Security for Deploying Information Systems - Essay Example

? Full Paper Security for deploying Information Systems As per a survey that was conducted by Software Productivity Research in 2009, inadequate software development leading to bad quality costs above $500 billion per year on a global level (Dave, 2011). Application is a core component of a computer that operates on an application layer of the Open System Interconnection (OSI) model. Everyone interacts with the application and not the hardware, if software quality is not present, Users will become reluctant to use it again. For instance, vulnerability is reported that may impose risks, bugs and errors, incompatibility issues etc. moreover, a news report of a new threat targeting user information may become a great challenge for organizations to sustain their business and customers. However, these news reports may lead to programming flaws and bad quality that may result in massive business losses. For a core banking application, errors, bugs or inadequate security measures cannot be ignored, as a single vulnerability may lead to a major threat for business. For this reason, integrating security in product lifecycle is the most important factor. As mentioned earlier, security breaches are now making headlines, as dependency on applications, mobile applications and online applications has sky rocketed. Users are now making complex online transactions from their cell phones and websites resulting in a rise of application threats. Consequently, there is a requirement of addressing security issues in an application to a relatively high degree. Moreover, many organizations purchase applications from the vendor that all imposes inherent risks that are not known by that time. A recommended solution for addressing application security must be conducted during the feasibility study. Integration of security controls followed with a secure application development approach will ensure quality and security of an application. Furthermore, deciding recommended security controls in a feasibility study will justify the cost of implementing and integrating them within the application. Traditionally, organizations are not addressing application security during the software development life cycle. They conduct security audits by auditors with specialized tools (Edwards, 2006) and with partial resources, at the end of a finished product making the security isolated. If any issue arises during the security audit in end stages of a software development lifecycle, it is more time consuming and expensive to address. Moreover, security auditors have their own criterion that is their primary objective. For instance, analyzing all risks are addressed or not, level of compliance by classifying vulnerabilities and controls for mitigating threats. All these issues are addressed before an official release of an application. Similarly, the development team has to ensure timely and cost effective development of the software modules and to make their name in the market first (Dave, 2011). Likewise, the audit report with a list of security vulnerabilities is submitted to the application development team for making any suitable changes (Dave, 2011). However, the report does not include any method or a hint of where these vulnerabilities exist. Developers on the other hand, launch the product as per schedule and therefore, security issues were not addressed. However, the best solution of addressing application security is in the software development life cycle, so that developers can rectify and remediate any security vulnerabilities through this process, as afterwards there is no time and the product launches without addressing security vulnerabilities that may result in major threats to organizations afterwards. 2 Implementing a Secure Domain Environment 2.1 Active Directory Implementation Active directory is an essential component which provides efficient and effective network administration. The first step is to prepare a domain. Active directory functions on the domain. The domain name for abc will be ‘www.abc.com’. Single domain model will be adopted as a forest root domain since the organization is a SME. After creating the domain, DNS configuration is required and what type of DNS version to be used; the names used for the domains, servers, and services in Active Directory; and the names of the forests and the forest root domains. The trust plan is also required which parallels the creation of the forest and domain plans, outlines any manually created trusts, the direction of the trusts, and the rationale for them. Trusts can be imple­mented for reasons of performance enhancement within a single forest or to allow access to resources between separate forests. 2.2 User And Group Creation 30 users are created with five groups in the active directory. Each user is assigned membership of the following groups. Group 1 named as “Long Term Lets Group” Group 2 named as “Short Term Lets Group” Group 3 named as “Personnel Group” Group 4 named as “Marketing Group” Group 5 named as “Accounts Group” 2.3 Limited Access For limiting access to the sales and all the remaining staff, Configuration will be conducted in the “Active directory users and computers” console. Click Start menu?Administrative Tools, ? Active Directory Users and Computers. In the console, click user account Right-click the user accounts, and then click Properties. Click Account and then click Logon Hours. Click All to select all available times, and then click Logon Denied. Select the time blocks as per the requirements to allow the specific user to log on to the domain, and then click Logon Permitted. A status line provides the options to edit logon times including days of the week, and timings. 2.4 User Login Restriction Active Directory Users and Computers?Properties?Accounts Click the logon workstations dialog box by clicking the Log On To tab. Enter the name of a required workstation. Click Add. Replicate this procedure to identify additional workstations as per the organizations requirements. 2.5 User Restriction on Workstation User restriction is possible by applying group policy capabilities in Windows 2003 Domain; Users can be prevented from logging on to different domains rather than their home domain. In the target domain new ‘domain wide group policy object’ is created and activates by activating “Deny logon locally" to the resource of domain user accounts. The check should be enabled for the option “Deny logon locally”  2.6 Configuring mandatory file access Mandatory file access is implemented by configuring the User's Environment Settings. Active Directory Users and Computers? User's Properties ? Profile tab. Click option named as local path. Insert the path to the home directory in the related field. Example C:\ abc \ %UserName%. 2.7 Password Policy The password policy will be applied in the Active directory users and computers console. These five elements related to password policy apply on each user created. Enforce password history, (As per organization requirement) Maximum password age, (Maximum 30 days) Minimum password age, (As per organization requirement) Minimum password length (10 Characters) Passwords must meet complexity requirements (As per organization requirement) 2.8 Account Lockout Policy Access the group policy console which is required for account lockout configuration. On the right hand side expand the security options?expand computer configurations? select Windows settings ? click security settings? click local Policies? select security options. By double clicking properties of automatically log off users when login time expires opens a dialog for defining policy. Clicks define this policy setting and click on enabled tab. In this way policy restriction which enforces for logon hours is activated. 