Chapter 4: Designing a Management Infrastructure
MICROSOFT MANAGEMENT CONSOLE (MMC)
- Provides most administrative capabilities
- Most snap-ins use:
  - DCOM/RPCs
  - SMB/CIFS
- Use IPSec to protect privacy
- Use firewalls to protect against attacks
- Use Group Policy settings to restrict snap-in usage
MMC TRAFFIC CAPTURED [screenshot slide; image not included in the transcript]
REMOTE DESKTOP
- Provides access to almost all administrative functions
- Limited to two or three users simultaneously
- Has encryption built in
- Change port number to reduce the risk of worms
REMOTE ASSISTANCE
- Same protocol as Remote Desktop
- Primarily used for managing desktop computers
- Enables interactively training users remotely
TELNET
- Unencrypted text-based management tool
- Client and server included with Microsoft Windows computers
- Includes no mandatory security
- Should never be used
TELNET TRAFFIC CAPTURED [screenshot slide; image not included in the transcript]
SECURE SHELL (SSH)
- Encrypted text-based management tool
- Primarily used for network devices and UNIX computers
- Client and server not included with Windows
- Download Cygwin
SNMP
- Unencrypted management tool
- Weak authentication with SNMP community names
- Most SNMP requests are sent from the management server to the managed client
- SNMP traps are notifications sent from the client to the server
SNMP SECURITY CONFIGURATION [screenshot slide; image not included in the transcript]
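As an added example (not part of the slides or the course material), the following Python decodes the header of an SNMPv1/v2c message to show that the community name used for authentication travels in cleartext, and classifies the message the way a defender monitoring the management network would. The sample packets, community names and the sysName request they carry are constructed for the demonstration; the BER encoder and decoder are minimal (definite lengths only) and are not a full SNMP implementation.

```python
# Added example (not from the slides): minimal BER handling for the SNMPv1/v2c
# message header, to show where the community name sits and to classify
# captured messages by risk. All packets below are constructed for the demo.

SNMP_VERSION_NAMES = {0: "v1", 1: "v2c", 3: "v3"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}


def ber_tlv(tag, value):
    """Encode one BER TLV (short or long definite-length form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def ber_int(value):
    """Encode a non-negative INTEGER (enough for version, request-id, errors)."""
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big")
    return ber_tlv(0x02, body)


def build_community_packet(version, community, pdu_type=0xA0, request_id=1):
    """Constructed v1/v2c message with one varbind for sysName.0 (1.3.6.1.2.1.1.5.0)."""
    varbind = ber_tlv(0x30, ber_tlv(0x06, bytes.fromhex("2b06010201010500")) + ber_tlv(0x05, b""))
    pdu_body = ber_int(request_id) + ber_int(0) + ber_int(0) + ber_tlv(0x30, varbind)
    return ber_tlv(0x30, ber_int(version) + ber_tlv(0x04, community.encode()) + ber_tlv(pdu_type, pdu_body))


def read_tlv(buf, pos=0):
    """Decode one BER TLV at pos; returns (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(packet):
    """Return version, community (None for v3) and PDU type of an SNMP message."""
    tag, msg, _ = read_tlv(packet)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    tag, ver, pos = read_tlv(msg)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = int.from_bytes(ver, "big")
    if version == 3:
        # v3 carries msgGlobalData here, not a community string
        return {"version": version, "community": None, "pdu_type": None}
    tag, community, pos = read_tlv(msg, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    pdu_tag, _, _ = read_tlv(msg, pos)
    return {"version": version, "community": community.decode("latin-1"), "pdu_type": pdu_tag}


def assess(packet):
    """Defender's view: a v1/v2c SetRequest with a cleartext community is the worst case."""
    hdr = parse_snmp_header(packet)
    if hdr["version"] == 3:
        return "ok: SNMPv3 (authentication and privacy available)"
    name = SNMP_VERSION_NAMES.get(hdr["version"], "unknown")
    pdu = PDU_NAMES.get(hdr["pdu_type"], hex(hdr["pdu_type"]))
    severity = "HIGH" if hdr["pdu_type"] == 0xA3 else "MEDIUM"
    return f"{severity}: SNMP{name} {pdu} with cleartext community '{hdr['community']}'"


# constructed samples: a v1 read and a v2c write
SAMPLE_V1_GET = build_community_packet(0, "public")
SAMPLE_V2C_SET = build_community_packet(1, "private", pdu_type=0xA3, request_id=42)

if __name__ == "__main__":
    for pkt in (SAMPLE_V1_GET, SAMPLE_V2C_SET):
        print(pkt.hex())
        print(assess(pkt))
```

Running it prints the hex of each constructed packet followed by the assessment; the community name is visible as the ASCII bytes immediately after the version field, which is exactly what a sniffer on a shared segment sees. Applying assess() to traffic leaving the management network gives a quick inventory of which agents still answer v1/v2c and which community names are in use, which is the input you need before restricting accepted hosts or moving to SNMPv3.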
EMERGENCY MANAGEMENT SERVICES (EMS)
- Remote administration that works when the operating system is offline
- Requires support by the server hardware platform
- Useful when the server or network has failed, such as during a denial-of-service (DoS) attack
- Connect by network or serial port:
  - Should only be connected to a dedicated management network
  - Serial ports require a terminal concentrator for network access
EMS WITH TERMINAL CONCENTRATOR [diagram slide; image not included in the transcript]
DESIGNING SECURITY FOR EMS
- Focus on physical security
- Choose service processors that provide authentication and encryption
- Choose terminal concentrators that provide strong authentication and support SSH
MANAGING NETWORK LOAD BALANCING (NLB)
- Leave remote access disabled
- Use the Network Load Balancing Manager administration tool instead of Wlbs.exe
- Use virtual private networks (VPNs) to provide network encryption
- Restrict access to the quorum disk and cluster log
- Use a domain group to assign rights to manage the cluster
MANAGING SHAREPOINT TEAM SERVICES
- Disable the SharePoint Administration Web site if possible
- If not:
  - Require SSL
  - Restrict access to Fpadmdll.dll and Fpadmcgi.exe
  - Change the default port number
REMOTE WEB ADMINISTRATION OF IIS
- Disable Remote Web Administration if possible
- If not:
  - Require SSL
  - Change the default port number
  - Require IPSec
  - Carefully restrict administrative rights
  - Restrict access to administrative IP addresses
DESIGNING A MANAGEMENT NETWORK
- Create separate local area networks (LANs) for user connections and for managing servers
- Connect only management computers and servers to the management network
- Block management traffic on the user network
MANAGEMENT NETWORK DIAGRAM [diagram slide; image not included in the transcript]
DESIGNING A MANAGEMENT NETWORK WITH A GATEWAY
- All management connections must go through a gateway server
- Servers are configured to allow only management connections from the gateway server
- Gateway server can enforce strong authentication even if servers do not support it
MANAGEMENT NETWORK WITH GATEWAY DIAGRAM [diagram slide; image not included in the transcript]
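The two designs above (a separate management LAN where management traffic is blocked on the user network, and the gateway variant where servers accept management connections only from the gateway server) can be written down as a small policy and checked against flow records. This is an added example, not part of the slides; the address plan (10.10.0.0/16 user LAN, 10.20.0.0/24 server LAN, 10.99.0.0/24 management LAN, gateway 10.99.0.10), the port list and the flow records are all constructed for the demonstration. Telnet is denied everywhere, following the earlier slide's "should never be used".

```python
# Added example (not from the slides): a policy check a defender can run over
# flow records to confirm the management-network design. Constructed address plan:
#   user LAN        10.10.0.0/16   (workstations)
#   server LAN      10.20.0.0/24   (managed servers)
#   management LAN  10.99.0.0/24   (admin workstations and the gateway)
#   gateway         10.99.0.10     (the only host allowed to manage servers)
import ipaddress
import re

USER_NET = ipaddress.ip_network("10.10.0.0/16")
SERVER_NET = ipaddress.ip_network("10.20.0.0/24")
MGMT_NET = ipaddress.ip_network("10.99.0.0/24")
GATEWAY = ipaddress.ip_address("10.99.0.10")

# management protocols named in the chapter and their usual ports
MGMT_PORTS = {
    ("tcp", 23): "telnet", ("tcp", 22): "ssh", ("tcp", 3389): "rdp",
    ("tcp", 135): "rpc/dcom", ("tcp", 445): "smb/cifs",
    ("udp", 161): "snmp", ("udp", 162): "snmp-trap",
}

# constructed record format: "<timestamp> <src> -> <dst>:<dport> <proto>"
FLOW_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (tcp|udp)$")


def parse_flow(line):
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    ts, src, dst, dport, proto = m.groups()
    return {"ts": ts, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "dport": int(dport), "proto": proto}


def evaluate_flow(flow):
    """Return (verdict, reason). Policy:
       1. telnet is denied everywhere (unencrypted);
       2. management protocols never originate on the user LAN;
       3. a server accepts management protocols only from the gateway;
       4. anything else is outside this policy and allowed."""
    service = MGMT_PORTS.get((flow["proto"], flow["dport"]))
    if service is None:
        return "allow", "not a management protocol"
    if service == "telnet":
        return "deny", "telnet is unencrypted and must not be used"
    if flow["src"] in USER_NET:
        return "deny", f"{service} originating on user LAN"
    if flow["dst"] in SERVER_NET and flow["src"] != GATEWAY:
        return "deny", f"{service} to server from {flow['src']} (only the gateway may manage servers)"
    return "allow", f"{service} from {flow['src']} permitted"


def audit(lines):
    """Evaluate each flow record; return the denied ones as (line, reason)."""
    findings = []
    for line in lines:
        verdict, reason = evaluate_flow(parse_flow(line))
        if verdict == "deny":
            findings.append((line, reason))
    return findings


# constructed flow records
SAMPLE_FLOWS = [
    "2024-03-01T09:00:01 10.10.4.17 -> 10.20.0.5:3389 tcp",   # RDP straight from a user PC
    "2024-03-01T09:00:02 10.99.0.10 -> 10.20.0.5:3389 tcp",   # RDP via the gateway
    "2024-03-01T09:00:03 10.99.0.21 -> 10.20.0.7:22 tcp",     # admin workstation bypassing the gateway
    "2024-03-01T09:00:04 10.99.0.10 -> 10.20.0.9:23 tcp",     # telnet, even from the gateway
    "2024-03-01T09:00:05 10.10.4.17 -> 10.20.0.5:443 tcp",    # ordinary HTTPS from a user
    "2024-03-01T09:00:06 10.20.0.5 -> 10.99.0.10:162 udp",    # SNMP trap, server -> management station
]

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {line}  ({reason})")
```

The same evaluate_flow() rule set doubles as the specification for the firewall or IPSec filters between the LANs: its denies are the rules the user-network edge and each server's host filter must enforce, and audit() over a real flow export finds the management sessions that bypass the gateway.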
AUTHENTICATING ADMINISTRATORS
- Require strong authentication for administrators
- Use the Remote Authentication Dial-In User Service (RADIUS) protocol for centralized authentication
- Use Internet Authentication Service (IAS) to connect RADIUS clients to Active Directory
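To make the "centralized authentication" step concrete, here is the RADIUS Access-Request/Access-Accept exchange of RFC 2865 with both the client (the gateway or network device) and the server (the role IAS plays in front of Active Directory) in one file. It is an added example, not code from the slides or from Microsoft; the user name, password, shared secret and identifier are constructed, and the server checks a local dictionary where IAS would consult Active Directory.

```python
# Added example (not from the slides): RFC 2865 Access-Request / Access-Accept
# with both sides in one file. Secrets, credentials and identifiers are constructed.
import hashlib
import hmac
import os

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def encode_attrs(attrs):
    """Attribute = Type(1) Length(1, including this header) Value."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def decode_attrs(data):
    attrs, pos = [], 0
    while pos < len(data):
        t, length = data[pos], data[pos + 1]
        attrs.append((t, data[pos + 2:pos + length]))
        pos += length
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: each 16-byte block is XORed with MD5(secret + previous
    block); the first block uses MD5(secret + Request Authenticator)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def unhide_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs_bytes):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    length = 20 + len(attrs_bytes)
    return bytes([code, ident]) + length.to_bytes(2, "big") + authenticator + attrs_bytes


def response_authenticator(code, ident, attrs_bytes, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(attrs_bytes)
    return hashlib.md5(bytes([code, ident]) + length.to_bytes(2, "big")
                       + request_auth + attrs_bytes + secret).digest()


def client_access_request(ident, username, password, secret, request_auth):
    attrs = encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
    ])
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def server_handle(packet, secret, credentials):
    """Server side: recover the password, check it, sign the reply."""
    code, ident = packet[0], packet[1]
    length = int.from_bytes(packet[2:4], "big")
    request_auth = packet[4:20]
    if code != ACCESS_REQUEST:
        raise ValueError("unexpected RADIUS code %d" % code)
    attrs = dict(decode_attrs(packet[20:length]))
    username = attrs.get(ATTR_USER_NAME, b"").decode()
    password = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    # the demo keeps a plaintext dictionary; IAS would hand this to Active Directory
    accepted = hmac.compare_digest(credentials.get(username, b"\x00"), password)
    reply_code = ACCESS_ACCEPT if accepted else ACCESS_REJECT
    auth = response_authenticator(reply_code, ident, b"", request_auth, secret)
    return build_packet(reply_code, ident, auth, b"")


def client_check_response(response, ident, request_auth, secret):
    """Return (authentic, accepted). A reply is authentic only if its Response
    Authenticator verifies, i.e. the sender knew the shared secret."""
    code, resp_ident = response[0], response[1]
    length = int.from_bytes(response[2:4], "big")
    expected = response_authenticator(code, resp_ident, response[20:length], request_auth, secret)
    authentic = resp_ident == ident and hmac.compare_digest(expected, response[4:20])
    return authentic, authentic and code == ACCESS_ACCEPT


def run_exchange(username, password, client_secret, server_secret, credentials, request_auth=None):
    """Drive one request/response pair; separate secrets let a mismatch be shown."""
    request_auth = request_auth or os.urandom(16)  # fresh random value per request
    ident = 7
    request = client_access_request(ident, username, password, client_secret, request_auth)
    response = server_handle(request, server_secret, credentials)
    return client_check_response(response, ident, request_auth, client_secret)


CREDENTIALS = {"admin.jsmith": b"S3cure-pass-2024"}  # constructed
SECRET = b"constructed-shared-secret"                 # constructed

if __name__ == "__main__":
    print(run_exchange("admin.jsmith", "S3cure-pass-2024", SECRET, SECRET, CREDENTIALS))
```

Two points a designer should take from it: the User-Password is only masked with MD5(secret + authenticator) and XOR, so the shared secret is what protects the administrator's password on the wire and must be long and random, and the exchange belongs on the management network rather than the user LAN; and the client must refuse any reply whose Response Authenticator does not verify, since that is the only proof that the Accept came from the real server.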
BEST PRACTICES FOR USING ADMINISTRATIVE RIGHTS
- Log on to your desktop as a user
- Log on to servers as an administrator
- Delegate the responsibility of managing privileged group memberships
- Fine-tune administrative access:
  - Delegation of Control Wizard to assign granular rights
  - Group Policy software restrictions to prevent administrative accounts from running unnecessary applications
SUMMARY
- Most enterprises use MMC, Remote Desktop, SSH, and SNMP for different management tasks
- Use EMS for out-of-band management control, but do not rely on built-in security
- Design a separate network for remote management, and block management protocols on other interfaces
- Limit users who have administrative rights, and restrict the level of administrative rights