Windows Server 2008: New features and how they help manage and secure virtualized environments
Kirk Munro, MVP, Sr. Software Developer, Quest Software


Server Manager Product Installation Initial Configuration Managing Windows Server 2008

Server Manager

Read-Only Domain Controller
(Diagram labels: Main Office, Remote Site, RODC)
Features
– Read Only Active Directory Database
– Only allowed user passwords are stored on RODC
– Unidirectional Replication
– Role Separation
Benefits
– Increases security for remote Domain Controllers where physical security cannot be guaranteed
– Support ADFS, DNS, DHCP, FRS V1, DFSR (FRS V2), Group Policy, IAS/VPN, DFS, SMS, ADSI queries, MOM

Why Branch Offices Asked for RODC
(Diagram labels: Branch, Hub, Read Only DC, Windows Server 2008 DC, RODC)
1. User logs on and authenticates
2. RODC: Looks in DB: "I don't have the user's secrets"
3. Forwards Request to Windows Server 2008 DC
4. Windows Server 2008 DC authenticates request
5. Returns authentication response and TGT back to the RODC
6. RODC gives TGT to User and RODC will cache credentials

How RODC Mitigates “Stolen DC” Issues
– Attacker Perspective
– Hub Admin Perspective
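An added example (not from the original slides) of the hub admin's side of a stolen RODC: only accounts whose passwords were cached on that RODC need a reset, so list them and flag any privileged ones. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later, or RSAT) and PowerShell 3.0 or later; `BRANCH-RODC01` and the function name `Get-RodcExposure` are placeholders.

```powershell
# Added example, not part of the original deck.
# Assumes the ActiveDirectory module; 'BRANCH-RODC01' is a placeholder RODC name.
Import-Module ActiveDirectory

function Get-RodcExposure {
    param([Parameter(Mandatory = $true)][string]$RodcName)

    # Accounts whose passwords are currently stored (revealed) on this RODC.
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage `
        -Identity $RodcName -RevealedAccounts

    foreach ($account in $revealed) {
        $detail = Get-ADObject -Identity $account.DistinguishedName `
            -Properties adminCount, pwdLastSet
        [pscustomobject]@{
            Name            = $detail.Name
            Class           = $detail.ObjectClass
            # adminCount = 1 marks accounts protected by AdminSDHolder,
            # i.e. current or former members of privileged groups.
            Privileged      = ($detail.adminCount -eq 1)
            PasswordLastSet = [DateTime]::FromFileTimeUtc([long]$detail.pwdLastSet)
        }
    }
}

# Principals the Password Replication Policy explicitly allows or denies.
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity 'BRANCH-RODC01' -Allowed
$denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity 'BRANCH-RODC01' -Denied
"Allowed to cache: $($allowed.Name -join ', ')"
"Denied:           $($denied.Name -join ', ')"

# Every account in this list needs a password reset if the RODC is stolen.
$exposure = @(Get-RodcExposure -RodcName 'BRANCH-RODC01')
$exposure | Sort-Object Privileged -Descending | Format-Table -AutoSize
$exposure | Where-Object { $_.Privileged } | ForEach-Object {
    Write-Warning "Privileged account cached on RODC: $($_.Name)"
}
```

A warning here means the Password Replication Policy let a privileged credential reach the branch; tightening the Denied list removes that exposure before a theft rather than after.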

Windows Server Core
– Small subset of the executable files and DLLs installed
– No GUI interface, no .NET, no PowerShell
– Nine available Server Roles
– Managed with remote tools

Server Core

– A minimal installation option for Windows Server 2008
– Included with Standard, Enterprise, and Datacenter
– Available for x86 and x64
Includes
– A set of server roles: DHCP, File, AD, AD LDS, Media Services, DNS, and Windows Virtualization Services
– The following optional features: WINS, Failover Clustering, Subsystem for UNIX-based applications, Backup, Multipath IO, Removable Storage Management, BitLocker Drive Encryption, SNMP, Telnet Client
– Command Line interface, no GUI Shell

Active Directory Improvements
– Now called Active Directory Domain Services
– Fine Grained Password Control
– Restartable Domain Services
– Improved Auditing
– Improved Disaster Recovery
– Server Core Role
– Fully IPv6 compliant

Admin Role Separation
Problem:
– Too many accounts in the Domain Admins group
  – Most of these DAs are really server admins (patch management, etc)
Solution:
– Provides a new “local administrator” level of access per Read-Only Domain Controller
  – Also includes all Builtin groups (Backup Operators, etc)
– Prevents “accidental” Active Directory modifications by machine administrators
– Does not prevent “local administrator” from maliciously modifying the local DB
– This is only a true security feature for Read-Only DC

Group Policy Improvements
Category: Extending Coverage; Reliable and Efficient Application of Policy; Ease of Use
Key Features and Enhancements:
– New policy settings for new Windows Vista features
– New policy settings for existing key areas (security, desktop management, etc)
– A more secure, stable Group Policy engine
– Responsiveness to changing network conditions
– Enhanced troubleshooting capabilities (event/error logs)
– More granular application of local policy
– GPMC integration into the operating system
– Improved syntax and multilingual support for Admin Templates policy settings
– A solution to “sysvol bloat”

BitLocker™ Drive Encryption
– Group Policy allows central encryption policy and provides Branch Office protection
– Provides data protection, even when the system is in unauthorized hands or is running a different or exploiting Operating System
– Uses a v1.2 TPM or USB flash drive for key storage
(Diagram labels: Full Volume Encryption Key (FVEK), Encryption Policy)

Code Integrity Verification
The OS loader and kernel perform code signature checks
On 64-bit (x64) platforms:
– All kernel mode code must be signed in order to load
– Identity of all kernel mode binaries is verified
– System audit events for integrity check failures
On 32-bit platforms:
– Administrator prompted to install unsigned kernel mode code
– Load-time checks done on all kernel mode binaries, unsigned code allowed to load

Address Space Location Randomization (ASLR)
Prior to Windows Vista
– Executables and DLLs load at fixed locations
– Buffer overflows commonly relied on known system function addresses to cause specific code to execute
The Windows Vista loader bases modules at one of 256 random points in the address space
– OS images now include relocation information
– Relocation performed once per image and shared across processes
User stack locations are also randomized

Malware Protection with ASLR
(Diagram: three address-space layouts, each labeled ATTACK, listing the modules msvcrt, USER32, ADVAPI32, RPCRT4, GDI32, kernel32 and ntdll; the load addresses are not recoverable from the transcript.)
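An added example (not from the original slides): the loader only randomizes images that carry relocation information and are marked with the linker's `/DYNAMICBASE` flag, so a module without it still loads at a fixed address. This sketch reads that flag from the PE header; the function name `Get-PeAslrStatus` and the directory `C:\Program Files\ExampleApp` are placeholders, and PowerShell 3.0 or later is assumed.

```powershell
# Added example, not part of the original deck.
function Get-PeAslrStatus {
    param([Parameter(Mandatory = $true)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # DOS header: 'MZ' magic; e_lfanew at 0x3C holds the PE header offset.
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "Not a PE file (no MZ header): $Path"
    }
    $pe = [BitConverter]::ToInt32($bytes, 0x3C)
    if ($pe -lt 0 -or ($pe + 96) -gt $bytes.Length -or
        [BitConverter]::ToUInt32($bytes, $pe) -ne 0x4550) {
        throw "No valid PE signature: $Path"
    }
    # COFF Characteristics (PE+22): 0x0001 = IMAGE_FILE_RELOCS_STRIPPED.
    $coff = [BitConverter]::ToUInt16($bytes, $pe + 22)
    # DllCharacteristics sits 70 bytes into the optional header (PE+24) in
    # both PE32 and PE32+: 0x0040 = IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE.
    $dll = [BitConverter]::ToUInt16($bytes, $pe + 94)

    $dynamicBase   = [bool]($dll -band 0x0040)
    $relocStripped = [bool]($coff -band 0x0001)
    [pscustomobject]@{
        File          = Split-Path -Leaf $Path
        DynamicBase   = $dynamicBase
        RelocStripped = $relocStripped
        AslrEligible  = $dynamicBase -and -not $relocStripped
    }
}

# 'C:\Program Files\ExampleApp' is a placeholder directory to audit.
Get-ChildItem 'C:\Program Files\ExampleApp' -Recurse -Include *.exe, *.dll |
    ForEach-Object {
        try { Get-PeAslrStatus -Path $_.FullName }
        catch { Write-Warning $_.Exception.Message }
    } |
    Where-Object { -not $_.AslrEligible } |
    Format-Table -AutoSize
```

Any file listed in the output loads at its preferred base address in every process that uses it, which gives back the fixed addresses ASLR was meant to take away.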

Service Hardening
System services presented a large attack target
– Many were network facing and running as SYSTEM
– Bugs allowed for privilege elevation attacks
Security Improvements
– Concept of least privilege applied to services
  – Give few services full SYSTEM control
  – Reduce which services can use the network
  – Limit system exposure in case of compromise
– “Sandbox” such low privileged services
  – Limit the damage to Windows in case of take over

Service Hardening
Service-specific SIDs permit a service’s access to objects to be limited
– Only required objects give SID access
– Specified by most Windows 2008 services
– SIDs are marked disabled until service starts
– Firewall policy can be applied to service SID (and many services are now blocked at the firewall)
Write-restricted service processes further limit write access
– Can only modify objects allowing WRITE for service SIDs

Service Changes

Windows Server 2003
– LocalSystem: Wireless Configuration, System Event Notification, Network Connections (netman), COM+ Event System, NLA, Rasauto, Shell Hardware Detection, Themes, Telephony, Windows Audio, Error Reporting, Workstation, ICS, RemoteAccess, DHCP Client, W32time, Rasman, browser, 6to4, Help and support, Task scheduler, TrkWks, Cryptographic Services, Removable Storage, WMI Perf Adapter, Automatic updates, WMI, App Management, Secondary Logon, BITS
– Network Service: DNS Client
– Local Service: SSDP, WebClient, TCP/IP NetBIOS helper, Remote registry

Windows Server 2008
– LocalSystem, Firewall Restricted: Removable Storage, WMI Perf Adapter, Automatic updates, WMI, App Management, Secondary Logon
– LocalSystem, Demand started: BITS
– Network Service, Fully Restricted: DNS Client, ICS, RemoteAccess, DHCP Client, W32time, Rasman, browser, 6to4, Task scheduler, IPSEC Services, Server, NLA
– Network Service, Network Restricted: TrkWks, Cryptographic Services
– Local Service, No Network Access: Wireless Configuration, System Event Notification, Network Connections, Shell Hardware Detection, Rasauto, Themes, COM+ Event System
– Local Service, Fully Restricted: Telephony, Windows Audio, TCP/IP NetBIOS helper, WebClient, SSDP, Error Reporting, Event Log, Workstation, Remote registry
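An added example (not from the original slides) that rebuilds the same kind of per-service profile on a live server: the account each service runs as, whether it has a service SID or a write-restricted token, and whether its privileges were trimmed. It reads the `ServiceSidType` and `RequiredPrivileges` registry values that `sc.exe qsidtype` and `sc.exe qprivs` report; the function name `Get-ServiceHardening` is hypothetical and PowerShell 3.0 or later is assumed.

```powershell
# Added example, not part of the original deck. Run elevated on the server.
$sidTypeNames = @{ 0 = 'NONE'; 1 = 'UNRESTRICTED'; 3 = 'RESTRICTED' }
$root = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-ServiceHardening {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $key = Get-ItemProperty -LiteralPath (Join-Path $root $_.Name) `
            -ErrorAction SilentlyContinue
        # ServiceSidType: absent or 0 = no service SID, 1 = service SID added
        # to the token, 3 = write-restricted token.
        $sidType = 0
        if ($key -and $null -ne $key.ServiceSidType) {
            $sidType = [int]$key.ServiceSidType
        }
        # RequiredPrivileges: the privileges the service keeps; when absent,
        # the service keeps every privilege of its account.
        $privs = @()
        if ($key -and $key.RequiredPrivileges) {
            $privs = @($key.RequiredPrivileges)
        }
        [pscustomobject]@{
            Name           = $_.Name
            Account        = $_.StartName
            SidType        = $sidTypeNames[$sidType]
            PrivilegeCount = $privs.Count
        }
    }
}

$report = @(Get-ServiceHardening)

# Profile of the host: how many services per account and SID type.
$report | Group-Object Account, SidType | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Least-hardened profile: full SYSTEM, no service SID, no privilege list.
$report | Where-Object {
    $_.Account -eq 'LocalSystem' -and $_.SidType -eq 'NONE' -and
    $_.PrivilegeCount -eq 0
} | Sort-Object Name | Format-Table Name, Account, SidType -AutoSize
```

Third-party services tend to dominate the second table, since they are often installed as LocalSystem without opting in to any of the restrictions the slides describe.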

Windows PowerShell
– New Command-line shell & Scripting Language
– Improves productivity & control
– Accelerates automation of system admin
– Easy-to-use
– Works with existing scripts
– Remote server management via WMI

Windows PowerShell Resources
Hundreds of Scripts; Books & Training Materials; Community Support
– MS MVPs
– PowerShell Team Blog
– Active Newsgroup and User Groups
– Channel 9: DFO Show
– IIS.net
– Manning Publications
– O’Reilly Media
– Sapien Press & others…
– TechNet ScriptCenter
– Exchange Server 2007
– Terminal Server
– WMI, Registry, Hardware, etc.
– Community-Submitted scripts
– PowerShellCommunity.org

PowerShell

Resources
Windows Server 2008:
– Windows Server 2008 Administrator’s Companion by Charlie Russell
– Administering Windows Server 2008 Server Core by John Paul Mueller
– Core configuration commands: cscript C:\Windows\System32\SCRegEdit.wsf /cli
– CoreConfigurator: User Interface for key configuration items in Server Core
PowerShell:
– My Blog:
– PowerShell Community Site:
– PowerGUI Community Site:
– TechNet Script Center:
– PowerShell: TFM (2nd edition) by Don Jones (Sapien Press)
– PowerShell in Action by Bruce Payette (Manning)
– Key cmdlets to help you get started: Get-Help, Get-Command, Get-Alias, Get-Member, Get-PSDrive, Get-PSProvider, Get-PSSnapin
Bootcamp:
– (slide decks available June 1, 2008)

Questions? Kirk Munro, MVP Sr. Software Developer Quest Software