Roger's Security Blog

As Chief Security Advisor of Microsoft EMEA - lets share interesting security information

Securing My Infrastructure: Introduction (part 2)


Looking at Jack's comment on my initial post this morning (Securing My Infrastructure: Introduction), it seems I owe you some additional information:

So let me start with the goal of this network:

Basically I started building it on one server to play around with our technology. I soon realized that unless I ran it in a "production-like" style, I would not learn the daily problems and challenges that come with a given setup. It is one thing to make an environment work and another to keep it running. Since then I have connected my home PCs to the lab and run it 24*7 – and learned a lot!

The second point is the physical setup of the servers:

I am currently running three physical servers, all on Windows Server 2003 R2:

  1. My oldest server is the oldest PC I have in the house with a 1.8 GHz CPU and 512 MB of RAM. It is running Windows Server 2008 R2 fully patched and is my ISA Server.
  2. The initial server mentioned above. It really rocked when I bought it – well, that was quite a while ago :-). It has a 2.4 GHz CPU and 2 GB of RAM. I am running a DC on it and Virtual Server 2005 R2 with two virtual machines (a DFS server (512 MB) and my MOM/Virtual Server Manager server (1 GB)). It runs pretty smoothly, but at its limits.
  3. I needed a 64-bit environment, so I put together a third server (and put it in the cellar – my wife really enjoys that). It has two 64-bit Core2 CPUs (3 GHz) and 8 GB of RAM, plus a RAID 5 disk stack. This is my Exchange Server. On it I am again running Virtual Server 2005 R2, with 4 servers (a second DC as a backup for my AD :-), a SQL Server, my Forefront Client Security/WSUS server and my SharePoint).

So there are two open questions that come to my mind – probably more, let me know:

  • Why am I not running Windows Server 2008? This is a valid question. I built some labs with Windows Server 2008 but did not have the time available to actually start migrating. I will start with the less critical servers to gain some experience with the migration as soon as it goes RTM (and this is soon). I will not be able to migrate the firewall, as ISA Server 2006 will not run on Windows Server 2008. The reason is that we re-designed the IP stack in Windows Server 2008.
  • Why no Hyper-V? This is the next big step I will take in this environment, for sure. My server 2 from above is still 32-bit, so I will have to add a second 64-bit server and start the migration from there. I will have everything on Hyper-V except for the firewall (my server 2 will become the new firewall after the migration). So give me some time here. I will describe certain setups (like the ISA Server) and then tell you more about the migration from physical to virtual machines and from Windows Server 2003 to Windows Server 2008.

Does that make sense?

If there is any question you would like me to address, drop me a mail or a comment.

Looking forward to your feedback,

Roger

Comments
  • Roger,

    First, Thank you!

    It makes sense. Except the ISA 2008, I hope you mean ISA 2006, which does not run on Server 2008?

    Question, the radius server you mentioned in the introduction, this is being used to authenticate web clients to sharepoint and exchange?

    Regards,

    Jack

  • Hi Roger,

    Thanks for this valuable post.

    Are you using ISA Server for VPN?

    If yes, then the radius server is performing authentication?

    Have you installed an AV enterprise server (so one machine is updating and downloading virus definitions)? If yes, is the AV console installed on all clients and servers?

    Any tool or server for detection or monitoring network?

    Cheers

    Shoaib

    Sorry for the re-fresh of the post, but sure - it was a typo. I meant ISA Server 2006, not 2008.

    It seems that you have a loooot of questions :-) which is very good. Actually I am running ISA domain-integrated (why should I not) and am not using Radius there. At the moment I am using Radius for WPA only. This will change as I am planning to go for NAP sometime soon, and then Radius (today IAS; NPS - Network Policy Server - in Windows Server 2008) will have an additional role.

    Roger
