Windows Server 2008 R2 Unleashed (90 page)

ptg

Although these components can be set up manually, the process of turning on these

services is streamlined through the use of the Configure Your Server Wizard.

Securing a Server Using Server Manager

With the list of roles that a server will perform in hand, the ideal utility for turning on

these roles and securing them is the newly renovated Server Manager. By default, if a

server is a DNS server but does not do file and print services, Server Manager not only

opens the ports required for DNS, but also blocks any file and print access to the server.

Windows Server 2008 R2 Server Manager, shown in Figure 13.8, allows for individual roles

to be enabled on a server. After being enabled, those roles are turned on and the proper

ports to run those roles are opened on the server.

Examining File-Level Security

Files secured on Windows Server 2008 R2 are only as secure as the permissions that are

set on them. Subsequently, it is good to know that Windows Server 2008 R2 does not

grant the Everyone group full control over share-level and NTFS-level permissions. In

addition, critical operating system files and directories are secured to disallow their unau-

thorized use.

Despite the overall improvements made, a complete understanding of file-level security is

recommended to ensure that the file-level security of a server is not neglected.

430

CHAPTER 13

Server-Level Security

FIGURE 13.8

Viewing Server Manager.

ptg

Understanding NT File System (NTFS) Security

The latest revision of the NT File System (NTFS) is used in Windows Server 2008 R2 to

provide for file-level security in the operating system. Each object that is referenced in

NTFS, which includes files and folders, is marked by an access control entry (ACE) that

physically limits who can and cannot access a resource. NTFS permissions utilize this

concept to strictly control read, write, and other types of access on files.

File servers should make judicious use of NTFS-level permissions, and all directories should

have the file-level permissions audited to determine if there are any holes in the NTFS

permission set. Changing NTFS permissions in Windows Server 2008 R2 is a straightfor-

ward process; simply follow these steps:

1. Right-click the folder or file onto which the security will be applied, and choose

Properties.

2. Select the Security tab.

3. Click the Advanced button.

4. Click the Change Permissions button.

5. Uncheck the Include Inheritable Permissions from This Object’s Parent check box.

6. Click Remove when prompted about the application of parent permissions.

7. While you’re in the Advanced dialog box, use the Add button to give access to the

groups and/or users who need access to the files or folders.

8. Check the Replace All Child Object Permissions with Inheritable Permissions from

This Object check box, as shown in Figure 13.9, and click OK.

Examining File-Level Security

431

13

FIGURE 13.9

Setting NTFS permissions.

9. When prompted about replacing security on child objects, click Yes to replace child

ptg

object security and continue.

10. Click OK and then click OK again to close the property pages.

Examining Share-Level Security Versus NTFS Security

Previous Windows security used share-level permissions, which were independently set. A

share is a file server entry point, such as \\sfofs01\marketing, that enables users to have

access to a specific directory on a file server. Older file systems such as FAT, HPFS, and

FAT32 did not include file-level security, so the security was set instead on the share level.

Although share-level security can still be set on files, it is preferable to use NTFS-level secu-

rity, where possible. Share-level security is not very secure because it cannot secure the

contents of subdirectories easily.

Auditing File Access

A good practice for file-level security is to set up auditing on a particular server, directory,

or file. Auditing on NTFS volumes enables administrators to be notified of who is access-

ing, or attempting to access, a particular directory. For example, it might be wise to audit

access to a critical network share, such as a finance folder, to determine whether anyone is

attempting to access restricted information.

NOTE

Audit entries are another example of security settings that can be automatically set via

security templates in Windows Server 2008 R2. It is wise to consider the use of securi-

ty templates to more effectively control audit settings.

432

CHAPTER 13

Server-Level Security

The following steps illustrate how to set up simple auditing on a folder in Windows

Server 2008 R2:

1. Right-click the folder or file onto which the auditing will be applied, and choose

Properties.

2. Select the Security tab.

3. Click the Advanced button.

4. Select the Auditing tab.

5. Click the Edit button.

6. Using the Add button, enter all users and groups that will be audited. If you’re audit-

ing all users, enter the Everyone group.

7. On the Auditing property page, select all types of access that will be audited. If

you’re auditing for all success and failure attempts, select all the options, as indi-

cated in Figure 13.10.

ptg

FIGURE 13.10

Selecting what to audit.

