Relevant Group Policy Settings
Although there are Group Policy settings for the DNS Client service, there are no Group Policy settings available for the DNS Server service.
More Information
The following resources on Microsoft.com can provide you with further security best practice information about how to harden server computers that perform the DNS role:
Configuring DNS Servers for ISA Server 2004.
Dnscmd Overview.
New features for DNS.
Server Core Installation Option of Windows Server 2008 Step-By-Step Guide.
Using DNS Security Extensions (DNSSEC).
Using forwarders.
Chapter 6: Hardening Web Services
This chapter focuses on how to harden Web servers running Windows Server® 2008. The Web Server role by default installs Microsoft® Internet Information Services (IIS) 7.0 on a computer running Windows Server 2008.
Microsoft redesigned IIS 7.0 into 40 modular components that you can choose to install as needed. The fewer components that you install, the smaller the attack surface that is available to a potential attacker.
By default, IIS 7.0 Setup installs a Web server with minimum functionality that supports static Web pages, request filtering, static file compression, and the IIS Manager GUI interface. There are many IIS 7.0 scenarios that organizations can use to provide Web services. However, the following two considerations are key to planning your Web server design:
The sensitivity of the data that the server will present: Knowing this provides you with an idea of the risk involved if the data is compromised, and how much effort your organization should spend to protect it.
The required user experience: Knowing this governs the feature requirements of the Web site itself, and the components that you need to install to secure it.
This chapter focuses on a typical scenario of a Web server hosted on a corporate intranet that displays mission critical content and data. Access to the server, or applications on the server, is restricted to users on a job need basis. This type of Web server requires authentication and authorization mechanisms that are tied to Active Directory® users and groups. You can use these groups to generate certificates to identify users after you have granted them permission to access information on the server.
For this scenario, this chapter discusses how you can apply best practice processes to harden your Web server against malicious attacks from either anonymous or authorized users. If you choose to use the default modules that install with IIS 7.0, these configure the Web server to only provide static HTML pages and images. The Windows Server 2008 Attack Surface Reference workbook that accompanies this Solution Accelerator lists the files and services that install with each feature.
As in previous versions of IIS, when you perform a default installation of IIS 7.0 on a computer running Windows Server 2008, the Setup program installs and starts the Worldwide Web Publishing (W3SVC) service on the server computer.
In addition, the IIS 7.0 Setup program installs and starts the Windows Process Activation Service (WAS). WAS generalizes the IIS process model, making IIS 7.0 HTTP independent. Because of this, your IIS server can now host Windows Communication Foundation (WCF) services using non-HTTP protocols. It also includes configuration application programming interfaces (APIs) that allow you to configure WAS settings programmatically. The W3SVC service depends on the WAS service.
Finally, the default installation of IIS 7.0 also installs the Application Host Helper Service (AppHostSvc). This service provides a configuration history feature that lets you go back to an earlier version of the Web server configuration. The Application Host Helper Service saves the ApplicationHost.config file to separate configuration history subdirectories at intervals that you specify. Previous configuration settings for this service were stored by default in the \inetpub\history\CFGHISTORY_xxxxxxxxxx subdirectory, where each x represents a number that would increment for each configuration version. If you copy an earlier version of the IIS configuration file into the %windir%\system32\inetsrv\config directory, you will return IIS to the configuration state contained in the restored file.
Secure By Default
At a conceptual level, the security considerations for the Web server role using IIS 7.0 on a computer running Windows Server 2008 have not changed significantly from those for a computer running IIS 6.0 with Windows Server® 2003. It remains important to keep the server's attack surface as small as possible.
However, at the implementation level, a lot has changed between the releases of IIS 6.0 and IIS 7.0. A fundamental change is that instead of installing a variety of features with IIS 6.0 and then having to enable or disable them, IIS 7.0 uses a minimum installation by default approach—only installing components that work with static sites. The default installation for IIS 7.0 includes the following feature modules:
Static content module
Default document module
Directory browsing module
HTTP Errors module
HTTP Logging module
Request Monitor module
Request Filtering module
Static Content Compression module
IIS Management Console module
The default installation of IIS 7.0 does not support ASP.NET or ASP functionality. You must explicitly select them during the role selection process to include these technologies on your IIS 7.0 Web server. The following figure illustrates the role services that make up the Windows Server 2008 Web Server (IIS) role.
Note The items in bold in the figure are components that install by default when you select the high-level Web Server role.
Figure 6.1 Role services hierarchy for the Web Server role
|