Planning for Security




Before planning the security of a network, take a few moments to consider the following list of potential security risks relevant to the network. Then use the sections that follow to address these threats, as well as to learn what to do when the network is successfully hacked.

  • Internet hackers: All computers and devices attached directly to the Internet are subject to random attacks by hackers. According to the Cooperative Association for Internet Data Analysis (CAIDA), during a random 3-week time period in 2001 there were more than 12,000 DoS attacks: 1200–2400 were against home machines and the rest were against businesses. If your organization has a high profile, it might also be subject to targeted attack by hackers who don’t like your organization or who are engaging in corporate espionage.

    For more information about securing a network against Internet hackers, see the “Securing Internet Firewalls” section of this chapter. Also review the “Updating Windows Small Business Server” section of Chapter 6, “Completing the To Do List and Other Post-Installation Tasks.”

  • Wireless hackers and theft of service: Wireless access points are exposed to the general public looking for free Internet access (some are willing to crack WEP encryption) and to mobile hackers. To reduce this risk, refer to the “Securing Wireless Networks” section in this chapter.

  • Viruses and worms: Networks are subject to virus exposure from e-mail attachments, infected documents, and worms such as CodeRed and Blaster that automatically attack vulnerable servers (and clients that sit directly on the Internet). Look at the “Securing Client Computers” section of this chapter along with the “Updating Windows Small Business Server” section of Chapter 6 for help with this.

  • Nosy or disgruntled employees and former employees: Internal users and former users might try to attack or steal information using valid accounts. To help prevent this, refer to the “Ensuring Physical Security” section of this chapter as well as Chapter 6.

Ensuring Physical Security

Although security is not something that can be achieved in absolute terms, it should be a clearly defined goal. The most secure operating system and network in the world is defenseless against someone with physical access to a computer. Evaluate your own environment and security requirements to determine what additional steps, such as biometric or smart card controls, might be appropriate. At a minimum, you should take the following precautions (additional measures are covered in Chapter 6):

  • Place servers in a locked server room.

  • Use case locks on your servers and don’t leave the keys in them.

  • Place network hubs, routers, and switches in a locked cable room or wiring closet.

  • Install case locks on client systems or publicly accessible systems.

  • Use laptop locks when using laptops in public.

Securing Client Computers

Even a highly secure network can be quickly compromised by a poorly secured client computer—for example, a laptop running Windows 98 with sensitive data stored on the hard drive. To maximize the security of client computers, use the following guidelines (refer to Chapter 6 and Chapter 12, “Managing Computers on the Network,” for more security procedures):

  • Use a secure operating system: Use Windows 2000 Professional or Windows XP Professional on all client computers (particularly laptops).

  • Use NTFS, file permissions, and possibly EFS: Use NTFS for all hard drives, and apply appropriate file permissions so that only valid users can read sensitive data. Encrypt sensitive files on laptop computers using Encrypting File System (EFS).

  • Keep clients updated: Use the Automatic Updates feature of Windows XP and Windows 2000 Professional Service Pack 3 or later to keep client systems updated automatically, or use Windows Update. Ideally you should install Software Update Services (SUS) so that you can centrally control which updates are installed, as described in Chapter 12.

  • Use MBSA to check clients for security problems: The Microsoft Baseline Security Analyzer (MBSA) makes it easy to check all computers running Windows Server 2003 (including Windows Small Business Server 2003), Windows XP, Windows 2000, and Windows NT 4.0 for missing service packs, hot fixes, security updates, and other security problems. See Chapter 6 for more information.

  • Enable password policies: The password policies feature of Windows Small Business Server 2003 requires user passwords to meet certain complexity, length, and uniqueness requirements, ensuring that users choose passwords that aren’t trivial to crack.

    More Info 

    For more information about enabling the password policies feature during the initial Windows Small Business Server 2003 server setup process, see Chapter 6.

    Note 

    Remembering passwords has become an increasingly difficult prospect, leading to the resurgence of the yellow sticky-note method of recalling them. It’s important to discourage this practice.

  • Install antivirus software: Antivirus software should be installed on the Windows Small Business Server 2003 server as well as all clients. The best way to do this is to purchase a small-business antivirus package that includes client, server, and Exchange Server virus scanning. This package is often no more expensive than purchasing consumer antivirus software for each client, and it provides additional scanning and management capabilities. Companies that provide these solutions include Sophos (http://www.sophos.com), Symantec (http://www.symantec.com), and McAfee (http://www.mcafee.com).

  • Sign and encrypt e-mail: Companies with the need to send secure e-mail should set up users to send digitally signed and possibly encrypted e-mail. If a small number of users need this capability, purchase digital IDs from an Internet Certificate Authority such as Verisign (http://www.verisign.com) or Thawte (http://www.thawte.com). If a large number of users require this ability, consider installing Certificate Services (included in Windows Small Business Server 2003) and creating your own digital IDs.

  • Keep Web browsers secure: Web browsers often have security holes in them that allow nefarious Web sites to do such things as read the contents of the Clipboard or access files on the hard drive. To remedy this situation, keep Web browsers patched with the latest security updates, and consider testing a few clients for security issues using a free browser checkup Web site such as the one provided by Qualys at http://browsercheck.qualys.com.
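The “Enable password policies” item above describes three kinds of requirement (complexity, length, uniqueness) without showing how they are evaluated. The following is an added example, not code from the book or from Windows, that models those checks in Python the way the Windows complexity rule is commonly described: at least three of four character classes, no account name or piece of the full name inside the password, and no reuse of recent passwords (history). The thresholds (8 characters, history depth of 5) are assumptions for the example, not Windows Small Business Server 2003 defaults.

```python
"""Password policy checker modelled on Windows-style complexity, length and
history (uniqueness) requirements.  Added example; thresholds are assumed."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PasswordPolicy:
    min_length: int = 8          # assumed minimum length
    min_char_classes: int = 3    # complexity rule: 3 of the 4 character classes
    history_depth: int = 5       # "enforce password history" depth (assumed)


class PasswordHistory:
    """Salted PBKDF2 digests of a user's previous passwords, trimmed to a depth.
    Storing digests instead of the passwords keeps the history itself harmless
    if it is read by someone who should not see it."""

    def __init__(self, depth: int = 5) -> None:
        self.depth = depth
        self._entries: List[tuple] = []   # (salt, digest) pairs, oldest first

    @staticmethod
    def _digest(pw: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

    def remember(self, pw: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(pw, salt)))
        del self._entries[:-self.depth]    # keep only the newest `depth` entries

    def was_used(self, pw: str) -> bool:
        return any(hmac.compare_digest(self._digest(pw, salt), digest)
                   for salt, digest in self._entries)


def char_classes(pw: str) -> int:
    """Count how many of upper, lower, digit and symbol classes appear."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def contains_name_part(pw: str, username: str, full_name: str) -> bool:
    """True if the password contains the account name or any part of the full
    name longer than two characters (parts split on spaces, commas, etc.)."""
    low = pw.lower()
    if username and username.lower() in low:
        return True
    for part in re.split(r"[ ,.\-_#\t]+", full_name):
        if len(part) > 2 and part.lower() in low:
            return True
    return False


def check_password(pw: str, username: str, full_name: str,
                   history: PasswordHistory,
                   policy: Optional[PasswordPolicy] = None) -> List[str]:
    """Return the list of violated rules; an empty list means acceptable."""
    policy = policy or PasswordPolicy()
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if char_classes(pw) < policy.min_char_classes:
        problems.append(f"uses fewer than {policy.min_char_classes} of the 4 character classes")
    if contains_name_part(pw, username, full_name):
        problems.append("contains the user name or part of the full name")
    if history.was_used(pw):
        problems.append(f"reuses one of the last {policy.history_depth} passwords")
    return problems


if __name__ == "__main__":
    hist = PasswordHistory()                      # constructed, empty history
    for candidate in ("password", "JohnDoe#2004", "Blue$Kettle-47"):
        print(candidate, "->", check_password(candidate, "jdoe", "John Doe", hist) or "ok")
```

The history check deliberately hashes each candidate against every stored salt; with a depth of five that costs a few hundred milliseconds, which is acceptable for a password change but is why the depth is kept small.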

Securing Wireless Networks

Wireless networks using the 802.11b, 802.11a, and 802.11g standards are very convenient but also introduce significant security vulnerabilities if not properly secured. To properly secure wireless networks, follow these recommendations:

  • Enable 802.11i or WPA encryption on the access points.

  • If the access points don’t support 802.11i or WPA, either use WEP with 802.1x authentication, or place all access points in a perimeter network, with the Windows Small Business Server 2003 computer acting as a firewall between the perimeter network (and the access points) and the internal network. To reach the internal network, wireless clients must establish a secure VPN connection with the Windows Small Business Server 2003 server.

  • If you’re relying on the easily cracked WEP encryption method, change WEP keys monthly at a minimum (weekly is better).

    Note 

    WPA provides two methods of authentication: an “Enterprise” method that makes use of a RADIUS server, and a “SOHO” method known as WPA-PSK (Pre-Shared Key), which uses an 8–63 character network key, similar to WEP. Using a network key is easier to set up and provides adequate security for most small networks. Some WPA devices also provide the option of using the stronger, hardware-accelerated (and thus faster) AES encryption method used by the 802.11i standard.

  • Companies with a lot of wireless clients might want to investigate installing Internet Authentication Services (IAS) and Certificate Services on the Windows Small Business Server 2003 server and using 802.1x Authentication (using IAS as a RADIUS server). This procedure is discussed in Chapter 15.

  • Change the SSID from the default. For maximum security, pick a name that doesn’t reveal the name or location of your network.

  • Use “warchalking” symbols to notify potential wireless users that the network is closed to public users or open to the public for Internet access. To do so, type () before the SSID to indicate a closed node, or type )( to indicate an open node. For example, ()closed1 would be a good SSID for a private network.

  • Disable the ability to administer access points from across the wireless network.

  • Change the default password of all access points.
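The Note above says a WPA-PSK network key is 8–63 characters, and the list also tells you to change the SSID from its default. The two are linked: the access point does not use the typed key directly but derives the 256-bit pairwise master key from the passphrase and the SSID with PBKDF2-HMAC-SHA1 (4096 iterations), as specified in 802.11i. The following is an added example, not code from the book or from any vendor, that performs that derivation so you can see that the same passphrase yields a different key on every SSID, which is why precomputed tables for default SSIDs are a concern and a unique SSID plus a long passphrase is the mitigation. The test vector (passphrase “password”, SSID “IEEE”) is the one published in the 802.11i standard.

```python
"""WPA-PSK derivation (802.11i): PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes).
Added example; not from the book."""
import hashlib


def wpa_psk(passphrase: str, ssid: str) -> str:
    """Return the 64-hex-character pre-shared key for this passphrase and SSID.
    Enforces the 8–63 character passphrase limit from the WPA specification
    and the 32-byte SSID limit from 802.11."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrase must be 8 to 63 characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid_bytes, 4096, 32)
    return key.hex()


def ssid_changes_key(passphrase: str, default_ssid: str, new_ssid: str) -> bool:
    """Show the effect of renaming the SSID: with the passphrase held constant,
    the derived key changes, so a key table built for the default SSID is
    useless against the renamed network."""
    return wpa_psk(passphrase, default_ssid) != wpa_psk(passphrase, new_ssid)


if __name__ == "__main__":
    # Constructed sample values: a typical default SSID and a renamed one
    print(wpa_psk("password", "IEEE"))          # 802.11i published test vector
    print(ssid_changes_key("correct horse battery", "linksys", "()closed1"))
```

The warchalking prefix recommended above (for example `()closed1`) is part of the SSID string and therefore part of the PBKDF2 salt, so adopting it also changes the derived key; clients must be reconfigured with the new SSID even though the passphrase is unchanged.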

Securing Internet Firewalls

Most external firewall devices are secure by default, but you can take some additional steps to maximize the security of a firewall:

  • Disable remote administration, or limit it to responding to a single IP address (that of your network consultant).

  • Disable the firewall from responding to Internet pings.

  • Enable Stateful Packet Inspection (SPI) and protection from specific attacks such as the Ping of Death, Smurf, and IP Spoofing.

  • Change the default password for the firewall device.

  • Leave all ports on the firewall closed except those needed by the Windows Small Business Server 2003 server. Alternatively, enable UPnP so that Windows Small Business Server 2003 can automatically configure ports as needed.

  • Check for open ports using the free Shields Up and Port Scan services at http://grc.com.

  • Keep the firewall updated with the latest firmware versions, available for download from the manufacturer’s Web site.
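Several of the firewall items above (limit remote administration to one address, stop answering Internet pings, leave every port closed except those the server needs) are rules you can audit mechanically against an exported rule table. The following is an added example, not code from the book or from any firewall vendor: it runs those three checks over a small constructed ruleset. The allowlist of required ports, the rule names and the consultant’s address (a documentation-range address) are assumptions for the example; substitute the ports your own Windows Small Business Server 2003 installation actually publishes.

```python
"""Audit a firewall rule table against the recommendations above.
Added example with a constructed ruleset; port allowlist and addresses are assumed."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str              # "tcp", "udp", "icmp" or "any"
    port: Optional[int]     # destination port; None for icmp / any
    source: str             # "any" or a single address
    action: str             # "allow" or "deny"


# Constructed sample export of a small-office firewall (not a real device's output)
RULES = [
    Rule("smtp-in", "tcp", 25, "any", "allow"),
    Rule("https-in", "tcp", 443, "any", "allow"),
    Rule("remote-admin", "tcp", 8080, "any", "allow"),   # should be one address
    Rule("old-ftp", "tcp", 21, "any", "allow"),          # nobody needs this any more
    Rule("icmp-echo", "icmp", None, "any", "allow"),     # answers Internet pings
    Rule("default-deny", "any", None, "any", "deny"),
]

# Assumed allowlist: ports the server is expected to publish in this example
REQUIRED_PORTS: Set[Tuple[str, int]] = {("tcp", 25), ("tcp", 443)}
ADMIN_RULES = {"remote-admin"}
CONSULTANT_IP = "198.51.100.10"   # constructed; TEST-NET-2 documentation range


def audit(rules: Iterable[Rule], required_ports: Set[Tuple[str, int]],
          admin_rules: Set[str], allowed_admin_source: str) -> List[str]:
    """Return one finding per rule that violates a recommendation.
    Deny rules are never findings; only what is allowed in matters."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.proto == "icmp":
            findings.append(f"{r.name}: firewall answers ICMP echo from {r.source}; disable ping responses")
        elif r.name in admin_rules:
            if r.source != allowed_admin_source:
                findings.append(f"{r.name}: remote administration open to {r.source}; "
                                f"restrict to {allowed_admin_source} or disable")
        elif (r.proto, r.port) not in required_ports:
            findings.append(f"{r.name}: {r.proto}/{r.port} is open but not required by the server; close it")
    return findings


if __name__ == "__main__":
    for line in audit(RULES, REQUIRED_PORTS, ADMIN_RULES, CONSULTANT_IP):
        print(line)
```

Run this after every firmware update as well, since some devices reset rules to factory defaults when they are reflashed; a clean run is the state you want to confirm before reconnecting the device to the Internet.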




Microsoft Windows Small Business Server 2003 Administrator's Companion
ISBN: 0735620202
Year: 2004
Pages: 224
