Windows Security Survival Guide
We encourage you to enhance this guide by identifying missing areas (scenarios, features, lifecycle...), providing links to and writing descriptions of existing content, and adding new content where there are gaps. Join the community!
Introduction
Many companies invest a good amount of money trying to protect their resources by adding more software, additional layers of protection, and also by enhancing policies and procedures to enforce security. However, many companies do not yet realize that many of those security goals can be accomplished by correctly configuring the Windows operating system and taking advantage of its built-in security features. The goal of this article is to give you the core foundation on Windows security and show how to take advantage of Windows operating system security capabilities to achieve your company’s security goals. This survival guide is yours; feel free to enhance it with your insights around this subject.
If you still have questions about why you should read the Windows Security Survival Guide, take a look at the following TechNet blog posts before you start reading this article:
- Exploring the Windows Security Survival Guide - Confidentiality
- Exploring the Windows Security Survival Guide - Integrity
- Exploring the Windows Security Survival Guide - Availability
Back to the Basics
Before moving into Windows’ security capabilities, it is important to go back to the fundamentals of the security triad and understand what your company is trying to accomplish by implementing a security program. The core elements of the security triad are:
- Confidentiality
- Integrity
- Availability
Companies are concerned about data confidentiality, with the goal of avoiding unauthorized access and information leakage. While confidentiality is a subject getting more and more visibility these days, there is also another core requirement for companies, called integrity. Having confidential information without accuracy doesn’t help either: companies require accurate information regardless of where it is stored and regardless of whether at some point that information needs to be in transit.
Notice that two states were used in the previous sentence: stored and in transit. At some point the information will need to be stored, and at some point it will be in transit for user consumption. In both states it is important that the information is always available, which means that availability is also a core requirement for companies. Based on this we can certainly affirm that Windows security is a part of this broader goal. That’s why, when planning information security in Windows server and client systems, it is vital to understand what Windows has to offer to help make the system more secure.
Getting Started
Since 2002, Microsoft has used the Microsoft Security Development Lifecycle as part of its regular software development process. This has helped Microsoft create software with a solid security foundation and has also lowered the attack surface of its products. While this is a great step towards more secure software right “out of the box”, many IT Pros rely 100% on that and don’t make the adjustments that their company needs in order to achieve its security objectives. For this reason it is important to get more engaged during security planning discussions to better understand corporate security needs and requirements, instead of just saying “well, this is already blocked by default, so it doesn’t matter.” IT Pros’ engagement in the security space is a necessary step toward a more secure ecosystem. The links below introduce some of the terminology that we expect IT Pros to be familiar with:
- TechNet Library: A Look Inside the Security Development Lifecycle at Microsoft
- TechNet Library: Security Fundamentals
- TechNet Library: Security Threats
- TechNet Library: Security Risk Management Guide
- TechNet Library: Security Watch The Challenge of Information Security Management
- TechNet Webcast: Essentials of Security (Level 200)
- TechNet Webcast: Security Risk Management: Concepts and Prerequisites (Level 300)
- TechNet Webcast: Security Risk Management: Risk Assessment (Level 300)
- TechNet Edge: Security Compliance Manager with Microsoft Product Unit Manager Chase Carpenter
Note: Microsoft also offers an academic exam to validate core security fundamentals; the exam is 98-367 – Security Fundamentals (Microsoft Learning site).
Understanding the Threat Landscape
In order to better protect the systems, you need to understand the evolving threat landscape that your company is going to face once it decides to implement a security policy throughout the enterprise. Identifying the potential threats that your company is facing, and how Windows can assist in making the system more secure, is vital to a more cohesive security program across the company. The articles below will help you identify the threats, countermeasures and other elements that are part of this security planning.
- Download Center: Threats and Countermeasures - Security Settings in Windows Server 2008 and Windows Vista
- TechNet Library: IT Infrastructure Threat Modeling Guide
- TechNet Library: Infrastructure Planning and Design Guide for Malware Response
- TechNet Library: Security Monitoring and Attack Detection Planning Guide
- Podcast: Using the Microsoft Security Intelligence Report v8 in an Evolving Threat Landscape
- MSDN Library: Evaluating Security Threats
- Security Compliance Manager Wiki
- MSDN Library: Uncover Security Design Flaws Using The STRIDE Approach
Reducing the Attack Surface
One way to reduce the attack surface of the Windows operating system is to harden it: disable services that will not be used by the role(s) that you are implementing on the server, adjust system settings to provide a more secure configuration, and change the service accounts used by some applications. For example, if you are deploying Windows Server 2008 as a web server, there are some services you can safely disable since they will not be used by the Web Server role. Microsoft offers a comprehensive guide to hardening Windows Server; however, it is important to identify whether the application that will run on top of Windows Server supports that hardening procedure. Some applications will not work properly if the hardening is not done correctly, or if the security is too restrictive and doesn’t allow the application to function as it should.
A classic example of that is Microsoft Forefront Threat Management Gateway: the only supported way to harden the Windows Server operating system on which Forefront TMG will be installed is by following the guidelines in the Hardening the Windows infrastructure (TechNet Library) article or by running the Security Configuration Wizard (TechNet Library) with the Forefront TMG 2010 template. To avoid supportability issues, make sure to verify the support statement of the application that will be installed on the Windows Server that you are hardening. The links below provide the core references for Windows hardening:
- TechNet Library: What's New for Operating System Hardening and Integrity for Windows Server 2008
- Podcast: Hardening Windows Server 2008 Deployments with the Windows Server 2008 Security Guide
- Download Center: Windows Server 2008 Security Configuration Wizard
- Download Center: Windows Server 2008 Security Guide
- Solution Accelerators site: Security Compliance Manager Demo
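As an added example (not part of the original guide or of Microsoft’s hardening guides), the following PowerShell script records a baseline of service start types before hardening and reports what changed afterwards; that record is the evidence you need when checking a hardening step against an application’s support statement. It assumes Windows PowerShell 5.1 or later and an arbitrary baseline path; it only audits and changes nothing.

```powershell
# Added example, not part of the original guide: snapshot Windows service
# configuration before hardening and report drift afterwards (audit only,
# nothing is changed). Assumes Windows PowerShell 5.1+ (Get-Service exposes
# StartType); the baseline path is an arbitrary choice.
param(
    [ValidateSet('Baseline', 'Compare')]
    [string]$Mode = 'Compare',
    [string]$BaselinePath = "$env:ProgramData\HardeningBaseline\services.xml"
)

function Get-ServiceSnapshot {
    # Store Status and StartType as strings so they compare cleanly after
    # a round trip through Export-Clixml / Import-Clixml.
    Get-Service | Select-Object Name, DisplayName,
        @{ n = 'Status';    e = { [string]$_.Status } },
        @{ n = 'StartType'; e = { [string]$_.StartType } }
}

switch ($Mode) {
    'Baseline' {
        New-Item -ItemType Directory -Force -Path (Split-Path $BaselinePath) | Out-Null
        $snap = Get-ServiceSnapshot
        $snap | Export-Clixml -Path $BaselinePath
        Write-Output "Saved baseline of $($snap.Count) services to $BaselinePath"
    }
    'Compare' {
        if (-not (Test-Path $BaselinePath)) {
            throw "No baseline at $BaselinePath; run with -Mode Baseline before hardening."
        }
        $before = Import-Clixml -Path $BaselinePath
        $after  = Get-ServiceSnapshot

        # Services whose StartType differs from the baseline (for example
        # Automatic -> Disabled after running the Security Configuration Wizard).
        Compare-Object -ReferenceObject $before -DifferenceObject $after `
                       -Property Name, StartType -PassThru |
            Sort-Object Name |
            Select-Object Name, DisplayName, StartType, Status,
                @{ n = 'Snapshot'; e = { if ($_.SideIndicator -eq '<=') { 'before' } else { 'after' } } } |
            Format-Table -AutoSize

        # A service set to Disabled but still Running has not actually been
        # hardened yet: it needs Stop-Service or a reboot to take effect.
        $after | Where-Object { $_.StartType -eq 'Disabled' -and $_.Status -eq 'Running' } |
            ForEach-Object { Write-Warning "$($_.Name) is configured Disabled but is still running" }
    }
}
```

Run it once with `-Mode Baseline` before applying a hardening template, then with `-Mode Compare` after; the table lists every service whose start type changed, one row per snapshot.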
Another important point to consider while planning to reduce the attack surface is to make sure that the systems are correctly patched with the latest updates. In order to do that, the company needs to plan how it will deploy those updates across all platforms. Microsoft recently released the second edition of the Security Update Guide (Download Center), which brings best practices for deploying updates using WSUS.
Confidentiality
As previously explained, one of the information security pillars is called confidentiality. Confidentiality is concerned with data privacy, and Windows has a variety of features that can assist in this regard. The features that Windows offers for keeping information confidential vary according to how the information is accessed: locally or remotely. Data can be leaked while in transit via a wired or wireless network. The data privacy risk while data is transiting the network increases if the data is transiting without encryption, and the risk becomes even higher if the data is flowing unencrypted on a public network such as the Internet. For this reason, consider the need to ensure data privacy while transmitting data from one source to another via a specific network system.
There is also a false sense of security when accessing data locally, and data can be leaked on private networks in many ways. Many users think that if they are on the intranet there is nothing to fear; however, data can be temporarily stored and then accessed later by malicious code running on the local computer. For this reason it is important to consider Windows resources that can assist in protecting the data locally.
In the pages referenced below you will find not only the theory behind the technology (including network protocols such as IPsec) but also step-by-step guides, webcasts, deployment resources and test labs:
- Encrypting File System
- BitLocker Drive Encryption
- User Account Control
- Too much rights means more risk - using standard users
- Podcast: Malware, Isolation and Security Boundaries: It’s Harder Than It Looks
Integrity
The most basic definition of data integrity is the assurance that the data hasn’t changed while moving from point A to point B. Moving from point A to point B also means that the data will be in transit. As explained in the previous section, data in transit can be either local or over a network (wired or wireless). Some of the technologies Windows uses in the confidentiality space overlap with integrity requirements. The links below cover the main Windows features that address integrity.
- Core PKI Services: Authentication, Integrity, and Confidentiality
- Internet Protocol Security Enforcement in the Network Access Protection Platform
- Descriptions of the IPsec Algorithms and Methods
- Add or Edit Integrity and Encryption Algorithms
- Audit System Integrity
- Forced Integrity Signing of Portable Executable (PE) files
- Integrity Algorithms
- Software Restriction Policies
- Using Software Restriction Policies to Protect Against Unauthorized Software
- What is the Windows Integrity Mechanism?
- Mandatory Integrity Control
Availability
All the security pillars previously mentioned are very important to maintaining data security, but beyond confidentiality and integrity there is another core pillar that must be in place in order to have access to the data: availability. Having strong mechanisms in place to enforce confidentiality and integrity without addressing availability is a high-risk operation. These days, when users are working remotely and accessing corporate resources from anywhere, it is very important that the connection is available when they need it, that the authentication server is available when they need it, and above all that the data is available when they need it. Windows Server has many built-in features that help address this need. The main features for high availability are listed below:
- Windows Server 2008 High Availability Program
- Windows Server 2008 R2 High Availability
- Failover Clustering
- Windows Server 2008 Network Load Balancing Deployment Guide
- Backup and Recovery
- WHEA - Windows Hardware Error Architecture
- Podcast: High Availability Basics with Windows Server 2008 R2 Hyper-V
Tools
While there are tools that were developed to fulfill a security need, for example the Microsoft Assessment and Planning (MAP) Toolkit for PC Security, there are many other tools that were originally created to deal with different aspects of the Windows operating system but can also be used for security purposes. A great example of that is demonstrated in the article Analyzing a Stuxnet Infection with the Sysinternals Tools. Currently we have an article in the TechNet Library that shows core security tools that can be used in different scenarios, and you can also find other security-related tools on the Security TechCenter page.
Other Resources
While this guide can assist you in addressing the security triad, it is important to keep in mind that there are many other techniques that can also help you keep data more secure. Different security approaches can be used in different scenarios. Some companies might want to use one approach, while for others the same approach is not even possible. Think through the real needs, as there is no hard formula for implementing security on Windows; it’s all about the needs, about how to keep the system more secure for specific needs. Here are some other important articles that can assist you while deciding which approach to use.
- The Great Debate: Security by Obscurity
- Cloud Security Approach in a Nutshell
- A Proactive Approach to Building a Successful Security Development Lifecycle
- Security basics: What to include in your IT security plan
- Infrastructure Planning and Design Guide for Malware Response
- Getting Started with Security and Claims-Based Identity Model
- Microsoft Security and Audit Handbook
- How To: Harden the TCP/IP Stack
- CIS Windows Server 2008 Benchmark v1.0.0
- Security Compliance Manager (previously Windows Security Guides)
- Security Best Practices
- Microsoft Security Solution Accelerators
- Threat and Countermeasures Guide for Windows Server 2008 R2 and Windows 7
- Information Systems Audit and Control Association
Call to Action
This is a living document that we are starting now and giving to you as a base to expand. Do you want to get engaged on this? Make sure to read the guidelines from Wiki: How to Contribute and have a great time helping the community grow.
See Also
This article was originally written by:
Yuri Diogenes, Senior Technical Writer Windows Server iX | IT Pro Security Microsoft Corporation
Yuri’s Blog: http://blogs.technet.com/yuridiogenes Team’s Blog: http://blogs.technet.com/b/securitycontent Twitter: http://twitter.com/yuridiogenes
Why build Community Based Content? See the answer here.