Introduction to Controlling Communication with the Internet for Windows Server 2008
Applies To: Windows Server 2008
The Windows Server® 2008 operating system includes a variety of technologies that communicate with the Internet to provide increased ease-of-use and functionality. Browser and e-mail technologies are obvious examples, but there are also technologies such as automatic updating that help you obtain the latest software and product information, including bug fixes and software updates. These technologies provide many benefits, but they also involve communication with Internet sites, which administrators might want to control.
Control of this communication can be achieved through a variety of options built into individual features, into the operating system as a whole, and into server features designed for managing configurations across your organization. For example, as an administrator, you can use Group Policy to control the way some features communicate. For some features, you can create an environment in which all communication is directed to the organization’s own internal Web site instead of to an external site on the Internet.
This white paper provides information about the communication that flows between features in Windows Server 2008 and sites on the Internet, and describes steps to take to limit, control, or prevent that communication in an organization with many users. This white paper is designed to assist you, the administrator, in planning strategies for deploying and maintaining Windows Server 2008 in a way that helps provide an appropriate level of security and privacy for your organization’s networked assets.
This white paper provides guidelines for controlling features in the following set of operating systems:
Windows Web Server 2008
Windows Server 2008 Standard
Windows Server 2008 Enterprise
Windows Server 2008 Datacenter
Windows Server 2008 for Itanium-Based Systems
This white paper is organized around individual features found in Windows Server 2008, so that you can easily find detailed information for any feature you are interested in.
For more information about the features available in each of the editions of Windows Server 2008, see the Microsoft Web site at:
What This White Paper Covers and What It Does Not Cover
This section describes the:
Standard computer information sent by Internet-enabled features
Types of features covered in this white paper
Types of features not covered in this white paper
Security basics that are beyond the scope of this white paper, with listings of some other sources of information about these security basics
Standard Computer Information Sent by Internet-Enabled Features
When you use software with Internet-enabled features, information about your computer ("standard computer information") is sent to the Web sites you visit and online services you use. Microsoft uses standard computer information to provide you with Internet-enabled services, to help improve our products and services, and for statistical analysis. Standard computer information typically includes information such as your IP address, operating system version, browser version, and regional and language settings. In some cases, standard computer information may also include hardware ID, which indicates the device manufacturer, device name, and version. The purpose of this white paper is not to describe standard computer information sent by Internet-enabled features in Windows Server 2008, but to describe additional information that can be sent or received by those features.
Types of Features Covered in This White Paper
This white paper provides:
Information about features that in the normal course of operation send information to or receive information from one or more sites on the Internet. An example of this type of feature is Windows Error Reporting. If you choose to use this feature, it sends information to a site on the Internet.
Information about features that routinely display buttons or links that make it easy for you to initiate communication with one or more sites on the Internet. An example of this type of feature is Event Viewer. If you open an event in Event Viewer and click a link, you are prompted with a message box that says, "Event Viewer will send the following information across the Internet. Is this OK?" If you click OK, information about the event is sent to a Web site, which replies with any additional information that might be available about that event.
Brief descriptions of features like Microsoft Internet Explorer and Internet Information Services (IIS) that are designed to communicate with the Internet. It is beyond the scope of this white paper to describe all aspects of maintaining appropriate levels of security in an organization running servers that communicate across the Internet. This white paper does, however, provide basic information about how components such as Internet Information Services work, and it provides suggestions for other sources of information about balancing your organization’s requirements for communication across the Internet with your organization’s requirements for protection of networked assets.
Types of Features Not Covered in This White Paper
This white paper does not provide:
Information about managing or working with applications, scripts, utilities, Web interfaces, Microsoft ActiveX® controls, extensible user interfaces, Microsoft .NET Framework, and application programming interfaces (APIs). These are either applications or layers that support applications, and as such, they provide extensions that go beyond the operating system itself.
Windows Installer is not covered in this white paper, although Windows Installer includes some technology that you can choose to use for installing drivers or other software from the Internet. Such Windows Installer packages are not described here because they are like a script or utility that is created specifically for communication across the Internet.
Note that among the applications not covered in this white paper are Web-based and server-based applications, for example, server-based applications for databases, e-mail, or instant messaging. You must work with your software provider to learn what you can do to mitigate any risks that are part of using particular applications (including Web-based or server-based applications), scripts, utilities, and other software that runs on Windows Server 2008.
Information about features that store local logs that could potentially be sent to someone or could potentially be made available to support personnel. This information is similar to any other type of information that can be sent through e-mail or across the Internet in other ways. You must work with your support staff to provide guidelines for handling logs and any other similar information you might want to protect.
Security Basics That Are Beyond the Scope of This White Paper
This white paper is designed to assist you, the administrator, in planning strategies for deploying and maintaining Windows Server 2008 in a way that helps provide an appropriate level of security and privacy for your organization’s networked assets. The white paper does not describe security basics, that is, strategies and risk-management methods that provide a foundation for security across your organization. It is assumed you are actively evaluating and studying these security basics as a standard part of network administration.
Some security basics that are a standard part of network administration include:
Monitoring. This includes using a variety of software tools, among them tools that assess which ports are open on servers and clients.
The principle of least privilege (for example, not logging on as an administrator if logging on as a user is just as effective).
The principle of running only the services and software that are necessary—that is, stopping unnecessary services and keeping computers (especially servers) free of unnecessary software.
Strong passwords—that is, requiring all users and administrators to choose passwords that are not easily cracked.
Risk assessment as a basic element in creating and implementing security plans.
Software deployment and maintenance routines to help ensure that your organization’s software is running with the latest security updates and patches.
Defense-in-depth. In this context, defense-in-depth (also referred to as in-depth defense) means redundancy in security systems. An example is using firewall settings together with Group Policy to control a particular type of communication with the Internet.
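The monitoring item and the "run only necessary services" item in the list above, as an added PowerShell example that is not part of this white paper: it lists the TCP ports a server is listening on (with the owning process) and the services that are running, and flags anything outside an approved list. It assumes the PowerShell feature is installed on the server and uses only built-in commands (netstat, Get-Process, Get-Service); the approved port and service lists are constructed placeholders for an illustrative file-server role, not Microsoft recommendations.

```powershell
# Added example (not from the white paper): audit listening TCP ports and
# running services on a Windows Server 2008 host against an approved list,
# so that anything unexpected is reviewed and, if unnecessary, stopped.
# The approved lists are constructed placeholders for a file-server role;
# replace them with what your server role actually requires.

$ApprovedPorts    = 135, 445, 3389                   # assumption: RPC, SMB, RDP only
$ApprovedServices = 'Dnscache', 'EventLog', 'LanmanServer', 'TermService', 'W32Time'  # assumption

function Get-ListeningPorts {
    # 'netstat -ano' ships with Windows: -a lists listening sockets, -n keeps
    # addresses numeric, -o adds the owning process ID as the last column.
    # Output columns: Proto  Local Address  Foreign Address  State  PID
    foreach ($line in (netstat -ano)) {
        if ($line -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $port  = [int]$matches[1]
            $owner = [int]$matches[2]
            $proc  = Get-Process -Id $owner -ErrorAction SilentlyContinue
            $name  = 'unknown'
            if ($proc) { $name = $proc.ProcessName }
            # Emit one hashtable per listener so callers can filter or export it.
            @{ Port = $port; PID = $owner; Process = $name;
               Approved = ($ApprovedPorts -contains $port) }
        }
    }
}

function Get-UnapprovedServices {
    # Running services that are not on the approved list are candidates for
    # the "stop unnecessary services" step; review each one before disabling it.
    Get-Service | Where-Object {
        $_.Status -eq 'Running' -and -not ($ApprovedServices -contains $_.Name)
    }
}

'--- Listening TCP ports ---'
foreach ($l in (Get-ListeningPorts)) {
    if ($l.Approved) { $flag = 'ok' } else { $flag = 'REVIEW' }
    '{0,-6} {1,-6} {2,-20} {3}' -f $l.Port, $l.PID, $l.Process, $flag
}

'--- Running services not on the approved list ---'
Get-UnapprovedServices | ForEach-Object { '{0,-20} {1}' -f $_.Name, $_.DisplayName }
```

The pattern matches TCP listeners only; UDP sockets have no LISTENING state in netstat output and would need a second pattern. The script is a detective control: it tells you what is exposed, and the defense-in-depth item above is about pairing that knowledge with preventive controls such as firewall rules and Group Policy so that a service left running by mistake is still not reachable.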
Other Sources of Information About Security Basics
The following books and Web sites are a few of the many sources of information about the security basics described previously:
Meier, J.D., et al. "Improving Web Application Security: Threats and Countermeasures." Redmond, WA: Microsoft Press, 2003. For more information, see the MSDN Web site at:
Howard, Michael, and David LeBlanc. "Writing Secure Code, Second Edition." Redmond, WA: Microsoft Press, 2003.
Kaufman, C., R. Perlman, and M. Speciner. "Network Security: Private Communication in a Public World." Upper Saddle River, New Jersey: Prentice-Hall Inc., 2002.
Smith, B., B. Komar, and the Microsoft Security Team. "Microsoft® Windows® Security Resource Kit, Second Edition." Redmond, WA: Microsoft Press, 2005.
For more information, see the Microsoft Press Web site at:
The security Web page on the Microsoft Web site at:
The Reference Architecture content on the Microsoft Web site at:
The Web page focused on security for Windows Server 2008 on the Microsoft Windows Web site at:
The Web page focused on security on the Microsoft Developer Network (MSDN®) Web site at:
The Web pages focused on security on the Microsoft TechNet Web site at: