Securing the Operating System

The second most direct way to access the DW/BI system is by way of the operating system. You should implement the following procedures for all the servers in your development, test, and production systems:

• Restrict login access. No business user needs to log on to the servers. Most DW/BI team members dont need to log in, as their tools work remotely. Only system administrators need to log in; others can access services across the network.

  • Ensure the security policy on all servers is set to not add Domain Users to the local Users group. By default, Domain Users are usually added to the local Users group , which has login privileges.

  • Ensure the Windows Administrator account on all servers has a strong password.

  • Ensure the Windows Guest account on all servers is disabled.

  • Ensure strong password policies. Strong policies include technical policies, like requiring a mix of letter case and non- alphanumeric characters . Users need to be educated about security as well, to not write down passwords and avoid the many scams that fill our inboxes. This is usually an enterprise-wide concern.

• Restrict network access.

  • Ensure the Everyone group does not have access to the server.

  • Disable null sessions to prevent anonymous sessions.

  • Disable unneeded services. For security reasons, consider disabling the Telnet, FTP, SMTP, and NNTP services if theyre not needed.

• Ensure data folders are secure. By default, the SQL Server relational database and Analysis Services databases store data in file structures that are appropriately protected. However, you can create Analysis Services partitions in remote locations, which might not be protected. Other sensitive information includes backups and trace logs, and Integration Services packages. Ensure all information is appropriately protected.

• Keep up-to-date with security patches for the operating system. Keep up-to-date with service packs for the SQL Server components .