Monday, January 28, 2008
Windows Server 2003 Security Guide
Who Should Read This Guide
This guide is primarily intended for consultants, security specialists, systems architects, and IT professionals who are responsible for the planning stages of application or infrastructure development, and the deployment of Windows Server 2003. These roles include the following common job descriptions:
● Architects and planners responsible for driving the architecture efforts for the clients in their organizations.
● IT security specialists focused purely on providing security across the platforms within their organizations.
● Business analysts and business decision makers (BDMs) with critical business objectives and requirements that depend on client support.
● Consultants from both Microsoft Services and partners who need detailed resources of relevant and useful information for enterprise customers and partners.
Scope of this Guide
This guide is focused on how to create and maintain a secure environment for computers running Windows Server 2003 in your organization. The material explains the different stages of how to secure the three environments defined in the guide, and what each prescribed server setting addresses in terms of client dependencies. The three environments considered are labeled Legacy Client, Enterprise Client, and High Security.
● The Legacy Client settings are designed to work in a Microsoft Active Directory® domain with member servers and domain controllers running Windows Server 2003, and clients running Microsoft Windows® 98, Windows NT 4.0 and later.
● The Enterprise Client settings are designed to work in an Active Directory domain with member servers and domain controllers running Windows Server 2003, and clients running Windows 2000, Windows XP, and later.
● The High Security settings are also designed to work in an Active Directory domain with member servers and domain controllers running Windows Server 2003, and clients running Windows 2000, Windows XP, and later. However, the High Security settings are so restrictive that many applications may not function. For this reason, the servers may encounter some impact on performance, and managing the servers will be more challenging.
Hardening guidance is provided for a group of distinct server roles. The countermeasures described and the tools provided assume that each server will have a single role. If you need to combine roles for some of the servers in your environment, you can customize the security templates included with this guide so that the appropriate combination of services and security options is configured for the servers with multiple roles. The roles covered by this guide include:
● Domain controllers
● Infrastructure servers
● File servers
● Print servers
● Internet Information Services (IIS) servers
● Internet Authentication Services (IAS) servers
● Certificate Services servers
● Bastion hosts
The settings recommended in this guide were tested thoroughly in lab environments depicting those described above: Legacy Client, Enterprise Client, and High Security. These settings were proven to work in the lab, but it is important that your organization test these settings in your own lab that accurately represents your production environment. It is likely that you will need to make some changes to the security templates and the manual procedures documented within this guide so that all of your business applications continue to function as expected. The detailed information provided in the companion guide, Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, which is available for download at http://go.microsoft.com/fwlink/?LinkId=15159, gives you the information you need to assess each specific countermeasure and to decide which of them are appropriate for your organization's unique environment and business requirements.
Thursday, January 24, 2008
Windows XP Remote Desktop
You've finally arrived at your hotel room, and you're ready to relax before giving your important presentation tomorrow. But when you open your laptop, you realize that you forgot to transfer the current version of your presentation from your Windows XP Professional Edition home or office computer to your mobile machine. No one's at home to email you the file. Unless you can find some way to access the file, you've got a long night ahead of you.
But if you've installed the Remote Desktop Connection client software on your laptop and enabled XP Pro's Remote Desktop feature on your home or office system, you're in luck. You can use this single-user version of Windows Terminal Services to log on remotely to your home computer—access it as if you were sitting at your desk—and copy the presentation to your laptop's local hard disk. Remote Desktop can give you remote access—complete with full color and sound—to local disk drives on an XP Pro workstation. You can copy files between computers that aren't on the same network, or you can access a powerful but inconveniently located system from a less powerful but mobile machine.
Windows Terminal Services 101
During the past few years, Microsoft has begun to embrace the benefits of multiuser computing. Terminal Services is a core service in all Windows 2000 Server products. Until XP, Terminal Services worked in this way: Users at desktop client machines ran applications that resided on the server (called the terminal server) and displayed the output on the client. Win2K and later server products support Terminal Services in one of two modes: Remote Administration mode, which gives administrators remote control of a server, or Application Server mode, which lets users run applications from the server. Remote Administration mode permits as many as two remote administrative connections in addition to the server's console connection; Application Server mode permits as many simultaneous connections as the server license specifies.
In a Terminal Services environment, client computers connect to a terminal server through a display protocol that sends graphical output to the client's monitor and accepts keystrokes and mouse clicks from the client. The native Windows protocol is RDP; RDP 5.0, which Terminal Services uses, supports automatic client-printer mapping and a shared clipboard that lets users copy text between sessions or between local and remote applications. However, RDP 5.0 has a 256-color display limit, doesn't provide sound support, and doesn't map client-side drives to the terminal session.
All earlier versions of Terminal Services were limited in that you could use them only when you bought a server OS—you had no way to get Terminal Services functionality on a personal OS. With the release of XP Pro, Terminal Services functionality has finally reached the desktop. Through its Remote Desktop feature, XP Pro uses Terminal Services to provide remote access to a PC.
Ready for Remote Desktop
Remote Desktop provides single-connection remote access to the computer. This setup is similar to Terminal Services in Remote Administration mode in that you don't need to purchase extra licenses to use it. However, Remote Desktop permits only one remote connection and either shuts down the host system's local console when someone launches a remote session or shuts down the remote session when someone logs on to the console. (If, for example, you use an account name to log on at the console, then later use the same account name to connect remotely, Remote Desktop automatically shuts down the console session. If you use a different account name to connect remotely, Remote Desktop warns you that continuing will lock out another session and asks whether you want to continue.)
XP Pro doesn't permit incoming Remote Desktop connections by default. To configure a host system to accept incoming connections, open the Control Panel System applet and go to the Remote tab. Select the Allow users to connect remotely to this computer check box, then click OK. Enabling remote connections doesn't give all users automatic access to the host computer: The setting simply lets members of the local and Domain Administrators groups initiate an RDP session and provide their logon credentials.
You can permit accounts outside of these groups to use Remote Desktop. On the Remote tab, click Select Remote Users to see a list of permitted Remote Desktop users. To add users to this list (which will be empty at first), click Add to open the Select Users dialog box. Choose the source of the accounts you want to add (you can choose from computer-based accounts or from domain accounts if the XP system is part of a domain). If you know the exact name and spelling of the account you want to add, enter the name as ComputerName\UserName or DomainName\UserName (click the Examples link to see examples of the correct formats). If you don't know the exact name, click Advanced, then click Locations. Choose the computer or domain that you want to browse, then choose the type of object you want to browse for (Users only for computer-based accounts or Users and/or Groups for domain accounts). Click Find Now. The area at the bottom of the dialog box will populate with the applicable account objects from the chosen location. Select the account or accounts that you want to add (you can use the Ctrl key to select multiple accounts), then click OK. Click OK again to close the Select Users dialog box. The chosen accounts now appear in the permitted users list.
XP's RDP client is Remote Desktop Connection. XP Pro and XP Home Edition automatically install the client on a system during OS installation. To use Remote Desktop Connection on earlier Windows systems, you can install the Remote Desktop Connection client from the XP CD-ROM, or you can download that client (for free) from Microsoft at http://www.microsoft.com/windowsxp/pro/downloads/rdclientdl.asp. The 3.4MB download file is called msrdpcli.exe. Run this file and follow the installation wizard to accept the license agreement, choose whether Remote Desktop Connection should be available for all people using the computer or just for the person installing the client, and install the support files. Installing Remote Desktop Connection on a Win2K or Windows 9x computer permits you to connect to another computer; the client doesn't permit other computers to connect to your system.
After you install Remote Desktop Connection, connecting to the remote XP computer is easy. Select Programs, Accessories, Communications, Remote Desktop Connection to open the Remote Desktop Connection dialog box. Type the name of the host system in the Computer text box, then click Connect. The connection automatically opens in full-screen mode, and the host computer's desktop completely replaces the local desktop at the local resolution. To see your local desktop, move the mouse to the upper center of the screen. A tab with the name of the host computer appears alongside the typical window-manipulation buttons (i.e., Minimize, Resize, Maximize, and Close). You can use these buttons to minimize the remote session to a Taskbar button, resize the remote session to display in a window, or close the session window. Closing the window disconnects but doesn't terminate the remote session. You can use the same procedure you used to create the session to reconnect to the session and continue where you left off. (For instructions about shutting down a session, see the sidebar "Remote Desktop Troubleshooting Tips.")
Configuring Remote Desktop Connection
You can also configure expanded Remote Desktop Connection settings. To do so, open Remote Desktop Connection and click Options to expand the Remote Desktop Connection dialog box.
Remote Desktop Connection uses your logon credentials to connect to the remote computer. If those credentials don't work (perhaps because you don't have a user account on both computers), you can add the proper credentials on the General tab. From this tab, you can click Save As to save connection settings and copy them to another computer on which Remote Desktop Connection is installed. (To use saved settings, click Open.)
The Display tab contains—you guessed it—display settings. When you want to view the remote session in a smaller window rather than in the default full-screen mode, or if your session is slow over a dial-up connection when using 24-bit color, you can edit those settings on the Display tab to put less stress on the connection.
The Local Resources tab controls communication between the local computer and the remote system. If you want to automatically map the local computer's drives to the remote system or use the local computer's COM port with the remote session, you can enable those capabilities on this tab. (You can also disable these features from the Local Resources tab.) You can configure sound and keyboard shortcut settings on this tab.
If you plan to use Remote Desktop Connection to run only one application on the remote computer, you can enter the application's path on the Programs tab. (You must know the path. The tab doesn't offer a Browse option because you aren't yet connected to the remote computer.) When you enter the path, the remote application is started and maximized automatically when you log on to the remote session. Closing the remote application disconnects you from the remote computer.
The Experience tab lets you specify your connection's speed and thus selectively enable or disable features such as menu and window animation. You can enable or disable these settings individually, but at first you might want to stick with the client's suggested settings to get the best performance from each network speed. Enabling too many options over slow connections can make your remote session sluggish.
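The choices made on the General, Display, Local Resources and Programs tabs are what Save As writes to an .rdp file, which is why such a file deserves a look before it is copied to another computer. The Python script below is an added example, not code from the original article: it parses an .rdp file (sample constructed inline, using the standard name:type:value keys the client writes) and reports which local resources the connection will map into the remote session.

```python
"""Audit a saved Remote Desktop Connection (.rdp) file for what it exposes.
Lines have the form  name:type:value  (type 's' = string, 'i' = integer).
Key names are the standard .rdp keys the client writes; the sample file
is constructed for this example."""

# Constructed sample: roughly what Save As writes after turning on drive and
# COM-port mapping (Local Resources tab) and 24-bit color (Display tab).
SAMPLE_RDP = """\
screen mode id:i:2
session bpp:i:24
full address:s:homepc.example.invalid
username:s:HOMEPC\\alice
redirectdrives:i:1
redirectcomports:i:1
redirectprinters:i:0
redirectclipboard:i:1
alternate shell:s:
"""

# Integer keys that, when 1, make a local resource reachable from the host.
REDIRECT_KEYS = {
    "redirectdrives": "local disk drives",
    "redirectcomports": "local COM ports",
    "redirectprinters": "local printers",
    "redirectclipboard": "shared clipboard",
}

def parse_rdp(text):
    """Return {name: value}; 'i' values become int, 's' values stay str."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        name, kind, value = line.split(":", 2)  # value itself may contain ':'
        settings[name] = int(value) if kind == "i" else value
    return settings

def exposed_resources(settings):
    """List the local resources this connection file maps into the session."""
    return [desc for key, desc in REDIRECT_KEYS.items() if settings.get(key) == 1]

def audit(settings):
    """Findings to review before the file is copied to another computer."""
    findings = [f"mapping: {d} reachable from the remote session"
                for d in exposed_resources(settings)]
    if settings.get("username"):
        findings.append(f"stored account name: {settings['username']}")
    if settings.get("session bpp", 0) > 16:
        findings.append("24-bit color: expect a slow session over dial-up")
    if settings.get("alternate shell"):
        findings.append(f"single-application session: {settings['alternate shell']}")
    return findings
```

Run `audit(parse_rdp(open("saved.rdp").read()))` against a real saved file to see the same findings for your own connection settings.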
Don't Leave Home Without It
Setting up XP's Remote Desktop and using the feature to connect to an XP Pro system truly is as easy as it sounds. (See the sidebar "Remote Desktop Troubleshooting Tips" for the answers to potential questions and snags.) Of course, Remote Desktop doesn't provide the Terminal Services support of a Windows terminal server, but the feature still provides a handy and easy way to access your host computer. You'll feel as if you never left home.
Sunday, January 13, 2008
Windows Server 2k8 RC1
Windows Server 2008 System Requirements
This software is intended for evaluation and deployment planning purposes only. If you plan to install the software on your primary machine, it is recommended that you back up your existing data prior to installation.
To use Windows Server 2008 Release Candidate, you need*:
Component | Requirement |
--- | --- |
Processor | • Minimum: 1GHz (x86 processor) or 1.4GHz (x64 processor) • Recommended: 2GHz or faster. Note: An Intel Itanium 2 processor is required for Windows Server 2008 for Itanium-based Systems |
Memory | • Minimum: 512MB RAM • Recommended: 2GB RAM or greater • Maximum (32-bit systems): 4GB (Standard) or 64GB (Enterprise and Datacenter) • Maximum (64-bit systems): 32GB (Standard) or 2TB (Enterprise, Datacenter and Itanium-based Systems) |
Available Disk Space | • Minimum: 10GB • Recommended: 40GB or greater. Note: Computers with more than 16GB of RAM will require more disk space for paging, hibernation, and dump files |
Drive | DVD-ROM drive |
Display and Peripherals | • Super VGA (800 x 600) or higher-resolution monitor • Keyboard • Microsoft Mouse or compatible pointing device |
* Actual requirements will vary based on your system configuration and the applications and features you choose to install. Processor performance is dependent upon not only the clock frequency of the processor, but the number of cores and the size of the processor cache. Disk space requirements for the system partition are approximate. Itanium-based and x64-based operating systems will vary from these disk size estimates. Additional available hard-disk space may be required if you are installing over a network. For more information, please see Windows Server 2008 product site.
Note:
This product requires a valid product key for activation—you may install the product without activation, but if you do not enter a valid product key and activate within 30 days of installation, the software will cease to function. During installation you will be asked to select the edition of Windows Server 2008 you wish to install. You must ensure you choose the edition of Windows Server 2008 for which you have obtained a product key or you will not be able to activate the product.
Expiration:
This time-limited release of Windows Server 2008 Release Candidate will expire on April 7, 2008. After this time, you will need to uninstall the software or upgrade to a later release or a fully licensed version of Windows Server 2008.
Windows Server 2008 Product Description
Microsoft Windows Server 2008 helps IT professionals to increase the flexibility of their server infrastructure while offering developers a more robust Web and applications platform for building connected applications and services. Powerful new management tools and security enhancements offer more control over your servers and network and provide advanced protection for your applications and data.
Windows Server 2008 Standard Edition
This edition of Windows Server 2008 provides key server functionality across most server roles and features. It includes both full and Server Core installation options.
Windows Server 2008 Enterprise Edition
This edition builds on Windows Server 2008 Standard Edition to provide greater scalability and availability, and adds enterprise technologies such as failover clustering and Active Directory Federation Services.
Windows Server 2008 Datacenter Edition
This edition offers the same functionality as Windows Server 2008 Enterprise Edition with support for additional memory and processors, and unlimited virtual image use rights.
Windows Web Server 2008
This edition is designed specifically for use as a Web and applications server. Other server roles are not available in this edition.
Windows Server 2008 for Itanium-based Systems
This edition is designed for use with Intel Itanium 64-bit processors to provide Web and applications server functionality on that platform. Other server roles and features may not be available.