  • Windows Server® 2008 Security Guide Security Compliance Management Toolkit Version 1




    Date: 03.10.2020

    Server Core


    Server Core is a new installation option in Windows Server 2008. Server Core helps reduce the attack surface of the supported server roles by installing only a subset of the binary files that a server requires to operate. This approach also reduces the size of the server installation, which helps reduce the number of files that might require updates in the future. For example, the Explorer shell and Microsoft Internet Explorer® cannot be installed as part of a Server Core installation.

    A Server Core installation supports the following server roles:



    • Active Directory Domain Services

    • Active Directory Lightweight Directory Services

    • DNS Server

    • DHCP Server

    • File Services

    • Print Services

    • Streaming Media Services

    • Web Server (IIS)

    • Hyper-V™

    The following optional features are also supported:

    • Microsoft Failover Cluster

    • Network Load Balancing

    • Subsystem for UNIX-based Applications

    • Windows Backup

    • Multipath I/O

    • Removable Storage Management

    • BitLocker Drive Encryption

    • Simple Network Management Protocol (SNMP)

    • Windows Internet Naming Service (WINS)

    • Telnet client

    • Quality of Service (QoS)

    Server Core requires only about 1 GB of space on the server's hard disk drive to install, and an additional 2 GB for normal operations. After installing and configuring the server, you can manage it either locally from a command prompt, remotely by using Remote Desktop, or by using the MMC or command-line tools that support remote use. When applicable, the server role chapters in this guide point out when a Server Core installation can help you better secure your environment.

    User Account Control (UAC) is described later in this guide as a way to reduce the risk of compromise. However, note that you should never attempt to enforce the UAC Group Policy settings on servers running a Server Core installation. This is because the UAC escalation prompts cannot display in the Server Core user interface, so if you force the use of UAC you will be unable to perform any administrative tasks. When deploying role-based Group Policy, you should either place servers running Server Core in separate OUs that do not have UAC settings enforced by Group Policy or configure WMI filters to ensure that such Group Policy is not applied to servers running Server Core.
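One way to build and dry-run the WMI filter described above, as an added example that is not part of the original guide. It assumes the Server Core editions are identified by the `OperatingSystemSKU` values listed in the comments (confirm them against the editions you deploy), and the server names are hypothetical.

```powershell
# OperatingSystemSKU values reported by Server Core installations of
# Windows Server 2008: Datacenter (12), Standard (13), Enterprise (14),
# Web (29), and the "without Hyper-V" editions (39, 40, 41).
$coreSkus = 12, 13, 14, 29, 39, 40, 41

# A GPO is applied only when its WMI filter query returns at least one row,
# so the query must match full installations and return nothing on Server Core.
$where = ($coreSkus | ForEach-Object { "OperatingSystemSKU <> $_" }) -join ' AND '
$wql   = "SELECT * FROM Win32_OperatingSystem WHERE $where"

Write-Output 'WMI filter query (namespace root\CIMv2) for the GPO that carries UAC settings:'
Write-Output $wql

# Dry run against a hypothetical server list before attaching the filter in GPMC.
$servers = 'FS-FULL-01', 'DNS-CORE-01'
foreach ($server in $servers) {
    try {
        $os  = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $server -ErrorAction Stop
        $row = Get-WmiObject -Query $wql -Namespace 'root\cimv2' -ComputerName $server -ErrorAction Stop
        if ($row) {
            Write-Output "$server (SKU $($os.OperatingSystemSKU)): filter matches, UAC GPO would apply"
        } else {
            Write-Output "$server (SKU $($os.OperatingSystemSKU)): filter does not match, UAC GPO is skipped"
        }
    } catch {
        Write-Warning "$server could not be queried: $($_.Exception.Message)"
    }
}
```

Run the dry run from a management workstation; a Server Core computer that reports "filter matches" has a SKU value missing from the list.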

    For detailed information and guidance about how to install Server Core, see the Server Core Installation Option of Windows Server 2008 Step-By-Step Guide on TechNet.

    Security Configuration Wizard


    The Security Configuration Wizard (SCW) functionality in Windows Server 2008 is similar to the functionality in the Windows Server 2003 Service Pack 2 (SP2) version of the wizard. You can still use the SCW to reduce the attack surface of a server by disabling unneeded services and blocking unused or unnecessary ports. However, using the wizard is now an optional process.

    Windows Server 2003 was designed for administrators to use the SCW after installing a default version of the operating system on a server to reduce its attack surface. However, now when you install Windows Server 2008 on a computer, Server Manager automatically determines what is needed on the server and implements the minimum functionality required for the server to fulfill its specific role.

    The SCW uses a step-by-step approach that guides you through different aspects of the configuration process that you can analyze and then optimally configure. The SCW is not an MMC snap-in, but a self-contained program that you can access by running SCW.exe.

    You can use the SCW to rapidly create security policies for multiple servers or groups of servers from a single computer. This capability allows you to manage policies throughout the organization from a single location. These policies provide consistent, supported hardening measures that are appropriate for the functions that each server provides within the organization.

    The SCW is integrated with the new Windows Firewall in Windows Server 2008. Unless you prevent it from doing so, the SCW will configure Windows Firewall to permit inbound network traffic to important ports that the operating system requires as well as listening applications. If additional port filters are required, you can use the SCW to create them. As a result, policies that the SCW creates address the need for custom scripts to set or modify IPsec filters to block unwanted traffic. This capability simplifies the management of network hardening. You also can use the SCW to simplify the configuration of network filters for services that use remote procedure call (RPC) or dynamic ports.

    For more information about the new Windows Firewall, see the article "The New Windows Firewall in Windows Vista and Windows Server 2008" on TechNet.

    It is no longer necessary to run the SCW to reduce the attack surface of individual servers. However, you can still take advantage of the SCW to create and deploy security policies that you can use to help maintain a configuration implemented by Server Manager across one or more servers using Group Policy.

    When you use the SCW to create a new policy, it uses the current configuration of a server as an initial configuration. Therefore, it is best to create the policy on a server that is the same server type as the one for which you are creating the policy. This approach will streamline the task somewhat because the starting configuration should approximately match the desired configuration. When you use the SCW to create a new policy, it creates an XML file and saves it in the %systemdir%\security\msscw\Policies folder by default. After you create your policies, you can use either the SCW or the SCWcmd.exe command-line tool to apply the policies directly to your test servers.



    The next section in this chapter focuses on how to use the SCW and SCWcmd.exe to create GPOs to help enforce your server security configuration. For more detailed information about the SCW, including the wizard's capabilities and links to other SCW resources, see the "Security Configuration Wizard Concepts" page on TechNet.

    Using SCW and Group Policy to Improve Security


    You can use the SCW to create and apply security policies directly to servers. However, this approach would be a time-consuming process for a large number of servers. Microsoft recommends deploying SCW policies using the SCWcmd.exe tool to convert the SCW XML–based policy into a GPO, which you can then apply to a large number of servers at one time. Although at first this conversion might seem an unnecessary step, this approach provides the following advantages:

    • Familiar Active Directory–based mechanisms replicate, deploy, and apply the policies.

    • GPOs that are made available to you through this conversion allow you to incrementally use policies with organizational units (OUs) and policy inheritance to fine-tune the hardening of similarly configured servers that are not exactly the same. For example, with Group Policy you can place servers in a child OU and then apply an incremental policy. If you use the SCW for this task, you must create a new policy for each unique configuration in your environment.

    • The policies are automatically applied to all servers that are placed in corresponding OUs. If you use the SCW, you must either manually apply the policies or use a customized scripting solution.

    Using the SCW to Create Role Policies


    Use a new installation of the operating system to start your configuration work. This approach helps ensure that there are no legacy settings or software from previous configurations that could interfere with your work. If possible, use hardware that is similar to the hardware for your deployment to help ensure as much compatibility as possible. In the following procedure, the new installation is called a reference computer.

    To create a role policy

    1. Create a new installation of Windows Server 2008 on a new reference computer.

    2. Use the ICT tool to join the computer to the domain.

    3. Install mandatory applications on your reference computer. Such applications could include software and management agents, tape backup agents, and antivirus or antispyware utilities.

    4. Use Server Manager to install the appropriate server roles. For example, if your target servers will run DHCP and DNS, install those roles.

    Note You do not have to configure each workload exactly the same way on the servers that you deploy, but you must install the roles so that the SCW can determine the proper configuration of each server.

    5. Click Start, click All Programs, click Administrative Tools, and then click Security Configuration Wizard.

    6. On the Configuration Action page, select Create new policy, and then click Next.

    7. On the Select Server page, type the name or IP address of the reference computer, and then click Next.

    Note This action enters the local computer name by default.

    8. On the Processing Security Configuration Database page, click Next, and then on the Role-Based Service Configuration page, click Next.

    9. On the Select Server Roles page, ensure that the wizard has detected and selected all of the installed server roles on your reference computer. Then click Next.

    Caution If the wizard does not select all of the roles that you want to install on the server, the resulting policy will disable services that some roles require, and the server will not operate properly.

    10. On the Select Client Features page, ensure that the wizard has detected and selected all of the installed features on your reference computer. Then click Next.

    Caution If the wizard does not select all of the features that you want to install on the server, the resulting policy will disable services that some roles require, and the server will not operate properly.

    11. On the Select Administration and Other Options page, ensure that the wizard has detected and selected all of the installed options on your reference computer. Then click Next.

    12. On the Select Additional Services page, ensure that the wizard has detected and selected all of the required services on your reference computer. Then click Next.

    Note If you have configured your reference computer with all required roles and installed any additional required software, such as backup agents or antivirus software, you should not need to modify any of the previous Role-based Service Configuration pages.

    13. On the Handling Unspecified Services page, click Next.

    14. On the Confirm Service Changes page, review the service mode changes that the SCW will include in the resulting security policy, and then click Next.

    Caution Pay close attention to any services whose startup mode changes from Automatic to Disabled to ensure that you do not disable any required functionality.

    15. On the Network Security page, click Next.

    16. On the Network Security Rules page, ensure that the SCW has detected the appropriate ports and applications it will use to configure Windows Firewall. Then click Next.

    17. On the Registry Settings page, select the Skip this section checkbox, and click Next.

    18. On the Audit Policy page, select the Skip this section checkbox, and click Next.

    19. On the Save Security Policy page, click Next.

    20. On the Security Policy File Name page, specify the appropriate path, name the policy to save it, and then click Next.

    Note By default, the XML–based policy files are saved to the Security\msscw\policies folder under the server's installation folder (typically this is located at C:\Windows). However, the SCW allows you to specify another location.

    21. On the Apply Security Policy page, click the Apply Later option, and then click Next.

    Note You can select the Apply Now option to apply the security policy directly to a server. This allows you to apply a security policy to stand-alone servers.

    22. Finally, on the Completing the Security Configuration Wizard page, click Finish.

    The following procedure guides you through using SCWcmd.exe to convert the XML–based SCW policy file that you just created into a GPO.

    To convert a role policy into a GPO

    1. At a command prompt, type the following, and then press ENTER:

    scwcmd transform /p:<PathToPolicy.xml> /g:<GPODisplayName>

    The following example creates a GPO named File Server Policy in Active Directory. You must specify a unique name for the new GPO, or the command will return an error:

    scwcmd transform /p:"C:\Windows\Security\msscw\Policies\FileServer.xml" /g:"File Server Policy"


    Note This example displays on multiple lines because of display limitations and to make it easier to read. However, you must type the information at the command prompt on one line when you run the command.

    2. Use the Group Policy Management Console (GPMC) to link the newly created GPO to the appropriate OUs.

    The SCM tool mentioned in Chapter 1, "Implementing a Security Baseline," creates example GPOs that were originally created using this tool. These example GPOs have been modified to not disable any system services and to not implement any firewall rules. While this allows you to combine these GPOs for servers configured to perform multiple roles, the GPOs only serve to ensure that required system services remain enabled.

    While this provides a mechanism to help ensure system availability, an ideal GPO also disables any services that are not required. You can use the GPOs created by the SCM tool on your production servers, but considerable benefit is gained by creating GPOs specifically tailored to your servers using the previous procedures.

    Important You must run the .msi file for the SCM tool that accompanies the download for this toolkit to create, test, and deploy the security settings for this guide. This tool automatically creates all the GPOs for the security settings this guide recommends. The tool also includes Security Template .inf files that you can use to apply security settings to stand-alone servers.
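The conversion procedure above, scripted for several role policies at once, as an added example that is not part of the original guide. It assumes a domain-joined computer with the SCW installed and an account allowed to create GPOs, that the GroupPolicy PowerShell module (`Get-GPO`) is available for the name pre-check, and that scwcmd returns a non-zero exit code on failure; the "<file name> Policy" naming scheme is hypothetical.

```powershell
# Default folder in which the SCW saves its XML-based policies.
$policyDir = Join-Path $env:windir 'Security\msscw\Policies'

# The GroupPolicy module is used only to pre-check GPO names (assumption: installed).
$haveGpModule = [bool](Get-Module -ListAvailable -Name GroupPolicy)
if ($haveGpModule) { Import-Module GroupPolicy }

foreach ($file in Get-ChildItem -Path $policyDir -Filter *.xml) {
    # Skip files that are not well-formed XML before handing them to scwcmd.
    try {
        [void][xml](Get-Content -LiteralPath $file.FullName)
    } catch {
        Write-Warning "$($file.Name): not well-formed XML, skipped"
        continue
    }

    # Hypothetical naming scheme: FileServer.xml becomes "FileServer Policy".
    $gpoName = "$($file.BaseName) Policy"

    # scwcmd transform returns an error when the GPO name is not unique,
    # so report the clash up front instead of relying on that error.
    if ($haveGpModule -and (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
        Write-Warning "GPO '$gpoName' already exists, skipped $($file.Name)"
        continue
    }

    # Same command as in the procedure: /p: is the policy file, /g: the GPO name.
    & scwcmd.exe transform "/p:$($file.FullName)" "/g:$gpoName"
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "scwcmd transform failed for $($file.Name) (exit code $LASTEXITCODE)"
        continue
    }

    Write-Output "Created GPO '$gpoName' from $($file.Name); link it to the role's OU in GPMC."
}
```

The script only creates the GPOs; linking them to OUs stays a deliberate manual step in GPMC, after the policy has been tested on a reference or test server.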

