a) Logging, Monitoring and Auditing
Device and application logging: Event data need to be collected efficiently so that it can be analysed. Apart from logging typical network activity, a log event data may be required for custom applications, environmental sensors, backup tape devices, physical access systems or security cameras.
The Microsoft Windows logging tool is called Event Viewer. It enables you to collect log data automatically and provides centralised reporting and management functionality. Event Viewer is available in most versions of Windows. Event Viewer in Windows Server 2008 categorises log file as:
Windows: Traditional Windows log files include the Application, Security and System logs. Windows Server 2008 also includes the Setup and Forward Event logs, which might not be available on other versions of Windows.
Applications and Services: logs include log files for hardware events as well as each of the roles installed on the server.
Microsoft: logs are located within the Microsoft Windows node of the Applications and Services Logs category. Each Windows component offers its own log file.
In each log, Windows records events. An event is a record of the details associated with something of significance that happened on the system.
Following are the details listed in the event’s properties:
Source: identifies the program component or service that generated the event.
Event ID: displays an ID number that identifies the event type.
Level: item specifies the event type in this case Information.
User: item identifies the user or process associated with the event.
Logged: item records the date and time that the event occurred.
Task Category: item is classified by a descriptor. Events in the Security Log are often assigned a category, such as Logon and Logoff, to describe the general classification of the action that generated the event. But not all events are assigned a category.
Computer: item specifies the computer on which the event occurred.
There are 6 levels which can be assigned to an event, depending on the type of action that has occurred:
Information: event notifies of a successful operation like when a service starts normally.
Warning: event is an informational message that might indicate a problem that should be investigated or fixed. Alternatively, a warning might indicate that only part of an operation has finished.
Error: event notifies if a problem has occurred such as a driver failing to load.
Audit Success: events are found in the security log only and notify of successful security events, such as when a user logs on to a computer successfully.
Audit Failure: events are found in the Security log only and notify of unsuccessful security events. For example, when a user’s logon request is denied due to incorrect password.
Critical: event level indicates that a failure has occurred which an application or component cannot automatically recover from.
Devices and applications that on which logging should be enabled are as follows:
Antivirus software: here, logging should be enabled for the signature version and update date, last scan date and time, positive virus detections and the date and time at which the antivirus software is disabled or shutdown.
Firewall: here, logging should be enabled for blocked access requests, blocked application requests, invalid requests, malformed packets, and management actions – such as port forwards setup.
Wireless access point and RADIUS: monitor activity on wireless access points using RADIUS; failed logon attempts, NPS access rejection, malformed packets and invalid requests.
DNS Server: here, logging should be enabled for DNS record updates, update request failures, zone transfer requests and zone transfer failures.
Domain controller: here, logging should be enabled for failed logon attempts, failed and successful administrator logons and requests for privilege escalations.
Critical Application: here, logging should be enabled for version information, the date and time of updates and security-related events
System Monitoring and Auditing:
Monitoring system performance: monitoring is an ongoing process that is performed to gather information which enables to determine if all systems are functioning correctly. Security-related parameters can be monitored to ensure that the system can cope with the workload created by authentication and authorization requests.
A performance baseline is a report of the performance characteristics of a system under normal use. A baseline can be created after a system is setup and is running properly. Then the current performance can be compared with the baseline at regular intervals to determine whether the system’s operations have changed.
Baselines should be re-created if conditions or configurations are changed such as after upgrading system hardware, the operating system or key application.
Windows Server 2008 provides a logging and monitoring application called the Reliability and Performance Monitor console, which is found in Server Manager or under Administrative Tools. In Windows Vista, it is known as Performance Monitor and in Windows XP it is called System Monitor, which can be opened by running the command “perfmon.msc”.
The Reliability and Performance Monitor console can be used to measure computer performance. Performance objects are any resources that can be measured. When server roles are added or install new applications, additional objects are installed. Some of the common performance objects include:
- Paging file
- Physical disk
The aspects of performance objects that can be measured are called counters. For example, the Kerberos Authentication counter reports on aspects such as the number of datagrams received and fragmented or the number of fragmentation failures.
When the system is monitored for security purposes, it might be useful to monitor:
The Security Per-Process Statistics object
The Security System-wide Statistics object
Server objects, especially the Errors Access Permissions, Errors Granted Access and Errors Logon counters
The Reliability and Performance Monitor console reflects CPU, Disk, Network and Memory resource levels. Following are the three major components of the console:
Monitoring Tools: contains the Performance Monitor and Reliability Monitor. The Performance Monitor displays real-time performance statistics or the results of logged data whereas the Reliability Monitor compares system changes to changes in system stability.
