Security+ Lab Answers

LAB ANSWERS:
SECURITY+ CERTIFICATION
LAB ANSWERS: SECURITY+ CERTIFICATION
LAB 1:
EXAMINING SECURITY THREATS AND VULNERABILITIES

EXERCISE 1-1: IDENTIFYING TYPES OF ATTACKERS WHO MIGHT ATTACK A NETWORK
In this exercise, you will work together as a class to discuss the types of attackers who pose a threat to Contoso Pharmaceuticals. In five minutes, list all people who might want to attack Contoso and what their motivation might be.
ANSWER Answers will vary. Possible answers include: A disgruntled employee who wants to get money from Contoso Organized crime operatives who want to illegally obtain controlled substances Terrorists who want drugs for their attacks Animal rights activists who want to protest laboratory testing A rival pharmaceutical company that wants to steal trade secrets A script kiddie who wants to gain credibility in the hacking community An attacker who is testing the security systems on Contosos network A spammer who wants to mask an e-mail trail A virus writer who just wants to wreak havoc
EXERCISE 1-2: IDENTIFYING THREATS, VULNERABILITIES, AND DEFENSES AGAINST ATTACKS

In this exercise, you will work in small groups. Each group should select one of the attackers listed in Exercise 1-1, Identifying Types of Attackers Who Might Attack a Network. Then, using the instructions below, complete the table on page 4. 1. In the first column, list all the threats that this type of attacker poses. 2. In the second column, list the vulnerabilities that would allow the attack to occur. 3. In the third column, list the defensive measures that Contoso should take. Select from the following list of defensive measures for your entries in the third column of your table.
LAB 1: EXAMINING SECURITY THREATS AND VULNERABILITIES
Defensive Measure
Description
Account security Antivirus software
Auditing Digital signature Encryption Firewall ID (intrusion detection) [also IDS, intrusion detection system] Password security
Create accounts only when needed, grant minimal permissions to get the job done, and remove access when it is no longer required. Use applications that automatically remove malicious software such as viruses, worms, and Trojan horses. Keep antivirus software updated to respond to new threats. Monitor the activities of services, users, and administrators to verify compliance with security policies. Archive and review log files. Use a digital signature. For example, use a digital signature to ensure the integrity of data or verify the identity of a sender. Obscure information so it cannot be understood by an unauthorized person. Install and properly configure a firewall to control and monitor inbound and outbound traffic. Use IDS to alert network administrators of activity resembling known attacks. Choose passwords that are difficult to guess or break. Change passwords frequently, but not too frequently or users will use unsafe ways to remember passwords. Require unique passwords that follow appropriate standards for complexity and length. Audit for compliance with password security. Know what is installed on your system by default. Use the security features built into your applications. Make sure they are configured for the maximum allowable security. Follow the best practices recommended by the manufacturer. Restrict physical access to any of the following components: hardware; software; firmware; data media, such as disks, backup tapes, and Zip drives. Control entry to buildings and rooms by locks or access cards. Dont use untrusted systems. Create a tested standard for configuring all computers of a specific type. Test and apply different baselines for different resources, such as a secure e-mail server, Web server, file server, or desktop computer. Verify that the system maintains a secure configuration. Create documents that specify all security policies. Use technology to enforce security policies whenever possible. Apply software updates to fix known problems with operating systems or applications. Problems with software can allow attackers to bypass security controls. Train users to follow safe computing practices.
Proper configuration
Physical security
Secure baseline
Security policies Software updates
User education
ANSWER Possible answers if the attacker is a rival:

Threat Vulnerability Defense Against the Attack
Insufficient background He might plant checks; inadequate physical someone inside the company as a janitor security so that he can get physical access. Key systems that are He might scan the perimeter servers and inadequately patched; misconfigured key systems look for software exploits that he can run. He might try password Weak passwords attacks against the Internet Web server.
Security policies; physical security
Secure baselines; proper configuration; intrusion detection software
Security policies; user education; password security
Possible answers if the attacker is an animal rights activist.

Threat Vulnerability Defense Against the Attack
She might deface the Web site with graphic pictures of animal experimentation. She might try to sabotage computer systems to stop research. She might try to steal confidential data that relates to animal research by using malicious software to access a server.
Weak passwords; insecure baseline configuration; misconfigured Web server
Password security; secure baseline configuration; proper Web server configuration
Insufficient physical security; Physical security; security inadequate policies to prevent policies; user education social engineering Inadequate virus protection; poor user education; inadequate firewall security; no intrusion detection Antivirus software; thorough user education; adequate firewall security; intrusion detection; encryption
4. When all groups are finished, present your attack scenarios to the other students in the class as though they were a senior management committee.
QUESTION What is the difference between a threat and a vulnerability? ANSWER A threat is any activity that possesses a danger to data and other resources. A vulnerability is a weakness that can be exploited by a threat.
EXERCISE 1-3: CALCULATING RISK

1. Calculate the single loss expectancy (SLE), using the following formula: asset value x exposure factor = SLE. To determine the asset value, consider the amount of monetary loss, such as labor costs, that would occur if the virus had to be cleaned from the workstation. You do not have any data on the value of data that might be lost, so you should not consider it for this exercise. To determine the exposure factor, consider how many workstations are likely to be affected before the virus is contained.
ANSWER SLE = (2.5 lost hours x 200 workstations x $35.00 per hour = 17,500.00) x 0.65 exposure factor = $11,375.00.
2. Calculate the annualized loss expectancy (ALE), using the following formula: SLE x annualized rate of occurrence (ARO) = ALE. The ALE is simply a way of estimating the loss that could occur on a yearly basis if no defensive measures were put in place.
ANSWER ALE = $11,375.00 x 0.75 = $8531.25
3. Calculate the cost/benefit of antivirus software, using the following formula: ALE cost of antivirus software implementation = cost/benefit. In this step, you are determining whether the cost of implementing a countermeasure is less than or greater than the cost of the asset. If the cost of the countermeasure is less than the loss that would occur in the event of a realized threat, the argument for implementing it is clear. To determine the cost of implementing the countermeasure, you need to take into account the cost of software licenses, labor costs, and other relevant factors. In this case, the only data you have relates to the software license and labor costs.
ANSWER Cost/benefit = $8531.25 - (4000 + (0.5 x $20.00 x 200)) = $2531.21
4. Present your findings to the class, using the results from the previous calculations to justify the purchase of antivirus software.
QUESTION This exercise demonstrates a quantitative risk analysis. Is this the only kind of analysis you can or should perform to assess risk? If not, what other kind of risk analysis can you perform? ANSWER You might also want to perform a qualitative risk analysis. In a qualitative risk analysis, quantifiable numbers, such as those that are assigned to asset values and potential losses, are not used. Instead, a qualitative analysis examines various risk scenarios and attempts to rate the seriousness of the risk and effectiveness of various countermeasures. Often, participants are asked to rate the seriousness of risk and the effectiveness of countermeasures, using a ranking scale. However, many other methods can be used to perform a qualitative analysis. These methods include surveys, brainstorming, the Delphi technique, and group and one-on-one meetings. QUESTION The quantitative analysis in this exercise makes only a limited number of assumptions about the kind of loss that would occur if the branch office were infected by a virus. What other kinds of loss should you include in the quantitative risk analysis of a potential virus infection? ANSWER Answers will vary, but they can include the cost of replacing lost or corrupted data;, and the cost of additional follow-up efforts to eliminate potential back doors, worms, Trojan horses, logic bombs, and other potential problems created by the virus payload.
EXERCISE 1-4: CLASSIFYING ATTACKS AND IDENTIFYING DEFENSIVE MEASURES

In this exercise, you will work with your group to complete the empty cells in the following table. To complete the Defensive Measures column, use the information provided in the table for Exercise 1-2, Identifying Threats, Vulnerabilities, and Defenses Against Attacks. Be prepared to explain how you might implement any of the defensive measures you suggest. The first row of the table has been completed as an example.
ANSWER Possible answers include the following:

Attack Type Description Defensive Measures
Buffer overflow
Web defacing
Physical Trojan horse
Denial of service (DoS) attack
The amount of data is larger than the holding area, or buffer, that the program sets aside for incoming data. When the data is placed into the computers memory, it might overwrite other data. Unauthorized alteration of Web site content done to undermine the organizations reputation. An attack that involves direct physical contact with a computer or network components. A computer program that appears to have a benign or useful function, but is actually used for malicious purposes. An attack that prevents a system from performing its intended service.
Software patch; proper configuration
Security baseline; proper configuration Physical security; auditing User education; intrusion detection; antivirus software Intrusion detection; firewall; proper configuration; secure baseline Firewall; intrusion detection; digital signature; encryption User education; security policies; auditing; physical security; account security User education; security policies; antivirus software Encryption; digital signature; firewall; physical security
Spoofing
The practice of making a transmission from an illegitimate source appears to have originated from a legitimate source. An attack that relies on deceiving people, rather than on exploiting the vulnerabilities of computer systems.
Social engineering
Virus
Packet sniffing
A computer program that spreads from computer to computer through some installation vector, such as an executable attachment in an e-mail message. A passive attack that monitors network communications, usually as a preparatory step to an active attack.
QUESTION Worms are often referred to as a kind of virus. However, worms differ from true viruses in one important aspect. In what way do worms differ from true computer viruses? ANSWER A computer virus requires human agency to spread. Without human agency, a virus cannot propagate itself. However, worms can replicate themselves to other computer systems without human agency.
EXERCISE 1-5: APPLYING BASIC SECURITY GUIDELINES

Read the scenario below, and then with your group prepare a brief presentation that addresses the weaknesses of the proposal in the scenario according to the four fundamental security guidelines: physical security, trust, privilege level, and documentation. Be prepared to present your findings to the class. One of the branch offices of Contoso Pharmaceuticals has made a brief proposal for implementing a wireless network to use in meeting rooms and to allow greater mobility for internal laptop users. The IT manager at the branch office is aware that wireless networks are vulnerable to eavesdropping and unauthorized third-party access to the LAN. To mitigate these vulnerabilities, he is proposing that all wireless signals be encrypted using a static Wired Equivalent Privacy (WEP) key that will be distributed to all users on a monthly basis via e-mail. Users will configure their own wireless devices to use the current WEP key. Instructions for configuring WEP keys on the laptops will be included with the e-mail. The proposal states that all wireless network interface cards (NICs) will be configured to use DHCP to make it easier for users to configure their wireless devices, Your manager has asked you to evaluate the proposal and report to her on its merits. You need to assess the proposal according to the fundamental security guidelines for physical security, trust, privilege level, and documentation.
ANSWER Answers will vary, but might include the following points:
1. Physical Security Issues
Wireless networks are not physically secure because the wireless signal can be intercepted by any compatible wireless device within range. To provide better security for a wireless network, you need to encrypt the traffic. You also need to limit the wireless signal range so that it does not extend farther than is desirable by ensuring that wireless access points (APs) are placed away from locations such as windows. Furthermore, the WEP key is not rotated often enough and is more vulnerable to being cracked. (This last issue is also related to trust issues.) Employees could deliberately or inadvertently give the WEP key to unauthorized individuals. Generally, it is not a good practice to trust employees with the WEP key. Transmitting the WEP key via e-mail makes it easy for this information to be transmitted elsewhere. Allowing DHCP wireless clients to connect means that anyone with a compatible wireless device that is within range can automatically connect to the network (This is also a privilege level issue, since unauthenticated users could potentially access the LAN through the wireless network). Current corporate security policies might specify that users are not allowed to configure hardware devices.
2. Trust Issues
3. Privilege Issues
4. Documentation Issues
The proposal does not include information on wireless network usage policies. For example, users and administrators need documentation on the procedures that should be followed if a wireless device is lost or stolen.
LAB REVIEW QUESTIONS

1. What is the relationship between a risk, a threat, and a vulnerability?
ANSWER The relationship between a risk, a threat, and a vulnerability can be expressed as risk = threat + vulnerability. That is, a risk is the likelihood of a threat agent exploiting a vulnerability over a period of time.
2. What is the difference between a passive attack and an active attack?

ANSWER In a passive attack, nothing is done to modify data or impersonate users or devices. Eavesdropping, scanning, and packet sniffing are examples of passive attacks. In an active attack, an attacker attempts to modify data or impersonate users or devices. That is, the attacker is performing some activity, rather than passively collecting information.
3. What is generally the most effective way to deal with passive attacks: prevent them, or detect and stop them?
ANSWER Passive attacks are usually very hard to detect, so the best defense is to try to prevent them from occurring in the first place.
4. What do social engineering attacks target: computers, users, applications, or networks?

ANSWER Users. Social engineering exploits peoples vulnerability to deception. That is, social engineering is often based on fraud and confidence tricks to fool people into giving up information of value to the attacker.
10
5. What do spoofing attacks target: computers, users, applications, or networks?

ANSWER Networks. Although both spoofing and social engineering rely on masquerading and impersonation, the key difference is that in a spoofing attack, the attacker makes it appear as if a network transmission originates from a legitimate source.
LAB CHALLENGE 1-1: COMPARING QUALITATIVE AND QUANTITATIVE RISK ANALYSIS

You are a security administrator for Contoso Pharmaceuticals. Your manager has asked you to make recommendations on the format and process for a new risk analysis that she wants to recommend that the company perform. Specifically, your manager wants you to assess the pros and cons of quantitative and qualitative risk analysis before she presents her plan to executive management. With your group, list the pros and cons of quantitative and qualitative risk analysis and be prepared to present this list to the class for general discussion.
NOTE A quantitative risk analysis uses objective metrics, such as asset values and actual cost of countermeasures, as you learned in Exercise 1-3, Calculating Risk. In contrast, a qualitative risk analysis attempts to assess risk and the effectiveness of countermeasures based on informed opinion, sometimes using surveys that ask respondents to rank the seriousness of risk and effectiveness of countermeasures. A qualitative risk analysis can take many forms. For example, it can ask respondents to submit anonymous written comments that are later compiled for analysis. ANSWER Answers will vary and might include the following: Pros of quantitative risk analysis Uses objective numbers that can be independently verified Provides cost/benefit analysis Can easily be automated Shows losses that can occur on an annual basis Can justify the costs of security countermeasures in financial terms Cons of quantitative risk analysis Might require very complex calculations Can be hard to assign a value to certain kinds of assets, such as data and customer information
11
Can be difficult to agree on the accounting methods that are used to assign value to assets; for example, using book value or using current value (original cost depreciation) Can be difficult to accurately quantify the likelihood of certain kinds of threats Pros of qualitative risk analysis Can be used to achieve consensus when there is disagreement about the likelihood of threats and the need for specific countermeasures Is based on the informed opinions of experienced personnel Allows a wider range of stakeholders and interested parties to have input into the risk analysis Can be used to justify the implementation of security countermeasures Cons of qualitative risk analysis Requires that management trust the informed opinions of staff Does not provide quantifiable cost benefits for implementing countermeasures Does not present information in financial terms, so it might be less persuasive than a quantitative risk analysis in justifying the cost of security countermeasures Relies significantly on intuition and guesswork
12
LAB 2:
ESTABLISHING AND MAINTAINING BASELINE SECURITY

EXERCISE 2-1: CREATING AND APPLYING SECURITY TEMPLATES
Configuring and Applying a Security Template
10. In the Interactive Logon: Message Text For Users Attempting To Log On dialog box, ensure that the Define This Policy Setting In The Template check box is selected, type Unauthorized access is prohibited. If you are not an authorized user, do not attempt to log on and then click OK.
QUESTION Why is it a good idea to include a warning for unauthorized users who attempt to log on using stolen or cracked credentials? ANSWER A clearly posted warning removes any ambiguity about the organizations policy regarding unauthorized access and makes it more difficult for an unauthorized user to defend his or her actions in civil or criminal court. Although laws regarding the issue of unauthorized access to computer systems vary from jurisdiction to jurisdiction, a possible defense for an attacker could include the fact that the logon system did not indicate it was illegal for her to access the system.
Testing the Security Template Configuration

1. With the Welcome To Windows screen open, press CTRL+ALT+DELETE.
QUESTION Does the legal notice appear with the title and message that you configured? ANSWER Yes.
LAB 2: ESTABLISHING AND MAINTAINING BASELINE SECURITY
13
2. Click OK.
QUESTION Does the user name of the last logged-on user appear in the Log On To Windows dialog box? ANSWER No.
5. In the details pane, click Telnet.

QUESTION What is the Telnet service startup type? ANSWER Disabled. QUESTION Why can the studentx account view the properties of the Telnet service? ANSWER The studentx account is a member of the Authenticated Users group, which was explicitly given the Read permission to the Telnet service. If this permission were removed from Authenticated Users, members of this group would not be able see any of the properties of the service, including its startup type.
7. In the Telnet Properties (Local Computer) dialog box, in the Startup Type list, select Manual, and then click OK.
QUESTION Were you able to change the startup type? Why or why not? ANSWER No. Only members of the local Administrators group have the permissions required to change the startup type for the Telnet service.
9. Attempt to shut down the computer.

QUESTION Were you able to shut down the computer? Why or why not? ANSWER No. Only members of the local Administrators group have the right to shut down the computer.
14
EXERCISE 2-3: ASSESSING BASELINE SECURITY BY USING MICROSOFT BASELINE SECURITY ANALYZER (MBSA)
11. Review the available scanning options, select Learn More About Scanning Options, select the In The Future Do Not Show This Message check box, click OK in the Internet Explorer dialog box, and then read the description of the scanning options.
QUESTION What does selecting the Use SUS Server option do? ANSWER Selecting the Use SUS Server option allows MBSA to check for security updates against a list of SUSapproved updates.
18. In the Score column of the report, move the mouse pointer over a red X so that the mouseover event pop-up description appears.
QUESTION What does a red X indicate? ANSWER A red X indicates that the check failed (critical).
19. Move the mouse over the various icons in the Score column.
QUESTION List the meanings of the icons you see in the Score column. ANSWER Answers may vary, depending on what students see in the report. A red exclamation mark indicates that MBSA was unable to perform a particular scan. A yellow X indicates that the check failed (non-critical). A blue i indicates more information is available. A green check mark indicates that the check passed. A blue star indicates a recommended best practice.
20. Locate the item that displays Windows Security Updates in the Issue column, and then click Results Details.
QUESTION What information is displayed in the Results Details page? ANSWER The Results Details page lists the Microsoft Security bulletin ID, a description of the vulnerability, and the reason that the test failed for the particular vulnerability.
15
EXERCISE 2-4: MAINTAINING BASELINE SECURITY BY USING MICROSOFT SOFTWARE UPDATE SERVICES (SUS)
Installing and Configuring SUS
26. Click Approve Updates. Because you chose to synchronize the list of approved items from the server from which you downloaded the updates, all of the updates are already approved. Notice that the check box to approve updates is dimmed. The reason for this is that you have configured your SUS server to rely on an upstream SUS server (Instructor01) for the update approval.
QUESTION In this exercise, you are not downloading updates from Microsoft but from another SUS computer on the network. What are some advantages of this configuration? ANSWER Answers will vary, and can include the fact that updates can be centralized and consequently conserve Internet bandwidth. It is also important to note that this configuration limits the number of computers that need to communicate over the Internet. Another advantage is that the approval process for updates can be centralized and handled by a small group of people.

1. Why would you want to use the Security Configuration And Analysis tool when you are deploying either group policy or a local policy to change security settings?
ANSWER Answers will vary. However, a key advantage of the Security Configuration And Analysis tool is that it allows you to analyze the effects of a policy template before and after implementing it.
2. Your organizations security policy states that after software updates have been tested and approved, they must be installed on user workstations with a minimum amount of end user interaction. How would you configure a Windows Update policy to meet this requirement?
ANSWER In Configure Automatic Updates property, you would enable option 4 Auto Download And Schedule The Install.
16
3. You have installed SUS on your network. What do you need to do to make updates available to client computers on the network?
ANSWER You must approve updates, using the SUS administrative interface, before they can be made available to clients.
4. You have set up a dedicated workstation to perform MBSA scans of computers on your network. Your organizations security policy states that this computer cannot have a direct connection to the Internet. What do you need to do in order to scan computers for needed security updates?
ANSWER You must obtain a current copy of the Mssecure.xml file and copy it to the dedicated workstation.
5. What happens if you import more than one security template into the Security Configuration And Analysis tool?
ANSWER The database will merge the templates into one composite template. If there is a conflict in the settings among the imported templates, the last template imported will take precedence.
6. What permissions do you need to run an MBSA scan against a local or remote computer?
ANSWER You need to have local administrative privileges.
LAB CHALLENGE 2-1: AUTOMATING MBSA SCANS

You are the security administrator for Contoso Pharmaceuticals. Your manager has recently heard about MBSA. She would like you to install it on a dedicated workstation to scan computers to verify that approved service packs and other security-related updates have been installed. The dedicated workstation has access to the Internet through a proxy server. Your manager wants the MBSA scan to run during off hours at least once a week, and she wants to view the information in a well-formatted and meaningful report. You currently have an SUS server on your network that is used to distribute approved updates to your intranet. Using the MBSA components installed on your workstation, create a configuration that allows your workstation to run checks for security patches on all computers in the contoso.com domain in such a way that
17
the scan can be triggered by a schedule and the results of the scan can be imported into a database or spreadsheet.
ANSWER In order to complete this lab, you must use the command-line version of MBSA, not the GUI version. The following command is a possible answer:
Mbsacli /hf -d contoso.com -o tab -f MBSAreport.txt -sus "http://instructor02"
You can put this command in a batch file that can be triggered according to a schedule using the AT command.
18
LAB 3:
MONITORING AND MAINTAINING ACCOUNT AND ACCESS CONTROL SECURITY

EXERCISE 3-1: USING MBSA TO DETECT ACCOUNT VULNERABILITIES
7. When the report appears, in the Sort Order box, click Issue Name, and then click Result Details to view the first and subsequent vulnerabilities in the list.
QUESTION How many accounts on the local computer have administrator rights? ANSWER MBSA indicates that more than two accounts have administrator rights. QUESTION Which accounts have administrative privileges on the local computer? ANSWER Four accounts have administrator rights: the local Administrator, Contoso\Adminx, and two local accounts, Sally and Bob. QUESTION Did the check of the local Guest Account pass or fail? ANSWER The check of the local Guest account passed because the account is disabled. QUESTION Did the Local Account Password test pass? ANSWER No. The results indicate that some user accounts have blank or simple passwords. QUESTION Consult the MBSA help file and list the weak passwords that MBSA can detect. ANSWER Password is blank; password is the same as the user name; password is the same as the computer name; password contains password, admin, or administrator.
LAB 3: MONITORING AND MAINTAINING ACCOUNT AND ACCESS CONTROL SECURITY
19
QUESTION Which accounts failed the test? ANSWER The Administrator account, the Guest account, and the two local user accounts, Sally and Bob, have blank or weak passwords.
EXERCISE 3-2: EXAMINING AND CHANGING ACCOUNT SECURITY

Using Resultant Set Of Policy to View Policies Applied to the Local Computer
16. In the details pane, double-click Enforce Password History, and then select the Precedence tab.
QUESTION Where does the Enforce Password History policy setting come from? ANSWER The policy setting comes from the Default Domain Policy.
17. Double-click the remaining password settings and review their configuration.
QUESTION List the remaining password setting configurations and where they originated. ANSWER All password policies originate from the Default Domain Policy. Maximum Password Age = 42 days Minimum Password Age = 1 days Minimum Password Length = 7 characters Password Must Meet Complexity Requirements = Enabled Store Passwords Using Reversible Encryption = Disabled
18. In the console tree, browse to Computer Configuration\Windows Settings\Security Settings\Local Policies, select Audit Policies, and then
20
review the settings in the details pane.

