Windows Server 2008 R2 Unleashed

vidual can simply pull up in the parking lot and access an organization’s local area network (LAN) via a laptop computer and a standard wireless card. The standard security employed by wireless networks, Wireless Encryption Protocol (WEP), is effectively worthless because it can be cracked in several minutes.

Controlling the network ports and securing network switches are part of the security strategy. For organizations with wireless networks, more stringent precautions must be taken. Deployment of wireless networks using the 802.1x protocol vastly increases the security of the mechanism. Microsoft uses 802.1x to secure its vast wireless network, and Windows Server 2008 R2 fully supports the protocol.

For those organizations without the time or resources to deploy 802.1x, the simple step of placing wireless access points outside the firewall and requiring virtual private network (VPN) access through the firewall can effectively secure the wireless network. Even if trespassers were to break the WEP key, they would be connected only to an orphaned network, with no place to go.

Firewall Security

Deployment of an enterprise firewall configuration is a must in any environment that is connected to the Internet. Servers or workstations directly connected to the Internet are prime candidates for hacking. Modern firewall implementations such as Microsoft’s Internet Security and Acceleration (ISA) 2006 offer advanced configurations, such as web proxying and demilitarized zone (DMZ) configuration, as well. Proper setup and configuration of a firewall in between a Windows Server 2008 R2 network and the Internet are a must.

Using the Integrated Windows Firewall with Advanced Security

Windows Server 2008 R2 includes a vastly improved integrated firewall that is turned on by default in all installations of the product. The firewall, administered from an MMC snap-in shown in Figure 13.3 (Start, All Programs, Administrative Tools, Windows Firewall with Advanced Security), gives unprecedented control and security to a server.

Understanding Windows Firewall Integration with Server Manager

The firewall with advanced security is fully integrated with the Server Manager utility and the Server Roles Wizard. For example, if an administrator runs the Server Roles Wizard and chooses to make the server a file server, only then are those ports and protocols that are required for file server access opened on the server.

FIGURE 13.3 Using the integrated Windows Firewall with Advanced Security.

NOTE

It is instinctual for most administrators to disable software firewalls on servers, as they have caused problems with functionality in the past. This is not recommended in Windows Server 2008 R2, however, as the product itself is tightly integrated with its firewall, and the firewall itself provides for a much greater degree of security than previous versions of Windows Server provided.

Creating Inbound and Outbound Rules on the Windows Firewall

In certain cases, when a third-party application is not integrated with Server Manager, or when needing to open specific individual ports, it might become necessary to create firewall rules for individual services to run properly. Both inbound rules, addressing traffic to the server, and outbound rules, addressing how the server can communicate out, can be created. Rules can be created based on the following factors:

• Program—A rule can be created that allows a specific program executable access. For example, you can specify that the c:\Program Files\Custom Program\myprogram.exe file has full outbound access when running. The Windows Firewall program will then allow any type of connections made by that program full access. This can be useful in scenarios when a specific application server uses multiple varied ports, but the overall security that the firewall provides is still desired.

CHAPTER 13 Server-Level Security

• Port—Entering a traditional UDP or TCP port into the Add Rules Wizard is supported. This covers traditional scenarios such as “We need to open Port 8787 on the server.”

• Predefined—Windows Server also has built-in, predefined rules, such as those that allow AD DS, DFS, BITS, HTTP, and many more. The advantage to using a predefined rule is that Microsoft has done all the legwork in advance, and it becomes much easier to allow a specific service.

• Custom—The creation of custom rule types not covered in the other categories is also supported.

For example, the following procedure details the creation of an inbound rule to allow a custom application to use TCP Port 8787 for inbound communication:

1. Open the Windows Firewall MMC (Start, All Programs, Administrative Tools, Windows Firewall with Advanced Security).

2. Click on the Inbound Rules node in the node pane.

3. In the Actions pane, click the New Rule link.

4. On the Rule Type page of the New Inbound Rule Wizard, shown in Figure 13.4, select Port to create a rule based on the port, and click Next to continue.

FIGURE 13.4 Creating a rule on the Windows Firewall.

5. On the Protocol and Ports page, shown in Figure 13.5, select TCP, and enter 8787 in the Specific Local Ports field. Click Next to continue.

6. On the Action page, select Allow to enable the connection.

FIGURE 13.5 Entering port information for the firewall rule.

NOTE

The Action page of the New Inbound Rule Wizard also allows for a rule to be configured that only allows the connection if it is secured using IPSec technologies. For more on IPSec, see Chapter 14, “Transport-Level Security.”

7. On the Profile page, shown in Figure 13.6, select all three check boxes. This page enables an administrator to specify that a rule applies only when the server is connected to specific networks. Click Next to continue.

8. Enter a descriptive name for the rule, and click Finish.

Review the rule settings in the Inbound Rules node, shown in Figure 13.7. This allows for a quick-glance view of the rule settings. You can also include a rule in a rule group, which allows for multiple rules to be tied together for easy on/off application.
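The same rule creation, verification, program rule, and predefined group handling expressed at the command line, as an added example that is not from the book: it uses netsh advfirewall, which ships with Windows Server 2008 R2; the rule names, description text, and $RequireIPSec switch are assumptions, while port 8787, the program path, and the three profiles follow the chapter.

```powershell
# Added example, not from the book: the New Inbound Rule Wizard procedure
# expressed with netsh advfirewall (present on Windows Server 2008 R2).
# Rule names, the description and $RequireIPSec are assumed; port 8787, the
# program path and the three profiles follow the chapter.
$RuleName     = "Custom App Inbound TCP 8787"
$RequireIPSec = $false   # $true = "Allow the connection if it is secure" (IPSec, Chapter 14)
$Security     = if ($RequireIPSec) { "authenticate" } else { "notrequired" }

# Steps 4-7: Rule Type = Port, Protocol = TCP, Specific Local Port = 8787,
# Action = Allow, Profile = all three (Domain, Private, Public).
netsh advfirewall firewall add rule name="$RuleName" dir=in action=allow `
    protocol=TCP localport=8787 profile=domain,private,public `
    security=$Security description="Inbound TCP 8787 for the custom application"

# Program rule (first bullet above): full outbound access for one executable.
# Outbound traffic is allowed by default, so this rule only has an effect once
# the profile's outbound default has been changed to block.
netsh advfirewall firewall add rule name="Custom Program Outbound" dir=out `
    action=allow program="C:\Program Files\Custom Program\myprogram.exe"

# Predefined rule (third bullet): enable one of Microsoft's built-in rule groups
# instead of opening its ports by hand; only do this on a server that holds the
# role, since the group opens the SMB ports.
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=yes

# Verify the stored rule, the command-line equivalent of checking the Inbound
# Rules node (Figure 13.7); Protocol and LocalPort are separate output fields.
$shown = netsh advfirewall firewall show rule name="$RuleName"
if (($shown -match '^Protocol:\s+TCP') -and ($shown -match '^LocalPort:\s+8787') -and
    ($shown -match '^Action:\s+Allow')) {
    Write-Output "Rule '$RuleName' is present and allows inbound TCP 8787."
} else {
    Write-Warning "Rule '$RuleName' is missing or not as expected:"
    $shown
}
```

Run from an elevated PowerShell prompt; netsh returns "Ok." for each successful add or set command.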

Using the integrated Windows Firewall is no longer just a good idea; it’s a vital part of the security of the product. The addition of the ability to define rules based on factors such as scope, profile, IPSec status, and the like further positions the Server OS as one with high levels of integrated security.

FIGURE 13.6 Specifying the profile of a firewall rule.

FIGURE 13.7 Viewing the firewall rules.

Hardening Server Security

Previous versions of Windows Server required a great deal of configuration after installation to “harden” the security of the server and ensure that viruses and exploits would not overwhelm or disable the server. The good news with Windows Server 2008 R2 is that, by default, many less commonly used services are turned off. In fact, a fresh installation of Windows Server 2008 R2 only has those services enabled that are vital for the OS to run properly, and everything else must be enabled by running Server Manager. In addition, by default an intelligent firewall is enabled, and only those services that absolutely need to run are allowed through the firewall.

Consequently, in Windows Server 2008 R2, it is important to first define which roles a server will utilize and then to turn on only those services that are necessary, with the use of Server Manager, which automates the deployment of server roles.

Defining Server Roles

Depending on the size of an organization, a server might be designated for one or multiple network roles. In an ideal world, a separate server or servers would be designated to handle a single role, such as DHCP server or DNS server. Even smaller organizations can take advantage of virtualization technology such as Windows Server 2008 R2’s Hyper-V server virtualization platform to provision multiple dedicated guests on a smaller number of physical hosts.

Because any service that is activated increases the overall risk, it is important to fully define which roles a server will take on so that those services can be properly configured.