Data Collector Sets: DCSs are collection of statistical information that is gathered saved to a log. A DCS takes a snapshot over time by collecting three types of data:
- Counter data
- Event trace data – used for debugging and performance tuning
- System configuration information from the Registry
Reports: are used to store the results of data collector sets logging. Unless a data collector set is started, the report will remain empty.
Auditing systems: while auditing a system, it is possible to capture a snapshot of the system configuration at that point in time. This is not a real-time or ongoing process of gathering information.
Auditing a system enables to:
- Perform an inventory of systems to know what resources are available
- Perform corrective action that resolves potential problems
- Determine if systems comply with corporate policies
- Determine if systems meet the minimum configuration standards
Periodic audits should be conducted in the areas of:
- System security settings
- User access and rights
- Group policies
Auditing can also be performed on:
Data storage and retention policies: enables to determine the kind of data kept, how it is being stored and for how long. Personally Identifiable Information (PII) such as employee numbers, client credit card numbers and vendor contract information are stored within databases and must be retained when needed, but also be removed when no longer necessary.
Physical access policies: enable to control who can enter an area (telecommunication closets and server rooms) and when they can enter it. The access list is to be updated immediately whenever an employee is terminated or changes position.
Corporate security policies: dictate the company’s guidelines and practises for using computing resources. This policy includes guidelines for aspects such as password policies, acceptable and prohibited activities and incident report plans.
b) Organisational Security
Security and human-resource policies help to define the rules and practices that a company implements to manage and protect information in the organisation. A well-defined policy ensures that the company’s commitment to information security can be clearly outlined by defining policy goals and stating who is responsible for achieving these goals.
While designing a security policy, following sections are required to be included:
Privacy: the security policy, created need to protect the privacy of customer and supplier information. This ensures that the trust between the organisation and external entities is strengthened because both parties know that the information is secure. If the information is compromised, the enteritis might lose their trust in the company and might even take legal action against the company for disclosure of their information.
Due care: refers to the care required to ensure security within a company. It helps to identify and assess the risks to the organisation and to specify the measures employees need to take ensure the security of the company’s information. Having a strong security policy ensures that it can be proved that due care was exercised, which can help to protect the company from legal action against.
Account expiration: while defining a security policy, it is necessary to consider how to handle unused user accounts which need to be deleted as soon as they are no longer needed.
Need-to-know information: refers to sensitive data in a company that is shared with only those who absolutely must have access to it. This decreases the chance of unauthorized access without disturbing authorised users access to information. This least-privilege basis of access prevents an employee from putting the company at risk.
Service-level agreements: A SLA is a contract that documents the service level between a service provider and end user. SLA defines all service levels of support as well as penalties if the provider does not meet a service level. A disaster recovery plan can also be documented in an SLA. It is also required to include a contingency plan if a provider cannot meet an obligation.
Other aspects to consider when compiling a security policy are acceptable use, separation of duties, password management as well as disposal and destruction of information.
Acceptable-use policies help to define the manner in which computer information and resources may be used. The purpose is to ensure that information is protected and to limit the possibility of legal action against the company and its employees. This aspect also affects employee productivity as it relates to Internet access and use. If employees share sensitive information with third parties or access unauthorized web pages, they could compromise the company’s security, because the company could be held responsible for any agreement the employees make when using an e-mail address from the company.
Information classification is used to ensure that information that should be kept internal to the organisation is not released to the public and also to make sure that that publically available information can be freely accessed by clients and other organisations.
Separation of duties ensures that one person is not responsible for multiple processes because this creates the potential for abuse. It is also required so that the company does not lose the e information the employee possesses in the event of employee’s sudden death or departure from the company.
Security functions should be separated into multiple elements, where each element is part of making the whole security structure work. Each of the elements should be assigned to a different person or group of persons, which helps to alleviate abuse of power. This also ensures that there is someone in place if one person suddenly becomes unavailable.
It is necessary to emphasize the need for strong passwords when drawing up a password policy. A strong password policy reduces the risk of mismanaged passwords that can lead to security problems.
Password policies should include the following specifications:
- Minimum password length
- Reuse of passwords, including variations on existing passwords
- Required characters with a combination of alphabetic, numeric and/or special characters
- Password reset interval, which determines how long the password is valid before it needs to be reset
Deleting electronic files and reformatting disks does not completely erase all data. Magnetic media can be disposed by degaussing it, where the media is demagnetized, making all data contained on it unreadable. All data can also be overwritten with zero using a process called zeroization.
2. HR and incidents Policies and Change Management:
Human resource policies: A company’s Human Resource (HR) policy should address security issues such as the use of ID badges, keys and restricted access areas. It should be ensured that security personnel follow these policies as well as enforce them to maintain security within the company.
HR policies document the various aspects of personnel management, as they apply to each stage in an employee’s employment life in the company.
Personnel management includes three aspects:
Hiring: before hiring an employee, it is necessary to perform a background check. This includes checking references, past employers, criminal records and verifying all certifications and degrees that the candidate claims to possess.
Employee review and maintenance: performing employee review and maintenance is important to determine progress and identify potential job-related problems. Security clearance can also be evaluated, where employee may require higher or lower security access. During a review meeting, aspects such as job rotation, separation of duties and additional training requirements can also be evaluated. Job rotation ensures that all employees are able to perform various duties, so that they are able to cope in an emergency. Ensuring that there is a separation of duties helps to ensure that employees do not have excessive power which potentially can be abused.
Post-employment: before terminating an employee’s position in the company, it is necessary to document all procedures that have been followed prior to termination. This includes a meeting between the employee and an HR staff member. All security badges, keys and other access devices should be removed from the employee’s possession before employment is terminated and the employee escorted from the building. Then the employee’s account need to be disabled and change all shared passwords.
A company’s security policy should be based on a code of ethics, which is included in the policy documents. This code of ethics ensures that all employees act in a manner that is responsible, legal, honest and beneficial to the company. The code of ethics can also be used to ensure that all employees perform their professional duties optimally and act appropriately when representing the company’s interests.
Incident response policies: incident refers to events in the company that negatively affect the network. These can include viruses, system failure, unauthorized access, service disruption or any attempt to violate company policy. Incidents are to be dealt with by following the guidelines specified in the incident response policy.
All incidents need to be handled as soon as possible to reduce the impact on the company. It is also important that incidents are handled competently to prevent further incidents from occurring.
A good incident response plan should be developed to ensure that all incidents are handled correctly. This plan also guides employees in exercising due care.
A good incident response policy addresses six areas:
1. Preparation: good preparation is important as it enables to cope with an incident quickly and efficiently. This ensures that the resources to cope with problems are available and are able to access them easily. It also need be ensured that the resources used to respond to incidents can cope with attacks.
Part of the preparation stage involves documenting the duties of each member of the incident response team. It needs to be ensured that members are aware of the steps to be taken based on the nature and seriousness of the incident. The document should also include member’s contact details and all other relevant information relating to their duties. In the preparation stage, it is necessary to determine and document all acceptable risks. The dedicated hardware and software to be used for analysis and forensics of the incident has to be indentified and need to ensure that al incident response team members are properly trained to handle incidents.
2. Detection: when an incident occurs, the incident response team needs to detect the effect that the incident has on the company and the cause of the incident. The team also determines the scope of the incident and then plans suitable recovery.
The following questions may be asked during the detection stage:
- How many systems were impacted?
- How many networks were impacted?
- How far did the intruder get into the internal network?
- What level of privileges was accessed?
- What information and systems are at risk?
- How many paths of attack were available?
- Who has knowledge of the incident?
- How extensive is the vulnerability?
3. Containment: when an incident occurs, it is important to contain as quickly as possible. A system may need to shut down for preventing further damage or parts of the system might need to be taken off-line and firewall rules may also need to be altered. Further containment measures include suspending login accounts and disabling all file transfers.
Monitoring levels are also required to be increased to determine how deeply an intruder managed to penetrate the network. Compromised equipment or data should not be used until the incident is resolved.
4. Eradication: once the incident has been contained, the cause of incident is required to be eradicated. For example if the incident was a result of a virus or malicious code, the cause can be eradicated by cleaning or deleting all affected files. Before the data is restored to the drives, it should be ensured that the backups do not contain any viruses and are free of malicious code.
5. Recovery: if equipment has been damaged or compromised, new equipment can be ordered as detailed in the incident response policy. A good incident response policy will document procedures for replacing equipment quickly. This will ensure that the company can continue to function as optimally as possible.
6. Follow-up: the final aspect of the incident response policy deals with a follow-up to help the company learn from the incident. This ensures that incidents can be further prevented from occurring or handle other incidents more efficiently.
Changing management processes: Change management refers to a set of procedures that are followed whenever a network change is made. These procedures are developed and documented by network staff. Change management begins with a request for change (RFC) document, which can be used to record a change, define the type of change and effects the change will have.
Once documented, RFC is sent for review. The scope of an RFC determines who evaluates it such as an IT Manager or the change advisory board (CAB). CAB consists of representatives of departments affected by the change.
Once the RFC is approved, the change has to be planned and scheduled. It is then developed, tested and implemented. All these actions need to be documented in an RFC log. The change will be completed when both the change owner and the requester verify that the change has been successfully implemented.
A high level of security can be ensured during change implementation by being consistent in terms of how changes are managed. To do this, a change management process can be developed. Whenever network upgrades need to be done, install patches, add new users or update a firewall, the process and procedures should be documented. Being thorough in documenting the process, security risks are restricted.
Education, Training and Secure Disposal:
Education and training needs: in order to protect company’s information assets, staffs are required to be educated on the various risks that threaten company security. Educating network administrators and end users on system security enables you to safeguard sensitive company data against loss or compromise.
When employees are educated about the security procedures in the company, they will be able to identify potential security risks or violations. For an end-user, a broad overview of security policies should be provided, whereas a detailed level of knowledge is required for the administrative users and an exhaustive level of knowledge is required for employees who are in charge of security within the company including the detailed knowledge of all policies and procedures.
When a technician is required to troubleshoot a problem on an employee’s computer and needs the login details, the employee should be aware that they need to change all login details as soon as the problem has s been resolved. Users should also ask technicians to prove their identity before granting them access to the system. This helps to prevent unauthorized users from accessing network resources. Additionally, users should also remain with the technician while the problem is being fixed to ensure that technician does not access sensitive data on the computer or the network.
Security training should cover the following aspects:
- The reasons for training
- How to maintain the security of system accounts
- Policies relating to the sue of system accounts and access and control of system media
- Security contacts for the company and who to contact if a security incident is suspected
- Approved techniques for disposing of data through methods like degaussing, overwriting or destruction
- Policies regarding installation, removal and use of applications, databases, and data as well as policies regarding use of the Internet and email
The three common methods used to educate and train users are:
On-the-job training: refers to the experience gained such as when an incident occurs and the user learns how to respond to the incident and how to resolve and recover from it. Part of on-the-job training involves documenting all the steps taken in response to incidents. This record can be used as a guide for the next incident or to train others in handling incidents.
Classroom training: enables to learn about security policies and dealing with security incidents while learning from the experiences of both the instructor and the other students. This gives a better understanding of how to respond to different incidents.
Online training: enables to gain training when a user cannot make it to a classroom. This method enables user to fit training into a busy schedule. With this method, user may access training documents or policies on the company’s network. This method of training can include multimedia content such as audio and video files.
Disposal of IT equipment: before disposing electronic components and equipments, it is necessary to ensure that all hazardous material is removed. The component’s Material Safety Data Sheets (MSDS) can be checked for information on handling and disposal. If the user is unsure how to dispose of equipment containing lead, phosphorous and other hazardous material, Occupational Safety and Health Administration (OSHA) and Environmental Protection Agency (EPA) guidelines can be followed.
Batteries contain heavy metals such as nickel, mercury and cadmium which can’t be disposed by ordinary means. Instead, a battery recycler is to be used where the heavy metals are removed and sold back to industries that use them. Then the rest of the battery can be disposed.
CRT monitors contain phosphorous and sometimes mercury switches along with lead and other precious metals. These items need to be recycled instead of being discarded in the trash.
Data that is stored on magnetic media cannot be disposed by erasing or reformatting the disk. Data can still be accessed even if new files are written to the disk. To truly destroy data, a utility designed to repeatedly write random data to the media is required. Only by writing data several times can ensure that all traces of the old data are destroyed.
Following are the utilities that can be used to properly dispose data:
- On Track Data Eraser
- Norton System Works
c) Business Continuity and Environmental Control
Business Continuity and Disaster Recovery:
Creating a redundancy plan: With proper planning an organisation can function even if the equipment fails or destroyed. The backup equipment should be able to use until the non-functioning systems are brought back into service or replace them. The backup infrastructure could include redundant servers, workstations, communication lines, networks, utilities or other systems.
If the organisation can’t function after losing mission critical data or being temporarily off-line, it could suffer irrecoverable losses. Hence most organisations express their availability as a “number of nines”. For example a “five nines system” has 99.999% availability.
Minimising downtime is critical for companies that rely solely on the Internet to attract and take customer orders.
