Public Key Infrastructure Fundamentals 70-642 70-271 70-445 70-237
Computer networks are no longer closed systems in which a user’s mere presence on the network can serve as proof of identity. In this age of information interconnection, an organization’s network might consist of intranets, Internet sites, and extranets-all of which are potentially susceptible to access by unauthorized individuals who intend to maliciously view or alter the organization’s digital information assets.
There are many potential opportunities for unauthorized access to information stored on networks. A person can attempt to monitor or alter information as it crosses the network, including e-mail messages, electronic commerce transactions, and file transfers. A thief who steals a laptop computer can attempt to access confidential documents stored on the computer. An attacker might attempt to impersonate a legitimate user to gain access to information that would not otherwise be authorized.
A well-planned PKI can reduce the likelihood of each of these common attacks. As a security administrator, you must understand the fundamentals of PKI, and be able to deploy a Windows Server 2003 Certificate Services infrastructure.
Cryptography and Encryption
Cryptography is essential for the secure exchange of information across intranets, extranets, and the Internet. From a technical point of view, cryptography is the science of protecting data by mathematically transforming it into an unreadable format, otherwise known as encryption. To a business, cryptography is a means to reduce the likelihood of a costly security compromise by providing authentication, confidentiality, and data integrity.
Network encryption comes in two main varieties: shared key encryption and public key encryption. Shared key encryption requires both the sender and the recipient of an encrypted message to have a shared secret-a password that can be used to encrypt and decrypt the message. Shared key encryption is easy to understand, but it is difficult to implement on a large scale. After all, to allow secure communication between 1,000 employees at a company would require about 1 million passwords to be exchanged, because any two users who wanted to communicate would need to exchange a unique password.
For example, if Sam wants to send an encrypted electronic message to Toby, Sam first walks over to Toby and whispers a password in his ear. Then, when Toby receives the electronic message, Toby decrypts it with the password. As long as nobody else knows the password, Sam can be sure that the contents of the message are private.
The second common network encryption mechanism is public key encryption, also known as asymmetric key encryption. Public key encryption uses one key to encrypt a message, and a second, related key to decrypt the message. These two keys form a key pair. One of these keys is kept private, and the other key can be shared publicly (hence the name, public key encryption).
For example, if Sam wants to send an encrypted message to Toby, Sam uses Toby’s public key to encrypt the message. When Toby receives the message, Toby uses his private key to decrypt it. Only Toby’s private key can be used to decrypt a message encrypted with his public key, so Sam can be sure that nobody else was able to view the contents of the message.
There’s another interesting way to use public key encryption: digital signatures. If Sam wants to prove to Toby that Sam, and not somebody else, sent the message, Sam can use Sam’s own private key to encrypt the message. After Toby receives it, Toby needs to use Sam’s public key to decrypt the message. If it decrypts properly, Toby can be certain that Sam’s private key was used to encrypt it and that the message hadn’t changed since Sam sent it. Of course, encryption takes a great deal of processing power, so Sam would probably choose to encrypt a short hash of the message instead of the entire message, and append the hash onto the end of the message. That would be sufficient to prove that Sam sent the message and that it hadn’t been modified in transit. NS0-201 70-643 70-631
Deploying Updates on New Clients 70-649 1D0-470 117-202 70-620
The setup process is a very vulnerable time for new computers. Updates can fix the vast majority of vulnerabilities for computers running Microsoft Windows, but if you install a computer using the original distribution of Windows, those vulnerabilities will be present during the setup process. Fortunately, there are steps you can take to limit the risk of having those vulnerabilities exploited. First, you should leave new computers disconnected from the network during the setup process, or use a firewall to block traffic from potentially dangerous networks. Second, you can integrate as many of the updates as possible into the Windows setup files, so that the updates are present even during the setup process.
After this lesson, you will be able to
Design a dedicated network for installing new computers one at a time, with minimal infrastructure.
Design a dedicated network for installing new computers in assembly-line fashion.
Integrate service packs into Windows setup files.
Automatically install updates after an automated installation.
Estimated lesson time: 30 minutes
Security Considerations
Computers are under attack from the moment they connect to the Internet. Worms and viruses are constantly active, probing every IP address for vulnerabilities. Microsoft Windows Server 2003 is much more resilient to attacks that might occur during the installation process than earlier versions of Windows because it adheres to the “secure by default” ideal. However, vulnerabilities have been discovered in unpatched computers running Windows Server 2003, and these vulnerabilities might be exploited during the setup process.
