Designing for Emergency Management Services

Emergency Management Services (EMS) is a collection of out-of-band management tools that let you manage a Windows Server 2003 machine when it is no longer responding to in-band management tools. You access EMS through a terminal emulator, such as HyperTerminal, that connects to a serial port on the server.

EMS is made up of standard Windows Server 2003 components that have been modified to redirect their output to the out-of-band communication port in addition to the video card. The following Windows components support out-of-band communication:

  • Recovery Console

  • Remote Installation Services (RIS)

  • Text mode setup

  • Setup loader

In addition to the standard Windows components, EMS includes two new remote management consoles: Special Administration Console (SAC) and !Special Administration Console (!SAC).

Using the Special Administration Console is the most common way to access the EMS services on Windows Server 2003. SAC provides you with a command-line environment to manage the server when it is locked up, as shown in Figure 10.8.

Figure 10.8: Special Administration Console

The SAC is available as long as the Windows Server 2003 kernel is running. This means you can issue commands early in the boot process: as soon as the kernel is running you have access to the SAC, provided it is enabled on your server. The commands you issue to the SAC support the following administration features:

  • Restarting the server

  • Shutting down the server

  • Displaying the list of running processes

  • Killing a process

  • Configuring the IP address on the server

  • Starting a command prompt in the operating system if possible

  • Generating a stop error so the server dumps memory

The SAC provides user mode access through the cmd command, which launches a command shell that you can use to start a command-line in-band management tool such as Telnet to make managing the server easier. SAC also lets you view the setup logs generated during the setup process, to check on its progress or to diagnose setup problems. During the GUI portion of setup, press Esc+Tab to switch to the SAC and view the setup logs.

The !SAC is the failsafe special management console that loads automatically if the SAC fails to start for some reason. The !SAC does not provide all of the functionality the SAC provides; in fact, it provides only two functions:

  • Restarting the server

  • Redirecting stop error messages

You can use the EMS services built into Windows Server 2003 to manage the server while the kernel is running or loading. If you purchase additional hardware such as a service processor, or if you have a firmware console, you can manage the server even when the kernel is not working.

You will need to decide how you will connect to the server to support EMS. Generally, you connect to a serial port on the server. Serial connections have no logical security, so you must provide strong physical security for the serial connection: keep the computers and devices that connect to it in the secure server room, and keep the connection itself secured. You can lay out different designs for supporting EMS, and additional hardware is available that adds network support for EMS. There are four basic designs for laying out your EMS infrastructure: direct serial connection, modem serial connection, terminal concentrator, and intelligent Uninterruptible Power Supply (UPS).
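Because EMS is enabled per boot entry in boot.ini (redirect= and redirectbaudrate= under [boot loader], plus the /redirect switch on an [operating systems] entry), an inventory of which servers expose a SAC on a serial port tells you which serial links need the physical protection described above. The following Python audit script is an added example, not code from the book; the sample boot.ini it parses is constructed for illustration.

```python
"""Audit a Windows Server 2003 boot.ini for EMS console redirection.

Added example (not the book's code): reports the redirect port and baud
rate from [boot loader] and which [operating systems] entries carry the
/redirect switch that actually turns the SAC on for that boot.
"""
import re

# Constructed sample boot.ini (an assumption for this example; a real one
# lives at %SystemDrive%\boot.ini). Only the first entry enables EMS.
SAMPLE_BOOT_INI = """\
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
redirect=COM1
redirectbaudrate=115200
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Windows Server 2003" /fastdetect /redirect
multi(0)disk(0)rdisk(0)partition(2)\\WINOLD="Old install" /fastdetect
"""

def audit_ems(boot_ini_text):
    """Return port, baud, per-entry /redirect flags and an overall verdict."""
    section = None
    result = {"port": None, "baud": None, "entries": []}
    for raw in boot_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "boot loader":
            key, _, value = line.partition("=")
            key = key.strip().lower()
            if key == "redirect":  # COMn or USEBIOSSETTINGS
                result["port"] = value.strip().upper()
            elif key == "redirectbaudrate":
                result["baud"] = int(value.strip())
        elif section == "operating systems":
            # Entry shape: <ARC path>="<description>" /switch /switch ...
            m = re.match(r'([^=]+)="([^"]*)"(.*)', line)
            if m:
                switches = m.group(3).lower().split()
                result["entries"].append({"name": m.group(2), "ems": "/redirect" in switches})
    # EMS is live only if the loader redirects AND some entry carries /redirect
    result["enabled"] = bool(result["port"]) and any(e["ems"] for e in result["entries"])
    return result
```

Run it against each server's boot.ini to build the list of machines whose serial port exposes an unauthenticated console.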

Using a Direct Serial Connection

A direct serial connection is the simplest of the out-of-band connections to a server. You can establish the connection by using a null modem cable between the management computer and the server running EMS. The management computer is a computer that is running some kind of terminal emulation software. The easiest software to use is HyperTerminal because it comes with any Windows operating system, but almost any type of terminal emulation software will work.

You will need to make sure that both the management computer and the server are physically secure in this design. You can build a remote solution on a direct serial connection by placing a management computer in the server room and enabling Remote Desktop for Administration on it. Set up HyperTerminal on that computer to connect to the serial port that is cabled to the server you want to manage. This can provide secure remote management, but it is really only practical for a single computer or very few. The main benefit of direct serial connections is that they are easy to set up because they require no additional hardware.

The direct serial connection has a number of disadvantages:

  • Computers need to be close to each other for physical security.

  • It has the most limited functionality.

  • It’s difficult to manage more than a few boxes using a direct serial connection.

Figure 10.9 shows an example of a direct serial connection.

Figure 10.9: Direct serial connection

The direct serial connection is a great way to quickly connect a laptop computer to diagnose a server problem, like a hung server.

Using a Modem Serial Connection

A modem serial connection is similar to a direct serial connection except that a modem sits between the management computer and the server. You dial into the modem and then use a terminal emulation program. You have two connections to secure: the connection between the management computer and the modem, and the connection between the modem and the server. Security on the connection between the management computer and the modem depends on the security features of the modem; for example, you could enable the modem's call-back feature to allow connections only from known numbers. Security on the serial connection between the modem and the server must be maintained physically.

Figure 10.10 shows how a modem setup would look.

Figure 10.10: Remote EMS through a modem

The benefits of using a modem for out-of-band communications are as follows:

  • It’s easy to set up and configure for use because there are no complicated devices to purchase and configure.

  • The management computer can remotely connect to the server.

There are some disadvantages:

  • Security features in a modem are limited.

  • It’s difficult to manage more than a few computers using a modem.

Using a Terminal Concentrator

There are two problems with the direct serial and modem serial connections to the server. First, the management computer is limited to two to four serial ports, so you can have only two to four EMS connections to your servers. Second, the management computer must be physically secured to prevent access to the SAC, because there is no logical security on the connection. By setting up a terminal concentrator, which supports a larger number of connections, you can manage a larger number of servers and remove the need to physically secure the management computer.

A terminal concentrator contains more serial ports than a server does and can support one server connection per port. The concentrator can then be connected to a network or a modem to provide terminal access to the servers attached to it. This makes it easier to provide out-of-band communication to a larger number of servers, and it also makes that communication easier to secure.

You will need to physically secure the terminal concentrator's connections to the servers, just as you would any other serial connection, so place the terminal concentrator in the server room with the servers you will manage through it. The main difference from a direct connection is that the management computer and its user can be authenticated logically.

You usually connect to a terminal concentrator using a command-line terminal emulator such as Telnet. Better yet, many concentrators support SSH, which offers many authentication options, including smart cards and Public Key Infrastructure (PKI). SSH also encrypts the traffic between the terminal concentrator and the management computer, protecting the session from eavesdropping and manipulation. Look for a terminal concentrator that supports SSH as a connection option. If your terminal concentrator does not support SSH, attackers could sniff packets on the network to obtain administrative information; in that case, consider placing the concentrator on a separate network used only for remote management.

Figure 10.11 illustrates what a network with a terminal concentrator would look like.

Figure 10.11: Using a terminal concentrator

The following are benefits of using a terminal concentrator:

  • It supports logical authentication mechanisms.

  • It can support encryption.

  • It supports a larger number of servers for out-of-band management.

  • It can support features in firmware like powering on and off the servers.

The main disadvantage is that you need to purchase additional hardware in the form of terminal concentrators.

Using an Intelligent UPS

You may already have devices that can act as terminal concentrators in the form of an intelligent UPS. An intelligent UPS can provide the same features a terminal concentrator provides, and it can form two connections to the server for use by EMS: the standard serial connection and a connection through the AC power line. This means that you can not only manage the servers but also remotely control their power.

You would need to manage and secure intelligent UPSes in the same way you treat terminal concentrators. Physically secure the device in the server room with the servers and then use logical security to secure the network connection to the UPS. Having one device that does two functions may save you the costs of purchasing separate terminal concentrators.

Real World Scenario: Using EMS to Manage Servers

start example

We use Exchange Server 2003 for e-mail in our organization. The server has been giving us some problems lately, just locking up with no explanation. We suspect it is a hardware problem, but we needed to keep the server running until we could get replacement hardware. The server would lock up and nobody could get to e-mail without the server being rebooted. The server would tend to lock up at inconvenient times, such as on weekends and at night.

We decided to install EMS on the server and set up a serial connection to another server called ServerA. Whenever the Exchange server locks up, we can then connect to the server and launch HyperTerminal to connect to the e-mail server through the out-of-band communication channels. We can then issue a reboot command to the server to fix the problem.

end example

Figure 10.12 shows what a configuration using an intelligent UPS would look like.

Figure 10.12: Intelligent UPS setup

The following are benefits of using an intelligent UPS:

  • It supports logical authentication mechanisms.

  • It can support encryption.

  • It supports a larger number of servers for out-of-band management.

  • It can support features in firmware like powering on and off the servers.

The main disadvantage is that if you don’t own an intelligent UPS, you need to purchase additional hardware.

In the following Design Scenario, you will look at designing a security infrastructure for EMS.

Design Scenario: Designing for Emergency Management Services

start example

Expo, Inc. wants to be able to use local contractors on an as-needed basis to manage the hardware locally.

During the design phase, you spoke to the CSO and the network administrator:

CSO: All remote management must be secure.

Network Administrator: We are having problems with some of our critical servers hanging from time to time. This usually happens at night or on weekends. Whoever is on pager duty must then go into the office to reset the server so it will be available for our clients. We need a means to remotely manage these servers, even if they have hung, to determine what the problem may be and to resolve the problem through a reboot. We would like to apply the solution to all 26 of our servers. They are all running Windows Server 2003.

  1. Question: What should Expo, Inc. do to solve this problem? Answer: The company should purchase a terminal concentrator that supports SSH. The terminal concentrator will scale to support all 26 servers, whereas the direct serial connection and modem connection will not accommodate this. Using intelligent UPSes could also work, except you would have the added cost of purchasing the UPSes. The terminal concentrator solution would be more cost effective. Administrators should install it in the server room, where it can be kept physically safe, and connect it to the servers via serial cables. The administrators can then connect to the server through SSH and perform actions like rebooting the server, even if user mode is hung.

end example


MCSE: Windows(r) Server 2003 Network Security Design Study Guide (70-298)
ISBN: 0782143296
Year: 2004
Pages: 168