You are on page 1of 32

An organization should strive to achieve the best and most affordable security

protection against data loss or damage to software and equipment. Network


technicians and the organization's management should work together to develop a
security policy that ensures that data and equipment have been protected against
all security threats. A security policy includes a comprehensive statement about the
level of security required and how this security will be achieved.

You may be involved in developing a security policy for a customer or organization.


When creating a security policy, you should ask the following questions to
determine security factors:

Is the computer located at a home or a business?


Home computers are generally more vulnerable to wireless intrusion than business
computers. Business computers also have a high threat of network intrusion,
because of users abusing their access privileges.
Is there full-time Internet access?
The longer a computer is connected to the Internet, the greater the chance of
attacks from other infected computers. A computer accessing the Internet should be
configured with a firewall and anti-virus software.
Is the computer a laptop?
Physical security is an issue with laptop computers. There are measures to secure
laptops, such as cable locks.
After completing this section, you will meet these objectives:

Outline a local security policy.


Explain when and how to use security hardware.
Explain when and how to use security application software.
A security policy is a collection of rules, guidelines, and checklists. Network
technicians and managers of an organization work together to develop the rules and
guidelines for the security needs of computer equipment. A security policy includes
the following elements:

It defines an acceptable computer usage statement for an organization.


It dentifies the people permitted to use the computer equipment in an organization.
It identifies the devices that are permitted to be installed on a network, as well as
the conditions of the installation. Modems and wireless access points are examples
of hardware that could expose the network to attacks.
It defines the requirements necessary for data to remain confidential on a network.
It determines a process for employees to acquire access to equipment and data.
This process may require the employee to sign an agreement regarding the
company rules. It also lists the consequences for failure to comply.
The security policy should also provide detailed information about the following
issues in case of an emergency:

Steps to take after a breach in security


Who to contact in an emergency
Information to share with customers, vendors, and the media
Secondary locations to use in an evacuation
Steps to take after an emergency is over, including the priority of services to be
restored
A security policy is a collection of rules, guidelines, and checklists. Network
technicians and managers of an organization work together to develop the rules and
guidelines for the security needs of computer equipment. A security policy includes
the following elements:

It defines an acceptable computer usage statement for an organization.


It dentifies the people permitted to use the computer equipment in an organization.
It identifies the devices that are permitted to be installed on a network, as well as
the conditions of the installation. Modems and wireless access points are examples
of hardware that could expose the network to attacks.
It defines the requirements necessary for data to remain confidential on a network.

It determines a process for employees to acquire access to equipment and data.


This process may require the employee to sign an agreement regarding the
company rules. It also lists the consequences for failure to comply.
The security policy should also provide detailed information about the following
issues in case of an emergency:

Steps to take after a breach in security


Who to contact in an emergency
Information to share with customers, vendors, and the media
Secondary locations to use in an evacuation
Steps to take after an emergency is over, including the priority of services to be
restored
Security applications protect the operating system and software application data.

The following products and software applications can be used to protect network
devices:

Software firewall Filters incoming data and is built into Windows


Intrusion Detection Systems (IDS) Monitors and reports on changes in program
code and unusual network activity
Application and OS patches Updates applications and the operating system to
repair security weaknesses that are discovered
Software applications are available to protect computers from viruses, spyware,
adware, and grayware.

In small offices and homes, computers usually connect directly to the Internet rather
than through a protected LAN. This puts computers that are outside of a LAN at high
risk for viruses and other attacks. At a minimum, these computers should use
firewall, anti-virus, and anti-malware programs. Application software and the
operating system should be updated with the latest patches.

The security policy should determine the level of security applications put in place.
In developing a policy, management should calculate the cost of data loss versus
the expense of security protection and determine which trade-offs are acceptable.
A technician should determine the appropriate techniques to secure equipment and
data for the customer. Depending on the situation, more than one technique may be
required.

Passwords
Using secure, encrypted login information for computers with network access should
be a minimum requirement in any organization. Malicious software monitors the
network and may record plaintext passwords. If passwords are encrypted, attackers
would have to decode the encryption to learn the passwords.

Logging and Auditing


Event logging and auditing should be enabled to monitor activity on the network.
The network administrator audits the log file of events to investigate network
access by unauthorized users.

Wireless Configurations
Wireless connections are especially vulnerable to access by attackers. Wireless
clients should be configured to encrypt data.

Security Technologies
Security technologies include hash encoding, symmetric encryption, asymmetric
encryption, and Virtual Private Networks (VPNs). Each technology is used for a
specific purpose:

Hash encoding Hash encoding, or hashing, ensures that messages are not
corrupted or tampered with during transmission. Hashing uses a mathematical
function to create a numeric value that is unique to the data. If even one character
is changed, the function output, called the message digest, will not be the same.
However, the function is one way. Knowing the message digest does not allow an
attacker to recreate the message. This makes it difficult for someone to intercept

and change messages. Hash encoding is illustrated in Figure 1. The names of the
most popular hashing algorithms are SHA and MD5.
Symmetric encryption Symmetric encryption requires both sides of an encrypted
conversation to use an encryption key to encode and decode the data. The sender
and receiver must use identical keys. Symmetric encryption is illustrated in Figure 2.
DES and 3DES are examples of symmetric encryption.
Asymmetric encryption Asymmetric encryption requires two keys, a private key
and a public key. The public key can be widely distributed, including e-mailing in
clear text or posting on the web. The private key is kept by an individual and must
not be disclosed to any other party. These keys can be used in two ways. Public key
encryption is used when a single organization needs to receive encrypted text from
a number of sources. The public key can be widely distributed and used to encrypt
the messages. The intended recipient is the only party to have the private key,
which is used to decrypt the messages. In the case of digital signatures, a private
key is required for encrypting a message, and a public key is needed to decode the
message. This approach allows the receiver to be confident about the source of the
message because only a message encrypted using the originator's private key could
be decrypted by the public key. Asymmetric encryption using digital signatures is
illustrated in Figure 3. RSA is the most popular example of asymmetric encryption.
VPN A VPN uses secure protocols to encrypt and to secure data as if it was
traveling in a private, corporate LAN, even though the data actually travels over any
network, for example, the Internet. The secured data pipelines between points in
the VPN are called secure tunnels. The process is illustrated in Figure 4. VPN
technology often uses IPSec to secure communications between devices.
Computer equipment and data can be secured using overlapping protection
techniques to prevent unauthorized access to sensitive data. An example of
overlapping protection is using two different techniques to protect an asset. This is
known as two-factor security, as shown in Figure 1. When considering a security
program, the cost of the implementation has to be balanced against the value of
the data or equipment to be protected.

Physical Security
Use security hardware to help prevent security breaches and loss of data or
equipment. Physical security access control measures include the following:

Lock This is the most common device for securing physical areas. If a key is lost,
all identically keyed locks must be changed.

Conduit This is a casing that protects the infrastructure media from damage and
unauthorized access.
Card key This is a tool used to secure physical areas. If a card key is lost or stolen,
only the missing card must be deactivated. The card key system is more expensive
than security locks.
Video equipment This records images and sound for monitoring activity. The
recorded data must be monitored for problems.
Security guard This person controls access to the entrance of a facility and
monitors the activity inside the facility.
Network equipment should be mounted in secured areas. All cabling should be
enclosed in conduits or routed inside walls to prevent unauthorized access or
tampering. Network ports that are not in use should be disabled.

Biometric devices, which measure physical information about a user, are ideal for
use in highly secure areas. However, for most small organizations, this type of
solution would be too expensive.

Data Security
You can protect data by using data security devices to authenticate employee
access. Two-factor identification is a method to increase security. Employees must
use both a password and a data security device similar to those listed here:

Smart card This is a device that has the ability to store data safely. The internal
memory is an embedded Integrated Circuit Chip (ICC) that connects to a reader
either directly, or through a wireless connection. Smart cards are used in many
applications worldwide, such as secure ID badges, online authentication devices,
and secure credit card payments.
Security key fob This is a small device that resembles the ornament on a key ring.
It has a small radio system that communicates with the computer over a short
range. The fobs are small enough to attach to a key rings. The computer must
detect the signal from the key fob before it will accept a username and password.
Biometric device This measures a physical characteristic of the user, such as
fingerprints or the patterns of the iris in the eye. The user is granted access if these
characteristics match its database and the correct login information is supplied.

Hardware destruction is the process of removing sensitive data from hardware and
software when data is no longer needed. Hardware destruction must be performed
before recycling or discarding items that store data. Three methods are commonly
used to either destroy or recycle data and hard drives:

Data wiping

Hard drive destruction

Hard drive recycling

The level of security that the customer needs determines which devices are used to
keep data and equipment secure, and how the data should be removed or
destroyed.
Computer equipment and data can be secured using overlapping protection
techniques to prevent unauthorized access to sensitive data. An example of
overlapping protection is using two different techniques to protect an asset. This is
known as two-factor security, as shown in Figure 1. When considering a security
program, the cost of the implementation has to be balanced against the value of
the data or equipment to be protected.

Physical Security
Use security hardware to help prevent security breaches and loss of data or
equipment. Physical security access control measures include the following:

Lock This is the most common device for securing physical areas. If a key is lost,
all identically keyed locks must be changed.
Conduit This is a casing that protects the infrastructure media from damage and
unauthorized access.
Card key This is a tool used to secure physical areas. If a card key is lost or stolen,
only the missing card must be deactivated. The card key system is more expensive
than security locks.

Video equipment This records images and sound for monitoring activity. The
recorded data must be monitored for problems.
Security guard This person controls access to the entrance of a facility and
monitors the activity inside the facility.
Network equipment should be mounted in secured areas. All cabling should be
enclosed in conduits or routed inside walls to prevent unauthorized access or
tampering. Network ports that are not in use should be disabled.

Biometric devices, which measure physical information about a user, are ideal for
use in highly secure areas. However, for most small organizations, this type of
solution would be too expensive.

Data Security
You can protect data by using data security devices to authenticate employee
access. Two-factor identification is a method to increase security. Employees must
use both a password and a data security device similar to those listed here:

Smart card This is a device that has the ability to store data safely. The internal
memory is an embedded Integrated Circuit Chip (ICC) that connects to a reader
either directly, or through a wireless connection. Smart cards are used in many
applications worldwide, such as secure ID badges, online authentication devices,
and secure credit card payments.
Security key fob This is a small device that resembles the ornament on a key ring.
It has a small radio system that communicates with the computer over a short
range. The fobs are small enough to attach to a key rings. The computer must
detect the signal from the key fob before it will accept a username and password.
Biometric device This measures a physical characteristic of the user, such as
fingerprints or the patterns of the iris in the eye. The user is granted access if these
characteristics match its database and the correct login information is supplied.
Hardware destruction is the process of removing sensitive data from hardware and
software when data is no longer needed. Hardware destruction must be performed
before recycling or discarding items that store data. Three methods are commonly
used to either destroy or recycle data and hard drives:

Data wiping

Hard drive destruction

Hard drive recycling

The level of security that the customer needs determines which devices are used to
keep data and equipment secure, and how the data should be removed or
destroyed.

Hardware and software firewalls protect data and equipment on a network from
unauthorized access. A firewall should be used in addition to security software.

Hardware and software firewalls have several modes for filtering network data
traffic:

Packet filter This is a set of rules that allows or denies traffic based on criteria such
as IP addresses, protocols, or ports used.
Proxy firewall This is a firewall installed on a proxy server that inspects all traffic
and allows or denies packets based on configured rules. A proxy server is a server
that is a relay between a client and a destination server on the Internet.
Stateful packet inspection This is a firewall that keeps track of the state of network
connections traveling through the firewall. Packets that are not part of a known
connection are dropped.
Hardware Firewall
A hardware firewall is a physical filtering component that inspects data packets from
the network before they reach computers and other devices on a network. A
hardware firewall is a free-standing unit that does not use the resources of the
computers it is protecting, so there is no impact on processing performance.

Software Firewall

A software firewall is an application on a computer that inspects and filters data


packets. Windows Firewall is an example of a software firewall that is included in the
Windows operating system. A software firewall uses the resources of the computer,
resulting in reduced performance for the user.

Consider the items listed in Figure 1 when selecting a firewall.

NOTE: On a secure network, if computer performance is not an issue, you should


enable the internal operating system firewall for additional security. Some
applications may not operate properly unless the firewall is configured correctly for
them
A network has many different types of security settings. Technicians must configure
security settings for folders and files, wireless devices and clients, and hardware
and software firewalls.

Permission Levels for Folders and Files


Permission levels are configured to limit individual or group user access to specific
data. Both FAT and NTFS allow folder sharing and folder-level permissions for users
with network access. Folder permissions are shown in Figure 1. The additional
security of file-level permissions is provided with NTFS. File-level permissions are
shown in Figure 2.

