Make the right design decisions to protect your business network—and prepare for the Microsoft® Certified Professional (MCP) exam—with this official Microsoft study guide. Work at your own pace through a system of case-study scenarios and tutorials to gain practical experience planning the security infrastructure for a Windows® 2000 network. As you build these real-world design skills, you’re also preparing for MCP Exam 70-220—a core credit on the Windows 2000 MCSE track.
For complete information on MCSE core and elective requirements, go to: http://www.microsoft.com/trainingandservices/default.asp
A Note Regarding the CD or DVD
The print version of this book ships with a CD or DVD. For those customers purchasing one of the digital formats in which this book is available, we are pleased to offer the CD/DVD content as a free download via O'Reilly Media's Digital Distribution services. To download this content, please visit O'Reilly's web site, search for the title of this book to find its catalog page, and click on the link below the cover image (Examples, Companion Content, or Practice Files). Note that while we provide as much of the media content as we are able via free download, we are sometimes limited by licensing restrictions. Please direct any questions or concerns to firstname.lastname@example.org.
All access to Microsoft Windows 2000 resources is based on the credentials that users provide when they authenticate with the network. This chapter will examine the authentication protocols that are used in Windows 2000, the ways to authenticate down-level clients, and the optimum placement of domain controllers (DCs) to facilitate the authentication process.
To complete this chapter, you must read the chapter scenario. This scenario is used throughout the chapter to apply the design decisions discussed in each lesson.
Market Florist is an Internet-based floral delivery company that allows customers to purchase floral arrangements over the Internet and have them delivered anywhere in North America. You have been called in as a security consultant to design an authentication strategy for the Market Florist internal network that will ensure that user credentials are protected during the authentication process.
Market Florist's head office is in Seattle, the Canadian office is in Winnipeg, and the Mexican office is in Monterrey. Market Florist's marketing department is in San Francisco.
Figure 3.1 shows the network links among Market Florist's four offices.
Figure 3.1 The Market Florist Wide Area Network
Market Florist's Active Directory directory service design comprises three separate domains: marketflorist.tld, ca.marketflorist.tld, and mx.marketflorist.tld. The Seattle and San Francisco sites authenticate in the marketflorist.tld domain, and the Winnipeg and Monterrey sites authenticate with their country's subdomain, as shown in Figure 3.2.
Figure 3.2 The Market Florist Active Directory structure
Market Florist has Windows 2000 servers distributed across its network as shown in Table 3.1.
Table 3.1 Windows 2000 Servers in the Market Florist Network
| Location | Windows 2000 Servers |
|---|---|
| Seattle | Three Windows 2000 DCs for the marketflorist.tld domain. |
| | Two of the DCs are configured as Active Directory-integrated Windows 2000 DNS servers hosting the marketflorist.tld DNS zone. |
| | Two of the Windows 2000 DCs are configured as global catalog servers. |
| | One Windows 2000 member server configured as a WINS server. |
| San Francisco | Two Windows 2000 DCs for marketflorist.tld. |
| | One of the Windows 2000 DCs is configured as a global catalog server. |
| Winnipeg | Three Windows 2000 DCs for the ca.marketflorist.tld domain. |
| | One of the DCs is configured as an Active Directory-integrated Windows 2000 DNS server hosting the ca.marketflorist.tld zone. |
| Monterrey | Two Windows 2000 DCs for the mx.marketflorist.tld domain. |
| | One of the DCs is configured as an Active Directory-integrated Windows 2000 DNS server hosting the mx.marketflorist.tld zone. |
Market Florist Client Computers
The Market Florist network uses a mix of Microsoft Windows 95, Windows NT 4.0 Workstation, and Windows 2000 Professional client computers. All client computers were updated to the latest service pack before January 1, 2000, to ensure that the Market Florist network was Year 2000 compliant.
Table 3.2 shows how the client computers are distributed across the network.
Table 3.2 Market Florist Client Computer Distribution
| Location | Client Computers |
|---|---|
| Seattle | 700 Windows 2000 Professional clients |
| San Francisco | 200 Windows 95 clients |
| | 300 Windows NT 4.0 workstations |
| | 100 Windows 2000 Professional clients |
| Winnipeg | 200 Windows NT 4.0 clients |
| | 300 Windows 2000 Professional clients |
| Monterrey | 300 Windows 95 clients |
| | 100 Windows 2000 Professional clients |
Authentication allows network administrators to determine who is accessing the network and to design restrictions so that each authenticated user can access only the areas of the network intended for that user. Without a sound authentication design, trusted users might not always be able to access the network when they need to.
