Alexander’s Blog

I am working on securing the entire network for one of my clients. I ran into this article on TechNet that targets the specific area of extranet and how you can best secure it. The article is full of valuable information for securing your extranet environment and is called Plan security hardening for extranet environments.

Part of the article discusses this extranet hardening tool that’s offered by Microsoft. It’s called Extranet hardening planning tool: back-to-back perimeter (http://go.microsoft.com/fwlink/?LinkId=85533&clcid=0×409).

The tool will help you figure out which ports are required for our ISA Server, routers and firewalls. This tool is a Microsoft Office Visio file that you can edit to customize for your own environment. For example, here are some things that you can do with this tool:

• Add your custom port numbers, where applicable.
• Where a choice of protocols or ports is provided, indicate which ports you will use.
• Indicate the specific ports that are used for database communication in your environment.
• Add or remove requirements for ports based on:
  1. Whether you are configuring e-mail integration.
  2. Which layer you deploy the query role to.
  3. If you are configuring a domain trust relationship between the perimeter domain and the corporate domain.

If you haven’t used ISA Server 2006 Capacity Planner you might want to check it out. It’s an online tool that lets you plan secure publishing, branch office gateway, and Web access protection.The tool recommends how many CPUs, amount of disk space and amount of memory that will be suitable for you based on the questions that you answer. While you can argue that the tool is not really exact science but it is a great place to start if you are trying to figure out what kind of hardware you will need to configure and ISA Server in your environment.

You can check out ISA Server Capacity Planner here.

The Data Encryption Toolkit for Mobile PCs describes how to effectively use both EFS and BitLocker to help address your organization’s requirements to protect data on mobile PCs. The Toolkit also provides you with software tools and scripts to help you centrally configure, deploy, and manage encryption settings on all your mobile PCs.
The Data Encryption Toolkit for Mobile PCs includes the following four components:

Executive Overview. This document provides a broad survey from a business and regulatory perspective of how mobile data is at risk and how the Data Encryption Toolkit for Mobile PCs can help. It also provides information about how you can use the guidance and tools in this Solution Accelerator as well as tools you may already have licensed to mitigate these risks.

Security Analysis. This guide provides an in-depth review of how EFS and BitLocker can help you address the unique risks associated with data on mobile PCs.

Planning and Implementation Guide. This guide describes how to plan for, configure, deploy, and operate EFS and BitLocker in your organization.

Microsoft Encrypting File System Assistant. The EFS Assistant is a software tool you can use to centrally control EFS settings on all your PCs (the EFS Assistant also works with desktop PCs). The EFS Assistant can help you encrypt the sensitive files on your users’ laptops, regardless of where those files are located. In addition, the EFS Assistant operates transparently to end users, eliminating training issues or other impacts. Note that you can obtain the EFS Assistant in one of two ways. The Microsoft version of the tool is available on this page. A community version of the tool is available for download from CodePlex, Microsoft’s shared source development site at www.codeplex.com/EFSAssistant.

You can download the toolkit here.

As you may know, Windows Server 2008 Server Core is a minimal operating system that uses relatively little disk space (1 GB) and can improve security because there are fewer files installed and it makes the management easier because there is less fluff added to the Server Core. Server Core cannot run server applications and there is no Graphical User Interface (GUI). Yes, you heard it right. No Windows in Windows Server 2008 Server Core. I want to know who came up with this brilliant idea to come up with an operating system that should be named “Windows” that won’t have any windows?

So how do you manage services in Server Core? Obviously, you use the command shell. Sometimes I wonder if we are going back to the old DOS days. Exchange Server 2007 is a major step backwards for administrators who expect to manage servers using GUI. Server Core also doesn’t has a GUI and you must learn and use the command shell. I have been telling my students for more than a decade, if you want to become a successful network administrator you need to know MS-DOS well. In other words, you need to know the command line interface well.

You know that sooner or later someone will come up with some GUI tools that should have been part of the Exchange Server 2007 or Server Core in the first place. Well, a fellow Directory Services MVP from Israel by the name Guy Teverovsky has written a GUI tool for the Server Core. Check out his blog for all the details.

Here are some of the features of the tool.

• Product Activation
• Configuration of display resolution
• Clock and time zone configuration
• Remote Desktop configuration
• Management of local user accounts (creation, deletion, group membership,
  passwords)
• Firewall configuration
• WinRM configuration
• IP configuration
• Computer name and domain/workgroup membership
• Installation of Server Core features/roles

The tool can be downloaded from Guy’s blog here.

Microsoft Remote Server Administration Tools (RSAT) enables IT administrators to remotely manage roles and features in Windows Server 2008 from a computer running Windows Vista SP1.

It includes support for remote management of computers running either a Server Core or full installation option of Windows Server 2008. Click the links below to download RSAT:

RSAT for Windows Vista for x86-based systems
RSAT for Windows Vista for x64-based systems