Published: February 27, 2008

Welcome to the Windows Server 2008 Security Guide. This guide provides instructions and recommendations to help strengthen the security of computers running Windows Server® 2008 that are members of an Active Directory® domain.

In addition to the guidance that the Windows Server 2008 Security Guide prescribes, this Solution Accelerator provides tools, step-by-step procedures, recommendations, and processes that significantly streamline the deployment process. This guide not only provides you with effective security setting guidance. It also provides you with a reproducible method that you can use to apply the guidance to both test and production environments.

The key tool that this Solution Accelerator provides for you is the GPOAccelerator. The tool enables you to run a script that automatically creates all the Group Policy objects (GPOs) you need to apply this security guidance. The Windows Server 2008 Security Guide Settings workbook that accompanies this guide provides another resource that you can use to compare and evaluate the Group Policy settings.

Microsoft engineering teams, consultants, support engineers, partners, and customers have reviewed and approved this prescriptive guidance to make it:

• Proven. Based on field experience.
• Authoritative. Offers the best advice available.
• Accurate. Technically validated and tested.
• Actionable. Provides the steps to success.
• Relevant. Addresses real-world security concerns.

Microsoft has published security guides for Windows Server 2003 and Windows 2000 Server. This guide references significant security enhancements in Windows Server 2008. The guide was developed and tested with computers running Windows Server 2008 joined to a domain that uses Active Directory® Domain Services (AD°DS).

As the operating system continues to evolve through future releases, you can expect updated versions of this guidance to include more security enhancements. Solution Accelerators are also available to assist you with the deployment and operation of Windows Server 2008. For more information about all available Solution Accelerators, visit Solution Accelerators on TechNet.

Executive Summary

IT security is everybody's business. Every day, adversaries are attempting to invade your networks and access your servers to bring them down, infect them with viruses, or steal information about your customers or employees. Attacks come from all directions: from onsite employee visits to Web sites infected with malware, to offsite employee connections through virtual private networks (VPNs), branch office network connections to corporate servers, or direct assaults on vulnerable computers or servers in your network. Organizations of all sizes now also face more complex and demanding audit requirements.

You know firsthand how essential your servers are to keeping your organization up and running. The data they house and the services they provide are your organization’s lifeblood. It is your job to stand guard over these essential assets, prevent them from going down or falling victim to attacks from outside and inside your organization, and to prove to auditors that you have taken all reasonable steps to secure your servers.

Windows Server 2008 is engineered from the ground up with security in mind, delivering an array of new and improved security technologies and features that provide a solid foundation for running and building your business. The Windows Server 2008 Security Guide is designed to further enhance the security of the servers in your organization by taking full advantage of the security features and options in Windows Server 2008.

This guide builds on the Windows Server 2003 Security Guide, which provides specific recommendations about how to harden servers running Windows Server 2003 with Service Pack 2 (SP2). The Windows Server 2008 Security Guide provides recommendations to harden servers that use security baselines for the following two environments:

• Enterprise Client (EC). Servers in this environment are located in a domain that uses AD DS and communicate with other servers running Windows Server 2008 or Windows Server 2003 SP2 or later. The client computers in this environment include a mixture: some run Windows Vista® whereas others run Windows XP with SP2 or later. For information about the baseline security settings that this environment uses, see "Appendix A: Security Group Policy Settings."
• Specialized Security – Limited Functionality (SSLF). Concern for security in this environment is so great that a significant loss of functionality and manageability is acceptable. For example, military and intelligence agency computers operate in this type of environment. The servers in this environment run only Windows Server 2008. For information about the SSLF settings that this environment uses, see "Appendix A: Security Group Policy Settings."

  Caution   The SSLF security settings are not intended for the majority of enterprise organizations. The configuration for these settings has been developed for organizations where security is more important than functionality.

The organization of the guide enables you to easily access the information that you require. The guide and its associated tools help you to:

• Establish and deploy either of the security prescribed baselines in your network environment.
• Identify and use Windows Server 2008 security features for common security scenarios.
• Identify the purpose of each individual setting in either security baseline and understand their significance.

You will need to download the GPOAccelerator for the Windows Server 2008 Security Guide and the how-to guidance for this tool to create, test, and deploy the security settings for either the EC environment or the SSLF environment. This tool automatically creates all the GPOs for the security settings this guide recommends. For instructions about how to use the tool to accomplish these tasks, see How to Use the GPOAccelerator.

This guide is designed primarily for enterprise customers. To obtain the most value from this material, you will need to read the entire guide. However, it is possible to read individual portions of the guide to achieve specific aims. The "Chapter Summary" section in this overview briefly introduces the information in the guide. For further information about security topics and settings related to Windows Server 2008, see the Windows Server 2008 Security Guide Settings workbook and the companion guide, Threats and Countermeasures.

Who Should Read This Guide

The Windows Server 2008 Security Guide is primarily for IT professionals, security specialists, network architects, computer engineers, and other IT consultants who plan application or infrastructure development and deployments of Windows Server 2008 for servers in an enterprise environment. The guide is not intended for home users. This guide is for individuals whose jobs may include one for more of the following roles:

• Security specialist. Users in this role focus on how to provide security across computing platforms within an organization. Security specialists require a reliable reference guide that addresses the security needs of every level of the organization and also offers proven methods to implement security countermeasures. Security specialists identify security features and settings, and then provide recommendations on how their customers can most effectively use them in high risk environments.
• IT operations, help desk, and deployment staff. Users in IT operations focus on integrating security and controlling change in the deployment process, whereas deployment staff focuses on administering security updates quickly. Staff in these roles also troubleshoot security issues related to applications that involve how to install, configure, and improve the usability and manageability of software. They monitor these types of issues to define measurable security improvements and a minimum of impact on critical business applications.
• Network architect and planner. Users in this role drive the network architecture efforts for computers in their organizations.
• Consultant. Users in this role are aware of security scenarios that span all the business levels of an organization. IT consultants from both Microsoft Services and partners take advantage of knowledge transfer tools for enterprise customers and partners.

Note   Users who want to apply the prescriptive guidance in this guide must, at a minimum, read and complete the steps to establish the EC environment in How to Use the GPOAccelerator.

Skills and Readiness

The following knowledge and skills are required for consultants, operations, help desk and deployment staff, and security specialists who develop, deploy, and secure server systems running Windows Server 2008 in an enterprise organization:

• MCSE on Microsoft Windows Server 2003 or a later certification and two or more years of security-related experience, or equivalent knowledge.
• In-depth knowledge of the organization’s domain and Active Directory environments.
• Experience with the Group Policy Management Console (GPMC).
• Experience in the administration of Group Policy using the GPMC, which provides a single solution for managing all Group Policy–related tasks.
• Experience using management tools including Microsoft Management Console (MMC), Gpupdate, and Gpresult.
• Experience using the Security Configuration Wizard (SCW).
• Experience deploying applications and server computers in enterprise environments.

Guide Purpose

The primary purposes of this guide are to enable you to do the following:

• Use the solution guidance to efficiently create and apply tested security baseline configurations using Group Policy.
• Understand the reasoning for the security setting recommendations in the baseline configurations that the guide prescribes, and their implications.
• Identify and consider common security scenarios, and then use specific security features in Windows Server 2008 to help you manage them in your environment.
• Understand role based security for different workloads in Windows Server 2008.

The guide is designed to enable you to use only the relevant parts of it to meet the security requirements of your organization. However, readers will gain the most benefit by reading the entire guide.

Guide Scope

This guide focuses on how to help create and maintain a secure environment for servers running Windows Server 2008. The guide explains the different stages of how to secure two different environments, and what each security setting addresses for the servers deployed in either one. The guide provides prescriptive information and security recommendations.

Client computers in the EC environment can run either Windows XP with SP2 or later or Windows Vista. However, the servers that manage these clients computers on the network must run Windows Server 2008 or Windows Server 2003 with SP2 or later. Client computers in the SSLF environment can only run Windows Vista and the servers that manage them can only run Windows Server 2008.

