Disegno di una Rete Sicura con Microsoft Windows 2000

Designing a Secure Microsoft Windows 2000 Network

Course 2150 · Five days · Instructor-led

This course provides students with the knowledge and skills necessary to design a security framework for small, medium, and enterprise networks by using Microsoft®

Windows® 2000 technologies. This course contains four units that describe the securing of specific areas of the network:

· Unit 1, Providing Secure Access to Local Network Users

· Unit 2, Providing Secure Access to Remote Users and Remote Offices

· Unit 3, Providing Secure Access Between Private and Public Networks

· Unit 4, Providing Secure Access to Partners

At Course Completion

At the end of the course, students will be able to:

· Identify the security risks associated with managing resource access and data flow on the network.

· Describe how key technologies within Windows 2000 are used to secure a network and its resources.

· Plan a Windows 2000 administrative structure so that permissions are granted only to appropriate users.

· Plan an Active Directory directory service structure that facilitates secure and verifiable user account creation and administration.

· Define minimum security requirements for Windows 2000-based domain controllers, application servers, file and print servers, and workstations.

· Design a strategy for securing local storage of data and providing secure network access to file and print resources.

· Design end-to-end security for the transmission of data between hosts on the network.

· Design a strategy for securing access for non-Microsoft clients within a Windows 2000-based network.

· Design a strategy for securing local resources accessed by remote users who use dial-up or virtual private network (VPN) technologies.

· Design a strategy for securing local resources accessed by remote offices within a wide area network (WAN) environment.

· Protect private network resources from public network users.

· Design a strategy for securing private network user access to public networks.

· Design a strategy for authenticating trusted users over public networks.

· Design a strategy for securing data and application access for the private network when accessed by trusted partners.

· Plan for an e-commerce implementation between your organization and external business partners that facilitates business communication.

· Design a structured methodology for securing a Windows 2000 network.

Microsoft Certified Professional Exams

This course helps you prepare for the fol­lowing Microsoft Certified Professional exams:

· Exam 70-220, Designing

Security for a Microsoft Windows 2000 Network

Prerequisites

This course requires that students meet the following prerequisites:

· Working knowledge of Windows 2000 Directory Services

· Completion of course 1560, Upgrading Support Skills from Microsoft Windows NT® 4.0 to

Microsoft Windows 2000

OR

· Completion of course 2154, Implementing and Administering Windows 2000

Directory Services.

OR

· Equivalent knowledge

The course materials, lectures, and lab exercises are in English. To benefit fully from our instruction, students need an understanding of the English language and completion of the prerequisites.

Course Materials and Software

The course materials are yours to keep.

You will also be provided with the following software for use in the classroom:

· Windows 2000 Advanced Server

· Network Monitor 2.0 (for classroom use)

Day 1

Module 1: Assessing Security Risks

Topics:

Identifying Risks to Data

Identifying Risks to Services

Identifying Potential Threats

Introducing Common Security Standards

Planning Network SecuritySkills:

After completing this module, students will be able to:

· Describe the potential risks to different types of stored data.

· Describe the potential risks from a denial of service.

· Describe potential threats against network security.

· Describe common industry standards for measuring network security.

· Discuss methodologies for securing a Windows 2000 network.

Module 2: Introducing Windows 2000 SecurityTopics:

Introducing Security Features in Active

Directory

Authenticating User Accounts

Securing Access to Resources

Introducing Encryption Technologies

Encrypting Stored and Transmitted Data

Introducing Public Key Infrastructure

Technology

Skills:

After completing this module, students will be able to:

· Describe how security features in Active Directory provide a framework for designing a secure Windows 2000 network.

· Describe the authentication methods that Windows 2000 provides for user and computer accounts.

· Identify the methods that can be used to secure resource access in Windows 2000 networks.

· Identify the encryption technologies that Windows 2000 supports.

· Describe how encryption technologies are used to secure stored and transmitted data in a Windows 2000 network.

· Describe how a Public Key

Infrastructure (PKI) can be used to create a secure network.

