In our previous tip, we explored how four Windows components could be used to help with your wireless and wired network security configurations: Windows Active Directory Domain Services, Network Policy Server, Microsoft NAP and Windows Client XP SP3. Now, let's look at how configuring those same Windows Server 2008 features will improve authentication and access control in your network infrastructure.
- Role-based access control
Whether a user connects remotely or locally, your Windows environment is equipped to offer role-based access control. Network managers can segment users based on Active Directory Group membership or through specific Network Policy Server policies. Popular group roles may keep users separated functionally, separating users that may have special privileges or restrictions such as HR users, accounting departments, management or even R&D lab teams. In most cases the users and groups are already defined in the Windows Active Directory, and the authentication server with NPS is used to map authentication policies to the different AD groups.
Different policies can filter out connection requests to offload them to other servers, or filter and process endpoints differently based on how they're connecting, their location, time of day, group membership, or a variety of other attributes. The NPS policy that matches the evaluation of the connecting endpoint will be used to process the request. The NPS Server can then return specific attributes that place routing restrictions on the endpoint or put them in a different VLAN (through dynamic assignment on the switch). By using this method of extending basic directory hierarchy and mapping it to network policies, network managers can easily offer granular role-based access control in the network.
- Device management authentication
One function that's so effortless yet often overlooked is the use of Windows AD and NPS for authenticating the network managers to infrastructure devices (switches, routers, firewalls). It has really become a necessity as organizations move to more vigorous change management tracking and audit requirements.
Without a change management system or centralized authentication, members of an organization's IT team frequently use the same shared credentials (i.e. a single admin or root account) to log in and manage network devices. Using shared logons does not allow any delineation in privileges between IT managers, nor any accounting of who made configuration changes and at what time. And lack of accounting leads to a lack of accountability if a misconfiguration is made or a security vulnerability is created, intentionally or not. Change management assists organizations in meeting compliance regulations and protecting the network from insider attacks.
To take advantage of the Windows feature, all that's needed is a network administrators group in Active Directory. Some devices may be able to connect directly to the Active Directory; in other cases, the group should be mapped to a corresponding NPS Policy and linked to the device's management authentication using RADIUS communications. With this option and RADIUS accounting turned on, an organization will have a clear look at exactly who changed what in the network.
- Posture-based access control
With Windows Server 2008, it is also possible to have comprehensive endpoint authentication using client health or security posture feedback as part of the decision-making process. Posture-based access control is a dynamic layer of protection that combines traditional user authentication with a real time check of a client device's status at the time of connection request. This ensures not only that the user is allowed on the network, but also that the device they're using to connect with is safe to introduce in the environment.
Configuring a Windows network infrastructure
Learn how these four Microsoft tools can help with your wired and wireless security needs as well.
The NAP framework, in conjunction with Active Directory and NPS, can offer a layered security assessment and validation for users and devices connecting to the network.
- Remote access authentication
Directory authentication can be used, through Windows AD, for SSL-VPN clients connecting remotely. The integration of the Microsoft NAP component can extend remote authentication to include a health or security posture as part of an intelligent decision process. Organizations with third-party SSL VPN solutions can leverage Windows AD directly in most cases, or through standard RADIUS communications provided by Windows NPS (Network Policy Server). Network managers should always pay extremely close attention to all accounts and privileges attached to any remote access solution to protect against insider attacks or malicious use by unauthorized users who have somehow compromised a legitimate account.
As an organization grows, so must its IT infrastructure. Instituting strong authentication, role-based access control and a solid change management plan are essential to organizations of any size. Although the tasks seem daunting at first blush, a few additional Windows Server 2008 configurations are all that's needed to make big improvements in an organization's overall security posture.
About the author:
Jennifer Jabbusch is an infrastructure security consultant with Carolina Advanced Digital, Inc., a security integrator based in North Carolina. She specializes in areas of network security, NAC/NAP, 802.1X and wireless security, and consults for a variety of government agencies, educational institutions and Fortune 100 and 500 corporations. She serves as a contributing SME on access control, business continuity and telecommunications, and lead SME in the cryptography domains of the official (ISC)2 CISSP courseware and maintains SecurityUncorked.com blog.
Send comments on this technical tip to firstname.lastname@example.org.