programming4us
programming4us
SECURITY

Understand Security Improvements in Windows Server 2008

- How To Install Windows Server 2012 On VirtualBox
- How To Bypass Torrent Connection Blocking By Your ISP
- How To Install Actual Facebook App On Kindle Fire
10/9/2010 3:52:27 PM
Windows Server 2008 has made a number of changes to security features. Some changes can be readily seen, such as Windows Firewall and Network Access Protection (NAP). But these configurable components are only part of the big picture. Some security components in Windows Server 2008 are installed by default and need no configuration or management. Others call for very little setup and configuration.

We begin this section by looking at the “less configurable” security pieces, and then we move on to the components that could be considered highly configurable. Regardless of how configurable they are, all these components are parts of a whole, and it’s important to understand them in order to build a secure environment.

Built-in Security Features

To begin, let’s look at the security features that are added when Windows Server 2008 is installed. These features require little to no configuration, and some of them can be managed:

  • Authorization Manager: This is a role-based management tool for controlling access to resources by assigning users to roles in Windows Server 2008. You can also track what permissions are granted to each role in your network.

  • Security Auditing: This tool allows you to track security events on your server. Auditing allows you to monitor the creation, access, and modification of objects. It tracks user activities and provides warnings about potential security problems.

  • Security Configuration Wizard: This tool determines the minimum required functionality of the server to perform tasks, based on its installed roles. All other ports, services, and functionality are disabled. To run the Security Configuration Wizard, perform the following steps:

     
    1.
    In Server Manager, highlight Server Manager in the console tree. In the Details pane you can see that the Server Summary Security Information is directly below the Computer Information.

    2.
    Click Run Security Configuration Wizard.

    3.
    On the first screen of the Security Configuration Wizard, click Next.

    4.
    On the Configuration Action screen, choose to create a new security policy. The following other choices are available on this screen:

    • Edit an existing security policy

    • Apply an existing security policy

    • Rollback the last applied security policy

    Click Next.

    5.
    In the next screen, select a server to use as a baseline for this security policy. You need to have Administrator permissions to this server. Choose the DNS name or IP Address and Click Next.

    6.
    On the Security Configuration screen, review the database configuration (you will receive a pop up warning asking to allow Active X controls, click Yes) and then click Next.

    7.
    On the Role-Based Service Configuration screen, click Next.

    8.
    Select the server roles that this server performs and click Next.

    9.
    Select the client features this server performs and click Next.

    10.
    Select the options used in administration of this server and click Next.

    11.
    Select any additional services that this server is running and click Next.

    12.
    Choose how to handle unspecified services. You can choose not to change the startup mode of the service or to disable the service. Click Next.

    13.
    Confirm the selections in this screen and click Next.

    14.
    Get ready to configure Network Security. (This section of the wizard configures the Windows Firewall settings for this server.) Click Next.

    15.
    Select or unselect the network security rules or add additional rules and click Next.

    16.
    Get ready to configure the registry settings. (This section of the wizard configures the protocols used for communication with other computers.) Click Next.

    17.
    Choose whether Server Message Block (SMB) security signatures are required. Select the attributes and click Next.

    18.
    Choose settings for whether you Require LDAP Signing; click the radio box to choose the minimum default security level for LDAP; then click Next.

    19.
    Choose the outbound authentication methods and click Next.

    20.
    Choose Outbound Authentication using Domain Accounts and click Next.

    21.
    View the Registry Settings Summary section and click Next.

    22.
    Set the audit policy for this server; these are the settings that will be used for success/failure audits for the server. Click Next.

    23.
    Choose one of the following choices from the Auditing Objectives list:

    • Do Not Audit

    • Audit Successful Activities

    • Audit Successful and Unsuccessful Activities

    Click Next.

    24.
    Confirm your selections and click Next.

    25.
    On the Save Security Policy screen, click Next.

    26.
    Name the security policy file (the .xml extension will automatically be added later), change the location, add a description, view the security policy, or include security templates to this policy, and click Next.

    27.
    Choose to apply this policy later or to apply it now. Click Next.

    28.
    On the final screen of the wizard, note the location of this security policy file and the name and then click Finish.

  • Software Restriction Policies: This tool is used to identify and control the ability of software to run on a local computer, organizational unit (OU), domain, or site. Managing these polices at the OU, domain, or site level requires the use of the Group Policy Management console. To manage software restriction policies on the local computer, do the following:

     
    1.
    Select Start, Administrative Tools, Local Security Policy.

    2.
    In the console tree, click Software Restriction Policies.

    3.
    Either right-click and select New Software Restrictions Policy or select Action, New Software Restrictions Policy.

