98-367 Chapter Six

Chapter 6: Protecting Clients and Servers

Topics Covered:

  • Understanding User Account Control
  • Keeping Systems updated
  • Protecting clients
  • Protecting servers
  • Exploring DNS security issues

Clients and servers share some common protection techniques, but they have different roles.

Understanding User Account Control

UAC provides protection by separating the privileges needed for administrative tasks from those needed for standard tasks.
When a user logs into an admin account they are assigned two tokens, one for regular activities and another for admin tasks.
When the admin token is used a UAC prompt will appear. The admin token is only used for the single approved task to prevent
misuse.

Understanding the Dimmed Desktop

When UAC prompts, it “dims” the desktop. While the desktop is dimmed, application activity is suspended to prevent
malware from triggering and responding to the UAC request.

Modifying User Account Control

UAC settings can be changed in Control Panel.

  • Always notify me when: notify when a program tries to install software or make changes. Recommended if you install
    lots of new software

  • Notify Me Only When Programs Try to Make Changes to My Computer (Default): notified only when changes are being made
    that require administrator permissions.

  • Notify Me Only When Programs Try To Make Changes To My Computer (Do Not Dim My Desktop): Same as default, only no dimming,
    which is good for older systems with lower resources; however, not recommended due to security implications.

  • Never Notify Me When: This setting turns off UAC, really only for older applications that don't work with UAC. This weakens overall
    security and is really not recommended at all.

Keeping Systems Updated

Process of discovery and resolution of security flaws:

  1. Flaw Discovered
  2. Vendor Notified
  3. Vendor Develops and Tests Solution
  4. Vendor Makes Update Available
  5. Updates Downloaded and Installed

Released updates can be reverse engineered, so it is important to actually download and apply patches.

Updating Systems with Automatic Updates

Updates can be downloaded and installed in a scheduled and automated way if configured to do so.

3 Update Categories:

  • Important: Impacts security, privacy and stability (recommended to install automatically)
  • Recommended: Addresses non critical problems, can enhance experience with windows or software
  • Optional: Drivers, New Software etc

4 Update Settings:

  • Install Updates Automatically (Recommended): Automatically downloaded and installed based on the schedule, used in
    most organizations.
  • Download Them But Let Me Choose Whether To Install Them: If you want to know exactly when updates are installed, you
    can use this option. You’re notified when updates have been downloaded and are ready for installation
  • Check For Updates But Let Me Choose Whether To Download and Install Them: what the title says
  • Never Check For Updates: Not Recommended

Updating Systems with WSUS or SCCM

Vendors test updates, but not with all possible hardware and software configurations. Tools allow
administrators to control the flow of updates to allow testing etc.

  • Windows Server Update Services (WSUS): Free download, can be installed to server and used to manage updates to clients
  • System Center Configuration Manager (SCCM) is an add-on product, not free and does more than WSUS. Can schedule when
    updates are deployed to clients.

SCCM has extra features but basic functionality is the same.

Using Group Policy to Configure Clients

Group Policy can be used to define update settings such as automatic update settings.

Protecting Clients

Client issue examples:

  • Offline folders (how to encrypt)
  • Prevent running unauthorized applications (software restriction policies)

Understanding Offline Folders

Offline folders allow a user to have access to shared data while disconnected from the network. When a system reconnects
it resynchronizes, and users are notified in the event of merge conflicts. Offline settings can also set files as read only.

Encrypting Offline Folders

When a user accesses a file encrypted with EFS it is decrypted, which is fine on the local machine, but over a network it means data is sent to the client
unencrypted. Decrypted versions of the file are also cached. Offline folders can be encrypted to prevent unencrypted data from being stored.

Using Software-Restriction Policies

Create policies for what software can be run

  • Disallowed (whitelist): Blocks all software from running except for exceptions in the additional rules section. Use case: Kiosk
  • Basic User: Only allow programs that need basic user rights to run
  • Unrestricted (blacklist): Default rule, allows all software to run as long as user has permissions. Only blocks explicitly defined software.

AppLocker is similar to group restriction policies but allows control of what programs can be run based on group membership. AppLocker only works with Vista and
Windows 7.

Software-Restriction Policy Additional Rules:

  • Path: Blocks an application from the defined path from running, includes subfolders or can just specify full path to executable.
  • Network Zone: Internet, Local Computer, Local Intranet, Restricted Sites and Trusted Sites. Can set what is allowed to run based on these.
  • Certificate: Digitally Signed applications can be run if cert is allowed, applications must be signed
  • Hash: If a file matches the defined hash it is not allowed to run; useful because name and path do not matter.
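
The difference between a path rule and a hash rule, and between the Disallowed and Unrestricted defaults, is easier to see when evaluated. The following is an added example, not part of the original notes or of Windows itself: a simplified model in which hash rules are checked before path rules and the longest matching path wins. SHA-256, the file paths and the sample bytes are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Rule:
    kind: str    # "path" or "hash"
    value: str   # folder or full file path, or SHA-256 hex digest (assumed algorithm)
    level: str   # "Disallowed" or "Unrestricted"

def _norm(p):
    # Windows paths are case-insensitive; normalise separators too.
    return p.lower().replace("/", "\\").rstrip("\\")

def decide(path, content, rules, default):
    """Return the security level applied to one launch attempt."""
    digest = hashlib.sha256(content).hexdigest()
    # A hash rule identifies the file itself, so it is checked first.
    for r in rules:
        if r.kind == "hash" and r.value.lower() == digest:
            return r.level
    # A path rule covers a folder (with subfolders) or one exact file;
    # the longest matching path is treated as the most specific.
    target, best = _norm(path), None
    for r in rules:
        if r.kind != "path":
            continue
        p = _norm(r.value)
        if (target == p or target.startswith(p + "\\")) and (
                best is None or len(p) > len(_norm(best.value))):
            best = r
    return best.level if best else default

def demo():
    blob = b"constructed stand-in for an executable's bytes"
    by_path = [Rule("path", r"C:\Tools\game.exe", "Disallowed")]
    by_hash = [Rule("hash", hashlib.sha256(blob).hexdigest(), "Disallowed")]
    kiosk = [Rule("path", r"C:\Kiosk", "Unrestricted")]
    renamed = r"C:\Users\Public\notes.exe"   # same bytes, new name and folder
    return {
        "path rule, original location": decide(r"C:\Tools\game.exe", blob, by_path, "Unrestricted"),
        "path rule, renamed copy": decide(renamed, blob, by_path, "Unrestricted"),
        "hash rule, renamed copy": decide(renamed, blob, by_hash, "Unrestricted"),
        "kiosk, approved folder": decide(r"C:\Kiosk\bin\browser.exe", blob, kiosk, "Disallowed"),
        "kiosk, anything else": decide(renamed, blob, kiosk, "Disallowed"),
    }

if __name__ == "__main__":
    for case, level in demo().items():
        print(f"{case}: {level}")
```
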

Protecting Servers

Using Separate VLANs

A VLAN is a managed LAN that can be created on a Layer 3 switch. It provides security and increased performance by segregating the network.
This limits broadcast traffic from servers, which is more secure and also improves network performance.

Separating Services

Servers can run multiple services but should not run things that have conflicting security goals. For example domain controllers
should not also be publicly accessible web servers because DCs should be private to local network and web servers need to accept
public traffic (usually).

  • Active Directory Services: Fine to combine Active Directory Services, such as AD DS, AD CS and fine to use Active Directory Integrated DNS server.
  • Application Server: If a server is hosting a sensitive application that acts as a firewall, it would not be appropriate to also host a web application etc.
  • DHCP and DNS: Ok to have both, if DNS installed on DC can be integrated with Active Directory and enable secure dynamic updates
  • Network Policy and Access Services: Services in this role provide protection and should not be combined with Active Directory Roles. Can use this role for
    VPN or NAP.
  • Fax Server, File Services, Print Services: Can be combined unless one of roles is handling sensitive information.
  • Terminal Services (Remote Desktop): Should not be installed on server hosting Active Directory Roles
  • UDDI Services (Universal Description, Discovery and Integration): Used to share information about web services in an intranet
    or on an extranet. Common to host on web server but should not be combined with Active Directory.
  • Web Server (IIS): Best to limit to only web server role, however internal services could also host file services and print services.
    Active Directory Rights Management Services use and require this role.
  • Windows Deployment Services (WDS): Deploys images of operating systems to systems in a network, common to include DHCP but not recommended
    to host any active directory roles on WDS server.

TL;DR - Active Directory roles should usually be kept separate, on servers that are not publicly accessible.

Using Read-Only Domain Controllers

An RODC is useful in branches that have less physical security; if the server is lost or stolen it does not compromise sensitive info about the domain.
RODCs have a PRP (Password Replication Policy) which controls which passwords can be stored on the RODC and which ones are always
checked across a WAN link with a real DC (and will not be cached).

Domains that support RODCs include the following two special groups.

  • Allowed RODC Password Replication Group: Users added to this group automatically have their passwords cached on each RODC,
    different from the PRP which affects only a single RODC.
  • Denied RODC Password Replication Group: Includes Enterprise Admins and Domain Admins, users in this group will never have passwords cached on RODC.

Exploring DNS Security Issues

Record Types:

  • A (Host) Records: Resolve a host name to an IP
  • PTR: Resolves an IP to a hostname
  • SRV (Service): Identifies computers running services such as domain controller etc
  • SPF (Sender Policy Framework): Identifies systems authorized to send email for a domain, prevents spam and email spoofing

Protecting Against Email Spoofing with SPF records

If the sender does not match the SPF record, most email servers will just assume the mail is spam/spoofed and discard it. If no SPF
record exists it is much easier to spoof email.
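
The check a receiving mail server makes against a published SPF record, as an added example that is not part of the original notes. It evaluates only the ip4, ip6 and all mechanisms (others need DNS lookups and are skipped); the example.com record and the sender addresses are constructed from documentation address ranges.

```python
import ipaddress

# SPF qualifiers and the result each one produces when its mechanism matches.
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, sender_ip):
    """Evaluate mechanisms left to right; the first match decides the result."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                 # no usable SPF record published
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"               # default qualifier when none is written
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":             # matches every sender, usually last
            return RESULTS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return RESULTS[qualifier]
        # a, mx, include, etc. would require DNS queries: not modelled here
    return "neutral"                  # nothing matched and no "all" term

# Constructed TXT record for example.com: two authorized sources, reject the rest.
SAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all"

def demo():
    # Constructed connecting addresses claiming to send mail for example.com.
    senders = ["192.0.2.10", "198.51.100.25", "203.0.113.9"]
    return {ip: check_spf(SAMPLE_RECORD, ip) for ip in senders}

if __name__ == "__main__":
    for ip, result in demo().items():
        print(f"{ip}: {result}")
```

A "none" result is the case the notes describe as easier to spoof: with no record published, the receiver has nothing to compare the sending address against.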

Understanding Dynamic Updates

In Microsoft networks a client can pull a different IP with DHCP, so dynamic DNS updates are used to keep track of clients (A records).

Using Secure Dynamic Updates

  • Only authenticated clients can create DNS records (must first authenticate to AD domain)
  • Can assign permissions to DNS zones as added layer of control

Secure Dynamic Updates Require:

  • DNS Zone must be an Active Directory Integrated Zone
  • DNS Must be installed on a Domain Controller, if DNS is running on another member server can only create primary
    and secondary zones

Chapter Review Questions:

  1. What causes the Windows 7 Desktop to dim when a user attempts an action requiring administrative approval?
  2. True or false: If files are encrypted on a server using EFS, they’re automatically encrypted when a user uses offline folders.
  3. Which of the following can’t be used to update a system?
    a. Automatic Updates
    b. WSUS
    c. SCCM
    d. DNS
  4. True or false: You can use Group Policy to configure all computers in a domain to use automatic updates?
  5. True or false: After Microsoft has released security updates, clients are no longer vulnerable to the exploits that the updates resolve?
  6. What kind of DNS record resolves an IP address to a host name?
    a. A record
    b. PTR record
    c. SPF record
    d. MX record
  7. You want to deploy a domain controller to a branch office. However the branch office has very little physical security. What should you do?
    a. Don’t deploy the domain controller
    b. Deploy DNS with the domain controller, and use secure dynamic updates
    c. Deploy a RODC
    d. Remove Administrator accounts before deploying the domain controller.
  8. True or false: You should separate DNS from Active Directory Domain Services for enhanced security?
  9. True or false: You should separate Terminal Services from Active Directory Domain Services for enhanced Security?
  10. True or false: You can enable secure dynamic updates only on DNS servers installed on a domain controller.

Answers:

  1. User Account Control (UAC)
  2. False
  3. d
  4. True
  5. False
  6. b
  7. c
  8. False
  9. True
  10. True

Relevant sections of Certification Exam

Understanding Network Security, Understanding Security Software