S 4.279 Advanced security aspects for Windows Server 2003

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Administrator

Additional safeguards are necessary to achieve the required level of protection when Windows Server 2003 is used on IT systems with high protection requirements. This refers not only to increasing the overall availability of the system (redundancy, high availability cluster), but also to specific safeguards that increase the protection of the confidentiality and integrity of applications, data, and network traffic. Under some circumstances, these safeguards can restrict functionality or interoperability. For this reason, a test environment should be available in each case to ensure that the desired functionality is maintained.

The following list of aspects applies globally and is not complete in any way. Additional precautions must be taken depending on the role of the server, the operating scenario, and the corresponding threat scenario. Additional starting points are mentioned in the safeguards specific to Windows Server 2003.

Product activation

The online product activation procedure requires an active Internet connection and use of the HTTP protocol. During the installation phase, this connection should only be implemented through a security gateway with a proxy server, i.e. the AutoActivate option may only be used together with the ActivateProxy option. The response file needs to be edited manually to do this. Activation can also be performed later using a script (for example using the post-installation script) or can be triggered manually.

If the server has a high protection requirement, then you can also use the telephone for activation.

Encryption

IPSec can be used to secure all IP-based communication connections to and from a client. When used, it is possible to authenticate the communication end points, sign the data packets, and transmit them in encrypted form so that the integrity and confidentiality of the data can be guaranteed when there are high security requirements. The subconcept for an IPSec infrastructure should take the additional administration required into account and assumes a test has already been performed in a test environment to check for compatibility with the existing systems.

If encryption conforming to the FIPS (Federal Information Processing Standard) guidelines from the government agency NIST (National Institute of Standards and Technology in the USA) is needed for the SSL/TLS protocol and for the Encrypting File System (EFS), then this can be specified on the console under Local Security Policy | Local Policies | Security Options | System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.

Enabling this setting ensures that a secure encryption algorithm is used (e.g. 3DES), but it does not always guarantee the longest possible key length. For example, AES is then not used for EFS.

In general, the increased computing power needed and the possible effect on the load response of the server should not be overlooked.

Furthermore, System Cryptography: Force strong key protection for user keys stored on the computer should be set to User is prompted when the key is first used at a minimum. This forces the user to enter a password to gain access to the private key of a security certificate.

High availability

If high availability is required, it may be necessary not only to design parts of the server hardware redundantly, but to make the entire server design redundant and place it in a high availability cluster. Windows Server 2003 Enterprise Edition supports up to eight nodes in a cluster using the cluster service, which can be optimised based on the requirements for high availability and load distribution. Each of the redundant servers should conform to the same hardware requirements. The planning required for clustering must be taken into account when planning the roles because some services are only partially clusterable.

Network Load Balancing (NLB) is supported not only in the Enterprise Edition, but also in the Web Edition and in the Standard Edition.

Denial-of-service

To secure the system against DoS attacks, the TCP/IP settings of the server (see the Resources for IT-Grundschutz, Securing IP protocols under Windows Server 2003 in the Resources for Windows Server 2003) should be checked and adjusted, if necessary. It is recommended to use administrative templates to set the Registry keys (see S 2.368 Handling of administrative templates under Windows Server 2003 and higher). These precautions should be implemented in all cases in which the server is used in an exposed environment, e.g. when used as a security gateway or in a demilitarized zone (DMZ). They are optional in a protected IT environment.

Use as a web server or as a so-called bastion host (publicly accessible computer in the corporate network) requires the implementation of additional specific safeguards, for example those described in module 5.10 Internet Information Server.

Plug and Play

Another potential threat is posed by the automatic hardware detection function (Plug & Play) if the server is not adequately protected against unauthorised physical access. It is normally sufficient to deactivate all connections that are not needed (for example in the BIOS and in the Windows Device Manager). Drives for removable data media should be removed, locked, or controlled by third-party software tools; Windows Server 2003 itself only provides a very limited range of this type of functionality.

The Plug & Play feature in Windows Server 2003 is not designed to be bypassed, and bypassing it adversely affects the stability of the system. The additional testing effort and the additional risks this entails are only justified when the security requirements are especially high.

Resource permissions

The default resource permissions in the system folders and for system objects are restrictive, but they should be hardened when the protection requirement is very high. To do this, the permissions for certain standard groups are removed and granted explicitly to certain user accounts instead.

The setting Local Security Policy | Local Policies | Security Options | System Objects: Default owner for objects created by members of the Administrators group is set to Administrators group by default. Owners always have special permissions for their own objects, and monitoring a group as the owner of objects is not fully reliable. The setting should therefore be changed from Administrators group to Object creator. However, this setting makes it considerably more difficult to administer the server.
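The settings named in the Encryption, Denial-of-service and Resource permissions sections all end up as registry values, so an export of the relevant keys (for example with `reg export`) can be audited against a baseline. The following script is an added example and not part of the safeguard text: it parses a .reg export, checks the FIPS, key protection and default-owner values described above plus SynAttackProtect as one of the TCP/IP hardening values from the Resources document, and reports PASS, FAIL or MISSING for each. The sample export is constructed for illustration; the registry paths are the ones Windows Server 2003 uses for these Security Options.

```python
import re

LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
CRYPTO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography"
TCPIP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"

# Baseline: (key, value name) -> (check on the DWORD, expected hardened state).
BASELINE = {
    (LSA, "FIPSAlgorithmPolicy"): (lambda v: v == 1, "FIPS compliant algorithms enabled"),
    (CRYPTO, "ForceKeyProtection"): (lambda v: v >= 1, "strong key protection: prompt at least on first use"),
    (LSA, "NoDefaultAdminOwner"): (lambda v: v == 1, "default owner of new objects: Object creator"),
    (TCPIP, "SynAttackProtect"): (lambda v: v == 1, "SYN flood protection enabled"),
}

# Constructed sample export (not from a real system): FIPS mode and SYN protection
# are on, key protection and the default-owner setting are still at their defaults.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"FIPSAlgorithmPolicy"=dword:00000001
"NoDefaultAdminOwner"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography]
"ForceKeyProtection"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000001
"""


def parse_reg(text):
    """Return {(key, name): int} for every REG_DWORD in a .reg export (case-folded)."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()  # registry paths are case-insensitive
            continue
        m = re.match(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if m and key is not None:
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values


def audit(text):
    """Map each baseline description to PASS, FAIL or MISSING (absent: default applies)."""
    values = parse_reg(text)
    report = {}
    for (key, name), (check, desc) in BASELINE.items():
        value = values.get((key.lower(), name.lower()))
        report[desc] = "MISSING" if value is None else ("PASS" if check(value) else "FAIL")
    return report
```

Files written by `reg export` are UTF-16 with a byte-order mark, so open a real export with `encoding="utf-16"` before passing its contents to `audit()`.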

Review questions: