
Windows Server 2008 Security Features

Daniel Petri
MVP, Senior IT Consultant
www.petri.co.il
daniel@petri.co.il

Server Core Overview
Server Core Supported Roles and Features
Server Core Management Options
Windows Firewall with Advanced Security
Server and Domain Isolation
Network Access Protection
Group Policy Enhancements

Server Core Overview

Windows Server is frequently deployed to support a single role or a fixed workload. However, you must deploy and service all of Windows Server, along with tons of functions, features, files, services and other binaries that are probably not needed for the specific function of that server.

Server Core is:

A minimal installation option for Windows Server 2008
Command line interface, no GUI shell
Included in the following Windows Server 2008 SKUs: Web, Standard, Enterprise, Datacenter
Available for x86 and x64
Same binaries as the full version
Windows directory size: Full: 6 GB, 35K files; Core: 1.5 GB, 13K files

Reduced maintenance: because the Server Core installation option installs only what is required to have a manageable server for the specific roles, less maintenance is required than on a full installation of Windows Server 2008.
Reduced attack surface: because Server Core installations are minimal, there are fewer applications running on the server, which decreases the attack surface.
Reduced management: because fewer applications and services are installed on a server running the Server Core installation, there is less to manage.
Less disk space required: a Server Core installation requires only about 1 GB of disk space to install and approximately 2 GB for operations after the installation.

Server Core reduces the patches required

Servicing burden is reduced by removing components that are most often serviced
Windows 2000: ~60% reduction
Windows Server 2003: ~40% reduction

Not an application platform: no .NET

Server Core Supported Roles and Features

Roles:
Active Directory Domain Services (AD DS)
Active Directory Lightweight Directory Services (AD LDS)
DHCP Server
DNS Server
File Services (including DFSR and FRS)
Print Services
Streaming Media Services
Windows Server Virtualization (Hyper-V)
IIS 7.0

Features:
BitLocker Drive Encryption
Failover Clustering
Multipath I/O
Removable Storage Management
SNMP Services (SNMPv1 and v2c)
Subsystem for UNIX-based Applications
Telnet Client
Windows Server Backup
WINS Server
QoS

Setup is the same and has the same options

Manual installation using Setup
Unattended installation using an unattended setup file or WDS
Same unattended options as Vista and Windows Server 2008
Can use the Windows Automated Installation Kit (WAIK) tools to create unattend files
Hardware requirements are based upon your own server tuning for best performance.

Server Core Management Options

Locally using a command prompt
Remotely using:
  MMC snap-in (the controlling computer must be Windows Server 2008 or Vista)
  TS Remote Desktop (command line)
  TS RemoteApp (command line in a desktop window)
  Windows Remote Shell
  Utilities and scripts

Common tasks:
Configure keyboard
Set time and time zone
Configure the UI
Change password
Check machine name
Set IP address
Check the firewall
Add to domain
Check and install roles
Convert to a DC
Configure roles
Back up the system
Monitor performance
Network card configuration
Change device drivers
Check event logs
Manage certificates
Licensing
Security
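All of the tasks above are done from the command prompt on Server Core. The script below is an added example, not part of the original deck, showing one first-boot sequence on Windows Server 2008 Server Core: check the name and addressing, set a static address, enable remote administration, configure updates, add the DNS Server role, review the System log, and join the domain. The interface name "Local Area Connection", the 192.0.2.x addresses, the domain example.local and the account joinacct are placeholders.

```batch
@echo off
rem Added example (not from the original deck): first-boot configuration of a
rem Windows Server 2008 Server Core machine, run from the local command prompt.
rem "Local Area Connection", the 192.0.2.x addresses, example.local and
rem joinacct are placeholders; substitute your own values.

rem --- Check machine name and current network configuration
hostname
ipconfig /all

rem --- Set a static IP address and DNS server on the NIC
netsh interface ipv4 set address name="Local Area Connection" source=static address=192.0.2.10 mask=255.255.255.0 gateway=192.0.2.1
netsh interface ipv4 set dnsservers name="Local Area Connection" source=static address=192.0.2.5 primary

rem --- Set time zone and regional/keyboard settings (these Control Panel
rem     applets are among the few GUI dialogs that work on Server Core)
control timedate.cpl
control intl.cpl

rem --- Enable Remote Desktop (scregedit.wsf ships with Server Core) and
rem     Windows Remote Shell, and open the firewall's Remote Administration group
cscript %windir%\system32\scregedit.wsf /ar 0
winrm quickconfig -q
netsh advfirewall firewall set rule group="Remote Administration" new enable=yes

rem --- Configure Automatic Updates (/au 4 = automatically download and install)
cscript %windir%\system32\scregedit.wsf /au 4

rem --- Check which roles are installed, then add the DNS Server role
rem     (role names passed to ocsetup are case-sensitive)
oclist
start /w ocsetup DNS-Server-Core-Role

rem --- Review the 20 most recent System log entries before joining the domain
wevtutil qe System /c:20 /f:text /rd:true

rem --- Join the domain (/passwordd:* prompts for the password) and reboot
netdom join %COMPUTERNAME% /domain:example.local /userd:example\joinacct /passwordd:*
shutdown /r /t 0
```

Run it from an elevated local console; after the reboot the machine can be managed remotely through the MMC snap-ins, Remote Desktop or Windows Remote Shell listed above.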

Windows Firewall with Advanced Security

Combined firewall and IPsec management
New management tools: Windows Firewall with Advanced Security MMC snap-in
Reduces conflicts and coordination overhead between technologies
Firewall rules become more intelligent:
  Specify security requirements such as authentication and encryption
  Specify Active Directory computer or user groups
Outbound filtering
Enterprise management feature, not for consumers
Simplified protection policy reduces management overhead
Fully integrated into Group Policies and Local Policies

Server and Domain Isolation

Server and Domain Isolation (SDI) creates a layer of end-to-end protection that can greatly reduce the risk of costly malicious attacks and unauthorized access to your networked resources. SDI is based on IPsec and Group Policy (GPO). It enables you to dynamically segment your Windows environment into more secure and isolated logical networks, and allows you to limit access to only authenticated and authorized users.
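As an added example (not from the deck), the netsh advfirewall commands below put the pieces from the last two sections together on a Windows Server 2008 member server: outbound filtering with explicit allow rules, dropped-packet logging, an inbound rule that requires authenticated and encrypted IPsec traffic and restricts it to an Active Directory computer group, and a connection security rule for domain isolation that requires Kerberos computer authentication for inbound connections, with an exemption for the infrastructure server that clients must reach before they can authenticate. The addresses, rule names, log path and the SID inside the SDDL string are placeholders.

```batch
@echo off
rem Added example (not from the original deck): Windows Firewall with Advanced
rem Security and domain isolation settings via netsh advfirewall. Addresses,
rem rule names, the SDDL SID and the log path are placeholders.

rem --- Firewall on for all profiles; the domain profile also filters outbound
netsh advfirewall set allprofiles state on
netsh advfirewall set domainprofile firewallpolicy blockinbound,blockoutbound

rem --- Log dropped packets so blocked traffic can be reviewed later
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"

rem --- Outbound filtering: with blockoutbound in force, permit only what this
rem     server needs. A domain member must at least reach its domain controllers
rem     (Kerberos, LDAP, SMB); 192.0.2.5 and 192.0.2.20 are placeholders.
netsh advfirewall firewall add rule name="Allow traffic to domain controller" dir=out action=allow remoteip=192.0.2.5
netsh advfirewall firewall add rule name="Allow HTTPS to update server" dir=out action=allow protocol=TCP remoteport=443 remoteip=192.0.2.20

rem --- "Intelligent" inbound rule: RDP allowed only over authenticated and
rem     encrypted IPsec (security=authenc) and only from computers in an AD
rem     group. The SID in the SDDL string is a placeholder for the real group SID.
netsh advfirewall firewall add rule name="RDP from admin workstations (IPsec)" dir=in action=allow protocol=TCP localport=3389 security=authenc rmtcomputergrp="D:(A;;CC;;;S-1-5-21-PLACEHOLDER-1234)"

rem --- Domain isolation: require Kerberos computer authentication for inbound
rem     connections and request it for outbound, on the domain profile only
netsh advfirewall consec add rule name="Domain isolation" endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb profile=domain

rem --- Exempt the infrastructure server (DNS/DC placeholder) that clients
rem     need before they can obtain a Kerberos ticket
netsh advfirewall consec add rule name="Exempt infrastructure" endpoint1=any endpoint2=192.0.2.5 action=noauthentication profile=domain

rem --- Verify: effective profile settings and the connection security rules
netsh advfirewall show allprofiles
netsh advfirewall consec show rule name=all
```

In production these settings are normally delivered through a GPO linked to the isolation OU rather than typed on each server, which is the "fully integrated into Group Policies" point above; the netsh form is handy for testing a rule set on a single machine first and for reading back what policy has applied.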

Network Access Protection

The problem:
One of the most time-consuming challenges that administrators face is ensuring that computers that connect to private network assets are up to date and meet health policy requirements. This complex task is commonly referred to as maintaining computer health. Failure to keep computers that connect to the network up to date is one of the most common ways to jeopardize the integrity of a network.

The solution:
Network Access Protection for Windows Server 2008, Windows Vista and Windows XP SP3 provides components and an application programming interface (API) set that help administrators enforce compliance with health policies for network access or communication.

NAP helps provide a solution for the following common scenarios:

Verifying the health state of roaming laptops
Verifying the health state of desktop computers
Verifying the health state of visiting laptops
Verifying the health state of unmanaged home computers

Note:
Network Access Protection is not designed to secure a network from malicious users. It is designed to help administrators maintain the health of the computers on the network, which in turn helps maintain the network's overall integrity.

[NAP architecture diagram: a Windows Vista client, the network access device (DHCP, VPN or switch/router), Microsoft Network Policy Server, policy servers (e.g. Microsoft System Center, Forefront or 3rd party), remediation servers (WSUS, System Center, 3rd party), a restricted network for clients that are not policy compliant, and the corporate network for policy compliant clients.]

1. Client requests access to network and presents current health state
2. DHCP, VPN or switch/router relays health status to Microsoft Network Policy Server (RADIUS)
3. Network Policy Server (NPS) validates against IT-defined health policy
4. If not policy compliant, client is put in a restricted VLAN and given access to fix-up resources to download patches, configurations, signatures (repeat 1 - 4)
5. If policy compliant, client is granted full access to corporate network
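Step 1 of that sequence, the client presenting its health state, only happens if the NAP Agent service is running and an enforcement client for the access method in use is enabled. As an added example (not from the deck), the commands below enable the NAP Agent and the DHCP enforcement client on a Windows Vista or Windows Server 2008 computer from an elevated command prompt, show what the client reports, and renew the lease so the health state is presented again; 79617 is the ID the netsh nap context uses for the DHCP Quarantine Enforcement Client.

```batch
@echo off
rem Added example (not from the original deck): turn on the NAP client side for
rem DHCP enforcement on Windows Vista / Windows Server 2008. In a managed
rem environment these settings normally come from Group Policy (Computer
rem Configuration > Windows Settings > Security Settings > Network Access
rem Protection), and policy settings override local ones.

rem --- The NAP Agent service must run for the client to build its health state
sc config napagent start= auto
net start napagent

rem --- Enable the DHCP Quarantine Enforcement Client (ID 79617)
netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE"

rem --- Verify: enforcement clients with their IDs and state, plus the system
rem     health agents the client currently reports (e.g. the Windows Security
rem     Health Agent, which covers firewall, updates and antivirus status)
netsh nap client show configuration
netsh nap client show state

rem --- Renew the DHCP lease so the client presents its health state (step 1)
ipconfig /renew
```

After the renewal, "netsh nap client show state" reports whether the client was found compliant or was placed on the restricted network, which is the quickest way to confirm on the client side that the NPS health policy is doing what you expect.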

Group Policy Enhancements

Over 700 new settings
Power options, removable media, Windows Firewall configuration, printer management
Transition to ADMX files (ADMX + ADML)
Additional management features:
  Add comments to individual GPOs and settings
  Search and filter on settings and comments
  Create Starter GPOs for easier reuse
  Alphabetic listing of all Administrative Templates settings

Group Policy Preference (which is basically PolicyMaker integrated into the GPO Editor)

Group Policy Preferences allow administrators to configure and deploy Windows and application settings that were previously unavailable using Group Policy. You can also manage Group Policy Preferences from a Windows Vista Service Pack 1 computer by installing the Remote Server Administration Tools (RSAT), which include the updated version of GPMC.

Some of the benefits of using Group Policy Preferences in your environment:
Improving IT productivity
Reducing the need for logon scripts
Limiting configuration errors
Enhancing end-user satisfaction
Minimizing image maintenance
Reducing overall image count

The Client-Side Extensions for GP Preferences are included in Windows Server 2008, and down-level versions will be available as a separate download for:
Windows XP Service Pack 2 and above
Windows Vista RTM and above
Windows Server 2003 SP1 and above

Windows Server 2008 is the most secure platform ever developed by Microsoft, allowing administrators superior control over their environments and over the services running on their servers.

Daniel Petri
dpetri@johnbryce.co.il www.petri.co.il

2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