QUESTION What is the common setting for all the Audit policies? ANSWER The common setting for all the Audit policies is Not Defined.
Viewing and Modifying the Local Security Policy

6. In the Minimum Password Length Properties dialog box, in the Minimum Password Must Be At Least box, verify that the value is set to 7 characters, and then click OK.
QUESTION Why cant you change account policy values through the Local Security Settings MMC console? What tools can you use to change AccountPolicy values? ANSWER When a computer is a member of a Microsoft Windows 2000 or Windows 2003 domain, account policies are determined at the domain level. To change account policies, you must modify the domain policy where these values are set. To do this, you can use the Active Directory Users And Computers (ADUC) console or Group Policy Management Console (GPMC).
11. In the Audit Privilege Use Properties page, select the Success check box, and then click OK.
QUESTION Why can you change these settings, but not the password policy settings, using the Local Security Settings MMC console? ANSWER Because no Group Policy settings are defined for these objects that would consequently override settings defined locally, you can modify these settings.
21
Managing Local Accounts and Viewing Security Logs

3. In the details pane, double-click Administrators. The Administrators Properties dialog box opens, showing all of the accounts that are members of the Administrators group.
QUESTION What extra accounts are in the Administrators group? ANSWER Sally and Bob.
16. Click OK to reset the password and close the Set Password For Guest dialog box.
QUESTION Why is P@ssw0rd acceptable as a password but password is not? ANSWER P@ssw0rd meets minimum complexity requirements.
17. Click OK to close the Local Users And Groups dialog box, indicating the password has been successfully set.
QUESTION If the Guest account is disabled, why should you assign a complex password to it? ANSWER If the Guest account is inadvertently enabled, a preassigned, complex password will secure the account.
23. In the details pane of the Security Log, double-click the entries that belong to the Account Management category, and then review them.
QUESTION What Account Management events are recorded? ANSWER Removing Bob and Sally from the Administrators group, deleting the Bob and Sally accounts, and resetting the password for the Guest account.
22
QUESTION Why is it a good idea to configure security auditing for account management events? ANSWER To keep a record of such events and to help you detect the improper use of administrative privileges.
EXERCISE 3-3: CONFIRMING ACCOUNT SECURITY CONFIGURATION CHANGES

6. When the report appears, in the Sort Order box, click Issue Name, and then view the first vulnerability in the list.
QUESTION How many individual accounts on the local computer have Administrator rights? Which accounts are they? ANSWER Only two appear: Adminx and the local Administrator account. QUESTION Did the check of the local Guest Account pass or fail? Why? ANSWER The check of the local Guest account passed because the account is disabled. QUESTION Did the Local Account Password test pass? Why? ANSWER Yes. All of the accounts have strong passwords assigned to them.
EXERCISE 3-4: USING ALTERNATE CREDENTIALS TO PERFORM ADMINISTRATIVE TASKS

11. In System Tools, expand Shared Folders, and then select Shares. You will see a warning message indicating that you do not have permission to see the list of shares.
QUESTION What security groups have permissions to manage shares? ANSWER Members of the Administrators, Server Operators, and Power Users groups can manage shares.
23
15. Expand Event Viewer, and then select the Security log. Security audit events appear in the details pane.
QUESTION Why are you able to view the Security log? ANSWER Even though you are logged on using an account that does not have administrative credentials, you launched the Computer Management console with alternate credentials that do have administrative permissions.
16. Double-click a number of recent entries in the Security log.

QUESTION Does the Security log show events related to the use of alternate credentials? What authentication methods are reported as being used by security principals when they log on? ANSWER The Security log records authentication events for both the Studentx and the Adminx accounts. The Security log should contain events that list either Negotiate or Kerberos as authentication methods (packages). (Negotiate means that Kerberos authentication will be attempted before falling back to NTLM methods of authentication.)
34. On the Docs Properties page, select the Share Permissions tab.
QUESTION What permissions does the Studentx account have to the newly created \Docs folder when access occurs through the shared folder (\\Computerx\Docs)? ANSWER Although the Studentx account has NTFS modify permissions to the \Docs folder, it has only the Read permission through the shared folder by virtue of its membership in the local Users group. This means that the accounts effective permission to the \Docs folder is read-only when access occurs over the network. When the user accesses the folder locally, the shared folder permissions will not apply and the user will have Modify access.
EXERCISE 3-5: INSTALLING WINDOWS 2003 ADMINISTRATION TOOLS PACK

6. Click Start, and then select Administrative Tools.
QUESTION Name at least three utilities that were added to the Administrative Tools menu. ANSWER Answers will vary but should include Active Directory Domains And Trusts, Active Directory Sites And Services, Active Directory Users And Computers, and others.
24
EXERCISE 3-6: EXAMINING ACTIVE DIRECTORY ACCESS CONTROL LISTS

Viewing Active Directory Permissions
9. In the Advanced Security Settings For Employeesxx window, click the Name column to sort the entries by name.
QUESTION How many entries exist for the Adminx and Studentx accounts? ANSWER There are five entries for the Adminx account and two for the Studentx account.
16. Review the effective permissions for the Studentx account by scrolling down the list of permissions.
QUESTION What objects is the Studentx account allowed to create and delete? ANSWER The Studentx account can create and delete user objects.

1. When are password complexity requirements enforced?
ANSWER Password complexity requirements are enforced when passwords are created or changed. Consequently, it is a good idea to apply password complexity requirements in a policy before creating accounts.
2. What are the default password complexity requirements of a Windows 2003 domain?
ANSWER Passwords cannot contain all or part of the user's account name. Passwords must be at least six characters long. Passwords must contain characters from three of the following four categories: English uppercase characters (A through Z) English lowercase characters (a through z) Base 10 digits (0 through 9) Nonalphabetic characters (for example, !, $, #, %).
25
3. When you use MBSA to scan computers for vulnerabilities, when should you disable scans for weak passwords?
ANSWER When a domain controller contains a large number of accounts, you might want to disable the option to scan for weak passwords because this type of scan can take a considerable amount of time if a large number of accounts have to be evaluated.
4. What important security principle is implicit in the use of the Run As command?
ANSWER The principle of least privilege. Using the Run As command makes it unnecessary for a network administrator to log onto the network using an administrative account for most of the tasks she has to perform.
5. A user belongs to two security groups that have been granted different NTFS permissions to a folder. For example, one security group has the Write permission to a folder and another group has Read and Execute permissions. How are NTFS permissions determined for the user? What happens if one of the groups is explicitly granted the Deny permission to the file or folder?
ANSWER In the absence of Deny permissions, NTFS permissions are combined. In the example above, the users permissions would be Write, Read, and Execute. However, if the Deny permission had been explicitly granted, the Deny permission would take precedence.
6. A user has been granted NTFS modify permissions to a folder and Read and Execute permissions to a file within the folder. What are the users effective permissions to the file?
ANSWER File permissions have precedence over folder permissions, even when the Deny permission is present on the folder.
7. NTFS permissions are an example of what kind of access control? a. Discretionary access control (DAC) b. Mandatory access control (MAC) c. Role-based access control (RBAC)
ANSWER a.
26
8. The help desk receives a call from a user who claims that he has lost his password and wants it reset. The help desk technician asks the user a number of questions to verify the users identity and then resets the password. Subsequently, it is discovered that the help desk technician and company were both victims of fraud perpetrated by an individual who stole an employees personal information and used it to gain access to the network. How does delegating authority to reset user account passwords to an individual who knows most or all of the users help to mitigate the risk from this kind of attack?
ANSWER The help desk and the company were victims of a social engineering attack. When help desk technicians are responsible for resetting passwords for many users, the technicians are vulnerable to this kind of fraud because they do not know the user personally, as would be the case with a manager or some other trusted person who could be delegated authority to reset passwords.
LAB CHALLENGE 3-1: EXAMINING AUTHENTICATION METHODS

You are a security administrator for Contoso Pharmaceuticals. The contoso domain has recently completed a migration from Microsoft Windows NT 4.0 to Windows 2003. The next upgrade project is to replace all legacy Microsoft Windows 95 and Microsoft Windows 98 clients with Microsoft Windows 2000 Professional or Microsoft Windows XP clients. Because the legacy clients will exist for a short time only, the IT group decided not to install the Active Directory Client Extensions Pack on them. Your manager wants to develop a security plan that will be implemented as soon as the legacy clients have been replaced. In particular, he is concerned that the current authentication mechanisms are unnecessarily weak for an environment that contains only Windows 2000 or higher clients and Windows 2003 domain controllers. For example, he has heard that LAN Manager authentication results in the storage of LAN Manager hashes that can more easily be compromised by a brute-force attack than NTLM hashes can. Your manager wants you to provide a brief list of recommendations for increasing the security of authentication methods used on the network. He would also like you to review the Network Security Settings under Computer Configuration\ Windows Settings\Security in the Local Security Policy of member servers. He wants to know which of these Network Security Settings should be configured, along with the values they should be configured with. Also, he wants you to identify, if possible, one of the standard predefined security templates that ship
27
with Windows 2003 to use as the basis for implementing and enforcing stronger authentication methods.
TIP In order to complete this Lab Challenge, you might have to refer to the Windows 2003 help files. ANSWER Because all clients and servers will use Windows 2000 or higher operating systems, it is possible to eliminate LAN Manager authentication entirely and to use NTLM or NTLM v2 authentication exclusively. At a minimum, the Network Security: LAN Manager Authentication Level setting should be configured to Send NTLM Response Only. Configuring the policy setting to require NTLMv2 authentication only is also possible. Other possible answers include configuring other Network Security Settings, such as Network Security: Minimum Session Security For NTLM SSP Based (Including Secure RPC) Clients, but these answers will be dependent upon the LAN Manager Authentication Level setting. Either the Secure (Secure*.inf) or the Highly Secure (hisec*.inf) template could be used as the basis for configuring policies that implement strong authentication mechanisms. Also, an easily overlooked setting is that the domain mode should be changed to Windows 2003 from Windows 2003 interim.
28
LAB 4:
USING CRYPTOGRAPHY TO SECURE INFORMATION

EXERCISE 4-1: USING EFS FOR ENCRYPTION
Verifying Access Restrictions to an Encrypted File
4. On the Encryption Details For C:\Encrypted Folder\Encrypted File page, review the information.
QUESTION By default, who can transparently access the contents of the encrypted file? ANSWER By default, the user who created the file can transparently access the file. QUESTION Who or what is listed as the recovery agent for the encrypted file? ANSWER The Administrator account is listed as the recovery agent.
Using Cipher to Manage Encrypted Files and Folders

5. Type cipher and then press ENTER.
QUESTION Are there any unencrypted files in the folder? ANSWER The output of the cipher command indicates that the Unencrypted File.txt file is not encrypted. QUESTION What attributes in the output of the Cipher command indicate whether a file is encrypted? ANSWER The E indicates the file is encrypted. The U indicates the file is unencrypted.
LAB 4: USING CRYPTOGRAPHY TO SECURE INFORMATION
29
QUESTION If there are any unencrypted files in the folder, why are they unencrypted? ANSWER The parent folder is unencrypted, which allows the creation of unencrypted files.
6. Type cipher /a /e c:\encrypted folder\*.* and then press ENTER.

QUESTION Which files in the folder are encrypted? ANSWER All existing files in the folder are encrypted. QUESTION Will new files that are added to the folder be encrypted? ANSWER No. The command you entered simply causes the files in the folder to be encrypted. The folder properties have not been configured to encrypt files.
10. Type cipher, press ENTER, and review the output of the command.
QUESTION What will happen to new files if they are added to the C:\Encrypted Folder directory? ANSWER New files added to the folder will be encrypted.
12. At the command prompt, type cipher, press ENTER, and review the output.
QUESTION Why is Encryption Test.txt encrypted? ANSWER The parent folder is encrypted, causing all newly created files in the folder to be encrypted as well.
30
EXERCISE 4-2: PROVIDING REMOTE ACCESS FOR EFS ENCRYPTED FILES

14. In the Permissions For Studenty box, in the Allow column, select the Write check box, and then click OK.
QUESTION Why can the Studentx account configure NTFS permissions on the RemoteEFS folder? ANSWER Studentx created the folder, so the Studentx account is automatically a member of the Creator Owner group. The Creator Owner group has full control permissions for the folder.
23. On the Sharing Was Successful page, click Close, and then close Computer Management.
QUESTION Why did you have to open the Computer Management console with alternate credentials to share the RemoteEFS folder? ANSWER The Studentx account does not have a sufficient level of permissions to create a shared folder and cannot use Windows Explorer to configure the share on the folder.
27. Double-click the RemoteEFSTest file to open Notepad, enter some text, and then save and close the file.
QUESTION How do you know that the file has been encrypted? Why was the file encrypted? ANSWER The file changes color in the Windows Explorer window. Also, you can view the properties of the file to see that it has been encrypted. Also, you can verify whether the file was encrypted by using the Cipher.exe and Efsinfo.exe command line utilities. The file was encrypted because the properties of the folder are configured to encrypt files.
31
EXERCISE 4-3: CONFIGURING AN EFS RECOVERY AGENT

Verifying Certificate Template Permissions and Requesting an EFS Recovery Agent Certificate
12. In the details pane for the Certificate Templates node, right-click Basic EFS, select Properties, and then select the Security tab.
QUESTION What is the meaning of the Enroll permission? ANSWER The Enroll permission determines who can request the particular certificate type.
13. In the Group Or User Names box, select each of the security groups in turn. Note the permissions that are displayed in the Permissions box.
QUESTION What effective permissions does the Studentx account have for basic EFS certificates by virtue of belonging to both the Domain Users and the Authenticated Users groups? ANSWER Because the Studentx account is a member of both Domain Users and Authenticated Users, the Studentx account has Read and Enroll permissions.
16. In the Group Or User Names box, select each security group in turn. Note the permissions that are displayed in the Permissions box.
NOTE The Class Admins group that is listed in the Group Or User Names box was manually created as part of the classroom setup. The group contains all the Adminx accounts used for this lab. QUESTION What security groups can request EFS recovery agent certificates? ANSWER The ClassAdmins, Domain Admins, and Enterprise Admins can request EFS recovery agent certificates.
32
Configuring an EFS Recovery Agent for an OU

5. In the Group Policy Object Editor, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Public Key Policies, and then click to select Encrypting File System.
QUESTION Are any EFS Group Policies defined for the Employeesx OU? ANSWER No. There are no EFS Group Policies defined for the OU.
EXERCISE 4-4: USING ENCRYPTION FOR WEB COMMUNICATIONS

Comparing HTTP and HTTPS Web Traffic
25. In the Security Alert dialog box, click OK. If you receive another security alert indicating that certificate revocation information is not available, click Yes.
NOTE The security alerts that you see are the result of Web browser security configuration. By default, Windows 2003 enables Internet Explorer Enhanced Security Configuration to provide a higher degree of protection than the Web browser configuration for earlier Microsoft Windows operating systems had. QUESTION Once you have connected to a Secure Sockets Layer (SSL) secured Web site, what visual cue in the Web browser indicates that the traffic between the Web browser client and the Web server is encrypted? ANSWER The lock icon in the lower right-hand corner indicates that traffic is encrypted.
33

1. You are using EFS to store sensitive data on your network and are concerned that some applications might be leaving temporary files on local hard drives. What should you do to ensure the confidentiality of temporary files?
ANSWER You should identify the folder locations where these temporary files are stored and configure encryption on the properties of these folders as well.
2. You have enabled a file server to support remote encryption, and users are storing encrypted files through shared folders on the server. In what way is the confidentiality of the data still vulnerable?
ANSWER The data is not encrypted in transit from the client workstation to the server. Therefore, the confidentiality of the data is vulnerable to eavesdropping attacks.
3. Why should you configure encryption at the folder level, rather than at the file level?
ANSWER Newly created or added files to the folder will be automatically encrypted.
4. You move an encrypted file to an unencrypted folder that resides on an NTFS volume. Does the file remain encrypted? What would happen if the file were moved to a folder on a file allocation table (FAT) volume?
ANSWER Encryption travels with the file, as long as the target volume is NTFS 5. If you move the file to an NTFS 4 volume (the version of NTFS used by Microsoft Windows NT 4.0), the file will be decrypted. This is also the case when you move or copy a file to a FAT16 or FAT32 volume. However, if you move an unencrypted file from one folder to an encrypted folder on the same NTFS volume, the file will remain unencrypted. The reason for this is that by moving a file to a different location on the same volume, you have only changed a pointer record in the file table, but not any of the bits belonging to the file itself. If you copy an unencrypted file from one folder to an encrypted folder, the file will be encrypted.
5. You are reallocating a removable hard drive to another user and are concerned that the portable hard drive might contain sensitive information. What Cipher.exe command-line option should you use to
34
ensure that this data cannot be recovered from the hard drive?
ANSWER You can use the Cipher.exe /w command to ensure that data is more thoroughly erased from the hard drive and cannot be recovered by using special tools.
6. You connect to an SSL-enabled e-commerce Web site. How can you view the details of the digital certificate used to establish the SSL-encrypted session?
ANSWER You can double-click the lock icon in the lower right corner of the Web browser to view the details of the digital certificate.
7. You are using Network Monitor to examine HTTPS traffic. You notice that the port used by the Web server is always TCP port 443, but that the TCP port used by the Web browser client varies.
QUESTION What are TCP/IP ports, and what are they used for? ANSWER A port is a kind of connection address for TCP or User Datagram Protocol (UDP) traffic. When upper-layer client applications such as Web browsers connect to server applications such as Web servers, they use well-known port addresses to make the initial connection. For example, the well-known port address of HTTP is 80; for HTTPS it is 443; for SMTP it is 25; for POP3 it 110; and so on. When a client application connects to a server application, it initiates the connection at the well-known port address and informs the server of the TCP or UDP port to be used for the reply. This port is opened dynamically by the client application and is some value above 1024.
35
LAB CHALLENGE 4-1: BACKING UP AND RESTORING EFS KEYS USED TO ENCRYPT AND DECRYPT DATA
You are a security administrator for Contoso Pharmaceuticals. A small group of research scientists uses EFS extensively to protect proprietary data. These scientists are about to receive new dual-processor workstations. Because the EFS digital certificates the scientists use to encrypt and decrypt their data are stored with their profiles on the local computer, they will not be able to access their encrypted data if they lose these certificates. One solution to the problem would be to use roaming profiles. However, company policy does not allow the use of roaming profiles. Although you have configured an EFS recovery agent, the scientists would like to back up their own EFS keys that are found in the EFS certificate and restore them to the new workstations. They have asked you to demonstrate how to back up and restore EFS keys to a different workstation. For this lab challenge, demonstrate how to back up and restore EFS keys for a test user account. You should try to make the demonstration as real as possible by simulating the loss of keys used for EFS encryption. How can you do this?
ANSWER To make the demonstration as real as possible, you should create a user account, use it to encrypt some files, back up its EFS keys, and then delete its local profile to simulate the effect of logging on to a new computer and creating a new local profile. After doing this, you can restore the EFS keys to demonstrate you have access to the encrypted files.
36
LAB 5:
USING CERTIFICATES
EXERCISE 5-1: EXAMINING ROOT CERTIFICATES
Using the Certificates Snap-In MMC Console to View and Manage Root Certificates
6. On the Certificate page, note the information and answer the following questions:
QUESTION What is the intended purpose of the certificate? ANSWER The intended purpose of the certificate is to ensure the identity of the remote computer. QUESTION What entity issued the certificate? ANSWER The certificate was issued by Contoso CA.
22. In the console tree, expand Certificates - Current User, expand Trusted Root Certification Authorities, and then select Certificates, as shown below.
LAB 5: USING CERTIFICATES
37
GL05XX03
QUESTION What kinds of entities are represented by the prepopulated certificates in the Trusted Root Certification Authorities certificate store? ANSWER The certificate store includes the certificates from the Microsoft Windows 2003 Enterprise CAs that are part of the PKI for the Active Directory directory service. Many of the certificates included in the Trusted Root Certification Authorities represent commercial third-party certificate vendors, such as Verisign, that commonly issue certificates for publicly accessible e-commerce sites and other sites that require encrypted sessions.
25. In the console tree, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then select Certificates.
QUESTION Is the CONTOSA CA root certificate in the local computer certificate store? ANSWER No. The certificate has been removed.
EXERCISE 5-2: USING CERTIFICATES FOR WEB SERVER SECURITY

Generating a Certificate Signing Request (CSR)
7. On the Delayed Or Immediate Request page, ensure that Prepare The Request Now, But Send It Later is selected, and then click Next.
QUESTION What must you do before you can select the Send The Request Immediately To An Online Certification Authority option? ANSWER To send a request immediately to an online authority, you must implement an Enterprise CA, to which the request is sent. An Enterprise CA, in turn, requires Active Directory.
38
8. On the Name And Security Settings page, type Computerxx Web Certificate (where xx is the two-digit version of your student number) in the Name box; in the Bit Length box, select 2048; and then click Next.
QUESTION What is the maximum bit length you can select? ANSWER 16,384 bits.
EXERCISE 5-3: IMPLEMENTING USER CERTIFICATE AUTHENTICATION FOR ACCESS TO WEB SITES
Creating a Virtual Directory for Certificate-Based Authentication
13. Click OK to close the CertSecure Properties dialog box.
QUESTION What is the effect of the configuration in step 12? ANSWER The user must present a valid digital client certificate to access the virtual directory.
EXERCISE 5-4: EXPORTING AND IMPORTING A CERTIFICATE

Exporting a Web Server Certificate
6. On the Export Private Key page, select Yes, Export The Private Key, and then click Next.
QUESTION Why is it necessary to export the private key? ANSWER The private key is necessary to decrypt data that is encrypted with the public key. The Web browser client encrypts data with the public key, which the Web server needs to be able to decrypt.
7. On the Export File Format page, ensure that Personal Information Exchange PKCS #12 (.PFX) is selected, ensure that Enable Strong
39
Protection is selected, and then click Next. When you enable strong protection, the file containing the certificate information will be protected with a password.
QUESTION Why is it a good idea to enable strong protection when you export this certificate? ANSWER Because the private key is being exported, you must take special care to ensure that the private key is not compromised.