Although it is possible to update and secure a computer running Windows so that it can be connected directly to the Internet without becoming infected by a worm or a virus, a computer does not have the benefit of updates or security hardening during the installation process. If you attempt to install Windows on a computer while it is connected to the Internet, there is a high probability that it will be attacked, and possibly exploited.
Security Alert Earlier versions of Windows have several widely exploited vulnerabilities, and will almost certainly be exploited during the setup process if connected to the Internet. 352-001 70-290 70-536
Security Alert Not all attacks originate from the Internet. Worms and viruses might have infected computers on the local area network, and will be scanning computers inside the firewall for vulnerabilities. Therefore, you must still take measures to protect computers while installing the operating system, even if they are only connected to a private network.
Assessing Patch Levels 70-441 350-001 350-018
Auditing is one of security’s core concepts. Without auditing, security degrades over time. Updating is certainly no exception to this; even if you configure an airtight updating infrastructure, at some point a computer on your network will go unpatched. This can happen when a mobile computer is disconnected from the network for an extended period, when a user changes a computer’s configuration settings, and when the installation process of an update is interrupted.
MBSA is a powerful tool that you can use to assess the patch levels on your network. If and when a computer fails to install an update, MBSA can detect it. If there are rogue computers on your network that are not participating in your patching infrastructure, MBSA can find them. You can even schedule MBSA to scan your network for unpatched computers at night, so you can review the reports in the morning without waiting for the scan to occur.
MBSACLI
Scanning a large network should be done on a regular basis to find computers that have not been properly updated. However, scanning a large network is a time-consuming process. While the MBSA console is the most efficient way to interactively scan a network, the Microsoft Baseline Security Analyzer command-line interface (MBSACLI) provides a way to script an analysis. By using scripts, you can schedule scanning to occur automatically, without your intervention. In this way, you can have MBSACLI generate a report that you can refer to on demand.
Security Alert It’s convenient to schedule MBSACLI scans after business hours so you don’t consume network resources during working hours; however, if you do this, you won’t scan computers that users take home with them. It’s a good idea to schedule scans at various times during the day.
Another good reason to schedule scans by using MBSACLI is to scan from multiple points on your network. For example, if your organization has five remote offices, it is more efficient to scan each remote office by using a computer located in that office. This improves performance, reduces the bandwidth used on your wide area network, and allows you to scan computers even if a perimeter firewall blocks the ports that MBSACLI uses to scan.
MBSACLI runs in one of two modes: MBSA and HFNetChk. MBSA mode provides similar functionality to that of the graphical MBSA console. HFNetChk mode provides backward compatibility with earlier versions of the tool, and also provides additional functionality not supported in MBSA mode. Some of the additional features provided by HFNetChk mode are connecting to network resources as another user, specifying an XML data source, and scanning a set of computers specified in a text file. HFNetChk mode scans only for missing updates; it will not scan for other types of vulnerabilities, such as weak configuration settings. 640-801 70-291 1D0-510 MB6-508
Configuring Authentication for Web Users 920-221 70-299 70-541
Active Directory is a perfect way to store credentials for internal users because it can provide single sign-on authentication for a variety of network resources, including Web servers. If your organization provides an internal Web site, the Web site should authenticate users by using their existing Active Directory user accounts. If the Web site accesses information on the user’s behalf, such as querying a database to retrieve confidential benefits information, the Web site should access that information by using the user’s own credentials.
Active Directory is not the ideal way to store credentials for external users. Many organizations invite customers, potential customers, and partners outside the organization to access information, files, and data. Today, information is usually shared with external users by means of a Web site. If the Web site allows anyone on the Internet to access content, these Web users will be considered anonymous. However, the anonymous user’s requests must still be issued in the context of a valid security principal in order to access files and data.
