Windows Server 2008 in an Organization's Defense in Depth Strategy
By Jay Paloma, MCSE, MVP: Windows - Security
See other Security MVP Article of the Month columns.
Defense in depth is the security strategy wherein network defenses are layered, so that a breach in one layer only leads the attacker to the next layer of defensive countermeasures. This increases the likelihood of the attacker being detected, and provides the opportunity for additional countermeasures to be put into place. This article provides an overview of the different security features and enhancements in Windows Server 2008, and discusses how you can use them in your organization's defense in depth strategy.
I love to play real-time strategy games. Right now, I’m hooked on Age of Empires III. Not only does this game teach the importance of maintaining a balanced economy to gradually build a powerful army, but it also gives players the opportunity to see in action the military concept of defense in depth. Knowing how this strategy works in a battle simulation has helped me learn how to apply its benefits to defending network systems. I wrote about applying defense in depth in gaming in this article entitled Defense in Depth in Age of Empires III: The War Chiefs.
Defense in Depth
Defense in depth is a military strategy that aims to delay the advance of the opponent by maintaining multiple, layered lines of defense rather than just one strong defensive line.
In terms of network security, defense in depth is the security strategy wherein network defenses are layered so that a breach in one layer only leads the attacker to the next layer of defensive countermeasures. Layering network defenses helps to prevent direct attacks against critical systems and data, increases the likelihood of the attacker being detected, and gives the defender more time to realign defenses to where they are really needed in the event of an actual, ongoing attack.
The layers of defensive positions in defense in depth are as follows:
Data. An attacker’s ultimate target, including your databases, Active Directory service information, documents, and so on.
Application. The software that manipulates the data that is the ultimate target of attack.
Host. The computers that are running the applications.
Internal Network. The network in the corporate IT infrastructure.
Perimeter. The network that connects the corporate IT infrastructure to another network, such as to external users, partners, or the Internet.
Physical. The tangible aspects in computing: the server computers, hard disks, network switches, power, and so on.
Policies, Procedures, Awareness. The overall governing principles of the security strategy of any organization. Without this layer, the entire strategy fails.
One very important design goal for the Windows Server 2008 operating system was to make the product itself as secure as possible, and at the same time to provide new and improved security features. The following sections examine how some of those security features fit into a defense-in-depth strategy.
Physical Security
The Windows Server 2008 security features described below will not prevent a physical attack against a resource on your network (for example, someone stealing a server computer or a hard disk), but they limit what an attacker gains from a successful physical attack.
Read-Only Domain Controller (RODC). This new Active Directory feature is reminiscent of a Windows NT backup domain controller in that it holds a read-only copy of the directory database: nothing is ever written locally, and replication is one-way, from writable domain controllers to the RODC. The difference that matters for physical security is what the RODC stores. It replicates the directory objects and attributes like any other domain controller, except account secrets (password hashes and related credentials). Those are cached only for accounts that the RODC's Password Replication Policy allows and that have actually authenticated through that RODC (or whose secrets an administrator deliberately prepopulated). Privileged accounts, such as members of the Administrators, Domain Admins and Enterprise Admins groups, are explicitly denied, so their secrets never land on the RODC. An RODC does not stop a domain controller from being carried off the premises, but it limits the damage by caching only the credentials that policy permits. RODCs are best placed in branch offices, where physical security of the server computer is rarely as tight as at a head office.
By default, only members of the Allowed RODC Password Replication Group can have their passwords cached on an RODC, and caching happens the first time such an account authenticates through that RODC. The default policy's deny list contains the Administrators, Account Operators, Backup Operators and Server Operators groups plus the Denied RODC Password Replication Group (Domain Admins, Enterprise Admins, Schema Admins and other privileged groups), and a deny entry always wins over an allow entry. Because only limited-permission account secrets are available on the RODC, if a server functioning as an RODC is physically compromised (stolen, for example) and password extraction tools are run against its copy of the directory, the exposure is limited to the non-administrative accounts whose secrets were cached at that moment. Administrator-equivalent accounts are not exposed because none of their secrets are stored there. Two practical consequences follow: review which accounts are actually cached on each RODC (the RODC keeps this list), and if an RODC is lost, reset the passwords of every cached user and computer account, which the wizard for deleting the RODC's computer account offers to do for you.
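The policy review and clean-up just described can be scripted with repadmin.exe, which ships with Windows Server 2008. The following is an added example and not code from the article; it assumes an RODC named RODC01, a writable hub domain controller named HUBDC01, a domain corp.contoso.com, and a branch group and users whose names are invented for illustration. Run it from a full installation as a domain administrator.

```powershell
# Added example, not from the original article. RODC01, HUBDC01, the domain
# corp.contoso.com and the account/group names below are made up.
$rodc        = "RODC01"
$hubDc       = "HUBDC01"
$branchGroup = "CN=Branch01 Users,OU=Groups,DC=corp,DC=contoso,DC=com"
$visitor     = "CN=Alice Branch,OU=Users,DC=corp,DC=contoso,DC=com"
$admin       = "CN=Bob Admin,OU=Users,DC=corp,DC=contoso,DC=com"

# 1. Show the effective Password Replication Policy of the RODC.
repadmin /prp view $rodc allow     # accounts whose secrets may be cached
repadmin /prp view $rodc deny      # accounts whose secrets must never be cached

# 2. Allow the branch group. The deny list is left alone; deny wins regardless.
repadmin /prp add $rodc allow $branchGroup

# 3. Which secrets are cached right now? This list is exactly the exposure
#    if RODC01 is stolen, so it should contain branch accounts only.
repadmin /prp view $rodc reveal

# 4. Which accounts authenticated through RODC01 but are not cached yet?
#    Handy for deciding who really belongs in the allow list.
repadmin /prp view $rodc auth2

# 5. Resultant policy for a single account: a privileged user should show as
#    denied even if some group in the allow list contains him.
repadmin /prp view $rodc $admin

# 6. Pre-populate the cache for a user who will work in the branch, so the
#    first logon succeeds even when the WAN link to HUBDC01 is down.
repadmin /rodcpwdrepl $rodc $hubDc $visitor
```

If the reveal list ever shows an account that is not a branch user or branch workstation, the allow list is too broad; tighten it and reset that account's password, because the secret has already been copied to the branch.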
Windows BitLocker Drive Encryption and the Encrypting File System (EFS). Both features encrypt data at rest on the hard disk. The main difference is scope: BitLocker encrypts an entire volume, including the operating system volume, with a key that is sealed by the computer's Trusted Platform Module (TPM) or kept on a USB startup key, whereas EFS encrypts individual files and folders with keys tied to the user's certificate, and therefore to the user's logon credentials. On Windows Server 2008, BitLocker is an optional feature that must be installed before it can be used. Should a hard disk be physically compromised (stolen, for example), both features render the data unreadable when the disk is placed in another computer: with EFS, the encrypted files and folders are unreadable; with BitLocker, the entire volume, operating system included, is inaccessible. Two caveats apply. BitLocker protects data only while the system is offline; a server stolen while running, or a volume whose protectors have been suspended, gives it up. And an EFS-protected file is only as strong as the user's password and the data recovery agent's private key, so both need protecting in their own right.
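A quick way to audit both features on a server is the script below. It is an added example, not code from the article, and assumes Windows Server 2008 with the BitLocker Drive Encryption feature installed and PowerShell running elevated; the folder and file names are invented. It uses the Win32_EncryptableVolume WMI class, which is how BitLocker is managed on Windows Server 2008, and cipher.exe for EFS.

```powershell
# Added example, not from the original article. Assumes the BitLocker feature
# is installed (ServerManagerCmd -install BitLocker) and an elevated shell.

# BitLocker: report whether protection is actually ON for each volume.
# A volume can be 100% encrypted yet have its protectors suspended
# (ProtectionStatus 0); such a volume is readable in another machine, so check
# ProtectionStatus and not only the conversion percentage.
function Get-BitLockerStatus {
    $ns = "root\cimv2\security\microsoftvolumeencryption"
    Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume | ForEach-Object {
        $prot = $_.GetProtectionStatus()   # ProtectionStatus: 0 = off, 1 = on, 2 = unknown
        $conv = $_.GetConversionStatus()   # EncryptionPercentage: 100 = fully converted
        $_ | Select-Object DriveLetter,
            @{Name = "Protected";   Expression = { $prot.ProtectionStatus -eq 1 }},
            @{Name = "PercentDone"; Expression = { $conv.EncryptionPercentage }}
    }
}
Get-BitLockerStatus | Format-Table -AutoSize

# EFS: mark a folder so that every file created in it is encrypted, confirm the
# attribute on a file, and list the certificates able to decrypt it. If no data
# recovery agent appears in that list, a lost user key means lost data: define
# a DRA in Group Policy (cipher /r generates the certificate) before relying on EFS.
$secureDir = "C:\SensitiveData"                     # made-up folder
New-Item -ItemType Directory -Path $secureDir -Force | Out-Null
cipher /e /s:$secureDir
Set-Content -Path "$secureDir\payroll.txt" -Value "constructed sample data"
$attrs = (Get-Item "$secureDir\payroll.txt").Attributes
"Encrypted attribute set: " + (($attrs -band [IO.FileAttributes]::Encrypted) -ne 0)
cipher /c "$secureDir\payroll.txt"
```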
A frequently asked question about BitLocker and EFS is whether they encrypt data while it is in transit on the network. The answer is no: they encrypt data as it is written to the hard disk and decrypt it as it is read. Data that is encrypted with BitLocker or EFS travels over the network in the clear. The appropriate solution for encrypting data on the network is Internet Protocol security (IPsec), which in Windows Server 2008 is configured as connection security rules in Windows Firewall with Advanced Security.
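To show what that looks like in practice, here is an added example (not from the article) that creates a connection security rule on a Windows Server 2008 file server requiring IPsec, with Kerberos computer authentication, for inbound traffic from a client subnet and requesting it outbound. The subnet and rule name are invented. The same rule has to reach the clients, normally through Group Policy, or a "require inbound" rule locks them out.

```powershell
# Added example, not from the original article. Run elevated; 10.0.1.0/24 and
# the rule name are made up.
netsh advfirewall consec add rule name="Require IPsec from client LAN" `
    endpoint1=any endpoint2=10.0.1.0/24 `
    action=requireinrequestout auth1=computerkerb `
    enable=yes profile=domain

# Verify after a client connects: main-mode and quick-mode security
# associations must exist, otherwise traffic is still in the clear.
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa

# Roll back if un-configured clients are cut off:
# netsh advfirewall consec delete rule name="Require IPsec from client LAN"
```

Start with requestinrequestout while the client policy is being rolled out, then switch to requireinrequestout once every client negotiates successfully.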
Perimeter Security
Terminal Services Gateway (TS Gateway) and Terminal Services RemoteApp (TS RemoteApp). These two features are usually deployed together. TS Gateway tunnels Remote Desktop Protocol (RDP) traffic inside HTTPS (TCP port 443), so that external clients reach internal terminal servers and desktops through one authenticated entry point without a VPN; connection authorization policies decide who may connect, and resource authorization policies decide which internal computers they may reach. TS RemoteApp publishes individual applications rather than a whole desktop: the program runs on the terminal server and appears as its own window on the client. RemoteApp programs can be delivered through TS Gateway, through a TS Web Access portal, or as .rdp files. The Windows Server 2008 computer that hosts the TS Gateway role can sit on the perimeter network. The benefit is that you no longer need to grant virtual private network (VPN) access, and the broad reach into the internal network that comes with it, to an external entity; instead you publish only the server or application through the gateway.
In the image below, the Calculator instance is not running on the client; it runs on the server that hosts Terminal Services Web Access (TS Web Access). The ideal scenario is that whenever an external entity needs a specific application (for example, the consultant for an enterprise resource planning solution needs the ERP configuration console), instead of giving that person RDP access to the entire computer, you give access only to the specific applications published through TS RemoteApp, with the connection brokered by TS Gateway.
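The following added example (not from the article) builds the .rdp file that such a consultant would receive: it routes the session through TS Gateway and publishes only the Calculator alias, then signs the file with rdpsign.exe, which ships with Windows Server 2008, so that clients configured to trust only signed publishers will accept it. Host names, the RemoteApp alias, the output path and the certificate thumbprint are invented.

```powershell
# Added example, not from the original article. gateway.contoso.com,
# ts01.corp.internal, the "calc" alias, C:\Publish and the thumbprint are made up.
$rdp = @"
full address:s:ts01.corp.internal
gatewayhostname:s:gateway.contoso.com
gatewayusagemethod:i:1
gatewaycredentialssource:i:0
gatewayprofileusagemethod:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||calc
remoteapplicationname:s:Calculator
alternate shell:s:rdpinit.exe
authentication level:i:2
prompt for credentials:i:1
"@
New-Item -ItemType Directory -Path "C:\Publish" -Force | Out-Null
$file = "C:\Publish\Calculator.rdp"
Set-Content -Path $file -Value $rdp -Encoding Unicode

# Sign with the publisher certificate (SHA-1 thumbprint of a cert in the
# computer's personal store that clients trust), then verify the signature.
$thumbprint = "0123456789abcdef0123456789abcdef01234567"   # placeholder value
rdpsign /sha1 $thumbprint $file
rdpsign /sha1 $thumbprint /v $file
```

gatewayusagemethod 1 forces every connection through the gateway, so the internal terminal server never has to be reachable from outside; remoteapplicationmode 1 with the ||calc alias means the user gets that published program and nothing else.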
Internal Network Security
Windows Firewall with Advanced Security. The main difference between Windows Firewall in Windows XP SP2 and Windows Server 2003, and Windows Firewall with Advanced Security in Windows Vista and Windows Server 2008, is that the former filters only incoming traffic, while the latter filters outgoing traffic as well. Windows Firewall with Advanced Security is also policy-based (rules are scoped to the Domain, Private and Public network profiles and can be pushed through Group Policy), it integrates IPsec connection security rules, and it is enabled by default. Note the default behaviour, though: inbound connections are blocked unless a rule allows them, but outbound connections are allowed unless a rule blocks them, so outbound filtering only has an effect once you change that default or add block rules.
The preceding image shows the firewall rules that are created automatically on an Active Directory domain controller. The domain controller role needs 13 inbound rules and at least 4 outbound rules to function properly and securely. Creating those rules by hand, and then troubleshooting the connections that fail when one of them is wrong, would cost an administrator a lot of time. Instead, use Server Manager in Windows Server 2008 to add server roles and features: it enables the predefined firewall rule groups that each role requires.
A common question is whether the firewall in Windows Server 2008 can protect the internal network in an edge-firewall capacity. It was not designed for that: it is a host firewall that filters traffic to and from the computer it runs on, not a gateway between networks. The appropriate products for the edge are Microsoft Internet Security and Acceleration (ISA) Server 2006 and Intelligent Application Gateway (IAG) 2007.
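The same configuration Server Manager performs can be inspected and adjusted from the command line with netsh advfirewall. This is an added example, not code from the article; the rule name, the domain controller address and the backup path are invented, and the predefined group name is an assumption to check against your own rule list.

```powershell
# Added example, not from the original article. Run elevated on Windows
# Server 2008; 10.0.0.10, the rule name and C:\Backup are made up.

# 1. State and default actions of the Domain, Private and Public profiles.
netsh advfirewall show allprofiles

# 2. The default is BlockInbound,AllowOutbound. Outbound filtering only bites
#    once the policy is changed; the strict form is commented out because it
#    breaks everything that lacks an explicit allow rule.
netsh advfirewall set domainprofile firewallpolicy blockinbound,allowoutbound
# netsh advfirewall set domainprofile firewallpolicy blockinbound,blockoutbound

# 3. Log dropped packets so blocked connections are visible in
#    %systemroot%\system32\LogFiles\Firewall\pfirewall.log when troubleshooting.
netsh advfirewall set allprofiles logging droppedconnections enable

# 4. Enable a predefined rule group instead of hand-writing port rules, which
#    is what Server Manager does for a role. (Group name assumed.)
netsh advfirewall firewall set rule group="Remote Administration" new enable=yes

# 5. Add a narrowly scoped outbound rule and read it back.
netsh advfirewall firewall add rule name="Allow LDAP to DC01" dir=out action=allow `
    protocol=TCP remoteport=389 remoteip=10.0.0.10 profile=domain
netsh advfirewall firewall show rule name="Allow LDAP to DC01"

# 6. Export the complete policy so the baseline can be restored or imported
#    into a GPO.
New-Item -ItemType Directory -Path "C:\Backup" -Force | Out-Null
netsh advfirewall export "C:\Backup\wfas-baseline.wfw"
```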
Network Access Protection (NAP). Because of its flexibility, NAP cuts across two layers of the defense-in-depth strategy: it protects your perimeter and your internal network connections. NAP checks the health of clients (whether the firewall is on and antivirus signatures and updates are current, as reported by the client's system health agents) when they connect from outside through VPN, TS Gateway or dial-up, and also when internal clients obtain local area network (LAN) access through Dynamic Host Configuration Protocol (DHCP), through 802.1X-capable switches, and through wireless LAN (WLAN) access points. Non-compliant clients can be confined to a remediation network until they are fixed. NAP also underpins IPsec enforcement: it issues health certificates that define a logical boundary, so that some connections can require an IPsec peer holding a valid health certificate while others merely request it. Keep in mind that DHCP enforcement is the weakest mode, since a client with a static IP address bypasses it entirely. There is much more that NAP can do, but that is outside the scope of this article.
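On the client side, NAP only works when the NAP Agent service runs and the right enforcement client is switched on, which is the first thing to check when a machine is unexpectedly placed in the restricted network. The commands below are an added example, not from the article; the enforcement client identifier is the one the netsh nap documentation assigns to the IPsec Relying Party, and Group Policy settings, where present, override these local ones.

```powershell
# Added example, not from the original article. Run elevated on a Windows
# Server 2008 or Windows Vista NAP client.

# 1. The NAP Agent service must be running for any enforcement client to report
#    health; make it automatic and start it.
sc.exe config napagent start= auto
sc.exe start napagent

# 2. Enable the IPsec Relying Party enforcement client (ID 79619 per the
#    netsh nap documentation) and confirm the local configuration.
netsh nap client set enforcement id=79619 admin=enable
netsh nap client show configuration

# 3. Group Policy overrides local settings; show what policy delivered.
netsh nap client show grouppolicy

# 4. Current state: whether the client was judged compliant and which
#    enforcement clients initialized.
netsh nap client show state
```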
Host Security
Server Core. Server Core is an installation option of Windows Server 2008 without the graphical shell that the Windows operating system usually provides. Local administration is done from a command prompt window; remote administration uses MMC snap-ins, Windows Remote Shell (WinRS) over WinRM, and scripts, which can be driven from Windows PowerShell on another computer through WMI (PowerShell itself does not run on Server Core in Windows Server 2008). Server Core is most definitely a host-level security feature, because it is stripped down to essential operating system services such as networking, file and printer sharing, Active Directory, DNS, DHCP and Windows Firewall. It does not include Internet Explorer, Windows Media Player, the Explorer shell, the .NET Framework or other components that are not essential to the server's function and that attackers might try to exploit. One approach to hardening a server is to disable services that are not essential, to narrow the target profile. Server Core does more than disable unneeded components: it does not install them in the first place, which also means fewer patches to apply and fewer reboots.
A Read-Only Domain Controller (RODC) installed on a Server Core machine is the ideal domain controller setup for a branch office where physical security may not be as tight as in the main office of the organization. Because the dcpromo wizard needs the graphical interface, promotion on Server Core is driven by an answer file. For more information about how to create an RODC on a Server Core computer, see the article Windows Server 2008 RC0: How to Promote Server Core Installation to a Read Only Domain Controller.
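The following added example (not from the article) shows such an answer file for promoting a Server Core installation to an RODC, with the Password Replication Policy and a delegated branch administrator set at promotion time. Domain, site, group and account names are invented; Password=* makes dcpromo prompt for the domain credentials rather than storing them in the file, and the file is written from a full installation because Server Core in Windows Server 2008 has no PowerShell.

```powershell
# Added example, not from the original article. corp.contoso.com, Branch01,
# the groups and the user are made up. Prepare the file on an admin
# workstation, copy it to the Server Core box, and run the cmd.exe lines there.
$answerFile = @"
[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=corp.contoso.com
SiteName=Branch01
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=corp.contoso.com
UserName=corp\dcadmin
Password=*
PasswordReplicationAllowed="corp\Branch01 Users"
PasswordReplicationDenied="BUILTIN\Administrators"
DelegatedAdmin="corp\Branch01 Server Admins"
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=ChangeMe-DSRM-2008!
RebootOnCompletion=Yes
"@
Set-Content -Path "C:\rodc-unattend.txt" -Value $answerFile

# On the Server Core box, at the cmd.exe prompt:
#   dcpromo /unattend:C:\rodc-unattend.txt
#   del C:\rodc-unattend.txt          (it contains the DSRM password)
#   netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
#   oclist                            (review what is installed; nothing beyond
#                                      the DC and DNS roles should be present)
```

DelegatedAdmin lets the branch administrator log on to and patch the RODC without holding Domain Admins rights, which is exactly the separation the RODC design is meant to give.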
Data Security
Active Directory Rights Management Services (AD RMS). Permissions on data and documents used to apply only at the point of access, on the hard drive or on a network share. Once a document had been opened or copied, its security was virtually none. With AD RMS, usage policy travels with the document and is enforced by RMS-aware applications even after it has left the file server: the information owner can control who may view, copy, edit or print a document, and who may reply to, forward or print an e-mail message, for individuals inside the organization or, through Active Directory Federation Services (AD FS), in a partner organization. The protection holds only inside applications that honour it and cannot stop a photograph of the screen, so AD RMS is a control against accidental and casual leakage rather than against a determined insider.
In summary, the security features discussed in this article map to the layers of the defense in depth strategy as follows:
Read-Only Domain Controller. Physical.
BitLocker Drive Encryption and EFS. Physical, and Data at rest.
TS Gateway and TS RemoteApp. Perimeter.
Windows Firewall with Advanced Security. Internal Network and Host.
Network Access Protection. Perimeter and Internal Network.
Server Core. Host.
AD RMS. Data.
By understanding the role each Windows Server 2008 security feature plays in your defense in depth strategy, you can make better use of these features and provide the best possible security for your network.