
DNS Security Techniques Overview

In this lecture we're going to demonstrate several security techniques that can be implemented in Windows Server 2016.

DANE (DNS Based Authentication of Named Entities)

  • The first technique is DANE. Basically, DANE tells a client which source to expect a certificate from. That client or server will only accept a certificate from the designated source. We'll demonstrate how DANE works in a minute.
  • First, let's clear up some terminology. DANE helps to prevent MITM attacks.

What is a man-in-the-middle attack? A MITM attack happens when communication between two systems is intercepted by an outside entity.

  • What is a TLSA record? TLSA stands for Transport Layer Security Authentication.

This record contains the port number that the TLS server communicates on, the server host name of the TLS server, and the port number that the TLS server listens on.

  • How does DANE work?

A normal DANE lookup, as in the lecture's example:

  • The client requests the IP address of google.com from the DNS server sa.com.
  • sa.com responds by informing the client to expect a certificate from https://www.ca.com.
  • At that point the DNS server sends the client 8.8.8.8, the IP address for google.com.

A typical example of a man-in-the-middle attack against the same exchange:

  • The client requests a record.
  • sa.com responds by informing the client to expect a certificate from https://www.ca.com.
  • The attacker attempts to get the client or the server to accept a certificate from another CA, https://www.carip.com.

In this case the server refuses the certificate and flags it as an invalid certificate. The MITM attack fails.
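To make the accept/refuse decision concrete, here is an added Python example (not code from the lecture or from Windows Server 2016) that parses a TLSA record in its zone-file form and performs the client-side check the lecture describes: the certificate whose digest the record pins is accepted, any other certificate is refused. The certificate bytes are constructed stand-ins rather than real DER, and the block pins the server's own certificate (DANE-EE, usage 3) instead of the CA the lecture's example names.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-ins for DER-encoded certificates (not real X.509 data); a real
# client would hash the DER bytes of the certificate presented in the TLS handshake.
CA_COM_CERT = b"constructed-der: certificate issued via www.ca.com"
CARIP_COM_CERT = b"constructed-der: certificate issued via www.carip.com"


@dataclass(frozen=True)
class TLSARecord:
    usage: int         # 3 = DANE-EE: the record pins the server's own (end-entity) certificate
    selector: int      # 0 = whole certificate, 1 = SubjectPublicKeyInfo only
    matching: int      # 0 = exact bytes, 1 = SHA-256 digest, 2 = SHA-512 digest
    assoc_data: bytes  # certificate association data the client compares against

    @classmethod
    def parse(cls, rdata: str) -> "TLSARecord":
        """Parse TLSA presentation format, e.g. '3 0 1 <hex digest>'."""
        usage, selector, matching, *hex_parts = rdata.split()
        return cls(int(usage), int(selector), int(matching), bytes.fromhex("".join(hex_parts)))


def tlsa_owner_name(host: str, port: int = 443, proto: str = "tcp") -> str:
    """Name the client queries: port and protocol prefixed to the TLS server's host name."""
    return f"_{port}._{proto}.{host}."


def assoc_data_for(cert_der: bytes, matching: int) -> bytes:
    """Reduce a presented certificate to the form stored in the record."""
    if matching == 0:
        return cert_der
    if matching == 1:
        return hashlib.sha256(cert_der).digest()
    if matching == 2:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown TLSA matching type {matching}")


def publish_record(cert_der: bytes) -> str:
    """What the zone owner publishes: DANE-EE, whole cert, SHA-256 (the common '3 0 1' form)."""
    return f"3 0 1 {hashlib.sha256(cert_der).hexdigest()}"


def dane_accepts(record: TLSARecord, presented_der: bytes) -> bool:
    """Client-side decision: accept only a certificate that matches the published record."""
    if record.selector != 0:
        raise NotImplementedError("selector 1 needs an X.509 parser to extract the SPKI")
    return hmac.compare_digest(assoc_data_for(presented_der, record.matching), record.assoc_data)
```

Running `dane_accepts` with the record published for the www.ca.com certificate returns True for that certificate and False for the www.carip.com one, which is the refusal the lecture's MITM example ends with.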

DNS Cache Locking

**DNS Cache Locking** is one of the methods that protects against DNS cache poisoning.

**So, what is DNS Cache Poisoning?**

  • It is the act of placing false information in a DNS server's cache.
  • DNS cache locking uses the Time to Live (TTL, the amount of time a record stays in cache).
  • By default, the TTL is set to 24 hours.
  • Malic…