Guidelines for Reducing the Impact of Interoperability on Security  70-643    NS0-201   70-237    70-271   70-642
Use the following guidelines to reduce the impact of interoperability on security. These guidelines refer to the process of encrypting data but also highlight the need to consider interoperability.

 Note  To make this example simple, this discussion is restricted to communications across the data network.
 

Determine what current processes will be part of the design. This is a good first step.

Develop a list of the hardware and software that will be used in the design. This list can be compiled by addressing the following issues:

What computers will be used? Are products such as routers, firewalls, and other network devices currently separating computers that must share information?

What operating system and version will be used? Is specific application software used? For example, is Microsoft Word used for documents? Is Microsoft Excel used for spreadsheets? Will documents be copied across the network? Collected from an intranet site? And will they be attached to e-mail messages or be in the body of e-mail messages?

Will the hardware and software used affect which security protocols can be used? Consider, for example, that IPSec is implemented at a lower layer than SSL. IPSec can be used to encrypt all data without any need to redesign the application. SSL, however, must be designed into the application.

Evaluate the capabilities of current processes, hardware, and software. The list of possible solutions that can be used in any particular security design depend on the capabilities of existing hardware and software and the capabilities of planned purchases of hardware and software. Use the following questions to evaluate current system capabilities and available products:

What security software and mechanisms currently exist? In today’s networks, the use of IPSec should be considered, as should virtual private networks (VPNs) for remote communications, SSL for access to intranet servers, and e mail encryption. The use of SSH (secure shell) is also a possibility for encrypting communications that might be used to manage databases and file servers where information resides. Many of these products and processes are built into Windows Server 2003

Are proprietary encryption products already a part of the network infrastructure?

Can all clients that will be used participate when specific communication protocols are selected? This will narrow the field of possibilities or determine the need for hardware and software upgrades.

Evaluate other communication protocols and software if no solution exists for your current configuration and if funding exists for additional purchases.

Review existing standards for communication protocols. How old is the standard? Do vendors adhere to it? Which vendors? Is there a wide range of implementation decisions to be made? Is the standard volatile or stable?

For each protocol, determine where interoperability issues exist. One way to make this determination is to contact other individuals and organizations that are already using the protocol you are considering. Ask your current vendors to provide you with contact information for customers who are using their products with the products that you already have or plan to purchase. Ask the contacts that they provide if both products work well together.

Determine the best communications protocol for each need. For each of your needs, rank the possibilities by determining cost to implement, availability, relative security offered, and interoperability issues. This process will show you how a protocol that seems best in one scenario is not well-suited to another scenario. For example, Internet Protocol Security/Layer Two Tunneling Protocol (IPSec/L2TP) is a better choice for VPNs than Point-to-Point Tunneling Protocol (PPTP) if security is the only parameter measured. However, other factors—such as the ability to transit Network Address Translation (NAT) or the cost to upgrade all client computers—might prevent it from being selected.

Guidelines for Mitigating the Cost of Security
Follow these guidelines to minimize the cost of security:  XK0-002   70-299   MB7-517   70-643  MB7-515

Always insist on a clear and complete statement of the cost that security adds to any project. Whether the cost is prepared by vendors, internal IT staff, management, or the security designer, it must be complete.

Look at security solutions that reduce cost. Are there security technologies suitable for this project that can reduce overall cost and thus improve profitability? An example of such technologies is the use of Secure Sockets Layer (SSL) encryption accelerator cards in e-commerce projects. People rarely doubt the need for secure servers to protect the transmission of sensitive customer or partner financial information during an e-commerce transaction. However, SSL encryption does reduce the number of transactions that can be processed per minute. Slowing the processing of monetary transactions is not a good thing, but removing SSL encryption is not an acceptable solution. SSL-encryption accelerator cards are the answer. Although these cards add cost to a security project, they pay for themselves because they allow the number of possible SSL-encrypted transactions to increase and provide the required care of customer information as it traverses the Internet.

Look for security technologies that, if not employed, absolutely will result in the failure of the project or will result in large, unnecessary expenses. No one today can imagine running an e-mail gateway without antivirus protection. However, it was not long ago that the purchase of such products was seen only as an expense that might be useful. Many organizations learned the hard way that not providing and frequently updating antivirus protection on both the gateway and the end-user machine leads to business interruptions and larger expenses than the cost of providing protection in the first place.

Look for other tangential business drivers that, if not analyzed, can lead to increased expense. For example, confidentiality and integrity—or perhaps the lack of confidentiality and integrity—are becoming increasingly larger legal issues. Ignorance of relevant laws and regulations is not an excuse not to follow them. Potentially large fines and lawsuits can be the result of failure to follow current laws. Another example is that although designing and deploying security can be expensive and require significant expertise, the lack of security can cost even more. The hard costs of the security design—such as costs for equipment, training, and so on—should always be a part of the project cost-benefit analysis. In some cases, it can be shown that adding security reduces the cost of doing business.

