Berkeley Lab Computer Protection Program: Resources

Emergencies | Site Index | Contact Us


	CPP Home

	Contacts

	Policy Guidelines

	Scan Information

	System Procedures

	Tools & Services

	ALERTS

	Recent CPP Actions

	News & Articles

	CPP Intranet

PROCEDURES FOR SECURING SYSTEMS

Windows Server 2003 Security Checklist

Introduction

Microsoft's Windows Server 2003 (WS2003) was developed in accordance with Microsoft’s Trusted Computing Initiative (TCI), in which security engineering was incorporated into the software development process. One very positive consequence is that WS2003 is the most secure out-of-the-box operating system (OS) that Microsoft has made. Downfalls from a security perspective include the fact that numerous group-policy parameters that affect security are not set by default, and that a large number of vulnerabilities have surfaced since this OS was first released. The purpose of these guidelines is to describe baseline security measures for securing WS2003.

Scope

The WS2003 OS consists of a number of separate but related versions:

WS2003, Standard Edition — the “standard” server

WS2003 64-Bit Edition — a server built to support 64-bit applications

WS2003, Enterprise Edition — a high-ended version of this OS that allows clusters, boots from a Storage Area Network (SAN), has hot-install memory, and much more

WS2003, Web Edition — a version that is specifically tailored to be only a Web server

WS2003, Datacenter Edition — large amounts of RAM, tailored for data mining

These guidelines apply only to the standard, 64-bit, and enterprise editions.

Baseline Security Measures

Establishing at least a baseline level of security is essential if WS2003 workstations and servers are going to be to defend themselves against basic attacks launched against Windows systems. Putting the following countermeasures in place will result in a baseline level of security:

Ensure that your system's hard drive consists of at least two partitions, C and D. Use C as the system drive; this partition should contain critical system directories and files. Do not set up user shares to this partition. In member servers, use the D: partition to hold other files and folders; set up user shares to D: as needed. In domain controllers, use D to hold Active Directory files and folders (such as the ntds and sysvol folders); do not set up user shares to D. Set up drive E in domain controllers to hold user files and folders. If users should need access to resources on domain controllers (something that is not advisable from a security perspective), set up user shares to drive E.

Format each partition as an NTFS partition [1]. If any volume is FAT-formatted, enter:

convert <partition letter>: /fs:ntfs

For instance, to convert partition D: to be an NTFS partition, enter:

convert d: /fs:ntfs
Download the Microsoft Baseline Security Analyzer (MBSA) for WS2003 from here. Run this tool once a week and install any missing hotfixes by going here and following the instructions. (Note: Although Windows Updates are fine for workstations, they are not recommended for servers such as WS2003 systems because of the potential for damage or disruption of service from downloading flawed hotfixes.)

Ensure that your Windows Server 2003 system is part of a domain [2]. Your alternative is to have your machine belong to a workgroup, something that is very dangerous given that whoever discovers the name of a workgroup can make a hostile machine a member of that workgroup, then attack other systems within that workgroup. Workgroups provide almost no barriers to attackers. To check whether your system is part of a domain or workgroup, right click on My Computer to Properties and then click on Computer Name. For information concerning how to join a domain at LBNL, contact Curtis McDonald, cjmcdonald@lbl.gov. There is no charge for joining the central LBL domain.

Ensure that file permissions on the system drive (and, in the case of domain controllers, the drive on which Active Directory resides) are appropriate. In general, do not assign anything more than Read-Execute permissions to Authenticated Users, but always assign Full Control to Creator Owner and Administrators.Assign Everyone Read-Execute access to C:\%systemroot% (which by default is C:\Windows), C:\%systemroot%\system 32. In Domain Controllers (DCs) ensure that Authenticated Users do not have more than Read-Execute access to the sysvol, sysvol\sysvol, and ntds folders (wherever they reside in the file system). Do not assign any access permissions to the Everyone group. Remove any access (but do not assign No Access) that this group has. This is especially important in the case of C:\%systemroot%\repair, where a backup copy of the password file resides. To check each permission use the Windows Explorer to locate a file or folder. Right click on the icon for the file or folder to Properties -> Security.

