
Summary EIPL 2022 (part 2)

Pages: 33
Uploaded on: 04-10-2022
Written in: 2021/2022

In this summary you can find weeks 1 through 3. This summary is meant for those who do not want to buy the whole summary. That way you can have a taste first!

Week 4 Lesson 1 Windows

Understanding the Layered approach
Common language runtime (CLR);
• All Microsoft code is tested via the CLR for security 'holes'
• This increases security
Layer Approach (Defense-in-depth)
• Physical security
o Restrict physical access
o Restrict logon
o Use other/extra techniques such as smart cards
o Secure the wireless (wired) network
▪ Including 802.1x
o Firewall, IDS/IPS, DMZ

Windows Firewall with advanced security
- Profiles: Domain, Private & Public
Configuration:
• Static or GPO
- Inbound and outbound rules
• Programs
• Port(s)
• Predefined
• Custom
- Server & domain isolation

Firewall ports

Server & Domain Isolation (1)
• People have around-the-clock access to e-mail, messages, files, databases, and Web pages. They can access this data through multiple types of connections, including wired (such as Ethernet), wireless, and remote access
• The same ease of connectivity that allows users to access networked resources at any time from almost anywhere also allows malicious programs (such as viruses and worms) and malicious users to attack computers or their resources at any time and from anywhere.

Server & Domain Isolation (2)

Server & Domain Isolation (3)




Server & Domain Isolation (4)
• IEEE 802.3/11 Wired & Wireless
• Dial-Up & VPN

Server & Domain Isolation (5)
• Active Directory:
o Kerberos or x509 certificate
o Mac / Linux / Unix / No IPsec
▪ 'Exception'
▪ "IPsec" proxy
• Extra security on top of:
o Anti-virus, Anti-malware, Anti-spyware
o Firewall, 802.1x, intrusion detection, NTFS & Share permissions, SSL,..

Server & Domain Isolation (6)
▪ PC1: communication request to Server1 (TCP-SYN)
▪ PC1: IPsec 'mutual authentication'
▪ PC1&Server1: domain credentials
▪ IPsec 'authentication succeeds'
▪ 'negotiation of IPsec protection succeeds'
▪ PC1: 'initial communication with IPsec'
▪ Server1: 'Response' (TCP-SYN-ACK)
▪ PC&Server1: communication


Server & Domain Isolation & Wireshark

Hardening servers
- Updates;
- Firewall, virus scanner, ...
- Defining, configuring and checking of:
▪ Server roles and features;
▪ Secure services: e.g. DNSSEC;
- Reduced Attack Surface:
▪ IE, .NET, GUI, (unnecessary) applications;
▪ Microsoft Baseline Security Analyzer (MBSA);
▪ Security Compliance Manager (SCM).

Hardening Servers (2)
▪ AppLocker;
o Executable Rules: .exe, …
o Windows Installer rules: .MSU, .MSI, …
o Script Rules: .PS1, .BAT, …
o AppX
▪ GPO settings, including:
o Device Guard,
o Default domain Policy,
o Password,

Security Data in Transit
- Extra form of security (defense in depth);
- Encryption:
• VPN, FW, IPSec, …
• Public Key Infrastructure.
- Private Key vs Public key encryption.
• Public = asymmetric, Private = symmetric;
o Encryption and decryption;
• Certificates.

IPSec

PKI Supports
• Digital signatures
• Secure e-mail
• Internet authentication
• IP security
• Smart card (logon)
• Encrypting File Systems
• Wireless/Wired 802.1x authentication
• Authentication of network devices

What is PKI?
PKI:
• Is a standard approach to security-based tools, technologies, processes, and services that are used to enhance the security of communications, applications, and business transactions
• Relies on the exchange of digital certificates between authenticated users and trusted resources
PKI provides:
• Confidentiality: Encryption
• Integrity: digital signing; identifies whether data was modified
• Authenticity: Hash algorithm to prove that the digest was produced by the sender
• Non-repudiation: digitally signed data; digital signature provides proof of integrity and of the origin of data

Components of a PKI

What is a CA




Using Certificates for SSL
- The purpose of securing a connection with SSL is to protect data during communication
- For SSL, a certificate must be installed on the server
- Be aware of trust issues
- The SSL works in the following steps:
1. The user types an HTTPS URL
2. The web server sends its SSL certificate
3. The client performs a check of the server certificate
4. The client generates a symmetric encryption key
5. The client encrypts this key with the server's public key
6. The server uses its private key to decrypt the encrypted symmetric key
- Make sure that you configure the SSL certificate properly

Using Certificates for Content Encryption

Certificates for Digital signatures
Digital signatures ensure:
• Content is not modified during transport
• The identity of the author is verifiable
Digital signatures work in the following steps:
1. When an author digitally signs a document or a message, the operating system on his or her machine creates a message cryptographic digest
2. The cryptographic digest is then encrypted by using author's private key and added to the end of the document or message
3. The recipient uses the author's public key to decrypt the cryptographic digest and compare it to the cryptographic digest created on the recipient's machine
Users need to have a certificate based on a User template to use digital signatures
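
The three digital-signature steps and SSL steps 4 to 6 listed above, as an added example that is not part of the original summary. It uses a constructed toy RSA key pair (two small Mersenne primes, no padding) so the private-key and public-key operations are visible; the function names and sample message are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed toy RSA key pair built from two Mersenne primes. It is far too
# short for real use and has no padding; it only makes the steps visible.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                      # public key (modulus, exponent)
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent

def digest(message: bytes) -> int:
    """Signature step 1: message digest (reduced mod N for the toy key)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message: bytes) -> int:
    """Signature step 2: transform the digest with the author's private key."""
    return pow(digest(message), D, N)

def verify(message: bytes, signature: int) -> bool:
    """Signature step 3: recover the digest with the public key and compare
    it with a digest computed locally by the recipient."""
    return pow(signature, E, N) == digest(message)

def wrap_session_key(key: bytes) -> int:
    """SSL steps 4-5: the client encrypts its symmetric key with the
    server's public key."""
    return pow(int.from_bytes(key, "big"), E, N)

def unwrap_session_key(wrapped: int, length: int) -> bytes:
    """SSL step 6: the server decrypts the symmetric key with its private key."""
    return pow(wrapped, D, N).to_bytes(length, "big")

if __name__ == "__main__":
    doc = b"Transfer 100 EUR to account 42"      # constructed sample message
    sig = sign(doc)
    print("original verifies:", verify(doc, sig))
    print("modified verifies:", verify(doc.replace(b"100", b"900"), sig))

    session_key = secrets.token_bytes(16)        # client-generated key
    wrapped = wrap_session_key(session_key)
    print("server recovered key:", unwrap_session_key(wrapped, 16) == session_key)
```

A change to the message after signing makes the recipient's locally computed digest differ from the recovered one, which is the integrity check the list describes.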

Using Certificates for Authentication
You can use certificates for user and device authentication, and in network and application access scenarios such as:
• L2TP/IPsec VPN
• EAP-TLS
• PEAP
• NAP with IPsec
• Outlook Web App
• Mobile device authentication

Overview of the AD CS Server Role
In Windows Server

Stand-alone vs Enterprise CAs


Public vs Private CAs
Internal private CAs:
• Require greater administration than external public CAs
• Cost less than external public CAs, and provide greater control over certificate management
• Are not trusted by external clients by default
• Offer advantages such as customized templates and autoenrollment
External public CAs:
• Are trusted by many external clients
• Have slower certificate procurement

Cross-Certification Hierarchy

Options for CA Hierarchies




Considerations for a Root CA
- Computer name and domain membership cannot change
- When you plan private key configuration, consider the following:
• CSP (Cryptographic provider)
• Key character length with a default of 2,048
• The hash algorithm that is used to sign certificates issued by a CA
- When you plan a root CA, consider the following:
• Name and configuration
• Certificate database and log location
• Validity period

Considerations for Deploying a Subordinate CA
tiktokafm Hogeschool Utrecht