Published: February 27, 2008
Welcome to the Windows Server 2008 Security Guide.
This guide provides instructions and recommendations to help strengthen the security
of computers running Windows Server® 2008 that are members of an Active Directory®
domain.
In addition to the guidance that the Windows Server 2008
Security Guide prescribes, this Solution Accelerator provides tools, step-by-step
procedures, recommendations, and processes that significantly streamline the deployment
process. This guide not only provides you with effective security setting guidance,
but also provides a reproducible method that you can use to apply the guidance
to both test and production environments.
The key tool that this Solution Accelerator provides for you is the GPOAccelerator.
The tool enables you to run a script that automatically creates all the Group Policy objects (GPOs) you need to apply this
security guidance. The Windows Server 2008 Security Guide Settings workbook
that accompanies this guide provides another resource that you can use to compare
and evaluate the Group Policy settings.
Microsoft engineering teams, consultants, support engineers, partners, and customers
have reviewed and approved this prescriptive guidance to make it:
- Proven. Based on field experience.
- Authoritative. Offers the best advice available.
- Accurate. Technically validated and tested.
- Actionable. Provides the steps to success.
- Relevant. Addresses real-world security concerns.
Microsoft has published security guides for Windows Server 2003 and Windows
2000 Server. This guide references significant security enhancements
in Windows Server 2008. The guide was developed and tested with computers running
Windows Server 2008 joined to a domain that uses Active
Directory® Domain Services (AD DS).
As the operating system continues to evolve through future releases, you can expect
updated versions of this guidance to include more security enhancements. Solution
Accelerators are also available to assist you with the deployment and operation
of Windows Server 2008. For more information about all available Solution Accelerators,
visit Solution Accelerators
on TechNet.
IT security is everybody's business. Every day, adversaries are attempting to invade
your networks and access your servers to bring them down,
infect them with viruses, or steal information about your customers
or employees. Attacks come from all directions: from onsite
employee visits to Web sites infected with malware,
to offsite employee connections through virtual private networks (VPNs), branch
office network connections to corporate servers, or direct assaults on vulnerable
computers or servers in your network. Organizations of all sizes now also face more
complex and demanding audit requirements.
You know firsthand how essential your servers are to keeping your organization up
and running. The data they house and the services they provide are your organization’s
lifeblood. It is your job to stand guard over these essential assets, prevent them
from going down or falling victim to attacks from outside
and inside your organization, and to prove to auditors that you have taken all reasonable
steps to secure your servers.
Windows Server 2008 is engineered from the ground up with security in mind,
delivering an array of new and improved security technologies and features that
provide a solid foundation for running and building your business. The
Windows Server 2008 Security Guide is designed to further enhance the security
of the servers in your organization by taking full advantage of the security features
and options in Windows Server 2008.
This guide builds on the Windows
Server 2003 Security Guide, which provides specific recommendations about
how to harden servers running Windows Server 2003
with Service Pack 2 (SP2). The Windows Server 2008 Security
Guide provides recommendations to harden servers that use security baselines for the following two environments:
The organization of the guide enables you to easily access the information that
you require. The guide and its associated tools help you to:
- Establish and deploy either of the prescribed security baselines in
your network environment.
- Identify and use Windows Server 2008 security features for common security
scenarios.
- Identify the purpose of each individual setting in either security baseline and understand its significance.
You will need to download the
GPOAccelerator for the Windows Server 2008 Security Guide
and the how-to guidance for this tool to create, test, and deploy the security settings
for either the EC environment or the SSLF environment. This
tool automatically creates all the GPOs for the security
settings this guide recommends. For instructions about how to use the tool to accomplish
these tasks, see How to Use the GPOAccelerator.
This guide is designed primarily for enterprise customers.
To obtain the most value from this material, you will need to read the entire guide.
However, it is possible to read individual portions of the guide to achieve specific
aims. The "Chapter Summary" section in this overview briefly introduces the information
in the guide. For further information about security topics and settings related
to Windows Server 2008, see the Windows Server 2008 Security Guide Settings
workbook and the companion guide,
Threats and Countermeasures.
Who Should Read This Guide
The Windows Server 2008 Security Guide is primarily
for IT professionals, security specialists, network architects,
computer engineers, and other IT consultants who plan application or infrastructure
development and deployments of Windows Server 2008 for servers in an enterprise
environment. The guide is not intended for home users. This guide is for individuals
whose jobs may include one or more of the following roles:
- Security specialist. Users in this role focus on how to provide security
across computing platforms within an organization. Security specialists require
a reliable reference guide that addresses the security needs of every level of the
organization and also offers proven methods to implement security countermeasures.
Security specialists identify security features and settings, and then provide recommendations
on how their customers can most effectively use them in high risk environments.
