Designing an Authentication Strategy

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Designing an Authentication Strategy"

Transcription

1 C H A P T E R 1 4 Designing an Athentication Strategy Most organizations need to spport seamless access to the network for mltiple types of sers, sch as workers in offices, employees who are traveling, and perhaps even bsiness partners and cstomers. At the same time, organizations need to protect network resorces from potential intrders. A well-designed strategy can help yo achieve this complex balance between providing reliable access for sers and strong network secrity for yor organization. In This Chapter Overview of the Athentication Strategy Design Process Creating a Fondation for Athentication Secring the Athentication Process Extending Yor Athentication Framework Enabling Spplemental Athentication Strategies Edcating Users Additional Resorces Related Information For more information abot the Kerberos version 5 protocol, see the Distribted Services Gide of the Microsoft Windows Server 2003 Resorce Kit (or see the Distribted Services Gide on the Web at For more information abot the Active Directory directory service logical strctre, see Designing the Active Directory Logical Strctre in this book. For more information abot pgrading from the Microsoft Windows NT version 4.0 operating system to the Microsoft Windows Server 2003 operating system, see Upgrading Windows NT 4.0 Domains to Windows Server 2003 Active Directory in this book.

2 654 Chapter 14 Designing an Athentication Strategy Overview of the Athentication Strategy Design Process One of the most fndamental elements of an organization s secrity strategy is verifying the identity of clients and granting them appropriate access to system resorces based on their identity. By creating an strategy for yor organization, yo can prevent attackers and malicios sers from accessing and tampering with sensitive information, consming compting power or other system resorces, and impersonating sers in order to send misleading or incorrect information. Athentication technology in the Microsoft Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition operating systems allows yo to implement a variety of strategies based on the complexity of yor organization, the qality of a ser s credentials, the means by which sers access the network, and the clients they se to gain access. In addition, Windows Server 2003 technology allows yo to establish a fondation for more efficient management of sers, compters, and services on the network. Note For a list of the job aids that are available to assist yo in designing an strategy, see Additional Resorces later in this chapter.

3 Overview of the Athentication Strategy Design Process 655 Process for Designing an Athentication Strategy Designing an strategy involves evalating yor existing infrastrctre and creating acconts, establishing a means to secre the process, and establishing standards for network and time synchronization. Yo might also need to extend yor model to allow between forests or between other Kerberos realms, and to enable delegated in order to facilitate ser access to system resorces. Figre 14.1 shows the process for designing an strategy. Figre 14.1 Designing an Athentication Strategy Create a fondation for Secre the process Extend yor framework Enable spplemental strategies Edcate sers

4 656 Chapter 14 Designing an Athentication Strategy Athentication Backgrond Information Windows Server 2003 technology incldes a nmber of featres that provide soltions for a wide variety of bsiness needs. Central administration of acconts Administrators can create a single accont for each ser that allows the ser to access the appropriate network resorces. Users can log on at different desktops, workstations, or notebooks in the domain by sing the same ser name and a password or smart card. Single sign-on environment Users are reqired to enter a ser name and password or smart card only when first logging on to a Windows Server 2003 based compter. The Windows Server 2003 operating system atomatically athenticates the ser to the local compter, to the Active Directory domain, and to any other application or resorce server in the forest that reqires prior to access. When sers change passwords, the pdates are made to the ser acconts in Active Directory. The password changes apply atomatically to all resorces in the domain or forest. Compter acconts in Active Directory Compter acconts in Active Directory for all of the compters within a domain allow many of the Windows Server 2003 secrity featres that are designed for sers to be applied to compters as well. Compter acconts in Active Directory also allow yo to add application servers as member servers within yor trsted domains and to demand from the sers and other services that access these resorce servers. Service acconts in Active Directory The services rnning on resorce servers are athenticated atomatically if the servers are members of a domain that trsts the ser s accont domain. In Windows Server 2003, all of the domains in a forest atomatically have two-way transitive trst. Windows Server 2003 also spports transitive trst relationships between forests. In this way, when organizations add application servers to their domains, only athenticated sers and services can access them. Smart card spport Windows Server 2003 spports optional smart card. A smart card contains a processor chip that stores the ser s private key and pblic key certificate. The ser inserts the card into a smart card reader attached to the compter. The ser then types in a personal identification nmber (PIN) when reqested, to enable access to the keys stored on the smart card. Athentication proceeds when the correct PIN enables access to the private key and the certificate on the card, allowing the Active Directory service to verify the ser s identity. In this way, compters that store highly sensitive data can be secred from attack withot the need to store them in locked rooms. At the same time, athorized sers can access information stored on high-secrity compters.

5 Overview of the Athentication Strategy Design Process 657 Certification for Microsoft Windows Windows Server 2003 interoperates with third-party applications designed according to the Application Specification for Windows The Application Specification defines the technical reqirements for applications to earn the Certified for Microsoft Windows logo. Applications can carry the Certified for Microsoft Windows logo when they have passed compliance testing and have exected a logo license agreement with Microsoft. To pass compliance testing, a server application mst operate within the appropriate secrity context, redcing the risk posed by sccessfl attacks, and perform Kerberos-based mtal for all client reqests, ensring that clients know that the servers with which they are commnicating are the intended parties, and not attackers posing as the server. Aditing Windows Server 2003 provides secrity adit information to track attempts to log on to servers and workstations. This gives organizations the ability to detect nathorized attempts to access the system. Kerberos V5 protocol When a client attempts to connect to a resorce server, the Kerberos Key Distribtion Center (KDC), rnning on a domain controller, provides the client with a ticket to verify the ser s identity to the server, and a shared secret key. The ticket allows the server to validate the ser immediately and can be sed mltiple times. The shared secret key is passed to the server in encrypted form, allowing both compters to se the shared secret key to encrypt any network data they exchange. The Microsoft implementation of the Kerberos protocol is based on indstry standard specifications defined by the Internet Engineering Task Force (IETF). The Kerberos V5 protocol provides the following advantages: Efficient to servers. Becase takes place qickly, sers do not lose prodctive work time. Clients can obtain a ticket for a particlar server one time and rese the ticket for mltiple network sessions. Mtal. By means of the shared secret key, parties at both ends of a network connection can verify each other s identities. This is a change from NTLM, which allows only servers to verify the identities of their clients. Delegated. A service can impersonate a client when connecting to a network service, sch as a database. Delegated is not available in NTLM. Interoperability. Kerberos in Windows Server 2003 can interoperate with the implementation of Kerberos in other operating systems.

6 658 Chapter 14 Designing an Athentication Strategy Tools for Deploying Athentication The following tools are available to assist yo in deploying : Active Directory Users and Compters. A Microsoft Management Console (MMC) snapin that allows yo to create ser and compter acconts in the Active Directory. Grop Policy. An MMC snap-in that allows yo to apply Grop Policy, inclding Kerberos, aditing, and NTLM behavior. Certificate Services. An MMC snap-in sed to establish the certification athorities (CAs) and isse the certificates sed in pblic key. For more information abot these tools, see the Distribted Services Gide of the Windows Server 2003 Resorce Kit (or see the Distribted Services Gide on the Web at Creating a Fondation for Athentication When yo deploy Windows Server 2003, yo can create a fondation for secre of sers, compters, and services in yor organization by creating acconts in Active Directory for all entities that reqire athenticated access to resorces. Becase a nmber of factors impact the strategy that yo deploy, yo mst evalate the strctre of yor existing environment before yo create the fondation for yor strategy. For a worksheet to assist yo in creating a fondation for, see Athentication Strategy Planning (DSSAUT_1.doc) on the Microsoft Windows Server 2003 Deployment Kit companion CD (or see Athentication Strategy Planning on the Web at Figre 14.2 shows the process for creating a fondation for.

7 Creating a Fondation for Athentication 659 Figre 14.2 Creating a Fondation for Athentication Create a fondation for Secre the process Extend yor framework Enable spplemental strategies Evalate yor environment Create ser acconts Create a ser accont management plan Create a compter accont management plan Secre service acconts Edcate sers Apply policies to grops

8 660 Chapter 14 Designing an Athentication Strategy Evalating Yor Environment Before yo establish an strategy for yor organization, yo mst become familiar with yor crrent environment, inclding the strctre of yor organization; the sers, compters, and services in yor organization that reqire ; and the applications and services that are in se. Specifically, identify the following: The nmber of domain controllers in yor organization. Ensre that yo have enogh domain controllers in yor environment to accommodate yor sers reqests. If the nmber of domain controllers is insfficient, a large volme of client reqests can reslt in failed attempts. If yo determine that yo have an insfficient nmber of domain controllers, deploy more domain controllers to meet the logon needs of yor sers. The type of network connectivity between site locations in yor organization. Domain controllers mst be well connected to sers to ensre reliable access for. Clients that do not have access to local domain controllers might be nable to access resorces if the network connection is navailable. If the connectivity between domain controllers in remote sites is insfficient, deploy more domain controllers in those sites or improve the connectivity between the sites. The nmber of CAs that are available in yor organization and their locations. As with domain controllers, a sfficient nmber of CAs mst be available to handle client reqests and they mst be well connected in order to provide timely responses. For information abot creating a CA infrastrctre, see Designing a Pblic Key Infrastrctre in this book. The nmber of sers, grops, and compters in yor organization and where compters are located. This impacts the nmber of domain controllers and CAs that are reqired to ensre consistent. The nmber and locations of sers who access the network by means of RADIUS and RAS servers. Note Windows Server 2003 provides for remote ser by means of RADIUS and RAS servers. For more information abot sing RADIUS servers, see Deploying IAS in Deploying Network Services of this kit. For more information abot sing RAS servers, see Deploying Dial-Up and VPN Remote Access Servers in Deploying Network Services.

