Microsoft Windows Server

1
Microsoft Windows Server
2
Securing the Server

• Provide Physical Security for the machineMost
  security breaches in corporate environments occur
  from the inside. Culprits can be well meaning
  "power users" who configure their co-workers PCs,
  to disgruntled employees, or they can be full
  blown corporate spies that are working at your
  company. It may not be practical to physically
  secure every workstation in your environment, but
  your servers need to be in a locked room with
  monitored access. Consider placing surveillance
  cameras in your server rooms and keeping the
  tapes for 30 days. For desktops, install a lock
  on the CPU case, keep it locked, and store the
  key safely away from the computer at a secure
  location. (i.e. a locked cabinet in the server
  room)

3
Securing The Server

• Password protect the screensaverOnce again this
  is a basic security step that is often
  circumvented by users. Make sure all of your
  workstations and servers have this feature
  enabled to prevent an internal threat from taking
  advantage of an unlocked console. For best
  results, choose the blank screensaver or logon
  screensaver. Avoid the OpenGL and graphic
  intensive program that eat CPU cycles and memory.
  Make sure the wait setting is appropriate for
  your business. If you can get your users in the
  habit of manually locking their workstations when
  they walk away from their desks, you can probably
  get away with an idle time of 15 minutes or more.
  You can keep users from changing this setting via
  Group Policy.  
• Use NTFS on all partitionsFAT and FAT32 File
  systems don't support file level security and
  give hackers a big wide open door to your system.
  Make sure all of your system partitions are
  formatted using NTFS.
• Always run Anti-Virus softwareAgain, this is
  something that is considered a basic tenet of
  security, but you would be surprised at how many
  companies don't run Anti-Virus software, or run
  it but don't update it. Today's AV software does
  more than just check for known viruses, many scan
  for other types of malicious code as well.

4
Securing The Server

• Create 2 accounts for AdministratorsCreate one
  regular user account for your Administrators for
  reading mail and other common tasks, and a
  separate account (with a more aggressive password
  policy) for tasks requiring administrator
  privileges. Have your Administrators use the "Run
  As" command available with Windows 200x to enable
  the access they need. This prevents malicious
  code from spreading through your network with
  admin privileges. 

5
Securing The Server

• Rename the Administrator AccountMany hackers
  will argue that this won't stop them, because
  they will use the SID to find the name of the
  account and hack that. Our view is, why make it
  easy for them. Renaming the Administrator account
  will stop some amateur hackers cold, and will
  annoy the more determined ones. Remember that
  hackers won't know what the inherit or group
  permissions are for an account, so they'll try to
  hack any local account they find and then try to
  hack other accounts as they go to improve their
  access. If you rename the account, try not to use
  the word 'Admin" in its name. Pick something that
  won't sound like it has rights to anything.
• Consider creating a dummy Administrator
  accountAnother strategy is to create a local
  account named "Administrator", then giving that
  account no privileges and impossible to guess 10
  digit complex password. This should keep the
  script kiddies busy for a while. If you create a
  dummy Administrative account, enabled auditing so
  you'll know when it is being tampered with.

6
Securing The Server

• Replace the "Everyone" Group with "Authenticated
  Users" on file shares"Everyone" in the context
  of Windows 200x security, means anyone who gains
  access to your network can access the data. Never
  assign the "Everyone" Group to have access to a
  file share on your network, use "Authenticated
  Users" instead. This is especially important for
  printers, who have the "Everyone" Group assigned
  by default.
• Password SecurityA good password policy is
  essential to your network security, but is often
  overlooked. In large organizations there is a
  huge temptation for lazy administrators to create
  all local Administrator accounts (or worse, a
  common domain level administrator account) that
  uses a variation of the company name, computer
  name, or advertising tag line. i.e.
  companyname1, win2kcompanyname, etc. Even
  worse are new user accounts with simple passwords
  such as "welcome", "letmein", "new2you", that
  aren't required to changed the password after the
  first logon. Use complex passwords that are
  changed at least every 60 -90 days. Passwords
  should contain at least eight characters, and
  preferably nine (recent security information
  reports that many cracking programs are using the
  eight character standard as a starting point).
  Also, each password must follow the standards set
  for strong passwords .

7
Securing The Server

• Disable the Guest AccountWindows 200x finally
  disables the guest account by default, but if you
  didn't build the image yourself, always double
  check to make sure the guest account is not
  enabled. For additional security assign a complex
  password to the account anyway, and restrict its
  logon 24x7. 
• Limit the number of unnecessary
  accountsEliminate any duplicate user accounts,
  test accounts, shared accounts, general
  department accounts, etc., Use group policies to
  assign permissions as needed, and audit your
  accounts regularly. These generic accounts are
  famous for having weak passwords (and lots of
  access) and are at the top of every hacker's list
  of accounts to crack first. This can be a big
  problem at larger companies with understaffed IT
  departments.

