Windows Server 2003 : Creating Role-Specific Server Configurations (part 2) - Securing Infrastructure Servers & Securing File and Print Servers

4/9/2011 11:51:25 AM

Securing Infrastructure Servers

Infrastructure servers are computers that run network support services such as DNS, DHCP, and Windows Internet Name Service (WINS). An infrastructure server can run any or all of these services, and might also fill other roles, such as an application or file and print server.

For an infrastructure server that provides all these services, you should modify the System Services policies in your infrastructure servers’ GPO to include the following services, using the Automatic startup type:

  • DHCP Server

  • DNS Server

  • NT LM Security Support Provider

  • Windows Internet Name Service (WINS)

Configuring DNS Security

It is common for administrators to run the DNS Server service on Windows Server 2003 domain controllers, particularly when they use Active Directory-integrated zones. One benefit of storing the zone database in Active Directory is that the directory service takes over securing and replicating the DNS data. However, even if you do use Active Directory-integrated zones, there are additional security measures you might consider.


Protecting Active Directory-Integrated DNS

When you create Active Directory-integrated zones on your DNS server, the zone database is stored as part of the Active Directory database, which protects it from direct access by unauthorized users. However, you should still take steps to ensure that the MicrosoftDNS container object in Active Directory (shown in Figure 2) is secure.

Figure 2. The MicrosoftDNS container in the Active Directory Users And Computers console


Tip

To access the MicrosoftDNS container object in the Active Directory Users And Computers console, you must first select the Advanced Features option from the console’s View menu. The console then displays additional containers, including the System container, which contains MicrosoftDNS.


By default, the DnsAdmins, Domain Admins, and Enterprise Admins groups all have the Full Control permission for the MicrosoftDNS container. The local Administrators group lacks the Full Control permission, but it does have the permissions needed to create new objects and modify existing ones. You might modify these defaults to limit the number of users with permission to modify this container.

Protecting DNS Database Files

For DNS zones that are not integrated into Active Directory, the zone databases are simple text files stored in the C:\Windows\System32\Dns folder by default. Windows Server 2003 creates DNS debug logs in the same folder. The permissions for this folder grant the Administrators group Full Control, while the Server Operators group receives all permissions except Full Control. The Authenticated Users group receives the permissions needed to read and execute files in this folder (see Figure 3).

Figure 3. The DNS Properties dialog box


You don’t need file system permissions to maintain the DNS zone databases using the DNS console or to access DNS server information using a client. Therefore, there is no reason for the Authenticated Users group to have file system permissions. By enabling users to view the DNS data files, you give them an opportunity to gather information about your domain that they could use to stage an attack against the network. You can safely revoke the Authenticated Users group’s permissions for this folder, and even limit the Server Operators group to read-only access, if desired.
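The check below is an added example, not part of the original article: it audits a Dns folder DACL, written as an SDDL string, against the recommendation above. Both sample strings are constructed to mirror the defaults and the hardened state described here, and keeping SYSTEM (SY) on the folder is an assumption of the example, since the article does not list it.

```python
import re

# SDDL rights codes handled by this example (file and generic rights only).
RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
          "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000}
# Bits that allow changing a file or its security: write data, append,
# write EA, delete child, write attributes, DELETE, WRITE_DAC, WRITE_OWNER.
WRITE_BITS = (0x2 | 0x4 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000
              | RIGHTS["GA"] | RIGHTS["GW"])
# BA = Administrators, SO = Server Operators; SY = SYSTEM (assumed, see lead-in).
ALLOWED = {"BA", "SY", "SO"}

# Constructed DACLs: the defaults the article describes, then the hardened form.
DEFAULT_DACL = ("D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"
                "(A;OICI;0x1301bf;;;SO)(A;OICI;0x1200a9;;;AU)")
HARDENED_DACL = "D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FR;;;SO)"

def access_mask(rights):
    """Convert an SDDL rights field (hex or two-letter codes) to a bit mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHTS[rights[i:i + 2]]  # KeyError: code not handled here
    return mask

def audit_dns_dacl(sddl, operators_read_only=True):
    """Return (trustee, issue) pairs for allow ACEs that break the policy."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # drop owner/group/SACL
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, _flags, rights, _obj, _inh, trustee = ace.split(";")[:6]
        if ace_type != "A":
            continue  # only allow ACEs grant access
        if trustee not in ALLOWED:
            findings.append((trustee, "unexpected trustee"))
        elif (trustee == "SO" and operators_read_only
              and access_mask(rights) & WRITE_BITS):
            findings.append((trustee, "write access"))
    return findings

if __name__ == "__main__":
    print(audit_dns_dacl(DEFAULT_DACL))   # Server Operators and AU are flagged
    print(audit_dns_dacl(HARDENED_DACL))  # no findings
```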

Configuring DHCP Security

The interruption of a DHCP server’s functions might not have an immediate effect on your network, but eventually your DHCP clients’ leases will expire and they will be unable to obtain new ones. Apart from enabling the DHCP Server service itself, there is little you can do to configure DHCP using a GPO. However, there are security measures that can help to ensure uninterrupted performance.

Denial of service (DoS) attacks constitute one of the biggest threats to DHCP servers. It is relatively simple for an unscrupulous individual to create a script that sends repeated requests for IP address assignments to the server until all the addresses in the scope are depleted. Legitimate clients are then unable to obtain addresses until the bogus leases expire. Several techniques can defend against denial of service attacks, including the following:

  • Use the 80/20 address allocation method— Use two DHCP servers to provide addresses for each subnet, with 80 per cent of the available addresses in one server’s scope and 20 per cent in the other. This ensures that there are addresses available to clients, even if one of the servers is under attack.

  • Create a DHCP server cluster— Clustering enables you to use multiple servers to create a single network entity. If one server fails, the other servers in the cluster take up the slack.

  • Monitor DHCP activity— You can monitor the activity of a DHCP server by using tools such as the Performance console and Network Monitor or by enabling audit logging on the DHCP server.

DHCP audit logging is not integrated into the main Windows Server 2003 auditing facility. You can enable DHCP audit logging using group policies but you cannot access the logs using the Event Viewer console. To enable DHCP audit logging, you must open the DHCP console, display the Properties dialog box for the DHCP server, and then select the Enable DHCP Audit Logging check box in the General tab. The server stores the log files in the C:\Windows\System32\Dhcp folder, by default.
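Because the audit logs never reach Event Viewer, something has to read the files directly. The following added example (not from the original article) scans audit log text for the scope-depletion pattern described above. It assumes the comma-separated layout of ID, date, time, description, IP address, host name and MAC address, with event ID 10 for a new lease and 14 for an exhausted address pool; the sample rows, window and threshold are constructed.

```python
import csv
from collections import deque
from datetime import datetime, timedelta

NEW_LEASE, POOL_EXHAUSTED = "10", "14"  # DHCP audit log event IDs

# Constructed sample: two ordinary events, eight new leases to eight
# different MAC addresses in eight seconds, then a pool-exhausted event.
SAMPLE = "\n".join(
    ["ID,Date,Time,Description,IP Address,Host Name,MAC Address",
     "00,04/09/11,08:00:00,Started,,,,",
     "10,04/09/11,08:15:02,Assign,192.168.10.21,ws-acct-01,00A0C9112233",
     "11,04/09/11,09:40:10,Renew,192.168.10.21,ws-acct-01,00A0C9112233"]
    + [f"10,04/09/11,11:50:{s:02d},Assign,192.168.10.{100 + s},,0200000000{s:02X}"
       for s in range(1, 9)]
    + ["14,04/09/11,11:50:09,Exhausted,192.168.10.0,,"])

def parse(text):
    """Yield (event_id, timestamp, mac) per data row; skip banner and header."""
    for row in csv.reader(text.splitlines()):
        if len(row) < 7 or not row[0].strip().isdigit():
            continue
        stamp = datetime.strptime(f"{row[1].strip()} {row[2].strip()}",
                                  "%m/%d/%y %H:%M:%S")
        yield row[0].strip(), stamp, row[6].strip().upper()

def find_exhaustion(text, window=timedelta(minutes=1), max_macs=5):
    """Return (bursts, exhausted) from a chronologically ordered log."""
    recent, bursts, exhausted, in_burst = deque(), [], [], False
    for event_id, stamp, mac in parse(text):
        if event_id == POOL_EXHAUSTED:
            exhausted.append(stamp)
        if event_id != NEW_LEASE:
            continue
        recent.append((stamp, mac))
        while recent[0][0] < stamp - window:  # drop leases outside the window
            recent.popleft()
        distinct = len({m for _, m in recent})
        if distinct <= max_macs:
            in_burst = False
        elif in_burst:  # same burst still growing: keep its peak count
            bursts[-1]["macs"] = max(bursts[-1]["macs"], distinct)
        else:
            in_burst = True
            bursts.append({"start": recent[0][0], "macs": distinct})
    return bursts, exhausted

if __name__ == "__main__":
    print(find_exhaustion(SAMPLE))
```

Tune `window` and `max_macs` to the subnet: a threshold that suits a small office scope will fire every morning on a large one.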

Securing File and Print Servers

Security for a file and print server requires policy settings similar to those of the baseline installation you created in this article. The two main changes you must make for the file and print server role are as follows:

  • Enable the Print Spooler service. Use the appropriate policy in the System Services container of your GPO to enable the Print Spooler service with the Automatic startup type. The server needs this service to receive print jobs from other computers on the network.

  • Disable the Microsoft Network Server: Digitally Sign Communications (Always) security policy. When this security option is enabled, users are unable to view the print queue on the server, even though they are able to submit print jobs. Defining this policy with a value of Disabled in the Security Options container of your GPO ensures that your clients can access the print queue on the server.

Note

To view print queues on file and print servers, client computers must have the Security Options policy, Microsoft Network Client: Digitally Sign Communications (Always) (or its equivalent) disabled as well.


Configuring Permissions Using a GPO

One of the most important security measures for a file and print server is protection for the user data stored on the server drives. You create this protection by using the NTFS file system on your drives and by using NTFS permissions to control access to the server drives. You can specify the permissions for your NTFS drives in a GPO by browsing to the File System container in the Group Policy Object Editor console and, from the Action menu, selecting Add File. In the series of dialog boxes that appear, you perform the following tasks:

  1. Specify the files or folders for which you want to configure file system permissions.

  2. Specify the permissions you want to assign to the selected files or folders.

  3. Specify whether you want the permissions to be inherited by subfolders.

By default, all the NTFS drives on a computer running Windows Server 2003, except the system drive, have Full Control permission assigned to the Everyone group. Therefore, it is up to you to design a directory structure and a system of permissions for your drives that gives users only the access they need to the files stored there.

Tip

In addition to file system permissions, you can also use a GPO to configure registry permissions on a computer running Windows Server 2003. Browse to the Registry container and, from the Action menu, choose Add Key. The process resembles configuring file system permissions, except that you select a registry key instead of a file or folder.


Securing Application Servers

It is difficult, if not impossible, to create a generic security configuration for application servers, because the requirements of the individual applications are usually unique. Windows Server 2003 includes some software that enables the computer to function as an application server, most notably Internet Information Services (IIS), which provides World Wide Web, File Transfer Protocol (FTP), and other Internet server services, but in most cases, application servers run external software products, such as database or e-mail servers. To secure these applications, you must compare the security requirements of your network and your users with the security features provided by the application itself.
