Thomas W. Shinder

MCSA/MCSE 70-290: Overview of Windows Server 2003

This chapter provides important background information that is necessary to understand what Windows Server 2003 is. It describes what Windows Server does, and how it works. It discusses the NT operating system (OS) family tree in order to fully appreciate the features and capabilities of Microsofts new server operating system. It is noted that the Windows Server 2003 is based on the same operating system kernel as Windows NT. The chapter also discusses the important concepts on which a Microsoft enterprise-level network is essentially built. Windows Server 2003 brings many new features and improvements that make the network administrators job easier. Furthermore, the chapter briefly summarizes whats new in Windows Server 2003, and introduces to the four members of the Windows Server 2003 family—namely, the Web Edition, the Standard Edition, the Enterprise Edition, and the Datacenter Edition. Licensing issues and other issues encountered while installing the new OS or upgrading from Windows 2000 are also explored.

MCSA/MCSE 70-290

This chapter provides important background information that is necessary to understand what Windows Server 2003 is. It describes what Windows Server does, and how it works. It discusses the NT operating system (OS) family tree in order to fully appreciate the features and capabilities of Microsofts new server operating system. It is noted that the Windows Server 2003 is based on the same operating system kernel as Windows NT. The chapter also discusses the important concepts on which a Microsoft enterprise-level network is essentially built. Windows Server 2003 brings many new features and improvements that make the network administrators job easier. Furthermore, the chapter briefly summarizes whats new in Windows Server 2003, and introduces to the four members of the Windows Server 2003 family—namely, the Web Edition, the Standard Edition, the Enterprise Edition, and the Datacenter Edition. Licensing issues and other issues encountered while installing the new OS or upgrading from Windows 2000 are also explored.

Firewall and DMZ Design: Check Point NG

Publisher Summary This chapter reviews the basics of Check Point NG FireWall-1/VPN (virtual private network)-1 to give a solid understanding about firewalls operating process and features. Check Point NG FireWall-1/VPN-1 is a full-featured firewall that runs on a variety of platforms including Sun Solaris, Microsoft Windows NT/2000, and dedicated appliances manufactured by Nokia and Check Point. A key component of any security policy is a well-designed demilitarized zone (DMZ). Because hosts in the DMZ are externally accessible over the Internet, DMZs design can make or break the overall security of network because the DMZ can be the entry point for malicious-minded individuals into the network. FireWall-1/VPN-1 also has significant VPN capability for both site-to-site and user-to-site configurations. Site-to-site VPN is interoperable with products from all other major firewall vendors. For user VPN access, two varieties of VPN client—SeculKemote and SecureClient— are available with the latter providing personal firewall functionality in addition to the standard VPN features of SeculKemote.

Firewall and DMZ Design

Publisher Summary This chapter reviews the basics of Check Point NG FireWall-1/VPN (virtual private network)-1 to give a solid understanding about firewalls operating process and features. Check Point NG FireWall-1/VPN-1 is a full-featured firewall that runs on a variety of platforms including Sun Solaris, Microsoft Windows NT/2000, and dedicated appliances manufactured by Nokia and Check Point. A key component of any security policy is a well-designed demilitarized zone (DMZ). Because hosts in the DMZ are externally accessible over the Internet, DMZs design can make or break the overall security of network because the DMZ can be the entry point for malicious-minded individuals into the network. FireWall-1/VPN-1 also has significant VPN capability for both site-to-site and user-to-site configurations. Site-to-site VPN is interoperable with products from all other major firewall vendors. For user VPN access, two varieties of VPN client—SeculKemote and SecureClient— are available with the latter providing personal firewall functionality in addition to the standard VPN features of SeculKemote.

Implementing Secure Wireless Networks

This chapter provides an understanding of implementation of secure wireless networks. Wireless local area networking is not exactly a new technology, but it has gained rapid acceptance in the past two years and is in wide use now with new deployments being set up every day. Wireless networking provides a new era of data connectivity unmatched by cabled networks. Increases in the speed of deployment, access to data, and scalability mean that the needs of specific user communities can be addressed in ways that were unavailable to network architects a few years ago. New streams of end-user applications and services are being developed to provide businesses and consumers alike with advanced data access and manipulation. Wireless technologies provide the greatest flexibility of design, integration, and deployment of any networking solution available. With only transceivers to install in the local station and a wireless hub or access point to be configured for local access, it is simple to retrofit wireless networking within existing structures or create access services that traditional networking infrastructures are not capable of addressing.

