In-Depth

Use Server Roles to Heighten Security

Securing your network goes beyond your hardware or software firewalls. You must define the role of each server and then implement delta security policies to protect your services.

• By Danielle Ruest and Nelson Ruest
• 11/01/2004

With the proliferation of computer attacks at the application level, it is no longer enough to protect your systems through a basic hardware or software firewall. Today, you must concentrate on where the information is actually stored to ensure it is well protected. This is why you should use two more keywords to help secure the systems that hold your vital data (see the sidebar, "10 Security Keywords"). These two keywords are purpose and vigilance. The first deals with how individual servers are protected, and the second deals with how you proceed to protect these servers.

State Intended Purpose
The keyword purpose represents the purpose or role each server plays in your network. One of the best ways to secure a server platform is to examine the purpose of each server and define security parameters for that purpose. In fact, when you think of securing servers, you should use a two-step approach. First, you need to create a baseline security model. This baseline is the basic security strategy you use for each of the servers you configure for use in your network. This way each server has a minimum security level no matter what. Second, you need to create a delta security policy you can use to secure the particular set of services you set to run on this server role.

This is the core approach for the Microsoft Security Guide for Windows Server 2003. You need to integrate your server security approaches with your Active Directory structure (see Figure 1). To do so, you need to create an organizational unit (OU) structure that divides your servers by purpose or role. Then you need to create a baseline policy, and assign it to the main Server or Services OU. Because of the hierarchical nature of Group Policy Object (GPO) assignment, the server roles contained in child OUs will automatically apply the baseline policy. Next, you should create delta policies to secure each particular server role and apply them to the appropriate OUs. Of note in Windows networks is the domain controller role. This role is a default role created when you implement an Active Directory. Because of this, this server role is placed in a special OU and uses a special GPO—the Default Domain Controllers Policy (DDCP)—that you can also use to secure the server in this role.

The last role you might need to cover is the multi-purpose server. If you have powerful servers acting in more than one role, but are only member servers, then you'll need to design a non-conflicting delta policy strategy; that is, one you can add to others without damaging previously assigned policies. This gets very tricky when the multi-purpose server also acts as a domain controller because it requires the application of the DDCP as well as the delta policies. This is one reason why you should ensure your baseline policy and your DDCP mostly include the same generic security settings for servers.

Today, you need to use the Security Configuration and Analysis or secedit tool to create your server policies. This means you need to create the policies from scratch. Don't worry because free sample GPOs can help get you started. The best place to look is in the Microsoft Security Guide for Windows Server 2003 (see Resources). But wait. That's not all. You'll soon see Service Pack 1 for Windows Server 2003 (hopefully by mid-2005). It will include a new tool labeled the Security Configuration Wizard (see Figure 2). This tool provides a comprehensive overview of the status of a current system and helps you determine how to further lock down your servers. You can use the Security Configuration Wizard (SCW) to capture security settings from a standard system, edit an exiting policy, apply captured settings to a local or remote computer, or roll back security settings to their original state.

When you use SCW to capture security settings, it performs five steps:

• First, it walks you through the startup settings for services on the server. The settings are listed according to the role the server plays in your network. These roles include every potential server role included in the entire Windows Server System stack, even the sub-roles you find in individual Server System products. In fact, it covers more than 60 server role descriptions. In addition, it includes complete descriptions for each service. Services are listed for server and client roles, as well as administrative options, non-Microsoft services, and unspecified services or services that are not on this machine, but might be found on other machines (see Figure 3).
• The second step focuses on network security. It lets you review and secure open inbound TCP/IP ports and provides valuable information as to which ports are required by which active service.
• The third step concentrates on registry settings—not all settings, but critical settings related to security. This includes server message block (SMB) signing for communications encryption, lightweight directory access protocol (LDAP) signing for access to the directory, outbound authentication with domain accounts, inbound authentication, and so on.
• The fourth series of settings the Wizard lets you configure are related to the audit policy for this server role.
• The fifth and final step of the Wizard deals with saving, naming, and providing a description for the policy you just created. Once this is done, you can choose to apply the policy or save it for later use.

This tool provides comprehensive security reports you can use to document system configurations. You can use the command-line equivalent of the wizard, scwcmd, to apply policies to servers as they are staged. Finally, to make sure your security policies remain in place, you can apply SCW policies through GPOs and assign them to the server role-based OU structure you created. Look for this service pack and more secure servers next year.

Be Vigilant
OK, now your servers are secure. But you also need to live with this keyword: vigilance. This means you must be ever watchful and ever aware of impending threats. In fact, one of the most common reasons attacks work, especially internal attacks, is because we are not vigilant enough. So you know what this means: Don't let your guard down, not even an instant! Use the right processes to do daily verifications of your systems. One good source of daily, weekly, and monthly administration activities is the activity schedule available with the Windows Server 2003 Pocket Administrator (see Resources). It doesn't only cover security, but it does provide you with a starting point.

You're almost all set. Review two additional keywords in "Manage Patches and Updates" and your new or updated security strategy will be complete.