If you are using this documentation solely for non-commercial purposes internally within YOUR company or organization, then this documentation is licensed to you under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
This documentation is provided to you for informational purposes only, and is provided to you entirely "AS IS". Your use of the documentation cannot be understood as substituting for customized service and information that might be developed by Microsoft Corporation for a particular user based upon that user’s particular environment. To the extent permitted by law, MICROSOFT MAKES NO WARRANTY OF ANY KIND, DISCLAIMS ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, AND ASSUMES NO LIABILITY TO YOU FOR ANY DAMAGES OF ANY TYPE IN CONNECTION WITH THESE MATERIALS OR ANY INTELLECTUAL PROPERTY IN THEM.
Microsoft may have patents, patent applications, trademarks, or other intellectual property rights covering subject matter within this documentation. Except as provided in a separate agreement from Microsoft, your use of this document does not give you any license to these patents, trademarks or other intellectual property.
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious.
Microsoft, Active Directory, and Windows Server 2008 are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
You have no obligation to give Microsoft any suggestions, comments or other feedback ("Feedback") relating to the documentation. However, if you do provide any Feedback to Microsoft then you provide to Microsoft, without charge, the right to use, share and commercialize your Feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software or service that includes the Feedback. You will not give Feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your Feedback in them.
Executive Overview: Windows Server 2008 Security Guide
IT security is everybody's business. Every day, adversaries are attempting to invade your networks and access your servers to bring them down, infect them with viruses, or steal information about your customers or employees. Attacks come from all directions: from onsite employee visits to Web sites infected with malware, to offsite employee connections through VPNs, branch office network connections to corporate servers, or direct assaults on vulnerable computers or servers in your network.
You know first hand how essential your servers are to keeping your organization up and running. The data they house and the services they provide are your organization’s lifeblood. It’s your job to stand guard over these essential assets, and to prevent them from going down, or falling victim to attacks from outside and inside your organization.
Windows Server® 2008 is engineered from the ground up with security in mind, delivering an array of new and improved security technologies and features that provide a solid foundation for running and building your business. To help you quickly configure, deploy, and manage the security settings in Windows Server 2008 across your organization, Microsoft is developing the Windows Server 2008 Security Guide. This guidance is designed to further enhance the security of the servers in your organization by taking full advantage of the security features and options in Windows Server 2008.
The team is producing a prescriptive security guide you can rely on that is:
Proven. Based on field experience.
Authoritative. Offers the best advice available.
Accurate. Technically validated and tested.
Actionable. Provides the specific steps to success.
Supported. Recommendations are fully supported by Microsoft Product Support.
How Does the Windows Server 2008 Security Guide Help Secure Your Business?
Based on extensive, real-world experience from customers, government agencies, and Microsoft security experts, the Windows Server 2008 Security Guide describes how to structure your environment correctly and prescribes security settings that are appropriate for most enterprise environments. The guide also prescribes more restrictive settings that are appropriate for more "locked down" environments, where concern for security is so great that a significant loss of functionality is acceptable.
Both security setting configurations have been thoroughly tested in Microsoft labs, and validated by customers and partners under real-world conditions. You also can easily tailor the configuration you choose by modifying any of the security settings to accommodate the unique needs of your organization.
Deploy Your Security Baseline Quickly and Reliably
The powerful GPOAccelerator tool is included with the guidance to enable you to automatically deploy a tested configuration of Group Policy security settings across your organization — in minutes, instead of hours or days.
The tool creates all of the Group Policy objects (GPOs) you need to deploy the security configuration you choose. The tool also eliminates many manual steps in the deployment process to give you faster and more reliable results.
With more than 200 security and privacy setting options, you can fine-tune your deployment of Windows Server 2008, balancing your organization’s needs for security and functionality.
Harden Your Server Workloads
This security guide also includes detailed guidance on how to harden Windows Server 2008 to handle different server "workloads" in your organization, including servers that perform as domain controllers, and others that provide DNS, DHCP, Web, File, and Print services. The tested guidance describes how to harden key services like Active Directory® Certificate Services (AD CS), Network Access Services, and Terminal Services.
Security Setting Recommendations
The security guide includes a comprehensive technical reference that explains what each prescribed security setting in the Windows Server 2008 Security Guide does, provides recommended configurations, and identifies the threats that each setting mitigates. A Security Settings Workbook included with the guide also lists all of the prescribed settings for each of the preconfigured security baselines that the guide prescribes.
Windows Server 2008 Security Benefits
Windows Server 2008 has been designed from the beginning with security fully in mind. Some of the primary new security benefits in the operating system allow your organization to:
Protect your network against unauthorized or unhealthy computers. Network Access Protection helps to protect your network by enforcing customized health requirement policies on computers, automatically updating computers to meet compliance requirements, and optionally confining noncompliant computers to a restricted network until they meet the network access requirements of your organization.
Deploy small footprint specialized servers. Server Core, a minimal server installation option, enables you to only install core functionality to limit exposure and reduce management overhead.
Secure server communication. Windows Server Firewall with Advanced Security combines firewall and Internet Protocol security (IPsec) management into one tool so that you can more easily manage secure communication.
Improve branch office security. The new Read-Only Domain Controller (RODC) configuration option helps to protect Active Directory Domain Services (AD DS) if the branch office domain controller is compromised.
Reduce server attack surfaces. Workload-based roles and components allow you to deploy only the server roles you need with more security and less attack surface.
Control service security. Windows Service Hardening helps protect critical server services from being compromised by abnormal activity in the file system, registry, or network. Each service in Windows Server 2008 is designed with reduced privilege and has been "profiled" to access only specific files, registry entries or network interfaces to limit any damage if a service is compromised.
Provide best-of-breed data encryption. Cryptography Next Generation (CNG) implements the Suite B cryptographic algorithms defined by the United States government. Suite B includes algorithms for data encryption, digital signatures, key exchange, and hashing. CNG also allows third parties, such as smart card vendors, to "plug in" to the infrastructure with less effort and expense.
Call to Action
For more information about Windows Server 2008 and the security guide, visit:
Windows Server 2008 TechCenter on Microsoft TechNet.
Evaluate the Windows Server 2008 Public Beta today on TechNet to obtain the latest Beta of the software.
Connect on Microsoft.com to sign in using your Windows Live ID to download Beta versions of the Windows Server 2008 Security Guide later this year. You can also provide feedback on the guide through Connect.
The final version of the guide will be available on the Web and for download from Microsoft with the release of Windows Server 2008.