12.3. Securing the Operating System

The second most direct way to access the DW/BI system is by way of the operating system. You should implement the following procedures for all the servers in your development, test, and production systems:

  • Restrict login access. No business user needs to log on to the servers. Most DW/BI team members don't need to log in, as their tools work remotely. Only system administrators need to log in; others can access services across the network.

  • Ensure the security policy on all servers is set to not add Domain Users to the local Users group. By default, Domain Users are usually added to the local Users group, which has login privileges.

  • Ensure the Windows Administrator account on all servers has a strong password.

  • Ensure the Windows Guest account on all servers is disabled.

  • Ensure strong password policies. Strong policies include technical policies, like requiring a mix of letter case and non-alphanumeric characters. Users also need to be educated about security: not to write down passwords, and to avoid the many scams that fill our inboxes. This is usually an enterprise-wide concern.

  • Restrict network access.

  • Ensure the Everyone group does not have access to the server.

  • Disable null sessions to prevent anonymous sessions.

  • Disable unneeded services. For security reasons, consider disabling the Telnet, FTP, SMTP, and NNTP services if they're not needed.

NOTE

Search Microsoft.com for RestrictAnonymous for a discussion of anonymous sessions.

  • Ensure data folders ...
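Several of the checks in this list can be audited with a short read-only script. The PowerShell below is an added example, not code from the book; it assumes Windows PowerShell 5.1 or later in an elevated session, and the function name `Test-ServerBaseline`, the service short names, and the reading of the Everyone check as local group membership are assumptions.

```powershell
# Added example: read-only audit of the OS checklist. Changes nothing on the server.
function Test-ServerBaseline {
    $findings = @()

    # Guest is found by its well-known RID (501), so a renamed account is still caught.
    $guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
    if ($guest -and $guest.Enabled) {
        $findings += "Guest account '$($guest.Name)' is enabled"
    }

    # Local Users group (S-1-5-32-545) grants login rights. Flag Domain Users
    # (RID 513) and Everyone (S-1-1-0) if either is a member.
    # Assumption: group membership is one place the Everyone check applies.
    foreach ($member in Get-LocalGroupMember -SID 'S-1-5-32-545') {
        if ($member.SID.Value -like 'S-1-5-21-*-513') {
            $findings += "Domain Users is in local Users: $($member.Name)"
        }
        if ($member.SID.Value -eq 'S-1-1-0') {
            $findings += 'Everyone is in local Users'
        }
    }

    # Null sessions: RestrictAnonymous missing or 0 leaves anonymous enumeration open.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ([int]$lsa.RestrictAnonymous -lt 1) {
        $findings += 'RestrictAnonymous is 0 or not set'
    }

    # Assumed service short names for Telnet, IIS FTP (old and new), SMTP, NNTP.
    # Adjust to the names used on your build.
    $unneeded = 'TlntSvr', 'MSFTPSVC', 'FTPSVC', 'SMTPSVC', 'NntpSvc'
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $unneeded -contains $_.Name -and $_.StartMode -ne 'Disabled' } |
        ForEach-Object {
            $findings += "Service $($_.Name) is installed and not disabled ($($_.State))"
        }

    return $findings
}

$result = Test-ServerBaseline
if ($result) {
    $result | ForEach-Object { Write-Output "FINDING: $_" }
} else {
    Write-Output 'No findings for the checks covered.'
}
```

The script does not cover password strength or password policy, which are normally set and reviewed at the domain level.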
