
Microsoft Security Fundamentals (Draft)


Security Layers


Security Principles

Information security is built on three principles:

  • Confidentiality

    • To ensure information is protected from users who are not permitted to access it.

  • Integrity

    • To ensure that data is correct and accurate for its intended purpose.

  • Availability

    • To ensure data is available at the right time.

Managing risk is extremely important for any organisation; having a risk management plan in place helps prevent and remove possible risks in the future.

Using a risk matrix can help identify the likelihood and the consequence of a risk.

A crucial rule to follow is the "principle of least privilege" (POLP): give users only the basic level of access to information and resources they need to fulfil their jobs.

It is important to have all inbound and outbound traffic denied by default, and allowed only when it has been requested with appropriate justification.
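The deny-by-default rule above, as an added PowerShell example (not code from the original notes): every exception carries its justification so the firewall rule set can be audited later. The resolver address and ticket numbers are assumed values.

```powershell
# Added example (not from the original notes): deny-by-default on every Windows
# Firewall profile, with only justified, documented exceptions. Run elevated.
# The resolver address 10.0.5.20 and the ticket numbers are assumed values.

# 1. Create the justified exceptions FIRST so that flipping the default does not
#    cut off a remote session or break name resolution. The -Description field
#    records the business justification for later review.
New-NetFirewallRule -DisplayName 'Allow outbound DNS to corporate resolver' `
    -Direction Outbound -Action Allow -Protocol UDP -RemotePort 53 `
    -RemoteAddress 10.0.5.20 `
    -Description 'Ticket ASSUMED-1234: name resolution via corporate DNS only'

New-NetFirewallRule -DisplayName 'Allow outbound HTTPS' `
    -Direction Outbound -Action Allow -Protocol TCP -RemotePort 443 `
    -Description 'Ticket ASSUMED-1235: web access over TLS only'

# 2. Now block everything else, inbound and outbound, on all three profiles.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Block

# 3. Review: list every enabled Allow rule with its justification so that any
#    rule lacking one stands out during an audit.
Get-NetFirewallRule -Enabled True -Action Allow |
    Select-Object DisplayName, Direction, Profile, Description |
    Sort-Object Direction, DisplayName |
    Format-Table -AutoSize
```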

Social Engineering

Social engineering - manipulating people into performing tasks that allow the attacker to gain access to sensitive information.

Man-In-The-Middle

A man-in-the-middle attack (MITM) - is a type of attack that intercepts traffic without the user knowing. When a request is sent, a source and destination MAC address are used, as the MAC address is hard-coded (unique) to the device. An ARP table maps an IP address to each MAC address; a man-in-the-middle attack consists of changing the ARP table by replacing the router's MAC address with the attacker's MAC address, thus intercepting the traffic.
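Detecting the symptom described above from the defender's side, as an added PowerShell example (not from the original notes): the script compares the live ARP cache against a gateway MAC address recorded when the network was trusted. The function name, the known-good MAC and a single-homed host are assumptions.

```powershell
# Added example (not from the original notes): detect the ARP-cache symptoms of
# the attack described above. $KnownGatewayMac is assumed to have been recorded
# from a trusted state of the network (e.g. when the machine was built).

function Test-ArpGatewayIntegrity {
    param([string]$KnownGatewayMac)   # e.g. '00-11-22-33-44-55' (assumed value)

    # IPv4 default gateway(s) from the routing table.
    $gateways = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
        Select-Object -ExpandProperty NextHop -Unique

    # Live ARP cache; ignore entries that never resolved to a MAC address.
    $arp = Get-NetNeighbor -AddressFamily IPv4 |
        Where-Object { $_.State -in 'Reachable', 'Stale', 'Delay', 'Probe', 'Permanent' }

    foreach ($gw in $gateways) {
        # One entry per interface that knows this gateway (usually just one).
        foreach ($entry in ($arp | Where-Object IPAddress -eq $gw)) {

            # Symptom 1: the gateway's MAC differs from the one recorded when trusted.
            if ($KnownGatewayMac -and $entry.LinkLayerAddress -ne $KnownGatewayMac) {
                [pscustomobject]@{ Finding = 'GatewayMacChanged'; IP = $gw; MAC = $entry.LinkLayerAddress }
            }

            # Symptom 2: another IP now answers with the same MAC as the gateway,
            # which is what a poisoned cache looks like from the victim.
            $arp | Where-Object { $_.LinkLayerAddress -eq $entry.LinkLayerAddress -and $_.IPAddress -ne $gw } |
                ForEach-Object {
                    [pscustomobject]@{ Finding = 'DuplicateGatewayMac'; IP = $_.IPAddress; MAC = $_.LinkLayerAddress }
                }
        }
    }
}

$findings = Test-ArpGatewayIntegrity -KnownGatewayMac '00-11-22-33-44-55'
if ($findings) { $findings | Format-Table -AutoSize } else { 'No ARP anomalies for the default gateway.' }
```

A switch-side control (Dynamic ARP Inspection) stops the poisoning itself; this host-side check only reveals that it has happened.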

Defence in Depth

Defence in Depth - is the concept of having multiple layers of security; this applies to both technology controls and people. Solutions for Defence in Depth can include firewalls, IDS, IPS and a DMZ.

Microsoft Software

Microsoft Baseline Security Analyzer - is a piece of software that detects missing security updates and security misconfigurations.

Microsoft Security Compliance Manager (SCM) - is a tool to configure and manage computers in an environment and private cloud using Group Policy.

Physical Security

Keyloggers - are devices that can be inserted into a computer to capture keystrokes; this is extremely effective at capturing users' login credentials.

Access Control - restricting individuals' access to only the resources they are permitted to use.

Two factor Authentication (2FA)

Is a process of adding another layer of security. An example would be logging in with your username and password and then being required to enter a code that has been sent to you over SMS (text).

Mobile Devices

Portable devices have three main issues: loss, being left behind, and espionage.

A docking station is one way of keeping a device physically secure, allowing the user to lock the laptop to the dock to prevent someone from stealing it.

Encryption is another layer of security if a device has been stolen, preventing access to the information stored on the device.

Internet Security

ActiveX

ActiveX is a technology that allows code to be downloaded and run inside Internet Explorer (IE). This can be harmful, as someone can add malicious code (e.g. spyware). It is normally blocked.

Java

Java can be dangerous, as Java applets can install spyware or viruses.

Plug-ins

Plug-ins can carry the same risks, exposing the user to spyware or viruses.

Zones

There are four zones: Internet, Local intranet, Trusted sites and Restricted sites. You can click on a zone and customise what is enabled and disabled, e.g. ActiveX and Java.

Wireless Security

Wireless networks have the disadvantage of being easily intercepted compared to wired connections. It is also easier for individuals to spot a network that is close by, as it can be seen via the SSID (the name of the network). You can alternatively hide the SSID to prevent individuals from seeing that there is a network close by.

When choosing a wireless protocol it is advised to use WPA2, as it is the most recent and most secure option.

Wireless access points normally allow you to use one frequency; however, some allow two, 2.4GHz and 5GHz. This allows older devices to connect to the access point, as they may not be compatible with 5GHz. 2.4GHz is primarily for longer distance but with slower download and upload speeds, while 5GHz covers a shorter distance with faster download and upload speeds.

Most wireless access points can have the SSID broadcast disabled; although this makes it harder for users to connect, it helps increase security.

Organisations can implement a RADIUS server that helps the wireless access point authenticate users connecting to it; the access point checks with the RADIUS server on whether it should let that person connect to the network.

MAC address filtering can be used, allowing you to hard-code a list of devices that can connect to the network.

Operating System Security


User Authentication

Logging In

This can be broken down into something you know, which can be a password; something you own, which can be a passport, smart card or ID card; and lastly, something you are, which is biometrics.

RADIUS server (Remote Authentication Dial In User Service)

A RADIUS server provides authentication, authorisation and accounting (AAA) to manage users who connect to and use a network.

Example: a user wants to connect to the network; the wireless router checks with the RADIUS server, and if the RADIUS server gives the thumbs up, the wireless router allows the user to connect. The RADIUS server will also tell the router what the user can do and log what the user does on the network.

Kerberos

Kerberos is a network authentication protocol used by Windows. It works on the basis of tickets. (more to be included)

PKI (Public Key Infrastructure)

This is a combination of software, hardware, people, policies and procedures used to manage, distribute, use, store and revoke digital certificates.

The public key encrypts the data, and in order to view what has been encrypted you need the matching private key to decrypt the contents.
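The public/private split above, shown working with .NET's RSA from PowerShell as an added example (not from the original notes): a copy holding only the public half can encrypt but cannot decrypt. It assumes PowerShell 7 (.NET 6 or later) so that OAEP with SHA-256 is available; the sample message is constructed.

```powershell
# Added example (not from the original notes). Assumes PowerShell 7 / .NET 6+.

# Generate a key pair. $rsa holds both halves.
$rsa = [System.Security.Cryptography.RSA]::Create(2048)

# Export ONLY the public half (modulus + exponent, no private values) and load
# it into a second object: this is what a certificate distributes to the world.
$publicOnly = [System.Security.Cryptography.RSA]::Create()
$publicOnly.ImportParameters($rsa.ExportParameters($false))

$padding = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256
$message = 'constructed sample: session key for payroll.xlsx'   # constructed value
$plain   = [System.Text.Encoding]::UTF8.GetBytes($message)

# Anyone with the public key can encrypt.
$cipher = $publicOnly.Encrypt($plain, $padding)

# The public-only object cannot decrypt what it just encrypted.
try {
    $null = $publicOnly.Decrypt($cipher, $padding)
    'Unexpected: decrypted with the public key alone'
} catch {
    "Decrypt with public key only failed as expected: $($_.Exception.GetType().Name)"
}

# Only the holder of the private key recovers the plaintext.
$decoded = [System.Text.Encoding]::UTF8.GetString($rsa.Decrypt($cipher, $padding))
"Private key decrypted correctly: $($decoded -eq $message)"   # True
```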

Certificates

Certificates are used to allow users to use HTTPS for a secure connection to the website's server.

Permissions

NTFS

NTFS is the preferred file system, as it supports volumes up to 16 exabytes. It is also more reliable and offers better security (e.g. encryption).

It controls which groups and users can access files on NTFS. This can include users locally and via a network.

  • Full Control

    • Gives a user full control and ownership of files. You should avoid giving this to your end users, as they can change permissions.

  • Modify

    • Allows the user to change everything.

  • Read and Execute

    • To allow the user to see both files and folders as well as running files within.

  • List Folder Contents

    • Allows the user to see folders and contents.

  • Read

    • Allows the user to view the contents of the file.

  • Write

    • Allows the user to write to the file.

Inherited permissions are those that are propagated to an object from a parent object.
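The permission levels and inheritance described above, applied from PowerShell as an added example (not from the original notes): a group gets Modify rather than Full Control, the rule is set to propagate to children, and the resulting ACL is reviewed. The folder path and group name are assumed values.

```powershell
# Added example (not from the original notes): grant a group Modify (not Full
# Control) on a folder with inheritance, then review the resulting ACL.
# The folder path and group name are assumed values.

$Folder = 'C:\Shares\Finance'
$Group  = 'CORP\FinanceUsers'

$acl = Get-Acl -Path $Folder

# Modify lets users create, change and delete files but NOT change permissions
# or take ownership, which is why it is preferred over Full Control for end users.
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $Group,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit', # propagate to subfolders and files
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Review 1: every ACE, showing whether it was inherited from the parent folder.
(Get-Acl -Path $Folder).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# Review 2: explicit (non-inherited) Full Control grants deserve a second look,
# since those principals can change the permissions themselves.
(Get-Acl -Path $Folder).Access |
    Where-Object { $_.FileSystemRights -eq 'FullControl' -and -not $_.IsInherited } |
    Select-Object IdentityReference, AccessControlType
```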

Sharing and Permissions

To share a file, right-click on it and click Properties, go to Sharing, then Share. In the drop-down you can select Everyone. If you want more advanced sharing, go into Advanced Sharing, where you can set what permissions the users have on the folder.

Password Policies

Complexity Requirements - You can find this in all Windows systems; enabling it sets rules that the user must meet when creating a password.

Audit Policies

Audit policies are a powerful tool to help maintain the security of a system.

To enable auditing on Windows, go into Administrative Tools, then Local Security Policy, then Local Policies and Audit Policy. Then open Audit Object Access, go into Properties and select Success and Failure.
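The same Audit Object Access setup done from the command line, as an added example (not from the original notes): the point it adds is that the policy alone logs nothing until the object itself carries a SACL saying who to audit. Run elevated; the folder path is an assumed value.

```powershell
# Added example (not from the original notes). Object access events appear only
# when BOTH the audit policy is on AND the object has a SACL naming who to audit.
# Run elevated; the folder path is an assumed value.

$Folder = 'C:\Shares\Finance'

# 1. Turn on success and failure auditing for the File System subcategory (the
#    granular equivalent of "Audit Object Access" in Local Security Policy).
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add a SACL entry: audit every attempt, by anyone, to delete or change
#    permissions on the folder and its contents, whether it succeeds or fails.
$acl = Get-Acl -Path $Folder -Audit
$auditRule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'
)
$acl.AddAuditRule($auditRule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Confirm the policy took effect, then read the resulting Security log events:
#    4656 = a handle to an object was requested, 4663 = an attempt was made to access an object.
auditpol.exe /get /subcategory:"File System"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
```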

Bitlocker

BitLocker is a Windows product to encrypt the hard disk, so once encrypted, if the laptop is stolen the contents of the hard disk will not be readable unless the thief has the password.

TPM
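For the BitLocker and TPM sections above, an added PowerShell example (not from the original notes) that checks the TPM, escrows a recovery password and then enables BitLocker with the volume key sealed to the TPM. It assumes an elevated session on a domain-joined machine with a TPM, C: as the OS drive, and that the AD recovery-key escrow has been set up.

```powershell
# Added example (not from the original notes): check the TPM, then enable
# BitLocker on the OS drive with the key sealed to the TPM and a recovery
# password escrowed to Active Directory. Run elevated; C: is the assumed drive.

$Drive = 'C:'

# 1. Is there a usable TPM? BitLocker seals the volume key to it, so the disk
#    unlocks only on this hardware and only if the measured boot chain is unchanged.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not usable (Present=$($tpm.TpmPresent), Ready=$($tpm.TpmReady))"
}

# 2. Add a recovery password BEFORE the TPM protector, so the drive can still be
#    opened if the TPM measurements change (firmware update, motherboard swap).
$vol  = Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector
$rpId = ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').KeyProtectorId

# 3. Escrow the recovery password in AD (needs the BitLocker recovery schema and
#    GPO to be in place) rather than leaving it on the machine or on paper.
Backup-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $rpId

# 4. Encrypt with the TPM protector. -SkipHardwareTest starts encryption without
#    the reboot-and-test cycle; omit it when rolling out to unknown hardware.
Enable-BitLocker -MountPoint $Drive -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest

# 5. Verify: both protectors should be listed and ProtectionStatus should turn On
#    once encryption is under way.
Get-BitLockerVolume -MountPoint $Drive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```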

Malware

  • Trojan Horse

    • It is a malicious application that hides in software; once it has been downloaded and executed it will infect the machine.

  • Malware

    • It is a malicious type of software that causes damage without the user's consent.

  • Spyware

    • It is a type of malware that spies on the user's PC without their consent and collects information about that user's activities.

  • Bot

    • Add more here

Network Security


Dedicated Firewalls

A firewall is a network security system; it monitors and controls both incoming and outgoing network traffic.

Port forwarding is a way to forward a port to a specific location: all traffic incoming on a certain port (maybe port 80) is directed to the designated machine (maybe a web server).

Network Access Protection

NAP is part of Network Policy Server and helps identify the health of a computer connected to the network; if the computer falls short of the health requirement policy it has limited access within the network. It also automatically updates noncompliant computers connected to the network that are missing software updates.

Network Isolation

VLANs

A VLAN is a logical group of PCs, Servers and other devices on the same LAN despite their geographical distribution.

DMZ

DMZ is a perimeter network that will normally contain internet facing services (e.g. web server, email server or DNS), this reduces the risk of unauthorised individuals gaining access to your network.

Protocol Security

IPsec

IPsec is a protocol suite for securing Internet Protocol communications; it authenticates and encrypts each IP packet within a communication session.

A secure (encrypted) tunnel is established when using the IPsec suite; this is normally known as a site-to-site (S2S) VPN.

Lastly there is a client-side VPN, which is primarily for working from home, allowing you to connect to your work's network.

Software Security


Client Protection

Microsoft Security Essentials

MSE contains a lot of good features, including real-time protection, system scanning and system cleaning.

Offline Encryption

The ability to encrypt files offline was added in Windows 2000; this technology allowed users to access files on network shares.

User Account Control (UAC)

This was introduced in Vista. There are four levels within it: the lowest is to never notify when changes are made to Windows settings, and the highest is to always notify when programs are installed and changes are made to Windows settings.
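The four UAC levels above correspond to two registry values, which this added PowerShell example (not from the original notes) reads and translates; the function name is an assumption, the registry path and value names are the standard ones.

```powershell
# Added example (not from the original notes): read the registry values behind
# the UAC slider and map them to the four notification levels.

function Get-UacLevel {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = Get-ItemProperty -Path $key -Name EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop

    # EnableLUA=0 switches UAC off entirely: no prompts and no split admin token.
    if ($v.EnableLUA -eq 0) {
        return 'UAC disabled (EnableLUA=0): nothing is notified, admin tokens are not split'
    }

    # The slider sets ConsentPromptBehaviorAdmin (prompt style) and
    # PromptOnSecureDesktop (dim the desktop while prompting).
    switch ("$($v.ConsentPromptBehaviorAdmin)/$($v.PromptOnSecureDesktop)") {
        '2/1'   { 'Level 4: Always notify (highest)' }
        '5/1'   { 'Level 3: Notify when apps try to make changes (default)' }
        '5/0'   { 'Level 2: Notify without dimming the desktop' }
        '0/0'   { 'Level 1: Never notify (lowest)' }
        default { "Non-standard combination: ConsentPromptBehaviorAdmin=$($v.ConsentPromptBehaviorAdmin), PromptOnSecureDesktop=$($v.PromptOnSecureDesktop)" }
    }
}

Get-UacLevel
```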

Email Protection

Exchange Online Protection

This technology helps remove threats before they even reach the firewall, which keeps network uptime high and protects the company's IP.