Enterprise Security Infrastructure

Introduction to layered security

• Identifying key features of a secure infrastructure
• Distinguishing between enterprise and host-based security

Assessing security technologies

• Applying Windows Server 2008 enhancements
• Leveraging Windows Server 2008 server roles

Building a Public Key Infrastructure (PKI)

PKI fundamentals

• Identifying security services provided by a PKI
• Mining key business benefits of certificate services
• Implementing public key encryption

Managing certificates

• Creating and responding to certificate requests
• Controlling certificate issuance with permissions
• Securing Web-based enrollment with HTTPS
• Revoking compromised keys
• Publishing a Certificate Revocation List (CRL)

Storing, archiving and recovering keys

• Exporting certificates and private keys
• Deploying Key Recovery Agent accounts
• Maintaining secure key escrow
• Providing secure storage for private keys

Leveraging Multifactor Authentication

Extending authentication solutions

• Installing domain support for multifactor authentication
• Testing Kerberos with smart cards and biometrics

Authenticating with smart cards and tokens

• Configuring smart card enrolment stations
• Issuing smart card user certificates
• Implementing a Certificate Hold on misplaced tokens
• Rolling out domain-wide smart card user and computer policies

Credentialing with biometrics

• Surveying available biometric technologies
• Applying biometric authentication in the enterprise
• Accommodating false negatives and minimising false positives
• Controlling access to exemplar databases
• Auditing biometric user enrolment

Deploying a Scalable Data Protection Model

Identifying confidentiality solutions

• Specifying information security requirements
• Analysing data protection technologies
• Matching native solutions to enterprise requirements

Implementing EFS in the enterprise

• Invoking Group Policy to control encryption
• Assuring data access with Recovery Agents
• Recovering lost or damaged keys from escrow
• Selecting approved encryption algorithms in regulatory environments

Assuring BitLocker Data Recovery

• Analysing the business case
• Planning enterprise BitLocker deployments
• Compensating for EFS vulnerabilities
• Maximising data recovery in the event of BitLocker key loss

Implementing Network Access Protection

Maintaining network integrity with NAP

• Integrating health-based decisions with enterprise security
• Tailoring access policies for managed and unmanaged clients
• Controlling access from inside and outside machines

Verifying client health compliance

• Defining comprehensive client compliance policies
• Authenticating health claims with the System Health Validator (SHV)
• Remediating and ensuring ongoing compliance

Enforcing network access restrictions

• Configuring NAP server components
• Limiting network access to conformant machines using DHCP and VPN Quarantine Enforcement Clients (QEC)

Applying Domain and Server Isolation

Isolating high-value servers

• Protecting intellectual property and personal privacy
• Segregating servers with highly sensitive data

Securing Domain Access with IPsec

• Calculating segmentation requirements
• Building domain isolation on AD and Group Policy
• Configuring exception servers for unmanaged computers
• Maximising security while minimising user impact