IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
S 2.91 Determining a security strategy for the
Windows NT client-server network
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: IT Security Management
Before a start can be made on the actual configuration and installation of
Windows NT in a client-server network, two fundamental observations must
first be made:
First of all, it must be clarified which services are to be provided by the
operating system and in what context it is to be used.
This can be illustrated using a number of examples:
- The system is deployed in a server-supported PC network as a server for a
fairly large workgroup in which different rights can be assigned. If
necessary, due to specific requirements, Peer-to-Peer functions should also
be implemented in a limited manner. For example, individual printers
should be able to be used jointly via Peer-to-Peer functionality.
- The system is deployed as the client in a server-supported PC network with
Windows NT servers which can dispense with Peer-to-Peer functionality
for the exchange of data.
- The system is deployed as the client in a server-supported PC network with
Novell NetWare servers.
- The system is deployed as the server in a PC network with MS-DOS, MS
Windows, WfW or Windows 95 clients.
- The system is deployed as the server in a network in which there are
exclusively Windows NT clients.
Extra security problems can arise as a result of the use of Peer-to-Peer
functions within a Windows NT network (in this respect see also 6.3 Peer-to-
Peer network). For this reason the use of Peer-to-Peer functions within
Windows NT networks should be avoided. Peer-to-Peer functions should, at
best, be allowed as a temporary solution in a restricted way, if, for example,
WfW computers or non-networkable printers are to be integrated into the
Windows NT network.
Following this, the above considerations must be translated into a security
strategy.
Here it can be seen that depending on the already existing system environment
and organisational structure, together with the restrictions on possible Peer-to-
Peer functions that may have to be allowed for, a greater or lesser effort is
necessary in the development of a suitable security strategy.
A methodical procedure is shown below which can be used to develop a
comprehensive security strategy for a client-server network. However, as
Windows NT can be deployed in various configurations, an individual
decision should be taken for the respective characteristic as to which of the
steps outlined should be applied.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000