This is the third installment in our series on containing zero-day threats.
One solution when fighting zero-day attacks is to take advantage of virtual server technology. If you have several server roles that require a minimal amount of system resources, you could consolidate those roles onto a single physical server that is hosting multiple virtual servers. Doing so provides better security than hosting all of the server roles under a common operating system (OS) because each virtual OS functions as an isolated environment.
Using virtual servers is also more cost effective than using separate physical boxes for each server. Not only do you save money on hardware, but you also save on licenses: Windows Server 2003 R2 is licensed to run up to four virtual instances of Windows Server on each physical server.
Whether you choose to use physical or virtual servers, the real trick is to figure out exactly which components you do and do not need on each server. Only then can you remove unnecessary components and disable unnecessary services. (Disabling unnecessary services and uninstalling unnecessary components also tends to increase the server's performance.)
Fortunately, it's not as difficult as it sounds. Microsoft has created a document called the Windows Server 2003 Security Guide, which helps you figure out which components are necessary for your situation. The guide takes a role-based approach to server security and discusses at length which components are required for servers acting in various roles. You can access the Windows security guide on Microsoft's TechNet site.
Although the Windows Server 2003 Security Guide is a rather extensive document, it does not cover every possible scenario. The good news is that Microsoft has published similar guides pertaining to most of its server products. For example, suppose that one of the servers in your organization is running Exchange Server 2003. The Windows Server 2003 Security Guide does not address the procedure for hardening an Exchange Server. It does, however, contain a baseline procedure for hardening a member server. You can use the baseline policy as a starting point and then refer to the Microsoft Exchange Server 2003 Security Hardening Guide for specific Exchange Server requirements.
I can't provide the links for all of the security guides -- there are just too many of them. But, you can easily find any of these guides by performing a simple query using the product name and the words SECURITY GUIDE in either Google or directly on the Microsoft Web site.
The most effective countermeasure against zero-day exploits involves reducing the attack surface of the computer that you are trying to protect. Keep in mind that you should always exercise security in depth. In other words, don't depend solely on a limited attack surface to protect you against a zero-day exploit. Adhere to standard security best practices, such as keeping systems patched, keeping antivirus software up to date, using strong passwords and working with the lowest possible user privileges.
About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit his personal Web site at www.brienposey.com.
