Book description
Get the definitive reference for planning and implementing security features in Windows Server 2008 with expert insights from Microsoft Most Valuable Professionals (MVPs) and the Windows Server Security Team at Microsoft. This official Microsoft RESOURCE KIT delivers the in-depth, technical information and tools you need to help protect your Windows® based clients, server roles, networks, and Internet services. Leading security experts explain how to plan and implement comprehensive security with special emphasis on new Windows security tools, security objects, security services, user authentication and access control, network security, application security, Windows Firewall, Active Directory® security, group policy, auditing, and patch management. The kit also provides best practices based on real-world implementations. You also get must-have tools, scripts, templates, and other key job aids, including an eBook of the entire RESOURCE KIT on CD.
Key Book Benefits
Definitive technical information and expert insights straight from the Windows Server Security Team and leading Microsoft MVPs
Provides in-depth information that every Windows administrator needs to know about helping protect Windows-based environments
Includes best practices from real-world implementations
CD includes additional job aids, including tools, scripts, and a fully searchable version of the entire RESOURCE KIT book
Q&A with Jesper M. Johansson, author of Windows Server 2008 Security Resource Kit
The credentials of the contributors to Windows Server 2008 Security Resource Kit are quite impressive. How important was it to assemble such a group for this title?
In my opinion, it was necessary. Server products are necessarily complex, and security, by its very nature, requires a very broad understanding of the product. Developing that understanding in a single person is possible, but very time consuming and still does not lead to the breadth of perspective that you find in a group of people. No single person can truly understand both what it is like to implement Active Directory in a 50,000 seat organization, and how to run a 50-seat small business network long-term, and neither of them is probably going to also be one of the world's foremost experts on implementing public key cryptography infrastructures. By putting together this world-wide team of experts (representing four countries on three continents) we were able to produce a resource that had far more depth and breadth of knowledge than would otherwise have been possible, and you get the expertise of 12 of the foremost experts on Windows Security in a single package.
What extras are available on the Resource Kit CD?
First, you get a bonus chapter on Rights Management Services, as well as an electronic copy of the entire book. I am very excited about the electronic copy because it provides a searchable way to read the book. These types of books are always used as references and being able to search it is very valuable.
You also get some tools that may come in handy for managing servers. Scripting Guru Ed Wilson wrote some custom PowerShell scripts specifically for this book to manage user accounts and other security related aspects of your deployment. In addition, I wrote a couple of tools for the book. One is my password generator, which I first made available several years ago. It enables you to manage unique administrator account passwords and service account passwords on hundreds or thousands of servers on a network. I also included my elevation tools, which allow you to launch an elevated instance of Windows Explorer, as well as elevating any command you want from the command line. Having worked with User Account Control (UAC) daily for about two years I find that one of the biggest impediments to running under UAC is the multiple prompts you get when you perform many file operations. As an administrator, that is a very common task. Elevating Windows Explorer lets you do those operations with a single elevation prompt, and still leave UAC turned on.
Comparing the two programs, what are some of the fundamental differences between Windows Server 2008 and Windows Server 2003?
To me, the biggest difference is the fact that while Windows Server 2003 was built under the security best practices of 2002, Windows Server 2008 incorporates all the secure development practices Microsoft learned in the five years since. The field of secure software development has progressed immensely between 2002 and 2007, and incorporating them will make Windows Server 2008 much more able to stand up to the threats we will see in the next five years. By the way, it is with a heavy heart that I say that, as I worked hard on security in Windows Server 2003, but it is true.
Apart from the engineering process, the first thing people will notice is the completely new management model in Windows Server 2008. Instead of installing a lot of separate components, you now deploy roles to the server. This makes a lot of sense because the roles are what you bought the server to fill. By implementing that metaphor in the management tools the risk for misconfiguration is greatly reduced.
The new kernel features are also very important and will make a big difference for many. First, the new virtualization features are fundamentally going to change how we build and run data centers. The improvements in security, reliability, and performance in the kernel features, such as thread scheduling, and in the networking features, such as the new network file system, also are going to be valuable to many.
