Tip

Eliminate zero-day threats with virtual server technology

This is the third installment in our series on containing zero-day threats.

One solution when fighting zero-day attacks is to take advantage of virtual server technology. If you have several server roles that require a minimal amount of system resources, you could consolidate those roles onto a single physical server that is hosting multiple virtual servers. Doing so provides better security than hosting all of the server roles under a common operating system (OS) because each virtual OS functions as an isolated environment.

More on zero-day threats
  • Harden your network services and contain zero-day threats
  • Define server roles, counterattack zero-day threats

Using virtual servers is also more cost effective than using separate physical boxes for each server. Not only do you save money on hardware, but you also save on licenses: Windows Server 2003 R2 is licensed to run up to four virtual instances of Windows Server on each physical server.

Whether you choose to use physical or virtual servers, the real trick is to figure out exactly which components you do and do not need on each server. Only then can you remove unnecessary components and disable unnecessary services. (Disabling unnecessary services and uninstalling unnecessary components also tends to increase the server's performance.)

Fortunately, it's not as difficult as it sounds. Microsoft has created a document called the Windows Server 2003 Security Guide, which helps you figure out which components are necessary for your situation. The guide takes a role-based approach to server security and discusses at length which components are required for servers acting in various roles. You can access the Windows security guide on Microsoft's TechNet site.

Although the Windows Server 2003 Security Guide is a rather extensive document, it does not cover every possible scenario. The good news is that Microsoft has published similar guides pertaining to most of its server products. For example, suppose that one of the servers in your organization is running Exchange Server 2003. The Windows Server 2003 Security Guide does not address the procedure for hardening an Exchange Server. It does, however, contain a baseline procedure for hardening a member server. You can use the baseline policy as a starting point and then refer to the Microsoft Exchange Server 2003 Security Hardening Guide for specific Exchange Server requirements.
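The baseline-plus-role approach described above can be checked mechanically. The following is an added example, not code from the article or from Microsoft's guides: it merges a member-server baseline with role-specific additions and flags every service outside that set that is running or still able to start. The function name, the allow-lists and the sample inventory are constructed for illustration, and it assumes PowerShell 5 or later.

```powershell
# Added example. The allow-lists are constructed for illustration; build the
# real ones from the security guide that matches each server role.

# Services every member server keeps (hypothetical baseline).
$MemberServerBaseline = @('Eventlog', 'RpcSs', 'LanmanWorkstation', 'Netlogon', 'W32Time')

# Services each role needs on top of the baseline (hypothetical).
$RoleAdditions = @{
    'Web'      = @('W3SVC', 'IISADMIN', 'HTTPFilter')
    'Exchange' = @('MSExchangeIS', 'MSExchangeSA', 'SMTPSVC', 'IISADMIN')
}

function Get-UnexpectedService {
    param(
        [Parameter(Mandatory)] [string]   $Role,
        [Parameter(Mandatory)] [object[]] $Inventory   # objects with Name, Status, StartType
    )
    if (-not $RoleAdditions.ContainsKey($Role)) {
        throw "No allow-list defined for role '$Role'"
    }
    # Allowed set = member-server baseline plus the role-specific additions.
    $allowed = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]($MemberServerBaseline + $RoleAdditions[$Role]),
        [System.StringComparer]::OrdinalIgnoreCase)

    foreach ($svc in $Inventory) {
        if ($allowed.Contains($svc.Name)) { continue }
        # A stopped service that can still be started remains attack surface.
        if ($svc.Status -eq 'Running' -or $svc.StartType -ne 'Disabled') {
            [pscustomobject]@{
                Name      = $svc.Name
                Status    = $svc.Status
                StartType = $svc.StartType
                Action    = 'Review: stop and disable if the role does not need it'
            }
        }
    }
}

# Constructed inventory for a web server. On a live host, use instead:
#   Get-Service | Select-Object Name, Status, StartType
$sample = @(
    [pscustomobject]@{ Name = 'W3SVC';     Status = 'Running'; StartType = 'Automatic' }
    [pscustomobject]@{ Name = 'Eventlog';  Status = 'Running'; StartType = 'Automatic' }
    [pscustomobject]@{ Name = 'Spooler';   Status = 'Running'; StartType = 'Automatic' }
    [pscustomobject]@{ Name = 'TlntSvr';   Status = 'Stopped'; StartType = 'Manual' }
    [pscustomobject]@{ Name = 'Messenger'; Status = 'Stopped'; StartType = 'Disabled' }
)
Get-UnexpectedService -Role 'Web' -Inventory $sample | Format-Table -AutoSize
```

With the constructed inventory, the report lists Spooler and TlntSvr; Messenger is left out because it is already stopped and disabled.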

I can't provide the links for all of the security guides -- there are just too many of them. But you can easily find any of these guides by performing a simple query using the product name and the words SECURITY GUIDE in either Google or directly on the Microsoft Web site.

The most effective countermeasure against zero-day exploits involves reducing the attack surface of the computer that you are trying to protect. Keep in mind that you should always exercise security in depth. In other words, don't depend solely on a limited attack surface to protect you against a zero-day exploit. Adhere to standard security best practices, such as keeping systems patched, keeping antivirus software up to date, using strong passwords and working with the lowest possible user privileges.

About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit his personal Web site at www.brienposey.com.

This was first published in November 2006
