S 4.418 Planning the use of Windows Server 2008
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Head of IT, Administrator
Due to the increased differentiation of roles during the installation phase, the planning phase has an even higher importance before using Windows Server 2008 as compared to earlier Windows versions. For example, the role of the Server Core can only be selected at the time of installation; subsequent change of this role is not possible. Correspondingly, the selected roles and features must be thoroughly adjusted to the requirements of the intended use of the Windows Server 2008 system.
Based on S 2.315 Planning the use of servers and S 4.409 Purchasing of Windows Server 2008, the following safeguard describes the essential aspects to be noted during the planning phase before using a Windows Server 2008.
Creating a rough concept
A Windows Server 2008 installation is planned in several steps.
The actual planning can follow the top-down design principle: Based on a basic concept for the overall system, specific plans are specified for subcomponents in detailed subconcepts. The following questions are handled, for example, in the basic concept:
- Will a new network be built or will an existing network be migrated?
- Should an existing Windows network (for example based on Windows 2000 Server or Windows Server 2003) be migrated entirely or only in part to Windows Server 2008? Direct migration of Windows NT systems to Windows Server 2008 is not possible.
- Is an additional server to be introduced, or an existing server to be upgraded?
- Which components, e.g. file servers, print servers, or DNS servers, will be replaced and which will be kept?
- Do existing procedures or components, for example a Kerberos system or even an existing PKI, need to be integrated into Windows Server 2008? In this case, the interoperability with other IT systems as well as the range of functions offered must be taken into account, amongst others.
- Is the server configuration planned sufficient to handle peak loads and the amount of data expected?
- Is the licensing model adequate and suitable for the preparation concept and the contingency concept?
- Is a mixed operation of Windows Server 2008 and other operating systems, such as Windows 2000 or 2003, Novell, or Unix, necessary? This may have an effect on the authentication procedures used in the system that, depending on the other operating systems used, may also show vulnerabilities, correspondingly lowering the security of the Windows Server 2008 environment as a whole. The necessary security requirements for such a mixed environment should be defined in a security policy.
Selection of roles and features
With Windows Server 2003 R2, Microsoft introduced server roles.
These are applications that either can be installed subsequently or, like the Server Core, must be configured at the time of installation. Up to Windows Server 2003, applications such as the Internet Information Services (IIS) or other basic services such as printing and file services were installed as standard installation.
In contrast, a newly installed Windows Server 2008 does not have a role or function to be fulfilled after installation. These roles and functions must be explicitly allocated and configured by the administrator for each system.
Besides the roles, there are also Features. Usually, they represent an extension of an existing role, but, like the WINS service, may also represent a completely separate function.
The combination of a minimal basic installation and specifically selected roles and features represents a significant improvement of security, because this enables all systems to only install the functions actually required. The necessity to uninstall functions or services not required is no longer applicable.
Installation and configuration of server roles or features is usually made using the Server Manager. This is the central management tool of a Windows Server 2008 (see S 4.x-10 Use of the security tools).
On a Windows Server 2008 R2, seventeen different roles can be selected. the following table provides an overview of these roles and the availability of the corresponding role per edition.
| Server role | Enterprise | Datacenter | Standard | Web | Itanium | Foundation |
|---|---|---|---|---|---|---|
| Active Directory Certificate Services | Yes | Yes | Limited | No | No | Limited |
| Active Directory Domain Services | Yes | Yes | Yes | No | No | Yes |
| Active Directory Federation Services | Yes | Yes | Yes | No | No | No |
| Active Directory Lightweight Directory Services | Yes | Yes | Yes | No | No | Yes |
| Active Directory Rights Management Services | Yes | Yes | Yes | No | No | Yes |
| Application Server | Yes | Yes | Yes | No | Yes | Yes |
| DHCP Server | Yes | Yes | Yes | No | No | Yes |
| DNS Server | Yes | Yes | Yes | Yes | No | Yes |
| Fax servers | Yes | Yes | Yes | No | No | Yes |
| File Services | Yes | Yes | Limited | No | No | Limited |
| Hyper-V | Yes | Yes | Yes | No | No | No |
| Network Policy and Access Services | Yes | Yes | Limited | No | No | Limited |
| Print and Document Services | Yes | Yes | Yes | No | No | Yes |
| Remote Desktop Services | Yes | Yes | Limited | No | No | Limited |
| Web Services (IIS) | Yes | Yes | Yes | Yes | Yes | Yes |
| Windows Deployment Services | Yes | Yes | Yes | No | No | Yes |
| Windows Server Update Services (WSUS) | Yes | Yes | Yes | No | No | Yes |
Combination of Windows Server 2008 (R2), Windows Vista and Windows 7
In principle, all combinations of the server and client systems approved and supported by Microsoft can be used within a Windows domain.
However, it must be taken into account that the complete use of all functions, in particular for newly introduced group policy objects, is only possible in combination with the corresponding client system. Corresponding server client combinations are e.g. Windows Server 2008 and Windows Vista or Windows Server 2008 R2 and Windows 7.
Examples of usable functions that are exclusively available for the combination of Windows Server 2008 R2 and Windows 7 include, among others:
- DirectAccess: The creation of VPN connections using DirectAccess is only possible with the combination of Windows Server 2008 R2 and Windows 7. The same applies to the VPN-Reconnect function.
- BranchCache: This Windows 7 client function enables minimisation of the WAN traffic in branches.
- Remote Desktop Services: The new functions of the server role of a Windows Server 2008 R2 formerly known as terminal services can now be completely used by Windows 7 client systems.
It can be assumed that new functions will be added when introducing further releases or service packages. This particularly applies for introduction of new server or client systems.
Review questions:
- Was configuration of the Windows Server 2008 system carefully planned, taking into account all relevant requirements?
- Do the selected roles and features meet the requirements of the scheduled use of the Windows Server 2008 system?
- Were the restrictions of present older systems or the particularities of a mixed operation sufficiently taken into account in the planning of a Windows Server 2008?