Contents Overview 1 Lesson: Introduction to Designing Security for Microsoft Networks 2 Contoso Pharmaceuticals: A Case Study 10 Module 1: Introduction to Designing Security Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.  2002 Microsoft Corporation. All rights reserved. Microsoft, MS-DOS, Windows, Windows NT, Active Directory, ActiveX, BizTalk, PowerPoint, Visio, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. Module 1: Introduction to Designing Security iii Instructor Notes This module introduces Course 2830A, Designing Security for Microsoft Networks, and presents general security concepts that are used throughout the course. This module emphasizes the importance of a network security design in the protection of an organization’s assets. The module also introduces a fictional organization, Contoso Pharmaceuticals, which is used as an ongoing case study for the labs in the course. Students will become familiar with the network security issues that confront Contoso Pharmaceuticals, meet some of its employees, and learn about the lab environment. There is no lab for this module. After completing this module, students will be able to:  Provide an overview of designing security.  Describe the components of the case study for this course. To teach this module, you need Microsoft ® PowerPoint ® file 2830A_01.ppt. It is recommended that you use PowerPoint version 2002 or later to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all of the features of the slides may not be displayed correctly. To prepare for this module:  Read all of the materials for this module. Presentation: 30 minutes Lab: 00 minutes Required materials Important Preparation tasks iv Module 1: Introduction to Designing Security How to Teach This Module This section contains information that will help you to teach this module. This course contains teachable appendices, which are modules that do not contain practices, assessments, or labs. If you have time at the end of the course, you can use the appendices as lecture material. Encourage students to read the material on their own. Lesson: Introduction to Designing Security for Microsoft Networks This lesson is designed to introduce students to key security concepts such as asset, threat, vulnerability, and risk. It also introduces a framework for understanding security design. Other modules in this course will revisit the framework, giving students a context in which to place the information that they receive in this course. Emphasize the concepts of asset, threat, vulnerability, and risk. You will revisit these concepts in depth in later modules. Emphasize these principles to students, and revisit them throughout the course. Spend as much time as necessary based on the experience level of the students in your classroom. Discuss the differences between design and implementation and the challenges and difficulties of each. Try to relate each aspect of design and implementation to roles in students’ organizations. Discuss non-Microsoft administrators on a network, such as router administrators, and how they play a role in overall network security. Module 2, “Creating a Plan for Network Security” in this course goes into greater detail about design teams, policies, and procedures. Use this page to set student expectations regarding the scope of this course. There are several Microsoft servers, for example, that this course does not focus on. Emphasize that the items on the slide represent the areas of a network that this course covers. Describe how data might flow across the network in the slide, and where possible vulnerabilities might exist. Describe how each point is a complex area of threats, vulnerabilities, risks, and countermeasures. Also emphasize to students that the areas listed in the Additional Reading section are not covered in this course, but are covered in detail in the courses listed. Use this opportunity to point out the Additional Reading listings, and tell students that this course provides numerous resources, white papers, and other materials in this folder on the Student Materials CD. Note Wh y Secure a Network? Important Principles of Securit y Security Design and Implementation Overview of a Microsoft Network Module 1: Introduction to Designing Security v This page shows the flow of the course on a single slide, and also gives students a simple framework that they can use to approach security design. This framework will be revisited at the end of each module on a page called Security Design Checklist. Use this slide to show students how the content in the course flows from a planning segment in Modules 2, 3, and 4 to a building component in Modules 5 through 11. Module 12 and the Appendices reflect the management aspect of security design. This framework was leveraged from Microsoft Solutions Framework (MSF), which is discussed in greater detail in Module 2, “Creating a Plan for Network Security.” Avoid going into excessive depth on this page, but ensure that students understand the general structure of the course, and why topics are presented in the order given here. Emphasize that this framework is not meant to be inclusive or act as the ultimate statement regarding security; instead, it is simply an effective way to categorize the planning that each student will need to perform as she designs security for her organization. Appendices A, B, and C are teachable modules that do not include instructor notes, practices, labs, or assessment items. If your class finishes early on the last day, you can either teach your students