Networking Concepts Lesson 10 part 1 - Network Admin & Support - Eric Vanderburg

Chapter 10
Network Administration & Support

Networking Concepts – Eric Vanderburg ©2005

Managing Users & Groups
 Active

Directory Users & Computers
 Edit a text file in Linux
 Computer Management for local clients

Networking Concepts – Eric
Vanderburg ©2005

Best Practices


Administrators should have 2 accounts








Rename the administrator account (cannot be deleted or
disabled)
Disable the guest account (also add restrictions)







Have an account for normal use
Use the administrator level account only when it is needed
“Run As”
SU (Super User)

Only access from this computer
No permissions
No access times

Audit use of administrative rights
In Linux, a user account can be disabled by editing the password
file and deleted by using the userdel command

Vanderburg ©2005

Considerations
•
•
•
•
•

User name naming
conventions
Password complexity
Logon Hours
Auditing
Security

Vanderburg ©2005

Passwords
 Change

passwords often

 Too

often: written down
 Not often enough: insecure network
 Dictionary attacks
 NOS

Passwords lengths

 Windows

2000/2003 limit is 128 characters
 Windows NT limit is 14 characters
 Linux limit is 256 characters
Vanderburg ©2005

Computer Accounts
 Used

to restrict access to the domain to
certain computers
 Must be Domain/Enterprise admin to
add computers

Vanderburg ©2005

User Rights
 Permissions

- access to resources
 Rights - permitted actions
Log on locally
 Shut down the computer
 Share resources
 Manage printers
 Add computers to the domain
 Adjust quotas
 Backup & Restore
 Take ownership
 ……


Vanderburg ©2005

Groups


Security Group










Local Group
Global Group
Universal Group

Distribution Group
Users should be placed in groups
Permissions should be given to groups, not individual
user accounts
Users can belong to many groups
Effective permissions – End result of all group
memberships. All permissions from all groups are
added together but deny overrides allow (use deny
sparingly)
Vanderburg ©2005

Built in Groups









Administrators (Also Domain &
Enterprise)
Account Operators - Create and
manage user accounts
Backup Operators - backup &
restore
Incoming Forest Trust Builders make one way trusts to the root
forest domain
Network Configuration Operators Change TCP/IP settings for DCs
Performance Log Users - configure
performance counters, logs, & alerts
Performance Monitor Users remotely view performance monitor

















Print Operators
Remote Desktop Users
Replicator - Can change the way AD
data is sent between DCs and can
start the replicator
Server Operators - log onto DCs,
start & stop services, backup &
restore, format…
Cert Publishers - Publish CRL,
CTL, & Templates
Enrollment Agent - Issue Certs
DHCP Administrators
DNS Admins
Group Policy Creator Owner
Schema Admins
Help Services Group - Manage
Help & Support center (remote
assistance)
Guests

Vanderburg ©2005

Automatic Groups









User Groups
Everyone
Authenticated Users –
non guest users
Interactive – local user
Network – logged onto
domain
Creator / Owner
Anonymous Logon
Terminal Services User
Dialup

Program/Service Groups
 Service
 Batch
 System

Vanderburg ©2005

Automatic Groups

Vanderburg ©2005

Domain & Forest Groups
 Local

Group

 For

permissions to local resources
 Other groups should be inside
 Global
 User

Group
accounts should go here

 Universal

Groups

 Contains

accounts from entire forest
 Native mode only
Vanderburg ©2005

Functional Levels
Functional Level

Supported DC OS

Windows 2000 Mixed

Windows NT 4.0
Windows 2000
Windows Server 2003

Windows 2000 Native

Windows 2000
Windows Server 2003

Windows Server 2003
Interim

Windows NT 4.0
Windows Server 2003

Windows Server 2003

Windows Server 2003

• Domain or forest functional level

Vanderburg ©2005

Functional Levels
Functional Level

Options

Windows 2000 Mixed

No Universal Groups & Nesting

Windows 2000 Native

Universal Groups Allowed,
Group Nesting Allowed,
Group Conversion Allowed,
SID History

Win Server 2003 Interim

No Universal Groups & Nesting

Windows Server 2003

Universal Groups Allowed,
Group Nesting Allowed,
Group Conversion Allowed,
SID History, Rename DC’s

