510 Chapter 8 • Infrastructure Security: System Hardening
viding faster access. However, extra effort is initially required to create adequate access controls to limit unauthorized contact with the data it is processing.
While discussing data repositories, administrators also need to examine a concept called Directory Enabled Networks (DEN). DEN is a model developed in the 1990s by Microsoft and Cisco to centralize control and management of an entire network, rather than just controlling users and group assignments. It is currently controlled and developed by the Distributed Management Task Force (DMTF), and can be viewed by visiting www.dmtf.org/standards/wbem/den. DEN utilizes the capabilities of various data repository structures and directory services structures to provide a more centralized management and control function for entire networks. By definition, it is a centralized repository for information about networks, applications, and users. For example, when networks were first being constructed and used, it was normal to have a network that contained only one hundred or so computers and users. However, the last decade has seen an explosion of network use and capability, which has led to management problems and high administrative costs. DEN, after much refinement, has allowed integrated management and control functions to be built into the directory services in use. Currently, many hardware vendors and OS and NOS vendors have designed solutions that integrate their management capabilities into the directory service in use. For example, Novell has introduced eDirectory services, which are cross-platform capable, and Microsoft has introduced Active Directory. Both of these, and others, allow administrators to integrate control of network services into the directory service arena. This includes the development of services such as Dynamic DNS (and the integration of zone files into the directory for security enhancement and control) and DHCP rogue server detection. Additionally, it allows the delivery of centralized policies for remote access, port, and interface controls, and router and switch configurations from a central repository.
Directory Services
Directory services information can be either very general in nature and publicly available, or restricted in nature and subject to much tighter control. While looking at directory services in the application area, it is important to look at different types of directory service cases and what should be controlled within them.
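As an added illustration (not part of the study guide), the following Python model shows a hierarchical directory whose public "white pages" attributes are readable by anyone while restricted attributes are limited by attribute-level access rules. All DNs, attributes and rules are constructed, and the rule evaluation mimics OpenLDAP's first-match "access to ... by ..." semantics in simplified form.

```python
# Added example (not from the study guide): a minimal model of a
# hierarchical directory with attribute-level access control, in the
# spirit of LDAP/OpenLDAP "access to ... by ..." rules. All DNs,
# attributes and rules below are constructed for illustration.

# Constructed directory information tree, keyed by distinguished name.
DIRECTORY = {
    "dc=example,dc=com": {"objectClass": ["domain"]},
    "ou=people,dc=example,dc=com": {"objectClass": ["organizationalUnit"]},
    "uid=alice,ou=people,dc=example,dc=com": {
        "cn": ["Alice Example"], "mail": ["alice@example.com"],
        "userPassword": ["{SSHA}constructed-hash"], "salary": ["90000"],
    },
}
ADMIN_DN = "cn=admin,dc=example,dc=com"  # constructed administrator DN

# Access rules, first matching rule wins (as in OpenLDAP). Each rule is
# (set of attributes it covers, or None for all; ordered (who, allowed)).
# "White pages" data stays public; the password is limited to the entry's
# owner and the administrator, payroll data to the administrator only.
ACCESS_RULES = [
    ({"userPassword"}, [("self", True), ("admin", True), ("*", False)]),
    ({"salary"}, [("admin", True), ("*", False)]),
    (None, [("*", True)]),
]

def _who_matches(who, entry_dn, bind_dn):
    """bind_dn is None for an anonymous bind."""
    if who == "*":
        return True
    if who == "self":
        return bind_dn is not None and bind_dn == entry_dn
    return who == "admin" and bind_dn == ADMIN_DN

def can_read(attr, entry_dn, bind_dn):
    """True if bind_dn may read attr on entry_dn under ACCESS_RULES."""
    for attrs, clauses in ACCESS_RULES:
        if attrs is None or attr in attrs:
            for who, allowed in clauses:
                if _who_matches(who, entry_dn, bind_dn):
                    return allowed
            return False  # no 'by' clause matched: deny by default
    return False  # no rule covers the attribute: deny by default

def read_entry(entry_dn, bind_dn=None):
    """Return the attributes of entry_dn that bind_dn is allowed to see."""
    entry = DIRECTORY.get(entry_dn)
    if entry is None:
        return None
    return {a: v for a, v in entry.items() if can_read(a, entry_dn, bind_dn)}
```

An anonymous lookup of Alice's entry returns only the public attributes, while a bind as Alice additionally exposes her own password attribute and only the administrator sees the salary.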
Directory services data is maintained and stored in a hierarchical structure. One type of directory service is structured much like the white pages of a telephone book, and may contain general information such as e-mail addresses, names, and so forth. These servers operate under the constraints of Lightweight Directory Access
www.syngress.com