Most public Web sites on the Internet allow anonymous access for at least a portion of the site. In other words, the general public can retrieve pages from the Web server without providing credentials. This does not mean that authentication is not taking place, however. Any user or process that accesses a file or other network resource must do so in the context of a security principal (a user, a computer, or a service account). When Internet Information Services (IIS) accesses files to be sent to an anonymous user, it uses a specified user account to access those files. When anonymous access is not allowed, users must provide their own credentials. XK0-002 70-536 646-230
As an administrator, you can control which user account IIS uses to access files and other network resources on behalf of anonymous users. By default, this account is automatically created during the IIS installation process and is named IUSR_computername. To specify different user credentials for IIS to use when accessing files and resources on behalf of an anonymous user, first create a new user account, and then follow these steps:
Log on to the computer as an administrator.
Click Start, click Administrative Tools, and then click Internet Information Services Manager.
Expand the computer node, and then expand the Web Sites folder. Right-click the node for the Web site you are editing, and then click Properties.
Click the Directory Security tab. In the Authentication And Access Control grouping, click the Edit button.
The Authentication Methods dialog box appears. Type the user’s credentials in the User Name and Password fields, and then click OK.
Click OK again to return to the Internet Information Services Manager.
Considerations for Evaluating Your Environment 70-431 70-646 70-236
When establishing an authentication strategy for your organization, you must become familiar with your current environment, including the structure of your organization; the users, computers, and services in your organization that require authentication; and the applications and services that are in use. This will help you to understand the requirements and constraints of your organization.
When evaluating your environment, identify the following:
The number of domain controllers in your organization. Ensure that there are enough domain controllers to support client logon requests and authentication requests while meeting your redundancy requirements. A sufficient number of domain controllers will ensure that a large volume of authentication requests will not result in authentication failures, even if a domain controller is offline because of hardware or network failures.
The type of network connectivity between site locations in your organization. Ensure that clients in remote sites are connected well enough to authenticate to domain controllers located in main sites. If connectivity is an issue, consider installing domain controllers in sites that might have logon problems because of slow or unreliable links. 642-415 642-373 70-642
Planning Everyone is always concerned about whether they have enough bandwidth, but it’s latency that’s more likely to cause authentication problems across wide area network links. Authentication requires very little bandwidth. However, packets must go back and forth across the link several times. If latency causes a significant delay for each round trip, authentication will seem slow.
The number of certification authorities (CAs) that are available in your organization and their locations. Ensure that you have enough CAs to support the anticipated number of certificate requests.
Guidelines for Creating a Strong Password Policy
Encryption limits your vulnerability to having user credentials intercepted and misused. Specifically, password encryption is designed to be extremely difficult for unauthorized users to decrypt. Ideally, when a strong password is used, it should take an attacker months, years, or decades to identify the unencrypted password after the attacker captures the encrypted or hashed password. During that time, the password should have been changed—making the unencrypted password now useless.
In contrast, weak passwords can be identified in a matter of hours or days, even when they have been encrypted. Encryption cannot protect against passwords that are easily guessed, because weak passwords are vulnerable to dictionary attacks. Dictionary attacks encrypt a list of common passwords, and compare each possibility with the captured cyphertext. If the password appears in the password dictionary, the attacker will identify the password quickly. You can defend against this vulnerability by implementing a strong password policy.
Off the Record The best way to understand how effective dictionary attacks are is to grab a password cracking tool from the Internet and experiment with it on a test machine. I can’t point you to a specific tool, but they’re not hard to find. 70-271 70-445 70-237
The following steps demonstrate the flow of events that occur when a client authenticates to a domain controller using any of the NTLM protocols: 70-649 1D0-470 117-202 jn0-562
The client and server negotiate an authentication protocol. This is accomplished through the Microsoft negotiate Security Support Provider (SSP).
The client sends the user name and domain name to the domain controller.
The domain controller generates a 16-byte random character string called a nonce.
The client encrypts the nonce with a hash of the user password and sends it back to the domain controller.
The domain controller retrieves the hash of the user password from the security account database.
The domain controller uses the hash value retrieved from the security account database to encrypt the nonce. The value is compared with the value received from the client. If the values match, the client is authenticated.
The Kerberos Authentication Process
The Kerberos protocol gets it name from the three-headed dog in Greek mythology. The three components of Kerberos are:
The client requesting services or authentication.
The server hosting the services requested by the client.
A computer that is trusted by the client and server (in this case, a Windows Server 2003 domain controller running the Kerberos Key Distribution Center service).
