Saturday, February 24, 2007

Microsoft Windows Server Security

Security Checklist for Windows 2003 Servers

I created a personal checklist for locking down a server after building it. It is a compilation of what I have read in security books and Windows security guides over the past couple of years. This checklist also assumes that you are putting your server behind a firewall with only the ports open that you need (port 80 and 443, for example). The first thing I do is find out what role the server will take. Once you know its role, there are a couple of settings that can be changed. A typical server that I used to set up a lot was a web server, so I will use a web server as an example. Here is the base O/S.

Windows 2003 Server Standard Edition (32-bit)
IIS 6 installed with SMTP and FTP (I know that all of these roles shouldn't be on the same server, and you probably wouldn't want to use Microsoft's SMTP or FTP, but I used to, so I will write about it.)

Step One - Building Your Server
When you build your server you should use NTFS as the file system. This is absolutely critical; I almost didn't mention it because it seems so obvious. After the basic installation, make sure you run Windows Update repeatedly until it reports "0" updates remaining. You may get a couple of hardware updates that you won't need if you are using the manufacturer's drivers instead of the Windows drivers.

Step Two - Lockdown FTP
Unfortunately, a freshly installed server still allows anonymous FTP access by default, so you must go into the IIS Manager MMC and change this. In the MMC, expand the FTP Sites folder until you see "Default FTP Site", right-click on this site and click Properties. Once this window opens, click on the "Security Accounts" tab and uncheck the "Allow anonymous connections" checkbox. After you uncheck this checkbox, Microsoft will warn you that usernames and passwords will now be sent in plaintext. This is true, and it is one of the reasons why you shouldn't use Microsoft's FTP. Use one that implements FTP over SSL.

Step Three - Lockdown SMTP
My experience with MS's SMTP is that either Exchange uses it or SQL Server uses it to send messages to the developers for whatever trigger they set up. Thankfully, MS has decided not to allow relaying as the default setting in Windows 2003. Whenever I set it up I always went one step further and didn't let any computer connect except for the ones that I explicitly allowed. In order to access the settings of the SMTP server, go to the IIS Manager MMC, right-click on "Default SMTP Virtual Server" and click on Properties. Next click on the "Access" tab; the bottom two boxed areas are what we want to change. The settings would be as follows:
1. Connection Control - Set to "Only the list below" with either your IP range or the one or two other computers that need to connect to it. Remember to add the local server if it will be connecting to itself to send messages.
2. Relay Restrictions - Set it exactly the way Connection Control is set. Again, remember to add the local server if it will be connecting to itself to send messages.

Step Four - Disable Any Services that the Web Server Won't Need
Here are a couple of services that I would stop and disable for a web server:
1. Print Spooler
2. Wireless Configuration
3. Windows Audio

Since Windows 2003 already disables services like "Alerter" and "Messenger", most of the services that I disable are turned off to make sure that RAM and other server resources don't get spent on starting, stopping and managing them.

Step Five - Change the Local Security Policy
There are many settings in the local security policy that should be changed to increase security. In order to access the local security policy, click on Start/Administrative Tools/Local Security Policy. You will see five different sub-sections: Account Policies, Local Policies, Public Key Policies, Software Restriction Policies and IP Security Policies on Local Computer. I will be discussing the first two, Account Policies and Local Policies.

Account Policies
Within Account Policies there are two sub-sections, Password Policy and Account Lockout Policy. My custom password policy uses the following settings with success (so far). Remember, I don't work for the government; if I did, these settings would probably be much more restrictive.

Password policy
Enforce password history - 4 passwords remembered
Maximum password age - 90 days
Minimum password age - 2 days
Minimum password length - 8 Characters
Password must meet complexity requirements - Enabled

Account lockout policy

Account lockout duration - 30 minutes
Account lockout threshold - 10 invalid logon attempts
Reset account lockout counter after - 30 minutes

I have heard many, many different ways to set this. Some set the threshold to 3 attempts; others never reset the lockout counter (in which case an administrator must manually unlock the account). My belief is that my settings will stop any hacker from running a dictionary or brute-force attack against your passwords.

Local Policies
Within this section there are three sub-sections: Audit Policy, User Rights Assignment and Security Options.

Audit Policy - I used to log everything, but that fills the security log with only a couple of hours of events. I now set every category to audit failures only, and additionally audit successes for "Audit account logon events".

User Rights Assignment - Here I remove the Everyone group anywhere I see it. By default it appears in the following policies: "Access this computer from the network" and "Bypass traverse checking".

Security Options - Once again, Microsoft has changed some of these defaults to more restrictive values. I will discuss only the ones that I change, working from the top of the list down and skipping the entries in between.

Accounts: Rename administrator account - Change this to anything you want besides the default.

Interactive logon: Message text for users attempting to log on - Put a warning in this area, including something like "if you aren't authorized, do not log on". I use some text that I saw about the local computer system law. It looks pretty good. (If you want it, just email me.)

Interactive logon: Message title for users attempting to log on - This is the title of the window. Put something like "WARNING!"; just a simple one-line piece of text for this one.

Interactive logon: Prompt user to change password before expiration - The default is 14 days, which seems like a long time to me. I change this to 3 days.

Most of the other settings should already be in a "locked down" state. There are detailed Microsoft guides that discuss exactly what each of these settings does; if you want more detail, click here. One caveat about the local security policy: if the server is part of a Windows domain, the domain security policy overrides the local security policy.
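As an added example (not from the original post), the following PowerShell script applies the Step Four service changes and the Step Five password, lockout, audit and logon-banner values through a secedit security template, then exports the effective policy so you can confirm the settings landed. It assumes PowerShell is installed on the 2003 server, that the short service names are Spooler, WZCSVC and AudioSrv, and that the new administrator name and banner text are placeholders you will replace; the user-rights changes are left for the MMC because a template replaces the whole list for each right.

```powershell
# Added example, not from the original post. Applies the checklist's Step Four
# and Step Five settings with PowerShell and secedit.exe (ships with Windows
# Server 2003). Run elevated. "SrvOwner" and the banner text are placeholders.
# Step Four: stop and disable services a web server does not need
# (Print Spooler, Wireless Configuration, Windows Audio).
foreach ($svc in 'Spooler', 'WZCSVC', 'AudioSrv') {
    Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
    Set-Service -Name $svc -StartupType Disabled
}
# Step Five: security template with the post's password, lockout, audit and
# banner values. Audit codes: 2 = failure only, 3 = success and failure.
# Registry value types: 1 = REG_SZ, 4 = REG_DWORD, 7 = REG_MULTI_SZ.
$inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
PasswordHistorySize = 4
MaximumPasswordAge = 90
MinimumPasswordAge = 2
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutDuration = 30
LockoutBadCount = 10
ResetLockoutCount = 30
NewAdministratorName = "SrvOwner"
[Event Audit]
AuditAccountLogon = 3
AuditLogonEvents = 2
AuditObjectAccess = 2
AuditPrivilegeUse = 2
AuditPolicyChange = 2
AuditAccountManage = 2
AuditProcessTracking = 2
AuditDSAccess = 2
AuditSystemEvents = 2
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,"WARNING!"
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,Authorized users only. If you are not authorized do not log on.
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,3
'@
$infPath = "$env:TEMP\webserver.inf"
Set-Content -Path $infPath -Value $inf -Encoding Unicode
secedit.exe /configure /db "$env:TEMP\webserver.sdb" /cfg $infPath /areas SECURITYPOLICY /quiet
# Check: export the effective local policy and confirm the key values.
secedit.exe /export /cfg "$env:TEMP\effective.inf" /areas SECURITYPOLICY /quiet
Select-String -Path "$env:TEMP\effective.inf" -Pattern 'LockoutBadCount|MinimumPasswordLength|AuditAccountLogon'
```

On a domain-joined server the domain policy will overwrite these values at the next refresh, so run the export check again after a `gpupdate` to see what actually applies.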