Vanderburg ©2005

Trusts
 Types

1-way
 2-way
 Transitive
 Universal – all domains in a tree trust each other


 NT

uses 1-way explicit trusts
 2000 & 2003 use 2-way transitive implicit
trusts
 Allows sharing between domains (permissions
are still needed)
Vanderburg ©2005

Accounts
 SID

(Security Identifier) - Unique number
for AD objects
 We see names, Windows sees SIDs
 Recreated accounts will have new SIDs
 NT stores user rights in SAM (Security
Accounts Manager)
 2000 & 2003 stores rights in AD
Vanderburg ©2005

Event Viewer
 System

Log – records information about
operating system services and hardware
 Security Log – records security events based
on audit filters or policy settings
 Application Log – maintains information
about applications
 Directory Service
 DNS Server
 File Replication Service
Vanderburg ©2005

Performance Monitor






Records individual
events to show trends in
a graph
Object – the item you
want to track (ex:
processor)
Counter – the aspect of
the item that you want to
track
(ex: interrupts/sec)

Vanderburg ©2005

Monitoring
 Network

Monitor

Install from Add/Remove Windows Components
(must be server OS)
 Data read from and written to server each second
 Queued commands
 Number of collisions per second
 Security errors
 Connections currently maintained to other servers
(server sessions)


 Linux

users can choose from many open
source add on products
Vanderburg ©2005

Long-term monitoring
 Develop

a baseline
 Update the baseline when the network
changes
 Bandwidth

changes
 New servers
 Software change
 Compare

performance to the baseline
Vanderburg ©2005

Security
 Know

the costs

 Costs

due to loss of data
 Costs of downtime
 Cost of implementing security measures
 Physical

must be protected first
 Share oriented security (Win9x)
 User oriented security (Win2k, 2k3, XP)
Vanderburg ©2005

Security
 Securing

data

 Make

it safe from intruders
 Make sure damaged data can be replaced
 Plan

for network security

 Identify

threats
 Communicate with other managers in office
to make sure security system meets needs
(it is not only about IT & think of the users)
Vanderburg ©2005

Windows Security Features
 Kerberos
 PKI

(Public Key Infrastructure)
 Group Policy
 VPN (Virtual Private Network)
 IPSec (IP Security)

Vanderburg ©2005

Windows 2003
 CLR

(Command Language Runtime) –
reduces bugs that leave Windows vulnerable
by reducing the power of individual programs,
placing them under the control of the OS.
 IIS 6.0 – configured for maximum security by
default & disabled by default
 Unsecured clients cannot login – Windows 95,
and NT prior to SP4 cannot login to Windows
2003 domain by default; certificates and
encryption required by all clients
Vanderburg ©2005

Kerberos
 Authentication

Method (Win2k &2k3

default)
 Based on RFC 1510
 Uses Kerberos version 5
 Replaces NTLM (NT LAN Manager) &
NTLMv2 – still used with pre 2k clients

Vanderburg ©2005

Kerberos Components
KDC (Key Distribution Center)
 AS (Authentication Service)
 Verifies identity through AD
 Gives TGT (Ticket Granting Ticket) which gives access to certain
resources
 TGS (Ticket-Granting Service)
 Verifies TGT
 Creates a service ticket & session key for a resource based on
TGT. Client can present the service ticket to another server to
access it’s content.
NOTE: Servers have tickets too.
 Only services it’s own domain. Must refer to another TGS for
interdomain resource access (gives referral ticket)
 Server with the desired resource
 Client


Vanderburg ©2005

Items of Note
 Delegation

with Forwarding and Proxy For a server such as a database server
to access resources on your behalf.
(given proxy or forwarding ticket)
 NTP (Network Time Protocol) is used to
synchronize time between machines.
Keys are based on system time so all
must be the same.
Vanderburg ©2005

PKI
 Deploying

a PKI allows you to perform
tasks such as:
 Digitally

signing files (documents and
applications)
 Securing e-mail
 Enabling secure connections between
computers,
 Better user authentication (smart cards)
Vanderburg ©2005

Certificates
Digital certificates - Electronic credentials,
consisting of public keys, which are used to
sign and encrypt data.
 CA (Certification Authority)
Issues digital certificates. Form a hierarchy
 Root CA
 Subordinate CA
 Intermediate CA
 Issuing CA
 Rudimentary CA
restricted to issuing certain certs


Vanderburg ©2005

Select CA Role

Certificates
View issued certs from
Certificates MMC
Certificate policy and practice statements
The two documents that outline how the
CA and its certificates are to be used, the
degree of trust that can be placed in these
certificates, legal liabilities if the trust is
broken, and so on.
 Certificate repositories - Where certificates
are stored and published. (AD)
 CRL (Certificate Revocation List) - List of
certificates that have been revoked before
reaching the scheduled expiration date
 CTL (Certificate Trust List) - The list of the
certificates you trust. If you trust a root,
you trust all certs from that root.


Vanderburg ©2005

Double click to see cert

Certificate Server Role







Publish certificates - The PKI administrator makes certificate
templates available to clients (users, services, applications, and
computers) and enables additional CAs to issue certificates.
Enroll clients - Users, services, or computers request and receive
certificates from an issuing CA or a Registration Authority (RA).
The CARA administrator or enrollment agent uses the
information provided to authenticate the identity of the requester
before issuing a certificate.
Publish CRL & CTL - Users need to know which certificates are
revokes and which servers are trusted by their CA.
Renew or revoke certificates

Vanderburg ©2005

Group Policy
AD Users & Computers MMC
Select your
group policy

Group Policy MMC

Edit as needed

Vanderburg ©2005

Group Policy

Properties

Double click
an item to edit
the properties
for it

Vanderburg ©2005

VPN
 Encapsulates

& encrypt one packet

inside another
 Server to Server - Connecting LANs
 Client to Server - Remote users &
Extranet

Vanderburg ©2005

VPN Protocols




L2TP (Layer 2 Tunneling Protocol)
 Encrypts with IPSec
 Works on many protocols (X.25, ATM, IP, Frame
Relay)
PPTP (Point to Point Tunneling Protocol)
 Encrypts with MPPE (Microsoft Point to Point
Encryption) - 40, 56, or 128bit
 Authenticates with PAP (Password Authentication
Protocol), CHAP (Challenge Handshake
Authentication Protocol), MSCHAP, or EAP
 Works only over IP
Vanderburg ©2005

VPN Advantages
 Distance

is not a concern
 More scalable - can adjust bandwidth to use
 Less reliant on expensive modem pools

Vanderburg ©2005

IPSec





Tunnel - encrypts the header and the payload of each
packet
Transport - encrypts the payload only.
All systems must be IPSec compliant
Encryption


Authentication Encryption





Data Encryption






SHA (Secure Hash Algorithm) - 160bit, high overhead.
MD5 (Message Digest 5) - 128bit
DES (Data Encryption Standard) 56bit
3DES (Triple DES) - high processor overhead
AES

IPv6 has IPSec built-in
Vanderburg ©2005

Security
 Firewalls
 IDS
 Honeypot
 Malicious

Code

 Wireless
A

“hardened” OS is
one that has been
made as secure as
possible Networking Concepts – Eric
Vanderburg ©2005

Hardware Firewalls
Screening Router - filters
packets & closes ports

Screened host - hardware
firewall filters packets & ports.
Bastion host does application
filtering. NAT or proxy
Multiple DMZ – each section has
its own set of firewalls and DMZ
separating it from the others

Screened Subnet/DMZ
(Demilitarized Zone) – put
external access machines in
between 2 firewalls

Vanderburg ©2005

Hardware requirements
 Storage

– large amounts of log files will
be present on this computer so there
must be a large amount of storage
 Processor – this computer will be
analyzing many packets
 2 NICs – must be able to connect the
outside with the inside

Vanderburg ©2005

Software Firewalls
 Most

are cumbersome to configure and control
 Inexpensive extra layer of protection
 Firewall places itself in between the NIC and
the TCP/IP stack
 Vendors
Windows Firewall (built-in)
 Novell Border Manager (built-in)
 Macintosh Firewall (built-in)
 Norton Internet Security
 BlackIce
 ZoneAlarm


Vanderburg ©2005

IDS (Intrusion Detection System)








NIDS (Network IDS) – analyzes network traffic
HIDS (Host IDS) – analyzes traffic sent only to its host
LIDS (Linux IDS) – Open source IDS for linux clients
or servers (http://www.lids.org/)
Looks at network or host traffic based on rules to
determine whether an attack is in progress
The IDS can be configured to respond accordingly ex:
close ports, ban IP addresses, alert admins, close
shares, disable accounts, ect..
Examples: snort

