Network Load Balancing: Security Best Practices for Windows 2000 and Windows Server 2003

Applies To: Windows Server 2003 with SP1

General Assumptions

A number of general assumptions about the infrastructure and operational best practices must hold to ensure a secure environment in which to run NLB clusters:

  1. Servers and storage are in physically secure locations.

  2. Practical security implementations such as firewalls, network probes, and management tools to detect irregular traffic are in place.

  3. Best practices and common sense in terms of security are adhered to in areas like administration, storage of logs, backup and restore, etc.

  4. Platform-level security best practices are adhered to in terms of assigning administrative permissions, applying access control lists (ACLs) to resources, and other housekeeping roles.

  5. The network infrastructure services such as Active Directory, DNS, DHCP, WINS, etc. must be secure. Any compromise of these infrastructure services can lead to a compromise of the NLB itself.

  6. Administration tools or other applications that administer NLB clusters can be run from remote workstations. The administrator must ensure that the applications are run from trusted computers. Any compromise of the computers on which the cluster administrator runs these applications can compromise the cluster. For example, if there are untrusted users with elevated privileges on the workstation where the administration tools are run, untrusted or malicious code can be run against the cluster by the cluster administrator without the cluster administrator realizing it.

  7. NLB creates and maintains a set of objects in the operating system such as files, devices, registry keys, etc. These objects have a default security setting that ensures non-privileged users cannot impact the cluster configuration or the applications running on the cluster. Changing these security settings to less restrictive security settings can lead to the cluster being compromised and application data being corrupted.