When configuring network share permissions for a computer that has NTFS, you
must create a network share and assign shared permissions to users or groups. Only
users and groups with both NTFS permissions and shared permissions can access a
network share.

File and network share permissions can be granted to individuals or through


membership within a group. If an individual or a group is denied permissions to a
network share, this denial overrides any other permissions given. For example, if
you deny someone permission to a network share, the user cannot access that
share, even if the user is the administrator or part of the administrators group.

Securing a network includes the proper selection and configuration of several


different technologies. Some of these technologies, which are shown in Figure 3, are
used to configure wireless security. The type of security needed by the network will
indicate which security technologies must be enabled and configured in each
network device.

NOTE: All router configurations, in this text, are based on the Linksys WRT300N
wireless router. The configuration examples assume you are already logged on to
the wireless router.

Wireless Antennae
The gain and signal pattern of the antenna connected to a wireless access point can
influence where the signal can be received. Avoid transmitting signals outside of the
network area by installing an antenna with a pattern that serves your network
users.

Network Device Access Permissions


Many wireless devices built by a specific manufacturer have the same default
username and password for accessing the wireless configuration. If left unchanged,
unauthorized users can easily log on to the access point and modify the settings.
When you first connect to the network device, change the default username and
password. Some devices allow you to change both the username and the password,
while others only allow you to change the password.

To change the default password, use the following path:


Administration > Management > type the new router password > Re-enter to
confirm > Save Settings.

Wireless Security Modes


Most wireless access points support several different security modes. The most
common ones are:

Wired Equivalent Privacy (WEP) This encrypts the broadcast data between the
wireless access point and the client using a 64-bit or 128-bit encryption key. Figure 4
shows the WEP configuration.
Wi-Fi Protected Access (WPA) This is an improved version of WEP. It was created as
a temporary solution until 802.11i became ratified. Now that 802.11i has been
ratified, WPA2 has been released. It covers the entire 802.11i standard. WPA uses
much stronger encryption than WEP encryption.
Wi-Fi Protected Access 2 (WPA2) This is an improved version of WPA. WPA2
supports robust encryption, which provides government-grade security. WPA2 can
be enabled with password authentication (Personal) or server authentication
(Enterprise).
Lightweight Extensible Authentication Protocol (LEAP), also called EAP-Cisco This is
a wireless security protocol created by Cisco to address the weaknesses in WEP and
WPA.
To add wireless security, use the following path:
Wireless > Wireless Security > select a Security Mode > select an Encryption Type
> type the Pre-shared Key > set Key Renewal > Save Settings > Continue.

SSID
A wireless access point broadcasts the SSID by default so that wireless devices can
detect the wireless network. You can disable SSID broadcasting on a wireless
network to prevent the wireless access point or router from revealing the name of
the wireless network.

To disable SSID broadcasting, use the following path:


Wireless > Basic Wireless Setting > select Disabled for SSID Broadcast > Save
Settings > Continue.

Disabling SSID broadcasting can make it more difficult for legitimate clients to find
the wireless network. Manually enter the SSID on wireless devices to connect to the
wireless network when the SSID broadcast has been disabled on the wireless router
or access point. Simply turning off the SSID broadcast is not sufficient to prevent
unauthorized clients from connecting to the wireless network. Instead of turning off
the SSID broadcast, use stronger encryption such as WPA or WPA2.

MAC Address Filtering


MAC address filtering is a technique used to deploy device-level security on a
wireless LAN. Because every wireless client has a unique MAC address, wireless
access points can prevent wireless clients from connecting to the wireless network if
they do not have authorized MAC addresses. MAC address filtering, as shown in
Figure 5, is vulnerable to attack when used alone and should be combined with
other security techniques.

To set up a MAC address filter, use the following path:


Wireless > Wireless MAC Filter > select Enabled.

Select Prevent or Permit for the access restriction type.

Select Wireless Client List > select the client > Save to MAC Address Filter List >
Add > Save Settings > Continue.

Add a MAC address for each client that you wish to permit or deny access to the
wireless client list.

The MAC address of a wireless NIC can be found by typing ipconfig /all at the
command prompt. For devices other than computers, the MAC address can usually
be found on the label of the device or within the manufacturers instructions. On
wireless networks with a large number of clients, MAC address filtering can become
tedious because you must enter each MAC address in the filter.

MAC address filtering is not a strong layer of security. Instead of using MAC address
filtering, use stronger encryption techniques such as WPA or WPA2.

Firewalls

A firewall is a device or application installed on a network to protect it from


unauthorized users and malicious attacks. A software firewall is software installed
on a computer to block specific incoming or outgoing traffic. For example, a firewall
that is configured to block outgoing traffic on port 21 will not allow the computer to
connect to a standard FTP server. The firewall can be configured to block multiple
individual ports, a range of ports, or even traffic specific to an application.

The Linksys WRT300N wireless router is also a hardware firewall. A hardware firewall
isolates your network from other networks. A hardware firewall will pass two
different types of traffic into your network:

Traffic that originates from inside your network


Traffic destined for a port that you have intentionally left open
There are several types of hardware firewall configurations:

Packet filter This configuration does not allow packets to pass through the firewall,
unless they match the established rule set configured in the firewall. Traffic can be
filtered based on many attributes, such as source IP address, source port or
destination IP address or port, and destination services such as WWW or FTP.
Application layer This configuration intercepts all packets traveling to or from an
application. It prevents all unwanted outside traffic from reaching protected devices.
Proxy This configuration intercepts all traffic between computers and different
networks and uses established rules to determine if data requests should be
allowed.
To configure hardware firewall settings on the Linksys WRT300N, use the following
path:
Security > Firewall > select Enable for SPI Firewall Protection. Then select other
Internet filters and web filters required to secure the network. Click Save Settings >
Continue.

Port Forwarding and Port Triggering


Hardware firewalls are mainly used to block ports to prevent unauthorized access in
and out of a LAN. However, there are situations when specific ports must be opened
so that certain programs and applications can function properly. Port forwarding is a

rule-based method of directing traffic between devices on separate networks. When


traffic reaches the router, the router determines if the traffic should be forwarded to
a certain device based upon the port number found with the traffic. For example,
port numbers are associated with specific services such as FTP, HTTP, HTTPS, and
POP3. The rules determine which traffic will be sent onto the LAN. For example, a
router might be configured to forward port 80, which is associated with the HTTP
protocol. If the router then receives a packet with the destination port of 80, the
router will forward this traffic to a web server inside the network.

To add Port Forwarding, use the following path:


Applications & Gaming > Single Port Forwarding > select or enter an Application
Name. You may need to enter the External Port number, Internet Port number, and
Protocol type. Then enter the IP Address of the computer that should receive the
requests. Click Enable > Save Settings > Continue.

Port triggering allows the router to temporarily forward data through inbound ports
to a specific device. You can use port triggering to forward data to a computer only
when a designated port range is used to make an outbound request.

For example, a video game might use ports 27000 to 27100 for connecting with
other players. These are the trigger ports. A chat client might use port 56 for
connecting the same players so that they can interact with each other. An example
of a port triggering rule is when any gaming traffic uses an outbound port that is
within the triggered port range, inbound chat traffic on port 56 will be forwarded to
the computer that is being used to play the video game and chat with friends. When
the game is over and the triggered ports are no longer in use, port 56 will no longer
be allowed to send traffic of any type to this computer.

To add Port Triggering, use the following path:


Applications & Gaming > Port Range Triggering > type the Application Name. Enter
the starting and ending port numbers of the triggered port range, and starting and
ending port numbers of the forwarded port range. Click Enable > Save Settings >
Continue.

A firewall selectively denies traffic to a computer or network segment. Firewalls


generally work by opening and closing the ports used by various applications. By

opening only the required ports on a firewall, you are implementing a restrictive
security policy. Any packet not explicitly permitted is denied. In contrast, a
permissive security policy permits access through all ports, except those explicitly
denied. In the past, software and hardware were shipped with permissive settings.
As users neglected to configure their equipment, the default permissive settings left
many devices exposed to attackers. Most devices now ship with settings as
restrictive as possible, while still allowing easy setup.

Software Firewalls
Software firewalls can be either an independent application or part of the operating
system. There are several third-party software firewalls. There is also a software
firewall built into Windows XP, as shown in Figure 1.