1. Your single intranet Web server should be load balanced with another Web server to increase availability and fault tolerance. The single intranet Web server uses a digital certificate to encrypt Web traffic. What should you do to encrypt Web traffic on the second, load-balanced server?
ANSWER You should export the Web certificate from the first Web server, and then import it to the second, load-balanced Web server.
2. You have configured an intranet Web server with a digital certificate and have used the internal Domain Name System (DNS) nameintranetas the common name for the certificate. The Web server is also accessible from the Internet for customer access. The external DNS name of the Web server is www.contoso.com. Why is the configuration of the digital certificate a problem?
ANSWER Customers will receive a warning message indicating that the name on the certificate does not match the name of the site, resulting in a lack of confidence in the site. Another problem is that the certificate provides information on an internal computer name, which could be used by attackers to gain information about the internal network.
3. Where can you view the common name used for a Web certificate after you connect to an SSL-enabled Web site?
ANSWER By double-clicking the lock icon in the lower right corner of the Web browser, you can view the details of the certificate. The common name is listed in the subject field of the certificate.
40
4. Your organization wants to set up an SSL-enabled Web site that the public can access from the Internet. Your manager suggested that the organization could save money by using Microsoft Certificate Services instead of purchasing a third-party digital certificate from a commercial CA. What is the primary disadvantage of this suggestion?
ANSWER The primary disadvantage is that Internet users will receive a warning message that the certificate cannot be verified up to a trusted CA, resulting in a lack of confidence in the security of the Web site.
5. One of your employees tells you he understands that a digital certificate contains a public key that is used for encryption, but he is somewhat confused about the difference between a public key and a certificate. How do you explain the difference?
ANSWER Public keys are used to encrypt messages, which can be decrypted only by a complementary private key. A certificate contains the public key that Web clients use to encrypt specific messages with Web servers. A digital certificate verifies the identity of the owner of the key through the information contained in the certificate, such as the common name or the name of the CA that issued the certificate. Before communicating with the Web server, the Web browser client verifies the identity of the Web server and verifies that the public key is in fact owned by the Web server; that is where the digital certificate comes in. A good commercial CA will go through an authentication and verification process to ensure that the entity applying for the certificate is providing truthful information.
LAB CHALLENGE 5-2: AUTOMATING THE DISTRIBUTION OF USER CERTIFICATES

Currently, your organization is making limited use of user certificates for authenticating to intranet and extranet Web sites. However, the security team is recommending that your organization make more extensive use of user certificates. Your manager is concerned that the Web-based enrollment she has seen for user certificate acquisition is not a good solution. The organization has close to a thousand employees who might need user certificates, and she is concerned that the help desk will not be able to handle any problems that users will experience. Ideally, she would like to configure Windows 2003 Certificate Services so that user certificates are distributed automatically and transparently to authenticated users. She has asked you to research the possibility of configuring Certificate Services to provide autoenrollment of user certificates. She also wants you to briefly
41
summarize the general requirements and steps to enable autoenrollment of user certificates.
ANSWER A new feature of Windows 2003 is the ability to distribute user certificates through autoenrollment. This means that, depending on the configuration, users will not have to interact with Certificate Services to request or renew certificates. To enable autoenrollment, you must install the CA on either a Windows 2003 Enterprise or Datacenter Server. Autoenrollment for user certificates works only with version 2 certificate templates, which in turn require Active Directory and an enterprise CA. Enabling autoenrollment of user certificates requires that you create a version 2 template of the user certificate, that you configure an enterprise CA to issue autoenrolled user certificates, and that you configure a group policy for domain users who will receive the autoenrolled user certificate.
42
LAB 6:
SECURING THE NETWORK INFRASTRUCTURE THROUGH AN UNDERSTANDING OF TCP/IP TRAFFIC

EXERCISE 6-1: EXAMINING ARP AND ICMP TRAFFIC
Analyzing ARP and ICMP Traffic
16. Select the second instance of ARP_RARP traffic, indicated by the entry in the Description column that displays ARP: Reply, and in the space below, record the following information from the details of the middle pane. FRAME: Total frame length: ETHERNET: Ethernet destination address: ETHERNET: Ethernet source address: ETHERNET: Ethernet type: ARP_RARP: Senders hardware address: ARP_RARP: Senders protocol address: ARP_RARP: Targets hardware address: ARP_RARP: Targets protocol address:
QUESTION Why is the frame length different for the request and the reply? ANSWER The ARP: Reply contains 18 bytes of padding at the end, indicated by the string of 0s. QUESTION What is the relationship between an Ethernet address and a hardware address? ANSWER They are the same. QUESTION What is another name for the hardware address? ANSWER The Media Access Control (MAC) address.
LAB 6: SECURING THE NETWORK INFRASTRUCTURE THROUGH AN UNDERSTANDING OF TCP/IP TRAFFIC
43
QUESTION What are the sizes of the hardware and IP addresses? ANSWER Hardware address, 6 bytes; IP address, 4 bytes. QUESTION What is indicated by a hardware address of FF FF FF FF FF FF? ANSWER This indicates a hardware broadcast address. QUESTION What is the purpose of an ARP request? ANSWER To determine the hardware address for a target IP address by means of a broadcast on the local subnet.
18. Select the second instance of ICMP traffic, as indicated by the entry in the Description column that displays ECHO: Reply; then record the values for the following in the space below. FRAME: Total frame length: ETHERNET: Ethernet destination address: ETHERNET: Ethernet source address: ETHERNET: Ethernet type: IP: Protocol: IP: Fragmentation summary: IP: Time to live: IP: Source address: IP: Destination address:
QUESTION How many ICMP frames are generated (total) as a result of using the Ping command? Hint: In the top pane, count the number of rows that display ICMP in the Protocol column. ANSWER Eight frames: four frames for Echo: From, and four for Echo: Reply.
44
QUESTION Why do the Ethernet source and destination addresses need to be present? ANSWER On Ethernet (and other) networks, hosts communicate with one another by means of hardware addresses. QUESTION At what layer of the OSI model is ICMP implemented? ANSWER The network layer (Layer 3). QUESTION What is the meaning of an IP fragmentation summary value of 0? ANSWER A summary value of 0 indicates that the packet is complete and has not been fragmented. QUESTION What does the IP Time To Live value indicate? ANSWER The IP Time To Live value indicates the maximum number of router hops that the IP datagram will make before it is dropped from the network.
24. From the Capture menu, select Stop And View. In the Microsoft Network Monitor capture summary, note that a number of IP packets follow immediately after the ICMP packets and that Protocol = ICMP appears in the Description column, as shown in the figure below.
45
GL06XX03
QUESTION How many packets are associated with the first Echo: From packet? ANSWER Six additional IP packets are associated with the first Echo: From packet.
25. In the Microsoft Network Monitor capture summary, double-click the first instance of ICMP traffic, as indicated by the entry in the Description column that displays ECHO: From; expand the elements in the middle pane as appropriate; and then record the values for the following in the space below. FRAME: Total frame length: IP: Total length: IP: Fragmentation summary: IP: Fragment offset:
QUESTION What does the Total Frame Length value represent? ANSWER It represents the maximum allowable size of the Ethernet frame.
46
QUESTION Why does the IP Fragmentation summary list a value other than 0? ANSWER It indicates that the significant bits have been set for IP fragmentation. QUESTION What does the Fragment Offset value in this packet indicate? ANSWER The first Fragment Offset value is 0, indicating it is the first fragment of the datagram.
26. Select the remaining IP packets associated with the Echo: From packet; record the total IP length for each of them; and then add the values.
QUESTION What is the sum of the Total IP Length values? ANSWER They total approximately 10,000 bytes.
EXERCISE 6-2: EXAMINING THE ARP CACHE

Verifying the Default Gateway Configuration
12. Examine the ARP protocol traffic in the capture summary, and in the space below record the MAC address of the configured default gateway of your computer. MAC address of default gateway:
QUESTION Why is the ARP traffic querying for the hardware address of the configured default gateway, rather than trying to resolve the 172.16.100.30 IP address to a MAC address? ANSWER When the IP address of the target host is on a remote network, the client needs to communicate with the default gateway on its local subnet.
47
Viewing the Effects of Static Entry on the ARP Cache

11. From the Capture menu, select Stop And View.
QUESTION Why dont you see any ARP traffic in the capture summary? ANSWER Because there is a mapping for the IP address of the default gateway in the ARP cache, the computer does not try to discover the physical address associated with the default gateway. QUESTION Why dont you see any ICMP responses from the configured default gateway? ANSWER Your computer is using an incorrect Ethernet destination MAC address, which is different from the default gateways MAC address. The default gateway will not respond. QUESTION If your computer had an incorrect entry for the default gateway in its ARP cache, would it be able to communicate with computers on a remote network? Why or why not? ANSWER Your computer would not be able to communicate with hosts on a remote network because it cannot communicate with the default gateway.
EXERCISE 6-3: EXAMINING DNS TRAFFIC

Analyzing DNS Query Traffic
7. In the Microsoft Network Monitor capture summary, double-click the first instance of DNS traffic, as indicated by the entry in the Description column that displays Std Qry For. Expand the elements in the middle pane as appropriate, and use the details of the captured frame to answer the following questions:
48
QUESTION What transport layer protocol is used for DNS queries? ANSWER UDP. QUESTION What is the destination port number for DNS queries? ANSWER UDP port 53. QUESTION Why is the source port listed as Unknown in the summary information? ANSWER It is a randomly assigned port number above 1024; that is, it is not a well-known port number. (UDP and TCP ports from 11024 have assigned values.) QUESTION What entries are listed under the DNS Question section of the packet, and what is their significance? ANSWER The DNS question name, along with the DNS question type and class, comprise the DNS query that is made to the DNS server.
8. In the Microsoft Network Monitor capture summary, select the second instance of DNS traffic, as indicated by the entry in the Description column that displays Std Qry Resp. Use the details of the captured frame to answer the following questions.
QUESTION What is the destination port for the DNS query response? ANSWER The destination port is the UDP port specified as the source port in the initial DNS request. QUESTION What is the source port for the DNS query response? ANSWER UDP port 53.
49
QUESTION What additional DNS section does the reply contain? ANSWER It contains an answer section. QUESTION What is the significance of the DNS Time To Live value? ANSWER The DNS Time To Live value indicates how long the record can be cached by the DNS requestor.
Analyzing DNS Zone Transfer Traffic

8. In the Microsoft Network Monitor capture window, double-click the first instance of DNS traffic, as indicated by the entry in the Protocol column that displays DNS. Use the details of the captured frame to answer the following questions.
QUESTION What transport layer protocol is used for DNS in this instance? ANSWER TCP. QUESTION What is the destination port for the transport layer protocol? ANSWER TCP port 53.
10. In the center frame of the Network Monitor capture window, expand TCP: Control Bits, and then record the values for the following fields in the space below. TCP: Sequence Number: TCP: Acknowledgement Number: The figure below shows you where to locate the Sequence Number and Acknowledgement Number fields.
50
GL06XX05
QUESTION In the captured frame, what does S stand for? Hint: Look in the TCP Flags entries for a field where the bit is set to 1. ANSWER It stands for synchronization, also known as SYN. QUESTION What is the purpose of the TCP Option Type and the TCP Option Length? ANSWER These options determine the maximum segment size that the sender wants to receive in reply to the packet.
11. Select the next TCP frame immediately below the one you examined in step 10 that displays Control Bits: .A..S. in the Description column, expand the appropriate objects, and then record the values for the following fields in the space below. TCP: Sequence Number: TCP: Acknowledgement Number:
51
QUESTION In the captured frame, what does A stand for? Hint: Look in the TCP Flags entries for a field where the bit is set to 1. ANSWER It stands for acknowledgement, also known as ACK.
14. Select the remaining DNS frames in sequence, and note their TCP: Sequence Number and TCP: Acknowledgement Number. You should note that a SYN flood attack exploits the mechanism that TCP uses to establish a session between two computers. In a SYN flood attack, the client computer sends a SYN request to the server, and the server subsequently sends a SYN-ACK to the client. However, instead of responding with an ACK, the client sends another SYN request to the server. This causes multiple half-open connections on the server, as the server waits for responses that never arrive to the SYN-ACK messages. If enough resources are consumed by the half-open connections, the result is a denial of service (DoS) attack.
QUESTION What is the purpose of the TCP frames you examined in steps 1012? ANSWER They synchronize sequence numbers for TCP transmissions in order to establish a session between hosts. Once the session has been established through the exchange of sequence numbers and acknowledgements, the TCP data segments are sent and acknowledged sequentially, using the sequence numbers to ensure correct delivery. QUESTION Collectively, the frames you examined in steps 1012 are commonly referred to as what? ANSWER Collectively, the frames are commonly referred to as a three-way handshake.
15. Select the last instance of DNS traffic, as indicated by the entry in the Description column that displays Std Qry Resp, and expand the DNS
52
elements in the middle pane, as shown below.
GL06XX06
Review the details of the captured frame and then answer the following questions.
QUESTION What is the DNS Question Type? ANSWER Request for zone transfer. QUESTION What DNS records are listed in the DNS Answer section? ANSWER All the records for the contoso.com DNS domain name space.
53
EXERCISE 6-4: EXAMINING FTP TRAFFIC

Analyzing FTP Traffic
10. Immediately above the FTP frame, double-click the first frame that displays TCP in the Protocol column and Control Bits: .S in the Description column, as shown below.
GL06XX07
This frame is the beginning of the three-way handshake to establish the TCP connection for FTP.
QUESTION What are the source and destination ports that are listed in this frame? ANSWER The source port will be some value over 1024; the destination port is TCP port 21.
54
11. In the capture summary, double-click the first frame that displays FTP in the Protocol column.
QUESTION What is the relationship between the source and destination ports listed in this frame and the source and destination ports listed in the frame you looked at in step 10? ANSWER The source port for this frame is the destination port in the previous frame, and the destination port for this frame is the source port in the previous frame.
19. Switch to Network Monitor, and then select the frame that displays Data transfer to client in the Description column, as shown below.
GL06XX09
QUESTION What are the source and destination ports in this frame? ANSWER The source port is TCP port 20. The destination port is the same as the value that you calculated in steps 1518. QUESTION How did the remote FTP service know which port to use to transfer the data to the client computer? ANSWER The client informed the FTP service to establish the connection on this port in the frame you looked at in step 12.
55
EXERCISE 6-5: CLASSIFYING ATTACKS BY OSI LAYER

In this exercise, you will work with your lab partner to complete the following paper-based exercise. In the table below, the column on the left indicates a particular kind of attack. For this exercise, complete the column on the right by indicating the primary layer of the OSI model where the attack occurs and a brief description of the attack. Be prepared to discuss the reasons for your classification. Beginning at the bottom, the seven layers of the OSI model are physical, data-link, network, transport, session, presentation, and application.
ANSWER
Attack OSI Layer
Eavesdropping (sniffing)
Ping of death attack
ARP poisoning
Malformed URLs
Port scan attack
SYN flood attack
Physical layer (Layer 1). The attacker must have access to the network cabling or wireless signal to listen to network traffic. Network layer (Layer 3). ICMP is implemented at the network layer. This attack no longer works except on the oldest systems. The target system is pinged with a packet that exceeds the maximum allowable size for a data packet (65,536 bytes). Network layer (Layer 3). ARP is implemented at the network layer. However, MAC addressing is implemented at the data-link layer, so another possible answer is the data-link layer (Layer 2). Application layer (Layer 7). HTTP is implemented at the application layer. By sending malformed URLs to a Web server, the attacker attempts to exploit Web server vulnerabilities. Transport layer (Layer 4). UDP and TCP ports are implemented at the transport layer. In a port scan attack, an attacker scans a target system for open and vulnerable UDP and TCP ports. A port scan attack is often performed as preparation for an active attack. Transport layer (Layer 4). The SYN flag occurs within TCP, which is implemented at the transport layer. In a SYN attack, the attacker sends a large number of multiple synchronization requests that contain bad or spoofed source IP addresses. The client system responds with SYN/ACK replies and waits for replies that never arrive, consuming valuable system resources.
56
Attack
OSI Layer
Source route attack ICMP flood attack
Spam attack
Overlapping fragment attack
Network layer (Layer 3). IP provides routing and is implemented at the network layer. Network layer (Layer 3). ICMP is implemented at the network layer. The target system is flooded with ICMP packets. Application layer (Layer 7). A spam attack occurs when a large volume of unsolicited SMTP mail is sent to the target system. SMTP is implemented primarily at the application layer. Network layer (Layer 3). This attack exploits a vulnerability in the reassembly of packets in which the first IP fragment contains harmless data, but subsequent IP fragments with non-zero offsets overlap TCP header information and cause it to be modified. Fragmentation and reassembly are implemented as part of the IP protocol specification and are implemented at Layer 3.

1. Why must switches be protected in physically secure areas?
ANSWER If an attacker has physical access to a switch, he can corrupt the ARP cache, causing either a DoS attack or theft of data.
2. As a result of a hardware failure, you had to replace a network interface adapter on a computer that is connected to the network through a switch. Now the computer cannot communicate on the network, even though the IP address configuration is correct. What is the problem?
ANSWER The switch probably has not updated its ARP cache, and this is preventing communication with the new network interface adapter.
3. Briefly describe the difference between UDP and TCP.

ANSWER UDP is a connectionless protocol that does not guarantee error-free transmission of data. TCP is a connection-oriented protocol that guarantees correct end-toend transmission of data. TCP has considerably more overhead than UDP.
57
4. Why is it necessary to fragment IP data in some instances?

ANSWER The maximum frame size allowed on the network determines whether IP data needs to be fragmented. The maximum frame size is determined by the physical media and devices, such as routers, that the data has to traverse. If the IP data, including header information, cannot fit into a single frame, it will be fragmented.
5. Why is it a security risk to allow a DNS server to accept incoming connections on TCP port 53 from any host?
ANSWER TCP port 53 is used for transferring zone data; that is, the entire set of DNS records within the DNS zone. Attackers can use this information to footprint the network and subsequently gain sensitive information about computers and the organization itself.
6. Your organization wants to buy a new firewall to protect servers and applications that are running in your demilitarized zone (DMZ) and are available to users on the Internet. Some of these applications use secondary ports. What features should you look for in a firewall in relation to these applications?
ANSWER The firewall should be able understand applications that use secondary ports and make the appropriate modifications to the TCP/IP traffic to allow communication across the firewall for these applications, such as FTP.
7. You have an FTP client behind a simple Network Address Translation (NAT) device. You can connect to remote FTP servers, but you cannot transfer data from the FTP server. What is the likely reason for this problem?
ANSWER The most likely reason that data transfers are failing is that the NAT device is not opening ports so that the FTP server can initiate a connection from TCP port 20 to the FTP client. Furthermore, in the FTP request to initiate a data transfer, the internal IP address of the client is embedded in the payload. The FTP server can only connect to the external address of the NAT device; it cannot connect to the internal address of the FTP client.
58
LAB CHALLENGE 6-1: COMPARING AND CONTRASTING FTP TRAFFIC

Your organization has implemented an internal FTP server for use on the intranet. Your manager has been viewing network captures of FTP traffic on the intranet and has noticed two kinds of FTP traffic: the FTP traffic that occurs when users connect using Ftp.exe from the command prompt, and the FTP traffic that occurs when users connect to the FTP site using Microsoft Internet Explorer. Your manager has asked you to confirm her findings and to explain the differences in FTP traffic when users connect to the FTP site using Ftp.exe from the command prompt and using Internet Explorer. She also wants you to determine whether one method (Ftp.exe or Internet Explorer) is more secure than the other. For this lab challenge, you need to use Network Monitor to capture FTP traffic generated when you use Internet Explorer to connect to an FTP site. To connect to an FTP site using Internet Explorer, open Internet Explorer, type ftp://hostname (where hostname is either the host name or fully qualified domain name of the remote FTP server) in the Address box, and press ENTER. When you have finished capturing the traffic, analyze it and be prepared to discuss the differences between FTP data transfers using the PORT and PASV commands. Your instructor might want to evaluate your analysis of FTP PASV traffic. If this is the case, save the captured FTP traffic in Network Monitor as C:\Lab Manual\ Lab 06\Labwork\YourLastName_6-1_PASV.cap (where YourLastName is your last name). Then, open Notepad, and write a couple of brief paragraphs explaining how the PASV command differs from the PORT command and why one method is more secure than the other. Where possible, make references to actual frames recorded in your saved capture. When you have finished your analysis, save the file as C:\Lab Manual\Lab 06\Labwork\YourLastName_6-1_PASV_analysis.txt. Your instructor will provide specific instructions for submitting the files for evaluation.
ANSWER To connect to an FTP site using Internet Explorer, you must type ftp://<remoteftp-site-address in the address box. By default, when a user requests a data transfer, Internet Explorer uses the PASV command rather than the PORT command. The primary difference between the PASV and the PORT commands is how the secondary connection for the data transfer is handled. With normal FTP (that is, FTP using the PORT command), the FTP server initiates the secondary data connection from TCP port 20 to a dynamic port the FTP client opens for transfer of data. Using the PASV command, the FTP client initiates the secondary connection to transfer data from a dynamic port to another dynamic port that the FTP server opens for the data transfer.
59
FTP has a number of vulnerabilities, and its use should in general be avoided. For example, FTP is vulnerable to port theft, where an attacker can connect to the secondary port used for the transfer of data before the legitimate user can. Also, the standard FTP that ships with Microsoft Windows supports only basic authentication as an authentication mechanism, which cannot protect user names and passwords as they traverse the network. This said,PASV FTP is slightly more secure because it uses dynamic ports for transferring data. With normal FTP using the PORT command, the server initiates the TCP connection to the FTP client from a well-known (predetermined) port (TCP port 20). Furthermore, when FTP clients are behind a firewall and must use the PORT command, the firewall administrator must open up a wide range of ports to accept the incoming connection from the FTP server. This presents an unacceptable security risk for the firewall. PASV FTP is a more firewall-friendly protocol because the FTP client initiates the connection for data transfer, and the firewall will usually accept a return connection from the FTP server.
LAB CHALLENGE 6-2: EXPLORING THREATS TO INSTANT MESSAGING TRAFFIC

Although not officially approved at Contoso Pharmaceuticals, instant messaging (IM) has become very popular. Many employees use IM as an alternative to e-mail to communicate with other employees and with other users outside the company. You need to evaluate the security risks inherent in IM traffic. You have captured some IM traffic between two clients and have saved the capture in a file named C:\Lab Manual\Lab 06\ IM_passwords.cap. For this lab challenge, you need to open this file in Network Monitor, analyze the traffic, and answer the following questions. Your instructor might want to evaluate your responses to these questions. If this is the case, open C:\Lab Manual\Lab 06\ Labwork\Lab Challenge 6-2 Questions.doc, record your answers in the file, and save the file as C:\Lab Manual\Lab 06\Labwork\YourLastName_LC6-2_answers.doc (where YourLastName is your last name). Your instructor will provide specific instructions for submitting the file for evaluation. After you have finished answering the questions, your instructor might want to conduct a classroom discussion on your analysis of IM traffic. 1. What protocol is being used to pass the IM text?
ANSWER This particular messenger client uses HTTP.
60
2. What question is being asked in the first frame of the captured traffic?
ANSWER What is the missing formula for RH3?
3. Do any of the frames contain users e-mail addresses? If so, what frames contain e-mail addresses?
ANSWER Yes, a number of frames contain e-mail addresses. The frame numbers that contain e-mail addresses are 5, 11, 14, 15, 17, 19, 21, 23, and 25.
4. Describe how to use the Find feature on the Network Monitor toolbar to search for text strings in the HTTP data.
ANSWER
1. Click Find. 2. In the Property tab, expand HTTP, and then select Data. 3. In the Relation column, select Contains. 4. Select the Hex or ASCII option, and then type the text in the Value box. 5. Click OK.
5. What frame contains the answer to the question posed in the first frame? What is the answer to the question?
ANSWER The answer is found in frame 8: The missing formula is E-Mc2.
6. What question is being asked in frame 14?

ANSWER What is the combination to the lab door?
7. What is the answer?