Security templates are text files that store policy settings from the Security node in an Active Directory Group Policy. These text files can be imported and applied to GPOs, altering the settings in the GPO to conform to a particular security standard. Because they are text files, security templates are often far easier to manipulate than GPOs.  MB4-641  000-M26  70-448  000-209   MB4-640   352-001  642-524  HP0-M17

Security templates can be edited in two ways. The first is by using the Security Template snap-in of the Microsoft Management Console. This method is the simplest way to edit the templates because it displays them in a form that is similar to that of the Group Policy Editor. Because security templates are stored in text file format, you can also edit security templates by using a text editor such as Notepad. This method is far more complicated and requires detailed knowledge of the security template syntax. Unless there is a compelling reason to do so, use the Security Template snap-in, because editing by using Notepad might lead to inadvertent errors in a template which, when applied, could make a system insecure.

After a security template is created, it must be deployed before it can have any influence on the security configuration of a system. Security templates are generally deployed by importing them into a Group Policy object. Once they have been imported into a Group Policy object, that Group Policy object can then be applied to sites, domains, and organizational units. Security templates can also be deployed by importing them into local Group Policy objects on standalone systems that are not a part of the domain. This can be done by editing the local Group Policy object (gpedit.msc) or by importing the template using the secedit command.

The principles involved in deploying a security template across a domain are similar to the principles involved in deploying Group Policy objects. In general, deployment should be as specific as possible. Grouping target systems into organizational units or sites is far preferable to deploying GPOs with security templates applied at the domain level. This way only the systems that are the targets of these policies will have to process them, and systems for which the policies are not relevant will not be delayed. The more Group Policy settings that are applied within a domain to all machines, the longer those machines take during startup and logon to process all of the policies to reach a final configuration.

One of the advantages to using security templates to configure the security settings in Group Policy objects is that they provide a documented point of reference for determining what went wrong when unexpected results appear. The security configuration and analysis tool can be used to look into the expected results. An administrator can also diagnose where what was planned diverged from what actually happened. One of the most common problems that occurs when security settings are applied is that the rules of Group Policy inheritance are forgotten. Policies applied at the organizational unit level override those applied at the domain level, which in turn override those applied at the site level, which finally override those that are applied locally. This gets even more complicated when policies are applied with the “no override” and “block inheritance” settings. Understanding how these options work is the key to diagnosing problems that occur in the application of security templates.  HP0-M23  000-938   000-100  000-960  000-995  190-805  HP0-S16

P4s 70-647 Microsoft exam demo

CA validity periods SY0-101 70-630 70-647 70-297
Every certificate issued by a CA has a validity period that ends with the certificate's expiration date. Because a CA is really just another entity that has been issued a certificate-either issued by itself (in the case of a root CA) or issued by a parent (in the case of a subordinate CA)-every CA has a built-in expiration date. The expiration date of a CA's certificate is more important than that of other certificates, however.

Although a CA's certificate can be renewed just as easily as any other certificate, a CA cannot issue a certificate with an expiration date valid beyond the expiration date of its own certificate. Therefore, when a CA's certificate reaches the end of its validity period, all certificates it has issued will also expire. Because of this, if you purposely do not renew a CA, you can be assured that all the certificates that the now-expired CA has issued can no longer be used. In other words, there will be no 'orphaned' certificates that are still within their validity period but that have been issued by a CA that is no longer valid.

Because a CA that is approaching the end of its own validity period issues certificates valid for shorter and shorter periods of time, you need to have a plan in place to renew the CA well before it expires in order to avoid issuing certificates of a very short validity period. For example, in the case of Windows Server 2003, the root CA's certificate defaults to a validity period of five years. You should renew it every four years, however, to prevent new certificates from being published with lifetimes shorter than a year. 70-272 70-284

You can reduce the time required to administer a PKI by increasing the validity period of the root CA. As with any certificate, you should choose a validity period shorter than the time required for an attacker to break the root CA key's cryptography. Given the current state of computer technology, one estimate is that a 4096-bit private key would take about 15 to 20 years to crack. While a determined attacker could eventually crack a private key by using the corresponding certificate, the end result would be useless if the certificate had expired by the time the attack completed.

Certificate revocation
A certificate has a specified lifetime, but CAs can reduce this lifetime by the process known as certificate revocation. The CA publishes a certificate revocation list (CRL) that lists serial numbers of certificates that it regards as no longer valid. The specified lifetime of CRLs is typically much shorter than that of a certificate. The CA might also include in the CRL the reason the certificate has been revoked. A revocation might occur because a private key has been compromised, because a certificate has been superseded, or because an employee has left the company. The CRL also includes the date the certificate was revoked.

