Designing a Secure Microsoft Windows 2000 Network

2150: Designing a Secure Microsoft Windows 2000 Network (5 Days)

About this Course

This course provides students with the knowledge and skills necessary to design a security framework for small, medium, and enterprise networks by using Microsoft Windows 2000 technologies. This course contains four units that describe how to help protect specific areas of the network:

• Unit 1, Providing Security-Enhanced Access to Local Network Users
• Unit 2, Providing Security-Enhanced Access to Remote Users and Remote Offices
• Unit 3, Providing Security-Enhanced Access Between Private and Public Networks
• Unit 4, Providing Security-Enhanced Access to Partners

At Course Completion

At the end of the course, students will be able to:

• Identify the security risks associated with managing resource access and data flow on the network.
• Describe how key technologies within Windows 2000 are used to help protect a network and its resources.
• Plan a Windows 2000 administrative structure so that permissions are granted only to appropriate users.
• Plan an Active Directory directory service structure that facilitates security-enhanced and verifiable user account creation and administration.
• Define minimum security requirements for Windows 2000-based domain controllers, application servers, file and print servers, and workstations.
• Design a strategy for to help protect local storage of data and provide security-enhanced network access to file and print resources.
• Design end-to-end security for the transmission of data between hosts on the network.
• Design a strategy to help provide security-enhanced access for non-Microsoft clients within a Windows 2000-based network.
• Design a strategy to help protect local resources accessed by remote users who use dial-up or virtual private network (VPN) technologies.
• Design a strategy to help protect local resources accessed by remote offices within a wide area network (WAN) environment.
• Help protect private network resources from public network users.
• Design a strategy to help protect private network user access to public networks.
• Design a strategy for authenticating trusted users over public networks.
• Design a strategy to help protect data and application access for the private network when accessed by trusted partners.
• Plan for an e-commerce implementation between your organization and external business partners that facilitates business communication.
• Design a structured methodology for securing a Windows 2000 network.

Course Outline

Module 1: Assessing Security Risks

Lessons

• Identifying Risks to Data
• Identifying Risks to Services
• Identifying Potential Threats
• Introducing Common Security Standards
• Planning Network Security

Lab

Module 2: Introducing Windows 2000 Security

Lessons

• Introducing Security Features in Active Directory
• Authenticating User Accounts
• Securing Access to Resources
• Introducing Encryption Technologies
• Encrypting Stored and Transmitted Data
• Introducing Public Key Infrastructure Technology

Lab

Module 3: Planning Administrative Access

Lessons

• Determining the Appropriate Administrative Model
• Designing Administrative Group Strategies
• Planning Local Administrative Access
• Planning Remote Administrative Access

Lab : Lab

• Planning Security-Enhanced Administrative Access

After completing this module, students will be able to:

• Select an administrative model for an organization.
• Plan memberships in Windows 2000 administrative groups.
• Plan security-enhanced local administrative access to the network.
• Plan security-enhanced remote administrative access to the network.

Module 4: Planning User Accounts

Lessons

• Designing Account Policies and Group Policy
• Planning Account Creation and Location
• Planning Delegation of Authority
• Auditing User Account Actions

Lab : Lab

• Planning a Security-based OU Structure

After completing this module, students will be able to:

• Design an account policy and Group Policy strategy for user accounts.
• Plan for the creation and location of user accounts within the domain and organizational unit (OU) structure.
• Plan delegation of authority to user accounts.
• Design an audit strategy that will track changes made to objects in Active Directory.

Module 5: Securing Windows 2000-Based Computers

Lessons

• Planning Physical Security for Windows 2000-based Computers
• Evaluating Security Requirements
• Designing Security Configuration Templates
• Evaluating Security Configuration
• Deploying Security Configuration Templates

After completing this module, students will be able to:

• Plan physical measures to help protect Windows 2000-based computers.
• Evaluate the security requirements for Windows 2000-based computers with respect to their roles in the network.
• Design security configuration templates to enforce security settings.
• Evaluate the existing security configuration of a Windows 2000-based computer.
• Determine how to deploy security templates in a Windows 2000 network.

Module 6: Securing File and Print Resources

Lessons

• Examining Windows 2000 File System Security
• Protecting Resources Using DACLs
• Encrypting Data Using EFS
• Auditing Resource Access
• Helping Protect Backup and Restore Procedures
• Helping Protecting Data from Viruses

After completing this module, students will be able to:

• Describe the security provided in the file systems supported by Windows 2000.
• Design a security strategy to help protect data such as files, folders, print resources, and the registry by using discretionary access control lists (DACLs).
• Design a strategy for the protection and recovery of file resources encrypted with Encrypting File System (EFS).
• Design an audit strategy to monitor file and print resource access.
• Design a security-enhanced backup and restore procedure that allows for disaster recovery.
• Plan for virus protection in a network security design.

Module 7: Securing Communication Channels

Lessons

• Assessing Network Data Visibility Risks
• Designing Application-Layer Security
• Designing IP-Layer Security
• Deploying Network Traffic Encryption

Lab : Lab

• Planning Transmission Security

After completing this module, students will be able to:

• Assess potential risks to transmitted data on the network wire in the local area network (LAN).
• Design a strategy to help provide authentication and data privacy by applying security at the application layer.
• Design a strategy to help provide authentication and data privacy by applying security at the Internet Protocol (IP) layer.
• Design an Internet Protocol Security (IPSec) strategy for encrypting private network data transmissions.

