Systems Server Configuration Manual Computer Science Essay

This instruction manual was prepared solely for the configuration of the operating systems (Windows Server 2008 and Linux server) used by the office systems administrator at Wharf Traders Limited. It gives a clear, systematic guide to configuring appropriate security controls to secure the operating and communication platform within the internal and external networks of Wharf Traders Limited.

Infrastructure Overview

The infrastructure design in this instruction manual describes the communication network, which includes servers (e.g. Windows Server 2008 and Linux servers) and client computers (e.g. Windows XP/Vista) within the Wharf Trader internal LAN (Local Area Network). It also covers the setup of Linux communication servers (Ubuntu Server) for secure communication between the internal organisation (divisions) and its external clients. A typical network topology diagram for Wharf Trader is shown below in Figure 1.

Figure 1

Purpose

The primary purposes of this instruction manual are to enable the systems administrator to do the following:

Use the information provided in this manual as step-by-step guidance to efficiently create and apply tested security baseline configurations for the servers residing within the internal network (i.e. Windows Server 2008, Linux server) and the external network.

Provide systematic security settings and configuration for the applications and services running on the servers.

Use specific security features to create and maintain users and groups for project work, taking into account the security between the internal and external network environments.

Provide step-by-step procedures for authentication, authorisation and access control for both internal and external users (i.e. external advisors, internal employees).

Provide step-by-step procedures using the appropriate methodology for encryption of data in transit and for storage.

Implement recommended procedures for system restoration in the event of failure.

Configure basic audit procedures within the systems for anomalous activities such as possible network compromise or unusual user login behaviour.

Provide an appropriate step-by-step security and maintenance policy for the systems.

Data Classification and Traffic Flow within internal and external network

Data Classification

Data classification is essential to support Wharf Trader's operations in storing and transferring sensitive data and documents over the internal network and the internet infrastructure. It is critical to determine the extent to which the data needs to be controlled and secured, so that the right level of protection and classification can be assigned according to its sensitivity. The data classification for each division in the Wharf Trader organisation is shown in Figure 2.

| Division | Document / Data Classification | Traffic Flow (Data): Internal | Traffic Flow (Data): External | Channel Security (Encryption) |
| --- | --- | --- | --- | --- |
| Corporate Finance | Highly Sensitive | Highly Secure | Highly Secure | SSH, SFTP, IPsec |
| Investment Advice | Sensitive | Secure | Secure | SSL, IPsec |
| Research | Non-Sensitive | Normal | Normal | IPsec |
| Back Office | Non-Sensitive | Normal | Normal | IPsec |

Figure 2

Traffic Flow diagram for Corporate Finance and its Clients (e.g. Accounts, Lawyers, Client Companies)

Figure 3

Traffic Flow diagram for Investment Advice and its Clients (e.g. Market-makers)

Figure 4

Traffic Flow diagram between each division and the Windows File Server

Figure 5

Servers Overview and Categorization

The server setup for Wharf Trader's operating domain should consist of the following:

Two Domain Controllers (WHARFTRADER-DC1 & WHARFTRADER-DC2).

A Member Server (WHARFTRADER-SRV).

Two Communication Servers (WHARFTRADER-COMM1 & WHARFTRADER-COMM2)

Servers Characterization and Services Configuration

Use the following tables, shown in Figures 1.2, 1.3 and 1.4, when setting up the appropriate computer names, operating systems, and network settings that are required to complete the setups in this manual.

Domain Controllers (WHARFTRADER-DC1 & WHARFTRADER-DC2) configuration

Operating System: Microsoft Windows Server 2008

First Domain Controller Setup:

Role: Active Directory Domain Services (AD DS), Domain Name System (DNS)

This is the first Domain Controller in the Wharf Trader organisation. It supports user (e.g. employee) authentication, authorisation and access control to the network resources within the domain.

| Configuration item | Value |
| --- | --- |
| Computer name | WHARFTRADER-DC1 |
| Full DNS name | WHARFTRADER.COM |
| IP address | 192.168.0.1 |
| Subnet mask | 255.255.255.0 |
| Default gateway | 192.168.0.100 |
| Preferred DNS server | 192.168.0.1 |
| Secondary DNS server | 192.168.0.2 |

Second Domain Controller Setup:

Role: Active Directory Domain Services (AD DS), Domain Name System (DNS)

The schema that contains users and workstations is replicated to this Domain Controller from the First Domain Controller and vice versa.

The purpose of having this second Domain Controller is to keep network authentication for the organisation working in the event that either one of the machines fails.

| Configuration item | Value |
| --- | --- |
| Computer name | WHARFTRADER-DC2 |
| Full DNS name | WHARFTRADER.COM |
| IP address | 192.168.0.2 |
| Subnet mask | 255.255.255.0 |
| Default gateway | 192.168.0.100 |
| Preferred DNS server | 192.168.0.2 |
| Secondary DNS server | 192.168.0.1 |

Figure 1.2

Member Server (WHARFTRADER-SRV) configuration

Operating System: Microsoft Windows Server 2008

Role:

File Server Service: The purpose of this File Server is to facilitate file sharing between the Research Division, Corporate Finance and Investment Advice. The communication channel between the client workstations and the File Server within the local area network is secured with IP security technology (IPsec).

Dynamic Host Configuration Protocol (DHCP): DHCP assigns IP addresses automatically, which is easier to manage than statically assigning an IP address to every client machine by hand. DHCP also supports scalability and control, as each division has a dedicated range of IP addresses.

Network File System (NFS) service: The purpose of the NFS service is to facilitate the backup of files from the Linux Server (Communication Server).

SSH Server service: To support the transfer of sensitive files (e.g. audit archives) using a secure communication application/protocol such as File Transfer Protocol over SSH (SFTP).

| Configuration item | Value |
| --- | --- |
| Computer name | WHARFTRADER-SVR |
| Full DNS name | WHARFTRADER.COM |
| IP address | 192.168.0.3 |
| Subnet mask | 255.255.255.0 |
| Default gateway | 192.168.0.100 |
| Preferred DNS server | 192.168.0.1 |
| Secondary DNS server | 192.168.0.2 |
| DHCP IP range: Corporate Finance | 192.168.1.2 |
| DHCP IP range: Investment Advice | 192.168.2.2 |
| DHCP IP range: Research | 192.168.3.2 |
| DHCP IP range: Back Office | 192.168.4.2 |

Figure 1.3

Communication Server (WHARFTRADER-COMM1 & WHARFTRADER-COMM2) configuration

Operating System: Ubuntu Server Edition 9.10 (Linux Kernel 2.6.31)

Role: The First Communication Server supports secure communication between corporate finance and its clients (e.g. new market entrants and their other advisors such as accountants and lawyers).

| Configuration item | Value |
| --- | --- |
| Computer name | WHARFTRADER-COMM1 |
| IP address | 192.168.5.2 |
| Subnet mask | 255.255.255.0 |
| Default gateway | 192.168.5.1 |
| Preferred DNS server | 192.168.0.1 |
| Secondary DNS server | 192.168.0.2 |

Role: The Second Communication Server supports secure communication between investment advisors (brokers) and their clients (e.g. investment clients).

Both servers use a secure communication application/protocol such as File Transfer Protocol over SSH (SFTP).

| Configuration item | Value |
| --- | --- |
| Computer name | WHARFTRADER-COMM2 |
| IP address | 192.168.5.3 |
| Subnet mask | 255.255.255.0 |
| Default gateway | 192.168.5.1 |
| Preferred DNS server | 192.168.0.1 |
| Secondary DNS server | 192.168.0.1 |

Figure 1.4

Domain Controllers Setup

Domain Controller Setup with Active Directory and DNS

A Domain Controller with an Active Directory implementation is necessary to support the authentication and authorisation process for all users in the different divisions of Wharf Trader's operating environment. Users from each division will be assigned appropriate security settings and access rights to use the IT resources provided by Wharf Trader.

Setting up the First Domain Controller (Windows Server 2008 Platform)

Tasks:

Prepare the First Domain Controller [1]. Configure the Domain Controller based on the settings shown in Figure 1.2.

The computer name for this server: WHARFTRADER-DC1

IP address: 192.168.0.1

Subnet mask: 255.255.255.0

Default gateway: 192.168.0.100

Promote the First Domain Controller. There are a few configurations to take note of:

Fully Qualified Domain Name of the forest root domain: WHARFTRADER.COM

Domain NetBIOS Name, accept the default name: WHARFTRADER

Additional Domain Controller Options, keep the checkbox beside DNS Server selected

DNS delegation manually: Yes

Directory Services Restore Mode (DSRM) Administrator Password: Use a complex password that contains a combination of uppercase and lowercase letters, numbers, and symbols.

Log On as an Administrator (Member of the Domain Administrators Group)

Check the DNS Zone for the First Domain Controller

Setting up the Second Domain Controller (Windows Server 2008 Platform)

A second Domain Controller is deployed to the domain to improve the availability and reliability of network services. Having additional Domain Controllers can help provide fault tolerance, balance the load of existing Domain Controllers, and provide additional infrastructure support to its clients.

Tasks:

Prepare the Second Domain Controller. Configure the Domain Controller based on the settings shown in Figure 1.2.

The computer name for this server: WHARFTRADER-DC2

IP address: 192.168.0.2

Subnet mask: 255.255.255.0

Default gateway: 192.168.0.100

Join the Second Domain Controller to WHARFTRADER.COM Domain

Install the DNS Service on the Second Domain Controller

Promote the Second Domain Controller. There are a few configurations to take note of:

Deployment Configuration: Existing forest and Add a domain controller to an existing domain

Network Credentials: The Domain name is WHARFTRADER.COM

Configure the Second Domain Controller as a Global Catalog Server

There is no need to create the DNS delegation

Install from Media: choose to either replicate data over the network from an existing domain controller

Log On as an Administrator (Member of the Domain Administrators Group)

Note: The Second Domain Controller is configured as a Global Catalog Server so that it can serve as a backup server in the event of a system failure.

Member Server Setup

Server Setup for DHCP, File and NFS services

The research materials from the research division are hosted on the File Server to facilitate common sharing of sensitive information amongst corporate finance and investment advisors. These research materials include pricing of shares and potential companies' information from the market. Moreover, this File Server can serve as a central backup server to store all the systems' backup data. This includes the Domain Controllers, File Server and Communication Servers (Linux Servers).

Setting up the File Service Role (Windows Server 2008 Platform)

Tasks:

Prepare the Member Server based on the settings shown in Figure 1.3.

The computer name for this server: WHARFTRADER-SVR

IP address: 192.168.0.3

Subnet mask: 255.255.255.0

Default gateway: 192.168.0.100

Join the Member Server to WHARFTRADER.COM Domain

Promote the Member Server as a File Server [2] 

Check the Server Manager console to ensure the File Services role is added

Setting up the DHCP Service Role (Windows Server 2008 Platform)

Tasks:

Promote the Member Server as a DHCP Server [3]

Check the Server Manager console to ensure the DHCP Server Services role is added

There are a few configurations to take note of:

Create a new Scope (a different IP address range for each division) based on the settings shown in Figure 1.3.

Create a new Reservation to ensure that a DHCP client (workstation) from each division is always assigned the same IP address.

Log on as an Administrator (member of the Domain Administrators Group) when accessing this Member Server.

Note: Windows Server 2008 has a default Domain Controller Policy and a default Domain Policy. The password policy in the default Domain Policy is enabled by default. (Security by Deployment)

Setting up the Services for Network File System (NFS) Role (Windows Server 2008 Platform)

Tasks:

Install Network File System (NFS) [4] service as an NFS server

Configuring NFS authentication (e.g. wtcommadmin)

Creating an NFS shared folder

Specifying permissions for folders (e.g. Read, Write, and Execute permissions)

Mount the NFS shared folder from the Communication Server (Linux Server)

An SSH server [5] must be installed on Windows Server 2008 to secure the traffic from the communication server for file transfers (e.g. backup archives, audit logs)

Communication Server Setup

Communication Server Setup (Ubuntu Server Edition - Linux Kernel 2.6.31)

This communication server setup supports secure communication traffic between corporate finance and its clients (e.g. new market entrants and their other advisors such as accountants and lawyers).

Setting up First Linux Server (Ubuntu Server)

Tasks:

Prepare the Communication Server [6] based on the settings shown in Figure 1.4.

The name for this server: WHARFTRADER-COMM1

IP address: 192.168.5.2

Subnet mask: 255.255.255.0

Default gateway: 192.168.5.1

Once the First Communication Server (Ubuntu - base system) is installed, there are a few configurations to take note of:

Change the root password to a strong password

Create a lesser privileged user, this user will have root access through the sudo utility as required (e.g. wtcsadmin)

Ensure a strong password policy:

Password Complexity (e.g., a-z, A-Z, !#~% etc)

Maximum Password Age before Password Expiration

Minimum Password Length (at least 8 characters long)

Ensure the openssh [7] server is installed for secure remote access

Ensure the 'PermitRootLogin' value is set to 'no' in the SSH server configuration file [/etc/ssh/sshd_config].

Note: Be sure not to change any other configuration option. Then save the file.

Restart the SSH server so that the configuration changes will be read and implemented by the server. [/etc/init.d/ssh restart]

Setting up Second Linux Server (Ubuntu Server)

Tasks:

Prepare the Communication Server based on the settings shown in Figure 1.4.

The name for this server: WHARFTRADER-COMM2

IP address: 192.168.5.3

Subnet mask: 255.255.255.0

Default gateway: 192.168.5.1

Once the Second Communication Server (Ubuntu - base system) is installed, repeat the steps shown above for configuring the First Linux Server.

Users and Groups Management

To create and maintain users and groups for individual divisions

The purpose of deploying Active Directory [8] is to facilitate the usage of IT resources within the organisation. The creation of users and groups establishes authentication, authorisation and access control for individual groups in the domain.

Figure 1.5 gives an example of the management of memberships in relation to users and groups within a domain with access control permissions to the IT resources.

Example:

Figure 1.5

There are four main divisions within Wharf Trader domain. The planning of storing users, groups, and other objects in "folders" called OUs (organizational units) is highly recommended in order to facilitate the ease of management for administrators.

The tasks for managing the user and group accounts for individual divisions include:

Create Organisation Units (OUs)

Create Users for each division

Create Global Groups in each division

Assign Users to their respective Global Groups

Assign Global Groups to Domain Local Groups for dedicated resources usage

Assigning of Computers to their respective Sub-OU

Organisation Units (OUs) creation

Tasks:

Follow the steps to create the respective Organisation Units (OUs):

Launch the Active Directory Users and Computers from the Administrative Tools menu.

Right-click on the domain (WHARFTRADER.COM) and choose New and then Organizational Unit. (Organisation Unit Dialog box will appear)

In the Organisation Unit Dialog box, type the name of the divisions (e.g. Corporate Finance) and press OK to complete the creation.

Create two Sub-OUs to house the user and computer objects respectively (e.g. CF_UG Accounts, CF_Workstations)

Repeat the above steps to complete the rest of the divisions.

Note: An OU is a Group Policy target, so you can assign a different Group Policy to each OU.

Users creation

Tasks:

Follow the steps to create Users:

Launch the Active Directory Users and Computers from the Administrative Tools menu.

Expand the domain (WHARFTRADER.COM), go to the respective OU (e.g. Corporate Finance) and Sub-OU (e.g. CF_UG Accounts)

Right-click on the Sub-OU (e.g. CF_UG Accounts), choose New and User. (New Object - User Dialog box will appear)

In the New Object - User Dialog box, type the name of the User (e.g. Daniel) and press OK to continue.

On the password-setting screen, set the user's password and then have them change it on their first log-on by selecting "User must change password at next logon".

Click "Finish" on the next screen to complete the user creation process.

Repeat the above steps to complete the rest of the users.

Note: Windows Server 2008 has a default password policy:

Enforce password history: 24 passwords remembered

Maximum password age: 42 days

Minimum password age: 1 day

Minimum password length: 7 characters

Password must meet complexity requirements: Enabled

This default password policy setting (resides in the default Domain Policy) will be re-defined in the implementation of an appropriate security and maintenance management policy section.

Global Groups creation

Tasks:

Follow the steps to create Global Groups:

Launch the Active Directory Users and Computers from the Administrative Tools menu.

Expand the domain (WHARFTRADER.COM), go to the respective OU (e.g. Corporate Finance) and Sub-OU (e.g. CF_UG Accounts)

Right-click on the respective Sub-OU (e.g. CF_UG Accounts), point to New and choose Group from the shortcut menu. (New Object - Group Dialog box will appear)

In the New Object - Group Dialog box, there are a few configurations to take note of:

The group name must be unique in the domain.

For Group Scope, select Global

For Group Type, select Security

Fill in the required information such as the name of the Group (e.g. Corporate_Finance_Grp) and press OK to complete the Group creation process.

Repeat the above steps to complete the rest of the Groups.

Assign Users to their respective Global Groups

Tasks:

Follow the steps to assign Users to their respective Global Groups [9]:

Launch the Active Directory Users and Computers from the Administrative Tools menu.

Expand the domain (WHARFTRADER.COM), go to the respective OU (e.g. Corporate Finance) and Sub-OU (e.g. CF_UG Accounts)

Right click on the highlighted group name and select Properties.

Click on the Members Tab and then click Add.

Note: Make sure the Object Types and Locations fields are pointing to the correct positions

Click Advanced, and click Find Now. All the potential group members will appear in the lower pane.

Highlight the user accounts to be added and click OK to complete the process.

Repeat the above steps to add users to their respective groups.

Assign Global Groups to Domain Local Groups for dedicated resources usage

A Domain Local Group is created to give Global Groups permission to access resources within the domain, such as the Colour Printer.

Tasks:

Create a new Domain Local Group using the same procedure as in Group creation. Take note of the configurations:

For Group Scope, select Domain Local

For Group Type, select Security

Assign permission for each resource (e.g. Colour Printers) to the Domain Local Group.

As the final step, we assign appropriate Global Groups as members of the respective Domain Local Group (e.g. rColorPrintersPrint group).

It is advisable to create an Organisation Unit to group the Domain Local Group to facilitate Global Groups accessing the resources within the domain.

Domain Local Group assignment example is shown in Figure 1.6

Note: A Domain Local Group serves as a common grouping for accessing dedicated resources when maintaining users and groups for project work within the domain.

Assigning of Computers to their respective Sub-OU

The purpose of the computers container in the domain tree is to house computers newly joined to the domain.

The computer names for these computers will show their division's prefix (e.g. CFPC1). These computers are assigned to their respective Sub-OU by dragging and dropping them from the computers container to that Sub-OU (e.g. CF_Workstations).

Tasks:

Go to the computers container in the domain tree

Drag and drop these workstations from the computers container to their respective Sub-OU

Refer to Figure 1.6 for workstations assignment.

Figure 1.6

Authentication and Communication Security

The authentication and communication security within internal and external connection

Domain Controllers Authentication Security

Authentication

The default authentication architecture for the Windows platform is based on Kerberos [10] authentication.

Although Kerberos authentication is suitable for managing a larger network with distributed resources, there are a few points to take note of:

Single Point of Failure - Two Domain Controllers are deployed within the Domain for redundancy in case one of the Domain Controllers is down.

The clocks of the client and the KDC (Key Distribution Centre - normally the Domain Controller for the Domain) must be synchronised to within 5 minutes.

All users will behave as domain users to the Domain Controllers; they need to authenticate to the Domain Controllers in order to gain access to the domain resources.

File Server (Member Server) Communication Security

IPSec Implementation

The IP security (IPsec) mechanism is used to secure the communication channel so that sensitive data transferred across the internal network between each division's workstations and the File Server is protected. This protects the data in transit against network sniffing.

Tasks:

Implement IPsec via Group Policy [11] for each individual Organisation Units when accessing the File Server. (Refer to Section 10 for Domain Policy Setting)

Ensure that those workstations in the domain are IPsec aware in order to communicate with the File Server.

Communication Servers (Authentication and Communication Security between internal and external network)

Secure Shell (SSH) / Secure File Transfer Protocol (SFTP) Implementation

Authentication to the communication servers is based on the user accounts created on the servers (e.g. /etc/passwd). Login credentials sent across the network to a communication server would otherwise be in plaintext, so they must be protected in transit against network sniffing. The same applies to transfers of sensitive data and documents between Corporate Finance / Investment Advice and their clients. Hence, Secure Shell (SSH/SFTP) is used to protect data and documents in transit, as it creates a secure communication channel between the workstations and the communication server, as well as for connections from outside the organisation. (SSH for Remote Connections - client workstations)

Tasks:

Create users and groups to allow only the users (e.g. Corporate Finance / Investment Advisors) to use the communication server

Ensure that the Secure Shell server or service (e.g. OpenSSH) is setup and running in the communication servers (Ubuntu Server)

Back up a copy of the file (/etc/ssh/sshd_config) [12] and protect it from writing

There are a few security configurations to take note of while configuring the SSH (e.g. OpenSSH) server configuration file (/etc/ssh/sshd_config).

Authentication

Use SSH Protocol 2 only

Use Public Key Based Authentication

Configure Idle Log Out Timeout Interval

Disable root Login via SSH

Disable Empty Passwords

Use Strong SSH Passwords and Passphrases (if Public Key Based Authentication is not used)

Authorisation Control

Allow Authenticated Users and Groups Access

Change SSH Port and Limit IP Binding

Chroot SSHD (Lock Down Users To Their Home Directories)

Authorisation Control Enhancement (External File)

Use TCP Wrappers to update /etc/hosts.allow and /etc/hosts.deny

Use Port Knocking (e.g. using iptables)

Create shared folders to allow internal users (e.g. Corporate Finance / Investment Advisors) and their respective clients to transfer files and documents.

Access Control (Shared Folder Permission)

Only allow authenticated users (e.g. Corporate Finance and their respective Clients) to Read / Write to the folder.

Do not allow any authenticated user to change the permissions of the folder except the root administrator.

Only allow certain file types (e.g. Txt, Doc, PDF etc) to be stored in the shared folder. Any files that do not comply with the above will be deleted (use a cron job).
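
The SSH server configuration checklist above, together with the earlier PermitRootLogin step for the communication servers, can be checked mechanically. The following shell script is an added example, not part of the original manual: it reads an sshd_config file and reports checklist items that are weak or not set explicitly. The sample configurations are constructed, and the group name corporate_finance is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original manual. The two sample
# configurations are constructed; "corporate_finance" is an assumed group name.

# Print the effective global value of KEYWORD in FILE. sshd matches keywords
# case-insensitively and keeps the FIRST value it reads for each keyword, so
# a later duplicate line never overrides an earlier one. Lines after the
# first Match keyword are conditional and are not treated as global.
sshd_value() {
    awk -v key="$2" '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

# Report KEYWORD unless its effective value is exactly WANT. A keyword that
# is absent is reported too: built-in defaults differ between OpenSSH
# releases, so the checklist items should be stated explicitly.
expect() {
    ex_got=$(sshd_value "$1" "$2")
    if [ -z "$ex_got" ]; then
        echo "UNSET $2 (want '$3')"
    elif [ "$ex_got" != "$3" ]; then
        echo "WEAK  $2 is '$ex_got' (want '$3')"
    fi
}

# Run the checks; prints one line per finding, nothing if the file passes.
audit_sshd() {
    expect "$1" Protocol 2
    expect "$1" PubkeyAuthentication yes
    expect "$1" PermitRootLogin no
    expect "$1" PermitEmptyPasswords no
    if [ -z "$(sshd_value "$1" AllowUsers)$(sshd_value "$1" AllowGroups)" ]; then
        echo "UNSET AllowUsers/AllowGroups (no account restriction)"
    fi
    au_listen=$(sshd_value "$1" ListenAddress)
    case "$au_listen" in
        ''|0.0.0.0*|::|'[::]'*)
            echo "WEAK  ListenAddress is '${au_listen:-unset}' (binds all interfaces)" ;;
    esac
}

sample_weak() {
    cat <<'EOF'
# constructed sample: settings the checklist warns against
Port 22
Protocol 2,1
PermitRootLogin yes
PermitEmptyPasswords yes
# appended later by an administrator; ignored because "yes" came first
PermitRootLogin no
Match User wtcsadmin
    PubkeyAuthentication yes
EOF
}

sample_hardened() {
    cat <<'EOF'
# constructed sample: the checklist applied on WHARFTRADER-COMM1
Port 22
ListenAddress 192.168.5.2
Protocol 2
PubkeyAuthentication yes
PermitRootLogin no
PermitEmptyPasswords no
AllowGroups corporate_finance
EOF
}

# Demonstration on the two constructed samples.
demo_dir=$(mktemp -d)
sample_weak > "$demo_dir/weak"
sample_hardened > "$demo_dir/hardened"
echo "weak sample:";     audit_sshd "$demo_dir/weak"
echo "hardened sample:"; audit_sshd "$demo_dir/hardened"
rm -rf "$demo_dir"
```

Newer OpenSSH releases speak protocol 2 only, so the Protocol check matters for the OpenSSH generation this manual targets.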

Storage Security

The storage security within the file server and communication server

File Server (Member Server) Storage Security

The encryption of files on the file server is essential in order to protect sensitive data and documents stored by the Research division. These files will be stored in separate folders on the file server, to be served to and accessed by different divisions (e.g. Corporate Finance or Investment Advisors) respectively.

Encrypting File System (EFS) Implementation (Windows Server 2008 Platform)

Encrypting File System (EFS) [13] only encrypts data when it is stored on the file server hard disk. However, EFS does not encrypt data when transmitted across the network. For that purpose, IPsec is implemented as a protection mechanism to secure the data or documents in transit.

Tasks:

Enable the Local Policy to allow EFS support on the File Server.

Take note of the option when EFS is allowed:

Encrypt the contents of the user's Documents folder

Setting appropriate permissions for users or groups from each division is essential to protect the encrypted folders and files against deletion or listing. Anyone with the appropriate permissions can delete or list encrypted folders or files. For this reason, using EFS in combination with NTFS [14] permissions is recommended.

Note: The policy setting for EFS is located in the Local Group Policy Editor under Local Computer Policy\Windows Settings\Security Settings\Public Key Policies\Encrypting File System.

Communication Server Storage Security

Data exchanged between Corporate Finance / Investment Advisors and their respective clients shall be protected once it is transferred to the respective folder on the communication server. The purpose of implementing storage security on each user's or group's folder is to keep data private from other users on the system.

eCryptfs implementation (Linux Platform)

The storage security on the communication server could be implemented using eCryptfs [15] (an enterprise-class stacked cryptographic filesystem for the Linux operating system).

Tasks:

Ensure the necessary package (ecryptfs-utils) is installed

Use this encryption package to encrypt the respective partition where the shared folders between the Corporate Finance / Investment Advisors and their respective clients reside.

Encrypt the partition of the groups' or users' working directory (e.g. /home/corporate_finance)

Setting appropriate directory permissions for users or groups from each division is essential to protect the encrypted folders and files against deletion or listing.

Backup and Restoration Procedures

The backup and restoration utility for Windows and Linux Platform

Backup and Restoration Procedures for Windows Platform (Domain Controller and File Server)

The Windows Server Backup [16] feature in Windows Server 2008 is a backup tool that provides a solution for day-to-day backup and recovery needs. Windows Server Backup is capable of backing up a full server (all volumes), selected volumes, or the system state. In the event of hard disk failures, it is possible to perform a system recovery that will restore the complete system including volumes, folders, files, certain applications, and the system state onto the new hard disk, by using a full server backup and the Windows Recovery Environment.

Windows Server Backup Implementation (Windows Server 2008 Platform)

The importance of having a data backup procedures / policy is to prevent data loss in the event of a complete system failure. For this reason, the Windows Server Backup program is designed to assist an organisation in planning a backup and restoration procedures / policy.

Tasks:

Backup all critical systems such as Domain Controllers and File Server (Windows Platform). This includes:

Domain Controllers

System state of the Servers (to recover back its original state before system failure)

System Boot Files

Active Directory

SYSVOL folder (includes all the Group Policies)

Event Logs

File Server (Member Server)

Selected volumes that contain the Shared Folders and Files

(e.g. Research Materials for Corporate Finance and Investment Advisors)

Backup selected workstations from individual divisions based on data criticality status

Create an appropriate Backup Schedule to run the Backup jobs.

Types of Backup to take note:

Normal Backup

Incremental Backup

Differential Backup

All Backup shall be stored at the central storage (holding medium such as hard disks) with RAID (Redundant Array of Inexpensive Disks) capability. Refer to Figure 1.

Restoration of files shall be performed to verify that the data is:

written to the storage medium and

a workable copy if restored on an entirely separate machine

Note: The account that creates and executes backup jobs must be a member of the Domain Administrator group (e.g. Administrator or Backup Operator)

Backup and Restoration Procedures for Linux Platform (Communication Server)

One of the simplest ways to back up a Linux system is to use the available command line utilities (tar and cron) for backup and restoration. The tar [17] utility creates an archive file from the selected directories or files, and the cron [18] utility schedules and executes backup jobs using scripts (e.g. shell script, Perl script). These scripts could move the archive file to the central storage (Windows File Server) using the NFS mount function.

Tasks:

Create a shell script [19] to backup all critical system files and directories.

This includes:

System state of the Servers (to recover back its original state before system failure)

System Files (e.g. /home /etc /usr /local /opt /var /root /boot)

System Log Files (e.g. /var/log/syslog)

Directories that hold important information (e.g. corporate finance / investment advisors)

Ensure the SSH server is running to secure the connection to the NFS shared folder in the central storage during files transfer.

The shell script should establish a secure channel with SSH server running in the File Server (NFS shared Folder) for transferring of the backup archives across the internal network securely.

Use the cron utility to create an appropriate schedule to run the backup jobs.

Restoration of files shall be performed to verify that the data is:

written to the storage medium and

workable copy if restore on an entirely separate machine

Note: Only allow an administrator (e.g. wtcommadmin) to perform backups, restore an archive, and automate the backup process.
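The tasks above can be combined into one script, shown here as an added example that is not part of the original manual: it archives with tar, performs the restore test into a scratch directory before shipping, and copies the result over SSH. The file server host name, the remote and staging directories and the script path in the cron line are assumptions.

```bash
#!/bin/bash
# Added example, not the manual's own script. Assumed names: the file server
# host, REMOTE_DIR, the local staging directory and the script path in cron.
FILE_SERVER="wtcommadmin@fileserver.example"  # assumption: SSH login on the central storage
REMOTE_DIR="/srv/backups/commserver"          # assumption: target directory on that server
umask 077   # the archive contains /etc/shadow; keep it readable by its owner only

# make_backup DEST SRC... : archive the SRC paths into DEST, store a SHA-256
# checksum beside the archive, and print the archive path.
make_backup() {
    local dest name rc
    dest=$1; shift; rc=0
    mkdir -p "$dest" || return 1
    name="backup-$(uname -n)-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -czpf "$dest/$name" "$@" || rc=$?
    # GNU tar exits 1 when a file changed while it was being read (normal for
    # live logs); 2 or more is a fatal error.
    [ "$rc" -le 1 ] || return 1
    ( cd "$dest" && sha256sum "$name" > "$name.sha256" ) || return 1
    printf '%s\n' "$dest/$name"
}

# verify_backup ARCHIVE : the restore test the manual asks for. Re-reads the
# archive from storage (checksum), restores it into a scratch directory, and
# confirms that every archived member exists after the restore.
verify_backup() {
    local dir name scratch rc
    dir=$(dirname "$1"); name=$(basename "$1"); rc=0
    ( cd "$dir" && sha256sum -c "$name.sha256" >/dev/null 2>&1 ) || return 1
    scratch=$(mktemp -d) || return 1
    tar -xzpf "$1" -C "$scratch" || rc=1
    tar -tzf "$1" | while IFS= read -r member; do
        [ -e "$scratch/$member" ] || [ -L "$scratch/$member" ] || exit 1
    done || rc=1
    rm -rf "$scratch"
    return "$rc"
}

# ship_backup ARCHIVE : copy archive and checksum to the central storage over
# SSH (key-based login for the backup account is assumed).
ship_backup() {
    scp -q "$1" "$1.sha256" "$FILE_SERVER:$REMOTE_DIR/"
}

# run_backup : the job cron calls; the paths follow the manual's task list.
run_backup() {
    local archive
    archive=$(make_backup /var/backups/staging /etc /home /root /boot /opt /var/log) || return 1
    verify_backup "$archive" && ship_backup "$archive"
}

# Assumed root crontab entry (02:30 daily), with this file saved as
# /usr/local/sbin/wt-backup.sh:
#   30 2 * * * /bin/bash /usr/local/sbin/wt-backup.sh --run
if [ "${1:-}" = "--run" ]; then run_backup; fi
```

Running verify_backup against the shipped copy on a second machine covers the "entirely separate machine" requirement, since the checksum file travels with the archive.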

Audit Procedures

System Auditing for Windows and Linux Platform

Enable Audit Policy for Windows Platform (Using Group Policy)

The audit functionality on Windows machines provides a logging mechanism that lets the domain administrator monitor malicious activity on any workstation, whether by an internal user or an outside attacker. This activity logging is extremely important because it gives early warning of attempts to break into systems within the domain. The event logs can also serve as evidence for the organisation if legal action is involved.

Tasks:

Configure and enable auditing in the Default Domain Policy [20].

(Refer to Section 10 for Domain Policy Setting)

Ensure the Default Domain Policy is linked to the respective OU that hosts the workstations

(e.g. CF Workstations)

Verify the workstations have received the policy.

Ensure that the audit logs are not overwritten when full.

Ensure the audit logs are saved and backed up daily to the central storage in line with the backup policy.

Configure Auditing Package for Linux Platform

The audit package for the Linux platform (Ubuntu) contains the audit utilities needed to monitor the system and the network. These utilities store and search the audit records generated by the audit subsystem.

Tasks:

Install and configure this auditing package [21].

Use the audit utilities to monitor the important directories and files:

Password File (/etc/passwd)

File System (/etc/shadow)

syscall audit (e.g. sshd)

Ensure that the audit logs are not overwritten when full.

Ensure the audit logs are saved and backed up daily to the central storage in line with the backup policy.

Note: Review the audit and event logs regularly.
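One way to check a Linux server against the audit tasks above, as an added example that is not part of the original manual: it reports missing write/attribute watches on /etc/passwd and /etc/shadow, a missing syscall rule, and an auditd.conf that does not set max_log_file_action to keep_logs. The sample rules, their keys and the use of keep_logs to meet the "not overwritten" task are assumptions.

```bash
# Added example, not the manual's own tooling. The sample rules and their -k
# keys are constructed; on Ubuntu the real files are normally
# /etc/audit/audit.rules and /etc/audit/auditd.conf.

# sample_rules : constructed rule set that satisfies the manual's tasks.
sample_rules() {
    cat <<'EOF'
# constructed sample rules
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-a always,exit -F arch=b64 -S execve -F exe=/usr/sbin/sshd -k sshd_exec
EOF
}

# has_watch RULES PATH : succeed if RULES holds a -w watch on PATH whose -p
# permissions include both w (write) and a (attribute change).
has_watch() {
    awk -v path="$2" '
        $1 == "-w" && $2 == path {
            for (i = 3; i < NF; i++)
                if ($i == "-p" && $(i + 1) ~ /w/ && $(i + 1) ~ /a/) found = 1
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# keeps_logs CONF : succeed if auditd.conf sets max_log_file_action to
# keep_logs, which rotates logs without ever deleting the old ones.
keeps_logs() {
    awk -F'=' '
        { key = $1; val = $2; gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val) }
        tolower(key) == "max_log_file_action" { action = tolower(val) }
        END { exit (action == "keep_logs" ? 0 : 1) }' "$1"
}

# audit_gaps RULES CONF : print one line per unmet task; no output means the
# configuration covers all of them.
audit_gaps() {
    local p
    for p in /etc/passwd /etc/shadow; do
        has_watch "$1" "$p" || printf 'missing write/attribute watch: %s\n' "$p"
    done
    grep -Eq '^-a[[:space:]]+(always,exit|exit,always)[[:space:]].*-S[[:space:]]' "$1" \
        || printf 'missing syscall rule\n'
    keeps_logs "$2" || printf 'logs can be overwritten: max_log_file_action is not keep_logs\n'
}
```

With keep_logs the disk eventually fills, so the daily copy to central storage required above also needs to clear out local logs that are already backed up.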

Group Policy Implementation

Domain Security Policy

Configure an appropriate Domain Policy for Security Implementation (Windows Platform)

Using Group Policy [22] instead of a manual configuration process makes it simple to manage and update changes for many computers and users. GPOs ensure that specific policy settings, user rights, and computer behavior apply to the computers or users in an OU.

Note: The policy settings in domain-based GPOs are different from those applied locally; the domain-based GPO policy settings will overwrite the locally applied policy settings.

Implementation of a baseline security for Wharf Trader's operation infrastructure requires a minimum of the following GPOs:

A policy for the domain

A policy to provide the baseline security settings for the domain controller

An IPsec security policy, separate from the above-mentioned policies, that allows each workstation in the individual Organisation Units of the Wharf Trader organisation to access the File Server over an encrypted channel.

An IPsec security policy applicable to the workstations of each Organisation Unit in the Wharf Trader domain.

Domain Policy Settings

These security settings are applied to the domain through the Computer Configuration node in the Group Policy Object Editor. The following setting groups appear in the Windows Settings sub-node within the Computer Configuration node:

Password Policy

Account Lockout Policy Settings

Audit Policy Settings

Tasks:

Refer to Appendix A for Password, Account Lockout and Audit Policies Configurations.

(Table 1, Table 2 and Table 3 respectively)

Domain Controller Policy Settings

These security settings are applied only to the domain controller through the Computer Configuration node in the Group Policy Object Editor. The following setting groups appear in the Windows Settings sub-node within the Computer Configuration node:

User Right Assignment Settings

Security Options Settings

Tasks:

Refer to Appendix A for User Right Assignment and Security Options Configurations.

(Table 4 and Table 5 respectively)

An IPsec Security Policy (Applicable to each OU workstations)

An IPsec security policy that is applicable only to the workstations of each Organisation Unit in the Wharf Trader domain.

Tasks:

Refer to Appendix A for IPsec Policy Configurations. (Table 6)

Integrated Services

Host-Based Firewall Protection and Patch Management Services

Configure an appropriate Domain Firewall Policy (Windows Platform)

Implementing a host-based firewall on every workstation adds an important layer to a "defense-in-depth" security strategy. The host-based firewall helps protect against attacks that originate from inside the network and provides additional protection against attacks from outside the network that manage to penetrate the perimeter firewall (see Figure 1). It helps secure a workstation by dropping all network traffic that does not match the administrator-designed rule set for permitted network traffic.

Tasks:

Configure a Basic Firewall Policy [23] 

Configure a group of firewall rules for Windows clients based on specific needs.

Inbound and Outbound Traffic for Internet Service. (Port 80, 443)

Inbound and Outbound Traffic for Secure Shell Program (SSH Client) running in authorised workstations. (Port 22)

Inbound and Outbound Traffic for IPsec communication. (Port 500, 50, 51)

Inbound and Outbound Traffic for DNS Service. (Port 53 UDP)

Inbound and Outbound Traffic for DHCP Service. (Port 67, 68)

Inbound and Outbound Traffic for SMTP Service. (Port 25)

Allow Inbound Network Traffic within the organisation that Uses Dynamic RPC. (e.g. Port 135)

Turn on the Firewall Log.

Assign this Basic Firewall Policy to the Sub-OU that contains the workstation using the Group Policy Management tool.

Patch Management Service for Windows Platform

Microsoft Windows Server Update Services 3.0 [24] (WSUS) serves software updates to workstations inside the organisation. The WSUS server downloads security updates from its upstream partner (Microsoft) and, once they are approved, issues them to the client workstations that request them.

Tasks:

Install patch management software (WSUS) on one of the Member Servers.

(e.g. File Server)

Plan and Schedule the security updates during off-peak hours.

Apply updates only as required

Define a backup system for restoration

Maintain an audit trail for changes

Only administrative personnel are allowed to approve the security updates upon thorough testing.

Patch Management Service for Linux Platform (Linux Communication Server)

Software updates for the Linux Communication Server (Ubuntu Server) are delivered through Ubuntu's package management system [25] (e.g. Ubuntu's Advanced Packaging Tool (APT) for Ubuntu-based systems).

Tasks:

Use Ubuntu's package management system to install new software packages and security updates for the Linux system (e.g. Linux Communication Server).

Plan and Schedule the security updates during off-peak hours.

Apply updates only as required

Define a backup system for restoration

Maintain an audit trail for changes

Only administrative personnel are allowed to approve the security updates upon thorough testing.

Appendix A

Table 1: Password Policy Configuration

Procedures

Configure Password Policy Settings by using Group Policy Management Editor at the domain level.

Setting

Use the baseline security setting (Windows Server 2008 Enterprise Domain Policy) to configure the default domain policy:

Enforce password history: 24 passwords remembered

Maximum password age: 90 days

Minimum password age: 1 day

Minimum password length: 8 characters

Password must meet complexity requirements: Enabled

Store passwords using reversible encryption: Disabled

Table 2: Account Lockout Policy Configuration

Procedures

Configure Account Lockout Policy Settings by using Group Policy Management Editor at the domain level.

Setting

Use the baseline security setting (Windows Server 2008 Enterprise Domain Policy) to configure the default domain policy:

Account lockout duration: 15 minute(s)

Account lockout threshold: 10 invalid logon attempt(s)

Reset account lockout counter after: 15 minute(s)

Table 3: Audit Policy Configuration

Procedures

Configure Audit Policy Settings by using Group Policy Management Editor at the domain level.

Setting

Use the baseline security setting (Windows Server 2008 Enterprise Domain Policy) to configure the default domain policy:

Audit account logon events: Success

Audit account management: Success

Audit directory service access: Not Defined

Audit logon events: Success

Audit object access: Not Defined

Audit policy change: Success

Audit privilege use: Not Defined

Audit process tracking: Not Defined

Audit system events: Success

Table 4: User Right Assignment Configuration

Procedures

Configure User Right Assignment by using Group Policy Management Editor at the domain level.

Setting

Use the baseline security setting (Windows Server 2008 Enterprise Domain Controller Policy) to configure the default domain controller policy:

Access this computer from the network: Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS

Add workstations to domain: Administrators

Allow log on through Terminal Services: Administrators

Debug programs: Administrators

Deny access to this computer from the network: Guests

Deny log on as a batch job: Guests

Deny log on locally: Guests

Deny log on through Terminal Services: Guests

Profile single process: Administrators

Profile system performance: Administrators

Remove computer from docking station: Administrators

Replace a process level token: Network Service, Local service

Restore files and directories: Backup Operators, Administrators

Shut down the system: Backup Operators, Administrators

Table 5: Security Options Configuration

Procedures

Configure Security Option Settings by using Group Policy Management Editor at the domain level.

Setting

Use the baseline security setting (Windows Server 2008 Enterprise Domain Controller Policy) to configure the default domain controller policy:

Accounts: Guest account status: Disabled

Accounts: Limit local account use of blank passwords to console logon only: Enabled

Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings: Enabled

Audit: Shut down system immediately if unable to log security audits: Disabled

Devices: Allow undock without having to log on: Disabled

Devices: Allowed to format and eject removable media: Administrators

Devices: Prevent users from installing printer drivers: Enabled

Domain controller: Allow server operators to schedule tasks: Disabled

Domain controller: Refuse machine account password changes: Disabled

Domain member: Digitally encrypt or sign secure channel data (always): Enabled

Domain member: Digitally encrypt secure channel data (when possible): Enabled

Domain member: Digitally sign secure channel data (when possible): Enabled

Domain member: Disable machine account password changes: Disabled

Domain member: Maximum machine account password age: 30 day(s)

Domain member: Require strong (Windows 2000 or later) session key: Enabled

Interactive logon: Do not display last user name: Enabled

Interactive logon: Do not require CTRL+ALT+DEL: Disabled

Interactive logon: Message text for users attempting to log on: Recommended

Interactive logon: Message title for users attempting to log on: Recommended

Interactive logon: Number of previous logons to cache (in case domain controller is not available): 0 logon(s)

Interactive logon: Prompt user to change password before expiration: 14 day(s)

Interactive logon: Require Domain Controller authentication to unlock workstation: Enabled

Interactive logon: Smart card removal behavior: Lock Workstation

Microsoft network client: Digitally sign communications (always): Enabled

Microsoft network client: Digitally sign communications (if server agrees): Enabled

Microsoft network client: Send unencrypted password to third-party SMB servers: Disabled

Microsoft network server: Amount of idle time required before suspending session: 15 minute(s)

Microsoft network server: Digitally sign communications (always): Enabled

Microsoft network server: Digitally sign communications (if client agrees): Enabled

Microsoft network server: Disconnect clients when logon hours expire: Enabled

Network access: Allow anonymous SID/Name translation: Disabled

Network access: Do not allow anonymous enumeration of SAM accounts: Enabled

Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled

Network access: Do not allow storage of credentials or .NET Passports for network authentication: Enabled

Network access: Let Everyone permissions apply to anonymous users: Disabled

Network access: Restrict anonymous access to Named Pipes and Shares: Enabled

Network access: Sharing and security model for local accounts: Classic - local users authenticate as themselves

Network security: Do not store LAN Manager hash value on next password change: Enabled

Network security: LAN Manager authentication level: Send NTLMv2 response only. Refuse LM

Network security: LDAP client signing requirements: Negotiate signing

Network security: Minimum session security for NTLM SSP based (including secure RPC) clients: Require NTLMv2 session security, Require 128-bit encryption

Network security: Minimum session security for NTLM SSP based (including secure RPC) servers: Require NTLMv2 session security, Require 128-bit encryption

Recovery console: Allow automatic administrative logon: Disabled

Shutdown: Allow system to be shut down without having to log on: Disabled

Shutdown: Clear virtual memory pagefile: Disabled

System cryptography: Force strong key protection for user keys stored on the computer: User is prompted when the key is first used

System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing: Disabled

System objects: Require case insensitivity for non-Windows subsystems: Enabled

System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links): Enabled

User Account Control: Admin Approval Mode for the Built-in Administrator account: Enabled

User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop: Disabled

User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode: Prompt for credentials

User Account Control: Behavior of the elevation prompt for standard users: Automatically deny elevation requests

User Account Control: Detect application installations and prompt for elevation: Enabled

User Account Control: Only elevate executables that are signed and validated: Disabled

User Account Control: Only elevate UIAccess applications that are installed in secure locations: Enabled

User Account Control: Run all administrators in Admin Approval Mode: Enabled

User Account Control: Switch to the secure desktop when prompting for elevation: Enabled

User Account Control: Virtualize file and registry write failures to per-user locations: Enabled

Table 6: IPsec Policy Configuration

Procedures

Configure IPsec Policy Settings by using Group Policy Management Editor at the domain level.

Setting

To enable IPSec protection for File Server Services, configure the IPsec security setting in the default domain controller policy:

1. Create an IPSec filter list to match File Server Services packets.

Filter list

The source and destination address of the IP packet:

The IP subnet of Corporate Finance / Investment Advisors

File Server

The protocol over which the packet is being transferred: TCP/IP protocol

The source and destination port for TCP and UDP: TCP

Filter Action:

Accept unsecured traffic, but always respond using IPsec: NO

(Inbound pass-through is not allowed)

Accept unsecured communication with non-IP aware computers: NO

Authentication method, IPsec mode, and Connection Type:

Authentication Method: Preshared key

Tunnel setting (IPsec mode): This option is selected, so transport mode is used

Connection Type: Only to the specified IP address (File Server in this case)

2. Create an IPSec policy to enforce IPSec protection, and then enable the policy.

3. Enable the Client (respond-only) policy on the File Access clients.
