It's important to revisit security zones in network configuration. One way to centrally manage the security associated with the iSCSI security zone is to use Windows Group Policy to require CHAP authentication for the initiator.
While CHAP authentication isn't the greatest, it's what we have to work with for iSCSI networks. (Read my post about the iSCSI Software Initiator on pre-Windows Server 2008 systems.)
Above all else, you should allocate the storage traffic for iSCSI storage in a fully separated network if possible. If you want to require Windows Systems to use the CHAP authentication protocol, Windows Group Policy can enforce this requirement.
For Windows Vista and Windows Server 2008 systems, you can configure these Group Policy values: Computer Configuration | Administrative Templates | System | iSCSI | iSCSI Security.
In this section of the computer Group Policy configuration, there are two relevant objects to require CHAP on iSCSI configurations: The first is to require mutual CHAP, and the other is to require one-way CHAP. The mutual CHAP Group Policy object is shown in Figure A.
Figure A
Click the image to enlarge.
Once configured, the Windows system will be required to use the CHAP levels assigned. While I don't expect this to be a frequent occurrence, you can go to the next section of Group Policy (iSCSI Target Discovery) and prohibit a manual iSCSI configuration if needed. This may be more applicable to client systems, so someone crafty enough to circumvent a USB device restriction may not be able to map a drive to an iSCSI storage device.
This configuration applies only to a Windows system acting as an iSCSI Initiator, which will receive storage from an iSCSI target. If a Windows system were to function as an iSCSI target, third-party software would be required or a Windows Storage Server Edition. For a Windows system to function as an iSCSI target, it would require third-party software or Windows Storage Server Edition.
Visit the Microsoft site for more information about Windows storage support.
p>Rick Vanover is a Systems Administrator in Columbus, Ohio. He has more than 12 years of IT experience, and he focuses on virtualization, Windows-based server administration, and system hardware.