9 Creating a Fondation for Athentication 661 Whether yor organization incldes clients rnning versions of Windows earlier than the Microsoft Windows 2000 operating system or other non-native operating systems, or applications that reqire protocols other than the Kerberos V5 protocol or reqire special configration to interoperate with the Kerberos protocol. The operating systems and applications in se in yor environment impact the protocols that yo can enable by means of policy. For example, versions of Windows earlier than Windows 2000 reqire NTLM or anonymos access. If clients in yor environment are rnning these operating systems, yo mst configre the LAN Manager level policy to enable those clients to access resorces in yor system. Note When yo enable LAN Manager, yo cannot take advantage of all of the secrity benefits that are available in Windows Server Therefore, if yo do not need to spport versions of Windows earlier than Windows 2000, it is best to se the Kerberos protocol. The nmber and location of smart card sers in yor organization, if applicable, and any secrity-sensitive tasks or sers, sch as administrators, that might reqire smart cards in the ftre. The nmber of crrent and planned ftre smart card sers in yor organization impacts the nmber of CAs that yo reqire. Creating User Acconts User acconts are reqired for. Assign sers the appropriate permissions to access resorces by creating ser acconts in Active Directory and adding the acconts to the appropriate grops. Adding acconts to secrity grops and applying access control settings to resorces allows sers to tilize their athenticated identity to access resorces, and facilitates accont management. It is best to grant sers and grops access to only those resorces that are reqired for them to complete their job tasks. In this way, if any ser accont is compromised by a malicios ser, he or she has limited access to resorces, and therefore can case only minimal damage. For more information abot ser acconts and secrity grops, see Designing a Resorce Athorization Strategy in this book. Note Do not allow sers to share acconts or passwords or to se weak passwords. Shared acconts and weak passwords compromise the secrity of yor environment. For more information abot creating password policies, see Creating a Strong Password Policy later in this chapter. Creating ser acconts involves creating a plan for ser accont management in yor organization.

10 662 Chapter 14 Designing an Athentication Strategy Creating a User Accont Management Plan When yo deploy Windows Server 2003 and establish the appropriate ser acconts in Active Directory, yo need to create a plan for ser accont management. Creating a ser accont management plan involves determining which individals in yor organization have the right to create new ser acconts, and establishing a plan for the disabling of and resetting of ser acconts. Assign the User Accont Creation Right Assigning the right to create new ser acconts involves careflly balancing strong secrity and timely response to reqests to create new acconts. Becase misse of the ser accont creation right presents a secrity risk to yor organization, assign this right to trsted administrators only. For many organizations, it is sfficient to limit the ability to create new ser acconts to the members of the Domain Administrators grop. In large organizations or in sitations where administrators need to delegate tasks, yo might need to assign the right to create new ser acconts to another grop, sch as the IT staff or the Hman Resorces grop. Whoever yo designate to create ser acconts, a general gideline is to assign one individal the right to create new ser acconts for every 100 employees. However, yo might need to adjst this nmber based on the expected growth of yor organization. For example, if yor organization reglarly adds new divisions, acqires companies, or expands into other markets, yo need to plan for the creation of new ser acconts by assigning the right to create new ser acconts to the appropriate nmber of individals to meet the reqirements for yor anticipated growth. Establish a Plan for the Disabling of User Acconts Becase nsed bt active ser acconts are a common target for secrity attacks, yo mst establish a clear, consistent policy for disabling ser acconts. Yo can choose one of the following soltions for disabling active nsed ser acconts in yor organization: Inclde disabling ser acconts as part of the employee departre procedre. Establish a policy by which ser acconts are deleted from Active Directory when employees leave yor organization. Create scripts that search for ser acconts that have not been logged on to for a period of time or have not had their password changed, and delete the acconts that the script identifies. For example, yo might decide to create a script that identifies acconts that have not been logged on to for six weeks, or that have not had their passwords changed for twice the password lifetime prescribed by domain Grop Policy, and delete those acconts.

11 Creating a Fondation for Athentication 663 Establish a Plan for Resetting User Acconts When a ser forgets his or her password, the accont mst be reset before it can be sed. An effective way to enable the resetting of ser acconts in yor organization is to grant help desk staff the right to reset passwords. Delegate the right to reset passwords to help desk staff so that members of the Domain Administrators grop are not reqired to reset ser accont passwords. Creating a Compter Accont Management Plan Windows 2000 and Windows Server 2003 compters have acconts in Active Directory and are athenticated in a separate process that is transparent to the ser. Yo can se compter to apply niform secrity policies to grops of compters, sch as compters contained in a domain, a site, or an organizational nit (OU) based on how the compters are groped and which rights and policies are granted and applied to each grop. For example, yo can configre an OU for compters that are pblic kiosks on a retail floor and apply limited permissions to sers. Yo can configre another OU for a compter stored in a locked office and allow sers greater access to resorces. Evalate the secrity needs for different types of compters in yor organization. Determine which compters are more vlnerable to compromise and therefore reqire stronger secrity settings, and then apply policies to the domains, sites, and OUs as appropriate to yor secrity needs. For more information abot applying secrity policies, see Deploying Secrity Policy in Designing a Managed Environment in this kit. Managing Compter Acconts Yo also need to establish a plan for managing compter acconts, inclding: The creation of new acconts The deletion of old acconts Resetting of compter accont passwords. Becase new compter acconts are created atomatically whenever a compter is added to a domain, yo need to decide who has the right to add compters to domains. Yo can delegate this responsibility to an individal or grop in yor organization by adding them to the Add workstations to domain Grop Policy.

12 664 Chapter 14 Designing an Athentication Strategy Yo can choose to manage new compter accont creation in yor organization in one of the following ways: Allow athenticated sers to create new compter acconts. This approach might be desirable in organizations where sers can be largely trsted. However, if yo only want to trst a limited grop of sers, sch as developers, for example, to create new compter acconts, yo can control this by sing the Secrity Configration Manager to either assign or deny this right to sers. By defalt, athenticated sers are assigned the Add workstations to domain ser right on the Grop Policy object on domain controllers. This enables them to create p to 10 compter acconts in the domain by sing the Network Identification Wizard. The wizard reqests information abot the compter name, the domain or workgrop that the compter is joining, and the domain sers that are to be added to the local grops for local compter access, and ses this information and the credentials of the athenticated ser to create a new accont in Active Directory. Note After a compter accont is created, administrators mst ensre that the accont is a member of the appropriate grops, so that the appropriate Grop Policies are applied. IT staff joins each new compter to the domain individally dring installation. Althogh this approach can work for small organizations in which compter accont creation occrs infreqently, it is impractical for large organizations with a high volme of new compter acconts. IT staff ses scripts to create new acconts ahead of time, and assigns new compters to existing acconts dring installation. Yo can se an Active Directory Service Interfaces (ADSI) script to create compter acconts in advance of installing new compters. As new compters are broght online, their compter names mst match the names that yo have specified in the script. This approach works well for organizations in which many similar compters need to be added to a domain simltaneosly, sch as in a training lab or server farm. For more information abot sing scripts to create new compter acconts, see Windows Deployment and Resorce Kits at or see the MSDN Scripting Clinic link on the Web Resorces page at Note It is more secre to create new compter acconts from the compter itself, rather than creating the acconts remotely or by sing scripts. An attacker who gains access to some part of a domain can se existing scripts or remote accont creation processes to create acconts to frther compromise the system. Reqiring that new acconts be created from the new compter protects against sch attacks.

13 Creating a Fondation for Athentication 665 Yo can choose to delete compter acconts in yor organization in one of the following ways: Inclde deleting sers compter acconts as part of the employee departre procedre. When employees leave yor organization, establish a policy by which their compter acconts are deleted from Active Directory. Create scripts that search for compter acconts that have not been logged on to for a period of time or have not had their password changed, and delete those compter acconts. For example, yo might create a script that identifies acconts that have not been logged on to for six weeks or that have not had their passwords changed for twice the password lifetime as prescribed by domain Grop Policy, and delete those acconts. If a compter is nable to contact a domain controller to initiate a password change, the accont might become nsynchronized with the domain and reqire a password reset. An effective way to enable the resetting of compter acconts in yor organization is to assign help desk staff the right to reset passwords. Delegate the right to reset compter passwords to help desk staff so that members of the Domain Administrators grop are not reqired to reset compter accont passwords. Important If yo are migrating from Windows NT 4.0 domains, yo mst create a plan for the creation of new compter acconts. Compters rnning Windows NT 4.0 do not have compter acconts. Creating Service Acconts Like sers, services have acconts and athenticate to the network operating system. This ensres that only athorized services are able to complete tasks, and protects against attackers who create nathorized services to infiltrate network systems. Most service acconts are created atomatically when a service is installed. Similarly, applications that act as services, sch as print spoolers or messaging services, create acconts atomatically to complete their tasks. Therefore, in general, yo do not need to create or modify service acconts. However, if service acconts are deleted accidentally, yo mst recreate them manally. Creating service acconts is similar to creating ser acconts. The only additional configration step that is needed is to set the service principal name (SPN) for the accont. This needs to be done to ensre mtal. For example, in the case of a web server, a SPN of http/hostname might need to be set for the service accont. The SPN can be set for the accont by sing the Setspn tility. For more information abot Setspn, in Help and Spport Center for Windows.NET Server 2003, click Tools, and then click Windows Spport Tools.

