S 2.67 Defining a security strategy for peer-to-peer networks

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: IT Security Management

Prior to commencement of the configuration and installation of a Peer-to-Peer network on a WfW, Windows 95 and/or Windows NT computer, two basic factors must be considered:

It should first be clarified which service must be performed by the relevant operating system and what is the scope of this service? In particular, it should be clarified whether the Peer-to-Peer functions of the operating system, i.e. shared resources such as printers or directories should be used at all.

This can be illustrated using a number of examples:

• The IT-system is used for a working group of typically three to five users, whereby each user should have all rights. The complete Peer-to-Peer functionality should be supported at each workstation.

• The IT-system is used for a large group in which various rights can be allocated. The Peer-to-Peer functionality is to be implemented in a limited manner on the basis of definite requirements.

• The IT-system is used in a server-supported PC network, where Peer-to-Peer functionality for the exchange of data can generally be dispensed with. several printers should be used jointly via peer-to-peer functions.

• The IT-system is to be installed in a server-supported PC network, where Peer-to-Peer functionality is not planned. All Peer-to-Peer functions must then be deactivated. In this case, the consideration of the following points is not necessary. However, the measures described in S 5.37 Restricting peer-to-peer functions when using WfW, Windows 95 or Windows NT in a server-supported network should be taken into account.

Note:

security functions offered by server-supported networks are far more extensive than those offered by Peer-to-Peer networks. Moreover, additional security problems may arise when using Peer-to-Peer functions in a server-supported network. Therefore the use of Peer-to-Peer functions in a server-supported PC network should be avoided. Peer-to-Peer networks which serve to connect WfW to other computers with WfW, Windows 95 or Windows NT should only be considered as a temporary solution until WfW is replaced by Windows 95 or Windows NT or until a server-supported network operating system is installed.

Given that Peer-to-Peer functions should be used, these considerations must then be transformed into a security strategy.

This demonstrates that the development of a suitable security strategy involves a relatively large amount of time and expense, depending on the system environment and organisation structure already in place, as well as the planned restrictions of Peer-to-Peer functionality.

Below is a methodical approach for the development of a comprehensive security strategy for a Peer-to-Peer network. As a Peer-to-Peer network can be used in various configurations, however, individual decisions regarding the necessary steps have to be taken for each situation.

Defining a Security Strategy for a Peer-to-Peer Network

The security strategy shows how a Peer-to-Peer network can be securely established, administered and operated. The individual development steps of such a strategy are presented below:

1. Definition of the Peer-to-Peer network structure

A Peer-to-Peer network structure is defined by determining the following:

• which computers are to act as file servers (these may share directories)

• which computers are to act as print servers (these may share printers)

• which computers are to act as application servers for certain IT applications, e.g. mail, schedule+, fax (these should continually be available)

• which computers are merely clients (these can only be connected to other computers)

. On the one hand, it should be ensured that the capacity of the servers fulfil the requirements concerning speed and memory. On the other hand, the number of servers should be limited to the amount actually needed. Furthermore, no application should be allocated to servers which constantly involve transmitting large amounts of data through the network, as this can lead to the network overloading.

2. Regulation of responsibilities

A Peer-to-Peer network should be securely operated by trained administrators and their substitutes. Only these persons may change security parameters in the Peer-to-Peer network. They are, for example, responsible for providing the relevant persons-in-charge with administration authorisations and tools on application or file servers so that these persons can share the directories and applications needed by others.

Peer-to-Peer administrators must be explicitly named in a server-supported PC network containing additional authorised Peer-to-Peer functions. They may, however be identical to the network administrators.

The responsibilities of the various users in a Peer-to-Peer network are described under step 7.

3. Restriction of sharing possibilities

Windows for Workgroups

Using the administration tool ADMINCFG.EXE for WfW, the following can be granted or denied:

• the sharing of directories

• the sharing of printers

• restrictions for the WfW registration password (expiry, minimum length etc.)

• enabling of network DDE (e.g. exchanging data via the output file or making telephone calls via WfW).

The file ADMINCFG.EXE comes with the WfW package but is not installed on the computers as standard. The application is only described in the instructions for systems operators (see S 4.45 Setting up a secure Peer-to-Peer environment).

It should be determined on to which computer this administrative tool is to be installed.

This program has a password function to protect the configuration. Anybody who has access to this program can try to find out the password of the configuration file and then change the sharing options.

It is thus sensible to make it available only to the administrator and his substitute. Furthermore, it is also possible using WfW to place the configuration files on one server (either for one user, for groups or for all users jointly; c.f. WfW Resource Kit, Addendum for Operating System Version 3.11"). The advantage of this is that alterations can be made simultaneously for several WfW users, particularly if the password of the configuration file(s) is to be changed.

Note: A configuration protected by a password only offers limited security as it cannot withstand a direct attack. The restriction of the WfW functionality thus primarily protects against user errors.

Windows 95

The option to share directories or printers for individual computers and/or users may be restricted under Windows 95 by appropriate entries in the profile (see also S 4.58 Sharing of directories under Windows 95).

