Networking Concepts Lesson 10 Part 1 - Network Admin & Support - Eric Vanderburg

Networking Concepts – Eric Vanderburg ©2005 Chapter 10 Network Administration & Support

Post on 19-Oct-2014


Chapter 10: Network Administration & Support

Managing Users & Groups

• Active Directory Users & Computers
• Edit a text file in Linux
• Computer Management for local clients

Best Practices

• Administrators should have 2 accounts
  - Have an account for normal use
  - Use the administrator-level account only when it is needed (“Run As” in Windows, SU (super user) in Linux)
• Rename the administrator account (it cannot be deleted or disabled)
• Disable the guest account (also add restrictions)
  - Only access from this computer
  - No permissions
  - No access times
• Audit use of administrative rights
• In Linux, a user account can be disabled by editing the password file and deleted by using the userdel command

Considerations

• User name naming conventions
• Password complexity
• Logon hours
• Auditing
• Security

Passwords

• Change passwords often
  - Too often: written down
  - Not often enough: insecure network
  - Dictionary attacks
• NOS password lengths
  - Windows 2000/2003 limit is 128 characters
  - Windows NT limit is 14 characters
  - Linux limit is 256 characters

Computer Accounts

• Used to restrict access to the domain to certain computers
• Must be a Domain or Enterprise Admin to add computers

User Rights

• Permissions - access to resources
• Rights - permitted actions
  - Log on locally
  - Shut down the computer
  - Share resources
  - Manage printers
  - Add computers to the domain
  - Adjust quotas
  - Backup & restore
  - Take ownership
  - …

Groups

• Security groups
  - Local group
  - Global group
  - Universal group
• Distribution group
• Users should be placed in groups
• Permissions should be given to groups, not to individual user accounts
• Users can belong to many groups
• Effective permissions – the end result of all group memberships. All permissions from all groups are added together, but deny overrides allow (use deny sparingly)
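A worked example of the effective-permissions rule above, added here and not taken from the slides: allows from every group the user belongs to are merged, any matching deny wins, and a small explain() helper shows which ACE produced the result. The users, group names and the share ACL are constructed.

```python
"""Effective permissions from group membership: allows from every group the
user is in are added together, and any deny wins. Constructed sample data."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set


@dataclass(frozen=True)
class Ace:
    """One access control entry: a principal (user or group), allow/deny, permissions."""
    principal: str
    access: str                 # "allow" or "deny"
    perms: FrozenSet[str]


def principals_for(user: str, memberships: Dict[str, Set[str]]) -> Set[str]:
    """Identities an access check sees: the user, its groups, and the automatic Everyone group."""
    return {user, "Everyone"} | memberships.get(user, set())


def effective_permissions(user: str, acl: Iterable[Ace],
                          memberships: Dict[str, Set[str]]) -> FrozenSet[str]:
    """Union of all matching allow ACEs, minus the union of all matching deny ACEs."""
    ids = principals_for(user, memberships)
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for ace in acl:
        if ace.principal not in ids:
            continue
        if ace.access == "allow":
            allowed |= ace.perms
        elif ace.access == "deny":
            denied |= ace.perms
        else:
            raise ValueError(f"unknown access type {ace.access!r}")
    return frozenset(allowed - denied)          # deny overrides allow


def explain(user: str, perm: str, acl: Iterable[Ace],
            memberships: Dict[str, Set[str]]) -> List[str]:
    """Every ACE that touched one permission for this user, in ACL order (for troubleshooting)."""
    ids = principals_for(user, memberships)
    return [f"{ace.access} via {ace.principal}"
            for ace in acl if ace.principal in ids and perm in ace.perms]


# Constructed sample: group memberships and one share's ACL (not from the slides).
MEMBERSHIPS = {
    "alice": {"Sales", "Managers"},
    "bob": {"Sales", "Contractors"},
    "dave": set(),                      # only in the automatic Everyone group
}
SHARE_ACL = [
    Ace("Everyone", "allow", frozenset({"read"})),
    Ace("Sales", "allow", frozenset({"read", "write"})),
    Ace("Managers", "allow", frozenset({"delete"})),
    Ace("Contractors", "deny", frozenset({"write", "delete"})),   # deny, used sparingly
]

if __name__ == "__main__":
    for who in MEMBERSHIPS:
        print(who, sorted(effective_permissions(who, SHARE_ACL, MEMBERSHIPS)))
    print("bob/write:", explain("bob", "write", SHARE_ACL, MEMBERSHIPS))
```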

Built-in Groups

• Administrators (also Domain Admins & Enterprise Admins)
• Account Operators - create and manage user accounts
• Backup Operators - backup & restore
• Incoming Forest Trust Builders - make one-way trusts to the forest root domain
• Network Configuration Operators - change TCP/IP settings for DCs
• Performance Log Users - configure performance counters, logs, & alerts
• Performance Monitor Users - remotely view Performance Monitor
• Print Operators
• Remote Desktop Users
• Replicator - can change the way AD data is sent between DCs and can start the replicator
• Server Operators - log onto DCs, start & stop services, backup & restore, format…
• Cert Publishers - publish CRL, CTL, & templates
• Enrollment Agent - issue certs
• DHCP Administrators
• DNS Admins
• Group Policy Creator Owners
• Schema Admins
• Help Services Group - manage Help & Support Center (remote assistance)
• Guests

Automatic Groups

• User groups
  - Everyone
  - Authenticated Users – non-guest users
  - Interactive – local user
  - Network – logged onto the domain
  - Creator / Owner
  - Anonymous Logon
  - Terminal Services User
  - Dialup
• Program/service groups
  - Service
  - Batch
  - System


Domain & Forest Groups

• Local group – for permissions to local resources; other groups should be placed inside it
• Global group – user accounts should go here
• Universal group – contains accounts from the entire forest; native mode only

Functional Levels

Functional Level               Supported DC OS
Windows 2000 Mixed             Windows NT 4.0, Windows 2000, Windows Server 2003
Windows 2000 Native            Windows 2000, Windows Server 2003
Windows Server 2003 Interim    Windows NT 4.0, Windows Server 2003
Windows Server 2003            Windows Server 2003

• Domain or forest functional level

Functional Levels

Functional Level               Options
Windows 2000 Mixed             No universal groups & nesting
Windows 2000 Native            Universal groups allowed, group nesting allowed, group conversion allowed, SID history
Windows Server 2003 Interim    No universal groups & nesting
Windows Server 2003            Universal groups allowed, group nesting allowed, group conversion allowed, SID history, rename DCs

Trusts

• Types
  - 1-way
  - 2-way
  - Transitive
  - Universal – all domains in a tree trust each other
• NT uses 1-way explicit trusts
• 2000 & 2003 use 2-way transitive implicit trusts
• Allows sharing between domains (permissions are still needed)

Accounts

• SID (Security Identifier) - unique number for AD objects
• We see names, Windows sees SIDs
• Recreated accounts will have new SIDs
• NT stores user rights in the SAM (Security Accounts Manager)
• 2000 & 2003 store rights in AD

Event Viewer

• System Log – records information about operating system services and hardware
• Security Log – records security events based on audit filters or policy settings
• Application Log – maintains information about applications
• Additional logs: Directory Service, DNS Server, File Replication Service

Performance Monitor

• Records individual events to show trends in a graph
• Object – the item you want to track (ex: processor)
• Counter – the aspect of the item that you want to track (ex: interrupts/sec)

Monitoring

• Network Monitor – install from Add/Remove Windows Components (must be a server OS)
  - Data read from and written to the server each second
  - Queued commands
  - Number of collisions per second
  - Security errors
  - Connections currently maintained to other servers (server sessions)
• Linux users can choose from many open source add-on products

Long-term Monitoring

• Develop a baseline
• Update the baseline when the network changes
  - Bandwidth changes
  - New servers
  - Software changes
• Compare performance to the baseline

Security

• Know the costs
  - Costs due to loss of data
  - Costs of downtime
  - Cost of implementing security measures
• Physical security must be addressed first
• Share-oriented security (Win9x)
• User-oriented security (Win2k, 2k3, XP)

Security

• Securing data
  - Make it safe from intruders
  - Make sure damaged data can be replaced
• Plan for network security
  - Identify threats
  - Communicate with other managers in the office to make sure the security system meets their needs (it is not only about IT; think of the users)

Windows Security Features

• Kerberos
• PKI (Public Key Infrastructure)
• Group Policy
• VPN (Virtual Private Network)
• IPSec (IP Security)

Windows 2003

• CLR (Common Language Runtime) – reduces bugs that leave Windows vulnerable by reducing the power of individual programs, placing them under the control of the OS.
• IIS 6.0 – configured for maximum security by default & disabled by default
• Unsecured clients cannot log on – Windows 95, and NT prior to SP4, cannot log on to a Windows 2003 domain by default; all clients are required to use certificates and encryption

Kerberos

• Authentication method (Win2k & 2k3 default)
• Based on RFC 1510
• Uses Kerberos version 5
• Replaces NTLM (NT LAN Manager) & NTLMv2 – these are still used with pre-2k clients

Kerberos Components

• KDC (Key Distribution Center)
  - AS (Authentication Service) – verifies identity through AD; gives the TGT (Ticket Granting Ticket), which gives access to certain resources
  - TGS (Ticket-Granting Service) – verifies the TGT; creates a service ticket & session key for a resource based on the TGT. The client can present the service ticket to another server to access its content. NOTE: servers have tickets too. The TGS only services its own domain; it must refer to another TGS for interdomain resource access (gives a referral ticket)
• Server with the desired resource
• Client

Items of Note

• Delegation with forwarding and proxy - lets a server, such as a database server, access resources on your behalf (it is given a proxy or forwarding ticket)
• NTP (Network Time Protocol) is used to synchronize time between machines. Keys are based on system time, so all must be the same.
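The exchange described on the Kerberos Components and Items of Note slides, as an added Python model that is not part of the original deck or of Windows: an AS that issues a TGT, a TGS that checks it and issues a service ticket only for its own domain, a resource server that validates the ticket with its own key, and the clock-skew check on authenticators that makes NTP necessary. The cipher is a stdlib-only encrypt-then-MAC stand-in for real Kerberos encryption, and the principal names, realm keys and the password "correct horse" are constructed.

```python
"""Toy model of the Kerberos AS -> TGS -> server exchange (added example, not Windows code).
The cipher is a stdlib-only encrypt-then-MAC stand-in for the real Kerberos encryption."""
import hashlib, hmac, json, secrets

MAX_SKEW = 300  # seconds; authenticators outside this window are rejected, which is why NTP matters

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a ticket or reply so only the holder of `key` can read it (toy cipher)."""
    pt, nonce = json.dumps(obj).encode(), secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def derive_key(password: str) -> bytes:
    """Toy string-to-key; real Kerberos salts and iterates."""
    return hashlib.sha256(password.encode()).digest()

# Constructed realm: the long-term keys the KDC holds (in Windows they come from AD).
KDC_KEYS = {"alice": derive_key("correct horse"),
            "krbtgt": secrets.token_bytes(32),      # the TGS's own key; TGTs are sealed with it
            "fileserver": secrets.token_bytes(32)}  # the resource server's key

def check_authenticator(session_key: bytes, auth_blob: bytes, ticket: dict, now: float):
    """The presenter must hold the ticket's session key, be fresh, and the ticket unexpired."""
    auth = unseal(session_key, auth_blob)
    if auth["client"] != ticket["client"]:
        raise ValueError("authenticator does not match ticket")
    if abs(now - auth["time"]) > MAX_SKEW:
        raise ValueError("clock skew too large; synchronize clocks with NTP")
    if now > ticket["expires"]:
        raise ValueError("ticket expired")

def as_exchange(client: str, now: float):
    """AS: issue a TGT sealed for the TGS plus the session key sealed for the client."""
    sk = secrets.token_hex(32)
    tgt = seal(KDC_KEYS["krbtgt"], {"client": client, "key": sk, "expires": now + 36000})
    return tgt, seal(KDC_KEYS[client], {"key": sk})

def tgs_exchange(tgt_blob: bytes, auth_blob: bytes, service: str, now: float):
    """TGS: verify the TGT, then issue a service ticket for a service in its own domain."""
    tgt = unseal(KDC_KEYS["krbtgt"], tgt_blob)
    check_authenticator(bytes.fromhex(tgt["key"]), auth_blob, tgt, now)
    if service not in KDC_KEYS:
        raise LookupError("foreign service: needs a referral ticket to that domain's TGS")
    svc_sk = secrets.token_hex(32)
    ticket = seal(KDC_KEYS[service], {"client": tgt["client"], "key": svc_sk, "expires": now + 36000})
    return ticket, seal(bytes.fromhex(tgt["key"]), {"key": svc_sk})

def server_accept(service: str, ticket_blob: bytes, auth_blob: bytes, now: float) -> str:
    """Resource server: validates the ticket with its own key; no call to the KDC needed."""
    ticket = unseal(KDC_KEYS[service], ticket_blob)
    check_authenticator(bytes.fromhex(ticket["key"]), auth_blob, ticket, now)
    return ticket["client"]

def client_login(user: str, password: str, service: str, now: float) -> str:
    """Client side of the whole flow; returns the identity the server accepted."""
    tgt, rep = as_exchange(user, now)
    sk = bytes.fromhex(unseal(derive_key(password), rep)["key"])  # a wrong password fails here
    ticket, rep2 = tgs_exchange(tgt, seal(sk, {"client": user, "time": now}), service, now)
    svc_sk = bytes.fromhex(unseal(sk, rep2)["key"])
    return server_accept(service, ticket, seal(svc_sk, {"client": user, "time": now}), now)
```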

PKI

Deploying a PKI allows you to perform tasks such as:
• Digitally signing files (documents and applications)
• Securing e-mail
• Enabling secure connections between computers
• Better user authentication (smart cards)

Certificates

• Digital certificates - electronic credentials, consisting of public keys, which are used to sign and encrypt data.
• CA (Certification Authority) - issues digital certificates. CAs form a hierarchy:
  - Root CA
  - Subordinate CA
    - Intermediate CA
    - Issuing CA
  - Rudimentary CA - restricted to issuing certain certs
• Select CA Role

Certificates

• Certificate policy and practice statements - the two documents that outline how the CA and its certificates are to be used, the degree of trust that can be placed in these certificates, legal liabilities if the trust is broken, and so on.
• Certificate repositories - where certificates are stored and published (AD)
• CRL (Certificate Revocation List) - list of certificates that have been revoked before reaching their scheduled expiration date
• CTL (Certificate Trust List) - the list of the certificates you trust. If you trust a root, you trust all certs from that root.
• View issued certs from the Certificates MMC; double-click to see a cert

Certificate Server Role

• Publish certificates - the PKI administrator makes certificate templates available to clients (users, services, applications, and computers) and enables additional CAs to issue certificates.
• Enroll clients - users, services, or computers request and receive certificates from an issuing CA or a Registration Authority (RA). The CA\RA administrator or enrollment agent uses the information provided to authenticate the identity of the requester before issuing a certificate.
• Publish CRL & CTL - users need to know which certificates are revoked and which servers are trusted by their CA.
• Renew or revoke certificates

Group Policy

• Group Policy MMC
• AD Users & Computers MMC
• Select your group policy
• Edit as needed

Group Policy

• Double-click an item to edit its properties
• Properties

VPN

• Encapsulates & encrypts one packet inside another
• Server to server - connecting LANs
• Client to server - remote users & extranet

VPN Protocols

• L2TP (Layer 2 Tunneling Protocol)
  - Encrypts with IPSec
  - Works on many protocols (X.25, ATM, IP, Frame Relay)
• PPTP (Point to Point Tunneling Protocol)
  - Encrypts with MPPE (Microsoft Point to Point Encryption) - 40, 56, or 128-bit
  - Authenticates with PAP (Password Authentication Protocol), CHAP (Challenge Handshake Authentication Protocol), MS-CHAP, or EAP
  - Works only over IP

VPN Advantages

• Distance is not a concern
• More scalable - can adjust the bandwidth to use
• Less reliant on expensive modem pools

IPSec

• Modes
  - Tunnel - encrypts the header and the payload of each packet
  - Transport - encrypts the payload only. All systems must be IPSec compliant
• Authentication
  - SHA (Secure Hash Algorithm) - 160-bit, high overhead
  - MD5 (Message Digest 5) - 128-bit
• Data encryption
  - DES (Data Encryption Standard) - 56-bit
  - 3DES (Triple DES) - high processor overhead
  - AES
• IPv6 has IPSec built in

Security

• Firewalls
• IDS
• Honeypot
• Malicious code
• Wireless
• A “hardened” OS is one that has been made as secure as possible

Hardware Firewalls

• Screened host - hardware firewall filters packets & ports; a bastion host does application filtering (NAT or proxy)
• Multiple DMZ – each section has its own set of firewalls and DMZ separating it from the others
• Screened subnet/DMZ (Demilitarized Zone) – put externally accessed machines between 2 firewalls
• Screening router - filters packets & closes ports

Hardware Requirements

• Storage – large numbers of log files will be present on this computer, so there must be a large amount of storage
• Processor – this computer will be analyzing many packets
• 2 NICs – must be able to connect the outside with the inside

Software Firewalls

• Most are cumbersome to configure and control
• Inexpensive extra layer of protection
• The firewall places itself between the NIC and the TCP/IP stack
• Vendors
  - Windows Firewall (built-in)
  - Novell BorderManager (built-in)
  - Macintosh firewall (built-in)
  - Norton Internet Security
  - BlackICE
  - ZoneAlarm

Firewalls (cont.)

• Multiple firewalls can be used for load balancing

Firewalls

• Windows Firewall
• ZoneAlarm

IDS (Intrusion Detection System)

• NIDS (Network IDS) – analyzes network traffic
• HIDS (Host IDS) – analyzes traffic sent only to its host
• LIDS (Linux IDS) – open source IDS for Linux clients or servers (http://www.lids.org/)
• Looks at network or host traffic based on rules to determine whether an attack is in progress
• The IDS can be configured to respond accordingly, ex: close ports, ban IP addresses, alert admins, close shares, disable accounts, etc.
• Examples: Snort

Rules

• Rule base – the set of rules that tell the firewall or IDS what action to take when types of traffic flow through it. Should be based on the security policy

Honeypot

• A lure for a hacker
• Wastes the hacker's time
• Fake computer or network behind security barriers
• Can be analyzed to view attack methods and improve security: identify what they are after, what their skill level is, and what tools they use.

Malicious Code

• Virus - self-replicating code segment which is attached to an executable. When the program is started, the virus code may also run. If possible, the virus will replicate by attaching a copy of itself to another file. A virus may also have an additional “payload” that runs when specific conditions are met.
• Trojan horse - malicious code pretending to be a legitimate application. The user believes they are running an innocent application when the program is actually initiating its ulterior activities. Trojan horses do not replicate.
• Worm - self-replicating program that does not require a host program; it creates a copy and causes it to execute, with no user intervention required. Worms commonly utilize network services to propagate to other computer systems.
• Spyware - a program that secretly monitors your actions. It could be a remote control program used by a hacker, or it could be used to gather data about users for advertising, aggregation/research, or preliminary information for an attack. Some spyware is configured to download other programs onto the computer.

Viruses

Implement virus protection at these locations:
• Workstation – protects a single computer by scanning files from the server or e-mail messages
• Server – scans data read from or written to the server; prevents a virus on the server from spreading throughout the network
• Internet gateway – scans all Web browser, FTP, and e-mail traffic; stops viruses before they enter the network. Do not infect those checking your website

Wireless Security

• Site survey - adjust location and range so that wireless access extends only to the business borders
• Passwords should be changed, and so should WEP keys. WEP should be enabled.
• Filter MACs
• Disable SSID broadcasting

Hardening

• Remove unneeded services
• Close unused ports
• Remove unused user accounts

Preventing Data Loss

• Backup, Backup, Backup
  - Normal - copy with a reset of the archive bit
  - Incremental - copies files changed since the last full or incremental backup
  - Differential - copies files changed since the last full backup
  - Copy - copy with no reset of the archive bit
  - Daily - copies all files modified today
• Create a backup schedule
• Test backups (verify & do a test restore)
• Use a UPS (Uninterruptible Power Supply)
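The five backup types above, simulated against the archive bit (an added example, not from the slides): the file names and edit days are constructed, each backup type applies its own select-and-reset rule, and restore_plan() shows which sets a test restore has to read under the incremental and the differential strategy.

```python
"""Backup types and the archive bit, simulated. Added example; the files and
days are constructed, not taken from the slides."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class File:
    name: str
    modified_day: int
    archive: bool = True        # the OS sets this bit whenever the file is written


def touch(files: Dict[str, File], name: str, day: int) -> None:
    files[name].modified_day, files[name].archive = day, True


def backup(files: Dict[str, File], kind: str, day: int) -> List[str]:
    """Copy what the backup type selects and apply its archive-bit rule; returns the names copied."""
    if kind == "normal":            # full: everything, bit cleared
        chosen, reset = list(files.values()), True
    elif kind == "incremental":     # changed since last full or incremental: bit set; then cleared
        chosen, reset = [f for f in files.values() if f.archive], True
    elif kind == "differential":    # changed since last full: bit set; left set
        chosen, reset = [f for f in files.values() if f.archive], False
    elif kind == "copy":            # everything, bit untouched (safe ad-hoc copy)
        chosen, reset = list(files.values()), False
    elif kind == "daily":           # modified today, bit untouched
        chosen, reset = [f for f in files.values() if f.modified_day == day], False
    else:
        raise ValueError(f"unknown backup type {kind!r}")
    if reset:
        for f in chosen:
            f.archive = False
    return sorted(f.name for f in chosen)


def restore_plan(log: List[Tuple[int, str, List[str]]]) -> List[Tuple[int, str]]:
    """Sets a test restore must read: the last normal, then every later incremental, or only
    the latest later differential. Copy and daily sets are not part of the chain."""
    last_full = max(i for i, (_, kind, _) in enumerate(log) if kind == "normal")
    plan = [(log[last_full][0], "normal")]
    incrementals = [(d, k) for d, k, _ in log[last_full + 1:] if k == "incremental"]
    differentials = [(d, k) for d, k, _ in log[last_full + 1:] if k == "differential"]
    return plan + incrementals + differentials[-1:]


def run_week(strategy: str) -> List[Tuple[int, str, List[str]]]:
    """Constructed schedule: full on day 1, then edits and the chosen strategy each day."""
    files = {n: File(n, 0) for n in ("a", "b", "c")}
    log = [(1, "normal", backup(files, "normal", 1))]
    touch(files, "a", 2)
    log.append((2, strategy, backup(files, strategy, 2)))
    log.append((3, "copy", backup(files, "copy", 3)))      # ad-hoc copy; the chain is undisturbed
    touch(files, "b", 3)
    log.append((3, strategy, backup(files, strategy, 3)))
    touch(files, "a", 4)
    log.append((4, "daily", backup(files, "daily", 4)))    # daily does not clear the bit...
    log.append((4, strategy, backup(files, strategy, 4)))  # ...so the chain still picks up 'a'
    return log


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        log = run_week(strategy)
        print(strategy, [(d, k, names) for d, k, names in log])
        print("  restore needs:", restore_plan(log))
```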

Alternate Boot Methods

• Recovery Console
  - Fixmbr: replace the master boot record
  - Fixboot: write a new boot sector
  - Format: format the disk
  - Diskpart: manage disk partitions
• Last known good configuration
• Safe mode
• Safe mode with networking
• VGA mode

Other Recovery Programs

• System Restore - takes snapshots (restore points) of the system state
• Driver Rollback
• Shadow Copy

Shadow Copy

• Enabling shadow copies
• Click Settings

Shadow Copy

• Viewing shadow copies – Win2k
• Select a copy and click Restore to go back to that version
• Viewing shadow copies – WinXP

Redundancy

• RAID (Redundant Array of Inexpensive Disks)
  - 0 - striping
  - 1 - mirroring
  - 5 - striping with parity
  - 10 - 2 RAID 5 configurations mirrored
  - 0+1 - striped volumes mirrored
• Duplexing provides redundancy for the controller also
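RAID 5 striping with parity from the list above, as an added example (not from the slides) with constructed data: the stripes are written with rotating XOR parity, one disk is lost, and its contents are rebuilt from the survivors. A second simultaneous failure is not recoverable by this scheme, which is why the mirrored variants exist.

```python
"""RAID 5: stripe data across disks with rotating XOR parity, lose a disk, rebuild it.
Added example with constructed data; not from the slides."""
from typing import List, Optional


def xor_chunks(chunks: List[bytes]) -> bytes:
    out = bytearray(len(chunks[0]))
    for c in chunks:
        for i, b in enumerate(c):
            out[i] ^= b
    return bytes(out)


def raid5_write(data: bytes, n_disks: int = 4, chunk: int = 4) -> List[List[bytes]]:
    """Return per-disk chunk lists. Each stripe holds n_disks-1 data chunks plus one parity
    chunk, and the parity position rotates so no single disk becomes the parity bottleneck."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least 3 disks")
    per_stripe = chunk * (n_disks - 1)
    data += b"\0" * (-len(data) % per_stripe)          # pad to whole stripes
    disks: List[List[bytes]] = [[] for _ in range(n_disks)]
    for s in range(len(data) // per_stripe):
        stripe = data[s * per_stripe:(s + 1) * per_stripe]
        pieces = [stripe[i * chunk:(i + 1) * chunk] for i in range(n_disks - 1)]
        pieces.insert(s % n_disks, xor_chunks(pieces))   # parity chunk for this stripe
        for d, piece in enumerate(pieces):
            disks[d].append(piece)
    return disks


def raid5_rebuild(disks: List[Optional[List[bytes]]], failed: int) -> List[bytes]:
    """Recreate one lost disk: every chunk (data or parity) is the XOR of the others in its stripe."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor_chunks([d[s] for d in survivors]) for s in range(len(survivors[0]))]


def raid5_read(disks: List[List[bytes]], length: int) -> bytes:
    """Reassemble the data, skipping each stripe's parity chunk."""
    n = len(disks)
    out = b"".join(disks[d][s] for s in range(len(disks[0])) for d in range(n) if d != s % n)
    return out[:length]


def survive_one_failure(data: bytes, failed: int) -> bool:
    """Simulate losing one disk and replacing it with a rebuilt one; True if the data is intact."""
    disks = raid5_write(data)
    original = disks[failed]
    disks[failed] = None                     # the disk is gone
    disks[failed] = raid5_rebuild(disks, failed)
    return disks[failed] == original and raid5_read(disks, len(data)) == data


if __name__ == "__main__":
    sample = b"RAID 5 keeps parity so a single failed disk can be rebuilt"
    print([survive_one_failure(sample, f) for f in range(4)])
```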

Intellimirror

• Push software to users or computers
  - Assigning
  - Publishing (only for users, not computers)
• Protect system files from damage
• Mandatory & roaming profiles
• Not present in NT

Published Applications

UPS (Uninterruptible Power Supply)

• Capabilities
  - Power conditioning - cleans power, removing noise
  - Surge protection - protects the computer from sags and spikes
• Categories
  - Stand-by – must switch from wall to battery power
  - Online – continually supplies power through the battery; no switching. Wall power recharges the battery continually

Auditing

• Records certain actions for security and troubleshooting
  - Failed access
  - Granted access
• Use auditing sparingly – it uses resources, and more is harder to utilize effectively