the appendices or use them as subjects for discussion. Lesson: Contoso Pharmaceuticals: A Case Study Contoso Pharmaceuticals is a fictional company that the labs in this course use as an ongoing case study. The labs rely on an interactive application in which students will read and watch scenario information relating to Contoso’s security design. Put students in the mindset of being consultants for Contoso Pharmaceuticals. Have them draw on their own experience as they perform the labs in this course. Ashley Larson is the new Chief Information Officer (CIO) for Contoso Pharmaceuticals. In the labs, she has hired students to help her as Contoso updates its security design. Emphasize to students that Ashley’s comments and e-mails will provide the goals for each lab. The labs in this course are scenario-based exercises that revolve around the student analyzing or solving a problem relating to the topics covered in the module. Although this introductory module does not have a lab, the rest of the modules do have labs associated with them. Tell students that beginning with the next module, they will use the lab environment in each module. One teaching suggestion is to perform the lab for Module 2, “Creating a Plan for Network Security,” together as a class, so that students can familiarize themselves with the lab structure. In subsequent labs, have students work in pairs to generate interaction among students. Framework for Desi gning Security Introduction to Contoso Pharmaceuticals Contoso Pharmaceuticals Personnel Introduction to the Lab Environment vi Module 1: Introduction to Designing Security Assessment This is an introductory module, and as such there are no assessment questions designed for it. You can use the Key Security Concepts topic page to lead a post-module discussion. There are assessments for each lesson, located on the Student Materials compact disc. You can use them as pre-assessments to help students identify areas of difficulty, or you can use them as post-assessments to validate learning. Customization Information This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware. There are no labs in this module, and as a result, there are no lab setup requirements or configuration changes that affect replication or customization. Module 1: Introduction to Designing Security 1 Overview ***************************** ILLEGAL FOR NON - TRAINER USE ****************************** This module introduces Course 2830, Designing Security for Microsoft Networks, and presents general security concepts that are used in the course. This module emphasizes the importance of a network security design in the protection of an organization’s assets. The module also introduces a fictional organization, Contoso Pharmaceuticals, which the labs in the course use as an ongoing case study. You will become familiar with the network security issues that confront Contoso Pharmaceuticals, meet some of its employees, and learn about the lab environment. After completing this module, you will be able to:  Provide an overview of designing security.  Describe the components of the case study for this course. Introduction Objectives 2 Module 1: Introduction to Designing Security Lesson: Introduction to Designing Security for Microsoft Networks ***************************** ILLEGAL FOR NON - TRAINER USE ****************************** A security design is a comprehensive plan that guides the implementation of security policies and procedures for an organization. A security design helps an organization protect its assets so that it can implement security in a consistent and effective manner. After completing this lesson, you will be able to:  Explain why organizations invest in network security.  Describe important principles of security.  Explain the difference between security design and security implementation.  Describe the areas of a Microsoft network that should be secured.  Describe the general organization of information in this course. Introduction Lesson objectives Module 1: Introduction to Designing Security 3 Why Secure a Network? ***************************** ILLEGAL FOR NON - TRAINER USE ****************************** Organizations invest in network security to protect their assets from threats. Assets on a computer network can include such items as e-mail messages, intellectual property like trade secrets or source code, customer databases, and e-commerce transactions. A threat is a danger or vulnerability to an asset. Threats to assets include attackers trying to steal information, software applications that lack the latest security updates, and natural disasters such as fires or floods. A security design uses the concept of risk management to determine appropriate security responses to threats. Risk management is a careful study of criteria, for example, the likelihood of a threat occurring, the impact of the threat, the value of an asset to your organization, and the cost of a security solution. After you perform risk management, you can decide on an appropriate response to a threat. Data collected during risk management is also useful to present to upper management and key stakeholders to persuade them of the importance of network security and its value to your organization. Key points 4 Module 1: Introduction to Designing Security Important Principles of Security ***************************** ILLEGAL FOR NON - TRAINER USE ****************************** Defense in depth refers to a combination of people, operations, and security technologies. Defense in depth provides multiple