Windows Server 2008 builds on the success and strengths of its predecessor, Windows
Server 2003, and is designed to provide organizations with the most productive
platform for powering applications, networks, and Web services from the
workgroup to the datacenter, with exciting, valuable new functionality and powerful
improvements to the base operating system.
Windows Server 2008 has many granular improvements over Windows Server 2003
and Windows Server 2003 R2, but many of these improvements are low-level. As a
result, Janalent views Windows Server 2008 as an incremental improvement over
Windows Server 2003, not as a major shift (such as Windows NT Server 4 to
Windows Server 2000). These incremental improvements shouldn't be regarded as
"negative" because most IT organizations prefer incremental improvements that can
be digested easily, rather than large technology jumps that require massive changes
to the established processes, and infrastructure.
Windows Server 2008 excels in just about every area when compared to previous
versions of Windows Server. Whichever pieces of the functionality you use, you'll
find it faster, easier to deploy, much more sensible in its defaults, and less work
for more output. But of all the reasons to consider upgrading to Windows Server
2008, the foremost is security, security, and security.
It would be pointless to argue against having a secure IT infrastructure. The
infiltration of company servers and data can have a tremendous negative impact on
an organization. Windows Server 2008 introduces several new features designed with
security in mind, including Read-Only Domain Controllers (RODC), Network Access
Protection (NAP), Server Core, Terminal Services RemoteApp publishing, and
BitLocker, to name just a few.
This whitepaper discusses how your organization can benefit from the security that
Windows Server 2008 offers. Although this paper focuses on the security features
of Windows Server 2008, there are a myriad of other compelling features you may
benefit from.
In the infrastructure design and restructuring arena, Janalent has quickly become a
recognized leader and "go to" partner for design, integration and migration
consulting services. Many of our consultants have over 15 years' experience
designing and deploying infrastructure solutions for the largest environments in the
world. Our subject matter experts know that, to be successful, initiatives require a
careful balance of people, process, and technology. Ignore any of these areas, and
your probability of success is significantly reduced. Our end goal is to help move
organizations toward the "Information Workplace" of tomorrow, where users have
a seamless, contextual and role-based environment in which to work.
Analyze: To provide a solution that fits both the organization's business and technology
needs, we begin by analyzing the current technology environment, the business drivers a
solution must satisfy, and the organizational culture of the enterprise. By combining
best-practice business and technology analysis techniques, our consultants create an
analysis reference that supports all other phases of the methodology.
Align: Using the analysis reference created in the first phase, our consultants will assess the
current alternatives and craft a technology solution that will not only be technically
innovative and elegant, but will also support the needs and unique business requirements of
the enterprise.
Design: The design phase of ADE is focused on an accelerated but methodical design,
proof of concept, validation and documentation of the business and technology solution
created by Janalent. Drawing upon information collected, analyzed, and aligned in Phases 1
& 2, our experienced consultants and project managers produce a proven and robust
solution ready for deployment.
Deploy: The deployment phase of ADE provides the opportunity to pilot, incorporate
lessons-learned, and execute on action plans around deployment and our Rapid Project
Execution (RPE) processes.
Evolve: The long-term key to success in our partnerships with clients is our continual
evaluation and focus on innovation. Our solution evolution activities focus on continually
enhancing and working with our clients on their systems to make those solutions even more
valuable to the organization.
Janalent is a Strategic Global Service Partner and Value Added Reseller for AvePoint.
AvePoint is recognized as the leading software solution vendor within the SharePoint
backup/restore and disaster recovery market.
Network Appliance, Inc. (NetApp) is a world leader in unified storage solutions for today's
data-intensive enterprise. NetApp® storage solutions include specialized hardware,
software, and services, providing seamless storage management for open network
environments. Janalent provides solution architecture and advanced subject matter
expertise for NetApp on Microsoft infrastructure products.
In addition to the partners listed above, Janalent maintains many valuable partnerships with
industry-leading software, hardware, and systems integration organizations. For a complete
list of Janalent partnerships, please visit our website at www.janalent.com.
With the release of Windows Server 2008, Microsoft has provided enterprise
customers with a product that provides security out of the box. The concept of
secure by default is part of Microsoft’s Trustworthy Computing initiative first
introduced in 2002. The fruition of that security initiative has taken center stage
with the release of Windows Server 2008.
Now more than ever, enterprise customers have many options for introducing
enhanced security using the Windows OS. These security enhancements include a variety
of components that provide unparalleled protection. As technologies for protecting
against threat vectors advance, so do the hacker tools used to overcome these
protection mechanisms. Security needs to be implemented in layers. Given enough
resources and time, any technology can be hacked. For this very reason, a single
security technology will not suffice to deter attacks. For example, most vehicles
today have a built-in alarm system to protect the vehicle from theft. In addition to
the alarm system, many car manufacturers also install anti-theft stereo components.
Take this one step further and some drivers will also install a steering wheel lock
device. Alone, none of these security devices is enough to deter a thief from breaking
in. Taken together, they mean a thief is more inclined to break into a car that is an
easy target rather than one that is well protected. This analogy applies very well to
protecting enterprise systems.
The second, and oftentimes most dangerous, misconception is that security is a
one-time event. The truth is that security is a journey and not a destination. This means
security evolves and does not simply end. Businesses need to be prepared to evolve
their systems over time to keep ahead of the same technology that protects them
from attacks. As new threats and vulnerabilities arise, virus definitions and firewall
protection have to be updated to prevent newly discovered threats from
materializing. Left alone, any protection will eventually crumble.
BitLocker Technologies
BitLocker is a data protection feature available in Windows Server 2008, Windows Vista
Enterprise and Windows Vista Ultimate. BitLocker addresses the threats of data theft and of
exposure from stolen servers by providing a closely integrated solution in Windows Server
2008.
Transparent Operation Mode: This mode uses the capabilities of the TPM 1.2
hardware to provide a transparent experience. The key used for the disk
encryption is sealed by the TPM chip and is only released to the OS loader
code if the early boot files appear to be unmodified.
User Authentication Mode: This mode requires that the user provide some
authentication to the pre-boot environment in order to be able to boot the OS. Two
authentication modes are supported: a pre-boot PIN entered by the user, or a USB
key.
USB Key: The user must insert a USB device that contains a startup key into the
computer to be able to boot the protected OS. Note that this mode requires that the
BIOS on the protected machine support the reading of USB devices in the pre-OS
environment.
The most common BitLocker deployment scenario for Windows Server 2008 will be the
TPM-only option, primarily because the other methods require user interaction, which
is uncommon in server reboot/start-up scenarios.
VPN Services
Dial-up Services
802.11 protected access
Routing & Remote Access (RRAS)
Offer Authentication through Windows Active Directory
Control network access with policies
Network Access Protection: Network Access Protection (NAP) is a new client health
policy creation, enforcement, and remediation technology that is included in the
Windows Vista Business, Windows Vista Enterprise, and Windows Vista Ultimate
operating systems, and in the Windows Server 2008 operating system. With NAP,
administrators can establish and automatically enforce health policies which can
include software requirements, security update requirements, required computer
configurations, and other settings.
Highly Secure Wireless and Wired Access: When you deploy 802.1X wireless access
points, highly secure wireless access provides wireless users with a security-enhanced,
password-based authentication method that is easy to deploy. When you deploy
802.1X authenticating switches, wired access helps you to secure your network by
ensuring that intranet users are authenticated before they can connect to the
network or obtain an IP address using Dynamic Host Configuration Protocol (DHCP).
Remote Access Solutions: With remote access solutions, you can provide users with
VPN and traditional dial-up access to your organization’s network. You can also
connect branch offices to your network with VPN solutions.
Central Network Policy Management with RADIUS Server and Proxy: Rather than
configuring network access policy at each network access server, such as wireless
access points, 802.1X authenticating switches, VPN servers, and dial-up servers, you
can create policies in a single location that specify all aspects of network connection
requests, including who is allowed to connect, when they can connect, and the level
of security they must use to connect to your network.
The industry lost billions of US dollars to the outbreak of mass-mailing worms such as
Mydoom, Netsky, Sober and Zafi, and it was consistently the weakest-link principle that
wreaked havoc on networks that were supposed to be secure. The weakest link was most
often a remote computer, roaming laptop or home computer. Network administrators have
a new platform to mitigate this threat: Network Access Protection (NAP), a set of operating
system components included with Windows Server 2008 that helps ensure client computers
on a private network meet administrator-defined requirements for system health.
NAP enforces health requirements by monitoring and assessing the health of client
computers when they attempt to connect or communicate on a network. Client computers
that are not in compliance with the health policy can be provided with restricted network
access until their configuration is updated and brought into compliance with policy.
Depending on how NAP is deployed, noncompliant clients can be quarantined or
automatically updated so that users can quickly regain full network access without manually
updating or reconfiguring their computers.
Designed for flexibility, NAP can interoperate with any vendor's software that provides a
System Health Agent (SHA) and System Health Validator (SHV). NAP also includes an API
set for developers and vendors to build their own components for network policy validation,
ongoing compliance, and network isolation. Examples of third-party solutions that work
with Network Access Protection include antivirus, patch management, VPN, and
networking equipment.
With a Server Core installation you get the kernel and the components the role needs, and
that is all you need. It allows you to have a very secure deployment of a specific Windows
role. This type of configuration allows a corporation to easily consolidate Windows servers
into very specific, locked-down roles. For example, you can have a dedicated command-line
IIS Web server, a dedicated DHCP server, or a dedicated DNS server. You could even take it
one step further and port these systems to virtual machines. Many data centers and network
operation centers (NOCs) will take advantage of a Windows Server Core installation because
it is a very secure and tight installation.
Terminal Services
Microsoft has extensively revamped the Terminal Services architecture and added new
features that were previously only available by purchasing third-party solutions such as
Citrix MetaFrame. One feature that is sure to be appreciated is the ability to publish an
application without supplying the entire remote desktop, using Terminal Services (TS)
RemoteApp. This is a more secure way of using Terminal Services oriented applications, as
users only see the application and not the entire server desktop.
Double-clicking a program icon on their desktop or Start menu that has been
created and distributed by their administrator
Double-clicking a file which has an extension associated with a TS RemoteApp
Accessing a link to the TS RemoteApp on a Web site by using TS Web Access
Another feature is the ability to publish an application over HTTPS without needing to
provide access via a Virtual Private Network (VPN) or opening up unwanted ports on
firewalls. Terminal Services Gateway enables authorized remote users to connect to
terminal servers and remote desktops (remote computers) on the corporate network from
any Internet-connected device that is running Remote Desktop Connection (RDC) 6.0.
Terminal Services Gateway uses Remote Desktop Protocol (RDP) tunneled over HTTPS to help
form a highly secure, encrypted connection between remote users on the Internet and the
remote computers on which their productivity applications run, even if the user is located
behind a network address translation (NAT) router.
Windows Firewall
Many security practitioners agree in one way or another that security should be
implemented in layers. One of these layers is host-based security, and many will agree
that implementing host-based security in today's IT environment is a requirement for
many enterprises. To assist with this process, Windows Server 2008 provides enhanced
firewall technology and Internet Protocol security (IPsec), combined into a single
interface called the "Windows Firewall with Advanced Security" MMC snap-in.
Figure 4 shows the order in which Windows Firewall with Advanced Security applies the
various types of rules. This ordering of rules is always enforced, even when rules are coming
from Group Policy. Rules, including those from Group Policy, are sorted and then applied.
Domain administrators can allow or deny local administrators the permission to create new
rules.
Figure 4. Order of evaluation (first matching rule wins): Windows Service Hardening;
Connection Security Rules; Authenticated Bypass Rules; Block Rules; Allow Rules; Default
Rules. Rule sources merged before evaluation: Group Policy 1, Group Policy 2, Local Policy.
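The consequence of the ordering the text describes is easy to miss: because rules from every source are merged and then sorted by type, a block rule from Group Policy wins over an allow rule a local administrator creates for the same port, while an authenticated bypass rule is consulted before any block rule. The following added Python model, not code from the page or from Windows itself, walks a few constructed packets through that order. The rule names, the three sources (GP1, GP2, Local plus the built-in service hardening rule) and the way connection security rules are modelled (matching traffic that is not IPsec-authenticated is dropped) are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Evaluation order from Figure 4; the first matching rule decides the packet.
ORDER = ["service_hardening", "connection_security", "authenticated_bypass",
         "block", "allow", "default"]
PRIORITY = {kind: i for i, kind in enumerate(ORDER)}


@dataclass
class Packet:
    direction: str             # "in" or "out"
    protocol: str              # "tcp" or "udp"
    port: int
    service: str = ""          # originating Windows service, if any
    ipsec_authenticated: bool = False


@dataclass
class Rule:
    kind: str                  # one of ORDER
    source: str                # "GP1", "GP2", "Local" or "Built-in"
    name: str
    action: str                # "allow" or "block" (ignored for connection_security)
    match: Callable[[Packet], bool]


def merge(*rule_sets: List[Rule]) -> List[Rule]:
    """Flatten the rules from every source and sort them by rule type only.

    A Local allow rule can therefore never jump ahead of a Group Policy block
    rule; sorted() is stable, so rules of one type keep their relative order.
    """
    return sorted((r for rs in rule_sets for r in rs), key=lambda r: PRIORITY[r.kind])


def evaluate(pkt: Packet, rules: List[Rule]) -> Tuple[str, str]:
    """Return (action, name of the deciding rule)."""
    for rule in rules:
        if rule.kind == "authenticated_bypass" and not pkt.ipsec_authenticated:
            continue  # bypass rules apply only to IPsec-authenticated traffic
        if rule.kind == "connection_security":
            # Requires IPsec for matching traffic; it never allows anything by itself.
            if rule.match(pkt) and not pkt.ipsec_authenticated:
                return "block", rule.name
            continue
        if rule.match(pkt):
            return rule.action, rule.name
    return "block", "no rule matched"


# Constructed sample rule sets, listed in the order an administrator might have created them.
BUILT_IN = [
    Rule("service_hardening", "Built-in", "dnscache may only use port 53", "block",
         lambda p: p.service == "dnscache" and p.port != 53),
]
GP1 = [
    Rule("block", "GP1", "Domain policy: block inbound RDP", "block",
         lambda p: p.direction == "in" and p.protocol == "tcp" and p.port == 3389),
    Rule("connection_security", "GP1", "Require IPsec for inbound SMB", "require",
         lambda p: p.direction == "in" and p.protocol == "tcp" and p.port == 445),
]
GP2 = [
    Rule("authenticated_bypass", "GP2", "Allow authenticated scanner host", "allow",
         lambda p: p.direction == "in"),
]
LOCAL = [
    Rule("allow", "Local", "Local admin: allow inbound RDP", "allow",
         lambda p: p.direction == "in" and p.protocol == "tcp" and p.port == 3389),
    Rule("default", "Local", "Default inbound: block", "block", lambda p: p.direction == "in"),
    Rule("default", "Local", "Default outbound: allow", "allow", lambda p: p.direction == "out"),
]
RULES = merge(GP1, GP2, LOCAL, BUILT_IN)


def decide(pkt: Packet) -> Tuple[str, str]:
    return evaluate(pkt, RULES)


if __name__ == "__main__":
    for pkt in (Packet("in", "tcp", 3389), Packet("in", "tcp", 3389, ipsec_authenticated=True),
                Packet("in", "tcp", 445), Packet("in", "tcp", 8080), Packet("out", "tcp", 80),
                Packet("out", "udp", 80, service="dnscache")):
        print(pkt, "->", decide(pkt))
```

Running it shows the local RDP allow rule never being reached for unauthenticated traffic, the same packet being admitted once it is IPsec-authenticated (bypass rules sort ahead of block rules), and the built-in service hardening rule stopping the DNS client service from talking on a foreign port before any policy rule is consulted.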
Windows Server 2008 is the most secure server product from Microsoft to date. Microsoft
has focused on building Windows Server 2008 from the ground up with security as a key focus.
Organizations should take a serious look at the security benefits Windows Server 2008 has to
offer.
As external threats and technology advance, so does the need to decrease the attack
surface to minimize risk. Over the last five years, Microsoft has ratcheted up its effort to
develop enterprise products that are secure out of the box. With Windows Server 2008,
Microsoft listened to customers' requests for a more secure product.
Security should not be thought of as a destination, but as a journey. Security does not end
with the deployment of technological services; it is a journey and an ongoing process.
Security technologies have come far, but every security initiative should have two
components: advanced security technologies and strong security policies. Implemented
together, the technology and the policies will go a long way toward minimizing security
risks in the enterprise.
To celebrate the release of Microsoft’s most significant Server release in history, Janalent is
offering a free* Windows Server 2008 Organizational readiness assessment. To take
advantage of this exciting offer, or to find out more about Janalent’s Infrastructure &
Architecture solutions including Windows Server 2008, please contact one of our solution
professionals at +1-888-290-4870, or by email at info@janalent.com. For more information
about Janalent or the authors, please visit www.janalent.com
Kenneth Ta, CISSP, PMP, MCSE (NT/2000/2003), MCITP Windows Server 2008