Capability: Security and Networking
Introduction
Security and Networking is the third Core Infrastructure Optimization capability. The following table describes the high-level challenges, applicable solutions, and benefits of moving to the Dynamic level in Security and Networking.
Challenges | Solutions | Benefits
---|---|---
Business Challenges: enterprise firewall security policies not present for desktops or servers; enterprise extranet security policies not present. IT Challenges: server event management is reactive, lacking a holistic view of the enterprise; no real-time security event monitoring for desktops or servers. | Projects: implement integrated threat management and mitigation solutions across clients and server edge; deploy model-enabled service level monitoring of desktops, applications, and server infrastructure; implement quarantine solution for unpatched or infected computers. | Business Benefits: achieve proactive security with explicit policies and control from desktop, to firewall, to extranet; address regulatory compliance thoroughly; increase user productivity with a stable and secure environment; respond to security issues quickly and proactively; mirror business representation through security policy. IT Benefits: thorough monitoring and reporting of server infrastructure, with similar capabilities for desktop; cost-effective control and visibility over every PC helps IT proactively solve problems before they affect users.
The Dynamic level in the Infrastructure Optimization Model addresses key requirements of networking and security components, including:
Integrated Threat Management and Mitigation Across Clients and Server Edge
Model-enabled Service Level Monitoring of Desktops, Applications, and Server Infrastructure
Quarantine Solution for Unpatched or Infected Computers
Requirement: Integrated Threat Management and Mitigation Across Clients and Server Edge
Audience
You should read this section if you do not have integrated threat management and mitigation across clients and server edge.
Overview
Organizations are facing an onslaught of increasingly targeted and sophisticated attacks on their networks. Protecting network resources while providing seamless access for legitimate activities requires a sophisticated and multifunctional edge gateway solution. Alongside the Core Infrastructure Optimization Model’s requirement for secure remote access, protecting IT environments from Internet-based threats becomes a necessity.
Phase 1: Assess
The Assess phase should determine the appropriate server and client edge security needs for your organization and identify which processes are currently in place. Security requirements can vary dramatically from company to company or institution to institution based, for example, on size, industry or field, or regional laws and regulations. Gathering a formal list of your organization’s risks and requirements will allow you to evaluate security technologies more effectively, and to judge how their use may affect your organization.
Phase 2: Identify
During the Identify phase, you will examine the security and remote access technologies and procedures currently in place and determine what the security requirements are for your organization. During this phase, you will gather security policies that are currently implied or enforced, in addition to technology components already in use or at your disposal. You will also gather any external requirements based on laws or regulations for your region or industry. It is recommended that your organization consider server and client edge threat models and corresponding technologies simultaneously when planning for the Dynamic level requirement for a Quarantine Solution for Unpatched or Infected Computers.
Phase 3: Evaluate and Plan
Your organization’s goal during the Evaluate and Plan phase should be to determine a strategy for edge security and to evaluate the technologies available to reduce Internet-based threats. When evaluating your technologies, you should consider security optimization for access to your organization’s file resources and branch offices as well as how your Web and LOB applications are accessed. Your organization can use tools providing enhanced virtual private network (VPN) security and firewalls for Web applications and network resources, as well as tighter access control and enhanced authorization for network resources and LOB applications.
Internet Security and Acceleration (ISA) Server 2006
Microsoft Internet Security and Acceleration (ISA) Server 2006 is a security gateway that helps protect your applications and resources from Internet-based threats. ISA Server can help your organization to secure access to applications and data. It also helps secure application infrastructure by protecting LOB applications, services, and data across all network layers with stateful packet inspection, application-layer filtering, and comprehensive publishing tools. Using ISA Server, you can streamline your network through a unified firewall and virtual private network (VPN) architecture. ISA Server helps protect your IT environment and reduce security risks and costs, while working to eliminate the effects that malicious software and attackers have on your organization.
Intelligent Application Gateway (IAG) 2007
Microsoft Intelligent Application Gateway (IAG) 2007 with Application Optimizers provides secure socket layer (SSL) virtual private network (VPN), a Web application firewall, and endpoint security management that enable access control, authorization, and content inspection for a wide variety of LOB applications. Together, these technologies provide mobile and remote workers with easy and flexible secure access from a broad range of devices and locations including kiosks, PCs, and mobile devices. IAG also enables IT administrators to enforce compliance with application and information usage guidelines through a customized remote access policy based on device, user, application, or other business criteria. Key benefits include:
A unique combination of SSL VPN-based access, integrated application protection, and endpoint security management.
A powerful, Web-application firewall that helps keep malicious traffic out, and sensitive information in.
Reduced complexity of managing secure access and protecting business assets with a comprehensive, easy to use platform.
Interoperability with core Microsoft application infrastructure, third-party enterprise systems, and custom in-house tools.
Phase 4: Deploy
Evaluated and approved edge security solutions are implemented in the Deploy phase. It is important to perform both usability and fire drill tests for any additional control mechanisms introduced into your environment.
Further Information
For more information on ISA server products and implementations, go to the ISA Server TechCenter on Microsoft TechNet at https://www.microsoft.com/technet/isa/default.mspx.
Topic Checkpoint
Requirements |
---|
Assessed server edge security threats and evaluated threat mitigation solutions. |
Implemented technology solutions to protect against Internet-based threats across the client and server edge. |
Requirement: Model-enabled Service Level Monitoring of Desktops, Applications, and Server Infrastructure
Audience
You should read this section if you do not have model-enabled service level monitoring of desktops, applications, and server infrastructure.
Overview
In the Core Infrastructure Optimization Implementer Resource Guide: Standardized to Rationalized guide, we discussed the introduction of best practice service level management for several of the requirements at the Rationalized level. Processes introduced for service level management described how services are defined and measured via service level agreements (SLAs). Model-enabled service level monitoring takes these concepts to the Dynamic level by requiring a means to express service models at the system level and report actual service levels—across multiple components—against defined SLAs. Recent advances in technology and industry standards, such as the new Service Modeling Language (SML), allow organizations to implement true model-enabled service monitoring and management.
Phase 1: Assess
As part of the Rationalized level requirement for ITIL/COBIT-based Process Management, your organization implemented service level management processes and in doing so defined a service catalog. The service catalog lists all of the services currently being provided, summarizes service characteristics, describes the users of the service, and details those responsible for ongoing maintenance. The Assess phase will ensure that the service catalog is complete and up-to-date.
Phase 2: Identify
The Identify phase will nominate which services within the service catalog are modeled and assign priorities to each service. The list of nominated services will be used in the Evaluate and Plan phase when considering technology options and planning for implementation. This requirement focuses on a subset of IT services, including desktop or client services, application services, and server infrastructure.
Phase 3: Evaluate and Plan
The goal of the Evaluate and Plan phase is to identify the technologies needed to enable model-enabled service level monitoring of desktops, applications, and server infrastructure. This implies that the selected technology offers both the capability to systematically define services from your organization’s service catalog as well as monitor availability and events from defined services.
System Center Operations Manager 2007
Operations Manager 2007 offers a service-oriented monitoring approach that enables you to monitor your end-to-end information technology services, scale monitoring across large environments and organizations, and use Microsoft application and operating system knowledge to resolve operational problems. Operations Manager 2007 is the recommended solution for this requirement in the Core Infrastructure Optimization Model and provides functionality to create and monitor end-to-end service models.
Desktop Service Monitoring
Desktop service monitoring in Operations Manager 2007 uses two mechanisms to monitor desktop experience: Agentless Exception Monitoring and Customer Experience Improvement Program data collection.
Agentless Exception Monitoring (AEM)
AEM enables you to monitor operating systems for crashes and applications for errors. Error reporting clients are configured with Group Policy to redirect error reports to an Operations Manager 2007 management server, instead of reporting directly to Microsoft. By staging error reports on a management server, Operations Manager 2007 is able to provide detailed views and reports that aggregate error data across your organization. The views and reports provide knowledge about failures and offer solutions, as available, to help resolve the issues.
You can determine how often an operating system or application experiences an error and the number of affected computers and users. This determination enables you to direct your efforts where they will have the greatest benefit to the organization.
When the error reports are anonymously synchronized with Microsoft, per the Privacy Statement for the Microsoft Error Reporting Service, solution responses that are available for the respective errors are provided. You can also use AEM to provide solutions for issues experienced with your internally developed applications.
Customer Experience Improvement Program (CEIP)
When you choose to participate in the CEIP, you configure clients with Group Policy to redirect CEIP reports to an Operations Manager 2007 management server, instead of reporting directly to Microsoft. The management servers are configured to forward these reports to Microsoft.
The CEIP reports forwarded from your organization to Microsoft are combined with CEIP reports from other organizations and individual customers to help Microsoft solve problems and improve the Microsoft products and features customers use most often. For more information about the CEIP, see https://go.microsoft.com/fwlink/?linkid=75040.
Management Packs for Windows-based Workstation Operating Systems and Applications
Following are the Management Packs for Windows-based workstation operating systems and applications that are included with Operations Manager 2007:
Windows Vista®
Windows XP
Windows 2000
Microsoft Information Worker
Distributed Application Service Monitoring
A distributed application service in Operations Manager 2007 monitors the health of a distributed application that you define. It creates the monitors, rules, views, and reports necessary to monitor your distributed application and the individual components that it contains. When creating a distributed application in Operations Manager 2007, you first create the service that defines the distributed application monitoring object at a high level. Then you define the individual components that are part of the distributed application you want to monitor.
Infrastructure Monitoring
Operations Manager 2007 continues to offer comprehensive server infrastructure status monitoring and adds new features over Operations Manager 2005 to monitor SNMP-enabled devices such as routers, print servers, and computers not running Windows, even if the device or operating system does not have a Management Pack. To monitor these devices or other operating systems, you can create monitors and rules that use SNMP. SNMP-based monitors and rules can collect data from SNMP events or traps, generate alerts, or change the health state of the monitored object.
Phase 4: Deploy
The Deploy phase again implements the plans derived from the effort of the previous three phases. If your organization has selected System Center Operations Manager 2007 as the technology to define and monitor your IT services, detailed deployment guidance can be found in the online document library for System Center Operations Manager 2007 on Microsoft TechNet.
Further Information
For more information on service monitoring, go to Microsoft TechNet and search for “service monitoring” and “Operations Manager.”
Topic Checkpoint
Requirements |
---|
Implemented automated solution to define and monitor service levels. |
If you have completed the steps listed above, your organization has met the minimum requirement of Model-enabled service level monitoring of desktops, applications, and server infrastructure.
Requirement: Quarantine Solution for Unpatched or Infected Computers
Audience
You should read this section if you do not have a quarantine solution for unpatched or infected computers.
Overview
In today’s security-conscious environment, an in-depth approach to protecting your network and sensitive data is a very complex matter. You can no longer rely on perimeter defenses and antivirus suites alone to protect network assets and confidential information. Security organizations and professionals now understand that internal network risks, whether intentional or accidental, have the potential to be even more perilous than external threats. To move to the Dynamic level, you need to have a mechanism for isolating unmanaged computers from your full company network.
The widespread availability of the Internet has led to significant changes in the way many organizations work. To maintain competitive advantage, organizations increasingly require employees to connect to corporate networks from remote locations such as homes, branch offices, hotels, Internet cafes, or customers' premises.
Phase 1: Assess
The Assess phase begins the quarantine solution project by taking another inventory of client security configurations tracked in your configuration management processes. At the Dynamic level, we can assume the Standardized level requirements for best practice patch management and antivirus controls are in place as well as configuration management as part of the Rationalized level requirement set. The Assess phase examines the client configuration items and ensures that they are up-to-date.
Phase 2: Identify
In the Identify phase, we will determine which configurations should be controlled and added to the minimum requirements for assessing whether a client computer is a threat when connecting to network resources. Typically, minimum requirements would include that all required software updates and antivirus programs are installed and signatures are up-to-date. During the Identify phase, you should also consider patch management, configuration scanning, and antivirus update practices and how these can most easily be fed into requirements of the quarantine solution to be implemented.
Phase 3: Evaluate and Plan
In the Evaluate and Plan phase, we determine the technologies available to enable desired functionality and perform the configuration non-compliance detection and lockout routines defined in the Identify phase. The Dynamic level requires that at least remote connections to network resources be controlled via a quarantine solution. These remote connections are usually implemented with virtual private network (VPN) technologies. This section primarily references the Implementing Quarantine Services with Microsoft Virtual Private Network Planning Guide on Microsoft TechNet. We will also introduce Network Access Protection included in Windows Vista and Windows Server 2008 for on-site quarantine services.
Virtual Private Networks (VPNs)
VPN connections allow employees and partners to connect to a corporate local area network (LAN) over a public network in a secure manner. Remote access that uses VPN technologies is a key enabler for many new business opportunities, such as remote administration and high-security applications.
Although a VPN provides secure access by encrypting data through the VPN tunnel, it does not prevent intrusions by malicious software, such as viruses or worms, that originate from the remote access computer. Virus or worm attacks can result from infected computers that connect to the LAN. VPN quarantine with the Network Access Quarantine Control features in Windows Server 2003 provides a mechanism to address these issues. VPN quarantine ensures that computers that connect to the network using VPN protocols are subject to pre-connection and post-connection checks and are isolated until the computer meets the required security policy.
The VPN quarantine solution places all connecting computers that meet the specified remote access policy into a quarantine network and verifies that these computers comply with the organization's security policy. The remote access VPN server lifts the quarantine restrictions and allows access to corporate network resources only when the remote access computer passes all connection checks.
VPN quarantine works by delaying full connectivity to a private network while examining and validating the configuration of the remote access computer against organizational standards. If the computer that connects is not compliant with the organization's policy, the quarantine process can install service packs, security updates, and virus definitions before it allows the computer to connect to other network resources.
VPN Quarantine Requirements
Implementing VPN quarantine requires the following components:
Quarantine-compatible remote access clients
Quarantine-compatible remote access server
Quarantine-compatible Remote Access Dial-In User Service (RADIUS) server (optional)
Quarantine resources
Accounts database
Quarantine remote access policy
Virtual Private Network Quarantine Connection Process
The following figure outlines one approach to VPN quarantine that utilizes resource servers located on a quarantine subnet.
Figure 9. The VPN quarantine process path
VPN quarantine implements a modified process when the user attempts to connect to the remote network. The process includes the following steps:
The computer performs a pre-connection health policy validation check to ensure that the computer meets certain computer health requirements. These might include hotfixes, security updates, and virus signatures. The pre-connection script stores the results of this check locally. An organization can also run post-connection security checks if it wants.
After the pre-connection checks have succeeded, the computer connects to the remote access server using VPN.
The remote access server authenticates the user credentials with the RADIUS server against the stored user name and password in the Active Directory® directory service. RADIUS is an optional component in this process.
If Active Directory authenticates the user, the remote access server places the client in quarantine, using the VPN quarantine remote access policy. The remote access client computer's access is limited to the quarantine resources specified by the remote access policy. Quarantine can be enforced in two possible ways on the remote access client computer: using a specific time-out period so the client computer does not stay in quarantine indefinitely, or using an IP filter that restricts IP traffic to the specified network resources only.
The post-connection script notifies the remote access server that the client complies with the specified requirements. If the connection does not meet the requirements in the specified time-out period, the script notifies the user and drops the connection.
The remote access server removes the client computer from quarantine mode by removing the IP filter and grants appropriate access to network resources specified by the remote access policy.
Network Access Protection
Network Access Protection (NAP) is a policy enforcement platform built into the Windows Vista and Windows Server 2008 operating systems that allows you to better protect network assets by enforcing compliance with system health requirements.
Computer Health Requirements
You are faced with the challenge of ensuring that computers that connect to and communicate on your network are compliant with system health requirements. For example, compliant computers have the correct security software installed (such as antivirus protection), the current operating system updates, and the correct configuration (such as host-based firewalls enabled). This challenge is made daunting by the portable nature of laptop computers that can roam to various Internet hotspots and other private networks, and the use of remote access connections made from home computers. If a connecting computer is not compliant, it can expose your network to attacks by malicious software such as network-level viruses and worms. To provide protection against noncompliant computers, you need to do the following:
Centrally configure a set of policies that specify requirements for system health.
Verify system health before allowing unlimited access to the private network or to private network resources.
Limit the network access of noncompliant computers to a restricted network containing resources to return the noncompliant computer to a compliant state.
NAP provides components and an infrastructure that help you validate and enforce compliance with system health policies for network access and communication.
Health Policy Validation
When a user attempts to connect to your network, Network Access Protection validates the computer’s health state against the health policies that you have defined. You can then choose what to do if a computer is not compliant. In a monitoring-only environment, all authorized computers are granted access to the network even if some do not comply with health policies, but the compliance state of each computer is logged. In a restricted access environment, computers that comply with the health policies are allowed unlimited access to the network, but computers that do not comply with health policies or that are not compatible with Network Access Protection have their access limited to a restricted network. In both environments, computers that are compatible with Network Access Protection can automatically become compliant, and you can define exceptions to the validation process. Network Access Protection also includes migration tools to make it easier for you to define exceptions that best suit your network needs.
Health Policy Compliance
You can help ensure compliance with health policies by choosing to automatically update noncompliant computers with the missing requirements through management software, such as Microsoft Systems Management Server. In a monitoring-only environment, computers will have access to the network even before they are updated with required software or configuration changes. In a restricted access environment, computers that do not comply with health policies have limited access until the software and configuration updates are completed. Again, in both environments, computers that are compatible with Network Access Protection can automatically become compliant, and you can define policy exceptions.
Limited Network Access
You can protect network assets by limiting the access of computers that do not comply with health policy requirements. You can define the level of access noncompliant computers will have. Network access limits can be based on a specific amount of time or whether the network access is limited to a restricted network, to a single resource, or to no internal resources at all. If you do not configure health update resources, the limited access will last for the duration of the connection. If you configure health update resources, the limited access will last only until the computer is brought into compliance. You can use both monitoring and health policy compliance in your networks and configure exceptions for both.
Phase 4: Deploy
The Dynamic level only requires that a VPN quarantine solution is implemented for remote access users. Network Access Protection solutions are recommended if your organization is using Windows Server 2008 infrastructure. The Network Access Quarantine Control in Windows Server 2003 guide provides additional planning and deployment guidance for quarantine solutions.
To deploy Network Access Quarantine Control, the basic steps (in order) are as follows:
Create quarantine resources.
Create a script or program that validates client configuration.
Install Rqs.exe on remote access servers.
Create a new quarantine Connection Manager (CM) profile with Windows Server 2003 Connection Manager Administration Kit (CMAK).
Distribute the CM profile for installation on remote access client computers.
Configure a quarantine remote access policy.
Creating Quarantine Resources
To allow your remote access clients to access name server, Web server, or file server resources while they are in quarantine mode, you must designate the servers and their resources that are available to remote access clients.
Creating a Script or Program That Validates Client Configuration
The quarantine script or program that you create can be an executable file (*.exe) or as simple as a command file (*.cmd or *.bat). In the script, perform the set of tests to ensure that the remote access client complies with network policy.
Installing Rqs.exe on Remote Access Servers
The Remote Access Quarantine Agent service (Rqs.exe) component listens for messages from quarantine-compatible remote access clients, which indicate that their scripts have been run successfully.
Creating a New Quarantine CM Profile with Windows Server 2003 CMAK
A quarantine CM profile is just a normal remote access CM profile for dial-up or VPN access with the following additions:
You must add a post-connect action to run the script or program you have created to check network policy compliance and include the script or program within the profile. This is done on the Custom Actions page of the CMAK Wizard.
You must add the notification component to the profile. This is done on the Additional Files page of the CMAK Wizard.
For more information about using custom actions in CMAK, see the topic titled "Incorporating custom actions" in Windows Server 2003 Help and Support.
Distributing the CM Profile for Installation on Remote Access Client Computers
After the quarantine CM profile has been created, it must be distributed and installed on all your remote access client computers. The profile itself is an executable file that must be run on the remote access client to install the profile and configure the quarantine network connection.
Configuring a Quarantine Remote Access Policy
If Routing and Remote Access is configured with the Windows authentication provider, configure the quarantine remote access policy on the remote access server using the Routing and Remote Access snap-in. If Routing and Remote Access is configured with the RADIUS authentication provider, configure the quarantine remote access policy on the IAS server using the Internet Authentication Service snap-in.
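The quarantine script from step 2 of the deployment, which is also the post-connection script of the connection process described earlier, written out as an added example; it is not code from the Microsoft guide. It assumes Windows XP SP2 clients (the netsh firewall context and the Security Center WMI namespace), that the notification component is Rqc.exe from the Windows Server 2003 Resource Kit Tools with the argument order ConnName TunnelConnName TCPPort Domain UserName ScriptVersion and the default Rqs.exe port 7250, and the CMAK macros %DialRasEntry%, %TunnelRasEntry%, %Domain% and %UserName%; the KB numbers are placeholders.

```batch
@echo off
rem Added example of a quarantine post-connect script (not from the Microsoft guide).
rem Run by the CM profile as a post-connect custom action with this command line:
rem   quarantine.cmd %DialRasEntry% %TunnelRasEntry% %Domain% %UserName%
rem When every check passes it calls Rqc.exe (Resource Kit notifier), which tells
rem Rqs.exe on the remote access server to lift the quarantine IP filter.
setlocal
set CONN=%~1
set TUNNEL=%~2
set DOM=%~3
set USR=%~4
rem Assumption: Rqs.exe listens on its default TCP port.
set RQSPORT=7250
rem Must match a script version string that Rqs.exe is configured to accept.
set SCRIPTVER=Version1-0
rem Placeholder KB numbers: replace with the updates your policy requires.
set REQUIRED_KB=KB000001 KB000002
set FAIL=0

rem Check 1: Windows Firewall must be enabled (netsh firewall context, XP SP2).
netsh firewall show state | find /i "Operational mode" | find /i "Enable" >nul
if errorlevel 1 (
    echo FAIL: Windows Firewall is not enabled
    set FAIL=1
)

rem Check 2: an antivirus product registered with Security Center must report
rem current signatures (assumption: XP SP2 root\SecurityCenter namespace).
wmic /namespace:\\root\SecurityCenter path AntiVirusProduct get productUptoDate 2>nul | find /i "TRUE" >nul
if errorlevel 1 (
    echo FAIL: no antivirus product with up-to-date signatures
    set FAIL=1
)

rem Check 3: every required security update must be present in the QFE inventory.
for %%K in (%REQUIRED_KB%) do (
    wmic qfe where "HotFixID='%%K'" get HotFixID 2>nul | find /i "%%K" >nul
    if errorlevel 1 (
        echo FAIL: missing update %%K
        set FAIL=1
    )
)

rem Any failure: send no notification, so the client stays quarantined and the
rem remote access server drops the connection when the quarantine time-out expires.
if "%FAIL%"=="1" (
    echo Client does not meet network policy; connection stays quarantined.
    exit /b 1
)

rem All checks passed: notify the listener so the server removes the IP filter.
rqc.exe "%CONN%" "%TUNNEL%" %RQSPORT% "%DOM%" "%USR%" %SCRIPTVER%
if errorlevel 1 (
    echo FAIL: could not notify the remote access server on port %RQSPORT%
    exit /b 1
)
echo Quarantine checks passed; notification sent.
endlocal
exit /b 0
```

Add the script and Rqc.exe on the Additional Files page of the CMAK Wizard so both are embedded in the profile, and keep the script version string in step with the versions Rqs.exe is configured to accept when you change the checks.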
Summary
VPN Quarantine using Network Access Quarantine Control provides a managed way to prevent full access to your intranet until the configuration of the remote access client computer has been verified as complying with network policies. Network Access Quarantine Control uses a CM profile containing an embedded quarantine script and a notifier component, a listener component running on a Windows Server 2003 remote access server, and a quarantine remote access policy. To deploy Network Access Quarantine Control, you must designate and configure quarantine resources, create a quarantine script, install the listener component on the remote access servers, create and distribute the quarantine CM profile, and configure a quarantine remote access policy.
Further Information
For more information on quarantine solutions, go to Microsoft TechNet and search for “VPN Quarantine” and “NAP.”
Topic Checkpoint
Requirements |
---|
Evaluated technologies to enable network quarantine for remote and on-site users. |
Implemented VPN quarantine solution for remote users. |
If you have completed the steps listed above, your organization has met the minimum requirement of the Integrated Quarantine Solution for Unpatched or Infected Computers capabilities of the Infrastructure Optimization Model.