Windows Server 2008 Configuration

This section lists security-related settings that are configured by default in Windows Server 2008 on the servers for Windows EBS. These settings represent best practices for securing Windows Server 2008 on the servers for Windows EBS.

For a list of the server applications, roles, and services that are installed on the servers for Windows EBS, see the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=128032).

Windows Server 2008 security configuration

When you install Forefront TMG in Windows EBS, the Installation Wizard automatically hardens the Windows Server 2008 operating system that is running on the Security Server. The operating system is hardened by running the Scwcmd.exe tool (the command-line version of the Security Configuration Wizard) with the following command:

scwcmd.exe configure /p:isa_harden.xml

This command applies the security policy that is defined in the file Isa_harden.xml, which is supplied with Forefront TMG. When this security policy is applied, the startup type of numerous services is configured.

In addition, the security policy enables the following client features:

  • DNS client

  • Microsoft networking client

  • Time synchronization

Hardening the Windows Server 2008 operating system on the Security Server reduces the attack surface by disabling functionality that is not required while maintaining the minimum functionality that is required. For more information about the hardening of the operating system on the Security Server, see the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=128033).

Windows Firewall with Advanced Security

Windows Firewall with Advanced Security is enabled by default on the two domain controllers in Windows EBS: the Management Server and the Messaging Server.

On the Security Server, Windows Firewall with Advanced Security is turned off by default, because of the network firewall services that are provided by Forefront TMG.

IPv6

IPv6 is disabled over all interfaces on the servers for Windows EBS. On the Management Server and the Messaging Server, IPv6 is disabled by setting the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\DisabledComponents to 0xff. On the Security Server, IPv6 is disabled in Forefront TMG.
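The following PowerShell script is an added example, not part of the original page or of Windows EBS. It audits a server against the Windows Firewall and IPv6 defaults described above and reports any drift. The $Role parameter is hypothetical. The script assumes English netsh output and that the stated firewall default applies to every profile. The DisabledComponents bit meanings come from Microsoft's documentation of that value, not from this page.

```powershell
# Added example: audit the firewall and IPv6 defaults listed on this page.
# Assumed (hypothetical) parameter: Management | Messaging | Security
param([string]$Role = 'Management')

$findings = @()

# IPv6: the page gives DisabledComponents = 0xff on the Management and Messaging Servers.
# On the Security Server IPv6 is disabled in Forefront TMG, so the registry is not checked.
if ($Role -ne 'Security') {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters'
    $prop = Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue
    if ($prop -eq $null) {
        $findings += 'IPv6: DisabledComponents is not set (expected 0xff)'
    } elseif ($prop.DisabledComponents -ne 0xff) {
        $findings += ('IPv6: DisabledComponents is 0x{0:x} (expected 0xff)' -f $prop.DisabledComponents)
        # Bit meanings per Microsoft's documentation of this value (not from this page).
        $bits = @{ 0x01 = 'tunnel interfaces'; 0x02 = '6to4'; 0x04 = 'ISATAP';
                   0x08 = 'Teredo'; 0x10 = 'non-tunnel interfaces'; 0x20 = 'IPv4 preference' }
        foreach ($mask in ($bits.Keys | Sort-Object)) {
            if (($prop.DisabledComponents -band $mask) -eq 0) {
                $findings += ('IPv6: bit 0x{0:x2} ({1}) is clear' -f $mask, $bits[$mask])
            }
        }
    }
}

# Windows Firewall: on for the Management and Messaging Servers, off on the Security Server.
$expected = 'ON'
if ($Role -eq 'Security') { $expected = 'OFF' }

$fwProfile = '(unknown)'
foreach ($line in (netsh advfirewall show allprofiles state)) {
    if ($line -match '^(\w+) Profile Settings') {
        $fwProfile = $Matches[1]            # Domain, Private or Public
    } elseif ($line -match '^State\s+(ON|OFF)') {
        if ($Matches[1] -ne $expected) {
            $findings += "Firewall: $fwProfile profile is $($Matches[1]) (expected $expected)"
        }
    }
}

if ($findings.Count -eq 0) {
    "OK: $Role server matches the defaults listed on this page"
} else {
    $findings
    exit 1
}
```

A non-zero exit code lets the script run as a scheduled compliance check on each server.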

Internet Explorer Enhanced Security Configuration

In Windows Server 2008, on the servers for Windows EBS, Internet Explorer® Enhanced Security Configuration (IE ESC) is enabled by default for the Administrators and Users groups. IE ESC raises the default security levels on Internet Explorer security zones. In addition, IE ESC adjusts some Internet options to reduce exposure to possible security threats.