Kerberos authentication is based on specially formatted data packets known as tickets. In Kerberos, these tickets pass through the network instead of passwords. Transmitting tickets instead of passwords makes the authentication process more resistant to attackers who can intercept the network traffic.
Key Distribution Center 1D0-510 MB6-508 190-802 70-290
The Key Distribution Center (KDC) maintains a database of account information for all security principals in the domain. The KDC stores a cryptographic key known only to the security principal and the KDC. This key is used in exchanges between the security principal and the KDC and is known as a long term key. The long term key is derived from a user’s logon password.
Kerberos authentication process
In a Kerberos environment, the authentication process begins at logon. The following steps describe the Kerberos authentication process:
When a user enters a user name and password, the computer sends the user name to the KDC. The KDC contains a master database of unique long term keys for every principal in its realm.
The KDC looks up the user’s master key (KA), which is based on the user’s password. The KDC then creates two items: a session key (SA) to share with the user and a Ticket-Granting Ticket (TGT). The TGT includes a second copy of the SA, the user name, and an expiration time. The KDC encrypts this ticket by using its own master key (KKDC), which only the KDC knows.
Note Kerberos implements secret key cryptography, which is different from public key cryptography in that it does not use a public and private key pair.
The client computer receives the information from the KDC and runs the user’s password through a one-way hashing function, which converts the password into the user’s KA. The client computer now has a session key and a TGT so that it can securely communicate with the KDC. The client is now authenticated to the domain and is ready to access other resources in the domain by using the Kerberos protocol.
Important When a client receives the session key and TGT from the server, it stores that information in volatile memory and not on the hard disk. Storing the information in the volatile memory and not on the hard disk makes the information more secure, because the information would be lost if the server were physically removed.
When a Kerberos client needs to access resources on a server that is a member of the same domain, it contacts the KDC. The client will present its TGT and a timestamp encrypted with the session key that is already shared with the KDC. The KDC decrypts the TGT using its KKDC. The TGT contains the user name and a copy of the SA. The KDC uses the SA to decrypt the timestamp. The KDC can confirm that this request actually comes from the user because only the user can use the SA.
Next, the KDC creates a pair of tickets, one for the client and one for the server on which the client needs to access resources. Each ticket contains the name of the user requesting the service, the recipient of the request, a timestamp that declares when the ticket was created, and a time duration that says how long the tickets are valid. Both tickets also contain a new key (KAB) that will be shared between the client and the server so they can securely communicate.
The KDC takes the server’s ticket and encrypts it using the server master key (KB). Then the KDC nests the server’s ticket inside the client’s ticket, which also contains the KAB. The KDC encrypts the whole thing using the session key that it shares with the user from the logon process. The KDC then sends all the information to the user.
When the user receives the ticket, the user decrypts it using the SA. This exposes the KAB to the client and also exposes the server’s ticket. The user cannot read the server’s ticket. The user will encrypt the timestamp by using the KAB and send the timestamp and the server’s ticket to the server on which the client wants to access resources. When it receives these two items, the server first decrypts its own ticket by using its KB. This permits access to the KAB, which can then decrypt the timestamp from the client. HP0-145 70-646 70-291
Now both the client and the server have the KAB. The server can be sure that the client has truthfully identified itself because the client used the KAB to encrypt the timestamp. If it is necessary for the server to respond to the user, the server will use the KAB. The client will know that the server has truthfully identified itself because the server had to use its KB to get the KAB.
Exam Tip Be sure you understand the Kerberos authentication process for the exam!
Designing a WINS Replication Strategy 70-236 70-646 70-431 70-293
In designing your WINS infrastructure you must take into account the process of replicating
your WINS database from one WINS server to another WINS server located on
a different subnet. This is very important; you want users from a subnet to be able to
access resources located on a different subnet using NetBIOS-friendly names. This lesson
will show you how a WINS server can be selected as a push or pull partner, which
enables this replication to take place.
Creating a Replication Strategy
Once you have documented your WINS infrastructure and have determined the placement
of all of your WINS servers, routers, subnets, users, and so on, it’s time to create
a replication strategy to improve performance and to add fault tolerance to your enterprise
network. On smaller networks where only one or two WINS servers are needed,
a replication strategy is simple and effortless to create. On larger enterprise networks,
a lot of thought must be put into designing and implementing a replication strategy.
