You are previewing Windows Server® 2008 Security Resource Kit.
O'Reilly logo
Windows Server® 2008 Security Resource Kit

Book Description

Get the definitive reference for planning and implementing security features in Windows Server 2008 with expert insights from Microsoft Most Valuable Professionals (MVPs) and the Windows Server Security Team at Microsoft. This official Microsoft RESOURCE KIT delivers the in-depth, technical information and tools you need to help protect your Windows® based clients, server roles, networks, and Internet services. Leading security experts explain how to plan and implement comprehensive security with special emphasis on new Windows security tools, security objects, security services, user authentication and access control, network security, application security, Windows Firewall, Active Directory® security, group policy, auditing, and patch management. The kit also provides best practices based on real-world implementations. You also get must-have tools, scripts, templates, and other key job aids, including an eBook of the entire RESOURCE KIT on CD.

Key Book Benefits

Definitive technical information and expert insights straight from the Windows Server Security Team and leading Microsoft MVPs

Provides in-depth information that every Windows administrator needs to know about helping protect Windows-based environments

Includes best practices from real-world implementations

CD includes additional job aids, including tools, scripts, and a fully searchable version of the entire RESOURCE KIT book

Q&A with Jesper M. Johansson, author of Windows Server 2008 Security Resource Kit

The credentials of the contributors to Windows Server 2008 Security Resource Kit are quite impressive. How important was it to assemble such a group for this title?

In my opinion, it was necessary. Server products are necessarily complex, and security, by its very nature, requires a very broad understanding of the product. Developing that understanding in a single person is possible, but very time consuming and still does not lead to the breadth of perspective that you find in a group of people. No single person can truly understand both what it is like to implement Active Directory in a 50,000 seat organization, and how to run a 50-seat small business network long-term, and neither of them is probably going to also be one of the world's foremost experts on implementing public key cryptography infrastructures. By putting together this world-wide team of experts (representing four countries on three continents) we were able to produce a resource that had far more depth and breadth of knowledge than would otherwise have been possible, and you get the expertise of 12 of the foremost experts on Windows Security in a single package.

What extras are available on the Resource Kit CD?

First, you get a bonus chapter on Rights Management Services, as well as an electronic copy of the entire book. I am very excited about the electronic copy because it provides a searchable way to read the book. These types of books are always used as references and being able to search it is very valuable.

You also get some tools that may come in handy for managing servers. Scripting Guru Ed Wilson wrote some custom PowerShell scripts specifically for this book to manage user accounts and other security related aspects of your deployment. In addition, I wrote a couple of tools for the book. One is my password generator, which I first made available several years ago. It enables you to manage unique administrator account passwords and service account passwords on hundreds or thousands of servers on a network. I also included my elevation tools, which allow you to launch an elevated instance of Windows Explorer, as well as elevating any command you want from the command line. Having worked with User Account Control (UAC) daily for about two years I find that one of the biggest impediments to running under UAC is the multiple prompts you get when you perform many file operations. As an administrator, that is a very common task. Elevating Windows Explorer lets you do those operations with a single elevation prompt, and still leave UAC turned on.

Comparing the two programs, what are some of the fundamental differences between Windows Server 2008 and Windows Server 2003?

To me, the biggest difference is the fact that while Windows Server 2003 was built under the security best practices of 2002, Windows Server 2008 incorporates all the secure development practices Microsoft learned in the five years since. The field of secure software development has progressed immensely between 2002 and 2007, and incorporating them will make Windows Server 2008 much more able to stand up to the threats we will see in the next five years. By the way, it is with a heavy heart that I say that, as I worked hard on security in Windows Server 2003, but it is true.

Apart from the engineering process, the first thing people will notice is the completely new management model in Windows Server 2008. Instead of installing a lot of separate components, you now deploy roles to the server. This makes a lot of sense because the roles are what you bought the server to fill. By implementing that metaphor in the management tools the risk for misconfiguration is greatly reduced.

The new kernel features are also very important and will make a big difference for many. First, the new virtualization features are fundamentally going to change how we build and run data centers. The improvements in security, reliability, and performance in the kernel features, such as thread scheduling, and in the networking features, such as the new network file system, also are going to be valuable to many.

What do you feel is the biggest security oversight made by network admins?

