Securing Network Server and User Workstations - PowerPoint PPT Presentation

Slides: 11
Provided by: JamesCh

Transcript and Presenter's Notes

1
Chapter 2
  • Securing Network Server and User Workstations

2
Author's Goal
  • Achieve CIA
  • Confidentiality
    • Authentication
    • Access control
    • Encryption
  • Integrity
    • Security scanning software (anti-virus, etc.)
    • IDS (intrusion detection system)
    • Checksums
    • System monitoring
  • Availability
    • Redundancy

3
Author's Method
  • Plan
  • Configure
  • Maintain
  • Improve

4
Plan
  • Write deployment plans and recovery plans for
    each class of system:
    • Private server
    • Public server
    • User workstation
    • Portable computer

5
Plan
  • Classify users
    • Privileged: few (or no) restrictions to sensitive
      data, software, and hardware
    • Non-privileged: restricted access to data,
      software, and hardware

6
Plan
  • A deployment plan should:
    • Include configuration instructions for
      hardware, software, and the OS
    • Determine if remote system administration will be
      allowed
    • Classify the users and their privileges
    • Define the daily administration tasks
    • Define the physical access
    • Document the backup procedure

7
Configure
  • Configure the OS and applications as outlined in
    the deployment plan.
  • Disable unneeded features in the OS and other
    apps.
  • Install only the needed applications.
  • Configure strong authentication procedures.
  • Configure re-authentication after idle periods.
  • Configure limits on authentication failures.
  • Configure appropriate access controls for
    • Data
    • Services
    • Hardware
  • Configure for backups
  • Replicate the configuration to other systems.
  • Configure system logging

8
Maintain Integrity
  • Update the OS and applications regularly.
  • Update security software regularly.
  • Run security software checks regularly.
  • Implement regular backup procedures.
  • Use a secure method to store and inspect log
    files.
  • Record cryptographic checksums.
  • Remote maintenance must be secure.
  • Measures are needed to prevent unauthorized
    installation of hardware.

9
Improve User Awareness
  • All users must sign a Computer System Usage
    Policy.
  • Identify the file systems that are archived and
    those that are not archived.
  • Educate users on which systems, software, data, and
    peripheral devices are usable, and which are off
    limits.
  • Provide periodic training to cover security
    issues.
  • Post banners and send e-mails with
    important announcements regarding system usage
    and security.

10
Other Significant Points
  • New systems should be configured before
    deployment (being attached to a network)
  • Provide physical security
  • Data must be properly protected from
    • Unauthorized access (encryption, intrusion
      defenses, access controls)
    • Unplanned changes (access controls and intrusion
      defenses)
    • Loss (backups and intrusion defenses)