ANSWER The combination to the lab door is 9999. Dont tell anyone.
8. What particular challenge does this kind of traffic present for the firewall administrator?
ANSWER This IM traffic uses unencrypted HTTP, which most firewalls will allow. To prevent this kind of IM traffic from traversing the firewall, you need to either block HTTP entirely or use a sophisticated firewall that can inspect the data payload of the
61
HTTP traffic and accept or deny the traffic based on the contents of the payload.
9. Assuming the organization has a sufficiently advanced firewall, what HTTP fields can a firewall administrator use to prevent this kind of IM traffic from traversing the firewall?
ANSWER The firewall administrator can block IM traffic that is tunneled through HTTP based on the content contained in the HTTP: User-Agent or HTTP: Content-Type field.
62
TROUBLESHOOTING LAB A:
TROUBLESHOOTING PROBLEMS WITH GROUP POLICY

PART 3: TROUBLESHOOTING APPLICATION OF GROUP POLICY
You have submitted your template to the administrator responsible for the OU where the computer objects are located. The administrator informs you that he has imported the template into a group policy object for the OU and has asked you to verify the correct application of the template through the group policy object. In this part of the lab, you will evaluate the group policy that was applied by the administrator responsible for the OU. You will determine the following: The differences between the security template you created in the first part of this lab and the one that is implemented through a group policy in this part of the lab Whether the computer can provide the appropriate services for the departmental users Documentation is crucial. You will be evaluated not only on your ability to correctly identify any problems and recommend solutions, but also on the processes you used to come to your conclusions. Keep a detailed journal of the tools you used and the processes involved in troubleshooting and resolving problems with the group policy. Your journal should also note the reasons for the solutions you propose. You can use the worksheet provided in the Troubleshooting LabA folder as the basis of this journal, or you can use the worksheet as an alternative to the journal. Your instructor might require that you submit your journal or worksheet for evaluation. If this is the case, your instructor will provide you with instructions for submitting the journal or worksheet.
TIP To help you troubleshoot problems created by the application of a new group policy, you should keep in mind the tools related to group policy that you have learned about in previous labs. ANSWER For Part 1 of this lab, answers will vary somewhat, but the template file that students create should, for the most part, be similar to the Setup Security.inf template. A sample answer file, named TroubleShootingLabA Part1 Answer.inf, has been provided for you in the \Answers Guide directory on the Instructor CD. The table below shows where the TroubleShootingLabA Part1 Answer.inf template differs from the Setup Security.inf template.
TROUBLESHOOTING LAB A: TROUBLESHOOTING PROBLEMS WITH GROUP POLICY
63
Policy setting
Troubleshooting Lab A, Part 1 Settings
Setup Security.inf Template Settings
Audit account logon events Audit account management Audit directory service access Audit logon events Audit object access Audit policy change Audit privilege use Audit system events Access this computer from the network Allow log on locally Deny access to this computer from the network Shut down the system Devices: Unsigned driver installation behavior Interactive logon: Do not display last user name Interactive logon: Message text for users attempting to log on
Success, Failure Success, Failure Success, Failure Success, Failure Success, Failure Success Success, Failure Success Administrators, Authenticated Users Administrators, Backup Operators, Power Users ANONYMOUS LOGON, Guests Administrators Do not allow installation Enabled Unauthorized access is prohibited. If you are not an authorized user, do not attempt to log on. LEGAL NOTICE: Authorized Users Only
Success No auditing No auditing Success No auditing No auditing No auditing No auditing Backup Operators, Power Users, Users, Administrators, Everyone Backup Operators, Power Users, Users, Administrators
Backup Operators, Power Users, Administrators Warn but allow installation Disabled
Interactive logon: Message title for users attempting to log on Network security: Do not Enabled Disabled store LAN Manager hash value on next password change Network security: LAN Send NTLMv2 response only, Send NTLM response only Manager authentication Refuse LM and NTLM level
64
Policy setting
Troubleshooting Lab A, Part 1 Settings
Setup Security.inf Template Settings
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients Network security: Minimum session security for NTLM SSP based (including secure RPC) servers Shutdown: Clear virtual memory pagefile ANSWER
Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption Enabled
No minimum
No minimum
Disabled
In Part 2 of this lab, students can use either Resultant Set of Policy (RSoP) or Security Configuration And Analysis to determine what might be wrong with the group policy that is applied to the ClassroomServers OU. Security Configuration And Analysis is particularly useful for troubleshooting group policy; by using this tool, students can compare the actual computer settings that are applied to the computer with the settings in the template file they created in Part 1 of this lab. The table below shows where the ideal settings in the TroubleShooting Lab A Answer.inf template file differ from the settings that are actually applied through the group policy object. In addition to determining the improper policy settings listed below, students need to also determine that the group policy has disabled a number of services related to Microsoft Internet Information Services (IIS). In particular, both the Web Publishing Service and the HTTP Secure Sockets Layer (SSL) services have been disabled. In their answers, students should give some indication that either or both of these services have been disabled.
Troubleshooting Lab A: Answer.inf setting Troubleshooting Lab A: Break.inf setting
Policy
Audit account logon events Audit account management Audit directory service access Audit logon events Audit object access Audit policy change Audit system events
Success, Failure Success, Failure Success, Failure Success, Failure Success, Failure Success Success
Success Success Success Success Failure Failure No auditing
TROUBLESHOOTING LAB A: TROUBLESHOOTING PROBLEMS WITH GROUP POLICY
65
Policy
Troubleshooting Lab A: Answer.inf setting
Troubleshooting Lab A: Break.inf setting
Allow log on locally Shut down the system Interactive logon: Do not display last user name Network security: LAN Manager authentication level Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Administrators, Backup Operators, Power Users Administrators Enabled
Backup Operators, Administrators Backup Operators, Power Users, Administrators Disabled
Send NTLMv2 response only, Send NTLMv2 response only, Refuse LM and NTLM Refuse LM No minimum
Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption Network security: Minimum Require message integrity, Require message session security for NTLM SSP based (including secure confidentiality, Require NTLMv2 session security, RPC) servers Require 128-bit encryption Shutdown: Clear virtual Enabled memory pagefile
No minimum
Disabled
66
LAB 7:
SECURING COMMUNICATIONS
EXERCISE 7-1: CONFIGURING RRAS FOR REMOTE COMMUNICATIONS
Verifying Server Permissions for Enabling RRAS on a Member Server
7. Verify that your computer is listed in this group.
QUESTION By virtue of this configuration, all member servers in the classroom are members of the RAS And IAS Servers group. Why would this configuration be inappropriate in a production environment? ANSWER It is a good security practice to limit the number of services running on your network. By placing unnecessary servers in the RAS And IAS Servers group, you are potentially increasing the attack surface of your network if local administrators set up unauthorized RRAS servers that can authenticate domain accounts.
Configuring a VPN Client Connection Object

10. On the Connection Computeryy Properties page, select the Security tab.
QUESTION What are the default security settings for the VPN connection object? ANSWER The Security settings are Require Secured Password and Require Data Encryption (Disconnect If None).
LAB 7: SECURING COMMUNICATIONS
67
12. In the Advanced Security Settings dialog box, click the Data Encryption drop-down list and examine the choices, but do not change any of the settings.
QUESTION What is the most secure setting for data encryption? ANSWER The most secure setting is Maximum Strength Encryption (Disconnect If Server Declines).
16. In the Connect To Computer01 dialog box, type vpnuserx (where x is your student number) in the User Name box, type P@ssw0rd in the Password box, and then click Connect. The connection attempt fails.
QUESTION What error message did you receive? ANSWER The error message is Error 649: The Account Does Not Have Permission To Dial In.
19. In Event Viewer, click the System log, and then double-click the system event that displays 20189 in the Event ID column.
QUESTION What configuration changes do you need to make to enable remote access permissions for the user account? ANSWER You must grant the account remote access permissions through the properties of the Active Directory account object or through a remote access policy.
68
Examining Remote Access Permissions and Configuring Remote Access Policies

3. On the VPNUserx Properties page, select the Dial-In tab. The Dial-In page fails to load.
QUESTION Why did the Dial-In page fail to load? ANSWER Only domain administrators have the appropriate permissions to modify the dialin properties of users. Even members of the Account Administrators group do not have sufficient permissions to modify dial-in properties.
6. Review the following figure that shows the default dial-in settings for user accounts, and then answer the questions that follow.
GL07XX03
QUESTION Without changing the default settings of the dial-in user account, how would you grant the user remote access permissions? ANSWER You would grant the user remote access permissions through a remote access policy.
69
QUESTION The dial-in properties include a setting for assigning a static IP address. Why would it be useful to assign a static IP address to a remote user? ANSWER Answers will vary. From the point of view of security practices, it is useful to assign a static IP address to a dial-in user to make it easier to audit the users actions.
9. In the details pane, double-click the Connections To Microsoft Routing And Remote Access Server policy.
QUESTION What is the action if the connection request matches the policy conditions? ANSWER The default action is to deny access.
11. In the details pane, double-click the Connections To Other Access Servers policy.
QUESTION What are the policy conditions for denying remote access? ANSWER Connection requests will be denied based on the time of day. This policy will deny any connection request made at any time.
23. Click Start, select Connect To, click Computeryy (where yy is two-digit version of your partners student number), type vpnuserx (where x is your student number) in the User Name box, type P@ssw0rd in the Password box, and then click Connect.
QUESTION What can you infer about how remote access policies are processed? ANSWER Remote access policies are processed in order from top to bottom. As soon as a remote access policy condition is met, the processing of remote access policies stops.
70
25. At the command prompt, type ipconfig /all and then press ENTER.
QUESTION How many IP addresses are on your computer? What are they? ANSWER If only you have established a VPN connection with your partners computer, you should see two IP addresses on your computer: one for the network adapter, and one for the outbound Remote Access Service (RAS) connection. If both you and your partner have established a VPN connection with each others computers at the same time, you will see an additional address for the inbound RAS connection.
27. At the bottom of the output of the Route.exe command, identify the IP address that is listed as the default gateway.
QUESTION What IP address is listed as the default gateway? ANSWER The IP address used for the RAS connection.
30. On the Computeryy Status page, select the Details tab, and then review the information.
QUESTION What authentication method is being used? What is the encryption strength? ANSWER The authentication method is Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2). The encryption strength is 128 bits, using Microsoft Point-to-Point Encryption (MPPE).
EXERCISE 7-2: COMPARING PPTP WITH L2TP/IPSEC

Installing Computer Certificates on the L2TP Client and Server
3. In the details pane on the right-hand side of the MMC console, note the entries in the Intended Purposes and Certificate Template columns.
QUESTION What entries are in the Intended Purposes and Certificate Template columns? ANSWER Server authentication is the entry in the Intended Purposes column. Web Server is the entry in the Certificate Template column.
71
9. In the Completing The Certificate Request Wizard page, review the information, click Finish, and then click OK.
QUESTION What are the intended purposes of the newly created certificate? ANSWER Client authentication and server authentication.
Examining L2TP/IPSec Security Associations by Using IP Security Monitor

3. In the tree pane, expand IP Security Monitor, expand Computerxx (where xx is the two-digit version of your student number), expand Main Mode, and then click Security Associations, as shown below.
GL07XX04
QUESTION What is listed in the Authentication column in the details pane? ANSWER Certificate (RSA Signature ). QUESTION What security method is used for encryption? ANSWER Triple DES (3DES) is used for encryption.
72
QUESTION What security method is used for integrity? ANSWER Secure Hash Algorithm (SHA-1) is used for integrity.
4. In the tree pane, expand Quick Mode, and click Security Associations.
QUESTION What protocol and ports are used? ANSWER User Datagram Protocol (UDP) port 1701. QUESTION What security method is listed for Encapsulating Security Payload (ESP) confidentiality? ANSWER 3DES is used for encryption. QUESTION What security method is used for ESP integrity? ANSWER Hash Message Authentication CodesMessage Digest 5 (HMAC-MD5) is used for ESP integrity.
Comparing PPTP and L2TP/IPSec Traffic

3. In the Microsoft Network Monitor capture summary, locate and doubleclick the first row (Ethernet frame) that displays PPTP in the Protocol column.
QUESTION What transport protocol and what destination port number are used for PPTP? ANSWER Transmission Control Protocol (TCP) is the transport protocol, and 1723 is the port number.
73
4. Locate and select the first frame that displays LCP in the Protocol column, and then highlight IP Protocol in the middle pane.
QUESTION What IP protocol type is used in this frame? Hint: Look at the description immediately to the right of IP: Protocol = ANSWER General Routing Encapsulation (GRE).
5. Locate and click the first frame that displays PPPCHAP in the Protocol column; then in the middle pane, expand the PPPCHAP row; and then click the PPPCHAP: Data row. In the bottom pane, note the information that is highlighted.
QUESTION What information is sent in clear text in this frame? ANSWER The name of the computer initiating the PPTP connection.
6. Locate and examine other instances of frames that display PPPCHAP in the Protocol column.
QUESTION What other information is sent in clear text in these frames? ANSWER The user name of the account used to initiate the PPTP connection.
7. Locate and examine the frames that display PPP in the Protocol column and MPPE/MMPC in the Description column.
QUESTION What do these frames represent? ANSWER These frames contain the data that is encrypted by MPPE and that is encapsulated within the GRE protocol.
74
10. In the Microsoft Network Monitor capture summary, locate and doubleclick the first frame that displays ISAKMP in the Protocol column.
QUESTION What transport protocol and destination and source port number are used for ISAKMP? ANSWER UPD is the transport protocol, and 500 is the port number.
11. In the same frame that you selected in step 10 above, in the middle pane, expand the ISAKMP row, and scroll down to the bottom of the middle pane.
QUESTION What are the ISAKMP payload types listed in this frame? ANSWER Security Association and Vendor ID.
12. Examine other frames that display ISAKMP in the Protocol column.
QUESTION Name at least four other ISAKMP payload types. ANSWER Some of the ISAKMP payload types include Key Exchange, Nonce, NAT Discovery, Certificate Request, and Fragment.
13. Locate and click the first frame that displays ESP in the Protocol column.
QUESTION What does ESP stand for, as indicated in the IP datagram? ANSWER Encapsulating Security Payload for IPSec. QUESTION What is contained within the ESP payload? ANSWER The ESP payload contains the encrypted data that is transmitted between the VPN client and server.
75
14. Scan the remaining frames in the capture of L2TP data.

QUESTION Do you see any frames indicating the use of the Challenge Handshake Authentication Protocol (CHAP) or the Point-to-Point Protocol (PPP)? ANSWER No. These protocols are used, but they are encrypted.
EXERCISE 7-3: USING RADIUS AUTHENTICATION

Configuring the RADIUS Server
3. On the Internet Authentication Service (Local) Properties page, note the settings on the General tab, and then select the Ports tab.
QUESTION What ports are used for RADIUS authentication and accounting? ANSWER RADIUS authentication uses ports 1812 and 1645 for authentication and ports 1813 and 1646 for accounting.
Configuring a RADIUS Client

14. In the tree pane of the RRAS console, note that the Remote Access Policies and Remote Access Logging nodes are removed upon restart of the RRAS service.
QUESTION Why are the Remote Access Policies and Remote Access Logging nodes removed? ANSWER The Remote Access Logging and Remote Access Policies nodes are removed because the RADIUS server, not the RRAS server, is now responsible for authentication and accounting.
76
Testing RADIUS Authentication

4. Examine the entries in the log file and then close Notepad. If you do not see the log file in the directory, open the C:\Lab Manual\ Lab 07\IN040606.log sample file, and then proceed to step 4.
QUESTION In general, what information is recorded in the log file? ANSWER Authentication and accounting requests received from RRAS servers.
EXERCISE 7-4: EXAMINING WIRELESS SETTINGS FOR 802.1X AUTHENTICATION

Configuring RADIUS for 802.1x Authentication
21. On the Completing The New Remote Access Policy Wizard page, click Finish.
QUESTION If the classroom had an 802.1x-capable WAP, what would you do next to complete the RADIUS configuration? ANSWER The WAP would need to be configured with the appropriate RADIUS client settings.
Examining Wireless Group Policy Settings

11. In the New Preferred Settings dialog box, type WAP-01 in the Network Name (SSID) box, ensure that the Data Encryption (WEP Enabled) and The Key Is Provided Automatically check boxes are selected, and then select the IEEE 802.1x tab.
NOTE The service set identifier (SSID) is analogous to a network name. Generally, a WAP should be configured to not broadcast this name. When a WAP is configured not to broadcast the SSID, the wireless-enabled computers must be configured in advance with the SSID. The 802.1x protocol provides a delivery mechanism for WEP keys, so the check box that indicates the key is provided automatically must be selected.
77
QUESTION What does WEP stand for? ANSWER Wired Equivalent Privacy.
EXERCISE 7-5: USING IPSEC

Configuring an IPSec Policy with a Rule to Block Traffic
18. In the New Rule Properties dialog box, click OK.
QUESTION If this IPSec policy were to be activated (assigned) at this point, could this computer communicate with other computers? ANSWER In general, this computer would not be able to communicate with other computers if the policy were activated (assigned) because the filter action for the rule is to block all IP traffic. However, Internet Key Exchange (IKE) traffic, which is required to negotiate IPSec security, is exempt from filtering.
Assigning and Testing IPSec Policies

5. Switch to the IPSec Tools console, expand IP Security Monitor, expand Computerxx (where xx is the two-digit version of your student number), expand Main Mode, and then click Security Associations.
QUESTION Do you see a security association with your partners computer? ANSWER Yes. If the IPSec policies have been configured correctly, you should see a security association.
78
6. Switch to the command prompt, type ping computerzz -n 10 (where zz is the number of another student computer in the classroom), and then press ENTER.
QUESTION Was the ping successful? Why or why not? ANSWER The computer with the default Client (Respond Only) IPSec policy assigned can ping the other classroom computer. The computer with the custom High Security Research Workstation IPSec policy will receive this message: Destination Host Unreachable. The reason for this is that all IP traffic to hosts other than the specific research workstation is blocked by the IPSec policy.

1. Which protocol, PPTP or L2TP, provides greater security? Explain your answer.
ANSWER L2TP provides better security than PPTP. One reason that PPTP is less secure is that information such as the user name and computer name is passed in clear text during the authentication process. Furthermore, PPTP can be vulnerable to password cracking if weak passwords are used. With L2TP/IPSec, the ESP encryption is established before user authentication information is transmitted across the wire, which means that user names and computer names dont cross the wire in clear text.
2. Which protocol, PPTP or L2TP, is more efficient for transmitting data? Provide reasons for your answer.
ANSWER L2TP/IPSec is less efficient for transmitting data because it uses more overhead for the encryption than PPTP does.
3. Why is it important to use strong passwords if you are using PPTP?

ANSWER During the CHAP authentication process, the user name is passed in clear text. And, although the password is not transmitted, a hash of the password is transmitted. Weak passwords are potentially vulnerable to being cracked in these circumstances.
79
4. What are some of the advantages of using RADIUS authentication for VPN or dial-in access?
ANSWER Two primary advantages of using RADIUS are centralized authentication and centralized accounting. When RADIUS is not used, each RAS server can be considered a kind of authentication island, requiring the administrator to define dial-in policies and conditions on each RRAS server. Also, the administrator must consult RRAS logs on each server for troubleshooting and security auditing. By reducing administrative effort, RADIUS also helps to enhance security.
5. In the 802.1x configuration, you specify that the keys are provided automatically. What keys are provided automatically, and what are some of the advantages of providing these keys automatically?
ANSWER The keys that are provided automatically are WEP keys. One advantage of distributing the keys automatically is that the users do not have to manually enter keys. This eliminates problems that result from user error. More importantly, security of the keys is greatly enhanced because the keys are transmitted over a secure channel, which helps to eliminate problems resulting from intentional or unintentional disclosure of keys to unauthorized third parties.
6. Can an IPSec policy contain multiple rules?

ANSWER Yes. A key to understanding IPSec policies is that a single IPSec policy can consist of one or more rules.
7. What are the three possible IPSec filter actions?

ANSWER The three possible filter actions are Permit, Block, and Negotiate Security.
8. How many IPSec filter lists can be applied to an IPSec rule?

ANSWER Only a single IPSec filter list can be applied to a rule. However, the filter list can comprise a number of packet filter configurations that match incoming or outgoing traffic.
9. How can you protect the traffic between a dial-in server and a RADIUS server?
ANSWER You can protect the traffic with IPSec.
80
LAB CHALLENGE 7-1: CONFIGURING REMOTE ACCESS POLICIES

You are an administrator responsible for configuring remote access polices for employees of your company. A number of employees are sales personnel who often work out of the office. When the sales personnel come into the office, they sit at any available cubicle in a designated area. Because this area does not have enough network ports for the maximum number of sales personnel who can be there at any one given time, your company implemented a wireless network that uses 802.1x authentication. All sales personnel have laptop computers that they bring to the office and take to sales meetings outside the office. Your company wireless access policy stipulates that only members of the SalesStaff group can access the wireless network. Access to the wireless network is allowed only between the hours of 7:00 A.M. and 6:00 P.M. on weekdays. A group called SalesManagers is a member of the SalesStaff group. Members of the SalesManager group have assigned offices and should not have access to the wireless network. Your company remote access policy stipulates that PPTP VPN access is allowed at all times, but only to members of the SalesStaff group. The VPN connection must use the strongest authentication method possible and no less than 128-bit encryption. If the VPN connection is idle for more than five minutes, it must be disconnected by the server. A group named SalesTrainees is a member of the SalesStaff group. Members of this group should not have remote access permissions, either to establish a VPN connection or to use the wireless network. For this lab challenge, in the Employeesx OU (where x is your student number), create the appropriate groups and configure remote access policies on the RADIUS server that you configured in Exercises 7-3, Using RADIUS Authentication, and 7-4, Examining Wireless Settings for 802.1x Authentication. The remote access policies should implement the requirements described in this scenario.
TIP You can use the remote access policies you created in earlier exercises. ANSWER To complete this challenge, you must understand the order in which remote access policies are processed. When a match is found, processing stops on the remote access policies. You first have to create a remote access policy at the top of the policy list that denies access to the Windows group SalesTrainees. No other condition should be specified. The next remote access policy on the list should be for VPN connections. The policy condition should grant access when the NAS-Port-Type matches VPN and the
81
Windows Group is equal to SalesStaff. The profile of the policy should be set to disconnect the session if it is idle for more than five minutes. The authentication method should be set to MS-CHAPv2, and only the check box for strongest encryption (128-bit MPPE) should be selected. The next remote access policy should be one that denies access to SalesManagers. No other condition should be specified. The final remote access policy should be one that allows access to the wireless network for the SalesStaff group between the hours of 7:00 A.M. and 6:00 p.m. This remote access policy includes three policy conditions: The NAS-Port-Type matches the wireless network types, and The Windows group is equal to SalesStaff, and The time of day is between 7:00 A.M. and 6:00 P.M. on weekdays The effect of the policy conditions is that only members of the SalesStaff group who connect to the network with a wireless device between the hours of 7:00 A.M. and 6:00 P.M. will be granted access.
82
LAB 8:
SECURING NETWORK APPLICATIONS

EXERCISE 8-1: EXAMINING WEB BROWSER SECURITY SETTINGS
Comparing Internet Explorer Enhanced Security Configuration Settings
7. Scroll through the option settings in both Internet Options dialog boxes, note the differences, and then answer the following questions. To view brief explanations of any of these settings, click the question mark in the upper-right hand corner of the dialog box, drag the mouse cursor to the option setting, and then click it.
QUESTION What happens when Check For Server Certificate Revocation (Requires Restart) is enabled? ANSWER When this setting is enabled, the Web browser will check to see if the server's certificate that is used to encrypt HTTP traffic and verify the server's identity has been revoked by the issuing certification authority (CA) before accepting it. QUESTION What is the effect of selecting the Enable Install On Demand (Internet Explorer) option? ANSWER If this setting is enabled, components will be automatically downloaded and installed if a Web page requires them.
8. In both Internet Options dialog boxes, select the Security tab, and then compare the respective security level settings for each of the Web content zones.
QUESTION What is the difference in security level settings for the Internet and Trusted Sites zones between both instances of Internet Explorer? ANSWER In the Enhanced Security Enabled configuration, the security level settings for the Internet and Trusted sites zones are High and Medium, respectively. In the Enhanced Security Disabled configuration, the security level settings for the Internet and Trusted Sites zones are Medium and Low, respectively.
LAB 8: SECURING NETWORK APPLICATIONS
83
9. In the instance of Internet Explorer that is enabled for Enhanced Security, select Local Intranet, and then click Custom Level; in the Settings dialog box, scroll to the bottom and locate the settings for User Authentication. Note the settings.
QUESTION What is the setting for User Authentication Logon? ANSWER Anonymous Logon.
13. In the Security tab, ensure that Local Intranet is still selected, click Custom Level, and review the settings for User Authentication.
QUESTION What is the setting for User Authentication Logon? ANSWER Automatic Logon Only In Intranet Zone.
15. Click the Internet zone, and then click Custom Level. Note the settings.
QUESTION What is the setting for User Authentication Logon? ANSWER Anonymous. QUESTION If the setting were changed to Automatic Logon With Current Username and Password, what would happen when a user connected to a site that required NTLM authentication? ANSWER The authentication credentials would be sent automatically.
84
EXERCISE 8-2: COMPARING BASIC WITH INTEGRATED AUTHENTICATION

Configuring Virtual Directories for Basic and Integrated Authentication
11. Read the warning that appears in the IIS Manager dialog box, and then click Yes.
QUESTION Why does the warning not apply to Hypertext Transfer Protocol Secure (HTTPS) connections? ANSWER The warning does not apply to HTTPS connections because the authentication information is sent over an encrypted channel.
16. In the Authentication Methods page, clear the Enable Anonymous Access check box, click OK, and then click OK again to close the Integrated Properties dialog box.
QUESTION What authentication methods are selected by default when you create a virtual directory? ANSWER Anonymous and Windows Integrated Authentication are selected by default.
85
Capturing and Analyzing Basic and Integrated Authentication by Using Network Monitor
12. In the Microsoft Network Monitor capture summary screen, double-click the first frame that displays Status Code 401 in the Description column, expand HTTP in the middle pane (as shown below), and then examine the details of the HTTP payload.
GL08XX04
QUESTION What is listed as the authentication method? ANSWER HTTP: WWW-authenticate = Basic realm = computeryy
14. With HTTP: GET Request From Client expanded in the middle pane, locate the header field labeled HTTP: Authorization and examine the contents of the field.
QUESTION What does this field contain? ANSWER This field contains an alphanumeric string that represents the Base64 encoded user name and password used to log on to the virtual directory.
86
15. In the top pane, immediately below the frame you examined in step 14, select the first frame that displays Status Code = 200.
QUESTION What does a status code of 200 indicate? ANSWER A status code of 200 indicates that the connection to the Web page is successful.
16. In the top pane, immediately below the frame you examined in step 15, select the frame that displays Status Code 401 in the Description column; in the middle pane, ensure that HTTP: Response To Client is expanded; and then locate the two fields that are labeled HTTP: WWWAuthenticate.
QUESTION What authentication methods are listed in the HTTP payload? ANSWER HTTP: WWW-authenticate = Negotiate and HTTP: WWW-authenticate = NTLM.
EXERCISE 8-3: SECURING WEB SERVERS

Reducing Attack Surface by Disabling Unnecessary Services
2. In the details pane, double-click Application Management. Note the startup type and the description of the service.
QUESTION Why would it be a good idea to disable this service on a dedicated Web server? ANSWER If the service is disabled, it is more difficult to install unauthorized software.
3. In the Application Management Properties (Local Computer) dialog box, select the Start Up Type drop-down list.
QUESTION What are the three possible Start Up types? ANSWER Automatic, Manual, and Disabled.
87
4. Leave the Start Up type set to Manual, and then in the Application Management Properties (Local Computer) dialog box, select the Dependencies tab.
QUESTION Are there any service dependencies? ANSWER There are no service dependencies.
6. In the details pane of the Services console, double-click Distributed File System, note its startup type, and then read the description of the service.
QUESTION Why would it be a good idea to disable this service on a dedicated Web server? ANSWER This service is unnecessary on a dedicated Web server. The distributed file system service provides a logical, single point of access for file shares that are distributed across the internal network. A Web service provides this service for external clients by default.
Reducing Attack Surface by Prohibiting Unnecessary Web Service Extensions

3. In the details pane, note the Web service extensions and whether they are prohibited or allowed.
QUESTION Are any Web service extensions allowed? Why or why not? ANSWER Yes, Active Server pages are allowed as a result of installing Software Update Services in Lab 02. The default installation of IIS 6.0 prohibits all Web service extensions.
4. In the Web Service Extensions details frame, click the Open Help link, and then read the corresponding article on enabling and disabling dynamic content.
QUESTION What is the default configuration of IIS 6.0 for delivering dynamic content? ANSWER By default, IIS 6.0 delivers only static content. IIS 6.0 must be explicitly configured to allow dynamic content.
88
Creating and Implementing Application Pools to Enhance Reliability, Performance, and Security of Web Sites
7. Select the Performance tab, and then in the Web Garden area, select 3 in the Maximum Number Of Worker Processes spin box.
QUESTION What is a Web Garden? ANSWER A Web garden is an application pool that uses multiple worker processes.
8. Select the Health tab, and then review the default settings.
QUESTION What is a primary purpose of the settings in this tab? ANSWER The primary purpose is to ensure reliability when worker processes fail.
9. Select the Identity tab, and then select the Predefined drop-down list box.
QUESTION What are the three predefined accounts? ANSWER The three predefined accounts are Network Service, Local Service, and Local System.
20. In the Enable Logging area, click Properties.

