Solved

Dedicated management hosts

Posted on 2011-03-23
Last Modified: 2012-05-11
I have just been working through Microsoft’s MSAT risk assessment tool and one of the controls it suggests I would appreciate some clarification on.

It states:

Does your company use DMH (dedicated management hosts) for the secure administration of systems and devices within the environment? And if so, select systems for which dedicated management hosts exist: servers/network devices.

So can anyone tell me what exactly is a “dedicated management host”, and what is the risk of administrating say your payroll server without a “dedicated management host”, what risks could they impose on the server itself? What features on a DMH would prevent this type of risk? Is it practical in big IT shops where you have numerous sensitive servers to use DMHs?
0
Question by:pma111
 
LVL 18

Accepted Solution

by:
liddler earned 200 total points
ID: 35197210
So a dedicated management host is a server used specifically to only manage other servers; in a Windows system it might hold the cert to be allowed to terminal server onto production servers, in Linux it would be the only sshd entry in tcpwrappers on prod servers.
The host would have restricted access and the highest level of security possible, maybe two-factor authentication on internal networks or in their own, firewalled, VLAN.
0
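The tcpwrappers arrangement described in the accepted answer, turned into a check (an added example, not part of the original thread): it parses hosts.allow and hosts.deny content and reports anything that lets a host other than the dedicated management host reach sshd. The address 10.0.50.10, the sample file contents and the function names are constructed for illustration; only literal entries and ALL are understood, and any other pattern (including EXCEPT) is reported as not approved.

```python
import re

def _tokens(field):
    # Daemon and client lists are separated by blanks and/or commas.
    return [t for t in re.split(r"[\s,]+", field.strip()) if t]

def parse_rules(text):
    """Return [(daemons, clients)] from hosts.allow / hosts.deny content."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if ":" not in line:
            continue
        fields = line.split(":")               # simplification: no IPv6 literals
        rules.append((_tokens(fields[0]), _tokens(fields[1])))
    return rules

def covers(daemons, service):
    return service in daemons or "ALL" in daemons

def audit(allow_text, deny_text, approved, service="sshd"):
    """List reasons why `service` is reachable from non-approved hosts."""
    findings = []
    for daemons, clients in parse_rules(allow_text):
        if not covers(daemons, service):
            continue
        for client in clients:
            if client not in approved:         # wildcards count as unapproved
                findings.append(
                    f"hosts.allow admits non-DMH client '{client}' to {service}")
    # tcpwrappers grants access when neither file matches, so an explicit
    # catch-all deny is required for the allow-list to mean anything.
    default_deny = any(covers(d, service) and c == ["ALL"]
                       for d, c in parse_rules(deny_text))
    if not default_deny:
        findings.append(
            f"hosts.deny has no '{service}: ALL' rule, so unlisted hosts are allowed")
    return findings

# Constructed sample data: one approved management host.
APPROVED = {"10.0.50.10"}
GOOD_ALLOW, GOOD_DENY = "sshd: 10.0.50.10\n", "sshd: ALL\n"
WEAK_ALLOW, WEAK_DENY = "sshd: 10.0.50.10, 192.168.1.\n", "# nothing denied\n"

if __name__ == "__main__":
    for name, a, d in (("good", GOOD_ALLOW, GOOD_DENY), ("weak", WEAK_ALLOW, WEAK_DENY)):
        print(name, audit(a, d, APPROVED) or "OK: only the DMH can reach sshd")
```

Upstream OpenSSH removed tcpwrappers support in version 6.7, so on systems built without libwrap the same allow-list has to be enforced in the host firewall or sshd_config instead.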
 
LVL 3

Author Comment

by:pma111
ID: 35197252
Is it always a server, and not a workstation?

Is it so admins don't admin a server via RDP on their untrusted workstations?
0
 
LVL 18

Expert Comment

by:liddler
ID: 35197659
Server or workstation doesn't matter, but servers are typically more locked down than workstations.

It is to reduce the attack vector; it is best practice to admin from a host that doesn't have web browsing or USB access, so a trojan / virus etc. that might get onto a machine via a download or USB cannot get into production.

0
 
LVL 3

Author Comment

by:pma111
ID: 35197764
Thanks for the information.

Is this kind of thing common practice or pretty rare?

Is there kind of a Windows template on what to use for workstations / servers that are to be used as these management hosts?

Is there a way to enforce this as well, i.e. only accept connections from approved management hosts and deny from all others, like an untrusted workstation accessing it via RDP or whatever from his workstation?

Also if it's a dedicated management server, how does the admin log in to the server to do his admin on other servers? If say the server is 60 miles away in a different data centre, and then how can it be trusted that logging into the dedicated management host from a workstation using whatever remote software is not exposing a risk?
0
 
LVL 3

Author Comment

by:pma111
ID: 35197790
by the way

>> in a Windows system it might hold the cert to be allowed to terminal server onto production servers

Can you go into a bit more detail on this concept as it's not something I am familiar with. Is it not a case of with the correct pwd any workstation/server in the domain can remote onto a server if they have the right password, be it domain/local?
0
 
LVL 3

Author Comment

by:pma111
ID: 35197798
And does all of this hamper IT admins just wanting to do their job?

i.e. their comeback may be this stuff is not practical, there may be times when they need to remote onto a server from another machine except this dedicated management console.

As I don't work as an IT admin I don't really know if that's a valid excuse or not, what's your view?
0
 
LVL 18

Expert Comment

by:liddler
ID: 35197893
>> Is this kind of thing common practice or pretty rare?
I've not been in enough places to answer that; most Unix / Linux places I've worked do this kind of thing,
most Windows places don't....

>> Is there kind of a Windows template on what to use for workstations / servers that are to be used as these management hosts?
Possibly, but it all depends on what sort of systems you have, but basically get a host, server or workstation, switch off everything you don't need and keep it patched. Use MBSA (http://technet.microsoft.com/en-us/security/cc184923) to check security regularly.

>> Is there a way to enforce this as well, i.e. only accept connections from approved management hosts and deny from all others, like an untrusted workstation accessing it via RDP or whatever from his workstation?
Install a certificate authority, sign certs and require them for RDP - lots on Technet and here on EE about that.

>> Also if it's a dedicated management server, how does the admin log in to the server to do his admin on other servers? If say the server is 60 miles away in a different data centre, and then how can it be trusted that logging into the dedicated management host from a workstation using whatever remote software is not exposing a risk?
By daisy chain: only allow access to the admin host from specific certified remote hosts, or via something like Citrix.

>> And does all of this hamper IT admins just wanting to do their job?

I've worked both as an Admin (give me all access, I NEED it) and now as a security manager (only as much access to get the job done). Anything like this, if done properly, will not stop an admin doing their job; the usual reason for not doing it is the admin may not know what access they need to do their job, so they default to give me everything. It's our job to help work out what they need and give them EXACTLY that, so they can do everything they need and not to allow anything else.



0
 
LVL 3

Author Comment

by:pma111
ID: 35197937
Thanks a lot for the pointers. The issue I was wondering about with workstations used to manage other servers is the software they have on them. Most exploits you hear of these days are for stuff like Adobe Flash and Adobe Reader, and as far as I know it's a nightmare to pro-actively patch these, so I would say a workstation is more likely to have been affected than a server, I guess. I suspect in most places admins use RDP onto sensitive servers and I doubt there's anything to stop them doing this if they had credentials.

But some may not have the luxury of several machines, one for admin duties, one for day to day. As even if the admin is an approved user who can RDP onto a server for admin duties, that workstation will still likely have email, web access, USB open ports on etc. Are you saying the workstation used (and approved) to RDP onto the dedicated management host for admin purposes should also have no web access, email or USB, or unnecessary client apps like Adobe?
0
 
LVL 3

Author Comment

by:pma111
ID: 35197953
If you could dig me out a technet link specific to certs and RDP I'd be most grateful, just done some searches on there and got hits but not sure if I am looking at the right thing
0
 
LVL 3

Author Comment

by:pma111
ID: 35198170
I also suspect going down the certificate authority route means significant £cost to buy certificates and implement? I guess that's another reason people don't use it.
0
 
LVL 18

Expert Comment

by:liddler
ID: 35199277

>> But some may not have the luxury of several machines, one for admin duties, one for day to day
You could use VM images instead of separate machines, but yes there would be a cost.

>> If you could dig me out a technet link specific to certs and RDP I'd be most grateful, just done some searches on there and got hits but not sure if I am looking at the right thing
No, I was primarily a Unix / Linux admin before becoming a security manager, so it's not my area of expertise.

>> I also suspect going down the certificate authority route means significant cost to buy certificates and implement? I guess that's another reason people don't use it
I don't think so, internally signed certs from your CA in AD should be free, and I don't think installing the CA module has a separate license cost, but you'd have to check.
0