14 666 Chapter 14 Designing an Athentication Strategy There are also bilt-in service acconts that se the compter accont credentials by defalt for network. These inclde the LocalSystem accont, which was already present in Windows However, LocalSystem is a privileged accont and shold be sed only when reqired. Windows Server 2003 incldes the following new secrity contexts to provide a means by which yo can frther secre network service acconts: LocalService. This context is intended for services that rn with limited access on local compters and do not reqire network. In this way, a compromised service can do limited damage to the local compter and no damage to network compters. NetworkService. This context is intended for services that need to complete tasks on the network, bt reqire only restricted local capabilities. Secring Service Acconts Most services have specific fnctions, so it is best to grant them only those rights that are reqired for the services to perform those fnctions. In this way, if attackers compromise a service accont, they have limited access and can do only a limited amont of damage. If a service accont has rights that extend beyond its specific fnction, an attacker who compromises the accont can do extensive damage. To ensre maximm secrity, avoid rnning services on domain controllers. For example, do not make yor domain controller a mail server, Web server, and file and print server. Adding mltiple services on a critical link sch as the domain controller is risky, becase it increases the complexity of the system and therefore increases the potential for compromise. A problem with a print server that might otherwise only give an attacker the ability to create nathorized print jobs can instead grant the attacker access to Active Directory, a critical data repository. The secrity benefits of sing separate compters for services otweigh the initial investment in hardware eqipment. Also, yo might need to reset service accont passwords. Do not modify service acconts nless a problem occrs that interferes with the fnctioning of a service. To reset service accont passwords 1. In Active Directory Users and Compters, right-click the ser s accont. 2. Click Reset Password. 3. Enter and confirm the new password. Yo mst ensre that the service ses the newly selected password before the service can take advantage of the reset password. Ensre that the password that the service ses and the password that yo reset the service accont to have are the same.

15 Creating a Fondation for Athentication 667 Applying Athentication Policies to Grops Yo can manage in yor organization by adding ser, compter, and service acconts to grops and then applying policies to those grops. For example, yo can apply the following policies to grops, based on their fnction in the organization: Log on locally Access this compter from the network Log on over network Reset acconts Create acconts If yo want to make a compter less accessible to others, inclding both legitimate sers and attackers, yo can se policies in the following ways to restrict access for less trsted grops (sch as Anonymos): Assign the Deny access to this compter from the network policy. Assign the Deny logon locally policy. Remove the Remove compter from docking station policy. Other policies that yo might assign or deny to sers can also increase secrity or maximize flexibility, sch as Deny logon as batch job or Log on as service. For more information abot Grop Policies that impact, see Deploying Secrity Policy in Designing a Managed Environment of this kit. Example: Creating a Fondation for Athentication An organization that incldes 2,100 sers and 3,700 compters created an strategy when they deployed Windows Server 2003 in their environment. Becase compters in their environment are rnning versions of the Windows operating system earlier than Windows 2000, they need to spport LAN Manager. They decided to make members of the help desk staff and the Administrators grop responsible for ser accont management, and delegated compter accont management to the help desk staff. The organization secred their service acconts by rnning only reqired services on domain controllers and restricting the nmber of individals who are able to administer services. They assigned the Log on locally, Access this compter from the network, and Log on over network rights to Domain Admins and Domain Users, bt not to Gest acconts, to protect the secrity of their system. They granted the Reset acconts and Create accont policies to help desk staff to redce the administrative brden on domain administrators.

16 668 Chapter 14 Designing an Athentication Strategy Figre 14.3 shows the worksheet that the organization created to docment their strategy plan. Figre 14.3 Example of an Athentication Strategy Planning Worksheet (contined)

17 Secring the Athentication Process 669 Figre 14.3 Example of an Athentication Strategy Planning Worksheet (contined) Secring the Athentication Process It is important to secre yor process to protect yor system against varios types of secrity threats, sch as password-cracking tools, brte-force or dictionary attacks, abse of system access rights, impersonation of athenticated sers, and replay attacks. In addition, if yo share resorces on yor network with other organizations, yo mst ensre that yor policies interoperate with the policies that are in place on other systems. For a worksheet to se in docmenting secrity policies, see Athentication Secrity (DSSAUT_2.doc) on the Windows Server 2003 Deployment Kit companion CD (or see Athentication Secrity on the Web at Figre 14.4 shows the process for secring.

18 670 Chapter 14 Designing an Athentication Strategy Figre 14.4 Secring Athentication Create a fondation for Secre the process Extend yor framework Enable spplemental strategies Create a strong password policy Establish an accont lockot policy Assign logon hors Create a ticket expiration policy Edcate sers Establish network standards Set clock synchronization tolerance to prevent replay attacks

19 Secring the Athentication Process 671 Creating a Strong Password Policy Given enogh encrypted data, time, and compting power, attackers can compromise almost any cryptographic system. Yo can prevent sch attackers from scceeding by making the task of cracking the password as difficlt as possible. Two key strategies to accomplish this are to reqire sers to set complex passwords and to reqire sers to change their passwords periodically, so that attackers do not have sfficient time to crack the complex encryption code. Complex Passwords Yo shold set password policy to reqire complex passwords, which contain a combination of ppercase and lowercase letters, nmbers, and symbols, and are typically a minimm of six characters long or more for all acconts, inclding administrative acconts, sch as local administrator, domain administrator, and enterprise administrator. In this way, when sers sbmit a new password, Windows Server 2003 password policy determines whether the password meets established complexity reqirements. Yo can set more complex password reqirements; however, sch password policies can increase costs to the organization if they obligate sers to select passwords that are difficlt to remember. Users might be forced to call the help desk if they forget their passwords, or they might write down their passwords, ths making them vlnerable to discovery. For this reason, when yo establish password policies, yo need to balance the need for strong secrity against the need to make the password policy easy for sers to follow. Earlier Client Operating Systems Versions of the operating system earlier than Windows Server 2003 cannot handle passwords that contain more than 14 characters. For example: Attempts to log on to a Windows 2000 based compter rnning Terminal Services by sing atomatic logon settings configred in Client Connection Manager fail if yor password is more than 14 characters long. Client Connection Manager has a 14-character limitation for passwords sed for atomatic logon. To work arond this problem, yo mst manally enter a password to be sed for the connection when prompted. Yo can prevent this by modifying the password sed in Client Connection Manager and on yor domain to be no more than 14 characters long. In versions 3.5 and 3.51 of the Microsoft Windows operating system, Rn.exe allows sers to start tilities. When sers start tilities, they can specify a ser accont and password to be sed to start the application. When the password parameter is sed, Rn.exe stores the vales in bffers limited to 14 characters. Passwords longer than 14 characters are trncated for storage and then passed to domain controllers in trncated form, casing failres. Yo can solve many of these problems by applying the latest service packs for operating systems. If yor organization incldes clients rnning versions of the operating system earlier than Windows Server 2003 that do not spport longer passwords, be sre to accont for this when yo set yor password policies.

20 672 Chapter 14 Designing an Athentication Strategy Selecting Password Policy Options Windows Server 2003 provides secrity policies that ensre that all sers select strong passwords. Creating a password policy involves setting the following options in the Defalt Domain Grop Policy object. These policies, with the exception of those settings related to password lifetime, are enforced on all sers in a domain. Maximm password age This setting determines the period of time (in days) that a password can be sed before the system reqires the ser to change it. The best defense against impersonation is to reqire that sers change their passwords reglarly. This redces the amont of time available for attackers to crack nknown passwords, and it periodically invalidates any password that has been stolen by other means. The defalt vale of 42 days is generally appropriate; however, some IT departments shorten this to 30 days. Enforce password history This setting determines the nmber of niqe new passwords that have to be associated with a ser accont before an old password can be resed. It also rejects new passwords that are too similar to previos passwords. This featre prevents sers from circmventing password lifetime restrictions by resing their old password. The defalt vale is 1. Most IT departments choose a vale greater than 10. Minimm password age This setting determines the nmber of days that mst pass before a ser can change his or her password. Defining a minimm password age prevents sers from circmventing the password history policy by defining mltiple passwords in rapid sccession ntil they can se their old password again. The defalt vale is 0, bt it is recommended that this be reset. A vale of a few days discorages rapid password recycling while still permitting sers to change their own passwords if desired. Note that setting this parameter to a vale higher than the maximm password age forces sers to call the IT department to change their passwords, which increases costs to the organization. Minimm password length The setting determines the minimm nmber of characters that a ser s password mst contain. It is recommended that yo change this setting from the defalt vale of 0. A minimm password length of seven characters is considered standard.

21 Secring the Athentication Process 673 Passwords mst meet complexity reqirements This setting enables Windows Server 2003 to verify that new passwords meet complexity reqirements. The defalt password filter (Passfilt.dll) inclded with Windows Server 2003 reqires that a password: Is not based on the ser s accont name. Contains at least six characters. Contains characters from three of the following for categories: Uppercase alphabet characters (A Z) Lowercase alphabet characters (a z) Arabic nmerals (0 9) Nonalphanmeric characters (for example,!$#,%) This policy is disabled by defalt. Enable it to secre yor passwords against cracking. Establishing an Accont Lockot Policy Yo need to establish an accont lockot policy at the same time that yo establish a password secrity policy. Accont lockot policies protect yor environment against brte-force or dictionary attacks. Given enogh tries, even complex passwords can be gessed. Accont lockot policies redce the nmber of gesses that an attacker can make. It is best to establish an accont lockot policy that is restrictive enogh to prevent attacks, while still allowing for the occasional ser error. An accont lockot policy that is too strict might increase the nmber of spport calls in yor organization as sers who type their passwords incorrectly are mistakenly locked ot. Creating an accont lockot policy involves setting the following options in the Defalt Domain Grop Policy object. Accont lockot threshold The accont lockot threshold limits the nmber of times that anyone can attempt to log on to a compter from a remote location. This prevents attackers from trying all possible passwords over the network. This setting is disabled by defalt in the Defalt Domain Grop Policy object. Yo can trn it on by setting the vale to a nmber within the accepted range of 1 throgh 999. Set the vale high enogh to ensre that occasional errors do not reslt in accont lockot. Note that this setting does not apply to attempts to log on at the console of a locked workstation or to attempts to nlock a screensaver. Locked workstations cannot be forced to rn passwordcracking programs.

22 674 Chapter 14 Designing an Athentication Strategy Accont lockot dration The accont lockot dration determines how long, in mintes, an accont that has exceeded the accont lockot threshold remains locked before it is atomatically nlocked. Valid settings range from 0 throgh 99,999 mintes, or abot 10 weeks. When the vale is set to 0, an administrator mst manally nlock the accont. Becase accont lockot policies are designed to protect against brte-force attacks, setting even a low vale for the accont lockot dration redces the nmber of possible attacks considerably. Note that setting a high vale for the accont lockot dration can increase help desk calls when legitimate sers are mistakenly locked ot, and aside from indicating that an attack was attempted, provides little additional protection. By defalt, this policy is not defined, becase it is only applicable when an accont lockot threshold is specified. Reset accont lockot conter after This setting determines the nmber of mintes that mst elapse after a failed logon attempt before the conter is reset to 0 bad logon attempts. The range is 1 throgh 99,999 mintes. This vale mst be less than or eqal to the accont lockot dration. Enforce ser logon restrictions When this option is enabled, the KDC validates every reqest for a session ticket by examining the ser rights policy on the target compter. The ser reqesting the session ticket mst be assigned the Log on locally policy (if the reqested service is rnning on the same compter) or the Access this compter from the network policy (if the reqested service is on a remote compter) to receive a session ticket. This option also serves as a means to ensre that the reqesting accont is still valid. Verification is optional becase the extra step takes time and might slow network access to services, bt if accont rights have changed or ser acconts have been disabled between the time when the initial ticket was issed and the time when a service ticket was reqested, these changes do not take effect. By defalt, the policy is enabled in the Defalt Domain Grop Policy object. If the policy is disabled, this check is not performed. For greater secrity in an environment in which ser acconts change freqently, enable this setting. For faster performance, particlarly in a more stable ser accont environment, disable this setting.

23 Secring the Athentication Process 675 Assigning Logon Hors Yo can assign logon hors as a means to ensre that employees are sing compters only dring specified hors. This setting applies both to interactive logon, in which a ser nlocks a compter and has access to the local compter, and network logon, in which a ser obtains credentials that allow him or her to access resorces on the network. Assigning logon hors is sefl for organizations in which some sers are less trstworthy than others or reqire spervision. For example, yo might want to restrict logon hors when: Logon hors are a condition for secrity certification, sch as in a government network. Yor organization incldes shift workers. In this case, allow shift workers to log on only dring their schedled hors. Yor organization incldes temporary employees. The logon schedle is enforced by the Kerberos Grop Policy setting Enforce User Logon Restrictions, which is enabled by defalt in Windows Server Whether sers are forced to log off when their logon hors expire is determined by the Atomatically log off sers setting. By defalt, all domain sers can log on at any time. Yo can se the following procedre to limit the logon hors of an individal domain ser. To restrict the logon hors of a domain ser 1. In Active Directory Users and Compters, right-click the ser s accont. 2. Click Properties, and click the Accont tab. 3. Click Logon Hors. In the Logon Hors dialog box, indicate the hors and/or days of the week in which yo are restricting the ser from logging on. When yo have set the logon hors for an individal, yo can copy that accont to apply the same settings to a new ser in the same department. To restrict the logon hors for mltiple sers in the same OU 1. In Active Directory Users and Compters, select the ser acconts, and then right-click any of the selected items. 2. Use the Properties of Mltiple Objects dialog box to alter the properties for all of the selected sers. When yo restrict logon hors, yo might also want to force sers to log off after a certain point. If yo apply this policy, sers cannot log on to a new compter, bt they can stay logged on even dring restricted logon hors. To force sers to log off when logon hors expire for their accont, apply the Network secrity: Force logoff when logon hors expire policy.

24 676 Chapter 14 Designing an Athentication Strategy Creating a Ticket Expiration Policy It is important to establish reasonable lifetimes for tickets in yor organization. Ticket lifetimes mst be short enogh to prevent attackers from cracking the cryptography that protects the ticket s stored credentials. However, ticket lifetimes mst also be long enogh to be convenient for sers and to ensre that reqests for new tickets do not overload the network. Creating a ticket expiration policy involves setting the following options in the Defalt Domain Grop Policy object. Maximm lifetime for ser ticket This setting indicates the amont of time for which a ticket is valid before it expires. Generally, it is best if the Maximm Lifetime for User Ticket setting reflects the average amont of time that sers access their compters in one day. This is set to 10 hors in the Defalt Domain Grop Policy object. At the end of the ticket lifetime, the ser either obtains a new ticket or renews the existing ticket. This process is performed transparently by the compter, bt each ticket reqest or renewal prodces network traffic and domain controller loading. A short maximm ticket lifetime provides greater secrity bt also increases network traffic. A long maximm ticket lifetime decreases network traffic bt does not provide the same level of secrity. Maximm lifetime for service ticket This setting sally matches the established ser ticket lifetime. It might be shorter, however, if there is a need in yor organization for secre to services beyond what is reqired for ser. It might be longer if sers reqire ninterrpted access to services for long periods of time. For example, yo might need to extend the ticket lifetime if yor sers rn jobs that have a dration that is longer than the dration of the ser ticket lifetime. If yo do not have any special reqirements for service ticket lifetime, do not extend the lifetime of the ticket. The maximm service ticket lifetime mst be greater than 10 mintes and less than or eqal to the Maximm Lifetime for User Ticket setting. By defalt, this vale is set to 600 mintes (10 hors) in the Defalt Domain Grop Policy object (GPO). Ongoing operations are not interrpted if the session ticket sed to athenticate the connection expires before the operation is complete. Maximm lifetime for ser ticket renewal This setting determines the period of time (in days) dring which a ser s ticket-granting ticket (TGT) can be renewed. By defalt, this is set to seven days in the Defalt Domain GPO. Shorter renewal times make it easier to reqire sers to reathenticate in the event that yo sspect that there has been a secrity breach. An attacker with a renewable ser ticket can contine to renew that ticket for as long as the policy allows. Shortening renewal times makes an attacker s task more difficlt, bt it also increases the load on domain controllers.

25 Secring the Athentication Process 677 Establishing Network Athentication Standards Windows Server 2003 allows for interoperability with earlier versions of Windows and other operating systems. Interoperating with other operating systems, however, can negatively impact yor network secrity. It is important, therefore, to establish standards for network to minimize the effect that this interoperability has on yor organization s secrity. Yo can do this by restricting LAN Manager and by restricting anonymos access. Yo mst also establish a plan for pgrading Windows NT 4.0 domain controllers to balance the Kerberos load in Windows Server 2003 and Windows 2000 domains. Restricting LAN Manager Athentication De to advances in cracking tools and hardware capabilities, LAN Manager encryption is more vlnerable to attack than newer forms of encryption. For this reason, it is important to restrict the se of LAN Manager whenever possible. Windows Server 2003 spports all versions of LAN Manager, inclding LM, NTLM, and NTLM version 2 (NTLMv2), to allow for compatibility with clients that do not spport newer protocols. If it is necessary in yor organization to spport LAN Manager, yo can increase secrity by enabling spport of NTLMv2 whenever possible. Redcing or eliminating the se of LAN Manager and NTLM version 1 (NTLMv1) removes password hash vales from the network, and therefore increases network secrity. Yo can enable NTLMv2 spport by doing the following: Upgrading to at least Service Pack 4 (SP4) on all Windows NT 4.0 based clients. Yo can download the service pack from the Microsoft Web site at Installing the directory services client on all client compters that are rnning the Microsoft Windows 95 or Windows 98 operating system Yo can install the directory services client from the Windows Server 2003 operating system CD. Tightening LAN Manager policies. If all clients spport NTLMv2, set Domain Grop Policy for LAN Manager Athentication Level to Send NTLMv2 response only\refse LM & NTLM. This policy is nder Compter Configration\Windows Settings\Secrity Settings\Local Policies\Secrity Options\. If some clients exist that do not spport NTLMv2, set the LAN Manager Athentication Level to Send NTLM response only. This redces the amont of ciphertext available to attackers. Note Clients that do not typically spport NTLMv2 inclde Macintosh and Windows Services for UNIX.

26 678 Chapter 14 Designing an Athentication Strategy Restricting Anonymos Access In Windows Server 2003, access that was available to Anonymos sers in Windows NT 4.0 is available only to Everyone and Gest acconts. However, in some of the following sitations yo might still need to allow Anonymos access to portions of yor network. Some of the services rnning versions of Windows earlier than Windows 2000 se anonymos access to reqest ser accont information from domain controllers and to list network shares on file servers and workstations. Yo also might need to allow Anonymos access when an administrator in the trsting domain of a one-way cross-forest trst relationship needs to list sers and shares in the trsted domain of another forest. In addition, the Windows NT Remote Access Service (RAS) ses anonymos logon to determine whether a ser has permission to establish a RAS connection. Anonymos access to Active Directory is sed to change passwords from earlier systems. This form of anonymos access is enabled by the Pre-Windows 2000 compatible access secrity grop, which is a local grop fond only on Windows 2000 and Windows Server 2003 domain controllers. By defalt, this grop has read access to ser and grop objects in Active Directory. If yo need to spport networks containing a mix of Windows NT 4.0, Windows 2000, and Windows Server 2003 desktops and servers, yo mst take into accont the new restrictions on anonymos access by doing the following: First determine which services and applications reqire anonymos access to network resorces, and identify the servers to which anonymos access is needed. Then decide whether to add the Anonymos Logon identity to specific access control lists (ACLs), or to make secrity policy changes that relax the restrictions that Windows Server 2003 places on anonymos access. Yo can reglate anonymos access by doing the following: Edit the ACLs of the resorces, adding the Anonymos Logon identity to the list of athorized sers. This approach is the most secre, bt reqires editing the ACLs of each resorce, which might be difficlt to manage or trobleshoot. Use the Do not allow anonymos enmeration of SAM acconts and shares policy Grop Policy object, which can be fond in Compter Configration/Windows Settings/Secrity Settings/Local Policies/Secrity Options, to prevent attackers from sing anonymos connections to obtain information abot acconts and shares on a compter. Preventing Secrity Acconts Manager (SAM) accont enmeration can help thwart attacks, bt also prevents legitimate sers in other domains from obtaining this information.

Enabling Advanced Windows Server 2003 Active Directory Features

Enabling Advanced Windows Server 2003 Active Directory Features C H A P T E R 5 Enabling Advanced Windows Server 2003 Active Directory Featres The Microsoft Windows Server 2003 Active Directory directory service enables yo to introdce advanced featres into yor environment

More information

Upgrading Windows NT 4.0 Domains to Windows Server 2003 Active Directory

Upgrading Windows NT 4.0 Domains to Windows Server 2003 Active Directory C H A P T E R 8 Upgrading Windows NT 4.0 Domains to Windows Server 2003 Active Directory Upgrading yor domains from Microsoft Windows NT 4.0 to Windows Server 2003 Active Directory directory service enables

More information

aééäçóáåö=táåççïë= péêîéê=ommp=oéöáçå~ä= açã~áåë

aééäçóáåö=táåççïë= péêîéê=ommp=oéöáçå~ä= açã~áåë C H A P T E R 7 aééäçóáåö=táåççïë= péêîéê=ommp=oéöáçå~ä= açã~áåë Deploying Microsoft Windows Server 2003 s involves creating new geographically based child domains nder the forest root domain. Deploying

More information

Planning a Smart Card Deployment

Planning a Smart Card Deployment C H A P T E R 1 7 Planning a Smart Card Deployment Smart card spport in Microsoft Windows Server 2003 enables yo to enhance the secrity of many critical fnctions, inclding client athentication, interactive

More information

Deploying Network Load Balancing

Deploying Network Load Balancing C H A P T E R 9 Deploying Network Load Balancing After completing the design for the applications and services in yor Network Load Balancing clster, yo are ready to deploy the clster rnning the Microsoft

More information

Planning an Active Directory Deployment Project

Planning an Active Directory Deployment Project C H A P T E R 1 Planning an Active Directory Deployment Project When yo deploy the Microsoft Windows Server 2003 Active Directory directory service in yor environment, yo can take advantage of the centralized,

More information

Designing and Deploying File Servers

Designing and Deploying File Servers C H A P T E R 2 Designing and Deploying File Servers File servers rnning the Microsoft Windows Server 2003 operating system are ideal for providing access to files for sers in medim and large organizations.

More information

Planning a Managed Environment

Planning a Managed Environment C H A P T E R 1 Planning a Managed Environment Many organizations are moving towards a highly managed compting environment based on a configration management infrastrctre that is designed to redce the

More information

High Availability for Internet Information Server Using Double-Take 4.x

High Availability for Internet Information Server Using Double-Take 4.x High Availability for Internet Information Server Using Doble-Take 4.x High Availability for Internet Information Server Using Doble-Take 4.x pblished April 2000 NSI and Doble-Take are registered trademarks

More information

Upgrading Windows 2000 Domains to Windows Server 2003 Domains

Upgrading Windows 2000 Domains to Windows Server 2003 Domains C H A P T E R 9 Upgrading Windows 2000 Domains to Windows Server 2003 Domains Upgrading yor network operating system from Microsoft Windows 2000 to Windows Server 2003 reqires minimal network configration

More information

High Availability for Microsoft SQL Server Using Double-Take 4.x

High Availability for Microsoft SQL Server Using Double-Take 4.x High Availability for Microsoft SQL Server Using Doble-Take 4.x High Availability for Microsoft SQL Server Using Doble-Take 4.x pblished April 2000 NSI and Doble-Take are registered trademarks of Network

More information

EMC VNX Series. EMC Secure Remote Support for VNX. Version VNX1, VNX2 300-014-340 REV 03

EMC VNX Series. EMC Secure Remote Support for VNX. Version VNX1, VNX2 300-014-340 REV 03 EMC VNX Series Version VNX1, VNX2 EMC Secre Remote Spport for VNX 300-014-340 REV 03 Copyright 2012-2014 EMC Corporation. All rights reserved. Pblished in USA. Pblished Jly, 2014 EMC believes the information

More information

EMC VNX Series Setting Up a Unisphere Management Station

EMC VNX Series Setting Up a Unisphere Management Station EMC VNX Series Setting Up a Unisphere Management Station P/N 300-015-123 REV. 02 April, 2014 This docment describes the different types of Unisphere management stations and tells how to install and configre

More information

The bintec HotSpot Solution. Convenient internet access anywhere

The bintec HotSpot Solution. Convenient internet access anywhere The bintec HotSpot Soltion Convenient internet access anywhere Convenient internet access for all kinds of spaces Today s internet sers are freqently on the go. They expect to have internet access on their

More information

Designing a TCP/IP Network

Designing a TCP/IP Network C H A P T E R 1 Designing a TCP/IP Network The TCP/IP protocol site defines indstry standard networking protocols for data networks, inclding the Internet. Determining the best design and implementation

More information

HSBC Internet Banking. Combined Product Disclosure Statement and Supplementary Product Disclosure Statement

HSBC Internet Banking. Combined Product Disclosure Statement and Supplementary Product Disclosure Statement HSBC Internet Banking Combined Prodct Disclosre Statement and Spplementary Prodct Disclosre Statement AN IMPORTANT MESSAGE FOR HSBC CUSTOMERS NOTICE OF CHANGE For HSBC Internet Banking Combined Prodct

More information

EMC ViPR Analytics Pack for VMware vcenter Operations Management Suite

EMC ViPR Analytics Pack for VMware vcenter Operations Management Suite EMC ViPR Analytics Pack for VMware vcenter Operations Management Site Version 1.1.0 Installation and Configration Gide 302-000-487 01 Copyright 2013-2014 EMC Corporation. All rights reserved. Pblished

More information

Phone Banking Terms Corporate Accounts

Phone Banking Terms Corporate Accounts Phone Banking Terms Corporate Acconts If there is any inconsistency between the terms and conditions applying to an Accont and these Phone Banking Terms, these Phone Banking Terms prevail in respect of

More information

Isilon OneFS. Version 7.1. Backup and recovery guide

Isilon OneFS. Version 7.1. Backup and recovery guide Isilon OneFS Version 7.1 Backp and recovery gide Copyright 2013-2014 EMC Corporation. All rights reserved. Pblished in USA. Pblished March, 2014 EMC believes the information in this pblication is accrate

More information

EMC PowerPath Virtual Appliance

EMC PowerPath Virtual Appliance EMC PowerPath Virtal Appliance Version 1.2 Administration Gide P/N 302-000-475 REV 01 Copyright 2013 EMC Corporation. All rights reserved. Pblished in USA. Pblished October, 2013 EMC believes the information

More information

Planning and Implementing An Optimized Private Cloud

Planning and Implementing An Optimized Private Cloud W H I T E PA P E R Intelligent HPC Management Planning and Implementing An Optimized Private Clod Creating a Clod Environment That Maximizes Yor ROI Planning and Implementing An Optimized Private Clod

More information

GUIDELINE. Guideline for the Selection of Engineering Services

GUIDELINE. Guideline for the Selection of Engineering Services GUIDELINE Gideline for the Selection of Engineering Services 1998 Mission Statement: To govern the engineering profession while enhancing engineering practice and enhancing engineering cltre Pblished by

More information

EMC Smarts SAM, IP, ESM, MPLS, VoIP, and NPM Managers

EMC Smarts SAM, IP, ESM, MPLS, VoIP, and NPM Managers EMC Smarts SAM, IP, ESM, MPLS, VoIP, and NPM Managers Version 9.2.2 Spport Matrix 302-000-357 REV 02 Copyright 2013 EMC Corporation. All rights reserved. Pblished in USA. Pblished December, 2013 EMC believes

More information

EMC Storage Analytics

EMC Storage Analytics EMC Storage Analytics Version 2.1 Installation and User Gide 300-014-858 09 Copyright 2013 EMC Corporation. All rights reserved. Pblished in USA. Pblished December, 2013 EMC believes the information in

More information

Technical Notes. PostgreSQL backups with NetWorker. Release number 1.0 302-001-174 REV 01. June 30, 2014. u Audience... 2. u Requirements...