8. Click OK to apply the settings.

9. Click OK twice to save the settings.

Additional Security Mechanisms

433

NOTE

An effective way of catching “snoops” in the act is to create serious-looking shares on

the network, such as Financial Statements, Root Info, or similar such shares, and

audit access to those folders. This mechanism, known as a honeypot, has been suc-

cessfully used to identify internal (or external) saboteurs before they could do some

serious damage.

Encrypting Files with the Encrypting File System

13

Windows Server 2008 R2 continues support for the Encrypting File System (EFS), a method

of scrambling the contents of files to make them unintelligible to unauthorized users. EFS

has proven to be valuable for organizations that desire to keep proprietary data, especially

those stored on laptops, out of the wrong hands. A more comprehensive approach to

client encryption is with Windows 7/Vista BitLocker Drive Encryption, which encrypts all

files on the entire hard drive, with the exception of a few files required for startup.

Additional Security Mechanisms

ptg

In an insecure world, a server is only as secure as the software that runs on it. Windows

Server 2008 R2 is the most secure Windows yet, and includes many built-in mechanisms

to keep a server secure. Additional security considerations such as antivirus options and

backup should be taken into account, however, as they directly affect the overall security

of the operating system itself.

Antivirus Precautions

Viruses might be one of the most dangerous threats faced by servers. Many viruses are

written to specifically exploit key vulnerabilities that are present in server infrastructure.

Others infect files that might be held on a server, spreading the infection to clients who

download files. Consequently, it is extremely important to consider the use of an enter-

prise antivirus solution on all file servers in a network. All the major antivirus manufactur-

ers include robust file-level scanners, and administrators should consider using them.

Microsoft itself has released a line of antivirus products with tight integration with the

Windows Server line. This is part of the Forefront line of security products. An advantage

to using the Forefront product suite is that it uses five antivirus engines all running at the

same time. This way, if one of the engines doesn’t catch a virus or isn’t updated quickly

enough, there is a good chance that one of the other vendors’ engines will detect the virus.

More information on the Forefront line can be found at www.microsoft.com/forefront.

An aggressive plan should be in place to keep antivirus patterns and engines up to date.

Because virus outbreaks can wreak havoc worldwide in a matter of hours, rather than

days, it is wise to have servers check for updates at least daily.

434

CHAPTER 13

Server-Level Security

Deploying Backup Security

Although the need for a backup strategy might seem obvious to most people, it is often

surprising to find out how inadequately prepared many organizations are in regard to

their backups. All too often, a company will discover that it is very easy to back up a

server but often more difficult to restore. In addition to disaster recovery issues, the issue

of backup security is often neglected.

File server backups require that an authenticated user account with the proper privileges

copy data to a storage mechanism. This requirement ensures that not just anyone can back

up an environment and run off with the tape. Keeping this point in mind, the tapes that

contain server backups should be protected with the same caution given to the server itself.

All too often, a big pile of server backup tapes is left out on unsecured desks, and there is

often no mechanism in place to account for how many tapes are in which location.

Implementing a strict tape retention and verification procedure is, subsequently, a must.

Using Windows Server Update Services

One of the main drawbacks to Windows security has been the difficulty in keeping servers

and workstations up to date with the latest security fixes. For example, the security fix for

ptg

the Index Server component of IIS was available for more than a month before the Code

Red and Nimbda viruses erupted onto the scene. If the deployed web servers had down-

loaded the patch, they would not have been affected. The main reason that the vast major-

ity of the deployed servers were not updated was that keeping servers and workstations up

to date with the latest security patches was an extremely manual and time-consuming

process. For this reason, a streamlined approach to security patch application was required

and realized with the formulation of Windows Server Update Services (WSUS).

Understanding the Background of WSUS: Windows Update

In response to the original concerns regarding the difficulty in keeping computers prop-

erly patched, Microsoft made available a centralized website called Windows Update to

Other books

Super by Jim Lehrer
A Gangsta Twist Saga by Clifford “Spud” Johnson
The Book of Old Houses by Sarah Graves
Holiday Homecoming by Jillian Hart
Giant Thief by David Tallerman
Love Rewards The Brave by Monroe, Anya
The Shakespeare Stealer by Gary Blackwood
Flying Hero Class by Keneally, Thomas;