Securing Windows Server 2008: Prevent Attacks from Outside and Inside Your Organization

by Aaron Tiensivu

Microsoft hails the latest version of its flagship server operating system, Windows Server 2008, as "the most secure Windows Server ever". However, to fully achieve this lofty status, system administrators and security professionals must install, configure, monitor, log, and troubleshoot a dizzying array of new features and tools designed to keep the bad guys out and maintain the integrity of their network servers. This is no small task considering the market saturation of Windows Server and the rate at which it is attacked by malicious hackers. According to IDC, Windows Server runs 38% of all network servers. This market prominence also places Windows Server at the top of the SANS top 20 Security Attack Targets. The first five attack targets listed in the SANS top 20 for operating systems are related to Windows Server. This doesn't mean that Windows is inherently less secure than other operating systems; it's simply a numbers game. More machines running Windows Server. More targets for attackers to hack.
As a result of being at the top of the "most used" and "most hacked" lists, Microsoft has released a truly powerful suite of security tools for system administrators to deploy with Windows Server 2008. This book is the comprehensive guide needed by system administrators and security professionals to master the seemingly overwhelming arsenal of new security tools, including:
1. Network Access Protection, which gives administrators the power to isolate computers that don't comply with established security policies. The ability to enforce security requirements is a powerful means of protecting the network.
2. Enhanced solutions for intelligent rules and policies creation to increase control and protection over networking functions, allowing administrators to have a policy-driven network.
3. Protection of data to ensure it can only be accessed by users with the correct security context, and to make it available when hardware failures occur.
4. Protection against malicious software with User Account Control with a new authentication architecture.
5. Increased control over your user settings with Expanded Group Policy.
...to name just a handful of the new security features. In short, Windows Server 2008 contains by far the most powerful and complex suite of security tools ever released in a Microsoft Server product. Securing Windows Server 2008 provides system administrators and security professionals with the knowledge they need to harness this power.

* Describes new technologies and features in Windows Server 2008, such as improvements to networking and remote access features, centralized server role management, and an improved file system.
* Outlines steps for installing only the necessary components and subsystems of Windows Server 2008 in your environment. No GUI needed.
* Describes Windows Server 2008's security innovations, such as Network Access Protection, Federated Rights Management, and Read-Only Domain Controller
* Includes coverage of monitoring, securing, and troubleshooting Windows Server 2008
* Covers Microsoft's Hyper-V virtualization technology, which is offered as an add-on to four of the eight versions of Windows Server 2008 and as a stand-alone product

Product Details

Elsevier Science
Sold by: Barnes & Noble
File size: 8 MB

Read an Excerpt

Securing Windows Server 2008

Prevent Attacks from Outside and Inside Your Organization
By Dale Liu


Copyright © 2008 Elsevier, Inc.
All rights reserved.

ISBN: 978-0-08-056997-0

Chapter One

Microsoft Windows Server 2008: An Overview

Solutions in this chapter:

* Server Manager

* Server Core

* Active Directory Certificate Services

* Active Directory Domain Services

* Summary

* Solutions Fast Track

* Frequently Asked Questions


    With the introduction of new revisions to Microsoft products—for example, Windows, Exchange, and Communications Server—we have seen a trend toward "roles" within each product, as opposed to the various products being an all-in-one type of solution (as with Exchange 2007), or being additional features that work as a snap-in, such as DNS in Windows 2003.

    With earlier versions of Windows Server 2000 or 2003, an Active Directory server was just that—an Active Directory server. What we are trying to say here is that it was more-or-less an "all-or-nothing" deal when creating a domain controller in Windows 2003. Very little flexibility existed in the way a domain controller could be installed, with the exception of whether a domain controller would also be a global catalog server or flexible single master operation (FSMO) server.

    The new roles in Windows Server 2008 provide a new way for you to determine how they are implemented, configured, and managed within an Active Directory domain or forest. The new roles (and the official Microsoft definitions) are as follows:

    * Read-only domain controller (RODC) This new type of domain controller, as its name implies, hosts read-only partitions of the Active Directory database. An RODC makes it possible for organizations to easily deploy a domain controller in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as in an extranet or in an application-facing role.

    * Active Directory Lightweight Directory Service (ADLDS) Formerly known as Windows Server 2003 Active Directory Application Mode (ADAM), ADLDS is a Lightweight Directory Access Protocol (LDAP) directory service that provides flexible support for directory-enabled applications, without the dependencies required for Active Directory Domain Services (ADDS). ADLDS provides much of the same functionality as ADDS, but does not require the deployment of domains or domain controllers.

    * Active Directory Rights Management Service (ADRMS) Active Directory Rights Management Services (ADRMS), a format and application-agnostic technology, provides services to enable the creation of information-protection solutions. ADRMS includes several new features that were available in Active Directory Rights Management Services (ADRMS). Essentially, ADRMS adds the ability to secure objects. For example, an e-mail can be restricted to read-only, meaning it cannot be printed, copied (using Ctrl+C, and so on), or forwarded.

    * Active Directory Federation Services (ADFS) You can use Active Directory Federation Services (ADFS) to create a highly extensible, Internet-scalable, and secure identity access solution that can operate across multiple platforms, including both Windows and non-Windows environments. Essentially, this allows cross-forest authentication to external resources—such as another company's Active Directory. ADFS was originally introduced in Windows Server 2003 R2, but lacked much of its now-available functionality.

    These roles can be managed with Server Manager and Server Core. Discussing Server Core is going to take considerably longer, so let's start with Server Manager.

    Server Manager

    Server Manager is likely to be a familiar tool to engineers who have worked with earlier versions of Windows. It is a single-screen solution that helps manage a Windows server, but is much more advanced than the previous version.

    Using Server Manager to Implement Roles

    Although we will be discussing Server Manager (Figure 1.1) as an Active Directory Management tool, it's actually much more than just that.

    In fact, Server Manager is a single solution (technically, a Microsoft Management Console [MMC] snap-in) that is used as a single source for managing system identity (as well as other key system information), identifying problems with servers, displaying server status, enabled roles and features, and general options such as server updates and feedback.

    Table 1.1 outlines some of the additional roles and features Server Manager can be used to control:

    Server Manager is enabled by default when a Windows 2008 server is installed (with the exception of Server Core). However, Server Manager can be shut off via the system Registry and can be re-opened at any time by selecting Start | Administrative Tools | Server Manager, or right-clicking Computer under the Start menu, and choosing Manage (Figure 1.2).

    So, those are the basics of Server Manager. Now let's take a look at how we use Server Manager to implement a role. Let's take the IIS role and talk about using the Add Role Wizard to install Internet Information Services (IIS).

    Server Core

    Server Core brings a new way not only to manage roles but also to deploy a Windows Server. With Server Core, we can say goodbye to unnecessary GUIs, applications, services, and many more commonly attacked features.

    Using Server Core and Active Directory

    For years, Microsoft engineers have been told that Windows would never stand up to Linux in terms of security simply because it was too darn "heavy" (too much code), loaded too many modules (services, startup applications, and so on), and was generally too GUI heavy. With Windows Server 2008, Microsoft engineers can stand tall, thanks to the introduction of Server Core.

    What Is Server Core?

    What is Server Core, you ask? It's the "just the facts, ma'am" version of Windows 2008. Microsoft defines Server Core as "a minimal server installation option for Windows Server 2008 that contains a subset of executable files, and five server roles." Essentially, Server Core provides only the binaries needed to support the role and the base operating systems. By default, fewer processes are generally running.

    Server Core is so drastically different from what we have come to know from Windows Server NT, Windows Server 2000, or even Windows Server 2003 over the past decade-plus, that it looks more like MS-DOS than anything else (Figure 1.5). With Server Core, you won't find Windows Explorer, Internet Explorer, a Start menu, or even a clock! Becoming familiar with Server Core will take some time. In fact, most administrators will likely need a cheat sheet for a while. To help with it all, you can find some very useful tools on Microsoft TechNet at -b91453ccc78d18161033.mspx?mfr=true. This provides command and syntax lists that can be used with Server Core. The good news is, for those of you who want the security and features of Server Core with the ease-of-use of a GUI, you have the ability to manage a Server Core installation using remote administration tools.

    Before going any further, we should discuss exactly what will run on a Server Core installation. Server Core is capable of running the following server roles:

    * Active Directory Domain Services Role

    * Active Directory Lightweight Directory Services Role

    * Dynamic Host Configuration Protocol (DHCP)

    * Domain Name System (DNS) Services Role

    * File Services Role

    * Hyper-V (Virtualization) Role

    * Print Services Role

    * Streaming Media Services Role

    * Web Services (IIS) Role

    Although these are the roles Server Core supports, it can also support additional features, such as:

    * Backup

    * BitLocker

    * Failover Clustering

    * Multipath I/O

    * Network Time Protocol (NTP)

    * Removable Storage Management

    * Simple Network Management Protocol (SNMP)

    * Subsystem for Unix-based applications

    * Telnet Client

    * Windows Internet Naming Service (WINS)

    The concept behind the design of Server Core is to truly provide a minimal server installation. The belief is that rather than installing all the applications, components, services, and features by default, it is up to the implementer to determine what will be turned on or off.

    Installation of Windows 2008 Server Core is fairly simple. During the installation process, you have the option of performing a Standard Installation or a Server Core installation. Once you have selected the hard drive configuration, license key activation, and End User License Agreement (EULA), you simply let the automatic installation continue to take place. When installation is done and the system has rebooted, you will be prompted with the traditional Windows challenge/response screen, and the Server Core console will appear.

    Uses for Server Core

    A Windows Server 2008 Core Server Installation can be used for multiple purposes. One of the ways that Server Core can be used is to provide a minimal installation for DNS. You can manipulate, manage, and configure DNS servers through the various Windows Server 2008 DNS Graphical User Interfaces (GUIs)–DNS Manager and the Server Manager tool.

    However, there are no GUIs provided with Windows Server 2008 Core Server. There are a number of advantages to running DNS within Server Core, including:

    * Smaller Footprint. Reduces the amount of CPU, memory, and hard disk needed.

    * More Secure. Fewer components and services running unnecessarily.

    * No GUI. No GUI means that users cannot make modifications to the DNS databases (or any other system functions) using common/user-friendly tools.

    If you are planning to run DNS within a Server Core install, there are a number of steps you must perform prior to installation. The first step we must take is to set the IP information of the server. To configure the IP addressing information of the server, follow these steps:

    1. Identify the network adapter. In the console window, type netsh interface ipv4 show interfaces and record the number shown under Idx column.

    2. Set the IP address, subnet mask, and default gateway for the server. To do this, type netsh interface ipv4 set address name="<ID>" source=static address=<StaticIP> mask=<SubnetMask> gateway=<DefaultGateway>. <ID> represents the interface number from step 1, <StaticIP> represents the IP address we will assign, <SubnetMask> represents the subnet mask, and <DefaultGateway> represents the IP address of the server's default gateway. See Figure 1.8 for our sample configuration.

    3. Assign the IP address of the DNS server. If this server were part of an Active Directory domain and replicating Active Directory-integrated zones (we will discuss those next), we would likely point this server to another AD-integrated DNS server. If it is not, we would point it to another external DNS server—commonly the Internet provider of your company. From the console, type netsh interface ipv4 add dnsserver name="<ID>" address=<DNSIP> index=1. <ID> represents the number from step 1, and <DNSIP> represents the IP address of the DNS server.

    Once the IP address settings are completed—you can verify this by typing ipconfig /all—we can install the DNS role onto the Core Server installation.

    4. To do this, from the command line type start /w ocsetup DNS-Server-Core-Role.

    5. To verify that the DNS Server service is installed and started, type NET START. This will return a list of running services.
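
The five steps above combined into one batch file for the Server Core console, as an added example that is not taken from the book. The interface index and every address are constructed placeholders (192.0.2.0/24 is a documentation range) and must be replaced with the values for your network.

```bat
@echo off
rem Added example: steps 1-5 above run in order from the Server Core console.
rem All values below are constructed placeholders, not a real configuration.
setlocal
set IFIDX=2
set STATICIP=192.0.2.10
set MASK=255.255.255.0
set GATEWAY=192.0.2.1
set DNSIP=192.0.2.53

rem Step 1: list the adapters so the Idx value in IFIDX can be confirmed.
netsh interface ipv4 show interfaces

rem Step 2: assign the static address, subnet mask and default gateway.
netsh interface ipv4 set address name="%IFIDX%" source=static address=%STATICIP% mask=%MASK% gateway=%GATEWAY%
if errorlevel 1 goto fail

rem Step 3: point the server at the DNS server it should resolve through.
netsh interface ipv4 add dnsserver name="%IFIDX%" address=%DNSIP% index=1
if errorlevel 1 goto fail

rem Confirm the addressing before installing the role.
ipconfig /all

rem Step 4: install the DNS role; /w waits until setup has finished.
rem The role name is case-sensitive and must be typed exactly as shown.
start /w ocsetup DNS-Server-Core-Role

rem Step 5: the DNS Server service should now be in the running list.
net start | find /i "DNS Server"
if errorlevel 1 goto fail

echo DNS Server role is installed and the service is running.
exit /b 0

:fail
echo A step failed. Review the output above before continuing.
exit /b 1
```

Filtering the NET START output with find makes the last check pass or fail on the DNS Server service alone, so a role that installed but did not start is caught instead of being missed in a long service list.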


    Excerpted from Securing Windows Server 2008 by Dale Liu. Copyright © 2008 by Elsevier, Inc. Excerpted by permission of Syngress. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
    Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.