Vanderburg ©2005

Rules
 Rule

base – set of rules that tell the
firewall or IDS what action to take when
types of traffic flow through it.
 Should

be based on security policy

Vanderburg ©2005

Honeypot
A

lure for a hacker
 Wastes the hackers time
 Fake computer or network behind
security barriers
 Can be analyzed to view attack methods
and improve security. Identify what they
are after, what is their skill level, and
what tools they use.
Vanderburg ©2005

Malicious Code
Virus - self-replicating code segment which is be attached to an
executable. When the program is started, the virus code may also run. If
possible, the virus will replicate by attaching a copy of itself to another
file. A virus may also have an additional ``payload'' that runs when
specific conditions are met.
 Trojan horse - malicious code pretending to be a legitimate application.
The user believes they are running an innocent application when the
program is actually initiating its ulterior activities. Trojan horses do not
replicate.
 Worm - self-replicating program, does not require a host program,
creates a copy and causes it to execute; no user intervention is required.
Worms commonly utilize network services to propagate to other
computer systems
 Spyware - a program that secretly monitors your actions. Could be a
remote control program used by a hacker, or it could be used to gather
data about users for advertising, aggregation/research, or preliminary
information for an attack. Some spyware is configured to download other
programs on the computer.


Vanderburg ©2005

Viruses
 Implement

virus protection at these locations:

Workstation – protects a single computer by
scanning files from server or e-mail messages
 Server – scans data read from or written to
server; prevents virus from server spreading
throughout network
 Internet gateway – scans all Web browser,
FTP, and e-mail traffic; stops viruses before
they enter network. Do not infect those checking
your website


Vanderburg ©2005

Wireless Security
 Site

Survey - adjust location and range
so that wireless access extends only to
business borders
 Passwords should be changed and so
should WEP keys. WEP should be
enabled.
 Filter MACs
 Disable SSID broadcasting
Vanderburg ©2005

Preventing Data Loss
 Backup,

Backup, Backup

Normal - copy with a reset of the archive bit
 Incremental






Copies files changed since last full or incremental backup

Differential


Copies files changed since last full backup

Copy - copy with no reset of the archive bit
 Daily - copies all files modified today


 Create

a backup schedule
 Test backups (verify & do a test restore)
 Use a UPS (Uninterruptible Power Supply)
Vanderburg ©2005

Alternate Boot Methods


Recovery Console










Fixmbr: Replace the
master boot record
Fixboot: Write a new boot
sector
Format: format the disk
Diskpart: Manage disk
partitions

Last known good
configuration
Safe mode
Safe mode with networking
VGA mode
Vanderburg ©2005

Other Recovery Programs
 System

Restore - takes snapshots
(restore points) of the system state
 Driver Rollback
 Shadow Copy

Vanderburg ©2005

Shadow Copy
Viewing shadow copies –
WinXP

Viewing shadow copies – Win2k

Select a copy and click restore
to go back to that version

Vanderburg ©2005

Redundancy
 RAID

(Redundant Array of Inexpensive
Disks)
0

- Striping
 1 - Mirroring
 5 - Striping with Parity
 10 - 2 RAID 5 configurations Mirrored
 0+1 - Striped volumes mirrored
 Duplexing

provides redundancy for the
controller also
Vanderburg ©2005

Intellimirror
 Push

software to users or computers

 Assigning
 Publishing

(only for users, not computers)

 Protect

system files from damage
 Mandatory & Roaming profiles
 Not present in NT

Vanderburg ©2005

UPS (Uninterruptible Power Supply)
 Capabilities:

Power conditioning - cleans power, removing
noise
 Surge protection - protects computer from sags
and spikes


 Categories

Stand-by – must switch from wall to battery power
 Online – continually supplies power through
battery; no switching. Wall power recharges battery
continually


Vanderburg ©2005

Auditing
 Records

certain actions for security and
troubleshooting
 Failed

access
 Granted access
 Should

use auditing sparingly – uses
resources & more is harder to utilize
effectively

Vanderburg ©2005

Networking Concepts Lesson 10 part 1 - Network Admin & Support - Eric Vanderburg

Recommended

Recommended

More Related Content

Similar to Networking Concepts Lesson 10 part 1 - Network Admin & Support - Eric Vanderburg

Similar to Networking Concepts Lesson 10 part 1 - Network Admin & Support - Eric Vanderburg (20)

More from Eric Vanderburg

More from Eric Vanderburg (20)

Recently uploaded

Recently uploaded (20)

Networking Concepts Lesson 10 part 1 - Network Admin & Support - Eric Vanderburg