QUESTION Where is the log file for this Web site stored? ANSWER The log file is stored in a subdirectory of the %windir%\System32\Logfiles folder. The subfolder name is an alphanumeric string beginning with W3SVC.
89
29. Open Internet Explorer, type http://computeryy:8000 in the Address box (where yy is the two-digit version of your lab partners student number), and then press Enter. You should see your partners default.htm file for the Web Services Web site.
QUESTION If this Web server hosted a .Net Web service application and the application failed, what would happen to other Web sites located on the same computer? ANSWER The other Web sites would not be affected if the application failed.
EXERCISE 8-4: SECURING DNS

Examining Default DNS Server Settings
3. In the Computerxx Properties dialog box, select the Root Hints tab. The Root Hints tab lists the DNS servers that are authoritative for the root or . zone. By default, your DNS server is configured with the root hints of DNS servers that comprise the starting point for DNS queries when your DNS server attempts to resolve a DNS host name to an IP address (also known as a forward lookup) or to resolve an IP address to a DNS hostname (also known as a reverse lookup).
QUESTION What addresses are listed in the Root Hints tab? ANSWER The addresses of the root-level DNS servers on the Internet that comprise the starting point for DNS queries to resolve host names to IP addresses.
8. Double-click the How DNS Query Works search result title, read the article, and then answer the following questions.
QUESTION What is recursion? ANSWER Recursion is the process that occurs when a DNS resolver, such as a DNS client, queries a DNS server to provide name resolution. The DNS client will wait for a response to the query from the DNS server. If the DNS server does not have the answer to the query in its cache or its local database (also known as a zone file), it will perform additional DNS queries to other DNS servers on behalf of the client in an attempt to resolve the name.
90
QUESTION If you disabled recursion on the DNS server, what DNS queries would the DNS server respond to? ANSWER If you disabled recursion, the DNS server would respond positively only to DNS queries for any host nametoIP address mapping in its local database, also known as a zone file. That is, it would not perform queries for hosts in remote DNS domains of which it had no local knowledge.
Creating and Configuring a Primary Forward Lookup Zone

11. In the Dnsmgmt console, under Forward Lookup Zones, select yourprimarydomain.com.
QUESTION In the details pane, how many resource records do you see? What are the record types for the records that you see? ANSWER By default, two resource records are created in the zone. The first is the Start Of Authority (SOA) record type. The second is the Name Server (NS) record type.
24. In the yourprimarydomain.com Properties dialog box, select the Zone Transfers tab.
QUESTION What are the default settings in the Zone Transfers tab? ANSWER The default settings are to allow zone transfers only to servers listed on the Name Servers tab.
25. Click Notify.

QUESTION What are the default notification settings? ANSWER The default setting is to notify servers listed on the Name Servers tab.
91
Creating and Configuring a Secondary Forward Lookup Zone

7. Under Forward Lookup Zones, click the secondary zone you just created.
NOTE You might initially see an error message indicating that the zone information was not transferred. Wait a few moments, and then press F5 to refresh the display. If you still cannot perform a zone transfer, review your configuration and your lab partners configuration. QUESTION What computers are authorized to receive a read-only copy of the entire zone file? ANSWER The configuration of the primary zone allows zone transfers to servers listed on the Name Servers tab. Because your lab partner created a host record for your IP address and created a Name Server record using the host record, you have authority to copy the zone file from your lab partners primary zone.

1. In addition to configuring Web server permissions to authorize access, what other permissions should you configure?
ANSWER You should configure the NTFS file system permissions on the files in the Web server home and virtual directories.
2. Why is NTLM authentication more secure than basic authentication?

ANSWER With basic authentication, the user name and password cross the wire in Base64 encoded clear text. With NTLM authentication, the password does not cross the wire.
3. What aspect of the CIA (confidentiality, integrity, and availability) triad can Web application pools enhance?
ANSWER Availability.
92
4. One of the default settings for the Internet zone is to prompt for a user name and password. Why is this an appropriate setting for the Internet zone?
ANSWER When this setting is disabled, Internet Explorer automatically sends a response to an NTLM challenge issued by a Web server without the users knowledge. A rogue Web site administrator can extract significant information from the response to the known challenge that her Web site issued. By prompting for authentication credentials, users are alerted to potential security issues on unfamiliar Web sites.
5. Why should you restrict zone transfers to only a predetermined and authorized list of DNS servers?
ANSWER To mitigate DNS footprinting attacks. In a DNS footprinting attack, an attacker copies the entire zone file from the DNS server. The attacker can subsequently gain information about your network and organization by the information implicit in host names and IP addresses.
6. Creating multiple secondary DNS servers to hold read-only copies of the primary zone enhances what aspect of the CIA (confidentiality, integrity, and availability) triad?
ANSWER Availability.
7. In addition to restricting zone transfers to a predetermined list of DNS servers, what other steps should you take to protect zone data?
ANSWER If zone information is being transferred over the Internet, you should encrypt the zone data transfer. Also, you should configure firewall rules to prevent unauthorized external hosts from connecting to your DNS server to request a zone transfer.
8. Enabling the setting to protect against DNS cache pollution enhances what aspect of the CIA (confidentiality, integrity, and availability) triad?
ANSWER Integrity. Cache pollution occurs when a rogue DNS server attempts to corrupt the DNS server cache with bogus records.
93
9. If you use basic authentication, what should you do to protect the confidentiality of authentication credentials?
ANSWER You should configure the Web server with a digital certificate to encrypt the authentication session.
LAB CHALLENGE 8-1: DESIGNING AND IMPLEMENTING A SECURE DNS INFRASTRUCTURE

Part 1: Designing a Secure DNS Infrastructure
You are the network administrator for Contoso Pharmaceuticals. Currently, the demilitarized zone (DMZ) contains two DNS servers, ns1.contoso.com and ns2.contoso.com, that host a primary and a secondary zone for the contoso.com domain namespace. The zones contain records for the externally accessible Web and mail servers. These two DNS servers also provide Internet name resolution for a Web proxy server that provides access to Internet Web sites for internal client browsers. They do not contain records for any internal hosts. The DNS name for the internal network and Active Directory is contoso.local. The DNS servers that are authoritative for the contoso.local namespace are accessible only by DNS clients on the internal network. Recently, these two DNS servers in the DMZ were flooded with a huge number of recursive queries from a number of DNS servers that had been compromised by a hacker. During the attack, the Web proxy server could not resolve Internet host names and customers could not resolve the host nameto-IP address mappings of the Web and mail servers. As a result of the attack, you have been asked to redesign the DNS infrastructure in the DMZ to provide greater security. Managements primary concern is that your DNS design protect against future DNS denial of service (DoS) attacks and eliminate any single points of failure, but they are also concerned about protecting the integrity and confidentiality of the DNS data, where appropriate. Management has informed you that you can purchase additional hardware and software if necessary. Also, Contosos Internet service provider (ISP) has offered to help you however they can.
94
For the first part of this lab challenge, you will design the DNS infrastructure based on your responses to the following questions. If required by your instructor, write up a formal proposal based on your responses to these questions and be prepared to hand it in. 1. Should you separate DNS server roles? If so, what roles would you separate and why?
ANSWER Yes, DNS server roles should be separated. One set of two DNS servers should be configured to perform recursive queries for the proxy server. The other set of DNS servers should be configured to resolve queries for hosts in the contoso.com domain but not perform name resolution for other domains (recursion disabled).
2. If you answered yes to question 1, will you need to install additional DNS servers?
ANSWER Yes. You should buy at least one and preferably two more DNS servers.
3. How can your ISP help you enhance the fault tolerance of the contoso.com zone?
ANSWER The ISP can host secondary zone files for contoso.com to eliminate a single point of failure, since it will be on a different subnet.
4. How can your ISP help you enhance the performance of DNS queries from internal DNS resolvers?
ANSWER You can configure the DNS servers used for external name resolution to forward requests to the ISPs DNS servers. Also, you can configure the Web proxy server with the IP addresses of the ISPs DNS servers.
95
5. Based on your responses to the previous questions, how would you configure inbound and outbound access rules for DNS traffic on your firewall?
TIP DNS uses User Datagram Protocol (UDP) port 53 for queries and Transmission Control Protocol (TCP) port 53 for zone transfers. ANSWER On the DNS servers that perform resolution on behalf of the Web proxy client, the firewall should be configured to allow outbound UDP port 53 traffic to any external host (or to the ISPs DNS servers if you want to configure the DNS servers to forward this traffic). For DNS resolution for the contoso.com name space, the firewall should be configured to allow inbound UDP port 53 traffic from any Internet host to DNS servers hosting the contoso.com zone file. Also, the firewall should be configured to allow TCP port 53 traffic to and from the ISPs DNS servers that are hosting a secondary zone file.
Part 2: Securing a DNS Server Against DoS Attacks

You are responsible for a DNS server that hosts the primary zone file for the contoso.com namespace. The DNS server is currently configured to allow zone transfers to another internal DNS server, which you manage. Your ISP has agreed to host a secondary zone file for contoso.com on its DNS server. The server name is ns1.fabrikam.com, and its IP address is 172.16.32.1. You need to configure the DNS server to allow zone transfers to ns1.fabrikam.com. Also, you need to configure the server to provide a maximum degree of protection against any DNS query flood attacks. For this part of the lab challenge, make the necessary configuration changes to your DNS server.
ANSWER The configuration changes that you should make are as follows: Recursion should be disabled in the DNS Server properties. Optionally, the root hints file (cache.dns) should be deleted. Ns1.fabrikam.com needs to be added to the Name Server list. Because recursion has been disabled on the DNS server, the DNS server cannot contact other DNS servers to resolve ns1.fabrikam.com to an IP address. Therefore, the configuration for zone transfers should be changed to allow zone transfers to a specific list of IP addresses (not servers listed in the Name Servers tab), if there isnt a host (A) record for the fully qualified domain name ns1.fabrikam.com.
96
LAB 9:
SECURING INTERNET MESSAGING

EXERCISE 9-1: EXAMINING SMTP RELAY SETTINGS
Using Telnet to Test Default SMTP Relay Settings
7. Type mail from: adminx@computerxx.contoso.com and then press ENTER. This command identifies the sender.
QUESTION Have you authenticated with the SMTP service by issuing this command? ANSWER No, you have not authenticated with the SMTP service. You have merely identified the senders identity, which could be any string of characters as long as it conformed to an e-mail address format.
8. Type rcpt to: mailadmin@fabrikam.com and then press ENTER.

QUESTION What message did you receive in response to this command? ANSWER The response code is 550, indicating that the SMTP service cannot relay for mailadmin@fabrikam.com.
9. Type rcpt to: userx@computerxx.contoso.com and then press ENTER.

QUESTION What message did you receive in response to this command? ANSWER The response code is 250, indicating that the SMTP service can send mail to the target e-mail address. QUESTION Why are you able to send mail to the target e-mail address? ANSWER The SMTP service will accept inbound mail for its configured e-mail domains, in this case, computerxx.contoso.com.
LAB 9: SECURING INTERNET MESSAGING
97
Examining and Configuring SMTP Relay Settings

3. In the Default SMTP Virtual Server Properties dialog box, select the Access tab, and then click Relay, as shown below.
G09XX02
QUESTION In what circumstances is relaying permitted? ANSWER When an e-mail client or server successfully authenticates to the SMTP service.
9. Type rcpt to: mailadmin@fabrikam.com and then press ENTER.

QUESTION What response code did you receive? ANSWER You should receive a 250 response code, indicating that you can send mail to the target e-mail address. QUESTION Why are you able to send e-mail to mailadmin@fabrikam.com? ANSWER You have configured your SMTP server as an open relay that will forward mail from any IP address.
98
EXERCISE 9-2: CONFIGURING DNS MAIL EXCHANGER (MX) RECORDS

Adding a Primary MX Record
12. In the Mail Exchanger (MX) dialog box, click the question mark in the upper right corner, drag the cursor to the Mail Server Priority box, and then click the mouse to bring up an explanation of the field.
QUESTION If more than one MX record is present, how will mail be delivered to the domain? ANSWER The remote mail server will first attempt to deliver mail to the server with the highest priority (lowest number). If delivery fails, the mail server will attempt to deliver mail to the MX record with the next highest priority.
EXERCISE 9-3: EXAMINING DEFAULT POP3 SECURITY

Configuring POP3 Domains and Mailboxes
7. In the Mailbox Name box, type usery (where y is your lab partners student number), and then click OK.
QUESTION What is the format of the account name used for clear text authentication? ANSWER The format for the account name is Userx@domainname.com.
99
Examining Changes to SMTP Domains

2. Expand Default SMTP Virtual Server, and then click Domains. Both computerxx.contoso.com and contoso.com should be listed as local domains. If you do not see these domains, right-click the Domains node in the tree pane of the console, and then click refresh.
QUESTION Why is it necessary for contoso.com to be listed here in addition to computerxx.contoso.com? ANSWER This configuration allows the SMTP service to accept inbound mail addressed to both the computerxx.contoso.com and contoso.com domains.
Analyzing POP3 and SMTP Traffic

12. Click the top frame in the Summary window, and then press the Down arrow to review the contents of subsequent frames in the Detail and Hex windows.
QUESTION Do any of the frames contain potentially sensitive information? If so, what information do they contain? ANSWER Some of the frames contain user names, clear text passwords, and the message contents.
20. Click the top frame in the Summary window, and then press the Down arrow to review the contents of subsequent frames in the Detail and Hex windows.
QUESTION Do any of the frames contain potentially sensitive information that is viewable in clear text? If so, what information do they contain? ANSWER The contents of the message are viewable.
100
EXERCISE 9-4: USING SECURE PASSWORD AUTHENTICATION (SPA)

Capturing and Analyzing SPA Traffic
17. Click the Find Next and Find Previous icons and review the data.
QUESTION What authentication mechanism does SPA use? ANSWER NTLM.
18. Review the remaining POP3 frames in the capture.

QUESTION Do any of the frames contain potentially sensitive information that is viewable in clear text? Hint: To find any clear text information, you can create a find expression for one of the text strings you used in your e-mail message. ANSWER Yes, the contents of the message downloaded to the POP3 client are viewable.

1. How can preventing unauthorized SMTP relaying reduce social engineering attacks?
ANSWER It is relatively easy to alter SMTP headers to make it appear as if an e-mail originated from a different sender than the actual one. If the attacker can also relay an e-mail message from the actual SMTP host used by the impersonated sender, the fraud is more complete and convincing. To defend against being a victim of this kind of attack, you should never allow unauthorized relaying from your SMTP server. Furthermore, with many SMTP implementations, you can perform reverse DNS lookups on incoming messages and verify that the message originated from an IP address that matches the domain name indicated in the HELO/EHLO command. So, while the attacker may be able to spoof the From header of the e-mail message, your SMTP server will reject the message because it doesnt originate from the e-mail server responsible for the domain in the e-mail address.
101
2. How can preventing unauthorized SMTP relaying reduce denial of service (DoS) attacks?
ANSWER Some spammers send extremely large volumes of e-mail. If a spammer sends a large volume of e-mail over an open relay, the SMTP service could be overwhelmed and be unable to process legitimate inbound and outbound e-mail.
3. Why is it desirable to have multiple DNS MX resource records?

ANSWER To provide greater fault tolerance and availability if an SMTP server fails.
4. You have configured Outlook Express to connect to a POP3 server. When you send an e-mail from a POP3 client, what protocol does Outlook Express use?
ANSWER The client uses SMTP to send the e-mail.
5. When you configure a POP3 client to use SPA, is the confidentiality and integrity of the message protected?
ANSWER No. SPA only protects the confidentiality of the password.
6. What can you do to ensure the confidentiality of an SMTP e-mail message?

ANSWER You must encrypt the contents of the message.
7. What assurances does a digital signature provide?

ANSWER Integrity and nonrepudiation. A digital signature can be used to ensure that messages are not tampered with while in transit and that the purported sender of the message is in fact the actual sender of the message. Furthermore, because the sender of the message is the only one who has access to the private key used to create a digital signature, only she can have sent the message. Therefore, unless the security of the private key has been compromised, the sender cannot deny having sent the message.
102
LAB CHALLENGE 9-1: DIGITALLY SIGNING AND ENCRYPTING E-MAIL

1. What do you need before you can send a digitally signed e-mail?
ANSWER You need a digital certificate for your user account.
2. You are sending an encrypted e-mail. What is used to encrypt the e-mail: the recipients public key, the recipients private key, your public key, or your private key?
ANSWER You encrypt the e-mail with the recipients public key.
3. What is a digital ID in Outlook Express?

ANSWER A digital ID comprises a private key, public key, and digital signature.
LAB 10: SECURING YOUR PERIMETER NETWORK
103
LAB 10:
SECURING YOUR PERIMETER NETWORK

EXERCISE 10-1: USING NETSTAT TO VIEW OPEN PORTS
4. Type netstat es and then press ENTER.
QUESTION What does the output of the command display? ANSWER The output of the Netstat command displays statistics for Ethernet, IP version 4 (IPv4), TCP, UPD, and Internet Control Message Protocol (ICMP).
5. Type netstat na and then press ENTER. The output of the command shows the protocol used (TCP or UDP), the TCP or UDP port number, the local and foreign (remote) address, and the connection state for TCP connections (Listen, Establish, Time_Wait, and so on). The port number is the TCP or UDP port number and is indicated by the number immediately to the right of the IP address. For example, UDP 0.0.0.0:53 indicates that UDP port 53 is in use, which is the port used for DNS query requests.
QUESTION List the open TCP ports that have a value below 1024. ANSWER Results will vary. Typical results will be 21, 25, 53, 80, 110, 135, 139, 443, and 445. QUESTION List the open UDP ports that have a value below 1024. ANSWER Results will vary. Typical results will be 53, 123, 135, 137, 138, 445, and 500.
6. Type netstat a and then press ENTER.

QUESTION What is the difference in the output of this Netstat command compared with the output of the Netstat command in step 5? ANSWER Many of the port numbers and IP addresses are converted to names.
104
7. Type netstat no and then press ENTER.

QUESTION What is the difference in the output of this Netstat command compared with the output of the Netstat command in steps 5 and 6? ANSWER The output of this command shows only the active connections, and it does not show all the ports that the computer is listening on.
18. Click Start, select Run, type notepad c:\lab manual\lab 10\labwork\netstat.log in the Open box, and then click OK.
QUESTION What information is listed in the Netstat.log file? ANSWER The file lists a history of active connections at five-second intervals. You might see connections with both your lab partners and the instructors computers.
EXERCISE 10-2: VIEWING OPEN PORTS ON REMOTE COMPUTERS

6. Examine the output of the port scan. Note that the output of this version of SuperSscan shows only open TCP ports. It does not scan for open UDP ports.
QUESTION In the output of the port scan, locate the Domain Name Server entry. What port number is listed for this entry? ANSWER Port 53 is listed as the port number.
105
EXERCISE 10-3: CREATING PACKET FILTERS BY USING ROUTING AND REMOTE ACCESS SERVICES
Testing Inbound Filters
2. In the command prompt, type ping computeryy (where yy is the twodigit version of your lab partners student number), and then press ENTER.
QUESTION What Ping response message did you receive? ANSWER Request Timed Out.
5. Wait until the scan is finished, and then click Expand All.
QUESTION What does the red X in the Scan Results window indicate? ANSWER The red X indicates that a ping of the target computer failed. QUESTION Why do you not see an open port for the DNS server (53)? ANSWER The destination port (TCP port 53) has been explicitly blocked by the RRAS filter. Any traffic with a destination port of TCP port 53 is dropped by the packet filters.
EXERCISE 10-4: CREATING PACKET FILTERS BY USING IPSEC

Creating an IPSec Policy Rule to Block Traffic from Any Host
30. At the command prompt, type ping computeryy (where yy is the twodigit version of your lab partners student number), and then press ENTER.
QUESTION What ping response message did you receive? ANSWER Request Timed Out.
106
33. Wait until the scan is finished, and then review the scan result output. Minimize Super Scan 3.0.
QUESTION Why isnt there an open port for the DNS server (53)? ANSWER The destination port (TCP port 53) has been explicitly blocked by the IPSec filter.
Adding an IPSec Policy Rule to Allow Traffic from a Specific Host

18. At the command prompt, type ping computeryy (where yy is the twodigit version of your lab partners student number), and then press ENTER.
QUESTION What ping response message did you receive? ANSWER Request Timed Out.
21. Wait until the scan is finished, and then review the scan result output. In the scan results, you should see an open port for the DNS server (53). If you do not see this port in the output of the scan results, review your configuration, paying special attention to the filter action for the Allow DNS From The Lab Partner IP Filter List rule. You might also need to restart the Policyagent service.
QUESTION Why do you see an open port for the DNS server (53)? ANSWER Your IP address has been allowed access to this port on your lab partners computer.
107
Adding an IPSec Filter to Allow Traffic from a Specific Subnet

2. At the command prompt, type ping instructor01 and then press ENTER.
QUESTION Why do you receive a Request Timed Out response, even though your IPSec policy allows outbound ICMP traffic? ANSWER Even though the IPSec policy allows outbound ICMP traffic, it drops all inbound ICMP traffic, including responses to the ping request.

