Read Windows Server 2008 R2 Unleashed Online
Authors: Noel Morimoto
server security by disabling unnecessary services and locking out file-level permissions by default. In addition to the standard features, advanced options in Windows Server 2008 R2, such as the integrated intelligent firewall, enable administrators to add multiple layers of security to servers, further protecting them from attacks and vulnerabilities. In addition, the automatic updating capabilities of tools such as Windows Server Update Services give organizations an edge in protecting servers and workstations from constantly changing security threats.
The following are best practices from this chapter:
. Physically secure servers behind locked doors, in a controlled-access environment.
. Apply security in layers.
. Use the Server Roles Wizard for turning on server roles and having them automatically secured.
. Use the integrated Windows Firewall for enhanced security, and only open ports or allow protocols when necessary.
. Use both inbound and outbound firewall rules to limit the exposure a compromised server would have.
. Use the Run As Administrator command when administrative access is required instead of logging on as an administrator.
. Consider a honeypot solution using auditing to identify internal (or external) saboteurs before they can do some serious damage by creating serious-looking shares on the network, such as Financial Statements, Root Info, or similar such shares, and audit access to those folders.
. Plan to run the initial synchronization of WSUS over a weekend, beginning the download on Friday evening.
. Test and approve WSUS patches before deploying them to production, either manually or through a process of setting up a pilot WSUS server and a production WSUS server.
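The honeypot-share practice above only pays off if someone actually reviews the audit trail. The following added example (not code from the book) shows the review step: it scans an export of Windows Security audit events for any touch of the decoy shares and grades each account. It assumes object-access auditing is enabled on the decoy shares and that the export has one constructed line per event in the format shown; real exports are multi-line and the regular expression would need adapting. The share names, account names, addresses and timestamps are all constructed.

```python
"""Flag access to decoy ("honeypot") shares in Windows Security audit events.

Added example, not code from the book. Event ID 5145 is "A network share
object was checked to see whether client can be granted desired access";
5140 is "A network share object was accessed". Both are counted, because an
attacker who is denied still reveals intent through the 5145 check.
"""
import re
from collections import defaultdict

# Hypothetical decoy shares; no legitimate workflow should ever read them.
HONEYPOT_SHARES = {r"\\*\Financial Statements", r"\\*\Root Info"}

# Accounts expected to touch every share (backup, antivirus) are reported
# as "review" rather than dropped, so misuse of those accounts stays visible.
EXPECTED_SCANNERS = {r"CONTOSO\svc_backup"}

EVENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) EventID=(?P<eid>\d+) Account=(?P<acct>\S+) "
    r"Source=(?P<src>\S+) Share=(?P<share>.+?) Path=(?P<path>\S+) "
    r"Access=(?P<access>\S+)$"
)

# Constructed sample export (not real log data).
SAMPLE_LOG = r"""2010-03-12 02:14:07 EventID=5145 Account=CONTOSO\jdoe Source=10.1.2.33 Share=\\*\Financial Statements Path=\Q1_results.xlsx Access=ReadData
2010-03-12 02:14:09 EventID=5145 Account=CONTOSO\jdoe Source=10.1.2.33 Share=\\*\Root Info Path=\ Access=ReadData
2010-03-12 02:15:40 EventID=5140 Account=CONTOSO\jdoe Source=10.1.2.33 Share=\\*\Root Info Path=\ Access=ReadData
2010-03-12 03:00:01 EventID=5145 Account=CONTOSO\svc_backup Source=10.1.0.5 Share=\\*\Financial Statements Path=\ Access=ReadData
2010-03-12 08:30:12 EventID=5145 Account=CONTOSO\asmith Source=10.1.3.7 Share=\\*\Public Path=\memo.docx Access=ReadData
2010-03-12 09:01:55 EventID=4624 Account=CONTOSO\asmith Source=10.1.3.7 Share=- Path=- Access=-
"""


def parse_events(text):
    """Yield one dict per line that matches the constructed export format."""
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            yield m.groupdict()


def find_honeypot_access(text):
    """Return {account: summary} for every account that touched a decoy share."""
    hits = defaultdict(lambda: {"shares": set(), "sources": set(),
                                "events": 0, "first": None, "last": None})
    for ev in parse_events(text):
        if ev["eid"] not in ("5140", "5145"):
            continue  # not a share-access event
        if ev["share"] not in HONEYPOT_SHARES:
            continue  # ordinary share, out of scope for this detector
        h = hits[ev["acct"]]
        h["shares"].add(ev["share"])
        h["sources"].add(ev["src"])
        h["events"] += 1
        h["first"] = h["first"] or ev["ts"]
        h["last"] = ev["ts"]
    return dict(hits)


def classify(hits):
    """Grade each account: 'review' for expected scanners, 'alert' for a single
    decoy, 'alert-enumeration' when more than one decoy was touched."""
    out = {}
    for acct, h in hits.items():
        if acct in EXPECTED_SCANNERS:
            out[acct] = "review"
        elif len(h["shares"]) > 1:
            out[acct] = "alert-enumeration"
        else:
            out[acct] = "alert"
    return out


if __name__ == "__main__":
    found = find_honeypot_access(SAMPLE_LOG)
    for acct, grade in classify(found).items():
        h = found[acct]
        print(f"{grade:18} {acct:22} events={h['events']} "
              f"shares={len(h['shares'])} from={','.join(sorted(h['sources']))} "
              f"{h['first']} .. {h['last']}")
```

Touching more than one decoy in a short window is treated as enumeration, which is the behaviour the honeypot is meant to catch; a single hit still alerts, since nothing legitimate reads those folders.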
Transport-Level Security
IN THIS CHAPTER
. Introduction to Transport-Level Security in Windows Server 2008 R2
. Deploying a Public Key Infrastructure with Windows Server 2008 R2
. Understanding Active Directory Certificate Services (AD CS) in Windows Server 2008 R2
. Active Directory Rights Management Services
. Using IPSec Encryption with Windows Server 2008 R2
In the past, networks were closed environments, insulated from each other and accessible only on internal segments. Over time, a need developed to share information between these networks, and connections were established to transmit data from network to network. The transmission of this information was originally insecure, however, and, if intercepted, could easily be read by unauthorized persons. The need to secure this information was subsequently made a priority, and became a critical component of network infrastructure.
Over time, the technology used to keep this information safe evolved along with the technology available to exploit and obtain unauthorized access to data. Despite these threats, intelligent design and configuration of secure transport solutions using Windows Server 2008 R2 greatly increase the security of a network. In many cases, they are absolutely required, especially for data sent across uncontrolled network segments, such as the Internet.
This chapter focuses on the mechanisms that exist to protect and encrypt information sent between computers on a network. New and improved transport security features in Windows Server 2008 R2 are highlighted, and sample situations are detailed. IPSec, Public Key Infrastructure (PKI), and virtual private network (VPN) use is outlined and illustrated. In addition, specific server functionality, such as that provided by Windows Server 2008 R2 Active Directory Certificate Services (AD CS) and Active Directory Rights Management Services (AD RMS), is outlined.
442
CHAPTER 14
Transport-Level Security
Introduction to Transport-Level Security in Windows Server 2008 R2
Transport-level security is the securing of communications between client and server, and between servers. Although some organizations put in firewalls or encrypt files, the implementation of security at the transport level is yet another level of security important in the design and implementation of a protected network environment.
The Need for Transport-Level Security
The very nature of interconnected networks requires that all information be sent in a format that can easily be intercepted by any client on a physical network segment. The data must be organized in a structured, common way so that the destination server can translate it into the proper information. This simplicity also gives rise to security problems, however, because intercepted data can easily be misused if it falls into the wrong hands.
The need to make information unusable if intercepted is the basis for all transport-level encryption. Considerable effort goes into both sides of this equation: Security specialists develop schemes to encrypt and disguise data, and hackers and other security specialists develop ways to forcefully decrypt and intercept data. The good news is that encryption technology has developed to the point that properly configured environments can secure their data with a great deal of success, as long as the proper tools are used. Windows Server 2008 R2 offers much in the realm of transport-level security, and deploying some or many of the technologies available is highly recommended to properly secure important data.
Deploying Security Through Multiple Layers of Defense
Because even the most secure infrastructures are subject to vulnerabilities, deploying multiple layers of security on critical network data is recommended. If a single layer of security is compromised, the intruder will have to bypass the second or even third level of security to gain access to the vital data. For example, relying on a complex 128-bit “unbreakable” encryption scheme is worthless if an intruder simply uses social engineering to acquire the password or PIN from a validated user. Putting in a second or third layer of security, in addition to the first one, will make it that much more difficult for intruders to break through all layers.
Transport-level security in Windows Server 2008 R2 uses multiple levels of authentication, encryption, and authorization to provide for an enhanced degree of security on a network. The configuration capabilities supplied with Windows Server 2008 R2 allow for the establishment of several layers of transport-level security.
NOTE
Security through multiple layers of defense is not a new concept, but is rather adapted from military strategy, which rightly holds that multiple lines of defense are better than one.
Understanding Encryption Basics
Encryption, simply defined, is the process of taking intelligible information and scrambling it so as to make it unintelligible for anyone except the user or computer that is the destination of this information. Without going into too much detail on the exact methods of encrypting data, the important point to understand is that proper encryption allows this data to travel across unsecured networks, such as the Internet, and be translated only by the designated destination. If packets of properly encrypted information are intercepted, they are worthless because the information is garbled. All mechanisms described in this chapter use some form of encryption to secure the contents of the data sent.
Deploying a Public Key Infrastructure with Windows Server 2008 R2
The term Public Key Infrastructure (PKI) is often loosely thrown around, but is not often thoroughly explained. PKI, in a nutshell, is the collection of digital certificates, registration authorities, and certificate authorities that verify the validity of each participant in an encrypted network. Effectively, a PKI itself is simply a concept that defines the mechanisms that ensure that the user who is communicating with another user or computer on a network is who he says he is. PKI implementations are widespread and are becoming a critical component of modern network implementations. Windows Server 2008 R2 fully supports the deployment of multiple PKI configurations, as defined in the following sections.
PKI deployments can range from simple to complex, with some PKI implementations utilizing an array of smart cards and certificates to verify the identity of all users with a great degree of certainty. Understanding the capabilities of PKI and choosing the proper deployment for an organization are subsequently a must.
Defining Private Key versus Public Key Encryption
Encryption techniques can primarily be classified as either symmetrical or asymmetrical. Symmetrical encryption requires that each party in an encryption scheme hold a copy of a private key, which is used to encrypt and decrypt information sent between the two parties. The problem with private key encryption is that the private key must somehow be transmitted to the other party without it being intercepted and used to decrypt the information.
Public key, or asymmetrical, encryption uses a combination of two keys, which are mathematically related to each other. The first key, the private key, is kept closely guarded and is used to encrypt the information. The second key, the public key, can be used to decrypt the information. The integrity of the public key is ensured through certificates, which will be explained in depth in the following sections of this chapter. The asymmetric approach to encryption ensures that the private key does not fall into the wrong hands and only the intended recipient will be able to decrypt the data.
Exploring Digital Certificates
A certificate is essentially a digital document that is issued by a trusted central authority and is used by the authority to validate a user’s identity. Central, trusted authorities such as VeriSign are widely used on the Internet to ensure that software from Microsoft, for example, is really from Microsoft, and not a virus in disguise.
Certificates are used for multiple functions, such as the following:
. Secure email
. Web-based authentication
. IP Security (IPSec)
. Code signing
. Certification hierarchies
Certificates are signed using information from the subject’s public key, along with identifying information, such as name, email address, and so on, and a digital signature of the certificate issuer, known as the Certificate Authority (CA).
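The two preceding sections, on private versus public key encryption and on certificates, describe a chain of ideas that is easiest to see end to end in code. The following added example (not code from the book) walks through it with textbook RSA: a key pair whose two halves undo each other, so the public key can encrypt what only the private key decrypts, and the private key can sign what anyone with the public key can verify; a CA that binds a subject name to a public key by signing the pair; and a relying party that checks that binding and rejects a tampered copy. The primes are tiny and the padding is absent, so the construction illustrates the relationships only and offers no real security; the names "Company Root CA" and "web01.company.local" are hypothetical stand-ins for an enterprise AD CS root and a server it has enrolled.

```python
"""Toy PKI walkthrough: asymmetric key pairs, signatures and a CA-signed certificate.

Added example, not code from the book. Textbook RSA with primes near 10**6
so it runs on the standard library alone; illustration only, not a usable
cipher. Requires Python 3.8+ for pow(e, -1, phi).
"""
import hashlib
import json
from math import gcd


def next_prime(start):
    """Smallest prime >= start, by trial division (fine for toy sizes)."""
    n = max(start, 2)
    while True:
        if all(n % k for k in range(2, int(n ** 0.5) + 1)):
            return n
        n += 1


def make_keypair(p, q):
    """Return (public, private) as (n, e), (n, d) for distinct primes p, q."""
    n, phi = p * q, (p - 1) * (q - 1)
    e = next(x for x in (65537, 257, 17, 5, 3) if gcd(x, phi) == 1)
    d = pow(e, -1, phi)  # modular inverse: e * d == 1 (mod phi)
    return (n, e), (n, d)


def encrypt_int(m, public):
    """Confidentiality: anyone holding the PUBLIC key can encrypt for its owner."""
    n, e = public
    assert 0 <= m < n, "toy keys only cover small integers"
    return pow(m, e, n)


def decrypt_int(c, private):
    """Only the PRIVATE key holder can recover the plaintext."""
    n, d = private
    return pow(c, d, n)


def _digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data, private):
    """Authenticity: the PRIVATE key signs a hash of the data."""
    n, d = private
    return pow(_digest_int(data, n), d, n)


def verify(data, signature, public):
    """Anyone holding the PUBLIC key can check the signature."""
    n, e = public
    return pow(signature, e, n) == _digest_int(data, n)


def issue_certificate(subject, subject_public, issuer, issuer_private):
    """The CA binds a subject name to its public key and signs that binding."""
    body = {"subject": subject, "issuer": issuer,
            "public_key": list(subject_public)}
    tbs = json.dumps(body, sort_keys=True).encode()  # "to be signed" bytes
    return {"body": body, "signature": sign(tbs, issuer_private)}


def verify_certificate(cert, trusted_roots):
    """Relying party: issuer must be a trusted root and its signature must hold."""
    issuer_public = trusted_roots.get(cert["body"]["issuer"])
    if issuer_public is None:
        return False
    tbs = json.dumps(cert["body"], sort_keys=True).encode()
    return verify(tbs, cert["signature"], issuer_public)


def demo():
    """Run the full flow and return the outcomes so they can be checked."""
    # Constructed toy keys: the CA and the server each get their own pair.
    ca_pub, ca_priv = make_keypair(next_prime(10**6), next_prime(10**6 + 100))
    srv_pub, srv_priv = make_keypair(next_prime(10**6 + 200),
                                     next_prime(10**6 + 300))

    # Hypothetical names standing in for an AD CS root and an enrolled server.
    cert = issue_certificate("web01.company.local", srv_pub,
                             "Company Root CA", ca_priv)
    roots = {"Company Root CA": ca_pub}
    valid = verify_certificate(cert, roots)

    # Changing the name (or the key) in a copy breaks the CA's signature.
    forged = json.loads(json.dumps(cert))
    forged["body"]["subject"] = "evil.example"
    forged_ok = verify_certificate(forged, roots)

    # A certificate from an issuer the relying party does not trust is rejected
    # even though its signature is internally consistent.
    rogue_pub, rogue_priv = make_keypair(next_prime(10**6 + 400),
                                         next_prime(10**6 + 500))
    rogue_cert = issue_certificate("web01.company.local", srv_pub,
                                   "Rogue CA", rogue_priv)
    rogue_ok = verify_certificate(rogue_cert, roots)

    # With the binding validated, a client encrypts a secret for web01 using
    # the public key taken from the certificate; only web01 can decrypt it.
    n, e = cert["body"]["public_key"]
    secret = 4242
    recovered = decrypt_int(encrypt_int(secret, (n, e)), srv_priv)

    return {"valid": valid, "forged": forged_ok, "rogue": rogue_ok,
            "roundtrip": recovered == secret}


if __name__ == "__main__":
    print(demo())
```

The trusted-roots dictionary plays the role of the machine's trusted root store: a certificate is only as good as the relying party's decision to trust its issuer, which is why distributing the enterprise CA certificate to clients is part of any AD CS deployment.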
Understanding Active Directory Certificate Services (AD CS) in Windows Server 2008 R2
Windows Server 2008 R2 includes a built-in Certificate Authority (CA) technology that is known as Active Directory Certificate Services (AD CS). The first iteration of AD CS emerged with Windows Server 2008, though previous versions of the technology were simply known as Certificate Services. AD CS can be used to create certificates and subsequently manage them; it is responsible for ensuring their validity. AD CS is often used in Windows Server 2008 R2 if there is no particular need to have a third party verify an organization’s certificates. It is common practice to set up a standalone CA for network encryption that requires certificates only for internal parties. Third-party certificate authorities such as VeriSign are also extensively used but require an investment in individual certificates.
NOTE
Although the term Active Directory has been incorporated into the name of the Windows Certificate Services function, it should be understood that AD CS does not necessarily require integration with an existing Active Directory Domain Services (AD DS) forest environment. Although this is commonly the case, it is important to understand that AD CS has independence over AD DS forest design. For more information on AD DS, see Chapter 4, “Active Directory Domain Services Primer,” and Chapter 5, “Designing a Windows Server 2008 R2 Active Directory.”
Windows Server 2008 R2 introduced a few additions to AD CS features, including the following:
. Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service—This is the most significant improvement, essentially allowing certificates to be enrolled directly over HTTP, enabling non-domain or Internet-connected clients to connect and request certificates from a CA server.
. Improved support for high-volume CAs used for NAP—AD CS in Windows Server 2008 R2 improves the database performance when high-volume scenarios such as NAP are utilized.
. Support for cross-forest certificate enrollment—AD CS in Windows Server 2008 R2 allows for CA consolidation across multiple forests.