Technical Notes. PostgreSQL backups with NetWorker. Release number 1.0 302-001-174 REV 01. June 30, 2014. u Audience... 2. u Requirements... PostgreSQL backps with NetWorker Release nmber 1.0 302-001-174 REV 01 Jne 30, 2014 Adience... 2 Reqirements... 2 Terminology... 2 PostgreSQL backp methodologies...2 PostgreSQL dmp backp... 3 Configring

More information

Effective governance to support medical revalidation

Effective governance to support medical revalidation Effective governance to spport medical revalidation A handbook for boards and governing bodies This docment sets ot a view of the core elements of effective local governance of the systems that spport

More information

CRM Customer Relationship Management. Customer Relationship Management

CRM Customer Relationship Management. Customer Relationship Management CRM Cstomer Relationship Management Kenneth W. Thorson Tax Commissioner Virginia Department of Taxation Discssion Areas TAX/AMS Partnership Project Backgrond Cstomer Relationship Management Secre Messaging

More information

CRM Customer Relationship Management. Customer Relationship Management

CRM Customer Relationship Management. Customer Relationship Management CRM Cstomer Relationship Management Farley Beaton Virginia Department of Taxation Discssion Areas TAX/AMS Partnership Project Backgrond Cstomer Relationship Management Secre Messaging Lessons Learned 2

More information

Kentucky Deferred Compensation (KDC) Program Summary

Kentucky Deferred Compensation (KDC) Program Summary Kentcky Deferred Compensation (KDC) Program Smmary Smmary and Highlights of the Kentcky Deferred Compensation (KDC) Program Simple. Smart. For yo. For life. 457 Plan 401(k) Plan Roth 401(k) Deemed Roth

More information

EMC ViPR. Concepts Guide. Version 1.1.0 302-000-482 02

EMC ViPR. Concepts Guide. Version 1.1.0 302-000-482 02 EMC ViPR Version 1.1.0 Concepts Gide 302-000-482 02 Copyright 2013-2014 EMC Corporation. All rights reserved. Pblished in USA. Pblished Febrary, 2014 EMC believes the information in this pblication is

More information

EMC Storage Resource Management Suite

EMC Storage Resource Management Suite EMC Storage Resorce Management Site Version 3.0.2.0 Installation and Configration Gide PN 302-000-859 REV 02 Copyright 2013-2014 EMC Corporation. All rights reserved. Pblished in USA. Pblished April, 2014

More information

Installation Guide EMC DD OS. EMC Data Domain Operating System USB Installation Guide REV. 03, OCTOBER 2013

Installation Guide EMC DD OS. EMC Data Domain Operating System USB Installation Guide REV. 03, OCTOBER 2013 Installation Gide EMC DD OS EMC Data Domain Operating System USB Installation Gide 302-001-818 REV. 03, 775-2092-0001 OCTOBER 2013 This gide provides instrctions for installing the Data Domain operating

More information

EMC NetWorker. Performance Optimization Planning Guide. Version 8.2 302-000-697 REV 01

EMC NetWorker. Performance Optimization Planning Guide. Version 8.2 302-000-697 REV 01 EMC NetWorker Version 8.2 Performance Optimization Planning Gide 302-000-697 REV 01 Copyright 2000-2014 EMC Corporation. All rights reserved. Pblished in USA. Pblished Janary, 2015 EMC believes the information

More information

Preparing your heavy vehicle for brake test

Preparing your heavy vehicle for brake test GUIDE Preparing yor heavy vehicle for brake test A best practice gide Saving lives, safer roads, ctting crime, protecting the environment Breaking the braking myth Some people believe that a locked wheel

More information

BIS - Overview and basic package V2.5

BIS - Overview and basic package V2.5 Engineered Soltions BIS - Overview and basic package V2.5 BIS - Overview and basic package V2.5 www.boschsecrity.com Complete enterprise management for efficient, integrated bilding and secrity management

More information

Analog Telephones. User Guide. BusinessPhone Communication Platform

Analog Telephones. User Guide. BusinessPhone Communication Platform Analog Telephones BsinessPhone Commnication Platform User Gide Cover Page Graphic Place the graphic directly on the page, do not care abot ptting it in the text flow. Select Graphics > Properties and make

More information

Candidate: Shawn Mullane. Date: 04/02/2012

Candidate: Shawn Mullane. Date: 04/02/2012 Shipping and Receiving Specialist / Inventory Control Assessment Report Shawn Mllane 04/02/2012 www.resorceassociates.com To Improve Prodctivity Throgh People. Shawn Mllane 04/02/2012 Prepared For: NAME

More information

Introduction to HBase Schema Design

Introduction to HBase Schema Design Introdction to HBase Schema Design Amandeep Khrana Amandeep Khrana is a Soltions Architect at Clodera and works on bilding soltions sing the Hadoop stack. He is also a co-athor of HBase in Action. Prior

More information

Corporate performance: What do investors want to know? Innovate your way to clearer financial reporting

Corporate performance: What do investors want to know? Innovate your way to clearer financial reporting www.pwc.com Corporate performance: What do investors want to know? Innovate yor way to clearer financial reporting October 2014 PwC I Innovate yor way to clearer financial reporting t 1 Contents Introdction

More information

Purposefully Engineered High-Performing Income Protection

Purposefully Engineered High-Performing Income Protection The Intelligent Choice for Disability Income Insrance Prposeflly Engineered High-Performing Income Protection Keeping Income strong We engineer or disability income prodcts with featres that deliver benefits

More information

NAPA TRAINING PROGRAMS FOR:

NAPA TRAINING PROGRAMS FOR: NAPA TRAINING PROGRAMS FOR: Employees Otside Sales Store Managers Store Owners See NEW ecatalog Inside O V E R V I E W 2010_StoreTrainingBrochre_SinglePg.indd 1 5/25/10 12:39:32 PM Welcome 2010 Store Training

More information

Installation Guide. Isilon InsightIQ. InsightIQ Installation Guide. Release number 3.0. January, 2014

Installation Guide. Isilon InsightIQ. InsightIQ Installation Guide. Release number 3.0. January, 2014 Installation Gide Isilon InsightIQ Release nmber 3.0 InsightIQ Installation Gide Janary, 2014 Yo can install InsightIQ throgh Red Hat Package Manager (RPM) on a Linx machine or as a virtal appliance. Yo

More information

Closer Look at ACOs. Designing Consumer-Friendly Beneficiary Assignment and Notification Processes for Accountable Care Organizations

Closer Look at ACOs. Designing Consumer-Friendly Beneficiary Assignment and Notification Processes for Accountable Care Organizations Closer Look at ACOs A series of briefs designed to help advocates nderstand the basics of Accontable Care Organizations (ACOs) and their potential for improving patient care. From Families USA Janary 2012

More information

Galvin s All Things Enterprise

Galvin s All Things Enterprise Galvin s All Things Enterprise The State of the Clod, Part 2 PETER BAER GALVIN Peter Baer Galvin is the CTO for Corporate Technologies, a premier systems integrator and VAR (www.cptech. com). Before that,

More information

EMC PowerPath/VE Installation and Administration Guide

EMC PowerPath/VE Installation and Administration Guide EMC PowerPath/VE Installation and Administration Gide Version 5.9 and Minor Releases for VMware vsphere P/N 302-000-236 REV 03 Copyright 2009-2014. All rights reserved. Pblished in USA. EMC believes the

More information

Facilities. Car Parking and Permit Allocation Policy

Facilities. Car Parking and Permit Allocation Policy Facilities Car Parking and Permit Allocation Policy Facilities Car Parking and Permit Allocation Policy Contents Page 1 Introdction....................................................2 2.0 Application

More information

The Intelligent Choice for Basic Disability Income Protection

The Intelligent Choice for Basic Disability Income Protection The Intelligent Choice for Basic Disability Income Protection provider Pls Limited Keeping Income strong We prposeflly engineer or basic disability income prodct to provide benefit-rich featres delivering

