Introduction to Controlling Communication with the Internet for Windows Server 2003 with SP1

Applies To: Windows Server 2003 with SP1

Products in the Microsoft® Windows Server™ 2003 family include a variety of technologies that communicate with the Internet to provide increased ease of use. Browser and e-mail technologies are obvious examples, but there are also technologies such as Automatic Updates that help you obtain the latest software and product information, including bug fixes and security patches. These technologies provide many benefits, but they also involve communication with Internet sites, which administrators might want to control.

Control of this communication can be achieved through a variety of options built into individual components, into the operating system as a whole, and into server components designed for managing configurations across your organization. For example, as an administrator, you can use Group Policy to control the way some components communicate. For some components, you can direct all communication to the organization’s own internal Web site instead of to an external site on the Internet. In addition, in Windows Server 2003 with Service Pack 1 (SP1), you can use Windows Firewall and the Security Configuration Wizard to help you control aspects of your configuration such as which services are running and which ports are open.

This white paper provides information about the communication that flows between components in Windows Server 2003 with SP1 and sites on the Internet, and it describes steps to take to limit, control, or prevent that communication in an organization with many users. The white paper is designed to assist you, the administrator, in planning strategies for deploying and maintaining products in the Windows Server 2003 family with SP1 in a way that helps to provide an appropriate level of security and privacy for your organization’s networked assets.

This white paper provides guidelines for controlling components in the following operating systems:

  • Windows Server 2003 with SP1, Web Edition

  • Windows Server 2003 with SP1, Standard Edition

  • Windows Server 2003 with SP1, Enterprise Edition

  • Windows Server 2003 with SP1, Datacenter Edition

  • Windows Server 2003, Standard x64 Edition

  • Windows Server 2003, Enterprise x64 Edition

  • Windows Server 2003, Datacenter x64 Edition

For more information about the services and software available in each of the editions of Windows Server 2003, see the Microsoft Web site at:

https://go.microsoft.com/fwlink/?LinkId=46002

Note that when selecting an appropriate edition of the operating system, you can use the basic security principle of running only the services and software that a particular server requires. For example, if you have a server that requires only the operating-system services and software in Windows Server 2003 SP1, Web Edition, you might choose this edition instead of another edition for that server.

The white paper is organized around individual components found in the Windows Server 2003 family, so that you can easily find detailed information for any component you are interested in.

What This White Paper Covers and What It Does Not Cover

This section describes the following:

  • Types of components covered in this white paper

  • Types of components not covered in this white paper

  • Security basics that are beyond the scope of this white paper, with listings of some other sources of information about these security basics

Types of Components Covered in This White Paper

This white paper provides:

  • Information about components that in the normal course of operation send information to or receive information from one or more sites on the Internet. An example of this type of component is Windows Error Reporting. If you choose to use this component, it sends information to a site on the Internet.

  • Information about components that routinely display buttons or links that make it easy for you to initiate communication with one or more sites on the Internet. An example of this type of component is Event Viewer; if you open an event in Event Viewer and click a link, you are prompted with a message box that says, "Event Viewer will send the following information across the Internet. Is this OK?" If you click OK, information about the event is sent to a Web site, which replies with any additional information that might be available about that event.

  • Brief descriptions of Windows Firewall and the Security Configuration Wizard, which are designed to help you control certain settings related to network communication (and therefore are related to communication across the Internet). These components can help you control aspects of your configuration such as which services are running and which ports are open.

  • Brief descriptions of components like Microsoft Internet Explorer and Internet Information Services (IIS) that are designed to communicate with the Internet. It is beyond the scope of this white paper to describe all aspects of maintaining appropriate levels of security in an organization running servers that communicate across the Internet. This white paper does, however, provide basic information about how components such as Internet Information Services work, and it provides suggestions for other sources of information about balancing your organization’s requirements for communication across the Internet with your organization’s requirements for protection of networked assets.

Types of Components Not Covered in This White Paper

This white paper does not provide:

  • Information about managing or working with applications, scripts, utilities, Web interfaces, Microsoft ActiveX® controls, extensible user interfaces, the .NET Framework, and application programming interfaces (APIs). These are either applications, or are layers that support applications, and as such provide extensions that go beyond the operating system itself.

    Windows Installer is not covered in this white paper, although Windows Installer includes some technology that (if you choose) you can use for installing drivers or other software from the Internet. Such Windows Installer packages are not described here because they are like a script or utility that is created specifically for communication across the Internet.

    Note that among the applications not covered in this white paper are Web-based and server-based applications, for example, server-based applications for databases, e-mail, or instant messaging. You must work with your application software provider to learn what you can do to mitigate any risks that are part of using particular applications (including Web-based or server-based applications), scripts, utilities, and other types of software that run on products in the Windows Server 2003 family.

  • Information about components that store local logs that could potentially be sent to someone or could potentially be made available to support personnel. This information is similar to any other type of information that can be sent through e-mail or across the Internet in other ways. You must work with your support staff to provide guidelines about the handling of logs and any other similar information you might want to protect.

Security Basics That are Beyond the Scope of This White Paper

This white paper is designed to assist you, the administrator, in planning strategies for deploying and maintaining Windows Server 2003 with SP1 in a way that helps provide an appropriate level of security and privacy for your organization’s networked assets. The white paper does not describe security basics, that is, strategies and risk-management methods that provide a foundation for security across your organization. It is assumed you are actively evaluating and studying these security basics as a standard part of network administration.

Some of the security basics that are a standard part of network administration include:

  • Monitoring. This includes using a variety of software tools, including tools to assess which ports are open on servers and clients.

  • Virus-protection software.

  • The principle of least privilege (for example, not logging on as an administrator if logging on as a user is just as effective).

  • The principle of running only the services and software that are necessary—that is, stopping unnecessary services and keeping computers (especially servers) free of unnecessary software.

  • Strong passwords -- that is, requiring all users and administrators to choose passwords that are not easily cracked.

  • Risk assessment as a basic element in creating and implementing security plans.

  • Software deployment and maintenance routines to help ensure that your organization’s software is running with the latest security updates and patches.

  • Defense-in-depth. In this context, defense-in-depth (also referred to as in-depth defense) means redundancy in security systems. An example is using firewall settings together with Group Policy to control a particular type of communication with the Internet.

Other Sources of Information about Security Basics

The following books and Web sites are a few of the many sources of information about the security basics described previously: