Solved

Dedicated management hosts

Posted on 2011-03-23
Last Modified: 2012-05-11
I have just been working through Microsoft’s MSAT risk assessment tool and one of the controls it suggests I would appreciate some clarification on.

It states:

Does your company use DMH (dedicated management hosts) for the secure administration of systems and devices within the environment? And if so select systems for which dedicated management hosts exist: servers/network devices.

So can anyone tell me what exactly is a “dedicated management host”, and what is the risk of administrating say your payroll server without a “dedicated management host”, what risks could they impose on the server itself? What features on a DMH would prevent this type of risk? Is it practical in big IT shops where you have numerous sensitive servers to use DMHs?
Question by:pma111
LVL 18

Accepted Solution

by:
liddler earned 200 total points
ID: 35197210
So a dedicated management host is a server used specifically to only manage other servers. In a Windows system it might hold the cert to be allowed to terminal server onto production servers; in Linux it would be the only sshd entry in tcpwrappers on prod servers.
The host would have restricted access and the highest level of security possible, maybe two-factor authentication on internal networks or in their own, firewalled, VLAN.
0
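The Linux half of the answer above ("the only sshd entry in tcpwrappers") can be checked mechanically. The following is an added example, not part of the original thread: a small audit of `hosts.allow` / `hosts.deny` content, assuming IPv4 addresses and a constructed management-host address and rule files.

```python
# Added example: audit TCP Wrappers rules so sshd accepts only the dedicated
# management host (DMH). Addresses and file contents below are constructed.

def parse_rules(text):
    """Parse hosts.allow / hosts.deny text into [(daemons, clients)] (IPv4 only)."""
    rules = []
    joined = text.replace("\\\n", " ")  # backslash-newline continues a rule
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules

def audit(allow_text, deny_text, dmh, daemon="sshd"):
    """Return findings; an empty list means only the DMH can reach the daemon."""
    def applies(daemons):
        return daemon in daemons or "ALL" in daemons

    findings = []
    allowed = [c for d, cl in parse_rules(allow_text) if applies(d) for c in cl]
    if dmh not in allowed:
        findings.append(f"{dmh} is not allowed to reach {daemon}")
    for client in allowed:
        if client != dmh:  # wildcards, ranges and EXCEPT clauses land here too
            findings.append(f"hosts.allow also admits {client!r} to {daemon}")
    # hosts.allow is consulted first; a client matching neither file is admitted,
    # so the allow entry only restricts access when hosts.deny denies everyone.
    if not any(applies(d) and cl == ["ALL"] for d, cl in parse_rules(deny_text)):
        findings.append(f"hosts.deny has no '{daemon}: ALL' rule; unmatched clients are admitted")
    return findings

DMH = "10.20.0.5"  # constructed address standing in for the management host
WEAK_ALLOW = "sshd: 10.20.0.5, 10.20.\n"  # trailing dot matches all of 10.20.x.x
WEAK_DENY = "# nothing denied\n"
HARDENED_ALLOW = "# admin access only from the DMH\nsshd: 10.20.0.5\n"
HARDENED_DENY = "ALL: ALL\n"

if __name__ == "__main__":
    for name, allow, deny in [("weak", WEAK_ALLOW, WEAK_DENY),
                              ("hardened", HARDENED_ALLOW, HARDENED_DENY)]:
        print(name, audit(allow, deny, DMH) or "OK: DMH only")
```

Upstream OpenSSH removed TCP Wrappers support in release 6.7, so this check applies where sshd is still built with libwrap; elsewhere the same allow-list is usually expressed in the host firewall or in sshd_config.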
 
LVL 3

Author Comment

by:pma111
ID: 35197252
Is it always a server, and not a workstation?

Is it so admins don't admin a server either via RDP on their untrusted workstations?
0
 
LVL 18

Expert Comment

by:liddler
ID: 35197659
Server or workstation doesn't matter, but servers are typically more locked down than workstations.

It is to reduce the attack vector. It is best practice to admin from a host that doesn't have web browsing or USB access, so a trojan / virus etc. that might get onto a machine via a download or USB cannot get into production.

0
 
LVL 3

Author Comment

by:pma111
ID: 35197764
Thanks for the information.

Is this kind of thing common practice or pretty rare?

Is there kind of a Windows template on what to use for workstations / servers that are to be used as these management hosts?

Is there a way to enforce this as well, i.e. only accept connections from approved management hosts and deny from all others like an untrusted workstation accessing it via RDP or whatever from his workstation?

Also if it's a dedicated management server, how does the admin login to the server to do his admin on other servers? If say the server is 60 miles away in a different data centre, and then how can it be trusted that logging into the dedicated management host from a workstation using whatever remote software is not exposing a risk?
0
 
LVL 3

Author Comment

by:pma111
ID: 35197790
by the way

>> in a Windows system it might hold the cert to be allowed to terminal server onto production servers

Can you go into a bit more detail on this concept as it's not something I am familiar with. Is it not a case of with the correct pwd any workstation/server in the domain can remote onto a server if they have the right password be it domain/local?
0

 
LVL 3

Author Comment

by:pma111
ID: 35197798
And does all of this hamper IT admins just wanting to do their job?

i.e. their comeback may be this stuff is not practical, there may be times when they need to remote onto a server from another machine except this dedicated management console

As I don't work as an IT admin I don't really know if that's a valid excuse or not, what's your view?
0
 
LVL 18

Expert Comment

by:liddler
ID: 35197893
>> Is this kind of thing common practice or pretty rare?
I've not been in enough places to answer that; most Unix / Linux places I've worked do this kind of thing, most Windows places don't....

>> Is there kind of a Windows template on what to use for workstations / servers that are to be used as these management hosts?
Possibly, but it all depends on what sort of systems you have. Basically, get a host, server or workstation, switch off everything you don't need and keep it patched. Use MBSA (http://technet.microsoft.com/en-us/security/cc184923) to check security regularly.

>> Is there a way to enforce this as well, i.e. only accept connections from approved management hosts and deny from all others like an untrusted workstation accessing it via RDP or whatever from his workstation?
Install a certificate authority, sign certs and require them for RDP - lots on TechNet and here on EE about that.

>> Also if it's a dedicated management server, how does the admin login to the server to do his admin on other servers? If say the server is 60 miles away in a different data centre, and then how can it be trusted that logging into the dedicated management host from a workstation using whatever remote software is not exposing a risk?
By daisy chain: only allow access to the admin host from specific certified remote hosts, or via something like Citrix.

>> And does all of this hamper IT admins just wanting to do their job.
I've worked both as an admin (give me all access, I NEED it) and now as a security manager (only as much access to get the job done). Anything like this, if done properly, will not stop an admin doing their job. The usual reason for not doing it is the admin may not know what access they need to do their job, so they default to "give me everything". It's our job to help work out what they need and give them EXACTLY that, so they can do everything they need, and not to allow anything else.



0
 
LVL 3

Author Comment

by:pma111
ID: 35197937
Thanks a lot for the pointers, the issue I was wondering with workstations used to manage other servers is the software they have on them. Most exploits you hear of these days are for stuff like Adobe Flash and Adobe Reader, and as far as I know it's a nightmare to pro-actively patch these, so I would say a workstation is more likely to have been affected than a server, I guess. I suspect in most places admins use RDP onto sensitive servers and I doubt there's anything to stop them doing this if they had credentials.

But some may not have the luxury of several machines, one for admin duties, one for day to day. As even if the admin is an approved user who can RDP onto a server for admin duties, that workstation will still likely have email, web access, USB open ports on etc. Are you saying the workstation used (and approved) to RDP onto the dedicated management host for admin purposes should also have no web access, email or USB, or unnecessary client apps like Adobe?
0
 
LVL 3

Author Comment

by:pma111
ID: 35197953
If you could dig me out a technet link specific to certs and RDP I'd be most grateful, just done some searches on there and got hits but not sure if I am looking at the right thing
0
 
LVL 3

Author Comment

by:pma111
ID: 35198170
I also suspect going down the certificate authority route means significant £cost to buy certificates and implement? I guess that's another reason people don't use it
0
 
LVL 18

Expert Comment

by:liddler
ID: 35199277

>> But some may not have the luxury of several machines one for admin duties one for day to day
You could use VM images instead of separate machines, but yes there would be a cost.

>> If you could dig me out a technet link specific to certs and RDP I'd be most grateful, just done some searches on there and got hits but not sure if I am looking at the right thing
No, I was primarily a Unix / Linux admin before becoming a security manager, so it's not my area of expertise.

>> I also suspect going down the certificate authority route means significant cost to buy certificates and implement? I guess that's another reason people don't use it
I don't think so, internally signed certs from your CA in AD should be free, and I don't think installing the CA module has a separate license cost, but you'd have to check.
0
