  • Windows Server® 2008 Security Guide Security Compliance Management Toolkit Version 1

    HCAP Role Service


    The Host Credential Authorization Protocol (HCAP) allows you to integrate your NAP-based solution with Cisco Network Admission Control (NAC)–based solutions. When you deploy HCAP with NPS and NAP, NPS can perform client health evaluation and the authorization of Cisco NAC–enabled network access devices (such as switches, routers, wireless access points, and VPN concentrators).

    In this configuration, a server computer that runs the HCAP role service communicates with the Cisco Secure Access Control Server (ACS) that authorizes the NAC–enabled devices. NPS manages the validation of the health state attributes and the assignment of the overall health state of NAC–enabled devices in the interoperability architecture.

    For more information about NAP, HCAP, and NAP enforcement points, see Network Access Protection on TechNet. For more information about NAC, see Network Admission Control on the Cisco Web site.

    Attack Surface


    The HCAP role service is susceptible to the same security attacks as any ISAPI extension that runs on IIS, which the Web Server (IIS) role provides.

    To identify the attack surface for this role service, you need to identify the following factors:



    • Installed files. The files are installed as part of the HCAP role service.

    • Running services. The services that run as part of the HCAP role service.

    Note You can use the RootkitRevealer and Sigcheck utilities that are part of Windows Sysinternals to verify the integrity of the installed files and the files that the services run.

    • Firewall rules. The Windows Firewall rules that the HCAP role service uses.

    • Role dependencies. The dependencies for the HCAP role service.

    The details of the attack surface for the HCAP role service are included in the Windows Server 2008 Attack Surface Reference workbook that accompanies this Solution Accelerator. To view the attack surface for this role service, on the NPAS tab of the workbook, view the sections that correspond to each of the items in the previous list.

    Security Measures


    This section describes the security measures that you can incorporate into the HCAP role service configuration to protect the server against malicious attacks. The recommendations that follow assume that you have only selected the HCAP role service option on the Select Role Services page of the Add Roles Wizard. Recommendations for other role services are not included.

    Configuration Checklist


    The following table lists the recommended security configuration tasks for hardening servers that perform the HCAP role service. If you need help to complete any of the checklist items, see the following sections in this chapter for additional details and recommendations.

    Table 10.7 Configuration Checklist

    Configuration tasks

    • Place computers that run the HCAP role service in an intranet.

    • Make computers that run the HCAP role service members of an intranet forest.

    • Use IPsec to secure HCAP role service communication.

    • Use SSL encryption to protect HCAP requests and responses.

    • Dedicate a computer to run the HCAP role service.

    • Perform the hardening recommendations for the Web Services (IIS) server role.


    Place Computers That Run the HCAP Role Service in an Intranet


    The server computer that runs the HCAP role service obtains health certificates on behalf of the Cisco Secure ACSs when they are determined to be compliant with network health requirements. These health certificates authenticate the Cisco Secure ACSs for IPsec–protected communications with other NAC–enabled devices and NAP clients on an intranet.

    In addition, the HCAP role service needs to communicate with computers that run the Certification Authority role service and the NPS role service. In a domain environment, the HCAP role service also requires a connection to an Active Directory global catalog for authentication of client credentials. Because of these connectivity requirements, Microsoft recommends placing the computer that runs the HCAP role service in a protected subnet of your intranet.


    Make Computers That Run the HCAP Role Service Members of an Intranet Forest


    The computers that run the HCAP role service are typically placed in secured subnets in your intranet. Although it is possible to deploy the HCAP role service on a stand-alone computer, Microsoft recommends deploying the computers that run the HCAP role service as members of a domain in your intranet forest.

    Use IPsec to Secure HCAP Role Service Communication


    The computers that run the HCAP role service communicate with computers that run the Certification Authority role service and the NPS role service. To prevent eavesdropping on the communication between these computers, Microsoft recommends securing it by using IPsec. For more information about securing communication by using IPsec, see the IPsec overview page on TechNet.

    Use SSL Encryption to Protect HCAP Requests and Responses


    The HCAP role service communicates with client computers by using the HTTP or HTTPS protocols. Microsoft recommends always configuring HCAP to use the HTTPS protocol to communicate with client computers. This configuration encrypts the traffic between the HCAP role service and client computers.

    For more information, see "Certificates for SSL encryption" in "Understanding HRA Authentication Requirements" in the Windows Server 2008 Help and Support.
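    The following PowerShell audit is added here and is not part of the guide or of the HCAP role service. It checks what this recommendation implies: that the site hosting HCAP has only HTTPS bindings (each backed by a certificate) and that the HCAP application itself requires SSL. The WebAdministration module cmdlets and the application path IIS:\Sites\Default Web Site\HCAP are assumptions; change the path to match where HCAP is installed on your server.

```powershell
# Added audit script (not from the Windows Server 2008 Security Guide).
# Assumes the WebAdministration module and that the HCAP application lives
# at $HcapAppPath; adjust both parameters to your deployment.
param(
    [string]$SiteName    = 'Default Web Site',
    [string]$HcapAppPath = 'IIS:\Sites\Default Web Site\HCAP'   # assumed path
)

Import-Module WebAdministration -ErrorAction Stop

$findings = @()

# 1. Every binding on the site should be https; an http binding lets HCAP
#    requests and responses travel in clear text.
$bindings = @(Get-WebBinding -Name $SiteName)
foreach ($b in $bindings) {
    if ($b.protocol -ne 'https') {
        $findings += "Non-HTTPS binding on '$SiteName': $($b.protocol) $($b.bindingInformation)"
    }
}
if (-not ($bindings | Where-Object { $_.protocol -eq 'https' })) {
    $findings += "Site '$SiteName' has no HTTPS binding at all."
}

# 2. The HCAP application should require SSL (sslFlags contains 'Ssl'), so a
#    request that arrives over a leftover http binding is rejected, not served.
#    sslFlags is a comma-separated string such as 'Ssl, SslNegotiateCert'.
$access = Get-WebConfiguration -Filter 'system.webServer/security/access' -PSPath $HcapAppPath
if (-not $access -or ($access.sslFlags -notmatch '\bSsl\b')) {
    $findings += "'$HcapAppPath' does not require SSL (sslFlags = '$($access.sslFlags)')."
}

# 3. An https binding whose port has no certificate in IIS:\SslBindings
#    cannot actually complete a TLS handshake.
foreach ($b in ($bindings | Where-Object { $_.protocol -eq 'https' })) {
    $port = [int](($b.bindingInformation -split ':')[1])
    $cert = Get-ChildItem IIS:\SslBindings -ErrorAction SilentlyContinue |
            Where-Object { $_.Port -eq $port }
    if (-not $cert) {
        $findings += "HTTPS binding on port $port has no certificate in IIS:\SslBindings."
    }
}

if ($findings.Count -eq 0) {
    Write-Output "PASS: HCAP on '$SiteName' is HTTPS-only and requires SSL."
} else {
    $findings | ForEach-Object { Write-Output "FAIL: $_" }
}
```

    Run it in an elevated PowerShell session on the HCAP server after each change to the site bindings, because a binding added later for another application reintroduces the clear-text path.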


    Dedicate a Computer to Run the HCAP Role Service


    Install the HCAP role service on a computer that is dedicated to the role service (and any role service dependencies). Although you can install this role service on the same computer that runs other role services, doing so increases the attack surface of the HCAP role service. For more information about role and role service dependencies, see "Attack Surface" earlier in this "HCAP Role Service" section.

    Perform the Hardening Recommendations for the Web Services (IIS) Server Role


    Because this role service uses IIS 7.0, ensure that you perform the hardening recommendations for the Web Services (IIS) server role. For more information about hardening the Web Services (IIS) server role, see Chapter 6, "Hardening Web Services" in this guide.

    Relevant Group Policy Settings


    There are no security-related Group Policy settings available for the HCAP role service.

    More Information


    The following resources on Microsoft.com can provide you with additional best practice information about how to harden server computers that run the HCAP role service:

    • "Certificates for SSL encryption" in the "Understanding HRA Authentication Requirements" section of the Windows Server 2008 Help and Support.

    • Cisco Network in a Portable Document Format (PDF) file.

    • IPsec overview.

    • Network Access Protection.

    • Network Policy Server.

    • Server and Domain Isolation.

    • "Understanding HRA Authentication Requirements" in the Windows Server 2008 Help and Support.

    More Information


    The following resources on Microsoft.com provide additional best practice information about how to harden server computers that run NPAS role services:

    • For the NPS role service, see:

        • Extensible Authentication.

        • IPsec overview.

        • Network Policy Server.

        • Network Policy Server Infrastructure.

        • Protected Extensible Authentication Protocol (PEAP).

        • "RADIUS Extensions": RFC 2869.

        • Server and Domain Isolation.

        • Shared secrets.

    • For the Remote Access Service role service, see:

        • IPsec overview.

        • Routing and Remote Access.

        • Routing and Remote Access Blog.

        • Server and Domain Isolation.

        • Windows Server 2008 Step-by-Step Guides: Step-by-Step Guide: Deploying SSTP Remote Access.

        • Virtual Private Networks.

        • Virtual Private Networking with Windows Server 2003: Deploying Remote Access VPNs.

    • For the Routing role service, see:

        • Configuring Firewalls.

        • Extensible Authentication Protocol.

        • How to configure an L2TP/IPSec connection by using Preshared Key Authentication.

        • IPsec overview.

        • Point-to-Point Tunneling Protocol (PPTP).

        • Protected Extensible Authentication Protocol (PEAP).

        • Routing and Remote Access.

        • Routing and Remote Access Blog.

        • Server and Domain Isolation.

        • Windows Server 2008 Step-by-Step Guides: Step-by-Step Guide: Deploying SSTP Remote Access.

        • Virtual Private Networks.

        • Virtual Private Networking with Windows Server 2003: Deploying Site-to-Site VPNs.

    • For the HRA role service, see:

        • "Certificates for SSL encryption" in the "Understanding HRA Authentication Requirements" section of the Windows Server 2008 Help and Support.

        • Health Registration Authority (HRA).

        • HRA Server Role.

        • IPsec overview.

        • Network Access Protection.

        • Server and Domain Isolation.

        • "Understanding HRA Authentication Requirements" in the Windows Server 2008 Help and Support.

    • For the HCAP role service, see:

        • "Certificates for SSL encryption" in the "Understanding HRA Authentication Requirements" section of the Windows Server 2008 Help and Support.

        • Cisco Network in a Portable Document Format (PDF) file.

        • IPsec overview.

        • Network Access Protection.

        • Network Policy Server.

        • Server and Domain Isolation.

        • "Understanding HRA Authentication Requirements" in the Windows Server 2008 Help and Support.

    Chapter 11: Hardening Terminal Services

    Terminal Services in Windows Server® 2008 supports Remote Desktop Protocol (RDP) 6.0 or later. Windows Server 2008 and Windows Vista® also include the Remote Desktop Connection (RDC) 6.0 client and support it.



    Note RDC version 6.1 is available for use on Windows Vista Service Pack 1 (SP1) and Windows® XP Professional SP3. For the best user experience, Microsoft recommends downloading the installer package from Microsoft to update the RDC clients on either operating system to the latest version.

    In addition to the primary Terminal Services server role, Windows Server 2008 includes the following specific role services:



    • TS Licensing. The Terminal Services Licensing (TS Licensing) role service manages the Terminal Services client access licenses (TS CALs) that are required for devices and users to connect to a terminal server. You can use this role service to install, issue, and monitor the availability of TS CALs.

    • TS Session Broker. The Terminal Services Session Broker (TS Session Broker) role service supports reconnection to an existing session on a terminal server that is a member of a load-balanced terminal server farm.

    • TS Gateway. The Terminal Services Gateway (TS Gateway) role service enables authorized remote users to connect over the Internet to terminal servers and to computers with Remote Desktop enabled on an internal corporate or private network. Users can connect from any Internet-connected device that can run the RDC client. The TS Gateway role service does not require users to establish a virtual private network (VPN) session. Instead, this role service uses port 443 to transmit RDP traffic over an HTTP Secure Sockets Layer/Transport Layer Security (SSL/TLS) tunnel, so you do not need to open additional ports on the firewall to use it.

    When you use Server Manager to install the TS Gateway role service, Server Manager also installs and starts the RPC over HTTP Proxy, the Network Policy and Access Services role, the Web Server (IIS) role, and the Windows Process Activation Service.

    • TS Web Access. The Terminal Services Web Access (TS Web Access) role service allows you to provide access to terminal server sessions through a Web interface. Users whom you authorize can gain access to terminal servers by using their Web browser. You can configure the Web interface to advertise the applications and connections that are available to the user.

    Windows Server 2008 also includes the Terminal Services RemoteApp™ (TS RemoteApp) and Terminal Services Easy Print features.

    TS RemoteApp allows users to access programs remotely using Terminal Services. The programs appear as if they are running on the user's local computer. TS RemoteApp enables you to provide users with access to a single application over a remote connection, rather than the entire desktop.

    The Terminal Services Easy Print feature allows client computers to redirect print sessions to a local printer without the need for an administrator to install any printer drivers on the terminal server. This feature is not a security feature, but it does significantly reduce the risk to the server of a rogue print driver causing a denial-of-service (DoS) attack.

    Each role service provides specific functionality to the enterprise and introduces additional elements that can add to the attack surface of the servers performing this role. The following figure illustrates the five role services that you can select as part of the Windows Server 2008 Terminal Services role.





    Figure 11.1 Role services hierarchy for Terminal Services