Configuring the Windows XP or Windows Vista firewall can be completed in two


ways:

Automatically The user is prompted to Keep Blocking, Unblock, or Ask Me Later for
any unsolicited requests. These requests may be from legitimate applications that
have not been configured previously or may be from a virus or worm that has
infected the system.
Manage Security Settings The user manually adds the program or ports that are
required for the applications in use on the network.
Windows XP
To add a program, select:
Start > Control Panel > Security Center > Windows Firewall > Exceptions > Add
Program.

To disable the firewall, select:


Start > Control Panel > Security Center > Windows Firewall.

Windows Vista
To add a program, select:

Start > Control Panel > Security Center > Windows Firewall > Change Settings >
Continue > Exceptions > Add Program.

To disable the firewall, select:


Start > Control Panel > Security Center > Windows Firewall > Turn Windows Firewall
on or off > Continue > select Off (not recommended) > OK.

The Windows firewall blocks all incoming network connections, except for specific
programs and services. For example, the Windows Update service and Internet
Explorer are allowed through the firewall by default. An exception, as shown in
Figure 2, is a rule that opens a blocked port in the firewall for a specific need. For
instance, to allow an FTP connection you must create an exception that will open up
port 21. Each different type of connection requires a unique port number to pass
data through the firewall.

To add a port exception to the Windows Firewall, select the Exceptions tab.

Click Add port > type a Name > type a Port number > select a Protocol. To specify
that only certain computers will be affected by the exception, click Change scope >
Specify the computers > OK > OK > OK.
Malware is malicious software that is installed on a computer without the knowledge
or permission of the user. Certain types of attacks, such as those performed by
spyware and phishing, collect data about the user that can be used by an attacker
to gain confidential information.

You should run virus and spyware scanning programs to detect and clean unwanted
software. Many browsers now come equipped with special tools and settings that
prevent the operation of several forms of malicious software. It may take several
different programs and multiple scans to completely remove all malicious software:

Virus protection Anti-virus programs typically run automatically in the background


and monitor for problems. When a virus is detected, the user is warned and the
program attempts to quarantine or delete the virus.

Spyware protection Anti-spyware programs that scan for keyloggers, which


capture your keystrokes, and other malware so that it can be removed from the
computer.
Adware protection Anti-adware programs look for programs that display
advertising on your computer.
Phishing protection Anti-phishing programs block the IP addresses of known
phishing websites and warn the user about suspicious websites.
NOTE: Malicious software may become embedded in the operating system. Special
removal tools are available from the operating system manufacturer to clean the
operating system.
An operating system is often the target of attacks in order to gain control of a
computer. The compromised computer can then be used to launch attacking e-mails
without the knowledge of that computer's user. A computer compromised in this
way is called a zombie.

Windows automatically downloads and installs updates to operating systems by


default. However, this may not be the best way to update systems. The updates
may conflict with the security policy of an organization or may conflict with other
settings on a computer. The following options available in Windows give users the
ability to control when software is updated:

Automatic Downloads and installs updates automatically without user intervention


Only download updates Downloads the updates automatically, but the user is
required to install them
Notify me Notifies the user that updates are available and gives the option to
download and install
Turn off automatic updates Prevents any checking for updates
If the user is on a dial-up network, the Windows Update setting should be configured
to notify the user of available updates, or it should be turned off. The dial-up user
may want to control the update by selecting a time when the update does not
interrupt other network activity or use the limited resources available.
Employees in an organization may require different levels of access to data. For
example, a manager and an accountant may be the only employees in an
organization with access to the payroll files.

Employees can be grouped by job requirements and given access to files according
to group permissions. This process helps manage employee access to the network.
Temporary accounts can be set up for employees that need short-term access.
Close management of network access can help to limit areas of vulnerability that
might allow a virus or malicious software to enter the network.

Terminating Employee Access


When an employee leaves an organization, access to data and hardware on the
network should be terminated immediately. If the former employee has stored files
in a personal space on a server, eliminate access by disabling the account. If, at a
later time, the employee's replacement requires access to the applications and
personal storage space, re-enable the account and change the name to the name of
the new employee.

Guest Accounts
Temporary employees and guests may need access to the network. For example,
many visitors might require access to e-mail, the Internet, and a printer on the
network. These resources can be made available to a special account called Guest.
When guests are present, they can be assigned to the Guest account. When no
guests are present, the account can be disabled until the next guest arrives.

Some guest accounts may require extensive access to resources, as in the case of a
consultant or a financial auditor. This type of access should be granted only for the
period of time required to complete the work.

