Last section!

49. Regardless of whether the VPN server is located behind the firewall or in front of it, you should configure the firewall to open only the required ports and configure the VPN server to protect it by allowing only VPN traffic on its external network interface.
50. Know which ports are required for VPN protocol access through the firewall: TCP 1723 (PPTP control channel; PPTP data also needs IP protocol 47, GRE), UDP 500 (IKE), UDP 4500 (IPSec NAT-T), and UDP 1701 (L2TP).
51. You configure remote access account lockout in the registry of the remote access server. This has no relationship to account lockout in AD.
52. NAT-T support for the L2TP/IPSec VPN client is available for Windows 98, 2000, XP, and Server 2003.
53. Security templates should be designed to apply security based on the role that a server will perform on the network.
54. Disable unused services.
55. Lock down settings if you can.
56. Use incremental templates to give a server the ability to perform its function.
57. Baseline templates apply the maximum settings, while incremental templates relax specific settings so the server can do its work.
58. Access control provides additional layers of defense. Permissions, audit, backup, and EFS can all work together to manage access to resources.
59. Delegation of authority is used to reduce administrative workload and to provide separation of duties and autonomy for divisions and departments.
60. Backup plans for data are essential. They should include provisions for protecting the backup data, media, and operations.
61. Encryption and decryption of files should be managed carefully. Encryption has little effect if the user's password is weak.
62. PKI provides a sound way of implementing both EFS file recovery and EFS key archival.
63. The delegation of authority wizard provides admin control by assigning permissions to objects in the AD.
64. Explicit permissions, even explicit allow, have precedence over inherited permissions.
65. SACLs also follow inheritance rules.
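The precedence rule in notes 64 and 65 is easiest to see by walking a DACL in the order Windows evaluates it. The following Python model is an added example, not part of the original notes: it sorts ACEs into canonical order (explicit deny, explicit allow, inherited deny, inherited allow) and runs a simplified access check; the trustees, rights bits and the parent-folder scenario are constructed sample data, and the rights constants are not real Windows masks. A SACL is stored and inherited the same way, only its ACEs generate audit events instead of grant/deny decisions.

```python
"""Added example: why an explicit allow on an object beats a deny inherited
from its parent. Models the canonical ACE order Windows uses when checking a
DACL. All names, masks and the scenario below are constructed sample data."""
from dataclasses import dataclass

# Constructed sample access rights (bit flags, not real Windows constants)
READ = 0x1
WRITE = 0x2
DELETE = 0x4


@dataclass(frozen=True)
class Ace:
    trustee: str      # user or group the ACE applies to
    allow: bool       # True = access-allowed ACE, False = access-denied ACE
    mask: int         # rights this ACE covers
    inherited: bool   # True if the ACE was inherited from a parent container


def canonical_order(dacl):
    """Return ACEs in the order Windows evaluates them.

    Sort key (inherited, allow): explicit deny (False, False) comes first,
    then explicit allow, then inherited deny, then inherited allow.
    """
    return sorted(dacl, key=lambda ace: (ace.inherited, ace.allow))


def access_check(dacl, principals, requested):
    """Grant only if every requested bit is allowed before any ACE denies it.

    principals: the user's own name plus all group memberships.
    Walks the canonical DACL: a deny ACE that covers any still-outstanding
    requested bit fails the check; an allow ACE clears the bits it grants;
    the check succeeds as soon as nothing is outstanding. No matching ACE
    (or an empty DACL) means implicit deny.
    """
    remaining = requested
    for ace in canonical_order(dacl):
        if ace.trustee not in principals:
            continue
        if not ace.allow:
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0


# Constructed scenario: the parent folder denies the Contractors group write
# and delete access and grants read; those ACEs are inherited by the file.
# The file additionally carries an explicit allow-write ACE for alice,
# who is herself a member of Contractors.
FILE_DACL = [
    Ace("Contractors", allow=False, mask=WRITE | DELETE, inherited=True),
    Ace("Contractors", allow=True, mask=READ, inherited=True),
    Ace("alice", allow=True, mask=WRITE, inherited=False),
]


def demo():
    alice = {"alice", "Contractors"}
    bob = {"bob", "Contractors"}
    return {
        # explicit allow is evaluated before the inherited deny -> granted
        "alice_write": access_check(FILE_DACL, alice, WRITE),
        # bob only has the inherited deny -> refused
        "bob_write": access_check(FILE_DACL, bob, WRITE),
        # nothing explicit covers DELETE, so the inherited deny applies
        "alice_delete": access_check(FILE_DACL, alice, DELETE),
        # inherited allow for READ, no deny covers it -> granted
        "bob_read": access_check(FILE_DACL, bob, READ),
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

The practical consequence for a security design: an explicit ACE added on a child object silently overrides whatever the parent's inheritable deny was meant to enforce, so audits of sensitive trees should look for explicit allow ACEs on children, not only at the permissions set on the top-level folder.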
66. A client authentication strategy must be developed that considers LAN-based and WAN-based clients, wireless and RA clients.
67. RRAS and IAS remote access policies (RAPs) should reflect the organization's written remote access policy.
68. The authentication, authorization, and accounting capabilities of IAS should be used.
69. RAPs can secure remote access through the application of RA conditions, profile constraints, and user account dial-in properties.
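Note 69 lists the three things a remote access policy can check, but the order in which a Windows Server 2003 RRAS or IAS server combines them is what decides a connection. The Python model below is an added example, not part of the original notes, and follows the documented evaluation order: the first policy whose conditions all match is selected (no match means reject); the account's dial-in property then decides, except that "control access through remote access policy" defers to the policy's grant/deny setting; finally the profile constraints must be satisfied. Policy names, condition attributes, accounts and the connection attempt are constructed sample data.

```python
"""Added example: evaluation order of remote access policies (RAPs) on an
RRAS/IAS server, modelled in Python. Policies, accounts and attributes are
constructed sample data, not values from any real server."""
from dataclasses import dataclass, field

ALLOW, DENY, CONTROL_VIA_POLICY = "allow", "deny", "control-via-policy"


@dataclass
class Policy:
    name: str
    conditions: dict            # attribute -> required value; all must match
    grant: bool                 # policy permission: True = grant, False = deny
    profile: dict = field(default_factory=dict)  # attribute -> set of allowed values


@dataclass
class Account:
    name: str
    dial_in: str                # ALLOW, DENY or CONTROL_VIA_POLICY
    groups: set


def matches(policy, account, attempt):
    """All conditions must hold; 'group' is tested against account membership."""
    for key, value in policy.conditions.items():
        if key == "group":
            if value not in account.groups:
                return False
        elif attempt.get(key) != value:
            return False
    return True


def decide(policies, account, attempt):
    """Return (accepted, reason) for one connection attempt."""
    # 1. Policies are evaluated in order; the first match is used.
    policy = next((p for p in policies if matches(p, account, attempt)), None)
    if policy is None:
        return False, "no policy matched the connection attempt"
    # 2. The account's dial-in property, then (if deferred) the policy permission.
    if account.dial_in == DENY:
        return False, f"dial-in denied on account {account.name}"
    if account.dial_in == CONTROL_VIA_POLICY and not policy.grant:
        return False, f"policy '{policy.name}' denies access"
    # 3. Profile constraints apply even when the account says Allow.
    for key, allowed in policy.profile.items():
        if attempt.get(key) not in allowed:
            return False, f"profile constraint '{key}' not met by policy '{policy.name}'"
    return True, f"accepted under policy '{policy.name}'"


# Constructed sample policy set: a VPN policy for one group, then a catch-all deny.
POLICIES = [
    Policy("VPN employees",
           {"nas_port_type": "Virtual", "group": "VPN-Users"},
           grant=True,
           profile={"auth": {"EAP-TLS", "MS-CHAPv2"}, "encryption": {"strongest"}}),
    Policy("Deny everyone else", {}, grant=False),
]

ATTEMPT = {"nas_port_type": "Virtual", "auth": "MS-CHAPv2", "encryption": "strongest"}


def demo():
    alice = Account("alice", CONTROL_VIA_POLICY, {"VPN-Users"})
    bob = Account("bob", CONTROL_VIA_POLICY, set())
    carol = Account("carol", DENY, {"VPN-Users"})
    dave = Account("dave", ALLOW, set())
    weak = dict(ATTEMPT, auth="PAP")
    return {
        "alice": decide(POLICIES, alice, ATTEMPT)[0],   # True: policy grants, profile met
        "bob": decide(POLICIES, bob, ATTEMPT)[0],       # False: falls to the deny policy
        "carol": decide(POLICIES, carol, ATTEMPT)[0],   # False: account dial-in is Deny
        "dave": decide(POLICIES, dave, ATTEMPT)[0],     # True: account Allow overrides policy deny
        "alice_pap": decide(POLICIES, alice, weak)[0],  # False: profile rejects PAP
    }


if __name__ == "__main__":
    for user, ok in demo().items():
        print(f"{user}: {'accepted' if ok else 'rejected'}")
```

The "dave" case is the one that surprises people: an account whose dial-in property is set to Allow gets past a deny policy, and only the profile constraints still apply. That is why note 67 matters: accounts left on Allow undermine the policy ordering, so the account property should normally be "control access through remote access policy".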
70. NAQC can be used to ensure that the status of remote access clients meets an organization's security policy with respect to updates, virus protection, and security settings.
71. Securing connections between RADIUS servers, RADIUS proxies, RADIUS clients, and other remote access devices is as important as securing the connections between users' devices and the accounts and servers on the network.
72. Designing a secure client system means considering all aspects of computer and network security as it affects all client computers.
73. Key areas of concern are hardening the OS and restricting user access.
74. Admin templates are useful for securing the OS and apps.
75. If you set the software restriction policy default level to Disallowed, no software other than essential OS components can run unless you create a software restriction rule that allows it to run.
76. Some rules like path rules can be circumvented.
77. Use admin templates in both user and computer side of GP.
78. Admin template cannot be imported into GPOs, you must configure directly in the GPO.
79. Wireless networks that rely on the 802.11 infrastructure alone are difficult to secure.
80. Adding 802.1X improves the authentication and encryption processes and makes the wireless network securable.
81. Watch for rogue WAPs.
82. PEAP-EAP-MSCHAPv2 authentication is a good choice for small networks and for networks w/o PKI because only a server cert is required. Users only need passwords.
83. EAP-TLS is for high security. Both server and client certs are needed.
84. EAP-MD5 is not good alone. Mutual authentication and rekeying isn’t possible.
85. 802.11 networks that don’t support 802.1X are subject to attack on WEP encryption.
86. Securing IIS is a task composed of securing the server running 2k3 and IIS related settings.
87. Key factors to consider when designing IIS security are the related services and extensions, process isolation, web and NTFS permissions, and authentication.
88. Authentication via cert mapping can provide secure access to internal resources such as email and intranet sites. Partner access using certs provided by partners can also be provided by cert mapping.
89. Application pools can be set up to provide process isolation and thereby security for multiple web sites installed on the same server.
90. FTP user isolation mode provides the ability to create multiple virtual FTP roots. Authorized users of FTP sites cannot use directory traversal to access other FTP sites on the same server.
91. Using radius for authenticated access to websites can provide a way to securely manage authentication in situations in which many authorized users must securely access a public web site.
92. Always protect basic authentication by encrypting communications between client computers and web server. SSL can be used w/ or w/o client certs to protect access from the internet. IPSec can be used to protect communications from the internal network to the IIS server.