ITS 3250 - Securing Systems

Security Strategies in Windows...
Chapters 9 and 10

This lesson presents an introduction to Windows network security and administration. Objectives important to this lesson:

1. Network security
   
2. Microsoft network security
   
3. Windows security protocols
   
4. Securing network services
   
5. Wireless networking
6. Desktop network security
7. Server network security
   
   
8. Security administration
9. Due diligence and regulatory compliance
   
10. Policies, standards, procedures, and guidelines
    

Concepts:

Chapter 9

Chapter 9 is about network concepts. It begins with some basic ideas about types of networks based on their geographic size. The designations below can overlap, and they are only rough designations, not true measures.

• Personal Area Network (PAN) - very short range methods are used for one person to connect to their own devices
  
• Local Area Network (LAN) - typical coverage is within one building, but it is more common to be one floor of a building or one work area
  
• Metropolitan Area Network (MAN) - meant to cover several blocks or a small city; this is actually a series of LANs that are linked together with longer range wireless technologies or standard wired ones
• Campus Area Network (CAN) - very similar to a MAN, but usually operated by one organization, such as a school or a business
  
• Wide Area Network (WAN) - typically, a network that spans multiple cities or countries
• Global Area Network (GAN) - multiple WANs are connected to make a network that covers a planet (only Earth at this time) and may use satellite relays to span continents

On page 193, the text splits resources into two groups, but uses a limited view of the second one;

• local resources - any resources directly connected to the computer a user is on, such as a printer or scanner that is connected to the user's computer by a cable
• remote resources - any resources not directly connected to the user's computer; the text tells us that a remote resource will be connected to another computer, but it may only be connected to a network the user can access

The text informs us that the point of security controls on a network is to protect the remote resources that are part of the network. However, there are several points that overlap in the list of important controls on page 193. Some are listed below.

• access controls for printers and shared folders - Printers are often devices attached to a network, but it is more complicated in Windows networks. Users typically connect to a printer through an AD object that runs as a process on a server. It provides a driver to users and serves as their gateway to the printer's actual print queue. Shared folders may be on a workstation, but are more often on a file server.
• communication controls - Limiting the spread of malware is often done by scanning email and attachments, but is also done by controlling access to web sites and outside storage services.
• antimalware programs - This concerns the network devices, but it overlaps onto the actual local computers and devices of the network users. The line showing where a local device exists can be blurry.
• software installation, configuration, and patch management - These all apply to the devices anywhere on a well managed network, whether we consider them to be local or remote.

The text continues with the idea that having a network itself is a risk. It exists to share resources, and security exists to control, allow, and prevent that sharing. The text goes on to consider some aspects of historical and current network technologies. Four physical media types are listed on page 196, and six wireless protocols are listed on page 197. Devices that are commonly found on networks are discussed on pages 198 through 202. Starting on page 202, the text reviews the OSI network reference model, HTTP, and TCP/IP. More common network protocols are listed on pages 205 and 206. Several of the listed protocols are used for secure transmission of data.

You should browse through this material in case any of it is not familiar to you. If you have any questions about it, please bring them up in class or in an email to me.

On page 207, the text begins some advice about services, the programs we run on a server that justify its existence. There is an insight in the introductory paragraph that is worth noting. Services are programs, and they watch traffic sent to ports or memory addresses for business that concerns them. The text points out that they are programs, and are as prone to error and failures most other programs. Yes, Virginia, there is a Santa Claus, but he's not perfect. The administrator has to help out.

• Install updates to services - Like any program, you can expect there will be patches and updates related to security. Make your patches on a regular schedule if they are not made automatically.
• Watch your service accounts - Services use service accounts that are like user accounts. They are both granted permissions to do the things they need to do. Unlike user accounts, a service account can be added automatically when the service is installed, and it may be given more rights and permissions than we would agree with it having. This link will take you to a Microsoft article about service accounts in Windows 10 and Server 2016. The article confirms the note on page 208, stating that there can be some automatic management of service accounts if you are running Server 2008 or later. As the text also states, you should not rely on just the automatic management when you are concerned about the accounts having the least privileges that they need.
  • In particular, note the advice about setting the password to never expire (so your service does not suddenly stop), and also set it so the user (the service itself ) cannot change the password.
  • Why set that last one? Do it in case you forgot to revoke login rights for the account, and in case the inevitable hacker finds a way around that.
  • Make sure that the account does not belong to a default group that would give it more permissions than you want it to have.
• Only run necessary services - When you set up a server, you can define what roles it will fulfill. A role that is no longer needed for a server will continue to run the services associated with that role. When you are sure that a running service is not needed on a particular box, the text recommends three levels of removal, each of which is more drastic than the last:
  • Stop the service - Change the Startup Type to manual, so the service does not run on boot. A service that is already running can be stopped on the server's Services snap-in.
  • Disable the service - Change the Startup Type to disabled, which will prevent Windows from starting it.
  • Remove the service - Remove the actual program that provides the service and you can be sure that it will not run.

The text offers some advice about wireless configuration on page 210. The suggestions are pretty elementary.

• Don't use WEP - Wired Equivalent Privacy (WEP) security can be broken due to its repetition of short Initialization Vectors in its keys. This is not as simple as clicking a button, but it is possible if you have the right tools and information. The situation was improved by the introduction of WEP2, which increased the length of the Initialization Vector and changed the authentication method to Kerberos, which is used in Windows network authentication. WPA2 is a current standard and it is preferred in all cases. If your hardware does not support it, buy new hardware.
• Use MAC address filtering - Of course that won't stop any hacker who can spoof a MAC address.
• Disable SSID broadcasting on your wireless access points - This is a fine idea, but it is ineffective for two reasons: remote devices trying to connect will still include the SSID in their transmissions, and so will the WAP once a connection has been made.
• Limit outside eavesdropping - The text means that we should make sure that our WAPs do not transmit beyond the area (building?) in which we want them to work. That is reasonable, but the people on the periphery will complain that their throughput is terrible. Darn.
• Use separate wireless networks for employees and for guests - Your real wireless network should be secure because you use it for business. The text suggests that guests in our environment don't need so much security if they only want to get to the Internet. Really? And when their credit card numbers are snagged by a hacker in the coffee shop, who do you think they will blame? Make them use passwords on a secure system. Just don't give them access to the real network.

The text concludes the chapter with advice about using authentication and authorization, and about updating your virus protection. No news there. It hints that we can do something with firewalls, but that is beyond the scope of this chapter.

Chapter 10

Chapter 10 seems very light weight. The summary is one paragraph and it holds no details. Turning to the contents in the chapter, it is nice that the author introduces you to the Deming Cycle, which is one of the many lessons taught by Dr. William Edwards "Ed" Deming, the creator of Quality Improvement. Plan-Do-Check-Act is a profound attitude change for people who have never heard of it. It says that a good idea must be examined in place, so you can judge whether it is still a good idea in the situation where you have applied it.

Dr. Deming's Plan-Do-Check-Act cycle is not the only lesson he taught. He wrote a lesson called 14 Points for Management that tell us how to run a business so that everyone in it becomes part of its success. Read that lesson, and you will probably see that everything you have ever seen that works in a business has used some of his principles.

The video below presents an additional insight into Dr. Deming's theories, the idea that your four-phase cycle diagram probably does not describe the whole truth. I think he knew that before he taught us PDCA. He just had to get our attention first, then he could teach the next part of the lesson.

The idea of looking for other variables, and looking for relationships and dependencies between the causes and effects, leads us to better troubleshooting, whether that troubleshooting relates to our jobs, our games, or our lives.

The text gives us a series of lists that may be of use to you:

• Page 222 presents a list of security tasks a system administrator might be involved in. These range from communication to users (acceptable use policy) to monitoring and maintenance of the system.
• Page 223 presents a list of controls that relate to confidentiality.
• Page 224 presents a list of controls that relate to data integrity.
• Page 226 presents a list of controls that relate to availability. Note the story on page 221 about the system administrator who did many things right, but provided a backup and restore solution that was outside the maximum acceptable outage time his employer needed. By the definition in the book, that system was not secure. It did not provide access when it was needed.

Page 227 begins a discussion of firewalls, telling us that the Windows Firewall with Advanced Security snap-in for MMC. The link in the previous sentence will take you to a Microsoft document about shutting off the Windows Firewall, which is not recommended by Microsoft, but is recognized as an infrequent necessity. The text provides only one page about settings in the firewall. This article provides a better walkthrough of setting a rule that can be applied to the three domains the firewall recognizes. By the way, the resources on that website, rootusers.com, might provide you with some insights and tools you don't have yet.

Page 229 has a brief introduction to Performance Monitor, which can look at performance logs and current performance of your server or workstation. It is recommended that you use it regularly. This article on makeuseof.com gives you a better introduction and walks you through using the application.

The text offers some material on backups and restores, but this one is really hard to do unless you have some media to make the backup and have high confidence that your restoration will work. As such, it is recommended that you work through the lab on this subject on the Jones and Bartlett web site.

Page 233 discusses Group Policy administration. Be aware that policies in AD can manage assets anywhere on your network, unless you are in a crazy situation with multiple Active Directories in your environment. Page 235 begins a short section on access rights granted through Discretionary Access Control Lists, Every object in a Windows system has such a list in which you can add users and groups, and configure specific rights for them. EFS and BitLocker are reviewed on pages 237 and 238. All of this was discussed back in chapter 4.

On page 240, the text briefly discusses due diligence. You may need to know a bit more about it. A previous text discussed a company having to adopt a security standard, perhaps to meet a contract or legal obligation. By doing this, the company can argue in court that it adopted a security standard of due care. This is a defensible legal position, and one that a company following reasonable precautions would take.

A related concept is that the maintenance of such security standards must be pursued, or the company can still be found at fault. Maintaining such a standard can be called performing due diligence. That phrase is often used in common business discussions to mean that a company is conducting an investigation of some sort. The meaning is different here, although it should be expected that one would have to investigate and inspect a system in order to maintain it properly.

You may wonder why a text would be telling us about pursuing a goal that does not sound like very good protection. Remember that organizations often must make decisions that are based on less than optimal funding. As such, you should still take care to make a choice that provides the best protection you can reasonably obtain, and that still proves that you showed due care and due diligence.

Moving on from the a set of standards that are merely adequate, the text discusses recommended practices and best practices. We should remember while reading this discussion that "best" is a relative term that can only be applied to something until something better comes along. With that understood, this link will lead you to the Federal Agency Security Practices page on the NIST web site. A quick look at some of the documents on that site will show you that most are several years old, which may indicate that new best practices take a while to develop. They are, however, best practices that have been used by reasonable people.