Server-Level Security - Using Software Update Services
One of the main drawbacks to Windows security has been the difficulty in keeping servers and workstations up to date with the latest security fixes. For example, the security fix for the Index Server component of IIS was available for more than a month before the Code Red and Nimda viruses erupted onto the scene. If the deployed Web servers had downloaded the patch, they would not have been affected. The main reason that the vast majority of the deployed servers were not updated was that keeping servers and workstations up to date with the latest security patches was an extremely manual and time-consuming process. For this reason, a streamlined approach to security patch application was required and realized with the release of Software Update Services (SUS).
Understanding the Background of SUS: Windows Update
In response to the original concerns regarding the difficulty in keeping computers properly patched, Microsoft made available a centralized Web site called Windows Update to which clients could connect, download security patches, and install them. Invoking the Windows Update Web page remotely installed an executable, which ran a test to see which hotfixes had been applied. Those that were not applied were offered up for download, and users could easily install these patches.
Windows Update streamlined the security patch verification and installation process, but the major drawback was that it required a manual effort to go up to the server every few days or weeks and check for updates. A more efficient, automated process was required.
Deploying the Automatic Updates Client
The Automatic Updates Client was developed to automate the installation of security fixes and patches and to give users the option to automatically "drizzle" patches across the Internet to the local computer for installation. Drizzling, also known as Background Intelligent Transfer Service (BITS), is a process in which a computer intelligently utilizes unused network bandwidth to download files to the machine. Because only unused bandwidth is used, there is no perceived effect on the network client itself.
The Automatic Updates Client was included as a standard feature that is installed with Windows 2000 Service Pack 3 and Windows XP Service Pack 1. It is also available for download as a separate component.
Understanding the Development of Software Update Services
The Windows Update Web site and the associated client provided for the needs of most home users and some small offices. However, large organizations, concerned about the bandwidth effects of downloading large numbers of updates over the Internet, often disabled this service or discouraged its use. These organizations often had a serious need for Windows Update's capabilities. This fact led to the development of Software Update Services.
SUS is a free download from Microsoft that effectively gives organizations their own, independent version of the Windows Update server. SUS runs on a Windows Server 2003 (or Windows 2000) machine that is running Internet Information Services. Clients connect to a central intranet SUS server for all their security patches and updates.
SUS is not considered to be a replacement technology for existing software deployment solutions such as Systems Management Server (SMS), but rather it is envisioned as a solution for mid- to large-size businesses to take control over the fast deployment of security patches as they become available. Current SMS customers may decide instead to use the SMS 2.0 Value Pack, which includes security-patch functionality similar to that offered by SUS.
The most recent revision to SUS, Service Pack 1, added capabilities and fixed several issues. The following is a list of items addressed and features added in SUS Service Pack 1:
Support for deploying service packs—Previously missing in SUS was the ability to deploy major service packs. Service Pack 1 now allows for the application of recent service packs for newer MS operating systems.
Ability to run on Domain Controller and Small Business Server—SUS was previously limited to non-domain controller servers.
Improved details for patches—SUS now contains links to information about each patch that is made available.
Improved Group Policy ADM file—The wuau.adm file, available for download from Microsoft, has been improved to allow for more intelligent application of patches and reboot scheduling for clients.
SUS Prerequisites
Deploying SUS on a dedicated server is preferable, but it can also be deployed on a Windows Server 2003 member server, as long as that server is running Internet Information Services. The following list details the minimum levels of hardware on which SUS will operate:
In essence, a SUS server can easily be set up on a workstation-class machine, although more enterprise-level organizations might desire to build more redundancy into a SUS environment.
Installing a Software Update Services Server
The installation of SUS is straightforward, assuming that IIS has been installed and configured ahead of time (for more information on installing IIS, refer to Chapter 11, "Internet Information Services v6"). The executable for SUS can be downloaded from the SUS Web site at Microsoft, currently located at the following URL:
To complete the initial installation of SUS, follow these steps:
Run the SUS Setup from the CD or the download executable.
Click Next at the Welcome screen.
Review and accept the license agreement to continue. Click Next to continue.
Click the Typical button to install the default options.
At the following screen, specify the URL through which clients will access SUS. If this is a dedicated SUS server, leave it at the root, as illustrated in Figure 12.9. Then click Install.
The installation will complete, and the admin Web site URL will be displayed. Click Finish to end the installation.
The administration Web page (http://servername/SUSAdmin) will be automatically displayed after installation. This page is the main location for all configuration settings for SUS and is the sole administrative console. By default, it can be accessed from any Web browser on the local network. All further configuration will take place from the Admin console, as illustrated in Figure 12.10.

Figure 12.9
Specifying a download URL for SUS clients.
Setting SUS Options
After installation, SUS will not physically contain any security patches. The first task after installation should be configuring all the options available to the server. You can invoke the option page by clicking Set Options in the left pane of the SUS Admin page.
Setting Proxy Server Options
If using a proxy server on the network, the first set of options in SUS allows the server to utilize a proxy server for downloading updates. If one is not on the network, select Do Not Use a Proxy Server from the options page.
Note - When in doubt, select Automatically Detect Proxy Server Settings. With this setting, if a proxy server does not exist, SUS will automatically configure itself not to use a proxy server.
SUS Server Name Options
The next set of options, illustrated in Figure 12.11, allows an administrator to specify the server name that clients will use to locate the update server. It is recommended to enter the fully qualified domain name (such as server2.companyabc.com) of the server so that clients use DNS as opposed to NetBIOS to locate the server.
Selecting a Content Source
The following option allows administrators to download SUS updates directly from Microsoft Windows Update servers or from another internal SUS server. In most cases, the former situation will apply, although there are large deployment situations in which multiple SUS servers could be deployed and configured to update from each other.

Figure 12.10
The SUS Admin console.

Figure 12.11
Setting SUS options.
Handling Previously Approved Updates
The next option grants control over whether new versions of updates that were previously approved by an administrator should be re-approved automatically. Choose the desired option and continue with the configuration.
Update Location and Supported Client Languages
The final option is an important one. At this point, SUS can either be deployed as a full-fledged replica of all Microsoft patches or simply configured to point to a Windows Update server when clients request patches. Most SUS installations will choose the former, illustrated in Figure 12.12, which minimizes client bandwidth concerns to the Internet. If you choose to utilize Windows Update servers, the clients will be redirected from the SUS server to the Internet Windows Update servers to download the actual security patch.
This option also allows you to select the languages in which the security patches will be available. Any languages that are in use within an organization should be selected here; however, the more languages chosen, the larger the initial and subsequent download will be.

Figure 12.12
Setting more options in SUS.
Synchronizing an SUS Server
After configuring all the options in SUS, particularly the options regarding which security patch languages will be supported, the initial synchronization of the SUS server can take place. To perform the synchronization, follow these steps:
Open the SUS Admin Web page by launching Internet Explorer on the SUS server and going to http://localhost/SUSAdmin.
Click the Synchronize Server link in the left pane.
The next screen to be displayed, shown in Figure 12.13, gives you the option of synchronizing with the SUS site now or setting up a synchronization schedule. It is advised to do a full SUS synchronization first and to schedule subsequent downloads on a daily basis thereafter. So, in this example, click the Synchronize Now button.
Figure 12.13
Setting SUS synchronize server options.
An updated SUS catalog will then be downloaded in addition to all the security patches that exist on the corporate SUS server. Downloading may take a significant amount of time, depending on the Internet connection in use.
Note - Plan to run the initial synchronization of SUS over a weekend, beginning the download on Friday evening. Given the number of security patches that you will need to download and the overall Internet connection bandwidth consumption used, it is wise to limit the impact that this procedure will have on the user population.
Approving SUS Software Patches
After the initial synchronization has taken place, all the relevant security patches will be downloaded and ready for approval. Even though the files are now physically downloaded and in the IIS metadirectory, they cannot be downloaded by the client until the approval process has been run on each update. This allows administrators to thoroughly test each update before it is approved for distribution to corporate servers and workstations. To run the approval process, follow these steps:
Open the SUS Admin Web page by launching Internet Explorer on the SUS server and going to http://localhost/SUSAdmin.
Click the Approve Updates link in the left pane.
Check those updates listed that have been approved for use in the organization, as illustrated in Figure 12.14, and click the Approve button.
Figure 12.14
Approving updates.
At the next VBScript screen, click Yes to continue.
You are asked to read a license agreement for all the security updates. Read the agreement and click Accept to signify agreement.
The updates will then be approved, and the screen in Figure 12.15 will appear, signifying completion of this procedure.
Depending on the number of updates downloaded, the preceding steps may need to be repeated several times before all updates are approved.
Note - A good approach to testing updates is to download them first on a client with direct access to Windows Update on the Internet. After the test server or workstation has successfully downloaded and all functionality has been verified, that particular security patch can be approved in SUS for the rest of the corporate clients.

Figure 12.15
Finalizing approval of updates.
Automatically Configuring Clients via Group Policy
As previously mentioned, the Automatic Updates client can be downloaded from Microsoft and deployed on managed nodes in an environment, either manually or through automated measures. Service Pack 3 for Windows 2000 includes the client by default, as well as Service Pack 1 for Windows XP. After the client is installed, it can be configured to point to an SUS server, rather than the default Internet Windows Update location.
The configuration of each client can be streamlined by using a Group Policy in an Active Directory environment. Windows Server 2003 domain controllers automatically contain the proper Windows Update Group Policy extension, and a Group Policy can be defined by following these steps:
Open Active Directory Users and Computers (Start, All Programs, Administrative Tools, Active Directory Users and Computers).
Right-click the organizational unit that will have the Group Policy applied and click Properties.
Select the Group Policy tab.
Click the New button and name the Group Policy.
Click the Edit button to invoke the Group Policy Object Editor.
Expand the Group Policy Object Editor to Computer Configuration\Administrative Templates\Windows Components\Windows Update, as illustrated in Figure 12.16.

Figure 12.16
Configuring Windows Update Group Policy settings.
Double-click the Configure Automatic Updates setting.
Set the Group Policy to be enabled, and configure the automatic updating sequence as desired. The three options given—2, 3, and 4—allow for specific degrees of client intervention. For seamless, client-independent installation, choose option 4.
Schedule the interval that updates will be installed, bearing in mind that some updates require reboots.
Click Next Setting to configure more options.
Click Enabled to specify the Web location of the SUS server. Entering the fully qualified domain name is recommended, as indicated in Figure 12.17. Enter both settings (usually the same server) and click OK to save the Group Policy settings.
Repeat the procedure for any additional organizational units. (The same Group Policy can be used more than once.)
Note - Organizations that do not use Active Directory or Group Policies have to manually configure each client's settings to include the location of the SUS server. This can be done through a local policy or manually through Registry settings, as defined in the SUS Help.

Figure 12.17
Setting the SUS server location via a Group Policy.
Tip - A useful trick for automating the testing of new SUS patches is to deploy two SUS servers and two sets of Group Policies. The first SUS server serves as a pilot SUS server, and all updates are approved as soon as they become available. A subset of the client population then points to this server through a GPO and installs the patches immediately. After the patch has been validated on this pilot group, the real SUS server can then be set to approve the patch, deploying the update to the rest of the user population. This model requires more hardware resources but streamlines the SUS update process.
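The Group Policy settings in the procedure above and the manual Registry alternative from the Note both end up as values under the Windows Update policy key, so a client can be configured, or audited for drift, with a script; the commented calls at the end show the pilot/production split from the Tip. The following PowerShell is an added example, not code from the book or from Microsoft: the server URLs are placeholders, the value names are the standard Automatic Updates policy values that the wuau.adm template writes, and the script assumes it runs as a local administrator on the client.

```powershell
# Added example, not from the book: set the Automatic Updates client policy
# values that the Windows Update GPO (wuau.adm) writes, then audit them.
# Assumptions: run as a local administrator on the client; server URLs are
# placeholders; value names are the standard Windows Update policy values.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = "$PolicyKey\AU"

function Set-SusClientPolicy {
    param(
        [Parameter(Mandatory)] [string] $SusServer,   # e.g. http://sus.companyabc.com (FQDN)
        [ValidateSet(2, 3, 4)] [int] $AUOptions = 4,  # 2 = notify/notify, 3 = download/notify, 4 = download/scheduled install
        [ValidateRange(0, 7)]  [int] $InstallDay = 0, # 0 = every day, 1 = Sunday ... 7 = Saturday
        [ValidateRange(0, 23)] [int] $InstallHour = 3 # local time, 24-hour clock
    )
    foreach ($key in $PolicyKey, $AuKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # "Enter both settings": the update server and the status (reporting) server,
    # usually the same host.
    Set-ItemProperty -Path $PolicyKey -Name WUServer       -Value $SusServer -Type String
    Set-ItemProperty -Path $PolicyKey -Name WUStatusServer -Value $SusServer -Type String
    Set-ItemProperty -Path $AuKey -Name UseWUServer          -Value 1            -Type DWord
    Set-ItemProperty -Path $AuKey -Name NoAutoUpdate         -Value 0            -Type DWord
    Set-ItemProperty -Path $AuKey -Name AUOptions            -Value $AUOptions   -Type DWord
    Set-ItemProperty -Path $AuKey -Name ScheduledInstallDay  -Value $InstallDay  -Type DWord
    Set-ItemProperty -Path $AuKey -Name ScheduledInstallTime -Value $InstallHour -Type DWord
}

# Returns a list of findings; an empty list means the client matches the intended policy.
function Test-SusClientPolicy {
    param([Parameter(Mandatory)] [string] $ExpectedServer, [int] $ExpectedAUOptions = 4)
    $wu = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuKey     -ErrorAction SilentlyContinue
    $findings = @()
    if ($wu.WUServer -ne $ExpectedServer)       { $findings += "WUServer is '$($wu.WUServer)', expected '$ExpectedServer'" }
    if ($wu.WUStatusServer -ne $ExpectedServer) { $findings += 'WUStatusServer does not match the SUS server' }
    if ($au.UseWUServer -ne 1)  { $findings += 'UseWUServer is not 1: client would use Internet Windows Update' }
    if ($au.NoAutoUpdate -eq 1) { $findings += 'NoAutoUpdate is set: Automatic Updates is disabled' }
    if ($au.AUOptions -ne $ExpectedAUOptions) { $findings += "AUOptions is $($au.AUOptions), expected $ExpectedAUOptions" }
    if ($ExpectedServer -notmatch '^https?://[a-z0-9.-]+\.[a-z]{2,}') {
        $findings += 'Server should be an FQDN URL so clients locate it through DNS, not NetBIOS'
    }
    return $findings
}

# Production clients: unattended download and scheduled install (option 4) at 03:00 daily.
Set-SusClientPolicy -SusServer 'http://sus.companyabc.com' -AUOptions 4
# Pilot group from the Tip above: same settings, different server.
# Set-SusClientPolicy -SusServer 'http://sus-pilot.companyabc.com' -AUOptions 4
# Servers: download automatically but let an administrator schedule the install (option 3).
# Set-SusClientPolicy -SusServer 'http://sus.companyabc.com' -AUOptions 3
Test-SusClientPolicy -ExpectedServer 'http://sus.companyabc.com' | ForEach-Object { Write-Warning $_ }
```

On a domain-joined client the GPO overwrites these values at the next policy refresh, so run the audit function there rather than the setter; a non-empty result means the machine is not where the policy says it should be.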
Deploying Security Patches with SUS
Depending on the settings chosen by the Group Policy or the Registry, the clients that are managed by SUS will automatically download updates and install them on clients at a specified time. Some computers may be configured to allow for local interaction, scheduling proper times for the installation to take place and prompting for "drizzle" downloading.
Clients that are configured to use SUS will not be prompted to configure their Automatic Update settings, and they will be grayed out to prevent any changes from occurring. Users without local administrative access will not be able to make any changes to the installation schedule, although local admin users will be able to postpone forced installs.
Note - Generally, it is good practice to allow servers to control the download and installation schedule, but to force clients to do both automatically. Depending on the political climate of an organization, this may or may not be a possibility.
Summary
Out of the box, Windows Server 2003 is by far the most secure Windows yet. Increased security emphasis through the Trustworthy Computing initiative helps to increase overall server security by disabling unnecessary services and locking out file-level permissions by default. In addition to the standard features, advanced options in Windows Server 2003 allow administrators to add multiple layers of security to servers, further protecting them from attacks and vulnerabilities. In addition, the automatic updating capabilities of tools such as Software Update Services give organizations an edge in protecting servers and workstations from constantly changing security threats.
Best Practices
Physically secure servers behind locked doors, in a controlled-access environment.
Apply security in layers.
Use Configure Your Server Wizard (CYS) for turning on server roles and securing them.
Use the Run As command when administrative access is required instead of logging in as an Administrator.
Identify internal (or external) saboteurs before they can do serious damage by creating serious-looking shares on the network, such as Financial Statements, Root Info, or similar shares, and audit access to those folders.
Don't enable always-on antivirus scanning on non-file servers. Instead, run periodic scans.
Plan to run the initial synchronization of SUS over a weekend, beginning the download on Friday evening.
Test and approve Software Update Services patches before deploying them to production, either manually or through a process of setting up a pilot SUS server and a production SUS server.
This article is excerpted from chapter 12 of MS Windows Server 2003 Unleashed 2nd edition, written by Rand Morimoto (Sams, 2004; ISBN: 0672326671).