4-page Case Study - Posted 2/22/2008

City of Uppsala

Swedish Municipality Increases Network Security and Reduces Costs

The City of Uppsala, one of Sweden’s largest municipalities, operates two separate computer networks. One is used by city administrators, and the other is used by students and staff at the local public schools. The city needed to protect the administration network from unauthorized access and malware attacks. In May 2007, the city teamed with TrueSec, a Microsoft® Gold Certified Partner, to test and deploy Windows Server® 2008 Network Access Protection on the administration network. To gain access to prerelease builds of the software, the city participated in the Microsoft Rapid Deployment Program. After completing the pilot deployment, the city expects to see significant improvements in system security and stability. The city also anticipates that the solution will help lower IT administration costs.

Situation

“Defending our administration network against malicious attacks has sometimes been a time-consuming job. Windows Server 2008 Network Access Protection will help us to do this more efficiently.”
Mats Birgersson
Server Technician
City of Uppsala

The City of Uppsala, also known as Uppsala Kommun, is located in central Sweden. With more than 185,000 inhabitants, it is the country’s fourth largest municipality. The city operates an IT environment consisting of two enterprise networks separated by a firewall.

The administration network, used by employees of the municipality, includes 150 server computers running the Windows® 2000 Server and Windows Server® 2003 operating systems. Approximately 6,000 users access this network from 4,500 client computers. The other network is used by employees and students of Uppsala public schools and other affiliated schools in the area. This citywide education network consists of 100 server computers running Windows Server 2003 and various versions of Linux and Novell NetWare. More than 20,000 users access this network from approximately 7,000 client computers. Both the administration and education networks can be accessed through wireless LAN access points. All administration users can connect to the education network, and some education users are authorized to access the administration network.

Both networks have been targeted by malicious users attempting to gain access to sensitive information or to spread malware in the administration network. The networks have experienced some virus outbreaks, which have cost the city money and strained limited IT administration resources. According to Mats Birgersson, Server Technician for the City of Uppsala, “One of the problems with these kinds of large networks is that we have people going home with their computers and connecting to their home network. When they reconnect to one of our networks, we don’t know what is on the computers or who is using them.” The city does not allow unauthorized access to either network, but because the city-owned PCs are installed throughout the city of Uppsala, enforcing this restriction is difficult. Enforcement is made even more challenging by the fact that users with laptop computers can access either network through the wireless access points. These computers access many unsecured or less secure networks, making it impossible for the city’s IT administrators to determine the computers’ compliance with security and system health standards. Says Birgersson, “We have never lost any data from security exploits, but we knew we needed more control over network access than we had.”

The city needed a solution that would help protect all the servers on the administration network from unauthorized access. It wanted to give its IT administrators tools to help them track and control user access, and determine the security compliance of mobile computers before they accessed the network. Because of limited funding and IT staff resources, the solution had to be low-cost, offer comprehensive network protection, and operate in an automated way.

Solution

TrueSec, a Microsoft® Gold Certified Partner, was one of the city’s technology partners for maintaining the networks, so its consultants were familiar with the city’s network security challenges. When the enhancements to Network Access Protection (NAP) in Windows Server 2008 were announced, the consultants considered NAP technology to be a way to address those challenges. According to Anders Jansson, Security Consultant at TrueSec, “We proposed the idea of adopting NAP to Uppsala Kommun to increase the security of the city’s administration network. That was the first time the city had heard of the technology. Once it heard about what NAP could do, it agreed to proceed with the evaluation.”

“We have never lost any data from security exploits, but we knew we needed more control over network access than we had.”
Mats Birgersson
Server Technician
City of Uppsala

The city’s education network has servers that run Windows Server and Linux variants. One reason the city chose at the outset to deploy Microsoft technology over competing Linux solutions was that it offered better support. “If you go with Linux, you can never be sure of what kind of support you’re going to get,” says Birgersson. “Maybe the product is free, but you still have to put in the staff hours to basically support the product yourself. For us, that translates into a lot of overhead cost.” In addition, the city determined that Microsoft technology could meet the higher security requirements of the administration network. The network contains sensitive social services data that needs added protection from unauthorized access.

To get prerelease versions of Windows Server 2008, TrueSec and the city participated in the Microsoft Rapid Deployment Program. At the end of May 2007, they formed a migration team to test and deploy the Microsoft software. The team built a test network consisting of 15 servers running Windows Server 2008. Along with NAP, they installed Internet Protocol security (IPsec) to provide additional network-level security. When the team completed the evaluation phase two months later, representatives of the evaluation team participated in a Microsoft training event in Seattle to get detailed information on how to deploy NAP and Windows Server 2008.