This guide includes chapters that provide security recommendations about how to harden the following server roles and the role services that they provide:

• Active Directory Domain Services (AD DS)
• Dynamic Host Configuration Protocol (DHCP) Server
• Domain Name System (DNS) Server
• Web Server (IIS)
• File Services
• Print Services
• Active Directory Certificate Services (AD CS)
• Network Policy and Access Services
• Terminal Services

Note   Configuration information about how to set up a server role, such as step-by-step configuration guidance on specific roles, is not in scope for this guide. This guide only includes the security settings available in the operating system that it recommends. However, more configuration information for Windows Server 2008 is available on the Windows Server 2008 Step-by-Step Guides Web page on the Microsoft Download Center.

Hardening recommendations for the following server roles are not included in this guide:

• Active Directory Federation Services
• Active Directory Lightweight Directory Services
• Active Directory Rights Management Services
• Application Server
• Fax Server
• Hyper-V
• Streaming Media Services
• UDDI Services
• Windows Deployment Services

For a thorough discussion of all the security settings in Windows Server 2008, refer to the companion guide, Threats and Countermeasures.

Guidance and Tool Requirements

This Solution Accelerator includes the following documents and workbooks:

• Windows Server 2008 Security Guide
• Appendix A: Security Group Policy Settings
• Windows Server 2008 Attack Surface Reference workbook
• Windows Server 2008 Security Guide Settings workbook

  Note   The Windows Server 2008 Security Guide Settings workbook provides CCE unique identifiers for each setting. You can use the CCE identifiers to facilitate fast and accurate correlation of configuration data across multiple information sources and tools.

After downloading the Windows Server 2008 Security Guide Solution Accelerator from the Microsoft Download Center, use the Microsoft Windows Installer (.msi) file to install these resources on your computer in a location of your choice. Then you can download the GPOAccelerator and the how-to guidance for this tool to create, test, and deploy the security settings for the Windows Server 2008 Security Guide.

Note   To access the GPOAccelerator tool and the How to Use the GPOAccelerator document, extract the GPOAccelerator.zip archive for these resources.

Chapter Summary

This release of the Windows Server 2008 Security Guide consists of 11 chapters, and an appendix that you can use to reference setting descriptions, considerations, and values. The Windows Server 2008 Security Guide Settings workbook file that accompanies the guide provides another resource that you can use to compare and evaluate the Group Policy settings. In addition, the Windows Server 2008 Attack Surface Reference workbook provides summary information about services, files, and firewall rules specific to each server role that the guide covers. The following figure shows the guide structure to help inform you how to optimally implement and deploy the prescriptive guidance.

Overview

The overview states the purpose and scope of the guide, defines the guide audience, and indicates the organization of the guide to assist you in locating the information relevant to you. It also describes the tools and templates that accompany the guide, and the user prerequisites for the guidance. Brief descriptions follow for each chapter and the appendix for the guide.

Chapter 1: Implementing a Security Baseline

This chapter identifies the benefits to an organization of creating and deploying a security baseline. The chapter includes high-level security design recommendations that you can follow in preparation to implement either the EC baseline settings or the SSLF baseline settings. The chapter explains important security considerations for both the EC environment and the SSLF environment, and the broad differences between these environments.

The Windows Server 2008 Security Guide Settings workbook that accompanies this guide provides another resource that you can use to compare and evaluate the Group Policy settings. The GPOAccelerator tool is available as a separate download from the Microsoft Download Center. For instructions on how to use the tool, see How to Use the GPOAccelerator.

Caution   The guidance in this chapter positions your organization to establish the SSLF environment, which is distinct from the EC environment. The SSLF guidance is for high security environments only. It is not a supplement to the guidance on the EC environment. Security settings prescribed for the SSLF environment limit key functionality across the environment. For this reason, the SSLF security baseline is not intended for most organizations. Be prepared to extensively test the SSLF security baseline before implementing it in a production environment.

Chapter 2: Reducing the Attack Surface by Server Role

This chapter provides an overview of built-in tools in Windows Server 2008 that can help you to quickly configure, maintain, and enforce all of the required functionality for the servers in your environment. The chapter discusses using Server Manager to help reduce the attack surface of your servers by only configuring the functionality that each specific server role requires.

