Document: Module 8: Creating a Security Design for Authentication (docx)


Document information

Posted: 18/01/2014, 05:20

Contents

Overview 1
Lesson: Determining Threats and Analyzing Risks to Authentication 2
Lesson: Designing Security for Authentication 8
Lab A: Designing Authentication Security 23

Module 8: Creating a Security Design for Authentication

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2002 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, Active Directory, ActiveX, BizTalk, PowerPoint, Visio, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Instructor Notes

In this module, students learn how to determine threats and analyze risks to authentication. Students learn how to design security for authenticating local users, remote users, and users who access their networks across the Internet. Students also learn when to choose multifactor authentication for additional security.

After completing this module, students will be able to:
• Determine threats and analyze risks to authentication.
• Design security for authentication.

Presentation: 60 minutes
Lab: 30 minutes

Required materials: To teach this module, you need Microsoft® PowerPoint® file 2830A_08.ppt.

Important: It is recommended that you use PowerPoint version 2002 or later to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all of the features of the slides may not be displayed correctly.

Preparation tasks: To prepare for this module:
• Read all of the materials for this module.
• Complete the practices.
• Complete the lab and practice discussing the answers.
• Read the additional reading for this module, located under Additional Reading on the Web page on the Student Materials CD.
• Visit the Web links that are referenced in the module.

How to Teach This Module

This section contains information that will help you to teach this module.

Lesson: Determining Threats and Analyzing Risks to Authentication

This section describes the instructional methods for teaching this lesson.

Overview of Authentication: This slide is presented in several other modules. It is not meant as a realistic network, but as a conceptual picture to represent different parts of a network. Use the slide as well as your knowledge and experience to explain the concepts and to generate discussion.

Why Authentication Security Is Important: This page is intended simply to give examples of vulnerabilities. To elaborate attacks, draw upon your own experiences. The next page deals with common vulnerabilities, so try not to skip ahead.

Common Vulnerabilities of Accounts: Explain the threats, but do not discuss how to secure against them. The second lesson in the module covers that topic.

Practice: Analyzing Risks to Authentication: This practice involves a qualitative risk analysis. Answers may vary.

Lesson: Designing Security for Authentication

This lesson contains numerous Web links that you will find valuable in preparing to teach this module.

Practice: Risk and Response: Answers may vary. Use the rankings provided and the security responses that students give to generate classroom discussion.

Security Policy Checklist: Use this page to review the content of the module. Students can use the checklist as a basic job aid. The phases mentioned on the page are from Microsoft Solutions Framework (MSF). Use this page to emphasize that students must perform threat analysis and risk assessment on their own networks for the topic covered in this module. Students must then design security responses to protect the networks.

Assessment

There are assessments for each lesson, located on the Student Materials compact disc. You can use them as pre-assessments to help students identify areas of difficulty, or you can use them as post-assessments to validate learning.

Lab A: Designing Authentication Security

To begin the lab, open Microsoft Internet Explorer and click the name of the lab. Play the video interviews for students, and then instruct students to begin the lab with their lab partners. Give students approximately 20 minutes to complete this lab, and spend about 10 minutes discussing the lab answers as a class. Use the lab answers provided in the Lab section of the module to answer student questions about the scope of Ashley Larson’s e-mail request, and to lead classroom discussion after students complete the lab.

Note: If students ask about John Chen’s video interview, explain that by removing the Microsoft Windows® 95-based and Apple Macintosh-based computers, Contoso Pharmaceuticals is able to standardize on Internet Explorer as the company’s Web browser.

General lab suggestions: For general lab suggestions, see the Instructor Notes in Module 2, “Creating a Plan for Network Security.” Those notes contain detailed suggestions for facilitating the lab environment used in this course.

Customization Information

This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware. This module includes only computer-based interactive lab exercises, and as a result, there are no lab setup requirements or configuration changes that affect replication or customization.

Important: The lab in this module is also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Automated Classroom Setup Guide for Course 2830A, Designing Security for Microsoft Networks.

Lab Setup: There are no lab setup requirements that affect replication or customization.

Lab Results: There are no configuration changes on student computers that affect replication or customization.

Overview

*****************************ILLEGAL FOR NON-TRAINER USE******************************

Introduction: In this module, you will learn how to determine threats and analyze risks to authentication. You will learn how to design security for authenticating local users, remote users, and users who access your network across the Internet. You will also learn when to choose multifactor authentication for additional security.

Objectives: After completing this module, you will be able to:
• Determine threats and analyze risks to authentication.
• Design security for authentication.

Lesson: Determining Threats and Analyzing Risks to Authentication

Introduction: Authentication validates that a user possesses the correct credentials that are associated with an account. In a Microsoft® Windows® network, the authentication methods that are used to verify logon credentials are based primarily on how and where an account is accessing the network. If incorrect configurations or incompatibilities with applications exist, attackers may be able to intercept or impersonate authentication information.

Lesson objectives: After completing this lesson, you will be able to:
• Describe authentication in general terms.
• Explain why authentication is important.
• List common vulnerabilities of authentication.

Overview of Authentication

Key points: When designing security for authentication, consider all types of authentication that your network uses, including applications that use their own authentication protocols. On a Microsoft network, different authentication methods are used, depending on whether a user is directly connected to the local area network (LAN), accessing the network remotely, or accessing the network over the Internet.
Why Authentication Security Is Important

External attacker scenario: While using a friend’s home computer, an external attacker discovers that the computer has Remote Access Service (RAS) credentials to the internal network that are persistently stored on the computer. The attacker successfully authenticates to the network using the credentials, and then gains access to network resources.

Internal attacker scenario: An internal attacker installs network monitoring software that operates in promiscuous mode to intercept authentication packets. After intercepting packets in an authentication sequence, the attacker performs a brute force attack on the password hash that is retrieved from a packet and determines the user’s password. The attacker later uses the intercepted account name and password to access the network.

[…] consider:

Removing LAN Manager password hashes. LAN Manager password hashes are sent along with NTLM authentication messages for compatibility with older operating systems. Because an attacker can easily crack LAN Manager password hashes, remove them from the account databases if your network does not require them. You can remove LAN Manager password hashes for all accounts on a computer by using a setting in […]

[…] entire CHAP authentication sequence, she can attack the password hash offline. Also, data cannot be encrypted when using the CHAP protocol. Therefore, CHAP is not a secure authentication protocol.

MS-CHAP. Similar to CHAP, the Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) is an encrypted authentication mechanism. MS-CHAP is also vulnerable to an attacker performing an offline attack on the […]
[…] be able to:
• Determine authentication requirements for your network.
• Describe LAN authentication protocols and considerations for authenticating accounts on a LAN.
• Describe considerations for authenticating Web users.
• Describe considerations for authenticating RAS users.
• Explain multifactor authentication.
• Describe considerations for authenticating applications and network devices.

[…] changes will resolve the security vulnerability of the LAN Manager password hashes as explained in the e-mail from Suzan Fine.

2. What recommendations do you have now that Contoso has standardized on Internet Explorer as its Web browser?
You can increase RAS authentication security by no longer supporting CHAP and MS-CHAP v1 for Macintosh and […]

[…] relative risk? Why?
Note: Answers in the table may vary. Threats 1 and 5 likely present the greatest risk. An attacker can perform threat 1 passively from any place on the network, potentially intercept all authentication packets that use NTLM or LAN Manager, and then attack the password hashes offline. Threat 5 is easily carried out with little skill required. Both attacks enable an attacker to obtain a […]

[…] the authentication packets from interception, use Basic authentication only in combination with Secure Sockets Layer (SSL).

Digest access authentication. Uses a user name and password and adds a random value called a nonce to create a hash to improve Basic authentication. Digest authentication requires that the server running IIS be a member of an Active Directory domain. However, user accounts that use […]

[…] operating systems. Also consider how accounts on network devices are authenticated.
5. Design an implementation strategy for authentication. After gathering the information in steps 1 through 4, you will be able to design an implementation strategy to authenticate accounts securely.

LAN Authentication Protocols

[…]

Security Policy Checklist (excerpt)

Phase      Task                                            Details
[…]        […]                                             […] (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege) and life cycle threat models
[…]        Manage risks                                    Qualitative and quantitative risk analysis
Building   Create policies and procedures for authenticating:   Local users and computers; Web users; RAS users; Network applications; Network devices

3. Click Send to save your answers to a folder on your desktop.
4. Discuss your answers as a class.

Lab A: Designing Authentication Security

Lab Questions and Answers
Answers may vary. The following are possible answers.
1. What actions will you recommend to Ashley to strengthen authentication security on the corporate network?
Because Contoso’s network […]

Threat table (excerpt)

Threat                                                                                                                    Probability   Impact   Relative risk
[…] a user as she enters her password                                                                                     6             7        42
6. Attacker steals the smart card of an administrator and succeeds in guessing the PIN (personal identification number)   2             1        2
7. Attacker performs a brute force attack on a user account by using a script                                             2             4        8

Question: 8. What two threats present the greatest […]
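The Digest access authentication excerpt above says that a server-chosen random nonce is hashed together with the user name and password, which is what distinguishes it from Basic authentication, where an intercepted credential can simply be sent again. The following Python script is an added example, not code from the course module or from Microsoft: it implements the RFC 2617 MD5 Digest computation (without the qop/auth-int extensions) on both the client and the server side, and shows a server tracking issued and consumed nonces so that a captured response is rejected when replayed. The realm "contoso", the user table, the URI and the nonce bookkeeping are all constructed for illustration.

```python
"""Added example (not from the course module or from Microsoft): how Digest
access authentication binds the password hash to a server-chosen nonce, and
how a server can refuse a replayed Digest response.  Uses the RFC 2617 MD5
scheme without the qop/auth-int extensions; the realm, user table, URI and
nonce handling below are constructed for illustration."""
import hashlib
import secrets


def md5_hex(text: str) -> str:
    # RFC 2617 Digest is defined in terms of MD5 hex digests.
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username: str, realm: str, password: str,
                    method: str, uri: str, nonce: str) -> str:
    """Client side: response = MD5(HA1 ":" nonce ":" HA2), with
    HA1 = MD5(user:realm:password) and HA2 = MD5(method:uri)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


class DigestServer:
    """Server side.  Stores HA1 per user (never the clear-text password) and
    tracks which nonces it issued and which have already been consumed, so a
    captured response cannot simply be sent again."""

    def __init__(self, realm: str, users: dict):
        self.realm = realm
        # Constructed credential store: username -> HA1.
        self.ha1 = {u: md5_hex(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.issued = set()   # nonces handed out in WWW-Authenticate challenges
        self.used = set()     # nonces already accepted once

    def challenge(self) -> str:
        """Issue a fresh, unpredictable nonce for one authentication attempt."""
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return nonce

    def verify(self, username: str, method: str, uri: str,
               nonce: str, response: str):
        """Return (accepted, reason) for the values a client sent back."""
        ha1 = self.ha1.get(username)
        if ha1 is None:
            return False, "unknown user"
        if nonce not in self.issued:
            return False, "nonce not issued by this server"
        if nonce in self.used:
            return False, "nonce already used (replay)"
        ha2 = md5_hex(f"{method}:{uri}")
        expected = md5_hex(f"{ha1}:{nonce}:{ha2}")
        if not secrets.compare_digest(expected, response):
            return False, "bad response"
        self.used.add(nonce)   # one-time use: a captured response is now useless
        return True, "ok"


def walkthrough() -> list:
    """Run a legitimate login, a verbatim replay of the captured response, and
    a reuse of the captured response against a new nonce; return the verdicts."""
    server = DigestServer("contoso", {"alice": "correct-horse-battery"})  # constructed
    verdicts = []
    nonce = server.challenge()
    captured = digest_response("alice", "contoso", "correct-horse-battery",
                               "GET", "/secret", nonce)
    verdicts.append(server.verify("alice", "GET", "/secret", nonce, captured))
    # The same exchange, sent again exactly as it was captured on the wire.
    verdicts.append(server.verify("alice", "GET", "/secret", nonce, captured))
    # A fresh challenge, answered only with the old captured response.
    nonce2 = server.challenge()
    verdicts.append(server.verify("alice", "GET", "/secret", nonce2, captured))
    return verdicts


if __name__ == "__main__":
    for accepted, reason in walkthrough():
        print(accepted, reason)
```

The nonce defeats verbatim replay, which is the improvement over Basic authentication that the excerpt describes. It does not remove the offline-guessing risk the module attributes to CHAP and MS-CHAP: anyone who records a challenge and response can still test password guesses against the hash, which is why the module pairs Basic authentication with SSL and why password strength still matters under Digest.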