Microsoft Small Business Server 2003 Unleashed - page 78


Summary

This chapter examined several aspects of security for an SBS installation. The physical security of the server computer should not be overlooked. Keeping the server away from common areas reduces the chance of accidental disconnection or damage. Providing adequate power and temperature protection helps maintain the integrity of data on the server.

Server data is protected with a combination of NTFS and share permissions. NTFS permissions are applied to files and folders and allow users to read, write, modify, and delete files. Individual permissions can be either allowed or denied, with the Deny permission having higher precedence than the Allow permission. All files and folders lower in the directory tree inherit permissions applied to a folder, unless explicitly removed and replaced with other permissions. NTFS special permissions allow for finer control of access to file resources. File ownership is used to calculate disk space used when disk quotas are enabled. The CREATOR OWNER group permissions apply only to the owner of a file. Files and folders on the server volumes can also be encrypted so that only the user and the Administrator can view the contents.

Share permissions determine the maximum level of access that a user can have to a shared directory on the server. Users and groups can be granted the ability to read files and folders, change files and folders, or have full control over the contents of the share. When share and NTFS permissions are applied in combination, the more restrictive of the permissions is applied.
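The two paragraphs above describe the rules Windows uses to arrive at a user's effective access: NTFS Allow entries are combined, a Deny entry beats an Allow, and when a folder is reached through a share the more restrictive of the share and NTFS permissions wins. The following Python model is an added illustration (not code from the book or from Windows); the `Finance` and `Contractors` groups, the user names and the simplified right names are constructed for the example, and explicit-versus-inherited ACE ordering is deliberately left out.

```python
from dataclasses import dataclass

# Rights modelled as sets of atomic permissions (a simplification of the
# real NTFS and share permission bits).
READ = frozenset({"read"})
CHANGE = frozenset({"read", "write", "delete"})
FULL = frozenset({"read", "write", "delete", "change_permissions"})
SHARE_LEVELS = {"Read": READ, "Change": CHANGE, "Full Control": FULL}

@dataclass(frozen=True)
class Ace:
    principal: str       # user or group the entry applies to
    rights: frozenset    # atomic rights covered by the entry
    deny: bool = False   # True for a Deny entry

def ntfs_effective(aces, principals):
    """NTFS rights for a token holding `principals`: Allow entries are
    unioned, then any matching Deny entry removes its rights (Deny wins)."""
    allowed, denied = set(), set()
    for ace in aces:
        if ace.principal in principals:
            (denied if ace.deny else allowed).update(ace.rights)
    return frozenset(allowed - denied)

def effective_access(share_perms, aces, user, groups):
    """Access through a share: the intersection of the share permission and
    the NTFS permission, i.e. the more restrictive of the two."""
    principals = {user, "Everyone", *groups}
    share_rights = frozenset().union(
        *(SHARE_LEVELS[lvl] for p, lvl in share_perms.items() if p in principals))
    return ntfs_effective(aces, principals) & share_rights

# Constructed example following the book's recommended layout: Domain Users
# get Full Control on the share and NTFS does the real restriction.
FINANCE_SHARE = {"Domain Users": "Full Control"}
FINANCE_ACL = [
    Ace("Domain Users", READ),
    Ace("Finance", CHANGE),
    Ace("Contractors", frozenset({"write", "delete"}), deny=True),  # Deny entry
]

if __name__ == "__main__":
    print(effective_access(FINANCE_SHARE, FINANCE_ACL, "alice", {"Domain Users", "Finance"}))
    print(effective_access(FINANCE_SHARE, FINANCE_ACL, "bob", {"Domain Users", "Finance", "Contractors"}))
```

Running it shows that alice gets Change through the share while bob, who is also a member of the denied Contractors group, is cut back to Read even though his Finance membership would otherwise allow writes.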

Strong passwords provide another level of security for data on the server. Password policies can be put in place to ensure the continued security of passwords on the network. The password policy can control the minimum length, complexity, and age of passwords. The policy can be modified in two ways: by using the Change Password Policies Wizard or by modifying the Small Business Server Domain Password Policy group policy object directly. Unless the number of remembered passwords or the minimum password age values need to be modified, the wizard should be used to set password policy.



Best Practice Summary

  • Power protection: With the continuing drop in the price of Uninterruptible Power Supplies (UPS), there are fewer reasons not to get a large unit. Use a UPS that has a serial connection to the server and monitoring software so that the server can shut down normally in case of an extended power outage.

  • Setting NTFS permissions: Set as few permissions as possible to avoid unnecessary confusion. Apply permissions to security groups, not to individual user objects. Avoid using the Deny permission, and never apply the Deny permission to the Everyone group. Apply permissions to folders instead of files. Leave default permissions as defaults and do not modify permissions on the root of C: or the Windows directory.

  • Setting shared folder permissions: Give Domain Users Full Control permissions on shares and use NTFS permissions to restrict access. When accessing data through a share, the more restrictive of the share and NTFS permissions apply.

  • Setting password requirements: Enable password policies on the server. Encourage users not to use their SBS password for any other accounts. Set a maximum password age, but be reasonable. Get support from business management prior to implementing password policies.



Chapter 10. Workstation Security

IN THIS CHAPTER

  • Windows XP Service Pack 2

  • Local Administrator Access for Users

  • Antivirus Tools

  • Antispyware Tools

  • The Managed Network

  • Let's Not Forget About Office

  • The Educated End User and Security Review Process

  • Protecting Data from the Inside

  • Troubleshooting Workstation Security

Once upon a time, the network consultant worried most about the threat from the floppy drive. At one time all viruses and all attacks on the network, barring physical attacks, came from a worker at the office placing a disk in a drive and launching a file. At that time most viruses attached themselves to a Word file or perhaps even a boot sector. As long as the antivirus software was kept up-to-date on the workstation, you were relatively assured that you could stay one step ahead of the virus. Viruses spread through sneakernets, the slang description for a bunch of computers whose only means of transporting files was carrying a floppy disk from one computer to another. Thus, as with a viral infection in humans, physical contact was key to transmitting the computer virus in most small networks.

But as technology connects us every moment of our lives, so too has the capability for viruses to be transmitted increased. When the networks that most of us rely on were first designed, there was no need to put protections for workstations inside the office. All we needed to protect networks was a well-designed, well-defended perimeter. But then two inventions changed the way we do computing forever and changed the boundaries of our network.

The laptop and the Internet moved the boundaries of computer networks away from the ISA Server and Cisco PIX and into the homes of small businesses. They shrank the threat window from the time it took to carry infected files around on floppy disks to a world where proof-of-concept exploit code is posted on the Web within 24 hours. You must think of workstation security as protecting someone from an epidemic. What is the best protection against an infectious disease? Ensuring that you are not exposed in the first place, and obtaining inoculations when you realize you cannot remove all the risk of exposure. The computer world is no different. There are three tenets to risk management in a network:

  • Accept the risk.

  • Mitigate the risk.

  • Transfer the risk.

This chapter assumes that you have completed the process of identifying those assets in the firm you need to protect. You have identified those databases and devices that contain the data you most need to protect due to regulation or other requirements. Typically, for most firms, this is a category of data called personal identity information (PII). In the healthcare industry, this data is electronic patient healthcare information (ePHI). Both PII and ePHI carry, as their risk factor, a risk of business impact due to the required disclosure laws now on the books in many locations. Furthermore, one could argue that sitting down and making a reasonable determination of the risk factors in your network is both a good business practice to ensure that your security dollars are well spent and just good business, period. If your firm and your clientele depend on one source of data for your revenue above all other pieces of data on your network, this process will help you and your clients streamline that data and assign the proper protection.

Traditionally in risk management there is an equation that allows you to put a dollar value, and therefore a budget, in place:

ARO × SLE = ALE

You first look at the annualized rate of occurrence (ARO) for these events. What historically has been the impact of viruses? Then you determine the single loss expectancy (SLE) for the risk, which is based on the costs to clean up from the risk. Multiply the two to get the annual loss expectancy (ALE), which tells you whether it's less expensive to "clean up from the mess" or to "prevent the mess" in the first place. The amount you calculate, the dollar amount to clean up the machines, should be less than the cost of the item needed to prevent the event from occurring in the first place. If it is not, there is no question that prevention is cheaper than cleaning up.
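The budget test above, carried through on constructed figures as an added example (not from the book). The `safeguard_value` function goes one step beyond the chapter: a control such as managed antivirus usually reduces the rate of occurrence rather than eliminating it, so the standard extension compares the ALE before and after the control against its annual cost. The office size, incident costs and subscription price are assumptions made up for the illustration.

```python
def annual_loss_expectancy(aro, sle):
    """ARO: expected occurrences per year; SLE: cost of a single occurrence."""
    return aro * sle

def prevention_is_cheaper(aro, sle, annual_prevention_cost):
    """The chapter's test: when the yearly clean-up cost (ALE) exceeds the
    cost of preventing the event, prevention is the cheaper choice."""
    return annual_loss_expectancy(aro, sle) > annual_prevention_cost

def safeguard_value(aro, sle, annual_cost, residual_aro):
    """Extension (standard risk-management practice, not from the chapter):
    a control that only lowers the rate of occurrence is worth buying when
    ALE_before - ALE_after - annual cost is positive."""
    before = annual_loss_expectancy(aro, sle)
    after = annual_loss_expectancy(residual_aro, sle)
    return before - after - annual_cost

# Constructed scenario: a 10-workstation office sees a virus outbreak about
# four times a year; each one costs 10 hours of consultant time at $100/hour
# plus roughly $500 of lost staff productivity.
VIRUS_ARO = 4
VIRUS_SLE = 10 * 100 + 500      # $1,500 per incident
AV_SUBSCRIPTION = 10 * 40       # $400/year for 10 managed antivirus licences

if __name__ == "__main__":
    ale = annual_loss_expectancy(VIRUS_ARO, VIRUS_SLE)
    print(f"ALE = ${ale}; prevention cheaper: "
          f"{prevention_is_cheaper(VIRUS_ARO, VIRUS_SLE, AV_SUBSCRIPTION)}")
    # Assume the antivirus cuts outbreaks from four a year to one.
    print(f"Net value of the control: ${safeguard_value(VIRUS_ARO, VIRUS_SLE, AV_SUBSCRIPTION, residual_aro=1)}")
```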

Best Practice: Security Budget Calculation

Sit down early on with your client and determine the client's environment and level of tolerance for security issues. Setting this budget early in a proactive way will help you set forth the design goals of the network.


Although this chapter focuses on some key processes to ensure more protection of the workstations, you should always keep in mind this equation and the overall part that workstations play in the security of your network. Your best protective device may not be technology at all; it may in fact be an educated end user. Make sure that in your budget of security actions you also remember that education will go a long way toward the overall security of your network.

Network threat modeling is a relatively new concept but is key for any size firm. Understanding where your data is stored and how it flows, and the appropriate amount of resources to apply to protecting that key data, is more an art than a science.