The following resources on Microsoft.com can provide you with more security best practice information about how to design and maintain a server running Windows Server 2008 that performs the File Server role:
Antivirus Defense-in-Depth Guide.
Encrypting File System.
Microsoft network server: Digitally sign communications (always).
Security and Protection.
Server Core Installation Option of Windows Server 2008 Step-By-Step Guide.
"Virus scanning recommendations for computers that are running Windows Server 2003, Windows 2000, Windows XP, or Windows Vista": Knowledge Base article 822158.
Windows BitLocker Drive Encryption.
Windows Management Instrumentation.
Windows Remote Management.
Windows Server 2008 TechNet Library.
Chapter 8: Hardening Print Services
This chapter focuses on how to harden computers that perform the Print Server role available in Windows Server® 2008. Microsoft introduced significant security changes to printing services in the operating system for Windows Vista®. These changes also are incorporated into Windows Server 2008. For more information about the new features introduced in Windows Vista, see the "Point and Print Security in Windows Vista" white paper.
While the Printer service in Windows Server 2008 supports legacy clients, your organization cannot achieve optimal security unless all the client computers that you manage are running Windows Vista.
There are three role services that you can select to comprise the Print Server role on a computer running Windows Server 2008: the Print Server role service, the Line Printer Daemon (LPD) Service role service, and the Internet Printing role service.
Print Server role service. Installing this role service makes very few changes to the server. The primary printing service is the Print Spooler service (Spooler). This service provides the majority of the functionality required for applications to manage printer-related functions. In addition to managing the printer, many applications also rely on this service to assist in print and page operations, such as formatting pages as they display on screen. For this reason, the Print Spooler service is enabled by default in Windows Server 2008, regardless of whether the Print Server role is installed or not. However, by default the service is not enabled for network access, so you can only use it directly on the server console. This helps to reduce the attack surface on servers that are not actively sharing printers on the network.
When you add the Print Server role service to a default installation of Windows Server 2008, and then install and share a print device, the Spooler and Server services become available for network connections by using remote procedure call (RPC). This change expands the attack surface of the Print server after these services become available over the network.
Although the Print Server role service does not depend directly on the File Server role service, a dependency is exposed when you add a shared print device to the server. Both the Print Services and File Services roles share common RPC and NetBIOS over TCP/IP (NetBT) mechanisms to gain access to shared resources, whether the resources are printers or folders and files. When you first share a printer, you will notice that the File Server role service is automatically enabled, and that you can manage it in Server Manager.
Firewall rules are predefined and disabled by default for the Print Server role service. The process of installing this role service does not enable these rules. Only installing and sharing a print device enables the rules.
For more information, see the "Attack Surface" section in this chapter.
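The following script is an added example, not part of the Windows Server 2008 Security Guide. It checks the three things the preceding paragraphs tie together: whether the Print Spooler is running, whether any printers (or non-administrative folders) are actually shared, and whether inbound rules in the predefined firewall group have been enabled. Where the server shares nothing, it can optionally disable the Spooler and the rule group. The service name "Spooler" and the rule group name "File and Printer Sharing" are assumed to match a default installation; WMI and netsh are used because they are available on Windows Server 2008 without additional modules.

```powershell
# Added example (not from the guide): audit, and optionally reduce, the printer
# sharing attack surface of a Windows Server 2008 computer.
# Assumptions: service name 'Spooler' and firewall rule group
# 'File and Printer Sharing' as shipped in a default installation.
param([switch]$Remediate)

$spooler = Get-WmiObject -Class Win32_Service -Filter "Name='Spooler'"
"Print Spooler: State=$($spooler.State) StartMode=$($spooler.StartMode)"

# Shared printers, plus any non-administrative disk shares (Type 0, name not
# ending in '$'): the File and Printer Sharing rules serve both kinds of share.
$sharedPrinters = @(Get-WmiObject -Class Win32_Printer | Where-Object { $_.Shared })
$sharedFolders  = @(Get-WmiObject -Class Win32_Share |
    Where-Object { $_.Type -eq 0 -and $_.Name -notmatch '\$$' })

"Shared printers: $($sharedPrinters.Count)"
$sharedPrinters | ForEach-Object { "  $($_.Name) -> \\$env:COMPUTERNAME\$($_.ShareName)" }
"Shared folders (non-administrative): $($sharedFolders.Count)"
$sharedFolders  | ForEach-Object { "  $($_.Name) -> $($_.Path)" }

# Parse 'netsh advfirewall firewall show rule' text into one record per rule.
# In the netsh output 'Enabled:' precedes 'Grouping:', so the record is
# completed when the next 'Rule Name:' line (or end of output) is reached.
$rules = @(); $rule = $null
foreach ($line in (netsh advfirewall firewall show rule name=all dir=in)) {
    if ($line -match '^Rule Name:\s+(.+)$') {
        if ($rule) { $rules += $rule }
        $rule = @{ Name = $matches[1].Trim(); Enabled = ''; Group = '' }
    }
    elseif ($rule -and $line -match '^Enabled:\s+(\S+)')  { $rule.Enabled = $matches[1] }
    elseif ($rule -and $line -match '^Grouping:\s+(.+)$') { $rule.Group   = $matches[1].Trim() }
}
if ($rule) { $rules += $rule }

$enabledSharing = @($rules |
    Where-Object { $_.Group -eq 'File and Printer Sharing' -and $_.Enabled -eq 'Yes' })
"Enabled inbound 'File and Printer Sharing' rules: $($enabledSharing.Count)"
$enabledSharing | ForEach-Object { "  $($_.Name)" }

# Finding: rules open but nothing shared means the attack surface was expanded
# (or never reduced) without a reason visible on this server.
$nothingShared = ($sharedPrinters.Count -eq 0 -and $sharedFolders.Count -eq 0)
if ($nothingShared -and $enabledSharing.Count -gt 0) {
    "WARNING: sharing rules are enabled but no printers or folders are shared."
}

if ($Remediate -and $nothingShared) {
    # Only safe when the server shares neither printers nor folders: the rule
    # group also carries the SMB/NetBT rules that file shares depend on.
    "Disabling Print Spooler and the File and Printer Sharing rule group..."
    Stop-Service -Name Spooler
    Set-Service  -Name Spooler -StartupType Disabled
    netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=No
}
```

Run the script without parameters to report; rerun with -Remediate from an elevated prompt to apply the change. Note that the remediation is deliberately refused when any printer or folder share exists, because the predefined rule group is shared with the File Server role, as described above.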
LPD Service role service. This role service enables TCP/IP-based printing using the LPD protocol. This role service requires the Print Server role service to be installed, which minimally expands the attack surface for the Print server. For more information, see the "Attack Surface" section in this chapter.
Internet Printing role service. This role service allows you to make shared printers available to client computers by using the Internet Printing Protocol (IPP) over an HTTP connection. Web browser-based client computers can connect to and use printers that are published using the Web Server role available in Windows Server 2008. Internet printing also enables connections between users and printers that are not on the same domain or network.
The Internet Printing role service depends on the Web Server (IIS) role, which is installed by Windows Server 2008 automatically when you select the Internet Printing role service. This installation includes a number of Web Server role services and features, including ASP, ISAPI Extensions, ISAPI Filters, .NET Extensibility application development features, Request Filtering, Basic Authentication, Windows Authentication security features, a number of features in the Common HTTP Features role service, the Health and Diagnostics role service, the Performance role service, and the Management Tools role service. Along with these features, the Windows Process Activation Service (WAS) is installed and enabled, which includes configuration application programming interfaces (APIs), and a process model with .NET environment support.
Because the Internet Printing role service is so dependent on the Web Server role, you should add the attack surface of the Web Server role to the services identified in this section. For more information about the attack surface of the Web Server role, see Chapter 6, "Hardening Web Services" of this guide.
When you add the Internet Printing role service to a default installation of Windows Server 2008, the installer adds a number of Active Server Pages (ASP) files to the Internet Information Services (IIS) 7.0 server to extend the Web server's functionality to support IPP. No additional services are required for the server, and no additional network ports are opened when you add the Internet Printing role service. This is because the client computer's browser uses the standard Web server ports (80 and 443) to connect to the printer.
After you install the Internet Printing role service, the print server client computers in your organization can print or manage documents from their Web browsers. When a client computer connects to a printer's Web page, the server generates a .cab file that contains the appropriate printer driver files, and the client computer downloads it. After the printer drivers install, the printer displays in the Printers folder on the client computer. For more information, see the "Attack Surface" section in this chapter.
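The following script is an added example, not part of the Windows Server 2008 Security Guide. It enumerates what the LPD Service and Internet Printing role services described above bring to the network edge of the server: the services they introduce, which of them are installed and running, and which of the associated TCP ports are actually listening, attributed to the owning service. The service names (Spooler, LPDSVC, W3SVC, WAS), the port mapping (515 for LPD; 80 and 443 for IPP over HTTP; 135, 139 and 445 for RPC and NetBT/SMB printer sharing) and the IIS content location for Internet Printing (%windir%\web\printers) are assumptions about a default Windows Server 2008 installation.

```powershell
# Added example (not from the guide): map Print Server role services to the
# services and listening TCP ports they expose on a Windows Server 2008 computer.
# Assumptions: service names, port numbers and the Internet Printing content
# path below are those of a default installation; adjust for your build.

# Service name -> role service that introduces it (assumed mapping)
$roleServices = @{
    'Spooler' = 'Print Server'
    'LPDSVC'  = 'LPD Service'
    'W3SVC'   = 'Internet Printing (via Web Server role)'
    'WAS'     = 'Internet Printing (via Web Server role)'
}

"Role-related services:"
foreach ($name in $roleServices.Keys) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    $state = if ($svc) { "$($svc.State)/$($svc.StartMode)" } else { 'not installed' }
    "  {0,-8} {1,-40} {2}" -f $name, $roleServices[$name], $state
}

# Map PIDs of running services to service names so that a listening socket can
# be attributed to the service (several services may share one svchost PID).
$pidToServices = @{}
foreach ($svc in Get-WmiObject -Class Win32_Service -Filter "State='Running'") {
    $key = [int]$svc.ProcessId
    if (-not $pidToServices.ContainsKey($key)) { $pidToServices[$key] = @() }
    $pidToServices[$key] += $svc.Name
}

# Ports associated with the role services (assumed): 515 LPD, 80/443 IPP over
# HTTP(S), 135/139/445 RPC and NetBT/SMB used by printer sharing.
$watch = @(80, 135, 139, 443, 445, 515)
"Listening TCP ports of interest:"
foreach ($line in (netstat -ano -p tcp)) {
    if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
        $port = [int]$matches[2]
        $ownerPid = [int]$matches[3]
        if ($watch -contains $port) {
            $owner = if ($pidToServices.ContainsKey($ownerPid)) {
                $pidToServices[$ownerPid] -join ','
            } else { "pid $ownerPid" }
            "  {0}:{1,-5} {2}" -f $matches[1], $port, $owner
        }
    }
}

# Internet Printing adds ASP content under IIS rather than a new listener, so
# its presence is visible on disk, not in the port list.
$ippPath = Join-Path $env:windir 'web\printers'
if (Test-Path $ippPath) { "Internet Printing content present at $ippPath" }
else { "Internet Printing content not found (role service probably not installed)" }
```

A server that shows only Spooler running and no ports from the list in LISTENING state is in the default, console-only state the chapter describes; each additional row is attack surface that should correspond to a role service you deliberately installed.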
The following figure illustrates the role services that make up the Windows Server 2008 Print Server role.
Figure 8.1 Role services hierarchy for the Print Server role