Window Server 2003 contains a number of significant improvements to network security, which has become a greater concern over the past several years as hackers become more sophisticated. The threats to network infrastructure represent the largest threats to network security because compromising vital network infrastructure services can seriously disrupt corporate networks, destroy data, and breach confidentiality. As a result, Windows Server 2003 provides numerous ways to protect the infrastructure.
Network infrastructure consists of physical assets such as cabling, hubs, routers, and servers, and the software aspects such as DHCP, DNS, and WINSservices that define, create, and manage the elements that provide network functionality. Each of the critical services can be configured to be more secure, reducing or eliminating the threat of attack.
Ethernet-based networks, the majority of networks implemented today, use the Internet Protocol (IP) as the basis of network activity. The implementation of the IP Security protocol by Windows 2000 and Windows Server 2003 provides significant opportunities to secure network infrastructure. IPSec consists of several elements, including the IPSec Policy Agent that looks for IPSec policy and applies it to the computer, the IPSec driver that implements the filter lists and filter actions specified by the IPSec policies, and the IPSec protocols that provide data integrity, anti-replay, and optional confidentiality services.
The IPSec protocols are the Authentication Header (AH) and Encapsulated Security Payload (ESP). AH provides data integrity by signing the IP packet header, which prevents the packet from being tampered with in any way. However, it does not provide data encryption, which would provide confidentiality. Encryption is implemented via ESP, which encapsulates the data and encrypts it. AH and ESP are typically not used together. AH is used where packet integrity is important but confidentiality is not. ESP is used where confidentiality is important because it also provides some level of packet integrity although it does not protect the original IP header.
IPSec policies can be implemented via group policy and can be defined via the IP Security Policy Management snap-in or via the Group Policy Object Editor snap-in in Windows Server 2003. Three predefined example IPSec policies are provided, including Server (Request Security), Secure Server (Require Security), and Client (Respond Only). These can be used as the basis for custom IPSec policies but should not be implemented as is.
Other methods of securing the network infrastructure include using Secure Sockets Layer (SSL), which is widely implemented for secure Web sites. S/MIME can be used to secure end-to-end e-mail security, and Server Message Block signing provides secure communication between computers.
Wireless networking has become increasingly popular in the corporate environment. Standards are based on the 802.11 IEEE specification. Early standards did not provide significant security because, at the time, security was not as great a concern, wireless network technology was just emerging and there were government regulations regarding the use of encryption technologies. The standards have evolved from 802.11 to todays most secure implementation to date, 802.1X, which is the IEEE standard the defines authenticated access to wireless networks.
Authenticated access can be accomplished in a number of ways, depending on the existing or desired network infrastructure. Wired Equivalent Privacy (WEP) defines an encryption algorithm for data security, but recent flaws discovered in the WEP algorithm make it vulnerable to cracking. Eliminating the use of static keys and shared keys can help reduce the risk, as can reducing the required time interval between re-authentication, which would generate new keys and reduce or eliminate the change of someone being able to crack the encryption.
Within the Windows Server 2003 framework, implementing wireless networking using Active Directory, DNS integrated with Active Directory, and RADIUS servers (implemented as IAS) provides the most secure configuration. When wireless access points (WAPs) are configured as RADIUS clients , user or computer credentials are passed from the client to the WAP and the WAP requests authentication from IAS. IAS checks the database for credential authentication and checks policies to see if the computer or user is authorized for wireless access. IAS then notifies the WAP that credentials were accepted or rejected. If accepted, the computer or user is then granted access via the wireless access point. A combination of strong authentication and data encryption provides the strongest security currently available for wireless networks in Windows Server 2003.