Openguys.org | Open your hands to world
Microsoft Solutions for Security

Author Topic: Microsoft Solutions for Security  (Read 204 times)
Open Your Hands
« on: September 06, 2007, 03:15:39 PM »

Microsoft Solutions for Security

Windows Server 2003 Security Guide

Introduction to the Windows Server 2003 Security Guide

Overview
Welcome to the Microsoft Windows Server 2003 Security Guide. This guide is designed
to provide you with the best information available to assess and counter security risks
specific to Microsoft® Windows Server™ 2003 in your environment. The chapters in this
guide provide detailed guidance on enhancing security setting configurations and
features wherever possible in Windows Server 2003 to address threats identified in your
environment. If you are a consultant, designer, or systems engineer involved in a
Windows Server 2003 environment, this guide has been designed with you in mind.
The guidance has been reviewed and approved by Microsoft engineering teams,
consultants, support engineers, as well as customers and partners to make it:
• Proven — Based on field experience
• Authoritative — Offers the best advice available
• Accurate — Technically validated and tested
• Actionable — Provides the steps to success
• Relevant — Addresses real-world security concerns
Working with consultants and systems engineers who have implemented Windows
Server 2003, Windows® XP, and Windows® 2000 in a variety of environments has
helped establish the latest best practices to secure these servers and clients. This
information is provided in detail in this guide.
The companion guide, Threats and Countermeasures: Security Settings in Windows
Server 2003 and Windows XP, provides a comprehensive look at all of the major security
settings present in Windows Server 2003 and Windows XP. Chapters 2 through 11 of this
guide include step-by-step security prescriptions, procedures, and recommendations to
provide you with task lists to transform the security state of computers running Windows
Server 2003 in your organization to a higher level of security. If you want more in-depth
discussion of the concepts behind this material, refer to resources such as the Microsoft
Windows 2003 Server Resource Kit, the Microsoft Windows XP Resource Kit, the
Microsoft Windows 2000 Security Resource Kit, and Microsoft TechNet.
Executive Summary
Whatever your environment, you are strongly advised to take security seriously. Many
organizations make the mistake of underestimating the value of their information
technology (IT) environment, generally because they exclude substantial indirect costs. If
an attack on the servers in your environment is severe enough, it could greatly damage
the entire organization. For example, an attack in which your corporate Web site is
brought down that causes a major loss of revenue or customer confidence might lead to
the collapse of your corporation’s profitability. When evaluating security costs, you should
include the indirect costs associated with any attack, as well as the costs of lost IT
functionality.
Vulnerability, risk, and exposure analysis with regard to security informs you of the
tradeoffs between security and usability that all computer systems are subject to in a
networked environment. This guide documents the major security countermeasures
available in Windows Server 2003 and Windows XP, the vulnerabilities that they address,
and the potential negative consequences of implementing each.
The guide then provides specific recommendations for hardening these systems in three
common enterprise environments: one in which older operating systems such as
Windows 98 must be supported; one consisting of only Windows 2000 and later
operating systems; and one in which concern about security is so high that significant
loss of functionality and manageability is considered an acceptable tradeoff to achieve
the highest level of security. These environments are referred to respectively as the
Legacy Client, Enterprise Client, and High Security throughout this guide. Every effort
has been made to make this information well organized and easily accessible so that you
can quickly find and determine which settings are suitable for the computers in your
organization. Although this guide is targeted at the enterprise customer, much of it is
appropriate for organizations of any size.
To get the most value out of the material, you will need to read the entire guide. You can
also refer to the companion guide, Threats and Countermeasures: Security Settings in
Windows Server 2003 and Windows XP, which is available for download at
http://go.microsoft.com/fwlink/?LinkId=15159. The team that produced this guide hopes
that you will find the material covered in it useful, informative, and interesting.

