
    Common Security Configuration Assumptions


    Microsoft recommends using a new installation of the operating system to start your configuration work so that Server Manager optimally configures just the roles and features that you select. However, if you cannot perform a new installation, be sure to check the following common security configurations before you start a role-specific setup. This approach helps to minimize the possibility of settings from previous configurations interfering with the server's security settings for its new role.

    The following table lists the common server security configuration best practices that Microsoft recommends following before configuring a server for a specific role. You can use this table as a checklist to help ensure that your server is appropriately configured and hardened against malicious attacks.



    Table 2.10 Server Configuration Best Practice Assumptions


    Component

    Characteristics

    Physical security

    Store your servers in secure areas with restricted access to help limit unauthorized access and minimize the possibility of theft.

    System Updates

    After installing the operating system, use Windows Update to ensure that you have installed the latest security and system updates on the servers.

    Roles

    Use Server Manager to remove all unnecessary role services or features from the servers. This best practice helps minimize the attack surface of each server.

    Applications, services and devices

    Server Manager configures the necessary services and devices installed on each server for the roles they perform. However, any applications installed on the servers that are no longer required can affect security. Microsoft recommends removing all unnecessary applications and services from each server.

    Protocols

    Remove or disable any unused protocols. By default, Windows Server 2008 installs the standard TCP/IP version 4 and 6 protocols for use with the installed network cards.

    Accounts

    Remove any unused user accounts.

    Ensure the Guest account is not enabled (it is disabled by default).

    Rename the default administrator account and establish a strong password for it. For additional protection, disable the default administrator account.

    Ensure strong password policies are enforced.

    Restrict remote logons for standard user accounts.

    Disable Null sessions (anonymous logons).

    Disable or remove shared administrative accounts.

    Restrict the local administrators group (ideally to two members).

    Require administrators to log on interactively (or implement a secure remote administration solution).


    Files and directories

    Use Windows Explorer to check the hard drives on the server for files or folders that are no longer required. If possible, reformat disks that contained sensitive legacy data.

    Ensure that the Everyone group has no rights to folders or shares containing sensitive data.



    Check Shares

    Remove unused shares from the server.

    Remove permissions from the Everyone group from any server shares.



    Review Firewall Rules

    Review the status of Windows Firewall rules to ensure that only the required network ports are available to the network. The Windows Server 2008 Attack Surface Reference workbook that accompanies this guide documents the default Windows Firewall rules that Server Manager creates while configuring a server role.

    Review the dynamic port range configuration. For more information about dynamic ports that Windows Server 2008 requires, see Microsoft Knowledge Base article 929851: "The default dynamic port range for TCP/IP."


    The remaining chapters in this guide assume that you have applied these best practices before you attempt to configure specific server roles.
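
    One way to check the Accounts and Check Shares rows of Table 2.10 on an existing server, shown as an added example that is not part of the Microsoft guide: a read-only PowerShell audit built on WMI and ADSI. It assumes PowerShell 2.0 or later; the registry values used for the null-session check, the `Add-Finding` helper and the pass criteria are this example's own choices.

```powershell
# Added example: read-only audit of the Accounts and Check Shares checklist rows.
# Add-Finding is a hypothetical helper defined here, not a built-in cmdlet.
$findings = @()
function Add-Finding($Item, $Pass, $Detail) {
    $script:findings += New-Object PSObject -Property @{ Item = $Item; Pass = $Pass; Detail = $Detail }
}

$users = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True"

# Guest is the well-known RID 501, whatever name it currently carries.
$guest = $users | Where-Object { $_.SID -like 'S-1-5-21-*-501' }
Add-Finding 'Guest account disabled' ([bool]$guest.Disabled) $guest.Name

# The default administrator is RID 500: renamed, and optionally disabled.
$admin = $users | Where-Object { $_.SID -like 'S-1-5-21-*-500' }
Add-Finding 'Default administrator renamed' ($admin.Name -ne 'Administrator') $admin.Name
Add-Finding 'Default administrator disabled (optional)' ([bool]$admin.Disabled) $admin.Name

# Resolve the local Administrators group by SID so localized names still work.
$grpName = (Get-WmiObject Win32_Group -Filter "LocalAccount=True AND SID='S-1-5-32-544'").Name
$grp = [ADSI]"WinNT://$env:COMPUTERNAME/$grpName,group"
$members = @($grp.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
Add-Finding 'Local Administrators has at most two members' ($members.Count -le 2) ($members -join ', ')

# Null sessions: registry values that restrict anonymous access (assumed mapping).
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Add-Finding 'Anonymous SAM enumeration restricted' ($lsa.RestrictAnonymousSAM -eq 1) `
    "RestrictAnonymousSAM=$($lsa.RestrictAnonymousSAM)"
Add-Finding 'Anonymous share enumeration restricted' ($lsa.RestrictAnonymous -ge 1) `
    "RestrictAnonymous=$($lsa.RestrictAnonymous)"
Add-Finding 'Null session access to pipes and shares restricted' ($srv.RestrictNullSessAccess -ne 0) `
    "RestrictNullSessAccess=$($srv.RestrictNullSessAccess)"

# Shares: fail on a NULL DACL or on any allow ACE (AceType 0) for Everyone (S-1-1-0).
foreach ($s in @(Get-WmiObject Win32_LogicalShareSecuritySetting)) {
    $dacl = $s.GetSecurityDescriptor().Descriptor.DACL
    $open = @($dacl | Where-Object { $_.Trustee.SIDString -eq 'S-1-1-0' -and $_.AceType -eq 0 })
    $ok   = ($null -ne $dacl) -and ($open.Count -eq 0)
    Add-Finding "Share '$($s.Name)' grants nothing to Everyone" $ok "Everyone allow ACEs: $($open.Count)"
}

# Failed items sort first.
$findings | Sort-Object Pass | Format-Table Item, Pass, Detail -AutoSize
```

    Run it from an elevated prompt, because reading share security descriptors requires administrative rights. It changes nothing on the server, and the remaining checklist rows still need manual review.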


    More Information


    The following resources provide additional information about Server Manager and the Security Configuration Wizard included with Windows Server 2008 on Microsoft.com:

    • Antivirus Defense-in-Depth Guide.

    • Security Configuration Wizard Concepts.

    • Security Configuration Wizard for Windows Server 2008.

    • Server Manager.

    • Server Core Installation Option of Windows Server 2008 Step-By-Step Guide.

    • The default dynamic port range for TCP/IP.

    • The New Windows Firewall in Windows Vista and Windows Server 2008.

    • Windows Server 2008: Server Management.

    • Windows Server 2008 Server Manager Technical Overview.

    • Virus scanning recommendations for computers that are running Windows Server 2003, Windows 2000, Windows XP, or Windows Vista.

    Chapter 3: Hardening Active Directory Domain Services

    Organizations use Active Directory® Domain Services (AD DS) to manage domain users and resources, such as computers, printers, and applications on a network. AD DS in Windows Server® 2008 includes a number of new features that are not available in previous versions of Windows Server, and some of these features focus on deploying AD DS more securely.



    The role services available for the Active Directory Domain Services role, as displayed in the following figure, include:

    • AD DS Domain Controller. This role service installs by default with the AD DS role. It enables a server to store directory data and manages communication between users and domains, including user logon processes, authentication, and directory searches.

    • Identity Management for UNIX. This role service integrates computers running Windows® in an existing UNIX environment. You can install the following optional sub-elements of this role service:

        • Server for Network Information Services (NIS). This sub-element integrates Windows and NIS networks by exporting NIS domain maps to Directory Service entries. This allows an Active Directory domain controller to act as a master NIS server.

        • Password Synchronization. This sub-element ensures that when a password changes in one environment (UNIX or Windows) it also changes in the other environment.



    Figure 3.1 Role services hierarchy for the AD DS role

