CHAPTER 6

Server and Network Security

In this chapter, you will

•   Examine different types of security controls

•   Determine how to secure resource access

•   Identify best practices for hardening networks and servers

•   Learn how encryption protects server data

This chapter provides a great reference for technicians responsible for setting up security controls that protect not only servers but also the network environment in which those servers live. A few scary security examples are scattered throughout the chapter to put you in a security frame of mind.

Physical Security Measures

Technological security solutions are great; they solve business problems efficiently and are absolutely required for businesses to remain competitive and safe. But sometimes old-school methods can be overlooked. Security measures such as firewalls and antimalware won’t help if your server disks are not behind locked doors in a protected facility. They also won’t help if users are not made aware of potential security problems and how to mitigate them.

Premises Access

The first line of physical defense is perimeter security, which comes from the following:

•   Fencing

•   Bollard posts to protect buildings from vehicle incursion

•   Lighting

•   Locked gates

•   Security guards

•   Guard dogs

•   Limited access to areas of a facility

•   Motion-sensing security systems

It doesn’t make sense for every organization and government agency to implement all of these measures, but some of them can be implemented to improve security.

Access to a physical structure is always an issue. And it is a very big deal when it comes to data centers, because hundreds or thousands of customers’ personal data may be stored in a data center and is ideally replicated to other data centers for fault tolerance. This is why some providers are reluctant to reveal the addresses of their data centers.

Consider data center “camouflage,” such as an unmarked building located in a densely forested area or a nondescript concrete building with little signage. Locked doors with reinforced doorframes can protect the facility from unauthorized entry. Reflective glass can be used for external windows and internal office spaces to enable viewers to look out through the glass, but not the other way around. For security and privacy reasons, data centers normally have few external windows.

Security guards are important aspects of building security, even if their services are shared by multiple tenants. A visiting guest who is expected to enter a secured facility should be placed on an access list ahead of time so guards can refer to the list when the guest arrives and provides identification. Many business locations require that guests and personnel present some kind of ID card—in some cases a photo ID—before they can enter the facility, especially after hours.

Access control vestibules (sometimes referred to as mantraps) are used at building entrances where high security is a must. In these vestibules, a second inner door opens only after the first outer door has been closed and locked. This prevents tailgating, when an unauthorized person slips through a door behind an authorized person.

Of course, a security camera, another important security defense, would capture somebody slipping in behind you. Every facility has a policy regarding surveillance footage retention, if it is retained at all. The mere presence of a security camera can serve as a deterrent to bad behavior, as can signage stating that the area is being watched. The wording on signage can be important for legal reasons: you don’t want parties claiming they didn’t know they were being watched and that their privacy rights have been violated.

Once people have physical access to the facility, internal physical controls can further keep sensitive information safe. In a clean desk policy, personnel are prohibited from leaving sensitive documents in areas where anybody can see them; locking up sensitive documents or even backup tapes in a locked cabinet is better than leaving them out in the open.

Card-based Access

Radiofrequency identification (RFID) chips are embedded in many types of cards, including building access cards and toll cards for roads and bridges. RFID was designed to be used for inventory and asset tracking, but its use has expanded in a variety of ways.

You may be wondering how an RFID card differs from a smartcard. A smartcard contains a microprocessor that can run cryptographic protocols; chip-based debit and credit cards are the familiar example, but the same technology is used in employee badges and government ID cards. A simple RFID card, such as the low-frequency proximity card used for many building doors, is little more than a transponder that answers with a fixed identifier, and it can be read from a greater distance than a contactless smartcard, which makes it easier to skim or clone without the holder noticing. Contactless payment cards use near-field communication (NFC), which works only over a few centimetres, and the chip authenticates each transaction with a cryptogram computed from a key that never leaves the chip, so a captured exchange cannot simply be replayed. Basic RFID access cards, on the other hand, typically transmit their identifier in the clear, with no encryption or challenge-response at all. With either card type, the primary benefit is convenience. You may have to enter a PIN to use a card, but it's still very easy to use. The downside is that somebody else may be able to read whatever the card transmits, and for a static-identifier card, a copy is as good as the original.

The type of data stored on a card varies from one vendor’s card to another, but generally you can expect the following:

•   Card type

•   Account numbers

•   Account holder name

•   Card and account expiration dates

•   A PIN verification value derived from the PIN (the PIN itself should never be readable from the card)

Forging a smartcard is extremely difficult to do, because we’re talking about a microprocessor chip embedded into a card (Figure 6-1). An average thief will not be able to reproduce this.

Images

Figure 6-1  Embedded chip on a payment card

The Human Element

People are the biggest security threat of all. Companies should implement strict hiring and background check policies to ensure that employees can be trusted with sensitive information. Segregation of duties must be enforced to ensure no single person controls a process from beginning to end. This is not limited to processes involving money; it extends to preventing any one person from holding an entire cryptographic key. Under split knowledge (often implemented as M-of-N control), the key can be reconstructed or used only when a required number of custodians each supply their share, which in turn requires that each custodian knows a password or possesses a unique physical or digital token.

Images

NOTE   Still, no system is perfect. Consider, for example, intelligence agent Jeffrey Delisle of the Royal Canadian Navy, who supplied sensitive information to a Russian spy agency beginning in 2007. I went to high school with Jeff in the late ’80s; needless to say, I was absolutely floored when I became aware of this situation.

The other aspect of the human security element is user awareness and training. The best technical safeguards are not effective if users don’t understand threats such as social engineering and e-mail phishing; it pays to be somewhat paranoid and cynical when it comes to IT security! Providing documentation to employees about security awareness is usually not as effective as lunch-and-learn sessions presented by dynamic speakers who make these important issues much more memorable.

Authentication

Authentication is the process of proving one’s identity. Technicians generally assume that authentication applies only to individual users, but it can also be used to prove the identity of

•   Devices

•   Services

•   Applications

Everybody is familiar with supplying a username and password to authenticate to a system, but security can be increased by using additional authentication factors. At the device level, a smartphone with a virtual private network (VPN) app may need a unique device Public Key Infrastructure (PKI) certificate that is trusted by the VPN server before the user even gets a chance to provide their credentials to the VPN. Or a client desktop may require a unique PKI certificate before being granted access to a restricted web site. Normally, secured web sites require a PKI certificate only on the server side; for very sensitive sites, connecting clients may need a certificate installed on their device too, so that both sides prove their identity during the TLS handshake (mutual TLS, or mTLS). Because the private key is what proves possession, it should be generated on the device and, where the hardware allows, kept in a TPM or secure element so it cannot be copied to another machine.

A certificate can also be issued to a piece of software, so that when it executes it can authenticate to another component. For example, a web service may present a PKI certificate to authenticate to a back-end database instead of embedding a database password in a configuration file.

Successful authentication is required before access is granted to computing resources such as web sites, databases, files, and so on. There are various categories of authentication, as discussed in the following sections.

Identity Federation

Today’s business computer environments are increasingly complex: there are business-to-business connectivity requirements as well as on-premises–to–public cloud connections. There needs to be a way to centralize authentication that supports Single Sign-On (SSO).

Identity federation strives to provide a single authoritative identity store that many applications can trust. "Single" doesn't mean it can't be replicated to multiple servers. Think of a company that plans to use public cloud services and already has Microsoft Active Directory (AD) user accounts configured on-premises. Why re-create users and passwords in the cloud for authentication to cloud apps, when those users already have accounts in AD? Existing password policies enforcing password length and lockout settings would still be effective.

Web applications can be configured to trust security tokens issued by a trusted identity provider. Security tokens contain claims, or assertions about a user or device; for example, one token might carry an e-mail address, a department, and a date of birth as separate claims. Different applications consume different claims and can grant different scopes of access depending on claim values; it depends on the app. The application must verify the token's signature, issuer, intended audience, and validity period before it acts on any claim, because an unverified claim is just a string the client sent.

With identity federation, apps don't have to handle authentication themselves; instead, they consume trusted security tokens containing claims. Either synchronizing existing user accounts from on-premises to the cloud directory, or federating so that the on-premises identity provider issues tokens the cloud trusts, enables web SSO, so that after their initial authentication users don't have to keep entering their credentials when they access different resources.

Images

EXAM TIP   Expect exam questions related to configuring authentication between on-premises and cloud environments. Web SSO between on-premises networks and public cloud providers is achieved by replicating an on-premises directory service to a cloud-based directory service.

Microsoft Active Directory Federation Services (ADFS) handles identity federation nicely, as do other solutions such as the open-source Shibboleth product. Figure 6-2 shows how claims can be configured: the Employee-ID attribute in the left column is changed in the claim to EmpID. This would occur if a consuming web app needed to see a claim with EmpID and not Employee-ID; this will vary from application to application.

Images

Figure 6-2  Mapping an LDAP attribute to an outgoing claim
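The token exchange described above, as an added example that is not part of the original chapter and is not ADFS or Shibboleth code: a stand-in "security token" made of a JSON claims body and an HMAC-SHA256 signature (real federation uses SAML assertions or JWTs signed with the identity provider's key, but the checks a relying party must make are the same). The issuer URL, audience name, signing key, and the Employee-ID to EmpID mapping are constructed for the example. Note the order inside consume_token: signature, issuer, audience and validity period are verified before any claim is read or renamed.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(idp_key: bytes, issuer: str, audience: str, claims: dict,
                now: int, ttl: int = 300) -> str:
    """Identity provider side: sign a claims body for one relying party.

    Constructed stand-in for a SAML assertion / JWT: "<body>.<signature>",
    HMAC-SHA256 over the canonical JSON body. The audience (aud) pins the
    token to one application so it cannot be replayed against another.
    """
    body = dict(claims, iss=issuer, aud=audience, iat=now, exp=now + ttl)
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(idp_key, payload, hashlib.sha256).digest()
    return b64url(payload) + "." + b64url(sig)


def consume_token(idp_key: bytes, trusted_issuer: str, my_audience: str,
                  token: str, now: int, claim_map: dict) -> dict:
    """Relying party side. Verify first, read claims second.

    claim_map renames incoming attributes to the claim names this app expects,
    the way Figure 6-2 maps Employee-ID to EmpID. Returns only mapped claims.
    """
    try:
        payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    payload = unb64url(payload_b64)
    expected = hmac.new(idp_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(sig_b64)):
        raise ValueError("bad signature")   # nothing below is trusted until this passes
    body = json.loads(payload)
    if body.get("iss") != trusted_issuer:
        raise ValueError("untrusted issuer")
    if body.get("aud") != my_audience:
        raise ValueError("token issued for another application")
    if not (body["iat"] <= now < body["exp"]):
        raise ValueError("token expired or not yet valid")
    return {out_name: body[in_name]
            for in_name, out_name in claim_map.items() if in_name in body}


if __name__ == "__main__":
    # Constructed values: a fake IdP key, issuer and audience, plus one user record.
    key = b"idp-signing-key-rotate-me"
    tok = issue_token(key, "https://idp.example", "hrapp",
                      {"Employee-ID": "E1001", "mail": "alice@example.com"},
                      now=1_700_000_000)
    print(consume_token(key, "https://idp.example", "hrapp", tok, 1_700_000_010,
                        {"Employee-ID": "EmpID", "mail": "email"}))
```

The audience check is the one most often skipped: a token minted for one application is a valid, correctly signed token, and without the aud check a second application that trusts the same identity provider will accept it.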

Something You Know

This type of security is stored in your head, and hopefully in nobody else's. A password or PIN is something you know. So-called security questions (mother's maiden name, color of your first car, middle child's nickname) fall into the same category, but treat them as a weak form of it: the answers are often discoverable on social media, through web searches, or in breached data, and they cannot be changed once exposed.

Most authentication today still relies on a username and password combination. Even though this consists of two items, they both fall under a single category (something you know), so we call this single-factor authentication.

Images

EXAM TIP   Watch out for questions that reference multifactor authentication, and make sure the methods mentioned are from different authentication categories.

The problem with the traditional password is that it's not really all that secure, and users hate it. Many organizations still require passwords to be changed periodically, and the new password must be one the user has never used before and must meet complexity requirements such as a mix of uppercase and lowercase letters, numbers, and symbols. No wonder users get exasperated! Current guidance (NIST SP 800-63B) actually advises against forced periodic rotation and composition rules, recommending instead longer passphrases, screening new passwords against lists of known-breached values, and a forced change only when there is evidence of compromise.

Problems with passwords result in user frustration, less time spent at work being productive, increased help desk costs, and—as if that’s not enough—they are not very secure. Nevertheless, a username/password combination is still a popular authentication system in use today.

Something You Have

Some authentication mechanisms require that you have physical possession of something, such as a smartcard or a hardware token (also called a security token or key fob) that displays a changing numeric code that users must enter in addition to a username and password. These days, software apps can act as software tokens. Administrators make token files available to users to import into their software token application, as shown in Figure 6-3.

Images

Figure 6-3  Configuring the RSA SecurID software token

When you use your debit chip card to pay for something, you’re using a smartcard. Of course, you must know the PIN to use it, but you must also have the card in your possession to use it—this is multifactor authentication (MFA). Small purchases, however, may not require the PIN with some cards.

A hardware token, such as an RSA token used for VPN authentication, is synchronized with the VPN device and has a small display showing a numeric value that changes periodically, typically every 30 or 60 seconds. This numeric value must be entered within an acceptable time frame, in addition to some other type of authentication, such as username and password, before access to the VPN is granted. The numeric value is a form of one-time password (OTP): it is valid for a single authentication and must be rejected if presented again, even inside the clock-skew window the server allows. Another OTP example is a web site's "Forgot password" feature, in which a unique code is sent via SMS text or e-mail that enables you to sign in only once, within a limited time frame, to reset a forgotten password. Codes delivered over SMS are the weakest form, because the phone number can be hijacked through SIM swapping, which is why NIST SP 800-63B classifies SMS as a restricted authenticator.
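The time-based code such a token displays, as an added example that is not code from the original chapter or from RSA: the HOTP and TOTP algorithms from RFC 4226 and RFC 6238, which is what software tokens and most authenticator apps implement (RSA SecurID hardware uses RSA's own algorithm rather than the open standard). The seed below is the RFC test secret, embedded so the example runs offline; a real seed is provisioned per user and never displayed again. The verifier class shows the two server-side details that matter: a constant-time comparison and a replay guard so a code is never accepted twice, even inside the clock-skew window.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226).

    The counter is packed as an 8-byte big-endian integer, MAC'd with the
    shared secret, and the MAC is "dynamically truncated" to a short code.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # low nibble picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with counter = floor(time / step)."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side verifier for one enrolled token.

    Two properties are easy to get wrong:
    * the comparison is constant-time (hmac.compare_digest), so response
      timing does not leak how many digits of a guess were right;
    * a counter value is accepted at most once, which keeps the password
      "one-time" even though the skew window accepts neighbouring steps.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew_steps: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.skew_steps = skew_steps
        self.last_accepted_counter = -1             # replay guard

    def verify(self, code: str, unix_time: int) -> bool:
        now_counter = unix_time // self.step
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            counter = now_counter + delta
            if counter <= self.last_accepted_counter:
                continue                             # already used (or older): reject replay
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 4226/6238 test secret; a real seed is random and provisioned per user.
    seed = b"12345678901234567890"
    print("current code:", totp(seed, int(time.time())))
```

A skew window of one step on each side tolerates a token clock that drifts by up to 30 seconds; widening it trades brute-force resistance for convenience, because each extra step is another code the attacker's guess may match. Rate-limit failed attempts in any case: a six-digit code offers only a million possibilities.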

Another example of something you have is a PKI security certificate. Your smartphone might use this to establish trust (at the device level) between the phone and a VPN appliance. The same holds true with servers that must trust each other before transmitting sensitive information.

Something You Are

Each and every one of us is biologically unique in some way. Nothing is perfect, though: a fingerprint scan could be defeated by forcing somebody to press his finger on a scanner, or, in a gruesome scenario, by an attacker taking a victim’s finger with him to place on a scanner. This category of authentication, biometric authentication, uses unique identifying characteristics related to your body, including the following:

•   Fingerprint

•   Voice recognition

•   Facial recognition

•   Speech or gesture recognition

•   Behavioral recognition

•   Retinal scan

•   Iris scan

•   Handwriting recognition

For years, certain laptop models have included built-in fingerprint scanners, or you can use an external fingerprint scanner connected via USB. A fingerprint scan is matched against a template that was captured and stored when the user enrolled; the scanner compares distinctive points (minutiae) in the live scan with the template and accepts when enough of them match, a threshold that varies by vendor and policy. Because the match is probabilistic, every biometric system trades off its false acceptance rate against its false rejection rate, and unlike a password, a compromised fingerprint cannot be reissued. Store templates rather than raw images, and protect them as carefully as password hashes.

Many vendors offer products that enable biometric authentication integration with existing systems. For example, we could store fingerprints with Microsoft AD user accounts by extending the schema (blueprint) to enable this to be stored as an attribute of a user. Biometric authentication may also be configured to enable access to more sensitive data than would be available with only username and password authentication.

Under Lock and Key

You may have used a proximity or swipe card to gain access to a building and to certain floors or areas. Keypads are another option for opening doors, as well as arming and disarming security systems, but you have to know the code. Keypads are great for server rooms, because we don’t want unfettered access to racks of equipment that includes storage media. Server room doors should never be left open, even for ventilation reasons; HVAC environmental controls should be taking care of that!

A data center can contain thousands of physical servers (and tens or hundreds of thousands of virtual machines). Many rack systems for data centers have doors on the front and back that can be locked to control physical access to the equipment.

It may be important to use a lock-down security cable to protect expensive data projection units from theft, but these are replaceable and don’t contain sensitive company data as laptops would. Yet how often do we see laptops being locked down compared to projection units?

Mobile devices introduce enormous risks, yet they are ubiquitous in homes just as they are at work locations. As with USB thumb drives, mobile devices and storage media are easily lost, stolen, forgotten at a client site or in a taxi, and so on.

Logical Access Control

Logical access controls are the mechanisms put in place to secure authentication and authorization to use network resources such as shared folders, web apps, or databases. Mechanisms include the use of smartcards for authentication, or adding a user to a web app role to give them access to some or all of a web app.

Managing individual user access to resources is difficult on a large network; therefore, it is rarely done. Auditing individual users (as opposed to everybody at once) makes sense to reduce information overload, however.

Groups

The standard procedure for resource access in most of today’s networks is as follows:

1.   Create a group following company standards.

•   Naming conventions

2.   Grant resource permissions to the group.

•   Web site

•   Database

•   Files/folders

•   Categories of data

3.   Add members to the group.

•   Users

•   Devices

•   Other groups (group nesting)

Images

NOTE   Adding group members in Microsoft AD requires that the user added to the group log off and log back on again. The access token that contains group memberships is updated only upon initial user logon.

Any user in a group who, for example, has been granted read and write permission to a file will inherit those permissions, because the user is a member of the group. One problem with groups is that you might need to create hundreds of groups to manage resource access, and that’s a lot of additional items to manage. Then there’s the issue of group membership being static (members are manually added and removed).

Some tools enable dynamic group membership, for example, based on some kind of characteristic, or rule, such as whether an employee is full-time or part-time, but you're still managing a group. In Microsoft AD, be aware of the group type (see Figure 6-4): a distribution group, as opposed to a security group, cannot be assigned permissions; it is designed for use by e-mail systems.

Images

Figure 6-4  Creating a group using the Active Directory Administrative Center (ADAC)

Dynamic Access Control

Other solutions such as Microsoft Windows Server Dynamic Access Control (DAC) offer alternatives (see Figure 6-5). Attribute-based access control itself is nothing new; what is new is that it is built into the operating system. (Don't confuse this DAC with discretionary access control, which shares the acronym and comes up under NTFS permissions later in this chapter.) DAC looks at user and device AD attributes to determine what level of access, if any, is granted to files and folders (resources). This can be done without groups, but somebody must have filled in the user and device attributes in AD, and those attributes then become security-relevant: whoever can edit a user's department or location attribute can change what that user may read. For example, DAC may enable only read access to a folder for full-time employees in Orlando, while full-time employees at headquarters may be given read and write permissions.

Images

Figure 6-5  Configuring conditional file system permissions in Windows Server

Roles

Roles are similar to groups, but one difference is that a role may apply to a single individual, such as a CEO. As we do with groups, we assign resource permissions to roles and then assign a role occupant. The role occupant(s) then get the role permissions. This is referred to as role-based access control (RBAC). You can even delegate IT administrator tasks to other administrators using RBAC.

Rights and Permissions

In Microsoft environments, we have to be careful how we use the terms “rights” and “permissions.” A right is black-and-white: either you can or you cannot do something. For example, either you can change the date and time on a server, or you cannot. Permissions are a degree of access to a resource. For example, you might have only read permission to a file, or you might have read, write, and modify permissions to a file. Either way, rights and permissions can be assigned to users, groups, or roles, or they can be assigned conditionally based on attributes. Take care to follow the principle of least privilege, which is inconvenient, but it matters: assign only the rights and permissions necessary to perform a job task, and nothing more.

File System Permissions

Windows and UNIX/Linux servers support a wide variety of file system types depending on how the file system will be used. Some offer more advanced features such as encryption and local file system security.

Windows NTFS Permissions

Windows servers commonly use NTFS (New Technology File System), which offers benefits beyond the old File Allocation Table (FAT) file system, including the following:

•   Local file and folder permissions

•   File and folder encryption using Encrypting File System (EFS)

•   File system auditing

•   File system journaling (disk recovery and repair is quicker)

•   Data deduplication to save disk space

•   Disk space quotas

Standard NTFS permissions (Figure 6-6) include

Images

Figure 6-6  NTFS standard permissions

•   Full Control

•   Modify

•   Read & Execute

•   List Folder Contents

•   Read

•   Write

•   Special Permissions

The List Folder Contents permission applies only when assigning permissions to folders, not files. A big distinction between Modify and Write permissions is that Modify enables file deletion and Write does not. Special Permissions provide a further degree of granularity; for instance, you may want to allow the creation of folders but not new files (by default, both are possible if a user is allowed to write).

NTFS permissions can be assigned to a drive, folder, or file. When assigned to a drive or folder, the permissions are inherited by subordinate file system objects. You can either allow or deny permissions; when both apply to the same user through different entries, an explicit Deny on an object overrides an Allow, and an explicit entry on an object takes precedence over an entry inherited from a parent, so a Deny should be a deliberate exception rather than a routine tool. To alter permissions inheritance, you right-click a file or folder name and choose Properties. Then click the Security tab, the Advanced button, and then the Disable Inheritance button. You can also add a new access control list (ACL) entry for a user, group, or computer with a different set of permissions at any point in the hierarchy; that entry is then inherited from that point down through the file system.

NTFS uses a discretionary access control list (DACL): "discretionary" because the owner of an object (or an administrator) decides, at his or her discretion, who may access it. Every drive, folder, and file has a DACL. Linux systems running Security-Enhanced Linux (SELinux) add a mandatory access control (MAC) model on top of the standard file permissions, where a system-wide policy, not the file owner, determines which access processes and users have to various aspects of the system, including files.

Windows Shared Folder Permissions

Individual files cannot be shared over the network, but folders can. To control network access to shared folders, we configure share permissions (Figure 6-7). As with applying permissions to any resource, groups are normally used.

Images

Figure 6-7  Shared folder permissions

There are three shared folder permissions:

•   Full Control

•   Change

•   Read

Images

NOTE   When you’re combining NTFS and share permissions, the most restrictive permissions will apply. A common strategy is to be a bit more liberal with share permissions and then lock things down granularly with NTFS permissions.
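The combination rule in the note above, together with the group model from the Groups section and the Modify-versus-Write distinction, as an added example that is not code from the original chapter or from Windows: a small evaluator that models the standard NTFS and share permissions as sets of operations, applies Deny-over-Allow, and intersects the two when access comes through a share. The group names, user names and ACL entries are constructed, and the model simplifies real NTFS evaluation (it ignores ACE ordering and the individual special-permission bits), but it reproduces the effective results the Effective Access tab shows for these cases.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Set

# Standard NTFS permissions (Figure 6-6) modelled as the basic operations they grant.
# Simplified: the real permissions are masks over thirteen special permissions.
NTFS_STANDARD = {
    "Full Control":         {"read", "execute", "list", "write", "delete", "change_permissions"},
    "Modify":               {"read", "execute", "list", "write", "delete"},
    "Read & Execute":       {"read", "execute", "list"},
    "List Folder Contents": {"list"},
    "Read":                 {"read", "list"},
    "Write":                {"write"},            # Write alone cannot delete
}

# Share permissions (Figure 6-7).
SHARE_STANDARD = {
    "Full Control": {"read", "execute", "list", "write", "delete", "change_permissions"},
    "Change":       {"read", "execute", "list", "write", "delete"},
    "Read":         {"read", "execute", "list"},
}


@dataclass(frozen=True)
class Ace:
    """One access control entry: principal (user or group), Allow/Deny, named permission."""
    principal: str
    allow: bool
    permission: str


def evaluate_acl(aces: Iterable[Ace], principals: Set[str], table: dict) -> FrozenSet[str]:
    """Union of everything allowed to any matching principal, minus anything denied.

    This is where the Groups section pays off: the ACL names groups, and the
    user's access token carries the groups the user belongs to.
    """
    allowed, denied = set(), set()
    for ace in aces:
        if ace.principal in principals:
            (allowed if ace.allow else denied).update(table[ace.permission])
    return frozenset(allowed - denied)            # Deny beats Allow for the same operation


def ntfs_effective(aces: Iterable[Ace], principals: Set[str]) -> FrozenSet[str]:
    """Effective NTFS permissions, e.g. for a user logged on at the console."""
    return evaluate_acl(aces, principals, NTFS_STANDARD)


def share_effective(aces: Iterable[Ace], principals: Set[str]) -> FrozenSet[str]:
    return evaluate_acl(aces, principals, SHARE_STANDARD)


def effective_over_network(ntfs_aces: Iterable[Ace], share_aces: Iterable[Ace],
                           user: str, groups: Set[str]) -> FrozenSet[str]:
    """Access through the share: the most restrictive of NTFS and share permissions.

    Assumes the caller is a logged-on domain user, so the well-known groups
    Everyone and Authenticated Users are always present in the token.
    """
    principals = {user, "Everyone", "Authenticated Users", *groups}
    return ntfs_effective(ntfs_aces, principals) & share_effective(share_aces, principals)


if __name__ == "__main__":
    # Constructed ACLs for a hypothetical \\fileserver\finance share.
    ntfs = [Ace("FinanceStaff", True, "Modify"),
            Ace("Everyone", True, "Read"),
            Ace("Contractors", False, "Write")]    # explicit Deny
    share = [Ace("Authenticated Users", True, "Change")]
    print("alice:", sorted(effective_over_network(ntfs, share, "alice", {"FinanceStaff"})))
    print("bob:  ", sorted(effective_over_network(ntfs, share, "bob", {"FinanceStaff", "Contractors"})))
```

Note what the Deny on Write does to bob: he can still delete files through Modify, because Write and delete are separate operations. Denying "Write" is not the same as making a folder read-only.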

Linux File System Permissions

Many types of file systems are available for UNIX and Linux operating systems, including ReiserFS, ext4, and XFS, to name a few.

Some file systems support POSIX access control lists (ACLs) for finer-grained, per-user entries (managed with getfacl and setfacl), but here we will look at the standard permissions that work on any type of UNIX/Linux file system:

•   Read (r), 4

•   Write (w), 2

•   Execute (x), 1

You’re probably wondering what the listed numbers mean. The r, w, and x should be self-explanatory. Read has an internal value of 4, write is 2, and execute is 1.

Three sets of these three permissions (r, w, and x) apply to the following:

•   Owner of the file or directory

•   Group associated with the file or directory

•   Everyone else

That’s why you’ll sometimes see commands such as chmod 760 project_b.txt (see Figure 6-8). The chmod means “change mode”; it’s how we set file system permissions at a shell prompt (there are Linux GUI shells that will enable this to be done without typing).

Images

Figure 6-8  Setting file system permissions in Linux

Back to the 760 example. The 7 in 760 applies to the file or directory owner, which in Figure 6-8 is shown as the first occurrence of "root" from the left. The 7 is the sum of 4 + 2 + 1 (r + w + x), so it means the owner (in this case root) has read, write, and execute permissions. The 6 value is the sum of 4 + 2 (r + w), so the group associated with the file or directory (in this case also root, the second occurrence from the left in Figure 6-8) has read and write permissions. The 0 means that neither read, nor write, nor execute has been assigned to everybody else. Note that only one of the three sets applies to a given process: the owner set if you own the file, otherwise the group set if you belong to the group, otherwise the "everyone else" set. On a directory, read means you can list its entries, write means you can create, rename, or delete entries in it, and execute means you can enter (traverse) it to reach the files inside.

The chmod command also has a -R command line switch (not shown in the figure) that recursively applies permissions to a directory and everything in and under it. Note that modifying a file's contents is controlled by write permission on the file, but renaming or deleting a file is controlled by write permission on the directory that contains it, which is why a user can sometimes delete a file they cannot even read. If you are logged into Linux as the root superuser account, read and write permission checks are bypassed, because these permissions constrain nonroot users only; the one exception is that even root cannot execute a file on which no execute bit is set at all.

Images

NOTE   Don’t forget that Linux commands are case-sensitive! So Chmod and chmod are not the same thing!
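The mode arithmetic above, as an added example that is not code from the original chapter: functions that render an octal mode the way ls -l does and work out which rights a given user actually gets, including the two points that trip people up, that exactly one of the three permission sets applies, and that root bypasses read/write checks but not a missing execute bit. The uid and gid values are constructed; the optional demo at the bottom creates a temporary file, does the equivalent of chmod 760 on it, and reads the mode back, which only makes sense on a POSIX system.

```python
import os
import stat
import tempfile
from typing import Set

PERMISSION_BITS = [
    (stat.S_IRUSR, "r"), (stat.S_IWUSR, "w"), (stat.S_IXUSR, "x"),   # owner
    (stat.S_IRGRP, "r"), (stat.S_IWGRP, "w"), (stat.S_IXGRP, "x"),   # group
    (stat.S_IROTH, "r"), (stat.S_IWOTH, "w"), (stat.S_IXOTH, "x"),   # everyone else
]


def mode_to_string(mode: int) -> str:
    """Render the nine permission bits as ls -l does, e.g. 0o760 -> 'rwxrw----'."""
    return "".join(ch if mode & bit else "-" for bit, ch in PERMISSION_BITS)


def octal_to_string(octal: str) -> str:
    """'760' -> 'rwxrw----'; each digit is just 4 (r) + 2 (w) + 1 (x)."""
    return mode_to_string(int(octal, 8))


def effective_access(mode: int, owner_uid: int, owner_gid: int,
                     uid: int, gids: Set[int], is_dir: bool = False) -> Set[str]:
    """Rights a process with (uid, gids) gets on an object with this mode and owner.

    The kernel chooses exactly one permission set: owner if the uid matches,
    else group if any of the process's groups matches, else other. It never
    falls through to a more permissive set, so an owner can be locked out of
    a file that its group may read.
    """
    if uid == 0:
        # root (CAP_DAC_OVERRIDE) skips read/write checks; executing a regular
        # file still requires at least one x bit to be set somewhere.
        rights = {"list", "create_delete_entries", "traverse"} if is_dir else {"read", "write"}
        if not is_dir and mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
            rights.add("execute")
        return rights
    if uid == owner_uid:
        shift = 6
    elif owner_gid in gids:
        shift = 3
    else:
        shift = 0
    triad = (mode >> shift) & 0o7
    rights = set()
    if triad & 4:
        rights.add("list" if is_dir else "read")
    if triad & 2:
        rights.add("create_delete_entries" if is_dir else "write")   # delete lives on the directory
    if triad & 1:
        rights.add("traverse" if is_dir else "execute")
    return rights


def demo_chmod_760() -> str:
    """POSIX only: apply chmod 760 to a temporary file and read the mode back."""
    with tempfile.NamedTemporaryFile() as tmp:
        os.chmod(tmp.name, 0o760)
        return stat.filemode(os.stat(tmp.name).st_mode)   # '-rwxrw----'


if __name__ == "__main__":
    print("chmod 760 ->", octal_to_string("760"))
    if os.name == "posix":
        print("on disk   ->", demo_chmod_760())
```

The 0o070 case in the test is worth remembering during incident review: a file whose owner has no bits set is unreadable by that owner, no matter what groups they belong to, until they chmod it (which the owner may always do).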

Peripheral Devices

Access control should also be considered for peripheral devices such as data projectors, printers, and USB devices.

Projectors

Because a data projector doesn't store sensitive company information and its contents won't endanger human lives, there's not much more you can do to lock it down beyond preventing it from being physically stolen and preventing unauthorized devices from projecting to it, which you do by placing it on an isolated and secured network. Modern projectors support wireless technologies such as Bluetooth and Wi-Fi, so they can be discovered on the network; make sure to secure the network the projector is on unless you are OK with anybody on the network potentially controlling the display. The same type of logic also applies to smart TVs.

Printers

Printers are another story. Some printers store queued jobs for a period of time, which could conceivably be retrieved by a determined malicious user. Whether or not the network printer is managed by a centralized print server, access to manage the printer must be secure. Change the default administrative username and password and make sure HTTPS administrative access is enabled (as opposed to HTTP).

One benefit of using a print server to manage printers is centralized management and security control. If you use a Windows print server or a Linux CUPS print server, you can determine what printing privileges are granted to different groups of users.

Images

NOTE   Even though users can print directly to printers without a print server, remember that print servers provide centralized security and management.

USB

This is a catch-all category; pretty much any type of peripheral can be plugged into a computer via USB, and this is really important from a security standpoint. Malware infections are scary and can infect your server depending on what you plug into USB ports—not just into servers themselves, but also into any device that in some way can contact your servers.

Scary USB devices include

•   Cables with a hidden microcontroller that present themselves to the host as a keyboard and inject keystrokes when triggered (sold, for example, as the USB Ninja cable); the operating system sees an ordinary input device, so blocking only removable storage does not stop them

•   Smartphones

•   Tablets

•   Storage media

Ransomware sends a chill of fear down the backs of all server geeks. This type of malware is in epidemic mode as of the writing of this book. It executes on an infected computer and encrypts any files that the infected device can write to, including server shares and cloud storage, so the blast radius is exactly the write permissions of the compromised user. Barring a flaw in the malware's cryptography, the only way to get a decryption key is to pay a ransom in bitcoins, and paying does not guarantee that you'll receive a working key. If you're lucky, you'll be able to rebuild affected systems quickly from images and backups, provided the backups were kept offline or otherwise unwritable from the infected host, but it's not always that easy, and this can be very costly, so weigh this risk against the cost of prevention and mitigation.

One way to mitigate USB threats is to disable USB ports for storage media, while allowing peripherals such as printers, keyboards, and mice. There are ways to enforce this centrally, such as using Group Policy in an AD environment, as shown in Figure 6-9. Of course, antimalware solutions can help with some infections, but not all of them. The best security measure? User awareness and education! Ransomware is usually spread by phishing e-mails or by people clicking malicious web page links or opening infected file attachments.

Images

Figure 6-9  Configuring Group Policy to block access to removable storage

Network Security

Networks are cool: millions of interconnected devices share data around the planet in a matter of seconds. But this also means the bad guys (and gals) have an infrastructure in place to ply their despicable trade, such as compromising network hosts and transferring sensitive data (exfiltration) outside of the organization. On a corporate network, one important consideration is strictly controlling access to your networks in the first place.

NAC

Network Access Control (NAC) is often referred to as "port-based security." In this context a port is any point of attachment to the network: a physical switch port, or a logical association on a wireless access point or VPN concentrator.

When IT techies chat about NAC, you'll also hear them mention "802.1X." IEEE 802.1X is a worldwide standard for port-based network access control, or controlling access into your network. Think of the various network edge devices that enable connections to the network:

•   Network switches

•   Wireless routers

•   VPN appliances

These edge devices should not perform authentication on their own or store user credentials locally. Why? Because they are the first point of contact for devices and users, and they could be compromised, and we don't want a hacked VPN appliance to provide malicious users with usernames and passwords. Additionally, configuring user authentication information on each and every edge device just doesn't scale well in a larger environment, even assuming each device can accommodate storing all of these credentials. Instead, these edge devices should forward authentication requests from devices and users to a central authentication authority, typically a RADIUS server. In 802.1X terms, the connecting device runs the supplicant, the edge device is the authenticator, and the RADIUS server is the authentication server; the authenticator passes nothing but the authentication exchange until the server says yes.

RADIUS Servers

Remote Authentication Dial-In User Service (RADIUS) is an old standard that still persists today, with improvements made over the years. The idea is that edge devices (RADIUS clients) forward authentication requests from connecting devices and users (supplicants) before allowing network access. Only after successful centralized authentication via the RADIUS server will the device or user be allowed to access the network. Be aware of what the protocol itself protects: classic RADIUS runs over UDP, and the shared secret is used to hide the User-Password attribute and to compute the MD5-based authenticators that protect the exchange from tampering; every other attribute travels in the clear, and because the scheme is MD5-based, a captured request lets an attacker test guesses at a weak shared secret offline. Use long random secrets, keep RADIUS traffic on a management network, and prefer RADIUS over TLS (RadSec, RFC 6614) where your equipment supports it.

Your Windows or Linux server can easily be made into a RADIUS server by installing the appropriate software and configuring a RADIUS shared secret between the RADIUS clients and the RADIUS server (see Figure 6-10). Configure RADIUS clients to forward authentication requests to the RADIUS server. For Wi-Fi routers, use the WPA Enterprise or WPA2 Enterprise option.

Images

Figure 6-10  Configuring a VPN appliance as a trusted RADIUS client
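What the shared secret actually does on the wire, as an added example that is not code from the original chapter, nor from NPS or FreeRADIUS: the User-Password hiding scheme from RFC 2865 section 5.2 and the Response Authenticator from section 3, implemented directly. The secret, request authenticator and password are constructed values. Running it makes the caveat above concrete: the password is XORed with an MD5 stream keyed by the secret, so anyone holding the secret, or who recovers it by testing guesses against a captured packet, reads the password, and no other attribute is protected at all.

```python
import hashlib
import os
import struct


def hide_user_password(secret: bytes, request_authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: obfuscate User-Password inside an Access-Request.

    b1 = MD5(secret + RequestAuthenticator), c1 = p1 XOR b1,
    b2 = MD5(secret + c1),                   c2 = p2 XOR b2, ... per 16-octet block.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key_stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key_stream))
        out += block
        prev = block
    return out


def reveal_user_password(secret: bytes, request_authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_user_password: all a RADIUS server (or an eavesdropper who
    knows the secret) has to do to get the cleartext password back."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        key_stream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key_stream))
        prev = block
    return out.rstrip(b"\x00")


def response_authenticator(code: int, identifier: int, attributes: bytes,
                           request_authenticator: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: the integrity check on an Access-Accept/Reject.

    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), where Length
    covers the 20-octet header plus the attributes. Without the secret an
    attacker cannot forge an Access-Accept; with a guessable secret, they can.
    """
    length = 20 + len(attributes)
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def new_request_authenticator() -> bytes:
    """16 random octets; the RFC requires them to be unpredictable, hence os.urandom."""
    return os.urandom(16)


if __name__ == "__main__":
    secret, ra = b"a-long-random-shared-secret", new_request_authenticator()   # constructed
    hidden = hide_user_password(secret, ra, b"correct horse battery staple")
    print("hidden :", hidden.hex())
    print("reveal :", reveal_user_password(secret, ra, hidden))
```

The chaining means a repeated request authenticator would produce an identical key stream for two different passwords, so the randomness of the request authenticator matters as much as the secret. RADIUS clients that use a counter or a fixed value here leak password differences to anyone on the path.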

TACACS

Terminal Access Controller Access-Control System (TACACS) and its newer variant TACACS+ are designed to handle frequent authorization requests within a session; RADIUS is designed primarily for authentication at the beginning of a session. TACACS+ separates authentication, authorization, and accounting, which allows each command an administrator types on a network device to be authorized individually. TACACS+ obfuscates the entire packet body (RADIUS hides only the password), although the scheme is MD5-based and the IETF describes it as obfuscation rather than encryption, so the same advice about protecting the transport applies; it uses TCP as opposed to UDP, which is used by RADIUS. TACACS+ is normally used to administer network devices, while RADIUS is used primarily for centralized user and device authentication.

VLANs

A virtual local area network (VLAN) is similar conceptually to adding a new network segment to your existing network infrastructure. Technically, creating a new VLAN creates a new broadcast domain (just like a new physical network would). Network broadcasts are addressed to all devices on a network segment, and routers do not forward these broadcasts to other networks.

Let’s say, for example, that you have a 24-port OSI Layer 3 Ethernet switch. By default, all 24 ports are grouped into the same VLAN. This means that if you plug in 24 network devices and configure them on the same IP subnet, they can communicate with one another.

There are times, however, when you may want to split your 24-port switch into smaller networks. Why would you do this? Because smaller networks perform better than larger ones, and you might want isolation between networks—maybe a VLAN for deploying images to new computers (which slows down the network) and a separate VLAN for accounting computers.

From a security perspective, separate VLANs present a simple security barrier. A router is needed to enable communication between VLANs, and a Layer 3 switch can do this too; a Layer 2 switch does not have routing capabilities. VLANs are covered in more detail in Chapter 5.

Images

TIP   Make sure you plug each physical server network interface card (NIC) into the correct switch port, especially if using port-based VLAN membership; otherwise, devices may not be able to communicate with the server.

VLAN Attacks

Even though traffic from one VLAN should not be able to reach a different VLAN without a router, as with everything in IT, there are vulnerabilities that actually let this happen, including, but not limited to, the following:

•   MAC flooding attacks  An attacker sends frames from thousands of bogus source MAC addresses until the switch’s MAC address (CAM) table, which has limited memory, is full. Once the switch can no longer learn or look up addresses, it forwards unicast frames with unknown destinations out every port in that VLAN, behaving like a hub, so an attacker on the same VLAN can capture traffic meant for other hosts. Flooding does not by itself cross VLAN boundaries, but it defeats the isolation between hosts within a VLAN.

•   VLAN hopping  In switch spoofing, the attacker’s port negotiates a trunk link (for example, by speaking the Dynamic Trunking Protocol to a port left in auto-negotiate mode), after which traffic from every VLAN carried on that trunk reaches the attacker. In double tagging, the attacker sends frames carrying two 802.1Q tags; the first switch strips the outer tag (the trunk’s native VLAN) and forwards the frame with the inner tag into a VLAN the attacker is not a member of. Double tagging is one-way, but that is enough to inject traffic into a protected VLAN.

It’s one thing to identify a weakness, but what can we do about it? Switch administrators can enforce proper switch VLAN configurations: disable automatic trunk negotiation and configure every user-facing port explicitly as an access port; move the native VLAN on trunks to an unused VLAN and don’t use VLAN 1 for anything; enable port security so that each access port accepts only a specific or limited number of MAC addresses and shuts itself down when that limit is exceeded; shut down unused ports; and, of course, as a general hardening best practice, apply the latest firmware updates.
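The following Python simulation is an added example, not code from the book or from any switch vendor. It models a Layer 2 switch with access ports, a bounded MAC (CAM) table, and optional port security, then runs a MAC flooding attack against it. Real CAM entries age out over minutes; the simulation simply evicts the oldest entry when the table is full, which has the same effect once an attacker keeps the table saturated. Port numbers, VLAN IDs, and MAC addresses are made up.

```python
from collections import OrderedDict
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str


class Switch:
    """Toy Layer 2 switch: access ports only, bounded CAM table, optional port security."""

    def __init__(self, access_ports, cam_capacity, max_macs_per_port=None):
        self.ports = dict(access_ports)          # port number -> VLAN id
        self.cam_capacity = cam_capacity
        self.max_macs_per_port = max_macs_per_port
        self.cam = OrderedDict()                 # (vlan, mac) -> port, oldest first
        self.err_disabled = set()                # ports shut down by port security

    def _macs_on_port(self, port):
        return sum(1 for p in self.cam.values() if p == port)

    def _flood_ports(self, vlan, ingress):
        # Flooding stays inside the VLAN: ports in other VLANs never see the frame.
        return {p for p, v in self.ports.items()
                if v == vlan and p != ingress and p not in self.err_disabled}

    def receive(self, ingress, frame):
        """Forward one frame; return the set of egress ports it is sent out of."""
        if ingress in self.err_disabled:
            return set()
        vlan = self.ports[ingress]
        key = (vlan, frame.src)
        if key not in self.cam:
            # Port security: one more source MAC than allowed shuts the port down.
            if (self.max_macs_per_port is not None
                    and self._macs_on_port(ingress) >= self.max_macs_per_port):
                self.err_disabled.add(ingress)
                return set()
            if len(self.cam) >= self.cam_capacity:
                self.cam.popitem(last=False)     # evict oldest entry (stands in for aging)
        self.cam[key] = ingress                  # learn the source address
        if frame.dst == BROADCAST or (vlan, frame.dst) not in self.cam:
            return self._flood_ports(vlan, ingress)   # unknown unicast floods the VLAN
        return {self.cam[(vlan, frame.dst)]}


def mac_flood(switch, port, count):
    """Attacker on `port` sends `count` frames, each with a fresh bogus source MAC
    (what the macof tool from the dsniff package does). Returns frames forwarded."""
    forwarded = 0
    for i in range(count):
        src = "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)
        if switch.receive(port, Frame(src, BROADCAST)):
            forwarded += 1
    return forwarded
```

Running two switches side by side, one without port security and one that allows two MAC addresses per port, shows the whole story: on the unprotected switch a unicast frame between two legitimate hosts starts appearing on the attacker’s port as soon as the table is saturated, while on the hardened switch the attacker’s port goes into the error-disabled state on its third bogus address and the legitimate hosts keep talking unicast.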

Firewalls

Firewalls control inbound and outbound traffic, whether for an entire network or for a single network device. Some firewalls look only at IP addresses, port numbers, and protocol types, while others (OSI Layer 7 firewalls) perform deep packet inspection. The best approach is to block everything and then create firewall rules to allow only traffic that is necessary.

Firewalls can be hardware or software based. Hardware-based appliances are generally more stable and can handle more traffic than their software counterparts. Just remember that hardware appliances also get firmware updates, so be sure to subscribe to vendor update notifications.

Host-based Firewalls

A host-based firewall runs as software on a specific host. Windows computers use Windows Defender Firewall (configured through the GUI or the command line), while UNIX and Linux systems use command line tools such as iptables, its successor nftables, or the Uncomplicated Firewall front end (ufw). These are considered OSI Layer 4 firewalls because they can allow or deny traffic based on the following:

•   Source IP address

•   Destination IP address

•   Source port

•   Destination port

•   Protocol type

Some Windows services such as AD require multiple ports for communication, in which case it is possible to work with groups of firewall rules, some of which are already included in Windows.

Windows Firewall  The Windows Firewall can be configured in the GUI (Figure 6-11) or through the command line. Consider the following PowerShell example (not case-sensitive), which allows Active Directory–related communications by using a supplied firewall rule group:

Images

Figure 6-11  Creating a firewall rule using the Windows Firewall GUI

Enable-NetFirewallRule -DisplayGroup "Active Directory Domain Services"

We could also add a custom firewall rule using PowerShell. In this example, assume we’ve installed an SSH listener on our Windows host. You don’t want to enable access through Telnet because usernames and passwords are sent in clear text. So, to allow inbound SSH traffic, you’d use this:

Images

Linux Firewall  You can use a variety of methods to configure a Linux firewall. With some Linux variants, for example, to allow incoming SSH administrative traffic, an iptables command would look like this:

Images

-A INPUT means append the rule to the INPUT chain (traffic destined for this host), -p tcp means the protocol, -m tcp loads the TCP match module so that --dport (the destination port) can be used, and -j ACCEPT means jump to the ACCEPT target. Rules are evaluated in order and the first match wins, so an allow rule like this must appear before any catch-all drop rule, and the chain’s default policy (set with iptables -P INPUT DROP) should be to drop whatever no rule allows. iptables rules live only in kernel memory: save them with your distribution’s persistence mechanism (iptables-save with the iptables-persistent package, or firewalld) or they are gone after a reboot.

You could then list firewall rules with the following command:

iptables -L

Network-based Firewalls

Routers or specialized appliances function as network-based firewalls. These devices have at least two network interfaces and can be configured with NACLs to control inbound and outbound traffic. They are placed on the network where network traffic that must be examined will flow into and out of the network, such as between the Internet and an internal network. These are often called perimeter firewalls.

Dedicated network-based firewall appliances are designed to be a firewall (unlike an operating system running firewall software) and are hardened to the hilt. They come in both hardware and software appliance forms.

Reverse Proxy Servers  A reverse proxy server acts as an application-layer gateway and is often counted as a type of network-based firewall. Forward, or “normal,” proxy servers fetch items from the Internet, such as web pages, on behalf of an internal client. Often, that content is cached on the proxy server to speed up subsequent requests for that same content.

Reverse proxy servers listen for incoming traffic, such as traffic destined for a web server. Although to the Internet it appears the reverse proxy server is the real web server, it isn’t; it forwards requests quietly to a web server on an internal protected network. Along the way it can terminate TLS, hide the real server’s address and software version, and inspect or filter requests (a web application firewall is typically built on exactly this position in the network).

Stateful and Deep Packet Inspection  Basic packet filtering decides on each packet by itself, using only the IP addresses, port numbers, and protocol type in its headers. A stateful firewall goes a step further: it tracks connections (TCP sessions, and pseudo-sessions for UDP and ICMP) in a state table, so a reply packet is allowed only if it belongs to a connection that was permitted on the way out, and a stray TCP packet that doesn’t open a connection is dropped even if it carries the right port numbers. This is called stateful packet inspection, and it is a given with network-based firewalls and with modern host-based firewalls.

Deep packet inspection (DPI) goes beyond this OSI Layer 4 view of packet headers; it examines the payload all the way up to OSI Layer 7, the application layer. Allowing or blocking traffic based on details such as the HTTP method and URL, the server name in a TLS handshake, or a malware signature inside a download provides much more control than allowing or blocking traffic based solely on packet headers. Bear in mind that DPI cannot see inside encrypted payloads unless the firewall terminates or intercepts the TLS session.
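As an added illustration (not code from the book or from any firewall product), the following Python model implements the five-tuple matching listed under host-based firewalls together with the state table described for stateful inspection: a default-deny, first-match rule set, plus a connection table that lets reply traffic through without an inbound rule and drops TCP packets that don’t open a connection. Addresses come from the RFC 5737 documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False     # TCP flags; ignored for other protocols
    ack: bool = False


@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    direction: str               # "in" (toward the protected side) or "out"
    proto: Optional[str] = None  # None matches any protocol
    src: Optional[str] = None    # CIDR; None matches any address
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet, direction: str) -> bool:
        if self.direction != direction or (self.proto and self.proto != pkt.proto):
            return False
        if self.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


class StatefulFilter:
    """Default-deny, first-match rule set with a connection state table."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.sessions = set()   # 5-tuples of connections already permitted

    @staticmethod
    def _forward(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse(pkt):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt: Packet, direction: str) -> str:
        # 1. Part of a connection already allowed (either direction): no rule lookup needed.
        if self._forward(pkt) in self.sessions or self._reverse(pkt) in self.sessions:
            return "allow"
        # 2. A TCP packet that is not the opening SYN cannot create a new connection.
        #    This drops ACK scans and injected segments that a stateless
        #    "allow if ACK is set" rule would let through.
        if pkt.proto == "tcp" and not (pkt.syn and not pkt.ack):
            return "deny"
        # 3. First matching rule decides; an allow creates state for the reply traffic.
        for rule in self.rules:
            if rule.matches(pkt, direction):
                if rule.action == "allow":
                    self.sessions.add(self._forward(pkt))
                return rule.action
        # 4. Nothing matched: default deny.
        return "deny"
```

A real firewall also times sessions out and tracks the TCP handshake and teardown, but the ordering shown, state table first, then rules, then default deny, is the same one iptables expresses with an early `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` rule followed by explicit allows and a DROP policy.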

Many public cloud companies offer various types of firewalls in the cloud, a part of Security as a Service (SECaaS). For example, the Microsoft Azure cloud uses Network Security Groups (NSGs) to control inbound and outbound traffic at the subnet and virtual NIC (VNIC) levels, as shown in Figure 6-12.

Images

Figure 6-12  A Microsoft Azure Network Security Group rule

Distributed Denial-of-Service Attacks  Not all distributed denial-of-service (DDoS) attacks are sophisticated; conceptually speaking, DDoS attacks are like jamming a communication channel with static so nothing meaningful gets through. The “distributed” part of DDoS means an attacker could have hundreds or thousands of infected computers (zombies and zombie nets) at their disposal to execute the attack.

Packet flooding can bring down a victim server or an entire network if enough machines send enough bogus traffic in a short period of time. Servers and network infrastructure equipment can handle only so much traffic at a time; too much garbage traffic means legitimate traffic doesn’t get processed, and therein lies the issue. Of course, it takes very little to spoof the source IP address of the zombie computers that ran the attack, so tracking down the culprit machines is made more difficult.

One common mitigation technique is to “black hole” the traffic: discard all traffic destined for the victim address, usually upstream at the provider. Of course, this means legitimate traffic is also lost, so the attacker still achieves their objective; black-holing protects the rest of the network rather than the victim. Depending on the specific DDoS attack, router ACLs and rate limiting can block some traffic, but doing this could require hundreds of ACL rules, and a volumetric attack saturates the Internet link before any on-premises device ever sees the packets. Suffice it to say that standard firewalls are not designed to mitigate DDoS attacks; that requires capacity upstream, such as a provider-side scrubbing service or an anycast content delivery network in front of the service.

DDoS perpetrators often demand payment from victims before they will turn off the packet tap. You may remember the BetCRIS DDoS attacks in 2003. (BetCRIS is still an online sports betting site.) Attackers would launch a DDoS against BetCRIS before major live sporting events. The attackers demanded US$40,000 to cease the attacks for up to 12 months. For every day offline, BetCRIS lost up to $100,000. Although a software developer was able to block that particular attack, further attacks by DDoS extortionists are expected, and this type of attack is becoming more problematic for other online businesses.

Security Zones

Planning a network layout involves dealing with sensitive systems residing on protected internal networks and services that should be visible to the Internet on external public-facing networks. An intranet is an internal network that can offer connection services like those found on the Internet.

Isolation is key. Firewalls control traffic from the Internet into the public-facing network, which in turn has a second firewall that further controls traffic into and out of an internal secured network. You must always make sure that internal data is not replicated to a public-facing network—examples include DNS servers in a public network replicating with internal DNS servers—and the same goes for replicating directory services (such as Microsoft AD).

Screened Subnets

A screened subnet (formerly referred to as a demilitarized zone, or DMZ) is an external, public-facing network in which we place services that should be reachable from the Internet, such as the following:

•   VPN appliances

•   SMTP mail servers

•   Web servers

•   FTP servers

Normally, a reverse proxy exists in the screened subnet, which listens for client requests for these services, and the services themselves exist on a different internal network that is protected by a firewall. Figure 6-13 shows an example of a firewall layout in a screened subnet network.

Images

Figure 6-13  Firewalls in a screened subnet layout

Images

EXAM TIP   You could see an exam question about placement of firewalls or rules on a network architecture diagram. Remember that public services should exist in the screened subnet either literally, or they should be accessible from the screened subnet through a reverse proxy.

PKI

A Public Key Infrastructure (PKI) is a hierarchy of digital security certificates issued to users, devices, or services for the purposes of security. PKI certificates can be used to encrypt and digitally sign sensitive e-mail messages, to encrypt files, to authenticate a smartphone to a VPN, to secure a web site over HTTPS, and for other purposes.

The root certificate authority (CA) is at the top of the hierarchy, and it can have subordinate (intermediate) CAs, such as in a large organization where each region may want its own CA. A registration authority (RA) is a separate role: it verifies the identity of whoever is requesting a certificate and approves the request, but it does not sign certificates itself. Finally, the actual PKI certificates are issued by either the root CA or, far more commonly, a subordinate CA, as pictured in Figure 6-14.

Images

Figure 6-14  PKI hierarchy

You can install your own CA within your organization. Its root certificate is self-signed; every other certificate in the hierarchy is signed by the root or by a subordinate CA, and clients trust those certificates only once the root certificate has been distributed to their trusted root stores. Certificates can be manually requested and issued or automatically issued (autoenrollment), which is possible using Microsoft Group Policy.

The root, or top-level, CA should be kept offline and used only to sign subordinate CA certificates and its own revocation list, because if it is compromised, so, too, are all certificates issued within that hierarchy. Day-to-day issuance is done by the online subordinate CAs, which can be revoked and replaced individually if one of them is compromised.

Instead of an internal CA, you can also acquire PKI certificates issued by third-party CAs that operating systems and browsers already trust, such as Amazon, Google, DigiCert (which acquired the Symantec CA business, itself formerly VeriSign), and the free, automated Let’s Encrypt, to name a few.

PKI Certificate Contents

The certificate itself, also called an X.509 certificate, is a file that can be distributed freely, because it contains only public information; when it is bundled together with its private key (for example, in a PKCS #12 file), that bundle must be password-protected. The private key can also be generated and kept on a smart card or hardware token, where it never leaves the device. But what exactly is stored in a PKI certificate?

When a certificate is issued by a CA or an intermediate CA, a template is used that contains details on what should be stored in the certificate. Common fields in the certificate (along with examples) include the following:

•   Serial number  A number unique to the issuing CA, used to identify the certificate in revocation lists.

•   Subject name and Subject Alternative Names  Who or what the certificate identifies, such as a user’s e-mail address or the fully qualified domain name (FQDN) of a web site; browsers require a web site’s names to appear in the Subject Alternative Name extension.

•   Issuer name  The CA that signed the certificate, which lets a client walk the chain back to a trusted root.

•   Public key and its algorithm  Only the public half of the key pair. The mathematically related private key is never part of the certificate; it must be kept secret and is stored in a key store on the device (or on a smart card or hardware security module), and it travels with the certificate only when the two are exported together as a password-protected PKCS #12 file.

•   Certificate use (key usage and extended key usage)  What the key may be used for, such as e-mail or file encryption, TLS server authentication, or code signing for developers.

•   Validity period  The date of issuance and the expiration date; the certificate can no longer be used once it expires, and the CA can revoke it earlier through a certificate revocation list (CRL) or the Online Certificate Status Protocol (OCSP).

•   Digital signature of the CA  Along with the signature algorithm used, so that anyone holding the CA’s certificate can verify that the contents have not been altered.

The certificate can be exported with or without its private key, depending on the purpose. When certificates are exchanged with other users for e-mail encryption, only the certificate itself (which holds the public key) is shared: encrypting an e-mail message requires the public key of each recipient, so the recipient provides their certificate to the sender, and the mathematically related private key, which never leaves the recipient’s key store, is used by the recipient to decrypt the message.

SSL and TLS

Secure Sockets Layer (SSL) is a network security protocol that was developed in the 1990s by Netscape. Like its successor, Transport Layer Security (TLS), SSL provides encryption and authentication between communicating devices over a network. TLS version 1.3 is the latest version as of this writing.

Images

CAUTION   Don’t use any version of SSL (2.0 or 3.0) or TLS versions 1.0 and 1.1; they are deprecated (TLS 1.0 and 1.1 formally so by RFC 8996) because of many known security vulnerabilities. Use TLS 1.2 with modern cipher suites, or TLS 1.3.

HTTP web servers use TCP port 80 for unencrypted connections and port 443 for HTTPS encrypted connections (the port numbers may vary, but these are normally used). The same is true for other higher level protocols: Simple Mail Transfer Protocol (SMTP) submission uses port 587 with STARTTLS or port 465 for implicit TLS, Post Office Protocol (POP3) uses port 995 for POP3S, IMAP uses port 993 for IMAPS, and so on. Whether you use SSL or TLS, the server needs a PKI certificate, and clients must verify it (name, validity period, chain to a trusted root, revocation status); encryption without that verification protects against eavesdropping but not against impersonation.

When the option is available, you should use the newest version of TLS that the application supports. On a Windows server, the protocol versions available to applications that use SChannel are controlled by registry keys under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols; use them to disable SSL 3.0, TLS 1.0, and TLS 1.1 and to keep TLS 1.2 and 1.3 enabled. On Linux, applications built on OpenSSL (web servers, mail servers, browsers, and so on) are configured per application, through directives such as Apache’s SSLProtocol or nginx’s ssl_protocols, or centrally through the system-wide crypto policy on distributions that provide one.
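The following Python snippet is an added example, not from the book, showing the same hardening applied through the standard library’s ssl module, which is what an application on either platform does when it doesn’t inherit the system policy: it pins the minimum version to TLS 1.2, keeps certificate and hostname verification on for clients, restricts TLS 1.2 servers to forward-secret AEAD suites, and includes an audit helper that reports which deprecated versions a context would still negotiate. The certificate and key file paths are placeholders.

```python
import ssl


def harden_tls_context(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Restrict a context to TLS 1.2 and 1.3 and turn off TLS compression (CRIME attack)."""
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def client_context(cafile=None) -> ssl.SSLContext:
    """Client side: hardened versions plus mandatory certificate and hostname verification."""
    ctx = ssl.create_default_context(cafile=cafile)   # system trust store when cafile is None
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return harden_tls_context(ctx)


def server_context(certfile: str, keyfile: str) -> ssl.SSLContext:
    """Server side: hardened versions; TLS 1.2 limited to forward-secret AEAD suites
    (TLS 1.3 suites are fixed by the protocol and need no cipher string)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)            # e.g. "/etc/pki/server.pem" (placeholder)
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return harden_tls_context(ctx)


_DEPRECATED = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)


def deprecated_versions_allowed(ctx) -> list:
    """Audit check: names of deprecated protocol versions the context would still negotiate.
    MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED are sentinels, so they are mapped to open bounds."""
    def bound(version, default):
        sentinels = (ssl.TLSVersion.MINIMUM_SUPPORTED, ssl.TLSVersion.MAXIMUM_SUPPORTED)
        return default if version in sentinels else int(version)
    low = bound(ctx.minimum_version, 0)
    high = bound(ctx.maximum_version, 0xFFFF)
    return [v.name for v in _DEPRECATED if low <= int(v) <= high]
```

The audit helper is the part worth keeping: run it against every context your code creates in a unit test, so that a future edit that relaxes the minimum version (or a library default that changes underneath you) fails the build rather than silently re-enabling TLS 1.0.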

IPSec

Even though it’s built into IPv6, Internet Protocol Security (IPSec) also works with IPv4. Contrary to popular belief, IPSec is not used solely for VPNs.

Unlike SSL and TLS, IPSec is not configured for each application. Consider the fact that you need to acquire a PKI certificate and configure both apps to use the certificates if you want to secure an HTTP web server and an SMTP mail server. With IPSec, you can secure network traffic without acquiring a PKI certificate for each individual app or server. IPSec doesn’t even require the use of PKI certificates.

IPSec applies policy settings to computers, and this dictates how it will be used. For example, on a Windows server, IPSec is configured as part of the Windows Firewall under Connection Security Rules. It can be configured to be used where both parties communicating over a network use IPSec to secure network traffic, regardless of the protocol being used.

This is an interesting concept, because all the network traffic within your organization could be encrypted and authenticated using IPSec without your having to configure security for each app or network service. Even ping traffic could be encrypted. Some enterprise networks don’t encrypt internal network traffic, but bear in mind that many threats can cause havoc within a network, so if you have the option, you should encrypt all internal traffic.

Configuring IPSec requires some kind of key for authentication. Figure 6-15 shows key options when configuring Windows Firewall, including using the Kerberos protocol, certificates, and preshared keys.

Images

Figure 6-15  IPSec authentication options

Images

EXAM TIP   You might get exam questions testing your knowledge of authentication protocols. For computers joined to an AD domain, the Kerberos protocol is the best choice for authentication, because each computer proves its identity with its own domain credentials and no extra secrets have to be distributed. A preshared key is the weakest option: it is a single static secret that every participating host must know, so it has to be distributed and stored securely on each of them, and anyone who learns it can impersonate any host in the group. (All IPSec traffic is ultimately protected with symmetric session keys; what differs between the options is how the peers prove who they are before agreeing on those keys.)

IPSec Tunnel Mode

IPSec tunnel mode is normally used between two gateway devices, such as a site-to-site VPN over the Internet. It works by having the Encapsulating Security Payload (ESP) protocol encrypt and authenticate the entire original IP packet (header and payload, not just the payload) and then adding a new IP header, addressed from one gateway to the other, so that the transmission can get to the other end of the tunnel. An observer on the Internet sees only the two gateway addresses, not the real source and destination hosts.

Tunnel mode can also be used between a client and a server or VPN appliance. In technical jargon, the original IP packet is said to be “encapsulated” in a new IPSec packet.

IPSec Transport Mode

IPSec transport mode keeps the original IP header and protects only what follows it: ESP encrypts and authenticates the transport-layer header and payload (TCP, UDP, ICMP, and so on), so the communicating hosts’ addresses remain visible on the wire while their conversation is protected regardless of the protocol being used. Transport mode is what host-to-host IPSec policies, such as the Windows connection security rules described earlier, normally use.
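The following Python model is an added example (not code from the book or from any IPSec implementation) that makes the difference between the two modes concrete. It uses a simplified 9-byte IP header and a toy ESP built from SHA-256 in counter mode plus an HMAC tag, which stands in for AES-GCM and must not be used as real cryptography; the point is the packet structure. Both modes are built from the same original packet, and an observer function shows what a sniffer on the path learns from each. Addresses are from the RFC 5737 documentation ranges.

```python
import hashlib
import hmac
import os
import socket
import struct

PROTO_TCP, PROTO_ESP = 6, 50
ICV_LEN = 16


def ip_header(src: str, dst: str, proto: int) -> bytes:
    """Simplified IP header: source, destination and next-protocol only (9 bytes)."""
    return struct.pack("!4s4sB", socket.inet_aton(src), socket.inet_aton(dst), proto)


def split_ip(packet: bytes):
    src, dst, proto = struct.unpack("!4s4sB", packet[:9])
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, packet[9:]


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """SHA-256 in counter mode as a stand-in for AES; toy only, not for real use."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + struct.pack("!I", counter)).digest()
        counter += 1
    return out[:length]


def esp_encapsulate(enc_key, auth_key, spi: int, seq: int, plaintext: bytes) -> bytes:
    """ESP-like payload: SPI | sequence | IV | ciphertext | ICV (encrypt-then-MAC)."""
    iv = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, iv, len(plaintext))))
    body = struct.pack("!II", spi, seq) + iv + ciphertext
    return body + hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]


def esp_decapsulate(enc_key, auth_key, esp: bytes) -> bytes:
    """Verify the ICV first; a tampered packet is dropped before anything is decrypted."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ESP integrity check failed; packet dropped")
    iv, ciphertext = body[8:24], body[24:]
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, iv, len(ciphertext))))


def transport_mode(keys, spi, seq, packet):
    """Original header stays (its next-protocol becomes ESP); only what follows is protected."""
    src, dst, proto, payload = split_ip(packet)
    return ip_header(src, dst, PROTO_ESP) + esp_encapsulate(*keys, spi, seq, bytes([proto]) + payload)


def tunnel_mode(keys, spi, seq, packet, gateway_src, gateway_dst):
    """Whole original packet, header included, is protected; a new gateway-to-gateway header is added."""
    return ip_header(gateway_src, gateway_dst, PROTO_ESP) + esp_encapsulate(*keys, spi, seq, packet)


def observer_sees(wire):
    """What a sniffer on the path learns from the outer header alone."""
    src, dst, proto, _ = split_ip(wire)
    return src, dst, proto


def decapsulate_transport(keys, wire):
    src, dst, _, esp = split_ip(wire)
    inner = esp_decapsulate(*keys, esp)
    return ip_header(src, dst, inner[0]) + inner[1:]


def decapsulate_tunnel(keys, wire):
    _, _, _, esp = split_ip(wire)
    return esp_decapsulate(*keys, esp)
```

Real ESP also uses the sequence number for anti-replay protection and, in tunnel mode, lets the receiving gateway route the recovered inner packet on to its true destination; neither is modelled here.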

VPNs

A VPN provides an encrypted, secured connection to a target private network over an untrusted network such as the Internet. VPNs have long been used by people who work from home or who travel, as well as to link sites together over the Internet.

Client-to-site VPNs require client VPN software configured to connect to a VPN appliance in a company screened subnet (or reachable through a reverse proxy in the screened subnet). Once a user authenticates to the VPN, ideally using multifactor authentication, the encrypted tunnel is established and any network traffic between the client and VPN appliance is secured.

Site-to-site VPNs require a VPN appliance at two different network sites. A point-to-point encrypted tunnel is established between the two VPN appliances that link networks together. It can also be used between an on-premises network and a public cloud provider’s network.

The most common types of VPN protocols are

•   Point-to-Point Tunneling Protocol (PPTP)  Obsolete; its MS-CHAPv2 authentication and RC4-based encryption are broken, and it should no longer be used for anything.

•   Layer 2 Tunneling Protocol with IPSec (L2TP/IPSec)  L2TP carries the traffic and IPSec protects it.

•   IKEv2/IPSec  IPSec keyed with Internet Key Exchange version 2, built into current Windows, macOS, iOS, and Android clients.

•   TLS (still widely called SSL) tunnel  Used by OpenVPN and by most vendor “SSL VPN” appliances.

•   WireGuard  A newer, deliberately small protocol built on modern cryptography.

If the VPN appliance is using an L2TP/IPSec or IKEv2 VPN, the VPN client software must be configured accordingly. SSL/TLS VPNs have become popular because they use the standard HTTPS port (TCP 443), which is open in most of today’s firewalls, whereas IPSec needs UDP ports 500 and 4500 (and, without NAT traversal, IP protocol 50) to pass.

Intrusion Detection and Prevention Systems

Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) play big roles in securing hosts and networks. They look for known attack patterns (signature-based detection) and for anomalous, or suspicious, activity that doesn’t match normal usage patterns (anomaly-based detection). An IDS detects and alerts; an IPS sits inline and can also block.

Host Intrusion Detection System

A host intrusion detection system (HIDS) detects suspicious activity related to a specific host, such as an HTTP web server running multiple web apps. By monitoring network traffic into and out of the host, operating system, and application logs, the ID engine can determine whether something is out of the ordinary.

A HIDS must be configured to look for abnormalities; sophisticated solutions can monitor host activity over time and generate a baseline of normal activity. One benefit of a HIDS is that it can read traffic that is encrypted over the network; once the host decrypts that traffic, it can be examined. ID systems can send alert notifications to technicians, who can then take further action.

Network Intrusion Detection System

A network intrusion detection system (NIDS) is a standalone appliance or sensor that watches network activity, looking for anomalies and attack signatures. For this to work, the NIDS must be able to see all of the traffic of interest. Security information and event management (SIEM) software complements it by providing a centralized repository for logs, audit events, and security device alerts, and by correlating them to detect and notify admins of suspicious activity that no single sensor would flag on its own. For example, an attacker who has planted a backdoor on a compromised server may use it quietly for a long time; a NIDS may not object if the traffic looks like ordinary administration, but a SIEM correlating the server’s logs can flag repeated logins at abnormal times or from addresses never before associated with that account. (Patching closes the hole the attacker used to get in; it does not remove a backdoor that is already installed.)
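As an added example of the kind of correlation just described (not code from the book or from any SIEM product), the following Python script parses successful sshd logins out of syslog-format lines and applies two simple detections: accounts with repeated logins outside business hours, and a login from an address never before seen for that account. The log lines are constructed for the example and do not come from a real system; the business-hours window and thresholds are assumptions a real deployment would baseline per host.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines in syslog format (not from a real system).
SAMPLE_LOG = """\
Mar 12 02:14:07 web01 sshd[2211]: Accepted password for svc_backup from 10.0.5.17 port 51022 ssh2
Mar 12 09:03:41 web01 sshd[2290]: Accepted publickey for alice from 10.0.1.20 port 50110 ssh2
Mar 13 02:19:33 web01 sshd[3102]: Accepted password for svc_backup from 10.0.5.17 port 51034 ssh2
Mar 14 02:11:58 web01 sshd[4020]: Accepted password for svc_backup from 10.0.5.17 port 51050 ssh2
Mar 14 13:40:12 web01 sshd[4411]: Failed password for root from 203.0.113.9 port 40022 ssh2
Mar 15 03:02:45 web01 sshd[5010]: Accepted password for svc_backup from 203.0.113.44 port 40310 ssh2
"""

ACCEPTED = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_accepted_logins(text, year=2024):
    """Turn successful sshd logins into event dicts, oldest first.
    Classic syslog lines carry no year, so one has to be supplied."""
    events = []
    for line in text.splitlines():
        m = ACCEPTED.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "user": m["user"],
                       "ip": m["ip"], "method": m["method"]})
    return sorted(events, key=lambda e: e["ts"])


def repeated_off_hours_logins(events, start_hour=8, end_hour=18, threshold=3):
    """Users with `threshold` or more successful logins outside business hours."""
    off_hours = defaultdict(list)
    for e in events:
        if not start_hour <= e["ts"].hour < end_hour:
            off_hours[e["user"]].append(e)
    return {user: evs for user, evs in off_hours.items() if len(evs) >= threshold}


def logins_from_new_sources(events):
    """Logins from an address never before seen for that account (events must be time-ordered).
    The first login ever seen for an account establishes its baseline and is not flagged."""
    seen = defaultdict(set)
    alerts = []
    for e in events:
        if seen[e["user"]] and e["ip"] not in seen[e["user"]]:
            alerts.append(e)
        seen[e["user"]].add(e["ip"])
    return alerts
```

The two detections are deliberately different in quality. A service account that runs a backup job every night will trip the off-hours rule forever, which is why such accounts need their own baseline rather than the human one; the same account suddenly logging in from an address it has never used is the signal worth waking someone for, and it is only visible because the logs were forwarded to a place where the account’s history could be kept.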

In a switched environment, a switch forwards each unicast frame only to the port where the destination lives, so the NIDS sees nothing unless the switch administrator configures port mirroring (a SPAN port, in Cisco terms) to copy traffic to the port the NIDS is connected to, or a network TAP is inserted in the path. Here’s an example using the open-source Snort IDS, in which rules determine what gets monitored. The Snort command line or configuration file specifies output log file locations for alert messages. To generate an alert for ICMP traffic from any host to any host and assign the rule a unique Snort ID (sid; locally written rules should use sids of 1,000,000 and above so they don’t collide with the distributed rule sets), our Snort rule is configured as follows:

alert icmp any any -> any any (msg:"ICMP Traffic Detected";sid:3000003;)

Intrusion Prevention Systems

Intrusion prevention systems (IPSs) extend the functionality of IDSs by taking steps to prevent further damage when malicious activity is detected. Like IDSs, IPSs must be tuned for the specific host (HIPS) or network (NIPS) environment they will be monitoring. An IPS can, for example, detect malware and remove or prevent the infection from spreading. Another example is excessive packets received from a remote network in a short amount of time; an IPS could block further traffic from that network address.

Hardening

Hardening a server reduces its attack surface. In a data center, server hardening is done through a centralized configuration and not on each and every individual server. Server operating system images can be hardened so that newly installed servers are reasonably safe right from the start. The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-123, “Guide to General Server Security,” provides guidance for securing servers including logging, patching, access control, backups, and more. You can view this document at https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123.pdf.

Keeping systems secure is an ongoing process. Periodic vulnerability scans should be conducted to detect weaknesses in hardware, operating systems, and applications. Some vulnerability scanners can automatically correct or remediate weaknesses; others will only report the discovered vulnerabilities. Often, patching and following secure configuration guidelines reduce vulnerabilities.

Operating System Hardening

There’s no reason why a HIDS or HIPS shouldn’t be implemented on each and every server. It makes sense for each server to have a dedicated component that watches for malicious activity, including malware, and either notifies administrators or takes some kind of corrective action.

The good news is that most modern server operating systems do not have much installed by default, so right away you’re off to a good start. The following list contains common items addressed when hardening servers:

•   Apply firmware updates to the BIOS/UEFI, RAID controllers, NICs, and the baseboard management controller (BMC), and keep the BMC on a separate management network.

•   Set a UEFI/BIOS administrator password to prevent changing the boot order, and enable UEFI Secure Boot so that only signed boot loaders run.

•   Enable CPU No-eXecute (the NX bit, called XD by Intel) at the BIOS level. It lets the operating system mark data pages such as the stack and heap as non-executable, which blunts the classic buffer overflow attack that runs injected code from a data buffer (it does not stop every memory corruption exploit).

•   Lock the server chassis or rack case.

•   Disable Wake-on-LAN; you don’t want servers brought down for maintenance to be remotely awakened.

•   Apply operating system updates.

•   Apply application software updates.

•   Follow OS and application configuration best practices (the CIS Benchmarks and the vendor’s security baselines are good starting points).

•   Enable multifactor authentication, at least for administrative and remote access.

•   Install a HIDS/HIPS component.

•   Keep your antimalware solution up to date.

•   Configure a host-based firewall and block unused ports (default deny inbound).

•   Disable unused services and daemons.

•   Disable unused accounts, and rename or disable default accounts.

•   Enable auditing or logging related to the IT workload: audit user logins, group membership changes, user file system activity (including file deletion), database row modifications, and so on. Forward copies of log entries to a different host so that an intruder on the server cannot quietly erase them; Windows Event Forwarding and Linux syslog forwarding (rsyslog or syslog-ng) make this straightforward.

•   Follow the principle of least privilege when assigning rights and permissions.

•   Enable network encryption for all traffic if possible (encrypt data in transit). Traffic on internal networks should also be encrypted (consider using IPSec).

•   Encrypt data at rest on all storage media.

•   Plan for hardware failure (power supplies, disks) by configuring redundancy such as RAID levels for disks.

None of these items should be a surprise, especially since most organizational security policies will insist on these configurations.

Hardware Hardening

In addition to applying the latest firmware updates for server hardware, you must apply firmware updates for network infrastructure and network devices: this is crucial. Disable or unplug hardware that isn’t required. Hardware to consider includes the following:

•   Routers

•   Switches

•   SAN switches

•   SAN backup devices

•   Disk arrays

•   Network printers

•   VPN appliances

•   Firewall appliances

•   Wireless access points

•   Wireless routers

When it comes to devices such as network switches, you’ll need to consider an entire set of configuration items when hardening. For instance, unused switch ports should be disabled; switch ports should not allow numerous MAC addresses, which could indicate a VLAN MAC flooding attack; remote Telnet administration should be disabled in favor of SSH; and so on.

Application Hardening

Many hardening techniques that apply to hardening server OSs also apply to application hardening. You need to have a strong knowledge of the application before locking it down so that you can keep it functional. Of course, if you don’t need an application or service running, don’t even install it—or, at the very least, disable it.

Patching is always crucial, whether for operating systems, drivers, or specific application patches. For example, plenty of Microsoft Office memory corruption vulnerabilities have been addressed by patches. To be fair, the open-source LibreOffice has had its share of vulnerabilities, often in the form of buffer overflows. Ideally, you will have a sandbox environment where you can test patches before they are deployed to a production environment (virtualization makes this easy).

Hardening an application also includes modifying its default configuration. For instance, you might choose to disable collaborative sharing features in an app to prevent sensitive data leakage, or you might configure macro security in a spreadsheet to enable only trusted digitally signed macros to execute. You can use security configuration baselines to compare current device configurations to detect changes, and, depending on the tool being used, revert configurations back to a secure state.

Using PowerShell scripts for automating Windows Server administrative tasks is becoming more and more popular, but malicious users can also cause damage or steal data if they can get a script to run on a device. One control is to set the script execution policy to AllSigned, so that only scripts digitally signed by a trusted publisher run, as shown in Figure 6-16. Bear in mind that Microsoft documents the execution policy as a safety feature rather than a security boundary (an attacker who can already run commands can bypass it), so pair it with script block logging, constrained language mode, and application control such as AppLocker or Windows Defender Application Control.

Images

Figure 6-16  Hardening the PowerShell script execution policy

Data Security

Data, however it is being used, should always be encrypted when possible using strong encryption ciphers. Encrypted data presents another layer of defense that malicious users have to overcome. Data can exist in various states:

•   Data in use  Currently being processed

•   Data in motion  Transmitted over a network

•   Data at rest  Stored on media

Encryption requires at least one key. With symmetric encryption, the same key is used to encrypt and decrypt. With asymmetric encryption, a pair of mathematically related keys is used: what one key encrypts, only the other can decrypt. A PKI certificate carries the public key, and the matching private key is held separately by the certificate’s owner; so, for example, data encrypted with the public key from someone’s certificate can be decrypted only by the holder of the related private key. In practice the two are combined: a fast symmetric key encrypts the data, and the asymmetric key pair is used to exchange or protect that symmetric key.

Data loss prevention (DLP) tools can increase an organization’s control in preventing sensitive data from leaving the organization or intellectual property becoming available to unauthorized users. This means labeling data so it can be handled in accordance with DLP policies. Examples include adding digital watermarks to documents or photos to prevent unwanted publication, disallowing files from being copied to removable media to prevent unwanted duplication, or preventing e-mail messages with sensitive file attachments from being sent to recipients outside of the organization.

DLP is designed to reduce or eliminate data breach incidents. It can be configured with products such as Microsoft Exchange for e-mail, as well as in the cloud using Azure Information Protection (AIP). These days, organizations must comply with data breach notification laws to disclose security breaches to affected stakeholders.

Data and Mobile Devices

Mobile device use in a business environment presents an enormous threat. Centralized management of mobile device options is absolutely paramount, including logical partitioning, or containerization. Business apps, settings, and data must be kept separate from users’ personal apps, settings, and data if users will be accessing personal mobile devices onsite.

A centralized data leakage prevention tool must be used to ensure, for example, that sensitive file attachments cannot be stored on removable thumb drives or shared on social media sites.

Geofencing is another great way to control where mobile device apps can be used. In retail, for example, potential customers in a mall may have access to coupons online only when they are inside the mall. On the security side, a mobile device app that can access sensitive information may be usable only within certain physical boundaries. Signal blocking can be achieved in the case of a seized mobile device by using a Faraday bag to prevent the mobile device from transmitting or receiving data.

Encrypting Data at Rest

Organizations must discover and label data in their possession. Highly valued data, such as customer financial records, compared to product documentation, must be prioritized when it comes to applying security controls to protect that data. The business impact of losing highly valued data plays into the need to address security during the relevant data’s life cycle, including creation, storage, use, sharing, and eventually archiving and deletion. The annual cost of applying security controls to protect or replace data must not exceed the value of that data.

Encryption is one type of security control that can protect sensitive data. Encryption of data at rest prevents unauthorized access to stored sensitive data. We talked about encrypting data as it gets transmitted over the network; here, the focus is on protecting data when it’s stored on media. The physical location of data can also determine which data privacy laws are applicable. For example, a subpoena could be issued to a cloud provider in a specific region where the provider is required to provide access to stored data.

The Payment Card Industry Data Security Standard (PCI-DSS) requires merchants and service providers handling customer payment card information to protect it both in transit over open networks and at rest (stored primary account numbers must be rendered unreadable, by strong encryption, truncation, tokenization, or hashing); otherwise, they face steep fines and can lose the ability to process cards. In 1996, the U.S. government enacted the Health Insurance Portability and Accountability Act (HIPAA), which requires that protected health information (PHI) be safeguarded. There are many such data protection requirements for different types of data throughout the world.

Personally identifiable information (PII) is any information that can be used, alone or in combination, to identify an individual, such as a full name, a government identification number, or a home address; a payment card number is sensitive as well and falls under PCI DSS. Many laws, regulations, and security standards require PII to be labeled as such and encrypted.

Windows BitLocker

Windows client and server operating systems support the BitLocker Drive Encryption feature (on client editions it is included with Pro, Enterprise, and Education, but not Home; on Windows Server it is installed as a feature). BitLocker encrypts entire disk volumes, and its BitLocker To Go variant does the same for removable USB drives. Group Policy settings can be configured to require BitLocker encryption on certain types of drives and to prevent data writes to unencrypted removable drives.

The Trusted Platform Module (TPM) is a standardized secure cryptoprocessor, present on most laptop, desktop, and server motherboards either as a discrete chip or as firmware running in the platform’s security processor (fTPM). BitLocker can seal the key that unlocks a volume to the TPM, bound to measurements of the boot chain (firmware, boot manager, boot configuration) that the TPM records in its platform configuration registers (PCRs) at every startup. If those measurements change, for example because the boot sequence was altered or a different boot loader was introduced, the TPM will not release the key and BitLocker prompts for the recovery password instead. The same thing happens if the motherboard fails or the disk is moved to another computer, because the sealing secret lives inside that particular TPM. It is therefore essential to store recovery passwords and keys in a safe location (Active Directory Domain Services, Microsoft Entra ID, or an offline escrow) before a disk is ever needed in another system.

If a malicious user were to steal BitLocker-encrypted hard disks or thumb drives, the data would be inaccessible without the decryption key. Bear in mind that a TPM-only protector unlocks the volume automatically at boot, so a stolen laptop that boots into an intact operating system is protected only by the Windows logon; requiring a PIN or startup key in addition to the TPM (TPM+PIN) keeps the volume locked until a secret is supplied. You can see BitLocker configuration options in Figure 6-17.
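The measured-boot mechanism described above, as an added example that is not part of the chapter and is not Microsoft’s or any TPM vendor’s code: a SHA-256 hash chain stands in for a TPM platform configuration register, and HMAC under a secret that never leaves the SimTpm object stands in for the hardware sealing operation. The SimTpm class, the boot component strings, and the recovery password are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """PCR extend as a TPM does it: new = H(old || H(component)).
    One-way and order-sensitive, so one value summarizes the whole chain."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(boot_chain: List[bytes]) -> bytes:
    """Replay the measurements firmware and boot loader make at startup."""
    pcr = bytes(32)                              # PCRs are all zeros at power-on
    for component in boot_chain:
        pcr = pcr_extend(pcr, component)
    return pcr


class SimTpm:
    """Simulated TPM (an assumption of this example, not a real TPM interface).
    seal() binds a 32-byte key to an expected PCR value; unseal() releases it
    only when the PCR value presented at boot matches."""

    def __init__(self) -> None:
        self._secret = os.urandom(32)            # never leaves the "chip"

    def _stream(self, pcr: bytes) -> bytes:
        return hmac.new(self._secret, b"seal|" + pcr, hashlib.sha256).digest()

    def seal(self, key: bytes, expected_pcr: bytes) -> bytes:
        if len(key) != 32:
            raise ValueError("key must be 32 bytes")
        wrapped = bytes(k ^ s for k, s in zip(key, self._stream(expected_pcr)))
        tag = hmac.new(self._secret, b"tag|" + expected_pcr + wrapped, hashlib.sha256).digest()
        return wrapped + tag

    def unseal(self, blob: bytes, current_pcr: bytes) -> Optional[bytes]:
        wrapped, tag = blob[:32], blob[32:]
        expected = hmac.new(self._secret, b"tag|" + current_pcr + wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                          # measurements differ: the TPM refuses
        return bytes(w ^ s for w, s in zip(wrapped, self._stream(current_pcr)))


# Constructed boot chain; a real BitLocker policy binds to PCRs that cover the
# firmware, Secure Boot state, boot manager and boot configuration data.
GOOD_BOOT = [b"UEFI firmware 1.2", b"SecureBoot=on", b"bootmgfw.efi", b"BCD:default->winload.efi"]
# Constructed 48-digit recovery password in BitLocker's format (not a real key).
RECOVERY_PASSWORD = "111111-222222-333333-444444-555555-666666-777777-888888"


def unlock_volume(tpm: SimTpm, sealed_vmk: bytes, boot_chain: List[bytes]) -> Optional[bytes]:
    """What happens at boot: measure, then ask the TPM for the volume master key."""
    return tpm.unseal(sealed_vmk, measure_boot(boot_chain))


def make_recovery_protector(vmk: bytes, recovery_password: str) -> Tuple[bytes, bytes]:
    """Second, TPM-independent protector: the VMK wrapped under a key derived
    from the recovery password. This is the copy that must be escrowed."""
    salt = os.urandom(16)
    kek = hashlib.pbkdf2_hmac("sha256", recovery_password.encode(), salt, 200_000, 32)
    return salt, bytes(v ^ k for v, k in zip(vmk, kek))


def recover_vmk(protector: Tuple[bytes, bytes], recovery_password: str) -> bytes:
    salt, wrapped = protector
    kek = hashlib.pbkdf2_hmac("sha256", recovery_password.encode(), salt, 200_000, 32)
    return bytes(w ^ k for w, k in zip(wrapped, kek))


if __name__ == "__main__":
    tpm = SimTpm()
    vmk = os.urandom(32)
    sealed = tpm.seal(vmk, measure_boot(GOOD_BOOT))
    escrow = make_recovery_protector(vmk, RECOVERY_PASSWORD)
    tampered = [b"UEFI firmware 1.2", b"SecureBoot=off", b"bootmgfw.efi", b"BCD:default->winload.efi"]
    print("normal boot unlocks:    ", unlock_volume(tpm, sealed, GOOD_BOOT) == vmk)
    print("tampered boot unlocks:  ", unlock_volume(tpm, sealed, tampered) is not None)
    print("new motherboard unlocks:", unlock_volume(SimTpm(), sealed, GOOD_BOOT) is not None)
    print("recovery password works:", recover_vmk(escrow, RECOVERY_PASSWORD) == vmk)
```

The last two cases are the point: a replaced motherboard means a different TPM secret, so the sealed copy of the volume master key is useless, and only the escrowed recovery protector remains. That is why the recovery password must be stored before a failure, not after.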

Images

Figure 6-17  Windows BitLocker settings

Other third-party disk volume encryption tools can be used on Windows servers, including Symantec Endpoint Encryption and Sophos SafeGuard Enterprise, to name a few.

Windows Encrypting File System

Individual files and folders can be encrypted to provide data confidentiality. Microsoft has long included the Encrypting File System (EFS) within its Windows operating system; it works only on NTFS volumes, and a file copied to FAT or exFAT media is written in the clear. EFS ties encrypted files and folders to specific users (unlike BitLocker disk volume encryption, which protects the whole volume regardless of who logs on). Encryption and decryption are possible using the GUI as well as the cipher.exe command-line tool.

The first time a Windows user encrypts a file using EFS, a certificate and key pair are generated automatically if the user doesn’t already have one on the machine: a self-signed certificate on a stand-alone computer, or one issued by an enterprise certification authority when a CA with an EFS template is available in the domain. The certificate’s public key, and the private key held in the user’s profile, are employed for EFS encryption and decryption.

Technically, EFS uses a bulk symmetric key, the file encryption key (FEK), to encrypt the file’s data blocks. The user’s public key (from their certificate) is used to encrypt the FEK, and the encrypted FEK is stored with the file in its $EFS attribute. Each encrypted file has a different FEK, and a separate encrypted copy of the FEK is stored for every principal allowed to open the file, including any recovery agents. To decrypt a file, the user’s private key reveals the FEK, which in turn decrypts the blocks of data.

The user’s certificate and private key must be backed up (exported as a password-protected PFX file) to a safe location, because a rebuilt profile or a lost private key leaves the files unreadable. EFS data recovery agents (DRAs) can be configured through Group Policy to grant administrators the ability to decrypt users’ EFS-encrypted files. In a Microsoft AD environment, the domain Administrator account is the default recovery agent, so it can decrypt files on any station joined to the domain that were encrypted after the recovery policy applied. Because that makes the DRA’s private key a high-value target, export it and remove it from the online account, keeping it offline until a recovery is actually needed.
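The per-file key structure and the recovery-agent mechanism just described, as an added example written in Python; it is not the chapter’s code and not Microsoft’s EFS implementation. It assumes the third-party cryptography package is installed. A fresh file encryption key (FEK) is generated for every file, the content is encrypted under the FEK, and the FEK is encrypted to the public key of the owner and of every recovery agent (EFS keeps these copies as the DDF and DRF entries of the file’s $EFS attribute; the on-disk layout is not reproduced). The Principal and EncryptedFile classes and the account names are constructed for the demonstration.

```python
import os
from typing import Dict, Iterable, Optional

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


class Principal:
    """A user or recovery agent holding an RSA key pair, as an EFS certificate does."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        self.public_key = self.private_key.public_key()


class EncryptedFile:
    """Ciphertext plus one wrapped copy of the FEK per authorized principal."""

    def __init__(self, nonce: bytes, ciphertext: bytes, wrapped_feks: Dict[str, bytes]) -> None:
        self.nonce = nonce
        self.ciphertext = ciphertext
        self.wrapped_feks = wrapped_feks     # principal name -> FEK under that principal's public key


def efs_encrypt(plaintext: bytes, owner: Principal,
                recovery_agents: Iterable[Principal] = ()) -> EncryptedFile:
    fek = AESGCM.generate_key(bit_length=256)        # new bulk key for every file
    nonce = os.urandom(12)
    ciphertext = AESGCM(fek).encrypt(nonce, plaintext, None)
    wrapped = {p.name: p.public_key.encrypt(fek, OAEP) for p in (owner, *recovery_agents)}
    return EncryptedFile(nonce, ciphertext, wrapped)


def _unwrap_fek(f: EncryptedFile, who: Principal) -> Optional[bytes]:
    """None when the principal has no wrapped copy, or holds the wrong private key."""
    blob = f.wrapped_feks.get(who.name)
    if blob is None:
        return None
    try:
        return who.private_key.decrypt(blob, OAEP)
    except ValueError:
        return None


def efs_decrypt(f: EncryptedFile, who: Principal) -> Optional[bytes]:
    fek = _unwrap_fek(f, who)
    if fek is None:
        return None
    return AESGCM(fek).decrypt(f.nonce, f.ciphertext, None)


def add_recovery_agent(f: EncryptedFile, unlocker: Principal, agent: Principal) -> bool:
    """Grant a new agent access by re-wrapping the FEK; the content is not
    re-encrypted. On a real system, cipher /u performs this update on existing
    files after the recovery policy changes."""
    fek = _unwrap_fek(f, unlocker)
    if fek is None:
        return False
    f.wrapped_feks[agent.name] = agent.public_key.encrypt(fek, OAEP)
    return True


if __name__ == "__main__":
    uone = Principal("FAKEDOMAIN\\uone")
    dra = Principal("FAKEDOMAIN\\Administrator")
    utwo = Principal("FAKEDOMAIN\\utwo")
    budget = efs_encrypt(b"Q3 budget: constructed sample content", uone, [dra])
    print("owner reads:", efs_decrypt(budget, uone) is not None)
    print("DRA reads:  ", efs_decrypt(budget, dra) is not None)
    print("utwo reads: ", efs_decrypt(budget, utwo) is not None)
```

Two consequences follow directly from the structure: losing the owner’s private key does not lose the file as long as a DRA copy exists, and revoking a principal means removing their wrapped FEK and re-keying the file, not merely deleting a certificate.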

Files can be encrypted using the following command, where /e means encrypt:

cipher.exe /e D:\Projects\Project_A.txt

OpenSSL

Linux distributions ship the OpenSSL command-line utility (the openssl package), which can, among other things, encrypt files with a key derived from a password. Your chosen distribution may first require the package to be installed before file encryption is possible using OpenSSL.

To encrypt a file with a password-derived key, use this command (the -pbkdf2 option selects PBKDF2 key derivation; without it, current OpenSSL versions warn that the legacy derivation is deprecated):

openssl enc -aes-256-cbc -pbkdf2 -in project_b.txt -out project_b_encrypted.txt

To decrypt a file, use this command:

openssl enc -d -aes-256-cbc -pbkdf2 -in project_b_encrypted.txt -out project_b_decrypted.txt

Note that openssl enc provides confidentiality only. AES-CBC output is not authenticated, so a modified ciphertext is not detected: decryption either fails with a padding error or silently produces altered plaintext. Where tampering matters, sign the encrypted file separately or use a tool that authenticates what it encrypts, such as GnuPG.

Figure 6-18 shows the unencrypted contents of the project_b.txt sample file (test data) and the contents of the encrypted version of the same file.

Images

Figure 6-18  Viewing unencrypted and encrypted text file content in Linux

Tape Encryption

Even with the popularity of cloud backup solutions, tape is still widely used for data backup purposes. It’s common practice for backup tapes to be rotated (reused) on a periodic basis, but when they contain a fresh data backup, they’re often stored offsite for added security.

Tape media normally contains sensitive information and should be encrypted in case the tapes fall into the wrong hands. Data classification makes it easy to identify data with high value to the organization and to apply life cycle policies, such as determining what needs to be encrypted and what does not, as well as how long data should be retained in accordance with laws or regulations.

Today’s enterprise servers tend to use storage area network (SAN) storage. An enterprise-class SAN makes SAN-based backup possible, which is far more efficient than maintaining a separate backup solution for each server and its local disks. In addition to storing backups offsite, onsite tapes can be stored in a safe.

Several considerations are related to SAN-based tape backup security:

•   Which user account performs backups  Root or Administrator? A dedicated backup service account with only the rights the job needs limits the damage if the backup host is compromised.

•   Scripts are normally run before and after backup  Are malicious scripts present? Pre- and post-backup scripts run with the backup account’s privileges, so their integrity should be verified and their location write-protected.

•   When encryption occurs  Does it occur during or after backup? Data sitting unencrypted on staging disks, or in transit to the tape library, is exposed until the encryption step completes.

•   The human element  Have thorough background checks been performed on backup administrators? They hold the keys to everything.

•   Reliability  Is the offsite tape storage provider trustworthy? Its chain-of-custody records should be reviewed.

Compliance with data protection laws often drives the data backup policy within an organization, including encryption requirements. Remember that encryption requires keys; proper key management is crucial to decrypt data when needed.

Secure Media Disposal

Deleting files (soft wiping) from storage media doesn’t remove them permanently; the file system only marks the space as free, and the data remains until it is overwritten. Even the casual Windows user knows to check the Recycle Bin for files that have been mistakenly deleted. Even repartitioning a drive and copying files to it doesn’t necessarily mean the old data can’t be recovered from the media. Imagine being the head of IT for a medical practice that only repartitioned hard disks from old internal PCs before repurposing the PCs to external entities such as schools and charities. It has happened!

Disk Scrubbing

Disks don’t get dirty and therefore don’t need to be scrubbed for cleanliness. Scrubbing in this context means making it as difficult as possible to retrieve data previously stored on the media. This is done by overwriting every sector of the disk with useless data (zeros or random bytes), sometimes in multiple passes, and is called a hard wipe. Overwriting is effective on magnetic hard disks but not on SSDs, NVMe drives, or USB flash media, where wear leveling and over-provisioned cells mean an overwrite never reaches every copy of the data. For those, use the device’s built-in sanitize command (ATA Secure Erase or NVMe Sanitize) or cryptographic erase, in which the drive’s internal encryption key is destroyed.

Government laws and regulations in some parts of the world require that specific disk scrubbing solutions be used to ensure that no data remains, and this can influence organizational security policies related to media disposal and destruction. Figure 6-19 shows a screen from the Hard Disk Scrubber from Summit Computer Networks. Zeroing out all sectors on a disk is a common method of wiping the disk to minimize the possibility of data recovery. This technique writes a zero byte to every storage location on the disk; NIST SP 800-88, the U.S. guideline on media sanitization, regards a single overwrite pass as sufficient for modern hard disks provided the result is verified by reading the media back.

Images

Figure 6-19  Disk scrubbing
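The overwrite-and-verify procedure described above, as an added example in Python; it is neither the chapter’s procedure nor the Hard Disk Scrubber product. It operates on a regular file standing in for a block device so that it can be run safely; pointing it at a real device (for example /dev/sdb on Linux) must be deliberate and requires root. The wear-leveling caveat is built in: the overwrite_is_appropriate check refuses non-rotational devices, for which the drive’s own sanitize command or cryptographic erase is the right tool. The sample image and its "PATIENT RECORD" marker are constructed test data.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 20    # 1 MiB per write/read


def _overwrite(fh, size: int, pattern) -> None:
    """Write pattern(n) chunks from offset 0 to size, then force them to stable storage."""
    fh.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        fh.write(pattern(n))
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())   # without fsync the "wipe" may still sit in the page cache


def wipe(path: str, passes: int = 1) -> int:
    """passes-1 random passes followed by a final all-zeros pass; returns bytes wiped.
    NIST SP 800-88 treats one verified overwrite as sufficient for magnetic disks."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(max(passes, 1) - 1):
            _overwrite(fh, size, secrets.token_bytes)
        _overwrite(fh, size, bytes)          # bytes(n) is n zero bytes
    return size


def verify_zeroed(path: str) -> bool:
    """Read every byte back and confirm it is zero. The wipe is not finished until
    this passes; a failed write or a read-only remount would otherwise go unnoticed."""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return True
            if chunk.count(0) != len(chunk):
                return False


def contains(path: str, needle: bytes) -> bool:
    """Chunked search that also catches a needle straddling two chunks."""
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return False
            if needle in tail + chunk:
                return True
            tail = chunk[-(len(needle) - 1):] if len(needle) > 1 else b""


def overwrite_is_appropriate(dev: str) -> bool:
    """Linux check: /sys/block/<dev>/queue/rotational is 1 for spinning disks.
    Unknown or non-rotational devices return False: do not trust an overwrite there."""
    try:
        with open(f"/sys/block/{dev}/queue/rotational") as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False


def make_demo_image(marker: bytes = b"PATIENT RECORD 0042") -> str:
    """Constructed image: a fake sensitive record placed just past a chunk boundary."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"\x00" * (CHUNK - 6) + marker + b"\xff" * 1000)
        return tmp.name


if __name__ == "__main__":
    image = make_demo_image()
    print("marker present before wipe:", contains(image, b"PATIENT RECORD"))
    wipe(image, passes=2)
    print("marker present after wipe: ", contains(image, b"PATIENT RECORD"))
    print("read-back verification:    ", verify_zeroed(image))
    os.remove(image)
```

The read-back step is the part most ad hoc scripts skip. A wipe that was never verified is an assumption, and an auditor will treat it as one.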

Physical Destruction

Organizational security policy documentation, driven by laws or regulations, could require the physical destruction of storage media. An often crucial and overlooked aspect of destroying storage media is sorting to ensure that sensitive storage devices no longer being used are the ones that get destroyed. There have been cases of bad sorting, which have, for example, resulted in sensitive Canadian military personnel information being exposed—not a great salute for people who put their lives on the line for their country.

For hard disk drives (HDDs), one way to make sure data cannot be recovered is to drill physical holes into the platters. Degaussing is another technique that can be applied to HDDs: a high-intensity magnetic field destroys the magnetic domains on the platters, which renders the data unrecoverable and the drive itself unusable. USB flash media and SSDs are solid state, so degaussing has no effect on them; they can be cryptographically erased, crushed, or incinerated. Physical shredding using an industrial shredder can also be effective for both kinds of media.

Images

NOTE   Be sure to update company asset and change management solutions to reflect the decommissioning of equipment.

Remote Wipe

Mobile device management (MDM) solutions enable the centralized management of mobile devices. MDM tasks include

•   Software deployment

•   Update deployment

•   Device configuration

•   Device partitioning

Administrators can remotely wipe lost or stolen smartphones to protect sensitive data and apps, as shown in Figure 6-20. Bear in mind that a single compromised mobile device can be used by attackers to infiltrate a network and bring down or compromise servers, so remote wiping is a big deal. The wipe can reset the entire device to factory settings (a full wipe), or it can wipe only corporate apps and data (a selective wipe).

Images

Figure 6-20  Microsoft Intune device wiping options

Selective wipes make sense in bring-your-own-device (BYOD) scenarios, where employees use their personal mobile devices to perform work tasks. Many organizations pay a small monthly stipend to employees to offset the cost of the devices.

Hands-on Exercises

Exercise 6-1: Set NTFS File System Permissions

1.   Ensure that you are logged into Srv2019-1 with the Domain Administrator account (Fakedomain\Administrator) with a password of Pa$$w0rd172hfX.

2.   Click the Start button, enter Active, and click Active Directory Users And Computers when it is displayed.

3.   In the left navigator, right-click fakedomain.local and choose New | Organizational Unit.

4.   Enter ProjectManagers for the name and click OK.

5.   Expand fakedomain.local in the left navigator, right-click ProjectManagers, and choose New | User.

6.   Enter User for the first name, One for the last name, and uone for the user logon name. Click Next.

7.   For the password, enter Pa$$w0rd172hfX. Uncheck the option for changing the password at next logon; then click Next and then Finish.

8.   Right-click ProjectManagers and choose New | Group. Name it PMs. Accept all other defaults.

9.   Add User One as a member of the PMs group. Double-click the PMs group within the ProjectManagers organizational unit, and then click the Members tab, click Add, and enter user one. Click OK twice.

10.   Start Windows Explorer. Create a folder called Projects on C: by right-clicking Local Disk (C:) in the left navigator and choosing New | Folder.

11.   From the Start menu, enter Notepad. Click Notepad to launch the application. Enter some random text in the Notepad window.

12.   Choose File | Save, and enter the name C:\Projects\Project_A. Close Notepad.

13.   In Windows Explorer, right-click the Projects folder and choose Properties.

14.   Open the Security tab, click Edit, click Add, and enter PMs. Click OK. Notice the PMs group is automatically allowed the Read & Execute, List Folder Contents, and Read permissions. Click the box under the Allow column for Modify to enable the check mark, and then click OK twice.

15.   Open the Projects folder. Then right-click Project_A and choose Properties.

16.   Open the Security tab, click the Advanced button, and click the Effective Access tab. Then click Select A User and enter user one.

17.   Click OK and then click View Effective Access. Scroll down the list and notice the individual permissions allowed (green check mark). Click OK. Click OK to close Project_A properties. Leave the virtual machine running.

Exercise 6-2: Set Shared Folder Permissions

1.   On Srv2019-1, start Windows PowerShell from the Start menu.

2.   Enter the following:

New-SmbShare -Name Projects -Path C:\Projects -ReadAccess "fakedomain\PMs"

Then press ENTER. This grants only read access to members of the PMs group.

3.   Verify step 2 in Windows Explorer by right-clicking C:\Projects, choosing Properties, clicking the Sharing tab, clicking Advanced Sharing, and then clicking Permissions. You will see the PMs group with Read access. Click Cancel twice.

4.   Click the Security tab, click the Advanced button, and then click the Effective Access tab. Click the Select A User link, enter user one, and click OK.

5.   Click View Effective Access. Scroll down and notice that only read and listing permissions are available. When you combine NTFS and share permissions, the most restrictive permissions prevail. Close all open windows and leave the virtual machine running.
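The rule that Exercise 6-2 demonstrates, as an added example in Python that is not Microsoft code and not the logic behind the Effective Access tab: for network access to a shared folder, the rights granted by the share ACL are intersected with the rights granted by the NTFS ACL, and an explicit Deny entry overrides Allow at the same level. Permissions are reduced to the generic read/write/delete/change-permissions rights, and the account and group names are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable

READ, WRITE, DELETE, CHANGE_PERMS = "read", "write", "delete", "change_permissions"

# Named permission levels expanded to the rights they contain.
LEVELS = {
    "Read":         frozenset({READ}),
    "Write":        frozenset({WRITE}),
    "Change":       frozenset({READ, WRITE, DELETE}),            # share-level level
    "Modify":       frozenset({READ, WRITE, DELETE}),            # NTFS level
    "Full Control": frozenset({READ, WRITE, DELETE, CHANGE_PERMS}),
}


@dataclass(frozen=True)
class Ace:
    """One access control entry: a principal, a permission level, allow or deny."""
    principal: str
    level: str
    allow: bool = True


def evaluate_acl(acl: Iterable[Ace], identities: FrozenSet[str]) -> FrozenSet[str]:
    """Rights one ACL grants to a token carrying the given identities."""
    allowed, denied = set(), set()
    for ace in acl:
        if ace.principal in identities:
            (allowed if ace.allow else denied).update(LEVELS[ace.level])
    return frozenset(allowed - denied)           # Deny wins over Allow


def effective_access(user: str, groups: Iterable[str], share_acl: Iterable[Ace],
                     ntfs_acl: Iterable[Ace], via_network: bool = True) -> FrozenSet[str]:
    """Share permissions apply only when the folder is reached over the network;
    a user at the console is governed by NTFS alone."""
    identities = frozenset({user, *groups, "Everyone", "Authenticated Users"})
    ntfs_rights = evaluate_acl(ntfs_acl, identities)
    if not via_network:
        return ntfs_rights
    return ntfs_rights & evaluate_acl(share_acl, identities)


# Constructed scenario matching Exercise 6-2: PMs get Read on the share but
# Modify on NTFS, so over the network User One can only read.
SHARE_ACL = [Ace("fakedomain\\PMs", "Read")]
NTFS_ACL = [Ace("fakedomain\\PMs", "Modify"),
            Ace("BUILTIN\\Administrators", "Full Control")]

if __name__ == "__main__":
    uone, groups = "fakedomain\\uone", ["fakedomain\\PMs"]
    print("over the network:", sorted(effective_access(uone, groups, SHARE_ACL, NTFS_ACL)))
    print("at the console:  ", sorted(effective_access(uone, groups, SHARE_ACL, NTFS_ACL, via_network=False)))
```

The console case is the one administrators forget: share permissions never restrict a user who logs on to the file server interactively, so NTFS is the layer that must be right.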

Exercise 6-3: Set File System Permissions in Linux

1.   Ensure that you are logged into Ubuntu-1 as uone with a password of Pa$$w0rd172hfX. Precede each command on the same line with sudo followed by a space. Press the ENTER key after you issue each command.

2.   Enter cd / (without the sudo prefix in this case, because cd is an internal command—it is not its own binary file).

3.   Enter mkdir projects. If prompted for the uone password, enter Pa$$w0rd172hfX. Then enter ls -ld projects. Notice that the default group permissions for the root group are set to r-x (read and execute). The owning group is in the fourth column—in this case, the second occurrence of “root.” The third column lists the owning user.

4.   Enter groupadd sales.

5.   Enter useradd utwo -G sales. User Two is now a member of the sales group.

6.   Enter chgrp sales /projects. Then enter ls -ld /projects. Notice that the owning group is now sales (fourth column) and members of the sales group now have r-x (read and execute) access to the projects folder.

7.   Enter chmod g+w /projects. This adds the write permission for the group assigned to projects. Enter ls -ld /projects. Notice that the group permissions for sales are now rwx (read, write, and execute). Leave the virtual machine running.

Exercise 6-4: Use EFS to Encrypt Files in Windows

1.   On Srv2019-1, open a command prompt and enter md c:\budgets.

2.   Start Notepad and type random text into the new file. Name and save the file as c:\budgets\budget1 (Notepad adds the .txt extension) and close Notepad.

3.   From the command prompt, mark the budgets folder so that files added in the future are encrypted (/e) and encrypt everything already in the folder and its subdirectory structure (/s). Enter cipher /e /s:c:\budgets.

4.   Enter cipher c:\budgets\budget1.txt and notice the “E” to the left of the budget1.txt filename; this shows that the file is now encrypted using EFS. Other users cannot read this file, although an administrator with NTFS permissions could still delete it, because EFS protects confidentiality, not availability.

Exercise 6-5: Use OpenSSL to Encrypt Files in Linux

Precede each command on the same line with sudo followed by a space. Press the ENTER key after you issue each command.

1.   In Ubuntu-1, enter mkdir /projects2.

2.   Enter nano /projects2/project_b.txt.

3.   Enter “This is a sample file”. Press CTRL-X, Y and then ENTER to write and quit out of the new file.

4.   To encrypt the new file, enter

openssl enc -aes-256-cbc -pbkdf2 -in /projects2/project_b.txt -out /projects2/project_b_encrypted.txt

Then enter Pa$$w0rd172hfX when prompted (it is requested twice, the second time to confirm).

5.   Delete the original file by entering rm /projects2/project_b.txt. Enter cat /projects2/project_b_encrypted.txt, and notice that the file content is unreadable: it begins with the literal marker Salted__, followed by the 8-byte salt and then the ciphertext.

6.   To decrypt the file, enter

openssl enc -d -aes-256-cbc -pbkdf2 -in /projects2/project_b_encrypted.txt -out /projects2/project_b_decrypted.txt

Then enter Pa$$w0rd172hfX when prompted.

7.   Enter cat /projects2/project_b_decrypted.txt to view the file contents. The file contents are now readable because the file is not encrypted. Leave the virtual machine running.

Exercise 6-6: Use iptables to Set Firewall Rules in Linux

1.   From a command prompt on Srv2019-1, enter ping 192.168.1.201. This is the IP address of the Linux server. You should get a response.

2.   On Ubuntu-1, enter sudo iptables -A INPUT -p icmp -j DROP to block all incoming ICMP traffic (iptables needs root). Rules added this way live only in kernel memory and are gone after a reboot; on a production system you would save them with netfilter-persistent or manage them through a front end such as ufw.

3.   From a command prompt on Srv2019-1, enter ping 192.168.1.201 once again. This time you should not get a response, because ICMP traffic is blocked. The ping command uses ICMP.

4.   From a terminal prompt on Ubuntu-1, enter sudo iptables -F to flush (remove) all rules in the filter table. In the lab this is fine; on a real server, -F also removes every other rule, so delete just the one you added with sudo iptables -D INPUT -p icmp -j DROP instead.

5.   From a command prompt on Srv2019-1, ping the Linux server again. You should get a response. Keep Srv2019-1 running.

Exercise 6-7: Enable Encrypted Communication on a Windows IIS Web Server

1.   On Srv2019-1, start Server Manager.

2.   On the left, click Local Server. In the right panel, select On, next to IE Enhanced Security Configuration. Select both Off options and click OK.

3.   Click Manage and then click Add Roles And Features.

4.   Accept defaults and keep clicking Next until you reach the Select Server Roles screen.

5.   If IIS is not already installed, add a check mark next to the Web Server (IIS) option, and if prompted to install tools, click Add Features. Continue through the wizard, accepting defaults by clicking Next.

6.   Start Internet Explorer on Srv2019-1. If prompted to accept recommended settings, do so. In the address bar, enter http://srv2019-1.fakedomain.local. The IIS default web page should be displayed. Close Internet Explorer.

7.   From Server Manager, click Manage and then click Add Roles And Features.

8.   Accept the defaults and keep clicking Next until you reach the Select Server Roles screen.

9.   Add a check mark to Active Directory Certificate Services. This role allows the creation of a PKI hierarchy. If prompted to add additional roles and features, click Add Features. Continue through the rest of the wizard, accepting defaults until you reach the end of the wizard. Then click Install and then Close.

10.   In Server Manager, click the flag notification icon in the upper right. Click the Configure Active Directory Certificate Services On This Server link to complete the Certification Authority configuration. Proceed through the wizard and select the Certification Authority check box on the Select Role Services To Configure screen. Create an Enterprise CA, and accept the defaults for the remainder of the settings. Click Close.

11.   From a command prompt, enter mmc, and press ENTER.

12.   Choose File | Add/Remove Snap-in. Select Certificates on the left, click Add, choose Computer Account, and then click Next, then Finish, and then OK.

13.   In the left navigator, expand Certificates (Local Computer). Right-click Personal and choose All Tasks | Request New Certificate.

14.   Click Next twice. Add a check mark for the Domain Controller certificate template and click Enroll. (This template is offered because Srv2019-1 is a domain controller; on a member server you would use the Web Server template instead.) Either way, the result is a certificate whose subject matches the server’s DNS name and that includes the Server Authentication purpose, which is what is needed to secure the IIS web site. Click Finish to close the Certificate Enrollment window.

15.   From the Start menu, enter IIS. When Internet Information Services (IIS) Manager is displayed, click it.

16.   On the left, expand your server name, and then expand Sites.

17.   Right-click Default Web Site and choose Edit Bindings.

18.   Click Add, and from the Type drop-down list, choose https.

19.   From the SSL Certificate drop-down list, choose Srv2019-1.fakedomain.local and click OK.

20.   Select the http binding from the list and choose Remove. Click Yes, and then close the dialog box.

21.   Start Internet Explorer, enter http://srv2019-1.fakedomain.local in the address bar, and then press ENTER. After a few moments, you will see a “Can’t reach this page” error message, because we removed the http binding. If it displays the web page, you may need to clear your IE browser history by pressing ALT-T and then choosing Delete Browsing History.

22.   In the address bar, enter https://srv2019-1.fakedomain.local (notice the https). The web page opens over an HTTPS connection.

Chapter Review

This chapter covered various aspects of locking down computer environments—including physical security, server hardening, and data encryption.

Physical Security

Restricted access to facilities is possible using fencing, lighting, security guards, guard dogs, gates, mantraps, door-locking mechanisms, and security solutions such as motion detection systems. Large data centers replicate data to other data centers to ensure high availability of IT services and data. Individual servers as well as server room racks have locking mechanisms to prevent equipment tampering.

Modern access and payment cards, such as RFID chip cards and smartcards, have embedded circuits that can transmit data wirelessly.

Authentication

User, device, and service authentication falls into three categories:

•   Something you know

•   Something you have

•   Something you are

Multifactor authentication uses at least two of these categories. Authentication can be centralized using identity federation.

Logical Access Control

Users can be placed into groups or roles, which are granted permissions to resources. Some server operating systems support conditional access based on user, device, and resource attributes.

Windows administrators assign NTFS and share permissions to control network access to files. The most restrictive permission applies when combining share and NTFS permissions. Linux server administrators can use the chmod command to work with file system permissions.

Network Security

Network Access Control (802.1X) limits which users and devices can connect to a network through edge devices such as network switches, wireless routers, and VPN connections. Edge devices (RADIUS clients) should be configured to forward authentication requests to a central RADIUS authentication server.

VLANs organize network nodes into virtual networks, even within a single physical switch. This can be done by MAC or IP address, by grouping physical switch ports together, and so on. VLANs enable administrators to isolate network traffic for performance and security reasons.

Firewalls

Firewalls regulate traffic into and out of networks and individual hosts. Packet-filtering firewalls examine packet headers, looking at characteristics such as source and destination IP address, port address, and protocol type. Deep packet inspection firewalls examine payload content beyond packet headers.

Reverse proxy servers are listeners on a publicly visible network that forward traffic to a specific network service on an internal protected network.

Network services, firewalls, and proxy servers must be placed in the correct network security zone. Screened subnets enable the safe placement of publicly visible servers while protecting systems on internal networks. Firewalls control traffic between the Internet and the screened subnet and between the screened subnet and internal networks.

PKI

Public Key Infrastructure is a hierarchy of security certificates issued to users, devices, or services. The certificates contain keys that provide security in the form of authentication and encryption. Certificate authorities issue certificates.

PKI certificates contain numerous items such as the subject name, a serial number, the issuing CA’s signature, and the subject’s public key. The matching private key is not part of the certificate; it is stored separately (in a key store, on a smartcard, or in a TPM or HSM), is sensitive, and must not be shared with other parties. Certificates have an expiration date, after which they can no longer be used, and a CA can revoke one earlier if its private key is compromised.

SSL and the newer TLS provide authentication and encryption for network services such as web sites. Keys from PKI certificates make this possible; in most configurations, only the server needs a PKI certificate, not each connecting client.

IPSec

IPSec is used to authenticate and encrypt network transmissions using either transport or tunnel mode. Tunnel mode is used for point-to-point connections such as with VPNs. Transport mode can be used for all devices on a LAN to encrypt network traffic that normally may not support encryption.

IPSec support was originally mandatory for IPv6 implementations (it is now recommended rather than required, per RFC 6434) and has always been optional for IPv4; in neither case is traffic protected unless IPSec is actually configured. On Windows servers, IPSec is configured through Windows Defender Firewall using Connection Security Rules.

VPNs

Virtual private networks enable encrypted connections to a private network over an untrusted network. Common VPN types include PPTP, L2TP/IPSec, and SSL/TLS-based VPNs; PPTP’s MS-CHAPv2 authentication and RC4 encryption are broken, so it should be disabled rather than deployed. Different types of VPNs require different ports to be open in firewalls. SSL VPNs are firewall friendly because they use TCP port 443, which is also used by HTTPS.

VPN clients require that software be configured to connect to the VPN. All traffic between the client and VPN appliance is encrypted. The VPN appliance decrypts received traffic and sends it to the internal network.

Intrusion Detection and Prevention

An intrusion detection system (IDS) sends administrative alerts when suspicious activity is detected. Network traffic, log files, and local operating system process execution are tracked for anomalies. An intrusion prevention system (IPS) takes this a step further by taking action to stop the activity from continuing.

IDS and IPS solutions can run on a specific host or on the network to view all network traffic, if placed properly. Rules must be configured to ensure that IDS and IPS solutions are effective in a specific network environment.

Hardening

Hardening applies to networks, servers, and applications, and it includes activities such as disabling unused ports and services, applying patches, encrypting data in transit and at rest, and so on.

Logging must be enabled on all devices, and log copies should be forwarded to other hosts in case a device is compromised and logs are cleared. Firmware updates should also be a part of hardening, along with setting firmware (BIOS/UEFI) setup passwords on servers and ensuring that antimalware (antivirus) solutions are kept up to date. Storage area network devices, VPN appliances, routers, switches, and wireless routers should also be hardened.

Data Security

Encryption is used to ensure that only authorized users can access sensitive data. When the same key is used for encryption and decryption, it is called symmetric encryption; when different (yet mathematically related) keys are used, it is called asymmetric encryption. PKI certificates contain related public and private key pairs.

Data encryption can be applied to data in use, data in transit, and data at rest. Ideally, encryption should be used everywhere (networks, servers, backup tapes, desktops); at a minimum it must be enforced on removable media and mobile devices, which routinely leave the building.

Secure Media Disposal

Techniques such as disk scrubbing (software) can overwrite storage media to prevent data retrieval. Physical techniques such as physical media destruction ensure that sensitive data cannot be retrieved.

Lost or stolen mobile devices can either be fully wiped or selectively wiped. Selective wiping removes only company apps, settings, and data.

Questions

1.   Which physical security control prevents tailgating?

A.   RFID card

B.   Access control vestibule

C.   Security guard

D.   Fencing

2.   Which modern short-distance wireless standard is used for payment cards and terminals?

A.   NFC

B.   Bluetooth

C.   Wi-Fi

D.   4G

3.   Which term is used to describe the act of tricking people into divulging sensitive information?

A.   Threat engineering

B.   Mailing

C.   Scanning

D.   Social engineering

4.   Your VPN requires multifactor authentication. Which of the following solutions should you use?

A.   Smartcard, PIN

B.   Username, password, PIN

C.   Username, PIN

D.   Password, PIN

5.   Your network consists of multiple web applications. To connect to each application, a user e-mail address and date of birth are required. What should you do?

A.   Direct users to enter their e-mail address and date of birth when connecting to each web app.

B.   Configure user claims with identity federation, and configure the web apps to trust the identity provider.

C.   Configure device claims with identity federation, and configure the web apps to trust the devices.

D.   Issue PKI certificates to users, and configure the web apps to trust user PKI certificates.

6.   Which VPN authentication tool uses a changing numeric code synchronized with the VPN appliance?

A.   Key fob

B.   USB thumb drive

C.   Smartcard

D.   PKI certificate

7.   Which of the following statements regarding Active Directory groups is false?

A.   Permissions management is simplified.

B.   Groups can be nested.

C.   Group membership changes take effect while affected users are logged in.

D.   Groups can contain computers.

8.   Hussein needs access to budget files stored on a file server in a folder called Budgets. He is a member of the Managers group. The Managers group has been allowed read, read & execute, list folder contents, and write permissions. Hussein complains that he receives an “Access denied” message when he tries to delete budget files. What should you do?

A.   Decrypt the budget files.

B.   Grant the Managers group write permissions on each individual file.

C.   Grant the Managers group modify permission to the budgets folder.

D.   Add Hussein as an EFS data recovery agent.

9.   Trinity is a member of the Executives group, which has been granted the read permission to a shared folder called Expenses. Trinity is also a member of the Site A group, which has been granted the NTFS read and write permissions to the Expenses folder. What permissions will Trinity have to a file in the Expenses folder?

A.   Read

B.   Read and write

C.   Write

D.   No permissions

10.   Which Linux command is used to set file system permissions?

A.   set-acl

B.   chmod

C.   chperm

D.   set-perm

11.   What type of malware encrypts data files and demands payment before providing a decryption key?

A.   Malware

B.   Trojan

C.   Virus

D.   Ransomware

12.   Which security standard controls port-level access to a network?

A.   802.1X

B.   802.3

C.   802.5

D.   802.11

13.   A smartphone is attempting to authenticate to a RADIUS server through a Wi-Fi router. The Wi-Fi router is configured with WPA2 Enterprise. What term is used to describe the smartphone?

A.   RADIUS client

B.   RADIUS supplicant

C.   RADIUS authenticator

D.   RADIUS consumer

14.   Your network uses four Ethernet switches linked together to interconnect 80 computers. Ten of the computers are used by the accounting department and are configured with IPSec. Accounting department computers do not need to communicate with other computers. How can you keep accounting computer traffic more secure?

A.   Encrypt network communications using HTTPS.

B.   Configure a new VLAN for the accounting department computers.

C.   Encrypt network communications using BitLocker.

D.   Configure accounting department computers to use only IPv6.

15.   Which type of VLAN attack overloads switch MAC table memory?

A.   VLAN hopping

B.   Big MAC attack

C.   MAC flooding attack

D.   VLAN spanning tree

16.   Your firewall can filter traffic based on MAC addresses. Which term correctly identifies your firewall?

A.   Layer 2

B.   Layer 3

C.   Layer 4

D.   Layer 7

17.   Your firewall can filter traffic based on UDP and TCP port numbers. Which term correctly identifies your firewall?

A.   Layer 2

B.   Layer 3

C.   Layer 4

D.   Layer 7

18.   Your firewall can filter traffic based on the contents of packet payloads. Which term correctly identifies your firewall?

A.   Layer 2

B.   Layer 3

C.   Layer 4

D.   Layer 7

Questions and Answers

1.   Which physical security control prevents tailgating?

A.   RFID card

B.   Access control vestibule

C.   Security guard

D.   Fencing

B. Access control vestibules (mantraps) close and lock an outer door before allowing you to open an inner door. This prevents other people from tailgating, or slipping in behind you. A, C, and D are incorrect. RFID cards, such as toll bridge pass cards, use radiofrequencies to transmit data wirelessly. Security guards may notice somebody slipping into a secured facility behind you, but that is not their primary job, so it is not the best answer. Fencing does not prevent tailgating.

2.   Which modern short-distance wireless standard is used for payment cards and terminals?

A.   NFC

B.   Bluetooth

C.   Wi-Fi

D.   4G

A. Near-field communication (NFC) is a short-distance wireless standard used often by payment cards and terminals. B, C, and D are incorrect. Bluetooth is a short-range wireless standard used by headsets, speakers, and so on, but it is not used for payment card systems. Wi-Fi is not a short-range system and is not used by payment systems; neither is 4G, a cellular data network standard.

3.   Which term is used to describe the act of tricking people into divulging sensitive information?

A.   Threat engineering

B.   Mailing

C.   Scanning

D.   Social engineering

D. Social engineering involves tricking people into divulging sensitive information. A, B, and C are incorrect. Threat engineering is a made-up term. Mailing is used to send messages. Scanning is performed to gather information about a network.

4.   Your VPN requires multifactor authentication. Which of the following solutions should you use?

A.   Smartcard, PIN

B.   Username, password, PIN

C.   Username, PIN

D.   Password, PIN

A. The smartcard is something you have, and the PIN is something you know—this is multifactor authentication. B, C, and D are incorrect. Usernames, passwords, and PINs constitute a single authentication category—something you know.

5.   Your network consists of multiple web applications. To connect to each application, a user e-mail address and date of birth are required. What should you do?

A.   Direct users to enter their e-mail address and date of birth when connecting to each web app.

B.   Configure user claims with identity federation, and configure the web apps to trust the identity provider.

C.   Configure device claims with identity federation, and configure the web apps to trust the devices.

D.   Issue PKI certificates to users, and configure the web apps to trust user PKI certificates.

B. Claims contain attributes such as e-mail addresses and dates of birth. Identity federation servers provide these digitally signed claims to apps that are configured to trust the identity provider. A, C, and D are incorrect. Users should not have to enter details for each and every app. The required claim attributes are tied to users, not devices. PKI certificates themselves do not provide claims-based authentication.

6.   Which VPN authentication tool uses a changing numeric code synchronized with the VPN appliance?

A.   Key fob

B.   USB thumb drive

C.   Smartcard

D.   PKI certificate

A. Key fobs, also called hardware tokens (or software tokens when an app is used instead of a physical device), display a changing numeric code that must be entered in addition to other credentials for authentication to succeed. B, C, and D are incorrect. USB thumb drives do not provide anything related to authentication; they are used for storage. Smartcards and PKI certificates can be used for authentication, but they do not have a changing numeric code.

7.   Which of the following statements regarding Active Directory groups is false?

A.   Permissions management is simplified.

B.   Groups can be nested.

C.   Group membership changes take effect while affected users are logged in.

D.   Groups can contain computers.

C. Users must log off and log back in for their group membership changes to be in effect. A, B, and D are incorrect. These options are all true; therefore, they do not address the question.

8.   Hussein needs access to budget files stored on a file server in a folder called Budgets. He is a member of the Managers group. The Managers group has been allowed read, read & execute, list folder contents, and write permissions. Hussein complains that he receives an “Access denied” message when he tries to delete budget files. What should you do?

A.   Decrypt the budget files.

B.   Grant the Managers group write permissions on each individual file.

C.   Grant the Managers group modify permission to the budgets folder.

D.   Add Hussein as an EFS data recovery agent.

C. To delete files, users need the NTFS modify permission. A, B, and D are incorrect. The question does not state that files are encrypted, so decryption and recovery agents do not apply. It is clear that the granted permissions (including write) do not allow deletions.

9.   Trinity is a member of the Executives group, which has been granted the read permission to a shared folder called Expenses. Trinity is also a member of the Site A group, which has been granted the NTFS read and write permissions to the Expenses folder. What permissions will Trinity have to a file in the Expenses folder?

A.   Read

B.   Read and write

C.   Write

D.   No permissions

A. When combining share and NTFS permissions, the most restrictive permission applies. B, C, and D are incorrect. Because the most restrictive (the read share permission) applies, the other answers cannot be correct.

10.   Which Linux command is used to set file system permissions?

A.   set-acl

B.   chmod

C.   chperm

D.   set-perm

B. chmod (change mode) is used to set Linux file system permissions. A, C, and D are incorrect. These commands do not exist in Linux.

11.   What type of malware encrypts data files and demands payment before providing a decryption key?

A.   Malware

B.   Trojan

C.   Virus

D.   Ransomware

D. Ransomware encrypts files that infected computers have write access to, and it demands payment before supposedly supplying a decryption key. A, B, and C are incorrect. Malware is a catch-all term; ransomware is more specific. Trojans are a form of malware that appear to be benign but are malicious. A virus is a form of malware that attaches to files.

12.   Which security standard controls port-level access to a network?

A.   802.1X

B.   802.3

C.   802.5

D.   802.11

A. 802.1X is an IEEE standard that defines port-level security mechanisms for devices connecting to a network. B, C, and D are incorrect. 802.3 is the Ethernet standard, 802.5 is the Token Ring standard, and 802.11 defines the Wi-Fi standard.

13.   A smartphone is attempting to authenticate to a RADIUS server through a Wi-Fi router. The Wi-Fi router is configured with WPA2 Enterprise. What term is used to describe the smartphone?

A.   RADIUS client

B.   RADIUS supplicant

C.   RADIUS authenticator

D.   RADIUS consumer

B. In a RADIUS authentication environment, client devices are referred to as supplicants. A, C, and D are incorrect. RADIUS clients are edge devices such as Wi-Fi routers and network switches. RADIUS authenticator and consumer are not valid terms in this context.

14.   Your network uses four Ethernet switches linked together to interconnect 80 computers. Ten of the computers are used by the accounting department and are configured with IPSec. Accounting department computers do not need to communicate with other computers. How can you keep accounting computer traffic more secure?

A.   Encrypt network communications using HTTPS.

B.   Configure a new VLAN for the accounting department computers.

C.   Encrypt network communications using BitLocker.

D.   Configure accounting department computers to use only IPv6.

B. VLANs provide security by isolating network communications. A, C, and D are incorrect. There is no need to encrypt using HTTPS if IPSec is already in use. BitLocker encrypts disk volumes, not network communications. IPv6 by itself would not provide security.

15.   Which type of VLAN attack overloads switch MAC table memory?

A.   VLAN hopping

B.   Big MAC attack

C.   MAC flooding attack

D.   VLAN spanning tree

C. MAC flooding attacks overwhelm the limited switch memory that maps MAC addresses to switch ports, which causes the switch to flood traffic to all ports, much like a hub. This means traffic not normally visible becomes visible on all switch ports. A, B, and D are incorrect. VLAN hopping occurs when a malicious user spoofs packet data so that his station can become a member of multiple VLANs. “Big MAC attack” is a marketing slogan coined by a well-known fast-food chain in the 1970s. VLAN spanning tree is not a type of VLAN attack.

16.   Your firewall can filter traffic based on MAC addresses. Which term correctly identifies your firewall?

A.   Layer 2

B.   Layer 3

C.   Layer 4

D.   Layer 7

A. MAC addresses are OSI Layer 2 (data link) addresses. B, C, and D are incorrect. MAC addresses do not apply to OSI Layers 3, 4, or 7.

17.   Your firewall can filter traffic based on UDP and TCP port numbers. Which term correctly identifies your firewall?

A.   Layer 2

B.   Layer 3

C.   Layer 4

D.   Layer 7

C. Port numbers apply to OSI Layer 4, the transport layer. A, B, and D are incorrect. Port numbers do not apply to OSI Layers 2, 3, or 7.

18.   Your firewall can filter traffic based on the contents of packet payloads. Which term correctly identifies your firewall?

A.   Layer 2

B.   Layer 3

C.   Layer 4

D.   Layer 7

D. Packet payload inspection applies to OSI Layer 7, the application layer. A, B, and C are incorrect. OSI Layers 2, 3, and 4 cannot read packet payload data.
