Home > Articles

Designing Strategies for Security Management

This chapter is from the book

Terms you'll need to understand:

  • Remote desktop administration
  • Telnet
  • Emergency Management Services
  • Software Update Services (SUS)
  • Systems Management Server (SMS)
  • Disaster recovery plan (DRP)

Techniques you'll need to master:

  • Designing security for network management
  • Designing a security update infrastructure

Your network has enough enemies, including viruses, well-intentioned users, and not so well-intentioned attackers. You must ensure that you don't become your own worst enemy! You need to understand the risks associated with managing your network and mitigate those risks with whatever tools you have available. In addition, you need to keep your network up to date with the latest security patches. This process needs to be as automatic as possible in your situation.

In this chapter, we discuss the tools that you can use to manage the risk of managing the network. These include simple tools such as the Run as command as well as more complex tools used to monitor and manage servers and services. We also discuss the new tools in Windows Server 2003 that aid you in assessing the current patch level of computers in your network and in keeping computers up to date with security patches from the Microsoft Web site.

Designing Security for Network Management

You need to understand the power of the Administrator account as well as other accounts that provide rights on the network. In the right hands, these are tools you use to manage a network. In the wrong hands, they are weapons that attackers can use against you. As you manage your network, take care that these accounts do not fall into the wrong hands. In addition, you need to understand the tools and services available to enhance and monitor the security of your network. Designing security for network management includes the following components:

  • Managing the risk of managing networks
  • Designing the administration of servers
  • Designing security for Emergency Management Services

Managing the Risk of Managing Networks

Windows Server 2003 controls access to Active Directory and the ability to manage it using security groups. Some groups are designed to give a person rights to manage an aspect of the network, solely because they are associated with that group. These groups include Administrators, Server Operators, Account Operators, Backup Operators, and many others. Administrators who are members of these groups must understand the power that the group membership gives them and use it wisely.

We now discuss the tools that Windows Server 2003 provides to assist an administrator in the safe management of the network. These tools include the following:

  • The Run as command
  • Restricted groups
  • Security auditing

The Run as Command

Even if you are an administrator, you need to log on every morning with the same type of user account that everyone else uses. You don't need an administrative account to check your email and browse the Web. You should only use an administrative account if you are doing something on the network that requires the use of an administrative account. This practice protects the network because the less you use an administrative logon, the less chance there is for a Trojan horse virus or some type of worm to pick it up and send it to an attacker. Also, if you walk away from a computer that you are logged on to with an administrative account, another person could use the computer and "play Administrator" for a while!

Although your users should only have one account, you and your other administrators need to have at least two accounts. You should use a normal user account until it is necessary to use the administrative account and, at that time, you can use the Run as command to perform a secondary logon.

You can use the Run as command either through the GUI or at the command line. To use the Run as command with a GUI tool, simply right-click the tool, click Run as, and then log on with the account that you want to use to run that tool. You might need to hold down the Shift key while you right-click, depending on the tool that you choose. Figure 3.1 shows the Run as command on the Start menu. Figure 3.2 shows the secondary logon screen for the Run as command. When the tool is closed, the system reverts back to the primary logon account.

Figure 3.1Figure 3.1 You can right-click the tool to use the Run as command.

Figure 3.2Figure 3.2 The Run as command provides a secondary logon for that tool only.

To use the Run as command from a command prompt, type the following syntax:

Runas /user:domain\account name mmc %windir%\system32\tool.msc

where domain is the name of your domain, account name is the name of the account with which you want to run the tool, and tool is the name of the tool that you want to run.

For example, Runas /user:bfe.vtc.com\administrator "mmc%windir%\system32\dsa.msc" will run Active Directory Users and Computers in the bfe.com domain by the account name of Administrator.

After you enter this syntax correctly, you are then asked the password of the account with which you want to run the program. Figure 3.3 shows the command line with the entered command and the system's response. After you enter the correct password, the system opens the tool. When the tool is closed, the system reverts back to your primary logon account.

Figure 3.3Figure 3.3 You can use the Run as command from a command-line interface.

TIP

You can check the %windir%\system32 folder on your servers for files with .msc extensions. All files with .msc extensions can be used with the Run as menu option. You can even create shortcuts on the desktop or in your administrative tools using the same command.

