Improving Network Security Using Windows Server 2008 : Improving Network Security Using Windows Server 2008 Published: May 2008
Table of Contents : Table of Contents Introduction
Business Benefits
Existing Network and Security Overview
Planning
Deployment, Design, and Improvements
Lessons Learned
Best Practices
Resources
Introduction : Introduction The Secure Anywhere Access initiative is a primary driver for Microsoft IT:
To achieve Secure Anywhere Access, Microsoft IT must employ a variety of security strategies.
Defense in depth and security evolution:
It is no longer feasible simply to protect at the perimeter.
Protection and security must exist throughout the network.
As the threats have evolved, so too have the response and the approach.
Primary strategies and technologies:
IP Security (IPsec) to create Domain and Server Isolation
Group Policy
Windows Firewall and Authenticated IP
Network Access Protection (NAP)
Business Benefits : Business Benefits Improvement of overall computer security
Protection of intellectual property
Increased policy compliance
Full Integration with IP version 6 (IPv6) and NAP
Application-agnostic network security
Existing Network and Security Overview : Existing Network and Security Overview The Microsoft security environment
Server and Domain Isolation
Windows Firewall
NAP
The Microsoft Security Environment : The Microsoft Security Environment Approximately 100,000 intrusion attempts each month
Approximately 1 million infected or malicious e-mail messages received each month
Special environments for product development and testing have specific security requirements
Challenges in the Microsoft Security Environment : Challenges in the Microsoft Security Environment Many users are local administrators.
Many users have multiple computers.
Many applications and versions of those applications exist.
Security Solutions in the Microsoft Environment : Security Solutions in the Microsoft Environment Solutions include:
Strong passwords.
Perimeter and host-based firewalls.
Policy enforcement.
IPsec—Server and Domain Isolation.
Application segregation.
Vulnerability scanning.
NAP.
Server & Domain Isolation : Server & Domain Isolation Domain Isolation: Protect managed computers from unmanaged or rogue computers and users
Server Isolation: Protect specific high-value servers and data
Isolation Solution Details : Isolation Solution Details Policies are created, distributed, and managed through Active Directory® Security Groups and Group Policy:
Domain membership is required to access trusted resources.
Expands the use of supportive tools like Microsoft Systems Management Server (SMS) 2003 or Windows Server® Update Service (WSUS).
Authentication is based on machine and user credentials:
Kerberos, X.509 certificates, NTLM version 2 (NTLMv2), NAP health certificates
Policies are enforced at the network layer by IPsec:
Uses IPsec transport mode for end-to-end security and Network Address Translation (NAT) traversal
Packets encapsulated with Encapsulating Security Payload (ESP) or Authentication Header (AH) for authentication and integrity
Optionally, encryption of highly sensitive network traffic
Windows Firewall : Windows Firewall Windows Firewall was introduced with Windows® XP Service Pack 2 (SP2) and Windows Server 2003 Service Pack 1 (SP1) for inbound filtering only.
Windows Vista® and Windows Server 2008 add outbound filtering.
The new Windows Firewall with Advanced Security enables management of both firewall and Server and Domain Isolation from a single interface.
Windows Firewall Integration : Windows Firewall Integration Integrated host firewall and IPsec management:
New management tools (the Windows Firewall with Advanced Security MMC snap-in; netsh advfirewall command-line tool)
Reduces conflicts and coordination overhead among technologies
Firewall rules become more intelligent:
Specify security requirements such as authentication and encryption
Specify Active Directory computer or user groups
Network Access Protection : Network Access Protection New in Windows Server 2008
Validates client computers’ configuration and security health prior to allowing them access to resources
Updates client computers to bring them into compliance with security requirements
Provides reporting on health of computers within the domain.
Planning : Planning Security has evolved over the past several years within Microsoft IT.
Microsoft IT has rolled out enhancements to security in phases.
Each phase has had its own planning steps, though many steps have been similar.
Common Planning Steps : Common Planning Steps Certain steps were common or similar to both the IPsec and Windows Firewall rollouts:
Designing the initial Group Policy objects (GPOs).
Testing the policies.
Creating a rollout plan and schedule.
Testing the rollout process.
Communicating with users.
Deploying the solution.
Deployment : Deployment Group Policy is the basis of the initial IPsec rollout and the means through which Windows Firewall was rolled out to client computers.
GPOs were created for IPsec.
Windows Firewall was pushed to computers running Windows Vista or Windows Server 2008.
Windows Firewall Design : Windows Firewall Design Inbound connections are blocked unless allowed by a specific rule:
Local administrators can change the firewall rules as necessary without Microsoft IT intervention.
Outbound connections are allowed unless blocked by a specific rule.
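The firewall design above, together with the isolation and firewall-integration slides, can be expressed with the netsh advfirewall tool the deck mentions. The script below is an added example, not Microsoft IT's actual policy: it writes to the local policy store of a lab machine (the deck distributes policy through GPOs), and the rule names, TCP port 1433, and the group SID placeholder are assumptions.

```batch
@echo off
rem Added example, not from the original deck. Run from an elevated prompt on
rem Windows Vista / Windows Server 2008 or later, on a lab machine first:
rem step 2 drops inbound traffic from hosts that cannot authenticate.
setlocal

rem Hypothetical AD computer group allowed to reach the isolated server, given
rem as an SDDL string. Replace the placeholder with the group's real SID.
set "TRUSTED_GRP=D:(A;;CC;;;S-1-5-21-REPLACE-WITH-GROUP-SID)"

rem 1. Firewall design: inbound blocked unless a rule allows it,
rem    outbound allowed unless a rule blocks it.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound || goto :fail

rem 2. Domain isolation: IPsec transport-mode connection security rule.
rem    Inbound connections must authenticate; outbound connections request
rem    authentication but fall back, so unmanaged hosts remain reachable.
rem    Kerberos computer credentials are one method the deck lists.
netsh advfirewall consec add rule name="Example - Domain Isolation" ^
    endpoint1=any endpoint2=any mode=transport profile=domain ^
    action=requireinrequestout auth1=computerkerb || goto :fail

rem 3. Server isolation: a firewall rule that carries security requirements.
rem    The port is opened only to IPsec-authenticated, encrypted connections
rem    from members of the trusted computer group.
netsh advfirewall firewall add rule name="Example - Isolated Server (auth+enc)" ^
    dir=in action=allow protocol=TCP localport=1433 profile=domain ^
    security=authenc rmtcomputergrp="%TRUSTED_GRP%" || goto :fail

rem 4. Confirm what was actually applied.
netsh advfirewall show allprofiles firewallpolicy
netsh advfirewall consec show rule name="Example - Domain Isolation"
netsh advfirewall firewall show rule name="Example - Isolated Server (auth+enc)" verbose
exit /b 0

:fail
echo netsh failed with errorlevel %errorlevel% 1>&2
exit /b 1
```

Rules set through Group Policy are merged with local rules, so the effective policy on a domain member should be checked after the next Group Policy refresh rather than assumed from this script alone.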
Windows Server 2008 and Windows Vista Improvements : Windows Server 2008 and Windows Vista Improvements Windows Server 2008 and Windows Vista offer several security improvements that make deployment and management easier:
Simplified IPsec policy and configuration
Improved support for load balancing and clustering
New management interface, tool, and wizards
NAP
Lessons Learned : Lessons Learned IPsec cryptography can adversely affect computer performance.
Many wide area network (WAN) optimization techniques and products don’t work well with IPsec and IPv6.
Troubleshooting problems is somewhat more difficult when additional layers of security are employed.
Best Practices : Best Practices Configure GPOs in groups to simplify management.
Limit administration of IPsec.
Use a naming convention that covers both the policy and the group function.
For More Information… : For More Information… Visit TechNet at www.microsoft.com/technet
IT Showcase at www.microsoft.com/itshowcase
Server and Domain Isolation Guidance http://www.microsoft.com/sdisolation
Introduction to Windows Firewall with Advanced Security http://www.microsoft.com/downloads/details.aspx?FamilyId=DF192E1B-A92A-4075-9F69-C12B7C54B52B&displaylang=en
“The New Windows Firewall in Windows Vista and Windows Server ‘Longhorn’” (The Cable Guy, January 2006) http://www.microsoft.com/technet/community/columns/cableguy/cg0106.mspx
Simplifying IPsec Policy with Simple Policy Update http://technet.microsoft.com/en-us/library/bb726975.aspx
Slide 23 : This document is provided for informational purposes only.
MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
© 2008 Microsoft Corporation. All rights reserved.
Mushtaq Naik