1. Can you use the Netstat command to view the listening ports on a remote computer?
ANSWER No. The Netstat command can only be used to view ports on the local computer.
2. In the output of the Netstat a command, what does the LISTENING state indicate?
ANSWER It indicates that the port is open and ready to accept connections.
3. Why is it a good idea to perform port scans of internal company computers on a regular basis?
ANSWER A remote port scanner can be useful for detecting the presence of Trojan horse programs and other malware that open unauthorized ports.
4. Why is it a good idea to create packet filters for outbound as well as inbound traffic?
ANSWER Limiting outbound traffic is an effective way of enforcing company policies regarding the appropriate use of the Internet. For example, if you do not want to allow any internal clients to connect to FTP servers on the Internet, you can use outbound filters to prevent FTP traffic that originates on your internal network from being forwarded to the Internet. Furthermore, a large number of exploits install software on target computers that cause them to communicate with unauthorized hosts on the Internet. For example, the Slammer worm caused infected computers to try to infect other computers on the Internet using UDP.
108
If more firewall administrators had prevented unnecessary traffic from being forwarded to the Internet from internal hosts, the damage caused by the Slammer worm, or for that matter the Sasser worm, would have been less severe.
5. What advantage does packet filtering in IPSec have over packet filtering in RRAS?
ANSWER IPSec has a more granular configuration than RRAS.
6. When you create an IPSec IP filter, what effect does selecting the Mirrored option have?
ANSWER When you select the Mirrored option, IPSec creates an additional filter that is the exact opposite of the filter you create. So, for example, if you create a DNS filter with a Destination Address of My Address and a Source Address of Any Address, an additional filter with a Destination Address of Any Address and a Source Address of My Address is created.
LAB CHALLENGE 10-1: CREATING PACKET FILTERS FOR PPTP

NOTE You must have completed Lab 7, Securing Communications, before beginning this lab challenge.
Before beginning this lab challenge, you might need to reconfigure the computer that will act as the PPTP client to use PPTP, rather than Layer Two Tunneling Protocol (L2TP), to connect to the RRAS server. See Lab 7, Securing Communications, for details on reconfiguring your client to use PPTP. Also, this lab challenge requires that you determine what ports are used for RADIUS accounting and authentication. To determine what ports are used for RADIUS accounting and authentication, you can use Network Monitor to capture traffic related to RADIUS authentication. Alternatively, you can load the C:\Lab Manual\Lab 10\Pptp-radius.cap file in Network Monitor to determine this information. It would also be helpful to consult the Microsoft Windows Help files before doing this lab challenge. You recently installed a dedicated RRAS and Internet Authentication Service (IAS) server in your perimeter network. Employees will use this server to establish virtual private network (VPN) tunnels to the corporate network using Point-to-Point Tunneling Protocol (PPTP). This server also uses RADIUS to perform a centralized authentication function for other VPN servers. Because this is a dedicated server,
109
you want to ensure that only essential outbound or inbound traffic related to PPTP and RADIUS is allowed on the Internet-facing network interface of this computer. For this lab challenge, work with your lab partner to configure one of your servers with the appropriate packet filters to drop all inbound and outbound traffic except for traffic related to PPTP and RADIUS. Record the packet filter configuration you create in the Lab10Worksheet.doc, which you can find in the C:\lab manual\Lab 10 folder. When you have completed the worksheet, save it as C:\Lab Manual\Lab 10\Labwork\YourLastName-Lab10-PPTP-filters.doc (where YourLastName is your last name). If your instructor requires you to submit the file for evaluation, he or she will provide additional instructions for submitting it. If time permits, remove the packet filters on the RRAS server and re-create the RRAS configuration on the other computer.
IMPORTANT Because you are creating RRAS packet filters on a computer with only one network interface adapter, you might experience delays in accessing the properties of the network interface adapter in RRAS after you have implemented the filters. You might have to wait a short time to open up the property pages after implementing the filters. After completing this lab challenge, remember to remove the packet filters to restore your computer to its original configuration. ANSWER The minimum set of filters are as follows, where x is the last octet of the IP address of the RRAS server, y is the last octet of the address of the RADIUS server, and /32 represents a subnet mask of 255.255.255.255. The configuration will work with the addition of packet filters for RADIUS accounting (UDP 1813), but if you completed all of Lab 7, Securing Communications, packet filters for RADIUS authentication (UDP 1812) are required. Inbound Filters Source Address = Any, Destination Address = 10.1.1.x/32, Protocol = TCP, Destination Port = 1723 Source Address = Any, Destination Address = 10.1.1.x/32, Protocol = Other, Protocol Type = 47 Source Address = Any, Destination Address = 10.1.1.x/32, Protocol = TCP [established], Source Port = 1723 (optional) Source Address = 10.1.1.y/32, Destination Address = 10.1.1.x/32, Protocol = UDP, Source Port = 1812 Source Address = 10.1.1.y/32, Destination Address = 10.1.1.x/32, Protocol = UDP, Source Port = 1813
110
Outbound Filters Source Address = 10.1.1.x/32, Destination Address = Any, Protocol = TCP, Source Port = 1723 Source Address = 10.1.1.x/32, Destination Address = Any, Protocol = Other, Protocol Type = 47 Source Address = 10.1.1.x/32, Destination Address = Any, Protocol = TCP [established], Destination Port = 1723 (optional) Source Address = 10.1.1.x/32, Destination Address = 10.1.1.y/32, Destination Port = UDP 1812 Source Address = 10.1.1.x/32, Destination Address = 10.1.1.y/32, Destination Port = UDP 1813
LAB 11: MAINTAINING OPERATIONAL SECURITY
111
LAB 11:
MAINTAINING OPERATIONAL SECURITY

EXERCISE 11-1: ENHANCING PHYSICAL SECURITY
Scenario
You are a network administrator at the headquarters for Contoso Pharmaceuticals. Because of the sensitivity of the data stored at headquarters, the company has made a significant investment in security measures. For example, physical access to domain controllers and other critical servers is severely restricted. However, domain controllers for the contoso.com domain and a number of child domains are located in geographically remote branch offices. There is a wide disparity in the security environments of these branch offices. For example, some offices are located in single-story buildings that lack 24-hour onsite security personnel. Other offices are located in multistory buildings that have 24-hour onsite security personnel and where after-hour elevator access is restricted to authorized personnel only. In some instances, the domain controllers and other servers are located in the office of the branch office network administrator. The figure below shows the typical arrangement of a dual-purpose room that serves as the network administrators office and as the file server room.
112
110-volt outlet Punchdown block 100-Mb switch
Power strip
128-Kbps connection to Internet Router Domain controller ISA Server 2000 firewall
WINS/DHCP/IIS server File server
Telephone Telephone
Branch office network administrator's office
You are concerned about the lack of physical security of the domain controllers and other servers in some of these offices. Because of the size of the Active Directory directory service, the design of Active Directory and the speed of the WAN links, it is not practical to remove the domain controllers from these remote offices. Doing so would result in excessively long logon times, resulting in a loss of productivity. Furthermore, having domain controllers at the branch offices increases fault tolerance and the availability of Active Directory.
G11XX01
113
You have brought your concerns to management. They agree that the physical security of the domain controllers needs to be enhanced throughout the company and are willing to provide a budget for the improvements. However, before a budget is approved, management wants to see a list of recommendations that will be incorporated into a revised security policy that will outline the minimum standards for physically securing domain controllers at all offices. Management has asked you to provide this list of recommendations. Because the recommendations need to cover the minimum requirements for physically securing all domain controllers, they need to take into account local conditions. In your preliminary research, you have learned that in all locations the lease agreements allow you to make physical changes to the offices, including reconfiguring office space, adding new wiring, and changing ventilation ducts. However, providing 24-hour onsite security personnel is not possible or economical at all locations. The following list of questions will help you compile your list of recommendations. You should, however, go beyond the provided questions to create your final list.
QUESTION If 24-hour onsite security is not possible in all locations, what other measures can you use to provide constant monitoring? ANSWER You can rewire all the offices so you can install alarm systems and closed-circuit television (CCTV) systems. With a CCTV system, the office can be monitored offsite by a third-party security company. QUESTION In cases where the network administrator shares office space with the servers, what changes should you make? ANSWER Because your lease agreements allow you to physically reconfigure the office space, dedicated rooms should be built for the servers. QUESTION What measures can you take to restrict physical access to rooms where the servers are located? ANSWER At the very least, offices should have physical locks. For a locked, high-security server room, a lock that requires multi-factor authentication is the best choice. For example, you could install smart card readers that require network administrators to swipe a card and enter a personal identification number (PIN) number. Also, you could install a biometric scanner that requires a PIN number or password to control access.
114
QUESTION Is the plenum space a concern? If so, how would you deal with it? ANSWER If local building codes permit it, you should build walls that extend completely from the floor to the ceiling (slab to slab). QUESTION Should you log access to the server room? If so, how would you do this? ANSWER Yes, it would be desirable to log access to the server room. You could rely on a sign-in and sign-out sheet. However, you should install an electronic system that can both control access and keep an automatic record of that access. Furthermore, you should use devices that record both who enters and leaves the room; that is, the electronic system must be installed on both sides of the door. QUESTION Who should have access to the server room? ANSWER Only network administrators with the appropriate security clearance. QUESTION Would any changes to the heating or air conditioning system be required? ANSWER Yes. Servers should be kept in an air conditioned environment that maintains an optimal temperature. This might require installing new air conditioning vents and adjusting air flow. Furthermore, the heating, ventilation, and air conditioning system (HVAC) should be designed so that air flow to the server room can be automatically shut off, in the event of a fire, to dampen or extinguish the fire as soon as possible by depriving it of oxygen. QUESTION If it is necessary to build or modify a server room, what consideration should you give to the power requirements? ANSWER Many industrial-strength uninterruptible power supply (UPS) devices require 220-volt power, rather than 110 volt. You need to ensure that the room is wired appropriately to accommodate these devices. If possible, the electrical power should be conditioned before it enters the server room and should be on a separate circuit from the rest of the office.
115
QUESTION What recommendations would you make for a fire suppressant system? ANSWER Where possible, the fire suppressant system should not damage equipment with water or foam. FM-200, which is a replacement for the potentially dangerous and older Halon systems, is an example of a fire suppressant system that would not damage equipment. You can also use a mix of fire suppressant systems. For example, an FM-200 fire suppressant system could be the first system to be triggered in the event of a fire alarm. If the fire reaches a predefined temperature, a wet-pipe or dry-pipe sprinkler system could subsequently be activated. With a dry-pipe system, water is only forced into the pipes once a certain temperature is reached. QUESTION How would you deal with risks that some fire suppressant systems create, in particular those fire suppressant systems that extinguish the fire by removing oxygen from the environment? ANSWER Because some fire suppressant systems displace oxygen, employees will require evacuation training. QUESTION Why should you include in your plan an emergency shutdown procedure for computers in your server room in the event of a fire? ANSWER You should include an emergency shutdown procedure for computers to mitigate the loss of data if the power is suddenly terminated, either deliberately or as a result of fire damage.
116
EXERCISE 11-2: USING THE SYSTEM KEY UTILITY

Updating Syskey to Use a Password for Startup
4. In the Startup Key dialog box, select Password Startup, as shown below; type P@ssw0rd in the Password and Confirm Password boxes; and then click OK.
G11XX02
QUESTION What option in the Startup Key dialog box provides the greatest security? ANSWER The Store Startup Key On Floppy Disk option provides the greatest security, if the floppy disk is stored in a secured location.
15. Close Event Viewer.

QUESTION How can the System Event Shutdown tracker improve an organizations change management processes, especially when administrators have shown an unwillingness to follow proper procedures for manually documenting changes to computer systems? ANSWER The System Event Shutdown tracker can help a company further automate its change management process. An automated process could scan log files for events related to the use of the System Event Shutdown tracker. Properly used, the System Event Shutdown tracker provides appropriate documentation to track system changes.
117
Restoring Default Syskey Settings

5. Close all open windows and restart the computer. While the computer is restarting, answer the following questions.
QUESTION Why is the default Syskey setting less secure than the other options? ANSWER The default setting stores an obscured version of the Syskey in the registry. If an attacker has access to the local registry, the availability of this key will make cracking the encryption on the accounts database easier. QUESTION In order to crack an accounts database that has been secured by Syskey, it is necessary to acquire a copy of the Security Accounts Management (SAM) database and the system files from the target computer. What countermeasures can you take to prevent or detect possible unauthorized copying of these files? ANSWER First, the physical security of the computer needs to be enhanced, especially if it is a domain controller. Second, when Windows is running, these files are locked and cannot be copied. An attacker would have to boot up into another operating system and copy the files. You should, therefore, audit for unauthorized restarts of the computer. If you use the more secure Syskey options, an attacker will not be able to restart the computer and your chances of detecting unauthorized access to the server are improved.
EXERCISE 11-3: ENSURING THE PROPER DISPOSAL OF DATA

Scenario
You are a network administrator for Contoso Pharmaceuticals. Your company is about to upgrade a number of servers, workstations, and backup tape devices. The company wants to donate the used hardware to a local school. Also, because your new backup devices are not compatible with the backup tapes you are currently using, the company wants to donate the spare backup tapes to the local school as well. However, the company has informed the school that, if security considerations warrant it, some of the donated computers will not include hard drives. You have been asked to make recommendations regarding the disposal of this equipment. Some of the hard drives and backup tapes contain highly sensitive and proprietary information.
118
QUESTION Will formatting the hard drives prevent recovery of sensitive data? ANSWER Unless you do multiple low-level formats of Small Computer System Interface (SCSI) drives, formatting will not prevent the recovery of data. Data from reformatted Integrated Device Electronics (IDE) drives can be recovered easily. QUESTION What measures should you take to ensure that data cannot be recovered from the donated hard drives? ANSWER Short of physically destroying the hard drives, you should use a utility that can overwrite all the sectors of the hard drive with random characters. You should overwrite all sectors with random characters multiple times. QUESTION Some of the server hard drives contain highly sensitive information. Would you recommend that these hard drives be donated? ANSWER No. You should thoroughly erase the data on these hard drives by using a special utility designed especially for that purpose, and then the drives should be physically destroyed, for example, by drilling holes in them or immersing them in acid. If the data is valuable enough, industrial spies might be willing to use very sophisticated, advanced, and expensive techniques to find data remnants. QUESTION What should you do to ensure that data cannot be recovered from the backup tapes? ANSWER At the very least, you should overwrite the tapes by using a special deletion program that can overwrite the data multiple times. Degaussing the tapes, while effective, might not entirely prevent the recovery of raw data. QUESTION Would you include the backup tapes in the donated items? ANSWER If the tapes contain highly sensitive information, the best way to mitigate the risk is to thoroughly erase the data and then physically destroy them. Although the company expressed a desire to donate these items, it is not unreasonable for security considerations to override charitable impulses in this situation. Furthermore, as part of its stated intentions, the company is under no obligation to supply these items as part of the donation.
119
QUESTION There are a number of utilities designed to thoroughly erase data. Should you recommend specific utilities? ANSWER Yes. Not all of these utilities are equal. You should recommend a list of approved utilities.
EXERCISE 11-4: USING CIPHER.EXE TO PERMANENTLY DELETE DATA

2. At the command prompt, type cipher /? and press ENTER; note the syntax for the /w switch; and then read the description for the /w switch.
QUESTION The description states that the /w switch removes unused data from the entire volume. What is the purpose of the /w switch syntax allowing you to specify a directory, for example, cipher /w:C:\Test? ANSWER In Microsoft Windows 2000 and later, you can mount a volume in any empty folder on an NTFS file system volume. The only way of accessing this volume is through the folder path, not the drive letter.
11. In the Performance console, select the Physical Disk: %Disk Write Time counter you added in step 7, press CTRL+H to highlight the real-time performance activity in the graph, and observe the activity. Then, using the up and down arrows, look at their values.
QUESTION Do the counters indicate intensive disk activity? ANSWER Yes. The Cipher /w command causes data to be written to unallocated sectors of the physical disk.
12. Switch to the command prompt, and then wait for the command to finish.
QUESTION What three write operations did the Cipher /w command perform? ANSWER The three write operations are to write 0x00, then write 0xFF, and then write random numbers to unallocated space on the volume.
120
EXERCISE 11-5: ENHANCING DATA AVAILABILITY

Scenario
A server used by Contoso Pharmaceuticals contains a large amount of critical data stored in a Microsoft Windows SQL 2000 database that is used extensively to support daily operations of the company. The amount of critical data on the server is close to 50 GB in size, and it is located on a redundant array of independent disks (RAID) 5 volume. The transaction logs for the database are located on a mirrored volume of the same computer. You recently bought a new backup device that is, according to the manufacturer, capable of a native data throughput of around 30 Mbps. The backup device is connected to a dedicated backup computer. This computer is located on the same 100-Mbps Ethernet segment as the server that contains the critical data. Management has stated that, in the event of a catastrophic failure to the server that contains the critical data, the data must be restored and available to users within an hour. A maximum of two hours worth of data loss is tolerable. You test backups and restores of 50 GB of data and find that backup and restore times are far longer than the required minimums. What should you recommend as a solution to ensure that backups can be restored within the minimum time specified by management?
QUESTION The tape device supports a very high-rate native throughput rate. It should easily be able to restore 50 GB in an hour, even with the Verify option enabled. What are the likely bottlenecks? ANSWER The most obvious bottleneck is the speed of the network segment. The segment should be upgraded to Gigabit Ethernet. A less obvious but possible bottleneck is the data transfer rates in the database and backup servers themselves. For example, at a minimum, the Peripheral Component Interconnect (PCI) adapters should have a 64-bit bus width. Also, the hard drive type and hard drive configuration of the database server could be a factor. QUESTION What kinds of backups should you perform: full, differential, incremental, or a combination of these? How often should you perform them? ANSWER Since restore times are so critical and since only two hours worth of data loss is acceptable, you should perform full backups at least once every day and differential backups every couple of hours. You would need to load fewer tapes in a situation like this, thus reducing the time it takes for the restoration.
121
QUESTION If you bought backup software that had specific plug-ins for SQL 2000 databases, what effect would it have on the rate of backups and restores? ANSWER It would likely shorten backup and restore times. QUESTION Assuming that catastrophic failure means the complete destruction of the computer for example, if there were a fire in the server roomwould you be able to build a computer, load an operating system, install SQL, and restore the data within an hour? If not, what solution can you recommend? ANSWER You need a computer that serves as a standby SQL server and can be brought into production at a moments notice. Also, you should consider clustering and server mirroring solutions to provide high availability and fault tolerance.
EXERCISE 11-6: BACKING UP AND RESTORING DATA USING THE INCREMENTAL BACKUP TYPE
Performing Normal and Incremental Backups
2. From the View menu, select Details, and then note the file attributes in the Attribute column.
QUESTION What attribute type is listed in the Attributes column for each file? ANSWER The attribute type is A (or Archive). When a file is added or modified, the Archive bit is turned on, indicating the need for a backup.
14. Switch to Windows Explorer, and then view the attributes of the files in the C:\Lab Manual\Lab 11\Backup folder.
QUESTION How have the file attributes changed? What does this indicate? ANSWER The A (or Archive) bit has been removed. This indicates that the files have been successfully backed up, so the need to archive (back up) the files is no longer required.
122
15. Double-click one of the files to open it in Notepad, press ENTER to make a change to the file, save the file, close Notepad, and then view the file attribute.
QUESTION Did the file attribute on the file change? ANSWER Yes, the A (or Archive) bit was added.
23. Switch to Windows Explorer and view the attribute on the file you modified in step 15.
QUESTION Did the file attribute on the file change? ANSWER Yes, the A (or Archive) bit was removed. QUESTION If you had performed a differential backup, would the file attribute have changed? ANSWER No. A differential backup does not alter the status of the Archive bit when it backs up files.

1. You are considering buying a UPS for a server room located in a branch office in Tampa, Florida. Why would it be a good idea to collect data on lightning activity in this, or any other region, before purchasing the UPS?
ANSWER You should look at weather data and lightning activity to help gauge the likelihood of power outages. This will help you determine the capacity and number of UPSs you need to buy. The Tampa Bay area of Florida experiences very frequent lightning storms and is used as an extreme example for the question.
2. Although tools now exist that can run brute-force attacks on Syskeyprotected accounts databases, why is it still a good idea to enable Syskey?
ANSWER It is always a good idea to layer security. A Syskey-protected SAM database is harder to crack than one that isnt protected with Syskey.
123
3. When you delete a file from a hard drive, what actually changes on the hard drive itself?
ANSWER The only thing that changes is the file table (MFT in the case of NTFS, or FAT in the case of DOS). The file table contains pointers to where the file physically exists on the hard drive. The file itself may be spread over many noncontiguous sectors of the hard drive. When you delete the file, the file table marks the area occupied by the file on the hard drive as available for writing. Until the areas of the hard drive occupied by the file are overwritten, the file is still recoverable.
4. How does the Cipher.exe /w command remove unallocated data?

ANSWER The Cipher.exe /w command overwrites the unallocated data on the hard drive with 0s, 1s, and then random numbers.
5. You are considering a backup solution for a number of critical servers on your network. List three or four factors you should consider before deciding on a solution.
ANSWER Answers will vary. Some possible responses are: The speed of the backup and restore operations The speed of the network, for remote backup and restore jobs The amount of data to be backed up The capacity of the media used to back up data The speed at which autoloaders can load tapes The data transfer rates within the computer itself
6. Describe the difference between a differential and an incremental backup type.

ANSWER A differential backup backs up files but leaves the Archive bit alone. When subsequent differential backups are performed, the differential backup backs up the same files plus any new files that have been added or changed since the last full backup. An incremental backup backs up files and then changes the Archive bit. When subsequent incremental backups are performed, only the files that have changed since the last incremental backup are backed up.
124
7. Which backup type takes longer to restore: incremental or differential?

ANSWER An incremental backup takes longer to restore because after the last full backup has been restored, you need to restore each incremental backup in the order that it was performed. When restoring a differential backup, you have to restore only the last full backup and the last differential backup.
LAB CHALLENGE 11-1: BACKING UP CRITICAL FILES

You have recently been made responsible for maintaining and securing a Windows 2003 Server member server. This server has a particularly important role on your network because it issues computer and user digital certificates, both through autoenrollment and Web enrollment. Upon performing a review of the server, you discover that some of the data on the server is regularly backed up, but the registry, system files, boot files, Internet Information Services (IIS) metabase, and certificate services database are not backed up on a regularly scheduled basis. You decide to create a backup job that will back up these critical files on a weekly basis. You schedule the backup to run at 10:00 P.M. every Saturday evening. You want to create this backup job with the least amount of administrative effort. After you complete this challenge, take a screen shot of the Backup tab showing the backup selections and a screen shot of the Schedule Job dialog box showing the weekly job. Save these screen shots as Backup.bmp and Schedule.bmp in the C:\Lab Manual\Lab 11\Labwork folder. If your instructor requires you to submit the screen shots for evaluation, you will be given further instructions.
TIP To take a screen shot, make sure the window element of interest is in the foreground, and then press ALT+PRINTSCREEN to copy the screen shot into the buffer. Open the Paint program, and then press CTRL+V to paste the screen shot into Paint. Finally, save the .bmp file in Paint with the appropriate name. ANSWER In order to successfully complete this lab challenge, the students must perform a system state backup. The following graphics are representative of the screen shots that students should create to demonstrate that they have successfully completed this lab challenge.
125
126
LAB 12:
MAINTAINING ORGANIZATIONAL SECURITY

EXERCISE 12-2: ENFORCING A SOFTWARE RESTRICTION POLICY
7. In the details pane, note the four default rules, and then answer the following questions.
QUESTION What kind of path do these four rules use? ANSWER The rules use a registry path type. QUESTION Is it possible to use wildcards for the path rules? ANSWER Yes, you can use wildcards.
17. Click Start, select Run, type wmplayer.exe in the Open box, and then click OK.
QUESTION What message did you receive? ANSWER You received a message that Microsoft Windows could not open the program because of a software restriction policy.
EXERCISE 12-3: USING WINDOWS FILE PROTECTION TO ENHANCE SYSTEM STABILITY

Examining Windows File Protection Settings
5. Read the descriptions of the remaining Windows File Protection settings, and then answer the following questions.
QUESTION By default, when does Windows perform file scans? ANSWER On setup.
LAB 12: MAINTAINING ORGANIZATIONAL SECURITY
127
QUESTION What is the default maximum size of the file cache? ANSWER On computers running Windows XP, the default maximum size is 50 MB. On computers running Microsoft Windows 2003, the default maximum size is unlimited. QUESTION What is the default location of the folder holding the protected files? ANSWER The default location is %Systemroot%\System32\Dllcache.
Verifying WFP Operation

8. In the details pane, double-click the events that display Windows File Protection in the Source column.
QUESTION What WFP events are listed in the System log? ANSWER The System log shows events for the file replacement and for the initiation and completion of WFP scan operation.
EXERCISE 12-5: USING WINDOWS TOOLS TO DOCUMENT SYSTEM INFORMATION

Using Systeminfo.exe to Document System Summary Information
4. Review the information contained in the text file.
QUESTION Does the output of Systeminfo.txt provide information on hotfixes that have been applied? ANSWER Yes. One of the advantages of this report is that hotfix information is displayed prominently.
128
Using Netdiag to Document Network Configuration

10. On the taskbar, click the Desktop icon, and then double-click the Netdiag file you just created.
QUESTION What is the relationship between the information you see in the output of Netdiag and the information you see in the file? ANSWER The report only contains information that was in view when you clicked the button to save the report to a file.

