Chapter 11 of the Windows Server 2008 Security Guide: Hardening Terminal Services is now live on TechNet.
The details of the attack surface for the Terminal Services role(s) are included in the Windows Server 2008 Attack Surface Reference workbook included in the Guide. The Terminal Services role has the greatest attack surface and requires more configuration settings than the other role services discussed in the Guide. However, only the TS Gateway role service has specific security configuration changes. There are no additional steps to secure the TS Licensing, TS Session Broker, and TS Web Access role services.
Table 11.1 summarizes the recommended security configuration tasks for hardening servers performing the Terminal Services role, including:
The Windows Server 2008 Security Guide is designed to further enhance the security of the servers in your organization by taking full advantage of the new and improved security technologies and features in Windows Server 2008. Use the guidance to create, test, and deploy your security baseline quickly and reliably, harden your server workloads, and evaluate security setting recommendations to meet the requirements of your environment.
Along with the online version above, the Windows Server 2008 Security Guide is also available as a download and includes the following components:
Check out the new troubleshooting information on TechNet, we think you'll like it. F'rinstance, the tshooter for TS Gateway:
TS Gateway Server Availability
The Terminal Services Gateway (TS Gateway) server must be available on the network and the appropriate services must be running on the TS Gateway server. The Terminal Services connection authorization policy (TS CAP) and Terminal Services resource authorization policy (TS RAP) stores must also be available, so that these policies can be evaluated to determine whether remote clients meet policy requirements. TS CAPs specify who can connect to a TS Gateway server. TS RAPs specify the internal network resources (computers) that clients can connect to through a TS Gateway server. If TS CAPs and TS RAPs are not available, the TS Gateway server will not be available for client connections.
TS Gateway Server Configuration
For remote clients to successfully connect to internal network resources (computers) through a Terminal Services Gateway (TS Gateway) server, the TS Gateway server must be configured correctly. The TS Gateway server must be configured to use an appropriate Secure Sockets Layer (SSL)-compatible X.509 certificate, and authorization policy settings must be configured correctly. Terminal Services connection authorization policies (TS CAPs) specify who can connect to the TS Gateway server. Terminal Services resource authorization policies (TS RAPs) specify the internal network resources that clients can connect to through a TS Gateway server.
TS Gateway Server Connections
For remote clients to successfully connect to internal network resources (computers) through a Terminal Services Gateway (TS Gateway) server, clients must meet the conditions specified in at least one Terminal Services connection authorization policy (TS CAP) and Terminal Services resource authorization policy (TS RAP). TS CAPs specify who can connect to a TS Gateway server and the authentication method that must be used. TS RAPs specify the computers that clients can connect to through a TS Gateway server. Note that a limit can be set on the TS Gateway server to restrict the maximum number of simultaneous client connections.
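The three troubleshooting sections above boil down to preconditions an administrator can verify directly on the gateway. The script below is an added example, not code from the Security Guide or this blog; it assumes it is run locally on a Windows Server 2008 TS Gateway server as an administrator, that the gateway listens on the default TCP 443, and that the TS Gateway WMI provider in the root\cimv2\TerminalServices namespace exposes Win32_TSGatewayConnectionAuthorizationPolicy and Win32_TSGatewayResourceAuthorizationPolicy with Name and Enabled properties.

```powershell
# Added example: read-only check of the TS Gateway preconditions described above.
# Assumptions (not from the page): local run as administrator, default port 443,
# TS Gateway WMI provider in root\cimv2\TerminalServices with the class/property
# names used below.
$ns = 'root\cimv2\TerminalServices'
$problems = @()

# 1. Availability: the TSGateway service and every service it depends on
#    (NPS, IIS, RPC over HTTP) must be running.
$gw = Get-Service -Name 'TSGateway' -ErrorAction SilentlyContinue
if (-not $gw) {
    $problems += 'TSGateway service is not installed on this computer.'
} else {
    foreach ($s in @($gw) + $gw.ServicesDependedOn) {
        if ($s.Status -ne 'Running') { $problems += "Service $($s.Name) is $($s.Status)." }
    }
}

# 2. Configuration: with a valid SSL certificate bound, the gateway listens on 443.
if (-not (netstat -an | Select-String ':443\s+.*LISTENING')) {
    $problems += 'Nothing is listening on TCP 443; check the certificate binding in TS Gateway Manager.'
}

# 3. Connections: a client must match at least one enabled TS CAP (who may
#    connect) and one enabled TS RAP (which internal computers they may reach).
foreach ($class in 'Win32_TSGatewayConnectionAuthorizationPolicy',
                   'Win32_TSGatewayResourceAuthorizationPolicy') {
    $policies = Get-WmiObject -Namespace $ns -Class $class -ErrorAction SilentlyContinue
    $enabled  = @($policies | Where-Object { $_.Enabled })
    if ($enabled.Count -eq 0) {
        $problems += "No enabled policy in $class; remote clients will be denied."
    } else {
        Write-Host "$class enabled: $($enabled | ForEach-Object { $_.Name })"
    }
}

if ($problems.Count -eq 0) { Write-Host 'TS Gateway preconditions look good.' }
else { $problems | ForEach-Object { Write-Warning $_ } }
```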
If you have an issue after your initial setup of Windows Server 2008 Terminal Services, you can make use of the troubleshooting section on TechNet. Here are some additional things to check, and steps to consider:
If you liked the Windows Vista Hardware Assessment, you will love the free Microsoft Assessment and Planning Solution Accelerator. Free, agent-less desktop and server assessment, including hardware and device inventory, compatibility analysis, and ready-made reports that'll make you look like the genius you are to upper management. Salty goodness.
This release also includes new features for gathering performance metrics from computers you are considering for consolidation using Microsoft Virtual Server 2005 R2. Using the performance metrics and a model virtual server host computer, you can generate reports that recommend placement of the physical servers in a virtual server environment. This tool incorporates the assessment features provided by the Windows Vista Hardware Assessment Solution Accelerator, including localization of the Windows Vista assessment reports in French, German, Japanese, Korean, Spanish, and Brazilian Portuguese.
TechNet Edge has a couple of good videos:
Solution Accelerators Beta release PM interview - Part 1
Solution Accelerators Beta release PM interview - Part 2
Curious George lists top-rated WS2K8 videos from TechNet Spotlight here. Reprinted below for the lazy...er...time-challenged. You may wonder why these don't appear on the How-to videos list of the new WS2K8 TechCenter - it turns out that the only videos we can list on that feed are videos that are available in the download center. So, until I can get that changed, keep watching your favorite bloggers!
Windows Server 2008 Deployment Overview - Michael Niehaus, Tim Mintner
The 10 Most Important Things About Failover Clustering - Jim Teague
Power Management: Windows Server - Stephen Berard
Dynamic Partition: Windows Server - Davis Walker
Windows Server Longhorn - Iain McDonald
Windows Server virtualisation - solution scenarios - David Hitchen
Windows Server 2008 Kernel Advances - Mark Russinovich
Active Directory Domain Services in Microsoft Windows Server 2008 - Stephanie Cheung
Virtualization in Windows Server - Mike Neil
Managing Windows Server 2008 with Server Manager - Dan Harman
Using Group Policy with Windows and Windows Server 2008 - Mazhar Mohammed, Derek Melber
Microsoft.com: Employing Windows Server 2008 and Internet Information Services 7 - Paul Wright, Brad LeRoss
Living the Longhorn Life: What's Up With Windows Server 2008 - Mark Minasi
Microsoft.com has posted a nifty grid at https://www.microsoft.com/windowsserver2008/en/us/compare-features.aspx that shows you which versions of Windows Server 2008 are required for the new features:
Internet Information Services 7.0: Covered by server license. No incremental licensing requirements.
Network Access Protection
AD Rights Management Services (RMS): Covered by server license, but incremental RMS CALs required, similar to Terminal Services.
Terminal Services Gateway and RemoteApp: Covered by server license, but incremental TS CALs required, similar to AD Rights Management Services.
Windows Deployment Services
Check out the new features in TechNet Forums, including: increased discoverability with tagging, real-time updates, and additional RSS feeds. You can create your own avatar, earn participation medals, and create affiliations that showcase your Forum engagement. Full text and code editors make each post easier to create and find.
To learn about the new features, watch a video or read the FAQ "Need Help with Forums?"
While you are here, if you have not yet taken a look, stop by The Edge as well.
For More Information: http://www.microsoft.com/windowsserver2008/terminal-services/default.mspx
Terminal Server 2008 Technical Resources: http://technet2.microsoft.com/windowsserver2008/en/servermanager/terminalservices.mspx
If you used RADIUS servers to provide centralized authentication, authorization, and accounting of your clients connecting to network resources, you know that in Windows Server 2003 this was called Internet Authentication Service (IAS). Look for IAS in Windows Server 2008 and you might spin your wheels. This service is now part of Network Policy and Access Services. The server role providing these services is called the Network Policy Server (NPS).
You can deploy NPS as a proxy, Network Access Protection (NAP) policy server and as a Remote Authentication Dial-in User Service (RADIUS). RADIUS is an Internet Engineering Task Force (IETF) protocol that provides centralized authentication, authorization, and accounting for network access. RADIUS proxies forward RADIUS messages between RADIUS clients (network access devices) and RADIUS servers.
The Cable Guy has a great article introducing you to the changes to IAS in the December 2007 TechNet Magazine. For example, the new management snap in has some changes:
This phrase is sometimes translated as "translator, traitor!" Too many times in the past, a new version of a product not only ignores the previous version but, to the extent that it considers itself "innovating", wants new users to put the hate on the old product.
Love it, hate it, Office 2007 is different from Office 2003 and your users may have trouble at first making the switch - "translating" how they used to do a thing into the new UI. Show of hands - how many of you have gotten the question "Hey, where did they put the <foo> button?"
Here is the Office online URL you can send to your users that allows them to get the translation from the old "way they knew how to do it" to the new way: http://office.microsoft.com/assistance/asstvid.aspx?assetid=XT100766331033&vwidth=1044&vheight=788&type=flash&CTT=11&Origin=HA100744321033.
IT Pro tribal wisdom says that Microsoft gets it right at about version 3. TechNet has a new release of search (3.0, 'natch), with new "refinements" that allow you to easily scope to forums, or the KB. The events and errors db is now indexed! You can get nifty tips as well such as:
Say that 10 times fast, no, really, try. SEO is a most tricky thing from a writer's perspective, but, if that headline helped you find this content - that's all that matters to me.
Some great (fairly short) IT Pro videos for you to check out:
Pst, there is a scroll of How To videos now on the new Windows Server 2008 TechCenter.
Apologies to you Bruce Cockburn fans, I have a condition that lowers my resistance to puns and obscure 90's culture references...this blog headline is a two-fer.
The Microsoft Diagnostics and Recovery Toolset is probably the best known secret weapon in the Software Assurance Desktop Optimization Pack Microsoft acquired with superstar Mark Russinovich.
Any IT Pro that doesn't know it yet is gonna fall in love.
DaRT is a set of tools that can help you diagnose system problems—even if a system is not booting properly. For example, ERD Commander utilizes Windows PE to boot a system that is not booting or is not booting normally. Crash Analyzer and FileRestore are available for online use as well.
Psst - did you know that there is a 30 day eval version of DaRT you can download if you do not have SA? Keep it under your hat, kay? Did I mention, FREE? Even though DaRT is released as part of Desktop Optimization, you have trouble tickets that have a client component, no? For example, this KB that tells you how to use Filemon to troubleshoot SoftGrid issues...
Windows 2000, No Service Pack and Higher
Windows XP Professional, No Service Pack and Higher
Windows 2000 Registry Repair Utility
The Staysafe blog has some great resources, including my fav: "Why Social Engineering Always Works".
If you want to know the Microsoft way to write secure web apps, check out this post with an extensive list of Microsoft resources.
IT Pro. Developer. Microsoft serves content to these audiences on two sides of an organizational divide. Technet/blogs.technet.com for IT Pros, and msdn/blogs.msdn.com for Developers. However, we all know that there is a significant - and growing - number of you who spend time in both camps.
The new SQL Server TechCenter on TechNet and Developer Center on MSDN have content links that take you over to the content on the other property. Check out the upper right-hand corner of this page, for example: http://technet.microsoft.com/en-us/sqlserver/bb895957.aspx.
The site manager blogs about it here: http://blogs.technet.com/sqlserverweb/archive/2008/01/09/what-s-new-on-the-sql-server-tech-and-developer-centers-9-jan-2008.aspx.
What do you think? Is this helpful to you? Worth expanding across all content on both properties? Leave comments.
There's an interesting new video on TechNet edge. This one shows background on the folks creating the Infrastructure Planning and Design Guides, with focus on the Server 2008 terminal services infrastructure planning & design guide (IPD).
Vista SP1 RTM was 2/4/08. All your users can get it in mid-March via Windows Update and the Microsoft Download Center. IT Pros can get it today if they are TechNet subscribers. Just log on to your TN subscription home page and check the "Top Subscriber Downloads" section.
Basta. Content thee.
Suicide claimed Ric Weiland (one of the founders of Microsoft), and a local Seattle-area friend of a friend, author Stevie Kallos. You can read about his story, and one way you can help here.
The Out of the Darkness Overnight Experience is a 20-mile walk over the course of one night (June 21 in Seattle). Net proceeds benefit the American Foundation for Suicide Prevention, funding research, education, and awareness programs – both to prevent suicide and to assist those affected by suicide.
The conversation about respecting copyright around music with my teenagers started like this: "Dad, if it was illegal for me to copy my friend's music CD, would Media Player say Rip Music??"
If, like mine, your teens seem to listen easier to peers, rock stars, homeless people - ANYONE rather than their parent - then Microsoft's beta MyBytes website may be what you are looking for.
Spoonfull of sugar = ringtones, Music Mixer, community
Medicine = education about intellectual property law
"Microsoft's survey found that about half of the teenagers surveyed (49%) said they are not familiar with the rules and guidelines for downloading content from the Internet. Only 11% understood the rules well, and of those, 82% said downloading content illegally merits punishment. Among those unfamiliar with the law, only 57% supported punishment for intellectual property violations."