Unit 1: Providing Secure Access to Local

Network Users

Module 3: Planning Administrative

Access

Topics:

Determining the Appropriate Administrative

Model

Designing Administrative Group Strategies

Planning Local Administrative Access

Planning Remote Administrative Access

Lab:

Planning Secure Administrative Access

Skills:

After completing this module, students will be able to:

· Select an administrative model for an organization.

· Plan memberships in Windows 2000 administrative groups.

· Plan secure local administrative access to the network.

· Plan secure remote administrative access to the network.

Day 2

Module 4: Planning User Accounts

Topics:

Designing Account Policies and Group Policy

Planning Account Creation and Location

Planning Delegation of Authority

Auditing User Account Actions

Lab:

Planning a Security-based OU Structure

Skills:

After completing this module, students will be able to:

· Design an account policy and

Group Policy strategy for user accounts.

· Plan for the creation and location of user accounts within the domain and organizational unit (OU) structure.

· Plan delegation of authority to user accounts.

· Design an audit strategy that will track changes made to objects in Active Directory.

Module 5: Securing Windows 2000-Based

Computers

Topics:

Planning Physical Security for Windows 2000-based Computers

Evaluating Security Requirements

Designing Security Configuration Templates

Evaluating Security Configuration

Deploying Security Configuration Templates

Labs:

Analyzing a Security Template

Designing Customized Security Templates

Skills:

After completing this module, students will be able to:

· Plan physical measures to secure Windows 2000-based computers.

· Evaluate the security requirements for Windows 2000-based computers with respect to their roles in the network.

· Design security configuration templates to enforce security settings.

· Evaluate the existing security configuration of a Windows 2000-based computer.

· Determine how to deploy security templates in a Windows 2000 network.

Module 6: Securing File and Print Resources

Topics:

Examining Windows 2000 File System SecurityProtecting Resources Using DACLs

Encrypting Data Using EFS

Auditing Resource Access

Securing Backup and Restore ProceduresProtecting Data from Viruses

Labs

Managing EFS Recovery Keys

Planning Data SecuritySkills:

After completing this module, students will be able to:

· Describe the security provided in the file systems supported by Windows 2000.

· Design a security strategy for protecting data such as files, folders, print resources, and the registry by using discretionary access control lists (DACLs).

· Design a strategy for the protection and recovery of file resources encrypted with Encrypting File System (EFS).

· Design an audit strategy to monitor file and print resource access.

· Design a secure backup and restore procedure that allows for disaster recovery.

· Plan for virus protection in a network security design.

Day 3

Module 7: Securing Communication Channels

Topics:

Assessing Network Data Visibility Risks

Designing Application-Layer SecurityDesigning IP-Layer SecurityDeploying Network Traffic Encryption

Lab:

Planning Transmission SecuritySkills:

After completing this module, students will be able to:

· Assess potential risks to transmitted data on the network wire in the local area network (LAN).

· Design a strategy for providing authentication and data privacy by applying security at the application layer.

· Design a strategy for providing authentication and data privacy by applying security at the Internet Protocol (IP) layer.

· Design an Internet Protocol

Security (IPSec) strategy for encrypting private network data transmissions.

Module 8: Providing Secure Access to

Non-Microsoft Clients

Topics:

Providing Secure Network Access to UNIX Clients

Providing Secure Network Access to NetWare Clients

Providing Secure Access to Macintosh Clients

Securing Network Services in a Heterogeneous Network

Monitoring for Security Breaches

Lab:

Securing Telnet Transmissions

Skills:

After completing this module, students will be able to:

· Identify the risks associated with allowing UNIX clients access to a Windows 2000 network.

· Identify the risks associated with allowing NetWare clients access to a Windows 2000 network.

· Identify the risks associated with allowing Macintosh clients access to a Windows 2000 network.

· Secure common network services that are operating in a heterogeneous network.

· Monitor a heterogeneous network for security breaches and identify the risks of unauthorized network monitoring.

Unit 2: Providing Secure Access to Remote

Users and Offices

Module 9: Providing Secure Access to Remote Users

Topics:

Identifying the Risks of Providing Remote

Access

Designing Security for Dial-Up Connections

Designing Security for VPN Connections

Centralizing Remote Access Security Settings

Lab:

Using RADIUS Authentication

Skills:

After completing this module, students will be able to:

· Identify the risks associated with providing network access to remote users.