In the diagram, Subnet 1 contains a single WINS server named WS1 that services all client
computers on that subnet. When Client1-1 starts up, it registers all of the NetBIOS
information you learned earlier to the WINS database. All of the WINS-enabled client
computers in this subnet are configured to use WS1 as their primary WINS server.
When Client1-2 initiates a connection to \\client1-1, a name-resolution request is made
to the WINS server. The database is checked, and the IP address is returned. 70-649 MB2-632 642-812
Subnet 2 also has a WINS server, named WS2, which services all WINS-enabled workstations
on Subnet 2. When Client2-1 starts up, it too registers its NetBIOS information
to the WINS server, as do all WINS-enabled workstations in Subnet 2. But what would
happen if Client1-1 tried to access Client2-1 using NetBIOS name resolution? The router
in the diagram indicates that broadcast traffic would not pass through it, so NetBIOS
name resolution would have to occur in one of the two other ways you learned:
Lmhosts files or WINS. Let’s assume that there are no Lmhosts files configured for any
of the clients. When Client1-1 queries the WINS database on the WS1 server, there will
not be an entry for Client2-1, or for any other clients in Subnet 2 for that matter, in the
WINS database because Subnet 2 clients register all NetBIOS information to only the
WINS database on the WS2 server.
Securing Your WINS Infrastructure
Any time replication information from one server will traverse a network to reach
another server, you risk the possibility of interception of that data. Just as DNS zone
transfers are susceptible to this type of attack, so is WINS replication data.
Because WINS servers may be exposed to the Internet just like DNS servers are, security
should be of concern. Replication traffic between WINS servers across a public network
such as the Internet can be intercepted. NetBIOS names and IP addresses of your
servers and workstations can be made available to unauthorized personnel. As with
DNS, there are a couple of options you can use to protect your WINS replication data:
Encryption using Internet Protocol Security (IPSec ) 70-620 jn0-562
Encryption using a Virtual Private Network (VPN ) 117-201 117-202
As a network administrator, it is very important that your design always includes security
measures to protect the information and network resources of your company. All
WINS servers should be secured by cipher-locked doors, and access should be
restricted to authorized personnel using Active Directory directory services.
WINS Database 70-299 70-541 XK0-002 70-536
The WINS database uses the Extensible Storage Engine (ESE) to operate. This is the
same engine used by Active Directory directory service, Microsoft Exchange, and many
other Windows components. ESE is built on JET (Joint Engine Technology). Most database
programs such as Microsoft SQL Server, Oracle, and Sybase allow transactions to
first be written to a log file before being written to the database file. This improves
performance because input/output (IO) to a file can be done quickly; subsequent
transactions can be written to the area of the database where the data should be stored.
ESE also separates log files and transactions to optimize performance.
For example, if a WINS-enabled client is booted, the client will register its name and IP
number to the WINS server. The WINS server will write this transaction to a log file
immediately. Later, when the processor is idle, transactions will be permanently written
directly to the database. There are a couple of advantages to this methodology:
Improved performance 646-230 642-533
Fault tolerance 70-272 70-284 220-602
The improved performance has already been demonstrated, but how is fault tolerance
gained in this example? Because all transactions are written to a log file first, a harddisk
crash of the database file could easily be restored from a backup tape combined
with the log files you have stored on a different drive or tape. This would allow you to
bring the server back to the point of failure. That is, transactions could be restored right
up to the point when the crash occurred if you restored your WINS database backup
and the current log files.
Now that you have had a lesson in how most databases work, let’s look at the WINS
database.
WINS Database Files
WINS uses the JET database format to store data in five different file types:
Log Files As you learned earlier, transactions are stored in log files. These files
begin with the letter “J” followed by a decimal number if the log file is a new
transaction, for instance, J10.log. If a log file becomes full, it is renamed with a
hexadecimal number appended to the previous name, such as J100000F.log. Then,
a new log file with the original filename is created.
Log files can grow quickly. As you learned in your earlier brief database lesson,
writing to log files increases speed and efficiency of data storage as well as providing
for recovery in case of a failure or crash. Log files should not be deleted
until a backup of the WINS database has occurred.