- IT operations, help desk, and deployment staff. Users in IT operations
focus on integrating security and controlling change in the deployment process,
whereas deployment staff focuses on administering security updates
quickly. Staff in these roles also troubleshoot security issues related to applications
that involve how to install, configure, and improve the usability and manageability
of software. They monitor these types of issues to define
measurable security improvements and a minimum of impact on critical business applications.
- Network architect and planner. Users in
this role drive the network architecture efforts for computers in their organizations.
- Consultant. Users in this role are aware of security scenarios that span
all the business levels of an organization. IT consultants from both Microsoft Services
and partners take advantage of knowledge transfer tools for enterprise customers
and partners.
Note: Users who want to apply the prescriptive guidance in this
guide must, at a minimum, read and complete the steps to establish the EC environment in How
to Use the GPOAccelerator.
The following knowledge and skills are required for consultants, operations, help
desk and deployment staff, and security specialists who develop, deploy, and secure
server systems running Windows Server 2008 in an enterprise organization:
- MCSE on Microsoft Windows Server 2003 or a later certification and two or
more years of security-related experience, or equivalent knowledge.
- In-depth knowledge of the organization’s domain and Active
Directory environments.
- Experience with the Group Policy Management Console (GPMC).
- Experience in the administration of Group Policy using
the GPMC, which provides a single solution for managing all Group
Policy–related tasks.
- Experience using management tools including Microsoft Management Console (MMC),
Gpupdate, and Gpresult.
- Experience using the Security Configuration Wizard (SCW).
- Experience deploying applications and server computers in enterprise environments.
The primary purposes of this guide are to enable you to do the following:
- Use the solution guidance to efficiently create and apply tested security baseline configurations using Group Policy.
- Understand the reasoning for the security setting recommendations in the baseline configurations that the guide prescribes, and their implications.
- Identify and consider common security scenarios, and then use specific security
features in Windows Server 2008 to help you manage them in your environment.
- Understand role-based security for different workloads in Windows Server 2008.
The guide is designed to enable you to use only the relevant parts of it to meet
the security requirements of your organization. However, readers will gain the most
benefit by reading the entire guide.
This guide focuses on how to help create and maintain a secure environment for servers
running Windows Server 2008. The guide explains the different stages of how
to secure two different environments, and what each security setting addresses for
the servers deployed in either one. The guide provides prescriptive information
and security recommendations.
Client computers in the EC environment can run either Windows XP with SP2 or later or Windows Vista.
However, the servers that manage these client computers on the network must
run Windows Server 2008 or Windows Server 2003 with SP2 or later. Client
computers in the SSLF environment can only run Windows Vista and the servers
that manage them can only run Windows Server 2008.
This guide includes chapters that provide security recommendations about how to
harden the following server roles and the role services
that they provide:
- Active Directory Domain Services (AD DS)
- Dynamic Host Configuration Protocol (DHCP) Server
- Domain Name System (DNS) Server
- Web Server (IIS)
- File Services
- Print Services
- Active Directory Certificate Services (AD CS)
- Network Policy and Access Services
- Terminal Services
Note: Configuration information about how to set up a server role,
such as step-by-step configuration guidance on specific roles, is not in scope for
this guide. This guide only includes the security settings available in the operating
system that it recommends. However, more configuration information for Windows Server 2008
is available on the Windows
Server 2008 Step-by-Step Guides Web page on the Microsoft Download Center.
Hardening recommendations for the following server roles
are not included in this guide:
- Active Directory Federation Services
- Active Directory Lightweight Directory Services
- Active Directory Rights Management Services
- Application Server
- Fax Server
- Hyper-V
- Streaming Media Services
- UDDI Services
- Windows Deployment Services
For a thorough discussion of all the security settings in
Windows Server 2008, refer to the companion guide,
Threats and Countermeasures.
Guidance and Tool Requirements
This Solution Accelerator includes the following documents and workbooks:
After downloading the Windows
Server 2008 Security Guide Solution Accelerator from the Microsoft Download
Center, use the Microsoft Windows Installer (.msi) file to install these resources
on your computer in a location of your choice. Then you can download the
GPOAccelerator and the how-to guidance for this tool to create, test, and
deploy the security settings for the Windows Server 2008 Security
Guide.
Note: To access the GPOAccelerator tool and the How to Use the GPOAccelerator document,
extract the GPOAccelerator.zip archive for these resources.
This release of the Windows Server 2008 Security Guide
consists of 11 chapters, and an appendix that you can use to reference setting descriptions,
considerations, and values. The Windows Server 2008 Security Guide Settings
workbook file that accompanies the guide provides another resource that you can
use to compare and evaluate the Group Policy settings. In
addition, the Windows Server 2008 Attack Surface Reference
workbook provides summary information about services, files, and firewall rules
specific to each server role that the guide covers. The following figure shows the
guide structure to help inform you how to optimally implement and deploy the prescriptive
guidance.
