Server Hardening

To establish a baseline level of security for member servers in an Active Directory domain, certain security settings should be configured through a GPO. These include auditing account logon events, account management, directory service access, logon events, object access, and policy changes. The GPO should also restrict network access and revoke certain user rights on the servers. Proper organization of servers into OUs based on both their server role and administrative needs is important for effective security policy deployment.

Uploaded by Rajesh Jayakumar
© Attribution Non-Commercial (BY-NC)


Server hardening consists of creating a security baseline for the servers in your
organization. The default configuration of a Windows Server 2003 computer is not designed
with security as the primary focus; a default installation is designed for communication and
functionality. To protect your servers, you must establish solid, well-thought-out security
policies for every type of server in your organization.

In this section, we will discuss the basic security baseline for a member server that is running in
a Windows Server 2003 Active Directory domain. We will also discuss the best-practice security
configurations in the security templates, starting with the generic best practices that apply to
most member servers in the organization. We will then move on to the specific types of member
servers, as well as domain controllers. We will discuss which services, ports, applications, and so
forth need to be hardened for different server roles, and compare this to the baseline security for
simple member servers.



Server roles covered in this section:

Member servers
Domain controllers
File and print servers
Web servers

Member Servers

You must establish a baseline of security for all member servers before creating additional
security templates and policies to tailor security for specific types of servers. One of the most
important aspects of applying hardening settings to member servers is developing the OU
hierarchy that will support the security templates and policies that you develop. You must also
understand the various levels of security that are routinely used to develop and deploy security to
all servers.

Organizing Servers into OUs

The only way to efficiently and successfully deploy security to the different server roles in your
enterprise is to design Active Directory to support those roles. The design should not only
provide an efficient method to deploy security, but it should also organize the computer accounts
into OUs for easier management and troubleshooting.

Although Active Directory design is extremely flexible, you must consider a number of factors
when organizing servers into OUs based on server role. The first factor is Group Policy
application. For example, if you have two server roles that each need different security policy
settings, you should separate the computer accounts into different OUs. The second factor is
administration of the computer accounts within Active Directory. Even though you have only
two different server roles, you might have two different administrators controlling the same type
of server role. This might force you to have OUs not only for server roles, but also for server
roles based on the administrator in charge.

Figure 5-7 illustrates an OU structure that does not consider location or administrative needs but
does consider server roles. Figure 5-8 illustrates an OU structure that has a different set of
administrators for the Main Office and Branch Office, where each office also has the same types
of server roles.

[Figure 5-7: OU structure organized by server role only]

[Figure 5-8: OU structure organized by server role under separate Main Office and Branch Office administration]

Note: OUs are also commonly organized by physical location -- for example, the Main Office
and Branch Office model. For more information on organizing OUs based on GPO
deployment, see Chapter 4.
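The reason role OUs matter is Group Policy precedence: a computer receives the GPOs linked at every container from the domain down to its own OU, with later containers overriding earlier ones, and an OU that blocks inheritance silently loses any baseline setting its own GPOs do not restate. The following is an added example, not code from the book: a small resolver that applies those rules (later containers win, lower link order wins inside a container, Block Inheritance discards non-enforced GPOs from parents, Enforced links are applied last with the highest container's enforced link winning) to a constructed domain. The domain name, OU names, GPO names and setting values are assumed to match the Figure 5-7 and 5-8 layouts; none of them come from the book.

```python
"""Which GPO wins for each setting along an OU path (LSDOU precedence).

Added example, not code from the book. Domain, OU and GPO names below are
assumed to match the Figure 5-7 / 5-8 layouts; the precedence rules are
Group Policy's own.
"""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict            # security setting -> configured value
    enforced: bool = False    # link is marked Enforced (No Override)


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)   # index 0 = link order 1 (highest precedence)
    block_inheritance: bool = False


def resultant_settings(path):
    """path: containers from the domain down to the OU holding the computer account.
    Returns (effective settings, name of the GPO that supplied each one)."""
    normal, enforced = [], []
    for container in path:
        if container.block_inheritance:
            normal = []                               # parents' non-enforced links are dropped
        for gpo in reversed(container.links):         # link order 1 is applied last, so it wins
            if not gpo.enforced:
                normal.append(gpo)
        enforced.extend(g for g in container.links if g.enforced)
    effective, winner = {}, {}
    # Non-enforced GPOs apply top-down; enforced ones apply afterwards, bottom-up,
    # so an Enforced link at the domain overrides everything beneath it.
    for gpo in normal + list(reversed(enforced)):
        for setting, value in gpo.settings.items():
            effective[setting] = value
            winner[setting] = gpo.name
    return effective, winner


def missing_baseline(effective, baseline_settings):
    """Baseline settings that never reached this OU (e.g. lost behind Block Inheritance)."""
    return sorted(s for s in baseline_settings if s not in effective)


# Constructed data: a domain, the Member Servers OU of Figure 5-7, a role OU under it,
# and a branch-office role OU (Figure 5-8) whose administrators blocked inheritance.
BASELINE = GPO("Member Server Baseline", {
    "Debug programs": "Revoke all security groups and accounts",
    "LAN Manager authentication level": "Send NTLMv2 response only/refuse LM",
    "Print Spooler": "Disabled",
    "Interactive logon: Message title": "baseline title",
})
DOMAIN = Container("corp.example", [
    GPO("Logon Banner", {"Interactive logon: Message title":
                         "IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION"}, enforced=True),
    GPO("Default Domain Policy", {"Minimum password length": 12}),
])
MEMBER_SERVERS = Container("Member Servers", [BASELINE])
FILE_SERVERS = Container("File Servers", [GPO("File Server Role", {"Print Spooler": "Automatic"})])
BRANCH_SERVERS = Container("Branch Office File Servers",
                           [GPO("Branch Role", {"Print Spooler": "Automatic"})],
                           block_inheritance=True)


def demo():
    main, winner = resultant_settings([DOMAIN, MEMBER_SERVERS, FILE_SERVERS])
    branch, _ = resultant_settings([DOMAIN, MEMBER_SERVERS, BRANCH_SERVERS])
    return main, winner, missing_baseline(branch, BASELINE.settings)


if __name__ == "__main__":
    main, winner, lost = demo()
    for setting, value in main.items():
        print(f"{setting!r}: {value!r}  (from {winner[setting]})")
    print("Branch OU lost baseline settings:", lost)
```

The branch-office result is the practical lesson: the role GPO re-enables the spooler as intended, but Debug programs and the LAN Manager level vanish because nothing below the block restates them. Linking the baseline GPO as Enforced (or not delegating Block Inheritance to role administrators) is what keeps the baseline from being undone by OU design.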

Security Environments

Member server security environments are based on the operating systems of the clients and
servers in your enterprise. Legacy clients and servers can't take advantage of the robust features
and functions that Active Directory provides, such as Group Policy, Kerberos, and other security
features. As the operating systems of domain members rise to levels that support all Active
Directory functions and features, it becomes possible to raise the overall security for the
enterprise and thus create a solid security environment.

There are three security environment levels typically found in an enterprise:

Legacy Client. When you have a mixed operating system environment of new and older
versions, you must provide adequate security that will not constrain the operation of
legacy clients. This is the lowest security level, but it needs to be that way for
communication to occur and legacy applications to work properly. This environment
might include legacy clients such as Windows 95, Windows 98, or Windows NT 4.0
Workstation. You should limit this environment to Windows 2000 Server and Windows
Server 2003 domain controllers. You should not support Windows NT 4.0 Server domain
controllers, although you can have Windows NT Server computers configured as member
servers.

Enterprise Client. This security level removes the legacy operating systems and uses
only those that support the features and functions that Active Directory offers, including
clients running Windows 2000 Professional and Windows XP Professional. These clients
all support Group Policy, Kerberos authentication, and the newer security features that
the legacy clients don't support. The domain controllers must be Windows 2000 Server or
later. There will not be any Windows NT Server computers, even as member servers.

High Security. This security level is basically the same as Enterprise Client; it changes
only the level of security that is implemented. This level raises security standards so
that all computers conform to stringent security policies for both clients and servers.
This environment might be restrictive enough that some loss of functionality and
manageability occurs. That loss must be accepted as the tradeoff for the higher security
level.

Sidebar: Windows Server 2003 Security Guide


The three enterprise environments described earlier and the procedures outlined in this chapter
for hardening different server roles in each environment are discussed more fully in the
Windows Server 2003 Security Guide. The Security Guide also includes a set of additional
security templates that can be imported into GPOs to harden different server roles in Legacy
Client, Enterprise Client, and High Security environments. It also includes additional procedures
for hardening security settings that cannot be configured using Group Policy. Using these
additional security templates can simplify the hardening of different server roles on your
network, and you can further customize these security templates to meet the specific needs of
your Active Directory environment.

Security Settings for Member Servers

This section will cover some common security settings that apply to standard member servers in
the domain. These settings are best created in a GPO that is then linked to the top-level server
OU. In Figure 5-7 or 5-8, this would be the Member Servers OU.

Table 5-7 provides a full list of security settings for a member server.

Note: Account Policies (Password Policy, Account Lockout Policy, and Kerberos Policy) are
not specified in the member server security baseline outlined here. The Account Policies that
govern domain accounts must be defined in a GPO linked at the domain level, while the member
server baseline is defined in GPOs linked to the OUs where member servers are found; Account
Policy settings in an OU-linked GPO affect only the local SAM accounts of the computers in that
OU, not domain accounts. For best practices concerning domain Account Policies, see "Account
Policies" under "Sections of the Security Template" earlier in this chapter, and also refer to the
Windows Server 2003 Security Guide described in the "Windows Server 2003 Security Guide"
sidebar.

Table 5-7  Security settings for a member server

Audit Policy

Setting | Legacy Client | Enterprise Client | High Security
Account Logon Events | Success, Failure | Success, Failure | Success, Failure
Account Management | Success, Failure | Success, Failure | Success, Failure
Directory Service Access | Success, Failure | Success, Failure | Success, Failure
Logon Events | Success, Failure | Success, Failure | Success, Failure
Object Access | Success, Failure | Success, Failure | Success, Failure
Policy Change | Success | Success | Success
Privilege Use | No Auditing | Failure | Success, Failure
Process Tracking | No Auditing | No Auditing | No Auditing
System Events | Success | Success | Success

User Rights Assignment

Setting | Legacy Client | Enterprise Client | High Security
Access this computer from the network | Not Defined (use defaults) | Not Defined (use defaults) | Administrators, Authenticated Users
Act as part of the operating system | Not Defined (use defaults) | Not Defined (use defaults) | Revoke all security groups and accounts
Add workstations to domain | Not Defined (use defaults) | Not Defined (use defaults) | Administrators
Adjust memory quotas for a process | Not Defined (use defaults) | Not Defined (use defaults) | Administrators, NETWORK SERVICE, LOCAL SERVICE
Allow log on locally | Administrators, Backup Operators, Power Users | Administrators, Backup Operators, Power Users | Administrators, Backup Operators, Power Users
Allow log on through Terminal Services | Administrators, Remote Desktop Users | Administrators, Remote Desktop Users | Administrators
Change the system time | Not Defined (use defaults) | Not Defined (use defaults) | Administrators
Debug programs | Revoke all security groups and accounts | Revoke all security groups and accounts | Revoke all security groups and accounts
Deny access to this computer from the network | ANONYMOUS LOGON; built-in Administrator; Guests; SUPPORT_388945a0; Guest; all non-operating-system service accounts | (same) | (same)
Deny log on as a batch job | Guests; SUPPORT_388945a0; Guest | Guests; SUPPORT_388945a0; Guest | Guests; SUPPORT_388945a0; Guest
Deny log on through Terminal Services | Built-in Administrator; Guests; SUPPORT_388945a0; Guest; all non-operating-system service accounts | (same) | (same)
Enable computer and user accounts to be trusted for delegation | Not Defined (use defaults) | Not Defined (use defaults) | Revoke all security groups and accounts
Force shutdown from a remote system | Not Defined (use defaults) | Not Defined (use defaults) | Administrators
Generate security audits | Not Defined (use defaults) | Not Defined (use defaults) | NETWORK SERVICE, LOCAL SERVICE
Impersonate a client after authentication | Not Defined (use defaults) | Not Defined (use defaults) | LOCAL SERVICE, NETWORK SERVICE
Increase scheduling priority | Not Defined (use defaults) | Not Defined (use defaults) | Administrators
Load and unload device drivers | Not Defined (use defaults) | Not Defined (use defaults) | Administrators
Lock pages in memory | Not Defined (use defaults) | Not Defined (use defaults) | Administrators
Log on as a batch job | Not Defined (use defaults) | Not Defined (use defaults) | Revoke all security groups and accounts
Manage auditing and security log | Not Defined (use defaults) | Not Defined (use defaults) | Administrators
Modify firmware environment values | Not Defined (use defaults) | Not Defined (use defaults) | Administrators
Perform volume maintenance tasks | Not Defined (use defaults) | Not Defined (use defaults) | Administrators
Profile single process | Not Defined (use defaults) | Not Defined (use defaults) | Administrators
Profile system performance | Not Defined (use defaults) | Not Defined (use defaults) | Administrators
Remove computer from docking station | Not Defined (use defaults) | Not Defined (use defaults) | Administrators
Replace a process level token | Not Defined (use defaults) | Not Defined (use defaults) | LOCAL SERVICE, NETWORK SERVICE
Restore files and directories | Not Defined (use defaults) | Administrators | Administrators
Shut down the system | Not Defined (use defaults) | Not Defined (use defaults) | Administrators
Synchronize directory service data | Not Defined (use defaults) | Not Defined (use defaults) | Revoke all security groups and accounts
Take ownership of files or other objects | Not Defined (use defaults) | Not Defined (use defaults) | Administrators
Security Options

Setting | Legacy Client | Enterprise Client | High Security
Accounts: Guest account status | Disabled | Disabled | Disabled
Accounts: Limit local account use of blank passwords to console logon only | Enabled | Enabled | Enabled
Audit: Audit the access of global system objects | Disabled | Disabled | Disabled
Audit: Audit the use of Backup and Restore privilege | Disabled | Disabled | Disabled
Audit: Shut down system immediately if unable to log security audits | Disabled | Disabled | Enabled
Devices: Allow undock without having to log on | Disabled | Disabled | Disabled
Devices: Allowed to format and eject removable media | Administrators | Administrators | Administrators
Devices: Prevent users from installing printer drivers | Enabled | Enabled | Enabled
Devices: Restrict CD-ROM access to locally logged-on user only | Not Defined (use defaults) | Not Defined (use defaults) | Enabled
Devices: Restrict floppy access to locally logged-on user only | Not Defined (use defaults) | Not Defined (use defaults) | Enabled
Devices: Unsigned driver installation behavior | Warn but allow installation | Warn but allow installation | Warn but allow installation
Domain controller: Allow server operators to schedule tasks | Disabled | Disabled | Disabled
Domain controller: LDAP server signing requirements | Not Defined (use defaults) | Not Defined (use defaults) | Require signing
Domain controller: Refuse machine account password changes | Disabled | Disabled | Disabled
Domain member: Digitally encrypt or sign secure channel data (always) | Disabled | Enabled | Enabled
Domain member: Digitally encrypt secure channel data (when possible) | Enabled | Enabled | Enabled
Domain member: Digitally sign secure channel data (when possible) | Enabled | Enabled | Enabled
Domain member: Disable machine account password changes | Disabled | Disabled | Disabled
Domain member: Maximum machine account password age | 30 days | 30 days | 30 days
Domain member: Require strong (Windows 2000 or later) session key | Enabled | Enabled | Enabled
Interactive logon: Do not display last user name | Enabled | Enabled | Enabled
Interactive logon: Do not require CTRL+ALT+DEL | Disabled | Disabled | Disabled
Interactive logon: Message text for users attempting to log on | "This system is restricted to authorized users. Individuals attempting unauthorized access will be prosecuted. If unauthorized, terminate access now! Clicking on OK indicates your acceptance of the information in the background." (same in all three environments)
Interactive logon: Message title for users attempting to log on | "IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION" (same in all three environments)
Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 1 | 0 | 0
Interactive logon: Prompt user to change password before expiration | 14 days | 14 days | 14 days
Interactive logon: Require Domain Controller authentication to unlock workstation | Enabled | Enabled | Enabled
Interactive logon: Smart card removal behavior | Not Defined (use defaults) | Lock Workstation | Lock Workstation
Microsoft network client: Digitally sign communications (always) | Disabled | Enabled | Enabled
Microsoft network client: Digitally sign communications (if server agrees) | Enabled | Enabled | Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled | Disabled | Disabled
Microsoft network server: Amount of idle time required before suspending session | 15 minutes | 15 minutes | 15 minutes
Microsoft network server: Digitally sign communications (always) | Disabled | Enabled | Enabled
Microsoft network server: Digitally sign communications (if client agrees) | Enabled | Enabled | Enabled
Microsoft network server: Disconnect clients when logon hours expire | Enabled | Enabled | Enabled
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled | Enabled | Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled | Enabled | Enabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication | Enabled | Enabled | Enabled
Network access: Let Everyone permissions apply to anonymous users | Disabled | Disabled | Disabled
Network access: Named Pipes that can be accessed anonymously | None | None | None
Network access: Remotely accessible registry paths | System\CurrentControlSet\Control\ProductOptions; System\CurrentControlSet\Control\Server Applications; Software\Microsoft\Windows NT\CurrentVersion (same in all three environments)
Network access: Remotely accessible registry paths and sub-paths | System\CurrentControlSet\Control\Print\Printers; System\CurrentControlSet\Services\Eventlog; Software\Microsoft\OLAP Server; Software\Microsoft\Windows NT\CurrentVersion\Print; Software\Microsoft\Windows NT\CurrentVersion\Windows; System\CurrentControlSet\Control\ContentIndex; System\CurrentControlSet\Control\Terminal Server; System\CurrentControlSet\Control\Terminal Server\UserConfig; System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration; Software\Microsoft\Windows NT\CurrentVersion\Perflib; System\CurrentControlSet\Services\SysmonLog (same in all three environments)
Network access: Restrict anonymous access to Named Pipes and Shares | Enabled | Enabled | Enabled
Network access: Shares that can be accessed anonymously | None | None | None
Network access: Sharing and security model for local accounts | Classic: local users authenticate as themselves | Classic: local users authenticate as themselves | Classic: local users authenticate as themselves
Network security: Do not store LAN Manager hash value on next password change | Enabled | Enabled | Enabled
Network security: LAN Manager authentication level | Send NTLMv2 responses only | Send NTLMv2 response only/refuse LM | Send NTLMv2 response only/refuse LM and NTLM
Network security: LDAP client signing requirements | Negotiate signing | Negotiate signing | Negotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | No minimum | Enable all settings | Enable all settings
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | No minimum | Enable all settings | Enable all settings
Recovery console: Allow automatic administrative logon | Disabled | Disabled | Disabled
Recovery console: Allow floppy copy and access to all drives and all folders | Enabled | Enabled | Disabled
Shutdown: Allow system to be shut down without having to log on | Disabled | Disabled | Disabled
Shutdown: Clear virtual memory page file | Disabled | Disabled | Enabled
System cryptography: Force strong key protection for user keys stored on the computer | User is prompted when the key is first used | User is prompted when the key is first used | User must enter a password each time they use a key
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Disabled | Disabled | Disabled
System objects: Default owner for objects created by members of the Administrators group | Object creator | Object creator | Object creator
System objects: Require case insensitivity for non-Windows subsystems | Enabled | Enabled | Enabled
System objects: Strengthen default permissions of internal system objects (such as Symbolic Links) | Enabled | Enabled | Enabled
System settings: Optional subsystems | None | None | None

Event Log

Setting | Legacy Client | Enterprise Client | High Security
Maximum application log size | 16,384 KB | 16,384 KB | 16,384 KB
Maximum security log size | 81,920 KB | 81,920 KB | 81,920 KB
Maximum system log size | 16,384 KB | 16,384 KB | 16,384 KB
Prevent local guests group from accessing application log | Enabled | Enabled | Enabled
Prevent local guests group from accessing security log | Enabled | Enabled | Enabled
Prevent local guests group from accessing system log | Enabled | Enabled | Enabled
Retention method for application log | As needed | As needed | As needed
Retention method for security log | As needed | As needed | As needed
Retention method for system log | As needed | As needed | As needed

System Services (the startup type is the same in all three environments)

Service | Startup type
Alerter | Disabled
Application Layer Gateway Service | Disabled
Application Management | Disabled
ASP.NET State Service | Disabled
Automatic Updates | Automatic
Background Intelligent Transfer Service | Manual
Certificate Services | Disabled
MS Software Shadow Copy Provider | Manual
Client Service for NetWare | Disabled
ClipBook | Disabled
Cluster Service | Disabled
COM+ Event System | Manual
COM+ System Application | Disabled
Computer Browser | Automatic
Cryptographic Services | Automatic
DHCP Client | Automatic
DHCP Server | Disabled
Distributed Link Tracking Client | Disabled
Distributed Link Tracking Server | Disabled
Distributed Transaction Coordinator | Disabled
DNS Client | Automatic
DNS Server | Disabled
Error Reporting Service | Disabled
Event Log | Automatic
Fax Service | Disabled
File Replication | Disabled
File Server for Macintosh | Disabled
FTP Publishing | Disabled
Help and Support | Disabled
HTTP SSL | Disabled
Human Interface Device Access | Disabled
IAS Jet Database Access | Disabled
IIS Admin Service | Disabled
IMAPI CD-Burning COM Service | Disabled
Indexing Service | Disabled
Infrared Monitor | Disabled
Internet Authentication Service | Disabled
Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS) | Disabled
Intersite Messaging | Disabled
IP Version 6 Helper Service | Disabled
IPSec Policy Agent (IPSec Service) | Automatic
Kerberos Key Distribution Center | Disabled
License Logging Service | Disabled
Logical Disk Manager | Manual
Logical Disk Manager Administrative Service | Manual
Message Queuing | Disabled
Message Queuing Down Level Clients | Disabled
Message Queuing Triggers | Disabled
Messenger | Disabled
Microsoft POP3 Service | Disabled
MSSQL$UDDI | Disabled
MSSQLServerADHelper | Disabled
.NET Framework Support Service | Disabled
Netlogon | Automatic
NetMeeting Remote Desktop Sharing | Disabled
Network Connections | Manual
Network DDE | Disabled
Network DDE DSDM | Disabled
Network Location Awareness (NLA) | Manual
Network News Transport Protocol (NNTP) | Disabled
NT LM Security Support Provider | Automatic
Performance Logs and Alerts | Manual
Plug and Play | Automatic
Portable Media Serial Number | Disabled
Print Server for Macintosh | Disabled
Print Spooler | Disabled
Protected Storage | Automatic
Remote Access Auto Connection Manager | Disabled
Remote Access Connection Manager | Disabled
Remote Administration Service | Manual
Remote Desktop Help Session Manager | Disabled
Remote Installation | Disabled
Remote Procedure Call (RPC) | Automatic
Remote Procedure Call (RPC) Locator | Disabled
Remote Registry Service | Automatic
Remote Server Manager | Disabled
Remote Server Monitor | Disabled
Remote Storage Notification | Disabled
Remote Storage Server | Disabled
Removable Storage | Manual
Resultant Set of Policy Provider | Disabled
Routing and Remote Access | Disabled
SAP Agent | Disabled
Secondary Logon | Disabled
Security Accounts Manager | Automatic
Server | Automatic
Shell Hardware Detection | Disabled
Simple Mail Transport Protocol (SMTP) | Disabled
Simple TCP/IP Services | Disabled
Single Instance Storage Groveler | Disabled
Smart Card | Disabled
SNMP Service | Disabled
SNMP Trap Service | Disabled
Special Administration Console Helper | Disabled
System Event Notification | Automatic
Task Scheduler | Disabled
TCP/IP NetBIOS Helper Service | Automatic
TCP/IP Print Server | Disabled
Telephony | Disabled
Telnet | Disabled
Terminal Services | Automatic
Terminal Services Licensing | Disabled
Terminal Services Session Directory | Disabled
Themes | Disabled
Trivial FTP Daemon | Disabled
Uninterruptible Power Supply | Disabled
Upload Manager | Disabled
Virtual Disk Service | Disabled
Volume Shadow Copy | Manual
WebClient | Disabled
Web Element Manager | Disabled
Windows Audio | Disabled
Windows Image Acquisition (WIA) | Disabled
Windows Installer | Automatic
Windows Internet Name Service (WINS) | Disabled
Windows Management Instrumentation | Automatic
Windows Management Instrumentation Driver Extensions | Manual
Windows Media Services | Disabled
Windows System Resource Manager | Disabled
Windows Time | Automatic
WinHTTP Web Proxy Auto-Discovery Service | Disabled
Wireless Configuration | Disabled
WMI Performance Adapter | Manual
Workstation | Automatic
World Wide Web Publishing Service | Disabled

Ports for Member Servers

For a member server to function on the network with other computers, specific ports must be
open. Table 5-8 lists those critical ports. As we look at specific server roles, additional ports
will need to be opened for the server to function properly; ports that a role does not need
should stay closed.

Table 5-8  Critical ports for member servers

Port | Description
137/UDP (NetBIOS name service) | Used by the browse master service. Must be open on WINS servers and browse master servers.
138/UDP (NetBIOS datagram service) | Must be open to accept inbound datagrams from NetBIOS applications such as the Messenger service or the Computer Browser service. (The baseline in Table 5-7 disables Messenger, so on a baseline member server only Computer Browser uses it.)
139/TCP (NetBIOS session service) | Must be closed unless you run applications or operating systems that need NetBIOS-based Windows networking (SMB) connections. If you run Windows NT 4.0, Windows Millennium Edition, Windows 98, or Windows 95, this port must be open on your servers.
445/TCP (CIFS/SMB) | Used by basic Windows networking, including file sharing, printer sharing, and remote administration.
3389/TCP (Remote Desktop Protocol) | Must be open if you are using Terminal Services for application sharing, remote desktop, or remote assistance.

Domain Controllers

Domain controllers are the heart of any environment that runs Active Directory. These
computers must be stable, protected, and available to provide the key services for the directory
service, user authentication, resource access, and more. If there is any loss or compromise of a
domain controller in the environment, the result can be disastrous for clients, servers, and
applications that rely on domain controllers for authentication, Group Policy, and the LDAP
directory.

Not only should these domain controllers be hardened with security configurations, they must
also be physically secured in locations that are accessible only to qualified administrative staff. If
domain controllers are stored in unsecured locations due to limitations of the facility (such as in a
branch office), you should apply additional security configurations to limit the potential damage
from physical threats against the computer.

Domain Controller Security Environments


Along the same lines as the Member Server hardening guidelines, domain controllers also have
different levels of security based on the environment in which they are deployed. These levels
are the same as those defined in the "Member Servers" section in this chapter: Legacy Client,
Enterprise Client, and High Security.

Security Settings for Domain Controllers

Security settings that apply specifically to domain controllers are best created in a GPO that is
then linked to the Domain Controllers OU. The settings for domain controllers should be based
on those we reviewed in the earlier "Member Servers" section. Of course, a domain controller
also has additional functions or features compared to a member server, and this requires
additional open ports and security configuration. You must review the security settings list to
ensure that you are not restricting a key feature for your domain controller.

Table 5-9 lists the settings that differ from those specified in Table 5-7. In other words, the
baseline security settings for domain controllers as outlined below should be incrementally added
to the baseline security settings for member servers described previously.

.$ For more information on hardening domain controllers in different enterprise


environments, see the á 
    .

Table 5-9  Security Settings for Domain Controllers

Setting                                  Legacy Client                Enterprise Client            High Security
User Rights Assignment
Access this computer from the network    Not Defined (Use defaults)   Not Defined (Use defaults)   Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS
Add workstations to domain               Administrators               Administrators               Administrators
Allow log on locally                     Administrators               Administrators               Administrators
Allow log on through Terminal Services   Administrators               Administrators               Administrators
Change the system time                   Administrators               Administrators               Administrators
Enable computer and user accounts to     Not Defined (Use defaults)   Not Defined (Use defaults)   Administrators
  be trusted for delegation
Load and unload device drivers           Administrators               Administrators               Administrators
Restore files and directories            Administrators               Administrators               Administrators
Shut down the system                     Administrators               Administrators               Administrators
Security Options
Network security: Do not store LAN       Disabled                     Enabled                      Enabled
  Manager hash value on next password
  change
System Services
Distributed File System                  Automatic                    Automatic                    Automatic
DNS Server                               Automatic                    Automatic                    Automatic
File Replication                         Automatic                    Automatic                    Automatic
Intersite Messaging                      Automatic                    Automatic                    Automatic
Kerberos Key Distribution Center         Automatic                    Automatic                    Automatic
Remote Procedure Call (RPC) Locator      Automatic                    Automatic                    Automatic

Ports for Domain Controllers

Domain controllers are responsible for specific functions, as seen in the different settings listed
in Table 5-9. Many of these security template settings exist because of the services that are
required to authenticate users and to keep the Active Directory database consistent among domain
controllers. Table 5-10 lists additional ports that you must open for domain controllers.

Table 5-10  Ports for Domain Controllers

Port                               Description
88 (Kerberos)                      The Kerberos protocol is used by Windows 2000 and later
                                   operating systems to log on and retrieve tickets for accessing
                                   other servers.
123 (NTP)                          This port provides time synchronization for network clients
                                   using the Network Time Protocol (NTP).
135 (RPC endpoint mapper/DCOM)     This port allows RPC clients to discover the ports that the RPC
                                   server is listening on.
389 (LDAP)                         This port is the primary way that clients access Active Directory
                                   to obtain user information, e-mail addresses, services, and
                                   other directory service information.
464 (Kerberos Password Changes)    This port provides secure methods for users to change
                                   passwords using Kerberos.
636 (LDAP over SSL)                This port is needed if LDAP will use SSL to provide encryption
                                   and mutual authentication for LDAP traffic.
3268 (Global Catalog)              This port provides the means for clients to search Active
                                   Directory information that spans multiple domains.
3269 (Global Catalog over SSL)     This port is needed because the Global Catalog uses SSL to
                                   provide encryption and mutual authentication for Global
                                   Catalog traffic.


Note: If your domain controller is also running DNS, you will also need to open port 53.

File and Print Servers
File and print servers are responsible for resource storage and controlling access to these
resources throughout the enterprise. These servers house the company's documents, trade secrets,
financial data, and much more. If these computers are not protected, the entire company might be
in jeopardy. These computers must be stable, protected, and available to provide users and
applications access to resources stored on these computers.

Like the domain controllers, these servers must be physically protected. If someone were to get
hold of a file server, they could potentially use other tools to gain access to the resources on the
server. You should take action to protect against this.

Table 5-11 lists security settings for file and print servers that differ from the settings in the
Member Servers section earlier in the chapter. In other words, the baseline security settings for
file and print servers as outlined here should be incrementally added to the baseline security
settings for member servers described previously. These settings are best created in a GPO that is
then linked to the OU that contains the file servers.

.$ For more information on hardening file and print servers in different
enterprise environments, see the á 
    .

Table 5-11  Security Settings for File and Print Servers

Setting                                  Legacy Client                Enterprise Client            High Security
Security Options
Microsoft network server: Digitally      Disabled (Print              Disabled (Print              Disabled (Print
  sign communications (always)           Servers only)                Servers only)                Servers only)
System Services
Distributed File System                  Disabled                     Disabled                     Disabled
File Replication                         Disabled                     Disabled                     Disabled
Print Spooler                            Automatic (Print             Automatic (Print             Automatic (Print
                                         Servers only)                Servers only)                Servers only)

Web Servers
Microsoft Internet Information Services (IIS) is the service that provides Web services on a
Windows server. Web servers must be properly secured from malicious attackers, while still
allowing legitimate clients to access intranet or public Web sites hosted on the server.

IIS is not installed by default on the Windows Server 2003 family of servers, and when you do
install IIS, it installs in "locked" mode -- a highly secure mode that protects IIS against threats.
Beyond the best-practice security settings presented in this section for IIS, be sure to protect your
Web servers by monitoring security using some form of intrusion detection system, and by
implementing proper incident response procedures.

Security Settings for Web Servers

Security settings for Web servers are best created in a GPO that is then linked to the OU that
contains the Web servers. Table 5-12 lists only the settings that differ from those in Table 5-7.
In other words, the baseline security settings for Web servers as outlined here should be
incrementally added to the baseline security settings for member servers described previously.

.$ For more information on hardening Web servers in different enterprise
environments, see the á 
    .

Table 5-12  Security Settings for Web Servers

Setting                                  Legacy Client                Enterprise Client            High Security
User Rights Assignment
Deny access to this computer from        ANONYMOUS LOGON; Built-in    ANONYMOUS LOGON; Built-in    ANONYMOUS LOGON; Built-in
  the network                            Administrator;               Administrator;               Administrator;
                                         Support_388945a0; Guest;     Support_388945a0; Guest;     Support_388945a0; Guest;
                                         all NON-Operating System     all NON-Operating System     all NON-Operating System
                                         service accounts             service accounts             service accounts
System Services
HTTP SSL                                 Automatic                    Automatic                    Automatic
IIS Admin Service                        Automatic                    Automatic                    Automatic
World Wide Web Publishing Service        Automatic                    Automatic                    Automatic

Ports for Web Servers

Web servers should have limited ports available, to reduce their exposure to attacks from the
local network and the Internet. The fewer the ports that are open, the better. Table 5-13 is a list of
additional ports that you will need to open for Web servers.

Table 5-13  Ports for Web Servers

Port                               Description
80 (HTTP)                          The standard HTTP port for providing Web services to users. This
                                   can be easily changed and is not required. If you do change the
                                   port for HTTP, be sure to add that new port to this list and
                                   configure that setting within IIS.
443 (HTTPS)                        Allows HTTP to have a higher level of security that provides
                                   integrity, encryption, and authentication for Web traffic.
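To verify that a hardened server exposes only the ports in Table 5-8, Table 5-10 (plus port 53 where the domain controller runs DNS) and Table 5-13, the following script, an added example rather than the chapter's code, parses `netstat -an` output and lists listeners that the role baseline does not account for. The member-server set holds only the Table 5-8 rows reproduced above, the check is by port number because the tables give no TCP/UDP split, and the sample netstat output is constructed.

```python
"""Flag listening ports outside a server's role baseline (Tables 5-8, 5-10 and 5-13).
Added example, not the chapter's code: feed it the output of `netstat -an` from the server.
MEMBER_SERVER holds only the Table 5-8 rows reproduced above (add the earlier rows of that
table); ports are compared by number only, and SAMPLE_NETSTAT is constructed."""
import re

MEMBER_SERVER = {137, 138, 139, 445, 3389}                            # Table 5-8 rows shown above
ROLE_EXTRA = {
    "domain controller": {88, 123, 135, 389, 464, 636, 3268, 3269},   # Table 5-10
    "web server": {80, 443},                                          # Table 5-13
}
# netstat -an rows look like "  TCP  0.0.0.0:135  0.0.0.0:0  LISTENING" or "  UDP  0.0.0.0:137  *:*"
LISTENER = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+LISTENING)?\s*$")

def parse_listeners(netstat_output):
    """Return {(proto, port)} for TCP sockets in LISTENING state and every bound UDP socket."""
    found = set()
    for line in netstat_output.splitlines():
        m = LISTENER.match(line)          # ESTABLISHED/TIME_WAIT rows do not match
        if m:
            found.add((m.group(1), int(m.group(2))))
    return found

def unexpected_listeners(netstat_output, role, dns=False):
    """Sorted (proto, port) pairs not covered by the member-server set plus the role's extras.
    dns=True adds port 53, as the note under Table 5-10 requires for a DC that runs DNS."""
    allowed = MEMBER_SERVER | ROLE_EXTRA.get(role, set()) | ({53} if dns else set())
    return sorted(p for p in parse_listeners(netstat_output) if p[1] not in allowed)

# Constructed netstat -an excerpt from a domain controller that also runs DNS.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:445           10.0.0.7:1041          ESTABLISHED
  UDP    0.0.0.0:53             *:*
  UDP    0.0.0.0:88             *:*
  UDP    0.0.0.0:137            *:*
"""
```

On the sample, the domain controller baseline with DNS leaves only the Telnet and SQL Server listeners (TCP 23 and 1433) unexplained; without dns=True, UDP 53 is reported as well.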
