Planning a Security Framework


As the adage goes, "fail to plan, plan to fail." Nowhere does this expression ring more true than when you are dealing with network security and change and configuration management. By now, you've undoubtedly performed quite a bit of work on your network in an attempt to increase its security. But you need to ask two questions at this point:

  1. How will you verify that your security implementation is or is not functioning as desired?

  2. How will you ensure that the security of your network is not reduced or compromised through changes made to the network?

Although the topics of monitoring and change and configuration management are extensive, we briefly examine both of them here.

Planning for Security Monitoring

Plan a framework for planning and implementing security.

  • Plan for security monitoring.

Your network is now complete. You've rolled out all your servers and clients, network links are 100% available, and all Group Policy Objects are working properly. Your network is in a Utopian state, or is it? How would you know if things weren't really as good deep down as they appear to be on the surface? If you can't see any problems, does that mean that they do not exist? Unfortunately, no.

You need to include in your administrative plan for the network a strategy to perform routine, regular security monitoring of all parts of the network, from the most high-profile server to the seemingly least important client workstation sitting in the lobby kiosk. But how will you go about monitoring security? It can be a big job that only increases exponentially as the number of computers on the network increases. Although you can use (and may want to at a later time) many good third-party products to centrally monitor security for your network, you can do a fair bit of monitoring yourself using only the tools provided within Windows or made available as an add-on download by Microsoft.

First and foremost, before you even start to monitor security, you should strive to always enforce the principle of least privilege for your users. This principle dictates that users are given only the minimum privileges required to perform the specific set of tasks that they have been assigned.

If you use the principle of least privilege, a compromised user account has a smaller impact on the overall security of the network than if you were to blanket-assign to users permissions that they did not need. Ideally, all normal user operations should be carried out in the context of a User account. If additional privileges are required for a specific reason, the administrator can either log in to the network with a special account for the purpose of performing those actions or use the Run As command to perform those actions within the context of the account that has the additional privileges.

After you have completely implemented the principle of least privilege, the task of monitoring network security will be greatly simplified because you can more easily determine what types of events are normal and what types of events are abnormal, indicating a possible security flaw or breach in your network.

The first part of your security monitoring plan should be to implement a well-thought-out and carefully configured auditing program. Windows Server 2003 allows you to perform auditing of the following areas:

  • Audit Account Logon Events This option configures auditing to occur for user logons and logoffs. A success audit generates an audit entry when a user successfully logs in, and a failure audit generates an entry when a user unsuccessfully attempts to log in.

  • Audit Account Management This option configures auditing to occur for each event of account management on a computer. Typical account management events include creating a user, creating a group, renaming a user, disabling a user account, and setting or changing a password. A success audit generates an audit entry when any account management event is successful, and a failure audit generates an entry when any account management event fails.

  • Audit Directory Service Access This option configures auditing to occur when a user accesses an Active Directory object that has its own system access control list (SACL). This setting is only for Active Directory objects, such as GPOs, not for file system and Registry objects. A success audit generates an audit entry when a user successfully accesses an Active Directory object that has an SACL specified, and a failure audit generates an entry when an unsuccessful access attempt occurs.

  • Audit Logon Events This option configures auditing to occur upon each instance of a user logging on to or off a computer. The audit events are generated on domain controllers for domain account activity and on local computers for local account activity. When both the Audit Logon Events and the Audit Account Logon Events options are configured, logons and logoffs that use a domain account generate logon or logoff audit events on the local computer as well as the domain controller. A success audit generates an audit entry when a logon attempt succeeds, and a failure audit generates an audit entry when a logon attempt fails.

  • Audit Object Access This option configures auditing to occur upon each user access of an object, such as a file, folder, printer, or Registry key that has its own SACL configured. To configure auditing for object access, you also need to configure auditing specifically on each object for which you want to perform auditing. A success audit generates an audit entry when a user successfully accesses an object, and a failure audit generates an audit entry when a user unsuccessfully attempts to access an object.

  • Audit Policy Change This option configures auditing to occur upon every occurrence of changing user rights assignment policies, audit policies, or trust policies. A success audit generates an audit entry when a change to one of these policies is successful, and a failure audit generates an audit entry when a change to one of these policies fails.

  • Audit Privilege Use This option configures auditing to occur upon every occurrence of a user exercising a user right. A success audit generates an audit entry when the exercise of a user right succeeds, and a failure audit generates an audit entry when the exercise of a user right fails.

  • Audit Process Tracking This option configures auditing to occur for events such as program activation, process exit, handle duplication, and indirect object access. A success audit generates an audit entry when the process being tracked succeeds, and a failure audit generates an audit entry when the process being tracked fails.

  • Audit System Events This option configures auditing to occur when certain system events occur such as computer restarts and shutdowns. A success audit generates an audit entry when a system event is executed successfully, and a failure audit generates an audit entry when a system event is attempted unsuccessfully.

EXAM TIP

Auditing options You must have a good understanding of these auditing options and the ways they can be used to accomplish the auditing goals set forth.


Auditing is configured through Group Policy and is discussed in more detail in MCSA/MCSE 70-291 Training Guide: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure (2003, Que Publishing; ISBN: 0789729482) by Dave Bixler and Will Schmied because Exam 70-291 covers auditing in detail.
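Whether the policy actually took effect on a given server is a separate question from how it was set. The following script is an added example (not from the book or from Microsoft) that exports the effective local policy with secedit and compares the nine audit categories against a baseline you define; it assumes PowerShell 2.0 or later and that secedit writes the exported template as Unicode text. The baseline values are constructed and should be tuned to your own policy.

```powershell
# Security template values in [Event Audit]:
# 0 = No auditing, 1 = Success, 2 = Failure, 3 = Success and Failure
$Baseline = @{
    'AuditAccountLogon'    = 3   # Audit Account Logon Events
    'AuditAccountManage'   = 3   # Audit Account Management
    'AuditDSAccess'        = 2   # Audit Directory Service Access
    'AuditLogonEvents'     = 3   # Audit Logon Events
    'AuditObjectAccess'    = 2   # Audit Object Access
    'AuditPolicyChange'    = 3   # Audit Policy Change
    'AuditPrivilegeUse'    = 2   # Audit Privilege Use
    'AuditProcessTracking' = 0   # Audit Process Tracking (noisy; off in this baseline)
    'AuditSystemEvents'    = 3   # Audit System Events
}
$Names = @{ 0 = 'No auditing'; 1 = 'Success'; 2 = 'Failure'; 3 = 'Success, Failure' }

# Export only the security policy area, which includes the [Event Audit] section
$Export = Join-Path $env:TEMP 'audit-export.inf'
secedit /export /cfg $Export /areas SECURITYPOLICY /quiet | Out-Null

# Parse "Key = Value" lines under [Event Audit] into a hashtable
# (assumption: secedit writes the file as UTF-16, hence -Encoding Unicode)
$Current = @{}
$InSection = $false
foreach ($Line in (Get-Content -Path $Export -Encoding Unicode)) {
    if ($Line -match '^\[(.+)\]') { $InSection = ($Matches[1] -eq 'Event Audit'); continue }
    if ($InSection -and $Line -match '^\s*(Audit\w+)\s*=\s*(\d+)') {
        $Current[$Matches[1]] = [int]$Matches[2]
    }
}

# Report drift: every category whose effective value differs from the baseline.
# A category missing from the export is treated as "No auditing".
$Drift = foreach ($Key in ($Baseline.Keys | Sort-Object)) {
    $Actual = if ($Current.ContainsKey($Key)) { $Current[$Key] } else { 0 }
    if ($Actual -ne $Baseline[$Key]) {
        New-Object PSObject -Property @{
            Category = $Key
            Expected = $Names[$Baseline[$Key]]
            Actual   = $Names[$Actual]
        }
    }
}
if ($Drift) { $Drift | Format-Table Category, Expected, Actual -AutoSize }
else        { 'Audit policy matches baseline.' }
Remove-Item $Export -ErrorAction SilentlyContinue
```

Run it on each server after a Group Policy refresh; a non-empty drift table is itself an event worth investigating, because audit policy should change only through your change-control process.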

The second part of your security monitoring plan should be to collect, filter, and examine the event logs for all network computers in a centralized location. Several third-party applications provide this type of utility, often with many other nice features as well, but you can get good results by using the EventCombMT or DumpEL utilities. You can download EventCombMT from www.microsoft.com/technet/security/prodtech/windows/secwin2k/. Although these two tools are part of the Securing Windows 2000 Server Guide, they are still valid tools that you should have in your toolbox. Figure 8.33 shows the EventCombMT utility after the completion of a log gathering session. Note that text files are created with the output results in tab-delimited format.

Figure 8.33. The EventCombMT utility provides a quick, easy, and free method to gather event logs from the network.

You also may want to use the DumpEL (Dump Event Log) utility, which is run from the command line and can be scripted for greater power. DumpEL provides the same basic functionality as EventCombMT, but from the command line. The best way to find DumpEL is to search for it at the Microsoft Downloads Center, located at www.microsoft.com/downloads/. If you want to enter the URL, it is www.microsoft.com/downloads/details.aspx?FamilyID=c9c31b3d-c3a9-4a73-86a3-630a3c475c1a&DisplayLang=en.
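As an added example (not the book's code and not part of EventCombMT or DumpEL), the script below performs the same collect-filter-examine cycle with only what Windows provides: it pulls the last 24 hours of the Security log from a list of computers, stores the raw records tab-delimited like the EventCombMT output, and summarises failed logons per account. It assumes PowerShell 2.0 or later on the collecting workstation, rights to read remote event logs, and the Windows Server 2003 event IDs (529 = logon failure, bad user name or password; 644 = account locked out); the computer names are constructed.

```powershell
$Computers = @('DC01', 'FS01', 'KIOSK01')   # constructed example names
$Since     = (Get-Date).AddHours(-24)
$OutFile   = Join-Path $env:TEMP 'security-events.tsv'

# Collect: one failed computer must not abort the whole run
$Events = foreach ($Computer in $Computers) {
    try {
        Get-EventLog -LogName Security -ComputerName $Computer -After $Since -ErrorAction Stop
    } catch {
        Write-Warning "Could not read Security log on ${Computer}: $($_.Exception.Message)"
    }
}

# Keep the raw records in tab-delimited form for later examination
$Events |
    Select-Object MachineName, TimeGenerated, EntryType, InstanceId, UserName, Message |
    Export-Csv -Path $OutFile -Delimiter "`t" -NoTypeInformation -Encoding UTF8

# Filter: event 529 carries the attempted account in its "User Name:" line
$Failed = $Events | Where-Object { $_.InstanceId -eq 529 }
$ByAccount = $Failed | ForEach-Object {
    if ($_.Message -match 'User Name:\s+(\S+)') { $Matches[1] } else { '<unparsed>' }
} | Group-Object | Sort-Object Count -Descending

# Examine: accounts with repeated failures, plus any lockouts (644)
$Threshold = 5
"Failed logons in the last 24h: $(@($Failed).Count) across $($Computers.Count) computers"
$ByAccount | Where-Object { $_.Count -ge $Threshold } |
    Format-Table @{ n = 'Account'; e = { $_.Name } }, Count -AutoSize
$Events | Where-Object { $_.InstanceId -eq 644 } |
    Select-Object MachineName, TimeGenerated, Message | Format-List
"Raw records written to $OutFile"
```

With least privilege in place, the account list above is short and the names on it are expected; an unfamiliar account or a kiosk machine generating failures is exactly the abnormal event this section tells you to look for.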

Planning for Change and Configuration Management

Plan a framework for planning and implementing security.

  • Plan a change and configuration management framework for security.

In today's networking environment, it's fair to say that you can no longer just go off and make changes to the configuration of the network or its computers without having documentation in hand. This documentation, more often than not, is two-fold: One set of documents details exactly what you are going to be doing and how you will back out of it should problems arise. You will create the second set of documentation as you work, documenting the new configuration that you have set in place.

The first document, the one outlining exactly what will be done, how it will be done, and what will happen should things not work out correctly, is in itself derived from yet another document: the change and configuration management policy for your network. You use the change and configuration management policy document to create all future plans for making security and configuration changes on your network. The key point that you must realize, and make all members of your organization realize, is that even the smallest change to the network can turn out to be the largest security problem you've ever seen. A good example would be a (routine) routing table change that causes PPTP traffic to take the tunnel in one direction and the regular IP subnet on the return path so that only one half of the conversation is encrypted.

As you can see from this simple example, even the smallest, most routine administrative tasks can have a large impact on the security and functionality of your network. Thus, you must implement a change and control policy that will be used when making any change to the network, whether or not the change appears to be security-related! Such a policy should require, at a minimum, the following steps:

  1. As the need for change is discovered or recognized, a pending change request is filed. Such requests are reviewed and evaluated at regular intervals.

  2. If the change request is approved during the review process, a change order is created. In addition to describing the change and its desired results, the change order may also specify staffing, budget, and schedule requirements.

  3. When the change order schedule indicates that work to incorporate the requested change is to begin, a change job or work order is enacted. Normally, such changes apply to a copy of the system being changed and do not affect changes to production environments until later in this process. The implementation group must also document its changes and file proposed changes to security policy documents at this time.

  4. During the implementation process, module and unit tests make sure the change as implemented meets the requirements of the change as specified. After the implementation team decides the change is complete, it is turned over to a test group for change testing as an external check.

  5. If the external testing group agrees that the change meets the specifications, that the change has no adverse effects on overall system behavior or capability, and that the documentation changes properly reflect resulting security policy, change enactment is authorized. Only at this point are changes introduced into a production environment, so only at this point do real, visible changes occur.

EXAM TIP

Take control For more information about security monitoring and change and control policies, be sure to see TICSA Training Guide by Mike Chapple, Debra Littlejohn Shinder, and Shawn Porter (2002, Que Publishing; ISBN: 0789727838).


As you can see, this process can become lengthy and time-consuming, but no amount of planning is ever wasted. Fortunately, you do not have to reinvent the wheel to implement a good change and configuration control plan; you can find many high-quality resources both in print and on the Internet. Some of the more useful ones on the Internet include

  • Change Management Learning Center, www.change-management.com

  • Change Management Resource Library, www.change-management.org

  • Kentucky Governor's Office for Technology, http://gotcm.ky.gov



MCSE Windows Server 2003 Network Infrastructure (Exam 70-293)
MCSE 70-293 Exam Prep: Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (2nd Edition)
ISBN: 0789736500
Year: 2003
Pages: 151
Authors: Will Schmied