Avoid sharing folders or partitions if you do not need to do so. For each share, allow Creator Owner and Administrator to have Full Control and then assign Authenticated Users the Read (default) or Change (if writing and deleting files is necessary) level of share access. To check or change share permissions or to delete shares, go from Start -> Administrative Tools -> Computer Management -> System Tools -> Shared Folders -> Shares. Highlight the share you want to get to, then right click to Properties. You can right click to Stop Sharing if you do not need the share or right click to Properties to change its permissions if they are inappropriate.

Disable automatic generation of 8.3 File Names. Use of 8.3 file naming (a legacy mechanism from the FAT file system) can permit users to get to files and folders without authorization. Using a Registry editor such as regedt32 (by going Start -> Run and entering regedt32), add a value, NtfsDisable8dot3NameCreation, to the following Registry key:

HKEY_LOCAL_MACHINE\System|CurrentControlSet\Control\FileSystem

Assign a numerical value of 1 and a type of REG_DWORD.

Rename the default Administrator account to a name that does not give away the fact that this is a privileged account [3]. Change the account description to "User account." Enter a ridiculously long (up to 104 characters) and as difficult to guess a password as possible. Write the password down on the piece of paper that you keep in your personal possession, e.g., in your wallet or purse whenever you are at work. Never share this password with others and do not leave the slip of paper on which this password is written anywhere where others might see it. Use the default Administrator account only for emergency access. Create one additional account that is a member of the Administrators group for yourself and another for each person who needs to administer your system. Create an unprivileged account for each Administrator, also. Use the unprivileged account when you are engaged in normal activities such as Web surfing, obtaining FTP access, and downloading mail. Use the superuser account only when you are involved in system administration duties. To do this in member servers, go from Start -> Administrative Tools -> Computer Management -> Local Users and Groups -> Users and then right click on Administrator to Properties. To do this in DCs, go from Start -> Administrative Tools -> Domain Security Policy -> Active Directory Users and Computers -> Local Users and Groups -> Users and then right click on Administrator.

Create a new, unprivileged account named "Administrator." Ensure that this account is in the Guest group only. Look at your logs frequently to determine whether people are trying to logon to this account, which is a decoy account designed to deflect genuine attacks against your system. To do this in member servers, go from Start -> Administrative Tools -> Computer Management -> Local Users and Groups -> Users and then right click on Administrator. To do this in DCs, go from Start -> Administrative Tools -> Active Directory Users and Computers -> <Your_domain_name> and right click to New -> User.
Leave the Guest account disabled. To do this in member servers, go from Start -> Administrative Tools -> Computer Management -> Local Users and Groups -> Users and then right click on Guest to Properties. To do this in DCs, go from Start -> Administrative Tools -> Domain Security Policy -> Active Directory Users and Computers -> Local Users and Groups -> Users and then right click on Guest to Properties.

Drastically limit the membership in the Enterprise Admins, Schema Admins, and Administrator groups, all of which have almost unlimited power. This applies only to DCs. To check this in DCs, go from Start -> All Programs -> Administrative Tools -> Domain Security Policy -> Active Directory Users and Computers -> Local Users and Groups -> Builtin.

Drastically limit the member in the Local Administrators group. To check this in member servers, go from Start -> Administrative Tools -> Computer Management -> Local Users and Groups -> Builtin. Right click on Administrators -> Properties -> Members. To do this in DCs, go from Start -> Administrative Tools -> Active Directory Users and Computers -> Local Users and Groups -> Builtin. Right click on Administrators -> Properties -> Members.

Set the following Account Options for each account:

User must change password at next logon.	Yes (checked)
User cannot change password.	No (not checked)
Password never expires.	No (not checked)
Account is disabled.	No (except for the Guest and Support accounts)[4]
Store password using reversible encryption [5].	Yes (unless low ended clients such as W9X machines connect to this host)

To do this in member servers, go from Start -> Administrative Tools -> Computer Management -> Local Users and Groups -> Users and then right click on Guest to Properties. To do this in DCs, go from Start -> Administrative Tools -> Domain Security Policy -> Active Directory Users and Computers -> Local Users and Groups -> Users and then right click on Guest to Properties.