More information

The Good Governance Standard for Public Services

The Good Governance Standard for Public Services The Good Governance Standard for Pblic Services The Independent Commission for Good Governance in Pblic Services The Independent Commission for Good Governance in Pblic Services, chaired by Sir Alan Langlands,

More information

Dialog 4106 Basic/Dialog 4147 Medium

Dialog 4106 Basic/Dialog 4147 Medium Dialog 4106 Basic/Dialog 4147 Medim Analog Telephones for MD110 Commnication System User Gide Cover Page Graphic Place the graphic directly on the page, do not care abot ptting it in the text flow. Select

More information

5 Using Your Verbatim Autodialer

5 Using Your Verbatim Autodialer 5 Using Yor Verbatim Atodialer 5.1 Placing Inqiry Calls to the Verbatim Atodialer ( Yo may call the Verbatim atodialer at any time from any phone. The nit will wait the programmed nmber of rings before

More information

The Good Governance Standard for Public Services

The Good Governance Standard for Public Services The Good Governance Standard for Pblic Services The Independent Commission on Good Governance in Pblic Services Good Governance Standard for Pblic Services OPM and CIPFA, 2004 OPM (Office for Pblic Management

More information

Direct Loan Basics & Entrance Counseling Guide. For Graduate and Professional Student Direct PLUS Loan Borrowers

Direct Loan Basics & Entrance Counseling Guide. For Graduate and Professional Student Direct PLUS Loan Borrowers Direct Loan Basics & Entrance Conseling Gide For Gradate and Professional Stdent Direct PLUS Loan Borrowers DIRECT LOAN BASICS & ENTRANCE COUNSELING GUIDE For Gradate and Professional Stdent Direct PLUS

More information

The Intelligent Choice for Disability Income Protection

The Intelligent Choice for Disability Income Protection The Intelligent Choice for Disability Income Protection provider Pls Keeping Income strong We prposeflly engineer or disability income prodct with featres that deliver benefits sooner and contine paying

More information

Closer Look at ACOs. Making the Most of Accountable Care Organizations (ACOs): What Advocates Need to Know

Closer Look at ACOs. Making the Most of Accountable Care Organizations (ACOs): What Advocates Need to Know Closer Look at ACOs A series of briefs designed to help advocates nderstand the basics of Accontable Care Organizations (ACOs) and their potential for improving patient care. From Families USA Updated

More information

A Novel QR Code and mobile phone based Authentication protocol via Bluetooth Sha Liu *1, Shuhua Zhu 2

A Novel QR Code and mobile phone based Authentication protocol via Bluetooth Sha Liu *1, Shuhua Zhu 2 International Conference on Materials Engineering and Information Technology Applications (MEITA 2015) A Novel QR Code and mobile phone based Athentication protocol via Bletooth Sha Li *1, Shha Zh 2 *1

More information

Candidate: Suzanne Maxwell. Date: 09/19/2012

Candidate: Suzanne Maxwell. Date: 09/19/2012 Medical Coder / Billing Clerk Assessment Report Szanne Maxwell 09/19/2012 www.resorceassociates.com Szanne Maxwell 09/19/2012 Prepared For: NAME Prepared by: John Lonsbry, Ph.D. & Lcy Gibson, Ph.D., Licensed

More information

Firewall Feature Overview

Firewall Feature Overview PALO ALTO NETWORKS: Firewall Featre Overview Firewall Featre Overview Palo Alto Networks family of next generation firewalls delivers nprecedented visibility and control of applications, sers and content

More information

Introducing Revenue Cycle Optimization! STI Provides More Options Than Any Other Software Vendor. ChartMaker Clinical 3.7

Introducing Revenue Cycle Optimization! STI Provides More Options Than Any Other Software Vendor. ChartMaker Clinical 3.7 Introdcing Revene Cycle Optimization! STI Provides More Options Than Any Other Software Vendor ChartMaker Clinical 3.7 2011 Amblatory EHR + Cardiovasclar Medicine + Child Health STI Provides More Choices

More information

Appraisal Firewall 1.0. Appraisal Revolution. powered by Appraisal Firewall DATA FACTS WHITE PAPER SERIES

Appraisal Firewall 1.0. Appraisal Revolution. powered by Appraisal Firewall DATA FACTS WHITE PAPER SERIES Appraisal Firewall 1.0 Appraisal Revoltion powered by Appraisal Firewall DATA FACTS WHITE PAPER SERIES The Technology Standard Appraisal Revoltion, powered by Appraisal Firewall technology maximizes yor

More information

Successful Conference

Successful Conference The Keynote Gide to Planning a Sccessfl Conference Dr Cathy Key A Keynote Networks Workbook Contents Introdction...2 The Role of the Conference Organiser...3 Establishing a Committee...4 Creating a Bdget...5

More information

Candidate: Kyle Jarnigan. Date: 04/02/2012

Candidate: Kyle Jarnigan. Date: 04/02/2012 Cstomer Service Manager Assessment Report 04/02/2012 www.resorceassociates.com To Improve Prodctivity Throgh People. Cstomer Service Manager Assessment Report 04/02/2012 Prepared For: NAME Prepared by:

More information

7 Help Desk Tools. Key Findings. The Automated Help Desk

7 Help Desk Tools. Key Findings. The Automated Help Desk 7 Help Desk Tools Or Age of Anxiety is, in great part, the reslt of trying to do today s jobs with yesterday s tools. Marshall McLhan Key Findings Help desk atomation featres are common and are sally part

More information

EMC Data Domain Operating System

EMC Data Domain Operating System EMC Data Domain Operating System Version 5.4 Administration Gide 302-000-072 REV. 06 Copyright 2009-2014 EMC Corporation. All rights reserved. Pblished in USA. Pblished September, 2014 EMC believes the

More information

Chapter 1. LAN Design

Chapter 1. LAN Design Chapter 1 LAN Design CCNA3-1 Chapter 1 Note for Instrctors These presentations are the reslt of a collaboration among the instrctors at St. Clair College in Windsor, Ontario. Thanks mst go ot to Rick Graziani

More information

The Time is Now for Stronger EHR Interoperability and Usage in Healthcare

The Time is Now for Stronger EHR Interoperability and Usage in Healthcare The Time is Now for Stronger EHR Interoperability and Usage in Healthcare Sponsored by Table of Contents 03 Stdy: Large Nmber of EHRs Do Not Meet Usability Standards 05 Black Book: EHR Satisfaction Growing

More information

What to buy: The ordering guide for VDO RoadLog VDO and RoadLog Trademarks of the Continental Corporation

What to buy: The ordering guide for VDO RoadLog VDO and RoadLog Trademarks of the Continental Corporation www.vdoroadlog.com What to by: The ordering gide for VDO RoadLog VDO and RoadLog Trademarks of the Continental Corporation Here s what yo ll need to get p and rnning on RoadLog: VDO RoadLog is the simple

More information

8 Service Level Agreements

8 Service Level Agreements 8 Service Level Agreements Every organization of men, be it social or political, ltimately relies on man s capacity for making promises and keeping them. Hannah Arendt Key Findings Only abot 20 percent

More information

The Role of the Community Occupational Therapist

The Role of the Community Occupational Therapist Ceredigion Conty Concil Social Services Department The Role of the Commnity Occpational Therapist...taking care to make a difference Large Print or other format/medim are available on reqest please telephone

More information

FINANCIAL FITNESS SELECTING A CREDIT CARD. Fact Sheet

FINANCIAL FITNESS SELECTING A CREDIT CARD. Fact Sheet FINANCIAL FITNESS Fact Sheet Janary 1998 FL/FF-02 SELECTING A CREDIT CARD Liz Gorham, Ph.D., AFC Assistant Professor and Family Resorce Management Specialist, Utah State University Marsha A. Goetting,

More information

9 Setting a Course: Goals for the Help Desk

9 Setting a Course: Goals for the Help Desk IT Help Desk in Higher Edcation ECAR Research Stdy 8, 2007 9 Setting a Corse: Goals for the Help Desk First say to yorself what yo wold be; and then do what yo have to do. Epictets Key Findings Majorities

More information

Welcome to UnitedHealthcare. Ideally, better health coverage should cost less. In reality, now it can.

Welcome to UnitedHealthcare. Ideally, better health coverage should cost less. In reality, now it can. Welcome to UnitedHealthcare Ideally, better health coverage shold cost less. In reality, now it can. The plan designed with both qality and affordability in mind. Consistent, qality care is vitally important.

