S 4.276 Planning the use of Windows Server 2003
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator, Head of IT
Before installing Windows Server 2003, extensive plans must be produced to ensure a proper and secure introduction and, consequently, to enable secure operation. It must be ensured that the security policies specified (see S 2.316 Defining a security policy for a general server) are followed so that the implementation conforms to the policies. It should be noted in this context that, to prevent the operation of unneeded components later on, a standard Windows Server 2003 installation does not have any pre-installed software components. Depending on the application scenario, you must define which role the Windows Server 2003 server will assume and which additional software components may need to be installed to fulfil this role.
The questions and planning steps arising in conjunction with the introduction and operation of Active Directory are only taken into account in part in this document.
Basic concept
A Windows Server 2003 installation is planned in several steps. It is recommended to use a defined requirements catalogue according to S 2.80 Drawing up a requirements catalogue for standard software since this makes it much easier to create the plan.
The actual planning can follow the top-down design principle: Based on a basic concept for the overall system, specific plans are specified for subcomponents in detailed subconcepts. The following questions are handled, for example, in the basic concept:
- Will a new network be built or will an existing network be migrated?
- Should an existing Windows network (for example based on Windows 2000 Server) be migrated entirely or only in part to Windows Server 2003?
- Will a new, additional server be installed or will an existing server be upgraded (see S 4.283 Secure migration of Windows NT 4 Server and Windows 2000 Server to Windows Server 2003)?
- Which components, e.g. file servers, print servers, DNS servers, etc., will be replaced and which will be kept?
- Do existing procedures or components, for example a Kerberos system or even a PKI, need to be integrated into Windows Server 2003? In this case, the interoperability with other IT systems as well as the range of functions offered must be taken into account, amongst others.
- Is the server configuration planned sufficient to handle peak loads and the amount of data expected?
- Is the licensing model adequate and suitable for the preparation concept and the contingency concept?
- Is a mixed operation of Windows Server 2003 and other operating systems, such as Windows 2000, Windows 95, Novell, or Unix, necessary? If this is the case, then this, amongst others, may have an effect on the authentication procedures used in the system that, depending on the other operating systems used, may also show vulnerabilities, correspondingly lowering the security of the Windows Server 2003 environment as a whole. The security standard for the combined environment should be specified in a security policy.
Planning roles
The server roles should be specified when creating the subconcepts. The Windows Server 2003 operating concept defines specific roles using a variety of configuration wizards. The roles are to be planned depending on the application scenario and the requirements defined. The requirements defined, for example the amount of data and size of the load expected, communication protocols and interfaces, access concepts, configuration of the particular operating system components, etc., must be taken into account in the subconcepts for each role.
Roles (selection)
Server role | Server Configuration Wizard | Manual configuration | Security Configuration Wizard |
---|---|---|---|
File Server | x | x | |
Print Server | x | | |
Application Server | x | x | |
Mail Server | x | | |
Terminal Server | x | x | |
RAS/VPN Server | x | x | |
Domain Controller | x | x | |
DNS Server | x | x | |
DHCP Server | x | x | |
Streaming Media Server | x | x | |
WINS Server | x | x | |
Web Server | x | x | |
Remote Installation Server | x | x | |
Bastion Host | x | | |
Certificate Server | x | x | |
The Security Configuration Wizard supports a large number of additional server roles for Microsoft products, for example the role of a database server.
Combination of server roles
Roles can be combined to reduce purchasing costs and the time and expense required for administration. The possible combinations are limited mainly by the following aspects:
- Security/protection requirements of the IT system
- Design-related restrictions in Windows Server 2003
- Scalability requirements
The following distribution of roles is recommended. In each case, the planned combination of roles must be tested.
- Application Server, Certificate Server, Web Server, RAS/VPN Server:
These roles should be used separately from other roles, mainly for security reasons.
- Terminal Server, Print Server:
These roles should be separated from other roles, mainly for design and scalability reasons. For example, drivers from other manufacturers are installed on print servers, and these can affect the availability of the server.
- Bastion Host:
A Bastion Host is a computer with particular protection requirements that is connected directly to the Internet. Bastion hosts are generally used as Web servers, DNS servers, FTP servers, SMTP servers, and NNTP servers. The bastion host role is suitable for servers in vulnerable areas but should not be combined with other server roles.
- Combinations
Infrastructure services can be operated together on a common server. If Active Directory is used, then it is recommended to integrate the DNS into the domain controllers. WINS should not be used on the domain controller in medium-sized and large-scale environments when there are high security requirements.
In many cases, it makes sense to assign additional roles to a file server, for example infrastructure services. Even the streaming media server role can be assumed by a file server.
It is possible to use remote installation services (RIS) on a file server, for example in the context of Help Desk scenarios. However, the security of the server can be affected by the remote installation services.
The services for the mail server role can be combined with other roles for certain administrative or infrastructural purposes. In this case, the requirements definition should make a clear distinction between this role and the role of the bastion host.
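To make the role separation and combination rules above checkable against a written role plan, the following is an added example (not part of the original safeguard and not a Microsoft tool) that encodes those rules as a small Python check; the server names and the sample plan are constructed.

```python
"""Check a planned Windows Server 2003 role distribution against the
separation rules of S 4.276 (added example; rules transcribed from the text)."""

# Roles that should run on a server of their own, with the reason given in the text.
ISOLATED_ROLES = {
    "Application Server": "security",
    "Certificate Server": "security",
    "Web Server": "security",
    "RAS/VPN Server": "security",
    "Terminal Server": "design/scalability",
    "Print Server": "design/scalability",
    "Bastion Host": "security",
}

# Standard roles the text allows to share a server (infrastructure services, file server extras).
COMBINABLE_ROLES = {
    "File Server", "Domain Controller", "DNS Server", "DHCP Server", "WINS Server",
    "Streaming Media Server", "Remote Installation Server", "Mail Server",
}


def check_plan(servers, high_security=False):
    """servers: dict mapping a server name to the set of roles planned for it.
    Returns a list of findings (empty list means the plan follows the rules)."""
    findings = []
    for name, roles in servers.items():
        for role in sorted(roles):
            if role in ISOLATED_ROLES and len(roles) > 1:
                findings.append(f"{name}: '{role}' should be isolated ({ISOLATED_ROLES[role]} reasons)")
            elif role not in ISOLATED_ROLES and role not in COMBINABLE_ROLES:
                findings.append(f"{name}: '{role}' is not a standard role; assess compatibility case by case")
        if high_security and {"Domain Controller", "WINS Server"} <= roles:
            findings.append(f"{name}: WINS on a domain controller is not recommended with high security requirements")
        if {"Remote Installation Server", "File Server"} <= roles:
            findings.append(f"{name}: RIS on a file server; note that RIS can affect the security of the server")
    return findings


SAMPLE_PLAN = {  # constructed example plan, not a real environment
    "SRV-INFRA": {"Domain Controller", "DNS Server", "DHCP Server", "WINS Server"},
    "SRV-FILE": {"File Server", "Streaming Media Server", "Remote Installation Server"},
    "SRV-WEB": {"Web Server", "Certificate Server"},
    "SRV-DMZ": {"Bastion Host"},
}

if __name__ == "__main__":
    for finding in check_plan(SAMPLE_PLAN, high_security=True):
        print(finding)
```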
- Other server applications and services
The Internet Information Services (IIS) contain basic services for various server roles (e.g. for a web server) but do not represent a separate server role themselves. When planning, you should differentiate between static and dynamic IIS components due to the different levels of security.
- Additional server roles can be provided using extra software. Compatibility with the standard roles must be assessed on a case-by-case basis, and the possible conflicts described above when combining roles must be taken into account. Planning should be based on the results of the software selection process (see module 1.10 Standard software).
16-bit applications and other outdated software that do not offer any security mechanisms in the application layer or do not support the Windows Server 2003 mechanisms pose a higher security risk to the server. For this reason, special requirements for securing the data and network levels must be taken into account when planning the Windows Server 2003 environment. This is relevant technically as well as organisationally.
- Roles in heterogeneous environments
Heterogeneous server environments with existing services and roles also have an influence on the role planning process, especially when existing services are migrated to or consolidated in Windows Server 2003, or when the parallel implementation of certain roles on different platforms is planned (a classic example of this is DNS). Finally, the role plan also depends on the format and migration capabilities of the existing databases and production systems, as well as on the associated medium-term and long-term strategies.
Considerations when configuring the server
The scale of the hardware is determined based on the aspects of performance, availability, and the server role.
In terms of the performance, the minimum requirements of the manufacturer as well as the requirements catalogue should be taken into account. Load simulation tools from the Microsoft web site or from server manufacturers allow you to predict the response of Windows Server 2003 components to various load scenarios. In particular, the maximum number of simultaneous users must be carefully estimated and forecast. If the server will have a high number of users or will be used intensively, then collecting several servers together to form a cluster should be considered.
The planned server roles and server applications, the expected load, and the amount of data expected determine the additional parameters of the hardware configuration. Important additional parameters include, for example, the hard disk array layout and the partition layout. It is recommended to configure independent hard disk arrays (RAID levels) for performance and availability reasons for certain server roles, e.g. for file servers or database servers. The software RAID version of Windows Server 2003 allows you to configure an economical data-redundant setup quickly. However, such a setup cannot be used to increase performance and in most cases cannot compensate for the loss of a hard disk during live operation. Hardware RAID levels are to be preferred in all cases when planning.
The planning of the partition layout should be based on the amount of data to be expected and on the logical separation of different types of data. For example, it makes sense to create a separate partition containing just the operating system and the program files. User data and temporary data should be stored in separate partitions that can be located on other disk arrays, if necessary. In Windows Server 2003 with Service Pack 1 or lower, hard disk quotas can only be configured at the partition or volume level.
Network connection
When planning the use of Windows Server 2003, it is necessary to consider a suitable network connection based on the selected server role. The required communication protocols can be derived from the server role(s). In this case you must check if the communication protocol conflicts with the network concept, the security policies for the communication protocol, and if applicable, the concept for the security gateways. The data throughput the server must be able to handle can be determined based on the number of client accesses expected. Lower performance is to be assumed for encrypted accesses. The performance of the server should therefore be scaled, for example using faster processors and network adapters or, on the software side, with the help of network load distribution in a cluster running Windows Server 2003. Both the communication protocol and the data throughput are important features of the availability and must be planned carefully.
When planning a server that can be accessed over an insecure network or that is installed in a particularly vulnerable part of the network (for example a web server connected to the Internet), then higher security requirements must be taken into account. When planning a server installation in a vulnerable area, you can proceed in principle like when planning servers in protected areas, but for all planning aspects you must assume a higher risk of theft, denial of service attacks, and other attempts to compromise the servers. In addition, it must be specified conceptually how the server or servers will be isolated from the local network and how communication with the local network can be secured, if necessary. Examples of this include security gateways and DMZ layouts.
It is generally not recommended to use servers that are members of a protected Active Directory environment in vulnerable locations or in a DMZ. The security contexts should be separated accordingly.
Access capabilities
When planning to use a server, it must also be considered which access paths must or should be enabled (NetBIOS shares, WebDAV, DFS, etc.). If necessary, safeguards S 4.277 Protection of SMB, LDAP, and RPC communication under Windows Servers and S 5.132 Secure use of WebDAV under Windows Server 2003 must be taken into account in terms of securing communications. The reasons why each authorised access path is needed must be provided.
Considerations relating to server administration
When planning the server usage, the following additional aspects must be taken into account. Some subconcepts are recommended for this purpose, and existing concepts should be extended.
- planning the administration (S 2.364 Planning of administration for Windows Server 2003 and higher); this also includes any additional software necessary for administration
- monitoring (monitoring, logging, evaluation), see S 2.365 Planning of system monitoring under Windows Server 2003
- patch management, updates
- provision and preparation (S 4.281 Secure installation and preparation of Windows Server 2003, S 4.283 Secure migration of Windows NT 4 Server and Windows 2000 Server to Windows Server 2003)
- migrating existing data
Specifications for these aspects should be provided in the security policy for Windows Server 2003 and must be taken into account in further planning. A binding policy should be available for use in production.
License model
Suitable license models depend on what the Windows system is used for. Product keys and a product activation procedure are supplied with Windows Server 2003 by the manufacturer to check the licenses. It must be ensured that the IT system under examination is adequately licensed, that the individual Windows Server 2003 system can be activated or can be installed from an activation-free source, and that a license is available. This must be taken into account, if necessary, in the provision concept and in the contingency concept.
Review questions:
- When using Windows Server 2003, are the security policies of the organisation considered and implemented?
- For Windows Server 2003, were the server roles planned depending on the application scenario and the requirements defined?
- For Windows Server 2003, is compatibility between the standard server roles and additional server roles ensured?
- Lack of security mechanisms on application level: Are the special requirements for securing the data and network levels taken into account when planning the Windows Server 2003 environment?
- When dimensioning the hardware for Windows Server 2003, are performance, availability and server roles taken into account?
- Are the communication protocols used adjusted to the network concept and the security policy to counteract any conflicts?
- For Windows Server 2003, were increased security requirements defined for vulnerable locations?
- Are policies and safeguards defined for securing vulnerable Windows Server 2003 systems and isolating them from the local network?
- Are the access paths available on the Windows Server 2003 systems reduced to the required minimum, and are they documented?
- For Windows Server 2003, is the required amount of licences and installation sources available?