· Design a secure network for remote users who access the network by using dial-up connections.

· Design a secure network for remote users who access the network by using VPN connections.

· Design a secure network for remote users by centralizing the security configuration of remote access servers.

Day 4

Module 10: Providing Secure Access to Remote Offices

Topics:

Defining Private and Public Networks

Securing Connections Using Routers

Securing VPN Connections Between

Remote Offices

Identifying Security Requirements

Lab

Planning Secure Connections for Remote Offices

Skills:

After completing this module, students will be able to:

· Describe the difference between a private network and a public network.

· Plan a secure connection between two remote networks by using routers.

· Plan a secure connection between two remote networks by using a VPN.

· Identify the security requirements that must be considered while planning secure connections between remote offices.

Unit 3: Providing Secure Access Between

Private and Public Networks

Module 11: Providing Secure

Network Access to Internet Users

Topics:

Identifying Potential Risks from the Internet

Using Firewalls to Protect Network Resources

Using Screened Subnets to Protect Network

Resources

Securing Public Access to a Screened Subnet

Lab:

Designing a Screened Subnet

Skills:

After completing this module, students will be able to:

· Analyze the potential threats that are introduced when a private network is connected to the Internet.

· Design a firewall strategy for protecting private network resources.

· Design a secure method for exposing private network resources to the Internet.

· Plan to secure public access to a screened subnet.

Module 12: Providing Secure Internet Access to Network

Users Topics:

Protecting Internal Network Resources

Planning Internet Usage Policies

Managing Internet Access Through

Proxy Server Configuration

Managing Internet Access Through

Client-Side Configuration

Lab:

Securing the Internal Network When Accessing the Internet (Module 12 continued)

Skills:

After completing this module, students will be able to:

· Design a strategy for protecting private network resources from the public network.

· Plan which users, computers, and protocols are allowed access to the Internet.

· Design the Microsoft Proxy

Server settings for maintaining security when local network users access the

Internet.

· Design the client-side requirements for maintaining security when local network users access the

Internet.

Day 5

Unit 4: Providing Secure Access to Partners

Module 13: Extending the Network to Partner Organizations

Topics:

Providing Access to Partner Organizations

Securing Applications Used by Partners

Securing Connections Used by Remote Partners

Structuring Active Directory to Manage Partner

Accounts

Authenticating Partners from Trusted Domains

Lab:

Planning Partner Connectivity

Skills:

After completing this module, students will be able to:

· Describe the connection methods that can be used to provide access to partner organizations.

· Describe the ways to provide secure access to data, applications, and communications shared with trusted partners.

· Design a secure framework that allows partners to use tunnel connections, dial-up connections, and Terminal Services to access the private network.

· Design an Active Directory directory service structure for partners.

· Design a secure framework for authenticating partners from trusted domains.

Module 14: Designing a Public Key Infrastructure

Topics:

Introducing a Public Key Infrastructure

Using Certificates

Examining the Certificate Life Cycle

Choosing a Certification Authority

Planning a Certification Authority Hierarchy

Mapping Certificates to User Accounts

Managing CA Maintenance Strategies

Lab:

Using Certificate-based Authentication

Skills:

After completing this module, students will be able to:

· Describe the basic components of a PKI.

· Define how certificates can be used in a PKI to certify applications and services.

· Define the basic functions of certificates within a certificate life cycle.

· Choose between public and private certification authorities (CAs).

· Plan a hierarchy for organizing

CAs in a network.

· Use certificate mapping to apply user permissions to users who are not included in your organization's

Active Directory directory service.

· Plan recovery and maintenance strategies for CAs.

Module 15: Developing a SecurityPlan

Topics:

Designing a Security Plan

Defining Security Requirements

Maintaining the Security Plan

Lab:

Developing a Security Plan

Skills:

After completing this module, students will be able to:

· Design a security plan that will meet the security requirements of an organization.

· Define the security requirements for local and remote networks, public and private networks, and trusted business partners.

· Develop strategies to maintain the network security plan