Solved

Dedicated management hosts

Posted on 2011-03-23
Last Modified: 2012-05-11
I have just been working through Microsoft’s MSAT risk assessment tool and one of the controls it suggests I would appreciate some clarification on.

It states:

Does your company use DMH (dedicated management hosts) for the secure administration of systems and devices within the environment? And if so select systems for which dedicated management hosts exist: servers/network devices.

So can anyone tell me what exactly is a “dedicated management host”, and what is the risk of administrating say your payroll server without a “dedicated management host”, what risks could they impose on the server itself? What features on a DMH would prevent this type of risk? Is it practical in big IT shops where you have numerous sensitive servers to use DMHs?
0
Question by:pma111
 
LVL 18

Accepted Solution

by:
liddler earned 200 total points
ID: 35197210
So a dedicated management host is a server used specifically to only manage other servers. In a Windows system it might hold the cert to be allowed to terminal server onto production servers; in Linux it would be the only sshd entry in tcpwrappers on prod servers.
The host would have restricted access and the highest level of security possible, maybe two-factor authentication on internal networks or in their own, firewalled, VLAN.
0
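The tcpwrappers arrangement described in the answer above can be checked mechanically. The following is an added example, not part of the original thread: it audits the contents of hosts.allow and hosts.deny so that sshd is open only to approved management hosts, assuming sshd is built with TCP Wrappers support; the addresses, sample files and function names are constructed for illustration.

```python
# Added example: audit TCP Wrappers rules on a production server so that
# sshd is reachable only from approved dedicated management hosts (DMHs).
# All addresses and file contents below are constructed sample values.

def parse_rules(text):
    """Yield (daemons, clients) for each rule in hosts.allow/hosts.deny text.
    Handles backslash continuations and '#' comment lines; IPv4 addresses
    and hostnames only (bracketed IPv6 clients are not handled)."""
    text = text.replace("\\\n", "")            # backslash-newline is ignored
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        fields = line.split(":")               # daemon_list : client_list [: option]
        yield fields[0].replace(",", " ").split(), fields[1].replace(",", " ").split()

def applies(daemons, daemon):
    """True if the daemon list names this daemon or the ALL wildcard."""
    return any(d.split("@")[0] in (daemon, "ALL") for d in daemons)

def audit(hosts_allow, hosts_deny, approved, daemon="sshd"):
    """Return a list of findings; an empty list means the policy holds."""
    findings = []
    for daemons, clients in parse_rules(hosts_allow):
        if "EXCEPT" in daemons + clients:      # too subtle to judge automatically
            findings.append("hosts.allow: EXCEPT rule needs manual review")
            continue
        if applies(daemons, daemon):
            # Anything not literally an approved DMH (wildcards, prefixes,
            # other hosts) is reported.
            findings += [f"hosts.allow: {daemon} open to non-DMH client {c}"
                         for c in clients if c not in approved]
    # Without a matching deny rule, unmatched clients are granted access.
    default_deny = any(applies(d, daemon) and "ALL" in c and "EXCEPT" not in d + c
                       for d, c in parse_rules(hosts_deny))
    if not default_deny:
        findings.append(f"hosts.deny: no default deny for {daemon}")
    return findings

APPROVED = {"10.20.0.5", "10.20.0.6"}           # constructed DMH addresses
GOOD_ALLOW = "# production server\nsshd: 10.20.0.5, 10.20.0.6\n"
GOOD_DENY = "ALL: ALL\n"
BAD_ALLOW = "sshd: 10.20.0.5\nsshd: 192.168.\nALL: LOCAL\n"
BAD_DENY = "# empty\n"

if __name__ == "__main__":
    for finding in audit(BAD_ALLOW, BAD_DENY, APPROVED):
        print(finding)
```
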
 
LVL 3

Author Comment

by:pma111
ID: 35197252
Is it always a server, and not a workstation?

Is it so admins don't admin a server either via RDP on their untrusted workstations?
0
 
LVL 18

Expert Comment

by:liddler
ID: 35197659
Server or workstation doesn't matter, but servers are typically more locked down than workstations.

It is to reduce the attack vector. It is best practice to admin from a host that doesn't have web browsing or USB access, so a trojan / virus etc. that might get onto a machine via a download or USB cannot get into production.

0

 
LVL 3

Author Comment

by:pma111
ID: 35197764
Thanks for the information.

Is this kind of thing common practice or pretty rare?

Is there kind of a Windows template on what to use for workstations / servers that are to be used as these management hosts?

Is there a way to enforce this as well, i.e. only accept connections from approved management hosts and deny from all others like an untrusted workstation accessing it via RDP or whatever from his workstation?

Also if it's a dedicated management server, how does the admin login to the server to do his admin on other servers? If say the server is 60 miles away in a different data centre, and then how can it be trusted that logging into the dedicated management host from a workstation using whatever remote software is not exposing a risk?
0
 
LVL 3

Author Comment

by:pma111
ID: 35197790
by the way

>> in a windows systems it might hold the cert to be allowed to terminal server onto production servers

Can you go into a bit more detail on this concept as it's not something I am familiar with. Is it not a case of with the correct pwd any workstation/server in the domain can remote onto a server if they have the right password be it domain/local?
0
 
LVL 3

Author Comment

by:pma111
ID: 35197798
And does all of this hamper IT admins just wanting to do their job?

i.e. their comeback may be this stuff is not practical, there may be times when they need to remote onto a server from another machine except this dedicated management console

As I don't work as an IT admin I don't really know if that's a valid excuse or not, what's your view?
0
 
LVL 18

Expert Comment

by:liddler
ID: 35197893
>> Is this kind of thing common practice or pretty rare?
I've not been in enough places to answer that; most unix / linux places I've worked do this kind of thing,
most windows places don't....

>> Is there kind of a windows template on what to use for workstations / servers that are to be used as these management hosts?
Possibly, but it all depends on what sort of systems you have, but basically get a host, server or workstation, switch off everything you don't need and keep it patched. Use MBSA (http://technet.microsoft.com/en-us/security/cc184923) to check security regularly.

>> Is there a way to enforce this as well, i.e. only accept connections from approved management hosts and deny from all others like an untrusted workstation accessing it via RDP or whatever from his workstation?
Install a certificate authority, sign certs and require them for RDP - lots on Technet and here on EE about that.

>> Also if it's a dedicated management server, how does the admin login to the server to do his admin on other servers? If say the server is 60 miles away in a different data centre, and then how can it be trusted that logging into the dedicated management host from a workstation using whatever remote software is not exposing a risk?
By daisy chain: only allow access to the admin host from specific certified remote hosts, or via something like Citrix.

>> And does all of this hamper IT admins just wanting to do their job.
I've worked both as an Admin (give me all access I NEED it) and now as a security manager (only as much access to get the job done). Anything like this, if done properly, will not stop an admin doing their job. The usual reason for not doing it is the admin may not know what access they need to do their job, so they default to give me everything. It's our job to help work out what they need and give them EXACTLY that, so they can do everything they need and not to allow anything else.



0
 
LVL 3

Author Comment

by:pma111
ID: 35197937
Thanks a lot for the pointers, the issue I was wondering with workstations used to manage other servers is the software they have on them. Most exploits you hear of these days are for stuff like Adobe Flash and Adobe Reader, and as far as I know it's a nightmare to pro-actively patch these, so I would say a workstation is more likely to have been affected than a server, I guess. I suspect in most places admins use RDP onto sensitive servers and I doubt there's anything to stop them doing this if they had credentials.

But some may not have the luxury of several machines, one for admin duties, one for day to day. As even if the admin is an approved user who can RDP onto a server for admin duties, that workstation will still likely have email, web access, USB open ports on etc. Are you saying the workstation used (and approved) to RDP onto the dedicated management host for admin purposes should also have no web access, email or USB, or unnecessary client apps like Adobe?
0
 
LVL 3

Author Comment

by:pma111
ID: 35197953
If you could dig me out a technet link specific to certs and RDP I'd be most grateful, just done some searches on there and got hits but not sure if I am looking at the right thing
0
 
LVL 3

Author Comment

by:pma111
ID: 35198170
I also suspect going down the certificate authority route means significant £cost to buy certificates and implement? I guess that's another reason people don't use it
0
 
LVL 18

Expert Comment

by:liddler
ID: 35199277

>> But some may not have the luxury of several machines one for admin duties one for day to day
You could use VM images instead of separate machines, but yes there would be a cost.

>> If you could dig me out a technet link specific to certs and RDP I'd be most grateful, just done some searches on there and got hits but not sure if I am looking at the right thing
No, I was primarily a unix / linux admin before becoming a security manager, so it's not my area of expertise.

>> I also suspect going down the certificate authority route means significant cost to buy certificates and implement? I guess that's another reason people don't use it
I don't think so, internally signed certs from your CA in AD should be free, and I don't think installing the CA module has a separate license cost, but you'd have to check.
0
