Server Roles Review

The physical hardware and logical components of the network are necessary to provide a number of features for the network, such as connectivity, routing and switching capabilities, network security, and access control. The network infrastructure has to exist before you can deploy the servers that support the services and applications your users require. While Windows Server 2003 provides a number of features and tools when you install it on a computer, you have to implement additional features and functionality on a server to provide the services and capabilities required by the organization and its users.

With Windows Server 2003 came the introduction of server roles. Server roles group related administrative tasks, and are used to provide a specific capability or function to the network design. With Windows Server 2003, if you configure a server for a certain server role, a number of additional services, features and tools are installed for the server. In this manner, the server is set up to provide the required services to your users. Servers can be configured to perform a number of roles. The applications that the server is running specify the role of the particular server.

Planning Server Security

For Windows Server 2003, there are a number of different server roles that you can configure using the Configure Your Server Wizard of the Manage Your Server utility. A few common server roles are listed below:

  • File server role; the file server role is responsible for storing data for network users, and providing access to files stored on the file server. File servers enable users to store files in a centralized location, and enable users to share files with one another.

  • Print server role; this role enables administrators to configure network printing capabilities for the network and manage printing functions on the network. The print server is the computer where the print drivers are located that manage printing between printers and client computers. The print servers manage the print queues, and can also supply audit logs on jobs printed by users.

  • Application server role; the application server role makes Web applications and distributed applications available to users. A Web server typically contains a copy of a World Wide Web site and can also host Web-based applications. Internet Information Services 6.0 (IIS 6.0), introduced with Windows Server 2003, is Microsoft's integrated Web server that enables you to create and manage Web sites within your organization, and share and distribute information over the Internet or an intranet.

  • Mail server role; the mail server role provides e-mail services for the network, by providing the functionality needed for users to send and receive e-mail messages. Mail servers store e-mail data, process client requests and receive incoming e-mail from the Internet. The Simple Mail Transfer Protocol (SMTP) and Post Office Protocol 3 (POP3) TCP/IP based protocols are installed when you configure the mail server role.

  • Terminal server role; Terminal Services has the ability to operate as an application server that remote clients can connect to and run sessions from. The Terminal Services server runs the applications. When a client establishes a connection to Terminal Services, it creates a Terminal Services session for the client. All processing is handled by the Terminal Services server. Clients use very little bandwidth on the underlying network when they establish a connection.

  • Remote access server/VPN server; the Windows Server 2003 remote access and VPN server role can be used to provide remote access to clients through dial-up connections or through Virtual private networks (VPNs). The Windows Server 2003 Routing and Remote Access Service (RRAS) server provides a number of features and capabilities, including LAN-to-LAN routing, LAN-to-WAN routing, Virtual private network (VPN) routing, Network Address Translation (NAT) routing, additional routing features such as IP multicasting and packet filtering, and can assign DHCP addresses to RRAS clients.

  • Domain controller role; a domain controller is a computer running Windows 2000 or Windows Server 2003 that contains a replica of the Active Directory domain directory. A domain controller is a server that stores a writable copy of Active Directory, and maintains the Active Directory data store. Domain controllers in Active Directory also maintain the security policy of the domain. Domain controllers provide security for the domain by authenticating user logon attempts. Specific roles can be assigned to domain controllers within a domain and forest. Domain controllers that are assigned special master roles are called Operations Masters. These domain controllers host a master copy of specific data in Active Directory, and replicate this data to the remaining domain controllers. The different types of master roles which can be configured on domain controllers are the Schema Master role, Domain Naming Master role, Relative ID (RID) Master role, PDC Emulator role, and Infrastructure Master role. In addition to these roles, a Global Catalog (GC) server role can also be installed on a domain controller. The global catalog server stores a full replica of all objects in its host domain, and a partial replica of objects for the remainder of the domains in the forest. The partial replica contains those objects which are frequently searched for.

  • DNS server role; the DNS server role resolves domain names to IP addresses, and IP addresses to domain names. A DNS server is a computer running the DNS service that provides domain name services. The information in the DNS database of a DNS server pertains to a portion of the DNS domain tree structure or namespace. This information is used to provide responses to client requests for name resolution. A DNS server is authoritative for the contiguous portion of the DNS namespace that it hosts. You can configure different server roles for your DNS servers. The different DNS server roles which you can configure are the Standard Primary DNS server, Standard Secondary DNS server, Caching-only DNS server, Master DNS server, and Dynamic DNS Server.

  • WINS server role; a WINS server is an enhanced NetBIOS name server designed by Microsoft to resolve NetBIOS computer names to IP addresses. WINS provides name resolution services for clients that need to resolve IP addresses to NetBIOS names, and vice versa. A WINS-enabled client can communicate with a WINS server that is located anywhere on the internetwork. All Windows operating systems prior to Windows 2000 require NetBIOS name support; Windows 2000 was the first Windows operating system where NetBIOS naming was no longer required. You might still need to provide support for NetBIOS naming if you have legacy applications.

  • DHCP server; the primary function of a DHCP server is to automatically assign IP addresses to DHCP clients. You can configure a server as a DHCP server so that it can automatically assign IP addresses to DHCP clients. The DHCP server dynamically assigns IP addresses to DHCP clients, and can also assign TCP/IP configuration information to DHCP clients, including subnet mask information, default gateway IP addresses, DNS server IP addresses, and WINS server IP addresses.

  • Streaming media server; the streaming media role provides media services so that clients can access streaming audio and video. The Windows Media Services is used to provide media services to clients, and can be configured on server platforms, and on enterprise platforms.

Selecting the Operating System (OS)

For each of the server roles mentioned above which can be configured in Windows Server 2003, you need to decide on the security configuration that should be used for that specific server role. When planning server security, one of the initial elements that you need to ascertain is which Windows operating system (OS) you will use in the organization. This is particularly important because each operating system offers different security configurations which you can use to implement server security.

The Windows server operating systems are listed below, together with the minimum system requirements for installing each specific operating system. For you to install a particular Windows operating system for a server, the particular server should meet the minimum system requirements of the particular operating system:

  • Windows NT Server 4:

    • Processor; 486/33 MHz or higher Pentium; OR Pentium Pro

    • Hard disk; For Intel/compatible systems 125MB minimum available hard disk space. For RISC based systems 160MB minimum available hard disk space

    • RAM; 16MB (recommended, 32MB).

    • CPU; Retail, up to 4 CPUs. Hardware vendor, up to 32 CPUs.

  • Windows 2000 Server:

    • Processor; 133 MHz or higher Pentium compatible

    • Hard disk; 2GB, 1GB free space

    • RAM; 128MB (recommended, 256MB; maximum 4GB)

    • CPU; 4 CPUs

  • Windows 2000 Advanced Server:

    • Processor; 133 MHz or higher Pentium compatible

    • Hard disk; 2GB, 1GB free space

    • RAM; 128MB (recommended, 256MB; maximum 8GB)

    • CPU; 8 CPUs

  • Windows 2000 Datacenter:

    • Processor; Pentium III Xeon or higher

    • Hard disk; 2GB, 1GB free space

    • RAM; 256MB

    • CPU; 4 CPUs – 8-way capable or above server

  • Windows Server 2003 Standard Edition:

    • Processor; 133 MHz or higher Pentium compatible

    • Hard disk; 1.5GB

    • RAM; 128MB (recommended, 256MB)

    • CPU; 4 CPUs

  • Windows Server 2003 Enterprise Edition:

    • Processor; For Itanium computers 733 MHz. For x86 computers 133 MHz.

    • Hard disk; For Itanium computers 2GB. For x86 computers 1.5GB.

    • RAM; 128MB (recommended, 256MB)

    • CPU; 8 CPUs

  • Windows Server 2003 Web Edition:

    • Processor; 133 MHz or higher Pentium compatible

    • Hard disk; 1.5GB

    • RAM; 128MB (recommended, 256MB)

    • CPU; 2 CPUs

  • Windows Server 2003 Datacenter Edition:

    • Processor; For Itanium computers 733 MHz. For x86 computers 400 MHz.

    • Hard disk; For Itanium computers 2GB. For x86 computers 1.5GB.

    • RAM; 512MB

    • CPU; 8-way capable or above, up to 64.

As mentioned previously, each Windows server operating system provides different features, and different security configurations which can be enabled to enhance server security and network security. Therefore, before deciding on the operating system to use, you have to know which server system functionality and security features are required for your network design, as determined by the organization's requirements. Each Windows server version that was introduced is accompanied by new features and additional security enhancements. This is illustrated in the remainder of this section of the article.

The editions of Windows 2000 have been designed for increased system reliability, availability and scalability.

  • Windows 2000 Server: Windows 2000 Server is an application, print and file server, and Web server OS. Windows 2000 Server provides a reliable, secure and performance-enhanced network operating system. It includes a new file encryption system, and better management tools than those provided by Windows NT. Windows 2000 Server also includes a few additional server capabilities. Windows 2000 includes infrastructure services based on the Active Directory services. Data encryption over the network (IPSec) and in the file system (EFS) were first provided in Windows 2000 Server.

  • Windows 2000 Advanced Server: This edition of Windows 2000 builds on the features provided by Windows 2000 Server to offer enhanced scalability, and higher availability. This makes Windows 2000 Advanced Server perfect for those larger organizations that need high availability for mission critical data.

  • Windows 2000 Datacenter Server: Windows 2000 Datacenter Server edition includes all the features of Windows 2000 Advanced Server, but it also provides load balancing services and enhanced clustering services. This edition of Windows 2000 is ideal for large data warehouses, and online transaction processing (OLTP).

Windows 2000 Server supports enhanced TCP/IP networking services such as Dynamic DNS (DDNS), Dynamic Host Configuration Protocol (DHCP), Automatic Private IP Addressing (APIPA), and Windows Internet Name Service (WINS) for backward support in mixed mode environments. Windows 2000 Server also provides Internet Information Services (IIS), Distributed File System (DFS), Routing and Remote Access for policy-based management of remote access servers, the Terminal Services feature, Removable Storage for managing removable media, Services for Macintosh, Gateway Services for NetWare, and Services for Unix for interoperability in a heterogeneous network environment. Windows 2000 also supports Open Database Connectivity (ODBC) software, Message Queuing Services, and Component Object Model (COM+). This makes it possible for new applications to interoperate with existing software and data. Windows 2000 includes new printer, modem and hardware drivers, which further simplify hardware installation and make it more effective. Windows 2000 includes support for USB, IEEE 1394, and Advanced Configuration and Power Interface (ACPI) device configuration and power management. Windows 2000 can support device types that are cumbersome to use in Windows NT, and includes a bidirectional parallel port driver that enables communication with many more devices. Windows 2000 includes the Plug and Play (PnP) feature. Windows 2000 supports the Win32 Driver Model (WDM) and the device driver signing feature. Lastly, Windows 2000 provides the NTFS version 5 features and security enhancements.

The Kerberos authentication protocol is the default authentication protocol used for Windows 2000, Windows XP Professional, and Windows Server 2003. Kerberos authentication was initially introduced in Windows 2000. Kerberos utilizes mutual authentication to verify the following:

  • The identity of the user

  • Whether the service or network resource can be accessed.

Kerberos authentication offers improved security over the NTLM authentication protocol, including the following:

  • Delegated authentication enables services to act on behalf of clients when accessing network resources.

  • Mutual authentication makes it possible for the server to be authenticated to the client.

  • A server can authenticate a client without contacting a domain controller.

  • Transitive trust can be used between domains within the same forest, and for domains which are connected with a forest trust relationship.

Kerberos version 5 makes use of a 'ticket' strategy to authenticate valid network users, and provides mutual authentication between users and resources. The Kerberos authentication type is dependent on the Key Distribution Center (KDC) to issue tickets. Each network client makes use of DNS to find the closest available KDC to obtain a Kerberos ticket. The ticket usually remains active for about 8 to 10 hours. The Key Distribution Center (KDC) is a service which runs as a component of Active Directory. The KDC manages the database of security account information for each security principal within a domain. The KDC holds the cryptographic key which is known only by the particular security principal and the KDC. This cryptographic key, also called a long-term key, is formed from the logon password of the user, and is used when the KDC and the security principal interact. Because each domain controller in a Windows Server 2003 domain operates as a KDC, fault tolerance is provided for the domain.
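The ticket exchange just described, as an added illustration that is not part of the original article and not Microsoft's implementation: a simplified model in Python of a KDC that derives each principal's long-term key from its password, issues a ticket sealed under the service's key, and a service that validates the ticket with its own key (no domain controller contacted) and answers with proof of the session key, which gives the mutual authentication the bullets above mention. The principals, passwords, the 5-minute clock-skew window, the PBKDF2 key derivation and the hashlib-based "seal" cipher are all constructed for this example; real Kerberos uses its own string-to-key functions and encryption types, and a separate ticket-granting ticket step that is collapsed here.

```python
import hashlib
import hmac
import json
import os

TICKET_LIFETIME = 8 * 3600   # ~8 hours, the lower end of the range given in the article
CLOCK_SKEW = 5 * 60          # assumption: 5 minutes of tolerated clock skew


def long_term_key(password: str, principal: str) -> bytes:
    """Derive a principal's long-term key from its logon password.
    Simplified model: real Kerberos uses the string-to-key functions of its
    encryption types; PBKDF2-HMAC-SHA256 stands in for that here."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:length]


def seal(key: bytes, message: dict) -> bytes:
    """Toy authenticated encryption built from hashlib (constructed for this example,
    not a real Kerberos encryption type): counter-mode keystream XOR, then an
    HMAC-SHA256 tag over nonce and ciphertext."""
    plaintext = json.dumps(message, sort_keys=True).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag first, then decrypt. A wrong key fails here."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered message")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext)


class KDC:
    """The Key Distribution Center: holds every principal's long-term key."""

    def __init__(self, passwords: dict):
        self.keys = {p: long_term_key(pw, p) for p, pw in passwords.items()}

    def issue_ticket(self, client: str, service: str, now: int) -> bytes:
        session_key = os.urandom(32)
        expires = now + TICKET_LIFETIME
        # The ticket is sealed under the SERVICE's long-term key; the client cannot read it.
        ticket = seal(self.keys[service],
                      {"client": client, "session_key": session_key.hex(), "expires": expires})
        # The reply (session key + ticket) is sealed under the CLIENT's long-term key.
        return seal(self.keys[client],
                    {"session_key": session_key.hex(), "ticket": ticket.hex(), "expires": expires})


def client_request(kdc_reply: bytes, client_key: bytes, client: str, now: int):
    """Client side: open the KDC reply and build an authenticator for the service."""
    reply = unseal(client_key, kdc_reply)
    session_key = bytes.fromhex(reply["session_key"])
    authenticator = seal(session_key, {"client": client, "timestamp": now})
    return bytes.fromhex(reply["ticket"]), authenticator, session_key


def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes, now: int) -> bytes:
    """Service side: validate the ticket with its OWN long-term key (no domain
    controller is contacted) and answer with proof of the session key (mutual auth)."""
    t = unseal(service_key, ticket)
    session_key = bytes.fromhex(t["session_key"])
    a = unseal(session_key, authenticator)
    if a["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    if now > t["expires"]:
        raise ValueError("ticket expired")
    if abs(now - a["timestamp"]) > CLOCK_SKEW:
        raise ValueError("authenticator outside clock-skew window")
    return seal(session_key, {"timestamp": a["timestamp"]})


def run_exchange(client_password: str = "P@ssw0rd-constructed", now: int = 1_700_000_000,
                 service_now: int = None) -> bool:
    """One complete exchange. Returns True on mutual authentication, False if any party rejects."""
    service_now = now if service_now is None else service_now
    # Constructed principals and passwords held by the KDC.
    kdc = KDC({"alice": "P@ssw0rd-constructed", "host/fileserver": "svc-secret-constructed"})
    try:
        client_key = long_term_key(client_password, "alice")   # derived locally by the client
        ticket, authenticator, session_key = client_request(
            kdc.issue_ticket("alice", "host/fileserver", now), client_key, "alice", now)
        proof = service_accept(kdc.keys["host/fileserver"], ticket, authenticator, service_now)
        # The client checks that the service knew the session key: mutual authentication.
        return unseal(session_key, proof)["timestamp"] == now
    except ValueError:
        return False


if __name__ == "__main__":
    print("correct password:", run_exchange())
    print("wrong password:  ", run_exchange("wrong"))
    print("expired ticket:  ", run_exchange(service_now=1_700_000_000 + 9 * 3600))
```

A wrong password fails at the client's first unseal, because the client-derived long-term key no longer matches the one the KDC used; a ticket presented after its lifetime is refused by the service alone, which is what lets the service authenticate the client without asking a domain controller.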

Windows Server 2003 supports the NTLM authentication protocol to provide compatibility with earlier operating systems (OSs) such as Windows NT 4. Secure Sockets Layer/Transport Layer Security (SSL/TLS) and digest authentication are typically used for Web applications. SSL/TLS is based on X.509 public-key certificates and enables mutual authentication between the client and server.

The Windows 2000 operating system also included support for smart cards. Smart card authentication is based on the use of smart cards and is supported in Windows 2000 and Windows Server 2003. A smart card is a security device or credit card sized hardware token which can be used to provide additional protection to applications and security protocols.

Smart cards provide the following features:

  • Secure method of user authentication

  • Interactive logon

  • Remote access logons

  • Administrator logons

  • Secure code signing

  • Secure e-mail

In network environments, smart cards are typically used for the following purposes:

  • Logging on to a computer

  • Encryption of e-mail

  • Encryption of disk files through EFS

Active Directory is in fact the most important feature introduced in Windows 2000, because it brings about a few important domain structural changes. Domains in Active Directory use the DNS domain naming structure, and not the NetBIOS naming structure used in Windows NT domains. Because of DNS, Active Directory domains are structured in a hierarchical model. A domain tree is a hierarchically structured group of domains with a contiguous namespace, while a grouping of trees with noncontiguous namespaces is called a forest. You can define trust relationships among forests to facilitate communication.

With the release of Microsoft Windows Server 2003 quite a few enhancements and features were introduced that were not previously available in Windows 2000 Active Directory. These enhancements were aimed at improving the scalability, efficiency, speed and performance of Active Directory, and addressed a few deficiencies or shortcomings of the earlier version of Active Directory utilized in Windows 2000 Server. When a domain controller running Windows Server 2003 is created, a number of Active Directory basic features are immediately installed and available to the Windows Server 2003 domain controller. Certain other Active Directory features are only available when particular conditions exist in the network.

Additional Active Directory features can be enabled, but this depends on the following conditions or factors:

  • The operating system (OS) running on the domain controller.

  • The domain functional level. In Windows 2000 Active Directory, the domain mode terminology was utilized.

  • The forest functional level.

  • Whether the functional level is raised for the domain only, or for the forest.

Domain and forest functional levels provide the means by which you can enable additional domain-wide and forest-wide Active Directory features, remove outdated backward compatibility from your environment, and improve Active Directory performance and security.

The domain functional levels that can be set for Active Directory in Windows Server 2003 are listed below. The Windows 2000 Mixed and Windows 2000 Native domain functional levels were available in Windows 2000 to enable backward compatibility with operating systems such as Windows NT 4.0. The latter two functional levels are only available with Windows Server 2003.

  • Windows 2000 Mixed: This is the default functional level implemented when you install a Windows Server 2003 domain controller. The basic Active Directory features are available when this mode is configured. The Active Directory domain features that are available in the Windows 2000 Mixed domain functional level include support for Local groups, Global groups and Distribution Groups, Distribution Group nesting, and Global Catalog support; up to 40,000 domain objects are supported.

  • Windows 2000 Native: In the Windows 2000 Native functional level, Windows NT backup domain controllers are not supported as domain controllers in the domain. Only Windows 2000 domain controllers and Windows Server 2003 domain controllers are supported. The main difference between Windows 2000 Mixed and Windows 2000 Native is that features like group nesting, Universal Groups and Security ID Histories (SIDHistory) are not available in Windows 2000 Mixed, but are available in Windows 2000 Native.

  • Windows Server 2003 Interim: This functional level is used when Windows NT domains are directly upgraded to Windows Server 2003. Windows Server 2003 Interim is basically identical to Windows 2000 Native. The key point to remember on Windows Server 2003 Interim is that this domain functional level is used when the forests in your environment do not have Windows 2000 domain controllers.

  • Windows Server 2003: The Windows Server 2003 domain functional level is used when the domain only includes Windows Server 2003 domain controllers. Once the domain level is set to the Windows Server 2003 domain functional level, it cannot be lowered to any of the previous domain functional levels. All Active Directory domain features are available in the Windows Server 2003 domain functional level, including Local and Global groups, Distribution Groups, Distribution group nesting, Security group nesting, Universal Groups, group conversion between Security Groups and Distribution Groups, Global Catalog support, SID History, support for up to 1,000,000 domain objects, renaming domain controllers, update logon timestamp, Users/Computers container redirection, constrained delegation and user password support on the InetOrgPerson object.

The forest functional levels that can be set for Active Directory in Windows Server 2003 are listed below.

  • Windows 2000: In this forest functional level, Windows NT, Windows 2000 and Windows Server 2003 domain controllers can exist in domains. The Active Directory forest features that are available in Windows 2000 forest functional level include Universal Group caching, Application directory partitions, Global Catalog replication enhancements, Installations from backups, the Active Directory quota feature, and SIS for system access control lists (SACL).

  • Windows Server 2003 Interim: Windows NT backup domain controllers and Windows Server 2003 domain controllers can exist in domains.

  • Windows Server 2003: All domain controllers in the forest have to be running Windows Server 2003 for the forest functional level to be raised to the Windows Server 2003 forest functional level. With the Windows Server 2003 forest functional level, all forest-wide Active Directory features are available, including Domain renaming, Forest Trust, Defunct schema objects, Dynamic auxiliary classes, Application groups, Universal Group caching, Application directory partitions, Global Catalog replication enhancements, Installations from backups, Active Directory quota feature, SIS for system access control lists (SACL), Improved Knowledge Consistency Checker (KCC) replication algorithms, Linked value replication, InetOrgPerson objectClass and NTDS.DIT size reduction.

How to check which domain functional level is set for the domain

  1. Open the Active Directory Domains And Trusts console.

  2. Right-click the particular domain whose functional level you want to verify, and select Raise Domain Functional Level from the shortcut menu.

  3. The Raise Domain Functional Level dialog box opens.

  4. You can view the existing domain functional level for the domain in Current domain functional level.

How to raise the domain functional level to the Windows 2000 native domain functional level or Windows Server 2003 domain functional level

Before you can raise the domain functional level to the Windows Server 2003 domain functional level, each domain controller in the domain has to be running Windows Server 2003.

To raise the domain functional level for a domain,

  1. Open the Active Directory Domains And Trusts console

  2. Right-click the particular domain whose functional level you want to raise, and select Raise Domain Functional Level from the shortcut menu.

  3. The Raise Domain Functional Level dialog box opens.

  4. Use the Select An Available Domain Functional Level list to choose the domain functional level for the domain.

  5. Click Raise.

  6. Click OK.

How to check which forest functional level is set for the forest

  1. Open the Active Directory Domains And Trusts console

  2. Right-click Active Directory Domains and Trusts in the console tree, and select Raise Forest Functional Level from the shortcut menu.

  3. The Raise Forest Functional Level dialog box opens

  4. You can view the existing forest functional level in Current forest functional level.

How to raise the forest functional level to Windows Server 2003 forest functional level

Each domain controller in the forest has to be running Windows Server 2003 before you can change the forest functional level to Windows Server 2003. When you raise the forest functional level, all domains in the forest will automatically have their domain functional level raised to Windows Server 2003.

To raise the forest functional level for a forest,

  1. Open the Active Directory Domains And Trusts console

  2. Right-click Active Directory Domains And Trusts in the console tree, and select Raise Forest Functional Level from the shortcut menu.

  3. The Raise Forest Functional Level dialog box opens.

  4. Click Raise.

  5. Click OK.

Understanding the Security Features of Firewalls

The method by which you can physically secure the network is through the use of firewalls. While firewalls provide some level of physical security, bear in mind that firewalls are just barriers which make it more difficult for intruders to attack the network.

Firewalls are categorized as follows:

  • Network firewalls: These firewalls monitor traffic entering and exiting the network, in an attempt to protect the perimeter network. Software based Microsoft Internet Security and Acceleration (ISA) Server and the hardware based Nortel Networks Alteon Switched Firewall System are network firewall solutions.

  • Host-based firewalls: These firewalls protect the individual computer on which they are configured, regardless of the network to which that computer is connected. The Internet Connection Firewall (ICF) feature of Windows XP and Windows Server 2003 is a host-based firewall solution.

Firewalls work by checking packets to determine whether they should be forwarded or dropped. The main function of the firewall is to filter traffic. TCP/IP packets have an IP packet header, followed by a TCP header or a UDP header, and then the actual content of the packet. Between them, these headers contain the IP address and port number of the sender (source), and the IP address and port number of the receiver (destination). A TCP header contains the following additional information as well: sequence numbers and acknowledgment numbers, and conversation state.

As packets pass through the firewall, they are examined according to the filtering parameters configured for the firewall. The filtering parameters define which packets are allowed to pass through the firewall. By default, firewalls typically deny all packets other than those they have been explicitly configured to allow. In networking environments, firewalls are usually configured to block all incoming traffic, and to allow outbound traffic from the private internal network.

Packet filters are used to define the traffic types that should be denied by a firewall. You need to implement firewalls and router packet filters to secure the resources within your private network from Internet users.

When you configure IP packet filters, you can specify what traffic is allowed or denied, based on the following:

  • Source address

  • Destination address

  • Source and destination TCP port number

  • Source and destination UDP port number

  • The interface that the packet arrives on.

  • The interface that the packet should be forwarded to

  • IP protocol numbers

  • ICMP types and codes

IP packet filters should be used for the following purposes:

  • To restrict traffic being sent to, or from, a specific computer, you can filter on source/destination IP address.

  • To restrict traffic coming from, or being sent to a specific IP address range of a network segment, you can filter on source/destination IP address range.

  • To restrict traffic being transmitted to/from a particular application, you can filter on protocol number.
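The filtering parameters listed above, worked through as an added example in Python (not code from the original article and not any vendor's firewall): a rule matches on source and destination address ranges, IP protocol number, TCP/UDP port ranges, inbound and outbound interface, and ICMP type and code, the first matching rule wins, and anything not explicitly allowed is dropped, which is the default posture the text describes. The interface names, the 10.0.0.0/8 private range, the Web server at 10.1.2.3, the policy and the sample packets are all constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# IP protocol numbers from the IANA registry.
ICMP, TCP, UDP = 1, 6, 17


@dataclass
class Packet:
    """The header fields a packet filter looks at (constructed samples below)."""
    src: str
    dst: str
    proto: int
    in_iface: str
    out_iface: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


@dataclass
class Rule:
    """One filter rule; a field left as None is a wildcard."""
    action: str                               # "allow" or "deny"
    src: Optional[str] = None                 # CIDR, e.g. "10.0.0.0/8"
    dst: Optional[str] = None
    proto: Optional[int] = None
    sport: Optional[Tuple[int, int]] = None   # inclusive port range
    dport: Optional[Tuple[int, int]] = None
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        for mine, theirs in ((self.proto, p.proto), (self.in_iface, p.in_iface),
                             (self.out_iface, p.out_iface), (self.icmp_type, p.icmp_type),
                             (self.icmp_code, p.icmp_code)):
            if mine is not None and mine != theirs:
                return False
        for rng, port in ((self.sport, p.sport), (self.dport, p.dport)):
            # A port rule never matches a packet without ports (e.g. ICMP).
            if rng is not None and (port is None or not rng[0] <= port <= rng[1]):
                return False
        return True


def filter_packet(rules, p: Packet) -> str:
    """First matching rule wins; anything not explicitly allowed is dropped."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


# Constructed policy for a firewall with an "ext" (Internet) and an "int" (private) interface.
POLICY = [
    # Drop packets that claim a private source address but arrive from the Internet side.
    Rule("deny", src="10.0.0.0/8", in_iface="ext"),
    # Allow outbound traffic from the private network (the usual default the text describes).
    Rule("allow", src="10.0.0.0/8", in_iface="int", out_iface="ext"),
    # Publish only HTTP on the Web server.
    Rule("allow", dst="10.1.2.3/32", proto=TCP, dport=(80, 80), in_iface="ext"),
    # Let echo replies (ICMP type 0) back in to internal hosts; other inbound ICMP falls through to deny.
    Rule("allow", proto=ICMP, icmp_type=0, in_iface="ext"),
]

SAMPLE_PACKETS = {
    "internal user browsing out":   Packet("10.5.0.20", "203.0.113.9", TCP, "int", "ext", sport=51000, dport=443),
    "Internet client to web port":  Packet("198.51.100.7", "10.1.2.3", TCP, "ext", "int", sport=40000, dport=80),
    "Internet client to SMB port":  Packet("198.51.100.7", "10.1.2.3", TCP, "ext", "int", sport=40001, dport=445),
    "spoofed private source":       Packet("10.9.9.9", "10.1.2.3", TCP, "ext", "int", sport=40002, dport=80),
    "ping reply to internal host":  Packet("203.0.113.9", "10.5.0.20", ICMP, "ext", "int", icmp_type=0, icmp_code=0),
    "inbound echo request":         Packet("198.51.100.7", "10.5.0.20", ICMP, "ext", "int", icmp_type=8, icmp_code=0),
    "inbound DNS to internal host": Packet("198.51.100.7", "10.5.0.20", UDP, "ext", "int", sport=53, dport=53),
}


def evaluate_samples(rules=POLICY, packets=SAMPLE_PACKETS) -> dict:
    """Verdict for every constructed sample packet under the given policy."""
    return {name: filter_packet(rules, p) for name, p in packets.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{verdict:5}  {name}")
```

Rule order matters: the anti-spoofing deny sits first so that a packet with a forged internal source address is never picked up by the later allow rules, and the trailing default of "deny" is what makes the policy allow-list rather than block-list.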

Advanced firewalls include a number of additional security features, including:

  • Stateful inspection: Here, packets are examined when they reach the firewall, and are only allowed to access internal network resources as determined by the configured access policy. Stateful inspection capabilities are provided by proxy servers and firewall solutions that support Network Address Translation (NAT).

  • Intrusion detection features: Firewalls that include intrusion detection features are able to detect possible network attack attributes as they inspect packets. These firewalls can perform a number of activities when they detect a network attack:

    • Start a counter attack.

    • Block access from the network of the intruder.

    • Notify an administrator of the network attack.

  • Application layer intelligence capabilities: These firewalls allow or drop packets based on the content of the packet. The firewalls are capable of inspecting and analyzing data within the traffic flows.

  • Virtual Private Network (VPN) capabilities: These types of firewalls enable remote networks to connect with other remote networks over the Internet. If you use both a VPN and a firewall solution, the firewall is able to filter traffic within the VPN tunnel.

Understanding Perimeter Networks

The main role of a perimeter network, also called demilitarized zone (DMZ), is to provide an additional layer of protection for the internal private network when a server on the perimeter network is compromised. The perimeter network typically hosts Web services that are extended to Internet clients.

A perimeter network usually consists of the following elements:

  • A firewall for protecting the front-end servers from the Internet traffic.

  • A firewall between the back-end servers and private network. This firewall should allow communication between back-end servers and specific servers located on the private network.

  • Hardened servers for supporting the services provided by the applications. Hardened servers can be configured to disable unsafe Internet services.

A perimeter network is either a single firewall configuration, or back to back firewall configuration:

  • Single firewall configuration: Here a single firewall is used with a network interface card (NIC) connected to the perimeter network, a NIC connected to the Internet, and another NIC connected to the private network. The private network comprises the organization's network, computers and servers that are not extended to the public network. This is the simplest firewall configuration strategy. Because this configuration consists of only one firewall, the private network is vulnerable when an attacker is able to bypass the firewall.

  • Back to back firewalls configuration: Here, one firewall is utilized to connect the front end of the perimeter network to the Internet, and another firewall is utilized to connect the back end of the perimeter network to the private network. This method provides more protection to the private network. Additional firewalls can be implemented between the Web tiers in the perimeter network to further enhance security for the private network.

Web content servers and front-end servers usually reside in the perimeter network. A perimeter network can be further segmented:

  • A dedicated segment should be used for the management network, so that administrative traffic never shares a segment with Internet-facing traffic.

  • The various forms of Internet traffic, such as HTTP and FTP, should be routed to separate Web clusters.

  • Non-routable (private) network addresses should be assigned to the internal networks of the Web site.

  • Internet traffic should be separated from the internal network or back-end traffic.

  • Ensure that IP forwarding is not enabled on the front-end servers, so that a compromised front-end server cannot be used to route packets from the Internet into the back-end segments.

Understanding Windows Server 2003 Security Settings

Auditing enables you to determine which activities are occurring on a system. Through auditing, administrators can collect information about resource access and usage on the system. You can audit logons, file access, object access and configuration changes. When an event or action that is configured for auditing takes place, it is written to the security log of the system, which can be viewed with Event Viewer.

The main types of events which you should audit are listed below:

  • Computer logons

  • Computer logoffs

  • Access to objects, and files and folders

  • System events, such as when the following occurs:

    • Computer reboots

    • Computer shutdowns.

    • System time is modified

    • Audit logs are cleared.

  • User and computer account management activities, such as creating, changing or deleting accounts and resetting passwords.

You can define audit policies for the local computer, a domain controller, a domain or an organizational unit (OU).

The audit policies that you can configure with Windows Server 2003 are listed here:

  • Audit Account logon events: This policy records credential validation. The entry is written on the computer that authenticates the account, which is the domain controller for domain accounts and the local computer for local accounts, regardless of which computer the user is logging on to. It is therefore typically enabled on domain controllers.

  • Audit Account management: This policy tracks account management tasks performed on the computer, including creating, changing and deleting user objects, and changing account passwords.

  • Audit Directory service access: On domain controllers, this policy tracks access to Active Directory objects that have a system access control list (SACL) defined; objects without a SACL generate no entries.

  • Audit Logon events: This policy tracks when a user logs on to or logs off from the computer on which the session is created, including network logons such as connections to a share.

  • Audit Object access: Tracks access to operating system objects such as files, folders, registry keys and printers. Enabling the policy is not enough on its own: an entry is generated only for objects that have a SACL configured, so the objects of interest must also be set up for auditing.

  • Audit Policy change: This policy tracks changes to the security configuration settings of the computer, including changes to audit policies, trust policies and user rights assignments.

  • Audit Privilege use: Tracks when a user exercises a user right. Because of the volume of log entries they would generate, the following rights are excluded even when this policy is enabled: Back Up Files And Directories, Bypass Traverse Checking, Create A Token Object, Debug Programs, Generate Security Audits, Replace Process Level Token, and Restore Files And Directories. Auditing of the backup and restore rights can be turned on separately through the Audit: Audit The Use Of Backup And Restore Privilege security option.

  • Audit Process tracking: This policy tracks events such as a program starting or a process ending. It is verbose and is usually enabled only while investigating a specific problem.

  • Audit System events: This policy tracks events such as the computer restarting or shutting down, and any event that affects the security log or the security of the system, such as the security log being cleared.

For each of the event categories above, you choose one of three values when you enable auditing. The value determines the condition under which an audit entry is created:

  • Success only; an audit entry is created when the event or action completes successfully.

  • Failure only; an audit entry is created when the event or action fails. Failure entries are often the more useful of the two for detecting attacks, since repeated failed logons or denied object access are typical signs of probing.

  • Success and Failure; an entry is created whether the event or action succeeds or fails.

An important management tool for administrators of Windows Server 2003 is the event log. Event Viewer displays the events recorded in the System, Application and Security logs. You can access Event Viewer from the Administrative Tools folder.

The maximum size, retention behaviour and other attributes of each event log are controlled by the following Event Log policies:

  • Maximum log size; specifies the maximum size of the log file. Size it so that the log is not overwritten before it is collected or reviewed.

  • Retain log; sets the number of days for which events are retained when the Overwrite Events By Days retention method is used.

  • Retention method for log; sets what happens when the log reaches its maximum size:

    • Overwrite Events By Days option

    • Overwrite Events As Needed option

    • Do Not Overwrite Events (Clear Log Manually) option.

  • Prevent local guests group from accessing log; defines whether the local guests group is allowed to access the Event log.

You can enable Security Options policies to protect specific server components from a number of threats and accidents. A few Security Options policies that you should consider configuring are listed below:

  • Accounts: Administrator Account Status; enables or disables the local Administrator account of the computer.

  • Accounts: Guest Account Status; enables or disables the local Guest account of the computer.

  • Accounts: Rename Administrator Account; defines an alternative name for the local Administrator account. The account keeps its well-known security identifier (SID), so renaming hides the name from casual guessing but does not stop an attacker who looks the account up by SID.

  • Accounts: Rename Guest Account; defines an alternative name for the local Guest account, which likewise keeps its SID.

  • Audit: Audit The Use Of Backup And Restore Privilege; when the Audit Privilege Use policy is also enabled, causes every use of the Back Up Files And Directories and Restore Files And Directories rights to be audited (these rights are otherwise excluded because of the volume of entries they generate).

  • Audit: Shut Down System Immediately If Unable To Log Security Audits; halts the computer when no further audit entries can be written to the security log because the log has reached its maximum size. This trades availability for a complete audit trail, so enable it only where an unaudited period is less acceptable than an outage, and size the security log accordingly.

  • Devices: Allowed To Format And Eject Removable Media; defines which local groups are allowed to format and eject removable NTFS file system media.

  • Devices: Restrict CD-ROM Access To Locally Logged-on User Only; allows only the interactively logged-on user to access the CD-ROM drive, so it cannot be used by remote users while someone is logged on locally.

  • Devices: Restrict Floppy Access To Locally Logged-on User Only; applies the same restriction to the floppy disk drive of the computer.

  • Domain Member: Maximum Machine Account Password Age; sets how often the computer account password of the system is changed (30 days by default).

  • Interactive Logon: Do Not Require CTRL+ALT+DEL; should be set to Disabled, so that users must press CTRL+ALT+DEL before logging on. This secure attention sequence is handled by the operating system, which protects users from a Trojan horse that displays a fake logon dialog to capture their credentials.

  • Interactive Logon: Require Domain Controller Authentication To Unlock Workstation; requires the domain controller to be contacted when a locked computer is unlocked, instead of accepting cached credentials.

  • Microsoft Network Client: Digitally Sign Communications (Always); requires packet signing for all Server Message Block (SMB) client communications, which defeats tampering with and relaying of SMB sessions. The client will be unable to connect to servers that do not support signing.

  • Microsoft Network Server: Digitally Sign Communications (Always); requires packet signing for all SMB server communications; clients that do not support signing will be unable to connect.

  • Network Access: Do Not Allow Anonymous Enumeration Of SAM Accounts And Shares; stops anonymous users from gathering the names of local user accounts and shares, which is a common first step in an attack.

  • Network Access: Remotely Accessible Registry Paths And Sub-paths; defines the registry paths that can be accessed over the network regardless of the permissions on the winreg key; keep the list as short as possible.

  • Network Access: Shares That Can Be Accessed Anonymously; defines the shares that anonymous users can access; the list should normally be empty.

  • Network Security: Force Logoff When Logon Hours Expire; configures the computer to disconnect the SMB sessions of users whose defined logon hours have expired.

  • Shutdown: Allow System To Be Shut Down Without Having To Log On; enables the Shut Down button in the Log On To Windows dialog box. It should be disabled on servers so that only an authenticated user can shut the system down.
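The Security Options above, the Event Log policies earlier in this section, and the rule that perimeter front-end servers must not forward IP traffic are all backed by registry values. The following is an added example, not code from the original article, that reads those values on a Windows Server 2003 host and reports where they deviate from a hardening baseline. The expected values are the editor's assumptions for a hardened member server rather than Microsoft defaults, and the registry paths are the standard locations for these settings.

```powershell
# Added example, not part of the original article. Read-only compliance check:
# reads the registry values behind several Security Options, the Security event
# log policies, and the TCP/IP forwarding setting, and compares them with an
# assumed baseline for a hardened member server. Run as an administrator in
# Windows PowerShell; nothing is changed. A value that is absent means the
# built-in default applies, which is reported as NOT SET rather than guessed.

$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$polSys   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lanSrv   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$lanWks   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$secLog   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security'

# Expected = exact value required; Minimum/Maximum = numeric bound instead.
$checks = @(
    @{ Name = 'Security log: Maximum log size (at least 64 MB)';
       Path = $secLog; ValueName = 'MaxSize'; Minimum = 67108864 },
    @{ Name = 'Security log: Prevent local guests group from accessing log';
       Path = $secLog; ValueName = 'RestrictGuestAccess'; Expected = 1 },
    @{ Name = 'Audit: Shut down system immediately if unable to log security audits';
       Path = $lsa; ValueName = 'CrashOnAuditFail'; Expected = 1 },
    @{ Name = 'Audit: Audit the use of Backup and Restore privilege (REG_BINARY 01)';
       Path = $lsa; ValueName = 'FullPrivilegeAuditing'; Expected = 1 },
    @{ Name = 'Interactive logon: Do not require CTRL+ALT+DEL (must be Disabled)';
       Path = $polSys; ValueName = 'DisableCAD'; Expected = 0 },
    @{ Name = 'Interactive logon: Require Domain Controller authentication to unlock';
       Path = $winlogon; ValueName = 'ForceUnlockLogon'; Expected = 1 },
    @{ Name = 'Shutdown: Allow system to be shut down without having to log on';
       Path = $polSys; ValueName = 'ShutdownWithoutLogon'; Expected = 0 },
    @{ Name = 'Devices: Restrict CD-ROM access to locally logged-on user only';
       Path = $winlogon; ValueName = 'AllocateCDRoms'; Expected = '1' },
    @{ Name = 'Microsoft network client: Digitally sign communications (always)';
       Path = $lanWks; ValueName = 'RequireSecuritySignature'; Expected = 1 },
    @{ Name = 'Microsoft network server: Digitally sign communications (always)';
       Path = $lanSrv; ValueName = 'RequireSecuritySignature'; Expected = 1 },
    @{ Name = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares';
       Path = $lsa; ValueName = 'RestrictAnonymous'; Expected = 1 },
    @{ Name = 'Network security: Force logoff when logon hours expire';
       Path = $lanSrv; ValueName = 'EnableForcedLogOff'; Expected = 1 },
    @{ Name = 'Domain member: Maximum machine account password age (at most 30 days)';
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters';
       ValueName = 'MaximumPasswordAge'; Maximum = 30 },
    @{ Name = 'TCP/IP: IP forwarding disabled (required on perimeter front-end servers)';
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';
       ValueName = 'IPEnableRouter'; Expected = 0 }
)

function Test-Setting($check) {
    $item = Get-ItemProperty -Path $check.Path -Name $check.ValueName -ErrorAction SilentlyContinue
    $actual = $null
    if ($item -ne $null) { $valueName = $check.ValueName; $actual = $item.$valueName }
    if ($actual -is [byte[]]) { $actual = $actual[0] }   # REG_BINARY flag: first byte carries the setting
    if ($actual -eq $null) { $status = 'NOT SET' }
    elseif ($check.Minimum -ne $null) { if ([int64]$actual -ge $check.Minimum) { $status = 'OK' } else { $status = 'FAIL' } }
    elseif ($check.Maximum -ne $null) { if ([int64]$actual -le $check.Maximum) { $status = 'OK' } else { $status = 'FAIL' } }
    elseif ("$actual" -eq "$($check.Expected)") { $status = 'OK' }
    else { $status = 'FAIL' }
    '{0,-7} {1}  [actual: {2}]' -f $status, $check.Name, $actual
}

function Get-RetentionDescription($retention) {
    # Retention value of the Security log: 0 = Overwrite Events As Needed,
    # 0xFFFFFFFF (read back as -1) = Do Not Overwrite Events (Clear Log Manually),
    # anything else = Overwrite Events By Days, stored as a number of seconds.
    if ($retention -eq 0) { return 'Overwrite Events As Needed' }
    if ($retention -eq -1 -or $retention -eq 4294967295) { return 'Do Not Overwrite Events (Clear Log Manually)' }
    return 'Overwrite Events By Days (' + [int]($retention / 86400) + ' days)'
}

$checks | ForEach-Object { Test-Setting $_ }
$retention = (Get-ItemProperty -Path $secLog -Name Retention -ErrorAction SilentlyContinue).Retention
if ($retention -ne $null) { 'Security log retention method: ' + (Get-RetentionDescription $retention) }
```

A FAIL line means the value is present but not at the assumed baseline; NOT SET means the setting has never been configured and the operating system default is in effect, which should be looked up for that setting rather than assumed to be safe. The check is deliberately read-only so it can be run on production servers before any change is made through Group Policy or a security template.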

Services are system programs, processes or routines that run in the background and perform a specific operation within the operating system. Administrators need to monitor services and change their configuration when necessary. When Windows Server 2003 is installed, a number of services are installed with the operating system, usually with the Automatic startup type, which means that the service starts when the operating system boots. The startup type specified for a service controls when and how the service starts. A few services that have the Automatic startup type configured are Automatic Updates, DHCP Client, DNS Client, IPSec Services, Remote Procedure Call (RPC), Server, Security Accounts Manager, and System Event Notification.

Every running service is code that an attacker can reach, so for those services that have the Automatic startup type, you can use System Services policies to disable the services that a specific server does not require. A few services whose startup type can be set to Disabled (if the server does not need them) are Application Management, Distributed File System, Distributed Transaction Coordinator, Fax Service, ClipBook, Indexing Service, Internet Connection Sharing (ICS), and Smart Card. Confirm that nothing on the server depends on a service before disabling it; stopping a service with running dependents takes the dependents down with it.
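The following is an added example, not code from the original article, that disables the services listed in the paragraph above on a server that does not need them, refusing to touch any service that a running service still depends on. The short service names are the Windows Server 2003 names for those services; which of them a particular server can do without is an assumption to confirm against that server's role.

```powershell
# Added example, not part of the original article: disables the services the
# paragraph above lists as candidates when a server does not need them. The
# short names are the Windows Server 2003 service names; whether a given
# server can do without each one is an assumption you must confirm for that
# server's role. Run as an administrator in Windows PowerShell.
# SharedAccess (Internet Connection Sharing) is deliberately not in the list:
# on Server 2003 SP1 and later it is also the Windows Firewall service, so
# disabling it turns off the host firewall.

$candidates = @(
    'AppMgmt',    # Application Management
    'Dfs',        # Distributed File System
    'MSDTC',      # Distributed Transaction Coordinator
    'Fax',        # Fax Service
    'ClipSrv',    # ClipBook
    'cisvc',      # Indexing Service
    'SCardSvr'    # Smart Card
)

function Disable-UnneededService([string]$name) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -eq $null) { return "SKIP     $name (not installed)" }
    # Never disable a service that a running service still depends on;
    # stopping it would take the dependents down as well.
    $running = @($svc.DependentServices | Where-Object { $_.Status -eq 'Running' })
    if ($running.Count -gt 0) {
        $names = [string]::Join(',', [string[]]($running | ForEach-Object { $_.Name }))
        return "KEEP     $name (running dependents: $names)"
    }
    if ($svc.Status -eq 'Running') { Stop-Service -Name $name -Force }
    Set-Service -Name $name -StartupType Disabled
    return "DISABLED $name ($($svc.DisplayName))"
}

$candidates | ForEach-Object { Disable-UnneededService $_ }
```

Setting the startup type to Disabled rather than Manual matters: a Manual service can still be started by any caller with the right to do so, including an attacker who has gained local access, whereas a Disabled service cannot be started until its startup type is changed back.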

Restricted Groups policies control the membership of specific security groups. You configure a Restricted Groups policy by adding the group to the policy and then specifying its members. Each time policy is applied, the Members attribute is enforced exactly as specified, so accounts that were added to the group by other means are removed, and the Member Of attribute ensures the group is placed in the groups listed. This is the standard way to guarantee, for example, that only a known set of accounts remains in the local Administrators group.

Account Policies include attributes for password policy, account lockout policy and Kerberos policy. Password policy determines settings for passwords for domain user accounts, and local user accounts. You can implement strong password policies by using the following security policy settings located in the Password Policy node in Account Policies:

  • Maximum password age: This security policy setting determines the duration after which a user is forced to change a password.

  • Enforce password history: This security policy setting prevents users from re-specifying or reusing previously used passwords.

  • Minimum password age: This security policy setting determines the length of time that a user has to keep a password before he/she can modify the password.

  • Minimum password length: This security policy setting stipulates the minimum length that a password can have.

Account lockout policies should be implemented if your environment is particularly vulnerable to password-guessing attacks. An account lockout policy locks a user's account after an individual has unsuccessfully tried to provide the correct password several times. The important factor when defining an account lockout policy is to permit some degree of user error while still preventing unauthorized use of user accounts. Remember also that lockout can be turned against you: an attacker who can reach the logon service can deliberately lock accounts by submitting wrong passwords, so a very low threshold or a permanent lockout creates a denial of service risk.

The following account lockout settings are located in the Account Lockout Policy area of Account Policies:

  • Account lockout threshold: This setting controls the number of failed logon attempts after which the account is locked out. A value of 0 means accounts are never locked out.

  • Account lockout duration: This setting controls how long a locked account remains locked. A value of 0 means the account stays locked until an administrator manually unlocks it.

  • Reset account lockout counter after: This setting determines how many minutes must pass after a failed logon attempt before the failed-attempt counter is reset to zero.
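The audit policies, the Restricted Groups policy and the password and account lockout policies discussed above are all sections of one Windows Server 2003 security template. The following is an added example, not code from the original article, that writes such a template, applies it with secedit.exe, and exports the effective configuration to verify the audit settings. All values are an assumed baseline chosen for this example, DOMAIN\ServerAdmins is a placeholder group name, and C:\SecTemplates is an assumed working directory.

```powershell
# Added example, not part of the original article. Builds a security template
# covering the audit policies, password and account lockout policies, and a
# Restricted Groups entry discussed above, applies it with secedit.exe (which
# ships with Windows Server 2003), and then exports the effective configuration
# and decodes the [Event Audit] section so the result can be verified.
# All values are an assumed baseline for a member server, chosen for this
# example; DOMAIN\ServerAdmins is a placeholder group. On a domain member the
# password and lockout settings here apply to local accounts only; domain
# accounts get theirs from the domain's Default Domain Policy.
# WARNING: the [Group Membership] entry makes the local Administrators group
# contain exactly the listed members; anything else is removed when applied.
# Run as an administrator in Windows PowerShell.

$templateDir = 'C:\SecTemplates'      # assumed working directory
if (-not (Test-Path $templateDir)) { New-Item -ItemType Directory -Path $templateDir | Out-Null }
$template = Join-Path $templateDir 'baseline.inf'
$database = Join-Path $templateDir 'baseline.sdb'
$exported = Join-Path $templateDir 'current.inf'
$logFile  = Join-Path $templateDir 'secedit.log'

# [Event Audit]: 0 = no auditing, 1 = Success, 2 = Failure, 3 = Success and Failure.
# [System Access]: password ages in days, lockout duration and reset window in
#   minutes; LockoutBadCount is the lockout threshold (0 = never lock out).
# [Group Membership]: *SID__Members and *SID__Memberof; S-1-5-32-544 is Administrators.
$content = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditAccountLogon = 3
AuditAccountManage = 3
AuditDSAccess = 0
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPolicyChange = 3
AuditPrivilegeUse = 2
AuditProcessTracking = 0
AuditSystemEvents = 3
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 10
ResetLockoutCount = 30
LockoutDuration = 30
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Administrator,DOMAIN\ServerAdmins
'@
$content | Out-File -FilePath $template -Encoding Unicode

# Apply only the areas the template defines, into a fresh database.
& secedit.exe /configure /db $database /cfg $template /overwrite /areas SECURITYPOLICY GROUP_MGMT /log $logFile /quiet

# Export the effective local configuration and decode the audit settings.
& secedit.exe /export /cfg $exported /areas SECURITYPOLICY /quiet

function Get-AuditSettings([string]$infPath) {
    $meaning = @{ '0' = 'No auditing'; '1' = 'Success'; '2' = 'Failure'; '3' = 'Success and Failure' }
    $inSection = $false
    foreach ($line in (Get-Content $infPath)) {
        if ($line -match '^\[(.+)\]') { $inSection = ($matches[1] -eq 'Event Audit'); continue }
        if ($inSection -and $line -match '^(\w+)\s*=\s*(\d+)') {
            '{0,-22} {1}' -f $matches[1], $meaning[$matches[2]]
        }
    }
}
Get-AuditSettings $exported
```

Object access and privilege use are set to Failure only here, because auditing their successes on a busy file server floods the security log; raise them to Success and Failure only for servers where the objects of interest have been given SACLs. Check the secedit log after applying: a Restricted Groups member that cannot be resolved is reported there rather than stopping the whole template.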

How to Plan a Security Framework

A security framework can be defined as the process used when the organization has to perform the activities listed below:

  • Define security requirements.

  • Determine security risks.

  • Select the appropriate security features.

  • Select and implement security policies.

  • Define security implementations.

  • Define security management policies.

Most organizations use a security design committee or team to determine the security needs of the organization and to deploy security policies which can meet these requirements.

A security design committee/team includes individuals that are knowledgeable on the following factors:

  • The mission critical resources of the organization.

  • The security weaknesses or vulnerabilities of the organization.

  • The threats to which the mission critical resources of the organization are exposed.

  • The resources which are mainly at risk.

  • The loss to the organization should particular resources of the organization be compromised.

  • The level of security needed to secure the organization's resources.

  • The security features and security policies which can be used to secure the resources of the organization.

  • The security features and security policies which are ideal to secure particular resources.

  • The impact of implementing security features and security policies on employees, users and administrators.

  • The requirements for deploying identified security solutions.

A typical security life cycle is made up of the following steps:

  • Determining and designing the security infrastructure: The design phase of the security life cycle includes identifying the resources of the organization that need to be secured, and then designing the security infrastructure to protect these resources. The security design team should be accountable for creating the security policies of the organization.

  • Deploying and implementing the security features and security policies: The security design team should also be responsible for implementing security features and security policies.

  • Continually managing the security solution: All security software should be upgraded as necessary, and audit logs should be regularly examined.

Because the security requirements of organizations differ, you have to determine which security features, tools and policies are needed by the specific organization whose server security you are planning. From the discussion so far, it is evident that identifying the security requirements of an organization takes considerable analysis. One of the initial steps is to determine which security weaknesses or vulnerabilities currently exist, the threats to which the mission critical resources of the organization are exposed, and the resources that are most at risk of being compromised.

There are a number of different risks that have an impact on an organization. Some of the primary threats which you should address are listed here:

  • Environmental threats; pertain to both natural disasters and disasters caused by human intervention. Examples of environmental threats are fires, earthquakes, storms, faulty wiring, and so forth.

  • Accidental threats; relate to threats caused without malicious intent. Accidental risks occur when an employee accidentally deletes important files, or modifies data that should not have been changed.

  • Deliberate threats; relate to threats caused with malicious intent as the primary objective. Examples of deliberate threats are viruses, Trojan horses, and all other network attacks carried out by hackers and intruders.

Once the risks to which your organization is vulnerable have been determined, you have to determine which resources and assets of the company could be affected by each identified risk or threat.

Assets and company resources can be categorized as follows:

  • Hardware; such as devices, servers, workstations, printers, and so forth.

  • Software; includes software designed specifically for the organization and other software products.

  • Company data; includes databases, and files and documents.

  • The physical building.

  • Sundry equipment; such as office furniture and other supplies.

  • Employees of the organization.

To secure company assets and resources from all identified security risks, you have to determine which security configurations can match the security requirements of the organization.