Open Your Hands
« Reply #1 on: September 06, 2007, 03:18:15 PM »

Who Should Read This Guide
This guide is primarily intended for consultants, security specialists, systems architects,
and IT professionals who are responsible for the planning stages of application or
infrastructure development, and the deployment of Windows Server 2003. These roles
include the following common job descriptions:
• Architects and planners responsible for driving the architecture efforts for the
clients in their organizations.
• IT security specialists focused purely on providing security across the platforms
within their organizations.
• Business analysts and business decision-makers (BDMs) with critical business
objectives and requirements that depend on client support.
• Consultants from both Microsoft Services and partners who need detailed
resources of relevant and useful information for enterprise customers and partners.
Get Secure Stay Secure
In October 2001, Microsoft launched an initiative known as the Strategic Technology
Protection Program (STPP). The aim of this program is to integrate Microsoft products,
services, and support that focus on security. Microsoft views the process of maintaining a
secure environment as two related phases: Get Secure and Stay Secure.
Get Secure
The first phase is called Get Secure. To help your organization achieve an appropriate
level of security, the advice in this guide is designed to help you secure your current and
future computer systems.
Stay Secure
The second phase is known as Stay Secure. It is one thing to create an environment that
is initially secure. However, once your environment is up and running, it is entirely
another to keep the environment secure over time, take preventative action against
threats, and then respond to them effectively when they do occur.
Scope of this Guide
This guide is focused on how to create and maintain a secure environment for computers
running Windows Server 2003 in your organization. The material explains the different
stages of how to secure the three environments defined in the guide, and what each
prescribed server setting addresses in terms of client dependencies. The three
environments considered are labeled Legacy Client, Enterprise Client, and High Security.
• The Legacy Client settings are designed to work in a Microsoft Active Directory®
domain with member servers and domain controllers running Windows Server
2003, and clients running Microsoft Windows® 98, Windows NT 4.0 and later.
• The Enterprise Client settings are designed to work in an Active Directory domain
with member servers and domain controllers running Windows Server 2003, and
clients running Windows 2000, Windows XP, and later.
• The High Security settings are also designed to work in an Active Directory domain
with member servers and domain controllers running Windows Server 2003, and
clients running Windows 2000, Windows XP, and later. However, the High Security
settings are so restrictive that many applications may not function. For this reason,
the servers may encounter some impact on performance, and managing the
servers will be more challenging.
Hardening guidance is provided for a group of distinct server roles. The countermeasures
described and the tools provided assume that each server will have a single role. If you
need to combine roles for some of the servers in your environment, then you can
customize the security templates included with this guide so that the appropriate
combination of services and security options are configured for the servers with multiple
roles. The roles covered by this guide include:
• Domain controllers
• Infrastructure servers
• File servers
• Print servers
• Internet Information Services (IIS) servers
• Internet Authentication Services (IAS) servers
• Certificate Services servers
• Bastion hosts
The settings recommended in this guide were tested thoroughly in lab environments
depicting those described above: Legacy Client, Enterprise Client, and High Security.
These settings were proven to work in the lab, but it is important that your organization
test these settings in your own lab that accurately represents your production
environment. It is likely that you will need to make some changes to the security
templates and the manual procedures documented within this guide so that all of your
business applications continue to function as expected. The detailed information provided
in the companion guide, Threats and Countermeasures: Security Settings in Windows
Server 2003 and Windows XP, which is available for download at
http://go.microsoft.com/fwlink/?LinkId=15159, gives you the information you need to
assess each specific countermeasure and to decide which of them are appropriate for
your organization's unique environment and business requirements.
Open Your Hands
« Reply #2 on: September 06, 2007, 03:22:48 PM »