During signature verification, applications can check the CRL to determine whether a given certificate and key pair are still trustworthy. Applications can also determine whether the reason or date of the revocation affects the use of the certificate in question. If the certificate is being used to verify a signature, and the date on the signature precedes the date of the revocation of the certificate by the CA, the signature can still be considered valid.

Off the Record Most applications do not analyze the reason code. If a certificate is revoked, it's revoked. The reason code just isn't that important.
To reduce the number of requests sent to the CA, the CRL is generally cached by the client, which can use it until it expires. If a CA publishes a new CRL, applications that have a valid CRL do not usually use the new CRL until the one they have expires.

Windows Server 2003 Certificate Services
A PKI can be used to dramatically increase the security of an organization's network. To make the task of implementing a PKI simpler, Windows Server 2003 includes Certificate Services to help your organization implement PKI. You can use Certificate Services to create a single CA or an entire hierarchy of CAs. Windows Server 2003 also includes several tools for managing CAs, certificates, and certificate templates. These tools will be discussed in detail in the other lessons in this chapter. 646-230 70-536 XK0-002

Although you can implement a PKI by using other software, there are distinct advantages to using Windows Server 2003: no additional cost, and tight integration with Active Directory. You can use Group Policy objects to control which users and computers have the rights to issue and manage certificates. You can use standard authorization lists to control the rights of users and computers to request certificates. You can even use certificates issued by your PKI to authenticate users, computers, and domain controllers when they access resources in Active Directory.

Understanding the Components of an Authentication Model 70-441 VCP-310 640-802
In this lesson, you will learn the meaning of the term authentication, and how it differs from authorization. You will understand that network authentication is similar in function to the common methods of authenticating people in the physical world. You will learn how to optimize the security of authentication in Windows Server 2003 environments while ensuring compatibility with every client that will access your network resources. Finally, you will explore the tools provided for troubleshooting authentication problems.
Network Authentication Systems
In order to authenticate a user on a network with some reasonable certainty that the user is who he or she claims to be, the user needs to provide two pieces of information: identification and proof of identity. In most networks, users identify themselves with a user name or an e-mail address. The way users prove their identity varies, however.
Traditionally, a password is used to prove a user’s identity. A password is a form of a shared secret. The user knows his or her password, and the server authenticating the user either has the password stored, or has some information that can be used to validate the password.
Passwords prove your identity because they are something you know. Other ways to prove your identity are with something you have or something you are. Many modern computer systems authenticate users by reading information from a smart card—something you have. Other computer systems are satisfied that you are who you claim to be only when you prove it with something you are. Biometrics can do this by scanning a unique part of your body such as your fingerprint, your retina, or your facial features. 190-848 350-001 156-915.65
Passwords can be guessed, and smart cards can be stolen. One form of authentication alone may not meet your organization’s security requirements. Multifactor authentication combines two or more authentication methods, and significantly reduces the likelihood that an attacker will be able to impersonate a user during the authentication process. The most common example of multifactor authentication is combining a smart card with a password. Typically, the password is required to retrieve a key stored on the smart card. Before you can authenticate to such a system, you must provide a password (something you know) and a smart card (something you have).
Note The examples in this book rely on using passwords alone for authentication. While this is one of the less secure ways to authenticate users, you probably don’t have smart cards or fingerprint readers connected to your computer. You almost certainly have a keyboard, though.
Storing User Credentials
The server that authenticates the user must be able to determine that the user’s credentials are valid. To do this, the server must store information that can be used to verify the user’s credentials. How and where this information is stored are important decisions to make when designing an authentication model.

The way the user credentials are stored can determine how difficult it is for an attacker to misuse the information and whether those user credentials can be migrated to a new authentication system in the future. Naturally, it is important that this information remains confidential. Instead of simply storing a list of user passwords on a server, and directly comparing the password provided by the user against the list, it’s common to store an encrypted or hashed version of the user password. If an attacker does gain access to the server’s copy of the user’s credentials, the attacker still needs to decrypt the contents before they can be used to impersonate a user. 642-642
350-018 640-801

Network Access Server
A network access server is 70-291 a server that functions as a gateway to a network for remote
clients. Routing and Remote Access service can be used to configure a Windows Server
2003 server as a remote access server, which will enable remote clients to create dialup
connections, or as a VPN server.
Remote access  MCDBA  servers authenticate clients as they attempt to connect, or a centralized
authentication server may be configured if there is a need for multiple remote access
servers. IAS Server, which is Microsoft’s implementation of RADIUS, is such a server.
RADIUS is covered in Lesson 3. In configuring your remote access server, you are able
to:
 Restrict remote clients’ access to only the remote access 70-649 server or to the entire network.
With this option, you can allow certain users to access only what is on the
remote access server. For example, you can have job announcements listed in a
shared folder located on the remote access server that you want potential employees
outside of your organization to have access to. However, you do not want
these users to be able to access any other resources located on other servers on
your network. By 70-297 restricting users to only the remote access server, you have less
chance of an attacker penetrating your local area network.