Advanced Security Template and Group Policy Issues

This chapter provides an understanding of advanced security templates and sheds light on the group policy issues. The chapter begins with an explanation of the process of troubleshooting security template problems. The considerations include group policy, upgraded operating systems, and mixed client-computer operating systems. Different server functions require different security solutions, and this chapter presents some of the most common server implementations that a person can expect to find in his/her network. Following this, the chapter addresses some additional topics associated with using security templates. It also examines troubleshooting issues associated with security template deployments. Difficulty in deploying security templates are usually traced to one of two common problems—upgrade installations or legacy clients. The chapter examines both these tools. The chapter also examines the tools with which one can perform troubleshooting of security template deployment. Subsequently, the chapter deals with the process of configuring server message block (SMB) traffic for security. Configuring secure SMB communications can help prevent the impersonation of clients and servers, but it has some disadvantages associated with it as well. The chapter examines the process and the particulars associated with securing SMB traffic on ones network.

Configuring and Troubleshooting Windows IP Security

This chapter focuses on protecting the integrity and confidentiality of information while it is in transit across a network. An extremely important aspect of todays network administrator is the protection of sensitive data as it travels across a network. Todays networks are very different from the isolated NETBIOS extended user interface networks of yesteryear. Most likely, a network is connected to other networks, including the global Internet, by way of dedicated leased lines or ones organizational remote access server. Some workstations on the LAN might even have their own link to the outside via a modem and phone line. Each of these points of access represents an ever-increasing security risk. Effective network security standards are the sum total of a well-planned and carefully implemented security infrastructure. These measures include hardware security, file and folder access controls, strong passwords, smart cards, social security, physical sequestration of servers, file encryption, and protection of data as it moves across the wire within the organizational intranet and as it moves outside the organization. The chapter also discusses the basics of cryptography and describes how these basic tasks function within the framework of Microsofts implementation of the industry-standard Internet protocol security (IPSec). Finally, the chapter considers the specifics of implementing IPSec in ones network.

Configuring Secure Network and Internet Authentication Methods

This chapter examines the concept of authentication, ensuring that users and servers are who they claim to be. Anonymous authentication directs all user access attempts at a Web site toward one specially configured domain user account that has limited permissions. Basic authentication provides more control such as what Web site users can and cannot do but transmits credentials in encoded plaintext across the Internet. Windows 2000 provides fairly robust Web authentication methods including anonymous and basic authentication as well as more advanced methods such as digest authentication, integrated Windows authentication, and client certificate mapping. Each of these Web authentication methods is described in detail in this chapter, discussing the strengths and weaknesses of each as well as how to configure and implement them. This chapter also examines the concept of Kerberos trusts and how they are implemented between domains in Windows 2000, demonstrating that Kerberos provides a more secure and robust solution for creating trusts among domains with its default of two-way transitive trusts.

Configuring and Troubleshooting Remote Access and VPN Authentication

This chapter discusses the methods to provide secure connectivity to remote users. The tools and services included with the Windows 2000 operating system not only provide a wide range of connectivity methods but also give administrators a high degree of control and flexibility. These solutions range from the use of new authentication methods and secure dial-up procedures to the latest in strong encryption protocols and Internet Protocol security. The two services discussed in this chapter are the remote access service and virtual private networks, both of which are included as a part of the routing and remote access service (RRAS) of the Windows 2000 operating system. Although on the surface these services might seem completely different types of remote access mechanism, they are very closely integrated in the RRAS and can be used in combination to provide secure, flexible remote access solutions for virtually every need.

Responding to and Recovering from Security Breaches

This chapter discusses the actual security incidents and describes how to respond to them. Microsoft is not only the leading provider of services worldwide but also the most exploited as well. One of the biggest issues for security infrastructures is the fact that not a great deal of effort is put into the possibility that there could be a problem. Ones role as a security analyst is to truly look at these possible problems and attack them head-on, one by one, in a process of identification and elimination, so that the problems can be minimized before they occur. On a Microsoft-based network, one should think of a top 10 incident prevention list. The list includes the items such as creating policies that are written down and backed by management; testing everything; auditing and assessing the network, systems, and staff on a constant basis; verifying backup and restoring solution; implementing defense in depth; implementing change management solutions; security training as the key to continuing excellence; conducting an independent audit; building an incident response plan; and creating a computer security incident response team, which is a group of people or a team responsible for dealing with any security incident. The list aids in minimizing the impact, damage, and stress caused by any security incident that occurs.