Module 8: Providing Security-Enhanced Access to Non-Microsoft Clients

Lessons

• Providing Security-Enhanced Network Access to UNIX Clients
• Providing Security-Enhanced Network Access to NetWare Clients
• Providing Security-Enhanced Access to Macintosh Clients
• Helping to Protect Network Services in a Heterogeneous Network
• Monitoring for Security Breaches

Lab : Lab

• Securing Telnet Transmissions

After completing this module, students will be able to:

• Identify the risks associated with allowing UNIX clients access to a Windows 2000 network.
• Identify the risks associated with allowing NetWare clients access to a Windows 2000 network.
• Identify the risks associated with allowing Macintosh clients access to a Windows 2000 network.
• Help protect common network services that are operating in a heterogeneous network.
• Monitor a heterogeneous network for security breaches and identify the risks of unauthorized network monitoring.

Module 9: Providing Security-Enhanced Access to Remote Users

Lessons

• Identifying the Risks of Providing Remote Access
• Designing Security for Dial-Up Connections
• Designing Security for VPN Connections
• Centralizing Remote Access Security Settings

Lab : Lab

• Using RADIUS Authentication

After completing this module, students will be able to:

• Identify the risks associated with providing network access to remote users.
• Design a security-enhanced network for remote users who access the network by using dial-up connections.
• Design a security-enhanced network for remote users who access the network by using VPN connections.
• Design a security-enhanced network for remote users by centralizing the security configuration of remote access servers.

Module 10: Providing Security-Enhanced Access to Remote Offices

Lessons

• Defining Private and Public Networks
• Helping Protect Connections Using Routers
• Helping Protect VPN Connections Between Remote Offices
• Identifying Security Requirements

Lab : Planning Security-Enhanced Connections for Remote Offices After completing this module, students will be able to:Students will be able to:

• Describe the difference between a private network and a public network.
• Plan a security-enhanced connection between two remote networks by using routers.
• Plan a security-enhanced connection between two remote networks by using a VPN.
• Identify the security requirements that must be considered while planning security-enhanced connections between remote offices.

Module 11: Providing Security-Enhanced Network Access to Internet Users

Lessons

• Identifying Potential Risks from the Internet
• Using Firewalls to Help Protect Network Resources
• Using Screened Subnets to Help Protect Network Resources
• Helping to Protect Public Access to a Screened Subnet

Lab : Lab

• Designing a Screened Subnet

After completing this module, students will be able to:

• Analyze the potential threats that are introduced when a private network is connected to the Internet.
• Design a firewall strategy to help protect private network resources.
• Design a security-enhanced method for exposing private network resources to the Internet.
• Plan to help protect public access to a screened subnet.

Module 12: Providing Security-Enhanced Internet Access to Network Users

Lessons

• Helping Protect Internal Network Resources
• Planning Internet Usage Policies
• Managing Internet Access Through Proxy Server Configuration
• Managing Internet Access Through Client-Side Configuration

Lab : Lab

• Securing the Internal Network When Accessing the Internet

After completing this module, students will be able to:

• Design a strategy to help protect private network resources from the public network.
• Plan which users, computers, and protocols are allowed access to the Internet.
• Design the Microsoft Proxy Server settings for maintaining security when local network users access the Internet.
• Design the client-side requirements for maintaining security when local network users access the Internet.

Module 13: Extending the Network to Partner Organizations

Lessons

• Providing Access to Partner Organizations
• Securing Applications Used by Partners
• Securing Connections Used by Remote Partners
• Structuring Active Directory to Manage Partner Accounts
• Authenticating Partners from Trusted Domains

Lab : Lab

• Planning Partner Connectivity

After completing this module, students will be able to:

• Describe the connection methods that can be used to provide access to partner organizations.
• Describe the ways to provide security-enhanced access to data, applications, and communications shared with trusted partners.
• Design a security-enhanced framework that allows partners to use tunnel connections, dial-up connections, and Terminal Services to access the private network.
• Design an Active Directory directory service structure for partners.
• Design a framework for authenticating partners from trusted domains.

Module 14: Designing a Public Key Infrastructure

Lessons

• Introducing a Public Key Infrastructure
• Using Certificates
• Examining the Certificate Life Cycle
• Choosing a Certification Authority
• Planning a Certification Authority Hierarchy
• Mapping Certificates to User Accounts
• Managing CA Maintenance Strategies

Lab : Lab

• Using Certificate-based Authentication

After completing this module, students will be able to:

• Describe the basic components of a PKI.
• Define how certificates can be used in a PKI to certify applications and services.
• Define the basic functions of certificates within a certificate life cycle.
• Choose between public and private certification authorities (CAs).
• Plan a hierarchy for organizing CAs in a network.
• Use certificate mapping to apply user permissions to users who are not included in your organization's Active Directory directory service.
• Plan recovery and maintenance strategies for CAs.

Module 15: Developing a Security Plan

Lessons

• Designing a Security Plan
• Defining Security Requirements
• Maintaining the Security Plan

Lab : Lab

• Developing a Security Plan

After completing this module, students will be able to:

• Design a security plan that will meet the security requirements of an organization.
• Define the security requirements for local and remote networks, public and private networks, and trusted business partners.
• Develop strategies to maintain the network security plan.

Prerequisites:

• Working knowledge of Windows 2000 Directory Services
• Completion of Course 1560, Upgrading Support Skills from Microsoft Windows NT 4.0 to Microsoft Windows 2000
• Completion of Course 2154, Implementing and Administering Windows 2000 Directory Services
• Equivalent knowledge

The course materials, lectures, and lab exercises are in English. To benefit fully from the instruction, students need an understanding of the English language and completion of the prerequisites.