One School One Network Configuration Guide.doc



‘One School One Network’ Configuration Guide

Matthew Collins, ICT Network Manager, Prince Henry’s Grammar School
Richard Lian, ICT Systems Manager, Cardinal Heenan Catholic High School
Introduction

This guide is intended to allow schools to implement a One School One Network (OSON) infrastructure. It is appreciated that a one-size-fits-all approach is not practical, so the guide tries to remain as general as possible in order that the results may be achieved across a range of configurations.

Implementation of OSON relies on sufficient knowledge of TCP/IP, Windows 2000/2003/XP, Active Directory, Group Policy and IPSec. Training or guidance on these technologies is outside the scope of this document, which assumes a competent level of knowledge. It is however clear that IPSec is not commonly used within schools and has often never been touched on. Further information on IPSec can be found at: http://www.microsoft.com/windowsserver2003/technologies/networking/ipsec/

This guide broadly covers the following:
• Moving your SIMS server to Curriculum and removing any existing Admin-Curriculum link.
• Securing SIMS.
• Securing other administration or office information.
• Securing other aspects of the SIMS server using security policy.
• Reducing the attack surface of privileged staff and administrator user accounts.
• Maintaining access to LCC applications and SIMS file transfers.
• Other configuration changes which may be necessary in the transfer process.

Page 2 of 15
Table of Contents

Introduction
Table of Contents
Joining your SIMS server to the curriculum domain
    If your SIMS server is the domain controller
Joining your Admin PCs to the Curriculum Domain
Admin Curriculum Link
Securing SIMS
    IPSec
    Server IPSec configuration
    Client IPSec configuration
Restricting SIMS applications from running on the local machines
    Windows 2000 Client on Windows 2000/2003 Server
    Windows XP Client on Windows 2003 Server
    Software Restriction Policy
Securing SIMS and Admin/Office shares on the server
    SIMS Share
    Office/Admin Shared Area
Security Policy on the SIMS server
Reducing the attack surface of the Staff/Administrator Logon
Maintaining Access to LCC Applications and SIMS File Transfers
    NAT Setup
    Server NAT Interface configuration
    Configuring the NAT
    Configure the client
    Test client access to applications
Other configuration changes
    Change IP Addresses of other IP capable devices
    Migrating Users
    Desktop Environment Settings for Migrated Admin Users
    Review other NTFS security
    Review GPO settings and other Security policies
    Acceptable Use Policy for Staff (AUP)
Other Documents to Consider
Joining your SIMS server to the curriculum domain

This is a relatively easy process providing that your SIMS server is not the domain controller for your existing admin domain. Assuming that it is not, the following steps should be taken:
1.) Physically connect the server to a curriculum network switch.
2.) Assign curriculum IP address information to this network card.
3.) Join the server to the curriculum domain.
4.) Move the computer account to an appropriate OU in Active Directory.

Once this is done, if you are using a centrally stored connect.ini file you will need to change the IP address it contains. If connect.ini references the server by name rather than by IP address then no change needs to be made.

You will also need to check permissions on NTFS folders and shares. Old admin users or security groups that are not built-in Windows users or groups will have lost their effective permissions due to the domain change: their ACL entries no longer grant anything useful on the curriculum domain and should be replaced with the equivalent curriculum domain groups.

WARNING: SIMS is now running unsecured on the curriculum domain. It is advisable to undertake this procedure during a holiday period, or to have the security settings described in the rest of this document in place before joining the SIMS server to the domain.

If your SIMS server is the domain controller

You need to demote it from hosting Active Directory using the command dcpromo. If this is the only domain controller on the admin network then all admin user and computer accounts, security groups and group policies will be lost, so think carefully about the consequences (and see Migrating Users below: any migration with ADMT must be done while the admin domain controller is still online). Once it is demoted, the procedure detailed above can be applied. Active Directory removal and domain controller management are outside the scope of this document.

Joining your Admin PCs to the Curriculum Domain

This is a relatively easy process and the following steps should be taken:
1.) Physically connect the PC to a curriculum network switch.
2.) Assign curriculum IP address information to its network card.
3.) Join the PC to the curriculum domain.
4.) Move the computer account to an appropriate OU in Active Directory.

You will also need to check permissions on NTFS folders and shares on the PC, as old admin users or security groups that are not built-in Windows users or groups will have lost their effective permissions due to the domain change.
Admin Curriculum Link

If you have previously had an admin-curriculum link via the LLN Cisco 2950 then you will need to make some minor changes to domain trusts and LMHOSTS files.
1.) On the curriculum domain, remove the trust relationship that was established with admin, using Active Directory Domains and Trusts.
2.) Remove any reference to the names of the old SIMS server from LMHOSTS files on the curriculum network. In fact it should not be necessary to have LMHOSTS files in place on the curriculum network at all unless you have a specific application which requires them.

Securing SIMS

IPSec

You need to use IPSec to authenticate and encrypt SIMS traffic across the curriculum LAN and, if necessary, to prevent workstations from communicating with the SQL component of the SIMS server. This document does not cover the use of IPSec in detail, only the configuration settings.
1.) Discover the TCP port on the SIMS server that SQL Server or MSDE listens on, using the Server Network Utility:
   a. C:\Program Files\Microsoft SQL Server\80\Tools\Binn\SVRNETCN.EXE, or
   b. run Server Network Utility from Microsoft SQL Server on the Start menu.
   The properties of TCP/IP will show the port configuration. Note the port down: the IPSec filter below must match the port the instance actually listens on, not simply the default of 1433.
2.) Create an IPSec policy for the server. Do this either:
   • locally on the SIMS server using the IP Security Policy Management MMC snap-in, or
   • by placing the SIMS server in a separate OU and applying a Group Policy. Settings for IPSec are under Computer Configuration -> Windows Settings -> Security Settings -> IP Security Policies on Active Directory.
3.) Use the policy settings outlined in the following sections.

Server IPSec configuration

You must configure IPSec to authenticate and encrypt traffic on the following ports:
• SIMS SQL port, e.g. TCP 1433 (or whatever port was found in step 1 above).
• SQL Server Resolution Service, UDP 1434. Clients use this service to discover which port an instance is listening on, so an instance that has moved to another port (for example because 1433 was unavailable) would be found through it and then reached on a port the filter does not cover. Secure UDP 1434 as well, and keep the TCP filter in step with the port actually in use.
1.) Create a new IP Security Policy and name it SIMS Policy or similar. Continue to click Next, accepting the defaults:
   a. Activate the default response rule = checked.
   b. Authentication = Active Directory default (Kerberos V5 protocol).
2.) Choose to edit the properties of the policy.
3.) Add a new rule. The wizard presents an IP Filter List screen; choose Add to create an IP filter list.
4.) Name the IP filter list SIMS SQL Filter List or similar.
5.) Choose Add and follow the wizard using the following settings:
   a. IP Traffic Source -> Source address: My IP Address.
   b. IP Traffic Destination -> Destination address: Any IP Address.
   c. IP Protocol Type -> Select a protocol type: TCP.
   d. IP Protocol Port -> From this port: 1433 (or the port found earlier), To any port.
   e. Click Finish.
   Leave the filter Mirrored (the default) so that the clients’ replies are matched as well as the server’s own packets.
6.) Repeat step 5 for UDP port 1434.
7.) On the IP Filter List screen select the IP filter list you have just created.
8.) Choose Next.
9.) Filter Action: choose Require Security. Check its properties: ‘Accept unsecured communication, but always respond using IPSec’ may stay ticked (it only lets the first inbound packet start the negotiation), but ‘Allow unsecured communication with non-IPSec-aware computers’ must be unticked, otherwise a client without IPSec simply falls back to clear text and the policy protects nothing.
10.) Complete the wizard with the default settings.

You have now created the IPSec policy for the server. Notice however that its status is Unassigned. Right-click the policy and choose Assign to enforce the settings you have chosen. Only one policy can be assigned on a computer at a time.

IMPORTANT: For the server to process the policy you will need to refresh Group Policy with the following command:
gpupdate /target:computer /force
(Windows 2000 has no gpupdate; use secedit /refreshpolicy machine_policy /enforce instead.)
You may also need to restart the IPSEC Services service (IPSEC Policy Agent on Windows 2000). Running SIMS on a workstation at this point should result in a failure to connect to the database, as the client is not IPSec enabled. That failure is the check that the policy is in force: if the connection still succeeds, the policy is not assigned or is permitting an unsecured fallback.

Client IPSec Configuration

Clients which need to access SIMS must be IPSec enabled using the built-in ‘Client (Respond Only)’ IPSec policy.
1.) Apply a Group Policy Object to the OU where the client PCs which need to access SIMS reside.
2.) Settings for IPSec are under Computer Configuration -> Windows Settings -> Security Settings -> IP Security Policies on Active Directory.
3.) Assign the policy ‘Client (Respond Only)’.

This is a basic client policy: the client responds to an IPSec request from the server and both sides then negotiate the secure channel. Only PCs where this policy is applied, and which can authenticate to the server with Kerberos (i.e. domain members), should be able to connect to the SIMS database. Note that this is a computer setting: any user who logs on to such a PC, including a pupil, has an IPSec-capable path to the server, which is why the software restriction and user rights settings later in this document are still needed.

IMPORTANT NOTE: This IPSec configuration assumes that the SIMS SQL database is on the same server as SIMS and that no other databases have been set up on that SQL Server instance. If the SQL database for SIMS is on a different server then the IPSec server policy should be applied to that server instead. If there are other databases on the SQL Server then a different IPSec solution will need to be applied, since the filter secures the instance’s port for every database on it and every client of any of those databases would then need the client policy.
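The server and client policy steps above can also be scripted. The following batch file is an added example and is not part of the original guide; it reproduces the MMC wizard settings with netsh ipsec static, which exists on Windows Server 2003 and Windows XP SP2 or later (Windows 2000 has no netsh ipsec context; use the MMC steps or ipsecpol.exe from the Resource Kit there). The policy, filter list and rule names, and the port 1433, are assumptions: substitute the port reported by SVRNETCN.EXE. Run it on the SIMS server as an administrator.

```batch
@echo off
rem Added example, not from the guide: the Server IPSec configuration as netsh ipsec static commands.
rem SQLPORT is an assumption; use the port the Server Network Utility reported in step 1.
set SQLPORT=1433

rem Policy with the default response rule active (the wizard defaults), left unassigned for now.
netsh ipsec static add policy name="SIMS Policy" description="Authenticate and encrypt SIMS SQL traffic" activatedefaultrule=yes assign=no

rem Filter list: My IP Address to Any IP Address, TCP from %SQLPORT% to any port, and UDP 1434.
rem mirrored=yes (the wizard default) also matches the clients' replies. dstport=0 means any port.
netsh ipsec static add filterlist name="SIMS SQL Filter List"
netsh ipsec static add filter filterlist="SIMS SQL Filter List" srcaddr=me dstaddr=any protocol=TCP srcport=%SQLPORT% dstport=0 mirrored=yes description="SQL Server data port"
netsh ipsec static add filter filterlist="SIMS SQL Filter List" srcaddr=me dstaddr=any protocol=UDP srcport=1434 dstport=0 mirrored=yes description="SQL Server Resolution Service"

rem Filter action: negotiate security and never fall back to clear text.
rem inpass=yes lets the first unsecured inbound packet start IKE (the built-in Require Security behaviour);
rem soft=no is 'Allow unsecured communication with non-IPSec-aware computers' unticked.
netsh ipsec static add filteraction name="SIMS Require Security" action=negotiate inpass=yes soft=no qmsecmethods="ESP[3DES,SHA1]:100000k/3600s"

rem Rule tying the filter list and action together, Kerberos (Active Directory default) authentication.
netsh ipsec static add rule name="SIMS SQL Rule" policy="SIMS Policy" filterlist="SIMS SQL Filter List" filteraction="SIMS Require Security" kerberos=yes

rem Assign the policy (only one policy may be assigned per computer) and apply it now.
netsh ipsec static set policy name="SIMS Policy" assign=yes
gpupdate /target:computer /force

rem Check what the IPsec driver is actually enforcing.
netsh ipsec static show policy name="SIMS Policy" level=verbose
netsh ipsec dynamic show all

rem On each SIMS client (XP SP2 or later), if the built-in policy is not being assigned by GPO:
rem   netsh ipsec static set policy name="Client (Respond Only)" assign=yes
rem A policy assigned through Active Directory overrides any locally assigned one.
```

If the server is in an OU whose GPO assigns an IPSec policy, the locally assigned policy is ignored, so in that case build the same policy in the GPO instead and use the show commands only to confirm which policy is active. After running it, the SIMS connection test described above should fail from a client without the Client (Respond Only) policy and succeed from one with it.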
Restricting SIMS applications from running on the local machines

The approach to this will vary depending on the combination of client and server operating system you are using.

Windows 2000 Client on Windows 2000/2003 Server

The easiest way to secure the SIMS application is to secure the local SIMS folder, C:\Program Files\SIMS, using NTFS. The following NTFS settings should be applied using File System security in Group Policy:
• Domain Admins – Full Control
• Staff Users (or your defined SIMS users security group) – Modify
Apply these in place of the inherited permissions (choose to replace existing permissions), otherwise the Users group inherited from Program Files retains Read & Execute and the restriction achieves nothing.

Windows XP Client on Windows 2003 Server

a.) Apply the same NTFS settings as above.
b.) Apply a Software Restriction Policy.

Software Restriction Policy

Within Group Policy, under Computer or User Configuration -> Windows Settings -> Security Settings -> Software Restriction Policies, it is possible to restrict the running of executables based on the computer or the user that is trying to run them. The restriction can be by path, by hash value (meaning that if the executable is renamed or moved it still will not run) or by digital certificate. The easiest way is to set up a path rule and a hash rule for:
• C:\Program Files\SIMS\SIMS .net\SIMSLoad.exe
• C:\Program Files\SIMS\SIMS .net\Pulsar.exe
This prevents pupil users from running them. The rules must be created from a PC with SIMS installed, because the hash rule is calculated from the local copy of the executable.
1.) Install the Group Policy Management Console on a Windows XP client with SIMS installed.
2.) Navigate to an OU that contains your pupils and create a new, or modify an existing, GPO.
3.) Under User Configuration -> Windows Settings -> Security Settings -> Software Restriction Policies, right-click and choose Create New Policies.
4.) Under Security Levels, the default should be left as Unrestricted.
5.) Go to Additional Rules.
6.) Create a new path rule and a new hash rule for each of the executables listed above, setting the security level to Disallowed.
Note that a hash rule matches one exact build of the file: after any SIMS upgrade the hash rules must be recreated, which is why the path rule is kept alongside it.
You may want to test this independently of the NTFS permissions. Log on to the workstation as a pupil and try to run the SIMS executables; the expected result is an error stating that the program has been prevented by a software restriction policy.

Securing SIMS and Admin/Office shares on the server

SIMS Share

This share is commonly mapped to the F: drive for users. The following share and NTFS permissions may be applied.
Share permissions:
• Everyone – Full Control
NTFS permissions:
• Domain Admins – Full Control
• Staff (your staff or SIMS user group) – Read, Execute and Write, or Modify
With Everyone granted Full Control on the share, the NTFS permissions are the only thing protecting the data, so make sure no Everyone or Users entry remains on the folder itself. Some users, for example users of WebXchange, may also need Modify rights.

Office/Admin Shared Area

Many schools will have a common admin area, often called ‘office’. As this is now available on the curriculum network it is recommended that you review the security of this area and apply permissions suitable for your school.
Security Policy on the SIMS server

Modification of the security policy on the SIMS server adds an extra layer of protection against pupils, or any other unauthorised users, accessing the server or the information on it. Windows Server 2003 Service Pack 1 also includes a new tool, the Security Configuration Wizard, which guides you through hardening the server with minimal administrator effort. Experimenting with this is worth considering if you wish to seriously reduce the overall attack surface of the server.

The following settings should be applied to provide some basic additional security to the server. They can be applied through a GPO under Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment:
• Deny access to this computer from the network: {Domain Name}\Pupils
• Deny log on locally: {Domain Name}\Pupils
This will prevent any pupil from making a network connection to this server, whatever share or NTFS permissions they might otherwise have, because a deny right takes precedence over any allow. If the Office/Admin shared area is also held on this server then that will be protected too. Confirm it afterwards by attempting to map the SIMS share as a pupil: the connection should be refused.

Reducing the attack surface of the Staff/Administrator Logon

One of the single biggest risks of the One Network approach is the opportunity for students to hijack a staff or administrator account, either through theft of credentials or by using a workstation which a member of staff or an administrator has left unattended and logged on. The following should be considered best practice to reduce the risk:
1.) Automatically lock the desktop and require a password to unlock after a given time period. The period should be a trade-off between usability and security.
2.) Use a strong password policy:
   a. Enforce complexity.
   b. Require at least 8 characters.
   c. Keep a password history of at least 3 passwords.
   d. Lock accounts after at most 3 repeated failures.
   e. Set a maximum password age of at most 60 days.
   Note that on Windows 2000/2003 there is a single password and lockout policy for domain accounts, set in the Default Domain Policy; the same settings in a GPO linked to an OU affect only local accounts on the computers in that OU.
3.) Use multi-factor authentication if feasible, such as fingerprint or smartcard.
4.) Restrict logon hours where possible.
5.) Restrict students from logging on to staff-only workstations.
6.) Audit successful and failed account logons.
7.) Audit file deletions on shares.
8.) Ensure that the minimum NTFS permissions are given on network accessible shares. Never give users more permissions than they require, and use a role-based approach to assigning permissions.
9.) Administrators should have two accounts: one for administration tasks and a regular account with permissions equivalent to, for example, a member of staff.
10.) Only install MIS software on workstations which require access to the MIS system.
11.) Create a written security policy for members of staff to agree to and follow. Work with the management team, especially where areas of accountability are concerned.
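The User Rights Assignment settings for the SIMS server and the password, lockout and audit items in the list above can be applied together as a secedit security template. The following batch file is an added example and not part of the original guide; it writes the template with echo so that everything stays in one file, then applies it and exports the result for checking. The domain name SCHOOL, the lockout reset and duration values and the file locations are assumptions. The same .inf can instead be imported into the GPO for the server’s OU (right-click Security Settings, Import Policy), which is where the password and lockout keys belong if they are to govern domain accounts.

```batch
@echo off
rem Added example, not from the guide: secedit template for the SIMS server security policy.
rem DOMAIN is an assumption; replace with your curriculum domain's NetBIOS name.
set DOMAIN=SCHOOL
set INF=%TEMP%\oson-sims.inf

> "%INF%" echo [Unicode]
>> "%INF%" echo Unicode=yes
>> "%INF%" echo [Version]
>> "%INF%" echo signature="$CHICAGO$"
>> "%INF%" echo Revision=1

rem Deny pupils network and local logon to this server; a deny right wins over any allow.
>> "%INF%" echo [Privilege Rights]
>> "%INF%" echo SeDenyNetworkLogonRight = %DOMAIN%\Pupils
>> "%INF%" echo SeDenyInteractiveLogonRight = %DOMAIN%\Pupils

rem Password and lockout policy from the list above. On a member server these keys govern
rem local accounts only; for domain accounts they must be set in the Default Domain Policy.
rem ResetLockoutCount and LockoutDuration (minutes) are assumed values not given in the guide.
>> "%INF%" echo [System Access]
>> "%INF%" echo MinimumPasswordLength = 8
>> "%INF%" echo PasswordComplexity = 1
>> "%INF%" echo PasswordHistorySize = 3
>> "%INF%" echo MaximumPasswordAge = 60
>> "%INF%" echo LockoutBadCount = 3
>> "%INF%" echo ResetLockoutCount = 30
>> "%INF%" echo LockoutDuration = 30

rem Audit successful and failed logons (3 = success and failure). Object access auditing only
rem records file deletions once a SACL is set on the shared folder (Advanced > Auditing).
>> "%INF%" echo [Event Audit]
>> "%INF%" echo AuditAccountLogon = 3
>> "%INF%" echo AuditLogonEvents = 3
>> "%INF%" echo AuditObjectAccess = 3

rem Apply the template to the local policy database and show the log.
secedit /configure /db "%TEMP%\oson-sims.sdb" /cfg "%INF%" /log "%TEMP%\oson-sims.log" /quiet
type "%TEMP%\oson-sims.log"

rem Check: export the effective user rights and confirm the Pupils deny entries are present.
secedit /export /cfg "%TEMP%\oson-sims-verify.inf" /areas USER_RIGHTS
findstr /i "Pupils" "%TEMP%\oson-sims-verify.inf"
```

The findstr line should list both SeDeny rights with the Pupils group resolved; if it prints nothing, the group name did not resolve and the rights were skipped, which the secedit log will also record. Group Policy applied to the server later will override any of these local settings, so where the server’s OU already has a GPO, put the template in the GPO rather than applying it locally.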
Maintaining Access to LCC Applications and SIMS File Transfers

In order for LCC applications such as FAB or web-based FAB (Hierarchies) to function correctly, the client computer must ‘present’ an IP address in the admin network range. This range is considered to be:
• 10.even.any.X
Clearly all PCs will now have an incompatible curriculum IP address.

NAT Setup

The solution is to set up a Windows 2000/2003 server as a NAT (Network Address Translator). This could be the SIMS server that used the old admin IP 10.even.any.100. This server needs two NICs:
• One assigned curriculum IP address information and plugged into a curriculum switch.
• One assigned admin IP address information and plugged either into an admin switch or directly into the LLN switch admin port.
If you do not wish to have any IP-capable equipment using an admin IP address (which is likely) then plug the admin NIC in the server directly into the LLN switch admin port.

Server NAT Interface configuration

Configure the interfaces as follows.
Curriculum interface:
• IP address: an IP from your curriculum range
• Subnet mask: 255.255.252.0
• Default gateway: leave blank
• DNS1: your primary curriculum DNS server
• DNS2: your secondary curriculum DNS server
Admin interface:
• IP address: an IP from your admin range; the best choice may be 10.even.any.100
• Subnet mask: 255.255.255.0
• Default gateway: your admin default gateway IP address
• DNS1: 10.255.255.4
• DNS2: 10.255.255.5
Only the admin interface carries a default gateway, so that the server’s own outbound traffic, and everything it forwards for clients, leaves by the admin side.

Configuring the NAT

a. Install Routing and Remote Access on the server using Add/Remove Programs.
b. Under Administrative Tools open Routing and Remote Access.
c. Right-click on the server name and choose ‘Configure and Enable Routing and Remote Access’, then Next.
d. On the Configuration page choose NAT, then Next.
e. On the NAT Internet Connection page choose ‘Use this public interface to connect to the Internet’ and select the admin network interface, then Next.
f. On the Private Network Connection page choose ‘Use this private interface to connect to the internal network’ and select your curriculum network interface, then Next.
g. Finish the wizard; the NAT should now be configured.

Configure the client

Any client which needs access to LCC applications or to do AVCO transfers will need its IP settings adjusted from the DHCP-assigned options on the curriculum network. The following setting differs from the DHCP-supplied settings:
Default gateway: the IP address of the curriculum network interface on the NAT.
This will typically require you to give these machines a static IP address, or to set up a new DHCP scope, options and reservations. Be aware that the gateway setting is a convenience, not a control: any curriculum PC whose user can change its IP settings, or any pupil machine handed the same gateway, can also reach the admin range through the NAT. Restrict who can alter network settings on workstations and consider packet filters on the NAT’s curriculum interface that forward only the listed SIMS clients.

Test client access to applications

Test one of the configured clients with all LCC applications to ensure functionality.
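The RRAS wizard steps and the client gateway change can be done from the command line as well, and that is also the easiest place to add a filter so that only the intended clients are forwarded. The following batch file is an added example and not part of the original guide. It assumes Windows Server 2003 with Routing and Remote Access already enabled (step c above), that the two connections have been renamed Admin and Curriculum in Network Connections, a curriculum scope of 10.21.0.0/22 with the NAT’s curriculum address 10.21.0.254, one SIMS client at 10.21.1.50 with MAC 001122334455, and that the DHCP lines are run on the curriculum DHCP server. All of those addresses and names are constructed for the example.

```batch
@echo off
rem Added example, not from the guide: RRAS NAT setup, a forwarding filter and a DHCP reservation.
rem Interface names and addresses below are assumptions; adjust to your own network.
set CURRIC_IF=Curriculum
set ADMIN_IF=Admin
set NAT_CURRIC_IP=10.21.0.254
set CLIENT_IP=10.21.1.50
set CLIENT_MAC=001122334455
set CURRIC_SCOPE=10.21.0.0

rem Steps d-g of the wizard: NAT with the admin side public (translated) and the curriculum side private.
netsh routing ip nat install
netsh routing ip nat add interface name="%ADMIN_IF%" mode=full
netsh routing ip nat add interface name="%CURRIC_IF%" mode=private
netsh routing ip nat show interface

rem Forwarding control. Anyone can point a gateway at this server, so on the curriculum interface
rem forward only the listed client. RRAS input filters also apply to packets for the server itself,
rem hence the first entry, which keeps SIMS and share access to the server's own address working.
rem Subnet broadcasts are dropped too, so clients must resolve the server by DNS or WINS, not broadcast.
netsh routing ip add filter name="%CURRIC_IF%" filtertype=input srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=%NAT_CURRIC_IP% dstmask=255.255.255.255 proto=any
netsh routing ip add filter name="%CURRIC_IF%" filtertype=input srcaddr=%CLIENT_IP% srcmask=255.255.255.255 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=any
netsh routing ip set filter name="%CURRIC_IF%" filtertype=input action=drop
netsh routing ip show filter name="%CURRIC_IF%"

rem Client configuration without static addressing (run on the curriculum DHCP server): reserve the
rem client's address and give only that reservation the NAT as its router (option 003). All other
rem clients keep the scope's normal router option.
netsh dhcp server scope %CURRIC_SCOPE% add reservedip %CLIENT_IP% %CLIENT_MAC% "admin-pc1" "SIMS client via NAT" BOTH
netsh dhcp server scope %CURRIC_SCOPE% set reservedoptionvalue %CLIENT_IP% 003 IPADDRESS %NAT_CURRIC_IP%
netsh dhcp server scope %CURRIC_SCOPE% show reservedoptionvalue %CLIENT_IP%
```

Repeat the second filter line and the two reservation lines for each client that needs the LCC applications. Test the filter before relying on it: from the reserved client the LCC applications should work, from any other curriculum PC given the NAT as gateway they should not, and SIMS and the shares on the server must still be reachable from staff PCs, since the drop action affects everything arriving on that interface that no entry allows.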
Other configuration changes

Change IP Addresses of other IP capable devices

Printers, wireless access points, switches and other IP devices which had static or DHCP-reserved IP addresses on the admin network will need reconfiguring, and additional server reconfiguration may be necessary. If there is any external access to, for example, CCTV systems, you may need to consult the external provider to ensure that they can still reach those systems.

Migrating Users

You may wish to migrate old admin network users across to curriculum. This requires an online admin domain controller and the Active Directory Migration Tool (ADMT), which can be downloaded from the Microsoft web site, so it must be done before any admin domain controller is demoted. The alternative is to recreate the users on the curriculum domain from scratch.

Desktop Environment Settings for Migrated Admin Users

It is likely that some users will need different mapped drives to others, and that you may want to provide existing curriculum users with access to old admin resources. Some users will need new desktop and Start menu icons. This is best achieved through folder redirection, which gives the administrator maximum control and flexibility. How to implement these changes is outside the scope of this document.

Review other NTFS security

Strictly speaking this is not a requirement of the OSON project, but it is probably a good time to review all the existing NTFS security on your network, e.g. on your file servers and application servers.

Review GPO settings and other Security policies

As stated above, this is also not a requirement of the OSON project, but all your existing GPOs and security policies should be reviewed. There may be conflicting settings, or settings that now need to be enabled or disabled, as a result of integrating your networks.

Acceptable Use Policy for Staff (AUP)

This is not a technical requirement, but it is a factor that needs to be considered and implemented, or updated if you already have a policy in place. All the risks discussed in this document in relation to the ‘human’ side need to be addressed in the AUP so that staff understand them. It also needs to state the procedure to follow if any misdemeanour occurs.
Other Documents to Consider

‘One School, One Network’: An Overview for School Leadership Teams. Authors: Matthew Collins and Richard Lian.
‘One School, One Network’: Lab Configuration, Tests and Results. Authors: Matthew Collins, Richard Lian and Alistair Herron.
