
Document: Module 6: Creating a Security Design for Computers ppt







Contents
Overview
Lesson: Determining Threats and Analyzing Risks to Computers
Lesson: Designing Security for Computers
Lab A: Designing Security for Computers

Module 6: Creating a Security Design for Computers


Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no
part of this document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

© 2002 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, Active Directory, ActiveX, BizTalk, PowerPoint, Visio,
and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.


Instructor Notes
Presentation: 60 minutes
Lab: 30 minutes

In this module, students will learn how to determine threats and analyze risks to
computers in an organization. Students will also learn how to design security
for computers throughout the computers’ life cycles, from initial purchase to
decommissioning.
After completing this module, students will be able to:

Determine threats and analyze risks to computers.

Design security for computers.

Required materials
To teach this module, you need the following materials:

Microsoft® PowerPoint® file 2830A_06.ppt

The animation Microsoft Software Update Services,
2810A_03_A005_1952.htm, located in the Media folder on the Web page
on the Student Materials CD.

Important: It is recommended that you use PowerPoint version 2002 or later to
display the slides for this course. If you use PowerPoint Viewer or an earlier
version of PowerPoint, all the features of the slides may not be displayed
correctly.

Preparation tasks
To prepare for this module:

Read all of the materials for this module.

Complete the practices.

Complete the lab and practice discussing the answers.

Watch the animation.

Read the additional reading for this module, located under Additional
Reading on the Web page on the Student Materials CD.

Visit the Web links that are referenced in the module.

How to Teach This Module
This section contains information that will help you to teach this module.
Lesson: Determining Threats and Analyzing Risks to Computers
This section describes the instructional methods for teaching this lesson.

The Security Life Cycle of a Computer
Emphasize that students are responsible for the security of a computer at each
stage in its life cycle.

Why Security of Computers Is Important
This page is intended simply to give examples of vulnerabilities. To elaborate
on attacks, draw upon your own experience. The next page deals with common
vulnerabilities, so try not to skip ahead.

Common Threats to Computers
Explain the threats, but do not discuss how to secure against them. The second
lesson in the module covers that topic. Emphasize that off-site repair of
computers is also a risk that students may need to protect against. If an attacker
has physical control of a user’s computer, the user has lost the security battle.

Practice: Analyzing Risks to Computers
Ask students what recommendations they would make to the government
agency in the scenario.

Lesson: Designing Security for Computers
This section describes the instructional methods for teaching this lesson.

Common Methods for Applying Security Updates
Emphasize that students must understand what the implications of an update are
to a system before they install or deploy the update to their networks.
Encourage students to test all updates before deployment.

Multimedia: Microsoft Software Update Services
You can play the animation by clicking the arrow on the slide.

Security Policy Checklist
Use this page to review the content of the module. Students can use the
checklist as a basic job aid. The phases mentioned on the page are from
Microsoft Solutions Framework (MSF). Use this page to emphasize that
students must perform threat analysis and risk assessment on their own
networks for the topic covered in this module, and then they must design
security responses to protect the network.

Assessment
There are assessments for each lesson, located on the Student Materials
compact disc. You can use them as pre-assessments to help students identify
areas of difficulty, or you can use them as post-assessments to validate learning.

Lab A: Designing Security for Computers
To begin the lab, open Microsoft Internet Explorer and click the name of the
lab. Play the video interviews for students, and then instruct students to begin
the lab with their lab partners. Give students approximately 20 minutes to
complete this lab, and spend about 10 minutes discussing the lab answers as a
class.
Use the answers provided in the Lab section of this module to answer student
questions about the scope of Ashley Larson’s request in her e-mail.

General lab suggestions
For general lab suggestions, see the Instructor Notes in Module 2, “Creating a
Plan for Network Security.” Those notes contain detailed suggestions for
facilitating the lab environment used in this course.

Customization Information
This section identifies the lab setup requirements for a module and the
configuration changes that occur on student computers during the labs. This
information is provided to assist you in replicating or customizing Microsoft
Official Curriculum (MOC) courseware.
This module includes only computer-based interactive lab exercises, and as a
result, there are no lab setup requirements or configuration changes that affect
replication or customization.

Important: The lab in this module is also dependent on the classroom
configuration that is specified in the Customization Information section at the
end of the Automated Classroom Setup Guide for Course 2830A, Designing
Security for Microsoft Networks.

Lab Setup
There are no lab setup requirements that affect replication or customization.
Lab Results
There are no configuration changes on student computers that affect replication
or customization.

Overview

*****************************ILLEGAL FOR NON-TRAINER USE******************************

Introduction
In this module, you will learn how to determine threats and analyze risks to
computers in an organization. You will also learn how to design security for
computers throughout their life cycles, from initial purchase to
decommissioning.

Objectives
After completing this module, you will be able to:

Determine threats and analyze risks to computers.

Design security for computers.

Lesson: Determining Threats and Analyzing Risks to Computers

Introduction
The computers on your network present many opportunities for attackers to
access your organization’s data. Ensuring that your computers are secured and
updated throughout their operational lives is essential to maintaining a secure
network.

Lesson objectives
After completing this lesson, you will be able to:

Describe the security life cycle of a computer.

Explain why securing computers is important.

Describe common threats to computers.

The Security Life Cycle of a Computer

Key points
The security life cycle of a computer includes the following phases:

Initial installation. During the initial installation of an operating system and
applications, viruses and configuration errors can compromise the security
of a computer. Be sure to set the password for the built-in Administrator
account during the initial installation.

Baseline configuration. After initial installation, configure the baseline
configuration settings for security that your organization requires for
computers.

Role-specific security. Computers that have specific roles, such as Web
servers, require additional configuration beyond the baseline security
configuration to ensure that they are protected against threats that are
specific to the computer’s role.

Application of security updates. During the computer’s lifetime, service
packs and security updates for the operating system and applications will be
released. To maintain the baseline security configuration, install the service
packs and security updates.

Decommissioning. At the end of a computer’s operational lifetime, dispose
of it in a way that makes it impossible for attackers to obtain information on
the hard disk or media devices.

Why Security of Computers Is Important

External attacker scenario
When a network administrator installs software on new computers for the Sales
department, a virus infects the computers before the administrator can install a
service pack that protects against the virus. The virus exploits a known
vulnerability and installs a Trojan horse application. The administrator deploys
the computers to users without realizing that the computers have been
compromised by an external attacker.

Internal attacker scenario
During an unattended installation of an operating system over the network, the
local Administrator account’s password is configured and sent in plain text over
the network. An internal attacker who is sniffing packets on the network
intercepts the password. The attacker discovers that the password also works
with the Administrator account on his manager’s computer. He uses the account
to access confidential data on his manager’s computer.
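
One way to audit for the exposure described in the internal attacker scenario, as an added example that is not part of the original courseware. It assumes the unattended installations read Windows answer files (unattend.txt style, with AdminPassword and EncryptedAdminPassword under [GuiUnattended]) from a network share; the file names and passwords below are constructed.

```python
import configparser
import hashlib
from collections import defaultdict

# Constructed answer files (unattend.txt style); names and passwords are made up.
SAMPLE_FILES = {
    "sales-desktop.txt": '[GuiUnattended]\nAdminPassword="Spring2002!"\nEncryptedAdminPassword=No\n',
    "manager-laptop.txt": "[Unattended]\nUnattendMode=FullUnattended\n[GuiUnattended]\nAdminPassword=Spring2002!\n",
    "lab-server.txt": "[GuiUnattended]\nAdminPassword=*\n",
    "research.txt": "[GuiUnattended]\nAdminPassword=0f3a9c5e7b21d4680f3a9c5e7b21d468\nEncryptedAdminPassword=Yes\n",
}


def admin_password_setting(text):
    """Return (value, encrypted) from [GuiUnattended]; value is None if not set."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "guiunattended":  # match the section name case-insensitively
            value = cp[section].get("adminpassword")
            flag = cp[section].get("encryptedadminpassword") or "no"
            encrypted = flag.strip().lower() == "yes"
            return (value.strip().strip('"') if value else None), encrypted
    return None, False


def audit(files):
    """Map file name -> findings: plaintext, blank, or shared Administrator password."""
    findings = defaultdict(list)
    by_digest = defaultdict(list)  # compare by hash so the password is never printed
    for name, text in files.items():
        value, encrypted = admin_password_setting(text)
        if value is None:
            continue
        if value == "*":  # "*" means a blank password in an answer file
            findings[name].append("blank Administrator password")
            continue
        if not encrypted:
            findings[name].append("plaintext AdminPassword")
        by_digest[hashlib.sha256(value.encode()).hexdigest()].append(name)
    for names in by_digest.values():
        for name in names if len(names) > 1 else []:
            others = ", ".join(n for n in names if n != name)
            findings[name].append("same password as " + others)
    return dict(findings)


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_FILES).items():
        print(name, "->", "; ".join(issues))
```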

Common Threats to Computers

Key points
Although technical security measures are essential for securing computers in
your organization, the majority of threats to computers are from people and
flawed processes. For example, an attacker physically attacks a computer’s hard
disk, or a process in an organization omits the application of service packs
before deployment.

Additional reading
For more information about change management, see Appendix C, “Designing
an Operations Framework to Manage Security.”

Practice: Analyzing Risks to Computers

Introduction
Northwind Traders recently signed a contract with a government agency to
perform confidential research for a national security project. The government
will supply Northwind Traders with 100 government computers that the agency
has collected from various internal departments.
Northwind Traders proposes to hire Consolidated Messenger, a publicly held
shipping company, to pick up the computers from a secure government facility
and ship them to the Northwind Traders headquarters. The IT staff at
Northwind Traders will install antivirus software and the research application
that is required for the project.
Northwind Traders’ research facility is still under construction and will be
ready in three weeks. In the interim, Consolidated Messenger will store the
computers at a warehouse that Northwind Traders shares with Coho Vineyard.

Questions
1. What are the potential threats to the computers and to Northwind Traders?
The computer hardware could be tampered with and compromised
when in the possession of Consolidated Messenger or while stored at the
warehouse. An attacker could install keyboard monitoring equipment,
other types of hardware eavesdropping devices, or malicious software.
Northwind Traders has no plans for performing an initial installation
or creating a secure baseline for the computers. Although its plan to
install antivirus software is a good idea, it likely will not provide
sufficient security. Also, because the agency is collecting computers
from various departments, the computers may also be configured for
different roles and, therefore, may not be properly secured for their
new role as research computers.