
Windows Server 2003 Best Practices for Enterprise Deployments, part 9


396 Windows Server 2003: Best Practices for Enterprise Deployments Tip&Tec / Windows Server 2003: Best Practices for Enterprise Deployments / Ruest & Ruest / 222343-x / Chapter 8

6. Select the type of trust you wish to create (two-way, one-way: incoming or one-way: outgoing).
7. If you have administrative rights in both domains, you can select Both this domain and the specified domain to create both sides of the trust at the same time. Click Next.
8. Type in your administrative credentials for the target domain or forest. Click Next.
9. The wizard is ready to create the outgoing trust in the target domain or forest. Click Next. Once finished, it will ask you to configure the new trust. Click Next.
10. It will ask you to confirm the outgoing trust. Select Yes, confirm the outgoing trust and then click Next. Confirming trusts is a good idea because it ensures that the trust is working properly.
11. It will ask you to confirm the incoming trust. Select Yes, confirm the incoming trust and then click Next.
12. Review your changes and click Finish when done.

Use the same procedure to create other types of trusts. The wizard will automatically change its behavior based on the values you input in its second page.

Working with Active Directory security can be complex, but you will reduce the level of complexity if you keep a structured, well-documented approach to change management. Ensure you use standard operating procedures at all times and ensure that these documented procedures are provided to all personnel who require them.

Web Server Access Control

Another area where authentication is required is at the Web server. IIS provides several different authentication types from anonymous logon to full certificate-based authentication. Table 8-4 lists the authentication modes available in IIS 6.0.
| Mode | Security | Limitations (If Any) | Client Support | Comments |
|---|---|---|---|---|
| Anonymous | None | No security | All | Works in any scenario |
| Basic | Low | Clear text password, use only with SSL | All | Works in any scenario |
| Digest | Medium | | IE5 and higher | Works in any scenario |
| NTLM | Medium | Doesn’t work over proxies | Internet Explorer only | Works only in the intranet |
| Kerberos | High | | IE 5 on W2000 or XP in domain infrastructure | Works only in the intranet, DC needs to be accessible by the client |
| IIS Client Certificate Mapping | High | WS03 provides auto-renewal for certificates | All newer browsers | All |
| AD Client Certificate Mapping | Very High | WS03 provides auto-enrollment and auto-renewal for certificates | All newer browsers | Works in any scenario |
| Microsoft Passport | Very High | Passport is stored on the Web | All newer browsers | Works in any scenario, but may be risky for intranet implementation |

Table 8-4 Authentication in IIS

Basically, you need to determine which authentication mode works best for you and for the Web server requirement. Internal and external solutions will be different and there will also be differences between the solutions you implement on the Internet and in the extranet because you will most likely want more secure authentication in the latter. Table 8-5 outlines some recommendations.

| Scenarios | Requirements | Recommendations |
|---|---|---|
| Intranet (parallel network) | All clients have Windows accounts stored in your directory. All clients use Internet Explorer 6 or more. There is a strong level of password encryption. | Use Kerberos through Integrated Windows Authentication |
| Internet | You need to support multiple browser types and multiple versions. Most of the information on your servers is public. Some data or business logic may require a secure login. You do not have control over user computers and you do not want to be intrusive. Some situations may require delegation. | Anonymous; Basic over SSL; Passport |
| Extranet | This requires a very secure solution. You might require mutual authentication. You may need a third party to manage the relationship between your server and the certificate holder. The operation should be seamless to the client. | Certificate; Passport |

Table 8-5 Web Server Authentication Recommendations

IIS authentication is defined in the IIS console under the Web site’s properties. In the Directory Security tab, there is an Authentication and Access Control section. Click Edit to modify this Web site’s settings. Select and apply the appropriate authentication mode for each site.

.NET Framework Authentication

Since the .NET Framework uses Web services, authentication models rely heavily on IIS, but there are some core functionalities within the framework itself since it provides role-based security (RBS). The RBS in the framework can rely on three different types of authentication: forms-based authentication (generates a cookie), IIS authentication, and Windows authentication. The first must be programmed within the Web service. The second and third methods are administered by network operations.

The easiest way to authenticate users and authorize access to Web resources within the intranet is to assign roles to them. Roles are groups that have different access levels within each application. These groups are application-specific, but they can be mapped to the Active Directory. Authorization stores must be created prior to group assignation. This can be done through the Authorization Manager console which is launched by running the azman.msc command. Developers must create the initial store and link it to an application, then administrators can assign users and groups to it. The store can be located in Active Directory, but the developer must have store creation rights within the AD to do so.

This is a new security model that is very powerful and requires less management than former application authorization schemes. Ensure that your developers endeavor to use this approach when creating Web services for internal use.
Access Auditing and Monitoring

The final aspect of Level 4 is auditing. It is important to track resource use and monitor log files to ensure that users have appropriate access rights and that no user tries to abuse their rights. Auditing is a two-step process in WS03. First, you must enable the auditing policy for an event. Then, for given types of objects, you must turn on the auditing for the object you want to track and identify who you want to track. WS03 lets you audit several different types of events: account logon events, account management, directory service access, logon events, object access, policy change, privilege use, process tracking, and system events.

Auditing is controlled through the Audit Policy, which is located in the security settings of Group Policy. Enabling the Audit Policy can have a significant impact on your network. Audited objects and events slow down the system, so it is important to audit only those events or objects you deem critical in your network.

To define the Audit Policy, move to the appropriate GPO and select Computer Configuration | Windows Settings | Security Settings | Audit Policy. Double-click on the event you want to audit and modify the policy. You can audit either the success or the failure of an event or both.

If you want to audit object access, such as accessing a container in AD or a file on a server, you must turn on auditing for that object and identify who you want to audit. To do so, you must view the object’s security properties and use the Advanced button. In AD, you must enable Advanced Features from the View menu of the AD consoles to do this.

Once again, turn to the security guides mentioned earlier to identify the audit policies you want to implement in your network.

Level 5: External Access

Level 5 focuses on the perimeter network and the protection of your internal network from outside influences.
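An added example, not from the book: the Audit Policy settings described in the Access Auditing and Monitoring section can be reviewed offline by reading the [Event Audit] section of a security template, such as one exported with secedit /export, and comparing it with the events you have decided are critical. The baseline values and the sample template below are constructed for illustration.

```python
"""Compare the [Event Audit] section of a security template with a baseline."""

# Security template key -> audit event type as named in the text above.
CATEGORIES = {
    "AuditAccountLogon": "account logon events",
    "AuditAccountManage": "account management",
    "AuditDSAccess": "directory service access",
    "AuditLogonEvents": "logon events",
    "AuditObjectAccess": "object access",
    "AuditPolicyChange": "policy change",
    "AuditPrivilegeUse": "privilege use",
    "AuditProcessTracking": "process tracking",
    "AuditSystemEvents": "system events",
}
LABELS = {1: "success", 2: "failure", 3: "success+failure"}  # 0 = no auditing

# Hypothetical baseline (an assumption, not a recommendation from the book).
BASELINE = {
    "AuditAccountLogon": 3, "AuditAccountManage": 3, "AuditLogonEvents": 3,
    "AuditObjectAccess": 2, "AuditPolicyChange": 3, "AuditSystemEvents": 1,
}

# Constructed sample in the INF layout used by security templates.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 1
AuditLogonEvents = 2        ; failures only
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 3
AuditDSAccess = 0
AuditAccountLogon = 1
[Version]
signature="$CHICAGO$"
"""


def parse_event_audit(template_text):
    """Return {template key: 0..3} for audit keys in the [Event Audit] section."""
    known = {key.lower(): key for key in CATEGORIES}
    settings, in_section = {}, False
    for raw in template_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop INF comments
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "event audit"
        elif in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() not in known:
                continue                             # not an audit setting
            if value not in ("0", "1", "2", "3"):
                raise ValueError(f"{key}: unexpected audit value {value!r}")
            settings[known[key.lower()]] = int(value)
    return settings


def compare(settings, baseline):
    """Return (missing, excess) as lists of (event type, outcome) pairs."""
    missing, excess = [], []
    for key, name in CATEGORIES.items():
        have = settings.get(key, 0)   # not defined in the template: treated as off
        want = baseline.get(key, 0)
        if want & ~have:
            missing.append((name, LABELS[want & ~have]))
        if have & ~want:
            excess.append((name, LABELS[have & ~want]))
    return missing, excess


if __name__ == "__main__":
    missing, excess = compare(parse_event_audit(SAMPLE_TEMPLATE), BASELINE)
    for name, outcome in missing:
        print(f"MISSING  {name}: {outcome} not audited")
    # Extra auditing costs performance, so it is reported for review as well.
    for name, outcome in excess:
        print(f"EXCESS   {name}: {outcome} audited beyond the baseline")
    # Object access events are only logged for objects whose own auditing
    # entries are set (the second step in the text); a template's
    # [Event Audit] section cannot show that.
```
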
In today’s connected world, it is impossible to create internal networks that are completely isolated from the external world. Thus you need to secure the internal network as much as possible, in fact, creating a barrier that must be crossed before anyone can enter. This barrier can take several different forms, but in the case of the parallel network, it is based on the continued use of your perimeter environment. This environment is often called the demilitarized zone (DMZ).

Perimeter networks can contain any number of components. These can be limited to a series of firewalls that protect your internal network or they can include and contain your Internet servers as well as your extranet services. If this is the case, this network will be fairly complex and will include defenses at every level of the Castle Defense System.

The perimeter also includes all of the links between your internal network and the outside world. Too many administrators forget that their network includes internal modems that users can use from within the enterprise to connect to the outside world and do not include these in the analysis of perimeter requirements. Do not make this mistake.

It is not the purpose of this chapter to review all of the features of a perimeter network. What is important at this level for the internal network is the implementation of a Public Key Infrastructure.

Designing an Internal Public Key Infrastructure

PKI implementations can be quite complex, especially if you need to use them to interact with clients and suppliers outside your internal network.
The main issue at this level is one of authority: are you who you say you are and can your certificates be trusted? When this is the case, you must rely on a third-party authority specializing in this area to vouch for you and indicate that your certificates can and should be trusted. WS03 can play a significant role in reducing PKI costs in these situations. Since it includes all the features required to implement a PKI service, all you need to do is acquire the root server certificate from an external source. This certificate will then be embedded into every certificate issued by your infrastructure. It will prove to your clients, partners, and suppliers that you are who you are and you won’t have to implement an expensive third-party PKI solution.

But you don’t need this type of certificate for the purposes of the internal network since you control all of the systems within the network and you don’t need to prove yourself or your organization to them.

The Windows PKI services support several types of security situations. You can use them to:
• Secure Web services, servers, and applications
• Secure and digitally sign email
• Support EFS
• Sign code
• Support smart card logon
• Support virtual private networking (VPN)
• Support remote access authentication
• Support the authentication of Active Directory replication links over SMTP
• Support wireless network authentication

QUICK TIP: Microsoft provides a very extensive outline of a complex perimeter network through its Prescriptive Architecture Guide for Internet Data Centers. In fact, this guide is extremely complete and provides specific instructions for the implementation of the network for both Nortel and Cisco network devices. It is located at http://www.microsoft.com/solutions/idc/techinfo/solutiondocs/default.asp.

WS03 provides two types of certificate authorities (CA): standalone and enterprise. The latter provides complete integration to the Active Directory. The advantage of enterprise CAs is that since their certificates are integrated to the directory, they can provide auto-enrollment and auto-renewal services. This is why the PKI service you implement in the internal network should be based on enterprise CAs.

PKI best practices require very high levels of physical protection for root certificate authorities. This is because the root CA is the core CA for the entire PKI hierarchy. If it becomes corrupted for some reason, your entire Public Key Infrastructure will be corrupted. Therefore, it is important to remove the root CA from operation once its certificates have been issued. Since you will remove this server from operation, it makes sense to create it as a standalone CA (removing an enterprise CA from the network will cause errors in AD).

PKI best practices also require several levels of hierarchy. In fact, in PKI environments that must interact with the public, it makes sense to protect the first two levels of the infrastructure and remove both from the network. But in an internal PKI environment, especially one that will mostly be used for code signing, encryption, smart card logon, and VPN connections, two levels are sufficient.
Subordinate CAs should be enterprise CAs so that they can be integrated to AD. In order to add further protection to the subordinate CA, do not install it on a domain controller. This will reduce the number of services on the server. An example of both an internal and an external PKI architecture is illustrated in Figure 8-8.

QUICK TIP: Root CAs should be removed from operation for their protection. Many organizations find it difficult to justify a physical machine as root CA because the machine is basically always off the network. This may be a good opportunity to use virtual machines using technologies such as VMware GSX Server (http://www.vmware.com/) if budgets do not permit a physical machine. Taking a virtual machine offline is much easier than for a physical machine. In addition, the virtual machine can be placed in a suspended state indefinitely, making it easier and quicker to bring back online. It can also be copied to DVD and physically removed from the site.

Even if your PKI environment will be internal, you should still focus on a proper PKI design. This means implementing a seven-step process as is outlined in the internal PKI Implementation Checklist illustrated in Figure 8-9. Consider each step before deploying the PKI. This is not a place where you can make many mistakes. Thoroughly test every element of your PKI architecture before proceeding to its implementation within your internal network.
Finally, just as when you created your security policy to define how you secure your environment, you will need to create a certification policy and communicate it to your personnel.

Figure 8-8 A PKI architecture

Managing the Security Policy

The Castle Defense System provides a structured approach to the design of a security policy. But it cannot stand alone to defend your critical resources. It must be supplemented by a defense plan, a plan that includes both reactive and proactive defense measures. This means additional defenses at several levels, especially in terms of system resilience. This will be covered in Chapter 9.

There are also ongoing operations that must take place at regular intervals to ensure that your defense system is constantly monitored and that your reaction plans work properly. Simulations and fire drills are good practice. You will see how you respond and also if your response plan is adequate. You do not want to find yourself in a situation where the only response is unplugging a system. One of the keys to a solid response plan is ensuring that everyone in the organization knows and understands their role in the plan.

Windows Server 2003 and Active Directory bring considerable change to the enterprise network. It is important that these changes are fully understood by your staff. It is also important that you identify each new role within your operations as well as the modifications you must bring to existing roles. Finally, to support your security policy to its fullest, you need to limit the delegated rights you assign to both administrators and operators within your network.
These items will be covered in Chapter 10.

Figure 8-9 The Internal PKI Implementation Checklist

Best Practice Summary

This chapter recommends the following best practices:
• Implement a Security Policy.
• If you do not have a security model in place, use the Castle Defense System.
• Add support to the Castle Defense System by preparing a defense plan as outlined in the Enterprise Security Policy Design Blueprint.
• Round out security management activities by implementing security testing and monitoring.
• Ensure that you have comprehensive user awareness programs in place.

Layer 1: Critical Data
• Inventory and categorize all information in your network.
• Ensure that your applications make use of the security features within the engine they use to run. If you create applications using SQL Server, make sure you use the security features of SQL Server in addition to other security measures in your network.

Layer 2: Physical Protection
• Ensure that the physical protection aspects of your network are well documented and include redundant systems.
• Use two-factor authentication devices for administrators.

Layer 3: Operating System Hardening
• Secure your servers and computers at installation with the secedit command.
• Use security templates and the Security Configuration Manager to apply security settings to files and folders, the registry, and system services. Use GPOs for all other security settings.
• Remember to fully test all of your security configurations before deploying them, especially with corporate applications, because securing certain elements may stop applications from working.
• Protect your systems with an antivirus program and apply Software Restriction Policies.
• Always keep your directory permissions as simple as possible and try to use inherited permissions as much as possible.
• Ensure that all personnel with administrative rights to the directory can be fully trusted.
• Encrypt all offline data.
• Protect encrypted data through Windows PKI.
• Begin with the default security policies for managed code in the .NET Framework and refine them as you become more familiar with the use of this powerful application tool.
• If you intend to make extensive use of the .NET Framework, migrate all code to managed code as soon as you can. It will give you more granular security processes.
• Keep Internet Information Server off your servers unless it is an Application Server.
• Do not install IIS on domain controllers.
• When IIS is installed, configure its security level to the minimum required for the server role. Make this the first step in your configuration activities.
• At a minimum, use the IIS security template from the Microsoft Security Operations Guide to secure your IIS servers.
• Globally secure your IIS servers through Group Policy.

Layer 4: Information Access
• Modify the default policies within the Protected Forest Root Domain before creating child domains.
• Manage trusts carefully and use the UGLP Rule to assign permissions to users.
• Use a comprehensive authentication and authorization plan that covers Windows, Web servers, and the .NET Framework.
• Modify the Default Domain Policy to include a high-security Global Account Policy.
• Ensure that your developers use role-based authorization plans for the Web services they design.
• Enable auditing on key events within your network and monitor those audits.

Layer 5: External Access
• Create the root certificate authority of your Public Key Infrastructure as a standalone CA and remove it from the network once its certificates have been issued.
• Use a two-level CA hierarchy for internal purposes and make all second-level CAs enterprise CAs.
• Plan your PKI environment carefully before you implement it. Test it in a lab environment before deploying to your internal network.
• Ensure that communications between your domain controllers are encrypted through IPSec tunneling.

General Security
• Ensure that your security policy is always up to date and that all of your users are aware of it. Continue to provide regular communications to your user base on security issues.

[...]... Application Servers Dedicated Web Servers Collaboration Servers Terminal Servers Identity Management (domain controllers) Application Servers File and Print Servers Dedicated Web Servers Collaboration Servers Network Infrastructure Servers Applications Web farms Internet Security and Acceleration Server (ISA) VPN servers Streaming Media Servers Terminal Services SQL Servers Exchange servers Message Queuing servers...
... creating and installing Server Clusters, but they provide a good reference and foundation before you begin. The best thing to do is to determine where Server Clusters will help you most. Use the details in both Tables 9-1 and 9-2 to help you make the appropriate clustering decisions. QUICK TIP: Microsoft provides detailed information on the deployment of Server Clusters in the Windows Server 2003 Deployment Guide:...

... Chapter 1, Windows Server 2003 offers some exceptional opportunities for server consolidation. This leads to fewer servers to manage. These servers, though, have a more complex structure because they include more services than the single purpose server model used in the NT world. But server consolidation does not necessarily mean more complex server structure; it can just mean more with less. For example,...

... Figure 9-6 The architecture of Internet Information Server version 6

The same goes for file servers. The same WS03 server can manage up to 5,000 domain DFS roots. A Server Cluster can manage up to 50,000 standalone DFS roots—another opportunity for massive server consolidation and considerable cost savings. Internet Information Server (IIS) also offers great consolidation...

... stress testing tools for its Windows platforms. It can help out in the server baselining process, especially in the evaluation of server interrupts per second. Just search for “stress tool” at http://www.microsoft.com/technet/default.asp.

Planning for System Recovery

Even though you have done your best to ensure high availability for your servers and services, disasters can always happen and servers can always...
... include any capability for mirroring information deposits

| Clustering Service | Network Load Balancing | Server Clusters |
|---|---|---|
| WS03 Edition | Web, Standard, Enterprise, Datacenter | Enterprise, Datacenter |
| Number of nodes | Up to 32 | Up to 4 for WES; up to 8 for WDS |
| Hardware | All network adapters must be on the WS03 Hardware Compatibility List, especially RAIN NICs | Cluster hardware must be designed for WS03 |

Server role (as identified...

... Deployment Guide: “Designing Server Clusters.” Another chapter, “Installing on Cluster Nodes,” outlines all of the activities required for cluster server installations. Finally, Microsoft provides information on the automation of Server Cluster member setup at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/deploy/confeat/MSCclust.asp.

Server Consolidation

As...

... network

Multiple-Node Server Clusters

Server Clusters offer the same type of availability services as NLB clusters, but use a different model. Whereas in NLB clusters servers do not have to be identical, it is the purpose of the Server Cluster to make identical servers redundant by allowing immediate failover of hosted applications or services. As illustrated in Figure 9-2, Windows Server 2003 supports either...

... virtual machine technology to test both NLB and server clusters right on your own desktop or laptop. For information on how to use VMware Workstation to create server clusters, go to http://www.winnetmag.com/Articles/Index.cfm?ArticleID=37 599. You will need a subscription to Windows & .NET Magazine to obtain the article.

Final Server Cluster Considerations

Cluster server installation and deployment is not a...
... used multiple small servers in your existing network can easily be consolidated into Server Clusters in the new network so long as they meet the performance baselines of the older network. To do so, you need to have established baselines and standard measurement systems. This is where performance monitoring comes into play. Windows Server 2003 uses System Monitor to evaluate server performance. System Monitor...

Posted: 14/08/2014, 01:20