A data backup stores a copy of the information on a computer to removable backup


media that can be kept in a safe place. If the computer hardware fails, the data can
be restored from the backup to functional hardware.

Data backups should be performed on a regular basis. The most current data
backup is usually stored offsite to protect the backup media if anything happens to
the main facility. Backup media is often reused to save on media costs. Always
follow your organization's media rotation guidelines.

Backup operations for Windows XP can be performed at the command line or from a
batch file using the NTBACKUP command. The default parameters for NTBACKUP will
be the ones set in the Windows XP backup utility. Any options you want to override
must be included in the command line. You cannot restore files from the command
line using the NTBACKUP command.

The Windows XP Backup or Restore Utility wizard files have the extension .bkf. A .bkf
file can be saved to a hard drive, a DVD, or to any other recordable media. The
source location and target drive can be either NTFS or FAT.

The Windows Vista backup files have the extension .zip. Backup data is
automatically compressed, and each file has a maximum compressed size of 200
MB. A Windows Vista backup file can be saved to a hard drive, any recordable
media, or to another computer or server connected to your network. The backup
can only be created from an NTFS partition. The target hard drive must be either
NTFS or FAT formatted.

NOTE: You can manually exclude directories in the Windows XP Backup or Restore
Utility wizard. This is not supported in the Windows Vista Backup Files wizard.

You can make a Windows backup manually or schedule how often the backup will
take place automatically. To successfully backup and restore data in Windows, the
appropriate user rights and permissions are required:

All users can back up their own files and folders. They can also back up files for
which they have the Read permission.
All users can restore files and folders for which they have the Write permission.
Members of the Administrators, Backup Operators, and Server Operators (if joined
to a domain) can back up and restore all files (regardless of the assigned
permissions). By default, members of these groups have the Backup Files and
Directories and Restore Files and Directories user rights.
The Windows XP Backup or Restore Utility wizard provides five backup types:

Full or Normal This backup type copies all selected files and marks each file as
having been backed up.
Incremental This backup type backs up only files that have been created or
changed since the last full or incremental backup. Restoring files requires that you
have the last full backup set and all incremental backup sets.
Differential This backup type copies only files that have been created or changed
since the last full backup. Restoring files requires that you have the last full and one
differential backup.
Daily This backup type copies all selected files that have been modified the day
that the daily backup has been performed.
Copy This backup type copies all selected files but does not mark them as having
been backed up.
To start the Windows XP Backup or Restore Utility wizard, select:
Start > All Programs > Accessories > System Tools > Backup. The Backup or
Restore wizard starts. To change the backup setting, select Advanced Mode > Tools
> Options.

To restore a backed up file in Windows XP, in the Backup or Restore wizard, select:
Next > Restore files and settings > Next > select the backed up file > Next > Finish.

To start the Windows Vista Backup Files wizard, select:


Start > All Programs > Maintenance > Backup and Restore Center > Back up files.

To change the backup settings, select Change settings > Change backup settings >
Continue.

To restore a backed up file in Windows Vista, select:


Start > All Programs > Maintenance > Backup and Restore Center > Restore files.
A combination of backup types, as shown in Figure 1, allow the data to be backed up
efficiently. A full backup is a copy of all files on the drive. An incremental backup
backs up only those files created or changed since the last normal or incremental

backup. It marks files as having been backed up. A differential backup copies files
created or changed since the last normal or incremental backup, but it does not
mark files as having been backed up. Backing up data can take time, so it is
preferable to do backups when the network traffic is low. Other types of backups
include daily backup and copy backup, which do not mark the files as having been
backed up.

The data backup media is just as important as the data on the computer. You should
store the backup media in a climate-controlled offsite storage facility with good
physical security. The backups should be readily available for access in case of an
emergency.

This chapter discussed computer security and why it is important to protect


computer equipment, networks, and data. Threats, procedures, and preventive
maintenance relating to data and physical security were described to help you keep
computer equipment and data safe. Security protects computers, network
equipment, and data from loss and physical danger. The following are some of the
important concepts to remember from this chapter:

Security threats can come from inside or outside of an organization.


Viruses and worms are common threats that attack data.
Develop and maintain a security plan to protect both data and physical
equipment from loss.
Keep operating systems and applications up to date and secure with patches
and service packs.