As the adage goes, "fail to plan, plan to fail." Nowhere does this expression ring more true than when you are dealing with network security and change and configuration management. By now, you've undoubtedly performed quite a bit of work on your network in an attempt to increase its security. But you need to ask two questions at this point:
Although the topics of monitoring and change and configuration management are extensive, we briefly examine both of them here.

Planning for Security Monitoring
Your network is now complete. You've rolled out all your servers and clients, network links are 100% available, and all Group Policy Objects are working properly. Your network is in a Utopian state, or is it? How would you know if things weren't really as good deep down as they appear to be on the surface? If you can't see any problems, does that mean that they do not exist? Unfortunately, no. You need to include in your administrative plan for the network a strategy to perform routine, regular security monitoring of all parts of the network, from the highest-profile server to the seemingly least important client workstation sitting in the lobby kiosk. But how will you go about monitoring security? It can be a big job that only increases exponentially as the number of computers on the network increases. Although you can use (and may want to at a later time) many good third-party products to centrally monitor security for your network, you can do a fair bit of monitoring yourself using only the tools provided within Windows or made available as an add-on download by Microsoft.

First and foremost, before you even start to monitor security, you should strive to always enforce the principle of least privilege for your users. This principle dictates that users are given only the minimum privileges required to perform the specific set of tasks that they have been assigned. If you use the principle of least privilege, a compromised user account has a smaller impact on the overall security of the network than if you were to blanket-assign to users permissions that they did not need. Ideally, all normal user operations should be carried out in the context of a User account. If additional privileges are required for a specific reason, the administrator can either log in to the network with a special account for the purpose of performing those actions or use the Run As command to perform those actions within the context of the account that has the additional privileges.
After you have completely implemented the principle of least privilege, the task of monitoring network security will be greatly simplified because you can more easily determine what types of events are normal and what types of events are abnormal, indicating a possible security flaw or breach in your network. The first part of your security monitoring plan should be to implement a well-thought-out and carefully configured auditing program. Windows Server 2003 allows you to perform auditing of the following areas:
EXAM TIP: Auditing options. You must have a good understanding of these auditing options and the ways they can be used to accomplish the auditing goals set forth. Auditing is configured through Group Policy and is discussed in more detail in MCSA/MCSE 70-291 Training Guide: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure (2003, Que Publishing; ISBN: 0789729482) by Dave Bixler and Will Schmied because Exam 70-291 covers auditing in detail.

The second part of your security monitoring plan should be to collect, filter, and examine the event logs for all network computers in a centralized location. Several third-party applications provide this type of utility, often with many other nice features as well, but you can get good results by using the EventCombMT or DumpEL utilities. You can download EventCombMT from www.microsoft.com/technet/security/prodtech/windows/secwin2k/. Although these two tools are part of the Securing Windows 2000 Server Guide, they are still valid tools that you should have in your toolbox. Figure 8.33 shows the EventCombMT utility after the completion of a log-gathering session. Note that text files are created with the output results in tab-delimited format.

Figure 8.33. The EventCombMT utility provides a quick, easy, and free method to gather event logs from the network.
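To show what the "collect, filter, and examine" step looks like once EventCombMT (or DumpEL, whose tab-separated output has a similar one-event-per-line shape) has written its text files, here is an added example in Python. It is not from the book or from Microsoft's tools. The column names, the sample records, the event-ID set, and the "five failures in ten minutes" threshold are assumptions constructed for illustration; a real export's column layout should be taken from the file's own header row, which is why the parser looks fields up by name rather than by position.

```python
"""Summarize logon failures from a tab-delimited event-log export.

Constructed example: the column layout below is an assumption, not a
documented EventCombMT or DumpEL format. Both tools write one event per
line with tab-separated fields, so the parser reads a header row and
resolves fields by column name.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Logon-failure event IDs in the Windows 2000/2003 security log (pre-Vista
# numbering; event 4625 is the Vista-and-later equivalent).
FAILED_LOGON_IDS = {529, 530, 531, 532, 533, 534, 535, 536, 537, 539}

# Constructed sample export. The header row names the assumed columns; one
# truncated record is included to show how malformed lines are handled.
SAMPLE_EXPORT = """\
Server\tLog\tTime\tSource\tEventID\tType\tUser\tDescription
DC1\tSecurity\t2004-03-02 08:00:05\tSecurity\t528\tSuccess Audit\tCORP\\jsmith\tSuccessful Logon
DC1\tSecurity\t2004-03-02 08:01:10\tSecurity\t529\tFailure Audit\tCORP\\jsmith\tLogon Failure: bad password
KIOSK01\tSecurity\t2004-03-02 08:05:00\tSecurity\t529\tFailure Audit\tKIOSK01\\Administrator\tLogon Failure: bad password
KIOSK01\tSecurity\t2004-03-02 08:05:20\tSecurity\t529\tFailure Audit\tKIOSK01\\Administrator\tLogon Failure: bad password
KIOSK01\tSecurity\t2004-03-02 08:05:41\tSecurity\t529\tFailure Audit\tKIOSK01\\Administrator\tLogon Failure: bad password
KIOSK01\tSecurity\t2004-03-02 08:06:03\tSecurity\t529\tFailure Audit\tKIOSK01\\Administrator\tLogon Failure: bad password
KIOSK01\tSecurity\t2004-03-02 08:06:30\tSecurity\t529\tFailure Audit\tKIOSK01\\Administrator\tLogon Failure: bad password
KIOSK01\tSecurity\t2004-03-02 08:06:31\tSecurity\t539\tFailure Audit\tKIOSK01\\Administrator\tLogon Failure: account locked out
KIOSK01\tSecurity\t(truncated record)
FS1\tSecurity\t2004-03-02 09:15:00\tSecurity\t529\tFailure Audit\tCORP\\mlee\tLogon Failure: bad password
"""


def parse_export(text):
    """Return (events, malformed_lines). Each event is a dict keyed by the
    header names, with EventID as int and Time as datetime."""
    lines = text.splitlines()
    header = lines[0].split("\t")
    events, malformed = [], []
    for line in lines[1:]:
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != len(header):
            malformed.append(line)          # wrong field count: keep for review
            continue
        rec = dict(zip(header, fields))
        try:
            rec["EventID"] = int(rec["EventID"])
            rec["Time"] = datetime.strptime(rec["Time"], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            malformed.append(line)          # unparseable ID or timestamp
            continue
        events.append(rec)
    return events, malformed


def failed_logons_by_user(events):
    """Count logon-failure events per account across all collected logs."""
    return Counter(e["User"] for e in events if e["EventID"] in FAILED_LOGON_IDS)


def flag_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Flag accounts with at least `threshold` failures inside any sliding
    `window`. Thresholds are assumptions; tune them to the site's baseline."""
    by_user = defaultdict(list)
    for e in events:
        if e["EventID"] in FAILED_LOGON_IDS:
            by_user[e["User"]].append(e["Time"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):         # two-pointer sliding window
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    evts, bad = parse_export(SAMPLE_EXPORT)
    print(f"{len(evts)} events parsed, {len(bad)} malformed line(s) skipped")
    for user, n in failed_logons_by_user(evts).most_common():
        print(f"{n:4d}  {user}")
    for user, n in flag_bursts(evts).items():
        print(f"ALERT: {user} had {n} logon failures within 10 minutes")
```

Run as-is it prints the per-account failure totals and one alert for the kiosk Administrator account; point `parse_export` at a real export file and feed the flagged accounts into whatever ticketing or review process the change-control policy prescribes.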
You also may want to use the DumpEL (Dump Event Log) utility, which is run from the command line and can be scripted for greater power. DumpEL provides the same basic functionality as EventCombMT, but from the command line. The best way to find DumpEL is to search for it at the Microsoft Downloads Center, located at www.microsoft.com/downloads/. If you want to enter the URL, it is www.microsoft.com/downloads/details.aspx?FamilyID=c9c31b3d-c3a9-4a73-86a3-630a3c475c1a&DisplayLang=en.

Planning for Change and Configuration Management
In today's networking environment, it's fair to say that you can no longer just go off and make changes to the configuration of the network or its computers without having documentation in hand. This documentation, more often than not, is two-fold: One set of documents details exactly what you are going to be doing and how you will back out of it should problems arise. You will create the second set of documentation as you work, documenting the new configuration that you have set in place. The first document (the one outlining exactly what will be done, how it will be done, and what will happen should things not work out correctly) is in itself derived from yet another document: the change and configuration management policy for your network. You use the change and configuration management policy document to create all future plans for making security and configuration changes on your network. The key point that you must realize, and make all members of your organization realize, is that even the smallest change to the network can turn out to be the largest security problem you've ever seen. A good example would be a (routine) routing table change that causes PPTP traffic to take the tunnel in one direction and the regular IP subnet on the return path, so that only one half of the conversation is encrypted. As you can see from this simple example, even the smallest, most routine administrative tasks can have a large impact on the security and functionality of your network. Thus, you must implement a change and control policy that will be used when making any change to the network, whether or not the change appears to be security-related! Such a policy should require, at a minimum, the following steps:
EXAM TIP: Take control. For more information about security monitoring and change and control policies, be sure to see TICSA Training Guide by Mike Chapple, Debra Littlejohn Shinder, and Shawn Porter (2002, Que Publishing; ISBN: 0789727838).

As you can see, this process can become lengthy and time-consuming, but no amount of planning is ever wasted. Fortunately, you do not have to reinvent the wheel to implement a good change and configuration control plan; you can find many high-quality resources both in print and on the Internet. Some of the more useful ones on the Internet include