Overview
The overview states the purpose and scope of the guide, defines the guide audience, and indicates the organization of the guide to assist you in locating the information relevant to you. It also describes the tools and templates that accompany the guide, and the user prerequisites for the guidance. Brief descriptions follow for each chapter and the appendix for the guide.
Chapter 1: Implementing a Security Baseline
This chapter identifies the benefits to an organization of creating and deploying a security baseline. The chapter includes high-level security design recommendations that you can follow in preparation to implement either the EC baseline settings or the SSLF baseline settings. The chapter explains important security considerations for both the EC environment and the SSLF environment, and the broad differences between these environments.
The Windows Server 2008 Security Baseline Settings workbook that accompanies this guide provides another resource that you can use to compare and evaluate the Group Policy settings. Run the .msi file for the SCM tool that accompanies the download for this toolkit to create, test, and deploy the security settings for either the EC environment or the SSLF environment. For instructions on how to use the tool, see the information available in the Help Topics for the tool.
 Caution The guidance in this chapter positions your organization to establish the SSLF environment, which is distinct from the EC environment. The SSLF guidance is for high security environments only. It is not a supplement to the guidance on the EC environment. Security settings prescribed for the SSLF environment limit key functionality across the environment. For this reason, the SSLF security baseline is not intended for most organizations. Be prepared to extensively test the SSLF security baseline before implementing it in a production environment.
Chapter 2: Reducing the Attack Surface by Server Role
This chapter provides an overview of built-in tools in Windows Server 2008 that can help you to quickly configure, maintain, and enforce all of the required functionality for the servers in your environment. The chapter discusses using Server Manager to help reduce the attack surface of your servers by only configuring the functionality that each specific server role requires.
The chapter then discusses how you can use the Security Configuration Wizard (SCW) to help maintain and enforce the configuration implemented by Server Manager. The chapter also provides information about Server Core, a new installation option in Windows Server 2008.
Chapter 3: Hardening Active Directory Domain Services
This chapter discusses how organizations can harden Active Directory Domain Services (AD DS) to manage users and resources, such as computers, printers, and applications on a network. AD DS in Windows Server 2008 includes a number of new features that are not available in previous versions of Windows Server®, and some of these features focus on deploying AD DS more securely. Features that enhance security in AD DS include new auditing capabilities, fine-grained password policies, and the ability to use read-only domain controllers (RODCs).
Chapter 4: Hardening DHCP Services
This chapter provides prescriptive guidance for hardening the DHCP Server role. The chapter discusses DHCP Server and DHCP Client services in Windows Server 2008 that include security-related enhancements for Network Access Protection (NAP) and DHCPv6 functionality.
Chapter 5: Hardening DNS Services
This chapter provides prescriptive guidance for hardening the DNS Server role. Windows Server 2008 provides enhancements in the DNS Server service that focus on improving performance or provide new features, including background zone loading to help circumvent potential denial-of-service (DoS) attacks, and support for RODCs located in perimeter networks, branch offices, or other unsecured environments.
This chapter provides prescriptive guidance for hardening the Web Server role. The chapter discusses how the Web server role installs Microsoft® Internet Information Services (IIS) 7.0, which has been redesigned into forty modular components that you can choose to install as needed.
Chapter 7: Hardening File Services
This chapter provides prescriptive guidance for hardening the File Server role. File servers can provide a particular challenge to harden, because balancing security and functionality of the fundamental services that they provide is a fine art. Windows Server 2008 introduces a number of new features that can help you control and harden a file server in your environment.
Chapter 8: Hardening Print Services
This chapter provides prescriptive guidance for hardening the Print Server role. Significant security changes were introduced to printing services in the operating system for Windows Vista, and these changes have also been incorporated into Windows Server 2008 for your organization to take full advantage of them.
Chapter 9: Hardening Active Directory Certificate Services
This chapter provides prescriptive guidance for hardening Active Directory Certificate Services (AD CS) on a server running Windows Server 2008. AD CS provides customizable services for creating and managing public key certificates used in software security systems that employ public key technologies. The chapter discusses how your organizations can use AD CS to enhance security by binding the identity of a person, device, or service to a corresponding private key.
Chapter 10: Hardening Network Policy and Access Services
This chapter provides prescriptive guidance for hardening Network Policy and Access Services on servers running Windows Server 2008. Network Policy and Access Services (NPAS) in Windows Server 2008 provide technologies that allow you to deploy and operate a virtual private network (VPN), dial-up networking, 802.1x protected wired and wireless access, and Cisco Network Admission Control (NAC)-based devices.
The chapter discusses how you can use NPAS to define and enforce policies for network access authentication, authorization, as well as client health using Network Policy Server (NPS), the Routing and Remote Access Service, Health Registration Authority (HRA), and the Host Credential Authorization Protocol (HCAP).
Chapter 11: Hardening Terminal Services
This chapter provides prescriptive guidance for hardening Terminal Services on servers running Windows Server 2008. These servers provide essential services that allow users to access Windows-based programs or the full Microsoft Windows® desktop from various locations. Windows Server 2008 includes a number of specific role services for this technology that your organization can use, including TS Licensing to manage Terminal Server client access licenses (TS CALS) that are required for devices and users to connect to a terminal server.
The chapter also discusses how the Terminal Services Session Broker (TS Session Broker) role service supports reconnection to an existing session on a terminal server that is a member of a load-balanced terminal server farm, how the Terminal Services Gateway (TS Gateway) role service enables authorized users to connect to terminal servers and remote desktops on the corporate network over the Internet using RDP via HTTPS, and how the Terminal Services Web Access (TS Web Access) role service allows authorized users to gain access to terminal servers via a Web browser.
More Information
The following resources provide additional information about security topics and in-depth discussion of the concepts and security prescriptions in this guide on Microsoft.com:
Infrastructure Planning and Design.
Microsoft Assessment and Planning Toolkit.
Microsoft Deployment.
Microsoft Windows Security Resource Kit.
Microsoft Windows Server 2003 Resource Kit.
Security Guidance.
Solution Accelerators.
Threats and Countermeasures.
Windows Server 2003 Security Guide.
Windows XP TechCenter.
Windows XP Security Guide.
Feedback
The Solution Accelerators – Security and Compliance (SA–SC) team would appreciate your thoughts about this and other solution accelerators.
Please send your comments using the following resources:
E-mail to: secwish@microsoft.com.
We look forward to hearing from you.
|
