IS3340 Unit 8 Assignment 1: Policy for Securing Windows Environment

Learning Objectives and Outcomes
You will learn about the policy required for securing client and server applications in a Windows environment.

Assignment Requirements
Securing Windows applications requires hardening each application to protect it from potential vulnerabilities. Your job is to select an appropriate control to address each anticipated vulnerability. You have been given the task of reviewing security policy and recommending appropriate security controls to respond to vulnerabilities the security team has identified for the new enterprise resource planning (ERP) software. You can select from a list of security controls to detect or prevent each stated threat. For each vulnerability, you should select the best control to ensure Ken 7 Windows Limited fulfills the stated requirements to secure its application software.

Select from these security controls:
a. Place a firewall between the Internet and your Web server.
b. Place a firewall between your Web server and your internal network.
c. Remove the mail server service.
d. Require encrypted connections for all remote ERP clients.
e. Apply the latest security patches.
f. Use a packet sniffer to view the contents of network packets.
g. Require all personnel to attend a lunch and learn session on updated security policies.

Identified ERP software vulnerabilities:
1. The ERP software vendor reports that some customers have experienced denial-of-service (DoS) attacks from computers sending large volumes of packets to mail servers on the Web server computers.
   (a) Place a firewall between the Internet and your Web server
   (c) Remove the mail server service
2. Users that leave their workstations logged in during long durations of inactivity could allow attackers to hijack their session and impersonate them in the application.
   (g) Require all personnel to attend a lunch and learn session on updated security policies
3. Attackers with packet sniffers and proxy software could potentially intercept exchanges of private data.
   (d) Require encrypted connections for all remote ERP clients
4. Four software vulnerabilities in previous ERP software versions could allow attackers to escalate their permissions and assume administrator privileges.
   (e) Apply the latest security patches
Presentation transcript: "Unit 4 NT1330 Client-Server Networking II, Date: 1/13/2016"

1 Unit 4 NT1330 Client-Server Networking II, Date: 1/13/2016
ITT Technical Institute, NT1330 Client-Server Networking II. Date: 1/13/2016. Instructor: Williams Obinkyereh
2 Class Agenda 1
Learning Objectives
Lesson Presentation and Discussions.
Discussion on Assignments.
Discussion on Lab Activities.
Break Times: a 10 minute break every hour.
Note: Submit all assignments and labs due today.

3 Class Agenda 2
Theory: Unit 4: Working with Active Directory Sites (6:00pm - 8:00pm), Classroom Th 5
Unit 4. Lab 1. Working with Active Directory Sites (8:15pm - 11:00pm), Classroom Lab 1
4 Working with Active Directory Sites
5 Skills Matrix
Technology Skill                          | Objective Domain                       | Objective #
Introducing Active Directory Sites        | Configure sites                        | 2.3
Configuring Active Directory Replication  | Configure Active Directory replication | 2.4
6 Logical Versus Physical Structure
Logical: Forest, Trees, Domains, OUs, Leaf objects
Physical: IP subnets/Sites, Domain controllers
Logical is how we look at and organize resources. Physical is what the network actually looks like.
7 Forest Root Domain
The first domain created is the forest root and is referred to as the forest root domain.
It is imperative to the functionality of AD; if it disappears, the entire structure ceases to operate.
Functions the forest root domain usually handles:
DNS server
Global catalog server
Forestwide administrative accounts (the Enterprise Admins and Schema Admins groups exist only here)
Operations masters
MCTS Windows Server 2008 Active Directory
9 Forest Root Domain (cont.)
10 Understanding Sites
An AD site represents a physical location where DCs are placed and group policies can be applied.
The first DC of a forest creates a site named Default-First-Site-Name once installed.
Three main reasons for establishing multiple sites:
Authentication efficiency (clients locate a DC in their own site instead of across the WAN)
Replication efficiency
Application efficiency (site-aware applications such as DFS locate a nearby server)
Sites are created using Active Directory Sites and Services.
11 Understanding Sites (cont.)
12 Site Components
Subnets: Each site is associated with one or more IP subnets, and a subnet can only be associated with a single site.
Site Links: A site link is needed to connect two or more sites for replication purposes. Site links determine the replication schedule and frequency between sites.
Bridgehead Servers: Intersite replication occurs between bridgehead servers. One DC in each site is designated as the Inter-Site Topology Generator (ISTG), which then designates a bridgehead server to handle replication for each directory partition.
13 Active Directory Sites
Sites are defined by IP subnets that are well connected, which means that the network infrastructure between them is fast and reliable.
In most cases, an Active Directory site will map to a single LAN.
Multiple sites are joined together by site links.
Intersite replication takes place along the site links you define within Active Directory Sites and Services.
14 Site Links
The intersite replication topology is determined by the cost value associated with each site link.
16 Active Directory Replication
Replication is the process of maintaining a consistent database of information when the database is distributed among several locations.
Intrasite replication: replication between domain controllers in the same site.
Intersite replication: replication between two or more sites.
Multimaster replication: used by AD for replicating AD objects; any writable DC can accept a change and replicate it to the others.
Knowledge Consistency Checker (KCC): runs on all DCs. It determines the replication topology, which defines the domain controller path that AD changes flow through, and ensures that no more than three hops exist between any two DCs within a site.
17 Active Directory Replication
Remember:
Intra means internal, such as an intranet (your own network).
Inter means external, such as the Internet (a conglomeration of networks).
Emphasize that if replication is internal (intrasite), it should be as fast as possible: changes are sent uncompressed, on change notification, directly to every partner in the site.
If it is external (intersite), going over the WAN, it is slower to save bandwidth: traffic is compressed and sent on the site link schedule. A bridgehead server is also beneficial, so that only one DC per site talks across the link.
18 Active Directory Replication (cont.)
19 Active Directory Replication
Replication is the process of duplicating Active Directory information between domain controllers for the purposes of fault tolerance and redundancy.
Active Directory sites are the means by which administrators control replication traffic.
Whatever changes are made on one domain controller are sent to the other domain controllers.
20 Understanding the Replication Process
Replication within Active Directory occurs when one of the following conditions is met:
An object is added to or removed from Active Directory.
The value of an attribute has changed.
The name of an object has changed.
21 Active Directory Replication
22 Knowledge Consistency Checker (KCC)
Each domain controller runs an internal process called the Knowledge Consistency Checker (KCC), which maps the logical replication topology between the domain controllers and creates the connection objects that replication follows.
23 Viewing Active Directory Connection Objects
Open the Active Directory Sites and Services MMC snap-in.
Expand the Sites folder, select the desired site, and then expand the Servers folder.
Expand the server whose connection objects you wish to view, then expand NTDS Settings; the inbound connection objects are listed beneath it.
Right-click NTDS Settings and click Properties to see the same connections on the Connections tab.
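The same information from the command line, as an added example that is not part of the original slides: it lists every KCC-generated connection object and each site's ISTG with the ActiveDirectory PowerShell module (Windows Server 2012 or later, not the 2008 MMC the slides show). The DC and site names are assumptions.

```powershell
# Added example (not from the NT1330 slides): enumerate connection objects
# and ISTGs from PowerShell instead of the Sites and Services MMC.
# Requires the ActiveDirectory module (RSAT). DC01 and site HQ are assumed.
Import-Module ActiveDirectory

# One line per inbound connection object: which DC replicates from which.
# AutoGenerated = True means the KCC created it; False means an administrator
# created it by hand, which is worth reviewing because manual connections are
# not cleaned up when the KCC recomputes the topology.
Get-ADReplicationConnection -Filter * |
    Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer, AutoGenerated |
    Format-Table -AutoSize

# The ISTG for each site, i.e. the DC that chooses the bridgehead servers.
Get-ADReplicationSite -Filter * -Properties InterSiteTopologyGenerator |
    Select-Object Name, InterSiteTopologyGenerator

# Intersite connections only, as seen from DC01 (assumed to live in site HQ):
# the source is an NTDS Settings DN, so anything not under CN=HQ is remote.
Get-ADReplicationConnection -Filter * -Server "DC01.corp.example.com" |
    Where-Object { $_.ReplicateFromDirectoryServer -notlike "*CN=HQ,CN=Sites,*" } |
    Select-Object Name, ReplicateFromDirectoryServer, AutoGenerated
```

Run it from a DC or a management workstation as a user who can read the Configuration partition; no changes are made.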
24 Viewing Active Directory Connection Objects
25 Viewing Active Directory Connection Objects
26 Creating a New Site
In Active Directory Sites and Services, right-click the Sites folder and select New Site.
In the New Object - Site dialog box, key the name for the site based on your plan.
Select DEFAULTIPSITELINK from the list of site link objects and click OK to complete the site creation.
Show how to create a site.

27 Creating a New Subnet
In Active Directory Sites and Services, right-click the Subnets folder.
Select New Subnet from the menu.
In the New Object - Subnet dialog box, enter the prefix (the IP address and subnet mask, in CIDR form such as 10.10.0.0/16) that corresponds to the segment in your design.
Select the site you wish to associate with this subnet and click OK.
Show how to create a new subnet.
28 Creating a New Subnet
29 Configuring Intersite Replication
Cost
Allows the administrator to define the path that replication will take.
If more than one path can be used to replicate information, cost assignments determine which path is chosen first.
A lower cost value is chosen over a higher cost value.
Cost values range from 1 to 99,999 (a new site link defaults to 100).
Values are chosen by the Active Directory administrator and are meaningful only relative to one another.
30 Configuring Intersite Replication
Schedule
The schedule of the site link object determines when the link is available to replicate information.
By default, newly created site link objects are available for replication 24/7, with a replication interval of 180 minutes.
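The site, subnet and site link steps above, scripted end to end as an added example (not code from the slides): it builds two branch sites and their subnets, links each to the hub with a different cost and frequency, and restricts the slower link to an overnight window. It uses the ActiveDirectory module (Windows Server 2012 or later); the site names, prefixes, costs and the 20:00-23:45 window are assumptions.

```powershell
# Added example (not from the NT1330 slides): the MMC steps for sites,
# subnets and site links done with the ActiveDirectory module.
# All names, prefixes, costs and times below are illustrative assumptions.
Import-Module ActiveDirectory

# 1. Sites for two branch offices. Default-First-Site-Name already exists
#    and holds the first DC; it acts as the hub here.
New-ADReplicationSite -Name "Branch-Denver"
New-ADReplicationSite -Name "Branch-Austin"

# 2. Subnets in CIDR form; each subnet maps to exactly one site.
#    A client whose address is in no subnet here is not site-aware: it may
#    authenticate against a DC across the WAN, and the DC logs Netlogon
#    event 5807 in the System log to tell you so.
New-ADReplicationSubnet -Name "10.10.0.0/16" -Site "Branch-Denver"
New-ADReplicationSubnet -Name "10.20.0.0/16" -Site "Branch-Austin"

# 3. Site links. Cost: lower is preferred when more than one path exists
#    (1..99999, default 100). Frequency: how often the link replicates inside
#    its schedule (default 180 minutes). Both branches hang off the hub, so
#    Denver<->Austin changes travel through Default-First-Site-Name.
New-ADReplicationSiteLink -Name "HQ-Denver" `
    -SitesIncluded "Default-First-Site-Name","Branch-Denver" `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP

New-ADReplicationSiteLink -Name "HQ-Austin" `
    -SitesIncluded "Default-First-Site-Name","Branch-Austin" `
    -Cost 200 -ReplicationFrequencyInMinutes 60 -InterSiteTransportProtocol IP

# 4. Limit the slower Austin link to 20:00-23:45 daily instead of the
#    default 24/7 availability. ResetSchedule() clears every slot first.
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.ResetSchedule()
$schedule.SetDailySchedule(
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Twenty,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::TwentyThree,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::FortyFive)
Set-ADReplicationSiteLink -Identity "HQ-Austin" -ReplicationSchedule $schedule

# 5. Review what was built: every link, its cost, interval and member sites.
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
```

Changes to site links take effect the next time each site's ISTG runs the KCC (every 15 minutes by default); `repadmin /kcc` forces that on a given DC.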
31 Replication Protocol
For both intrasite and intersite replication, Active Directory uses Remote Procedure Calls over Internet Protocol (RPC over IP) by default for all replication traffic.
RPC is commonly used to communicate with network services on various computers, whereas IP is responsible for the addressing and routing of the data.
RPC over IP replication keeps data secure while in transit by using both authentication and encryption.
Explain RPC.
Remote procedure call (RPC) is an inter-process communication technology that allows a computer program to cause a subroutine or procedure to execute in another address space (commonly on another computer on a shared network) without the programmer explicitly coding the details for this remote interaction. That is, the programmer would write essentially the same code whether the subroutine is local to the executing program

32 Replication Protocol
Simple Mail Transfer Protocol (SMTP) is an alternative for intersite replication when a direct or reliable IP connection is not available.
SMTP cannot replicate the domain directory partition; it carries only the schema and configuration partitions and global catalog updates.
It requires an enterprise certification authority (CA) that is fully integrated with Active Directory, because the mail messages are signed and encrypted with certificates.

33 Replication Protocol
Unlike RPC over IP, SMTP does not adhere to site link schedules and should be used only when replicating between different domains over an extremely slow or unreliable WAN link.
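One practical consequence of "RPC over IP for all replication traffic" that the slides do not spell out: a firewall between two sites must pass the RPC endpoint mapper and a dynamic RPC port unless the directory service is pinned to a fixed port. The following is an added example, not from the slides, showing the documented registry value for that and the check a practitioner runs afterwards; port 50000 and the DC name are assumptions.

```powershell
# Added example (not from the NT1330 slides): what an intersite firewall has
# to allow for RPC-over-IP replication, and how to pin the directory service
# RPC port so the firewall rule can be narrow. Port 50000 and DC02 are assumed.
#
# Default behaviour: a replication partner contacts the RPC endpoint mapper
# on TCP 135 and is handed a dynamic port, which on Windows Server 2008 and
# later is allocated from 49152-65535. Opening that whole range is a wide rule.

# Pin NTDS to a fixed port. This is the documented "TCP/IP Port" value under
# the NTDS service key; it takes effect after the DC reboots and must be set
# on every DC that replicates through the firewall.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
Set-ItemProperty -Path $ntds -Name 'TCP/IP Port' -Value 50000 -Type DWord

# Confirm the value is in place before rebooting.
Get-ItemProperty -Path $ntds -Name 'TCP/IP Port'

# After the reboot the DC-to-DC rule for replication itself is only:
#   TCP 135    RPC endpoint mapper
#   TCP 50000  directory service RPC (the pinned port)
# (Kerberos, LDAP, DNS and SMB are still needed for normal DC operation.)
# From a partner DC, check that the pinned port answers through the firewall:
Test-NetConnection -ComputerName "DC02.corp.example.com" -Port 50000
```

If `Test-NetConnection` reports `TcpTestSucceeded : False` while TCP 135 works, the firewall is still blocking the pinned port and `repadmin /showrepl` on the partner will show the link failing with an RPC error.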
34 Summary of Replication Methods
35 Monitoring Replication
36 Dcdiag
A command-line tool used for monitoring Active Directory.
Performs connectivity and replication tests, reporting errors that occur.
Reports DNS registration problems.
Analyzes the permissions required for replication.
Analyzes the state of domain controllers within the forest.
Demonstrate Dcdiag. While demonstrating, you can increase the command prompt window font size.
37 Repadmin
A command-line tool used for the following:
To view the replication topology from the perspective of each domain controller.
To manually create a replication topology if site link bridging is disabled because the network is not fully routed.
To force replication between domain controllers when you need updates to occur immediately without waiting for the next replication cycle.
To view the replication metadata, which is the combination of the actual data and the up-to-date vector or USN information. This is helpful in determining the most up-to-date information prior to seizing an operations master role.
Also demonstrate this.
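The Dcdiag and Repadmin demonstrations the two slides above call for, written out as an added example (not the instructor's own commands): the checks map one to one onto the bullets, and the PowerShell cmdlets at the end are the ActiveDirectory-module equivalents on Windows Server 2012 or later. The DC name DC01 and the domain corp.example.com are assumptions. The attribute metadata at the end is also what a responder uses to find which DC originated a change, for example to a privileged group.

```powershell
# Added example (not from the NT1330 slides): the dcdiag/repadmin checks for
# watching replication, plus their PowerShell equivalents. DC01 and
# corp.example.com are assumed names.

# Health of one DC: connectivity, replication, DNS registration and the
# KCC event log, i.e. the tests the Dcdiag slide lists.
dcdiag /s:DC01 /test:Connectivity /test:Replications /test:NetLogons /test:KccEvent
dcdiag /s:DC01 /test:DNS /DnsBasic

# Replication status as each DC sees it. /replsummary is the quick
# forest-wide view (largest delta, failure count per DC); /showrepl lists
# every inbound partner with last attempt, last success and result.
repadmin /replsummary
repadmin /showrepl DC01 /verbose

# Force replication now instead of waiting for the next cycle.
# /A all partitions, /d show servers by DN, /e cross site boundaries, /P push.
repadmin /syncall DC01 /AdeP

# Replication metadata for one object: per-attribute version, USN and the
# originating DC. Compare this across DCs before seizing an operations
# master role, or to find which DC an unexpected change came from.
repadmin /showobjmeta DC01 "CN=Administrator,CN=Users,DC=corp,DC=example,DC=com"

# PowerShell equivalents from the ActiveDirectory module.
Import-Module ActiveDirectory
Get-ADReplicationFailure -Target "corp.example.com" -Scope Domain
Get-ADReplicationPartnerMetadata -Target DC01 |
    Select-Object Server, Partner, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures
Get-ADReplicationAttributeMetadata -Object "CN=Administrator,CN=Users,DC=corp,DC=example,DC=com" -Server DC01 |
    Select-Object AttributeName, Version, LastOriginatingChangeTime, LastOriginatingChangeDirectoryServerIdentity
Get-ADReplicationUpToDatenessVectorTable -Target DC01
```

A non-zero `ConsecutiveReplicationFailures` on a partner that `/replsummary` also flags is the usual starting point; `/showrepl` then gives the RPC or DNS error behind it.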
38 Summary
You learned how to define and manage sites and site links.
You learned how to determine a site strategy based on the physical network infrastructure.
You learned how to use Active Directory Sites and Services to configure replication.

39 Unit 4 Assignments
Unit 4. Assignment 1. AD Design Replication Scenario
Unit 4. Exercise 1. Site-to-Site Connectivity Scenario

40 Unit 4 Lab
Unit 4. Lab 1. Working with Active Directory Sites