Analyzing and Managing the Risks of Administering Networks




The most secure way to manage your network is by allowing only local administration of servers. This would mean that you would have to sit down at the keyboard attached to the server and log on as an administrator to manage the server. This is impractical for many organizations, and if this is the case in your organization, you will need to manage your servers remotely. But before you begin to do so, you will need to develop a remote management plan.

A remote management plan ensures that the proper tools and configuration you choose for managing your servers are in line with your security policy and infrastructure. Your remote management plan will help you understand what type of management each server needs, whether they need to be managed locally or remotely, the location of the servers in your organization, who will administer them, and what the requirements for security are on the servers. You should use the following steps to develop the remote management plan:

  • Evaluate remote management needs.

  • Determine the tools and hardware needed to meet your remote management needs.

  • Design the hardware and software configuration.

  • Configure the network infrastructure to accommodate remote management.

  • Plan remote management deployment.

Evaluating Remote Management Needs

When developing your remote management plan, the first thing you need to do is determine which servers you will manage remotely. Then you can consider what the cost, convenience, and availability requirements should be for managing the servers on your network. Your company’s security policy might include requirements that would make it more costly to administer a server remotely than the inconvenience or increase in staffing to maintain availability would warrant.

For example, suppose your company’s security policy requires that data on sensitive database servers be protected by an expensive authentication and data encryption system if the servers are to be remotely accessed. The system might contain per-server and yearly subscription fees that make remote administration more expensive than just using local administration of the server as the only administrative option.

Remote administration provides convenience by allowing you to manage the network from a location other than the server console. You need to decide whether you will allow remote administration from the internal network only or from both internal and external networks. Allowing remote administration from your company’s internal network gives server administrators a gain in productivity by avoiding frequent trips to the server room or another location.

You could also allow remote administration through a VPN, HTTP, or dial-up connection. This will allow server administrators to check on the status of servers from home or other locations through an Internet or dial-up connection. This is convenient for administrators who are on call or for someone with more expertise who is helping out in an emergency situation.

Remote administration can help increase the availability of your network without increasing the staffing cost of the organization. Administrators can access the network from their desktop at work or from home to resolve problems and maintain servers instead of having to drive to the branch office or company to resolve the problems. This will mean server problems can be resolved and servers made available more quickly. You could gain the same availability on a locally managed network by increasing staff to provide an administrator around the clock.

Of course, each of these items will impact the others. If you reduce cost by allowing only local administration, you decrease convenience, and perhaps decrease availability of the server (unless you increase staff). For example, suppose you require that a database server be administered only locally for security reasons. This server also has an availability requirement that states it can be down for no longer than 30 minutes and needs to be available 24/7 except for scheduled maintenance. If you allow remote management, you could have a staff member carry a pager and manage the server from home to resolve most problems. Without remote management, you will either need additional staff to provide 24/7 onsite management or need to require the employees on pager duty to stay within 15 minutes of work. Either way, maintaining this security requirement is certain to affect your staffing costs. You need to look at costs to determine which approach is the best for this server.

Benefits and Threats of Remote Management

Remote management introduces new threats to your servers. When you remotely manage a server, you need to consider additional security measures. Remotely managing computers will allow potentially sensitive information to be transmitted across the network. You must ensure that the management tool provides the necessary means to prevent eavesdropping on the data it sends or you must provide this service yourself (through VPN, IPSec or SSL usually). This would not be a necessary consideration if you just used local management. Remote management will also increase your exposure to attacks using management tools.

You will need to make sure that the management tool you use can be used by only a select group of individuals and that the necessary password protections are enforced. Out-of-band remote management can be threatened because there is no logical security on the serial connections used to manage the server. You need to determine which servers can benefit or be threatened by remote management.

Remote management provides the following benefits:

  • Reduced total cost of ownership

  • Increased availability of servers

  • Increased convenience and productivity of administrators

There are some threats associated with remote management:

  • Increased attack surface because attackers can use the tools

  • Security holes in the remote administration tool or service that are not patched or kept up-to-date

  • Sensitive data sent across the network

  • No logical security on serial connections for out-of-band communications

In the “Evaluating Remote Management Needs” Design Scenario, you will determine which servers in the organization can benefit from remote management and which should be managed locally.

Determining the Tools and Hardware Needs

Remote management tools in Windows Server 2003 make it possible to perform any management action on the server remotely except for hardware installation. You can take advantage of in-band and out-of-band remote management tools. In-band remote management tools are the traditional tools that you use to manage your server, such as Terminal Services For Remote Administration or Active Directory Users And Computers. These tools work if the server is functioning correctly and can communicate with the network.

Design Scenario: Evaluating Remote Management Needs

start example

Expo, Inc. is a corporation that provides party and convention planning services in North America. It has offices in 17 major cities throughout the United States. Currently, each office has its own IT administrative staff. Expo would like to consolidate their IT staff in their corporate headquarters in Los Angeles. Expo, Inc. will need to implement remote management to be able to successfully manage remote servers. Management is concerned about security issues that remote management presents.

  1. Question: What are the security threats to remote management? Answer:

    • Eavesdropping, both intentional and accidental, on the remote management tool’s network communications

    • Weak passwords or password technology to authenticate the remote management session

    • Servers that are not patched regularly and might have a known security hole in the remote management service

end example

The main in-band remote management tools in Windows Server 2003 are listed here:

Microsoft Management Console (MMC): MMC is a framework for hosting administrative tools called snap-ins. You can customize MMC to meet your administrative needs by adding or removing snap-ins. Each snap-in can be made up of tools, web pages, folders, and other items that are used to administer applications and services.

Windows Script Host: Windows Script Host allows you to write scripts that automate administrative tasks. You can write a script in any common script language, including Microsoft Visual Basic Scripting Edition (VBScript) and ECMA Script (known as JScript or JavaScript). You will want to make sure that the extensions (.vbs, .js, .vbe, .jse, .wmf) of script files are not mapped to the Windows Script Host executables (wscript.exe or cscript.exe). This prevents them from executing unless you type cscript.exe ScriptName at a command prompt, which increases security against accidental execution of scripts. You will also want to make sure that only administrative accounts have execute access to the wscript and cscript executables.

Remote Desktop for Administration: This allows an administrator to manage a network computer from any computer on the network. You use Remote Desktop for Administration to log on to a remote server, and you then see the remote server’s desktop. This tool was known as Terminal Services for Remote Administration in Windows 2000. You can interact with the remote server as if you were managing it locally. You log on to the remote server with your own account, so if someone is already logged on to the server, they will not see what you are doing, nor will you compete for the mouse pointer. A new feature in Remote Desktop for Administration allows you to connect to the console session, so you can remotely run programs that require console access, like Microsoft SQL Server hotfixes. This is one of the favorite management tools on Windows Server 2003.

Web Interface for Remote Administration: This is a web-based application that allows you to administer a server using a web browser and the HTTP protocol. This tool is particularly useful for managing a web server, and you can perform the following configuration tasks: create websites, delete websites, configure websites, configure network settings, restart the web server, and manage local user accounts.

Remote Assistance: Remote Assistance will allow you to remotely manage another computer much as you can with Remote Desktop for Administration except that you must be given permission to manage the server or workstation by the current user. You will then take over the mouse and keyboard functionality as if you were local. Remote Assistance allows administrators or help desk personnel to aid users in new or difficult tasks. Remote Assistance also allows you to chat in real time with the user.

Command-line administration tools: These are tools like Telnet and SSH, which can be used to have a remote command line on the server. The commands that you type in the Telnet window will run on the server that you are connected to. It is sometimes more convenient to use command line tools over a slow network connection or from other operating systems.

Note

Designing security for in-band management tools is discussed in detail in the section entitled “Designing a Secure Administrative Strategy for Server Management Tools.” Windows Script Host is not covered there because it was discussed above.

Out-of-band remote management tools are used if the server is not responding to standard network communications. This could be because the server is hung up or the network device has stopped functioning. Using out-of-band management tools combined with the appropriate hardware, you will need to locally manage a server only for hardware upgrades and maintenance. Out-of-band services are provided by the Emergency Management Services (EMS) on Windows Server 2003. To effectively use EMS, you may need to purchase additional hardware and you’ll need to weigh the cost of additional hardware with the benefit of the service. Out-of-band connections usually involve using the serial port on the server to administer the server. This connection can be established remotely through specialized hardware or a dialup connection.

Note

You will learn more about out-of-band communication later in this chapter in the section entitled “Designing for Emergency Management Services.”

Designing the Hardware and Software Configuration

It’s important to design for securing the hardware and configuring the security of the software used for remote management. You will need to consider the type of remote management you’ll use and secure it against intentional attacks or even accidents. With in-band remote management, you must pay attention to requirements of how the administrators will authenticate to the server and mechanisms for encrypting communications with the server. You will also need to consider the impact of in-band remote management on your firewall configuration. Out-of-band communication has no logical security, so you will need to plan for the physical security of the serial connections required. You will also need to design the appropriate rights and folder permissions to protect the remote management tools so that only the appropriate administrators can access them.

In general, your security strategy for remote management should consider the following:

  • User authentication—The server should allow remote management from only the appropriate administrator.

  • Machine authentication—The server should allow remote management from only the appropriate machine.

  • Physical security—The hardware should be physically secure, especially in the case of out-of-band remote management.

  • Encryption—Information sent over the network because of remote management needs to be confidential.

  • Auditing—All access due to remote administration should be logged in a secure fashion.

In the following sections, we will consider how each of these points affects your remote management security strategy.

User Authentication

Most remote management tools require that you authenticate with the server before you can manage the server. The tool may take advantage of the underlying operating system for authentication or require a separate username and password. You will need to consider the authentication mechanisms available in the management tool when you design for remote management security because they may not be strong enough for your security policy.

For example, your policy may state that all network authentication use Kerberos for centralized management and the strong protections that would be afforded. If the management tool does not support Kerberos, you may not be able to use it remotely. In general, consider the authentication mechanisms available in the tool and whether they are appropriate for protecting the server you are managing.

Strong authentication mechanisms on Windows Server 2003 include Kerberos and smart card authentication. You should consider also having a separate password policy that requires administrators to have longer and more difficult passwords than regular users have. You may even consider using smart cards for remote administration, even if you don’t use them for regular users. These can be enforced through Group Policy and Active Directory. You will also want to make sure that you audit the accounts that have been given remote management access.

Medium authentication mechanisms on Windows Server 2003 would allow for using NT LAN Manager (NTLM) security for authentication. You would also want to enforce the strong password policies on administrative accounts, as well as audit access by these accounts to the servers. It is not recommended that you use less security than this for remote access.

After you have decided on the authentication mechanism you are going to use, you will need to decide which administrators will perform which administrative tasks. You will design security groups and assign administrators user accounts to each group. You will want to assign to each administrator the minimum security level they need to perform their remote management tasks. Generally, you will use three mechanisms to control the remote management tasks you can perform:

User rights: User rights define what administrative tasks can be performed on the server, such as logging on locally or setting up new hardware.

Shared folder permissions: Shared folder permissions allow you to control which users or groups can access a share over the network. Many administrative tools use shared folders to log access, launch the administrative tools, access administrative shares over the network (for example, C$), or log onto computers remotely using terminal emulation programs.

NTFS permissions: NTFS permissions allow you to control who can launch various programs, including remote administrative tools.

Note

These settings were discussed in Chapter 8, “Designing Security for Servers with Specific Roles.”

Machine Authentication

You will want to establish which computers you’ll use to perform remote management. You will use machine authentication in conjunction with the authentication of the user account to provide additional security. There are two main mechanisms that you can use to verify the computer:

IP address filtering: IP address filtering is used to decide which IP addresses are allowed to connect to the server. You would configure the server to allow the remote management workstations to connect. IP address filtering is a static process that is appropriate only to statically assigned IP addresses. It is also susceptible to IP address spoofing, so you shouldn’t rely on it solely. It is one more mechanism in your security toolkit to harden your servers. A stronger mechanism is to use computer certificates.

Computer certificates: Computer certificates uniquely identify each computer on the network. Since computer certificates are next to impossible to forge, their use is a strong security mechanism, especially if combined with a strong authentication mechanism like smart cards. An attacker would need both the computer certificate and an administrator account’s credentials to attack the machine through the remote administration tools. Where feasible, use IP address filtering in conjunction with computer certificates for even stronger security.

Physical Security

You should always include physical security in your security design for your servers. But servers that use out-of-band management need special consideration. The serial connections between servers and out-of-band management hardware need to be protected physically because there is no authentication available. You should lock server rooms that contain the out-of-band management components and servers. Use a physical identification mechanism to determine who is entering and leaving the server room. Try to contain all the serial connections and equipment to the locked server room.

Encryption

You need to consider how you will protect the data that the remote management tools transmit over a network. Does the tool itself provide encryption options? If you need to provide encryption yourself, what mechanism is appropriate? Chances are your security policy will state the acceptable encryption strength for sensitive data in your organization and even the technologies that are preferred.

Regardless of whether the tool supports its own encryption mechanism, you may decide to encrypt access to the servers in a more general and manageable fashion. There are two main mechanisms for encrypting data on Windows Server 2003 for remote management:

IP Security (IPSec): IPSec is generally the mechanism used for mitigating the security vulnerability of unencrypted or weakly encrypted data in the remote management tool. Configure the server and the remote management computer to require IPSec for a connection. This will work with an IP-based management product.

Secure Sockets Layer (SSL): SSL is used to secure the communication of tools that use HTTP to communicate with the server.

Auditing

You must make sure that you devise a means for securely auditing the use of remote management tools. Your audit logs should track who used the tool, from what machine they used it, when it was used, and what was done during the administrative session.

You can use the built-in auditing in Windows to track who logged into the server and the machine that they used. You will need to investigate the logging capabilities of the management tool to gain a more detailed log of a specific remote management tool. This will allow you to track detailed information like what the administrator did. Design a plan for securing the audit logs from attackers or administrators that may want to change them to cover up misdeeds. It would also be wise to have a separate auditor that would read the logs or reports from the logs about activity for remote management to detect unauthorized use.

You can use the following tools to configure Windows auditing:

  • Domain Security Policy’s Audit Policy

  • Domain Controller Security Policy’s Audit Policy

  • Local Security Policy’s Audit Policy

  • Group Policy Management

  • NTFS or Registry Property dialog boxes.

You can then view the audit log using the Event Viewer’s security log. You will need to investigate if the particular application has additional settings and tools for handling auditing.
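The audit review described above, as an added example that is not from the book: it reads a constructed export of Security log logon events and reports remote logons by accounts or from machines that are outside the remote management plan. The CSV layout, account names, and addresses are assumptions made for illustration; event ID 528 with logon type 10 is how Windows Server 2003 records a successful Remote Desktop logon, and 529 is a failed logon.

```python
import csv
import io
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample: a simplified CSV export of Security log logon events.
# The column layout, accounts and addresses are assumptions for this example.
SAMPLE_EXPORT = """\
time,event_id,logon_type,account,source_ip
2004-03-01T08:02:11,528,10,adm-jlee,10.10.50.21
2004-03-01T08:40:03,528,10,adm-jlee,192.168.7.44
2004-03-01T09:15:47,528,10,bsmith,10.10.50.22
2004-03-01T23:01:09,529,10,adm-mkhan,172.16.9.5
2004-03-01T23:01:15,529,10,adm-mkhan,172.16.9.5
2004-03-01T23:01:22,529,10,adm-mkhan,172.16.9.5
2004-03-02T07:55:30,528,2,adm-mkhan,
"""

# Hypothetical plan data: who may administer remotely, and from which subnet.
APPROVED_ADMINS = {"adm-jlee", "adm-mkhan"}
MGMT_NETWORKS = ["10.10.50.0/24"]

SUCCESS, FAILURE = "528", "529"   # Windows Server 2003 logon success / failure
REMOTE_INTERACTIVE = "10"         # logon type used by Remote Desktop sessions


def in_networks(addr, networks):
    """True if addr parses as an IP address inside one of the networks."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False  # a missing or malformed address is treated as untrusted
    return any(ip in net for net in networks)


def review_remote_logons(export_text, approved_admins, mgmt_networks,
                         max_failures=2):
    """Return a list of (time, account, source_ip, reason) findings."""
    networks = [ip_network(n) for n in mgmt_networks]
    failures = Counter()
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["logon_type"] != REMOTE_INTERACTIVE:
            continue  # console and other logon types are out of scope here
        account = row["account"].lower()
        source = row["source_ip"]
        if row["event_id"] == SUCCESS:
            # User authentication: only designated administrators.
            if account not in approved_admins:
                findings.append((row["time"], account, source,
                                 "account not approved for remote management"))
            # Machine authentication: only management workstations.
            if not in_networks(source, networks):
                findings.append((row["time"], account, source,
                                 "source is not a management workstation"))
        elif row["event_id"] == FAILURE:
            failures[(account, source)] += 1
            # Report once, when the threshold is first exceeded.
            if failures[(account, source)] == max_failures + 1:
                findings.append((row["time"], account, source,
                                 "repeated failed remote logons"))
    return findings


if __name__ == "__main__":
    for finding in review_remote_logons(SAMPLE_EXPORT, APPROVED_ADMINS,
                                        MGMT_NETWORKS):
        print(" | ".join(finding))
```

The report covers who, from what machine, and when; what was done during the session still has to come from the management tool's own logging.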

Secondary Network

In addition to authenticating users and machines, securing the physical structure, encrypting network traffic, and auditing, you can establish a secondary network specifically designed for remote management traffic to add extra security to the remote administration. A secondary network can increase the performance, security, and availability of your remote management solution by separating the traffic for remote management to its own network, accessed using a secure router. You would be allowed to remotely administer boxes only if you had access to this network, along with having the correct user and machine credentials and user rights.

Real World Scenario: Designing for Remote Access

start example

We have two offices for our company, the corporate headquarters located in Wilmington, Delaware, and a branch office located in Philadelphia, Pennsylvania. Most of the servers are located at our corporate headquarters and are used to provide support for business applications, our website, and e-mail. Our branch location in Philadelphia contains servers that provide some backup for important systems and support that location. We also have routers, wireless access points, and phone systems at each location that need to be managed.

Our IT staff is very limited, so the convenience and productivity gains of remote management are very important to our company. This easily outweighs the security risks associated with remote management in our situation. We just could not afford to hire the people necessary for local administration, nor do we feel like going into the office on Sunday afternoon to fix an e-mail server that is not responding. We need to be able to manage the servers and devices from home or from either of the two locations. We are concerned about security because, when there is a security incident, it usually involves time to resolve and we want to keep customer information private.

We use strong passwords for administrators, strong password protocols like Kerberos and certificate-based authentication of machines, and encrypt the communications to perform remote management. We installed Windows Server 2003 on some of our key servers for out-of-band support, so if a server locks up, we can fix it remotely or provide access to the routers through the serial port with terminal emulation. We also use secure HTTP with client certificates to manage some of our devices and the services we provide. We have a patching process in place so that the servers are kept up-to-date with any security fixes that Microsoft posts.

end example

If you decide to use remote management tools, you will need to decide what means you will use to secure them, as the next Design Scenario explores.

Configuring the Network Infrastructure to Accommodate Remote Management

Configuration changes must be made to the network infrastructure to support remote administration. There are a few things to consider:

  • Types of connection

  • Changes that will need to be made to firewall configurations

  • Changes to IP packet filtering settings to support remote management

The type of connection you use will depend on which type of connection will support the remote management tool you are using. Beyond that, the type of connection you choose will determine whether you need additional security in terms of establishing a VPN connection first to encrypt the traffic that passes over the connection. Certain types of connections may also pass through a firewall.

Design Scenario: Evaluating Remote Management Security Needs

start example

Expo, Inc. is a corporation that provides party and convention planning services in North America. It has offices in 17 major cities throughout the United States. Currently, each office has its own IT administrative staff. Expo would like to consolidate their IT staff in their corporate headquarters in Los Angeles. Expo, Inc. will need to implement remote management to be able to successfully manage remote servers. Management is concerned about security issues that remote management presents.

  1. Question: What suggestions would you make to lessen threats with remote management? Answer:

    • Require encryption, like using a VPN, when using remote management tools.

    • Require a strong password policy for remote administrators.

    • Use smart cards or other means of two-factor authentication.

    • Keep the remote management tools and servers up-to-date with patching.

    • Physically secure any devices and their connections that will communicate with the serial port.

end example

If you need to manage a server through a firewall, you should verify the firewall settings to determine if the management tool can work through the firewall. If it will not, you must determine the port numbers used by the management tool. You will also need to analyze the ports required for the remote management tool and decide whether the risk of opening the ports is worth the benefits of using the management tool through the firewall. You may determine it is not, in which case you should look for an alternative tool to manage the server. You will also need to consider any IP packet filtering you may be doing on the firewall, routers, or servers.

IP packet filtering allows you to control which packets can pass through a network device. This is useful for controlling the applications that can communicate with the server or through a router or firewall. You might need to reconfigure these settings for the remote management tool to work properly.
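One way to carry out the port analysis described above, as an added example that is not from the book: it evaluates a first-match packet filter against the management tools a plan relies on and reports tools that are blocked, tools that send cleartext, and tools reachable from outside the management network. The rule format, the addresses, and the assumption that each tool listens on its default port (Remote Desktop 3389, Telnet 23, SSH 22, HTTPS 443) are illustrative.

```python
from ipaddress import ip_address, ip_network

# Tools from a hypothetical plan, assumed to listen on their default ports.
# "encrypted" records whether the protocol protects its own traffic.
TOOLS = {
    "Remote Desktop for Administration": {"port": 3389, "encrypted": True},
    "Telnet": {"port": 23, "encrypted": False},
    "SSH": {"port": 22, "encrypted": True},
    "Web interface over SSL": {"port": 443, "encrypted": True},
}

# Constructed packet filter: (action, source network, destination port).
# A port of None matches any port. Rules are evaluated top to bottom.
RULES = [
    ("allow", "10.10.50.0/24", 3389),
    ("allow", "0.0.0.0/0", 23),
    ("allow", "10.10.50.0/24", 22),
    ("deny", "0.0.0.0/0", None),
]

MGMT_HOST = "10.10.50.21"     # a management workstation (constructed)
OUTSIDE_HOST = "203.0.113.9"  # any host outside the management network


def decide(rules, src, port):
    """First matching rule wins; traffic that matches no rule is denied."""
    addr = ip_address(src)
    for action, network, rule_port in rules:
        if addr in ip_network(network) and rule_port in (None, port):
            return action
    return "deny"


def review_plan(rules, tools, mgmt_host, outside_host):
    """Return {tool: [issues]} for every tool that has at least one issue."""
    report = {}
    for name, tool in tools.items():
        issues = []
        if decide(rules, mgmt_host, tool["port"]) != "allow":
            # The tool cannot work through the filter as configured.
            issues.append("blocked from the management workstation")
        elif not tool["encrypted"]:
            # The tool works, but its traffic needs protection from elsewhere.
            issues.append("cleartext protocol: require IPSec or a VPN")
        if decide(rules, outside_host, tool["port"]) == "allow":
            # The port is open to machines that are not management hosts.
            issues.append("reachable from outside the management network")
        if issues:
            report[name] = issues
    return report


if __name__ == "__main__":
    for tool, issues in review_plan(RULES, TOOLS, MGMT_HOST,
                                    OUTSIDE_HOST).items():
        print(f"{tool}: {'; '.join(issues)}")
```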

Planning Remote Management Deployment

After you have designed security for remote management, you should test the design in a lab setting that simulates your production environment. You will need to verify that your configuration is secure and meets the organization’s needs for remote management. You should also verify network connectivity, hardware and software configurations, and the security settings of your servers for remote administration.

You will need to verify that you can connect to network resources for the required remote management tools. The following is a list of some of the things you should configure and test according to your design:

  • Configure and test a secondary network for remote management if your design calls for it for availability or security purposes.

  • Configure and test the dial-up settings over a VPN connection if you plan to support secure remote management through dial-up.

  • Configure and test the firewall settings if you will use remote management tools through the firewall.

  • Configure and test the IP packet filter settings if you have configured the servers or routers to filter for specific applications.

  • Configure and test the IPSec and SSL settings to the servers if you plan to use IPSec or SSL to encrypt remote management traffic. Verify that the traffic is encrypted through a network monitoring utility.

Verify the hardware and software configurations in your design, particularly your out-of-band hardware configuration and your auditing settings. The following is a list of some of the items that you will need to do:

  • Verify out-of-band remote management configuration and hardware settings.

  • Install and test Emergency Management Services.

  • Configure auditing and verify that it collects the information that you need.

  • Verify any additional software or hardware settings that your design calls for.

  • Verify that you can accomplish your remote management needs through the chosen tools.

You will need to verify the security settings that you have configured for remote administration. You should verify the following settings for your remote management configuration if they are applicable:

  • Verify the authentication protocols used to access the server remotely.

  • Verify that physical security is adequate for the servers and out-of-band remote management components.

  • Verify that the proper encryption protocols are being used with your design.

  • Verify any Group Policy settings that you are using to manage the security settings of your servers, including control of remote management.

  • Verify that the security groups and user rights assigned to perform administration of servers only perform the proper remote management tasks.

  • Verify the shared folder and NTFS permissions for your remote management plan.

In the next Design Scenario, you will decide what remote management tool would be beneficial and what risks it poses for the network.

Design Scenario: Risks of Managing Networks

start example

Expo, Inc. is a corporation that provides party and convention planning services. It has offices in 17 major cities throughout the United States. Currently, administration staff is at each location to manage the servers located there.

Expo, Inc. would like to save money by centralizing most of the administrative functions at its corporate headquarters in Los Angeles. The company wants to be able to use local contractors on an as-needed basis to manage the hardware locally. Contractors can take up to 24 hours to respond to an unscheduled incident based on the contract, so the company is looking for a solution that will minimize the unscheduled use of contractors.

Expo, Inc. will be using the Internet as the network between its locations. There is concern about using the Internet to manage the servers and devices at its other locations without local access to the servers.

  1. Question: What remote management options would work best for Expo, Inc.? Answer:

    Expo would want to provide an in-band management option like Remote Desktop for Administration to manage the remote networks. The in-band remote management option should include the ability to encrypt the communication with the server and should support strong authentication mechanisms for remote administrators. Expo would also want to provide an out-of-band remote administration option to reduce the dependence on contractors when the server is not responding to in-band remote management tools, such as when it is hung. That way, it will only need to use contractors to install and maintain the server hardware.

end example






MCSE. Windows Server 2003 Network Security Design Study Guide Exam 70-298
MCSE: Windows(r) Server 2003 Network Security Design Study Guide (70-298)
ISBN: 0782143296
EAN: 2147483647
Year: 2004
Pages: 168
