
STUDENT MANUAL

Security+ A CompTIA Certification
CHUCK SWANSON

ANDREW LAPAGE

ROBYN FEIOCK

NANCY CURTIS
Security+ A CompTIA Certification
Part Number: 085544
Course Edition: 2.0

ACKNOWLEDGMENTS
Project Team
Curriculum Developers/Technical Writers: Chuck Swanson (Security+, MCT, MCSE+I—Windows NT 4, MCSE—Windows 2000, MCNI, MCNE, CTT), Andrew LaPage (Security+, MCP), Robyn Feiock and Nancy Curtis (Security+, Network+, MCSE—Windows NT 4/Windows 2000, MCT, CNA) • Development Assistance: Alan J. Meeks (MCSE—Windows NT 4/Windows 2000, MCT, Network+, CIWA) • Development Assistance: Mike Casper • Content Manager: Clare Dygert • Copy Editors: Angie J. French and Jay Smith • Reviewing Editors: Christy D. Johnson and Laura Thomas • Technical Editor: Cory Brown • Quality Assurance Coordinator: Frank Wosnick • Graphic Designer: Isolina Salgado • Project Technical Specialist: Michael Toscano

NOTICES
DISCLAIMER: While Element K Courseware LLC takes care to ensure the accuracy and quality of these materials, we cannot guarantee their accuracy, and all materials are provided without any warranty
whatsoever, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. The name used in the data files for this course is that of a fictitious company. Any
resemblance to current or future companies is purely coincidental. We do not believe we have used anyone’s name in creating this course, but if we have, please notify us and we will change the name in
the next revision of the course. Element K is an independent provider of integrated training solutions for individuals, businesses, educational institutions, and government agencies. Use of screenshots or
another entity’s product name or service in this book is for editorial purposes only. No such use should be construed to imply sponsorship or endorsement of the book by, nor any affiliation of such
entity with Element K. Certain exercises in this course manual assume that the user has access to various software products. Element K is not responsible for providing the user of this course manual
with access to those software products. Each user of this course manual is responsible for complying with the terms of any and all software licensing agreements associated with such software products.
Some of the tools and procedures presented in this course could cause problems if used improperly or maliciously in a live network environment. These tools are not a threat in any simulated activities
presented here, nor are they a threat when presented as part of instructor-led training in a closed classroom environment. However, the installation and use of the programs or procedures presented
outside of a controlled environment is the sole responsibility of the end-user and may result in criminal prosecution. Element K does not endorse or recommend the illegal use of any of the scanning or
hacking tools described in this course. This courseware contains links to sites on the Internet that are owned and operated by third parties (the “External Sites”). Element K is not responsible for the
availability of, or the content located on or through, any External Site. Please contact Element K if you have any concerns regarding such links or External Sites.

TRADEMARK NOTICES Element K and the Element K logo are trademarks of Element K LLC.

Microsoft and Windows are registered trademarks of Microsoft Corporation in the U.S. and other countries. Novell and NetWare are registered trademarks of Novell, Inc. in the U.S. and other countries.
Sun, Solaris, and Sun Microsystems are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. All other product names and services used throughout this book
may be common law or registered trademarks of their respective proprietors.

Copyright © 2003 Element K Content LLC. All rights reserved. Screenshots used for illustrative purposes are the property of the software proprietor. This publication, or any part thereof, may not be
reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, storage in an information retrieval system, or otherwise, without express written
permission of Element K, 500 Canal View Boulevard, Rochester, NY 14623, (585) 240-7500, (800) 434-3466. Element K Courseware LLC’s World Wide Web site is located at
www.elementkcourseware.com.

This book conveys no rights in the software or other products about which it was written; all use or licensing of such software or other products is the responsibility of the user according to terms and
conditions of the owner. Do not make illegal copies of books or software. If you believe that this book, related materials, or any other Element K materials are being reproduced or transmitted without
permission, please call 1-800-478-7788.

The logo of the CompTIA Authorized Curriculum Program and the status of this or other training material as "Authorized" under the CompTIA Authorized Curriculum Program signifies that, in CompTIA’s
opinion, such training material covers the content of the CompTIA’s related certification exam. CompTIA has not reviewed or approved the accuracy of the contents of this training material and specifically
disclaims any warranties of merchantability or fitness for a particular purpose. CompTIA makes no guarantee concerning the success of persons using any such "Authorized" or other training material in
order to prepare for any CompTIA certification exam. The contents of this training material were created for the CompTIA IT Security+ exam covering CompTIA certification exam objectives that were
current as of December, 2002.

How to Become CompTIA Certified: This training material can help you prepare for and pass a related CompTIA certification exam or exams. In order to achieve CompTIA certification, you must register
for and pass a CompTIA certification exam or exams. In order to become CompTIA certified, you must:
1. Select a certification exam provider. For more information please visit http://www.comptia.org/certification/general_information/test_locations.asp.

2. Register for and schedule a time to take the CompTIA certification exam(s) at a convenient location.

3. Read and sign the Candidate Agreement, which will be presented at the time of the exam(s). The text of the Candidate Agreement can be found at http://www.comptia.org/certification/general_information/candidate_agreement.asp.

ii Security+ A CompTIA Certification


4. Take and pass the CompTIA certification exam(s).

For more information about CompTIA’s certifications, such as their industry acceptance, benefits, or program news, please visit http://www.comptia.org/certification/default.asp. CompTIA is a non-profit information technology (IT) trade association. CompTIA’s certifications are designed by subject matter experts from across the IT industry. Each CompTIA certification is vendor-neutral, covers multiple technologies, and requires demonstration of skills and knowledge widely sought after by the IT industry. To contact CompTIA with any questions or comments, please call +1 630 268 1818 or email questions@comptia.org.



CONTENTS
SECURITY+ A COMPTIA CERTIFICATION

LESSON 1: IDENTIFYING SECURITY THREATS


A. Identify Social Engineering Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
B. Classify Software Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Software Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Port Scanning Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Eavesdropping Attacks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
IP Spoofing Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Hijacking Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Replay Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Man-in-the-Middle Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Denial of Service/Distributed Denial of Service (DoS/DDoS) Attacks . . 12
Malicious Code Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Attacks Against the Default Security Configuration . . . . . . . . . . . . . . . . 16
Software Exploitation Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Misuse of Privilege Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Password Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Backdoor Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Takeover Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

C. Identify Hardware Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

LESSON 2: HARDENING INTERNAL SYSTEMS AND SERVICES


A. Harden Base Operating Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Corporate Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
System Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Hardened Operating System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Security Baselines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Microsoft Baseline Security Analyzer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Windows 2000 and Windows XP Security Policy Settings . . . . . . . . . . . . . 39
Windows 2000 and Windows XP Security Audits . . . . . . . . . . . . . . . . . . . . 42
Unnecessary Services, NLMs, and Daemons . . . . . . . . . . . . . . . . . . . . . . 44
Security Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
B. Harden Directory Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Directory Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
The Lightweight Directory Access Protocol (LDAP) . . . . . . . . . . . . . . . . . 78
Directory Service Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Hardened Directory Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
C. Harden DHCP Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
DHCP Server Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Hardened DHCP Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
D. Harden Network File and Print Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
SMB Signing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Hardened File and Print Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

LESSON 3: HARDENING INTERNETWORK DEVICES AND SERVICES


A. Harden Internetwork Connection Devices . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Internetwork Device Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Hardened Internetwork Connection Devices . . . . . . . . . . . . . . . . . . . . . 99
B. Harden DNS and BIND Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
DNS and BIND Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Hardened DNS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

C. Harden Web Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Web Server Authentication Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Web Server Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Hardened Web Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Microsoft IIS Lockdown Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
D. Harden FTP Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
FTP Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Hardened FTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
E. Harden Network News Transport Protocol (NNTP) Servers . . . . . . . . . . . . . . 130
Hardened NNTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
F. Harden Email Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Email Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Hardened Email Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Email Security Using S/MIME and PGP . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
G. Harden Conferencing and Messaging Servers . . . . . . . . . . . . . . . . . . . . . . 145
Instant Messaging Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Hardened Conferencing and Messaging Server. . . . . . . . . . . . . . . . . . . 146

LESSON 4: SECURING NETWORK COMMUNICATIONS


A. Secure Network Traffic Using IP Security (IPSec) . . . . . . . . . . . . . . . . . . . . . 154
Data Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Data Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Internet Protocol Security (IPSec). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Data Integrity and Encryption in IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
IPSec Transport Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Internet Key Exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
IPSec Security Associations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Windows 2000 and Windows XP IPSec Policy Agent . . . . . . . . . . . . . . . . 160
Windows 2000 and Windows XP IPSec Driver . . . . . . . . . . . . . . . . . . . . . . 160
Default IPSec Policies in Windows 2000 and Windows XP . . . . . . . . . . . . 160
Windows XP IPSec Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164

B. Secure Wireless Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Wireless Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Mobile Device Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Wireless Security Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
C. Secure Client Internet Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Browser Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Internet Explorer Security Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Hardened Web Browser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
D. Secure the Remote Access Channel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Remote Access Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Hardened Remote Access Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191

LESSON 5: MANAGING PUBLIC KEY INFRASTRUCTURE (PKI)


A. Install a Certificate Authority (CA) Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . 198
Public Key Infrastructure (PKI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
CA Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
B. Harden a Certificate Authority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Certificate Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
The Certificate Life Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
CA Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Hardened CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
C. Back Up Certificate Authorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
D. Restore a Certificate Authority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222

LESSON 6: MANAGING CERTIFICATES


A. Enroll Certificates for Entities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Certificate Enrollment Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
B. Secure Network Traffic Using Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Secure Socket Layer (SSL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Transport Layer Security (TLS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
C. Renew Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
D. Revoke Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Certificate Revocation List (CRL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238

E. Back Up Certificates and Private Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
F. Restore Certificates and Private Keys. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Private Key Replacement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Private Key Restoration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

LESSON 7: ENFORCING ORGANIZATIONAL SECURITY POLICY


A. Enforce Corporate Security Policy Compliance . . . . . . . . . . . . . . . . . . . . . 252
B. Enforce Legal Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Legal Security Compliance Requirements . . . . . . . . . . . . . . . . . . . . . . . . 255
C. Enforce Physical Security Compliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Physical Resource Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
D. Educate Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
The Employee Education Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
End User Responsibility for Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265

LESSON 8: MONITORING THE SECURITY INFRASTRUCTURE


A. Scan for Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
The Hacking Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Vulnerability Scanning Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Types of Security Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Vulnerable TCP and UDP Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
B. Monitor for Intruders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Intrusion Detection Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
C. Set Up a Honeypot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Honeypots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
D. Respond to Security Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Incident Response Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305

APPENDIX A: AUTHENTICATION AND AUTHORIZATION

APPENDIX B: UNDERSTANDING MEDIA


A. Removable Media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Tape Media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Disk Media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
CD-ROM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Floppy Disks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
B. Cabling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Bounded and Unbounded Media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Coaxial Cable (Coax) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Twisted Pair (UTP/STP) Cable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336

APPENDIX C: SECURESYSTEMS.DOC

APPENDIX D: SECURITY+ EXAM OBJECTIVES MAPPING

APPENDIX E: AUTOMATED SETUP INSTRUCTIONS


LESSON LABS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365

SOLUTIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
GLOSSARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397

INDEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407



INTRODUCTION

ABOUT THIS COURSE


Security+™: A CompTIA Certification is the primary course you will need to take if your job responsibilities include securing network services, network devices, and network traffic. It is also the main course you will take to prepare for the CompTIA Security+ examination (exam number SY0-101). In this course, you’ll build on your knowledge and professional experience with computer hardware, operating systems, and networks as you acquire the specific skills required to implement basic security services on any type of computer network.

This course can benefit you in two ways. If you intend to pass the CompTIA Security+ examination (exam number SY0-101), this course can be a significant part of your preparation. But certification is not the only key to professional success in the field of computing security. Today’s job market demands individuals with demonstrable skills, and the information and activities in this course can help you build your security-related skill set so that you can confidently perform your duties in any security-related professional role.

Course Description
Target Student
This course is targeted toward an Information Technology (IT) professional who has networking and administrative skills in Windows-based TCP/IP networks and familiarity with other operating systems, such as NetWare, Macintosh, UNIX/Linux, and OS/2, who wants to: further a career in IT by acquiring a foundational knowledge of security topics; prepare for the CompTIA Security+ Certification examination; or use Security+ as the foundation for advanced security certifications or career roles.

Course Prerequisites
CompTIA A+ and Network+ certifications, or equivalent knowledge, and six to nine months
experience in networking, including experience configuring and managing TCP/IP. Students
can obtain this level of skill and knowledge by taking the following Element K courses:
• A+ Certification: Core Hardware
• A+ Certification: Operating Systems
• Network+ Certification: 3rd Edition
Students can obtain additional TCP/IP knowledge from the Element K course Windows 2000:
Network and Operating System Basics.

Although not required, students might find it helpful to obtain foundational information from
introductory operating system administration courses.

How to Use This Book


As a Learning Guide
Each lesson covers one broad topic or set of related topics. Lessons are arranged in order of increasing proficiency with Security+™; skills you acquire in one lesson are used and developed in subsequent lessons. For this reason, you should work through the lessons in sequence.

We organized each lesson into results-oriented topics. Topics include all the relevant and supporting information you need to master Security+™, and activities allow you to apply this information to practical hands-on examples.

Through the use of sample files, hands-on activities, illustrations that give you feedback at crucial steps, and supporting background information, this book provides you with the foundation and structure to learn Security+™ quickly and easily.

As a Review Tool
Any method of instruction is only as effective as the time and effort you are willing to invest
in it. In addition, some of the information that you learn in class may not be important to you
immediately, but it may become important later on. For this reason, we encourage you to
spend some time reviewing the topics and activities after the course. For additional challenge
when reviewing activities, try the “What You Do” column before looking at the “How You Do
It” column.

As a Reference
The organization and layout of the book make it easy to use as a learning tool and as an after-
class reference. You can use this book as a first source for definitions of terms, background
information on given topics, and summaries of procedures.

Course Objectives
In this course, you will implement and monitor security on networks and computer systems,
and respond to security breaches.
You will:
• identify security threats.
• harden internal systems and services.
• harden internetwork devices and services.
• secure network communications.
• manage a PKI.
• manage certificates.
• enforce an organizational security policy.

• monitor the security infrastructure.
• identify the characteristics of various media.

Course Requirements
Hardware
To run this course make sure all equipment is on the Microsoft Hardware Compatibility List (HCL) for Microsoft Windows 2000 Server and Microsoft Windows XP Professional. The Microsoft Windows HCL can be found at: www.microsoft.com/hcl. You will need one computer for each student and one for the instructor. Each computer will need:
• Pentium processor, 300 MHz or greater.
• 256 megabytes (MB) of Random Access Memory (RAM) or greater.
• 10 gigabyte (GB) hard disk or larger.
• Super VGA (SVGA) or higher resolution monitor capable of a screen resolution of at
least 800 x 600 pixels, at least 256-color display, and a video adapter with at least 4 MB
of memory.
• 3.5” 1.44 MB floppy disk drive.
• Bootable CD-ROM drive.
• Mouse or compatible tracking device.
• Network adapter and cabling connecting each classroom computer.
• Network interface card and network cabling.
• Internet access is recommended as some activities require Internet access. This will also
allow access to the numerous URLs that are referenced throughout the book. Students will
benefit from being able to access the latest information about security such as new types
of attacks and the latest security breaches to different products. Make sure to use IP
addresses that do not conflict with other portions of your network.
• The instructor computer will need a display system to project the instructor’s computer
screen.

Software
• Microsoft Windows 2000 Server or Windows 2000 Advanced Server with sufficient
licenses.
• Microsoft Windows 2000 Service Pack 2.
• Microsoft Windows 2000 Service Pack 3.
• Internet Explorer 6.0 with Service Pack 1. If you will have Internet access during class, you can download the installation setup file from www.microsoft.com/windows/ie/downloads/ie6sp1/download.asp. If you will not have Internet access during class, you will need to order the Internet Explorer 6 CD from www.microsoft.com/windows/ie/ordercd/ie6sp1.asp.
• Microsoft Windows 2000 Security Rollup Package 1 (January, 2002) (W2KSP2SRP1.exe). Download the Network Installation package from www.microsoft.com/windows2000/downloads/critical/q311401/default.asp.

• Microsoft Baseline Security Analyzer version 1.0 (MBSASetup.msi): www.microsoft.com/technet/security/tools/Tools/MBSAhome.asp.
• Microsoft Internet Information Server (IIS) Security Rollup Package (Q319733) (Q319733_W2K_SP3_X86_EN.exe): www.microsoft.com/Windows2000/downloads/security/q319733.
• Microsoft IIS Lockdown Tool version 2.1 (IISLockd.exe). Go to www.microsoft.com/downloads and search for Lockdown Tool.
• Microsoft Windows XP Professional with sufficient licenses. Be sure that you meet the activation requirements for your classroom situation.
• Microsoft Windows XP Service Pack 1.
• The Cumulative Patch for Windows Media Player (Q320920). Go to www.microsoft.com/technet/security/bulletin/ms02-032.asp. Download the executable for Windows Media Player 6.4 (wm320920_64.exe).
• Microsoft Exchange Server 2000 Standard Edition or Enterprise Edition with sufficient licenses.
• Microsoft Exchange 2000 Service Pack 3.
• Microsoft Exchange Instant Messaging client for Windows 2000 (mmssetup.exe): www.microsoft.com/exchange/downloads/2000/IMclient.asp.
• Microsoft Network Monitor 2.0, Service Pack 1 (available with Systems Management Server 2.0 with Service Pack 2), with sufficient licenses.
• Intrusion SecurityAnalyst. Go to www.intrusion.com/products. Click Other Products, and then click the Downloads link for SecurityAnalyst. Download the evaluation version (SA_SP2.exe). You will have to register.
• Smbrelay.exe: www.phreak.org/archives/exploits/microsoft.
• L0phtCrack 4 (LC4) (LC4Setup.exe): www.atstake.com/research/lc/download.html.
• Internet Security Systems (ISS) RealSecure Desktop Protector version 3.4 evaluation copy (RSDPEvalSetup.exe): www.iss.net/products_services/enterprise_protection/rsdesktop/protector_desktop.php. Click Download Trial. You will have to register.
• Foundstone Tools. Go to www.foundstone.com/knowledge/free_tools.html and individually download SuperScan v3.0 (superscan.exe), UDPFlood v2.0 (udpflood.zip) and DDosPing v2.0 (ddosping.zip). Or, if you would like to have all the tools available in class, you can select Download All Tools (approximately 3.38MB).

Class Setup
The classroom computers will be configured to dual-boot between Windows 2000 Server and Windows XP Professional. In the following procedures you will set up the instructor computer first so that you can copy the Windows 2000 Server and Windows XP Professional source files to the instructor computer’s hard drive and share them. Then, you can install the student computers over the network. On all computers, you will install and configure Windows 2000 Server first, then Windows XP Professional.

INTRODUCTION
Optional: Automated Setup Instructions
To help streamline the classroom setup process, Element K has provided two setup scripts and
special instructions for using the scripts to set up the instructor and student computers. While
these instructions may be used in place of the manual instructions that follow, all the hardware
and software requirements for this course still apply. Our testing has shown that these scripts
may reduce the time required for classroom setup by up to 50 percent, depending on your specific
hardware configuration. For detailed setup instructions using these scripts, refer to . Note:
These scripts will set up only the computers for the classroom; they will not set up the
optional Lesson Labs. Those still must be set up manually, and as always, they are completely
optional and not required for the lesson activities in the classroom.

Instructor Computer—Windows 2000 Server:


See your manufacturer’s reference manual for hardware considerations that apply to your specific hardware
setup.

When installing over the network with MS-DOS boot disks, it is best to use SMARTDRV.EXE and HIMEM.SYS to
greatly reduce setup times. Also, Windows 98 Startup disks can be used to access local CD-ROM drives.

Approximate setup time: 16 hours for a base system, plus time to image other computers. Imaging the systems
is highly recommended, as this will make it easier to set up class or lab activities repeatedly.

1. Start the Windows 2000 Server setup program. (You can either boot the computer with
the Windows 2000 Server installation compact disc inserted into the CD-ROM drive, or
share the installation source files on a network drive and create MS-DOS network boot
disks to install over the network from the shared drive.)
2. Install a new copy of Windows 2000 Server (clean install) using the following parameters:
• Accept the license agreement.
• Create a new 6 GB C drive.
• Install Windows 2000 Server on the C drive. Format the drive to NTFS.
• Select the appropriate regional and language settings for your country.
• Enter the appropriate name and organization for your environment.
• Enter the product key, if necessary.
• Specify the appropriate number of per-server licenses for all classroom computers to
connect to this server. For example, with 10 students, set the number to 10.
• Use a computer name of Server100.
• Set the Administrator password to !Pass1234.
• On the Windows 2000 Components page, select (do not check) Internet Information
Services (IIS) and click Details. Check both File Transfer Protocol (FTP) Server and
NNTP Service and click OK. Then select Networking Services and click Details.
Check Dynamic Host Configuration Protocol (DHCP) and click OK. Click Next.
• Set the date and time settings appropriate for your location.
• On the Network Settings page, select Custom Settings and click Next. Open the
properties of the TCP/IP protocol and configure it with a static IP address of
192.168.y.100, where y is a unique number on your local subnet. For example, if this
is the only classroom in your location, then the instructor’s IP address would be
192.168.1.100. Enter this same IP address as the Preferred DNS Server address. (You
will install and configure DNS later.) Enter a subnet mask of 255.255.255.0.
• Accept the default workgroup name of Workgroup.

Note: The activities in this course require static IP addresses. If you are attached to a corporate
network, consult with your TCP/IP or network administrator to verify that this IP configuration does not
conflict with any other addresses in your location. Internet access is recommended in this class, so
you should also consult with them on an appropriate method of providing access (for example,
Network Address Translation (NAT)). Also, check with them on any additional parameters that may be
needed for Internet access; for example, a default gateway and additional DNS servers. If you do add
additional DNS servers for Internet access for each computer, make sure you always leave the
classroom-configured DNS server IP address as first in the list.

3. When installation is complete, log on as Administrator with a password of !Pass1234.
Then complete the following steps:
a. Select I Will Configure This Server Later and click Next.
b. Uncheck Show This Screen At Startup.
c. Close the Windows 2000 Configure Your Server window.
4. Change your display settings by completing the following steps:
a. Right-click the desktop and choose Properties.
b. On the Settings tab, change the screen area to 800 by 600 pixels. Click OK twice,
and then click Yes.
5. Create a new E drive on the computer by completing the following steps:
a. Right-click My Computer and choose Manage. Click Disk Management.
b. Right-click in the area of unallocated space on Drive 0 and choose Create Partition.
c. Use the Create Partition Wizard to create a new partition with the following
parameters:
• Primary Partition.
• 4000 MB disk space.
• Drive letter E.
• File format: FAT32.
• Volume label: XPVolume.
6. In Computer Management, configure the FTP Publishing service and the Telnet service by
completing the following steps:
a. Expand Services And Applications. Select Services.
b. In the right pane, verify that the FTP Publishing Service is started and that its startup
type is Automatic.
c. Double-click the Telnet service and select Automatic as the startup type. Click Start.
After the service starts, click OK.
d. Close Computer Management.
7. Open Windows Explorer and create a C:\SPlus folder. Share the SPlus folder with the
default share settings. In the C:\SPlus folder, create the following subfolders and add the
specified contents:
• Srv2000: From the Microsoft Windows 2000 server compact disc, copy the I386
folder and its contents.
• W2KSP2: Copy the Microsoft Windows 2000 Service Pack 2 files.

• W2KSP3: Copy the Microsoft Windows 2000 Service Pack 3 files.
• W2KSRP: Copy the Microsoft Windows 2000 Security Rollup Package 1.
• IIS: This will contain the following subdirectories:
• SecRollup: Copy the Microsoft Internet Information Server (IIS) Security Rollup
Package.
• Lockdown: Copy the Microsoft IIS Lockdown Tool.
• IE6: Copy Microsoft Internet Explorer 6 setup files from the IE6 installation
CD-ROM so students can do a full installation without Internet access, or, if you will
be setting up Internet access in the classroom, you can simply copy the small file
ie6setup.exe that you downloaded from Microsoft. There are steps for both types of
installs in the activity.
• WMPPatch: Copy the Cumulative Patch for Windows Media Player.
• XPPro: Copy the \I386 folder and its contents from the Microsoft Windows XP
Professional compact disc.
• XPProSP1: Copy the Microsoft Windows XP Service Pack 1 files.
• MBSA: Copy the Microsoft Baseline Security Analyzer.
• E2K: Copy the Microsoft Exchange 2000 Standard or Enterprise Edition compact
disc.
• E2KSP: Copy the Microsoft Exchange 2000 Service Pack 3 files.
• E2KIM: Copy the Microsoft Exchange Instant Messaging Client.
• SMS: Copy the SMSSetup folder and the NMext folder from the Microsoft Systems
Management Server 2.0 with Service Pack 2 installation compact disc.
• SecurityAnalyst: Extract the Intrusion SecurityAnalyst setup files from the zipped
source file. Place the extracted files directly in the \SPlus\SecurityAnalyst folder, not
a subfolder.
• SMBRelay: Copy smbrelay.exe.
• LC4: Copy L0phtCrack4.
• RealSecureDP: Copy RSDPEvalSetup.exe.
• Tools: Copy the Foundstone Tools. If you used the option to download all the tools,
extract foundstone_tools.zip to \Tools. Otherwise, use the following subdirectories:
1. SuperScan: Copy SuperScan v2.0.
2. UDPFlood: Extract the UDPFlood v2.0 files from the zipped source file.
3. DDosPing: Extract the DDosPing v2.0 files from the zipped source file.
• CourseCD: Copy the PowerPoint slides for the course and the PowerPoint viewer
application from the course compact disc that shipped with this book. (If you prefer,
you can run the slides directly from the CD’s Autorun interface.)
• Student: Extract the data files from the course compact disc that shipped with this
book to the \Student directory. Remove the Read-only attribute from the data files
after extracting them.
8. Create a domain controller by completing the following steps:
a. Choose Start→Run.
b. In the Open text box, type dcpromo to start the Active Directory Installation Wizard,
and click Next.

c. Use the Active Directory Installation Wizard to promote the server to domain
controller using the following parameters:
• Domain Controller For A New Domain.
• Create A New Domain Tree.
• Create A New Forest Of Domain Trees.
• Full DNS Name: domain100.internal.
• Domain NetBIOS name: accept the default of DOMAIN100.
• Accept the default locations for the Active Directory database and log.
• Accept the default location for the SYSVOL folder.
• Click OK in the DNS message box.
• Verify that Yes, Install And Configure DNS On This Computer is selected.
• Select Permissions Compatible Only With Windows 2000 Servers.
• Directory Services Restore Mode Administrator Password: password.
d. On the Summary screen, click Next.
e. After the Active Directory Installation Wizard completes, click Finish.
f. Click Restart Now when prompted.
g. Log on as Administrator with a password of !Pass1234.
9. Change your DNS zone type from Active Directory-integrated to Standard Primary by
completing the following steps:
a. From the Start menu, choose Programs→Administrative Tools→DNS.
b. Expand your DNS server and expand Forward Lookup Zones. Select and right-click
the Domain100.internal zone object and choose Properties.
c. Change the Type to Standard Primary. Click OK twice.
d. Change Allow Dynamic Updates to Yes. Click OK.
e. Close DNS.
10. Create a DHCP scope by completing the following steps:
a. From the Start menu, choose Programs→Administrative Tools→DHCP.
b. Right-click the DHCP server object (server100), and choose New Scope.
c. Use the New Scope Wizard to create a DHCP scope using the following parameters:
• Scope Name: Local100
• Address Range: 192.168.y.101–192.168.y.101/24, where y is your unique number for the
classroom (a range of just one address).
• Do not add exclusions.
• Accept the default lease duration.
• Do not configure DHCP scope options.
• Do not activate the scope.
• Close DHCP.
11. Install the Microsoft Loopback Adapter by completing the following steps:
a. In Control Panel, run Add/Remove Hardware. Click Next.
b. Verify that Add/Troubleshoot A Device is selected and click Next.
c. In the Devices list, select Add A New Device and click Next.

d. Select No, I Want To Select The Hardware From A List and click Next.
e. In the Hardware Types list, select Network Adapters. Click Next.
f. In the Manufacturers list, select Microsoft. The Loopback Adapter is the only adapter
listed. Click Next twice, and then click Finish.
g. In Control Panel, open Network And Dial-Up Connections.
h. Right-click Local Area Connection 2 (the loopback adapter) and choose Rename.
i. Type Loopback Adapter and press Enter.
j. Close Network and Dial-Up Connections.
12. Configure and enable RRAS by completing the following steps:
a. From the Start menu, choose Programs→Administrative Tools→Routing And Remote
Access.
b. Right-click the server object (Server100) and choose Configure And Enable Routing
And Remote Access using the following settings:
• Select Virtual Private Network (VPN) Server.
• Accept the default protocols (TCP/IP).
• Select the Loopback Adapter as the Internet connection.
• Assign IP addresses automatically.
• Don’t use RADIUS.
• Click OK to close the DHCP Relay Agent message box.
c. Expand the RRAS server object, expand IP Routing, and open the properties of the
DHCP Relay Agent. Configure the agent with the server’s IP address.
d. Right-click DHCP Relay Agent and choose New Interface. Select the Loopback
Adapter. Accept the default relay agent properties.
e. Collapse all the expanded nodes of the tree and close Routing And Remote Access.
13. Allow authenticated users to log on to the domain controller by completing the following
steps:
a. From the Start menu, choose Programs→Administrative Tools→Domain Controller
Security Policy.
b. Expand Security Settings, Local Policies.
c. Select User Rights Assignment.
d. In the details pane, double-click Log On Locally.
e. In the Security Policy Setting dialog box, click Add.
f. In the Add User Or Group dialog box, click Browse.
g. In the Select Users Or Groups dialog box, click Authenticated Users.
h. Click Add, and then OK.
i. Click OK twice more. Close Domain Controller Security Policy.
14. Double-click the Connect To The Internet icon. Run the Internet Connection Wizard to
configure Internet Explorer as appropriate for your classroom. If you’re not connected to
the Internet, you can choose I Connect Thru A LAN.
15. Install the Microsoft Windows 2000 Service Pack 2 from the C:\SPlus\W2KSP2 directory.
Accept the license agreement, back up the installation files, and click Install. Restart the
computer when prompted and log back on as Administrator with a password of
!Pass1234.

16. Install Microsoft Exchange 2000 Standard Edition (or optionally Enterprise Edition) by
running C:\SPlus\E2K\Launch.exe. Click Exchange Server Setup and install using the
following parameters:
• Agree to the license agreement.
• Enter the product key, if necessary.
• For the Microsoft Exchange 2000 component, choose the Custom installation action.
• Verify Install is selected for Microsoft Exchange Messaging and Collaboration
Services.
• Verify Install is selected for Microsoft Exchange System Management Tools.
• Choose Install for Microsoft Exchange Instant Messaging Service.
• Create a new Exchange Organization named Organization100.
• Agree to the license agreement.
17. Install Exchange 2000 Service Pack 3 from the C:\SPlus\E2KSP\ folder. (The exact path
to the installation file might vary depending on how you obtained the Service Pack.) Click
Install Service Pack 3. Accept all the update defaults.

When you rename the files, be careful not to create a double extension (Default.htm.htm), which can
happen with the file extensions view turned off.

18. Create the Web sites you’ll use in class by completing the following steps:
a. Copy the Northeast.htm, Boc2.gif, and Swashtop.gif files from the student data files
to C:\Inetpub\wwwroot. Rename Northeast.htm to Default.htm. (This creates the
Nuclear Plant Training Site home page.)
b. Create a C:\Register directory. Copy the Register.htm and Dac10001.gif files from
the student data files to this folder.
c. In the C:\Register directory, rename Register.htm to Default.htm. This creates the
Student Registration Web page.
d. From the Start menu, choose Programs→Administrative Tools→Internet Services
Manager.
e. Expand the Server100 object and select the Default Web Site.
f. Right-click the Default Web site and choose New→Virtual Directory.
g. Use the Virtual Directory Creation Wizard to create a new virtual directory with the
following parameters:
• Alias: Register
• Directory: C:\Register
• Access Permissions: Use the defaults.
h. Close Internet Services Manager.
i. Open Internet Explorer and connect to http://Server100 to verify that you can see the
default Web site (the Nuclear Plant Training Site).
j. Connect to http://Server100/Register to verify that you can see the Registration Web
Page. Close Internet Explorer.
19. Open the PowerPoint slides from C:\SPlus\CourseCD to verify that they display properly.

Instructor Computer—Windows XP Professional:
1. Run Windows XP Professional Setup: reboot the computer from the Microsoft Windows
XP Professional installation compact disc, or, from within Windows 2000 Server, run the
\I386\Winnt32.exe program from the Windows XP Professional installation source files.
2. Install a new copy of Microsoft Windows XP Professional (clean install) using the
following parameters:
• Accept the license agreement.
• Install on the 4 GB E drive. Leave the file system (FAT32) intact.
• Select the appropriate regional and language settings for your country.
• Enter the appropriate name and organization for your environment.
• Enter the product key, if necessary.
• Name the instructor computer Client100.
• Set the Administrator password to !Pass1234.
• Set the date and time settings appropriate for your location.
• On the Network Settings page, select Custom Settings. Click Next. Open the
properties of the TCP/IP protocol and configure the TCP/IP protocol settings with a static
IP address of 192.168.y.200 where y is your unique number for the classroom. Enter
a subnet mask of 255.255.255.0. Do not enter a classroom DNS server address.
• Accept the default workgroup name.
3. After the computer restarts, use the Welcome To Microsoft Windows Wizard to configure
the computer by completing the following steps:
a. Set up your Internet connection as appropriate for your classroom. If you’re not con-
nected to the Internet, you can skip this Internet step.
b. Do not activate Windows.
c. Create a user account named Admin100. This user should become part of the
Administrators group by default. When you finish the Wizard, the system should log you on
automatically as this user.
4. Create and configure user accounts by completing the following steps:
a. Right-click My Computer and choose Manage.
b. Expand Local Users And Groups, and select the Users folder.
c. Right-click the Admin100 account and choose Set Password. Click Proceed.
d. Enter and confirm a password of password and click OK twice. (This user’s pass-
word will change during the course of the class.)
e. Right-click the Users folder and choose New User.
f. Create a new user named ChrisC.
g. Enter and confirm a password of Certification1 (observe the capitalization). Uncheck
User Must Change Password At Next Logon and click Create. Click Close.
h. Close Computer Management.
5. Configure sharing on the C:\SPlus folder by completing the following steps:
a. Use Windows Explorer or My Computer to open the C drive.
b. Right-click the SPlus folder and choose Sharing And Security.
c. Click the If You Understand The Security Risks But Want To Share Files Without
Running The Wizard Click Here link.

d. Select Just Enable File Sharing and click OK.
e. In the SPlus Properties dialog box, under Network Sharing And Security, check
Share This Folder On The Network.
f. Uncheck Allow Network Users To Change My Files. Click OK. It will take a few
minutes for the permissions to be set on all the subfolders.
g. Close My Computer or Windows Explorer.
6. Install Microsoft Network Monitor 2.0 from the C:\SPlus\SMS\NMext\I386 directory, by
double-clicking the Setup.exe file. When prompted, accept the license agreement and
select all default choices.
7. Configure Windows 2000 Server to be the default choice in the boot loader menu by
completing the following steps:
a. From the Start menu, right-click My Computer and choose Properties.
b. Select the Advanced tab.
c. Under Startup And Recovery, click Settings.
d. From the Default Operating System drop-down list, select Microsoft Windows 2000
Server /fastdetect.
e. Click OK twice. The first hands-on activity in the course uses the Windows XP Pro-
fessional installation.

Student Computers—Windows 2000 Server:


Now that the instructor computer has been set up and the shares have been created on the
instructor’s computer (\\Server100 or \\Client100), you can install all the student computers
simultaneously using the following procedure.

If possible, set up a few additional computers as spares if you have the available resources.

1. Start the Windows 2000 Server setup program. (You can either boot the computer with
the Windows 2000 Server installation compact disc inserted into the CD-ROM drive, or
create MS-DOS network boot disks to install over the network. These bootable disks
should connect to the \\Client100\SPlus\Srv2000 share, which contains the Windows 2000
Server installation compact disc source files, and then run the command winnt.)

When installing over the network with MS-DOS boot disks, it is recommended to use SMARTDRV.EXE and
HIMEM.SYS to greatly reduce setup times. Also, Windows 98 Startup disks can be used to access local
CD-ROM drives.

2. Install a new copy of Windows 2000 Server (clean install) using the following parameters:
• Accept the license agreement.
• Create a new 6 GB C drive.
• Install Windows 2000 Server on the C drive. Format the drive to NTFS.
• Select the appropriate regional and language settings for your country.
• Enter the appropriate name and organization for your environment.
• Enter the product key, if necessary.
• Specify the appropriate number of per-server licenses for all classroom computers to
connect to this server. For example, with 10 students, set the number to 10.

• Name each student computer Server#, where # is a unique integer you assign to each
student.
• Set the Administrator password to !Pass1234.
• On the Windows 2000 Components page, select (do not check) Internet Information
Services (IIS) and click Details. Check both File Transfer Protocol (FTP) Server and
NNTP Service and click OK. Then select Networking Services and click Details.
Check Dynamic Host Configuration Protocol (DHCP) and click OK. Click Next.
• Set the date and time settings appropriate for your location.
• On the Network Settings page, select Custom Settings and click Next. Open the
properties of the TCP/IP protocol and configure the TCP/IP protocol settings with a
static IP address of 192.168.y.#, where y is your unique number for the classroom
and # is the unique integer you assigned to each student. For example, if this is the
only classroom in your location, and this is the third student computer you are
installing, then the student computer name would be Server3 and the IP address
would be 192.168.1.3. Enter a subnet mask of 255.255.255.0. Enter this same IP
address as the Preferred DNS Server address. (You will install and configure DNS in
a later step.)
• Accept the default workgroup name of Workgroup.
3. When installation is complete, log on as Administrator with a password of !Pass1234.
Then complete the following steps:
a. Select I Will Configure This Server Later and click Next.
b. Uncheck Show This Screen At Startup.
c. Close the Windows 2000 Configure Your Server window.
4. Change your display settings by completing the following steps:
a. Right-click the desktop and choose Properties.
b. On the Settings tab, change the screen area to 800 by 600 pixels. Click OK twice,
and then click Yes.
5. Create a new E drive on the computer by completing the following steps:
a. Right-click My Computer and choose Manage. Click Disk Management.
b. Right-click in the area of unallocated space on Drive 0 and choose Create Partition.
c. Use the Create Partition Wizard to create a new partition with the following
parameters:
• Primary Partition.
• 4000 MB disk space.
• Drive letter E.
• File format: FAT32.
• Volume label: XPVolume.
6. In Computer Management, configure the FTP Publishing service and the Telnet service by
completing the following steps:
a. Expand Services And Applications. Select Services.
b. In the right pane, verify that the FTP Publishing Service is started and that its startup
type is Automatic.
c. Double-click the Telnet service and select Automatic as the startup type. Click Start.
After the service starts, click OK.

d. Close Computer Management.
7. Create a domain controller by completing the following steps:
a. Choose Start→Run.
b. In the Open text box, type dcpromo to start the Active Directory Installation Wizard,
and click Next.
c. Use the Active Directory Installation Wizard to promote the server to domain
controller using the following parameters:
• Domain Controller For A New Domain.
• Create A New Domain Tree.
• Create A New Forest Of Domain Trees.
• Full DNS Name: domain#.internal, where # is the unique number assigned to
this student/computer.
• Domain NetBIOS name: accept the default of DOMAIN#.
• Accept the default locations for the Active Directory database and log.
• Accept the default location for the SYSVOL folder.
• Click OK in the DNS message box.
• Verify that Yes, Install And Configure DNS On This Computer is selected.
• Select Permissions Compatible Only With Windows 2000 Servers.
• Directory Services Restore Mode Administrator Password: password.
d. On the Summary screen, click Next.
e. After the Active Directory Installation Wizard completes, click Finish.
f. Click Restart Now when prompted.
g. Log on as Administrator with a password of !Pass1234.
8. Change your DNS zone type from Active Directory-integrated to Standard Primary by
completing the following steps:
a. From the Start menu, choose Programs→Administrative Tools→DNS.
b. Expand your DNS server and expand Forward Lookup Zones. Select and right-click
the Domain#.internal zone object and choose Properties.
c. Change the Type to Standard Primary. Click OK twice.
d. Change Allow Dynamic Updates to Yes. Click OK.
e. Close DNS.
9. Create a DHCP scope by completing the following steps:
a. From the Start menu, choose Programs→Administrative Tools→DHCP.
b. Right-click the DHCP server object (server#), and choose New Scope.
c. Use the New Scope Wizard to create a DHCP scope using the following parameters:
• Scope Name: Local#, where # is the student/computer’s unique number.
• Address Range: 192.168.y.50+#/24, where y is your unique number for the
classroom and # is a unique integer you assigned to each student. For example,
for Server6 in classroom 1, create a range of 192.168.1.56 – 192.168.1.56 (a
range of just one address).
• Do not add exclusions.
• Accept the default lease duration.

• Do not configure DHCP scope options.
• Do not activate the scope.
• Close DHCP.
10. Install the Microsoft Loopback Adapter by completing the following steps:
a. In Control Panel, run Add/Remove Hardware. Click Next.
b. Verify that Add/Troubleshoot A Device is selected and click Next.
c. In the Devices list, select Add A New Device and click Next.
d. Select No, I Want To Select The Hardware From A List and click Next.
e. In the Hardware Types list, select Network Adapters. Click Next.
f. In the Manufacturers list, select Microsoft. The Loopback Adapter is the only adapter
listed. Click Next twice, and then click Finish.
g. In Control Panel, open Network And Dial-Up Connections.
h. Right-click Local Area Connection 2 (the loopback adapter) and choose Rename.
i. Type Loopback Adapter and press Enter.
j. Close Network and Dial-Up Connections.
11. Configure and enable RRAS by completing the following steps:
a. From the Start menu, choose Programs→Administrative Tools→Routing And Remote
Access.
b. Right-click the server object (Server#) and choose Configure And Enable Routing
And Remote Access using the following settings:
• Select Virtual Private Network (VPN) Server.
• Accept the default protocols (TCP/IP).
• Select the Loopback Adapter as the Internet connection.
• Assign IP addresses automatically.
• Don’t use RADIUS.
• Click OK to close the DHCP Relay Agent message box.
c. Expand the RRAS server object, expand IP Routing, and open the properties of the
DHCP Relay Agent. Configure the agent with the server’s IP address.
d. Right-click DHCP Relay Agent and choose New Interface. Select the Loopback
Adapter. Accept the default relay agent properties.
e. Collapse all the expanded nodes of the tree and close Routing And Remote Access.
12. Allow authenticated users to log on to the domain controller by completing the following
steps:
a. From the Start menu, choose Programs→Administrative Tools→Domain Controller
Security Policy.
b. Expand Security Settings, Local Policies.
c. Select User Rights Assignment.
d. In the details pane, double-click Log On Locally.
e. In the Security Policy Setting dialog box, click Add.
f. In the Add User Or Group dialog box, click Browse.
g. In the Select Users Or Groups dialog box, click Authenticated Users.
h. Click Add, and then OK.

i. Click OK twice more. Close Domain Controller Security Policy.
13. Double-click the Connect To The Internet icon. Run the Internet Connection Wizard to
configure Internet Explorer as appropriate for your classroom. If you’re not connected to
the Internet, you can choose I Connect Thru A LAN.
14. Install the Microsoft Windows 2000 Service Pack 2 from the \\Client100\SPlus\W2KSP2
directory. Accept the license agreement, back up the installation files, and click Install.
Restart the computer when prompted and log back on as Administrator with a password
of !Pass1234.
15. Install Microsoft Exchange 2000 Standard Edition (or optionally Enterprise Edition) by
running \\Client100\SPlus\E2K\Launch.exe. Click Exchange Server Setup and install using
the following parameters:
• Agree to the license agreement.
• Enter the product key, if necessary.
• For the Microsoft Exchange 2000 component, choose the Custom installation action.
• Verify Install is selected for Microsoft Exchange Messaging and Collaboration
Services.
• Verify Install is selected for Microsoft Exchange System Management Tools.
• Choose Install for Microsoft Exchange Instant Messaging Service.
• Create a new Exchange Organization named Organization#.
• Agree to the license agreement.
16. Install Exchange 2000 Service Pack 3 from the \\Client100\SPlus\E2KSP\ folder. (The
exact path to the installation file might vary depending on how you obtained the Service
Pack.) Click Install Service Pack 3. Accept all the update defaults.

When you rename the files, be careful not to create a double extension (Default.htm.htm), which can
happen with the file extensions view turned off.

17. Create the Web sites you’ll be using in class by completing the following steps:
a. Copy the Northeast.htm, Boc2.gif, and Swashtop.gif files from the student data files
to C:\Inetpub\wwwroot. Rename Northeast.htm to Default.htm. (This creates the
Nuclear Plant Training Site home page.)
b. Create a C:\Register directory. Copy the Register.htm and Dac10001.gif files from
the student data files to this folder.
c. In the C:\Register directory, rename Register.htm to Default.htm. This creates the
Student Registration Web page.
d. From the Start menu, choose Programs→Administrative Tools→Internet Services
Manager.
e. Expand the Server# object and select the Default Web Site.
f. Right-click the Default Web Site and choose New→Virtual Directory.
g. Use the Virtual Directory Creation Wizard to create a new virtual directory with the
following parameters:
• Alias: Register
• Directory: C:\Register
• Access Permissions: Use the defaults.
h. Close Internet Services Manager.

i. Open Internet Explorer and connect to http://Server# to verify that you can see the
default Web site (the Nuclear Plant Training Site).
j. Connect to http://Server#/Register to verify that you can see the Registration Web
Page. Close Internet Explorer.
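Before anyone types addresses into the TCP/IP properties dialogs, it is worth generating the whole classroom plan and checking it for collisions. The following Python script is an added example, not part of the Element K setup instructions: it applies the addressing rules from the procedures above (Server100 = .100, Local100 scope = .101, Client100 = .200, Server# = .#, Local# scope = .50+#) plus the Client# = .200+# rule from the student Windows XP procedure that follows; the function names and role descriptions are this example's own.

```python
"""Classroom IP address plan for the Security+ setup (added example).

Rules taken from the setup procedures:
  instructor:  Server100 = 192.168.y.100, Local100 DHCP scope = .101, Client100 = .200
  student #:   Server#   = 192.168.y.#,   Local# DHCP scope  = .50+#, Client# = .200+#
The function and role names are this example's own, not the manual's.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Host:
    """One planned address; name matches the computer or scope name in the procedures."""
    name: str
    ip: ipaddress.IPv4Address
    role: str


def classroom_plan(y: int, student_numbers: Iterable[int]) -> Tuple[ipaddress.IPv4Network, List[Host]]:
    """Apply the manual's addressing rules for classroom y (subnet 192.168.y.0/24)."""
    net = ipaddress.ip_network(f"192.168.{y}.0/24")  # ValueError if y is outside 0..255
    base = int(net.network_address)

    def addr(offset: int) -> ipaddress.IPv4Address:
        # No clamping on purpose: an offset past .255 spills into the next /24,
        # and check_plan() then reports it as outside the classroom subnet.
        return ipaddress.IPv4Address(base + offset)

    hosts = [
        Host("Server100", addr(100), "instructor Windows 2000 Server / domain controller"),
        Host("Local100 scope", addr(101), "instructor DHCP scope (single address)"),
        Host("Client100", addr(200), "instructor Windows XP Professional"),
    ]
    for n in student_numbers:
        hosts.append(Host(f"Server{n}", addr(n), "student Windows 2000 Server / domain controller"))
        hosts.append(Host(f"Local{n} scope", addr(50 + n), "student DHCP scope (single address)"))
        hosts.append(Host(f"Client{n}", addr(200 + n), "student Windows XP Professional"))
    return net, hosts


def check_plan(net: ipaddress.IPv4Network, hosts: List[Host]) -> List[str]:
    """Return a list of problems: addresses outside the usable range, or used twice."""
    problems: List[str] = []
    seen: Dict[ipaddress.IPv4Address, str] = {}
    for h in hosts:
        unusable = h.ip not in net or h.ip in (net.network_address, net.broadcast_address)
        if unusable:
            problems.append(f"{h.name}: {h.ip} is not a usable host address in {net}")
        elif h.ip in seen:
            problems.append(f"{h.name} and {seen[h.ip]} both use {h.ip}")
        else:
            seen[h.ip] = h.name
    return problems


def address_of(hosts: List[Host], name: str) -> str:
    """Look up a planned address by the computer or scope name used in the procedures."""
    return str(next(h.ip for h in hosts if h.name == name))


def largest_collision_free_class(y: int, limit: int = 100) -> int:
    """Largest N such that students numbered 1..N all fit without a collision."""
    best = 0
    for n in range(1, limit + 1):
        net, hosts = classroom_plan(y, range(1, n + 1))
        if check_plan(net, hosts):
            break
        best = n
    return best


if __name__ == "__main__":
    net, hosts = classroom_plan(1, range(1, 11))   # classroom 1, ten students
    for h in hosts:
        print(f"{h.name:16} {str(h.ip):16} {h.role}")
    print("problems:", check_plan(net, hosts) or "none")
    print("largest collision-free class:", largest_collision_free_class(1))
```

Running the check shows the scheme stops working at 50 students: the Local50 scope would be 192.168.y.100, which is already the instructor's Server100.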

Student Computers—Windows XP Professional:


1. Run Windows XP Professional setup: Reboot the computer from the Microsoft Windows
XP Professional installation compact disc, or create MS-DOS network boot disks to install
over the network. These bootable disks should connect to the \\Client100\SPlus\XPPro
share, which contains the Microsoft Windows XP Professional installation compact disc
source files, and then run the command winnt.

When installing over the network with MS-DOS boot disks, it is recommended to use SMARTDRV.EXE and
HIMEM.SYS to greatly reduce setup times. Also, Windows 98 Startup disks can be used to access local
CD-ROM drives.

2. Install a new copy of Microsoft Windows XP Professional (clean install) using the follow-
ing parameters:
• Accept the license agreement.
• Enter the product key, if necessary.
• Install on the 4 GB partition, drive E. Leave the file system (FAT32) intact.
• Select the appropriate regional and language settings for your country.
• Enter the appropriate name and organization for your environment.
• For each student computer: name the computer Client#, where # is a unique integer
you assigned to each student.
• Set the Administrator password to !Pass1234.
• Set the date and time settings appropriate for your location.
• On the Network Settings page, select Custom Settings. Click Next. Open the proper-
ties of the TCP/IP protocol and configure the TCP/IP protocol settings with a static
IP address of 192.168.y.200+#, where y is your unique number for the classroom and
where # is a unique integer you assigned to each student. For example, in classroom
1, the address for Client6 would be 192.168.1.206. Enter a subnet mask of 255.255.
255.0. Do not enter a classroom DNS server address.
• Accept the default workgroup name of Workgroup.
3. After the computer restarts, use the Welcome To Microsoft Windows Wizard to configure
the computer as follows:
• Set up your Internet connection as appropriate for your classroom. If you’re not con-
nected to the Internet, you can skip the Internet connection.
• Do not activate Windows.
• Create a user account named Admin#. This user should become part of the Adminis-
trators group by default. When you finish the Wizard, the system should log you on
automatically as this user.
4. Create and configure user accounts by completing the following steps:
a. Right-click My Computer and choose Manage.
b. Expand Local Users And Groups, and select the Users folder.
c. Right-click the Admin# account and choose Set Password. Click Proceed.

d. Enter and confirm a password of password and click OK twice. (This user’s pass-
word will change during the course of the class.)
e. Right-click the Users folder and choose New User.
f. Create a new user named ChrisC.
g. Enter and confirm a password of Certification1 (observe the capitalization). Uncheck
User Must Change Password At Next Logon and click Create.
h. Create another user with Admin100 as the user name. Enter and confirm a password
of !Pass1234. Uncheck User Must Change Password At Next Logon and click
Create. Click Close.
i. Right-click the Admin100 user and choose Properties. Select the Member Of tab.
Click Add. Enter Administrators and click OK twice.
j. Close Computer Management.
5. Install Microsoft Network Monitor 2.0 from the C:\SPlus\SMS\NMext\I386 directory, by
double-clicking the Setup.exe file. When prompted, accept the license agreement and
select all default choices.
6. Configure Windows 2000 Server to be the default choice in the boot loader menu by com-
pleting the following steps:
a. From the Start menu, right-click My Computer and choose Properties.
b. Select the Advanced tab.
c. Under Startup And Recovery, click Settings.
d. From the Default Operating System drop-down list, select Microsoft Windows 2000
Server /fastdetect.
e. Click OK twice. The first hands-on activity in the course uses the Windows XP Pro-
fessional installation.
IMPORTANT: The following instructions are for the optional Lesson Labs at the end
of this book. Lesson Labs are meant to be self-guided practice activities for students
to reinforce what they learned in class and are completely separate from the activities
you’ll present in the classroom. There are eight Lesson Labs in this course (one for
each lesson). Only the labs for Lesson 1 and Lesson 7 can be completed in the class-
room immediately following the lessons because they are question/answer labs and
do not have any hands-on activities. The other six labs use different computer and
network configurations and must be set up independently outside the classroom if
you choose to have students complete them.

Optional: For the Lesson 2, Lab 1 Domain Controller:
Unless otherwise noted, the hardware and software requirements for the lesson-level lab activity computers are
the same as for the course as a whole.

Check with your lab supervisor to see if unique numbers are required in your lab. Your unique number is desig-
nated as #, and the unique lab room number is designated as y (y will generally be 1 if you only have one lab
room).

1. Start the Windows 2000 Server setup program.

When installing over the network with MS-DOS boot disks, it is recommended to use SMARTDRV.EXE and
HIMEM.SYS to greatly reduce setup times. Also, Windows 98 Startup disks can be used to access local
CD-ROM drives.

2. Install a new copy of Windows 2000 Server (clean install) using the following parameters:
• Accept the license agreement.
• Create a new 6 GB C drive.
• Install Windows 2000 Server on drive C. Format the drive to NTFS.
• Select the appropriate regional and language settings for your country.
• Enter the appropriate name and organization for your environment.
• Enter the product key, if necessary.
• Specify the appropriate number of per-server licenses for all lab computers to con-
nect to this server. For example, with 10 students in the lab, set the number to 10.
• Name the computer NUC01.
• Set the Administrator password to !Pass1234.
• Accept all the default Windows components.
• Set the date and time settings appropriate for your location.
• On the Network Settings page, select Custom Settings and click Next. Open the
properties of the TCP/IP protocol and configure the TCP/IP protocol settings with a
static IP address of 192.168.y.#, where y is your unique number for the lab and # is
the unique integer assigned to you. For example, in lab 1, with a unique number of 3,
the IP address would be 192.168.1.3.
Enter a subnet mask of 255.255.255.0. Enter this same IP address as the Preferred
DNS Server address. (You will install and configure DNS in a later step.)
• Accept the default workgroup name of Workgroup.
• When installation is complete, log on as Administrator with a password of !Pass1234.

The activities in this course require static IP addresses. Internet access is recommended in this
class, so consult with your TCP/IP or network administrator or lab supervisor to verify that this IP
configuration does not conflict with any other addresses in your location. Also, check with them on
any additional parameters that may be needed for Internet access; for example, a default gateway and
DNS servers.

3. Select I Will Configure This Server Later and click Next.


4. Uncheck Show This Screen At Startup.
5. Close the Windows 2000 Configure Your Server window.
6. Right-click the desktop and choose Properties.
7. On the Settings tab, change the screen area to 800x600 pixels.
8. Right-click My Computer and choose Properties.
9. Select the Network Identification tab and click Properties.
10. Click More and enter nuclear.internal as the primary DNS suffix. (Make sure this name
doesn’t conflict with another domain name on the network.)
11. Click OK to close any open dialog boxes and click Yes to restart the computer when
prompted.
12. Log on as Administrator with a password of !Pass1234.
13. Choose Start→Run.

14. In the Open text box, type dcpromo to start the Active Directory Installation Wizard, and
click Next.
15. Use the Active Directory Installation Wizard to promote the server to domain controller
using the following parameters:
• Select Domain Controller For A New Domain.
• Select Create A New Domain Tree.
• Select Create A New Forest Of Domain Trees.
• Full DNS Name: nuclear.internal.
• Domain NetBIOS name: accept the default of NUCLEAR.
• Accept the default locations for the Active Directory database and log.
• Accept the default location for the SYSVOL folder.
• Click OK in the DNS message box.
• Select Yes, Install And Configure DNS On This Computer.
• Select Permissions Compatible Only With Windows 2000 Servers.
• Directory Services Restore Mode Password: password.
16. On the Summary screen, click Next.
17. After the Active Directory Installation Wizard completes, click Finish. Click Restart Now
when prompted.
18. Log on as Administrator with a password of !Pass1234.
19. Choose Start→Programs→Administrative Tools→DNS.
20. Expand the DNS server object and Forward Lookup Zones. Right-click the new zone and
choose Properties.
21. Change the Type to Standard Primary. Click Yes to accept.
22. In the Allow Dynamic Update drop-down list, select Yes. Click OK.

Selecting Yes accepts unauthenticated dynamic updates from any host that can reach the server, which is
acceptable only on an isolated lab network. The Only Secure Updates option is offered only while the zone is
Active Directory-integrated; once the zone has been converted to Standard Primary, the choices are Yes or No.
23. Close DNS.
24. Open Windows Explorer and create a C:\SPlus folder.
25. In the C:\SPlus folder, create the following subfolders:
• W2KSP2: Copy the Microsoft Windows 2000 Service Pack 2 files.
• W2KSP3: Copy the Microsoft Windows 2000 Service Pack 3 files.
• W2KSRP: Copy the Microsoft Windows 2000 Security Rollup Package 1.
• IE6: Copy Microsoft Internet Explorer 6 setup files.
• WMPPatch: Copy the Cumulative Patches for Windows Media Player (wm320920_
64.exe).
• MBSA: Copy the Microsoft Baseline Security Analyzer.
26. Double-click the Internet Explorer icon.
27. Use the Internet Connection Wizard to configure Internet Explorer as appropriate for your
network setup.

Optional: For the Lesson 3, Lab 1 Server:
Check with your lab supervisor to see if unique numbers are required in your lab. Your unique number is desig-
nated as #, and the unique lab room number is designated as y (y will generally be 1 if you only have one lab
room).

1. Start the Windows 2000 Server setup program.

When installing over the network with MS-DOS boot disks, it is recommended to use SMARTDRV.EXE and
HIMEM.SYS to greatly reduce setup times. Also, Windows 98 Startup disks can be used to access local
CD-ROM drives.

2. Install a new copy of Windows 2000 Server (clean install) using the following parameters:
• Accept the license agreement.
• Create a new 6 GB C drive.
• Install Windows 2000 Server on drive C. Format the drive to NTFS.
• Select the appropriate regional and language settings for your country.
• Enter the appropriate name and organization for your environment.
• Enter the product key, if necessary.
• Specify the appropriate number of per-server licenses for all lab computers to con-
nect to this server. For example, with 10 students in the lab, set the number to 10.
• Name the computer Server#, where # is a unique integer assigned to each student in
your lab.
• Set the Administrator password to !Pass1234.
• Accept all the default Windows components.
• Set the date and time settings appropriate for your location.
• On the Network Settings page, select Custom Settings and click Next. Open the
properties of the TCP/IP protocol and configure the TCP/IP protocol settings with a
static IP address of 192.168.y.#, where y is your unique number for the lab and # is
the unique integer assigned to you. For example, in lab 1, the student assigned the number 3
would name the computer Server3 and use the IP address 192.168.1.3.
Enter a subnet mask of 255.255.255.0.
• Accept the default workgroup name of Workgroup.
• When installation is complete, log on as Administrator with a password of !Pass1234.

Note: The activities in this course require static IP addresses. Internet access is recommended in this
class, so consult with your TCP/IP or network administrator or lab supervisor to verify that this IP
configuration does not conflict with any other addresses in your location. Also, check with them on
any additional parameters that may be needed for Internet access; for example, a default gateway and
DNS servers.

3. Select I Will Configure This Server Later and click Next.


4. Uncheck Show This Screen At Startup.
5. Close the Windows 2000 Configure Your Server window.
6. Right-click the desktop and choose Properties.
7. On the Settings tab, change the screen area to 800x600 pixels.
8. Choose Start→Settings→Control Panel, and open Add/Remove Programs.

9. Click Add/Remove Windows Components.
10. On the Windows 2000 Components page, select the words (don’t check the check box)
Internet Information Services and then click Details.
11. Check FTP Server and NNTP Service and then click OK. Click Next.
12. On the Completing The Windows Components wizard page, click Finish.
13. Close Add/Remove Programs and Control Panel.
14. Open Computer Management and expand Services And Applications. Select Services.
15. In the right pane, verify that the FTP Publishing Service is started and that its startup type
is Automatic.
16. Close Computer Management.
17. In the C:\SPlus folder, create the following subfolders:
• IIS\SecRollup: Copy the Microsoft Internet Information Server (IIS) Security Rollup
Package.
• IIS\Lockdown: Copy the Microsoft IIS Lockdown Tool.
18. Double-click the Internet Explorer icon.
19. Use the Internet Connection Wizard to configure Internet Explorer as appropriate for your
lab.
20. Install Microsoft Windows 2000 Service Pack 2. Accept the license agreement. Restart the
computer when prompted, and log back on as Administrator.
21. Install the Microsoft Windows 2000 Security Rollup Package.
22. Install Microsoft Internet Explorer 6.

Optional: For the Lesson 4, Lab 1 Client Computers:


When installing over the network with MS-DOS boot disks, it is recommended to use SMARTDRV.EXE and
HIMEM.SYS to greatly reduce setup times. Also, Windows 98 Startup disks can be used to access local CD-ROM
drives.

Check with your lab supervisor to see if unique numbers are required in your lab. Your unique number is desig-
nated as #, and the unique lab room number is designated as y (y will generally be 1 if you only have one lab
room).

1. You will need two Windows XP computers for this activity. Run Windows XP Profes-
sional setup: Install a new copy of Microsoft Windows XP Professional (clean install)
using the following parameters:
• Accept the license agreement.
• Enter the product key, if necessary.
• Create a new 4 GB C drive and format it using NTFS.
• Select the appropriate regional and language settings for your country.
• Enter the appropriate name and organization for your environment.
• For the computers: name the first computer NUCXP1 and the second NUCXP2.
• Set the Administrator password to !Pass1234.
• Set the date and time settings appropriate for your location.

• On the Network Settings page, select Custom Settings. Click Next. Open the proper-
ties of the TCP/IP protocol and configure the TCP/IP protocol settings with a static
IP address of 192.168.y.200+#, where y is your unique number for the lab and where
# is a unique integer assigned to you. Do not enter a lab DNS server address.
• Accept the default workgroup name of Workgroup.
2. After the computer restarts, use the Welcome To Microsoft Windows Wizard to configure
the computer as follows:
• Set up your Internet connection as appropriate for your lab.
• Do not activate Windows.
• Create a user account named Admin#. This user should become part of the Adminis-
trators group by default. When you finish the Wizard, the system should log you on
automatically as this user.
3. Open Control Panel, User Accounts. Click the Admin# account and click Create A
Password.
4. Enter and confirm a password of password, click Create Password, and then click Yes,
Make Private.
5. Close User Accounts and Control Panel.
6. Install Microsoft Network Monitor 2.0 by double-clicking Setup.exe in the \NMext\I386
directory of the Microsoft Systems Management Server 2.0 installation files (you will need
to obtain Systems Management Server 2.0). When prompted, accept the license agreement
and select all default choices.

Optional: For the Lesson 5, Lab 1 Domain Controllers:
Check with your lab supervisor to see if unique numbers are required in your lab. Your unique number is desig-
nated as #, and the unique lab room number is designated as y (y will generally be 1 if you only have one lab
room).

1. Start the Windows 2000 Server setup program.

When installing over the network with MS-DOS boot disks, it is recommended to use SMARTDRV.EXE and
HIMEM.SYS to greatly reduce setup times. Also, Windows 98 Startup disks can be used to access local
CD-ROM drives.

2. Install a new copy of Windows 2000 Server (clean install) using the following parameters:
• Accept the license agreement.
• Install Windows 2000 Server on a new 6 GB C drive. Format the drive to NTFS.
• Select the appropriate regional and language settings for your country.
• Enter the appropriate name and organization for your environment.
• Enter the product key, if necessary.
• Specify the appropriate number of per-server licenses for all lab computers to con-
nect to this server. For example, with 10 students in the lab, set the number to 10.
• Name the computers BROKERSRV1 and BROKERSRV2.
• Set the Administrator password to !Pass1234.
• Accept all the default Windows components.

• Set the date and time settings appropriate for your location.
• On the Network Settings page, select Custom Settings and click Next. Open the
properties of the TCP/IP protocol and configure the TCP/IP protocol settings with a
static IP address of 192.168.y.#, where y is your unique number for the lab and # is
the unique integer assigned to you. For example, in lab 1, with a unique number of 3,
the IP address would be 192.168.1.3.
Enter a subnet mask of 255.255.255.0. Enter this same IP address as the Preferred
DNS Server address. (You will install and configure DNS in a later step.)
• Accept the default workgroup name of Workgroup.
• When installation is complete, log on as Administrator with a password of !Pass1234.

Note: The activities in this course require static IP addresses. Internet access is recommended in this
class, so consult with your TCP/IP or network administrator or lab supervisor to verify that this IP
configuration does not conflict with any other addresses in your location. Also, check with them on
any additional parameters that may be needed for Internet access; for example, a default gateway and
DNS servers.

3. Select I Will Configure This Server Later and click Next.


4. Uncheck Show This Screen At Startup.
5. Close the Windows 2000 Configure Your Server window.
6. Right-click the desktop and choose Properties.
7. On the Settings tab, change the Screen area to 800x600 pixels.
8. Right-click My Computer and choose Properties.
9. Select the Network Identification tab and click Properties.
10. Click More and enter brokers.internal as the primary DNS suffix. (Make sure this name
doesn’t conflict with another domain name on the network.)
11. Click OK to close any open dialog boxes and click Yes to restart the computer when
prompted.
12. Log on as Administrator with a password of !Pass1234.
13. Choose Start→Run. In the Open text box, type dcpromo to start the Active Directory
Installation Wizard, and click Next. Use the Active Directory Installation Wizard to pro-
mote the server to domain controller using the following parameters:
• For the first computer, select Domain Controller For A New Domain. For the second
computer, select Join An Existing Domain.
• For the first computer, select Create A New Domain Tree.
• For the first computer, select Create A New Forest Of Domain Trees.
• Full DNS Name: brokers.internal.
• Domain NetBIOS name: accept the default of BROKERS.
• Accept the default locations for the Active Directory database and log.
• Accept the default location for the SYSVOL folder.
• Click OK in the DNS message box.
• Select Yes, Install And Configure DNS On This Computer.
• Select Permissions Compatible Only With Windows 2000 Servers.
• Directory Services Restore Mode Password: password.
14. On the Summary screen, click Next.

15. After the Active Directory Installation Wizard completes, click Finish.
16. Click Restart Now when prompted.
17. Log on as Administrator with a password of !Pass1234.
18. Choose Start→Programs→Administrative Tools→DNS.
19. Expand the DNS server object and Forward Lookup Zones. Right-click the brokers.internal
zone and choose Properties.
20. Change the Type to Standard Primary. Click OK to accept.
21. Change Allow Dynamic Update to Yes. Click OK. Close DNS.
22. Double-click the Internet Explorer icon. Use the Internet Connection Wizard to configure
Internet Explorer as appropriate for your lab.
23. Install Microsoft Windows 2000 Service Pack 2. Accept the license agreement. Restart the
computer when prompted and log back on as Administrator.

Optional: For the Lesson 6, Lab 1 Server:


Check with your lab supervisor to see if unique numbers are required in your lab. Your unique number is desig-
nated as #, and the unique lab room number is designated as y (y will generally be 1 if you only have one lab
room).

1. Start the Windows 2000 Server setup program.

When installing over the network with MS-DOS boot disks, it is recommended to use SMARTDRV.EXE and
HIMEM.SYS to greatly reduce setup times. Also, Windows 98 Startup disks can be used to access local
CD-ROM drives.

2. Install a new copy of Windows 2000 Server (clean install) using the following parameters:
• Accept the license agreement.
• Create a new 6 GB C drive.
• Install Windows 2000 Server on drive C. Format the drive to NTFS.
• Select the appropriate regional and language settings for your country.
• Enter the appropriate name and organization for your environment.
• Enter the product key, if necessary.
• Specify the appropriate number of per-server licenses for all lab computers to con-
nect to this server. For example, with 10 students in the lab, set the number to 10.
• Name the computer BankSRV1.
• Set the Administrator password to !Pass1234.
• Accept all the default Windows components.
• Set the date and time settings appropriate for your location.
• On the Network Settings page, select Custom Settings and click Next. Open the
properties of the TCP/IP protocol and configure the TCP/IP protocol settings with a
static IP address of 192.168.y.#, where y is your unique number for the lab and # is
the unique integer assigned to you. For example, in lab 1, with a unique number of 3,
the IP address would be 192.168.1.3.
Enter a subnet mask of 255.255.255.0.
• Accept the default workgroup name of Workgroup.
• When installation is complete, log on as Administrator with a password of !Pass1234.

Note: The activities in this course require static IP addresses. Internet access is recommended in this
class, so consult with your TCP/IP or network administrator or lab supervisor to verify that this IP
configuration does not conflict with any other addresses in your location. Also, check with them on
any additional parameters that may be needed for Internet access; for example, a default gateway and
DNS servers.

3. Select I Will Configure This Server Later and click Next.


4. Uncheck Show This Screen At Startup.
5. Close the Windows 2000 Configure Your Server window.
6. Right-click the desktop and choose Properties.
7. On the Settings tab, change the Screen area to 800x600 pixels.
8. In Control Panel, open Add/Remove Programs.
9. Click Add/Remove Windows Components.
10. Check Certificate Services.
11. Click Yes in the message box, and then click Next.
12. On the Certificate Authority page select Standalone root CA, and then click Next.
13. On the CA Identifying Information page enter the following:
• CA Name: StandaloneRootCA
• Organization: InternationalBank
• Organizational unit: Education
• City: Chicago
• State or Province: Illinois
• Country/Region: US
• E-mail: secadmin@bankers.internal
• CA description: Standalone Root CA for Chicago
• Valid for: 1 Year
When the CA Identifying Information page is complete, click Next.
14. On the Data Storage Location page, click Next.
15. Click OK when prompted to stop IIS. Complete the wizard.
16. Close Add/Remove Programs and Control Panel.
17. Double-click the Internet Explorer icon.
18. Use the Internet Connection Wizard to configure Internet Explorer for Internet access as
appropriate for your lab.
19. Install Microsoft Windows 2000 Service Pack 2. Accept the license agreement. Restart the
computer when prompted and log back on as Administrator.

Optional: For the Lesson 8, Lab 1 Client Computers:


Check with your lab supervisor to see if unique numbers are required in your lab. Your unique number is desig-
nated as #, and the unique lab room number is designated as y (y will generally be 1 if you only have one lab
room).

1. You will need two Windows XP computers for this activity.

When installing over the network with MS-DOS boot disks, it is recommended to use SMARTDRV.EXE and
HIMEM.SYS to greatly reduce setup times. Also, Windows 98 Startup disks can be used to access local
CD-ROM drives.

2. Install a new copy of Microsoft Windows XP Professional (clean install) using the follow-
ing parameters:
• Accept the license agreement.
• Create a new 4 GB C drive. Install on the C drive and format it using NTFS.
• Select the appropriate regional and language settings for your country.
• Enter the appropriate name and organization for your environment.
• Enter the product key, if necessary.
• Name the computers ITSTAFF1 and SCIFACULTY1.
• Set the Administrator password to !Pass1234.
• Set the date and time settings appropriate for your location.
• On the Network Settings page, select Custom Settings. Click Next. Open the proper-
ties of the TCP/IP protocol and configure the TCP/IP protocol settings with a static
IP address of 192.168.y.200+#, where y is your unique number for the lab and where
# is a unique integer assigned to you. For example, in lab 1, with a unique number of 6,
the address would be 192.168.1.206. Enter a subnet mask of 255.255.255.0. Do not enter a
lab DNS server address.
• Accept the default workgroup name of Workgroup.
3. After the computer restarts, use the Welcome To Microsoft Windows Wizard to configure
the computer as follows:
• Skip the Internet configuration (you won’t need an Internet connection for this lab).
• Do not activate Windows.
• Create a user account named Admin#. (Create the same Admin# on both computers.)
This user should become part of the Administrators group by default. When you fin-
ish the wizard, the system should log you on automatically as this user.
4. Open Control Panel, User Accounts. Click the Admin# account and click Create A
Password. Enter and confirm a password of !Pass1234 and click Create Password, and
then click Yes, Make Private.
5. On ITStaff1, create a user account named ITTest and make it a limited account. Then give
it a password of password. Close User Accounts and Control Panel.
6. On the ITStaff1 and SciFaculty1 computers, open My Computer and create a C:\SPlus
folder.
7. On the ITStaff1 computer, create the following subfolders and add the associated tool:
• SuperScan: Copy the SuperScan v2.0 setup file.
• @stakeLC4: LC4setup.exe.
8. On the SciFaculty1 computer, create the following subfolders and add the associated tool:
• RealSecureDP: Internet Security Systems (ISS) RealSecure Desktop Protector evalua-
tion (RSDPEvalSetup.exe).
• BackOfficer: NFR BackOfficer Friendly (both the nfrbofl executable file and the associated
bof folder). You can download bof-1-01.zip from
http://online.securityfocus.com/tools/2222.

9. On SciFaculty1, open My Computer. Choose Tools→Folder Options. On the View tab,
uncheck Use Simple File Sharing.
10. On SciFaculty1, create a folder on the C drive named Physics Exams.

List of Additional Files


Printed with each activity is a list of files students open to complete that activity. Many activi-
ties also require additional files that students do not open, but are needed to support the file(s)
students are working with. These supporting files are included with the student data files on the
course CD-ROM or data disk. Do not delete these files.



LESSON 1
Identifying Security Threats
Lesson Time: 2 hour(s)

Lesson Objectives:
In this lesson, you will identify security threats.
You will:
• Identify social engineering attacks.
• Describe audit attacks.
• Identify hardware attacks.

Lesson 1: Identifying Security Threats 1


Introduction
Computer security is an ongoing process that includes setting up the security systems, harden-
ing them, monitoring them, responding to attacks in progress, and deterring attackers. As a
security professional, you’ll be involved in all phases of that process. But, in order for that
process to be effective, you need to understand the threats you’ll be protecting your systems
against. In this lesson, you’ll learn to identify the various types of security threats that you
might encounter.
You’re at home, eating dinner. Your phone rings. A credible-sounding operator explains that
you have won a free family vacation to Disney World. There is just a small processing fee that
needs to be paid by credit card. Could you read your card number and expiration date, please?
You are probably a savvy enough consumer that you would never give your credit card num-
ber out over the phone to an unsolicited caller. Yet, phone scams like this bilk thousands of
unsuspecting people out of their money every year. How could this be? It is because some
people do not recognize this as an attack against their personal credit. They can’t protect them-
selves against a threat they don’t understand, and in the realm of computing security, neither
can you. That’s why it’s so important to understand the computing security threats you might
encounter before you can protect your systems and network. Beyond the data itself, an attack
carries the financial cost of recovery. In February 2001, economist Frank Bernhard, then at the
University of California – Davis, found that U.S. companies lose 5.7 percent of their annual
revenue to security-related losses (www.newsfactor.com/perl/story/7349.html). If you know how
to recognize those security threats, maybe you can keep this kind of loss from happening at
your company.

TOPIC A
Identify Social Engineering Attacks
When you think about attacks against information systems, you might think most about pro-
tecting the technological components of those systems. But people, the system users, are as
much a part of an information system as the technological components; they have their own
vulnerabilities, and they can be the first part of the system to succumb to certain types of
attacks. In this first topic, you’ll learn to identify social engineering attacks—threats against the
human factors in your technology environment.
For technical people, it can be easy to forget that one of the most important components of
information systems is the people using those systems. Computers and technology don’t exist
in a vacuum; their only benefit comes from the way people use them and interact with them.
Attackers know this, and so they know that the people in the system are as good a target for
attack as any other. If you want to protect your systems and data, you need to be able to rec-
ognize this kind of attack when it happens.

Identify Social Engineering Attacks


Definition:
A social engineering attack is a type of attack where the goal is to obtain sensitive
data, including user names and passwords, from network users through deception and
trickery. While this attack isn’t always aimed directly at computer hardware or network
infrastructure, it can turn out to be just as destructive, because this type of attack is

2 Security+ A CompTIA Certification


LESSON 1
usually a precursor to another type of attack, such as a software attack, or even an
attack against your private branch exchange (PBX) or internal telecommunications
system. Symptoms of a social engineering attack are often invisible or appear as
second-hand stories that somebody got a strange phone call or email asking them to do
one thing or another. Social engineering attacks work because they take advantage of
users who aren’t particularly technically savvy and who are usually willing to help
solve what are presented as problems. On the other hand, these attacks can also take
advantage of technically savvy users, such as those on a help desk, if the attacker pre-
tends to be a user who needs help.

Figure 1-1: Social engineering attacks.

Example:
Some examples of a social engineering attack are listed below. In each example, an
attacker deceives a trusting user into giving up some sensitive information.
• An attacker calls an employee and pretends to be calling from the help desk. The
attacker tells the employee he’s reprogramming the order-entry database and he
needs the employee’s user name and password to make sure it gets entered into
the new system.
• An attacker creates an executable (for example, a file with a .vbs or .exe file
extension) that prompts a network user for his user name and password. He then
emails the executable to the user with the story that he needs the user to double-
click the file and log on to the network again to clear up some logon problems the
organization’s been experiencing that morning.
• An attacker contacts the help desk pretending to be a remote sales representative
who needs assistance setting up his dial-in access. Through a series of phone
calls, the attacker obtains the phone number for remote access and the phone
number for accessing the organization’s PBX and voicemail system.

We’ll cover spam and email hoaxes later in the course.

Lesson 1: Identifying Security Threats 3


LESSON 1
• An attacker sends an executable file disguised as an electronic greeting card
(e-card) or as a patch for the operating system or a specific application. The
unsuspecting user launches the executable, which might disable his operating sys-
tem or corrupt files stored on the hard disk.

Hackers, Crackers, and Attackers


As with any area of knowledge, a sound understanding of computer and network secu-
rity depends on the understanding of important words or phrases. When reading and
learning about computer security, you’ll often see the terms hacker, cracker, and
attacker, and you should be able to distinguish the meaning of these terms. Originally,
a hacker was a user who excelled at computer programming and who enjoyed every-
thing about working with computer systems. As time went by and network and system
intrusions started happening with increasing frequency, those reporting these incidents
started calling those intruders “hackers,” while those in the hacker community pre-
ferred the term cracker, a term that is used to describe someone who breaks into a
network or a single system with malicious intent. You’ll also often see such an intruder
referred to as an attacker, a term which clearly represents the malicious intent of those
who intrude into others’ computer systems.
Additionally, there are two other terms that you should be familiar with (and will be
familiar to fans of old Hollywood Westerns): white hat and black hat. A white hat is a
hacker who exposes security flaws in applications and operating systems so manufac-
turers can fix them before they become widespread problems, often working for an
organization dedicated to helping uncover security vulnerability or working for the
manufacturer itself. As you can probably guess then, a black hat is a hacker who
exposes vulnerabilities for financial gain or for some malicious purpose. White hats
and black hats get their names from characters in old Westerns: the good guys always
wore white hats, while the bad guys wore black hats.

ACTIVITY 1-1
Identifying Social Engineering Attacks
Scenario:
Your IT department wants to know when they are being attacked and what type of attacks are
occurring. As the new security administrator for your organization, you will be responsible for
determining which events are true social engineering attacks and which are false alarms. The
organization is concerned about these false alarms and tightening security too much in
response, and they want to make sure they know the difference between attacks and normal
activity. They do not want customers or users to be halted in their tracks when they are per-
forming normal tasks with no malicious intent. They have asked you to analyze a list of recent
network interactions and classify them as true social engineering attacks or as false alarms.

What You Do How You Do It

1. True or False? A supposed customer calls the help desk stating that she can-
not connect to the e-commerce Web site to check order status. She would also like a
user name and password. The user gives a valid customer company name, but is not
listed as a contact in the customer database. The user doesn’t know the correct com-
pany code or customer ID.

2. True or False? The VP of Sales is in the middle of a presentation to a group of
key customers and accidentally logged off. She urgently needs to continue with the pre-
sentation, but forgot her password. You recognize her voice on the line, but she is
supposed to have her boss make the request according to the company password secu-
rity policy.

3. True or False? A new accountant was hired and is requesting that a copy of
the accounting software be installed on his computer so he can start working
immediately. Last year, someone internal compromised company accounting records,
so distribution of the accounting application is tightly controlled. You have received all
the proper documentation for the request from his supervisor and there is an available
license for the software.

4. True or False? Christine receives a message in her instant messaging software
asking for her account and password. The person sending the message states that the
request comes from the IT department, because they need to do a backup of Chris-
tine’s local hard drive.

5. True or False? Rachel gets an email with an attachment that is named
NewVirusDefinitions.vbs.

6. True or False? A user calls the help desk stating that he is a phone technician
needing the password to configure the PBX and voice mail system.

7. True or False? A security guard lets a vendor team through without a required
escort because they have shirts on from the preferred vendor, and they stated they were
called in to fix an urgent problem. The guard attempted to call the authorization con-
tact in the organization, but the phone was busy for over 10 minutes.

8. True or False? The CEO of the organization needs to get access to data
immediately. You definitely recognize her voice, but a proper request form hasn’t
been filled out to modify the permissions. She states that normally she would fill out
the form and should not be an exception, but she urgently needs the data.

TOPIC B
Classify Software Attacks
In Topic 1A, you learned about attacks against the human component of information systems,
but there are many, many other types of security threats that can be aimed directly against the
technological elements of the system as well. In this lesson, we’ll divide the major types of
computer security attacks into two roughly defined categories. In this topic, you’ll identify the
types of attacks that target your computers and devices and the applications, operating systems,
and protocols that they use.
The network is the lifeblood of today’s business, whether it is your company’s Local Area
Network (LAN) or your e-commerce connection to the Internet. A software attack against the
computers in your network can bring your company to its knees, and part of your job as a
security professional will be to prevent that. But, as you know, you can’t protect against what
you can’t recognize. This topic will help you identify the software attacks that you’ll need to
be on guard against.

Software Attacks
Definition:
A software attack is any attack that targets an application, an operating system, or a
protocol. The goal of a software attack is to disrupt or disable the applications, operat-
ing systems, and protocols running on the computers in your enterprise, or to exploit
them in some way to gain access to a single or multiple systems or a network. A soft-
ware attack might be used by itself or in combination with another type of attack, such
as a social engineering attack, and the different types of software attacks might be used
alone or in combination with each other.

Example: Eavesdropping
Eavesdropping on network communications is an example of a software attack. In this
type of attack, an attacker captures unsecured packets as they travel across a network.
The attacker then examines the packets to retrieve usernames or passwords so he can
later gain access to secured resources. In this example of a software attack, the attacker
targets the protocols used to transport the packets across the network.

Port Scanning Attacks


Definition:
A port scanning attack is a type of software attack where a potential attacker scans the
computers and devices you have connected to the Internet to see which TCP and UDP
ports are listening and which services on the system are active. Depending on which
type of monitoring software you have installed and how it’s configured, you might be
alerted that a foreign host scanned certain ports on your system, or the port scans
might happen without your knowledge. Port scanning attacks are often the first step a
hacker takes to determine where your systems are vulnerable.


Figure 1-2: Port scanning attacks.

Example:
An example of a port scanning attack is when an attacker uses a utility to contact a
computer on the Internet to see which ports are open and which services are using
those open ports. For example, on a Web server, port 80 (and probably others) will be
listening, and the HTTP service will be using that port. The scanner usually also reads
the banner a service sends when a connection is made, which reveals the software and
often its version, and an attacker can use that information to look up known vulner-
abilities in that version and exploit the Web server to gain access to the computer and
the network it’s connected to. There are many utilities available that potential attackers
can use to scan ports on remote networks, including Nmap, SuperScan, and Strobe.
Running the same tools against your own systems from outside your network is the best
way to see exactly what an attacker sees.
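The simplest form of port scan, a TCP connect scan, as an added example written for this
page (it is not code from the manual or from any of the tools named above). Because the
example has to run without an Internet target, it starts its own throwaway listener on
127.0.0.1 with a constructed FTP-style banner, then scans that port and a port known to be
closed; the host, banner, and port numbers are assumptions. Only point a scanner at systems
you are authorized to test.

```python
import socket
import threading

# Added example (not from the manual). A TCP connect scan completes the three-way
# handshake on each port and classifies the result: accepted (open), reset (closed),
# or no answer (filtered, usually a firewall). Tools like Nmap add stealthier probes
# but report the same three states.


def scan_port(host, port, timeout=0.5):
    """Return (state, banner) for one TCP port: 'open', 'closed' or 'filtered'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
    except ConnectionRefusedError:
        sock.close()
        return "closed", b""            # RST came back: nothing is listening
    except OSError:
        sock.close()
        return "filtered", b""          # timeout or unreachable: probably filtered
    try:
        banner = sock.recv(128)         # many services announce themselves on connect
    except OSError:
        banner = b""
    finally:
        sock.close()
    return "open", banner.strip()


def scan_ports(host, ports, timeout=0.5):
    """Scan a list of ports; returns {port: (state, banner)}."""
    return {port: scan_port(host, port, timeout) for port in ports}


def start_fake_service(banner=b"220 ftp.example.test FTP server ready\r\n"):
    """Constructed target for the demo: a listener that greets and hangs up."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0 lets the OS choose a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                  # listener was closed
            conn.sendall(banner)
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def unused_port():
    """Find a port that is currently closed: bind, read the number back, release it."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    """Scan one open and one closed port on localhost.
    Returns (open_port, closed_port, results)."""
    srv = start_fake_service()
    open_port = srv.getsockname()[1]
    closed_port = unused_port()
    results = scan_ports("127.0.0.1", [open_port, closed_port])
    srv.close()
    return open_port, closed_port, results


if __name__ == "__main__":
    _, _, res = demo()
    for port in sorted(res):
        state, banner = res[port]
        print(f"{port}/tcp {state} {banner.decode(errors='replace')}")
```

The banner is the part worth noticing: an attacker who reads "220 ... FTP server ready"
followed by a product name and version has everything needed to search for a matching
exploit, which is why production services should be configured to say as little as
possible when a connection opens.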

Eavesdropping Attacks
Definition:
An eavesdropping attack, also called sniffing, is a type of software attack where an
attacker captures private network communications, using a utility such as Dsniff or
Network Monitor, in order to steal the content of the communication itself or to obtain
user names and passwords for future software attacks, such as a takeover attack. These
attacks can be made against both traditional communications across the network wire
and wireless communications. To eavesdrop on a wired network, the attacker needs a host
on that network (a compromised machine or an insider’s workstation) or physical access
to tap the wire somewhere within the organization; on a switched network, a passive
sniffer sees only broadcasts and the traffic addressed to its own port, which is why
eavesdropping is often combined with the man-in-the-middle techniques described later in
this topic. To eavesdrop on wireless communications, an attacker need only have the
proper software, a receiving device, and a location somewhere in close proximity to the
wireless network. Any protocol that sends credentials in the clear, such as Telnet, FTP,
POP3, or HTTP basic authentication, hands them straight to the sniffer. In most cases,
you’ll never know somebody is eavesdropping on your network, unless perhaps you spot an
unknown computer leasing an IP address from a DHCP server.


Figure 1-3: Eavesdropping attacks.

Example:
An example of an eavesdropping attack is a disgruntled employee who installs packet-
sniffing software on a network host and then analyzes the packets to obtain user names
and passwords he can use to access network resources with administrative privileges.
Similarly, an attacker could sit with a laptop in the parking lot of an organization and
use a wireless device and packet-sniffing software to access data as it passes through a
wireless network.

IP Spoofing Attacks
Definition:
An IP spoofing attack is a type of software attack where an attacker creates IP packets
with a forged source IP address and uses those packets to gain access to a remote
system. IP spoofing attacks take advantage of:
• Applications and services that authenticate based on the source IP address alone.
• Devices that run Sun RPC or the X Window System.
• Services that have been “secured” using TCP Wrappers, which allow or deny connec-
tions by source address.
• Network File System (NFS) and the UNIX r commands (such as rlogin and rsh), which
trust the hosts listed in files such as /etc/hosts.equiv and .rhosts.
Generally, UNIX hosts and services that do not use Kerberos authentication are more
prone to spoofing attacks than NetWare and Windows systems, because trust relation-
ships on UNIX hosts can be configured to use address-based authentication and are
therefore more easily exploited. Because the target’s replies go to the forged address
rather than to the attacker, spoofing a full TCP connection also requires the attacker to
predict the target’s initial sequence numbers; spoofing is far easier against UDP-based
and other stateless services. Spoofing attacks also take advantage of routers that have
not been configured to drop incoming external packets with internal IP addresses as the
source address (ingress filtering). One signal of a potential IP spoofing attack is to find
incoming packets at your border routers with internal IP addresses as the source IP
address.


Figure 1-4: IP spoofing attacks.

Example:
For example, imagine a scenario where an attacker wants to gain access to a UNIX
host with an IP address of 192.168.100.101 and an application that authenticates only
hosts with 192.168.100.x addresses. With an IP address of 10.10.100.252, the attacker
isn’t going to be authenticated by the application. So the attacker creates IP packets
with the forged source IP address of 192.168.100.186 and sends those packets to the
UNIX host. Because the network’s border router hasn’t been configured to reject pack-
ets from outside the network with internal IP addresses, the router forwards the packets
to the UNIX host, where the attacker is authenticated and given access to the system.
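The border router check the definition calls for, ingress and egress filtering of source
addresses, as an added Python example written for this page rather than taken from the
manual or from any router vendor. The site prefix 192.168.100.0/24, the interface names
“outside” and “inside”, and the sample packets are constructed to match the scenario
above; a real deployment would read packet headers or flow logs instead of a hard-coded
list.

```python
import ipaddress

# Added example (not from the manual). The prefixes below are assumptions chosen to
# match the manual's scenario: one internal /24 behind a border router.
INTERNAL_NETS = [ipaddress.ip_network("192.168.100.0/24")]

# Source addresses that should never arrive from the Internet: RFC 1918 private
# space, loopback, link-local, "this network" and multicast.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def classify(packet):
    """Return 'ok' or the reason the packet should be dropped.

    packet: {'iface': 'outside' | 'inside', 'src': str, 'dst': str}
    'outside' is the Internet-facing interface, 'inside' the LAN side."""
    src = ipaddress.ip_address(packet["src"])
    if packet["iface"] == "outside":
        # Ingress filtering: nothing from the Internet may claim to be one of us.
        if _in_any(src, INTERNAL_NETS):
            return "drop: internal source on external interface (ingress spoof)"
        if _in_any(src, BOGON_NETS):
            return "drop: unroutable source address (bogon)"
    elif packet["iface"] == "inside":
        # Egress filtering: nothing leaving the LAN may claim to be someone else,
        # which stops our own infected hosts from being used in spoofed floods.
        if not _in_any(src, INTERNAL_NETS):
            return "drop: non-local source leaving the LAN (egress spoof)"
    return "ok"


def filter_packets(packets):
    """Apply the rule set to a list of packets; returns [(packet, verdict), ...]."""
    return [(p, classify(p)) for p in packets]


def spoof_count(packets):
    """Number of packets the router would drop."""
    return sum(1 for _, verdict in filter_packets(packets) if verdict != "ok")


# Constructed sample traffic: the manual's scenario plus ordinary sessions.
SAMPLE_PACKETS = [
    {"iface": "outside", "src": "203.0.113.9",     "dst": "192.168.100.101"},  # normal inbound
    {"iface": "outside", "src": "192.168.100.186", "dst": "192.168.100.101"},  # the spoof in the example
    {"iface": "outside", "src": "10.10.100.252",   "dst": "192.168.100.101"},  # attacker's real, private address
    {"iface": "inside",  "src": "192.168.100.20",  "dst": "198.51.100.5"},     # normal outbound
    {"iface": "inside",  "src": "198.51.100.77",   "dst": "203.0.113.9"},      # infected host spoofing outbound
]

if __name__ == "__main__":
    for pkt, verdict in filter_packets(SAMPLE_PACKETS):
        print(f"{pkt['iface']:7} {pkt['src']:16} -> {pkt['dst']:16} {verdict}")
```

Note that the attacker’s genuine 10.10.100.252 packet is dropped too: RFC 1918 addresses
never legitimately arrive from the Internet, so the bogon rule catches misconfigured and
hostile traffic alike. This is the filtering recommended in RFC 2827, and the egress rule
matters as much as the ingress one, because it is what keeps your own network from
becoming the source of somebody else’s spoofed attack.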

Hijacking Attacks
Definition:
A hijacking attack is a software attack where the attacker takes control of (hijacks) a
TCP session (after authentication at the beginning of the session) to gain access to data
or network resources using the identity of a legitimate network user. During a hijack-
ing attack, the attacker can either participate in the TCP session and access the packets
as they pass from one host to another, or take control of a TCP session between two
hosts, disconnect one of the hosts, and continue communication with the other host as
if it were one of the original parties to the session. A hijacking attack might manifest
itself in a sudden dropped connection, but most likely you’ll never know a session has
been hijacked.


Figure 1-5: Hijacking attacks.

Example:
For example, suppose an attacker is monitoring communications between client and
server using a tool such as Hunt or Juggernaut. After the client has authenticated to the
server, the attacker can use the tool to insert himself into the communication stream,
disconnect the user at the client, and take control of the user’s session with the server,
while the server is never aware that it’s now communicating with a different host. The
attacker has then taken control of, or hijacked, the session, and can manage the session
in any way he wants, sending commands to the server to do just about anything the
original user could do.

Replay Attacks
Definition:
A replay attack is a software attack where an attacker captures (through eavesdropping
or sniffing) network traffic in the form of packets and stores it for retransmittal at a
later time to gain unauthorized access to a specific host or a network. This attack is
particularly successful when an attacker captures packets that contain user names, pass-
words, or other authentication data. Replay attacks differ from eavesdropping attacks
because, in eavesdropping attacks, the attacker just listens to network communication,
while in a replay attack, the attacker saves the packets for reuse at a later time. In
most cases, replay attacks are never discovered.


Figure 1-6: Replay attacks.

Example:
For example, an attacker uses sniffer software to intercept and store a user’s logon traf-
fic as that user is signing on to a network connected to the Internet. To later gain
access to that network, the attacker can replay those stored packets to masquerade as
that user and have all that user’s privileges in that network.
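Why the replay in the example works, and what stops it, shown side by side as an added
Python example written for this page (it is not code from the manual). The user name, the
secret, and the use of HMAC-SHA256 over a random nonce are assumptions; the point is the
shape of the two protocols: a login that sends the same credential every time can be
replayed, a login that answers a fresh server-issued challenge cannot.

```python
import hashlib
import hmac
import secrets

# Added example (not from the manual). Constructed credential store; the secret
# and user name are assumptions for the demo.
USER_SECRETS = {"alice": b"correct horse battery staple"}


class StaticLoginServer:
    """Vulnerable design: the client sends hash(secret) and the server compares it.
    The same bytes are valid every time, so a captured login can be replayed at will."""

    def login(self, user, password_hash):
        secret = USER_SECRETS.get(user)
        if secret is None:
            return False
        expected = hashlib.sha256(secret).hexdigest()
        return hmac.compare_digest(expected, password_hash)


class ChallengeResponseServer:
    """Replay-resistant design: the server issues a fresh random nonce for every
    login and the client proves it knows the secret by returning HMAC(secret, nonce).
    Each nonce is accepted once, so a recorded exchange is useless afterwards."""

    def __init__(self):
        self.outstanding = set()          # nonces issued but not yet consumed

    def challenge(self):
        nonce = secrets.token_hex(16)     # 128 random bits, never reused
        self.outstanding.add(nonce)
        return nonce

    def login(self, user, nonce, response):
        if nonce not in self.outstanding:  # unknown, expired or already used
            return False
        self.outstanding.discard(nonce)    # consume it even if the response is wrong
        secret = USER_SECRETS.get(user)
        if secret is None:
            return False
        expected = hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def client_response(user, nonce):
    """What a legitimate client sends back for a challenge."""
    return hmac.new(USER_SECRETS[user], nonce.encode(), hashlib.sha256).hexdigest()


def replay_against_static():
    """The attacker sniffs Alice's login once, then sends the same bytes again.
    Returns (first_login_ok, replay_ok)."""
    server = StaticLoginServer()
    captured = hashlib.sha256(USER_SECRETS["alice"]).hexdigest()  # what crossed the wire
    return server.login("alice", captured), server.login("alice", captured)


def replay_against_challenge_response():
    """Same attacker, same sniffing, against the nonce-based protocol."""
    server = ChallengeResponseServer()
    nonce = server.challenge()
    captured = (nonce, client_response("alice", nonce))  # both halves of the exchange
    first = server.login("alice", *captured)
    replay = server.login("alice", *captured)            # identical bytes, sent later
    return first, replay


if __name__ == "__main__":
    print("static login:       first=%s replay=%s" % replay_against_static())
    print("challenge-response: first=%s replay=%s" % replay_against_challenge_response())
```

Two caveats a real implementation needs beyond this sketch: outstanding nonces must expire,
or the set grows without bound, and the nonce only proves freshness of the login, not of
anything sent afterwards. It also does nothing against an attacker who relays the live
exchange instead of recording it, which is the man-in-the-middle attack described next.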

Man-in-the-Middle Attacks
Definition:
A man-in-the-middle attack is a type of software attack where an attacker inserts him-
self between two hosts to gain access to their data transmissions. Typically in a man-
in-the-middle attack, an attacker intercepts data transmitted from a source computer
and responds to the data as if it (the attacker) were the intended destination. The
attacker then forwards the data to the intended destination and then intercepts and
responds to the reply as if it (the attacker) were the original source computer. Man-in-
the-middle attacks are used to gain access to user names, passwords, and network
infrastructure information for future attacks or to gain access to the content of the
packets being transmitted. Man-in-the-middle attacks are similar to eavesdropping
attacks in that both types of attacks monitor network traffic and capture IP packets as
they make their way through the network. Man-in-the-middle attacks differ from eaves-
dropping attacks because instead of just listening to and capturing network traffic, in a
man-in-the-middle attack, the attacker is actually making the sender and receiver

believe they are communicating with each other, when in fact they’re communicating
with the attacker’s computer. This deception allows attackers to manipulate the com-
munication rather than just observe it passively. Like eavesdropping attacks, there will
be no signs that a man-in-the-middle attack is in progress or has just taken place.

Figure 1-7: Man-in-the-middle attacks.

Example:
A typical man-in-the-middle attack might happen like this: An attacker sets up a host
on a network with IP forwarding enabled and a utility like Dsniff installed to capture
and analyze packets. After analyzing network traffic to determine which server would
make an attractive target, the attacker arranges for the client’s traffic to that server
to pass through the attacking host (for example, by answering the client’s address-
resolution requests with the attacker’s own hardware address), and the attack then
proceeds in the following way:
1. The attacker intercepts packets from the client that are destined for the server.
2. The attacker’s computer reads (and, if desired, modifies) the packets and forwards
them to the server, still carrying the client’s source address, so the server
believes it is talking to the client.
3. The server’s replies come back through the attacker’s computer, which reads or
modifies them in turn.
4. The attacker’s computer forwards the replies to the client, which believes it is
talking directly to the server.
In this way, the attacker has access to both sides of a session between a client and
server and in the process can access valuable information, including sensitive data and
user credentials.

Denial of Service/Distributed Denial of Service (DoS/DDoS) Attacks
Definition:
A DoS attack is a type of software attack in which an attacker attempts to disable sys-
tems that provide network services (usually computers or routers connected directly to
the Internet) in one of the following ways:
• Flooding a network link with more data than the available bandwidth can manage.
• Sending data that’s meant to exploit flaws in an application.
• Consuming a system’s resources to the point that it shuts down.


Figure 1-8: DoS Attacks.


A DDoS attack is a software attack in which an attacker hijacks or manipulates mul-
tiple computers (through the use of zombies or drones) on disparate networks to carry
out a DoS attack. The main purpose of a DoS or DDoS attack is to disrupt an organi-
zation’s Internet communications to cause embarrassment or to force the organization
to waste time and money in responding to the attack and bringing their systems back
online.

Figure 1-9: DDoS attacks.


DoS/DDoS attacks manifest themselves in a variety of ways, including:
• Sudden and overwhelming requests from a single or multiple hosts from outside
your network.
• Sudden and unexplained drop in the amount of available Internet bandwidth.
• Sudden and overwhelming drain on a specific resource in a system, such as the
system’s processor, which causes the system to freeze.

Example: Smurf Attack
A Smurf attack is an example of a DoS attack. In a Smurf attack, three parties are
involved: the attacker, the intermediary (amplifier) network, and the victim. The
attacker sends an ICMP echo request (ping) to the broadcast address of the intermedi-
ary network (generally, a network with dozens of hosts that the attacker knows will
respond to broadcast pings). But instead of using his own address as the source, so that
the hosts in the intermediary network would reply to him, the attacker forges the ping’s
source address so that it contains the victim’s IP address. Because the ping was broad-
cast to the entire intermediary network, every host on that network sends its reply to
the victim, so each packet the attacker sends is multiplied by the number of responding
hosts, and the ensuing flood of packets will bring down the victim’s system, most likely
a computer or router on the Internet. Smurf is also described as a distributed attack
because a single attacker uses many systems to carry it out. The defense on the inter-
mediary side is to configure routers not to forward packets addressed to a directed
broadcast address, so that a network can’t be used as an amplifier.

Teardrop, which sends overlapping IP fragments that some TCP/IP stacks could not
reassemble without crashing, is another example of a DoS attack.

Example: SYN Flood
A SYN flood is also an example of a DoS attack. In a SYN flood attack, an attacker
sends countless requests (SYN segments) for a TCP connection to an FTP server, Web
server, or any other target system attached to the Internet. The target server responds
to each request with a SYN-ACK and, in doing so, allocates memory for the half-open
connection while it waits for the remote host to complete the three-way handshake with
a final ACK. However, because the attacker has crafted the SYN segments (usually
through IP spoofing) so that the SYN-ACKs go to addresses that will never reply with
that ACK, the target server accumulates half-open connections that will never be com-
pleted. Eventually, the connection queue fills and the target server stops responding to
legitimate connection requests. On a UNIX or Windows system, a SYN flood in progress
shows up as a large number of connections in the SYN_RECV (or SYN_RECEIVED) state
in the output of netstat.
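What the flood looks like from the victim’s side, as an added Python example written for
this page (not code from the manual): a parser for netstat-style connection lines and a
check that counts half-open connections per listening port and per remote source. The
netstat column layout, the threshold, and the sample output, which is constructed to
contain two real sessions and 150 spoofed SYNs against port 80, are all assumptions.

```python
import re
from collections import Counter

# Added example (not from the manual). Sample data is constructed; the column layout
# follows Linux "netstat -tn", so a different platform needs a different regex.
LINE_RE = re.compile(
    r"^tcp\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+)\s+(?P<state>\S+)")


def parse_netstat(text):
    """Turn netstat output into [{lport, raddr, state}, ...]; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            conns.append({"lport": int(m.group("lport")),
                          "raddr": m.group("raddr"),
                          "state": m.group("state")})
    return conns


def syn_flood_report(conns, threshold=100):
    """Summarise half-open connections; ports at or above threshold are 'flooded'."""
    half_open = [c for c in conns if c["state"] in ("SYN_RECV", "SYN_RECEIVED")]
    per_port = Counter(c["lport"] for c in half_open)
    per_src = Counter(c["raddr"] for c in half_open)
    return {
        "half_open": len(half_open),
        "established": sum(1 for c in conns if c["state"] == "ESTABLISHED"),
        "flooded_ports": {p: n for p, n in per_port.items() if n >= threshold},
        # A spoofed flood shows many sources each seen once; a single chatty client
        # with a broken stack shows one source many times. The difference matters
        # when deciding whether blocking a source address will help at all.
        "distinct_sources": len(per_src),
        "top_sources": per_src.most_common(3),
    }


def build_sample_netstat(n_syn=150):
    """Constructed netstat output: a few real sessions plus a flood of spoofed SYNs to port 80."""
    lines = ["Proto Recv-Q Send-Q Local Address        Foreign Address       State",
             "tcp        0      0 203.0.113.10:22      192.0.2.9:60001       ESTABLISHED",
             "tcp        0      0 203.0.113.10:80      192.0.2.44:51002      ESTABLISHED"]
    for i in range(n_syn):
        src = f"198.51.100.{i % 254 + 1}"            # 150 distinct forged sources
        lines.append(f"tcp        0      0 203.0.113.10:80      {src}:{40000 + i}   SYN_RECV")
    return "\n".join(lines)


if __name__ == "__main__":
    report = syn_flood_report(parse_netstat(build_sample_netstat()))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The report for the constructed data shows port 80 with 150 half-open connections from 150
different addresses and only two established sessions, which is the signature of a spoofed
SYN flood rather than a burst of real demand. Because the sources are forged, filtering
them is pointless; the practical mitigations are shorter handshake timeouts and SYN
cookies on the server, and rate limiting upstream.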

Example: Buffer Overflow Attack
A buffer overflow attack can also be used as a DoS attack. In a buffer overflow
attack, the attacker takes advantage of an application’s or operating system’s fixed-
size data buffer by sending more data than the buffer can hold, which the program
copies without checking the length. When the excess data overwrites whatever follows
the buffer in memory, the application or operating system crashes. Ping of Death, where
an attacker sends an oversized (fragmented) ping request that reassembles to more than
the 65,535-byte maximum size of an IP packet, is an example of a buffer overflow attack.
Keep in mind that a crash is the least an attacker can do with an overflow: if the over-
written memory includes a return address or other control data, the same flaw can often
be used to run the attacker’s own code, as the AOL Instant Messenger example later in
this topic shows.

For more information on DoS and DDoS attacks, see www.microsoft.com/technet/security/bestprac/netdefnd.asp and Microsoft Knowledge Base (KB) article Q142641.

Malicious Code Attacks


Definition:
A malicious code attack is a type of software attack where an attacker inserts mali-
cious code into a user’s system to disrupt or disable the operating system or an
application. A malicious code attack can also make an operating system or an applica-
tion take action to disrupt or disable other systems on the same network or on a
remote network. In many cases there’s an element of social engineering involved,
especially when an attacker makes it appear as if the executable that launches the
malicious code is from a trusted or benign source. Sometimes the code itself exploits a
user’s system to perpetrate a social engineering attack on a remote system. Typically,
you’ll see the results of malicious code in corrupted applications, data files, and system
files, which will result in malfunctioning applications and operating systems.

An attacker can use a worm to install a zombie as a precursor to a DDoS attack.

Figure 1-10: Malicious code attack.

Example: Viruses
A virus is an example of a malicious code attack. A virus is a piece of code that
spreads from one computer to another by attaching itself to other files (executables,
boot sectors, or documents that carry macros) and runs when the infected file is opened
or executed. Its payload often corrupts or erases files on the user’s computer, includ-
ing executable files. A well-known example of a destructive virus is the Melissa virus
of 1999, a Word macro virus that spread throughout the world attached to Microsoft
Word documents sent as email attachments, mailing itself to addresses taken from each
victim’s Outlook address book.

Example: Worms
Another example of malicious code is a worm. A worm is a piece of code that spreads
from one computer to another on its own, not by attaching itself to another file, and
usually without any action by the user. Like a virus, a worm can corrupt or erase files
on your hard drive, but even a worm with no destructive payload can cause a denial of
service through the traffic it generates while scanning for new hosts. An example of a
worm is the Code Red worm of 2001, which spread by exploiting a buffer overflow in
Microsoft’s IIS Web server, scanning for and infecting other IIS servers directly over
the network with no user involvement. (The Nimda worm, which appeared shortly after-
ward, added propagation through email attachments, Web pages, and shared files on
local networks.)

Example: Trojans
A third example of malicious code is a Trojan horse. A Trojan horse is malicious code
that masquerades as a harmless or useful file, such as a game, a screen saver, or an
e-card. When a user executes it, thinking it’s a harmless application, it carries out its
hidden purpose: destroying or corrupting data on the user’s hard drive or, just as often,
quietly installing a backdoor (described later in this topic) that lets the attacker back
in at will. Unlike viruses and worms, a Trojan horse does not replicate itself; it relies
on the user to run it.

Example: Logic Bombs


A fourth example of malicious code is a logic bomb. A logic bomb is a piece of code
that sits dormant on a user’s computer until it’s triggered by a specific event, such as a
specific date. Once the code is triggered, the logic bomb “detonates,” erasing and cor-
rupting data on the user’s computer.

Attacks Against the Default Security
Configuration
Definition:
An attack against the default security configuration is a type of software attack where
an attacker attempts to gain access to or disrupt the operation of a computer by
exploiting the security flaws that exist in the computer’s operating system as it’s
installed out of the box. Because there are many potential avenues of attack against the
default installation of an operating system, there is no single, telltale sign that this type
of attack has taken place.

Figure 1-11: Attacks against default security configuration.

Example:
For example, a default installation of Windows 2000 Server brings with it IIS 5.0 with
Web services enabled, whether or not the server was ever meant to serve Web pages. As
just about any network administrator can tell you, IIS is a frequent target for attack-
ers, and on a server nobody remembers is running it, unpatched and with its sample
scripts and extensions in place, it’s a wide-open door into the operating system and the
computer it’s running on. The defense is to disable or remove every service the machine
doesn’t need and to patch the ones it does, before the machine is exposed to the network.

Software Exploitation Attacks
Definition:
A software exploitation attack is a type of software attack where an attacker attempts
to gain access to a system or to sensitive data by exploiting a flaw or feature in an
application. This type of attack is closely related to attacks against the default installa-
tion of an operating system, but where that type of attack is focused on vulnerabilities
in an operating system, software exploitation attacks focus on vulnerabilities in appli-
cations, such as Outlook or Oracle. Typically, a software exploitation attack will
manifest itself in disabled applications or a malfunctioning system.

Figure 1-12: Software exploitation attacks.

Example: AOL Instant Messenger Buffer Overflow


In early 2002, users of AOL Instant Messenger (AIM) were warned of a security vul-
nerability that attackers could use to gain access to a user’s computer and take control
of it. Apparently, an attacker could send a request to play a game that had been modi-
fied to increase its size. Because of the increased size, AIM code wasn’t able to
correctly parse the request, resulting in a buffer overflow, which gave attackers an open
door into the computer without ever leaving a clue as to their identities. This is a well-
known example of a software exploitation attack.

Example: Mathematical Attacks
Weak keys and mathematical (algebraic) attacks are two more examples of software
exploitation attacks, both of which affect block ciphers, an encryption method that uses
a combination of an encryption algorithm and a cryptographic key to encrypt fixed-size
blocks of data rather than individual bits. A weak key is a key for which a cipher
behaves badly; DES, for example, has a handful of keys for which encrypting a block
twice returns the original plaintext. In a weak keys attack, an attacker exploits the fact
that a system has chosen (or can be made to choose) such a key. In a mathematical
attack, an attacker attempts to decipher encrypted text by exploiting an algebraic struc-
ture in the cipher itself that makes its output predictable, so that the key can be
recovered with far less work than trying every possible key. Both types of attack exploit
weaknesses in the design of the cipher or in the way its keys are chosen, not flaws in the
code that implements it, which is why you should rely on well-studied, standard ciphers
rather than home-grown ones.

Misuse of Privilege Attacks
Definition:
A misuse of privilege attack is a type of software attack in which an attacker misuses
his or her administrative privileges to gain access to sensitive data. This type of attack
generally involves an employee with some level of administrative privileges, whether it
be over a single machine, a group of machines, or some portion of the network. An
employee who misuses his or her privileges can, among other things, steal sensitive
data, delete or modify data, create users or groups to provide access to those outside
the organization, or disrupt network operations by disabling user accounts and network
services or by changing user access to network resources. Misuse of privilege will
often show up in audit logs, which can detail everything the attacker attempted on a
particular system, depending on how well you’ve configured auditing on your systems.

Figure 1-13: Misuse of privilege attacks.

Example:
An example of a misuse of privilege attack is an employee who has found a market
for his company’s sensitive data. Imagine a scenario where a network administrator is
able to give himself access to private personnel files stored in a database in the human
resources department. From private employee files, he’s able to obtain full names,
addresses, Social Security Numbers, and other data, which he can then sell to others
who can use it for crimes involving identity fraud.

Password Attacks
Definition:
A password attack is a type of software attack in which the attacker tries to guess
passwords or to recover them from stored password hashes. In a password guessing
attack, an attacker attempts to guess user passwords, either manually or through the use
of scripts, in order to gain access to a single system, an application, or a network.
Because users tend to use simple passwords that are easy to remember, such as birth-
days and anniversaries, rather than more complex alphanumeric passwords, an attacker
can script an almost unending series of password guesses using the most popular and
common “simple” passwords. In a password cracking attack, an attacker works offline
against a copy of the hashed passwords stored in a directory database or other system
file, such as the Registry or the Security Accounts Manager (SAM) database in Windows
2000 and Windows XP. Because a password hash can’t be reversed, the cracker hashes
candidate passwords and compares the results with the stored hashes; a match reveals the
password, and because the work is done on the attacker’s own machine, no account lock-
out policy slows it down. Like misuse of privilege, depending on how you’ve configured
auditing on your systems, password guessing attacks will show up in audit logs as failed
or successful logon attempts, but offline cracking leaves no trace on the victim beyond
the earlier theft of the hash file.

Figure 1-14: Password attacks.

Example:
The simplest example of a password attack is somebody who doesn’t have access to
your network sitting down at a workstation and typing in guess after guess at a user
name and password. On the other extreme is a brute force attack, where an attacker
employs an application, such as L0phtCrack, to exhaustively try every possible alphanumeric combination to try to crack encrypted passwords, such as those in a Windows
NT or Windows 2000 computer’s local SAM database. In both examples, given
enough time and lax security policies, an attacker will eventually find the necessary
password to gain access to the system. This is especially true of brute force attacks.
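As an added example (not part of the course and not L0phtCrack’s code), the following Python functions audit candidate passwords for the weaknesses named above: popular simple passwords, dates such as birthdays and anniversaries, short length, and a poor alphanumeric mix. The check runs on cleartext passwords, as a password-change filter would; the word list, date shapes and thresholds are assumptions.

```python
"""Strong-password audit against the weaknesses the text names: popular simple
passwords, dates (birthdays, anniversaries), short length and too few character
classes. Added example; COMMON_SIMPLE, the date shapes and the thresholds are
assumptions, not a published policy."""
import re
import string

# Constructed sample of "popular simple" passwords; a real audit loads a larger list.
COMMON_SIMPLE = {"password", "letmein", "welcome", "admin", "qwerty",
                 "123456", "iloveyou", "secret"}

# Shapes people use for dates: MMDDYY, MMDDYYYY and YYYYMMDD, optional separators.
_DATE_SHAPES = (
    re.compile(r"^(0[1-9]|1[0-2])[-/.]?(0[1-9]|[12][0-9]|3[01])[-/.]?"
               r"([0-9]{2}|(19|20)[0-9]{2})$"),
    re.compile(r"^(19|20)[0-9]{2}[-/.]?(0[1-9]|1[0-2])[-/.]?(0[1-9]|[12][0-9]|3[01])$"),
)


def looks_like_date(password):
    """True when the whole password is a plausible calendar date."""
    return any(shape.match(password) for shape in _DATE_SHAPES)


def character_classes(password):
    """Count how many of lower, upper, digit and symbol classes are present."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(any(ch in cls for ch in password) for cls in classes)


def _base_word(password):
    """Strip trailing digits/symbols so 'password1!' is judged as 'password'."""
    return password.lower().rstrip(string.digits + string.punctuation)


def audit_password(password, min_length=8, min_classes=3):
    """Return the list of weaknesses found; an empty list means the password passes."""
    weaknesses = []
    if len(password) < min_length:
        weaknesses.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_SIMPLE or _base_word(password) in COMMON_SIMPLE:
        weaknesses.append("popular simple password")
    if looks_like_date(password):
        weaknesses.append("looks like a date (birthday or anniversary)")
    if character_classes(password) < min_classes:
        weaknesses.append(f"fewer than {min_classes} character classes")
    return weaknesses


def audit_accounts(accounts):
    """accounts: {username: password}. Returns only the accounts with weaknesses."""
    report = {}
    for user, password in accounts.items():
        weaknesses = audit_password(password)
        if weaknesses:
            report[user] = weaknesses
    return report


if __name__ == "__main__":
    # Constructed sample accounts.
    for user, found in audit_accounts({"alex": "Tr0ub4dor&3", "judi": "welcome",
                                       "kim": "07041976"}).items():
        print(user, "->", "; ".join(found))
```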

Backdoor Attacks
Definition:
A backdoor attack is a type of software attack where an attacker creates a mechanism
for gaining access to a computer using a piece of software or by creating a bogus user
account. The mechanism itself is called the backdoor, and if it isn’t found and
removed, it can survive forever, listening on one of the ports and giving an attacker an
easy way to get into the system and execute just about any command. This mechanism
often survives even after the initial intrusion has been discovered and resolved. Typically, a backdoor is delivered through use of a Trojan horse or some other malicious code, and backdoor attacks are often impossible to spot because they generally leave no trace, other than a few innocent-looking files.

Lesson 1: Identifying Security Threats 19



Figure 1-15: Backdoor attacks.

Example:
Back Orifice (BO) is an example of a backdoor that an attacker can insert into a Windows system using a Trojan horse or any executable file. By default, in Windows 2000, Back Orifice installs itself into a system file and hides there listening on TCP port 54320 or UDP port 54321 for commands from the attacker.

Takeover Attacks
Definition:
A takeover attack is a type of software attack where an attacker gains access to a
remote host and takes control of the system. An attacker can use any of the attacks
we’ve identified so far to gain access to the system, including IP spoofing and
backdoors. A takeover attack will manifest itself in loss of control over the particular
system that’s under attack.


Figure 1-16: Takeover attacks.

NetBus and SubSeven are other backdoors that attackers can use to take control of a system.

Example:
An example of a takeover attack is using BO to take complete control over a target
machine. BO is started every time the computer is started and is hidden from view in
Task Manager. Once installed, an attacker can use BO to basically take control of a
remote system, including shutting down the system, copying and deleting files, modifying the Registry, and starting and stopping services. An attacker can also use BO to log
keystrokes and obtain system information, including the name of the logged-on user,
cached passwords, and memory, CPU, and processor data.

Audit Attacks
Definition:
An audit attack is a type of software attack where an attacker covers his trail by deleting audit entries that might point to an intrusion. Operating systems such as NetWare 6.0 and Windows 2000 Server have native auditing capabilities, and when used properly, auditing can give valuable clues to system administrators of attacks that are in
progress or that have happened some time in the past. By clearing audit logs, an
attacker can cover up an intrusion and leave a system or network without any trace,
allowing him later access. The most common signals that an audit attack has taken
place are:
• Empty audit logs when they should contain audit entries.
• Gaps in the audit logs where it appears entries that cover a specific time have
been deleted.
• Audit entries that show the audit logs have been erased.


Figure 1-17: Audit attacks.

Example:
Suppose an attacker has found a way into a Windows 2000 Server and has spent some
time trying to browse files and crack the local SAM database to obtain some
passwords. If auditing had been properly configured on his system, an administrator
who understands how to read the audit logs could probably trace many of the attacker’s activities as he worked his way through the system. However, if the attacker knew
enough to clear the audit logs after he was done, most of the evidence of his intrusion
will be gone, although an experienced and alert administrator might see the audit log
had been cleared and be alerted to a possible intrusion.
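As an added example (not from the course), the following Python script reviews a constructed, simplified security log for the signals described in the Password Attacks and Audit Attacks sections: bursts of failed logons per account, off-hours activity, an empty log, gaps in the log, and entries showing the log was cleared. The log format, event names (LOGON_FAILURE, AUDIT_LOG_CLEARED and so on), business hours and thresholds are assumptions, not any product’s real event IDs.

```python
"""Audit-log review for the signals the text lists: failed-logon bursts (password
guessing), off-hours activity, an empty log, gaps, and log-cleared entries.
Added example with a constructed, simplified log format; event names and
thresholds are assumptions, not any product's real event IDs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<date> <time> <EVENT> key=value ..." (one event per line).
SAMPLE_LOG = """
2003-02-11 05:58:02 LOGON_FAILURE user=alex src=WS17
2003-02-11 05:58:05 LOGON_FAILURE user=alex src=WS17
2003-02-11 05:58:07 LOGON_FAILURE user=alex src=WS17
2003-02-11 05:58:09 LOGON_FAILURE user=alex src=WS17
2003-02-11 05:58:12 LOGON_FAILURE user=alex src=WS17
2003-02-11 05:58:14 ACCOUNT_LOCKED user=alex
2003-02-11 08:15:40 LOGON_SUCCESS user=judi src=WS03
2003-02-11 08:40:11 OBJECT_ACCESS user=judi object=accounting_db
2003-02-12 02:10:00 AUDIT_LOG_CLEARED user=Administrator
2003-02-12 02:10:30 LOGON_SUCCESS user=Administrator src=FS1
"""

BUSINESS_HOURS = (7, 19)            # assumed 07:00-19:00 local time
TAMPERING_EVENT = "AUDIT_LOG_CLEARED"   # assumed name of the "log was cleared" entry


def parse_log(text):
    """Parse lines into dicts sorted by timestamp; blank lines are ignored."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, kind, *fields = line.split()
        event = {"ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
                 "kind": kind}
        event.update(field.split("=", 1) for field in fields)
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def find_password_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """Report accounts with >= threshold LOGON_FAILURE events inside a sliding window.
    Scripted guessing produces tightly clustered failures; a mistyped password does not."""
    failures = defaultdict(list)
    for e in events:
        if e["kind"] == "LOGON_FAILURE":
            failures[e["user"]].append(e["ts"])
    findings = []
    for user, times in failures.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                first = times[start]
                findings.append({
                    "user": user, "failures": end - start + 1,
                    "first": first, "last": times[end],
                    # A burst outside business hours (Activity 1-2, item 1) is extra suspicious.
                    "off_hours": not BUSINESS_HOURS[0] <= first.hour < BUSINESS_HOURS[1],
                })
                break   # one finding per account is enough for triage
    return findings


def find_audit_tampering(events, max_gap=timedelta(hours=12)):
    """Flag the three audit-attack signals: empty log, cleared-log entries, gaps.
    max_gap must be tuned per host; a busy server never goes quiet for 12 hours."""
    if not events:
        return [{"signal": "empty_log"}]
    findings = [{"signal": "log_cleared", "at": e["ts"], "by": e.get("user")}
                for e in events if e["kind"] == TAMPERING_EVENT]
    for prev, cur in zip(events, events[1:]):
        gap = cur["ts"] - prev["ts"]
        if gap > max_gap:
            findings.append({"signal": "gap", "from": prev["ts"], "to": cur["ts"],
                             "hours": round(gap.total_seconds() / 3600, 1)})
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for finding in find_password_guessing(evts) + find_audit_tampering(evts):
        print(finding)
```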

ACTIVITY 1-2
Classifying Software Attacks
Scenario:
Your IT department wants to know why the performance of some of your computer systems is
degrading. In all the cases of poor performance, your IT administrator, Ronald, has already
used existing network baseline data to rule out the possibility of this performance degradation
occurring as either a temporary spike in traffic or insufficient hardware resources. You and
Ronald believe your systems are under attack, but now you need to know the type of attack
that is occurring in each instance so that you can devise an appropriate response.

What You Do How You Do It

1. Kim, a help-desk staffer, gets a phone call from Alex in human resources stating that
he can’t log on. Kim looks up the account information for Alex and sees that the
account is locked. This is the third time the account has locked this week. Alex insists
that he was typing in his password correctly. Kim notices that the account was locked
at 6 A.M.; Alex says he was at a meeting at a client’s site until 10 A.M. today. It seems
like a case of .

2. Judi, who does backups, states that according to her log files, an IT administrator performed a restoration on the accounting server last night. You send out an email asking all the members of the IT department whether there were any problems with the servers last night as you see nothing entered on the IT problem log forms. All of IT responds stating no problems occurred last night. Something isn’t right, and it all adds up to .

3. You find out the security log was cleared on the file and print server. No one in IT
claims responsibility. No matter who did this, you consider it .

4. Your antivirus software has detected the ILOVEYOU virus. You’re under attack from
.

5. While administering user accounts you notice that a new account called LyleBullock
has been created on your server. You know of no user in your organization with that
name. The account also is part of the administrators group. It’s a classic
.

6. While you are connected to another host on your network, the connection is suddenly
dropped. When you review the logs at the other host, it appears as if the connection is
still active. You suspect .

7. Your e-commerce Web server is getting extremely slow. Customers are calling stating
that it is taking a long time to place an order on your site. This could be
.

8. Your intranet Webmaster, Tim, has noticed an entry in a log file from an IP address
that is within the range of addresses used on your network. Tim does not recognize
the computer name as valid. Your network administrator, Deb, checks the DHCP server
and finds out the IP address is not in any of the scopes. This seems to be a case of
.

9. Tina, the network analysis guru in your organization, analyzes a network trace capture
file and finds out that packets have been intercepted and retransmitted to both a
sender and a receiver. You’ve experienced .

10. You get an email from an outside user letting you know in a friendly way that she
found it very easy to determine the correct password to access your FTP server. To
prove it, she includes the FTP password in the email. All your files are still on the FTP
server and have not been modified. Although this person had no malicious intent, you
still consider it .

TOPIC C
Identify Hardware Attacks
In Topic 1B, you classified types of threats that target the software running on the computers
in your network. The other major class of computer security threats includes attacks that target
the computers, peripherals, and other network devices themselves. In this topic, you’ll identify
the types of attacks that are directed against the physical devices in your enterprise.
It’s important to keep attackers off your network’s computers, but it’s also important to keep
them from stealing, compromising, or destroying the hardware you’ve invested in. In order to
do that, you need to know about the kinds of attacks that can be mounted against the hardware
inside those systems. As in the case of software attacks, you can’t defend against attacks that
you don’t understand. This topic will give you that understanding.

Identify Hardware Attacks
Definition:
A hardware attack is an attack that targets a computer’s physical components and
peripherals, including its hard disk, motherboard, keyboard, network cabling, or smart
card reader. One goal of a hardware attack is the destruction of the hardware itself or
acquisition of sensitive information through theft or other means. A second goal of a
hardware attack is to make important data or devices unavailable through theft or
vandalism. Much like a DoS attack, this second goal is meant to disrupt a company’s
business or cause embarrassment due to the loss of the data.

Example:
If an intruder breaks into a locked server room and steals the hard disks out of a
server, this is an example of a hardware attack because the attack is targeting the
physical hardware of the computer and not the computer’s applications or operating
systems.

ACTIVITY 1-3
Identify Hardware Attacks
Scenario:
Your manager, the security administrator in your organization, has asked that you help complete a report for senior management about the possible security risks you face and some
suggested solutions. You’ve been presented with a list of scenarios and have been asked to
identify whether the type of attack described in each scenario is a hardware attack.

What You Do How You Do It

1. An intruder enters a locked building at night and steals five laptops from various users
in the software development department. What type of attack is this?

2. An intruder enters a locked building at night, sits at a user’s desk, and tries to enter a
user name and password to log on to the computer based on notes he finds taped to
the user’s monitor. What type of attack is this?

3. To obtain user names and passwords, an attacker installs a device on a keyboard that
records the user’s keystrokes. What type of attack is this?

4. An attacker removes the battery backup on a critical server system and then cuts
power to the system, causing irreparable data loss. What type of attack is this?

5. An attacker tricks a user into running an executable that modifies an application on the user’s mobile device so it consumes more power than normal and depletes the device’s battery, causing data loss. What type of attack is this?

Lesson 1 Follow-up
In this lesson, you identified the three main types of security threats you will face: social engineering attacks, software attacks, and hardware attacks. Understanding the types of threats you
face is an important first step in learning how to protect your network and respond to an
intrusion.
1. What type of attack do you think is most dangerous?

2. Which type of attack do you think it might be most difficult to guard against?



LESSON 2
Hardening Internal Systems and Services
Lesson Time: 7 hour(s)

Lesson Objectives:
In this lesson, you will harden internal systems and services.
You will:
• Harden a computer’s operating system.
• Harden directory services.
• Harden a DHCP server.
• Harden file and print servers.

Lesson 2: Hardening Internal Systems and Services 27


Introduction
Securing your computer networks against attacks and damage from inside or outside your organization is an ongoing process, not a single task. There are several phases in the process, and this course is going to explore each of them in turn. The first step in the process is to create as secure an environment as you possibly can. In this course, we’ll take an “inside-out” approach to configuring security, starting with the systems and services that are closest to your internal users, and then moving out to securing the perimeter of your network. So, in this lesson, you’ll learn to secure the systems and services that your internal users interact with every day.
Securing your computers and networks against intruders isn’t that different from securing your own home. You can secure the perimeter of your home by locking the doors and installing alarm systems, but once the burglars get past those, they’ll have access to everything inside. And, there’s always the possibility of an “inside job”: someone who might come into your home with a legitimate excuse, but who really wants to cause some damage. So, you can’t just secure from the outside in; you need to secure from the inside out, by doing things like locking up your valuables in a home safe or even moving them to a bank’s safe deposit box. Then, even if the crooks do get inside, they won’t be able to simply grab your jewelry and go. Securing your internal computer systems is like setting up security inside your house; it protects against the burglars who get in, and it even helps to protect against people on your own network who might have mischief in mind.

INSTRUCTOR ACTIVITY 2-1
Assessing Vulnerabilities
Setup:
Your computer is configured to dual-boot between Windows XP Professional and Windows
2000 Server. You are booted to Windows XP Professional and logged on as an administrator.
All necessary security tools are in the C:\SPlus folder on your hard drive. The Administrator
password for Windows 2000 Server is !Pass1234.

Scenario:
You’re a network security expert who’s been asked to evaluate the vulnerabilities in a client’s
network. The client currently has a network of Windows 2000 Server and Windows XP Profes-
sional computers. You’ve decided to use L0phtcrack to check for password strength and
Superscan to scan for listening ports.

What You Do How You Do It

1. In Windows XP, use L0phtcrack to perform a strong password audit on your computer.
a. In the C:\SPlus\LC4 folder, double-click Lc4setup. Use the wizard to complete a default installation.
b. Choose Start→All Programs→LC4→LC4. Click Trial.
c. Click Next to advance the wizard.
d. On the Get Encrypted Passwords page of the wizard, verify Retrieve From Local Machine is selected. Click Next.
e. On the next page of the wizard, select Strong Password Audit. Click Next.
f. On the next page of the wizard, select all options and click Next. Click Finish.
g. Click Cancel to skip registering the product. The brute force attack is not available in the trial version.
h. Click OK when the auditing session is complete.
i. Close LC4 without saving changes.

2. What type of attack is this?

3. In Windows XP, use Superscan to perform a port scan on your computer.
a. In the C:\SPlus\Tools\Superscan folder, double-click Superscan. Use the wizard to complete a default installation.
b. In the Superscan window, click Port List Setup.
c. In the Select Ports area, click Select All.
d. Click OK.
e. Click No. There is no need to save changes to the list file.
f. Back in the main window, click Start.
g. When the scan is complete, double-click the computer in the host list to display the results of the scan.
h. Close Superscan.

4. What type of attack is this?

5. Reboot into Windows 2000 Server.
a. Restart the computer and choose Windows 2000 Server from the boot loader menu.
b. Log on as Administrator with a password of !Pass1234.

6. In Windows 2000, use L0phtcrack to perform a strong password audit on your computer.
a. Install L0phtcrack and perform a strong password audit on the system.
b. Close L0phtcrack.

7. In Windows 2000, use Superscan to perform a port scan on your computer.
a. Install Superscan and perform a port scan.
b. Close Superscan.

TOPIC A
Harden Base Operating Systems
There are many different computing systems and services running on your network, and they
all have their own security needs. However, all those computers have one thing in common: they all have an operating system. So, increasing the security on the operating system is going to be part of your security plan no matter what kind of network services you run on those computers. In this topic, you’ll learn standard ways to tighten up the security on all the operating systems in your environment.
Attackers know that the presence of an operating system is the common denominator on all
your systems, so they consider the operating system a good place to start their attack. That
makes it a good place to start your defense. Once attackers get control of an operating system,
they can do almost anything they want to bring down the applications and services that run on
top of that system. Tightening up operating system security will make any kind of computer
harder to attack.

Corporate Security Policy
Definition:
A corporate security policy is a collection of policies that defines how security will be
implemented within a particular organization. The security policy is usually a fairly
lengthy document consisting of individual policies for each resource within the
organization. No matter how many individual policies an organization has, each policy
is written for the same purpose: to protect the availability, confidentiality, and integrity
of sensitive data and resources within an organization. This includes the network infrastructure, the physical and electronic data, the applications, and the physical
environment of the organization. Ultimately, the final corporate security policy is a
result of extensive research and due care on the part of many individuals within an
organization to be certain that the assets are as safe as possible.
Within each individual policy section, there is specific information that outlines exactly
what is being covered by that particular policy, such as:
• The policy statement, which outlines the plan for the individual security
component.
• A standard, which defines how adherence to the policy will be measured.
• Guidelines, which are suggestions for meeting the policy standard or best
practices.
• Procedures, which are step-by-step instructions that detail specifically how to
implement the policy.

Analogy:
A good security policy provides functions similar to a government’s foreign policy.
The policy is determined by the needs of the organization. Just as the United States
needs a foreign policy because of real and perceived threats from other countries, organizations also need a policy to protect their data and resources. The United States’ foreign policy defines what the threats are and how the government will handle those threats. A security policy does the same for an organization; it defines threats to its resources and how those threats will be handled. Policy forms the plan that ties everything together. Without a formal policy, you can only react to threats instead of anticipating them and preparing accordingly.

Individual Security Policies
The SANS (SysAdmin, Audit, Networking and Security) Institute has identified a list
of approximately 25 different possible security policies ranging from an Acceptable
Use Policy (AUP) to a Wireless Standards Policy. There are other organizations, such
as the Internet Engineering Task Force (IETF), that provide templates like Request for
Comments (RFC) 2196 for different security policies. The corporate security policy of
a particular organization cannot include every possible individual security policy, but
there are several common policies that are almost always included:
• Acceptable Use Policy—This policy defines the acceptable use of an organization’s physical and intellectual resources.
• Audit Policy—This policy details the requirements and parameters for risk assessment and audits of the organization’s information and resources.
• Extranet Policy—This policy sets the requirements for third-party entities that
desire access to an organization’s networks.
• Password Policy—This policy defines standards for creating strong passwords. It
also defines what an organization considers weak passwords and the guidelines for
protecting the safety of passwords.
• Wireless Standards Policy—This policy defines what wireless devices can connect
to an organization’s network and how to use them in a safe manner that protects
the organization’s security.

To view the complete list of policies from the SANS Institute, see www.sans.org/newlook/resources/policies/policies.htm#template.

To view RFC 2196, see www.cis.ohio-state.edu/cgi-bin/rfc/rfc2196.html.

ISO 17799 is a standard for information security that is currently under development by the International Standards Organization (ISO). To view information on ISO 17799, see http://enterprisesecurity.symantec.com/article.cfm?articleid=356&PID=470086, www.securityauditor.net/iso17799/index.htm, and https://www.bspsl.com/secure/iso17799software/cvm.cfm.

Separation of Duties
In addition to the policies developed within the information security department, other
departments will have policies that overlap with information security such as human
resources, building security, and finance. These policies may not be owned or managed by the information security department; in fact, it is good business practice to
have the responsibility for individual policies distributed throughout the organization in
different departments. This is often referred to as a separation of duties. No one person
or department should be exclusively responsible for all security issues. This concept
applies to policies, procedures, and ownership of an organization’s assets, whether
physical or virtual. Regardless of who owns a policy and the procedures and the
responsibility for enforcing it, security professionals must work with each department
as a main point of contact to ensure continuity in the overall corporate policy.

Documentation Handling
As a security administrator, you might be called upon to manage, maintain, and update
the documentation relating to your organization’s security policies and network
organization. These documents include the security policies themselves, as well as supporting documents such as a network map, inventories, and activity logs. Each document should include change-tracking information including the current revision number, the revision date, the revision author, and the contents of each revision.
You might want to assign each security document a classification level. Commonly used classifications include Public, Internal Use Only, Confidential, and Restricted. The classification of a document not only determines who has the right to see or alter the document, but also determines the correct procedure for storing, archiving, and handling the document. Storage, archival, and destruction procedures involve the media the document is stored on (disks, tape, paper) as well as the way the document is secured. Proper destruction procedures can range from simply recycling a printed public document, to reformatting disks seven or more times, to shredding, then incinerating restricted documents.

Example: Nuclear Plant Password Policy
A nuclear plant has a password policy that all employees must adhere to. Each employee is responsible for using strong passwords and protecting those passwords accordingly. The policy contains guidelines for strong passwords to use and weak passwords to avoid.

ACTIVITY 2-2
Examining a Security Policy
Data Files:
• NuclearPlantPasswordPolicy.rtf

Setup:
You’re using a Windows XP Professional computer named Client#, where # is a unique
number. There’s an administrative account named Admin#, where # is also a unique number,
which has a password of password.

Scenario:
As the new security administrator for a nuclear plant, you will be responsible for maintaining
and updating the documentation related to security policies, as well as for understanding and
enforcing the policies. Before you can be effective in these new duties, you’ve decided that
you need to familiarize yourself with the existing policy documents in the organization. Use
the \\Client100\SPlus\Student\NuclearPlantPasswordPolicy.rtf file to answer the following
questions.

What You Do How You Do It

1. If necessary, log on to Windows XP.
a. Reboot the computer and choose Windows XP Professional from the boot loader menu.
b. Log on as Admin# with a password of password.

2. Examine the policy document.
a. Connect to \\Client100\SPlus\Student.
b. Open the NuclearPlantPasswordPolicy.rtf file.
c. When you have answered the following questions, close WordPad.

3. What type of security policy document is this?

4. What other types of policy documents might you need in order to create a complete
security policy?

5. Which of the general components of a policy document are represented in this docu-
ment?

6. How often must users change their passwords in order to adhere to this policy?

7. What is the minimum length for a password according to this policy?

8. Would “gandalf8” be an acceptable password according to this policy? Why or why not?

System Vulnerabilities
Each operating system has unique vulnerabilities that also present a variety of opportunities for
would-be attackers and can lead to the threats you learned about previously. The following
four tables list some common security vulnerabilities in Windows 2000, Windows XP, NetWare
6, and Sun Solaris. (These tables are meant to describe some well-known vulnerabilities; they
are not exhaustive lists. For up-to-date information about security vulnerabilities, check the
manufacturers’ Web sites and other security references.)
The following table lists some vulnerabilities in Windows 2000 Server.

• DNS zone transfers: DNS zone transfers can provide a wealth of information about the internal structure of a network because they include DNS records for every host in an organization. By default, zone transfers are allowed to any DNS server.
• Telnet service: To gain unauthorized access, an attacker could exploit the predictability of the name of the pipe created during the establishment of a Telnet session. Code could be placed on the server and executed when the pipe is opened.
• Internet Information Services: Because IIS is installed and enabled by default, it can provide easy access to a Windows 2000 server.
• Directory Services Restore Mode Administrator password: Allows an attacker to boot into Directory Services Restore Mode and access Active Directory data.
• Local SAM attack: Member servers’ Security Accounts Manager (SAM) databases are vulnerable to password-cracking utilities because of how the passwords are stored. Also, in some circumstances, deleting the SAM on a member server will reset the Administrator account’s password to blank.
• Remote Datagram Protocol (RDP): When multiple malformed packets are sent to the RDP port on a Windows 2000 server, it could cause the system to suddenly crash, resulting in a DoS.

The next table lists some vulnerabilities in Windows XP Professional.

• Universal Plug and Play (UPnP) buffer overflow: This vulnerability involves sending a fake notification message to the UPnP service on a Windows XP machine. The resulting buffer overflow could lead to a takeover attack.
• RAS phonebook: The Remote Access Service (RAS) phonebook module in Windows XP does not properly check a specific attribute value, which can cause malformed data requests to lead to an attacker receiving LocalSystem privileges and the ability to execute malicious code on the target system.
• SNMP buffer overrun: When malformed data is sent to the Simple Network Management Protocol (SNMP) service running on Windows XP, a specially designed malicious management request could lead to a DoS, a takeover attack, or a malicious code attack.
• Outlook Express and Internet Explorer: Two of the most frequent targets—Outlook Express and Internet Explorer—are vehicles for malicious code, takeover, and DoS attacks that exploit numerous security vulnerabilities in both applications, both of which are installed by default with Windows XP.
• Internet Connection Firewall (ICF): Protects inbound communication but doesn’t stop Trojans and viruses from connecting to the Internet from your system.

The following table describes some NetWare 6 vulnerabilities.

• NetWare Loadable Modules (NLMs): Because NetWare systems rely on NLMs, they are vulnerable to fake NLMs that grant an attacker access to the system in some way. A popular malicious NLM allows the attacker to change the supervisor’s password on the server. There are also Trojan NLMs that mimic real NLMs, and attackers can use flaws in real NLMs to compromise the system.
• NetWare Core Protocol (NCP) requests: Attackers can flood the NetWare server with malicious and fake NCP requests, which results in a DoS attack when the server crashes and stops responding.
• Server console: Anyone with physical access to the server console can run NLMs to gain administrative access to the server.
• RCONSOLE: The RCONSOLE password is not encrypted by default.

The following table lists some of the vulnerabilities of the UNIX operating system and some
known vulnerabilities of Sun Solaris 9 specifically.

• Trusts and address-based authentication: By masquerading as another host, an attacker can bypass the .rhosts security implementation to gain access to a remote Solaris system.
• Daemons: Improperly configured daemons, or daemons with security flaws, could lead to system compromise.
• setuid programs: A security flaw in a setuid program, especially a setuid root program, could give an attacker elevated privileges or access to the root (or both).
• r services: Weak authentication mechanisms for these services provide opportunities for spoofing attacks.
• Berkeley Internet Name Domain (BIND) DNS: Because BIND runs with root privileges, BIND vulnerabilities can lead to unauthorized root access.
• Samba 2.0.8 and 2.0.9: If Solaris is running either of these versions of Samba, an attacker can exploit a symbolic link condition to gain elevated access and overwrite and destroy system files.

Hardened Operating System
Definition:
A hardened operating system is an operating system that has been configured to protect against software and hardware attacks according to a defined security policy. A hardened operating system may include some or all of the following security configuration settings:
• The latest operating system patches to close any security holes in the default installation of the operating system. Operating system patches can remove vulnerabilities in services and add-ons, such as the DNS service, the Telnet service, and IIS, and vulnerabilities in the operating system itself, such as programming flaws that could lead to UPnP buffer overflows, RAS phonebook attacks, SNMP buffer overruns, and exploitation of Windows XP’s firewall (ICF). Operating system patches can also protect against flaws in the implementation of protocols, such as RDP, in the operating system.
• Strong passwords to protect against password-cracking utilities, to keep passwords such as the Directory Services Restore Mode Administrator password secure, and to protect SAM databases.
• The latest application patches, which are independent of the operating system patches, to close application vulnerabilities, such as those in Outlook Express and Internet Explorer, that could lead an attacker into the operating system.
• Antivirus software to protect against malicious code.
• Disabled unnecessary services to prevent attackers from exploiting them. For example, disabling or removing IIS on a Windows 2000 Server computer will remove a host of vulnerabilities associated with that service, and disabling SNMP on Windows XP can resolve the SNMP buffer overrun vulnerability.
• Disabled or deleted guest accounts or other unnecessary accounts, and renamed default accounts, all of which an attacker could use to gain access to the system. (If an attacker has a user name, he or she has half of what’s necessary to enter a system.)
• Restricted access permissions so that only those users who absolutely need access are allowed into the system.
• Security policies to control, limit, or restrict user interaction with the system.
• Warning messages or banners displayed at user logon to warn users that only authorized use is allowed. These banners could be important in future civil litigation or criminal prosecution, and can put all users on notice that their activity might be monitored. All warning banners should comply with the legal requirements of your jurisdiction.
• Audit policies to track resource and directory access.
• Locked rooms to physically secure mission-critical servers and devices, to which only trusted administrators have access.
• Backup strategies to protect sensitive data and restore it in the event of an attack. Backup media should be stored offsite. Backups help ensure business continuity in the event of an attack.

Lesson 2: Hardening Internal Systems and Services 37


Example: USA Travel’s Servers
USA Travel has a security policy that requires their servers to have the latest operating
system patches and antivirus software, and to be kept in a locked room. So each
branch office administrator checks for and applies operating system updates weekly,
keeps all servers up-to-date with the latest antivirus software, and keeps the servers in
a locked room to which only she and the branch manager have keys. These servers are
hardened because they have been secured according to USA Travel’s security policy.

Security Baselines
A security baseline is a collection of security configuration settings that are to be applied to a
particular system in the enterprise. Generally speaking, a specific security baseline will outline
a minimum security configuration that you can use as criteria against which you can compare
other systems in your network. When creating a baseline for a particular computer, the settings
you decide to include will depend on its operating system and its function in your organization
and should include manufacturer recommendations. So you will have separate baselines for
desktop clients, file and print servers, DNS/BIND servers, application servers, directory ser-
vices servers, and for all those same types of systems depending on whether they’re running
Windows, NetWare, or a version of UNIX or Linux.
Baselines should be documented so they can be applied consistently throughout your organiza-
tion, and they will include all the hardening methods that you’re employing for each operating
system and type of computer. Once you’ve decided on a baseline, you can implement it with
each new deployment or upgrade.

Microsoft Baseline Security Analyzer


Microsoft provides a free tool that you can use to scan computers running Windows NT 4.0
(with SP4 or higher), Windows 2000, and Windows XP and compare them against Microsoft’s
recommended security baselines. It’s called the Microsoft Baseline Security Analyzer (MBSA),
and you can download it from the Microsoft Security Web site at www.microsoft.com/
security. To run MBSA, your computer must be running Windows 2000 or Windows XP and
have Internet Explorer 5.01 or later. You can use MBSA to scan any computer on the network
to which you have administrative rights. If you’re going to scan a computer with IIS, you must
have the IIS files installed on the computer on which you’re running MBSA.
When you run MBSA, it scans the computers you specify and searches for improperly config-
ured settings and missing service packs and hotfixes in the following:
• Windows operating system (including password expiration and complexity, file system, the
Guest account, the number of local Administrators, and unnecessary services)
• IIS 4.0 and IIS 5.0
• SQL Server 7.0 and SQL Server 2000
• Applications such as Microsoft Office, Internet Explorer, and Outlook Express
If it finds misconfigurations in the operating system or any of the features or applications
above, it will report them in an easy-to-read format, much like the one you see in Figure 2-1.
You can then use that security report to fix any problems by installing hotfixes or service packs
or by implementing the configuration recommendations.


Figure 2-1: MBSA displays the results of a scan.

Windows 2000 and Windows XP Security Policy Settings
Buried in the hundreds of Group Policy settings on Windows 2000 and Windows XP comput-
ers is a set of policies devoted solely to securing the operating systems. The security policy
settings can be found in the main Group Policy window under Computer Configuration, Win-
dows Settings. You can also find the security policy settings in the following locations:
• The Domain Controller Security Policy utility (where you’ll find just the security policy
settings) on the Administrative Tools menu on Windows 2000 domain controllers.
• In the Local Security Policy utility on all Windows 2000 Server and Windows XP Profes-
sional computers.
You can use security policies to configure a wide variety of security-related settings. Table 2-1
lists security policy settings in Windows 2000 and how you can use them to configure security
on your servers. You can use security policy settings to configure security locally, or you can
use them to configure security on Windows 2000 computers across the network using Group
Policy.

On a Windows 2000 server computer, you’ll be able to configure only Account Policies, Local Policies, Public Key
Policies, and IP Security Policies using the Local Security Policy utility.

Table 2-1: Windows 2000 Security Policy Settings
Security Policy Setting: Use It To
Account Policies: Define password policy and account lockout policy.
Local Policies: Set an audit policy, user rights assignments, and machine-specific security options (such as suppressing the display of the last user who logged on in the Log On To Windows dialog box).
Event Log: Set event log parameters, such as maximum log sizes and user access to the logs.
Restricted Groups: Track and control membership of groups that you consider sensitive or privileged. If an unauthorized user is added to such a group, this policy setting removes the user automatically at the next policy refresh.
System Services: Configure service startup values and configure security for critical system services, such as the Server and Workstation services.
Registry: Set security on Registry keys.
File System: Set security for file system objects.
Public Key Policies: Have computers automatically submit a certificate request to an enterprise CA and install the issued certificate; create and distribute a certificate trust list; establish common trusted root CAs; and add encrypted data recovery agents and change your encrypted data recovery policy settings.
IP Security Policies: Create and configure IPSec to secure IP traffic on the network.

Table 2-2 lists the security policy settings you can configure on a Windows XP Professional
computer using Local Security Policy. You can use these settings to configure Windows XP
computers that are part of a domain or workgroup, although they would most likely be used to
configure security on Windows XP computers in a workgroup setting.

Table 2-2: Local Security Policy Settings on a Windows XP Computer
Security Policy Setting: Use It To
Account Policies: Define password policy and account lockout policy.
Local Policies: Set an audit policy, user rights assignments, and machine-specific security options (such as suppressing the display of the last user who logged on in the Log On To Windows dialog box).
Public Key Policies: Add encrypted data recovery agents.
Software Restriction Policies: Restrict users' ability to install and run applications on their computers.
IP Security Policies: Create and configure IPSec to secure IP traffic on the network.

Like all Group Policy settings, you can configure security policy at the local, site, domain,
or organizational unit (OU) level. Policies are applied in that order (local, site, domain,
OU) and later settings override earlier ones, so an OU setting overrides a domain setting,
which overrides a site setting, which overrides a local setting, unless an administrator
blocks inheritance on a container or marks a higher-level policy as No Override. One
exception matters for hardening: the account policies (password, lockout, and Kerberos)
that govern domain accounts take effect only from a policy linked at the domain level; the
same settings in an OU policy apply only to the local accounts of the computers in that OU.

ACTIVITY 2-3
Investigating Windows XP Security Policy Settings
Scenario:
You’re the security administrator for a large national bank, and you’ve been asked to investi-
gate the security settings that you can configure in Windows XP as part of the bank’s attempt
to create a corporate security policy. Your manager has submitted a list of questions she needs
answered before she can go ahead with the next stage in the creation of the security policy.

What You Do How You Do It

1. On the Windows XP computer, open Local Security Policy.
   a. Choose Start→Control Panel.
   b. Click Performance And Maintenance, and click Administrative Tools.
   c. Double-click Local Security Policy.

2. Is there a password policy setting that lets you set a minimum password age?

3. By default, how long are passwords valid on a Windows XP computer?

4. Is there a way to lock out a user after he or she has entered the wrong username or
password three times?

5. By default, which users have been assigned the right to log on locally to a Windows XP
computer?

6. Is there a security option that will allow you to create and display a warning banner
when users log on?

7. Under Public Key Policies, what setting can you configure?

8. What are the three default IP Security policies?

9. True or False? Security settings configured at the domain level will override
local policy settings on Windows XP computers in that domain.

Windows 2000 and Windows XP Security Audits


Just about everything that happens on a Windows 2000 or Windows XP computer is recorded in
one of the logs in Event Viewer. After a typical installation, Windows 2000 and Windows XP
computers have three logs in Event Viewer: the application log, the security log, and the
system log. Depending on the services installed on a Windows 2000 server, Event Viewer might
also have a DNS server log, a directory service log, and a file replication service log. The
application and system logs fill automatically, but the security log stays empty until you
enable an audit policy that selects which categories of security events to record. Table 2-3
describes the security events you can log.

Table 2-3: Security Audit Events
Security Event: Used to Track
Account logon events: Logons at remote computers that use this computer to validate the credentials. On domain controllers, tracks domain user logons at remote workstations.
Account management: Creation of, changes to, and deletion of user and group accounts.
Directory service access: User access to directory service objects. In a separate step, auditing must also be enabled on the objects you want to monitor.
Logon events: Users logging on to (or off from) this computer.
Object access: User access to objects on the computer, including files, folders, and Registry keys. In a separate step, auditing must also be enabled (in the object's system access control list) on the objects you want to monitor.
Policy change: Changes to user rights assignment, audit, and trust policies.
Privilege use: Use of privileged rights, such as changing the system time.
Process tracking: Actions or operations performed by a program or procedure. This information is most useful to programmers tracking a program's execution.
System events: Restarts, shutdowns, and events that affect system security.

Because auditing is configured as a policy, you can apply an audit policy to a single computer
using local policy or across the organization using Group Policy. To apply an audit policy,
enable each category you need and choose whether to log successes, failures, or both,
depending on your audit strategy and security policy. For example, your security policy might
require auditing only account logon failures and not successes, or it might not require
auditing of policy changes at all. Once you've enabled and configured auditing, the selected
events are written to the security log in Event Viewer, which requires regular review to detect
possible attackers or intruders. Give the security log a size and retention setting (see the
Event Log policy) that keeps it from wrapping before it is reviewed, and make monitoring Event
Viewer part of your overall network monitoring strategy.

ACTIVITY 2-4
Investigating Auditing of Security Events
Scenario:
As part of the process of creating the bank’s security policy, you’ve been asked to answer sev-
eral questions about the process and potential value of enabling security audits on the
Windows XP computers.

What You Do How You Do It

1. What are some of the benefits of setting up an audit policy?

2. In addition to monitoring the overall security of a network and its resources, why else
might events in the security log be important?

3. What might a series of unsuccessful logon events indicate?

4. What type of threat or attack could you discover by monitoring successful user logons?

5. What type of attack could you discover by monitoring successful changes to user or
group accounts?

6. What type of attack might an empty security log indicate?
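The audit categories in Table 2-3 and the questions above describe what a reviewer looks for in the security log. As an added example (not part of the course, and not a Microsoft tool), the following Python script reads a simplified security log export and flags those patterns: a burst of bad-password events for one account, a successful logon immediately after such a burst, lockouts, off-hours logons, account management changes, a cleared audit log, and an empty log. The event IDs are the pre-Vista Windows 2000/XP security log IDs (528 successful logon, 529 bad password, 539 lockout, 624 user created, 636 member added to a global group, 517 audit log cleared). The log lines are constructed for the example; a real Event Viewer export carries more tab-separated columns, so adjust parse_export() to your export's column order.

```python
"""Flag suspicious patterns in a Windows 2000/XP security log export.

Added example, not part of the course text. Event IDs are the pre-Vista
security log IDs. The sample log is constructed: timestamp, event ID,
account, and workstation, tab-separated, one event per line.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGON_SUCCESS, BAD_PASSWORD, ACCOUNT_LOCKED = 528, 529, 539
AUDIT_LOG_CLEARED, USER_CREATED, GROUP_MEMBER_ADDED = 517, 624, 636
ACCOUNT_CHANGES = {USER_CREATED: "user account created",
                   GROUP_MEMBER_ADDED: "member added to global group"}

# Constructed sample export: timestamp, event ID, account, workstation.
SAMPLE_LOG = "\n".join("\t".join(row) for row in [
    ("2003-03-04 02:14:07", "528", "jsmith", "WS17"),
    ("2003-03-04 09:00:01", "529", "administrator", "WS42"),
    ("2003-03-04 09:00:23", "529", "administrator", "WS42"),
    ("2003-03-04 09:00:51", "529", "administrator", "WS42"),
    ("2003-03-04 09:01:30", "529", "administrator", "WS42"),
    ("2003-03-04 09:02:12", "529", "administrator", "WS42"),
    ("2003-03-04 09:02:44", "529", "administrator", "WS42"),
    ("2003-03-04 09:03:30", "528", "administrator", "WS42"),
    ("2003-03-04 09:05:12", "624", "administrator", "WS42"),
    ("2003-03-04 09:06:40", "636", "administrator", "WS42"),
    ("2003-03-04 09:30:00", "517", "administrator", "WS42"),
    ("2003-03-04 11:15:00", "529", "mjones", "WS08"),
    ("2003-03-04 11:15:20", "528", "mjones", "WS08"),
])


def parse_export(text):
    """Parse the four-column export into (time, event_id, account, host) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, event_id, account, host = line.split("\t")
        events.append((datetime.strptime(when, "%Y-%m-%d %H:%M:%S"), int(event_id), account, host))
    return sorted(events)


def analyze(events, threshold=5, window=timedelta(minutes=10), quiet_hours=range(0, 6)):
    """Return one finding string per suspicious pattern, in time order."""
    if not events:
        return ["no events in export: auditing is off, or the log was cleared; both need investigating"]
    findings = []
    recent = defaultdict(deque)   # account -> timestamps of bad passwords inside `window`
    guessed = set()               # accounts currently inside a guessing burst
    for when, event_id, account, host in events:
        if event_id == BAD_PASSWORD:
            q = recent[account]
            q.append(when)
            while when - q[0] > window:        # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and account not in guessed:
                guessed.add(account)
                findings.append(f"{when} {account}: {len(q)} bad passwords from {host} "
                                f"within {window}; password guessing")
        elif event_id == LOGON_SUCCESS:
            if account in guessed:             # guessing burst followed by success
                guessed.discard(account)
                findings.append(f"{when} {account}: successful logon from {host} right after "
                                f"guessing burst; credential likely compromised")
            elif when.hour in quiet_hours:
                findings.append(f"{when} {account}: off-hours logon from {host}; verify with the user")
        elif event_id == ACCOUNT_LOCKED:
            findings.append(f"{when} {account}: locked out from {host}")
        elif event_id in ACCOUNT_CHANGES:
            findings.append(f"{when} {account}: {ACCOUNT_CHANGES[event_id]} from {host}; "
                            f"check against change records")
        elif event_id == AUDIT_LOG_CLEARED:
            findings.append(f"{when} {account}: audit log cleared from {host}; possible track covering")
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_export(SAMPLE_LOG)):
        print(finding)
```

The single bad password from mjones is ignored on purpose: one or two failures are normal, and the threshold and window are the tuning knobs that separate a mistyped password from a guessing attack. Note that the script only sees what the audit policy records; if account logon events are not being audited, the 529 events never exist, which is why enabling auditing (Activity 2-4) comes before monitoring.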

Unnecessary Services, NLMs, and Daemons
When deciding which Windows 2000 services to disable, be sure to thoroughly investigate
each candidate to see if you can safely disable it based on the server’s network role. Some
services might be required for a server performing a certain function, while others might be
performing no service at all. For example, on a Windows 2000 server that you’re using as a
print server, you shouldn’t disable the Print Spooler service. However, on a Windows 2000
server that’s being used only to store departmental files, the Print Spooler service can easily be
disabled. Again, researching the Windows 2000 Server documentation and controlled testing
will tell you which services you can disable.
NetWare and UNIX/Solaris default installations, on the other hand, don't have many unneces-
sary services installed. When installing these operating systems you select which services
to install, so unlike Windows 2000 Server, a service you don't explicitly choose isn't
installed. As in Windows 2000, keeping the number of running services to the absolute
minimum gives attackers fewer ways into the system. So with those two operating systems the
question is less which services to disable than which services not to enable in the first
place (and, on UNIX, which entries to remove from inetd's configuration).
Table 2-4 contains some examples of Windows 2000 services, NetWare 6 NLMs, and Solaris 9
daemons that you can safely disable or not enable at all on most computers (again depending
on the server’s role).

Because servers are likely to have more services running than a workstation, we’re not focusing on Windows XP
in this section. However, you can usually disable many of the same core operating system services on Windows
XP that you can on Windows 2000 Server.

Table 2-4: Services, NLMs, and Daemons You Can Safely Disable or Not Enable
Operating System / Service, NLM, or Daemon: Comment
Windows 2000
  Alerter service: Forwards administrative alerts generated on the local computer to users or remote computers. Disable it to deny attackers a channel for social engineering messages.
  Clipbook service: Used only to transfer clipboard data between computers.
  Fax service: Used only if users will be sending and receiving faxes from the system.
  Messenger service: Used for sending pop-up messages between users. Disable it to deny attackers a channel for social engineering messages.
  Print Spooler service: Can be safely disabled on computers not accessing printers.
  World Wide Web Publishing service: Unnecessary if the server isn't a Web server.
NetWare 6
  Portal.nlm and nsweb.nlm: Not necessary if the server isn't a Web server.
  Nwftpd.nlm: Used only for FTP access.
  Named.nlm: Used only on DNS servers.
  Dhcpsrvr.nlm: Used only on DHCP servers.
  Java.nlm: Unnecessary unless you support Java applications on the server.
Solaris 9
  nfsd: Necessary only on NFS file servers.
  dhcpd (in.dhcpd on Solaris): Used only on DHCP servers.
  named: Used only on BIND (DNS) servers.
  Samba: Unnecessary unless the server must share data with Microsoft systems over SMB.
  anonftp: Allows anonymous FTP access; enable it only when absolutely necessary.
UNIX
  /etc/inetd.conf: Remove (comment out) unnecessary Internet services from this configuration file, so that a port scan finds fewer listening services to attack.
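As an added example (not part of the course), here is a Python script that applies the /etc/inetd.conf advice in Table 2-4: it parses the classic inetd.conf format (service, socket type, protocol, wait/nowait, user, server path, arguments), comments out every active entry that is not on an allowlist of services the server's role needs, and reports what it turned off so the change can be reviewed before it is installed. The sample inetd.conf is constructed for the example; its server paths mirror typical Solaris 9 entries.

```python
"""Disable unneeded inetd services by commenting them out of inetd.conf.

Added example, not part of the course text. The sample file below is
constructed; it resembles a pre-hardening Solaris 9 /etc/inetd.conf.
"""

# Constructed sample: comments, an already-disabled entry, internal
# services, and an RPC entry (service field "program/version").
SAMPLE_INETD_CONF = """\
# Internet services
ftp     stream  tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/in.telnetd    in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
login   stream  tcp6    nowait  root    /usr/sbin/in.rlogind    in.rlogind
exec    stream  tcp     nowait  root    /usr/sbin/in.rexecd     in.rexecd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
tftp    dgram   udp6    wait    root    /usr/sbin/in.tftpd      in.tftpd -s /tftpboot
#comsat dgram   udp     wait    root    /usr/sbin/in.comsat     in.comsat
echo    stream  tcp6    nowait  root    internal
chargen dgram   udp6    wait    root    internal
100232/10 tli   rpc/udp wait    root    /usr/sbin/sadmind       sadmind
"""


def parse_entry(line):
    """Return (service, server) for an active inetd.conf entry, else None.

    Comments, blank lines, and lines with fewer than six fields are skipped
    rather than guessed at, so the rewrite never touches what it can't parse.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    if len(fields) < 6:
        return None
    return fields[0], fields[5]


def harden_inetd_conf(text, allowed):
    """Comment out every active entry whose service is not in `allowed`.

    Returns (new_text, disabled): the rewritten file and the list of
    (service, server) pairs that were turned off. Lines are otherwise
    preserved byte for byte so the file still diffs cleanly.
    """
    out, disabled = [], []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is not None and entry[0] not in allowed:
            out.append("#" + line)          # the convention inetd users expect
            disabled.append(entry)
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled


def active_services(text):
    """List the services an inetd reading this text would start."""
    return [entry[0] for entry in map(parse_entry, text.splitlines()) if entry]


if __name__ == "__main__":
    # Role: a server that only needs FTP from inetd.
    new_conf, off = harden_inetd_conf(SAMPLE_INETD_CONF, allowed={"ftp"})
    for service, server in off:
        print(f"disabled {service:10} ({server})")
    print(new_conf)
```

After installing the rewritten file, send inetd a SIGHUP (kill -HUP with inetd's process ID) so it rereads the configuration, then confirm from another host with a port scan that only the intended ports still answer. The allowlist is deliberately per role: a file server's list differs from a DNS server's, which is the same decision Table 2-4 asks you to make for Windows services and NLMs.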

Security Templates
Definition:
Security templates are text files (.inf files) that specify security settings in the
areas of account policies, local policies, the event log, restricted groups, system
services, the Registry, and the file system. Security templates give you a way to
standardize security settings based on computer role and the level of security you
require, and to apply those settings consistently to multiple computers. They also
automate the task of applying the separate security settings you would otherwise
configure in several different utilities when you harden your systems. Windows 2000
and Windows XP security templates are stored in %systemroot%\Security\Templates.

You can use Windows 2000 security templates on Windows 2000 Server and Windows 2000 Profes-
sional computers.


Figure 2-2: A portion of a Windows 2000 security template.

Example: Windows 2000 Security Templates


There are several types of Windows 2000 security templates, which are described in
Table 2-5. A sample of a Windows 2000 security template is displayed in Figure 2-2.

Table 2-5: Windows 2000 Security Templates
Category (Templates): Description
Basic (Basicdc for domain controllers, Basicsv for servers): These templates apply the default security settings that a clean install of Windows 2000 configures. Use them to apply the default security configuration to computers you've upgraded to Windows 2000, or to restore the defaults on a Windows 2000 computer.
Secure (Securedc and Securews): These templates apply increased security settings in the areas of account policy, auditing, and some security-related Registry keys.
Highly Secure (Hisecdc and Hisecws): These templates apply the settings that create the most secure Windows 2000 environment. They require that all network communications be digitally signed and encrypted at a level that only Windows 2000 provides, so a computer configured with them can't communicate with downlevel Windows clients.

Example: Windows XP Security Templates
Table 2-6 describes the security templates available in Windows XP. While you will
see the Hisecdc and Securedc security templates in Windows XP, you wouldn’t apply
them to a Windows XP computer because they contain system settings for domain
controllers.

Table 2-6: Windows XP Security Templates
Category (Template): Description
Compatible (Compatws): Lets members of the Users group run applications that don't meet Windows 2000/XP application specifications without being members of the Power Users group. It does this by loosening file and Registry permissions, so it lowers security rather than raising it.
Secure (Securews): Like the Windows 2000 template of the same name, applies increased security settings in the areas of account and password policy, auditing, and some security-related Registry keys.
Highly Secure (Hisecws): Applies the most restrictive security settings, especially those that apply to authentication and directory access.
System root security (Rootsec): Applies the default permissions to the root of the system drive; use it to reapply the defaults if they've been modified.
Default security configuration (Setup security): Reapplies the system-wide security settings that come with a default installation of Windows XP.

You can also use security templates to analyze your current system settings by comparing your current settings
to those that Microsoft recommends and includes as part of the template.

You can use the Security Configuration And Analysis tool, a Microsoft Management
Console (MMC) snap-in, to compare a computer's current settings with a template and
to apply a template. If you want to examine or modify template settings, use the
Security Templates snap-in. The same analysis and configuration are available from
the command line with secedit /analyze and secedit /configure, which is useful for
scripting. You can apply one of the default templates without modifying it, or
choose the one closest to your needs and modify it. Before you apply any template,
examine it closely to see which settings it contains: applying a template replaces
the current settings in every area the template defines and there is no undo, so
test it on a non-production computer first. You can also automate the deployment of
security templates by importing them into Group Policy.

For more information on how to deploy security templates, see Windows 2000 Help or
www.microsoft.com/windows2000/techinfo/howitworks/security/sctoolset.asp.
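Security baselines (described earlier in this topic) and security templates come together when you check a system against the baseline. As an added example (not from the course, and not Microsoft's tool set), the following Python script parses two security templates, a hardened baseline and an export of a system's current settings of the kind secedit /export produces, and lists every setting where the system is missing a baseline setting or is weaker than it. The section and key names are the ones real templates use; the two templates embedded here are constructed for the example, and the RestrictAnonymous and LmCompatibilityLevel entries show how a Registry hardening step is expressed in a template (value type 4 is REG_DWORD). Real template files are UTF-16 on disk, so read them with open(path, encoding="utf-16") before passing the text in.

```python
"""Compare a system's exported security settings against a baseline template.

Added example, not from the course text or from Microsoft's tool set.
Security templates are INI-style text, so a baseline can be checked
without the Security Configuration And Analysis snap-in. The two
templates below are constructed for the example.
"""
import re

# [System Access] keys where a larger value is stronger (system >= baseline).
AT_LEAST = {"MinimumPasswordLength", "PasswordHistorySize", "MinimumPasswordAge"}
# Keys where a smaller value is stronger (system <= baseline). In this format
# 0 means "never expires" / "no lockout", so 0 is treated as the weakest value.
AT_MOST = {"MaximumPasswordAge", "LockoutBadCount"}
# Sections that describe the file itself rather than security settings.
DESCRIPTIVE = {"Unicode", "Version"}

BASELINE = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordAge = 2
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 3
AuditPolicyChange = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
"""

# Constructed export of a partly hardened system.
CURRENT_SYSTEM = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 0
MinimumPasswordLength = 10
PasswordComplexity = 1
PasswordHistorySize = 3
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 2
AuditAccountManage = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
"""


def parse_template(text):
    """Parse INI-style template text into {section: {key: value}} (values kept as strings)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")   # registry paths contain '\' but never '='
            current[key.strip()] = value.strip()
    return sections


def setting_meets(section, key, got, want):
    """True if the system value `got` is at least as strong as the baseline value `want`."""
    if section == "System Access" and key in AT_LEAST:
        return int(got) >= int(want)
    if section == "System Access" and key in AT_MOST:
        return int(got) != 0 and int(got) <= int(want)
    if section == "Event Audit":            # bit 1 = audit success, bit 2 = audit failure
        return (int(got) & int(want)) == int(want)
    return got == want                       # registry values, flags: exact match


def audit_against_baseline(baseline_text, system_text):
    """Return one line per baseline setting that the system lacks or has weaker."""
    baseline, system = parse_template(baseline_text), parse_template(system_text)
    findings = []
    for section, settings in baseline.items():
        if section in DESCRIPTIVE:
            continue
        have = system.get(section, {})
        for key, want in settings.items():
            got = have.get(key)
            if got is None:
                findings.append(f"{section}/{key}: not set (baseline {want})")
            elif not setting_meets(section, key, got, want):
                findings.append(f"{section}/{key}: {got} (baseline {want})")
    return findings


if __name__ == "__main__":
    for finding in audit_against_baseline(BASELINE, CURRENT_SYSTEM):
        print(finding)
```

The comparison is direction-aware on purpose: a system whose minimum password length is 10 against a baseline of 8 is not a finding, but a maximum password age of 0 (never expires) is, even though 0 is numerically smaller. Audit settings are compared as bit masks, so a system that audits only failures (2) fails a baseline that demands both (3). A script like this is what turns a documented baseline into something you can rerun after every deployment or upgrade.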

ACTIVITY 2-5
Investigating Security Templates
Scenario:
As part of the ongoing effort to create the bank’s security policy, you’ve been asked to investi-
gate ways to automate the deployment of mandatory security settings throughout the company.
You’ve recently discussed the security templates that ship with Windows 2000 and Windows
XP in a strategy meeting, and now you’ve been asked to provide answers to some follow-up
questions.

What You Do How You Do It

1. Open a blank MMC and snap in the Security Templates tool.
   a. Choose Start→Run, and enter MMC.
   b. Choose File→Add/Remove Snap-in.
   c. In the Add/Remove Snap-in dialog box, click Add.
   d. Scroll to find the Security Templates snap-in, select it, and click Add. Click Close.
   e. In the Add/Remove Snap-in dialog box, click OK.
   f. Maximize the Console Root window and then the Console1 window.
   g. Expand Security Templates, D:\Windows\Security\Templates.
   h. If necessary, resize the panes so you can see all the security templates.

2. How do the password policy settings differ in the compatws and securews templates?

3. If you want to audit account logon events and account management, but not object
access, which security template would you use?

4. Which workstation template uses restricted groups to protect the Administrators and
Power Users groups?

5. If you want to reset the system-wide security policy settings to the default configura-
tion, you would apply the __________ template.

If you want to reset the security settings on the system root, you would apply the
__________ template.

6. Why would you choose to use Group Policy to apply security templates instead of
applying the templates locally to individual computers?

7. Close the Console1 window without saving changes.
   a. Close the Console1 window.
   b. Click No when prompted to save changes.

Harden Base Operating Systems


Procedure Reference: Harden a Windows XP Operating System
To harden a Windows XP operating system:
1. Apply the latest service packs or hotfixes to close any security holes in the operat-
ing system.
a. Connect to the Windows Update Web site at http://
windowsupdate.microsoft.com or run the executable for the service pack or
hotfix, which you can obtain from Microsoft’s Web site.
b. Use the wizards to complete the installations and restart when prompted.
2. Disable the Welcome screen to remove the list of Windows XP users.
a. Open Control Panel and click User Accounts.
b. Under Pick A Task, click Change The Way Users Log On Or Off.
c. Uncheck Use The Welcome Screen.

On a Windows XP Professional computer in a domain, implement policies at the domain level. On
stand-alone or workgroup Windows XP computers, implement policies locally.

3. Change account passwords to comply with security policy requirements, which
should include enforcing the use of strong passwords.
a. Open Control Panel and User Accounts.
b. Select the account you want to change and click Change My Password.
c. Enter and confirm a new password.

4. Set appropriate password policies to make passwords more difficult to crack or
guess.
a. Open Control Panel, click Performance And Maintenance, click Administra-
tive Tools, and open Local Security Policy.
b. Expand Account Policies and select Password Policy.
c. In the details pane, double-click the settings, and enable and configure pass-
word policies according to your security policy.
5. Set appropriate account lockout policies to restrict user logon attempts.
a. In Local Security Settings, under Security Settings, Account Policies, select
Account Lockout Policy.
b. In the details pane, double-click the settings, and enable and configure
account lockout policies according to your security policy.
6. Set appropriate audit policies to monitor resource and directory access.
a. In Local Security Settings, expand Local Policies.
b. Select Audit Policy.
c. In the details pane, double-click the settings, and enable audit policies
according to your security policy.
7. Set appropriate user rights assignments to restrict user access to the system.
a. In Local Security Settings, under Local Policies, select User Rights
Assignments.
b. In the details pane, double-click the settings, and configure user rights assign-
ments according to your security policy.
8. Set the appropriate security options, which can include warning banners, to con-
trol user interaction with the system.
a. In Local Security Settings, under Local Policies, select Security Options.
b. In the details pane, double-click the settings, and enable and configure the
security options according to your security policy.
9. Configure the Event Log settings as part of your implementation of an audit
policy.
10. Convert any FAT or FAT32 drives to NTFS so that you can use NTFS permissions to
restrict access to only those users and groups that need it.
a. Determine the volume label of the drive you want to convert.
b. In a command prompt window, enter the command convert drive:
/fs:ntfs, where drive is the letter of the drive you want to convert.
c. When prompted, enter the volume label.
d. If the volume is in use, enter N to skip forcing a dismount, and then enter Y
to schedule the conversion for the next system restart.
e. Restart the computer.
f. After the conversion, check the permissions on the converted volume. Convert
does not necessarily apply the default permissions (older versions leave Everyone
with Full Control on the converted volume), so set the permissions you intend, or
reapply the defaults with the Rootsec template described in Table 2-6.
11. Run the Microsoft Baseline Security Analyzer to compare the result against
Microsoft's baseline and identify which vulnerabilities still exist.
12. Install the latest application patches for applications such as Outlook Express and
Internet Explorer.
13. Install antivirus software to protect against malicious code.

14. Disable unnecessary services to prevent attackers from exploiting them.
a. Open Control Panel, and then open Performance And Maintenance.
b. Open Administrative Tools, and then double-click Services.
c. Double-click the service you want to disable and, from the Startup Type
menu, select Disabled.
15. Disable or delete guest accounts or other unnecessary accounts, and rename
default accounts.
16. Secure critical systems in locked rooms to prevent tampering and sabotage.
17. Establish a regular backup schedule to back up the operating system’s critical
components and services.

Procedure Reference: Harden the Windows 2000 Operating System


To harden a Microsoft Windows 2000 Server operating system:

If you are deploying multiple hotfixes at once in your own environment, you can chain them together by using the Qchain tool. This makes it easier to deploy hotfixes because you don't have to reboot between each one. For more information, visit: www.microsoft.com/downloads/release.asp?ReleaseID=29821.

1. Apply the latest service packs or hotfixes to close any security holes in the operat-
ing system.
a. Connect to the Windows Update Web site at http://
windowsupdate.microsoft.com or run the executable for the service pack or
hotfix, which you can obtain from Microsoft’s Web site.
b. Use the wizards to complete the installations and restart when prompted.
2. Disable unnecessary services to prevent hackers from exploiting the services to
gain access or control of the system.
a. Right-click My Computer and choose Manage.
b. Expand Services And Applications and select Services.
c. In the details pane, disable any unnecessary services by double-clicking the
service and choosing Disabled from the Startup Type drop-down list.
3. Install Internet Explorer 6 to update the server’s browser and remove the vulner-
abilities found in Internet Explorer 5.x. (Install Internet Explorer from the
Windows Update Web site.)
4. Configure strict access control on the HKEY_LOCAL_MACHINE\SYSTEM\
CurrentControlSet\Control\SecurePipeServers\Winreg Registry key.
a. Choose Start→Run and enter regedt32.
b. In the Registry Editor window, in HKEY_LOCAL_MACHINE, expand
\SYSTEM\CurrentControlSet\Control\SecurePipeServers.
c. Select the Winreg subkey.
d. Choose Security→Permissions.
e. In the Name list, configure access only for the most trusted group of
administrators.

5. Set RestrictAnonymous=1 in the Registry under HKEY_LOCAL_MACHINE\
SYSTEM\CurrentControlSet\Control\Lsa to stop anonymous (null session) users
from enumerating account names and shares.
a. Choose Start→Run and enter regedt32.
b. In the Registry Editor window, in HKEY_LOCAL_MACHINE, expand
\SYSTEM\CurrentControlSet\Control.
c. Select Lsa.
d. In the right pane, double-click RestrictAnonymous, and in the Data text box,
type 1.
A value of 1 still lets null sessions connect; it only blocks the common enumeration
of SAM accounts and shares. Windows 2000 also accepts a value of 2, which refuses
anonymous users any access that isn't explicitly granted, but that setting can break
downlevel clients and trust relationships, so test it before deploying it. The same
setting is exposed in security policy as the security option Additional Restrictions
For Anonymous Connections, which is the easier way to set it on many computers.
6. Install the Windows Media Player security patch.
7. Use the Microsoft Baseline Security Analyzer to establish a security baseline.
8. Enforce the use of strong passwords (through password policy) to protect against password-cracking utilities.
9. Install antivirus software to protect against malicious code.
10. Disable or delete guest accounts or other unnecessary accounts, and rename
default accounts.
a. On a Windows 2000 domain controller, open Active Directory Users And
Computers, and delete unnecessary accounts and rename default accounts.
b. On a Windows 2000 server, open Computer Management. In the Local Users
And Groups folder, delete unnecessary accounts and rename default accounts.
11. Configure security policy settings to control or limit user interaction with the
system. In a domain setting, deploy security policy settings using Group Policy. In
a workgroup setting, use Local Security Policy to deploy security policy settings.
12. Create messages or banners to warn users against unauthorized use of the system.
13. Deploy an audit policy to track resource and directory access.
14. Secure critical systems in locked rooms to prevent tampering and sabotage.
15. Establish a regular backup schedule to back up the operating system’s critical
components and services.

Solaris 9 Automated Security Enhancement Tool (ASET)


Solaris 9 provides a similar set of templates for securing Solaris 9 servers, called the
Automated Security Enhancement Tool (ASET). You can use ASET to secure Solaris servers
using one of three predefined levels of security, which are described in Table 2-7. When
ASET runs, it performs a series of checks on the following components:
• System files
• System configuration files
• File permissions
• Users and groups
• Environment variables
• eeprom security
• Firewall

You can disable the firewall check if the server isn’t a firewall by editing the ASET environment
file (asetenv).

ASET checks settings and configures them to correspond to the level of security
you’ve chosen. If there are any security issues ASET can’t fix, it reports them to you
so you can configure those settings manually. ASET reports are stored in the
/usr/aset/reports directory. As with Windows 2000 security templates, you can add
custom settings by editing the user environment variables section of the ASET
environment file.

Table 2-7: ASET security levels.


Security Level   Description
Low              ASET checks components and reports vulnerabilities. Minimal configuration
                 changes are made at this level.
Medium           ASET checks components and configures the system to restrict access.
High             ASET sets the most restrictive access permissions at this level, giving
                 security priority over system access.

Hardening Application Servers


Network servers that aren’t dedicated to providing a specific network service, such as
DNS or DHCP, are often used as application servers, providing applications such as
Oracle, Exchange, or a custom application, to network users. When you need to harden
application servers, use the same procedure to harden their operating systems as was
described in this topic. Additionally, you need to work with your vendor to make sure
the application or applications running on those servers are patched or otherwise
securely configured to prevent attackers from exploiting that software to find a way
into your network.

ACTIVITY 2-6
Hardening a Stand-alone Windows XP Operating System
Data Files:
• SecureSystems.doc

Setup:
Tools, Service Packs, and data files you will need for this activity are available on the network
in the \\Client100\SPlus share in the following folders:
• Windows XP Service Pack: \XPProSP1
• Microsoft Baseline Security Analyzer: \MBSA
• SecureSystems.doc: \Student

Scenario:
As the security administrator for a large national bank, you need to make sure your new
Windows XP Professional client computers are secure. For now, these computers will be deployed
in a workgroup. With the current Windows 98 systems, the bank’s IT department has had
problems in the past with viruses; with short or non-existent passwords; with users bypassing
the logon and accessing confidential data, such as background investigation checks; and with
users logging on with Guest access. Before connecting the new Windows XP Professional
computers to your network, you need to make sure that the base operating system is hardened
to minimize the likelihood of attacks from users and to provide auditing trails in order to be
able to catch someone who has attempted to breach the security on your system.
The IT department has designed a security deployment plan for all new systems, including the
Windows XP Professional desktops, and you as the security administrator need to make sure
the plan is implemented. Your new antivirus software will arrive soon, but for now you will
use the bank’s security design document, SecureSystems.doc, and implement the appropriate
changes on your Windows XP Professional systems.
Your first task is to harden a Windows XP computer named Client#, where # is a unique
number. The default administrator account has been set up with a password of !Pass1234.
There is also an administrative-level account named Admin#, where # is the computer number.
The password for this account is password. There is also a workgroup administrative account
named Admin100. The password for this account is !Pass1234.

What You Do / How You Do It

1. Install the Windows XP Service Pack.
a. Use the Start→Run command to open the \\Client100\SPlus shared folder.
b. Run the \XPProSP1\XPSP1 self-extracting cabinet file. The Service Pack files are automatically extracted and the Setup Wizard runs.
c. Complete the Setup Wizard with the following parameters:
• Accept the license agreement.
• Archive the files to the default uninstall folder.
d. When the setup is complete, click Finish. The computer will restart.
e. Reboot to Windows XP Professional and log back on as Admin#.
f. To verify that the Service Pack installation was successful, open the System Properties dialog box. The System version should display with Service Pack 1.
g. Close the System Properties dialog box.

2. Disable the Welcome screen.
a. From the Start menu, choose Control Panel and click User Accounts.
b. Under Pick A Task, click Change The Way Users Log On Or Off.
c. Uncheck Use The Welcome Screen. Use Fast User Switching is automatically unchecked as well.
d. Click Apply Options.
e. Close User Accounts and Control Panel.
f. Log off. Instead of the Welcome Screen, you now can log on using the Log On To Windows dialog box.
g. Log on as Admin#.

3. Change the Admin# account password to !Pass1234 to comply with the password security requirements as specified in the SecureSystems.doc file.
For your convenience, this file is printed as an Appendix in the back of the course manual.
a. Open the \\Client100\SPlus\Student\SecureSystems.doc file and locate the password policy settings.
b. Open Control Panel and User Accounts.
c. In User Accounts, click the Admin# account and click Change My Password.
d. In the Type Your Current Password text box, type password.
e. Enter and confirm !Pass1234 as the new password for the Admin# account.
f. Click Change Password.
g. Close User Accounts.

4. Set the appropriate Password Policy as specified in the SecureSystems.doc file.
a. In Control Panel, click Performance And Maintenance.
b. Click Administrative Tools.
c. Open Local Security Policy.
d. Expand Account Policies and select Password Policy.
e. Double-click Enforce Password History.
f. Enter the appropriate value for this policy as specified in SecureSystems.doc.
g. Click OK.
h. Set the appropriate value for the Maximum Password Age policy.
i. Set the appropriate value for the Minimum Password Age policy.
j. Set the appropriate value for the Minimum Password Length policy.
k. Double-click Password Must Meet Complexity Requirements.
l. Select Enabled.
m. Click OK.

5. Set the appropriate Account Lockout Policy as specified in the SecureSystems.doc file.
a. In Local Security Settings, under Account Policies, select Account Lockout Policy.
b. Double-click Account Lockout Threshold.
c. Enter the appropriate value for this policy as specified in SecureSystems.doc.
d. Click OK.
e. Click OK to accept the Suggested Value Changes for the related Account Lockout Policy settings.

6. Set the appropriate Audit Policy as specified in the SecureSystems.doc file.
a. In Local Security Settings, under Local Policies, select Audit Policy.
b. Double-click Audit Account Logon Events.
c. Check Success and Failure.
d. Click OK.
e. Configure the appropriate auditing settings for the Audit Account Management policy.
f. Configure the appropriate auditing settings for the Audit Logon Events policy.
g. Configure the appropriate auditing settings for the Audit Object Access policy.
h. Configure the appropriate auditing settings for the Audit Policy Change policy.
i. Configure the appropriate auditing settings for the Audit Privilege Use policy.
j. Configure the appropriate auditing settings for the Audit System Events policy.

7. Set the appropriate User Rights Assignment as specified in the SecureSystems.doc file. You will only need to change policies if the default setting for a given policy does not match the recommended setting in the SecureSystems.doc file.
a. In Local Security Settings, under Local Policies, select User Rights Assignment.
b. Double-click Access This Computer From The Network.
c. Select the Everyone group and click Remove.
d. Click OK.
e. Configure the appropriate rights assignments for the Change The System Time policy.
f. Configure the appropriate rights assignments for the Log On Locally policy.

8. Set the appropriate Security Options as specified in the SecureSystems.doc file.
a. In Local Security Settings, under Local Policies, select Security Options.
b. Configure the appropriate policy setting for the Accounts: Limit Local Account Use Of Blank Passwords To Console Logon Only policy.
c. Double-click Accounts: Rename Administrator Account.
d. In the text box, type your first name.
e. Click OK.
f. Configure the appropriate policy setting for the Accounts: Rename Guest Account policy.
g. Configure the appropriate policy setting for the Audit: Audit The Access Of Global System Objects policy.
h. Configure the appropriate policy setting for the Audit: Audit The Use Of Backup And Restore Privilege policy.
i. Configure the appropriate policy setting for the Audit: Shut Down System Immediately If Unable To Log Security Audits policy.
j. Configure the appropriate policy setting for the Devices: Allow Undock Without Having To Log On policy.
k. Configure the appropriate policy setting for the Devices: Prevent Users From Installing Printer Drivers policy.
l. Configure the appropriate policy setting for the Devices: Restrict CD-ROM Access To Locally Logged-on User Only policy.
m. Configure the appropriate policy setting for the Devices: Restrict Floppy Access To Locally Logged-on User Only policy.

n. Double-click the Devices: Unsigned Driver Installation Behavior policy.
o. From the drop-down list, select Do Not Allow Installation.
p. Click OK.
q. Configure the appropriate policy setting for the Interactive Logon: Do Not Display Last User Name policy.
r. Configure the appropriate policy setting for the Interactive Logon: Do Not Require CTRL+ALT+DEL policy.
s. Double-click the Interactive Logon: Message Text For Users Attempting To Log On policy.
t. In the text box, type the text in the Code Sample. See Code Sample 1.
u. Click OK.
v. Configure the appropriate policy setting for the Interactive Logon: Message Title For Users Attempting To Log On policy.
w. Configure the appropriate policy setting for the Interactive Logon: Number Of Previous Logons To Cache policy.
x. Configure the appropriate policy setting for the Interactive Logon: Smart Card Removal Behavior policy.
y. Configure the appropriate policy setting for the Network Access: Sharing And Security Model For Local Accounts policy.
z. Configure the appropriate policy setting for the Network Security: Force Logoff When Logon Hours Expire policy.
aa. Configure the appropriate policy setting for the Shutdown: Allow System To Be Shut Down Without Having To Log On policy.
ab. Close Local Security Settings and the Administrative Tools window.

Code Sample 1
Warning! This system is for authorized users only. Anyone using this
system without authorization is subject to prosecution. In addition,
the system may be monitored. By using this system, you consent to
monitoring. Any suspicious activity may be reported to the proper
authorities.

9. Test some of the Security Options policy settings.
a. Open Computer Management and expand Local Users and Groups. (To open Computer Management, open the Start menu, right-click the My Computer object, and choose Manage.)
b. Select the Users folder. The Administrator account has been renamed with your first name. The Guest user account has been renamed and disabled.
c. Close Computer Management.
d. Open My Computer.
e. Right-click any folder or drive and choose Sharing And Security. The Sharing tab appears with the settings for the Classic sharing and security model.
f. Close the property sheet and My Computer.
g. From the Start menu, choose Log Off.
h. In the Log Off Windows message box, click Log Off.
i. Press Ctrl+Alt+Delete to open the Log On To Windows dialog box. The new security warning dialog box appears.
j. Click OK to close the security warning dialog box. The Log On To Windows dialog box opens. The name of the last-logged-on user is not visible.
k. Click Options. The Shut Down button in this dialog box is grayed out.

10. Test the Account Lockout policy settings.
a. In the Log On To Windows dialog box, enter Admin# as the user name.
b. Enter pass as the password.
c. Click OK to attempt to log on with an incorrect password. A warning box appears informing you that your logon has failed.
d. Click OK to close the warning box.
e. Attempt to log on with an incorrect password repeatedly. After several attempts, you should see a message that your account has been locked out. You can also lock the account out immediately by attempting to log on with a blank password. Windows XP Professional interprets this as the start of a dictionary-based password attack.
f. Click OK to close the message box.
g. Log on as your first name with a password of !Pass1234. The Administrator account name is now your first name.
h. Open Computer Management, expand Local Users and Groups, and select the Users folder.
i. Right-click the Admin# account and choose Properties.
j. Uncheck Account Is Locked Out and click OK.

11. Test the Password policy settings.
a. Log off and log back on as Admin#.
b. From the Start menu, choose Control Panel→User Accounts.
c. Click the Admin# account and click Change My Password.
d. In the Type Your Current Password text box, type !Pass1234.
e. Click Change Password to attempt to create a blank password.
f. Click OK to close the User Accounts message box.
g. Click Cancel to close the User Accounts dialog box.
h. Close User Accounts.

12. Configure the appropriate Event Log settings as specified in the SecureSystems.doc file.
a. In Control Panel, click Performance And Maintenance.
b. Click Administrative Tools.
c. From the Administrative Tools group, open Event Viewer.
d. Right-click the Application log and choose Properties.
e. Set the value for the Maximum Log Size as specified in the SecureSystems.doc file.
f. Select the appropriate option under When Maximum Log Size Is Reached.
g. Click OK.
h. Follow a similar procedure to configure the security properties for the Security Log and the System Log.
i. Close Event Viewer and the Administrative Tools window.

13. Convert the E drive to NTFS.
When converting drives to NTFS, always use the Convert command rather than the Format command so you do not lose data.
a. Open My Computer and determine the volume label for Drive E. You will need the volume label to confirm the file system conversion.
b. Close My Computer.
c. Open a command prompt window. (From the Start menu, click Run and enter cmd, or choose All Programs→Accessories→Command Prompt.)
d. Enter the command convert e: /fs:ntfs.
e. When prompted for the volume label for drive E, enter xpvolume.
f. Type N and press Enter. You do not need to force a dismount of drive E.
g. Type Y and press Enter to schedule the conversion for system restart.
h. Close the command prompt window.
i. Reboot the computer to Windows XP Professional. The system checks the disk and converts the file system during the reboot. The computer will restart multiple times. You might receive a STOP error, but the conversion should complete successfully.
j. Log on as Admin100 with a password of !Pass1234.
k. Open My Computer and select Drive E to verify the file-system conversion. The file system should display in the Details section as NTFS.

14. Install the Microsoft Baseline Security Analyzer.
a. Open the \\Client100\SPlus\MBSA folder and run the MBSAsetup.msi installation package.
b. Complete the Microsoft Baseline Security Analyzer Setup Wizard by using the following parameters:
• Accept the license agreement.
• Accept the default User Information settings.
• Accept the default Destination Folder settings.
• On the Choose Install Options page, uncheck Show Readme File After Installation and uncheck Launch Application After Installation.
• Accept the default program feature selections.

15. Scan your system to establish a security baseline.
a. On the desktop, double-click the Microsoft Baseline Security Analyzer shortcut.
b. Click Scan A Computer.
c. Verify that your computer name appears in the Computer Name box and click Start Scan.
d. Review the scan results and click any Result Details or How To Correct This links to determine the security recommendations reported by MBSA. Don’t fix anything based on the suggestions now, as you will harden the system more in later activities.
e. Close MBSA.

16. Can you tell if all current security patches have been implemented on the Windows XP
Professional system? If not, why?

17. How would you fix some of the problems the scan has detected?
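The following Windows PowerShell script is an added example and is not part of the course materials or of SecureSystems.doc. It exports the effective Local Security Policy with secedit and compares the Password Policy, Account Lockout Policy, and Audit Policy settings configured in steps 4 through 6 against expected values; the numbers in $Expected are placeholders to replace with the values from SecureSystems.doc, and the function names are the author's own.

```powershell
# Added example (not from the course or its data files): export the effective
# Local Security Policy with secedit and compare the settings this activity
# configures (steps 4, 5 and 6) against expected values. The numbers in $Expected
# are placeholders standing in for the values in SecureSystems.doc; adjust them.
# Run from an administrative Windows PowerShell prompt; nothing is changed.

$Expected = @{
    'System Access' = @{
        'PasswordHistorySize'   = 24   # Enforce Password History (placeholder)
        'MaximumPasswordAge'    = 42   # days (placeholder)
        'MinimumPasswordAge'    = 1    # days (placeholder)
        'MinimumPasswordLength' = 8    # characters (placeholder)
        'PasswordComplexity'    = 1    # Password Must Meet Complexity Requirements: Enabled
        'LockoutBadCount'       = 5    # Account Lockout Threshold (placeholder)
        'EnableGuestAccount'    = 0    # Guest account disabled
    }
    # Audit values: 0 = No auditing, 1 = Success, 2 = Failure, 3 = Success and Failure
    'Event Audit' = @{
        'AuditAccountLogon'  = 3
        'AuditAccountManage' = 3
        'AuditLogonEvents'   = 3
        'AuditObjectAccess'  = 3
        'AuditPolicyChange'  = 3
        'AuditPrivilegeUse'  = 3
        'AuditSystemEvents'  = 3
    }
}

function ConvertFrom-SeceditInf {
    # Parse the INF text written by "secedit /export" into @{ section = @{ key = value } }.
    param([string[]]$Lines)
    $sections = @{}
    $current = $null
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -eq '' -or $text.StartsWith(';')) { continue }   # blank line or comment
        if ($text -match '^\[(.+)\]$') {                             # [Section] header
            $current = $Matches[1]
            if (-not $sections.ContainsKey($current)) { $sections[$current] = @{} }
            continue
        }
        if ($current -ne $null -and $text -match '^([^=]+?)\s*=\s*(.*)$') {
            $sections[$current][$Matches[1]] = $Matches[2]
        }
    }
    return $sections
}

function Test-LocalSecurityPolicy {
    # Return one line per setting whose exported value differs from the expected value.
    param([hashtable]$Policy, [hashtable]$Expected)
    $findings = @()
    foreach ($section in $Expected.Keys) {
        $actual = $Policy[$section]
        foreach ($key in $Expected[$section].Keys) {
            $want = [string]$Expected[$section][$key]
            $have = '<not set>'
            if ($actual -ne $null -and $actual.ContainsKey($key)) { $have = $actual[$key] }
            if ($have -ne $want) {
                $findings += ('[{0}] {1}: expected {2}, found {3}' -f $section, $key, $want, $have)
            }
        }
    }
    return ,$findings
}

# Export the policy to a temporary file (secedit writes UTF-16), compare, then clean up.
$inf = Join-Path $env:TEMP 'local-security-policy.inf'
secedit /export /cfg $inf | Out-Null
$policy   = ConvertFrom-SeceditInf (Get-Content -Path $inf -Encoding Unicode)
$findings = @(Test-LocalSecurityPolicy -Policy $policy -Expected $Expected)
Remove-Item -Path $inf
if ($findings.Count -eq 0) { 'All checked settings match the expected values.' } else { $findings }
```

Running the script before and after the activity shows which settings the activity changed, and a non-empty report after step 8 points at a setting that was missed or mistyped.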

ACTIVITY 2-7
Hardening a Windows 2000 Domain Member
Data Files:
• SecureSystems.doc

Setup:
Tools, Service Packs, and data files for this activity are available on the network at
\\Server100\SPlus in the following folders:
• Windows 2000 Security Rollup Package 1: \W2KSRP
• Internet Explorer 6: \IE6
• Windows Media Player Security Patch: \WMPPatch
• Microsoft Baseline Security Analyzer: \MBSA
• SecureSystems.doc: \Student

Scenario:
Your next task as the bank’s security administrator is to make sure your new servers are
secure. With the current Windows NT server systems, the bank’s IT department has had
additional problems in the past with users, both internal and external, accessing services they
were not supposed to, as well as some problems with attacks on the default Internet Information
Server (IIS) configuration from Internet users. The bank wants to minimize the possibility of
those attacks without removing IIS altogether, as many of the systems will be deployed later as
Web servers, or will host applications that require IIS. For now, you as the security
administrator will disable these services until you harden them later on as you need them. Also,
the security plan calls for disabling the Print Spooler service on servers that are not being used
as print servers. Before connecting the new Windows 2000 Servers to your network and joining
the computers to the domain, you want to make sure that the server operating system is
hardened to minimize the likelihood of attacks from both internal and external users. Because
these will be domain member computers, all security-related policies will be set at the domain
level, so there is no need for you to configure them individually, but you will need to perform
other hardening steps individually on each system.
The IT department has designed a security deployment plan for all new systems, including the
Windows 2000 Server systems, and you as the security administrator need to make sure the
plan is implemented. Using the deployment design document SecureSystems.doc, implement
the changes on your Windows 2000 Server system, named Server#, in domain Domain#. The
default administrator account has been set up with a password of !Pass1234.

What You Do / How You Do It

1. If necessary, reboot your computer into Windows 2000 Server and log on as Administrator.
a. Restart the computer.
b. Choose Windows 2000 Server from the boot loader menu.
c. Log on as Administrator.

2. Install the Windows 2000 Security Rollup Package 1.
a. While logged on as Administrator, open \\Server100\SPlus\W2KSRP.
b. Double-click the rollup installation file to extract the files for the security rollup.
c. In the Choose Directory For Extracted Files dialog box, enter C:\rollup and click OK to specify a directory for the extracted rollup files.
d. In the Setup Wizard, click Next.
e. To accept the license agreement, select I Agree and click Next. The security rollup is installed.
f. When prompted, click Finish to restart the computer.
g. Log back on as Administrator.

3. Stop the unnecessary services.
a. On the desktop, right-click My Computer and choose Manage to open Computer Management.
b. Expand Services And Applications and select Services.
c. Right-click the FTP Publishing Service and choose Properties.
d. From the Startup Type drop-down list, select Disabled.
e. Click Stop.
f. After the service stops, click OK.
g. Use a similar procedure to disable and stop the Network News Transport Protocol service.
h. Use a similar procedure to disable and stop the Print Spooler service.
i. Use a similar procedure to disable and stop the World Wide Web Publishing service.
j. Close Computer Management.

If You Have Internet Access

4. Install Internet Explorer 6.
a. Open the \\Server100\SPlus\IE6 folder.
b. Double-click the IE6Setup file.
c. Select I Accept The Agreement and click Next.
d. Click Next. The Setup file connects to the Internet Explorer download site on Microsoft’s Web site to obtain the required files. The amount of time required for the download will vary depending upon the speed of your Internet connection.
e. If you see a list of incomplete installation components, click Next.
f. When the installation is finished, click Finish to restart the computer.
g. Log on as Administrator. Windows Update updates various files.

If You Do Not Have Internet Access

5. Install Internet Explorer 6.
a. Open the \\Server100\SPlus\IE6 folder.
b. Open the \I386 folder and double-click Setup.exe.
c. Click Install Internet Explorer 6 And Internet Tools.
d. Select I Accept The Agreement and click Next.
e. Click Next. Setup installs the updated components.
f. When the installation is finished, click Finish to restart the computer.
g. Log on as Administrator. Windows Update updates various files.
h. If you are prompted to resume Setup, click Next, and then click Finish.

6. Make the appropriate registry changes.
a. From the Start menu, choose Run.
b. Enter regedt32 and click OK.
c. Maximize the Registry Editor window.
d. Select and maximize the HKEY_LOCAL_MACHINE window.
e. Select and expand the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers key.
f. Select the Winreg subkey.
g. Choose Security→Permissions.
h. In the Name list, select the Administrators (DOMAIN#\Administrators) group.
i. In the Permissions list, check the Allow check box for Full Control. Click Apply.
j. In the Name list, select the Backup Operators group. Click Remove.
k. Click OK.
l. Select the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA key.
m. Double-click the Restrictanonymous value.
n. In the Data text box, type 1.
o. Click OK.
p. Close the Registry Editor.

7. Apply the Windows Media Player Security Patch.
The installation steps might vary depending on the current version of the patch.
a. Open the \\Server100\SPlus\WMPPatch folder.
b. Run the Windows Media Player 6.4 Update installation file (wm320920_64.exe).
c. When installation is complete, click OK.

8. Install the Microsoft Baseline Security Analyzer.
a. Open the \\Server100\SPlus\MBSA folder and run the MBSASetup.msi installation package.
b. Complete the Microsoft Baseline Security Analyzer Setup wizard by using the following parameters:
• Accept the license agreement.
• Accept the default User Information settings.
• Accept the default Destination Folder settings.
• On the Choose Install Options page, uncheck Show Readme File After Installation and uncheck Launch Application After Installation.
• Accept the default program feature selections.

9. Scan your system to establish a security baseline.
a. On the desktop, double-click the Microsoft Baseline Security Analyzer shortcut.
b. Click Scan A Computer.
c. Verify that your computer name appears in the Computer Name box and click Start Scan.
d. Review the scan results and click any Result Details or How To Correct This links to determine the security recommendations reported by MBSA.
e. Close MBSA.

10. Can you tell if all current security patches have been implemented on the Windows
2000 Server system? If not, why?

11. How would you fix some of the problems the scan has detected?
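The following Windows PowerShell script is an added example, not part of the course materials. It checks a server for the hardening applied in steps 3 and 6 of this activity and in items 4 and 5 of the hardening checklist earlier in this topic: unnecessary services disabled and stopped, RestrictAnonymous set to 1, and the ACL on the winreg key limited to trusted principals. The service short names and the list of principals allowed on winreg are assumptions stated in the script; adjust them to your environment.

```powershell
# Added example (not from the course or its data files): audit a Windows 2000
# member server for the service and registry hardening performed in this activity
# (steps 3 and 6) and in the hardening checklist earlier in this topic (items 4 and 5).
# Run from an administrative Windows PowerShell prompt; the script only reads settings.

function Test-ServerHardening {
    param(
        # Assumed short names of the services the activity disables: FTP Publishing,
        # Network News Transport Protocol, Print Spooler, World Wide Web Publishing.
        [string[]]$DisabledServices = @('MSFtpsvc', 'NntpSvc', 'Spooler', 'W3SVC'),
        # Assumed baseline of principals that may hold an Allow entry on winreg: the
        # activity leaves Administrators with Full Control and removes Backup Operators;
        # SYSTEM and LOCAL SERVICE are the operating system's own entries.
        [string[]]$WinregAllowed = @('BUILTIN\Administrators',
                                     'NT AUTHORITY\SYSTEM',
                                     'NT AUTHORITY\LOCAL SERVICE')
    )
    $findings = @()

    # 1. Unnecessary services must be disabled and stopped. A service that is not
    #    installed at all (for example, IIS was never added) needs no action.
    foreach ($name in $DisabledServices) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($svc -eq $null) { continue }
        if ($svc.StartMode -ne 'Disabled' -or $svc.State -ne 'Stopped') {
            $findings += "Service $name is $($svc.StartMode)/$($svc.State); expected Disabled/Stopped"
        }
    }

    # 2. RestrictAnonymous=1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa blocks
    #    anonymous (null session) enumeration of account information.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ($lsa.RestrictAnonymous -ne 1) {
        $findings += "RestrictAnonymous is '$($lsa.RestrictAnonymous)'; expected 1"
    }

    # 3. Remote registry access is governed by the ACL on SecurePipeServers\winreg.
    #    Flag any Allow entry for a principal outside the trusted list (the activity
    #    removes Backup Operators here).
    $winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
    if (Test-Path -Path $winreg) {
        foreach ($ace in (Get-Acl -Path $winreg).Access) {
            $who = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and $WinregAllowed -notcontains $who) {
                $findings += "winreg ACL grants $($ace.RegistryRights) to $who; remove or review"
            }
        }
    } else {
        $findings += 'SecurePipeServers\winreg key is missing; remote registry access is not restricted'
    }

    return ,$findings
}

$results = @(Test-ServerHardening)
if ($results.Count -eq 0) { 'No deviations from the hardening baseline found.' } else { $results }
```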

DISCOVERY ACTIVITY 2-8
Applying a Service Pack
Activity Time:
30 minutes

Setup:
Service Pack 3 is available on the network at \\Server100\SPlus\W2KSP3.

Scenario:
You have completed a basic hardening procedure on all Windows 2000 domain member
computers. However, Microsoft has just released a new Service Pack that postdates the last
security patches that you applied when you hardened your servers. The bank’s security policy
recommends applying the newest service packs as soon as possible.

1. If necessary, reboot your computer into Windows 2000 Server.

2. Install Windows 2000 Service Pack 3, accepting all defaults.

The location of the installation file might vary depending upon the source of the Service Pack. For example,
it might be in the Update folder.

TOPIC B
Harden Directory Services
In Topic 2A, you learned to increase security on base operating systems to make any kind of
computer service more secure. But system security doesn’t stop there, because, for each
specialized service you run in your environment, there are also specialized security problems and
holes that attackers are just longing to find and exploit. In the remainder of this lesson, you’ll
learn how to increase security on a variety of internal network services, starting with one of
the most fundamental and wide-ranging: the directory service that your organization depends
on for day-to-day user operations.
Have you ever lost your personal organizer? You know, the book, device, or calendar that has
your whole life in it—your appointments, key phone numbers, addresses? Remember how lost
and desperate you felt? Well, the directory service for your network is like the organizer for
your whole business. Your business really doesn’t want to lose that service to an attacker who
might get inside your network to attack it. By increasing directory security, you can make the
service a much tougher nut to crack.

Directory Services
Definition:
A directory service is a network service that stores information about all the objects in
a particular network, including users, groups, servers, client computers, and printers.
Users can use the directory service to access network resources, such as folders, printers,
and other network services, such as DNS or DHCP. Directory services can also be
used to centralize security and to secure access to network resources through access
control lists (ACLs) on network objects such as users, groups, computers, printers, and
folders. There is a set of rules in a directory service as to how objects are created and
what their characteristics (attributes) can be, and that set of rules is called the schema.
While schemas define a directory and its objects and containers, most schemas are
extensible, meaning they can be extended, or modified, to support the specific needs of
an organization.

Example:
Novell Directory Services (NDS) is an example of a directory service. NDS holds
information about all the users, groups, servers, printers, and other objects in a Novell
NetWare network. Users can use NDS to find network resources, such as printers, and
administrators can control access to such resources through access control lists. NDS
also has a schema that controls how objects are created and what attributes an
administrator may assign to them. NDS is illustrated in Figure 2-3 as an example of a
directory service.

Figure 2-3: NDS is an example of a directory service.

Example:
Microsoft Active Directory service, which can be installed on any of the Windows
2000 Server or Windows .NET Server operating systems, is another example of a
directory service. Active Directory holds information about all network objects for a
single Windows 2000 domain or multiple Windows 2000 domains. Active Directory
allows administrators to centrally manage and control access to resources using access
control lists. Active Directory also allows users to find resources anywhere on the
network. Active Directory also has a schema that controls how objects are created and
what attributes an administrator may assign to them.

The Lightweight Directory Access Protocol (LDAP)


The Lightweight Directory Access Protocol (LDAP) is a protocol used on TCP/IP networks
to access an LDAP directory service database or a directory service such as Active
Directory or NDS. Like a directory service, LDAP has a schema that defines exactly what you
can and can’t do while accessing a directory database, the form your query must take when
accessing the directory, and how the directory server will respond. And like a directory
service schema, the LDAP schema is extensible, which means you can make changes or add
on to it.

Directory Service Vulnerabilities


Because directory services are the heart and soul of any network, they’re highly prized by
network attackers as a rich store of information. Once the directory database has been
compromised, an attacker can do just about anything in the network—almost nothing’s off
limits.
Besides the security threats and operating system vulnerabilities we’ve covered so far, there are
some vulnerabilities that are unique to a directory service. Some examples of these
vulnerabilities are listed in Table 2-8.

Table 2-8: Directory Service Vulnerabilities
Directory Service / Vulnerability: Description

Active Directory
• Pre-Windows 2000 Compatible Access group: This group allows read-only access to the
security context Everyone if you install the domain controller to be compatible with
pre-Windows 2000 servers.
• Default permissions on Sysvol: Default NTFS permissions on volumes and, especially, the
SYSVOL file structure leave the door open for attackers to gain unauthorized access through
null sessions and the Everyone security context.
• Null sessions: By default, Windows 2000 machines allow null sessions and anonymous
enumeration of account information. The right utility, such as Netcat or Nmap, or even a
simple UNC connection to a Windows 2000 machine in the right format, can use a null
NetBIOS session to find out system information, which can then be used for later attacks.
• NTLM version 1: An attacker using a sniffer can detect passwords and user names by simply
viewing packets on network segments that contain downlevel (Windows 9x and pre-SP4
Windows NT 4.0) computers when they authenticate with Windows 2000 domain controllers.
With user names and passwords, unauthorized access to Active Directory can be attained
quite easily.

NDS
• Public Read access to NDS tree: Public Read access to the NDS tree after a default
installation of NDS allows the display of account names and other directory info to
non-logged-in users. This information could be used to gain access to the NDS tree later on
during an attack.
• Common Gateway Interface (CGI) security: It’s possible to remotely browse the NDS tree if
a particular CGI (/lcgi/ndsobj.nlm) is available and an attacker exploits it by sending it
malformed data. Remote browsing will reveal directory information to use in subsequent
attacks.
• NDS for NT elevated security access: If an attacker has a valid Novell NDS account of any
security level, it may be possible to gain access to any NT domain machine as Domain Admin
by using another NDS account that has been checked as having domain administrative rights
over the NT domain.

Hardened Directory Service


Definition:
A hardened directory service is a directory service that has been configured to protect
against software and hardware attacks according to a defined security policy. A hard-
ened directory service may include some or all of the following security configuration
settings:
• A hardened operating system to prevent attackers from exploiting operating sys-
tem vulnerabilities to attack the directory service.
• Current security patches for the directory service to close security holes in the
directory service itself.

Lesson 2: Hardening Internal Systems and Services 79


• An established backup schedule for the directory service database.
• Restricted user and administrative access. For example, to secure a Windows 2000
domain controller, you should limit access to the Sysvol share and not use the
Pre-Windows 2000 Compatible Access group.
• On a Windows 2000 domain controller, restricted null sessions.
• In a Windows 2000 domain, NTLMv2 for all downlevel clients.

Example: USA Travel’s Directory Services


According to USA Travel’s security policy, only the network administrator can admin-
ister the directory service, all operating system patches must be kept current, and the
directory services server must be kept in a locked room. Therefore, administrative
rights have been restricted on the directory services server to only the network admin-
istrator, and the server is kept in a locked room. The administrator has also configured
automatic updates to alert him to new updates to the server’s operating system.
Because the directory service and the directory service server have been configured
according to the company’s security policy, this is an example of a hardened directory
service.

Harden Directory Services


Procedure Reference: Harden Active Directory Domain Controllers
To harden a Windows 2000 Active Directory domain controller:
1. Harden the domain controller’s operating system to prevent attackers from
exploiting operating system vulnerabilities to attack the directory service.
2. Establish a regular backup schedule for the directory service database.
3. Use the Security Configuration And Analysis tool to analyze the domain controller
settings using the Hisecdc template as the criterion.
a. Snap the Security Configuration And Analysis utility into a blank MMC.
b. In the console tree, right-click the Security Configuration And Analysis
object and choose Open Database.
c. Name the new database and click Open.
d. Select the Hisecdc security template and click Open.
e. In the console tree, right-click the Security Configuration And Analysis
object and choose Analyze Computer Now. Click OK.
f. Review the results by expanding the nodes in the console tree and by exam-
ining settings in the details pane.
4. For a single domain controller, apply the Hisecdc template directly to the domain
controller to restrict user and administrative access.
a. In the console tree, right-click the Security Configuration And Analysis
object and choose Configure Computer Now.
b. Accept the default path for the error log file.
5. For multiple domain controllers, deploy the Hisecdc template through Group
Policy to restrict user and administrative access.
a. In Active Directory Users And Computers, open the properties of the Domain
Controllers Organizational Unit (OU) and select the Group Policy tab.

b. With the Default Domain Controllers Policy selected, click Edit.
c. Expand Computer Configuration/Windows Settings.
d. Select and right-click Security Settings and choose Import Policy.
e. Select the Hisecdc template and click Open.
f. Close Group Policy, click OK in the property sheet, and close Active Direc-
tory Users And Computers.
6. Re-analyze the domain controller to verify the settings have been configured.
7. Apply the latest security patches for the directory service to close security holes
in the directory service itself.
8. Restrict null sessions to the domain controller by setting the Additional
   Restrictions For Anonymous Connections security option (the RestrictAnonymous
   registry value), which the Hisecdc template sets to its most restrictive level.
9. Configure downlevel clients to use NTLMv2 for authentication to the domain
   controller (the LAN Manager Authentication Level security option, LmCompatibilityLevel).
   Windows 95 and Windows 98 clients need the Directory Services Client installed
   before they can use NTLMv2.
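The analyze step of this procedure compares the current configuration with a template and lists every difference. The following Python script is an added example, not part of this manual or of Windows: it reads two security templates in the .inf layout that secedit and the Security Configuration And Analysis snap-in use (sections such as [System Access], [Event Audit] and [Registry Values], where registry lines take the form path=type,value and type 4 is REG_DWORD), reports each baseline setting the current export does not meet, and marks the password and lockout settings that Windows 2000 honours only in policy linked at the domain level. Both inputs are constructed: the baseline is an abridged set of lines modeled on Hisecdc.inf, and the "current" text stands in for what `secedit /export` would produce on a freshly promoted domain controller.

```python
"""Compare an exported Windows security configuration against a hardening template.

Both inputs use the .inf layout that secedit and the Security Configuration And
Analysis snap-in read and write. The sample text is constructed for this example.
"""
import configparser
from typing import Dict, List, Tuple

# Abridged baseline modeled on a few lines of the Windows 2000 Hisecdc.inf template.
# [Registry Values] lines are path=type,value; type 4 is REG_DWORD.
HISECDC_BASELINE = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed stand-in for "secedit /export" output from a freshly promoted domain controller.
CURRENT_EXPORT = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
AuditAccountLogon = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
[Version]
signature="$CHICAGO$"
Revision=1
"""

SKIP_SECTIONS = {"Unicode", "Version"}          # bookkeeping sections, not settings
# [System Access] keys that Windows 2000 applies only from policy linked at the domain.
DOMAIN_ONLY_PREFIXES = ("MinimumPassword", "MaximumPassword", "PasswordComplexity",
                        "PasswordHistory", "Lockout", "ClearTextPassword",
                        "RequireLogonToChangePassword")


def load_template(text: str) -> configparser.ConfigParser:
    """Parse .inf text; keep key case and treat only '=' as the separator."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str          # registry paths must not be lower-cased
    cp.read_string(text)
    return cp


def decode_registry_value(raw: str) -> Tuple[int, str]:
    """Split a [Registry Values] entry such as '4,2' into (type code, value)."""
    type_code, _, value = raw.partition(",")
    return int(type_code), value


def compare_templates(baseline_text: str, current_text: str) -> List[Dict[str, str]]:
    """Return one finding per baseline setting that the current export does not match."""
    baseline = load_template(baseline_text)
    current = load_template(current_text)
    findings: List[Dict[str, str]] = []
    for section in baseline.sections():
        if section in SKIP_SECTIONS:
            continue
        for key, expected in baseline.items(section):
            actual = current.get(section, key, fallback=None)
            if actual == expected:
                continue
            domain_only = section == "System Access" and key.startswith(DOMAIN_ONLY_PREFIXES)
            findings.append({
                "section": section,
                "setting": key,
                "expected": expected,
                "actual": "not set" if actual is None else actual,
                "scope": "domain" if domain_only else "computer",
            })
    return findings


if __name__ == "__main__":
    for f in compare_templates(HISECDC_BASELINE, CURRENT_EXPORT):
        print(f"[{f['section']}] {f['setting']}: expected {f['expected']}, "
              f"found {f['actual']} (applied at {f['scope']} level)")
```

Run against a real export, the "domain" findings are the ones that applying Hisecdc to the Domain Controllers OU will not fix; they need the Default Domain Policy.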

Directory Management Tools


You can use a plain LDAP browser or editor, such as the Active Directory Administra-
tion Tool (Ldp.exe) seen in Figure 2-4, that ships with the Windows 2000 Server
Support Tools, to work with a directory database. But in most cases, especially with
Windows 2000 and NetWare 6, you’ll probably use a GUI utility, such as Active
Directory Users And Computers or ConsoleOne to manipulate directory data, creating
users and groups, populating groups, and setting security on the objects.

Figure 2-4: Using Ldp to access the Active Directory directory service.
While the plain LDAP editor might be useful in troubleshooting situations, the GUI utili-
ties are easier to work with, as you can see when you compare Figure 2-5 with Figure
2-4. In addition, you can create scripts that use LDAP to automate routine directory
maintenance tasks, such as adding large numbers of users or groups and checking for
accounts that permit blank passwords, disabled accounts, or obsolete accounts that were
never removed.
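One way to script the account checks mentioned above. This is an added example, not part of this manual: a Python script that reads an LDIF export of user objects (such as ldifde produces on Windows 2000) and flags every account whose userAccountControl bits show it to be disabled, to permit a blank password (PASSWD_NOTREQD), or to have a password that never expires. The bit values are the ones defined in the Active Directory schema; the sample export, its account names and its distinguished names are constructed for the example.

```python
"""Audit user accounts from an LDIF export of Active Directory (e.g. from ldifde)."""
import base64
from typing import Dict, List, Tuple

# userAccountControl flag bits as defined in the Active Directory schema.
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020          # a blank password is permitted
DONT_EXPIRE_PASSWORD = 0x10000

# Constructed sample export; names and DNs are invented. "::" marks a base64 value.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=example,DC=test
objectClass: user
sAMAccountName: alice
userAccountControl: 512

dn: CN=Old Contractor,OU=Staff,DC=example,DC=test
objectClass: user
sAMAccountName: contractor7
userAccountControl: 514

dn: CN=Kiosk,OU=Staff,DC=example,DC=test
objectClass: user
sAMAccountName: kiosk
description:: U2hhcmVkIGtpb3Nr
userAccountControl: 544

dn: CN=Service Account,OU=Staff,DC=example,DC=test
objectClass: user
sAMAccountName: svc_backup
userAccountControl: 66048
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: unfolds continuation lines, decodes base64 ('::')
    values, and splits entries on blank lines."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:     # RFC 2849 line folding
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def audit_accounts(entries: List[Entry]) -> List[Tuple[str, List[str]]]:
    """Return (sAMAccountName, issues) for every user object with a risky UAC bit set."""
    findings: List[Tuple[str, List[str]]] = []
    for entry in entries:
        if "user" not in entry.get("objectClass", []):
            continue
        uac = int(entry.get("userAccountControl", ["0"])[0])
        issues: List[str] = []
        if uac & ACCOUNTDISABLE:
            issues.append("disabled")
        if uac & PASSWD_NOTREQD:
            issues.append("blank password permitted")
        if uac & DONT_EXPIRE_PASSWORD:
            issues.append("password never expires")
        if issues:
            findings.append((entry.get("sAMAccountName", ["?"])[0], issues))
    return findings


if __name__ == "__main__":
    for name, issues in audit_accounts(parse_ldif(SAMPLE_LDIF)):
        print(f"{name}: {', '.join(issues)}")
```

Disabled accounts that are months old and accounts with PASSWD_NOTREQD set are the first two things to remove; the latter lets an administrator set an empty password no matter what the domain password policy says.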


Figure 2-5: Using Active Directory Users And Computers to access the Active
Directory directory service.

LDAP version 2 is defined in RFC 1777; LDAP version 3, the version Active Directory and
current directory servers speak, is defined in RFC 2251 (since revised as RFC 4511).

ACTIVITY 2-9
Hardening Directory Services
Data Files:
• SecureSystems.doc

Scenario:
Your next task as the bank’s security administrator is to make sure Active Directory is secure.
With the current Windows NT domain environment, the bank’s IT department has had prob-
lems in the past with users, both internal and external, logging on with user accounts that were
not their own. They also had problems with users not changing their passwords in the domain
and using easy-to-guess passwords. There were also some problems with attacks on servers
from Internet users. The bank wants to minimize the possibility of the attacks to the Active
Directory domain. Before connecting the new Active Directory domain controllers to your net-
work and joining the new Windows XP Professional computers to the domain, you want to
make sure that Active Directory is hardened to minimize the likelihood of attacks from both
internal and external users.
The IT Department and Active Directory design team has created a deployment plan for the
Windows 2000 Active Directory servers and you as the security administrator need to make
sure the plan is implemented. Using the deployment design document SecureSystems.doc,
implement the changes on your Windows 2000 server systems.

1. Analyze the domain controller security settings against the appropriate security
   template as specified in the SecureSystems.doc file.
   a. Open the \\Server100\SPlus\Student\SecureSystems.doc file and determine the
      required security template.
   b. From the Start menu, choose Run.
   c. Enter mmc and click OK.
   d. Maximize the Console1 and Console Root windows.
   e. Choose Console→Add/Remove Snap-in.
   f. Click Add.
   g. Select Security Configuration And Analysis and click Add. Click Close.
   h. Click OK.
   i. Right-click Security Configuration And Analysis and choose Open Database. You
      need to create a database of desired security settings to analyze against the
      current settings.
   j. In the File Name text box, enter DC.sdb. Click Open.
   k. In the Import Template dialog box, select Hisecdc.inf and click Open.
   l. Right-click Security Configuration And Analysis and choose Analyze Computer
      Now.
   m. Click OK to accept the default error log file.
   n. In the console tree, expand Security Configuration And Analysis, expand Local
      Policies, and select Audit Policy. There are several policy settings in the
      template for this category that differ from the current setting on the domain
      controller.
   o. Select Security Options. There are several policy settings in this category
      that differ.
      There are also policy settings in the Password Policy and Account Lockout
      Policy categories of the template that differ from the current computer
      settings. However, these policies can only be set at the domain level, not on
      a lower OU such as the Domain Controllers OU. For example, applying this
      template to the Domain Controllers OU will not affect the domain's password
      policy.
   p. Minimize the MMC console.

2. As the domain administrator, use Group Policy to deploy the appropriate security
   template to domain controllers in your domain.
   a. From the Start menu, choose Programs→Administrative Tools→Active Directory
      Users And Computers.
   b. Expand your Domain# object.
   c. Right-click the Domain Controllers OU and choose Properties.
   d. Select the Group Policy tab.
   e. With the Default Domain Controllers Policy selected, click Edit.
   f. Expand Computer Configuration/Windows Settings and select Security Settings.
   g. Right-click Security Settings and choose Import Policy.
   h. Select the Hisecdc.inf security template and click Open.
   i. Close Group Policy.
   j. In the Domain Controllers Properties dialog box, click OK.
   k. Close Active Directory Users And Computers.

3. What other security templates are available in a default installation of Windows
   2000?

4. Refresh the group policy settings on the domain controller.
   a. Open a command prompt window.
   b. Enter secedit /refreshpolicy machine_policy. (Add /enforce to reapply the
      settings even if Windows believes the policy has not changed.)
   c. Close the command prompt window.

5. Reanalyze the system to verify that the policy changes from the template are in
   effect.
   a. Switch to the MMC console window.
   b. Right-click Security Configuration And Analysis and choose Analyze Computer
      Now.
   c. Click OK to accept the default error log file.
   d. Expand Local Policies and select Audit Policy. The policy settings on the
      domain controller are now consistent with the settings in the template.
   e. Select Security Options. The policy settings on the domain controller are now
      consistent with the settings in the template, with the exception of the
      Automatically Log Off Users When Logon Time Expires setting, which is applied
      at the domain level.
   f. Close the MMC console. There is no need to save the console.

TOPIC C
Harden DHCP Servers
In Topic 2B, you learned to increase the security on one of your most important internal net-
work services, your directory. Clients who connect to that directory internally will need to get
network addressing information from another important network service: DHCP. In this topic,
you’ll learn to increase the security on your company’s DHCP servers.
If your DHCP servers go down, or start handing out bad address information, your core
infrastructure keeps running: the major systems on your network have static IP addresses
and don't rely on DHCP. But those systems and services exist to serve your network
clients, and if DHCP is compromised, the clients are the ones who won't be able to
connect (or will be handed a default gateway or DNS server of the attacker's choosing),
and the network team is going to start getting phone calls from irate users. Avoid this
nightmare by making your DHCP servers as hard to hijack as you possibly can.

DHCP Server Vulnerabilities


In addition to the base operating system vulnerabilities we’ve already covered, DHCP servers
also have some specific vulnerabilities, some examples of which are described in Table 2-9.

Table 2-9: DHCP Server Vulnerabilities

MAC address spoofing
    A DHCP server hands a lease to any client that asks, and reservations are keyed
    only on the client's hardware address. An attacker who spoofs the MAC address of
    hardware that is part of the corporate network obtains a valid lease, or a
    specific reserved address, and can then communicate with the other computers on
    that network.

Novell DHCP server buffer overflow
    The DHCP server shipped with NetWare 6.0 SP1 has been found to contain various
    buffer overflows in the handling of malformed DHCP requests, which cause the
    service to ABEND (ABnormal END) and potentially cause the entire server to reboot.

Scope modification
    An attacker gains access to a DHCP server and modifies the scope, causing
    incorrect IP address leases and disrupting communications on the network.

Rogue DHCP servers
    Anyone with administrative access to a server can install the DHCP service, create
    a scope with false addresses, and begin handing them out to DHCP clients, thus
    preventing the clients from communicating on the network. Because a client
    accepts the first offer it receives, a rogue server on the same segment can also
    win the race and name itself as the clients' default gateway or DNS server.

DHCP for remote clients
    A remote access server that uses DHCP to assign IP addresses to remote clients can
    provide attackers with IP addresses and other network configuration information
    if they can connect to the remote access server.

Hardened DHCP Server
Definition:
A hardened DHCP server is a DHCP server that has been configured to protect against
software and hardware attacks according to a defined security policy. A hardened
DHCP server may include some or all of the following security configuration settings:
• A hardened operating system to prevent attackers from exploiting operating sys-
tem vulnerabilities to attack the DHCP server.
• The latest security patches for the DHCP service to remove any vulnerabilities in
the DHCP service itself, such as the DHCP server buffer overflow vulnerability in
the DHCP server shipped with NetWare 6.0 SP1.
• An established backup plan for the DHCP database so it can be restored if it’s
ever deleted or corrupted as the result of an attack.
• Authorization in Active Directory in a Windows 2000 network to prevent rogue
DHCP servers from disrupting network communications.
• DHCP broadcast packets that do not traverse border routers.
• Restricted administrative access to prevent attackers from gaining unauthorized
administrative access and modifying scope or server properties.

Example: USA Travel’s DHCP Server


According to USA Travel’s security policy, only the network administrator can admin-
ister the DHCP server, all operating system patches must be kept current, and the
DHCP server must be kept in a locked room. Therefore, administrative rights have
been restricted on the DHCP server to only the network administrator, and the server is
kept in a locked room. The administrator has also configured automatic updates to alert
him to new updates to the server's operating system. Because the DHCP server has
been configured according to the company's security policy, this is an example of a
hardened DHCP server.

Harden DHCP Servers


Procedure Reference: Harden a Windows 2000 DHCP Server
To harden a Windows 2000 DHCP server:
1. Harden the operating system to prevent attackers from exploiting operating system
vulnerabilities to attack the DHCP server.
2. Install the latest security patches for the DHCP service to remove any vulnerabili-
ties in the DHCP service itself.
3. Establish a backup plan for the DHCP database so it can be restored if it’s ever
deleted or corrupted as the result of an attack.
4. In the DHCP administrative tool, right-click the DHCP server object and choose
Authorize to guard against rogue DHCP servers in an Active Directory domain.
5. Remove the DHCP Relay Agent to prevent DHCP broadcast packets from travers-
ing the router.
a. From the Administrative Tools menu, choose Routing And Remote Access.
b. Expand the server object and IP Routing.
c. Select and right-click DHCP Relay Agent, and choose Delete.

6. Restrict administrative access to prevent attackers from gaining unauthorized
administrative access and modifying scope or server properties.
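What a rogue server looks like on the wire, and how a sensor would recognise one. The following Python is an added example, not part of this manual: it builds and parses DHCP server replies according to RFC 2131 (the 236-byte fixed header, the 0x63825363 magic cookie, and options 53 (message type) and 54 (server identifier)), then flags any DHCPOFFER or DHCPACK whose server identifier is not on an authorized list. Active Directory authorization (step 4) stops the Windows 2000 DHCP service from starting on an unauthorized server, but it cannot stop a non-Windows or otherwise misconfigured server, so this is the check a network monitor would still run. The packets, MAC address and IP addresses are constructed; nothing is sent on a network.

```python
"""Build and parse DHCP server replies (RFC 2131) and flag offers from unauthorized servers."""
import struct
from ipaddress import IPv4Address
from typing import Dict, List, Sequence

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
DHCPOFFER, DHCPACK = 2, 5
BOOTREPLY = 2
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
FIXED_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"   # 236 bytes
FIXED_LEN = struct.calcsize(FIXED_HEADER)


def build_reply(msg_type: int, xid: int, client_mac: bytes, yiaddr: str, server_ip: str) -> bytes:
    """Construct a DHCPOFFER/DHCPACK as a server would send it (used here as sample traffic)."""
    server = IPv4Address(server_ip).packed
    fixed = struct.pack(FIXED_HEADER, BOOTREPLY, 1, 6, 0, xid, 0, 0,
                        b"\0" * 4, IPv4Address(yiaddr).packed, server, b"\0" * 4,
                        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = (bytes([OPT_MESSAGE_TYPE, 1, msg_type])
               + bytes([OPT_SERVER_ID, 4]) + server
               + bytes([OPT_END]))
    return fixed + MAGIC_COOKIE + options


def parse_reply(packet: bytes) -> Dict[str, object]:
    """Decode the fields a rogue-server check needs: xid, client MAC, offered address,
    message type (option 53) and server identifier (option 54)."""
    fields = struct.unpack(FIXED_HEADER, packet[:FIXED_LEN])
    if packet[FIXED_LEN:FIXED_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (magic cookie missing)")
    options: Dict[int, bytes] = {}
    i = FIXED_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    server_id = options.get(OPT_SERVER_ID)
    return {
        "op": fields[0],
        "xid": fields[4],
        "chaddr": fields[11][:fields[2]].hex(":"),
        "yiaddr": str(IPv4Address(fields[8])),
        "message_type": options[OPT_MESSAGE_TYPE][0] if OPT_MESSAGE_TYPE in options else None,
        "server_id": str(IPv4Address(server_id)) if server_id else None,
    }


def find_rogue_servers(packets: Sequence[bytes], authorized: Sequence[str]) -> List[str]:
    """Server identifiers of every OFFER/ACK that did not come from an authorized server."""
    allowed = {str(IPv4Address(a)) for a in authorized}
    rogue: List[str] = []
    for packet in packets:
        reply = parse_reply(packet)
        if reply["op"] != BOOTREPLY or reply["message_type"] not in (DHCPOFFER, DHCPACK):
            continue
        if reply["server_id"] not in allowed:
            rogue.append(reply["server_id"])
    return rogue


# Constructed sample traffic: one offer from the authorized server, one from a rogue.
CLIENT_MAC = bytes.fromhex("0050560a1b2c")
SAMPLE_PACKETS = [
    build_reply(DHCPOFFER, 0x3903F326, CLIENT_MAC, "192.168.10.50", "192.168.10.2"),
    build_reply(DHCPOFFER, 0x3903F326, CLIENT_MAC, "192.168.10.250", "192.168.10.77"),
]
AUTHORIZED_SERVERS = ["192.168.10.2"]

if __name__ == "__main__":
    for rogue in find_rogue_servers(SAMPLE_PACKETS, AUTHORIZED_SERVERS):
        print(f"unauthorized DHCP server: {rogue}")
```

A real monitor feeds this the UDP payloads of traffic from port 67; the server identifier, not the IP header's source address, is what the client binds to, so that is the field to compare against the authorized list.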

ACTIVITY 2-10
Hardening DHCP
Scenario:
One of the next tasks as the bank’s security administrator is to make sure DHCP is secure.
With the current Windows NT Server systems, the bank’s IT department has had problems in
the past with rogue DHCP servers being set up on the network and giving out unauthorized IP
addresses. The bank also had problems with some Windows NT DHCP servers giving out
addresses on subnets they were not supposed to. Before connecting the new Windows 2000
DHCP Servers to your network, you want to make sure that DHCP is hardened to minimize
the likelihood of attacks from both internal and external users.

Although DHCP is running on a domain controller for classroom and testing purposes, DHCP servers should not
run on domain controllers, as this is a security risk: a DHCP server that registers DNS records on behalf of
its clients, particularly one placed in the DnsUpdateProxy group, leaves those records without a secure owner,
so any client can overwrite them (which can include the domain controller's own records when the DC's computer
account is a member of that group) and impersonate the domain controller. Also, if you have Active
Directory-integrated DNS zones and you have more than one DHCP server covering the same subnet (for
redundancy), you may need to add the DHCP servers to the DnsUpdateProxy group.

To prevent rogue Windows 2000 DHCP servers from being installed on the network, the
Active Directory design team has decided to have all the Windows 2000 DHCP servers autho-
rized in Active Directory. To prevent DHCP addresses from passing to inappropriate subnets,
they have decided to eliminate the DHCP Relay Agent from all Windows 2000 routers. As the
security administrator, you need to make sure these changes are implemented.

1. Authorize the DHCP server.
   a. From the Start menu, choose Programs→Administrative Tools→DHCP. Do not
      activate the DHCP scope.
   b. Select and right-click the DHCP server object, and choose Authorize.
   c. Choose Action→Refresh until the server object appears with a green
      upward-pointing arrow.
   d. Close DHCP.

2. Remove the DHCP Relay Agent in Routing and Remote Access. (You can also harden
   RRAS itself so that it does not use DHCP.)
   a. From the Start menu, choose Programs→Administrative Tools→Routing And Remote
      Access.
   b. Expand your server object, and expand IP Routing.
   c. Select and right-click DHCP Relay Agent, and choose Delete.
   d. Click Yes to confirm the deletion.
   e. Close Routing And Remote Access.

3. Why would you delete the DHCP relay agent?

TOPIC D
Harden Network File and Print Servers
Once clients connect to your network with their DHCP address and get authenticated by the
directory service, they are going to want to access basic network resources, like shared files
and network printers, in order to get their day-to-day work accomplished. The servers that host
your shared files and printers might not be as specialized as the other network services we’ve
discussed, but they do have their own security needs. In this topic, you’ll learn to increase the
security of the basic file and print sharing services on your network.
File and print servers might not seem like the most interesting or exciting network services,
but they are in need of your protection. For one thing, if these servers are compromised, so is
the ability of network users to do their day-to-day jobs. For another thing, you don’t want
attackers getting access to sensitive company information that might be stored in files on those
servers. So, these basic services are as worthy of your security attention as anything else that’s
running on your network.

SMB Signing
The Server Message Block (SMB) protocol runs on top of protocols such as TCP/IP, IPX/SPX,
and NetBEUI, and is used to access shared network resources, such as files and printers. SMB
typically works in this way:
1. A client computer sends SMB packets to a server to establish a connection.
2. After a client computer makes the initial connection to the server, it uses SMB packets to
send requests for shared data or commands to a shared printer.

3. The server that received the request responds, returning SMBs containing the data that the
client requested or responses to commands sent to a printer.
Because this type of two-way communication is prone to man-in-the-middle attacks (and
possibly a subsequent DoS attack if the attacker sends the server a malformed SMB packet),
depending on the level of security your network data requires, you should implement SMB
signing to help secure this type of communication. When you implement SMB signing, the
client places a signature in the header of each SMB it sends: a keyed hash computed over
the whole message with a key derived from the session key established when the user
authenticated. The server verifies the signature with its own copy of the key, and signs
its replies the same way, so a packet that was altered or injected in transit, or replayed
out of sequence, fails verification and is discarded. In this way both client and server
can be sure each SMB came from the peer they authenticated and was not tampered with on the
wire. Signing does not encrypt the traffic, so it does not stop an eavesdropper from
reading the data. For especially sensitive data, you can configure your servers and
clients to require SMB signing; if one side requires signing and the other is not
configured to use it, they won't be able to initiate a session. Signing costs CPU time on
both ends, which is the usual argument against requiring it everywhere.
SMB is the file-sharing protocol of Windows 95, Windows 98, and Windows NT 4.0, which
supports SMB signing from SP3 onward. SMB is also used in NetWare 6 (CIFS.NLM) and is
available for the UNIX environment, including Solaris, as Samba. Windows 2000 and
Windows XP implement SMB under the name Common Internet File System (CIFS).
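What signing actually does to a packet. The following Python is an added example, not part of this manual or of any SMB implementation: it builds a 32-byte SMB1 header, sets the SMB_FLAGS2_SMB_SECURITY_SIGNATURE bit (0x0004) in Flags2, signs the message the way MS-CIFS describes for SMB1 (the sequence number is written into the 8-byte SecurityFeatures field, MD5 is computed over the signing key followed by the message, and the first 8 bytes of the digest replace that field), verifies it, and shows that a tampered or replayed message fails. It also encodes the policy matrix described above, with each side set to disabled, enabled (sign when the peer agrees) or required (the Always policies). The 16-byte signing key is assumed; on Windows it is derived from the NTLM or Kerberos session key, and the exact derivation depends on the authentication package.

```python
"""SMB1 message signing: the Flags2 bit, the MAC over each message, and the policy matrix."""
import hashlib
import hmac
import struct

# 32-byte SMB1 header: protocol, command, status, flags, flags2, pidhigh,
# security features (8 bytes: the signature), reserved, tid, pid, uid, mid
SMB_HEADER = "<4sBIBHH8sHHHHH"
FLAGS2_OFFSET = 10                     # 4 + 1 + 4 + 1
SECURITY_FEATURES_OFFSET = 14          # 4 + 1 + 4 + 1 + 2 + 2
SMB_FLAGS2_SMB_SECURITY_SIGNATURE = 0x0004
SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_FLAGS_DEFAULT = 0x18               # CASE_INSENSITIVE | CANONICALIZED_PATHS


def build_smb(command: int, flags2: int, body: bytes) -> bytes:
    """Header with an empty SecurityFeatures field, followed by the parameter/data body."""
    header = struct.pack(SMB_HEADER, b"\xffSMB", command, 0, SMB_FLAGS_DEFAULT, flags2, 0,
                         b"\0" * 8, 0, 0, 0, 0, 0)
    return header + body


def is_signed(msg: bytes) -> bool:
    flags2 = struct.unpack_from("<H", msg, FLAGS2_OFFSET)[0]
    return bool(flags2 & SMB_FLAGS2_SMB_SECURITY_SIGNATURE)


def _with_sequence(msg: bytes, seq: int) -> bytes:
    # MS-CIFS: before hashing, SecurityFeatures holds the sequence number and 4 zero bytes.
    return (msg[:SECURITY_FEATURES_OFFSET] + struct.pack("<II", seq, 0)
            + msg[SECURITY_FEATURES_OFFSET + 8:])


def sign(msg: bytes, key: bytes, seq: int) -> bytes:
    """Replace SecurityFeatures with the first 8 bytes of MD5(key || message-with-sequence)."""
    mac = hashlib.md5(key + _with_sequence(msg, seq)).digest()[:8]
    return msg[:SECURITY_FEATURES_OFFSET] + mac + msg[SECURITY_FEATURES_OFFSET + 8:]


def verify(msg: bytes, key: bytes, seq: int) -> bool:
    """Recompute the MAC for the expected sequence number and compare in constant time."""
    expected = hashlib.md5(key + _with_sequence(msg, seq)).digest()[:8]
    return hmac.compare_digest(expected, msg[SECURITY_FEATURES_OFFSET:SECURITY_FEATURES_OFFSET + 8])


def negotiate_signing(client: str, server: str) -> str:
    """Outcome for a policy pair; each side is 'disabled', 'enabled' (sign when the
    peer agrees) or 'required' (the Always policies)."""
    if "required" in (client, server):
        return "refused" if "disabled" in (client, server) else "signed"
    if client == "enabled" and server == "enabled":
        return "signed"
    return "unsigned"


# Constructed demonstration; the 16-byte session key is assumed, not derived from NTLM.
SESSION_KEY = bytes(range(16))


def demo() -> dict:
    msg = sign(build_smb(SMB_COM_SESSION_SETUP_ANDX, SMB_FLAGS2_SMB_SECURITY_SIGNATURE,
                         b"\0\0\0"), SESSION_KEY, 2)
    tampered = msg[:-1] + bytes([msg[-1] ^ 0x01])      # flip one bit in the body
    return {"signed": is_signed(msg),
            "valid": verify(msg, SESSION_KEY, 2),
            "replay_rejected": not verify(msg, SESSION_KEY, 3),
            "tamper_rejected": not verify(tampered, SESSION_KEY, 2)}


if __name__ == "__main__":
    print(demo())
```

The MD5-based scheme shown is the SMB1/CIFS one that Windows 2000 uses; SMB2 moved to HMAC-SHA256 and SMB3 to AES-CMAC or AES-GMAC, but the property is the same: without the session key, an attacker in the middle can neither forge nor alter a message without the peer noticing.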

Hardened File and Print Server


Definition:
A hardened file and print server is a file and print server that has been configured to
protect against software and hardware attacks according to a defined security policy. A
hardened file and print server may include some or all of the following security con-
figuration settings:
• A hardened operating system, so that attackers cannot reach the file-sharing and
print services through operating system vulnerabilities.
• An established backup plan to protect sensitive files in the event of an attack.
• Restricted access to file and print resources.
• Disabled administrative shares.
• SMB signing enabled to prevent man-in-the-middle attacks.
• File encryption enabled to protect sensitive files.
• Restricted physical access to the printer or the paper tray on the printer.

Example: USA Travel’s File and Print Servers


According to USA Travel’s security policy, all operating system patches must be kept
current on all file and print servers. Therefore, the administrator has configured auto-
matic updates to alert him to new updates to all the file and print servers’ operating
systems. Because the file and print servers have been configured according to the com-
pany’s security policy, they are examples of hardened file and print servers.

Harden Network File and Print Servers


Procedure Reference: Harden a Windows 2000 File and Print Server
To harden Windows 2000 file and print servers:
1. Harden the operating system to remove any vulnerabilities in the file-sharing and
print services.

2. Establish a regular backup schedule to protect sensitive files in the event of an
attack.
3. Use NTFS permissions to secure files and folders.
a. Open Windows Explorer or My Computer.
b. Browse to the file or folder you want to secure.
c. Right-click the file or folder and choose Properties.
d. Select the Security tab and configure the appropriate NTFS permissions.
e. For a shared folder, select the Sharing tab and configure the appropriate share
permissions.
4. Remove administrative shares as specified in your security policy.
a. In Regedt32, expand HKEY_LOCAL_MACHINE\SYSTEM\
CurrentControlSet\Services\LanmanServer. Select the Parameters key.
b. Choose Edit→Add Value, and type AutoShareServer in the Value Name text
box.
c. From the Data Type drop-down list, select REG_DWORD, and click OK.
d. In the DWORD Editor dialog box, in the Data text box, type 0. Click OK.
e. Reboot the computer and verify that the administrative shares have been
removed.
5. Force SMB signing to prevent man-in-the-middle attacks.
   a. From the Administrative Tools menu, choose Domain Controller Security
      Policy.
   b. Expand Windows Settings, Security Settings, and Local Policies, and select
      Security Options.
   c. Enable the Digitally Sign Client Communication (Always) policy. On a member
      server that only serves files and printers, the policy that enforces signing
      on incoming connections is Digitally Sign Server Communication (Always), set
      in the server's Local Security Policy or in a Group Policy that applies to it;
      the When Possible variants negotiate signing but still accept unsigned peers.
6. Encrypt sensitive files and folders using the Encrypting File System (EFS).
a. In Windows Explorer or My Computer, right-click the file or folder you want
to encrypt and choose Properties.
b. On the General page of the property sheet, click Advanced.
c. Check Encrypt Contents To Secure Data.
7. Restrict physical access to printers that may contain sensitive documents.

ACTIVITY 2-11
Hardening File and Print Servers
Data Files:
• SecureSystems.doc

Scenario:
One of the next tasks as the bank’s security administrator is to make sure your file and print
servers are secure. With the current Windows NT Server systems, the bank’s IT department has
had problems in the past with users accessing resources that they were not supposed to have
access to. There were also SMB man-in-the-middle attacks. The bank also had problems with
some confidential print jobs being taken from printers. Before connecting the new Windows
2000 file and print servers to your network, you want to make sure that your file and print
servers are hardened to minimize the likelihood of attacks from both internal and external
users.

Although the file and print server is running on a domain controller for classroom and testing purposes, you
should not use a domain controller as a file and print server because it poses a security risk.

To prevent users from accessing information that they are not supposed to and to prevent
attackers from getting data, the bank’s IT department has decided to tighten permissions and
implement appropriate countermeasures to prevent these attacks. As shares are created on the
systems by the desktop support group, the IT department will verify that only the minimal per-
missions necessary are assigned. As the security administrator, your job is to implement any
required system-wide security changes on all servers that will function as file and print servers.
The underlying operating systems for these servers were hardened at installation time accord-
ing to the general OS hardening guidelines of the organization. In some cases, you need to
alter that configuration to permit the systems to function in their new roles. The IT department
has provided you with a security recommendations document, SecureSystems.doc, that contains
the desired security configuration information for file and print servers.

1. Enable the Print Spooler service.
   a. Open Computer Management.
   b. In Computer Management, expand Services And Applications and select Services.
   c. Double-click the Print Spooler service.
   d. Set the Startup Type to Automatic and click Apply.
   e. Click Start.
   f. Once the service has started, click OK.

2. How can you prevent users from stealing print jobs from the printers?

3. Determine which folders are currently shared on the Windows 2000 Server.
   a. In Computer Management, expand Shared Folders and select Shares.
   b. When you have identified all the shares, close Computer Management.

4. What shares are currently available on the Windows 2000 server?

5. What could you do with the default administrative shares to harden the Windows
   2000 server?

6. Remove the administrative shares as specified in the SecureSystems.doc file.
   a. Open the \\Server100\SPlus\Student\SecureSystems.doc file and locate the File
      And Print Server Hardening Recommendations section.
   b. From the Start menu, choose Run.
   c. Enter regedt32 and click OK.
   d. Expand the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
      LanManServer\Parameters key.
   e. Choose Edit→Add Value.
   f. In the Value Name text box, type AutoShareServer.
   g. From the Data Type drop-down list, select REG_DWORD and click OK.
   h. In the DWORD Editor dialog box, in the Data text box, type 0.
   i. Click OK.
   j. Close Registry Editor.

7. Verify that the administrative shares are not re-created on the next restart.
   a. Reboot the computer to Windows 2000 Server. The reboot will take longer than
      usual.
   b. Log on as Administrator.
   c. Open Computer Management.
   d. Expand Shared Folders and select Shares. The administrative shares, with the
      exception of the CD-ROM drive share and the Inter-Process Communication (IPC$)
      share, are no longer present.
   e. Close Computer Management.

8. Force SMB signing for all communications as specified in the SecureSystems.doc
   file. (With this setting enabled, users can print, but will not be able to see
   the print queue.)
   a. From the Start menu, choose Programs→Administrative Tools→Domain Controller
      Security Policy. Don't choose Domain Security Policy.
   b. Expand Windows Settings, Security Settings, and Local Policies, and select
      Security Options.
   c. Verify that the Digitally Sign Client Communication (Always) policy is
      Enabled.
   d. Close Domain Controller Security Policy.

Lesson 2 Follow-up
In this lesson, you hardened your internal servers and the services they provide. Because your
internal systems hold much of your organization’s sensitive data, it’s important to make sure
they’re as secure as possible.
1. Does your organization stay current with all the latest operating system patches? Why
or why not?

2. Which operating system do you think is most secure: Windows 2000, NetWare 6, or
Solaris 9? Why?



LESSON 3
Hardening Internetwork Devices and Services

Lesson Time: 5 hour(s), 30 minutes

Lesson Objectives:
In this lesson, you will harden internetwork devices and services.
You will:
• Harden internetwork connection devices.
• Harden DNS and BIND servers.
• Harden Web servers.
• Harden FTP servers.
• Harden NNTP servers.
• Harden email servers.
• Harden conferencing and messaging servers.

Introduction
Securing internal systems is like putting your valuables in a safe inside your home. It makes it
harder for an intruder to abscond with your jewelry. Ideally, however, you’d like to prevent
that intruder from getting inside your house at all, by locking the doors, installing alarms,
planting bushes, or getting a barking dog. Securing the perimeter of your network is as impor-
tant as securing the perimeter of your home, if you want to keep the bad guys from getting in
in the first place.

TOPIC A
Harden Internetwork Connection
Devices
Tightening the perimeter of your network means increasing security anywhere that traffic can
flow between your internal systems and external systems, whether the external systems are on
the Internet or on other private networks. At the most basic level, this means making sure that
only desired network packets can make it past the connection devices, such as routers,
firewalls, and gateways, that create the physical connection between your private networks and
the outside world. In this topic, you’ll learn how to secure the internetwork connection devices
that sit between your valuable private systems and the attackers that want to get at them.
Attackers that attack from outside your private network have a fundamental challenge: they
have to get their packets onto your private network before they can start doing anything bad to
your systems. That means that they have to get their traffic past your border guards—your
routers and other internet connection devices. If you secure these devices properly, your
legitimate business communications can go through, but attackers’ communications will be
stopped at the border.

Internetwork Device Vulnerabilities


Like every computer in your network, the network connection devices in your network have
their own set of security vulnerabilities. You’ll often find that the routers you have connecting
your network to the Internet are some of the most frequently scanned systems you have and
are favorite targets, especially for DoS/DDoS attacks. The following table lists some examples
of vulnerabilities in your routers, bridges, and switches that attackers are looking to exploit.

SNMP: SNMPv1 uses clear text to send SNMP community names, which can be used to
gain administrative access and take over network connection devices. If you’re using
SNMP, try to use SNMPv2 or higher. If you have no need for SNMP, disable it.

Telnet: Because Telnet communications are unencrypted by default, attackers can more
easily hijack the session.

Router configuration files: If you improperly store copies of router configuration files
on unsecured servers, attackers could gain administrative access to the devices.

Finger: An attacker can attempt to determine the type of router you’re using by sending
a request to this service. Once the attacker knows the type of service, he can work on
known exploits for that type of device.

Small servers (for example, echo on port 7 and chargen on port 19): These rarely-used
Cisco services could be exploited for a CPU DoS attack if bombarded with requests from
an attacker.

Improperly configured IP filters: Improperly configured incoming and outgoing IP filters
could lead to an attacker either gaining entry into your network using a spoofed IP
address (incoming) or using your network to launch a DoS attack (outgoing).

Default ports: An attacker can learn the type of device by trying to attach to
manufacturer’s default ports. Again, once the type of device is discovered, the attacker
can exploit its known vulnerabilities.

IP source routing: Using source-routed packets with spoofed source addresses, an
attacker can use an internal host to gain information about the internal network and
open ports on internal systems.

ICMP redirect packets: Attackers can use ICMP redirects in two ways: to flood a router
and cause a DoS attack by consuming memory resources; and to reconfigure routing
tables using forged packets.

RIPv1: RIPv1 provides a weak level of authentication, which can provide opportunities
for an attacker to connect to a device and manipulate the routing table, possibly to
cause a DoS attack.

See www.cisco.com for more information on small servers.

Hardened Internetwork Connection Devices


Definition:
A hardened internetwork connection device is an internetwork connection device that
has been configured to protect against software and hardware attacks according to a
defined security policy. A hardened internetwork connection device may include some
or all of the following security configuration settings:
• A hardened operating system to close security holes in services such as Telnet or
Finger, or the Cisco small servers.
• Secret SNMP community names to prevent attackers from using the names to
gain administrative access to the device. You can also upgrade to SNMPv2 for a
greater level of SNMP security.
• Secured router configuration files to keep configuration details secret.
• Appropriate ingress and egress filters to help prevent IP spoofing (incoming) and
DoS (outgoing) attacks.
• Disabled or reconfigured default ports to prevent attackers from trying to attach to
manufacturers’ default ports.
• Disabled IP source routing to prevent attackers from gaining information about
the internal network.
• Blocked ICMP redirects to prevent DoS attacks and attacks against routing tables.

• RIPv2 to enable a greater level of security and authentication and to help prevent
unauthorized changes to routing tables.

Example: USA Travel’s Border Routers


As part of the security policy, all border routers at all USA Travel branch offices are
required to have IP source routing disabled and must be configured to drop incoming
packets with internal source IP addresses. The network administrator in the Seattle
branch office has configured his border router to drop incoming IP packets with internal
source addresses, and he has disabled IP source routing. Because this router has been
configured according to USA Travel’s security policy, it can be considered hardened.

Harden Internetwork Connection Devices


Procedure Reference: Harden a Windows 2000 Router
To harden a Windows 2000 router:
1. Harden the operating system to close security holes in operating system services.
2. Disable SNMP if not in use. If in use, try to upgrade to SNMPv2. Keep SNMP
community names secret.
3. Physically secure router configuration files to keep configuration details secret.
4. Configure appropriate ingress and egress filters to help prevent IP spoofing
(incoming) and DoS (outgoing) attacks.
5. Disable or reconfigure default ports to prevent attackers from trying to attach to
manufacturers’ default ports.
6. Disable IP source routing to prevent attackers from gaining information about the
internal network.
7. Block ICMP redirects to prevent DoS attacks and attacks against routing tables.
8. Implement RIPv2 to enable a greater level of security and authentication.
a. In Routing And Remote Access, expand IP Routing and select the General
object.
b. Right-click the General object and choose New Routing Protocol.
c. Select RIP Version 2 for Internet Protocol and click OK.
d. Right-click the RIP object and choose New Interface. Select the internal
interface, modify any properties, and click OK.
9. Configure RIP peer-to-peer security to prevent updates from unauthorized routers.
a. In Routing And Remote Access, under IP Routing, open the properties of the
RIP object and select the Security tab.
b. Select Accept Announcements From Listed Routers Only.
c. Add the addresses of the desired peer routers and click OK.
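Steps 4 and 6 describe the filter rules in words. The following is an added example (mine, not the manual’s or Microsoft’s) that implements those decisions for a hypothetical border router; the internal prefixes and the sample packets are constructed for illustration.

```python
"""Added example (not from the manual or Microsoft): the filter decisions
from procedure steps 4 (ingress/egress filters) and 6 (no source routing)
for a hypothetical border router. Internal prefixes and sample packets
are constructed for illustration; the page gives no real addresses."""
from ipaddress import ip_address, ip_network

# Constructed: the private subnets that sit behind this border router.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# IPv4 option numbers that carry a source route: loose (131) and strict (137).
SOURCE_ROUTE_OPTIONS = {131, 137}


def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def filter_packet(direction, src, dst, ip_options=()):
    """Return (verdict, reason) for one packet crossing the border.

    direction is "ingress" (arriving on the outside interface) or
    "egress" (leaving through it).
    """
    # Step 6: a source-routed packet lets the sender dictate the path the
    # packet takes inside the network; drop it in either direction.
    if any(opt in SOURCE_ROUTE_OPTIONS for opt in ip_options):
        return "drop", "IP source routing option present"
    if direction == "ingress":
        # Ingress filter: a packet arriving from outside can never
        # legitimately carry one of our own source addresses (spoofing).
        if is_internal(src):
            return "drop", "inbound packet with internal source address (spoofed)"
        return "accept", "inbound"
    if direction == "egress":
        # Egress filter: only our own addresses may leave; anything else is
        # spoofed traffic that would make this network the source of a DoS.
        if not is_internal(src):
            return "drop", "outbound packet with non-internal source address"
        return "accept", "outbound"
    raise ValueError(f"unknown direction {direction!r}")


def apply_filter(packets):
    """Filter a batch of packets; returns the verdicts plus the log lines
    the router would record for the dropped ones."""
    verdicts, log = [], []
    for pkt in packets:
        verdict, reason = filter_packet(
            pkt["dir"], pkt["src"], pkt["dst"], pkt.get("opts", ()))
        verdicts.append(verdict)
        if verdict == "drop":
            log.append(f"DROP {pkt['dir']} {pkt['src']} -> {pkt['dst']}: {reason}")
    return verdicts, log


# Constructed sample traffic seen at the border (documentation addresses).
SAMPLE_PACKETS = [
    {"dir": "ingress", "src": "203.0.113.7", "dst": "10.1.2.3"},   # normal inbound
    {"dir": "ingress", "src": "10.1.2.3", "dst": "10.1.2.9"},      # claims to be us
    {"dir": "ingress", "src": "203.0.113.7", "dst": "10.1.2.3", "opts": (131,)},
    {"dir": "egress", "src": "10.1.2.3", "dst": "198.51.100.4"},   # normal outbound
    {"dir": "egress", "src": "198.51.100.99", "dst": "198.51.100.4"},  # not ours
]

if __name__ == "__main__":
    verdicts, log = apply_filter(SAMPLE_PACKETS)
    for pkt, verdict in zip(SAMPLE_PACKETS, verdicts):
        print(f"{verdict:6} {pkt['dir']:7} {pkt['src']} -> {pkt['dst']}")
    print("\n".join(log))
```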

VLAN and NAT Devices


Devices other than routers, such as VLAN and NAT devices, can also present targets
for attackers.

• Improperly configured VLAN devices and associated switches give attackers the
opportunity to redirect packets from one VLAN to another (VLAN hopping) and
to capture those packets and the data they contain.
• Relying solely on NAT devices (without a properly configured firewall) can
expose your network to attack if the attackers are able to gain access through any
open ports in the device. In addition, NAT does not hide host information, which
means attackers could gain access to host-specific information and then use
known exploits to compromise the device. Also, improperly configured NAT
devices may be vulnerable to IP spoofing attacks.

ACTIVITY 3-1
Hardening a Windows 2000 Router
Scenario:
One of the next tasks as the bank’s security administrator is to make sure your routers are
secure. In the past, the bank has had problems with attackers accessing services and data that
they were not supposed to have access to through the routers. Before connecting the new
Windows 2000 routers behind a firewall on your network, you want to make sure that your
routers are hardened to minimize the likelihood of attacks, especially DDoS and spoofing
attacks, from external users. After you configure the routers, the bank’s desktop team will test
the connections from laptops to make sure the security is not too restrictive.
To prevent users from accessing information that they are not supposed to and to prevent
attackers from getting data, the bank’s IT department has decided to create a demilitarized
zone (DMZ) by implementing two software-based routers using Windows 2000 Routing and
Remote Access Server. These routers will be installed behind the existing hardware-based
firewall, which has already been hardened. To help ensure security on these software-based
routers, they will run RIPv2 and will communicate with each other securely by RIP peer
security. The bank also wants to implement packet filters to drop incoming external packets
with internal private IP addresses as the source addresses to prevent attackers from spoofing
internal IP addresses on the private subnet.

What You Do How You Do It

1. Install RIP version 2 for IP as a new routing protocol on the Routing and Remote
Access Server, using the Local Area Connection as the RIP protocol interface.

a. From the Start menu, choose Programs→Administrative Tools→Routing And Remote
Access.

b. Expand your server object and expand IP Routing.

c. Select and right-click the General object, and choose New Routing Protocol.

d. In the Routing Protocols list, select RIP Version 2 For Internet Protocol and click
OK.

e. Under IP Routing, select and right-click the RIP object and choose New Interface.

f. In the Interfaces list, select Local Area Connection and click OK. The RIP
Properties – Local Area Connection Properties sheet opens. You will use the default
settings on the General page.

You can use the Help button to investigate the various property settings.

g. Select the Advanced tab. You will use the default Advanced settings.

h. Click OK.

2. Why would you not check Activate Authentication in the General properties for RIP on
the Local Area Connection interface?

3. What type of attacks do the default Advanced settings for RIP on the Local Area
Connection interface protect against?

4. Modify the RIP protocol’s security properties with the appropriate peer router
settings.

a. In the Tree pane, right-click the RIP object and choose Properties.

b. Select the Security tab.

c. Select Accept Announcements From Listed Routers Only.

d. In the Router IP Address text box, enter your partner’s IP address.

e. Click Add.

f. Click OK.

g. Close Routing and Remote Access.

5. What is the security benefit of the peer security feature that you have just enabled?

6. What basic operating-system hardening procedures will also protect a software-based
router such as this?

7. This software-based router does not have a live connection to another subnet. If the
computer was a true multi-homed router with multiple network cards, what additional
hardening steps should you take on this router to accomplish the additional security
goals in the scenario?

TOPIC B
Harden DNS and BIND Servers
Once you’ve hardened the devices that provide the communications channel outside your net-
work, as you did in Topic 3A, you can turn your attention to securing the services you provide
to users across that channel. Because DNS provides name resolution, DNS queries and
responses are going to be some of the most common elements in network communications
between your internal systems and the Internet. So, in this topic, we’ll start the process of
locking down network services by hardening DNS servers.
Without DNS name resolution, the Internet would be almost unusable. Unfortunately, DNS
servers also can provide unscrupulous attackers with too much useful information about your
business and its systems. Also, if your DNS infrastructure goes down, so can your business.
You need to make sure your DNS servers are secure from attack and are configured to give out
information only to authorized parties.

DNS and BIND Vulnerabilities


In addition to the security threats we’ve already covered, there are some threats that are unique
to the DNS service and to UNIX-based Berkeley Internet Name Domain (BIND) servers.
Those threats are listed in the following table.

DNS spoofing: An attacker manipulates DNS records to send DNS clients to fraudulent
Web sites where the attacker can record data transmissions.

DNS hijacking: An attacker gains administrative access to a DNS server and modifies or
deletes records, which can eliminate a company’s Internet presence until the problem is
found and resolved.

Cache corruption (aka cache poisoning or cache pollution): Some Microsoft DNS servers
are vulnerable to malformed queries, or accepting malicious data from a remote name
server, which may result in corruption of the DNS cache and can result in a DoS attack.
It can also allow an attacker to redirect the Web sites that use the vulnerable DNS.

Input validation: On a BIND server, specially formatted user input, when improperly
validated, may be used to execute code with the permissions of the BIND user.

Environment variables: A specially executed query may expose environment variables via
the program stack on a BIND server. This can provide potentially sensitive information
that may result in further attacks.

Hardened DNS Servers
Definition:
A hardened DNS server is a DNS server that has been configured to protect against
software and hardware attacks according to a defined security policy. A hardened DNS
server may include some or all of the following security configuration settings:
• A hardened operating system to prevent attackers from exploiting OS
vulnerabilities to attack the DNS service.
• A regular backup schedule to preserve the DNS database in case of attack.
• Limited administrative access to help prevent DNS hijacking.
• Required authentication on InterNIC domain records to help prevent DNS
hijacking.
• Active Directory-integrated zones on internal Windows 2000 DNS servers with
secure dynamic updates to prevent DNS hijacking, DNS spoofing, and cache
corruption.
• Up-to-date security fixes for the DNS service to help prevent malicious code
attacks that could result from improper input validation or that can expose
environment variables to an attacker.

Example: USA Travel’s DNS Servers


In the corporate security policy, all internal Windows 2000 DNS servers at USA
Travel’s corporate offices are required to have Active Directory-integrated zones and
secure dynamic updates enabled. The DNS administrator has installed DNS on all domain
controllers, created Active Directory-integrated zones, and enabled secure dynamic
updates on those zones. Because the DNS servers have been configured according to
USA Travel’s security policy, they can be considered hardened.

Harden DNS and BIND Servers


Procedure Reference: Harden a Windows 2000 DNS Server
To harden a Windows 2000 DNS server:
1. Harden the operating system to prevent attackers from exploiting OS
vulnerabilities to attack the DNS service.
2. Establish a regular backup schedule to preserve the DNS database in case of
attack.
3. Limit the number of administrators and keep user names and passwords secure to
help prevent a hijacking attack.
4. Require authentication for changes to InterNIC domain records to help prevent
DNS hijacking attacks.
5. Switch your domain to Native mode and change DNS zones to Active Directory-
integrated, and enable secure dynamic updates to prevent DNS hijacking, DNS
spoofing, and cache corruption.
a. Open Active Directory Users And Computers.
b. Right-click your domain and choose Properties.
c. Click Change Mode. Click Yes to confirm the change.
d. Open DNS.

e. Right-click the DNS zone you want to change and choose Properties.
f. In the Type section, click Change.
g. Select Active Directory-integrated and click OK.
h. In the zone’s Properties dialog box, from the Allow Dynamic Updates
drop-down list, select Only Secure Updates.
6. Secure the DNS cache against pollution.
a. In DNS, right-click the DNS server object and choose Properties.
b. Select the Advanced tab.
c. Check Secure Cache Against Pollution.
7. Install up-to-date security fixes for the DNS service to help prevent malicious
code attacks or other attacks that target the service’s vulnerabilities.
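The Secure Cache Against Pollution setting in step 6 works by discarding records in a response that belong to a domain tree other than the one the queried server is responsible for. The following added example (mine, not the manual’s or Microsoft’s code) applies that check to a constructed, already-parsed response and shows what a cache looks like with and without it; the zone, names and addresses are sample values.

```python
"""Added example: the bailiwick check behind the "Secure Cache Against
Pollution" setting (manual step 6), applied to a constructed, already
parsed response. No real DNS traffic; all record values are sample data."""


def in_bailiwick(record_name, zone):
    """True if record_name is zone itself or lies beneath it, i.e. inside
    the domain tree the queried server is responsible for."""
    r = record_name.lower().rstrip(".")
    z = zone.lower().rstrip(".")
    return r == z or r.endswith("." + z)


def filter_response(zone, response):
    """Split a response into records to cache and records to discard.
    response maps a section name to a list of (name, type, value) tuples."""
    kept = {section: [] for section in response}
    discarded = []
    for section, records in response.items():
        for rec in records:
            if in_bailiwick(rec[0], zone):
                kept[section].append(rec)
            else:
                discarded.append((section, rec))
    return kept, discarded


def populate_cache(zone, response, secure=True):
    """Build a cache dict keyed by (name, type). With secure=False every
    record is trusted, which is how a forged additional record ends up
    redirecting later lookups for an unrelated site."""
    cache = {}
    if secure:
        response, _ = filter_response(zone, response)
    for records in response.values():
        for name, rtype, value in records:
            cache[(name.lower(), rtype)] = value
    return cache


# Constructed: reply from a server responsible for example.com, asked for
# www.example.com. The last two additional records are out-of-tree data
# of the kind a pollution attempt piggybacks on a legitimate answer.
ZONE = "example.com"
SAMPLE_RESPONSE = {
    "answer": [("www.example.com", "A", "192.0.2.10")],
    "authority": [("example.com", "NS", "ns1.example.com")],
    "additional": [
        ("ns1.example.com", "A", "192.0.2.53"),
        ("www.bank.test", "A", "198.51.100.66"),
        ("bank.test", "NS", "ns1.example.com"),
    ],
}

if __name__ == "__main__":
    for secure in (True, False):
        cache = populate_cache(ZONE, SAMPLE_RESPONSE, secure=secure)
        label = "secure" if secure else "insecure"
        print(f"{label}: lookup of www.bank.test ->",
              cache.get(("www.bank.test", "A")))
```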

ACTIVITY 3-2
Hardening DNS
Data Files:
• SecureSystems.doc

Scenario:
One of the next tasks as the bank’s security administrator is to make sure your DNS servers
are secure. In the past, when the bank managed its own DNS, without assistance from the ISP,
it has had problems with DNS hijack attempts, where attackers redirected users to a fake bank
Web page. All Windows NT domain controllers and DNS servers at the bank have now been
upgraded to Windows 2000. Before connecting the new Windows 2000 DNS Server to your
network, you want to make sure that your DNS server is hardened to minimize the likelihood
of attacks from both internal and external users. To prevent attackers from hijacking DNS
records, the bank’s IT department has decided to implement a secure DNS server.
The IT department has designed a security deployment plan for all new systems, including the
Windows 2000 DNS Servers, and you as the security administrator need to make sure the plan
is implemented. The IT department has already established a DNS solution with the ISP for
other DNS servers running BIND, so you do not have to configure those servers. Using the
deployment design document SecureSystems.doc, implement the changes on your Windows
2000 DNS server.

What You Do How You Do It

1. As the domain administrator, switch Active Directory to Native mode.

a. From the Start menu, choose Programs→Administrative Tools→Active Directory Users
And Computers.

b. Right-click the domain#.internal object and choose Properties.

c. Click Change Mode.

d. Click Yes in the message box to confirm the mode switch.

e. Click OK twice.

f. Close Active Directory Users And Computers.

2. Change DNS zones to Active Directory-integrated.

a. From the Start menu, choose Programs→Administrative Tools→DNS.

b. Expand your DNS Server object and expand the Forward Lookup Zones folder.

c. Select and right-click the domain#.internal DNS zone, and choose Properties.

d. In the Type section, click Change.

e. Select Active Directory-integrated and click OK.

f. Click OK to confirm the change.

g. Click Apply to apply the change and keep the property sheet open.

3. Enable Secure Dynamic Updates in DNS.

a. In the domain#.internal DNS zone property sheet, from the Allow Dynamic Updates
drop-down list, select Only Secure Updates.

b. Click OK.

4. Secure the DNS cache against pollution.

a. Right-click the DNS server object and choose Properties.

b. In the property sheet for your DNS server, select the Advanced tab.

c. Verify that Secure Cache Against Pollution is checked and click Cancel.

d. Close DNS.

TOPIC C
Harden Web Servers
In Topic 3B, you hardened the DNS servers that provide name resolution between your
internal systems and the Internet. One of the most common reasons to provide DNS services
is so that outside users can access your company’s own Web sites. Because nearly every
company in today’s business environment has a Web presence, many security specialists will
have the responsibility of securing Web services. In this topic, you’ll perform the steps you
need to secure your Web servers.
A functioning Web site is a major part of your company’s public persona. Most companies
today wouldn’t be without a Web site any more than they would be without a phone number.
Hacking or defacing an informational Web site can be a terrible embarrassment for your
company. But even beyond that, for many companies, a Web presence is essential to how they
do business; in e-commerce, the Web site is the business. If the Web site goes down, so does
your ability to take orders, respond to customer service requests, and ship products. Therefore,
your Web site is one of your company’s most important assets. It’s your responsibility to do
everything you can to protect it from attack.

Web Server Authentication Methods


While every organization has a public Web site with information that’s freely available to
anyone who wants it, there are often situations when you want to restrict access to sensitive
information and allow only trusted users to read and modify it. In such situations, you must
have a method for ensuring that only certain users can access that data, which means you need
to have a way to authenticate users and then control their access to specific files and folders.
Authenticating users and providing access to Web resources on the Internet is much like
authenticating users in the local network and allowing them access to local network resources.
The difference is it happens across the Internet and not on the local network.
When you authenticate users you want to ensure they’re who they say they are and provide
some method for securely transferring the user name and password and eventually data once
the user is authenticated. When it comes to controlling access to specific files, folders, or
directories, you can employ access control lists on your Web server in the same way you would
on any other server in your network. To build access control lists, you can use accounts that are

local to the Web server, such as a local SAM database on a Windows 2000 Web server, or you
can use a larger enterprise-wide directory service, such as Active Directory or NDS eDirectory.
You can use both directory services to set permissions on specific files and folders to control
access to private or sensitive data on your Web server.
There are several methods available for authenticating users and protecting data transfer,
depending on which Web server version you use. These methods are described in the following
table.

Don’t forget that you must still configure access control lists to provide user access to files; this step is separate
from configuring these Web security features.

Address-based authentication: Authentication based on the host’s IP address. As we’ve
seen, because of its vulnerability to IP spoofing, you should avoid the use of
address-based authentication.

Anonymous authentication: As the name states, anonymous access means users don’t have
to enter a user name or password to gain access to the files on your Web server. You
should generally reserve this type of access for public Web sites.

Basic authentication: Users are prompted to provide a user name and password, which is
authenticated against a local accounts database. User names and passwords are often sent
in clear text, making them vulnerable to network sniffers. Can be combined with Secure
Sockets Layer (SSL) to encrypt credentials.

Digest: Similar to basic authentication, except the user name and password are protected
using a hashing algorithm. The hashing algorithm is applied to the credentials, and the
result, called a hash or a digest, is sent instead of clear text. Digest is highly secure
and works through proxy servers and firewalls. In Windows 2000, you may need to
configure user passwords to be stored using reversible encryption when using Digest
authentication, for example, when you use authentication with Instant Messaging.
Without reversible encryption, this is similar to storing clear text passwords, and is a
security risk.

Integrated Windows authentication (in Windows 2000 networks): Uses Kerberos version 5
with Active Directory or the NT challenge/response authentication method (using a
password hash). Does not work through a proxy server, so it’s best for intranet use in a
Microsoft network. Requires IE 2.0 or higher or a browser that supports HTTP 1.1.

Certificates: Certificates can be used for access in place of or as a supplement to user
name and password. (Required for SSL.)
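To show what the Basic and Digest rows above mean on the wire, here is an added example (mine, not the manual’s): a Basic header is reversible by anyone who captures it, while a Digest response is a one-way hash tied to the server’s nonce; the server-side check also shows why Digest needs the password in a recoverable form. The Digest arithmetic is the RFC 2617 form without qop; user, realm, nonce and password are constructed sample values.

```python
"""Added example (not from the manual): what Basic and Digest credentials
carry on the wire, and why a Digest server needs the clear-text password
(or a reversibly stored one) to verify a response. Digest arithmetic is
the RFC 2617 form without qop; user, realm, nonce and password below are
constructed sample values."""
import base64
import hashlib


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def basic_header(user, password):
    """Basic: user:password, base64 encoded. Encoding, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def basic_decode(header):
    """What a sniffer recovers from a Basic header on an unencrypted link."""
    token = header.split()[2]
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def digest_ha1(user, realm, password):
    """HA1 = MD5(user:realm:password). The server must be able to produce
    this value, which is why Windows needs the password stored with
    reversible encryption for Digest authentication."""
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(user, realm, password, method, uri, nonce):
    """Client side: response = MD5(HA1:nonce:HA2), HA2 = MD5(method:uri).
    The nonce comes from the server's challenge, so a captured response
    cannot simply be replayed against a later challenge."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{digest_ha1(user, realm, password)}:{nonce}:{ha2}")


def digest_verify(stored_password, user, realm, method, uri, nonce, response):
    """Server side: recompute from the stored password and compare."""
    expected = digest_response(user, realm, stored_password, method, uri, nonce)
    return expected == response


if __name__ == "__main__":
    user, password, realm = "alice", "s3cret!", "bank.example"   # constructed
    print(basic_header(user, password))
    print("sniffer sees:", basic_decode(basic_header(user, password)))
    resp = digest_response(user, realm, password, "GET", "/accounts/", "nonce-1")
    print("digest response:", resp)
    print("verifies:", digest_verify(password, user, realm, "GET", "/accounts/",
                                     "nonce-1", resp))
    print("replay with new nonce:", digest_verify(password, user, realm, "GET",
                                                  "/accounts/", "nonce-2", resp))
```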

Web Server Vulnerabilities


Like every other type of server or network device, Web servers have some vulnerabilities that
are unique. The following table lists some examples of these vulnerabilities.

Because attackers are finding new ways to exploit Web servers every day, you must constantly check with your
vendor for new threats and available patches.

Format string: An attacker passes invalid parameters to a format string function, such as
the printf or sprintf functions in the C standard library. This results in a buffer
overflow, which may allow the attacker to execute arbitrary code on the server.

Improper input validation: If your Web developers have not coded proper input validation
(that is, a mechanism for accepting only valid user input), attackers can send malicious
code and have it executed locally on the Web server.

CGI scripts: CGI scripts can provide system information to an attacker or can be used to
execute commands locally on the Web server.

Execution of code outside the Web root: An attacker executes files outside of the Web
root. These files will generally be accessed and executed with the same permissions as
the Web server. One common method is by accessing files at a URL with multiple “..”
directories, to break above the Web root. For example, ../../../../Windows/System32/cmd.exe
to get to the root hard disk and execute the Microsoft Windows command interpreter.

Web server applications: Web servers running applications (for example, servers using
Active Server Pages (ASP), Internet Services Application Programming Interface (ISAPI),
PHP (a recursive acronym that simply stands for PHP: Hypertext Preprocessor), Practical
Extraction and Report Language (Perl), and Java 2 Platform Enterprise Edition (J2EE))
are more susceptible to attacks that exploit weaknesses in these technologies. Such
servers may also access databases, further opening the window for potential exploits.

Weak authentication: User name and password are sent across the Internet in clear text,
which makes them particularly vulnerable to eavesdroppers and sniffers.

Clear text transmissions: Exchange of sensitive information in clear text is a perfect
target for an attacker.

HTML source code: Viewing a Web page’s source code can reveal data about a company
that an attacker can later use for another type of attack.

Hardened Web Server


Definition:
A hardened Web server is a Web server that has been configured to protect against
software and hardware attacks according to a defined security policy. A hardened Web
server may include some or all of the following security configuration settings:
• A hardened operating system to prevent attackers from exploiting the operating
system to attack the Web server service.
• An auditing and logging strategy to track suspect activity on a Web server.
• The latest Web server patches and fixes to protect against programming errors that
may cause buffer overflows or allow attackers to execute code on the Web server.
• Appropriate access controls on Web sites and Web data files to prevent malicious
code attacks.

• Limited script execution permissions to prevent malicious code attacks.
• Limited virtual directories to remove potential targets for attack.
• Disabled unnecessary Web services and applications to prevent attackers from
exploiting the services and applications to gain access to the Web server.
• Strong authentication to prevent sensitive data, such as passwords, from being
sent across the Internet in clear text.
• Encrypted communications where appropriate to prevent sensitive data from being
transmitted in clear text.
• Clean HTML source code that does not reveal any confidential information.

Example: USA Travel’s Web Server


USA Travel’s corporate policy requires any Web servers to have a hardened operating
system and the latest Web server security fixes. The Web administrator has hardened
the Windows 2000 operating system on the Web server, and has configured automatic
update notification to stay on top of any new Windows 2000 security fixes. She’s also
installed the latest IIS 5.0 security patches, and regularly scans Microsoft’s site for
news on new security threats. Because the Web server is configured according to the
security policy, it can be considered hardened.

Microsoft IIS Lockdown Tool


Microsoft has created a utility called the IIS Lockdown tool, which is freely downloadable
from their Web site, that you can use to automate the process of hardening an IIS 4.0 or IIS
5.0 Web server running on Windows NT Server 4.0 or Windows 2000 Server. The IIS
Lockdown tool uses templates, much like Windows 2000 and Windows XP security templates,
to apply a security configuration to your IIS server based on the role the server is going to
play and the type of software that’s installed. The wizard will apply a security configuration
that matches the role you’ve selected and enables the software to function properly, but it will
disable services and lock down settings that aren’t explicitly necessary for the role and software
you’ve chosen.

For more information on hardening IIS, visit: www.microsoft.com/technet/security/tools/ChkList/wsrvSec.asp.

As you work through the wizard, you can use the pages shown in the following table to
configure your IIS settings.

Select Server Template: You can select the role that the server will play in your
network. These roles include Small Business Server, Proxy Server, BizTalk Server, Static
Web Server, and Server That Does Not Require IIS. Which role you choose will determine
which settings are configured and which services are enabled or disabled. You must check
View Template Settings on this page to see the next three pages.

Internet Services: You can enable or disable Web Service (HTTP), File Transfer Service
(FTP), Email Service (SMTP), and News Service (NNTP). You can also choose to remove a
specific service completely. The template you choose on the previous page determines
which services are selected by default. You can customize the default depending on what
services you need.

Script Maps: You can enable or disable support for specific script maps, including .asp,
.shtml, and .htr.

Additional Security: You can remove selected virtual directories, set file permissions for
anonymous users on specific utilities and directories, and disable Web-based Distributed
Authoring and Versioning (WebDAV). Again, depending on which template you choose at
the beginning of the wizard, some or all of these options might be selected. You can
customize to fit your needs.

URLScan: You can choose to install URLScan, which is a utility that you can configure to
filter out certain types of HTTP requests made to your IIS server. If requests meet certain
predefined and customizable criteria, URLScan will deny the request, log the request and
the reason it was denied, and present an error message to the user who made the request.

You can see more detailed information about URLScan in the IIS Lockdown tool Help files or
www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/urlscan.asp.

After you’ve completed the wizard, Microsoft recommends that you test your Web server to
ensure that it provides the services that you need it to provide. If you find that the server is too
secure, you can run the tool again to restore the server’s previous settings, or you can make
minor adjustments in settings to meet your needs.
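The filtering behaviour described for URLScan (match a request against predefined, editable deny rules; deny it; log the request and the reason; hand the client an error) can be modelled in a few dozen lines. The following Python is an added example written for this manual and is not code from the IIS Lockdown tool or from URLScan; the verbs, extensions and URL sequences in FilterPolicy are constructed assumptions in the spirit of a URLScan.ini, not URLScan's shipped defaults, and the sample requests are likewise constructed.

```python
"""URLScan-style HTTP request filter (added example, not URLScan's own code).

Rule values are constructed assumptions, not the tool's shipped defaults.
"""
from dataclasses import dataclass, field
from urllib.parse import unquote


@dataclass(frozen=True)
class FilterPolicy:
    """Deny rules, in the spirit of the [AllowVerbs], [DenyExtensions] and
    [DenyUrlSequences] sections of a URLScan.ini (values are assumptions)."""
    allowed_verbs: frozenset = frozenset({"GET", "HEAD", "POST"})
    denied_extensions: frozenset = frozenset(
        {".exe", ".bat", ".cmd", ".com", ".htr", ".shtml", ".ida", ".idq"})
    # Checked against the percent-decoded path. Listing "%" means a request that
    # is still encoded after one decode (double encoding) is denied as well.
    denied_sequences: tuple = ("..", "./", "\\", ":", "%")
    max_url_length: int = 260
    reject_high_bit: bool = True


@dataclass
class RequestFilter:
    policy: FilterPolicy = field(default_factory=FilterPolicy)
    log: list = field(default_factory=list)   # one entry per denied request

    def check(self, method: str, url: str, client: str = "0.0.0.0"):
        """Return (allowed, reason). A denied request is logged with its reason;
        the caller would answer the client with a generic 404, as URLScan does,
        so the reason is recorded for the administrator, not echoed to the requester."""
        reason = self._first_violation(method, url)
        if reason:
            self.log.append(f"{client} {method} {url} -> 404 ({reason})")
            return False, reason
        return True, ""

    def _first_violation(self, method: str, url: str) -> str:
        p = self.policy
        if method.upper() not in p.allowed_verbs:
            return f"verb {method.upper()} not allowed"
        if len(url) > p.max_url_length:
            return f"url length {len(url)} exceeds {p.max_url_length}"
        if p.reject_high_bit and any(ord(ch) > 127 for ch in url):
            return "high-bit characters in url"
        # Decode exactly once, then inspect only the path (query string excluded).
        path = unquote(url).split("?", 1)[0]
        for seq in p.denied_sequences:
            if seq in path:
                return f"denied sequence {seq!r}"
        last_segment = path.rsplit("/", 1)[-1]
        if "." in last_segment:
            ext = "." + last_segment.rsplit(".", 1)[-1].lower()
            if ext in p.denied_extensions:
                return f"denied extension {ext}"
        return ""


# Constructed sample requests (client IP, verb, URL); not captured traffic.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "GET", "/index.htm"),
    ("10.0.0.9", "GET", "/docs/../../private.txt"),
    ("10.0.0.9", "GET", "/default.htr"),
    ("10.0.0.9", "PUT", "/upload/new.htm"),
    ("10.0.0.9", "GET", "/%2e%2e/config.txt"),
    ("10.0.0.9", "GET", "/" + "a" * 300),
]


def run_samples(policy: FilterPolicy = FilterPolicy()):
    """Filter SAMPLE_REQUESTS; return the per-request verdicts and the deny log."""
    flt = RequestFilter(policy)
    verdicts = [flt.check(verb, url, ip) for ip, verb, url in SAMPLE_REQUESTS]
    return verdicts, flt.log


if __name__ == "__main__":
    verdicts, log = run_samples()
    for (ip, verb, url), (ok, why) in zip(SAMPLE_REQUESTS, verdicts):
        print(f"{'ALLOW' if ok else 'DENY '} {verb} {url[:40]:<40} {why}")
    print("\n".join(log))
```

Two design points carry over to any such filter: decode the URL exactly once before matching, so that an encoded ".." is caught but a double-encoded one is not silently accepted, and keep the denial reason in the log rather than in the response, which is also how you later tell a misconfigured rule ("the server is too secure") from a real attack when reviewing the IIS and URLScan logs.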

Lesson 3: Hardening Internetwork Devices and Services 113


ACTIVITY 3-3
Investigating the Microsoft IIS Lockdown Tool
Setup:
The IIS Lockdown tool is on the network at \\Server100\SPlus\IIS\Lockdown.

Scenario:
As you plan ways to secure your Web servers, you’ve suggested to those planning the security implementation that you use the IIS Lockdown tool to help automate the hardening process for your Web servers, which currently run Solaris 9, Windows NT 4.0 (with IIS 4.0), and Windows 2000 (with IIS 5.0). You’ve been asked to answer some questions and submit a report that outlines the benefits of the tool.

What You Do How You Do It

1. Why use the IIS Lockdown tool?

2. Of the three Web servers you currently have, which can you use the IIS Lockdown tool
to secure?

3. Why would you choose to enable URLScan?

4. True or False? You can use the IIS Lockdown tool to completely remove IIS
from a server.

5. True or False? You may not make any manual changes after running the IIS
Lockdown tool.

Harden Web Servers


Procedure Reference: Harden a Windows 2000 Web Server
To harden a Windows 2000 Web server:
1. Harden the operating system to prevent attackers from exploiting the operating system to attack the Web server service.
2. Enable IIS logging to track suspect activity on a Web server.
   a. From the Administrative Tools menu, choose Internet Services Manager.
   b. Expand the IIS server object.
   c. Select and right-click the Default Web Site and choose Properties.
   d. On the Web Site page, check Enable Logging.
3. Install the latest Web server patches and fixes, including the IIS Security Rollup, to protect against programming errors.
4. Run the IIS Lockdown Wizard to lock down the Web server by setting appropriate access controls, disabling unnecessary services, limiting script execution, and limiting virtual directories.
   a. Run the IIS Lockdown executable.
   b. In the Server Templates list, select Static Web Server.
   c. Check View Template Settings and click Next.
   d. Click Next three times.
   e. Verify that Install URLScan Filter On The Server is checked. Click Next twice.
5. Implement strong authorization where appropriate to secure user logons to the Web server.
6. Encrypt communications with the Web server when appropriate to prevent sensitive data from being transmitted in clear text.
7. Remove confidential company information from the HTML source code on any publicly available Web pages.

ACTIVITY 3-4
Hardening a Web Server
Data Files:
• SecureSystems.doc

Setup:
Data files and other resources are located on the network in \\Server100\SPlus in the following
folders:
• IIS Security Rollup: \IIS\SecRollup
• IIS Lockdown Wizard: \IIS\Lockdown
• SecureSystems.doc: \Student

Scenario:
You disabled the World Wide Web Publishing service until you were ready to harden IIS and deploy your Web server. Well, now you’re ready! As the bank’s security administrator you need to make sure your Web servers are secure. In the past, the bank has had problems with attackers running code on the Web servers and either bringing down the Web site or stealing information. Before connecting the new Windows 2000 IIS Servers to your network, you want to make sure that your Web server is hardened to minimize the likelihood of attacks from both internal and external users. To prevent attackers from compromising IIS, the bank’s IT department has decided to implement a secure static Web server. The IT department has designed a security deployment plan for the IIS servers and documented it in SecureSystems.doc. It’s your job, as the security administrator, to implement the plan.

What You Do / How You Do It

1. Uninstall Windows Service Pack 3 before beginning this activity to avoid conflicts with the IIS Security Rollup Package.
   a. Open Control Panel and run Add/Remove Programs.
   b. In the Currently Installed Programs list, click Windows 2000 Service Pack 3.
   c. Click Change/Remove.
   d. Click Yes to confirm that you want to remove the Service Pack.
   e. When prompted, click OK to restart the computer. Log back on as Administrator.

2. Enable and start the World Wide Web Publishing service.
   a. Open Computer Management.
   b. Expand Services And Applications and select Services.
   c. Double-click World Wide Web Publishing Service.
   d. From the Startup Type drop-down list, select Automatic. Click Apply.
   e. Click Start.
   f. After the service has started, click OK.
   g. Close Computer Management.

3. Enable IIS logging on the default Web site.
   a. From the Start menu, choose Programs→Administrative Tools→Internet Services Manager.
   b. Expand your IIS server object.
   c. Under your server, select and right-click the Default Web Site, and choose Properties.
   d. On the Web Site page, verify that Enable Logging is checked and click OK.
   e. Close Internet Information Services.

4. Install the IIS Security Rollup Package.
   a. Open the \\Server100\SPlus\IIS\SecRollup folder. (Now that the Server100 system has been hardened, you will need to connect to this share as the Domain100\Administrator user with a password of !Pass1234.)
   b. Double-click the Security Rollup installation file.
   c. In the Choose Directory For Extracted Files dialog box, type C:\secrollup and click OK.
   d. In the Windows 2000 Hotfix Setup window, click Continue to stop the necessary services.
   e. When prompted to reboot, click Continue and reboot the computer to Windows 2000 Server.
   f. Log on as Administrator.

5. Run the IIS Lockdown Wizard with the appropriate choices to lock down the Web server.
   Make sure to read the important note on the first screen regarding service packs and hotfixes.
   a. Open the \\Server100\SPlus\IIS\Lockdown folder.
   b. Run the IIS Lockdown file to launch the IIS Lockdown Wizard.
   c. Click Next.
   d. Select I Agree and click Next to accept the license agreement.
   e. In the Server Templates list, select Static Web Server.
   f. Check View Template Settings and click Next.
   g. Click Next three times to accept the default template settings for Internet Services, Script Maps, and Additional Security.
   h. Verify that Install URLScan Filter On The Server is checked and click Next twice to start the lockdown.
   i. When the lockdown is complete, click View Report.
      You will see errors in the report, but these relate to other services that are running on this server and do not relate to the Web server hardening.
   j. After you review the report, close Notepad.
   k. Click Next, and then click Finish to complete the wizard.

TOPIC D
Harden FTP Servers
In Topic 3C, you learned to harden the Web services that enable your company to share
Internet information with the outside world. Another Internet service that many companies
offer to facilitate two-way file sharing across the Internet is the File Transfer Protocol (FTP).
In this topic, you’ll learn to secure the FTP servers running on your network.
FTP is a unique Internet protocol because you can use it not only to get file information from
a server, but also to transfer files to the FTP server. For this reason, it’s a good target for an
attacker who might want to introduce malicious code or other undesirable files into your
network. Attackers also might want to grab user credentials from the FTP server; you’ll see
how easy it is to do this in the following activity. Using the techniques in this topic can help
you restrict access to your FTP server to authorized parties and limit the amount of damage
attackers can do if they are able to connect.

ACTIVITY 3-5
Identifying FTP Password Vulnerabilities
Setup:
You will work with a partner in this activity; both partners’ servers are running the FTP
service. You can log on to the FTP servers using any user name or password. Each partner will
connect to the other partner’s FTP server. Installation source files for Network Monitor Service
Pack 1 are available at \\Server100\SPlus\SMS\NMext\I386.

Scenario:
Part of the security deployment plan at your firm will involve hardening the FTP servers. Currently, the FTP servers are configured to accept any user name and password for authentication, and users generally log on with their Windows 2000 domain user accounts. The firm is particularly concerned with verifying that your FTP servers are not vulnerable to password eavesdropping attacks. You want to see if this is a valid concern by taking a look to see how vulnerable your FTP user names and passwords are.

What You Do / How You Do It

1. Enable the FTP service.
   a. Open Computer Management, expand Services And Applications, and select Services.
   b. Open the properties of the FTP Publishing Service.
   c. Set the Startup Type to Automatic, click Apply, and then click Start.
   d. When the service has started, close the property sheet and Computer Management.

2. Determine the MAC address of your network adapter.
   a. Open a command prompt window.
   b. Enter ipconfig /all. Make a note of the Physical Address value for the Local Area Connection adapter.
   c. Close the command prompt window.

3. Install Network Monitor.
   a. Run the \\Server100\SPlus\SMS\NMext\I386\Setup.exe file.
   b. Click Next. The license agreement file automatically opens in WordPad.
   c. Close WordPad.
   d. Select I Accept The License Agreement and click Next.
   e. Click Next to begin the installation.
   f. Click Finish.

4. Begin capturing network data sent between your computer and other destinations on your local network.
   a. From the Start menu, choose Programs→Administrative Tools→Network Analysis Tools→Network Monitor.
   b. In the Select Default Network message box, click OK.
   c. In the Select A Network dialog box, expand Local Computer and select the interface with the MAC address you identified in the previous step.
   d. Click OK.
   e. Maximize the Network Monitor window and the Capture window.
   f. Choose Capture→Filter.
   g. Double-click INCLUDE ANY <—> ANY.
   h. In the Station 1 area, select the entry with a Name of LOCAL and an Address that matches your Local Area Connection’s MAC address.
   i. Click OK twice.
   j. Choose Capture→Start.

5. Use FTP to access the FTP server and log on as a domain user account.
   a. Open a command prompt and enter ftp Server# where # is your partner’s computer number.
   b. Enter Administrator as the user name and !Pass1234 as the password. You should then see a message that says, “User administrator logged in.”
   c. Enter bye to disconnect your FTP session.
   d. Close the command prompt.

6. Stop the capture and review the capture log.
   a. Choose Capture→Stop and View. Your capture should look similar to the following screen shot.
   b. After you have located a frame containing a clear-text password, close Network Monitor without saving the capture or any unsaved address database entries.

7. How did you identify the frame containing the clear-text password?

FTP Vulnerabilities
Besides the vulnerabilities covered already in this course, FTP servers have some specific vulnerabilities that are listed in the following table.

Vulnerability                  Description
-----------------------------  ------------------------------------------------------------------
Basic authentication           Like Web servers, basic authentication on an FTP server passes user names and passwords in clear text.
Anonymous access (blind FTP)   There are no authentication or access control mechanisms that can prevent malicious activity. Additionally, a blind FTP server could be used for illegal activity; for example, it could become a warez server.
Unnecessary services           Extra unnecessary services running on the FTP server could provide an avenue of attack.
Clear text transmissions       By default, FTP data transfers are not encrypted, which leaves the data open to sniffers and eavesdroppers on the local network or across the Internet.
Firewall configuration         Because it’s sometimes difficult to configure communication through a firewall, such as FTP traffic, administrators may err on the side of permissiveness and open holes in their security perimeter.

Hardened FTP Server


Definition:
A hardened FTP server is an FTP server that has been configured to protect against software and hardware attacks according to a defined security policy. A hardened FTP server may include some or all of the following security configuration settings:
• A hardened operating system to prevent attackers from exploiting the operating system to attack the FTP server.
• Strong authentication to prevent user names and passwords from being transmitted in clear text and to prevent the FTP server from being used anonymously for illegal activity.
• Strict access controls to prevent anonymous access to the server.
• Disabled unnecessary services to prevent attackers from exploiting those services to attack the FTP service.
• Encrypted communications where appropriate to prevent data from being sent in clear text.
• Physical location behind a properly configured firewall.

Example: USA Travel’s FTP Server


USA Travel has one FTP server that employees and customers use to exchange data. USA Travel’s security policy requires strong authentication for the FTP server. Therefore, the network administrator for USA Travel configured digest authentication for FTP users. Because the FTP server has been configured according to USA Travel’s security policy, it is considered hardened.

Harden FTP Servers


Procedure Reference: Harden a Windows 2000 FTP Server
To harden a Windows 2000 FTP server:
1. Harden the operating system to prevent attackers from exploiting the OS to attack the FTP server.
2. Configure strong authentication to prevent clear text transmissions during user logon and to prevent anonymous access.
3. Run the IIS Lockdown Wizard to lock down the FTP server by setting strict access controls and disabling unnecessary services.
   a. Run the IIS Lockdown executable.
   b. In the Server Templates list, select Dynamic Web Server (ASP Enabled).
   c. Check View Template Settings and click Next.
   d. Check File Transfer Service (FTP) and click Next.
   e. Click Next twice.
   f. Verify that Install URLScan Filter On The Server is checked. Click Next twice.
4. Encrypt communications where appropriate to prevent data from being sent in clear text.
5. Put the server behind a properly configured firewall.

Secure Shell (SSH) and Secure FTP (SFTP)


Secure Shell (SSH) and Secure FTP (SFTP) are protocols for the secure remote login and transfer of data. SSH is essentially a secure replacement for the rsh application on Linux and UNIX systems. Most SSH clients also implement terminal software, similar to rlogin, allowing them to be used as a replacement for the telnet protocol for login and access of remote servers. SSH is a secure way to replace rsh, rlogin, and telnet because all three are non-encrypted protocols that transfer all of their information, including the login name and password, over the network in plaintext. SSH uses a variety of encryption methods, and the entire session, including authentication, is encrypted to ensure security.

The OpenSSH project (www.openssh.org) is currently the leading command-line open source implementation of SSH. There are two versions of SSH. The current version, Version 2, is considered to be significantly more secure than the original, SSH Version 1. SSH clients and servers are available for nearly all operating systems in a commercial or open source implementation.

SFTP is a secure, SSH-encrypted file transfer protocol that fills the role of FTP. Users may also use the scp command, which is a secure, drop-in replacement for the rcp command on Linux and UNIX hosts. This command is used for transferring files over a secure SSH connection. Many SSH implementations have a corresponding SFTP implementation (and nearly all have an SCP implementation). While there are other protocols available for secure login and file transfer, including FTP over SSL and Telnet over SSL, these tools have mostly been replaced by SSH/SCP/SFTP at most installations.

The Microsoft IIS Lockdown Tool


You can use the Microsoft IIS Lockdown Tool to automate some of the FTP hardening
steps. If you have previously run the Lockdown Tool to harden other services on your
server, you will need to re-run the tool to undo those changes before hardening FTP.

ACTIVITY 3-6
Hardening an FTP Server
Setup:
Resources are located on the network in \\Server100\SPlus in the following folder:
• IIS Lockdown Wizard: \IIS\Lockdown

Although the FTP service is running on a domain controller for classroom and testing purposes, this is
a security risk.

Scenario:
National Bank is preparing to deploy FTP servers on the network on top of dynamic Web servers. The IT department has enabled FTP on your Windows 2000 Server; now, as the bank’s security administrator, you need to make sure the FTP server is secure. In the past, the bank has had problems with users accessing files they should not have had access to. Before connecting the new Windows 2000 FTP Server to your network, you want to make sure that your FTP server is hardened to minimize the likelihood of attacks from both internal and external users. The IT department also wants to prevent anyone from sending genuine user names and credentials when logging on to the FTP server.

What You Do / How You Do It

1. Run the IIS Lockdown Wizard to undo changes.
   If the Lockdown Tool hangs and stops responding, or the undo procedure fails, try re-running the tool. If it fails again, reboot your computer. The undo procedure can take 20 minutes or more.
   a. Run \\Server100\SPlus\IIS\Lockdown\IISLockd.exe.
   b. Click Next, and then click Yes to restore the original server settings.
   c. When the settings have been restored, click Next, and then click Finish.

2. Run the IIS Lockdown Wizard with the appropriate choices to lock down the FTP server.
   a. Run the IISLockd.exe file to launch the IIS Lockdown Wizard.
   b. Click Next.
   c. Select I Agree and click Next to accept the license agreement.
   d. In the Server Templates list, select Dynamic Web Server (ASP Enabled).
   e. Check View Template Settings and click Next.
   f. Check File Transfer Service (FTP) and click Next.
   g. Click Next twice to accept the default choices for Script Maps and Additional Security.
   h. Verify that Install URLScan Filter On The Server is checked and click Next twice to start the lockdown.
   i. When the lockdown is complete, click View Report.
      You will see errors in the report. These are for other services and are not related to FTP hardening.
   j. After you review the report, close Notepad.
   k. Click Next, and then click Finish to close the wizard.

3. Configure the Default FTP Site to accept only anonymous logons.
   a. From the Start menu, choose Programs→Administrative Tools→Internet Services Manager.
   b. In the tree pane, expand your server object.
   c. Select and right-click the Default FTP Site, and choose Properties.
   d. Select the Security Accounts tab.
   e. Check Allow Only Anonymous Connections.
   f. Click OK.
   g. Close Internet Information Services.

ACTIVITY 3-7
Verifying FTP Password Security
Scenario:
You have hardened your FTP server and restricted its logon configuration. You want to make
sure that you have really solved the problem of domain users transmitting their user names and
passwords to your FTP server in clear text.

What You Do / How You Do It

1. Start capturing all data sent between the local computer and all other destinations on the network.
   a. From the Start menu, choose Programs→Administrative Tools→Network Analysis Tools→Network Monitor.
   b. Choose Capture→Filter.
   c. Double-click INCLUDE ANY <—> ANY.
   d. In the Station 1 area, select the entry with a Name of LOCAL and an Address that matches your Local Area Connection’s MAC address.
   e. Click OK twice.
   f. Choose Capture→Start.

2. Use FTP to access the FTP server and attempt to log on as a domain user account.
   a. Open a command prompt and enter ftp server# where # is your partner’s computer number.
   b. Enter Administrator as the user name and !Pass1234 as the password. You receive a Login Failed error message. You are still connected to the FTP server, however.

3. Attempt to log on to the FTP server anonymously.
   a. At the FTP prompt, enter user anonymous.
   b. When prompted for the password, enter password. You should then see a message that says, “230 Anonymous user logged in.”
      It is a convention on the Internet to supply your email address as the password when you log on to an FTP server as “anonymous.” However, you can enter any password you like.
   c. Enter bye to disconnect your FTP session.
   d. Close the command prompt.

4. Stop the capture and review the capture log.
   a. Choose Capture→Stop and View.
   b. After you have located the frames showing the successful and unsuccessful logons, close Network Monitor without saving the capture or unsaved database entries.

5. What security problems can remain with anonymous-only logons?

6. Other than restricting logons, how else could you protect against an eavesdropping attack against clear text FTP passwords?
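Activities 3-5 and 3-7 both come down to reading the FTP control channel out of a Network Monitor capture and finding the USER, PASS, 230 and 530 frames. The Python below is an added example for this manual, not part of the course activities and not Network Monitor code: it replays both sessions as constructed (side, line) frames and reports, for every PASS command, which frame carried the password, which account it belonged to, and how the server answered. The host name, the reply texts and the password value are constructed, and the analyzer deliberately records the frame number rather than the password itself, so a defender can flag a disclosure without copying the secret into another log.

```python
"""Locate clear-text FTP credentials in a captured control-channel session.

Added example (not from the course or from Network Monitor). Frames are
constructed to match the shape of Activities 3-5 and 3-7.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed capture in the shape of Activity 3-5: a domain account logs on
# before the server is restricted to anonymous connections.
CAPTURE_DOMAIN_LOGON = [
    ("S", "220 server102 Microsoft FTP Service (Version 5.0)."),
    ("C", "USER Administrator"),
    ("S", "331 Password required for Administrator."),
    ("C", "PASS ExamplePass-1"),   # constructed value; it travels in clear text
    ("S", "230 User administrator logged in."),
    ("C", "QUIT"),
    ("S", "221 Goodbye."),
]

# Constructed capture in the shape of Activity 3-7: the server now allows only
# anonymous connections, so the domain logon is refused and anonymous succeeds.
CAPTURE_ANONYMOUS_ONLY = [
    ("S", "220 server102 Microsoft FTP Service (Version 5.0)."),
    ("C", "USER Administrator"),
    ("S", "331 Password required for Administrator."),
    ("C", "PASS ExamplePass-1"),
    ("S", "530 User Administrator cannot log in."),
    ("C", "USER anonymous"),
    ("S", "331 Anonymous access allowed, send identity (e-mail name) as password."),
    ("C", "PASS password"),
    ("S", "230 Anonymous user logged in."),
    ("C", "QUIT"),
    ("S", "221 Goodbye."),
]

ANONYMOUS_NAMES = {"anonymous", "ftp"}


@dataclass
class LogonAttempt:
    frame: int                          # index of the PASS frame in the capture
    user: str
    anonymous: bool
    reply_code: Optional[str] = None    # "230" accepted, "530" refused, None unanswered

    @property
    def credential_exposed(self) -> bool:
        """A real account's password crossed the wire, whatever the server said."""
        return not self.anonymous


def parse_logons(frames):
    """Walk client (C) and server (S) lines and pair each PASS with its reply."""
    attempts, current_user, pending = [], "", None
    for index, (side, line) in enumerate(frames):
        if side == "C":
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                current_user = arg.strip()
            elif verb == "PASS":
                pending = LogonAttempt(index, current_user,
                                       current_user.lower() in ANONYMOUS_NAMES)
                attempts.append(pending)
        elif pending is not None and line[:3].isdigit():
            code = line[:3]
            if code[0] in "245":   # final reply to PASS; a 3xx would mean "more needed"
                pending.reply_code = code
                pending = None
    return attempts


def exposed_credentials(frames):
    """The attempts a defender should treat as a credential disclosure."""
    return [a for a in parse_logons(frames) if a.credential_exposed]


if __name__ == "__main__":
    for name, cap in (("before", CAPTURE_DOMAIN_LOGON), ("after", CAPTURE_ANONYMOUS_ONLY)):
        for a in parse_logons(cap):
            print(f"{name}: frame {a.frame} PASS for {a.user!r} anonymous={a.anonymous} "
                  f"reply={a.reply_code} exposed={a.credential_exposed}")
```

Run against the second capture, the analyzer still reports one exposed credential even though the server answered 530: restricting who may log on changes the server's reply, not what the client has already sent, which is the distinction the two questions above ask you to reason about.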

TOPIC E
Harden Network News Transport
Protocol (NNTP) Servers
In the last two topics, you learned to secure two very common Internet services that your company might offer: Web services and FTP services. Although perhaps less common, another standard Internet service your company might provide is hosting newsgroup communications through servers running the Network News Transfer Protocol (NNTP). If your company maintains NNTP servers, you can use the procedures in this topic to secure them.
Security on NNTP servers is important for some of the same reasons that security on Web and FTP servers is important. You don’t want attackers posting inappropriate content in your newsgroups, and you don’t want attackers grabbing user credentials from your news server and using them to poke around on other services in your network. Securing NNTP properly can help prevent these problems and security breaches.

Hardened NNTP Server


Definition:
A hardened NNTP server is an NNTP server that has been configured to protect against software and hardware attacks according to a defined security policy. A hardened NNTP server may include some or all of the following security configuration settings:
• A hardened operating system to prevent attackers from exploiting the operating system to attack the NNTP server.
• Strong authentication to prevent user names and passwords from being transmitted in clear text and to prevent the NNTP server from being used anonymously for illegal activity.
• Strict access controls to prevent anonymous access to the server.
• Disabled unnecessary services to prevent attackers from exploiting those services to attack the NNTP server.

Example: USA Travel’s NNTP Server


USA Travel hosts one NNTP server for its registered clients. According to USA Travel’s security policy, the NNTP server must have strong authentication enabled. The network administrator enabled digest authentication on the NNTP server, and because that setting complies with USA Travel’s security policy, the NNTP server can be considered hardened.

Harden NNTP Servers


Procedure Reference: Harden a Windows 2000 NNTP Server
To harden a Windows 2000 NNTP server:
1. Harden the operating system to prevent attackers from exploiting the operating system to attack the NNTP server.
2. Configure strong authentication to prevent usernames and passwords from being transmitted in clear text and to prevent the NNTP server from being used anonymously for illegal activity.
3. Run the IIS Lockdown Wizard to lock down the NNTP server by setting strict access controls and disabling unnecessary services.
   a. Run the IIS Lockdown executable.
   b. In the Server Templates list, select Dynamic Web Server.
   c. Check View Template Settings and click Next.
   d. Check News Service (NNTP), and click Next.
   e. Click Next twice.
   f. Verify that Install URLScan Filter On The Server is checked. Click Next twice.

The Microsoft IIS Lockdown Tool


You can use the Microsoft IIS Lockdown Tool to automate some of the NNTP hardening steps. If you have previously run the Lockdown Tool to harden other services on your server, you will need to re-run the tool to undo those changes before hardening NNTP.

ACTIVITY 3-8
Hardening an NNTP Server
Activity Time:
30 minutes

Setup:
Your Windows 2000 server is running as a Web and FTP server, and it has been locked down by using the IIS Lockdown Wizard. The NNTP service was disabled when the base operating system was hardened. Resources are located on the network in \\Server100\SPlus in the following folder:
• IIS Lockdown Wizard: \IIS\Lockdown

Scenario:
You disabled the NNTP service until you were ready to harden IIS and deploy your NNTP server. The bank has decided that they now want to use NNTP, FTP, and enable ASP on the IIS server. As the bank’s security administrator you need to make sure your NNTP servers are secure. In the past, the bank has had problems with users accessing newsgroups that they should not have had access to. Before connecting the new Windows 2000 NNTP Server to your network, you want to make sure that your NNTP server is hardened to minimize the likelihood of attacks from both internal and external users. To prevent attackers from attacking NNTP the bank’s IT department has decided to implement a secure NNTP server.
The IT department has designed a security deployment plan for all new systems, including the Windows 2000 NNTP Servers, and you as the security administrator need to make sure the plan is implemented.

What You Do / How You Do It

1. As the domain administrator, enable and start the NNTP service.
   a. Open Computer Management, expand Services And Applications, and click Services.
   b. Double-click the Network News Transport Protocol service.
   c. From the Startup Type drop-down list, select Automatic.
   d. Click Apply.
   e. Click Start.
   f. When the service has started, click OK.
   g. Close Computer Management.

2. Run the IIS Lockdown Wizard to undo changes.
   If the Lockdown Tool hangs, or if the undo procedure fails, try re-running the tool. If it fails again, reboot your computer. The undo procedure can take 20 minutes or more.
   a. Run \\Server100\SPlus\IIS\Lockdown\IISLockd.exe.
   b. Click Next, and then click Yes to restore the original server settings.
   c. When the settings have been restored, click Next, and then click Finish.

3. Run the IIS Lockdown Wizard with the appropriate choices to lock down the NNTP server.
   a. Run the IIS Lockdown file to launch the IIS Lockdown Wizard.
   b. Click Next.
   c. Select I Agree and click Next to accept the license agreement.
   d. In the Server Templates list, select Dynamic Web Server.
   e. Check View Template Settings and click Next.
   f. Check File Transfer Service (FTP) and News Service (NNTP), and click Next.
   g. Click Next twice to accept the default choices for Script Maps and Additional Security.
   h. Verify that Install URLScan Filter On The Server is checked and click Next twice to start the lockdown.
   i. When the lockdown is complete, click View Report.
      You will see errors in the report. These are from services unrelated to NNTP.
   j. After you review the report, close Notepad.
   k. Click Next, and then click Finish to close the wizard.

TOPIC F
Harden Email Servers
The Internet services we’ve discussed in the last three topics are important reasons why the
Internet is useful for businesses today. But the “killer app” of the Internet has always been
email. If your company maintains its own email servers, hardening them will be another
important component in tightening up the perimeter of your network. So, in this topic, you’ll
learn to increase security on your company’s email servers.
There are very few businesses today who don’t provide email for their employees, and the
email stream is a major source of traffic flow between the corporate network and the Internet.
Lots of bad things can come into your network through email, including all sorts of malicious
code. Your users’ email credentials can be a gateway for attackers into other parts of your
network. For these reasons, it’s important to make sure that your email servers are secure.

Email Vulnerabilities
There are numerous known email vulnerabilities, and there seem to be new ones discovered
every week. The following table lists some examples of common email vulnerabilities.

Vulnerability     Description
----------------  --------------------------------------------------------------------------------
Email worms       Users with an email client that uses a particular version of Microsoft Internet Explorer may be vulnerable to the automatic execution of arbitrary code in an email. This can result in the spread of the code to other clients using other email addresses found in a variety of places on the computer, including the user’s contact management application (for example, Microsoft Outlook), the Web browser’s local cache, and the contents of email messages received and stored on the system. Nimda is an example of an email worm.
Malicious code    A user who opens and executes malicious code disguised as an attachment may infect their machine and others on their network. The malicious code may reveal sensitive information on the system, fill the hard disk to maximum capacity, or recursively delete files. For example, in some versions of Outlook and some instant messaging applications, files that don’t meet the 8.3 filenaming convention are truncated with an ellipsis. This could mean a user will execute a file because he or she can’t see the file extension or the complete file name, leading to a serious code attack.
Data buffers      Numerous buffer overflows have been found over the years in Sendmail, Microsoft Exchange Server, and other servers for email protocols, including SMTP, POP, and IMAP.
Spam              A malicious user can flood a network with emails and effectively cause a DoS by overloading an organization’s email servers. An attacker can also use target servers set up as SMTP relays to launch spam attacks against other networks.
Hoaxes            Email hoaxes are examples of social engineering attacks. Hoaxes can cause users to delete “dangerous” files that are actually critical system files, or otherwise misconfigure their systems to protect against bogus threats.

Hardened Email Server


Definition:
A hardened email server is an email server that has been configured to protect against
software and hardware attacks according to a defined security policy. A hardened email
server may include some or all of the following security configuration settings:
• A hardened operating system to prevent attackers from exploiting the OS to attack
the email server software.
• The latest security patches and fixes for the email server software to help protect
against threats such as buffer overflows, worms, and other malicious code.
• Enterprise antivirus software to protect against worms and viruses.
• Message tracking to monitor communications and detect potentially malicious
activity, such as email hoaxes and spam.
• An established logging and auditing strategy to track server performance and
detect suspicious activity.
• Message size limitations to prevent attackers from sending oversized messages to
overload email systems.
• Blocked SMTP traffic from specific domains or IP addresses to protect against
spam or malicious activity.
• Disabled unnecessary services and applications to prevent an attacker from
exploiting them to gain access to the OS or email server software using such
methods as buffer overflows.
• Encrypted communication where appropriate to protect sensitive data.

Example: USA Travel’s Email Servers


USA Travel’s corporate security policy dictates that its email servers have all the latest operating system and server software patches, have enterprise antivirus software, have message size limitations, and are backed up regularly. Therefore, USA Travel’s Exchange administrator searches for and installs the latest Windows 2000 and Exchange 2000 security hotfixes every week, has installed an enterprise antivirus software package on all Exchange servers, has limited message sizes to 1 MB, and backs up the mail servers every night. Because all these steps comply with USA Travel’s security policy, the email servers are hardened.

Email Security Using S/MIME and PGP


To help protect email and ensure that what the sender sends is exactly what the recipient
receives, two methods have been developed to secure email: Pretty Good Privacy (PGP) and
Secure Multipurpose Internet Mail Extensions (S/MIME). Both methods are described in the
following table.

Lesson 3: Hardening Internetwork Devices and Services 135


PGP: PGP uses a variation of public key cryptography to encrypt emails: the sender encrypts the contents of the email message and then encrypts the key that was used to encrypt the contents. The encrypted key is sent with the email, and the receiver decrypts the key and then uses the key to decrypt the contents. PGP also uses public key cryptography to digitally sign emails to authenticate the sender and the contents.

S/MIME: S/MIME is an extension of MIME, which was originally created to allow users to share attachments to the original email, such as JPEG and MPEG files. S/MIME was created to prevent attackers from intercepting and manipulating email and attachments by encrypting and digitally signing the contents of the email using public key cryptography. S/MIME ensures that the email that’s received is the same email that was sent, and that its contents are the original contents included by the sender.

Public key cryptography and certificates will be covered later in this course.

Harden Email Servers


Procedure Reference: Harden an Exchange Server
To harden an Exchange server:
1. Harden the operating system to prevent attackers from exploiting the OS to attack
the email server software.
2. Install the latest security patches and fixes for the email server software to help
protect against threats such as buffer overflows.
3. Install enterprise antivirus software to protect against worms and viruses.
4. Enable message tracking on the Exchange server object to monitor communications and detect potentially malicious activity, such as email hoaxes and spam.
a. On the Exchange server, open Exchange System Manager.
b. Expand Servers and select your server.
c. Right-click your server and choose Properties.
d. On the General page, check Enable Message Tracking.
5. Enable minimum diagnostic logging for MSExchangeIS/Mailbox/Logons for your
Exchange server object to track server performance and detect suspicious activity.
a. On the Exchange server, open Exchange System Manager.
b. Expand Servers, and select your server.
c. Right-click your server and choose Properties.
d. Select the Diagnostics Logging tab.
e. In the Services list, expand MSExchangeIS and select Mailbox.
f. In the Categories list, select Logons.
g. Under Logging Level, select Minimum.
6. Enable message size limits to prevent attackers from sending oversized messages
to overload email systems.
a. On the Exchange server, open Exchange System Manager.
b. Expand Servers and your Exchange server.
c. Select a storage group.
d. In the details pane, right-click the Mailbox Store and choose Properties.
e. Select the Limits tab.
f. Configure storage limit settings as appropriate for your system.
7. Enable SMTP logging for the SMTP protocol’s SMTP Virtual Server object.
a. In Exchange System Manager, under your server, expand Protocols.
b. Select SMTP.
c. In the details pane, right-click the Default SMTP Virtual Server and choose
Properties.
d. On the General page, check Enable Logging.
8. If necessary, block inbound SMTP traffic to protect against spam or malicious
activity.
a. In Exchange System Manager, under your server, expand Protocols.
b. Select SMTP.
c. In the details pane, right-click the Default SMTP Virtual Server and choose
Properties.
d. Select the Access tab.
e. Click Connection.
f. In the Connection dialog box, verify that All Except The List Below is
selected and click Add.
g. Block SMTP traffic based on IP addresses or domain names.
9. Run the IIS Lockdown Wizard to lock down the Exchange server to disable
unnecessary services and applications.
a. Run the IIS Lockdown executable.
b. In the Server Templates list, select Exchange Server 2000.
c. Check View Template Settings and click Next.
d. Verify that E-mail Service (SMTP) is checked.
e. Click Next three times.
f. Verify that Install URLScan Filter On The Server is checked. Click Next
twice.
10. Encrypt communication where appropriate to protect sensitive data.

The Microsoft IIS Lockdown Tool


You can use the Microsoft IIS Lockdown Tool to automate some of the hardening
steps for an Exchange server. If you have previously run the Lockdown Tool to harden
other services on your server, you will need to re-run the tool to undo those changes
before hardening Exchange.

ACTIVITY 3-9
Hardening an SMTP Server
Data Files:
• SecureSystems.doc

Setup:
The Exchange server is also an IIS server running the WWW and FTP services. These services
were previously hardened by running the IIS Lockdown Wizard. The SMTP service is
disabled. Data files and other resources are located on the network in \\Server100\SPlus in the
following folders:
• IIS Lockdown Wizard: \IIS\Lockdown
• SecureSystems.doc: \Student
• Windows 2000 Server installation files: \Srv2000

Scenario:
National Bank supports SMTP email services by using Microsoft Exchange 2000 Server. One of your next tasks as the bank’s security administrator is to enable SMTP and to make sure these SMTP servers are secure. In the past, the bank has had problems with DoS attacks on the Exchange servers. Before connecting the new Exchange 2000 Server to your network, you want to make sure that it is hardened to minimize the likelihood of attacks from both internal and external users. To prevent attackers from attacking Exchange 2000 Server, the bank’s IT department has decided to implement a secure Exchange 2000 Server.
The IT department and the Exchange 2000 design team have designed a security deployment plan for all new systems, including the Windows 2000 Exchange 2000 Servers, and you as the security administrator need to make sure the plan is implemented. One part of the plan is to make sure that FTP is not running on any SMTP servers, in order to eliminate any possible attacks on the mail servers through FTP. The Exchange 2000 design team is planning to install virus protection software on the Exchange server when you are done hardening.

What You Do / How You Do It

1. Enable message tracking on the Exchange server object.
a. Open the \\Server100\SPlus\Student\SecureSystems.doc file and locate the Exchange 2000 Hardening Recommendations.
b. From the Start menu, choose Programs→Microsoft Exchange→System Manager.
c. Expand Servers and select your server.
d. Right-click your server and choose Properties.
e. On the General page, check Enable Message Tracking and click Apply to keep the property sheet open.

2. Enable minimum diagnostic logging for MSExchangeIS/Mailbox/Logons on your Exchange server object.
a. On your server’s property sheet, select the Diagnostics Logging tab.
b. In the Services list, expand MSExchangeIS and select Mailbox.
c. In the Categories list, select Logons.
d. Under Logging Level, select Minimum.
e. Click OK.

3. In the First Storage Group, enable message size limits on the Mailbox Store and Public Store, according to the specifications in the SecureSystems.doc file.
a. In the Tree pane of Exchange System Manager, expand your server and select the First Storage Group.
b. Right-click Mailbox Store and choose Properties.
c. Select the Limits tab.
d. In the Storage Limits section, check all three check boxes.
e. In the Issue Warning At (KB) text box, enter 40000 to set a warning limit of 40000 KB.
f. Set a Prohibit Send limit of 50000 KB.
g. Set a Prohibit Send And Receive limit of 60000 KB.
h. Click OK.
i. Open the properties of the Public Folder Store and select the Limits tab.
j. Set the same limit values and click OK.

4. Why would you enable message size limits?

5. Enable and start the SMTP service.
a. Open Computer Management.
b. Expand Services And Applications and select Services.
c. Double-click the Simple Mail Transport Protocol service.
d. From the Startup Type drop-down list, select Automatic. Click Apply.
e. Click Start.
f. When the service has started, click OK.
g. Close Computer Management.

6. Enable SMTP logging for the SMTP protocol’s SMTP Virtual Server object.
When hardening Exchange 2000 Server, you should also enable IIS logging. You did this in an earlier activity.
a. In the Exchange System Manager Tree pane, under your server, expand the Protocols folder and select SMTP.
b. Right-click the Default SMTP Virtual Server and choose Properties.
c. On the General page, check Enable Logging.
d. Click Apply to keep the property sheet open.

7. Block inbound SMTP traffic for the domains specified in the SecureSystems.doc file by adding them to the Access/Connection Control list for the SMTP Server object.
a. In the Default SMTP Virtual Server Properties sheet, select the Access tab.
b. Click Connection.
c. In the Connection dialog box, verify that All Except The List Below is selected, and click Add.
d. Select Domain.
e. In the SMTP Configuration message box, click OK.
f. In the Name text box, enter hacker.com and click OK.
g. Add the intruder.com domain to the list.
h. Click OK twice to close the Connection dialog box and the Default SMTP Virtual Server Properties sheet.
i. Close Exchange System Manager.

8. Run the IIS Lockdown Wizard to undo changes.
If the Lockdown Tool hangs and stops responding, or the undo procedure fails, try re-running the tool. If it fails again, reboot your computer. The undo procedure can take 20 minutes or more.
a. Run \\Server100\SPlus\IIS\Lockdown\IISLockd.exe.
b. Click Next, and then click Yes to restore the original server settings.
c. When the settings have been restored, click Next, and then click Finish.

9. Run the IIS Lockdown Wizard with the appropriate choices to lock down the Exchange server.
If you did not key the preceding optional activity, NNTP will not be installed, so that check box will be grayed out.
a. Run the IIS Lockdown file to launch the IIS Lockdown Wizard.
b. Click Next.
c. Select I Agree and click Next to accept the license agreement.
d. In the Server Templates list, select Exchange Server 2000.
e. Check View Template Settings and click Next.
f. Verify that Web Service (HTTP), E-mail Service (SMTP), and News Service (NNTP) are checked, and that File Transfer Service (FTP) is unchecked. Check Remove Unselected Services.
g. Click Yes to verify that you want to remove FTP.
h. Click Next three times to accept the default choices for Script Maps and Additional Security.
i. Verify that Install URLScan Filter On The Server is checked and click Next twice to start the lockdown. The Windows Components Wizard will run automatically to remove the FTP service.
j. If you are prompted for the location of the Windows 2000 Server installation files, enter the path \\Server100\SPlus\Srv2000\I386 and click OK.
k. When the lockdown is complete, click View Report.
You will see errors in the report. These are from other services unrelated to Exchange.
l. After you review the report, close Notepad.
m. Click Next, and then click Finish to close the wizard.

10. Verify that FTP is no longer installed.
a. From the Start menu, choose Programs→Administrative Tools→Internet Services Manager.
b. Expand your server object. The default FTP site is no longer installed.
c. Close Internet Services Manager.

TOPIC G
Harden Conferencing and
Messaging Servers
Another way that your company might be communicating across the Internet with foreign networks is through the use of various types of collaboration services. Tools like instant messaging and video conferencing are no longer novelties but, instead, are commonplace and legitimate tools for business communications. In this topic, you’ll learn to secure communications that use these real-time interactive services.
With collaboration services, such as instant messaging, your employees are communicating with the outside world in real time. The communication is instantaneous and performance is of the essence. Before you know it, an attacker could insert something undesirable into the communication and you wouldn’t have time to stop it. It’s better to secure these systems so that an attacker can’t connect to them in the first place.

Instant Messaging Vulnerabilities


While both conferencing and instant messaging servers are vulnerable to the same exploits covered so far in this course, including sniffing or eavesdropping, it’s important to note that a popular social engineering attack has had success in the recent past against instant messaging users. The attack happens like this: The attacker contacts the target and masquerades as a staff member of the instant messaging network that the target is using. The attacker then elicits personal or financial information from the target by claiming it is needed to verify the target’s identity or licensing information. While this attack isn’t the sort of high-tech attack you might expect against your network, it’s another example of how a clever attacker can use plain old deception to exploit your users and gain access to your network.

Hardened Conferencing and Messaging Server


Definition:
A hardened conferencing and messaging server is a conferencing and messaging server
that has been configured to protect against software and hardware attacks according to
a defined security policy. A hardened conferencing and messaging server may include
some or all of the following security configuration:
• A hardened operating system to prevent attackers from exploiting the OS to attack
the server software.
• Appropriate access controls to prevent unauthorized users from accessing the
system.
• Encrypted communication where appropriate to protect sensitive data.
• Educated users to help guard against social engineering attacks.

Example: USA Travel’s Instant Messaging Server


USA Travel’s corporate security policy requires users to log on to the instant messaging server. Therefore, the network administrator has limited access to the server only to those users who have domain accounts. Because this configuration is protected according to the corporate security policy, this instant messaging server is considered hardened.

Harden Conferencing and Messaging Servers


Procedure Reference: Harden Exchange Messaging Servers
To harden an Exchange messaging server:
1. Harden the operating system to prevent attackers from exploiting the OS to attack
the server software.
2. Set appropriate authentication properties on the IIS Instant Messaging virtual
directory to prevent unauthorized users from accessing the system.
a. Open Internet Services Manager.
b. Expand your server and expand the Default Web Site.
c. Select and right-click the InstMsg virtual directory and choose Properties.
d. Select the Directory Security tab.
e. In the Anonymous Access And Authentication Control area, click Edit.
f. Configure anonymous authentication and authenticated access as appropriate
for your system.
3. Encrypt communication where appropriate to protect sensitive data.
4. Educate users to help guard against social engineering attacks.

ACTIVITY 3-10
Hardening an Instant Messaging Server
Data Files:
• SecureSystems.doc

Setup:
You have a new installation of a Windows 2000 Server set up as an Exchange 2000 Server with Instant Messaging installed. The computer is named Server#, and it is in a domain named Domain#, where # is a unique integer assigned to you by the instructor. The default administrator account has been set up with a password of !Pass1234. The Exchange 2000 Server has been hardened along with running the IIS Lockdown Tool. Data files are located in \\Server100\SPlus\Student and the IM Client is at \\Server100\SPlus\E2KIM. Your email address is administrator@server#.

Although the Exchange Server with Instant Messaging is running on a domain controller for classroom and testing purposes, this is a security risk.

Scenario:
You have already hardened your Exchange 2000 Server and IIS with the IIS Lockdown Tool. Now, one of your next tasks as the bank’s security administrator is to make sure your Instant Messaging servers are secure. In the past, the bank has had problems with users using Instant Messaging with unauthorized users. Before connecting the new Instant Messaging server to your network, you want to make sure that it is hardened to minimize the likelihood of attacks from both internal and external users. To prevent attackers from attacking Instant Messaging, the bank’s IT department has decided to implement a secure Instant Messaging server.
The IT department and the Exchange 2000 Server design team have designed a security deployment plan for all new systems, including the Instant Messaging servers, and you as the security administrator need to make sure the plan is implemented. After you implement the changes on your Exchange 2000 server, you should be sure to verify that the IM clients can connect to the IM server with the new security configuration. The network administrators will then place the server behind the firewall.

Because the DNS hierarchy for each class domain is independent, this activity will not enable you to send Instant Messages between classroom computers.

What You Do / How You Do It

1. Create a new Instant Messaging home server using the appropriate parameters as documented in SecureSystems.doc.
a. Open \\Server100\SPlus\Student\SecureSystems.doc.
b. From the Start menu, choose Programs→Microsoft Exchange→System Manager.
c. Expand the Servers object, expand your server, and expand the Protocols folder.
d. Select the Instant Messaging (RVP) object.
e. Right-click Instant Messaging (RVP) and choose New→Instant Messaging Virtual Server to launch the New Instant Messaging Virtual Server Wizard.
f. Click Next.
g. Complete the wizard using the following parameters (substitute your computer’s number for the # sign when appropriate):
• Display Name: IMServer#
• Enable the Default Web Site for Instant Messaging.
• DNS Domain Name: Server#
• Allow the server to host user accounts.
h. Close Exchange System Manager.

2. Set the appropriate authentication properties on the Internet Information Server (IIS) Instant Messaging virtual directory.
a. From the Start menu, choose Programs→Administrative Tools→Internet Services Manager.
b. Expand your server and expand the Default Web Site.
c. In the Default Web Site, select and right-click the InstMsg virtual directory, and choose Properties.
d. Select the Directory Security tab.
e. In the Anonymous Access And Authentication Control area, click Edit.
f. Uncheck Anonymous Access.
g. In the Authenticated Access area, uncheck Digest Authentication For Windows Domain Servers. Only Integrated Windows Authentication should be checked.
h. Click OK twice.
i. Close Internet Services Manager.

3. What authentication methods should be enabled on the Instant Messaging Virtual Directory if users log on through a proxy server?
a) Anonymous access
b) Basic authentication
c) Digest authentication
d) Integrated Windows authentication

4. True or False? If you use Digest Authentication, you must configure user passwords to be stored using reversible encryption.

5. Modify the Exchange Features properties of your Active Directory user account to enable Instant Messaging and use your Instant Messaging server as your home server.
a. From the Start menu, choose Programs→Administrative Tools→Active Directory Users And Computers.
b. Expand your domain and select the Users folder.
c. Right-click the Administrator user and choose Exchange Tasks to launch the Exchange Task Wizard.
d. Click Next.
e. Complete the wizard using the following settings:
• Enable Instant Messaging.
• Browse to select IMServer# as the Instant Messaging Home Server.
• Instant Messaging Domain Name: Server#.
f. Close Active Directory Users And Computers.

6. Install the IM client.
a. Open \\Server100\SPlus\E2KIM and run the MMSSetup program.
b. Click Yes to accept the license agreement.
c. In the MSN Messenger window, click the Click Here To Sign In link.
d. In the E-mail text box, enter administrator@server# and click OK. MSN Messenger should sign you on automatically.

7. Verify that you can start the IM client and log on with the new authentication settings.
a. Close the MSN Messenger window.
b. In the message box, click OK.
c. In the System Tray, right-click the MSN Messenger icon and choose Exit.
d. From the Start menu, choose Programs→MSN Messenger. MSN Messenger should start and log you on automatically.
e. Close the MSN Messenger window and exit the program.

Lesson 3 Follow-up
In this lesson, you hardened the devices and computers that are exposed to the Internet and
provide services to both local and remote users. By securing the systems that act as a border
around your network, you provide a higher level of security to your internal network resources.
1. Which internetwork connection device do you think is most important to secure?

2. Which provides a greater security threat to your organization: your border router or
your email infrastructure?

LESSON 4
Securing Network Communications
Lesson Time: 2 hour(s), 45 minutes

Lesson Objectives:
In this lesson, you will secure network communications.
You will:
• Secure network traffic using IPSec.
• Secure wireless traffic.
• Secure client Internet access.
• Secure the remote access channel.

Introduction
If an attacker taps in to your network media and starts reading information directly off the wire, you might as well call it a day. The best passwords in the world won’t protect your systems if an attacker pulls them out of an authentication session. The most secure email server in the world won’t help keep your data safe if an attacker can read a sensitive email message in transit. So, you can’t just secure the systems on the ends of the communication; you need to make sure the information flowing between them on the network is secure as well.

TOPIC A
Secure Network Traffic Using IP
Security (IPSec)
When you secure network traffic, it’s not a single operation. You need to consider various types of traffic, such as LAN, WAN, and wireless communications. We’ll start with a method that you can apply in many types of situations. In this topic, you’ll learn how to configure Internet Protocol Security (IPSec), a powerful, general-purpose technique for protecting data on IP networks.
IPSec is a flexible and powerful tool that can help you ensure not only that only authorized data is getting through your network systems, but also that the data can be read only by authorized parties. So, IPSec can prevent hackers both from hijacking a session and from scanning the network data for information. Unfortunately, used incorrectly, IPSec can also shut down legitimate communications on your network. So, learning to apply IPSec correctly is an indispensable skill for any network security professional.

Data Integrity
To protect against replay or man-in-the-middle attacks, you need to provide a method that two computers can use to verify that the data they’re exchanging is the original, unmodified data; that is, you need to provide a way for Computer A to verify that the data it receives from Computer B is the same data Computer B sent and vice versa. One method is to use a message digest. A message digest, also called a digital signature, is created by using a one-way encryption algorithm, also called a hashing algorithm, such as MD5 and SHA-1, both of which are described in Table 4-1. The algorithm produces a numerical result, called a digest or hash value, of a fixed size, which is just a condensed form or representation of the original data. The data and the digest are sent to the recipient, who then decrypts the digest and recomputes the digest from the received file using the same algorithm. If the recomputed digest matches the digest that was sent with the data, the file is proved to be intact and tamper-free from the sender. Digital signatures promote data integrity and non-repudiation by ensuring that data is authentic from the source and that one party can’t deny involvement in an electronic transaction.

While message digests are a secure way to authenticate data, attackers can attempt to use the “birthday paradox” to generate a separate but identical version of a hash. For more information about birthday attacks, see www.rsasecurity.com/rsalabs/faq/2-4-6.html.

Table 4-1: Hashing Algorithms

Secure Hash Algorithm (SHA-1, SHA-256, SHA-384, and SHA-512): Considered the stronger of the two hashing algorithms described here, SHA-1 produces a 160-bit hash value, while SHA-256, SHA-384, and SHA-512 produce 256-bit, 384-bit, and 512-bit digests, respectively.

Message Digest 5 (MD5): This algorithm produces a 128-bit message digest.
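The digest check described above, worked through as an added example that is not code from this manual: the sender condenses the data with one of the Table 4-1 algorithms, the recipient recomputes and compares, and a single flipped bit is caught. The last function illustrates the birthday-paradox note on a deliberately short tag (a 16-bit truncation of SHA-256, an assumption made for the demonstration); the sample message is constructed, and the recipient compares digests directly rather than decrypting a signed one.

```python
import hashlib
import hmac
import random

# Digest sizes, in bits, for the hashing algorithms described in Table 4-1.
DIGEST_BITS = {"md5": 128, "sha1": 160, "sha256": 256, "sha384": 384, "sha512": 512}


def make_digest(data: bytes, algorithm: str) -> bytes:
    """Sender side: condense the data into a fixed-size digest."""
    if algorithm not in DIGEST_BITS:
        raise ValueError("unsupported hashing algorithm: " + algorithm)
    digest = hashlib.new(algorithm, data).digest()
    assert len(digest) * 8 == DIGEST_BITS[algorithm]   # matches Table 4-1
    return digest


def verify_digest(data: bytes, algorithm: str, received_digest: bytes) -> bool:
    """Recipient side: recompute the digest from the received data and compare.

    compare_digest runs in constant time, so the comparison itself does not
    leak how many leading bytes of the two digests matched.
    """
    return hmac.compare_digest(make_digest(data, algorithm), received_digest)


def flip_one_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate an in-transit change of a single bit at position bit_index."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def truncated_tag(message: bytes, bits: int) -> int:
    """Keep only the leading `bits` bits of SHA-256: a deliberately short digest."""
    full = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return full >> (256 - bits)


def find_birthday_collision(bits: int, seed: int = 1, max_trials: int = 1 << 18):
    """Birthday-paradox demo: draw random messages until two share a tag.

    Returns (trials, message_a, message_b), or None if max_trials is reached.
    With a 16-bit tag a collision typically appears after a few hundred
    messages (about 2**(bits/2)), which is why the digest sizes in Table 4-1
    matter: halving the digest length far more than halves the attacker's work.
    """
    rng = random.Random(seed)          # seeded so the run is reproducible
    seen = {}
    for trial in range(1, max_trials + 1):
        message = rng.getrandbits(128).to_bytes(16, "big")
        tag = truncated_tag(message, bits)
        if tag in seen and seen[tag] != message:
            return trial, seen[tag], message
        seen[tag] = message
    return None


if __name__ == "__main__":
    # Constructed sample message standing in for a file sent along with its digest.
    original = b"Transfer 100.00 to account 12345 (constructed sample data)"
    for name in DIGEST_BITS:
        sent = make_digest(original, name)
        tampered = flip_one_bit(original, 9)
        print(name, DIGEST_BITS[name], "bits; intact:",
              verify_digest(original, name, sent),
              "tampered:", verify_digest(tampered, name, sent))
    found = find_birthday_collision(16)
    if found:
        print("16-bit tag: collision after", found[0], "random messages")
```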

Data Encryption
One way to protect data passing through unsecured data channels is to encrypt the data. Encryption is the process of converting the data into coded form in such a way that only authorized parties can access the information. Only those with the necessary password or decryption key can decode and read the data. Encryption promotes confidentiality of sensitive data.
Many encryption schemes and methods are available. Electronic mail packages often offer the ability to encrypt messages. Specialized encryption devices can be inserted into the data-transmission media to encrypt all the data that passes through. The level of encryption that you implement depends on the value of the data. When considering the value, consider what loss would be incurred if your competitors or the general public were to become aware of the contents of the data.
Data is encrypted and decrypted using algorithms, which in turn use a private key, a public key, or a combination of the two. Data encryption is either symmetric or asymmetric, as described in Table 4-2.

Table 4-2: Encryption algorithms.

Symmetric/Private key: Symmetric encryption, also known as private key encryption, works with one key. All of the objects on the network that have this key can encrypt and decrypt messages. Because this key is available only to the sender and receiver of the message, it is referred to as a private key. For security, the key must be kept safely guarded and should never travel over the communications media. The administrator can establish the private key or it can be embedded in hardware coding. If the key ever changes, all devices must be upgraded. Symmetric cryptography provides a lower level of security in exchange for a faster encryption rate. Stream ciphers are symmetric encryption algorithms. Examples: Data Encryption Standard (DES); Triple DES (3DES); Advanced Encryption Standard (AES) algorithm (Rijndael); Rivest Cipher (RC) 4 and 5; Skipjack; Blowfish; CAST-128.

Asymmetric/Public key: Asymmetric, or public key, encryption is more secure than symmetric encryption because it uses two keys. The public key is available to everyone on the network, so messages are encrypted by using the recipient’s public key. Only the recipient’s private key can be used to decrypt the message. This dual-key system eliminates the need to share a private key. Asymmetric encryption was developed by Whitfield Diffie and Martin Hellman. While asymmetric cryptography is highly secure, it isn’t as fast as symmetric cryptography. Examples: Rivest Shamir Adleman (RSA) cryptosystem; Diffie-Hellman; ElGamal.

The encryption algorithms in Table 4-2 use different methods for encrypting data. Two com-
monly used methods are stream cipher and block cipher:
• Stream cipher, a type of symmetric encryption, encrypts data one bit or byte at a time: the
cipher expands the key into a keystream, and each plaintext bit is XORed with the corre-
sponding keystream bit to produce ciphertext. These algorithms are fast to execute, and the
ciphertext is the same size as the original text. A transmission error affects only the bit in
which it occurs, not a whole block. The critical caveat is that a keystream must never be
reused: if two messages are encrypted under the same key and keystream, XORing the two
ciphertexts cancels the keystream and exposes the XOR of the two plaintexts. RC4 is an
example of a stream cipher.
• Block cipher encrypts data a fixed-size block at a time, often in 64-bit blocks, so the last
block of a message must be padded out to a full block. Block ciphers are generally slower
than stream ciphers; how much security they provide depends heavily on the mode of
operation. In ECB (Electronic Codebook) mode, each block is encrypted by itself, so every
identical plaintext block produces an identical ciphertext block and patterns in the data show
through. In CBC (Cipher Block Chaining) mode, each plaintext block is XORed with the
preceding ciphertext block (the first block with a random initialization vector) before it is
encrypted, so repeated data is encrypted differently each time it is encountered. CFB (Cipher
Feedback) mode turns the block cipher into a keystream generator, which allows encryption
of partial blocks rather than requiring full, padded blocks. DES is an example of a block
cipher.
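The following script is an added example, not code from the manual, that makes the mode differences above visible. Its block cipher is a toy four-round Feistel network built on HMAC-SHA-256 with 64-bit blocks (an assumption standing in for DES; it is a permutation but not a secure cipher), and the key and plaintext are constructed. Encrypting a message that repeats every 16 bytes shows ECB producing repeated ciphertext blocks, CBC producing none, and CFB producing ciphertext exactly the length of the plaintext with no padding.

```python
import hashlib
import hmac
import os

BLOCK = 8  # 64-bit blocks, the same block size as DES

def _xor(a: bytes, b: bytes) -> bytes:
    # zip() stops at the shorter input, which is what CFB needs for a partial final block
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    # Toy round function (assumption, not DES): keyed PRF of one half, truncated to 32 bits
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]

def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Four-round Feistel network standing in for a real 64-bit block cipher."""
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, right, rnd))
    return left + right

def decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in reversed(range(4)):           # undo the rounds in reverse order
        left, right = _xor(right, _f(key, left, rnd)), left
    return left + right

def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK            # PKCS#7-style: always add 1..8 bytes
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, plaintext):
    # Each block on its own: identical plaintext blocks give identical ciphertext blocks
    return b"".join(encrypt_block(key, b) for b in _blocks(pad(plaintext)))

def ecb_decrypt(key, ciphertext):
    return unpad(b"".join(decrypt_block(key, b) for b in _blocks(ciphertext)))

def cbc_encrypt(key, iv, plaintext):
    prev, out = iv, []
    for b in _blocks(pad(plaintext)):
        prev = encrypt_block(key, _xor(b, prev))  # chain the previous ciphertext block in
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ciphertext):
    prev, out = iv, []
    for c in _blocks(ciphertext):
        out.append(_xor(decrypt_block(key, c), prev))
        prev = c
    return unpad(b"".join(out))

def cfb_encrypt(key, iv, plaintext):
    # The cipher only ever encrypts the previous ciphertext block, producing a keystream,
    # so no padding is needed and a short final block is handled naturally.
    prev, out = iv, []
    for p in _blocks(plaintext):
        c = _xor(p, encrypt_block(key, prev))
        out.append(c)
        prev = c
    return b"".join(out)

def cfb_decrypt(key, iv, ciphertext):
    prev, out = iv, []
    for c in _blocks(ciphertext):
        out.append(_xor(c, encrypt_block(key, prev)))
        prev = c
    return b"".join(out)

def repeated_blocks(ciphertext: bytes) -> int:
    blocks = _blocks(ciphertext)
    return len(blocks) - len(set(blocks))

def demo():
    key = b"toy-key"                               # constructed key
    iv = os.urandom(BLOCK)                         # fresh random IV for this message
    pt = b"ATTACK AT DAWN. " * 3 + b"END"          # constructed; repeats every 16 bytes
    ecb, cbc, cfb = ecb_encrypt(key, pt), cbc_encrypt(key, iv, pt), cfb_encrypt(key, iv, pt)
    assert ecb_decrypt(key, ecb) == cbc_decrypt(key, iv, cbc) == cfb_decrypt(key, iv, cfb) == pt
    return {"ecb_repeats": repeated_blocks(ecb), "cbc_repeats": repeated_blocks(cbc),
            "cfb_len": len(cfb), "pt_len": len(pt)}

if __name__ == "__main__":
    print(demo())
```

Because the Feistel construction is a permutation, the four repeated ciphertext blocks under ECB are exactly the repeated plaintext blocks; swapping in a real DES implementation would change the bytes but not that count.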

Internet Protocol Security (IPSec)


As you’ve seen so far in this course, there are a wide variety of ways attackers can gain access
to your network and wreak havoc on your systems and disrupt your communications. While
the main focus so far has been hardening your systems, we haven’t secured the actual network
traffic—that is, the packets of data as they travel along the network wire—until now.
Internet Protocol security (IPSec) is a set of open, non-proprietary standards that you can use
to secure data as it travels across the network or the Internet. Many operating systems and
devices support IPSec such as Windows 2000, Windows XP, NetWare 6, Solaris 9, and routers.
While IPSec is an industry standard, it is implemented differently in the various operating
systems.

For the current state of IPSec and to view all the RFCs that describe IPSec technologies, see the Internet Engi-
neering Task Force Web site at www.ietf.org/html.charters/ipsec-charter.html.

IPSec can protect your network communication in several ways:

156 Security+ A CompTIA Certification


• IPSec provides data authenticity and integrity by authenticating the computers that
transmit data to one another and by attaching a keyed hash to every packet, so a forged or
modified packet is detected and dropped. In this way, IPSec can defeat IP spoofing and
man-in-the-middle attacks against protected traffic.
• IPSec provides anti-replay protection by using a per-packet sequence number that the
receiver tracks in a sliding window. Packets captured on the wire can't be replayed later to
be used to gain unauthorized access to your network.
• IPSec provides data-origin authentication: the receiver can verify that a packet came from
the computer it negotiated the session with. (Strictly speaking, this is not non-repudiation
in the digital-signature sense, because the hash keys are shared by both peers and either
one could have produced the packet.)
• IPSec protects against eavesdropping and sniffing by providing data encryption mecha-
nisms that encrypt the payload as it travels across the network.
While IPSec can’t always protect against every attack, as you’ll see in the coming sections,
IPSec is a highly effective way to secure your network traffic through the use of authentication
and encryption. How does IPSec protect against such a variety of attacks? Through an array of
protocols and services, which we’ll begin to examine next.

Data Integrity and Encryption in IPSec


Remember that IPSec is an important security tool because it provides data integrity and
encryption. The first of these properties, data integrity, is provided by using message digests.
IPSec uses hashed message authentication codes (HMACs), keyed hashes computed over each
packet with a key that only the two peers know, to verify data integrity, which means that it
guarantees that the data sent from one computer in a two-computer (end-to-end) session is the
same data that arrives at the receiving computer on the other end. IPSec can use one of two
hashing algorithms inside the HMAC to provide data integrity: MD5 or SHA-1 (negotiated as
HMAC-MD5 or HMAC-SHA-1).

Because of the high level of encryption, Windows 2000 and Windows XP systems must have the high encryption
pack installed to use 3DES. In addition, because of its strong level of encryption, 3DES is one of those technolo-
gies that may not be available for export to some countries outside North America. See www.microsoft.com/
windows2000/downloads/recommended/encryption/default.asp and www.bxa.doc.gov/Default.htm for more
information.

The second of these properties, encryption, is provided by one of two encryption algorithms,
DES or 3DES.
• DES is a symmetric encryption algorithm that encrypts data in 64-bit blocks using what
appears to be a 64-bit key. In fact it has only the strength of a 56-bit key, because one bit
of each byte is a parity bit: only seven bits of each of the eight key bytes are used by DES,
which results in an effective key length of 56 bits. A 56-bit key is within reach of a brute-
force search, which is why DES alone is no longer considered adequate for sensitive traffic.
• 3DES (Triple DES) is a symmetric encryption algorithm that runs DES three times on each
block. In the encrypt-decrypt-encrypt (EDE) form used by IPSec, it first encrypts the plain
text with one key, then decrypts that ciphertext with a second key, and last encrypts the
result with a third key; the decrypt step in the middle is what lets 3DES with all three keys
equal interoperate with plain DES. With three independent keys 3DES provides roughly 112
bits of effective strength, at three times the processing cost of DES.
Depending on how you configure IPSec, you can use message digests, data encryption, or
both.

IPSec Transport Protocols


IPSec uses two transport protocols, Authentication Header protocol and Encapsulating Security
Payload protocol. While they’re similar in function, they use different methods to protect data,
and depending on how you implement IPSec policies in your enterprise, you can use one or
both of these protocols at the same time.




Figure 4-1: AH packets.


• Authentication Header (AH) protocol provides data integrity and data-origin authentication
through the use of HMAC-MD5 or HMAC-SHA-1. AH takes an IP packet, computes the keyed
hash over the IP header, the AH header and the data payload, and then inserts its own header
into the packet, as depicted in Figure 4-1. The IP header fields that routers legitimately change
in transit (such as the TTL and header checksum) are set to zero before hashing, but the source
and destination addresses are covered, which is why AH traffic cannot pass through a NAT
device. In transport mode the AH header is inserted into the packet behind the original IP
header but ahead of the TCP or UDP header and ahead of the header inserted by the Encapsu-
lating Security Payload protocol (if you're using AH and ESP together). Among other things,
the AH header consists of the Security Parameters Index (SPI), the sequence number of the
packet, and the hash data, known as the Integrity Check Value (ICV). (The SPI identifies
which security association, and therefore which keys, the receiver should use for this packet.)
The computer on the other end receives the IP packet, recalculates the hash value with its copy
of the key, and compares it to the value in the AH header to verify the integrity of the packet.
If the values don't match, the packet is dropped. AH never encrypts anything; it is an
integrity-only protocol.
• The other IPSec transport protocol is the Encapsulating Security Payload (ESP) protocol,
which provides data confidentiality (encryption) using one of the two encryption algorithms,
DES or 3DES, and optionally data integrity. Like AH, ESP uses HMAC-MD5 or HMAC-SHA-1,
but the ESP hash covers only the ESP header, the (encrypted) payload and the ESP trailer,
not the outer IP header, and the result is placed in the ESP authentication data at the end of
the packet instead of in the ESP header, which contains the packet's sequence number and the
SPI. The ESP header is inserted behind the IP header and the AH header (if there is one) but
before the IP payload. You can see how ESP signs an IP packet in Figure 4-2. After the
payload, you'll find the ESP trailer, which contains padding (required to fill the cipher's last
block), the pad-length field and the next-header field, followed by the ESP authentication
data, where you'll find the hash for verifying data integrity. ESP encrypts the payload and the
trailer, not the headers, in IPSec's transport mode. Because ESP's hash does not cover the
outer IP header, ESP can tolerate address translation where AH cannot, and because the
original protocol and port numbers are inside the encrypted payload, a packet sniffer sees only
ESP on the wire.
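The following Python script is an added example, not the manual's code and not the Windows IPSec driver, showing the receiver-side checks behind the AH and ESP descriptions above and the anti-replay bullet earlier in this topic: a 96-bit truncated HMAC-SHA-1 ICV (the HMAC-SHA-1-96 size IPSec specifies), the RFC 2401 64-packet sliding replay window, and the ESP layout of header, encrypted payload plus trailer, and trailing ICV. The packet layout is simplified (no real IP header), the SA keys and payloads are constructed, and the ESP encryption is an HMAC-based counter-mode keystream standing in for DES-CBC, which is an assumption; the check logic is what the example is about.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12   # 96-bit truncated HMAC, as HMAC-MD5-96 and HMAC-SHA-1-96 use in IPSec
WINDOW = 64    # anti-replay window size (the RFC 2401 minimum)

def icv(auth_key: bytes, data: bytes) -> bytes:
    return hmac.new(auth_key, data, hashlib.sha1).digest()[:ICV_LEN]

def keystream(enc_key: bytes, spi: int, seq: int, n: int) -> bytes:
    # Stand-in for DES/3DES-CBC (assumption): HMAC-SHA-1 in counter mode, keyed per SA and packet.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha1).digest()
        ctr += 1
    return out[:n]

def ah_protect(auth_key, spi, seq, payload):
    """AH: [SPI][seq][ICV][payload]. The ICV covers the AH header and the payload."""
    hdr = struct.pack("!II", spi, seq)
    return hdr + icv(auth_key, hdr + payload) + payload

def esp_protect(enc_key, auth_key, spi, seq, payload, next_header=6):
    """ESP: [SPI][seq][encrypted payload + trailer][ICV]. The ICV covers everything
    before it but not the outer IP header; the trailer pads to the cipher block size."""
    pad_len = (-(len(payload) + 2)) % 8
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    plain = payload + trailer
    hdr = struct.pack("!II", spi, seq)
    body = bytes(a ^ b for a, b in zip(plain, keystream(enc_key, spi, seq, len(plain))))
    return hdr + body + icv(auth_key, hdr + body)

class InboundSA:
    """Receiver-side state for one SA: keys plus the sliding anti-replay window."""

    def __init__(self, auth_key, enc_key=None):
        self.auth_key, self.enc_key = auth_key, enc_key
        self.highest, self.bitmap = 0, 0   # highest seq accepted, bitmap of the WINDOW below it

    def _seen(self, seq):
        if seq == 0 or seq <= self.highest - WINDOW:
            return True                    # seq 0 is never valid; too old to track counts as a replay
        return seq <= self.highest and bool((self.bitmap >> (self.highest - seq)) & 1)

    def _mark(self, seq):
        if seq > self.highest:
            self.bitmap = ((self.bitmap << (seq - self.highest)) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def receive(self, packet, esp=False):
        spi, seq = struct.unpack("!II", packet[:8])
        if self._seen(seq):
            return "drop: replay", None    # cheap check first, before any crypto
        if esp:
            body, mac, covered = packet[8:-ICV_LEN], packet[-ICV_LEN:], packet[:-ICV_LEN]
        else:
            mac, body = packet[8:8 + ICV_LEN], packet[8 + ICV_LEN:]
            covered = packet[:8] + body
        if not hmac.compare_digest(mac, icv(self.auth_key, covered)):
            return "drop: bad ICV", None   # the window is only advanced for authenticated packets
        self._mark(seq)
        if esp:
            plain = bytes(a ^ b for a, b in zip(body, keystream(self.enc_key, spi, seq, len(body))))
            body = plain[:len(plain) - 2 - plain[-2]]   # strip the trailer using its pad-length field
        return "accept", body

def demo():
    auth, enc = b"auth-key", b"enc-key"                  # constructed SA keys
    sa_ah, sa_esp = InboundSA(auth), InboundSA(auth, enc)
    results = []
    p1 = ah_protect(auth, 0x1000, 1, b"GET /secret")
    results.append(sa_ah.receive(p1)[0])                 # genuine packet
    results.append(sa_ah.receive(p1)[0])                 # the same packet captured and resent
    p2 = bytearray(ah_protect(auth, 0x1000, 2, b"GET /secret"))
    p2[-1] ^= 0x01                                       # one payload bit flipped in transit
    results.append(sa_ah.receive(bytes(p2))[0])
    results.append(sa_ah.receive(ah_protect(auth, 0x1000, 5, b"x"))[0])   # arrives early
    results.append(sa_ah.receive(ah_protect(auth, 0x1000, 3, b"x"))[0])   # late, inside the window
    e = esp_protect(enc, auth, 0x2000, 1, b"password=hunter2")
    status, plain = sa_esp.receive(e, esp=True)
    results.append(status)
    return results, plain, e

if __name__ == "__main__":
    print(demo())
```

Two details worth copying into any real implementation: the replay check runs before the HMAC so an attacker cannot burn CPU with replays, and the window is only advanced after the ICV verifies, so a forged packet with a high sequence number cannot push genuine in-flight packets out of the window.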

Figure 4-2: ESP packets.



Internet Key Exchange
Along with the algorithms that are used to verify data integrity, IPSec uses the Internet Key
Exchange (IKE) protocol to create a master key, which in turn is used to generate the bulk
encryption and integrity keys for protecting data. (IKE is the newer name for the combination
of the Internet Security Association and Key Management Protocol framework and the Oakley
key-determination protocol, usually seen as ISAKMP/Oakley; IKE runs over UDP port 500.)
The computers involved in the secured communication never exchange the master key. Instead,
the Diffie-Hellman (DH) algorithm is used by each computer to derive the same master key
from values that can safely cross the network. Using DH, the computers agree on a DH group,
which fixes a large prime number and a generator; each computer then picks a random secret
value, raises the generator to that secret (modulo the prime) and sends the result, its public
value, to the other side. Each computer raises the public value it received to its own secret
value, and the two results are identical: that shared secret, combined with the nonces the
computers exchange during Phase 1, becomes the master key. Because no other computer
knows either secret value, an attacker who captures both public values still cannot compute
the shared secret.
Different DH groups provide different levels of strength through varying sizes of the prime
number that the computers use to begin the key generation process. The higher a DH group
number, the larger the prime and the stronger the generated key (group 1 uses a 768-bit prime
and group 2 a 1024-bit prime). The DH group on both computers involved in the communica-
tion session must match in order for the keying to be successful; otherwise the Phase 1 pro-
posal is rejected before any keys are generated.
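As an added example (not the manual's code, and not a Windows IKE implementation), the following Python script plays both sides of the exchange just described: each peer keeps its secret, sends only its public value and a nonce, and derives the master key in the pre-shared-key style IKE uses (SKEYID = prf(pre-shared key, Ni | Nr), then a key derived from SKEYID and the DH shared secret). It also shows the two ways Phase 1 fails: mismatched DH groups, which are rejected before any DH math, and mismatched pre-shared keys, which yield different keys on each side. The DH groups are toy groups built on Mersenne primes so the example runs instantly; real IKE groups use 768-bit and larger primes, and the group parameters, key names and pre-shared keys here are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Toy DH groups (assumption): small Mersenne primes with generator 3 keep the example fast.
# IKE's real groups are 768-bit (group 1), 1024-bit (group 2) and larger MODP primes.
GROUPS = {
    "toy-127": (2**127 - 1, 3),
    "toy-89": (2**89 - 1, 3),
}

class Peer:
    def __init__(self, group: str):
        self.p, self.g = GROUPS[group]
        self.secret = secrets.randbelow(self.p - 2) + 1   # private DH value, never transmitted
        self.nonce = secrets.token_bytes(16)               # Ni or Nr, sent in the clear

    def public(self) -> int:
        return pow(self.g, self.secret, self.p)            # g^x mod p, sent to the peer

    def master_key(self, peer_public: int, ni: bytes, nr: bytes, psk: bytes) -> bytes:
        shared = pow(peer_public, self.secret, self.p).to_bytes(16, "big")   # g^xy mod p
        # IKE pre-shared-key mode: SKEYID = prf(psk, Ni | Nr); derived keys then mix in g^xy
        skeyid = hmac.new(psk, ni + nr, hashlib.sha1).digest()
        return hmac.new(skeyid, shared, hashlib.sha1).digest()   # simplified SKEYID_d

def shared_secret_matches(group: str) -> bool:
    # Both sides compute g^xy from different inputs and reach the same number.
    a, b = Peer(group), Peer(group)
    return pow(b.public(), a.secret, a.p) == pow(a.public(), b.secret, b.p)

def negotiate(init_group, resp_group, init_psk, resp_psk) -> str:
    if init_group != resp_group:
        return "phase 1 failed: no matching DH group"       # proposal rejected, no DH performed
    init, resp = Peer(init_group), Peer(resp_group)
    # On the wire: two public values and two nonces. Secrets and keys never leave their host.
    k_init = init.master_key(resp.public(), init.nonce, resp.nonce, init_psk)
    k_resp = resp.master_key(init.public(), init.nonce, resp.nonce, resp_psk)
    if not hmac.compare_digest(k_init, k_resp):
        return "phase 1 failed: authentication"             # in IKE the HASH_I/HASH_R check fails
    return "phase 1 SA established"

if __name__ == "__main__":
    print(negotiate("toy-127", "toy-127", b"bogus123", b"bogus123"))
    print(negotiate("toy-127", "toy-89", b"bogus123", b"bogus123"))
    print(negotiate("toy-127", "toy-127", b"bogus123", b"Bogus123"))
```

The third call is the failure you will see most often in practice: a pre-shared key that differs by one character (case included) produces a Phase 1 authentication failure, not an obvious "wrong password" error, because the peers never compare the key directly, only the hashes derived from it.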

IPSec Security Associations


A security association (SA) is the negotiated relationship between two computers using IPSec.
SAs are the result of the two-stage negotiation process. These stages are known as Phase 1 and
Phase 2. The Phase 1 SA is the agreement between the computers on how communication will
take place (authentication, encryption, master key generation). The resulting Phase 1 SA is a
bi-directional relationship. Think of this first SA as the agreement to communicate—the com-
puters have established a secure channel over which to send data.

Figure 4-3: Security associations.


Phase 2 produces two one-way SAs on each computer: one inbound SA and one outbound SA.
The Phase 2 SA is used for the actual transmission of data. Where the first SA was the agree-
ment to communicate, this SA is the actual communication.
A computer may have several Phase 1 and Phase 2 SAs with a variety of computers: think
about a popular file server in your network that can have any number of users connected to it
at any given time. A Phase 1 SA persists for a configurable lifetime (set in the policy's key
exchange settings), which allows two computers to establish multiple Phase 2 SAs, re-keying
the data traffic as needed, without having to start from scratch with a Phase 1 negotiation. You
can configure both SA lifetimes for a longer or shorter duration; shorter lifetimes limit how
much traffic any one key protects.



Windows 2000 and Windows XP IPSec Policy
Agent
The IPSec Policy Agent is a service that runs on each Windows 2000 Server, Windows 2000
Professional, and Windows XP Professional computer, where it’s displayed as the IPSEC Ser-
vices service. The IPSec Policy Agent starts when the system starts and checks Active
Directory for IPSec policy for computers that are members of a domain. If the computer isn’t a
domain member, then the IPSec Policy Agent checks the Registry for local IPSec policy. When
it finds IPSec policy information, it transfers that information to the IPSec driver. The IPSec
Policy Agent checks for policy information at system startup and at regular, configurable
intervals.

Windows 2000 and Windows XP IPSec Driver


After the IPSec Policy Agent gathers the IPSec policy to be applied to the computer, the IPSec
driver has the responsibility for implementing that policy. Based on policy requirements, the
IPSec driver watches packets being sent and received to determine if the packets need to be
signed and encrypted. If the IPSec driver determines that packets need to be signed and
encrypted (outbound) or verified and decrypted (inbound), it is responsible for managing those
services using the various IPSec components described previously. You might see this driver
called the IPSec security driver in Windows XP Professional.

Default IPSec Policies in Windows 2000 and


Windows XP
Now that you have some of the basics of IPSec under your belt, it’s time to take a look at how
all this is implemented in Windows 2000 and Windows XP. Like other security features, IPSec
can be deployed through Group Policy. And like many other security settings in Group Policy,
IPSec policies are applied to the computer, not the user, and all the normal Group Policy rules
apply.
As you can imagine, because there are so many configurable settings in IPSec policies, they
could be difficult to create from scratch for a beginner or even an experienced administrator
who’s unfamiliar with IPSec. Luckily, there are three default IPSec policies that you can use as
a starting point. And while these default policies do exist, they have not been assigned, which
in IPSec terms means the settings have not been applied. You must explicitly assign IPSec
policies if you want to apply their settings. The Windows 2000 and Windows XP default IPSec
policies are:
• Client (Respond Only)—This policy allows the computer to communicate normally until
another computer requests security. The computer will then use the default response rule
to negotiate a secure session.
• Secure Server (Require Security)—This policy requires the computer to require secure
communications at all times. The computer will not communicate with another computer
that can’t negotiate a secure session.
• Server (Request Security)—This policy requests negotiations for a secure session but will
communicate with a computer that does not respond to the request.
It’s important to understand that IPSec policies are meant to work in pairs, meaning that IPSec
policies must be assigned to each computer you want to use IPSec to secure communications.
For example, simply assigning an IPSec policy to a file server or client separately will not
work; you must assign an IPSec policy to the client and the file server if you want them to
communicate using a secure session. If you don't deploy policies in pairs, you're not going to
get the security you’re looking for, and you might even end up isolating some of your systems
from the rest of the network. So with those caveats in mind, let’s take a look at the default
settings and see how all the IPSec components you’ve learned about so far are implemented in
Windows 2000.
IPSec policies are composed of rules. A rule has five components:
• IP filter, shown in Figure 4-4, which describes the specific protocol, port, and source com-
puter or destination computer to which the rule should apply. An outgoing or incoming
packet that matches an IP filter triggers a filter action. Remember, it’s the IPSec driver
that matches IP filters to IP packets, and you can have only one IP filter selected in the
list at one time.
• Filter action, which is the action the IPSec driver should take when it encounters a packet
that matches an IP filter. The choices are Permit, Request Security (Optional), and Require
Security, as shown in Figure 4-5.
• Authentication method, which is the method for establishing a trust relationship as part of
the Phase 1 SA. The three choices are Kerberos, a certificate, or a pre-shared key that you
create. All computers must enter an identical pre-shared key.
• Tunnel setting, which allows you to configure the computer to create a tunnel to another
computer.
• Connection type, which lets you specify the network connection to which this rule
applies. The three choices are all network connections, only the Local Area Network, or
only remote access connections.

Figure 4-4: IP filter list.




Figure 4-5: Filter actions.

Figure 4-6: IPSec policy rules.



There are multiple rules in each default policy, as you can see in Figure 4-6, and it’s the
default Dynamic rule that you can use to set the authentication and encryption methods we
examined earlier and configure the manner in which a computer will negotiate secure
communications. All rules that are checked in a default policy are applied.

ACTIVITY 4-1
Investigating the Default IPSec Policies
Scenario:
You are the security administrator for an organization called MilTrack that does consulting for
military personnel. As the organization begins the process of adopting a security policy, you’ve
been asked some questions about a report you submitted detailing the default IPSec policies in
Windows 2000 and Windows XP.

What You Do                                How You Do It

1. Why use IPSec? Why isn't it enough to harden the servers and the client computers?

2. In Windows 2000, display the default IPSec policies.
   a. From the Administrative Tools menu, choose Domain Controller Security Policy.
   b. If necessary, expand Security Settings and select IP Security Policies.

3. If you want a Windows 2000 server to request negotiations for a secure session but still
   communicate with a computer that does not respond to the request, you would use
   the ________ default IPSec policy.

4. If you want a Windows 2000 server to require secure communications at all times and
   not communicate with another computer that can't negotiate a secure session, you
   would use the ________ default IPSec policy.

5. Display the Server default IPSec policy and open the All IP Traffic rule.
   a. Double-click the Server (Request Security) policy.
   b. In the list of security rules, double-click All IP Traffic.

6. How are the five components of the rule displayed?



7. Match the component with its description.
IP filter a. Defines the action the IPSec driver
should take when it encounters a
packet that matches an IP filter.
Filter action b. Describes the specific protocol, port,
and source computer or destination
computer to which the rule should
apply.
Authentication method c. Allows you to configure the computer
to create a tunnel to another
computer.
Tunnel setting d. Lets you specify the network connec-
tion to which this rule applies.
Connection type e. Establishes a trust relationship as part
of the Phase 1 SA.

8. If you choose to use a pre-shared key as the authentication method, which characters
must the key contain?

9. True or False? You must explicitly assign a policy to a computer to apply its
settings to that computer.

10. What would happen if you had a Secure Server policy assigned to a Windows 2000
server but no Client policies assigned to the Windows XP computers in the network?

11. Close all windows.
    a. Click Cancel in the Edit Rule Properties dialog box.
    b. Click Cancel in the Server (Request Security) Properties dialog box.
    c. Close Domain Controller Security Policy.

Windows XP IPSec Tools


Windows XP Professional includes a new snap-in called IP Security Monitor that you can add
to a custom MMC console. You can use the monitor to focus on a computer and monitor the
IPSec implementation for that computer. You can use IP Security Monitor to view a wide vari-
ety of IPSec statistics, including data on SA negotiations, IPSec driver workload, key
generation, and the amount of data transferred using IPSec.
Windows XP also includes a snap-in called IP Security Policy Management. This snap-in con-
tains the default IPSec policies in their own snap-in so you can add them to a custom MMC
instead of accessing the policies in Local Security Policy.



ACTIVITY 4-2
Installing IP Security Snap-ins
Scenario:
Before you can begin MilTrack’s IPSec implementation, you need to install the Windows XP
IPSec tools on your Windows XP computer. After installation is complete, you’re looking to
begin IPSec implementation on all your Windows XP computers and Windows 2000 servers.

What You Do                                How You Do It

1. Reboot the computer into Windows XP Professional.
   a. Restart the computer and choose Windows XP Professional from the boot loader menu.
   b. Log on as Administrator with a password of !Pass1234.

2. Create a custom MMC console containing IP Security Policy Management and IP Security Monitor.
   a. From the Start menu, choose Run.
   b. Enter mmc and click OK.
   c. Maximize the Console1 and Console Root windows.
   d. Choose File→Add/Remove Snap-in.
   e. Click Add.
   f. In the Available Standalone Snap-ins list, select IP Security Monitor and click Add.
   g. Select IP Security Policy Management and click Add.
   h. In the Select Computer Or Domain dialog box, verify that Local Computer is selected and click Finish.
   i. Click Close to close the Add Standalone Snap-in dialog box.
   j. Click OK to close the Add/Remove Snap-in dialog box.
   k. Choose File→Save As.
   l. Enter IPSec Management as the file name.
   m. Click Save to save the console to the default location.

3. Why are there Server and Secure Server policies on a Windows XP computer?

Secure Network Traffic Using IPSec


Procedure Reference: Secure Network Traffic Using IPSec
To secure network traffic using IPSec:
1. Create an appropriate IPSec policy or identify an appropriate default policy. In
Windows 2000 or Windows XP, for maximum security, choose Secure Server
(Require Security). To modify an existing policy:



a. Open IP Security Policy Management or Local Security Policy and display
the default IPSec policies.
b. Right-click the appropriate security policy and choose Properties.
c. In the Properties dialog box, modify the policy according to your security
policy guidelines.
2. Deploy the IPSec policy by assigning it to the appropriate computers. In a Win-
dows environment, you can automate this procedure by using Group Policy.

To deploy IPSec policies on the local computer, right-click the policy you want to
assign and choose Assign.

To deploy IPSec policies using Group Policy, assign the appropriate IPSec policy
at the site, domain, or OU level.
3. Test IPSec communications to verify that only secured hosts can communicate
with each other.
4. Verify that communications are secure by examining network data with a packet
analyzer such as Network Monitor or, in Windows environments, the Windows IP
Security Monitor MMC snap-in. To verify communications using Windows IP
Security Monitor:
a. In Windows IP Security Monitor, expand your computer object.
b. Expand the Main Mode folder and select the Security Associations folder.
c. Right-click the security association object and choose Properties to see the
authentication mode as well as the encryption and data integrity algorithms
negotiated for the security association.

ACTIVITY 4-3
Securing Network Traffic Using IPSec
Scenario:
Most of MilTrack’s consulting is done on site at military bases throughout the world, and it is
your responsibility to set up Windows XP computers in each site, so that consultants can fill
out background check applications and send them to a security officer for review. The consult-
ants fill out applications while sitting at an available Windows XP system in an isolated
workgroup. The data is then transferred to the security officer’s Windows XP computer so that
she can review it before sending it to the government for final approval. The consultants will
then be granted or denied the appropriate clearance to enter the military installations. In the
past, MilTrack had consultants sit at the security officer’s computer and fill out the forms;
however, this created a backlog of consultants waiting to use her computer. You now want to
use additional isolated computers in your workgroup and transfer data securely between the
computers using IPSec. The first workgroup you will secure by using IPSec contains two com-
puters, your computer and the other Client# computer.



The IT department has designed a security deployment plan for all new systems, including the
Windows XP Professional desktops, and you as the security administrator need to make sure
the plan is implemented. Part of the plan requires that confidential data be encrypted across the
network using IPSec. Because you do not have Kerberos-based authentication in your
workgroup, or have a Certificate Authority available at the various military sites, IPSec secu-
rity will be based on the use of pre-shared keys. For your implementation of IPSec, you will
use a pre-shared key of bogus123.



What You Do                                How You Do It

1. Modify the appropriate IPSec policy for your computer to use a pre-shared key of bogus123.
   Enter the key exactly as it appears here. Pre-shared keys are case-sensitive, and both
   computers must enter an identical string or Phase 1 authentication will fail.
   a. In the console tree pane, select IP Security Policies On Local Computer.
   b. In the details pane, right-click the Secure Server (Require Security) policy and choose Properties.
   c. In the IP Filter List, select the All IP Traffic filter but do not uncheck the check box.
   d. Click Edit.
   e. Select the Authentication Methods tab.
   f. Click Add.
   g. Select Use This String (Preshared Key).
   h. In the Use This String text box, type bogus123.
   i. Click OK.
   j. In the Authentication Method Preference Order list, select Preshared Key and click Move Up.
      Preshared Key should now be first in the list.
   k. Click OK.
   l. Click Close.

2. Assign the policy.
   After you assign the policy, you need to wait for your partner before proceeding to the
   next step.
   a. Right-click the Secure Server (Require Security) policy and choose Assign. The Policy
      Assigned value for the Secure Server policy should be Yes.

3. Verify that you can connect to your partner's computer using IPSec security.
   a. Open a command prompt window.
   b. Enter ping client#, where # is your partner's computer number.
   c. After you receive four successful replies, close the command prompt window. The first
      reply or two may show Negotiating IP Security while the Phase 1 and Phase 2 SAs are
      being built; repeat the ping if necessary.

4. Verify that you have an IPSec Security Association with your partner.
   You might have security associations with other computers as well, due to network
   browser broadcast traffic.
   a. In the Tree pane of the IPSec Management console window, expand IP Security Monitor
      and expand your computer object. Your computer object should appear with a green
      upward-pointing arrow.
   b. Expand the Main Mode folder and select the Security Associations folder. In the right
      pane, you should see a security association between your IP address and your partner's
      IP address.
   c. Right-click the security association object and choose Properties. You can see the
      authentication mode (preshared key) as well as the encryption and data integrity
      algorithms negotiated for this security association.
   d. Click Cancel to close the property sheet.
   e. Close IPSec Management. You do not need to save console settings.

TOPIC B
Secure Wireless Traffic
Another reason why you might need to implement specialized network security is because of a
particular type of networking technology that you are incorporating in your LAN. Wireless
networking is becoming more and more prevalent in all types of LAN environments, and wire-
less devices and protocols pose their own security challenges. In this topic, you’ll learn to
secure traffic over wireless LAN connections.
Wireless networking has become more and more popular because of the mobility it gives to
network users, and the simplicity of connecting components to a LAN. However, that very
simplicity creates security problems: the radio signal does not stop at your walls, so any
attacker within range with a laptop and a wireless network adapter can attempt to attach to
your wireless LAN without ever setting foot in the building, and once an attacker's on your
network, you have trouble. If you know the right security procedures, you can provide the
convenience of wireless connections to your users without compromising network security.

Wireless Protocols
Just as wired devices on a network use protocols to communicate, so do wireless devices.
Listed in the following table are the most common wireless protocols today.




Figure 4-7: Wireless protocols.

Protocol                                Description
Wireless Application Protocol (WAP)     A protocol that's used to transmit data to and from wireless devices such as cell phones, PDAs, and handheld computers, sometimes over very long distances, to be displayed on small screens. You can use WAP to transmit Web pages (using Wireless Markup Language, WML), email, and newsgroups. WAP is an industry standard developed by companies such as Ericsson, Motorola, and Nokia. WAP has five layers: Wireless Application Environment (WAE), Wireless Session Protocol (WSP), Wireless Transaction Protocol (WTP), Wireless Transport Layer Security (WTLS), and the Wireless Datagram Protocol (WDP).
802.11b                                 802.11b (marketed under the Wi-Fi brand) is probably the most common and certainly the least expensive wireless network protocol used to transfer data among computers with wireless network cards or between a wireless computer or device and a wired LAN. 802.11b provides for an 11 Mbps transfer rate in the 2.4 GHz band. (Some vendors, such as D-Link, have increased the rate on their devices to 22 Mbps with proprietary extensions.) 802.11b has a range of up to 1000 feet in an open area and a range of 200 to 400 feet in an enclosed space (where walls might hamper the signal).
802.11a                                 802.11a is a more expensive but faster protocol for wireless communication than 802.11b. 802.11a supports speeds up to 54 Mbps in the 5 GHz band. Unfortunately that blazing speed has a limited range of only about 60 feet, which, depending on how you arrange your access points, could severely limit user mobility. Although faster, and less crowded because fewer devices use the 5 GHz band, 802.11a isn't as widely deployed as 802.11b, and it offers no security advantage over it: both rely on the same WEP encryption described below.




Mobile Device Vulnerabilities


Although they are not stationary and not connected permanently to a network, mobile devices
share some of the same vulnerabilities as the computers and devices that are permanently con-
nected to a LAN. And, of course, they have some unique vulnerabilities. Some examples of
both are included in the following table.

Vulnerability Description
Data stored in plaintext Often, users store personal and confidential information (for
example, Social Security numbers, medical information, credit
card numbers) on their handheld devices using a built-in text
editing application or the device’s contact manager (Palm
Databook or Microsoft Pocket Outlook). These contact managers
do not store their information in an encrypted format. Palm OS
permits the user to specify records as Private, but this is not an
encrypted format and is easily accessible by an attacker familiar
with the inner workings of the operating system, which means
much of this data is accessible to crackers who have either stolen
or temporarily borrowed a device.
Viruses While there are currently few viruses and Trojans that affect
handheld devices, they do exist. In fact, Symantec distributes a
version of its antivirus software for Palm OS. Like other viruses,
those that affect handheld devices cause trouble typically by
deleting or corrupting data.
Buffer overflows As with desktop and server applications, it’s also possible for
applications on handheld devices to be vulnerable to buffer over-
flows, which may cause the device operating system to crash or
reboot, and may also cause the loss of data or execution of rogue
code on devices.
SSL on WAP Many WAP gateways, through which WAP data travels between
the Web server and the handheld device, have been found to
have an SSL vulnerability. These gateways may not check the
validity of the SSL certificate used for data encryption, which
may allow rogue sites to capture personal and financial informa-
tion without the user’s knowledge.
Lack of authentication By default, many wireless access points (APs) will accept com-
munications from just about any wireless device. While this
might seem ideal because it means easy access to network
resources without a lot of configuration, it also creates the perfect
opportunity for the wrong people to get into your network, mak-
ing wardriving a very real threat.



Wired Equivalent Privacy (WEP)          WEP provides encryption for 802.11a and 802.11b traffic using the Rivest Cipher 4 (RC4) stream cipher. The advertised key sizes of 64 bits and 128 bits (and vendor-specific 256-bit variants) include a 24-bit initialization vector (IV) that is sent in the clear with every frame, so the secret part of the key is really only 40 or 104 bits. While WEP might sound at first like a good solution, ironically WEP isn't as secure as it should be. The problem stems from the way WEP builds the per-frame RC4 key, by simply prepending the IV to the shared key. Because of a flaw in RC4's key scheduling, certain "weak" IVs leak information about the secret key, so attackers can recover the WEP key itself after capturing (with a tool such as AirSnort) and analyzing as little as 10 MB of data transferred through the air. The short IV also means keystreams are reused, and the CRC-32 integrity check is linear, so individual frames can be decrypted and altered without knowing the key. So while WEP is the only encryption built into 802.11 for now, until the release of newer versions of the 802.11 security standard, it isn't a strong one.
Wireless Transport Layer Security (WTLS) WTLS is the security layer of WAP and is the wireless equivalent of TLS in wired networks. WTLS is fast becoming the de facto security standard for WAP communications. While in most cases WTLS is meant to provide secure WAP communications, if it's improperly configured or implemented, it can expose wireless devices to attacks that include email forgery and sniffing data that's been sent in plain text.

Some experts believe that wireless communication is inherently insecure and that there isn’t currently any practical way of really securing it.

Wireless Security Methods

And just as there are methods for securing wired communication on a LAN, there are methods and protocols to secure wireless communication. The following table describes some of the common methods for securing wireless communication.

Keep sensitive data private: Don’t include any data on a wireless device, such as a PDA, that you’re not willing to lose if the device is lost or stolen.
Antivirus software: If it’s available for your specific device and OS, antivirus software can be just as important on a wireless device as it is on a computer.
Software updates: Updated software not only provides additional functionality but can also close security holes in wireless devices.
WTLS: Again, like WEP, WTLS has its flaws, but properly configured it does provide a layer of security for WAP communications.
Authentication and access control: Because many wireless access points will accept connections from any devices using a compatible protocol, there must be a way to filter unwanted network traffic, from a scheming attacker or even the guy across the street in the coffee shop. There are several methods for authentication and access control, from MAC address filtering to authenticating users against a directory service such as Active Directory or NDS.

802.1x: Used to provide a port-based authentication mechanism for wireless communications using the 802.11a and 802.11b protocols. 802.1x uses EAP to provide user authentication against a directory service.
WEP: While WEP has its flaws, it does provide some measure of protection from all but the most determined attackers.

Secure Wireless Traffic


Procedure Reference: Secure a Wireless Router
To secure wireless traffic:
1. Keep the software on your wireless router up to date.
2. Enable 802.1x to authenticate wireless clients.
3. Enable WTLS to provide authentication and privacy for your wireless communications.
4. Enable MAC filtering on your wireless routers to prevent unauthorized clients from connecting to the network.
   a. Open the properties of your router.
   b. Configure your router to only accept connections from computers with specified MAC addresses.
   c. Add the MAC addresses of the computers you want to connect to the wireless router to its properties.
5. Configure and enable data encryption with WEP to prevent data theft. To configure your wireless router and wireless network card to use WEP:
   a. Open the properties of your router.
   b. Enable WEP and select an encryption level. Configure an encryption key.
   c. Enable WEP on your wireless network card and select an encryption level. Configure an encryption key.
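The key you type for step 5 must match the encryption level you selected, and it is shorter than the advertised level because WEP reserves 24 bits for the per-frame initialization vector (which is why Activity 4-4 calls for 58 hex characters at 256 bits). The following checker is an added example, not code from the manual or from D-Link; it assumes the three levels the manual lists and flags a repeated-digit key such as all 5s as weak.

```python
"""Validate a WEP key against the encryption level selected on the router.

Added example for this lesson (not from the manual or D-Link). WEP reserves
24 bits of each level for the initialization vector (IV), so the configured
key is 24 bits shorter than the level name suggests:
  64-bit WEP  -> 40-bit key  -> 10 hex digits
  128-bit WEP -> 104-bit key -> 26 hex digits
  256-bit WEP -> 232-bit key -> 58 hex digits (the count Activity 4-4 uses)
"""
import secrets
import string

IV_BITS = 24
WEP_LEVELS = (64, 128, 256)   # the levels this manual describes


def hex_digits_for_level(level: int) -> int:
    """Number of hex digits the router expects for a given WEP level."""
    if level not in WEP_LEVELS:
        raise ValueError(f"unsupported WEP level: {level}-bit")
    return (level - IV_BITS) // 4


def check_wep_key(level: int, key: str) -> list:
    """Return findings for a key; an empty list means it is well-formed
    and not obviously weak."""
    findings = []
    expected = hex_digits_for_level(level)
    if len(key) != expected:
        findings.append(
            f"length is {len(key)} hex digits, {level}-bit WEP needs {expected}")
    if any(ch not in string.hexdigits for ch in key):
        findings.append("key contains characters that are not hexadecimal digits")
    if key and len(set(key.lower())) == 1:
        # An all-5s key is fine for the simulation but trivially
        # guessable on a live network (see the activity's note).
        findings.append("key repeats a single digit; use random digits instead")
    return findings


def random_wep_key(level: int) -> str:
    """Generate a key of the right length from the OS CSPRNG, upper-case hex."""
    digits = hex_digits_for_level(level)
    # token_hex returns two hex digits per byte; 10, 26 and 58 are all even.
    return secrets.token_hex(digits // 2).upper()


if __name__ == "__main__":
    samples = ((256, "5" * 58), (256, "5" * 38), (128, random_wep_key(128)))
    for level, key in samples:
        print(level, key[:12] + "...", check_wep_key(level, key) or "OK")
```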

ACTIVITY 4-4
Securing Wireless Traffic
Data Files:
• Wireless.exe

Setup:
This is a simulated activity. In this simulation, you have a Windows XP Professional computer named elementk-ngqv7t. The Windows XP Professional computer has a wireless network adapter with a MAC address of 00-40-05-B8-2D-7C. The adapter is configured to obtain addressing information automatically. There is an 802.11b-compliant wireless router providing network and Internet access. The router’s MAC address is 00-40-05-B7-FF-81. In the simulation, the router obtains IP addressing dynamically from a DHCP server and automatically issues IP addresses to wireless clients on the 192.168.0.x network. The IP address of the administrative interface on the router is 192.168.0.1. Wireless clients use this IP address as their default gateway. The default management account for the router is admin with no password.

This activity was written using a D-Link Enhanced 2.4 GHz Wireless Router, model 614+ and D-Link Enhanced 2.4 GHz Wireless PCI adapter, model DWL 520+. For more information, visit www.dlink.com.

Scenario:
You have been assigned the task of tightening security for a small insurance sales organization called Eckert Insurance, Inc. Many of the employees are mobile users, and it is your responsibility to set up Windows XP laptop and desktop computers with wireless cards so that users can communicate with each other without having to run any cables. The CEO, Jim McBee, is concerned that attackers may steal customer information. Jim says that employees run applications and transfer customer data and sales information on Windows XP Professional systems configured in a workgroup. Jim wants to make sure that only valid computers can communicate with each other and also wants to encrypt the data transferred between computers.
You have successfully tested Internet access through the router on the first desktop computer. Now, you need to configure the router’s security features. First, you must configure the router with MAC filtering enabled and verify that the Windows XP Professional computer can communicate with the wireless router. You will then need to configure WEP on the router to verify that the data will be encrypted. The IT consultants for Eckert Insurance have developed a plan for wireless usage that requires all wireless traffic to be encrypted using 256-bit encryption with a key of all 5s. The IT consultants will later work with Eckert Insurance’s ISP to secure the router’s firewall, DMZ, and port filtering options. Configure the wireless security on your wireless router.

What You Do / How You Do It

1. Run the Wireless.exe simulation file and open the Web management interface for the router.
   a. From the student data files, run Wireless.exe. The simulated environment contains a simulated computer desktop. There is a navigation box in the lower-right corner of the simulation window. As you work through the simulated activity, it might occasionally be necessary to click the Next button in the simulation’s navigation box in order to advance to the next screen.
   b. Within the simulation window, click the Start button.
   c. Click Internet to open Internet Explorer.
   d. Click in the Address Bar to select the existing address information.
   e. In the Address Bar, type http://192.168.0.1 and press Enter.
   f. In the Connect To 192.168.0.1 dialog box, in the User Name text box, enter admin and click OK. (The default Admin password is blank.) The Web Management interface page for the router opens.

2. Configure and enable MAC filtering on the router.
   a. Select the Advanced tab.
   b. In the left pane, click the Filters button.
   c. Select MAC Filters.
   d. Verify that your MAC address is listed as a DHCP client and click Clone. If your client was not listed, you could manually enter the computer’s host name and MAC address in the respective fields.
   e. Select Only Allow MAC Address Listed Below To Access Internet From LAN.
   f. Click Apply to save the settings.
   g. When the Settings Saved message appears, click Continue. The client entry appears in the MAC Filter List.

3. Configure and enable WEP on the router with the appropriate settings.
   a. Select the Home tab.
   b. In the left pane, click the Wireless button.
   c. For WEP, select Enabled.
   d. From the WEP Encryption drop-down list, select 256Bit.
   e. Select the text in the Key 1 text box.

   f. In the Key1 text box, enter all 5s. A 256-bit key will require 58 HEX characters, so you need to enter 58 5s. (In the simulation, press and hold the 5 key; the correct number of 5s will automatically fill in the text box.)

   In a high security environment, you may want to use random characters instead of all 5s.

   You will find that the simulation only allows you to enter 38 5s. This is fine for this activity, but if you were setting this key in the real world, you would need to enter 58.

   g. Click Apply to save the settings.
   h. When the Settings Saved message appears, click Continue.

   In a live environment, you might get a Page Cannot Be Displayed message at this point, because you might temporarily lose your connection to the router until the router restarts and the wireless network card detects and applies the new WEP settings.

   i. Within the simulation window, close Internet Explorer.

4. Verify that the wireless network card is now automatically using WEP.
   a. In the simulation window, in the System Tray, double-click the icon for the D-Link AirPlus Utility.
   b. In the left pane, click Encryption to verify that the Authentication mode is set to Auto.

   For performance reasons, you should verify that the data transfer speeds of the wireless devices are at least 22 Mbps to compensate for the additional overhead of WEP. On the D-Link 614+ router, the default setting is Auto, but you can force the setting to 22 Mbps or reposition the router so it gets a better signal. With a better signal, the router should automatically set the data transfer rate to 22 Mbps.

   c. Click Site Survey to verify that WEP is enabled.
   d. Double-click the MAC address for the Default entry to view the additional settings.
   e. For the first network key, select 256 Bits from the Key Length drop-down list.
   f. In the Network Key text box for the first network key, enter all 5s.
   g. Click OK. You should now be able to connect to the router.
   h. Select Site Survey.
   i. Double-click the MAC address for the Default entry to view the additional settings. You should see that the data encryption settings now match those that you configured on the router. However, you cannot see the 256-bit key—just asterisks.

   Instead of manually entering the key information, you could wait for the wireless card to detect it automatically.

   j. Click Cancel.
   k. Close the D-Link AirPlus utility.

5. Verify you can still connect to the Internet with WEP enabled.
   a. Open Internet Explorer.
   b. Select the text in the Address Bar.
   c. Type http://www.dlink.com and press Enter.
   d. Close Internet Explorer.
   e. In the navigation box in the simulation window, click Exit to close the simulation.

TOPIC C
Secure Client Internet Access
In addition to securing the various types of traffic on your internal network, as you did in the first three topics, you also have to be concerned about the security of network packets that pass from your network to the Internet. A common source of traffic from your network out to the Internet is ordinary client-level Web access from users’ Web browsers and other Web tools. In this topic, you’ll learn to secure the traffic that flows from your client systems onto the Internet.
You might wonder why you need to care about traffic going out of your network. It seems as if what you really need to worry about is attackers coming in. But, in fact, attackers can look at an outbound data stream and get lots of useful information that can help them attack the network. Attackers will be looking at client traffic to determine the network addresses and computer names of the source systems inside your network, and they will try to grab users’ passwords and personal information off the wire as well. To prevent attackers from getting hold of information that they can use against you, be sure that the data your users send out into the world is properly secured.

Browser Vulnerabilities
Browsers are applications and, as such, are vulnerable to the same types of attacks that threaten other applications. However, browsers do have some unique vulnerabilities, examples of which are described in the following table.

Java: Attackers can exploit flaws in Java code to run malicious code of their own or gain access to the target’s file system.

Spyware: Used to relay private information to advertisers, spyware can also be used to relay private information to attackers to be used for a later attack against a system or network.
ActiveX scripts: Attackers can create malicious ActiveX scripts that can be downloaded and executed on unsuspecting users’ systems. An attacker can embed an ActiveX script in a Web page and, if the user’s system is improperly secured, use the script to do just about anything. Signed scripts and applets are one way to help reduce this threat.
Cookies: Cookies can provide attackers with private user data or unauthorized access to a Web site if stolen during transmission and replayed at a later time (“cookie snarfing”).
Autocomplete feature: Data stored by a browser’s autocomplete feature could provide usernames, passwords, and other sensitive information.

Internet Explorer Security Tools

Microsoft’s Internet Explorer has two tools that you can use to help secure the browser against threats from attackers. Both tools are described in the following table.

Zones: You can set one of four levels of security based on the four zones: Local Intranet (trusted intranet sites), Trusted Sites (trusted Internet sites), Restricted Sites (untrusted, potentially damaging sites), and Internet (unclassified sites). You can set these zones on a per-computer basis, or you can use the Internet Explorer Administration Kit (IEAK) or Group Policy to set these zones across your organization. Each zone has default settings that dictate how Internet Explorer will display and access the sites within that zone. The settings for each zone are customizable. You can also configure how cookies are handled for sites in the Internet zone (sites you haven’t put in any of the other zones—most likely sites you haven’t visited yet) using the Privacy page of the Internet Options dialog box.
Content Advisor: You can use Content Advisor to restrict access to Web sites based on their content, as rated by the Recreational Software Advisory Council (RSAC), using the categories Language, Nudity, Sex, and Violence. Or you can use another ratings system, such as the Internet Content Rating Association (ICRA) or SafeSurf. In addition to, or instead of, a ratings system, you can restrict specific sites, regardless of their content. You can also require an administrative password to view restricted sites. In addition, you can choose to turn off the AutoComplete feature to keep user names and private information from being entered automatically in Web forms.

Hardened Web Browser
Definition:
A hardened Web browser is a Web browser that has been configured to protect against software and hardware attacks according to a defined security policy. A hardened Web browser may include some or all of the following security configuration settings:
• The latest browser version and up-to-date security patches to prevent attackers from exploiting the browser software or related code, such as Java.
• Internet zone security in your browser to prevent users from visiting unsafe sites from which they could download malicious code (such as ActiveX) or applications (including Spyware).
• Cookie settings to prevent the download of unsecure cookies.
• Disabled autocomplete and password-saving features.
• Optionally, content ratings to prevent users from visiting sites with inappropriate content.

Example: USA Travel’s Web Browsers

USA Travel’s security policy requires all Web browsers to be the latest version and have the latest security patches. The network administrator in the Miami office has upgraded all Web browsers to the latest version of Internet Explorer, and she monitors Microsoft’s security bulletins weekly to find the latest security updates. Because the Web browsers are configured according to security policy, they are considered hardened.

Secure Client Internet Access

Procedure Reference: Secure Internet Explorer
To secure Internet Explorer:
1. Install the latest browser version and up-to-date security patches.
2. Configure Internet zone security in your browser to prevent users from visiting unsafe sites.
   a. Choose Tools→Internet Options.
   b. Select the Security tab.
   c. With the Internet zone selected, click Custom Level.
   d. Configure the zone appropriate for your requirements.
3. Block unsecure cookies.
   a. Choose Tools→Internet Options.
   b. Select the Privacy tab.
   c. Move the Settings slider to High. Click Apply.
4. Allow cookies from secure, trusted sites.
   a. Choose Tools→Internet Options.
   b. Select the Privacy tab.
   c. In the Web Sites area, click Edit.

   d. In the Address Of Web Site text box, enter the URLs of the Web sites from which you’ll accept cookies. Click Allow.
5. Configure content ratings to prevent users from visiting sites with inappropriate content.
   a. Choose Tools→Internet Options.
   b. Select the Content tab.
   c. In the Content Advisor area, click Enable.
   d. Select the category you want to configure, and adjust the slider bar to set the rating level for that particular category.
6. Prevent the browser from saving user passwords on Web site forms.
   a. Choose Tools→Internet Options.
   b. Select the Content tab.
   c. Click AutoComplete.
   d. Uncheck Prompt Me To Save Passwords.
   e. Click Clear Passwords.
   f. Click Clear Forms.

Automated Browser Security Configuration

You can automate this process by using an administrative tool that is specific to your browser. For example, for Microsoft Internet Explorer, Microsoft provides the Internet Explorer Administration Kit (IEAK), which you can use both to deploy customized installations of Internet Explorer, and to centralize the configuration of customized Internet Explorer settings for groups of computers. For Netscape Navigator, you can use the Netscape Client Customization Kit to perform similar tasks.

ACTIVITY 4-5
Securing Client Internet Access
Data Files:
• IESecurity.rtf

Setup:
Your Windows XP computer has an administrative account named Admin100 with a password of !Pass1234. This account has permission to access shares on the \\Client100 computer. There is an unrated Web site available on the network at http://Server100. Files for this activity are available at \\Client100\SPlus\Student\IESecurity.rtf.

Scenario:
You are the security administrator for a nuclear plant and need to make sure your new Windows XP Professional clients with Internet Explorer are secure. In the past, the plant’s IT department has had problems with users storing passwords in their Internet browsers. They have also had problems with users visiting sites that contain inappropriate content, and users have also downloaded unauthorized programs to their computers. Before connecting the new Windows XP Professional computers to your network, you need to make sure that the browser is configured properly to minimize the likelihood of attacks.

The IT department has designed a security deployment plan for all new systems, including the Windows XP Professional desktops and Internet Explorer, and documented it as IESecurity.rtf. Before the IT Department uses IEAK and SMS to deploy the browser automatically to all users, this security configuration needs to be set up manually on a test system to verify that clients will still have the appropriate level of Web access.

What You Do / How You Do It

1. Unassign the IPSec policies on your computer.
   a. From the Start menu, choose All Programs→Administrative Tools→IPSec Management.
   b. In the IPSec Management console, select IP Security Policies on Local Computer.
   c. Right-click the Secure Server (Require Security) policy and choose Un-assign.
   d. Close the MMC console. There is no need to save the console settings.

2. Configure Internet Explorer with the appropriate zone level for the Internet zone as specified in the IESecurity.rtf data file.
   a. Open the \\Client100\SPlus\Student\IESecurity.rtf file.
   b. From the Start menu, click Internet to launch Internet Explorer. Depending on whether you are connected to the Internet, you might see a Web page, or you might see a “page cannot be displayed” message.
   c. Choose Tools→Internet Options.
   d. Select the Security tab.
   e. With the Internet zone selected, click Custom Level.
   f. From the Reset To drop-down list, select High.
   g. Click Reset, and then click Yes to confirm the change in security level.
   h. Click OK.

3. Block unsecure cookies.
   a. Select the Privacy tab.
   b. Move the Settings slider to High to block unsecure cookies.
   c. Click Apply.

4. Configure the appropriate Web sites to allow use of cookies.
   a. In the Web Sites area, click Edit.
   b. In the Address Of Web Site text box, type nrc.gov and click Allow.
   c. In the Address Of Web Site text box, type anl.gov and click Allow.
   d. Click OK.

5. Set the appropriate Content Advisor rating levels without blocking approved unrated sites.
   a. Select the Content tab.
   b. In the Content Advisor area, click Enable.

   c. With Language selected in the Select A Category To View The Rating Levels list, adjust the rating slider to level 1.
   d. Set the rating level for each of the remaining categories to 1.
   e. Click Apply.
   f. Select the Approved Sites tab.
   g. In the Allow This Web Site text box, type http://Server100 and click Always.
   h. Click OK.
   i. Enter and confirm !Pass1234 as the Content Advisor password.
   j. In the Hint area, type same as Admin100.
   k. Click OK twice.

6. Configure the appropriate forms settings.
   a. On the Content page, under Personal Information, click AutoComplete.
   b. Uncheck Prompt Me To Save Passwords.
   c. Click Clear Passwords.
   d. Click OK in the message box to confirm that you want to clear passwords.
   e. In the AutoComplete Settings dialog box, click OK.
   f. Click OK to close the Internet Options dialog box.

Instructor Only:

7. Reboot your computer to Windows 2000 Server. This is to make the http://Server100 Web site available.
   a. Restart your computer and boot to Windows 2000 Server.
   b. Log on as Administrator.

Students:

8. Verify that you can connect to the http://Server100 Web site.
   a. In the Internet Explorer Address bar, type http://Server100 and press Enter. You should see the default Web page on the Server100 Web site.
   b. Close Internet Explorer.

TOPIC D
Secure the Remote Access Channel
In Topic 4C, you secured data that flowed from internal client systems out to the Internet. Many companies also support clients who connect from the other direction: from foreign networks into the internal network via a remote access connection. In this topic, you’ll learn to secure data that enters your network over this type of inbound network connection.
If you provide remote access services, whether through dial-up or VPN connections, you are providing an avenue into your network from outside your physical network boundaries. This is attractive to the many business users today who work at least part of the time from home, from a remote office, or while travelling. And you can bet it’s an attractive avenue for attackers, too. You can’t see the person who is connecting from a remote location, like you could if someone tried to plug into an Ethernet jack in your home office. So you had better take other precautions to make sure that only authorized folks are accessing your network over the remote access connection.

Remote Access Vulnerabilities

Remote access servers and connections are vulnerable to the same threats we’ve seen so far in this course for other types of communications, services, servers, and operating systems. However, there are a few special vulnerabilities you should keep in mind, including those against your telecommunications and PBX infrastructure. Some examples are shown in the following table.

PPTP: Microsoft’s implementation of PPTP is susceptible to a number of attacks, including a dictionary attack against its LAN Manager (LM) password authentication mechanism.
DHCP for remote access clients: If an attacker can connect to a remote access server that assigns clients’ IP addresses using DHCP, the attacker can get a valid IP address and have the run of the network.
Improperly configured remote access security: While most administrators might never think of allowing unlimited access attempts or being lax with user name and password requirements on the local network, sometimes the same care isn’t given to remote access. Such an improper configuration could lead to brute force attacks against a dial-in remote access server.
Wardialers: These tools are used to dial every available phone number in an organization to find which numbers can be used to access modems, fax machines, and voicemail systems. This information can then be used to launch another attack. Wardialers include ToneLoc and PhoneSweep.

PBX systems: Some PBX systems ship with default user names and passwords for administrative purposes. A wardialer can detect the type of PBX system, and then an attacker can use the manufacturer’s default to exploit the system. Once inside the PBX system, an attacker can access private information that can be used for further attacks, including social engineering attacks.

Hardened Remote Access Server

Definition:
A hardened remote access server is a remote access server that has been configured to protect against software and hardware attacks according to a defined security policy. A hardened remote access server may include some or all of the following security configuration settings:
• A hardened operating system to prevent attackers from exploiting the OS to attack the remote access service.
• PPTP disabled on your remote access server to prevent a dictionary attack against LM password authentication.
• A static IP address pool for remote access clients with just enough network information to allow a remote connection and network connectivity.
• Properly configured security on your firewall to only allow valid traffic to your remote access server.
• Restricted remote access to the telephone system, fax machines, and any other device that can accept outside connections to prevent wardialing and other attacks against your PBX/phone system and other devices.
• An established audit or logging policy to detect and stop suspicious activity.

Example: USA Travel’s Remote Access Servers

All Windows 2000 RAS servers in USA Travel’s branch office are required to have a DHCP address pool for clients dialing in to the server and the latest operating system patches, according to USA Travel’s security policy. Therefore, the network administrator for the Los Angeles office has configured automatic OS update notification on the Windows 2000 RAS server, and has configured a static IP address pool to assign addresses for the five employees who normally dial in to the server. Because this configuration matches USA Travel’s security policy, the RAS server can be considered hardened.

Secure the Remote Access Channel

Procedure Reference: Secure the Remote Access Channel
To secure the remote access channel to a Windows 2000 RAS server:
1. Disable PPTP on your remote access server.
   a. From the Start menu, choose Programs→Administrative Tools→Routing And Remote Access.
   b. Below your server object, select the Ports object.

   c. Right-click the Ports object and choose Properties.
   d. Select the WAN Miniport (PPTP) and click Configure.
   e. Uncheck Remote Access Connections (Inbound Only).
   f. Uncheck Demand-dial Routing Connections (Inbound And Outbound).
   g. Click OK twice.
2. Configure input and output filters to allow only valid traffic to your server. For example, block traffic on ports for protocols you do not use on your remote access server. To filter out incoming PPTP traffic from external networks:
   a. In Routing And Remote Access, under IP Routing, select the General object.
   b. Right-click the appropriate interface object and choose Properties.
   c. Click Input Filters. Select the filter for Protocol 47 and click Remove.
   d. Remove the TCP filters with Source and Destination ports of 1723.
   e. Click OK twice.
3. Set up a static pool of addresses to give out to remote access clients so that attackers can’t get addresses from a DHCP server.
   a. In Routing And Remote Access, right-click your RRAS server object and choose Properties.
   b. Select the IP tab.
   c. Select Static Address Pool.
   d. Click Add.
   e. Create a static IP address pool using an appropriate addressing scheme.
4. Configure security on your firewall to only allow valid traffic to your remote access server.
5. Restrict remote access to the telephone system, fax machines, and any other device that can accept outside connections.
6. Enable auditing or logging to record any suspicious activity.

Common Remote Access Ports

A remote access server only needs to communicate with clients on a limited number of ports. The following table lists the ports for the common remote access protocols. You should only open other ports on your remote access server if there is a specific need to do so.

Table 4-3: Remote Access Protocol Port Numbers


Port Number Service
500 ISAKMP
1701 L2TP
1723 PPTP

If you are running Windows 2000 on a RRAS server, you should be sure to apply Service Pack 1. The Windows 2000 Service Packs increase security on your RRAS server by implementing a default set of filters on your external router interface. The default filters permit inbound and outbound TCP and UDP traffic on ports 500, 1701, and 1723 only. They also permit traffic for Protocol 47, or Generic Route Encapsulation (GRE), the data encapsulation protocol for PPTP. See Microsoft Knowledge Base article Q260926 for more information.
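To see what step 2 of the procedure leaves on the external interface, the following model applies the default filter set exactly as described above and then removes the Protocol 47 filter and the TCP 1723 filters. It is an added example, not Microsoft's code; the filter set is taken from this text rather than read from a live server, and the `describe` helper is a stand-in for the written record Activity 4-6 tells you to keep.

```python
"""Model of the packet filters this lesson describes for the external
interface of a Windows 2000 RRAS server, and of the change the procedure
makes when PPTP is disabled. Added example; not Microsoft's code. The
filter set is the one the text describes, not one read from a server.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

TCP, UDP, GRE = 6, 17, 47   # IP protocol numbers; 47 is GRE, PPTP's data channel


@dataclass(frozen=True)
class PermitFilter:
    protocol: int
    port: Optional[int] = None   # TCP/UDP port matched as source or destination


def default_rras_filters() -> Set[PermitFilter]:
    """Default Service Pack filter set as the text describes it: TCP and UDP
    on 500 (ISAKMP), 1701 (L2TP) and 1723 (PPTP), plus Protocol 47 (GRE)."""
    filters = {PermitFilter(GRE)}
    for port in (500, 1701, 1723):
        filters.add(PermitFilter(TCP, port))
        filters.add(PermitFilter(UDP, port))
    return filters


def permits(filters: Set[PermitFilter], protocol: int,
            src_port: Optional[int] = None,
            dst_port: Optional[int] = None) -> bool:
    """RRAS input/output filters drop everything except what a filter permits."""
    return any(f.protocol == protocol
               and (f.port is None or f.port in (src_port, dst_port))
               for f in filters)


def filter_out_pptp(filters: Set[PermitFilter]) -> Set[PermitFilter]:
    """Step 2 of the procedure: remove the Protocol 47 filter and the TCP
    filters whose source or destination port is 1723."""
    return {f for f in filters
            if not (f.protocol == GRE or (f.protocol == TCP and f.port == 1723))}


def describe(filters: Set[PermitFilter]) -> List[str]:
    """Sorted, readable list of what a filter set permits; handy as the
    record of the original configuration that Activity 4-6 recommends."""
    names = {TCP: "TCP", UDP: "UDP", GRE: "GRE"}
    return sorted(names.get(f.protocol, str(f.protocol))
                  + (f" port {f.port}" if f.port is not None else "")
                  for f in filters)


if __name__ == "__main__":
    before = default_rras_filters()
    after = filter_out_pptp(before)
    print("before:", describe(before))
    print("after: ", describe(after))
    print("PPTP control channel permitted?", permits(after, TCP, dst_port=1723))
    print("L2TP/IPSec permitted?",
          permits(after, UDP, dst_port=1701), permits(after, UDP, dst_port=500))
```

Anything still listed on port 1723 after the change (the UDP entry in this model) is worth a look during the review the activity's note asks for.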

ACTIVITY 4-6
Hardening a Remote Access Server
Setup:
The Windows 2000 Server computer has a physical LAN adapter and also a virtual Microsoft Loopback Adapter to simulate the presence of an external connection object. The Microsoft Loopback Adapter has been configured with default IP settings. The RRAS server is configured to use DHCP to distribute IP addresses to remote access clients.

Although the Routing and Remote Access Server (RRAS) is running on a domain controller for classroom and testing purposes, Routing and Remote Access Server (RRAS) should not be running on domain controllers as this is a security risk.

Scenario:
One of the next tasks as the bank’s security administrator is to make sure your Remote Access servers are secure. In the past, the bank has had problems with attackers accessing services and data that they were not supposed to have access to through VPN connections. You will now provide VPN services through new Windows 2000 Routing and Remote Access Servers. To prevent users from accessing information that they are not supposed to and to prevent attackers from getting data, the bank’s IT department has decided to place the new VPN Routing and Remote Access Server behind the existing hardware firewall to set up a demilitarized zone (DMZ). The hardware-based firewall has already been secured. Also, the Active Directory team has already created a remote access security policy to determine who will have VPN access to RRAS servers in your domain. Before connecting the new VPN server to your network, you want to make sure that the VPN servers are hardened to minimize the likelihood of attacks from external users. In particular, the bank does not want legacy PPTP Remote Access clients to connect, but only clients that support L2TP with IPSec encryption. Because you will not use PPTP on your server, you want to block PPTP packets that come from external networks. You also want to configure the incoming clients with a reserved pool of static addresses on your internal network. The network administration team has reserved the address range of 192.168.x.10-20 for this purpose. After you configure the VPN server, the bank’s desktop team will test the connections from laptop VPN clients to make sure the security is not too restrictive.

Lesson 4: Securing Network Communications 193


LESSON 4
What You Do / How You Do It

1. If necessary, reboot to Windows 2000 Server.
   a. Restart the computer and choose Windows 2000 Server from the boot menu.
   b. Log on as Administrator with a password of !Pass1234.

2. Disable PPTP on the RRAS server.
   a. From the Start menu, choose Programs→Administrative Tools→Routing And Remote Access.
   b. Below your server object, select the Ports object.
   c. Right-click the Ports object and choose Properties.
   d. Select the WAN Miniport (PPTP) and click Configure.
      Do not select the WAN Miniport (L2TP).
   e. Uncheck Remote Access Connections (Inbound Only).
   f. Uncheck Demand-dial Routing Connections (Inbound And Outbound).
   g. Click OK. The Used By status of the WAN Miniport (PPTP) object should appear as None.
   h. Click OK. All the WAN Miniport (PPTP) objects disappear from the Ports list.

3. Filter out incoming PPTP traffic from external networks.
   a. Under IP Routing, select the General object.
   b. Right-click the Loopback Adapter interface object and choose Properties.
   c. Click Input Filters.
   d. Select the filter for Protocol 47 and click Remove.
   e. Remove the TCP filters with Source and Destination ports of 1723.
   f. Click OK twice.

   The input filters that the RRAS setup wizard places on the external interface permit only the listed VPN protocols and drop everything else, so removing the PPTP entries (GRE protocol 47 and TCP port 1723) causes incoming PPTP packets to be dropped.

   On a production system, if you decide to remove any default filters, you should keep a record of the original filter configuration (a screen shot or note will do) in case you need to re-enable them at a later time.

4. Set up the static IP address pool.
   a. Right-click your RRAS server object and choose Properties.
   b. Select the IP tab. The server is configured to use DHCP to assign IP addresses.
   c. Select Static Address Pool.
   d. Click Add.
   e. Enter 192.168.1.10 as the Start IP Address.
   f. Enter 192.168.1.20 as the End IP Address.
   g. Click OK twice.
   h. Close Routing And Remote Access.

Lesson 4 Follow-up
In this lesson, you took the next step in securing your network by securing the actual network
communication itself. This includes using IPSec to authenticate and encrypt communications
between two computers, securing wireless communications, securing users’ Internet access, and
securing remote access to your network. This is an important step because network security
doesn’t mean just securing your systems, it means making sure attackers can’t access the data
transfer between your systems.
1. How do you secure the network traffic in your organization?

2. What do you think is the biggest challenge in securing remote access?



LESSON 5
Managing Public Key Infrastructure (PKI)
Lesson Time: 1 hour(s), 30 minutes

Lesson Objectives:
In this lesson, you will manage a PKI.
You will:
• Install a Certificate Authority (CA) Hierarchy.
• Harden a Certificate Authority.
• Back up CAs.
• Restore the CA.

Lesson 5: Managing Public Key Infrastructure (PKI) 197


Introduction
Certificate-based security is becoming more and more prevalent in today’s computing environ-
ment, as even the most casual Internet user is now exposed to the familiar software publisher
certificate window that pops up to verify the authenticity of a piece of software they are
downloading. Many companies opt to implement certificate-based security in securing both
public and private network communications, network servers, and user connections. If your
company implements a PKI to issue certificates, then, as a security professional, it will
certainly be part of your job to create, manage, and support that infrastructure.

TOPIC A
Install a Certificate Authority (CA) Hierarchy
You can implement certificate-based security either by obtaining certificates from a public Cer-
tificate Authority (CA), or by establishing your own CA. If you plan to use your own CA
servers to issue certificates on your network, then the first step in the process of setting up
public key security is installing the CA servers. In this topic, you’ll install CA servers into a
CA hierarchy.
You can only trust a certificate if you can trust the CA that issued it, and you can only trust
that CA if you can trust the CA above it in the chain. The entire certificate security system will
fail if the basic CA hierarchy is not properly established and authorized. If your job as a secu-
rity professional requires you to implement a CA design by installing CAs, you can use the
skills in this topic to make sure it’s done properly.

Public Key Infrastructure (PKI)


For more information on PKCS, visit www.rsasecurity.com/rsalabs/pkcs/index.html.

A public key infrastructure (PKI) is a system that is composed of a CA, certificates, software,
services, and other cryptographic components for the purpose of enabling authenticity and vali-
dation of data and/or entities—for example, to secure transactions over the Internet. A PKI is
composed of:
• Digital certificates—Electronic documents that bind the entity’s public key to the informa-
tion regarding that entity, to verify that an entity is who it claims to be.
• A Certificate Authority (CA)—The Certificate Authority is responsible for issuing digital
certificates to computers, users, or applications.
• A registration authority (RA)—The registration authority is responsible for verifying users’
identities and approving or denying requests for digital certificates.
• A certificate repository—The database that contains the digital certificates.
• A certificate management system—A system that provides the software tools to perform
the day-to-day functions of the PKI.

Each of these components works together to provide digital certificate management services.
The components may all be housed on one server or they may be spread out over multiple
servers and even in different parts of the world.

CA Hierarchy
A PKI is implemented through a trust model or, as it is more commonly called, a CA
hierarchy. A CA hierarchy is a single CA or group of CAs that work together to issue digital
certificates. At any given time, there may be thousands of issued certificates circulating in a
large corporation. A CA Hierarchy provides a way for multiple CAs to distribute the workload
and provide certificate services more efficiently.

Figure 5-1: Components of a CA hierarchy.


In addition, if a CA lower in the hierarchy is compromised, only those certificates issued by
that particular CA, or under that CA, are invalid. The remaining CAs that have not been com-
promised can continue issuing certificates and provide certificate services until the
compromised CA is restored or replaced. Figure 5-1 and the following paragraphs describe the
components of a CA hierarchy.

In Windows 2000, do not install Certificate Services on a domain controller because it could pose a security risk.


Figure 5-2: The root CA.


The root CA is the top-most CA in the hierarchy and consequently, the most trusted authority
in the hierarchy. The root CA issues the first certificate (a self-signed certificate) in the
hierarchy. In a centralized system, root CAs then issue end-user certificates and perform the
day-to-day management of certificates. In a decentralized system, the root CA issues certificates
to subordinate CAs and the subordinate CAs handle the day-to-day functions of the certificates.
In the Microsoft world, a CA is considered an enterprise CA if it’s integrated with Active
Directory, while it’s considered a stand-alone CA if it’s not. In the Novell world, a root is
either organizational if it is created in-house by a particular organization or a global root if it
is housed at Novell. Unix does not make any further distinctions for root CAs.
Root CAs can be designated either private or public:
— A private root CA is created by a company for use primarily within the company itself.
The root will be set up using CA software and configured in-house.
— A public root CA is created by a third-party vendor (or commercial vendor such as
Verisign) after they consult with a company and determine the company’s particular CA
needs and requirements. Commercial CA vendors offer a wide variety of services to make
setting up a PKI easier from creating the root CA to issuing the initial certificates to end
users.
Subordinate CAs, whether there is one or there are a hundred, also issue certificates, but their
main function is to provide day-to-day management of the certificates including renewal, sus-
pension, and revocation. An organization may create as many subordinate CAs as resources
will allow. Depending on your company’s particular needs, you may opt for one of the imple-
mentations shown in Table 5-1. A subordinate CA has a parent-child relationship with its root CA.


Figure 5-3: The subordinate CA.

Table 5-1: CA Hierarchy Implementation Options

Business or Security Requirement: A company with thousands of employees worldwide.
CA Hierarchy Implementation: The subordinate CAs are designated by geographic location to balance the number of issued certificates among the individual CAs.

Business or Security Requirement: A company that wants individuals to access specific applications only.
CA Hierarchy Implementation: The subordinate CAs are designated by function or department so the individual CAs serve groups of people with specific resource needs.

Business or Security Requirement: A company that has tight security and allows individuals differing levels of access to the same resources.
CA Hierarchy Implementation: The subordinate CAs are designated by the security required to obtain a certificate. Some CAs may be set up to issue a certificate with a network ID and password; other CAs may require a person to present a valid driver’s license.

Root CA Security
To provide the most secure environment possible for the root CA, companies will often
set up the entire CA hierarchy and then take the root offline, allowing the subordinate
CAs to issue all certificates. This strategy ensures that the root CA is not accessible by
anyone on the network and thus, it is much less likely to be compromised.

Install a Certificate Authority (CA) Hierarchy


Procedure Reference: Install a Certificate Authority Hierarchy
Depending on your CA hierarchy design, you might need to install root CAs as well as
subordinate CAs. The general steps you will use to install a CA hierarchy are:
1. Install the root CA if you are not using a third-party CA. To install a Windows
2000 CA:
a. Open Add/Remove Programs and click Add/Remove Windows Components.
b. Select the CA type.
c. Enter the CA identifying information.

d. Select the storage location for the CA database and log.
e. Stop Internet Information Services if prompted.

Refer to RFC 3280 for standards for identifying information for CAs. You can find this RFC at
www.ietf.org/rfc/rfc3280.txt.

2. Verify the CA installation by checking the properties of the installed CA.


3. If you will maintain your own root CA, secure the root CA by removing it from
your network. Once the root CA is offline, you will need to use file-based requests
to obtain the certificates for your subordinate CAs, as you will not be able to
transmit the requests across the network.
4. Install the subordinate CAs. To install a Windows 2000 subordinate CA:
a. If you are maintaining your own Windows 2000 root server, retrieve the root
server certificate from http://root-server/certsrv (substitute your server name
for “root-server”), and install the certification path into the Root Store on the
server where you will install the subordinate CA.
b. Install the subordinate CA using the Add/Remove Windows Components wiz-
ard in the same manner that you installed the root server.
c. During the installation, request a server certificate from the root CA. (If the
root CA is offline, you will have to save the request as a file, take the file to
the root CA, and request the certificate.)
d. At the root CA, issue the certificate for the subordinate CA. If the root CA is
offline, you will need to save the certificate as a file and take the file to the
new subordinate CA.
e. Start the CA service at the subordinate CA and install the new CA server
certificate.
5. If your design plan calls for additional levels of issuing CAs, install those CAs as
well.

ACTIVITY 5-1
Installing a Certificate Authority Hierarchy
Data Files:
• UniversityCAspecs.rtf

Setup:
The data file for this activity is available at \\Server100\SPlus\Student\UniversityCAspecs.rtf.
The installation source files for Windows 2000 server are available at \\Server100\SPlus\
Srv2000. You will need a floppy disk for this activity.

Scenario:
As the security administrator for a private university located in Rochester, NY, one of your job
functions is to make sure the Certificate Authority hierarchy designed by the IT department is
implemented correctly. In the past, the university has had problems with CAs being set up as
stand-alone and having unauthorized users being granted certificates. To prevent users from
receiving unapproved certificates and accessing information that they are not supposed to, and
also to prevent attackers from getting data, the university has decided to implement a new
secure CA hierarchy using Windows 2000 Servers. The IT design team has created and documented
a CA implementation plan in UniversityCAspecs.rtf. The plan calls for installing a
root CA for the entire university, taking the root CA offline, and then installing subordinate
CAs for each college. The Windows 2000 Servers on which you will install Certificate Ser-
vices have already been hardened to minimize the likelihood of attacks against the operating
system itself from external users.

Although Certificate Services is running on a domain controller for classroom and testing purposes, this is a
security risk.

You and your partner will need to decide on who will be the root CA (University CA) and who will be the subordi-
nate CA (College CA).

What You Do / How You Do It

On the Server Designated as the Root CA:

1. Install Certificate Services on the root CA.
   a. Open Control Panel and run Add/Remove Programs.
   b. Click Add/Remove Windows Components.
   c. In the Windows Components list, check Certificate Services.
   d. In the message box, click Yes.
   e. Click Next.
   f. Select Stand-alone Root CA and click Next.
   g. As the CA Name, enter UniversityRootCA#.
   h. As the Organization, enter SecurityOrg.
   i. As the Organizational Unit, enter Education.
   j. As the City, enter Rochester.
   k. As the State Or Province, enter New York.
   l. As the Country/Region, verify that US is selected.
   m. As the E-mail, enter secadmin@domain#.internal.
   n. As the CA Description, enter Stand-alone CA Root for Rochester.
   o. Set the Valid For value to 1 Years. Click Next.
   p. Click Next to accept the default database and log storage locations.
   q. Click OK when prompted to stop IIS.
   r. If prompted for the path to the Windows 2000 Server installation files, enter the path \\Server100\SPlus\Srv2000\I386. (If prompted for credentials, enter domain100\administrator with a password of !Pass1234.)
   s. When the installation is complete, click Finish.
   t. Close Add/Remove Programs and Control Panel.

2. Verify that Certificate Services was installed properly.
   a. From the Start menu, choose Programs→Administrative Tools→Certification Authority. The UniversityRootCA# object should appear in the MMC console.
   b. Open the properties of the UniversityRootCA# object. The Description should appear as you configured it during the installation.
   c. Click View Certificate. The certificate should expire in one year.
   d. Click OK to close the certificate.
   e. Click OK to close the property sheet. You can leave Certification Authority open.

Wait until your lab partner has completed the previous steps before proceeding.

On the Server Designated as the Subordinate CA:

3. Retrieve the root CA certificate and install the CA certificate path from your lab partner’s root CA.
   a. Run Internet Explorer.
   b. In the Address text box, enter http://server#/certsrv where # is your partner’s computer number.
   c. Select Retrieve The CA Certificate Or Certificate Revocation List. Click Next.
   d. Click Install This CA Certification Path.
   e. Click Yes when prompted to add the certificate to the Root Store.
   f. Close Internet Explorer.

4. Why do you need to install the CA certification path?

5. What should you do to secure your root CA physically after it is installed?

On the Server Designated as the Subordinate CA:

6. Install Certificate Services on the subordinate CA.

   You will save the certificate request as a file because, in a secure environment, the root CA is kept offline on an isolated subnet. Certificates and requests are moved to and from the root CA on removable storage media such as floppy disks. Although, in the classroom, your root CA is online, you will perform the procedures that are appropriate for a secure, offline CA.

   a. Open Control Panel and run Add/Remove Programs.
   b. Click Add/Remove Windows Components.
   c. In the Windows Components list, check Certificate Services.
   d. In the message box, click Yes.
   e. Click Next.
   f. Select Stand-alone Subordinate CA and click Next.
   g. As the CA Name, enter CollegeSubordinateCA#.
   h. As the Organization, enter SecurityOrg.
   i. As the Organizational Unit, enter Education.
   j. As the City, enter Rochester.
   k. As the State Or Province, enter New York.
   l. As the Country/Region, verify that US is selected.
   m. As the E-mail, enter secadmin@domain#.internal.
   n. As the CA Description, enter Stand-alone Subordinate CA for Rochester.
   o. The certificate validity period will be determined by the parent CA. Click Next.
   p. Click Next to accept the default database and log storage locations.
   q. Select Save The Request To A File and click Next. By default, the request file will be saved to the root of the C drive.
   r. Click OK when prompted to stop IIS.
   s. If prompted for the path to the Windows 2000 Server installation files, browse to select \\Server100\SPlus\Srv2000\I386.
   t. Click OK in the message about requesting a certificate from the parent CA.
   u. When the installation is complete, click Finish.
   v. Close Add/Remove Programs and Control Panel.
   w. Copy the certificate request file from the C directory to a floppy disk. The request file will have a .req extension.

Wait until your lab partner has completed the previous step before proceeding.

On the Server Designated as the Root CA:

7. Use the certificate request file to request a certificate for your lab partner’s subordinate CA.
   a. Insert the floppy disk containing the certificate request file into your floppy disk drive.
   b. Open the A drive.
   c. Right-click the certificate request file and choose Open With.
   d. Select Notepad and click OK.
   e. Choose Edit→Select All, and then choose Edit→Copy.
   f. Close Notepad.
   g. Run Internet Explorer and connect to the URL http://server#/certsrv, where # is your own student number.
   h. Verify that Request A Certificate is selected and click Next.
   i. Select Advanced Request and click Next.
   j. Select Submit A Certificate Request Using A Base64 Encoded PKCS #10 File Or A Renewal Request Using A Base64 Encoded PKCS #7 File and click Next.
   k. Click in the Saved Request text box and choose Edit→Paste. Click Submit.
   l. Click the Home link in the Certificate Pending Web page.

8. Issue the pending certificate request.
   a. In Certification Authority, expand the UniversityRootCA# object and select the Pending Requests folder.
   b. In the details pane, right-click the pending request and choose All Tasks→Issue.
   c. Select the Issued Certificates folder. The newly-issued certificate for the subordinate CA should appear in the details pane.

9. Create a certificate file for your lab partner’s subordinate CA.
   a. Switch to Internet Explorer.
   b. Select Check On A Pending Certificate and click Next twice.
   c. On the Certificate Issued Web page, click Download CA Certificate.
   d. In the File Download dialog box, click Save.
   e. Save the file as A:\Certnew.cer.
   f. In the Download Complete dialog box, click Close.
   g. Close Internet Explorer.

Wait until your lab partner has completed the previous steps before proceeding.

On the Server Designated as the Subordinate CA:

10. Start the Certificate Server and install the CA certificate for the subordinate CA.
    a. Insert the floppy disk containing the downloaded server certificate file into your floppy disk drive.
    b. From the Start menu, choose Programs→Administrative Tools→Certification Authority. The CollegeSubordinateCA object should appear in the MMC console with a red square icon, indicating that it is not started.
    c. Select and right-click the CollegeSubordinateCA object and choose All Tasks→Start Service.
    d. Click Yes when prompted to install the certificate.
    e. Browse to select and open the A:\Certnew.cer file. (You will need to select .cer from the Files Of Type drop-down list.)
    f. Click OK to close the message that the revocation server is offline. The service will start and the CA object will appear with a green check mark.

TOPIC B
Harden a Certificate Authority
In Topic 5A, you installed a CA. Before you begin allowing the CA to issue certificates on
your network, you should set up security on all the CA servers themselves. In this topic, you’ll
learn hardening techniques for your CA servers.
You put a certification hierarchy in place so that you can use trusted certificates to secure all
types of devices, services, and users in your network. But how much can you trust that hierar-
chy? If one of your CA servers is hacked and compromised, the answer is, not at all.
Certificate security is no good if the source of the certificates is insecure, so before you roll
out your certificate program, make sure your CA servers are as secure as you need them to be.

Certificate Policies
Definition:
A certificate policy (CP) is a security policy that determines what information a digital
certificate will contain, what the requirements are to obtain a certificate, and the speci-
fications for the information in the certificate. The CP is developed by representatives
from the entire company including management, security, and network architecture.
The CP is formalized and an official certificate policy document is created. After the
CP is finalized, the CA software is configured to implement the stated policy.

Some companies make the document available on the Internet. For an example of a certificate policy
and certificate practice statement, go to www.entrust.com/resources/pdf/cps.pdf.

Once the certificate policy is finalized into a formal document and the CA software is
configured to conform to that policy, a separate certificate practice statement (CPS) is
developed. The CPS specifies how a particular CA will manage its certificates based on
the certificate policy for that CA. For example, the CP may require a photo ID be pre-
sented to obtain a certificate. The CPS will state that users can go to a designated local
registration authority and present their driver’s license to meet this requirement.
Each certificate policy is specifically created for a particular set of business require-
ments and security needs. The certificate policy can vary widely depending on its
purpose. A company may have several certificate policies at the same time and thus
have several types of certificates available to entities both inside and outside the
organization.
This variety of policies results in end users with several certificates. The end users then
have multiple key pairs depending on the purpose each certificate is used for. End
users may also have a single certificate that combines services such as encryption and
digital signatures. This is known as a dual key pair because the keys perform more
than one purpose.
Table 5-2 shows some of the ways certificate policies can vary.

Table 5-2: Certificate Policy Considerations

Consideration: How will users be authenticated to the CA?
Options: There is a variety of ways (or combination of ways) users can be authenticated, from filling out a form on the Internet to showing up in person and having a photo ID required.

Consideration: What are the legal implications if the CA is compromised?
Options: Who is responsible if the issued certificates are misused by some individuals? The individual that misused them or the company that issued them?

Consideration: What is the certificate going to be used for?
Options: The certificate may be used for access to specific applications.

Consideration: How will the user’s private key be stored?
Options: Companies have several options to choose from that include storing the private key on the hard drive of the user’s computer, a separate device such as a smart card, or on the user’s PDA. Any of these can be further protected by requiring a password before the key can be accessed.

Consideration: What is the user responsible for?
Options: Do users need a specific security clearance? What does a user do if their private key is compromised or lost?

Consideration: Can the user’s private key be exported?
Options: Exporting a private key can be useful if it is lost. It is also a greater security risk. The more places a private key is available in, the more exposed it is to attackers.

Consideration: What are the requirements to renew a certificate?
Options: Will the certificate be automatically renewed? Will the user be required to go through the enrollment process again? Will there be a separate authentication process for renewals?

Consideration: How long will the certificate lifetime be?
Options: What is the length of time a certificate is valid for? The longer it is valid, the more time an attacker has to find a way to access it. On the other hand, a certificate that needs to be renewed often can create a lot of administrative overhead.

Consideration: What type of cryptographic algorithm will the certificate use?
Options: More complex algorithms require numerous high-level mathematical calculations and are more difficult to break. Depending on your company’s needs, you may not require extremely complex algorithms. The less complex ones are still very secure. Complex algorithms take more time to encrypt/decrypt data.

Consideration: What will be the length of the public and private key pair?
Options: Longer key pairs contain more data bits and thus are generally more secure. Again, this makes it more difficult for attackers to compromise the private key.

Example: University Project


A private university has several professors and graduate students working on a project
that they hope results in a patent for the college. Some of the students working on the
project are out-of-state. The university needs to be sure that only the individuals work-
ing directly on the project have access to it. The data integrity is critical to the project.
Because the information is expected to be patented, confidentiality is absolutely
necessary. All these elements can be built into the certificate policy.

Consideration: Highly sensitive data. Cannot be tampered with or stolen.
Requirement: Integrity, confidentiality.
Implementation: Strong cryptographic algorithm.

Consideration: Users located in different parts of the world.
Requirement: Identity verification.
Implementation: Users will go to local registration authority and present photo ID with notarized letter from university.

Consideration: Only specific individuals are allowed to access the project. Although the information resides on the university servers, not all the students can access the data.
Requirement: User’s private key must be secure.
Implementation: Store private key on a smart card that requires a password.

Consideration: Project will take several years.
Requirement: Long certificate lifetime.
Implementation: Require a long key pair.

Example: Shopping On The Internet


An Internet company that sells clothing needs certificates as well, but they have totally
different requirements. To obtain a certificate, a user applies online with a valid credit
card. The certificate is configured to set spending limits on each user based on their
credit history in an effort to limit the clothing company’s liability. In addition, the cer-
tificate will also need to have a built-in parameter for non-repudiation so sales cannot
be denied once they are processed.

Consideration: Easy access to make purchases. Users from all over the world.
Requirement: Simple enrollment form via Internet.
Implementation: Users fill out form on Internet to access site.

Consideration: Users must be who they say they are to purchase merchandise.
Requirement: Non-repudiation.
Implementation: Users supply valid credit card number to make purchases.

The Certificate Life Cycle


The parameters specified in your certificate policy will determine your certificate life cycle.
The following diagram describes the certificate life cycle. The life cycle consists of: issuance,
revocation, expiration, and renewal.


Figure 5-4: The Certificate Life Cycle.


1. Issuance—The life cycle begins when the root CA is issued its self-signed key pair. The
root CA then begins issuing certificates to other CAs and end users.
2. Revocation—For a variety of reasons (misuse, lost keys, security compromise) certificates
can be revoked.
3. Expiration—Certificates expire per the parameters set in the certificate policy.
4. Renewal—Some expired certificates will be renewed. Certificates can be renewed more
than once, again, depending on the CP parameters. The entire cycle ends when the root
CA’s self-signed certificate is revoked or expired.
As a general rule, the longer the life cycle is, the less administrative overhead involved. This
could pose a higher security risk, however, because a longer life cycle also gives attackers
more time to break the cryptography of the key pair or otherwise compromise the system.
Also, with a shortened lifetime, new developments in cryptography could allow you to have enti-
ties renew certificates that are more secure.
The actual life cycle of your certificates will be based on your business requirements and secu-
rity needs. Table 5-3 shows the most common factors that affect a certificate life cycle,
although this is not a comprehensive list.

Table 5-3: Certificate Life Cycle Factors

Factor: The length of the CA’s private key.
Variables: What length key is appropriate? 56-bit, 128-bit, or more?
Implications: The longer the key, the more data bits to work with. Long keys require more resources (number of computers, time involved, etc.) to break. Attackers may not think it’s worth the effort.

Factor: Strength of the cryptography used.
Variables: How complex will the algorithm be? Will it be created by a programmer or developed by algorithm software?
Implications: The more complex the mathematical functions are that are used in the algorithm, the harder it is for an attacker to decrypt.

Factor: Physical security of the CA and private key.
Variables: Where is the CA kept? Is it in a locked area or just protected by a password? Who has access to it?
Implications: Higher physical security is essential for longer life cycles. All the policy in the world won’t protect a private key if it is not physically secure. Keep in mind that physical security may be expensive.

Factor: Security of issued certificates and their private keys.
Variables: Where is the private key stored? On a smart card? On the desktop? Is a password required?
Implications: The more secure the user’s private keys are, the better it is for the security of the overall system. Conversely, users can forget passwords or lose smart cards and that means more work for administrators.

Factor: Risk of attack.
Variables: Is your CA offline or online? Is your root CA within your company or handled by a third-party company? What type of business are you in? Does your company have an intranet?
Implications: Your CA may be secure but an attacker can use another access point that is not as secure on your network to gain access to the CA.

Factor: User trust.
Variables: Who is using the issued certificates? External or internal users?
Implications: You can generally trust internal users (employees on the corporate network) more than external users (individuals accessing through the Internet).

Factor: Administrative involvement.
Variables: Long life cycles require less administrative work. Short life cycles require more administrative work.
Implications: Although a long life cycle requires less administrative work (renewals, revocations, etc.), it also gives attackers more time to gain access.

CA Vulnerabilities
While CA servers are vulnerable to the same exploits covered so far in this course, including
eavesdropping and malicious code, CAs also have unique vulnerabilities, all of which center
around the security of certificates and keys. If there isn’t tight control placed on the issuance
of certificates and keys, attackers could obtain certificates and exploit those trust relationships.
The following table describes a few common vulnerabilities.

Vulnerability: Unauthorized users
Description: Your CA should issue certificates only to authorized users. If access control is
too loose, attackers could obtain and exploit certificates from your CA.

Vulnerability: Physical security
Description: If an attacker can physically access your CA, there’s no limit to what he or she
can accomplish.

Vulnerability: Private keys
Description: Weak private keys threaten the security of your entire CA hierarchy because they
can more easily be broken and exploited by an attacker.

216 Security+ A CompTIA Certification


Hardened CA
Definition:
A hardened CA is a CA that has been configured to protect against software and hardware
attacks according to a defined security policy. A hardened CA may include some or all of
the following security configuration settings:
• A hardened operating system to prevent attackers from exploiting the OS to attack
the CA server software.
• Strict access controls on certificate requests to prevent unauthorized users from
obtaining certificates.
• Location behind a firewall to prevent unauthorized users from connecting to the
server for any reason.
• Tight physical security to prevent attackers from accessing the server itself.
• Longer key lengths to make keys and your entire CA hierarchy more secure.

Example: USA Travel’s Windows 2000 CA


USA Travel’s security policy requires their root CA to be located in a locked room to
which there is limited physical access. In addition, only authorized users must be
allowed to obtain a certificate. The network administrator for the main corporate office
has placed the server in a locked room to which only he and two other administrators
have access. In addition, the administrator has configured security on the CA server so
that only authenticated network users may request certificates. Because the CA is
configured according to the established security policy, it can be considered hardened.

Harden a Certificate Authority


Procedure Reference: Harden a Windows 2000 Certificate Authority
To harden a Windows 2000 Certificate Authority:
1. Harden the operating system.
2. Use Active Directory Sites And Services to set permissions for individual certificate
templates so that only authorized entities can obtain certificates. To set permissions
for individual certificate templates:
a. Choose Programs→Administrative Tools→Active Directory Sites And
Services.
b. If necessary, choose View→Show Services Node.
c. Expand Services, then Public Key Services, and select Certificate Templates.
d. Double-click the template you want to secure, and configure security as
necessary.
3. Place all CA servers behind a firewall.
4. Physically secure the CAs.
5. For greater security and to make it more difficult for attackers to crack your keys,
use longer key lengths.

Balance Security and Accessibility
Although it would seem that a long key pair combined with a very complex algorithm
would provide the longest life cycle and less administrative overhead, this combination
can reduce the speed of encrypting and decrypting data on the network. A long life
cycle also allows attackers more time to break the code.

ACTIVITY 5-2
Hardening a Windows 2000 Certificate Authority
Data Files:
• UniversityCAspecs.rtf

Scenario:
One of the next tasks as the university’s security administrator is to make sure the certificate
server is hardened based on the design documents of the IT department. In the past, the
university has had problems with unauthorized users being granted certificates. You have
installed new Windows 2000 CAs as Enterprise CAs in your domain so that you have the ability to
configure the certificate server to restrict user access to certificate templates. The IT
department has documented the required certificate template permission settings in the
UniversityCAspecs.rtf security guidelines document.

In the classroom, your CA is actually installed as a stand-alone CA. You will still be able to perform the required
permissions configurations in the Active Directory.

1. Use Active Directory Public Key Services to configure the appropriate permissions on the
User template as specified in the UniversityCAspecs.rtf file.
   a. From the Start menu, choose Programs→Administrative Tools→Active Directory Sites And
      Services.
   b. Choose View→Show Services Node.
   c. Expand Services, then Public Key Services, and select Certificate Templates.
   d. In the Templates list, double-click User.
   e. Select the Security tab.
   f. With Authenticated Users selected, verify that Read and Enroll are checked and click OK.

2. Use Active Directory Public Key Services to configure the appropriate permissions on the
WebServer template as specified in the UniversityCAspecs.rtf file.
   a. In the Templates list, double-click WebServer.
   b. Select the Security tab.
   c. With Authenticated Users selected, verify that Read and Enroll are checked and click OK.
   d. Close Active Directory Sites and Services.

3. Suppose the University wanted only faculty members to be able to enroll certificates
from its Enterprise CAs. How would you configure security?

TOPIC C
Back Up Certificate Authorities
As a network administrator, you’re probably used to backing up data and services on a regular
basis, so that you can restore the information in case of damage or loss. Your CA database is
no different. You should always have a valid CA backup on hand as a safety net for your CA
servers.

Back Up Certificate Authorities


Procedure Reference: Back Up a Certificate Authority
To prepare for the worst, back up your CA. The backup steps will vary depending
upon the CA software you are using. To back up a Windows 2000 CA:
1. Open Certification Authority.
2. Right-click your CA object and choose All Tasks→Backup CA.
3. Use the Certification Authority Backup Wizard to back up the CA’s private key,
CA certificate, log, and request queue.
4. Back up the CA configuration information by performing a System State backup.
See the Windows 2000 Help system for more information on using Windows
Backup to back up the System State.
You should also periodically back up your entire CA server, by using a third-party
backup tool.

ACTIVITY 5-3
Backing up a Certificate Authority
Data Files:
• UniversityCAspecs.rtf

Scenario:
One of the next tasks as the university’s security administrator is to make sure the certificate
server is backed up based on the design document of the IT department. The university is
concerned about the possibility of the certificate server failing or being breached by an
attacker and wants to implement a backup strategy.

1. Back up your certificate server.
   a. In Certification Authority, right-click your CA object and choose All Tasks→Backup CA
      to launch the Certification Authority Backup Wizard.
   b. Click Next.
   c. Check Private Key And CA Certificate. Check Issued Certificate Log And Pending
      Certificate Request Queue.
      Configuration information can only be backed up as part of a Windows 2000 System
      State backup.
   d. In the Back Up To This Location text box, enter C:\CABackup. Click Next.
   e. Click OK to create the new C:\CABackup directory.
   f. Enter and confirm !Pass1234 as the password for the private key and certificate file
      backup.
   g. Click Next, and then click Finish to perform the backup.

2. If you did lose your root CA due to system failure and you did not have the password to
restore, what would happen to the certificates that have already been issued?

3. Verify that the backup was successful.
   a. Open the C:\CABackup folder. It should contain the backup copy of the server
      certificate and a DataBase folder containing the remaining backup items.
   b. Close the C:\CABackup folder window.

TOPIC D
Restore a Certificate Authority
In Topic 5C, you learned to back up your CA to protect against disaster. With luck, you’ll
never have to use that backup, but you should be ready to do so just in case the CA ever does
go down. In this topic, you’ll learn to restore a CA server from a backup.
There are lots of things that can bring a CA server down. Ordinary problems such as a bad
hard disk or a loss of power can affect the system just like any other system, or, despite your
best efforts at hardening the server, an attacker might target and compromise the CA to obtain
user IDs, issue false certificates, or simply deny CA services. In these cases, restoring your
clean backup will be part of your plan for a speedy, safe, and effective CA restoration.

Restore a Certificate Authority


Procedure Reference: Restore a Certificate Authority
Thankfully, you backed up your CA. Now you can restore it. To restore a CA:
1. Open Certification Authority.
2. Right-click your CA object and choose All Tasks→Restore CA.
3. Use the Certification Authority Restore Wizard to restore the CA’s private key,
CA certificate, log, and request queue from the backup location.
4. Restore the CA configuration information by performing a System State
restoration. See the Windows 2000 Help system for more information on restoring
the System State.

ACTIVITY 5-4
Restoring a Certificate Authority
Setup:
A certificate for Server authentication has been issued and the CA has been backed up. The
CA log files are stored in C:\WINNT\System32\Certlog.

Scenario:
Some of the files for your CA server have become corrupted. Fortunately, you have a backup
copy that you can use to restore your CA.

1. Delete your CA server’s edb00001.log file.
   a. Open the C:\WINNT\System32\CertLog folder.
   b. Delete the Edb00001.log file.
   c. Minimize the C:\WINNT\System32\CertLog folder window.

2. Restore your certificate server.
   a. In Certification Authority, right-click your server object and choose All Tasks→
      Restore CA.
   b. Click OK when prompted to stop Certificate Services.
   c. In the Certification Authority Restore Wizard, click Next.
   d. Check the Private Key And CA Certificate check box, and check the Issued Certificate
      Log And Pending Certificate Request Queue check box.
   e. In the Restore From This Location text box, enter C:\CABackup and click Next.
   f. In the Password text box, enter !Pass1234 and click Next.
   g. Click Finish.
   h. Click Yes when prompted to start Certificate Services when the restore is complete.

3. Verify that the restore was successful.
   a. Switch to the C:\WINNT\System32\CertLog folder window. The log file is present in the
      folder.
   b. Close the C:\WINNT\System32\CertLog folder and Certification Authority.

Lesson 5 Follow-up
In this lesson, you learned to manage a certificate-based security system through a public key
infrastructure (PKI). The tasks involved in managing a PKI range from implementing a CA
hierarchy to understanding how to restore the CA and restore lost keys. As a security
professional, these skills will be vitally important if your company implements a PKI. You
will be the person they call on to get the services up and running.
1. What types of CAs are you familiar with?

2. Have you been involved in implementing a PKI? Explain.


LESSON 6
Managing Certificates

Lesson Time: 1 hour(s), 30 minutes

Lesson Objectives:
In this lesson, you will manage certificates.
You will:
• Enroll certificates for entities.
• Secure network traffic using certificates.
• Renew certificates.
• Revoke certificates.
• Back up certificates and private keys.
• Restore certificates and private keys.

Lesson 6: Managing Certificates 225


Introduction
Digital certificates are a versatile method for authenticating a variety of network transactions.
Properly used, certificates enable servers, clients, and applications to prove their identities and
validate their communications across almost any network connection. To get the full benefit of
certificate security, you should be able to manage all the phases of the certificate process, from
enrollment to revocation, and that’s what we’ll do in this lesson.

TOPIC A
Enroll Certificates for Entities
Using certificates is a process that has several stages. The first stage is enrolling and installing
certificates for the entities (users, devices, and services) who need them. In this topic, you’ll
learn to enroll certificates for various entities that require them.
A CA by itself doesn’t do you any good. You have to get the certificates enrolled properly for
the appropriate entities in order to implement certificate-based security. If a user, server, or
client machine doesn’t have the right certificate, there is nothing you can do to secure
communications to or from that entity. The skills you’ll learn in this topic will help you
request and install the proper certificates for each security situation.

Certificate Enrollment Process


Certificate enrollment depends on the level of security the CA requires from an entity to obtain
the certificate. The exact process of certificate enrollment is determined by the certificate
policy (CP) for that particular CA.

Table 6-1: Steps in the Certificate Enrollment Process

Enrollment Step: Entity submits request for certificate.
Explanation: An entity follows the procedure (for example, filling out an online form) to
obtain a certificate.

Enrollment Step: User authenticated by the RA.
Explanation: Authentication is determined by the certificate policy requirements (for example,
network userid and password, driver’s license, or other unique identifier).

Enrollment Step: Policy applied to request.
Explanation: The certificate policy (CP) of the particular CA issuing the certificate is
applied to the request.

Enrollment Step: Request sent to CA.
Explanation: If the identity of the entity is authenticated successfully and the policy
requirements are met, the certificate request is sent on to the CA.

Enrollment Step: CA issues certificate.
Explanation: The certificate is created and put in the repository.

Enrollment Step: User is notified certificate is complete.
Explanation: The entity is notified that the certificate is available and the certificate is
delivered.

Example: Thousands of Certificates to Enroll
Within corporations that have a large number of entities to issue certificates to, a variety
of tools may be used to speed up the process. For instance, if a corporation of 10,000
employees scattered throughout the world decided to implement a PKI, there would be a
tremendous amount of administrative overhead involved in enrolling each employee for a
certificate. In this case, the corporation could pull existing employee information from a
human resources database to initially authenticate users. Then employees could be given a
telephone number to call to complete the process. As an alternative, the employees could
fill out automated forms on an intranet. Very often, however, large corporations will have
the third-party vendor that is setting up the root CA handle the entire process of
certificate enrollment for the employees. There are two drawbacks to this option: it can be
prohibitively expensive, and you can’t verify each user’s identity individually, which can
be a security risk.
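The enrollment flow of Table 6-1, combined with the human-resources-database authentication
idea from the example above, as an added example written for this page; it is not code from
the manual or from any CA product. It is a toy model in Python: the HR records, the
certificate policy table, the request format and the pending queue are all constructed
assumptions, and nothing in it is real PKCS #10 or X.509. What it shows is the separation of
duties the table describes: the RA authenticates the entity, the certificate policy decides
whether that entity may have the requested template, the CA either issues at once or holds the
request in a pending queue for an administrator to issue manually (as in the Windows 2000
Certification Authority console), and the entity is notified once the certificate is delivered.

```python
"""Toy model of the certificate enrollment flow in Table 6-1.

Added example for this page (not the manual's code, not any CA product's). The HR
records, certificate policy, request format and pending queue are constructed
assumptions; nothing here is real PKCS #10 or X.509.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed stand-in for the human resources database the text mentions: the RA
# authenticates an applicant against it before the request goes any further.
HR_DATABASE = {
    "jsmith": {"employee_id": "E1001", "department": "Finance", "active": True},
    "mlee": {"employee_id": "E1002", "department": "Education", "active": True},
    "rpatel": {"employee_id": "E1003", "department": "Sales", "active": False},
}

# Constructed certificate policy (CP): who may enroll each template, whether the CA
# issues immediately or holds the request for an administrator, and validity in days.
CERTIFICATE_POLICY = {
    "User": {"departments": {"Finance", "Education", "Sales"}, "auto_issue": True, "days": 365},
    "WebServer": {"departments": {"Education"}, "auto_issue": False, "days": 730},
}


@dataclass
class CertRequest:
    username: str
    employee_id: str  # credential the RA checks against HR_DATABASE
    template: str
    common_name: str
    status: str = "submitted"  # -> authenticated -> pending/issued -> delivered, or rejected
    reason: str = ""


@dataclass
class CertificateAuthority:
    """Holds the pending request queue and the repository of issued certificates."""
    pending: list = field(default_factory=list)
    repository: dict = field(default_factory=dict)
    next_serial: int = 1

    def issue(self, req: CertRequest, today: date) -> dict:
        """Step 5: create the certificate and place it in the repository."""
        days = CERTIFICATE_POLICY[req.template]["days"]
        cert = {"serial": self.next_serial, "subject": req.common_name, "template": req.template,
                "not_before": today, "not_after": today + timedelta(days=days)}
        self.next_serial += 1
        self.repository[cert["serial"]] = cert
        req.status = "issued"
        return cert


def registration_authority(req: CertRequest) -> bool:
    """Step 2: the RA authenticates the entity against the HR data."""
    record = HR_DATABASE.get(req.username)
    if record is None or not record["active"] or record["employee_id"] != req.employee_id:
        req.status, req.reason = "rejected", "RA authentication failed"
        return False
    req.status = "authenticated"
    return True


def apply_policy(req: CertRequest) -> bool:
    """Step 3: the issuing CA's certificate policy is applied to the request."""
    cp = CERTIFICATE_POLICY.get(req.template)
    if cp is None or HR_DATABASE[req.username]["department"] not in cp["departments"]:
        req.status, req.reason = "rejected", "certificate policy denies this template"
        return False
    return True


def enroll(ca: CertificateAuthority, req: CertRequest, today: date):
    """Steps 1-6 end to end; returns the certificate, or None when rejected or held pending."""
    if not registration_authority(req) or not apply_policy(req):
        return None
    # Step 4: only an authenticated, policy-checked request reaches the CA.
    if not CERTIFICATE_POLICY[req.template]["auto_issue"]:
        req.status = "pending"  # an administrator must issue it (All Tasks -> Issue)
        ca.pending.append(req)
        return None
    cert = ca.issue(req, today)
    req.status = "delivered"  # step 6: entity notified and certificate delivered
    return cert


def administrator_issues_pending(ca: CertificateAuthority, today: date) -> list:
    """The administrator's manual issue step for everything in the pending queue."""
    issued = [ca.issue(req, today) for req in ca.pending]
    for req in ca.pending:
        req.status = "delivered"
    ca.pending.clear()
    return issued


def demo(today: date = date(2003, 1, 15)) -> dict:
    """Runs five constructed requests through the flow and reports what happened."""
    ca = CertificateAuthority()
    requests = {
        "valid_user": CertRequest("jsmith", "E1001", "User", "John Smith"),
        "bad_credential": CertRequest("jsmith", "E9999", "User", "John Smith"),
        "ex_employee": CertRequest("rpatel", "E1003", "User", "R. Patel"),
        "wrong_department": CertRequest("jsmith", "E1001", "WebServer", "Finance Web"),
        "web_server": CertRequest("mlee", "E1002", "WebServer", "Server1 Web Server"),
    }
    for req in requests.values():
        enroll(ca, req, today)
    pending_before_admin = len(ca.pending)
    administrator_issues_pending(ca, today)
    return {
        "statuses": {name: req.status for name, req in requests.items()},
        "pending_before_admin": pending_before_admin,
        "issued_serials": sorted(ca.repository),
        "web_server_not_after": ca.repository[2]["not_after"].isoformat(),
    }
```

Note how the two rejection paths differ: a bad credential or a departed employee never gets
past the RA, while a valid employee asking for a template the CP does not grant them is turned
away by policy, and only requests that clear both ever reach the CA. The WebServer request is
held as pending because the constructed policy does not auto-issue it, mirroring the manual
issue step in Activity 6-1.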

Enroll Certificates for Entities


Procedure Reference: Enroll a Certificate for a Windows 2000 Web Server
Nothing happens in a CA hierarchy until certificates are enrolled for each entity. To
enroll a certificate for a Windows 2000 Web server:
1. Request the certificate. The certificate request can be saved as a file or submitted
across the network.
• You can request certificates for users by using the Web-based enrollment
form on your certificate server’s home page at http://servername/certsrv.
• Or, you can request a Web server certificate by using the Web Server Certificate
Wizard in Internet Services Manager.
a. In Internet Services Manager, right-click your server and choose
Properties.
b. Select the Directory Security tab.
c. Click Server Certificate.
d. Complete the wizard with all the appropriate information.
2. If the certificate request is saved as a file, take the file to the issuing CA and
submit it manually. If the CA is not configured to issue certificates automatically, the
CA administrator will issue the certificate manually.
3. After the certificate has been issued, install it. To install a certificate on a Web
server:
a. Download and save the certificate.
b. In Internet Services Manager, open the properties of the Default Web Site.
c. Select the Directory Security tab and click Server Certificate. Click Next.
d. Verify that Process The Pending Request And Install The Certificate is
selected and click Next.
e. Verify that the correct certificate is selected.
f. Click Next, and then click Finish to install the certificate.

ACTIVITY 6-1
Enrolling Certificates
Data Files:
• UniversityCAspecs.rtf

Scenario:
Now that your certificate server is functional, one of the next tasks as the university’s security
administrator is to enroll certificates for entities that require them. The university maintains a
Web-based student registration system. Internet Information Services has already been hardened
on your CAs and all University Web servers. One of the first implementations of using
certificates will be to make sure the data being transferred is secure on the student registration
Web servers. In order to do so, you will need to enroll a certificate for the Web server
according to the specifications in the UniversityCAspecs.rtf file.

The focus of this activity is on enrolling the certificate, not setting up the secure Web communications.

1. Create a file-based request for a new Web server certificate from your CA.
   a. From the Start menu, choose Programs→Administrative Tools→Internet Services Manager.
   b. Expand your Web server object.
   c. Select and right-click the Default Web Site object, and choose Properties.
   d. Select the Directory Security tab.
   e. Click Server Certificate to launch the Web Server Certificate Wizard.
   f. Click Next.
   g. Verify that Create A New Certificate is selected and click Next.
   h. Verify that Prepare The Request Now But Send It Later is selected and click Next.
      The other option is grayed out because your server does not permit immediate
      submission.
   i. Click Next to accept the default Name and Bit Length settings.
   j. Enter Security Org as the Organization and Education as the Organizational Unit.
      Click Next.
   k. Enter Server# Web Server as the Common Name. Click Next.
   l. Enter New York as the State/Province and enter Rochester as the City/Locality.
      Click Next.
   m. Click Next to accept the default file name and location for the certificate request
      file. By default, it is saved as C:\Certreq.txt.
   n. Click Next, and then click Finish to generate and save the request file.
   o. Click Cancel to close the property sheet.

2. Submit the request to your certificate server.
   a. Use Notepad to open the C:\Certreq.txt file.
   b. Choose Edit→Select All, and then choose Edit→Copy.
   c. Close Notepad.
   d. Use Internet Explorer to connect to http://server#/certsrv.
   e. Verify that Request A Certificate is selected and click Next.
   f. Select Advanced Request and click Next.
   g. Select Submit A Certificate Request Using A Base64 Encoded PKCS #10 File Or A
      Renewal Request Using A Base64 Encoded PKCS #7 File and click Next.
   h. Click in the Saved Request text box and choose Edit→Paste. Click Submit.
   i. Click the Home link in the Certificate Pending Web page.

3. Issue the requested server certificate.
   a. In Certification Authority, select the Pending Requests folder.
   b. Right-click the pending request with a Request Common Name of Server# Web Server and
      choose All Tasks→Issue. You may have to scroll to the right a bit in order to view
      the Request Common Name.
   c. Select the Issued Certificates folder. The newly-issued certificate should appear in
      the details pane.

4. Download the newly-issued certificate as a file.
   a. Switch to Internet Explorer.
   b. Select Check On A Pending Certificate and click Next.
   c. Select the Saved-Request Certificate and click Next.
   d. On the Certificate Issued Web page, click Download CA Certificate.
   e. In the File Download dialog box, click Save.
   f. Save the file as C:\Certnew.cer.
   g. In the Download Complete dialog box, click Close.
   h. Close Internet Explorer.

5. Install and verify the certificate.
   a. In Internet Services Manager, open the properties of the Default Web Site.
   b. Select the Directory Security tab and click Server Certificate.
   c. Click Next.
   d. Verify that Process The Pending Request And Install The Certificate is selected and
      click Next.
   e. Verify that the C:\Certnew.cer file is selected and click Next.
   f. Click Next, and then click Finish to install the certificate.
   g. Click View Certificate. The details of the certificate match your request, which
      verifies that this is the correct certificate.
   h. Click OK to close the certificate.
   i. Click Cancel to close the property sheet.

TOPIC B
Secure Network Traffic Using
Certificates
Once an entity has a certificate enrolled, as you did in Topic 6A, you can use the certificate to
secure network traffic flowing to and from that entity. Setting up the security is the next step in
the process, so, in this topic, you’ll use certificates to secure network communications.
The end result of all your PKI planning, installation, and configuration is a mechanism for
securing network communications. As you know by now, unsecure network communication is
open to a variety of attacks, including eavesdropping. Attackers can use simple tools to steal
data as it travels across the network and, most importantly, capture user names and passwords
to get into your most sensitive systems. In this topic, you’ll learn how to secure data using
certificates—another method for keeping attackers out of the critical components in your
network.

Secure Socket Layer (SSL)


Secure Socket Layer (SSL) is a stateful security protocol that combines digital certificates for
authentication with RSA public key cryptography and symmetric encryption. As illustrated in
Figure 6-1, SSL communication starts with a client requesting a session with a server. The server
responds by sending its digital certificate and public key to the client. The server and client
then negotiate an encryption level. Once they agree on a level, the client generates a session
key, encrypts it with the public key from the server, and sends it to the server. The session
key then becomes the key used to encrypt the rest of the conversation.

Figure 6-1: SSL.
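The exchange just described, as an added example written for this page; it is not code from the
manual and it is not a real SSL or TLS implementation. The server key pair is built from two
fixed, small primes, the server "certificate" is a plain dictionary, and the session cipher is a
SHA-256 keystream XOR; every one of those is a toy assumption chosen so that each step in the
text (session request, server certificate carrying the public key, negotiation of an encryption
level, session key encrypted under the server's public key, data protected by the session key)
is visible in a recorded transcript.

```python
"""Toy walk-through of the SSL exchange in Figure 6-1.

Added example for this page, not the manual's code and not a real SSL/TLS
implementation: fixed small RSA primes, a dictionary standing in for the server
certificate, and a SHA-256 keystream XOR as the session cipher. All constructed.
"""
import hashlib
import secrets
from dataclasses import dataclass

# Server key pair from two fixed primes (far too small to be secure, chosen so the
# arithmetic is easy to follow). A real server gets its key pair when it enrolls.
P, Q = 4294967291, 4294967279
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, never leaves the server

SERVER_CERTIFICATE = {  # constructed stand-in for the server's X.509 certificate
    "subject": "server1.university.test",
    "issuer": "University Root CA",
    "public_key": (N, E),
}

# Encryption levels either side may offer; the handshake picks the strongest shared one.
LEVEL_ORDER = {"40-bit": 1, "56-bit": 2, "128-bit": 3}


def rsa_encrypt(public_key, message: int) -> int:
    n, e = public_key
    return pow(message, e, n)


def rsa_decrypt(ciphertext: int) -> int:
    return pow(ciphertext, D, N)


def keystream_xor(session_key: int, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream (its own inverse)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(session_key.to_bytes(8, "big") + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


@dataclass
class Transcript:
    messages: list  # (direction, message type, content) exactly as an eavesdropper would see it
    negotiated_level: str
    session_key_matches: bool  # did the server recover the same session key the client made?
    plaintext_seen_by_server: bytes


def ssl_exchange(client_levels, server_levels, request: bytes) -> Transcript:
    messages = []
    # 1. The client requests a session and announces the encryption levels it supports.
    messages.append(("client->server", "ClientHello", sorted(client_levels)))
    # 2. The server answers with its certificate, which carries its public key.
    messages.append(("server->client", "Certificate", SERVER_CERTIFICATE["subject"]))
    # 3. Both sides negotiate an encryption level: the strongest one they share.
    common = set(client_levels) & set(server_levels)
    if not common:
        raise ValueError("no common encryption level; the handshake fails")
    level = max(common, key=LEVEL_ORDER.__getitem__)
    messages.append(("server->client", "ServerHello", level))
    # 4. The client generates a session key and encrypts it with the server's public key.
    client_session_key = secrets.randbits(63)  # 63 bits keeps it below the modulus N
    encrypted_key = rsa_encrypt(SERVER_CERTIFICATE["public_key"], client_session_key)
    messages.append(("client->server", "ClientKeyExchange", hex(encrypted_key)))
    # Only the holder of the private key can recover the session key from that message.
    server_session_key = rsa_decrypt(encrypted_key)
    # 5. The session key now protects the conversation in both directions.
    ciphertext = keystream_xor(client_session_key, request)
    messages.append(("client->server", "ApplicationData", ciphertext.hex()))
    plaintext = keystream_xor(server_session_key, ciphertext)
    return Transcript(messages, level, server_session_key == client_session_key, plaintext)
```

The transcript is what an eavesdropper on the wire would collect: the hello messages, the
server's certificate, an RSA ciphertext of the session key and the encrypted request, none of
which reveals the session key or the request itself. The toy skips the step a real client
performs before trusting that public key, checking that the certificate was issued by a CA it
trusts and that its name matches the site; the Security Alert dialog in Activity 6-2 is the
browser reporting exactly that check.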

SSL is widely deployed on Web sites and the Internet because it’s a server-driven process. The
client simply has to support SSL; it doesn’t need a registered certificate. This means that any
of 60 million Internet users can connect to a Web site through a secure connection, as long as
their browsers can support SSL. Web sites that begin with https:// are sites that require SSL.

Transport Layer Security (TLS)


Transport Layer Security (TLS), the next generation of SSL, uses certificates and public key
cryptography for mutual authentication and data encryption over a TCP/IP connection. TLS
provides a mechanism for two computers to verify each other’s identity (mutual
authentication), to establish a secure, tamper-resistant channel for communication, and to
encrypt data using negotiated secret keys. Like SSL, TLS is an important security mechanism
because it protects sensitive communication from eavesdropping and tampering by using a secure,
encrypted, and authenticated channel.

For more information on TLS, see RFC 2246. For more information on SSL, visit
http://wp.netscape.com/eng/ssl3/.

Secure Network Traffic Using Certificates


Procedure Reference: Secure Network Traffic with Certificates
The purpose of using certificates is securing communication to and from your network.
The Internet plays a large part in how much traffic your network has to handle. The
method you will use to secure network traffic with certificates will vary depending on
the types of network services you maintain. To secure a Windows 2000 Web site with
certificates:
1. In Internet Information Services, open the properties of the Web site and select
the Directory Security tab.
2. In the Secure Communications area, click Edit.
3. Check Require Secure Channel (SSL).
4. Configure the desired channel settings, such as 128-bit encryption.
5. Click OK.
6. If this Web site has subordinate virtual directories, select the directories you want
to inherit the new security configuration and click OK.

ACTIVITY 6-2
Securing Network Traffic with Certificates
Data Files:
• UniversityCAspecs.rtf

Setup:
A certificate has been installed on the Web server. There is a home page for a student
registration Web site on the server at the URL http://server#/register. The data file for this
activity is available at \\Server100\SPlus\Student\UniversityCAspecs.rtf.

Scenario:
Now that you have obtained and installed the required certificate, your next task as the
university’s security administrator is to enable secure communications on the student
registration Web site, which the University’s Webmaster has created on the Web server at
http://server#/register. You need to ensure that the enrollment data being transferred to and
from the registration Web site is secured according to the specifications in the
UniversityCAspecs.rtf file.

1. Verify that you can connect to the student registration Web site.
   a. Open Internet Explorer.
   b. In the Address box, enter http://server#/register where # is your student number.
      You should see the home page for the student registration Web site.
   c. Close Internet Explorer.

2. Enable the appropriate secure communications method and encryption level for the
student registration Web site.
   a. In Internet Information Services, under the Default Web Site, open the properties of
      the Register virtual directory.
   b. Select the Directory Security tab.
   c. In the Secure Communications area, click Edit.
   d. Check Require Secure Channel (SSL).
   e. Check Require 128-bit Encryption.
   f. Click OK twice.

3. Test unsecure communications with the student enrollment Web site.
   a. Open Internet Explorer.
   b. In the Address box, enter http://server#/register where # is your student number.
      You should receive a message that the page must be accessed over a secure channel.

4. Why did it fail?

5. Test secure communication with the student enrollment Web site.
   a. In the Address box, enter https://server#/register where # is your student number.
   b. Click OK to acknowledge that you are making a secure connection.
   c. In the Security Alert dialog box, click View Certificate. Even though the name on the
      certificate does not match the site name, you can see that it is the Web Server
      certificate you issued for this server.
   d. Click OK to close the certificate.
   e. In the Security Alert dialog box, click Yes to connect to the secure site.
   f. Close Internet Explorer.

6. Were you successful? Why?

TOPIC C
Renew Certificates
After you initially configure certificate-based security, as you did in Topic 6B, the remainder of
your certificate management tasks have to do with maintaining the certificates over the rest of
their life cycle. Because certificates are temporary and can expire, your first concern will be
with renewing existing certificates at the appropriate intervals. In this topic, you’ll learn to
renew certificates.
Just like a driver’s license, certificates are designed to expire at regular intervals. If the
driver’s license was good indefinitely, society would have no way to verify over time that the
driver was still qualified to drive. And if certificates didn’t expire, an entity on the network
could use one indefinitely even if its job role or function had changed. So that drivers can
keep their license past the expiration period, most motor vehicle departments have a renewal
process in place that doesn’t interrupt a driver’s right to be on the road. It’s the same way
with certificates. You should renew certificates appropriately so that you don’t have any
interruptions in your security services.

Renew Certificates
Procedure Reference: Renew Certificates
The procedures for renewing a certificate will vary depending upon the entity for
whom you are renewing, and on your CA software. For example, Windows users can
use the Certificates MMC console to renew certificates in their personal store, while
CA administrators can use Certification Authority to renew their CA certificate.
To renew a CA certificate in Windows 2000:
1. Open Certification Authority.
2. Right-click your CA object and choose All Tasks→Renew CA Certificate.
3. Stop Certificate Services when prompted.
4. Choose whether or not to generate a new key pair when prompted.
5. View the new certificate to verify that the expiration date has been extended.

ACTIVITY 6-3
Renewing a CA Certificate
Scenario:
Your root CA key has been compromised! To avoid student records being accessed
inappropriately, you need to correct the root CA key problem immediately.

You will perform this activity on the root CA server only.

On the Root CA server:

1. Renew the root CA certificate.
   a. In Certification Authority, right-click your CA object and choose All Tasks→Renew CA
      Certificate.
   b. When prompted to stop Certificate Services, click Yes.
   c. Select Yes to generate a new key pair.
   d. Click OK.
   e. Open the properties of your CA object.
   f. Click View Certificate. The renewed certificate should expire one year from the
      current date.
   g. Click OK, and then click Cancel to close the certificate and the property sheet.

TOPIC D
Revoke Certificates
In Topic 6C, you learned to perform certificate renewal, which is necessary when you want a
security entity to be able to continue using a certificate past its original expiration period. You
might sometimes encounter the opposite case, when you want a security entity to stop using a
certificate permanently, before it expires. To do that, you must revoke the certificate, which
is what we’ll do in this topic.
Remember that certificates are sort of like driver’s licenses; although they are only good for a
limited period, most people can simply renew theirs to keep it valid past the original
expiration. But sometimes, a driver loses the right to drive. In the same way, sometimes a
security principal no longer needs a certificate or should no longer be able to authenticate with
a certificate. Just like the driver’s license, the certificate has to be revoked to prevent its further
use.

Certificate Revocation List (CRL)


A Certificate Revocation List (CRL) is a list of certificates that were revoked before the
expiration date. A certificate may be revoked for a number of reasons including:
• The certificate owner’s private key has been compromised or lost.

• The certificate was obtained by fraudulent means.
• The entity is no longer trustworthy (this can occur when an employee leaves a company
under normal circumstances or when a subordinate CA is hacked).
Each CA has its own CRL that can be accessed through the directory services of the network
operating system or a Web site. The CRL generally contains the owner’s name, certificate
number, reason why the certificate was revoked, and other pertinent information. Many
software programs, including email applications, will check the status of a certificate before
relying on it by checking a CA for up-to-date CRLs.

Certificate Suspension
Certificate revocation permanently invalidates a given certificate. You can revoke
certificates on any type of CA. Some Unix-based certificate server systems also support
certificate suspension, which enables you to temporarily invalidate a certificate with the
option of later reinstating it. Certificate suspension is not supported on Windows 2000
CAs. Applications that check certificate status by checking CRLs will also check for
suspended certificates as part of the certificate status check.

Revoke Certificates
Procedure Reference: Revoke a Certificate
You may need to revoke certificates when an entity is compromised. To revoke a
certificate:
1. Revoke the certificate itself. For Windows 2000, in Certification Authority, select
the Issued Certificates folder, right-click the certificate you want to revoke, and
choose All Tasks→Revoke Certificate. You can specify a reason why the certificate
was revoked.
2. Publish the CRL. The CRL is published automatically at an interval that you
specify, and can also be published manually.
• To publish a Windows 2000 CRL manually, in Certification Authority, right-click
the Revoked Certificates folder and choose All Tasks→Publish.
• To modify the CRL publication interval on a Windows 2000 server, in
Certification Authority, open the properties of the Revoked Certificates folder and
set the Publication Interval to the desired value.
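The status decision that a CRL-checking application makes, worked through as an added example (this is illustration code, not part of the manual and not the behaviour of any particular Windows 2000 component): a small Python model of a CA's revoked-certificate records, the CRL it publishes on its publication interval, and the check a relying application performs. It covers the reasons in the CRL and Certificate Suspension passages above, the revoke-then-publish procedure, and the interval setting. The CA name, subjects, serial numbers and timestamps are constructed; the reason codes are the X.509 CRL entry codes from RFC 5280, where code 6 (certificateHold) is the suspension a CA may later lift. The walkthrough also shows the gap between revoking a certificate and a client with a cached CRL actually seeing the revocation, which the publication interval and manual publication govern.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# CRL entry reason codes (RFC 5280, section 5.3.1). Code 6, certificateHold,
# is a suspension the CA may later lift; every other code is permanent.
REASON_NAMES = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
                3: "affiliationChanged", 4: "superseded",
                5: "cessationOfOperation", 6: "certificateHold"}
KEY_COMPROMISE = 1
CERTIFICATE_HOLD = 6


@dataclass
class Certificate:
    serial: int
    subject: str
    not_before: datetime
    not_after: datetime


@dataclass
class CRL:
    issuer: str
    this_update: datetime  # when the CA published this list (Effective Date)
    next_update: datetime  # when the CA promises to publish the next one
    entries: dict          # serial -> (revocation_date, reason_code)


class CertificationAuthority:
    """Model of a CA's revocation records and its CRL publication."""

    def __init__(self, name, publication_days):
        self.name = name
        self.publication_interval = timedelta(days=publication_days)
        self.revoked = {}  # plays the role of the Revoked Certificates folder

    def revoke(self, cert, reason, when):
        self.revoked[cert.serial] = (when, reason)

    def reinstate(self, cert):
        """Lift a hold; any other revocation is permanent."""
        _, reason = self.revoked[cert.serial]
        if reason != CERTIFICATE_HOLD:
            raise ValueError("revocation of %s is permanent" % cert.subject)
        del self.revoked[cert.serial]

    def publish_crl(self, now):
        """Snapshot the records, as automatic or manual publication does."""
        return CRL(self.name, now, now + self.publication_interval,
                   dict(self.revoked))


def check_status(cert, crl, now):
    """What a CRL-checking application concludes about cert at time now."""
    if now < cert.not_before:
        return "not yet valid"
    if now > cert.not_after:
        return "expired"
    if now > crl.next_update:
        # The cached list is past its next_update: a careful client will
        # not rely on the certificate until it has fetched a fresh CRL.
        return "undetermined (cached CRL is stale)"
    entry = crl.entries.get(cert.serial)
    if entry is None:
        return "good"
    _, reason = entry
    if reason == CERTIFICATE_HOLD:
        return "suspended"
    return "revoked (%s)" % REASON_NAMES.get(reason, "unspecified")


def walkthrough(publication_days=7):
    """Constructed scenario: a Web server key is reported compromised one
    hour after the CA published its periodic CRL."""
    t0 = datetime(2003, 3, 3, 9, 0)
    ca = CertificationAuthority("Domain1 CA", publication_days)
    issued, expires = t0 - timedelta(days=30), t0 + timedelta(days=335)
    web = Certificate(0x1001, "Server1 Web Server", issued, expires)
    user = Certificate(0x1002, "jsmith", issued, expires)
    cached = ca.publish_crl(t0)  # the CRL clients downloaded this morning
    t1 = t0 + timedelta(hours=1)
    ca.revoke(web, KEY_COMPROMISE, t1)
    ca.revoke(user, CERTIFICATE_HOLD, t1)   # suspension, not revocation
    results = {}
    # Clients still holding the 09:00 list see nothing wrong with either.
    results["web_cached_crl"] = check_status(web, cached, t1)
    # Publishing the CRL manually makes the revocation visible at once.
    fresh = ca.publish_crl(t1)
    results["web_fresh_crl"] = check_status(web, fresh, t1)
    results["user_fresh_crl"] = check_status(user, fresh, t1)
    # Lifting a hold: the next CRL simply no longer lists that serial.
    ca.reinstate(user)
    t2 = t0 + timedelta(days=1)
    results["user_reinstated"] = check_status(user, ca.publish_crl(t2), t2)
    # A client that never refreshes loses its answer at next_update.
    results["web_stale_crl"] = check_status(
        web, cached, cached.next_update + timedelta(minutes=1))
    return results
```

Calling `walkthrough()` with the default weekly interval returns `good` for the compromised server certificate as long as clients hold the morning's list, `revoked (keyCompromise)` once the CRL is republished, and `suspended` for the held user certificate; a shorter interval (`walkthrough(1)`, the daily setting of Activity 6-5) only shrinks the window in which a cached list stays acceptable, which is why a compromise still calls for manual publication.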

Destroy Certificate Files


When you have revoked a certificate, you should also destroy the certificate if it has
been stored as a file in any other location. For example, if the revoked certificate had
been installed on a smart card, you should destroy or reprogram the card, to protect the
confidential information contained within the certificate itself.

ACTIVITY 6-4
Revoking Certificates
Setup:
The certificate server has been backed up.

Scenario:
One of your colleagues in IT thinks that a student has compromised the public and private key
pairs on the student registration Web server. IT wants to make sure the suspect keys are no
longer used. In cases like this, the University’s CA security guidelines call for revocation of
the compromised certificate and immediate publication of the CRL.

What You Do / How You Do It

1. Revoke the certificate for the Web server.
   a. In Certification Authority, select the Issued Certificates folder.
   b. Right-click the certificate that was issued to Server# Web Server and choose All Tasks→Revoke Certificate.
   c. In the Certificate Revocation dialog box, from the Reason Code drop-down list, select Key Compromise.
   d. Click Yes to revoke the certificate.
   e. Select the Revoked Certificates folder. The certificate you revoked should appear in the folder.

2. When will users know that the certificate is revoked?

3. Suppose an attacker maliciously misuses administrative privileges to revoke certificates. What could you do to reinstate the certificates?

4. Publish the CRL manually.
   a. In Certification Authority, right-click the Revoked Certificates folder and choose All Tasks→Publish.
   b. Click Yes to verify that you want to publish a new CRL.

5. Verify that the CRL is current.
   a. Open the properties for the Revoked Certificates folder.
   b. Click View Current CRL. The Effective Date for the current CRL should be the current date and time. The next automatic update is scheduled on the default weekly update schedule.
   c. Select the Revocation List tab. The certificate you revoked should be in the list.
      The certificate only appears in the CRL on the subordinate CA. It is not known if this is by design, or if it is an anomaly in the Windows 2000 root CA.
   d. Click OK to close the Certificate Revocation List.
   e. Click OK to close the Revoked Certificates property sheet.

ACTIVITY 6-5
Modifying the CRL Publication Interval
Setup:
You have a new installation of a Windows 2000 Server configured as a certificate server. The
computer name is Server# and it is installed in a domain named Domain#, where # is a unique
integer assigned to you by the instructor. The default administrator account has been set up
with a password of !Pass1234.

Scenario:
Your CA is configured with the default publication interval for the CRL. The University’s CA
security guidelines call for daily publication of the CRL. You’re responsible for configuring
your CA in accordance with the guidelines.

What You Do / How You Do It

1. Change the publication interval for the CRL.
   a. In Certification Authority, open the properties of the Revoked Certificates folder.
   b. In the Revoked Certificates Properties dialog box, set the Publication Interval to 1 Days.
   c. Click Apply. The Next Update schedule will change the next time the list is published.
      If you want to see the Next Update schedule value change, publish the CRL manually again.
   d. Click OK to close the property sheet.

TOPIC E
Back Up Certificates and Private Keys
Without certificate keys, public-key security simply cannot function. Due to their necessity,
keys should be safeguarded closely. However, despite the best precautions, keys are
occasionally damaged or lost. You need to have backup procedures for certificates and keys
so that you can restore them when needed.

Back Up Certificates and Private Keys


Procedure Reference: Back Up Certificates and Private Keys
The procedure for backing up a certificate will vary depending upon the type of
certificate and the operating system you are using. To back up user certificates and private
keys in Windows 2000:
1. As the user, create a custom MMC console containing the Certificates snap-in.
2. In the Certificates console, expand Certificates, Current User.
3. Expand the Personal store and select the Certificates folder.
4. Select the certificate with the appropriate intended purpose.
5. Right-click the certificate and choose All Tasks→Export.
6. Complete the appropriate steps in the Export wizard. For maximum security, use a
strong password and export the certificate to a floppy disk. Store the disk in a
secure location.

ACTIVITY 6-6
Backing Up a Certificate and Private Key
Data Files:
• UniversityCASpecs.rtf

Setup:
You will need a floppy disk for this activity.

Scenario:
The University has decided to secure email communications through the use of individual
email certificates for each student and staff member. The security design team has developed
recommendations for the strength of the email certificates. They have also developed
recommendations for maintaining backup copies of the email certificates and their associated
private keys, to guard against loss or compromise of the certificates. As the security
administrator, your job is to support enrollment for email certificates, and to maintain backups
of each issued certificate according to the specifications in UniversityCASpecs.rtf. You will
need an email certificate enrolled and backed up for your own personal Administrator user
account.

What You Do / How You Do It

1. Request a certificate for email protection for the Administrator user.
   a. Open Internet Explorer and connect to http://server#/certsrv, where # is your student number.
   b. Verify that Request A Certificate is selected and click Next.
   c. Select Advanced Request and click Next.
   d. Verify that Submit A Certificate Request To This CA Using A Form is selected and click Next.
   e. Enter administrator as the Name and administrator@domain#.internal as the E-Mail.
   f. From the Intended Purpose drop-down list, select E-Mail Protection Certificate.
   g. In the Key Size text box, enter 1024.
   h. Check Mark Keys As Exportable.
   i. Click Submit.
   j. Click the Home link in the Certificate Pending Web page.

   If your system is unable to download the ActiveX control to create the enrollment form, you will need to install the Certificate Enrollment Control patch from Microsoft Security Bulletin MS02-048 (Knowledge Base article Q323172). You can download the patch from http://support.microsoft.com/default.aspx?scid=kb;en-us;323172.

2. Issue the pending user certificate.
   a. In Certification Authority, select the Pending Requests folder.
   b. Right-click the pending request with a Request Common Name of Administrator and choose All Tasks→Issue.

3. Install the new email certificate for the Administrator user.
   a. In Internet Explorer, select Check On A Pending Certificate and click Next.
   b. With the E-Mail Protection Certificate selected, click Next.
   c. Click Install This Certificate.
   d. Close Internet Explorer.

4. Create a Certificates MMC console for the Administrator user.
   a. Click Start and choose Run.
   b. Enter mmc and click OK.
   c. Choose Console→Add/Remove Snap-in.
   d. Click Add.
   e. Select Certificates and click Add.
   f. Verify that My User Account is selected and click Finish.
   g. Click Close, and then click OK.
   h. Choose Console→Save As.
   i. Save the console as Certificates.msc in the default storage location.

5. Export the certificate and its private key to a floppy disk.
   a. Insert a floppy disk in the disk drive.
   b. In the Certificates console, expand Certificates—Current User. Expand the Personal store and select the Certificates folder.
   c. Select the certificate with an intended purpose of Secure Email. (Scroll to the right to see the Intended Purposes column.)
   d. Right-click the certificate and choose All Tasks→Export.
   e. In the Certificate Export Wizard, click Next.
   f. Verify that Yes, Export The Private Key is selected and click Next.
   g. Click Next to accept the default file format and strong protection.
   h. Enter and confirm !Pass1234 as the password. Click Next.
   i. Enter A:\mailcert as the file name. Click Next.
   j. Click Finish.
   k. Click OK to close the message box.
   l. Remove the floppy disk from the drive.

   You should store the backup media in a secure location.

TOPIC F
Restore Certificates and Private Keys
In Topic 6E, you learned to create backups of certificates and private keys. That way, if there
is a problem with a certificate or private key, you can recover them from the backup. In this
topic, you’ll learn how to restore certificates and private keys.
Certificates and private keys can get lost or destroyed, and when they do, you lose access to
the data they protected. For example, if a user loses the smart card containing a certificate, the
user won’t be able to log on to your network and do work. This might not happen very often,
but when it does, restoring the certificate from the backup is the way to get your security
structure back in place quickly and easily.

Private Key Replacement


When a private key is lost, most people think the most important thing to do is to recover the
encrypted data. However, this is just the first step in a larger process that has serious
consequences for security. Once the data is recovered, there is still the issue of what to do
about the possible security risk caused by a lost private key. These steps allow you to recover
the data and ensure the continued security of your CA:
1. Recover the private key.
2. Decrypt any encrypted data.
3. Destroy the original private key.
4. Obtain a new key pair.
5. Re-encrypt the data.

Private Key Restoration


You know the process to replace a lost private key, but it’s the lost data that is the highest
priority. A private key can become unavailable for several reasons including: an individual
forgets the password to access the key, they leave the company voluntarily or involuntarily, or
they lose the key. To recover the data, you must first restore the private key. It is important to
have a plan to recover this data and minimize the impact of the lost or compromised key
before it happens.
There are two primary methods for restoring a lost private key:
• Key escrow—The decryption key is split into several parts and the parts are distributed to
escrow agents or trustees. The trustees can then use the parts to reconstruct the lost key or
decrypt the information directly.
• Restore from backup—A backup is made of the private key on a floppy disk or other type
of removable media. The private key can then be restored from the backup location.

M of N Control
Regardless of which recovery method you use, there are only a certain number of
agents or trustees that have the authority to recover a key. To determine how many
agents are required, the M of N Scheme is commonly used. The M of N Scheme is a
mathematical control that takes into account the total number of key recovery agents
along with the number of agents required to perform a key recovery.

For more information about M of N, see the RSA Web site at
www.rsasecurity.com/rsalabs/faq/2-1-9.html and related links.
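The key escrow method and the M of N control described above, carried through in code as an added example (this is not the manual's code and not a particular vendor's implementation): it uses Shamir's threshold secret sharing, the usual construction for splitting a key among N trustees so that any M of them, and no fewer, can reconstruct it. The function names, the 256-bit sample key and the 3-of-5 scenario are constructed for the illustration.

```python
import secrets

# All arithmetic is done in the prime field GF(PRIME). 2**521 - 1 is a
# Mersenne prime, so any secret below it (a 256-bit key, for instance) fits.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... (mod PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(secret, m, n):
    """Split secret into n shares (x, y); any m of them reconstruct it.

    The secret is the constant term of a random polynomial of degree m-1;
    share i is that polynomial evaluated at x = i. With fewer than m shares
    the constant term is equally likely to be any field element, so the
    trustees below the quorum learn nothing about the key.
    """
    if not 0 < m <= n:
        raise ValueError("need 0 < m <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be smaller than PRIME")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_key(shares):
    """Lagrange interpolation at x = 0 over the shares the trustees supply."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("two trustees supplied the same share")
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # den**-1 mod PRIME by Fermat's little theorem (PRIME is prime).
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


def escrow_demo(m=3, n=5):
    """Constructed scenario: a 256-bit key escrowed with n trustees, any
    m of whom form the recovery quorum."""
    key = secrets.randbits(256)      # stand-in for the key being escrowed
    shares = split_key(key, m, n)    # one share per trustee, handed out separately
    quorum = shares[n - m:]          # any m trustees; here the last m
    return {
        "key": key,
        "recovered_by_quorum": recover_key(quorum),
        "recovered_below_quorum": recover_key(shares[:m - 1]),
    }
```

Each trustee keeps only their own (x, y) pair, and reconstruction should happen on a trusted machine after which the key is re-split if a trustee leaves; `recovered_below_quorum` shows that M-1 shares interpolate to an unrelated value rather than a partial key. In practice the value that is split is often a key-encryption key protecting the archived private key rather than the private key itself, which keeps the escrow record short and lets the same shares cover many archived keys.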

Restore Certificates and Private Keys


Procedure Reference: Restore a Certificate and Private Key
Certificate and key restoration procedures will vary depending upon the type of
certificate you need to restore and the software you are using. To restore a user’s certificate
and private key in Windows 2000:
1. Open a Certificates MMC console for the affected user account.
2. Open the Personal store, right-click the Certificates folder, and choose All Tasks→Import.
3. Specify the location of the backup certificate, and provide a password if
prompted. If you want to be able to create a new backup of the private key, select
Mark The Private Key As Exportable.

ACTIVITY 6-7
Restoring a Certificate and Private Key
Setup:
There is a backup copy of the Administrator user’s email certificate and private key on a
floppy disk. There is a Certificates MMC console for the Administrator user.

Scenario:
A staff member’s email certificate and private keys have become corrupted. Fortunately, you
have followed the procedures in your security policy document and maintain backup copies of
all user certificates and private keys. You can use these backups to correct the user’s problem.

What You Do / How You Do It

1. Delete the Administrator user’s email certificate.
   a. In the Certificates MMC console, right-click the Secure E-mail certificate and choose Delete.
   b. Click Yes to confirm the deletion.

2. Restore the certificate and private key from the backup.
   a. Insert the floppy disk containing the backup copy of the Administrator’s email certificate in the floppy disk drive.
   b. In the Certificates console, in the Personal store, right-click the Certificates folder and choose All Tasks→Import.
   c. Click Next.
   d. Enter A:\Mailcert.pfx as the File Name. Click Next.
   e. Enter !Pass1234 as the password.
   f. Check Mark The Private Key As Exportable. Click Next.
   g. Click Next to place the certificate in the Personal Store.
   h. Click Finish.
   i. Click OK in the message box. The restored certificate should appear in the Certificates folder in the Personal store.
   j. Close Certificates. There is no need to save console settings.

Lesson 6 Follow-up
In this lesson, you learned what is involved in the day-to-day management of certificates.
Regardless of how simple or complex your certificate hierarchy is, you will still need to do
different tasks such as issue, revoke, renew, and eventually expire certificates. Each of these
tasks plays an equally important role in managing certificates.
1. What types of certificate management functions have you performed?

2. Which function of digital certificate management do you find the most common? What
function is the most complex?

LESSON 7
Enforcing Organizational Security Policy

Lesson Time: 2 hour(s), 30 minutes

Lesson Objectives:
In this lesson, you will enforce an organizational security policy.
You will:
• Enforce corporate security policy compliance.
• Enforce legal compliance.
• Enforce physical security compliance.
• Educate users.

Lesson 7: Enforcing Organizational Security Policy 251


Introduction
In the first six lessons of this course, you implemented your security infrastructure, completing
the first phase in the network security process. In the next two lessons, you’ll embark on the
second phase: maintaining and monitoring the security infrastructure. In this lesson, you’ll
perform the tasks that are necessary to maintain compliance with your organization’s security
requirements.
There were a lot of tasks related to setting up network security, from hardening an operating
system to managing a PKI infrastructure. It might seem as if setting up network security is the
most important phase in the security process, but that’s not true. The most important phase,
and the phase you should be spending the most time and energy on, is the “watchdog” phase,
where you maintain your infrastructure and monitor the network for holes and attacks.
Remember, once the walls to the fort are up, your job’s not done. On your network, you’re not
just watching for attacks; you’re also watching to make sure ordinary wear and tear doesn’t
weaken your security structure. This lesson will give you the skills you need to make sure
your network security structure stays strong and intact.

TOPIC A
Enforce Corporate Security Policy Compliance
In the first several lessons of this course, you learned the skills you need to configure security
according to the requirements of your organization. After the initial configuration, you will
need to make sure that the configuration is maintained appropriately over time. In this topic,
you’ll learn to enforce compliance with your own organization’s security policy.
It’s not enough to have a security policy documented, or even to take the initial steps to
configure your systems to match the policy. Unless you have a way to ensure that you conform
to the policy on an ongoing basis, cracks are going to appear in your security infrastructure,
and attackers will be out there waiting to pry open those cracks and jump through onto your
network. To maintain a safe and secure environment, take the time to verify that you are
always in compliance with the security needs of your own organization.

Enforce Corporate Security Policy Compliance


Enforcing corporate security policy compliance is not an easy task. It requires the cooperation
and understanding of many individuals throughout the organization. However, if you follow
some basic guidelines, you can help ensure that you are keeping your company’s sensitive data
and resources safe.

Guidelines
To enforce corporate security policy compliance:
• Read all applicable policy documents thoroughly so that you understand the
standards and guidelines that pertain to your organization.
• Monitor security-related activities in your organization.
• Take appropriate actions to correct the situation when a security policy is broken.

Example:
You discover that some users in your organization are using four-character passwords.
Short passwords like this are very vulnerable to a dictionary-based or brute-force
password attack. Your corporate security policy states that all passwords should be at least
eight characters. You decide to implement a policy setting on your Windows domain
that requires a minimum password length of eight characters. Users will now be
required to bring their passwords in line with the corporate standard.

ACTIVITY 7-1
Enforcing a Security Policy for an Organization
Data Files:
• NationalBankAcceptableUsePolicy.rtf

Scenario:
You are the security administrator for National Bank. A help desk employee, Randy Williams,
has given you a report of information gathered at the help desk. He thinks that there are some
possible security issues. He asks you to determine whether or not they are within the guidelines
of your Acceptable Use security policy. You will not be responsible for terminating users, but it
is your responsibility to enforce the policy and make sure the appropriate changes are made
based on possible breaches. You will then report back to Randy with your findings.
Using the \\Server100\SPlus\Student\NationalBankAcceptableUsePolicy.rtf policy document,
determine which of the following scenarios are within the guidelines of the organization’s
policy. If not, what steps would you take to enforce the security policy?

What You Do / How You Do It

1. A user, Curt, decides to practice his skills with Network Monitor, a tool that he just learned to use in a Microsoft SMS class.

   Is this permissible? Why or why not?

2. What action, if any, should you take?

3. A user, Nancy, has been changing her password quarterly.

   Is this permissible? Why or why not?

4. What action, if any, should you take?

5. Tina gets an email from a relative stating that a malicious virus has been circulating on the Internet. The email asks the user to forward the information immediately so others are not infected. She sends it to the AllUsers distribution list.

   Is this permissible? Why or why not?

6. What action, if any, should you take?

7. Cathy’s screensaver kicks in every 30 minutes. It requires a password to unlock.

   Is this permissible? Why or why not?

8. What action, if any, should you take?

TOPIC B
Enforce Legal Compliance
In Topic 7A, you learned to enforce security policies that are designed to meet the internal
needs of your organization. But, as a security professional, you might have responsibility for
meeting the security needs of outside legal authorities as well. In this topic, you’ll enforce
compliance with any security requirements that your company might legally be required to
meet.
Legal security compliance requirements can affect your company in a variety of situations. You
might work for a company in a publicly-regulated industry such as the nuclear power industry.
Your company might have business partnerships with or provide services or products to any
one of a number of government agencies. You also have responsibilities to your local
municipality for safety and security. As a security professional, you’ll need to be able to
demonstrate that your company is in compliance with any or all of these entities’ security
requirements.

Legal Security Compliance Requirements
The legal security requirements of an organization may not necessarily be neatly defined in
one individual security policy. Legal requirements affecting information security may be part of
non-security related policies such as an organization’s code of ethics. Legal security is a gray
area that is constantly changing. For these reasons, it is essential that security professionals
work closely with the legal counsel of their organization to limit liability for the organization
and protect the assets. Information security professionals, government agencies, and
higher-learning educators are working together to find common ground to deal with the
consequences of the laws in different countries and industries. However, at this time there are
no set standards or guidelines to follow. Each incident is totally unique and is treated as such.
Legal issues involve three distinct areas of concern for the organization: the employees, the
customers, and the business partners. Table 7-1 lists some of the considerations for each of
these areas.

For more information on standards and regulations, including various international standards, visit
http://securityresponse.symantec.com/avcenter/security/Content/security.articles/corp.security.policy.html.

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is important federal legislation that
impacts security professionals in the United States. This legislation provides standards for maintaining
individuals’ health records and guidelines for enforcing those standards. It also guarantees the security and
privacy of health information. Any security professional working with health care or a related industry in the
United States must be aware of this law.

Table 7-1: Legal Issues That Affect Corporate Security

Legal Requirement: Employees
Considerations:
• Who is liable for misuse of email and Internet resources? The organization, the employee, or both?
• What is the extent of liability for an organization for criminal acts committed by its employees?
• What rights to privacy do employees have regarding electronic communications?

Legal Requirement: Customers
Considerations:
• What customer data is considered private and what is considered public?
• How will a company protect the privacy and confidentiality of customer information?

Legal Requirement: Business Partners
Considerations:
• Who is liable if the data resides in one location (country) and the processing takes place in another location?
• Who is responsible for the security and privacy of the information transmitted between an organization and a business partner? The sender or the receiver?

In the legal realm, the critical issues for security professionals are:
• Evidence collection—Following the correct procedure for collecting evidence from floppy
disks, hard drives, smart cards, and other media. As in any other case, evidence that is
improperly collected may not be admissible in court.
• Evidence preservation—Criminal cases can take years to resolve and the evidence needs
to be properly preserved for a lengthy period of time.

• Chain of custody—A complete inventory of evidence that shows who has handled specific
items and where they have been stored is essential. This document must be kept secure at
all times to prevent tampering.
• Jurisdiction—Determining exactly who has the right to investigate and prosecute an
information technology criminal case can be extremely difficult due to overlapping laws for
copyright, computer fraud, and mail tampering. In addition, each country has its own laws
and these laws may vary depending on what part of the country is involved.
It is imperative that security professionals work closely with law enforcement from the very
beginning when a security incident occurs. It takes the coordinated effort of security
professionals, local and international law enforcement, and the court systems to successfully
prosecute technology crimes. The best place to start is to consult with your organization’s legal
counsel before an incident occurs.

Requirements of Regulated Industries


In addition to the various local, state, federal, and international legal considerations,
some organizations may have additional requirements posed by regulated industries
such as utility companies, hazardous material manufacturers, and medical professions.
The requirements can vary widely depending on the industry involved and are specific
for each organization.

Enforce Legal Compliance


Enforcing compliance with legal security requirements that affect your organization can be a
complex matter. However, if you enforce legal security compliance effectively, you will protect
your company against potentially devastating legal and financial consequences as well as
enhancing your overall security.

Guidelines
To verify that your organization is in compliance with the legal requirements of
government and regulated industries:
• Read all relevant policy documents that your organization maintains.
• Work with your organization’s legal counsel to stay current with all governmental
actions that affect security requirements for your industry, and update your
internal policies accordingly.
• Request periodic reviews of your internal policy documents from legal counsel.
• Monitor your organization for compliance with all relevant regulations.
• Take appropriate actions if you determine that your organization is not in
compliance.

Example:
You are a security administrator for a nuclear power plant, which is subject to
regulation by the Nuclear Regulatory Commission (NRC). To keep yourself abreast of new
NRC regulations, you visit the NRC’s RuleForum Web site (http://ruleforum.llnl.gov/) on a
weekly basis. When new rules are proposed, you work with your legal team to determine if
your existing policies and procedures would be in compliance with the new rules. If not, you
draft an action plan for modifying your policies and procedures and implement the plan once
the final rule is adopted.

ACTIVITY 7-2
Enforcing Legal Compliance for an Organization
Data Files:
• NationalBankAcceptableUsePolicy.rtf

Scenario:
As the security administrator for National Bank, you have been assigned the task of
determining when appropriate legal action should be taken based on the bank’s Acceptable Use
policy. Use the Acceptable Use policy document to determine if your security policy calls for
legal action in any of the following situations.

What You Do / How You Do It

1. A user opens an attachment which causes a virus to spread within the organization.

2. A user emails a copy of a new type of encryption software program to a user in a foreign country for testing.

3. A user scans your network for open ports.

4. A user forwards an email which appears to be a “Ponzi” or “Pyramid” scheme.

5. Two employees have an argument at lunchtime. During the afternoon, one user sends a threatening email to the other. The second employee is afraid to leave the building unescorted that evening.

Lesson 7: Enforcing Organizational Security Policy 257


LESSON 7
TOPIC C
Enforce Physical Security Compliance
You now have the skills to verify your company’s compliance with internal and external security policies on an ongoing basis. There’s one more piece to maintaining a complete security infrastructure, and that is to make sure that the physical components of your company’s security plan are in place. In this topic, you’ll learn to enforce compliance with policies for physically securing information assets.
Your Windows 2000 Server runs one of your company’s most sensitive databases. You’ve spent hours removing services, tightening ACLs, authenticating connections, and filtering traffic to and from the server. You are convinced that nobody can connect to this computer or its sensitive data unless they are supposed to get in. Wouldn’t it be too bad if the last employee in the building on Friday forgot to lock the server room door, and an attacker posing as a maintenance worker walked in, opened the computer case, and stole the hard disk? What will you do if a disaster strikes? If you don’t want this to really happen to you, don’t neglect the physical security enforcement procedures in this topic.

Physical Resource Vulnerabilities


A physical security policy may be a part of your corporate security policy, it may be a separate policy, or it may be a combination of both. Because of the surge in social engineering attacks, physical security has tremendous implications for information technology security. All the firewalls and anti-hacking software in the world won’t matter if physical security is breached. Therefore, it is critical that the IT security team works together with building security and local service providers to be sure there are no physical “holes” for an attacker to exploit. It is also imperative that you are able to recover in the case of a disaster. Your organization should create a Business Continuity Plan (BCP) so that the organization can continue to operate when a crisis has occurred. You should also create a Disaster Recovery Plan (DRP) so that the organization has procedures in place for protecting personnel, physical assets, and information resources during a natural or man-made disaster. The safety of your personnel should always be your first concern in any disaster situation, regardless of the implications for physical and information security.
There are numerous physical vulnerabilities in any organization, including the buildings, devices (such as computers), cell phones, PDAs, and the communication links that connect all of the components. Part of an effective physical security policy is a plan to ensure business continuity in the event of a major disaster. It does not matter if a disaster is the result of a man-made event (such as a phone cable being accidentally cut by construction equipment) or the result of a natural disaster (like an electrical storm). Best practices require that an organization have a BCP in place to prepare for a significant interruption in day-to-day activities without seriously affecting the business activities.

Table 7-2: Physical Resource Vulnerabilities

Physical Resource: Building(s)
Vulnerability Considerations:
• Location—Is the building located in a high-crime area, or in a relatively remote location that would be hard to access in the event of a natural disaster?
• Fire suppression—Is the building adequately covered by a fire-suppression system? Are critical systems and server rooms equipped with special fire protection methods that won’t compromise data?
• Shielding—Is the building protected from electrical surges and other interference from the outside?

Physical Resource: Devices
Vulnerability Considerations:
• Servers—Are all the servers in one location? If someone gains access to a server room, does she have access to every server in the company?
• Laptops/PDAs—These items are easily misplaced or stolen and often contain highly sensitive information.
• Cell phones—Confidential conversations about proprietary company information should be held on land lines and not over wireless channels that do not use encryption. You also may want to disallow the use of wireless devices altogether.

Physical Resource: Communications
Vulnerability Considerations:
• Phone company cables, transformers, and switches can be intentionally or unintentionally damaged or tapped.
• Third-party ISPs and other service providers may have security holes that your organization has no control over.
• Wireless technology is quickly becoming a popular means of communicating. Protecting your wireless cells from outside intruders is critical.

ACTIVITY 7-3
Investigating Business Continuity and Disaster Recovery Plans
Scenario:
As security administrator for your company, Riordan Software Systems, you’ve been asked to join a committee of high-level managers to develop a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP). Before the committee’s first meeting, you decide to do some research on the Internet.

What You Do How You Do It

1. Search the Internet for information on BCPs and DRPs.
   a. Open Internet Explorer and go to your favorite search engine.
   b. Search for information on Business Continuity Plans and Disaster Recovery Plans.
   c. Examine the information you find.

2. A __________ is a policy that defines how normal day-to-day business will be maintained in the event of a major systems failure.

3. In your own words, how is a BCP different than a DRP?

4. Why is it important to create a BCP?

5. Why is it important to create a DRP?

6. What tools are available to help you create a BCP and DRP?

7. In your opinion, which of the tools you’ve found in your research would be most helpful to you in creating a BCP or DRP? Why?

8. You’ll probably see in your research that risk assessment is an important part of creating a BCP. Why is that?

9. In your opinion, of buildings, devices, and communications, which do you think is generally most vulnerable to attack? Which do you think would be most difficult to recover?

10. Close your browser window when you’re done.
    a. Click the Close button to close your browser window.

Enforce Physical Security Compliance
Procedure Reference: Enforce Physical Security Compliance
Although it seems that enforcing physical security compliance would be a simple task
compared to other areas of the security policy, it is actually a little more complicated
than it first appears. Physical compliance is generally something you can see, but it
requires the cooperation of both security professionals and end users to be effective. To
enforce physical security:
1. Read the physical security policy document thoroughly so you can enforce its
rules, which may include provisions for the following:
• Secured facilities, with adequate protection against fire and electrical
interference.
• Secured devices, including servers, desktops, laptops, and PDAs.
• Secured land-line communications, including physical phone lines and communications through your telephone service provider and your ISP.
• Secured wireless communications, including restricted cell phone use.
2. Implement a backup policy that includes offsite backups of critical components,
including servers and data on desktop or laptop computers, in case of a physical
attack or natural disaster.
3. Implement a Business Continuity Plan (BCP). For example, implement redundant solutions, such as mirrored servers in remote locations or redundant links, in case of physical attacks or natural disasters. A BCP might also contain a plan to implement an alternate site, depending on the nature of your business.
4. Implement a Disaster Recovery Plan (DRP). For example, identify how you will protect your employees as well as your computing resources in the case of a dangerous event such as a fire. A DRP should also include a plan for securely recovering your systems.
5. Test your physical security by implementing planned physical breaches.

Usually security personnel are notified that you will be testing. This is critical in high security
sites such as military installations, nuclear plants, and other environments where firearms are
used. Consult the legal team within the organization before testing physical security breaches.

6. Take the appropriate actions when a physical security policy procedure is broken.

Alternate Sites
Depending on the nature of your business, you might need to implement alternate sites
to ensure that an attack doesn’t cause any disruption in your operations. Alternate sites
are in different geographic regions and are used to continue your business in the event
of a failure at your primary physical location. Alternate sites are generally one of three
types, as described in Table 7-3. Which site you implement depends on the needs of
your organization.

Table 7-3: Types of Alternate Sites

Type of Alternate Site / Description
• Hot: This type of alternate site is in constant contact with your primary site. It has the resources and infrastructure—including computers, software, network and Internet connections, electricity, and security—necessary to immediately continue operations after a failure at your primary site, almost eliminating any downtime.
• Warm: A warm site is in periodic contact with the primary site, and has most of the resources necessary to continue operations. However, it will take longer to switch operations to this site.
• Cold: This site will take longest to switch to in the event of a failure at the primary site. This type of site may be little more than a secure physical location without the computer, software, and networking resources necessary to avoid what could be days of downtime.

Secure Recovery
When creating a DRP, it’s important to include provisions for securely recovering data,
systems, and other sensitive resources. The DRP should include steps necessary to
secure not only physical resources, such as computers, the network infrastructure, and
any physical backup media, but steps to secure the recovery process itself. This might
mean designating a trusted administrator to administer the DRP and any steps taken to
restore systems or processes necessary to recover from disaster and continue operations
either at the primary site or an alternate site.

ACTIVITY 7-4
Implementing a Physical Security Policy for an Organization
Data Files:
• UKSecurityPolicy.rtf

Scenario:
As the security administrator for your organization located in London, you have been assigned the task of implementing a security policy. You are basing your policy, UKSecurityPolicy.rtf, on the sample template available from www.ruskwig.com/security_policies.htm. Currently, the top priority at your organization is physical security, as someone recently broke into company headquarters and stole hardware and data. You need to protect over £100,000 worth of new equipment that is now centrally stored in your computing center. At the minimum, you will be implementing the following security measures in the computing center:
1. Locks will be placed on computer room doors.
2. Blinds will be installed on windows.
3. No computers will be placed by windows.

4. Locks will be placed on windows.
5. Motion-detection and perimeter intruder alarms will be installed.
6. All contractors will be escorted in and out of the facility.
Your task is to determine which other security recommendations in the UKSecurityPolicy.rtf
document your organization should adopt, and to enforce the policy once it is finalized. Use
the security policy to determine appropriate answers to the following questions:

What You Do How You Do It

1. Which security level does your organization fall under? Why?

2. Besides using blinds and locks on the windows, what else could you recommend using
to secure the windows from unauthorized access?

3. Once the motion-detection alarms are installed, what procedure will you need to follow to verify they are working properly?

4. Given the security requirements of this company and the category of risk the computing center falls into, what other physical security recommendations could you make, based on this document?

TOPIC D
Educate Users
In the first three topics, you acquired the skills you need to keep your security infrastructure healthy. But security is the responsibility of all the individuals in the organization, not just the professional security team. In this topic, you’ll learn how to give users the information they need to follow appropriate security practices in their day-to-day work.
An attacker calls Mary, poses as a network administrator, and hangs up after a brief conversation, knowing Mary’s user ID and password. John leaves his laptop on his desk, unlocked, over the weekend, and it is stolen by a member of the cleaning crew. Tina always logs into her computer as Administrator with a blank password because it’s easier. It’s clear that none of these users are following good security practices, and, if nobody told them how to do things any better, it’s not necessarily their fault. How can you prevent this scenario? It is your responsibility to educate or coach your users about their individual security responsibilities. An educated user will make far fewer calls to support technicians for help with simple how-to questions and prevent security breaches.

The Employee Education Process


Most employees know that the security policy is put in place for a reason, but they may not fully understand exactly why strict compliance is so important. It is up to security professionals to educate employees and encourage their compliance. When employees are partners with the security team, they are much more likely to respond positively to the security needs of an organization. A security professional can create this attitude of teamwork by performing the steps shown in Table 7-4.

Table 7-4: The Employee Security Education Process

Step / Explanation
• Awareness: Education begins with awareness. An employee can’t be responsible for what they don’t know. The partnership between an employee and a security professional begins when the security professional creates an awareness of the potential threats to corporate security. Employees also need to be aware of the role they play to protect those assets and resources. A security professional can create awareness through seminars, email, or information on a company intranet.
• Communication: Once employees are aware of security issues and the role they play in protecting the organization’s assets, the lines of communication are open. It is important that the lines of communication stay open. Security professionals can accomplish this by encouraging employees to ask questions and provide feedback on security issues.
• Education: Finally, employees should be educated from the moment they walk through the door for the first time. Security starts the second they become an employee and have access to the physical building and resources, as well as the intellectual property inside. Newly hired employees should be trained as soon as possible in correct security procedures. Education should continue as the technology changes and new information becomes available. Education takes many forms, from training sessions to online courses employees can take at work. Educated users are one of your best defenses against social engineering attacks.

End User Responsibility for Security


Employee responsibility is one of the most easily overlooked aspects of an organization’s security policy. However, employees can be your biggest ally in protecting the organization’s assets. Unfortunately, many employees view their responsibilities for corporate security policy as unimportant compared to their day-to-day workload. The fact is, security is every employee’s responsibility, and it is more commonly breached at the employee level than anywhere else in an organization. As easy as it would be for security professionals to overlook this aspect of the security structure, it would be dangerous. Attackers need to gain access and rights to mount an attack. The easiest way for them to accomplish this is through employees. Examples of employees’ security responsibilities are shown in Table 7-5.

Table 7-5: Employee Security Responsibilities

Security Requirement: Access to resources
Examples of Employee Responsibilities:
• Physical—Employees should not allow anyone in the building without an ID badge. Employees should not allow other individuals to “piggyback” on a single ID badge.
• Systems—Proper use of user IDs and passwords. This information should never be shared or written down where it is accessible to others.
• Devices—Properly storing laptops, cell phones, and PDAs when not in use.

Security Requirement: Confidentiality of information
Examples of Employee Responsibilities:
• Physical—Access within the building should be restricted to only those areas an employee needs to access for job purposes. Hard copies of files should be locked away at all times.
• Systems—All confidential files should be saved to an appropriate location on the network and not on a hard drive or floppy disk.
• Devices—Employees must use correct procedures to log off all systems and shut down computers when not in use. Wireless communication devices must be approved by the IT department and installed properly. Laptops and PDAs must be kept in a locked cabinet or drawer when not in use.

Educate Users
When you educate your users, you give them the ability to participate in the process of ensuring the security of the organization. Because many attacks involve the unwitting participation of unsuspecting users, educating users to raise their level of awareness of proper security procedures can greatly increase the overall security of your organization.

Guidelines
To educate your users on security practices:
• Train new users on how to use their computers, applications, and organizational security policies. Focus on potential security problems throughout the training.
• Post all policies so that they are easily available to all users.
• Notify users when changes are made to policies. Educate them on the new
changes.
• Periodically test user skills after training to verify they are implementing proper
security. For example, you can use planned social engineering attacks.
• Post information such as a link to http://hoaxbusters.ciac.org/ on the company
Web site to assist users in determining whether or not emails are hoaxes.

Example:
In new-hire orientation, all new employees at your organization are briefed on the
security standards of your company and connect to the company’s internal Web site,
which contains links to all the company’s security policy documents. After training,
you email the address of the Web site to all new employees. One new Accounting
department employee has difficulty creating an acceptable password for the accounts
payable database system; she visits the Web site, opens the password policy document
stored there, and successfully creates a strong password in accordance with corporate
guidelines.

ACTIVITY 7-5
Educating Users
Scenario:
As the security administrator for a nuclear power plant, one of your responsibilities is coordinating the employee security education program. The plant has recently experienced several security incidents involving improper user behavior. IT staff and plant management have come to you for recommendations on how to implement proper employee training procedures to prevent similar problems in the future.

What You Do How You Do It

1. A virus has spread throughout your organization, causing expensive system downtime and corruption of data. Once you have dealt with the immediate crisis, you review network logs to try to determine the source of the virus. It soon becomes apparent that it was sent to many users as an email attachment. The original email presented itself as a marketing survey and stated that if the user double-clicked the attachment, a tracking message would be sent to Microsoft. The user would receive $10 from PayPal as a thank you. The email also suggested forwarding the attachment to friends and family. You quickly determine that this is a well-known email hoax that had already been posted on several hoax-related Web sites.

Most of the users in your organization received the email from the same individual inside
the company. When questioned, this employee said that he thought it sounded as if it
could be legitimate, and he couldn’t see any harm in “just trying it.”

How could better user education have helped this situation?

2. What education steps do you recommend taking in response to this incident?

3. You come in on a Monday morning to find laptops have been stolen from several employees’ desks over the weekend. After reviewing videotapes from the security cameras, you find that as an employee exited the building through the secure rear door on Friday night, she held the door open to admit another individual. You suspect this individual was the thief. When you question the employee, she states that the individual told her that he was a new employee who had not yet received his employee badge, that he only needed to be in the building for a few minutes, and that it would save him some time if she could let him in the back door rather than having to walk around to the receptionist entrance. Your security policy states that no one without identification should be admitted through the security doors at any time, but the employee says she was unaware of this policy. You ask her to locate the security policy documents on the network, and she is unable to do so.

How could better user education have helped this situation?

4. What education steps do you recommend taking in response to this incident?

5. One of your competitors has somehow obtained confidential data about your organization. There have been no obvious security breaches or physical break-ins, and you are puzzled as to the source of the leak. You begin to ask questions about any suspicious or unusual employee activity, and you begin to hear stories about a sales representative from out of town who didn’t have a desk in the office and was sitting down in open cubes and plugging her laptop into the corporate network. You suspect that the sales representative was really an industrial spy for your competitor. When you ask other employees why they didn’t ask the sales representative for identification or report the incident to security, the other employees said that, given their understanding of company policies, they didn’t see anything unusual or problematic in the situation. You review your security policy documents and, in fact, none of them refer to a situation like this one.

How could better user education have helped this situation?

6. What education steps do you recommend taking in response to this incident?

Lesson 7 Follow-up
In this lesson, you performed routine tasks that ensure your organization stays in compliance with the organization’s security policy. Although this is not nearly as exciting as chasing attackers or managing a PKI, it is even more essential to the health of your security structure. All the effort you put into identifying potential security threats and securing the individual systems will not protect your company’s sensitive data if the security policy is not adhered to. When there is a security breach, it is the administrators who ensure policy compliance who are held responsible. The policy is developed to protect company assets, and it is up to the security professionals to be sure the policy is followed.
1. What are some corporate policies that you are familiar with?

2. Have you ever witnessed a policy being broken? What was the result?


LESSON 8
Monitoring the Security Infrastructure

Lesson Time: 6 hour(s), 30 minutes

Lesson Objectives:
In this lesson, you will monitor the security infrastructure.
You will:
• Run vulnerability scans.
• Monitor for intruders.
• Set up a honeypot.
• Respond to security incidents.

Introduction
This lesson deals with the task that takes up the bulk of the security process: watching and waiting for something bad that you hope never happens. It’s not an exciting job; it’s not a job that’s ever finished; it’s not a job that people are going to pat you on the back for every day at work. However, it might be the most important job you can do as a security professional, because the sooner you can detect traces of unauthorized activity on your network, the sooner you can stamp them out, and the better the chance you have of preventing any network damage or data loss.

TOPIC A
Scan for Vulnerabilities
Monitoring your security infrastructure is an ongoing job responsibility for a security
professional. You will need to perform a variety of tasks on a regular basis to ensure that your
security is not breached. One of these regular tasks is to periodically review your system vulnerabilities, so that you can detect them before attackers do. In this topic, you will scan for vulnerabilities on your system.
Many times, one of the first steps an attacker takes to break into a system is to scan the system for vulnerabilities. It is critical to discover where the possible points of entry are on your network and systems. Even if you have taken every precaution to harden your network components and services, there will still be vulnerabilities that you may not be aware of, but that you can be sure attackers will find. The best way to find these vulnerabilities is to perform a scan yourself and patch the holes before the attackers find them.

The Hacking Process


The hacking process typically pertains to individuals trying to get into your network from the outside. You should be aware that individuals with potentially harmful intentions can be inside the network as well.

While it’s probably true that no two network attacks are the same or are carried out in the
same manner, generally speaking there is a process that most experienced attackers employ
when they carry out an attack. The more you know about this process the better you’ll be able
to recognize it in its early stages and put an end to it before it takes down your servers or
compromises your data.

Figure 8-1: The hacking process.

Keep in mind that in some attacks the attacker doesn’t necessarily need to complete all four steps.

The process an attacker uses generally contains these four steps:


1. Footprinting. In this step, sometimes called profiling, the attacker chooses a target and begins to gather information. You might be surprised at the amount of information that’s readily, publicly available about most organizations. Just by using tools such as a Web browser and an Internet connection, an attacker can determine the IP addresses of a company’s DNS server; the range of addresses assigned to the company; names, email addresses, and phone numbers of contacts within the company; and the company’s physical address. A visit to the company’s dumpster might reveal some other sensitive information that the attacker can use to figure out how to proceed with the attack. Also, with the names and titles of people within the organization, the attacker can begin the process of social engineering to gain even more private information. Hidden within the HTML code of a company’s Web page might be other useful information, such as IP addresses and names of Web servers, operating system versions, file paths, and names of developers or administrators. DNS servers are also a favorite target during this step because, if not properly secured, they can provide a detailed map of an organization’s entire network infrastructure.
2. Scanning. The second step is scanning an organization’s infrastructure to see where vulnerabilities might lie. In this step, the attacker will scan the target’s border routers, firewalls, Web servers, and other systems that are directly connected to the Internet to see which services are listening on which ports and to determine the operating systems and manufacturers of each system. Additionally, the attacker might begin a wardialing campaign to determine if there are any vulnerabilities in the organization’s PBX. The attacker might even drive up to the company with a laptop and a wireless card to see if there are any wireless access points to provide a way into the network (wardriving).
3. Enumerating. After determining network vulnerabilities and software exploits, the attacker will try to gain access to resources or other information. The attacker can obtain these through social engineering, network sniffing, dumpster diving, watching a user log in, hacking tools like Legion, or searching for Post-It notes stuck to monitors or keyboards as friendly reminders of which credentials to use on which system. If the attacker can obtain at least a valid user name, he can begin the process of cracking the user’s password through either a brute force attack or by cracking the hashed password that’s stored in a user accounts database file.
4. Attacking. Finally, once the attacker has a clear picture of an organization’s network infrastructure, a list of possible vulnerabilities and exploits, and valid user names and passwords, all that’s left is the actual attack.
You might never even know an attacker has accessed your network, especially if it’s an experienced attacker. The longer an attacker has access to your network, the more damage he can do. So it’s important to understand the preliminary stages of an attack and stop the attacker before he reaches the final step.

Vulnerability Scanning Tools


Once an attacker has made a footprint of your organization, the next step in hacking a system is to scan your network for vulnerabilities. An attacker is looking for IP addresses that can be accessed via the Internet as well as the operating system, system architecture, and services running on the device associated with an IP address. The best way to prevent this is to run vulnerability scans on a regular basis. This can be done periodically by the security administrators, but the most effective way is to perform an ethical hack. An ethical hack occurs when someone hacks into a system in a planned, authorized way and reports the results back to the organization. This method emulates what a real attacker might do and can be very effective at finding security holes.
Whether the scan is performed by security personnel or an attacker, the tools are the same. There are two basic types of vulnerability scanners—general vulnerability scanners and application-specific vulnerability scanners. General vulnerability scanners examine multiple platforms and network configurations for generic vulnerabilities. Application-specific scanners look for vulnerabilities specifically in Internet-exposed applications such as Web servers and mail servers.
Although you can use application-specific vulnerability scanners if you suspect a problem in a
particular area, it is more common to start with a general vulnerability scanner. Some of the
most commonly used tools for general vulnerability scanning are:
• Nessus at www.nessus.org/
• Nmap at www.insecure.org/nmap/
• ISS REALSecure at www.iss.net/
• SAINT at www.saintcorporation.com
• WebTrends Security Analyzer at www.netiq.com/webtrends/default.asp
• GFI LANGuard at www.gfi.com/lannetscan/index.htm
• CyberCop at www.mcafeeasap.com/content/cybercop_asap
Each of these tools works on multiple platforms.

Types of Security Scans


There are several types of scans that you can run on your systems to look for security vulnerabilities, and the type of scan you want to perform will dictate the tool you use to complete the scan. Table 8-1 lists types of security scans and the tools you would use to complete them.

Table 8-1: Types of Security Scans

Scan Type | Tools Used
General vulnerabilities | MBSA, Nessus, Security Analyst, SAINT, ISS Internet Scanner, NMap, REALSecure, Security Analyzer, LANGuard, and Cybercop
Man-in-the-middle vulnerabilities | Smbrelay
Port vulnerabilities | Superscan, ShieldsUP!, NMap, and Netcat
Password vulnerabilities | @stake LC4, L0phtCrack, John the Ripper, Pandora
TCP/IP vulnerabilities | Security Administrator Tool for Analyzing Networks (Satan)
Web-based vulnerabilities | Whisker

Vulnerable TCP and UDP Ports


Attackers are very familiar with ports that are used by virtually every organization out of necessity. For instance, port 80 must be open to allow Internet connections. You can protect it, but you can’t close it completely. For that reason, it is important that port 80 is scanned regularly for abnormal activity. Table 8-2 shows some of the ports that are commonly open and in use by an organization and therefore vulnerable to attack.

For a complete list of TCP/UDP ports, see www.iana.org/assignments/port-numbers.

Table 8-2: Vulnerable TCP/UDP Ports


Port | Service | Description
7 | echo | Echo service
19 | chargen | Character generator service
20 | ftp-data | FTP data
21 | ftp | FTP control
23 | telnet | Telnet service
25 | SMTP | Simple Mail Transfer Protocol for email services
42 | nameserver | Host name server used for WINS replication
53 | DNS | DNS server
80 | http | Hypertext Transfer Protocol (HTTP)
88 | Kerberos | Kerberos protocol
110 | POP3 | Post Office Protocol 3 for email services
119 | NNTP | Newsgroups
135 | loc-srv/epmap | RPC port mapper for initiating communications
137 | NETBIOS-NS | NetBIOS name service
138 | NETBIOS-DGM | NetBIOS broadcasting
139 | NETBIOS-SSN | NetBIOS Session service
143 | IMAP | Internet Message Access Protocol for email services
389 | ldap | Lightweight Directory Access Protocol for directory services
443 | https | HTTP over SSL
445 | MS-DS | Microsoft-DS port
464 | kpasswd | For Kerberos authentication
500 | isakmp | ISAKMP/Oakley key exchange protocol
563 | nntps | NNTP over SSL
636 | ldaps | LDAP over SSL
995 | POP3s | POP3 over SSL
1701 | L2TP | Layer 2 Tunneling Protocol
1723 | PPTP | Point-to-Point Tunneling Protocol

If you scan a Windows system for open ports, you may see a variety of port assignments over
1024. This does not mean the service associated with that port is running on the Windows
system. Port numbers above 1024 are registered ports, not well-known ports, and they are not
managed by the Internet Assigned Numbers Authority (IANA), although IANA maintains the
registry list. Windows assigns these ports dynamically as session ports to create network
connections.

Scan for Vulnerabilities
Procedure Reference: Scan for Vulnerabilities
Regardless of the type of vulnerability scan you are going to perform, the general procedure is the same:
1. Install scanning software that is appropriate for the type of scan you want to perform. For example, install SuperScan for a port scan, Security Analyst for a general vulnerability scan, or LC4 for a password scan.
2. Scan your system with the parameters that are appropriate for your environment.
3. If possible, scan your system from an external network as well. You can use a Web-based scanning tool such as ShieldsUP! at www.grc.com.

   There are a variety of specialized Web-based scanning services, such as www.netscan.org, which scans for broadcast amplification vulnerabilities. Be sure to harden your network and check with your router administrators before using NetScan, however; if your network is not configured properly, NetScan might list you as a Broadcast Amplification Site that attackers might then attempt to exploit.

4. Manually review your system audit logs as well as any logs created by the scanning program.
5. If possible, install a tool to automate the process of reviewing and analyzing audit logs.
6. If vulnerabilities are found, revisit your hardening procedures to harden your operating systems and devices.
7. Consider registering with Security Event Aggregators such as www.dshield.org/ or www.mynetwatchman.com/. They will also analyze your firewall logs and act as a fully automated abuse escalation/management system.
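As an added example (not part of this manual and not SuperScan's code), the following Python script carries out the port-scan step of the procedure above against a host you administer: it probes the Table 8-2 ports with a TCP connect, labels each open port with its service name, separates well-known ports from the ports above 1023 that Windows hands out dynamically, flags open ports that are not on the list you expect, and saves the result to a text file in the spirit of Localhost.txt. The expected-port set and the output file name are assumptions.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Well-known ports and service names taken from Table 8-2.
WELL_KNOWN_PORTS = {
    7: "echo", 19: "chargen", 20: "ftp-data", 21: "ftp", 23: "telnet",
    25: "SMTP", 42: "nameserver", 53: "DNS", 80: "http", 88: "Kerberos",
    110: "POP3", 119: "NNTP", 135: "loc-srv/epmap", 137: "NETBIOS-NS",
    138: "NETBIOS-DGM", 139: "NETBIOS-SSN", 143: "IMAP", 389: "ldap",
    443: "https", 445: "MS-DS", 464: "kpasswd", 500: "isakmp", 563: "nntps",
    636: "ldaps", 995: "POP3s", 1701: "L2TP", 1723: "PPTP",
}


def classify_port(port):
    """IANA ranges: 0-1023 well-known, 1024-49151 registered,
    49152-65535 dynamic/private (the session ports Windows assigns)."""
    if port < 1024:
        return "well-known"
    if port < 49152:
        return "registered"
    return "dynamic"


def tcp_port_open(host, port, timeout=0.5):
    """TCP connect probe: the port counts as open only if the three-way
    handshake completes, i.e. some process is listening on it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # connection refused, timeout, host unreachable
        return False


def scan_ports(host, ports, timeout=0.5, workers=32):
    """Probe each port concurrently and return the sorted list of open ports."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: (p, tcp_port_open(host, p, timeout)), ports)
    return sorted(port for port, is_open in results if is_open)


def review_open_ports(open_ports, expected):
    """Turn raw results into review rows (port, service, verdict).
    'expected' is the set of ports this server is supposed to expose."""
    rows = []
    for port in open_ports:
        service = WELL_KNOWN_PORTS.get(port, "unknown")
        if port in expected:
            verdict = "expected"
        elif classify_port(port) != "well-known":
            verdict = "above 1023: identify the owning process before deciding"
        else:
            verdict = "UNEXPECTED: close the service or document why it is needed"
        rows.append((port, service, verdict))
    return rows


def write_report(path, host, rows):
    """Save the review to a text file, much like SuperScan's Localhost.txt."""
    with open(path, "w") as fh:
        fh.write(f"Open TCP ports on {host}\n")
        for port, service, verdict in rows:
            fh.write(f"{port:5d}  {service:<14} {verdict}\n")
    return path


def start_local_listener():
    """Self-test helper: listen on an OS-chosen loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def pick_closed_port():
    """Self-test helper: reserve a free loopback port, then release it."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    # Scan your own machine, as in Activity 8-1 step 2. EXPECTED is an
    # assumed list for a hardened Web/LDAP server; adjust it to your build.
    TARGET, EXPECTED = "127.0.0.1", {80, 443, 389, 636}
    found = scan_ports(TARGET, sorted(WELL_KNOWN_PORTS))
    rows = review_open_ports(found, EXPECTED)
    for row in rows:
        print("%5d  %-14s %s" % row)
    write_report("Localhost.txt", TARGET, rows)
```

Run it only against hosts you are responsible for; a connect scan is logged by the target as ordinary connection attempts.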

ACTIVITY 8-1
Scanning for Port Vulnerabilities
Setup:
The services running on this Windows 2000 Server computer include Active Directory, DNS,
DHCP, Certificate Services, Microsoft Exchange, a secure Web site, and a news server.
SuperScan is available on the network at \\Server100\SPlus\Tools\Superscan\Superscan.exe.

Do not use this tool, or any other hacking tools in class, on a computer other than those specified in the activities unless the instructor grants permission. There may be serious ramifications if you use these tools outside of the classroom subnet. For example, they may violate certain ISP agreements.

Scenario:
You are the security administrator for a large brokerage firm and need to make sure your new
Windows 2000 servers are secure by scanning your servers for open ports. The brokerage
firm’s IT department has had problems in the past with attackers getting access to applications
on servers by getting through the firewall and accessing open ports on the servers. You have
already hardened your servers and now want to check your work. Before connecting the new Windows 2000 servers to your network, you need to make sure not only that the base operating system is hardened, but also that no unnecessary ports are open on the servers to minimize the likelihood of attacks. There are two Windows 2000 servers that you are responsible for scanning: your own computer, and another Windows 2000 server named Server100.

What You Do / How You Do It

1. Install SuperScan.
   a. Run the \\Server100\SPlus\Tools\Superscan\Superscan.exe file. (If you are prompted for credentials, connect as the domain100\administrator user, with a password of !Pass1234.) The SuperScan files are automatically extracted and the Setup Wizard runs.
   b. Click Next.
   c. Click Finish to accept the default installation folder.
   d. Click Yes to create the installation folder. SuperScan is installed and runs.

2. Scan all ports on your Windows 2000 Server computer.
   a. In the Hostname Lookup area, click Lookup. The localhost IP address of 127.0.0.1 should resolve to your own host name.
   b. In the Configuration area, click Port List Setup. The default port scanning list is loaded from a file called Scanner.lst.
   c. Scroll the Select Ports list to determine the ports that are included in the default port scanning list.
   d. Click OK.
   e. In the Scan Type area, select Every Port In List.
   f. Click Start to start the scan.
   g. When the scan is complete, click Expand All to expand the tree list of the scan results. The list shows each open port on the server.
   h. Click Save.
   i. Save the scan results as Localhost.txt in the SuperScan folder.
   j. Click OK to close the List Saved Successfully message box.

3. What ports were open on your Windows 2000 Server? Should these ports be open?

4. Scan all ports on the \\Server100 computer.
   a. In the Hostname Lookup text box, enter Server100.
   b. Click Lookup to resolve the name and IP address.
   c. Click Start to perform the scan.
   d. Expand and review the scan results.
   e. Save the scan results as Server100.txt.
   f. Click OK to close the List Saved Successfully message box.
   g. Close SuperScan.

5. What ports were open on the Server100 computer? Should these ports be open?

6. If you have Internet access, connect to www.grc.com and run ShieldsUP!

   Depending on the type of Internet access you have, the results for this step will vary. For example, if you are connecting from a classroom that is located behind a firewall, the scan will return results for the firewall itself. In this way, you can see if your firewall is properly hardened. If you are scanning the firewall, only one person should scan at any given time.

   a. Open Internet Explorer.
   b. In the Address text box, enter www.grc.com.
   c. After the page loads, scroll down to the Hot Spots section and click the ShieldsUP! link.
   d. Click OK to make the secure connection.
   e. Scroll down and click the Test My Shields! button.
   f. Click Yes to leave the secure site and perform the scan.
   g. After you review the results of the scan, click the Probe My Ports! button.
   h. After you review the results of the port probe, close Internet Explorer.

7. Did the scan or probe reveal any vulnerabilities?

ACTIVITY 8-2
Scanning for System Vulnerabilities
Setup:
The Intrusion SecurityAnalyst tool is available on the network at \\Server100\SPlus\SecurityAnalyst\Setup.exe.

Scenario:
You are the security administrator for a small government agency. You have already hardened
all of your servers and other computer systems, but a new regulation requires that you also
perform periodic vulnerability scans to audit system security against a high-security standard
profile. Periodic scans will enable you to see what vulnerabilities lie in your network, and also
keep track of any changes that have been made to your systems. This will allow you to monitor internal users as well as detect outside attackers. You have selected SecurityAnalyst as your
vulnerability scanning tool.

What You Do / How You Do It

1. Install Intrusion SecurityAnalyst.
   a. Run the \\Server100\SPlus\SecurityAnalyst\Setup.exe file.
   b. Click Next.
   c. Click Yes to accept the license agreement.
   d. Click Next on all pages of the wizard to install the program with the default settings.
   e. When the installation is complete, click Finish to restart the computer.
   f. Reboot to Windows 2000 Server and log back on as Administrator.

2. Determine the configuration of the current Security Standard used by SecurityAnalyst.
   a. Double-click the SecurityAnalyst desktop shortcut to open Intrusion SecurityAnalyst.
   b. Click No to skip the network computer list refresh.

      You have more options if you refresh the network from within SecurityAnalyst.

   c. In the Analyst Bar on the left side of the screen, click Set Security Standard to open the Current Security Standard pane. The current security standard is Default Best Practices. You will be analyzing your system against this relatively high-security baseline.
   d. In the central Current Security Standard pane, select the Windows 2000 tab. The first section of the standard involves account restriction baseline settings.
   e. In the left-hand Set Security Standard pane, click the II. Password Strength section.
   f. Select and review the remaining sections of the Security Standard.
   g. In the Current Security Standard pane, click Close.

3. Audit your system against the default Security Standard.
   a. In the Analyst Bar, click Run Security Audit to open the Run Security Audit-New SnapShot pane.
   b. Click Refresh Network.
   c. With the Domain radio button selected, enter your domain name and click Start.
   d. When the network refresh is complete, in the Microsoft Network list, expand your domain and check your computer name.
   e. Check all the available run options.
   f. Check Save Results To Archive.
   g. Click Start. When the audit is complete, you will see a report card with a score for six different security areas. With the current system configuration and the default Security Standard, you will receive a score of Fail in each area.

      Remember that security is relative. While your system might fail against a very tight security standard, bringing it up to that standard might make it unusable for your purposes. Your task at all times is to balance security requirements against the functionality requirements for a given system.

4. View the risks on your system.
   a. On the Report Card screen, click List Risks.
   b. After you have viewed the risks, click Close to return to the Report Card.

5. What is the source of most of the failure ratings on this system?

6. View the analysis information.
   a. From the menu bar (not the left-hand Analyst Bar), choose Analysis→System-wide Analysis. The system-wide analysis reports results for Password Policy, Services, Disk Quotas, and assorted other settings.
   b. Choose Analysis→Expert Mode Analysis. The expert mode analysis reports results for Account Restrictions, Password Strength, Access Control, System Monitoring, Data Integrity, and Data Confidentiality.
   c. Choose Analysis→Risk Analysis. This gives you a graphical summary of the risk areas on this computer. You can click the button under each bar of the graph to view more details.
   d. Close SecurityAnalyst.

7. Given this analysis information, what steps could you take to harden your system further?

8. Is it always desirable to harden a system as much as possible?

SMBRelay
SMBRelay is a command-line program that you can use to determine if Windows computers are vulnerable to a man-in-the-middle attack against the Server Message Block (SMB) protocol. If this protocol is compromised, an attacker can then read the data stream to gain access to Windows passwords and crack them with a password-cracking tool. If you can use the smbrelay /IL <adapter> /IR <adapter> command to bind smbrelay to your system’s network adapter, your system is vulnerable to this type of attack. Because SMBRelay is not graphical, you will need to use the smbrelay /? Help command to determine the functionality and command syntax for its remaining switches and parameters.
SMBRelay is a small but powerful tool. Like many administrative and scanning tools, SMBRelay can be used for both legitimate and improper purposes, so you should be sure to control its distribution on your network. See http://is-it-true.org/pt/ptips1.shtml and www.bugnet.com/alerts/ba0105011.html for more information on SMBRelay.

ACTIVITY 8-3
Scanning for Man-in-the-Middle Vulnerabilities
Setup:
SMB Signing has been implemented on your computers as part of the hardening process.

Scenario:
One of the next tasks as the security administrator for the brokerage firm is to make sure your
new Windows 2000 systems are secure by scanning your systems for various vulnerabilities.
The brokerage firm’s IT department wants to make sure they have done everything reasonable
to prevent intrusions and that none of your security measures have been altered or
compromised. The firm is particularly concerned with verifying that the servers are not susceptible to man-in-the-middle attacks.

What You Do / How You Do It

1. Copy SMBRelay from the network to a new C:\SMBRelay folder on your local computer.
   a. Create a folder named SMBRelay on your C drive.
   b. Connect to \\Server100\SPlus\SMBRelay.
   c. Copy the \SMBRelay.exe file into the local C:\SMBRelay folder.
   d. Close all open windows.

2. Enumerate your network interfaces and their indexes.
   a. Open a command prompt window.
   b. Change to the smbrelay directory (use cd \smbrelay).
   c. Enter smbrelay /? to view the Help information on the various SMBRelay switches.
   d. Enter smbrelay /E. Your local Ethernet adapter will appear as Interface #, where # is a variable number.

3. Attempt to bind SMBRelay to the Ethernet card adapter for local and relay IP addresses.
   a. Enter smbrelay /IL # /IR #. Substitute your adapter number for the # symbol.
   b. Close the command prompt window.

4. Were you successful? Why or why not?

5. Why would an attacker attempt this operation?

ACTIVITY 8-4
Verifying Password Strength
Do not use this tool, or any other hacking tools, on computers other than specified in the activities unless the
instructor grants permission. There may be serious ramifications if you use these tools outside of the classroom
subnet.

Setup:
On your Windows XP Professional computer, there is a non-administrative user account named
ChrisC with a password of Certification1. The Windows XP Professional system has been
hardened. The @stakeLC4 evaluation software is available on the network at \\Client100\SPlus\LC4\LC4Setup.exe.

Scenario:
As the security administrator for a nuclear plant you need to make sure your new Windows XP
Professional systems are secure by scanning your system on a regular basis for vulnerabilities.
You want to make sure that you have not left any security holes that attackers can exploit. You
have already hardened your systems and now you want to check the strength of the passwords
for the administrative and user-level accounts on your system. The Windows XP Professional
systems have been set up in a workgroup on your network; you have chosen the LC4 software
to audit the passwords to make sure that the passwords cannot be attacked. You will audit the
passwords with LC4.

What You Do / How You Do It

1. Reboot into Windows XP Professional and log on as Admin100.
   a. Restart your computer and choose Windows XP Professional from the boot loader menu.
   b. Log on as Admin100 with a password of !Pass1234.

2. Install LC4.
   a. Run the \\Client100\SPlus\LC4\LC4Setup.exe file.
   b. Click Next twice.
   c. Click Yes to accept the license agreement.
   d. Click Next three times to accept all the default installation settings.
   e. When the installation is complete, click Finish.

3. Attempt to retrieve passwords from your local computer using a quick password audit.
   a. From the Start menu, choose All Programs→LC4→LC4.
   b. Click Trial.

      There is a significant fee for a registered version of LC4.

   c. In the LC4 Wizard, click Next.
   d. Verify that Retrieve From The Local Machine is selected and click Next.
   e. Verify that Quick Password Audit is selected and click Next.
   f. Click Next to accept the default reporting style options.
   g. Click Finish.
   h. Click OK in the Auditing Session Completed message box.
   i. Maximize the LC4 window.

4. Were all the passwords received? Why or why not?

5. Attempt to retrieve passwords from your local computer using a strong password audit.
   a. On the LC4 toolbar, click the New Session button.
   b. Click No. You do not need to save the session.
   c. Click the LC4 Wizard button.
   d. Click Next.
   e. Verify that Retrieve From The Local Machine is selected and click Next.
   f. Select Strong Password Audit and click Next.
   g. Click Next to accept the default reporting style options.
   h. Click Finish. This audit session will take longer than the quick audit session. You can watch the progress in the Dictionary Status area.
   i. In the Please Register message box, click Cancel. The trial version of LC4 does not include the brute force attack.
   j. Click OK in the Auditing Session Completed message box.

6. Were all the passwords retrieved? Why or why not?

7. What should you do to prevent any of the passwords on this system from being stolen by an attacker?

8. Attempt to retrieve passwords from a remote computer using a strong password audit.
   a. On the LC4 toolbar, click the New Session button.
   b. Click No. You do not need to save the session.
   c. Click the LC4 Wizard button.
   d. Click Next.
   e. Select Retrieve From A Remote Machine and click Next.
   f. Verify that Strong Password Audit is selected and click Next.
   g. Click Next to accept the default reporting style options.
   h. Click Finish.
   i. In the Machine text box, enter Client#, where # is the number of another computer on the network.
   j. Click OK.
   k. Click OK twice to close the LC4 error message boxes.
   l. Close LC4.

9. Were all the passwords received? Why or why not?

TOPIC B
Monitor for Intruders
One of the components of monitoring your security infrastructure is performing periodic vulnerability scans, which you did in Topic 8A. Another regular task is to watch your systems for any signs of an attack by an intruder. In this topic, you’ll use various tools to monitor the activity within your network for signs of intrusions.
You’ve spent a lot of time securing individual network components and making sure the security policies are being followed. Everything seems to be in place. But, what if an attempt to break into your network is brewing on the horizon? Will you know how to recognize the signs and prevent disaster? If an attacker does manage to breach your security, how can you track the activity for law enforcement? If you use the appropriate security-monitoring tools and procedures, you will be prepared to do battle with anyone trying to use your network inappropriately.

Intrusion Detection Systems


Definition:
An Intrusion Detection System (IDS) is a software and/or hardware system that scans, audits, and monitors the security infrastructure. IDS software can also analyze data and alert security administrators to potential problems within the infrastructure. Each system is totally unique depending on the type of implementation and the components chosen to build the system. IDSs are categorized primarily by their monitoring method. The two most common implementations of an IDS are network-based IDS (NIDS) and host-based IDS (HIDS):
• A network-based IDS is an IDS system that uses primarily passive hardware sensors to monitor traffic on a specific segment of the network. The system can be implemented as software, but this is not very common. One of the main drawbacks of a network-based IDS is that it cannot analyze encrypted packets because it has no method for decrypting the data. An advantage of a network-based IDS is that it uses very little network resources.
• A host-based IDS is an IDS system that uses primarily software installed on a specific host such as a Web server. Host-based IDSs can analyze encrypted data if it is decrypted before reaching the target host. However, host-based IDSs use the resources of the host they are installed on, and this can slow down processing time.


Figure 8-2: Three types of IDS.

There are also application-based IDSs, although they are not commonly used due to the expense of
implementation. They may be used sporadically in conjunction with a network-based or host-based
configuration to add another layer of protection to a critical application such as a customer database.

Many companies use a combination of network-based, host-based, and application-based monitoring IDSs.

See www.packetnexus.com/idsfaq/Section_3.html and www.dshield.org/ for more IDS information.

Table 8-3: IDS Comparison—Network-based vs. Host-based Monitoring

 | Network-based IDS | Host-based IDS
What is it? | Primarily hardware sensors | Primarily software applications
How it works | Monitors traffic on specific network segment | Monitors traffic on the host it is installed on
Monitors | Packets for protocol anomalies and known virus signatures | Log files, inadvisable settings or passwords, and other policy violations
Encrypted data | Can’t analyze encrypted data | Can analyze encrypted data if it is decrypted before it reaches the target host
Passive vs. active | Passive | Passive or active
Resource utilization | Use resources on network | Uses computing resources on host they are monitoring
Capabilities | Broad scope but very general | Narrow scope but very specific
Alerts | Management console or email messages | Management console or email messages
Best use | To secure a large area with non-critical data. Provides broad-based overall security. Most cost effective | To secure a specific resource, such as a Web server, that has critical data. Somewhat cost prohibitive
Management issues | Generally not a problem installing on network | May be service agreements or other policy restrictions that prevent the installation on a host
Legal issues | Hard to use as evidence in court | May be admissible as evidence in court

Passive vs. Active IDS


A passive IDS detects potential security breaches, logs the activity, and alerts security
personnel. An active IDS detects a security breach according to the parameters it has
been configured with, logs the activity, then takes the appropriate action to block the
user from the suspicious activity. This can be accomplished by logging the user off a
system or possibly reconfiguring the firewall to block the source. IDS developers are
working toward more and more active systems.

IDS Analysis Methods


IDSs also use different methods to analyze the data that is collected. There are two
primary methods of analysis:
• Signature-based analysis looks for network, host, or application activity that compares signatures in the datastream with known attack signatures.
• Anomaly-based analysis looks for network, host, or application changes compared to preset parameters. This is also known as profile-based analysis.
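The two analysis methods side by side, run over a handful of constructed Web-server log lines, as an added example that is not part of this manual or of any IDS product. The log lines, the two signatures, and the mean-plus-three-sigma rate rule are all assumptions; the point is that the signature engine catches a single request carrying a known pattern while the profile-based engine catches unfamiliar behaviour (an unseen method, an abnormal request rate) that no signature describes.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Common-log-format line: source, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signature-based analysis: known attack patterns looked for in the datastream.
SIGNATURES = {
    "directory traversal": re.compile(r"\.\./|%2e%2e%2f", re.I),
    "password file request": re.compile(r"/etc/passwd", re.I),
}


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def signature_analysis(lines):
    """One hit per (line, signature) pair whose request path matches a signature."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["path"]):
                hits.append({"src": rec["src"], "path": rec["path"], "signature": name})
    return hits


def build_profile(baseline_lines):
    """Profile-based analysis, step 1: learn what normal looks like from a
    baseline window, here the methods seen and the requests per source."""
    recs = list(filter(None, map(parse_line, baseline_lines)))
    counts = list(Counter(r["src"] for r in recs).values())
    # Preset parameter: a source is anomalous above mean + 3 sigma of the
    # baseline, never below the busiest baseline source.
    threshold = max(max(counts), mean(counts) + 3 * pstdev(counts))
    return {"methods": {r["method"] for r in recs}, "rate_threshold": threshold}


def anomaly_analysis(lines, profile):
    """Step 2: flag deviations from the profile; no attack pattern is needed."""
    recs = list(filter(None, map(parse_line, lines)))
    findings = []
    for rec in recs:
        if rec["method"] not in profile["methods"]:
            findings.append({"src": rec["src"], "kind": "method", "detail": rec["method"]})
    for src, n in Counter(r["src"] for r in recs).items():
        if n > profile["rate_threshold"]:
            findings.append({"src": src, "kind": "rate", "detail": n})
    return findings


def _entry(src, method, path, status, sec):
    # Constructed sample log line; the timestamp is arbitrary.
    return (f'{src} - - [14/Jan/2003:09:15:{sec:02d} -0500] '
            f'"{method} {path} HTTP/1.0" {status} 512')


# Constructed baseline: three clients browsing normally, three GETs each.
BASELINE_LOG = [
    _entry(f"10.0.0.{n}", "GET", path, 200, i)
    for n in (5, 6, 7)
    for i, path in enumerate(("/index.html", "/news.html", "/images/logo.gif"))
]

# Constructed observation window.
OBSERVED_LOG = [
    _entry("10.0.0.5", "GET", "/index.html", 200, 1),
    _entry("10.0.0.6", "GET", "/news.html", 200, 2),
    # Known pattern in one request: signature catches it, the profile does not.
    _entry("10.0.0.42", "GET", "/../../etc/passwd", 404, 3),
    # Method the baseline never saw: the profile catches it.
    _entry("10.0.0.7", "OPTIONS", "/", 200, 4),
] + [
    # No known pattern but abnormal volume: the profile catches it.
    _entry("10.0.0.99", "GET", f"/login?user=u{i}", 401, 10 + i) for i in range(5)
]


if __name__ == "__main__":
    for hit in signature_analysis(OBSERVED_LOG):
        print("SIGNATURE", hit)
    for finding in anomaly_analysis(OBSERVED_LOG, build_profile(BASELINE_LOG)):
        print("ANOMALY", finding)
```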

Example: An IDS Implementation: State University


State University has approximately 4,000 students and a faculty and staff of 600 employees. Each year, the university expects 1,000 to 1,500 new incoming freshmen. Most of the information the new students will need for registering for classes and navigating the campus is on the university intranet. Although the Web site is not considered mission-critical, it would create tremendous problems to have it hit with a virus or hacked into and tampered with. The university gets much of its funding from the state and has limited personnel resources to implement an IDS.
After considering all the alternatives, State University implemented a network-based IDS. This will give them general intrusion detection capabilities over the entire network. They chose a popular IDS software package that integrates auditing, analyzing, and managing the system. The security administrator installed and configured the software to manage sensors placed on each segment of the network. The security administrator would like more intrusion-detection protection on the Web server but for now, it is too cost prohibitive to implement.

Example: An IDS Implementation: National Bank
National Bank is a banking institution with thousands of encrypted transactions occurring daily. They have offices all over the world and the transaction databases are in use 24 hours a day, seven days a week. National Bank has developed several Business-to-Business (B2B) Web partnerships with brokerage houses and insurance agencies. The highest priority for National Bank is confidentiality and data integrity. Management has granted the security administration permission to do whatever is necessary to get the system implemented as quickly as possible.
The security administrators decided to hire a consulting firm to do the initial assessment and installation. The consulting firm suggested a several-tiered approach to the intrusion detection system. In addition to the firewalls already in place, National Bank now has a network-based system of sensors on each segment of the network to monitor all traffic within the system. In addition, a host-based system is in place on each Web server and email server. To supplement the PKI infrastructure security required for all transactions, each transaction database has an application-based system to monitor its own activity for anomalies.

Non-Example: Patchwork Security: XYZ Internet Company


The XYZ Internet Company has been in business for approximately six months. Two months ago they were hit with a particularly nasty email virus and as a result, the network administrator would like to implement an IDS. The network administrator has a very limited staff and budget. In fact, he is not only the network administrator, he is also responsible for network security. He researched IDSs and requested the funds and time to implement a simple network-based IDS. Management, however, does not see the need to allocate funds to more hardware, software, and resources. They have asked the network administrator to do what he can with what is already in place for now.
The network administrator hardened operating systems and applications, configured alerts on the mail server to notify him when the hard disk space is low (to prevent a spammer from filling up the hard drive), and installed virus protection software. In addition, he set up an additional filter on the firewall to further restrict suspicious packets.

Intrusion Detection System Components


IDSs can be comprised of a variety of hardware sensors, intrusion detection software,
and IDS management software. For suggestions for IDS software and comparison
charts of several products, see www.networkintrusion.co.uk/ids.htm and
www.nss.co.uk/ids/.

IDS Legal Issues


With the growing popularity of IDSs, new legal issues arise. From a legal point of view, the host is the asset that you want to protect. In the event of a security incident that requires outside investigation and potential prosecution, a host-based or application-based IDS is a valuable tool for gathering evidence because the audit logs from these IDSs may be admissible in court. Audit logs from network-based IDSs are harder to use as evidence than those from host-based IDSs because they do not show the result of the actions—only the actual series of actions themselves, which do not necessarily prove a result.
On the other hand, service level agreements (SLAs) or other management issues may prohibit the installation of host-based or application-based IDS software on production servers. Companies that provide software or hardware service and support may invalidate an SLA if a host-based or application-based IDS is installed on the host. If that is the case, the only feasible solution is a network-based IDS.

Monitor for Intruders
Procedure Reference: Monitor for Intruders
To monitor for intruders:
1. Install monitoring software such as an Intrusion Detection System (IDS).
2. Configure the monitoring software according to your specific needs—for example,
you can set up email alerts and configure logging.
3. Periodically, use the monitoring software to actively monitor system activity in
real time.
4. Set up a schedule to monitor and review logs on your IDS and computer systems.

ACTIVITY 8-5
Installing Intrusion Detection Software
Setup:
The Windows XP Professional system has been hardened and scanned for vulnerabilities. The
Internet Security Systems (ISS) RealSecure Desktop Protector evaluation software is available
on the network at \\Client100\SPlus\RealSecureDP\RSDPEvalSetup.exe.

Scenario:
You are the security administrator for a large brokerage firm and need to make sure your new Windows XP Professional systems are secure by actively monitoring your system for intruders. The brokerage firm’s IT department wants to take a proactive approach to security and catch the intruders before they do harm. You have already hardened your servers and scanned for vulnerabilities. Now, you want to be able to actively monitor for intrusions in real time, as well as to log suspicious activity for later analysis. Before connecting the new Windows XP Professional systems to your network, you need to make sure that the chosen intrusion detection software, Internet Security Systems’ RealSecure Desktop Protector, is installed and configured.

292 Security+ A CompTIA Certification


What You Do / How You Do It

1. Install RealSecure Desktop Protector.
   a. As Admin100, run the \\Client100\SPlus\RealSecureDP\RSDPEvalSetup.exe file. The RealSecure Desktop Protector files are automatically extracted and the setup wizard runs.
   b. Click Next.
   c. Complete the setup wizard with the following parameters:
      • Accept the license agreement.
      • Accept the other installation defaults.
   d. When the setup is complete, uncheck I Would Like To View The README File and click Finish.

2. Use the IDS software to determine if any intruders have attempted to access your system.
   RealSecure Desktop Protector also has a Notifications feature that can alert you at the time an intrusion is detected. See RealSecure Desktop Protector Help for more information.
   a. In the System Tray, click the RealSecure Desktop Protector icon. The entry on the Events tab shows you that RealSecure Desktop Protector began detecting intrusion events as soon as it was installed.
   b. Select the Intruders tab. This tab would report the system name or IP address of any intruder systems.
   c. Select the History tab. This page displays an ongoing history of critical and suspicious intrusion events.

3. Modify the BlackICE settings to enable packet and evidence logging on the IDS.
   a. Choose Tools→Edit BlackICE Settings.
   b. Select the Packet Log tab.
   c. Check Logging Enabled.
   d. Select the Evidence Log tab. Logging should be enabled by default.
   e. Click OK.

ACTIVITY 8-6
Monitoring for Intruders
Setup:
The Windows XP Professional system has been hardened and the evaluation version of the RealSecure Desktop Protector intrusion detection software has been installed. Foundstone’s SuperScan port scanner has also been installed to the C:\Program Files\Superscan folder. In Internet Explorer, Content Advisor is configured to block unrated Web sites. You will work with a partner in this activity; one partner will play the role of the intruder, and the other partner will play the role of the monitored system.

Scenario:
One of the next tasks as the security administrator for the brokerage firm is to make sure your new Windows XP Professional systems are secure by actively monitoring your systems for intruders. The brokerage firm’s IT department wants to make sure you catch intruders before they do harm. You have already hardened your servers, scanned for vulnerabilities, and installed intrusion detection software. You have a schedule for reviewing the IDS logs, but as part of the security plan, you also perform periodic real-time monitoring on the IDS. If the intrusion detection software is detecting intruders properly, you might be able to catch one in the act!

You and your lab partner will need to decide who will be the intruder and who will be monitoring their system.
After completing the activity, you can reverse roles and go through the steps again.

What You Do / How You Do It

On the Computer Designated as the Intruder:

1. Attempt to access the C$ administrative share on your lab partner’s computer.
   a. While logged on as Admin100, from the Start menu, choose Run.
   b. Enter \\client#\c$ and click OK. Use your partner’s computer number for #.
   c. Close the C$ share window.

2. Were you successful? Why?
On the Computer Designated as the Monitored System:

3. Verify that the intrusion was detected.
   a. In RealSecure Desktop Protector, on the History page, click the yellow line in the Events graph. (If you do not see a yellow line, select Min in the Interval area to show a more granular view.) This takes you to the suspicious event entry on the Events page. There should be suspicious port probes and failed SMB logon events from the intruder computer.
   b. Double-click one of the suspicious event entries from your partner’s computer. This takes you to the entry for this intruder on the Intruders page. You can see the available detail information about the intruder computer.

On the Computer Designated as the Intruder:

4. Scan for open ports on all computers on your subnet.
   a. Run C:\Program Files\SuperScan\Scanner.exe.
   b. In the Hostname Lookup area, click Me.
   c. In the Scan Type area, select All Selected Ports In List.
   d. Under IP, click the 1..254 button.
   e. Click Start.

On the Computer Designated as the Monitored System:

5. Verify that the intrusion was detected.
   To see the attack in progress, select the Events tab before your partner starts the scan in the previous step.
   a. Select the Events tab. You should see various port probes and scans from your partner’s computer.
   b. Select the History tab. You should see a spike in suspicious activity in the Events graph. You may need to wait for the program view to refresh in order to see the new spike.

6. What intrusions were detected?

7. If you have Internet access, use the advICE feature of RealSecure Desktop Protector to research the intrusions.
   If time permits, reverse roles and repeat the activity.
   a. Select the Events tab.
   b. Select the most recent event.
   c. Click the advICE button in the lower-right corner of the screen.
   d. In the Content Advisor dialog box, select Always Allow This Web Site To Be Viewed.
   e. In the Password text box, enter !Pass1234. Click OK to permit access to the advICE Web site.
      You might need to repeat these steps as you click other links on the advICE Web site. If you prefer, you can turn off Content Advisor in Internet Explorer instead.
   f. In the advICE Web page, click the FAQ link. This page provides you with a searchable FAQ database with information about various security intrusions.
      If time permits, click other informational links on the advICE site.
   g. Close Internet Explorer.
   h. Close RealSecure Desktop Protector and SuperScan.
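The following is an added example, not code from the course or from RealSecure Desktop Protector. It shows how an IDS turns the individual events you saw in steps 3 and 5 into an Intruders-page summary: it reads a constructed event log (the record layout, the event names and the thresholds are assumptions) and flags a source as a port scanner or as an SMB logon brute-forcer.

```python
"""Correlate host IDS events into an intruder summary.

Added example, not part of the course or of RealSecure Desktop Protector.
It does in code what the Events, Intruders, and History pages do in
Activity 8-6: port probes and failed SMB logons are grouped by source,
and a source that hits many distinct ports inside a short window (a port
scan) or repeatedly fails SMB logons (the C$ share attempts) is reported
as an intruder. Event records are constructed; thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_DISTINCT_PORTS = 10             # distinct ports from one source ...
SCAN_WINDOW = timedelta(seconds=60)  # ... inside this window = port scan
SMB_FAILED_LOGONS = 3                # failed SMB logons from one source = brute force

# Constructed event log: date, time, source, event type, destination port.
SAMPLE_EVENTS = """\
2003-05-12 10:01:02 192.168.1.105 SMB_LOGON_FAILED 445
2003-05-12 10:01:05 192.168.1.105 SMB_LOGON_FAILED 445
2003-05-12 10:01:09 192.168.1.105 SMB_LOGON_FAILED 445
2003-05-12 10:05:10 192.168.1.105 TCP_PORT_PROBE 21
2003-05-12 10:05:10 192.168.1.105 TCP_PORT_PROBE 22
2003-05-12 10:05:11 192.168.1.105 TCP_PORT_PROBE 23
2003-05-12 10:05:11 192.168.1.105 TCP_PORT_PROBE 25
2003-05-12 10:05:12 192.168.1.105 TCP_PORT_PROBE 53
2003-05-12 10:05:12 192.168.1.105 TCP_PORT_PROBE 80
2003-05-12 10:05:13 192.168.1.105 TCP_PORT_PROBE 110
2003-05-12 10:05:13 192.168.1.105 TCP_PORT_PROBE 135
2003-05-12 10:05:14 192.168.1.105 TCP_PORT_PROBE 139
2003-05-12 10:05:14 192.168.1.105 TCP_PORT_PROBE 443
2003-05-12 10:05:15 192.168.1.105 TCP_PORT_PROBE 445
2003-05-12 10:20:00 192.168.1.7 TCP_PORT_PROBE 80
2003-05-12 10:30:00 192.168.1.7 TCP_PORT_PROBE 443
"""

def parse_events(text):
    """Parse the log into (time, source, kind, port) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, src, kind, port = line.split()
        when = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        events.append((when, src, kind, int(port)))
    events.sort()
    return events

def detect_port_scans(events):
    """Return {source: distinct ports probed} for every source whose probes
    reach SCAN_DISTINCT_PORTS distinct ports inside any SCAN_WINDOW."""
    probes = defaultdict(list)
    for when, src, kind, port in events:
        if kind == "TCP_PORT_PROBE":
            probes[src].append((when, port))
    scanners = {}
    for src, hits in probes.items():          # hits are already time-ordered
        for i, (start, _) in enumerate(hits):
            in_window = {p for t, p in hits[i:] if t - start <= SCAN_WINDOW}
            if len(in_window) >= SCAN_DISTINCT_PORTS:
                scanners[src] = {p for _, p in hits}
                break
    return scanners

def detect_smb_bruteforce(events):
    """Return {source: failed logon count} for sources at or above the threshold."""
    failures = defaultdict(int)
    for _, src, kind, _ in events:
        if kind == "SMB_LOGON_FAILED":
            failures[src] += 1
    return {src: n for src, n in failures.items() if n >= SMB_FAILED_LOGONS}

def summarize_intruders(text):
    """Build the Intruders-page style summary; only flagged sources appear."""
    events = parse_events(text)
    scans = detect_port_scans(events)
    smb = detect_smb_bruteforce(events)
    summary = {}
    for src in set(scans) | set(smb):
        seen = [when for when, s, _, _ in events if s == src]
        summary[src] = {
            "port_scan": src in scans,
            "distinct_ports": len(scans.get(src, ())),
            "smb_failures": smb.get(src, 0),
            "first_seen": min(seen),
            "last_seen": max(seen),
        }
    return summary

if __name__ == "__main__":
    for src, info in sorted(summarize_intruders(SAMPLE_EVENTS).items()):
        print(src, info)
```

Two probes from 192.168.1.7 ten minutes apart stay below the scan threshold and are not reported, which is the kind of tuning decision you make when the Events page fills with noise.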

TOPIC C
Set Up a Honeypot
In Topic 8B, you monitored your network to catch attackers red-handed. A honeypot system can be used in conjunction with other system-monitoring methods as a way to detect and stop attackers before they can cause you damage. In this topic, you’ll learn to configure a honeypot system.
Just as with physical-world crime, there are occasions when you know that there is inappropriate activity going on, yet for one reason or another, you aren’t quite ready to act to apprehend the perpetrator. In a physical-world criminal case, this might entail prolonged surveillance of a known suspect to gather evidence. Or, there might even be a crime “sting,” which permits a suspect to do something illegal under controlled conditions to increase the chances of conviction. Honeypot systems provide similar functionality when fighting network intrusions in the digital world. A properly designed and implemented honeypot system entices attackers so that you can catch them in the act without any real damage to your systems.

Honeypots
Definition:
A honeypot is a security tool that lures attackers away from legitimate network resources while tracking their activities. Honeypots appear and act as a legitimate component of the network but are actually secure lockboxes where security professionals can block the intrusion and begin logging activity for use in court or even launch a counterattack. Honeypots can be software emulation programs, hardware decoys, or an entire dummy network.
• Software-based honeypots are elaborate emulations that mimic real network components. The attacker is not really in the network or accessing actual network components, so security on the actual network is never compromised. However, the work involved in creating a software emulation that would fool a blackhat is quite complex, and software emulations are usually contracted out to companies that specialize in this type of project. If a company built a software emulation honeypot poorly and an attacker discovered the facade, her only option would be to leave; unfortunately, if she didn’t take the bait, it may be difficult to catch anyone.
• Hardware-based honeypots are systems composed of hardware and software components that are partially disabled and improperly configured to entice attackers. They reside within the network but have special security controls in place to prevent attackers from taking the honeypot over or using it to access the rest of the network. A hardware-based honeypot is relatively easy to build, but there is always the threat of an experienced attacker gaining more access to the actual network than she should have.
• A composite or dummy network honeypot system uses software emulations and actual hardware and software components to create an entire honeypot network apart from the legitimate network. This type of deployment allows an incredible amount of data to be gathered against an attacker. Although the honeypot network combines the best of each system, it is very expensive to build and maintain.

Regardless of what type of honeypot you deploy, the fact remains that honeypots have one purpose—to lure individuals in and track their activities. This is an incredibly valuable tool for security professionals because the activity logs may be used as evidence in court in the event of a criminal trial. However, the act of luring individuals in could potentially be perceived as entrapment or violate the code of ethics of your organization. These legal and ethical issues should be discussed with the legal counsel and human resources department of your organization.

An excellent real-world example of a dummy network type of honeypot is the HoneyNet Project, http://project.honeynet.org. The project is a joint effort by over 30 security professionals to study attacks and share this information on the Web.

Example: Honeypot—State University
State University has a network-based IDS. In the last six months, the security administrator has noticed an increase of suspicious activity centering on the Web servers. He is concerned that the servers are being scoped out for an attack. He would like to set up a honeypot to gather more information and protect the Web servers from attack. However, he is not certain that the servers are being targeted, and management is not convinced that spending money on another security system is necessary.
The security administrator decides to build a hardware-based honeypot with extra components he has and use a freeware program to set it up. He is hoping to gather enough information to warrant a more complex system in the future.

Example: Honeypot—National Bank
National Bank has a complex IDS system that is managed by a team of highly trained security administrators. The senior administrator has discussed the option of honeypots with management to further protect highly sensitive data.
After discussing the options, it is decided that the best approach is a small honeypot network. The senior security administrator works with an outside consulting firm to create simulations for their Web server, transaction database, and customer database. In the meantime, other members of the security team build hardware-based honeypots to support the software emulations on this “network.” To divert attention away from the legitimate network and create interest in the new honeynet, National Bank releases an inconspicuous press release about a new database installation that will make transaction information safer.

Set Up a Honeypot
Procedure Reference: Set Up a Honeypot
To set up a honeypot:
1. Determine what type of attack or attacks you are trying to detect.
2. Install and configure the honeypot system. This can either be a third-party software package that mimics a live server, or simply a system with weak security that you set up manually and expose on your network.
3. Test the honeypot to verify it is working properly. Act as an attacker to verify it
looks real.
4. Monitor the honeypot, both in real time and by reviewing activity logs
periodically.

5. Take the appropriate action when you catch the attacker; for example, turn them
over to the appropriate legal authorities.

ACTIVITY 8-7
Installing a Honeypot
Setup:
Network Monitor has been installed. Microsoft Exchange is running. You will work with a
partner in this activity; one partner will play the role of the monitored honeypot system, and
the other partner will play the role of an attacker.

Scenario:
State University has had a problem in the past with students uploading and downloading files from the university’s internal faculty FTP site and wants to catch the perpetrators. Instead of attempting to catch the students during the last breach, the FTP server was just hardened to immediately stop the attacks. No students have broken in since. However, now that the live FTP servers are secure, you would really like to catch the intruders. A faculty member, Dean Allison Ager, suspected it was her account that was compromised, as she frequently uploads to the FTP site. Her FTP account, like other faculty accounts at the University, is named with her first initial and last name. Dean Ager admitted that at times she wasn’t following the best practices section of the university security policy, using easy passwords such as her last name and first name, and writing them down on sticky notes attached to the computer monitor in her office. She also indicated that many students and teaching assistants have access to her office. You suspect that her account would quickly become a target again if you deployed an FTP server with no file-access controls and no anonymous user access. The IT department has checked with the legal department in the university and they have given the green light to deploy this FTP honeypot to try to detect the intruder.

You and your lab partner will need to decide who will act as the student attacker and who will be the security
administrator. After completing the activity, if time permits, you can reverse roles and go through the steps again.

What You Do / How You Do It

On Both Systems:

1. If necessary, reboot into Windows 2000.
   a. Restart the computer and choose Windows 2000 Server from the boot loader menu.
   b. Log on as Administrator with a password of !Pass1234.

On the Computer Designated as the Monitored Honeypot System:

2. Install FTP and provide one or more dummy FTP data files.
   a. Open Control Panel and run Add/Remove Programs.
   b. Click Add/Remove Windows Components.
   c. Select Internet Information Services (IIS) but do not uncheck the check box. Click Details.
   d. Check File Transfer Protocol (FTP) Server and click OK.
   e. Click Next. If you are prompted for the location of the Windows 2000 Server installation files, enter \\Server100\SPlus\Srv2000\I386. If you are prompted for credentials, connect as the domain100\administrator user with a password of !Pass1234.
   f. Click Finish.
   g. Close Add/Remove Programs and Control Panel.
   h. Copy the SecureSystems.doc file from \\Server100\SPlus\Student to C:\Inetpub\ftproot. Populating the FTP server with some data files will make the honeypot system appear as normal as possible to the potential intruder.

3. Configure FTP not to permit anonymous logons.
   a. From the Start menu, choose Programs→Administrative Tools→Internet Services Manager.
   b. Expand your server object and open the properties of the Default FTP Site.
   c. Select the Security Accounts tab.
   d. Uncheck Allow Anonymous Connections.
   e. Click Yes to confirm that users will be sending passwords across the network unencrypted.
   f. Click OK.
   g. Close Internet Information Services.

4. Create a vulnerable user account on the FTP honeypot computer.
   a. From the Start menu, choose Programs→Administrative Tools→Active Directory Users and Computers.
   b. Right-click the Users folder and choose New→User.
   c. In the Full Name text box, enter AAger.
   d. In the User Logon Name text box, enter AAger. Click Next.
   e. Enter and confirm password as the password. Click Next.
   f. Uncheck Create An Exchange Mailbox. Click Next.
   g. Click Finish.
   h. Close Active Directory Users And Computers.

5. Begin monitoring network traffic to and from the FTP honeypot computer.
   a. From the Start menu, choose Programs→Administrative Tools→Network Analysis Tools→Network Monitor.
   b. Choose Capture→Filter.
   c. Double-click INCLUDE ANY <—> ANY.
   d. In the Station 1 area, select the entry with a Name of LOCAL and an Address that matches your Local Area Connection’s MAC address.
   e. Click OK twice.
   f. Choose Capture→Start.

On the Computer Designated as the Student Attacker:

6. From the command line, attempt to ftp to the honeypot computer.
   If anonymous access is not permitted on an FTP site, attackers must obtain a legitimate user account. Attackers know that users all too often employ easy-to-guess passwords such as their first name, their last name, or simply the word “password.”
   a. Open a command prompt window.
   b. Enter ftp server#, where # is your partner’s computer number.
   c. When prompted for the user name, enter aager.
   d. When prompted for the password, enter ager. You should receive a Login Failed message.
   e. Enter user aager.
   f. When prompted for the password, enter allison. You should receive a Logon Failed message.
   g. Enter user aager.
   h. When prompted for the password, enter password. You should be able to log on.
   i. Enter ls to list the files on the FTP site.
   j. Enter get securesystems.doc to download the file.
   k. Enter bye to disconnect.
   l. Close the command prompt window.

7. Were you successful? Why?

On the Computer Designated as the Monitored Honeypot System:

8. Stop the capture and review the capture log.
   a. In Network Monitor, choose Capture→Stop And View. You can see all the logon attempts, all the attempted password entries, and the data transfer that occurred during the attacker’s session.
   b. After you have reviewed the capture log, close Network Monitor without saving the capture or any unsaved address database entries.

9. What was the source IP address of the attack? How can this assist you in finding the
attacker?

10. Why would you suspect this student was the previous attacker to the FTP site?

If time permits, reverse roles and repeat the activity.
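As an added example, not part of the course or of Network Monitor, the following script pulls out of a text summary of the capture the same evidence that step 8 has you read by eye: the source address, every user name and password tried, and the file retrieved. The capture lines, their one-line-per-command layout, and the IIS-style reply text are constructed; the field order is an assumption.

```python
"""Reconstruct an FTP honeypot session from a packet capture summary.

Added example, not part of the course or of Network Monitor. In Activity
8-7 the logon attempts, password guesses, and the file transfer are read
straight out of the capture; this does the same from a constructed text
summary with one line per FTP control-channel command or reply. Because
FTP sends credentials in clear text, the evidence includes every password
tried, which is what lets the honeypot attribute the intrusion (and why a
production FTP server should never be exposed this way).
"""
import re

# Constructed capture summary: "src:port -> dst:port payload" (layout is ours).
SAMPLE_CAPTURE = """\
192.168.1.105:1043 -> 192.168.1.1:21 USER aager
192.168.1.1:21 -> 192.168.1.105:1043 331 Password required for aager.
192.168.1.105:1043 -> 192.168.1.1:21 PASS ager
192.168.1.1:21 -> 192.168.1.105:1043 530 User aager cannot log in.
192.168.1.105:1043 -> 192.168.1.1:21 USER aager
192.168.1.1:21 -> 192.168.1.105:1043 331 Password required for aager.
192.168.1.105:1043 -> 192.168.1.1:21 PASS allison
192.168.1.1:21 -> 192.168.1.105:1043 530 User aager cannot log in.
192.168.1.105:1043 -> 192.168.1.1:21 USER aager
192.168.1.1:21 -> 192.168.1.105:1043 331 Password required for aager.
192.168.1.105:1043 -> 192.168.1.1:21 PASS password
192.168.1.1:21 -> 192.168.1.105:1043 230 User aager logged in.
192.168.1.105:1043 -> 192.168.1.1:21 NLST
192.168.1.1:21 -> 192.168.1.105:1043 226 Transfer complete.
192.168.1.105:1043 -> 192.168.1.1:21 RETR securesystems.doc
192.168.1.1:21 -> 192.168.1.105:1043 150 Opening ASCII mode data connection for securesystems.doc.
192.168.1.1:21 -> 192.168.1.105:1043 226 Transfer complete.
192.168.1.105:1043 -> 192.168.1.1:21 QUIT
192.168.1.1:21 -> 192.168.1.105:1043 221 Goodbye.
"""

LINE_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) (.*)$")
FTP_PORT = 21

def reconstruct_sessions(capture):
    """Return {client_ip: evidence dict} for each FTP control session seen."""
    sessions = {}
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, payload = m.groups()
        if int(dport) == FTP_PORT:          # client -> server: a command
            client, is_command = src, True
        elif int(sport) == FTP_PORT:        # server -> client: a reply
            client, is_command = dst, False
        else:
            continue                        # not FTP control traffic
        ev = sessions.setdefault(client, {
            "user": None, "pending_pass": None, "pending_retr": None,
            "attempts": [], "logged_in_as": None, "retrieved": []})
        if is_command:
            verb, _, arg = payload.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                ev["user"] = arg
            elif verb == "PASS":
                ev["pending_pass"] = arg    # readable: FTP sends it in clear text
            elif verb == "RETR":
                ev["pending_retr"] = arg
        else:
            code = payload[:3]              # the reply's three-digit status code
            if code == "530" and ev["pending_pass"] is not None:
                ev["attempts"].append((ev["user"], ev["pending_pass"], "failed"))
                ev["pending_pass"] = None
            elif code == "230" and ev["pending_pass"] is not None:
                ev["attempts"].append((ev["user"], ev["pending_pass"], "success"))
                ev["logged_in_as"] = ev["user"]
                ev["pending_pass"] = None
            elif code == "226" and ev["pending_retr"] is not None:
                ev["retrieved"].append(ev["pending_retr"])
                ev["pending_retr"] = None
    return sessions

def failed_guesses(evidence):
    """Passwords tried and rejected, in the order the attacker tried them."""
    return [pw for _, pw, outcome in evidence["attempts"] if outcome == "failed"]

if __name__ == "__main__":
    for client, ev in reconstruct_sessions(SAMPLE_CAPTURE).items():
        print(client, "logged in as", ev["logged_in_as"])
        print("  guesses:", failed_guesses(ev), " retrieved:", ev["retrieved"])
```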

TOPIC D
Respond to Security Incidents
With this topic, we’ve arrived at the last phase of the network security cycle. This is the phase that you hope never arrives: your network is under attack, and you need to respond. In this topic, you’ll learn to respond to security breaches.
You might hope that if you implement security well and monitor vigilantly, you will never have to live through a network attack. But, simply put, attacks are inevitable. Attackers are out there every day, ceaselessly trolling the Internet with automated tools that can uncover and penetrate susceptible systems. No matter how secure your network, detecting an attack is a question of when, not if. The skills you’ll learn in this topic will help you to respond appropriately when this does occur.

Incident Response Policy
Of all the security policies within an organization, an incident response policy (IRP) is one of the most important to the continued safety of physical and intellectual assets. The incident response policy generally answers these questions:

• Who will determine an actual security incident has occurred?
• Who will be notified when an incident occurs?
• How are individuals/departments notified?
• Who is responsible for responding to the incident?
• What is the appropriate response?
An IRP usually involves several departments and, depending on the severity of the incident, may involve the media. The human resources and public relations departments of an organization generally work together in these situations to determine the extent of the information that will be made available to the public. Information is released to employees, stockholders, and the general public on a need-to-know basis.

ACTIVITY 8-8
Investigating Incident Response Policies
Scenario:
As security administrator for your organization, Leland Hospital Systems, you’ve been asked
to join a committee of high-level managers to develop an incident response policy (IRP).
Before the committee’s first meeting, you decide to do some research on the Internet.

What You Do / How You Do It

1. Search the Internet for information on IRPs.
   a. Open Internet Explorer and go to your favorite search engine.
   b. Search for information on incident response policies.
   c. Examine the information you find.
   d. Compare the information you find with the findings of other students in class.

2. In your own words, why is it important to have an incident response policy?

3. What do you think are the most important components in the policies you’ve found?

4. How do you think the policies you’ve found answer the questions in the concepts preceding this activity?

5. In general, do you think it’s important to notify employees of ordinary security incidents? Why or why not?

6. Why might you want to alert law enforcement officials of a security incident? Why
might you want to notify the media?

Respond to Security Incidents
Procedure Reference: Respond to Security Incidents
To respond to security incidents:
1. Consider doing nothing. Some types of attacks, such as a ping sweep, do no damage in themselves. Stopping the attack might be a waste of your effort and a tip-off to the attacker.
2. For attacks from across the network, use network monitoring tools to identify the
source.

You might need to work with your ISP or your internal network or router administrators to gather
the necessary information and respond to the attack.

3. Gather evidence, in the form of network trace files, security logs, and so on, if the
attack is not causing immediate damage.
4. Block the source of a network attack if it becomes necessary to stop the attack.
5. For DDoS attacks, scan for and remove any zombie agents on your local network,
using a tool such as Zombie Zapper from http://razor.bindview.com.
6. Shut down the affected systems and move them to an isolated subnet, but only if
necessary to stop the attack or prevent further system damage.
7. Reverse the damage to the affected systems:
• For malicious code attacks, run antivirus software to disinfect the systems.
• For other attacks, restore lost files, user accounts, and other objects from a
backup.
• If a backup is not available, rebuild the lost objects manually.
• As a last resort, reinstall the systems.
8. Gather any additional evidence regarding the source of the attack.
9. Perform a quantitative and qualitative damage assessment to determine a dollar
value of the cost of the attack.

10. You might need to turn evidence of the attack, including the identity of the perpetrator (if known), over to your computer forensic team or proper authorities in accordance with your organization’s security policies and local legal requirements.
11. Re-evaluate your system hardening and perform additional hardening steps, if
appropriate.

ACTIVITY 8-9
Responding to a DoS Attack
Setup:
The Windows 2000 system has been hardened, and Network Monitor has been installed and has been used previously to capture data on your local network. Port 80 is open on the server. All computers on your network are on the 192.168.y.x subnet, where y is a number unique to your network. You will work with a partner in this activity; one partner will play the role of the intruder, and the other partner will play the role of the monitored system. The tools and data files you will need for this activity are available on the network in the \\Server100\SPlus\Tools share in the following folders: \UDPFlood\udpflood.exe and \DDosPing\ddosping.exe.

Scenario:
As you are monitoring your network performance, you notice a performance degradation on one of your Web servers. The security policy for your organization states that any such performance degradation should be treated as a symptom of a possible DoS or DDoS attack until proved otherwise.

You and your lab partner will need to decide who will be the attacker and who will be acting as the monitoring
system. After completing the activity, you can reverse roles and go through the steps again.

What You Do / How You Do It

On the Computer Designated as the Monitoring System:

1. Begin monitoring system performance with Task Manager.
   a. Right-click the Taskbar and choose Task Manager.
   b. Select the Performance tab. This page gives you an ongoing snapshot of system resource usage, including a graphical representation of CPU and memory usage.
   c. Minimize Task Manager.

2. Start capturing data between your computer and other destinations on the network.
   a. From the Start menu, choose Programs→Administrative Tools→Network Analysis Tools→Network Monitor.
   b. Click the filter icon on the toolbar.
   c. Double-click INCLUDE *ANY <--> *ANY.
   d. Select the Local entry in the Station 1 window that has the MAC address of your network adapter.
   e. Click OK.
   f. In the Capture Filter window, click OK.
   g. Choose Capture→Start.

On the Computer Designated as the Attacker:

3. Use Udpflood.exe to start a 30-second DoS attack on your lab partner’s Windows 2000 Server.
   a. Run \\Server100\SPlus\Tools\UDPFlood\udpflood.exe. If you are prompted for credentials, connect as the domain100\administrator user with a password of !Pass1234.
   b. In the IP/Hostname text box, enter Server#, where # is your partner’s computer number.
   c. In the Port text box, enter 80.
   d. In the Max Duration (Secs) text box, enter 30.
   e. Move the Speed slider to Max to generate the maximum number of packets during the attack.
   f. Click Go.
   g. When the attack is complete, close UDP Flooder.

On the Computer Designated as the Monitoring System:

4. During the attack, examine Task Manager for signs of a performance degradation.
   a. Switch to Task Manager. The CPU Usage History shows signs of increased activity. However, depending on the hardware resources in your system, the actual impact on system performance will probably be minor.
   b. When the activity subsides, close Task Manager.

5. Analyze the captured data for signs of an attack.
   a. Switch to Network Monitor.
   b. Choose Capture→Stop and View. Your capture should look similar to the following screen shot.
   c. After you have examined the capture results, close Network Monitor without saving the capture.

6. Which packets in the capture created the DoS condition? (You might need to widen the
Description column.)

7. Can you determine the source of the attack?

8. What is the first thing you should consider doing in response to this DoS attack?

9. How else could you respond to this DoS attack?

10. What steps should you take once the attack is resolved?

11. If the attacker wanted to automate the attacks instead of having to do so manually,
what can the attacker do?

All Computers:

12. Use DDoSPing to check for any zombie agents on your network.
    a. Run \\Server100\SPlus\Tools\DDoSPing\ddosping.exe.
    b. Verify that 192.168.y.1 appears in the Start IP Address text box. Substitute your network number for y.
    c. Verify that 192.168.y.1 appears in the End IP Address text box. Substitute your network number for y.
    d. Click Start.
    e. When the test is complete, close DDoSPing.

13. Were any zombie agents detected?

If time permits, reverse roles and repeat the activity.
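The following added example (not from the course, from Network Monitor, or from any tool named above) automates the judgement behind questions 6 through 9 and step 1 of the response procedure: from a constructed packet capture it separates a UDP flood that justifies blocking the source from a ping sweep that does no damage in itself and is only logged. The record layout, the traffic mix, and the two thresholds are assumptions.

```python
"""Triage a packet capture for a UDP flood and a ping sweep.

Added example, not part of the course or of Network Monitor. Activity 8-9
asks which packets created the DoS condition and where they came from, and
the response procedure starts with "consider doing nothing" for attacks
such as a ping sweep. The capture is bucketed into one-second counts per
source, then two rules are applied: a source sending far more packets per
second to one UDP port than any normal client is a flood (block it, keep
the trace as evidence); a source touching many hosts with ICMP echo at a
low rate is a sweep (log it only). The capture is synthesized below.
"""
from collections import Counter, defaultdict

FLOOD_PPS = 200     # packets/second from one source to one UDP port (assumption)
SWEEP_HOSTS = 50    # distinct ICMP echo targets from one source (assumption)

def build_sample_capture():
    """Constructed capture: (seconds, src, dst, proto, dport) records."""
    pkts = []
    # Ordinary web traffic: one client, a few TCP packets per second to port 80.
    for sec in range(60):
        for k in range(3):
            pkts.append((sec + k * 0.3, "192.168.1.20", "192.168.1.1", "TCP", 80))
    # The DoS: 30 seconds of 500 UDP packets/second aimed at the web server's port 80.
    for sec in range(10, 40):
        for k in range(500):
            pkts.append((sec + k / 500.0, "192.168.1.105", "192.168.1.1", "UDP", 80))
    # A ping sweep: one ICMP echo request per host across the /24, ten per second.
    for host in range(1, 255):
        pkts.append((45 + host / 10.0, "192.168.1.50", f"192.168.1.{host}", "ICMP", 0))
    pkts.sort()
    return pkts

def triage_capture(pkts):
    """Return {source: finding} for sources that match the flood or sweep rule."""
    per_second = Counter()            # (src, dst, proto, dport, second) -> packets
    icmp_targets = defaultdict(set)   # src -> distinct ICMP destinations
    for ts, src, dst, proto, dport in pkts:
        per_second[(src, dst, proto, dport, int(ts))] += 1
        if proto == "ICMP":
            icmp_targets[src].add(dst)
    peak = {}                         # (src, dst, proto, dport) -> busiest second
    for (src, dst, proto, dport, _), n in per_second.items():
        key = (src, dst, proto, dport)
        peak[key] = max(peak.get(key, 0), n)
    findings = {}
    for (src, dst, proto, dport), pps in peak.items():
        if proto == "UDP" and pps >= FLOOD_PPS:
            findings[src] = {"kind": "udp_flood", "target": f"{dst}:{dport}",
                             "peak_pps": pps,
                             "response": "keep trace as evidence, block source"}
    for src, targets in icmp_targets.items():
        if len(targets) >= SWEEP_HOSTS and src not in findings:
            findings[src] = {"kind": "ping_sweep", "hosts": len(targets),
                             "response": "log only; no damage in itself"}
    return findings

if __name__ == "__main__":
    for src, finding in sorted(triage_capture(build_sample_capture()).items()):
        print(src, finding)
```

The web client at 192.168.1.20 never appears in the findings, which is the check that the thresholds are set above normal traffic rather than just above zero.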

ACTIVITY 8-10
Blocking a Network Intruder
Setup:
For this exercise, you will use the Windows XP Professional installation. The computer name is Client#, where # is your unique integer assigned by the instructor. The default administrator account has been renamed with your first name and set up with a password of !Pass1234. There is also an administrative-level account on this computer named Admin100, with a password of !Pass1234. The Windows XP Professional system has been hardened and the evaluation version of the RealSecure Desktop Protector intrusion detection software has been installed. You will work with a partner in this activity; one partner will play the role of the intruder, and the other partner will play the role of the monitored system.

Scenario:
During regular monitoring of a system, you detect unauthorized attempts to access the root
share of a Windows XP Professional computer. Your organization’s security policy states that
all such access attempts should be blocked at the source.

You and your lab partner will need to decide who will be the intruder and who will be monitoring their system.
After completing the activity, you can reverse roles and go through the steps again.

What You Do / How You Do It

1. Reboot the computer into Windows XP Professional and log on as Admin100.
   a. Reboot into Windows XP Professional.
   b. Log on as Admin100.

On the Computer Designated as the Monitored System:

2. Begin monitoring for intruders with RealSecure Desktop Protector.
   a. In the System Tray, click the RealSecure Desktop Protector icon.
   b. Select the Events tab and choose Tools→Clear Event List.
   c. Click OK.

On the Computer Designated as the Intruder:

3. Attempt to access the C$ administrative share on your lab partner’s computer.
   If your attack isn’t detected after entering \\client#\c$, try using your partner’s IP address or connecting to the d$ share.
   a. As the Admin100 user, from the Start menu, choose Run.
   b. Enter \\client#\c$ and click OK. Use your partner’s computer number for #.
   c. Close the C$ folder window.

On the Computer Designated as the Monitored System:

4. Block the intruder.
   a. On the Events page of RealSecure Desktop Protector, in the Events list, right-click the intrusion event from your partner’s computer and choose Block Intruder→For An Hour.
   b. Click Yes to confirm.
      After about 45 minutes, you will get messages prompting you to extend the hour-long block, if desired. Click No to dismiss the messages and let the block expire.
   c. Select the Intruders tab. Your partner’s computer appears with a symbol indicating it has been blocked.

On the Computer Designated as the Intruder:

5. Attempt to access the C$ share on your lab partner’s computer.
   a. From the Start menu, choose Run.
   b. Enter \\client#\c$ and click OK. Use your partner’s computer number for #.
   c. Click OK in the error message that appears after a few moments.

6. Were you successful? Why?

Lesson 8: Monitoring the Security Infrastructure 313


On the Computer Designated as the Monitored System:

7. Verify that the attempted intrusion was detected and blocked.
   a. In RealSecure Desktop Protector, select the Events tab. The attempted intrusion events appear with a symbol indicating that the intrusions were blocked.
   b. Close RealSecure Desktop Protector.
      If time permits, reverse roles and repeat the activity. Before repeating the activity, you will need to remove the block in RealSecure Desktop Protector. Open RealSecure Desktop Protector. On the Intruders page, right-click the blocked system and choose Trust Intruder→Trust And Accept. Confirm the trust and close RealSecure Desktop Protector.
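The detect, block, expire and trust cycle the activity walks through, as an added example in Python. This is constructed code, not RealSecure Desktop Protector’s; the host names, timestamps and event text are made up.

```python
"""Model of the host-monitor workflow used in the activity: an Events list,
a Block Intruder -> For An Hour action, an extension prompt after about
45 minutes, and Trust Intruder to remove the block before roles are swapped.
Constructed example, not RealSecure Desktop Protector code."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

BLOCK_DURATION = timedelta(hours=1)       # Block Intruder -> For An Hour
EXTEND_PROMPT_AT = timedelta(minutes=45)  # prompt to extend arrives ~45 min in


@dataclass
class Event:
    when: datetime
    source: str        # host that generated the event (constructed names)
    description: str
    blocked: bool      # shown with the "blocked" symbol on the Events tab


@dataclass
class DesktopProtector:
    events: list = field(default_factory=list)
    blocks: dict = field(default_factory=dict)  # source -> (start, expiry)
    trusted: set = field(default_factory=set)

    def clear_event_list(self):
        self.events.clear()

    def is_blocked(self, source, now):
        entry = self.blocks.get(source)
        return entry is not None and now < entry[1]

    def record(self, when, source, description):
        """Log an event; events from a currently blocked source are marked."""
        event = Event(when, source, description, self.is_blocked(source, when))
        self.events.append(event)
        return event

    def block_intruder(self, source, now, duration=BLOCK_DURATION):
        """Operator action on an event: block its source for a fixed period."""
        self.trusted.discard(source)
        self.blocks[source] = (now, now + duration)

    def extension_prompt_due(self, source, now):
        """True once a block has run about 45 minutes and has not expired."""
        entry = self.blocks.get(source)
        return entry is not None and entry[0] + EXTEND_PROMPT_AT <= now < entry[1]

    def extend_block(self, source, now, duration=BLOCK_DURATION):
        """Operator answers Yes to the extension prompt."""
        self.blocks[source] = (now, now + duration)

    def trust_intruder(self, source):
        """Trust Intruder -> Trust And Accept: the block is removed."""
        self.blocks.pop(source, None)
        self.trusted.add(source)

    def intruders(self, now):
        """Hosts that the Intruders tab would show as currently blocked."""
        return sorted(h for h in self.blocks if self.is_blocked(h, now))


def run_lab(t0=datetime(2003, 1, 1, 9, 0)):
    """Replay steps 2 to 5 with constructed events from the partner host."""
    hids = DesktopProtector()
    hids.clear_event_list()                                     # step 2
    text = "admin share access attempt: \\\\client1\\c$"        # constructed
    first = hids.record(t0, "client2", text)                    # step 3
    hids.block_intruder("client2", t0)                          # step 4
    later = t0 + timedelta(minutes=5)
    second = hids.record(later, "client2", text)                # step 5
    return {
        "first_event_blocked": first.blocked,
        "second_event_blocked": second.blocked,
        "listed_after_block": hids.intruders(later),
        "prompt_at_10min": hids.extension_prompt_due("client2", t0 + timedelta(minutes=10)),
        "prompt_at_45min": hids.extension_prompt_due("client2", t0 + timedelta(minutes=45)),
        "blocked_at_61min": hids.is_blocked("client2", t0 + timedelta(minutes=61)),
        "blocked_events": sum(1 for e in hids.events if e.blocked),
    }


def reset_for_repeat(t0=datetime(2003, 1, 1, 9, 0)):
    """Step 7 note: trust the partner host so the block is gone before repeating."""
    hids = DesktopProtector()
    hids.block_intruder("client2", t0)
    hids.trust_intruder("client2")
    return hids.intruders(t0), "client2" in hids.trusted


if __name__ == "__main__":
    print(run_lab())
    print(reset_for_repeat())
```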

Lesson 8 Follow-up
In this lesson, you learned to monitor the security infrastructure for any attempts to breach
your organization’s security. Advance warning of an attack may give you just enough time
to stop the attack before it really gets going. The only way to discover an intrusion early
enough is to monitor your infrastructure on a daily basis.
1. What type of intrusion detection software are you familiar with and how have you used
it to detect attacks?

2. What do you feel is the most important part of the infrastructure to monitor? Why?



FOLLOW-UP
In this course, you learned the skills and information you will need to implement and monitor
security on networks and computer systems, and respond to security breaches. You also cov-
ered the majority of the learning objectives that you will need to prepare for the CompTIA
Security+ Certification examination. If you combine this class experience with review, private
study, and hands-on experience, you will be prepared to demonstrate your expertise both
through certification testing and with solid technical competence on your job.

What’s Next?
For more information on additional security courses, see your Element K sales representative,
or visit our Web site at www.elementkcourseware.com.



APPENDIX A
Authentication and
Authorization
While at first they might seem to be the same, authentication and authorization are very
different. Authentication is the process of requiring a user to prove his or her identity, while
authorization is the process of taking that user’s identity after he or she has been authenticated
and allowing or denying access to specific network resources. It’s this two-step process that is
at the very heart of an organization’s security infrastructure.
There are a variety of authentication methods that you can employ in your network. The fol-
lowing table lists some common methods.

For more information on two-factor authentication and tokens, see RSA’s Web site at www.rsasecurity.com/
products/securid/.

Authentication Method / Description

User name/password
In this type of authentication, a user’s user name and password are compared against a database. If the user name and password match, the user is authenticated. This method may not be very secure because the user’s credentials are often transferred in plain text.

Challenge Handshake Authentication Protocol (CHAP)
In CHAP authentication, the authenticating server sends a challenge message back to the user’s computer when the user tries to log on to a network or a specific server. The user’s computer responds with a hash value of the user’s user name and password. The authenticating server compares the hash value against the result of its own hash function and if there’s a match, the user is authenticated. CHAP is used to log in to remote servers.

Certificates
When a user authenticates using a certificate, the user presents a digital certificate in place of a user name and password. A user is authenticated if his or her certificate is validated by a certificate authority.

Appendix A: Authentication and Authorization 317


Kerberos
Kerberos authentication uses a key distribution server to validate user credentials and distribute tickets to the user that allow them to access the local workstation. Kerberos is a very secure method of authentication because it uses a strong level of encryption. Kerberos relies heavily on an accurate time service, so you’ll need to make sure you have a time server or your authenticating servers are synchronized using an Internet time server.

Tokens
Tokens are text or numerical values in addition to user names and passwords that provide an added layer of authentication. Tokens are often personal identification numbers (PINs) or a second, additional password. Tokens can be generated by special devices in response to a challenge from an authenticating server or by devices that generate values using algorithms independent of a challenge by an authenticating server. Tokens provide multi-factor or two-factor authentication in that they provide for a required value in addition to the user’s user name and password.

Biometrics
Biometric authentication involves a user’s physical characteristics as part of the authentication process. This can involve a fingerprint scanner, a retinal scanner, or voice-recognition and face-recognition software. Because biometric authentication is currently very expensive to implement, it isn’t as widely adopted as other authentication methods.

For a good introduction to the Kerberos protocol, visit: http://web.mit.edu/kerberos/www/dialogue.html
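The challenge/response logon the CHAP row describes, as an added example in Python with both the server’s and the client’s side of the exchange. This is constructed code, not any product’s CHAP implementation; the hash layout (identifier, secret, challenge hashed with MD5) follows RFC 1994 and is an assumption the table does not spell out, and the account name and secret are made up.

```python
"""Challenge/response logon: the server sends a fresh random challenge, the
client answers with a hash over the secret and the challenge, and the server
recomputes the hash from its own copy of the secret and compares.
Constructed example; the MD5(identifier || secret || challenge) layout is the
RFC 1994 CHAP construction, assumed here rather than taken from the page."""
import hashlib
import hmac
import os

# Constructed account store. CHAP requires the server to hold the actual
# secret (or an equivalent), because it must recompute the client's hash.
SERVER_SECRETS = {"admin100": b"lab-secret-1"}


def new_challenge(identifier, size=16):
    """Server side: a random challenge tied to a one-byte identifier."""
    return identifier, os.urandom(size)


def chap_response(identifier, secret, challenge):
    """Client side: hash over identifier, secret and challenge. The secret
    itself never crosses the wire, unlike a plain user name/password logon."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def verify_response(username, identifier, challenge, response):
    """Server side: recompute with the stored secret; constant-time compare."""
    secret = SERVER_SECRETS.get(username)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_logon(username, client_secret, identifier=1):
    """Whole exchange: challenge, response, verification."""
    ident, challenge = new_challenge(identifier)
    response = chap_response(ident, client_secret, challenge)
    return verify_response(username, ident, challenge, response)


def replayed_response_accepted(username, identifier=1):
    """Why the challenge matters: a response captured from one logon is
    checked against the next challenge, which is different, so it fails."""
    ident, challenge_a = new_challenge(identifier)
    captured = chap_response(ident, SERVER_SECRETS[username], challenge_a)
    _, challenge_b = new_challenge(identifier)
    return verify_response(username, ident, challenge_b, captured)


if __name__ == "__main__":
    print("correct secret:", chap_logon("admin100", b"lab-secret-1"))
    print("wrong secret:  ", chap_logon("admin100", b"guess"))
    print("replayed hash: ", replayed_response_accepted("admin100"))
```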

After the user is authenticated, there are several ways to control the user’s access to network
resources. Some of the common methods are described in the following table.

Authorization Method / Description

Mandatory Access Control (MAC)
In MAC, access is controlled based on an object’s security label and a user’s security clearance. Objects (files and other resources) are assigned security labels of varying levels depending on the object’s sensitivity. Users are assigned a security level or clearance, and when they try to access an object, their clearance is compared to the object’s security label. If there’s a match, the user can access the object; if there’s no match, the user is denied access. MAC security labels can generally be changed only by a system administrator and not the object’s owner. MAC is highly secure but isn’t widely implemented because it isn’t as easy to administer as other authorization methods.

Discretionary Access Control (DAC)
In DAC, access is controlled based on a user’s identity. Objects are configured with a list of users who are allowed access to them. An administrator has the discretion to place the user on the list or not. If a user is on the list, the user is granted access; if the user isn’t on the list, access is denied. Unlike MAC, in a DAC authorization scheme, object owners can generally modify their objects’ access control lists.

Role-based Access Control (RBAC)
In RBAC, access is controlled based on a user’s role. Users are assigned to roles, and network objects are configured to allow access only to specific roles. Roles are created independently of user accounts. To prevent misuse of privilege attacks, RBAC allows an administrator to implement separation of duties (or roles). A user might have more than one role assigned to him at one time or might switch from one role to another over the course of his employment. Using the principle of least privilege, an administrator can assign to a role only those privileges users in the role need to complete their work.

Privilege Management Infrastructure (PMI)
A PMI is a collection of authentication and authorization mechanisms that allow an administrator centralized control of user and group role-based privilege management. PMI is often implemented to control user authentication and authorization for an organization’s Web resources. A PMI should include an auditing component to track privilege use. PMI can also offer single sign-on (SSO) capabilities by providing users one-time authentication for browsing multiple servers or sites.
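The three access-control models in the table, as an added example in Python (constructed, not code from any product). MAC uses the exact-match rule the table states and lets only the administrator relabel an object, DAC lets the owner edit the object’s list, and RBAC grants a role only what it needs and refuses a conflicting second role (separation of duties). All users, objects, labels and roles are made up.

```python
"""Small policy checks for MAC, DAC and RBAC as described in the table.
Constructed example; every name below is made up."""


class MacPolicy:
    """Clearance is compared to the object's label; labels are set by the
    administrator only, never by the object owner."""
    def __init__(self, admin):
        self.admin = admin
        self.labels = {}       # object -> security label
        self.clearances = {}   # user -> clearance

    def set_label(self, actor, obj, label):
        if actor != self.admin:
            raise PermissionError("only the administrator can relabel objects")
        self.labels[obj] = label

    def can_access(self, user, obj):
        label = self.labels.get(obj)      # exact-match rule, as the table states
        return label is not None and self.clearances.get(user) == label


class DacPolicy:
    """Each object carries a list of allowed users; the owner may edit it."""
    def __init__(self):
        self.owners = {}   # object -> owner
        self.acls = {}     # object -> set of allowed users

    def create(self, owner, obj):
        self.owners[obj] = owner
        self.acls[obj] = {owner}

    def grant(self, actor, obj, user):
        if actor != self.owners.get(obj):
            raise PermissionError("only the owner may change the list")
        self.acls[obj].add(user)

    def can_access(self, user, obj):
        return user in self.acls.get(obj, set())


class RbacPolicy:
    """Permissions hang off roles; users get roles; conflicting roles
    (separation of duties) cannot both be held by one user."""
    def __init__(self):
        self.role_perms = {}    # role -> set of (object, action)
        self.user_roles = {}    # user -> set of roles
        self.conflicts = set()  # frozenset({role_a, role_b}) pairs

    def define_role(self, role, perms):
        self.role_perms[role] = set(perms)   # least privilege: only what is needed

    def separate_duties(self, role_a, role_b):
        self.conflicts.add(frozenset((role_a, role_b)))

    def assign(self, user, role):
        roles = self.user_roles.setdefault(user, set())
        for held in roles:
            if frozenset((held, role)) in self.conflicts:
                raise PermissionError(f"{role} conflicts with {held}")
        roles.add(role)

    def can_access(self, user, obj, action):
        return any((obj, action) in self.role_perms.get(r, ())
                   for r in self.user_roles.get(user, ()))


def demo():
    """Exercise each model with constructed users and objects."""
    mac = MacPolicy(admin="admin100")
    mac.clearances.update({"alice": "confidential", "bob": "public"})
    mac.set_label("admin100", "payroll.xls", "confidential")
    try:
        mac.set_label("alice", "payroll.xls", "public")   # owner may not relabel
        owner_relabel = "allowed"
    except PermissionError:
        owner_relabel = "denied"

    dac = DacPolicy()
    dac.create("alice", "notes.txt")
    dac.grant("alice", "notes.txt", "bob")                 # owner edits the list

    rbac = RbacPolicy()
    rbac.define_role("ap_clerk", {("invoice", "create")})
    rbac.define_role("ap_approver", {("invoice", "approve")})
    rbac.separate_duties("ap_clerk", "ap_approver")
    rbac.assign("carol", "ap_clerk")
    try:
        rbac.assign("carol", "ap_approver")                # would let one person do both
        sod = "allowed"
    except PermissionError:
        sod = "denied"

    return {
        "mac_alice": mac.can_access("alice", "payroll.xls"),
        "mac_bob": mac.can_access("bob", "payroll.xls"),
        "mac_owner_relabel": owner_relabel,
        "dac_bob": dac.can_access("bob", "notes.txt"),
        "dac_carol": dac.can_access("carol", "notes.txt"),
        "rbac_create": rbac.can_access("carol", "invoice", "create"),
        "rbac_approve": rbac.can_access("carol", "invoice", "approve"),
        "rbac_sod": sod,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```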



APPENDIX B
Understanding Media
Lesson Time: 4 hour(s)

Objectives:
In this lesson, you will identify the characteristics of various media.
You will:
• define tape media.
• define disk media.
• define CD-ROM.
• define floppy disks and their characteristics.
• describe the characteristics and use of hard drives.
• define bounded and unbounded media.
• identify coaxial cable.
• identify UTP and STP cable.
• identify the characteristics of fiber-optic cable.

Appendix B: Understanding Media 321


Introduction
This appendix is a review and reference of media types.
You will examine the characteristics that define various kinds of media and determine what
media is most appropriate in given situations.

TOPIC A
Removable Media
Data can be stored on many media, including magnetic tape, CD-ROMs, hard drives, and
floppy disks.
Consider the value of the data stored on your PC. A week’s worth of changes and additions to
files or to a database can have greater value than the entire system on which it is stored.
As companies use PCs for more and more of their business transactions, the value of the infor-
mation kept on these systems increases dramatically. It is important to understand the media
that stores this data.

Tape Media
Definition:
A tape is a magnetically coated strip of plastic on which data can be encoded. Tapes
are accessed sequentially, which means specific data cannot be accessed on the tape
without sequentially going through all of the preceding data. Tapes vary in storage
capacities and formats. Tape is considered a slower medium and is generally used
only for long-term storage and backup.
There are more and more choices every year when it comes to backup media. A few
years ago, you only had a choice between reel-to-reel tapes, QIC cartridges, and very
expensive DAT recorders. Today, the costs of the DAT recorders and media are within
the range of most IT budgets. For workstation backups, QIC cartridges are a popular
choice; you might consider using Iomega’s Jaz or Zip disks. Magnetic tape is still the
most popular backup media.
The following table shows some of the most common backup media.

Media / Maximum Storage Sizes / Description

Digital Audio Tape (DAT)
Maximum storage: at least 1 GB, up to 12 GB. Used in many different size networks; 4 mm tape, about the size of an audio tape.

Digital Linear Tape (DLT)
Maximum storage: at least 10 GB, up to 12 GB. Used mainly in mid- to large-size networks; 0.5-inch cartridges.

Quarter-Inch Cartridge (QIC)
Maximum storage: at least 40 MB, up to 25 GB. Original width was 0.25 inches; available in 3.5-inch (Travan) or 5.25-inch cartridges; usually used in smaller networks and stand-alone PCs.

Example: Quarter-Inch Cartridge (QIC)
Quarter-Inch Cartridge (QIC) technology is among the oldest, most standardized, and
most reliable of the tape technologies. QIC drives are available for most computer
platforms.
QIC cartridges are available in 60 MB, 150 MB, 250 MB, 525 MB, and larger sizes.
Most of the drives designed to read the higher-capacity cartridges can also read the
lower-capacity cartridges.
Two of the biggest drawbacks of QIC technology are cost and speed. QIC drives are
inexpensive; however, the cartridges are expensive when dollars per megabyte is
considered. Quarter-inch cartridge drives are slow, having about the slowest transfer
rates of any of the tape technologies.

Example: DAT Cartridges


Digital Audio Tape (DAT) is a backup tape format originally adapted from the audio
market. The 4 mm DAT tape format offers higher storage capacities at a lower cost
than does QIC technology, and the term “DAT,” or Digital Audio Tape, is often used
to describe 4 mm tape technology in general.
DAT cartridges are quite small compared with QIC cartridges, and therefore are much
easier to store and use. Capacities for 4 mm tapes range from 1 GB to 4 GB and more.
DAT tapes are considered to be less reliable than QIC tapes. They are especially vul-
nerable to heat and moisture. Because the tape is pulled out of the cartridge during
operation, to be wrapped around the spinning read/write head, the tapes wear more
quickly than do QIC tapes.
Due to lack of strict standards, 4 mm tape drives are not always compatible: tapes
from one drive might not be readable in another drive. This will probably only be a
problem for larger installations with a large variety of computing equipment.

Example: 8 mm Tape
The 8 mm tape format was originally developed by Exabyte, which continues to be the
only manufacturer of 8 mm drives. Many other manufacturers purchase raw drives
from Exabyte and integrate them into internal or external 8 mm tape drives. This
arrangement ensures compatibility between 8 mm drives.
These 8 mm tape drives offer storage capabilities between 2.2 GB and 10 GB per
cartridge. The tape cartridges are only slightly larger than DAT tapes. They are often
considered more reliable than 4 mm drives; however, the drives and tapes are more
expensive than 4 mm units.
The 8 mm tape drives are popular in the UNIX and workstation industry. These drives
have only recently become popular with network administrators as the amount of data
on LANs has grown.

Example: Digital Linear Tape (DLT)

Digital Linear Tape (DLT) is a backup tape technology developed by DEC, which
later sold the technology to Quantum. The tape is a half-inch cartridge with a single
hub. There are 128 or 208 linear tracks, holding 10 to 35 GB of data. Another DLT
format, Super DLT, holds up to 50 GB, the current maximum storage capacity.
Currently, DLT transfer rates are in the 1.25 MB to 5 MB per second range. The
forecast is for DLT to soon hold up to 500 GB with up to 40 MB per second transfer
rates.

Disk Media
Definition:
Disks are the most commonly used type of storage. There is a wide variety of disk
types, including many sizes and formats of floppy disks, hard disks, optical disks,
CD-ROMs (Compact Disc Read-Only Memory), and removable hard disks (such as
Syquest).
In general, all sorts of disk storage share certain common elements. On all disks,
physical differences in the surface of the disk are used to represent data. On floppy and
hard disks, magnetism is used to encode data. On CD-ROM and optical disks, varia-
tions in how the disk surface reflects light are used to encode data.
Disks arrange information into tracks: concentric rings (hard and floppy disks) or
spirals (CDs and video discs). On tapes, tracks are parallel lines. Tracks are divided
into pie-like slices called sectors; a sector is the smallest unit of storage read or
written on a disk. Some disks can be written to only on one side; others can be written
to on both sides. A read/write head can be positioned over any track, and data is read
(or written) as the sectors pass by.

Example:
A disk storage location can be specified by its side, track, and sector. An example is
shown in Figure B-1.

Figure B-1: A disk storage location can be specified by its side, track, and
sector.

CD-ROM
Definition:
A CD-ROM (which stands for Compact Disc Read-Only Memory) is an optical disc
storage technology well suited for the distribution of large amounts of information. A
compact disc stores vast amounts (about 682 MB) of information in a convenient, per-
manent medium. Most manufacturers use the ISO 9660 standard or the High Sierra
subset of that standard and provide common file formats.
Data on a CD-ROM is stored as a series of microscopic depressions in a metal sub-
strate, sandwiched in a glass or plastic disc. The data is read by a low-power laser
beam. Binary 1s and 0s are differentiated by the degree of reflectivity of the surface.
The depressions, or pits, reflect differently than the lands, or non-depression areas.

Example:
CDs have many uses: they are used to distribute software and information, such as
collections of data, and to publish books, magazines, or collections of graphics. Most
CDs are indexed, enabling them to be searched easily by using keywords. Although
they are slower to use than hard disks, CDs have become popular as a way to provide
access to large amounts of information.
The mass production of CDs, as when a software manufacturer distributes software on
CDs, begins with a process called mastering, or burning. One master copy of the CD
is created and tested; and then it’s used by a CD publisher to make many (often thou-
sands) of copies, with the per-copy cost typically being less than $1. Figure B-2 shows
the connectors for a typical CD-ROM drive.

Figure B-2: Connectors for a typical CD-ROM drive.

ATAPI
AT Attachment Packet Interface (ATAPI) is an extension to EIDE that enables support
for CD-ROM drives (including CD-R and CD-RW drives), as well as tape drives, on
an IDE controller. You can install an ATAPI drive as if it were just another EIDE
drive. With ATAPI drives, it’s not necessary to perform CMOS configuration. All
configuration is handled automatically. ATAPI drives can be set up as master or slave
drives (through jumpers) and can run off the primary or secondary controller.
DVD drives also use ATAPI, but in addition require a Moving Picture Experts Group
(MPEG) decoder to decode the MPEG files used with DVDs. Two MPEG standards
exist: MPEG-1 and MPEG-2. They are digital video compression standards and file
formats that were developed by the Moving Picture Experts Group. MPEG-1 provides
video resolution of 352 x 240 at 30 frames per second. MPEG-2 provides video
resolution of 720 x 480 and 1,280 x 720 at 60 frames per second.

Using CD-ROMs
Some operating systems—such as UNIX, OS/2 2.x, Windows NT, and others—
inherently support CD-ROM drives. Other operating systems, such as DOS, DOS/
Windows, and some versions of NetWare, require additional software in order to use
CD-ROM drives. CD-ROM drives often provide driver software for the operating sys-
tems that need them. Third-party driver software is also available.
Many CD-ROM drives use the SCSI interface to connect to the host system. A com-
mon interface for SCSI CD-ROM drives and other devices, called the Advanced SCSI
Programming Interface, or ASPI, has been developed. This enables the use of a single
ASPI device driver for multiple SCSI devices. An example of such a driver is
Adaptec’s ASPIDSK.SYS.

Practical Issues
Keep the following in mind when you are using CD resources:
• Some older CD-ROM drives require that the disc be placed in a disc caddy, or
protective plastic container, before they can be inserted into the drive. You may
want to consider purchasing additional caddies for storage purposes.
• CD-ROM drives are connected to a host computer by using a SCSI bus or an IDE
bus.
• If you put a SCSI CD-ROM on the same controller as a hard disk, you might see
a performance loss. Check with the hardware vendors for known incompatibilities.
• When you connect the data cable and power to the drive, the configuration is
similar to that of a hard drive—data cable to the left, power cable to the right,
and a red stripe closest to the red power wire.
• Make sure that the jumpers are set properly and that the audio cable is attached.
Audio cables carry only analog sound; digital sounds are carried on the data
cable.

Floppy Disks
It is often necessary to share files with other people. One way to do this is to use removable
disks. Another use for removable disks is to provide a second copy or backup of important
files.

Definition:
Floppy disks are similar to hard disks, except that the material on which data is
recorded is not hard; it is made of a floppy material, such as mylar. Read/write heads
record data on floppy disks similar to the way they do on hard disks. Because floppy
disks can be removed from the computer and easily carried, they are not as well pro-
tected as hard disks. To make floppy disks more tolerant (than hard disks) of dust and
scratches, data is not packed as densely into a floppy disk as it is in a hard disk. What
floppy disks lack in storage capacity, they make up in portability. To provide a reason-
able degree of protection for floppy disks, they are contained inside a tight-fitting
square sheath of vinyl or hard plastic.

Example:
There are three floppy-disk formats. These three floppy-disk formats are shown in Fig-
ure B-3.

Figure B-3: Three floppy-disk formats.

Storage Capacity
The amount of data that can be stored in a disk is determined by the number of sides,
tracks per side, sectors per track, and bytes that can be stored in a sector. For example,
a double-sided disk with 80 tracks, 36 sectors, and 512 bytes per sector has a total
capacity of 2 x 80 x 36 x 512, or 2,949,120 bytes. Divide this by 1,024 to get the
number of kilobytes, which is 2,880. The following table shows common floppy-disk
sizes and formats, and their total capacity in kilobytes.

Disk Size   Sides   Tracks     Sectors     Bytes per   Total Capacity   Sectors
(inches)            per Side   per Track   Sector      in Kilobytes     per Cluster
3.5         2       80         36          512         2,880            2
3.5         2       80         18          512         1,440            1
3.5         2       80         9           512         720              2
5.25        2       80         15          512         1,200            1
5.25        2       40         9           512         360              2
5.25        2       40         8           512         320              2
5.25        1       40         9           512         180              1
5.25        1       40         8           512         160              1

The Evolution of the Floppy Disk


Early floppy disks were large; they had an 8-inch diameter and a soft vinyl cover. The
next type of disk to become widely used was the 5.25-inch format, which was essen-
tially the same as the 8-inch format, only smaller. These two types of disks come with
a special envelope, in which they are stored when not in use.
The most commonly used type of floppy disk today is the 3.5-inch disk, which has a
hard plastic cover, and a metal shutter that closes to protect the inner disk from dust
when the disk is not inside a drive mechanism. The 3.5-inch disks do not need to be
stored in an envelope when they are not in use because the metal shutter adequately
protects the disk from normal amounts of airborne particles. Despite the trend toward
smaller disks, the storage capacity of floppy disks has increased dramatically over the
years.

Floppy Disk Drives


Here are some things to keep in mind when you are installing or replacing a floppy
disk drive:
• When you look at the back of the drive, the data connection is on the right and
the power connection is on the left (or above the data connection). This configura-
tion is the opposite of hard drives.
• For floppy disk drive data connectors, Pin 1 is on the left side. To connect the
data cable, place the red strip on the cable nearest to the red wire on the power
connection cable.
• Data cables for floppy disk drives have a twist in them, so that the computer can
recognize and distinguish between multiple floppy disk drives (drives A and B,
usually) in a system. When you are connecting only one drive, connect it after the
cable twist. When you are connecting more than one drive, connect drive A after
the twist and drive B before the twist.
Figure B-4 shows the connectors for a floppy disk drive.


Figure B-4: Connectors for a typical 3.5-inch floppy disk drive.

Hard Drives
Definition:
Hard drives, or fixed disks, are a type of storage device that provide fast access to
large amounts of storage in a small, reasonably reliable physical package. Without
them, most modern computing applications would be impossible.
A cylinder is the aggregate of all tracks that reside in the same location on every disk
surface. On multiple-platter disks, the cylinder is the sum total of every track with the
same track number on every surface. On a floppy disk, a cylinder comprises the top
and corresponding bottom track. Hard disks are often composed of multiple disks. A
cylinder consists of a track on the top side of the top-most disk, and all of the tracks
beneath it. This is shown in Figure B-5. A cylinder represents all of the data that the
read/write heads can access when they are in a certain position. (There is a separate
read/write head for each side of each disk, but they all move together.)


Figure B-5: A cylinder.


Hard drives have been designed to meet users’ needs for speed and capacity. As the
technology has matured, designers have also added reliability and reduced the cost of
the design. This constant redesign process has produced better drives, in many
different types. However, even with differences, almost all hard drives operate the
same way: data is stored as locations of magnetic flux, or change, on a disk of
specially coated aluminum or glass. Hard disks can have one or more of these platters or
disks. The information is read or written with a head, or small magnet, that floats on a
cushion of air over the platter. The platter spins at a high rate, generally 5,400 or 7,200
revolutions per minute (rpm). The heads are moved across the platter by one of two
technologies: older designs used a motor, called a stepper motor, that moved only in
pre-defined increments, or steps. Newer designs use a voice coil, similar to an audio
speaker, to move the heads more precisely over the platter.

Example:
Figure B-6 illustrates the components of a hard drive.


Figure B-6: The physical components of a hard drive.

Writing Data to the Hard Disk


Hard disks spin at very fast speeds, and the read/write heads hover over the platters,
very close to the surface so that they can read or write data. The platters are made of a
rigid material, such as aluminum, that is coated with a magnetic material. To write
data, the computer positions the head in a particular track. When the appropriate sector
passes by, pulses of electricity are sent through a coil of wire in the head. This creates
an electromagnetic field, which aligns magnetic particles on the disk surface. By alter-
nating the flow of the current to the head, 1s and 0s can be encoded magnetically.
Each platter has its own read/write head that encodes (writes) and decodes (reads) data
for that platter. Data is read and written in circular tracks as the head floats on a thin
layer of air over the rotating platter.

Reading Data from the Hard Disk


To read data, the computer positions the head over the appropriate track. When the
sector passes by, the magnetic particles on the disk create an electrical current in the
head through a phenomenon known as inductance. In the head, the alternating patterns
of magnetism on the disk translate into alternating flows of electrical current, which
can be translated into 1s and 0s.

Physical Characteristics
Physically, hard drives come in a number of designs. The terms form factor and height
are used to describe the physical characteristics of hard drives that are mounted
internally. External drives are most often simply internal drives mounted in a case that
also has a power supply.
• With regard to a disk drive, the form factor is the overall diameter of the platters
and case, such as 3.5 inches or 5.25 inches, not the size in terms of storage
capacity. The form factor of a drive refers to its width. This measurement is
derived from the original IBM PC/XT case that had drive openings of 5.25
inches. Most drives today are actually smaller than their rated form factor and use
spacers, or mounting brackets, to fit within the case. The 5.25-inch and 3.5-inch
form factors are the most popular for desktop and desk-side computer systems.
Newer form factors, designed for use in laptops and notebooks, include 2.5-inch
and even 1-inch designs.
• The height of the drive is likewise a measurement derived from the original IBM
PC/XT case. A device that would fill the height of the drive bay of the XT is con-
sidered to be a full-height device. Other heights include half-height and the newer
1-inch high drives.
You must match the form factor and height of a drive you purchase with the available
openings in your computer. Otherwise, you will have difficulty installing the new
drive.

Installing a Hard Drive


The specific steps for setting up a hard disk in a system depend on the system and the
type of hard disk you are installing; however, the main tasks are:
1. Physically install the hard disk into the computer.
2. Prepare the new hard disk for use in the system.

The Configuration of Hard Drives


You should configure the hard drive before you install it in the case. The drives are
configured with jumpers. There is often a label on the drive with the jumper settings.
The master is the first IDE or EIDE device on a single IDE channel, and the slave is
the second IDE or EIDE device on that channel. If the master device on the first IDE
channel is a hard drive, it can be formatted to be the boot disk. If you have two IDE
or EIDE devices on the same cable, one needs to be set to master and the other to
slave. This allows both devices to properly communicate on a single channel. It also
specifies the boot order of the drives: the master drive on the first IDE channel is the
first IDE drive accessed when the system boots.
You will need to change the jumper settings to reflect each drive’s role (master or
slave). Also, some drives have separate settings if there will only be one drive in the
system; this is usually referred to as single drive or cable select if there is only one
drive on the IDE channel.
If possible, place hard drives on a different channel than CD drives. This requires two
IDE controllers. One or two hard drives should go on IDE 1, as master and slave, or
single. If you have an IDE CD-ROM and a second CD drive (such as a rewriter, DVD,
or just another CD-ROM), they should go on IDE 2 as master and slave.

Hard Drives
Keep the following in mind when you are working with hard drives:
• Because of the delicate nature of hard disks, you need to be very careful when
you are handling them. Do not bump or shake them unnecessarily, and do not
transport them unless they are encased in protective packaging.
• When performance is a less-critical issue than cost, consider adding another hard
disk to an existing controller board, rather than replacing the controller, disk, or
computer.
• If you are installing a hard drive, make sure that you’re using the proper cable
rating and type for the hard drive to be installed. Also, you need to be sure to
follow the correct installation and configuration procedures, as described later in
this topic.

Advances in Capacity
Today’s hard drives hold far more information than the hard drives of just a few years
ago. They’re smaller, faster, and more reliable, due to technological advancements such
as improved coatings for platters and smoother platter surfaces. Another improvement
is the advent of the voice coil design, which enables cylinders to be written closer
together. This, in turn, enables more data to be saved to each platter than could be
saved on older hard drives with the same platter size.

DISCOVERY ACTIVITY B-1
Storage Media
Scenario:
You are in the process of purchasing various storage media for your organization. You need to
understand the specifications in order to make your decisions.

1. Form factor refers to a drive’s __________.

2. How is the storage capacity of a floppy disk determined?

3. Tape drives are used primarily for __________.

TOPIC B
Cabling
A major category of media is network cabling. In this topic, you will become familiar with
cable types and their characteristics.
Networks have gone through quite a lot of changes in the last 15 years, driven mostly by two
factors: speed and reliability. In the early days of networking, conventional wisdom said that
75 percent of all network failures were related to the network media or cabling. Today, older,
less-reliable media types have been phased out, and better assembly techniques have been
developed to make networks far more reliable.

Bounded and Unbounded Media


Definition:
Bounded media is any network media that travels in a contained conductor.
Unbounded media does not travel in a contained conductor (wireless transmission).

Example:
Wires, cables, and fiber optics are examples of bounded media. Radio, microwave, and
infrared use unbounded media. Some examples of bounded and unbounded media are
shown in Figure B-7.

Figure B-7: Bounded and unbounded media.

Coaxial Cable (Coax)
Definition:
Coaxial cable, known by its common name of just “coax,” is so named because of the
physical relationship between the center conductor and the shield where they share a
COmmon AXis. Coaxial cable is used with a single-ended signal reference where the
center conductor carries the data signal, and the braided outer shield provides a
combination of the reference signal and a drain for noise control. The braided shield is
separated from the center conductor by a dielectric insulator. All coax cables have
to be terminated. It’s complicated, but basically the dielectric insulator and the shield
provide the cable’s electrical characteristics and determine its termination resistance.
While coaxial cable provides better noise rejection than other cable types, it requires a
physical bus topology with a maximum transmission speed of 10 Mbps and tends to be
less reliable. Because of this, it’s rarely used today.

Another type of connector is the Attachment Unit Interface (AUI), which is a 15-pin, D-shaped
connector (a DB-15 connector) that looks like a parallel port connector. Another commonly used name
for an AUI connector is a DIX connector, named for the three companies that developed it—Digital,
Intel, and Xerox.

Example: ThinNet
The most common type of coax used in networks is RG58A/U cable, or ThinNet, as
it’s affectionately known. ThinNet is small in diameter (about an eighth of an inch)
and relatively easy to install. It uses BNC connectors and requires a 50 ohm
terminator. It has an end-to-end distance of 185 meters.

Example: ThickNet
The other type of coax used in networks is RG-8, or ThickNet. ThickNet is much
harder to work with than ThinNet because it’s about a half inch in diameter and very
stiff. There are two types of connectors for use with ThickNet—the N-connector and a
vampire tap. N-connectors are large, screw-type connectors that look like those used
on two-way radios. Vampire taps are a two-part clamshell connector that clamps over
the cable and pierces the outer jacket to make the connection. ThickNet has an
end-to-end distance of 500 meters. Figure B-8 shows examples of coaxial cable.

Figure B-8: Coaxial cable.

Coax Cable Specifications
The following table displays each coaxial cable type with its respective specifications.

Cable Type   Common Name   Maximum Distance           Connector                      Termination
RG58A/U      ThinNet       185 meters or 607 feet     BNC connector                  50 ohm terminator
RG8          ThickNet      500 meters or 1,640 feet   N-connectors or vampire taps   50 ohm terminator

Twisted Pair (UTP/STP) Cable


Definition:
Unshielded Twisted Pair (UTP) cable is by far the most popular cable in use today. It’s
easy to install, supports the logical bus/physical star configuration, and is very reliable.
UTP uses two conductors twisted around each other within the cable to carry a
differential signal. The combination of the differential signal and the twists (twists per foot)
gives UTP good noise rejection and a maximum distance of 100 meters. Newer cable,
properly installed, can support data speeds up to 1 Gbps.

Category 6 and 7 aren’t official standards but are in the development stages and supported by many
manufacturers because of the demand for high speed connectivity.

Example:
Analog and digital telephone cable are examples of UTP. UTP is also used for varying
speeds of network cable. Figure B-9 displays UTP.

Figure B-9: Unshielded twisted pair.

UTP Categories
UTP comes in different grades, called categories (Category 1 to Category 7 or Cat 1 to
Cat 7), where the cable’s bandwidth capability increases with the category number. Cat
5 is the most popular category, along with its subcategories Cat5+ and Cat5 E
(enhanced). Cat 6 and 7 aren’t official standards but are defined by the cable
manufacturers.

Category     System Type
1            Telephone (Analog)
2            Telephone (Digital)
3            Network, 10 Mbps
4            Network, 16 Mbps
5            Network, 100 Mbps
5+           Network, 150 Mbps
5 Enhanced   Network, 350 Mbps
6            Network, 1000 Mbps
7            Network, 1000 Mbps

RJ-45 Connectors
Cat 5 cables use RJ-45 connectors that look like a common phone plug, only bigger
and with eight conductors. Figure B-10 shows an RJ-45 connector. (The phone
connectors are called RJ-11.) One pair of conductors is used for transmitting data and another
for receiving data; the other two pairs are unused. Each pair is color-coded with a solid
color and a white wire with a colored band. For the pin-out of the connectors, there
are two standard color schemes: EIA/TIA 568A and 568B. It’s important that both
ends of a cable be wired with the same color scheme. Both use the same pins for
transmit (TX) and receive (RX), but different color pairs.

Figure B-10: RJ-45 connector.

Assemble Patch Cables


To assemble patch cables:
1. Strip the cable jacket back about three-quarters of an inch (don’t cut or nick the
inner pairs of wires).

2. Place the pairs in color order so they lay flat and slip into the connector.
3. Slip the wires into the connector and be sure they’re properly seated and in the
correct order (a 5x eye loupe will help with this). Make sure the outer jacket is
far enough into the connector that it will be captured by the strain relief tab.
4. Insert the cable/connector assembly into a crimping tool and crimp.
The process of assembling patch cables is detailed in Figure B-11.

Figure B-11: Assembling patch cables.

To make a standard patch cable (TX goes to TX), use the same color scheme at each end. To make a
crossover (TX goes to RX) cable, use 568A at one end and 568B at the other.

Shielded Twisted Pair (STP)


Shielded Twisted Pair (STP) has the same twisted-pair wire as UTP, but has a shield
(usually a foil and a drain wire) added to drain away noise. STP has a shorter distance
than UTP (only 90 meters) but has better noise rejection. STP cable grades are called
types and range from type 1 to type 9 with types 1, 1A, 2A, and 6A used in networks.
STP works well in environments where electrical noise is hard to control and cost is
an issue.

Fiber-optic Cable
Definition:
Fiber-optic technology is a point-to-point technology that uses a light to carry a data
signal through cable. The light source is either a laser or high-intensity LED,
depending on transmission range (laser is used for long-range transmission). Because of the
speed of light and fast reaction of the optic devices, fiber-optic signals have very high
data rates—the digital data is flashed through the fiber-optic carrier.

Analogy:
Fiber-optic technology is very much like the signaling devices used to send Morse
code between ships at night. Figure B-12 gives an example of fiber-optic technology.


Figure B-12: Fiber optics.

Basic Fiber Construction


Fiber-optic cables use a thin thread of glass to conduct the light from one end of the
cable to the other. This glass thread can break easily, so the rest of the fiber-optic cable
is designed to protect it. The glass core is between 5 and 125 microns (62.5 is most
common). To put it in perspective for you, a sheet of paper is about 25 microns thick.
The core is covered by a silica layer called a cladding, which keeps the light inside the
core.
The fiber is loosely encased inside an inner jacket about an eighth of an inch in
diameter, and filled with a lubricant. The core is longer than the jacket and that’s important
because when the temperature changes, the extra length compensates for the jacket’s
expansion and contraction. The jacket is surrounded by an Aramid or Kevlar braid,
making the cable more stable. Like the belts on a car tire, the braid prevents shocks to
the outside of the cable from getting to the core. Finally, the cable has an exterior
jacket or armor.

Example:
Figure B-13 shows some examples of fiber-optic cable.

Figure B-13: Fiber-optic cable.

Single-mode fiber
Single-mode fiber carries a single data signal over long distances (a maximum of 30
miles). It has a small diameter core (10 microns) and uses a laser, usually in the
invisible, infrared spectrum. Most single-mode fiber transmitters are always on and transmit
data by modulating the amplitude (intensity) of the light.

Though it’s bad practice to look into the end of any fiber connection that is turned on, it’s extremely
dangerous to look into a single-mode fiber connection because of the intensity of the transmitting laser.

Multi-mode fiber
Multi-mode fiber can carry more than one signal at the same time. Using two different
techniques, multi-mode devices can place different light signals onto the cable and
remove each at the other end. Multi-mode fiber uses a larger core than single mode
(50, 62.5, or 100 microns) and has a shorter transmission distance.
Step Index multi-mode fiber uses a transmission diode that angles a signal into the
cable. By adjusting the angle, a transmitter can create multiple transmission paths. Step
mode costs the least to implement, but is limited to shorter distances (a few hundred
feet).
Graded Index fiber uses layers inside the glass core to send multiple signals down the
cable. The core contains glass layers, each of which carries a signal. Graded Index is
used to send higher quality data signals over distances up to 2,500 meters. Figure B-14
shows the difference between Step Index and Graded Index multi-mode fiber.

Figure B-14: Step Index versus Graded Index multi-mode fiber.

Fiber Connectors
There are multiple types of fiber connectors shown in the following table. Figure B-15
illustrates these fiber connectors.

Connector   Description
ST          Fiber ST connectors are used to connect multi-mode fiber. They look
            like BNC connectors and have a straight, ceramic center pin and a
            bayonet lug lock down. They’re used a lot in network patch panels.
            Overall, ST connectors are the most popular type of fiber connector.
SC          SC connectors are box-shaped and snap into a receptacle. They’re
            seen a lot in a duplex configuration where two fibers are terminated
            into two connectors molded together. SC connectors are easy to hook
            up.
SMA         SMA connectors are similar to ST connectors, but use a threaded
            ferrule on the outside to lock the connector together. SMA connectors
            are typically used where water and other environmental conditions
            necessitate a waterproof connection that can’t be made with a bayonet
            lug type connector.
FC          FC connectors are similar to SMA connectors, but use a heavy ferrule
            in the center for more mechanical stability than SMA or ST
            connectors. FC connectors are not used much in business networking,
            but they might find their best use in industrial networking where the
            extra mechanical strength of the FC connector is desired.

Figure B-15: Fiber-optic connectors.

DISCOVERY ACTIVITY B-2
Becoming Familiar with Fiber-optic Cable
Scenario:
Your manager is unfamiliar with cable media. He asks you the following questions.

1. What type of media is copper cable?


a) Bounded
b) Unbounded
c) Radiated
d) Inferential

2. How many grades does UTP cable come in?


a) Four
b) Five
c) Six
d) Seven

3. On UTP cable, which designation describes telephone connectors?


a) Cat-5T
b) RJ-45
c) RJ-11
d) RJ-568A

4. Why shouldn’t you look into the end of a fiber connector or socket, even if you don’t
see a light?

5. What advantages does fiber have over copper media?

6. How many fiber conductors are needed to implement a full duplex connection?

APPENDIX C
SecureSystems.doc
National Bank’s System Hardening Recommendations
Make sure to keep up to date with the latest security patches!
Windows XP Professional Security Recommendations
(workgroup environments)
Note: These steps should be used for all Windows XP Professional clients in a workgroup, and
those that will remain on isolated subnets, such as the Bank’s background investigation
computers. For Windows XP Professional clients participating in a domain, these steps can be
automated by following the steps on Group Policy.
General Settings:
1. Install the latest Windows XP patches and hot fixes on all desktop systems. All security
patches should be installed immediately when available.
2. Do not use Internet Connection sharing.
3. Disable the Welcome Screen.
4. Disable Fast User Switching.
5. For Laptops and Home systems only—Enable the built-in XP Internet Connection
Firewall.
6. Apply the Windows Media Player Security Patch.
7. Convert all drives to NTFS.
8. Install anti-virus software; keep virus definition files up to date.
9. Use the MBSA tool quarterly to verify that the system is secure.
10. Check TechNet and the Center for Internet Security for the latest recommendations for
securing the registry and the file system.
Password Policy Settings:
1. Enforce password history→24 passwords remembered
2. Maximum password age→30 days
3. Minimum password age→7 days
4. Minimum password length→8 characters
5. Password must meet complexity requirements→Enabled

6. Store password using reversible encryption for all users in the domain→Disabled
Account Lockout Policy Settings:
1. Account lockout duration→30 minutes
2. Account lockout threshold→3 invalid logon attempts
3. Reset account lockout counter after→30 minutes
Audit Policy Settings:
1. Audit account logon events→Success and Failure
2. Audit account management→Success and Failure
3. Audit directory service access→No auditing (Used for Domain Controllers only)
4. Audit logon events→Success and Failure
5. Audit object access→Failure
6. Audit policy change→Success and Failure
7. Audit privilege use→Failure
8. Audit process tracking→No auditing
9. Audit system events→Success and Failure
User Rights Assignment Policy Settings:
1. Access this computer from the network→Administrators,Users,Power Users,Backup
Operators
2. Act as part of the operating system
3. Add workstations to domain
4. Adjust memory quotas for a process→LOCAL SERVICE,NETWORK
SERVICE,Administrators
5. Allow logon through Terminal Services→Administrators,Remote Desktop Users
6. Back up files and directories→Administrators,Backup Operators
7. Bypass traverse checking→Administrators,Users,Power Users,Backup Operators
8. Change the system time→Administrators
9. Create a pagefile→Administrators
10. Create a token object
11. Create permanent shared objects
12. Debug programs→Administrators
13. Deny access to this computer from the network→SUPPORT_########
14. Deny logon as a batch job
15. Deny logon as a service
16. Deny logon locally→SUPPORT_########,Guest
17. Deny logon through Terminal Services
18. Enable computer and user accounts to be trusted for delegation
19. Force shutdown from a remote system→Administrators
20. Generate security audits→LOCAL SERVICE,NETWORK SERVICE
21. Increase scheduling priority→Administrators
22. Load and unload device drivers→Administrators

23. Lock pages in memory
24. Log on as a batch job→SUPPORT_########
25. Log on as a service→NETWORK SERVICE
26. Log on locally→Administrators,Users,Power Users,Backup Operators
27. Manage auditing and security log→Administrators
28. Modify firmware environment values→Administrators
29. Perform volume maintenance tasks→Administrators
30. Profile single process→Administrators,Power Users
31. Profile system performance→Administrators
32. Remove computer from docking station→Administrators,Users,Power Users
33. Replace a process level token→LOCAL SERVICE, NETWORK SERVICE
34. Restore files and directories→Administrators,Backup Operators
35. Shut down the system→Administrators,Users,Power Users,Backup Operators
36. Synchronize directory service data
37. Take ownership of files or other objects→Administrators
Security Options Policy Settings:
1. Accounts: Administrator account status→Enabled
2. Accounts: Guest account status→Disabled
3. Accounts: Limit local account use of blank passwords to console logon only→Disabled
4. Accounts: Rename administrator account→(Rename this account to yourfirstname)
5. Accounts: Rename guest account→(Rename this account to guser#)
6. Audit: Audit the access of global system objects→Enabled
7. Audit: Audit the use of Backup and Restore privilege→Enabled
8. Audit: Shut down system immediately if unable to log security audits→Enabled
9. Devices: Allow undock without having to log on→Disabled
10. Devices: Allowed to format and eject removable media→Administrators
11. Devices: Prevent users from installing printer drivers→Enabled
12. Devices: Restrict CD-ROM access to locally logged-on user only→Enabled
13. Devices: Restrict floppy access to locally logged-on user only→Enabled
14. Devices: Unsigned driver installation behavior→Do not allow installation
15. Domain controller: Allow server operators to schedule tasks→Not defined
16. Domain controller: LDAP server signing requirements→Not defined
17. Domain controller: Refuse machine account password changes→Not defined
18. Domain member: Digitally encrypt or sign secure channel data (always)→Enabled
19. Domain member: Digitally encrypt secure channel data (when possible)→Enabled
20. Domain member: Digitally sign secure channel data (when possible)→Enabled
21. Domain member: Disable machine account password changes→Disabled
22. Domain member: Maximum machine account password age→30 days
23. Domain member: Require strong (Windows 2000 or later) session key→Disabled
24. Domain member: Require strong (Windows 2000 or later) session key→Disabled

Appendix C: SecureSystems.doc 345


APPENDIX C
25. Interactive logon: Do not display last user name→Enabled
26. Interactive logon: Do not require CTRL+ALT+DEL→Disabled
27. Interactive logon: Message text for users attempting to log on→Warning, This system is
for authorized users only. Anyone using this system without authority is subject to
prosecution. Additionally, the system may be monitored. By using this system, you
consent to monitoring and any suspicious activity may be reported to the proper authorities.
28. Interactive logon: Message title for users attempting to log on→Warning! This system is
for authorized users only!
29. Interactive logon: Number of previous logons to cache (in case domain controller is not
available)→1 logon
30. Interactive logon: Prompt user to change password before expiration→14 days
31. Interactive logon: Require Domain Controller authentication to unlock workstation→
Disabled
32. Interactive logon: Smart card removal behavior→Force Logoff
33. Microsoft network client: Digitally sign communications (always)→Disabled
34. Microsoft network client: Digitally sign communications (if server agrees)→Enabled
35. Microsoft network client: Send unencrypted password to third-party SMB servers→
Disabled
36. Microsoft network server: Amount of idle time required before suspending session→15
minutes
37. Microsoft network server: Digitally sign communications (always)→Disabled
38. Microsoft network server: Digitally sign communications (if client agrees)→Disabled
39. Microsoft network server: Disconnect clients when logon hours expire→Enabled
40. Network access: Allow anonymous SID/Name translation→Disabled
41. Network access: Do not allow anonymous enumeration of SAM accounts→Enabled
42. Network access: Do not allow anonymous enumeration of SAM accounts and shares→
Disabled
43. Network access: Do not allow storage of credentials or .NET Passports for network
authentication→Disabled
44. Network access: Let Everyone permissions apply to anonymous users→Disabled
45. Network access: Named Pipes that can be accessed anonymously→
COMNAP,COMNODE,SQL\
QUERY,SPOOLSS,LLSRPC,EPMAPPER,LOCATOR,TrkWks,TrkSvr
46. Network access: Remotely accessible registry paths→System\CurrentControlSet\Control\
ProductOptions,System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\
Control\Server Applications,System\CurrentControlSet\Services\Eventlog,Software\
Microsoft\OLAP Server,Software\Microsoft\Windows NT\CurrentVersion,System\
CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\Terminal
Server,System\CurrentControlSet\Control\Terminal Server\UserConfig,System\
CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
47. Network access: Shares that can be accessed anonymously→COMCFG,DFS$
48. Network access: Sharing and security model for local accounts→Classic—local users
authenticate as themselves
49. Network security: Do not store LAN Manager hash value on next password change→
Disabled

346 Security+ A CompTIA Certification


APPENDIX C
50. Network security: Force logoff when logon hours expire→Enabled
51. Network security: LAN Manager authentication level→Send LM & NTLM responses
52. Network security: LDAP client signing requirements→Negotiate signing
53. Network security: Minimum session security for NTLM SSP based (including secure
RPC) clients→No minimum
54. Network security: Minimum session security for NTLM SSP based (including secure
RPC) servers→No minimum
55. Recovery console: Allow automatic administrative logon→Disabled
56. Recovery console: Allow floppy copy and access to all drives and all folders→Disabled
57. Shutdown: Allow system to be shut down without having to log on→Disabled
58. Shutdown: Clear virtual memory pagefile→Disabled
59. System cryptography: Use FIPS compliant algorithms for encryption, hashing, and
signing→Disabled
60. System objects: Default owner for objects created by members of the Administrators
group→Object creator
61. System objects: Require case insensitivity for non-Windows subsystems→Enabled
62. System objects: Strengthen default permissions of internal system objects (e.g. Symbolic
Links)→Enabled
Event Log Settings:
1. Event Log Maximum Size: 9984 KB
2. When Maximum Log Size Reached: Do not Overwrite Events
Windows 2000 Server Hardening Recommendations
1. Install the latest Windows 2000 patches and hot fixes on all server systems. All security
patches should be installed immediately when available. Make sure to configure the
system before connecting to the Internet, as during the installation, the system is vulnerable.
2. Install the Windows 2000 Security Rollup Package 1.
3. Turn off all unnecessary services (Web service, FTP, NNTP and Print Spooler).
4. Install Internet Explorer 6.0.
5. Convert all drives to NTFS. If the partition you installed Windows 2000 Server on was
converted to NTFS after the installation, use fixacls.exe from the Windows NT Server
Resource Kit to tighten security after converting.
6. Use the MBSA tool to verify the system is secure.
7. Apply the Windows Media Player Security Patch.
8. Protect the Registry from anonymous access by non-administrative users: From HKEY_
LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg,
remove the Backup Operators group from the permissions list and grant the local
Administrators group Full Control permission.
9. Restrict access to public Local Security Authority (LSA) information: Set HKEY_
LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous = 1
(value type = REG_DWORD).
Windows 2000 Active Directory Hardening Recommendations
1. Check security on Active Directory objects.

Appendix C: SecureSystems.doc 347


APPENDIX C
2. Policy Security Settings: these settings should be automatically configured by using Group
Policy. All domain controllers will use the Microsoft high-security template file included
with Windows 2000, hisecdc.inf.
3. Check TechNet and the Center for Internet Security for the latest recommendations for
securing the registry and the file system.
4. See the Active Directory administrator or Windows 2000 security administrator for
additional security settings or use of any additional security templates.
Windows 2000 File and Print Server Hardening Recommendations
1. Oversee the Desktop team so that they only grant the minimal NTFS and share
permissions necessary for users.
2. Enable the Print Spooler service.
3. Suppress default administrative shares: Set HKEY_LOCAL_MACHINE\SYSTEM\
CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer = 0 (data type:
REG_DWORD).
4. Microsoft network client: Digitally sign communications (always)→Enabled.
5. Do not set up a file and print server on a domain controller.
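The password, lockout and audit settings in the Windows XP section above, together with the RestrictAnonymous and AutoShareServer registry values in the two Windows 2000 lists, can be checked against a running system by exporting its effective policy with secedit /export /cfg <file> and comparing the export with the baseline. The script below is an added example written for this appendix, not part of the manual or of SecureSystems.doc; it assumes secedit’s INF layout (the [System Access], [Event Audit] and [Registry Values] sections and their key names) and works on a constructed export that contains three deliberate deviations.

```python
# Added example, not part of the manual or of SecureSystems.doc: compare a
# `secedit /export /cfg <file>` dump with the Appendix C baseline. Section and
# key names are the ones secedit writes on Windows 2000/XP; the sample export
# further down is constructed for the example.
import configparser
from typing import Dict, List, Tuple

# Appendix C values, keyed the way secedit names them. Audit values use
# secedit's encoding: 0 = no auditing, 1 = success, 2 = failure, 3 = both.
# Registry values are written "<type>,<data>", where type 4 is REG_DWORD.
BASELINE: Dict[str, Dict[str, str]] = {
    "System Access": {
        "PasswordHistorySize": "24",   # Enforce password history -> 24 remembered
        "MaximumPasswordAge": "30",    # Maximum password age -> 30 days
        "MinimumPasswordAge": "7",     # Minimum password age -> 7 days
        "MinimumPasswordLength": "8",  # Minimum password length -> 8 characters
        "PasswordComplexity": "1",     # Complexity requirements -> Enabled
        "ClearTextPassword": "0",      # Reversible encryption -> Disabled
        "LockoutBadCount": "3",        # Account lockout threshold -> 3 attempts
        "LockoutDuration": "30",       # Account lockout duration -> 30 minutes
        "ResetLockoutCount": "30",     # Reset lockout counter after -> 30 minutes
    },
    "Event Audit": {
        "AuditAccountLogon": "3",      # Success and Failure
        "AuditAccountManage": "3",     # Success and Failure
        "AuditDSAccess": "0",          # No auditing (domain controllers only)
        "AuditLogonEvents": "3",       # Success and Failure
        "AuditObjectAccess": "2",      # Failure
        "AuditPolicyChange": "3",      # Success and Failure
        "AuditPrivilegeUse": "2",      # Failure
        "AuditProcessTracking": "0",   # No auditing
        "AuditSystemEvents": "3",      # Success and Failure
    },
    "Registry Values": {
        # Windows 2000 Server: RestrictAnonymous = 1; File and Print: AutoShareServer = 0
        r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous": "4,1",
        r"MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer": "4,0",
    },
}

# Constructed export with three deliberate deviations: a 42-day maximum
# password age, a lockout threshold of 5, and RestrictAnonymous left at 0.
SAMPLE_EXPORT = r"""[System Access]
MinimumPasswordAge = 7
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPrivilegeUse = 2
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer=4,0
"""


def parse_export(text: str) -> configparser.ConfigParser:
    """Parse the INF text of a secedit export. Real export files are UTF-16;
    open them with encoding="utf-16" before passing the text here."""
    # Only "=" separates keys from values; interpolation is off because values
    # may contain "%" or "$". Option lookups are case-insensitive by default.
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(text)
    return cfg


def check_baseline(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (section, key, expected, actual) for every baseline setting the
    export does not satisfy; actual is "MISSING" when the export omits it."""
    cfg = parse_export(text)
    findings = []
    for section, settings in BASELINE.items():
        for key, expected in settings.items():
            actual = cfg.get(section, key, fallback="MISSING").strip()
            if actual != expected:
                findings.append((section, key, expected, actual))
    return findings


def format_report(findings: List[Tuple[str, str, str, str]]) -> str:
    if not findings:
        return "All baseline settings match."
    lines = [f"{len(findings)} setting(s) deviate from the baseline:"]
    for section, key, expected, actual in findings:
        lines.append(f"  [{section}] {key}: expected {expected}, found {actual}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(check_baseline(SAMPLE_EXPORT)))
```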
Windows 2000 RRAS Hardening Recommendations
1. Use static pools of addresses for VPN clients, not DHCP.
2. Only use L2TP/IPSec for VPN clients.
Windows 2000 DNS Hardening Recommendations
1. For internal DNS servers, install DNS on domain controllers, switch Active Directory to
Native mode, and use AD-integrated DNS zones.
2. Use secure dynamic updates for DNS zones on domain controllers.
3. Install fault tolerant DNS servers on different subnets.
4. Use ISP BIND DNS servers in addition to internal DNS servers.
5. Secure the DNS cache against pollution.
6. For DNS servers in the DMZ, use stand-alone Windows 2000 Servers or BIND DNS. Do
not install DNS on domain controllers when the DNS server will be exposed to the
Internet.
Windows 2000 IIS Hardening Recommendations
1. Enable IIS logging.
2. Install the IIS Security Rollup Package.
3. Run the IIS Lockdown Wizard using the default settings in the Static Web Server
template; be sure to install URLScan and review the scan results.
4. Do not install IIS on a domain controller.
Exchange 2000 Hardening Recommendations
1. Enable Exchange 2000 diagnostic logging on the MSExchangeIS/Mailbox/Logons at the
minimum level.
2. Enable message size limits of 40,000, 50,000 and 60,000 KB respectively.
3. Enable SMTP logging for the SMTP virtual server.
4. Enable Exchange 2000 message tracking.
5. Block inbound SMTP traffic for the following domains:

• hacker.com
• intruder.com
6. Install Exchange compatible anti-virus software and enable attachment restrictions.
Instant Messaging Hardening Recommendations
1. Install Instant Messaging (IM) servers behind firewalls and do not connect them to the
Internet (Use Exchange IM only). IM will be used for internal communication only.
2. IM server will host user accounts.
3. Use Windows Authentication. Do not use Digest authentication, as this will require
passwords to be stored with reversible encryption.

APPENDIX D
Security+ Exam Objectives Mapping
The following table lists the test domains and objectives for the Security+ examination, and
where they are covered in this course. Some objectives were covered in the prerequisite
courses and were not repeated in this course. Objectives covered in the prerequisite courses are
mapped to the course part numbers, which are listed along with their corresponding titles in a
table at the end of this appendix.

Security+ exam objectives are current as of 3/1/2003.

Security+ Test Domains and Objectives          Element K Course Lessons and Topics
Domain 1.0: General Security Concepts
  1.1 Access Control                           Appendix A
  1.2 Authentication                           Appendix A
  1.3 Non-essential Services and Protocols     Lesson 2, Topic A
  1.4 Attacks                                  Lesson 1
  1.5 Malicious Code                           Lesson 1, Topic B
  1.6 Social Engineering                       Lesson 1, Topic A
  1.7 Auditing                                 Lesson 8, Topic A; Lesson 2, Topic A
Domain 2.0: Communication Security
  2.1 Remote Access                            Lesson 4, Topic D
  2.2 E-mail                                   Lesson 3, Topic F
  2.3 Web                                      Lesson 3, Topic C; Lesson 4, Topic C
  2.4 Directory                                Lesson 2, Topic B
  2.5 File Transfer                            Lesson 3, Topic D
  2.6 Wireless                                 Lesson 4, Topic B
Domain 3.0: Infrastructure Security
  3.1 Devices                                  Lesson 1, Topic C; Lesson 3, Topic A; Lesson 4, Topic B
  3.2 Media                                    Appendix B
  3.3 Security Topologies                      Lesson 2, Lesson 3, Lesson 4, Lesson 5, and Lesson 8
  3.4 Intrusion Detection                      Lesson 8
  3.5 Security Baselines                       Lesson 2, Topic A
Domain 4.0: Basics of Cryptography
  4.1 Algorithms                               Lesson 4, Topic A
  4.2 PKI                                      Lesson 5, Topic A
  4.3 Standards and Protocols                  Lesson 4, Topic A
  4.4 Key Management/Certificate Lifecycle     Lesson 5, Topics A, B, and D; Lesson 6, Topics C, D, and G
Domain 5.0: Operational/Organizational Security
  5.1 Physical Security                        Lesson 1, Topic C; Lesson 7, Topic C
  5.2 Disaster Recovery                        Lesson 7, Topic C
  5.3 Business Continuity                      Lesson 7, Topic C
  5.4 Policies and Procedures                  Lesson 2, Topic A; Lesson 7; Lesson 8, Topic D
  5.5 Privilege Management                     Appendix A
  5.6 Forensics                                Lesson 7, Topic B
  5.7 Risk Identification                      Lesson 8, Topic A
  5.8 Education                                Lesson 7, Topic D
  5.9 Documentation                            Lesson 7

APPENDIX E
Automated Setup Instructions
The classroom computers will be configured to dual-boot between Windows 2000 Server and
Windows XP Professional. You will need one computer for the instructor and one computer for
each student. In the following procedures you will set up the instructor computer first so that
the Windows 2000 Server and Windows XP Professional source files will be shared from the
instructor computer’s hard drive. Then the automated setup will install the student computers
over the network.
See your manufacturer’s reference manual for hardware considerations that apply to your
specific hardware setup.
Approximate setup time using these instructions is 3.5 hours for the instructor system and 3.5
hours for a student system. You must install the instructor computer before you can start the
student computer installations. You may install multiple student computers at the same time.

Before You Get Started


Before you start the process, you’ll need to assemble the following:
• Two (2) blank CD-R discs
• Three (3) blank floppy disks
• Windows 2000 Server installation CD-ROM
• Exchange 2000 Server installation CD-ROM
• Windows XP Professional installation CD-ROM
• Windows 2000 Service Pack 2
• Exchange 2000 Server Service Pack 3
• All the software listed in the Instructor’s Edition setup instructions

Create the Windows 98 Boot Disk


Create the Windows 98 boot disk you’ll need for this setup by completing the following steps:
1. Download the Boot98.exe file from www.bootdisk.com/bootdisk.htm (download the
Windows 98 OEM version).
2. Double-click Boot98.exe and insert a floppy disk when prompted.
3. When the process is complete, remove and label the floppy disk.

Appendix E: Automated Setup Instructions 353


APPENDIX E
Create the Instructor and Student Floppy Disks
Create the instructor and student floppy disks by completing the following steps:
1. From the course CD-ROM, in the DATA\Data\Automated Setup directory, double-click
the INSTRUCTOR.exe file.
2. In the WinImage Self Extractor dialog box, click OK. Insert a floppy disk when
prompted.
3. When the Instructor floppy disk is complete, remove and label it.
4. From the course CD-ROM, in the DATA\Data\Automated Setup directory, double-click
the STUDENT.exe file. In the WinImage Self Extractor dialog box, click OK. Insert a
floppy disk when prompted.
5. When the Student floppy disk is complete, remove and label it.

Create the CD-ROMs Containing Windows 2000


SP2 and Exchange 2000 Server SP3
Create the CD-ROMs containing Windows 2000 SP2 and Exchange 2000 Server SP3 by
completing the following steps:
1. Extract the contents of the Windows 2000 Service Pack 2 file, W2KSP2.exe.
2. Create one CD that contains the following folder and software in the root of the CD:
• W2KSP2: Copy the contents of the I386 folder from the extracted W2KSP2.exe file.
3. Create one CD that contains the following folder and software in the root of the CD:
• E2KSP: Copy all the Microsoft Exchange 2000 Service Pack 3 files and folders.
4. When the process is complete, remove and label the CD-ROMs.

Install the Instructor’s Computer


Install the instructor’s computer by completing the following steps:
1. Use the Windows 98 boot disk to boot the computer.
2. Choose Start Computer With CD-ROM Support.
3. Start Fdisk. Enter Y to enable large disk support.
4. Use Fdisk to delete any existing partitions.
5. Use Fdisk to create a 6 GB primary DOS partition. (You may use a larger partition if
you’d like, but it must be at least 6 GB.)
6. Set the new partition as the active partition.
7. Create a 4 GB extended DOS partition. Define a logical drive using the entire extended
partition.
8. Press Esc until you return to a command prompt. Restart the computer.
9. Use the Windows 98 boot disk to reboot the computer. Start Computer With CD-ROM
Support.
10. Use Format.exe to format the C and D drives. You do not need to copy the system files.
11. Boot the computer with the Instructor floppy disk.
12. When prompted, insert the Windows 2000 Server installation CD and press Spacebar.
13. When you see the CD Found message, press any key to continue.

14. Remove the Windows 2000 Server installation CD from the CD drive and eject the floppy
disk when the initial file copy completes and the Windows 2000 Server installation starts
(the Windows 2000 Server Setup blue screen).
15. Enter the following information for the Windows 2000 Server when you are prompted:
a. Enter an appropriate name and organization.
b. Enter the product key, if necessary.
c. Name the computer Server100. Do not change the password that’s been entered
automatically.
d. Set the date and time appropriate for your location.
16. When installation is complete and the computer restarts, a DOS window appears. If
necessary, move it to the bottom of the screen so that the prompts to insert CDs are
visible. (There might be a delay of several seconds up to a minute before the prompts
begin to appear.)
17. Insert the Exchange 2000 CD-ROM when prompted. Click OK.
18. Insert the Windows XP Professional CD-ROM when prompted. Click OK.
19. Insert the Windows 2000 SP2 CD-ROM. Click OK.
20. Insert the Exchange 2000 Server SP3 CD-ROM. Click OK.
21. After the file copy is complete, the Active Directory Installation Wizard will run, and the
computer will restart and log on automatically as Administrator. Setup will then install
Windows 2000 SP2 and restart. Setup will then install Exchange 2000 Server and
Exchange 2000 Server SP3.
22. Setup will then begin the Windows XP Professional installation. When prompted:
a. Enter the product key, if necessary. The computer will continue with setup and then
restart into a text-based setup, where it will continue to install the operating system
on the D drive.
b. Enter an appropriate name and organization.
c. Name the instructor computer Client100. Do not change the password that’s been
entered automatically.
d. Set the date and time settings appropriate for your location.
23. When Windows XP installation is complete, the system will reboot into Windows XP and
log on automatically. Because of the default operating system settings, if you don’t
immediately continue setup, you’ll be logged out of Windows XP. If that happens, log on as
Administrator with a password of !Pass1234 to continue setup.
24. In Windows XP, configure the IP address by completing the following steps:
a. In Control Panel, open Network And Internet Connections.
b. Open Network Connections.
c. Right-click Local Area Connection and choose Properties.

The activities in this course require static IP addresses. If you are attached to a corporate network,
consult with your TCP/IP or network administrator to verify that this IP configuration does not
conflict with any other addresses in your location. Internet access is recommended in this class, so you
should also consult with them on an appropriate method of providing access (for example, Network
Address Translation (NAT)). Also, check with them on any additional parameters that may be needed
for Internet access (for example, a default gateway and additional DNS servers). If you do add
additional DNS servers for Internet access for each computer, make sure you always leave the
classroom-configured DNS server IP address as first in the list.

d. Open the properties of the TCP/IP protocol and configure the TCP/IP protocol
settings with a static IP address of 192.168.y.200, where y is your unique number for the
classroom. Enter a subnet mask of 255.255.255.0. Do not enter a classroom DNS
server address.
25. Set up your Internet connection as appropriate for your classroom. If you’re not connected
to the Internet, you can skip this step.
26. Open Windows Explorer and browse to the C:\SPlus folder. In the C:\SPlus folder, create
the following subfolders and add the specified contents:
• W2KSP3: Copy the Microsoft Windows 2000 Service Pack 3 files.
• W2KSRP: Copy the Microsoft Windows 2000 Security Rollup Package 1.
• IIS: This folder will contain the following subfolders:
— SecRollup: Copy the Microsoft Internet Information Server (IIS) Security Rollup
Package.
— Lockdown: Copy the Microsoft IIS Lockdown Tool.
• IE6: Copy Microsoft Internet Explorer 6 setup files from the IE6 installation
CD-ROM so students can do a full installation without Internet access, or, if you will
be setting up Internet access in the classroom, you can simply copy the small
Ie6setup.exe file that you downloaded from Microsoft. There are steps for both types
of installations in the activity.
• WMPPatch: Copy the Cumulative Patch for Windows Media Player.
• XPProSP1: Copy the Microsoft Windows XP Service Pack 1 files.
• MBSA: Copy the Microsoft Baseline Security Analyzer.
• E2KIM: Copy the Microsoft Exchange Instant Messaging Client.
• SMS: Copy the SMSSetup folder and the NMext folder from the Microsoft Systems
Management Server 2.0 with Service Pack 2 installation CD.
• SecurityAnalyst: Extract the Intrusion SecurityAnalyst setup files from the zipped
source file. Place the extracted files directly in the \SPlus\SecurityAnalyst folder, not
a subfolder.
• SMBRelay: Copy smbrelay.exe.
• LC4: Copy L0phtCrack4.
• RealSecureDP: Copy RSDPEvalSetup.exe.
• Tools: Copy the Foundstone Tools. If you used the option to download all the tools,
extract foundstone_tools.zip to \Tools. Otherwise, use the following subfolders in the
Tools folder:
— SuperScan: Copy SuperScan v2.0.
— UDPFlood: Extract the UDPFlood v2.0 files from the zipped source file.
— DDosPing: Extract the DDosPing v2.0 files from the zipped source file.
• CourseCD: Copy the PowerPoint slides for the course and the PowerPoint viewer
application from the course CD that shipped with this book. (If you prefer, you can
run the slides directly from the CD’s Autorun interface.)
• Student: Extract the data files from the course CD that shipped with this book to the
\Student directory. If necessary, remove the Read-only attribute from the data files
after extracting them.

27. Install Microsoft Network Monitor 2.0 from the C:\SPlus\SMS\NMext\I386 directory by
double-clicking the Setup.exe file. When prompted, accept the license agreement and
select all default choices.
28. Configure sharing on the C:\SPlus folder by completing the following steps:
a. Use Windows Explorer or My Computer to open the C drive.
b. Right-click the SPlus folder and choose Sharing And Security.
c. Click the If You Understand The Security Risks But Want To Share Files Without
Running The Wizard Click Here link.
d. Select Just Enable File Sharing and click OK.
e. In the SPlus Properties dialog box, under Network Sharing And Security, check
Share This Folder On The Network. Uncheck Allow Network Users To Change My
Files. Click OK. It will take a few minutes for the permissions to be set on all the
subfolders.
f. Close My Computer or Windows Explorer.
29. Configure Windows 2000 Server to be the default choice in the boot loader menu by
completing the following steps:
a. From the Start menu, right-click My Computer and choose Properties.
b. Select the Advanced tab.
c. Under Startup And Recovery, click Settings.
d. From the Default Operating System drop-down list, select Microsoft Windows 2000
Server /fastdetect.
e. Click OK twice.
30. Reboot the computer into Windows 2000 Server. Log on as Administrator with a
password of !Pass1234.
31. Configure the IP address by completing the following steps:
a. In Control Panel, open Network And Dial-up Connections.
b. Right-click the Local Area Connection object and choose Properties.
c. Open the properties of the TCP/IP protocol and configure it with a static IP address
of 192.168.y.100, where y is a unique number on your local subnet. Enter a subnet
mask of 255.255.255.0. For example, if this is the only classroom in your location,
then the instructor’s IP address would be 192.168.1.100. Enter this same IP address
as the Preferred DNS Server address.
32. Name the Loopback adapter:
a. Right-click Local Area Connection 2 (the loopback adapter) and choose Rename.
b. Type Loopback Adapter and press Enter.
c. Close Network And Dial-up Connections.
33. Change your DNS zone type from Active Directory-integrated to Standard Primary by
completing the following steps:
a. From the Start menu, choose Programs→Administrative Tools→DNS.
b. Expand your DNS server and expand Forward Lookup Zones. Select and right-click
the Domain100.internal zone object, and choose Properties.
c. Change the Type to Standard Primary. Click OK twice.
d. Change Allow Dynamic Updates to Yes. Click OK.
e. Close DNS.

34. Create a DHCP scope by completing the following steps:
a. From the Start menu, choose Programs→Administrative Tools→DHCP.
b. Right-click the DHCP server object (Server100) and choose New Scope.
c. Use the New Scope Wizard to create a DHCP scope using the following parameters:
— Scope Name: Local100
— Address Range: 192.168.y.101 to 192.168.y.101 (/24), where y is your unique number
for the classroom (a range of just one address).
— Do not add exclusions.
— Accept the default lease duration.
— Do not configure DHCP scope options.
— Close DHCP.
35. Configure and enable RRAS by completing the following steps:
a. From the Start menu, choose Programs→Administrative Tools→Routing And Remote
Access.
b. Right-click the server object (Server100) and choose Configure And Enable Routing
And Remote Access using the following settings:
— Select Virtual Private Network (VPN) Server.
— Accept the default protocols (TCP/IP).
— Select the Loopback Adapter as the Internet connection.
— Assign IP addresses automatically.
— Don’t use RADIUS.
— Click OK to close the DHCP Relay Agent message box.
c. Expand the RRAS server object, expand IP Routing, and open the properties of the
DHCP Relay Agent. Configure the agent with the server’s IP address.
d. Right-click DHCP Relay Agent and choose New Interface. Select the Loopback
Adapter. Accept the default relay agent properties.
e. Collapse all the expanded nodes of the tree and close Routing And Remote Access.
36. Allow authenticated users to log on to the domain controller by completing the following
steps:
a. From the Start menu, choose Programs→Administrative Tools→Domain Controller
Security Policy.
b. Expand Security Settings, Local Policies.
c. Select User Rights Assignment.
d. In the details pane, double-click Log On Locally.
e. In the Security Policy Setting dialog box, click Add.
f. In the Add User Or Group dialog box, click Browse.
g. In the Select Users Or Groups dialog box, click Authenticated Users.
h. Click Add, and then OK.
i. Click OK twice more. Close Domain Controller Security Policy.
37. Create the Web sites you’ll use in class by completing the following steps:

a. Copy the Northeast, Boc2, and Swashtop files from the student data files to
C:\Inetpub\wwwroot. Rename Northeast to Default. (This creates the Nuclear Plant
Training Site home page.)
b. Copy the Register and Dac10001 files from the student data files to the C:\Register
directory.
c. In the C:\Register directory, rename Register to Default. This creates the Student
Registration Web page.

If you find you can’t connect to the Web pages, check to be sure the files aren’t named with double
file extensions.

d. Open Internet Explorer and connect to http://Server100 to verify that you can see the
default Web site (the Nuclear Plant Training Site).
e. Connect to http://Server100/Register to verify that you can see the Registration Web
Page. Close Internet Explorer.
38. Open the course PowerPoint slides to verify that they display properly.
39. Reboot the computer into Windows XP Professional. You don’t have to log on; the
student computer setups and the first activity in the course require the instructor computer to
be booted to Windows XP Professional.

Install the Student Computers


IMPORTANT: The instructor computer (CLIENT100) must be booted to the Windows
XP Professional operating system for the student computer unattended installations to
work correctly.
Install the student computers by completing the following steps on each computer:
1. Use the Windows 98 boot disk to boot the computer.
2. Choose Start Computer With CD-ROM Support.
3. At the A:\ prompt, enter fdisk to start Fdisk.exe. Enter Y to enable large disk support.
4. Use Fdisk to delete any existing partitions.
5. Use Fdisk to create a 6 GB primary DOS partition. (You may use a larger partition if
you’d like, but it must be at least 6 GB.)
6. Set the new partition as the active partition.
7. Create a 4 GB extended DOS partition. Define a logical drive using the entire extended
partition.
8. Press Esc until you return to the command prompt. Restart the computer.
9. Use the Windows 98 boot disk to reboot the computer. Start Computer With CD-ROM
Support.
10. Format the C and D drives. You do not need to copy the system files.
11. Boot the computer with the Student floppy disk.
12. When prompted, insert the Windows 2000 Server installation CD and press Spacebar.
13. When you see the CD Found message, press any key to continue.
14. Remove the Windows 2000 Server installation CD from the CD drive and eject the floppy
disk when the initial file copy completes and the Windows 2000 Server installation starts
(the Windows 2000 Server Setup blue screen).
15. Enter the following information for Windows 2000 Server when you are prompted:

a. Enter an appropriate name and organization.
b. Enter the product key, if necessary.
c. Name each student computer Server#, where # is a unique integer you assign to each
student. Do not change the password that’s been entered automatically.
d. Set the date and time appropriate for your location.
16. Click OK to acknowledge that you must enter a domain name. Then, during the Active
Directory Installation Wizard, enter the following information when prompted:
a. Full DNS Name: domain#.internal, where # is the unique number assigned to this
student/computer.
b. Domain NetBIOS name: DOMAIN#.
c. Accept the default locations for the Active Directory database and log.
d. Accept the default location for the SYSVOL folder.
e. Click OK in the DNS message box.
f. Verify that Yes, Install And Configure DNS On This Computer is selected.
g. Select Permissions Compatible Only With Windows 2000 Servers.
h. Accept the password that’s automatically entered as the Directory Services Restore
Mode Administrator password.
i. When prompted for the install files, change the Copy Files From location from
E:\i386 to D:\i386 and click OK.
j. Click Finish to complete the wizard. Restart when prompted. You will be logged
back on automatically. (If not, log on as Administrator with a password of
!Pass1234.)
17. When prompted, configure the TCP/IP protocol settings with a static IP address of
192.168.y.#, where y is your unique number for the classroom and # is the unique integer
you assigned to each student. For example, if this is the only classroom in your location,
and this is the third student computer you are installing, then the student computer name
would be Server3 and the IP address would be 192.168.1.3. Accept the subnet mask of
255.255.255.0.
18. When prompted, enter the IP address of the CLIENT100 computer (instructor’s computer
with the SPlus share). Setup will install Windows 2000 SP2 and restart automatically.
19. After the computer reboots automatically, if necessary manually log on as Administrator
with a password of !Pass1234.
20. Enter the following information for the Microsoft Exchange 2000 Server Setup when you
are prompted:
a. Agree to the license agreement.
b. Enter the product key, if necessary.
c. For the Microsoft Exchange 2000 component, choose the Custom installation action.
d. Verify that Install is selected for Microsoft Exchange Messaging and Collaboration
Services.
e. Verify that Install is selected for Microsoft Exchange System Management Tools.
f. Choose Install for Microsoft Exchange Instant Messaging Service.
g. Create a new Exchange Organization named Organization#.
h. Agree to the license agreement.

i. Click Finish to complete the wizard and start the Exchange 2000 Server SP3
installation.
21. After the Exchange 2000 Server SP3 installation is complete, enter the following
information for the Windows XP Professional installation when you are prompted:
a. Enter the product key, if necessary.
b. Enter the appropriate name and organization for your environment.
c. For each student computer, name the computer Client#, where # is a unique integer
you assigned to each student. Do not change the password that’s been entered
automatically.
d. Set the date and time settings appropriate for your location.
22. When the automated setup is completed, the computer will restart automatically, boot into
Windows XP Professional, and log you on as Administrator.
23. Configure the IP address by completing the following steps:
a. In Control Panel, open Network And Internet Connections.
b. Open Network Connections.
c. Right-click Local Area Connection and choose Properties.
d. Open the properties of the TCP/IP protocol and configure the TCP/IP protocol
settings with a static IP address of 192.168.y.200+#, where y is your unique number for
the classroom and # is the unique integer you assigned to each student. For example,
in classroom 1, the address for Client6 would be 192.168.1.206. Enter a subnet mask
of 255.255.255.0. Do not enter a classroom DNS server address.
24. Create and configure user accounts by completing the following steps:
a. From the Start menu, right-click My Computer and choose Manage.
b. Expand Local Users And Groups, and select the Users folder.
c. Right-click the Users folder and select New User.
d. Name the new user Admin# and give it a password of password. Uncheck the check
box for the user to change their password at next logon. Click Create and then Close.
e. Right-click the Admin# user and select Properties.
f. Select the Member Of tab.
g. Click Add and, in the Enter The Object Names To Select text box, enter
Administrators. Click OK.
h. Click OK and close Computer Management.
25. Install Microsoft Network Monitor 2.0 from the \\Client100\SPlus\SMS\NMext\I386
directory by double-clicking the Setup.exe file. When prompted, accept the license agreement
and select all default choices.
26. Configure Windows 2000 Server to be the default choice in the boot loader menu by
completing the following steps:
a. From the Start menu, right-click My Computer and choose Properties.
b. Select the Advanced tab.
c. Under Startup And Recovery, click Settings.
d. From the Default Operating System drop-down list, select Microsoft Windows 2000
Server /fastdetect.
e. Click OK twice.

27. Reboot the computer into Windows 2000 Server. Log on as Administrator with the
password of !Pass1234.
28. Configure the preferred DNS server address by completing the following steps:
a. In Control Panel, open Network And Dial-up Connections.
b. Right-click Local Area Connection and choose Properties.
c. Open the properties of the TCP/IP protocol and configure the Preferred DNS Server
with the same IP address you have assigned to this server.
29. Name the Loopback adapter:
a. In Network And Dial-up Connections, right-click Local Area Connection 2 (the
loopback adapter) and choose Rename.
b. Type Loopback Adapter and press Enter.
c. Close Network And Dial-up Connections.
30. Change your DNS zone type from Active Directory-integrated to Standard Primary by
completing the following steps:
a. From the Start menu, choose Programs→Administrative Tools→DNS.
b. Expand your DNS server and expand Forward Lookup Zones. Select and right-click
the Domain100.internal zone object, and choose Properties.
c. Change the Type to Standard Primary. Click OK twice.
d. Change Allow Dynamic Updates to Yes. Click OK.
e. Close DNS.
31. Create a DHCP scope by completing the following steps:
a. From the Start menu, choose Programs→Administrative Tools→DHCP.
b. Right-click the DHCP server object (Server#) and choose New Scope.
c. Use the New Scope Wizard to create a DHCP scope using the following parameters:
— Scope Name: Local#, where # is the student/computer’s unique number.
— Address Range: 192.168.y.50+#/24, where y is your unique number for the
classroom and # is a unique integer you assigned to each student. For example,
for Server6 in classroom 1, create a range of 192.168.1.56 – 192.168.1.56 (a
range of just one address).
— Do not add exclusions.
— Accept the default lease duration.
— Do not configure DHCP scope options.
— Close DHCP.
32. Configure and enable RRAS by completing the following steps:
a. From the Start menu, choose Programs→Administrative Tools→Routing And Remote
Access.
b. Right-click the server object (Server#) and choose Configure And Enable Routing
And Remote Access using the following settings:
— Select Virtual Private Network (VPN) Server.
— Accept the default protocols (TCP/IP).
— Select the Loopback Adapter as the Internet connection.
— Assign IP addresses automatically.
— Don’t use RADIUS.

— Click OK to close the DHCP Relay Agent message box.
c. Expand the RRAS server object, expand IP Routing, and open the properties of the
DHCP Relay Agent. Configure the agent with the server’s IP address.
d. Right-click DHCP Relay Agent and choose New Interface. Select the Loopback
Adapter. Accept the default relay agent properties.
e. Collapse all the expanded nodes of the tree and close Routing And Remote Access.
33. Allow authenticated users to log on to the domain controller by completing the following
steps:
a. From the Start menu, choose Programs→Administrative Tools→Domain Controller
Security Policy.
b. Expand Security Settings, Local Policies.
c. Select User Rights Assignment.
d. In the details pane, double-click Log On Locally.
e. In the Security Policy Setting dialog box, click Add.
f. In the Add User Or Group dialog box, click Browse.
g. In the Select Users Or Groups dialog box, click Authenticated Users.
h. Click Add, and then OK.
i. Click OK twice more. Close Domain Controller Security Policy.
34. Create the Web sites you’ll use in class by completing the following steps:
a. Copy the Northeast, Boc2, and Swashtop files from the student data files to
C:\Inetpub\wwwroot. Rename Northeast.htm to Default.htm. (This creates the
Nuclear Plant Training Site home page.)
b. Copy the Register.htm and Dac10001.gif files from the student data files to the
C:\Register directory.
c. In the C:\Register directory, rename Register.htm to Default.htm. This creates the
Student Registration Web page.
d. Open Internet Explorer and connect to http://Server# to verify that you can see the
default Web site (the Nuclear Plant Training Site).
e. Connect to http://Server#/Register to verify that you can see the Registration Web
Page. Close Internet Explorer.
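The instructor and student steps above share one addressing scheme on 192.168.y.0/24: Server# at .#, Client# at .200+#, a one-address DHCP scope at .50+#, and the instructor’s Server100, Client100 and Local100 scope at .100, .200 and .101. The following Python script is an added example, not part of the course materials or its data files; it builds that plan for a classroom and checks it for overlapping addresses before any computer is installed, so you can see how many students the scheme supports. The function names are my own.

```python
"""Classroom addressing plan for the automated setup (added example).

Assignments taken from the setup steps (y = classroom number, # = student number):
  instructor Server100 -> 192.168.y.100     instructor Client100 -> 192.168.y.200
  instructor DHCP scope Local100 -> 192.168.y.101 (single address)
  student Server#  -> 192.168.y.#            student Client#  -> 192.168.y.200+#
  student DHCP scope Local# -> 192.168.y.50+# (single address)
"""
from __future__ import annotations

from ipaddress import IPv4Address, IPv4Network


def classroom_network(y: int) -> IPv4Network:
    """The /24 used by classroom y; y must itself be a valid third octet."""
    if not 1 <= y <= 254:
        raise ValueError("classroom number y must be between 1 and 254")
    return IPv4Network(f"192.168.{y}.0/24")


def host(y: int, last_octet: int) -> str:
    """Return 192.168.y.<last_octet>, rejecting the network (.0) and broadcast (.255) octets."""
    if not 1 <= last_octet <= 254:
        raise ValueError(f"host octet {last_octet} is outside the usable range 1..254")
    addr: IPv4Address = classroom_network(y).network_address + last_octet
    return str(addr)


def classroom_plan(y: int, students: int) -> dict[str, str]:
    """Map every host name and DHCP scope in classroom y to its address."""
    plan = {
        "Server100": host(y, 100),
        "Client100": host(y, 200),
        "DHCP Local100": host(y, 101),
    }
    for n in range(1, students + 1):
        plan[f"Server{n}"] = host(y, n)           # Windows 2000 Server side
        plan[f"Client{n}"] = host(y, 200 + n)     # Windows XP Professional side
        plan[f"DHCP Local{n}"] = host(y, 50 + n)  # one-address scope handed to RRAS
    return plan


def find_collisions(plan: dict[str, str]) -> dict[str, list[str]]:
    """Return {address: [names]} for every address the plan assigns more than once."""
    by_addr: dict[str, list[str]] = {}
    for name, addr in plan.items():
        by_addr.setdefault(addr, []).append(name)
    return {addr: names for addr, names in by_addr.items() if len(names) > 1}


def max_students(y: int = 1) -> int:
    """Largest student count whose plan has no collisions and stays inside the /24."""
    n = 0
    while True:
        try:
            candidate = classroom_plan(y, n + 1)
        except ValueError:          # an octet ran past 254
            return n
        if find_collisions(candidate):
            return n
        n += 1


if __name__ == "__main__":
    for name, addr in sorted(classroom_plan(1, 6).items(), key=lambda kv: kv[1]):
        print(f"{name:14s} {addr}")
    print("students supported per classroom:", max_students(1))
    print("first collision:", find_collisions(classroom_plan(1, max_students(1) + 1)))
```

Running it shows the scheme holds for 49 students per classroom; the fiftieth student’s DHCP scope (.50+50) would land on the instructor’s Server100 address.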

LESSON LABS
Due to classroom setup constraints, some labs cannot be keyed in sequence immediately
following their associated lesson. Your instructor will tell you whether your labs can be practiced
immediately following the lesson or whether they require separate setup from the main lesson
content.

LESSON 1 LAB 1
Classifying Attacks
Activity Time:
15 minutes

Scenario:
Your IT department wants to know when they are being attacked and what types of attacks
are occurring. As the new security administrator for your organization, you have been asked to
give a presentation on the different types of attacks that may occur on your network. Before you
do, you’ll take a look at some sample attacks that have occurred in your organization and classify
them into the appropriate categories.

1. In all cases of poor performance, your IT administrator Ronald has already used
existing baselines to rule out a temporary spike in traffic or insufficient server
hardware as the cause. Ronald knows it’s an attack, but he doesn’t know the type of
attack. Fill in the blanks with the most likely type(s) of attack.
A help desk person in your organization sniffs the network for telnet user accounts and
passwords. She then uses this information to log on to the network to steal sensitive
data. What type of attack(s) did the attacker use?

The help desk receives a call from someone claiming to be a support person asking the
FQDN and IP address of the Web server in your organization. A short while later, no
one on the Internet can get to your Web server because the performance has suddenly
dropped. What type of attack(s) did the attacker use?

An IT administrator looks at Human Resources records, then deletes the audit log file
to erase any record of him accessing the files. Just to be sure he hides his tracks, he
also does a restore from tape. The next day, he tells the other IT staff that there was a
problem with a server hard drive and he had to restore a tape backup. What type
of attack(s) did the attacker use?

A user forwards an email with attachments to other users in the organization. The
email states that a person is in dire need of help and asks the recipient to forward the
email to others immediately. It causes a virus to spread within the organization. What
type of attack(s) did the attacker use?

An attacker scans your network and finds port 21 open. She then retrieves a user name
and password for your server. After logging on, she creates an account with
administrative privileges. Later, she logs on with this account and steals data. What type of
attack(s) did the attacker use?

LESSON 2 LAB 1
Hardening an Operating System
Activity Time:
1 hour(s)

You can find a suggested solution for this activity in the Hardening an Operating System.txt file in the Solutions
folder in the student data files.

Setup:
You have a new installation of a Windows 2000 Server on a computer named NUC01 in a
domain named NUCLEAR. The default administrator account has been set up with a password
of !Pass1234. Tools, Service Packs, and data files for this activity are available in the C:\SPlus
folder:
• Windows 2000 Service Pack 2: \W2KSP2
• Windows 2000 Security Rollup Package 1: \W2KSRP
• Internet Explorer 6: \IE6
• Windows Media Player Security Patch: \WMPPatch
• Microsoft Baseline Security Analyzer: \MBSA

Scenario:
You are the security administrator for a nuclear plant and you need to make sure your new
servers are secure. The Windows 2000 servers are currently being installed with the default
configuration and this is leaving the servers vulnerable to attacks. The nuclear plant wants to
minimize the possibility of those attacks and does not want to use IIS. The server being
installed is also a domain controller, and according to the Active Directory design team, you
need to harden it with the default high security template. Before connecting the new Windows
2000 Servers to your network and joining the computers to the domain, you want to make sure
that the server operating system on the domain controller is hardened to minimize the
likelihood of attacks from both internal and external users.

1. Install the Microsoft Baseline Security Analyzer.

If you are not connected to the Internet, MBSA will be unable to read the list of current security patches from
Microsoft. If the system determines that there are current patches that have not been implemented, this could
mean that Microsoft released additional patches since this course was written. Make sure to check
www.microsoft.com/security and the Windows Update Web site (http://windowsupdate.microsoft.com) for the
latest security patches.
2. Run the Microsoft Baseline Security Analyzer.

3. Correct the problems found by the Microsoft Baseline Security Analyzer.

4. Configure the domain controller with the default high security template.


LESSON 3 LAB 1
Hardening a Web Server
Activity Time:
1 hour(s)

You can find a suggested solution for this activity in the Hardening a Web Server.txt file in the Solutions folder in
the student data files.

Setup:
You have a new installation of a Windows 2000 stand-alone server on a computer named
Server#, where # is a unique integer assigned to each student in your lab, in a workgroup
named workgroup. The default administrator account has been set up with a password of
!Pass1234. The base operating system has been hardened. Tools, Service Packs, and data files
for this activity are available in the C:\SPlus directory in the following folders:
• IIS\SecRollup: Microsoft Internet Information Server (IIS) Security Rollup
Package
• IIS\Lockdown: Microsoft IIS Lockdown Tool

Scenario:
You are the security administrator for a college and you need to make sure your new Web
servers are secure. The Windows 2000 servers are currently being installed with the default
configuration and this is leaving the servers vulnerable to attacks. The college wants to
minimize the possibility of those attacks. They also do not want FTP installed but would like to
use NNTP and ASP. Before connecting the new Windows 2000 Servers to your network, you
want to make sure that the Web server is hardened to minimize the likelihood of attacks from
both internal and external users.

1. Install the Microsoft Internet Information Server (IIS) Security Rollup Package.

2. Verify that logging is enabled on the default Web site.

3. Install the Microsoft IIS Lockdown Tool.

4. Run the Microsoft IIS Lockdown Tool with the appropriate options.

5. What other steps would you take if you were going to further harden the Web
server?

368 Security+ A CompTIA Certification


LESSON 4 LAB 1
Securing Network Traffic Using IPSec
Activity Time:
45 minutes

You can find a suggested solution for this activity in the IPSec.txt file in the Solutions folder in the student data
files.

Setup:
You have two Windows XP Professional computers named NUCXP1 and NUCXP2. There is
an administrative-level account on the computer named Admin#. The password for this account
is !Pass1234.

Scenario:
You are the security officer at a nuclear plant and you need to make sure that highly sensitive
data transferred between Windows XP computers is secure. In the past, the nuclear plant has
had problems with employee personnel information being compromised as it traveled across
the network. The plant has decided to not use certificates or deploy Active Directory for now
but wants to require the use of IPSec to secure all IP traffic. The first Windows XP computers
you need to secure are two systems that security officers use daily in a small workgroup.

1. On both Windows XP computers, create an MMC console with the IP Security Policy
Management and IP Security Monitor snap-ins.

2. On both Windows XP computers, configure the appropriate IPSec policy with the
same preshared key.

3. On both Windows XP computers, assign the policy.

4. On NUCXP1, open Network Monitor and start a capture between the two Windows
XP computers.

5. On NUCXP1, try to connect to NUCXP2 to verify the Security Association.

6. On NUCXP1, stop the capture and verify IPSec is being used between the two
computers.

7. Which frame showed the security association between the two computers?

8. How else could you verify the IPSec policy is working?

LESSON 5 LAB 1
Installing and Configuring a Certificate Authority
Activity Time:
45 minutes

You can find a suggested solution for this activity in the Certificate Authority.txt file in the Solutions folder in the
student data files.

Setup:
You have two new installations of Windows 2000 Server configured as domain controllers.
The computers are named BROKERSRV1 and BROKERSRV2 and are installed in a domain named
BROKERS. The default administrator account has been set up with a password of !Pass1234.

Scenario:
You are the security administrator for a brokerage firm and you need to make sure your email
communication is secure. The brokerage is currently not encrypting email transmissions and
wants to prevent any attacker from intercepting any emails that contain private client
information. You want to make sure that email communications are secure by implementing
the PKI plan from the brokerage firm’s IT department to minimize the likelihood of attacks
from both internal and external users. The plan calls for an enterprise root CA and an enterprise
subordinate CA and backing up the CA itself along with a separate backup of the domain
controller. Authenticated users should be able to use certificate templates. You should verify
the backups are successful by periodically doing a restore. The IT team will back up the
domain controllers at night and later, the email administrators will start using certificates from
the CA. The IT department wants these descriptions for the CAs:
1. Enter this CA information for the enterprise CA when prompted:
• Enter Broker Root CA as the CA Name.
• Enter Education as the Organizational Unit.
• Enter Syracuse as the City.
• Enter New York as the State Or Province.
• Verify that US is selected as the Country/Region.
• Enter secadmin@broker.internal as the E-mail.
• Enter Enterprise CA Root for Syracuse as the CA Description.
• From the Valid For drop-down lists, select 2 Years.
2. Enter this CA information for the subordinate CA when prompted:
• Enter Broker Subordinate CA as the CA Name.
• Enter Education as the Organizational Unit.
• Enter Syracuse as the City.
• Enter New York as the State Or Province.
• Verify that US is selected as the Country/Region.
• Enter secadmin@broker.internal as the E-mail.
• Enter Subordinate CA Root for Syracuse as the CA Description.
• From the Valid For drop-down lists, select 2 Years.
1. Install the enterprise root CA.

2. Install the enterprise subordinate CA.

3. Verify that Certificate Services was installed properly on each domain controller.

4. Configure Active Directory so that Authenticated Users have permissions to use
certificate templates.

5. Back up the individual CAs.

6. Test a restore of the CAs.

LESSON 6 LAB 1
Managing and Using Certificates
Activity Time:
30 minutes

You can find a suggested solution for this activity in the Certificates.txt file in the Solutions folder in the student
data files.

Setup:
You have a new installation of a Windows 2000 Server configured as a standalone root CA.
The computer name is BankSRV1. The default administrator account has been set up with a
password of !Pass1234. You have an email address of secadmin@bankers.internal.

Scenario:
You are the security administrator for an international bank based in Chicago, Illinois, and you
need to make sure your email communication is secure. The bank is currently not encrypting
email transmissions and wants to prevent any attacker from intercepting any emails that contain
confidential information. You want to make sure that email communications are secure by
implementing the PKI plan from the brokerage firm’s IT department to minimize the likelihood
of attacks from both internal and external users. The bank PKI plan requires a standalone root
CA, which has already been installed. Many of the bank employees use laptops. You need to
make sure enrollment of certificates is working properly before you let laptop users enroll. You
also need to back up their individual private keys in case they leave the organization or lose
their private key. You should verify the backups are successful by periodically doing a test
restore. The IT team will back up the servers at night and later, the email administrators will
start using certificates from the CA once you have verified the enrollment process is working
properly. The desktop team will later configure users’ email to use the certificates. The IT
department stated that once you are done testing with your account you should revoke your
certificate and publish the CRL. The planning document calls for daily updates to the CRL.

1. Request an email certificate for your user account.

2. Issue the pending request.

3. Install the new certificate.

4. Back up the certificate and private key.

5. Delete your email certificate.

6. Restore the certificate and private key from the backup.

7. Revoke your certificate.

8. Change the CRL publishing interval.

9. Publish the CRL.

LESSON 7 LAB 1
Implementing and Enforcing a Security Policy for an
Organization
Activity Time:
30 minutes

You can complete this activity immediately following the lesson or any other time.

You can find a suggested solution for this activity in the Policy.txt file in the Solutions folder in the student data
files.

Data Files:
• UKSecurityPolicy.rtf

Scenario:
As the security administrator for your organization located in London, you have been assigned
the task of implementing a security policy. You have downloaded a sample policy from
www.ruskwig.com/security_policies.htm and named it UKSecurityPolicy.rtf. You’ll need to
customize it later for your environment. A help desk employee, Vladimir, has given you a
report of information gathered at the help desk and he thinks that some of these are possible
security issues. He asks you to determine whether or not they are within the guidelines of your
new Security Policy. You will not be responsible for taking any action against the users, but it
is your responsibility to enforce the policy and make sure the appropriate changes are made
based on possible breaches. You will then report back to Vladimir with your findings.
Using the UKSecurityPolicy.rtf policy document, determine which of the following scenarios
are within the guidelines of the organization’s new policy. If not, what steps would you take to
enforce the security policy?

1. A user named Allison brings in some floppy disks from home which have some
documents on them that she was editing at home. She scanned them at home with
a virus scanner before bringing them into the office.

2. A user named Amjad downloads some shareware that will assist him in creating
scripts. It was downloaded from a well-known Web site and Amjad started using it
immediately after downloading.

3. A user named Laura accidentally gets a virus on her computer. Rather than reporting
the virus, she immediately scans her system and is happy that it is now clean.

4. An IT administrator named Ulf logs on to a UNIX system as an administrator to
install new IDS software.

5. An accountant named Rolly uses ftp to download some files from the corporate
UNIX FTP server.

6. Angela, the NetWare administrator, configures the NetWare server for three grace
logins.

7. Kelly set up the voicemail accounts with passwords of eight characters.

8. An IT administrator, Catherine, installs a licensed, authorized copy of Microsoft
SMS to inventory computers.

9. The human resource department has been locking their workstations when they
are not in use.

10. An IT administrator, Alex, installs a new Windows 2000 server, records the
administrator password, and locks it in the IT room.

LESSON 8 LAB 1
Monitoring for Intruders
Activity Time:
45 minutes

You can find a suggested solution for this activity in the Monitoring.txt file in the Solutions folder in the student
data files.

Data Files:
• Monitoring.txt

Setup:
Tools are available on each computer in the C:\SPlus folder. Your computer is a Windows XP
computer named ITStaff1. Your user name is Admin# with a password of !Pass1234.

Scenario:
You’ve recently been hired to assist the security administrator at a large university. Your first
task is to try to figure out who has been trying to break in to student and faculty computers
across campus. The security administrator reports that his investigation so far has determined
that an intruder, possibly from within the campus network, has been scanning ports and trying
to access a number of computers using a variety of methods, including ftp, telnet, and HTTP.
The intruder may be trying to access and compromise sensitive data, such as exams that
teachers have stored on their hard drives and student grade reports.
The security administrator wants you to use Windows XP security audits, and the other tools at
your disposal, on a standalone Windows XP computer to try to lure the intruder and discover
who it is. You’ve been told to use the Windows XP computer SciFaculty1, which contains a
folder named Physics Exams that’s meant to appeal to the intruder. There is an administrative-
level account on the computer named Admin#. The Administrator has also copied the
following software onto the SciFaculty1 computer:
• NFR BackOfficer Friendly
• ISS RealSecure Desktop Protector evaluation version
You have the following software available on the ITStaff1 computer:
• @stake L0phtCrack4
• Foundstone SuperScan v2.0
Before you go live on the network with the new honeypot, you’ve been instructed to install
and test the intrusion detection software and the security audits.

1. Install RealSecure Desktop Protector on SciFaculty1.

2. Install and configure BackOfficer Friendly on SciFaculty1.

3. Configure auditing on SciFaculty1.

4. On ITStaff1, use SuperScan to scan SciFaculty1.

5. On ITStaff1, use L0phtCrack to attempt to scan for passwords on SciFaculty1.

6. Try to connect to SciFaculty1 from your computer using at least one user account.
Try to access the Physics Exam folder using the C$ administrative share.

7. Try to ftp and telnet into SciFaculty1.

8. Try to connect to SciFaculty1 using HTTP.

9. What types of intrusion alerts do you see on SciFaculty1?

10. What types of events were written to the security log on SciFaculty1?

SOLUTIONS
Lesson 1
Activity 1-1

1. True True or False? A supposed customer calls the help desk stating that she cannot
connect to the e-commerce Web site to check order status. She would also like a
user name and password. The user gives a valid customer company name, but is not
listed as a contact in the customer database. The user doesn’t know the correct
company code or customer ID.

2. False True or False? The VP of Sales is in the middle of a presentation to a group of
key customers and accidentally logged off. She urgently needs to continue with the
presentation, but forgot her password. You recognize her voice on the line, but she is
supposed to have her boss make the request according to the company password
security policy.

3. False True or False? A new accountant was hired and is requesting that a copy of
the accounting software be installed on his computer so he can start working
immediately. Last year, someone internal compromised company accounting records,
so distribution of the accounting application is tightly controlled. You have received all
the proper documentation for the request from his supervisor and there is an available
license for the software.

4. True True or False? Christine receives a message in her instant messaging software
asking for her account and password. The person sending the message states that the
request comes from the IT department, because they need to do a backup of
Christine’s local hard drive.

5. True True or False? Rachel gets an email with an attachment that is named
NewVirusDefinitions.vbs.

6. True True or False? A user calls the help desk stating that he is a phone technician
needing the password to configure the PBX and voice mail system.

7. True True or False? A security guard lets a vendor team through without a required
escort as they have shirts on from the preferred vendor, and they stated they were
called in to fix an urgent problem. The guard attempted to call the authorization
contact in the organization, but the phone was busy for over 10 minutes.

8. False True or False? The CEO of the organization needs to get access to data
immediately. You definitely recognize her voice, but a proper request form hasn’t
been filled out to modify the permissions. She states that normally she would fill out
the form and should not be an exception, but she urgently needs the data.

Activity 1-2

1. Kim, a help-desk staffer, gets a phone call from Alex in human resources stating that
he can’t log on. Kim looks up the account information for Alex and sees that the
account is locked. This is the third time the account has locked this week. Alex insists
that he was typing in his password correctly. Kim notices that the account was locked
at 6 A.M.; Alex says he was at a meeting at a client’s site until 10 A.M. today. It seems
like a case of a password attack.

2. Judi, who does backups, states that according to her log files, an IT administrator
performed a restoration on the accounting server last night. You send out an email asking
all the members of the IT department whether there were any problems with the
servers last night as you see nothing entered on the IT problem log forms. All of IT
responds stating no problems occurred last night. Something isn’t right, and it all adds
up to a misuse of privilege attack.

3. You find out the security log was cleared on the file and print server. No one in IT
claims responsibility. No matter who did this, you consider it an audit attack.

4. Your antivirus software has detected the ILOVEYOU virus. You’re under attack from a
malicious code attack.

5. While administering user accounts you notice that a new account called LyleBullock
has been created on your server. You know of no user in your organization with that
name. The account also is part of the administrators group. It’s a classic backdoor
attack.

6. While you are connected to another host on your network, the connection is suddenly
dropped. When you review the logs at the other host, it appears as if the connection is
still active. You suspect a hijacking attack.

7. Your e-commerce Web server is getting extremely slow. Customers are calling stating
that it is taking a long time to place an order on your site. This could be a Denial of
Service (DoS) attack.

8. Your intranet Webmaster, Tim, has noticed an entry in a log file from an IP address
that is within the range of addresses used on your network. Tim does not recognize
the computer name as valid. Your network administrator, Deb, checks the DHCP server
and finds out the IP address is not in any of the scopes. This seems to be a case of an
IP spoofing attack.

9. Tina, the network analysis guru in your organization, analyzes a network trace capture
file and finds out that packets have been intercepted and retransmitted to both a
sender and a receiver. You’ve experienced a man-in-the-middle attack.

10. You get an email from an outside user letting you know in a friendly way that she
found it very easy to determine the correct password to access your FTP server. To
prove it, she includes the FTP password in the email. All your files are still on the FTP
server and have not been modified. Although this person had no malicious intent, you
still consider it an eavesdropping attack.

Activity 1-3

1. An intruder enters a locked building at night and steals five laptops from various users
in the software development department. What type of attack is this?
This is a hardware attack.

2. An intruder enters a locked building at night, sits at a user’s desk, and tries to enter a
user name and password to log on to the computer based on notes he finds taped to
the user’s monitor. What type of attack is this?
This is a software attack (password attack).

3. To obtain user names and passwords, an attacker installs a device on a keyboard that
records the user’s keystrokes. What type of attack is this?
This is a hardware attack.

4. An attacker removes the battery backup on a critical server system and then cuts
power to the system, causing irreparable data loss. What type of attack is this?
This is a hardware attack.

5. An attacker tricks a user into running an executable that modifies an application on
the user’s mobile device so it consumes more power than normal and depletes the
device’s battery, causing data loss. What type of attack is this?
This is a combination of social engineering and software attacks (DoS attack).

Lesson 1 Follow-up
Lesson 1 Lab 1

1. A help desk person in your organization sniffs the network for telnet user accounts and
passwords. She then uses this information to log on to the network to steal sensitive
data. What type of attack(s) did the attacker use? Eavesdropping and misuse of
privilege attacks.

2. The help desk receives a call from someone claiming to be a support person asking for the
FQDN and IP address of the Web server in your organization. A short while later, no
one on the Internet can get to your Web server because the performance has suddenly
dropped. What type of attack(s) did the attacker use? Social engineering and DoS/DDoS
attacks.

3. An IT administrator looks at human resource records, then deletes the audit log file
to erase any records of him accessing the files. Just to be sure he hides his steps, he
also does a restore from tape. The next day, he tells the other IT folks that there was a
problem with a server hard drive and he had to restore a tape backup. What type
of attack(s) did the attacker use? Misuse of privilege, audit, and social engineering
attacks.

4. A user forwards an email with attachments to other users in the organization. The
email stated that a person was in dire need of help and to please forward the email to
others immediately. It causes a virus to spread within the organization. What type of
attack(s) did the attacker use? Malicious code and social engineering attacks.

5. An attacker scans your network and finds Port 21 open. She then retrieves a user name
and password for your server. After logging on, she creates an account with
administrative privileges. Later, she logs on with this account and steals data. What type of
attack(s) did the attacker use? Port scanning, eavesdropping, and backdoor attacks.

Lesson 2
Activity 2-1

2. What type of attack is this?
Password attack.

4. What type of attack is this?
Port scan attack.

Activity 2-2

3. What type of security policy document is this?
A password policy document.

4. What other types of policy documents might you need in order to create a complete
security policy?
Acceptable Use Policy; Audit Policy; Extranet Policy; Wireless Standards Policy.

5. Which of the general components of a policy document are represented in this
document?
The document includes a policy statement (sections 1.0, 2.0, and 3.0), policy standards
(section 4.1 and section 5.0), and guidelines (the remaining sections). It does not provide
procedure steps for creating or changing passwords to conform to the policy.

6. How often must users change their passwords in order to adhere to this policy?
At least once every six months.

7. What is the minimum length for a password according to this policy?
Eight characters.

8. Would “gandalf8” be an acceptable password according to this policy? Why or why not?
No. It is simply the name of a fantasy character, followed by a digit. This is prohibited in
section 4.2 A.
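The rules the Activity 2-2 answers draw out of the policy document (an eight-character minimum, a change at least once every six months, and no well-known name followed by a digit, which is what disqualifies "gandalf8") are easy to turn into an automated check. The following is an added example and is not code from the course or from the sample policy document; the COMMON_WORDS list, the reading of "six months" as 182 days and the sample passwords are constructed assumptions.

```python
"""Password policy checks for the rules named in the Activity 2-2 answers.

Added example, not from the course or its sample policy document.
Rules taken from the answers on this page: minimum length eight, change
at least once every six months, and no well-known name followed by a
digit (the "gandalf8" case). COMMON_WORDS, the 182-day reading of "six
months" and the sample passwords are constructed assumptions.
"""
from datetime import date, timedelta
import re
from typing import List

MIN_LENGTH = 8
MAX_AGE = timedelta(days=182)   # assumption: "six months" read as 182 days

# Constructed stand-in for a real dictionary plus names of fictional characters.
COMMON_WORDS = {"gandalf", "frodo", "password", "welcome", "summer"}

# A run of letters optionally followed by digits, e.g. "gandalf8".
WORD_THEN_DIGITS = re.compile(r"([A-Za-z]+)(\d*)")


def check_password(candidate: str) -> List[str]:
    """Return the rules the candidate breaks; an empty list means it complies."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    m = WORD_THEN_DIGITS.fullmatch(candidate)
    if m and m.group(1).lower() in COMMON_WORDS:
        problems.append("common word followed by digits")
    return problems


def password_expired(last_changed: str, today: str) -> bool:
    """True when the password (ISO dates) is older than the policy allows."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age > MAX_AGE


if __name__ == "__main__":
    # Constructed sample input: the page's own example plus two others.
    for pw in ("gandalf8", "Gandalf", "!Pass1234"):
        verdict = check_password(pw)
        print(f"{pw!r}: {'OK' if not verdict else '; '.join(verdict)}")
    print("expired:", password_expired("2003-01-01", "2003-08-01"))
```

In a real deployment the word list would be a full dictionary plus the organization's own names and product terms, and the age check would be driven by the directory's password-last-set attribute rather than a hand-typed date.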

Activity 2-3

2. Is there a password policy setting that lets you set a minimum password age?
Yes, under Account Policies, Password Policy, you can configure a minimum password age.

3. By default, how long are passwords valid on a Windows XP computer?
The maximum password age is 42 days.

4. Is there a way to lock out a user after he or she has entered the wrong username or
password three times?
Yes, under Account Policies, Account Lockout Policy, you can configure an account lockout
threshold to lock out users after three failed logon attempts.

5. By default, which users have been assigned the right to log on locally to a Windows XP
computer?
Members of the Administrators, Backup Operators, Power Users, and Users groups. Also,
you can use the Guest account to log on to the computer. You can view these settings in
the Log On Locally Policy in Local Policies, User Rights Assignment.

6. Is there a security option that will allow you to create and display a warning banner
when users log on?
Yes, under Local Policies, Security Options, there’s a setting named Interactive Logon:
Message Text For Users Attempting To Log On. You can enter a message to users using this
setting that warns them against improper use of the computer.

7. Under Public Key Policies, what setting can you configure?
You can add a data recovery agent.

8. What are the three default IP Security policies?
The three default IP Security policies are Client (Respond Only), Secure Server (Require
Security), and Server (Request Security).

9. True True or False? Security settings configured at the domain level will override
local policy settings on Windows XP computers in that domain.

Activity 2-4

1. What are some of the benefits of setting up an audit policy?
Answers might include: Help determine which use of company resources is legitimate and
which might be the result of an attack on the network; monitor administration of user
and group accounts and privilege use to look for signs of abuse of privilege; and track
logon attempts to look for possible attacks.

2. In addition to monitoring the overall security of a network and its resources, why else
might events in the security log be important?
Answers might include: They could be used at a later date as evidence in the prosecution
of an attacker; and evidence of attacks could be used to justify increased spending on
resources and equipment to increase network security.

3. What might a series of unsuccessful logon events indicate?
A series of unsuccessful logon attempts could indicate an attacker trying random
password attacks.

4. What type of threat or attack could you discover by monitoring successful user logons?
Successful logons, depending on time, day, or location of the logon, could indicate
successful password attacks, stolen user credentials, or even misuse of privilege.

5. What type of attack could you discover by monitoring successful changes to user or
group accounts?
Depending on the circumstance, you could uncover misuse of privilege attacks.

6. What type of attack might an empty security log indicate?
It might indicate a successful audit attack.
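The indicators in the Activity 2-4 answers (a run of failed logons, successful logons at an odd hour, account and group changes, an empty or cleared log), the three-attempt lockout threshold from Activity 2-3, the 6 A.M. lockout in Activity 1-2 question 1 and the security-log review in Lesson 8 Lab 1 question 10 can all be triaged with one pass over an exported log. The following is an added example, not code from the course: the log lines are constructed in a simplified export layout (timestamp, event ID, outcome, account, detail), not the real Event Viewer format; the event IDs are the Windows 2000/XP security log numbers as I recall them (528/529 logon success/failure, 644 account locked out, 624 account created, 636 member added to a local group, 517 audit log cleared) and should be verified against your own logs; the business-hours window is an assumption.

```python
"""Triage a Windows security log export for the attack indicators in
Activity 2-4, using the lockout threshold from Activity 2-3.

Added example, not from the course. SAMPLE_LOG is constructed; the
layout is a simplified export, not the Event Viewer format. Event IDs
follow the Windows 2000/XP security log numbering as recalled here
(528/529 logon success/failure, 644 lockout, 624 account created,
636 member added to a local group, 517 audit log cleared); verify them
against your own logs before relying on them.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple

LOCKOUT_THRESHOLD = 3            # Activity 2-3: lock out after three failures
BUSINESS_HOURS = range(8, 18)    # assumption: 08:00-17:59 is normal for interactive logons

# Constructed sample export: a lockout at 06:00, a night-time admin session that
# creates and promotes an unknown account, then clears the audit log.
SAMPLE_LOG = """\
2003-04-07 05:58:40 529 Failure alex bad password from WS17
2003-04-07 05:59:02 529 Failure alex bad password from WS17
2003-04-07 05:59:25 529 Failure alex bad password from WS17
2003-04-07 05:59:26 644 Success alex account locked out
2003-04-07 09:12:03 528 Success judi interactive logon from WS04
2003-04-07 22:41:17 528 Success deb interactive logon from WS09
2003-04-07 22:43:50 624 Success deb account LyleBullock created
2003-04-07 22:44:05 636 Success deb LyleBullock added to Administrators
2003-04-08 01:10:00 517 Success deb audit log cleared
"""


class Event(NamedTuple):
    when: datetime
    event_id: int
    success: bool
    account: str
    detail: str


def parse_log(text: str) -> List[Event]:
    """Parse the simplified export: date time id outcome account detail..."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, time, eid, outcome, account, detail = line.split(maxsplit=5)
        events.append(Event(datetime.fromisoformat(f"{day} {time}"),
                            int(eid), outcome == "Success", account, detail))
    return events


def analyze(events: List[Event]) -> Dict[str, List[str]]:
    """Map each suspected attack type to the log evidence for it."""
    findings = defaultdict(list)
    if not events:
        # Activity 2-4 question 6: nothing in the log is itself a finding.
        findings["audit attack"].append("security log is empty")
        return dict(findings)
    failures = defaultdict(int)   # consecutive failed logons per account
    for e in events:
        if e.event_id == 529:
            failures[e.account] += 1
            if failures[e.account] == LOCKOUT_THRESHOLD:
                findings["password attack"].append(
                    f"{e.account}: {LOCKOUT_THRESHOLD} failed logons by {e.when:%H:%M}")
        elif e.event_id == 528:
            failures[e.account] = 0
            if e.when.hour not in BUSINESS_HOURS:
                findings["stolen credentials / misuse"].append(
                    f"{e.account}: successful logon at {e.when:%H:%M}")
        elif e.event_id == 644:
            findings["password attack"].append(
                f"{e.account}: locked out at {e.when:%H:%M}")
        elif e.event_id in (624, 636):
            # Account creation or group membership change: review for misuse of privilege.
            findings["misuse of privilege"].append(f"{e.account}: {e.detail}")
        elif e.event_id == 517:
            findings["audit attack"].append(
                f"{e.account}: audit log cleared at {e.when:%Y-%m-%d %H:%M}")
    return dict(findings)


if __name__ == "__main__":
    for kind, evidence in analyze(parse_log(SAMPLE_LOG)).items():
        print(kind)
        for line in evidence:
            print("  -", line)
```

Each finding is only a lead: a 6 A.M. lockout is confirmed as an attack by checking where the user actually was (as Kim does in Activity 1-2), and a cleared log matters most when nobody in IT claims the action.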

Activity 2-5

2. How do the password policy settings differ in the compatws and securews templates?
In the compatws template, none of the password policies are defined, whereas there are
password policy settings defined in the securews template.

3. If you want to audit account logon events and account management, but not object
access, which security template would you use?
You would use the securews security template.

4. Which workstation template uses restricted groups to protect the Administrators and
Power Users groups?
The hisecws template.

5. If you want to reset the system-wide security policy settings to the default configuration,
you would apply the setup security template. If you want to reset the security settings on
the system root, you would apply the rootsec template.

6. Why would you choose to use Group Policy to apply security templates instead of
applying the templates locally to individual computers?
You might choose to use Group Policy if you want to deploy security templates to
multiple computers throughout an organization. It would be easier to use Group Policy to
assign the templates at the domain or OU level than it would be to apply templates
individually to multiple computers.

Activity 2-6

16. Can you tell if all current security patches have been implemented on the Windows XP
Professional system? If not, why?
If you are not connected to the Internet, MBSA will be unable to read the list of current
security patches from Microsoft. If the system determines that there are current patches
that have not been implemented, this could mean that Microsoft released additional
patches since this course was written. Make sure to check www.microsoft.com/security
and the Windows Update Web site (http://windowsupdate.microsoft.com) for the latest
security patches.

17. How would you fix some of the problems the scan has detected?
Answers may vary, but one step would be to disable unneeded services. This is not called
for in the bank’s security recommendations document, however.

Activity 2-7

10. Can you tell if all current security patches have been implemented on the Windows
2000 Server system? If not, why?
If you are not connected to the Internet, MBSA will be unable to read the list of current
security patches from Microsoft. If the system determines that there are current patches
that have not been implemented, this could mean that Microsoft released additional
patches since this course was written. Make sure to check www.microsoft.com/security
and the Windows Update Web site (windowsupdate.microsoft.com) for the latest security
patches.

11. How would you fix some of the problems the scan has detected?
Answers may vary, but one would be to disable unneeded services. This is not called for in
the bank’s security recommendations document, however.

Activity 2-9

3. What other security templates are available in a default installation of Windows 2000?
Some answers are: hisecws.inf and compatws.inf.

Activity 2-10

3. Why would you delete the DHCP relay agent?
Answers might include: You don’t want the DHCP broadcast packets to traverse the
router. This would also prevent valid clients from getting addresses. Alternatively, you
could configure your router with a helper address to hand out DHCP addresses to clients.

Activity 2-11

2. How can you prevent users from stealing print jobs from the printers?
Answers may vary, but you could lock the room the printer is in or get a tray that locks on
the printer itself.

4. What shares are currently available on the Windows 2000 server?
There are folders that are shared for Microsoft Exchange Server and to support Active
Directory. There are also default administrative shares for each disk drive, shared as
[drive$], and for the C:\WINNT folder, shared as [ADMIN$]. The Inter Process
Communication share (IPC$) is required so that the computer can create communications sessions
with other nodes on the network.

5. What could you do with the default administrative shares to harden the Windows 2000
server?
Don’t share them on startup. However, this would eliminate some remote administrative
capabilities.

Lesson 3
Activity 3-1

2. Why would you not check Activate Authentication in the General properties for RIP on
the Local Area Connection interface?
The password is sent unencrypted and is not meant to be used as a security option. If an
attacker used a sniffer, then he or she would see the password.

3. What type of attacks do the default Advanced settings for RIP on the Local Area
Connection interface protect against?
These settings will protect against attacks that would attempt to update the routers
incorrectly to cause looping and convergence problems on the routers.

5. What is the security benefit of the peer security feature that you have just enabled?
The router will now only accept update announcements from the peer router. Any other
announcements (for example, from an attacker’s router) will be discarded.

6. What basic operating-system hardening procedures will also protect a software-based
router such as this?
Answers might include strong password requirements for system logon, auditing, and
system logon banners.

7. This software-based router does not have a live connection to another subnet. If the
computer was a true multi-homed router with multiple network cards, what additional
hardening steps should you take on this router to accomplish the additional security
goals in the scenario?
Implement a filter on the external router interface to block any packets that come from
external source, but which carry an internal IP address.

Activity 3-3

1. Why use the IIS Lockdown tool?
The IIS Lockdown tool can be used to automatically harden a Web server according to
Microsoft’s recommendations instead of making the configuration changes manually.

2. Of the three Web servers you currently have, which can you use the IIS Lockdown tool
to secure?
You can use it on both the Windows NT 4.0 and Windows 2000 Web servers.

3. Why would you choose to enable URLScan?
To more tightly control how your Web server responds to certain HTTP requests and to
keep a log of the types of requests your Web server is denying.

4. True True or False? You can use the IIS Lockdown tool to completely remove IIS
from a server.

5. False True or False? You may not make any manual changes after running the IIS
Lockdown tool.
You may make any manual configuration changes you need after you run the IIS Lockdown
tool.

Activity 3-5

7. How did you identify the frame containing the clear-text password?
It is an FTP protocol request. The Description column entry reads “Req. from port [####],
‘PASS !Pass1234’.”

Activity 3-7

5. What security problems can remain with anonymous-only logons?
Until the users are retrained not to use their domain accounts, they might still attempt
to log on with those accounts. The user names and passwords will still be sent in clear
text.

6. Other than restricting logons, how else could you protect against an eavesdropping
attack against clear text FTP passwords?
Answers may vary; for example, you could encrypt data that is being sent from the FTP
client to the FTP server by using IPSec.

Activity 3-9

4. Why would you enable message size limits?
To prevent DoS attacks. An attacker could send lots of email to all the mailboxes and fill the hard drive or hit the maximum limit of 16 GB on standard edition.

Activity 3-10

3. What authentication methods should be enabled on the Instant Messaging Virtual Directory if users log on through a proxy server?
a) Anonymous access
b) Basic authentication
✓ c) Digest authentication
d) Integrated Windows authentication

4. True or False? If you use Digest Authentication, you must configure user passwords to be stored using reversible encryption.
True.

Lesson 4
Activity 4-1

1. Why use IPSec? Why isn’t it enough to harden the servers and the client computers?
While hardening servers and clients secures those computers, their communications—that is, the packets they exchange across a network—are still vulnerable to attack. IPSec secures the packets as they travel from one computer to another, securing that data against any known form of attack.

3. If you want a Windows 2000 server to request negotiations for a secure session but still communicate with a computer that does not respond to the request, you would use the Server default IPSec policy.

4. If you want a Windows 2000 server to require secure communications at all times and not communicate with another computer that can’t negotiate a secure session, you would use the Secure Server default IPSec policy.

6. How are the five components of the rule displayed?
The five components of the rule are displayed as tabs in the rule’s Properties dialog box.

7. Match the component with its description.

IP filter: b. Describes the specific protocol, port, and source computer or destination computer to which the rule should apply.
Filter action: a. Defines the action the IPSec driver should take when it encounters a packet that matches an IP filter.
Authentication method: e. Establishes a trust relationship as part of the Phase 1 SA.
Tunnel setting: c. Allows you to configure the computer to create a tunnel to another computer.
Connection type: d. Lets you specify the network connection to which this rule applies.

8. If you choose to use a pre-shared key as the authentication method, which characters must the key contain?
The key may contain any combination of characters, but the key must be exactly the same on any computer you want to negotiate a secure connection using IPSec.

9. True or False? You must explicitly assign a policy to a computer to apply its settings to that computer.
True.

10. What would happen if you had a Secure Server policy assigned to a Windows 2000 server but no Client policies assigned to the Windows XP computers in the network?
The Windows XP computers would not be able to communicate with the Windows 2000 server.

Activity 4-2

3. Why are there Server and Secure Server policies on a Windows XP computer?
Because you can use them to request or require a secure connection to a Windows XP computer.

Lesson 5
Activity 5-1

4. Why do you need to install the CA certification path?
This will add your lab partner’s root CA as a trusted root.

5. What should you do to secure your root CA physically after it is installed?
Take the root CA offline; that is, move it to an isolated subnet so that it is not connected to the network and so that only authorized persons have physical access to it.

Activity 5-2

3. Suppose the University wanted only faculty members to be able to enroll certificates from its Enterprise CAs. How would you configure security?
Create an Active Directory group containing all the faculty user accounts, grant that group Read and Enroll permissions to the templates, and remove the Enroll permission from the Authenticated Users group.

Activity 5-3

2. If you did lose your root CA due to system failure and you did not have the password to restore, what would happen to the certificates that have already been issued?
The certificates would be rejected as invalid.

Lesson 6
Activity 6-2

4. Why did it fail?
Because the server now requires secure communications, you must use the HTTPS protocol.

6. Were you successful? Why?
Yes, after accepting all the dialog boxes, you can connect using the HTTPS protocol.

Activity 6-4

2. When will users know that the certificate is revoked?
When the CRL is published.

3. Suppose an attacker maliciously misuses administrative privileges to revoke certificates. What could you do to reinstate the certificates?
Restore the CA from a backup.

Lesson 7
Activity 7-1

1. Is this permissible? Why or why not?
No, it is not permissible. According to the policy, network sniffing is prohibited.

2. What action, if any, should you take?
If Curt’s manager indicates that Curt should be able to use company resources to practice his network monitoring skills, have him do so on an isolated subnet.

3. Is this permissible? Why or why not?
Yes, this is permissible. The policy states that users only need to change their passwords every six months. Only system-level accounts need to be changed quarterly.

4. What action, if any, should you take?
No action is necessary as Nancy’s actions conform to the security policy.

5. Is this permissible? Why or why not?
Tina broke multiple policies. One of them is: Creating or forwarding “chain letters,” “Ponzi,” or other “Pyramid” schemes of any type.

6. What action, if any, should you take?
An IT representative, an HR representative, or Tina’s manager should discuss the relevant policy with Tina and verify that she understands it. For general staff information, you can post information such as a link to http://hoaxbusters.ciac.org/ on the company Web site to assist users in determining whether or not emails are hoaxes.

7. Is this permissible? Why or why not?
No, this is not permissible. Cathy is complying with the requirement that her screensaver be password-protected. However, the screensaver should activate every 10 minutes.

8. What action, if any, should you take?
Refer Cathy to the relevant section of the acceptable use policy, and assist her in changing the activation interval for her screensaver.

Activity 7-2

1. A user opens an attachment which causes a virus to spread within the organization.
The policy does not call for legal action in this situation. However, disciplinary action may be taken.

2. A user emails a copy of a new type of encryption software program to a user in a foreign country for testing.
Depending on your locality and the destination country, this may be a legal violation of export control laws and legal action might be taken.

3. A user scans your network for open ports.
The policy does not call for legal action in this situation. However, disciplinary action may be taken.

4. A user forwards an email which appears to be a “Ponzi” or “Pyramid” scheme.
The policy does not call for legal action in this situation. However, disciplinary action may be taken.

5. Two employees have an argument at lunchtime. During the afternoon, one user sends a threatening email to the other. The second employee is afraid to leave the building unescorted that evening.
Hostile or threatening messages could be considered a form of harassment, which could be subject to legal action according to the policy.

Activity 7-3

2. A Business Continuity Plan is a policy that defines how normal day-to-day business will be maintained in the event of a major systems failure.

3. In your own words, how is a BCP different than a DRP?
Answers will vary, but in general, a BCP should focus on what needs to be done to keep the most critical components of a business running in case of a disaster, while a DRP should focus on the specific steps needed to recover your systems from a disaster.

4. Why is it important to create a BCP?
It’s important to create a BCP because you want to have a plan in place to keep your business operating in the event of a large-scale security event or other disaster. BCPs can help reduce the financial loss associated with a security attack.

5. Why is it important to create a DRP?
A DRP is important because it will provide the steps necessary to recover critical systems in the event of a disaster and help reduce any financial loss associated with the disaster.

6. What tools are available to help you create a BCP and DRP?
There are seminars, software utilities, and consulting services available.

7. In your opinion, which of the tools you’ve found in your research would be most helpful to you in creating a BCP or DRP? Why?
Answers will vary. One possible answer is a consulting firm that can assess needs and create a customized plan. This could save the cost of creating a BCP or DRP in-house.

8. You’ll probably see in your research that risk assessment is an important part of creating a BCP. Why is that?
By completing a risk assessment, you can determine what parts of the business are most vulnerable and which are of greatest consequence. You can then formulate a plan to recover from attack and keep the most important parts of your business operating.

9. In your opinion, of buildings, devices, and communications, which do you think is generally most vulnerable to attack? Which do you think would be most difficult to recover?
Answers will vary.

Activity 7-4

1. Which security level does your organization fall under? Why?
Security level 4, due to the monetary value of the equipment you need to protect in a single location.

2. Besides using blinds and locks on the windows, what else could you recommend using to secure the windows from unauthorized access?
You could install obscurity filming or even metal bars.

3. Once the motion-detection alarms are installed, what procedure will you need to follow to verify they are working properly?
You will need to perform a walktest.

4. Given the security requirements of this company and the category of risk the computing center falls into, what other physical security recommendations could you make, based on this document?
Answers may vary; for example, the escorted contractors should give 48 hours notice on what they will be doing. Computers could be placed at least 1.5 meters from external windows.

Activity 7-5

1. How could better user education have helped this situation?
Answers might include: If the employees had been aware of the dangers of opening email attachments, and had been more knowledgeable about how to identify email hoaxes, it is unlikely that the virus would have spread as far. If the initial employee in particular had been better informed, you might have been able to keep the virus out of your organization altogether.

2. What education steps do you recommend taking in response to this incident?
Answers might include: Because this was a widespread incident, your response must include better security information for all users. You should distribute or prominently post a notice regarding the incident, reviewing proper guidelines for opening email attachments and for identifying email hoaxes. You should distribute links to common hoax-debunking Web sites to make it easy for employees to research possible hoaxes. You should also review your new-hire training procedures to be sure they include information on email security.

3. How could better user education have helped this situation?
Answers might include: Regardless of the specific policy, if the employee had been informed of some common-sense security guidelines, she might have not admitted the stranger without question.

4. What education steps do you recommend taking in response to this incident?
Answers might include: This seems to be an isolated incident, so you should be sure to address it with the employee in question by reviewing all security policies with her and emphasizing the possible consequences of her actions. You should probably also post all security policies in an easily-accessible location on the network and send out a company-wide reminder about them. However, because this employee never even attempted to refer to the policy, the inaccessibility of the policy documents was not a contributing factor in this incident. Finally, you should review your new-hire security training procedures to be sure they include common-sense tips on building security.

5. How could better user education have helped this situation?
Answers might include: In this case, it’s not apparent that there were any problems in the education process. Users were aware of the presence of policy documents, but the documents themselves were inadequate because they did not deal with the dangers of this type of situation.

6. What education steps do you recommend taking in response to this incident?
Answers might include: You need to update your acceptable network use policy to make it clear what kind of authorization an individual needs in order to access the corporate network from within the building. You also need to disseminate this new information to all employees. You might want to follow this up in a few weeks or months with a “staged” attack of a similar nature, to see how employees respond.

Lesson 8
Activity 8-1

3. What ports were open on your Windows 2000 Server? Should these ports be open?
Because this server is hosting so many different services, there will be many ports open. For example, the DNS service runs on port 53. Active Directory uses ports 88, 389, 445, 464, and 636. Ports 23, 25, 110, 143 and 995 support Microsoft Exchange. The Web server uses 80 and 443. Network connections are created on port 135. The network news service will use 119 and 563. Ports higher than 1024 are dynamically-assigned ports not associated with a particular service on this server.

5. What ports were open on the Server100 computer? Should these ports be open?
Results should be similar to the local computer scan.

7. Did the scan or probe reveal any vulnerabilities?
Answers will vary depending upon your Internet access configuration. If your system is directly exposed to the Internet, the scan will probably find multiple vulnerabilities due to the large number of ports open on the computer. However, if your computer is located behind a properly-hardened Internet firewall, the system should pass the scans and appear to the scanning tool as if it is in “Stealth” mode.

Activity 8-2

5. What is the source of most of the failure ratings on this system?
This system has an abnormally small user accounts database, so an unusually high percentage of the user and group accounts on the system have Administrative privileges. A production system in a normal corporate domain would have many more user-level user and group accounts.

7. Given this analysis information, what steps could you take to harden your system further?
Answers will vary. For example, you could create stronger password policies.

8. Is it always desirable to harden a system as much as possible?
No. Security is a balancing act. Every step you take to harden a system can potentially restrict access to the system and system usability.

Activity 8-3

4. Were you successful? Why or why not?
No, because SMB Signing has been implemented on this system. This effectively protects against SMB man-in-the-middle attacks.

5. Why would an attacker attempt this operation?
The passwords retrieved when establishing the session could be used in a password cracking program.

Activity 8-4

4. Were all the passwords received? Why or why not?
No. All the users on the system (except the guest user account, which is disabled) have passwords strong enough to resist this attack.

6. Were all the passwords retrieved? Why or why not?
No. The Certification1 password for the ChrisC user-level account was cracked, but the tool only retrieved the last two digits of the more complex passwords on the administrative accounts.

7. What should you do to prevent any of the passwords on this system from being stolen by an attacker?
Implement strong passwords for all users. Restrict membership of the administrators group to prevent misuse of privilege attacks.

9. Were all the passwords received? Why or why not?
No. The computer was hardened to prevent remote access to the passwords.

Activity 8-6

2. Were you successful? Why?
Yes. The Admin100 account is common to both systems. Using this as a workgroup administrative account, you can access the other computer’s C$ share.

6. What intrusions were detected?
Many types of scans and probes against common ports.

Activity 8-7

7. Were you successful? Why?
Yes. This FTP server is deliberately configured with no logon or file-access security.

9. What was the source IP address of the attack? How can this assist you in finding the attacker?
The source IP was the attacker’s computer. Once you have the IP address, you can track the computer using that IP on campus. You can either physically go see who is using that computer, or view log files to see who logged on.

10. Why would you suspect this student was the previous attacker to the FTP site?
The attacker used Dean Allison Ager’s name when attempting to log on. The dean suspected she was the vulnerable account.

Activity 8-8

2. In your own words, why is it important to have an incident response policy?
Answers will vary, but generally, an incident response policy is important because it will help reduce confusion during a security incident by detailing who should respond to an incident and in what fashion, and it will minimize the impact such an incident will have on an organization.

3. What do you think are the most important components in the policies you’ve found?
Answers will vary.

4. How do you think the policies you’ve found answer the questions in the concepts preceding this activity?
Answers will vary.

5. In general, do you think it’s important to notify employees of ordinary security incidents? Why or why not?
Answers will vary.

6. Why might you want to alert law enforcement officials of a security incident? Why might you want to notify the media?
Answers will vary, but generally, you’d want to notify law enforcement if the incident was serious enough to have a financial impact or other consequence that might warrant a criminal investigation. You might notify the media to warn other companies to protect against a specific type of attack or if the incident had any effects on the organization that might be important to stockholders.

Activity 8-9

6. Which packets in the capture created the DoS condition? (You might need to widen the Description column.)
All the packets with a destination of Port 80.

7. Can you determine the source of the attack?
Yes. The packets show the source host’s IP address.

8. What is the first thing you should consider doing in response to this DoS attack?
You should consider doing nothing. If the attack is not degrading service, a response might only warn an attacker to be more careful next time. By watching and waiting, you might be able to accumulate evidence and take definitive action against the attacker.

9. How else could you respond to this DoS attack?
Answers may vary; for example, because you know the source host, you could block the source of the attack.

10. What steps should you take once the attack is resolved?
Following any attack, you should always re-evaluate your system hardening procedures; for example, you can scan your system for open ports and close any unneeded ports. Always keep in mind that you must not harden a system so much that it becomes inaccessible.

11. If the attacker wanted to automate the attacks instead of having to do so manually, what can the attacker do?
Install zombie agents (or drones) on each computer.

13. Were any zombie agents detected?
No.
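The following Python script is an added example and is not part of the course materials or its lab files. It performs, over a capture summary constructed for the purpose, the two checks that the Solutions for Activity 3-5/3-7 (a clear-text FTP PASS command visible in a captured frame) and Activity 8-9 (a burst of packets aimed at port 80 from one source host) describe. The one-line-per-frame format, the addresses and ports, the account name, the password and the threshold of five frames are all assumptions made for the example.

```python
"""Added example (not from the course): inspecting a packet-capture summary
for a clear-text FTP logon (Activity 3-5 / 3-7) and a flood of packets to
port 80 (Activity 8-9).

The capture below is constructed to resemble a sniffer's one-line-per-frame
summary (time, source, destination, protocol, description). Addresses,
ports and the FTP credentials are made up for the example.
"""
import re
from collections import Counter

# Constructed sample capture: ordinary DNS/HTTP/SMTP traffic, one FTP logon
# sent in clear text, and six TCP SYNs to port 80 from a single host.
CAPTURE = """\
0.000 192.168.1.50  192.168.1.10  DNS  Query for www.example.local
0.003 192.168.1.10  192.168.1.50  DNS  Response
0.010 10.0.0.77     192.168.1.10  TCP  S., src: 1025 dst: 80
0.011 10.0.0.77     192.168.1.10  TCP  S., src: 1026 dst: 80
0.012 10.0.0.77     192.168.1.10  TCP  S., src: 1027 dst: 80
0.013 10.0.0.77     192.168.1.10  TCP  S., src: 1028 dst: 80
0.014 10.0.0.77     192.168.1.10  TCP  S., src: 1029 dst: 80
0.020 192.168.1.50  192.168.1.10  TCP  .A..., src: 3001 dst: 80
0.021 192.168.1.50  192.168.1.10  HTTP GET /index.htm
0.030 192.168.1.52  192.168.1.10  FTP  Req. from port 1040, 'USER chrisc'
0.031 192.168.1.52  192.168.1.10  FTP  Req. from port 1040, 'PASS Secret99'
0.040 192.168.1.51  192.168.1.10  SMTP MAIL FROM
0.041 10.0.0.77     192.168.1.10  TCP  S., src: 1030 dst: 80
"""

FRAME_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+(?P<desc>.*)$"
)
DST_PORT_RE = re.compile(r"dst:\s*(\d+)")
FTP_CMD_RE = re.compile(r"'(USER|PASS)\s")


def parse_capture(text):
    """Turn summary lines into dicts. dst_port is None when the description
    carries no port (for example an HTTP or SMTP decode line)."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue
        frame = m.groupdict()
        port = DST_PORT_RE.search(frame["desc"])
        frame["dst_port"] = int(port.group(1)) if port else None
        frames.append(frame)
    return frames


def cleartext_ftp_logons(frames):
    """(src, dst, command) for every FTP USER or PASS command seen.
    The password itself is deliberately not returned: a report should note
    that clear-text credentials crossed the wire, not repeat them."""
    found = []
    for f in frames:
        if f["proto"] != "FTP":
            continue
        m = FTP_CMD_RE.search(f["desc"])
        if m:
            found.append((f["src"], f["dst"], m.group(1)))
    return found


def frames_to_port(frames, port=80):
    """All frames whose destination port is `port` (Activity 8-9, question 6)."""
    return [f for f in frames if f["dst_port"] == port]


def suspected_flood_sources(frames, port=80, threshold=5):
    """Source hosts that sent at least `threshold` frames to `port`
    (Activity 8-9, question 7). The threshold is a constructed value;
    tune it to the link's normal request rate before acting on it."""
    counts = Counter(f["src"] for f in frames_to_port(frames, port))
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    frames = parse_capture(CAPTURE)
    print("clear-text FTP logons:", cleartext_ftp_logons(frames))
    print("suspected flood sources:", suspected_flood_sources(frames))
```

On the constructed capture the script reports one USER/PASS pair from 192.168.1.52 and flags 10.0.0.77 as the only host exceeding the threshold toward port 80; the legitimate client 192.168.1.50 also reached port 80 but with a single frame, which is why a per-source count rather than a per-port count is the useful signal.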

Activity 8-10

6. Were you successful? Why?
No. Even though you are an administrator, you cannot access the other computer, as your lab partner blocked your computer as an intruder.

Appendix B
Activity B-1

1. Form factor refers to a drive’s width.

2. How is the storage capacity of a floppy disk determined?
The amount of data that can be stored in a disk is determined by the number of sides, tracks per side, sectors per track, and bytes that can be stored in a sector.

3. Tape drives are used primarily for backup.

Activity B-2

1. What type of media is copper cable?
✓ a) Bounded
b) Unbounded
c) Radiated
d) Inferential

2. How many grades does UTP cable come in?
a) Four
b) Five
c) Six
✓ d) Seven

3. On UTP cable, which designation describes telephone connectors?
a) Cat-5T
b) RJ-45
✓ c) RJ-11
d) RJ-568A

4. Why shouldn’t you look into the end of a fiber connector or socket, even if you don’t see a light?
The infrared light might not be visible to the human eye but will still cause eye damage.

5. What advantages does fiber have over copper media?
Distance and speed.

6. How many fiber conductors are needed to implement a full duplex connection?
Two: one for transmit (TX) and one for receive (RX).

GLOSSARY

802.11a
A more expensive but faster protocol for wireless communication than 802.11b. The 802.11a protocol supports speeds up to 54 Mbps in the 5 GHz frequency.

802.11b
Also called Wi-Fi, short for “wired fidelity,” 802.11b is probably the most common and certainly the least expensive wireless network protocol used to transfer data among computers with wireless network cards or between a wireless computer or device and a wired LAN. The 802.11b protocol provides for an 11 Mbps transfer rate in the 2.4 GHz frequency.

AH protocol
(Authentication Header protocol) A protocol that IPSec uses to provide data integrity through the use of MD5 and SHA. AH takes an IP packet and uses either MD5 or SHA to hash the IP header and the data payload, and then it adds its own header to the packet.

anomaly/profile-based analysis
Looks for network, host, or application changes compared to preset parameters. This is also known as profile-based analysis.

application-based IDS
An IDS software component that monitors a specific application on a host.

asymmetric encryption algorithm
A cryptographic algorithm that generally uses one key for encryption and another key for decryption.

attacker
Another term for a user who gains unauthorized access to computers and networks for malicious purposes.

audit attack
A type of software attack where an attacker covers his trail by deleting audit entries that might point to an intrusion.

AUP
(Acceptable Use Policy) A security policy that defines what constitutes the appropriate and inappropriate use of resources within the organization.

authentication
The process of proving a user’s or computer’s identity.

authorization
The process of taking a user’s identity after he or she has been authenticated and allowing or denying access to specific network resources.

backdoor
A mechanism for gaining access to a computer that bypasses or subverts the normal method of authentication. Back Orifice is an example of a backdoor.

backdoor attack
A type of attack where the attacker creates a mechanism to gain access to a system and its resources. This can involve software or a bogus user account.

BCP
(Business Continuity Plan) A policy that defines how normal day-to-day business will be maintained in the event of a major systems failure.

biometric authentication
Mechanism that uses a person’s physical characteristics as part of the authentication process.

black hat
A hacker who exposes vulnerabilities for financial gain or for some malicious purpose.

block cipher
A type of symmetric encryption that encrypts data a block at a time, often in 64-bit blocks. It is usually more secure, but is also slower, than stream ciphers.

brute force attack
A type of password attack where an attacker uses an application to exhaustively try every possible alphanumeric combination to try to crack encrypted passwords.

buffer overflow attack
An attack that exploits fixed data buffer sizes in a target piece of software by sending data that is too large for the buffer.

bulk encryption key
Session key generated from a master key. Schannel and Internet Key Exchange (IKE) use bulk encryption keys.

CA
(Certificate Authority) An authority in a network that issues digital certificates. CAs can provide information to others regarding the authenticity of certificates. Most CAs follow the Public Key Cryptography Standards (PKCS).

CA hierarchy
A PKI model based on the parent/child relationship.

certificate enrollment
The process of an entity (such as a user, server or an application) applying for a digital certificate from a CA.

certificate life cycle
The lifetime of a certificate from initial issuance to expiration/revocation.

certificate lifetime
The length of time a certificate is valid.

certificate management system
A system that provides the software tools to perform the day-to-day functions of the PKI.

certificate policy
A security policy that determines what information a digital certificate will contain and the parameters for that information.

certificate practice statement
A document that states how the CA will implement the certificate policy.

certificate repository
A database containing digital certificates.

chain of custody
A complete inventory of evidence that shows who has handled specific items and where they have been stored.

ciphertext
Another name for encrypted data.

corporate security policy
A collection of individual security policies that defines how security will be implemented within a particular organization.

cracker
A user who gains unauthorized access to computers and network for malicious purposes.

CRL
(Certificate Revocation List) A list of certificates that are no longer valid.

DAC
(Discretionary Access Control) In DAC, access is controlled based on a user’s identity. Objects are configured with a list of users who are allowed access to them. An administrator has the discretion to place the user on the list or not. If a user is on the list, the user is granted access; if the user isn’t on the list, access is denied.

DDoS attack
(Distributed Denial of Service attack) A software attack in which an attacker hijacks or manipulates multiple computers (through the use of zombies or drones) on disparate networks to carry out a DoS attack.

default security configuration attack
A type of software attack where an attacker attempts to gain access to a computer by exploiting the security flaws that exist in the computer’s operating system.

DH algorithm
(Diffie-Hellman algorithm) A public key algorithm that is used to securely exchange keys between entities without having any prior secrets. IPSec uses DH to generate master keys, which are then used to generate bulk keys for data encryption.

digest
A numerical result that’s generated from a mathematical function, usually a hashing algorithm. Also called a message digest.

digital certificate
An electronic document that binds two pieces of information together, the entity’s public key and the information regarding that entity, to verify the entity is who it claims to be. Many certificates are based on the X.509 standard.

digital signature
Information appended to a message identifying the sender and the message.

directory service
A network service that stores information about all the objects in a particular network, including users, groups, servers, client computers, and printers.

DoS attack
(Denial of Service attack) A software attack in which an attacker disables systems that provide network services by consuming a network link’s available bandwidth, consuming a single system’s available resources, or exploiting programming flaws in an application or operating system.

DRP
(Disaster Recovery Plan) A policy that defines how people and resources will be protected in the case of a natural or man-made disaster, and how the organization will recover from the disaster.

dual key pair
Keys that perform more than one purpose, such as keys that combine services such as encryption and digital signatures.

due care
The process of an individual or organization thoroughly investigating and researching all the issues and options relating to a particular subject.

dumpster diving
The attacker will try to gain valuable information from items that are improperly disposed of in the trash.

eavesdropping attack
A software attack where an attacker attempts to gain access to private communications on the network wire or across a wireless network. This type of attack is used either to steal the content of the communications itself or to gain information that will help the attacker later gain access to your network and resources.

encryption
The process of converting the data into coded form in such a way that only authorized parties can access the information. Only those with the necessary password or decryption key can decode and read the data.

encryption algorithm
A mathematical function that is used for encryption and decryption of data.

enumeration
The attacker will try to gain access to users and groups, network resources, shares, applications and banners, or valid user names and passwords. The attacker can obtain these through social engineering, network sniffing, dumpster diving, or watching a user log in.

ESP protocol
(Encapsulating Security Payload protocol) A protocol that IPSec uses to provide data integrity as well as data confidentiality (encryption) using one of the two encryption algorithms, DES or 3DES.

ethical hack
A hack performed, usually by a third party, to test an organization’s security infrastructure and find weaknesses.

expired certificate
A certificate that has reached the end of its lifetime.

footprinting
The attacker chooses a target organization or network and begins to gather information that is publicly available. This can also be called profiling.

guideline
A suggestion for meeting the policy standard or best practices.

hacker
A user who excels at programming or managing and configuring computer systems (or both). Often used to improperly refer to a cracker.

hardening
The process of securing a computer or other device according to a determined security policy.

hardware attack
An attack that targets a computer’s physical components and peripherals, including its hard disk, motherboard, keyboard, network cabling, or smart card reader.

hash value
A numerical result of a fixed size that is generated from a mathematical calculation, called a hashing algorithm.

hashing algorithm
An algorithm used to generate a message digest for some piece of data.

HIDS
(Host-based IDS) An IDS system that uses primarily software installed on a specific host such as a Web server.

hijacking attack
A software attack where the attacker takes control of (hijacks) a TCP session to gain access to data or network resources using the identity of a legitimate network user.

honeypot
A security tool used to lure attackers away from the actual network components. Also called decoy or sacrificial lamb.

HTTPS
Hypertext Transfer Protocol over SSL. A Web protocol that uses SSL to secure HTTP connections. HTTPS uses port 443.

IDS
(Intrusion Detection System) A software and/or hardware system that scans, audits, and monitors the security infrastructure.

IKE
(Internet Key Exchange) Used by IPSec to create a master key, which in turn is used to generate bulk encryption keys for encrypting data. (IKE is a newer term for the Internet Security Association and Key Management Protocol and Oakley key generating protocol, usually seen as ISAKMP/Oakley.)

IP spoofing attack
A type of software attack where an attacker creates IP packets with a forged source IP address and uses those packets to gain access to a remote system.

IPSec
(Internet Protocol security) A set of open, non-proprietary standards that you can use to secure data as it travels across the network or the Internet through data authentication and encryption. Many operating systems and devices support IPSec, such as Windows 2000, Windows XP, NetWare 6, Solaris 9, and routers.

IPSec driver
The IPSec driver watches packets being sent and received to determine if the packets need to be signed and encrypted based on Group Policy or local Registry settings.

IPSec Policy Agent
A service that runs on each Windows 2000 Server, Windows 2000 Professional, and Windows XP Professional computer that’s used to transfer IPSec policy from Active Directory or the local Registry to the IPSec driver.

issued certificate
A certificate issued to an individual or other device by a CA.

issuing CA
A Certificate Authority that issues certificates.

key escrow
A method of restoring a private key where the private key is divided into several parts and distributed to different individuals or trustees.

logic bomb
A piece of code that sits dormant on a user’s computer until it’s triggered by a specific event, such as a specific date. Once the code is triggered, the logic bomb “detonates,” erasing and corrupting data on the user’s computer.

M of N scheme
A mathematical control that takes into account the total number of key recovery agents along with the number of agents required to perform a key recovery.

MAC
(Mandatory Access Control) Objects (files and other resources) are assigned security labels of varying levels depending on the object’s sensitivity. Users are assigned a security level or clearance, and when they try to access an object, their clearance is compared to the object’s security label. If there’s a match, the user can access the object; if there’s no match, the user is denied access.

malicious code attack
A type of software attack where an attacker inserts malicious code into a user’s system to disrupt or disable the operating system or an application. A malicious code attack can also make an operating system or an application take action to disrupt or disable other systems on the same network or on a remote network.

man-in-the-middle attack
A type of software attack where an attacker inserts himself between two hosts to gain access to their data transmissions.

master key
A key that is used by a client and a server to generate session keys.

MD5
(Message Digest 5) This hash algorithm, based on RFC 1321, produces a 128-bit hash value and is used in IPSec policies for data authentication.

misuse of privilege attack
An attack in which a user uses legitimate administrative privileges to attack the system.

multi-factor authentication
Using another mechanism for authentication in addition to a user name and password. For example, a user name/password and a token.

NIDS
(Network-based IDS) An IDS system that uses primarily passive hardware sensors to monitor traffic on a specific segment of the network.

non-repudiation
A feature of digitally signed communications that provides the recipient a measure of security in the data received. This security comes from the sender’s or signer’s inability to deny that they performed a certain action on a block of data.

offline CA
A CA that is isolated from your organization’s network.

password attack
A type of software attack in which the attacker tries to guess passwords or crack encrypted password files.

PBX
(Private Branch Exchange) A private telephone network managed by an organization for use by its employees.

PGP
(Pretty Good Privacy) A method of securing emails created to prevent attackers from intercepting and manipulating email and attachments by encrypting and digitally signing the contents of the email using public key cryptography.

PKCS
(Public Key Cryptography Standards) A set of protocol standards developed by a consortium of vendors to send information over the Internet in a secure manner using a public key infrastructure (PKI).

PKCS #10 - Certification Request Syntax Standard
A PKCS that describes the syntax used to request certification of a public key and other information.

PKCS #7 - Cryptographic Message Syntax Standard
A PKCS that describes the general syntax used for cryptographic data such as digital signatures.

PKI
(Public Key Infrastructure) A system that is composed of a Certificate Authority (CA), certificates, software, services, and other cryptographic components, for the purpose of enabling authenticity and validation of data and/or entities, for example to secure transactions over the Internet.

plaintext
Data that is not encrypted. Sometimes called cleartext.

PMI
(Privilege Management Infrastructure) A collection of authentication and authorization mechanisms that allow an administrator centralized control of user and group role-based privilege management. PMI is often implemented to control user authentication and authorization for an organization’s Web resources.

policy statement
An outline of the plan for the individual security component.

port scanning attack
A software attack where an attacker scans your systems to see which ports are listening. This is a software attack where the attacker is trying to find a way to gain unauthorized access.

private key
An encryption/decryption key that is kept secure and used by one individual or entity only. It can also be used to digitally sign a message.

private root
A root CA created within a company for internal use by the company itself.

procedure
Instructions that detail specifically how to implement the policy.

public key
An encryption/decryption key that is available on public networks. A public key works in conjunction with a private key.

Public Key Cryptography
The process of encrypting and decrypting data using a public key/private key pair.

public root
A root CA created by a third-party (or commercial) vendor for a company for use outside the company such as the Internet.

RA
(Registration Authority) An authority in a network that processes requests for digital certificates from users.

RADIUS
(Remote Authentication Dial-in User Service) A standard protocol for providing centralized authentication and authorization services for remote users. For more information, see RFCs 2138 and 2138.

RBAC
(Role-based Access Control) Access is controlled based on a user’s role. Users are assigned to roles, and network objects are configured to allow access only to specific roles. Roles are created independently of user accounts.

RC4 algorithm
(Rivest Cipher 4 algorithm) A symmetric encryption algorithm that uses variable-sized keys (40 to 256 bits) to encrypt data. RC4 is much faster than DES but not as secure.

renewed certificate
A certificate that has reached the end of its lifetime and had the lifetime extended.

replay attack
A type of software attack where an attacker captures (through eavesdropping or sniffing) network traffic and stores it for retransmission at a later time to gain unauthorized access to a network.

revoked certificate
A certificate that has been designated as invalid before its expiration.

root CA
The most trusted CA in a CA hierarchy. The root CA is the top of the hierarchy. Root CAs can issue certificates for subordinate CAs.

S/MIME
(Secure Multipurpose Internet Mail Extensions) S/MIME prevents attackers from intercepting and manipulating email and attachments by encrypting and digitally signing the contents of the email using public key cryptography.

SA
(Security Association) The negotiated relationship between two computers using IPSec. SAs are the result of the two-stage negotiation process. These stages are known as Phase 1 and Phase 2.

scanning
The attacker uses specific tools to determine an organization’s infrastructure and discover vulnerabilities. The attacker will scan the target’s border routers, firewalls, Web servers, and other systems that are directly connected to the Internet to see which services are listening on which ports and to determine the operating systems and manufacturers of each system.

schema
A set of rules in a directory service as to how objects are created and what their characteristics can be.

sniffing
See eavesdropping attack.

security baseline
A collection of security configuration settings that are to be applied to a particular system in the enterprise.

security templates
Text files that specify security settings in the areas of account policies, local policies, the event log, restricted groups, system services, and the Registry. They are used to apply a consistent set of security settings across multiple computers.

separation of duties
A policy of no one individual or department owning all the responsibility for creating, managing, and enforcing security policy.

session key
A key that is randomly generated, used only once, and then discarded.

SHA
(Secure Hash Algorithm) This hash algorithm is modeled after MD5, and is considered the stronger of the two because it produces a 160-bit hash value.

signature-based analysis
Looks for network, host or application activity that compares signatures in the datastream with known attack signatures.

smartcard
A device similar to a credit card that contains a user’s private key. The user may or may not be required to use a password to access the information on the smartcard.

SMB protocol
(Server Message Block protocol) A protocol that runs on top of protocols such as TCP/IP, IPX/SPX, and NetBEUI, and is used to access shared network resources, such as files and printers.

Smurf attack
A type of DoS attack in which a ping message is broadcast to an entire network on behalf of a victim computer, flooding the victim computer with responses.

social engineering attack
A type of attack where the goal is to obtain sensitive data, including user names and passwords, from network users through deception and trickery.

software attack
A type of attack where the goal is to disrupt or disable the operating systems and applications running on the computers in your enterprise.

software exploitation attack
A type of software attack where an attacker attempts to gain access to a system or to sensitive data by exploiting a flaw or feature in an application.

spyware
Code that’s secretly installed on a user’s computer to gather data about the user and relay it to a third party.

SSL
(Secure Sockets Layer) A security protocol that combines digital certificates for authentication with RSA public key encryption.

standard
A definition of how adherence to the policy will be measured.

stream cipher
A type of symmetric encryption that encrypts data one bit at a time. Each plaintext bit is transformed into encrypted ciphertext. These algorithms are relatively fast to execute.

subordinate CA
A CA that can create another CA under it in the hierarchy or manages the day-to-day functions of a CA below the root, including issuance, revocation, renewal, and expiration.

suspended certificate
A certificate that has temporarily been designated invalid for security purposes.

symmetric encryption algorithm
A cryptographic algorithm that generally uses a single key for encryption and decryption. The key is sometimes referred to as a session key.

SYN flood
A type of DoS attack in which the attacker sends multiple SYN messages initializing TCP connections with a target host.

TACACS+
(Terminal Access Controller Access Control System Plus) A standard protocol for providing centralized authentication and authorization services for remote users. TACACS+ also supports multifactor authentication. For more information, see RFC 1492.

takeover attack
A type of software attack where an attacker gains access to a remote host and takes control of the system.

TLS
(Transport Layer Security) TLS version 1.0 provides a mechanism for two computers to verify each other’s identity (authentication), to establish a secure, tamper-resistant channel for communication, and to encrypt data. This protocol is slightly different from SSL and is not compatible with SSL.

token
Text or numerical values in addition to usernames and passwords that provide an added layer of authentication. Tokens are often personal identification numbers (PINs) or a second, additional password.

Trojan horse
Malicious code that masquerades as a harmless file. When a user executes it, thinking it’s a harmless application, it destroys and corrupts data on the user’s hard drive.

trustee
An individual granted private key restoration rights and responsibilities.

virus
A sample of code that spreads from one computer to another by attaching itself to other files. The code in a virus corrupts and erases files on a user’s computer, including executable files, when the file to which it was attached is opened or executed.

WAP
(Wireless Application Protocol) A protocol that’s used to transmit data to and from wireless devices such as cell phones, PDAs, and handheld computers, sometimes over very long distances to be displayed on small screens.

wardriving
A popular way to gain unauthorized access to a network that involves simply driving in a car with a laptop and a wireless NIC until the NIC detects a wireless network, which according to some reports is very easy in large cities.

warez
(Pronounced “wares”) Pirated software that’s made available for download and general use. Servers that contain warez are called warez servers.

WEP
(Wired Equivalency Protocol) Provides 64-bit, 128-bit, and 256-bit encryption using the Rivest Cipher 4 (RC4) algorithm for wireless communication that uses the 802.11a and 802.11b protocols.

white hat
A hacker who exposes security flaws in applications and operating systems so manufacturers can fix them before they become widespread problems.

worm
A piece of code that spreads from one computer to another on its own, not by attaching itself to another file. Like a virus, a worm can corrupt or erase files on your hard drive.

WTLS
(Wireless Transport Layer Security) The security layer of WAP and the wireless equivalent of TLS in wired networks.

X.509
An international standard defining the different components that make up a certificate.

zombies (or drones)
A program installed by an attacker on remote systems that is later triggered by a command from the attacker to launch a DoS attack. An attacker can create a DDoS attack by secretly installing zombie agents on multiple remote hosts.

INDEX

802.11a, 171
802.11b, 171

A
Acceptable Use Policy
  See: AUP
AH protocol, 158
anomaly-based analysis, 290
ASET, 52
  security levels, 53
asymmetric encryption, 156
attacker, 4
attacking, 271
audit attack, 21
AUP, 32
Authentication Header protocol
  See: AH protocol
Automated Security Enhancement Tool
  See: ASET

B
backdoor, 19
backdoor attack, 19
BCP, 258
black hat, 4
block cipher, 156
browser vulnerabilities, 181
brute force attack, 19
buffer overflow attack, 14
bulk encryption key, 159
Business Continuity Plan
  See: BCP

C
CA, 198
  backing up, 219
  hardening, 212, 217
  installing a hierarchy, 198
  restoring, 222
CA hierarchy, 199
  components, 199
  implementation options, 201
  installing, 201
certificate
  destroying files, 239
  enrollment process, 226
  restoring, 248
  suspending, 239
Certificate Authority
  See: CA
certificate enrollment, 226
certificate life cycle, 214
  expiration, 215
  factors, 215
  issuance, 215
  renewal, 215
  revocation, 215
certificate lifetime, 213
certificate management system, 198
certificate policy
  See: CP
  considerations, 212
certificate practice statement
  See: CPS
certificate repository, 198
Certificate Revocation List
  See: CRL
certificates
  backing up, 242
  enrolling for entities, 226, 227
  renewing, 236, 237
  restoring, 247
  revoking, 238, 239
chain of custody, 255
ciphertext, 156
client internet access
  securing, 181, 183
conferencing and messaging servers

  hardening, 145, 146
corporate security policy, 31
corporate security policy compliance
  enforcing, 252
CP, 212
CPS, 212
cracker, 4
CRL, 238

D
data encryption, 155
data integrity, 154
DDoS attack, 12
default security configuration attack, 16
DH algorithm, 159
DHCP servers
  hardening, 87, 88
  vulnerabilities, 87
digital certificates, 198
digital signature, 154
directory management tools, 81
directory services
  example, 77
  hardening, 77
  hardening domain controllers, 80
  vulnerabilities, 78
Disaster Recovery Plan
  See: DRP
DNS and BIND
  vulnerabilities, 105
DNS and BIND servers
  hardening, 105, 106
documentation handling, 33
DoS attack, 12
drones, 13
DRP, 258
dual key pair, 212
due care, 31

E
eavesdropping attack, 6, 7
  Also See: sniffing
email
  vulnerabilities, 134
email security
  PGP, 135
  S/MIME, 135
email servers
  hardening, 134, 136
employee security education process, 264
employee security responsibilities, 265
Encapsulating Security Payload protocol
  See: ESP protocol
encryption, 155, 157
encryption algorithms, 155
enumerating, 271
ESP protocol, 158
ethical hack, 272

F
file and print servers
  hardening, 90
file and printer server
  hardening, 91
footprint, 271
footprinting, 271
FTP
  vulnerabilities, 122
FTP server
  hardening, 119, 123

G
guidelines, 31

H
hacker, 4
hacking process, 270
hardening, 37
  application servers, 53
  directory services, 76
hash value, 154
hashing algorithm, 154
hashing algorithms, 154
HIDS, 288
hijacking attack, 9
honeypot, 298
  setting up, 298, 299
host-based IDS
  See: HIDS
HTTPS, 233
Hypertext Transfer Protocol over SSL
  See: HTTPS

I
IDS, 288
  analysis methods, 290
  components, 291
  legal issues, 291
  passive vs. active, 290

IKE, 159
incident response policy, 305
instant messaging
  vulnerabilities, 145
Internet Explorer
  security tools, 182
Internet Key Exchange
  See: IKE
Internet Protocol Security
  See: IPSec
Internet shopping, 214
internetwork connection devices
  hardening, 98, 100
internetwork devices
  vulnerabilities, 98
intruders
  monitoring, 288, 292
intrusion detection system
  See: IDS
IP spoofing, 8
IPSec, 154, 156
  data integrity, 157
  security associations, 159
  transport protocols, 157
IPSec default policies
  Windows 2000, 160
  Windows XP, 160
IPSec driver
  Windows 2000, 160
  Windows XP, 160
IPSec Policy Agent
  Windows 2000, 160
issuing CA, 201

K
key escrow, 247

L
LDAP, 78, 81
legal compliance
  enforcing, 254, 256
legal security compliance requirements, 255
Lightweight Directory Access Protocol
  See: LDAP
logic bomb, 15

M
M of N scheme, 247
malicious code attack, 14
man-in-the-middle attack, 11
master key, 159
MD5, 154
message digest, 154
Message Digest 5
  See: MD5
Microsoft Baseline Security Analyzer, 38
Microsoft IIS Lockdown tool, 112, 124, 131, 137
misuse of privilege attack, 18
mobile device vulnerabilities, 173

N
Network News Transport Protocol
  See: NNTP
network traffic
  securing using certificates, 232, 233
  securing with IPSec, 154
network-based IDS
  See: NIDS
NIDS, 288
NNTP
  hardening, 130

O
offline CA, 201
operating system vulnerabilities, 35
  NetWare 6, 36
  Sun Solaris 9, 36
  Windows 2000 Server, 35
  Windows XP Professional, 35
organizational security policy
  enforcing, 252

P
password attack, 18
PBX, 2
PGP, 135
physical resource
  vulnerabilities, 258
physical resource vulnerabilities, 258
physical security compliance
  enforcing, 258, 261
PKI, 198
  implementation, 199
plaintext, 156
policy statement, 31
port scanning attack, 6

Pretty Good Privacy
  See: PGP
private branch exchange
  See: PBX
private key
  replacing, 247
  restoring, 247, 248
private key encryption, 155
private keys
  backing up, 242
  restoring, 247
private root CA, 200
procedures, 31
profiling, 271
public key encryption, 156
public root CA, 200

R
RA, 198
RADIUS, 100
RC4 algorithm, 173
registration authority
  See: RA
regulated industries
  requirements, 256
remote access
  common ports, 192
remote access channel
  securing, 190, 191
remote access vulnerabilities, 190
replay attack, 10
root CA, 200
  security, 201

S
S/MIME, 135
SA, 159
scanning, 271
schema, 77
Secure FTP
  See: SFTP
secure hash algorithm
  See: SHA
Secure Multipurpose Internet Mail Extensions
  See: S/MIME
Secure Shell
  See: SSH
Secure Socket Layer
  See: SSL
secure wireless traffic, 171
security and accessibility
  balancing, 218
security association
  See: SA
security baseline, 38
security incidents
  responding, 305, 307
security infrastructure
  scanning for vulnerabilities, 270
security policies
  individual, 32
security policy
  components, 31
security scans
  types, 272
security templates
  Windows 2000, 45, 46
  Windows XP, 45, 47
security threats
  identifying, 2
  social engineering attack, 2
separation of duties, 32
Server Message Block protocol
  See: SMB protocol
session key, 156
SFTP, 124
SHA, 154
signature-based analysis, 290
smart card, 213
SMB signing, 90
SMBRelay, 281
Smurf attack, 14
sniffing, 7
social engineering attack, 2
  examples, 3
  identifying, 2, 4
software attack
  classifying, 22
software attacks
  classifying, 6
software exploitation attack, 17
Solaris 9
  ASET, 52
spyware, 181
SSH, 124
SSL, 232
standard, 31
stream cipher, 156

subordinate CA, 200
symmetric encryption, 155
SYN flood, 14
system hardening, 28, 37
  base operating systems, 31
  Windows 2000, 51
  Windows XP, 49

T
TACACS+, 100
takeover attack, 20
TCP and UDP ports
  vulnerabilities, 272
TLS, 233
Transport Layer Security
  See: TLS
Trojan horse, 15
trustee, 247

U
unnecessary daemons, 44
unnecessary NLMs, 44
unnecessary services, 44
user
  responsibility for security, 265
users
  educating, 264
  employee security education process, 264

V
virus, 15
vulnerabilities
  scanning, 274
vulnerability scanning tools, 271

W
WAP, 171
wardriving, 173
warez, 122
Web server
  security methods, 109
  vulnerabilities, 110
Web servers
  hardening, 109, 114
WEP, 173
white hat, 4
Windows XP, 160
Wired Equivalency Protocol
  See: WEP
Wireless Application Protocol
  See: WAP
wireless security
  methods, 174
wireless traffic
  securing, 175
Wireless Transport Layer Security
  See: WTLS
worm, 15
WTLS, 173

Z
zombies, 13