Set the following Password Policy values:

Enforce password history	24
Maximum password age	180 days
Minimum password age	1 day
Minimum password length	8
Passwords must meet complexity requirements	Enabled
Store passwords using reversible encryption	Yes (unless low-ended clients such as W9X machines connect to this host)

To set or check these parameters in member servers, go from Start -> Administrative Tools -> Local Security Policy -> Security Settings -> Account Policies -> Password Policy. To check this in DCs, go from Start -> Administrative Tools -> Domain Security Policy -> Security Settings -> Account Policies -> Password Policy.

Set the following Account Lockout parameters:

Account lockout duration	60 min.
Account lockout threshold	5 invalid logon attempts
Reset account lockout counter after	60 min.

To set or check these parameters in member servers, go from Start -> Administrative Tools -> Local Security Policy -> Security Settings -> Account Policies -> Account Lockout Policy. To check this in DCs, go from Start -> Administrative Tools -> Domain Security Policy -> Security Settings -> Account Policies -> Account Lockout Policy.

Enable the following Audit Policy settings.

Audit account logon events	Success/Failure
Audit account management	Success/Failure
Audit directory service access (but only if host is a DC)	Success/Failure
Audit logon events	Success/Failure
Audit policy change	Success/Failure
Audit privilege use	Success/Failure

To set these parameters in member servers, go from Start -> Administrative Tools -> Local Security Policy -> Security Settings -> Local Policies -> Audit Policy. To check this in DCs, go from Start -> Administrative Tools -> Domain Security Policy -> Security Settings -> Local Policies -> Audit Policy.

Enable the following Event Log settings for the security log:

Maximum security log size	16384 kilobytes
Prevent local guests group from accessing security log	Enabled
Retain security log	Not defined
Retention method for security log	Overwrite events as needed

To set these parameters in member servers, go from Start -> Administrative Tools -> Local Security Policy -> Security Settings -> Event Log. To check this in DCs, go from Start -> Administrative Tools -> Domain Security Policy -> Security Settings -> Event Log.

Ensure at a minimum that the no unprivileged group such as Authenticated Users and Everyone has any of the following rights:

–Act as part of the operating system
–Add workstations to domain
–Backup files and directories
–Create a pagefile
–Create a token object
–Debug programs
–Enable computer and user accounts to be trusted for delegation
–Force shutdown from a remote system
–Increase quotas
–Increase scheduling priority
–Load and unload device drivers
–Lock pages in memory
–Logon as a batch job
–Logon as a service
–Logon locally
–Manage auditing and security log
–Modify firmware environment variables
–Replace a process-level token
–Restore files and directories
–Shut down the system
–Synchronize directory service data
–Take ownership of files and other objects

To check these parameters in member servers, go from Start -> Administrative Tools -> Local Security Policy -> Security Settings -> Event Log. To check this in DCs, go from Start -> Administrative Tools -> Domain Security Policy -> Security Settings -> Event Log.

Enable the following Security Options (or ensure that they are enabled):

Do not enable:

–Accounts: Limit local use of blank passwords to local logons only
–Audit: Shut down system immediately if unable to log security audits
–Devices: Unsigned driver installation behavior
–Domain Controller: Allow server operators to schedule tasks
–Network access: Let Everyone permissions apply to anonymous users
–Recovery console: Allow automatic administrative logon
–Recovery console: Allow floppy copy and access to all drives and all folders

To set or check these parameters in member servers, go from Start -> Administrative Tools -> Local Security Policy -> Security Settings -> Local Policies -> Security Options. To check this in DCs, go from Start -> Administrative Tools -> Domain Security Policy -> Security Settings -> Local Policies -> Security Options.

Ensure that the bare number of services—only the services that you genuinely need--are running. The following are services that are usually not needed in WS2003:

–Alerter
–Computer Browser
–IIS Admin Service (this is needed for IIS Web servers and IIS-based FTP)
–Indexing Service
–Messenger
–Print Spooler (except when there is a local printer or when you add a remote printer)
–Routing and Remote Access
–Simple TCP Services
–Telnet
–Windows Installer (should be enabled only during software installations)
–Worldwide Web Publishing (this is needed for IIS Web servers)

Disable any unnecessary services in member servers by going from Start -> Administrative Tools -> System Services. Highlight the name of each unnecessary service, double click and then under Service Status click on Stop and under Startup Type set this to Disabled. In DCs go from Start -> Administrative Tools -> Domain Controller Security Policy -> Security Settings -> System Services instead.

