise For MCP / MCSE Certification: Exam 70-220 Designing Security for a Microsoft Windows 2000 Network
ExamInsight For MCP / MCSE Certification: Exam 70-210 Managing Microsoft Windows 2000 Professional
ExamInsight For MCP / MCSE Certification: Exam 70-216 Implementing and Administering a Microsoft Windows 2000 Network Infrastructure
ExamInsight For MCP / MCSE Certification: Exam 70-217 Managing a Microsoft Directory Services Infrastructure
ExamInsight For MCP / MCSE Certification: Exam 70-219 Designing a Windows 2000 Directory Services Infrastructure
ExamInsight For MCP / MCSE Certification: Exam 70-221 Designing a Microsoft Windows 2000 Network Infrastructure
ExamInsight For MCP / MCSE Certification: Exam 70-227 Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition
ExamInsight For MCP / MCSE Certification: Exam 70-270 Microsoft Windows XP Professional
Money Back Book Guarantee
This guarantee applies only to books published by TotalRecall Publications, Inc. We are so confident in our products that we offer the following guarantee to you, our valued customer: if you do not pass your certification exam after two attempts, we will give your money back. Visit http://www.totalrecallpress.com and select "Money Back Book Guarantee" for details.
Registered book purchasers who qualify will receive:
1. A 50% cash refund of the purchase price
2. A free TotalRecall book of equal value. Note: you must pay for shipping and handling.
To qualify for this TotalRecall Guarantee you must meet these requirements and perform the following tasks:
1. Register your purchase at the TotalRecall web site http://www.totalrecallpress.com
2. Fail the corresponding exam twice (no time limit)
3. Contact TotalRecall for the RMA # and to claim this guarantee. Send email to mailto:[email protected]; the subject must contain your Membership # or Registration #.
Ship the following to claim your refund:
1. RMA # from the returned email
2. Documents of exam scores for both failed attempts
3. Return the book to the following address:
TotalRecall Publications, Inc.
Attn: Corby Tate
1103 Middlecreek
Friendswood, TX 77546
888-992-3131
[email protected]
281-992-3131
281-482-5390 Fax
http://www.bfq.com
It's a Passing day here at the BeachFront. Thank you for using the TotalRecall Success Program.
Bruce Moran, President
280 Practice Exam Offer
Microsoft 70-220 Practice Exam Offer BeachFrontQuizzer (BFQ) version 4.0
With the purchase of this book you qualify to purchase a Beachfront Quizzer, Inc. Practice exam at a $20 discount Visit www.TotalRecallPress.com for details Register your book purchase at www.TotalRecallPress.com Your Registration Code # = EI-02220-2000
Call: 281-992-3131 Good Luck with your certification! Your Book Registration Number is EI-02220-2000 You cannot go wrong with this book because it is GUARANTEED: See details at www.TotalRecallPress.com