Accessing Tomorrow’s Security Protection Today
Protecting your Organization with Windows Server 2008 Security Technologies

Rick Pollak, Senior Solutions Consultant, MCITP Windows Server 2008
Kenneth Ta, Mgr. Enterprise Solutions, CISSP, PMP, MCITP Windows Server 2008
www.janalent.com +1-888-290-4870
© 2008 Janalent Corporation, All Rights Reserved
Executive Summary

Windows Server 2008 builds on the success and strengths of its predecessor, Windows Server 2003, and is designed to provide organizations with the most productive platform for powering applications, networks, and Web services from the workgroup to the datacenter, with exciting, valuable new functionality and powerful improvements to the base operating system. Windows Server 2008 has many granular improvements over Windows Server 2003 and Windows Server 2003 R2, but many of these improvements are low-level. As a result, Janalent views Windows Server 2008 as an incremental improvement over Windows Server 2003, not as a major shift (such as Windows NT Server 4 to Windows 2000 Server). These incremental improvements shouldn't be regarded as "negative": most IT organizations prefer incremental improvements that can be digested easily over large technology jumps that require massive changes to established processes and infrastructure.

Windows Server 2008 excels in just about every area when compared to previous versions of Windows Server. Whichever pieces of the functionality you use, you'll find it faster, easier to deploy, much more sensible in its defaults, and less work for more output. But of all the reasons to consider upgrading to Windows Server 2008, the foremost is security, security, and security. It would be pointless to argue against having a secure IT infrastructure: the infiltration of company servers and data can have a tremendous negative impact on an organization. Windows Server 2008 introduces several new features with security in mind, including Read-Only Domain Controllers (RODC), Network Access Protection (NAP), Server Core, Terminal Services RemoteApp publishing, and BitLocker, to name a few. This whitepaper discusses how your organization can benefit from the security that Windows Server 2008 offers.
Although this paper focuses on the security features of Windows Server 2008, there are a myriad of other compelling features you may benefit from.
2
Accessing Tomorrow’s Security Protection Today using Windows 2008
www.janalent.com
Contents

Executive Summary .... 2
About Janalent – Organization Profile .... 4
Lines of Business .... 5
  Janalent Infrastructure Design & Restructuring Solutions .... 5
Delivery Methodology .... 6
Selected Partnerships .... 7
WhitePaper Overview .... 8
Business Challenges .... 9
Windows Server 2008 Security Features .... 10
BitLocker Technologies .... 10
  Modes of Operation .... 11
Read-Only Domain Controllers .... 12
Network Policy and Access Services .... 13
  Available Network Access Services .... 13
Network Access Protection .... 14
Server Core Installation .... 15
What do I get with Server Core? .... 16
  Terminal Services .... 16
  RemoteApp Presentation .... 17
  Windows Firewall .... 17
  Order of Windows Firewall Rules Evaluation .... 18
Conclusion .... 19
Janalent Windows Server 2008 Launch Offer .... 19
About The Authors .... 20
About Janalent – Organization Profile

As an innovative Business & Technology Consulting Solutions organization, Janalent is focused on providing the highest-level balanced business and technology expertise available in the marketplace. Janalent strives to go beyond the boundaries of traditional consulting firms and believes that true return on investment requires today's battle-proven corporate leaders to align business and technology processes with the overall strategic direction of the organization. Our mission is to ensure customer success by providing innovative, business-enabling solutions based on our core operating philosophy and organization mantra of Knowledge, Wisdom, and Performance. Janalent’s philosophy is one of partnership, and our clients’ and partners’ success is our ultimate goal. Delivering solutions that enable, support, and enhance our clients' ability to be successful is our ultimate measure of success.

More broadly, we regularly help our clients and key Partners in the high-level planning, implementation approach, migration approach, and management of many of the largest and most complex KM/SharePoint, Exchange, and Active Directory initiatives in the world. Our consultants have successfully delivered engagements to over 500 customers across every industry on five continents. In the infrastructure design & restructuring arena, Janalent has quickly become a recognized leader and “Go To” partner in the area of design, integration & migration consulting services. Many of our consultants have over 15 years' experience designing and deploying infrastructure solutions for the largest environments in the world. Our subject matter experts know that, to be successful, initiatives require a careful balance of people, process, and technology. Ignore any of these areas, and your probability of success is significantly reduced.

Our end goal is to help move organizations toward the "Information Workplace" of tomorrow, where users have a seamless, contextual and role-based environment in which to work. Our consultants have extensive experience in analyzing and designing complex infrastructure & knowledge management solutions. From performing requirements analysis and aligning technical activities with business goals in an organizational strategy, to designing and deploying technology that enables business processes and people activities, while educating and evolving the use of infrastructure solutions (people, process, and technology) within the organization, our consultants are considered THE experts who have done it all.
Lines of Business

Janalent focuses on four primary lines of business. These lines of business build on our distinctive competencies, experience, partnership model, customer engagement process, and ADE² Success Methodology™. Our lines of business are:

Janalent Infrastructure Design & Restructuring Solutions

As a valued Microsoft Certified Gold Partner, we combine the highest-level subject matter experts, best-in-class tools, and a proven methodology to successfully deliver the RIGHT solution for your organization the first time. Our world-class infrastructure design & restructuring solutions are built upon our proven approach for success, with the following key capabilities:

Analysis & Alignment
- Opportunity Analysis
- Infrastructure Discovery & Assessment
- Business Case Preparation
- Current environment catalog
- Utilization Analysis
- Infrastructure Business Process Mapping
- Hardware / Software Assessment
- Source - Target Solutions analysis

Architecture & Design
- Infrastructure Methodology Design
- Infrastructure Design Options Mapping
- Infrastructure system design
- Directory structure architecture and design
- Messaging system architecture and design
- Migration Planning and process design
- Capacity planning & Storage Optimization
- Back-up and recovery solutions

Deployment & Migration
- Directory & Messaging System deployment
- Merger, Acquisition, & Divestiture execution
- Organization integration
- Toolset subject matter expertise
- Client advocacy to vendor community

Training, Knowledge Transfer & Next Steps
- Solution documentation
- Knowledge Transfer with key personnel
- Customized training for client personnel
- After-Action Review
- Next Steps Definition
Delivery Methodology

Janalent’s ADE² Success Methodology™ is a business- and technology-balanced methodology focused on providing both valuable business enablement and efficient, effective technology solutions. Our methodology has been built by incorporating the unrivaled experience of our consulting solutions professionals, industry-proven best practices, and the feedback of our customers and partners.

ADE² is a six-phase solution success framework consisting of Analysis, Alignment, Design, Deployment, Education, and solution Evolution. The framework is a cycle focused on continual improvement and solution enhancement. The following is a short summary of the ADE² Success Methodology™ phases:

Analyze: To provide a solution that fits both the organization’s business and technology needs, we begin by analyzing the current technology environment, the business drivers a solution must satisfy, and the organizational culture of the enterprise. By combining best-practice business & technology analysis techniques, our consultants create an analysis reference that supports all other phases of the methodology.

Align: Using the analysis reference created in the first phase, our consultants assess the current alternatives and craft a technology solution that is not only technically innovative and elegant, but also supports the needs and unique business requirements of the enterprise.

Design: The design phase of ADE² is focused on an accelerated but methodical design, proof of concept, validation and documentation of the business and technology solution created by Janalent. Drawing upon information collected, analyzed, and aligned in Phases 1 & 2, our experienced consultants and project managers produce a proven and robust solution ready for deployment.

Deploy: The deployment phase of ADE² provides the opportunity to pilot, incorporate lessons learned, and execute on action plans around deployment and our Rapid Project Execution (RPE) processes.

Educate: We believe that no solution implementation is successful without educating administrators, line-of-business managers, and other interested parties in the design, deployment, and management best practices of the solution, so our clients’ project teams can take ownership without disruption or process breakdown.

Evolve: The long-term key to success in our partnerships with clients is our continual evaluation and focus on innovation. Our solution evolution activities focus on continually enhancing and working with our clients on their systems to make those solutions even more valuable to the organization.
Selected Partnerships
Janalent is a field-managed Microsoft Gold Certified Partner with advanced competencies achieved in Advanced Infrastructure Solutions, Information Worker Solutions, Networking Infrastructure Solutions, and Security Solutions. Janalent’s focus and competence on Microsoft Technologies have made Janalent a partner-of-choice in our regions for Active Directory, Exchange, SharePoint and other Microsoft infrastructure technologies.
Janalent is a Strategic Global Service Partner and Value Added Reseller for AvePoint. AvePoint is recognized as the leading software solution vendor within the SharePoint backup/restore and disaster recovery market.
Network Appliance, Inc. (NetApp) is a world leader in unified storage solutions for today's data-intensive enterprise. NetApp® storage solutions include specialized hardware, software, and services, providing seamless storage management for open network environments. Janalent provides solution architecture and advanced subject matter expertise for NetApp on Microsoft infrastructure products.
Janalent consultants are recognized as global leaders in the architecture, design, and deployment of Quest Software toolsets and are routinely engaged to provide solution architecture for the largest and most complex initiatives using Quest Software tools. Janalent is an Elite Managed Channel Partner for Quest Software and is both a Value Added Reseller and a strategic service delivery partner.
In addition to the partners listed above, Janalent maintains many valuable partnerships with Industry leading Software, Hardware, and Systems Integration organizations. For a complete list of Janalent partnerships, please visit our website at www.janalent.com.
WhitePaper Overview

With the release of Windows Server 2008, Microsoft has provided enterprise customers with a product that provides security out of the box. The concept of secure by default is part of Microsoft’s Trustworthy Computing initiative, first introduced in 2002. The fruition of that security initiative has taken center stage with the release of Windows Server 2008. Now more than ever, enterprise customers have many options for introducing enhanced security using the Windows OS. These security enhancements include a variety of components that provide unparalleled protection.

As the technologies for protecting against threat vectors advance, so do the hacker tools used to overcome these protection mechanisms. Security needs to be implemented in layers. Given enough resources and time, any technology can be hacked. For this very reason, a single security technology will not suffice to deter attacks. For example, most vehicles today have a built-in alarm system to protect the vehicle from theft. In addition to the alarm system, many car manufacturers also install anti-theft stereo components. Taking this one step further, some drivers also install a steering wheel lock. Alone, none of these devices is enough to deter a thief from breaking in; taken together, they make a thief more inclined to break into a car that is an easy target rather than one that is well protected. This analogy applies very well to protecting enterprise systems.

Some of the enhanced security features Microsoft introduces in Windows Server 2008 provide very good targeted protection in many different areas. For instance, to help protect the data residing on servers against attack, Microsoft introduced BitLocker Drive Encryption. To protect the network, Microsoft introduced Network Access Protection (NAP), used to prevent users that do not meet security standards from gaining network access. Microsoft has also beefed up and simplified host-based security by adding enhanced protection in the form of the Windows Firewall with Advanced Security MMC snap-in. With these enhanced security protection features, enterprises have no excuse for not having a secure environment.
Business Challenges

There are many business challenges to being secure, but only two that can quickly derail an organization’s security initiative. The first is that many enterprise customers struggle to recognize the value security brings to the enterprise. Implemented correctly, the value enhanced security brings to the table is beyond imagination. As many security practitioners will agree, not having to deal with lawsuits from compromised systems, or the embarrassing event of having to publicly announce theft of confidential data, is enough to warrant the additional protection.

The second, and oftentimes most dangerous, is the misconception that security is a one-time event. The truth is that security is a journey, not a destination: security evolves and does not simply end. Businesses need to be prepared to evolve their systems over time to keep pace with the evolving technology that protects them from attacks. As new threats and vulnerabilities arise, virus definitions and firewall protection have to be updated to prevent newly discovered threats from materializing. Left alone, any protection will eventually come crumbling down.
Windows Server 2008 Security Features The following sections outline new or significantly enhanced security features in Windows Server 2008. We strive to provide a balanced and real-world representation of the features that provide real value to the enterprise.
BitLocker Technologies

BitLocker is a data protection feature available in Windows Server 2008, Windows Vista Enterprise and Windows Vista Ultimate. BitLocker addresses the threats of data theft and of exposure from stolen servers by providing a closely integrated solution in Windows Server 2008.

Figure 1. BitLocker Components

Data on a stolen server is vulnerable to unauthorized access, either by running a software attack tool against it or by transferring the computer’s hard disk to a different computer. BitLocker helps mitigate unauthorized data access by enhancing Windows Server 2008 file and system protections.

Key Features and Benefits of BitLocker
- Provides encryption for entire volumes
- Uses Advanced Encryption Standard (AES) encryption in cipher block chaining (CBC) mode

BitLocker enhances data protection by bringing together two major sub-functions: drive encryption and integrity checking of early boot components.
Modes of Operation

BitLocker provides three modes of operation. The first two modes require a cryptographic hardware chip called a Trusted Platform Module (version 1.2 or later) and a compatible BIOS:

Transparent Operation Mode: This mode uses the capabilities of the TPM 1.2 hardware to provide a transparent experience. The key used for the disk encryption is encrypted by the TPM chip and will only be released to the OS loader code if the early boot files appear to be unmodified.

User Authentication Mode: This mode requires that the user provide some authentication to the pre-boot environment in order to be able to boot the OS. Two authentication modes are supported: a pre-boot PIN entered by the user, or a USB key.

The final mode does not require a TPM chip:

USB Key: The user must insert a USB device that contains a startup key into the computer to be able to boot the protected OS. Note that this mode requires that the BIOS on the protected machine support the reading of USB devices in the pre-OS environment.

TPM only (requires user interaction: No): TPM validates early boot components.

TPM + PIN (requires user interaction: Yes): TPM validates early boot components. The user must enter the correct PIN before the start-up process can continue, and before the drive can be unlocked. A Trusted Computing Group (TCG) compliant TPM version 1.2 helps to protect the PIN from brute force attacks.

TPM + startup key (requires user interaction: Yes): The TPM successfully validates early boot components, and a USB flash drive containing the startup key has been inserted.

Startup key only (requires user interaction: Yes): The user is prompted to insert the USB flash drive that holds the recovery key and/or startup key and reboot the computer.

Table 1. BitLocker Authentication Methods
The most common scenario for deployments for BitLocker for Windows Server 2008 will be the TPM only option. The primary reason for this is that other methods require user interaction which is uncommon in server reboot/start-up scenarios.
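The two behaviours described above, key release only when the measured early-boot chain is unmodified and, in TPM + PIN mode, a TPM that enforces the PIN and throttles guessing, are modelled in the following added Python example. It is not code from this paper or from Microsoft: the TPM, the boot components, the PCR indices and the lockout threshold are constructed stand-ins for the real hardware.

```python
"""Toy model of how BitLocker's volume master key (VMK) is released by a TPM.

The TPM is modelled with SHA-1 PCRs, an in-chip dict as protected storage and
a simple failed-PIN counter. A real TPM 1.2 protects the sealed blob with RSA
and its own anti-hammering logic; the shape of the decision is the same.
"""
import hashlib
import hmac
import os

PCR_COUNT = 24
MAX_PIN_FAILURES = 5          # constructed lockout threshold for the model


class ToyTPM:
    def __init__(self):
        self.reset_pcrs()
        self._sealed = {}       # handle -> (pcr indices, expected composite, auth, secret)
        self._pin_failures = 0

    def reset_pcrs(self):
        # Power-on resets every PCR; software can only extend them afterwards.
        self.pcrs = [b"\x00" * 20 for _ in range(PCR_COUNT)]

    def extend(self, index, data):
        # PCR[i] = SHA1(PCR[i] || SHA1(data)): order-dependent and irreversible.
        digest = hashlib.sha1(data).digest()
        self.pcrs[index] = hashlib.sha1(self.pcrs[index] + digest).digest()

    def composite(self, indices):
        return hashlib.sha1(b"".join(self.pcrs[i] for i in indices)).digest()

    def seal(self, secret, indices, pin=None):
        """Bind a secret to the current PCR values (and optionally a PIN)."""
        auth = None if pin is None else hashlib.sha256(pin.encode()).digest()
        handle = os.urandom(8).hex()
        self._sealed[handle] = (tuple(indices), self.composite(indices), auth, secret)
        return handle

    def unseal(self, handle, pin=None):
        """Release the secret only if the PCRs match and, if set, the PIN is right."""
        indices, expected, auth, secret = self._sealed[handle]
        if not hmac.compare_digest(self.composite(indices), expected):
            return None                       # boot chain changed: refuse
        if auth is not None:
            if self._pin_failures >= MAX_PIN_FAILURES:
                return None                   # locked out: anti-hammering
            given = hashlib.sha256((pin or "").encode()).digest()
            if not hmac.compare_digest(given, auth):
                self._pin_failures += 1
                return None
            self._pin_failures = 0
        return secret


def measure_boot(tpm, components):
    """Each early-boot component is extended into its PCR before it runs."""
    for index, data in components:
        tpm.extend(index, data)


def provision(components, pin=None):
    """Enabling BitLocker: measure the trusted chain and seal the VMK to it."""
    tpm = ToyTPM()
    measure_boot(tpm, components)
    vmk = os.urandom(32)
    handle = tpm.seal(vmk, sorted({i for i, _ in components}), pin)
    return tpm, vmk, handle


def unlock(tpm, handle, components, pin=None):
    """A reboot: PCRs reset, chain re-measured, then the OS loader asks for the VMK."""
    tpm.reset_pcrs()
    measure_boot(tpm, components)
    return tpm.unseal(handle, pin)     # None means BitLocker enters recovery


# Constructed boot chain; the PCR indices are illustrative, not the real profile.
GOOD_BOOT = [
    (0, b"BIOS firmware image (constructed)"),
    (4, b"MBR + bootmgr (constructed)"),
    (11, b"BitLocker access control (constructed)"),
]
TAMPERED_BOOT = [GOOD_BOOT[0], (4, b"patched bootmgr (constructed)"), GOOD_BOOT[2]]

if __name__ == "__main__":
    tpm, vmk, handle = provision(GOOD_BOOT)
    print("TPM only, clean boot:    released =", unlock(tpm, handle, GOOD_BOOT) == vmk)
    print("TPM only, tampered boot: released =", unlock(tpm, handle, TAMPERED_BOOT) == vmk)
    tpm, vmk, handle = provision(GOOD_BOOT, pin="1234")
    print("TPM+PIN, wrong PIN:      released =", unlock(tpm, handle, GOOD_BOOT, "0000") == vmk)
    print("TPM+PIN, right PIN:      released =", unlock(tpm, handle, GOOD_BOOT, "1234") == vmk)
```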
Read-Only Domain Controllers A RODC is a domain controller that you can install at a remote location. Its sole purpose is to host a read-only copy of your Active Directory (AD) database. This is well suited for locations where physical security of the domain controller can't be guaranteed at sites like branch offices. In the real world, a major financial institution could have all of their domain controllers in corporate headquarters and put a RODC in every branch office throughout the country instead of the current, common practice of a fully writeable domain controller.
Key Features and Benefits of Read Only DCs
- Read Only Active Directory Database
- Only allowed user passwords are stored on RODC
- Unidirectional Replication
- Role Separation
- Increases security for remote Domain Controllers where physical security cannot be guaranteed
Branch office environments typically deploy a hub-and-spoke site topology. In larger environments, this type of topology can put a significant load on bridgehead servers in the hub site. Bridgehead servers are further constrained because inbound replication is serialized. RODCs that are deployed in the spoke sites can relieve the inbound replication load on bridgehead servers because they never replicate any changes.
Figure 2. Secret Caching Process
Network Policy and Access Services Network Policy and Access Services in Windows Server 2008 delivers a variety of methods to help provide users with secure local and remote network connectivity, connect network segments, and allow network administrators to centrally manage network access and client health policies.
Available Network Access Services

There are numerous network access services provided by Windows Server 2008. These services provide enhanced connectivity options to enable companies to access their network when and how they need.
- VPN Services
- Dial-up Services
- 802.11 protected access
- Routing & Remote Access (RRAS)
- Offer Authentication through Windows Active Directory
- Control network access with policies
Network Policy and Access Services in Windows Server 2008 provides the following network connectivity solutions:

Network Access Protection: Network Access Protection (NAP) is a new client health policy creation, enforcement, and remediation technology that is included in the Windows Vista Business, Windows Vista Enterprise, and Windows Vista Ultimate operating systems, and in the Windows Server 2008 operating system. With NAP, administrators can establish and automatically enforce health policies, which can include software requirements, security update requirements, required computer configurations, and other settings.

Highly Secure Wireless and Wired Access: When you deploy 802.1X wireless access points, highly secure wireless access provides wireless users with a security-enhanced, password-based authentication method that is easy to deploy. When you deploy 802.1X authenticating switches, wired access helps you to secure your network by ensuring that intranet users are authenticated before they can connect to the network or obtain an IP address using Dynamic Host Configuration Protocol (DHCP).

Remote Access Solutions: With remote access solutions, you can provide users with VPN and traditional dial-up access to your organization’s network. You can also connect branch offices to your network with VPN solutions.

Central Network Policy Management with RADIUS Server and Proxy: Rather than configuring network access policy at each network access server, such as wireless access points, 802.1X authenticating switches, VPN servers, and dial-up servers, you can create policies in a single location that specify all aspects of network connection requests, including who is allowed to connect, when they can connect, and the level of security they must use to connect to your network.
Network Access Protection

The industry lost billions of US dollars with the outbreak of mass-mailing worms like Mydoom, Netsky, Sober, and Zafi. In each case it was the weakest-link principle that played havoc in networks that were supposed to be secure, and the weakest link was mostly provided by remote computers, roaming laptops, home computers, and the like. Network administrators have a new platform to mitigate this threat: Network Access Protection (NAP), a new set of operating system components included with Windows Server 2008, helps ensure that client computers on a private network meet administrator-defined requirements for system health. NAP enforces health requirements by monitoring and assessing the health of client computers when they attempt to connect or communicate on a network. Client computers that are not in compliance with the health policy can be provided with restricted network access until their configuration is updated and brought into compliance with policy. Depending on how NAP is deployed, noncompliant clients can be quarantined or automatically updated so that users can quickly regain full network access without manually updating or reconfiguring their computers.
Key Features and Benefits of using NAP
- Help ensure the ongoing health of desktop computers on the LAN that are configured for DHCP, that connect through 802.1X authenticating devices, or that have NAP IPsec policies applied to their communications.
- Enforce health requirements for roaming laptops when they reconnect to the company network.
- Verify the health and policy compliance of unmanaged home computers that connect to the company network through a VPN server running the Routing and Remote Access (RRAS) service.
- Determine the health of, and restrict access for, visiting laptops brought to an organization by partners and other guests.
Designed for flexibility, NAP can interoperate with any vendor’s software that provides a System Health Agent (SHA) and System Health Validators (SHVs). NAP also includes an API set for developers and vendors to build their own components for network policy validation, ongoing compliance, and network isolation. Examples of third-party solutions that work with Network Access Protection would be antivirus, patch management, VPN, and networking equipment.
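The NAP flow described in the two sections above, a client-side health statement checked by a validator against administrator-defined requirements, then full, restricted or auto-remediated access, is modelled in this added Python example. It is not Microsoft code: the requirement names, threshold values, client reports and the remediation server address are all constructed, and the real Windows Security Health Validator and NPS policies are far richer.

```python
"""Toy model of a NAP health check: SHA report -> SHV validation -> NPS decision."""
from dataclasses import dataclass, replace

# Constructed address; in a deployment this is the WSUS/antivirus update server
# that restricted clients are still allowed to reach.
REMEDIATION_SERVERS = ["10.0.99.10 (constructed remediation server)"]


@dataclass(frozen=True)
class StatementOfHealth:
    """What the client-side System Health Agent (SHA) reports about itself."""
    firewall_on: bool
    av_signature_age_days: int
    missing_security_updates: int
    automatic_updates_on: bool


@dataclass(frozen=True)
class HealthPolicy:
    """Administrator-defined requirements checked by the System Health Validator."""
    require_firewall: bool = True
    max_av_signature_age_days: int = 7
    max_missing_security_updates: int = 0
    require_automatic_updates: bool = True
    enforce: bool = True          # False models a reporting-only deployment
    auto_remediate: bool = True   # let the NAP agent fix what it can itself


def validate(soh, policy):
    """SHV: list the failed requirements; an empty list means compliant."""
    failures = []
    if policy.require_firewall and not soh.firewall_on:
        failures.append("firewall_off")
    if soh.av_signature_age_days > policy.max_av_signature_age_days:
        failures.append("av_signatures_stale")
    if soh.missing_security_updates > policy.max_missing_security_updates:
        failures.append("security_updates_missing")
    if policy.require_automatic_updates and not soh.automatic_updates_on:
        failures.append("automatic_updates_off")
    return failures


def remediate(soh, failures):
    """What the agent can fix on the spot: local settings only.

    Fresh signatures and missing patches must be downloaded from the
    remediation servers, which is why restricted access still allows them.
    """
    fixed = soh
    if "firewall_off" in failures:
        fixed = replace(fixed, firewall_on=True)
    if "automatic_updates_off" in failures:
        fixed = replace(fixed, automatic_updates_on=True)
    return fixed


def decide_access(soh, policy):
    """NPS decision for one connection attempt.

    'access' is one of "full", "full_after_remediation" or "restricted";
    'remediation' lists the servers a restricted client may still reach.
    """
    failures = validate(soh, policy)
    if not failures:
        return {"access": "full", "failures": [], "remediation": []}
    if not policy.enforce:
        # Reporting mode: noncompliance is logged but access is not restricted.
        return {"access": "full", "failures": failures, "remediation": REMEDIATION_SERVERS}
    if policy.auto_remediate and not validate(remediate(soh, failures), policy):
        return {"access": "full_after_remediation", "failures": failures,
                "remediation": REMEDIATION_SERVERS}
    return {"access": "restricted", "failures": failures, "remediation": REMEDIATION_SERVERS}


if __name__ == "__main__":
    policy = HealthPolicy()
    # Constructed client reports: a healthy desktop, a laptop with its firewall
    # switched off, and a home PC that has not been updated for a month.
    for name, soh in [("desktop", StatementOfHealth(True, 1, 0, True)),
                      ("laptop", StatementOfHealth(False, 1, 0, True)),
                      ("home PC", StatementOfHealth(True, 30, 4, False))]:
        print(f"{name:8s} -> {decide_access(soh, policy)}")
```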
Server Core Installation

Server Core is a minimal installation of Windows Server 2008 and does not come with a graphical user interface. The idea is that you only install the services you need. The benefits of a Server Core installation are a reduced attack surface and a reduced patch surface. Troubleshooting should be easier as well, and we would expect increased stability because of the smaller code footprint. Finally, Server Core has lower hardware requirements due to its smaller OS footprint. The available roles include:
- Active Directory Domain Services (AD DS)
- Active Directory Lightweight Directory Services (AD LDS)
- DHCP Server
- DNS Server
- File Services
- Print Services
- Streaming Media Services
- Web Server (IIS 7)
Figure 3. Windows 2008 Server Core options during install
What do I get with Server Core?

With a Server Core installation, you get none of the following: desktop shell (Aero, wallpaper, etc.), CLR and .NET Framework, MMC console or snap-ins, Start menu, Control Panel, Internet Explorer, Windows Mail, WordPad, Paint, Windows Explorer, Run box, etc. You do get the kernel, and that is all you need. It allows you to have a very secure deployment of a specific role of Windows. This type of configuration allows a corporation to easily consolidate Windows servers into very specific, locked-down roles. For example, you can have a dedicated command-line IIS Web server, a dedicated DHCP server, or a dedicated DNS server. You could even take it one step further and port these systems to a virtual machine. Many data centers and network operation centers (NOCs) will take advantage of a Windows Server Core installation, as it is a very secure and tight installation.

Terminal Services

Microsoft has extensively revamped the Terminal Services architecture and has added features that were previously available only by purchasing third-party solutions like Citrix MetaFrame. One feature that is sure to be appreciated is the ability to publish an application without supplying the entire remote desktop, using Terminal Services (TS) RemoteApp. This is a more secure way of using Terminal Services-oriented applications, as users only see the application and not the entire server desktop.
RemoteApp Presentation

TS RemoteApp programs are accessed through Terminal Services, and look and act as if they are running on the end user's local computer. Users can run TS RemoteApp programs side by side with their local programs. If a user is running more than one RemoteApp on the same terminal server, the RemoteApps share the same Terminal Services session. Users can access TS RemoteApp in a number of ways:
- Double-clicking a program icon on their desktop or Start menu that has been created and distributed by their administrator
- Double-clicking a file which has an extension associated with a TS RemoteApp
- Accessing a link to the TS RemoteApp on a Web site by using TS Web Access

Another feature is the ability to publish an application using HTTPS, without needing to provide access via a Virtual Private Network (VPN) or opening up unwanted ports on firewalls. Terminal Services Gateway enables authorized remote users to connect to terminal servers and remote desktops (remote computers) on the corporate network from any Internet-connected device that is running Remote Desktop Connection (RDC) 6.0. Terminal Services Gateway uses Remote Desktop Protocol (RDP) tunneled over HTTPS to help form a highly secure, encrypted connection between remote users on the Internet and the remote computers on which their productivity applications run, even if the user is located behind a network address translation (NAT) router.
Windows Firewall

Many security practitioners agree in one way or another that security should be implemented in layers. One of these layers is host-based security, and many will agree that implementing host-based security in today’s IT environment is a requirement for many enterprises. To assist with this process, Windows Server 2008 provides enhanced firewall technology and Internet Protocol security (IPsec) that are combined into a single interface, the “Windows Firewall with Advanced Security” MMC snap-in.

Key Features and Benefits
- New GUI interface – an MMC snap-in is now available to configure the advanced firewall.
- Bi-directional – filters outbound traffic as well as inbound traffic.
- Works better with IPsec – the firewall rules and IPsec encryption configurations are now integrated into one interface.
- Advanced rules configuration – you can create firewall rules (exceptions) for Windows Active Directory (AD) service accounts & groups, source/destination IP addresses, protocol numbers, source and destination TCP/UDP ports, ICMP, IPv6 traffic, and interfaces on the Windows Server.
Order of Windows Firewall Rules Evaluation
Windows Firewall with Advanced Security supports the following types of rules:
- Windows Service Hardening: This type of rule restricts services from establishing connections. Service restrictions are configured out-of-the-box so that Windows services can only communicate in specific ways (i.e., restricting allowable traffic through a specific port), but until you create a firewall rule, traffic is not allowed.
- Connection security rules: This type of rule defines how and when computers authenticate using IPsec. Connection security rules are used in establishing server and domain isolation, as well as in enforcing NAP policy.
- Authenticated bypass rules: This type of rule allows the connection of particular computers if the traffic is protected with IPsec, regardless of other inbound rules in place. Specified computers are allowed to bypass inbound rules that block traffic. For example, you could allow remote firewall administration from only certain computers by creating authenticated bypass rules for those computers, or enable support for remote assistance by the Help Desk.
- Block rules: This type of rule explicitly blocks a particular type of incoming or outgoing traffic.
- Allow rules: This type of rule explicitly allows a particular type of incoming or outgoing traffic.
- Default rules: These rules define the action that takes place when a connection does not meet any of the parameters of a higher-order rule. Out-of-the-box, the inbound default is to block connections and the outbound default is to allow connections.
Figure 4 shows the order in which Windows Firewall with Advanced Security applies the various types of rules. This ordering of rules is always enforced, even when rules come from Group Policy. Rules, including those from Group Policy, are sorted and then applied. Domain administrators can allow or deny local administrators the permission to create new rules.
Figure 4. Order of Rules Evaluation (figure not reproduced). Order of evaluation, highest precedence first: Windows Service Hardening, Connection Security Rules, Authenticated Bypass Rules, Block Rules, Allow Rules, Default Rules. Rule sources shown in the figure: Group Policy 1, Group Policy 2, and Local Policy. Notes from the figure: local rule merge is configurable via Group Policy; default rules come from the highest-precedence GPO.
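As an added illustration (not from the whitepaper), the following Python model applies the rule kinds in the order described above to constructed inbound and outbound connections; the policy, ports and addresses are invented for the example, and the connection security step is represented only by the ipsec_auth flag on a connection.

```python
# Constructed example: the policy, ports and addresses below are illustrative, not a real export.
from dataclasses import dataclass

@dataclass(frozen=True)
class Conn:
    direction: str            # "in" or "out"
    port: int                 # local port
    remote_ip: str
    service: str = ""         # Windows service owning the socket, if any
    ipsec_auth: bool = False  # peer authenticated under a connection security rule

@dataclass(frozen=True)
class Rule:
    kind: str                       # hardening | bypass | block | allow
    direction: str = "in"
    port: int = 0                   # 0 matches any port
    remote_ip: str = ""             # "" matches any address
    service: str = ""               # hardening only: the restricted service
    ports: frozenset = frozenset()  # hardening only: ports it may use

# Precedence: service hardening, authenticated bypass, block, allow; then the default rule.
ORDER = {"hardening": 0, "bypass": 1, "block": 2, "allow": 3}

def _hits(rule, conn):
    return (rule.direction == conn.direction and rule.port in (0, conn.port)
            and rule.remote_ip in ("", conn.remote_ip))

def evaluate(rules, conn):
    """Return (action, reason); the first rule kind that decides wins."""
    for rule in sorted(rules, key=lambda r: ORDER[r.kind]):  # stable sort keeps listing order within a kind
        if rule.kind == "hardening":
            # A restricted service may only use its permitted ports, whatever allow rules follow.
            if rule.service and conn.service == rule.service and conn.port not in rule.ports:
                return "block", "service hardening"
        elif rule.kind == "bypass" and conn.ipsec_auth and _hits(rule, conn):
            return "allow", "authenticated bypass"   # IPsec-authenticated peers skip block rules
        elif rule.kind == "block" and _hits(rule, conn):
            return "block", "block rule"
        elif rule.kind == "allow" and _hits(rule, conn):
            return "allow", "allow rule"
    # Default rules: inbound is blocked and outbound allowed out of the box.
    return ("block" if conn.direction == "in" else "allow"), "default rule"

POLICY = [
    Rule("allow", port=3389),                            # RDP from anywhere...
    Rule("block", port=3389, remote_ip="203.0.113.9"),   # ...except one host: block outranks allow
    Rule("block", port=445),                             # SMB blocked inbound
    Rule("bypass", port=445, remote_ip="198.51.100.7"),  # help desk host, only when IPsec-authenticated
    Rule("hardening", service="Spooler", ports=frozenset({445})),
]
```

Note that the allow rule for RDP is listed first yet the block rule still wins, and the help desk host reaches SMB only when the connection is IPsec-authenticated.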
Conclusion
Windows Server 2008 is the most secure server product from Microsoft to date. Microsoft has focused on building Windows Server 2008 from the ground up with security as a key focus. Organizations should take a serious look at the security benefits Windows Server 2008 has to offer. As external threats and technology advance, so does the need to decrease the attack surface to minimize risk. Over the last five years, Microsoft has ratcheted up its effort to develop enterprise products that are secure out of the box. With Windows Server 2008, Microsoft listened to customers' requests for a more secure product. Security should not be thought of as a destination, but as a journey. Security does not end with the deployment of technological services; it is an ongoing journey and process. Security technologies have come a long way, but every security initiative should have two components: advanced security technologies and strong security policies. Implemented together, the technology and the policies will go a long way toward minimizing security risks in the enterprise.
Janalent Windows Server 2008 Launch Offer
To celebrate the release of Microsoft's most significant Server release in history, Janalent is offering a free* Windows Server 2008 Organizational readiness assessment. To take advantage of this exciting offer, or to find out more about Janalent's Infrastructure & Architecture solutions including Windows Server 2008, please contact one of our solution professionals at +1-888-290-4870, or by email at [email protected]. For more information about Janalent or the authors, please visit www.janalent.com
About The Authors
Rick Pollak, MCSE (NT/2000/2003), MCITP Windows Server 2008
Rick is a Senior Enterprise Solutions Consultant for Janalent Corporation, a Quest Software Elite Regional Channel Partner and field-managed Microsoft Gold Partner. He brings an extremely impressive track record of technical achievements, global architecture, and professional services delivery, with a deep understanding of the business needs and requirements of different organizations. He has participated in many enterprise-oriented architecture and design projects, security assessments, and migrations for Microsoft Exchange and Active Directory.
Kenneth Ta, CISSP, PMP, MCSE (NT/2000/2003), MCITP Windows Server 2008
Ken is a Manager in Janalent's Enterprise Solutions practice and is responsible for technical delivery and engagement management. He has been involved with strategic IT consulting for Fortune 1000 companies and brings an extremely impressive track record of technical achievements, with a deep understanding of the business needs and requirements of different organizations. Ken is an industry-recognized professional specializing in the architecture, design, deployment and migration of complex Fortune 1000 enterprise systems. Ken has been involved in numerous enterprise security initiatives for 2 Fortune 1000 enterprises. He has been recognized by ISC as a Certified Information Systems Security Professional (CISSP) since 2001. He has been involved in projects ranging from performing security audits and penetration testing to developing information security policies and emergency response teams.