The following resources on Microsoft.com can provide you with further security best practice information about how to design and maintain Web servers:
Antivirus Defense-in-Depth Guide.
How to Setup SSL on IIS 7.0.
How to Use Request Filtering.
Improving Web Application Security: Threats and Countermeasures.
IIS 7.0: Configure Web Server Security.
Server Core Installation Option of Windows Server 2008 Step-By-Step Guide.
Windows Management Instrumentation.
Windows Server 2008 TechNet Library.
"Virus scanning recommendations for computers that are running Windows Server 2003, Windows 2000, Windows XP, or Windows Vista": Knowledge Base article 822158.
Understanding IIS7 URL Authorization.
Chapter 7: Hardening File Services
This chapter focuses on how to harden computers that perform the File Services role service available in Windows Server® 2008. Computers that perform this role can provide a particular challenge to harden, because balancing the security and functionality of the fundamental services that they provide is a fine art. Windows Server 2008 introduces a number of new features that can help you to control and harden the File services in your environment.
Server Message Block (SMB) is the file-sharing protocol that Windows®-based computers use by default. SMB is an extension of the Common Internet File System (CIFS). Windows Server 2008 features SMB version 2.0, which provides enhanced performance.
You can configure and apply most of the policy settings this chapter discusses through Group Policy. You can link a Group Policy object (GPO) that complements the Member Server Baseline Policy (MSBP) to the appropriate organizational units (OUs) that contain computers running Windows Server 2008 that perform the File Services role. Doing this provides the required security settings for this server role. This chapter only discusses Group Policy settings that vary from those for the MSBP.
The File Services role service also allows you to install the Distributed File System (DFS) role service. DFS consists of the following two technologies that you can use together or independently to provide fault-tolerant and flexible file sharing and replication services on a Windows-based network:
DFS Namespaces. This technology enables you to group shared folders located on different servers into one or more logically structured namespaces. Each namespace appears to users as a single shared folder with a series of subfolders. However, the underlying structure of the namespace can consist of numerous shared folders located on different servers and in multiple sites. Because the underlying structure of shared folders is hidden from users, a single folder in a DFS namespace can correspond to multiple shared folders on multiple servers. This structure provides fault tolerance and the ability to automatically connect users to local shared folders, instead of routing them over wide area network (WAN) connections.
DFS Replication. This technology is a multimaster replication engine that enables you to synchronize folders on multiple servers across local or WAN network connections. This service uses the Remote Differential Compression (RDC) protocol to update only the portions of files that have changed since the last replication. You can use DFS Replication in conjunction with DFS Namespaces or by itself.
In addition, you can install the File Server Resource Manager (FSRM) role service, which provides a suite of tools that enables administrators to understand, control, and manage the quantity and type of stored data that the File services use. By using FSRM, you can place quotas on folders and volumes, actively screen files, and generate comprehensive storage reports.
The Services for Network File System (NFS) role service provides another file sharing solution for an enterprise that has a mixed Windows and UNIX environment. With Services for NFS, you can transfer files between computers running Windows Server 2008 and UNIX operating systems using the NFS protocol. The Windows Search Service also enables you to perform fast file searches on a server from client computers that are compatible with Windows Search.
The Windows Server® 2003 File Server role provides the following services to Windows Server 2008 file servers to make them compatible with file servers running Windows Server 2003 and Windows® 2000:
File Replication Service (FRS), which supports synchronizing folders with file servers that use FRS instead of the newer DFS Replication service. To enable a server to synchronize folders with servers that use FRS with the Windows Server 2003 or Windows 2000 implementations of Distributed File System, install FRS. To enable the latest and most efficient replication technology, install DFS Replication.
Indexing Service, which catalogs the contents and properties of files on local and remote computers. This service also enables you to quickly find files through a flexible query language. You cannot install Indexing Service and Windows Search Service on the same computer.
You can also install the following optional subelements for the File Services role:
Windows Server Backup, which helps you reliably back up and recover the operating system, Windows Server System™ applications, and files and folders stored on the server. This sub-element introduces new backup and recovery technology, and replaces the previous Backup feature available in earlier versions of Windows.
Storage Manager for SANs, which enables you to provision Fibre Channel or iSCSI storage subsystems on a storage area network (SAN).
Multipath I/O, which allows you to increase data availability by providing redundant connections to storage subsystems. Multipathing can also provide load balancing of I/O traffic to improve system and application performance.
The following figure illustrates the role services that make up the Windows Server 2008 File Services role.
Figure 7.1 Role services hierarchy for the File Services role
|
