Lock Down SMB Security, Part 2: Network Infrastructure

August 9, 2018

The second installment of a four-part series describes proven techniques for deploying secure networks.

Securing network infrastructure is an asymmetric challenge. You must be nearly perfect. Bad actors need to find just one weakness. Since the most secure networks are those with security baked in, let’s start with the basic recipe for that.

Hardening the OS

The simplest way to harden your operating system installation is to reduce the attack surface by limiting the number of running services as much as possible. There’s no one answer for just how small that number should be, as the roles your server performs and other requirements dictate which services you require. For example, most of us need to have DHCP, DNS, and other services running on our domain controllers. You can whittle away many more services from an RDS or other single-purpose server, though.

Another way to harden your servers is to implement the Windows firewall in the most restrictive way possible, opening only those ports that are absolutely necessary. Don’t forget to keep an eye on “Active Directory bloat” either, to ensure you have only the accounts in place that you need. Finally, remember to build your file system as simply as you can, with minimal permissions that you loosen only as becomes necessary.

Meet the Author in Person

Joshua Liberman will speak about network infrastructure security and more at the next ChannelPro SMB Forum in Boston on Sept. 6. For more information, see events.channelpronetwork.com.

The real OS jocks out there, meanwhile, can install Windows in “Server Core” mode, eliminating the GUI altogether. The most common use of Server Core is for Hyper-V host deployments, where performance is paramount and most management is performed by tools located on separate guest machines anyway. Forgoing the GUI means you lose the local GUI-based native OS management tools for RAID, power management, and other functions, but for those who are capable of it, command-line-only installations are a great way to slim down Windows.

As with anything security-related, you’ll need to test and refine whatever techniques you use iteratively as you go. No matter how well you believe you know your Windows internals and ports, you’ll be amazed at just what fails when you really start battening down the Windows firewall and shutting down services. Further, many services have complex dependencies that are not easily spotted in native OS tools, so becoming familiar with third-party tools that can find them will be invaluable.
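An added example, not from the article, of the inventory step the hardening advice above depends on: it maps listening TCP ports to the processes and services behind them, walks the full dependency chain of a service you are considering stopping, and checks the firewall profiles and remaining inbound allow rules. Run it in an elevated PowerShell session on the server being hardened; the service name ‘Spooler’ is only a placeholder candidate.

```powershell
# Added example (not from the article): inventory what a Windows server is
# exposing before you disable services and tighten the firewall, and walk the
# dependency chain of a service you intend to stop. Run elevated on the server.

# 1. Listening TCP ports mapped to their owning process and hosted service(s).
$svcByPid = @{}
Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 } |
    ForEach-Object { $svcByPid[[int]$_.ProcessId] += @($_.Name) }

Get-NetTCPConnection -State Listen | Sort-Object LocalPort -Unique |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port     = $_.LocalPort
            Address  = $_.LocalAddress
            Process  = $proc.ProcessName
            Services = ($svcByPid[[int]$_.OwningProcess] -join ', ')
        }
    } | Format-Table -AutoSize

# 2. Recursively list everything that stops if a given service stops, so the
#    chains the article warns about are visible before you act.
function Get-DependentChain([string]$Name, [int]$Depth = 0) {
    foreach ($d in (Get-Service -Name $Name).DependentServices) {
        '{0}{1} ({2})' -f ('  ' * $Depth), $d.Name, $d.Status
        Get-DependentChain -Name $d.Name -Depth ($Depth + 1)
    }
}
$candidate = 'Spooler'   # placeholder: the service you are thinking of disabling
Write-Host "Services $candidate requires:"
(Get-Service -Name $candidate).ServicesDependedOn | Select-Object Name, Status
Write-Host "Services that stop with ${candidate}:"
Get-DependentChain -Name $candidate

# 3. Every firewall profile should be on and block unsolicited inbound traffic;
#    then review the inbound allow rules that remain, port by port.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Get-NetFirewallPortFilter |
    Select-Object @{n = 'Rule'; e = { $_.InstanceID }}, Protocol, LocalPort |
    Format-Table -AutoSize
```

Run the inventory again after each round of changes; a port that was listening before and is gone afterwards tells you exactly which service you removed it with.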

Group Policy Objects and Other Security Hacks

The past few years have seen resurging interest in security-focused Group Policy Objects (GPOs). In addition to configuring automatic updates through Windows Server Update Services, many of us deploy GPOs to restrict software by computer or user, or to push a firewall’s DPI-SSL inspection certificate into the Windows certificate store. Another GPO security enhancement is giving users login permissions only on specific PCs.

Making sure your users are not local admins, as painful as that can be, is also crucial. Given enough time, it’s possible to run almost any application without the “local admin crutch.”
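An added example, not from the article, of how to check the local-admin point above across a domain rather than PC by PC: it pulls the local Administrators group from every Windows workstation and reports any member outside an expected list. It assumes the ActiveDirectory module (RSAT), PowerShell remoting enabled on the clients, and uses ‘CONTOSO’ and ‘Workstation Admins’ as placeholders for your own domain and admin group names.

```powershell
# Added example (not from the article): report domain PCs where the local
# Administrators group contains anyone beyond the accounts you expect.
# Assumes the ActiveDirectory module (RSAT), PowerShell remoting on the PCs,
# and 'CONTOSO' / 'Workstation Admins' as placeholders for your own names.
$allowed = @(
    'CONTOSO\Domain Admins',
    'CONTOSO\Workstation Admins',   # placeholder: your helpdesk/admin group
    'Administrator'                 # the built-in local account
)

$computers = (Get-ADComputer -Filter 'OperatingSystem -like "*Windows 1*"').Name

# Each returned object carries PSComputerName, added by Invoke-Command.
# Unreachable PCs are skipped silently here; log them separately in production.
$members = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

# Local accounts come back as 'PCNAME\Account'; strip the prefix so the
# built-in Administrator compares equal on every machine.
$unexpected = $members | Where-Object {
    $name = $_.Name -replace ('^' + [regex]::Escape($_.PSComputerName) + '\\'), ''
    $allowed -notcontains $name
}

$unexpected | Sort-Object PSComputerName, Name |
    Format-Table PSComputerName, Name, ObjectClass, PrincipalSource -AutoSize
```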

Another quick security enabler is turning on MAC address filtering in your DHCP Manager once every device on your network has obtained a DHCP lease. This is a “poor man’s substitute” for network access control and is both quick and easy to implement. It won’t prevent users from hard-coding an IP on a device to gain network access, but it will alert you to casual attempts to add devices to the network.
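An added example, not from the article, of the DHCP filtering step above done from PowerShell instead of the DHCP Manager console: it seeds the server’s MAC allow list from the leases already issued in a scope, then turns enforcement on. It assumes the DhcpServer module on the DHCP server and uses 10.0.10.0 as a placeholder scope ID.

```powershell
# Added example (not from the article): seed the DHCP server's MAC allow list
# from the leases it has already issued, then turn enforcement on.
# Run on the DHCP server (DhcpServer module); 10.0.10.0 is a placeholder scope.
$scope = '10.0.10.0'

# Only active leases are candidates. Review this table before proceeding:
# a hostname you don't recognise is something to investigate, not whitelist.
$leases = Get-DhcpServerv4Lease -ScopeId $scope |
    Where-Object { $_.AddressState -like 'Active*' }
$leases | Select-Object IPAddress, ClientId, HostName | Format-Table -AutoSize

# ClientId on an IPv4 lease is the MAC address in the form the filter expects.
$existing = @((Get-DhcpServerv4Filter -List Allow).MacAddress)
foreach ($lease in $leases) {
    if ($existing -notcontains $lease.ClientId) {
        Add-DhcpServerv4Filter -List Allow -MacAddress $lease.ClientId `
            -Description ('Seeded from lease {0} ({1})' -f $lease.IPAddress, $lease.HostName)
    }
}

# Enforce: from now on a MAC that is not on the allow list gets no lease.
Set-DhcpServerv4FilterList -Allow $true

# Refused requests are written to the DHCP audit log; this shows where to look.
Get-DhcpServerAuditLog | Select-Object Enable, Path
```

Keep the allow list in step with hardware changes: a replaced NIC means a new MAC and a help desk call until it is added.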

Yet another way to boost the security of your SMB networks that’s relatively easy to implement but often overlooked is enforcing reasonable password policies. Nothing draconian, but eight characters with at least one non-alphanumeric character and no embedded user names generally does the trick.

Network Segmentation (VLANs)

Most of us are used to designing flat SMB networks. Times have changed, however. We now have more traffic types—including data, voice, wireless, and Internet of Things (IoT)—and a concomitantly greater need to employ network segmentation.

There are several good reasons to segment your networks. Paramount is performance, especially if you have data and VoIP phones on the same network. Security is also a top reason. Very few desktops need access to management resources, so why not enforce that at the network level? And if you provide guest wireless access to your SMB clients, doesn’t it make sense to segment that traffic out?


Another benefit of segmenting your networks is resistance to hacks in which an attacker gains access to a lower-privilege machine and then uses it to leapfrog to other endpoints. If your users cannot access endpoints or servers beyond their VLAN, attackers can’t access them either. This benefit alone might just sell you on network segmentation.

In addition, segmenting your networks makes them more manageable and provides you a good excuse to move your clientele away from consumer-grade switches and into quality Layer 2 switches offering better performance and reliability.

I’ve seen some companies create a dozen or more VLANs to handle every type of traffic, from wireless management to replication data, and even to segment one organizational unit or functional area of the business from another. Such strategies are beyond the scope of this article, but breaking traffic out across management, production, wireless, and voice makes sense for SMBs. We are also segmenting IoT devices on their own VLAN, to limit the threat they pose.

Extra Credit: Two-Factor Authentication

TFA is accomplished by adding either biometric (something you are) or token-based (something you have) security to the classic username/password (something you know) credential set. TFA implementations used to be prohibitively expensive and complex, but that’s no longer true. With offerings ranging from tokens to RFID cards bearing embedded credentials now available for as little as a few dollars a month, TFA is no longer beyond the reach of SMB customers.

If nothing else, consider enabling quick-and-dirty TFA via one-time passwords sent to users’ cell phones. This not only enhances security but can be priceless in any situation in which an individual user must be locked out.

On Your Way

This article gives you a solid starting point for the basics of securing your network infrastructure. With proper OS hardening, smart security GPOs, some easy security hacks, segmented network design, and maybe even TFA implementation, you’ll be well on your way to securing your SMB networks.

JOSHUA LIBERMAN is president and founder of Net Sciences Inc., a network support firm offering systems integration and MSP services, with a strong focus on security and data protection, throughout New Mexico, Colorado, Arizona, and Utah. To read Part 1 in this series, go here.