1. Why is it often undesirable to create overly broad and rigid acceptable use policies?
ANSWER If security and acceptable use policies are overly rigid, the policies are violated more frequently and they become more difficult to enforce. When policies are not enforced, they lose their effectiveness, both with employees and in the courts.
2. Why is it desirable to enforce policies through software, where technologically possible?

ANSWER For policies to be effective and valid, they must be enforced. Enforcing a policy through software is the most effective way of ensuring that the policy is being implemented consistently and fairly throughout the organization.
3. You want to install some legacy third-party software on a computer running Windows XP. However, you have been told that this software overwrites some system files with its own versions of the files. Will you be able to install the software? Why or why not?
ANSWER You will not be able to install the software. WFP will detect the change in the system file caused by the installation program and replace the file with the version verified for use in Windows. In order for software vendors to qualify for the Window XP logo, their software must pass some rigid tests, such as not replacing system files.
129
4. Why is it a good idea to restrict the ability to add Web sites to the Trusted and Intranet Security zones?
ANSWER Internet Explorer security is lower for these zones and will generally allow code from the Web sites to be executed. If you restrict the ability to add Web sites to these zones, you reduce some of the threats from malicious Web sites on the Internet.
5. Tools such as Msinfo32.exe and Systeminfo.exe are very good tools for documenting system configurations in a small environment, but they have a number of limitations that make them inappropriate for storing and analyzing information for a large number of systems. In a large environment, you would probably want to use other tools to inventory hardware, software, and system configuration. What limitations make Msinfo32.exe and Systeminfo.exe inappropriate for storing and analyzing information for a large number of systems? What capabilities would you want in tools that can collect hardware and software configuration information for a large number of computer systems?
ANSWER Msinfo32.exe and Systeminfo.exe lack the ability to output information in a format that can be easily imported into a database or spreadsheet for analysis and linking with other information, such as asset tags. In a large environment, you would want inventory software that can automatically query computers and store information in a database. This makes it easier to track assets, monitor software license consumption, and so on.
6. One of your company policies states that employees should not disable the settings in Microsoft Outlook Express that strip dangerous attachments from e-mails. What is the best way to enforce that policy?
ANSWER Use a group policy to prevent employees from changing the option.
130
LAB CHALLENGE 12-1: ENFORCING SECURITY POLICIES BY USING GROUP POLICY

Scenario
You are a network administrator for Contoso Pharmaceuticals. You have authority in the Active Directory directory service to manage an organizational unit for your branch office. You have been asked to create a group policy that will prevent users from changing Internet Explorer configurations. Specifically, the group policy must prevent users from changing the following settings: Privacy settings Trusted Zone settings Advanced Page settings Connection settings Proxy Server settings Automatic Configuration settings History settings Home Page settings One of the challenges in creating the group policy is that computer objects for employee computers are in a different OU from the employee account objects. You do not have administrative control over this OU and cannot change the group policy for that OU. At least one or more of the listed policy settings must be implemented under computer configuration within the group policy. You discussed the issue with your manager, who told you that, where appropriate, you can use group policy to remove the pages from Internet Options in Internet Explorer so that users will not be able to view these settings at all. In fact, she says it is preferable to prevent users from seeing the Internet Options pages that control these configurations. After you complete this challenge, log on as Contoso\Userx and take a screen shot of the Internet Options General tab. Save the screen shot as Ieoptions.bmp in the C:\Lab Manual\Lab 12\Labwork folder. If your instructor requires you to submit the screen shot for evaluation, he or she will provide further instructions.
TIP To take a screen shot, make sure the window element of interest is in the foreground, and then press ALT+PRINT SCREEN to copy the screen shot into the clipboard. Open the Paint program, and then press CTRL+V to paste the screen shot into Paint. Finally, save the .bmp file in Paint with the appropriate name.
131
ANSWER The most efficient way to meet the requirements for this lab challenge is to remove the Security, Privacy, Connections, and Advanced pages from Internet Options. These pages are disabled under \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel. The History and Home Page settings must be disabled under \User Configuration\ Administrative Templates\Windows Components\Internet Explorer. The screen shot should show only the General, Content, and Programs pages. On the General page, the options to change the home page and history settings should be grayed out. The sample screen shot below shows the appropriate configuration after students have successfully completed the lab challenge.
132
LAB 13:
DETECTING AND RESPONDING TO INCIDENTS

EXERCISE 13-1: CONFIGURING AND EXAMINING DEFAULT AUDIT POLICY SETTINGS
9. When the analysis is complete, in the Baseline Tools console, browse to Security Configuration And Analysis\Local Policies, select Audit Policies, and examine the default audit settings in the details pane.
QUESTION What audit settings are enabled on the computer? ANSWER The computer is configured to audit for successful account logon events and for logon events.
10. In the details pane, right-click Audit Logon Events, select Help, and then read the description.
QUESTION What audit settings are necessary to record a logon event on both the workstation and a domain controller when a domain account is used to log on to the domain from the workstation? ANSWER The Audit Account Logon Event and the Audit Logon Events settings must be enabled.
16. In the tree pane, right-click the Security log, select Properties, examine the settings, and then answer the following questions.
QUESTION What is the default maximum size of the Security log? ANSWER The default maximum size is 16,384 KB. QUESTION What will happen if the size of the entries in the Security log reaches the maximum threshold for the size of the log file? ANSWER Given the default configuration, the oldest events will be overwritten by new events.
LAB 13: DETECTING AND RESPONDING TO INCIDENTS
133
EXERCISE 13-2: CONFIGURING AUDITING OF SECURITY LOG ACCESS

3. Right-click the System log, and then click Properties.
QUESTION Can you determine the size of the log files from the Event Viewer interface while logged as Userx? ANSWER If you access the account as a user without administrative permissions, you cannot see the size of the Event logs in the details pane. If you view the properties of the log files, you can determine this information. However, you will not be able to view the specific log file settings, such as the Maximum Log Size.
6. Click OK to clear the warning message, and then select the other logs in Event Viewer.
QUESTION Why can you view other logs, but not the Security log? ANSWER The Security log contains sensitive information that you can access only when you are logged on with administrative credentials.
11. On the Event Properties page, click the down arrow until you reach the bottom of the log file, and then answer the following questions. When you reach the bottom of the log file, an Event Viewer dialog box appears, prompting you to proceed to the beginning of the log file. Select No.
QUESTION What three event categories do you see? ANSWER The three event categories are Privilege Use, Logon/Logoff, and System Event. QUESTION Do you see an event that indicates the Security log was cleared? ANSWER Yes. The System Event records an event ID of 517, indicating the Audit log was cleared.
134
QUESTION Do you see any events indicating the use of the alternative Run As credentials? ANSWER Yes. Event IDs 528 and 552 indicate the use of alternative credentials. QUESTION Do you see any events indicating that a user with nonadministrative credentials attempted to access the Security log? ANSWER No. The initial attempt by the Userx account to access the Security log is not recorded.
14. In the details pane, right-click Audit Privilege Use, select Help, and then read the description of the Audit Privilege Use policy setting.
QUESTION What kinds of events will cause an audit record to be generated in the Security log if you enable the Audit Privilege Use policy setting? ANSWER An audit record will be generated in the Security log when users try to exercise a user right, such as changing the system time or shutting down the computer.
17. On the Audit Privilege Use Properties page, select the Failure check box, and then click OK.
QUESTION You could also enable the Success setting. What is a disadvantage of enabling both Success and Failure? ANSWER Answers will vary. However, a primary disadvantage is that the Security log would record every instance of a user successfully exercising a user right, resulting in large log files that can quickly become unmanageable.
22. Switch to the first instance of Event Viewer, right-click the Security node, and then click Refresh.
QUESTION What event indicates a failed attempt to access the Security log? ANSWER A Failure Audit type of event appears with an Event ID of 578.
135
EXERCISE 13-3: AUDITING LOGON EVENTS TO DETECT INTRUSION ATTEMPTS

2. Switch to Event Viewer, right-click the Security log, and then select Refresh.
QUESTION Does the Security log record the failed logon attempt? ANSWER No. Only successful logon attempts are recorded. QUESTION Given the current audit settings, can you use Security logs to detect intrusion attempts? ANSWER No. The current auditing configuration causes only successful, not failed, logon attempts to be recorded in the Security log. The Security logs can be used to detect intrusion attempts only in the most limited sense with this configuration. The fact that the Security log records the time of the events can be used to infer possible theft of credentials. If successful logons occur at unusual times, you should investigate further. To detect possible intrusion attempts, you must also enable auditing for failed logon attempts.
QUESTION Why is there no record of the failed logon attempt? ANSWER Audit Account Logon events are generated when a domain account is authenticated on a domain controller, or when a local account is authenticated on a local workstation. Because the failed logon attempt occurred on a workstation using a domain account, no record of the failed logon attempt is recorded in the Security log of the local workstation.
QUESTION Is there a record in the Security log that indicates a failed logon attempt? ANSWER Yes. There is a Failure Audit event with an Event ID of 529, indicating a failed logon attempt.
136
EXERCISE 13-4: AUDITING FILE SYSTEM EVENTS

Configuring Audit Settings on a Folder
5. On the SACL-Test Properties page, select the Security tab, click Advanced, and then examine the permission settings on the Advanced Security Settings For SACL-Test page.
QUESTION What permissions are listed in the Permissions column for the Userx account and the Administrators and Users groups? ANSWER The Userx account and the Administrators group have Full Control permissions. The Users group has Read and Execute and Special (Create Files/Write Data and Create Folders/Append Data). QUESTION Can the Userx account configure auditing on folders or files? ANSWER No. The Auditing tab is not visible to the Userx account.
12. In the Internet Explorer browser window, right-click SACL-Test, select Properties, select Security, and then click Advanced
QUESTION What is the difference between the Advanced Security Settings For SACL-Test page you see when you are logged on as an administrative account vs. the page you see when you are logged on as a user account? ANSWER The Auditing tab is visible to the administrative account, but it is not visible to a user account.
137
Testing Audit Settings

7. In Event Viewer, select the Security log, and review the audit events in the details pane. Leave Event Viewer open.
QUESTION Do you see any audit events indicating an attempt to delete the AuditTest file? ANSWER No, you do not see any events indicating an attempt to either access or delete the file.
9. In the Local Security Settings console, browse to Audit Policy, right-click Audit Object Access, select Help, and then read the description.
QUESTION When you define success or failure settings on Audit Object Access, what kind of access is audited? ANSWER When you enable Audit Object Access, you can audit access to any object that has a System Access Control List. These objects include files, folders, printers, and registry keys.
18. Right-click the Security log, select Refresh, and then examine the audit entries in the details pane.
QUESTION How many failure audit events do you see in the Security log that are related to the action of attempting to delete the file? ANSWER You should see as many as eight failure audit events.
19. Double-click the topmost failure audit event related to the attempt to delete the AuditTest file, and then read the description of the audit entry.
QUESTION What is listed in the Accesses field of the description of the failed audit event? ANSWER The Accesses field should list DELETE.
138
20. On the Event Properties page, click the down arrow to examine the descriptions of the audit failures related to the attempted deletion of the file. Pay attention to the Accesses field in each entry. Click Cancel on the Event Properties page when you reach the end of the Failure Audit events.
QUESTION What three kinds of access are listed in the Accesses field for all the entries related to the failed attempt to delete the file? ANSWER The Accesses field records the following kinds of access: DELETE, ReadAttributes, and READ_CONTROL.
23. In Event Viewer, select the Category column to sort the entries by category, locate the first entry that displays Object Access in the Category column, and then scroll down to the final entry that displays Object Access in the Category column.
QUESTION What potential problems for audit log analysis and system resources are indicated by the number of Success Audit entries? ANSWER Since this represents the access of one user, there are too many entries to analyze. Also, based on the number of entries, this means that in a production environment, the Security log would become very large in a short period of time.
Refining File Audit Settings

16. Examine the recent audit entries that were generated for the file and folder access activity of the Studentx account. In Event Viewer, look for the group of entries that display Studentx in the User column. You should see approximately eight Failure Audit events and two Success Audit events grouped together. The current audit settings have limited the number of audit events you see for folder and file access.
QUESTION Do you see any entries indicating that the Studentx account was able to view the contents of the SACL-Test folder? ANSWER No. Auditing has been disabled for all but successful and failed delete attempts in the SACL-Test folder.
139
QUESTION If the SACL-Test folder contained highly sensitive information, would the current audit settings be sufficient? ANSWER Answers will vary, but at the very least you would probably also want to audit for attempts to read and modify the file. However, it is important to keep in mind that excessive auditing will consume system resources and make log files difficult to manage and analyze.
EXERCISE 13-5: EXAMINING ISA SERVER WEB PROXY LOGS

4. In the log file, toward the top, locate the entry that represents a GET request for a file named Default.ida from the ISA Server, and answer the following questions. Throughout this exercise, you might find it helpful to use the Find feature of Notepad from the Edit menu to quickly locate the entries of interest.
QUESTION Does this entry look like a legitimate request? If not, why not? Hint: look at the length of the request. ANSWER The most obvious problem is that the entry is extremely long (approximately 400 bytes). A less obvious problem is that a request is being made for a file (Default.ida) that normally does not exist in the root directory of a Web site. QUESTION Why would an attacker send an excessively long Uniform Resource Locator (URL) to a Web server? ANSWER When an attacker sends an excessively long URL to a Web server, it is likely she is trying to launch a buffer overflow attack. Although buffer overflow attacks differ in their purpose, they are often used to gain administrative permissions on the target computer. QUESTION Was the request successful? Hint: look at the HTTP status code in the sc-status column (the last entry on the line); an HTTP status code of 200 would indicate a successful request. ANSWER No. An HTTP status code of 502 is recorded for the event, and no subsequent traffic is generated as a result.
140
5. In the log file, locate the group of entries that display the IP address of 10.12.209.34 in the C-IP field (the left-most entry on each of the lines), and answer the following questions.
QUESTION What kinds of files do the requests attempt to invoke? ANSWER All the requests attempt to invoke executable files, either Root.exe or Cmd.exe. QUESTION What features of these requests lead you to believe that they represent an attempt to compromise a Web server? ANSWER The requests appear to be following a systematic pattern. For example, they all make requests to invoke an executable file. Furthermore, multiple requests are made to locate the executable file in likely directories, such as C:\Winnt\System32 and D:\Winnt\System32. All of the requests attempt to execute files that are outside of the virtual directories used by the Web site but are on the local hard drive. The requests also target directories that are likely to allow the running of executable files, such as the \Scripts virtual directory. QUESTION A directory traversal attack attempts to invoke executable files that are found on the local hard drive outside of the virtual directories used by the Web site. Does this group of requests represent an attempted directory traversal attack? ANSWER Yes. The \Winnt and \Winnt\System32 directories should never be included in a Web sites virtual directories. QUESTION Was the attempt to compromise the server successful? Hint: an HTTP status code of 200 indicates a successful request. ANSWER No. An HTTP status code of 502 is recorded for all the requests, and no subsequent traffic is generated as a result.
141
6. In the log file, locate the group of entries that displays the internal IP address of 192.168.100.222 in the C-IP field (the left-most entry on each of the lines), and answer the following questions.
QUESTION Based on the scenario that begins this lab exercise, what features of these requests might cause you to believe that an internal computer might have been compromised? Hint: look at the times the requests are being made. ANSWER Requests for an external Web site named Example2.net occur at regular five-hour intervals. Some computers have been left on during the weekend, and the one employee who came in to the office did not access the Internet. The traffic originating from the computer at 192.168.100.222 likely represents an automated request, which at this point cant be explained by applications normally running on workstations and servers. QUESTION Were the requests from the internal computer to the Example2.net Web site successful? ANSWER Yes. A status code of 200 indicates a successful request. QUESTION What information in the log file can you use to do research on the Internet to determine whether the internal computer has in fact been compromised? ANSWER The c-agent field contains the legitimate-sounding name Autoproxy/0.2-test16. If these entries represent requests made by an internal computer compromised by a Trojan horse program or a worm, a search on the name should result in positive hits on security-related Web sites, assuming that the Trojan horse has been known for some time and has been reported.
142
EXERCISE 13-6: COLLECTING INITIAL EVIDENCE AFTER A SECURITY INCIDENT

Using Default Operating System Tools to Collect Evidence
3. At the command prompt, type netstat -a, press ENTER, and then review the contents of the screen output.
QUESTION Why is it a good idea to collect information on the open ports of a suspect computer? ANSWER If the suspect computer is the target of an attack by a remote computer and the attacking computer has a connection with the remote computer, evidence of the connection will appear in the list of open ports. For example, if a Web server has been infected with the Code Red worm, it will try to infect other computers using TCP port 80. Using the netstat -a command after a computer has been infected with this worm will show all port activity. Furthermore, you can identify a number of Trojan horse programs and other attacks by the ports they open on the computer. By viewing the open ports, you might be able to infer the specific attack that is occurring.
8. Type route print > C:\Lab Manual\Lab 13\Labwork\ RoutingTable.txt and then press ENTER.
QUESTION In steps 58, you collected information on the TCP/IP configuration of the target computer. Why is it a good idea to collect this information? ANSWER It is a good idea to collect information on the TCP/IP configuration for two reasons: This information should be considered baseline information and is needed for comprehensiveness. You need to determine if the TCP/IP configuration has been modified as a result of a successful attack.
143
14. Type arp -a C:\Lab Manual\Lab 13\Labwork\ArpCache.txt and then press ENTER.
QUESTION In steps 911, you examined volatile data related to name resolution and IPtomedia access control (MAC) address resolution. What is the purpose of recording this kind of evidence? ANSWER The Domain Name System (DNS) and the NetBIOS name resolution caches might show the DNS and NetBIOS names of computers that the attacker caused the suspect computer to connect to, either to launch a new attack or to transfer data. Likewise, the Address Resolution Protocol (ARP) cache might show IP addresses on the local subnet that the attacker caused the suspect computer to communicate with. In any event, the DNS, NetBIOS, and ARP caches will show evidence of recent communication activity.
18. Type tasklist C:\Lab Manual\Lab 13\Labwork\Tasklist.txt and then press ENTER.
QUESTION Why is it a good idea to collect data on the tasks and the services currently running on the suspect computer? ANSWER If the attacker left a program running on the suspect computer, it might be identifiable through the task list. Also, a number of well-known attacks use services that are disabled by default, such as Trivial File Transfer Protocol (TFTP). By viewing the services, you might be able to determine whether any services are running on the suspect computer that shouldnt be.
Using Windows Resource Kit and Support Kit Tools to Collect Evidence
3. Type c:\lab manual\lab 13\labwork\memsnap.log (with the quotation marks), press ENTER, and then review the information displayed in Notepad.
QUESTION Both Tasklist.exe and Memsnap.exe display information on running tasks. What advantages does Memsnap.exe have over Tasklist.exe? ANSWER Answers will vary. Memsnap.exe displays more detailed information on processes running in memory. The output of Memsnap.exe also includes information on the date and time, operating system build number, and computer name.
144
6. Type srvinfo -d \\computeryy (where yy is the two-digit version of your lab partners student number), press ENTER, and then review the contents of the screen output.
QUESTION The output of the command issued against the local computer and the remote computer differs slightly: the command issued against the local computer shows detailed information related to the network interface adapter and installed protocols. What might account for this difference? Hint: the reason has nothing to do with the fact that one command is issued against a local computer and the other against a remote computer. ANSWER In order to see the additional information, you must use an account that has administrative permissions on the target computer. Your Adminx account does not have administrative permissions on your lab partners computer.
7. Type srvinfo -d > C:\Lab Manual\Lab 13\Labwork\Srvinfo.txt and then press ENTER.
QUESTION Both the Net Start and the Srvinfo.exe commands display information on running services. What advantages does the Srvinfo.exe command have over the Net Start command? ANSWER Answers will vary. The output of the Srvinfo.exe command displays more information than the output of the Net Start.exe command. It can display information on all the installed services whether they are running or not, it displays information about the service drivers, and it displays information about the computer against which the command is run.
8. Type srvcheck \\computerxx (where xx is the two-digit version of your student number), press ENTER, and then review the contents of the screen output.
QUESTION The Srvcheck.exe command enumerates shares and share permissions on local and remote computers. It can be useful to determine, for example, if an attacker has modified share permissions or created new shares. However, Srvcheck.exe does not display all shares on the computer. What shares does it not display? ANSWER It does not display hidden shares. Hidden shares are created by using a $ character at the end of the share name.
145
11. Type dumpel /?, press ENTER, and then note the capabilities of the command.
QUESTION Can you use the command to filter events that occurred within the past 24 hours and pass them to a text file? If so, why would you want to perform this kind of filtering when investigating an incident? ANSWER Yes, you can filter Event logs by a number of criteria, including the event number and time of days. Event logs can grow quite large. If you were creating a record of events, and writing them to a floppy disk, you would want to collect information that could fit on the floppy disk media. You would also want to scope the information to only entries that were relevant to your investigation.
13. Type security.log, examine the contents of the file containing the audit events, and then close Notepad.
QUESTION The results generated by the command-line utilities could also be generated using GUI-based tools found in Windows operating systems. For example, you could use Event Viewer on one computer to connect to the logs on a remote computer and then export those logs to another computer. Why might you use a command-line tool instead of a GUI-based tool? ANSWER Answers will vary. A primary goal in conducting an initial investigation is to leave as light a footprint as possible while collecting relevant information. Command-line tools occupy very little space in memory, as opposed to the GUI-based tools. Command-line tools run quickly and require relatively few resources of the computer on which they run. Furthermore, they are convenient because they are small enough that many of them can fit collectively on a single floppy disk that can be used as a utility disk for the purpose of responding to incidents. They will also work with the Run As command if administrative permissions are required.

