module 6: designing security for network hosts. overview creating a security plan for network hosts...
TRANSCRIPT
Module 6:Designing Security for
Network Hosts
Overview
Creating a Security Plan for Network Hosts
Creating a Design for the Security of Network Hosts
Lesson 1: Creating a Security Plan for Network Hosts
MSF and Security of Network Hosts
Defense in Depth and Security of Network Hosts
Types of Security Settings for Network Host Security
STRIDE Threat Model and Security of Network Hosts
Practice: Identifying Security Threats to Network Hosts
MSF and Security of Network Hosts
The MSF envisioning and planning phases help you to:The MSF envisioning and planning phases help you to:
Decide which locations your plan will help to protect
Ensure that appropriate countermeasures are applied
Classify your environment:
Legacy Client
Enterprise Client
Specialized Security
Limited Functionality
Decide which locations your plan will help to protect
Ensure that appropriate countermeasures are applied
Classify your environment:
Legacy Client
Enterprise Client
Specialized Security
Limited Functionality
3344
55Plan
Envision
Defense in Depth and Security of Network Hosts
Policies, Procedures, and Awareness
Physical Security
Perimeter
Internal Network
Application
Data
Host
Types of Security Settings for Network Host Security
The Security Guides for Windows XP and Windows Vista include sample security templates based on classificationThe Security Guides for Windows XP and Windows Vista include sample security templates based on classification
Client Hardening
The “Windows Server 2003 Security Guide” includes sample security templates based on distinct server rolesThe “Windows Server 2003 Security Guide” includes sample security templates based on distinct server roles
Server Hardening
Proactive management of security updates is a requirement for keeping your technology environment secure and reliable Proactive management of security updates is a requirement for keeping your technology environment secure and reliable
Patch Management
Control the download and installation of antivirus updates on your computersControl the download and installation of antivirus updates on your computersAntivirus
Distributed firewalls are installed on each individual system, but they must use a centralized access policy Distributed firewalls are installed on each individual system, but they must use a centralized access policy
Distributed Firewall
STRIDE Threat Model and Security of Network Hosts
Administrative password is exposed during installation Administrative password is exposed during installation Spoofing
Baseline security is not deployed uniformly Baseline security is not deployed uniformly Tampering
Security configuration is not updated when a computer’s role changes Security configuration is not updated when a computer’s role changes Repudiation
Sensitive data remains on hard disks and other storage media when the computer is decommissioned Sensitive data remains on hard disks and other storage media when the computer is decommissioned
Information disclosure
Virus infects a computer before virus protection software is installedVirus infects a computer before virus protection software is installed
Denial of service
Computer is not secured properly for its role Computer is not secured properly for its role Elevation of privilege
Practice: Identifying Security Threats to Network Hosts
Test for spoofing threats
Test for tampering and repudiation threats
Test for information disclosure threats
Lesson 2: Creating a Design for the Security of Network Hosts
Life Cycle of a Network Host
Methods for Securing Initial Host Installation
Process for Creating a Secure Baseline
Security for Specific Computer Roles
Methods for Applying Security Updates
Host-Based Firewalls
Methods for Assessing the Security of Network Hosts
Secure Decommissioning of Network Hosts
Practice: Applying Security to a Network Host
Life Cycle of a Network Host
Life-cycle Phase Security consideration
Initial installation Viruses and configuration errors can compromise the security of a computer
Baseline configuration
After initial installation, configure the baseline configuration settings that you require
Role-specific security
Apply additional configuration beyond the baseline configuration for roles that require specific security
Application of security updates
To maintain the baseline security configuration, install the service packs and security updates
Decommissioning Dispose of computers in a way that makes it impossible for attackers to obtain information
Methods for Securing Initial Host Installation
Method DetailsIsolated networks
Protects computers from attackers before security measures are applied
Updated media Ensures that all security updates and service packs are installed during initial configuration
Custom scriptsEnsures that only required services are installed for the computers’ role
Enables the configuration of secure default settingsHard disk imaging
Uses a copy of a secure installation, including applications and security measures
Remote Installation Services
Centrally manages the installation of custom scripts and hard disk images
To create a secure baseline for computers:To create a secure baseline for computers:
Create a baseline security policy for computers
Create custom security templates
Test the custom security templates
Deploy the custom security templates
Create a baseline security policy for computers
Create custom security templates
Test the custom security templates
Deploy the custom security templates
11
33
44
22
Process for Creating a Secure Baseline
Security for Specific Computer Roles
When applying security for specific computer roles:When applying security for specific computer roles:
Predict unique threats to a computer based on its role
Consider the value of data on the computer
Use the baseline procedure to create a unique security template for each computer role
Predict unique threats to a computer based on its role
Consider the value of data on the computer
Use the baseline procedure to create a unique security template for each computer role
Domain Controller File Server Web Server
Methods include:Methods include:
Methods for Applying Security Updates
Domain Controller File Server Web Server
Microsoft Update
Windows Server Update Services
Systems Management Server
Microsoft Update
Windows Server Update Services
Systems Management Server
Host-Based Firewalls
Methods include:Methods include:
Methods for Assessing the Security of Network Hosts
Domain Controller File Server Web Server
The Microsoft Security Assessment Tool
Microsoft Baseline Security Analyzer
Security Configuration Wizard
Third-party software that tests for vulnerabilities
Vulnerability or penetration testing
The Microsoft Security Assessment Tool
Microsoft Baseline Security Analyzer
Security Configuration Wizard
Third-party software that tests for vulnerabilities
Vulnerability or penetration testing
Secure Decommissioning of Network Hosts
Destroy the data that computers store to ensure that attackers cannot retrieve confidential information
Destroy the data that computers store to ensure that attackers cannot retrieve confidential information
Remove media from storage devices before disposal Remove media from storage devices before disposal
Consider physically destroying the media after you erase or format the data on the media Consider physically destroying the media after you erase or format the data on the media
Dispose of printed confidential information in a secure manner, for example, by shredding Dispose of printed confidential information in a secure manner, for example, by shredding
Practice: Applying Security to a Network Host
Apply security by using SCW
Lab: Designing Security for Network Hosts
Exercise 1Identifying Vulnerabilities When Applying Security Updates
Exercise 2Identifying Vulnerabilities When Decommissioning Computers