S 3.109 Windows Server 2008

Description

With Windows Server 2008, Microsoft introduced a server operating system that offers significant security improvements compared to previous versions. The release of Windows Server 2008 R2 added further improvements and extensions, making Windows Server 2008 the server-side counterpart of Windows 7 on the client side.

Windows Server 2008 can be used as the operating system for servers with a wide range of tasks, from Windows domain controllers and Active Directory servers through database servers to application servers or infrastructure services such as DHCP, DNS or VPN. It is not necessary to activate all functions; the selection depends on the application scenario. This module cannot describe all operational scenarios in detail; it is limited to the common operating system platform and the essential organisation-wide security functions.

This module must always be applied when Windows Server 2008 is used as the operating system; the same applies when it is deployed as Windows Server Core. Irrespective of this, services implemented on Windows Server 2008 must be covered by suitable modules of layer 5 (applications) or by a supplementary risk analysis.

References to Windows Server 2008 in this module and in the corresponding safeguards and threats also cover the R2 version. Changes and particularities of R2 are pointed out explicitly wherever they apply.

Threat scenario

The following threats are relevant when using a server with the Windows Server 2008 operating system:

Organisational Shortcomings

T 2.7 Unauthorised use of rights
T 2.19 Inadequate key management for encryption
T 2.111 Exposure of login data relating to change of service providers
T 2.114 Inconsistent security settings for SMB, RPC, and LDAP under Windows Server
T 2.115 Inappropriate handling of standard security groups in Windows Server 2003 and higher
T 2.116 Data loss relating to copying or moving data in Windows Server 2003 or higher
T 2.156 Compatibility problems when increasing the Active Directory function level

Human Error

T 3.9 Improper IT system administration
T 3.27 Improper time synchronisation
T 3.48 Incorrect configuration of Windows computers
T 3.81 Inappropriate use of security templates for Windows Server 2003 and higher
T 3.97 Violation of confidentiality in spite of BitLocker drive encryption under Windows Vista and higher
T 3.98 Loss of BitLocker-encrypted data

Technical Failure

T 4.13 Loss of stored data
T 4.22 Software vulnerabilities or errors
T 4.54 Loss of protection via the encrypting file system EFS
T 4.55 Data loss relating to password resets in Windows Server 2003/XP and higher

Deliberate Acts

T 5.7 Line tapping
T 5.52 Misuse of administrator rights in Windows operating systems
T 5.71 Loss of confidentiality of classified information
T 5.79 Unauthorised acquisition of administrator rights under Windows systems
T 5.83 Compromising cryptographic keys
T 5.85 Loss of integrity of information that should be protected
T 5.132 Compromising RDP user sessions under Windows Server 2003 and higher
T 5.133 Unauthorised use of web-based administration tools

Method recommendation

The safeguards described here supplement the safeguards in module S 3.1 General server with aspects specific to servers operated under the Windows Server 2008 operating system. To secure the information system under examination, further modules will need to be implemented in addition to this module. These modules are selected based on the results of the IT-Grundschutz modelling process.

Planning and design

Careful planning is indispensable for every server used. The basic recommendations for this are summarised in S 4.418 Planning the use of Windows Server 2008. New features compared to earlier Microsoft server operating systems are described in S 4.408 Overview of new security-relevant functions of Windows Server 2008.

In corporate environments, Windows servers are usually purchased under volume licence contracts. The corresponding activation must be prepared properly to ensure the availability of the systems (see S 4.336 Activation of Windows systems from a volume licence contract in Vista or Server 2008 and higher versions). This also includes preparing for the reactivation that may become necessary, in particular after configuration changes (S 4.343 Reactivation of Windows systems from a volume licence contract in Vista or Server 2008 and higher versions).

For secure operation of the system, further aspects must already be considered during the planning phase, ranging from general specifications for system administration (S 2.364 Planning of administration for Windows 2003 and higher) through group policies (S 2.326 Planning the Windows XP, Vista and Windows 7 group policies) to integration into system monitoring (S 2.489 Planning of system monitoring under Windows Server 2008).

Depending on the planned area of application of the server, further aspects must be planned, for example the organisation's own public key infrastructure (S 2.232 Planning the Windows CA structure in Windows 2000 and higher) or Windows-based virtualisation solutions (S 2.490 Planning the use of virtualisation using Hyper-V).

Purchasing

Before a Windows Server 2008 system is purchased, its requirements must be clarified. This not only concerns the hardware requirements; the correct edition must also be selected (S 4.409 Purchasing of Windows Server 2008) and the infrastructure required for activation must be considered (S 4.336 Activation of Windows systems from a volume licence contract in Vista or Server 2008).

Implementation

The templates provided by the manufacturer assist in installing the operating system (S 2.491 Use of roles and security templates under Windows Server 2008). On this basis, a secure basic configuration must be created (S 4.280 Secure basic configuration of Windows Server 2003 and higher). Unlike with earlier Windows server versions, the default settings can for the most part be accepted for this purpose. If an older Windows operating system is replaced by Windows Server 2008, the migration must be planned and implemented accordingly (S 4.412 Secure migration of Windows Server 2003 to Server 2008).

As with earlier Windows server versions, the protection of locally connected devices (S 4.52 Device protection under Windows NT/2000/XP), the use of scripts and script environments (S 2.367 Use of commands and scripts under Windows Server 2003 and higher), the configuration of system services (S 4.284 Handling of services under Windows Server 2003 and higher) and adequate password protection (S 4.48 Password protection under Windows systems) remain important.

