1. Choosing Naming Conventions
Creating naming conventions makes choosing names for computers, shared folders, and users easier and lends consistency to the network. This consistency results in a more user-friendly network.
1.1. Choosing a Domain Name for the Network
The domain name is the most important and politically sensitive name on the network, and it is one you can’t change without starting all over and completely rebuilding your network. Do not make this decision without consulting everyone who has a stake in the result. By getting others involved in the process, you’ll have a much greater chance of acceptance.
Some questions to ask when choosing a domain name include the following:
Is the name easy to remember, and does it make sense for the company? This could be the company name in its most common form or an abbreviation.
Is the name 15 characters or shorter? Use only letters, numbers, the underscore, and a hyphen in the name to ensure DNS and NetBIOS compatibility.
Is the name available? If the name is already in use as an Internet domain name for another company, you’ll have to either choose a different name or have a different internal and external domain name. If you already have an Internet website, use the same name, without the extension, for your internal domain name. For example, if the company uses www.example.com for its Internet website, use example for the domain name. The Windows Small Business Server 2011 Standard Installation Wizard will automatically add a .local extension to the name you choose. As soon as you choose a domain name, register it (preferably with .com, .net, or .org) on the Internet so that another company can’t purchase it.
Warning:
Changing your internal domain name is impossible without a complete re-installation, so picking a name that will last is critical.
There are two domain names you need to worry about when setting up your network: the Internet domain name that the outside world sees for your company and email, and the internal domain name that Windows Small Business Server uses. They are usually related but not identical. The public, Internet domain name needs to be globally unique, officially registered with a Domain Naming Service, and clearly identifiable as your company. The internal, Windows name can be anything at all, though it usually is the same as the external, public one, but with a different top-level domain.
So if your company is Example Widgets and your public Internet domain name is example.com, your internal Windows domain name could be something like example.local. This makes it easy to keep track of, and it gives you complete control over managing the internal DNS of your Windows Small Business Server network while allowing you to have a reliable third party manage your public DNS records.
Although it is technically possible to change your public name, it’s neither easy nor painless, and it’s virtually impossible to change your internal name without having to completely rebuild your network from scratch. So it’s worth spending time up front to make sure you’re choosing a name that is appropriate and has the support of all parties.
Another possibility is to choose a completely generic name for your internal domain that has nothing whatsoever to do with your company name. This works great if you change your public name because nothing has to change on your network. But it’s not an approach we like. We’ve always preferred naming based on the company name—it’s just easier for everyone to understand and remember.
1.2. Naming Computers
It’s easy for you to keep a map of what the different clients and servers are called and where they are on the network, but if you make life hard on users, you pay in the long run. So naming all the computers after Shakespearean characters or Norse gods might make sense to you, but it isn’t going to help users figure out that Puck is the Windows Small Business Server computer and Odin is the desktop used for payroll.
On the other hand, using Srv1 for the SBS server tells everyone immediately which computer it is. When naming computers, use a consistent convention and sensible names, such as the following:
We’ll be using a somewhat more complicated naming convention that identifies the physical host computer, the role of the computer, and the IP address of the computer. Thus our SBS server is hp160-SBS2011, signifying that it’s running on the Hewlett-Packard DL 160 G6 server, and that it’s running Windows Small Business Server 2011 Standard. There are several virtual machines running on that HP server, so it gets a fair workout.
Our naming convention is more complicated than most small businesses need, but it serves our needs where we are continually building and rebuilding test environments for writing projects. Ultimately, it doesn’t matter what you name your computers, as long as everyone understands the convention and can find the resources they need.
2. Planning for Security
It is far easier to implement effective security measures to protect your SBS network if you plan for security before you actually start installing software. In the following sections, we’ll cover some of the most common attack vectors and the preliminary steps you can take in this planning stage to prepare your defenses:
Careless or disgruntled employees and former employees
Internal users and former users are the biggest risk factors to data loss and data theft on most computer networks. Whether from laziness, disregard of security policies, or outright malice, the internal user is often the most dangerous on your network.
Internet hackers
All computers and devices attached directly to the Internet are subject to random attacks by hackers. According to the Cooperative Association for Internet Data Analysis (CAIDA), during a random three-week time period in 2001 more than 12,000 DoS attacks occurred: 1200–2400 were against home computers and the rest were against businesses. If your organization has a high profile, it might also be subject to targeted attack by hackers who don’t like your organization or who are engaging in corporate espionage.
Wireless hackers and theft of service
Wireless access points are exposed to the general public looking for free Internet access and to mobile hackers.
Viruses and worms
Networks are subject to virus exposure from email attachments, infected documents, and worms such as CodeRed and Blaster that automatically attack vulnerable servers and clients.
2.1. Ensuring Physical Security
Although security is not something that can be achieved in absolute terms, it should be a clearly defined goal. The most secure operating system and network in the world is defenseless against someone with physical access to a computer. Evaluate your physical environment to decide what additional security measures you should take, including the following:
Place servers in a locked server room. And control who has keys!
Use case locks on your servers, and don’t leave the keys in them.
Place network hubs, routers, and switches in a locked cable room or wiring closet.
Install case locks on client systems or publicly accessible systems.
Use laptop locks when using laptops in public.
Use BitLocker to encrypt the data on laptops that contain sensitive data.
2.2. Securing Client Computers
Even a highly secure network can be quickly compromised by a poorly secured client computer—for example, a laptop running an older version of Windows with sensitive data stored on the hard drive. To maximize the security of client computers, use the following guidelines:
Use a secure operating system
Use Windows Vista or Windows 7 on all client computers, with a strong preference for Windows 7 on laptops.
Use NTFS, file permissions, BitLocker, and EFS
Use NTFS for all hard drives, and apply appropriate file permissions so that only valid users can read sensitive data. Encrypt sensitive files on laptop computers using the Encrypting File System (EFS), and encrypt at least the system drive on laptops using BitLocker. (BitLocker is available only on Enterprise and Ultimate versions of Windows Vista and Windows 7.)
Keep clients updated
Use the Automatic Updates feature of Windows to keep systems updated automatically. Ideally, use the Windows Software Update Service (WSUS), integrated into SBS 2011, to centrally control which updates are installed.
Enable password policies
Password Policies is a feature of SBS 2011 that requires user passwords to meet certain complexity, length, and uniqueness requirements, ensuring that users choose passwords that aren’t trivial to crack.
Note:
Remembering passwords has become an increasingly difficult prospect, leading to the resurgence of the yellow-sticky-note method of recalling them. It’s important to discourage this practice, and encourage the use of distinctive but easy-to-remember passphrases. See the Under The Hood sidebar Beyond Passwords—Two-Factor Authentication for an alternative to annoyingly complex passwords.
Install antivirus software
Antivirus software should be installed on the SBS 2011 computer as well as on all clients. The best way to do this is to purchase a small-business antivirus package that supports both clients and the server. There are good third-party solutions specifically designed for the SBS market from several vendors.
Install antispyware software
Antispyware software should be installed on all client computers on the network and configured for real-time monitoring and daily full scans.
Keep web browsers secure
Unpatched web browsers are a significant security issue. Always keep web browsers updated with the latest security updates.
Under The Hood: Beyond Passwords—Two-Factor Authentication
Password policies are a difficult subject for many small businesses. Serious security using only passwords requires long and complex passwords, changed regularly and never repeated. That’s a nice goal, but it’s also not something users are going to be all that happy with. If your network contains sensitive information—and whose doesn’t these days?—you should consider providing an additional layer of security beyond simple passwords.
Windows Small Business Server 2011 Standard sets reasonable, if somewhat minimal, password policies, but even the best of password policies is a balancing act between making the password difficult to crack and making it easy for users to remember and use so that they aren’t tempted to write it down on the back of their keyboards. The four kinds of authentication methods or factors are
Something you know (password)
Something you have (token or physical key)
Something you are (biometric)
Somewhere you are (location)
Of these, only the first three are realistic and usable in a small business environment, though the fourth—location—is starting to be used by banks as one factor to be sure that the person trying to access your bank account is actually you.
Passwords alone are a single-factor authentication method—in this case, something you know. Two-factor authentication requires two of the main three factors, and it provides a definite improvement in the surety that the person authenticating to your network is really who he claims to be. By enabling a second authentication factor, your need for overly draconian password policies is greatly reduced.
For a second authentication factor, we like the simplicity, moderate cost, and effectiveness of a one-time password (OTP). Generated automatically by a token you carry around with you, the combination of the token, a personal identification number (PIN), and your SBS password provides an additional level of security. Requiring administrators and all remote users to use two-factor authentication is a good way to improve the overall security of the sensitive data on your network.
Third-party providers of OTP tokens include AuthAnvil (http://www.authanvil.com), CryptoCard (http://www.cryptocard.com), and RSA SecurID (http://www.rsa.com). Of these, only AuthAnvil is focused on the small business market, with a suite of products that are fully integrated into SBS. Plus their soft tokens run on our users’ phones, greatly simplifying token management and deployment. We use AuthAnvil on our SBS network for all laptops and servers, and for all remote users.
2.3. Securing Wireless Networks
Wireless networks using the 802.11b, 802.11a, 802.11g, and 802.11n standards are very convenient but can also introduce significant security vulnerabilities if not properly secured. To properly secure wireless networks, follow these recommendations:
Change the default password of all access points.
Change the default SSID. Pick a name that doesn’t reveal the identity or location of your network.
Enable 802.11i (WPA2) encryption on the access points. If the access points don’t support WPA2-Enterprise, don’t use them on your internal network.
Note:
WPA2 provides two methods of authentication: an “Enterprise” method that makes use of a RADIUS server, and a “Personal” method known as WPA2-Personal that uses a Pre-Shared Key (PSK) instead of a RADIUS server.
Disable the ability to administer access points from across the wireless network.
2.4. Securing Internet Firewalls
Most external firewall devices are secure by default, but you can take some additional steps to maximize the security of a firewall:
Change the default password for the firewall device! We know this seems obvious, but unfortunately, it is all too often ignored.
Disable remote administration, or limit it to responding to a single IP address (that of your network consultant).
Disable the firewall from responding to Internet pings. OK, we admit this is controversial. It’s certainly a best practice, but it can also make troubleshooting a connectivity issue remotely a lot harder.
Enable Stateful Packet Inspection (SPI) and protection from specific attacks, such as the Ping of Death, Smurf, and IP Spoofing.
Leave all ports on the firewall closed except those needed by the SBS 2011 server. Regularly check for open ports using trusted port-scanning sites. We use http://www.dslreports.com.
Require two-factor authentication for all access to the firewall.
Keep the firewall updated with the latest firmware versions, which are available for download from the manufacturer’s website.