About Microsoft Windows Server 2003

Transcription

1 About Microsoft Windows Server 003 Windows Server 003 (WinK3) requires extensive provisioning to meet both industry best practices and regulatory compliance. By default the Windows Server operating system allows various methods of anonymous and unaudited access, which must be corrected in order to properly secure the system and ensure least privilege. The vast majority of the settings listed below can be adjusted in the Local System Security Settings (secpol.msc), or for Domain Controllers, in the Group Policy Settings (gpedit.msc). Additional configurations can be adjusted inside the Registry Editor (regedit.exe).as one of the most widely used server operating systems throughout the world, this checklist is an absolute necessity for ensuring the security of these devices and all other system resources for which they interact with.

2 Sorting Criteria Defined The provisioning and hardening checklist provided below is organized to present security controls in a descending format, with more critical vulnerabilities being addressed first. Each item will be given a severity code derived from the applicable information, while a security control will first be assigned a code based on the area of information security to which it pertains, followed by the severity of the vulnerability addressed. For example: (General/Severity ) indicates a security control which is of the General category, with the highest possible severity. Following the assigned severity code, will be a detailed description of how the control must be implemented to address the aforementioned vulnerability. Each control listed within this document, is an "industry best practice" and its implementation is subject to the specific requirements of the organization being audited.

3 Windows Server 003 (WinK3) Provisioning and Hardening Checklist General Information Name of Individual Performing the Windows Server 003 Provisioning and Hardening Last Name First Name Middle Name Title of Review Additional Information Department Division Office Immediate Supervisor Server Information (). Hostname of Server (). Type of Application(s) on server (3). IP Address of Server (4). Function of Server (5). FIPS Security Category (7). Data Info. Classification Level Vulnerability s Severity Severity Severity 3 Severity 4 Vulnerabilities which when exploited lead to immediate superuser access, unauthorized access to a machine, or allow an attacker to bypass security controls. Vulnerabilities which provide an attacker information with a high probability of allowing unauthorized access to a machine, or to bypass security controls. Vulnerabilities which grant an attacker information that may possibly lead to the compromise of a machine, or the bypassing of existing security controls Vulnerabilities which generally degrade the overall security of a system when left unresolved. Operating System (). The version of Microsoft Windows installed should not be less than Service Pack.

4 (). Ensure the system is configured to disable automatic administrator login. (3). All vendor recommended patches and hot fixes should be installed. (4). The built in Administrator and Guest accounts should be renamed to something other an Administrator or Guest. (5). Unless a documented need exists, the Guest account should be disabled. (6). The system screen saver settings should be configured to lock the screen as required by organizational or regulatory policy.

5 System Auditing (). The Application, System, and Security Event log files should have ACLs set as follows: Administrators Read and Execute. System Full Control. (). Each partition/drive should be set to audit Failures for the Everyone group at a minimum. (3). Configure the system to disallow guest access to the Event logs. (4). The HKEY_LOCAL_MACHINE\SOFTWARE and HKEY_LOCAL_MACHINE\SYEM registry hives should have auditing set to record Failures for the everyone group at a minimum (5). The system event log size, and retention policy should be set to comply with

6 organizational or regulatory requirements. System Access Controls (). The system should be configured to disallow the anonymous enumeration of SAM accounts and network shares. (Note: For domains supporting Exchange 003, this setting should be allowed for the DC Group Policy.) (). Configure the system to lock an account after 3 or fewer bad login attempts. (3). The Reset account lockout counter setting should be set to 30 minutes or greater. (4). The Account location duration setting should be set to 0, which requires an administrator to unlock accounts which have been locked out.

7 (5). The system should be configured to cache 3 or fewer user logins. 3 User Account Privilege Controls (). No user, to include administrators should be granted the right, act as part of the operating system. (). Ensure the following User Rights are assigned: Access this computer from network Administrators, Authenticated Users, Enterprise Domain Controllers Add workstations to domain Administrators Adjust memory quotas for a process Administrators, Local Service, Network Service Allow log on locally Administrators, Backup Operators Allow log on through Terminal Services Administrators Backup files and directories Administrators, Backup Operators Bypass traverse checking Authenticated Users Change the system time Administrators, Local Service Create a pagefile Administrators Create a token object (None) Create global objects Administrators, Service Create permanent shared objects (None) Deny logon as a batch job Guests, Support_388945a0 Deny logon as a service (None) Deny logon locally Guests, Support_388945a0 Deny logon through Terminal Services Guests, Users

8 Enable computer and user accounts to be trusted for delegation Administrators Force shutdown from a remote system Administrators Generate security audits Local Service, Network Service Impersonate a client after authentication Administrators, Service Increase scheduling priority Administrators Load and unload device drivers Administrators Lock pages in memory (None) Log on as a batch job (None) Log on as a service Network Service Manage auditing and security log Administrators Group (Exchange Enterprise Servers Group on Domain Controllers and Exchange Servers) Modify firmware environment values Administrators Perform volume maintenance tasks Administrators Profile single process Administrators Profile system performance Administrators Remove computer from docking station Administrators Replace a process level token Local Service, Network Service Restore files and directories Administrators, Backup Operators Shut down the system Administrators Take ownership of files or other objects Administrators (3). Minimum, and Maximum Password Age, Password Length/Complexity, and Password Uniqueness settings should comply with organizational or regulatory standards. Networking Security (). All unnecessary services and protocols should be disabled.

9 (). If the ftp service is enabled, it should be configured to disallow access to system-related files such as PAGEFILE.sys or NTLDR. (3). All forms of remote access to system services should be conducted using encrypted formats such as SSH or Remote Desktop Protocol. (4). Configure the system to disallow Remote Assistance. (5). The server's web content should be kept in a separate partition from the server's system files. (6). Configure the system to prevent the sending of unencrypted passwords to third party SMB servers.

10 (7). Configure the system to disallow anonymous remote registry access. (8). Ensure the LanMan authentication level is set to at least: Send NTLMv response only\refuse LM. (9). The following accounts: Guests, Anonymous Logon, Support_388945a0, should be denied the ability to login to the machine remotely. (0). The system should be configured to perform SMB packet signing and encryption wherever possible (). Ensure the system is configured to require secure RPC connections.

11 (). The system should be configured to disallow IP Source Routing, ICMP Redirects, and Internet Router Discovery Protocol. Additionally, configure the system to allow connections to time out sooner if a SYN flood is detected. 3 (3). Configure the system to ignore NetBIOS name release requests from all systems except WINS servers. 3 Local Security Options (). The system should be configured to disable AutoRun for all drives and removable media. (). Anonymous SID/Name translation should be disabled. (3). Anonymous access to named pipes should be limited to the following: COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC, BROWSER, NETLOGON,

12 Lsarpc, samr. (4). Remote accessible registry paths should be restricted to the following: System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion (5). No unapproved account should be able to Debug programs or have more than read access to Winlogon registry keys. (6). The ACLs for all disabled services should be set as follows: Administrators Full Control, System Full Control, Interactive Read. (7). Configure the system to disallow the storing of passwords using reversible encryption.

13