The overview states the purpose and scope of the guide, defines the guide audience,
and indicates the organization of the guide to assist you in locating the information
relevant to you. It also describes the tools and templates that
accompany the guide, and the user prerequisites for the guidance. Brief descriptions
follow for each chapter and the appendix for the guide.
This chapter identifies the benefits to an organization of creating and deploying
a security baseline. The chapter includes high-level security
design recommendations that you can follow in preparation to implement either the
EC baseline settings or the SSLF baseline settings. The chapter explains important
security considerations for both the EC environment and
the SSLF environment, and the broad differences between these environments.
The Windows Server 2008 Security Guide Settings workbook that accompanies this
guide provides another resource that you can use to compare and evaluate the Group
Policy settings. The
GPOAccelerator tool is available as a separate download from the Microsoft
Download Center. For instructions on how to use the tool, see
How to Use the GPOAccelerator.
Caution: The guidance in this chapter positions your organization
to establish the SSLF environment, which is distinct from the EC environment.
The SSLF guidance is for high security environments only. It is not a supplement
to the guidance on the EC environment. Security settings prescribed for the SSLF
environment limit key functionality across the environment. For this reason, the
SSLF security baseline is not intended for most organizations.
Be prepared to extensively test the SSLF security baseline before implementing it
in a production environment.
This chapter provides an overview of built-in tools in Windows Server 2008
that can help you to quickly configure, maintain, and enforce all of the required
functionality for the servers in your environment. The chapter discusses using Server
Manager to
help reduce the attack surface of your servers by only configuring
the functionality that each specific server role requires.
The chapter then discusses how you can use the Security Configuration Wizard (SCW) to help maintain and enforce the configuration implemented
by Server Manager.
The chapter also provides information about Server Core,
a new installation option in Windows Server 2008.
This chapter discusses how organizations can harden Active
Directory Domain Services (AD DS)
to manage users and resources, such as computers, printers, and applications on
a network. AD DS in Windows Server 2008 includes a
number of new features that are not available in previous versions of Windows Server,
and some of these features focus on deploying AD DS more securely. Features
that enhance security in AD DS include new auditing capabilities,
fine-grained password policies, and
the ability to use read-only domain controllers (RODCs).
This chapter provides prescriptive guidance for hardening the
DHCP Server role. The chapter discusses DHCP Server and DHCP Client services in
Windows Server 2008 that include security-related enhancements for Network Access Protection (NAP) and DHCPv6
functionality.
This chapter provides prescriptive guidance for hardening the
DNS Server role. Windows Server 2008 provides enhancements in the DNS Server
service that focus on improving performance or provide new features, including background
zone loading to help circumvent potential denial-of-service (DoS) attacks, and support for RODCs
located in perimeter networks, branch offices, or other unsecured
environments.
This chapter provides prescriptive guidance for hardening the
Web Server role. The chapter discusses how the Web server role installs Microsoft®
Internet Information Services (IIS) 7.0, which has been
redesigned into forty modular components that you can choose to install as needed.
This chapter provides prescriptive guidance for hardening the
File Server role. File servers can provide a particular challenge to harden, because
balancing security and functionality of the fundamental services that they provide
is a fine art. Windows Server 2008 introduces a number of new features that
can help you control and harden a file server in your environment.
This chapter provides prescriptive guidance for hardening the
Print Server role. Significant security changes were introduced to printing services
in the operating system for Windows Vista, and these changes
have also been incorporated into Windows Server 2008 for your organization
to take full advantage of them.
This chapter provides prescriptive guidance for hardening Active
Directory Certificate Services (AD CS) on a server
running Windows Server 2008. AD CS provides customizable services for
creating and managing public key certificates used in software security systems
that employ public key technologies. The chapter discusses how your organization
can use AD CS to enhance security by binding the identity of a person, device,
or service to a corresponding private key.
This chapter provides prescriptive guidance for hardening Network Policy and Access Services on
servers running Windows Server 2008. Network Policy and Access Services (NPAS) in Windows Server 2008 provide technologies that allow
you to deploy and operate a virtual private network (VPN), dial-up
networking, 802.1x protected wired and wireless access, and Cisco Network Admission
Control (NAC)-based devices.
The chapter discusses how you can use NPAS to define and
enforce policies for network access
authentication and authorization, as well as
client health using Network Policy Server (NPS), the Routing
and Remote Access Service, Health Registration Authority (HRA), and the Host Credential Authorization Protocol (HCAP).
This chapter provides prescriptive guidance for hardening Terminal
Services on servers running Windows Server 2008.
These servers provide essential services that allow users to access Windows-based
programs or the full Microsoft Windows® desktop from various locations. Windows
Server 2008 includes a number of specific role services for this technology
that your organization can use, including TS Licensing to manage Terminal Server
client access licenses (TS CALS) that are required for devices and users to
connect to a terminal server.