8
Securing The Server

• Secure your Backup tapesIt's amazing how many
  organizations implement excellent platform
  security, and then don't encrypt and/or lock up
  their backup tapes containing the same data. It's
  also a good idea to keep your Emergency Repair
  Disks locked up and stored away from your servers.

9
Securing The Server

• Use the Security Configuration Toolset included
  with Windows 200x to configure policies.Microsoft
  provides a Security Configuration Toolset which
  provides plug in templates for the MMC that allow
  you to easily configure your policies based on
  the level of security you require. The template
  includes a long list of configurable options
  (many of which appear on this checklist) and also
  includes a useful security analysis tool. If your
  workstation is not part of a domain, you can
  still enable policies by using the Poledit.exe
  file from the Windows 200x Server CD-ROM.
• Don't allow unmonitored modems in your
  environmentOne of the easiest hacks in the world
  is finding a company's phone number prefix and
  suffix range and war-dialing for a modem that
  picks up. After weeding through the fax machines,
  you can either look for an unsecured workstation
  with RAS enabled, or one with Symantec's PC
  Anywhere loaded on it. If either one is
  configured incorrectly, you can easily gain
  access to the local machine and work up from
  there. If you have a digital phone system, get a
  list of every analog line that comes into your
  workplace and find out where it goes! Every PC
  hooked to a modem is a security risk. Make sure
  they're configured correctly and audited
  regularly.

10
Securing The Server

• Shut down unnecessary servicesUnnecessary
  services take up system resources and can open
  holes into your operating system. IIS, RAS, and
  Terminal Services have security and configuration
  issues of their own, and should be implemented
  carefully if required. There are also several
  malicious programs that can run quietly as
  services without anyone knowing. You should be
  aware of all the services that all run on your
  servers and audit them periodically. What
  services are deemed unnecessary may vary based on
  the function of your server and/or workstations.
  Please test your specific configuration in a lab
  environment before enabling it in your production
  network.

11
Securing The Server

• Shut down unnecessary portsThis is a judgment
  call based on your needs and risks. Workstations
  aren't normally at risk behind a firewall, but
  never assume your servers are safe!  A hackers
  first attempt at rattling the doors and windows
  usually involves using a port scanner. You can
  find out a list of open ports on your local
  system by opening the file located at
  systemroot\drivers\etc\services. You can
  configure your ports via the TCP/IP Security
  console located in the TCP/IP properties (Control
  Panel gt Network and Dial Up Connections gt Local
  Area Connection gt Internet Protocol (TCP/IP) gt
  Properties gt Advanced gt Options gt TCP/IP
  Filtering) To allow only TCP and ICMP
  connections, configure the UDP and IP Protocol
  check boxes to "Permit Only" and leave the fields
  blank.

12
Securing The Server

• Enable AuditingThe most basic form of Intrusion
  Detection for Windows 200x is to enable auditing.
  This will alert you to changes in account
  policies, attempted password hacks, unauthorized
  file access, etc.,  Most users are unaware of the
  types of doors they have unknowingly left open on
  their local workstation, and these risks are
  often discovered only after a serious security
  breach has occurred. At the very minimum,
  consider auditing the following events

13
Securing the Server

• Set permissions on the security event logThe
  event log files are not protected by default, so
  permissions should be set on the event log files
  to allow access to Administrator and System
  accounts only. 
• Store all sensitive documents on file
  serversAlthough most new workstations come with
  some very large drives, you should consider
  storing all of a users data (documents,
  spreadsheets, project files, etc.,) on a secured
  server, where the data is backed up regularly.
  Modify the parameters for the "My Documents"
  folder to always point to the users network share
  on a secured server. For laptop users, enable the
  "Make available offline" capabilities to
  synchronize the folder's content.
• Prevent the last logged-in user name from being
  displayedWhen you press Ctrl-Alt-Del, a login
  dialog box appears which displays the name of the
  last user who logged in to the computer, and
  makes it easier to discover a user name that can
  later be used in a password-guessing attack. This
  can be disabled using the security templates
  provided on the installation CD, or via Group
  Policy snap in. For more information, see
  Microsoft KB Article Q310125

14
Securing the Server

• Check Microsoft's web site for the latest
  hotfixesNobody writes 30 million lines of code
  and is going to have it perfect the first time,
  so updating service packs and hotfixes can go a
  long way to plug security holes. The problem is
  that hotfixes aren't regression-tested as
  thoroughly as service packs and can come with
  bugs of their own. You should always test them on
  a comparable, non production system before
  deploying them. Check Microsoft's TechNet
  Security Page frequently for the latest hotfixes
  and decide which ones you need to roll out.