networking concepts lesson 10 part 1 - network admin & support - eric vanderburg
Post on 19-Oct-2014
TRANSCRIPT
Networking Concepts – Eric Vanderburg ©2005
Chapter 10: Network Administration & Support

Managing Users & Groups
Active Directory Users & Computers
Edit a text file in Linux
Computer Management for local clients

Best Practices
Administrators should have 2 accounts: an account for normal use, and the administrator-level account used only when it is needed (“Run As” or SU (Super User))
Rename the administrator account (it cannot be deleted or disabled)
Disable the guest account (also add restrictions): only access from this computer, no permissions, no access times
Audit use of administrative rights
In Linux, a user account can be disabled by editing the password file and deleted by using the userdel command

Considerations
User name naming conventions
Password complexity
Logon hours
Auditing
Security

Passwords
Change passwords often
  Too often: written down
  Not often enough: insecure network
Dictionary attacks
NOS password lengths
  Windows 2000/2003 limit is 128 characters
  Windows NT limit is 14 characters
  Linux limit is 256 characters

Computer Accounts
Used to restrict access to the domain to certain computers
Must be Domain/Enterprise admin to add computers

User Rights
Permissions - access to resources
Rights - permitted actions: log on locally, shut down the computer, share resources, manage printers, add computers to the domain, adjust quotas, backup & restore, take ownership, …

Groups
Security Group: Local Group, Global Group, Universal Group
Distribution Group
Users should be placed in groups
Permissions should be given to groups, not individual user accounts
Users can belong to many groups
Effective permissions – the end result of all group memberships. All permissions from all groups are added together, but deny overrides allow (use deny sparingly)

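The effective-permissions rule from this slide, worked through as an added example (this is not code from the original slides): the allows from every group a user belongs to are added together, and a deny in any one group wins over an allow in any other. The users, groups and permission names are constructed; the second function answers the question that makes deny entries costly to administer, namely which group is responsible for a deny.

```python
"""Effective permissions from group membership: allows from all groups are
added together, but any deny overrides allow. Added example, not from the
original slides; users, groups and permission names are constructed."""

from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed ACL for one shared folder: group -> (allowed, denied).
SAMPLE_ACL: Dict[str, Tuple[Set[str], Set[str]]] = {
    "Everyone":    ({"read"}, set()),
    "Engineering": ({"read", "write"}, set()),
    "Contractors": ({"read"}, {"write", "delete"}),   # explicit deny entries
    "Admins":      ({"read", "write", "delete", "take_ownership"}, set()),
}

# Constructed group memberships.
SAMPLE_MEMBERS: Dict[str, Set[str]] = {
    "alice": {"Everyone", "Engineering"},
    "bob":   {"Everyone", "Engineering", "Contractors"},
    "carol": {"Everyone", "Admins"},
}


def effective_permissions(user: str,
                          members: Dict[str, Set[str]] = SAMPLE_MEMBERS,
                          acl: Dict[str, Tuple[Set[str], Set[str]]] = SAMPLE_ACL
                          ) -> FrozenSet[str]:
    """Union every allow from the user's groups, then remove every deny."""
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for group in members.get(user, set()):
        grant, deny = acl.get(group, (set(), set()))
        allowed |= grant
        denied |= deny
    return frozenset(allowed - denied)


def denying_groups(user: str, permission: str,
                   members: Dict[str, Set[str]] = SAMPLE_MEMBERS,
                   acl: Dict[str, Tuple[Set[str], Set[str]]] = SAMPLE_ACL
                   ) -> List[str]:
    """Which of the user's groups carry a deny for this permission.
    This is the lookup an admin needs when a user 'should' have access but
    does not, which is why the slide says to use deny sparingly."""
    return sorted(g for g in members.get(user, set())
                  if permission in acl.get(g, (set(), set()))[1])


if __name__ == "__main__":
    for name in SAMPLE_MEMBERS:
        print(name, sorted(effective_permissions(name)))
    print("bob cannot write because of:", denying_groups("bob", "write"))
```

Bob is in Engineering, which allows write, yet his effective permissions are read only, because the Contractors group denies write; the denying_groups lookup points straight at that group.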
Built in Groups
Administrators (Also Domain & Enterprise)
Account Operators - Create and manage user accounts
Backup Operators - backup & restore
Incoming Forest Trust Builders - make one way trusts to the root forest domain
Network Configuration Operators - Change TCP/IP settings for DCs
Performance Log Users - configure performance counters, logs, & alerts
Performance Monitor Users - remotely view performance monitor
Print Operators
Remote Desktop Users
Replicator - Can change the way AD data is sent between DCs and can start the replicator
Server Operators - log onto DCs, start & stop services, backup & restore, format…
Cert Publishers - Publish CRL, CTL, & Templates
Enrollment Agent - Issue Certs
DHCP Administrators
DNS Admins
Group Policy Creator Owner
Schema Admins
Help Services Group - Manage Help & Support center (remote assistance)
Guests

Automatic Groups
User Groups: Everyone, Authenticated Users (non-guest users), Interactive (local user), Network (logged onto domain), Creator / Owner, Anonymous Logon, Terminal Services User, Dialup
Program/Service Groups: Service, Batch, System

Domain & Forest Groups
Local Group - for permissions to local resources; other groups should be inside
Global Group - user accounts should go here
Universal Groups - contain accounts from the entire forest; native mode only

Functional Levels
Functional Level               Supported DC OS
Windows 2000 Mixed             Windows NT 4.0, Windows 2000, Windows Server 2003
Windows 2000 Native            Windows 2000, Windows Server 2003
Windows Server 2003 Interim    Windows NT 4.0, Windows Server 2003
Windows Server 2003            Windows Server 2003
Domain or forest functional level

Functional Levels
Functional Level               Options
Windows 2000 Mixed             No Universal Groups & Nesting
Windows 2000 Native            Universal Groups Allowed, Group Nesting Allowed, Group Conversion Allowed, SID History
Windows Server 2003 Interim    No Universal Groups & Nesting
Windows Server 2003            Universal Groups Allowed, Group Nesting Allowed, Group Conversion Allowed, SID History, Rename DCs

Trusts
Types: 1-way, 2-way, transitive, universal (all domains in a tree trust each other)
NT uses 1-way explicit trusts
2000 & 2003 use 2-way transitive implicit trusts
Allows sharing between domains (permissions are still needed)

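The trust types on this slide (1-way vs 2-way, explicit vs transitive), implemented as an added example that is not part of the original slides. The domain names are constructed, and the function is a simplified model of trust-path evaluation: a direct trust is honoured whether or not it is transitive, while a multi-hop chain may only pass through transitive trusts. As the slide says, a trust path only makes access possible; permissions are still needed.

```python
"""Resolving whether an account from one domain can be granted access in
another, following the trust types on the slide. Added example, not from
the original slides; the domains are constructed."""

from collections import deque
from typing import Iterable, List, Optional, Tuple

# (trusting_domain, trusted_domain, transitive): the trusting domain accepts
# accounts from the trusted domain. A 2-way trust is simply two 1-way entries.
Trust = Tuple[str, str, bool]


def two_way(a: str, b: str, transitive: bool) -> List[Trust]:
    return [(a, b, transitive), (b, a, transitive)]


# Constructed forest: a root domain with two children joined by the 2-way
# transitive trusts Windows 2000/2003 create implicitly, plus a 1-way explicit
# (non-transitive) trust of the kind NT uses: eng accepts LEGACYNT accounts,
# but LEGACYNT does not accept eng accounts.
SAMPLE_TRUSTS: List[Trust] = (
    two_way("corp.example", "sales.corp.example", True)
    + two_way("corp.example", "eng.corp.example", True)
    + [("eng.corp.example", "LEGACYNT", False)]
)


def trust_path(resource_domain: str, account_domain: str,
               trusts: Iterable[Trust] = SAMPLE_TRUSTS) -> Optional[List[str]]:
    """Chain of domains through which resource_domain trusts account_domain,
    or None if no trust exists. A direct trust works whether or not it is
    transitive; a multi-hop chain may only follow transitive trusts."""
    edges = list(trusts)
    if resource_domain == account_domain:
        return [resource_domain]
    if any(t == resource_domain and d == account_domain for t, d, _ in edges):
        return [resource_domain, account_domain]
    queue = deque([[resource_domain]])
    seen = {resource_domain}
    while queue:                                   # breadth-first: shortest chain
        path = queue.popleft()
        for trusting, trusted, transitive in edges:
            if trusting != path[-1] or not transitive or trusted in seen:
                continue
            if trusted == account_domain:
                return path + [trusted]
            seen.add(trusted)
            queue.append(path + [trusted])
    return None


def can_grant_access(resource_domain: str, account_domain: str,
                     trusts: Iterable[Trust] = SAMPLE_TRUSTS) -> bool:
    """True only means an ACL *could* name the account; permissions are still needed."""
    return trust_path(resource_domain, account_domain, trusts) is not None


if __name__ == "__main__":
    print(trust_path("sales.corp.example", "eng.corp.example"))   # via the root
    print(trust_path("sales.corp.example", "LEGACYNT"))           # None: not transitive
```

The sales domain reaches eng through the root because both trusts are transitive, but it never reaches LEGACYNT: the explicit NT-style trust stops at eng, and the reverse direction does not exist at all.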
Accounts
SID (Security Identifier) - unique number for AD objects
We see names, Windows sees SIDs
Recreated accounts will have new SIDs
NT stores user rights in SAM (Security Accounts Manager)
2000 & 2003 store rights in AD

Event Viewer
System Log – records information about operating system services and hardware
Security Log – records security events based on audit filters or policy settings
Application Log – maintains information about applications
Additional logs: Directory Service, DNS Server, File Replication Service

Performance Monitor
Records individual events to show trends in a graph
Object – the item you want to track (ex: processor)
Counter – the aspect of the item that you want to track (ex: interrupts/sec)

Monitoring
Network Monitor - install from Add/Remove Windows Components (must be server OS)
  Data read from and written to server each second
  Queued commands
  Number of collisions per second
  Security errors
  Connections currently maintained to other servers (server sessions)
Linux users can choose from many open source add-on products

Long-term monitoring
Develop a baseline
Update the baseline when the network changes: bandwidth changes, new servers, software change
Compare performance to the baseline

Security
Know the costs: costs due to loss of data, costs of downtime, cost of implementing security measures
Physical access must be protected first
Share-oriented security (Win9x)
User-oriented security (Win2k, 2k3, XP)

Security
Securing data: make it safe from intruders; make sure damaged data can be replaced
Plan for network security: identify threats
Communicate with other managers in the office to make sure the security system meets needs (it is not only about IT; think of the users)

Windows Security Features
Kerberos
PKI (Public Key Infrastructure)
Group Policy
VPN (Virtual Private Network)
IPSec (IP Security)

Windows 2003
CLR (Common Language Runtime) – reduces bugs that leave Windows vulnerable by reducing the power of individual programs, placing them under the control of the OS.
IIS 6.0 – configured for maximum security by default & disabled by default
Unsecured clients cannot log in – Windows 95 and NT prior to SP4 cannot log in to a Windows 2003 domain by default; certificates and encryption are required for all clients

Kerberos
Authentication method (Win2k & 2k3 default)
Based on RFC 1510; uses Kerberos version 5
Replaces NTLM (NT LAN Manager) & NTLMv2 – still used with pre-2k clients

Kerberos Components
KDC (Key Distribution Center)
  AS (Authentication Service) - verifies identity through AD; gives a TGT (Ticket Granting Ticket), which gives access to certain resources
  TGS (Ticket-Granting Service) - verifies the TGT; creates a service ticket & session key for a resource based on the TGT. The client can present the service ticket to another server to access its content. NOTE: servers have tickets too. Only services its own domain; must refer to another TGS for interdomain resource access (gives a referral ticket)
[Diagram: KDC, client, and server with the desired resource]

Items of Note
Delegation with forwarding and proxy - for a server such as a database server to access resources on your behalf (given a proxy or forwarding ticket)
NTP (Network Time Protocol) is used to synchronize time between machines. Keys are based on system time so all must be the same.

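The AS, TGS and resource-server steps from the Kerberos Components slide, together with the time-synchronization note above, simulated end to end as an added example (this is not code from the original slides). The principals, passwords and clock values are constructed, and seal/unseal is a teaching stand-in for Kerberos encryption types, not a real one. The flow shows the KDC verifying identity before issuing a TGT, the TGS issuing a service ticket from that TGT, the server validating the ticket with only its own key, and a skewed server clock causing an otherwise valid ticket to be rejected, which is why clocks must be synchronized.

```python
"""Kerberos v5 exchange simulated end to end. Added example, not from the
original slides; seal/unseal is a teaching stand-in for Kerberos encryption
types, and all principals, keys and clock values are constructed."""

import hashlib
import hmac
import json
import os
from typing import Dict, Tuple

MAX_CLOCK_SKEW = 300        # seconds; the reason the slide says clocks must match
TICKET_LIFETIME = 8 * 3600
REALM = "CORP.EXAMPLE"
KRBTGT = f"krbtgt/{REALM}@{REALM}"


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC with a SHA-256 keystream and an HMAC tag (teaching cipher)."""
    plain = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = nonce + bytes(p ^ s for p, s in zip(plain, keystream(key, nonce, len(plain))))
    return body + hmac.new(key, body, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Reject anything not sealed under `key`, e.g. a forged or mis-keyed ticket."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    nonce, ct = body[:16], body[16:]
    return json.loads(bytes(c ^ s for c, s in zip(ct, keystream(key, nonce, len(ct)))))


def derive_key(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()   # stand-in for string-to-key


# Constructed KDC database: one user, one service, and the krbtgt key shared by AS and TGS.
KDC_DB: Dict[str, bytes] = {
    f"alice@{REALM}": derive_key("correct horse"),
    f"cifs/files.corp.example@{REALM}": derive_key("file-server-secret"),
    KRBTGT: derive_key("kdc-master-secret"),
}


def check_authenticator(session_key: bytes, auth: bytes, client: str, now: float) -> None:
    """Authenticators are fresh timestamps sealed by the client; reject stale or mismatched ones."""
    a = unseal(session_key, auth)
    if a["client"] != client:
        raise ValueError("authenticator does not match ticket")
    if abs(now - a["timestamp"]) > MAX_CLOCK_SKEW:
        raise ValueError("clock skew too large; synchronize time with NTP")


def as_exchange(client: str, preauth: bytes, now: float) -> Tuple[bytes, bytes]:
    """AS: verify identity (pre-auth timestamp sealed under the user's key), then issue a TGT."""
    check_authenticator(KDC_DB[client], preauth, client, now)
    skey = os.urandom(32)
    tgt = seal(KDC_DB[KRBTGT], {"client": client, "session_key": skey.hex(),
                                "expires": now + TICKET_LIFETIME})
    return tgt, seal(KDC_DB[client], {"session_key": skey.hex()})


def tgs_exchange(tgt: bytes, auth: bytes, service: str, now: float) -> Tuple[bytes, bytes]:
    """TGS: verify the TGT with the krbtgt key, then issue a service ticket and session key."""
    t = unseal(KDC_DB[KRBTGT], tgt)
    if now > t["expires"]:
        raise ValueError("TGT expired")
    tgt_key = bytes.fromhex(t["session_key"])
    check_authenticator(tgt_key, auth, t["client"], now)
    skey = os.urandom(32)
    ticket = seal(KDC_DB[service], {"client": t["client"], "session_key": skey.hex(),
                                    "expires": now + TICKET_LIFETIME})
    return ticket, seal(tgt_key, {"session_key": skey.hex()})


def service_accepts(service: str, ticket: bytes, auth: bytes, now: float) -> str:
    """Resource server: decrypt the ticket with its own long-term key; no call to the KDC."""
    t = unseal(KDC_DB[service], ticket)
    if now > t["expires"]:
        raise ValueError("service ticket expired")
    check_authenticator(bytes.fromhex(t["session_key"]), auth, t["client"], now)
    return t["client"]


def logon_and_access(client: str, password: str, service: str,
                     client_clock: float, server_clock: float) -> str:
    """The whole flow from the client's side; returns the principal the server accepted."""
    user_key = derive_key(password)

    def stamp(key: bytes) -> bytes:          # an authenticator under the given key
        return seal(key, {"client": client, "timestamp": client_clock})

    tgt, enc = as_exchange(client, stamp(user_key), client_clock)
    tgt_key = bytes.fromhex(unseal(user_key, enc)["session_key"])
    ticket, enc2 = tgs_exchange(tgt, stamp(tgt_key), service, client_clock)
    svc_key = bytes.fromhex(unseal(tgt_key, enc2)["session_key"])
    return service_accepts(service, ticket, stamp(svc_key), server_clock)
```

With a wrong password the AS rejects the pre-authentication and no TGT is issued; with the right password but a file server whose clock is ten minutes off, the ticket itself is valid yet the authenticator falls outside the allowed skew and the server refuses it.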
PKI
Deploying a PKI allows you to perform tasks such as:
  Digitally signing files (documents and applications)
  Securing e-mail
  Enabling secure connections between computers
  Better user authentication (smart cards)

Certificates
Digital certificates - electronic credentials, consisting of public keys, which are used to sign and encrypt data.
CA (Certification Authority) - issues digital certificates. CAs form a hierarchy:
  Root CA
  Subordinate CA
  Intermediate CA
  Issuing CA
  Rudimentary CA - restricted to issuing certain certs
[Screenshot: Select CA Role]

Certificates
Certificate policy and practice statements - the two documents that outline how the CA and its certificates are to be used, the degree of trust that can be placed in these certificates, legal liabilities if the trust is broken, and so on.
Certificate repositories - where certificates are stored and published (AD)
CRL (Certificate Revocation List) - list of certificates that have been revoked before reaching the scheduled expiration date
CTL (Certificate Trust List) - the list of the certificates you trust. If you trust a root, you trust all certs from that root.
View issued certs from the Certificates MMC; double-click to see a cert

Certificate Server Role
Publish certificates - The PKI administrator makes certificate templates available to clients (users, services, applications, and computers) and enables additional CAs to issue certificates.
Enroll clients - Users, services, or computers request and receive certificates from an issuing CA or a Registration Authority (RA). The CA/RA administrator or enrollment agent uses the information provided to authenticate the identity of the requester before issuing a certificate.
Publish CRL & CTL - Users need to know which certificates are revoked and which servers are trusted by their CA.
Renew or revoke certificates

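The CTL, CRL, expiry and CA-hierarchy rules from the two Certificates slides and the "Publish CRL & CTL" task above, combined into one acceptance check as an added example (not code from the original slides). The certificates are simplified dicts rather than X.509 structures, and the names, serial numbers, dates and CRL contents are constructed. Beyond what the slides state, the check also treats a CRL that is past its next-update time as a failure, since a stale list cannot prove a certificate is unrevoked.

```python
"""Accepting a certificate: root on the CTL, no certificate in the chain
revoked (per a current CRL) or expired. Added example, not from the original
slides; simplified dicts, not X.509; all values constructed."""

from typing import Dict, List, Optional, Set, Tuple

Cert = Dict[str, object]   # subject, issuer, serial, not_after (epoch seconds)


def cert(subject: str, issuer: str, serial: int, not_after: float) -> Cert:
    return {"subject": subject, "issuer": issuer, "serial": serial, "not_after": not_after}


# Constructed hierarchy: root -> issuing CA -> two end-entity certs for one host.
ROOT = cert("Corp Root CA", "Corp Root CA", 1, 2_000_000_000)
ISSUING = cert("Corp Issuing CA", "Corp Root CA", 2, 1_900_000_000)
WEB = cert("intranet.corp.example", "Corp Issuing CA", 1001, 1_800_000_000)
OLD_WEB = cert("intranet.corp.example", "Corp Issuing CA", 900, 1_800_000_000)
STORE = {c["subject"]: c for c in (ROOT, ISSUING)}   # repository copy of CA certs

# Certificate Trust List: the roots this machine trusts.
CTL: Set[str] = {"Corp Root CA"}

# Published CRLs: issuer -> (next_update, revoked serials). OLD_WEB (serial 900)
# was revoked well before its scheduled expiry, e.g. after a key compromise.
CRLS: Dict[str, Tuple[float, Set[int]]] = {
    "Corp Root CA": (1_750_000_000, set()),
    "Corp Issuing CA": (1_750_000_000, {900}),
}


def build_chain(leaf: Cert, store: Dict[str, Cert] = STORE) -> Optional[List[Cert]]:
    """Walk issuer links up to a self-signed certificate."""
    chain = [leaf]
    while chain[-1]["issuer"] != chain[-1]["subject"]:
        issuer = store.get(chain[-1]["issuer"])
        if issuer is None or len(chain) > 10:
            return None
        chain.append(issuer)
    return chain


def validate(leaf: Cert, now: float, ctl: Set[str] = CTL,
             crls: Dict[str, Tuple[float, Set[int]]] = CRLS) -> Tuple[bool, str]:
    """(accepted, reason). Every certificate in the chain must be unexpired and
    unrevoked, the CRL consulted must itself be current, and the root must be
    on the CTL (trusting the root is what makes every cert below it trusted)."""
    chain = build_chain(leaf)
    if chain is None:
        return False, "cannot build chain to a root"
    if chain[-1]["subject"] not in ctl:
        return False, f"root {chain[-1]['subject']} is not on the CTL"
    for c in chain:
        if now > c["not_after"]:
            return False, f"{c['subject']} expired"
        if c["issuer"] == c["subject"]:
            continue                      # roots are trusted via the CTL, not a CRL
        if c["issuer"] not in crls:
            return False, f"no CRL available for {c['issuer']}"
        next_update, revoked = crls[c["issuer"]]
        if now > next_update:
            return False, f"CRL for {c['issuer']} is stale; fetch a fresh one"
        if c["serial"] in revoked:
            return False, f"{c['subject']} (serial {c['serial']}) is revoked"
    return True, "trusted"


if __name__ == "__main__":
    for c, when in ((WEB, 1_700_000_000), (OLD_WEB, 1_700_000_000), (WEB, 1_760_000_000)):
        print(c["serial"], validate(c, when))
```

The two host certificates differ only by serial number: the current one is accepted, the revoked one is refused even though its expiry date has not arrived, and once the published CRL goes stale even the good certificate is refused until a fresh list is fetched.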
Group Policy
Group Policy MMC / AD Users & Computers MMC
Select your group policy
Edit as needed

Group Policy
Double-click an item to edit its properties
[Screenshot: Properties]

VPN
Encapsulates & encrypts one packet inside another
Server to Server - connecting LANs
Client to Server - remote users & extranet

VPN Protocols
L2TP (Layer 2 Tunneling Protocol)
  Encrypts with IPSec
  Works on many protocols (X.25, ATM, IP, Frame Relay)
PPTP (Point to Point Tunneling Protocol)
  Encrypts with MPPE (Microsoft Point to Point Encryption) - 40, 56, or 128 bit
  Authenticates with PAP (Password Authentication Protocol), CHAP (Challenge Handshake Authentication Protocol), MSCHAP, or EAP
  Works only over IP

VPN Advantages
Distance is not a concern
More scalable - can adjust bandwidth to use
Less reliant on expensive modem pools

IPSec
Tunnel mode - encrypts the header and the payload of each packet
Transport mode - encrypts the payload only
All systems must be IPSec compliant
Authentication: SHA (Secure Hash Algorithm) - 160 bit, high overhead; MD5 (Message Digest 5) - 128 bit
Data encryption: DES (Data Encryption Standard) - 56 bit; 3DES (Triple DES) - high processor overhead; AES
IPv6 has IPSec built-in

Security
Firewalls
IDS
Honeypot
Malicious Code
Wireless
A “hardened” OS is one that has been made as secure as possible

Hardware Firewalls
Screened host - hardware firewall filters packets & ports. Bastion host does application filtering. NAT or proxy
Multiple DMZ – each section has its own set of firewalls and DMZ separating it from the others
Screened Subnet/DMZ (Demilitarized Zone) – put external access machines in between 2 firewalls
Screening Router - filters packets & closes ports

Hardware requirements
Storage – large amounts of log files will be present on this computer so there must be a large amount of storage
Processor – this computer will be analyzing many packets
2 NICs – must be able to connect the outside with the inside

Software Firewalls
Most are cumbersome to configure and control
Inexpensive extra layer of protection
Firewall places itself in between the NIC and the TCP/IP stack
Vendors: Windows Firewall (built-in), Novell Border Manager (built-in), Macintosh Firewall (built-in), Norton Internet Security, BlackIce, ZoneAlarm

Firewalls (cont)
Multiple firewalls can be used for load balancing
[Screenshots: Windows Firewall, ZoneAlarm]

IDS (Intrusion Detection System)
NIDS (Network IDS) – analyzes network traffic
HIDS (Host IDS) – analyzes traffic sent only to its host
LIDS (Linux IDS) – open source IDS for Linux clients or servers (http://www.lids.org/)
Looks at network or host traffic based on rules to determine whether an attack is in progress
The IDS can be configured to respond accordingly, e.g. close ports, ban IP addresses, alert admins, close shares, disable accounts, etc.
Examples: Snort

Rules
Rule base – set of rules that tell the firewall or IDS what action to take when types of traffic flow through it. Should be based on security policy.

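A rule base of the kind the IDS and Rules slides describe, run over constructed connection-log lines, as an added example that is not from the original slides and does not use Snort's rule syntax. It pairs three rule types with the responses the IDS slide lists (alert admins, ban IP): a content signature, a failed-logon threshold, and a distinct-port threshold. The log format, addresses, thresholds and rule names are all constructed.

```python
"""A small IDS rule base run over constructed log lines. Added example, not
from the original slides; log format, addresses, thresholds and responses
are constructed, and the rules are not Snort syntax."""

import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed log format: "<epoch> <src_ip> <dst_ip> <dst_port> <outcome> <payload>"
SAMPLE_LOG = """\
1000 10.0.0.5 10.0.0.20 445 fail logon
1001 10.0.0.5 10.0.0.20 445 fail logon
1002 10.0.0.5 10.0.0.20 445 fail logon
1003 10.0.0.5 10.0.0.20 445 fail logon
1004 10.0.0.5 10.0.0.20 445 fail logon
1005 10.0.0.5 10.0.0.20 445 fail logon
1010 10.0.0.9 10.0.0.20 21 ok -
1011 10.0.0.9 10.0.0.20 22 ok -
1012 10.0.0.9 10.0.0.20 23 ok -
1013 10.0.0.9 10.0.0.20 25 ok -
1014 10.0.0.9 10.0.0.20 80 ok -
1015 10.0.0.9 10.0.0.20 110 ok -
1020 10.0.0.7 10.0.0.20 80 ok GET /index.html
1021 10.0.0.7 10.0.0.20 80 ok GET /cgi-bin/../../etc/passwd
"""

Event = Dict[str, object]
Hit = Optional[Tuple[str, str]]      # (action, reason) or None


def parse(line: str) -> Event:
    ts, src, dst, port, outcome, payload = line.split(" ", 5)
    return {"ts": int(ts), "src": src, "dst": dst, "port": int(port),
            "outcome": outcome, "payload": payload}


class RuleBase:
    """Each rule expresses one line of security policy and returns the
    action to take when its condition is met. Rules are stateful because
    threshold detections need history per source address."""

    def __init__(self) -> None:
        self.fails = defaultdict(list)    # src -> timestamps of failed logons
        self.ports = defaultdict(set)     # src -> distinct destination ports touched
        self.rules = [self.traversal_signature, self.brute_force, self.port_scan]

    def traversal_signature(self, e: Event) -> Hit:
        """Content signature: directory traversal sequence in a request."""
        if re.search(r"\.\./", str(e["payload"])):
            return "alert admins", f"path traversal in request from {e['src']}"
        return None

    def brute_force(self, e: Event, limit: int = 5, window: int = 60) -> Hit:
        """Threshold: more than `limit` failed logons from one source in `window` s."""
        if e["outcome"] != "fail":
            return None
        hist = self.fails[e["src"]]
        hist.append(e["ts"])
        hist[:] = [t for t in hist if e["ts"] - t <= window]   # forget old attempts
        if len(hist) > limit:
            return "ban IP", f"{e['src']}: {len(hist)} failed logons in {window}s"
        return None

    def port_scan(self, e: Event, limit: int = 5) -> Hit:
        """Threshold: one source touching more than `limit` distinct ports."""
        seen = self.ports[e["src"]]
        seen.add(e["port"])
        if len(seen) > limit:
            return "alert admins", f"{e['src']} touched {len(seen)} ports"
        return None

    def run(self, log: str) -> List[Tuple[int, str, str]]:
        """Apply every rule to every event; return (timestamp, action, reason) hits."""
        actions = []
        for line in log.splitlines():
            e = parse(line)
            for rule in self.rules:
                hit = rule(e)
                if hit:
                    actions.append((e["ts"], hit[0], hit[1]))
        return actions


if __name__ == "__main__":
    for ts, action, reason in RuleBase().run(SAMPLE_LOG):
        print(ts, action, "-", reason)
```

The sample produces three hits: the sixth failed logon from 10.0.0.5 trips the ban rule, the sixth distinct port from 10.0.0.9 trips the scan alert, and the traversal signature fires once on the second request from 10.0.0.7. Nothing fires on the normal request, which is the point of writing rules from policy rather than from everything that looks unusual.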
Honeypot
A lure for a hacker
Wastes the hacker's time
Fake computer or network behind security barriers
Can be analyzed to view attack methods and improve security: identify what they are after, what their skill level is, and what tools they use.

Malicious Code
Virus - self-replicating code segment which is attached to an executable. When the program is started, the virus code may also run. If possible, the virus will replicate by attaching a copy of itself to another file. A virus may also have an additional “payload” that runs when specific conditions are met.
Trojan horse - malicious code pretending to be a legitimate application. The user believes they are running an innocent application when the program is actually initiating its ulterior activities. Trojan horses do not replicate.
Worm - self-replicating program; does not require a host program, creates a copy and causes it to execute; no user intervention is required. Worms commonly utilize network services to propagate to other computer systems.
Spyware - a program that secretly monitors your actions. Could be a remote control program used by a hacker, or it could be used to gather data about users for advertising, aggregation/research, or preliminary information for an attack. Some spyware is configured to download other programs on the computer.

Viruses
Implement virus protection at these locations:
  Workstation – protects a single computer by scanning files from the server or e-mail messages
  Server – scans data read from or written to the server; prevents a virus on the server from spreading throughout the network
  Internet gateway – scans all Web browser, FTP, and e-mail traffic; stops viruses before they enter the network. Do not infect those checking your website.

Wireless Security
Site survey - adjust location and range so that wireless access extends only to business borders
Passwords should be changed and so should WEP keys. WEP should be enabled.
Filter MACs
Disable SSID broadcasting

Hardening
Remove unneeded services
Close unused ports
Remove unused user accounts

Preventing Data Loss
Backup, Backup, Backup
  Normal - copies all files and resets the archive bit
  Incremental - copies files changed since the last full or incremental backup
  Differential - copies files changed since the last full backup
  Copy - copies all files with no reset of the archive bit
  Daily - copies all files modified today
Create a backup schedule
Test backups (verify & do a test restore)
Use a UPS (Uninterruptible Power Supply)

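The five backup types above and what each does to the archive bit, simulated over a small volume as an added example (not code from the original slides), going one step beyond the slide to the restore side: which backup sets are needed to rebuild the volume after a failure, which is what a test restore has to prove. The files, schedules and daily change pattern are constructed.

```python
"""Backup types and the archive bit, plus the sets a restore needs. Added
example, not from the original slides; files, schedules and changes are
constructed."""

from typing import Dict, List, Set


class Volume:
    """Constructed volume: filename -> day last modified, with an archive bit
    per file (True = changed since the last normal or incremental backup)."""

    def __init__(self, files: Dict[str, int]) -> None:
        self.modified = dict(files)
        self.archive = {f: True for f in files}     # never backed up yet

    def write(self, name: str, day: int) -> None:
        self.modified[name] = day
        self.archive[name] = True


def backup(vol: Volume, kind: str, today: int) -> Set[str]:
    """Files copied by one backup of the given kind. Only normal and
    incremental backups reset the archive bit; copy and daily leave it alone,
    and differential deliberately does not reset it either."""
    if kind in ("normal", "copy"):
        selected = set(vol.modified)                              # everything
    elif kind in ("incremental", "differential"):
        selected = {f for f, bit in vol.archive.items() if bit}   # changed since last reset
    elif kind == "daily":
        selected = {f for f, d in vol.modified.items() if d == today}
    else:
        raise ValueError(f"unknown backup type {kind}")
    if kind in ("normal", "incremental"):
        for f in selected:
            vol.archive[f] = False
    return selected


def run_schedule(vol: Volume, schedule: List[str],
                 changes: Dict[int, List[str]]) -> List[Set[str]]:
    """Day by day: apply that day's file changes, then take the scheduled backup."""
    sets = []
    for day, kind in enumerate(schedule):
        for name in changes.get(day, []):
            vol.write(name, day)
        sets.append(backup(vol, kind, day))
    return sets


def sets_needed_for_restore(schedule: List[str], up_to_day: int) -> List[int]:
    """Indices of the backup sets needed to restore the state as of up_to_day:
    the last normal backup, every incremental after it, and only the latest
    differential since the last incremental (each differential contains the
    one before it). Copy and daily sets never reset the bit, so they are
    not part of the chain."""
    last_full = max(i for i in range(up_to_day + 1) if schedule[i] == "normal")
    needed = [last_full]
    for i in range(last_full + 1, up_to_day + 1):
        if schedule[i] == "incremental":
            needed.append(i)
        elif schedule[i] == "differential":
            if schedule[needed[-1]] == "differential":
                needed.pop()                   # superseded by this newer differential
            needed.append(i)
    return needed


if __name__ == "__main__":
    sched = ["normal", "differential", "differential", "copy", "differential"]
    vol = Volume({"a": 0, "b": 0, "c": 0})
    for day, copied in enumerate(run_schedule(vol, sched, {1: ["a"], 2: ["b"], 4: ["c"]})):
        print(day, sched[day], sorted(copied))
    print("restore needs sets", sets_needed_for_restore(sched, 4))
```

With incrementals, each set is small but a restore needs the full set and every incremental in order; with differentials, each set grows through the week but a restore needs only the full set and the newest differential. The copy backup taken on day 3 copies everything and changes nothing about the next differential, which is exactly why the copy type exists for ad-hoc backups in the middle of a schedule.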
Alternate Boot Methods
Recovery Console
  Fixmbr: replace the master boot record
  Fixboot: write a new boot sector
  Format: format the disk
  Diskpart: manage disk partitions
Last known good configuration
Safe mode
Safe mode with networking
VGA mode

Other Recovery Programs
System Restore - takes snapshots (restore points) of the system state
Driver Rollback
Shadow Copy

Shadow Copy
Enabling shadow copies
Click Settings

Shadow Copy
Viewing shadow copies – Win2k
Select a copy and click Restore to go back to that version
Viewing shadow copies – WinXP

Redundancy
RAID (Redundant Array of Inexpensive Disks)
  0 - Striping
  1 - Mirroring
  5 - Striping with parity
  10 - 2 RAID 5 configurations mirrored
  0+1 - Striped volumes mirrored
Duplexing provides redundancy for the controller also

Intellimirror
Push software to users or computers: assigning, publishing (only for users, not computers)
Protect system files from damage
Mandatory & roaming profiles
Not present in NT

[Screenshot: Published Applications]

UPS (Uninterruptible Power Supply)
Capabilities:
  Power conditioning - cleans power, removing noise
  Surge protection - protects the computer from sags and spikes
Categories:
  Stand-by – must switch from wall to battery power
  Online – continually supplies power through the battery; no switching. Wall power recharges the battery continually

Auditing
Records certain actions for security and troubleshooting: failed access, granted access
Should use auditing sparingly – it uses resources, and more auditing is harder to utilize effectively