What do you feel is the biggest security oversight made by network admins?
Put a slightly different way, the area where I see the most room for improvement is in security posture management. Administrators are far too focused on vulnerabilities and on the types of "hardening" tweaks that were useful in the 1990s, when software shipped wide open by default. Today, those things are not nearly as important as it is to manage the security posture of your servers. Far too many administrators still believe in the perimeter and fail to recognize that just about every organizational network today is semi-hostile, at best. The biggest security oversight is not to analyze and manage the threats posed to servers by other actors on the network. The Security Resource Kit goes into depth in discussing what I refer to as Network Threat Modeling, as the analysis phase of Server and Domain Isolation – probably the most powerful security tool in the arsenal today. Yet, the proportion of networks that use these tools is infinitesimal.
What are your thoughts on the constant hype surrounding potential security flaws in Vista?
As I have written elsewhere (http://msinfluentials.com/blogs/jesper/?archive/2008/01/24/do-vista-users-need-?fewer-patches-than-xp-users.aspx) I fail to see any data backing up the argument. Certainly, there have been flaws in Vista – and anyone who expected it to be flawless was unrealistic – but the improvements are tremendous over Windows XP. Windows Vista has about half as many critical problems as Windows XP in the same time-frame. I'm not sure that it would have been reasonable to expect it to perform much better than that given how large and complex modern software is and how fast the security landscape is moving.
Therefore, I have to think that the reasons for the hype are something other than data. The popular press seems to operate on the assumption that complaining about Microsoft generates advertising revenue, and they are probably correct. The fact of the matter today is that a significant portion of the software industry, specifically the security portion, has built its business almost exclusively on selling software that purports to protect Microsoft's customers from Microsoft's screw-ups. It is simply terrifying to it, and a grave threat to its business model, that Microsoft should actually manage to produce software, and particularly operating systems, that are so secure they do not need most of the products that portion of the industry sells.
The popular press, being a largely advertising funded business, has happily latched on to this perception and boosted the unsubstantiated claims of Windows Vista's vulnerability to the benefit of their major advertisers. It is truly a sick eco-system that harms the customer in both the short and long term. The threats today, as I mentioned above, are trending toward the types of things that the security software industry cannot protect against. The new threats are against people, and the focus needs to shift to helping people make better security decisions and take responsibility for their own actions. Unfortunately, the current unsubstantiated hype about Windows Vista is not about protecting customers, it is about selling unnecessary security software and inculcating users and IT managers alike in the belief that they must buy third party software to run Windows safely; a belief that, with a few notable exceptions, such as anti-virus software, is falsified by the data. In fact, the hype has even lead to a huge growth industry in malicious, fake, security software. I have seen a lot of people lured by the hype into buying security software that is not security software at all, but simply malware in disguise. The average consumer, inundated with hype, is unable to make out what to really believe. This sick ecosystem is harmful and the press and the pundits are not helping, but only increasing the hype.
In your opinion, which network faces the biggest security risk today: the small office with multiple power users or large corporation with a large LUA base?
The unmanaged networks. I have seen very well managed and very secure networks in both small and large organizations, and I have seen poorly managed and very insecure networks in both as well. It is not really a matter of size but of how much time and effort is put into the security aspects of it. One of the largest weaknesses seems to be training. Security today is about end-points. The attacks are against people far more prevalent than those against technology and vulnerabilities. We need to, as an industry, understand how to push the security out to the assets that we are trying to protect. In the past we have centralized security because it was a way to centralize management of security. The challenge now is to de-centralize security, while still permitting centralized management. This is a non-trivial task, but it must be done. As a starting point, I dare every IT manager to start analyzing the risks to his or her network, and specifically, what it is they want the network to be used for. Once you understand what it is you want the network to provide you have a chance to work on making it provide that and nothing else. To me, that is the most important thing we can do. A properly staffed IT group, with adequate training and resources to train its users, an organizational mandate to protect the organization's assets, and a keen understanding of the business they serve will build a network that is adequately secured regardless of the size of the network. Windows Server 2008 certainly provides some very powerful technologies to help you manage security in your network, but while that is a necessary component, it is insufficient by itself. At a very base level, it is about the people and the processes you have, more than about the technology. Technology will help, but it is just a tool that your people will implement using a process that helps or hurts.
