IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
Determining a security strategy for a client-server network
The security strategy must demonstrate how a client-server network for the
respective organisation can be securely constructed, administrated and
operated. The individual development steps of such a strategy are presented
below:
1. Definition of the client-server network structure
The first step involves determining the logical structure of the client-server
network, in particular the allocation of the servers and the network domains
(see S 2.93 Planning of a Windows NT network). If possible, the use of Peerto-Peer
functions should be dispensed with, as these can adversely affect the
security of the client-server network. Provided that this cannot be avoided,
however, binding rules must be made for the use of Peer-to-Peer functions
(see S 2.67 Defining a security strategy for Peer-to-Peer networks).
2. Regulation of responsibilities
A client-server network should be operated securely by a trained network
administrator together with a substitute. Only these individuals should be
allowed to alter security parameters in the network. For example, they are
responsible for making administration rights and tools available to the relevant
individuals in charge on the servers, so that the latter can allocate file and
directory rights, share directories and applications required by others,
configure user groups and accounts, and set system guidelines for users,
access supervision and monitoring.
The responsibilities of the individual users in the client-server network are
outlined under Step 11.
3. Determining name conventions
In order to facilitate the management of the client-server network,
unambiguous names should be used for the computers, user groups and users.
In addition, naming conventions should be introduced for the share names of
directories or printers (see S 2.67 Defining a security strategy for Peer-to-Peer
networks). Should no conclusions be possible on the contents of a shared
directory, appropriate pseudonyms must be used. Should a shared resource not
be recognisable as such, the symbol ”$” must be attached to the share name.
The latter is always recommended whenever directories are shared only for
the bilateral exchange of information between two users or for accessing
resources which are only meant to be known to individual users.
4. Determining the rules for user accounts
Before user accounts are set up, the restrictions intended to apply to all, or a
certain number, of these accounts should be stipulated. In particular, this
concerns the rules for passwords and for the reaction of the system to incorrect
log-in procedures. The rules laid down can be implemented with the aid of the
"Policies" option of the User Manager (see S 4.48 Password protection under
Windows NT).
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000