Use the built-in firewall to ensure that any of the following services that you do not need to offer to other systems cannot be reached:

–FTP server
–Internet Mail Access Protocol Version 3 (IMAP3)
–Internet Mail Access Protocol Version 3 (IMAP4)
–Internet Mail Server (SMTP)
–Remote Desktop
–Secure Web Server (HTTPS)
–Telnet Server
–Web Server (HTTP)

Set software policy restrictions for types of files that you do not want executed (e.g., JPG and SCR files) and paths in your file system and Registry that you do not want executables to reach. Go from Start -> Administrative Tools -> Active Directory Users and Computers. In the console tree right-click an OU. Right click to Properties and click the Group Policy tab. Click a GPO in Group Policy Object Links and click Edit (or create a new GPO) In the console tree, go to Group Policy Object <computername>Policy/Computer Configuration or User Configuration/Windows Settings/Security Settings/Software Restriction Policies

Be sure to run Symantec AntiVirus on your system, and to keep its signatures updated every day. To check whether you have Symantec AV, go to Programs. If Symantec AntiVirus is one of the selections, your system is running this program. Go here to download Symantec AV. To update Symantec AV, go from Start to Programs to Symantec AntiVirus Corporate Edition to Symantec AntiVirus Corporate Edition to Live Update. Click on Live Update and follow the instructions. You will now have the latest updates to Symantec AntiVirus, which is the best all-around defense against virus and worm infections.

Conclusion

As mentioned earlier, these guidelines are designed to provide a baseline level of security in WS2003. If you implement these settings and procedures, your WS2003 system, go here to install a free copy of Norton anti-virus software; if you keep this software updated, your system will be able to resist most attacks launched against it.

References

De Clercq, J., Windows Server 2003 Security Infrastructures : Core Security Features. Herndon, VA: Digital Press, 2004.

Jones, D. & Rouse, M., Microsoft Windows Server 2003. Indianapolis: SAMS, 2003
Microsoft Corporation, Windows Sever 2003 Security Guide. http://www.microsoft.com/technet/security/prodtech/ win2003/w2003hg/sgch00.mspx

Minasi, M., Anderson, C., Beveridge, M., Callahan, C.A., & Justice, L. Windows Server 2003. San Francisco: Sybex, 2003.

Rampling, B., Windows Server 2003 Security Bible. New York: Wiley, 2002.

Ruest, D. & Ruest, N., Windows Server 2003: Best Practices for Enterprise Deployments. Berkeley, CA: Osborne, 2003.

Scambray, J. & McClure, S., Windows Server 2003 Hacking Exposed. Berkeley, CA: Osborne, 2003.

Smith, R.F., Unwrapping Win2003. Information Security Magazine, April 2003. http://www.infosecuritymag.com/2003/apr/cover.shtml

Stanek, W.R., Microsoft Windows Server 2003. Redmond, WA: Microsoft Press, 2003.

_____________

Notes

1. The only potential limitation is that 16-bit applications are likely to break if they are installed on NTFS partitions. If you have 16-bit applications that need to run in the WS2003 environment, create another, small FAT32 partition for these applications. But do not jeopardize other applications by putting them on a FAT32 partition — FAT32 has no access permissions whatsoever.

2. If your WS2003 system is a DC, use the Domain Security Policy settings (or possible the group policy settings for Organizational Units (OUs) to set your security policy settings. Domain policy settings prevail over local policy settings, as do OU policy settings.

3. To do this you will need to enable a Security Option setting, "Rename Administrator Account." Dealing with Security Options will soon be covered.

4. If your WS2003 host is not a web server, you should also disable IIS_WPG, IUSR_<servername>, and UWAM_<servername>.

5. Reversible encryption is the weaker form of encryption (based on the much maligned DES encryption algorithm) in WS2003. If no other system needs to connect to shares or to authenticate to your system, you can choose No for this setting, which is something that is much better for security. But if other systems need share or authentication connections, you would do better to choose Yes here to prevent unnecessary disruption of service and functionality.