As cloud technology and server virtualization become more and more important in the data center, many administrators have been given the task of using an existing Windows Server 2008 R2 installation to secure the new environment.
The Windows Server platform has many features that can help engineers lock down their environments and make them ready for virtualization or cloud deployment. Remember, although users access a centralized workload from different locations, the instance is still a Windows Server environment and is still governed by Windows security controls.
Active Directory and Group Policy objects are both practical tools that can help lock down cloud-oriented environments.
Although administrators now see all kinds of new endpoints in use, many core security practices are still the same. Engineers still work with the existing technologies available to lock down their environments.
Secure Active Directory. A secure Active Directory environment is the foundation for a cloud infrastructure that is more dynamic and can grow as needed. In Server 2008 R2, Active Directory forms the security boundary of the enterprise and provides logon authentication. Active Directory is a hierarchical architecture made up of the forest, the domains within the forest, DNS, and the organizational units within each domain.
Engineers should first collect information about the environment when planning a secure DNS server deployment. Remember, planning, design, and testing are always important when deploying Windows Server 2008 R2. During the planning phase, engineers gather the critical information that helps them determine the security characteristics of the infrastructure. This information should include the structure and hierarchy of internal and external domains, the identity of the DNS servers that are authoritative for those domain names, and the DNS client requirements for host name resolution on the network.
With this information, engineers can understand which features to use to lock down their environments. When deploying secure AD and DNS in a cloud environment, consider the following:
Connectivity to the WAN, cloud, or Internet. In a data center, not all servers are Internet-facing, and not all servers provide cloud services. If your network hosts do not need to resolve names on the Internet, eliminate all connections between the internal DNS servers and the Internet. In this DNS design, you use a private domain namespace hosted entirely within your network: an internal DNS server hosts the root zone and the primary zone for your domain name. Because the DNS servers in this configuration never use the Internet root name servers, you must configure their root hints to point only at the internal DNS root.
Zone transfers. DNS is a critical service, which is why every element of the deployment must be secured. If zone transfers are not needed, disable them; this gives engineers a safer DNS environment. If zone transfers are required, allow them only to specific IP addresses. Allowing zone transfers to any server carries real risk: an attack that requests a zone transfer can expose your DNS data and facilitate malicious intrusion into the internal network. This is why locking down and restricting zone transfers is an important part of the planning process.
Use Active Directory-integrated zones. The security enhancements available with Active Directory-integrated zones include access control lists on the zone and secure dynamic updates. You can only use Active Directory-integrated zones if the DNS server is also a domain controller. Windows Server 2008 Server Core is an installation option of Windows Server that does not include the GUI; a Server Core installation is managed entirely through the command line or scripts. A server running a Server Core installation supports the following server roles:
● Active Directory Domain Services (AD DS)
● Active Directory Certificate Services (AD CS)
● Active Directory Lightweight Directory Services (AD LDS)
● DHCP Server
● DNS Server
● File Services
● Print Services
● Streaming Media Services
● Web Server (IIS)
● Hyper-V
You can also use the Microsoft Management Console (MMC) tools on another server to connect to Server Core and manage some of its features remotely.
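The three DNS considerations above (an internal-only root, restricted zone transfers, and AD-integrated zones with secure dynamic updates) can all be applied from a script. The following PowerShell is an added example, not code from the original article or from TechTarget. It drives dnscmd.exe because the DnsServer PowerShell module only exists from Windows Server 2012 onward; the zone name, host names and IP addresses are placeholders, and the `..RootHints` pseudo-zone name used to address the root hints list through dnscmd is an assumption to verify on your build before use.

```powershell
# Added example (not from the original article): hardening an internal-only DNS
# namespace on Windows Server 2008 R2 with dnscmd.exe. Run elevated on the DNS
# server being configured. All names and addresses below are placeholders.

$ZoneName           = 'corp.example'               # placeholder internal zone
$InternalRootName   = 'dns01.corp.example.'        # placeholder internal root server (FQDN, trailing dot)
$InternalRootIp     = '10.0.0.10'                  # placeholder
$AllowedSecondaries = @('10.0.0.11', '10.0.0.12')  # placeholder secondary DNS servers; @() disables transfers

function Invoke-DnsCmd {
    # Runs dnscmd with the given argument list and throws on a non-zero exit code,
    # so a failed step stops the script instead of silently continuing.
    param([string[]]$Arguments)
    $output = & dnscmd.exe $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw ('dnscmd {0} failed (exit {1}): {2}' -f ($Arguments -join ' '), $LASTEXITCODE, ($output -join "`n"))
    }
    return $output
}

# Step 1 (internal root server only): host the root zone '.' as an AD-integrated
# primary zone. A server that is authoritative for '.' never consults root hints
# or the Internet root servers.
function New-InternalRootZone {
    Invoke-DnsCmd @('/ZoneAdd', '.', '/DsPrimary')
}

# Step 2 (every other internal DNS server): replace the default Internet root
# hints with the internal root. Assumes the '..RootHints' pseudo-zone that dnscmd
# uses to address the root hints list.
function Set-InternalRootHints {
    foreach ($code in 97..109) {                        # ASCII 'a'..'m'
        $public = '{0}.root-servers.net.' -f [char]$code
        # Ignore errors here: an entry may already have been removed.
        try { Invoke-DnsCmd @('/RecordDelete', '..RootHints', '@', 'NS', $public, '/f') | Out-Null } catch { }
        try { Invoke-DnsCmd @('/RecordDelete', '..RootHints', $public, 'A', '/f') | Out-Null } catch { }
    }
    Invoke-DnsCmd @('/RecordAdd', '..RootHints', '@', 'NS', $InternalRootName)
    Invoke-DnsCmd @('/RecordAdd', '..RootHints', $InternalRootName, 'A', $InternalRootIp)
}

# Step 3: restrict zone transfers. With no secondaries, disable them outright;
# otherwise allow them only to the listed IP addresses.
function Set-ZoneTransferPolicy {
    param([string]$Zone, [string[]]$Secondaries)
    if (-not $Secondaries -or $Secondaries.Count -eq 0) {
        Invoke-DnsCmd @('/ZoneResetSecondaries', $Zone, '/NoXfr')
    } else {
        Invoke-DnsCmd (@('/ZoneResetSecondaries', $Zone, '/SecureList') + $Secondaries)
    }
}

# Step 4: store the zone in Active Directory (domain controllers only) and accept
# secure dynamic updates only (AllowUpdate 2 = secure updates only).
function Set-AdIntegratedSecureZone {
    param([string]$Zone)
    Invoke-DnsCmd @('/ZoneResetType', $Zone, '/DsPrimary')
    Invoke-DnsCmd @('/Config', $Zone, '/AllowUpdate', '2')
}

# Step 5: print the zone properties so the transfer and update settings can be checked.
function Show-ZoneSecurity {
    param([string]$Zone)
    Invoke-DnsCmd @('/ZoneInfo', $Zone)
}

# Usage:
#   New-InternalRootZone                                   # on the internal root server only
#   Set-InternalRootHints                                  # on every other internal DNS server
#   Set-ZoneTransferPolicy -Zone $ZoneName -Secondaries $AllowedSecondaries
#   Set-AdIntegratedSecureZone -Zone $ZoneName
#   Show-ZoneSecurity -Zone $ZoneName
```

Test the result from a client on the internal network: a lookup for an internal name should succeed, a lookup for a public name should fail rather than hang on an unreachable Internet root, and a zone transfer request from a host that is not on the secure list should be refused.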
Deploy Group Policy objects (GPOs). A GPO is a powerful tool that helps administrators lock down servers, other machines, and cloud-oriented virtual machines. With Group Policy, administrators can manage configuration for groups of computers and users; the options include registry-based policy settings, security settings, software deployment, scripts, Folder Redirection, Remote Installation Services, and Internet Explorer maintenance. By using Group Policy, engineers can deploy software packages and secure both computers and users. As an administrator combines policy settings, interaction between multiple policies, and inheritance options, GPOs can quickly become complex. As with all deployments, careful planning, design, and testing must be performed, and this is especially true when Windows servers are cloud-facing. A well-planned deployment gives the enterprise the standardized functionality, security, and management control it requires.
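The planning, testing and documentation steps described above can be scripted with the GroupPolicy module that ships with Server 2008 R2 (after the GPMC feature is installed). The PowerShell below is an added example, not code from the original article or from TechTarget. The GPO name, OU path, report and backup paths, and the registry-backed settings chosen for the baseline are example choices, not settings the article prescribes.

```powershell
# Added example (not from the original article): build, link, document and back
# up a baseline GPO for cloud-facing Windows Server 2008 R2 hosts.
# Prerequisite: Import-Module ServerManager; Add-WindowsFeature GPMC
Import-Module GroupPolicy

$GpoName   = 'Baseline - Cloud Servers'              # placeholder
$TargetOu  = 'OU=CloudServers,DC=corp,DC=example'    # placeholder OU holding the cloud-facing servers
$ReportDir = 'C:\GPO-Reports'                        # placeholder
$BackupDir = 'C:\GPO-Backups'                        # placeholder

# Registry-backed policy settings for the baseline. Each is a well-known Windows
# hardening value; the selection itself is an example, not a prescribed list.
$BaselineSettings = @(
    @{ Key = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'; ValueName = 'NoLMHash';             Value = 1 },  # never store LM hashes
    @{ Key = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'; ValueName = 'LmCompatibilityLevel'; Value = 5 },  # NTLMv2 only
    @{ Key = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'; ValueName = 'RestrictAnonymous';    Value = 1 },  # no anonymous enumeration
    @{ Key = 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; ValueName = 'RequireSecuritySignature'; Value = 1 }  # require SMB signing
)

function New-BaselineGpo {
    # Create the GPO if it does not exist yet, then write every registry policy into it.
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $GpoName -Comment 'Security baseline for cloud-facing servers'
    }
    foreach ($s in $BaselineSettings) {
        Set-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.ValueName -Type DWord -Value $s.Value | Out-Null
    }
    return $gpo
}

function Publish-BaselineGpo {
    # Link the GPO to the target OU only (not the domain root) so the scope stays
    # narrow and inheritance predictable, and enforce it so child OUs cannot block it.
    $inheritance = Get-GPInheritance -Target $TargetOu
    $alreadyLinked = $inheritance.GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
    if (-not $alreadyLinked) {
        New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -Enforced Yes | Out-Null
    }
}

function Export-BaselineEvidence {
    # Keep a human-readable report of the final settings and a restorable backup
    # before rollout, so a bad change can be reviewed and reverted.
    New-Item -ItemType Directory -Path $ReportDir, $BackupDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Get-GPOReport -Name $GpoName -ReportType Html -Path (Join-Path $ReportDir "$GpoName-$stamp.html")
    Backup-GPO -Name $GpoName -Path $BackupDir -Comment "Pre-rollout backup $stamp" | Out-Null
}

# Usage (run as a domain administrator on a machine with GPMC installed):
#   New-BaselineGpo
#   Export-BaselineEvidence        # review the HTML report before linking
#   Publish-BaselineGpo
# Then, on one pilot server in the OU:  gpupdate /force ; gpresult /r /scope computer
```

Link the GPO to a pilot OU first and read the `gpresult` output there; only once the resultant set of policy on the pilot server matches the report should the link be moved to the production OU.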
Control the Windows Server master image. In some environments, cloud-based Windows servers are fully virtualized. Some of these infrastructures, such as healthcare, may require the images to be certified and never changed. In that case, engineers can create a master "gold" image snapshot, clone it, and apply patches and updates to the clone in a test environment. They can then test on an isolated server to see whether an update causes any incompatibility. Even in production, if a patch fails or introduces a management defect, the server administrator can easily roll back to a Windows environment that was recently working normally. To satisfy certification, the master image can be stored in a protected location in the environment that engineers know will not be changed.
As Windows Server technology continues to improve, more tools become available to help administrators deploy and lock down their environments. Because each environment is unique, careful security-focused planning must be performed before cloud initiatives are developed. The Windows Server platform's ability to adapt to environmental requirements is impressive, but truly using what these server platforms provide depends on the Windows administrator's understanding of the environment.
Source: original Chinese-language TechTarget content.
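The gold-image workflow above rests on two controls: the master must be stored where it cannot be changed, and every clone must start from the unchanged master. The PowerShell below is an added example, not code from the original article or from TechTarget. It locks the master VHD file down to read-only, records its SHA-256 in a manifest, and refuses to clone if the hash no longer matches; the paths and the owner group are placeholders, and .NET's SHA256 class is used because Get-FileHash requires PowerShell 4, which 2008 R2 does not ship with.

```powershell
# Added example (not from the original article): protect and verify a "gold"
# master VHD before cloning it for patch testing. Paths and group names are placeholders.

$GoldImage  = 'D:\Gold\WS2008R2-Gold.vhd'      # placeholder certified master image
$Manifest   = 'D:\Gold\WS2008R2-Gold.sha256'   # placeholder hash manifest stored beside it
$CloneRoot  = 'D:\Clones'                      # placeholder location for writable clones
$OwnerGroup = 'CORP\ImageOwners'               # placeholder group allowed to publish a new master

function Get-Sha256Hex {
    # Streams the file through SHA-256 and returns the lower-case hex digest.
    param([string]$Path)
    $sha    = New-Object System.Security.Cryptography.SHA256Managed
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
}

function Protect-GoldImage {
    # Stop ACL inheritance and set an explicit list: the owner group may replace
    # the master; SYSTEM (which Hyper-V runs as) and Administrators get read only.
    $acl = Get-Acl -Path $GoldImage
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRule($rule) | Out-Null
    }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($OwnerGroup, 'Read, Write', 'Allow')))
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM', 'Read', 'Allow')))
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'Read', 'Allow')))
    Set-Acl -Path $GoldImage -AclObject $acl
    # Record the certified hash so later runs can detect any change to the master.
    Set-Content -Path $Manifest -Value (Get-Sha256Hex $GoldImage) -Encoding ASCII
}

function Test-GoldImage {
    # Returns $true only if the master still matches the hash recorded at certification.
    $expected = (Get-Content -Path $Manifest | Select-Object -First 1).Trim()
    return ((Get-Sha256Hex $GoldImage) -eq $expected)
}

function New-ImageClone {
    # Verify the master, then copy it to a dated, writable clone. Patches are
    # applied and tested on the clone; the master itself is never modified.
    param([string]$Label = 'patch-test')
    if (-not (Test-GoldImage)) {
        throw "Gold image $GoldImage does not match $Manifest; refusing to clone."
    }
    New-Item -ItemType Directory -Path $CloneRoot -Force | Out-Null
    $base  = [System.IO.Path]::GetFileNameWithoutExtension($GoldImage)
    $clone = Join-Path $CloneRoot ('{0}-{1}-{2}.vhd' -f $base, $Label, (Get-Date -Format 'yyyyMMdd'))
    Copy-Item -Path $GoldImage -Destination $clone
    return $clone
}

# Usage (elevated, on the host that stores the master):
#   Protect-GoldImage                       # once, when the image is certified
#   $vhd = New-ImageClone -Label 'KB-test'  # before each round of patch testing
#   Attach $vhd to an isolated test VM; if the patched clone fails, discard it and
#   clone again from the unchanged master.
```

A failed `Test-GoldImage` is itself a finding worth investigating, since the only accounts that can write to the master are the image owners.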