In the third quarter of 2007, the migration team purchased 150 HP ProLiant servers with Quad-Core Intel Xeon processors for the administration network. The team installed Windows Server 2008, including Network Access Protection, on these servers in a pilot. In this phase of the deployment, the team also evaluated the Terminal Services Gateway component of Terminal Services as a tool to enable secure access to the administration network from clients on the education network that have been specially granted that access. The city wanted a firewall-friendly and easy-to-use replacement for the third-party technology it was using. NAP tracked all access to the administration network from client computers, evaluating their compliance with the city’s security standards before access was granted. Clients that were not compliant were logged for possible access denial. NAP includes remediation functionality that automatically updates noncompliant computers to bring them into compliance, but this capability was not enabled in this phase of the deployment.

The migration team planned to complete the pilot deployment in January 2008 and then deploy Windows Server 2008 to more servers in the administration network. The team had encountered some incompatibility issues that are common with prerelease software, but these were resolved early in the test phase. With the exception of these issues, the deployment has proceeded smoothly and the city is happy with the result. Says Birgersson, “We have had no problems with NAP or Windows Server 2008 in our deployment.”

Benefits

Even though the deployment of Windows Server 2008 is in its early stages, the city has already seen improvements in system security and stability. The city expects to experience greater benefits in those areas as the deployment continues. And it anticipates that the new solution will help reduce IT administration costs.

“We feel that the administration network is more secure, and we expect to see even greater security benefits as the Windows Server 2008 deployment continues.”
Mats Birgersson
Server Technician
City of Uppsala

Improved System Security

With NAP, the city can enforce its security standards for all computers that access the administration network. Because the NAP server evaluates each client computer for compliance before it accesses the network, the number of incidents of unauthorized access from unsecured client computers is reduced. With Terminal Services Gateway, authorized users can access the administration network from the education network while not compromising the firewall protection.

In the test and pilot phases of the deployment, Windows Server 2008 met the city’s expectations for increased network security. Says Birgersson, “We feel that the administration network is more secure, and we expect to see even greater security benefits as the Windows Server 2008 deployment continues.”

Increased System Uptime

By protecting the administration network against malware, the city expects that NAP will also prevent the diminished server performance and downtime that result from these attacks. Says Birgersson, “So far, we have seen improvements in server stability in the test and pilot environments. When we have completed our deployment of NAP and Windows Server 2008 in the production environment, we will definitely see more of the benefit.”

Lower Administration Costs

NAP automatically tracks and logs the activity of all client computers accessing the city’s administration network, so the city expects to save the time and cost of administering the system. Also, as unauthorized access and malware infections are reduced, IT staff will spend less time tracking down and eliminating malware and more time proactively enhancing network security. “Defending our administration network against malicious attacks has sometimes been a time-consuming job. Windows Server 2008 Network Access Protection will help us to do this more efficiently,” says Birgersson.

For More Information

For more information about Microsoft products and services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Information Centre at (877) 568-2495. Customers who are deaf or hard-of-hearing can reach Microsoft text telephone (TTY/TDD) services at (800) 892-5234 in the United States or (905) 568-9641 in Canada. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information using the World Wide Web, go to:
www.microsoft.com

For more information about TrueSec and its services, call (46) (8) 10 00 10 or visit the Web site at:
www.truesec.com

For more information about the City of Uppsala, call (46) (0) 18 727 00 00 or visit the Web site at:
www.uppsala.se

Windows Server 2008

Windows Server 2008, with built-in Web and virtualization technologies, enables you to increase the reliability and flexibility of your server infrastructure. New virtualization tools, Web resources, and security enhancements help you save time, reduce costs, and provide a platform for a dynamic and optimized datacenter. Powerful new tools like IIS 7.0, Server Manager, and Windows PowerShell™ allow you to have more control over your servers and streamline Web, configuration, and management tasks. Advanced security and reliability enhancements like Network Access Protection and the Read-Only Domain Controller option for Active Directory Domain Services harden the operating system and help protect your server environment to ensure you have a solid foundation on which to build your business.

For more information, go to:
www.microsoft.com/windowsserver2008

This case study is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
Document published February 2008
Solution Overview



Organization Size: 6000 employees

Organization Profile

The City of Uppsala is the fourth largest municipality in Sweden. Located in the province of Uppland, it has a resident population of 185,000.


Business Situation

The city wanted better protection against unauthorized access and malware attacks for its administration network.


Solution

The city evaluated Windows Server® 2008 Network Access Protection in a test environment. It planned to complete a pilot and continue the rest of the deployment in 2008.


Benefits
  • Improved system security
  • Increased uptime
  • Lower administration costs

Hardware

HP ProLiant server computers with Quad-Core Intel Xeon processors


Software and Services
  • Windows Server 2008
  • Microsoft Windows Server Terminal Services

Vertical Industries
Government Agencies By Purpose

Country/Region
Sweden

Partner(s)
TrueSec