Put a slightly different way, the area where I see the most room for improvement is in security posture management. Administrators are far too focused on vulnerabilities and on the types of "hardening" tweaks that were useful in the 1990s, when software shipped wide open by default. Today, those things are not nearly as important as it is to manage the security posture of your servers. Far too many administrators still believe in the perimeter and fail to recognize that just about every organizational network today is semi-hostile, at best. The biggest security oversight is not to analyze and manage the threats posed to servers by other actors on the network. The Security Resource Kit goes into depth in discussing what I refer to as Network Threat Modeling, as the analysis phase of Server and Domain Isolation – probably the most powerful security tool in the arsenal today. Yet, the proportion of networks that use these tools is infinitesimal.

What are your thoughts on the constant hype surrounding potential security flaws in Vista?

As I have written elsewhere ( I fail to see any data backing up the argument. Certainly, there have been flaws in Vista – and anyone who expected it to be flawless was unrealistic – but the improvements are tremendous over Windows XP. Windows Vista has about half as many critical problems as Windows XP in the same time-frame. I'm not sure that it would have been reasonable to expect it to perform much better than that given how large and complex modern software is and how fast the security landscape is moving.

Therefore, I have to think that the reasons for the hype are something other than data. The popular press seems to operate on the assumption that complaining about Microsoft generates advertising revenue, and they are probably correct. The fact of the matter today is that a significant portion of the software industry, specifically the security portion, has built its business almost exclusively on selling software that purports to protect Microsoft's customers from Microsoft's screw-ups. It is simply terrifying to it, and a grave threat to its business model, that Microsoft should actually manage to produce software, and particularly operating systems, that are so secure they do not need most of the products that portion of the industry sells.

The popular press, being a largely advertising funded business, has happily latched on to this perception and boosted the unsubstantiated claims of Windows Vista's vulnerability to the benefit of their major advertisers. It is truly a sick eco-system that harms the customer in both the short and long term. The threats today, as I mentioned above, are trending toward the types of things that the security software industry cannot protect against. The new threats are against people, and the focus needs to shift to helping people make better security decisions and take responsibility for their own actions. Unfortunately, the current unsubstantiated hype about Windows Vista is not about protecting customers, it is about selling unnecessary security software and inculcating users and IT managers alike in the belief that they must buy third party software to run Windows safely; a belief that, with a few notable exceptions, such as anti-virus software, is falsified by the data. In fact, the hype has even lead to a huge growth industry in malicious, fake, security software. I have seen a lot of people lured by the hype into buying security software that is not security software at all, but simply malware in disguise. The average consumer, inundated with hype, is unable to make out what to really believe. This sick ecosystem is harmful and the press and the pundits are not helping, but only increasing the hype.

In your opinion, which network faces the biggest security risk today: the small office with multiple power users or large corporation with a large LUA base?

The unmanaged networks. I have seen very well managed and very secure networks in both small and large organizations, and I have seen poorly managed and very insecure networks in both as well. It is not really a matter of size but of how much time and effort is put into the security aspects of it. One of the largest weaknesses seems to be training. Security today is about end-points. The attacks are against people far more prevalent than those against technology and vulnerabilities. We need to, as an industry, understand how to push the security out to the assets that we are trying to protect. In the past we have centralized security because it was a way to centralize management of security. The challenge now is to de-centralize security, while still permitting centralized management. This is a non-trivial task, but it must be done. As a starting point, I dare every IT manager to start analyzing the risks to his or her network, and specifically, what it is they want the network to be used for. Once you understand what it is you want the network to provide you have a chance to work on making it provide that and nothing else. To me, that is the most important thing we can do. A properly staffed IT group, with adequate training and resources to train its users, an organizational mandate to protect the organization's assets, and a keen understanding of the business they serve will build a network that is adequately secured regardless of the size of the network. Windows Server 2008 certainly provides some very powerful technologies to help you manage security in your network, but while that is a necessary component, it is insufficient by itself. At a very base level, it is about the people and the processes you have, more than about the technology. Technology will help, but it is just a tool that your people will implement using a process that helps or hurts.

Visit the catalog page for Microsoft® Windows Server 2008™ Security Resource KitVisit the errata page for Microsoft® Windows Server 2008™ Security Resource KitDownload the supplemental content for Microsoft® Windows Server 2008™ Security Resource Kit

Table of Contents

  1. Windows Server 2008 Security Resource Kit
    1. Acknowledgements
    2. Introduction
      1. Overview of the Book
        1. Part I: Windows Security Fundamentals
        2. Part II: Implementing Identity and Access (IDA) Control Using Active Directory
        3. Part III: Common Security Scenarios
      2. Document Conventions
        1. Reader Aids
        2. Sidebars
        3. Command-Line Examples
      3. Companion CD
        1. Elevation Tools
        2. Passgen
        3. Management Scripts
          1. CreateLocalUser.ps1
          2. EvaluateServices.ps1
          4. FindServiceAccounts.ps1
          5. ListUserLastLogon.ps1
          6. LocateDisabledUsers.ps1
          7. LocateLockedOutUsers.ps1
          8. LocateOldComputersNotLogon.ps1
          9. LocateOldUsersNotLogOn.ps1
          10. LookUpUACEvents.ps1
          11. ScanForSpecificSoftware.ps1
          12. ScanForSpecificUpdate.ps1
          13. ScanConfig.ps1
          14. UnlockLockedOutUsers.ps1
          15. WhoIs.ps1
        4. eBook
        5. Bonus Chapters
        6. Chapter-Related Materials
        7. Links to Tools Discussed in the Book
          1. Windows PowerShell
          2. Process Explorer
          3. Microsoft Network Monitor
          4. Privbar
      4. Resource Kit Support Policy
    3. I. Windows Security Fundamentals
      1. 1. Subjects, Users, and Other Actors
        1. The Subject/Object/Action-Tuple
        2. Types of Security Principals
          1. Users
          2. Computers
          3. Groups
          4. Abstract Concepts (Log-on Groups)
          5. Services
        3. Security Identifiers
          1. SID Components
          2. SID Authorities
          3. Service SIDs
          4. Well-Known SIDs
        4. Summary
        5. Additional Resources
      2. 2. Authenticators and Authentication Protocols
        1. Something You Know, Something You Have
          1. Something You Know
          2. Something You Have
          3. Something You Are
        2. Understanding Authenticator Storage
          1. LM Hash
          2. NT Hash
          3. Password Verifier
          4. In Memory
          5. Reversibly Encrypted
        3. Authentication Protocols
          1. Basic Authentication
          2. Challenge-Response Protocols
            1. Digest Authentication
            2. LM and NTLM
            3. NTLM v2
            4. NTLM++
            5. Kerberos
        4. Smart Card Authentication
          1. Smart Cards and Passwords
        5. Attacks on Passwords
          1. Obtaining Passwords
            1. Ask for Them
            2. Capture the Passwords Themselves
            3. Capture the Challenge-Response Sequence
            4. Capture the Hashes
            5. Guessing Passwords
          2. Using the Captured Information
            1. Cracking Passwords
            2. Precomputed Hash Attacks
            3. Pass-the-Hash Attacks
          3. Protecting Your Passwords
        6. Managing Passwords
          1. Use Other Authenticators
          2. Record Passwords, Safely
          3. Stop Thinking About Words
          4. Set Password Policies
          5. Fine-Grained Password Policies
            1. Precedence and Fine-Grained Password Policies
        7. Summary
        8. Additional Resources
      3. 3. Objects: The Stuff You Want
        1. Access Control Terminology
          1. Securable Objects
          2. Security Descriptors
          3. Access Control List
            1. ACL Structure
          4. Access Control List Entry
          5. Access Masks
          6. Relationship Between Access Control Structures
          7. Inheritance
          8. Security Tokens
          9. Access Check Process
            1. Restricted Tokens
          10. Integrity Labels
          11. Empty and NULL DACLs
          12. Security Descriptor Definition Language
            1. Interpreting an SDDL String
        2. Tools to Manage Permissions
          1. cacls and icacls
          2. SC
          3. subinacl
        3. Major Access Control Changes in Windows Server 2008
          1. TrustedInstaller Permissions
          2. Network Location SIDs
          3. File System Name Space Changes
          4. Power User Permissions Removed
          5. OWNER_RIGHT and Owner Rights
        4. User Rights and Privileges
        5. RBAC/AZMAN
        6. Summary
        7. Additional Resources
      4. 4. Understanding User Account Control (UAC)
        1. What Is User Account Control?
        2. How Token Filtering Works
