Document: Module 7: Creating a Security Design for Accounts (PDF)


Document information

Date posted: 18/01/2014, 05:20

Contents

Overview
Lesson: Determining Threats and Analyzing Risks to Accounts
Lesson: Designing Security for Accounts
Lab A: Designing Security for Accounts

Module 7: Creating a Security Design for Accounts

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2002 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, Active Directory, ActiveX, BizTalk, PowerPoint, Visio, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Instructor Notes

Presentation: 45 minutes
Lab: 30 minutes

In this module, students will learn how to determine threats and analyze risks to accounts in an organization. Students will also learn how to design security for accounts, including determining security requirements, creating password policies, and designing strategies to manage account security.

After completing this module, students will be able to:

• Determine threats and analyze risks to accounts.
• Design security for accounts.

Required materials

To teach this module, you need Microsoft® PowerPoint® file 2830A_07.ppt.

Important

It is recommended that you use PowerPoint version 2002 or later to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all of the features of the slides may not be displayed correctly.

Preparation tasks

To prepare for this module:

• Read all of the materials for this module.
• Complete the practices.
• Complete the lab and practice discussing the answers.
• Read the additional reading for this module, located under Additional Reading on the Web page on the Student Materials CD.
• Visit the Web links that are referenced in the module.

How to Teach This Module

This section contains information that will help you to teach this module.

Lesson: Determining Threats and Analyzing Risks to Accounts

This section describes the instructional methods for teaching this lesson.

A substantial part of this module should be review for your students. However, explain that it is frequently a subject that is overlooked or not properly implemented, hence the security risks. Emphasize that account scope and group membership have the most impact on account security. One of the primary goals of an attacker is to elevate his privileges to the Administrator or SYSTEM level of access.

External and internal attackers may use a variety of approaches to gain access to a network. This page is intended simply to give examples of vulnerabilities. To elaborate attacks, draw upon your own experiences. The next page deals with common vulnerabilities, so try not to skip ahead.

Explain the vulnerabilities, but do not discuss how to secure against them. The second lesson in the module covers that topic.

This practice involves a simple quantitative risk analysis. Ensure that students realize that this is a simple exercise to prevent them from becoming distracted by real-world details that were omitted for the sake of brevity.

Lesson: Designing Security for Accounts

This section describes the instructional methods for teaching this lesson.

For security, instruct students to always audit who is adding administrators on a network. For additional security, suggest that administrators be required to use smart cards for authentication. Authentication is discussed in greater detail in Module 8, “Creating a Security Design for Authentication.”

Answers may vary. Use the security responses that students give to generate classroom discussion.

Use this page to review the content of the module. Students can use the checklist as a basic job aid. The phases mentioned on the page are from Microsoft Solutions Framework (MSF).

Use this page to emphasize that students must perform threat analysis and risk assessment on their own networks for the topic covered in this module, and then they must design security responses to protect the networks.

Assessment

There are assessments for each lesson, located on the Student Materials compact disc. You can use them as pre-assessments to help students identify areas of difficulty, or you can use them as post-assessments to validate learning.

Account Types and Their Security Requirements
Why Account Security Is Important
Common Vulnerabilities of Accounts
Practice: Analyzing Risks to Accounts
Guidelines for Using Administrative and Service Accounts
Practice: Risk and Response
Security Policy Checklist

Lab A: Designing Security for Accounts

To begin the lab, open Microsoft Internet Explorer and click the name of the lab. Play the video interviews for students, and then instruct students to begin the lab with their lab partners. Give students approximately 20 minutes to complete this lab, and spend about 10 minutes discussing the lab answers as a class.

Use the answers provided in the Lab section of this module to answer student questions about the scope of Ashley Larson’s request in her e-mail.

Students will look at a Microsoft Visio® diagram called CP Active Directory OU Design.vsd. Use this diagram and the lab answers provided in the Lab section of the module to answer student questions about the scope of Ashley’s e-mail request and to lead classroom discussion after students complete the lab.

General lab suggestions

For general lab suggestions, see the Instructor Notes in Module 2, “Creating a Plan for Network Security.” Those notes contain detailed suggestions for facilitating the lab environment used in this course.

Customization Information

This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.

This module includes only computer-based interactive lab exercises, and as a result, there are no lab setup requirements or configuration changes that affect replication or customization.

Important

The lab in this module is also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Automated Classroom Setup Guide for Course 2830A, Designing Security for Microsoft Networks.

Lab Setup

There are no lab setup requirements that affect replication or customization.

Lab Results

There are no configuration changes on student computers that affect replication or customization.

Overview

*****************************ILLEGAL FOR NON-TRAINER USE******************************

Introduction

In this module, you will learn how to determine threats and analyze risks to accounts in an organization. You will also learn how to design security for accounts, including determining security requirements, creating password policies, and designing strategies to manage account security.

Objectives

After completing this module, you will be able to:

• Determine threats and analyze risks to accounts.
• Design security for accounts.

Lesson: Determining Threats and Analyzing Risks to Accounts

Introduction

Computer networks use accounts to grant users access to the information on a network. If an attacker gains access to an account that has excessive privileges, or breaks the password that is associated with an account, the attacker can obtain authorized access to a network.

Lesson objectives

After completing this lesson, you will be able to:

• Describe security requirements of different account types.
• Explain why account security is important.
• List common vulnerabilities to accounts.

Account Types and Their Security Requirements

Key points

User accounts define the actions that a user can perform. Accounts require different security based on who uses them.

Type of account    Level of trust    Examples
External users     Low               Anonymous Web users, authenticated Web users, business partners
Internal users     Medium            Contract employees, full-time employees, accounts used by testers
Administrators     High              Users with administrator rights, service accounts used by applications, data administrators, service administrators

Accounts receive their authority from the following sources:

• User rights. These rights authorize users to perform specific actions on a computer, such as backing up files and directories that do not have NTFS (NTFS file system) permissions. User rights also include logon rights, such as the ability to log on to a system interactively.
• Permissions. Discretionary access control lists (DACLs) control permissions to Active Directory® directory service objects and NTFS folder and file objects. DACLs are comprised of access control entries (ACEs), which define the protections that apply to an object and its properties.
• Account scope. Microsoft® Windows® 2000 and Microsoft Windows XP use local and domain accounts to define the scope of an account’s authority. Local accounts have authority only on the local computer. Domain accounts have authority throughout the domain or forest.
• Group membership. Security groups enable you to assign the same security permissions to large numbers of user accounts in a single operation, which ensures consistent security permissions across all members of a group.
By using security groups to assign permissions, rather than assigning permissions to individual accounts, you can easily manage and audit permissions.

Additional reading

For more information about accounts, see the white paper, Active Directory Users, Computers, and Groups, at: http://www.microsoft.com/technet/prodtechnol/ad/windows2000/maintain/adusers.asp.

[...]

... manage accounts and passwords

Anyone who can manage an account can change the rights and permissions of the account or disable its use. Anyone who can manage a password to an account can, at any time, access all of the information that the account can access.

Who can obtain account information

Account information often includes personal data, such as home addresses, birthdates, and telephone numbers. Each account...

... that is presented, and then enter an appropriate security response. Answers may vary.

Scenario: Attacker who has physical access to a computer can extract LSA secrets and obtain service account passwords of domain service accounts
Risk strategy: Mitigate
Security response: Use local accounts for services

Scenario: Attacker can use brute force to easily break LAN Manager password hashes
Risk strategy: Avoid
Security response: Remove LAN Manager passwords...

... administrative accounts to create a record of how the accounts are used.

When designing security for service accounts:

• Run service accounts as System or local user accounts. Service account passwords for non-System accounts are stored as LSA secrets, which an attacker can extract. If the account is a domain account, an attacker who extracts the password from a computer can then log on to the domain.
• Create...
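The service-account guidance above can be checked by classifying each service's logon account by scope and listing the ones that run under domain accounts. This is an added example, not part of the courseware; the function name Get-ServiceAccountScope, the sample service and account names, and the computer name WKS01 are hypothetical, the sample rows are constructed, and PowerShell 3.0 or later is assumed.

```powershell
# Added example, not part of the courseware. Classifies a service logon account
# by scope so that domain accounts, whose passwords are stored on the computer
# as LSA secrets, can be listed for review.
function Get-ServiceAccountScope {
    param(
        [string]$StartName,
        [Parameter(Mandatory)][string]$ComputerName
    )
    # Built-in service identities (System, Local Service, Network Service).
    $builtIn = 'LocalSystem', 'NT AUTHORITY\SYSTEM',
               'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
    if ([string]::IsNullOrEmpty($StartName)) { return 'None' }
    if ($builtIn -contains $StartName)       { return 'BuiltIn' }
    if ($StartName -like 'NT SERVICE\*')     { return 'BuiltIn' }  # virtual accounts
    if ($StartName -like '*@*')              { return 'Domain' }   # user@domain form
    if ($StartName -notlike '*\*')           { return 'Unknown' }  # no scope prefix
    # The part before the backslash names the scope: "." or the computer name
    # means a local account, anything else is treated as a domain.
    $prefix = ($StartName -split '\\', 2)[0]
    if ($prefix -eq '.' -or $prefix -eq $ComputerName) { return 'Local' }
    return 'Domain'
}

# Constructed sample rows shaped like Win32_Service output (Name, StartName).
$sample = @(
    [pscustomobject]@{ Name = 'Spooler';   StartName = 'LocalSystem' }
    [pscustomobject]@{ Name = 'BackupAgt'; StartName = 'CONTOSO\svc-backup' }
    [pscustomobject]@{ Name = 'ReportGen'; StartName = '.\svc-report' }
    [pscustomobject]@{ Name = 'SyncTool';  StartName = 'svc-sync@contoso.example' }
)

# On a live computer, replace $sample with
#   Get-CimInstance -ClassName Win32_Service
# and pass $env:COMPUTERNAME instead of the hypothetical 'WKS01'.
$sample | ForEach-Object {
    [pscustomobject]@{
        Service = $_.Name
        Account = $_.StartName
        Scope   = Get-ServiceAccountScope -StartName $_.StartName -ComputerName 'WKS01'
    }
} | Where-Object Scope -eq 'Domain'   # BackupAgt and SyncTool in the sample
```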
Click Reply, and then type your answer to Ashley’s questions.
3. Click Send to save your answers to a folder on your desktop.
4. Discuss your answers as a class.

Lab A: Designing Security for Accounts

Lab Questions and Answers

Answers may vary. The following are possible answers.

1. Ensure that only domain administrators can manage user accounts that belong...

... Stored as an MD4 hash value of the password
LAN Manager: Stored as the concatenation, or linking, of the two 7-character halves of the password that are used to encrypt a constant using Data Encryption Standard (DES)
Service account: Stored in plaintext as an LSA secret
Cached logon credentials: Not stored persistently

An attacker who has physical access to a computer can extract NTLM and LAN Manager password...

... rights and permissions for legitimate purposes

Practice: Analyzing Risks to Accounts

Scenario

Weak passwords on the Northwind Traders network are vulnerable to attack. If an attacker guesses a weak password that a user account uses, the company estimates a loss...

... (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privilege) and life cycle threat models

Manage risks: Qualitative and quantitative risk analysis

Phase       Task                                    Details
Building    Create policies and procedures for:     Managing accounts
                                                    Assigning rights and permissions
                                                    Creating and deleting accounts
                                                    Implementing service accounts
                                                    Granting administrator rights and responsibilities...
metadata that includes the password policy for the account. An attacker can use account information to identify the footprint of a network.

Additionally, you must develop processes for:

• Creating and deleting accounts. Monitor the creation of new accounts and ensure that unused accounts are locked out and promptly deleted. You must also create procedures for creating and distributing account passwords.
• Granting...

... password hash values from the Security Accounts Manager (SAM) database and attack the hashes offline by using commonly available tools. To prevent the compromise of these passwords, remove LAN Manager password hashes from the computer if you are not using the LAN Manager authentication protocol, and then implement strong passwords.

Additional reading

For more information about Kerberos version 5 authentication...

... strong passwords

Lab A: Designing Security for Accounts

Objectives

After completing this lab, you will be able to apply security design concepts to account security.

Scenario

You are a consultant hired by Contoso Pharmaceuticals to help the company design security for ...

Note

... Configuration container, or the Global Catalog.

Considerations for Using and Managing Accounts