A fault-tolerant system immediately switches to a redundant component or subsystem when the main part fails. A fault tolerance system can be added to a server by additional hard drives, CPUs, power supplies and network adapters or other components. Having a fault-tolerant server is critical for the high availability systems – such as online companies – which should always be available.
Redundant systems for all components are needed to achieve high availability. If an organisation needs 99.999% availability, they need duplicate components to deal with any malfunctions. This is also known as a failover system. Such system enables service to continue without interruption until the primary system or component can be brought back online.
For this to be successful, the data on the failover system must be synchronised with the data on the main system. This ensures that the information is up to date. This can be accomplished with server clusters and RAID.
In server clustering, multiple servers jointly perform each task. Most current operating system supports clustering, which allows failover.
RAID is designed to improve disk performance and prevent data loss if a disk fails. RAID writes data across multiple disks at once using the following methods of implementations:
RAID 0: is also known as disk striping. It maps multiple drives together as a single drive to enable better performance and increase storage capacity. However, it does not provide any fault tolerance. If a single disk fails, the whole logical drive becomes inaccessible.
RAID 1: is also known as disk mirroring or disk duplexing. RAID 1 stores identical copy of data on multiple drivers. If one disk fails, the other drive continues to operate. Disk duplexing enhances disk mirroring using a separate disk controller for each disk, which enables it to provide additional fault tolerance.
RAID 3: is also known as disk striping with a parity disk. It writes data across three or more drives, where one drive stores the parity bits for each byte written to the other disks. As long as the disk containing the parity information doesn’t fail, failures to the array disks can be resolved by using the parity information to restore the data.
RAID 5: is also known as disk striping with parity. It occurs when data is written across three or more drives. Parity information is spread over all of the disks within the array.
RAID levels can also be nested. Nested RAID is sometimes known as a two-dimensional RAID, multiple RAID or multi-RAID. By combing multiple RAID levels, nested RAID provides a performance boost in addition to the redundancy. This is usually accomplished by combining RAID 0 with RAID 1, 3 or 5.
In nested RAID, the disks are divided into sets. Within the sets, a single RAID level is used to create arrays. A second RAID level is then applied to those arrays, thereby creating a higher level array. For instance, a RAID 0 can is created and RAID 1 is applied to mirror the RAID 0 arrays. This is known as RAID 0+1 or RAID 01. If RAID 1 is applied and striped those sets using RAID 0, it is RAID 1+0 or RAID 10. Other common combinations are 03, 53, 30, 05, 50 15 and 51.
Uninterruptable Power Supplies (UPSs) can be used to recover from power outages. The switch-over timing is essential to stop the server from going off-line. A UPS can give the administrator time to shut the server down in an orderly manner.
Creating a disaster recovery plan: Disaster recovery plan define exactly what to do when disaster strikes. The plan identifies the required actions and resources necessary to restore mission critical processes damaged or halted as a result of a disaster. The plan needs to cover every aspect of what must be done to continue operation throughout a disaster and also needs to detail how the recovery plan will be implemented. Since there may be delay in between disaster and the implementation of the recovery plan, hence the plan should specify what should be done during that time so that the organisation’s business can continue to operate.
An effective disaster recovery plan should smoothly transition to redundant systems so that nobody even notices the switch. The switch to redundant or replacement system should be done as quickly and effectively as possible so that the downtime of the organisation’s systems are kept to a minimum.
In addition to redundant system, plan may also involve a redundant location. The alternate locations can be set up ahead of time. There are three kinds of redundant locations to be used:
Hot sites: are fully configured, ready for operation within just a few hours of an incident. The major disadvantage of a host site is the expense which may increase the data centre costs by over 50%.
Warm sites: are only partially configured for operation. It contains some computer equipment that is partially configured. This type of site provides some peripherals, but does not include everything on the original network. As it is only partially configured, it is difficult or impossible to perform periodic testing.
Cold sites: provide only the most basic environment to carry on business. It provides wiring, ventilation, plumbing and possibly raised flooring for cabling. This relatively low cost site does not include the hardware needed to carry on the organisation’s business.