        3. Components of UAC
          1. UAC Elevation User Experience
            1. The Credential Prompt
            2. The Consent Prompt
          2. Application Information Service
          3. File and Registry Virtualization
            1. File Virtualization
            2. Registry Virtualization
            3. Configuring Registry Virtualization to Improve Application Compatibility
          4. Manifests and Requested Execution Levels
          5. Installer Detection Technology
          6. User Interface Privilege Isolation
          7. Secure Desktop Elevation Prompts
          8. Using Remote Assistance
          9. UAC Remote Administrative Restrictions
            1. Local User Accounts
            2. Domain User Accounts
            3. Managing UAC Remote Restrictions
          10. Mapping Network Drives When Running in Admin Approval Mode
          11. Application Elevations Blocked at Logon
          12. Configuring Pre-Windows Vista Applications for Compatibility with UAC
        4. UAC Group Policy Settings
          1. UAC Policy Settings Found Under Security Options
            1. User Account Control: Admin Approval Mode for the Built-in Administrator Account
            2. User Account Control: Behavior of the Elevation Prompt for Administrators in Admin Approval Mode
            3. User Account Control: Behavior of the Elevation Prompt for Standard Users
            4. User Account Control: Detect Application Installations and Prompt for Elevation
            5. User Account Control: Only Elevate Executables That Are Signed and Validated
            6. User Account Control: Only Elevate UIAccess Applications That Are Installed in Secure Locations
            7. User Account Control: Run All Users, Including Administrators, as Standard Users
            8. User Account Control: Switch to the Secure Desktop When Prompting for Elevation
            9. User Account Control: Virtualize File and Registry Write Failures to Per-User Locations
          2. Related UAC policies
            1. Require Trusted Path for Credential Entry
            2. Enumerate Administrator Accounts on Elevation
        5. What's New in UAC in Windows Server 2008 and Windows Vista SP1
          1. New Group Policy Setting: UIAccess Applications to Prompt for Elevation without Using the Secure Desktop
          2. UAC Prompt Reduction When Performing File Operations in Windows Explorer
          3. More Than 40 Additional UAC-Related Application Compatibility Shims
        6. UAC Best Practices
          1. Good Practice
          2. Better Practice
          3. Best Practice
        7. Summary
        8. Additional Resources
      5. 5. Firewall and Network Access Protection
        1. Windows Filtering Platform
        2. Windows Firewall with Advanced Security
          1. Improvements in the Windows Firewall
            1. Better Management Interface
            2. Windows Service Hardening
            3. Outbound Filtering
            4. Granular Rules
            5. Location-Aware Profiles
            6. Authenticated Bypass
            7. Active Directory User, Computer, and Groups Support
            8. IPv6 Support
            9. IPsec Integration
          2. Managing the Windows Firewall
            1. Graphical Management
              1. General
            2. Command-Line Management
            3. Network Profiles
        3. Routing and Remote Access Services
          1. Improvements in RRAS
            1. Support for IPv6
            2. NAP Enforcement for Remote Access VPN Connections
            3. Updated Connection Creation Wizard
            4. Secure Socket Tunneling Protocol
            5. Support for Multiple Locations in CMAK
            6. Support for Dynamic DNS Updates in Connection Manager
            7. Support for the Network Diagnostics Framework
            8. Enhanced WinLogin Support
            9. Additional Cryptographic Algorithms
            10. Robust Certificate Checking for VPN Connections
        4. Internet Protocol Security
          1. IPsec Basics
            1. IPsec Authentication
            2. IPsec Communication Modes
            3. IPsec Methods
            4. IPsec Rules and Policies
          2. New Capabilities in Windows Server 2008
            1. Integrated Firewall and IPsec Configuration
            2. Simplified IPsec Policy Configuration
            3. Improved IPsec Authentication
            4. Improved Load Balancing and Clustering Server Support
            5. Client-to-DC IPsec Protection
            6. Integrated IPv4 and IPv6 Support
            7. Integration with Network Access Protection
            8. Additional Configuration Options for Protected Communication
            9. New Cryptographic Support
