
|
Authentication — Administrative, Internal & Remote Users, Password Policies, Inactive Accounts Management & Monitoring — Incident Reporting & Response, Secure Build, Physical Security |
|
Perimeter Defense |
|
|
Subcategory |
Best Practices |
|
Firewall Rules and Filters |
Firewalls are a first-line defense mechanism and should be placed at all network border locations. Rules implemented on firewalls should be highly restrictive and set on a host-by-host and service-by-service basis. When creating firewall rules and router ACLs (Access Control Lists), focus on first protecting access control devices and the network from attack. Enforce data flow by use of network ACLs and firewall rules. Test firewall rules and router ACLs to determine whether or not existing rules contribute to Denial of Service (DoS) attacks. Deploy one or more DMZs as part of a systematic and formal firewall development. Place all Internet accessible servers there. Restrict connectivity to and from the DMZs. |
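As an added example (not from the original page), a small Python audit that checks a constructed firewall ruleset against the three points above: host-by-host and service-by-service rules, Internet-accessible servers placed in a DMZ, and restricted connectivity from the DMZ into the internal network. The zone addressing, rule format and sample rules are assumptions of the example.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Zone addressing is an assumption of this example; the page names no networks.
ZONES = {"dmz": ip_network("192.0.2.0/24"), "internal": ip_network("10.0.0.0/8")}


@dataclass(frozen=True)
class Rule:
    rid: str     # rule identifier
    action: str  # "allow" or "deny"
    src: str     # source CIDR, or "any"
    dst: str     # destination CIDR, or "any"
    proto: str   # "tcp", "udp" or "any"
    port: str    # destination port, or "any"


def zone_of(cidr: str) -> str:
    """Classify an address range as dmz, internal, or internet (anything else)."""
    net = ip_network("0.0.0.0/0" if cidr == "any" else cidr)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "internet"


def audit(rules) -> list:
    """Return (rule id, finding) pairs for allow rules that violate the guidance."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue  # deny rules cannot over-permit
        if r.src == "any" and r.dst == "any":
            findings.append((r.rid, "source and destination both 'any': not host-by-host"))
        if r.proto == "any" or r.port == "any":
            findings.append((r.rid, "service 'any': not service-by-service"))
        src_zone, dst_zone = zone_of(r.src), zone_of(r.dst)
        if src_zone == "internet" and dst_zone == "internal":
            findings.append((r.rid, "Internet reaches the internal network directly: place Internet-accessible servers in the DMZ"))
        if src_zone == "dmz" and dst_zone == "internal":
            findings.append((r.rid, "DMZ host initiates into the internal network: restrict connectivity from the DMZ"))
    return findings


# Constructed ruleset for illustration, not taken from any real firewall.
SAMPLE_RULES = [
    Rule("r1", "allow", "any", "192.0.2.10/32", "tcp", "443"),            # Internet -> DMZ web server: as intended
    Rule("r2", "allow", "192.0.2.10/32", "10.0.1.20/32", "tcp", "1433"),  # DMZ -> internal database: flag for review
    Rule("r3", "allow", "any", "10.0.1.0/24", "tcp", "3389"),             # Internet -> internal hosts: bypasses the DMZ
    Rule("r4", "allow", "10.0.0.0/8", "any", "any", "any"),               # internal -> anywhere, any service
    Rule("r5", "deny", "any", "any", "any", "any"),                       # default deny
]

if __name__ == "__main__":
    for rid, finding in audit(SAMPLE_RULES):
        print(f"{rid}: {finding}")
```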
|
Anti-virus |
Deploy anti-virus solutions throughout the environment at both the server and desktop levels. Deploy specialized anti-virus solutions for specific tasks such as file server scanners, content screening tools, and data upload and download scanners. Configure anti-virus solutions to scan for viruses both entering and leaving the environment. For desktops and laptops, an anti-virus solution should be included in the default build environment. If you are using Microsoft Exchange, use the additional anti-virus and content-filtering capabilities it offers at the mailbox level. |
|
Remote Access |
Workstations are a critical factor in the defense of any environment, especially if there are remote and roaming users that connect to the environment. Tools such as personal firewalls, anti-virus, and remote-access software should be present and properly configured on all workstations. Implement a policy which requires periodic review of these tools to make sure their configurations reflect changes in applications and services being used, but at the same time still keep the workstation resistant to attacks. |
|
Segmentation |
Use segmentation to separate specific extranets from vendor, partner, and customer access. Each external network segment should allow only specific application traffic to be routed to the specific application hosts and ports that are used to supply services to customers. Ensure that network controls are in place to restrict access to only what is required for each third-party connection. Restrict access to and from the network services being provided, and restrict access between network segments. |
|
Intrusion-Detection System (IDS) |
Both network- and host-based intrusion-detection systems should be deployed to detect and notify of attacks against corporate systems. |
|
Wireless |
Best practice for wireless implementation includes ensuring that the network does not broadcast its SSID, that WPA encryption is used, and that the wireless network is fundamentally treated as untrusted. |
|
Perimeter Defense - Resources |
|
|
Windows Server 2008 |
Windows Server 2008 is the most secure Windows Server yet. The operating system has been hardened to help protect against failure and several new technologies help prevent unauthorized connections to your networks, servers, data, and user accounts. Network Access Protection ( References http://www.microsoft.com/windowsserver2008/en/us/overview.aspx |
|
|
Authentication |
|
|
Subcategory |
Best Practices |
|
Administrative Users |
For administrative accounts, implement a strict policy that requires the use of complex passwords that meet the following criteria:
· Alphanumeric
· Upper and lower case
· At least one special character
· Minimum length of 14 characters
To further mitigate the risk of a password attack, implement the following controls:
· Password expiration
· Account lockout after 7 to 10 failed login attempts
· System logging
In addition to implementing complex passwords, consider implementing multifactor authentication. Implement advanced controls around account management (do not allow account sharing) and account-access logging. |
|
Internal Users |
For user accounts, implement a policy that requires the use of complex passwords that meet the following criteria:
· Alphanumeric
· Upper and lower case
· At least one special character
· Minimum length of 8 characters
To further mitigate the risk of a password attack, implement the following controls:
· Password expiration
· Account lockout after at least 10 failed login attempts
· System logging
In addition to complex passwords, consider implementing multifactor authentication. Implement advanced controls around account management (do not allow sharing of accounts) and account-access logging. |
|
Remote-Access Users |
Implement complex password controls for all users of remote access, whether this access is granted through dial-up or VPN technologies. A password is considered complex if it meets the following criteria:
· Alphanumeric
· Upper and lower case
· At least one special character
· Minimum length of 8 characters
Implement an additional factor of authentication for accounts that are granted remote access. Also consider implementing advanced controls around account management (do not allow sharing of accounts) and account-access logging. In the case of remote access, it is especially important to protect the environment through the use of strong account management practices, sound logging practices, and incident detection capabilities. To further mitigate the risk of brute-force password attacks, consider implementing the following controls:
· Password expiration
· Account lockout after 7 to 10 failed login attempts
· System logging
Remote-access services should also take into account the systems that will be used to access the network or hosts. Also consider implementing controls around which hosts are allowed to access the network via remote access. |
|
Password Policies |
The use of complex passwords for all accounts is a basic element of Defense-in-Depth. Complex passwords should be 8 to 14 characters in length, with alphanumeric and special characters. Minimum length, history maintenance, lifetime, and pre-expiration of passwords should all be set to provide additional defenses. In general, password expiration should be set to the following:
· Maximum lifetime of 90 days
· New accounts must change password at login
· Password history of 8 passwords (8 days minimum)
In addition to complex passwords, multifactor authentication is important, especially for administrative and remote user accounts. Account lockout after 10 failed login attempts should be enabled on all user accounts. The controls around account lockout can vary from simply blocking brute-force password attacks to requiring administrator intervention to unlock. It is considered a best practice to enable lockout for administrative accounts, at least for network access; this locks the account out only from across a network, not at the console. This may not be appropriate for all organizations, especially those with remote locations. For remote-access accounts, it is best to require an administrator to unlock the account, as attacks could remain undetected for a significant amount of time if other means are not being used to track authentication failures. Consider the following guidelines when implementing controls around account lockout:
· Lockout after 7 to 10 failed login attempts for administrative and remote-access accounts
· Lockout after at least 10 failed login attempts for regular user accounts
· Require administrative access to re-enable administrator and remote-access accounts, and automatically re-enable regular user accounts after 5 minutes |
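As an added example (not the page's own material), a Python model of the complexity and lockout rules set out above, replayed over a constructed authentication-failure log. The tier names, the choice of 7 from the 7-to-10 range for administrative and remote-access accounts, and the log line format are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Thresholds from the text above; where it gives a range (lockout after 7 to 10
# failures for admin and remote-access accounts) the stricter end is used.
POLICY = {
    "admin":  {"min_len": 14, "lockout_after": 7,  "auto_unlock": None},
    "remote": {"min_len": 8,  "lockout_after": 7,  "auto_unlock": None},
    "user":   {"min_len": 8,  "lockout_after": 10, "auto_unlock": timedelta(minutes=5)},
}
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/")

def is_complex(password: str, tier: str) -> bool:
    """Alphanumeric, mixed case, one special character and the tier's minimum length."""
    classes = (str.isdigit, str.isupper, str.islower, lambda c: c in SPECIALS)
    return (len(password) >= POLICY[tier]["min_len"]
            and all(any(f(c) for c in password) for f in classes))

@dataclass
class Account:
    name: str
    tier: str
    failures: int = 0
    locked_at: Optional[datetime] = None

def is_locked(acct: Account, now: datetime) -> bool:
    """Regular accounts re-enable after 5 minutes; admin/remote stay locked until admin_unlock()."""
    if acct.locked_at is None:
        return False
    auto = POLICY[acct.tier]["auto_unlock"]
    if auto is not None and now - acct.locked_at >= auto:
        acct.failures, acct.locked_at = 0, None
        return False
    return True

def record_failure(acct: Account, now: datetime) -> bool:
    """Count one failed login; return True if the account is locked afterwards."""
    if is_locked(acct, now):
        return True
    acct.failures += 1
    if acct.failures >= POLICY[acct.tier]["lockout_after"]:
        acct.locked_at = now
    return acct.locked_at is not None

def admin_unlock(acct: Account) -> None:
    acct.failures, acct.locked_at = 0, None  # administrator intervention

def replay_failures(log: str, accounts: dict) -> list:
    """Feed 'TIMESTAMP FAIL user=NAME' lines through the policy and return the
    (timestamp, user) pairs at which an account went from unlocked to locked."""
    events = []
    for line in log.splitlines():
        ts, _, who = line.split()
        acct, now = accounts[who.split("=", 1)[1]], datetime.fromisoformat(ts)
        before = is_locked(acct, now)
        if record_failure(acct, now) and not before:
            events.append((ts, acct.name))
    return events

# Constructed sample log (not from any real system): 8 admin failures, 10 user failures, then one more of each 5 minutes on.
SAMPLE_LOG = "\n".join(
    [f"2008-06-01T10:00:{i:02d} FAIL user={n}"
     for i, n in enumerate(["ops-admin"] * 8 + ["jdoe"] * 10)]
    + ["2008-06-01T10:05:30 FAIL user=jdoe",        # regular user: auto re-enabled by now
       "2008-06-01T10:05:31 FAIL user=ops-admin"])  # admin: still locked

def sample_accounts() -> dict:
    return {"ops-admin": Account("ops-admin", "admin"), "jdoe": Account("jdoe", "user")}
```

Replaying SAMPLE_LOG through replay_failures(SAMPLE_LOG, sample_accounts()) reports a lockout for the admin account on its 7th failure and for the regular user on its 10th; the later user failure finds the account already re-enabled while the admin account is still locked.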
|
Password Policies |
Typically the restrictions around creating passwords for administrators should be greater than those for normal accounts. On Windows systems, administrative accounts (and service accounts) should be set with passwords that are 14 characters in length and use alphanumeric and special characters. |
|
Inactive Accounts |
Institute a process that includes immediate notification of all system administrators when staff members are terminated, to ensure their accounts are disabled immediately, especially their remote-access accounts. Consider implementing a process to review the current accounts of staff who transfer to another department within the organization. Terminated staff accounts should be disabled in a timely manner so that neither the terminated users nor other users can use the account to gain unauthorized access. If system administrators are not aware of changes in the status of a user due to transfer, they will not change or remove system or physical access. This could lead to unauthorized or excessive access by transferred users.
Regularly monitor relevant vendors' sites for virus signature updates and download updates to a quarantined area for testing in a lab environment. Verify that the updates do not cause any conflicts with deployed operating systems or applications before rolling out to production. For anti-virus applications, consider deploying a central console that will facilitate reporting on which systems are out of date or have software features disabled. In the case of remote users who do not regularly connect to the corporate network, consider using an auto-update feature. |
|
Authentication - Resources |
|
|
Windows Server 2008 |
Windows Server 2008 is the most secure Windows Server yet. The operating system has been hardened to help protect against failure and several new technologies help prevent unauthorized connections to your networks, servers, data, and user accounts. Network Access Protection ( References http://www.microsoft.com/windowsserver2008/en/us/overview.aspx |
|
Windows Server Active Directory |
A central component of the Windows platform, Active Directory directory service provides the means to manage the identities and relationships that make up network environments. Windows Server 2003 makes Active Directory simpler to manage, easing migration and deployment. Windows Server Active Directory is already used by companies around the world to gain unified management of identities and resources across the enterprise network. Active Directory enables organizations to centrally manage and track information about users and their privileges. In addition, Active Directory Lightweight Directory Services (ADLDS), an LDAP directory service, provides organizations with flexible support for directory-enabled applications. Integration with Microsoft Federated Identity, Strong Authentication, Information Protection and Identity Lifecycle Management solutions, makes Active Directory an ideal foundation for building a comprehensive identity and access solution. References http://www.microsoft.com/windowsserver2003/technologies/directory/activedirectory/default.mspx |
|
Windows Server 2003 - Internet Authentication Service (IAS)
|
Internet Authentication Service (IAS) is the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy in Windows Server 2003. As a RADIUS server, IAS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless and virtual private network (VPN) connections. As a RADIUS proxy, IAS forwards authentication and accounting messages to other RADIUS servers. In Windows Server 2008, IAS has been replaced with Network Policy Server (NPS). References |
|
Windows Server 2008 - Network Policy Server (NPS)
|
Network Policy Server (NPS) is the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy in Windows Server 2008. NPS is the replacement for Internet Authentication Service (IAS) in Windows Server 2003. As a RADIUS server, NPS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless and virtual private network (VPN) connections. As a RADIUS proxy, NPS forwards authentication and accounting messages to other RADIUS servers. NPS also acts as a health evaluation server for Network Access Protection ( References |
|
Public Key Infrastructure
|
Microsoft Public Key Infrastructure ( References http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx |
|
Certificates
|
Windows Certificate Services (CS) provides an integrated public key infrastructure that enables the secure exchange of information. With strong security and easy administration across the Internet, extranets, intranets, and applications, CS provides customizable services for issuing and managing the certificates used in software security systems employing public key technologies. References http://www.microsoft.com/windowsserver2003/technologies/idm/StrongAuthentication.mspx |
Management and Monitoring |
|
|
Subcategory |
Best Practices |
|
Incident Reporting & Response |
Institute procedures for the reporting of and response to security incidents, issues, and concerns. Designate an emergency response team that includes representatives from several disciplines, including technology, human resources, and legal, for responding to all security incidents and issues. Consider implementing a full incident response program that includes incident response teams, containment management, event correlation and analysis, and incident response procedures. It is important to follow a documented incident reporting and response process to ensure that all issues and incidents are reviewed and assessed in a consistent manner. It is important for all users to understand their responsibility to report any security issues or incidents and for them to have a clearly defined process for reporting these issues. |
|
Secure Build |
Maintain a build process with all vendor patches and recommended lockdown configuration. Test this process regularly. Use host-hardening procedures to patch and properly configure services and applications on each host. Disable all nonessential services and applications. Workstations should be hardened by installing recommended patches, removing all unnecessary services and packages, and auditing file permissions. Incorporate host-hardening steps into standard workstation build procedures. |
|
Physical Security |
Institute physical access controls to guard against unauthorized persons gaining access to the building and to sensitive information. Consider reassessing all physical access controls to ensure they are adequate and are being complied with. Increase staff awareness of the personnel access control policy and encourage the challenging of unrecognized individuals. All computer systems should be secured to prevent easy theft. Servers and networking equipment should be secured in locked cabinets in locked rooms with controlled access. Physical access should be stringently controlled, preventing unauthorized individuals from accessing buildings, sensitive data, and systems. With such access they could alter system configurations, introduce vulnerabilities into the network, or even destroy or steal equipment. 10 critical physical security measures:
· Lock up the server room
· Set up surveillance
· Make sure the most vulnerable devices are in that locked room
· Use rack-mount servers
· Don't forget the workstations
· Keep intruders from opening the case
· Protect the portables
· Pack up the backups
· Disable the drives
· Protect your printers |
|
Management and Monitoring – Resources |
|
|
Windows Server 2008 |
Windows Server 2008 is the most secure Windows Server yet. The operating system has been hardened to help protect against failure and several new technologies help prevent unauthorized connections to your networks, servers, data, and user accounts. Network Access Protection ( References http://www.microsoft.com/windowsserver2008/en/us/overview.aspx |
|
Windows Server Active Directory |
A central component of the Windows platform, Active Directory directory service provides the means to manage the identities and relationships that make up network environments. Windows Server 2003 makes Active Directory simpler to manage, easing migration and deployment. Windows Server Active Directory is already used by companies around the world to gain unified management of identities and resources across the enterprise network. Active Directory enables organizations to centrally manage and track information about users and their privileges. In addition, Active Directory Lightweight Directory Services (ADLDS), an LDAP directory service, provides organizations with flexible support for directory-enabled applications. Integration with Microsoft Federated Identity, Strong Authentication, Information Protection and Identity Lifecycle Management solutions, makes Active Directory an ideal foundation for building a comprehensive identity and access solution. References http://www.microsoft.com/windowsserver2003/technologies/directory/activedirectory/default.mspx |
|
Public Key Infrastructure
|
Microsoft Public Key Infrastructure ( References http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx |
|
Certificates
|
Windows Certificate Services (CS) provides an integrated public key infrastructure that enables the secure exchange of information. With strong security and easy administration across the Internet, extranets, intranets, and applications, CS provides customizable services for issuing and managing the certificates used in software security systems employing public key technologies. References http://www.microsoft.com/windowsserver2003/technologies/idm/StrongAuthentication.mspx |
|
Forefront Client Security
|
Forefront Client Security helps guard against emerging threats, such as spyware and rootkits, as well as traditional threats, such as viruses, worms, and Trojan horses. By delivering simplified administration through central management and providing critical visibility into threats and vulnerabilities, Forefront Client Security helps you protect your business with confidence and efficiency. Forefront Client Security integrates with your existing infrastructure software, such as Microsoft Active Directory, and complements other Microsoft security technologies for enhanced protection and greater control. References http://www.microsoft.com/forefront/clientsecurity/en/us/overview.aspx |
|
Windows Vista - BitLocker Drive Encryption
|
BitLocker Drive Encryption is a data protection feature available in Windows Vista Enterprise and Ultimate editions and in Windows Server 2008. BitLocker enhances data protection by bringing together drive encryption and integrity checking of early boot components. References http://www.microsoft.com/windows/products/windowsvista/features/details/bitlocker.mspx |
|
Windows Vista - Encrypting File System (EFS)
|
Encrypting File System (EFS) is a data protection feature in the Business, Enterprise and Ultimate editions of Windows Vista. It is useful for user-level file and folder encryption. References http://www.microsoft.com/windows/products/windowsvista/features/details/encryptingfilesystem.mspx |
|
Windows Vista and XP SP2 - Windows Defender
|
Windows Defender works with Internet Explorer 7 to help you make informed choices about installing software on your PC, by providing always-on protection and monitoring of key system locations, watching for changes that signal the installation and presence of spyware. References http://www.microsoft.com/windows/products/windowsvista/features/details/defender.mspx |
|
Windows Firewall
|
Windows Firewall is a critical first line of defense to protect your computer against many types of malicious software. It can help stop malware before it infects your computer. Windows Firewall comes with Windows Vista and is turned on by default to protect your system as soon as Windows starts. References http://www.microsoft.com/windows/products/windowsvista/features/details/firewall.mspx |
|
Windows Security Center
|
Windows Security Center alerts you when your security software is out of date or when your security settings should be strengthened. It displays your firewall settings and tells you whether your PC is set up to receive automatic updates from Microsoft. References http://www.microsoft.com/windows/products/windowsvista/features/details/securitycenter.mspx |
|
ADFS |
Microsoft Active Directory Federation Services (ADFS) provides the interoperability required to simplify the broad, federated sharing of digital identities and policies across organizational boundaries. Seamless yet secure, it lets customers, partners, suppliers, and mobile employees securely gain access to the information they need, when they need it. ADFS boosts cross-organizational efficiency and collaboration with secure data access across companies and improves operational efficiency with streamlined federation systems and simplified management of IDs and passwords. It boosts visibility into cross-boundary processes with transparent, auditable information rights and roles, and improves security with ADFS claim mapping, SAML tokens, and Kerberos authentication. ADFS helps to reduce operations costs by taking advantage of existing investments in Active Directory and security systems, and eliminates the complexity of managing federation by using Active Directory as the main identity repository. References http://www.microsoft.com/windowsserver2003/technologies/idm/federatedidentity.mspx |
|
(IPV6) Direct Connect |
IPv6 is designed to solve many of the problems of the current version of IP (known as IPv4), such as address depletion, security, autoconfiguration, and extensibility. Its use will also expand the capabilities of the Internet to enable a variety of valuable and exciting scenarios, including peer-to-peer and mobile applications. Support for Internet Protocol version 6 (IPv6), a new suite of standard protocols for the Network layer of the Internet, is built into the latest versions of Microsoft Windows, which include Windows Vista, Windows Server 2008, Windows Server 2003, Windows XP with Service Pack 2, Windows XP with Service Pack 1, Windows XP Embedded SP1, and Windows CE. References |
|
802.1X |
The IEEE 802.1X standard for wired networks provides authentication and authorization protection at the network edge where a host attaches to the network. IPsec provides peer authentication and cryptographic protection of IP traffic from end-to-end. This white paper describes the security and capabilities of 802.1X for wired networks and IPsec based on industry standards and their support in Windows Server 2003, Windows Server 2008, Windows XP and Windows Vista and provides comparison information when evaluating deployment of these security technologies. References |