A disaster recovery plan should also include provisions for preventing accidents. Some of the issues that should be covered in a disaster recovery plan include
- Backup generator and UPS
- Single point of failure
- Spare parts
- Redundant servers
- Redundant ISP
- Redundant connections
- Backing up and restoring data
There are various kinds documents needed to be included in a disaster recovery plan, addressing various areas such as:
The disasters and threats covered by the plan
- The members of the disaster recovery team and their contact information
- The impact on the business a disaster will have using an assessment
- The contingency plan to be put in place in the event of a disaster
- The system configuration information necessary to restore mission critical applications, network diagrams, vendor lists and son on
Different disasters and threats might need to be dealt with in different ways. Some incidents might involve the need to relocate and others might just require switching over to backup or redundant systems. Threats can be categorised into several different types such as
- Natural disasters: include threats such as flooding, earthquakes, snow storms and wildfires.
- Accidents: include threats such as power disruptions, vehicular accidents, chemical spills and fires.
- Internal: threats often involve people and employees. They include incidents such as sabotage, employee violence or theft.
- External: threats come from influences outside a company. They include threats like industrial espionage or hacker attacks.
- Armed conflict: threats include incidents that might occur due to terrorism, war or civil unrest.
The disaster recovery plan needs to be thoroughly planed and tested to ensure business continuity in the event of a disaster. The disaster recovery team should contain members from each department in the organisation. This prevents any department’s needs from being overlooked during the incident.
Performing a business impact assessment helps to identify the mission critical functions in an organisation and the impact a disaster would have on those functions.
In an organisation, business functions can be categorised into the following groups:
- Critical functions: need to be restored for normal operation
- Essential functions: must be restored as quickly as resources are available
- Necessary functions: must be restored once normal processing has been restored
- Desirable non-critical functions: will be suspended during an incident
Contingency plans are the procedures needed to keep an organisation’s business going during the failure of a crucial component. They are also known as business continuity plans. They identity team members responsible for the recovery process and what they need to do, which functions to restore first, and the process for restoring those functions. A contingency plan should include:
- A responsibility checklist
- Emergency contacts
- A warning system
- Alternative sites
The documents within a disaster recovery plan should include:
The system configuration: for all key network devices such as server, routers and firewalls. All changes to the devices since they were originally deployed also need to be included in the document. Login details for any devices need to be included and kept up to date.
Diagrams: Network and facilities diagrams, including blueprints of the entire network and facilities infrastructure information, will enable to re-create the infrastructure at an alternative site if needed.
Vendor and supplier lists: is the contact information for any vendor or supplier whom might be required to contact during the disaster.
A backup plan: a completely documented backup plan helps to identify the backups needed to rapidly restore business functions.
Data Backup and Restore Media Rotation:
Data backup schemes: Having backups of the data on the network is a critical part of disaster recovery. Depending on the data needs of an organisation, the data are backed up and the respective rotation method is used. Although some organisations can make do with daily/weekly backups, other organisations might need hourly backups to fully protect mission critical data.
In addition to backing p data, it may require to create an image of the entire network hard drives. Image backups copy the hard disk sector by sector, creating a “snapshot” of the disk that can later be restored to another disk.
Windows Server 2008 can be backed up using Windows commands or third-party programs. For Windows Vista, the Backup and Restore Centre or a third-party program can be used.
Windows Server Backup utility can be installed from the Server Manager. Either a full or a custom backup can be performed. The backups are performed on a per-volume basis. But this utility doesn’t allow to backup individual folders within the volume.
Another utility is the command-line tool Wbadmin. Wbadmin is used to backup system state data because Windows Server Backup snap-in does not include this capability. The system state data cannot be written to a removable drive or to the system drive; a secondary drive must be available to record this data.
System state data includes:
- Boot files
- The Active Directory database
- Certificate Services
- Cluster database and the registry
- Performance counter configuration information
- The Components Services Class registration database
It should be determined how often to backup information as well as what information to backup. The common manual backup types are:
Full: A full backup backs up all of the files in the selected drive. It is the slowest to complete, but only one set of backup media when doing a full restore.
Incremental: An incremental backup backs up just the files that were modified since the last backup was performed, before clearing the archive bit. Incremental backups are faster than a full backup. But when restoring, the full backup must be first restored and then restore each incremental backup set.
Differential: A differential backup backs up only the files modified since the last full backup, but does not clear the archive bit. Each differential backup takes more room than the previous one. When restoring files, the full backup need to restore and then the most recent differential backup.
Image backups can also be performed using the Volume Shadow Copy Service. This allows creating a complete copy known as a full copy or clone. It also allows copying only those changes to the volume since the last full copy known as a differential copy or a copy-on-write. The Volume Shadow Copy Service creates two images, one being the original volume and the other the shadow copy volume. The original volume has full read and write capabilities, but the shadow copy is read-only.
