The 5-Step Security Checkup for Education - PowerPoint PPT Presentation

1
The 5-Step Security Checkup for Education
  • Barbara Chung
  • Security Advisor, Education
  • Microsoft Corporation

2
Agenda
  • Secure Administrative Accounts
  • Implement Zones of Trust
  • Build a Baseline
  • Patch
  • Agile Processes

3
1) Secure Administrative Rights
  • The keys to the kingdom: using them
    inappropriately can forfeit everything else you
    do for security
  • Two general types of problems:
      • Attackers who obtain admin credentials
      • Users who have been granted admin credentials,
        but may not understand the implications of using
        them carelessly or incorrectly

4
1) Secure Administrative Rights
  • Forest is the security boundary, not the domain.
  • You must trust ALL domain admins
  • Admin accounts: not email-enabled, not used as
    desktop accounts, use restricted to trusted
    machines

5
Administrative Accounts
  • Administrator
  • Created accounts assigned to admin groups
  • Accounts that use:
      • EFS Data Recovery certificates
      • Enrollment Agent certificates
      • Key Recovery Agent certificates

6
Administrative Groups
  • In the Builtin container: for example, Account
    Operators, Server Operators
  • In the Users container: for example, Domain Admins,
    Group Policy Creator Owners
  • Anything that you create and assign admin
    privileges to

7
Administrative Groups: Default Domain Groups
  • Enterprise Admins
  • Domain Admins
  • Schema Admins
  • Group Policy Creator Owners
  • Administrators group
  • Administrator account
  • DS Restore Mode Administrator

8
Admin Account Types
  • Local admin accounts
  • Domain admin accounts
  • Forest admin accounts

9
Principle of Least Privilege
  • Always grant minimum privileges required to
    complete the current task
  • Requires some work, but helps to understand your
    organization
  • Don't do it: logging on as Domain Admin to
    troubleshoot a workstation with suspected
    security problems

10
Best Practices
  • Separate domain administrator and enterprise
    administrator roles.
  • Separate user and administrator accounts.
  • Use the Secondary Logon service.
  • Run a separate Terminal Services session for
    administration.
  • Rename the default Administrator account.
  • Create a decoy Administrator account.
  • Create a secondary Administrator account and
    disable the built-in Administrator account.

11
Best Practices, cont.
  • Enable Account Lockout for Remote Administrator
    Logons. (passprop.exe)
  • Create a strong Administrator password.
  • Automate scanning for weak passwords.
  • Use administrative credentials on trusted
    computers only.
  • Audit accounts and passwords on a regular basis.
  • Prohibit account delegation.
  • Control the administrative logon process.
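
Several of the practices above can be checked mechanically. The following PowerShell is an added example, not part of the presentation: it tests admin account records against the rules "not email-enabled", "prohibit account delegation", "rename/disable the built-in Administrator" and regular password audits. The function name Test-AdminAccount, the 90-day threshold and the sample records are assumptions made for illustration.

```powershell
# Added example: audits admin accounts against rules from the slides.
# The records in $sample are constructed. On a live domain, build them with:
#   Get-ADGroupMember 'Domain Admins' -Recursive |
#     Where-Object objectClass -eq 'user' |
#     Get-ADUser -Properties mail, AccountNotDelegated, PasswordLastSet
function Test-AdminAccount {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Account,
        [int] $MaxPasswordAgeDays = 90,      # assumed threshold, not from the slides
        [datetime] $Now = (Get-Date)
    )
    process {
        $findings = @()
        # "Admin accounts: not email-enabled"
        if ($Account.mail) { $findings += 'email-enabled' }
        # "Prohibit account delegation" (account is sensitive and cannot be delegated)
        if (-not $Account.AccountNotDelegated) { $findings += 'delegation not prohibited' }
        # The built-in Administrator keeps RID 500 even after a rename
        if ("$($Account.SID)" -like '*-500') {
            if ($Account.Enabled) { $findings += 'built-in Administrator enabled' }
            if ($Account.SamAccountName -eq 'Administrator') {
                $findings += 'built-in Administrator not renamed'
            }
        }
        # "Audit accounts and passwords on a regular basis"
        if (-not $Account.PasswordLastSet -or
            ($Now - $Account.PasswordLastSet).TotalDays -gt $MaxPasswordAgeDays) {
            $findings += "password older than $MaxPasswordAgeDays days"
        }
        [pscustomobject]@{
            Account  = $Account.SamAccountName
            Pass     = ($findings.Count -eq 0)
            Findings = $findings -join '; '
        }
    }
}

# Constructed sample records (names and SIDs are made up)
$sample = @(
    [pscustomobject]@{ SamAccountName = 'Administrator'; SID = 'S-1-5-21-1-2-3-500'; Enabled = $true
                       mail = $null; AccountNotDelegated = $false; PasswordLastSet = [datetime]'2021-01-15' }
    [pscustomobject]@{ SamAccountName = 'jdoe-adm'; SID = 'S-1-5-21-1-2-3-1104'; Enabled = $true
                       mail = 'jdoe@example.edu'; AccountNotDelegated = $true; PasswordLastSet = [datetime]'2024-05-01' }
    [pscustomobject]@{ SamAccountName = 'asmith-adm'; SID = 'S-1-5-21-1-2-3-1105'; Enabled = $true
                       mail = $null; AccountNotDelegated = $true; PasswordLastSet = [datetime]'2024-05-20' }
)
$sample | Test-AdminAccount -Now ([datetime]'2024-06-01') | Format-Table -AutoSize
```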

12
References
  • The Administrator Accounts Security Planning
    Guide: http://www.microsoft.com/technet/security/topics/serversecurity/administratoraccounts/default.mspx
  • The Services and Service Accounts Security
    Planning Guide: http://www.microsoft.com/downloads/details.aspx?familyid=F4069A30-01D7-43E8-8B30-3799DB2D9C2F&displaylang=en

13
2) Zoning
  • The concept is simple: enforce zones of trust
    on/within the network
      • Blue Zone: controlled risk
      • Orange Zone: reduced risk
      • Red Zone: high risk
  • Why?
      • You're clear about what you're going to manage
        for security (not EVERYTHING)
      • Time Opportunity

14
2) Zoning
  • Firewalls
  • 802.1x: use it to control access to the
    wired/wireless network
  • IPsec: control end-to-end communication

15
Zoning: 802.1x at the Border
  • Standards-based, services and clients built into
    newer versions of Windows, but you can
    mix-and-match
  • Components: authentication directory or
    directories, RADIUS services, network device
    (switch, WAP), client software

16
2) IPsec Domain and Server Isolation
  • Protect trusted assets from unmanaged, rogue and
    guest PCs
  • Complement to other security mechanisms
    (firewall, antivirus, IDS)
  • Restrict communication to domain-managed computers

17
IPsec Domain And Server Isolation
  • Two scenarios:
      • Domain isolation
      • Server isolation
  • Protects corporate hosts or servers from
    unmanaged, rogue, and guest PCs
  • Allows communication between hosts to be
    restricted to domain-managed computers

18
IPsec Domain And Server Isolation (2)
  • Provides ability to identify and control
    communications with critical client or server PCs
  • Complements other host security mechanisms
  • Complements network access protections

19
Domain Isolation
  • Allows host to host communication to be limited
    to domain members (managed computers)
  • Requires IPsec authentication and protection for
    any communication with domain members (managed
    computers)
  • Managed computers can initiate communication with
    managed and unmanaged computers
  • Unmanaged computers cannot initiate communication
    with managed computers

20
Scenario: Domain isolation

21
Server Isolation
  • Requires IPsec authentication and protection for
    communications from hosts to specific servers
  • Managed computers can initiate communication with
    specific servers
  • Unmanaged computers cannot initiate communication
    with specific servers
  • Group-specific server isolation:
      • Only managed computers that are members of a
        specific security group can initiate
        communication with specific servers
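
The domain isolation and server isolation rules above, expressed as Windows Firewall configuration. This is an added example, not part of the presentation; it uses the NetSecurity PowerShell cmdlets of Windows 8 / Server 2012 and later rather than the Windows Server 2003 tooling the deck references. The rule names, TCP port 1433 and the group EXAMPLE\Isolated-Server-Clients are hypothetical.

```powershell
# Added example. Run elevated; rule names, port and group are placeholders.

# --- Domain isolation (applied to every managed computer) ---
# Computers authenticate to each other with Kerberos, i.e. by domain membership.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Domain Kerberos (example)' `
                -Proposal $proposal

# InboundSecurity Require : unmanaged computers cannot initiate to this host.
# OutboundSecurity Request: this host can still initiate to managed and
#                           unmanaged computers (falls back to clear text).
New-NetIPsecRule -DisplayName 'Domain isolation (example)' -Profile Domain `
    -Phase1AuthSet $authSet.Name `
    -InboundSecurity Require -OutboundSecurity Request

# --- Server isolation (applied to the specific server) ---
# Allow the service port only for connections that IPsec has authenticated.
New-NetFirewallRule -DisplayName 'Server isolation: DB (example)' `
    -Direction Inbound -Protocol TCP -LocalPort 1433 `
    -Action Allow -Authentication Required

# --- Group-specific server isolation ---
# Restrict the same port to computers in one security group. The group's SID
# goes into an SDDL string that -RemoteMachine evaluates per connection.
$groupSid = (New-Object System.Security.Principal.NTAccount(
                 'EXAMPLE\Isolated-Server-Clients')).Translate(
                 [System.Security.Principal.SecurityIdentifier]).Value
$sddl = "D:(A;;CC;;;$groupSid)"

New-NetFirewallRule -DisplayName 'Group-specific isolation: DB (example)' `
    -Direction Inbound -Protocol TCP -LocalPort 1433 `
    -Action Allow -Authentication Required -RemoteMachine $sddl
```

In a real rollout these rules are normally delivered through Group Policy, and starting with -InboundSecurity Request before switching to Require avoids cutting off managed hosts that have not yet received the policy.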

22
Scenario: Server Isolation

23
Additional resources
  • Microsoft Windows Server 2003 site at
    http://www.microsoft.com/ipsec/
  • How to isolate servers by using Internet
    Protocol security Support WebCast (see Knowledge
    Base article 889383)

24
2) Zoning
  • Won't protect against trusted users/machines!
    (See step 1, Secure Administrative Privileges)

25
Building a Baseline for Trusted Machines
  • Create visibility for security incidents
  • Automate deployment of lock-down images with
    tools like RIS, ADS
  • Use Security Configuration Wizard to develop
    role-based templates
  • Use Group Policy to enforce security settings

26
Patching
  • .

27
Agility
  • Agile processes are critical to maintaining a
    secure environment
  • Who do users notify when there's a problem?
  • Who can call a security crisis?
  • What happens when a crisis is called?
  • What's the timeline?
  • How does your security group interface with
    the operations group?

28
Questions?