
CIS288 WEEK 10, PART 2: Securing Network Clients

Slide 1

Introduction

Welcome to week 10 of C-I-S 288: Security Design in a Windows 2003 Environment. In the previous lesson we discussed securing network resources. In this lesson we will discuss securing network clients. Next Slide:

Slide 2

Objectives

When you complete this lesson you will be able to: Design a strategy for securing client computers; Design a strategy for hardening client operating systems; Design a client authentication strategy; Analyze authentication requirements; Establish account and security requirements; Design a security strategy for client remote access; Design remote access policies; Design access to internal resources; And Design an authentication provider and accounting strategy for remote network access by using Internet Authentication Service, or I-A-S. Next Slide:

Slide 3

Securing Client Computers

While the M-C-S-E Core Four exams focus a great deal of attention on securing the server operating system, services, and processes, most network administrators will tell you that securing end-user desktops presents a far greater challenge in a real-world network. Servers exist in a tightly controlled environment: software is installed and updated only under well-controlled conditions, and only after thorough testing. Moreover, security patches and updates for server services often receive more visibility and attention from vendors and security watchdogs alike. Securing network clients is a critical process, if for no other reason than that your network clients outnumber your servers ten, one hundred, or even one thousand to one. Staying abreast of new vulnerabilities in your client computers and patching them in a timely and efficient manner can mean the difference between a well-secured network and a Code Red infestation waiting to happen. Next Slide:

Slide 4

Hardening Client Operating Systems

When you receive a new workstation from a major manufacturer, you'll often find that the operating system has been installed in an insecure fashion. Often, a vendor will create a default operating system installation designed to make a new computer easy to use and navigate for an inexperienced user; however, this can have major ramifications for the security of the newly installed computer. Hardening client operating systems is a critical first step in safeguarding your client computers from internal or external intrusion and attackers. At a minimum, this involves the removal of any nonessential tools, utilities, services, or other administrative options that an attacker could exploit to gain access to your systems. The hardening process also ensures that all necessary security features have been activated and configured correctly for the administrative and nonadministrative user accounts used to gain access to the client system, rather than simply handing everyone an Administrator account. Next Slide:

Slide 5

Enabling Patch Management

As part of the Trustworthy Computing initiative, Microsoft has attempted to streamline the patch management and installation process using both built-in functionality within Windows Server 2003 and freely available services and add-ons. The first step in effective patch management is obviously the ability to know that a patch is necessary and available. The Security Bulletin Notification Service provides e-mail bulletins whenever a security vulnerability in a Microsoft product has been reported and confirmed, usually along with information on how to obtain the necessary update or otherwise reconfigure vulnerable systems. The notification service classifies security vulnerabilities into one of four severity ratings, as shown on this slide: Critical, Important, Moderate, and Low. By remaining alert to the presence of security updates and patches, you can then define processes to distribute the necessary software updates to all of your network clients. Next Slide:
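As an added example that is not part of the lecture or of any Microsoft tool, the following PowerShell script checks the two things an administrator wants to know about a client's patch state: whether Automatic Updates is configured by policy to pull from an internal update server, and which of the updates required by the bulletins you act on are not yet installed. It assumes PowerShell 2.0 or later for Get-HotFix; the registry values it reads are the ones the Windows Update Group Policy writes, and the KB numbers in $requiredUpdates are constructed placeholders.

```powershell
# Added example, not from the lecture: report a client's Automatic Updates policy
# and any required updates that are not installed. Requires PowerShell 2.0+ (Get-HotFix).

function Get-AutoUpdatePolicy {
    # Values written by the "Configure Automatic Updates" and
    # "Specify intranet Microsoft update service location" policies.
    $au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $modes = @{ 2 = 'Notify before download'
                3 = 'Auto download, notify to install'
                4 = 'Auto download and schedule install'
                5 = 'Allow local admin to choose' }

    $auOptions = (Get-ItemProperty -Path $au -Name AUOptions    -ErrorAction SilentlyContinue).AUOptions
    $noAuto    = (Get-ItemProperty -Path $au -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate
    $useWsus   = (Get-ItemProperty -Path $au -Name UseWUServer  -ErrorAction SilentlyContinue).UseWUServer
    $server    = (Get-ItemProperty -Path $wu -Name WUServer     -ErrorAction SilentlyContinue).WUServer

    $mode = 'Not set by policy'
    if ($auOptions -ne $null -and $modes.ContainsKey([int]$auOptions)) { $mode = $modes[[int]$auOptions] }

    New-Object PSObject -Property @{
        AutomaticUpdatesEnabled = ($noAuto -ne 1)
        Mode                    = $mode
        InternalUpdateServer    = $(if ($useWsus -eq 1 -and $server) { $server } else { 'none (Microsoft Update direct)' })
    }
}

function Get-MissingHotfix([string[]]$Required) {
    # Get-HotFix wraps Win32_QuickFixEngineering; HotFixID looks like "KB123456".
    $installed = @(Get-HotFix | ForEach-Object { $_.HotFixID.ToUpper() })
    $Required | Where-Object { $installed -notcontains $_.ToUpper() }
}

# Constructed placeholder list; populate it from the security bulletins you act on.
$requiredUpdates = @('KB0000001', 'KB0000002')

Get-AutoUpdatePolicy | Format-List
$missing = @(Get-MissingHotfix -Required $requiredUpdates)
if ($missing.Count -gt 0) {
    Write-Warning ('Missing required updates: ' + ($missing -join ', '))
} else {
    Write-Output 'All required updates are installed.'
}
```

Run it under an account that can read HKLM and the QFE data; a client that reports "none (Microsoft Update direct)" with Automatic Updates disabled is one that your distribution process is not reaching.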

Slide 6

Restricting User Access to Operating System Features

As mentioned previously when talking about hardening client operating systems, the default installation of an operating system sometimes gives users more control over their desktop than you, the administrator, would really like. Windows Server 2003 makes it a relatively simple matter to lock down operating system features using Group Policy Objects; the settings below live under User Configuration, Administrative Templates, and apply to every user in the scope of the G-P-O. You can restrict access to items such as the command prompt, the Run line, and Control Panel. Here are other operating system features that you can restrict through group policies: Hide all icons on the desktop; Don't save settings at exit; Hide specified drives in My Computer; Prohibit users from using the Display icon in Control Panel; Disable and remove links to Windows Update; Disable changes to Taskbar and Start Menu settings; Disable or remove the Shut Down command; Hide the My Network Places icon; Remove the Map Network Drive and Disconnect Network Drive commands; And Disable Internet Options in Internet Explorer. Keep in mind that these settings restrict the Explorer shell and the built-in tools, not the user's underlying rights: pair them with nonadministrative accounts and Software Restriction Policies, or a user who can run an alternative shell or tool simply bypasses them. Next Slide:
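As an added example, not part of the lecture, the following PowerShell script audits which of the restrictions listed above are actually in force for the logged-on user. The policies are enforced by Explorer, cmd.exe and Internet Explorer reading registry values under the user's hive, so the script reads those same values; the value names and locations are taken from the Windows 2003 Administrative Template definitions and are assumed to match the policy names given. Run it as the user being audited, after a gpupdate, on PowerShell 2.0 or later.

```powershell
# Added example, not from the lecture: audit which of the listed Group Policy
# restrictions are in force for the current user by reading the registry values the
# policies set (User Configuration, Administrative Templates). Run as the user being
# audited, after "gpupdate /target:user". PowerShell 2.0 or later.

$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$cmdShell = 'HKCU:\Software\Policies\Microsoft\Windows\System'
$ie       = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions'

# Policy name as it appears in the Group Policy editor, and the value it writes.
$checks = @(
    @{ Policy = 'Prevent access to the command prompt';                       Path = $cmdShell; Name = 'DisableCMD' }
    @{ Policy = 'Remove Run menu from Start Menu';                            Path = $explorer; Name = 'NoRun' }
    @{ Policy = 'Prohibit access to Control Panel';                           Path = $explorer; Name = 'NoControlPanel' }
    @{ Policy = 'Hide and disable all items on the desktop';                  Path = $explorer; Name = 'NoDesktop' }
    @{ Policy = "Don't save settings at exit";                                Path = $explorer; Name = 'NoSaveSettings' }
    @{ Policy = 'Hide these specified drives in My Computer';                 Path = $explorer; Name = 'NoDrives' }
    @{ Policy = 'Remove Display in Control Panel';                            Path = $system;   Name = 'NoDispCPL' }
    @{ Policy = 'Remove links and access to Windows Update';                  Path = $explorer; Name = 'NoWindowsUpdate' }
    @{ Policy = 'Prevent changes to Taskbar and Start Menu Settings';         Path = $explorer; Name = 'NoSetTaskbar' }
    @{ Policy = 'Remove and prevent access to the Shut Down command';         Path = $explorer; Name = 'NoClose' }
    @{ Policy = 'Hide My Network Places icon on desktop';                     Path = $explorer; Name = 'NoNetHood' }
    @{ Policy = 'Remove "Map Network Drive" and "Disconnect Network Drive"';  Path = $explorer; Name = 'NoNetConnectDisconnect' }
    @{ Policy = 'Disable the Internet Options... menu option';                Path = $ie;       Name = 'NoBrowserOptions' }
)

function ConvertTo-HiddenDriveList([int]$Mask) {
    # NoDrives is a bitmask: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:
    $letters = 0..25 | Where-Object { ($Mask -band [int][math]::Pow(2, $_)) -ne 0 } |
               ForEach-Object { '{0}:' -f [char](65 + $_) }
    $letters -join ' '
}

function Get-PolicyRestrictionStatus {
    foreach ($c in $checks) {
        $value  = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        $detail = ''
        if ($c.Name -eq 'NoDrives' -and $value)      { $detail = 'hidden: ' + (ConvertTo-HiddenDriveList $value) }
        if ($c.Name -eq 'DisableCMD' -and $value -eq 2) { $detail = 'batch files still allowed' }
        New-Object PSObject -Property @{
            Policy   = $c.Policy
            Enforced = ($value -ne $null -and $value -ne 0)
            Detail   = $detail
        }
    }
}

Get-PolicyRestrictionStatus | Sort-Object Enforced -Descending | Format-Table Policy, Enforced, Detail -AutoSize
```

A policy that shows as not enforced after gpupdate usually means the user is outside the G-P-O's scope or the setting was placed under Computer Configuration by mistake; these particular templates only exist on the User side.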

Slide 7

Designing a Client Authentication Strategy

Any network security design needs a client logon strategy that addresses three topics: authentication, authorization, and accounting. This A-A-A model is an Internet standard framework for controlling the various types of network access by end users. Put simply, authentication is concerned with determining that a user is who he or she claims to be. Authorization focuses on what a user is permitted to do once he or she has passed the authentication stage, and accounting, or auditing, tracks who did what to a network file, service, or other resource. Windows Server 2003 addresses all three facets: Kerberos and N-T-L-M authenticate domain users, access control lists and group membership authorize what they may do, and the audit policy and the Security event log account for what they did. For remote connections the same three functions are provided by Routing and Remote Access together with I-A-S, which we discuss next. Next Slide:

Slide 8

Designing a Secure Remote Access Plan

When designing a network, most modern corporations will need to include some means of remote access for traveling and telecommuting members of their workforce. There are two general options to choose from when designing a remote access solution for your network. The first option is a direct-dial remote access server that's running the Routing and Remote Access service with a modem, a bank of modems, or a dedicated WAN connection physically attached to the server. The second option is V-P-N connections. V-P-N design should call for the most secure encryption that your R-A-S clients will be able to support. Since V-P-N traffic traverses the Internet, you need to mandate the strongest level of encryption possible to ensure the confidentiality and integrity of your data and of your users' account and password information. In Windows Server 2003 terms that means L2TP/IPsec where the clients support it, otherwise P-P-T-P with M-S-CHAP v2 and 128-bit M-P-P-E, and configuring the server to refuse P-A-P, CHAP, and M-S-CHAP v1, which send the password in the clear or let it be cracked offline from a capture. Next Slide:

Slide 9

Designing Remote Access Policies

You can use remote access policies to verify any number of settings both before and after a R-A-S client is allowed to connect to your corporate network. When planning your remote access policy strategy, you can use one of the following three approaches: Common policy, where you create a single common policy that acts as a universal connection template for anyone connecting using a particular access method; Default policy, which grants remote access to any user with a valid Active Directory account whose dial-in permission allows it; And Custom policy, which allows you to specify a more detailed configuration for a particular access method. Whichever approach you choose, each policy has three parts: the conditions a connection attempt must match, the permission to grant or deny access, and a profile of constraints applied to the connection, such as the allowed authentication methods, the required encryption strength, IP packet filters, and session timeouts. Next Slide:

Slide 10

Providing Access to Internal Network Resources

Once you've granted access to your network through any of the remote access methods, you'll need to provide your users the ability to connect to the actual resources and data contained within your network. Perhaps the most convenient feature of remote access in Windows Server 2003 is that your clients, once granted access, use standard tools and interfaces to connect to internal network resources. Any service that is available to a user connected via the LAN is made available to R-A-S clients by way of the R-A-S authentication and logon process, subject to whatever IP packet filters and other constraints you placed in the remote access policy profile. Next Slide:

Slide 11

Using Internet Authentication Service

Beginning as early as the Option Pack add-on for N-T four-point-zero, Microsoft has offered I-A-S as a RADIUS server. The release of I-A-S included in Windows Server 2003 expands and improves the existing I-A-S functionality, and includes connection options for wireless clients, support for authenticating switches and wireless access points through 802.1X, and the ability to act as a RADIUS proxy that relays requests to remote RADIUS servers. The RADIUS support provided by the I-A-S service is a popular way to administer remote user access to an enterprise network. For example, you can instruct your users to dial a local telephone number for a regional I-S-P, and then authenticate against your I-A-S server through a V-P-N client; the V-P-N server acts as the RADIUS client, forwards the credentials to I-A-S, and I-A-S evaluates them against Active Directory and your remote access policies. Next Slide:
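As an added example, not from the lecture or from I-A-S itself, the following PowerShell script walks through one RADIUS exchange of the kind the V-P-N server and I-A-S perform: it builds an Access-Request carrying a PAP password hidden with the shared secret, builds the server's Access-Accept, and verifies the Response Authenticator the way the RADIUS client must before trusting the verdict. It follows RFC 2865 and needs only the .NET Framework; the user name, password, shared secret and port type are constructed values, and nothing is sent on the network.

```powershell
# Added example, not from the lecture or from I-A-S: one RADIUS Access-Request /
# Access-Accept exchange (RFC 2865) between a NAS (the VPN server as RADIUS client)
# and a RADIUS server such as I-A-S, showing PAP password hiding and the Response
# Authenticator check. All names, secrets and passwords are constructed; nothing is sent.

$md5   = [System.Security.Cryptography.MD5]::Create()
$ascii = [System.Text.Encoding]::ASCII

function New-RadiusAttribute([byte]$Type, [byte[]]$Value) {
    # Attribute layout: Type (1 byte), Length (1 byte, header included), Value
    ,([byte[]](@($Type, [byte]($Value.Length + 2)) + $Value))
}

function Protect-PapPassword([string]$Password, [string]$Secret, [byte[]]$Authenticator) {
    # RFC 2865 section 5.2: pad the password with NULs to a multiple of 16 bytes, then
    # for each block c(i) = p(i) XOR MD5(secret + c(i-1)), with c(0) = Request Authenticator.
    $p      = $ascii.GetBytes($Password)
    $len    = [int][math]::Max(16, [math]::Ceiling($p.Length / 16) * 16)
    $padded = New-Object byte[] $len
    [array]::Copy($p, $padded, $p.Length)
    $s = $ascii.GetBytes($Secret); $out = New-Object byte[] $len; $prev = $Authenticator
    for ($i = 0; $i -lt $len; $i += 16) {
        $b = $md5.ComputeHash([byte[]]($s + $prev))
        for ($j = 0; $j -lt 16; $j++) { $out[$i + $j] = $padded[$i + $j] -bxor $b[$j] }
        $prev = [byte[]]$out[$i..($i + 15)]
    }
    ,$out
}

function Unprotect-PapPassword([byte[]]$Hidden, [string]$Secret, [byte[]]$Authenticator) {
    # The server's side of the same operation; anyone holding the secret and a capture can do this.
    $s = $ascii.GetBytes($Secret); $out = New-Object byte[] $Hidden.Length; $prev = $Authenticator
    for ($i = 0; $i -lt $Hidden.Length; $i += 16) {
        $b = $md5.ComputeHash([byte[]]($s + $prev))
        for ($j = 0; $j -lt 16; $j++) { $out[$i + $j] = $Hidden[$i + $j] -bxor $b[$j] }
        $prev = [byte[]]$Hidden[$i..($i + 15)]
    }
    $ascii.GetString($out).TrimEnd([char]0)
}

function Get-ResponseAuthenticator([byte]$Code, [byte]$Id, [byte[]]$RequestAuth, [byte[]]$Attributes, [string]$Secret) {
    # ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    $len = 20 + $Attributes.Length
    ,$md5.ComputeHash([byte[]](@($Code, $Id, [byte][math]::Floor($len / 256), [byte]($len % 256)) +
                                $RequestAuth + $Attributes + $ascii.GetBytes($Secret)))
}

function New-AccessRequest([byte]$Id, [byte[]]$RequestAuth, [string]$User, [string]$Password, [string]$Secret) {
    # Code 1 = Access-Request; Length is 2 bytes big-endian; NAS-Port-Type 5 = Virtual (VPN)
    $attrs = [byte[]]((New-RadiusAttribute 1 ($ascii.GetBytes($User))) +
                      (New-RadiusAttribute 2 (Protect-PapPassword $Password $Secret $RequestAuth)) +
                      (New-RadiusAttribute 61 ([byte[]]@(0, 0, 0, 5))))
    $len = 20 + $attrs.Length
    ,([byte[]](@(1, $Id, [byte][math]::Floor($len / 256), [byte]($len % 256)) + $RequestAuth + $attrs))
}

function New-AccessAccept([byte]$Id, [byte[]]$RequestAuth, [string]$Secret) {
    # The server's reply: Code 2 = Access-Accept, no attributes, Length 20
    $auth = Get-ResponseAuthenticator 2 $Id $RequestAuth ([byte[]]@()) $Secret
    ,([byte[]](@(2, $Id, 0, 20) + $auth))
}

function Test-AccessAccept([byte[]]$Reply, [byte[]]$RequestAuth, [string]$Secret) {
    # The NAS must verify the Response Authenticator before trusting the verdict: a reply
    # forged without the secret, or one copied from a different request, fails here.
    if ($Reply.Length -lt 20) { return $false }
    $attrs = [byte[]]@()
    if ($Reply.Length -gt 20) { $attrs = [byte[]]$Reply[20..($Reply.Length - 1)] }
    $expected = Get-ResponseAuthenticator $Reply[0] $Reply[1] $RequestAuth $attrs $Secret
    ($Reply[0] -eq 2) -and ([BitConverter]::ToString($expected) -eq [BitConverter]::ToString([byte[]]$Reply[4..19]))
}

# --- Constructed exchange ---
$secret      = 'constructed-shared-secret'
$requestAuth = New-Object byte[] 16
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($requestAuth)

$request = New-AccessRequest 7 $requestAuth 'alice' 'correct horse battery' $secret
Write-Output ('Access-Request (' + $request.Length + ' bytes): ' + [BitConverter]::ToString($request))

$reply  = New-AccessAccept 7 $requestAuth $secret            # genuine I-A-S reply, same secret
$forged = New-AccessAccept 7 $requestAuth 'guessed-secret'   # attacker without the secret
Write-Output ('Genuine reply verifies: ' + (Test-AccessAccept $reply  $requestAuth $secret))
Write-Output ('Forged reply verifies:  ' + (Test-AccessAccept $forged $requestAuth $secret))

# A capture plus the shared secret hands the PAP password back: skip the 20-byte header,
# the 7-byte User-Name and the 2-byte User-Password header; drop the 6-byte NAS-Port-Type.
$hidden = [byte[]]$request[(20 + 7 + 2)..($request.Length - 7)]
Write-Output ('Recovered from capture with the secret: ' + (Unprotect-PapPassword $hidden $secret $requestAuth))
```

Two design points follow from the exchange. The only thing standing between an attacker on the I-S-P path and a forged Access-Accept or a recovered password is the shared secret, so give each RADIUS client its own long random secret rather than one short word reused across every V-P-N server. And the password hiding above is reversible obfuscation, not encryption, so prefer M-S-CHAP v2 or E-A-P over PAP as the user authentication method whenever the clients allow it.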

Slide 12

Summary

We have reached the end of this lesson. Let's take a look at what we have covered. Discussed first was the strategy for securing client computers. Securing network clients is a critical process. Staying abreast of new vulnerabilities in your client computers and patching them in a timely and efficient manner can mean the difference between a well-secured network and a Code Red infestation waiting to happen. Hardening client operating systems is a critical step in safeguarding your client computers from internal or external intrusion and attackers. Next we discussed client authentication strategy. Any network security design needs a client logon strategy that addresses three topics: authentication, authorization, and accounting. This A-A-A model is an Internet standard framework for controlling the various types of network access by end users. We concluded the lesson with a discussion of the strategy for client remote access. There are two general options to choose from when designing a remote access solution for your network. The first option is a direct-dial remote access server that's running the Routing and Remote Access service with a modem, a bank of modems, or a dedicated WAN connection physically attached to the server. The second option is V-P-N connections. V-P-N design should call for the most secure encryption that your R-A-S clients will be able to support.
