Acknowledgements
The Solution Accelerators – Security and Compliance (SA–SC) team would like to acknowledge and thank the team that produced the Windows Server 2008 Security Guide. The following people were either directly responsible or made a substantial contribution to the writing, development, and testing of this solution.
Development Team
Authors and Experts
Benjamin Curry – Content Master
Kurt Dillard – kurtdillard.com
Richard Harrison – Content Master
Byron Hynes – Microsoft
Doug Steen – Wadeware LLC
Developers
Bhakti Bhalerao – Infosys Technologies Ltd
Haikun Zhang – Minesage Co Ltd
Hui Zeng – Minesage Co Ltd
José Maldonado – Microsoft
Michael Tan – Microsoft
Naresh Krishna Kumar Kulothungan – Infosys Technologies Ltd
ZhiQiang Yuan – Minesage Co Ltd
Editors
John Cobb – Wadeware LLC
Steve Wacker – Wadeware LLC
Product Managers
Alain Meeus – Microsoft
Jim Stuart – Microsoft
Shruti Kala – Microsoft
Program Manager
Vlad Pigin – Microsoft
Release Manager
Karina Larson – Microsoft
Test Managers
Gaurav Singh Bora – Microsoft
Sumit Parikh – Microsoft
Testers
Ankit Agarwal – Infosys Technologies Ltd
Beenu Venugopal – Infosys Technologies Ltd
Dhanashri Dorle – Infosys Technologies Ltd
Raxit Gajjar – Infosys Technologies Ltd
Swaminathan Viswanathan – Infosys Technologies Ltd
Contributors and Reviewers
Sreenivas Addagatla, Starr Anderson, Brandon Baker, Siddharth Bhai, Daniel H. Brown, Derick Campbell, Chase Carpenter, Pankaj Chhabra, Richard Costleigh, Raf Cox, Jan Decrock, Ido Dubrawsky, Nils Dussart, Thomas Deml, Pitchai "Elango" Elangom, Lambert Green, Roger Grimes, Jim Groves, Robert Hoover, Manu Jeewani, Dan Kaminsky, David Kennedy, David Kruse, Nazim Lala, Anthony Leibovitz, Richard Lewis, Adrian Lannin, Greg Lindsay, Brad Mahugh, Aaron Margosis, Greg Marshall, Georgi Matev, Herbert Mauerer, Nathan Muggli, Doug Neal, Ramasubramanian K. Neelmani, Marco Nuijen, Chandra Nukala, Frank Olivier, Ashwin Palekar, Sanjay Pandit, Abhishek Pathak, Enrique Saggese, Oded Ye Shekel, Michiko Short, Eugene Siu, Jeff Westhead, and Sudarshan Yadav, John Addeo (Dimension Data America), Jorge de Almeida Pinto (MVPS), Renato Miguel de Barros (Modulo Security Solutions), Jan De Clercq (Hewlett-Packard), Guido Grillenmeier (Hewlett-Packard), Jakob H. Heidelberg (Interprise Consulting A/S), Korean Government, Juergen Otter (Siemens AG), Vern Perryman (Hewlett-Packard), Stephan Reitinger (Siemens AG Austria), Derek Seaman (PointBridge), Alex Vandurme (NCIRC/NATO), David Vanophalvens (NCIRC/NATO), and Werner Kraus (Siemens AG Austria).
Note The United States Department of Commerce National Institute of Standards and Technology (NIST) participated in the review of this Microsoft security guide and provided comments that were incorporated into the published version.
Note At the request of Microsoft, the National Security Agency Information Assurance Directorate participated in the review of this Microsoft security guide and provided comments that were incorporated into the published version.
Chapter 1: Implementing a Security Baseline
Windows Server® 2008 is the most secure operating system that Microsoft has produced to date. However, every organization needs to consider what level of security and functionality is required. Therefore, you may need to make specific configuration changes to meet the requirements of your environment. This chapter demonstrates how relatively easy it is to configure security settings to harden computers that perform different server roles. Each server is running Windows Server 2008 in the default configuration and is joined to a domain using Active Directory® Domain Services (AD DS).
