Planning Your SBS Network on Windows® Small Business Server 2011

  • 5/15/2011
Contents

Planning for Security

It is far easier to implement effective security measures to protect your SBS network if you plan for security before you actually start installing software. In the following sections, we’ll cover some of the most common attack vectors and the preliminary steps you can take in this planning stage to prepare your defenses:

  • Careless or disgruntled employees and former employees Internal users and former users are the biggest risk factors to data loss and data theft on most computer networks. Whether from laziness, disregard of security policies, or outright malice, the internal user is often the most dangerous on your network. To help reduce risks related to this, refer to the Ensuring Physical Security section of this chapter as well as to Chapter 8.

  • Internet hackers All computers and devices attached directly to the Internet are subject to random attacks by hackers. According to the Cooperative Association for Internet Data Analysis (CAIDA), during a random three-week time period in 2001 more than 12,000 DoS attacks occurred: 1200–2400 were against home computers and the rest were against businesses. If your organization has a high profile, it might also be subject to targeted attack by hackers who don’t like your organization or who are engaging in corporate espionage.

    For more information about securing a network against Internet hackers, see the Securing Internet Firewalls section of this chapter.

  • Wireless hackers and theft of service Wireless access points are exposed to the general public looking for free Internet access and to mobile hackers. To reduce this risk, refer to the Securing Wireless Networks section in this chapter.

  • Viruses and worms Networks are subject to virus exposure from email attachments, infected documents, and worms such as CodeRed and Blaster that automatically attack vulnerable servers and clients. Refer to the Securing Client Computers section of this chapter for more information.

Ensuring Physical Security

Although security is not something that can be achieved in absolute terms, it should be a clearly defined goal. The most secure operating system and network in the world is defenseless against someone with physical access to a computer. Evaluate your physical environment to decide what additional security measures you should take, including the following:

  • Place servers in a locked server room. And control who has keys!

  • Use case locks on your servers, and don’t leave the keys in them.

  • Place network hubs, routers, and switches in a locked cable room or wiring closet.

  • Install case locks on client systems or publicly accessible systems.

  • Use laptop locks when using laptops in public.

  • Use BitLocker to encrypt the data on laptops that contain sensitive data.

Securing Client Computers

Even a highly secure network can be quickly compromised by a poorly secured client computer—for example, a laptop running an older version of Windows with sensitive data stored on the hard drive. To maximize the security of client computers, use the following guidelines (refer to Chapter 8, and Chapter 14, for more security procedures):

  • Use a secure operating system Use Windows Vista or Windows 7 on all client computers, with a strong preference for Windows 7 on laptops.

  • Use NTFS, file permissions, BitLocker, and EFS Use NTFS for all hard drives, and apply appropriate file permissions so that only valid users can read sensitive data. Encrypt sensitive files on laptop computers using the Encrypting File System (EFS), and encrypt at least the system drive on laptops using BitLocker. (BitLocker is available only on Enterprise and Ultimate versions of Windows Vista and Windows 7.)

  • Keep clients updated Use the Automatic Updates feature of Windows to keep systems updated automatically. Ideally, use the Windows Software Update Service (WSUS), integrated into SBS 2011, to centrally control which updates are installed, as described in Chapter 15.

  • Enable password policies Password Policies is a feature of SBS 2011 that requires user passwords to meet certain complexity, length, and uniqueness requirements, ensuring that users choose passwords that aren’t trivial to crack.

    Note

    Remembering passwords has become an increasingly difficult prospect, leading to the resurgence of the yellow-sticky-note method of recalling them. It’s important to discourage this practice, and encourage the use of distinctive but easy-to-remember passphrases. See the Under The Hood sidebar Beyond Passwords—Two-Factor Authentication for an alternative to annoyingly complex passwords.

  • Install antivirus software Antivirus software should be installed on the SBS 2011 computer as well as on all clients. The best way to do this is to purchase a small-business antivirus package that supports both clients and the server. There are good third-party solutions specifically designed for the SBS market from several vendors.

