Question : Understand Security Improvements in Windows Server 2008

You have installed Windows Server 2008 because you want to take advantage of the many improvements, including those in the area of security. How do you understand what improvements have been made to Windows Server 2008 security, and what do these improvements mean for your network?

Answer : Understand Security Improvements in Windows Server 2008

Windows Server 2008 has made a number of changes to security features. Some changes can be readily seen, such as Windows Firewall and Network Access Protection (NAP). But these configurable components are only part of the big picture. Some security components in Windows Server 2008 are installed by default and need no configuration or management. Others call for very little setup and configuration.

We begin this section by looking at the “less configurable” security pieces, and then we move on to the components that could be considered highly configurable. Regardless of how configurable they are, all these components are parts of a whole, and it’s important to understand them in order to build a secure environment.

Built-in Security Features

To begin, let’s look at the security features that are added when Windows Server 2008 is installed. These features require little to no configuration, and some of them can be managed:

  • Authorization Manager: This is a role-based management tool for controlling access to resources by assigning users to roles in Windows Server 2008. You can also track what permissions are granted to each role in your network.

  • Security Auditing: This tool allows you to track security events on your server. Auditing allows you to monitor the creation, access, and modification of objects. It tracks user activities and provides warnings about potential security problems.

  • Security Configuration Wizard: This tool determines the minimum functionality the server needs to perform its tasks, based on its installed roles. All other ports, services, and functionality are disabled. To run the Security Configuration Wizard, perform the following steps:

    1. In Server Manager, highlight Server Manager in the console tree. In the Details pane you can see that the Server Summary Security Information is directly below the Computer Information.

    2. Click Run Security Configuration Wizard.

    3. On the first screen of the Security Configuration Wizard, click Next.

    4. On the Configuration Action screen, choose to create a new security policy. The following other choices are available on this screen:

       • Edit an existing security policy
       • Apply an existing security policy
       • Rollback the last applied security policy

       Click Next.

    5. On the next screen, select a server to use as a baseline for this security policy. You need Administrator permissions on this server. Enter the DNS name or IP address and click Next.

    6. On the Security Configuration screen, review the database configuration (you will receive a pop-up warning asking whether to allow ActiveX controls; click Yes) and then click Next.

    7. On the Role-Based Service Configuration screen, click Next.

    8. Select the server roles that this server performs and click Next.

    9. Select the client features this server performs and click Next.

    10. Select the options used in administration of this server and click Next.

    11. Select any additional services that this server is running and click Next.

    12. Choose how to handle unspecified services. You can choose not to change the startup mode of the service or to disable the service. Click Next.

    13. Confirm the selections on this screen and click Next.

    14. Get ready to configure Network Security. (This section of the wizard configures the Windows Firewall settings for this server.) Click Next.

    15. Select or unselect the network security rules, or add additional rules, and click Next.

    16. Get ready to configure the registry settings. (This section of the wizard configures the protocols used for communication with other computers.) Click Next.

    17. Choose whether Server Message Block (SMB) security signatures are required. Select the attributes and click Next.

    18. Choose whether to Require LDAP Signing; click the radio button to choose the minimum default security level for LDAP; then click Next.

    19. Choose the outbound authentication methods and click Next.

    20. Choose Outbound Authentication using Domain Accounts and click Next.

    21. View the Registry Settings Summary section and click Next.

    22. Set the audit policy for this server; these are the settings that will be used for success/failure audits on the server. Click Next.

    23. Choose one of the following from the Auditing Objectives list:

       • Do Not Audit
       • Audit Successful Activities
       • Audit Successful and Unsuccessful Activities

       Click Next.

    24. Confirm your selections and click Next.

    25. On the Save Security Policy screen, click Next.

    26. Name the security policy file (the .xml extension is added automatically), optionally change the location, add a description, view the security policy, or include security templates in this policy, and click Next.

    27. Choose to apply this policy later or to apply it now. Click Next.

    28. On the final screen of the wizard, note the location and name of this security policy file and then click Finish.
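    The registry-settings pages of the wizard (steps 16 to 21) write well-known Windows policy values, and the audit pages (steps 22 to 23) end up in the local audit policy. The PowerShell script below is an added example, not code from the original article, that reads those values back after the policy has been applied so you can confirm the hardening actually landed; the Expected values (signing required, NTLMv2-only outbound authentication) are assumptions you should align with your own policy.

```powershell
# Added example (not from the original article): verify the outcomes of an applied SCW policy.
# Registry paths are the standard Windows policy locations; the Expected values are assumptions
# matching a "require signing, NTLMv2 only" choice and should be aligned with your own policy.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

$checks = @(
    @{ Desc = 'SMB server: security signatures required (step 17)'
       Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'RequireSecuritySignature'; Expected = 1 },
    @{ Desc = 'SMB client: security signatures required (step 17)'
       Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Name = 'RequireSecuritySignature'; Expected = 1 },
    @{ Desc = 'LDAP server signing required (step 18; key exists only on domain controllers)'
       Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Name = 'LDAPServerIntegrity'; Expected = 2 },
    @{ Desc = 'Outbound authentication: send NTLMv2 only, refuse LM and NTLM (steps 19 to 20)'
       Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'LmCompatibilityLevel'; Expected = 5 }
)

$failures = 0
foreach ($c in $checks) {
    # A missing key (e.g. NTDS on a member server) is reported, not counted as a failure.
    if (-not (Test-Path -Path $c.Key)) {
        Write-Output ("[SKIP] {0}: key not present on this server" -f $c.Desc)
        continue
    }
    $actual = Get-RegValue -Path $c.Key -Name $c.Name
    if ($actual -eq $c.Expected) { $status = 'OK  ' } else { $status = 'FAIL'; $failures++ }
    if ($null -eq $actual) { $shown = '<not set>' } else { $shown = $actual }
    Write-Output ("[{0}] {1}: actual={2} expected={3}" -f $status, $c.Desc, $shown, $c.Expected)
}

# Steps 22 to 23 land in the local audit policy; print it for review alongside the checks.
Write-Output ''
Write-Output 'Effective audit policy:'
auditpol.exe /get /category:*

if ($failures -gt 0) { Write-Warning ("{0} setting(s) differ from the expected hardening." -f $failures) }
```

    Run it in an elevated PowerShell session on the server after step 27 has applied the policy (or after a reboot, where the wizard asks for one), and compare the FAIL lines with the choices you made on the wizard pages.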

  • Software Restriction Policies: This tool is used to identify and control the ability of software to run on a local computer, organizational unit (OU), domain, or site. Managing these policies at the OU, domain, or site level requires the Group Policy Management console. To manage software restriction policies on the local computer, do the following:

    1. Select Start, Administrative Tools, Local Security Policy.

    2. In the console tree, click Software Restriction Policies.

    3. Either right-click and select New Software Restrictions Policy or select Action, New Software Restrictions Policy.

    4. In the object view, choose security levels, enforcement, designated file types, trusted publishers, and additional rules.

    Note
    Under additional rules, you have the option of creating a new rule for certificates, hashes, network zones, and paths. The rules are used to override the default security level in place on the local machine.

    Note
    These software restriction policies apply only to the local computer. If restriction policies need to be implemented on a large scale, you should instead use the Group Policy Management console.


  • Security Configuration and Analysis: This tool analyzes and configures the local security policy for the server. It provides recommendations alongside the current security settings and flags areas where the current security settings do not match recommendations. It also enables you to resolve those security issues by directly configuring the local security policy and importing security templates.

  • Encrypting File System (EFS): This tool provides a transparent file-encrypting technology for storing encrypted files on an NTFS volume. EFS is managed through Group Policy or the Encrypting File System Wizard. To encrypt a file or folder using the Encrypting File System Wizard, perform the following steps:

    1. Open the Control Panel and double-click User Accounts.

    2. Under Tasks, click Manage Your File Encryption Certificates.

    3. On the first page of the Encrypting File System Wizard, click Next.

    4. Select a certificate to use or create a new certificate and click Next.

    5. Choose to back up the certificate and key now or later and then click Next.

    6. Select the folder or volume(s) with encrypted files. You can choose to update encrypted files later by checking the box below the folder and volume selections. Click Next.

    7. Review the certificate details and click Close.

  • Internet Explorer Enhanced Security Configuration (IE ESC): This security component reduces your server’s exposure to web-based attacks. The only configuration is to turn IE ESC on or off for the Administrators and Users group. (By default, IE ESC is turned on for both groups.)

User Account Control (UAC)

You are familiar with User Account Control (UAC) from Windows Vista. Windows Server 2008 has added UAC to its security repertoire. Like some of the other security components in Windows Server 2008, UAC is installed when you install Windows Server 2008. It is usually managed using Group Policy, although you can also set up UAC under the local security policy. So what does the inclusion of UAC mean for Windows Server 2008, and how does it improve overall security?

UAC provides the ability to enter credentials during a user session to perform administrative tasks without switching users or using the Run As command.

To view and set UAC settings in the Local Security Policy tool, perform the following steps:

1. Select Start, Administrative Tools, Local Security Policy.

2. In the console tree, expand Local Policies and click Security Options. Scroll down to the bottom of the screen to see the available UAC options (see Figure 1).

Figure 1. Available UAC settings in the Local Security Policy tool.

3. Double-click each UAC setting you want to configure, select the UAC option, and click OK.
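The UAC entries under Security Options (Figure 1) are stored as DWORD values in a single registry key, which makes them easy to audit across servers without opening the console. The following PowerShell script is an added example, not from the original article, that reads those values, decodes them with the meanings documented for Windows Server 2008, and flags the ones that switch a UAC protection off; the "Weak" classification is this example's own assumption.

```powershell
# Added example (not from the original article): report the UAC values that the Security Options
# entries in Figure 1 write to the registry, decode them, and flag values that switch a protection off.
# Value meanings are those documented for Windows Server 2008 / Vista; later releases add more
# ConsentPromptBehaviorAdmin values (3 to 5) that are not decoded here.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$UacSettings = @(
    @{ Name = 'EnableLUA'; Policy = 'Run all administrators in Admin Approval Mode'
       Meaning = @{ 0 = 'Disabled (UAC off)'; 1 = 'Enabled' }; Weak = @(0) },
    @{ Name = 'ConsentPromptBehaviorAdmin'; Policy = 'Behavior of the elevation prompt for administrators'
       Meaning = @{ 0 = 'Elevate without prompting'; 1 = 'Prompt for credentials'; 2 = 'Prompt for consent' }; Weak = @(0) },
    @{ Name = 'ConsentPromptBehaviorUser'; Policy = 'Behavior of the elevation prompt for standard users'
       Meaning = @{ 0 = 'Automatically deny elevation requests'; 1 = 'Prompt for credentials' }; Weak = @() },
    @{ Name = 'PromptOnSecureDesktop'; Policy = 'Switch to the secure desktop when prompting for elevation'
       Meaning = @{ 0 = 'Disabled'; 1 = 'Enabled' }; Weak = @(0) },
    @{ Name = 'EnableInstallerDetection'; Policy = 'Detect application installations and prompt for elevation'
       Meaning = @{ 0 = 'Disabled'; 1 = 'Enabled' }; Weak = @(0) },
    @{ Name = 'ValidateAdminCodeSignatures'; Policy = 'Only elevate executables that are signed and validated'
       Meaning = @{ 0 = 'Disabled'; 1 = 'Enabled' }; Weak = @() },
    @{ Name = 'EnableVirtualization'; Policy = 'Virtualize file and registry write failures to per-user locations'
       Meaning = @{ 0 = 'Disabled'; 1 = 'Enabled' }; Weak = @() },
    @{ Name = 'FilterAdministratorToken'; Policy = 'Admin Approval Mode for the built-in Administrator account'
       Meaning = @{ 0 = 'Disabled'; 1 = 'Enabled' }; Weak = @(0) }
)

function Get-UacReport {
    $props = Get-ItemProperty -Path $UacKey -ErrorAction SilentlyContinue
    foreach ($s in $UacSettings) {
        $value = $null
        if ($null -ne $props) { $value = $props.($s.Name) }
        if ($null -eq $value) { $meaning = 'not set (Windows default applies)' }
        elseif ($s.Meaning.ContainsKey([int]$value)) { $meaning = $s.Meaning[[int]$value] }
        else { $meaning = 'unrecognized value' }
        New-Object PSObject -Property @{
            Setting = $s.Policy; ValueName = $s.Name; Value = $value; Meaning = $meaning
            Weak = ($null -ne $value -and $s.Weak -contains [int]$value)
        }
    }
}

$report = Get-UacReport
$report | Format-Table Setting, Value, Meaning, Weak -AutoSize
$weak = @($report | Where-Object { $_.Weak })
if ($weak.Count -gt 0) { Write-Warning ("{0} UAC setting(s) switch a UAC protection off." -f $weak.Count) }
```

A value reported as "not set" means the policy has never been written locally and the Windows default is in effect, which is the normal state on a freshly installed server; a value written by Group Policy shows up here exactly like one set through the Local Security Policy tool.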

Additional Security Components

Windows Server 2008 comes with additional security components that need to be set up after Windows Server 2008 is installed:

  • Smart cards: Windows Server 2008 has built-in capabilities to work with smart cards. Smart card readers should be installed and configured according to manufacturers’ specifications.

  • Trusted Platform Module (TPM) management: TPM is a hardware-based security architecture for providing access to systems. An installed TPM chip (version 1.2) and a TCG-compliant BIOS are needed. Windows Server 2008 has an MMC snap-in for managing TPM devices on the local server. No further configuration is needed to take advantage of TPM.

  • BitLocker drive encryption: BitLocker provides full drive encryption and an integrity check of boot components. You install BitLocker by using the Add Features Wizard, as follows:

    1. In Server Manager, choose Add Feature, BitLocker Drive Encryption, and click Next.

    2. On the next page, which asks you to confirm that you want to install the feature, click Install.

    3. On the results page, which informs you that you must restart your server to finish the installation of BitLocker, click Close. When you are prompted to restart the server and finish the installation, click Yes.

    4. When the BitLocker installation is complete, click Close.

An important and often-overlooked part of the security picture is Windows Update. In fact, when you look at the security information in Server Manager, you see that Configure Updates is directly below Windows Firewall. It is important to ensure that Windows Server 2008 is kept up to date by using either Windows Update or another update management package, such as WSUS or System Center Configuration Manager. All the security you put in place is useless if you forget to patch a hole that has been discovered.