The chapter then discusses how you can use the Security Configuration Wizard (SCW) to help maintain and enforce the configuration implemented by Server Manager. The chapter also provides information about Server Core, a new installation option in Windows Server 2008.

Chapter 3: Hardening Active Directory Domain Services

This chapter discusses how organizations can harden Active Directory Domain Services (AD DS) to manage users and resources, such as computers, printers, and applications on a network. AD DS in Windows Server 2008 includes a number of new features that are not available in previous versions of Windows Server, and some of these features focus on deploying AD DS more securely. Features that enhance security in AD DS include new auditing capabilities, fine-grained password policies, and the ability to use read-only domain controllers (RODCs).

Chapter 4: Hardening DHCP Services

This chapter provides prescriptive guidance for hardening the DHCP Server role. The chapter discusses DHCP Server and DHCP Client services in Windows Server 2008 that include security-related enhancements for Network Access Protection (NAP) and DHCPv6 functionality.

Chapter 5: Hardening DNS Services

This chapter provides prescriptive guidance for hardening the DNS Server role. Windows Server 2008 provides enhancements in the DNS Server service that focus on improving performance or provide new features, including background zone loading to help circumvent potential denial-of-service (DoS) attacks, and support for RODCs located in perimeter networks, branch offices, or other unsecured environments.

Chapter 6: Hardening Web Services

This chapter provides prescriptive guidance for hardening the Web Server role. The chapter discusses how the Web server role installs Microsoft® Internet Information Services (IIS) 7.0, which has been redesigned into forty modular components that you can choose to install as needed.

Chapter 7: Hardening File Services

This chapter provides prescriptive guidance for hardening the File Server role. File servers can provide a particular challenge to harden, because balancing security and functionality of the fundamental services that they provide is a fine art. Windows Server 2008 introduces a number of new features that can help you control and harden a file server in your environment.

Chapter 8: Hardening Print Services

This chapter provides prescriptive guidance for hardening the Print Server role. Significant security changes were introduced to printing services in the operating system for Windows Vista, and these changes have also been incorporated into Windows Server 2008 for your organization to take full advantage of them.

Chapter 9: Hardening Active Directory Certificate Services

This chapter provides prescriptive guidance for hardening Active Directory Certificate Services (AD CS) on a server running Windows Server 2008. AD CS provides customizable services for creating and managing public key certificates used in software security systems that employ public key technologies. The chapter discusses how your organizations can use AD CS to enhance security by binding the identity of a person, device, or service to a corresponding private key.

Chapter 10: Hardening Network Policy and Access Services

This chapter provides prescriptive guidance for hardening Network Policy and Access Services on servers running Windows Server 2008. Network Policy and Access Services (NPAS) in Windows Server 2008 provide technologies that allow you to deploy and operate a virtual private network (VPN), dial-up networking, 802.1x protected wired and wireless access, and Cisco Network Admission Control (NAC)-based devices.

The chapter discusses how you can use NPAS to define and enforce policies for network access authentication, authorization, as well as client health using Network Policy Server (NPS), the Routing and Remote Access Service, Health Registration Authority (HRA), and the Host Credential Authorization Protocol (HCAP).

Chapter 11: Hardening Terminal Services

This chapter provides prescriptive guidance for hardening Terminal Services on servers running Windows Server 2008. These servers provide essential services that allow users to access Windows-based programs or the full Microsoft Windows® desktop from various locations. Windows Server 2008 includes a number of specific role services for this technology that your organization can use, including TS Licensing to manage Terminal Server client access licenses (TS CALS) that are required for devices and users to connect to a terminal server.

The chapter also discusses how the Terminal Services Session Broker (TS Session Broker) role service supports reconnection to an existing session on a terminal server that is a member of a load-balanced terminal server farm, how the Terminal Services Gateway (TS Gateway) role service enables authorized users to connect to terminal servers and remote desktops on the corporate network over the Internet using RDP via HTTPS, and how the Terminal Services Web Access (TS Web Access) role service allows authorized users to gain access to terminal servers via a Web browser.

Appendix A: Security Group Policy Settings

The appendix includes descriptions and tables that detail the prescribed settings in the EC and SSLF security baselines for this guide. The appendix describes each setting and the reasoning for their configuration values. The appendix also indicates setting differences between Windows Server 2008 and Windows Server 2003.

