Wharf Traders is moving to a new location, and the following is the proposed manual for its new office.
As a consultant to Wharf Traders, I have suggested the detailed specifications required to secure and protect the company's data, which is sensitive in nature.
I have proposed 3 Windows Server 2008 and 4 Linux servers, including Ubuntu and CentOS, as back-end servers for the network. I have also acknowledged that users will have client machines running XP or Vista.
In the manual I have detailed, step by step, the services and configuration that need to be enabled in the network, with further details in the Detailed Specification and Justification section of the manual.
The sole aim of this manual is to guide the system administrator of Wharf Traders through the configuration and setup of the network as specified.
Expected Audience of Proposed Manual
This is a very sensitive document. The manual contains information about the network that could expose it to potential threats if disclosed.
It contains confidential information and is meant only for use by the system administrator.
Planning of Users and Groups for Wharf Trader Network
Wharf Traders comprises four main departments (also known as divisions), namely:
Apart from these internal departments, external data flow is mainly between the Corporate Finance Division and its clients, such as lawyers and accountants. As per the requirements, this confidential data flow is identified here; the Investment Advice department also requires secure communication with the market makers.
NOTE: Classifying the nature of the data is very important for creating successful groups and their plan, which is covered in the next section. It is advisable to read the data flow section before reading and implementing anything further.
Chief Executive of Wharf Traders (CEO)
Corporate Finance Department:
This department has special requirements, such as secure and confidential transfer and storage of top-secret data that is highly sensitive in nature and liable to prosecution under UK law, so special care is taken in creating groups and identifying their roles along with users.
Managing Director of Corporate Finance (CF)
Project Supervisor
Project Team
Project coordinators
Investment Advice Department:
This department has special requirements, such as secure and confidential transfer and storage of secret data that is highly sensitive in nature and liable to prosecution under UK law, so special care is taken in creating groups and identifying their roles along with users. The data is hosted on a separate server, and it is acknowledged that the hosted service is provided to clients such as market makers via AIM to Wharf and then to its clients.
Managing Director of Investment Advice (IA)
Investment Advisors Supervisors
Investment Advice Team
Market facilitators Team
Coordinators
Research Department:
Research does not itself work on sensitive data. However, because it provides information to departments such as Corporate Finance and Investment Advice on potential clients and prospects and on the progress of listings for current clients, its information ultimately becomes sensitive in nature.
Managing Director of Research (RE)
Investment Advice Support Supervisors
Investment Advice Support Team
Corporate Finance Support Supervisors
Corporate Finance Support Team
Back Office:
Back Office is responsible for all the clerical work of the company, so it also does the printing and accounting: from creating invoices for clients and sending them by post, to printing documents and posting them on news posts, and various other activities.
Managing Director of Back Office (BO)
Back Office Supervisors
Back Office Team
Personal Assistant to Chief Executive (CEO)
NOTE: This information will additionally follow the Bell-LaPadula information model to produce effective users and groups and eventually enforce policy based on it.
In simple terms, the Bell-LaPadula information model consists of two rules:
No read up
No write down
More information is given in the Detailed Specification and Justification section, which can be referred to when in doubt.
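The two rules can be checked mechanically against the classification labels this manual uses. The script below is an added example, not part of the original manual; it assumes the ordering Normal < Restricted < Confidential < Top Secret and takes each department's level from the data-classification table.

```shell
#!/bin/sh
# Added example (not from the manual): Bell-LaPadula checks over the
# classification labels used in this manual's data-classification table.

# Assumed ordering, lowest to highest:
#   Normal < Restricted < Confidential < Top Secret
level_rank() {
    case "$1" in
        "Normal")       echo 0 ;;
        "Restricted")   echo 1 ;;
        "Confidential") echo 2 ;;
        "Top Secret")   echo 3 ;;
        *) echo "unknown level: $1" >&2; return 2 ;;
    esac
}

# UK classification level per department, as listed in the manual's table.
dept_level() {
    case "$1" in
        "Corporate Finance")      echo "Top Secret" ;;
        "Investment Advice")      echo "Confidential" ;;
        "Research"|"Back Office") echo "Restricted" ;;
        *) echo "unknown department: $1" >&2; return 2 ;;
    esac
}

# blp_allows SUBJECT_LEVEL OBJECT_LEVEL read|write
# Exit status: 0 = permitted, 1 = denied, 2 = bad input.
blp_allows() (
    s=$(level_rank "$1") || exit 2
    o=$(level_rank "$2") || exit 2
    case "$3" in
        read)  [ "$s" -ge "$o" ] ;;   # no read up
        write) [ "$s" -le "$o" ] ;;   # no write down
        *) echo "unknown operation: $3" >&2; exit 2 ;;
    esac
)

# dept_access FROM_DEPT TO_DEPT: print what FROM's staff may do with data
# held at TO's level: "read", "write", "read write" or "none".
dept_access() (
    from=$(dept_level "$1") || exit 2
    to=$(dept_level "$2") || exit 2
    ops=
    for op in read write; do
        if blp_allows "$from" "$to" "$op"; then ops="${ops:+$ops }$op"; fi
    done
    echo "${ops:-none}"
)

# Demo: Research can feed Corporate Finance but cannot read its data back.
for pair in "Research|Corporate Finance" "Corporate Finance|Research" \
            "Research|Back Office"; do
    printf '%-18s -> %-18s : %s\n' "${pair%%|*}" "${pair##*|}" \
        "$(dept_access "${pair%%|*}" "${pair##*|}")"
done
```
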
Creation of groups is based on the plan above and is described in Section 5 of this manual.
Data Flow and Data Classification in Wharf Traders
Classification of Data
Data classification is an essential part of user and group planning, as it supports and acknowledges the daily operations and functions of Wharf Trader in terms of storing and transferring data over the network internally and externally over the internet.
Classification helps to identify the following things:
Criticality of Data
Sensitivity of Data
How much to Protect, Control and Secure any particular Data
Hence, keeping these things in mind, below is the proposed classification of data based on UK Data Classification.
| Departments | UK Classification Level | Traffic Flow of Data: Internally | Traffic Flow of Data: Externally | Security Via |
| --- | --- | --- | --- | --- |
| Corporate Finance | Top Secret | Top Secret | Top Secret | SSH, SFTP, IPsec, Firewall |
| Investment Advice | Confidential | Confidential | Confidential | SSL, IPsec |
| Research | Restricted | Normal | Normal | IPsec |
| Back Office | Restricted | Normal | Normal | IPsec |
Figure 2
Diagram 1
Diagram 2
Diagram 3
Network Overview and Server cataloguing (Role) within Wharf Trader
The network of Wharf Traders comprises the following:
Switches
Firewalls
Servers
Backup Servers
Client Workstations
NOTE: Please refer to the Detailed Specification and Justification section for further information on these details and in case of any doubts.
Diagram 4
Server Cataloging
The set-up for the Wharf Trader domain comprises the following servers, including their services, as shown in figure 4:
Primary Domain Controllers (WT-DC1).
Secondary Domain Controllers (WT-DC2).
A Member Server/File server (WT-SRV1).
A Member Backup Server/File server (WT-SRV2).
Corporate Department Server -Linux-Corporate (WT-CF-Com)
Investment Department Server -Linux-Investment (WT-IA-Com)
Database Server -Linux-Wharf (WT-DB)
Backup Server -Linux-Backup (WT-BKP)
NOTE: Refer to the justification section of this manual to identify the reason for any item in this section.
Role Configuration for Above Mentioned Servers :
Table 3.1
Table 3.2
Table 3.3
Server's Configurations
To configure the servers there are certain steps and procedures to follow after the planning done above, where roles are specifically declared.
NOTE: This is just a step-by-step procedure without detailed information. If, in case of uncertainty, such detailed information is required, please refer to the Detailed Specification and Justification section of this manual.
1). Configuration of Domain Controller, Active Directory, DNS, Mail Server, File Server etc.
Active Directory within the domain controller is essential for providing authentication and authorization. Users from each department will be assigned proper security identifiers (SID & UID) to access the IT resources.
Configuring the Primary Domain Controller
Set up the Primary Domain Controller [1]. Initial configuration and setup should be done on the Primary Domain Controller as shown in Figure 3.1.
Promote the Primary Domain Controller; there are a few configurations to keep in mind:
Fully Qualified Domain Name (FQDN) within root domain forest: WHARFTRADER.COM
NetBIOS Name/default name of Domain: WT
Options -> Additional Domain Controller: leave the checkbox next to DNS Server selected, as it is.
Use of a complex password is essential, combining uppercase and lowercase characters, numbers and non-alphanumeric characters, and at least 8 characters long.
Amend if not ->DNS delegation is selected to manually: Yes
Log On as Domain Administrator
Verify the Domain Zone for the Primary Domain Controller
Configuring the Secondary Domain Controller
The function of a Secondary Domain Controller within the same domain is to increase the redundancy and reliability of network services and resources. Deploying an additional Domain Controller helps significantly to provide fault tolerance and load balancing within the domain.
Set up the Secondary Domain Controller. Initial configuration and setup should be done on the Domain Controller as shown in Figure 3.1.
Join the Secondary Domain Controller to the WHARFTRADER.COM domain.
Install the DNS service on the Secondary Domain Controller.
Promote the Secondary Domain Controller; there are a few configurations to keep in mind:
Effective Configuration: Add this domain controller to the same forest as above.
Network recommendation: The name of the domain will be WHARFTRADER.COM
Configure this Secondary Domain Controller as a Global Catalogue server for the domain.
A DNS delegation is not required, so ignore it.
Install from media: replicate the data over the network from the current domain controller.
Log on as a domain administrator and not as the local administrator.
Verify the Domain Zone for the Secondary Domain Controller
File Services Configuration on Windows Server 2008
Set up the Member Server. Initial configuration and setup should be done in Domain Controller as shown in Figure 3.2.
Join the Member Server to the WHARFTRADER.COM domain.
Configure the Member Server as a File Server [2].
Verify in the Server Manager console that the File Services role is added.
DHCP Services Configuration on Windows Server 2008
Configure the Member Server as a DHCP Server [3].
Verify in the Server Manager console that the DHCP Services are added.
There are a few configurations to keep in mind:
Create a new scope (a different IP address range for every department) based on the settings shown in Figure 3.2.
Create new reservations so that a DHCP client (workstation) from the same department is always assigned the same IP address.
Note: Always log on as Domain Administrator when accessing this Member Server and not as the local administrator, or else the domain won't be visible.
Network File System (NFS) Services Configuration on Windows Server 2008
Begin the installation of Network File System (NFS) [4] on Server 2008.
Configure NFS authentication (e.g. wtadmin)
Create an NFS shared folder
Assign permissions to folders (e.g. Read Only permissions, Write Only permissions, and Execute (Read and Write) permissions)
From the Linux-Corporate and Linux-Investment servers, mount the NFS shared folder created above.
An SSH server is required on the Windows Server 2008 machine to secure the communication channel for file transfer (e.g. backing up archives, auditing logs etc.).
NOTE: Windows Server 2008 defines a Domain Controller Policy and a Domain Policy by default. In the Domain Policy, the password policy is enabled from the beginning (operational built-in security).
Policies are described in detail in another part of the manual and in the detailed specification section.
Linux Server Configuration (Ubuntu Server Version 9)
This server setup facilitates the secure communication of data between the Corporate Finance department and its clients (new clients, their advisors and their lawyers).
Linux-Corporate Server Configuration - Ubuntu Server Version 9
Set up the Linux-Corporate Server [5]. Initial configuration and setup should be done as shown in Figure 3.3.
Once the Linux-Corporate Server (Ubuntu V9) is installed, there are a few configurations to keep in mind:
Change the root password to a strong password, as described for Windows: a complex password with a similar combination of letters (upper and lower case), numeric characters and special characters, as mentioned below.
Create a less-privileged user (e.g. wtadmin); this user will have access to the root account via the sudo utility as required.
Ensure a strong password policy:
Password complexity needs to include at least e.g. a-z, A-Z, !#~% etc.
Maximum age of a password before it expires
Minimum length of a password needs to be at least 8 characters
Make certain that the openssh [6] server is installed to provide secure remote access.
Please note: be careful not to alter any other configuration option in the file. Always save the file before quitting.
Make certain that the 'PermitRootLogin' value is set to 'no' in the SSH configuration file:
/etc/ssh/sshd_config
The SSH server needs to be restarted for the changes to take effect:
/etc/init.d/ssh restart
Linux-Investment Server Configuration - Ubuntu Server Version9
Set up the Linux-Investment Server with the settings shown in Figure 3.4.
Once the installation of the server is finished, follow the steps shown in the Linux-Corporate Server configuration.
Linux-Database Server Configuration - CentOS Server
Set up the Linux-Database Server with the settings shown in Figure 3.5.
Once the installation of the server is finished, follow the steps shown in the Linux-Corporate Server configuration.
Linux-Backup Server Configuration - Ubuntu Server
Set up the Linux-Backup Server with the settings shown in Figure 3.6.
Once the installation of the server is finished, follow the steps shown in the Linux-Corporate Server configuration.
Also, change the network interface configuration to accept connections only from the local servers Linux-Corporate and Linux-Investment.
Edit the iptables configuration to block all IP addresses apart from 193.168.2.5, 193.168.2.7 and 193.168.2.6.
Also change it so that there is no outgoing connection directly from this server, blocking any external incoming and outgoing connections.
Make outgoing connections via 193.168.2.5.
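One way to express the Linux-Backup restrictions above as a rule set, as an added example that is not part of the original manual. It assumes the peers only need SSH (tcp/22) and reads "via 193.168.2.5" as "new outbound connections may only go to that host"; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the manual): build an iptables-restore rule set
# for the Linux-Backup server from the addresses given in the manual.

# valid_ipv4 ADDR: succeed only for a dotted quad with each octet 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# backup_fw_rules GATEWAY [PEER...]
# GATEWAY is the one host this server may open connections to; GATEWAY
# and every PEER may open SSH sessions to it. Everything else is dropped.
backup_fw_rules() (
    [ $# -ge 1 ] || { echo "usage: backup_fw_rules GATEWAY [PEER...]" >&2; exit 2; }
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; exit 2; }
    done
    gateway=$1

    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT DROP [0:0]"
    # Loopback, and replies on connections that were already allowed.
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A OUTPUT -o lo -j ACCEPT"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Assumption: peers only need SSH (tcp/22), which carries the backups.
    for ip in "$@"; do
        echo "-A INPUT -s $ip -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    done
    # New outbound connections only towards the gateway host.
    echo "-A OUTPUT -d $gateway -m state --state NEW -j ACCEPT"
    # Log what is about to be dropped, rate-limited to protect the disk.
    echo "-A INPUT -m limit --limit 6/min -j LOG --log-prefix \"WT-BKP in-drop: \""
    echo "-A OUTPUT -m limit --limit 6/min -j LOG --log-prefix \"WT-BKP out-drop: \""
    echo "COMMIT"
)

# Demo with the three addresses named in the manual (193.168.2.5 first,
# because outgoing connections are to go via that host).
backup_fw_rules 193.168.2.5 193.168.2.6 193.168.2.7
```

The output can be checked without loading it by piping it to iptables-restore --test as root, and loaded by piping it to iptables-restore.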
Creating Groups and Users as Planned in Section 1 of the Manual within the active directory of WT-DC1 (Primary Domain Controller)
The objective of implementing Active Directory is to control (restrict) and smooth the usage of resources within the Wharf Trader network. Forming groups gives fine-grained control in the Windows environment so that access authorisation and authentication can be maintained.
Diagram 5 below shows two of the departments, Corporate Finance and Investment Advice, and their team groups, as an example of managing members and memberships within the domain and Active Directory to refine control over access, authentication and permission to specific resources. Further groups need to be created in the same way to achieve fine-grained control over the network and over users' usage of the other network resources.
Diagram 5
As can be seen above, only certain permissions on the folders of CA and IA will be available to Research, so that it cannot have full rights on either of them. Note that Back Office won't have any rights on these folders and hence cannot access them.
Follow the steps below to create users and groups as specified in Section 1, Planning of Users and Groups.
Creating groups from members and members from users includes the following steps:
Create Organisational Units (OUs),
Create users for every department,
Create Global Groups in every department,
Allocate users to their relevant Global Groups,
For specific uses, allocate domain local groups from global groups,
Allocate computers to their relevant sub-OU.
As from Section 1, begin creation of Organisational Units (OUs)
The tasks to follow to create Organisational Units (OUs) [7] are listed below:
Launch "Active Directory Users and Computers".
On the domain WHARFTRADER.COM, choose New -> Organizational Unit.
Enter the name of the department in the OU dialog box and click OK to confirm and create the OU.
To hold users and resources, create sub-Organisational Units.
Repeat this step to complete the rest of the departments mentioned in section 1 of this manual.
Note: An Organisational Unit is the target of only one Group Policy, which therefore applies only to the particular group in that Organisational Unit; different groups can have different policies.
As from Section 1 begin creation of users
The tasks to follow to create users [8] are listed below:
Launch "Active Directory Users and Computers".
In the domain WHARFTRADER.COM, move to the selected Organisational Unit (e.g. Research) and Sub-Organisational Unit (e.g. RE_UG Accounts).
On the Sub-Organisational Unit (e.g. RE_UG Accounts), click New -> User.
Fill in the name of the user (e.g. Mary) etc. and click OK to continue.
Set the user password option to "change at next logon" only.
Repeat these steps to complete the account setup for the other users mentioned in section 1, or others as required.
Password policy of Windows Server:
Enforce password history: twenty-four passwords kept
Maximum age of password: forty-two days
Minimum age of password: one day
Minimum length of password: seven characters
Password complexity requirements: Enabled
This password policy is in effect by default within the domain policy mentioned above; it will be redefined on the execution of a suitable security and maintenance management policy.
As from Section 1 begin Creation of Global Groups
The tasks to follow to create Global Groups [9] are listed below:
Launch "Active Directory Users and Computers".
In the domain WHARFTRADER.COM, move to the respective Organisational Unit (e.g. Research) and Sub-Organisational Unit (e.g. RE_UG Accounts).
On to New and choose Group from
In the Group dialog box, there are a few configurations to note:
Group names must not be identical within the domain.
In Group Scope choose Global; in Group Type choose Security.
Write the group name and choose OK to complete the process.
Repeat the same steps to complete the rest of the groups mentioned in section 1 of this manual, and others as required.
Assign Users to Groups
To add users to Global Groups [10]:
Launch "Active Directory Users and Computers".
In the domain (WHARFTRADER.COM), choose the Organisational Unit (e.g. Research) and Sub-Organisational Unit (e.g. RE_UG Accounts).
Choose the group and choose Properties.
In Members, choose Add.
Choose Advanced, then Find Now. Click OK to complete the process.
Repeat the same steps to add users to their respective groups from section 1 of this manual, and others as required.
Reference to diagram 6
DIAGRAM 6
Authentication, Authorisation and Access Control Methods in Wharf Trader Network and Storage Security
6.1 Authentication
In Windows Server, authentication is based on Kerberos.
Since it is suitable for managing a much larger network with distributed resources, there are a few points to note:
Single point of failure: keeping two domain controllers provides additional redundancy to the network.
The clock synchronisation between the client and the Key Distribution Centre must be well within a 5-minute window, or else authentication won't get through.
6.2 IP Sec Implementation
The IP security (IPsec) method is used to ensure that sensitive data is transferred across the internal network safely and securely. This approach is mainly aimed at protecting data in transit from unwanted interference and capture.
Use this technology while accessing the file server.
To communicate with the server, make the client systems comply with IPsec. Make the following minor changes to accomplish this:
Always respond to IPsec and do not allow unsecured connections
Do not allow any inbound passing
Do not accept connections from IP addresses that do not comply with IPsec
Use only a pre-shared key as the method to authenticate
Choose tunnel as the IPsec mode setting
Choose only the IP address of WT-SVR1, or of WT-SVR2 when SVR1 is down.
NOTE: The details and implementation above apply only to the Windows servers, and those below apply only to the Linux servers (please refer to the detailed specification section of the manual for any further information).
For user authentication and account information with Windows AD, LDAP is used for account information, whereas Kerberos is used for user authentication.
Lightweight Directory Access Protocol Installation and configuration on Linux Ubuntu Server V9
Install ldap and its library, using the su command to get root privilege.
Use the IP address of WT-DC1, which hosts Active Directory for Windows. Use DC=WHARFTRADER;DC=Com
Choose LDAP version = 3 and amend the details in the nsswitch configuration file to hide the details of LDAP.
To view users via LDAP, install the utility and test the user accounts that are present in Active Directory.
Install and configure kerberos5 on the Linux Ubuntu Server
Install Kerberos and configure the krb5 configuration file
Default realm: WHARFTRADER.com
Provide the IP address along with the port for the KDC (Key Distribution Center)
Specify WHARFTRADER.com.
Configure ticket granting time, encryption methods etc. for added security
Modify the /etc/pam.d/common-session file
Add another "session required" line here and restrict root access
Add the session line mentioned above to create the home directory for the user session
Systems need to have their time synchronised in order to be authenticated within the 5-minute window.
To do this, install ntpdate as root via the su command.
6.5 Authenticating via Certification Authority
A certification authority is essential because, when any system needs to connect, it will query for a ticket by matching the username provided by LDAP and sending the password in encrypted form along with a key provided by the server; a certificate is substituted to secure the transfer of data. The server creates the certificates to be used on the network, so an external CA is not required and the server can issue its own Root CA.
Follow the steps to create the Root CA.
openssl genrsa -des3 -out WHARFTRADER.key 1999
It will ask for a passphrase or password.
openssl req -new -x509 -days 360 -key WHARFTRADER.key -out WHARFTRADER.crt
It will ask for information such as company name, address etc.
The certificate for your organization is then produced; to view the certificate, type openssl x509 -in WHARFTRADER.crt -text -noout.
6.6 Configuration of SSH and SFTP
Only permit domain-authenticated users and groups to access WT-CF and WT-IA respectively.
Make certain that ssh is running on the server and check that iptables is configured accordingly.
Copy the sshd configuration file to the other server and make the file read-only to prevent editing.
Security configurations to note when configuring SSH:
Choose logout and interval times for when the system is not in use
Do not allow direct login to the root account
Delete unnecessary accounts and details and modify defaults.
Only use protocol version 2
Only use PK-based authentication with complex passwords
Monitor and log every access, change iptables to accept only limited connections and ports, and also alter hosts.allow/hosts.deny
Only allow users access to their own directory and no other, locking down access with e.g. SELinux
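The SSH points above, together with the PermitRootLogin step in the Linux-Corporate section, can be checked against the file with a short audit script. This is an added example, not part of the original manual; it reads "PK based authentication" as password logins switched off, and the group name and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the manual): check an sshd_config against the
# SSH settings this manual asks for.

# sshd_value FILE KEYWORD: print the effective global value of KEYWORD.
# sshd keeps the first value it reads for a keyword, keyword names are
# case-insensitive, and "Key=value" is accepted as well as "Key value".
sshd_value() {
    awk -v key="$2" '
        { sub(/^[ \t]+/, "") }               # drop leading whitespace
        /^#/ || /^$/ { next }                # comments and blank lines
        { split($0, f, /[ \t=]+/) }
        tolower(f[1]) == "match" { exit }    # conditional blocks: stop here
        tolower(f[1]) == tolower(key) { print f[2]; exit }
    ' "$1"
}

# audit_sshd FILE: print one FAIL line per deviation; exit 1 if any.
audit_sshd() (
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; exit 2; }
    rc=0
    fail() { echo "FAIL: $1"; rc=1; }

    [ "$(sshd_value "$file" PermitRootLogin)" = "no" ] ||
        fail "PermitRootLogin must be 'no'"
    # Current OpenSSH only speaks protocol 2; releases of this manual's
    # era need the explicit setting.
    [ "$(sshd_value "$file" Protocol)" = "2" ] ||
        fail "Protocol must be set to '2' explicitly"
    [ "$(sshd_value "$file" PubkeyAuthentication)" != "no" ] ||
        fail "PubkeyAuthentication must not be disabled"
    # Assumption: key-only logins means password logins are switched off.
    [ "$(sshd_value "$file" PasswordAuthentication)" = "no" ] ||
        fail "PasswordAuthentication must be 'no'"
    [ -n "$(sshd_value "$file" AllowGroups)$(sshd_value "$file" AllowUsers)" ] ||
        fail "AllowGroups or AllowUsers must restrict who may log in"
    exit "$rc"
)

# Constructed sample: the later "PermitRootLogin no" has no effect
# because the earlier line wins, and the password line is commented out.
sample_weak_config() {
    cat <<'EOF'
# constructed sample, not a real server's file
Port 22
Protocol 2,1
permitrootlogin yes
PermitRootLogin no
#PasswordAuthentication no
EOF
}

# Constructed sample that passes; wt-cf-sftp is a hypothetical group.
sample_hardened_config() {
    cat <<'EOF'
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication=no
AllowGroups wt-cf-sftp
Match Group wt-cf-sftp
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
EOF
}

# Demo on the weak sample: prints four FAIL lines.
demo_cfg=$(mktemp)
sample_weak_config > "$demo_cfg"
audit_sshd "$demo_cfg" || echo "sshd_config is not compliant"
rm -f "$demo_cfg"
```
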
Create folder sharing to allow access for users who are within the network of Wharf Traders.
Only allow users access based on permissions.
Only allow root to alter permissions on folders.
Only allow specific file formats to be stored and shared, and use a daily cron job to delete any file that does not match the specification.
Write a shell/Perl script, run from cron at a specific time when the load on the server is lower, to delete any files that are not required. (Make sure this is done with a script that runs before the daily backup is done; the schedule is edited with crontab -e.)
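A sketch of such a clean-up script, as an added example that is not part of the original manual. The allowed extensions and the share path are hypothetical, and the list mode allows a dry run before anything is deleted.

```shell
#!/bin/sh
# Added example (not from the manual): remove files whose extension is not
# on the share's allow-list. Paths and extensions are hypothetical.

# purge_disallowed MODE DIR EXT...
#   MODE "list"   prints the files that would be removed (dry run)
#   MODE "delete" prints and removes them
# Extensions are compared case-insensitively; files with no extension are
# treated as disallowed. Symbolic links are never followed or removed.
purge_disallowed() (
    [ $# -ge 3 ] || { echo "usage: purge_disallowed list|delete DIR EXT..." >&2; exit 2; }
    mode=$1 dir=$2
    shift 2
    case "$mode" in
        list|delete) ;;
        *) echo "bad mode: $mode" >&2; exit 2 ;;
    esac
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; exit 2; }
    allowed=$(printf ' %s ' "$@" | tr '[:upper:]' '[:lower:]')
    # find hands file names to the inner shell as arguments, so names
    # with spaces or newlines are handled without word splitting.
    MODE=$mode ALLOWED=$allowed find "$dir" -xdev -type f -exec sh -c '
        for f do
            name=${f##*/}
            ext=
            case "$name" in
                *.*) ext=$(printf "%s" "${name##*.}" | tr "[:upper:]" "[:lower:]") ;;
            esac
            if [ -n "$ext" ]; then
                case "$ALLOWED" in *" $ext "*) continue ;; esac
            fi
            printf "%s\n" "$f"
            if [ "$MODE" = delete ]; then rm -f -- "$f"; fi
        done' sh {} +
)

# Run directly when called with arguments, for example from a crontab
# entry that fires before the daily backup (hypothetical paths):
#   30 0 * * * /usr/local/sbin/wt-purge.sh delete /srv/share pdf doc xls
if [ $# -ge 3 ]; then
    purge_disallowed "$@"
fi
```
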
IPTABLES: Other measures to enable include iptables, the firewall of Linux systems, which provides much finer control than the Windows firewall: any specific IP address, protocol and port number can be blocked or allowed.
The active rules can be checked with the command iptables -L -n -v (on CentOS, service iptables status also reports them).
SELinux: an extension to Linux accounts that provides additional security by placing each process in a compartment, so that whenever an application is compromised it can only compromise processes within that compartment and not the whole system. Every compartment has only one process. Install and enable it to achieve an extra layer of security on the servers in the DMZ.
1.9 Configuring the Encrypting File System
It only encrypts data when it is actually stored on the system, not while the data is in transit over the network or an external link.
Allow EFS via local policy on the server and choose to encrypt the contents of the user folder.
NTFS is recommended, as setting up user permissions in the same way as in the steps above protects files and folders from unauthorised access.
7. Backup And Restoration
On the servers, backup is done easily with a backup tool that provides excellent solutions for backup and recovery.
7.1 Windows Server
Keeping backups is essential and good practice, so that in the event of failure restoration can be done from backup. Ideally, all mission-critical systems should be configured to back up regularly on a daily basis.
Back up mission-critical systems
The files essential to a successful restore are system files, policies, mail server configuration including MX records, and users and groups via Active Directory.
Logs are helpful later in identifying the cause of a failure, so it is essential to back up logon, system, user, security and other logs.
Back up all data, including the department folders hosted on the server, in case of any deletion or drive failure.
Configure the backup schedule as shown below, depending on the criticality and amount of data.
Daily Backup - Incremental
Weekly Backup - Incremental
Monthly Backup - Full
Backups should be stored in a proper environment, along with one copy of the backup at an offsite location, to comply with BCM (Business Continuity Management).
One monthly backup copy is proposed to be sent to an offsite location to acknowledge BCM (Business Continuity Management) in the event of disaster.
Restoration of files should be done once a month to verify that the data is written properly, and the media should always be changed after a certain time limit, i.e. every 6 months.
7.2 Linux Ubuntu and Centos Servers
It is easy to back up on Linux with the tar and cron utilities.
Tar is used to compress and store files on Unix systems, and cron is used as a scheduler to run any script or command at a specified time. The mount command can be used for restoration from this type of file. Scheduling of backups should be done in a similar way to the Windows server.
Using a shell script [11], back up all required files, including system files and logs.
Make sure that transfer of files via ssh is enabled and that no line in iptables is blocking the functioning of ssh.
Please refer to the detailed specification to see a sample file.
Restoration of files should be done once a month to verify that the data is written properly, and the media should always be changed after a certain time limit, i.e. every 6 months.
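The full-plus-incremental schedule and the monthly restore test can be scripted together. The following is an added example, not the sample file from the manual's detailed specification; it assumes GNU tar (the tar shipped with Ubuntu and CentOS) and sha256sum, and all directory names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the manual): tar backup sets with a restore
# test. Needs GNU tar; all directory names are hypothetical.

# wt_backup SRC SET_DIR: add the next archive to the backup set.
# The first archive in an empty SET_DIR is a full backup; later runs
# store only what changed, tracked in SET_DIR/snapshot.snar. Starting a
# new SET_DIR each month gives "monthly full, daily incremental".
wt_backup() (
    src=$1 set_dir=$2
    [ -d "$src" ] || { echo "no such directory: $src" >&2; exit 2; }
    mkdir -p "$set_dir" || exit 2
    n=$(find "$set_dir" -name '[0-9][0-9][0-9].tar.gz' | wc -l)
    archive=$(printf '%03d.tar.gz' "$n")
    tar --listed-incremental="$set_dir/snapshot.snar" \
        -czf "$set_dir/$archive" -C "$src" . || exit 1
    # Record a checksum so later corruption of the media is detectable.
    (cd "$set_dir" && sha256sum "$archive" >> SHA256SUMS) || exit 1
    echo "$set_dir/$archive"
)

# wt_restore_check SET_DIR REFERENCE_DIR: verify the checksums, restore
# the whole set in order into a scratch directory and compare the result
# with REFERENCE_DIR. Comparing against the live tree is only meaningful
# straight after a backup run.
wt_restore_check() (
    set_dir=$1 ref=$2
    (cd "$set_dir" && sha256sum -c SHA256SUMS >/dev/null 2>&1) ||
        { echo "checksum mismatch in $set_dir" >&2; exit 1; }
    tmp=$(mktemp -d) || exit 2
    trap 'rm -rf "$tmp"' EXIT
    for a in "$set_dir"/[0-9][0-9][0-9].tar.gz; do
        # /dev/null as the snapshot file selects incremental restore,
        # which also removes files that were deleted between runs.
        tar --listed-incremental=/dev/null -xzf "$a" -C "$tmp" || exit 1
    done
    diff -r "$ref" "$tmp" >/dev/null ||
        { echo "restored tree differs from $ref" >&2; exit 1; }
)

# Demo on a throwaway tree.
demo=$(mktemp -d)
mkdir "$demo/src" && echo "ledger v1" > "$demo/src/ledger.txt"
wt_backup "$demo/src" "$demo/set" && wt_restore_check "$demo/set" "$demo/src" &&
    echo "restore test passed"
rm -rf "$demo"
```
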
8. Auditing Servers in Wharf Trader Network
8.1 System Auditing for Windows Servers
Set the auditing policy to enabled on the system.
Ensure that the policy is linked with the Organisational Unit to which the clients are connected, such as RE_Workstations, and that they have received the policy.
Ensure that logs are not overwritten when the logs are full.
Ensure that the logs are stored and backed up to the selected location at the times proposed in the backup section of the manual.
8.2 System Auditing for Linux Ubuntu and Centos Servers
Install the auditing utility and configure it.
With this utility, monitor critical files such as password files, the file system and syscall audit.
Ensure that logs are not overwritten when the logs are full.
Ensure that the logs are stored and backed up to the selected location at the times proposed in the backup section of the manual.
Keep logs on more than one server and at an offsite location, so that if one system is compromised and its logs are changed to cover footprints, the logs will still be available from another system unknown to anyone who tried to exploit the server and hide their tracks.
Please note: check logs regularly using a Perl/shell script that filters specific logs, and enable emailing of logs to the system administrator using a cron job, as in the sample script in the detailed specification section of this manual.
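A log-filtering script of the kind described, as an added example that is not the sample script from the manual's detailed specification. It summarises failed SSH logins from an OpenSSH auth log; the log lines are constructed, and the source address is read from the end of each line so that a crafted user name cannot shift it.

```shell
#!/bin/sh
# Added example (not from the manual): summarise failed SSH logins from an
# OpenSSH auth log (/var/log/auth.log on Ubuntu, /var/log/secure on CentOS).

# auth_report FILE MIN_FAILURES  (FILE may be "-" for standard input)
# Prints "BRUTEFORCE ip count" for sources with at least MIN_FAILURES
# failed passwords, and "ROOT_ATTEMPT ip count" for any failed root login.
# A failure line ends "... from IP port N ssh2", so the address is taken
# by counting back from the end of the line. User names supplied by the
# client (they may even contain " from 10.0.0.1") cannot move it.
auth_report() {
    awk -v min="$2" '
        $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Failed" && $7 == "password" &&
        $(NF-4) == "from" {
            ip = $(NF-3)
            failed[ip]++
            # Exactly "for root from IP port N ssh2": 14 fields in total.
            if ($9 == "root" && NF == 14) root[ip]++
        }
        END {
            for (ip in failed)
                if (failed[ip] >= min) print "BRUTEFORCE", ip, failed[ip]
            for (ip in root) print "ROOT_ATTEMPT", ip, root[ip]
        }' "$1" | LC_ALL=C sort
}

# Constructed sample lines; the third carries a user name crafted to look
# like a different source address.
sample_auth_log() {
    cat <<'EOF'
Mar  3 01:12:01 wt-cf-com sshd[2101]: Failed password for invalid user admin from 203.0.113.50 port 40122 ssh2
Mar  3 01:12:04 wt-cf-com sshd[2101]: Failed password for root from 203.0.113.50 port 40125 ssh2
Mar  3 01:12:09 wt-cf-com sshd[2104]: Failed password for invalid user root from 10.0.0.1 from 203.0.113.50 port 40130 ssh2
Mar  3 02:40:17 wt-cf-com sshd[2230]: Failed password for wtadmin from 193.168.2.6 port 51514 ssh2
Mar  3 02:40:25 wt-cf-com sshd[2230]: Accepted publickey for wtadmin from 193.168.2.6 port 51514 ssh2
Mar  3 03:05:44 wt-cf-com sshd[2301]: Failed password for root from 198.51.100.7 port 33010 ssh2
Mar  3 03:06:10 wt-cf-com sudo:  wtadmin : TTY=pts/0 ; PWD=/home/wtadmin ; USER=root ; COMMAND=/bin/cat /etc/shadow
EOF
}

# Demo on the constructed sample. From cron, the report would be piped
# to mail, for example:  auth_report /var/log/auth.log 3 | mail -s "WT auth report" root
sample_auth_log | auth_report - 3
```
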
9. Group Policy Setting and Management
9.1 Windows Servers
Policies are dynamic: they can and need to be changed over time, so it is up to the administrator to maintain control of them and review them in a timely manner. Follow the steps below to do this when required:
Launch Group Policy Management
Choose the name of the GPO, which can be Managing Directors, CEO etc.
Choose Policy and Preference and configure the following items:
Control access to user activity,
Control software installation, update and deletion,
Control management of users' data and roaming profiles,
Construct policy on the basis of groups as required. For example, Managing Directors should have privilege over the data of Supervisors and Teams, Teams should have privilege over the data of Team coordinators, and Team coordinators should have privilege over a limited domain where they can interact with other Team coordinators.
After assigning the appropriate privileges, choose 'Group Policy Management' and construct the GPO within this domain.
Verify in 'Active Directory Users and Computers' that it is visible and enforced.
Configure policies
Software Policy: to restrict the running of unauthorised software
Account Policies: such as password, lockout, Kerberos policy etc.
Local Policies: auditing, user rights management, security etc.
Configuration of Firewall Policy
Using a firewall provides an extra layer of security. Using application-based (proxy) and packet-based firewalls can create a demilitarised zone, as shown in the network diagram earlier in this manual.
Construct Firewall Policy as per requirement using below mentioned steps:
Permit only Internet services via Ports 80 and 443 In and out
Permit only SSH via Port 22 In and out
Permit only IPsec via Ports 500, 50 and 51 In and Out
Permit only DNS Services via Port 53 of User Datagram Protocol In and Out
Permit only DHCP Services via Ports 67 and 68 In and Out
Permit only SMTP Services via Port 25 In and Out
Permit only Remote Procedure Calls services via Port 135 In and Out etc.
Enable logging of firewall.
Use Access Control List on Switches for extra protection and for authenticating users internally and externally.
Allocate policy to the clients systems in Organisational Units as mentioned in above section of this manual.
10. Patch Management Service
10.1 Windows Server
Using Windows Server Update Services (WSUS), updates can be deployed in organisations such as Wharf Traders. The aim is to download updates and deploy them to workstations centrally rather than doing it manually on all systems.
Download and install WSUS on one of the Windows servers.
Download updates and schedule them to install at a time when there is less data flowing on the network (e.g. midnight).
Only update once thoroughly tested in a virtual environment.
Set a restoration point before implementation and roll back to it if a problem occurs.
Keep the audit logs to track changes and to troubleshoot if problems occur.
Permit only the Administrator to deploy the installed updates.
10.2 Linux Server
Using the Ubuntu update management system, updates can be deployed in organisations such as Wharf Traders. The aim is to download updates and deploy them to workstations centrally rather than doing it manually on all systems.
Download and install Ubuntu update management on one of the Ubuntu servers.
Download updates and schedule them to install at a time when there is less data flowing on the network (e.g. midnight).
Only update once thoroughly tested in a virtual environment.
Set a restoration point before implementation and roll back to it if a problem occurs.
Keep the audit logs to track changes and to troubleshoot if problems occur.
Permit only the Administrator to deploy the installed updates.