During RIS-based operating system installations, you need to maintain network security. The elements you need to consider when planning security for your RIS network include those that relate directly to the network, the client, server authorization, and administrative tasks. To plan for securing your RIS server on the network, address the following issues:
Security risks of your PXE environment.
NTLM authentication protocol level needed to log on securely over the network.
Security for non-prestaged RIS clients.
Enhancement of network security by using prestaged RIS clients.
Restriction of client installation options.
Control of the user interaction level during installation.
Security for operating system images.
Security for RIS server authorizations.
Planning security for RIS administrative tasks.
For a job aid to record your planning decisions for RIS server security, see "Planning RIS Server Security" (ACIRIS_05.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "Planning RIS Server Security" on the Web at https://www.microsoft.com/reskit).
Because of the design of the PXE architecture, the PXE environment can introduce some inherent security risks in a network containing a RIS server, as follows:
PXE has no provisions to detect or prevent unauthorized installations on PXE-enabled client computers from an unknown server. Any server that establishes a connection with a PXE-enabled client can perform an installation on the client computer.
PXE has no provisions to prevent packet spoofing. As a result, an attacker could send malicious packets that become part of the client installation.
PXE cannot prevent unknown PXE-enabled computers on the network from receiving a remote operating system installation from a RIS server.
This last risk is offset by the fact that RIS provides service only to users who log on with valid user credentials. In addition, if you prestage your client computers in Active Directory and configure your RIS server to respond only to known clients, a PXE-enabled intruder gaining access to your network cannot receive an operating system installation or any information about your client computer configurations.
To minimize the potential for successful attacks on your PXE-enabled clients, plan to take the following steps to ensure that unauthorized users cannot connect to them:
Install and configure a firewall on your network.
Implement safeguards, such as auditing and monitoring, to detect intrusions on your network.
Secure physical access to your network.
Enforce a strict password policy throughout your network.
For this part of your security planning process, use job aid "Planning RIS Server Security" (ACIRIS_05.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "Planning RIS Server Security" on the Web at https://www.microsoft.com/reskit) to indicate the steps you choose to take to secure PXE-enabled clients. Record this information under the section "PXE Environment Security."
As part of planning for RIS server security, you need to evaluate which level of the NTLM challenge/response authentication protocol you require in your network. RIS can use either of two versions of NTLM to support RIS client network logons: NTLM (the first version) and NTLMv2. NTLMv2 is inherently more secure than NTLM because of the way it handles encryption keys.
The NTLM version you choose affects the authentication protocol level that clients use, the level at which the protocol negotiates session security, and the authentication level that servers accept. For more information about choosing the most appropriate LAN Manager authentication level in a network that includes RIS, see "Setting the LAN Manager Authentication Level on a network that includes RIS" in Help and Support Center for Windows Server 2003.
When determining the most appropriate version of NTLM for your network, consider the following:
The network logon security level you need. If you choose the highest level of security by using the Send NTLMv2 response only\refuse LM & NTLM option, then only NTLMv2 is used. However, when this is the case, you must ensure that all computers involved in the authentication process are running software that supports NTLMv2. If you choose the lower security level by using the Send NTLM response only option, NTLMv2 is used wherever possible and NTLM is used only when authenticating computers do not support NTLMv2.
The various operating systems you are running. The NTLM version you choose can affect the ability of Windows 2000 Server, Windows 2000 Professional, Windows Server 2003, and Windows XP Professional computers to communicate with Windows NT 4.0 and earlier clients over the network. For example, Windows NT 4.0 computers running service packs earlier than SP4 do not support NTLMv2, and Windows 9x computers do not support any NTLM version.
For this part of your security planning process, use job aid "Planning RIS Server Security" (ACIRIS_05.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "Planning RIS Server Security" on the Web at https://www.microsoft.com/reskit) to indicate the NTLM authentication level you want to use, along with the platforms in use that support the NTLM level you choose. Record this information under the section "NTLM Authentication Level."
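To check the NTLM planning decision above against the computers actually on the network, the following is an added example (not part of the Deployment Kit text). It parses constructed `reg query` output for the LmCompatibilityLevel value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, the registry setting behind the Group Policy option names quoted above, flags hosts configured below the planned level, and flags platforms that the text says cannot use NTLMv2 when LM and NTLM are refused. Hostnames, platform strings and registry output are constructed.

```python
import re

# LmCompatibilityLevel values and the Group Policy option names they correspond to.
LEVEL_NAMES = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM - use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only\\refuse LM",
    5: "Send NTLMv2 response only\\refuse LM & NTLM",
}

# Constructed inventory: (hostname, platform, output of a `reg query` on the Lsa key).
# Windows 9x has no Lsa key, so that host yields no value.
INVENTORY = [
    ("RIS01", "Windows Server 2003", "    LmCompatibilityLevel    REG_DWORD    0x5"),
    ("WS-NT4-SP6", "Windows NT 4.0 SP6", "    LmCompatibilityLevel    REG_DWORD    0x2"),
    ("WS-NT4-SP3", "Windows NT 4.0 SP3", "    LmCompatibilityLevel    REG_DWORD    0x0"),
    ("WS-98", "Windows 98", ""),
]

NT4_SP = re.compile(r"windows nt 4\.0(?: sp(\d+))?", re.I)

def parse_level(reg_output):
    """Extract the DWORD LmCompatibilityLevel from reg query text; None if absent."""
    m = re.search(r"LmCompatibilityLevel\s+REG_DWORD\s+0x([0-9a-fA-F]+)", reg_output)
    return int(m.group(1), 16) if m else None

def supports_ntlmv2(platform):
    """Apply the page's rule: NT 4.0 before SP4 and Windows 9x lack NTLMv2."""
    p = platform.lower()
    if p.startswith("windows 9") or p.startswith("windows me"):
        return False
    m = NT4_SP.search(platform)
    if m:
        return int(m.group(1) or 0) >= 4   # no SP suffix means pre-SP4
    return True

def audit(planned_level, inventory):
    """Return (host, issue) pairs for hosts that would break under the planned level."""
    findings = []
    for host, platform, reg_output in inventory:
        if planned_level == 5 and not supports_ntlmv2(platform):
            findings.append((host, "platform lacks NTLMv2; cannot log on when LM & NTLM are refused"))
            continue
        level = parse_level(reg_output)
        if level is None:
            findings.append((host, "LmCompatibilityLevel not found"))
        elif level < planned_level:
            findings.append((host, f"configured {LEVEL_NAMES[level]!r}, planned {LEVEL_NAMES[planned_level]!r}"))
    return findings
```

Running `audit(5, INVENTORY)` lists the two hosts that can never satisfy the highest level together with the NT 4.0 SP6 host whose setting must be raised before enforcement.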
Providing RIS-based operating system installations to RIS clients that are not prestaged could pose a security risk. To service these clients, you must configure your RIS server to respond to all clients that request service. In this situation, the RIS server does not discriminate between authorized and unauthorized clients making service requests. This could expose your network to malicious clients.
For this part of your planning process, use job aid "Planning RIS Server Security" (ACIRIS_05.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "Planning RIS Server Security" on the Web at https://www.microsoft.com/reskit) to record your choice to configure non-prestaged RIS clients with the right to join the domain or check the box indicating that you will allow Remote Installation to create computer accounts.