            10. Network Diagnostics Framework Support
            11. Extended Events and Performance Monitor Counters
            12. Expanded Authenticated Bypass
        5. Network Access Protection
          1. Architecture
            1. Network Policy Server
            2. NAP Administration Server
            3. Health Registration Authority
            4. Host Credential Authorization Protocol
            5. Remediation Servers
            6. Enforcement Components
            7. Enforcement Methods
            8. System Health Validators
            9. System Health Agents
            10. NAP Agent
            11. NAP Enforcement Clients
          2. NAP Implementation
          3. NAP Scenarios
        6. Summary
        7. Additional Resources
      6. 6. Services
        1. Introduction to Services
          1. What Is a Service?
          2. Service Log-on Account
            1. Service Control Manager
          3. Service Listener Ports
          4. Configuring Services
            1. General Tab
            2. Log On Tab
            3. Recovery Tab
            4. Dependencies Tab
          5. Windows Server 2008 Services by Role
        2. Attacks on Services
          1. Blaster Worm
          2. Common Service Attack Vectors
            1. Buffer Overflows
            2. Denial of Service
            3. Remote Log-on Access
            4. Eavesdropping/Sniffing
            5. Password Compromise
            6. Misconfiguration
            7. Unauthorized Information Disclosure
            8. Social Engineering
        3. Service Hardening
          1. Least Privilege
          2. Service SIDs
            1. Defining Access Control Entries for a Service
          3. Write Restricted SIDs
          4. Restricted Network Access
          5. Session 0 Isolation
          6. Mandatory Integrity Levels
          7. Data Execution Prevention
          8. Other New SCM Features
        4. Securing Services
          1. Inventory Services
          2. Minimize Running Services
          3. Apply a Least-Privilege Model to Remaining Services
          4. Keep Your Updates Up to Date
          5. Creating and Using Custom Service Accounts
            1. Use Strong Passwords and Change Them at a Reasonable Interval
            2. Use Group Policy Restricted Groups Feature
            3. Minimize the Use of Domain Administrator Accounts
            4. Consider Using Local System Instead
          6. Use Windows Firewall and IPsec for Network Isolation
          7. Auditing Service Failures
          8. Develop and Use Secure Services
        5. Summary
        6. Additional Resources
      7. 7. Group Policy
        1. What Is New in Windows Server 2008
        2. Group Policy Basics
          1. The Local GPO
          2. Active Directory–Based GPOs
            1. Security Filtering of GPOs
            2. WMI Filtering of GPOs
          3. Group Policy Processing
            1. Slow-Link Processing
            2. Policy Processing Optimizations
        3. What Is New in Group Policy
          1. Group Policy Service
          2. ADMX Templates and the Central Store
          3. Starter GPOs
          4. GPO Comments
          5. Filtering Improvements
          6. New Security Policy Management Support
            1. Device Restrictions
          7. Windows Firewall with Advanced Security
            1. IPsec Configuration
          8. Wired and Wireless Network Policy
            1. Wired Network Policies
            2. Wireless Network Policies
        4. Managing Security Settings
        5. Summary
        6. Additional Resources
      8. 8. Auditing
        1. Why Audit?
        2. How Windows Auditing Works
        3. Setting an Audit Policy
          1. Audit Policy Options
        4. Developing a Good Audit Policy
        5. New Events in Windows Server 2008
        6. Using the Built-In Tools to Analyze Events
          1. Event Viewer
          2. WEvtUtil.exe
        7. Summary
    4. II. Implementing Identity and Access (IDA) Control Using Active Directory
      1. 9. Designing Active Directory Domain Services for Security
        1. The New User Interface
        2. The New Active Directory Domain Services Installation Wizard
        3. Read-Only Domain Controllers
          1. Read-Only AD DS Database
          2. RODC Filtered Attribute Set
          3. Unidirectional Replication
          4. Credential Caching
          5. Read-Only DNS
          6. Staged Installation for Read-Only Domain Controllers
            1. What Are the Prerequisites?
        4. Restartable Active Directory Domain Services
        5. Active Directory Database Mounting Tool
        6. AD DS Auditing
          1. Auditing AD DS Access
            1. Global Audit Policy
            2. SACL
            3. Schema
