Configuration Guide: Installing Mobility XE in a Hardened Windows Server Environment

Technical Note 2225

Last Reviewed 08-Aug-2007
Applies to:
Mobility XE server version 7.2 and higher
Mobility server OS: Microsoft Windows Server 2003

Summary

This document explains how to create a "hardened" baseline configuration in a Microsoft Windows Server 2003 environment. The procedures should be applied to all computers running Mobility XE version 7.2 server pool components, including the Mobility server(s) and Mobility warehouse (primary and standby). By following these instructions, you will be in compliance with Microsoft server security standards. However, NetMotion strongly recommends that you supplement this guide with proper network administration, domain policies, and other security measures.

Estimated time to configure: 4 hours

Minimum Requirements:

  • Microsoft Windows Server 2003

    Note: Consult the Mobility XE version 7.2 Quick Start Guide (included with your product download) or readme file for the minimum and recommended hardware configurations.
  • NetMotion Mobility XE server

  • NetMotion Mobility XE warehouse

  • Anti-virus software

  • Properly configured network and internet connections

Step 1: Basic Server Hardware Configuration

Follow these steps to install the Microsoft Windows Server 2003 operating system and the anti-virus software.

  1. Install Microsoft Windows Server 2003 on your computer.

  2. Install all Microsoft service packs and patches.

  3. Install your preferred anti-virus software. Configure the anti-virus software to frequently and automatically download updated virus definition files.

Step 2: Run the Security Configuration Wizard

Use Microsoft's Security Configuration Wizard (SCW) to ensure that your computer is running only necessary services and processes.

Start the Microsoft SCW:

  1. From the Windows Control Panel, click Add/Remove Programs.

  2. Click Add/Remove Windows Components.

  3. Scroll down to the Security Configuration Wizard and click install.

Using the SCW, perform the following tasks:

  1. Server Roles—check:

    • Remote Access/VPN Server

  2. Client Features—select:

    • automatic update client
    • DHCP client
    • DNS client
    • DNS registration client
    • Microsoft networking client
    • WINS client

  3. Administrative—select:

    • application experience lookup service
    • backup to local machine and NT/3rd party
    • error reporting
    • help and support
    • local application installation
    • performance data collection
    • time synchronization
    • web proxy auto-discovery
    • windows user mode driver framework

  4. Additional Services—select:

    • .Net runtime optimization
    • live update
    • (anti-virus services)

The settings above will provide you with the minimum required services needed to run a Mobility XE server or warehouse in a hardened environment. Any additions to this configuration could jeopardize your security, so you should plan carefully before running additional services or software on the Windows Server 2003 computer.

Step 3: Configure the Local Firewall

Configure the Windows Firewall or a third-party firewall on your computer.

Note: The Windows Firewall only blocks incoming traffic and leaves outgoing traffic unaffected; for higher security, use an external firewall in addition to configuring the Windows Firewall.

  1. Enable the Microsoft Windows Server 2003 Firewall (accessible from the Windows Control Panel), or install and enable a third-party firewall.

  2. If the computer will be used as a Mobility XE server, add the following to the list of exceptions:

    • UDP port 5008
    • UDP port 5009
    • TCP port 5009
    • TCP port 389

    Additionally:

    • If you configured non-default ports for the Mobility XE server or warehouse, add your custom ports to the firewall exceptions list instead of the default ones listed above.
    • If you are using a third-party firewall, UDP ports 5008 and 5009, and TCP ports 5009 and 389 must be open for inbound and outbound traffic.
    • If you are configuring a pool of Mobility XE servers, you must also open TCP port 5009 and UDP port 5009 between Mobility servers to allow for inter-server communication.

  3. If the computer will be used as a Mobility XE warehouse (primary or standby), open TCP port 389. (If you have configured your warehouse to use a non-default port, replace TCP port 389 with your custom port.)
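The Step 3 exceptions as a batch file for the Windows Server 2003 "netsh firewall" context. This is an added example, not a script from NetMotion or the tech note; the server/warehouse argument, the rule names and the 10.0.0.0/24 scope on the warehouse rule are assumptions (the note opens TCP 389 with no scope restriction).

```batch
@echo off
rem Added example, not part of the NetMotion tech note: applies the Step 3
rem firewall exceptions with the Windows Server 2003 "netsh firewall" context.
rem Usage:  mobility-fw.cmd server     (Mobility XE server)
rem         mobility-fw.cmd warehouse  (primary or standby Mobility warehouse)
rem Port numbers are the note's defaults; change them if you configured
rem non-default Mobility server or warehouse ports.
setlocal
if /i "%~1"=="server"    goto server
if /i "%~1"=="warehouse" goto warehouse
echo Usage: %~nx0 server ^| warehouse
exit /b 1

:server
rem Turn the firewall on for every profile and keep the exception list active.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL
rem The ports the note lists for a Mobility XE server. scope=ALL also covers
rem TCP/UDP 5009 between the members of a server pool.
netsh firewall add portopening protocol=UDP port=5008 name="Mobility XE UDP 5008" mode=ENABLE scope=ALL profile=ALL
netsh firewall add portopening protocol=UDP port=5009 name="Mobility XE UDP 5009" mode=ENABLE scope=ALL profile=ALL
netsh firewall add portopening protocol=TCP port=5009 name="Mobility XE TCP 5009" mode=ENABLE scope=ALL profile=ALL
netsh firewall add portopening protocol=TCP port=389  name="Mobility XE TCP 389"  mode=ENABLE scope=ALL profile=ALL
goto show

:warehouse
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL
rem Only the Mobility servers need to reach the warehouse, so this rule limits
rem TCP 389 to their addresses (an assumption beyond the note, which opens the
rem port without a scope). 10.0.0.0/24 is a placeholder: substitute the subnet
rem or the individual Mobility server addresses from your deployment.
netsh firewall add portopening protocol=TCP port=389 name="Mobility warehouse TCP 389" mode=ENABLE scope=CUSTOM addresses=10.0.0.0/24 profile=ALL
goto show

:show
rem Verify: the firewall should report Operational mode Enable and the
rem exceptions just added should appear in the port list.
netsh firewall show state
netsh firewall show portopening
endlocal
```

Run it from an elevated command prompt once per role; re-running it is harmless because netsh replaces an exception that already has the same protocol and port.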

Step 4: Restrict User Account Access

Limit user access to the Mobility XE server and warehouse computers.

  1. From the Windows Control Panel, open Administrative Tools, then Computer Management.
  2. Under Local Users and Groups, ensure that the Guest account is disabled.
  3. Change the Administrator account name and password to values that differ from those used on other machines in your network. We recommend strong 7-14 character alphanumeric passwords. Configure passwords to expire at least every 3 months.
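The Step 4 settings applied from the command line, with the review output an administrator would check afterwards. This is an added example, not NetMotion's script; it leaves the Administrator rename to Computer Management as the note describes.

```batch
@echo off
rem Added example, not part of the NetMotion tech note: applies the Step 4
rem account restrictions with the built-in "net" commands and prints the
rem settings to review. Rename the Administrator account in Computer
rem Management as the note describes; this script does not rename it.
setlocal
rem Disable the local Guest account.
net user Guest /active:no
rem Local password policy matching the note: minimum 7 characters and expiry
rem after 90 days (3 months). The note's 14-character figure is an upper bound
rem for the recommended password, not a policy setting.
net accounts /minpwlen:7 /maxpwage:90
rem Review: the policy now in force, the Guest account state ("Account active
rem No" is expected) and every member of the local Administrators group.
net accounts
net user Guest | findstr /i "active"
net localgroup Administrators
endlocal
```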

Step 5: Install and Run the Microsoft Baseline Security Analyzer (MBSA)

Download and install the Microsoft Baseline Security Analyzer from the following location:

http://www.microsoft.com/technet/security/tools/mbsahome.mspx

Run the analyzer to receive notifications of unnecessary services or any general security problems. Although this tool is rudimentary, it can help identify holes that you may have overlooked while running the Microsoft Security Configuration Wizard.
