How do I secure Windows Server in the cloud?

Source: Internet
Author: User


As cloud technology and server virtualization become increasingly important in the data center, many administrators are given the task of using an existing Windows Server 2008 R2 installation to secure a new environment.



The Windows Server platform has many features that help engineers lock down their environment and make it available for virtualization or cloud deployment. Remember that although users access a centralized workload from a different location, that instance is still a Windows Server environment and can still be controlled through Windows Server's own tools.



Active Directory and Group Policy objects are practical tools that help lock down a cloud-oriented environment.



Although administrators now see new kinds of endpoints in use, many of the core security practices remain the same. Engineers can still use the technologies available today to lock down their environment.



Ensure Active Directory security. A secure Active Directory environment creates a more dynamic cloud infrastructure that can grow with business requirements. In Windows Server 2008 R2, Active Directory forms a security boundary for the enterprise and provides logon authentication. Active Directory creates a hierarchical structure made up of forests, the domains within each forest, DNS, and the organizational units within each domain.



When planning a secure DNS server deployment, engineers should first gather information about the environment. Remember that planning, design, and testing are always important when deploying Windows Server 2008 R2. During the planning phase, engineers collect critical environment information that helps them decide which security features to use within the infrastructure. This information should include the structure and depth of the internal and external domains, which DNS servers host those domain names, and the DNS client requirements for host address resolution on the network.



With this information, engineers can decide which features to use to lock down their environment. Also consider the following when deploying secure AD and DNS for a cloud environment:



Connectivity to the WAN, cloud, or Internet. Within the data center, not all servers face the network, and not all servers provide cloud services. If your network hosts do not need to resolve names on the Internet, eliminate all connectivity between the internal DNS servers and the Internet. In this DNS design you use a private domain namespace that is managed entirely within your network, and the internal DNS servers host the root and top-level domain zones. Because the DNS servers in this configuration never use the Internet root name servers, configure their root hints to point only to the internal DNS root.



Zone transfers. DNS is a critical service, which is why you want every element of your deployment to be secure. If zone transfers are not needed, disable them; this gives the engineer a more secure DNS environment. If zone transfers are required, allow them only to specific IP addresses. Opening zone transfers to any server poses a security risk: an attacker who can request an open zone transfer may expose your DNS data and open the way to malicious intrusion inside the network. This is why zone transfer controls, locking, and throttling are an important part of the planning process.



Use Active Directory-integrated zones. The security enhancements available with AD-integrated zones include access control lists on zone data and secure dynamic updates. You cannot use AD-integrated zones unless the DNS server is also a domain controller.

Windows Server 2008 Server Core is an installation option of Windows Server that does not include a GUI. All Server Core management is performed from the command line or through scripting. Servers running a Server Core installation support the following server roles:



  • Active Directory Domain Services (AD DS)
  • Active Directory Certificate Services (AD CS)
  • Active Directory Lightweight Directory Services (AD LDS)
  • DHCP Server
  • DNS Server
  • File Services
  • Print Services
  • Streaming Media Services
  • IIS
  • Hyper-V



You can also manage a Server Core installation by connecting to it from the Microsoft Management Console (MMC) on another server.
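The three DNS points above (no Internet root hints on an isolated internal root, restricted zone transfers, and AD-integrated zones with secure dynamic updates) turned into an audit script, as an added example that is not from the original article. It assumes the DnsServer PowerShell module (Windows Server 2012 or later; on 2008 R2 the same settings are reachable with dnscmd), and the allowed secondary address and internal root server name are placeholders.

```powershell
# Added example (not from the original article): audit a Windows DNS server
# against the three design points and, with -Remediate, apply the hardened
# settings. Requires the DnsServer module (Windows Server 2012 or later; on
# 2008 R2 the same settings are reachable with dnscmd). The allowed secondary
# and the internal root server name/address are assumed placeholder values.
param(
    [switch]$Remediate,
    [string[]]$AllowedSecondaries = @('10.0.0.6'),           # assumed secondary DNS server
    [string]$InternalRootName     = 'root-dns.corp.example', # assumed internal root server
    [ipaddress]$InternalRootIP    = '10.0.0.10'
)
Import-Module DnsServer

$zones = Get-DnsServerZone | Where-Object {
    $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and $_.ZoneName -ne 'TrustAnchors'
}
$findings = @(foreach ($zone in $zones) {
    # Zone transfers: open to any server is the risky setting; restrict to known secondaries
    if ($zone.SecureSecondaries -eq 'TransferAnyServer') {
        [pscustomobject]@{ Zone = $zone.ZoneName; Issue = 'Zone transfer open to any server' }
        if ($Remediate) {
            Set-DnsServerPrimaryZone -Name $zone.ZoneName -SecureSecondaries TransferToSecureServers `
                -SecondaryServers $AllowedSecondaries
        }
    }
    # AD-integrated zones can require authenticated (secure) dynamic updates only
    if ($zone.IsDsIntegrated -and $zone.DynamicUpdate -ne 'Secure') {
        [pscustomobject]@{ Zone = $zone.ZoneName; Issue = "Dynamic updates: $($zone.DynamicUpdate)" }
        if ($Remediate) { Set-DnsServerPrimaryZone -Name $zone.ZoneName -DynamicUpdate Secure }
    }
    # File-backed zones get neither ACLs on records nor secure dynamic updates
    if (-not $zone.IsDsIntegrated) {
        [pscustomobject]@{ Zone = $zone.ZoneName; Issue = 'Not AD-integrated (no ACLs / secure updates)' }
    }
})

# Root hints: an isolated private namespace should point only at the internal root server
$external = Get-DnsServerRootHint | Where-Object {
    $_.NameServer.RecordData.NameServer.TrimEnd('.') -ne $InternalRootName
}
if ($external) {
    $findings += [pscustomobject]@{ Zone = '(root hints)'; Issue = "$(@($external).Count) root hint(s) outside the internal root" }
    if ($Remediate) {
        $external | ForEach-Object { Remove-DnsServerRootHint -NameServer $_.NameServer.RecordData.NameServer -Force }
        Add-DnsServerRootHint -NameServer $InternalRootName -IPAddress $InternalRootIP
    }
}
if ($findings) { $findings | Format-Table -AutoSize } else { 'No findings: DNS zones and root hints match the hardened design' }
```

Run it without `-Remediate` first to see the findings, then with `-Remediate` once the allowed secondaries and internal root values have been confirmed for the environment.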



Deploy Group Policy objects (GPOs). A GPO is a powerful tool that helps administrators lock down servers, other machines, and virtual machines that face the cloud. With Group Policy, administrators can manage configurations for groups of computers and users, including registry-based policy settings, security settings, software deployment, scripts, Folder Redirection, Remote Installation Services, and Internet Explorer maintenance. By using Group Policy, engineers can deploy software packages and secure computers and users. GPOs can quickly become complex because of factors such as the number of policy settings, interactions between multiple policies, and inheritance options. As with all deployments, careful planning, design, and testing must be performed, and this is especially true when you are using Windows Server in a cloud-oriented role. Good planning provides the standardized functions, security, and management controls that the enterprise needs.
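A baseline GPO for cloud-facing servers built the way the paragraph describes (registry-based policy settings, a link to the servers' OU, and a report for the test phase), as an added example that is not from the original article. It assumes the GroupPolicy module, and the GPO name, OU distinguished name, and domain are placeholders.

```powershell
# Added example (not from the original article): create a baseline GPO for
# cloud-facing servers, deliver registry-based policy settings through it,
# link it (disabled) to the servers' OU and export a report for review.
# Requires the GroupPolicy module (RSAT or a domain controller). GPO name,
# OU and domain are assumed placeholder values.
param(
    [string]$GpoName    = 'Cloud Servers - Security Baseline',
    [string]$TargetOu   = 'OU=CloudServers,DC=corp,DC=example',   # assumed OU
    [string]$ReportPath = "$env:TEMP\CloudServersBaseline.html"
)
Import-Module GroupPolicy

# Create the GPO only if it does not exist yet, so the script can be re-run safely
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Baseline for cloud-oriented Windows Servers' }

# Registry-based policy settings (administrative template values) carried by the GPO
$ts = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$settings = @(
    @{ Key = $ts; ValueName = 'UserAuthentication'; Type = 'DWord'; Value = 1 }  # RDP requires Network Level Authentication
    @{ Key = $ts; ValueName = 'MinEncryptionLevel'; Type = 'DWord'; Value = 3 }  # RDP encryption level: High
    @{ Key = $ts; ValueName = 'fDisableCdm';        Type = 'DWord'; Value = 1 }  # no client drive redirection over RDP
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'; ValueName = 'MaxSize'; Type = 'DWord'; Value = 196608 } # Security log size in KB
)
foreach ($s in $settings) {
    Set-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.ValueName -Type $s.Type -Value $s.Value | Out-Null
}

# Link to the OU but leave the link disabled until the settings have been tested
$inheritance = Get-GPInheritance -Target $TargetOu
if (-not ($inheritance.GpoLinks | Where-Object { $_.DisplayName -eq $GpoName })) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled No | Out-Null
}

# Human-readable report of every setting for the planning and test phase
Get-GPOReport -Name $GpoName -ReportType Html -Path $ReportPath
"GPO '$GpoName' linked (disabled) to $TargetOu. Review $ReportPath, then enable with:"
"Set-GPLink -Name '$GpoName' -Target '$TargetOu' -LinkEnabled Yes"
```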



Windows Server master image control. In some environments, cloud-based Windows servers are completely virtualized. Some of these infrastructures, such as health care, may require the images to be verified and never altered. In this case, an engineer can create a snapshot of a master "gold" image. They can then clone the image and apply patches and updates to the clone in a test environment, testing on separate servers to see whether any update causes incompatibilities. Even in production, if a patch fails or a management flaw arises, the server administrator can easily roll back to the most recent working Windows environment. For verification purposes, the master image can be kept in a secure location in the environment that the engineer knows will not be changed.
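The master-image workflow above (seal the gold image, prove it has not changed, clone it for patch testing with a rollback point) as an added example that is not from the original article. It assumes a Hyper-V host with the Hyper-V module and Get-FileHash (Windows Server 2012 R2 / PowerShell 4.0 or later), and the image paths and VM name are placeholders.

```powershell
# Added example (not from the original article): record the SHA-256 of a
# Hyper-V master ("gold") image, verify it before use, and build a patch-test
# VM from a copy with a checkpoint to roll back to. Paths and the VM name are
# assumed placeholder values.
param(
    [string]$MasterVhd  = 'D:\Images\WS-Master.vhdx',    # assumed master image path
    [string]$Manifest   = 'D:\Images\WS-Master.sha256',  # assumed hash record path
    [string]$TestVmName = 'WS-Patch-Test',
    [ValidateSet('Seal', 'Verify', 'Clone')][string]$Action = 'Verify'
)
Import-Module Hyper-V

function Get-ImageHash([string]$Path) { (Get-FileHash -Algorithm SHA256 -Path $Path).Hash }

switch ($Action) {
    'Seal' {
        # Record the hash once, when the master is approved, and make both files read-only
        $hash = Get-ImageHash $MasterVhd
        "$hash  $(Split-Path $MasterVhd -Leaf)" | Set-Content -Path $Manifest -Encoding ASCII
        Set-ItemProperty -Path $MasterVhd, $Manifest -Name IsReadOnly -Value $true
        "Sealed master image; SHA-256 $hash recorded in $Manifest"
    }
    'Verify' {
        # Compare the image with the recorded hash; any difference means the master was altered
        $expected = (Get-Content $Manifest).Split(' ')[0]
        $actual   = Get-ImageHash $MasterVhd
        if ($actual -ne $expected) { throw "Master image has changed: expected $expected, got $actual" }
        'Master image hash matches the recorded value'
    }
    'Clone' {
        # Never patch the master: verify it, copy it, build a test VM and checkpoint it
        & $PSCommandPath -Action Verify -MasterVhd $MasterVhd -Manifest $Manifest
        $clone = Join-Path (Split-Path $MasterVhd) "$TestVmName.vhdx"
        Copy-Item -Path $MasterVhd -Destination $clone
        Set-ItemProperty -Path $clone -Name IsReadOnly -Value $false
        New-VM -Name $TestVmName -MemoryStartupBytes 2GB -VHDPath $clone -Generation 2 | Out-Null
        Checkpoint-VM -Name $TestVmName -SnapshotName 'Before patching'
        "Created $TestVmName from the verified master; if a patch fails, run:"
        "Restore-VMCheckpoint -VMName '$TestVmName' -Name 'Before patching'"
    }
}
```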



As Windows Server technology continues to improve, more tools become available to help administrators deploy and lock down their environments. Because each environment is unique, careful security-based planning must precede any cloud rollout. The ability of the Windows Server platform to adapt to environment requirements is impressive, but really taking advantage of the features these server platforms provide depends on the Windows administrators' understanding of their environment.