        7. Active Directory Lightweight Directory Services Overview
          1. Directory Store
            1. Directory Store
            2. Extranet Authentication Store
            3. Development Environment for AD DS and AD LDS
            4. Configuration Store for Distributed Applications
            5. How Do I Create an AD LDS Instance?
          2. New Features in Windows Server 2008 for AD LDS
        8. Active Directory Federation Services Overview
          1. What Is AD FS?
          2. What Is New in Windows Server 2008?
            1. AD FS Role Services
        9. Summary
        10. Additional Resources
      2. 10. Implementing Active Directory Certificate Services
        1. What Is New in Windows Server 2008 PKI
        2. Threats to Certificate Services and Mitigation Options
          1. Compromise of a CA's Key Pair
          2. Preventing Revocation Checking
          3. Attempts to Modify the CA Configuration
          4. Attempts to Modify Certificate Templates
          5. Addition of Nontrusted CAs to the Trusted Root CA Store
          6. Enrollment Agents Issuing Unauthorized Certificates
          7. Compromise of a CA by a Single Administrator
          8. Unauthorized Recovery of a User's Private Key from the CA Database
        3. Securing Certificate Services
          1. Implementing Physical Security Measures
        4. Best Practices
        5. Summary
        6. Additional Resources
    5. III. Common Security Scenarios
      1. 11. Securing Server Roles
        1. Roles vs. Features
          1. Default Roles and Features
        2. Your Server Before the Roles
          1. Default Service Footprint
        3. Server Core
          1. Roles Supported by Server Core
          2. Features Supported by Server Core
          3. What Is Not Included in Server Core
        4. Tools to Manage Server Roles
          1. Initial Configuration Tasks
          2. Add Roles and Add Features Wizards
          3. Server Manager
        5. The Security Configuration Wizard
          1. Using SCW to Audit and Enhance the Security of Each Server Role
            1. Using SCW to Audit and Enhance the Security of Each Server Role
        6. Multi-Role Servers
        7. Summary
      2. 12. Patch Management
        1. The Four Phases of Patch Management
          1. Phase 1: Assess
          2. Phase 2: Identify
            1. Determining Whether the Security Update Pertains to You
            2. Determine the Installation Priority
          3. Phase 3: Evaluate and Plan
            1. The Best Approach to Mitigating the Vulnerability
            2. Planning for the Release
            3. Determining the Release Mechanism
          4. Phase 4: Deploy
            1. Communicating the Change
            2. Testing the Security Update on a Small Group of Computers
            3. Deploying the Security Update to the Masses
        2. The Anatomy of a Security Update
          1. Supported Command-Line Parameters
          2. Integrating MSU Files into a Windows Image File
        3. Tools for Your Patch Management Arsenal
          1. Microsoft Download Center
          2. Microsoft Update Catalog
          3. Windows Update and Microsoft Update
          4. Windows Automatic Updating
          5. Microsoft Baseline Security Analyzer
            1. MBSA Scanning in Interactive Mode
            2. MBSA Scanning with the Command Prompt
          6. Windows Server Update Services
            1. What's New in WSUS 3.0
            2. Microsoft Products Supported by WSUS
            3. Configuring Prerequisites for WSUS 3.0
              1. Install the Windows Internal Database
            4. Install Web Server (IIS) Role
              1. Modify the Web Server Configuration File
            5. Requirements for WSUS 3.0 Server
            6. Install and Configure WSUS 3.0
            7. Configuring WSUS Clients
          7. System Center Essentials 2007
        4. Summary
        5. Additional Resources
      3. 13. Securing the Network
        1. Introduction to Security Dependencies
          1. Acceptable Dependencies
          2. Unacceptable Dependencies
          3. Dependency Analysis of an Attack
        2. Types of Dependencies
          1. Usage Dependencies
          2. Access-Based Dependencies
          3. Administrative Dependencies
          4. Service Account Dependencies
          5. Operational Dependencies
        3. Mitigating Dependencies
          1. Step 1: Create a Classification Scheme
          2. Steps 2 and 3: Network Threat Modeling
          3. Step 4: Analyze, Rinse, and Repeat as Needed
          4. Step 5: Design the Isolation Strategy
          5. Step 6: Derive Operational Strategy
          6. Step 7: Implement Restrictions
            1. Minimize Account Scope