  • Install antispyware software Antispyware software should be installed on all client computers on the network and configured for real-time monitoring and daily full scans.

  • Keep web browsers secure Unpatched web browsers are a significant security issue. Always keep web browsers updated with the latest security updates.

UNDER THE HOOD: Beyond Passwords—Two-Factor Authentication

Password policies are a difficult subject for many small businesses. Serious security using only passwords requires long and complex passwords, changed regularly and never repeated. That’s a nice goal, but it’s also not something users are going to be all that happy with. If your network contains sensitive information—and whose doesn’t these days?—you should consider providing an additional layer of security beyond simple passwords.

Windows Small Business Server 2011 Standard sets reasonable, if somewhat minimal, password policies, but even the best of password policies is a balancing act between making the password difficult to crack and making it easy for users to remember and use so that they aren’t tempted to write it down on the back of their keyboards. The four kinds of authentication methods or factors are

  • Something you know (password)

  • Something you have (token or physical key)

  • Something you are (biometric)

  • Somewhere you are (location)

Of these, only the first three are realistic and usable in a small business environment, though the fourth—location—is starting to be used by banks as one factor to be sure that the person trying to access your bank account is actually you.

Passwords alone are a single-factor authentication method—in this case, something you know. Two-factor authentication requires two of the main three factors, and it provides a definite improvement in the surety that the person authenticating to your network is really who he claims to be. By enabling a second authentication factor, your need for overly draconian password policies is greatly reduced.

For a second authentication factor, we like the simplicity, moderate cost, and effectiveness of a one-time password (OTP). Generated automatically by a token you carry around with you, the combination of the token, a personal identification number (PIN), and your SBS password provides an additional level of security. Requiring administrators and all remote users to use two-factor authentication is a good way to improve the overall security of the sensitive data on your network.

Third-party providers of OTP tokens include AuthAnvil (http://www.authanvil.com), CryptoCard (http://www.cryptocard.com), and RSA SecureID (http://www.rsa.com). Of these, only AuthAnvil is focused on the small business market, with a suite of products that are fully integrated into SBS. Plus their soft tokens run on our users’ phones, greatly simplifying token management and deployment. We use AuthAnvil on our SBS network for all laptops and servers, and for all remote users.

Securing Wireless Networks

Wireless networks using the 802.11b, 802.11a, 802.11g, and 802.11n standards are very convenient but can also introduce significant security vulnerabilities if not properly secured. To properly secure wireless networks, follow these recommendations:

  • Change the default password of all access points.

  • Change the default SSID. Pick a name that doesn’t reveal the identity or location of your network.

  • Enable 802.11i (WPA2) encryption on the access points.

  • If the access points don’t support WPA2-Enterprise, don’t use them on your internal network.

    • NOTE

    WPA2 provides two methods of authentication: an “Enterprise” method that makes use of a RADIUS server, and a “Personal” method known as WPA2-Personal that uses a Pre-Shared Key (PSK) instead of a RADIUS server.

  • Disable the ability to administer access points from across the wireless network.

For more on configuring and protecting wireless networks, see Chapter 19.

Securing Internet Firewalls

Most external firewall devices are secure by default, but you can take some additional steps to maximize the security of a firewall:

  • Change the default password for the firewall device! We know this seems obvious, but unfortunately, it is all too often ignored.

  • Disable remote administration, or limit it to responding to a single IP address (that of your network consultant).

  • Disable the firewall from responding to Internet pings. OK, we admit this is controversial. It’s certainly a best practice, but it can also make troubleshooting a connectivity issue remotely a lot harder.

  • Enable Stateful Packet Inspection (SPI) and protection from specific attacks, such as the Ping of Death, Smurf, and IP Spoofing.

  • Leave all ports on the firewall closed except those needed by the SBS 2011 server.

  • Regularly check for open ports using trusted port-scanning sites. We use http://www.dslreports.com.

  • Require two-factor authentication for all access to the firewall.

  • Keep the firewall updated with the latest firmware versions, which are available for download from the manufacturer’s website.

Save to your account

This chapter is from the book