The following knowledge and skills are required for consultants, operations, help desk and deployment staff, and security specialists who develop, deploy, and secure server systems running Windows Server 2008 in an enterprise organization:
MCSE on Microsoft Windows Server 2003 or a later certification and two or more years of security-related experience, or equivalent knowledge.
In-depth knowledge of the organization’s domain and Active Directory environments.
Experience with the Group Policy Management Console (GPMC).
Experience in the administration of Group Policy using the GPMC, which provides a single solution for managing all Group Policy–related tasks.
Experience using management tools including Microsoft Management Console (MMC), Gpupdate, and Gpresult.
Experience using the Security Configuration Wizard (SCW).
Experience deploying applications and server computers in enterprise environments.
Guide Purpose
The primary purposes of this guide are to enable you to do the following:
Use the solution guidance to efficiently create and apply tested security baseline configurations using Group Policy.
Understand the reasoning for the security setting recommendations in the baseline configurations that the guide prescribes, and their implications.
Identify and consider common security scenarios, and then use specific security features in Windows Server 2008 to help you manage them in your environment.
Understand role based security for different workloads in Windows Server 2008.
The guide is designed to enable you to use only the relevant parts of it to meet the security requirements of your organization. However, readers will gain the most benefit by reading the entire guide.
Guide Scope
This guide focuses on how to help create and maintain a secure environment for servers running Windows Server 2008. The guide explains the different stages of how to secure two different environments, and what each security setting addresses for the servers deployed in either one. The guide provides prescriptive information and security recommendations.
Client computers in the EC environment can run either Windows XP Professional SP3 or later, or Windows Vista SP1. However, the servers that manage these client computers on the network must run Windows Server 2008 or Windows Server 2003 SP2 or later. Client computers in the SSLF environment can only run Windows Vista SP1 and the servers that manage them can only run Windows Server 2008.
This guide includes chapters that provide security recommendations about how to harden the following server roles and the role services that they provide:
Active Directory Domain Services (AD DS)
Dynamic Host Configuration Protocol (DHCP) Server
Domain Name System (DNS) Server
Web Server (IIS)
File Services
Print Services
Active Directory Certificate Services (AD CS)
Network Policy and Access Services
Terminal Services
Note Configuration information about how to set up a server role, such as step-by-step configuration guidance on specific roles, is not in scope for this guide. This guide only includes the security settings available in the operating system that it recommends. However, more configuration information for Windows Server 2008 is available on the Windows Server 2008 Step-by-Step Guides Web page on the Microsoft Download Center.
Hardening recommendations for the following server roles are not included in this guide:
For a thorough discussion of all the security settings in Windows Server 2008, refer to the companion guide, Threats and Countermeasures.
Guidance and Tool Requirements
This Solution Accelerator includes the following documents and workbooks:
Note The Windows Server 2008 Security Baseline Settings workbook provides CCE unique identifiers for each setting. You can use the CCE identifiers to facilitate fast and accurate correlation of configuration data across multiple information sources and tools.
After downloading the Windows Server 2008 Security Guide Solution Accelerator from the Microsoft Download Center, extract these resources on your computer in a location of your choice. You must run the .msi file for the Security Compliance Manager (SCM) tool that accompanies the download for this toolkit to create, test, and deploy the security settings for the Windows Server 2008 Security Guide.
Chapter Summaries
This release of the Windows Server 2008 Security Guide consists of 11 chapters that you can use to reference setting descriptions, considerations, and values. The Windows Server 2008 Security Baseline Settings workbook that accompanies the guide provides another resource that you can use to compare and evaluate the Group Policy settings. In addition, the Windows Server 2008 Attack Surface Reference workbook provides summary information about services, files, and firewall rules specific to each server role that the guide covers. The following figure shows the guide structure to help inform you how to optimally implement and deploy the prescriptive guidance.
Figure 1 Security Guide Structure
|