For the file system, it must be decided whether the time of the last access to each file is to be recorded. This record makes the investigation of security incidents considerably easier, but may also degrade performance and must therefore be assessed (S 4.342 Activation of the Last Access time stamp under Windows Vista and higher). New features such as User Account Control (S 4.340 Use of the Windows User Account Control UAC in Windows Vista and higher) and the integrity protection option (S 4.341 Integrity protection in Windows Vista and higher versions) can provide better system security than earlier versions and should therefore be used. If the server is used for Active Directory, the explanations summarised in S 4.414 Overview of new functions for Active Directory under Windows Server 2008 and higher must also be taken into account.

Where protection requirements are higher, it is recommended to implement advanced safeguards such as restricted user environments (S 2.32 Establishment of a restricted user environment), additional protection of network communication (S 4.277 Protection of SMB, LDAP and RPC communication under Windows Servers or S 5.90 Use of IPSec under Windows) or application control using AppLocker (S 4.419 Application control in Windows 7 and higher by means of AppLocker). For data encryption, mechanisms are available both at the level of the data media and at the file system level (S 4.337 Use of BitLocker drive encryption and S 4.147 Secure use of EFS under Windows).

Operation

The most important regular operational tasks are summarised in S 2.369 Regular security-relevant maintenance of a Windows Server 2003 and are supplemented by the secure administration of user accounts and access rights (S 2.370 Administration of access rights under Windows Server 2003 and higher). The system should be monitored specifically in order to detect availability problems and security incidents quickly (S 4.344 Monitoring of Windows Vista, Windows 7 and Windows Server 2008 systems).

As for all IT systems, functioning patch management is a central element in maintaining system security. Microsoft's own Windows Server Update Services (WSUS) are available for this purpose (S 4.417 Patch Management with WSUS under Windows Server 2008 and higher).

The users and administrators of the server must take into account the particularities of deleting files (S 4.56 Secure deletion under Windows operating systems). The new biometric authentication option using fingerprints also provides an alternative to entering passwords (S 4.415 Secure operation of biometric authentication under Windows).

Disposal

When disposing of Windows servers, the safeguards described in module S 3.1 General server must be implemented. In addition to this, the individual accounts must be deactivated or deleted (S 2.371 Regulated deactivation and deletion of unused user accounts).

Contingency Planning

As for all other central IT systems, a suitable contingency plan must also be created for Windows servers (S 6.76 Creation of a contingency plan for failure of a Windows network). A central element of contingency planning is data backup, which must also cover the relevant parts of the operating system (S 6.99 Regular backup of important system components for Windows Server). Where availability requirements are higher, additional precautions can be taken by means of redundancy (S 6.43 Use of redundant Windows servers).

Planning and design

S 2.232 (C) Planning the Windows CA structure in Windows 2000 and higher
S 2.326 (A) Planning the Windows XP, Vista and Windows 7 group policies
S 2.364 (A) Planning of administration for Windows 2003 and higher
S 2.489 (A) Planning of system monitoring under Windows Server 2008
S 2.490 (C) Planning the use of virtualisation using Hyper-V
S 4.147 (Z) Secure use of EFS under Windows
S 4.277 (C) Protection of SMB, LDAP, and RPC communication under Windows Servers
S 4.336 (A) Activation of Windows systems from a volume licence contract in Vista or Server 2008 and higher versions
S 4.337 (Z) Use of BitLocker drive encryption
S 4.340 (A) Use of Windows User Account Control UAC in Windows Vista and higher
S 4.341 (A) Integrity protection in Windows Vista and higher versions
S 4.342 (Z) Activation of the Last Access time stamp under Windows Vista and higher
S 4.408 (W) Overview of new security-relevant functions of Windows Server 2008
S 4.414 (W) Overview of new functions for Active Directory under Windows Server 2008 and higher
S 4.418 (A) Planning the use of Windows Server 2008

Purchasing

S 4.409 (W) Purchasing of Windows Server 2008

Implementation

S 2.32 (Z) Establishment of a restricted user environment
S 2.367 (C) Use of commands and scripts under Windows Server 2003 and higher
S 2.491 (B) Use of roles and security templates under Windows Server 2008
S 4.48 (A) Password protection under Windows systems
S 4.52 (A) Device protection under Windows NT/2000/XP
S 4.280 (A) Secure basic configuration of Windows Server 2003 and higher
S 4.284 (B) Handling of services under Windows Server 2003 and higher
S 4.410 (Z) Use of network access protection under Windows
S 4.412 (Z) Secure migration of Windows Server 2003 to Server 2008
S 4.413 (Z) Secure use of virtualisation using Hyper-V
S 4.419 (Z) Application control in Windows 7 and higher by means of AppLocker
S 5.90 (Z) Use of IPSec under Windows

Operation

S 2.368 (C) Handling of administrative templates under Windows Server 2003 and higher
S 2.369 (A) Regular security-relevant maintenance of a Windows Server 2003
S 2.370 (A) Administration of access rights under Windows Server 2003 and higher
S 4.56 (C) Secure deletion under Windows operating systems
S 4.343 (Z) Reactivation of Windows systems from a volume licence contract in Vista or Server 2008 and higher versions
S 4.344 (B) Monitoring of Windows Vista, Windows 7 and Windows Server 2008 systems
S 4.411 (Z) Secure use of DirectAccess under Windows
S 4.415 (Z) Secure operation of biometric authentication under Windows
S 4.416 (Z) Use of Windows Server Core
S 4.417 (B) Patch Management with WSUS under Windows Server 2008 and higher

Disposal

S 2.410 (B) Orderly withdrawal of a directory service from operation

Contingency Planning

S 6.43 (Z) Use of redundant Windows servers
S 6.76 (C) Creation of a contingency plan for failure of a Windows network
S 6.99 (A) Regular backup of important system components for Windows Server