Choose the authentication methods that will be used by the server. Authentication
is the validation of a user’s credentials when he or she attempts to log on to the
remote access server. In other words: “Are you who you say you are? Does your
password match the one in my database?” A good analogy is the situation of an
out-of-towner trying to pay a bill in a fancy restaurant with a personal check. The
waiter or manager of the restaurant needs to 70-291 authenticate the person writing the
check, usually by asking for two forms of a picture ID (credentials).
Authentication should not be confused with authorization. Authorization is the
verification of the user’s right to be where he or she is. That is: “Yes, you are who
you say you are (authentication), but you are not allowed access (authorized) to
the CEO’s bank account records.” Authorization occurs after a user has logged on
and has been authenticated.

 Configure Point-to-Point Protocol (PPP) options. Point-to-Point Protocol is an
industry-standard protocol that replaced Serial Line Internet Protocol (SLIP)
because of SLIP’s limitation of only 70-646 supporting Internet Protocol (IP). PPP works
with multiple protocols and also has better security features, such as encryption,
mutual authentication, callback, and caller-ID.
Configure event-logging preferences. A network access server supports three
types of logging:
 Event logging, which is the recording of events in the system event log. There
are four levels of event logging available:
Log errors only
Log errors and warnings (the default)
Log the maximum amount of information
Disable event logging
 Local Authentication and accounting logging, which enables you to track
remote access usage and authentication-attempt information.
RADIUS-based authentication and 70-270 account logging, which enables you to
track remote access usage and authentication attempts from multiple remote
access servers. RADIUS is a centralized auditing- and accounting-based server
usually used by most Internet Service Providers.
Authentication Methods for Remote Access
After the remote client, remote server, and network infrastructure are configured, a
method must be implemented to authenticate the clients who will be connecting to the
remote access server and gaining access to your company’s network resources. After
all, you do not want unauthorized access to your company’s resources to occur onyour network. Table 10-3 illustrates the various methods of 70-294 authentication available for
remote access clients, including wireless access clients.

VPN Client
A VPN client TS connects to a network using the Internet or public network as its backbone.
It uses Transmission Control Protocol/Internet Protocol (TCP/IP ) protocols and
tunneling, covered later in this lesson, as a means of securing and encrypting the data
as it traverses the public network.
Wireless Client
Wireless clients connect to a network by using radio frequencies ranging from 2.4 GHz
to 5.0 GHz, depending on which 802.11  70-649   wireless standard is being followed (see Table
10-2 for some of the wireless standards). Infrared (IR) frequencies use the frequency a
little below visible light and spread-spectrum signals to send data over multiple frequencies.
Bluetooth is another popular wireless standard for smaller, short-distance
devices such as Personal Digital Assistants (PDAs), and is supported on Microsoft
Windows XP service pack 1 and later.For a wireless client to connect to a remote access server, a couple of components are
required:
¦ Wireless network interface card (NIC) on the client computer The wireless
NIC translates the workstation’s digital signals into radio signals that are sent to a
transceiver located in the same area as the wireless client workstation. There can
be multiple transceivers spread MCSA  over a large area, if necessary, as discussed in
Lesson 2.
¦ Access point (AP) The access point is the transceiver that receives signals from
the wireless client. The AP is connected to the local area network (LAN) segment,
which subsequently sends the data it receives from the wireless client to the
remote access server.
In designing your wireless network, you must determine where to locate the wireless
APs based on the location of your wireless users. You should create a network diagram
that shows the locations within a building that require wireless coverage, or you can
enable wireless coverage for an entire building. You should also document any devices
that can interfere with your wireless network, such as: 70-297

How Many APs Do I Need?
So far, you have included fault tolerance and redundancy in your network design.
Wireless networking should be no exception. Having only one access point in your
wireless design is not only risky, it will also have an adverse affect if a wireless remote
client is not located close enough to the receiver. The indoor range of most devices is
about a 150-foot radius.
You should have an idea of how many wireless clients will be accessing your network.
In your design phase you should try to estimate the throughput the average wireless
client will use. You can multiply this number by the total number of users and get a
good idea of the wireless bandwidth requirement you will need. This will help you
determine the total number of APs for your 70-646 remote access infrastructure. If there are
too many users accessing an AP, the effective data transmission rate will be lower and
the available bandwidth for each user will be reduced.