Chapter 4 DESIGNING A MANAGEMENT INFRASTRUCTURE
Chapter 4: Designing a Management Infrastructure MICROSOFT MANAGEMENT CONSOLE (MMC) • Provides most administrative capabilities • Most snap-ins use: • DCOM/RPCs • SMB/CIFS • Use IPSec to protect privacy • Use firewalls to protect against attacks • Use Group Policy settings to restrict snap-in usage
Chapter 4: Designing a Management Infrastructure MMC TRAFFIC CAPTURED
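The "restrict snap-in usage" point above, as an added PowerShell example that is not part of the original slides. It writes the same registry policy that the Group Policy setting "Restrict users to the explicitly permitted list of snap-ins" produces, resolving snap-in names to CLSIDs from the local MMC registration. In production this is set in a GPO; writing it to HKCU here lets one account be tested. The permitted snap-in names are assumptions.

```powershell
# Added example (not from the original slides): allow only a named list of MMC snap-ins.
# Assumption: the NameString values 'Event Viewer' and 'Services' exist on this host.
$permitted = @('Event Viewer', 'Services')

# Installed snap-ins are registered under HKLM:\SOFTWARE\Microsoft\MMC\SnapIns\{CLSID},
# each with a NameString value; build a name -> CLSID table from there.
$installed = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\MMC\SnapIns' | ForEach-Object {
    [pscustomobject]@{
        Clsid = $_.PSChildName
        Name  = (Get-ItemProperty -Path $_.PSPath -Name NameString -ErrorAction SilentlyContinue).NameString
    }
}

# Policy root used by MMC (mirrors what the GPO writes for the user).
$policyRoot = 'HKCU:\Software\Policies\Microsoft\MMC'
if (-not (Test-Path $policyRoot)) { New-Item -Path $policyRoot -Force | Out-Null }

# 1 = only explicitly permitted snap-ins may load; every other snap-in is refused.
Set-ItemProperty -Path $policyRoot -Name 'RestrictToPermittedSnapins' -Value 1 -Type DWord

foreach ($snapin in ($installed | Where-Object { $permitted -contains $_.Name })) {
    $key = Join-Path $policyRoot $snapin.Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key | Out-Null }
    # Restrict_Run 0 = permitted (what the GPO writes for an 'Enabled' snap-in), 1 = blocked.
    Set-ItemProperty -Path $key -Name 'Restrict_Run' -Value 0 -Type DWord
    "Permitted: $($snapin.Name) $($snapin.Clsid)"
}

# Anything not listed above now fails to load in mmc.exe for this account.
```

Remember that this controls the MMC user interface only: an administrator can still reach the same RPC and SMB interfaces with other tools, so the firewall and IPsec controls on the next slides are what actually limit who can manage the server.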
Chapter 4: Designing a Management Infrastructure REMOTE DESKTOP • Provides access to almost all administrative functions • Limited to two concurrent remote administration sessions, plus the console session • Encrypts the session; require the high encryption level or TLS, because the default negotiates down to what the client supports • Change the port number to reduce exposure to worms and scanners that target TCP 3389; this is obscurity only, so still restrict the source addresses that may connect
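The Remote Desktop hardening above, as an added PowerShell example that is not part of the original slides. It sets the listener to TLS with Network Level Authentication and the high encryption level, moves it off TCP 3389, and replaces the built-in "allow from anywhere" rule with one scoped to the management subnet. The NetSecurity cmdlets assume Windows Server 2012 or later; the port and subnet are assumptions.

```powershell
# Added example (not from the original slides): harden the RDP listener on one server.
# Assumes Windows Server 2012+ for the NetSecurity cmdlets; run from an elevated session.
$rdpKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$newPort    = 33890             # assumption: any free port; obscurity only, the rules below do the work
$mgmtSubnet = '10.10.250.0/24'  # assumption: the dedicated management LAN

# 1. Authentication and encryption.
#    SecurityLayer 2 = TLS; UserAuthentication 1 = NLA required; MinEncryptionLevel 3 = High (4 = FIPS).
Set-ItemProperty -Path $rdpKey -Name 'SecurityLayer'      -Value 2 -Type DWord
Set-ItemProperty -Path $rdpKey -Name 'UserAuthentication' -Value 1 -Type DWord
Set-ItemProperty -Path $rdpKey -Name 'MinEncryptionLevel' -Value 3 -Type DWord

# 2. Move the listener off TCP/3389.
Set-ItemProperty -Path $rdpKey -Name 'PortNumber' -Value $newPort -Type DWord

# 3. The built-in 'Remote Desktop' rule group opens 3389 to any source; disable it and add
#    one rule for the new port that answers only the management subnet.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName "RDP $newPort from management LAN only" -Direction Inbound `
    -Protocol TCP -LocalPort $newPort -RemoteAddress $mgmtSubnet -Action Allow -Profile Domain | Out-Null

# 4. Restart the listener so the port change takes effect (existing sessions are dropped),
#    then confirm what is actually listening.
Restart-Service -Name TermService -Force
Get-NetTCPConnection -State Listen -LocalPort $newPort |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Run this from the console or an out-of-band channel, not over the RDP session being reconfigured: restarting TermService disconnects it, and if the new firewall rule is wrong you have just locked yourself out.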
Chapter 4: Designing a Management Infrastructure REMOTE ASSISTANCE • Same protocol as Remote Desktop • Primarily used for managing desktop computers • Enables interactively training users remotely
Chapter 4: Designing a Management Infrastructure TELNET • Unencrypted text-based management tool • Client and server included with Microsoft Windows, but disabled or installed as optional components by default • Includes no mandatory security: credentials and every command cross the network in cleartext • Should never be used; use SSH or Remote Desktop instead
Chapter 4: Designing a Management Infrastructure TELNET TRAFFIC CAPTURED
Chapter 4: Designing a Management Infrastructure SECURE SHELL (SSH) • Encrypted text-based management tool • Primarily used for network devices and UNIX computers • Client and server not included with the Windows versions this chapter covers; download Cygwin (current Windows releases ship OpenSSH client and server as optional features)
Chapter 4: Designing a Management Infrastructure SNMP • Unencrypted management tool: with SNMPv1 and v2c the community name and all data cross the network in cleartext • Weak authentication with SNMP community names, which act as shared passwords • Most SNMP requests are polls sent from the management station (manager) to the managed host (agent) • SNMP traps are unsolicited notifications from the agent to the manager • SNMPv3 adds authentication and encryption, but the Windows SNMP service supports only v1 and v2c
Chapter 4: Designing a Management Infrastructure SNMP SECURITY CONFIGURATION
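The SNMP security configuration above, as an added PowerShell example that is not part of the original slides. It drives the Windows SNMP service through the registry keys that the service's property page writes: the default "public" community is removed, one read-only community is defined, packets are accepted only from the monitoring station, authentication-failure traps are enabled, and UDP/161 is opened to that station alone. The community name and addresses are assumptions.

```powershell
# Added example (not from the original slides): lock down the Windows SNMP service.
# Assumes the SNMP service is installed and Windows Server 2012+ for the firewall cmdlets.
$params    = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'
$community = 'n3tmon-ro-7Q2x'   # assumption: long, non-dictionary; still travels in cleartext
$managerIP = '10.10.250.20'     # assumption: the monitoring station on the management LAN

function Reset-RegistryValues([string]$Key) {
    # Create the key if needed and clear every value under it (drops 'public' etc.).
    if (-not (Test-Path $Key)) { New-Item -Path $Key | Out-Null }
    $names = (Get-Item $Key).Property
    foreach ($n in $names) { Remove-ItemProperty -Path $Key -Name $n }
}

# Community rights: 1 = NONE, 2 = NOTIFY, 4 = READ ONLY, 8 = READ WRITE, 16 = READ CREATE.
$valid = Join-Path $params 'ValidCommunities'
Reset-RegistryValues $valid
New-ItemProperty -Path $valid -Name $community -PropertyType DWord -Value 4 | Out-Null

# Accept packets only from the manager. Entries are named '1', '2', ...; an empty key
# means "accept SNMP packets from any host", which is what must be avoided.
$managers = Join-Path $params 'PermittedManagers'
Reset-RegistryValues $managers
New-ItemProperty -Path $managers -Name '1' -PropertyType String -Value $managerIP | Out-Null

# Trap destination for this community, plus traps on failed community-name checks,
# which is the only signal you get of someone guessing community strings.
$trapKey = Join-Path $params "TrapConfiguration\$community"
Reset-RegistryValues $trapKey
New-ItemProperty -Path $trapKey -Name '1' -PropertyType String -Value $managerIP | Out-Null
Set-ItemProperty -Path $params -Name 'EnableAuthenticationTraps' -Value 1 -Type DWord

# Firewall: the built-in 'SNMP Service' group allows UDP/161 from anywhere; scope it.
Get-NetFirewallRule -DisplayGroup 'SNMP Service' -ErrorAction SilentlyContinue | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'SNMP from monitoring station only' -Direction Inbound `
    -Protocol UDP -LocalPort 161 -RemoteAddress $managerIP -Action Allow | Out-Null

Restart-Service -Name SNMP
```

None of this makes the community name secret on the wire; anyone who can capture traffic between agent and manager reads it. Treat the read-only community as low-value, never grant READ WRITE, and keep SNMP on the management network described later in this chapter.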
Chapter 4: Designing a Management Infrastructure EMERGENCY MANAGEMENT SERVICES (EMS) • Out-of-band administration that works when the operating system is not responding, is still booting, or is offline • Requires support by the server hardware platform • Useful when the server or network has failed, such as during a denial-of-service (DoS) attack • Connect by network or serial port: • Should only be connected to a dedicated management network • Serial ports require a terminal concentrator for network access
Chapter 4: Designing a Management Infrastructure EMS WITH TERMINAL CONCENTRATOR
Chapter 4: Designing a Management Infrastructure DESIGNING SECURITY FOR EMS • Focus on physical security • Choose service processors that provide authentication and encryption • Choose terminal concentrators that provide strong authentication and support SSH
Chapter 4: Designing a Management Infrastructure MANAGING NETWORK LOAD BALANCING (NLB) • Leave NLB remote control disabled (it is protected only by a password carried over UDP) • Use the Network Load Balancing Manager administration tool instead of Wlbs.exe • Use virtual private networks (VPNs) to encrypt management traffic • Restrict access to the quorum disk and cluster log (these belong to server clusters; NLB has no shared storage) • Use a domain group to assign rights to manage the cluster
Chapter 4: Designing a Management Infrastructure MANAGING SHAREPOINT TEAM SERVICES • Disable the SharePoint Administration Web site if possible • If not: • Require SSL • Restrict access to Fpadmdll.dll and Fpadmcgi.exe • Change the default port number
Chapter 4: Designing a Management Infrastructure REMOTE WEB ADMINISTRATION OF IIS • Disable Remote Web Administration if possible • If not: • Require SSL • Change the default port number • Require IPSec • Carefully restrict administrative rights • Restrict access to administrative IP addresses
Chapter 4: Designing a Management Infrastructure DESIGNING A MANAGEMENT NETWORK • Create separate local area networks (LANs) for user connections and for managing servers • Connect only management computers and servers to the management network • Block management traffic on the user network
Chapter 4: Designing a Management Infrastructure MANAGEMENT NETWORK DIAGRAM
Chapter 4: Designing a Management Infrastructure DESIGNING A MANAGEMENT NETWORK WITH A GATEWAY • All management connections must go through a gateway server • Servers are configured to allow only management connections from the gateway server • Gateway server can enforce strong authentication even if servers do not support it
Chapter 4: Designing a Management Infrastructure MANAGEMENT NETWORK WITH GATEWAY DIAGRAM
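The MMC slide at the start of the chapter (IPsec for privacy, firewalls against attack) and the gateway design above both come down to the same per-server configuration. The following is an added PowerShell example, not part of the original slides: it disables the built-in rule groups that open management protocols to any source, opens RDP, WinRM, SMB and RPC to the gateway address only, and requires IPsec with ESP encryption on those connections so snap-in traffic cannot be captured in the clear. It assumes Windows Server 2012 or later and a domain-joined gateway, so the default IPsec authentication (computer Kerberos) works; the gateway address is an assumption. Without a gateway, substitute the management subnet.

```powershell
# Added example (not from the original slides): accept management connections only from
# the management gateway, and require IPsec on them. Assumes Windows Server 2012+ and a
# domain-joined gateway (default IPsec auth = computer Kerberos). Run elevated.
$gateway = '10.10.250.10'   # assumption: the management gateway / jump server

# 1. Built-in rule groups that, when enabled, answer management protocols from any source.
$openGroups = @('Remote Desktop', 'Windows Remote Management', 'File and Printer Sharing',
                'Remote Administration', 'Remote Service Management', 'Remote Event Log Management')
Get-NetFirewallRule -DisplayGroup $openGroups -ErrorAction SilentlyContinue | Disable-NetFirewallRule

# 2. Anything not explicitly allowed inbound is dropped, on every profile.
Set-NetFirewallProfile -All -DefaultInboundAction Block

# 3. Quick-mode crypto set that encrypts; the Windows default proposals are integrity-only.
$proposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
New-NetIPsecQuickModeCryptoSet -Name 'MgmtEspAes256' -DisplayName 'Mgmt ESP AES-256/SHA-256' `
    -Proposal $proposal | Out-Null

# 4. Connection security rule: all inbound TCP from the gateway must be IPsec-protected.
New-NetIPsecRule -DisplayName 'Mgmt: IPsec required from gateway' -Direction Inbound `
    -Protocol TCP -RemoteAddress $gateway -InboundSecurity Require -OutboundSecurity Request `
    -QuickModeCryptoSet 'MgmtEspAes256' | Out-Null

# 5. Management listeners, opened to the gateway only and only over authenticated,
#    encrypted IPsec. RPCEPMap/RPC are the firewall's keywords for TCP 135 and the
#    dynamic RPC range that DCOM and most MMC snap-ins use.
$listeners = @(
    @{ Name = 'RDP';                                 Port = 3389 },
    @{ Name = 'WinRM over HTTPS';                    Port = 5986 },
    @{ Name = 'SMB/CIFS';                            Port = 445 },
    @{ Name = 'RPC endpoint mapper';                 Port = 'RPCEPMap' },
    @{ Name = 'RPC dynamic ports (DCOM, MMC snap-ins)'; Port = 'RPC' }
)
foreach ($l in $listeners) {
    New-NetFirewallRule -DisplayName "Mgmt: $($l.Name) from gateway only" -Direction Inbound `
        -Protocol TCP -LocalPort $l.Port -RemoteAddress $gateway -Action Allow -Profile Domain `
        -Authentication Required -Encryption Required | Out-Null
}

# 6. Verify: every 'Mgmt:' rule should show the gateway as its only remote address.
Get-NetFirewallRule -DisplayName 'Mgmt: *' | Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress -Unique
```

Apply this to a test server first and confirm a snap-in connection from the gateway succeeds and one from a user-LAN workstation times out; with the default inbound action set to Block, a typo in `$gateway` cuts off all remote management, which is exactly the situation EMS on the previous slides exists for.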
Chapter 4: Designing a Management Infrastructure AUTHENTICATING ADMINISTRATORS • Require strong authentication for administrators • Use Remote Authentication Dial-In User Service (RADIUS) protocol for centralized authentication • Use Internet Authentication Service (IAS) to connect RADIUS clients to Active Directory
Chapter 4: Designing a Management Infrastructure BEST PRACTICES FOR USING ADMINISTRATIVE RIGHTS • Use an ordinary user account for everyday work on your desktop • Use a separate administrative account only when logging on to servers • Delegate the responsibility of managing privileged group memberships • Fine-tune administrative access: • Delegation of Control Wizard to assign granular rights • Group Policy software restrictions to prevent administrative accounts from running unnecessary applications such as browsers and mail clients
Chapter 4: Designing a Management Infrastructure SUMMARY • Most enterprises use MMC, Remote Desktop, SSH, and SNMP for different management tasks • Use EMS for out-of-band management control, but do not rely on built-in security • Design a separate network for remote management, and block management protocols on other interfaces • Limit users who have administrative rights, and restrict the level of administrative rights