Organizations that use computers and networks, especially if they connect to external resources such as the Internet, must address security issues in system and network design, and how they configure and deploy their computers. Capabilities that include process automation, remote management, remote access, availability 24 hours a day, worldwide access, and software device independence enable businesses to become more streamlined and productive in a competitive marketplace. However, these capabilities also expose the computers of these organizations to potential compromise.
In general, administrators take reasonable care to prevent unauthorized access to data, service disruption, and computer misuse. Some specialized organizations, such as those in the military, government, and finance are required to protect some or all of the services, systems, and data that they use with a specialized security level. The SSLF baseline is designed to provide this level of security for these organizations. To preview the SSLF settings, see the Windows Server 2008 Security Baseline Settings workbook that accompanies this guide.
Limited Functionality
The specialized security the SSLF baseline implements may reduce functionality in your environment. This is because the SSLF baseline limits users to only the specific functions that they require to complete necessary tasks. Access is limited to approved applications, services, and infrastructure environments. There is a reduction in configuration functionality because the baseline disables many property pages with which users may be familiar.
The following sections in this chapter describe the areas of higher security and limited functionality that the SSLF baseline enforces:
Restricted services and data access.
Restricted network access.
Strong network protection.
Restricted Services and Data Access
Specific settings in the SSLF baseline can prevent valid users from accessing services and data by requiring strong passwords that users can more easily forget or misspell. In addition, these settings may lead to an increase in help desk calls. However, the security benefits that the settings provide help make it harder for malicious users to attack computers running Windows Server 2008 in this environment. Setting options in the SSLF baseline that could potentially prevent users from accessing services and data include those that:
Restrict administrative groups such as Backup Operators and Server Operators.
Enforce stronger password requirements.
Require more strict account lockout policy.
Require more strict User Rights Assignments and Security Options policy.
Note The Windows Server 2008 Security Baseline Settings workbook that accompanies this guide provides another resource that you can use to compare setting values of the EC and the SSLF baselines.
Group Policy can either restrict or enforce the default setting values of many user rights and security options. This can cause some applications that require specific user rights on a computer to not function properly. For this reason, it is important to closely review user right and security option setting requirements for applications that are outside the realm of those that are installed for different server roles. These can include but are not limited to applications developed specifically for your environment or tools used to perform diagnostics or updates for your computers.
Restricted Network Access
Network reliability and system connectivity is paramount for successful business. Microsoft operating systems provide advanced networking capabilities that help to connect systems, maintain connectivity, and repair broken connections. Although this capability is beneficial to maintaining network connectivity, attackers can use it to disrupt or compromise the computers on your network.
Administrators generally welcome features that help to support network communications. However, in special cases, the primary concern is the security of data and services. In such specialized environments, some loss of connectivity is tolerated to help ensure data protection. Setting options in the SSLF baseline that increase network security but could potentially prevent users from network access include those that:
Limit access to client systems across the network.
Hide systems from browse lists.
Control Windows Firewall exceptions.
Implement connection security, such as packet signing.
Strong Network Protection
A common strategy to attack network services is to use a denial of service (DoS) attack. Such an attack prevents connectivity to data or services or overextends system resources and degrades performance. The SSLF baseline provides additional protections to system objects and the assignment of resources to help guard against this type of attack. Setting options in the SSLF baseline that help to prevent DoS attacks include those that control:
Process memory quota assignments.
Object creation.
The ability to debug programs.
Process profiling.
All of these security considerations contribute to the possibility that the security settings in the SSLF baseline may prevent applications in your environment from running or users from accessing services and data as expected. For these reasons, it is important to extensively test the SSLF baseline after you implement it and before you deploy it in a production environment.
Security Design
The security design this chapter recommends forms the starting point for the scenarios in this guide, as well as the mitigation suggestions for the scenarios. The remaining sections in this chapter provide design details about the core security structure:
Microsoft strongly recommends that you perform your own testing in a lab environment before deploying new security policies to production computers. The settings recommended in this guide and stored as security baselines in the SCM tool have been thoroughly tested. However, your organization’s network has unique business applications that may be impacted by some of these settings. Therefore, it is extremely important to thoroughly test the settings before implementing them on any production computers.
OU Design for Security Policies
The Microsoft security guides for Windows, Office, and Internet Explorer use organizational units (OUs). An OU is a container within a domain that uses AD DS. An OU may contain users, groups, computers, and other OUs. If an OU contains other OUs, it is a parent OU. An OU within a parent OU is a child OU.
You can link a GPO to an OU, which will then apply the GPO's settings to the users and computers that are contained in that OU and its child OUs. And to facilitate administration, you can delegate administrative authority to each OU.
OUs provide an effective way to segment administrative boundaries for users and computers. Microsoft recommends that organizations assign users and computers to separate OUs, because some settings only apply to users and other settings only apply to computers.
You can delegate control over a group or an individual OU by using the Delegation Wizard in the Microsoft® Management Console (MMC) Active Directory Users and Computers snap-in tool. See the "More Information" section at the end of this chapter for links to documentation about how to delegate authority.
One of the primary goals of an OU design for any environment is to provide a foundation for a seamless Group Policy implementation that applies to all client computers in AD DS. This ensures that the client computers meet the security standards of your organization. The OU design must also provide an adequate structure to accommodate security settings for specific types of users in an organization. For example, developers may require access to their computers that average users do not. Also, laptop users may have different security requirements than desktop users.
The following figure illustrates a simple OU structure that is sufficient for the Group Policy discussion in this chapter. This OU structure may differ from the requirements of your organization's environment.
Figure 1.1 Example OU structure for computers running Windows 7 and Windows Server 2008
Domain Root
You should apply some security settings throughout the domain to control how the domain, as a whole, is configured. These settings are contained in GPOs that apply to the domain. Computers and Users are not managed in this container.
Domain Controllers OU
Domain controllers hold some of the most sensitive data in your organization — data that controls the security configuration itself. You apply GPOs at this level in the OU structure to configure and protect the domain controllers.
Member Servers OU
This OU contains child OUs as described below. You should include settings that apply to all servers, but not to workstations, in the GPOs that you apply to this OU.
Server Role OUs
Microsoft recommends creating an OU for each server role that your organization uses. Each OU should contain only one type of server computer. You can then configure GPO settings and apply them to OUs that are specific to each role.
You can also choose to combine certain roles on the same server, if your organization requires it. For example, you may choose to combine the File and Print server roles. In this case, you can create an OU for these combined server roles called "File and Print Server," and then link the two role-specific GPO policies to that OU.
Important Combining server roles on the same computer requires careful planning and testing to ensure that you do not negatively affect the overall security of the server roles that you combine.
Department OU
Security requirements often vary within an organization. For this reason, it may make sense to create one or more department OUs in your environment. This OU enables you to apply security settings from GPOs to computers and users in their respective department OUs.
This OU contains the user accounts for the EC environment. The settings that you apply to this OU are described in detail in the Windows 7 Security Baseline Settings Excel workbook that accompanies this guide.
Windows 7 Computers OU
This OU contains child OUs for each type of client computer running Windows 7 in the EC environment. This guide focuses on security guidance for desktop and laptop computers. For this reason, the engineers for this guide created the following computer OUs:
Desktop OU. This OU contains desktop computers that constantly remain connected to the network. The settings applied to this OU are described in detail in the Windows 7 Security Baseline Settings Excel workbook.
Laptop OU. This OU contains laptop computers for mobile users that are not always connected to the network. The Windows 7 Security Baseline Settings Excel workbook also provides details about the settings that apply to this OU.
|
