Operating System Security (3-3-4) 11.1003
This lesson guide provides instructions and recommendations to help strengthen the OS Security of computers running Windows Server® 2008 that are members of an Active Directory® domain. This Windows Server 2008 Security Guide consists of 11 chapters, and an appendix that you can use to reference setting descriptions, considerations, and values. The Windows Server 2008 Security Guide Settings workbook file that accompanies this guide provides another resource that you can use to compare and evaluate the Group Policy settings. In addition, the Windows Server 2008 Attack Surface Reference workbook provides summary information about services, files, and firewall rules specific to each server role that this guide covers. The following figure shows the guide structure to help inform you how to optimally implement and deploy the prescriptive guidance.
The overview states the purpose and scope of the guide and indicates the organization of the guide to assist you in locating the information relevant to you. It also describes the tools and templates that accompany the guide, and the user prerequisites for the guidance. Brief descriptions follow for each chapter and the appendix for the guide.
This chapter identifies the benefits to an organization of creating and deploying a security baseline. The chapter includes high-level security design recommendations that you can follow in preparation to implement either the EC baseline settings or the SSLF baseline settings. The chapter explains important security considerations for both the EC environment and the SSLF environment, and the broad differences between these environments.
The Windows Server 2008 Security Guide Settings workbook that accompanies this guide provides another resource that you can use to compare and evaluate the Group Policy settings. The GPOAccelerator tool is available as a separate download from the Microsoft Download Center. For instructions on how to use the tool, see How to Use the GPOAccelerator.
Caution The guidance in this chapter positions your organization to establish the SSLF environment, which is distinct from the EC environment. The SSLF guidance is for high security environments only. It is not a supplement to the guidance on the EC environment. Security settings prescribed for the SSLF environment limit key functionality across the environment. For this reason, the SSLF security baseline is not intended for most organizations. Be prepared to extensively test the SSLF security baseline before implementing it in a production environment.
Chapter 2: Reducing the Attack Surface by Server Role
This chapter provides an overview of built-in tools in Windows Server 2008 that can help you to quickly configure, maintain, and enforce all of the required functionality for the servers in your environment. The chapter discusses using Server Manager to help reduce the attack surface of your servers by only configuring the functionality that each specific server role requires.
The chapter then discusses how you can use the Security Configuration Wizard (SCW) to help maintain and enforce the configuration implemented by Server Manager. The chapter also provides information about Server Core, a new installation option in Windows Server 2008.
Chapter 3: Hardening Active Directory Domain Services
This chapter discusses how organizations can harden Active Directory Domain Services (AD DS) to manage users and resources, such as computers, printers, and applications on a network. AD DS in Windows Server 2008 includes a number of new features that are not available in previous versions of Windows Server, and some of these features focus on deploying AD DS more securely. Features that enhance security in AD DS include new auditing capabilities, fine-grained password policies, and the ability to use read-only domain controllers (RODCs).
Chapter 4: Hardening DHCP Services
This chapter provides prescriptive guidance for hardening the DHCP Server role. The chapter discusses DHCP Server and DHCP Client services in Windows Server 2008 that include security-related enhancements for Network Access Protection (NAP) and DHCPv6 functionality.
Chapter 5: Hardening DNS Services
This chapter provides prescriptive guidance for hardening the DNS Server role. Windows Server 2008 provides enhancements in the DNS Server service that focus on improving performance or provide new features, including background zone loading to help circumvent potential denial-of-service (DoS) attacks, and support for RODCs located in perimeter networks, branch offices, or other unsecured environments.
Chapter 6: Hardening Web Services
This chapter provides prescriptive guidance for hardening the Web Server role. The chapter discusses how the Web server role installs Microsoft® Internet Information Services (IIS) 7.0, which has been redesigned into forty modular components that you can choose to install as needed.
This chapter provides prescriptive guidance for hardening the File Server role. File servers can provide a particular challenge to harden, because balancing security and functionality of the fundamental services that they provide is a fine art. Windows Server 2008 introduces a number of new features that can help you control and harden a file server in your environment.
Chapter 8: Hardening Print Services
This chapter provides prescriptive guidance for hardening the Print Server role. Significant security changes were introduced to printing services in the operating system for Windows Vista, and these changes have also been incorporated into Windows Server 2008 for your organization to take full advantage of them.
Chapter 9: Hardening Active Directory Certificate Services
This chapter provides prescriptive guidance for hardening Active Directory Certificate Services (AD CS) on a server running Windows Server 2008. AD CS provides customizable services for creating and managing public key certificates used in software security systems that employ public key technologies. The chapter discusses how your organizations can use AD CS to enhance security by binding the identity of a person, device, or service to a corresponding private key.
Chapter 10: Hardening Network Policy and Access Services
This chapter provides prescriptive guidance for hardening Network Policy and Access Services on servers running Windows Server 2008. Network Policy and Access Services (NPAS) in Windows Server 2008 provide technologies that allow you to deploy and operate a virtual private network (VPN), dial-up networking, 802.1x protected wired and wireless access, and Cisco Network Admission Control (NAC)-based devices.
The chapter discusses how you can use NPAS to define and enforce policies for network access authentication, authorization, as well as client health using Network Policy Server (NPS), the Routing and Remote Access Service, Health Registration Authority (HRA), and the Host Credential Authorization Protocol (HCAP).
Chapter 11: Hardening Terminal Services
This chapter provides prescriptive guidance for hardening Terminal Services on servers running Windows Server 2008. These servers provide essential services that allow users to access Windows-based programs or the full Microsoft Windows® desktop from various locations. Windows Server 2008 includes a number of specific role services for this technology that your organization can use, including TS Licensing to manage Terminal Server client access licenses (TS CALS) that are required for devices and users to connect to a terminal server.
The chapter also discusses how the Terminal Services Session Broker (TS Session Broker) role service supports reconnection to an existing session on a terminal server that is a member of a load-balanced terminal server farm, how the Terminal Services Gateway (TS Gateway) role service enables authorized users to connect to terminal servers and remote desktops on the corporate network over the Internet using RDP via HTTPS, and how the Terminal Services Web Access (TS Web Access) role service allows authorized users to gain access to terminal servers via a Web browser.
Appendix A: Security Group Policy Settings
The appendix includes
descriptions and tables that detail the prescribed settings in the EC and SSLF
security baselines for this guide. The
appendix describes each setting and the reasoning for their configuration
values. The appendix also indicates setting differences between Windows
Server 2008 and Windows Server 2003.
"Cyberspace: A consensual hallucination experienced daily by billions of legitimate operators, in every nation, by children being taught mathematical concepts... A graphical representation of data abstracted from the banks of every computer in the human system. Unthinkable complexity. Lines of light ranged in the non-space of the mind, clusters and constellations of data. Like city lights, receding..."
(William Gibson -'Neuromancer')