Windows NT

Under Windows NT the option to share directories is restricted to administrators, thereby preventing misuse by the end user. If applicable, the resources to be approved should be determined in detail when planning the network (see S 2.94 Sharing of directories under Windows NT).

4. Establishing a name convention

In order to hinder a masquerade under WfW, clear names should be used for the computers, user groups and the users. These names should be known to all users. In the event that a name which is not possible according to the convention is used for registration, e.g. a name similar to an existing one, a masquerade is obvious. Registration under an already registered computer name is denied by WfW. A masquerade under a registered name is possible, however, if the user in question is not currently registered.

By means of the system guidelines under Windows 95, unauthorised persons must be prevented from changing user names and computer names. Access to the system control option "network" should thus be deactivated for standard users (see also S 2.103 Setting up user profiles under Windows 95).

Under Windows NT the only authorised users are those defined by the administrator. Only administrators may change computer names. However, users can try to log on under another user name via the option "log on as" under "connect network drive".

In addition, name conventions can be introduced for the sharing of names of directories or printers. In the event that it should not be possible to draw conclusions regarding the contents of the directory, pseudonyms should be used. Should a shared resource not be recognisable as such, the symbol "$" must be attached to the share name. The latter is recommended if directories are only used for the bilateral exchange of information between two users.

5. Determining directories or printers to be shared and the granting of access rights

For the application server, it should be determined which directories (e.g. the Post Office directory AGPO under Mail) are to be shared. For the file server, the directories to which the users are to have access should be selected. Under WfW and Windows 95 any user can share resources for network access; under Windows NT only administrators have permission to do this.

Two access models must be differentiated. Share Level Security, in which access to shared resources is controlled by passwords and User Level Security, in which access is controlled by the server operating system. WfW supports only the first of these models, Windows NT (as client) only the second whilst Windows 95 allows the choice between both models, via the system control option "network" under the register card "access control". When using Share Level Security, access rights (read and write access) for shared directories must be defined and appropriate passwords selected.

As a result of the allocation of these passwords to individual users, the access authorisations are distributed in the Peer-to-Peer network. These passwords should only be made known as far as is necessary, since the withdrawal of authorisation for one person involves changing the password for all other authorised users.

When using User Level Security under Windows NT and Windows 95 access rights will be explicitly assigned to individual users and/or groups. The clients must be connected in a workgroup or domain with at least one Windows NT system. In this case password entry will be omitted. Use of Share Level Security must be avoided here, since it offers considerably less protection. It should then be decided whether the directories are automatically shared when the server is started and whether it should automatically be connected to the accessing computer upon start-up.

The above comments also apply to the sharing of printers.

6. Changing passwords

Windows for Workgroups

A series of passwords are used in the WfW network - registration passwords, the password for calling up ADMINCFG.EXE and the passwords for the various rights of shared directories, printers and output file. The registration passwords and the password for calling up ADMINCFG.EXE should be changed on a regular basis (see also S 2.11 Provisions governing the use of passwords). The maximum term of validity for these passwords should thus be stipulated. In order to be able to change the ADMINCFG.EXE password efficiently, the relevant configuration files can be stored centrally on one server. As changing the share passwords can involve a high degree of organisation (see No. 5), it should be determined in advance how often these are to be changed and how those persons affected are to be informed of the new passwords.

Windows 95

Under Windows 95, the amount of passwords to be used depends upon which access model is deployed (User Level Security or Share Level Security). In the former case, as with Windows NT, the passwords will only be required for the computers having shared resources for network access. In the latter case, similar to WfW, passwords for the shared resources will also be required. Separate passwords for the administration of Peer-to-Peer functions are not required as these will be controlled via the user profile.

Access protection at the user level is based on the user lists contained in Windows NT or Novell Netware servers, and can thus only be implemented in these networks. If Peer-to-Peer functions must be implemented despite having a Windows NT or Novell Netware server network, then it is preferable to implement this access model since it offers a higher level of protection.

Windows NT

Under Windows NT, the administration of Peer-to-Peer functions takes place under general network and access control, so that no separate passwords are required for these administrative tasks. Regarding administration of access passwords for the users concerned, please refer to the notes contained in safeguard S 2.11 Provisions governing the use of passwords.

7. Responsibilities for users in a Peer-to-Peer network

In addition to Peer-to-Peer management tasks (see No. 2), other responsibilities must be determined. It should be determined what the responsibilities of the various Peer-to-Peer network users are to be, such as: These can, for example, be responsibilities for

• the evaluation of the log files on the individual servers or clients,

• the allocation of access rights,

• the escrow and changing of passwords and

• carrying out data backups.

8. Training

It must then be determined which Peer-to-Peer users have to be trained in which points. Effective operation can only begin after adequate training.

The security strategy developed in this way should be documented and announced to the users of the Peer-to-Peer network to the extent required.

Additional controls:

• Is the security strategy adapted to changes in the usage environment?