Security Framework


A security framework is a set of controls that is used to limit exposure to vulnerabilities and threats. As a result, controls also enforce an organization's security policies and reduce the risk to which an organization is exposed. Although a wide range of potential controls can be implemented within a security framework, all controls are generally classified either as administrative, physical, or technical controls.

When choosing to implement a control, the following items should be considered:

  • Controls should be implemented as a response to risk.

  • Controls should be implemented at multiple levels throughout an organization. This is the practice of defense-in-depth (DID).

  • Controls should be monitored, reviewed, and audited to verify effectiveness.

  • A control can never completely eliminate risk. In relation, there is a fine line between an effective control and usability. A balance must be struck that addresses both risk and usability.

Administrative Controls

Administrative controls can be security policies or items such as standards, guidelines, procedures, checklists, and executive enforcement statements that set a clear directive for individuals to follow to ensure security. Because these controls interact directly with individuals, they tend to be scrutinized more rigorously than other controls. In addition, administrative controls are the foundations from which technical and physical controls are implemented and managed.

Although administrative controls contain many different important aspects, all organizations need to address four areas within their administrative controls: educating individuals about the organization's security policies, enforcing those policies, and applying form-based controls both to employees in general and to IT staff.

Educating the Organization

To comply with security policies that are in effect, users need to know what those security policies are, the consequences of breaking those policies (for example, a warning letter and then termination), and most importantly, how breaking a security policy affects the organization, department, and individual.

Educating users on the organization's security policies can take many forms, including but not limited to the following:

  • New employee orientation

  • Security handbook

  • Training sessions

  • Banner notification (a basic form of awareness)

  • Bulletins in Exchange Server public folders

Two important points to consider when training users are that simply handing them information is not an effective means of education, and that security policy education should be addressed continually. In other words, you should provide various forms of security policy education and do so on a periodic basis.

Policy Enforcement

Policy enforcement can be a tricky matter and, although enforcement may not be the most enjoyable aspect of security policies, it is a necessity. If you do not enforce the policies and the corresponding consequences, they are essentially ineffective.

This means that if consequences are defined, it is the information security department's job to provide information about compliance with a policy to ensure the enforcement of security standards. It is not, however, the job of the information security department to enact the consequences that are defined within a policy. The job of enforcement should fall squarely within the realm of the human resources department, with support from upper management.

Therefore, enforcement must be tailored to the security policy rather than the individual. For instance, after setting a specific consequence such as termination for revealing to the public confidential information on a new product or service, following through with termination for a developer but not a management-level person can have grave consequences for the security policies and the organization.

Employee Forms

There are countless forms relating to an organization's security and corresponding policies. A few of these forms that should be signed prior to employment or as a mandatory procedure for existing employees are listed here:

  • Confidentiality agreement

  • Identification (such as badges, key cards, and usernames and passwords)

  • Software license agreement (such as policies on copying company software or installing unapproved software on the network)

After your organization creates employee security policy forms, it is recommended that you seek legal counsel to review these documents. Doing so helps to keep the documents in good standing.

IT Personnel Forms

In addition to the employee forms that apply to all employees, IT personnel should be required to sign additional forms to protect the network environment. These forms can include

  • Incident reporting policies and high-level procedures

  • Privacy agreements pertaining to the way systems are administered or operated

  • Additional integrity and ethics agreements in regard to system usage, disclosure of sensitive or confidential information, and more

Physical Controls

Physical controls relate to how the organization is physically protected from intrusion. Locking mechanisms (both external and internal), video surveillance, facility-access controls such as electronic or smartcard mechanisms, and perimeter boundaries (such as fences and gates) are all examples of how the organization can be protected. Simply documenting what is and is not in place is effectively an internal security audit, and audits often strengthen security policies and practices.

Note

Internal security audits for all areas of the network help to define and strengthen security policies and practices. However, a third-party security expert or firm should periodically perform security audits on your infrastructure to ensure maximum security.


Technical Controls

Technical controls are technical items that are put in place to protect information systems and data. Examples of technical controls range from hardware-based firewalls and antivirus software to any security feature that is inherent in a technical item. When implementing a technical control, it is important to understand that the threats posed to an organization are dynamic and changing. Therefore, technical controls should be implemented so they can quickly be adapted to changing threats, and in an overlapping fashion at many levels within an organization. Furthermore, a technical control should be under constant review and audited to verify its effectiveness and to identify instances where the control has been circumvented.

Firewalls

Firewalls are often thought of as control points between an organization and the Internet. Although this is true, firewalls can also segment and protect internal areas within a company. There are many different types of firewalls, and their capabilities vary. The types of firewalls used in an organization should be consistent so that the configurations can be similar. In other words, it may be better to use a single firewall vendor throughout the organization rather than have multiple firewall types spread throughout all locations. This helps reduce complexity and ensures that the entire organization follows the same policy. On the other hand, security requirements may be stringent enough to warrant having two or more types of firewalls. For instance, two separate firewalls guarding the Internet border might be required to significantly reduce the likelihood of intrusion. Although the two firewalls increase the environment's complexity, two firewalls will be less likely to share the same vulnerabilities.

Equally important, if your company uses more than one firewall, the configurations should be similar, if not identical, across all of them. Specific protocol or port rules should, where applicable, be applied in all locations. For example, a security policy stating that NetBIOS must be stopped at the firewall may keep a hacker from using the NetBIOS ports to gain unauthorized access to the network; the same policy also prevents any other firewall in the environment from opening ports 137, 138, and 139.

Note

Windows Server 2003 with SP1 contains a built-in firewall called Windows Firewall. Windows Firewall is a host-based stateful firewall designed to provide Windows servers and clients protection from network attacks that pass through perimeter controls or originate from within an organization. Windows Firewall is not designed to act as a perimeter firewall and should only be used as a supplemental control in conjunction with a full-featured firewall solution such as Microsoft Internet Security and Acceleration Server 2004 or Cisco PIX.


Intrusion Detection System

An intrusion detection system (IDS) is used to detect and notify administrators about malicious activity within an organization's network and information systems. If an IDS is a reactive system, it not only notifies administrators but also takes protective action for the system or network it is monitoring. The typical use of an IDS, however, is passive in nature, and the use of reactive systems should be limited to special cases that require immediate action when an attack is encountered.

To detect malicious activities, an IDS may use either signature-based or anomaly-based detection methods. The signature-based detection method watches for patterns of activity identified as malicious based on a database of known past attacks. In some cases, depending on the rule set, an IDS might also be able to identify new attacks based on characteristics they share with past attacks. The second detection method, called anomaly-based detection, identifies malicious activity based on baselines that have been defined by administrators or learned from sampling past activity (network- or application-based). If an anomaly-based IDS perceives activity to be different from normal activity, it treats the activity as malicious.

There are two types of IDSs. The best-known type is called a network intrusion detection system (NIDS). A NIDS captures network traffic from various sensors, usually positioned at network choke points, and the captured data is then analyzed for traces of malicious activity. The second type of IDS is called a host-based intrusion detection system (HIDS). A HIDS resides on a host system and identifies malicious behavior by monitoring such things as application logs, file system changes, application calls, and other system activities.

Policies surrounding IDSs often involve schedules for keeping the versioning up to date and the procedures to follow after the alarm has been sounded. For instance, if the IDS detects an attack pattern in the network traffic, certain IT personnel should be alerted, and certain procedures should be followed, such as trying to determine the source of the attack or locking down the system from the Internet. The policies that are put in place help to prevent the information systems and networks from being compromised.
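The two detection methods described above, as an added example that is not part of the book: a signature matcher driven by a small rule database, and an anomaly detector whose threshold is learned from sampled past activity, both run over constructed web-server log lines. The log lines, signature names, baseline counts and the mean-plus-three-standard-deviations threshold are all assumptions made for this illustration.

```python
"""Signature-based and anomaly-based detection over constructed access-log lines."""
import re
import statistics
from collections import Counter

# Constructed sample access log: source address, request line, status code.
# The last sixty lines simulate one host making far more requests than normal.
SAMPLE_LOG = """\
10.0.0.5 "GET /index.html" 200
10.0.0.5 "GET /products.asp?id=7" 200
10.0.0.9 "GET /reports/../../private/config.txt" 403
10.0.0.5 "GET /images/logo.gif" 200
192.168.1.20 "GET /scripts/cmd.exe" 404
10.0.0.7 "GET /index.html" 200
""" + "".join(f'172.16.0.3 "GET /page{i}.html" 200\n' for i in range(60))

LINE_RE = re.compile(r'(\S+) "([^"]*)" (\d{3})$')

# Signature database: (name, pattern). Real rule sets are far larger; these two
# are constructed examples of the "known pattern" style of rule.
SIGNATURES = [
    ("directory-traversal", re.compile(r"\.\./")),
    ("cmd.exe-request", re.compile(r"cmd\.exe", re.IGNORECASE)),
]

# Constructed baseline: requests per host observed in earlier sampling windows.
PAST_REQUESTS_PER_HOST = [4, 6, 5, 7, 5, 6, 4, 5]


def parse_log(text):
    """Turn raw log text into a list of dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append({"src": m.group(1), "request": m.group(2), "status": int(m.group(3))})
    return entries


def signature_alerts(entries):
    """Signature-based detection: every request matching a known pattern is an alert."""
    alerts = []
    for e in entries:
        for name, pattern in SIGNATURES:
            if pattern.search(e["request"]):
                alerts.append((e["src"], name, e["request"]))
    return alerts


def learn_baseline(past_counts, k=3.0):
    """Anomaly threshold learned from past activity: mean + k standard deviations."""
    return statistics.mean(past_counts) + k * statistics.pstdev(past_counts)


def anomaly_alerts(entries, threshold):
    """Anomaly-based detection: hosts whose request count exceeds the learned threshold."""
    counts = Counter(e["src"] for e in entries)
    return sorted((src, n) for src, n in counts.items() if n > threshold)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for src, name, request in signature_alerts(entries):
        print(f"SIGNATURE {name:<20} {src:<14} {request}")
    threshold = learn_baseline(PAST_REQUESTS_PER_HOST)
    for src, n in anomaly_alerts(entries, threshold):
        print(f"ANOMALY   {src:<14} {n} requests (threshold {threshold:.1f})")
```

The signature side only knows what is in its rule list, which is why the text warns that it catches new attacks only when they share characteristics with old ones; the anomaly side catches the noisy host without any rule for it, but would equally flag a legitimate batch job that was not in the sampling period, which is the tuning cost the text alludes to.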

Address-Based Restrictions

In addition to some of the possible security policies mentioned earlier, some network environments also have documented security policies stating that access to specific areas of the network is limited to specific IP addresses. Often these restrictions are put in place to minimize the security risks associated with ports or paths of communication from a system in the DMZ to the internal network. For example, only Server1 in the DMZ can communicate directly with Server2 using port 1433. Some organizations have even restricted remote administration to specific IP addresses within the internal network.
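Both the consistent-firewall-rules point from the Firewalls section (NetBIOS ports 137 through 139 stopped everywhere) and the address-based restriction above (only Server1 in the DMZ may reach Server2 on port 1433) can be expressed as policy data and checked mechanically. The following is an added example, not from the book or from any firewall product: a first-match rule evaluator plus an audit that replays probe traffic through each site's rule set and reports where a site disagrees with the organization-wide policy. The IP addresses, the "branch" site's drifted rule set and the probe list are constructed.

```python
"""Firewall policy as data: evaluate address/port restrictions and audit rule sets."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    src: str         # CIDR or single address
    dst: str         # CIDR or single address
    proto: str       # "tcp", "udp" or "any"
    ports: tuple     # (low, high) inclusive destination port range

    def matches(self, src, dst, proto, port):
        return (ip_address(src) in ip_network(self.src, strict=False)
                and ip_address(dst) in ip_network(self.dst, strict=False)
                and self.proto in ("any", proto)
                and self.ports[0] <= port <= self.ports[1])


def evaluate(rules, src, dst, proto, port):
    """First matching rule decides; implicit deny when nothing matches."""
    for rule in rules:
        if rule.matches(src, dst, proto, port):
            return rule.action
    return "deny"


ANY_PORT = (0, 65535)
SERVER1 = "203.0.113.10"   # DMZ host from the text; address is constructed
SERVER2 = "10.1.0.20"      # internal SQL host from the text; address is constructed

# Organization-wide reference policy: NetBIOS stopped everywhere, only Server1
# may reach Server2 on 1433, nothing else crosses from the DMZ to the inside.
ORG_POLICY = [
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "tcp", (137, 139)),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "udp", (137, 139)),
    Rule("allow", SERVER1 + "/32", SERVER2 + "/32", "tcp", (1433, 1433)),
    Rule("deny", "203.0.113.0/24", "10.0.0.0/8", "any", ANY_PORT),
]

# Per-site rule sets (constructed). The branch site has drifted: it opens NetBIOS
# from the DMZ to the internal network, which the reference policy forbids.
SITE_RULES = {
    "headquarters": list(ORG_POLICY),
    "branch": [
        Rule("allow", "203.0.113.0/24", "10.0.0.0/8", "tcp", (137, 139)),
        Rule("allow", SERVER1 + "/32", SERVER2 + "/32", "tcp", (1433, 1433)),
        Rule("deny", "203.0.113.0/24", "10.0.0.0/8", "any", ANY_PORT),
    ],
}

# Probe traffic replayed through every site: (src, dst, proto, dst_port).
PROBES = [
    (SERVER1, SERVER2, "tcp", 1433),          # the one permitted DMZ path
    ("203.0.113.11", SERVER2, "tcp", 1433),   # another DMZ host trying the same port
    (SERVER1, SERVER2, "tcp", 139),           # NetBIOS session from the DMZ
    ("203.0.113.11", "10.1.0.21", "udp", 138),
    ("203.0.113.11", "10.1.0.21", "tcp", 80),
]


def audit_sites(site_rules, reference, probes):
    """Return {site: [(probe, expected, actual), ...]} for every disagreement with the reference."""
    findings = {}
    for site, rules in site_rules.items():
        diffs = []
        for probe in probes:
            expected = evaluate(reference, *probe)
            actual = evaluate(rules, *probe)
            if expected != actual:
                diffs.append((probe, expected, actual))
        findings[site] = diffs
    return findings


if __name__ == "__main__":
    for site, diffs in audit_sites(SITE_RULES, ORG_POLICY, PROBES).items():
        status = "consistent" if not diffs else f"{len(diffs)} deviation(s)"
        print(f"{site}: {status}")
        for probe, expected, actual in diffs:
            print(f"  {probe}: policy says {expected}, site says {actual}")
```

Replaying probes rather than diffing rule text is deliberate: two rule sets written differently can enforce the same policy, and two that look alike can diverge on one port range, so comparing decisions on representative traffic is the check that matters.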

Authentication

Authentication begins with identification, which defines how users are to be identified to a system. After a user or system has been identified, authentication must occur in Windows Server 2003. Authentication is the process in which a system or user verifies the identification of the other. In other words, users prove that they really are who they say they are. This is similar to presenting a cashier with a credit card and the cashier asking for a driver's license or other photo ID.

Windows Server 2003 offers several different authentication mechanisms and protocols, including

  • Kerberos

  • .NET Passport

  • Digest

  • Secure Sockets Layer (SSL)

  • HTTP

  • S/MIME

These protocols should be chosen based on the features that you need. For example, for authenticating to Active Directory in a LAN environment, Kerberos is probably the preferred method.

As best practice, security policies relating to authentication should specify the following:

  • The authentication mechanisms required for performing certain tasks. For example, all traffic to the development Web site must use certificate authentication before establishing an SSL connection.

  • The number of authentication factors (that is, the number of authentications) required before accessing a specific system or group of systems.

Authorization

After a user is authenticated, anytime that user requests access to a resource such as a file, folder, share, printer, and so on, Windows Server 2003 checks to see whether the user has the necessary access rights to access and use that resource. For instance, a user can use a Kerberos session ticket to gain access to many different resources or objects. If the user has the necessary rights, that resource can then be accessed and used. This process is called authorization.

Authorization uses access control methods to determine whether a user has the proper rights to access resources. These access control methods are access control lists (ACLs) and roles.

The New Technology File System (NTFS) is one of the primary ways to set access control; it can be used to gain control over authorized and unauthorized access by assigning permissions. It also incorporates the Encrypting File System (EFS), which can be used to further tighten security by encrypting sensitive and confidential information.

The following are some best practices for using NTFS that can also be incorporated into a security policy:

  • Remove the Everyone group from permissions.

  • Use groups instead of individual users when configuring access controls.

  • Use the least-privilege principle so that users can access only the information that they need.

  • Ensure that administrators have full control on all files, folders, and shares unless the organization specifically dictates otherwise.

  • Allow only administrators to manage resources.
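The best practices in the list above can be turned into an automated review of a resource's access control entries. The following is an added example, not from the book and not a Windows API: it models each ACE as a trustee, an account kind, an allow/deny flag and a set of rights, then flags Everyone grants, permissions assigned to individual users rather than groups, non-administrators who can manage permissions, and administrators who lack Full Control. The share paths, account and group names, ACE contents and the simplified right names are all constructed.

```python
"""Audit simplified NTFS-style access control entries against the best practices above."""
from dataclasses import dataclass

# Simplified right names (constructed); a real NTFS DACL carries many more flags.
FULL_CONTROL = frozenset({"read", "write", "execute", "delete",
                          "change_permissions", "take_ownership"})
MANAGE_RIGHTS = frozenset({"change_permissions", "take_ownership"})


@dataclass(frozen=True)
class Ace:
    trustee: str        # account or group name
    kind: str           # "user" or "group"
    access: str         # "allow" or "deny"
    rights: frozenset


def fmt(rights):
    return ", ".join(sorted(rights))


def audit_acl(resource, aces, admin_group="Administrators"):
    """Return a list of (severity, message) findings for one resource's ACL."""
    findings = []
    admin_full_control = False
    for ace in aces:
        if ace.access != "allow":
            continue    # deny entries never widen access, so they raise no finding here
        if ace.trustee == "Everyone":
            findings.append(("high", f"{resource}: remove Everyone (grants {fmt(ace.rights)})"))
        if ace.kind == "user":
            findings.append(("medium", f"{resource}: {ace.trustee} is granted directly; assign through a group"))
        if ace.trustee != admin_group and ace.rights & MANAGE_RIGHTS:
            findings.append(("high", f"{resource}: {ace.trustee} can manage permissions; restrict to {admin_group}"))
        if ace.trustee == admin_group and FULL_CONTROL <= ace.rights:
            admin_full_control = True
    if not admin_full_control:
        findings.append(("medium", f"{resource}: {admin_group} lacks Full Control"))
    return findings


def audit_all(acls, admin_group="Administrators"):
    """Audit every resource; returns {resource: findings} including empty lists."""
    return {res: audit_acl(res, aces, admin_group) for res, aces in acls.items()}


# Constructed sample ACLs for three shares.
SAMPLE_ACLS = {
    r"D:\Shares\Finance": [
        Ace("Administrators", "group", "allow", FULL_CONTROL),
        Ace("Finance", "group", "allow", frozenset({"read", "write"})),
        Ace("Everyone", "group", "allow", frozenset({"read"})),
        Ace("jsmith", "user", "allow", frozenset({"read", "write", "change_permissions"})),
    ],
    r"D:\Shares\Public": [
        Ace("Administrators", "group", "allow", FULL_CONTROL),
        Ace("Domain Users", "group", "allow", frozenset({"read"})),
    ],
    r"D:\Shares\Legacy": [
        Ace("Legal", "group", "allow", frozenset({"read", "write"})),
        Ace("Administrators", "group", "allow", frozenset({"read"})),
    ],
}

if __name__ == "__main__":
    for resource, findings in audit_all(SAMPLE_ACLS).items():
        print(f"{resource}: {'clean' if not findings else ''}")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

The least-privilege item in the list cannot be checked purely from the ACL, because it depends on who actually needs the data; what the audit can do is surface the structural signs that least privilege has been abandoned, which is what the Everyone, direct-user and manage-rights findings are.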

Base Installations

When organizations build servers from scratch, typically the configurations are built inconsistently. In other words, some file and print servers may have IIS, Remote Desktop for Administration, various NTFS permissions, and more, whereas other servers do not. From an administration, maintenance, troubleshooting, or security point of view, such configurations can be a nightmare. Each server must be treated individually, and administrators must try to keep track of separate, incongruent configurations.

Base installation security policies and server build documentation help to create a standard baseline for how a specific type of server is built and the type of security that is applied. They can contain step-by-step instructions on how to build different types of servers without sacrificing security. From this, all administrators have a common ground or knowledgebase of configuration information, including security configurations, which can save time when administering, maintaining, and troubleshooting.

PKI

A Public Key Infrastructure (PKI) is an infrastructure model that manages the creation and distribution of public key certificates. Public key cryptography is used to secure (encrypt and verify) communication for a wide range of IT services such as HTTP traffic, VPN connections, network authentication, secure email exchanges, and so on. A PKI enables a web of trust to be established between the members of the PKI and their public keys. This web of trust is used by members to provide authentication, identity verification, and confidentiality for communications between parties.

A certificate authority (CA) stores its private and public keys and is responsible for issuing and signing certificates. These certificates are digitally signed statements that bind the value of a public key to the holder of the corresponding private key. Certificates typically contain the name of the user or service, the period during which the certificate is valid, CA identifier information, the public key value, and the CA's digital signature.

Monitoring Tools

Protecting the network environment with various security policies and mechanisms is, without question, necessary. However, monitoring is also key to enforcement and identifying security policy violations. For instance, all the security policies and mechanisms can be in place, but without monitoring, there is no way to identify and determine whether they are effective.

Some common monitoring tools found within an organization include syslog, SNMP, traffic sniffers, and IDS. The most common Windows Server 2003 monitoring tool is the Event Viewer. The Event Viewer captures audited events such as account logon, account management, directory access, object access, policy change, and more. By default, initial auditing parameters are set to audit successful account logon events. Moreover, logging is configured to use up to 128MB of disk space before overwriting events.

Note

New logon type events can be monitored, including cached logons and remote interactive (Terminal Services) logons.


Application logs are also commonly reviewed for security purposes. Log files are usually generated by services and applications, and the level of detail can often be configured to provide just general information up to the maximum amount of detail. The level of detail that can be provided and the configuration options vary. When you're configuring these options, keep in mind the amount of disk space required as well as how this information will be reviewed.
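As an added example for the Event Viewer discussion above, not taken from the book or from any Microsoft tool, the following reviews constructed rows exported from a Windows Server 2003 security log and summarizes successful logons by logon type, tallies failed logons per account, and lists the remote interactive (Terminal Services) and cached logons that the note above singles out. The rows, account names and workstation names are constructed; the event IDs 528 (successful logon), 540 (successful network logon) and 529 (logon failure) and the logon type codes 2, 3, 10 and 11 are the standard Windows Server 2003 values.

```python
"""Summarize constructed Windows Server 2003 security-log export rows by logon type."""
import csv
from collections import Counter
from io import StringIO

# Constructed CSV export: EventID, LogonType, Account, Workstation.
SAMPLE_EXPORT = """\
EventID,LogonType,Account,Workstation
528,2,CORP\\jsmith,WKS01
540,3,CORP\\svc_backup,FS01
528,10,CORP\\admin2,DC01
528,11,CORP\\mlee,LAPTOP07
529,3,CORP\\jsmith,WKS09
528,10,CORP\\admin2,DC01
"""

SUCCESS_EVENTS = {528, 540}     # successful logon / successful network logon
FAILURE_EVENT = 529             # logon failure: unknown user name or bad password
LOGON_TYPE_NAMES = {2: "Interactive", 3: "Network",
                    10: "RemoteInteractive", 11: "CachedInteractive"}
WATCHED_TYPES = {10, 11}        # the logon types the note above calls out


def parse_export(text):
    """Read the export into a list of dicts with integer event IDs and logon types."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        rows.append({
            "event_id": int(r["EventID"]),
            "logon_type": int(r["LogonType"]),
            "account": r["Account"],
            "workstation": r["Workstation"],
        })
    return rows


def summarize(rows):
    """Return (successes by logon type, failures by account, watched-type logons)."""
    success = Counter(
        LOGON_TYPE_NAMES.get(r["logon_type"], str(r["logon_type"]))
        for r in rows if r["event_id"] in SUCCESS_EVENTS
    )
    failures = Counter(r["account"] for r in rows if r["event_id"] == FAILURE_EVENT)
    watched = [
        (r["account"], r["workstation"], LOGON_TYPE_NAMES[r["logon_type"]])
        for r in rows
        if r["event_id"] in SUCCESS_EVENTS and r["logon_type"] in WATCHED_TYPES
    ]
    return success, failures, watched


if __name__ == "__main__":
    success, failures, watched = summarize(parse_export(SAMPLE_EXPORT))
    print("Successful logons by type:", dict(success))
    print("Failed logons by account:", dict(failures))
    for account, workstation, kind in watched:
        print(f"review: {kind} logon by {account} on {workstation}")
```

Because the default audit policy mentioned above records only successful account logon events, the failure tally stays empty until failure auditing is switched on, which is one concrete reason to review the auditing parameters rather than rely on the defaults.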

Tip

It is highly recommended that you consider using Microsoft Operations Manager (MOM) to monitor and manage the Windows Server 2003 network environment. It can consolidate security-related events and provide a convenient, centralized location to review security information on multiple Windows Server 2003 systems.


Auditing Tools

Numerous security stress-testing tools are available from third-party vendors. Many have very specific functionality such as port scanning, password cracking, buffer overflow identification, and more. For example, LC4, formerly known as L0phtCrack, can be used as a password-auditing tool to discover weak passwords, but it is not designed to uncover other vulnerabilities.

When choosing a third-party security tool, you must carefully choose your target area before conducting a stress test.




Microsoft Windows Server 2003 Unleashed (R2 Edition)
ISBN: 0672328984
Year: 2006
Pages: 499