Style Conventions

This guide uses the following style conventions.

Table 1.1. Style Conventions

Monospace font

More Information

The following resources provide additional information about security topics and in-depth discussion of the concepts and security prescriptions in this guide on Microsoft.com:

• GPOAccelerator tool and guidance from the Microsoft Download Center.
• Infrastructure Planning and Design.
• Microsoft Assessment and Planning.
• Microsoft Deployment.
• Microsoft Windows Security Resource Kit.
• Microsoft Windows Server 2003 Resource Kit: Special Promotional Edition.
• Security Guidance.
• Solution Accelerators.
• Threats and Countermeasures.
• Windows Server 2003 Security Guide.
• Windows Vista.
• Windows XP TechCenter.
• Windows XP Security Guide.

Support and Feedback

The Solution Accelerators – Security and Compliance (SA–SC) team would appreciate your thoughts about this and other solution accelerators.

Please send your comments using the following resources:

• E-mail to: secwish@microsoft.com.
• The Solution Accelerators – Security and Compliance blog on Microsoft TechNet.

We look forward to hearing from you.

Acknowledgments

The Solution Accelerators – Security and Compliance (SA–SC) team would like to acknowledge and thank the team that produced the Windows Server 2008 Security Guide. The following people were either directly responsible or made a substantial contribution to the writing, development, and testing of this solution.

Development Team

Content Developers

Byron Hynes – Microsoft

Benjamin Curry – Content Master

Doug Steen – Wadeware LLC

Richard Harrison – Content Master

Developers

José Maldonado – Microsoft

Bhakti Bhalerao – Infosys Technologies Ltd

Naresh Krishna Kumar Kulothungan – Infosys Technologies Ltd.

Editors

John Cobb – Wadeware LLC

Steve Wacker – Wadeware LLC

Product Managers

Alain Meeus – Microsoft

Jim Stuart – Microsoft

Program Managers

Vlad Pigin – Microsoft

Release Manager

Karina Larson – Microsoft

Test Manager

Gaurav Singh Bora – Microsoft

Testers

Beenu Venugopal – Infosys Technologies Ltd.

Sumit Parikh – Infosys Technologies Ltd.

Swaminathan Viswanathan – Infosys Technologies Ltd.

Contributors and Reviewers

Derick Campbell, Chase Carpenter, Nils Dussart, Michiko Short, Siddharth Bhai, Brad Mahugh, Thomas Deml, Nazim Lala, Pitchai "Elango" Elangom, Ashwin Palekar, Sudarshan Yadav, Daniel H. Brown, Georgi Matev, David Kruse, Adrian Lannin, Frank Olivier, Brandon Baker, Nathan Muggli, Pankaj Chhabra, Abhishek Pathak, Ramasubramanian K. Neelmani, Jim Groves, Jeff Westhead, Dan Kaminsky, Oded Ye Shekel, Greg Lindsay, Anthony Leibovitz, Sreenivas Addagatla, Lambert Green, Chandra Nukala, Richard Costleigh, David Kennedy, Marco Nuijen, Robert Hoover, Sanjay Pandit, Ido Dubrawsky, Doug Neal, Roger Grimes, Eugene Siu, Richard Lewis, Herbert Mauerer, Enrique Saggese, Manu Jeewani, Sanjay Pandit, Jan De Clercq (Hewlett-Packard), Jorge de Almeida Pinto (MVPS), Juergen Otter (Siemens AG), Renato Miguel de Barros (Modulo Security Solutions), John Addeo (Dimension Data America), Derek Seaman (PointBridge), Alex Vandurme (NCIRC/NATO), David Vanophalvens (NCIRC/NATO), Raf Cox, Jan Decrock, Aaron Margosis, Greg Marshall, Starr Andersen.

Note   The United States Department of Commerce National Institute of Standards and Technology (NIST) participated in the review of this Microsoft security guide and provided comments that were incorporated into the published version.

Note   At the request of Microsoft, the National Security Agency Information Assurance Directorate participated in the review of this Microsoft security guide and provided comments that were incorporated into the published version.