After this lesson, you will be able to
Estimated lesson time: 20 minutes
When designing authentication for your Windows 2000 network, you must meet certain business and technical requirements. These requirements define how you can make sure that authentication mechanisms are secured within a Windows 2000 network. The business requirements include these areas:
In addition to business requirements, technical requirements also play a part in the design of your network's authentication strategy. These technical requirements might include the following:
You must design authentication for your network to meet all business and technical objectives defined by your organization. These objectives will provide the framework for your design. If you don't meet all objectives, it's quite possible that you will face a redesign in the near future. Ensure that you have collected all business and technical objectives before completing your authentication design.
Windows 2000 is designed to use Kerberos v5 as the default authentication protocol. Kerberos v5 provides more flexibility in authentication than the NTLM authentication protocol did.
After this lesson, you will be able to
Estimated lesson time: 45 minutes
This lesson examines in detail how Kerberos authentication is used as the default authentication mechanism for Windows 2000–based computers. Before we start looking into design considerations of how Kerberos authentication works and how you can optimize and secure Kerberos authentication, let's look at the core components of Kerberos authentication. The components of the Kerberos v5 protocol include
| Section | Title | Page |
|---|---|---|
| | About This Book | xxix |
| | About the Supplemental Course Materials CD-ROM | xxxi |
| | Features of This Book | xxxii |
| | Chapter and Appendix Overview | xxxiii |
| | About the Online Book | xlviii |
| | Sample Readiness Review Questions | xlviii |
| | The Microsoft Certified Professional Program | xlix |
| Chapter 1 | Introduction to Microsoft Windows 2000 Security | 1 |
| | Chapter Scenario: Lucerne Publishing | 2 |
| Lesson 1 | Microsoft Windows 2000 Security Services Overview | 4 |
| Lesson 2 | Designing Security Business Requirements | 10 |
| Lesson 3 | Designing Security to Meet Technical Requirements | 15 |
| Chapter 2 | Designing Active Directory for Security | 21 |
| | Chapter Scenario: Wide World Importers | 23 |
| Lesson 1 | Designing Your Forest Structure | 25 |
| Lesson 2 | Designing Your Domain Structure | 33 |
| Lesson 3 | Designing an OU Structure | 40 |
| Lesson 4 | Designing an Audit Strategy | 52 |
| | Activity: Designing an Audit Strategy | 56 |
| Lab 2-1 | Designing Active Directory for Security | 57 |
| Chapter 3 | Designing Authentication for a Microsoft Windows 2000 Network | 63 |
| | Chapter Scenario: Market Florist | 65 |
| Lesson 1 | Designing Authentication in a Microsoft Windows 2000 Network | 68 |
| Lesson 2 | Designing Kerberos Authentication | 70 |
| Lesson 3 | NTLM Authentication | 85 |
| Lesson 4 | Authenticating Down-Level Clients | 88 |
| Lesson 5 | Planning Server Placement for Authentication | 94 |
| | Activity: Analyzing Authentication Network Infrastructure | 101 |
| Lab 3-1 | Designing Authentication for the Network | 102 |
| Chapter 4 | Planning a Microsoft Windows 2000 Administrative Structure | 107 |
| | Chapter Scenario: Hanson Brothers | 108 |
| Lesson 1 | Planning Administrative Group Membership | 111 |
| Lesson 2 | Securing Administrative Access to the Network | 123 |
| | Activity: Administering the Network | 134 |
| Lab 4-1 | Designing Administration for a Microsoft Windows 2000 Network | 136 |
| Chapter 5 | Designing Group Security | 143 |
| | Chapter Scenario: Hanson Brothers | 144 |
| Lesson 1 | Designing Microsoft Windows 2000 Security Groups | 146 |
| | Activity: Reviewing Group Memberships | 155 |
| Lesson 2 | Designing User Rights | 158 |
| Lab 5-1 | Designing Security Groups and User Rights | 166 |
| Chapter 6 | Securing File Resources | 173 |
| | Chapter Scenario: Wide World Importers | 174 |
| Lesson 1 | Securing Access to File Resources | 177 |
| | Activity: Evaluating Permissions | 189 |
| Lesson 2 | Securing Access to Print Resources | 191 |
| Lesson 3 | Planning EFS Security | 194 |
| Lab 6-1 | Securing File and Print Resources | 203 |
| Chapter 7 | Designing Group Policy | 211 |
| | Chapter Scenario: Wide World Importers | 212 |
| Lesson 1 | Planning Deployment of Group Policy | 215 |
