
Accessing Tomorrow’s Security Protection Today

Protecting your Organization with Windows Server 2008 Security Technologies

Rick Pollak, Senior Solutions Consultant, MCITP Windows Server 2008


Kenneth Ta, Mgr. Enterprise Solutions, CISSP, PMP, MCITP Windows Server 2008
www.janalent.com +1-888-290-4870 info@janalent.com
© 2008 Janalent Corporation, All Rights Reserved
Executive Summary

Windows Server 2008 builds on the success and strengths of its predecessor, Windows
Server 2003, and is designed to provide organizations with the most productive
platform for powering applications, networks, and Web services from the
workgroup to the datacenter, with exciting, valuable new functionality and powerful
improvements to the base operating system.

Windows Server 2008 has many granular improvements over Windows Server 2003
and Windows Server 2003 R2, but many of these improvements are low-level. As a
result, Janalent views Windows Server 2008 as an incremental improvement over
Windows Server 2003, not as a major shift (such as Windows NT Server 4 to
Windows 2000 Server). These incremental improvements shouldn't be regarded as
"negative", because most IT organizations prefer incremental improvements that can
be digested easily over large technology jumps that require massive changes
to established processes and infrastructure.

Windows Server 2008 excels in just about every area when compared to previous
versions of Windows Server. Whichever pieces of the functionality you use, you'll
find it faster, easier to deploy, much more sensible in its defaults, and less work
for more output. But of all the reasons to consider upgrading to Windows Server
2008, the foremost is security, security, and security.
It would be pointless to argue against having a secure IT infrastructure. The
infiltration of company servers and data can have a tremendous negative impact on
an organization. Windows Server 2008 introduces several new features designed with
security in mind, including Read-Only Domain Controllers (RODC), Network Access
Protection (NAP), Server Core, Terminal Services RemoteApp publishing, and
BitLocker, just to name a few.

This whitepaper discusses how your organization can benefit from the security that
Windows Server 2008 offers. Although this paper focuses on the security features
of Windows Server 2008, there are myriad other compelling features you may
benefit from.

2 Accessing Tomorrow’s Security Protection Today using Windows 2008


www.janalent.com
Contents
Executive Summary ...................................................................................................... 2
About Janalent – Organization Profile ......................................................................... 4
Lines of Business .......................................................................................................... 5
Janalent Infrastructure Design & Restructuring Solutions.................................... 5
Delivery Methodology.................................................................................................. 6
Selected Partnerships .................................................................................................. 7
WhitePaper Overview .................................................................................................. 8
Business Challenges ..................................................................................................... 9
Windows Server 2008 Security Features ................................................................... 10
BitLocker Technologies .............................................................................................. 10
Modes of Operation ............................................................................................ 11
Read-Only Domain Controllers .................................................................................. 12
Network Policy and Access Services .......................................................................... 13
Available Network Access Services ..................................................................... 13
Network Access Protection ........................................................................................ 14
Server Core Installation.............................................................................................. 15
What do I get with Server Core? ................................................................................ 16
Terminal Services ................................................................................................ 16
RemoteApp Presentation.................................................................................... 17
Windows Firewall ................................................................................................ 17
Order of Windows Firewall Rules Evaluation...................................................... 18
Conclusion .................................................................................................................. 19
Janalent Windows Server 2008 Launch Offer ............................................................ 19
About The Authors ..................................................................................................... 20

About Janalent – Organization Profile
As an innovative Business & Technology Consulting Solutions organization, Janalent
is focused on providing the highest-level balanced business and technology
expertise available in the marketplace. Janalent strives to go beyond the
boundaries of traditional consulting firms and believes that true return on
investment requires today's battle-proven corporate leaders to align business and
technology processes with the overall strategic direction of the organization. Our
mission is to ensure customer success by providing innovative, business-enabling
solutions based on our core operating philosophy and organization mantra of
Knowledge, Wisdom, and Performance.

Janalent’s philosophy is one of partnership, and our clients' and partners’ success is
our ultimate goal. Delivering solutions that enable, support, and enhance our
clients' ability to be successful is our ultimate measure of success. More broadly,
we regularly help our clients and key partners with the high-level planning,
implementation approach, migration approach, and management of many of the
largest and most complex KM/SharePoint, Exchange, and Active Directory initiatives
in the world. Our consultants have successfully delivered engagements to over 500
customers across every industry on five continents.

In the infrastructure design & restructuring arena, Janalent has quickly become a
recognized leader and “go to” partner in the area of design, integration & migration
consulting services. Many of our consultants have over 15 years' experience
designing and deploying infrastructure solutions for the largest environments in the
world. Our subject matter experts know that, to be successful, initiatives require a
careful balance of people, process, and technology. Ignore any of these areas, and
your probability of success is significantly reduced. Our end goal is to help move
organizations toward the "Information Workplace" of tomorrow, where users have
a seamless, contextual and role-based environment in which to work.

Our consultants have extensive experience in analyzing and designing complex
infrastructure & knowledge management solutions. From performing requirements
analysis and aligning technical activities with business goals in an organizational
strategy, to designing and deploying technology that enables business processes
and people activities, while educating and evolving the use of infrastructure
solutions (people, process, and technology) within the organization, our consultants
are considered THE experts who have done it all.

Lines of Business
Janalent focuses on four primary lines of business. These lines of business are supported by
our distinctive competencies, experience, partnership model, customer engagement process,
and ADE² Success Methodology™. Our lines of business are:

Janalent Infrastructure Design & Restructuring Solutions

As a valued Microsoft Certified Gold Partner, we combine the highest-level subject matter
experts, best-in-class tools, and a proven methodology to successfully deliver the RIGHT
solution for your organization the first time. Our world-class infrastructure design &
restructuring solutions are built upon our proven approach for success with the following
key capabilities:

Analysis & Alignment
• Opportunity Analysis
• Infrastructure Discovery & Assessment
• Business Case Preparation
• Current environment catalog
• Utilization Analysis
• Infrastructure Business Process Mapping
• Hardware / Software Assessment
• Source - Target Solutions analysis

Architecture & Design
• Infrastructure Methodology Design
• Infrastructure Design Options Mapping
• Infrastructure system design
• Directory structure architecture and design
• Messaging system architecture and design
• Migration Planning, and process design
• Capacity planning & Storage Optimization
• Back-up and recovery solutions

Deployment & Migration
• Directory & Messaging System deployment
• Merger, Acquisition, & Divestiture execution
• Organization integration
• Toolset subject matter expertise
• Client advocacy to vendor community

Training, Knowledge Transfer & Next Steps
• Solution documentation
• Knowledge Transfer with key personnel
• Customized training for client personnel
• After-Action Review
• Next Steps Definition

Delivery Methodology
Janalent’s ADE² Success Methodology™ is a business- and technology-balanced methodology
focused on providing both valuable business enablement and efficient, effective
technology solutions. Our methodology has been built by incorporating the unrivaled
experience of our consulting solutions professionals, industry-proven best practices, and the
feedback of our customers and partners.

ADE² is a six-phase solution success framework consisting of Analysis, Alignment, Design,
Deployment, Education, and solution Evolution. The framework is a cycle focused on
continual improvement and solution enhancement. The following is a short summary of the
ADE² Success Methodology™ phases:

Analyze: To provide a solution that fits both the organization’s business and technology
needs, we begin by analyzing the current technology environment, the business drivers a
solution must satisfy, and the organizational culture of the enterprise. By combining best-
practice business & technology analysis techniques, our consultants will create an analysis
reference that will support all other phases of the methodology.

Align: Using the analysis reference created in the first phase, our consultants will assess the
current alternatives and craft a technology solution that will not only be technically
innovative and elegant, but will also support the needs and unique business requirements of
the enterprise.
Design: The design phase of ADE² is focused on an accelerated but methodical design,
proof of concept, validation and documentation of the business and technology solution
created by Janalent. Drawing upon information collected, analyzed, and aligned in Phases 1
& 2, our experienced consultants and project managers produce a proven and robust
solution ready for deployment.

Deploy: The deployment phase of ADE² provides the opportunity to pilot, incorporate
lessons learned, and execute on action plans around deployment and our Rapid Project
Execution (RPE) processes.

Educate: We believe that no solution implementation is successful without educating
administrators, line-of-business managers, and other interested parties in the design,
deployment, and management best practices of the solution, so our client’s project teams
can take ownership without disruption or process breakdown.

Evolve: The long-term key to success in our partnerships with clients is our continual
evaluation and focus on innovation. Our solution evolution activities focus on continually
enhancing and working with our clients on their systems to make those solutions even more
valuable to the organization.

Selected Partnerships

Janalent is a field-managed Microsoft Gold Certified Partner with advanced competencies
achieved in Advanced Infrastructure Solutions, Information Worker Solutions, Networking
Infrastructure Solutions, and Security Solutions. Janalent’s focus and competence in
Microsoft technologies have made Janalent a partner of choice in our regions for Active
Directory, Exchange, SharePoint and other Microsoft infrastructure technologies.

Janalent is a Strategic Global Service Partner and Value Added Reseller for AvePoint.
AvePoint is recognized as the leading software solution vendor within the SharePoint
backup/restore and disaster recovery market.

Network Appliance, Inc. (NetApp) is a world leader in unified storage solutions for today's
data-intensive enterprise. NetApp® storage solutions include specialized hardware,
software, and services, providing seamless storage management for open network
environments. Janalent provides solution architecture and advanced subject matter
expertise for NetApp on Microsoft infrastructure products.

Janalent consultants are recognized as global leaders in the architecture, design, and
deployment of Quest Software toolsets and are routinely engaged to provide solution
architecture for the largest and most complex initiatives using Quest Software tools.
Janalent is an Elite Managed Channel Partner for Quest Software and is both a Value Added
Reseller and a strategic service delivery partner.

In addition to the partners listed above, Janalent maintains many valuable partnerships with
Industry leading Software, Hardware, and Systems Integration organizations. For a complete
list of Janalent partnerships, please visit our website at www.janalent.com.

WhitePaper Overview

With the release of Windows Server 2008, Microsoft has provided enterprise
customers with a product that provides security out of the box. The concept of
secure by default is part of Microsoft’s Trustworthy Computing initiative first
introduced in 2002. The fruition of that security initiative has taken center stage
with the release of Windows Server 2008.

Now more than ever, enterprise customers have many options for introducing
enhanced security using the Windows OS. These security enhancements include a variety
of components that provide unparalleled protection. As the technology for protecting
against attack vectors advances, so do the hacker tools used to overcome those
protection mechanisms. Security needs to be implemented in layers: given enough
resources and time, any technology can be hacked, and for this very reason a single
security technology will not suffice to deter attacks. For example, most vehicles
today have a built-in alarm system to protect the vehicle from theft. In addition to
the alarm system, many car manufacturers also install anti-theft stereo components.
Some drivers take this one step further and also install a steering wheel lock.
Alone, none of these devices is enough to deter a thief from breaking in; together,
they mean a thief is more inclined to break into a car that is an easy target than
one that is well protected. This analogy applies very well to protecting enterprise
systems.

Some of the enhanced security features Microsoft introduces in Windows Server
2008 provide very good targeted protection in many different areas. For instance,
to help protect the data residing on servers, Microsoft introduced BitLocker Drive
Encryption. To protect the network, Microsoft introduced Network Access Protection
(NAP), which prevents clients that do not meet security standards from gaining
network access. Microsoft has also beefed up and simplified host-based security with
the enhanced protection of the Windows Firewall with Advanced Security MMC
snap-in. With these enhanced security protection features, enterprises have no
excuse for not having a secure environment.

Business Challenges
There are many business challenges to being secure, but only two that can quickly
derail an organization’s security initiative. The first is that many enterprise
customers struggle to recognize the value security brings to the enterprise.
Implemented correctly, the value enhanced security brings to the table is beyond
imagination. As many security practitioners will agree, not having to deal with
lawsuits from compromised systems, or with the embarrassment of publicly
announcing the theft of confidential data, is enough to warrant the additional
protection.

The second, and oftentimes most dangerous, is the misconception that security is a
one-time event. The truth is that security is a journey, not a destination: it evolves
and does not simply end. Businesses need to be prepared to evolve their systems over
time to keep ahead of the same technology that protects them from attacks. As new
threats and vulnerabilities arise, virus definitions and firewall protection have to be
updated to prevent newly discovered threats from materializing. Left alone, any
protection will eventually come crumbling down.

Windows Server 2008 Security Features
The following sections outline new or significantly enhanced security features in Windows
Server 2008. We strive to provide a balanced and real-world representation of the features
that provide real value to the enterprise.

BitLocker Technologies
BitLocker is a data protection feature available in Windows Server 2008, Windows Vista
Enterprise and Windows Vista Ultimate. BitLocker addresses the threats of data theft and of
exposure from a stolen server by providing a solution closely integrated with Windows
Server 2008.

Figure 1. BitLocker Components

Data on a stolen server is vulnerable to unauthorized access, either by running a software
attack tool against it or by transferring the computer’s hard disk to a different computer.
BitLocker helps mitigate unauthorized data access by enhancing Windows Server 2008 file
and system protections.

Key Features and Benefits of BitLocker

• Provides encryption for entire volumes
• Uses Advanced Encryption Standard (AES) encryption in cipher block chaining (CBC) mode
• Enhances data protection by bringing together two major sub-functions: drive
encryption and integrity checking of early boot components

Modes of Operation
BitLocker provides three modes of operation. The first two modes require a cryptographic
hardware chip called a Trusted Platform Module (TPM, version 1.2 or later) and a compatible
BIOS:

Transparent Operation Mode: This mode uses the capabilities of the TPM 1.2 hardware to
provide a transparent experience. The key used for the disk encryption is encrypted by the
TPM chip and is released to the OS loader code only if the early boot files appear to be
unmodified.
User Authentication Mode: This mode requires the user to provide some authentication to
the pre-boot environment before the OS can boot. Two authentication methods are
supported: a pre-boot PIN entered by the user, or a USB key.

The final mode does not require a TPM chip:

USB Key: The user must insert a USB device containing a startup key into the computer to
boot the protected OS. Note that this mode requires that the BIOS on the protected machine
support reading USB devices in the pre-OS environment.

Authentication method | Requires user interaction | Description
TPM only | No | TPM validates early boot components.
TPM + PIN | Yes | TPM validates early boot components. The user must enter the correct PIN before the start-up process can continue and before the drive can be unlocked. A Trusted Computing Group (TCG) compliant TPM version 1.2 helps to protect the PIN from brute-force attacks.
TPM + startup key | Yes | The TPM validates early boot components, and a USB flash drive containing the startup key must have been inserted.
Startup key only | Yes | The user is prompted to insert the USB flash drive that holds the recovery key and/or startup key and reboot the computer.
Table 1. BitLocker Authentication Methods

The most common deployment scenario for BitLocker on Windows Server 2008 will be the
TPM-only option. The primary reason is that the other methods require user interaction,
which is uncommon in server reboot/start-up scenarios.
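As an added example (not code from the whitepaper), the following PowerShell script reports which of the Table 1 authentication methods each volume on a server is using and flags configurations that would stall an unattended reboot or leave no recovery path. It assumes an elevated PowerShell session on a host with BitLocker installed; the Win32_EncryptableVolume class, its method names and the numeric codes are assumed from the BitLocker WMI provider documentation.

```powershell
# Added example, not code from the whitepaper. Reports the BitLocker
# authentication method (Table 1) in use on each volume of this server.
# Assumes an elevated PowerShell session on a host with BitLocker installed;
# class, method and code values are assumed from the BitLocker WMI provider.

$bitlockerNamespace = "root\CIMV2\Security\MicrosoftVolumeEncryption"

# KeyProtectorType codes returned by Win32_EncryptableVolume.GetKeyProtectorType
$protectorNames = @{
    0 = "Unknown"
    1 = "TPM only"
    2 = "External key (startup key only)"
    3 = "Numerical password (recovery password)"
    4 = "TPM + PIN"
    5 = "TPM + startup key"
    6 = "TPM + PIN + startup key"
    7 = "Public key"
    8 = "Passphrase"
}

# ProtectionStatus codes returned by GetProtectionStatus
$statusNames = @{ 0 = "Off"; 1 = "On"; 2 = "Unknown" }

# Protector types that need someone at the console during boot (see Table 1).
$interactiveTypes = @(2, 4, 5, 6, 8)

function Get-BitLockerAuthReport {
    $volumes = Get-WmiObject -Namespace $bitlockerNamespace -Class Win32_EncryptableVolume
    foreach ($vol in $volumes) {
        $status = [int]($vol.GetProtectionStatus().ProtectionStatus)

        # Argument 0 asks for key protectors of every type.
        $types = @()
        foreach ($id in $vol.GetKeyProtectors(0).VolumeKeyProtectorID) {
            $types += [int]($vol.GetKeyProtectorType($id).KeyProtectorType)
        }

        $methods  = @()
        $findings = @()
        foreach ($t in $types) {
            $methods += $protectorNames[$t]
            if ($interactiveTypes -contains $t) {
                # A server with this protector cannot come back from a reboot unattended.
                $findings += ($protectorNames[$t] + " requires console interaction at boot")
            }
        }
        if ($status -ne 1) {
            $findings += ("protection is " + $statusNames[$status])
        }
        if (-not ($types -contains 3)) {
            $findings += "no recovery password; a TPM fault or board replacement locks the volume"
        }

        $row = New-Object PSObject
        $row | Add-Member -MemberType NoteProperty -Name Drive      -Value $vol.DriveLetter
        $row | Add-Member -MemberType NoteProperty -Name Protection -Value $statusNames[$status]
        $row | Add-Member -MemberType NoteProperty -Name Methods    -Value ([string]::Join(", ", $methods))
        $row | Add-Member -MemberType NoteProperty -Name Findings   -Value ([string]::Join("; ", $findings))
        $row
    }
}

Get-BitLockerAuthReport | Format-Table -AutoSize
```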

Read-Only Domain Controllers

A RODC is a domain controller that you can install at a remote location. Its sole
purpose is to host a read-only copy of your Active Directory (AD) database. This is
well suited for locations such as branch offices, where the physical security of the
domain controller cannot be guaranteed.

In the real world, a major financial institution could keep all of its writable domain
controllers in corporate headquarters and put a RODC in every branch office
throughout the country, instead of the current common practice of placing a fully
writable domain controller in each branch.

Key Features and Benefits of Read-Only DCs

• Read-only Active Directory database
• Only the passwords of explicitly allowed users are cached on the RODC
• Unidirectional replication
• Role separation
• Increased security for remote domain controllers where physical security
cannot be guaranteed

Branch office environments typically deploy a hub-and-spoke site topology. In
larger environments, this type of topology can put a significant load on bridgehead
servers in the hub site. Bridgehead servers are further constrained because inbound
replication is serialized. RODCs that are deployed in the spoke sites can relieve the
inbound replication load on bridgehead servers because they never replicate any
changes.
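As an added example (not code from the whitepaper), this PowerShell script enumerates the RODCs in the current domain and reports each one's password replication policy and currently cached secrets, which is the first thing to audit for a branch-office RODC. It assumes a domain-joined host, a caller permitted to read the RODC computer objects, and the msDS-RevealOnDemandGroup, msDS-NeverRevealGroup and msDS-RevealedList attribute names from the Windows Server 2008 schema; the risk checks at the end are the example's own heuristics.

```powershell
# Added example, not code from the whitepaper. Lists each RODC in the domain
# with its password replication policy (which groups it may and may not cache
# secrets for) and the accounts whose secrets it currently caches.
# Assumes a domain-joined host and a caller allowed to read RODC computer
# objects; the msDS-* attribute names are assumed from the 2008 AD schema.

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext

# Copies a DirectorySearcher property value collection into a string array,
# returning an empty array when the attribute is absent.
function Get-PropertyValues($values) {
    $list = @()
    if ($values -ne $null) {
        foreach ($v in $values) { $list += [string]$v }
    }
    return ,$list
}

function Get-RodcPasswordPolicy {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://" + $domainDn)
    # RODC computer accounts have "Read-only Domain Controllers" (RID 521) as their primary group.
    $searcher.Filter = "(&(objectClass=computer)(primaryGroupID=521))"
    foreach ($attr in "name", "msDS-RevealOnDemandGroup", "msDS-NeverRevealGroup", "msDS-RevealedList") {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }
    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties      # keys come back lower-cased
        $rodc = New-Object PSObject
        $rodc | Add-Member -MemberType NoteProperty -Name Name    -Value ([string]$p["name"][0])
        $rodc | Add-Member -MemberType NoteProperty -Name Allowed -Value (Get-PropertyValues $p["msds-revealondemandgroup"])
        $rodc | Add-Member -MemberType NoteProperty -Name Denied  -Value (Get-PropertyValues $p["msds-neverrevealgroup"])
        $rodc | Add-Member -MemberType NoteProperty -Name Cached  -Value (Get-PropertyValues $p["msds-revealedlist"])
        $rodc
    }
}

# Groups that should never appear in a branch-office RODC's allowed list:
# caching them means a stolen RODC yields every member's password hash.
$broadGroups = @("CN=Domain Users,", "CN=Domain Admins,", "CN=Enterprise Admins,", "CN=Administrators,")

function Test-RodcPolicyRisk($rodc) {
    $warnings = @()
    foreach ($dn in $rodc.Allowed) {
        foreach ($prefix in $broadGroups) {
            if ($dn -like ($prefix + "*")) { $warnings += ("allows caching for " + $dn) }
        }
    }
    if ($rodc.Denied.Count -eq 0) {
        $warnings += "deny list is empty; privileged accounts are not protected from caching"
    }
    return ,$warnings
}

foreach ($rodc in Get-RodcPasswordPolicy) {
    "RODC: " + $rodc.Name
    "  allowed groups: " + $rodc.Allowed.Count
    "  denied groups:  " + $rodc.Denied.Count
    "  cached secrets: " + $rodc.Cached.Count
    foreach ($w in (Test-RodcPolicyRisk $rodc)) { Write-Warning ($rodc.Name + ": " + $w) }
}
```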

Figure 2. Secret Caching Process

Network Policy and Access Services


Network Policy and Access Services in Windows Server 2008 delivers a variety of methods to
help provide users with secure local and remote network connectivity, connect network
segments, and allow network administrators to centrally manage network access and client
health policies.

Available Network Access Services


There are numerous network access services provided by Windows Server 2008. These
services provide enhanced connectivity options that enable companies to access their
network when and how they need to:

• VPN services
• Dial-up services
• 802.11 protected access
• Routing & Remote Access (RRAS)
• Authentication through Windows Active Directory
• Network access control with policies

Network Policy and Access Services in Windows Server 2008 provides the following network
connectivity solutions:

Network Access Protection: Network Access Protection (NAP) is a new client health
policy creation, enforcement, and remediation technology that is included in the
Windows Vista Business, Windows Vista Enterprise, and Windows Vista Ultimate
operating systems, and in the Windows Server 2008 operating system. With NAP,
administrators can establish and automatically enforce health policies which can
include software requirements, security update requirements, required computer
configurations, and other settings.
Highly Secure Wireless and Wired Access: When you deploy 802.1X wireless access
points, highly secure wireless access provides wireless users with a security-enhanced,
password-based authentication method that is easy to deploy. When you deploy
802.1X authenticating switches, wired access helps you to secure your network by
ensuring that intranet users are authenticated before they can connect to the
network or obtain an IP address using Dynamic Host Configuration Protocol (DHCP).
Remote Access Solutions: With remote access solutions, you can provide users with
VPN and traditional dial-up access to your organization’s network. You can also
connect branch offices to your network with VPN solutions.
Central Network Policy Management with RADIUS Server and Proxy: Rather than
configuring network access policy at each network access server, such as wireless
access points, 802.1X authenticating switches, VPN servers, and dial-up servers, you
can create policies in a single location that specify all aspects of network connection
requests, including who is allowed to connect, when they can connect, and the level
of security they must use to connect to your network.

Network Access Protection

The industry lost billions of US dollars in the outbreaks of mass-mailing worms such as
Mydoom, Netsky, Sober, and Zafi. In each case it was the weakest-link principle that played
havoc with networks that were supposed to be secure, and the weakest link was most often a
remote computer, roaming laptop, or home computer. Network administrators now have a
platform to mitigate this threat: Network Access Protection (NAP), a new set of operating
system components included with Windows Server 2008 that helps ensure client computers on
a private network meet administrator-defined requirements for system health.

NAP enforces health requirements by monitoring and assessing the health of client
computers when they attempt to connect or communicate on a network. Client computers
that are not in compliance with the health policy can be provided with restricted network
access until their configuration is updated and brought into compliance with policy.
Depending on how NAP is deployed, noncompliant clients can be quarantined or
automatically updated so that users can quickly regain full network access without manually
updating or reconfiguring their computers.

Key Features and Benefits of using NAP
• Help ensure the ongoing health of desktop computers on the LAN that are
configured for DHCP, that connect through 802.1X authenticating devices, or
that have NAP IPsec policies applied to their communications.
• Enforce health requirements for roaming laptops when they reconnect to the
company network.
• Verify the health and policy compliance of unmanaged home computers that
connect to the company network through a VPN server running the Routing
and Remote Access Service (RRAS).
• Determine the health of, and restrict the access of, visiting laptops brought
into the organization by partners and other guests.

Designed for flexibility, NAP can interoperate with any vendor’s software that provides a
System Health Agent (SHA) and System Health Validators (SHVs). NAP also includes an API
set for developers and vendors to build their own components for network policy validation,
ongoing compliance, and network isolation. Examples of third-party solutions that work
with Network Access Protection would be antivirus, patch management, VPN, and
networking equipment.

Server Core Installation


Server Core is a minimal installation of Windows Server 2008 and does not come with a
graphical user interface. The idea is that you only install the services you need. The benefits
of a Server Core installation are reduced attack surface and reduced patch surface.
Troubleshooting should be easier, as well, and we would expect increased stability because
of the smaller code footprint. Finally, Server Core has lower hardware requirements due to
its smaller OS footprint. The available roles include:

• Active Directory Domain Services (AD DS)
• Active Directory Lightweight Directory Services (AD LDS)
• DHCP Server
• DNS Server
• File Services
• Print Services
• Streaming Media Services
• Web Server (IIS 7)

Figure 3. Windows 2008 Server Core options during install

What do I get with Server Core?


With a Server Core installation, you get none of the following: desktop shell (Aero,
wallpaper, etc.), CLR and .NET Framework, MMC console or snap-ins, Start menu, Control
Panel, Internet Explorer, Windows Mail, WordPad, Paint, Windows Explorer, Run box, etc.

You do get the kernel, and that is all you need. It allows you to have a very secure
deployment of a specific Windows role. This type of configuration allows a corporation to
easily consolidate Windows servers into very specific, locked-down roles. For example, you
can have a dedicated command-line IIS Web server, a dedicated DHCP server, or a dedicated
DNS server. You could even take it one step further and move these systems to virtual
machines. Many data centers and network operations centers (NOCs) will take advantage of a
Windows Server Core installation because it is a very secure and tight installation.

Terminal Services
Microsoft has extensively revamped the Terminal Services architecture and added features
that were previously available only by purchasing third-party solutions such as Citrix
MetaFrame. One feature that is sure to be appreciated is the ability to publish an application
without supplying the entire remote desktop, using Terminal Services (TS) RemoteApp. This is
a more secure way of delivering Terminal Services-hosted applications, as users see only the
application and not the entire server desktop.

RemoteApp Presentation
TS RemoteApp programs are accessed through Terminal Services and look and act as if they
are running on the end user's local computer. Users can run TS RemoteApp programs side by
side with their local programs. If a user runs more than one RemoteApp program on the same
terminal server, the programs share a single Terminal Services session. Users can access
TS RemoteApp programs in a number of ways:

• Double-clicking a program icon on their desktop or Start menu that has been
created and distributed by their administrator
• Double-clicking a file whose extension is associated with a TS RemoteApp program
• Accessing a link to the TS RemoteApp program on a Web site by using TS Web Access

Another feature is the ability to publish an application over HTTPS, without needing to
provide access via a Virtual Private Network (VPN) or open unwanted ports on firewalls.
Terminal Services Gateway enables authorized remote users to connect to terminal servers
and remote desktops (remote computers) on the corporate network from any
Internet-connected device that is running Remote Desktop Connection (RDC) 6.0.
Terminal Services Gateway uses Remote Desktop Protocol (RDP) tunneled over HTTPS to help
form a highly secure, encrypted connection between remote users on the Internet and the
remote computers on which their productivity applications run, even if the user is located
behind a network address translation (NAT) router.

Windows Firewall
Many security practitioners agree in one way or another that security should be
implemented in layers, and one of these layers is host-based security. Many will agree
that implementing host-based security in today’s IT environment is a requirement for
many enterprises. To assist with this, Windows Server 2008 provides enhanced firewall
technology and Internet Protocol security (IPsec) combined into a single interface called
the “Windows Firewall with Advanced Security” MMC snap-in.

Key Features and Benefits

· New GUI – an MMC snap-in is now available to configure the advanced firewall.
· Bi-directional – filters outbound traffic as well as inbound traffic.
· Integrated with IPsec – firewall rules and IPsec encryption configuration are now managed in one interface.
· Advanced rules configuration – you can create firewall rules (exceptions) for Windows Active Directory (AD) service accounts and groups, source/destination IP addresses, protocol numbers, source and destination TCP/UDP ports, ICMP, IPv6 traffic, and interfaces on the Windows Server.

Order of Windows Firewall Rules Evaluation
Windows Firewall with Advanced Security supports the following types of rules:
Windows Service Hardening: This type of rule restricts services from establishing
connections. Service restrictions are configured out-of-the-box so that Windows services
can only communicate in specific ways (e.g., restricting allowable traffic to a specific
port), but until you create a firewall rule, traffic is still not allowed.
Connection security rules: This type of rule defines how and when computers
authenticate using IPsec. Connection security rules are used in establishing server and
domain isolation, as well as in enforcing NAP policy.
Authenticated bypass rules: This type of rule allows connections from particular
computers if the traffic is protected with IPsec, regardless of other inbound rules in
place. The specified computers are allowed to bypass inbound rules that block traffic. For
example, you could allow remote firewall administration from only certain computers
by creating authenticated bypass rules for those computers, or enable support for
remote assistance by the Help Desk.
Block rules: This type of rule explicitly blocks a particular type of incoming or outgoing
traffic.
Allow rules: This type of rule explicitly allows a particular type of incoming or outgoing
traffic.
Default rules: These rules define the action that takes place when a connection does not
match any higher-order rule. Out-of-the-box, the inbound default is to block
connections and the outbound default is to allow connections.

Figure 4 shows the order in which Windows Firewall with Advanced Security applies the
various types of rules. This ordering of rules is always enforced, even when rules are coming
from Group Policy. Rules, including those from Group Policy, are sorted and then applied.
Domain administrators can allow or deny local administrators the permission to create new
rules.

Figure 4 lists the rule types in order of evaluation, highest precedence first: Windows
Service Hardening, Connection Security Rules, Authenticated Bypass Rules, Block Rules,
Allow Rules, Default Rules. Rules are merged from Group Policy 1, Group Policy 2 and
Local Policy before this ordering is applied.

· Local rule merge is configurable via Group Policy
· Default rules come from the highest precedence GPO

Figure 4. Order of Rules Evaluation
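To make the precedence concrete, here is an added Python model of the evaluation order described above; it is example code written for this edit, not code from the paper or from Windows Firewall itself. The rule set, the peer names and the hypothetical service "svc-a" are constructed, and connection security rules are assumed to have already run, with their outcome carried in the ipsec_auth flag of each connection.

```python
# Rule types in the precedence order of Figure 4; the shipped default rules are the fallback.
# Connection security rules are not modelled as allow/block here: the paper says they only
# decide how peers authenticate, so their outcome is the Conn.ipsec_auth flag (an assumption).
PRECEDENCE = ("service_hardening", "authenticated_bypass", "block", "allow")

class Conn:
    def __init__(self, direction, port, remote, service=None, ipsec_auth=False):
        self.direction, self.port, self.remote = direction, port, remote
        self.service, self.ipsec_auth = service, ipsec_auth  # ipsec_auth: IPsec peer identity verified

def rule(kind, direction="in", port=None, service=None, peers=()):
    """Build a rule as a dict; port=None matches any port."""
    return dict(kind=kind, direction=direction, port=port, service=service, peers=frozenset(peers))

def matches(r, c):
    if r["direction"] != c.direction:
        return False
    if r["kind"] == "service_hardening":        # hardening is keyed on the service name
        return r["service"] == c.service
    return r["port"] in (None, c.port)

def decide(c, rules):
    """Return 'allow' or 'block'; the first rule type in PRECEDENCE that yields a decision wins."""
    for kind in PRECEDENCE:
        hits = [r for r in rules if r["kind"] == kind and matches(r, c)]
        if not hits:
            continue
        if kind == "service_hardening":
            # A hardened service may only talk on the ports its hardening rules list.
            if not any(r["port"] in (None, c.port) for r in hits):
                return "block"
        elif kind == "authenticated_bypass":
            # Only IPsec-authenticated peers on the list skip the block rules below.
            if c.ipsec_auth and any(c.remote in r["peers"] for r in hits):
                return "allow"
        else:
            return kind                          # an explicit block or allow rule decides
    return "block" if c.direction == "in" else "allow"   # shipped default rules

# Constructed sample policy: RDP (3389) is blocked for everyone except IPsec-authenticated
# admin workstations; the hypothetical service "svc-a" is hardened to port 8080 only.
RULES = [
    rule("service_hardening", service="svc-a", port=8080),
    rule("authenticated_bypass", port=3389, peers={"admin-ws"}),
    rule("block", port=3389),
    rule("allow", port=3389),    # never reached for 3389: block rules outrank allow rules
    rule("allow", port=80),
]
```

Note that a hardened service on its permitted port still ends at the default inbound block unless an allow rule exists, which is exactly the behaviour the paper describes for service hardening.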

Conclusion

Windows Server 2008 is the most secure server product from Microsoft to date. Microsoft
has focused on building Windows Server 2008 from the ground up with security as a key focus.
Organizations should take a serious look at the security benefits Windows Server 2008 has to
offer.

As external threats and technology advance, so does the need to decrease the attack
surface to minimize risk. Over the last five years, Microsoft has ratcheted up its effort to
develop enterprise products that are secure out of the box. With Windows Server 2008,
Microsoft listened to customers’ requests for a more secure product.

Security should not be thought of as a destination, but as a journey. Security does not end
with the deployment of technological services; it is an ongoing process. Security
technologies have come a long way, but every security initiative should have two
components: advanced security technologies and strong security policies. Implemented
together, the technology and the policies will go a long way toward minimizing security risks
in the enterprise.

Janalent Windows Server 2008 Launch Offer

To celebrate the release of Microsoft’s most significant Server release in history, Janalent is
offering a free* Windows Server 2008 organizational readiness assessment. To take
advantage of this exciting offer, or to find out more about Janalent’s Infrastructure &
Architecture solutions including Windows Server 2008, please contact one of our solution
professionals at +1-888-290-4870, or by email at info@janalent.com. For more information
about Janalent or the authors, please visit www.janalent.com.

About The Authors

Rick Pollak, MCSE (NT/2000/2003), MCITP Windows Server 2008

Rick is a Senior Enterprise Solutions Consultant for Janalent
Corporation, a Quest Software Elite Regional Channel Partner and
field-managed Microsoft Gold Partner. He brings an extremely
impressive track record of technical achievements, global
architecture, and professional services delivery with a deep
understanding of the business needs and requirements of different
organizations. He has participated in many enterprise-oriented
architecture and design projects, security assessments, and migrations for
Microsoft Exchange and Active Directory.

Kenneth Ta, CISSP, PMP, MCSE (NT/2000/2003), MCITP Windows Server 2008

Ken is a Manager in Janalent’s Enterprise Solutions practice and is
responsible for technical delivery and engagement management. He
has been involved with strategic IT consulting for Fortune 1000
companies and brings an extremely impressive track record of
technical achievements with a deep understanding of the business
needs and requirements of different organizations. Ken is an
industry-recognized professional specializing in architecture, design,
deployment and migrations of complex Fortune 1000 enterprise
systems.

Ken has been involved in numerous enterprise security initiatives for
Fortune 1000 enterprises. He has been recognized by (ISC)² as a Certified
Information Systems Security Professional (CISSP) since 2001. He has
been involved in projects ranging from performing security audits
and penetration attacks to developing information security policies
and emergency response teams.