Backups can be manual or automatic. Automated backups or unattended backups do not require user intervention. However, they need enough room for the backup to complete. Backups should be stored at a secure off-site location. This will protect the backups in case of a disaster at the primary location. On-site backups should be considered for immediate backups in case a file is accidentally deleted or corrupted. Any on-site backups should be securely stored, preferably in a fire-proof safe. The off-site location might be a bank vault, or a company that provides secure data storage.
The Windows Recovery Environment (RE) is included with Windows Vista and Windows Server 2008. It is a toolset that enables to diagnose and potentially to recover from errors which may hamper Windows startup. It is also used to restore data from a backup. It enables to restore a disk image created with the backup utility.
Backup media rotation schemes: there are different media rotations methods. This enables to have more than one set of backups. If the data need to be restored from a file that was overwritten on a later date, an earlier version of the file can be recovered from one of the older backups. There are three methods can be used for media rotation:
Son: The son method uses the same set of media for the backup each day. No archives are created using this method. Only the last backup is available to restore from.
Father-son: The father-son method combines a full backup with differential or incremental backups each week. At the end of the week, a full backup is performed, whereas on other days either an incremental or a differential backup is performed. This creates an archive from which files can be restored from the previous day. A full system can be restored by restoring the full backup and then restoring the daily backups.
Grandfather: The grandfather rotation method is probably the most commonly used backup rotation method. It uses the father-son rotation each week. The full backup is retained for the month and at month’s end, another full backup is created and is archived for a year. The next month, the weekly full backup media is reused and the daily media is reused each week.
Tower of Hanoi is another commonly used backup rotation scheme which uses at least three sets of backup media. Three media sets allow having eight day’s worth of data before the final media set is reused. Four sets allow 16 days of backups and five sets provide for 32 days of backups. In a 3 media-set rotation, each backup set is given a letter. Each lettered backup set is reused. For example, Set A is used on the first, third, fifth and seventh day of the cycle. Set B is used on second and sixth day of the cycle and Set C is used on fourth and eighth day of the cycle.
The environment within which a company’s computer network is located needs to be secure in order to prevent damage to data or hardware. It needs to make sure that network hardware is installed in a safe and secure environment. Environmental controls that should be considered while planning and maintain network environment are:
1) Fire suppression: Fire is a major risk in any environment that contains a large amount of electrical equipment. It needs to make sure that the network is protected from fire by covering it with appropriate types of fire suppression systems.
The first step in protecting network against fire is a good fire detection system, which may consist of manually-operated buttons or levers or automatic sensors activated by heat or smoke or both. It is also important that fire marshal inspections are carried out periodically to ensure that standards are being met.
There are some guidelines for fire safety:
Keep papers orderly – preferably in metal filing cabinets so that if fire breaks out, loose papers don’t catch fire easily.
Keep working smoke detectors in all areas of the building
Make fire extinguishers for each type of equipment that are readily available and accessible.
Fixed fire suppression systems are used as effective fire protection measures. They are combined with fire detection systems to automatically activate the fire suppression system when fire is detected. For example, a fixed fire suppression system might consist of water sprinklers installed in the ceiling, which are automatically activated when smoke is detected.
Commonly used types of fixed fire suppression systems include:
Gas discharge systems: release fire-suppressing gases from ceiling mounted nozzles when a fire is detected. Fire-suppressing gases include Halon or an EPA-approved Halon replacement gas or carbon dioxide.
Wet pip systems: spray water immediately when the fire suppression system is activated.
Dry pipe systems: contain valves that hold back the release of the water. This enables to shutdown the fire suppression system if the fire has been contained or if the system was accidentally activated.
Pre-action systems: combine wet and dry pipe feature and sound alarm prior to the system releasing water.
While choosing a fire suppression system, it is important to choose which will extinguish the fire but will not damage the equipment in the process. Since computer equipment is very sensitive to water damage, gas discharge systems are usually used to protect computer network environments.
Fire suppression systems that put out fires but don’t cause damage to equipment are known as clean agent systems.
While protecting network from fire, it is important that fire extinguishers are made easily accessible. But choosing the type of fire extinguisher should be chosen carefully. Some may contain chemicals that shouldn’t be used on certain types of electronic equipment. The Material Safety Data Sheets (MSDS) for materials and equipment list the type of fire extinguisher that should be used for fires involving specific equipment or materials. Newer fire extinguishers have picture on them that indicates the types of fires they’re designed to put out. Older ones use colour-coded shapes with a letter to designate which types of fires they’re for.