Chapter 1: Introduction to the Windows Server 2003 Security Guide
This chapter introduces the Windows Server 2003 Security Guide, and includes a brief
overview of each chapter.
Chapter 2: Configuring the Domain Infrastructure
This chapter explains how the domain environment will be constructed as a baseline in
order to provide guidance to secure a Windows Server 2003 infrastructure. The chapter
first focuses on domain-level security settings and countermeasures. High-level
descriptions of the Microsoft Active Directory service design, the organizational unit (OU)
design, and domain policy are included.
The Legacy Client, Enterprise Client, and High Security environments mentioned in
Chapter 1 are then explained in terms of securing a domain environment. This provides a
vision of the evolution your organization can make toward a more secure environment
within a domain infrastructure that is appropriate for each of these environments.
Chapter 3: Creating a Member Server Baseline
This chapter explains security template settings and additional countermeasures for the
server roles covered in the three environments defined in the guide. The chapter largely
focuses on establishing a Member Server Baseline Policy (MSBP) for the server role
hardening recommendations discussed later in the guide.
The recommendations in this chapter are chosen to safely allow corporations to deploy
strongly recommended setting configurations for Windows Server 2003 systems which
suit both existing and newly-built systems. The default security configurations within
Windows Server 2003 have been researched and tested. The recommendations
specified in this chapter were determined to provide greater security than the default
operating system settings. In some cases, to provide support for legacy clients, a less
restrictive setting configuration is suggested than that present in the default installation of
Windows Server 2003.
Chapter 4: Hardening Domain Controllers
The domain controller server role is one of the most important roles to secure in any
Active Directory environment with computers running Windows Server 2003. Any loss or
compromise of a domain controller could prove devastating to clients, servers, and
applications that rely on domain controllers for authentication, Group Policy, and a central
lightweight directory access protocol (LDAP) directory.
This chapter outlines the need to always store domain controllers in physically secure
locations that are accessible only to qualified administrative staff. The hazards of storing
domain controllers in unsecured locations, branch offices for example, are addressed and
a significant portion of the chapter is devoted to explaining the security considerations
behind the recommended Domain Controller Group Policy.
Chapter 5: Hardening Infrastructure Servers
In this chapter, the Infrastructure server role is defined as either a Dynamic Host Control
Protocol (DHCP) server or a Windows Internet Name Service (WINS) server. Details are
provided on the areas in which the infrastructure servers in your environment can benefit
from security settings that are not applied by the Member Server Baseline Policy (MSBP).
Chapter 6: Hardening File Servers
This chapter focuses on the File server role and the difficulties related to hardening
servers designated for it. The most essential services for these servers require the
Windows network basic input/output system (NetBIOS)-related protocols. The Server
Message Block (SMB) and Common Internet File System (CIFS) protocols are also used
to provide rich information to unauthenticated users, and yet these are often
recommended to be disabled in high-security Windows® environments. This chapter
details any areas in which File servers can benefit from security settings not applied by
the MSBP.
Chapter 7: Hardening Print Servers
Print servers are the focus of this chapter. Again, the most essential services for these
servers require use of Windows NetBIOS-related protocols. The protocols for SMB and
CIFS can also provide rich information to unauthenticated users for this server role, but
these are also often recommended to be disabled in high-security Windows
environments. This chapter details the areas in which Print server security settings can
be strengthened in ways that are not applied by the MSBP.
Chapter 8: Hardening IIS Servers
This chapter outlines how comprehensive security for Web sites and applications
depends on an entire IIS server (including each Web site and application running on the
IIS server) to be protected from client computers in your environment. Web sites and
applications also must be protected from other Web sites and applications running on the
same IIS server. Practices to ensure this distinction is achieved between the IIS servers
in your environment are described in detail in this chapter.
IIS is not installed on members of the Microsoft Windows Server System™ family by
default. When IIS is initially installed, it is installed in a highly secure, "locked" mode. For
example, IIS by default serves only static content. Features such as Active Server Pages
(ASP), ASP.NET, Server-Side Includes, WebDAV publishing, and Microsoft FrontPage®
Server Extensions must now be enabled by the administrator through the Web Service
Extensions node in Internet Information Services Manager (IIS Manager).
Sections in this chapter provide the detail on a variety of security hardening settings that
should be implemented to enhance the security of IIS servers in your environment. The
importance of security monitoring, detection, and response is emphasized to ensure the
servers stay secure.
Chapter 9: Hardening IAS Servers
Internet Authentication Servers (IAS) provide RADIUS services, a standards-based
authentication protocol designed for verifying identity of clients accessing networks
remotely. This chapter details any areas in which IAS Servers can benefit from security
settings not applied by the MSBP.
Chapter 10: Hardening Certificate Services Servers
Certificate Services provide the cryptographic and certificate management services
needed to build a public key infrastructure (PKI) in your server environment. This chapter
details any areas in which Certificate Services servers will benefit from security settings
not applied by the MSBP.
Chapter 11: Hardening Bastion Hosts
Bastion host servers are accessible to clients from the Internet. In this chapter, it is
explained how these systems exposed to the public are susceptible to attack from a
much larger number of users who can remain completely anonymous in many cases if
they wish. Many organizations do not extend their domain infrastructure to public
portions of this network. For this reason, this chapter content focuses on hardening
recommendations for stand-alone computers. Details are provided on any areas in
which bastion hosts can benefit from security settings not applied by the MSBP, or the
methods used to apply those settings in an Active Directory-based domain environment.
Chapter 12: Conclusion
The concluding chapter of this guide recaps the important points of the material
discussed in the previous chapters.
Tools and Templates
A collection of security templates, scripts, and additional tools are included with this guide
to make it easier for your organization to evaluate, test, and implement the
countermeasures recommended in this guide. The security templates are text files that
can be imported into domain-based group policies, or applied locally using the Security
Configuration and Analysis snap-in. These procedures are detailed in Chapter 2,
"Configuring the Domain Infrastructure." The scripts included with this guide implement
IPSec packet filters using the NETSH command line tool and test scripts used in testing
the recommended countermeasures. This guide also includes a Microsoft Excel
workbook called Windows Server 2003 Security Guide Settings that documents the
settings included in each of the security templates. These tools and templates are
included in the self-extracting WinZip archive that contains this guide. When you
extract the files from this archive, the following folder structure is created in the location
you specified:
• \Windows Server 2003 Security Guide — contains the Portable Document Format
(PDF) file document that you are currently reading, as well as the Test Guide,
Delivery Guide, and Support Guide associated with this material.
• \Windows Server 2003 Security Guide\Tools and Templates — contains
subdirectories for any items that may accompany this guide.
• \Windows Server 2003 Security Guide\Tools and Templates\Security
Guide\Security Templates — contains all security templates that are discussed in
the guide.
• \Windows Server 2003 Security Guide\Tools and Templates\Security
Guide\Sample Scripts — contains all sample IPSec filter scripts and an Excel
workbook containing all traffic maps discussed in the guide.
• \Windows Server 2003 Security Guide\Tools and Templates\Security
Guide\Checklists — contains checklists specific to each server role.
• \Windows Server 2003 Security Guide\Tools and Templates\Test Guide — contains
tools related to the test guide.
• \Windows Server 2003 Security Guide\Tools and Templates\Delivery Guide —
contains tools related to the delivery guide.
Open Your Hands
« Reply #3 on: September 06, 2007, 03:24:58 PM »

