Executive Overview

Published: June 1, 2008   |   Updated: February 27, 2008

IT security is everybody's business. Every day, adversaries are attempting to invade your networks and access your servers to bring them down, infect them with viruses, or steal information about your customers or employees. Attacks come from all directions: from onsite employee visits to Web sites infected with malware, to offsite employee connections through VPNs, branch office network connections to corporate servers, or direct assaults on vulnerable computers or servers in your network. Organizations of all sizes now also face more complex and demanding audit requirements.

You know firsthand how essential your servers are to keeping your organization up and running. The data they house and the services they provide are your organization’s lifeblood. It’s your job to stand guard over these essential assets, prevent them from going down or falling victim to attacks from outside and inside your organization, and to prove to auditors that you have taken all reasonable steps to secure your servers.

Windows Server® 2008 is engineered from the ground up with security in mind, delivering an array of new and improved security technologies and features that provide a solid foundation for running and building your business. To help you quickly configure, deploy, and manage the security settings in Windows Server 2008 across your organization, Microsoft is developing the Windows Server 2008 Security Guide. This guidance is designed to further enhance the security of the servers in your organization by taking full advantage of the security features and options in Windows Server 2008.

The team is producing a prescriptive security guide you can rely on that is:

  • Proven. Based on field experience.
  • Authoritative. Offers the best advice available.
  • Accurate. Technically validated and tested.
  • Actionable. Provides the specific steps to success.
  • Relevant. Addresses real-world security concerns.
  • Supported. Recommendations are fully supported by Microsoft Product Support.

How Does the Windows Server 2008 Security Guide Help Secure Your Business?

The Windows Server 2008 Security Guide describes how to structure your environment based on best practices to maintain an appropriate level of security while allowing you to minimize the total cost of securing your IT environment. Our guidance is based on extensive, real-world experience from customers, government agencies, and Microsoft security experts.

Because increasing security always results in a trade-off between cost and functionality, the guide prescribes security settings that are appropriate for most business enterprise environments. The guide also prescribes a second group of security settings that are appropriate for environments that require increased security with more central control. These options give your organization the choice to either harden a general computing environment or establish a more "locked down" environment where concern for security is so great that it outweighs a potential loss of functionality.

Both security setting configurations have been thoroughly tested in Microsoft labs, and validated by customers and partners under real-world conditions. You can implement the baseline security settings immediately, which helps to reduce the time and expense you need to invest, and you also can easily tailor the configuration you choose by modifying any of the security settings to accommodate the unique needs of your organization.

Deploy Your Security Baseline Quickly and Reliably

The powerful GPOAccelerator tool is available as a separate download to enable you to automatically deploy a tested configuration of Group Policy security settings across your organization — in minutes, instead of hours or days.

The tool creates all of the Group Policy objects (GPOs) you need to deploy the security configuration you choose. The tool also eliminates many manual steps in the deployment process to give you faster and more reliable results. With more than 200 security and privacy setting options, you can fine-tune your deployment of Windows Server 2008, balancing your organization’s needs for security and functionality.

Harden Your Server Workloads

This security guide also includes detailed guidance on how to further harden Windows Server 2008. While Windows Server 2008 is designed from the ground up to be "secure," there are two important aspects to consider:

  • First, it is important to maintain your configuration. By applying the baseline security settings, the secure defaults are reinforced.
  • Second, each organization must choose the appropriate level of security versus functionality. By reviewing our guidance, you can determine if the default is too restrictive, not secure enough or "just right" for your organization.

The guide provides settings for several different server "workloads," including servers that perform as domain controllers, and others that provide DNS, DHCP, Web, File, and Print services. The tested guidance describes how to harden key services like Active Directory® Certificate Services (AD CS), Network Access Services, and Terminal Services.

Security Setting Recommendations

The security guide includes a comprehensive technical reference that explains what each prescribed security setting in the Windows Server 2008 Security Guide does, provides recommended configurations, and identifies the threats that each setting mitigates. The Windows Server 2008 Security Guide Settings workbook lists all of the prescribed settings for each of the preconfigured security baselines that the guide prescribes. The Windows Server 2008 Attack Surface Reference workbook also provides you with another valuable reference.

Windows Server 2008 Security Benefits

Windows Server 2008 has been designed from the beginning with security fully in mind. Use the information and settings provided in the Windows Server 2008 Security Guide to get the most from these features. Some of the primary new security benefits in the operating system allow your organization to:

  • Protect your network against unauthorized or unhealthy computers. Network Access Protection helps to protect your network by enforcing customized health requirement policies on computers, automatically updating computers to meet compliance requirements, and optionally confining noncompliant computers to a restricted network until they meet the network access requirements of your organization.
  • Deploy small footprint specialized servers. Server Core, a minimal server installation option, enables you to only install core functionality to limit exposure and reduce management overhead.
  • Secure server communication. Windows Server Firewall with Advanced Security combines firewall and Internet Protocol security (IPsec) management into one tool so that you can more easily manage secure communication.
  • Improve branch office security. The new Read-Only Domain Controller (RODC) configuration option helps to protect Active Directory Domain Services (AD DS) if the branch office domain controller is compromised.
  • Reduce server attack surfaces. Workload-based roles and components allow you to deploy only the server roles you need with more security and less attack surface.
  • Control service security. Windows Service Hardening helps protect critical server services from being compromised by abnormal activity in the file system, registry, or network. Each service in Windows Server 2008 is designed with reduced privilege and has been "profiled" to access only specific files, registry entries or network interfaces to limit any damage if a service is compromised.
  • Provide best-of-breed data encryption. Cryptography Next Generation (CNG) implements the Suite B cryptographic algorithms defined by the United States government. Suite B includes algorithms for data encryption, digital signatures, key exchange, and hashing. CNG also allows third parties, such as smart card vendors, to "plug in" to the infrastructure with less effort and expense.

More Information

For more information about Windows Server 2008 and the security guide, see the following resources:

This accelerator is part of a larger series of tools and guidance from Solution Accelerators.