Generally, fire extinguishers are categorized into four classes:
Class A: fire extinguishers are designed to put out fires involving ordinary combustibles such as wood or paper. They are labelled with either a green triangle with the letter A inside it or a wastebasket and a pile of logs on fire.
Class B: fire extinguishers are designed to put out fires involving flammable liquid such as grease, oil, gasoline or smaller liquids. They are labelled with either a red square with the letter B inside it or a gas can on fire.
Class C: fire extinguishers are designed to put out fires involving electrical equipment. They are labelled with either a blue circle with the letter C inside it or a plug and d cord on fire.
Class D: fire extinguishers are designed to be used on certain types of flammable metals such as aluminium, magnesium or titanium. They are commonly found in chemical laboratories. Class D fire extinguishers are labelled with a yellow start with the letter D inside it.
Fire extinguishers are filled with one of four substances for putting out fires:
Dry chemicals: fire extinguishers contain an extinguishing chemical along with a non-flammable gas propellant. They are designed for putting out fires from multiple types of flammable materials.
Halon gas: is found in fire extinguishers that are designed for use on electrical equipment. Halon gas interrupts the chemical reaction of burning materials. However, it is banned due to green house effect and its danger to humans at concentrations above 10%. Following are the environmentally-friendly alternatives to Halon.
Inegren (IG-541): is a combination of three different gases – nitrogen, argon and carbon dioxide. When released, it lowers the oxygen content in the room to the point that the fire cannot be sustained.
Heptafluoropropane (HFC-227ea): is a chemical agent which is also known as FM-200. This agent is released as a gas that suppresses fire using a combination of physical and chemical mechanisms. When relapsed, it is not harmful to persons in the room.
Trifluromethane (FE-13): is a chemical which was originally developed as refrigerant, but is now commonly used in new fire suppression systems. FE-13 molecules absorb heat, making it impossible for the air in the room to support combustion. It is considered one of the safest clean agents.
Water: along with a compressed gas propellant is found in Class A fire extinguishers. Water-containing fire extinguishers are designed to extinguish fires that involve ordinary combustibles.
Carbon dioxide: is found in Class B and Class C fire extinguishers, in which highly pressurized carbon dioxide displaces oxygen, thus extinguishing fires. Carbon dioxide also cools the item and the surrounding air. They are also popular alternative to Halon systems.
2) Heating, ventilation and air conditioning: HVAC systems control the climate within a building by regulating the temperature airflow within it. When HVAC systems are installed, they need to be the proper size for the space that they need to control. If the HVAC system is too big or too small, it may lead to efficiency and comfort problems.
To prevent damage to network components, it should be ensured that network environment has-
An ambient temperature: In order to prevent damage to network components, an ambient temperature should be maintained in network environment. Since electronic components operate best in cooler temperatures, it should be ensured that it does not get too hot.
Suitable levels of humidity: should be maintained in network environment. Electronic equipments are very sensitive to humidity and functions optimally at a relative humidity level of between 40 and 60%. If the humidity is too high, it can cause condensation on your components, which can damage them. If the humidity is too low, it can cause static electricity that can short out electronic equipments.
Installing the network backbone in the building’s plenum space can reduce the risk of fire damage. The plenum is the space that is used to move air for heating, cooling and humidity control. Typically, the plenum is the space under a raised floor or between a structural ceiling and a dropped ceiling. It can also be used to run high or low voltage wiring.
3) Shielding:When installing network cabling, it is important that cabling is not easily accessible to unauthorized persons. This is to prevent data theft as well as physical damage to the cables. It is also important to ensure that properly shielded cables are used in the network. This is to minimise the effects of EMI and RFI, which can damage data during transmission.
Data corruption from EMI and RFI can be prevented in the following ways:
by installing network equipments far from other electrical equipment and magnets
by choosing cables that offer the best possible shielding for particular network specification
Higher quality cables have better shielding capabilities. High-quality UTP cables provide some protection, but STP has shielding built into the cable to better protect the data. However, as both UTP and STP use copper wire to transmit data, they are vulnerable to physical attacks such as wiretapping. Coaxial cables also provide resistance to EMI and RFI, but they are still vulnerable to physical attacks as in STP and UTP.
Fibre-optic cables offer the best protection against physical damage and damage to data. As they use light to transmit data, they are completely protected from EMI and RFI issues. This also prevents attackers from splicing into the cable. It is recommended to install a conduit around the network cable with lock boxes installed at inspection and termination points.