CAUTION

We are only using the default name "Administrator" for the administrative account for this training example. You should always change the default names of administrative accounts.

Restricted Groups

Membership in a security group can give someone permissions and rights that she would not have if she was not in that security group, especially if that group is a member of another group that has more rights. This is the way the system is supposed to work. But, what if someone is a member of a group that gives her administrative access and you are not aware that she is a member? In this case, your own system is working against you.

You might be thinking, "But I can just check all of the groups and make certain that I know who the members are." Well, that's true, but there might be more groups to keep track of than you think. You have to consider that every workstation and member server has its own local groups as well! Wouldn't it be nice to just lock those groups down with some type of template? Well, now you can!

Restricted Groups is a computer security policy that should be used primarily with workstations and member servers. In other words, it is rarely used on domain controllers. It allows you to define who can be a member in a particular security group on a computer and what other groups that group can be a member of as well. After you define who can be a member of that group, anybody else who currently is a member is removed from membership as soon as the security policy is refreshed. This way, it's impossible for you to miss anybody. You can also copy the template that you create and use it on subsequent workstations and member servers.

You can create the template and apply the settings for Restricted Groups on a member server running Windows 2000 Server or Windows Server 2003 in two ways. You can either create the template in the local security settings for each of the computers that you choose or you can create a Group Policy and roll it out to all of the computers in an organizational unit (OU) or hierarchy of OUs. For Windows 2000 Professional and Windows XP Professional clients, you can use Group Policy to enforce Restricted Groups.

As we mentioned previously, you should refrain from using Restricted Groups at the domain level; however, it is possible to use this tool to provide a "reality check" if you suspect that someone has obtained fraudulent access to administrative rights through membership in a security group.

To configure Restricted Groups on one member server, perform the following steps:

  1. Open the Local Security Policy through Administrative Tools.
  2. Expand the Security Settings option.
  3. Right-click Restricted Groups.
  4. Click Add Group.
  5. Type the name of the group that you need to manage.
  6. Add the members that you want to be in the group and the groups of which that group can be a member.
  7. Click OK or Apply.

When you click OK or Apply, only the members that you have designated are still members of the groups for which you have set Restricted Groups. Any other members are removed from group membership. This takes effect the next time they log on to the server locally.

To configure Restricted Groups with Group Policy, perform the following steps:

  1. Open the Group Policy Management Console and Group Policy Object Editor tools to create and configure a new Group Policy or edit an existing one.
  2. Expand Computer Configuration.
  3. Right-click Restricted Groups.
  4. Click Add Group.
  5. Type the name of the group that you need to manage.
  6. Add the members that you want to be in the group and the groups of which that group can be a member.
  7. Click OK or Apply.

When the Group Policy is linked to a container, the Restricted Groups settings become effective for all computers in that container. You can force the policy to apply as soon as you link it, using the gpupdate command, or you can simply wait until the policy is refreshed automatically by the system.

TIP

When a Group Policy is linked to a container, you must ensure that no other policies that could change the results of the Group Policy are linked to the same container. Remember, the last one to "flip those switches" wins!

Security Auditing

A wise person once said "You don't get what you expect, you get what you inspect." You need to have a system in place that aids you in monitoring the security of your network. This includes an audit policy that determines what is to be audited and a person or persons responsible for regularly checking the security log to look for anything that doesn't seem to fit.

Windows Server 2003 provides the tools for auditing logons, resource access, account management, and more. Your audit policy determines what is written to the security log. The security log can then be read, archived, and printed with Event Viewer. Figure 3.4 shows the settings for Audit Policy in the Microsoft Management Console (MMC) named Default Domain Security Settings. Table 3.1 defines each of the settings that you could use in your audit policy. You can audit each of these settings for success, failure, or success and failure. Figure 3.5 shows an example of a security log in Event Viewer.

Figure 3.4Figure 3.4 The settings in your audit policy determine what is written to the security log.

Table 3.1 Audit Policy Settings

Policy

Definition

Audit Account Logon Events

Is set on a domain controller. Audits domain controller's authentication of a logon from another computer.

Audit Account Management

Audits activity that is generally associated with administrators, such as creating or renaming users or groups, or changing passwords.

Audit Directory Service Access

Audits objects in Active Directory that have their system access control list (SACL) set for auditing.

Audit Logon Events

Audits the local logon to a computer regardless of the role of the computer.

Audit Object Access

Audits the access of resource objects, such as a file, folder, printer, Registry key, and so on that have the system access control list (SACL) set for auditing.

Audit Policy Change

Audits changes to user rights assignment policies, audit policies, or trust policies.

Audit Privilege Use

Audits each instance of a user exercising a user right.

Audit Process Tracking

Audits events usually associated with applications, rather than users, such as program activation and handle duplication.

Audit System Events

Audits a user's restarting or shutting down of the system or any event that affects system security or the security log.


Figure 3.5Figure 3.5 You can view the results of a security audit in Event Viewer.

Designing the Administration of Servers

Managing an enterprise can be a cumbersome task, but Windows Server 2003 provides many tools to assist you in the efficient and safe management of your network, no matter how large it is. The tools with which you need to be familiar are as follows:

  • Microsoft Management Consoles (MMCs)
  • Remote Desktop Administration
  • Telnet
  • Remote Assistance

Microsoft Management Consoles

Using Microsoft Management Consoles (MMCs), you can create your own custom "toolboxes" that keep the tools you use most frequently all in one place. You can then share these toolboxes with other administrators whom you trust, or you can create another toolbox that has only the tools that they need. You can simply share the completed MMC in a folder to which the other administrator has access, and he can then use the MMC as well. Share it with Read permission so that the administrator who receives the MMC cannot change the file without also changing the name and the ownership of the file. To use the MMC tools, you must register the proper dynamic link libraries (DLLs). You can easily register most DLLs by entering adminpak.msi at a command prompt and following the Windows Server 2003 Administrative Tools Installation Wizard.

An MMC itself has no administration capability; it's only a toolbox that contains the real tools called snap-ins. These snap-ins are produced by Microsoft and many other vendors. They include most of the tools that you need to configure, manage, and monitor your network. Many of these tools can be used on the local computer or on a remote computer connected to the management console. Figure 3.6 shows an MMC that has been customized to hold tools for two different computers.

Figure 3.6Figure 3.6 You can build MMCs that hold tools for multiple computers.

Remote Desktop Administration

Remote Desktop Connection replaces the Remote Administration Mode for Terminal Services used in Windows 2000 Server. It provides a new interface that allows you to safely manage any computer that is configured to allow users to connect remotely. You can access Remote Desktop Connection by clicking Start, All Programs, Accessories, Communications, Remote Desktop Connection. You can then connect to the computer by entering the computer name and the password for that computer.

TIP

You must also be a member of the Remote Desktop Users security group to use Remote Desktop Connection. The administrator is a member of this group by default and can add other members.

You can control the resolution and other aspects of the "user experience" on the Remote Desktop Connection settings. Figure 3.7 shows the Remote Desktop Connection dialog box. These options allow you to configure your remote session based on the allowed bandwidth and other restrictions. Figure 3.8 shows the custom settings that you can configure on the Experience tab. You should use Remote Desktop Connection when you are making a connection to only one other computer or server.

Figure 3.7Figure 3.7 You can configure options for Remote Desktop Connection.

To make multiple simultaneous connections, use the Remote Desktops snap-in. This tool enables you to manage many servers as if you were sitting in front of each one of them. You can control each of the connections and encrypt the connection over the Remote Desktop Protocol (RDP). You can quickly switch between several remote desktops. Figure 3.9 shows an MMC with the Remote Desktops snap-in installed.

Figure 3.8Figure 3.8 You can configure custom settings on the Experience tab.

Figure 3.9Figure 3.9 You can control multiple remote connections from one interface with the Remote Desktops snap-in.

Telnet

In general, you use Remote Desktop Connection or the Remote Desktops snap-in to connect with any computers that are running Microsoft operating systems. This provides the most secure method of remote administration.

For other servers and network devices on your network, you can use Telnet. The Telnet application is part of the TCP/IP suite, and any network that is using TCP/IP can use it. The Telnet client is built in to Windows Server 2003 and provides a command-line interface to another server and limited functionality to configure the server (see Figure 3.10). Telnet does not provide security—all passwords and data are transmitted in clear text. If you use Telnet, you need to ensure that no sensitive information is being transmitted.

