Performance and Security of Windows Server - Case Study Example

Windows 2003 Server Security Windows Server 2003 is the next generation of server operating systems. It is more scalable and delivers better performance as compared with previous server products from Microsoft. By default the server components of Windows Server 2003 are disabled for security purposes. It is also compatible with older applications. It also has an enhanced Active Directory compatibility. The IIS web server has improved performance and security. Windows Server 2003 also allows multiple DFS roots to be installed and configured on a single server. Microsoft has paid more attention to security in Windows Server 2003. One of the key features of Windows Server 2003 security is the Common Language Runtime software engine. It ensures that programs can be run with the proper permissions and without any errors. It also allows the sharing of encrypted files which allows the person who encrypts any file to give other people the ability to decrypt the file. Offline files can also be encrypted by EFS. Another security feature of Windows Server 2003 is the ability to restrict the software running on any machine using software restriction policies. They can be applied at any level. They are beneficial in preventing the running of malicious programs like viruses and Trojans. Authentication support for Extensible Authentication Protocols has also been provided in the operating system. Further certificates can be enrolled and renewed automatically to deploy smart cards. Other new security features of Windows Server 2003 are the integration of Passport with Active Directory. The operating system also supports the mapping of Active Directory user accounts to passport accounts. Windows Sever 2003 has been designed to provide multiple levels of security to protect data and control the ability of users to access resources. The operating system allows the setting of permissions at File Level, Shared Folder and Active Directory level. NTFS level permissions are set on the files and folders which are present on the server’s disk system. Only authenticated users can access the file system. Shared Folder permissions are accessed by users through shares. These permissions determine the level of access that the user has to the data accessed through the share. They are applied together with NTFS permissions. Permissions can also be set for the share object in the Active Directory. This is done to control access to the share object. Several default permissions are assigned directly to the object once the shared folder is created in the Active Directory (Shinder). Setting user rights and privileges is another way to control access to resources and is one of the key security features of Windows Server 2003. User rights are inherited from parent objects. User rights affect how a user logs on to a system and who can shut down a server. User rights, NTFS and Shared Folder permissions are usually set for an entire group instead of for one single user. Windows Server 2003 offers a variety of permissions and user rights for administrators to configure for different users and organizations. Windows Server 2003 Group Policy Object Editor is a powerful and versatile tool for assigning multiple levels of security according to the users and requirements of an organization. Windows Server 2003 has more security features for IIS 6.0. It disables internet access, scripts and FrontPage extensions by default. No websites are allowed because internet explorer access is restricted to High Security Zone. Authentication settings for IIS control the access of users. It can be configured to enable anonymous access which enables users to access the site without logging on. Another way of authentication is integrated Windows authentication which is secure and hashes the user name and password for network transmission. Digest authentication for Windows domain servers is another security feature of Windows Server 2003. .NET Passport Authentication is a new form of authentication which is a feature of IIS 6.0 (Melber). Windows Server 2003 has many security policies. Account policy allows the administrator to define password requirements and Kerberos key policies. Audit policy protects the computer from failed logon attempts and allows access to specific resources. Another type of security policy is cryptographic policy which gives administrators the ability to control the algorithms used by TLS/SSL. Server 2003 also has domain and firewall policies which allow adding and removing computers and setting standard policies for Windows firewall. Server 2003 also allows the use of smart card usage policy which allows smart cards to be used for authentication. PKI policy allows Server 2003 to support digital certificates issued by the Windows Server 2003 certification authority. EFS is also extensively available in Windows Server 2003. In order to encrypt files and folders, a user must have a valid X.509 certificate. EFS generates a self signed certificate. Server 2003 also has support for IPv6 addressing which uses 128 bit addressing. It also provides better security and performance for IP communications. The large address space of Ipv6 provides extra security by making it time consuming for potential attackers to make network scans of possible addresses. This is a very basic level of security which nevertheless provides some measure of security that is aimed at slowing down any potential intruder. It also has built in support for IP Security Protocol. IPSec provides data confidentiality and authentication using encapsulating and authentication headers. IPv6 also provides support for temporary address support. This can enhance security by providing anonymity for users who access the internet (Melber). Server 2003 has a Security Configuration Wizard which provides a flexible process to reduce any attacks on servers. SCW is a collection of tools which are combined with an XML rules database. Using SCW, administrators can test and deploy security policies. This tool can also roll back security policies and provides native support for security policy management on servers. SCW can be used to determine which services are required, which services need to be run and which services can be disabled. It also can manage network port filtering and control IIS Web extensions which are allowed for Web servers. It can also create audit policies to capture network events. Security policies can be created and tested using SCW. These policies can be for a single server or for groups of servers. Policies can be managed from a single location. These policies allow the hardening of servers from potential security threats. SCW is integrated with IPsec and Windows Firewall. SCW can be used to create port filters and custom scripts to set or modify IPsec. Server 2003 allows the application of Group Policy security settings