You can now harden the default operating system using only Group Policy objects (GPOs). Previous guidance from Microsoft required importing Security Template .inf files and extensive manual modification of the Administrative Templates portion of several GPOs. Working with these files and templates is no longer necessary. A "stand-alone" server is not a member of an AD DS domain. All of the recommended Group Policy settings are documented as baselines in the SCM tool that accompanies this guide.
To deploy this guidance, you need to:
Create an organizational unit (OU) structure for your environment.
Run the SCM tool for this guide.
Important You must run the .msi file for the SCM tool that accompanies the download for this toolkit to create, test, and deploy the security settings for this guide. This tool automatically creates all the GPOs for the security settings this guide recommends. The tool also includes the LPT that you can use to apply security settings to stand-alone computers.
Use the Group Policy Management Console (GPMC) to link and manage the GPOs.
Caution It is essential to thoroughly test your OU and GPO designs before deploying them in a production environment. Use this guidance to create and deploy the OU structure and security GPOs during both the test and production phases of the implementation.
The security baseline GPOs for this guide provide a combination of tested settings that enhance security for computers running Windows Server 2008 in the following two distinct environments:
Enterprise Client (EC)
Specialized Security – Limited Functionality (SSLF)
The Enterprise Client (EC) environment referred to in this chapter consists of a domain using AD DS in which computers running Windows Server 2008 with Active Directory manage client computers that can run either Windows Vista® Service Pack 1 (SP1) or Windows XP® Professional (SP3) or later, and member servers running Windows Server 2008 or Windows Server 2003 SP2 or later. The client computers and member servers are managed in this environment through Group Policy, which is applied to sites, domains, and OUs. Group Policy provides a centralized infrastructure within AD DS that enables directory-based change and configuration management of user and computer settings, including security and user data.
Note The Enterprise Client (EC) security baseline this guide prescribes helps to provide enhanced security that allows sufficient functionality of the operating system and applications for the majority of organizations.
Specialized Security – Limited Functionality Environment
The Specialized Security – Limited Functionality (SSLF) environment referred to in this chapter consists of a domain using AD DS in which computers running Windows Server 2008 with Active Directory manage client computers that can run either Windows Vista® Service Pack 1 (SP1) or Windows XP® Professional SP3 or later, and member servers running Windows Server 2008.
The Specialized Security – Limited Functionality (SSLF) baseline for this guide addresses the demand to help create highly secure environments for computers running Windows Server 2008. Concern for security is so great in these environments that a significant loss of functionality and manageability is acceptable. These setting recommendations have been developed in cooperation with several government agencies from around the world.
Caution The SSLF security settings are not intended for the majority of enterprise organizations. The configuration for these settings has been developed for organizations where security is more important than functionality.
If you decide to test and deploy the SSLF configuration settings to servers in your environment, the IT resources in your organization may experience an increase in help desk calls related to the limited functionality that the settings impose. Although the configuration for this environment provides a higher level of security for data and the network, it also prevents some services from running that your organization may require. Examples of this include Terminal Services, which allows users to connect interactively to desktops and applications on remote servers.
It is important to note that the SSLF baseline is not an addition to the EC baseline: the SSLF baseline provides a distinctly different level of security. For this reason, do not attempt to apply the SSLF baseline and the EC baseline to the same computers. Rather, for the purposes of this guide, it is imperative to first identify the level of security that your environment requires, and then decide to apply either the EC baseline or the SSLF baseline. You can use the Windows Server 2008 Security Baseline Settings workbook that accompanies this guide provides to compare setting values.
Important If you are considering whether to use the SSLF baseline for your environment, be prepared to exhaustively test the computers in your environment after you apply the SSLF security settings to ensure that they do not prohibit required functionality for the computers in your environment.
|