About Microsoft Windows Server 2003




Windows Server 2003 (Win2K3) requires extensive provisioning to meet both industry best practices and regulatory compliance. By default the Windows Server operating system allows various methods of anonymous and unaudited access, which must be corrected in order to properly secure the system and ensure least privilege. The vast majority of the settings listed below can be adjusted in the Local System Security Settings (secpol.msc), or, for Domain Controllers, in the Group Policy Settings (gpedit.msc). Additional configurations can be adjusted inside the Registry Editor (regedit.exe). Because Windows Server 2003 is one of the most widely used server operating systems throughout the world, this checklist is an absolute necessity for ensuring the security of these devices and of all other system resources with which they interact.

Sorting Criteria Defined

The provisioning and hardening checklist provided below is organized to present security controls in descending order of importance, with more critical vulnerabilities being addressed first. Each item is given a severity code derived from the applicable information: a security control is first assigned a code based on the area of information security to which it pertains, followed by the severity of the vulnerability addressed. For example, (General/Severity 1) indicates a security control of the General category with the highest possible severity. Following the assigned severity code is a detailed description of how the control must be implemented to address the aforementioned vulnerability. Each control listed within this document is an "industry best practice", and its implementation is subject to the specific requirements of the organization being audited.

Windows Server 2003 (Win2K3) Provisioning and Hardening Checklist

General Information
Name of Individual Performing the Windows Server 2003 Provisioning and Hardening: Last Name, First Name, Middle Name
Title of Review
Additional Information: Department, Division, Office, Immediate Supervisor

Server Information
(1). Hostname of Server
(2). Type of Application(s) on server
(3). IP Address of Server
(4). Function of Server
(5). FIPS Security Category
(7). Data Info. Classification Level

Vulnerability Severity Codes
Severity 1: Vulnerabilities which, when exploited, lead to immediate superuser access, unauthorized access to a machine, or allow an attacker to bypass security controls.
Severity 2: Vulnerabilities which provide an attacker information with a high probability of allowing unauthorized access to a machine, or of bypassing security controls.
Severity 3: Vulnerabilities which grant an attacker information that may possibly lead to the compromise of a machine, or the bypassing of existing security controls.
Severity 4: Vulnerabilities which generally degrade the overall security of a system when left unresolved.

Operating System
(1). The version of Microsoft Windows installed should not be less than Service Pack.
(2). Ensure the system is configured to disable automatic administrator login.
(3). All vendor-recommended patches and hot fixes should be installed.
(4). The built-in Administrator and Guest accounts should be renamed to something other than Administrator or Guest.
(5). Unless a documented need exists, the Guest account should be disabled.
(6). The system screen saver settings should be configured to lock the screen as required by organizational or regulatory policy.

System Auditing
(1). The Application, System, and Security Event log files should have ACLs set as follows: Administrators: Read and Execute; System: Full Control.
(2). Each partition/drive should be set to audit Failures for the Everyone group at a minimum.
(3). Configure the system to disallow guest access to the Event logs.
(4). The HKEY_LOCAL_MACHINE\SOFTWARE and HKEY_LOCAL_MACHINE\SYSTEM registry hives should have auditing set to record Failures for the Everyone group at a minimum.
(5). The system event log size and retention policy should be set to comply with organizational or regulatory requirements.

System Access Controls
(1). The system should be configured to disallow the anonymous enumeration of SAM accounts and network shares. (Note: For domains supporting Exchange 2003, this setting should be allowed for the DC Group Policy.)
(2). Configure the system to lock an account after 3 or fewer bad login attempts.
(3). The Reset account lockout counter setting should be set to 30 minutes or greater.
(4). The Account lockout duration setting should be set to 0, which requires an administrator to unlock accounts which have been locked out.

(5). The system should be configured to cache 3 or fewer user logins. (Severity 3)

User Account Privilege Controls
(1). No user, including administrators, should be granted the right "Act as part of the operating system".
(2). Ensure the following User Rights are assigned:
Access this computer from the network: Administrators, Authenticated Users, Enterprise Domain Controllers
Add workstations to domain: Administrators
Adjust memory quotas for a process: Administrators, Local Service, Network Service
Allow log on locally: Administrators, Backup Operators
Allow log on through Terminal Services: Administrators
Back up files and directories: Administrators, Backup Operators
Bypass traverse checking: Authenticated Users
Change the system time: Administrators, Local Service
Create a pagefile: Administrators
Create a token object: (None)
Create global objects: Administrators, Service
Create permanent shared objects: (None)
Deny logon as a batch job: Guests, Support_388945a0
Deny logon as a service: (None)
Deny logon locally: Guests, Support_388945a0
Deny logon through Terminal Services: Guests, Users
Enable computer and user accounts to be trusted for delegation: Administrators
Force shutdown from a remote system: Administrators
Generate security audits: Local Service, Network Service
Impersonate a client after authentication: Administrators, Service
Increase scheduling priority: Administrators
Load and unload device drivers: Administrators
Lock pages in memory: (None)
Log on as a batch job: (None)
Log on as a service: Network Service
Manage auditing and security log: Administrators Group (Exchange Enterprise Servers Group on Domain Controllers and Exchange Servers)
Modify firmware environment values: Administrators
Perform volume maintenance tasks: Administrators
Profile single process: Administrators
Profile system performance: Administrators
Remove computer from docking station: Administrators
Replace a process level token: Local Service, Network Service
Restore files and directories: Administrators, Backup Operators
Shut down the system: Administrators
Take ownership of files or other objects: Administrators
(3). Minimum and Maximum Password Age, Password Length/Complexity, and Password Uniqueness settings should comply with organizational or regulatory standards.

Networking Security
(1). All unnecessary services and protocols should be disabled.

(2). If the FTP service is enabled, it should be configured to disallow access to system-related files such as pagefile.sys or NTLDR.
(3). All forms of remote access to system services should be conducted using encrypted protocols such as SSH or Remote Desktop Protocol.
(4). Configure the system to disallow Remote Assistance.
(5). The server's web content should be kept on a separate partition from the server's system files.
(6). Configure the system to prevent the sending of unencrypted passwords to third-party SMB servers.

(7). Configure the system to disallow anonymous remote registry access.
(8). Ensure the LanMan authentication level is set to at least: Send NTLMv2 response only\refuse LM.
(9). The following accounts: Guests, Anonymous Logon, Support_388945a0, should be denied the ability to log in to the machine remotely.
(10). The system should be configured to perform SMB packet signing and encryption wherever possible.
(11). Ensure the system is configured to require secure RPC connections.

(12). The system should be configured to disallow IP Source Routing, ICMP Redirects, and Internet Router Discovery Protocol. Additionally, configure the system to allow connections to time out sooner if a SYN flood is detected. (Severity 3)
(13). Configure the system to ignore NetBIOS name release requests from all systems except WINS servers. (Severity 3)

Local Security Options
(1). The system should be configured to disable AutoRun for all drives and removable media.
(2). Anonymous SID/Name translation should be disabled.
(3). Anonymous access to named pipes should be limited to the following: COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC, BROWSER, NETLOGON, Lsarpc, samr.
(4). Remotely accessible registry paths should be restricted to the following:
System\CurrentControlSet\Control\ProductOptions
System\CurrentControlSet\Control\Server Applications
Software\Microsoft\Windows NT\CurrentVersion
(5). No unapproved account should be able to Debug programs or have more than read access to Winlogon registry keys.
(6). The ACLs for all disabled services should be set as follows: Administrators: Full Control; System: Full Control; Interactive: Read.
(7). Configure the system to disallow the storing of passwords using reversible encryption.
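As an added example that is not part of the original checklist, the following Python script reads the file that `secedit /export /cfg out.inf` writes on the audited server and scores the checklist items it can see there: the account lockout settings and reversible encryption (System Access Controls and Local Security Options), anonymous SAM/share enumeration, the LanMan authentication level, the "Act as part of the operating system" right, and the Terminal Services deny right for Guests and Anonymous Logon. The sample export is constructed; it is assumed that secedit writes the UI's lockout duration 0 as -1, and Support_388945a0 is skipped because its SID is machine-specific.

```python
# Constructed sample (abridged) of what "secedit /export /cfg out.inf" writes.
SAMPLE_INF = r"""
[System Access]
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = -1
ClearTextPassword = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
[Privilege Rights]
SeTcbPrivilege = *S-1-5-32-544
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546,*S-1-5-7
"""
def parse_inf(text):
    """Return {section: {key: value}} from the INI-style export."""
    sections, current = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def reg_data(reg, path):
    """[Registry Values] lines are PATH=<type>,<data>; return <data> or None."""
    return reg[path].partition(",")[2].strip('"') if path in reg else None
def sids(rights, right):
    """Holders of a user right as bare SIDs (the export prefixes them with *)."""
    return {s.strip().lstrip("*") for s in rights.get(right, "").split(",") if s.strip()}
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
GUESTS, ANONYMOUS = "S-1-5-32-546", "S-1-5-7"  # well-known SIDs
def audit(text):
    """Map each checklist item covered here to True (compliant) or False."""
    inf = parse_inf(text)
    acc, reg, rights = (inf.get(s, {}) for s in ("System Access", "Registry Values", "Privilege Rights"))
    # Assumption: secedit writes -1 for the UI's lockout duration 0 (admin must unlock); LockoutBadCount 0 = lockout off.
    return {
        "lock account after 3 or fewer bad logins": 1 <= int(acc.get("LockoutBadCount", 0)) <= 3,
        "reset lockout counter after 30+ minutes": int(acc.get("ResetLockoutCount", 0)) >= 30,
        "lockout duration 0 (admin must unlock)": acc.get("LockoutDuration") in ("-1", "0"),
        "no reversible password encryption": acc.get("ClearTextPassword") == "0",
        "no anonymous SAM/share enumeration": reg_data(reg, LSA + r"\RestrictAnonymous") == "1",
        "send NTLMv2 only, refuse LM (level >= 4)": int(reg_data(reg, LSA + r"\LmCompatibilityLevel") or 0) >= 4,
        "nobody acts as part of the OS": not sids(rights, "SeTcbPrivilege"),
        "Guests/Anonymous denied Terminal Services logon": {GUESTS, ANONYMOUS} <= sids(rights, "SeDenyRemoteInteractiveLogonRight"),
    }
```

On the constructed sample, `audit(SAMPLE_INF)` flags the lockout threshold of 5, the LanMan level of 2 and the Administrators entry in SeTcbPrivilege as failures; replace `SAMPLE_INF` with the contents of a real export to audit a server.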