3 File Server 3.1 Drive Mapping To create a network home directory, Active Directory Users and Computers ?Properties?Profile tab. Click Connect option? and choose a drive letter for the home directory. Universal Naming Convention (UNC) notation will be used to type the complete path to the home directory using the, such as: \\abc\USER_DIRS\ %UserName%. The server name is mandatory to mention in the drive path to ensure that the user can access the directory from any computer within the domain. 3.2 Access rights on a Shared Folders The department’s shared folder requires read and write access. Right click on the folder ? Properties?Security. Select everyone in user data properties and select read and write from permissions panel for the specific folder. The long term and short term group will be added in user data properties by selecting read from the permission panel for the folder named as ‘Sales2011’.Managers from each department will be added specifically as users against all employees are created in the active directory. Users (representing as managers of the department) will be added to the user data properties and full writes including read, write and delete will be granted from the security panel. 4 Website 4.1 Welcome Page For creating a domain logon script ‘start.exe command is executed. It creates a file named as ‘logon.bat’ which contains the commands that the user wants to execute. Two new file are created named as ‘contentsfile.bat’ to call the logon.bat file. These both files are placed in the ‘Netlogon’ share on the domain controllers. For configuring the ‘Netlogon’ click Active Directory Users and Computers ? Microsoft Management Console (MMC)?configure user to configure ‘Netlogon’ scripts. 4.2 Virtual directory A Virtual Directory is separately created directory that provides access to a web page that integrates or redirects to the specified directory. The specified link is redirected to a directory hat is located on network sharing or a local server. For changing access levels on virtual directories, following steps are used (Assuming that Internet Information Services (IIS) is installed previously). The explanation is in bulleted points for step by step illustration of the process. Press the button that states directory or web site for changing the permission After highlighting the button, from the drop down list select properties Press the tab that states Directory Security Press the edit button from the password authentication group options Decide what settings are required for authentication Press the OK button 4.3 Virtual directory Permissions Log on to RMS client as local administrator. Click on the Registry Editor. Click on Create the new key for registry named DecommissionunderHKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\DRM Under the Decommission registry key, add a new String Value entry, replacing your-license-server with the name of the RMS cluster used for licensing: Https:// abc /_wmcs/licensing. Double-click the new registry entry, type  http://your-abc_wmcs/decommission, and then click OK. 5 Group Policy The rules applied on an object effects on each user who is a member of that group. The configuration will be conducted on the domain controller by execute the ‘Group policy’ console. On the left column, click ?User configuration?Administrative Templates ?Start menu and Taskbar. On the right side administrative templates will appear. Select the template ‘Remove run menu from start menu’ and Disable Add/ Remove Programs ? Properties ? select disabled from the settings tab. 6 Test plan Run the command from the start menu ? Run ? Dcdiag.exe This command illustrates the statistics of successful active directory implementation, connectivity and efficiency. The result of this test must quote “Test Passed”. Figure 1.1 7 Network Diagram for High Availability Services The network diagram demonstrates the appropriate deployment of firewall, intrusion detection system, servers, switches and WAN connectivity. Figure 1.2 8 Proposed Backup Plan As per the proposed network for an educational establishment, 24 hours availability is required for services related to digital libraries, online learning and web application. In order to implement a disaster recovery plan, replication of data and services is required. This is conducted by installing additional hardware in terms of a backup server that will replicate data on regular basis. For instance, to secure data related to finance department, backup finance server will be deployed to synchronize data on small intervals. Disk mirroring techniques can also be employed. Disk mirroring is defined as “The recording of redundant data for fault tolerant operation. Data are written on two partitions of the same disk or on two separate disks within the same system. Disk mirroring uses the same controller. RAID 1 provides mirroring, which was first accomplished only with SCSI drives, but later with ATA (IDE) drives” (Mirroring 2007). However, RAID controllers are implemented in the process. A comprehensive definition of RAID is available in the network dictionary that says, “Redundant Arrays of Independent Disks (RAID) is a type of disk drives with two or more drives in combination for increasing data integrity, fault tolerance, throughput or capacity and performance. RAID provides seceral methods of writing data across/to multiple disks at once. RAID is one of many ways to combine multiple hard drives into one single logical unit. Thus, instead of seeing several different hard drives, the operating system sees only one. RAID is typically used on server computers, and is usually implemented with identically-sized disk drives. With decreases in hard drive prices and wider availability of RAID options built into motherboard chipsets, RAID is also being found and offered as an option in higher-end end user computers, especially computers dedicated to storage-intensive tasks, such as video and audio editing.”If ‘finance server’ stops responding or crashes, data can be restored from the backup finance server and services can be restored with minimal damage. Similarly, the same methodology can be implemented for student’s database. Moreover, WAN connectivity can be shifted from the disconnected link to the alternate link in order to provide constant connectivity without service interruption. In this case, an educational establishment may subscribe for two internet connections but different carriers. Both the connections will be terminated on the router WAN interface. In order to activate both connections, propriety-based protocol will be configured. Figure 1.7 illustrated the summary of a recovery plan. Server Roles Disaster Recovery Plan Finance Server Deploying Backup Servers equipped with RAID for Disk Mirroring Student’s Database Deploying Backup Servers equipped with RAID for Disk Mirroring Alternate WAN Configuring Priority Based Protocol References Dave, R. (2011). Best practices for tackling security early in development. Electronics World, 117(1908), 10-11. Edwards, M. J. (2006). Audit your web applications for better security. Windows IT Security, 6(6), 6-10. Mirroring (2007). Javvin Technologies, Inc. Redundant Array of Independent Disks. (2007). Network Dictionary, , pp. 405-405. Read More