Logo
programming4us
programming4us
programming4us
programming4us
Home
programming4us
XP
programming4us
Windows Vista
programming4us
Windows 7
programming4us
Windows Azure
programming4us
Windows Server
programming4us
Windows Phone
 
Windows Server

Security and Delegation in Configuration Manager 2007 : Basic Security Concepts

- How To Install Windows Server 2012 On VirtualBox
- How To Bypass Torrent Connection Blocking By Your ISP
- How To Install Actual Facebook App On Kindle Fire
1/6/2012 4:14:01 PM
IT departments often address information security through a set of tactical initiatives, such as carrying out a network vulnerability scan or deploying antivirus programs. Although these are important tools for securing your IT environment, their effectiveness can be limited unless they are part of an overall security program.

A security program is an ongoing organizational effort to align security policies and practices with your business goals and regulatory requirements. An effective security program requires involvement and support from upper-management. In a corporate environment, ultimate responsibility for information security and regulatory compliance rests with the executive management and board of directors. The security program defines an enterprise security architecture including policies, standards, and practices for addressing security within your organization. The enterprise security architecture should form the basis of your strategic, tactical, and operational initiatives to address information security. Organizations today are at various stages of maturity in terms of implementing a security program. Many are just starting or have not started at all, whereas other organizations have made extensive efforts and have robust security programs.

Security Programs and the Infrastructure Optimization Model

Similar to other aspects of IT, security programs tend to go through the steps portrayed in Microsoft’s Infrastructure Optimization Model (IO Model), used to assess the maturity of organizations’ IT operations.

The Infrastructure Optimization Model categorizes the state of one’s IT infrastructure, describing the impacts on cost, security risks, and the ability to respond to changes. Using the model in Figure 1, you can identify where your organization is, and where you want to be.

  • Basic— Reactionary, with much time spent fighting fires

  • Standardized— Gaining control

  • Rationalized— Enabling the business

  • Dynamic— Being a strategic asset

Figure 1. The Infrastructure Optimization Model


Although most organizations are somewhere between the basic and standardized levels in this model, typically you should prefer to have a strategic asset rather than fighting fires. This is as true in managing security as in managing desktops.


As an IT professional, you should become familiar with your organization’s security program and engage the appropriate resources to support your efforts to implement security effectively within the scope of your responsibility. To implement ConfigMgr security in a way that is appropriate and beneficial to your organization, you need to understand ConfigMgr security issues and apply them according to the policies and methodology of your enterprise security program.

The principal objectives of information security are to protect the Confidentiality, Integrity, and Availability (known as the CIA or AIC triad) of information assets. A fourth objective included by many security experts is alternately called accountability or auditability. These objectives can be described as follows:

  • Confidentiality— Protecting company secrets, private employee information and information belonging to customers, partners and suppliers is essential to avoid potential legal sanctions and financial losses. Confidentiality is even more important in military organizations. Configuration Manager 2007 provides access to data stored on client machines through its inventory and remote management capabilities. The site database also contains configuration data that an attacker can use to find vulnerabilities in your network and systems. Protecting your ConfigMgr infrastructure is, therefore, vital to ensuring confidentiality for sensitive data.

  • Integrity— In addition to protecting data from unauthorized disclosure, effective security must protect information and systems from unauthorized modification. A poorly designed software package or malicious use of ConfigMgr tools can easily compromise the integrity of your environment. Protecting the integrity of information systems is, therefore, a paramount concern in ConfigMgr security.

  • Availability— In many cases, an interruption of vital services might cause business losses equal to or greater than a lapse in confidentiality or integrity. For example, a customer-facing website might not store or process sensitive information, but if it is down, the company’s Internet presence is lost until the service is restored. Even in military settings where confidentiality and integrity are generally the foremost concerns, disruption of vital command, communications, or intelligence systems during combat operations can have catastrophic consequences. Your ConfigMgr infrastructure needs to be resilient enough to provide services reliably while at the same time avoiding any negative effects on other network or system functionality. Although ConfigMgr service availability often is not considered mission critical, if your patch management infrastructure is down when you need to deploy a critical patch, your entire environment could be at risk. If you enforce Network Access Protection (NAP), clients might need to access ConfigMgr services for remediation to gain access to your network.

  • Accountability— To demonstrate you follow security policies and allow you to take corrective action if a breach of security occurs, you must maintain effective audit logs to track security sensitive operations on a per user basis. With increasing emphasis on regulatory compliance, the completeness and integrity of audit logs and records of user activity is an integral part of any security program. ConfigMgr provides the ability to track user actions, and additional audit capabilities are available within Windows, SQL Server, and in many cases through your network infrastructure devices.