at the Domain Level. This addresses the account and password policies which must be enforced for all servers in any domain. Group Policy objects allow configuration management solutions to be implemented. Account policies like password policy, account lockout policy and Kerberos policy security settings can be implemented at the Domain Level. Account lockout policies allow the administrator to track the number of failed and successful logon attempts which resulted in the initiation of account lockouts. Password policy settings can also be implemented at the Domain Level. Strong security policies are required for the setting of passwords. Enforce password history is a policy which determines the number of unique new passwords which must be associated with a user account. The default value for setting passwords in Windows Server 2003 is a maximum of 24 passwords. Maximum password age is a policy sets a specific number of days in which a password expires. This makes it difficult for crackers to access a computer before the password has expired. Another policy which can be configured is that of minimum password age which determines the number of days that a password must be used before a user can change it. Minimum password length ensures that passwords have at least a specified number of characters. Another security feature of Server 2003 is that the password must meet complexity requirements. This policy checks all new passwords and ensures that they meet the complexity requirements. Audit policies are another feature of Windows Server 2003. They aim to enhance security by allowing network events to be audited. Audit policies also record user and computer activities in specified categories. Administrators can monitor security objects, users that attempt to log on to any computer and any changes made in audit policy. Audit policies are an integral feature of any comprehensive security plan. They offer a versatile tool for administrators to monitor and track security breaches. Audit account logon events determine whether to audit each instance of a user who logs on to or off from another computer that validates the account. Authentication of a domain user account on a domain controller generates an account logon event that is logged in the domain controller's Security log. Authentication of a local user on a local computer generates a logon event that is logged in the local Security log. No account logoff events are logged. This policy can be effective in configuring various baseline policies. It also effectively logs success and failure events for audit policies (Bird). Audit account management determines whether to audit each account management event on a computer. Organizations need to be able to determine who creates, modifies, or deletes both domain and local accounts. Unauthorized changes could indicate mistaken changes made by an administrator who does not understand how to follow organizational policies, but could also indicate a deliberate attack. This policy allows administrators to check the success values for baseline policies. Audit account management policies are very crucial for network and server security. The NTFS file system with its default permissions and rights has been modified and improved under Microsoft Windows Server 2003. Additional restrictions to execute certain tools have also been added to NTFS file system. These restrictions are helpful as they prevent any potential attacker with privileges to execute any Trojans or malicious software. Several user accounts are built in Windows Server 2003. Guest account is disabled by default during installation of member servers and domain controllers. The built in Administrator account is also renamed to prevent potential attackers from trying to compromise the server. The Windows 2003 server consist of a number of command-line utilities, visual basic scripts, GUI based applications, and documents - all of which you must install from a separate application. The Support Tools are not automatically installed when you install Windows 2003; their installation isn’t an option in the Windows 2003 setup. In order to install it requires approximately 24MB of free space for a full installation. This tools consist of a number of command-line utilities, visual scripts, GUI based applications, and documents. One of the recommended practices for administrators is that the default port numbers for applications should be changed. The Security Event Viewer is another feature of Windows Server 2003 which allows logon auditing. By default Windows Server 2003 disables unnecessary services during installation. However it is also recommended by Microsoft that once the server is fully operational all extra and unnecessary services must be disabled to prevent potential attackers from exploiting vulnerabilities (Bird). Windows Server 2003 offers a versatile and unique way of securing your system. It has many new enhanced security features. Server 2003 also has support for IPv6 addressing which uses 128 bit addressing. It also provides better security and performance for IP communications. The large address space of Ipv6 provides extra security by making it time consuming for potential attackers to make network scans of possible addresses. This is a very basic level of security which nevertheless provides some measure of security that is aimed at slowing down any potential intruder. Windows Sever 2003 has been designed to provide multiple levels of security to protect data and control the ability of users to access resources. The operating system allows the setting of permissions at File Level, Shared Folder and Active Directory level. NTFS level permissions are set on the files and folders which are present on the server’s disk system. Only authenticated users can access the file system. Shared Folder permissions are accessed by users through shares. Server 2003 has a Security Configuration Wizard which provides a flexible process to reduce any attacks on servers. SCW is a collection of tools which are combined with an XML rules database. Using SCW, administrators can test and deploy security policies. This tool can also roll back security policies and provides native support for security policy management on servers. SCW can be used to determine which services are required, which services need to be run and which services can be disabled. It also can manage network port filtering and control IIS Web extensions which are allowed for Web servers. It can also create audit policies to capture network events. Works Cited: Bird, Drew. "Eight Steps to a More Secure Win2k3 Server." Enterprise networking Planet. 2004. 25 Jan 2008 . Shinder, Deb. "Implementing EFS in a Windows Server 2003 Domain." WindowsSecurity.Com. 2006. WindowsSecurity.Com. 25 Jan 2008 . Melber, Derek. "Securing Windows Member Servers." WindowsSecurity.Com. 2006. WindowsSecurity.Com. 25 Jan 2008 . Read More