Saturday, December 8, 2007

Implementing Enterprise-Wide Network Security

Monitoring Security Events

You learned about various sections of a network security plan. Administrative policies for a security plan include policies for delegation of administrative tasks and monitoring of audit logs to detect suspicious activity. In this lesson, you will learn how to monitor security events in Windows 2000 to prevent attacks and intrusion on your network.

Monitoring Your Network Security

The network security technologies you implement, such as Microsoft Proxy Server, can meet your security goals only if you plan and configure them carefully. With thorough preparation, this work can be done very successfully. However, anticipating all possible risks can be very difficult because

  • New risks develop.
  • Systems can break down and the environment in which your systems are placed changes over time.

By continually reviewing your network security strategies, you can minimize security risks. However, you also need to watch the actual network security activity to spot weaknesses before they are exploited, and to stop attempts to break security before they are effective.


Viewing the Security Log
  1. Attempt to log on to the Windows 2000 computer on which you activated security auditing for failed logon attempts using an invalid user name and password.
  2. After failing to log on, use a valid user name and password to log on to Windows 2000.
  3. Click Start, point to Programs, point to Administrative Tools, then click Event Viewer.

    Event Viewer opens.

  4. Click Security Log in the left pane.

    Notice that the failed logon attempt is shown in the right pane of the Event Viewer, as illustrated in Figure 14.6.

  5. Double-click the Failure Audit item in the event view to open the Event Properties window.

    Notice that the description section tells you the reason for the failure and the user name entered, but not the password entered.

  6. Click OK to close the Event Properties window.
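
The steps above let you spot a failed logon by eye. As an added example (not part of the original text), the following Python reads a Security log saved from Event Viewer as comma-delimited text and flags accounts with a burst of Failure Audit logon events, which is what repeated guessing against one account looks like in the log. The column layout, the description wording and the sample rows are constructed for this example.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a Security log saved as comma-delimited text. Column layout
# and wording are assumptions; each Failure Audit carries the reason and user name.
SAMPLE_LOG = """\
Date,Time,Type,Category,User,Computer,Description
12/8/2007,9:00:01 AM,Failure Audit,Logon/Logoff,SYSTEM,SRV01,Logon Failure: Reason: Unknown user name or bad password User Name: jdoe Workstation Name: WS17
12/8/2007,9:00:04 AM,Failure Audit,Logon/Logoff,SYSTEM,SRV01,Logon Failure: Reason: Unknown user name or bad password User Name: jdoe Workstation Name: WS17
12/8/2007,9:00:09 AM,Failure Audit,Logon/Logoff,SYSTEM,SRV01,Logon Failure: Reason: Unknown user name or bad password User Name: jdoe Workstation Name: WS17
12/8/2007,9:31:40 AM,Failure Audit,Logon/Logoff,SYSTEM,SRV01,Logon Failure: Reason: Unknown user name or bad password User Name: asmith Workstation Name: WS03
12/8/2007,9:32:02 AM,Success Audit,Logon/Logoff,asmith,SRV01,Successful Logon: User Name: asmith Workstation Name: WS03
"""

DESC_RE = re.compile(r"Reason:\s*(?P<reason>.+?)\s+User Name:\s*(?P<user>\S+)\s+Workstation Name:\s*(?P<ws>\S+)")


def parse_failures(text):
    """Return (timestamp, user, workstation, reason) for every Failure Audit row."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["Type"] != "Failure Audit":
            continue
        m = DESC_RE.search(row["Description"])
        if not m:
            continue  # unknown description layout: skip rather than guess
        ts = datetime.strptime(row["Date"] + " " + row["Time"], "%m/%d/%Y %I:%M:%S %p")
        out.append((ts, m["user"], m["ws"], m["reason"]))
    return out


def find_bursts(failures, threshold=3, window=timedelta(minutes=1)):
    """Map user -> largest number of failed logons seen inside any sliding window.
    Only users reaching `threshold` are returned; a lone mistyped password is not."""
    by_user = defaultdict(list)
    for ts, user, _ws, _reason in failures:
        by_user[user].append(ts)
    bursts = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[user] = max(bursts.get(user, 0), count)
    return bursts
```

Tune `threshold` and `window` to the lockout policy in force; the single asmith failure followed by a successful logon is the normal case and is not reported.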
System Monitor

System Monitor is a tool that can be used to track system resources usage. System Monitor can be used to test an application's usage of system resources. Common objects that a user can log are memory, CPU, network, and disk activity. Some additional counters, although not performance related, provide useful information about server security. These include

  • Server\Errors Access Permissions
  • Server\Errors Granted Access
  • Server\Errors Logon
  • IIS Security

To monitor security events using System Monitor
  1. Click Start, point to Programs, point to Administrative Tools, then click Performance.

    System Monitor opens in the MMC.

  2. In the right pane, click Add.

    The Add Counters dialog box appears, as illustrated in Figure 14.7.

  3. In the Performance Object drop-down list box, select Server.
  4. Click Select Counters From List.
  5. In the Counters list, select a counter, then click Add.
  6. Click Close to close the Add Counters dialog box.
Monitoring Security Overhead

Security is achieved only at some cost in performance. Measuring the performance overhead of a security strategy is not simply a matter of monitoring a separate process or thread. The features of the Windows 2000 security model and other security services are integrated into several different operating system services. You cannot monitor security features separately from other aspects of the services. Instead, the most common way to measure security overhead is to run tests comparing server performance with and without a security feature. The tests should be run with fixed workloads and a fixed server configuration so that the security feature is the only variable. During the tests, you should measure

  • Processor activity and the processor queue
  • Physical memory used
  • Network traffic
  • Latency and delays
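
An added example, not from the original text, that carries the comparison above through in Python: repeated runs of one fixed workload, with and without a security feature, are reduced to a per-metric overhead, and a metric is only reported as a real cost when its shift exceeds the baseline's own run-to-run noise. The metric names follow the list above; the measurements are invented.

```python
from statistics import mean, pstdev

# Constructed measurements: three runs of the same fixed workload on a fixed
# server configuration, first with the security feature off (baseline) and then
# with it on. The numbers are invented for this example.
BASELINE = {
    "processor_pct":   [41.0, 42.5, 40.8],
    "processor_queue": [1.0, 1.2, 0.9],
    "memory_mb":       [512, 515, 510],
    "network_kbps":    [9800, 9750, 9820],
    "latency_ms":      [12.0, 12.4, 11.8],
}
WITH_FEATURE = {
    "processor_pct":   [47.5, 48.9, 47.0],
    "processor_queue": [1.1, 1.0, 1.2],
    "memory_mb":       [530, 534, 528],
    "network_kbps":    [10100, 10050, 10120],
    "latency_ms":      [15.1, 15.6, 14.9],
}


def overhead(baseline, with_feature, noise_sigmas=2.0):
    """Per-metric overhead of the feature as a percentage of the baseline mean.

    A metric is marked significant only when the shift in the mean exceeds
    noise_sigmas times the baseline's run-to-run standard deviation, so that
    ordinary measurement noise is not reported as security cost.
    """
    report = {}
    for name, base in baseline.items():
        feat = with_feature[name]
        b_mean, f_mean = mean(base), mean(feat)
        delta = f_mean - b_mean
        noise = noise_sigmas * pstdev(base)
        report[name] = {
            "overhead_pct": round(100.0 * delta / b_mean, 1),
            "significant": abs(delta) > noise,
        }
    return report
```

With these numbers the processor queue moves by less than its own noise band and is not reported as overhead, while processor time, memory, network traffic and latency are.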

Implementing Network Security

As you plan your network, you should implement security technologies that are appropriate for your organization. Addressing these issues early in your Windows 2000 deployment planning ensures that security cannot be breached and that you are ready to provide secure networking facilities when needed. In this lesson, you will learn how to implement security on your network.

Planning for Network Security

Even if you are confident that you have implemented a secure network environment, it is important for you to review your security strategies considering the capabilities of Windows 2000. Some of the new network security technologies in Windows 2000 might cause you to rework your security plan. As you develop your network security plan, you should

  • Assess your network security risks.
  • Determine your server size and placement requirements.
  • Prepare your staff.
  • Create and publish security policies and procedures.
  • Use a formal methodology to create a deployment plan for your security technologies.
  • Identify your user groups and their specific needs and security risks.

Assessing Network Security Risks

Although the ability to share and obtain information is very beneficial, it also presents security risks, described in Table 14.1.

Table 14.1 Network Security Risks

Security Risk              Description
Identity interception      The intruder discovers the user name and password of a valid user. This can occur by a variety of methods, both social and technical.
Masquerade                 An unauthorized user pretends to be a valid user. For example, a user assumes the Internet Protocol (IP) address of a trusted system and uses it to gain the access rights that are granted to the impersonated device or system.
Replay attack              The intruder records a network exchange between a user and a server and plays it back at a later time to impersonate the user.
Data interception          If data is moved across the network as plaintext, unauthorized persons can monitor and capture the data.
Manipulation               The intruder causes network data to be modified or corrupted. Unencrypted network financial transactions are vulnerable to manipulation. Viruses can corrupt network data.
Repudiation                Network-based business and financial transactions are compromised if the recipient of the transaction cannot be certain who sent the message.
Macro viruses              Application-specific viruses could exploit the macro language of sophisticated documents and spreadsheets.
Denial of service          The intruder floods a server with requests that consume system resources and either crash the server or prevent useful work from being done. Crashing the server sometimes provides opportunities to penetrate the system.
Malicious mobile code      This term refers to malicious code running as an autoexecuted ActiveX control or Java applet uploaded from the Internet on a Web server.
Misuse of privileges       An administrator of a computing system knowingly or mistakenly uses full privileges over the operating system to obtain private data.
Trojan horse               This is a general term for a malicious program that masquerades as a desirable and harmless utility.
Social engineering attack  Sometimes breaking into a network is as simple as calling new employees, telling them you are from the IT department, and asking them to verify their password for your records.

Competitors could attempt to gain access to proprietary product information, or unauthorized users could attempt to maliciously modify Web pages or overload computers so that they are unusable. Additionally, employees might access confidential information. It is important to prevent these types of security risks to ensure that your company's business functions proceed undisturbed.

Network Authentication

Authentication is the process of identifying users who attempt to connect to a network. Users who are authenticated on the network can utilize network resources based on their access permissions. To provide authentication to network users, you establish user accounts. This is critical for security management. Without authentication, resources such as files are accessible to unauthorized users.
