PEN International is the world’s leading association of writers, working to promote literature and defend freedom of expression around the world. With a dozen permanent staff members and contact with activists all over the globe, the need for efficient collaboration tools and internal data sharing is strong. In addition, in being committed to defending civil rights, PEN International handles information that is often sensitive and must be protected from adversaries.
To fulfill these needs, the organization replaced their in-office Windows server with a dedicated remote machine equipped with Caisleán, an eQualit.ie-developed set of Ansible recipes for secure self-hosting. The former setup was proving to be unsatisfactory, notably in terms of reliability, security and flexibility. This article borrows from our experience setting up Caisleán for PEN’s use case and provides insights into migration process from a Windows Server environment.
Working with eQualit.ie in a consultative manner meant that a staff team with limited experience of IT were able to avail themselves of a service which has contributed to improving the security of our information and communications, as well as contributing to increased productivity of the entire staff team. ♣
Use case and issues
The primary role played by the office server was file sharing through Windows network folders, a convenient way to access common resources on a local network. Each staff member had an individual account to connect to the Active Directory and access the shared folders.
The setup was considered unreliable: workstations randomly could not access network folders and the server needed frequent reboots due to crashes. Security was also a concern: no disk encryption and low physical security of the server, doubts on whether the server was equipped with proper anti-virus software and lack of trust towards proprietary software (a common scenario). In addition, their setup was designed primarily as an internal office network and staff working remotely could not access the shared storage.
Prior to the migration to a secure online system, we were experiencing frequent downtimes when access to the shared drive crashed, which impacted on our ability to carry out our work. Additionally, it was often difficult for staff to access the shared drive remotely. Now we have next to no down times and staff are able to access the shared drives remotely as if they were in the office.
Our approach was to adapt Caisleán services as a remote server, hosted in a professional data center with removable backup storage. Its configuration would replicate Active Directory possibilities whilst solving some of the crucial security issues and introducing the possibility of remote access.
Adapting and setting up Caisleán for remotely accessed shared folders
Windows network folders can be set up on a GNU/Linux server thanks to Samba. Mimicking local network folder sharing on a remote server is possible by making clients connect through an OpenVPN tunnel. Finally, OpenLDAP can store user accounts and thus be used as an authentication backend for Samba and OpenVPN.
Caisleán is aimed at organizations with multiple users who wish to store and share their data, with ease and security. Caisleán’s functional setups for OpenLDAP and OpenVPN were implemented along with security-related features. Stacking Samba on top of this codebase implied the following changes:
- implementing template configuration files and Ansible tasks to setup Samba, configured for LDAP-based authentication
- setting up the creation of a Samba-compatible LDAP tree for user accounts and the installation of Samba-LDAP specific user management tools
- connecting OpenVPN to OpenLDAP to allow password-based VPN access
- setting up a restricted Usermin version to allow easy password update.
Pushing the newly adapted version of Caisleán to the server resulted in a fully functioning VPN with user authentication and file sharing. To increase security, the server was set up with full disk encryption (FDE). Caisleán repository provides documentation to set up FDE on a remote server.
The final step was to migrate the data to the new server to finally be able to fully decommission the office server.
Migrating
Migrating the data and updating workstations’ configuration was the longest and most difficult part of the process.
Data migration
With 300GB worth of data, transferring PEN International’s files from their office to the new server was a challenge in itself. After a night-long copy onto a portable hard disk followed by a roam through a traffic-jammed London undergoing tube strike, it was finally possible to upload the data from a reliable Internet connection.
User accounts transfer
It was important that everyone with an account on the office server kept their user names on the new system. It is conveniently possible to dump the content of a whole Active Directory tree to an LDIF file using a Windows
built-in tool. After dumping the office server Active Directory tree, the generated LDIF files were used to re-create user accounts in the new server’s LDAP.
The occasion was also used to purge obsolete user accounts, as the presence of such accounts is generally a weakening factor for security.
Reconfiguration of workstations
Workstation logon was controlled by the office server holding all user accounts. With the accounts becoming remote and shared folders becoming accessible from anywhere, binding workstation access to a centralized local server was not making sense anymore.
Nevertheless, as commonly observed in this kind of setup, each workstation held local user data for remotely controlled users: e-mail accounts and cache, web browsing data, applications preferences, etc. At the same time, users were prevented from logging on if the workstation could not contact the logon server, making this data inaccessible through the normal logon process. Before unplugging the office server, local accounts thus had to be created on workstations, and data stored on workstations associated with remotely controlled accounts had to be moved to these local accounts.
This process of disconnecting workstations from the local Windows domain proved to be cumbersome, especially as the Windows registry had to be edited. Thanks to a live GNU/Linux distribution together with registry edition tools like chntpw, hivex and FRED, all account data could finally be properly migrated. This was a fairly tiresome process involving repeated manual operations on fifteen workstations.
In the end, a local account could be used on each workstation. OpenVPN was installed and configured to connect to the remote server and ask for the user’s credentials, subsequently making the Samba shared folders accessible.
At this point, all workstations had become fully independent from the office server.
Office server decommissioning
Fully decommissioning the office server firstly required transferring its secondary roles to other devices: DHCP and IP routing were transferred to an already running network appliance, and the printer drivers were uploaded to the
remote server.
The final step was to erase the office server’s hard disk data using a live system. The machine’s inability to boot on USB devices was the last obstacle, and required to burn a live DVD for the occasion.
Shortly after the migration, we experienced a break-in at our office. The burglars targeted IT equipment, and would previously have been able to access our server, had we still had one on site. However, thanks to the work of eQualit.ie, our information was secure on the cloud, and our back-up drive was in a safe location, thanks to the advice we received.
Conclusion and remaining challenges
PEN International’s office server has been completely replaced, and the staff can share documents from workstations and personal computers. The service is more reliable, provides better data security and can be used from anywhere.
We are also very pleased with the cost savings we have found since the migration. Our server was due to be replaced, so we have avoided the cost of purchasing a new server. Additionally the level of IT support we have needed has dramatically reduced, leading to further savings.
The main lesson taken from this experience is that the most difficult part was not to set up the new system but to migrate the data and change the configuration of the systems already in place. When migrating a whole set of workstations, a variety of small difficulties have to be anticipated.
A main point of improvement is the integration of the process of connecting to the VPN and accessing the shared folders. As it is now, a user needs to enter credentials to access VPN and subsequently connect to network folders, and a single input would make it more user-friendly but would entail implementation of specific scripts for each operating system.
The PEN case provided the opportunity to implement a Samba-LDAP setup into Caisleán. While functional and available in the repository, improvements are still required to make it applicable in more generic use cases.
♣ All quotes in this article attributed to Ann Harrison, Programme Director, Writers in Prison Committee