Book: CompTIA Network+ Lab Manual

Phase 3

Maintaining and Securing the Network

Phase 3 comprises many tasks that an administrator performs during the life of an established internetwork, including securing the infrastructure against active assaults as well as more passive issues such as spyware infiltration. In addition to spyware mitigation, this phase includes scanning for viruses and keeping your operating system current with the latest updates. Some of the tasks in this phase concentrate on authorizing users and their administrative groups for access to services and resources, denying others implicitly or outright.

Attacks on networks and their resources vary widely. This phase gives you some methods to combat the most popular attacks in addition to ways to guard against such attacks in the first place by encrypting your data. Because accidents can compromise data every bit as much as malicious deeds can, one of the tasks in this phase presents a strategy and method to back up your information in preparation for an accident.

The tasks in this phase map to domains 2.1, 5.2, 5.3, and 5.4 in the objectives for the CompTIA Network+ exam.

details the membership of these groups.

1. On the computer’s Desktop, right-click My Computer and choose Manage. This produces the Computer Management plug-in for the Microsoft Management Console (MMC).

2. In the left pane of the Computer Management window, expand Local Users And Groups under System Tools.

Group membership

Group Name       Members
Sales Planning   akaminski (Sales), bunderhill (Mktg)
Advertising      bunderhill (Mktg), csullivan (Fin)
Receivables      akaminski (Sales), csullivan (Fin)

3. Under Local Users And Groups, click the Groups folder to produce the current list of user groups that have been created on this computer, as seen here.

4. Right-click in an unaffiliated (blank) portion of the right pane of the Computer Management display to bring up a context menu and then click New Group. This opens the New Group dialog, which allows you to enter the details for a new user group. You can also choose New Group from the Action menu.

5. In the New Group dialog, shown next, start by giving the group a meaningful name and optionally supplying a potentially helpful description.

6. Click the Add button to begin the process of adding users to the group. The next image shows the Select Users dialog that pops up when you do.

7. Type in the user account names for this group separated by semicolons (;) and click the OK button to go back to the New Group dialog. The following image shows the Select Users dialog with the akaminski and bunderhill user accounts typed in.

Optionally, to check your accuracy, you may elect to click the Check Names button, which will confirm your selections or give you the opportunity to correct those that are incorrect. The next image shows an example of the Check Names feature catching the omission of Ann Kaminski’s first initial in her username.

8. As you can see in the following screen shot, which once again shows the New Group dialog, Ann’s and Bob’s user accounts have been added to the Sales Planning group. Click the Create button to finalize the establishment of the Sales Planning group.

9. The New Group dialog stays open and clears out so you can create another group. Create all three groups as described in this task, following the details in and clicking the Create button for each one.

10. Finally, click the Close button to return to the Computer Management plug-in, where the three groups can be seen in the list of groups in the right pane.

Criteria for Completion

You have completed this task when you confirm that the three groups are visible in the right pane of the Computer Management display while Groups is selected in the left pane, and you confirm that each group’s membership matches the details in .

details the initial access that is to be granted to each of these shares.

Resource access

Resource Name          Group with Access
Sales and Marketing    Sales Planning
Marketing and Finance  Advertising
Sales and Finance      Receivables

General Procedure in Windows XP

1. On the computer’s Desktop, right-click any unaffiliated area and choose New Folder. This creates a new folder on the Desktop.

2. The default name for the folder you created is New Folder. Rename the folder Sales and Marketing.

3. Right-click your new folder and choose Sharing And Security. This takes you to the Sharing tab of the Sales And Marketing Properties dialog.

4. By default, your folder is not shared. Select Share This Folder to activate the bottom portion of the page, automatically reproducing the folder name as the share name, as shown here.

5. Click the Permissions button to open the Share Permissions tab of the Permissions dialog for your folder. The following image shows that the built-in Everyone group, which includes all users, has Read access across the network to this resource by default.

6. Click the Add button to open the Select Users Or Groups dialog. Type in the name of each group that you want to give or deny access to the resource and press Enter. The following image shows the Select Users Or Groups dialog with Sales Planning. Click the OK button.

7. With Sales Planning selected on the Share Permissions tab, click the check box for Full Control in the Allow column.

8. It is too permissive to leave the Everyone group with access, so click the Everyone entry in the Group Or User Names pane and then click the Remove button. This results in the complete removal of the Everyone group from the ACL. Click the OK button to return to the Sharing tab of the Sales And Marketing Properties dialog.

Note that because all user accounts are in the Everyone group, its removal from the ACL tacitly denies anyone who is not explicitly permitted. Only members of the Sales Planning group are explicitly permitted. There is a subtle difference between this passive denial and the explicit denial that occurs when an account is in a group that is denied access overtly. If you explicitly deny the Everyone group, you shut down the resource for every account regardless of what other positive access a user has by virtue of their own account or other group membership. However, in this case, only those members of Everyone not also in the Sales Planning group get denied access to the resource—subtle, indeed.

9. Now, click the Security tab. This is where you provide local access rights to the resource. These rights are combined with the share-level permissions to provide the effective rights for the object when it’s accessed from the network. If you have specific reasons not to allow local access to anyone logged on to the computer—keep in mind you can limit who is allowed to log on to a computer, if that’s an issue—adjust this step to include only those accounts or groups to be permitted access. Go through the same process you went through earlier and add the Everyone group. Again, using what you learned earlier, remove every other account. Give the Everyone group Full Control permission over the local resource. Doing so makes certain that the individuals you intend to have access from across the network are not stymied by a restrictive local policy. The following screen shot shows the end result. Click the OK button to complete the share.

Most administrators reverse the logic of this step. The industry preference is to open shares completely to the Everyone group while restricting more specifically at the NTFS file level. That way, the rights are kept with the object, not with the share, which only points to the object. This makes troubleshooting access issues easier later, especially in domain environments. One catch: This strategy works only with NTFS filesystems. The strategy used here provides decent security for non-NTFS filesystems that have no file-level security.
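As an added illustration (not from the lab manual) of how the two notes above play out, the following Python model computes a user's effective network access from a share ACL and an NTFS ACL. It is simplified: rights are three nested levels (Read, Change, Full Control), group membership is the constructed table from the previous task, and a Deny entry is assumed to override any Allow, which is how Windows resolves conflicts.

```python
from dataclasses import dataclass

# Share and NTFS rights as nested bit flags: Full Control includes Change, which includes Read.
READ = 0b001
CHANGE = 0b011
FULL = 0b111
NAMES = {0: "No Access", READ: "Read", CHANGE: "Change", FULL: "Full Control"}

# Constructed membership, matching the three groups built in the previous task.
GROUPS = {
    "Sales Planning": {"akaminski", "bunderhill"},
    "Advertising": {"bunderhill", "csullivan"},
    "Receivables": {"akaminski", "csullivan"},
}


@dataclass(frozen=True)
class Ace:
    principal: str      # user or group name
    rights: int         # READ, CHANGE or FULL
    allow: bool = True  # False is an explicit Deny entry


def principals_for(user):
    """Every identity an ACE can match for a user: the account, its groups, and Everyone,
    which every account belongs to whether or not it appears in the ACL."""
    return {user, "Everyone"} | {g for g, members in GROUPS.items() if user in members}


def evaluate_acl(acl, user):
    """Union of the Allow entries that apply, minus the union of the Deny entries.
    An empty result with no Deny involved is the 'passive' denial the note describes:
    the user simply has no entry that grants anything."""
    ids = principals_for(user)
    allowed = denied = 0
    for ace in acl:
        if ace.principal not in ids:
            continue
        if ace.allow:
            allowed |= ace.rights
        else:
            denied |= ace.rights
    return allowed & ~denied


def effective_network_rights(share_acl, ntfs_acl, user):
    """Over the network a user gets only what BOTH the share ACL and the NTFS ACL grant."""
    return evaluate_acl(share_acl, user) & evaluate_acl(ntfs_acl, user)


def describe(rights):
    return NAMES.get(rights, f"custom ({rights:03b})")


# Steps 7 to 9 of the lab: Everyone removed from the share ACL, Sales Planning given Full
# Control, and the local (NTFS) ACL left wide open to Everyone.
SHARE_ACL_LAB = [Ace("Sales Planning", FULL)]
NTFS_ACL_LAB = [Ace("Everyone", FULL)]
# What the first note warns about: an explicit Deny for Everyone on top of the same share ACL.
SHARE_ACL_DENY_EVERYONE = SHARE_ACL_LAB + [Ace("Everyone", FULL, allow=False)]
# The "industry preference" from the second note: open share, restrict at the NTFS level.
SHARE_ACL_OPEN = [Ace("Everyone", FULL)]
NTFS_ACL_RESTRICTED = [Ace("Sales Planning", FULL)]

if __name__ == "__main__":
    for user in ("akaminski", "bunderhill", "csullivan"):
        print(user,
              describe(effective_network_rights(SHARE_ACL_LAB, NTFS_ACL_LAB, user)),
              describe(effective_network_rights(SHARE_ACL_DENY_EVERYONE, NTFS_ACL_LAB, user)),
              describe(effective_network_rights(SHARE_ACL_OPEN, NTFS_ACL_RESTRICTED, user)))
```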

10. It is possible, depending on the group policy implemented on your network, to check the shared resource you just created right on the same computer. If you want to try this, open the Run dialog by choosing Start > Run. Type \\localhost in the Open field and then click OK to try to bring up your own machine’s list of shares. If this does not work, you might have to substitute your computer’s IP address for the name localhost.

11. Once you produce the list of shares for your computer, right-click Sales And Marketing and select Map Network Drive. This opens the Map Network Drive dialog.

12. Go with the default drive letter (N in the screen shot that follows) or change to another available one. The folder name is filled in for you automatically.

13. Click the Different User Name link to open the Connect As dialog. The example here shows Ann Kaminski’s username entered, along with her password. Once the dialog is filled out, click OK to negotiate the connection to the share.

14. Open My Computer and note the existence of a network drive under the drive letter you assigned to this resource. The fact that total size and free space measurements are given for your mapped drive indicates that you have attached to the share successfully.

15. If double-clicking the entry in My Computer brings up a window similar to the following, then you have proven further that you have created a network-accessible share. This window pops up automatically when you check connectivity by mapping a drive to a network share remotely.

16. If you would like to see what happens when you try to access a resource without being authorized to do so, first disconnect from the network drive, which you do by right-clicking its entry in My Computer and clicking Disconnect in the context menu. Then enter Cathy Sullivan’s credentials in an attempt to gain unauthorized access to the Sales and Marketing share.

When you try to access the share remotely, the status indicator is displayed. An error display similar to the following eventually pops up, indicating that Cathy could not be positively authenticated as Ann was and Bob would have been.

17. Notice that the entry returns to the My Computer output but that there are no drive-size specifications listed this time. That’s because Cathy was denied access to the share, so the server did not bother to return these statistics.

Be sure to repeat this task for the other two shares and test to see whether the two appropriate executives can access each one while the unauthorized executive for each one cannot.

Procedure in Windows Vista and Windows 7

In Vista and Windows 7, you must first ensure that the proper settings exist to follow the general procedure that follows this section. This requires disabling the Sharing Wizard. This wizard considerably limits the control you have over how resources are shared. These procedures are performed on a machine using Windows Vista Ultimate. Some Vista Home versions might vary somewhat.

Disabling the Sharing Wizard

1. Right-click the Start button and click Explore or Open Windows Explorer in the context menu.

If you don’t have a menu bar in Windows Explorer, click Organize > Layout > Menu Bar. You need the menu bar for the next step.

2. Click Tools > Folder Options.

3. Click the View tab.

4. Scroll down to the bottom of the list and clear the check mark from Use Sharing Wizard (Recommended). This feature is recommended for general users, but more advanced users will want to enable sharing of resources in a manner reminiscent of the classic method. Clearing this check box enables this classic behavior. Advanced sharing in Windows 7 is still allowed when this option is selected.

5. Click OK to close Folder Options.

6. Close the Windows Explorer window.

General Procedure in Windows Vista and Windows 7

1. On the computer’s Desktop, right-click in any unaffiliated area and choose New Folder. This creates a new folder on the Desktop.

2. The default name for the folder you created is New Folder. Rename the folder Sales and Marketing.

3. Right-click your new folder and choose Share. This places you on the Sharing tab of your folder’s Properties pages. In Windows 7, choose Share With > Advanced Sharing. If you chose not to disable the Sharing Wizard in either operating system, simply choose Properties instead of Share and then manually select the Sharing tab for the same effect.

4. Click the Advanced Sharing button in the center of the page to open the dialog that allows you to enable sharing for your folder.

5. Follow Steps 5 through 8 in the earlier section, “General Procedure in Windows XP.” The dialogs will look only slightly different.

6. Click the Security tab.

7. Click the Advanced button. You will need to remove this folder’s inheritance of permissions from its parent folder in order to remove existing permissions.

8. Click the Edit button (called Change Permissions in Windows 7) to unlock the check box that you need to clear.

9. Click to remove the check mark from the box labeled Include Inheritable Permissions From This Object’s Parent. Optionally, if you are using this procedure as a guide for other folders, check the other box to force inheritance of these new permissions to existing child objects, of which there are none for this example. The following Windows Security dialog is displayed.

In Windows 7, the Copy button becomes the Add button. The function is the same, but the description reads more clearly, making it easier to determine its effect.

10. Click the Remove button to start over with the permissions for this folder. Note the warning that this folder has no permissions, shown next. You could click the Add button here to add the Everyone group to the ACL, but the following steps follow a procedure that works when removing existing permissions is not necessary.

11. Click OK to close the top Advanced Security Settings dialog. You are again warned that there are no permissions set for this folder.

12. Click Yes to continue.

13. Click OK to close the next level of the Advanced Security Settings dialog for this folder and return to the Security tab of the folder’s Properties pages.

14. Click the Edit button to unlock the permissions settings for the folder and open the Permissions dialog for the folder. Note the Add button in the following screen shot and note again that you could have used the dialog shown in Step 10 of this section to perform the following steps.

15. Click the Add button to begin the same process you went through earlier to add the Everyone group. Give the Everyone group Full Control permission over the local resource. The following screen shot shows the end result.

16. Click the OK button to close the Permissions dialog and then click OK on the Security tab of the Properties pages for your folder to complete the share.

17. Pick up the Windows XP procedure earlier in this task at Step 10 and note that the Vista and Windows 7 analogue for XP’s My Computer is simply Computer.

If you don’t have the Computer icon on your Desktop or in the Start menu (highly unlikely), you might need to right-click Start, click Explore, and find Computer in the left frame. The same solution should work for any case in this book where you want to use Vista to perform the tasks but only XP procedures are outlined. Be sure to repeat this procedure for the other two shares.

Criteria for Completion

You have completed this task when you confirm that the two appropriate executives can access each folder while the unauthorized executive for each one cannot, based on the details of .

shows a sample portion of an internetwork that will be referenced throughout this task.

Note that the internal-facing network of the RAS server, 172.16.50.128/27, is the network from which addresses are assigned to RAS clients. Additionally, the interface on the noPoD router in the 172.16.50.160/29 network is considered to be attached directly to the Internet because the Internet is made up of more than just the backbone and ISP routers.

Figure: Sample network

1. Enter global configuration mode.

noPoD#config t

noPoD(config)#

2. The first line of the access list for the VPN subnet is the most specific line of the three overlapping lines to be entered. Therefore, it must come first. This line states that any ICMP traffic coming from any device in the 172.16.50.128 subnet destined for the host at address 172.16.50.65 is allowed to pass. This makes sure that pinging the internal interface on router noPoD from a VPN connection through the RAS server is allowed but pinging any other LAN interface is not.

noPoD(config)#access-list 100 permit icmp 172.16.50.128 0.0.0.31 host 172.16.50.65

noPoD(config)#

The mask in the preceding command, 0.0.0.31, is known as a wildcard mask. To form a wildcard mask from a standard mask, reverse the ones and zeros. Therefore, where a /27, or 255.255.255.224, mask would be appropriate, the corresponding wildcard mask is 0.0.0.31. A quick way to accomplish the same thing is to subtract each octet in the standard mask from 255.

Wildcard masks are used with commands that require more flexibility than a standard mask provides. Their format is reversed to make it more obvious when they are being used. Wildcard masks are more flexible because they allow the mixing of ones and zeros, unlike standard masks. They are used to produce a group of contiguous or noncontiguous addresses. Standard masks cannot accomplish this due to their restrictions of contiguity.

3. The second line is more specific than the third line but less so than the first. If you specify this line first, pinging the router interface at address 172.16.50.65 from a RAS client fails. If you specify it last, unwanted ICMP traffic over the VPN is not deterred.

noPoD(config)#access-list 100 deny icmp any 172.16.50.64 0.0.0.63 echo

noPoD(config)#

4. The last line of the access list ensures that all other traffic based on IP is allowed to pass normally, which includes all other ICMP traffic.

noPoD(config)#access-list 100 permit ip any any

noPoD(config)#

5. The access list for the public interface of the noPoD router is a bit simpler. All echo requests coming in on this interface must be blocked, but all other ICMP traffic must be allowed. The first line filters all ping requests, while the second one allows all other IP-based traffic to pass, including any other ICMP traffic.

noPoD(config)#access-list 150 deny icmp any 172.16.50.64 0.0.0.63 echo

noPoD(config)#access-list 150 permit ip any any

noPoD(config)#

6. Applying the access lists to the proper interfaces is the final step in securing the LAN against malicious ICMP traffic. The following lines of configuration establish the IP identities of the interfaces as well as apply the appropriate access lists where they belong. Note that the internal LAN interface of the router does not have an access list applied to it. There is no need.

noPoD(config)#interface f0/0

noPoD(config-if)#ip address 172.16.50.129 255.255.255.224

noPoD(config-if)#ip access-group 100 in

noPoD(config-if)#interface f0/1

noPoD(config-if)#ip address 172.16.50.163 255.255.255.248

noPoD(config-if)#ip access-group 150 in

noPoD(config-if)#interface f1/0

noPoD(config-if)#ip address 172.16.50.65 255.255.255.192

noPoD(config-if)#

7. Exit configuration.

noPoD(config-if)#end

noPoD#

Criteria for Completion

You have completed this task when you have configured your router as noted and optionally tested access restrictions using equipment and connections similar to those outlined in . You may substitute two computers, one for the entire public connection and one for the RAS server, in order to test your configuration more easily. Keep in mind that crossover Ethernet cables are required when connecting computers to routers.

shows a sample portion of the internetwork referenced in this task.

Figure: Task sample network

PPP Authentication

This section of the task establishes strong authentication so that the link stays down until matching authentication is used at both ends.

1. Enter global configuration mode on one of the routers. Start with Tokyo’s Router J in this example.

RouterJ#config t

RouterJ(config)#

2. Establish login credentials for the remote device, router D. In the following command, the name after the username keyword is case-sensitive and must match the remote device’s hostname or the name configured with the ppp chap hostname interface configuration command on router D’s opposing interface. The password must match the password configured in router D’s username command or with the ppp chap password interface configuration command on router D’s opposing interface.

RouterJ(config)#username RouterD password wiley

RouterJ(config)#

3. On the serial interface leading to router D, enter interface configuration mode and set the encapsulation to PPP.

RouterJ(config)#interface s0/0

RouterJ(config-if)#encapsulation ppp

RouterJ(config-if)#

4. Now that PPP is set as the interface’s encapsulation method, PPP-specific commands become available. Set the authentication protocol to CHAP. If changing the encapsulation did not bring the link down and the interface was in an up/up condition, it switches to up/down, pending proper authentication, for which router D is not yet ready.

RouterJ(config-if)#ppp authentication chap

RouterJ(config-if)#

%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down

RouterJ(config-if)#

5. Exit configuration.

RouterJ(config-if)#end

RouterJ#

6. With the exception of the username command, enter all corresponding commands for router D.

RouterD#config t

RouterD(config)#interface s0/0

RouterD(config-if)#encapsulation ppp

RouterD(config-if)#ppp authentication chap

RouterD(config-if)#

7. Upon execution of the username command, note that the link is reestablished almost immediately.

RouterD(config-if)#exit

RouterD(config)#username RouterJ password wiley

RouterD(config)#

%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up

RouterD(config)#

8. Exit configuration.

RouterD(config)#end

RouterD#

OSPF with MD5-Encrypted Authentication

Although the link may be authenticated and in an up/up condition, OSPF might refuse to send advertisements across the PPP link until additional authentication is performed between both ends of the OSPF adjacency.

1. Enter global configuration mode on one of the routers. Start with Tokyo’s router J.

RouterJ#config t

RouterJ(config)#

2. (Optional) Create a loopback interface and give it the identity of the Gigabit Ethernet interface in . This aids in simulating the network without added equipment. If you have the additional equipment, feel free to configure the Ethernet address on the physical interface.

RouterJ(config)#interface loopback0

RouterJ(config-if)#ip address 172.16.50.65 255.255.255.192

RouterJ(config-if)#

3. Enter interface configuration mode on the OSPF interface that connects to router D and ensure that its IP address is entered.

RouterJ(config)#interface s0/0

RouterJ(config-if)#ip address 172.16.50.5 255.255.255.252

RouterJ(config-if)#

4. Set the password for authentication and set the password encryption type to MD5.

RouterJ(config-if)#ip ospf message-digest-key 1 md5 wiley

RouterJ(config-if)#

5. Add all OSPF interfaces to the OSPF routing process under area 0 and require MD5 authentication for all interfaces in area 0.

RouterJ(config-if)#router ospf 1

RouterJ(config-router)#network 172.16.50.4 0.0.0.3 area 0

RouterJ(config-router)#network 172.16.50.64 0.0.0.63 area 0

RouterJ(config-router)#area 0 authentication message-digest

RouterJ(config-router)#

6. Exit configuration.

RouterJ(config-router)#end

RouterJ#

7. (Optional) Create a loopback interface on router D and give it the identity of the Gigabit Ethernet interface in .

RouterD#config t

RouterD(config)#interface loopback0

RouterD(config-if)#ip address 172.16.50.9 255.255.255.252

RouterD(config-if)#

8. For now, do not configure the MD5 key on router D. So, with the exception of the ip ospf command on the serial interface, enter all corresponding commands for router D. Note that the process ID at the end of the router ospf command is locally significant and can but does not need to match across routers.

RouterD#config t

RouterD(config)#interface s0/0

RouterD(config-if)#ip address 172.16.50.6 255.255.255.252

RouterD(config-if)#router ospf 10

RouterD(config-router)#network 172.16.50.4 0.0.0.3 area 0

RouterD(config-router)#network 172.16.50.8 0.0.0.3 area 0

RouterD(config-router)#area 0 authentication message-digest

RouterD(config-router)#

9. Exit configuration.

RouterD(config-router)#end

RouterD#

10. Issuing the show ip route command, note that only local interfaces exist in the routing table on both routers. The following output is from router J.

RouterJ#sh ip rout

[output omitted]

Gateway of last resort is not set

     172.16.0.0/16 is variably subnetted, 3 subnets, 3 masks

C       172.16.50.6/32 is directly connected, Serial0/0

C       172.16.50.4/30 is directly connected, Serial0/0

C       172.16.50.64/26 is directly connected, Loopback0

RouterJ#

11. Upon execution of the ip ospf command on router D’s serial interface, using the same key ID (1) and password as on router J, note that the adjacency is formed almost immediately.

RouterD#config t

RouterD(config)#interface s0/0

RouterD(config-if)#ip ospf message-digest-key 1 md5 wiley

RouterD(config-if)#

%OSPF-5-ADJCHG: Process 10, Nbr 172.16.50.65 on Serial0/0 from LOADING to FULL, Loading Done

RouterD(config-if)#

12. Exit configuration.

RouterD(config-if)#end

RouterD#

13. Note that both routers now have complete routing tables. The following output is from router J.

RouterJ#sh ip rout

[output omitted]

Gateway of last resort is not set

     172.16.0.0/16 is variably subnetted, 4 subnets, 3 masks

O       172.16.50.9/32 [110/65] via 172.16.50.6, 00:01:56, Se0/1

C       172.16.50.6/32 is directly connected, Serial0/1

C       172.16.50.4/30 is directly connected, Serial0/1

C       172.16.50.64/26 is directly connected, Loopback0

RouterJ#
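Why the link and the adjacency only come up once both ends hold the same secret, as an added example that is not from the lab manual: a Python model of CHAP (RFC 1994) and of OSPF message-digest authentication (simplified from RFC 2328 Appendix D) that replays the two sections above. The router names and the password wiley follow the task; the challenge values, the Hello payload and the trailer layout are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Router:
    hostname: str
    usernames: dict = field(default_factory=dict)  # 'username NAME password PW' entries
    ospf_keys: dict = field(default_factory=dict)  # 'ip ospf message-digest-key ID md5 PW'

    # PPP CHAP, after RFC 1994: Response = MD5(identifier || secret || challenge)
    def chap_challenge(self):
        """Authenticator side: a random identifier and challenge value, plus our hostname."""
        return os.urandom(1)[0], os.urandom(16), self.hostname

    def chap_response(self, ident, challenge, authenticator_name):
        """Peer side: the secret is looked up under the authenticator's hostname, which is
        why the lab's 'username' must equal the remote router's name."""
        secret = self.usernames.get(authenticator_name)
        if secret is None:
            return None                      # no matching username: nothing to answer with
        digest = hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()
        return ident, digest, self.hostname

    def chap_verify(self, ident, challenge, response):
        """Authenticator side: recompute with the secret stored for the responder's name."""
        if response is None:
            return False
        resp_id, resp_digest, responder = response
        secret = self.usernames.get(responder)
        if secret is None or resp_id != ident:
            return False
        expected = hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()
        return hmac.compare_digest(expected, resp_digest)

    # OSPF cryptographic authentication, simplified from RFC 2328 Appendix D: the key ID
    # and sequence number travel in clear, and the MD5 digest covers packet, header and key.
    def ospf_sign(self, packet, key_id, seq):
        key = self.ospf_keys[key_id].encode().ljust(16, b"\0")   # key padded to 16 bytes
        hdr = bytes([key_id]) + seq.to_bytes(4, "big")
        return packet, hdr, hashlib.md5(packet + hdr + key).digest()

    def ospf_accept(self, packet, hdr, digest):
        """Receiver: an unknown key ID or a bad digest means the packet is dropped,
        so no adjacency forms, which is what the lab sees before Step 11."""
        key_id = hdr[0]
        if key_id not in self.ospf_keys:
            return False
        key = self.ospf_keys[key_id].encode().ljust(16, b"\0")
        return hmac.compare_digest(hashlib.md5(packet + hdr + key).digest(), digest)


def chap_one_way(authenticator, peer):
    """One direction of the three-way handshake: Challenge, Response, Success/Failure."""
    ident, challenge, auth_name = authenticator.chap_challenge()
    return authenticator.chap_verify(ident, challenge,
                                     peer.chap_response(ident, challenge, auth_name))


def ppp_link_up(a, b):
    """With 'ppp authentication chap' on both ends each router challenges the other; the
    line protocol stays down unless both directions succeed."""
    return chap_one_way(a, b) and chap_one_way(b, a)


def ospf_hello_accepted(sender, receiver, key_id=1, seq=1):
    """Sender signs a constructed Hello payload; receiver decides whether to process it."""
    hello = b"constructed OSPFv2 Hello, area 0, from " + sender.hostname.encode()
    return receiver.ospf_accept(*sender.ospf_sign(hello, key_id, seq))


def lab_walkthrough():
    """Replays the task: RouterJ fully configured first, RouterD catching up step by step.
    Returns (PPP up before Step 7, PPP up after, OSPF accepted before Step 11, after)."""
    j = Router("RouterJ", {"RouterD": "wiley"}, {1: "wiley"})
    d = Router("RouterD")
    ppp_before = ppp_link_up(j, d)
    d.usernames["RouterJ"] = "wiley"          # Step 7 of "PPP Authentication"
    ppp_after = ppp_link_up(j, d)
    ospf_before = ospf_hello_accepted(j, d)   # Steps 8 to 10: D has no message-digest key yet
    d.ospf_keys[1] = "wiley"                  # Step 11: same key ID and password as J
    ospf_after = ospf_hello_accepted(j, d)
    return ppp_before, ppp_after, ospf_before, ospf_after
```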

Criteria for Completion

You have completed this task when you have configured your routers as described in the steps of the task. Optional confirmation of your configuration is encouraged.

shows a sample portion of an internetwork that will be referenced throughout this task.

Figure: Task sample network

Testing for SYN Flooding

The first step is to determine if SYN flooding appears to be occurring. There is no need to combat a problem that does not exist. The cure can be challenging enough to warrant avoiding when unnecessary. The method for accomplishing this is to set up an access list that permits the specific types of traffic that you are studying and to monitor the matches against each type.

1. Enter global configuration mode.

noSYN#config t

noSYN(config)#

2. Create an access list that tests for TCP segments to the attacked server that are part of an established connection. The SYN bit in the TCP header is used in only two segments, which appear only when establishing a connection between two TCP speakers. The initial, unsolicited TCP segment has the SYN bit set. The response to this segment also has the SYN bit set. The difference is that the second segment also has the ACK bit set. In fact, every segment after the first one has the ACK bit set. Therefore, use the following command to permit only segments with the ACK bit set, denying the initial SYN segment that has an ACK bit of 0.

noSYN(config)#access-list 110 permit tcp any host 172.16.50.65 established

noSYN(config)#

3. Any messages that matched the previous statement have exited the access list. So, now that you have a line that matches TCP traffic without just the SYN bit set, all other TCP segments, by definition, have only the SYN bit set. These are the potential instruments of attack to which special attention should be paid. Nevertheless, it is not necessary at this juncture to block these data structures but rather simply to compare their numbers to those from the previous line of the access list.

noSYN(config)#access-list 110 permit tcp any host 172.16.50.65

noSYN(config)#

4. Because it is not the intent to block any traffic yet, the last line of the access list ensures that all other traffic based on IP is allowed to pass normally, which includes all other TCP traffic.

noSYN(config)#access-list 110 permit ip any any

noSYN(config)#

5. Apply the access list to inbound traffic on the external interface of the noSYN router. This is the interface shown in as being attached to the Internet on the 172.16.50.160/29 network.

noSYN(config)#interface f0/0

noSYN(config-if)#ip access-group 110 in

6. After an arbitrary period of time, look at the number of hits to the different lines in the access list. An inordinate number of initial segments to this server might indicate that it is the victim of a SYN flood attack. The following output shows a normal distribution of TCP traffic.

noSYN(config-if)#end

noSYN#show access-lists 110

Extended IP access list 110

   10 permit tcp any any established (60 matches)

   20 permit tcp any any (6 matches)

   30 permit ip any any (14 matches)

noSYN#

If the established line in the access list has very few matches, this means the local server has not generated repeat traffic from the supposed source of the TCP connection requests, possibly because the source IP addresses of these requests were bogus. If this is the case, and if the other TCP line in the list has relatively many matches, meaning a flood of SYN segments has appeared on the interface, use the configuration in the next section to minimize the connections opened by external sources.

Controlling SYN Flooding

This section guides you through the process of turning your test into a shield in order to block some of the traffic you started out only counting.

1. Enter global configuration mode.

noSYN#config t

noSYN(config)#

2. As when testing for a flood of SYN messages, the first step is to permit those non-initial TCP messages that are part of an established connection or negotiation.

noSYN(config)#access-list 110 permit tcp any host 172.16.50.65 established

noSYN(config)#

3. Because this access list is to be applied to the public interface of the noSYN router, allowing all VPN traffic to pass regardless of its nature, it is safe to deny all other TCP traffic, meaning that initial SYN-only messages are not allowed.

noSYN(config)#access-list 110 deny tcp any host 172.16.50.65

noSYN(config)#

When you are unable to block all initial TCP segments, due to the public nature of the server or other host, it is possible to use the same access list presented in the previous section. However, to extract the necessary information to lead you to the perpetrator of the attack, add the keyword log-input to the end of the command in Step 3 in the previous section. Similar ACLs along the reverse path are required to trace completely back to the source.

4. Because it is not the intent to block any other traffic, the last line of the access list ensures that all other traffic based on IP, including all other TCP messages, is allowed to pass normally.

noSYN(config)#access-list 110 permit ip any any

noSYN(config)#

5. Apply the access list to inbound traffic on the external interface of the noSYN router.

noSYN(config)#interface f0/0

noSYN(config-if)#ip access-group 110 in

6. Exit configuration.

noSYN(config-if)#end

noSYN#
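The access-list behaviour that this task and the earlier ICMP task (access list 100 on router noPoD) both rely on, as an added example that is not part of the lab manual: a small Python evaluator for IOS numbered extended ACLs covering wildcard masks, first-match ordering, the implicit deny, the ICMP echo keyword and the TCP established keyword. The ACL lines are the ones entered in the two tasks; the packets, the source addresses 172.16.50.130, 203.0.113.10 and 198.51.100.x, and the traffic mix are constructed.

```python
import ipaddress
from dataclasses import dataclass

def wildcard_from_mask(mask):
    """Form a wildcard mask by subtracting each octet of the standard mask from 255."""
    return ".".join(str(255 - int(o)) for o in mask.split("."))

def wildcard_match(addr, network, wildcard):
    """A 0 bit in the wildcard must equal the network bit; a 1 bit is 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "icmp" or "tcp"
    src: tuple             # (network, wildcard)
    dst: tuple
    qualifier: str = None  # "echo" for ICMP, "established" for TCP

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    icmp_type: str = None
    tcp_flags: frozenset = frozenset()

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [qualifier]', where SRC and DST
    are 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (network followed by wildcard)."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    rest = tok[4:]

    def take():
        spec = rest.pop(0)
        if spec == "any":
            return ("0.0.0.0", "255.255.255.255")
        if spec == "host":
            return (rest.pop(0), "0.0.0.0")
        return (spec, rest.pop(0))

    src, dst = take(), take()
    return Ace(tok[2], tok[3], src, dst, rest[0] if rest else None)

def ace_matches(ace, pkt):
    """Protocol, source, destination and the optional qualifier must all match."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (wildcard_match(pkt.src, *ace.src) and wildcard_match(pkt.dst, *ace.dst)):
        return False
    if ace.qualifier is None:
        return True
    if ace.qualifier == "established":      # IOS: matches when ACK or RST is set
        return bool(pkt.tcp_flags & {"ACK", "RST"})
    return ace.qualifier == pkt.icmp_type   # ICMP type keyword such as "echo"

def evaluate(acl, pkt, counters=None):
    """First matching line decides; no match hits the implicit 'deny any' at the end."""
    for i, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            if counters is not None:
                counters[i] += 1
            return ace.action
    return "deny"

def count_hits(acl, packets):
    """Per-line match counts, the numbers that 'show access-lists' reports."""
    counters = [0] * len(acl)
    for p in packets:
        evaluate(acl, p, counters)
    return counters

# ACL 100 exactly as entered in the ICMP task, plus the two overlapping ICMP lines swapped.
ACL_100 = [parse_ace(l) for l in (
    "access-list 100 permit icmp 172.16.50.128 0.0.0.31 host 172.16.50.65",
    "access-list 100 deny icmp any 172.16.50.64 0.0.0.63 echo",
    "access-list 100 permit ip any any")]
ACL_100_MISORDERED = [ACL_100[1], ACL_100[0], ACL_100[2]]
# Constructed traffic from a RAS client (172.16.50.130 lies in 172.16.50.128/27).
RAS_PING_ROUTER = Packet("icmp", "172.16.50.130", "172.16.50.65", icmp_type="echo")
RAS_PING_LAN_HOST = Packet("icmp", "172.16.50.130", "172.16.50.70", icmp_type="echo")

# ACL 110, the counting version from "Testing for SYN Flooding".
ACL_110_TEST = [parse_ace(l) for l in (
    "access-list 110 permit tcp any host 172.16.50.65 established",
    "access-list 110 permit tcp any host 172.16.50.65",
    "access-list 110 permit ip any any")]

def tcp_to_server(src, *flags):
    """Constructed TCP segment toward the protected server 172.16.50.65."""
    return Packet("tcp", src, "172.16.50.65", tcp_flags=frozenset(flags))

# Constructed samples: one normal connection (SYN, then ACK-bearing segments) and a burst of
# SYN-only segments from many sources that never follow up, the shape a flood takes.
NORMAL_TRAFFIC = [tcp_to_server("203.0.113.10", "SYN")] + [tcp_to_server("203.0.113.10", "ACK")] * 9
SYN_BURST = [tcp_to_server(f"198.51.100.{i}", "SYN") for i in range(1, 41)]
```

Swapping the "Controlling SYN Flooding" deny line in for the second ACL 110 line turns the same evaluator into the blocking configuration, with SYN-only segments returning deny while established traffic still passes.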

Criteria for Completion

You have completed this task when you have configured your router as noted and optionally tested access restrictions using equipment and connections similar to those outlined in . You may substitute two computers, one for the entire public connection and one for the RAS server, in order to test your configuration more easily. Keep in mind that crossover Ethernet cables are required when connecting computers to routers.


3. On the resulting web page, keep the default of All Downloads, and in the search field, enter efsinfo and either press the Enter key or click the Go button on the page.

4. This should result in something similar to the following. Don’t concern yourself with the fact that you have a different operating system from the one displayed. Click the link in the result.

c03g064.tif

5. Go through the validation process, if required, installing the Windows Genuine Advantage software if asked.

6. Once you are validated and taken to the download page, click the Download button near the top of the page. This produces the security warning shown next. If you wish to archive the file that installs the utility, click the Save button and navigate to where you want the file stored. Otherwise, simply click the Run button to start the installation process.

c03g065.tif

Note that you need to find the file you saved and run it to get to the same point as clicking the Run button without saving the file.

7. If you clicked the Run button earlier, you might see the following security warning pop-up, which simply asks you to confirm the fact that you wish to run this file. Click the Run button.

c03g066.tif

8. You see the following welcome screen, on which you click the Next button to continue to the End User License Agreement (EULA) dialog.

c03g067.tif

9. Agree with the EULA, and click the Next button to bring up the Destination Directory dialog.

10. The default destination folder is \Program Files\Resource Kit on your primary hard drive volume, as shown for drive C in the following screen shot. Note the default and click the Install Now button to begin the installation.

c03g068.tif

11. After the status bar runs across, you are taken to the final dialog for the installation. Click the Finish button to close the wizard.

12. The final steps refer to . Start by going back to your command prompt window.

Command prompt results

c03f004.tif

13. At the command prompt, enter path=%path%;c:\program files\resource kit. Note that there are two mandatory spaces in the preceding string and C: is assumed, but substitute your drive letter. This command allows you to run the efsinfo utility from any folder. Refer back to .

14. Change your logged directory back to the Encryption folder with the command cd\encryption.

15. At the new prompt, enter the command efsinfo to produce output similar to that in . Note that David Elliot encrypted the objects and he is shown as the user that can decrypt them. Note also that the Decrypted file shows up as not being encrypted.

Determining Who Encrypted an Object in XP and Later

It is possible to find out who is allowed to open and decrypt an encrypted object in Windows without leaving the GUI. The following steps can be used to discover this information.

1. Right-click Encrypted in the Encryption folder and then click Properties.

2. Click the Advanced button in the Properties dialog.

3. Click the Details button to the right of the encryption check box in the Advanced Attributes dialog.

4. Note the username(s) in the Users Who Can Transparently Access This File section of the resulting dialog, as shown in the following image. At a minimum, you will see the account of the encrypting user.

c03g069.tif

Understanding the Encryption Details Dialog

You can use the Add button in the Encryption Details dialog to choose additional users with certificates (meaning they have already encrypted something else). Note, however, that every user added can not only transparently access the file but can also decrypt the file.

If a data recovery agent (DRA) exists on the local system or in the domain, its name appears in the lower section of the dialog. In Windows 2000 the Administrator account was made a DRA automatically, which meant that an attacker who compromised that one account could decrypt every EFS-protected object on the machine. As a security enhancement, Windows XP and later do not assign the role automatically; a DRA has to be created deliberately.

If you would like to establish this role for any account, log on with that account and enter the cipher /r:filename command, where filename has no extension, at the command prompt in the desired directory to create the necessary filename.pfx and filename.cer files.

Subsequently, open Local Security Policy in Administrative Tools and expand Security Settings Public Key Policies, right-click Encrypting File System, and then click Add Data Recovery Agent. Finally, use the Browse Folders button in the second dialog to find the CER file you created. This places the user whose account created the PFX and CER files in the lower section of the Encryption Details dialog for all encrypted objects.

You might find that there are issues with using the DRA to decrypt some preexisting objects, but no such issues should arise with decrypting any objects that have been created or modified after the DRA was created.

Right-Clicking to Encrypt (Optional)

Most users are not inconvenienced by the procedure to encrypt an object because they do not encrypt items that often. However, you might frequently need to encrypt objects, making an easier procedure worth the dangers of hacking your system’s Registry.

warning.eps

Any time you edit your system’s Registry, there are inherent risks. One inadvertent slip and you can render your system useless, requiring reinstallation of the operating system and likely producing data loss. While editing the Registry, only perform the steps in this task as written.

1. Open the Registry Editor by clicking Start Run and entering regedit.

2. Expand down to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced, shown here with the next three steps already performed.

c03g070.tif

3. Right-click in the unaffiliated space in the right pane and click New DWORD Value.

4. Name the value EncryptionContextMenu.

5. Double-click the EncryptionContextMenu name to bring up the Edit DWORD Value dialog, change its value from 0 to 1, and click OK.

6. No system reboot is required. Simply exit Registry Editor and right-click a file or folder to confirm the presence of the Encrypt selection. Be sure not to right-click a file that is not able to be encrypted, and recall that encrypting a compressed file removes its compression.
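The steps above rely on opening each object's properties to see whether it is encrypted. During an investigation you usually want the opposite direction: an inventory of everything on a volume that carries the EFS attribute. The script below is an added example, not code from the lab manual or from Microsoft. It decodes the same attribute bits the Properties dialog reflects, using the FILE_ATTRIBUTE constants that Python's standard stat module defines, and it enforces the rule noted in Step 6 that an object is never both encrypted and compressed. The sample attribute values for the Encryption folder are constructed, not read from a real volume; only scan_tree reads live attributes, and only on Windows. Finding out who can decrypt an object still needs the dialog above or efsinfo.

```python
import os
import stat

# Win32 file attribute bits. Python's stat module defines these constants on every
# platform, so decoding works anywhere; reading them from a real file through
# st_file_attributes only happens on Windows.
ENCRYPTED = stat.FILE_ATTRIBUTE_ENCRYPTED     # 0x4000
COMPRESSED = stat.FILE_ATTRIBUTE_COMPRESSED   # 0x0800
DIRECTORY = stat.FILE_ATTRIBUTE_DIRECTORY     # 0x0010
ARCHIVE = stat.FILE_ATTRIBUTE_ARCHIVE         # 0x0020


def describe(attributes):
    """Decode the EFS-relevant state out of a FILE_ATTRIBUTE_* bitmask."""
    state = {
        "directory": bool(attributes & DIRECTORY),
        "encrypted": bool(attributes & ENCRYPTED),
        "compressed": bool(attributes & COMPRESSED),
    }
    # NTFS never keeps both: encrypting a compressed object drops its compression.
    if state["encrypted"] and state["compressed"]:
        raise ValueError(f"inconsistent attributes 0x{attributes:04x}: encrypted and compressed")
    return state


def encrypted_objects(entries):
    """Filter (path, attributes) pairs down to the EFS-encrypted ones, decoded."""
    return [(path, describe(attrs)) for path, attrs in entries if attrs & ENCRYPTED]


def scan_tree(root):
    """Walk a tree and collect (path, attributes). Off Windows, attributes read as 0."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path, follow_symlinks=False)
            except OSError:
                continue   # vanished or unreadable; keep going
            found.append((path, getattr(st, "st_file_attributes", 0)))
    return found


# Constructed sample standing in for what scan_tree would return on the task's
# Encryption folder. These bitmasks were not read from a real volume.
SAMPLE = [
    (r"C:\Encryption", DIRECTORY),
    (r"C:\Encryption\Encrypted", ARCHIVE | ENCRYPTED),
    (r"C:\Encryption\Decrypted", ARCHIVE),
    (r"C:\Encryption\Compressed", ARCHIVE | COMPRESSED),
    (r"C:\Encryption\EncryptedFolder", DIRECTORY | ENCRYPTED),
]

if __name__ == "__main__":
    import sys
    entries = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for path, state in encrypted_objects(entries):
        print(path, "(folder)" if state["directory"] else "(file)", "encrypted")
```

Run with a drive or folder as the argument on Windows to list live results; with no argument it reports on the constructed sample.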

Criteria for Completion

You have completed this task when you create the files and folders noted in this task and observe the encryption peculiarities mentioned here.

as a reference. Assume router B encrypts any IP traffic it sees going from host B to host A. Further assume that router A encrypts any IP traffic it sees going from subnet A to host B. Configuring encryption this way could result in a successful SA if host B initiates contact but a failed SA if any subnet A member other than host A initiates contact. This is because inbound traffic is held to the converse of the outbound relationships you establish. As a result, router B does not expect any remote device other than host A to send encrypted information across the link.

Encryption example

c03f005.eps

Procedure

In this task, you will configure two Cisco routers with mirror-image pairings and then encrypt all IP traffic from both directions.

Equipment Used

For this task, you need two Cisco routers with at least two network interfaces each. In theory, any pairing of interface types can be made to work, with additional considerations if serial interfaces are used. Testing the task's results is assumed in the following procedure, so two computers, as well as hubs, switches, or crossover cables, are also necessary.

Details

The following steps walk you through targeting traffic for encryption and implementing encryption on the link between routers. shows a sample portion of an internetwork that will be referenced throughout this task.

Task sample network

c03f006.eps

IP Configuration

Each device’s IP address is crucial. Not configuring the devices correctly leads to unrecognized addresses and the router’s refusal to encrypt or even transmit data between hosts.

1. Execute the following on router Inside.

Inside#config t

Inside(config)#int s0/0

Inside(config-if)#ip address 172.16.50.22 255.255.255.252

Inside(config-if)#int f0/0

Inside(config-if)#ip address 172.16.50.65 255.255.255.192

Inside(config-if)#

2. Execute the following on router Outside.

Outside#config t

Outside(config)#int s0/0

Outside(config-if)#ip address 172.16.50.21 255.255.255.252

Outside(config-if)#int f0/0

Outside(config-if)#ip address 172.31.10.1 255.255.255.0

Outside(config-if)#

3. Set up two computers, one on each end of the network. Configure each one with the appropriate address, mask, and default gateway, according to .

4. To avoid configuring dynamic routing, which is a preference in a lab setting but not a requirement, configure the following static routes on the corresponding device.

Inside(config-if)#exit

Inside(config)#ip route 172.31.10.0 255.255.255.0 172.16.50.21

Inside(config)#

Outside(config-if)#exit

Outside(config)#ip route 172.16.50.64 255.255.255.192 172.16.50.22

Outside(config)#

5. Pinging from the computers is now possible. The following output is from the server in .

C:\>ping 172.31.10.18

Pinging 172.31.10.18 with 32 bytes of data:

Reply from 172.31.10.18: bytes=32 time<1ms TTL=128

Reply from 172.31.10.18: bytes=32 time<1ms TTL=128

Reply from 172.31.10.18: bytes=32 time<1ms TTL=128

Reply from 172.31.10.18: bytes=32 time<1ms TTL=128

Ping statistics for 172.31.10.18:

   Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

   Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\>

Defining Traffic to Encrypt

Access lists are used to define what traffic you wish to encrypt over the link as well as what traffic you do not wish to encrypt. A permit parameter means encrypt the traffic on this line. A deny parameter means do not encrypt the traffic on this line. A crypto access list is not a filter for transmission. Denied traffic is not encrypted but is still eligible for transmission.

Following are the corresponding access lists for each router. Note that the implicit deny at the end of each list stops all other traffic from being encrypted. You define the source (first address) as the device or network on the same side of the encrypted link as the router being configured and the destination as the device or network on the opposite side; the peer's list must be the exact converse. Always avoid using the any keyword in crypto access lists: a line such as permit ip any any would try to pull every packet leaving the interface into the tunnel, including routing updates and other control traffic the peer does not expect to receive protected.

Inside(config)#access-list 120 permit ip host 172.16.50.95 host 172.31.10.18

Inside(config)#

Outside(config)#access-list 120 permit ip host 172.31.10.18 host 172.16.50.95

Outside(config)#
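The mirror-image requirement stated at the beginning of this task (and again above) is the most common reason a lab SA fails after the rest of the configuration looks right. The following script is an added example, not part of the lab manual, that parses the two crypto ACLs as typed on Inside and Outside, computes the converse the peer must hold, and reports any flow that is missing or too wide on the other side. It goes beyond the host-to-host case in the task: it also handles the subnet wildcard form and the any keyword, and its second pair of lists reproduces the subnet-A-versus-host-A mismatch described at the start of the task. The ROUTER_A/ROUTER_B lists are constructed for that purpose; only permit ip lines of a numbered extended ACL are handled.

```python
import ipaddress

# Constructed input: the two crypto ACLs exactly as typed on Inside and Outside in this
# task, plus a deliberately mismatched pair that reproduces the subnet-versus-host
# mistake described at the start of the task (router A protects subnet A -> host B,
# router B protects only host B -> host A).
INSIDE_ACL = ["access-list 120 permit ip host 172.16.50.95 host 172.31.10.18"]
OUTSIDE_ACL = ["access-list 120 permit ip host 172.31.10.18 host 172.16.50.95"]
ROUTER_A_ACL = ["access-list 120 permit ip 172.16.50.64 0.0.0.63 host 172.31.10.18"]
ROUTER_B_ACL = ["access-list 120 permit ip host 172.31.10.18 host 172.16.50.95"]

ANY = ipaddress.ip_network("0.0.0.0/0")


def _take_address(tokens):
    """Consume one IOS address spec from the front of tokens: host X | any | X WILDCARD."""
    tok = tokens.pop(0)
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if tok == "any":
        return ANY
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = ipaddress.ip_address(~wildcard & 0xFFFFFFFF)   # a wildcard is the inverted netmask
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)


def parse_crypto_acl(lines):
    """Return the set of (src, dst) networks that a router's crypto ACL selects for protection."""
    flows = set()
    for line in lines:
        tokens = line.split()
        if tokens[:1] != ["access-list"] or tokens[3] != "ip":
            raise ValueError("only 'access-list N permit|deny ip SRC DST' lines are handled: " + line)
        action, rest = tokens[2], tokens[4:]
        src = _take_address(rest)
        dst = _take_address(rest)
        if action == "permit":        # a deny line excludes traffic from encryption; it adds no flow
            flows.add((src, dst))
    return flows


def check_pair(local_lines, remote_lines):
    """Compare a router's crypto ACL with its peer's; the peer must hold the exact converse.

    An inbound protected packet is checked against the reverse of the receiving router's
    own permit lines, so a flow that is wider on one side than on the other is rejected
    even though every address in it overlaps.
    """
    local = parse_crypto_acl(local_lines)
    remote = parse_crypto_acl(remote_lines)
    expected_remote = {(dst, src) for (src, dst) in local}

    def fmt(pair):
        return f"{pair[0]} -> {pair[1]}"

    return {
        "missing_on_peer": sorted(fmt(p) for p in expected_remote - remote),
        "extra_on_peer": sorted(fmt(p) for p in remote - expected_remote),
        "uses_any": any(ANY in pair for pair in local | remote),
    }


if __name__ == "__main__":
    print("Inside/Outside:", check_pair(INSIDE_ACL, OUTSIDE_ACL))
    print("router A/router B:", check_pair(ROUTER_A_ACL, ROUTER_B_ACL))
```

An empty missing_on_peer and extra_on_peer for the Inside/Outside pair confirms the lists above are mirror images; the router A/router B pair shows one flow missing on the peer (the subnet) and one extra (the single host), which is exactly the condition that lets host B's SA succeed while any other subnet A member fails.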

Defining How to Encrypt and Authenticate

Transform set is the term used for a combination of security protocols and algorithms. Both an encryption algorithm and an authentication (integrity) algorithm are specified in a transform set that you name. Your transform set will use the Encapsulating Security Payload (ESP) with the Data Encryption Standard (DES) algorithm for encryption. Note that DES uses a 56-bit key and is considered broken; it is acceptable for this lab but on production equipment you should choose esp-aes instead.

Specify the ESP-compatible SHA HMAC authentication algorithm (SHA stands for Secure Hash Algorithm and HMAC stands for Hash Message Authentication Code) as the integrity check on each ESP packet. The HMAC key is not the pre-shared key; it is derived during the IKE negotiation. The pre-shared key you specify later on each router is used only by IKE to authenticate the two routers to each other before those session keys are agreed. Name your transform set ENCRYPT.

Inside(config)#crypto ipsec transform-set ENCRYPT esp-des esp-sha-hmac

Inside(cfg-crypto-trans)#exit

Inside(config)#

Outside(config)#crypto ipsec transform-set ENCRYPT esp-des esp-sha-hmac

Outside(cfg-crypto-trans)#exit

Outside(config)#

Mapping the Traffic to the Encryption

Cisco uses a crypto map to tie the access list representing the traffic to be encrypted to the protocols and algorithms that perform the encryption and authentication. Use the following commands to create crypto maps based on the traffic you chose to encrypt and the transform set created earlier as well as to identify the other end of the encrypted link.

1. Name the crypto map STATIC; a dynamic crypto map would be the choice if the peer's address were not known in advance. You receive a warning to let you know that you still have work to do to complete the map.

Inside(config)#crypto map STATIC 1 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer

       and a valid access list have been configured.

Inside(config-crypto-map)#

Outside(config)#crypto map STATIC 1 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer

       and a valid access list have been configured.

Outside(config-crypto-map)#

2. Within the new configuration context, define the other router’s serial interface’s IP address as the peer identity for the encryption SA.

Inside(config-crypto-map)#set peer 172.16.50.21

Inside(config-crypto-map)#

Outside(config-crypto-map)#set peer 172.16.50.22

Outside(config-crypto-map)#

3. Relate the crypto map back to the transform set called ENCRYPT that you created earlier.

Inside(config-crypto-map)#set transform-set ENCRYPT

Inside(config-crypto-map)#

Outside(config-crypto-map)#set transform-set ENCRYPT

Outside(config-crypto-map)#

4. Finally, specify the access list from which to obtain the addresses of the source and destination flows to be encrypted.

Inside(config-crypto-map)#match address 120

Inside(config-crypto-map)#exit

Inside(config)#

Outside(config-crypto-map)#match address 120

Outside(config-crypto-map)#exit

Outside(config)#

Get the Interface Involved

No encryption or authentication occurs just by virtue of the foregoing steps. An interface must be affiliated with the crypto map, which in turn references the traffic to be encrypted and how to encrypt it.

1. Enter interface configuration mode and apply the crypto map, STATIC.

Inside(config)#int s0/0

Inside(config-if)#crypto map STATIC

%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Inside(config-if)#end

Inside#

Outside(config)#int s0/0

Outside(config-if)#crypto map STATIC

%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Outside(config-if)#end

Outside#

2. It seems perfectly logical that a simple ping from one computer to the other will result in an SA being formed between the routers. No outward sign is given without turning on debugging.

Inside#debug crypto ipsec

Crypto IPSEC debugging is on

Inside#debug crypto isakmp

Crypto ISAKMP debugging is on

Inside#

Outside#debug crypto ipsec

Crypto IPSEC debugging is on

Outside#debug crypto isakmp

Crypto ISAKMP debugging is on

Outside#

3. Ping one of the computers from the other and notice that what was once successful now fails.

C:\>ping 172.31.10.18

Pinging 172.31.10.18 with 32 bytes of data:

Request timed out.

Request timed out.

Request timed out.

Request timed out.

Ping statistics for 172.31.10.18:

   Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\>

4. Observe the local router’s debug output. What follows are the lines of output pertinent to the discussion. Note that the first block is output by the IPSec debug while the rest is due to the Internet Security Association Key Management Protocol (ISAKMP) debugging.

*IPSEC(sa_request): ,

 (key eng. msg.) OUTBOUND local= 172.16.50.22, remote=

172.16.50.21,

   local_proxy= 172.16.50.95/255.255.255.255/0/0 (type=1),

   remote_proxy= 172.31.10.18/255.255.255.255/0/0 (type=1),

   protocol= ESP, transform= esp-des esp-sha-hmac  (Tunnel),

   lifedur= 3600s and 4608000kb,

   spi= 0x5828C451(1479066705), conn_id= 0, keysize= 0, flags=

0x400A

*ISAKMP: Created a peer struct for 172.16.50.21, peer port 500

*insert sa successfully sa = 8525B564

*ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main

mode.

*ISAKMP:(0:0:N/A:0):No pre-shared key with 172.16.50.21!

*ISAKMP:(0:0:N/A:0): No Cert or pre-shared address key.

*ISAKMP:(0:0:N/A:0): construct_initial_message: Can not start

Main mode

*ISAKMP: Deleting peer node by peer_reap for 172.16.50.21:

8525BC50

*ISAKMP:(0:0:N/A:0):purging SA., sa=8525B564, delme=8525B564

*ISAKMP:(0:0:N/A:0):purging node 657521518

Everything appears to start out well, but eventually the SA that was created is purged. UDP port 500 springs into action, only to be torn back down. ISAKMP is doing what ISAKMP does: looking for credentials, either a certificate or a pre-shared key, with which to authenticate the neighbor. You planned to use the pre-shared method but have not yet configured a key, so ISAKMP raises a red flag.

Creating the Pre-shared Key

Only the crypto isakmp key command is required to create a pre-shared key, but the key must be identical, like a password, on both ends, with each end pointing to the other.

1. On each router issue the crypto isakmp key command, using the same case-sensitive alphanumeric key and the appropriate opposite-end address.

Inside#config t

Inside(config)#crypto isakmp key WILEY address 172.16.50.21

Inside(config)#end

Inside#

Outside#config t

Outside(config)#crypto isakmp key WILEY address 172.16.50.22

Outside(config)#end

Outside#

tip.eps

Note that hostnames are recommended over addresses when routers have more than one address and more than one interface involved in SAs. In the case of the two routers in this procedure, only one encrypted path exists, making addresses acceptable.

2. Try the ping again. It is unsuccessful again.

C:\>ping 172.31.10.18

Pinging 172.31.10.18 with 32 bytes of data:

Request timed out.

Request timed out.

Request timed out.

Request timed out.

Ping statistics for 172.31.10.18:

   Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\>

3. Note the output on the local router.

*IPSEC(sa_request): ,

 (key eng. msg.) OUTBOUND local= 172.16.50.22, remote=

172.16.50.21,

   local_proxy= 172.16.50.95/255.255.255.255/0/0 (type=1),

   remote_proxy= 172.31.10.18/255.255.255.255/0/0 (type=1),

   protocol= ESP, transform= esp-des esp-sha-hmac  (Tunnel),

   lifedur= 3600s and 4608000kb,

   spi= 0xB449223F(3024691775), conn_id= 0, keysize= 0, flags=

0x400A

*Created a peer struct for 172.16.50.21, peer port 500

*insert sa successfully sa = 8525B564

*ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main

mode.

*ISAKMP:(0:0:N/A:0):Looking for a matching key for 172.16.50.21

in default

*ISAKMP:(0:0:N/A:0): : success

*ISAKMP:(0:0:N/A:0):found peer pre-shared key matching

172.16.50.21

*ISAKMP:(0:0:N/A:0):incorrect policy settings. Unable to

initiate.

*ISAKMP: Deleting peer node by peer_reap for 172.16.50.21:

857B8808

*ISAKMP:(0:0:N/A:0):purging SA., sa=8525B564, delme=8525B564

*ISAKMP:(0:0:N/A:0):purging node 614749934

You start out on very familiar ground. Then, everything seems to get better; the pre-shared keys seem to do the trick, only to uncover another issue lurking in the wings. Apparently, the default ISAKMP policy settings for Internet Key Exchange (IKE) negotiations are not compatible with your effort to use pre-shared keys. In fact, the default authentication method is RSA signatures.

4. Create a prioritized ISAKMP policy on both routers to be used during initial and subsequent IKE negotiations. IKE never exchanges private keys; it authenticates the peers (here, with the pre-shared key) and then uses a Diffie-Hellman exchange to derive the shared session keys that protect the data sent later. The priority number, 1 being the highest priority and 10000 being the lowest, does not have to match on both ends. Choose a priority that lets you override the entries that conflict with your plans while the uncontested entries continue to come from the default policy; you can later override this policy in turn simply by creating another one with a higher priority.

Inside#config t

Inside(config)#crypto isakmp policy 10

Inside(config-isakmp)#authentication pre-share

Inside(config-isakmp)#end

Inside#

Outside#config t

Outside(config)#crypto isakmp policy 10

Outside(config-isakmp)#authentication pre-share

Outside(config-isakmp)#end

Outside#

There is a default policy of the lowest priority, call it 10001, that supplies the other defaults. Authentication is the only parameter that conflicts with your plan to use pre-shared keys, so it is the only parameter you need to specify. The other parameters you accept from the default policy, which you can confirm in the debug output that follows when the priority 10 policy is checked against the peer's proposal, are DES-CBC encryption, SHA hashing, Diffie-Hellman group 1 (768-bit), and a lifetime of 86,400 seconds (0x15180, one day). These defaults are fine for a lab but weak for production, where a policy should specify encryption aes and a stronger Diffie-Hellman group (group 14 or higher).

5. Subsequent pings meet with success.

C:\>ping 172.31.10.18

Pinging 172.31.10.18 with 32 bytes of data:

Reply from 172.31.10.18: bytes=32 time<1ms TTL=128

Reply from 172.31.10.18: bytes=32 time<1ms TTL=128

Reply from 172.31.10.18: bytes=32 time<1ms TTL=128

Reply from 172.31.10.18: bytes=32 time<1ms TTL=128

Ping statistics for 172.31.10.18:

   Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

   Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\>

6. Note the debug output on the local router; the floodgates appear to have opened. In fact, the remote router now has recipient debug activity slightly different from the following output, where there was none before.

*IPSEC(sa_request): ,

 (key eng. msg.) OUTBOUND local= 172.16.50.22, remote=

172.16.50.21,

   local_proxy= 172.16.50.95/255.255.255.255/0/0 (type=1),

   remote_proxy= 172.31.10.18/255.255.255.255/0/0 (type=1),

   protocol= ESP, transform= esp-des esp-sha-hmac  (Tunnel),

   lifedur= 3600s and 4608000kb,

   spi= 0x50E86232(1357406770), conn_id= 0, keysize= 0, flags=

0x400A

*Created a peer struct for 172.16.50.21, peer port 500

*insert sa successfully sa = 8525B564

*ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main

mode.

*ISAKMP:(0:0:N/A:0):Looking for a matching key for 172.16.50.21

in default

*ISAKMP:(0:0:N/A:0): : success

*ISAKMP:(0:0:N/A:0):found peer pre-shared key matching

172.16.50.21

*ISAKMP:(0:0:N/A:0): beginning Main Mode exchange

*ISAKMP:(0:0:N/A:0): sending packet to 172.16.50.21 my_port 500

peer_port 500 (I) MM_NO_STATE

*ISAKMP (0:0): received packet from 172.16.50.21 dport 500 sport

500 Global (I) MM_NO_STATE

*ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0

*ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority

10 policy

*ISAKMP:      encryption DES-CBC

*ISAKMP:      hash SHA

*ISAKMP:      default group 1

*ISAKMP:      auth pre-share

*ISAKMP:      life type in seconds

*ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80

*ISAKMP:(0:1:SW:1): sending packet to 172.16.50.21 my_port 500

peer_port 500 (I) MM_SA_SETUP

*ISAKMP (0:134217729): received packet from 172.16.50.21 dport

500 sport 500 Global (I) MM_SA_SETUP

*ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0

*ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 0

*ISAKMP:(0:1:SW:1): processing vendor id payload

*ISAKMP:(0:1:SW:1): speaking to another IOS box!

*ISAKMP:(0:1:SW:1):Send initial contact

*ISAKMP:(0:1:SW:1):SA is doing pre-shared key authentication

using id type ID_IPV4_ADDR

*ISAKMP (0:134217729): ID payload

       next-payload : 8

       type         : 1

       address      : 172.16.50.22

       protocol     : 17

       port         : 500

       length       : 12

*ISAKMP:(0:1:SW:1):Total payload length: 12

*ISAKMP:(0:1:SW:1): sending packet to 172.16.50.21 my_port 500

peer_port 500 (I) MM_KEY_EXCH

*ISAKMP (0:134217729): received packet from 172.16.50.21 dport

500 sport 500 Global (I) MM_KEY_EXCH

*ISAKMP:(0:1:SW:1): processing ID payload. message ID = 0

*ISAKMP (0:134217729): ID payload

       next-payload : 8

       type         : 1

       address      : 172.16.50.21

       protocol     : 17

       port         : 500

       length       : 12

*ISAKMP:(0:1:SW:1):: peer matches *none* of the profiles

*ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 0

*ISAKMP:(0:1:SW:1):SA authentication status:

       authenticated

*ISAKMP:(0:1:SW:1):SA has been authenticated with 172.16.50.21

*ISAKMP: Trying to insert a peer 172.16.50.22/172.16.50.21/500/, and inserted successfully 857B8808.

You can see that the IPSec information has never changed. Now, however, you see success in ISAKMP where there was none before. Negotiations succeed and expected addresses, port and protocol numbers, and policy and priority numbers appear with no critical errors.
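The three debug captures in this task show a negotiation failing at two different points and then succeeding, and each failure names the configuration step that was missing. The following script is an added example, not part of the lab manual, that reduces a `debug crypto isakmp` capture to the furthest stage reached, the peer address, and the next command to look at. The three sample captures are constructed excerpts modelled on the output shown above, trimmed to the lines that matter; the stage names and remediation strings are this example's own.

```python
import re

# Constructed excerpts modelled on the three `debug crypto isakmp` captures in this
# task, trimmed to the lines that decide the outcome.
DEBUG_NO_KEY = """\
*ISAKMP: Created a peer struct for 172.16.50.21, peer port 500
*ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
*ISAKMP:(0:0:N/A:0):No pre-shared key with 172.16.50.21!
*ISAKMP:(0:0:N/A:0): No Cert or pre-shared address key.
*ISAKMP:(0:0:N/A:0): construct_initial_message: Can not start Main mode
*ISAKMP:(0:0:N/A:0):purging SA., sa=8525B564, delme=8525B564
"""
DEBUG_BAD_POLICY = """\
*ISAKMP: Created a peer struct for 172.16.50.21, peer port 500
*ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 172.16.50.21
*ISAKMP:(0:0:N/A:0):incorrect policy settings. Unable to initiate.
*ISAKMP:(0:0:N/A:0):purging SA., sa=8525B564, delme=8525B564
"""
DEBUG_OK = """\
*ISAKMP: Created a peer struct for 172.16.50.21, peer port 500
*ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 172.16.50.21
*ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*ISAKMP:(0:1:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*ISAKMP:(0:1:SW:1):SA has been authenticated with 172.16.50.21
"""

# Stages ordered from least to most progress: (pattern, stage name, configuration step
# that moves the negotiation past this point, or None when nothing is needed).
STAGES = [
    (re.compile(r"No pre-shared key with (?P<peer>[\d.]+)"), "no-preshared-key",
     "crypto isakmp key <key> address {peer}"),
    (re.compile(r"found peer pre-shared key matching (?P<peer>[\d.]+)"), "psk-found", None),
    (re.compile(r"incorrect policy settings"), "policy-mismatch",
     "crypto isakmp policy <priority> with 'authentication pre-share' (the default policy expects rsa-sig)"),
    (re.compile(r"SA has been authenticated with (?P<peer>[\d.]+)"), "phase1-authenticated", None),
]
PEER_RE = re.compile(r"peer struct for (?P<peer>[\d.]+)")
PURGE_RE = re.compile(r"purging SA")


def triage(debug_text):
    """Return the furthest stage reached, the peer, whether the SA was purged, and the next fix."""
    peer = None
    furthest = -1
    purged = False
    for line in debug_text.splitlines():
        m = PEER_RE.search(line)
        if m:
            peer = m.group("peer")
        purged = purged or bool(PURGE_RE.search(line))
        for rank, (rx, _stage, _fix) in enumerate(STAGES):
            m = rx.search(line)
            if m:
                furthest = max(furthest, rank)       # a later stage supersedes an earlier one
                peer = m.groupdict().get("peer") or peer
    if furthest < 0:
        return {"stage": "no-isakmp-activity", "peer": peer, "sa_purged": purged,
                "fix": "check that the crypto map is applied to the interface and interesting traffic was sent"}
    _rx, stage, fix = STAGES[furthest]
    if fix is None and stage != "phase1-authenticated":
        # The key was found but no later stage appeared: stalled before authentication.
        fix = "check the ISAKMP policy and reachability of the peer on UDP 500"
    return {"stage": stage, "peer": peer, "sa_purged": purged,
            "fix": fix.format(peer=peer) if fix else None}


if __name__ == "__main__":
    for name, text in (("no key", DEBUG_NO_KEY), ("bad policy", DEBUG_BAD_POLICY), ("ok", DEBUG_OK)):
        print(name, triage(text))
```

Feed it the saved terminal log from either router; because the rules only key on the distinctive phrases, the extra IPSec debug lines in a combined capture are ignored.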

7. (Optional) Subsequent pings produce nothing from the debugs running. If you would like to re-create the original flurry of success, execute the following on either router. Prepare for a litany of debug messages as the security associations are broken.

Inside#clear crypto sa

Inside#

Now the first ping from either computer results in debug output similar to the first successful debugs you witnessed.

8. Turn debugging off when you are done.

Inside#undebug all

Port Statistics for unclassified packets is not turned on.

All possible debugging has been turned off

Inside#

Outside#undebug all

Port Statistics for unclassified packets is not turned on.

All possible debugging has been turned off

Outside#

Criteria for Completion

You have completed this task when you have completed the configuration of all four devices and verified that keys are being exchanged and IPSec is being triggered for the appropriate traffic.

shows a typical external hard drive with AC power and USB connections.

An external hard drive

c03f007.tif

Details

In the following procedure, you use your operating system’s built-in backup utility to back up the Documents and Settings folder for each account that has logged on to the computer. In this example, Windows XP Professional is used. Windows Vista and Windows 7 users will find the Backup And Restore Center to be quite different from XP’s Backup Or Restore Wizard, offering very little granularity regarding what can be backed up. The Complete PC Backup and Create A System Image options, however, create a complete drive image, a feature that is not built into XP.

Backing Up Your Data in Windows XP

Backing up data presents a variety of options, including what to back up, where to store the backup set, and what type of backup to perform.

1. Open the Backup Or Restore Wizard by clicking Start All Programs Accessories System Tools Backup.

c03g071.tif

2. On the Backup Or Restore Wizard Welcome screen, click the Next button. Alternatively, you can use the full version of the utility by clicking the Advanced Mode link, producing the utility interface shown here.

c03g072.tif

To return to Wizard mode once in the middle of Advanced mode, choose Tools Switch To Wizard Mode. Wizard mode is advised for anyone who does not require the added control of Advanced mode. You will know if Wizard mode does not provide the control you require, at which point you need only close the utility and start it again.

3. In the Backup Or Restore screen, you must decide which function you wish to perform. For this example, choose Back Up Files And Settings, the default, and click the Next button.

c03g073.tif

4. In the What To Back Up screen, you have four choices:

Fill in the radio button beside Everyone’s Documents And Settings and click Next to move on to the Backup Type, Destination, And Name screen.

c03g074.tif

5. Click the Browse button and navigate to a drive and folder where you wish to place the backup file, preferably not on the same drive with the information being backed up. Give the backup set a name, such as WileyBackup, and click the Save button to return to the screen, which looks similar to the following. Then click Next to advance to the next wizard screen.

c03g075.tif

6. In the Completing The Backup Or Restore Wizard screen, click the Advanced button to explore the options for the level of backup you wish to perform.

c03g076.tif

7. In the Type Of Backup screen, the default backup type is Normal, which backs up every file you chose regardless of how its archive bit is set and then clears the bit. An Incremental backup copies only files whose archive bit is set (those changed since the last normal or incremental backup) and clears it; a Differential backup copies the same files but leaves the bit set, so each differential contains everything changed since the last normal backup. To keep your backup manageable during this task, choose Differential from the drop-down, shown next. Click Next.

c03g077.tif

8. Clear all check boxes in the How To Back Up dialog. Doing so speeds the backup along, avoiding verification. Verification is not a bad idea in production, especially with critical information on the line. Additionally, you make sure that all files, even those in use, get backed up. Click Next.

c03g078.tif

9. In the Backup Options screen, choose Replace The Existing Backups. Doing so reduces confusion later in this example if you perform the backup more than once or use an existing file for the backup set. In production, placing related backups, such as a normal backup and all subsequent incremental backups, in the same backup set is not a bad idea. You just have to remember there are multiple backups in the same backup file. Click Next.

c03g079.tif

10. The When To Back Up screen allows you to schedule the backup for when the computer is least busy. For this example, leave the default, Now, selected. Click Next.

c03g080.tif

11. You are once again taken to the Completing The Backup Or Restore Wizard screen. This time, it has no Advanced button. Making modifications now involves clicking the Back button to return to previous screens until you arrive at the one with the information you wish to alter. Click the Finish button to start the backup process.

c03g081.tif

The Backup Progress pop-up appears briefly. Very soon another pop-up, similar to the following, displays the progress in estimating the number of files and bytes to be backed up.

c03g082.tif

The Backup Progress pop-up returns to the foreground as it ticks off the advancement of the backup process with a green bar. Eventually, the Backup Progress pop-up looks similar to the following, indicating the backup is complete.

c03g083.tif

Clicking the Report button generates a Notepad text file with slightly more in-depth information compared to what the Backup Progress pop-up displays. Click the Close button to end the wizard completely and conclude the backup.

Restoring Files from a Backup

Restoring backed-up files provides another opportunity to make choices about how you wish to proceed. Different options work best in certain situations.

1. Find the backup set you just created and double-click it. This brings up the same Backup Or Restore Wizard from which you started your backup.

2. Click Next to go to the Backup Or Restore screen, where you select Restore Files And Settings this time. Click the Next button to proceed to the What To Restore screen.

3. The What To Restore screen is a simple tree that includes the most recent backup (notice the WileyBackup file in the following screen shot) as well as any past backup sets that you have not deleted. Click the plus sign to the left of the backup set you just created to expand it, and put a check mark in the box beside the entry you wish to restore. Click the Next button.

c03g084.tif
note.eps

Note in the preceding image that the other expanded backup set called backup.bkf shows two entries. This is what happens when a backup is appended to an existing backup set. Be sure to pay attention to the dates on these two backups, if they are related, so you restore them in the proper order, with the oldest one being restored first and so on.

4. In the Completing The Backup Or Restore Wizard screen, click the Advanced button to bring up the Where To Restore screen.

5. In the Where To Restore screen, you can choose to restore all files to the exact location from which they came or some other location, including a single folder that you can sort out later.

c03g085.tif

If you wish to perform the restore, select Original Location and click the Next button, progressing to the How To Restore screen. Otherwise, click the Cancel button to end the wizard completely and skip all remaining steps.

6. In the How To Restore screen, choose the default, recommended option (as shown in the following image), which leaves existing files in place. Because the data on disk in this exercise has not been lost or damaged, this choice makes sure the restore does not overwrite it. Click the Next button.

c03g086.tif

7. The Advanced Restore Options screen in the following image is best kept at its default settings unless you have good cause to change anything. Click the Next button.

c03g087.tif

8. You return to the Completing The Backup Or Restore Wizard screen, now with the Advanced button missing. Click the Finish button to begin the restore process and click the Close button when the restore is complete.

Backing Up Your Data in Windows 7

Using the built-in utility to perform your backups in Windows 7 is slightly different from doing so in Windows Vista. Nevertheless, once you understand the procedure in Windows 7, you should have no trouble performing the same general procedure in Vista.

1. Run the Backup And Restore applet in Control Panel (Backup And Restore Center in Vista). Vista also gives you access to this utility through the Backup Status And Configuration selection in the Start > All Programs > Accessories > System Tools menu. If you’ve never run a backup, you might need to set up the utility to run the first backup. Clicking the Set Up Backup link to do so brings up a list of possible backup destinations for you to choose from.

c03g088.tif

If you choose to save your backup sets to a network location by clicking the Save On A Network button, the following dialog appears. Use this to establish connectivity to the share location.

c03g089.tif

2. Assuming, instead, that you will use a local storage location to save the backup set, choose a drive from the list. By default, the utility will attempt to create a full system image in addition to the backup set containing the individual files you choose from a list of supported files. If the location you choose does not have enough space for the image, you will be warned of that fact here. Otherwise, you may be warned that other users could access a backup set stored on that type of location.

c03g090.tif

3. Click Next and choose whether you would like to specify the locations from which to back up the supported files.

c03g091.tif

If you select Let Me Choose and click Next, you can expand Additional Locations (includes folders such as AppData, Contacts, Desktop, Downloads, and Favorites) for any and all users and choose among libraries for the current user. You can also choose to back up entire drive partitions and to create a system image of the drives required for Windows to run.

c03g092.tif

If you click the link to explain what files are excluded by default from being backed up, you open a Windows Help And Support dialog that allows you to expand the section that applies to your situation.

c03g093.tif

4. Select Let Windows Choose and click Next. At the resulting dialog, you are able to adjust or remove the backup schedule and confirm that the backup summary indicates your intended choices.

c03g094.tif

5. Click the Save Settings And Run Backup button to proceed to the Backup And Restore applet to begin the backup process. This is the type of interface you will see when you enter the applet once it is set up.

c03g095.tif

6. Once the backup is complete, you will see a summary indicating whether or not the backup was successful. The following image shows a failed backup attempt. Notice, in the Restore section at the bottom of the dialog, that you have options that allow you to restore from a backup set or from a system image. You can also choose to run System Restore after clicking the Recover System Settings Or Your Computer link.

c03g096.tif

If you would like to change the way the utility saves backup sets, you can click the Manage Space link. The Change Settings link, on the other hand, allows you to change the location of future backup sets and when or if the backups will occur on a schedule. Click the Next button until you arrive at the following dialog, seen earlier, where you find the Change Schedule link.

c03g097.tif

Clicking the Change Schedule link brings up the following dialog, allowing you to check the box and choose the backup schedule or to clear the box and remove an existing schedule, resulting in the need to back up your system manually.

c03g098.tif
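The space and shared-location checks the wizard performs in steps 2 and 3, scripted against the same Windows 7 backup engine through its wbadmin command line, as an added example that is not part of the lab manual; the drive letters and the use of wbadmin (which the manual does not cover) are assumptions.

```powershell
# Added example (not from the lab manual). Creates a Windows 7 system image with wbadmin,
# repeating the checks the Backup And Restore wizard makes: enough free space on the
# destination, and a warning when the destination is a network location others may read.
# Assumptions: run from an elevated PowerShell prompt; $Source is the Windows volume and
# $Target is a local drive or mapped network drive letter (both are placeholders).
param(
    [string]$Source = 'C:',
    [string]$Target = 'E:'
)
$ErrorActionPreference = 'Stop'

$src = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$Source'"
$dst = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$Target'"
if (-not $src -or -not $dst) { throw "Source or target drive letter not found." }
if ($src.DeviceID -eq $dst.DeviceID) { throw "The image cannot be written to the volume being imaged." }

# The wizard refuses a destination that cannot hold the image. The image is at most the
# used space on the source volume, so that is the conservative figure to check against.
$usedBytes = $src.Size - $src.FreeSpace
if ($dst.FreeSpace -lt $usedBytes) {
    throw ("Not enough space on {0}: need about {1:N1} GB, {2:N1} GB free." -f
        $Target, ($usedBytes / 1GB), ($dst.FreeSpace / 1GB))
}

# DriveType 4 = network drive: the same caution the wizard gives about shared locations.
if ($dst.DriveType -eq 4) {
    Write-Warning "$Target is a network location; anyone with access to the share can read this backup."
}

# -allCritical adds every volume Windows needs to boot, matching the wizard's system image.
# -quiet suppresses the interactive confirmation so the command can run unattended.
$wbArgs = @('start', 'backup', "-backupTarget:$Target", "-include:$Source", '-allCritical', '-quiet')
& wbadmin @wbArgs
if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE." }

# List the backup versions now stored on the target, the same set the applet's Restore
# section offers; the newest version identifier is what a restore would reference.
& wbadmin get versions "-backupTarget:$Target"
```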

Criteria for Completion

You have completed this task when you have created a backup file in a location of your choosing and optionally restored its contents to their original location.

and enter spybot in the Search field. Click the Go button.

2. If not the first, one of the first results is Spybot—Search & Destroy, shown next. Click the Download label to the right, which brings up a Security Warning dialog.

c03g114.tif

3. In the Security Warning dialog, click the Run button. If you prefer to save the installation file and run it separately, the Save button accomplishes this.

4. After clicking the Run button, or after executing the downloaded file, and after the progress indicator makes it all the way across, you’ll get another security warning. Simply click the Run button to confirm that the program’s execution is intentional.

5. Choose the language in which you wish to install. Click OK to open the welcome dialog.

6. In the welcome dialog, click the Next button to advance to the License Agreement dialog.

7. Accept the license agreement and click the Next button to go to the Select Destination Location dialog.

8. Generally, the default installation destination, as shown in the following image, is recommended. If you have a reason to change this location, click the Browse button to navigate to a new location. Installing to the same location as an older version overwrites the older version for efficiency. Click the Next button to open the Select Components dialog.

c03g115.tif

9. As shown next, there are not many options in the Select Components dialog, but one that you might consider is Download Updates Immediately.

c03g116.tif

Checking this selection causes Setup to look for updates during the installation process, which requires an Internet connection. Clearing this box allows you to install from a downloaded file without a connection. Updates can be downloaded at any time later. Click the Next button, which takes you to the Select Start Menu Folder dialog.

10. The Select Start Menu Folder dialog is where you allow the installation process to create a folder on your Start menu or choose to use an existing folder. Click the Browse button to select your own folder on the Start menu or enter a new name to create a new folder with a different name from the default. Click the Next button to continue to the Select Additional Tasks dialog.

11. In the Select Additional Tasks dialog, choose the icons you want created as well as the real-time protection methods you desire. Remember, you can find the executable in the Start menu folder you chose. If you chose not to use a Start menu folder, you still can find the application in the destination location you picked out earlier. Click the Next button to advance to the Ready To Install dialog.

12. Confirm your settings and click the Back button to return and change the settings in previous dialogs or click the Install button to begin downloading any additional files for the installation.

13. If you chose to update during installation and updates were found, the following screen appears. You want to use the default, which is the path where the program was just installed.

c03g117.tif

14. When the Include Updates Setup is done, click the Close button to be brought to the wizard completion dialog, where the only choice is to run Spybot—Search & Destroy now or not. Either way, click the Finish button to leave the wizard.

Running the Application

1. If you did not choose to run the application after installation or you already had Spybot—Search & Destroy installed, double-click the icon to start the program. The first time you run the application, you are presented with a series of steps to finalize your installation. The first major step among these is to back up your system’s Registry. If a software package includes this feature, there’s probably a very good reason. Click the Create Registry Backup button in the middle of the pop-up. When the Next arrow returns, click it to move along.

c03g118.tif

2. The next major milestone is to search for and install updates, as shown in the following screen shot. If you chose to do this during installation and you just completed that part of the installation, there will not be anything to download and the associated button remains ghosted. Otherwise, click the Search For Updates button; if any are found, the Download All Available Updates button becomes active. Click the Download All Available Updates button to do so. Click the Next arrow to continue.

c03g119.tif

3. Once all updates are downloaded, it is a good idea to immunize your system, which applies any downloaded definitions to the application. Click the Immunize This System button to complete the update process. Click the Next arrow to finalize the installation of the application.

4. In the final step of the installation, click the button that reads Start Using The Program. If you prefer to peruse the tutorial or help file, there are buttons for those as well.

5. Once the full application executes, click the Update icon in the left frame of the application to bring up the manual update search and download window.

c03g120.tif

6. Click the Immunize icon on the left to bring up a window similar to the following. This process is best completed each time you download updates. If updates are downloaded by someone else, or by the computer itself during automated updates, immunization may not take place regularly, leaving some of the downloaded definitions unapplied.

c03g121.tif

7. The Recovery icon is the key to displaying previous spyware fixes so that you can run through the list and place a check mark in any box. Checked items can then have a common policy applied to them. They are either recovered or purged completely from the system. Note, in the following illustration, that there are two levels of check boxes, one to accept the entire group and then one for each of the entries within a group. You can check these boxes in any combination; a check mark placed or cleared in a group box affects all entries within that group.

c03g122.tif

8. The Search & Destroy icon on the left takes you to the meat of the application, the point from which scans are begun, shown next. Click the Check For Problems icon to begin the actual scan.

c03g123.tif

9. Ideally, the scan finds no problems, returning results that appear similar to the following. However, if problems are found, run down the list and make sure check marks are in the boxes you want them in. Then, click the Fix Selected Problems icon to rid the system of the detected items that you designate.

c03g124.tif

10. Spybot—Search & Destroy has a direct link to the Windows Scheduled Tasks utility. Windows makes this available through Start > All Programs > Accessories > System Tools > Scheduled Tasks. Spybot—Search & Destroy places the icon for its Scheduler interface, shown next, under the Settings menu. The two check boxes in this window are convenient for scheduled, unattended scans. In fact, you would never know the scan took place if the log did not confirm as much.

c03g125.tif

11. If you do not have any tasks scheduled for Spybot—Search & Destroy, click the Add icon to bring up the following Scheduled Task pages. If you do have one set already, click the Edit icon to bring up the same view. The Task page shown has one crucial item, the Run As field, that does not default properly and must be set for the task to perform as scheduled.

c03g126.tif

12. Enter the account name, preceded by the authenticating device—usually the local system—or domain and then click the Set Password button to enter the current password for the username entered. Note that whenever the password for the username changes, further scheduled tasks will not execute until a matching password is entered here.

13. The Schedule tab is where you actually enter the time and frequency of the scans to be performed. See the following illustration for an example.

c03g127.tif

14. The Advanced button brings up more detailed settings, including when to start the backups, which can be set for a future date. For example, you might use this feature if you currently handle the scans manually but intend to be away from the computer starting on a certain date and yet the computer will be used by someone else for whom the program is unavailable. The Advanced Schedule Options dialog is shown next.

c03g128.tif

15. The Windows interface for all tasks scheduled looks similar to the following. Note that the same values from Spybot—Search & Destroy are shown for the program in this window.

c03g129.tif
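The same scheduled scan created from the command line, including the Run As account and password that step 12 says the task cannot run without, as an added example that is not part of the lab manual; the task name, schedule, account name, install path and the Spybot unattended-run switches are assumptions not covered by the manual.

```powershell
# Added example (not from the lab manual). Creates and then verifies an unattended
# Spybot - Search & Destroy scan with schtasks.exe, the Windows tool behind the Scheduled
# Tasks window shown in steps 11-15.
# Assumptions: task name, 02:00 daily schedule, account name and install path are placeholders;
# /autoupdate /autocheck /autofix /autoclose are Spybot 1.x unattended-run switches the
# manual does not cover. Run from an elevated prompt.
$taskName = 'Spybot nightly scan'
$runAs    = "$env:COMPUTERNAME\scanuser"    # placeholder local account, as in step 12
$exe      = 'C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe'
if (-not (Test-Path $exe)) { throw "Spybot executable not found at $exe" }

# /rp * makes schtasks prompt for the password instead of leaving it in the script or history.
# The whole command line is one quoted string so the space in the path survives.
$command = "`"$exe`" /autoupdate /autocheck /autofix /autoclose"
& schtasks /create /tn $taskName /tr $command /sc DAILY /st 02:00 /ru $runAs /rp '*' /f
if ($LASTEXITCODE -ne 0) { throw "schtasks /create failed with exit code $LASTEXITCODE" }

# Read the task back the way the Windows Scheduled Tasks window (step 15) shows it.
$task = & schtasks /query /tn $taskName /v /fo CSV | ConvertFrom-Csv
[pscustomobject]@{
    Task        = $task.TaskName
    RunAsUser   = $task.'Run As User'
    NextRunTime = $task.'Next Run Time'
    LastResult  = $task.'Last Result'
} | Format-List

# Step 12's caveat: once the account's password changes, the task stops running. A stale
# stored credential shows up as a non-zero Last Result after the next scheduled run, and
# the fix is to re-enter the password rather than recreate the task.
if ($task.'Last Run Time' -ne 'N/A' -and $task.'Last Result' -ne '0') {
    Write-Warning ("Last run of '{0}' returned {1}; re-enter the password with: schtasks /change /tn `"{0}`" /rp *" -f
        $taskName, $task.'Last Result')
}
```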

16. In the Spybot—Search & Destroy application, the Settings menu on the left also has a Settings entry. Clicking the entry brings up a long list of very specific items, shown next, that you can tweak to make the application run to your exact specifications.

c03g130.tif

17. The Tools menu on the left displays a number of check boxes for various items. The ones you check appear on the left under the Tools menu so that you can access their specific settings, which are not available without a check mark in the correct box on the right.

c03g131.tif

18. Finally, the Info & License menu on the left is where you can go to make a donation for the publisher of the free software. You can also see the legal information and credits here. The following screen shot shows the Info & License menu.

c03g132.tif

Criteria for Completion

You have completed this task when you have conducted a scan for spyware with Spybot—Search & Destroy and fixed any problems found.

, to verify that the server is set to retrieve and install operating system updates. You have automatic updates turned on, as shown in , but you are concerned that some nonessential updates have not been pushed to the system. You decide to go to Microsoft’s website to find out if there are any updates available and, if so, download and install them.

The Automatic Updates icon in Control Panel

c03f008.tif

Automatic Updates applet

c03f009.tif

Scope of Task

Duration

This task should take about 30 minutes.

Setup

For this task, you need a single computer with an Internet connection.

Caveat

Microsoft offers a server-based update service. When coupled with Group Policy Objects (GPOs) limiting user access to the individual updates, the result of trying to update your operating system is a message similar to the following.

c03g133.tif

Some updates require you to reboot your system. Make sure you do not update your system manually while in the middle of other critical processes.

Procedure

This task points you to Microsoft’s Windows Update site and directs you through a search for updates for your operating system.

Equipment Used

For this task, you need a single computer with an Internet connection.

Details

In the following procedure, you check the Windows Update site for updates to your operating system.

Express for High-Priority Updates

1. Check to see if there is a Windows Update entry in your Start menu, probably visible right on the All Programs menu, as shown next. Click this icon if it exists.

c03g134.tif

Otherwise, point your web browser to . The website checks for a client-side component to the Windows Update application.

Windows Update After Windows XP

Note that with Windows Vista and Windows 7, Windows Update is built into the operating system. When you try to go to the website, you are met with the following page. Nevertheless, Windows Update is launched automatically for you. In the future, follow the advice of the web page. Windows Update can be found very near the bottom of the All Programs list of application icons, just before the beginning of the list of folders that often begins with Accessories. Windows Update is also an applet in Control Panel in Windows Vista and Windows 7.

c03g135.tif

2. On the Welcome To Windows Update page, there are two buttons, Express and Custom. Click the Express button to see what high-priority updates the software discovers.

c03g136.tif

3. After a progress indicator makes its way across the scale, a page similar to the following displays if high-priority updates are discovered. Click the Install Updates button to continue.

c03g137.tif

4. Accept the EULA if presented with one.

5. A progress indicator shows the progress of both the download and the installation of the updates. If a dialog similar to the one shown next appears, click the Close button. Normally, it is fine to click the Restart Now button as long as you have all work saved and an immediate reboot would not be destructive.

c03g138.tif

Clicking the Close button takes you back to the results page from the Windows Update website, which looks similar to the following.

c03g139.tif

Note that the need to restart for this particular update is reiterated here. Also, there is a link among the text at the bottom to display your system’s past updates.

Custom for Optional Updates

1. After rebooting, if necessary—additional updates do not install until mandatory restarts take place—run the Windows Update service again, but click the Custom button.

2. After a brief search for all types of updates, output similar to the following appears. It is no surprise to see no high-priority updates this time, but be on the lookout for lower-priority optional updates that you wish to download and install.

c03g140.tif

3. Click the Software or Hardware link in the left frame. If updates were found for the category you choose, a display that looks very much like the next screen appears.

c03g141.tif

4. Placing a check mark in each update you wish to install adds it to the list to be downloaded and installed. Click the Review And Install Updates link, shown next, to continue to the page of the same name.

c03g142.tif

5. Click the Install Updates button, shown in the next screen, to start the process.

c03g143.tif
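What the Express and Custom pages above present, queried directly from the Windows Update Agent through its Microsoft.Update.Session COM interface, as an added example that is not part of the lab manual; treating the agent's pre-selected flag as the "high-priority" criterion is an assumption, and the script installs nothing.

```powershell
# Added example (not from the lab manual). Asks the Windows Update Agent, through its
# Microsoft.Update.Session COM interface, for the same information the Express and Custom
# pages show: pending updates split into high-priority and optional, whether a restart is
# still pending, and the recent history behind the "past updates" link.
# Assumption: AutoSelectOnWebSites (the updates the site pre-selects) is used as the
# "high-priority" criterion that the Express button acts on. Nothing is installed here.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()

# Not yet installed and not hidden by the user: what the site would offer to download.
$search = $searcher.Search('IsInstalled=0 and IsHidden=0')

$express  = @()
$optional = @()
foreach ($u in $search.Updates) {
    $entry = [pscustomobject]@{
        Title     = $u.Title
        Severity  = $u.MsrcSeverity                      # e.g. Critical/Important; blank if none
        KB        = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ', '
        Mandatory = $u.IsMandatory                      # must go on before other updates will
    }
    if ($u.AutoSelectOnWebSites) { $express += $entry } else { $optional += $entry }
}
"Express (high-priority) updates: $($express.Count)"
$express  | Format-Table -AutoSize
"Custom (optional) updates: $($optional.Count)"
$optional | Format-Table -AutoSize

# Step 5 and the Custom section's first step: additional updates do not install until a
# mandatory restart has taken place, so report a pending restart before installing more.
$sysInfo = New-Object -ComObject 'Microsoft.Update.SystemInfo'
if ($sysInfo.RebootRequired) {
    Write-Warning 'A restart from a previous update is pending; restart before installing more.'
}

# The "past updates" link: the ten most recent entries from the agent's own history.
$total = $searcher.GetTotalHistoryCount()
if ($total -gt 0) {
    $searcher.QueryHistory(0, [Math]::Min(10, $total)) |
        Select-Object Date, Title, @{ n = 'Result'; e = {
            switch ($_.ResultCode) {
                2 { 'Succeeded' } 3 { 'SucceededWithErrors' } 4 { 'Failed' } 5 { 'Aborted' } default { 'Other' }
            }
        } } | Format-Table -AutoSize
}
```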

Microsoft Update

Microsoft Update is a service that updates non-operating-system Microsoft components, such as Microsoft Office, much as Windows Update does for the operating system. In fact, the interface looks remarkably similar. These updates had been available online for some time before Microsoft Update was developed, just not all in one convenient service. The following steps take you through the process of checking for and, if necessary, installing the client-side portion of the Microsoft Update service.

1. Check to see if you already have the Microsoft Update icon in your Start menu. If so, click it. If you do not have the icon, point your web browser to and click the Start Now button to begin installation.

2. If you have to install the client side of the service on your computer, the following page eventually displays. Click the Check For Updates button to begin a search for non-operating-system updates.

c03g144.tif

3. A page similar to the following screen shot appears, showing you the updates that were found and the products for which the updates apply.

c03g145.tif

4. If updates were found, review them and check or clear the boxes next to them as you wish.

5. Click the Review And Install Updates link.

6. Accept the EULA.

7. Once the updates are installed, click the Close button on the confirmation dialog.

8. A page similar to the following (and similar to the corresponding page displayed by Windows Update) tells you that the process is complete and allows you to view your update history.

c03g146.tif

Criteria for Completion

You have completed this task when you have accessed Microsoft’s Windows Update site and searched for, downloaded, and installed any high-priority updates found. Optionally, you might have chosen to enhance your experience with this procedure by installing, if necessary, and accessing Microsoft Update as well.