1. Why is it important to pay attention to the settings governing the size of log files and when they will overwrite data?
ANSWER The log files contain important information that you can use to detect intrusions and to troubleshoot systems. If the log files fill up and start overwriting events, you might lose information that could help you when you are investigating problems or incidents.
146
2. Every day, an automated process exports log files from computers on your network and places them in a central location. What special considerations should you give to the locations where the log files are stored?
ANSWER Log files should always be protected from unauthorized access. Because altering log files is a way for attackers to cover their tracks and because log files might contain importation information pertaining to attacks and attempted attacks, it is important to make log files as secure as possible. Securing log files includes not only protecting them with file access permissions but also making backup copies of the logs and storing these backups in secure locations.
3. Why is it a good idea to audit successful and failed attempts to read the Security audit log?
ANSWER Access to the Security logs should be strictly controlled. Any activity that indicates failed attempts (or successful attempts that occur at odd times or with unusual accounts) to read the Security log should be treated as suspicious.
4. In reviewing your audit logs, you notice a number of account lockout events (Event ID 539). However, the users whose accounts have been locked out have not made requests to the Help Desk to have the lockout removed. Why havent the users contacted the Help Desk, and what other information should you be paying attention to in analyzing the account lockout audit entries?
ANSWER The most likely reason that users have not contacted the Help Desk is that the account lockout duration is set for a relatively short period of time and that the failed logon attempts are occurring during off hours when the employees are not at work. By the time the employees arrive at work, the lockout period has expired and they are able to log on normally. You should pay attention to the times that the failed logon events and account lockout events occur.
5. Why is it often advisable to selectively limit the audit information that is generated for successful or failed attempts to access a file or folder?
ANSWER Too much information can be as problematic as too little information. If you audit for every possible kind of file and folder access, you generate a large number of events for every access to the file or folder for which you have turned on auditing. When you generate too much information, it can be difficult to separate relevant, important information from trivial and inconsequential information. Furthermore, generating auditing events consumes systems resources (such as memory and disk space). A busy server on which the auditing of files and folders has been enabled indiscriminately would require significant disk space to store the Security
147
logs. You would also run into issues with having to archive the logs on a frequent basis to avoid overwriting potential security violations.
6. You are responsible for making the initial response to a computer security incident. In addition to executing commands to record system information stored in volatile memory, what other activities should you perform to ensure the potential admissibility of evidence you collect in a court of law?
ANSWER Answers will vary. At the very least, you should be keeping a detailed journal of the activities you perform. A bound notebook is the best place to record entries, because this makes it possible to determine if pages have been removed. The entries should include information on the specific actions you perform, the times that you performed the actions, the people you contacted, and so on. Handwritten entries that are signed and dated are best, even if you are using a standard form for recording the details of the incident response. Other activities that could be performed include photographing the computer monitor, the computer, the cables attached to the computer, and the immediate surroundings, as well as labeling and sealing evidence in bags and containers if components are disassembled. It is important that a verifiable chain of custody be established for all the evidence. This means that all evidence must be labeled with information regarding who collected the evidence, the time of collection, and other relevant information. The chain of custody establishes that evidence is trustworthy by providing a history that shows who handled the evidence and how the evidence was collected, stored, transported, and analyzed.
7. You are responding to a computer security incident involving an employee who was abruptly asked to report to Human Resources after i twas discovered she was using her computer in violation of company policies. You have been asked to collect evidence from the computer. When you arrive at the users workstation, you discover that the employees manager powered off the computer and then restarted it in order to log in with his own credentials to discover more details of the employees activities. How has the manager potentially jeopardized the evidence available on the computer and increased the risk for the company?
ANSWER Answers will vary. First, when the computer was powered off and then restarted, any incriminating evidence stored in volatile memory was irrevocably lost. Second, by restarting the computer, the manager exposed the computer to the potential for running commands that could destroy incriminating data (for example, through the RunOnce registry key). Because the data that you can now collect from the computer has been tainted by the managers actions, the company might not have a sufficiently strong legal basis to support its claims against the employee in either a civil or criminal court.
148
8. You are responding to a security incident involving an employees computer after it was discovered that the employee was using his computer for activities prohibited by company policies. You have recorded information stored in volatile memory. Based on your initial investigation, it is likely the employee will be terminated. Before you shut down the employees computer, what additional actions should you take?
ANSWER Answers will vary. If an employees actions have the potential to involve the company in civil or criminal court proceedings, you should take a bit-level image of the hard drive of the employees computer before shutting it down. A backup of the files on the employees computer is probably insufficient because the backup will contain only the information stored in allocated sectors of the hard drive and will miss recoverable information stored in deallocated sectors. Furthermore, it is important to use imaging software that faithfully copies information from unallocated and deallocated hard drive sectors. Commercial disk imaging software might not have this capability, so you should use special forensic disk imaging software.
9. You are the network administrator for Contoso Pharmaceuticals. While performing a daily review of Web Proxy logs on your ISA Server, you notice a suspicious entry that indicates the presence of a Trojan horse program on an internal computer. How should you respond to this incident? To answer this question, select the possible responses from the following list, and put them in the correct order. a. Disconnect the computer from the network. b. Call the CSIRT. c. Power off the computer. d. Start a written journal of your actions. e. Continue reading the log files. f. Consult the companys Incident Response Procedure Guidelines.
ANSWER f, d, e, and b. You should first consult the Incident Response Procedure Guidelines (f). It is important to follow correct procedures. Then, you should start a written journal detailing your actions (d). If the suspected compromise turns out to be real and if civil or criminal action is a possibility, a written journal helps to establish the admissibility of evidence you gather.
149
You should then either continue to read the log files, looking for additional evidence (e), or contact the CSIRT (b). These last two steps can be transposed but need to be performed immediately after starting a written journal of the incident. You might also need to disconnect the computer from the network or power it off. However, you should keep in mind that disconnecting the computer from the network or powering it off risks the loss of evidence; for example, losing Transmission Control Protocol (TCP) connections to remote hosts. The actions you take at this time depend on whether you and the CSIRT determine if the threat is real and the nature of that threat. Ultimately, though, the decision to disconnect the computer or power it off should come from the CSIRT, unless it is an emergency calling for independent action and good judgment on your part.
LAB CHALLENGE 13-1: CONFIGURING AUDIT POLICIES FOR HIGH SECURITY SERVERS AND WORKSTATIONS
You are a network administrator for Contoso Pharmaceuticals. Among your many duties, you are responsible for monitoring a group of servers used by researchers at the company. Much of the data stored on the servers is highly sensitive. You and your manager have been reviewing the audit settings on this group of computers. You have come to the conclusion that, given the sensitive nature of the data, you need to do extensive auditing on these computers to detect any attempts to compromise the computers or the files they contain. Your manager wants you to audit for the following kinds of activity: Any activity related to logging on and off from the workstations using both domain and local accounts Any attempts to modify and delete files or registry settings Use of printers connected to workstations Any attempt to add or modify user or group objects on the local computers Any attempt to modify user rights or audit policies Any attempt by users to exercise user rights Any attempt to shut down or restart computers Because of the critical nature of the data and the importance of the Security logs on these computers, your manager wants you to provide the following configuration for Security logs: Older events in the Security log should never be overwritten by newer events. If the Security log fills up, the computers should shut down automatically.
150
Ensure that the computer does not shut down prematurely as a result of logging many entries to the Security log. Ideally, the maximum size of the log file should be at least twice the default size for the log file. To complete this lab challenge, create a new group policy object named Audit Policies on your Employeesx organizational unit (where x is your student number). Configure the policy settings, take the appropriate screen shots of the policy settings (you will need more than one screen shot), and save the screen shots as C:\Lab Manual\Lab 13\Labwork\LC13-1-x_LastName.bmp (where x is a sequential number starting with 1 representing each of your screen shots and LastName is your last name). Your instructor might want you to submit your screen shots for evaluation. If so, you will be given specific instructions for submitting your screen shots.
ANSWER To successfully complete this lab challenge, you need to create three screen shots showing the appropriate settings. One screen shot shows the Audit Policy settings, a second screen shot shows a single Security Options setting, and a third screen shot shows the Event log settings. The appropriate settings for each of the three group policy objects are listed below. The following Audit Policy settings should be defined in the group policy: Success and failure should be audited for all events, with the exception of Audit Directory Service Access and Audit Process Tracking. For these two events, the policy should be set as Not Defined. A sample answer screen shot is shown below.
151
G13XX06
The following setting should be enabled under the Security Options group policy object: Audit: Shut Down System Immediately If Unable To Log Security Audits.
G13XX07
The following settings should be defined on the Event Log group policy object: Maximum Security Log Size > 32,000 KBs and Retention Method For Security Log = Manually.
G13XX08
152
TROUBLESHOOTING LAB B:
ANALYZING A SECURITY INCIDENT

PART 1: REVIEW
You are a member of Contoso Pharmaceuticals Computer Security Incident Response Team (CSIRT) and are designated as the chief contact. At 8:30 A.M., Dr. Frank Lee, who is one of the companys top researchers and is generally regarded worldwide as a leading expert in his field, phones you to report that some of his research is missing from the RDFL004 file server he uses to store his top secret research data. He is convinced that his research has been deleted by an unauthorized third party, possibly an industrial spy. The RDFL004 file server on which the files were stored is closely monitored, and only Dr. Lee and a handful of other user accounts were able to access the research that was deleted. At 8:35 A.M., you contact Max Benson, the network administrator and team lead who is responsible for the server containing the deleted files. You ask him to perform an immediate but cursory review of the Security logs that were copied by an automated process from RDFL004 to another server that is used to store audit files. The audit files are copied at 6:00 A.M. every morning. You tell Max not to log on to RDFL004 or perform any activity on it until notified. At 8:45 A.M., Max confirms part of Dr. Lees suspicions and reports to you that the Contoso\Sandram user account deleted the files at approximately 2:55 A.M. The user account belongs to Sandra Martinez, a high-profile employee who often acts as a spokesperson for the company. Max also tells you that he observed some unusual entries in the Event log related to failed logons for both the Contoso\Frankle and Contoso\Sandram accounts just before the files were deleted. Although the CSIRT will not rule out the possibility that Sandra Martinez (or any employee of the company, for that matter) did in fact delete the files, the CSIRT believes this is not a very likely possibility. Currently, Ms. Martinez is attending a conference in Europe. Furthermore, the Contoso\Sandram account has, according to your documentation, no administrative permissions on the server that contained the deleted files. Also, the team believes that Ms. Martinez lacks the in-depth knowledge required to elevate the permissions for her account so that it could delete the files.
TROUBLESHOOTING LAB B: ANALYZING A SECURITY INCIDENT
153
The CSIRT team has put you in charge of investigating whether a security breach has occurred. At 9:00 A.M., you begin your investigation by interviewing Max Benson, who provides you with the following information: Late yesterday, a Web server named CPSRV006 had to be rebuilt. This server is used as a Web server for business-to-business (B2B) transactions. Max notes that Amy Rusko, who is a member of his team and is responsible for performing security audits and applying patches, had to leave work suddenly this morning to deal with a family emergency. She was supposed to ensure that the rebuilt server passed a Microsoft Baseline Security Analyzer (MBSA) audit. Max has just received an e-mail from Amy regarding the MBSA audit she performed just before she had to leave the office. The e-mail contained the most recent change log for CPSRV006, which also showed the results of the MBSA audit. Because Max had to provide an initial response to Dr. Lees incident report this morning, he hasnt had time to read the e-mail or look at the change log. Max reports that he might have lost an old network diagram of the Contoso head office. A couple of days ago, he was working on a new network diagram. He placed the old network diagram among the papers stacked on his desk. When it occurred to him to shred the old diagram, he couldnt find it. At the time, he assumed he had just misplaced it and that it would turn up eventually. But now he wonders whether he threw it out or if someone took it from his desk. Given the events of this morning, he is quite concerned that he doesnt know what happened to the network diagram. Because of this initial information from Max, you decide to widen your investigation to include the recently rebuilt Web server (CPSRV006) in addition to the Internet Acceleration and Security (ISA) Server firewall, the domain controller, and the server where the files disappeared.
PART 2: TROUBLESHOOTING SETUP

Because this is not a hands-on lab, no troubleshooting setup is required.
PART 3: TROUBLESHOOTING
This lab requires you to analyze a number of log files to determine the cause and extent of the attack that occurred against the Contoso network and computer systems. After analyzing the log files, you will formulate an appropriate response to the attack and answer a series of questions related to the lab. You will record your findings and respond to the lab questions in a file named Troubleshooting Lab B Worksheet.doc, which is found in the C:\Lab Manual\TroubleshootingLabB folder.
154
Depending on your instructor, this lab can be performed individually, in small groups, or as the basis for a classroom discussion. To view the log files for this lab, open Windows Explorer and browse to C:\Lab Manual\TroubleshootingLabB. You will see a number of folders that contain log files relating to the incident described in the scenario above. The names and descriptions of the log files are listed in Table B-1.
Table B-1 Log File Content Matrix Log Filename Content
Cpsrv006_changelog.rtf Mbsa-cpsrv006.rtf Cpsrv006-20020214.txt Dc-chi-01-20020214.txt Rdfl004-20020214.txt IPPEXTD20020214.log Netstat-cpsrv006-020214.log Tw-rdfl004-20020214.txt
Manually maintained change log MBSA log for CPSRV006 Security log for CPSRV006 Security log for DC-CHI-01 Security log for RDFL004 ISA Server log Netstat log File integrity checker log for RDFL004
In the C:\Lab Manual\TroubleshootingLabB folder, you will also find a number of other files to help you complete the lab. These files are listed in Table B-2.
Table B-2 Supporting Files Filename Content
Contoso Network Diagram.gif How Assets Are Attacked.doc Security Log Review Procedure.doc Things To Look For In Log Files.doc Troubleshooting Lab B Worksheet
Contoso network diagram A summary of exploits that can be used against computer systems A document that explains Contosos official procedures for reviewing log files A document that provides information on useful strategies for analyzing log files A worksheet containing forms and questions that you complete as part of this lab
To complete this lab, use WordPad to open the file named Troubleshooting Lab B Worksheet.doc. (Because you will need to make entries in a Microsoft Word table, a better alternative is to use Word if it is available. Your instructor can tell you if either application is available.) Troubleshooting Lab B Worksheet.doc consists of four parts, with the first three parts representing typical kinds of documentation you would create when responding to a computer security incident.
155
The first part consists of a table representing journal entries you would make while investigating and responding to an incident. The second part is a table that you complete to show a summary of the log entries that are relevant to the incident. The purpose of this table is to provide a kind of index to the entries in the log files and to show the relationship between events in different log files by grouping the related events together. The third part is an incident response form that you fill in once you have investigated and responded to the incident. To complete this form, you will need to formulate a hypothetical response to the scenario incident. Because this is a scenario-based exercise, you might not be able to fill in all the fields in the form. However, you should provide as much accurate detail as you can, according to the scenario. For example, the form should accurately list the type of attack and the classification of data involved. The fourth part consists of a series of questions that you answer after completing your investigation. Please answer the questions in the worksheet itself. The questions in the worksheet are listed in Part 4, Troubleshooting Lab B Questions, to provide you with some additional guidance in completing this lab. In fact, you might want to consider the questions as you examine the logs, because the questions might help you in your analysis. When you have completed the worksheet, save it as C:\Lab Manual\ TroubleshootingLabB\Labwork\TBLB_YourLastName.doc. If your instructor wants you to submit this worksheet for evaluation, he or she will explain how to do so. Documentation is crucial. You will be evaluated not only on your ability to correctly identify the problems that were introduced and their solutions, but also on the process you used to identify the problems and the solutions.
PART 4: TROUBLESHOOTING LAB B QUESTIONS

1. How did the attacker first gain entry to the network?
ANSWER The attacker exploited a vulnerability on the newly rebuilt Web server, CPSRV006, to launch a directory traversal attack. By performing a directory traversal attack, the attacker was able to run executable files that exist outside the Web virtual directories. The attacker was then able to use the compromised Web server to launch attacks against the RDFL004 server and the domain controller (compromising a weak password).
156
2. Did the missing network diagram play a role in the attack?

ANSWER It is quite possible the missing network diagram played a role. CPSRV006 is multihomed and has a connection to both the internal network and the demilitarized zone (DMZ). However, there is evidence that the attacker ran Ipconfig on CPSRV006 and discovered that the computer was multihomed. The attacker would not have needed the map, but it certainly would have been useful.
3. According to the Security log file for CPSRV006, what executable files were run by the attacker? Hint: search the file for the .exe text string.
ANSWER Excluding .dll files, the files are Inetinfo.exe, Cmd.exe, Nc.exe, Net.exe, and Ftp.exe.
4. According to the Security log file for CPSRV006, what two text files were created by the attacker? Hint: search the file for the .txt text string.
ANSWER The attacker created two text files: Clist.txt and Ipconfig.txt.
5. What protocol did the attacker use to transfer files? What log files show evidence of the protocol that was used? Hint: knowing the Transmission Control Protocol (TCP) ports for common protocols will help you answer this question.
ANSWER The attacker used FTP to transfer the files. You can see the evidence of FTP use in the CPSRV006 Security log, the CPSRV006 Netstat log, and the ISA Server log. FTP uses TCP ports 20 and 21.
6. According to the tripwire log for RDFL004, what files were modified or added?
ANSWER The attacker modified Explorer.exe and Taskman.exe. The attacker then added files named Server.exe and Subseven2.2b.zip.
7. According to the Security log file for RDFL004, what executable files did the attacker run?
ANSWER The attacker launched Pkzip.exe and Server.exe.
157
8. Considering your response to question 7, are there entries in other log files that correspond to the running of one of these executable files?
ANSWER Yes. The ISA Server log shows outbound traffic destined for a remote host using TCP port 27374 at the same time. The Netstat log for CPSRV006 also shows that this port is in an established state with a remote host. Port 27374 is associated with a number of well-known Trojan horses, including SubSeven, BadBlood, Ramen, and others.
9. What lapses in procedure allowed the attack to occur?

ANSWER CPSVR006 was put online before patches were installed, and a network diagram was possibly lost.
10. What format is used to generate user names at Contoso pharmaceuticals? That is, how is a persons name used to create a user name? Are user names easy to guess?
ANSWER The user name is a combination of the first name and one or two initials of the last name. Yes, user names are easy to guess.
11. Should Contoso review its password complexity requirements?

ANSWER Yes. Sandra Martinezs password was guessed in fewer than three attemptsit must have been a weak password.
12. What should Contosos responses be to the intrusion? For example, should they power off the servers, contact other individuals, or discipline employees?
ANSWER At the very least, they should disconnect RDFL004 and CPSRV006 from the network, because these servers are compromised. Next, they might want to consider contacting law enforcement agencies and consider hiring a forensics specialist to ensure the proper collection of evidence. Once evidence has been collected, the hard drives of the computers should be wiped and a new instance of the operating system and applications installed. According to the change logs, an employee named Pat Coleman rebuilt the server and put it online without applying patches. At the very least, a supervisor needs to talk to Pat about the dangers of putting a server into production before it has had up-to-date and approved patches applied to it. RDFL004 might also have
158
lacked patches, and this issue needs to be addressed. Max Benson might have to answer for his carelessness with the network diagram. Also, network passwords should be changed, users need to be educated about the need for complex passwords, and password complexity should be enforced through group policy.
13. What should Contoso do to enhance security and prevent similar attacks from taking place in the future?
ANSWER They should strengthen their policies and procedures with regard to security audits and patches. They should not allow multihomed configurations to be implemented on computers in the DMZ. They should implement strict rules on the internal firewall to control communication between internal hosts and hosts in the DMZ. They should enforce password complexity requirements using group policy. For high security servers, they might want to consider implementing the Internet Protocol Security (IPSec) Require Security policy, which would have prevented the attack on RDFL004 entirely. Also, a number of security-related procedures probably werent properly followed. Procedure and policy documents should be reviewed. Training and education will help address any gaps between the procedure and policy documents and the behavior of end users and computer support staff. In general, the organization needs to practice defense-in-depth as much as possible to mitigate risk. Defense-in-depth means that a layered approach is used to provide security and that defense against a particular threat or set of threats does not rely on a single countermeasure. For example, a firewall might have the capability to drop HTTP packets that attempt to exploit a buffer overflow vulnerability. However, the Web servers behind the firewall should also be patched to ensure that the risk of a buffer overflow attack is mitigated. Patching servers implies that processes and procedures are put in place to ensure that critical patches are applied in a timely and consistent manner. This means that administrators need to be well acquainted with those policies and procedures and to be knowledgeable about security and the technology they deal with. Having knowledgeable network administrators implies that the company provides adequate training and also follows sound hiring practices to ensure (as much as possible) that new employees have appropriate knowledge and are trustworthy. In other words, for a defense-in-depth security strategy to be effective, it must focus on technology, operations, and people. Weakness in any one of these areas could have serious consequences.
159
To sum up, the organization needs to ensure that it has Appropriate technological countermeasures (such as firewalls, intrusion detection systems, and virus checkers) Good corporate security policies, procedures, and guidelines that are fully supported by all levels of management and communicated effectively and appropriately to all staff Well-informed and security-conscious users as well as knowledgeable and well-trained network administrators NOTE Please see the Lab Notes on the Instructor CD for a detailed analysis of the log files and suggestions for evaluating the exercise.

Security+ Lab Answers

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Security+ Lab Answers

Uploaded by

Copyright:

Available Formats

LAB ANSWERS:

LAB ANSWERS: SECURITY+ CERTIFICATION

EXAMINING SECURITY THREATS AND VULNERABILITIES

EXERCISE 1-2: IDENTIFYING THREATS, VULNERABILITIES, AND DEFENSES AGAINST ATTACKS

LAB 1: EXAMINING SECURITY THREATS AND VULNERABILITIES

Account security Antivirus software

Security policies Software updates

LAB ANSWERS: SECURITY+ CERTIFICATION

ANSWER Possible answers if the attacker is a rival:

Security policies; physical security

Secure baselines; proper configuration; intrusion detection software

Security policies; user education; password security

Possible answers if the attacker is an animal rights activist.

Weak passwords; insecure baseline configuration; misconfigured Web server

Password security; secure baseline configuration; proper Web server configuration

LAB 1: EXAMINING SECURITY THREATS AND VULNERABILITIES

EXERCISE 1-3: CALCULATING RISK

LAB ANSWERS: SECURITY+ CERTIFICATION

EXERCISE 1-4: CLASSIFYING ATTACKS AND IDENTIFYING DEFENSIVE MEASURES

LAB 1: EXAMINING SECURITY THREATS AND VULNERABILITIES

ANSWER Possible answers include the following:

Physical Trojan horse

Denial of service (DoS) attack

Software patch; proper configuration

LAB ANSWERS: SECURITY+ CERTIFICATION

EXERCISE 1-5: APPLYING BASIC SECURITY GUIDELINES

LAB 1: EXAMINING SECURITY THREATS AND VULNERABILITIES

LAB REVIEW QUESTIONS

2. What is the difference between a passive attack and an active attack?

4. What do social engineering attacks target: computers, users, applications, or networks?

LAB ANSWERS: SECURITY+ CERTIFICATION

5. What do spoofing attacks target: computers, users, applications, or networks?

LAB CHALLENGE 1-1: COMPARING QUALITATIVE AND QUANTITATIVE RISK ANALYSIS

LAB 1: EXAMINING SECURITY THREATS AND VULNERABILITIES

LAB ANSWERS: SECURITY+ CERTIFICATION

ESTABLISHING AND MAINTAINING BASELINE SECURITY

Testing the Security Template Configuration

LAB 2: ESTABLISHING AND MAINTAINING BASELINE SECURITY

5. In the details pane, click Telnet.

9. Attempt to shut down the computer.

LAB ANSWERS: SECURITY+ CERTIFICATION

LAB 2: ESTABLISHING AND MAINTAINING BASELINE SECURITY

LAB REVIEW QUESTIONS

LAB ANSWERS: SECURITY+ CERTIFICATION

LAB CHALLENGE 2-1: AUTOMATING MBSA SCANS

LAB 2: ESTABLISHING AND MAINTAINING BASELINE SECURITY

LAB ANSWERS: SECURITY+ CERTIFICATION

MONITORING AND MAINTAINING ACCOUNT AND ACCESS CONTROL SECURITY

LAB 3: MONITORING AND MAINTAINING ACCOUNT AND ACCESS CONTROL SECURITY

EXERCISE 3-2: EXAMINING AND CHANGING ACCOUNT SECURITY

LAB ANSWERS: SECURITY+ CERTIFICATION

review the settings in the details pane.

Viewing and Modifying the Local Security Policy

LAB 3: MONITORING AND MAINTAINING ACCOUNT AND ACCESS CONTROL SECURITY

Managing Local Accounts and Viewing Security Logs

LAB ANSWERS: SECURITY+ CERTIFICATION

EXERCISE 3-3: CONFIRMING ACCOUNT SECURITY CONFIGURATION CHANGES

EXERCISE 3-4: USING ALTERNATE CREDENTIALS TO PERFORM ADMINISTRATIVE TASKS

LAB 3: MONITORING AND MAINTAINING ACCOUNT AND ACCESS CONTROL SECURITY

16. Double-click a number of recent entries in the Security log.

EXERCISE 3-5: INSTALLING WINDOWS 2003 ADMINISTRATION TOOLS PACK

LAB ANSWERS: SECURITY+ CERTIFICATION

EXERCISE 3-6: EXAMINING ACTIVE DIRECTORY ACCESS CONTROL LISTS

6. Type cipher /a /e c:\encrypted folder\. and then press ENTER.