Skills and Readiness
The following knowledge and skills are prerequisite for administrators or architects
charged with developing, deploying, and securing installations of Windows Server 2003
and Windows XP in an enterprise:
• MCSE 2000 certification with more than 2 years of security-related experience.
• In-depth knowledge of corporate domain and Active Directory environments.
• Use of management tools, including Microsoft Management Console (MMC),
secedit, gpupdate, and gpresult.
• Experience administering Group Policy.
• Experience deploying applications and workstations in enterprise environments.
Requirements
The software requirements for utilizing the tools and templates documented in this guide
are:
• Windows Server 2003 Standard Edition; Windows Server 2003 Enterprise Edition;
or Windows Server 2003 Datacenter Edition.
• A Windows Server 2003-based Active Directory domain.
• Microsoft Excel 2000 or later.
Style Conventions
This guide uses the following style conventions and terminology.
Table 1.1: Style Conventions
Element | Meaning
Bold font | Characters that are typed exactly as shown, including commands and switches. User interface elements in text that is prescriptive are also bold.
Italic font | Placeholder for variables where specific values are supplied. For example, Filename.ext could refer to any valid file name for the first case in question.
Important | Alerts the reader to supplementary information that is essential to the completion of the task.
Monospace font | Code samples.
%SystemRoot% | The folder in which the Windows Server 2003 operating system is installed.
Note | Alerts the reader to supplementary information.
Screen Para | Messages that appear on screen and command line commands are styled in this font.
Summary
This chapter provided an overview of the primary factors involved in securing Windows
Server 2003 which are considered in greater depth in the rest of the guide. Now that you
have an understanding of how this guide is organized, you can decide whether to read it
from beginning to end, or to select only those sections of most interest to you.
However, it is important to remember that effective, successful, security operations
require making improvements in all of the areas covered in this guide, not just a few. For
this reason, it is highly recommended to read the entire guide to take advantage of all the
information that can be used to secure Windows Server 2003 in your organization that
the guide has to offer.
More Information
The following information sources were the latest available on topics closely related to
securing Windows Server 2003 at the time this guide and product were released to the
public.
For more information on Security at Microsoft, see: http://www.microsoft.com/security.
For more detail on how MOF can assist in your enterprise, see:
http://www.microsoft.com/business/services/mcsmof.asp.
For information on the Microsoft Strategic Technology Protection Program Web site, see:
http://microsoft.com/security/mstpp.asp.
For information on the Microsoft Security Notification Service, see:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/notify.asp.