Table of contents
-
Windows Server 2008 Security Resource Kit
- Acknowledgements
-
Introduction
- Overview of the Book
- Document Conventions
-
Companion CD
- Elevation Tools
- Passgen
-
Management Scripts
- CreateLocalUser.ps1
- EvaluateServices.ps1
- FindAdmin.ps
- FindServiceAccounts.ps1
- ListUserLastLogon.ps1
- LocateDisabledUsers.ps1
- LocateLockedOutUsers.ps1
- LocateOldComputersNotLogon.ps1
- LocateOldUsersNotLogOn.ps1
- LookUpUACEvents.ps1
- ScanForSpecificSoftware.ps1
- ScanForSpecificUpdate.ps1
- ScanConfig.ps1
- UnlockLockedOutUsers.ps1
- WhoIs.ps1
- eBook
- Bonus Chapters
- Chapter-Related Materials
- Links to Tools Discussed in the Book
- Resource Kit Support Policy
-
I. Windows Security Fundamentals
- 1. Subjects, Users, and Other Actors
- 2. Authenticators and Authentication Protocols
-
3. Objects: The Stuff You Want
- Access Control Terminology
- Tools to Manage Permissions
- Major Access Control Changes in Windows Server 2008
- User Rights and Privileges
- RBAC/AZMAN
- Summary
- Additional Resources
-
4. Understanding User Account Control (UAC)
- What Is User Account Control?
- How Token Filtering Works
-
Components of UAC
- UAC Elevation User Experience
- Application Information Service
- File and Registry Virtualization
- Manifests and Requested Execution Levels
- Installer Detection Technology
- User Interface Privilege Isolation
- Secure Desktop Elevation Prompts
- Using Remote Assistance
- UAC Remote Administrative Restrictions
- Mapping Network Drives When Running in Admin Approval Mode
- Application Elevations Blocked at Logon
- Configuring Pre-Windows Vista Applications for Compatibility with UAC
-
UAC Group Policy Settings
-
UAC Policy Settings Found Under Security Options
- User Account Control: Admin Approval Mode for the Built-in Administrator Account
- User Account Control: Behavior of the Elevation Prompt for Administrators in Admin Approval Mode
- User Account Control: Behavior of the Elevation Prompt for Standard Users
- User Account Control: Detect Application Installations and Prompt for Elevation
- User Account Control: Only Elevate Executables That Are Signed and Validated
- User Account Control: Only Elevate UIAccess Applications That Are Installed in Secure Locations
- User Account Control: Run All Users, Including Administrators, as Standard Users
- User Account Control: Switch to the Secure Desktop When Prompting for Elevation
- User Account Control: Virtualize File and Registry Write Failures to Per-User Locations
- Related UAC policies
-
UAC Policy Settings Found Under Security Options
- What's New in UAC in Windows Server 2008 and Windows Vista SP1
- UAC Best Practices
- Summary
- Additional Resources
-
5. Firewall and Network Access Protection
- Windows Filtering Platform
- Windows Firewall with Advanced Security
-
Routing and Remote Access Services
-
Improvements in RRAS
- Support for IPv6
- NAP Enforcement for Remote Access VPN Connections
- Updated Connection Creation Wizard
- Secure Socket Tunneling Protocol
- Support for Multiple Locations in CMAK
- Support for Dynamic DNS Updates in Connection Manager
- Support for the Network Diagnostics Framework
- Enhanced WinLogin Support
- Additional Cryptographic Algorithms
- Robust Certificate Checking for VPN Connections
-
Improvements in RRAS
-
Internet Protocol Security
- IPsec Basics
-
New Capabilities in Windows Server 2008
- Integrated Firewall and IPsec Configuration
- Simplified IPsec Policy Configuration
- Improved IPsec Authentication
- Improved Load Balancing and Clustering Server Support
- Client-to-DC IPsec Protection
- Integrated IPv4 and IPv6 Support