layers of protection to a network by defending against threats at multiple points within the network. A single layer is often ineffective against multiple attacks. By using defense in depth, if an attack breaks through one point of defense, other defenses provide additional protection to the asset. Least privilege refers to consistently granting a user, resource, or application the least amount of privilege or permissions necessary to perform the required task. Practices such as using default or full control permissions on resources, or giving user accounts administrator rights, simplify administration to a dangerous degree. Granting excessive permissions can introduce numerous vulnerabilities that attackers can easily exploit. The concept of an attack surface describes points of entry that an attacker can exploit to penetrate the network. A network that has a minimum of exposed areas or points that are vulnerable to attack has a minimized attack surface. In comparison, a network that has several unprotected connections to the Internet has a larger attack surface than a small, isolated network with a single, secured connection to a branch office. Key points [...]... network Module 1: Introduction to Designing Security Additional reading For more information about ongoing use and management of the network, see Appendix A, Designing an Acceptable Use Policy,” Appendix B, Designing Policies for Managing Networks,” and Appendix C, Designing an Operations Framework to Manage Security, ” in Course 2830, Designing Security for Microsoft Networks 9 10 Module 1: Introduction. .. lab Module 1: Introduction to Designing Security 11 Introduction to Contoso Pharmaceuticals *****************************ILLEGAL FOR NON-TRAINER USE****************************** Key points Contoso Pharmaceuticals produces prescription drugs for a worldwide market Despite growing into a large company over the years, it has never performed network design in an organized manner As a result, Contoso... threat Designing security measures The bulk of this course uses the knowledge and skills from Module 3, “Identifying Threats to Network Security, ” and Module 4, “Analyzing Security Risks,” and applies them to the following areas of a Microsoft network: physical security; computers; accounts; authorization; data; data transmission; and network perimeters Each module identifies common vulnerabilities to. . .Module 1: Introduction to Designing Security 5 Security Design and Implementation *****************************ILLEGAL FOR NON-TRAINER USE****************************** Key points As a designer of network security, you must understand the difference between security design and security implementation, which are related but different processes Security design ensures that... Introduction to Designing Security Contoso Pharmaceuticals: A Case Study *****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction This course presents a case study of a fictional company, Contoso Pharmaceuticals The labs in each module focus on Contoso’s challenges and efforts to design security for its network This course uses an interactive lab application to convey... white paper, Microsoft SQL Server 2000 Security, under Additional Reading on the Web page on the Student Materials CD For more information about Exchange 2000 security, see Security Operations Guide for Exchange 2000 Server, under Additional Reading on the Web page on the Student Materials CD 7 8 Module 1: Introduction to Designing Security Framework for Designing Security *****************************ILLEGAL... nonexistent security on its network As part of reforming its Information Technology (IT) department, Contoso has hired a new chief information officer (CIO) to direct security efforts for the company’s network The CIO has hired you as a consultant to help design security for Contoso Pharmaceuticals In each lab, you will analyze a different scenario that focuses on topics taught in the course 12 Module 1: Introduction. .. John Chen John is one of Contoso’s IT administrators He offers technical details about the security of the network Suzan Fine Suzan is Vice President (VP) of the research and development department and an executive stakeholder Lani Ota Lani is a business analyst and represents the end user in the organization Module 1: Introduction to Designing Security 13 Introduction to the Lab Environment *****************************ILLEGAL... Internet Security and Acceleration (ISA) Server 2000, are covered in detail in separate courses Module 1: Introduction to Designing Security Additional reading For more information about Active Directory, see Course 2154, Implementing and Administering Microsoft Windows 2000 Directory Services For more information about ISA Server, see Course 2159, Deploying and Managing Microsoft Internet Security. .. company history Network files A file server that contains folders with relevant documents that you may need to complete a lab Help Instructions about how to use the interactive lab To complete a lab 1 Read Ashley’s e-mail in each lab to determine the goals for the lab 2 Click Reply and then type your answer to Ashley’s questions 3 Click Send to save your answers to a folder on your desktop 4 Discuss . gning Security Introduction to Contoso Pharmaceuticals Contoso Pharmaceuticals Personnel Introduction to the Lab Environment vi Module 1: Introduction to Designing. Lesson: Introduction to Designing Security for Microsoft Networks 2 Contoso Pharmaceuticals: A Case Study 10 Module 1: Introduction to Designing Security