| Lesson 2 | Troubleshooting Group Policy | 225 |
| | Activity: Troubleshooting Group Policy Application | 229 |
| Lab 7-1 | Planning Group Policy Deployment | 230 |
| Chapter 8 | Securing Microsoft Windows 2000-Based Computers | 239 |
| | Chapter Scenario: Market Florist | 240 |
| Lesson 1 | Planning Microsoft Windows 2000 Security Templates | 243 |
| | Activity: Evaluating a Security Template | 261 |
| Lesson 2 | Analyzing Security Settings with Security Configuration and Analysis | 263 |
| Lesson 3 | Planning the Deployment of Security by Using Security Templates | 269 |
| Lab 8-1 | Planning Security Templates | 275 |
| Chapter 9 | Designing Microsoft Windows 2000 Services Security | 285 |
| | Chapter Scenario: Lucerne Publishing | 287 |
| Lesson 1 | Designing DNS Security | 290 |
| | Activity: Designing DNS for Internal and External Use | 295 |
| Lesson 2 | Designing DHCP Security | 297 |
| Lesson 3 | Designing RIS Security | 302 |
| Lesson 4 | Designing SNMP Security | 309 |
| Lesson 5 | Designing Terminal Services Security | 314 |
| Lab 9-1 | Planning Security for Network Services | 319 |
| Chapter 10 | Planning a Public Key Infrastructure | 331 |
| | Chapter Scenario: Blue Yonder Airlines | 332 |
| Lesson 1 | Planning a Certification Authority Hierarchy | 336 |
| Lesson 2 | Managing Certification Authorities | 363 |
| | Activity: Planning Certificate Renewal Settings | 372 |
| Lesson 3 | Using Certificates for Authentication | 373 |
| Lab 10-1 | Planning a PKI Deployment | 381 |
| Chapter 11 | Securing Data at the Application Layer | 389 |
| | Chapter Scenario: Fabrikam Inc. | 390 |
| Lesson 1 | Planning Authenticity and Integrity of Transmitted Data | 393 |
| Lesson 2 | Planning Encryption of Transmitted Data | 407 |
| | Activity: Determining Key Usage | 417 |
| Lab 11-1 | Providing Application-Layer Security for Contoso Ltd. | 419 |
| Chapter 12 | Securing Data with Internet Protocol Security (IPSec) | 427 |
| | Chapter Scenario: Fabrikam Inc. | 428 |
| Lesson 1 | Designing IPSec Policies | 430 |
| | Activity: Evaluating IPSec Scenarios | 455 |
| Lesson 2 | Planning IPSec Deployment | 457 |
| Lab 12-1 | Designing IPSec Security | 467 |
| Chapter 13 | Securing Access for Remote Users and Networks | 477 |
| | Chapter Scenario: Hanson Brothers | 478 |
| Lesson 1 | Planning Remote Access Security | 481 |
| Lesson 2 | Designing Remote Access Security for Users | 495 |
| Lesson 3 | Designing Remote Access Security for Networks | 502 |
| Lesson 4 | Designing Remote Access Policy | 511 |
| | Activity: Designing Remote Access Policy | 519 |
| Lesson 5 | Planning RADIUS Security | 521 |
| Lab 13-1 | Designing Security for Remote Access Users | 529 |
| Chapter 14 | Securing an Extranet | 539 |
| | Chapter Scenario: Market Florist | 540 |
| Lesson 1 | Identifying Common Firewall Strategies | 543 |
| | Activity: Identifying Firewall Features | 557 |
| Lesson 2 | Securing Internet-Accessible Resources in a DMZ | 559 |
| Lesson 3 | Securing Data Flow Through a DMZ | 569 |
| Lab 14-1 | Designing Firewall Rules | 594 |
| Chapter 15 | Securing Internet Access | 607 |
| | Chapter Scenario: Wide World Importers | 608 |
| Lesson 1 | Designing an Internet Acceptable Use Policy | 612 |
| Lesson 2 | Securing Access to the Internet by Private Network Users | 615 |
| | Activity: Identifying Security Design Risks | 630 |
| Lesson 3 | Restricting Access to Content on the Internet | 634 |
| Lesson 4 | Auditing Internet Access | 641 |
| Lab 15-1 | Designing Secure Internet Access | 644 |
| Chapter 16 | Securing Access in a Heterogeneous Network Environment | 653 |
| | Chapter Scenario: Blue Yonder Airlines | 655 |
| Lesson 1 | Providing Interoperability Between Windows 2000 and Heterogeneous Networks | 657 |
| Lesson 2 | Securing Authentication in a Heterogeneous Network | 661 |
| | Activity: Identifying Authentication Risks in a Heterogeneous Network Environment | 668 |
| Lesson 3 | Designing Directory Synchronization and Integration | 669 |
| Lesson 4 | Securing Access to Windows 2000 Resources | 676 |
| Lesson 5 | Securing Windows 2000 User Access to Heterogeneous Networks | 683 |
| Lab 16-1 | Securing Heterogeneous Clients | 692 |
| Chapter 17 | Designing a Security Plan | 701 |
| | Chapter Scenario: Fabrikam Inc. | 702 |
| Lesson 1 | Defining a Security Policy | 705 |
| Lesson 2 | Developing a Security Plan | 709 |
| Lesson 3 | Maintaining a Security Plan | 713 |