One School One Network Configuration Guide.doc

‘One School One Network’

Configuration Guide

Matthew Collins, ICT Network Manager, Prince Henry’s Grammar School
Richard Lian, ICT Systems Manager, Cardinal Heenan Catholic High School


Introduction

This guide is intended to allow schools to implement a One School One Network (OSON) infrastructure. It is appreciated that a one-size-fits-all approach is not practical, so the guide tries to remain as general as possible in order that the results may be achieved across a range of configurations.

Implementation of OSON relies on sufficient knowledge of TCP/IP, Windows 2000/2003/XP, Active Directory, Group Policy and IPSec. Training or guidance on these technologies is outside the scope of this document, which assumes a competent level of knowledge. It is, however, clear that IPSec is not commonly used within schools and often has never been touched on.

Further information on IP Sec can be found at:

http://www.microsoft.com/windowsserver2003/technologies/networking/ipsec/

This guide broadly covers the following:

- Moving your SIMS server to Curriculum and removing any existing Admin-Curriculum link
- Securing SIMS
- Securing other administration or office information
- Securing other aspects of the SIMS server using security policy
- Reducing the attack surface of privileged staff and administrator user accounts
- Maintaining access to LCC applications and SIMS file transfers
- Other configuration changes which may be necessary in the transfer process


Table of Contents

Introduction 2
Table of Contents 3
Joining your SIMS server to the curriculum domain 4
  If your SIMS server is the domain controller 4
Joining your Admin PCs to the Curriculum Domain 4
Admin Curriculum Link 5
Securing SIMS 5
  IPSec 5
  Server IPSec configuration 5
  Client IPSec Configuration 8
Restricting SIMS applications from running on the local machines 9
  Windows 2000 Client on Windows 2000/2003 Server 9
  Windows XP Client on Windows 2003 Server 9
  Software Restriction Policy 9
Securing SIMS and Admin/Office shares on the server 10
  SIMS Share 10
  Office/Admin Shared Area 10
Security Policy on the SIMS server 11
Reducing the attack surface of the Staff/Administrator Logon 11
Maintaining Access to LCC Applications and SIMS File Transfers 12
  NAT Setup 12
  Server NAT Interface configuration 12
  Configuring the NAT 12
  Configure the client 13
  Test client access to applications 13
Other configuration changes 14
  Change IP Addresses of other IP capable devices 14
  Migrating Users 14
  Desktop Environment Settings for Migrated Admin Users 14
  Review other NTFS security 14
  Review GPO settings and other Security policies 14
  Acceptable Use Policy for Staff 14
Other Documents to Consider 15


Joining your SIMS server to the curriculum domain

This is a relatively easy process providing that your SIMS server is not the domain controller for your existing admin domain.

Assuming that it is not then the following steps should be taken:

1.) Physically connect the server to a curriculum network switch.
2.) Assign curriculum IP address information to this network card.
3.) Join the server to the curriculum domain.
4.) Move the computer account to an OU in Active Directory.

Once this is done, if you are using a centrally stored connect.ini file then you will need to change the IP address contained within it. If the connect.ini file references the server by name rather than by IP address then no changes will need to be made.

You will also need to check permissions on NTFS folders and shares, as old admin users or security groups that are not built-in Windows users or groups will have had their permissions removed due to the domain change.

WARNING: SIMS is now running un-secured on the curriculum domain. It is advisable to undergo this procedure during a holiday period or have the security settings described in the rest of the document in place before joining the SIMS server to the domain.

If your SIMS server is the domain controller

You need to de-promote it from hosting Active Directory using the command dcpromo. If this is the only domain controller on the admin network then any admin user and computer accounts, security groups, group policies will be lost. You need to think carefully about the consequences of this.

Once it is de-promoted then the procedure as detailed above can be applied.

Active Directory removal and domain controller management is outside the scope of this document.

Joining your Admin PCs to the Curriculum Domain

This is a relatively easy process and the following steps should be taken:

1.) Physically connect the PC to a curriculum network switch.
2.) Assign curriculum IP address information to this network card.
3.) Join the PC to the curriculum domain.
4.) Move the computer account to an OU in Active Directory.

You will also need to check permissions on NTFS folders and shares, as old admin users or security groups that are not built-in Windows users or groups will have had their permissions removed due to the domain change.


Admin Curriculum Link

If you have previously had an admin-curriculum link via the LLN Cisco 2950 then you will need to make some minor changes to domain trusts and LMHOST files.

1.) On the curriculum domain remove the trust relationship that was established with admin using Active Directory Domains and Trusts.

2.) Remove any reference to the names of the old SIMS server from LMHOSTS files on the curriculum network. In fact, it should not be necessary to have LMHOSTS files in place on the curriculum network unless you have a specific application which requires them.

Securing SIMS

IPSec

You need to utilise IPSec technology to encrypt and authenticate SIMS traffic across the curriculum LAN and, if necessary, prevent workstations from communicating with the SQL component of the SIMS server.

This document does not cover the use of IPSec in detail, only the configuration settings.

1.) Discover the TCP/UDP port on the SIMS server that SQL Server or MSDE runs on. Use the following Server Network Utility application:

a. C:\Program Files\Microsoft SQL Server\80\Tools\Bin\SVRNETCN.EXE – or –
b. Run Server Network Utility from Microsoft SQL Server on the Start menu.

The properties of TCP/IP will show the port configuration.

2.) Create an IP Sec policy for the server.

Do this either locally on the SIMS server using the IP Security Policy Management MMC snap-in – or – place the SIMS server in a separate OU and apply a Group Policy.

o Settings for IPSec are under Computer Configuration -> Windows Settings -> Security Settings -> IP Security Policies on Active Directory.

3.) Use the policy settings outlined in the following sections.

Server IPSec configuration

You must configure IPSec to authenticate and encrypt traffic on the following ports:

- SIMS SQL Port, e.g. TCP 1433
- SQL Server Resolution Service, UDP 1434. This will dynamically select the port if the default is unavailable, which would then be unsecured. To prevent this we must use IPSec on this port also.

1.) Create a new IP Security Policy and name it SIMS Policy or similar. Continue to click Next, accepting the defaults:

a. Activate Default Response Rule = Checked
b. Authentication = Active Directory Default (Kerberos V5 protocol).


2.) Choose to edit the properties of the rule.
3.) Add a new rule and repeat the above process; this time you will be presented with an IP Filter List screen. Choose to ‘Add’ an IP Filter List.
4.) Name the IP Filter List SIMS SQL Filter List or similar.
5.) Choose Add and follow the Wizard using the following settings:

a. IP Traffic Source -> Source Address: My IP Address
b. IP Traffic Destination -> Destination Address: Any IP Address
c. IP Protocol Type -> Select a Protocol Type: TCP
d. IP Protocol Port -> Set the IP Protocol Port: From this Port: 1433 to Any Port.
e. Click Finish


6.) Repeat step 5 for UDP port 1434.
7.) On the IP Filter List screen select the IP Filter List you have just created.
8.) Choose Next.
9.) IP Filter Actions: Choose Require Security.
10.) Complete the wizard with any default settings.

You have now successfully created the IPSec policy for the server. Notice, however, that its status is Unassigned. Right-clicking the policy and choosing Assign enforces the settings that were chosen.

IMPORTANT: For the server to process the policy you will need to refresh Group Policy with the following command: gpupdate /target:computer /force


You may also need to restart the IP Security service.

Running SIMS on a workstation at this point should result in a failure to connect to the database as the client is not IP Sec enabled.

Client IPSec Configuration

Clients who need to be able to access SIMS must be IPSec enabled using the Client Respond Only built-in IPSec policy.

1.) Apply a Group Policy Object to the OU where the client PCs which need to access SIMS reside.
2.) Settings for IPSec are under Computer Configuration -> Windows Settings -> Security Settings -> IP Security Policies on Active Directory.
3.) Assign the policy ‘Client (Respond Only)’.

This is a basic client policy where the client will respond to an IPSec request from the server and both client and server will then negotiate the secure channel.

Only PCs where this policy is applied should be able to connect to the SIMS database.

IMPORTANT NOTE: This IPSec configuration assumes that the SIMS SQL database is on the same server as SIMS and that there are no other databases which have been set up on the SQL server. If the SQL database for SIMS is on a different server then the IPSec server policy will apply to that server instead. If there are other databases on the SQL server then a different IPSec solution will need to be applied.
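The same server policy and client assignment, scripted as an added example (not the guide's own material) using the netsh ipsec static context of Windows XP / Server 2003, which exposes the objects the MMC wizard above creates (policy, filter list, filter action, rule). The policy, filter list and action names are assumptions; the client function assigns the built-in policy locally on one test workstation, whereas the guide assigns it through a GPO.

```powershell
# Added example, not part of the guide: scripts the "Server IPSec configuration"
# steps with netsh ipsec static (Windows XP / Server 2003) and, for a single test
# workstation, the "Client IPSec Configuration" assignment. Names are assumptions.
param(
    [string]$PolicyName     = 'SIMS Policy',
    [string]$FilterListName = 'SIMS SQL Filter List',
    [string]$ActionName     = 'SIMS Require Security',
    [int]   $SqlTcpPort     = 1433,   # port shown by Server Network Utility (step 1)
    [int]   $SqlUdpPort     = 1434    # SQL Server Resolution Service
)

function Invoke-Netsh([string]$CommandLine) {
    # Run through cmd.exe so netsh receives the quoted name="..." values as typed;
    # a rejected command gives a non-zero exit code, which becomes a terminating error.
    $output = & cmd.exe /c "netsh $CommandLine 2>&1"
    if ($LASTEXITCODE -ne 0) { throw "netsh $CommandLine failed: $output" }
}

function New-SimsServerIpsecPolicy {
    # Step 1: new policy with the default response rule active (Kerberos is the
    # default authentication method for the rule added below)
    Invoke-Netsh ('ipsec static add policy name="{0}" activatedefaultrule=yes' -f $PolicyName)
    # Step 4: the filter list the rule will match on
    Invoke-Netsh ('ipsec static add filterlist name="{0}"' -f $FilterListName)
    # Step 5: source = My IP Address, destination = Any IP Address, TCP from the SQL
    # port to any port; mirrored=yes so workstation packets towards the server match too
    Invoke-Netsh ('ipsec static add filter filterlist="{0}" srcaddr=me dstaddr=any protocol=TCP srcport={1} dstport=0 mirrored=yes' -f $FilterListName, $SqlTcpPort)
    # Step 6: the same filter for the UDP resolution service port
    Invoke-Netsh ('ipsec static add filter filterlist="{0}" srcaddr=me dstaddr=any protocol=UDP srcport={1} dstport=0 mirrored=yes' -f $FilterListName, $SqlUdpPort)
    # Step 9: "Require Security" = negotiate with no fallback to clear text (soft=no)
    # and no unsecured inbound traffic accepted on these ports (inpass=no)
    Invoke-Netsh ('ipsec static add filteraction name="{0}" action=negotiate inpass=no soft=no' -f $ActionName)
    Invoke-Netsh ('ipsec static add rule name="SIMS SQL" policy="{0}" filterlist="{1}" filteraction="{2}" kerberos=yes' -f $PolicyName, $FilterListName, $ActionName)
    # The policy is created Unassigned; assigning it is what enforces the settings
    Invoke-Netsh ('ipsec static set policy name="{0}" assign=y' -f $PolicyName)
}

function Enable-ClientRespondOnly {
    # Built-in policy name on XP / 2003, assigned locally here for a test client only
    Invoke-Netsh 'ipsec static set policy name="Client (Respond Only)" assign=y'
}

function Show-IpsecPolicyStatus {
    # Lists every local policy with its Assigned / Unassigned status
    & netsh.exe ipsec static show policy all
}
```

Dot-source the script in an elevated prompt, then run New-SimsServerIpsecPolicy on the SIMS server or Enable-ClientRespondOnly on a test workstation and confirm with Show-IpsecPolicyStatus; a domain GPO that assigns an IPSec policy takes precedence over these local assignments.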


Restricting SIMS applications from running on the local machines

The approach to this will vary depending on the combination of client and server operating system you are using.

Windows 2000 Client on Windows 2000/2003 Server

The easiest way to secure the SIMS application is to secure the local SIMS folder, C:\Program Files\SIMS, using NTFS. The following NTFS settings should be applied using File System security in Group Policy.

Domain Admins – Full Control
Staff Users (or your defined SIMS users security group) – Modify

Windows XP Client on Windows 2003 Server

a.) Apply the same NTFS settings as above.
b.) Apply a Software Restriction Policy.

Software Restriction Policy

Within Group Policy – Computer/User Configuration -> Security Settings -> Software Restriction Policy.

It is possible to restrict the running of executables based on the computer or user that is trying to run them.

The restriction can be by path, hash value (meaning that if the executable is renamed or moved it still will not run) or by digital certificate.

The easiest way is to set up a path rule and a hash rule for:

C:\Program Files\SIMS\SIMS .net\SIMSLoad.exe
C:\Program Files\SIMS\SIMS .net\Pulsar.exe

This prevents pupil users from running them. The rules must be configured at the client.

1.) Install Group Policy Management Console on a Windows XP client with SIMS installed.
2.) Navigate to an OU that contains your Pupils and create a new or modify an existing GPO.
3.) Under User Configuration -> Security Settings -> Software Restriction Policy, right-click -> Create New Policies.
4.) Under Security Levels the default should be set to Unrestricted.
5.) Go to Additional Rules.
6.) Create a new path rule and hash rule by following the same procedure of choosing the executables listed above and setting the security level to Disallowed.

You may want to test this independently of NTFS permissions. Log on to this workstation as a pupil and try to run the SIMS executables.

Securing SIMS and Admin/Office shares on the server

SIMS Share

This share is commonly mapped to F: drive for users.

The following share and NTFS permissions may be applied.

Share

Everyone – Full Control

NTFS

Domain Admins – Full Control
Staff (your staff or SIMS user group) – RXW or Modify

You may also need to have ‘Modify’ rights for certain users, for example users of WebXchange.

Office/Admin Shared Area

Many schools will have a common admin area often called ‘office’. As this is now available on the curriculum network it is recommended that you review the security of this area and apply the appropriate permissions suitable for your school.


Security Policy on the SIMS server

Modification of the Security Policy on the SIMS server will add an extra layer of protection against pupils or any other unauthorised users accessing the server or the information on it.

Windows Server 2003 Service Pack 1 also includes a new tool, the Security Configuration Wizard which guides you through a process of hardening the server with minimal administrator effort. Experimenting with this is worth considering if you wish to seriously reduce the overall attack surface of the server.

The following settings should be applied to provide some basic but additional security to the server. These settings can be applied through a GPO.

Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment

Deny access to this computer from the network: {Domain Name}\Pupils
Deny log on locally: {Domain Name}\Pupils

This will prevent any pupil from making a network connection to this server. If the Office/Admin shared area is also maintained on this server then that will be protected also.

Reducing the attack surface of the Staff/Administrator Logon

One of the single biggest risks of the One Network approach is the opportunity for students to hijack a staff or administrator login account, either through theft of user credentials or by utilising a workstation which a member of staff or administrator has left unattended and logged on.

The following should be considered best practice implementation to reduce the risk:

1.) Automatically lock the desktop and require a password to unlock after a given time period. The time period should give a trade off between usability and security.

2.) Use a strong password policy:
a. Enforce complexity.
b. Have at least 8 characters.
c. Keep a password history of at least 3 passwords.
d. Lock accounts after at most 3 repeated failures.
e. A maximum password age of at most 60 days.

3.) Use multi-factor authentication if feasible, such as fingerprint or smartcard.
4.) Restrict logon hours where possible.
5.) Restrict students from logging on to staff-only workstations.
6.) Audit successful and failed account logons.
7.) Audit file deletions on shares.
8.) Ensure that the minimal NTFS security permissions are given to network accessible shares. Never give users more permissions than they require and use a role based approach to assigning permissions.
9.) Administrators should have 2 accounts: one for administration tasks and a regular account with permissions equivalent, for example, to those of staff members.
10.) Only install MIS software on workstations which will require access to the MIS system.
11.) Create a written security policy for members of staff to agree to and follow. Work with the management team, especially when areas of accountability are concerned.
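An added example (not part of the guide) that audits a server against the password policy in item 2 above and the two Deny rights from the Security Policy section: it exports the effective local security policy with secedit.exe and reports each setting as pass or fail. It assumes PowerShell 3.0 or later, an administrative prompt, and a pupil group named DOMAIN\Pupils (adjust the parameter).

```powershell
# Added example, not part of the guide: exports the effective local security policy
# with secedit and checks it against items 2a-2e and the two "Deny" user rights.
# Assumptions: PowerShell 3.0+, run as an administrator, pupil group DOMAIN\Pupils.
param([string]$PupilsGroup = "$env:USERDOMAIN\Pupils")

function Get-SecurityPolicy {
    # secedit writes an .inf made of [Section] blocks with "Key = Value" lines
    $inf = Join-Path $env:TEMP 'oson-secpol.inf'
    & secedit.exe /export /cfg $inf /quiet | Out-Null
    if (-not (Test-Path $inf)) { throw 'secedit export failed (run as an administrator)' }
    $policy = @{}; $section = ''
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ($line -match '^\s*([^=;]+?)\s*=\s*(.*?)\s*$') { $policy["$section\$($Matches[1])"] = $Matches[2] }
    }
    Remove-Item $inf -Force -ErrorAction SilentlyContinue
    return $policy
}

function Test-OsonPolicy([hashtable]$Policy, [string]$Group) {
    # Privilege Rights lines list accounts as *SID, so resolve the group to its SID;
    # if the group does not exist yet, fall back to matching the name form only
    try {
        $sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $sid = $null }
    $denied = { param($v) $list = $v -split ','; ($list -contains "*$sid") -or ($list -contains $Group) }
    # In [System Access] a value of 0 or -1 means "not set", so the range checks treat it as a failure
    $checks = @(
        @{ Key='System Access\PasswordComplexity';   Want='complexity enforced (2a)';              Ok={ param($v) [int]$v -eq 1 } },
        @{ Key='System Access\MinimumPasswordLength'; Want='at least 8 characters (2b)';            Ok={ param($v) [int]$v -ge 8 } },
        @{ Key='System Access\PasswordHistorySize';   Want='history of at least 3 (2c)';            Ok={ param($v) [int]$v -ge 3 } },
        @{ Key='System Access\LockoutBadCount';       Want='lockout after at most 3 failures (2d)'; Ok={ param($v) [int]$v -ge 1 -and [int]$v -le 3 } },
        @{ Key='System Access\MaximumPasswordAge';    Want='maximum age at most 60 days (2e)';      Ok={ param($v) [int]$v -ge 1 -and [int]$v -le 60 } },
        @{ Key='Privilege Rights\SeDenyNetworkLogonRight';     Want="$Group denied access from the network"; Ok=$denied },
        @{ Key='Privilege Rights\SeDenyInteractiveLogonRight'; Want="$Group denied log on locally";          Ok=$denied }
    )
    foreach ($c in $checks) {
        $value = $Policy[$c.Key]
        $pass = ($null -ne $value) -and (& $c.Ok $value)
        [pscustomobject]@{ Setting = $c.Key; Current = $value; Required = $c.Want; Pass = [bool]$pass }
    }
}

Test-OsonPolicy -Policy (Get-SecurityPolicy) -Group $PupilsGroup | Format-Table -AutoSize
```

Because secedit exports the policy in effect on the machine where it runs, execute this on the SIMS server itself after a gpupdate so that domain GPO settings are included.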


Maintaining Access to LCC Applications and SIMS File Transfers

In order for LCC applications such as FAB or web-based FAB (Hierarchies) to function correctly, the client computer must ‘present’ an IP address in the admin network range.

This range is considered to be:

10.even.any.X

Clearly all PCs will now have an incompatible curriculum IP address.

NAT Setup

The solution to this is to set up a Windows 2000/2003 server as a NAT (Network Address Translator). This server could be the SIMS server that used the old admin IP 10.even.any.100.

This server needs two NICs:

- One assigned curriculum IP address information and plugged into a curriculum switch.
- One assigned admin IP address information and plugged either into an admin switch or directly into the LLN switch admin port.

If you do not wish to have any IP capable equipment using an admin IP address (which is likely) then plug the admin NIC in the server directly into the LLN switch admin port.

Server NAT Interface configuration

Configure the interfaces as follows:

Curriculum interface

IP Address: An IP from your curriculum range
Subnet Mask: 255.255.252.0
Default gateway: Leave blank
DNS1: Your primary curriculum DNS server
DNS2: Your secondary curriculum DNS server

Admin interface

IP Address: An IP from your admin range; the best choice may be 10.even.any.100
Subnet Mask: 255.255.255.0
Default gateway: Your admin default gateway IP address
DNS1: 10.255.255.4
DNS2: 10.255.255.5

Configuring the NAT

a. Install Routing and Remote Access on the server using Add/Remove Programs.
b. Under Administrative Tools open Routing and Remote Access.
c. Right-click on the server name and choose ‘Configure and Enable Routing and Remote Access’, then Next.
d. On the Configuration page choose NAT, then Next.
e. On the NAT Internet Connection page choose ‘Use this public interface to connect to the internet’ and select the Admin network interface, then Next.
f. On the Private Network Connection page choose ‘Use this private interface to connect to the internal network’ and select your Curriculum network interface, then Next.
g. Finish the wizard; the NAT should now be configured.

Configure the client

Any client which needs access to LCC applications or needs to do AVCO transfers will need its IP settings adjusting from the DHCP-assigned options on the curriculum network.

The following settings must be applied which are different to the DHCP supplied settings:

Default Gateway: The IP address of the Curriculum network interface on the NAT.

This will typically require you to provide these machines with a static IP address or set up a new DHCP scope, options and reservations.

Test client access to applications

Test one of the configured clients with all LCC applications to ensure functionality.


Other configuration changes

Change IP Addresses of other IP capable devices

Printers, Wireless Points, Switches and other IP devices which had static or DHCP reserved IP addresses on the Admin network will need reconfiguring and additional server reconfiguration may be necessary.

If you have any external access to, for example, CCTV systems, you may need to consult with the external provider to ensure that they can still access the systems.

Migrating Users

You may wish to migrate old admin network users across to curriculum. This requires an online admin domain controller and the Active Directory Migration Tool (ADMT) which can be downloaded from the Microsoft web site.

The alternative is to recreate the users on the curriculum domain from scratch.

Desktop Environment Settings for Migrated Admin Users

It is likely that some users will need different mapped drives to others and that you may want to provide existing curriculum users with access to old admin resources.

Some users will need new desktop and start menu icons. This is best achieved through folder redirection which gives the administrator maximum control and flexibility.

How to implement these changes is outside the scope of this document.

Review other NTFS security

Strictly speaking, this is not a requirement of the OSON project, but this is probably a good time to review all your existing NTFS security on your network, e.g. all your existing NTFS security on your file servers and application servers etc…

Review GPO settings and other Security policies

As stated above, this is also not a requirement of the OSON project, but all your existing GPO’s and security policies should also be reviewed. There may be conflicting settings or settings that now need to be enabled or disabled as a result of integrating your networks.

Acceptable Use Policy for Staff (AUP)

This is not a technical requirement but it is a factor that needs to be considered and implemented, or updated if you already have a policy in place. All the risks that have been discussed in this document with relation to the ‘human’ user interface need to be addressed in the AUP so that staff understand the risks etc… It also needs to state the procedure if any misdemeanour occurs.


Other Documents to Consider


‘One School, One Network’ An Overview for School Leadership Teams
Authors: Matthew Collins and Richard Lian

‘One School, One Network’ Lab Configuration, Tests and Results
Authors: Matthew Collins, Richard Lian and Alistair Herron
