There are no security-related group policy settings for the Routing role service. However, you can configure NPS (RADIUS) policy settings to help secure the authentication used between routers.
More Information
The following resources on Microsoft.com can provide you with additional best practice information about how to harden server computers that run the Routing role service:
Configuring Firewalls.
Extensible Authentication Protocol.
How to configure an L2TP/IPSec connection by using Preshared Key Authentication.
IPsec overview.
Point-to-Point Tunneling Protocol (PPTP).
Protected Extensible Authentication Protocol (PEAP).
Routing and Remote Access.
Routing and Remote Access Blog.
Server and Domain Isolation.
Windows Server 2008 Step-by-Step Guides: Step-by-Step Guide: Deploying SSTP Remote Access.
Virtual Private Networks.
Virtual Private Networking with Windows Server 2003: Deploying Site-to-Site VPNs.
HRA Role Service
Health Registration Authority (HRA) is a NAP component that issues health certificates to clients that pass the health policy verification that is performed by NPS using the Statement of Health (SoH) protocol (including security policies). HRA is currently used only when the NAP enforcement method is IPsec enforcement.
However, you could extend this capability to issue health certificates for other enforcements in the future. You can use the HRA to enforce specific health requirements before you allow computers to communicate with each other by refusing to issue certificates or by requiring IPsec connections.
In such a configuration, a server computer that runs the HRA role service acts as a NAP enforcement point. Other NAP enforcement points include:
NAP-capable VPN servers.
NAP-capable DHCP servers.
Ethernet switches that support the 802.1X authentication protocol or dynamic VLAN assignments.
Wireless access points that support 802.1X authentication.
For more information about HRA, see HRA Server Role and Health Registration Authority (HRA) on TechNet. For more information about NAP, HRA, and NAP enforcement points, see Network Access Protection.
Attack Surface
The HRA role service is susceptible to security attacks for any ISAPI extension that runs on Internet Information Services (IIS), which is provided by the Web Server (IIS) role. To identify the attack surface for this role service, you need to identify the following factors:
Installed files. The files that are installed as part of the HRA role service.
Running services. The services that run as part of the HRA role service.
Note You can use the RootkitRevealer and Sigcheck utilities that are part of Windows Sysinternals to verify the integrity of the installed files and the files that the services run.
Firewall rules. The Windows Firewall rules that the HRA role service uses.
Role dependencies. The dependencies for the HRA role service.
The details of the attack surface for the HRA role service are included in the Windows Server 2008 Attack Surface Reference workbook that accompanies this Solution Accelerator. To view the attack surface for this role service, on the NPAS tab of the workbook, view the sections that correspond to each of the items in the previous list.
Security Measures
This section describes the security measures that you can incorporate into your HRA role service configuration to protect the server against malicious attacks. The recommendations that follow assume that you have only selected the HRA role service option on the Select Role Services page of the Add Roles Wizard. Recommendations for other role services are not included.
Configuration Checklist
The following table lists the recommended security configuration tasks for hardening servers that perform the HRA role service. If you need help to complete any of the checklist items, see the following sections in this chapter for additional details and recommendations.
Table 10.6 Configuration Checklist
|
Configuration tasks
|
|
Place the computers that run the HRA role service in an intranet.
|
|
Make computers that run the HRA role service members of an intranet forest.
|
|
Use IPsec to secure HRA role service communication.
|
|
Use SSL encryption to protect HRA client requests and responses.
|
|
Dedicate a computer to run the HRA role service.
|
|
Allow only authenticated users to obtain health certificates.
|
|
Perform the hardening recommendations for the Web Services (IIS) server role.
|
The server computer that runs the HRA role service obtains health certificates on behalf of NAP clients when they are determined to be compliant with network health requirements. These health certificates authenticate NAP clients for IPsec-protected communications with other NAP clients on an intranet.
In addition, the HRA role service needs to communicate with computers that run the Certification Authority role service and the NPS role service. In a domain environment, the HRA role service also requires a connection to an Active Directory global catalog for authentication of client credentials. Because of these connectivity requirements, Microsoft recommends placing the computer that runs the HRA role service in a protected subnet of your intranet.
Make Computers That Run the HRA Role Service Members of an Intranet Forest
The computers that run the HRA role service are typically placed in secured subnets in your intranet. Although it is possible to deploy the HRA role service on a stand-alone computer, Microsoft recommends deploying the computers that run the HRA role service as members of a domain in your intranet forest.
Use IPsec to Secure HRA Role Service Communication
The computers that run the HRA role service communicate with computers that run the Certification Authority role service and the NPS role service. To prevent potential viewing of communication between these computers, secure communication by using IPsec. For more information about securing communication by using IPsec, see the IPsec overview page on TechNet.
Use SSL Encryption to Protect HRA Client Requests and Responses
The HRA role service communicates with client computers by using the HTTP or HTTPS protocols. Microsoft recommends always configuring the HRA to use the HTTPS protocol to communicate with client computers. This configuration encrypts the traffic between the HRA role service and client computers. For more information, see the topics "Certificates for SSL encryption" in "Understanding HRA Authentication Requirements" in the Windows Server 2008 Help and Support.
Dedicate a Computer to Run the HRA Role Service
Install the HRA role service on a computer dedicated to the role service, along with any role service dependencies. Although you can install this role service on the same computer that runs other role services, doing so increases the attack surface of the HRA role service. For more information about role and role service dependencies, see "Attack Surface" earlier in this "HRA Role Service" section.
Allow Only Authenticated Users to Obtain Health Certificates
While installing the HRA role service, you can configure the authentication requirements for HRA. You can configure HRA to allow only authenticated members of a domain to obtain health certificates. You can also configure HRA to allow all users, including anonymous users, to obtain health certificates.
When you provide health certificates for computers in your intranet, always require authenticated users. Only allow anonymous users in limited cases when you want to provide such users with access to a portion of your network. For example, you might want to allow visitors to have Internet access as anonymous users while connected to your intranet.
For more information about this topic, see "Understanding HRA Authentication Requirements" in the Windows Server 2008 Help and Support.
Perform the Hardening Recommendations for the Web Services (IIS) Server Role
Because this role service uses IIS 7.0, ensure to perform the hardening recommendations for the Web Services (IIS) server role. For more information about hardening the Web Services (IIS) server role, see Chapter 6, "Hardening Web Services," in this guide.
Relevant Group Policy Settings
There are no security-related Group Policy settings available for the HRA role service.
More Information
The following resources on Microsoft.com can provide you with additional best practice information about how to harden server computers that run the HRA role service:
"Certificates for SSL encryption" in the "Understanding HRA Authentication Requirements" section of the Windows Server 2008 Help and Support.
Health Registration Authority (HRA).
HRA Server Role.
IPsec overview.
Network Access Protection.
Server and Domain Isolation.
"Understanding HRA Authentication Requirements" in the Windows Server 2008 Help and Support.
|