Server Virtualization in Action: A View From the Trenches Page 2

Reboot your VM or restart your X server to initialize the new video support. Your graphical interface should fire up and prompt you for a username and password. A graphical interface isn’t necessary to any functions of a dedicated server, but it’s nice to have for performing some administrative tasks (creating new users, sharing folders, printer setup) in a busy environment.

Whether you use Windows, Linux, or some other operating system, your virtual server is now ready for dedicated service.

Dedicating the Server

Depending on your operating system and choices during installation, it takes only 15 to 45 minutes to completely install and prepare a VM for this next critical step in the process of creating a dedicated system.

For our Debian-based mail server, we must prune out all unnecessary daemons (services) and check for open ports that may offer an attacker opportunity to hack our system. We downloaded and installed the NMap network security auditing tool from http://www.nmap.org. This tool is available as source code, Linux/UNIX packages, and as a Windows installer.

The NMap tool assists you in checking your new system for open TCP and UDP network ports so that you can make informed decisions about which ones to turn off. When we performed an intense scan of my new Debian system, we found that we had three open ports. Table 9-1 shows the output from NMap for that system.

Although we have three open ports, only two are essential: SMTP and SSH. You could argue that SSH is not absolutely necessary, but we prefer to keep it. rpcbind (rpc.statd) is a good candidate for removal because the mail server does not require Network File System (NFS) or any other Remote Procedure Call (RPC) program to operate normally.

The same service pruning can be done for Windows systems, although more caution should be taken when doing so. Disabling required services can be devastating to a Windows system. We scanned a virtual Windows 2003 server that acts as an Active Directory server with NMap. Table 9-2 shows the results. The server is a default installation to which Active Directory was added upon initial configuration. No other services were configured for it.

Table 9-3 is an NMap scan of a Windows 2003 system default installation.

Table 9-1  NMap Results for Debian Mail Server Scan.

Table 9-2  NMap Results for Windows 2003 Active Directory Server Scan.

Table 9-3  NMap Results for Windows 2003 Server Scan.

Although this is not a book on security, it bears mentioning that ports 135 and 445 should be blocked from the Internet. Port 445 is deeply embedded in Windows and is almost impossible to turn off without negative consequences, so your best option is to block it via firewall. Port 135, on the other hand, may be turned off without ill effects. At a minimum, it should be blocked via firewall from the Internet. When it comes to Internet security, you should expose only those ports that need exposure.

After you have removed any offending services from your system, it’s ready for business as a dedicated virtual server.

This excerpt © Copyright Pearson Education. All rights reserved.

Want to read more than that? Pick up a copy of Practical Virtualization Solutions from InformIT

Follow ServerWatch on Twitter

Next >> Deploying Server Appliances