With cloud technologies and server virtualization becoming a huge presence within the data center, many administrators are tasked with utilizing existing Server 2008 R2 installations to secure these new environments.
The Windows Server platform comes with several features that help engineers lock down their environment and make it available for virtualization or a cloud deployment. Remember, even though users are coming in from various locations to access a centralized workload, that instance is still located on and potentially controlled by a Windows Server environment. Active Directory and Group Policy Objects are powerful tools which can help lock down a cloud-facing environment.
Although administrators are now looking at and working with a new type of endpoint, many core security practices still remain the same. Engineers will work with the existing technologies currently available to them to successfully lock down their environment.
Securing Active Directory. Having a secure Active Directory environment will create a more robust cloud-ready infrastructure capable of growing with business demand. Within Server 2008 R2, Active Directory creates a secure boundary for an organization, providing log-on authentication. Active Directory creates a hierarchical containment structure
When planning a secure DNS server deployment, engineers should first collect information about their environment. Remember, when deploying Windows Server 2008 R2, planning, design and testing are always going to be very important. In the planning phase, engineers are gathering vital environmental information that will help them determine security traits within their infrastructure. This information should include the structure and hierarchy of the internal and external domains, identification of the DNS servers that will be authoritative for these domain names, and the DNS client requirements for host resolution on the network.
Using this information, engineers are able to lock down their environment by knowing which features to use. The following should be considered when deploying a secure AD and DNS for a cloud-ready environment:
- Communication with the WAN/Cloud/Internet. Within a data center, not all servers are going to be web-facing and not all of them will provide cloud services. In these situations, if your network hosts are not required to resolve names on the Internet, eliminate all communication between internal DNS servers and the Internet. In this DNS design, you can use a private namespace that is hosted entirely in your network, where internal DNS servers host zones for the root domain and top-level domains. In this configuration, your DNS servers will not use Internet root name servers, so configure the root hints to point them only to internal DNS roots.
- Working with zone transfers. DNS is an extremely important function. This is why securing every element within the deployment is important. By disabling zone transfers unless they are required, engineers are providing a more secure DNS environment. If, however, zone transfers are required, they should only occur to specified IP addresses. Opening zone transfers to any server can potentially open up some security holes. An attack aimed at open zone transfers may expose your DNS and allow a malicious footprint to occur internally. This is why locking down and restricting zone transfers is an important part of the planning process.
- Managing AD integrated zones. Security enhancements that are available when using directory-integrated zones include access control lists and secure dynamic updates. You cannot use directory-integrated zones unless the DNS server is also a domain controller.
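The three DNS checks above (Internet root hints, zone-transfer scope and secure dynamic updates) can be audited from a script. The following PowerShell is an added example written for this page; it is not code from the original article or from Microsoft. It reads the MicrosoftDNS WMI provider that ships with the Server 2008 R2 DNS Server role, and prints the dnscmd.exe remediation for each finding. The server name and the list of permitted secondary servers are assumed values for the example.

```powershell
# Added example: audit the DNS zones on a Windows Server 2008 R2 DNS server
# against the settings discussed above. Assumes the root\MicrosoftDNS WMI
# namespace (installed with the DNS Server role) and DNS administrator rights.
param(
    [string]$DnsServer = "localhost",
    # Assumed: the only hosts that are allowed to pull zone copies
    [string[]]$AllowedSecondaries = @("10.0.0.12", "10.0.0.13"),
    # Assumed: set to $true for a server that must never talk to Internet roots
    [bool]$InternalOnly = $true
)

$ns = "root\MicrosoftDNS"
$findings = @()

# MicrosoftDNS_Zone property meanings (from the MicrosoftDNS WMI schema):
#   SecureSecondaries: 0 = transfer to any host, 1 = only servers in NS records,
#                      2 = only hosts listed in SecondaryServers, 3 = no transfers
#   AllowUpdate:       0 = no dynamic updates, 1 = nonsecure and secure, 2 = secure only
#   DsIntegrated:      $true when the zone is stored in Active Directory
$zones = Get-WmiObject -Namespace $ns -Class MicrosoftDNS_Zone -ComputerName $DnsServer |
         Where-Object { $_.Name -ne "TrustAnchors" }

foreach ($z in $zones) {
    $name = $z.Name
    switch ($z.SecureSecondaries) {
        0 { $findings += "[$name] zone transfers allowed to ANY host. Fix: dnscmd $DnsServer /ZoneResetSecondaries $name /SecureList $($AllowedSecondaries -join ' ')  (use /NoXfr if no secondaries exist)" }
        1 { $findings += "[$name] zone transfers allowed to every server in an NS record; prefer an explicit list: dnscmd $DnsServer /ZoneResetSecondaries $name /SecureList $($AllowedSecondaries -join ' ')" }
        2 {
            $extra = @($z.SecondaryServers | Where-Object { $AllowedSecondaries -notcontains $_ })
            if ($extra.Count -gt 0) {
                $findings += "[$name] unexpected hosts in the transfer list: $($extra -join ', '). Fix: dnscmd $DnsServer /ZoneResetSecondaries $name /SecureList $($AllowedSecondaries -join ' ')"
            }
        }
    }

    if ($z.AllowUpdate -eq 1) {
        if ($z.DsIntegrated) {
            $findings += "[$name] accepts NONSECURE dynamic updates. Fix: dnscmd $DnsServer /Config $name /AllowUpdate 2"
        } else {
            # Secure updates need a directory-integrated zone on a domain controller
            $findings += "[$name] file-backed zone with nonsecure dynamic updates. Convert first: dnscmd $DnsServer /ZoneResetType $name /DsPrimary, then /Config $name /AllowUpdate 2"
        }
    }
}

if ($InternalOnly) {
    # Root hints live in the special "..RootHints" container; any NS host there
    # that is not one of our own servers means the Internet roots are still used.
    $hints = Get-WmiObject -Namespace $ns -Class MicrosoftDNS_NSType -ComputerName $DnsServer |
             Where-Object { $_.ContainerName -eq "..RootHints" }
    $internalZoneNames = @($zones | Where-Object { -not $_.Reverse } | ForEach-Object { $_.Name })
    foreach ($h in $hints) {
        $isInternal = $false
        foreach ($zn in $internalZoneNames) { if ($h.NSHost -like "*.$zn") { $isInternal = $true } }
        if (-not $isInternal) {
            $findings += "[root hints] points at $($h.NSHost); an internal-only server should list only internal DNS roots (or host the '.' zone itself)"
        }
    }
    if (-not ($zones | Where-Object { $_.Name -eq "." })) {
        $findings += "[server] does not host the root zone '.'; confirm root hints reference internal roots only"
    }
}

if ($findings.Count -eq 0) { "No findings on $DnsServer" } else { $findings }
```

Run it as a DNS administrator with `.\Audit-DnsZones.ps1 -DnsServer dc1 -AllowedSecondaries 10.0.0.12,10.0.0.13`; the script only reads configuration, and the printed dnscmd lines are the corrective steps for an engineer to review before applying.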
- Active Directory Domain Services (AD DS)
- Active Directory Certificate Services (AD CS)
- Active Directory Lightweight Directory Services (AD LDS)
- DHCP Server
- DNS Server
- File Services
- Print Services
- Streaming Media Services
- Internet Information Services (IIS)
- Hyper-V
You may also administer some functions by connecting to Server Core from another server’s Microsoft Management Console (MMC) utility.
Deploying Group Policy Objects. GPO is a powerful tool to help administrators lock down servers, other machines and cloud-facing VMs as well. When using Group Policy, administrators are able to manage configurations for groups of computers and users, including options for registry-based policy settings, security settings, software deployment, scripts, folder redirection, Remote Installation Services, and Internet Explorer maintenance. By using Group Policy, an engineer is able to deploy software packages and secure computers and users. GPO can quickly become complex when engineers work with factors such as policy settings, the interaction between multiple policies, and inheritance options. As with any deployment, careful planning, design and testing must be conducted. This is especially true with cloud-facing Windows servers. With a good plan, engineers are able to provide the standardized functionality, security, and management control that an organization requires. For more information see Microsoft's article on advanced group policy management.
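As an added illustration of the registry-based policy settings mentioned above (example code written for this page, not from the article or from Microsoft), the script below uses the GroupPolicy module that ships with GPMC on Server 2008 R2 to create a baseline GPO for cloud-facing servers, set two Computer Configuration policies, link it to the OU that holds those servers, and export a report for review. The domain, OU and GPO names are assumed values.

```powershell
# Added example: build and link a hardening GPO for cloud-facing servers.
# Requires the GPMC feature (Group Policy Management) on Server 2008 R2.
Import-Module GroupPolicy

$domain  = "corp.example"                          # assumed domain
$ouDn    = "OU=CloudServers,DC=corp,DC=example"    # assumed OU holding the VMs
$gpoName = "Cloud-Facing Server Baseline"          # assumed GPO name

# Create the GPO only if it does not already exist, so the script is re-runnable
$gpo = Get-GPO -Name $gpoName -Domain $domain -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Domain $domain -Comment "Baseline for cloud-facing Windows servers"
}

# Registry-based policy: require Network Level Authentication for Remote Desktop
# (Computer Configuration > Administrative Templates > Remote Desktop Services)
Set-GPRegistryValue -Name $gpoName -Domain $domain `
    -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" `
    -ValueName "UserAuthentication" -Type DWord -Value 1 | Out-Null

# Registry-based policy: keep Windows Firewall on for the domain profile
Set-GPRegistryValue -Name $gpoName -Domain $domain `
    -Key "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" `
    -ValueName "EnableFirewall" -Type DWord -Value 1 | Out-Null

# Link the GPO to the OU (enforced so a child OU cannot block inheritance),
# unless a link already exists
$existingLink = (Get-GPInheritance -Target $ouDn -Domain $domain).GpoLinks |
                Where-Object { $_.DisplayName -eq $gpoName }
if (-not $existingLink) {
    New-GPLink -Name $gpoName -Domain $domain -Target $ouDn -LinkEnabled Yes -Enforced Yes | Out-Null
}

# Export an HTML report of the resulting settings for change review and testing
$report = Join-Path $env:TEMP ("{0}.html" -f ($gpoName -replace '[^\w]', '_'))
Get-GPOReport -Name $gpoName -Domain $domain -ReportType Html -Path $report
"GPO '$gpoName' linked to $ouDn; settings report written to $report"
```

Apply this first to a test OU, confirm the report matches the intended settings, and only then move the link to the production OU; the `Get-GPInheritance` check is what keeps the interaction between multiple policies visible before the link is created.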
Windows Server master image control. There will be certain environments where cloud-based Windows servers are completely virtualized. Some of these infrastructures -- healthcare for example -- may require that these images be certified and not changed. In these scenarios, engineers are able to create a master golden image snapshot. They are then able to clone that image and apply patches and updates to it in a test environment. They can then test against their isolated server to see if there are any incompatibilities with the latest update. Even in a production environment, if a patch fails or produces a management flaw, a server administrator can simply roll back to the latest working version of their Windows environment. For certification purposes, a master image can be safely stored where engineers know that no further changes can be made to that environment.
As Windows Server technology continues to improve, more features will become available to the administrator to successfully deploy and lock down their environment. Because every environment is unique, careful security-based planning will have to be conducted before any cloud initiative is explored. The ability of Windows Server platforms to adapt to the needs of the environment is certainly impressive. However, it’ll always be up to the Windows Server administrator to know and understand their environment to truly utilize the feature sets that the Server platform has to offer.
ABOUT THE AUTHOR
Bill Kleyman, MBA, MISM, is an avid technologist with experience in network infrastructure management. His engineering work includes large virtualization deployments as well as business network design and implementation. Currently, he is the Virtualization Architect at MTM Technologies Inc. He previously worked as Director of Technology at World Wide Fittings Inc.
This was first published in February 2012
Enterprise Server Strategies for the CIO