- Integration with Network Access Protection
- Additional Configuration Options for Protected Communication
- New Cryptographic Support
- Network Diagnostics Framework Support
- Extended Events and Performance Monitor Counters
- Expanded Authenticated Bypass
- Network Access Protection
- Summary
- Additional Resources
-
6. Services
- Introduction to Services
- Attacks on Services
- Service Hardening
- Securing Services
- Summary
- Additional Resources
-
7. Group Policy
- What Is New in Windows Server 2008
- Group Policy Basics
- What Is New in Group Policy
- Managing Security Settings
- Summary
- Additional Resources
- 8. Auditing
-
II. Implementing Identity and Access (IDA) Control Using Active Directory
-
9. Designing Active Directory Domain Services for Security
- The New User Interface
- The New Active Directory Domain Services Installation Wizard
- Read-Only Domain Controllers
- Restartable Active Directory Domain Services
- Active Directory Database Mounting Tool
- AD DS Auditing
- Active Directory Lightweight Directory Services Overview
- Active Directory Federation Services Overview
- Summary
- Additional Resources
-
10. Implementing Active Directory Certificate Services
- What Is New in Windows Server 2008 PKI
-
Threats to Certificate Services and Mitigation Options
- Compromise of a CA's Key Pair
- Preventing Revocation Checking
- Attempts to Modify the CA Configuration
- Attempts to Modify Certificate Templates
- Addition of Nontrusted CAs to the Trusted Root CA Store
- Enrollment Agents Issuing Unauthorized Certificates
- Compromise of a CA by a Single Administrator
- Unauthorized Recovery of a User's Private Key from the CA Database
- Securing Certificate Services
- Best Practices
- Summary
- Additional Resources
-
9. Designing Active Directory Domain Services for Security
-
III. Common Security Scenarios
- 11. Securing Server Roles
-
12. Patch Management
- The Four Phases of Patch Management
- The Anatomy of a Security Update
- Tools for Your Patch Management Arsenal
- Summary
- Additional Resources
-
13. Securing the Network
- Introduction to Security Dependencies
- Types of Dependencies
- Mitigating Dependencies
- Summary
- Additional Resources
- 14. Securing the Branch Office
-
15. Small Business Considerations
- Running Servers on a Shoestring
- Servers Designed for Small Firms
- Violating All the Principles with Multi-Role Servers
- Best Practices for Small Businesses
- Summary
- Additional Resources
-
16. Securing Server Applications
- Introduction
- IIS 7: A Security Pedigree
- Configuring IIS 7
- TCP/IP-Based Security
- Simple Path-Based Security
- Authentication and Authorization
- Summary
- Additional Resources
- A. System Requirements
- Index
Product information
- Title: Windows Server® 2008 Security Resource Kit
- Author(s):
- Release date: February 2008
- Publisher(s): Microsoft Press
- ISBN: 9780735625044
You might also like
book
Windows Server® 2008 Active Directory® Resource Kit
Get the definitive, in-depth resource for designing, deploying, and maintaining Windows Server 2008 Active Directory in …
book
Windows Server® 2008 R2 Remote Desktop Services Resource Kit
In-depth and comprehensive, this official Microsoft RESOURCE KIT delivers the information you need to plan, deploy, …
book
Windows Server 2008: The Definitive Guide
This practical guide has exactly what you need to work with Windows Server 2008. Inside, you'll …
book
Self-Paced Training Kit (Exam 70-640): Configuring Windows Server® 2008 Active Directory® (2nd Edition)
EXAM PREP GUIDE Fully updated for Windows Server 2008 R2! Ace your preparation for the skills …