9 ways to teach you to build a secure Windows Server 2008

  

At present, many companies use Microsoft's Windows platform as their preferred platform. Recently, with the release of Windows Server 2008, more and more enterprises are planning to upgrade to this new version of the server operating system. In fact, according to industry consultant IDC, by the end of this year, the number of Windows Server 2008 installations worldwide will reach more than 3.5 million.

As enterprises increasingly depend on the Windows platform to run business-critical applications, the importance of the security and availability of the Windows platform is self-evident. After all, under today's increasingly competitive conditions, the impact of a system crash on an enterprise may be catastrophic, so how to manage Windows servers effectively has become a very urgent matter for enterprise IT departments. Fortunately, there are a number of well-established tools and services that can help companies manage their servers, and maximize and maintain their investments in the Windows environment, even if they choose to migrate to Windows Server 2008.

Windows Server 2008 can be said to be by far the most robust Windows Server operating system. All of its functions are designed around the goal of providing a more solid foundation for enterprise platform services and applications. The new availability, virtualization, security, and management capabilities of Windows Server 2008 help information technology (IT) professionals maximize their control and management of their infrastructure.

For example, Windows Server 2008 introduces the Windows PowerShell technology. Windows PowerShell is a command-line shell and scripting tool for system management. PowerShell is an object-based shell built on the .NET Framework that supports the existing WMI, COM, ADO.NET, ADSI and other Windows management models. In addition, it contains more than 130 tools. Such a development and management environment makes it easier for IT departments to control and automate repetitive system management tasks.

In addition, the new Server Manager in Windows Server 2008 is a single control panel, which is a great convenience for administrators: they can easily install, configure and manage the server roles and features of Windows Server 2008.

Because of these improvements in Windows Server 2008, many companies are eager to migrate to the more powerful business platform. Because of this, providing protection for the upgraded Windows environment has become the most urgent task for enterprise IT departments. In order to maintain business continuity, IT departments must be able to find an effective solution that not only restores data, systems and applications, but also supports and integrates new features in Windows Server 2008.

1. Secure the system installation process

To create a powerful and secure server, you have to pay attention to security in every detail from the moment installation begins. The new server should be installed on an isolated network to eliminate all possible channels of attack until the operating system's defenses are completed.

In the initial steps of the installation, you will be asked to choose between FAT (File Allocation Table) and NTFS (New Technology File System). At this point, you must choose the NTFS format for all disk drives. FAT is a relatively primitive file system designed for early operating systems. NTFS emerged with the advent of Windows NT and provides security features not available in FAT, including Access Control Lists (ACLs) and file system journaling, which logs any changes to the file system. Next, you need to install the latest Service Pack (SP2) and any available patches. While many of the patches in the service pack are quite old, they fix several known vulnerabilities that can lead to threats such as denial of service attacks, remote code execution, and cross-site scripting.

2. Configure security policy

After installing the system, you can sit down and do some more detailed security work. The easiest way to harden Windows Server 2003 is to use the Security Configuration Wizard (SCW), which guides you through the process of creating a security policy based on the role of the server on the network.

SCW is different from the Configure Your Server Wizard. SCW does not install server components, but monitors ports and services and configures registry and auditing settings. SCW is not installed by default, so you must add it via the Add/Remove Programs window of the Control Panel. Select the "Add/Remove Windows Components" button, then select "Security Configuration Wizard", and the installation process will start automatically. Once installed, SCW can be accessed from the Administrative Tools.

SCW creates security policies as XML files that can be used to configure services, network security, specific registry values, audit policy and, where applicable, IIS. The configuration interface allows you to create new security policies or edit existing ones and apply them to other servers on the network. If an applied policy causes a conflict or instability, you can roll back the operation.

SCW covers all the basics of Windows Server 2003 security. When you run the wizard, the first thing that appears is the Security Configuration Database, which contains all the roles, client functions, management options, services, ports, and more. SCW also includes a broad knowledge base of applications. This means that when a selected server role requires an application (client functions such as automatic updates, or management applications such as backup), the Windows Firewall will automatically open the required ports. The ports are automatically blocked when the application is closed.

Network security settings, registry protocols, and Server Message Block (SMB) signature security increase the security of critical server functions. The Outbound Authentication setting determines the level of authentication required to connect to external resources.

The final step of SCW relates to audit policy. By default, Windows Server 2003 only audits successful activities, but for a hardened system, both successful and failed activities should be audited and logged. Once the wizard has been run, the created security policy is stored in an XML file and can be used by the server immediately, kept for later use, or even applied to other servers. Servers that did not go through the first step of the hardening process during server installation can also install SCW.

3. Set appropriate access control permissions for physical machines and logic components


From the moment you press the server's power button until the operating system starts and all services are active, malicious activity that threatens the system still has the opportunity to damage it. In addition to the operating system, a healthy server should start with a password-protected BIOS/firmware. In addition, as far as the BIOS is concerned, the server's boot order should be set correctly to prevent booting from other, unauthorized media.

Immediately after starting the computer, press the F2 key, and you will be taken to the BIOS setup page. You can use Alt-P to move back and forth on the various settings tabs of the BIOS. On the Boot Order tab, set the server startup preference to Internal HDD. On the Boot Order tab, there are three options for hard disk passwords: Primary, Administrative, and Hard.

Similarly, the ability to automatically run external media, including CDs, DVDs, and USB drives, should be disabled. In the registry, go to the path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom (or other device name) and set the Autorun value to 0. The autorun feature has the potential to automatically launch malicious applications carried on portable media. This is an easy way for malware such as Trojans, backdoors, keyloggers, and listeners to be installed (see Figure 4).
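
The registry setting above can be audited, and applied once reviewed, from PowerShell. This is an added example, not part of the original article; the function name `Test-DeviceAutorun` and its parameters are hypothetical, and it assumes Windows PowerShell 2.0 or later in an elevated session.

```powershell
# Added example. Assumes Windows PowerShell 2.0+ in an elevated session.
function Test-DeviceAutorun {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Service names under ...\Services; 'Cdrom' is the one the article names.
        [string[]]$Service = @('Cdrom'),
        # Write Autorun = 0 where it is not already set to 0.
        [switch]$Fix
    )
    foreach ($name in $Service) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (-not (Test-Path -Path $key)) {
            Write-Warning "$key not found, skipping"
            continue
        }
        # A missing value yields $null, which is reported as not disabled.
        $prop  = Get-ItemProperty -Path $key -Name Autorun -ErrorAction SilentlyContinue
        $value = if ($prop) { $prop.Autorun } else { $null }
        $changed = $false
        if ($Fix -and $value -ne 0 -and $PSCmdlet.ShouldProcess($key, 'Set Autorun to 0')) {
            # -Force overwrites an existing value and creates a missing one.
            New-ItemProperty -Path $key -Name Autorun -Value 0 -PropertyType DWord -Force | Out-Null
            $value   = 0
            $changed = $true
        }
        New-Object PSObject -Property @{
            Service  = $name
            Autorun  = $value
            Disabled = ($value -eq 0)
            Changed  = $changed
        }
    }
}

# Report only; review the result before applying the change.
Test-DeviceAutorun
# Test-DeviceAutorun -Fix -WhatIf
```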

The next line of defense is about how users log into the system. While alternative authentication technologies, such as biometrics, tokens, smart cards, and one-time passwords, can be used to protect systems in Windows Server 2003, many system administrators, whether local or remote, use the combination of username and password as the credentials for logging in to the server. But many times, they all use the default password, which is obviously asking for trouble (please don't use the actual @55w0rd!).

The points noted above are very obvious. However, if you have to use a password, it is best to use a strong password policy: the password is at least 8 characters long, including English uppercase letters, numbers, and non-alphanumeric characters. In addition, you had better change your password periodically and not reuse the same password for a specific period of time.

A strong password policy plus multifactor authentication is just the beginning. Thanks to the ACL functionality provided by NTFS, each user can be assigned different levels of access to all aspects of a server. The settings for file access control and print share permissions should be based on groups rather than Everyone. This can be done on the server or through Active Directory.
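
To find where permissions are still granted to Everyone rather than to a group, the NTFS ACLs under a directory can be scanned. This is an added example, not part of the original article; the function name `Find-EveryoneAce` and the path `D:\Shares` are hypothetical, and it assumes Windows PowerShell 2.0 or later.

```powershell
# Added example. Assumes Windows PowerShell 2.0+ (.NET Framework).
function Find-EveryoneAce {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [switch]$Recurse
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $items = @(Get-Item -LiteralPath $Path -Force)
    if ($Recurse) {
        $items += @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    }
    foreach ($item in $items) {
        try {
            # Read only the DACL; item methods take the name literally,
            # so wildcard characters in file names are not expanded.
            $acl = $item.GetAccessControl('Access')
        } catch {
            Write-Warning "Cannot read ACL of $($item.FullName): $($_.Exception.Message)"
            continue
        }
        # Ask for identities as SIDs so the match does not depend on the
        # localized account name. S-1-1-0 is the well-known SID for Everyone.
        foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($rule.IdentityReference.Value -eq 'S-1-1-0' -and
                $rule.AccessControlType -eq 'Allow') {
                New-Object PSObject -Property @{
                    Path      = $item.FullName
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

# D:\Shares is a placeholder path for this example. Explicit (non-inherited)
# entries are the ones to replace with group-based permissions at that item.
Find-EveryoneAce -Path 'D:\Shares' -Recurse | Where-Object { -not $_.Inherited }
```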

It is also important to ensure that only one authenticated user can access and edit the registry. The goal is to limit the number of users accessing these critical services and applications.
