Windows Server 2008 R2 Unleashed

server security by disabling unnecessary services and locking down file-level permissions by default. Beyond the standard features, advanced options in Windows Server 2008 R2, such as the integrated intelligent firewall, let administrators add multiple layers of security to servers, further protecting them from attacks and vulnerabilities. The automatic updating capabilities of tools such as Windows Server Update Services (WSUS) also give organizations an edge in protecting servers and workstations from constantly changing security threats.

Best Practices

The following are best practices from this chapter:

. Physically secure servers behind locked doors, in a controlled-access environment.
. Apply security in layers.
. Use the Server Roles Wizard to turn on server roles so that they are secured automatically.
. Use the integrated Windows Firewall for enhanced security, and open ports or allow protocols only when necessary.
. Use both inbound and outbound firewall rules to limit the exposure a compromised server would have.
. Use the Run As Administrator command when administrative access is required, instead of logging on as an administrator.
. Consider a honeypot solution based on auditing to identify internal (or external) saboteurs before they can do serious damage: create serious-looking shares on the network, such as Financial Statements, Root Info, or similar, and audit access to those folders. Nobody has a legitimate reason to open them, so any access is worth investigating.
. Plan to run the initial synchronization of WSUS over a weekend, beginning the download on Friday evening.
. Test and approve WSUS patches before deploying them to production, either manually or through a process of setting up a pilot WSUS server and a production WSUS server.
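To show what the honeypot-share audit looks like in practice, here is an added example; it is not from the book, and the decoy paths, user names and event records are constructed, not real log data. It assumes object-access auditing is already configured: a SACL on the decoy folders so local opens produce Security event 4663, and the Detailed File Share audit subcategory so opens over the network produce event 5145, with the events exported as JSON-like records. The script flags any non-allowlisted account that touches a decoy path and says what kind of access it requested:

```python
"""Added example: flag access to decoy ("honeypot") shares in exported
Windows Security events.  Not from the book.  The records below are
constructed to look like the EventData of IDs 4663 (object access) and
5145 (network share access check) after export to JSON."""
from collections import defaultdict
from typing import Iterable

# Decoy folders nobody has a business reason to open (hypothetical paths).
DECOY_PATHS = (r"D:\Shares\Financial Statements", r"D:\Shares\Root Info")
# Service accounts that legitimately sweep every share, e.g. backup (assumed name).
ALLOWLIST = {"svc-backup"}

# Standard Windows file access-mask bits as they appear in the AccessMask field.
ACCESS_BITS = {
    0x1: "ReadData/ListDirectory", 0x2: "WriteData", 0x4: "AppendData",
    0x80: "ReadAttributes", 0x10000: "DELETE", 0x40000: "WRITE_DAC",
}


def describe_access(mask: str) -> list:
    """Translate a hex AccessMask string into the named rights it requests."""
    value = int(mask, 16)
    return [name for bit, name in ACCESS_BITS.items() if value & bit]


def normalize(path: str) -> str:
    """Windows paths are case-insensitive; compare them in one canonical form."""
    return path.replace("/", "\\").rstrip("\\").lower()


def touched_path(event: dict) -> str:
    """Reconstruct the local path an event refers to, for either event ID."""
    if event["EventID"] == 4663:
        return event["ObjectName"]
    if event["EventID"] == 5145:
        # 5145 logs the share's local path (NT-style, \??\D:\...) plus a
        # share-relative target name; join them into one local path.
        local = event["ShareLocalPath"]
        if local.startswith("\\??\\"):
            local = local[4:]
        return local.rstrip("\\") + "\\" + event["RelativeTargetName"]
    return ""


def is_decoy(path: str, decoys=DECOY_PATHS) -> bool:
    """True for the decoy folder itself or anything beneath it, never for a
    sibling whose name merely starts with the decoy name."""
    p = normalize(path)
    return any(p == normalize(d) or p.startswith(normalize(d) + "\\") for d in decoys)


def find_decoy_access(events: Iterable[dict], decoys=DECOY_PATHS,
                      allowlist=ALLOWLIST) -> dict:
    """Return {user: [alert, ...]} for every non-allowlisted principal that
    touched a decoy path; one alert per event so each access is visible."""
    allowed = {a.lower() for a in allowlist}
    alerts = defaultdict(list)
    for ev in events:
        path = touched_path(ev)
        if not path or not is_decoy(path, decoys):
            continue
        user = ev["SubjectUserName"]
        if user.lower() in allowed:
            continue
        alerts[user].append({
            "time": ev["TimeCreated"],
            "event_id": ev["EventID"],
            "path": path,
            "access": describe_access(ev["AccessMask"]),
            "source": ev.get("IpAddress", "local"),
        })
    return dict(alerts)


# Constructed sample export (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4663, "TimeCreated": "2011-03-04T09:12:01", "SubjectUserName": "jsmith",
     "ObjectName": r"D:\Shares\Public\newsletter.docx", "AccessMask": "0x1"},
    {"EventID": 5145, "TimeCreated": "2011-03-04T09:15:44", "SubjectUserName": "jsmith",
     "IpAddress": "10.1.2.57", "ShareName": r"\\*\Financial Statements",
     "ShareLocalPath": "\\??\\D:\\Shares\\Financial Statements",
     "RelativeTargetName": "Q4_payroll.xlsx", "AccessMask": "0x120089"},
    {"EventID": 4663, "TimeCreated": "2011-03-04T23:40:10", "SubjectUserName": "svc-backup",
     "ObjectName": r"D:\Shares\Root Info\passwords.txt", "AccessMask": "0x1"},
    {"EventID": 4663, "TimeCreated": "2011-03-05T02:03:19", "SubjectUserName": "jsmith",
     "ObjectName": r"D:\Shares\Root Info\passwords.txt", "AccessMask": "0x10000"},
]

if __name__ == "__main__":
    for user, hits in find_decoy_access(SAMPLE_EVENTS).items():
        for h in hits:
            print(f"ALERT {h['time']} {user} {h['access']} {h['path']} from {h['source']}")
```

Run as a script it prints one ALERT line per access, here two for jsmith (a read of the payroll file over the network from 10.1.2.57, then a DELETE on the passwords file) and none for the backup account. The allowlist exists because backup and antivirus service accounts sweep every share and would otherwise drown the signal; the prefix match on a normalized path catches the decoy folder itself and anything inside it, while a folder whose name merely starts with the decoy name is left alone.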

CHAPTER 14

Transport-Level Security

IN THIS CHAPTER

. Introduction to Transport-Level Security in Windows Server 2008 R2
. Deploying a Public Key Infrastructure with Windows Server 2008 R2
. Understanding Active Directory Certificate Services (AD CS) in Windows Server 2008 R2
. Active Directory Rights Management Services
. Using IPSec Encryption with Windows Server 2008 R2

In the past, networks were closed environments, insulated from each other and accessible only on internal segments. Over time, a need developed to share information between these networks, and connections were established to transmit data from network to network. The transmission of this information was originally insecure, however, and, if intercepted, could easily be read by unauthorized persons. The need to secure this information was subsequently made a priority, and it became a critical component of network infrastructure.

Over time, the technology used to keep this information safe evolved along with the technology available to exploit and obtain unauthorized access to data. Despite these threats, intelligent design and configuration of secure transport solutions using Windows Server 2008 R2 greatly increase the security of a network. In many cases, they are absolutely required, especially for data sent across uncontrolled network segments, such as the Internet.

This chapter focuses on the mechanisms that exist to protect and encrypt information sent between computers on a network. New and improved transport security features in Windows Server 2008 R2 are highlighted, and sample situations are detailed. IPSec, Public Key Infrastructure (PKI), and virtual private network (VPN) use is outlined and illustrated. In addition, specific server functionality, such as that provided by Windows Server 2008 R2 Active Directory Certificate Services (AD CS) and Active Directory Rights Management Services (AD RMS), is outlined.


Introduction to Transport-Level Security in Windows Server 2008 R2

Transport-level security is the securing of communications between client and server, and between servers. Although some organizations put in firewalls or encrypt files at rest, implementing security at the transport level is another layer that is important in the design and implementation of a protected network environment.

The Need for Transport-Level Security

The very nature of interconnected networks requires that all information be sent in a format that can easily be intercepted by any client on a physical network segment. The data must be organized in a structured, common way so that the destination server can translate it into the proper information. This simplicity also gives rise to security problems, however, because intercepted data can easily be misused if it falls into the wrong hands.

The need to make information unusable if intercepted is the basis for all transport-level encryption. Considerable effort goes into both sides of this equation: Security specialists develop schemes to encrypt and disguise data, and attackers and other security specialists develop ways to intercept data and forcefully decrypt it. The good news is that encryption technology has developed to the point that properly configured environments can secure their data with a great deal of success, as long as the proper tools are used. Windows Server 2008 R2 offers much in the realm of transport-level security, and deploying some or many of the technologies available is highly recommended to properly secure important data.

Deploying Security Through Multiple Layers of Defense

Because even the most secure infrastructures are subject to vulnerabilities, deploying multiple layers of security on critical network data is recommended. If a single layer of security is compromised, the intruder still has to bypass the second or even third level of security to gain access to the vital data. For example, relying on a complex 128-bit “unbreakable” encryption scheme is worthless if an intruder simply uses social engineering to acquire the password or PIN from a validated user. Putting in a second or third layer of security, in addition to the first one, makes it that much more difficult for intruders to break through all layers.

Transport-level security in Windows Server 2008 R2 uses multiple levels of authentication, encryption, and authorization to provide an enhanced degree of security on a network. The configuration capabilities supplied with Windows Server 2008 R2 allow for the establishment of several layers of transport-level security.

NOTE

Security through multiple layers of defense is not a new concept, but is rather adapted from military strategy, which rightly holds that multiple lines of defense are better than one.


Understanding Encryption Basics

Encryption, simply defined, is the process of taking intelligible information and scrambling it so as to make it unintelligible to anyone except the user or computer that is the intended destination of the information. Without going into too much detail on the exact methods of encrypting data, the important point to understand is that proper encryption allows this data to travel across unsecured networks, such as the Internet, and be read only by the designated destination. If packets of properly encrypted information are intercepted, they are worthless to the interceptor because the contents cannot be recovered without the key. All mechanisms described in this chapter use some form of encryption to secure the contents of the data sent.

Deploying a Public Key Infrastructure with Windows Server 2008 R2

The term Public Key Infrastructure (PKI) is often loosely thrown around, but is not often thoroughly explained. PKI, in a nutshell, is the collection of digital certificates, registration authorities, and certificate authorities that bind public keys to identities and thereby verify the validity of each participant in an encrypted network. Effectively, a PKI itself is simply a concept that defines the mechanisms that ensure that the user who is communicating with another user or computer on a network is who he says he is. PKI implementations are widespread and are becoming a critical component of modern network implementations. Windows Server 2008 R2 fully supports the deployment of multiple PKI configurations, as defined in the following sections.

PKI deployments can range from simple to complex, with some PKI implementations utilizing an array of smart cards and certificates to verify the identity of all users with a great degree of certainty. Understanding the capabilities of PKI and choosing the proper deployment for an organization are consequently a must.

Defining Private Key versus Public Key Encryption

Encryption techniques can primarily be classified as either symmetrical or asymmetrical. Symmetrical encryption requires that each party in an encryption scheme hold a copy of the same secret key (often called the private key in this context), which is used both to encrypt and to decrypt information sent between the two parties. The problem with private key encryption is that this key must somehow be transmitted to the other party without being intercepted and used to decrypt the information.

Public key, or asymmetrical, encryption uses a pair of keys that are mathematically related to each other. The private key is kept closely guarded by its owner and is never transmitted; the public key can be freely distributed. What one key of the pair does, only the other can undo. To send confidential data, the sender encrypts with the recipient's public key, and only the holder of the matching private key can decrypt it; to prove origin, a sender signs with its own private key, and anyone holding the public key can verify the signature. The integrity of the public key (that it really belongs to the party it claims to) is ensured through certificates, which are explained in depth in the following sections of this chapter. The asymmetric approach ensures that the private key never has to leave its owner and that only the intended recipient will be able to decrypt the data. It also solves the key-distribution problem of symmetric encryption: a symmetric session key can be encrypted under the recipient's public key and sent safely across the untrusted network.


Exploring Digital Certificates

A certificate is essentially a digital document, issued by a trusted central authority, that other parties use to validate a user's or computer's identity. Central, trusted authorities such as VeriSign are widely used on the Internet to ensure that software from Microsoft, for example, is really from Microsoft, and not a virus in disguise.

Certificates are used for multiple functions, such as the following:

. Secure email
. Web-based authentication
. IP Security (IPSec)
. Code signing
. Certification hierarchies

A certificate contains the subject's public key, identifying information such as name and email address, and the digital signature of the certificate issuer, known as the Certificate Authority (CA). The signature covers the public key and the identifying information together, so anyone who trusts the CA can check that the key really belongs to the named subject and that neither has been altered.
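The following is an added example, not from the book, that illustrates in code the two points made in the preceding sections: which key of a pair encrypts and which decrypts (and that the same pair signs and verifies in the opposite direction), and how a CA's signature ties a public key to a subject name so that a relying party can trust the key before using it. It uses textbook RSA with small constructed primes and no padding, so it demonstrates the direction of the keys and nothing more; the JSON "certificate", the CA name CN=Corp Root CA and the subject CN=server01.corp.example are invented for the illustration, and a real certificate is an X.509 structure, not JSON.

```python
"""Added example: textbook RSA showing which key does what, and how a CA
vouches for a public key by signing a certificate.  Toy parameters and no
padding: it illustrates the direction of the keys, NOT a usable cryptosystem."""
import hashlib
import json
from dataclasses import dataclass

# Constructed small primes for the demonstration (assumption: any two
# distinct primes would do; real keys use moduli of 2048 bits or more).
SERVER_PRIMES = (1_000_003, 1_000_033)
CA_PRIMES = (999_983, 999_979)


@dataclass(frozen=True)
class KeyPair:
    n: int   # modulus, shared by both halves of the pair
    e: int   # public exponent: anyone may hold it
    d: int   # private exponent: never leaves its owner

    @property
    def public(self) -> dict:
        return {"n": self.n, "e": self.e}


def generate_keypair(p: int, q: int, e: int = 65537) -> KeyPair:
    n = p * q
    phi = (p - 1) * (q - 1)
    return KeyPair(n, e, pow(e, -1, phi))   # d = e^-1 mod phi(n)


def encrypt_to(public: dict, message: int) -> int:
    """Sender uses the RECIPIENT'S public key; only the private key reverses it."""
    assert 0 <= message < public["n"], "textbook RSA needs message < n"
    return pow(message, public["e"], public["n"])


def decrypt_with(key: KeyPair, ciphertext: int) -> int:
    return pow(ciphertext, key.d, key.n)


def _digest_mod_n(data: bytes, n: int) -> int:
    # Toy: reduce the hash mod n.  Real RSA signatures use PKCS#1 padding.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign_with(key: KeyPair, data: bytes) -> int:
    """Signer uses its own PRIVATE key; anyone with the public key can verify."""
    return pow(_digest_mod_n(data, key.n), key.d, key.n)


def verify_signature(public: dict, data: bytes, signature: int) -> bool:
    return pow(signature, public["e"], public["n"]) == _digest_mod_n(data, public["n"])


def issue_certificate(ca: KeyPair, issuer: str, subject: str, subject_public: dict) -> dict:
    """A minimal 'certificate': identity + public key, signed by the CA (hypothetical format)."""
    tbs = {"issuer": issuer, "subject": subject, "public_key": subject_public}
    encoded = json.dumps(tbs, sort_keys=True).encode()   # canonical bytes to sign
    return {**tbs, "signature": sign_with(ca, encoded)}


def verify_certificate(cert: dict, ca_public: dict) -> bool:
    tbs = {k: cert[k] for k in ("issuer", "subject", "public_key")}
    encoded = json.dumps(tbs, sort_keys=True).encode()
    return verify_signature(ca_public, encoded, cert["signature"])


def demo() -> int:
    ca = generate_keypair(*CA_PRIMES)
    server = generate_keypair(*SERVER_PRIMES)
    cert = issue_certificate(ca, "CN=Corp Root CA", "CN=server01.corp.example", server.public)
    # A client that trusts the CA checks the certificate before using the key.
    assert verify_certificate(cert, ca.public)
    # Changing the subject (or swapping in an attacker's key) breaks the signature.
    forged = dict(cert, subject="CN=attacker.example")
    assert not verify_certificate(forged, ca.public)
    # Confidentiality: encrypt with the certified PUBLIC key, decrypt with the PRIVATE key.
    session_key = 0x1337CAFE            # constructed 32-bit secret to be shared
    c = encrypt_to(cert["public_key"], session_key)
    assert decrypt_with(server, c) == session_key
    # The public key cannot undo its own operation: it is not a decryption key.
    assert pow(c, server.e, server.n) != session_key
    return c


if __name__ == "__main__":
    print("RSA key direction and certificate demo passed; ciphertext =", demo())
```

The last step is the one to notice: the 32-bit value stands in for a symmetric session key. Encrypting it under the certified public key is exactly how the key-distribution problem of symmetric encryption is solved in practice, and it is only safe because the client first checked the CA's signature, so it knows the public key belongs to server01 and not to whoever is sitting on the wire.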

Understanding Active Directory Certificate Services (AD CS) in Windows Server 2008 R2

Windows Server 2008 R2 includes a built-in Certificate Authority (CA) technology known as Active Directory Certificate Services (AD CS). The first iteration of AD CS emerged with Windows Server 2008, though previous versions of the technology were simply known as Certificate Services. AD CS can be used to create certificates and subsequently manage them; it is responsible for ensuring their validity. AD CS is often used in Windows Server 2008 R2 if there is no particular need to have a third party verify an organization's certificates. It is common practice to set up an internal CA for network encryption that requires certificates only for internal parties. Third-party certificate authorities such as VeriSign are also extensively used, but require an investment in individual certificates.

NOTE

Although the term Active Directory has been incorporated into the name of the Windows Certificate Services function, it should be understood that AD CS does not necessarily require integration with an existing Active Directory Domain Services (AD DS) forest environment. Although this is commonly the case, it is important to understand that AD CS is independent of AD DS forest design. For more information on AD DS, see Chapter 4, “Active Directory Domain Services Primer,” and Chapter 5, “Designing a Windows Server 2008 R2 Active Directory.”


Windows Server 2008 R2 introduced a few additions to AD CS features, including the following:

. Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service—This is the most significant improvement, essentially allowing certificates to be enrolled directly over HTTPS, so that non-domain or Internet-connected clients can connect and request certificates from a CA server without the direct RPC/DCOM access to the CA that domain clients use.
. Improved support for high-volume CAs used for NAP—AD CS in Windows Server 2008 R2 improves database performance when high-volume scenarios such as Network Access Protection (NAP) health certificates are utilized.
. Support for cross-forest certificate enrollment—AD CS in Windows Server 2008 R2 allows for CA consolidation across multiple forests.
