
DESIGNING A MANAGEMENT INFRASTRUCTURE



Presentation Transcript


  1. Chapter 4 DESIGNING A MANAGEMENT INFRASTRUCTURE

  2. Chapter 4: Designing a Management Infrastructure
  MICROSOFT MANAGEMENT CONSOLE (MMC)
  • Provides most administrative capabilities
  • Most snap-ins connect over:
    • DCOM/RPC (TCP 135 endpoint mapper plus dynamic RPC ports)
    • SMB/CIFS (TCP 445, RPC over named pipes)
  • Neither transport encrypts by default: use IPsec to protect the privacy of snap-in traffic
  • Use firewalls so these ports are reachable only from management hosts
  • Use Group Policy settings to restrict which snap-ins users can load

  3. MMC TRAFFIC CAPTURED (packet-capture screenshot; not included in the transcript)

  4. REMOTE DESKTOP
  • Provides access to almost all administrative functions
  • Remote Desktop for Administration allows only two concurrent remote sessions (plus the console session)
  • Encryption is built in; where the platform supports it, require TLS and Network Level Authentication so the client can verify the server before it sends credentials
  • Changing the listening port (default TCP 3389) reduces exposure to worms and automated scanners, but it is obscurity rather than a control: also restrict the port to management addresses with a firewall
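The slide's port-change advice matters less than the listener's authentication and encryption settings. As an added example (not part of the course material), the following PowerShell reads the standard RDP listener registry values, scores the three that decide whether a client can be downgraded or fooled by a rogue server, and optionally fixes them. It assumes Windows Server 2008 or later (Server 2003's RDP 5.2 has no Network Level Authentication) and must run elevated; the -Fix switch is this script's own parameter, not a Windows feature.

```powershell
param([switch]$Fix)

# Standard Terminal Services keys; the listener values live under the RDP-Tcp WinStation.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"

function Get-RdpSetting([string]$Path, [string]$Name) {
    # Returns $null when the value is absent, meaning the Windows default applies.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Settings that matter for the security of the session itself:
#   UserAuthentication  1 = Network Level Authentication required (authenticate before a session exists)
#   SecurityLayer       0 = RDP security, 1 = negotiate, 2 = TLS required
#   MinEncryptionLevel  1 = low, 2 = client compatible, 3 = high (128-bit), 4 = FIPS
# A value at or above 'Want' passes.
$wanted = @(
    @{ Setting = 'UserAuthentication (1 = NLA)';  Path = $tcp; Name = 'UserAuthentication'; Want = 1 }
    @{ Setting = 'SecurityLayer (2 = TLS)';       Path = $tcp; Name = 'SecurityLayer';      Want = 2 }
    @{ Setting = 'MinEncryptionLevel (3 = High)'; Path = $tcp; Name = 'MinEncryptionLevel'; Want = 3 }
)

$report = foreach ($w in $wanted) {
    $actual = Get-RdpSetting $w.Path $w.Name
    $pass   = ($null -ne $actual) -and ($actual -ge $w.Want)
    if (-not $pass -and $Fix) {
        Set-ItemProperty -Path $w.Path -Name $w.Name -Value $w.Want -Type DWord
        $actual = $w.Want
        $pass   = $true
    }
    [pscustomobject]@{
        Setting = $w.Setting
        Actual  = if ($null -eq $actual) { 'not set (Windows default)' } else { $actual }
        Wanted  = $w.Want
        Pass    = $pass
    }
}

# The port is reported but not scored: moving it off 3389 only hides the listener from
# naive scanners. Restrict who can reach it with a firewall rule instead.
$port   = Get-RdpSetting $tcp 'PortNumber'
$denied = Get-RdpSetting $ts  'fDenyTSConnections'

$report | Format-Table -AutoSize
"Listening port: $(if ($null -eq $port) { '3389 (default)' } else { $port })"
"Remote Desktop connections: $(switch ($denied) { 0 { 'allowed' } 1 { 'denied' } default { 'not set' } })"
```

Run it once without -Fix to see the current state, then with -Fix to raise any failing value; new connections pick up the change, and clients older than RDP 6.0 will no longer connect once NLA is required.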

  5. REMOTE ASSISTANCE
  • Uses the same protocol as Remote Desktop (RDP)
  • Primarily used for managing desktop computers
  • The helper shares the user's session, which makes it useful for training users remotely

  6. TELNET
  • Unencrypted text-based management tool: credentials and every keystroke cross the network in cleartext
  • Client and server are included with Microsoft Windows (the server service is disabled by default)
  • Includes no mandatory security; anyone who can capture the traffic obtains the credentials
  • Should never be used; use SSH or Remote Desktop instead

  7. TELNET TRAFFIC CAPTURED (packet-capture screenshot; not included in the transcript)

  8. SECURE SHELL (SSH)
  • Encrypted text-based management tool
  • Primarily used for network devices and UNIX computers
  • Client and server were not included with Windows when this course was written; Cygwin was the usual source (Windows 10 and Windows Server 2019 and later ship an OpenSSH client and an optional OpenSSH Server feature)

  9. SNMP
  • Unencrypted management protocol (SNMPv1 and v2c)
  • Weak authentication: the community name is the only credential, and it is sent in cleartext with every request
  • Requests (Get/Set) are sent from the management station to the SNMP agent on each managed host (UDP 161)
  • Traps are unsolicited notifications sent from the agent back to the management station (UDP 162)
  • SNMPv3 adds authentication and encryption; the Windows SNMP service supports only v1 and v2c, so restrict it to read-only communities and to the management station addresses

  10. SNMP SECURITY CONFIGURATION (configuration screenshot; not included in the transcript)
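Slides 9 and 10 recommend restricting the Windows SNMP service rather than trusting community names. As an added example, not from the course, this PowerShell writes the service's registry configuration (the same values the Security tab of the SNMP service's Properties dialog edits): one read-only community, an explicit list of management stations, and authentication traps, then audits the result. The community name mon-ro and the manager address 10.0.99.20 are placeholders; the SNMP service feature must be installed and the script run elevated.

```powershell
# Added example (not from the course). The SNMP service reads its policy from these keys.
$params      = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'
$communities = "$params\ValidCommunities"   # value name = community, DWORD = rights code
$managers    = "$params\PermittedManagers"  # values "1","2",... = hosts allowed to send requests

# Rights codes the service uses for each community name
$Rights = @{ None = 1; Notify = 2; ReadOnly = 4; ReadWrite = 8; ReadCreate = 16 }

function Set-SnmpPolicy {
    param(
        [Parameter(Mandatory)][string]$Community,        # placeholder used below: 'mon-ro'
        [Parameter(Mandatory)][string[]]$ManagerAddress  # placeholder used below: '10.0.99.20'
    )
    # Drop every existing community (including the default 'public') and add one read-only name.
    Remove-Item -Path $communities -Recurse -ErrorAction SilentlyContinue
    New-Item -Path $communities -Force | Out-Null
    New-ItemProperty -Path $communities -Name $Community -PropertyType DWord -Value $Rights.ReadOnly -Force | Out-Null

    # An empty PermittedManagers key means "accept requests from any host", so list the stations.
    Remove-Item -Path $managers -Recurse -ErrorAction SilentlyContinue
    New-Item -Path $managers -Force | Out-Null
    $i = 1
    foreach ($addr in $ManagerAddress) {
        New-ItemProperty -Path $managers -Name "$i" -PropertyType String -Value $addr -Force | Out-Null
        $i++
    }

    # Raise a trap when a request arrives with an unknown community or from an unlisted host.
    Set-ItemProperty -Path $params -Name 'EnableAuthenticationTraps' -Value 1 -Type DWord
    Restart-Service -Name SNMP   # the service reads these keys only at start
}

function Test-SnmpPolicy {
    # Returns the list of weaknesses found, or 'OK'.
    $findings = @()
    $names = (Get-Item -Path $communities -ErrorAction SilentlyContinue).Property
    if (-not $names) { $findings += 'no communities configured (the service will answer nothing)' }
    foreach ($n in $names) {
        $rights = Get-ItemPropertyValue -Path $communities -Name $n
        if ($n -in @('public', 'private')) { $findings += "default community name '$n' is still configured" }
        if ($rights -ge $Rights.ReadWrite)  { $findings += "community '$n' has write rights (code $rights)" }
    }
    if (-not (Get-Item -Path $managers -ErrorAction SilentlyContinue).Property) {
        $findings += 'PermittedManagers is empty: requests are accepted from any address'
    }
    $traps = (Get-ItemProperty -Path $params -Name 'EnableAuthenticationTraps' -ErrorAction SilentlyContinue).EnableAuthenticationTraps
    if ($traps -ne 1) { $findings += 'authentication traps are disabled' }
    if ($findings.Count -eq 0) { 'OK' } else { $findings }
}

Set-SnmpPolicy -Community 'mon-ro' -ManagerAddress '10.0.99.20'
Test-SnmpPolicy
```

Restricting communities and managers limits who can use the names; it does not hide them. SNMPv1/v2c still sends the community in cleartext on every request, so anyone capturing traffic on the management network learns it, which is why the management network itself must be kept separate (slide 17) or the exchange wrapped in IPsec.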

  11. EMERGENCY MANAGEMENT SERVICES (EMS)
  • Remote administration that works when the operating system is offline or unresponsive
  • Requires support from the server hardware platform
  • Useful when the server or network has failed, such as during a denial-of-service (DoS) attack
  • Connect by network or serial port:
    • Connect only to a dedicated management network
    • Serial ports require a terminal concentrator for network access

  12. EMS WITH TERMINAL CONCENTRATOR (diagram; not included in the transcript)

  13. DESIGNING SECURITY FOR EMS
  • EMS itself offers little protection, so focus on the physical security of the console connections
  • Choose service processors that provide authentication and encryption
  • Choose terminal concentrators that provide strong authentication and support SSH

  14. MANAGING NETWORK LOAD BALANCING (NLB) AND SERVER CLUSTERS
  • Leave NLB remote control disabled (it is off by default, and its password-based protocol offers weak protection)
  • Use the Network Load Balancing Manager administration tool, which works over WMI, instead of Wlbs.exe remote control
  • Use virtual private networks (VPNs) to encrypt management traffic that crosses untrusted networks
  • Restrict access to the quorum disk and cluster log (these belong to server clusters, not to NLB)
  • Use a domain group, rather than individual accounts, to assign rights to manage the cluster

  15. MANAGING SHAREPOINT TEAM SERVICES
  • Disable the SharePoint Administration Web site if possible
  • If not:
    • Require SSL
    • Restrict access to the administration handlers Fpadmdll.dll and Fpadmcgi.exe
    • Change the default port number

  16. REMOTE WEB ADMINISTRATION OF IIS
  • Disable Remote Web Administration if possible
  • If not:
    • Require SSL
    • Change the default port number
    • Require IPsec
    • Carefully restrict administrative rights
    • Restrict access to administrative IP addresses

  17. DESIGNING A MANAGEMENT NETWORK
  • Create separate local area networks (LANs) for user connections and for managing servers
  • Connect only management computers and servers to the management network
  • Block management traffic (RDP, RPC/SMB administration, SNMP, SSH) on the interfaces that face the user network

  18. MANAGEMENT NETWORK DIAGRAM (diagram; not included in the transcript)

  19. DESIGNING A MANAGEMENT NETWORK WITH A GATEWAY
  • All management connections must go through a gateway server
  • Servers are configured (by firewall or IPsec policy) to allow management connections only from the gateway server
  • The gateway can enforce strong authentication even if the managed servers do not support it
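Slides 2, 17 and 19 describe the host side of this design: expose the management protocols only to the management network (or only to the gateway), block them on the user LAN, and put IPsec under the MMC transports. The following PowerShell is an added example, not from the course, using the Windows Firewall with Advanced Security cmdlets (Windows Server 2012 or later, domain-joined so Kerberos machine authentication is available). The subnets 10.0.99.0/24 (management) and 10.0.10.0/24 (users) and the gateway address 10.0.99.10 are assumptions; the example also covers WinRM, which this deck predates.

```powershell
# Added example (not from the course). Addresses are assumptions; replace them with your design.
$MgmtNet = '10.0.99.0/24'  # management LAN (slide 17)
$UserNet = '10.0.10.0/24'  # user LAN
$Gateway = '10.0.99.10'    # gateway server (slide 19)
$Allowed = $MgmtNet        # set to $Gateway to admit only the gateway
$Tag     = 'Management access (added example)'

# 1. Scope the built-in inbound management rule groups to the allowed source addresses and enable them.
#    'Remote Administration' carries the RPC/DCOM traffic MMC snap-ins use. SMB (File and Printer
#    Sharing) is deliberately left alone: on a file server users need it, and scoping it would cut them
#    off; the IPsec rule in step 3 protects the management side of that path instead.
foreach ($grp in 'Remote Desktop', 'Remote Administration', 'Windows Remote Management') {
    Get-NetFirewallRule -DisplayGroup $grp -Direction Inbound -ErrorAction SilentlyContinue |
        Set-NetFirewallRule -RemoteAddress $Allowed -Enabled True
}

# 2. Explicit block from the user LAN. Block rules take precedence over allow rules in Windows Firewall,
#    so this holds even if someone later adds an unscoped allow rule for the same ports. Omit the dynamic
#    RPC range on servers whose users legitimately call RPC services (domain controllers, Exchange).
New-NetFirewallRule -DisplayName "$Tag - block TCP management from user LAN" -Group $Tag `
    -Direction Inbound -Action Block -Protocol TCP `
    -LocalPort 3389, 135, 5985, 5986, '49152-65535' -RemoteAddress $UserNet | Out-Null
New-NetFirewallRule -DisplayName "$Tag - block SNMP from user LAN" -Group $Tag `
    -Direction Inbound -Action Block -Protocol UDP -LocalPort 161 -RemoteAddress $UserNet | Out-Null

# 3. Require authenticated, encrypted IPsec for the MMC transports (RPC endpoint mapper, dynamic RPC,
#    SMB) from the management side. Windows' default quick-mode proposals allow integrity-only SAs,
#    so an explicit ESP/AES-256 crypto set is needed for the privacy slide 2 asks for.
$auth   = New-NetIPsecPhase1AuthSet -DisplayName "$Tag - machine Kerberos" `
              -Proposal (New-NetIPsecAuthProposal -Machine -Kerberos)
$crypto = New-NetIPsecQuickModeCryptoSet -DisplayName "$Tag - ESP AES256" `
              -Proposal (New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA256 -Encryption AES256)
New-NetIPsecRule -DisplayName "$Tag - IPsec for RPC and SMB" -Group $Tag `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $auth.Name -QuickModeCryptoSet $crypto.Name `
    -Protocol TCP -LocalPort 135, 445, '49152-65535' -RemoteAddress $Allowed | Out-Null

# 4. Show which management rules are active and from where they accept traffic.
foreach ($grp in $Tag, 'Remote Desktop', 'Remote Administration', 'Windows Remote Management') {
    Get-NetFirewallRule -DisplayGroup $grp -Enabled True -ErrorAction SilentlyContinue | ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        '{0,-6} {1,-60} from {2}' -f $_.Action, $_.DisplayName, $addr
    }
}
```

Two caveats a practitioner should keep in mind. First, the firewall cannot separate administrative named-pipe traffic from ordinary file-share traffic on TCP 445, so on a server that serves files to users the SMB path to MMC remains reachable from the user LAN; the IPsec requirement only protects the management-side connections. Second, because the IPsec rule uses InboundSecurity Require, a management host that is not domain-joined or has no matching rule will be refused for RPC and SMB until it is.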

  20. MANAGEMENT NETWORK WITH GATEWAY DIAGRAM (diagram; not included in the transcript)

  21. AUTHENTICATING ADMINISTRATORS
  • Require strong authentication for administrators
  • Use the Remote Authentication Dial-In User Service (RADIUS) protocol for centralized authentication
  • Use Internet Authentication Service (IAS) to connect RADIUS clients to Active Directory (IAS became Network Policy Server (NPS) in Windows Server 2008)

  22. BEST PRACTICES FOR USING ADMINISTRATIVE RIGHTS
  • Log on to your desktop with an ordinary user account
  • Log on to servers with a separate administrative account, and only when administering them
  • Delegate the responsibility of managing privileged group memberships
  • Fine-tune administrative access:
    • Use the Delegation of Control Wizard to assign granular rights
    • Use Group Policy software restriction policies to prevent administrative accounts from running unnecessary applications

  23. SUMMARY
  • Most enterprises use MMC, Remote Desktop, SSH, and SNMP for different management tasks
  • Use EMS for out-of-band management control, but do not rely on its built-in security
  • Design a separate network for remote management, and block management protocols on other interfaces
  • Limit the users who have administrative rights, and restrict the level of administrative rights they hold
