Operational and Organizational Security: Policies and Disaster Recovery• Chapter 12 709
access to server resources needed a new account created on the different servers. If
a user left the organization, or had different access needs, the administrator had to
modify or delete the account from every server. If the administrator missed deleting
or changing access for an account on a particular server, the user could still access
the resources and data. This presented an administrative nightmare and a significant
security risk.
Single sign-ons are common to newer network OSes such as Windows and
Novell NetWare. They allow a user to sign in from one computer, be authenticated
by the network, and use resources and data from any server to which they have
access. Single sign-ons have been used since Novell implemented Novell Directory
Services (NDS), but are also available in newer Microsoft networks that implement
Active Directory. Single sign-ons make it easier to manage a network. Changes
made to one account are replicated to all servers in a domain or network. If a user’s
access needs change or a user is terminated and needs their account deleted, an
administrator can make the change once and know that the changes are reflected
network-wide.
Centralized vs. Decentralized
When it comes to security, there are tradeoffs. Controlling access is a tradeoff
between convenience and a secure environment, with more security making it
increasingly difficult for users to perform necessary tasks. Think about security as a
lock on a door. The more locks you have, the more secure the door is, but it
also means that people wanting access beyond the door will need a greater number
of keys, which could lead to a difficult experience. When discussing centralized and
decentralized security, administrators need to make decisions that will trade off one
consideration for another.
When applied to networks, centralization and decentralization often refer to the
location of servers on a network. Centralizing servers into one
location means that all of the servers are physically located in a single room or
building. This allows an administrator to visit one location to perform security-related
tasks such as backing up and restoring data, fixing failed hardware,
upgrading system software, or dealing with incidents that are adverse to security
(such as hacking attempts or viruses on a machine). By having the machines in one
area, the administrator can deal with tasks more effectively than if they had to drive
miles to get from one server to another.
Unfortunately, having servers in one central location is not always an option.
Users in branch offices or distant locations (such as other countries) may have to
www.syngress.com