After all, once the database has been backed up, there is no reason to keep a copy
of the log files because the transactions have already been posted to the database
and backed up to tape or another media. If, however, the database crashes and
there is no backup of the log files, losing the database would mean losing the files
to recover. If you do not have a software or hardware redundant array of independent
disks (RAID) system in place, you would be able to return the system only to
the point of your last backup. All transactions that occurred between that backup
and the crash would be lost.
Checkpoint files Checkpoint files are used during a recovery process. These
files indicate the location of the information that was successfully written from the
transaction log files to the database file.
Wins.mdb The WINS server database file contains two tables: the IP address-toowner
ID mapping table and the name-to-IP address mapping table.
Winstmp.mdb This is a temporary file created by the WINS server service to aid
in index maintenance. 70-630 640-801 70-297
Res# .log Reserved log files are used if your server runs out of disk space and
cannot create additional transaction log files. The server places outstanding transactions
into these reserved log files, and the WINS service shuts down and logs an
event to Event Viewer.
[QAWI201V3.0] - Business Objects Certified Professional Web Intelligence XI 3.0
[132-S-1002.3] - Avaya Sales Certification Specialist
[132-S-911.2] - Specialist IP Telephony Implement & Support Elective Exam
[050-V60X-CSEDLPS] - CSE RSA Data Loss Prevention 6.0
[000-M26] - RDi SOA Technical Sales Mastery Test
[000-669] - SOA Fundamentals (2008)
[050-710] - Novell Certified Linux Administrator
[156-915.65] - Accelerated CCSE NGX R65
[156-215.65] - Check Point Security Administration I NGX
[190-805] - Using Web Services in IBM Lotus Domino 8 Applications
[HP0-M23] - HP Business Availability Center Foundation
[922-094] - Communication Server 1000 Rls.5.0 Dialing Plan Design & IP
[HP0-S16] - Implementing HP BladeSystem
[642-524] - Securing Networks with ASA Foundation
ToolStrip controls can host a wide range of functionality. ToolStripItems duplicate the functionality of several other Windows Forms controls as well as combine some Windows Forms functionality with menu functionality.000-297 ex0-103 190-801
Tool strips support rafting, merging, rearrangement of controls, and overflow of controls.
MenuStrip controls are used to create menus for forms and host ToolStripMenu-Item controls, which represent menu entries and commands.
The ContextMenuStrip control is used for creating context menus. You can associate a context menu with a control by setting the ContextMenuStrip property.
The Properties window can be used to create default event handlers or to assign preexisting methods to handle events.
A variety of mouse and keyboard events are raised in response to user actions. The MouseEventArgs parameter in many of the mouse events provides detailed information regarding the state of the mouse, and the KeyEventArgs and KeyPressEvent-Args parameters provide information regarding the state of the keyboard.
Event handlers can be created at run time and used to dynamically associate events with methods.
Typically, most real-world applications use databases as a store for the data in that application. For example, inventory systems, contact management systems, and airline reservation systems store data in a database and then retrieve the necessary records into the application as needed. In other words, the data used by an application is stored in a database external to the actual application, and it is retrieved into the application as required by the program.
When creating applications that work with data, the Microsoft .NET Framework provides many classes that aid in the process. The classes that you use for common data tasks such as communicating, storing, fetching, and updating data are all located in the System.Data namespace. The classes in the System.Data namespace make up the core data access objects in the .NET Framework. These data access classes are collectively known as ADO.NET.
Before you can begin working with data in an application, you must first establish and open a connection and communicate with the desired data source. This chapter describes how to create the various connection objects that are used to connect applications to different data sources and sets the basis for working with data in the following chapters. After learning to establish connections to databases in this chapter, we will move on to Chapter 6, “Working with Data in a Connected Environment,” which provides instructions for running queries, saving data, and creating database objects directly between your application and a database. Chapter 7, “Create, Add, Delete, and Edit Data in a Disconnected Environment,” describes how to create DataSet and DataTable objects that allow you to temporarily store data while it is being used in a running application. Finally, Chapter 8, “Implementing Data-Bound Controls,” provides information on binding data to be displayed and worked with in Windows Forms controls.
Typically, data sources are relational databases such as Microsoft SQL Server and Oracle, but, additionally, you can connect to data in files such as Microsoft Office Access (.mdb) and SQL Server (.mdf) database files. The connection object you use is based on the type of data source your application needs to communicate with. 190-712 640-553 190-623