    4.
    In the object view, choose security levels, enforcement, designated file types, trusted publishers, and additional rules.

    Note

    Under additional rules, you have the option of creating a new rule for certificates, hashes, network zones, and paths. The rules are used to override the default security level in place on the local machine.


    Note

    These software restriction policies will apply only to the local computer. If restriction policies need to be implemented on a large scale, you should instead use the Group Policy Management console.


  • Security Configuration and Analysis: This tool analyzes and configures the local security policy for the server. It provides recommendations alongside the current security settings and flags areas where the current security settings do not match recommendations. It also enables you to resolve those security issues by directly configuring the local security policy and importing security templates.

  • Encrypting File System (EFS): This tool provides a transparent file-encrypting technology for storing encrypted files on an NTFS volume. EFS is managed through Group Policy or the Encrypting File System Wizard. To encrypt a file or folder using the Encrypting File System Wizard, perform the following steps:

     
    1.
    Open the Control Panel and double-click User Accounts.

    2.
    Under Tasks, click Manage Your File Encryption Certificates.

    3.
    On the first page of the Encrypting File System Wizard, click Next.

    4.
    Select a certificate to use or create a new certificate and click Next.

    5.
    Choose to back up the certificate and key now or later and then click Next.

    6.
    Select the folder or volume(s) with encrypted files. You can choose to update encrypted files later by checking the box below the folder and volume selections. Click Next.

    7.
    Review the certificate details and click Close.

  • Internet Explorer Enhanced Security Configuration (IE ESC): This security component reduces your server’s exposure to web-based attacks. The only configuration is to turn IE ESC on or off for the Administrators and Users group. (By default, IE ESC is turned on for both groups.)

User Account Control (UAC)

You are familiar with User Account Control (UAC) from Windows Vista. Windows Server 2008 has added UAC into its security repertoire. Like some of the other security components in Windows Server 2008, UAC is installed when you install Windows Server 2008. It is usually managed using Group Policies, although you can set up UAC under the local security policy. So what does the inclusion of UAC mean for Windows Server 2008, and how does it improve overall security?

UAC provides the ability to enter credentials during a user session to perform administrative tasks without switching users or using the Run As command.

To view and set UAC settings in the Local Security Policy tool, perform the following steps:

1.
Select Start, Administrative Tools, Local Security Policy.

2.
In the console tree, expand Local Policies and click Security Options. Scroll down to the bottom of the screen to see the available UAC options (see Figure 1).

Figure 1. Available UAC settings in the Local Security Policy tool.


3.
Double-click each UAC setting you want to configure, select the UAC option, and click OK.

Additional Security Components

Windows Server 2008 comes with additional security components that need to be set up after Windows Server 2008 is installed:

  • Smart cards: Windows Server 2008 has built-in capabilities to work with smart cards. Smart card readers should be installed and configured according to manufacturers’ specifications.

  • Trusted Platform Module (TPM) management: TPM is a hardware-based security architecture for providing access to systems. An installed TPM chip (v.1.2) and TCG-compliant BIOS are needed. Windows Server 2008 has an MMC snap-in for managing TPM devices on the local server. No further configuration is needed to take advantage of TPM.

  • BitLocker drive encryption: BitLocker provides full drive encryption and an integrity check of boot components. You install BitLocker by using the Add Features Wizard, as follows:

     
    1.
    In Server Manager choose Add Feature, BitLocker Drive Encryption and click Next.

    2.
    On the next page, which asks you to confirm that you want to install the feature, click Install.

    3.
    On the results page, which inform you that you must restart your server to finish the installation of BitLocker, click Close. When you are prompted to restart the server and finish the installation, click Yes.

    4.
    When the BitLocker installation is complete, click Close.

An important and often-overlooked part of the security picture is Windows Update. In fact, when you look at the security information in Server Manager, you see that Configure Updates is directly below Windows Firewall. It is important to ensure that Windows Server 2008 is kept up to date by using either Windows Update or another update management package, such as WSUS or System Center Configuration Manager. All the security you put in place is useless if you forget to patch a hole that has been discovered.

Other  
 
Top 10
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
REVIEW
- First look: Apple Watch

- 3 Tips for Maintaining Your Cell Phone Battery (part 1)

- 3 Tips for Maintaining Your Cell Phone Battery (part 2)
programming4us programming4us
programming4us
 
 
programming4us