More information

MVM-BVRM Video Recording Manager v2.22

MVM-BVRM Video Recording Manager v2.22 Video MVM-BVRM Video Recording Manager v2.22 MVM-BVRM Video Recording Manager v2.22 www.boschsecrity.com Distribted storage and configrable load balancing iscsi disk array failover for extra reliability

More information

Contact Centre Office Hours:

Contact Centre Office Hours: Large Print or other format/medim are available on reqest please telephone 01545 574000 or Minicom 01545 574001 or Email contact-socservs@ceredigion.gov.k Contact Centre Office Hors: Monday Thrsday: 8.45

More information

f.airnet DECT over IP System

f.airnet DECT over IP System The modlar IP commnication system for voice and messaging with the greatest mobility: flexible, easy to maintain, expandable. Fnkwerk Secrity Commnications For s, efficient commnication is vital. New:

More information

EMC NetWorker and EMC Data Domain Boost Deduplication Devices

EMC NetWorker and EMC Data Domain Boost Deduplication Devices EMC NetWorker and EMC Data Domain Boost Dedplication Devices Version 8.2 Integration Gide 302-000-692 REV 02 Copyright 2001-2014 EMC Corporation. All rights reserved. Pblished in USA. Pblished Jly, 2014

More information

Candidate: Charles Parker. Date: 01/29/2015

Candidate: Charles Parker. Date: 01/29/2015 Software Developer / Programmer Assessment Report 01/29/2015 www.resorceassociates.com To Improve Prodctivity Throgh People. Janary 29, 2015 01/29/2015 The following pages represent a report based on the

More information

Executive Coaching to Activate the Renegade Leader Within. Renegades Do What Others Won t To Get the Results that Others Don t

Executive Coaching to Activate the Renegade Leader Within. Renegades Do What Others Won t To Get the Results that Others Don t Exective Coaching to Activate the Renegade Leader Within Renegades Do What Others Won t To Get the Reslts that Others Don t Introdction Renegade Leaders are a niqe breed of leaders. The Renegade Leader

More information

10 Evaluating the Help Desk

10 Evaluating the Help Desk 10 Evalating the Help Desk The tre measre of any society is not what it knows bt what it does with what it knows. Warren Bennis Key Findings Help desk metrics having to do with demand and with problem

More information

DESTINATION ASSURED CONTACT US. Products for Life

DESTINATION ASSURED CONTACT US. Products for Life DESTINATION ASSURED CONTACT US For more information abot any of the services in this brochre, call 1-800-748-4302, visit or website at www.mac.com or stop by the branch nearest yo. LR-2011 Federally insred

More information

Opening the Door to Your New Home

Opening the Door to Your New Home Opening the Door to Yor New Home A Gide to Bying and Financing. Contents Navigating Yor Way to Home Ownership...1 Getting Started...3 Finding Yor Home...9 Finalizing Yor Financing...12 Final Closing...13

More information

KEYS TO BEING AN EFFECTIVE WORKPLACE PERSONAL ASSISTANT

KEYS TO BEING AN EFFECTIVE WORKPLACE PERSONAL ASSISTANT 5 KEYS TO BEING AN EFFECTIVE WORKPLACE PERSONAL ASSISTANT by: John Barrett Personal assistants (PAs) and their ability to effectively provide essential spports at the workplace are extremely important

More information

Building Trust How Banks are Attracting and Retaining Business Clients With Institutional Money Fund Portals

Building Trust How Banks are Attracting and Retaining Business Clients With Institutional Money Fund Portals Bilding Trst How Banks are Attracting and Retaining Bsiness Clients With Instittional Money Fnd Portals By George Hagerman, Fonder and CEO, CacheMatrix Holdings, LLC C ompetitive pressres are driving innovation

More information

ASAND: Asynchronous Slot Assignment and Neighbor Discovery Protocol for Wireless Networks

ASAND: Asynchronous Slot Assignment and Neighbor Discovery Protocol for Wireless Networks ASAND: Asynchronos Slot Assignment and Neighbor Discovery Protocol for Wireless Networks Fikret Sivrikaya, Costas Bsch, Malik Magdon-Ismail, Bülent Yener Compter Science Department, Rensselaer Polytechnic

More information

User Guide. You'll love FOXTEL iq

User Guide. You'll love FOXTEL iq User Gide Yo'll love FOXTEL iq Contents Welcome to FOXTEL iq... 5 The FOXTEL iq... 5 Updates to the FOXTEL iq... 5 Getting in toch with FOXTEL... 5 For the safety... 6 Getting Started... 7 Switching the

More information

Contents Welcome to FOXTEL iq2...5 For your safety...6 Getting Started...7 Playlist... 51 Active...53 Setup...54 FOXTEL Guide...18 ON DEMAND...

Contents Welcome to FOXTEL iq2...5 For your safety...6 Getting Started...7 Playlist... 51 Active...53 Setup...54 FOXTEL Guide...18 ON DEMAND... Contents Welcome to FOXTEL iq2...5 The FOXTEL iq2...5 Updates to FOXTEL iq2...5 Getting in toch with FOXTEL...5 For yor safety...6 Getting Started...7 Switching the FOXTEL iq2 on and off...7 Changing channel...7

More information

Borrowing for College. Table of contents. A guide to federal loans for higher education

Borrowing for College. Table of contents. A guide to federal loans for higher education Borrowing for College A gide to federal loans for higher edcation Table of contents Edcation loan basics 2 Applying for edcation loans 3 Repaying edcation loans 3 Controlling edcation loan debt 5 Glossary

More information

Make the College Connection

Make the College Connection Make the College Connection A college planning gide for stdents and their parents Table of contents The compelling case for college 2 Selecting a college 3 Paying for college 5 Tips for meeting college

More information

Social Work Bursary: Academic year 2015/16 Application notes for students on undergraduate courses

Social Work Bursary: Academic year 2015/16 Application notes for students on undergraduate courses Social Work Brsary: Academic year 2015/16 Application notes for stdents on ndergradate corses These notes are for ndergradate stdents who have previosly received a brsary. Please make sre yo complete the

More information

Anatomy of SIP Attacks

Anatomy of SIP Attacks Anatomy of SIP Attacks João M. Ceron, Klas Steding-Jessen, and Cristine Hoepers João Marcelo Ceron is a Secrity Analyst at CERT.br/NIC.br. He holds a master s degree from Federal University of Rio Grande

More information

Owning A business Step-By-Step Guide to Financial Success

Owning A business Step-By-Step Guide to Financial Success Owning A bsiness Step-By-Step Gide to Financial Sccess CONTACT US For more information abot any of the services in this brochre, call 1-888-845-1850, visit or website at bsiness.mac.com or stop by the

More information

The Medical Practice EMR Software Buyer s Guide A Practical Guide for Physicians and Medical Practice Office Managers

The Medical Practice EMR Software Buyer s Guide A Practical Guide for Physicians and Medical Practice Office Managers The Medical Practice EMR Software Byer s Gide A Practical Gide for Physicians and Medical Practice Office Managers ChartMaker Clinical 3.7 2011 Amblatory EHR + Cardiovasclar Medicine + Child Health Provided

More information

BIS - Overview and basic package V4.0

BIS - Overview and basic package V4.0 Engineered Soltions BIS - Overview and basic package V4.0 BIS - Overview and basic package V4.0 www.boschsecrity.com Complete enterprise management for efficient, integrated bilding and secrity management

More information

Objectives. At the end of this chapter students should be able to:

Objectives. At the end of this chapter students should be able to: NTFS PERMISSIONS AND SECURITY SETTING.1 Introduction to NTFS Permissions.1.1 File Permissions and Folder Permission.2 Assigning NTFS Permissions and Special Permission.2.1 Planning NTFS Permissions.2.2

More information

RISK MANAGEMENT. 56 Promsvyazbank

RISK MANAGEMENT. 56 Promsvyazbank 56 Promsvyazbank RISK The role of risk management in PSB bsiness processes increased significantly in 2009. In Corporate Bsiness, PSB adopted the new credit policy, implemented new credit analysis, lanched

More information

Position paper smart city. economics. a multi-sided approach to financing the smart city. Your business technologists.

Position paper smart city. economics. a multi-sided approach to financing the smart city. Your business technologists. Position paper smart city economics a mlti-sided approach to financing the smart city Yor bsiness technologists. Powering progress From idea to reality The hman race is becoming increasingly rbanised so

More information

VRM Video Recording Manager v3.0

VRM Video Recording Manager v3.0 Video VRM Video Recording Manager v3.0 VRM Video Recording Manager v3.0 www.boschsecrity.com Distribted storage and configrable load balancing iscsi disk array failover for extra reliability Used with

More information

Bosch Security Training Academy Training Course Catalogue 2015. uk.boschsecurity.com

Bosch Security Training Academy Training Course Catalogue 2015. uk.boschsecurity.com Bosch Secrity Training Academy Training Corse Cataloge 2015 k.boschsecrity.com 2 Bosch Secrity Training Academy Training Corses 2015 Bosch Secrity Training Academy Training Corses 2015 3 Contents Enqiries

More information

STI Has All The Pieces Hardware Software Support

STI Has All The Pieces Hardware Software Support STI Has All The Pieces Hardware Software Spport STI has everything yo need for sccessfl practice management, now and in the ftre. The ChartMaker Medical Site Incldes: Practice Management/Electronic Billing,

More information

A guide to safety recalls in the used vehicle industry GUIDE

A guide to safety recalls in the used vehicle industry GUIDE A gide to safety recalls in the sed vehicle indstry GUIDE Definitions Aftermarket parts means any prodct manfactred to be fitted to a vehicle after it has left the vehicle manfactrer s prodction line.

More information

MSc and MA in Finance and Investment online Study an online MSc and MA in Finance and Investment awarded by UNINETTUNO and Geneva Business School

MSc and MA in Finance and Investment online Study an online MSc and MA in Finance and Investment awarded by UNINETTUNO and Geneva Business School MSc and MA in Finance and Investment online Stdy an online awarded by UNINETTUNO and Geneva Bsiness School Awarded by Geneva Bsiness School Geneva Barcelona Moscow Class profile The connects yo with stdents

More information