A guiding principle in security is the concept of risk management. It is not possible for any organization to keep its assets absolutely secure. Some basic risk management concepts include

  • A vulnerability is a weakness that could result in compromise of the confidentiality, integrity, or availability of your information or systems.

  • A threat is a potential danger to your information systems. Keep in mind that threats include both malicious and inadvertent actions. Good security helps protect against honest mistakes by users and deliberate breaches by hackers and malware creators.

  • A risk is the likelihood of a threat being realized and the associated business impact if the threat is realized.

There are four possible approaches for dealing with risk, and your organizational policies determine how you choose or recommend a strategy for each set of potential risks:

  • Risk avoidance— You might decide that the business value of undertaking a technology initiative simply does not justify the risk. For example, you might decide that the value to your company of Internet-based client management (IBCM) is not sufficient to justify exposing your ConfigMgr infrastructure to the Internet.

  • Risk mitigation— You might decide to implement countermeasures to address potential threats to reduce risk. For example, you might decide to implement a Public Key Infrastructure (PKI) and deploy Configuration Manager 2007 in native mode to reduce the chances of a network-based attack on ConfigMgr communications.

  • Risk acceptance— You might decide to accept certain risks if both the business value of the activity and the cost of implementing additional controls to mitigate risk outweigh the potential losses posed by the risk. For example, you might decide to accept the risk of using a system as a branch distribution point (BDP) that does not meet the normal security standards of your server infrastructure. You would choose to accept this risk if you determine the value of the services the BDP provides is sufficient to justify the risk, and the cost of implementing a higher level of security is not justified by the risk mitigation it would provide.

  • Risk transfer— In some cases you can purchase insurance to protect your organization from losses due to certain risks. Risk transfer is mentioned here for completeness, but this strategy is generally not applicable to the security choices you make in your ConfigMgr deployment.

Every organization must assess the value of its assets and weigh the probable losses from threats to those assets against the costs of implementing additional security measures to counter those threats. Risk mitigation strategies, also known as controls, fall into three categories:

  • Technical— Technical controls are often the first things that come to mind when thinking of information security. Firewalls, antimalware programs, access controls, and cryptography are examples of tools you can use to implement technical controls. Microsoft provides extensive guidance on technical controls relevant to ConfigMgr under the Security and Privacy for Configuration Manager 2007 topic at the System Center TechCenter (http://technet.microsoft.com/en-us/library/bb680768.aspx).

  • Administrative— Administrative controls are every bit as essential to information security as technical controls. These controls include policies, standards, and procedures that integrate sound security practices into the way your organization does business and how you provide IT services.

  • Physical— Physical controls prevent unauthorized physical access to your IT assets. These controls include building access systems, cameras, guards, and alarm systems. Physical security is an integral part of information security, and there is a growing trend to unify information security and physical security, although most IT professionals are not directly responsible for physical security services.

Other -----------------
- System Center Configuration Manager 2007 : Configuration Manager Queries - Using Query Results & Status Message Queries
- Windows Server Enterprise Administration : Planning for Data Sharing and Collaboration (part 2) - Planning a SharePoint Infrastructure
- Windows Server Enterprise Administration : Planning for Data Sharing and Collaboration (part 1)
- Sharepoint 2007 : Managing Security - Assign Permissions to a File or List Item
- Sharepoint 2007 : Managing Security - See What Permissions Are Set
- Microsoft Dynamics AX 2009 : Processing Business Tasks - Creating sales orders
- Microsoft Dynamics AX 2009 : Processing Business Tasks - Creating purchase orders
- Active Directory Domain Services 2008 : Delete a Computer Object
- Active Directory Domain Services 2008 : Create a Computer Object
- Windows Server 2008 Server Core : Managing the System Time with the W32Tm Utility
 
 
Top 10
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
- First look: Apple Watch

- 3 Tips for Maintaining Your Cell Phone Battery (part 1)

- 3 Tips for Maintaining Your Cell Phone Battery (part 2)
programming4us programming4us
Popular tags
Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 windows Phone 7 windows Phone 8
programming4us programming4us
 
programming4us
Natural Miscarriage
programming4us
Windows Vista
programming4us
Windows 7
programming4us
Windows Azure
programming4us
Windows Server
programming4us
Game Trailer