Identifying Technical Constraints when Designing Security




Unfortunately, organizations are not homogeneous when it comes to the technology that they implement. You will discover a variety of equipment and operating systems in your organization. The capabilities of the equipment, operating systems, and applications might limit your security options. You will need to evaluate the network technologies currently used in your organization because they will affect what you can and cannot do with your security policies. If a risk is great and it is likely to occur, you might even need to change the existing infrastructure to accommodate a policy. Suppose, for example, that you would like to enforce software policies through Group Policy. This is most effectively accomplished by combining Group Policy and Active Directory; if you don’t have Active Directory, it would be difficult. A short list of the technologies on your network that you need to evaluate follows:

  • Authentication infrastructure

  • E-mail

  • World Wide Web service

  • File sharing infrastructure

  • Naming services

  • Firewall/proxy services

  • Custom software and services

  • Remote access services

  • PKI infrastructure

  • Bandwidth

  • CPU power of the servers (particularly with regard to encryption because it puts a heavy burden on processor power)

Note

The means for securing each of the technologies in the preceding list will be discussed in greater detail in the appropriate chapter in this book.

You do not want technological limitations to guide your security policies. You should design security policies that would be theoretically best for the organization. You will need to identify areas where the security policies may not be consistent with the network’s current technology. The organization can then decide whether it is cost effective to change or update the technology or whether to change the policy. Implementing a security policy that is not consistent with the network’s technology puts an additional burden on the user by introducing interoperability constraints.

Interoperability constraints are restrictions that arise when two applications cannot communicate with each other and therefore cannot support the security protocols used to authenticate users on a network. Applications that have interoperability constraints cannot support the necessary security protocols used to authenticate users on the network. For example, if your organization’s mainframe computer does not support Windows authentication, users would have to use a separate user ID and password to log on to the mainframe. Interoperability constraints can also be an issue when two different versions of an application are used. For example, you might need to use the less-secure protocol NTLM instead of Kerberos to authenticate users in a Windows domain because you need to support users on Windows 98 or Windows NT 4 computers in the domain. You will need to discover and investigate how interoperability constraints will affect your security policies and procedures.

Real World Scenario: Exchange 2000 and Active Directory Distribution List

One situation in which you’ll encounter technical constraints (and more specifically, interoperability constraints) is when you’re trying to secure distribution group membership on an Exchange 2000 Server machine. If you need to support versions of Windows earlier than Windows 2000 in Active Directory, then you’ll need to enable pre–Windows 2000 compatible access (the built-in access group that simulates the Everyone group of earlier versions of Windows). This allows down-level clients to enumerate the list of users in a distribution list. Unfortunately, it also means that everyone has permission to view group membership, which leads to a problem with Exchange Server 2000. Because Exchange relies on Windows 2000 Server security and distribution groups for its distribution lists, you will not be able to hide a distribution group’s membership as long as you have earlier versions of Windows. You can either upgrade all the clients to Windows 2000 or later and disable the group that’s compatible with earlier versions, or live without the ability to hide distribution group membership. You will need to decide, based on the security policy and cost, what you are prepared to do.
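The following audit script is an added example, not part of the study guide, that checks whether a domain is still in the state this scenario describes: it reads the membership of the built-in Pre-Windows 2000 Compatible Access group (well-known SID S-1-5-32-554) and reports whether Everyone (S-1-1-0) or Anonymous Logon (S-1-5-7) is a member, which is what makes group and distribution list membership readable by everyone. It assumes the ActiveDirectory PowerShell module (RSAT) and read access to the domain.

```powershell
# Added example (not the study guide's code): audit pre-Windows 2000 compatible access.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session with read access.
Import-Module ActiveDirectory

# Well-known SIDs (these are fixed values in Windows, not assumptions).
$preW2kGroupSid = 'S-1-5-32-554'   # Built-in group "Pre-Windows 2000 Compatible Access"
$broadPrincipals = @{
    'S-1-1-0' = 'Everyone'          # present when pre-Windows 2000 access is enabled
    'S-1-5-7' = 'Anonymous Logon'   # added alongside Everyone on Windows Server 2003
}
# Note: "Authenticated Users" (S-1-5-11) is the expected member when only
# Windows 2000/2003 compatible permissions are selected, so it is not flagged.

function Test-PreWindows2000Access {
    # Read the member attribute directly instead of Get-ADGroupMember, because the
    # members of interest are foreign security principals whose DN begins with
    # their SID, e.g. CN=S-1-1-0,CN=ForeignSecurityPrincipals,DC=example,DC=com
    $group = Get-ADGroup -Identity $preW2kGroupSid -Properties member
    $findings = foreach ($dn in $group.member) {
        $cn = ($dn -split ',')[0] -replace '^CN=', ''
        if ($broadPrincipals.ContainsKey($cn)) {
            [pscustomobject]@{ Principal = $broadPrincipals[$cn]; Sid = $cn; Member = $dn }
        }
    }
    return $findings
}

$findings = Test-PreWindows2000Access
if ($findings) {
    Write-Warning 'Pre-Windows 2000 compatible access is enabled; group membership, including Exchange distribution lists, is readable by:'
    $findings | Format-Table Principal, Sid -AutoSize
} else {
    Write-Output 'Pre-Windows 2000 Compatible Access contains no broad principals; distribution list membership can be hidden.'
}
```

Run it before and after removing down-level clients to confirm that disabling the compatible access group actually took effect.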

In the following Design Scenario, you will analyze the technical constraints that will impact the security of Infinite Horizons.

Design Scenario: Technical Constraints when Designing Security


Infinite Horizons has an outsourcing program for HR departments of client companies and needs to securely share information contained in its databases with customers. It also has some applications that the customers need to use to enroll employees in their benefits programs. They can also check on the status and current benefits of each employee. Infinite Horizons customers don’t always use Windows-based computers, and those that do could be using any version from Windows 3.1 to Windows XP.

  1. Question: What are the technical limitations to Infinite Horizons’s security policy? Answer: The client operating systems vary widely in capabilities, so you will not be able to use the same ways of protecting them. For example, you might want to enforce a password policy that includes strong passwords, passwords longer than 8 characters, and a minimum password age of 4 days. However, you may find that one of the operating systems that you are using does not support one of these features, or that you have to purchase a separate package.

  2. Question: What kind of interoperability issues might arise when clients connect to Infinite Horizons’ network? Answer: Clients might not support the more secure version of authentication protocols or encryption technology that would be preferred for the sensitive data.







MCSE: Windows Server 2003 Network Security Design Study Guide (Exam 70-298)
ISBN: 0782143296
Year: 2004
Pages: 168
