
SolutionBase: Using the network enhancements in Windows Server 2003

Windows Server 2003 has been shipping for a while now, but many Windows NT and Windows 2000 network administrators haven't yet seen the need to make the move. This article outlines some of the newer enhancements Microsoft has made to the networking features in Windows Server 2003.

Windows Server 2003 has many great new features, including enhancements to networking functionality. Some of these will be especially important to small businesses. In this article, we'll look at three new features: the Internet Connection Firewall (which is upgraded to the new Windows Firewall by Server 2003 Service Pack 1), network bridging capabilities, and changes to terminal services. These features were first introduced in Windows XP, but are new to the server product in Windows Server 2003.

The Internet Connection Firewall

You're probably already familiar with ICF if you deploy Windows XP on the desktop, but did you know that Server 2003 also includes the built-in firewall? Who would use a host-based firewall on a server, you might ask. But ICF can provide basic firewall protection for small businesses on a budget, even if only as a stop-gap measure until a more sophisticated perimeter firewall is in place.

If you're using Internet Connection Sharing (ICS) to share an Internet connection for a small office network, you can enable ICF on the shared connection to the Internet (not on the connection to the local network) to protect the internal network. You can also use ICF to protect a Web server or SMTP server running on Windows Server 2003 Standard or Enterprise Edition.

ICF is not included with Server 2003 Web or Datacenter editions. Internet Connection Sharing (ICS) and the Network Bridge are likewise included only in Standard and Enterprise editions. Also note that ICF cannot be enabled if Routing and Remote Access (RRAS) is enabled on the Server 2003 computer.

Any Windows Server 2003 computer that is directly connected to the Internet through a dialup, broadband or dedicated connection and does not have a firewall in front of it or another software firewall installed should have ICF enabled. ICF is a host-based firewall (often called a "software firewall" because it runs on a regular client or server operating system rather than on a dedicated hardware appliance).

ICF features and functionality

Although ICF does not perform sophisticated application layer filtering like modern enterprise-level firewalls (such as Microsoft's ISA Server, Cisco's PIX or CheckPoint), it does perform stateful filtering. This means it inspects the source and destination headers of incoming traffic and checks this against a table of communications that have been initiated by the computer on which ICF is installed or computers on the internal network (when the ICF computer is also an ICS host). If the table indicates that the communications originated with a computer on your internal network, the traffic from the Internet is allowed. If there is no table entry, indicating that the Internet traffic is unsolicited, it is denied. This prevents port scanning and other types of attacks.

But what if you need to allow unsolicited traffic (for example, you have a Web server that needs to be available to Internet users)? No problem. You can configure the appropriate service (in this case, HTTP) on the ICF computer to allow unsolicited HTTP traffic through the firewall. It will then be forwarded by the ICF computer to the Web server computer. A number of common services are already preconfigured for ICF, so that all you have to do to allow their traffic through is check a checkbox. Here's how:

  1. Click Control Panel | Network Connections.
  2. Right click the network connection on which you have ICF enabled (the connection to the Internet) and select Properties.
  3. Click the Advanced tab and then click the Settings button.
  4. Click the Services tab. Check the box(es) for the service(s) you want to allow through the firewall, as shown in Figure A, and click OK.

Figure A

You can configure the firewall to allow preconfigured services through by checking a box.
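The decision described above (check the table of internally initiated connections, then the enabled services, otherwise deny) can be modeled in a few lines. This is an added illustration, not ICF's own code: the class and method names are hypothetical, and the model ignores address translation, timeouts and TCP state.

```python
class StatefulFilter:
    """Simplified model of the filtering decision; all names are hypothetical."""

    def __init__(self):
        self.table = set()    # flows initiated from the inside
        self.services = {}    # (protocol, external port) -> (host, internal port)

    def allow_service(self, proto, ext_port, host, int_port):
        """Counterpart of checking a box on the Services tab."""
        self.services[(proto, ext_port)] = (host, int_port)

    def outbound(self, proto, src, sport, dst, dport):
        """Record a connection initiated by an internal computer."""
        self.table.add((proto, src, sport, dst, dport))

    def inbound(self, proto, src, sport, dst, dport):
        """Return (verdict, detail) for a packet arriving from the Internet."""
        # A reply mirrors a recorded flow: its source is that flow's destination.
        if (proto, dst, dport, src, sport) in self.table:
            return ("ALLOW", "reply to internal flow")
        if (proto, dport) in self.services:
            host, port = self.services[(proto, dport)]
            return ("FORWARD", f"{host}:{port}")
        return ("DROP", "unsolicited")


def demo():
    """Run constructed traffic (private and documentation address ranges)."""
    fw = StatefulFilter()
    fw.outbound("TCP", "192.168.0.5", 1045, "198.51.100.25", 80)
    results = [
        fw.inbound("TCP", "198.51.100.25", 80, "192.168.0.5", 1045),  # reply
        fw.inbound("TCP", "203.0.113.7", 4312, "192.168.0.1", 80),    # unsolicited
    ]
    fw.allow_service("TCP", 80, "192.168.0.20", 80)  # HTTP (Web server) enabled
    results.append(fw.inbound("TCP", "203.0.113.7", 4312, "192.168.0.1", 80))
    results.append(fw.inbound("TCP", "203.0.113.7", 4313, "192.168.0.1", 23))
    return [verdict for verdict, _ in results]


if __name__ == "__main__":
    print(demo())
```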

The preconfigured services from which you can choose are:

  • FTP server (File Transfer Protocol)
  • IMAP 3 (Mail server)
  • IMAP 4 (Mail server)
  • SMTP (Mail server)
  • NNTP (Newsgroup server)
  • POP3 (Mail server)
  • Remote Desktop server
  • HTTPS (Secure Web server)
  • Telnet server
  • HTTP (Web server)

You can edit settings for the services you enable. For example, when you enable the HTTP (Web server) service, you need to enter the name or IP address of the computer hosting the Web services, if it's not the ICF computer.

If the service you want to allow is not in the list of preconfigured services, you can add it by clicking the Add button and entering a name/description, the name or IP address of the computer hosting the service and external and internal TCP or UDP ports that will be used by the service. In Figure B, we added a service to allow the ICF computer to run the PCAnywhere host.

Figure B

You can add services to the preconfigured list.

By default, ICF does not allow ICMP messages through the firewall. These messages (PING) are often used for troubleshooting. If you want to allow ICMP, click the ICMP tab and check the box(es) for the type(s) of ICMP messages you want to allow. Your choices include:

  • incoming echo request
  • incoming timestamp request
  • incoming router request
  • outgoing destination unreachable
  • outgoing source quench
  • outgoing parameter problem
  • outgoing time exceeded
  • redirect

ICF Logging

ICF does basic logging. You can configure it to log dropped packets (both incoming and outgoing) and/or to log successful connections. Although configuration options are limited, the log does contain quite a bit of information. This includes the date and time of each transaction, actions observed by the firewall, protocols used, source and destination IP addresses, source and destination ports, packet sizes, TCP control flags, TCP sequence numbers, TCP acknowledgement numbers, TCP window size, ICMP type and code, and information entries for specific actions.

You can also select a location where the log file will be stored (the default log file is named pfirewall.log and stored in the WINDOWS directory). You can set a size limit on the firewall log to prevent it from getting too large. The size value can be anything between 1 and 32,767 KB. If the log goes over the size limit that you've set, ICF will rename the file to pfirewall.old and then start a new one. This only happens once; if the limit is exceeded a second time, ICF will overwrite the pfirewall.old file with the current log file information and then start a new one.

The log is created in W3C Extended Log File format. You can view it by clicking the Browse button on the Security Logging tab (shown in Figure C), highlighting the file and clicking Open.

Figure C

Open the ICF log by clicking the Browse button on the Security Logging tab.
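Because the log is plain W3C Extended text, it can also be summarized with a short script. The following Python is an added example, not part of the original article: it reads the column names from the #Fields directive and lists sources whose dropped packets touched several distinct destination ports. The sample log, its field names and the min_ports threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample in the W3C Extended layout; addresses are documentation ranges.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2005-02-01 10:15:01 DROP TCP 203.0.113.7 192.0.2.10 4312 135 48 S 1234567 0 16384 - - -
2005-02-01 10:15:01 DROP TCP 203.0.113.7 192.0.2.10 4313 139 48 S 1234590 0 16384 - - -
2005-02-01 10:15:02 DROP TCP 203.0.113.7 192.0.2.10 4314 445 48 S 1234611 0 16384 - - -
2005-02-01 10:15:02 DROP TCP 203.0.113.7 192.0.2.10 4315 3389 48 S 1234640 0 16384 - - -
2005-02-01 10:16:40 OPEN TCP 192.0.2.10 198.51.100.25 1045 80 - - - - - - - -
2005-02-01 10:16:55 DROP ICMP 198.51.100.99 192.0.2.10 - - 60 - - - - 8 0 -
2005-02-01 10:17:10 CLOSE TCP 192.0.2.10 198.51.100.25 1045 80 - - - - - - - -
"""


def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def dropped_by_source(records):
    """Map each source IP to the set of destination ports it was dropped on."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "DROP" and r["dst-port"] != "-":
            ports[r["src-ip"]].add(int(r["dst-port"]))
    return ports


def scan_suspects(text, min_ports=3):
    """Return sources dropped on at least min_ports distinct ports."""
    hits = dropped_by_source(parse_w3c(text))
    return {ip: sorted(p) for ip, p in hits.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for ip, ports in scan_suspects(SAMPLE_LOG).items():
        print(f"{ip} was dropped on {len(ports)} ports: {ports}")
```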

Note that Windows Server 2003 Service Pack 1, a release candidate at the time of this writing, will update ICF to the Windows Firewall just as SP2 did for XP. One of the most important changes is that the firewall will be turned on by default in new installations of Server 2003 with SP1 slipstreamed. This protects the server during setup and configuration, even if you choose to disable it later.

This new version of the firewall provides security during bootup (after the network stack loads and prior to the firewall user-mode service starting). The new version also supports application based exceptions, which means the firewall can open and close listening ports automatically so the ports will be open only during the time the application is listening on the ports.

Network bridging

Network bridging is another networking feature in Server 2003 that wasn't in Windows 2000 Server, and another that's likely to be most used by small businesses. A bridge is a device or software construct that connects different segments of a local area network (such as a wireless segment and an Ethernet segment) so that they can communicate with each other. The Network Bridge feature allows your Windows Server 2003 computer to act as the bridging device.

Using the bridging feature requires two or more network connections on the Server 2003 machine, one to each network segment that you want to bridge. You can use cabled Ethernet, 802.11 wireless, IEEE 1394 (FireWire) or even HPNA (Home Phoneline Network Adapter) connections. Note that IPv6 is supported only on Ethernet connections.

Configuring the bridge

To set up a bridge, select the connections that will be part of it. Highlight them (using the CTRL key to select multiple connections) and right click. Then select Bridge Connections from the context menu, as shown in Figure D.

Figure D

You can bridge two or more network segments to which your Server 2003 computer is connected.

A dialog box will ask you to wait for a moment, and then a new section labeled Network Bridge will appear in the Network Connections window. It contains an icon representing the bridge itself, and the connections that you bridged will be moved from the LAN or High-Speed Internet section to the Network Bridge section, as shown in Figure E.

Figure E

A new section for the Network Bridge is created in the Network Connections window.

How the bridge works

The Server 2003 Network Bridge uses the Spanning Tree Algorithm (STA) and the Spanning Tree Protocol (STP) to prevent bridging loops. Looping was traditionally a common problem with bridges when more than one bridge existed on the network.

Note that you can only have one network bridge on your Server 2003 computer, but it can connect many networks (so long as the computer is physically connected to each of those networks).

You can add connections to the bridge in one of two ways:

  • Right click the icon for the connection you want to add and select Add to Bridge from the context menu.
  • Right click the Network Bridge icon and select Properties, then on the General tab, under Adapters, check the checkbox for the connection you want to add.

Don't add the Internet connection to the Network Bridge, as this will open up your internal network to attack from the Internet.

After a connection has been added to the Network Bridge, you can no longer configure ICF or ICS on that connection. In fact, the Advanced tab disappears from its properties sheet. You'll also find that you can't configure its TCP/IP and other network settings through its property sheet anymore. Instead, you must configure the properties of the Network Bridge.

You can remove connections from the bridge by right clicking the connection and selecting Remove from Bridge from the context menu or by unchecking the connection's checkbox in the Network Bridge's properties. However, don't leave fewer than two connections as part of the bridge. If only one connection is left, no bridging can take place, but the Network Bridge will still use system resources. You can disable the bridge or delete it by right clicking its icon and choosing Disable or Delete from the context menu.

Troubleshooting the Network Bridge

In order for the bridge to work, the network adapter needs to operate in promiscuous mode. If your NIC doesn't, you can try the following to force the NIC into compatibility mode:

  1. Click Start | Run and type cmd to open a command prompt.
  2. At the prompt, enter netsh bridge show adapter
  3. Note the ID number of the NIC that isn't responding.
  4. Type the following command: netsh bridge set adapter <adapter ID number> forcecompatmode=enable
  5. Type netsh bridge show adapter again. Verify that it shows ForceCompatibilityMode to be enabled.

Controlling the bridge through the registry

You can prevent the Bridge from forwarding packets by editing the registry. In your favorite registry editor, navigate to the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BridgeMP

Create a new DWORD value and name it DisableForwarding. Double click the new entry and set its value to 1. You'll need to reboot to apply the change. You can disable the Spanning Tree Algorithm in a similar manner, by creating a DWORD value in the same key called DisableSTA and setting its value to 1.

Terminal services

Terminal services is not a new feature in Windows Server 2003, but it has undergone some changes. In Windows 2000, terminal services operated in one of two modes:

  • Remote administration mode
  • Application server mode

To use either, you had to install the terminal services as a Windows component in Add/Remove Programs. In Remote Administration mode, a license server was not required and there was a limit of two simultaneous connections to the server through terminal services.

In Server 2003, you need to install terminal services only if you want to run an application server. To remotely administer the server, you can use the new Remote Desktop feature, which uses the terminal services technology and the same Remote Desktop Protocol (RDP) but is implemented as a separate feature. This is a more sophisticated version of the Remote Desktop feature in Windows XP. The drawback of Remote Desktop is that now you can only have one connection to the server at a time. The upside is that Remote Desktop is easier to set up and use.

The Terminal Services application server component is included (but not installed by default) with Server 2003 Standard, Enterprise and Datacenter editions. It is not included with Web Server Edition. Remote Desktop is included with all Server 2003 editions.

Using Remote Desktop for administration

For security reasons, Remote Desktop is disabled by default. To enable Remote Desktop, just open the System applet in Control Panel and click the Remote tab. Under Remote Desktop, check the box labeled Allow users to connect remotely to your computer.

You'll also need to add the user accounts you want to be able to connect remotely to the computer to the Remote Desktop Users local group. This group is empty by default, although administrators can connect to the Remote Desktop by default. However, it's best to add your regular user account to the group so you won't have to log on as an administrator to make a Remote Desktop connection to the server.

On a server that is not a domain controller, add users to the Remote Desktop Users group through the Local Users and Groups node of the Computer Management MMC. On a domain controller, add users to this group through the Builtin node in Active Directory Users and Computers, as shown in Figure F.

Figure F

On a domain controller, you populate the Remote Desktop Users group through the ADUC tool

Remote administration from Windows, Macintosh, Amiga and Linux computers

Now you can remotely administer the server from any Windows XP computer by clicking Start | All Programs | Accessories | Communications | Remote Desktop Connection and entering the name or IP address of the server. Although XP Home does not include the Remote Desktop server feature, it does include the Remote Desktop Connection (RDC) client. You can connect from a Windows 9x/Me or NT/2000 computer by installing the RDC client. The client is on the Server 2003 CD and in the <systemroot>\System32\Tsclient folder on the Server 2003 machine. You can also download the client software from the Microsoft Web site.

You can connect to Remote Desktop from a Macintosh computer running OS X by downloading the RDC client for Mac. To connect to the Remote Desktop from a Linux computer, use the rdesktop software. You can even get a Remote Desktop client for Amiga OS.

Windows 2000+3

Windows Server 2003 has improved networking functionality, especially for small businesses, with new and improved networking features over the features found in Windows 2000 Server. Even the three basic advances shown in this article illustrate how Microsoft is working to improve its flagship operating system.

About Deb Shinder

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...
