Microsoft Windows 2008 Server
Background
It's Windows, it's Microsoft.
For these tests, VFX is using Windows 2008 Server Enterprise Edition. We set it up with 768 MB RAM and a 36 GB virtual HD.
Using the MSDN ISO, we set up VMware with the x64 install (provided you are using an x64 CPU). Installation of VMware Tools works just fine using VMware Server 1.0.4 and VMware Workstation 6.0.2.
Default Policies
Microsoft hasn't done much to change the default policies supplied with Windows Server 2008.
Default Domain Policy
The default layout of the Default Domain Policy in screenshots.
Default Domain Controller Policy
The default layout of the Default Domain Controller Policy in screenshots.
Security Implications
All the basic principles from Windows 2000 Server and Windows 2003 Server apply. We're going to cover the additional measures as applied to Windows 2008 Server(s).
The 'File Services' role allows for indexing. A consideration here is which users can search for files on the share, since search results may give up information.
NTLM and LanMan
Microsoft has finally moved away from storing LanMan (LM) password hashes in AD, but in review they still have "Network Security: LAN Manager authentication level" set to "Send LM & NTLM responses on server". Windows Server 2008 sets this to Enabled by default. If the policy is left unconfigured, Vista sets it to Enabled and XP sets it to Disabled.
Complexity Requirements and Length
By default, complexity requirements on passwords are enabled on domain controllers but disabled on stand-alone servers. Member computers follow the configuration of their domain controllers.
Similarly, the minimum password length is set to 7 characters on domain controllers but to 0 on stand-alone servers. Member computers follow the configuration of their domain controllers.
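As an added example (not part of the original review), the following PowerShell audit reads a `secedit /export` file and flags the settings discussed in the two sections above: the LAN Manager authentication level, whether LM hashes are stored, and the password length/complexity defaults. The INF layout is the standard secedit format; the sample export embedded below is constructed so the function can be exercised offline.

```powershell
# Added example, not from the original page. Parses a secedit INF export and
# reports the NTLM/LanMan and password-policy settings the review describes.
function Get-SecurityPolicyFindings {
    param([string[]]$IniLines)
    $settings = @{}
    foreach ($line in $IniLines) {
        # "Key = Value" lines; section headers such as [System Access] are skipped
        if ($line -match '^\s*([^=\[\]]+?)\s*=\s*(.*)$') {
            $settings[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    $lmNames = @{
        0 = 'Send LM & NTLM responses'
        1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
        2 = 'Send NTLM response only'
        3 = 'Send NTLMv2 response only'
        4 = 'Send NTLMv2 response only. Refuse LM'
        5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
    }
    $findings = @()
    # secedit writes registry values as "<type>,<data>", e.g. "4,0" for a REG_DWORD of 0
    $lsa = 'MACHINE\System\CurrentControlSet\Control\Lsa\'
    $lmRaw = $settings[$lsa + 'LmCompatibilityLevel']
    if ($null -eq $lmRaw) {
        $findings += 'LmCompatibilityLevel not set by policy; the OS default applies'
    } else {
        $level = [int]($lmRaw -split ',')[-1]
        $state = if ($level -ge 3) { 'OK' } else { 'WEAK: LM/NTLMv1 responses still sent' }
        $findings += "LAN Manager authentication level: $level ($($lmNames[$level])) [$state]"
    }
    $noLmRaw = $settings[$lsa + 'NoLMHash']
    $noLm = if ($null -eq $noLmRaw) { 0 } else { [int]($noLmRaw -split ',')[-1] }
    $findings += "Do not store LM hash: $noLm [" + $(if ($noLm -eq 1) { 'OK' } else { 'WEAK' }) + ']'
    $minLen = [int]$settings['MinimumPasswordLength']   # absent key -> 0, the stand-alone default
    $complex = [int]$settings['PasswordComplexity']
    $findings += "Minimum password length: $minLen [" + $(if ($minLen -ge 7) { 'OK' } else { 'WEAK' }) + ']'
    $findings += "Password complexity: $complex [" + $(if ($complex -eq 1) { 'OK' } else { 'WEAK' }) + ']'
    return $findings
}

# Constructed sample export reflecting the stand-alone server defaults described above.
$sample = @'
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
'@ -split "`r?`n"
Get-SecurityPolicyFindings -IniLines $sample
```

On a real host, replace `$sample` with `Get-Content` of the file produced by `secedit /export /cfg <path>` (run from an elevated prompt); secedit writes the file as Unicode, which Get-Content reads via its BOM.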
Kerberos Authentication
Microsoft has finally updated Kerberos for MIT Kerberos interoperability. They have added 128- and 256-bit AES encryption to their Kerberos authentication, something Microsoft skipped in Server 2003, where they relied instead on 56-bit DES for MIT Kerberos interoperability.
Wired Network Policies
New to Windows Server 2008 and Vista are Group Policy settings for the Wired Network Auto Config service on clients. This policy allows for 802.1X authentication and single sign-on features.
Wireless Network Policies
The 2008 AD allows for defining group policies for XP and Vista wireless networks. Since XP and Vista handle wireless differently, policies must be set independently of each other. Some of the differences in Wireless Active Directory Group Policies include:
| Setting | Windows XP | Windows Vista |
| --- | --- | --- |
| Use Windows WLAN AutoConfiguration | Yes | Yes |
| Prevent Ad-Hoc Connections | No | Yes |
| Prevent Infrastructure Connections | No | Yes |
| Deny Access to Network based on SSID | No | Yes |
| Use only Group Policy for Allowed Networks | No | Yes |
| Perform cryptography in FIPS 140-2 Certified Mode | No | Yes |
Wireless Policy Screenshots

Default setup of a Windows XP Wireless Policy. These screenshots include both Ad-Hoc and Infrastructure modes.

Default setup of a Windows Vista Wireless Policy. These screenshots include both Ad-Hoc and Infrastructure modes.
Windows Firewall with Advanced Security
In review of this area, you can set Group Policies by Program, Port (TCP or UDP only), Predefined, or Custom. Rules can be applied to inbound or outbound connections. By default, no rules are set, which is expected since every network is different.
In reviewing the Custom rule section, Microsoft appears to allow completely customizable rules: you can define any protocol number (or choose from a set of predefined protocols), remote and local ports, remote and local IP addresses, an action of allow (or allow only secure connections) or block, the specifically designated computers the rule applies from and to, and when the rule is applied (when the computer is attached to the domain, a public, or a private network).
Another section of interest is the "Connection Security Rules". There are several rule types underneath, some of which specifically refer to what Vista incorporates into the domain Group Policies: Isolation (restrict connections based on authentication criteria, such as domain membership or health status), Authentication exemption (do not authenticate connections from the specified computers), Server-to-server (authenticate connections between the specified computers), Tunnel (authenticate connections between gateway computers), and Custom-defined rules.
Device Restrictions
As the security risk of USB and other portable media becomes more prevalent, Server 2008 and Vista allow restricting the use of certain types of removable media.
Sleep and Hibernating Settings
With it becoming more widely known that Whole Disk Encryption (WDE) keeps keys and passwords in memory, where they can be read to bypass the encryption if the computer goes into sleep mode, you now have the option of disabling various portions of the S3 sleep and hibernation functions. Of course, this only applies to Vista.
Misc and Other Settings
Microsoft has finally decided to allow administrators of clients running Vista to turn off startup sounds. No more Windows boot sounds.