            2. Organizational Security Policy Changes
            3. Separate Service Accounts
            4. Manage Privileges
            5. Restrict Communications
            6. Restrict Access to Resources
        4. Summary
        5. Additional Resources
      4. 14. Securing the Branch Office
        1. An Introduction to Branch Office Issues
          1. Why Do Branch Offices Matter?
          2. What Is Different in a Branch Office?
          3. Building Branch Offices
        2. Windows Server 2008 in the Branch Office
          1. Nonsecurity Features
            1. Server Core Installation Option
            2. Hyper-V (Windows Server Virtualization)
            3. Complete Redesign of TCP/IP Stack
            4. Server Message Block
            5. Data Protection—Windows Server 2008 Server Backup
          2. Security Features for the Branch Office
            1. RODC
            2. BitLocker Drive Encryption
        3. Other Security Steps
        4. Summary
        5. Additional Resources
      5. 15. Small Business Considerations
        1. Running Servers on a Shoestring
          1. Choosing the Right Platforms and Roles
            1. 32- vs. 64-bit Versions of Windows Server 2008
        2. Servers Designed for Small Firms
          1. Windows Server 2008 Web Edition
          2. Windows Server Code Name "Cougar"
          3. Windows Essential Business Server
          4. Hosted Servers
          5. Virtualization
        3. Violating All the Principles with Multi-Role Servers
          1. Acceptable Roles
          2. Server Components
          3. Risk Considerations
            1. Mitigation via Hosted Messaging
            2. Mitigation via the SDL Process
          4. Edge Server Issues
            1. Be Proactive Not Reactive
          5. Supportability and Updating
            1. Billing for Update Management
          6. Server Recoverability
        4. Best Practices for Small Businesses
          1. Following Hardening Guidance
            1. Changing Settings
          2. Policies
            1. Password Policies
            2. Fine-Grained Password Policy
            3. Administrator Account Handling
          3. Vendor Best Practices
            1. Vendor Admin Access
            2. Vendor Remote Access
            3. Outsourcing Issues
            4. Separation of Duties
            5. Vendor Changes to Your Network
          4. Remote Access Issues
            1. Remote Connectivity and Security Considerations
            2. Mobility Choices Decrease Risk
            3. Account Lockout
          5. Monitoring and Management Add-ons
            1. SCE and SCE Managed Services
            2. Third-party Solutions for Managed Services
            3. Remote Management Considerations
          6. The Server's Role in Desktop Control and Management
            1. Recommended Small Business Group Policy Settings
            2. Interactive Logon: Message Text For Users Attempting To Log On
            3. Windows XP and Windows Vista Firewall Group Policy Settings
            4. Authentication and Clients
          7. Recommendations for Additional Server Settings and Configurations
            1. DsrmAdminLogonBehavior
            2. Legacy Apps Limit Server Tweaking
            3. Turning Off Auditing
            4. Turning On Auditing
            5. Turning Off UAC
            6. UAC on the Server
            7. Antivirus and Anti-Spyware
            8. NAP for SMBs
        5. Summary
        6. Additional Resources
      6. 16. Securing Server Applications
        1. Introduction
        2. IIS 7: A Security Pedigree
        3. Configuring IIS 7
          1. Feature Delegation
        4. TCP/IP-Based Security
          1. IP Address Security
          2. Port Security
          3. Host-Header Security
        5. Simple Path-Based Security
          1. Defining and Restricting the Physical Path
          2. Default Document or Directory Browsing?
        6. Authentication and Authorization
          1. Anonymous Authentication
          2. Basic Authentication
          3. Client Certificate Mapping
            1. One-to-One Client Certificate Mapping
            2. Many-to-One Client Certificate Mapping
            3. Active Directory Client Certificate Mapping
          4. Digest Authentication
          5. ASP.Net Impersonation
          6. Forms Authentication
          7. Windows Authentication
          8. Trusting the Server
            1. Configuring SSL
          9. Further Security Considerations for IIS
            1. Application Development
            2. Request Filtering
            3. ASP.NET Server Farms: Machine Keys
            4. Custom Errors
            5. FTP Server
        7. Summary
        8. Additional Resources
    6. A. System Requirements
    7. Index