The chapter also discusses how the Terminal Services Session
Broker (TS Session Broker) role service supports reconnection to an existing
session on a terminal server that is a member of a load-balanced terminal server
farm, how the Terminal Services Gateway (TS Gateway) role service enables authorized
users to connect to terminal servers and remote desktops on the corporate network over the Internet using RDP via HTTPS, and how the Terminal
Services Web Access (TS Web Access) role service allows authorized users to
gain access to terminal servers via a Web browser.
The appendix includes descriptions and tables that detail the prescribed settings
in the EC and SSLF security baselines for this guide. The
appendix describes each setting and the reasoning for its configuration value.
The appendix also indicates setting differences between Windows Server 2008
and Windows Server 2003.
This guide uses the following style conventions.
Table 1.1. Style Conventions
| Element | Meaning |
| --- | --- |
| Bold font | Signifies characters typed exactly as shown, including commands, switches and file names. User interface elements also appear in bold. |
| Italic font | Titles of books and other substantial publications appear in italic. |
| <Italic> | Placeholders set in italic and angle brackets <filename> represent variables. |
| | Defines code and script samples. |
| Note | Alerts the reader to supplementary information. |
| Important | An important note provides information that is essential to the completion of a task. |
| Warning | Alerts the reader to essential supplementary information that should not be ignored. |
| ‡ | This symbol denotes specific Group Policy setting modifications or recommendations. |
| § | This symbol denotes Group Policy settings that are new to Windows Server 2008. |
The following resources provide additional information about security topics and
in-depth discussion of the concepts and security prescriptions in this guide on
Microsoft.com:
The Solution Accelerators – Security and Compliance (SA–SC) team would appreciate
your thoughts about this and other solution accelerators.
Please send your comments using the following resources:
We look forward to hearing from you.
The Solution Accelerators – Security and Compliance (SA–SC) team would like to acknowledge
and thank the team that produced the Windows Server 2008 Security
Guide. The following people were either directly responsible or made a
substantial contribution to the writing, development, and testing of this solution.
Content Developers
Byron Hynes – Microsoft
Benjamin Curry – Content Master
Doug Steen – Wadeware LLC
Richard Harrison – Content Master
Developers
José Maldonado – Microsoft
Bhakti Bhalerao – Infosys Technologies Ltd
Naresh Krishna Kumar Kulothungan – Infosys Technologies Ltd.
Editors
John Cobb – Wadeware LLC
Steve Wacker – Wadeware LLC
Product Managers
Alain Meeus – Microsoft
Jim Stuart – Microsoft
Program Managers
Vlad Pigin – Microsoft
Release Manager
Karina Larson – Microsoft
Test Manager
Gaurav Singh Bora – Microsoft
Testers
Beenu Venugopal – Infosys Technologies Ltd.
Sumit Parikh – Infosys Technologies Ltd.
Swaminathan Viswanathan – Infosys Technologies Ltd.
Derick Campbell, Chase Carpenter, Nils Dussart, Michiko Short, Siddharth Bhai, Brad
Mahugh, Thomas Deml, Nazim Lala, Pitchai "Elango" Elangom, Ashwin Palekar, Sudarshan
Yadav, Daniel H. Brown, Georgi Matev, David Kruse, Adrian Lannin, Frank Olivier,
Brandon Baker, Nathan Muggli, Pankaj Chhabra, Abhishek Pathak, Ramasubramanian K.
Neelmani, Jim Groves, Jeff Westhead, Dan Kaminsky, Oded Ye Shekel, Greg Lindsay,
Anthony Leibovitz, Sreenivas Addagatla, Lambert Green, Chandra Nukala, Richard Costleigh,
David Kennedy, Marco Nuijen, Robert Hoover, Sanjay Pandit, Ido Dubrawsky,
Doug Neal, Roger Grimes, Eugene Siu, Richard Lewis, Herbert Mauerer, Enrique Saggese,
Manu Jeewani, Sanjay Pandit, Jan De Clercq (Hewlett-Packard), Jorge de Almeida Pinto
(MVPS), Juergen Otter (Siemens AG), Renato Miguel de Barros (Modulo Security Solutions),
John Addeo (Dimension Data America), Derek Seaman (PointBridge), Alex Vandurme (NCIRC/NATO),
David Vanophalvens (NCIRC/NATO), Raf Cox, Jan Decrock, Aaron Margosis, Greg Marshall, Starr Andersen.
Note: The United States Department of Commerce National Institute
of Standards and Technology (NIST) participated in the review of this Microsoft
security guide and provided comments that were incorporated into the published version.
Note: At the request of Microsoft, the National Security Agency
Information Assurance Directorate participated in the review of this Microsoft security
guide and provided comments that were incorporated into the published version.