Microsoft Windows Server 2003 Deployment Kit [Electronic resources] : Planning Server Deployments نسخه متنی

Microsoft Corporation
Configuring Your Infrastructure for Remote Management

Remote administration, whether in-band or out-of-band, might require changes to your environment in areas such as network connectivity, memory and processor resources, and security. After you select the tools you plan to use for remote management, assess the impact they have on your environment, and decide how to configure hardware components, the next step is to determine the changes you need to make to your infrastructure to mitigate any potential negative impacts. The place of this step in the process is illustrated in Figure 5.10.


Figure 5.10: Configuring Your Infrastructure for Remote Management


For more information about ways that remote administration might affect your environment, see the Server Management Guide of the Windows Server 2003 Resource Kit (or see the Server Management Guide on the Web at http://www.microsoft.com/reskit).



Ensuring Network Connectivity


Remote administration requires a stable, unrestricted connection between the management computer and the server being managed, and in some cases a high-speed connection. The tools you select and the location of the management computer in relation to the server being managed determine the network connectivity issues you need to address: available network bandwidth, the type of connection you plan to use, firewalls that might prevent access, and routers that might prevent access because of IP packet filtering.

Network bandwidth

Because remote administration tools can increase network traffic, you need to assess your current traffic levels and the capacity of your network to handle additional traffic that might result from the tools you decide to use. Typically, remote administration tools increase traffic only by a small amount, but some tools can increase traffic significantly. Remote Desktop for Administration, for example, is resource intensive and can create a significant amount of traffic.

Type of connection

If you select resource-intensive remote management tools, you also need to assess the type of connection you plan to use with the tool. Typically, high-speed connections available on a LAN or WAN can, depending on your current traffic level, accommodate resource-intensive tools. Dial-up, digital subscriber line (DSL), or broadband digital cable connections across a VPN, however, are relatively slow compared to LAN and WAN connections and might result in poor performance for some remote management tools.

If you plan to perform remote management tasks across a VPN, you need to configure the networking settings for the connection. For information about specifying these settings, see "VPN remote access for employees" in Help and Support Center for Windows Server 2003.

Firewalls

Because firewalls restrict network traffic, they can prevent you from remotely managing computers from outside the firewall. If you plan to use a management computer outside the firewall to manage servers inside the firewall, ensure that you can connect to them remotely through the firewall and that the firewall supports the network protocols and ports used by your tools. You might need to reconfigure firewall settings to permit remote management through the firewall.

For more information about the impact of firewall settings on remote management, see the Server Management Guide of the Windows Server 2003 Resource Kit (or see the Server Management Guide on the Web at http://www.microsoft.com/reskit).


IP packet filtering

If you use routers that filter IP packets based on source and destination IP addresses and TCP ports, ensure that those filters still allow your management computer to reach the servers you need to manage. You might need to reconfigure the IP packet filtering settings on your routers to permit remote management traffic from your management computer.

For more details about configuring your network for remote management, see the Server Management Guide of the Windows Server 2003 Resource Kit (or see the Server Management Guide on the Web at http://www.microsoft.com/reskit).
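The following check, written for this page and not taken from the Deployment Kit, runs on the management computer and tests whether the firewall and packet-filtering routers in the path pass the TCP ports used by common in-band tools. The server names and the tool-to-port mapping are assumptions; adjust them to the tools you selected.

```powershell
# Added example (not from the Deployment Kit). Run on the management computer to confirm
# that firewalls and packet-filtering routers pass the ports your chosen tools use.
# Server names and the tool-to-port mapping below are assumptions for this example.
$Servers = @('srv-dc01.corp.example', 'srv-web01.corp.example')   # assumed names
$ManagementPorts = @{
    'Remote Desktop for Administration' = 3389   # TCP 3389
    'Administrative shares (SMB)'        = 445    # TCP 445
    'MMC snap-ins (RPC endpoint mapper)' = 135    # TCP 135, plus dynamic RPC ports
}

function Test-ManagementPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    # TcpClient.BeginConnect is available on PowerShell 2.0, which runs on Server 2003 SP2.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'filtered/timeout' }
        $client.EndConnect($async)   # throws if the server actively refused the connection
        return 'open'
    } catch {
        return "closed ($($_.Exception.Message))"
    } finally {
        $client.Close()
    }
}

foreach ($server in $Servers) {
    foreach ($tool in $ManagementPorts.Keys) {
        $port  = $ManagementPorts[$tool]
        $state = Test-ManagementPort -ComputerName $server -Port $port
        # A timeout usually means a firewall or router filter is dropping the traffic;
        # 'closed' means the packet reached the server but nothing is listening there.
        "{0,-26} TCP/{1,-5} {2,-36} {3}" -f $server, $port, $tool, $state
    }
}
```

A port that reports 'filtered/timeout' from the management computer but 'open' from a host inside the firewall identifies a firewall or router filter that needs a rule for the management computer's address.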


Ensuring Memory and Processor Resources


Remote management software tools that run on a management computer use memory, disk, and processor resources. Remote management services that run on a managed server use memory and processor resources. Although you typically do not need to add memory or processor resources for remote management, you might want to ensure that the tools you choose do not degrade server performance, especially on critical servers such as domain controllers.

Remote management tools that support graphical user interfaces use more processor resources than command-line tools do. If you are concerned about the effect of a specific remote management tool on server performance, test the tasks you plan to perform with the tool to ensure that the current memory and processor resources can accommodate remote management. The task you perform with a tool affects processor activity more than the tool itself.

Remote management tools use memory on both the management computer and the server. If the computers meet minimum hardware requirements, remote management tools typically do not cause memory usage performance problems. If you optimize memory by terminating all nonessential services and processes, such as on a Web server, you might want to verify that your remote management tools do not have an impact on performance. For more information about assessing memory usage on remote management computers and servers, see the Server Management Guide of the Windows Server 2003 Resource Kit (or see the Server Management Guide on the Web at http://www.microsoft.com/reskit).



Providing Security for Remote Management


Remote administration introduces new security considerations into your environment. When you manage servers remotely, sensitive information that normally is not transmitted across a network is sent over your network. For example, server identifying information, configuration information, and other sensitive management information such as user names and passwords can be transmitted. You need to ensure that your remote management tools and tasks do not expose this sensitive data to someone sniffing or eavesdropping on your network. In addition, when you use serial ports for out-of-band management, the null modem connections between the servers and the management computer or other out-of-band hardware component provide no logical security against unauthorized access.

When planning security solutions for remote management, you need to protect against intentional acts as well as accidents. For in-band remote management, you need to consider solutions such as authentication and encryption. If you plan to use dial-up, DSL, or broadband digital cable connections across a VPN, you also need to plan your firewall configuration. For out-of-band remote management, you need to plan physical security solutions to protect the inherently insecure serial connections. Finally, you need to determine a strategy for user rights and shared folder permissions so that only authorized administrators can perform authorized management tasks.

As you plan your remote management security strategy, you need to make sure that:

- The server allows administrative commands only from an authenticated computer.
- The server accepts administrative commands only from an authenticated administrator.
- Confidential information — including administrative commands and configuration settings — cannot be intercepted, read, or changed by intruders.
- Log files are viewed by using a secure method.


A secondary network built specifically for remote management can increase security, performance, and availability. You can control access to such a management network by using a secure router.

For more detailed information about assessing security risks inherent in remote management and an overview about how to mitigate or eliminate these security vulnerabilities, see the Server Management Guide of the Windows Server 2003 Resource Kit (or see the Server Management Guide on the Web at http://www.microsoft.com/reskit).


Authentication


When you perform remote administration, you need to log on to the remote computer you want to manage. Remote management tools use several different authentication protocols — some stronger than others — to ensure that only authorized users can access computers remotely. For example, some tools use the Kerberos version 5 authentication protocol and others use the NTLM authentication protocol. Kerberos authentication is more secure than NTLM authentication.

You can mitigate the vulnerabilities of less secure authentication protocols by configuring one or more Group Policy settings. Configure these policy settings for maximum protection if either of the following is true:

- You are administering remote computers in an environment that forces NTLM authentication.
- You are administering remote computers with remote management tools that use NTLM authentication.



For information about environments that force NTLM authentication and the description and location of Group Policy settings you can use with NTLM, see the Server Management Guide of the Windows Server 2003 Resource Kit (or see the Server Management Guide on the Web at http://www.microsoft.com/reskit).
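As an added example (not from the Deployment Kit), the script below audits the registry values that the NTLM-related Group Policy settings write on a server or management computer, and can apply hardened values locally with a secedit template. The target values and file names are this example's assumptions; in a domain, the same settings belong in a GPO, which otherwise overwrites the local values.

```powershell
# Added example (not from the Deployment Kit): audits the registry values behind the NTLM
# Group Policy settings on this computer and can apply hardened values with secedit.
# Run elevated; in a domain, put the same settings in a GPO or it will overwrite them.
$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
# LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLM responses.
# NTLMMin*Sec 0x20080000 = require NTLMv2 session security and 128-bit encryption.
$Targets = @(
    @{ Name = 'LmCompatibilityLevel'; Path = $Lsa;          Value = 5;          Kind = 'Level' }
    @{ Name = 'NTLMMinClientSec';     Path = "$Lsa\MSV1_0"; Value = 0x20080000; Kind = 'Flags' }
    @{ Name = 'NTLMMinServerSec';     Path = "$Lsa\MSV1_0"; Value = 0x20080000; Kind = 'Flags' }
)

function Get-NtlmHardeningReport {
    foreach ($t in $Targets) {
        $current = (Get-ItemProperty -Path $t.Path -ErrorAction SilentlyContinue).($t.Name)
        if ($current -eq $null) { $ok = $false }                           # OS default applies
        elseif ($t.Kind -eq 'Level') { $ok = ($current -ge $t.Value) }     # level is ordinal
        else { $ok = (($current -band $t.Value) -eq $t.Value) }            # flags are a bitmask
        New-Object PSObject -Property @{
            Setting = $t.Name; Current = $current; Expected = $t.Value; Compliant = $ok
        }
    }
}

# secedit security template; "4," marks a REG_DWORD value, and 537395200 = 0x20080000.
$Template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,537395200
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,537395200
'@

function Set-NtlmHardening {
    $inf = Join-Path $env:TEMP 'ntlm-hardening.inf'   # assumed file names
    $Template | Set-Content -Path $inf -Encoding Unicode
    secedit /configure /db "$env:TEMP\ntlm-hardening.sdb" /cfg $inf /areas SECURITYPOLICY /log "$env:TEMP\ntlm-hardening.log"
}

Get-NtlmHardeningReport | Format-Table Setting, Current, Expected, Compliant -AutoSize
# Set-NtlmHardening   # uncomment once the report is reviewed; test tools that still rely on NTLM first
```

Raising LmCompatibilityLevel to 5 on a server rejects LM and NTLMv1 responses from every client, so run the report on the management computers as well and confirm they send NTLMv2 before applying it to the servers.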

Encryption


Some remote management tools encrypt data — including passwords — before transmitting it across the network, while others do not. Unencrypted data exposes passwords and other management information to anyone eavesdropping on or sniffing your network.

If you decide to use a remote management tool that does not encrypt or otherwise secure data, you can mitigate the security vulnerability by using Internet Protocol security (IPSec) to encrypt the communication between the management computer and the server. When you use IPSec, IP packets can pass securely through routers or other computers that do not support IPSec. You administer IPSec by using policies, which you can configure for the specific security requirements of individual computers, domains, organizational units, sites, or your entire enterprise. If you plan to support dial-up remote management, consider using IPSec across a VPN connection. For more information about VPN and about using IPSec with VPN, see the Internetworking Guide of the Windows Server 2003 Resource Kit (or see the Internetworking Guide on the Web at http://www.microsoft.com/reskit).

For information about IPSec policies, see "Internet Protocol security (IPSec)" in Help and Support Center for Windows Server 2003. For more information about IPSec in general, see the Networking Guide of the Windows Server 2003 Resource Kit (or see the Networking Guide on the Web at http://www.microsoft.com/reskit).

For detailed information about using encryption for remote management, see the Server Management Guide of the Windows Server 2003 Resource Kit (or see the Server Management Guide on the Web at http://www.microsoft.com/reskit).
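As an added example (not from the Deployment Kit), the commands below build a local IPSec policy on a managed server that requires ESP encryption for the management ports, so a tool that sends cleartext is still protected on the wire. The addresses, policy names and port list are assumptions; the same policy can be created in Group Policy for a domain or OU instead of locally.

```powershell
# Added example (not from the Deployment Kit): assumed addresses, names and ports.
# Run elevated on the managed server; the management computer needs a matching policy.
$Mgmt   = '10.0.0.10'        # management computer (assumed)
$Server = '10.0.1.20'        # managed server (assumed)
$Ports  = @(3389, 445, 135)  # RDP, administrative shares, RPC endpoint mapper (assumed tool set)

$Policy = 'RemoteMgmtESP'      # names without spaces pass through netsh unchanged
$List   = 'RemoteMgmtTraffic'
$Action = 'RequireESP'

# An existing policy with the same name would make the 'add' fail; remove it first.
netsh ipsec static delete policy name=$Policy 2>$null

netsh ipsec static add policy name=$Policy
netsh ipsec static add filterlist name=$List
foreach ($p in $Ports) {
    # mirrored=yes also matches the server-to-management-computer reply traffic
    netsh ipsec static add filter filterlist=$List srcaddr=$Mgmt dstaddr=$Server protocol=TCP srcport=0 dstport=$p mirrored=yes
}
# Negotiate security, never fall back to cleartext (soft=no) and never accept
# unsecured inbound packets on these ports (inpass=no).
netsh ipsec static add filteraction name=$Action action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"
# Kerberos authenticates the IKE exchange, so both computers must be domain members.
netsh ipsec static add rule name=MgmtPorts policy=$Policy filterlist=$List filteraction=$Action kerberos=yes
netsh ipsec static set policy name=$Policy assign=y

# Verify the assigned policy; if the management computer lacks a matching policy, IKE fails
# and, with soft=no, the management ports become unreachable rather than unencrypted.
netsh ipsec static show policy name=$Policy level=verbose
```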


Physical Security


Although corporate servers must always be situated in secure locations, out-of-band management introduces another physical security issue: the serial connections between servers and out-of-band management components, such as a remote management computer or a terminal concentrator, need to be protected physically because null modem connections provide no logical security. Some ways to provide physical security include:

- Keeping server rooms locked with secured access, such as keys, smart cards, or passwords.
- Using terminal concentrators or intelligent UPSs to consolidate access to servers and keeping these out-of-band hardware components in the same secured room with the servers.
- Keeping cable lengths short to prevent the possibility of extending them outside the secured room.



Rights and Permissions


After you know which servers you plan to manage remotely and which administrators are responsible for specific administrative tasks, you need to set up security groups and assign administrators membership in order to grant them access to remote resources. As you define your security groups, set up administrative tasks with the minimum necessary administrative credentials. By using this technique, you can avoid assigning users a higher security level than they need to perform the tasks for which they are responsible. For recommendations about assigning permissions and user rights, see "Best practices for permissions and user rights" in Help and Support Center for Windows Server 2003.

Two types of security considerations are important in remote administration: user rights and shared folder permissions.

User rights

User rights control the tasks you can perform on a computer, such as setting up user accounts or installing hardware. Depending on the security model and the group structure you use, you might have to configure user rights on each server and management computer, or you might be able to configure them on the domain controller.

Shared folder permissions

Shared folder permissions control which users or groups can gain access to the contents of a shared folder remotely over the network, as well as which actions users or groups can perform on the contents of those folders. You can configure shared folder permissions on the server and enable users to gain access to the folders remotely over the network. For example, you can assign Read or Full Control.

You need to configure user rights and shared folder permissions if administrators need to do the following:

- Access the administrative shares on a remote computer.
- Log on to computers remotely by using terminal emulation or command console programs.
- Access files or folders on a remote computer.



You can centrally control remote management by using Group Policy settings related to remote management. Group Policy settings for computer configuration include security settings that restrict how a user can access files, folders, and computers, as well as administrative template settings that change the behavior and appearance of remote management tools and technologies, such as Terminal Services.





Important

Terminal Services is affected by the Internet Explorer Enhanced Security Configuration, which places your server and Microsoft Internet Explorer in a configuration that decreases the exposure of your server to attacks that can occur through Web content and application scripts. As a result, some Web sites might not display or perform as expected. For more information, see "Before installing Terminal Server" and "Internet Explorer Enhanced Security Configuration" in Help and Support Center for Windows Server 2003.


For information about groups, user rights, permissions, and authorization and access control, see the Distributed Services Guide of the Windows Server 2003 Resource Kit (or see the Distributed Services Guide on the Web at http://www.microsoft.com/reskit). For information about configuring user rights and permissions for remote management, see the Server Management Guide of the Windows Server 2003 Resource Kit (or see the Server Management Guide on the Web at http://www.microsoft.com/reskit).


Secondary Management Network


In addition to authentication, encryption, and user rights, you can add an extra layer of network security by placing your remote management system on a separate network segment and controlling access to it by using a secure router, as shown in Figure 5.11. You can use this configuration to control exactly which users and computers are allowed access to the management system.


Figure 5.11: Secondary Management Network

In this configuration, the servers are connected to the terminal concentrator with null modem cables, and all these components are located in a secure room. The management computer can access the servers by connecting to the terminal concentrator through the secure router. The management computer can use an in-band connection or a remote access connection through a remote access server.
