procedure call (RPC) traffic. This can make management of the server difficult. Because so many ports
have been effectively closed, Terminal Services has been enabled. This will allow administrators to
perform remote administration.
The network traffic map above assumes that the environment contains Active Directory enabled DNS
servers. If stand-alone DNS servers are used, additional rules may be required. The implementation
of IPSec policies should not have a noticeable impact on the performance of the server. However,
testing should be performed before implementing these filters to verify that the necessary functionality
and performance of the server is maintained. Additional rules may also need to be added to support
other applications.
Included with Microsoft’s “Windows Server 2003 Security Guide: Patterns and Practices” is a .cmd file
that simplifies the creation of the IPSec filters prescribed for a domain controller.
The PacketFilters-File.cmd file uses the NETSH command to create the appropriate filters. This .cmd file
must be modified to include the IP addresses of the other domain controllers in the environment. The
script contains placeholders for two domain controllers to be added. Additional domain controllers
can be added if desired. This list of IP addresses for the domain controllers must be kept up
to date. If MOM is present in the environment, the IP address of the appropriate MOM server must
also be specified in the script. This script does not create persistent filters. Therefore, the server will
be unprotected until the IPSec Policy Agent starts. For more information on building persistent filters or
creating more advanced IPSec filter scripts, see Chapter 11, "Additional Member Server Hardening
Procedures" in Microsoft’s “Windows Solution for Security: Threats and Countermeasures: Security
Settings in Windows Server 2003 and Windows XP”. Finally, this script is configured to not assign
the IPSec policy it creates. The IP Security Policy Management snap-in can be used to examine the
IPSec filters created, and to assign the IPSec policy in order for it to take effect.
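A constructed illustration, not the PacketFilters-File.cmd shipped with the Microsoft guide, of the netsh ipsec static sequence such a script runs: a catch-all block on inbound traffic with permit exceptions for the other domain controllers and for Terminal Services, created unassigned so it can be reviewed in the snap-in first. The two domain controller addresses, the policy name and the rule names are placeholders chosen for this example.

```batch
@echo off
REM Constructed example; replace the placeholder addresses with the real
REM domain controllers (and the MOM server, if present) before running.
set DC1=192.0.2.10
set DC2=192.0.2.11
set POLICY=Domain Controller Packet Filters

REM Remove any earlier copy so the script can be re-run (an error on the
REM first run, when no policy exists yet, is expected and harmless).
netsh ipsec static delete policy name="%POLICY%"

REM 1. Policy object. assign=no: nothing is enforced until an administrator
REM    assigns it (IP Security Policy Management snap-in or assign=yes).
netsh ipsec static add policy name="%POLICY%" description="Block all inbound traffic except what a DC needs" assign=no

REM 2. Filter actions referenced by the rules below.
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add filteraction name="Block" action=block

REM 3. Catch-all filter list: every inbound packet to this host.
netsh ipsec static add filterlist name="All Inbound Traffic"
netsh ipsec static add filter filterlist="All Inbound Traffic" srcaddr=any dstaddr=me protocol=any mirrored=no

REM 4. Replication partners: all traffic to and from the other DCs.
REM    This list must be kept current as DCs are added or retired.
netsh ipsec static add filterlist name="Domain Controller Traffic"
netsh ipsec static add filter filterlist="Domain Controller Traffic" srcaddr=me dstaddr=%DC1% protocol=any mirrored=yes
netsh ipsec static add filter filterlist="Domain Controller Traffic" srcaddr=me dstaddr=%DC2% protocol=any mirrored=yes

REM 5. Remote administration: Terminal Services (TCP 3389) inbound.
netsh ipsec static add filterlist name="Terminal Services"
netsh ipsec static add filter filterlist="Terminal Services" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=3389 mirrored=yes

REM 6. Rules bind filter lists to actions. The permit rules win over the
REM    catch-all block because IPSec applies the most specific matching filter.
netsh ipsec static add rule name="Block Inbound" policy="%POLICY%" filterlist="All Inbound Traffic" filteraction="Block"
netsh ipsec static add rule name="Permit DC Traffic" policy="%POLICY%" filterlist="Domain Controller Traffic" filteraction="Permit"
netsh ipsec static add rule name="Permit Terminal Services" policy="%POLICY%" filterlist="Terminal Services" filteraction="Permit"

REM Review what was created before assigning. These filters live in the
REM local policy store, so after a reboot they are not in force until the
REM IPSec Policy Agent service has started.
netsh ipsec static show policy name="%POLICY%" level=verbose
```

Any further service the domain controller must accept (for example stand-alone DNS or additional applications) gets its own filter list and permit rule in the same pattern.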
2.9.7 HP NAS Specific Security Settings
The hardening of specific HP NAS accounts and applications is required to meet NSA security
compliance.
2.9.7.1 Service Packs, Security Patches, and Hotfixes Installation
Administrators must update all HP NAS server systems to the latest HP NAS revision for their product.
All Microsoft service packs, security patches, and hotfixes that have been certified by HP NAS can be
found at: http://h20015.www2.hp.com/hub_search/document.jhtml?lc=en&docName=c00056831
All HP NAS specific software and drivers can be downloaded at http://h18006.www1.hp.com/storage/networkattached.html
For software and drivers, administrators need to go to their specific HP NAS Windows Storage Server
2003 model for the latest software and drivers for their NAS server system.
2.9.7.2 HP Integrated Lights-Out (iLO) Accounts
HP Integrated Lights-Out (iLO) is integrated into every HP NAS server system. iLO consists of an intelligent
processor and firmware that provides standard and advanced levels of Lights-Out functionality. iLO
provides customers full front-of-the-server remote control of resources located in data centers and remote