Securing Internet Access - PowerPoint PPT Presentation

Slides: 58
Provided by: higheredM

Transcript and Presenter's Notes

Title: Securing Internet Access


1
Securing Internet Access
  • Designing an Internet Acceptable Use Policy
  • Securing Access to the Internet by Private
    Network Users
  • Restricting Access to Content on the Internet
  • Auditing Internet Access

2
Designing an Internet Acceptable Use Policy
  • Policy elements
  • Implementing the policy

3
Internet Acceptable Use Policy
  • Draft an Internet acceptable use policy before
    securing Internet access for private network
    users.
  • An Internet acceptable use policy defines
    acceptable employee Internet use.
  • Private network users must understand the rules
    when they use corporate resources to access the
    Internet.
  • Define the policy before designing the network
    infrastructure and services that enforce and
    monitor the policy.

4
Policy Elements
  • Describe the available services.
  • Define specific user responsibility.
  • Define authorized Internet use.
  • Define unauthorized Internet use.
  • Define who owns resources stored on the
    organization's computers.
  • Define the consequences of performing
    unauthorized access.
  • Provide for new technologies.

5
Implementing the Policy
  • Create a document outlining the newly defined
    Internet acceptable use policy.
  • Include in the document a contract that employees
    must sign before gaining Internet access.
  • Have the organization's legal representatives
    review the contract and the policy to ensure the
    contract is legally binding.

6
Making the Decision: Designing an Internet
Acceptable Use Policy
  • Develop a fair Internet acceptable use policy.
  • Determine which protocols will be allowed for
    Internet access.
  • Verify authorized usage and identify unauthorized
    usage.
  • Enforce the Internet acceptable use policy.

7
Applying the Decision: Designing an Internet
Acceptable Use Policy for Wide World Importers
  • The Internet acceptable use policy needs to
    describe the consequences of violating the
    policy.
  • Wide World Importers needs to develop a fair
    Internet acceptable use policy accepted by both
    management and employees.

8
Securing Access to the Internet by Private
Network Users
  • Identifying risks when private network users
    connect to the Internet
  • Restricting Internet access to specific computers
  • Restricting Internet access to specific users
  • Restricting Internet access to specific protocols

9
Identifying Risks when Private Network Users
Connect to the Internet
  • Introducing viruses
      • Deploy a virus scanning solution for all client
        computers, servers, and entry points to the
        network.
  • Installing unauthorized software
      • Control software installation through a central
        network authority.
      • Restrict users to writing data to their hard
        disks only in common shared areas and their
        personal profile directories.

10
Exposing Private Network Addressing
11
Attempting to Bypass the Established Security
12
Making the Decision: Reducing Risks when
Providing Internet Connectivity
  • Reduce the risk of viruses.
  • Prevent the installation of unauthorized
    software.
  • Prevent Internet users from revealing the private
    network addressing scheme.
  • Prevent users from bypassing network security
    when accessing the Internet.

13
Applying the Decision: Reducing Risks at Wide
World Importers
  • Wide World Importers must include the following
    tasks in its network security plan:
      • Install virus scanning software at multiple
        locations on the network.
      • Preconfigure Microsoft Internet Explorer to
        ensure that security settings are set to restrict
        download of specific content.
      • Configure the external firewall with Network
        Address Translation (NAT) service to prevent
        exposure of the private network addressing scheme
        on the Internet.

14
Restricting Internet Access to Specific Computers
  • Configure client computers.
  • Configure the firewall to limit the computers
    that can connect to the Internet.
  • Configure Internet permissions for network
    servers.

15
Servers Requiring Access to the Internet Through
an External Firewall
16
Making the Decision: Designing Firewall Packet
Filters to Allow Internet Access
  • Determine which computers are required to respond
    directly to incoming requests.
  • Determine which computers are required to
    initiate data exchange with computers on the
    Internet.
  • Determine if the computers that require access to
    the Internet have a static IP address or a
    Dynamic Host Configuration Protocol
    (DHCP)-assigned IP address.
  • Determine which protocols the computers use when
    accessing the Internet.

17
Applying the Decision: Designing Wide World
Importers' Firewall Packet Filters
18
Applying the Decision: Designing Wide World
Importers' Firewall Packet Filters (Cont.)
19
Restricting Internet Access to Specific Users
20
Microsoft Proxy Server 2.0 Services
  • Web Proxy service
  • Windows Socket (WinSock) Proxy service
  • Socks Proxy service

21
Authenticating Proxy Server Requests
  • Proxy Server 2.0 supports three methods of
    authenticating users:
      • Anonymous access
      • Basic authentication
      • Integrated Windows Authentication
  • The Proxy Server update must be downloaded to
    configure the software to authenticate with
    Active Directory directory service.

22
Making the Decision: Restricting Which Users Can
Access the Internet
  • Allow all users to access the Internet.
  • Simplify the process of granting users access to
    Internet protocols.
  • Distinguish users connecting to the proxy
    service.
  • Specify which users can use the Web Proxy
    service.
  • Specify which users can use the WinSock Proxy
    service.

23
Applying the Decision: Restricting Internet
Access at Wide World Importers
24
Applying the Decision: Restricting Internet
Access at Wide World Importers (Cont.)
25
Restricting Internet Access to Specific Protocols
  • Determining Necessary Protocols
  • Determining Risks of Using Each Protocol
  • Defining Allowed and Disallowed Protocols

26
Restricting Protocol Access in the Web Proxy
  • Set permissions separately for the Web (HTTP),
    Secure (HTTPS), Gopher, and FTP Read services to
    allow only authorized groups to use the protocol.
  • For each protocol, define which groups can access
    the protocol.
  • Partial permissions to the protocols cannot be
    assigned.

27
Restricting Protocol Access in the WinSock Proxy
  • Set permissions for individual protocols in the
    WinSock Proxy on a per protocol basis.
  • An additional option exists to grant unlimited
    access to all protocols supported by the Proxy
    Server.
  • WinSock Proxy supports the most popular
    protocols.
  • WinSock Proxy also provides access to newer
    protocols by adding the protocol definitions to
    the WinSock Proxy.
  • To use the WinSock Proxy service in Proxy Server
    2.0, install the WinSock Proxy client at the
    client computer.

28
Making the Decision: Determining Which Protocols
Can Access the Internet
  • Determine which protocols are required.
  • Determine who requires protocol access.
  • Define allowed protocols.
  • Add new protocols.
  • Allow access to the WinSock Proxy.

29
Applying the Decision: Determining Which
Protocols Can Access the Internet at Wide World
Importers
  • Wide World Importers must include the following
    permissions in its Web Proxy and WinSock Proxy
    configurations:
      • Configure the Web Proxy to grant access
        permissions to the Internet Access local group
        and the IT Access local group for the Web (HTTP),
        Secure (HTTPS), and FTP Read protocols.
      • Configure the WinSock Proxy to grant unlimited
        access to the IT Access local group.
      • Configure the WinSock Proxy to grant access
        permission to the Internet Access group for the
        File Transfer Protocol (FTP) and Network News
        Transfer Protocol (NNTP).

30
Restricting Access to Content on the Internet
  • Preventing access to specific Web sites
  • Using the Internet Explorer Administration Kit
    (IEAK) to preconfigure settings
  • Managing content downloads
  • Preventing access to specific types of content

31
Preventing Access to Specific Web Sites
32
Making the Decision: Preventing Access to
Specific Web Sites
  • Identify Web sites that will always be
    unauthorized for access.
  • Include the domain names in the domain filter
    list.

33
Applying the Decision: Preventing Access to
Specific Web Sites at Wide World Importers
  • Configure a domain filter for nwtraders.tld to
    prevent the Proxy Server from allowing access to
    any Web sites for nwtraders.tld.
  • Ensure that the filter prevents access to any Web
    site within nwtraders.tld.
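
The requirement on this slide, that the filter cover every Web site within nwtraders.tld, depends on how a filter entry is compared with the requested host. The following is an added example, not part of the original presentation and not Proxy Server's own matching logic: it contrasts two weak comparisons with a label-boundary match. The function names and test URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Domain from the slide; the filter entry names the parent domain only.
DOMAIN_FILTER = {"nwtraders.tld"}


def host_of(url):
    """Return the URL's host, lower-cased, without port or trailing dot."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def exact_match(url, blocked=DOMAIN_FILTER):
    """Weak form: compares the whole host, so subdomains are not covered."""
    return host_of(url) in blocked


def string_suffix_match(url, blocked=DOMAIN_FILTER):
    """Weak form: raw endswith() also blocks unrelated look-alike names."""
    return any(host_of(url).endswith(d) for d in blocked)


def domain_match(url, blocked=DOMAIN_FILTER):
    """Corrected form: block the domain and every name beneath it,
    comparing whole DNS labels only."""
    labels = host_of(url).split(".")
    parents = {".".join(labels[i:]) for i in range(len(labels))}
    return bool(parents & set(blocked))


# Constructed test URLs with the decision the slide's requirement implies.
CASES = {
    "http://nwtraders.tld/": True,
    "http://www.nwtraders.tld/catalog": True,
    "http://Sales.Intranet.NWTraders.TLD.:8080/": True,
    "http://notnwtraders.tld/": False,
    "http://nwtraders.tld.example.tld/": False,
}


def audit(match):
    """Return the URLs where a matcher disagrees with the expected decision."""
    return sorted(u for u, want in CASES.items() if match(u) != want)


if __name__ == "__main__":
    for fn in (exact_match, string_suffix_match, domain_match):
        print(fn.__name__, "wrong on:", audit(fn) or "nothing")
```

Running the same cases against the deployed filter, by requesting each URL through the proxy, confirms whether its behavior matches the label-boundary form.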

34
The IEAK
  • Allows administrators to preconfigure Internet
    Explorer settings before deploying Internet
    Explorer and to update deployments
  • Can be downloaded by searching www.microsoft.com
    for "IEAK"
  • Consists of the IEAK Profile Manager and the
    Internet Explorer Customization Wizard

35
The IEAK Profile Manager
  • Profile Manager allows administrators to modify
    existing installations by storing the modified
    configuration setting in a .ins file.
  • Internet Explorer clients will detect the .ins
    file and apply those settings when Internet
    Explorer is configured to Automatically Detect
    Settings.

36
Internet Explorer Customization Wizard
  • Allows administrators to define custom settings
    for all security settings in Internet Explorer
  • Allows configuration of the following
    security-related options:
      • Enable Automatic Configuration
      • Proxy Settings
      • Define Certification Authorities
      • Define Security Zones
      • Enable Content Rating

37
Making the Decision: Using the IEAK to
Preconfigure Settings
  • Determine the desired configuration of Internet
    Explorer.
  • Define an installation package that applies the
    standard configuration.
  • Determine how modifications will be deployed.
  • Prevent modification of the standard
    configuration.

38
Applying the Decision: Using the IEAK to
Preconfigure Settings for Wide World Importers
  • Wide World Importers currently supports both
    Internet Explorer and Netscape Navigator.
    Migrating to a pure Internet Explorer environment
    and using the IEAK will reduce the cost of
    deploying the latest version of Internet Explorer
    and ensure that consistent security settings are
    deployed.
  • The IEAK will work in the Wide World Importers
    network because the IEAK supports Microsoft
    Windows 95, Microsoft Windows 98, Microsoft
    Windows NT, and Microsoft Windows 2000.
  • Use the IEAK Profile Manager to create a modified
    .ins file and post it on an accessible share on
    the network.
  • If Internet Explorer is configured to autodetect
    Proxy settings, the .ins file will be read from
    the network location and used to apply any
    modifications.

39
Internet Explorer Security Zones
  • Internet Explorer allows administrators to manage
    what content can be downloaded from Web sites.
  • Each security zone is configured with a security
    setting that defines what content can be
    downloaded from Web sites in the security zone.
  • Additional zones cannot be added to the
    predefined zones included with Internet Explorer.

40
Predefined Security Zones
41
Internet Explorer Security Zone Level
ActiveX Controls and plug-ins
42
Deploying Internet Explorer Settings
  • Use a mix of IEAK and Group Policy to ensure that
    correct settings are applied to all Internet
    Explorer clients.
  • Modify settings from a central location by
    defining configuration (.ins) files.
  • Secure Internet Explorer by using Group Policy to
    prevent the display of configuration property
    pages.

43
Making the Decision: Managing Content Downloads
  • Allow download of safe content from trusted
    sites.
  • Allow unrestricted access to content on the
    private network.
  • Prevent download of harmful content from all
    Internet sites.
  • Apply security settings that match the Internet
    acceptable use policy for the organization.
  • Ensure consistent security settings on all client
    computers.

44
Applying the Decision: Managing Content Downloads
at Wide World Importers
  • Wide World Importers wants to place restrictions
    that make it difficult to download software from
    the Internet.
  • Configure the Internet zone to use the High
    security setting to prevent users from
    downloading most harmful content from the
    Internet.
  • Combine the High security setting with deployment
    of a security template to limit users to creating
    files in their personal folders and common shared
    file locations.
  • Ensure that the users are not members of the
    Power Users group on the local computer.

45
Preventing Access to Specific Types of Content
46
Using Plug-Ins to Block Content
  • Restrict access to Web sites that contain
    unauthorized content by using plug-ins that allow
    content scanning at the Proxy Server.
  • The Proxy Server will not load the inappropriate
    materials and will inform the user that the
    content is blocked.
  • A list of plug-ins for content scanning is
    available at www.microsoft.com/proxy/.

47
Using Internet Explorer Content Advisor
  • The Content Advisor controls what content can be
    displayed in the browser windows by using the
    Recreational Software Advisory Council on the
    Internet (RSACi) rating system.
  • RSACi classifies Internet content in four
    categories, based on language, nudity, sex, and
    violence.
  • When the Content Advisor is enabled, Internet
    Explorer scans the HTML source code for RSACi
    ratings contained in HTML metatags.
  • Define what action to take if a site is unrated.
  • Blocking access to unrated sites might deny
    access to inoffensive sites as well.
  • Prevent users from changing the content ratings
    by either:
      • Locking the Content Advisor settings with a
        supervisor password
      • Preventing access to the Content tab in the
        Internet Explorer Properties dialog box
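
The rating check and the unrated-site decision described on this slide can be modelled as follows. This is an added example, not part of the original presentation and not Internet Explorer's implementation. It assumes the rating is carried in a PICS-1.1 label inside a `PICS-Label` meta tag with the RSACi categories n, s, v and l; the sample pages, the rating-service URL and the limits (nudity, sex and violence at level 0, language unrestricted) are constructed.

```python
import re
from html.parser import HTMLParser

CATEGORIES = ("n", "s", "v", "l")   # nudity, sex, violence, language
RATING_RE = re.compile(r"\br\s*\(([^)]*)\)")

# Constructed limits: block any nudity, sex or violence; language unrestricted.
LIMITS = {"n": 0, "s": 0, "v": 0, "l": 4}


class _PicsFinder(HTMLParser):
    """Collect the content of every <meta http-equiv="PICS-Label"> tag."""

    def __init__(self):
        super().__init__()
        self.labels = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "pics-label":
            self.labels.append(a.get("content") or "")


def rsaci_ratings(html):
    """Return {'n':..,'s':..,'v':..,'l':..} or None when the page is unrated."""
    finder = _PicsFinder()
    finder.feed(html)
    for label in finder.labels:
        m = RATING_RE.search(label)
        if not m:
            continue
        tokens = m.group(1).split()
        pairs = dict(zip(tokens[0::2], tokens[1::2]))
        # A label missing a category or carrying a non-numeric level is unrated.
        if all(pairs.get(k, "").isdigit() for k in CATEGORIES):
            return {k: int(pairs[k]) for k in CATEGORIES}
    return None


def decide(html, limits=LIMITS, block_unrated=True):
    """Return 'allow' or 'block' for one page under the configured limits."""
    ratings = rsaci_ratings(html)
    if ratings is None:
        return "block" if block_unrated else "allow"
    return "block" if any(ratings[k] > limits[k] for k in CATEGORIES) else "allow"


# Constructed sample pages.
_LABEL = ('<meta http-equiv="PICS-Label" content=\'(PICS-1.1 '
          '"http://ratings.example/rsaci" l gen true r (%s))\'>')
RATED_OK = "<html><head>" + _LABEL % "n 0 s 0 v 0 l 2" + "</head></html>"
RATED_VIOLENT = "<html><head>" + _LABEL % "n 0 s 0 v 3 l 0" + "</head></html>"
UNRATED = "<html><head><title>Parts catalog</title></head></html>"
```

With `block_unrated=True` the inoffensive `UNRATED` page is blocked as well, which is the trade-off the slide points out.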

48
Making the Decision: Preventing Access to
Specific Types of Content
  • Define the organization's policy on obscene
    content.
  • Define what content must be blocked.
  • Define what actions to take when an unrated Web
    site is accessed.
  • Prevent users from changing content settings.
  • Ensure that all settings for Internet Explorer
    installations are consistent.

49
Applying the Decision: Preventing Access to
Internet Content for Wide World Importers
  • Define restrictions in the Content Advisor to
    prevent access to sites that contain nudity, sex,
    and violence.
  • Enable content ratings for all Internet Explorer
    clients to ensure consistent application of the
    restrictions.
  • Configure the settings using the IEAK so that the
    required settings are configured as the default
    settings.
  • Configure the IEAK to ensure that Internet
    Explorer clients are configured to autoconfigure
    settings and will download any modified content
    settings.
  • Use Group Policy to prevent access to the Content
    tab of the Internet Explorer Properties dialog
    box.

50
Auditing Internet Access
  • Proxy Server 2.0
  • Audit logs
  • Logging configuration: regular or verbose
  • Logging fields

51
Designing Proxy Server Auditing
52
Audit Logs
  • The log data allows administrators to review all
    Internet access.
  • Written text files are stored in the
    systemroot\system32\MSPlogs folder, where
    systemroot is the folder where Windows 2000 is
    installed.
  • New log files can be created every day, week, or
    month.
  • Proxy Server maintains the following logs:
      • Web Proxy log (W3yymmdd.log)
      • WinSock Proxy log (Wsyymmdd.log)
      • Socks Proxy log (Spyymmdd.log)
  • Logging can be configured to use either regular
    or verbose logging.
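
Because each text log is named for its service and date, a directory listing of the MSPlogs folder is enough to spot days on which a service wrote no log. The following is an added example, not part of the original presentation: it assumes daily log rotation and the file-name patterns listed above, interprets the two-digit year with Python's `%y` rule, and runs over a constructed listing.

```python
import re
from datetime import date, datetime, timedelta

# Prefixes from the slide: W3 = Web Proxy, Ws = WinSock Proxy, Sp = Socks Proxy.
SERVICES = {"w3": "Web Proxy", "ws": "WinSock Proxy", "sp": "Socks Proxy"}
NAME_RE = re.compile(r"^(w3|ws|sp)(\d{6})\.log$", re.IGNORECASE)


def parse_log_name(name):
    """Return (service, date) for a daily log file name, or None."""
    m = NAME_RE.match(name)
    if not m:
        return None
    try:
        day = datetime.strptime(m.group(2), "%y%m%d").date()
    except ValueError:          # six digits that are not a real date
        return None
    return SERVICES[m.group(1).lower()], day


def missing_days(names, first, last, required=("Web Proxy", "WinSock Proxy")):
    """Map each required service to the ISO dates in [first, last] with no log.

    first and last are ISO date strings; the default required services are
    the two the Wide World Importers scenario says must be logged.
    """
    start, end = date.fromisoformat(first), date.fromisoformat(last)
    seen = {svc: set() for svc in required}
    for name in names:
        parsed = parse_log_name(name)
        if parsed and parsed[0] in seen:
            seen[parsed[0]].add(parsed[1])
    span = [start + timedelta(days=i) for i in range((end - start).days + 1)]
    return {svc: [d.isoformat() for d in span if d not in seen[svc]]
            for svc in required}


# Constructed directory listing of the MSPlogs folder.
SAMPLE_LISTING = [
    "W3000301.log", "W3000302.log", "W3000303.log",
    "Ws000301.log", "Ws000303.log",          # WinSock log for 2 March absent
    "Sp000301.log",
    "W3001340.log",                          # not a valid date, ignored
    "readme.txt",
]

if __name__ == "__main__":
    for svc, gaps in missing_days(SAMPLE_LISTING, "2000-03-01", "2000-03-03").items():
        print(svc, "missing:", gaps or "none")
```

A gap can mean the service was stopped, logging was turned off, or a file was removed, so each one is worth following up during the log review.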

53
ODBC-Compliant Database Logging
  • Advantage: Open Database Connectivity (ODBC)
    logging has improved search and management
    capabilities to review the logged data.
  • Disadvantage: ODBC logging uses more processor
    time than text-based logging.
  • Before implementing ODBC logging, determine
    whether the Proxy Server has any processor
    resource issues.

54
Log Reviews
  • Ensure that reviewing the logs is one of the
    Proxy Server administrator's regular assignments.
  • Unless the logs are reviewed, there is no way to
    ensure that the Proxy Server is functioning as
    expected.
  • If ODBC logging is used, the database product
    provides query mechanisms to find data related to
    a specific user or protocol.
  • If text logging is used, consider purchasing a
    third-party product that provides reporting
    options for text-based log files.

55
Making the Decision: Implementing Internet Access
Logging
  • Examine Internet usage from the private network.
  • Conserve disk space related to logging at the
    Proxy Server.
  • Ensure that all information of a proxied session
    can be analyzed.

56
Applying the Decision: Implementing Logging at
Wide World Importers
  • Wide World Importers must enable logging of the
    Web Proxy and WinSock Proxy services.
  • Log to an ODBC data source such as SQL Server to
    view the logs.
  • Configure the Proxy Server to use verbose
    logging.

57
Chapter Summary
  • Determining contents of the policy
  • Identifying risks when private network users
    connect to the Internet
  • Restricting Internet access to specific computers
  • Restricting Internet access to specific users
  • Restricting Internet access to specific protocols
  • Preventing access to specific Web sites
  • Using the IEAK to preconfigure settings
  • Managing content downloads
  • Preventing access to specific types of content
  • Designing Proxy Server auditing