Figure 3.10Figure 3.10 You can configure servers and network devices on a command-line interface with Telnet.

CAUTION

Telnet is not recommended for remote administration of Microsoft computers because all data and commands are transmitted in clear text.

To access a computer or network device with Telnet, perform the following steps:

  1. Click Start.
  2. Click Run.
  3. Type telnet.
  4. Type open.
  5. Type the name of the host with which you want a connection.
  6. Type ? for help with further commands.

The list of commands that are available are based on the type of host to which you have connected. All commands are alphanumeric. In other words, you can't use your mouse or any type of GUI with Telnet. Table 3.2 lists some Telnet commands and the actions that they perform.

Table 3.2 Telnet Commands

Telnet Command

Action Performed

Open hostname

Establishes session with host

Close

Closes connection

Display

Shows current settings for client

Send

Gives additional commands as defined by the type of host

Set

Allows you to configure options when used with additional arguments, depending on the client

Unset

Turns off options that were previously set

Status

Determines connection status

?

Shows Help menu based on host

Quit

Closes Telnet client


Remote Assistance

Clients can request your assistance using the Remote Assistance tools, provided by Windows XP Professional, and you can respond to their requests and assist them through your Window Server 2003 network. After you are connected, you can view the client's computer and chat online. You can even take control of their mouse and keyboard with their permission. You can also upload files to them or download their files to your computer or central server. Remote Assistance communication can be based on Windows Messenger or Microsoft Outlook. Figure 3.11 shows the Remote Assistance console on a Windows XP Professional client.

Figure 3.11Figure 3.11 Clients can request your assistance using the Remote Assistance console.

Designing Security for Emergency Management Services

At this level, it almost goes without saying that you need to maintain redundant drives, power supplies, and server components. You also need to create backups of all data and configurations and keep copies offsite. This type of management activity is the day-to-day operations that help to keep the network operating smoothly, but what if something goes wrong?

Unfortunately, disasters, such as fires, floods, hurricanes, tornados, and earthquakes, do happen from time to time. Your Emergency Management Services design needs to include a disaster recovery plan (DRP) that takes these into account. Your DRP should focus on the disasters that are most common for your area. For example, you probably won't be concerned about earthquakes if you are located in Florida, and you wouldn't worry much about hurricanes in South Dakota.

In the event of a disaster of this magnitude, the main goal is to get the computers back up to the point that your company can do business before you go out of business permanently! Your DRP should address a plan to rebuild the network to a functioning state as quickly as possible, even if your whole building is destroyed. The details of this plan will, of course, vary, depending on the size and complexity of the company, but the main thing you need is a place to work. The types of alternative sites that you should consider in your DRP are as follows:

  • Hot site
  • Warm site
  • Cold site

Hot Sites

A hot site is a location that is up and running 24/7 with everything that you need to function. Its main advantage is that, in the event of a disaster, you can move into the hot site and resume normal business operations in a matter of hours. Another advantage is that it is possible to do a "dry run" and test the hot site.

The hot site should be close enough to be practical for employees, yet far enough away so as not to be taken down by the same disaster that took down your main site. You can maintain the hot site, or you can pay another company to provide the service. The main disadvantage of a hot site is the large cost associated with it. Typically, the potential loss of money is not enough to justify the cost of a hot site, so they are only used in organizations in which people's lives are at stake, such as highly sensitive governmental institutions or hospital networks.

Warm Sites

A warm site is a location that provides the space, electrical outlets, and communications lines that will be needed in the event of a disaster. It is not customized for one organization and might be used by many organizations in the event of a natural disaster. Typically, no computers are in place because it is assumed that the company will provide the computers when, and if, the time comes to use the site. The main advantage of this type of site is that it costs considerably less to maintain than a hot site. The main disadvantage of this type of site is that it is much more difficult to test your DRP from time to time.

Cold Sites

A cold site is a location that basically has four walls, a ceiling, and a bathroom! Typically, it's a prearranged agreement with another party to use their space if a disaster happens. There is very little planning involved in a cold site. The main advantage is that it costs very little. Two parties in different areas might even agree to let each other use a part of their building in the event of a disaster, so there is no cost to either party. The main disadvantage of a cold site is that it does not fully provide a quick transition back to normal business operations.

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020