Providing Security for Remote Management

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Remote administration introduces new security considerations into your environment. When you manage servers remotely, sensitive information that normally is not transmitted across a network is sent over your network. For example, server identifying information, configuration information, and other sensitive management information such as user names and passwords can be transmitted. You need to ensure that your remote management tools and tasks do not expose this sensitive data to someone sniffing or eavesdropping on your network. In addition, when you use serial ports for out-of-band management, the null modem connections between the servers and the management computer or other out-of-band hardware component provide no logical security against unauthorized access.

When planning security solutions for remote management, you need to protect against intentional acts as well as accidents. For in-band remote management, you need to consider solutions such as authentication and encryption. If you plan to use dial-up, DSL, or broadband digital cable connections across a VPN, you also need to plan your firewall configuration. For out-of-band remote management, you need to plan physical security solutions to protect the inherently insecure serial connections. Finally, you need to determine a strategy for user rights and shared folder permissions so that only authorized administrators can perform authorized management tasks.

As you plan your remote management security strategy, you need to make sure that:

  • The server allows administrative commands only from an authenticated computer.

  • The server accepts administrative commands only from an authenticated administrator.

  • Confidential information — including administrative commands and configuration settings — cannot be intercepted, read, or changed by intruders.

  • Log files are viewed by using a secure method.

A secondary network built specifically for remote management can increase security, performance, and availability. You can control access to such a management network by using a secure router.

For more detailed information about assessing security risks inherent in remote management and an overview about how to mitigate or eliminate these security vulnerabilities, see the Storage Technologies Collection of the Windows Server 2003 Technical Reference (or see the Storage Technologies Collection on the Web at https://www.microsoft.com/reskit).

Authentication

When you perform remote administration, you need to log on to the remote computer you want to manage. Remote management tools use several different authentication protocols — some stronger than others — to ensure that only authorized users can access computers remotely. For example, some tools use the Kerberos version 5 authentication protocol and others use the NTLM authentication protocol. Kerberos authentication is more secure than NTLM authentication.

You can mitigate the vulnerabilities of less secure authentication protocols by configuring one or more Group Policy settings. Configure these policy settings for maximum protection if either of the following is true:

  • You are administering remote computers in an environment that forces NTLM authentication.

  • You are administering remote computers with remote management tools that use NTLM authentication.

For information about environments that force NTLM authentication and the description and location of Group Policy settings you can use with NTLM, see the Storage Technologies Collection of the Windows Server 2003 Technical Reference (or see the Storage Technologies Collection on the Web at https://www.microsoft.com/reskit).

Encryption

Some remote management tools encrypt data — including passwords — before transmitting it across the network, while others do not. Unencrypted data makes your network vulnerable to eavesdropping and sniffing.

If you decide to use a remote management tool that does not encrypt or otherwise secure data, you can mitigate the security issue by using Internet Protocol security (IPSec) to encrypt the communication between the management computer and the server. When you use IPSec, IP packets can pass securely through routers or other computers that do not support IPSec. You administer IPSec by using policies, which you can configure for the specific security requirements of individual computers, domains, organizational units, sites, or your entire enterprise. If you plan to support dial-up remote management, consider using IPSec across a VPN connection. For more information about VPN and about using IPSec with VPN, see the Networking Collection of the Windows Server 2003 Technical Reference (or see the Networking Collection on the Web at https://www.microsoft.com/reskit).

For information about IPSec policies, see "Internet Protocol Security (IPSec)" in Help and Support Center for Windows Server 2003. For more information about IPSec in general, see the Networking Collection of the Windows Server 2003 Technical Reference (or see the Networking Collection on the Web at https://www.microsoft.com/reskit).
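As an added illustration (not part of the original guidance), the following netsh ipsec static commands, run at a command prompt on the managed server, build an IPSec policy that requires Kerberos-authenticated, ESP-encrypted traffic for Terminal Services (TCP 3389) from the management computer. The policy, filter list, and filter action names, and the address 192.0.2.10 for the management computer, are assumptions chosen for this example.

```bat
rem Added example: names and the 192.0.2.10 address are placeholders, not values from this guide.

rem 1. Create an empty policy to hold the remote management rule.
netsh ipsec static add policy name="RemoteMgmt" description="Secure remote management traffic"

rem 2. Describe the traffic to protect: management computer <-> this server, TCP 3389.
rem    mirrored=yes also matches the reply packets in the opposite direction.
netsh ipsec static add filterlist name="MgmtTraffic"
netsh ipsec static add filter filterlist="MgmtTraffic" srcaddr=192.0.2.10 dstaddr=Me protocol=TCP srcport=0 dstport=3389 mirrored=yes

rem 3. Require negotiated security with ESP encryption and integrity.
rem    inpass=no : do not accept unsecured inbound packets that match the filter.
rem    soft=no   : do not fall back to unsecured communication if negotiation fails.
netsh ipsec static add filteraction name="RequireESP" inpass=no soft=no action=negotiate qmsecmethods="ESP[3DES,SHA1]"

rem 4. Bind the filter list to the filter action; peers authenticate with Kerberos V5.
netsh ipsec static add rule name="MgmtRule" policy="RemoteMgmt" filterlist="MgmtTraffic" filteraction="RequireESP" kerberos=yes

rem 5. Assign (activate) the policy on this computer, then review the result.
netsh ipsec static set policy name="RemoteMgmt" assign=y
netsh ipsec static show policy name="RemoteMgmt" level=verbose
```

A matching policy with the filter reversed (srcaddr=Me and dstaddr set to the server) must be assigned on the management computer, or the two computers cannot negotiate. Kerberos authentication for the rule requires both computers to be members of the same domain or of trusted domains.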

For detailed information about using encryption for remote management, see the Storage Technologies Collection of the Windows Server 2003 Technical Reference (or see the Storage Technologies Collection on the Web at https://www.microsoft.com/reskit).

Physical Security

Although corporate servers must always be situated in secure locations, out-of-band management introduces another physical security issue: the serial connections between servers and out-of-band management components, such as a remote management computer or a terminal concentrator, need to be protected physically because null modem connections provide no logical security. Some ways to provide physical security include:

  • Keeping server rooms locked with secured access, such as keys, smart cards, or passwords.

  • Using terminal concentrators or intelligent UPSs to consolidate access to servers and keeping these out-of-band hardware components in the same secured room with the servers.

  • Keeping cable lengths short to prevent the possibility of extending them outside the secured room.

Rights and Permissions

After you know which servers you plan to manage remotely and which administrators are responsible for specific administrative tasks, you need to set up security groups and assign administrators membership in order to grant them access to remote resources. As you define your security groups, set up administrative tasks with the minimum necessary administrative credentials. By using this technique, you can avoid assigning users a higher security level than they need to perform the tasks for which they are responsible. For recommendations about assigning permissions and user rights, see "Best practices for permissions and user rights" in Help and Support Center for Windows Server 2003.

Two types of security considerations are important in remote administration: user rights and shared folder permissions.

User rights   User rights control the tasks you can perform on a computer, such as setting up user accounts or installing hardware. Depending on the security model and the group structure you use, you might have to configure user rights on each server and management computer, or you might be able to configure them on the domain controller.

Shared folder permissions   Shared folder permissions control which users or groups can gain access to the contents of a shared folder remotely over the network, as well as which actions users or groups can perform on the contents of those folders. You can configure shared folder permissions on the server and enable users to gain access to the folders remotely over the network. For example, you can assign Read or Full Control.

You need to configure user rights and shared folder permissions if administrators need to do the following:

  • Access the administrative shares on a remote computer.

  • Log on to computers remotely by using terminal emulation or command console programs.

  • Access files or folders on a remote computer.

You can centrally control remote management by using Group Policy settings related to remote management. Group Policy settings for computer configuration include security settings that restrict how a user can access files, folders, and computers, as well as administrative template settings that change the behavior and appearance of remote management tools and technologies, such as Terminal Services.

Important

  • Terminal Services is affected by the Internet Explorer Enhanced Security Configuration, which places your server and Microsoft Internet Explorer in a configuration that decreases the exposure of your server to attacks that can occur through Web content and application scripts. As a result, some Web sites might not display or perform as expected. For more information, see "Before Installing Terminal Server" and "Internet Explorer Enhanced Security Configuration" in Help and Support Center for Windows Server 2003.

For information about groups, user rights, permissions, and authorization and access control, see the Windows Security Collection of the Windows Server 2003 Technical Reference (or see the Windows Security Collection on the Web at https://www.microsoft.com/reskit). For information about configuring user rights and permissions for remote management, see the Storage Technologies Collection of the Windows Server 2003 Technical Reference (or see the Storage Technologies Collection on the Web at https://www.microsoft.com/reskit).

Secondary Management Network

In addition to authentication, encryption, and user rights, you can add an extra layer of network security by placing your remote management system on a separate network segment and controlling access by using a secure router, as shown in Figure 5.11. You can use this configuration to control exactly which users and computers are allowed access to the management system.

Figure 5.11   Secondary Management Network


In this configuration, the servers are connected to the terminal concentrator with null modem cables, and all these components are located in a secure room. The management computer can access the servers by connecting to the terminal concentrator through the secure router. The management computer can use an in-band connection or a remote access connection through a remote access server.