S 4.283 Secure migration of Windows NT 4 Server and Windows 2000 Server to Windows Server 2003
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
There are usually several goals to be reached and various reasons for updating a previous version of Windows to Windows Server 2003. There is a very wide variety of organisational and technical starting points. For this reason, comprehensive and careful planning that takes the goals to be reached into account is essential when updating a server. The requirements in S 2.315 Planning the use of servers and S 2.319 Migration of servers must be taken into account. When migrating a Windows NT server installation, the specifications in S 2.233 Planning the migration from Windows NT to Windows 2000 also apply in general.
Advantages and disadvantages of various migration paths
When deciding on a migration path, the particular advantages and disadvantages of updating an existing server (in-place upgrade) must be weighed carefully against the advantages and disadvantages of a new installation. Under some circumstances, the security standard of an updated server will differ significantly from the security standard of a newly installed Windows Server 2003 system because old "problems" or old concepts are still implemented. The Windows version present on the server before the update is also an important factor. The default security settings on an updated Windows Server 2003 system are not the same as the default settings in a new installation. The settings are set differently by the setup program depending on which version and service pack is being updated. For example, if Windows NT 4.0 Server is updated to Windows Server 2003, then the resulting settings will be different from those on a system where Windows 2000 Server is updated to Windows Server 2003.
To implement a homogeneous security policy, the security configurations need to be modified depending on the initial situation (version, role, and configuration).
Updating an existing server generally requires less work since the existing users, groups, and rights are kept. Files and applications do not have to be reinstalled.
In contrast, a new installation with a freshly formatted hard disk provides higher performance. The hard disk partitions can also be modified to meet the current requirements. A new installation is recommended on servers having very high availability requirements. If this is not the case, then you must back up the old data and completely defragment the partitions.
Preparation
The manufacturer information, especially the documentation supplied on the installation media (e.g. in the \DOC directory on the Windows Server 2003 installation media) must be taken into account. Before updating, it must be checked if the update requirements are fulfilled. This includes the upgrade capability of the different versions of the operating system. The system requirements and hardware compatibility can be found in the manufacturer documentation or checked using the setup program on the Windows Server 2003 installation medium by setting the Check System Compatibility option. In addition to the recommended manufacturer requirements, the capacity needed in the production environment (hard disk space, memory, etc.) must also be taken into account. Under some circumstances, it may help to have information on the existing devices and drivers available in case it is necessary to intervene manually. It is recommended to create an inventory list for the server documenting its components specifications (such as the name, type, number, IRQ, I/O address, etc.). If drivers are offered by the manufacturers for these components, then these drivers should be obtained in advance.
The use of Windows Server 2003 may require the use of new drivers that only work with newer BIOS versions. This should only be done, though, after it has been determined which driver versions require which BIOS versions.
If
- clusters,
- volume sets,
- mirror sets,
- stripe sets, or
- FAT/FAT32 partitions
are located on the server to be updated, then they must be given special consideration. Here, use of FAT is generally not recommended.
Software that will continue to be operated on the server after updating must be tested for compatibility in advance. This type of software includes anti-virus software, backup and management systems, and encryption applications, among others.
The name, name service, and network settings of the server to be migrated must be selected so that no conflicts or additional threats arise in any phase.
You will find more information on this subject in the Resources for IT-Grundschutz (see DNS/WINS/DHCP as an infrastructure service under Windows Server 2003 in the Resources for Windows Server 2003).
A productive Windows Server 2003 system should only have one operating system installed (with the exception of the recovery console) and should only contain NTFS partitions.
It should be examined if it would be useful to create a checklist from the knowledge gained and requirements specified in the planning phase. This can be used for documented verification of functioning in case of test migration and above all after execution of migration.
Execution
After the successful completion of all tests, the migration of a productive server should be coordinated with business operations. At the specified time, the server is to be removed from production operation to perform the installation. A full backup of the data must be created.
Only software from secure sources can be used for installation (S 2.273 Prompt installation of security-relevant patches and updates). The most recent service packs, security patches, and drivers must be available. The installation procedure is more secure and easier to repeat later when the software is provided on suitable removable media such as CDs or DVDs.
During installation, an active network connection is required on the server. The serial connections of any uninterruptible power supplies attached should be disconnected due to possible complications when the interfaces are detected.
The Dynamic Updates option for updating over the Internet as well as unattended updates are to be avoided since there are usually a few special items that require you to make a decision or intervene somehow when updating servers used in production environments. Internet connections used during installation of a server require additional security safeguards and entail avoidable risks. In addition, the availability of such connections cannot be guaranteed.
Aids
The migration of a server to new hardware is supported by tools provided by Microsoft. The availability of support in case of problems must be clarified with the manufacturer before these tools and utilities are used. They should be carefully selected and tested before use. Tools from third party providers can also be used.
- The File Server Migration Toolkit (FSMT) is used to migrate and consolidate the data from old file servers. The permissions at the NTFS and share level are also migrated by FSMT in addition to the data.
- The Microsoft Print Migrator migrates printer drivers and their configurations, but without security privileges.
- The Active Directory Migration Tool (ADMT) is available for migrating and consolidating domains.
- The Virtual Server Migration Toolkit (VSMT) can be used to migrate the operating system and applications installed on a physical server to a virtual machine running MS Virtual Server 2005.
Post-emergency tasks
After completing each major step, for example after restarting the Windows Server 2003 system, the Event Viewer must be examined for critical errors and warnings.
Depending on the product version and the license agreement, it may be necessary to activate the product. Information on product activation can be found in the Resources for IT-Grundschutz (see Selection of suitable licensing methods for Windows XP/Server 2003 in the Resources for Windows Server 2003).
Security configuration
The security configuration in Windows Server 2003 is set up using various tools whose configuration ranges partially overlap. You can also define your own policies and templates.
- After updating, a prepared security configuration is to be set up on the server with the help of the Security Configuration Wizard (SCW). The role of the server being configured must already be defined at this time.
- With the Microsoft Management Console (MMC), templates for security settings are created and applied, if necessary, using security configuration and analysis and security templates. It is also possible to apply these templates using group policies. In the Windows Server 2003 Security Guide (available online from the manufacturer), there are recommended security templates, descriptions, and documentation templates available. These recommendations must be adapted in each case to the specific requirements. You will find additional help in safeguards S 4.280 Secure basic configuration of Windows Server 2003 and higher and S 2.366 Use of security templates under Windows Server 2003.
The Event Viewer must always be checked after completing a security configuration.
In Windows Server 2003, the Internet Explorer is set to "High" security by default. The limitations resulting from this setting can be eliminated by placing the corresponding Internet addresses in the Trustworthy Sites zone or by placing the corresponding UNC paths in the Local Intranet zone. The user must possess the necessary permissions to configure Internet Explorer.
Under Windows Server 2003, additional local groups and users, e.g. remote desktop uses, network configuration operators, support_388945a0 (disabled), were created; these must be considered and taken into account.
The directory path for user profiles has changed since Windows NT 4.0. Existing scripts and procedures are to be adapted to reflect this change, if necessary.
Review questions:
- Is the migration directory of Windows Server 2003 systems documented and adjusted to the security policies of the organisation?
- Was the capability of upgrading to Windows Server 2003 verified in advance (drivers, meeting of manufacturers' hardware requirements etc.) and documented in a checklist?
- Is a security configuration performed for system hardening after installation of Windows Server 2003?